* Multiple conntrack tables
From: Sam Liddicott @ 2014-06-18 6:31 UTC (permalink / raw)
To: netfilter-devel
I know that a rule in raw can prevent a packet from being processed by
conntrack.
I wonder if it could also identify which conntrack table it should go in.
This problem first came up when using conntrack for some extra iptables
rules with multiple bridges but where different bridges had clients
with the same IP address.
I used to think MAC addresses would need to be part of the conntrack
key and did some trial work on that but now I realise that multiple
named or numbered conntrack tables would be better.
I don't need this feature now but it does seem like a good idea.
Sam
* Re: Multiple conntrack tables
From: Florian Westphal @ 2014-06-18 21:30 UTC (permalink / raw)
To: Sam Liddicott; +Cc: netfilter-devel
Sam Liddicott <sam@liddicott.com> wrote:
> I know that a rule in raw can prevent a packet from being processed by
> conntrack.
>
> I wonder if it could also identify which conntrack table it should go in.
This is possible via conntrack zones, see
iptables-extensions(8), '--zone' option of CT target.
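
The zone assignment referred to above, applied to the multiple-bridge case from the first message, as an added example that is not part of the original thread. The function name `ct_zone_rules`, the bridge names and the zone ids are assumptions chosen for illustration; the script only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: build raw-table rules that place each bridge's traffic in its
# own conntrack zone. Bridge names and zone ids below are constructed samples.

# ct_zone_rules IFACE:ZONE...
# Prints the rules only if every mapping is valid; returns 1 otherwise.
ct_zone_rules() {
    seen=" "; rules=""; nl='
'
    for map in "$@"; do
        iface=${map%%:*}
        zone=${map#*:}
        # The output is meant to be fed to a shell, so restrict the name.
        case $iface in ''|-*|*[!A-Za-z0-9_.-]*)
            echo "bad interface: $map" >&2; return 1 ;;
        esac
        # Zone must be 1-5 digits with no leading zero; 0 is the default zone.
        case $zone in ''|0*|*[!0-9]*|??????*)
            echo "bad zone: $map" >&2; return 1 ;;
        esac
        # Zone ids are 16-bit.
        if [ "$zone" -gt 65535 ]; then
            echo "zone out of range: $map" >&2; return 1
        fi
        # Two bridges in one zone share a table, so equal IPs collide again.
        case $seen in *" $zone "*)
            echo "duplicate zone: $zone" >&2; return 1 ;;
        esac
        seen="$seen$zone "
        # Packets arriving on the bridge.
        rules="${rules}iptables -t raw -A PREROUTING -i $iface -j CT --zone $zone$nl"
        # Locally generated packets leaving through the bridge.
        rules="${rules}iptables -t raw -A OUTPUT -o $iface -j CT --zone $zone$nl"
    done
    printf '%s' "$rules"
}

# Print the rules for two constructed bridges.
ct_zone_rules br0:1 br1:2
```

Once such rules are loaded, `conntrack -L --zone 1` lists only the entries tracked in zone 1.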
* Re: Multiple conntrack tables
From: Sam Liddicott @ 2014-06-19 13:49 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Thanks, Florian, that's great!
Sam
On Wed, Jun 18, 2014 at 10:30 PM, Florian Westphal <fw@strlen.de> wrote:
> Sam Liddicott <sam@liddicott.com> wrote:
>> I know that a rule in raw can prevent a packet from being processed by
>> conntrack.
>>
>> I wonder if it could also identify which conntrack table it should go in.
>
> This is possible via conntrack zones, see
> iptables-extensions(8), '--zone' option of CT target.