From: Ben Greear <greearb@candelatech.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Adayadil Thomas <adayadil.thomas@gmail.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>
Subject: Re: Connection tracking and vlan
Date: Fri, 30 Oct 2009 16:25:17 -0700
Message-ID: <4AEB75DD.8050204@candelatech.com>
In-Reply-To: <m1639wmq1f.fsf@fess.ebiederm.org>

On 10/30/2009 04:15 PM, Eric W. Biederman wrote:
>> If ip_conntrack does not consider vlans, it is possible that all 5
>> tuple are the same
>> and thus affect the connection tracking.
>>
>> I hope I have described the scenario well. If not I can explain in a
>> more detailed fashion.
>
> Unless you have multiple network namespaces linux assumes all packets are
> in the same ip space. And 10.10.10.1 is the same machine no matter
> which interface you talk to it on.

It only takes a relatively small patch that lets conn-track hash on a
skb->foo_mark, and allow that mark to be set on incoming packets
based on netdevice or whatever, (before the conn-track lookup is
done).

This is logically somewhat similar to using multiple routing
tables and has been working well for me for several years....

Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
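
Added example, not part of the original message and not the patch it refers to: a small user-space model of a connection table showing why two flows with the same 5-tuple on different VLAN devices share one entry, and how adding a per-device mark to the hash and comparison key separates them. The struct, the function names and the mark values 10 and 20 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code. "mark" stands in for the per-packet
 * value the message calls skb->foo_mark, set from the ingress device. */
struct ct_key { uint32_t saddr, daddr, mark; uint16_t sport, dport; uint8_t proto; };

#define CT_SLOTS 64
static struct ct_key slots[CT_SLOTS];
static int used[CT_SLOTS];

static int key_eq(const struct ct_key *a, const struct ct_key *b, int use_mark)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport &&
           a->proto == b->proto && (!use_mark || a->mark == b->mark);
}

static uint32_t key_hash(const struct ct_key *k, int use_mark)
{
    uint32_t h = k->saddr * 31u + k->daddr;
    h = h * 31u + (((uint32_t)k->sport << 16) | k->dport) + k->proto;
    if (use_mark) h = h * 31u + k->mark;   /* mark becomes part of the key */
    return h % CT_SLOTS;
}

/* Returns 1 if a new entry was created, 0 if an existing entry matched. */
static int ct_track(const struct ct_key *k, int use_mark)
{
    uint32_t i = key_hash(k, use_mark);
    for (int n = 0; n < CT_SLOTS; n++, i = (i + 1) % CT_SLOTS) {
        if (!used[i]) { slots[i] = *k; used[i] = 1; return 1; }
        if (key_eq(&slots[i], k, use_mark)) return 0;
    }
    return -1;                             /* table full */
}

/* Same 5-tuple seen on two VLAN devices (constructed marks 10 and 20). */
int ct_entries(int use_mark)
{
    struct ct_key a = { 0x0a0a0a02, 0x0a0a0a01, 10, 40000, 80, 6 }, b = a;
    b.mark = 20;
    for (int i = 0; i < CT_SLOTS; i++) used[i] = 0;
    return ct_track(&a, use_mark) + ct_track(&b, use_mark);
}

int main(void)
{
    printf("5-tuple only: %d, with mark: %d\n", ct_entries(0), ct_entries(1));
}
```

With the 5-tuple alone the second flow is matched to the first flow's entry and inherits its state; with the mark in the key each VLAN gets its own entry.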