* Is there way to bypass conntrack?
From: Andrey Tverdokhleb @ 2003-09-03 17:47 UTC (permalink / raw)
To: netfilter
I'd really like to have some way to bypass ip_conntrack for some
packets. Basically I need to run very intensive port scanning through my
firewall and as soon as ip_conntrack is loaded it dies within seconds from
SYN flood. Increasing the limit doesn't work because I need about 127000
packets to be sent from different source ports. So far I just keep
conntrack unloaded and the firewall works fine as a pure stateless filter. But
now I need stateful inspection on this machine for some IPs. So the
question - is it possible to avoid connection tracking for some specific
IPs?
Thanks!
Andrey
* Re: Is there way to bypass conntrack?
From: Julian Gomez @ 2003-09-04 17:52 UTC (permalink / raw)
To: netfilter
On Wed, Sep 03, 2003 at 10:47:06AM -0700, Andrey Tverdokhleb spoke thusly:
>I'd really like to have some way to bypass ip_conntrack for some
>packets. Basically I need to run very intensive port scanning through my
>firewall and as soon as ip_conntrack is loaded it dies within seconds from
>SYN flood. Increasing the limit doesn't work because I need about 127000
>packets to be sent from different source ports. So far I just keep
>conntrack unloaded and the firewall works fine as a pure stateless filter. But
>now I need stateful inspection on this machine for some IPs. So the
>question - is it possible to avoid connection tracking for some specific
>IPs?
I think there is a NOTRACK patch somewhere (p-o-m / archives)? Try looking
for it; from memory I think that is what you need.