Interesting article, thanks for sharing this! I'm slightly confused about some things in it though. Does this mean that any traffic will be put on the connection tracker and be treated as stateful unless we use CT --notrack, or can the kernel make a heuristic based on what's in the iptables rule (i.e. if it only covers a port or a network range, it must be stateless)?
What constitutes a busy server? For a recursor it'd be easy to achieve high throughput, but does an authoritative name server for a single website need it?

On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:
> Absolutely right; I wrote this Linux-centric article about it:
>
> https://kb.isc.org/docs/aa-01183
>
> It has not been updated to cover nftables.
>
> Note also that this is a good reason NOT to use the NAT that
> other posters have encouraged.

--
Michael De Roover <i...@nixmagic.com>
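As an added example (not part of the thread or of the ISC article), here is the check that goes with the `CT --notrack` question above: it parses `/proc/net/nf_conntrack` and lists DNS flows that still have conntrack entries, which is what you see when a port-53 exemption is missing or only covers one direction. The sample lines are constructed; the `[UNREPLIED]` and `[ASSURED]` tokens are handled because they shift the field positions.

```python
import os
import re
from collections import Counter

# Constructed /proc/net/nf_conntrack sample (not a real capture).
# Layout: l3proto l3num l4proto l4num timeout [tcp_state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] ...
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.53 sport=40000 dport=53 [UNREPLIED] src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40000 mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.0.2.11 dst=192.0.2.53 sport=40001 dport=53 src=192.0.2.53 dst=192.0.2.11 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=192.0.2.53 sport=50000 dport=22 src=192.0.2.53 dst=192.0.2.12 sport=22 dport=50000 [ASSURED] mark=0 zone=0 use=2
ipv6    10 udp      17 12 src=2001:db8::1 dst=2001:db8::53 sport=40002 dport=53 [UNREPLIED] src=2001:db8::53 dst=2001:db8::1 sport=53 dport=40002 mark=0 zone=0 use=2
"""

KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")

def parse_entry(line):
    """Split one conntrack line into (l4proto, original tuple, reply tuple, flags)."""
    fields = line.split()
    l4proto = fields[2]
    seen = {}
    # Tuple keys occur twice: first occurrence is the original direction, second the reply.
    for key, value in KV.findall(line):
        if key in TUPLE_KEYS:
            seen.setdefault(key, []).append(value)
    orig = {k: v[0] for k, v in seen.items()}
    reply = {k: v[1] for k, v in seen.items() if len(v) > 1}
    flags = [f for f in fields if f.startswith("[") and f.endswith("]")]
    return l4proto, orig, reply, flags

def tracked_dns_flows(dump, dns_port="53"):
    """Return (l4proto, client, server, unreplied) for every entry that is a DNS flow.
    An empty list means the notrack rules keep port-53 traffic out of the table."""
    flows = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        l4proto, orig, reply, flags = parse_entry(line)
        if orig.get("dport") == dns_port or reply.get("sport") == dns_port:
            flows.append((l4proto, orig["src"], orig["dst"], "[UNREPLIED]" in flags))
    return flows

def entries_per_protocol(dump):
    """Count table entries by L4 protocol, to see what is actually filling the table."""
    return dict(Counter(parse_entry(l)[0] for l in dump.splitlines() if l.strip()))

if __name__ == "__main__":
    path = "/proc/net/nf_conntrack"
    dump = open(path).read() if os.path.exists(path) else SAMPLE_CONNTRACK
    print(entries_per_protocol(dump))
    for flow in tracked_dns_flows(dump):
        print("tracked DNS flow:", flow)
```

Run it as root on the name server after loading the notrack rules; any line printed is a DNS flow the kernel is still tracking.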