On Wed, 17 Apr 2002, Brad Chapman wrote:

> > So we need to filter them out before conntrack and currently that seems
> > impossible without adding the notrack/prestate table.
>
> Everyone so far seems to be thinking about adding a new
> autonomous table with separate hooks positioned at a priority
> NF_IP_PRI_FIRST < x < NF_IP_PRI_CONNTRACK (where x is the priority of
> the new table) for the purposes of selecting which packets to exempt
> from the conntrack system. What about hooking the table directly into
> the conntrack core, and simply calling ipt_do_table() _before_ the
> ip_conntrack_in() function is entered, either directly at
> NF_IP_PRE_ROUTING, or after ip_conntrack_local() at NF_IP_LOCAL_OUT?

It would be confusing. One could think: the 'conntrack' table is for
adjusting the conntrack subsystem. But we are not going to do that (only
indirectly, by selecting packets *not* to enter conntrack).

Regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
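The priority constraint the thread keeps coming back to, NF_IP_PRI_FIRST < x < NF_IP_PRI_CONNTRACK, is what lets a separate table flag packets before ip_conntrack_in() ever sees them. The following user-space simulation is an added example, not netfilter kernel code and not anything posted in this thread: it models one hook point as a priority-sorted chain the way the kernel traverses registered hooks, registers a stand-in conntrack hook at the real NF_IP_PRI_CONNTRACK value (-200) and a hypothetical "notrack" table at an assumed priority of -300, and shows that the exemption only works when the table really sorts ahead of conntrack. NF_IP_PRI_FIRST and NF_IP_PRI_CONNTRACK are the kernel's real values; NOTRACK_PRI, the packet structure, and the "exempt port 53" policy are constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Priority constants as defined in the kernel's netfilter_ipv4.h. */
#define NF_IP_PRI_FIRST     INT_MIN
#define NF_IP_PRI_CONNTRACK (-200)
/* Assumed priority for the hypothetical notrack table; the only requirement
 * discussed on the list is NF_IP_PRI_FIRST < x < NF_IP_PRI_CONNTRACK. */
#define NOTRACK_PRI         (-300)

/* Minimal stand-in for an sk_buff: only the fields the hooks look at. */
struct pkt {
    unsigned short dport;  /* destination port */
    int notrack;           /* set by the notrack table: skip conntrack */
    int tracked;           /* set by conntrack: an entry was created */
};

typedef int (*hookfn)(struct pkt *p);   /* 1 = accept/continue, 0 = drop */

struct hook { int priority; const char *name; hookfn fn; };

#define MAX_HOOKS 8
static struct hook hooks[MAX_HOOKS];
static int nhooks;

/* Analogue of nf_register_hook(): keep the chain sorted by priority, lowest
 * value first, which is the order the kernel walks hooks at one hook point. */
static int register_hook(int priority, const char *name, hookfn fn)
{
    if (nhooks == MAX_HOOKS)
        return -1;
    int i = nhooks;
    while (i > 0 && hooks[i - 1].priority > priority) {
        hooks[i] = hooks[i - 1];
        i--;
    }
    hooks[i].priority = priority;
    hooks[i].name = name;
    hooks[i].fn = fn;
    nhooks++;
    return 0;
}

/* Walk the hook chain for one hook point (think NF_IP_PRE_ROUTING). */
static int run_hooks(struct pkt *p)
{
    for (int i = 0; i < nhooks; i++)
        if (!hooks[i].fn(p))
            return 0;
    return 1;
}

/* The notrack table's only job: flag packets that must not enter conntrack.
 * Constructed policy for the example: exempt DNS (port 53). */
static int notrack_hook(struct pkt *p)
{
    if (p->dport == 53)
        p->notrack = 1;
    return 1;
}

/* Stand-in for ip_conntrack_in(): honour the flag, otherwise track. */
static int conntrack_hook(struct pkt *p)
{
    if (!p->notrack)
        p->tracked = 1;
    return 1;
}

/* Register conntrack at its real priority and the notrack table at
 * notrack_pri, push one packet through, and report whether conntrack
 * created an entry for it. */
static int tracked_with_notrack_pri(int notrack_pri, unsigned short dport)
{
    nhooks = 0;
    register_hook(NF_IP_PRI_CONNTRACK, "conntrack", conntrack_hook);
    register_hook(notrack_pri, "notrack", notrack_hook);
    struct pkt p = { dport, 0, 0 };
    run_hooks(&p);
    return p.tracked;
}

/* Name of the hook that runs first for the same registration. */
static const char *first_hook_name(int notrack_pri)
{
    nhooks = 0;
    register_hook(NF_IP_PRI_CONNTRACK, "conntrack", conntrack_hook);
    register_hook(notrack_pri, "notrack", notrack_hook);
    return hooks[0].name;
}

int main(void)
{
    printf("notrack at %d: DNS tracked=%d, HTTP tracked=%d\n", NOTRACK_PRI,
           tracked_with_notrack_pri(NOTRACK_PRI, 53),
           tracked_with_notrack_pri(NOTRACK_PRI, 80));
    /* A table registered *after* conntrack can no longer exempt anything. */
    printf("notrack at -100: DNS tracked=%d (first hook: %s)\n",
           tracked_with_notrack_pri(-100, 53), first_hook_name(-100));
    return 0;
}
```

The second print line is the point of the priority constraint: with the table at -100 the chain sorts conntrack first, the packet is already tracked by the time the notrack hook flags it, and the flag is useless. That is also why hooking the table into the conntrack core itself, as Brad proposes, is functionally equivalent but, as Jozsef objects, blurs whether the table configures conntrack or merely bypasses it.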