On Tue, Mar 8, 2016 at 2:18 AM, Han Zhou wrote:
>
>
> On Wed, Mar 2, 2016 at 1:43 PM, Russell Bryant wrote:
> There is a small problem with this patch. For an established connection, if
> the ACL rule allowing the connection is deleted, it will take effect by
> setting the mark to 1 in the CT table. H
On Wed, Mar 2, 2016 at 1:43 PM, Russell Bryant wrote:
>
> Prior to this commit, once a connection had been committed to the
> connection tracker, the connection would continue to be allowed, even
> if the policy defined in the ACL table changed. This patch changes
> the implementation so that exi
Prior to this commit, once a connection had been committed to the
connection tracker, the connection would continue to be allowed, even
if the policy defined in the ACL table changed. This patch changes
the implementation so that existing connections are affected by policy
changes.
The implementa