[PATCH] ila: add NETFILTER dependency
Pablo Neira Ayuso
pablo at netfilter.org
Fri Dec 18 12:37:17 PST 2015
On Fri, Dec 18, 2015 at 07:09:31PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo at netfilter.org> wrote:
> > I'm afraid this extra Kconfig dependency that Arnd adds to fix this is
> > a symptom that there is something that doesn't belong there.
> >
> > I overlook this new hook on priority -1, how does this integrate into
> > our infrastructure?
>
> Looks problematic since address changes post ipv6 dnat translations,
> its certainly unexpected for nft since we have magic address mangling
> after -2 and 0 priroized tables...
David indicated that this should be sort of transparent and integrated
into separated infrastructure.
The existing hook will break IPv6 conntrack and NAT for us, and the
extra hook is suboptimal as it
I'd suggest you add a static key and specific hook before netfilter to
deal with this.
More information about the linux-arm-kernel
mailing list