Eric W. Biederman <ebied...@xmission.com> wrote:
> If loading the conntrack module changes the semantics of packet
> processing when nothing is configured that is a bug in the conntrack
> module.
That's the default behaviour since forever. modprobe nf_conntrack_ipv4 -- module_init registers netfilter hooks and starts doing connection tracking. You might say 'it's wrong', but that's how it's been for over a decade.

If you have a suggestion on how to transition to a 'sane' behaviour, then I'm all ears. Note however that conntrack doesn't need any configuration currently. It's just there once the module is loaded.

We could try hooking into nftables/iptables modules that use conntrack info to make a decision, and that's what we do now in namespaces other than init_net. We still do it by default in init_net because someone could be doing conntrack just for the purpose of ctnetlink events (conntrack -E and friends, or flow accounting and the like).