On 11/15/24 14:13, Stefan Hanreich wrote:
> I see two ways of solving this problem:
>
> * We introduce a knob at VM level that lets you decide whether to drop
> ct invalid traffic or not. (Invalid traffic would then still be
> evaluated by the firewall rules if it's allowed in principle, as is the
On 11/15/24 13:33, Hannes Laimer wrote:
> We only add a `block-conntrack-invalid` jump to the in chain if
> the `nf_conntrack_allow_invalid` option is not set in the config. But we
> already drop connections with an invalid ct state by default. So we have
> to either allow connections with an invalid ct state by default, or explicitly
> allow the