Re: [pve-devel] [PATCH] firewall: resources: accept invalid ct state by default

2024-11-15 Thread Stefan Hanreich
On 11/15/24 14:13, Stefan Hanreich wrote:
> I see two ways of solving this problem:
>
> * We introduce a knob at VM level that lets you decide whether to drop
> ct invalid traffic or not. (Invalid traffic would then still be
> evaluated by the firewall rules if it's allowed in principle, as is the

Re: [pve-devel] [PATCH] firewall: resources: accept invalid ct state by default

2024-11-15 Thread Stefan Hanreich
On 11/15/24 13:33, Hannes Laimer wrote:
> We only add a `block-conntrack-invalid` jump to the in chain, if
> the `nf_conntrack_allow_invalid` option is not set in the config. But we
> already drop connections with an invalid ct state by default. So we have
> to either allow connections with an i