On Mon, 15 May 2006, Patrick McHardy wrote:

> >>This will load the conntrack modules even if the track flag is not set.
> >
> > I guess need_conntrack() could be moved to checkentry() and only called
> > if the track flag is set.
>
> That won't help, the function itself does nothing, it's just a symbol
> dependency.

Not sure what you mean: it will cause ip_conntrack to be loaded, which is
needed when you specify the track flag.

> > Another possibility would be to get rid of CONNSECMARK completely and have
> > SECMARK copy security marks from connections to packets via the use of a
> > different flag (perhaps change --track into --save-state and then have
> > --restore-state, or similar).
>
> The reason why I'm asking is because my understanding is that SECMARK
> would also be useful without conntrack,

Yes.

> but automatically pulling in the module leaves no option not to use
> conntrack except not to compile this part in.

Conntrack will only be loaded if someone uses "SECMARK --track", which is
exactly what is desired. Without --track, conntrack will not be loaded by
SECMARK.

- James
-- 
James Morris <[EMAIL PROTECTED]>