Eric Dumazet wrote:

Herbert Xu a écrit :

quoted

On Fri, Oct 30, 2009 at 04:31:50PM +0100, Eric Dumazet wrote:

quoted

Same thing if you have two interfaces, eth0 & eth1 : IP conntrack tuples dont
include interface name/index

Indeed, but imagine what happens when eth0 is the LAN and eth1 is
the wild wild Internet.  Do you really want their packets to mix?

No, Abayadi needs firewall rules (or RPF), before entering conntrack.

Allowing spoofed packets to come from wild Internet would be...
interesting in many aspects.

And since some setups use several links to LAN, several links to
Internet, its user policy decisions.

Correct, users need to take care of this manually.