On Tue, 24 Apr 2018, Toke Høiland-Jørgensen wrote:

> Pete Heist writes:
>
>>> On Apr 24, 2018, at 7:58 AM, Jonathan Morton wrote:
>>>
>>> Turning NAT support on by default might actually be reasonable, since
>>> it doesn't really break anything if it's not needed - it just eats a
>>> bit of CPU with unnecessary conntrack lookups.
>>
>> I would be for it, if it eats say < 1% additional CPU, and preferably
>> less. I expect the impact to increase with packet rates.
>
> I'm a bit worried that the way it is implemented now, if we turn it on
> by default we risk activating conntrack even when it was otherwise
> disabled...

I will say that just about every system ships with conntrack enabled, and disabling it can be pretty difficult (especially in LEDE/OpenWRT); there are so many things that require it that tracking them all down and disabling them is very difficult.

There are not that many places where Cake is going to be used that NAT or some other thing that requires connection tracking is not also going to be used. In the remaining cases, can it be disabled manually in configs after it's been sucked in automatically?