For maximum scale and flexibility, there is an option to turn off the filter tracking feature. For most users, filter tracking is beneficial and should be left enabled.
To disable filter tracking, set the sfc module option:
disable_filter_tracking=Y
When filter tracking has been disabled, there is a risk of filter shadowing. This occurs whenever a less specific filter via the Express datapath overlaps with a more specific filter on the Enterprise datapath.
To reduce the risk of filter shadowing, options include:
- Allocate a different MAC/IP address for destinations using the Express datapath (so that filters cannot overlap with any filters on Enterprise datapath).
- Only use IP/port filters on the Express datapath.
  - There is still a possible overlap if a TCP/UDP 5-tuple filter via the Enterprise datapath overlaps with a 3-tuple filter via the Express datapath.
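The overlap condition described above can be checked against a planned filter set before filter tracking is disabled. The following is an added example, not code from the sfc driver or its documentation. It assumes a simplified model covering IP/port filters only; the `Filter` class, the `shadows` and `find_shadowing` functions and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

FIELDS = ("proto", "local_ip", "local_port", "remote_ip", "remote_port")

@dataclass(frozen=True)
class Filter:
    datapath: str                      # "express" or "enterprise"
    proto: str
    local_ip: str
    local_port: int
    remote_ip: Optional[str] = None    # None = wildcard (3-tuple filter)
    remote_port: Optional[int] = None  # None = wildcard (3-tuple filter)

    def specified(self):
        """Return only the match fields this filter pins down."""
        return {k: getattr(self, k) for k in FIELDS if getattr(self, k) is not None}

def shadows(express: Filter, enterprise: Filter) -> bool:
    """True if the Express filter is less specific than the Enterprise filter
    and every field it specifies equals the Enterprise filter's value."""
    e, n = express.specified(), enterprise.specified()
    return len(e) < len(n) and all(n.get(k) == v for k, v in e.items())

def find_shadowing(filters):
    """Return (express, enterprise) pairs where shadowing is possible."""
    express = [f for f in filters if f.datapath == "express"]
    enterprise = [f for f in filters if f.datapath == "enterprise"]
    return [(x, n) for x, n in product(express, enterprise) if shadows(x, n)]

# Constructed sample filter plan (documentation address ranges).
SAMPLE = [
    # Enterprise 5-tuple: one accepted TCP connection.
    Filter("enterprise", "tcp", "192.0.2.10", 443, "198.51.100.7", 50000),
    # Express 3-tuple on the same local IP/port: overlaps the 5-tuple above.
    Filter("express", "tcp", "192.0.2.10", 443),
    # Express 3-tuple on a dedicated IP address: cannot overlap.
    Filter("express", "udp", "192.0.2.20", 9000),
    # Enterprise 3-tuple on the shared IP: same port, different IP, no overlap.
    Filter("enterprise", "udp", "192.0.2.10", 9000),
]

if __name__ == "__main__":
    for x, n in find_shadowing(SAMPLE):
        print(f"possible shadowing: express {x.specified()} over enterprise {n.specified()}")
```

The flagged pair is the 3-tuple versus 5-tuple case from the list; the Express filter on its own IP address is not flagged, which corresponds to the first mitigation.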