- Subject: module order: tcp/conntrack vs. conntrack/tcp
- From: Wouter <wouter-netfilter@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 02 Jul 2012 08:02:19 -0400
- User-agent: RoundCube Webmail/0.3-stable
Hello,
I'm wondering about the practical difference between these seemingly
equivalent rules (notice the module order):
iptables -A INPUT -i eth0 -p tcp --dport 8140 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT
[root@test1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8140 state NEW
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8140
Rule 1: TCP --> state
Rule 2: state --> TCP
While I always use the form of rule 1 (filter first, then state NEW), I
found some systems configured like rule 2 – which appears to have the same
end result – and I wonder if rule 2 (state first, then filter) has any side
effects or causes more overhead.
Thanks for any insight!
Wouter
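As an added illustration (not part of Wouter's post) of what the module order changes: iptables evaluates a rule's matches in the order they were given and stops at the first match that fails, so the two rules accept exactly the same packets and differ only in which match does the rejecting work for packets that are not accepted. The conntrack state is attached to the packet before the filter table is reached, so the `state` match is a cheap check either way. This toy model counts the match evaluations per rule over a handful of constructed packet records; the match functions and records are assumptions for illustration, not kernel code.

```python
# Toy model of iptables match evaluation order (added example, not from the post).
# Both rules carry the same two matches; only their order differs. `-p tcp` is checked
# by the IP-header match before either list is entered, so non-TCP packets never reach it.
from collections import Counter


def tcp_dport(packet, port):
    # Equivalent of `-m tcp --dport <port>` (loaded implicitly by `-p tcp --dport`).
    return packet["proto"] == "tcp" and packet["dport"] == port


def ct_state(packet, wanted):
    # Equivalent of `-m state --state ...`; conntrack has already classified the packet.
    return packet["state"] in wanted


RULE1 = [("tcp dpt:8140", lambda p: tcp_dport(p, 8140)),   # filter first, then state
         ("state NEW", lambda p: ct_state(p, {"NEW"}))]
RULE2 = list(reversed(RULE1))                               # state first, then filter


def evaluate(rule, packet, counter):
    # Matches run in list order; the first failing match short-circuits the rest.
    for name, match in rule:
        counter[name] += 1
        if not match(packet):
            return False
    return True


def compare(rules, packets):
    # Returns {label: (verdicts, evaluation counts)} so the two orders can be contrasted.
    results = {}
    for label, rule in rules.items():
        counter = Counter()
        verdicts = [evaluate(rule, p, counter) for p in packets]
        results[label] = (verdicts, dict(counter))
    return results


# Constructed sample traffic: only the first record should be accepted by either rule.
PACKETS = [
    {"proto": "tcp", "dport": 8140, "state": "NEW"},
    {"proto": "tcp", "dport": 22,   "state": "NEW"},
    {"proto": "tcp", "dport": 8140, "state": "ESTABLISHED"},
    {"proto": "tcp", "dport": 22,   "state": "ESTABLISHED"},
]

if __name__ == "__main__":
    for label, (verdicts, counts) in compare({"rule1": RULE1, "rule2": RULE2}, PACKETS).items():
        print(label, verdicts, counts)
```

The verdict lists come out identical; only the per-match evaluation counts differ, which is the whole practical difference between the two orderings.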