Re: module order: tcp/conntrack vs. conntrack/tcp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2012-07-02 8:16, Jan Engelhardt wrote:
The use of -m conntrack (state is obsolete) is cheaper than people
think, because the ct belonging to a packet is already long determined,
so looking at the state is quite simple.

I just discovered that -m state is obsolete. There not much to read about -m conntrack on the mailing lists (this one or the dev one). Would you care the elaborate on the advantages of the conntrack module as opposed to the state one ?

Should we also stop using -p, -s, -d, --sport and --dport and replace them with the equivalents in the conntrack module ?

conntrack match options:
[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]
                               State(s) to match
[!] --ctproto proto Protocol to match; by number or name, e.g. "tcp"
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
                               Original/Reply source/destination address
[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
TCP/UDP/SCTP orig./reply source/destination port
[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]
                               Status(es) to match
[!] --ctexpire time[:time]     Match remaining lifetime in seconds against
                               value or range of values (inclusive)
    --ctdir {ORIGINAL|REPLY}   Flow direction of packet


Thanks,
Julien

--
Julien Vehent - http://1nw.eu/!j
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux