Re: module order: tcp/conntrack vs. conntrack/tcp


On 2012-07-02 8:16, Jan Engelhardt wrote:
> The use of -m conntrack (state is obsolete) is cheaper than people
> think, because the ct belonging to a packet is already long determined,
> so looking at the state is quite simple.

I just discovered that -m state is obsolete. There is not much to read about -m conntrack on the mailing lists (this one or the dev one). Would you care to elaborate on the advantages of the conntrack module as opposed to the state one?

Should we also stop using -p, -s, -d, --sport and --dport and replace them with the equivalents in the conntrack module?

conntrack match options:
                               State(s) to match
[!] --ctproto proto            Protocol to match; by number or name, e.g. "tcp"
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
                               Original/Reply source/destination address
[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
                               TCP/UDP/SCTP orig./reply source/destination port
                               Status(es) to match
[!] --ctexpire time[:time]     Match remaining lifetime in seconds against
                               value or range of values (inclusive)
    --ctdir {ORIGINAL|REPLY}   Flow direction of packet


Julien Vehent -!j
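As an added example (not part of this thread), a small shell helper that rewrites an iptables-save dump from the obsolete state match to the conntrack match discussed above. The rule lines are constructed for the demonstration; the header matches (-p, -s, -d, --sport, --dport) are deliberately left untouched, since --ctorigsrc and friends test the connection's original tuple rather than the packet header.

```shell
#!/bin/sh
# Constructed sample of iptables-save output that still uses "-m state".
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state ! --state NEW -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
COMMIT'

# Rewrite "-m state [!] --state X" into "-m conntrack [!] --ctstate X",
# preserving an optional negation. Header matches (-p/-s/-d/--sport/--dport)
# are kept as they are: they test the packet, while --ctorigsrc/--ctorigdst
# test the conntrack entry's original tuple, which differs once NAT applies.
migrate_state_match() {
    sed -E 's/-m state( !)? --state /-m conntrack\1 --ctstate /g'
}

# Count rules that still use the legacy match, so a migration can be checked.
# grep -c exits 1 when the count is 0; "|| true" keeps the count usable.
count_legacy_state() {
    grep -c -- '-m state' || true
}

migrated=$(printf '%s\n' "$SAMPLE_RULES" | migrate_state_match)
printf '%s\n' "$migrated"
printf 'legacy state matches remaining: %s\n' \
    "$(printf '%s\n' "$migrated" | count_legacy_state)"
```

Run it against a real dump with `iptables-save | migrate_state_match`, then review the result before loading it with iptables-restore.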