[clug] conntrack --ctstate or state --state?
u4955237 at anu.edu.au
Mon Dec 2 04:32:52 MST 2013
I'm on a Debian 7 machine, and I am confused as to which one is best for my iptables rules.
I have searched the net:
Both use the same kernel internals underneath (the connection tracking subsystem).
Header of xt_conntrack.c:
xt_conntrack - Netfilter module to match connection tracking
information. (Superset of Rusty's minimalistic state match.)
So I would say: the state module is simpler (and maybe less error-prone). It has also been in the kernel longer. Conntrack, on the other hand, has more options and features.
My call is to use conntrack if you need its features; otherwise stick with the state module.
What do you guys think?
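As an added illustration (not part of the original post or the quoted answer), the script below writes the same minimal stateful INPUT policy in both syntaxes and shows one rule that only the conntrack match can express. The rules, the port numbers (22 for SSH, 21 for FTP control) and the interface name are constructed for the example; both matches accept the identical INVALID/NEW/ESTABLISHED/RELATED keywords, so the state form can be rewritten mechanically into the conntrack form.

```shell
#!/bin/sh
# Constructed example: a stateful firewall written with "-m state" and the
# same policy written with "-m conntrack". Nothing here is taken from the
# original thread; ports and interfaces are illustrative.

# Rewrite one rule from the older "state" match to the "conntrack" match.
# Only the match name and option name change; the state keywords are shared.
state_to_conntrack() {
    printf '%s\n' "$1" | sed -e 's/-m state --state /-m conntrack --ctstate /'
}

# Minimal stateful policy in iptables-restore format, "state" syntax.
# Order matters: INVALID is dropped first, then existing flows are accepted,
# then only NEW SSH is allowed through the default DROP policy.
state_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The same policy after a mechanical translation to the conntrack match.
conntrack_ruleset() {
    state_ruleset | while IFS= read -r line; do
        state_to_conntrack "$line"
    done
}

# A rule the "state" match cannot express: accept RELATED flows only when
# the original (parent) connection was an FTP control session on port 21,
# so that e.g. ICMP errors related to other traffic are not matched here.
# --ctproto and --ctorigdstport are xt_conntrack options (kernel 2.6.28+).
conntrack_only_rule() {
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED --ctproto tcp --ctorigdstport 21 -j ACCEPT'
}

# Count leftover "-m state" matches in a ruleset read from stdin; a complete
# translation returns 0.
count_state_matches() {
    grep -c -- '-m state' || true
}

# Optional syntax check against the real parser without committing anything
# (requires root and the iptables userspace; "iptables-restore -t" only
# parses and builds the ruleset). Call this by hand, e.g.:
#   conntrack_ruleset | dry_run_check
dry_run_check() {
    iptables-restore -t
}

# Print both forms so they can be compared side by side.
state_ruleset
echo
conntrack_ruleset
echo
conntrack_only_rule
```

The translation is safe in one direction only: every `--state` rule has a `--ctstate` equivalent, but conntrack-only options such as `--ctproto`, `--ctorigdstport`, `--ctdir` or `--ctstatus` have no counterpart in the state match, which is the practical reason to pick conntrack when a rule needs them.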