[clug] conntrack --ctstate or state --state?
Logan McLintock
u4955237 at anu.edu.au
Mon Dec 2 04:32:52 MST 2013
Hi guys,
I'm on a Debian 7 machine, and I am confused as to which one is best for my iptables rules.
I have searched the net:
http://serverfault.com/questions/358996/iptables-whats-the-difference-between-m-state-and-m-conntrack
and found
Both use the same kernel internals underneath (connection tracking subsystem).
Header of xt_conntrack.c:
xt_conntrack - Netfilter module to match connection tracking
information. (Superset of Rusty's minimalistic state match.)
So I would say -- the state module is simpler (and maybe less error prone). It's also been in the kernel longer. Conntrack on the other side has more options and features[1].
My call is to use conntrack if you need its features, otherwise stick with the state module.
What do you guys think?
Regards,
Logan
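To make the comparison concrete, here is an added example (not from the thread or the serverfault answer) that emits the same minimal stateful INPUT ruleset in either syntax, plus one rule that only xt_conntrack can express. It assumes a plain iptables setup and an SSH service on port 22; it only prints the commands, so run it as root piped into sh if you actually want to apply them.

```shell
#!/bin/sh
# stateful_rules MODULE
#   MODULE is "state"     -> rules written with  -m state --state
#   MODULE is "conntrack" -> rules written with  -m conntrack --ctstate
# Both forms are evaluated by the same kernel connection-tracking
# subsystem; only the match option names differ. The conntrack module
# additionally exposes per-flow attributes (direction, status, original
# and reply addresses/ports) that the state module does not.
stateful_rules() {
    mod=$1
    case "$mod" in
        state)     match='-m state --state' ;;
        conntrack) match='-m conntrack --ctstate' ;;
        *) echo "stateful_rules: unknown module '$mod'" >&2; return 1 ;;
    esac
    # Drop packets conntrack could not classify (bad TCP flags, stray replies).
    echo "iptables -A INPUT $match INVALID -j DROP"
    # Accept replies to connections we initiated and related flows (e.g. FTP data).
    echo "iptables -A INPUT $match ESTABLISHED,RELATED -j ACCEPT"
    # Only the first packet of a new SSH connection has to pass this rule;
    # later packets are accepted by the ESTABLISHED rule above.
    echo "iptables -A INPUT -p tcp --dport 22 $match NEW -j ACCEPT"
    if [ "$mod" = conntrack ]; then
        # conntrack-only: match by packet direction relative to the flow.
        # Log ESTABLISHED packets travelling in the ORIGINAL direction that
        # target port 22 (assumed example rule; --ctdir is not in xt_state).
        echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED --ctdir ORIGINAL -j LOG --log-prefix 'ssh-orig: '"
    fi
    # Everything else on INPUT is dropped.
    echo "iptables -A INPUT -j DROP"
}

# Stand-alone use: print the ruleset for the module named as first argument
# (defaults to conntrack). Apply with:  sh this.sh state | sudo sh
stateful_rules "${1:-conntrack}"
```

Swapping between the two forms therefore only changes the match options; a ruleset that does not use direction, status or original/reply tuple matching works identically with either module.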