On Tue 16/09/2003 at 17:50, Ramin Dousti wrote:
> > Can I ask you why do you want to turn off the conntrack?
> I don't. I just wanted to learn from the people who were saying "just don't
> load the ip_conntrack..."

I assume that if someone wants to fall back on stateless filtering, it is for saving load on his box. I may be missing something, but I really don't see another reason.

Once ip_conntrack is loaded, all packets are tracked anyway, whether you use state match or not. Yes, one can write a whole stateless ruleset with conntrack running, but what's the point: the cost implied by a rule with state matching and one without is the same, as state flagging is done anyway!

That's why assuming that stateless is for saving load implies ip_conntrack module removal. But, as it relies on conntrack, NAT is broken. It is as simple as this.

So, the remaining question is "why does the OP want to fall back to stateless filtering". If the answer is "to save load", then he will have to remove ip_conntrack. If the answer is... well, I don't know, anything else, such as "I like writing weak rulesets for fun with powerful tools", then not using state matching will be sufficient.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
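The two rulesets the message contrasts, written out side by side as an added example (this is not code from the thread or from the netfilter project). It emits iptables-restore format for a stateless filter, which has to admit return traffic with broad header-only rules, and for a stateful filter, which collapses those into one ESTABLISHED,RELATED rule and can carry a nat table because conntrack is present. The interface name, internal network and ports are assumed placeholders; `conntrack_dependent_rules` counts the lines that would stop working if ip_conntrack were unloaded. Without arguments the script only prints; the `apply-*` modes pipe into iptables-restore and need root on a netfilter host.

```shell
#!/bin/sh
# Added example: stateless vs stateful iptables rulesets in iptables-restore
# format. WAN, LAN and port numbers below are assumed placeholders.

WAN=eth0              # assumed external interface
LAN=192.168.1.0/24    # assumed internal network

# Stateless filter: every packet is judged on its headers alone, so return
# traffic must be admitted by broad rules (any non-SYN TCP, any UDP from
# port 53). This is the "weak ruleset" the message refers to; it needs no
# conntrack and cannot do NAT.
stateless_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
COMMIT
EOF
}

# Stateful filter: ip_conntrack classifies every packet whether or not a
# rule asks, so the state match costs nothing extra per packet. Return
# traffic is admitted only for connections the box has seen, INVALID is
# dropped, and a nat table (which depends on conntrack) becomes possible.
stateful_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN -o $WAN -m state --state NEW -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Count the lines of a ruleset that rely on connection tracking: any
# "--state" match and any nat table. 0 means the ruleset would still load
# and work with ip_conntrack removed (the "save load" case in the message).
conntrack_dependent_rules() {
    "$1" | grep -c -e '--state' -e '^\*nat' || true
}

case "${1:-}" in
    apply-stateless) stateless_ruleset | iptables-restore ;;
    apply-stateful)  stateful_ruleset  | iptables-restore ;;
    *)
        echo "# stateless ruleset (conntrack-dependent lines: $(conntrack_dependent_rules stateless_ruleset))"
        stateless_ruleset
        echo "# stateful ruleset (conntrack-dependent lines: $(conntrack_dependent_rules stateful_ruleset))"
        stateful_ruleset
        ;;
esac
```

Note the trade the message describes: the stateless set saves the conntrack table entirely, but its `! --syn` and `--sport 53` rules admit any packet that merely looks like a reply; the stateful set keeps conntrack loaded (so there is no load saving) and in exchange admits only replies to connections the box actually initiated, and is the only one of the two that can MASQUERADE.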