On Tue, Sep 16, 2003 at 06:57:13PM +0200, Cedric Blancher spoke thusly:

> On Tue 16/09/2003 at 17:50, Ramin Dousti wrote:
> > > Can I ask you why do you want to turn off the conntrack?
> > I don't. I just wanted to learn from the people who were saying "just don't
> > load the ip_conntrack..."
>
> I assume that if someone wants to fall back on stateless filtering it is for
> saving load on his box. I may be missing something, but I really don't see
> another reason. Once ip_conntrack is loaded, all packets are tracked
> anyway, whether you use state match or not. Yes, one can write a whole
> stateless ruleset with conntrack running, but what's the point: the cost
> implied by a rule with state matching and one without is the same, as
> state flagging is done anyway!
>
> That's why assuming that stateless is for saving load implies ip_conntrack
> module removal. But, as it relies on conntrack, NAT is broken. It is as
> simple as this.

(snip)

In regards to system load (stateful vs non-stateful) -- the following paper states that might not always be the case. YMMV of course.

http://www.benzedrine.cx/pf-paper.html

Furthermore, the pf performance tricks do seem rather nice to me :-) But I'm not a coder, so the logic complexity might be excessive.