On Mon, February 7, 2005 7:00 am, Alexander Piavka said:
>
> Hello, I have a question about connection tracking.

Hi

> If I have at least one iptables rule with -m state, no matter in which
> chain, then the conntrack module gets loaded in all iptables hooks and
> thus all packets will be connection tracked, even if I need to track
> only a small subset of packets. This means that the only way to avoid
> connection tracking for most of the packets is to use the NOTRACK module
> in the raw table to match them. Is my understanding correct?

Yes. This is right. Keep in mind that conntrack is a hook in the packet
traversal just like any other hook (PREROUTING, INPUT, FORWARD, ...).
Usually, that's the first hook ever. But, with the raw table, there's a
new hook registered before conntrack. That's why you can tell: that packet
which is not going to TCP X and host X, just don't track it (NOTRACK).

> Or can I avoid connection tracking without the use of NOTRACK modules?

Without NOTRACK, it's no conntrack for all or conntrack for all. There's
no in-between.

> Thanks a lot
> Piavlo Alexander

HTH,
Samuel
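The raw-table approach Samuel describes, as an added example that is not part of the original thread: a small shell script that emits an iptables-restore(8) fragment for the raw table. Each service you pass as proto/port (the "tcp/22" spec format, the function name gen_raw_table, and the sample services are assumptions of this example) gets an ACCEPT rule in the raw PREROUTING and OUTPUT chains; ACCEPT in the raw table only ends traversal of that chain, so those packets continue into the conntrack hook and are tracked normally. A final NOTRACK rule in each chain catches everything else before conntrack ever sees it, which is the "small subset tracked, the rest not" split the question asks for.

```shell
#!/bin/sh
# Added example (not from the original mail): build a raw-table ruleset that
# connection-tracks only the listed services and marks the rest NOTRACK.
#
# Usage:  sh notrack.sh tcp/22 udp/53 | iptables-restore --noflush
# The spec format "proto/port" and the function name are this example's own.

gen_raw_table() {
    printf '%s\n' '*raw'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    for spec in "$@"; do
        proto=${spec%/*}
        port=${spec#*/}
        case "$proto" in
            tcp|udp) ;;
            *)
                printf 'unsupported spec: %s (want tcp/PORT or udp/PORT)\n' "$spec" >&2
                return 1
                ;;
        esac
        # ACCEPT in the raw table is not a filter decision: it only stops raw-chain
        # traversal, so the packet goes on to the conntrack hook and is tracked.
        # Both directions are matched (dport for requests, sport for replies) so
        # the whole flow is tracked whether the box forwards it or terminates it.
        for chain in PREROUTING OUTPUT; do
            printf '%s\n' "-A $chain -p $proto --dport $port -j ACCEPT"
            printf '%s\n' "-A $chain -p $proto --sport $port -j ACCEPT"
        done
    done

    # Anything still in the chain is not one of the tracked services:
    # NOTRACK here means conntrack never creates an entry for it.
    printf '%s\n' '-A PREROUTING -j NOTRACK'
    printf '%s\n' '-A OUTPUT -j NOTRACK'
    printf '%s\n' 'COMMIT'
}

# Stand-alone use: print the fragment for the services given on the command line.
if [ $# -gt 0 ]; then
    gen_raw_table "$@"
fi
```

Order matters: the per-service ACCEPT rules must sit above the NOTRACK rule, otherwise every packet is untracked and the -m state rules in the filter table never see a NEW or ESTABLISHED packet. Two checks worth doing after loading it: confirm with iptables -t raw -L -n -v that the NOTRACK counters climb for bulk traffic while the ACCEPT counters climb only for the tracked ports, and confirm that the conntrack table (/proc/net/ip_conntrack on kernels of that era, conntrack -L on newer systems) only ever holds entries for those ports. One caveat: untracked packets do not match --state NEW or ESTABLISHED; the state match reports them as UNTRACKED, so a filter policy built only on ESTABLISHED,RELATED needs explicit rules for the traffic you chose not to track.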