On Tue, 21 Jun 2005, Feizhou wrote:

> > > I do see that you've disabled CONFIG_IP_NF_CONNTRACK, which is a very
> > > odd choice. Connection tracking is the strength of iptables!
> >
> > You mean weakness.
> >
> > netfilter's conntrack module sucks in performance and at the same time
> > is not fully stateful.

Could you please back your claims with data (performance) and examples
(not fully stateful)?

About netfilter performance *data* you can read
http://people.netfilter.org/kadlec/nftest.pdf.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary