On 2012-07-02 8:16, Jan Engelhardt wrote:
> The use of -m conntrack (state is obsolete) is cheaper than people
> think, because the ct belonging to a packet is already long determined,
> so looking at the state is quite simple.
I just discovered that -m state is obsolete. There's not much to read about -m
conntrack on the mailing lists (this one or the dev one). Would you care to
elaborate on the advantages of the conntrack module as opposed to the state
one?
Should we also stop using -p, -s, -d, --sport and --dport and replace them
with the equivalents in the conntrack module?
conntrack match options:
[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]
                                State(s) to match
[!] --ctproto proto             Protocol to match; by number or name, e.g. "tcp"
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
                                Original/Reply source/destination address
[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
                                TCP/UDP/SCTP orig./reply source/destination port
[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]
                                Status(es) to match
[!] --ctexpire time[:time]      Match remaining lifetime in seconds against
                                value or range of values (inclusive)
    --ctdir {ORIGINAL|REPLY}    Flow direction of packet
Thanks,
Julien
--
Julien Vehent - http://1nw.eu/!j
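As an added example (not part of this thread and not iptables project code; the interface names, 203.0.113.5 and 192.168.1.10 are assumptions), here is a small ruleset that replaces -m state with -m conntrack and uses the tuple fields from the help output above. It also shows why -p/-s/-d/--dport are not simply interchangeable with --ctproto/--ctorigsrc/--ctorigdst: the former test the packet header as it looks at the current hook, the latter test the connection's original or reply tuple, and the two differ for reply packets and for NATed flows. By default the script only prints the commands; APPLY=1 hands them to iptables.

```shell
#!/bin/sh
# Added example for this thread, not code from the original message.
# Builds a small filter/NAT ruleset with -m conntrack in place of the
# obsolete -m state, and shows where the conntrack-tuple fields differ
# from the packet-header matches -s/-d/--dport.
# Interface names and addresses below are assumptions for illustration.
# By default the rules are only printed; run with APPLY=1 (as root) to
# hand them to iptables.

WAN=eth0
LAN=eth1
WAN_IP=203.0.113.5          # assumed public address on $WAN
WEB_SERVER=192.168.1.10     # assumed internal host reached via DNAT

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

emit_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Reply-direction accounting, placed before the ESTABLISHED accept so
    # it actually sees traffic. A reply from the web server still carries
    # src=$WEB_SERVER in FORWARD (the reverse NAT mapping is applied later,
    # in POSTROUTING), but the conntrack reply tuple names the server at
    # every hook, so match the reply tuple rather than the header.
    ipt -A FORWARD -m conntrack --ctdir REPLY --ctproto tcp \
        --ctreplsrc "$WEB_SERVER" --ctreplsrcport 80

    # The conntrack entry is looked up before the filter table runs, so
    # checking its state is a cheap bitmask test. This is the old
    # "-m state --state ESTABLISHED,RELATED" rule in its current form.
    ipt -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack could not associate with any flow.
    ipt -A INPUT   -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    ipt -A INPUT -i lo -j ACCEPT
    # -p/--dport match the packet header; --ctstate NEW comes from the
    # conntrack entry. Both are needed: the header tells you the service,
    # the ct tells you this is the first packet of the flow.
    ipt -A INPUT -i "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Publish the internal web server on the WAN address.
    ipt -t nat -A PREROUTING -i "$WAN" -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"

    # In FORWARD the header already has the post-DNAT destination, so
    # -d "$WEB_SERVER" would match here. --ctorigdst instead matches what the
    # client originally sent to ($WAN_IP), which -d cannot express after
    # DNAT. Note that --ctstate matches if ANY listed state applies:
    # "NEW,DNAT" would match every packet of a DNAT flow, so the NAT
    # condition is expressed through the original tuple, not --ctstate DNAT.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp --dport 80 \
        -m conntrack --ctstate NEW --ctdir ORIGINAL --ctorigdst "$WAN_IP" \
        -j ACCEPT
}

emit_rules
```

Run it as-is to review the generated rules, then `APPLY=1 sh script.sh` as root to load them; the ordering matters, since the accounting rule only counts anything because it precedes the ESTABLISHED,RELATED accept.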
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html