Re: location of conntrack rules

On 24.10.24 at 00:10, Matt Zagrabelny wrote:
> Greetings,
>
> I have, what could be, a simple question.
>
> Do folks put their connection tracking rules near the top (earlier
> rule) of their ruleset, or near the bottom (later rule)?
>
> I used to believe that it "made sense" to have the conntrack rules
> earlier in the rule set, because the packets would be
> related/established and wouldn't need to hit the other rules
> unnecessarily.
>
> However, the conntrack requires more kernel memory to track the
> packets. Therefore if every connection is tracked, then that would
> drive up the memory required for having the conntrack track every
> connection/packet - thus possibly exhausting the memory and not
> allowing other packets through.
Completely irrelevant.

the conntrack happens no matter where your rules are long before
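As an added illustration (not code from the thread or from either poster), the script below writes a conventional nftables ruleset with the ct state rule first in the filter chain, and, since the reply's point is that conntrack runs in its own hook regardless of where the filter rules sit, shows the place where entry creation is actually controlled: a notrack rule in a raw-priority chain. It also defines a small helper that reads nf_conntrack_count against nf_conntrack_max to see how close the table is to full. The file path, the choice of DNS as the untracked service and the 90% threshold are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from either poster.
# Assumed: file path, DNS (port 53) as the service left untracked, and
# the 90% warning threshold.

RULESET="${TMPDIR:-/tmp}/ct-example.nft"

# Load with:  nft -f "$RULESET"   (needs root; nft -c -f only checks syntax)
cat > "$RULESET" <<'EOF'
flush ruleset
table inet filter {
    # raw priority (-300) runs before the conntrack hook (-200): a packet
    # marked notrack here never gets a conntrack entry.  This is where
    # conntrack memory use is decided, not by where the ct state rule sits.
    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack          # inbound DNS queries to a local resolver
    }
    chain raw_output {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack          # and the resolver's replies
    }
    chain input {
        type filter hook input priority filter; policy drop;
        # Placing this first only saves evaluating the rules below for
        # packets that already belong to a tracked flow; the entry was
        # created in the conntrack hook before this chain was reached.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # untracked packets never match established/related, so they need
        # their own accept rule or the drop policy eats them
        udp dport 53 ct state untracked accept
        tcp dport 22 ct state new accept
    }
}
EOF

# Report conntrack table occupancy.  Defaults to the kernel's live counters;
# both paths can be overridden so the function can be run on a snapshot.
# Exit status: 0 below 90% full, 1 at or above (once nf_conntrack_count
# reaches nf_conntrack_max the kernel drops packets of new flows), 2 if a
# counter cannot be read.
ct_usage() {
    count_file="${1:-/proc/sys/net/netfilter/nf_conntrack_count}"
    max_file="${2:-/proc/sys/net/netfilter/nf_conntrack_max}"
    count=$(cat "$count_file" 2>/dev/null) || return 2
    max=$(cat "$max_file" 2>/dev/null) || return 2
    [ "$max" -gt 0 ] || return 2
    pct=$((count * 100 / max))
    echo "conntrack: $count/$max entries (${pct}%)"
    [ "$pct" -lt 90 ]
}

# Stand-alone run: show live occupancy when the conntrack module is loaded.
if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
    ct_usage || :
fi
```

Two things worth keeping apart when reading this: moving the ct state rule up or down changes only how many rules a packet of an existing flow has to traverse; whether a packet gets a conntrack entry at all is settled in the conntrack hook, so the only rule that changes memory consumption is notrack in a chain that runs before that hook. The ceiling on entries is nf_conntrack_max (sysctl net.netfilter.nf_conntrack_max), which is what to raise, together with the hash size, on a box that actually approaches it.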
