From: Jan Engelhardt <jengelh@inai.de>
To: Julien Vehent <julien@linuxwall.info>
Cc: netfilter@vger.kernel.org
Subject: Re: module order: tcp/conntrack vs. conntrack/tcp
Date: Tue, 3 Jul 2012 13:56:06 +0200 (CEST)	[thread overview]
Message-ID: <alpine.LNX.2.01.1207031320400.28179@frira.zrqbmnf.qr> (raw)
In-Reply-To: <6b9bf8d2fbee67290e206ae8bef72242@njm.linuxwall.info>

On Tuesday 2012-07-03 03:57, Julien Vehent wrote:

> On 2012-07-02 8:16, Jan Engelhardt wrote:
>> The use of -m conntrack (state is obsolete) is cheaper than people
>> think, because the ct belonging to a packet is already long determined,
>> so looking at the state is quite simple.
>
>I just discovered that -m state is obsolete. There's not much to read 
>about -m conntrack on the mailing lists (this one or the dev one). 
>Would you care to elaborate on the advantages of the conntrack module 
>as opposed to the state one?

More states that can be checked.


>Should we also stop using -p, -s, -d, --sport and --dport and replace 
>them with the equivalents in the conntrack module?

1. That is for you to decide. As always, different matches only
exist because their semantics are reasonably different from the rest.
Consider

-A FORWARD -s 2001:db8::4 -j ACCEPT
-A FORWARD -d 2001:db8::4 -j ACCEPT

and

-A FORWARD -m conntrack --ctorigsrc 2001:db8::4 -j ACCEPT

The former will allow all packets from and to 2001:db8::4 no matter who 
started.

The latter will only accept packets that belong to connections initiated 
by 2001:db8::4; 2001:db8::4 can be in the srcip or the dstip field.
Some inexperienced people may be sufficiently puzzled by that.

So in a way, the latter check is stricter and matches less, but if that
is what you actually want, you just discovered a rule saver.


2. If you have connection pickup enabled, the order of the orig
and repl tuples depends on who we see a packet from first.
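An added example, not from the thread, that models both points above with a minimal conntrack table in Python: the `-s/-d` pair versus `--ctorigsrc`, and what pickup does to the orig tuple. The peer address and the flows are constructed sample data; only 2001:db8::4 comes from the rules quoted above.

```python
HOST = "2001:db8::4"   # the address the rules in the thread refer to

class Conntrack:
    """One conntrack entry. 'orig' is the (src, dst) tuple of the first
    packet netfilter saw for the flow; 'reply' is its mirror image."""
    def __init__(self, first_pkt):
        self.orig = first_pkt
        self.reply = (first_pkt[1], first_pkt[0])

def ct_lookup(table, pkt):
    """Find the entry owning pkt, or create one from it (pickup):
    whoever is seen first becomes the 'original' direction."""
    for ct in table:
        if pkt in (ct.orig, ct.reply):
            return ct
    ct = Conntrack(pkt)
    table.append(ct)
    return ct

def match_src_or_dst(table, pkt):
    """-A FORWARD -s HOST / -A FORWARD -d HOST: header only, direction
    and who initiated are irrelevant."""
    ct_lookup(table, pkt)   # conntrack still runs; its answer is unused
    return HOST in pkt

def match_ctorigsrc(table, pkt):
    """-A FORWARD -m conntrack --ctorigsrc HOST: matches packets in
    *both* directions, but only for flows whose original tuple was
    sourced by HOST, i.e. flows HOST started (as far as conntrack knows)."""
    return ct_lookup(table, pkt).orig[0] == HOST

def demo():
    """Three constructed scenarios; returns the match results."""
    peer = "2001:db8::99"                    # constructed peer address
    out, back = (HOST, peer), (peer, HOST)   # request and its reply
    t1 = []                                  # HOST initiates
    host_started = (match_ctorigsrc(t1, out), match_ctorigsrc(t1, back))
    t2 = []                                  # peer initiates
    peer_started = (match_src_or_dst(t2, back), match_ctorigsrc(t2, back),
                    match_ctorigsrc(t2, out))
    t3 = []                                  # pickup: firewall starts
    ct_lookup(t3, back)                      # mid-flow and sees the
    pickup = match_ctorigsrc(t3, out)        # peer's packet first
    return host_started, peer_started, pickup
```

In the pickup scenario the flow was really started by 2001:db8::4, yet `--ctorigsrc` does not match its packets because the peer's packet populated the orig tuple.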
