new netfilter user question

aaz aaz@webcapacity.com
Sun, 29 Jul 2001 10:54:31 -0600


a followup.

> > If we do not include the ip_conntrack module into the kernel, does netfilter
> > basically NOT track connections and our filters just end up working like
> > ipchains?
>
> Exactly. You lose NAT in all its variants, and you lose the '-m state'
> match in the filter chains. Normal per-packet filter table, and mangle
> table stuff should work fine.

What is generally better performing? Not loading ip_conntrack and just using
ipchains-like filters, OR using ip_conntrack and the state module in rules?
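The two filter styles contrasted in the quoted reply, side by side, as an added example that is not part of the list message. Without ip_conntrack the only way to let return traffic in is by packet shape (non-SYN TCP and UDP to high ports); with ip_conntrack loaded, `-m state` accepts return traffic only for flows the kernel has already seen leaving. The external interface name `eth0` and the `IPT` dry-run default (`echo iptables`, so the script prints rules instead of applying them) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the list message. IPT defaults to "echo iptables"
# so the rulesets are printed rather than loaded; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"   # assumed name of the external interface

# ipchains-style stateless filter: ip_conntrack not loaded, so '-m state' is
# unavailable. Replies to outbound connections must be admitted by shape alone:
# any non-SYN TCP segment or any UDP datagram aimed at an ephemeral port.
stateless_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp ! --syn --dport 1024:65535 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --dport 1024:65535 -j ACCEPT
}

# Stateful filter: ip_conntrack loaded. Return traffic is accepted only when
# conntrack has already recorded the outbound half of that connection, and
# new connections are admitted per service; packets that fit no known flow
# are dropped explicitly.
stateful_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
}

# Number of rules in a ruleset that depend on the state match; a ruleset that
# must work without ip_conntrack has to report 0 here.
count_state_rules() {
    "$1" | grep -c -- '-m state' || true
}

echo "# stateless (ipchains-like, no ip_conntrack):"
stateless_rules
echo "# stateful (ip_conntrack + '-m state'):"
stateful_rules
```

The stateless ruleset is what the reply means by "normal per-packet filter table stuff": it still works with ip_conntrack absent, but the two return-traffic rules accept any high-port packet of the right shape regardless of whether a matching outbound connection exists. The stateful ruleset ties admission to connection tracking, which is the '-m state' capability lost when the module is not loaded.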