is NOTRACK modules the only way to avoid connection tracking?
Samuel Jean
sj-netfilter at cookinglinux.org
Mon Feb 7 14:55:16 CET 2005
On Mon, February 7, 2005 7:00 am, Alexander Piavka said:
>
> Hello, i have a question about connection tracking.
Hi
>
> if i have at least one iptables rule with -m state ,no matter in which
> chain,then the conntrack module gets loaded in all iptables hooks and
> thus all packets will be connection tracked, even if i need to track
> only a small subset of packets. This means that the only way to avoid
> connection tracking for most of packes is to use the NOTRACK module in raw
> table to match them. Is my understanding correct?
Yes. This is right. Keep in mind that conntrack is a hook in the packet
traversal just like any other hooks (PREROUTING, INPUT, FORWARD, ...)
Usually, that's the first hook ever. But, with the raw table, there's a new
hook registered before conntrack. That's why you can tell :
That packet which is not going to TCP X and host X, just don't track it
(NOTRACK).
> Or i can avoid connection tracking without the use of NOTRACK modules?
Without NOTRACK, that's a no conntrack for all or conntrack for all
condition. There's no beside.
>
> Thanks a lot
> Piavlo Alexander
>
HTH,
Samuel
More information about the netfilter
mailing list