Daniel Curtis wrote:
>
> So, it is better to use state module instead of conntrack,
> when it comes to filter INVALID packets or it does not
> matter, which module will be in use? What is your
> opinion on this?

It does not matter. The conntrack match has more options, but "-m conntrack --ctstate INVALID" does exactly the same as "-m state --state INVALID". The connection tracking is not performed by either module, their purpose is just to match the state of the packet, not to decide what state the packet is in.

> I know, that in e.g. iptables v1.4.16.3, state module is obsolete.
[...]
> WARNING: The state match is obsolete. Use conntrack instead.

No, the state match is not obsolete any more. The developers of iptables have finally decided that it would not be deprecated and would be aliased by the conntrack module instead, so you can safely ignore this warning.
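The equivalence described in the reply above, as an added example that is not part of the original message: a small audit helper that reads iptables-save style text and reports whether a chain drops INVALID packets, treating the "-m state --state" and "-m conntrack --ctstate" spellings as the same rule. The function names and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a saved ruleset for an INVALID drop rule, accepting
# either spelling of the match. Function names are hypothetical.

# Rewrite "-m state [!] --state X" to "-m conntrack [!] --ctstate X" so that
# rules written with either match compare equal.
canonicalize_state_match() {
    sed -E 's/-m state (! )?--state /-m conntrack \1--ctstate /g'
}

# Exit 0 if chain $1 contains a non-negated rule that DROPs packets in the
# INVALID state (alone or in a comma-separated state list). Other conditions
# on the same rule (interface, protocol, ...) are not evaluated.
drops_invalid() {
    canonicalize_state_match |
        grep -Eq -- "^-A $1 .*-m conntrack --ctstate ([A-Z,]*,)?INVALID(,[A-Z,]*)? .*-j DROP"
}

# Constructed sample rulesets in iptables-save format.
RULES_STATE='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

RULES_CT='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Negated match with ACCEPT: this is not an INVALID drop rule.
RULES_NONE='*filter
:INPUT DROP [0:0]
-A INPUT -m state ! --state INVALID -j ACCEPT
COMMIT'

printf '%s\n' "$RULES_STATE" | drops_invalid INPUT && echo "state spelling: INVALID dropped"
printf '%s\n' "$RULES_CT" | drops_invalid INPUT && echo "conntrack spelling: INVALID dropped"
printf '%s\n' "$RULES_NONE" | drops_invalid INPUT || echo "negated rule: no INVALID drop found"
```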

