What is the difference between -m conntrack --ctstate and -m state --state

I don't claim to be an expert with iptables rules, but the first command is making use of the connection tracking extension (conntrack), while the second is making use of the state extension.

Data point #1

According to this document the conntrack extension superseded state.

 Obsolete extensions:
  • -m state: replaced by -m conntrack

Data point #2

Even so, I found this SF Q&A titled: Firewall questions about state and policy?, where the OP claimed to have asked this question on IRC in #iptables@freenode. After discussing it there, he came to the conclusion that:

Technically the conntrack match supersedes - and so obsoletes - the state match. But practically the state match is not obsoleted in any way.

Data point #3

Lastly I found this SF Q&A titled: Iptables, what's the difference between -m state and -m conntrack?. The answer from this question is probably the best evidence and advice on how to view the usage of conntrack and state.

excerpt

Both use same kernel internals underneath (connection tracking subsystem).

Header of xt_conntrack.c:

xt_conntrack - Netfilter module to match connection tracking
information. (Superset of Rusty's minimalistic state match.)

So I would say -- the state module is simpler (and maybe less error prone). It has also been in the kernel longer. Conntrack, on the other hand, has more options and features [1].

My call is to use conntrack if you need its features, otherwise stick with the state module.

  • Similar question on netfilter maillist.

[1] Quite useful like "-m conntrack --ctstate DNAT -j MASQUERADE" routing/DNAT fixup ;-)

Data point #4

I found this thread from the netfilter/iptables mailing list discussions, titled: state match is obsolete 1.4.17, which pretty much says that state is just an alias to conntrack, so it doesn't really matter which you use; in both circumstances you're using conntrack.

excerpt

Actually, I have to agree. Why don't we keep "state" as an alias and accept the old syntax in "conntrack"?

state is currently aliased and translated to conntrack in iptables if the kernel has it. No scripts are broken.

If the aliasing is done in userspace, the kernel part can be removed - someday maybe.

The aliasing is already done in userspace. One types in "state" and it's converted into "conntrack" and that is then sent to the kernel. (So as far as I see if the ipt_state, etc module aliases were added to the conntrack module, even the state kernel module could be removed.)

References

  • Firewall questions about state and policy?
  • iptables: differences using conntrack or state module

I am not a netfilter expert, but I looked into the iptables-extensions man page and, surprise, there it is:

The "state" extension is a subset of the "conntrack" module.

So state is a part of conntrack and just a simpler version of it, if you really just need --state and none of the fancier features of conntrack.
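As an added illustration of what both answers describe (the userspace aliasing of `-m state` to `-m conntrack` from data point #4, and the "state is a subset of conntrack" relationship in the man page excerpt), here is a small Python helper that is not code from the page, the linked answers, or the iptables project itself. It rewrites `-m state --state X` rules into the `-m conntrack --ctstate X` form iptables sends to the kernel, rewrites conntrack rules back to `-m state` when that is possible, and flags the conntrack-only options and the SNAT/DNAT ctstate values (as listed in iptables-extensions(8)) that have no `-m state` equivalent. The rule lines in `SAMPLE_RULES` are constructed for the example; the function names are this example's own.

```python
"""Audit iptables rules: which ones truly need -m conntrack and which could use -m state.

Added example, not part of the original page or of iptables. The option lists below
are taken from iptables-extensions(8); the sample rules are constructed.
"""
import shlex

# ctstate values that both -m state and -m conntrack accept.
SHARED_STATES = {"INVALID", "ESTABLISHED", "NEW", "RELATED", "UNTRACKED"}
# ctstate values only -m conntrack understands (NAT-side state flags).
CONNTRACK_ONLY_STATES = {"SNAT", "DNAT"}
# Match options only -m conntrack provides.
CONNTRACK_ONLY_OPTS = {
    "--ctproto", "--ctorigsrc", "--ctorigdst", "--ctreplsrc", "--ctrepldst",
    "--ctorigsrcport", "--ctorigdstport", "--ctreplsrcport", "--ctrepldstport",
    "--ctstatus", "--ctexpire", "--ctdir",
}

# Constructed sample rules in iptables-save syntax (not from the page).
SAMPLE_RULES = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -m conntrack ! --ctstate NEW -j DROP",
    "-A POSTROUTING -m conntrack --ctstate DNAT -j MASQUERADE",
    "-A FORWARD -m conntrack --ctstate NEW --ctdir ORIGINAL -j ACCEPT",
]


def state_to_conntrack(rule):
    """Mirror the userspace aliasing: '-m state --state X' becomes '-m conntrack --ctstate X'."""
    toks = shlex.split(rule)
    out = []
    i = 0
    while i < len(toks):
        if toks[i] == "-m" and i + 1 < len(toks) and toks[i + 1] == "state":
            out += ["-m", "conntrack"]
            i += 2
            continue
        out.append("--ctstate" if toks[i] == "--state" else toks[i])
        i += 1
    return " ".join(out)


def needs_conntrack(rule):
    """Return the set of conntrack-only features a rule relies on.

    An empty set means the rule could be written with -m state instead.
    Unknown state names raise ValueError so typos do not pass silently.
    """
    toks = shlex.split(rule)
    reasons = set()
    for i, tok in enumerate(toks):
        if tok in CONNTRACK_ONLY_OPTS:
            reasons.add(tok)
        elif tok in ("--ctstate", "--state") and i + 1 < len(toks):
            for st in toks[i + 1].split(","):
                if st in CONNTRACK_ONLY_STATES:
                    reasons.add("--ctstate " + st)
                elif st not in SHARED_STATES:
                    raise ValueError("unknown connection state: " + st)
    return reasons


def conntrack_to_state(rule):
    """Rewrite '-m conntrack --ctstate X' as '-m state --state X', or None if the rule
    uses something only conntrack offers."""
    if needs_conntrack(rule):
        return None
    toks = shlex.split(rule)
    out = []
    i = 0
    while i < len(toks):
        if toks[i] == "-m" and i + 1 < len(toks) and toks[i + 1] == "conntrack":
            out += ["-m", "state"]
            i += 2
            continue
        out.append("--state" if toks[i] == "--ctstate" else toks[i])
        i += 1
    return " ".join(out)


def audit(rules):
    """Pair each rule with a verdict string describing whether -m state would suffice."""
    report = []
    for rule in rules:
        reasons = needs_conntrack(rule)
        verdict = ("state suffices" if not reasons
                   else "conntrack required: " + ", ".join(sorted(reasons)))
        report.append((rule, verdict))
    return report


if __name__ == "__main__":
    for rule, verdict in audit(SAMPLE_RULES):
        print(f"{verdict:40s} {rule}")
```

Run it as a script to see the verdicts for the sample rules; the first three rules are interchangeable between the two matches, while the `DNAT` ctstate and the `--ctdir` option mark rules that only `-m conntrack` can express.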

Tags:

Iptables