Iptables, what’s the difference between -m state and -m conntrack?

Both use the same kernel internals underneath (the connection tracking subsystem).

Header of xt_conntrack.c:

xt_conntrack - Netfilter module to match connection tracking
information. (Superset of Rusty's minimalistic state match.)

So I would say the state module is simpler (and maybe less error prone); it has also been in the kernel longer. Conntrack, on the other hand, has more options and features[1].

My call is to use conntrack if you need its features, otherwise stick with the state module.

A similar question was asked on the netfilter mailing list.

[1] Quite useful, e.g. "-m conntrack --ctstate DNAT -j MASQUERADE" as a routing/DNAT fixup 😉
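As an added example (not from the original post), the same stateful INPUT policy written once with -m state and once with -m conntrack, followed by the conntrack-only DNAT fixup from footnote [1]; the LAN range 192.168.1.0/24 and the internal server 192.168.1.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Same stateful policy written with
# both matches, plus the conntrack-only DNAT/MASQUERADE fixup from footnote [1].
# Assumptions (placeholders): LAN 192.168.1.0/24, internal web server 192.168.1.10.
# Default is dry-run (rules are printed); run as root with DRY_RUN= to apply them.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN-1}
LAN=${LAN:-192.168.1.0/24}
SERVER=${SERVER:-192.168.1.10}

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Classic stateful INPUT policy with Rusty's minimal state match.
stateful_rules_state() {
  run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run $IPT -A INPUT -m state --state INVALID -j DROP
}

# Identical behaviour with the conntrack match: --ctstate accepts every value
# --state does, so the two rule sets are interchangeable for this policy.
stateful_rules_conntrack() {
  run $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# Conntrack-only feature: port-forward 80 to the internal server, then
# masquerade LAN clients whose connection was DNATed, so the server's replies
# come back through this host instead of going directly to the client.
# The state match has no DNAT value, so this needs -m conntrack.
hairpin_nat() {
  run $IPT -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination "$SERVER:80"
  run $IPT -t nat -A POSTROUTING -s "$LAN" -d "$SERVER" -p tcp --dport 80 \
      -m conntrack --ctstate DNAT -j MASQUERADE
}

stateful_rules_conntrack
hairpin_nat
```

Run it as-is to print the rules; the third rule set only makes sense on the router that does the port forward.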
