[Cialug] Netfilter kernel differences

Zachary Kotlarek zach at kotlarek.com
Wed Apr 21 14:31:54 CDT 2010


On Apr 21, 2010, at 1:25 PM, Tom Pohl wrote:

> I'm really late to take notice, but is anyone familiar with netfilter's switch between using ip_conntrack and nf_conntrack in its kernel modules?
> 
> I'm more curious than anything as to what the major differences might be between the two mechanisms.  I run centos servers for the most part, so I'm still on the old skool ip_conntrack, but wonder what netfilter goodness I might be missing out on :)


The structural difference is that netfilter is family-independent, so you can get IPv4 and IPv6 (and in theory other families too, though I don't know if anyone has tried) support on the same mechanism, and can write application-level modules (nf_conntrack_ftp) that support both families.

Otherwise they're mostly the same. /proc/net/ip_conntrack becomes /proc/net/nf_conntrack. The module names change. But the actual capabilities of the dependent modules are nearly (if not exactly) the same between versions. I haven't come across any reason to run the old version unless you need a module that depends on ip_conntrack and hasn't been ported to nf_conntrack.

	Zach
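The one place the difference above actually bites tooling is the table dump: /proc/net/nf_conntrack prefixes every entry with the L3 family name and number ("ipv4 2 tcp 6 ..."), while /proc/net/ip_conntrack starts straight at the L4 protocol ("tcp 6 ..."). The following is an added example, not code from the thread or from the netfilter project: a small parser that reads either format, normalizes each entry to one record (family, L4 protocol, timeout, TCP state, original and reply tuples, flags, per-entry metadata) and counts UNREPLIED entries, which is the first thing to look at when a box is under a SYN flood or being scanned. The sample dumps are constructed for illustration, not captured from a real host; read_table() opens the live file and prefers nf_conntrack when both paths exist.

```python
"""Parse Linux connection-tracking dumps in both the legacy ip_conntrack
and the family-independent nf_conntrack formats."""
import os
from collections import Counter

# nf_conntrack supersedes ip_conntrack; a host normally has only one of these.
NF_PATH = "/proc/net/nf_conntrack"
LEGACY_PATH = "/proc/net/ip_conntrack"

# L4 protocols that print a state word (ESTABLISHED, SYN_SENT, ...) after the timeout.
STATEFUL_L4 = {"tcp", "sctp", "dccp"}

# Keys that describe the whole entry rather than one direction of it.
ENTRY_KEYS = {"mark", "use", "zone", "secctx", "secmark", "delta-time"}


def parse_line(line):
    """Normalize one ip_conntrack or nf_conntrack line to a dict; None for blank lines."""
    fields = line.split()
    if not fields:
        return None
    if fields[0] in ("ipv4", "ipv6"):
        family = fields[0]
        fields = fields[2:]          # drop the L3 family name and its protocol number
    else:
        family = "ipv4"              # ip_conntrack only ever tracked IPv4
    l4proto, timeout = fields[0], int(fields[2])
    rest = fields[3:]
    state = None
    if l4proto in STATEFUL_L4 and rest and "=" not in rest[0] and not rest[0].startswith("["):
        state, rest = rest[0], rest[1:]
    flags, orig, reply, meta = [], {}, {}, {}
    current = orig
    for tok in rest:
        if tok.startswith("["):      # [ASSURED], [UNREPLIED]: flags carry no '='
            flags.append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key in ENTRY_KEYS:
            meta[key] = value
        elif key == "src" and current is orig and "src" in orig:
            current = reply          # the second src= opens the reply-direction tuple
            current[key] = value
        else:
            current[key] = value
    return {"family": family, "l4proto": l4proto, "timeout": timeout, "state": state,
            "orig": orig, "reply": reply, "flags": flags, "meta": meta}


def parse_table(text):
    """Parse a whole table dump (string) into a list of entry dicts."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Count entries by (family, l4proto, state); state is None for stateless protocols."""
    return Counter((e["family"], e["l4proto"], e["state"]) for e in entries)


def unreplied(entries):
    """Entries the peer never answered: SYN floods and scans show up here first."""
    return [e for e in entries if "UNREPLIED" in e["flags"]]


def read_table(path=None):
    """Read the live table, preferring nf_conntrack and falling back to ip_conntrack."""
    for p in ([path] if path else [NF_PATH, LEGACY_PATH]):
        if os.path.exists(p):
            with open(p) as fh:
                return parse_table(fh.read())
    raise FileNotFoundError("no conntrack table found; is the conntrack module loaded?")


# Constructed sample dumps (not captured from a real host), one per format.
SAMPLE_NF = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=50212 dport=443 packets=12 bytes=2300 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=50212 packets=10 bytes=6800 [ASSURED] mark=0 zone=0 use=2
ipv6    10 udp     17 29 src=2001:db8::10 dst=2001:db8::53 sport=40001 dport=53 packets=1 bytes=80 [UNREPLIED] src=2001:db8::53 dst=2001:db8::10 sport=53 dport=40001 packets=0 bytes=0 mark=0 zone=0 use=1
ipv4     2 tcp      6 119 SYN_SENT src=192.0.2.10 dst=203.0.113.7 sport=51000 dport=22 packets=3 bytes=180 [UNREPLIED] src=203.0.113.7 dst=192.0.2.10 sport=22 dport=51000 packets=0 bytes=0 mark=0 zone=0 use=1
"""
SAMPLE_LEGACY = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=50212 dport=443 packets=12 bytes=2300 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=50212 packets=10 bytes=6800 [ASSURED] mark=0 use=2
icmp     1 29 src=192.0.2.10 dst=198.51.100.5 type=8 code=0 id=1234 packets=1 bytes=84 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 type=0 code=0 id=1234 packets=0 bytes=0 mark=0 use=2
"""

if __name__ == "__main__":
    for name, text in (("nf_conntrack", SAMPLE_NF), ("ip_conntrack", SAMPLE_LEGACY)):
        entries = parse_table(text)
        print(name, dict(summarize(entries)), "unreplied:", len(unreplied(entries)))
```

Running it as root on a live host is just read_table() followed by summarize() and unreplied(); the per-entry "meta" dict is where nf_conntrack-only fields such as zone land, which is a quick way to tell from a script which of the two tables you are actually reading.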

