It's not clear to me if the check for INVALID vs ESTABLISHED,RELATED is equally fast for both cases (and if the states are completely orthogonal) Do I have to drop INVALID before accepting ESTABLISHED or can I safely accept ESTABLISHED and then drop INVALID?
- Doesn't matter in the grand scheme of things but I've always had it the last.Artem S. Tashkinov– Artem S. Tashkinov2024-04-07 19:14:53 +00:00Commented Apr 7, 2024 at 19:14
Add a comment |
1 Answer
Logically the state INVALID should be mutually exclusive with any of ESTABLISHED, RELATED and NEW.
I can't give you throughput measurements. All I can say is that since a packet can only be in precisely one of the four states you won't end up accepting invalid packets unless you have a catch-all rule of ACCEPT. Drop them early and then there's no need to worry about them.
Personally I would drop INVALID as early in the chain as possible.
