This option adds a new 'raw' table to iptables.  The raw table is the very
first in netfilter (it even precedes the conntrack subsystem) and uses the
PREROUTING and OUTPUT built-in chains.

The NOTRACK target can be used to select packets that should *not*
enter the conntrack/NAT subsystems. Please keep in mind:
if you mark a packet with NOTRACK, then

- all conntrack functionality is lost for the packet
  (ICMP error tracking, protocol helpers, etc.)
- all NAT functionality is lost as well.

Packets marked with NOTRACK can be matched by the 'UNTRACKED'
state using the state or conntrack matches. Example:

# Very busy webserver
iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 80 -j NOTRACK
...

# filter rules
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
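
A narrower variant of the filter rule above, as an added example that is not part of the original help text: a blanket `--state UNTRACKED -j ACCEPT` accepts whatever any raw-table rule exempts, so this script prints filter rules scoped to the same address and port as the NOTRACK rules. The helper names are hypothetical; 1.2.3.4 and port 80 are the sample values from the example above.

```shell
#!/bin/sh
# Added example, not part of the original help text. It only prints rules;
# review the output, then pipe it to `sh` as root to install them.

# Succeeds only for a dotted-quad IPv4 address, so nothing else reaches the output.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds only for a TCP port number in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# emit_notrack_rules IP PORT (hypothetical helper name)
emit_notrack_rules() {
    valid_ipv4 "$1" && valid_port "$2" || { echo "bad address or port" >&2; return 1; }
    ip=$1 port=$2
    cat <<EOF
# raw table: keep both directions of the service out of conntrack
iptables -t raw -A PREROUTING -d $ip -p tcp --dport $port -j NOTRACK
iptables -t raw -A PREROUTING -s $ip -p tcp --sport $port -j NOTRACK
# filter table: accept UNTRACKED packets only for that same service
iptables -A FORWARD -d $ip -p tcp --dport $port -m state --state UNTRACKED -j ACCEPT
# no connection state exists for replies, so at least refuse bare SYNs from the server port
iptables -A FORWARD -s $ip -p tcp --sport $port ! --syn -m state --state UNTRACKED -j ACCEPT
EOF
}

# Sample values taken from the example above.
emit_notrack_rules 1.2.3.4 80
```

Because ICMP error tracking is lost for these flows, ICMP errors that refer to them will not match RELATED and need their own filter rule if they are to be forwarded.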
