Setting packet connection tracking metainformation: Difference between revisions
(notrack is usable in linux 4.9) |
(→helpers: add reference to using automatic helper assignement) |
||
Line 58: | Line 58: | ||
You need nftables >= 0.8 and the kernel >= 4.12 to use this feature. | You need nftables >= 0.8 and the kernel >= 4.12 to use this feature. | ||
In case of a previous version of nftables, you can can set automatic assignement with: | |||
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper |
Revision as of 13:16, 9 August 2017
You can set some bits of the packet conntrack metainformation, apart of matching on it.
notrack
You can use the notrack support to explicitly skip connection tracking for matching packets.
The example below skips traffic for 80/tcp and 443/tcp:
nft add rule ip raw prerouting tcp dport { 80, 443 } notrack
Please, note that you should use notrack before the kernel connection tracking is triggered. Use a chain with priority -300. Example:
nft add table raw
nft add chain raw prerouting { type filter hook prerouting priority -300 \; }
nft add rule raw prerouting tcp dport 80 notrack
Support for this was added in linux kernel 4.9 and in nftables v0.7.
helpers
You can assign each packet a conntrack helper.
Instantiate a helper, using a named object:
table filter {
ct helper sip-5060 {
type "sip" protocol udp;
}
ct helper ftp-standar {
type "ftp" protocol tcp;
}
chain c {
}
}
Then, from the rules:
nft add rule filter filter c udp dport 5060 ct helper set "sip-5060"
You can of course use a dictionary, one single rule to assign many helpers:
nft add rule x y ct helper set udp dport map { \
69 : "tftp-69", \
5060 : "sip-5060" }
You need nftables >= 0.8 and the kernel >= 4.12 to use this feature.
In case of a previous version of nftables, you can can set automatic assignement with: echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper