Setting packet connection tracking metainformation: Difference between revisions
m (link Connection Tracking System; grammar) |
(→notrack: Rewrote, combining examples and explaining choice of priority in detail.) |
||
| Line 3: | Line 3: | ||
== notrack == | == notrack == | ||
You can use the | You can use the ''notrack'' statement (added in Linux kernel 4.9, nftables 0.7) to explicitly skip connection tracking for matching packets. To be effective '''your ''notrack'' rule must come before conntrack is triggered'''. You can ensure this by attaching it to a base chain with [[Configuring_chains#Base_chain_priority | priority]] < NF_IP_PRI_CONNTRACK (-200). Using ''raw'' priority (-300) is a good choice. The following example skips incoming traffic to tcp ports 80 (http) and 443 (https): | ||
<source lang="bash"> | <source lang="bash"> | ||
nft add table | nft add table my_raw_table | ||
nft add chain | nft add chain my_raw_table prerouting { type filter hook prerouting priority -300 \; } | ||
nft add rule | nft add rule my_raw_table prerouting tcp dport { 80, 443 } notrack | ||
</source> | </source> | ||
== helpers == | == helpers == | ||
Revision as of 13:52, 15 February 2021
You can set some bits of the packet conntrack metainformation, as well as match on it.
notrack
You can use the notrack statement (added in Linux kernel 4.9, nftables 0.7) to explicitly skip connection tracking for matching packets. To be effective your notrack rule must come before conntrack is triggered. You can ensure this by attaching it to a base chain with priority < NF_IP_PRI_CONNTRACK (-200). Using raw priority (-300) is a good choice. The following example skips incoming traffic to tcp ports 80 (http) and 443 (https):
nft add table my_raw_table
nft add chain my_raw_table prerouting { type filter hook prerouting priority -300 \; }
nft add rule my_raw_table prerouting tcp dport { 80, 443 } notrack
helpers
You can assign each packet a conntrack helper.
Instantiate a helper, using a named object:
table filter {
ct helper sip-5060 {
type "sip" protocol udp;
}
ct helper tftp-69 {
type "tftp" protocol udp;
}
ct helper ftp-standard {
type "ftp" protocol tcp;
}
chain c {
type filter hook prerouting priority 0;
}
}Your chain priority must be > -200, because conntrack registers at this priority. Otherwise, packets will not find any conntrack information (which is required to attach the helper).
Then, from the rules:
nft add rule filter c ct state new tcp dport 21 ct helper set "ftp-standard"
nft add rule filter c ct state new udp dport 5060 ct helper set "sip-5060"
nft add rule filter c ct state new udp dport 69 ct helper set "tftp-69"You can use a map to assign many helpers using a single rule:
nft add rule filter c ct state new ct helper set ip protocol . th dport map { \
udp . 69 : "tftp-69", \
udp . 5060 : "sip-5060", \
tcp . 21 : "ftp-standard" }which sets the helper based in the transport protocol number and the transport destination port.
You need nftables >= 0.8 and the kernel >= 4.12 to use this feature.
In case of a previous version of nftables, you can enable automatic assignment with:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helperAlso, with the sysctl parameter:
net.netfilter.nf_conntrack_helper = 1