Matching connection tracking stateful metainformation
Revision as of 11:10, 4 May 2017
As in iptables, you can match the state tracking information (sometimes referred to as conntrack or ct information) that Netfilter collects through the Connection Tracking System to deploy stateful firewalls.
Matching conntrack information
nftables provides the ct selector which can be used to match:
- State information: new, established, related and invalid. In this regard, there are no changes with respect to iptables.
- The conntrack mark.
- Status information: expected, seen-reply, assured, confirmed, snat, dnat, dying.
Matching the state information
The following example shows how to deploy an extremely simple stateful firewall with nftables:
nft add rule filter input ct state established,related counter accept #1
nft add rule filter input counter drop #2
Rule #1 accepts packets that belong to a flow that your computer has already established with the network (or to a flow related to it, such as an FTP data connection or an ICMP error). Rule #2 drops everything else, so any attempt from a computer in the network to open a new connection to your computer will be dropped, while replies to the traffic that you started will be accepted. Note that the example above uses a comma-separated list of the states that you want to match.
If you are not familiar with the Netfilter flow state machine, you can take a quick look at this link.
Matching the conntrack mark
The following example shows how to match packets based on the conntrack mark:
nft add rule filter input ct mark 123 counter
To know more about conntrack marks and packet marks, see Setting packet metainformation.
notrack
You can use the notrack support to explicitly skip connection tracking for matching packets.
The example below skips traffic for 80/tcp and 443/tcp:
nft add rule ip raw prerouting tcp dport { 80, 443 } notrack
Please note that notrack must be applied before the kernel connection tracking hook sees the packet. Conntrack hooks at priority -200, so use a chain with a lower priority, such as -300 (the usual raw table). Example:
nft add table raw
nft add chain raw prerouting { type filter hook prerouting priority -300 \; }
nft add rule raw prerouting tcp dport 80 notrack
Support for this was added in Linux kernel 4.10 and in nftables v0.7. Keep in mind that packets which skipped conntrack carry the ct state untracked, not established or new, so a stateful filter like the one above needs an explicit rule for them (for example, ct state untracked tcp dport { 80, 443 } accept) or they will be dropped.
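The state, mark and notrack snippets on this page fit together into a single ruleset. The following is an added example, not code from the nftables wiki, written in the nft script syntax that is loaded with nft -f instead of the one-line nft add form used above. The SSH and DNS rules, the choice of the inet family for both tables, and the reuse of mark value 123 from the conntrack mark example are assumptions made for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables wiki): a complete stateful ruleset
# combining ct state matching, ct mark matching and notrack.
# Check the syntax without loading it:  nft -c -f stateful.nft
# Load it:                              nft -f stateful.nft

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local traffic is always accepted.
        iif "lo" accept

        # Drop packets conntrack cannot classify before the established
        # check, so stray ACK/RST segments never pass as "established".
        ct state invalid counter drop

        # Count packets of flows carrying the conntrack mark set in the
        # output chain below (mark value 123 is an assumption). No verdict,
        # so evaluation continues with the next rule.
        ct mark 123 counter

        # Rule #1 from the text: replies to flows we started.
        ct state established,related counter accept

        # Traffic excluded from conntrack by the raw chain below arrives
        # here as "untracked", never as "established", so it needs its own
        # accept rule or the policy drop will discard it.
        ct state untracked tcp dport { 80, 443 } counter accept

        # Only new inbound SSH connections are allowed (assumption: port 22).
        ct state new tcp dport 22 counter accept

        # Rule #2 from the text: everything else is dropped by the policy.
        counter
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Mark locally originated DNS flows; the "ct mark 123" rule in the
        # input chain then matches the replies (assumption for illustration).
        ct state new udp dport 53 ct mark set 123
    }
}

# Priority -300 runs before the conntrack hook (-200), as the text requires.
table inet raw {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        tcp dport { 80, 443 } notrack
    }
}
```

Note the ordering in the input chain: the invalid drop comes before the established accept, the untracked accept comes after it, and the ct mark rule has no verdict so it only counts. Removing the untracked rule is the most common mistake when notrack is introduced into an existing stateful ruleset, because the web traffic silently falls through to the policy drop.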