Matching connection tracking stateful metainformation: Difference between revisions
m (Linked existing sections in example conntrack output table.) |
m (Be explicit when referring to conntrack command, as opposed to a conntrack entry.) |
||
| Line 5: | Line 5: | ||
It is useful to refer to the [[Data_types#Conntrack_types|conntrack data types]]. | It is useful to refer to the [[Data_types#Conntrack_types|conntrack data types]]. | ||
The following sections will make use of this sample partial [http://conntrack-tools.netfilter.org/conntrack.html ''conntrack''] output: | The following sections will make use of this sample partial [http://conntrack-tools.netfilter.org/conntrack.html ''conntrack'' command] output: | ||
<source> | <source> | ||
Revision as of 01:22, 13 April 2021
nftables conntrack (ct) expressions enable stateful firewalls by matching packets that correspond to connections tracked by netfilter's Connection Tracking System.
Conntrack expressions
It is useful to refer to the conntrack data types.
The following sections will make use of this sample partial conntrack command output:
% conntrack -L -o id,extended
...
ipv4 2 tcp 6 421957 ESTABLISHED src=192.168.0.2 dst=192.168.0.8 sport=34621 dport=22 src=192.168.0.8 dst=192.168.0.2 sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051
...| conntrack command output | ||||
|---|---|---|---|---|
| Column # | Description | Example value | ct Match | Notes |
| 1 | L3 protocol | ipv4 | ct l3proto | |
| 2 | 2 | |||
| 3 | L4 protocol | tcp | ct protocol | |
| 4 | inet_proto | 6 | ct protocol | As shown in in.h protocol value 6 indicates TCP. |
| 5 | timeout, s | 421957 | ct expiration | Default TCP connection timeout is 5 days. You can change this via the conntrack sysfs setting nf_conntrack_tcp_timeout_established. |
| 6 | conntrack state | ESTABLISHED | ct state | |
| 7 | L3 source address,
original direction |
src=192.168.0.2 | ct original saddr | |
| 8 | L3 destination address,
original direction |
dst=192.168.0.8 | ct original daddr | |
| 9 | L4 protocol source,
original direction |
sport=34621 | ct original proto‑src | |
| 10 | L4 protocol destination,
original direction |
dport=22 | ct original proto‑dst | |
| 11 | L3 source address,
reply direction |
src=192.168.0.8 | ct reply saddr | |
| 12 | L3 destination address,
reply direction |
dst=192.168.0.2 | ct reply daddr | |
| 13 | L4 protocol source,
reply direction |
sport=22 | ct reply proto‑src | |
| 14 | L4 protocol destination,
reply direction |
dport=34621 | ct reply proto‑dst | |
| 15 | conntrack status | [ASSURED] | ct status | |
| 16 | conntrack mark | mark=6 | ct mark | |
| 17 | reference count | use=1 | Mainly used by the garbage collector. | |
| 18 | conntrack id | id=2014938051 | ct id | |
ct state - conntrack state
The ct state expression is almost certainly the one you will use the most.
The conntrack state may be one of:
| conntrack states | ||||
|---|---|---|---|---|
| State | Description | |||
| new | Netfilter has so far seen packets between this pair of hosts in only one direction. At least one of these packets is part of a valid initialization sequence, e.g. SYN packet for a TCP connection. | |||
| established | Netfilter has seen valid packets travel in both directions between this pair of hosts. For TCP connections, the three-way-handshake has been successfully completed. | |||
| related | This connection was initiated after the main connection, as expected from normal operation of the main connection. A common example is an FTP data channel established at the behest of an FTP control channel. | |||
| invalid | Assigned to packets that do not follow the expected behavior of a connection. | |||
| untracked | Dummy state assigned to packets that have been explicitly excluded from conntrack. See notrack. | |||
The following example ruleset shows how to deploy an extremely simple stateful firewall with nftables:
table inet stateful_fw_demo {
chain IN {
type filter hook input priority filter; policy drop;
ct state established,related accept
}The rule in the IN chain accepts packets that are part of an established connection, and related packets. Note the use of a comma-separated list of the conntrack states that you want to match. The default chain policy drops all other incoming packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked. However, traffic that is part of a flow that you have started will be accepted.
ct status - conntrack status
The conntrack status may be one of:
- expected
- seen-reply
- assured
- confirmed
- snat
- dnat
- dying
ct mark - conntrack mark
The following example shows how to match packets based on the conntrack mark:
nft add rule filter input ct mark 123 counter
To know more about conntrack marks and packet marks, see Setting packet metainformation.
ct helper - conntrack helper
The following example shows how to match packets based on the conntrack helper:
nft add rule filter input ct helper "ftp" counter