Setting packet connection tracking metainformation: Difference between revisions
Revision as of 19:34, 15 April 2021
You can set parts of a packet's conntrack metainformation, as well as match on it.
notrack - Bypass connection tracking
You can use the notrack statement (added in Linux kernel 4.9, nftables 0.7) to explicitly skip connection tracking for matched packets. To be effective your notrack rule must come before conntrack is triggered. You can ensure this by attaching it to a base chain with prerouting hook and priority < NF_IP_PRI_CONNTRACK (-200). Using raw priority (-300) is a good choice. The following example skips incoming traffic to tcp ports 80 (http) and 443 (https):
nft add table my_table
nft add chain my_table prerouting { type filter hook prerouting priority -300 \; }
nft add rule my_table prerouting tcp dport { 80, 443 } notrack
ct helper set - Assign conntrack helper
You can assign each packet a conntrack helper.
Instantiate a helper, using a named object:
table filter {
    ct helper sip-5060 {
        type "sip" protocol udp;
    }
    ct helper tftp-69 {
        type "tftp" protocol udp;
    }
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }
    chain c {
        type filter hook prerouting priority 0;
    }
}
Your chain priority must be > -200 (NF_IP_PRI_CONNTRACK), the priority at which conntrack itself registers. Otherwise the packet has no conntrack entry yet when your rule runs, and there is nothing to attach the helper to.
Then, from the rules:
nft add rule filter c ct state new tcp dport 21 ct helper set "ftp-standard"
nft add rule filter c ct state new udp dport 5060 ct helper set "sip-5060"
nft add rule filter c ct state new udp dport 69 ct helper set "tftp-69"
You can use a map to assign many helpers using a single rule:
nft add rule filter c ct state new ct helper set ip protocol . th dport map { \
udp . 69 : "tftp-69", \
udp . 5060 : "sip-5060", \
tcp . 21 : "ftp-standard" }
which sets the helper based on the transport protocol number and the transport destination port.
You need nftables >= 0.8 and the kernel >= 4.12 to use this feature.
With an older nftables, you can instead fall back to automatic helper assignment in the kernel:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
or, equivalently, via the sysctl parameter:
net.netfilter.nf_conntrack_helper = 1
Automatic assignment attaches a helper to every connection on the helper's default port, independently of your ruleset, which is why explicit per-rule assignment is preferred where it is available.
ct mark set - Set conntrack mark
Save packet nfmark in conntrack:
ct mark set meta mark
ct label set - Set conntrack label
Conntrack labels are 128-bit bitfields, so each connection can carry up to 128 independent labels.
ct zone set - Set conntrack zone
When setting the conntrack zone, it is crucial to do so before the packet gets picked up by conntrack. The below demo ruleset uses ct zone set rules in chains with raw priority, which accomplishes this:
table inet zone_demo {
    chain PRE {
        type filter hook prerouting priority raw;
        iif eth3 ct zone set 23
    }
    chain OUT {
        type filter hook output priority raw;
        oif eth3 ct zone set 23
    }
}
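The notrack, ct helper set and ct zone set sections above all hinge on the same ordering rule relative to conntrack's own priority of -200: notrack and ct zone set must run before it, ct helper set after it. The following linter, added here as an example and not code from the nftables project or wiki, walks a ruleset written in the table/chain syntax used on this page and reports chains that violate either constraint. The sample ruleset it checks is constructed for the example (the notrack rule from the nft one-liner above is rewritten in ruleset-file form, since the one-liner syntax is not parsed), and the named-priority table reproduces nft's standard names.

```python
"""Check the conntrack ordering constraints for nftables base chains.

Rules checked (NF_IP_PRI_CONNTRACK is -200):
  * 'notrack' and 'ct zone set' need a chain priority < -200
  * 'ct helper set' needs a chain priority > -200
Only the 'table { chain { ... } }' file syntax is parsed.
"""
import re

NF_IP_PRI_CONNTRACK = -200

# Standard nft priority names and their numeric values.
NAMED_PRIORITIES = {
    "raw": -300, "mangle": -150, "dstnat": -100,
    "filter": 0, "security": 50, "srcnat": 100,
}

# Statement name -> regex; grouped by the side of conntrack they must be on.
BEFORE_CONNTRACK = {"notrack": r"\bnotrack\b", "ct zone set": r"\bct zone set\b"}
AFTER_CONNTRACK = {"ct helper set": r"\bct helper set\b"}


def parse_priority(expr):
    """Resolve a priority expression such as 'raw', '-300' or 'raw + 10'."""
    compact = expr.strip().replace(" ", "")
    m = re.fullmatch(r"(?P<name>[a-z]+)?(?P<num>[+-]?\d+)?", compact)
    if not m or not (m.group("name") or m.group("num")):
        raise ValueError(f"unsupported priority expression: {expr!r}")
    base = 0
    if m.group("name"):
        if m.group("name") not in NAMED_PRIORITIES:
            raise ValueError(f"unknown priority name: {m.group('name')}")
        base = NAMED_PRIORITIES[m.group("name")]
    return base + int(m.group("num") or 0)


def lint_ruleset(text):
    """Return findings as (chain, priority, statement, required) tuples."""
    findings = []
    depth = 0           # current brace nesting depth
    chain = None        # name of the chain being parsed, if any
    chain_depth = None  # depth at which that chain was opened
    priority = None     # numeric priority of the current base chain

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"chain\s+(\S+)\s*\{", line)
        if m and chain is None:
            chain, chain_depth, priority = m.group(1), depth, None
        elif chain is not None:
            m = re.search(r"\bpriority\s+([^;]+);", line)
            if m:
                priority = parse_priority(m.group(1))
            # Regular chains have no hook line; they run at the caller's
            # priority and are not checked here.
            elif priority is not None:
                for name, pat in BEFORE_CONNTRACK.items():
                    if re.search(pat, line) and priority >= NF_IP_PRI_CONNTRACK:
                        findings.append((chain, priority, name, "< -200"))
                for name, pat in AFTER_CONNTRACK.items():
                    if re.search(pat, line) and priority <= NF_IP_PRI_CONNTRACK:
                        findings.append((chain, priority, name, "> -200"))
        depth += line.count("{") - line.count("}")
        if chain is not None and depth == chain_depth:
            chain = None  # closing brace of the chain
    return findings


# Constructed sample: two correct chains and two misordered ones.
SAMPLE_RULESET = """
table inet zone_demo {
    chain PRE {
        type filter hook prerouting priority raw;
        iif eth3 ct zone set 23
    }
    chain bad_notrack {
        type filter hook prerouting priority filter;   # too late for notrack
        tcp dport { 80, 443 } notrack
    }
}
table ip filter {
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }
    chain c {
        type filter hook prerouting priority 0;
        ct state new tcp dport 21 ct helper set "ftp-standard"
    }
    chain bad_helper {
        type filter hook prerouting priority raw;      # no ct entry yet
        ct state new tcp dport 21 ct helper set "ftp-standard"
    }
}
"""

if __name__ == "__main__":
    for chain, prio, stmt, need in lint_ruleset(SAMPLE_RULESET):
        print(f"chain {chain} (priority {prio}): '{stmt}' needs priority {need}")
```

Run against the sample, the linter flags only bad_notrack and bad_helper; the zone_demo PRE chain and the helper chain c from this page pass. Point it at `nft list ruleset` output to check a live configuration.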
ct event set - Set conntrack event
Restrict events reported by ctnetlink:
ct event set new,related,destroy