Matching connection tracking stateful metainformation
nftables conntrack (ct) expressions enable stateful firewalls by matching packets that correspond to connections tracked by netfilter's Connection Tracking System.
Conntrack expressions
The following sections will make use of this sample partial conntrack output:
% conntrack -L -o id,extended
...
ipv4 2 tcp 6 421957 ESTABLISHED src=192.168.0.2 dst=192.168.0.8 sport=34621 dport=22 src=192.168.0.8 dst=192.168.0.2 sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051
...
In addition, it is useful to refer to the conntrack data types.
ct state - conntrack state
The ct state expression is almost certainly the one you will use the most.
The conntrack state may be one of:
- new
- established
- related
- invalid
- untracked
The following example shows how to deploy an extremely simple stateful firewall with nftables:
nft add rule filter input ct state established,related counter accept #1
nft add rule filter input counter drop #2
Rule #1 accepts packets that belong to an already established connection, or that are related to one. Rule #2 drops all other packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked, whereas traffic that is part of a flow you have started will be accepted. Note that the example above uses a comma-separated list of the conntrack states that you want to match.
ct status - conntrack status
The conntrack status may be one of:
- expected
- seen-reply
- assured
- confirmed
- snat
- dnat
- dying
ct mark - conntrack mark
The following example shows how to match packets based on the conntrack mark:
nft add rule filter input ct mark 123 counter
To know more about conntrack marks and packet marks, see Setting packet metainformation.
ct helper - conntrack helper
The following example shows how to match packets based on the conntrack helper:
nft add rule filter input ct helper "ftp" counter
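To see how the sample conntrack output above relates to the ct mark and ct status expressions, here is a small parser for `conntrack -L -o id,extended` lines, written as an added example (it is not part of the page or of the nftables project). It reuses the page's TCP entry and adds a constructed, unreplied UDP entry; it assumes TCP/UDP entries only and relies on conntrack printing [UNREPLIED] whenever the seen-reply status bit is clear.

```python
"""Parse `conntrack -L -o id,extended` lines; mimic `ct mark` / `ct status` matching.
Added example. The TCP line is the page's sample; the UDP line is constructed."""

SAMPLE = """\
ipv4 2 tcp 6 421957 ESTABLISHED src=192.168.0.2 dst=192.168.0.8 sport=34621 dport=22 src=192.168.0.8 dst=192.168.0.2 sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051
ipv4 2 udp 17 29 src=192.168.0.2 dst=192.168.0.1 sport=51000 dport=53 [UNREPLIED] src=192.168.0.1 dst=192.168.0.2 sport=53 dport=51000 mark=0 use=1 id=1234567890
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack_line(line):
    """Return a dict for one TCP/UDP line of `conntrack -L` output."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError("not a conntrack -L line: %r" % line)
    entry = {"l3proto": tokens[0], "l4proto": tokens[2], "timeout": int(tokens[4]),
             "proto_state": None, "orig": {}, "reply": {}, "status": set(),
             "mark": None, "use": None, "id": None}
    rest = tokens[5:]
    # TCP entries carry a protocol state word (ESTABLISHED, ...); UDP ones do not.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["proto_state"] = rest.pop(0)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["status"].add(tok[1:-1].lower())      # [ASSURED] -> assured
        else:
            key, _, value = tok.partition("=")
            if key in TUPLE_KEYS:
                # First occurrence is the original direction, second the reply.
                side = "orig" if key not in entry["orig"] else "reply"
                entry[side][key] = value
            elif key in ("mark", "use", "id"):
                entry[key] = int(value)
    # conntrack prints [UNREPLIED] only while the seen-reply status bit is clear.
    if "unreplied" not in entry["status"]:
        entry["status"].add("seen-reply")
    return entry


def parse_conntrack(text):
    return [parse_conntrack_line(ln) for ln in text.splitlines() if ln.strip()]


def ct_match(entry, mark=None, status=None):
    """True when a rule with `ct mark <mark>` and/or `ct status <status>` would match."""
    if mark is not None and entry["mark"] != mark:
        return False
    return status is None or status in entry["status"]
```

With the sample, `ct mark 6` and `ct status assured` match only the SSH entry, while `ct mark 123` from the page matches neither.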