Difference between revisions of "Matching connection tracking stateful metainformation"

From nftables wiki
Jump to navigation Jump to search
m (→‎Matching the conntrack helper: Linked ct helpers page.)
(Use sections for expressions. Rewrote intro. Added sample conntrack output (still need to USE it in examples!). Linked conntrack data types. Noted ct state is most used.)
Line 1: Line 1:
As with iptables, nftables can match connection state tracking information (often referred to as ''conntrack'' or ''ct'' information) maintained by netfilter's [[Connection_Tracking_System | Connection Tracking System]] to deploy [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewalls].
nftables conntrack (''ct'') expressions enable [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewalls] by matching packets that correspond to connections tracked by netfilter's [[Connection_Tracking_System | Connection Tracking System]].


''nftables'' provides the ''ct'' selector which can be used to match:
= Conntrack expressions =


* State information: ''new'', ''established'', ''related'' and ''invalid''. In this regard, there is no changes with ''iptables''.
The following sections will make use of this sample partial ''conntrack'' output:
* The conntrack mark.
* Status information: ''expected'', ''seen-reply'', ''assured'', ''confirmed'', ''snat'', ''dnat'', ''dying''.


== Matching the conntrack state ==
<source>
% conntrack -L -o id,extended
...
ipv4    2 tcp      6 421957 ESTABLISHED src=192.168.0.2 dst=192.168.0.8 sport=34621 dport=22 src=192.168.0.8 dst=192.168.0.2 sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051
...
</source>
 
In addition, it use useful to refer to the [[Data_types#Conntrack_types|conntrack data types]].
 
 
== ''ct state'' - conntrack state ==
 
The ''ct state'' expression is almost certainly the one you will use the most.
 
The  conntrack state may be one of:
* ''new''
* ''established''
* ''related''
* ''invalid''
* ''untracked''


The following example shows how to deploy an extremely simple stateful firewall with nftables:
The following example shows how to deploy an extremely simple stateful firewall with nftables:
Line 18: Line 35:
Rule #1 accepts packets that are part of an already established communication with the network. Rule #2 drops all other packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked. However, traffic that is part of a flow that you have started will be accepted. Note that the example above uses a comma-separated list of the conntrack states that you want to match.
Rule #1 accepts packets that are part of an already established communication with the network. Rule #2 drops all other packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked. However, traffic that is part of a flow that you have started will be accepted. Note that the example above uses a comma-separated list of the conntrack states that you want to match.


== Matching the conntrack mark ==
 
== ''ct status'' - conntrack status ==
 
The  conntrack status may be one of:
* ''expected''
* ''seen-reply''
* ''assured''
* ''confirmed''
* ''snat''
* ''dnat''
* ''dying''
 
 
== ''ct mark'' - conntrack mark ==


The following example shows how to match packets based on the conntrack mark:
The following example shows how to match packets based on the conntrack mark:
Line 28: Line 58:
To know more about conntrack marks and packet marks, see [[Setting packet metainformation]].
To know more about conntrack marks and packet marks, see [[Setting packet metainformation]].


== Matching the conntrack helper ==
 
== ''ct helper'' - conntrack helper ==


The following example shows how to match packets based on the conntrack helper:
The following example shows how to match packets based on the conntrack helper:

Revision as of 22:38, 11 April 2021

nftables conntrack (ct) expressions enable stateful firewalls by matching packets that correspond to connections tracked by netfilter's Connection Tracking System.

Conntrack expressions

The following sections will make use of this sample partial conntrack output:

% conntrack -L -o id,extended
...
ipv4     2 tcp      6 421957 ESTABLISHED src=192.168.0.2 dst=192.168.0.8 sport=34621 dport=22 src=192.168.0.8 dst=192.168.0.2 sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051
...

In addition, it use useful to refer to the conntrack data types.


ct state - conntrack state

The ct state expression is almost certainly the one you will use the most.

The conntrack state may be one of:

  • new
  • established
  • related
  • invalid
  • untracked

The following example shows how to deploy an extremely simple stateful firewall with nftables:

nft add rule filter input ct state established,related counter accept #1
nft add rule filter input counter drop #2

Rule #1 accepts packets that are part of an already established communication with the network. Rule #2 drops all other packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked. However, traffic that is part of a flow that you have started will be accepted. Note that the example above uses a comma-separated list of the conntrack states that you want to match.


ct status - conntrack status

The conntrack status may be one of:

  • expected
  • seen-reply
  • assured
  • confirmed
  • snat
  • dnat
  • dying


ct mark - conntrack mark

The following example shows how to match packets based on the conntrack mark:

nft add rule filter input ct mark 123 counter

To know more about conntrack marks and packet marks, see Setting packet metainformation.


ct helper - conntrack helper

The following example shows how to match packets based on the conntrack helper:

nft add rule filter input ct helper "ftp" counter

More on using ct helpers.