Difference between revisions of "Matching connection tracking stateful metainformation"

From nftables wiki
Jump to navigation Jump to search
(cleanup file, split content to 'setting packet conntrack metainformation')
Line 29: Line 29:


To know more about conntrack marks and packet marks, see [[Setting packet metainformation]].
To know more about conntrack marks and packet marks, see [[Setting packet metainformation]].
== Matching the conntrack helper ==
The following example shows how to match packets based on the conntrack helper:
<source lang="bash">
nft add rule filter input ct helper "ftp" counter
</source>

Revision as of 18:38, 18 December 2020

As in iptables, you can match the state tracking information (sometimes refered as conntrack or ct information) that Netfilter collects through the Connection Tracking System to deploy stateful firewalls.

nftables provides the ct selector which can be used to match:

  • State information: new, established, related and invalid. In this regard, there is no changes with iptables.
  • The conntrack mark.
  • Status information: expected, seen-reply, assured, confirmed, snat, dnat, dying.

Matching the state information

The following example shows how to deploy an extremely simple stateful firewall with nftables:

nft add rule filter input ct state established,related counter accept #1
nft add rule filter input counter drop #2

The rule #1 allows packets that are part of an already established communication with the network. Thus, any attempt from a computer in the network to reach your computer will be dropped. However, the traffic that is part of a flow that you have started will be accepted. Note that the example above uses a comma separated list of the states that you want to match.

If you are not familiar with Netfilter flow state machine, you can give a quick read to this link.

Matching the conntrack mark

The following example shows how to match packets based on the conntrack mark:

nft add rule filter input ct mark 123 counter

To know more about conntrack marks and packet marks, see Setting packet metainformation.

Matching the conntrack helper

The following example shows how to match packets based on the conntrack helper:

nft add rule filter input ct helper "ftp" counter