Difference between revisions of "Matching connection tracking stateful metainformation"

From nftables wiki
Revision as of 13:59, 12 April 2021

nftables conntrack (ct) expressions enable stateful firewalls by matching packets that correspond to connections tracked by netfilter's Connection Tracking System.

Conntrack expressions

It is useful to refer to the conntrack data types.

The following sections will make use of this sample partial conntrack output:

% conntrack -L -o id,extended
ipv4     2 tcp      6 421957 ESTABLISHED src= dst= sport=34621 dport=22 src= dst= sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051
conntrack command output

Column #  Description                                  Example value   ct match                 Notes
1         L3 protocol                                  ipv4            ct l3proto
2         L3 protocol (address family) number          2                                        2 is AF_INET (IPv4), 10 is AF_INET6 (IPv6).
3         L4 protocol name                             tcp             ct protocol
4         inet_proto, the 8-bit L4 protocol number     6               ct protocol              As shown in in.h (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/in.h), protocol value 6 indicates TCP.
5         timeout, in seconds                          421957          ct expiration            Seconds left until the entry is discarded unless refreshed by traffic. The default timeout for an established TCP connection is 5 days (432000 s); change it via the sysctl net.netfilter.nf_conntrack_tcp_timeout_established.
6         conntrack state                              ESTABLISHED     ct state                 Printed only for protocols with a state machine such as TCP; UDP and ICMP entries have no state column.
7         L3 source address, original direction        src=            ct original saddr
8         L3 destination address, original direction   dst=            ct original daddr
9         L4 protocol source, original direction       sport=34621     ct original proto-src    Source port for TCP/UDP.
10        L4 protocol destination, original direction  dport=22        ct original proto-dst    Destination port for TCP/UDP.
11        L3 source address, reply direction           src=            ct reply saddr
12        L3 destination address, reply direction      dst=            ct reply daddr
13        L4 protocol source, reply direction          sport=22        ct reply proto-src
14        L4 protocol destination, reply direction     dport=34621     ct reply proto-dst
15        conntrack status                             [ASSURED]       ct status                [ASSURED] is printed when the assured bit is set; [UNREPLIED] (printed between the two tuples) when the seen-reply bit is not set.
16        conntrack mark                               mark=6          ct mark
17        reference count                              use=1                                    Mainly used by the garbage collector; not matchable.
18        conntrack id                                 id=2014938051   ct id                    Printed only with -o id.
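As an added example, not code from the nftables wiki or from conntrack-tools, the parser below reads conntrack -L lines in both the default format and the -o id,extended format into the fields the table above maps to ct expressions, turns the printed bracketed flags into ct status keywords, infers the snat/dnat status bits that conntrack does not print, and builds an nft match that selects one tracked flow by its original-direction tuple. The sample lines are constructed (RFC 5737 addresses); the `ct original ip saddr` spelling of the address match and the drop rule mentioned in the docstring are assumptions of this example, not something the page shows.

```python
"""Parse conntrack -L output into the fields that nftables ct expressions can match.

Added example; not code from the nftables wiki or the conntrack-tools project.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output (RFC 5737 documentation addresses), three flows:
#   1. TCP with `-o id,extended`: ipv4/2 prefix, a state column and a trailing id= field
#   2. UDP in the default format: no state column, [UNREPLIED] because no answer was seen yet
#   3. TCP behind a masquerading NAT: the reply tuple is not the mirror of the original tuple
SAMPLE_LINES = [
    "ipv4     2 tcp      6 421957 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=34621 dport=22 "
    "src=198.51.100.5 dst=192.0.2.10 sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051",
    "udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=51234 dport=53 [UNREPLIED] "
    "src=198.51.100.53 dst=192.0.2.10 sport=53 dport=51234 mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=198.51.100.5 sport=40000 dport=443 "
    "src=198.51.100.5 dst=203.0.113.1 sport=443 dport=40000 [ASSURED] mark=0 use=1",
]

TUPLE_KEYS = ("src", "dst", "sport", "dport", "type", "code", "id")  # id= is also the ICMP echo id
NFT_TUPLE_KEYS = {"src": "saddr", "dst": "daddr", "sport": "proto-src", "dport": "proto-dst"}


@dataclass
class Flow:
    l3proto: Optional[str]        # ct l3proto (only printed with -o extended)
    l4name: str
    protocol: int                 # ct protocol
    expiration: int               # ct expiration, seconds left before the entry is dropped
    state: Optional[str]          # TCP state column; None for UDP, ICMP, ...
    original: Dict[str, str] = field(default_factory=dict)   # ct original ...
    reply: Dict[str, str] = field(default_factory=dict)      # ct reply ...
    status: List[str] = field(default_factory=list)          # bracketed flags as printed
    mark: int = 0                 # ct mark
    ct_id: Optional[int] = None   # ct id (only with -o id)


def parse_conntrack_line(line: str) -> Flow:
    tokens = line.split()
    l3proto = None
    if tokens[0] in ("ipv4", "ipv6"):
        l3proto = tokens.pop(0)
        tokens.pop(0)                       # address family number: 2 = AF_INET, 10 = AF_INET6
    flow = Flow(l3proto, tokens.pop(0), int(tokens.pop(0)), int(tokens.pop(0)), None)
    # The state column exists only for protocols with a state machine; for UDP the next
    # token is already src=..., so the column has to be detected rather than assumed.
    if tokens and "=" not in tokens[0] and not tokens[0].startswith("["):
        flow.state = tokens.pop(0)
    current = flow.original
    seen_use = False
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            flow.status.append(tok[1:-1])   # [UNREPLIED] sits between the tuples, [ASSURED] after them
            continue
        key, _, value = tok.partition("=")
        if key == "use":
            seen_use = True
        elif key == "mark":
            flow.mark = int(value)
        elif key == "id" and seen_use:      # the conntrack id follows use=; ICMP tuple ids precede it
            flow.ct_id = int(value)
        elif key in TUPLE_KEYS:
            if key == "src" and "src" in current:
                current = flow.reply        # the second src= starts the reply-direction tuple
            current[key] = value
        # anything else (zone=, helper=, secctx=, ...) is ignored by this example
    return flow


def status_flags(flow: Flow) -> List[str]:
    """ct status keywords the printed flags reveal: conntrack prints [UNREPLIED] when the
    seen-reply bit is clear and [ASSURED] when assured is set, and nothing for the NAT bits."""
    flags = []
    if "UNREPLIED" not in flow.status:
        flags.append("seen-reply")
    if "ASSURED" in flow.status:
        flags.append("assured")
    return flags


def inferred_nat_flags(flow: Flow) -> List[str]:
    """Infer snat/dnat: without NAT the reply tuple mirrors the original tuple exactly."""
    o, r = flow.original, flow.reply
    flags = []
    if (r.get("dst"), r.get("dport")) != (o.get("src"), o.get("sport")):
        flags.append("snat")   # the original source was rewritten (e.g. masquerade)
    if (r.get("src"), r.get("sport")) != (o.get("dst"), o.get("dport")):
        flags.append("dnat")   # the original destination was rewritten (e.g. port forward)
    return flags


def nft_match_for_flow(flow: Flow) -> str:
    """Build an nft match selecting exactly this flow by its original-direction tuple, e.g. to
    drop one suspicious connection with a hypothetical `nft add rule inet filter input <match> drop`.
    Assumes the `ct original ip saddr` / `ct original ip6 saddr` form of the address match."""
    fam = "ip6" if (flow.l3proto == "ipv6" or ":" in flow.original.get("src", "")) else "ip"
    parts = ["ct protocol %d" % flow.protocol]
    for key, nft_key in NFT_TUPLE_KEYS.items():
        if key in flow.original:
            prefix = "ct original %s " % fam if key in ("src", "dst") else "ct original "
            parts.append(prefix + nft_key + " " + flow.original[key])
    return " ".join(parts)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        f = parse_conntrack_line(sample)
        print(f.l4name, f.state, f.expiration, status_flags(f), inferred_nat_flags(f))
        print("   ", nft_match_for_flow(f))
```

The state column is detected rather than assumed because UDP and ICMP entries do not carry one, and a fixed-column split of the TCP line would silently shift every later field for them; the same goes for `id=`, which is a tuple field for ICMP but the conntrack id after `use=`.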

ct state - conntrack state

The ct state expression is almost certainly the one you will use the most.

The conntrack state may be one of:

conntrack states

State        Description
new          Netfilter has so far seen packets between this pair of hosts in only one direction. At least one of these packets is part of a valid initialization sequence, e.g. a SYN packet for a TCP connection.
established  Netfilter has seen valid packets travel in both directions between this pair of hosts. For TCP connections, the three-way handshake has been successfully completed.
related      This connection was initiated after the main connection, as expected from normal operation of the main connection. A common example is an FTP data channel established at the behest of an FTP control channel.
invalid      Assigned to packets that do not follow the expected behavior of a connection.
untracked    Dummy state assigned to packets that have been explicitly excluded from conntrack. See notrack.

The following example ruleset shows how to deploy an extremely simple stateful firewall with nftables:

table inet stateful_fw_demo {

    chain IN {
        type filter hook input priority filter; policy drop;

        # accept packets that belong to a tracked flow, or are related to one (e.g. an FTP data channel)
        ct state established,related accept
    }
}

The rule in the IN chain accepts packets that are part of an established connection, and related packets. Note the use of a comma-separated list of the conntrack states that you want to match. The default chain policy drops all other incoming packets, so any attempt by another computer on the network to initiate a new connection to your computer is blocked: its first packet arrives in state new and no rule accepts it. Traffic that belongs to a flow you started yourself is accepted, because the reply packets arrive in state established.

ct status - conntrack status

The conntrack status is a set of flags rather than a single value, so several of them can be set on one connection at the same time. The flags are:

  • expected
  • seen-reply
  • assured
  • confirmed
  • snat
  • dnat
  • dying

ct mark - conntrack mark

The following example shows how to match packets based on the conntrack mark:

nft add rule filter input ct mark 123 counter

To know more about conntrack marks and packet marks, see Setting packet metainformation.

ct helper - conntrack helper

The following example shows how to match packets based on the conntrack helper:

nft add rule filter input ct helper "ftp" counter

More on using ct helpers.