Matching connection tracking stateful metainformation
The following sections will make use of this sample partial conntrack output:
% conntrack -L -o id,extended
...
ipv4 2 tcp 6 421957 ESTABLISHED src=192.168.0.2 dst=192.168.0.8 sport=34621 dport=22 src=192.168.0.8 dst=192.168.0.2 sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051
...
The entry shows the original direction tuple (src, dst, sport, dport), the reply direction tuple, the status flags in brackets ([ASSURED] here), the conntrack mark (mark=6) and the entry id. In addition, it is useful to refer to the conntrack data types.
ct state - conntrack state
The ct state expression is almost certainly the one you will use the most.
The conntrack state may be one of:
new: the packet starts a new connection, or belongs to a connection that has not yet seen packets in both directions.
established: the packet belongs to a connection that has seen packets in both directions.
related: the packet starts a new connection that is associated with an existing one, for example an ICMP error or an FTP data connection expected by the ftp helper.
invalid: the packet does not belong to any tracked connection and cannot start one, for example a TCP segment with an invalid flag combination or a reply to an unknown connection.
untracked: the packet was excluded from connection tracking with a notrack rule.
The following example shows how to deploy an extremely simple stateful firewall with nftables:
nft add rule filter input ct state established,related counter accept #1
nft add rule filter input counter drop #2
Rule #1 accepts packets that are part of an already established communication with the network, or that are related to one. Rule #2 drops all other packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked (the packet has state new and falls through to rule #2), and so are packets with state invalid. However, traffic that is part of a flow that you have started will be accepted. Note that the example above uses a comma-separated list of the conntrack states that you want to match. The example assumes that the table filter and the chain input already exist and that the chain is hooked to input; if you later add rules that accept new connections before the final drop, add an explicit ct state invalid drop rule ahead of them so that invalid packets are never accepted.
ct status - conntrack status
The conntrack status may be one of:
expected: the connection was created from an expectation set up by a helper.
seen-reply: packets have been seen in both directions.
assured: the connection has been confirmed in both directions (for TCP, the handshake completed) and will not be evicted early when the conntrack table is full; this is the [ASSURED] flag in the sample output above.
confirmed: the connection has been inserted into the conntrack table.
snat: source NAT is applied to this connection.
dnat: destination NAT is applied to this connection.
dying: the connection is being removed and no longer matches new packets.
ct mark - conntrack mark
The following example shows how to match packets based on the conntrack mark:
nft add rule filter input ct mark 123 counter
The ct mark is the mark= field of the conntrack entry (6 in the sample output above). It belongs to the connection, so every packet of that flow in either direction sees the same value, unlike the packet mark (meta mark), which is carried by the individual packet. To know more about conntrack marks and packet marks, see Setting packet metainformation.
ct helper - conntrack helper
The following example shows how to match packets based on the conntrack helper:
nft add rule filter input ct helper "ftp" counter
This matches packets whose connection has the ftp helper assigned to it. A helper is only present on a connection if it was assigned, either with a ct helper set rule or by the kernel's automatic helper assignment, so the rule above matches nothing if no such assignment takes place.
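The ct state, ct mark and ct helper examples above are single rules added to a table and chain that are assumed to exist. The following ruleset, written for this page as an added example (it is not from the nftables wiki), puts them together into a complete stateful input policy using the inet family. The helper object name ftp-standard, the mark value 123 and the choice of port 22 as the only accepted new connection are illustrative.

```nft
#!/usr/sbin/nft -f
# Added example: complete stateful input policy in nft script syntax.
# Check the syntax without loading:  nft -c -f firewall.nft
# Load it (this replaces the whole ruleset because of flush ruleset):  nft -f firewall.nft

flush ruleset

table inet filter {
    # Helper object: assign the kernel "ftp" helper to FTP control
    # connections so that the data connections they announce become "related".
    # The object name (ftp-standard) is illustrative; the kernel helper name is "ftp".
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Local traffic is never subject to this policy.
        iif "lo" accept

        # Packets conntrack cannot associate with a flow and that cannot
        # start one: drop them before any rule that accepts new connections.
        ct state invalid counter drop

        # Rule #1 from the page: replies to flows this host started and
        # connections related to them (ICMP errors, helper-expected data connections).
        ct state established,related counter accept

        # The only new connections accepted from the network: ssh.
        tcp dport 22 ct state new counter accept

        # Observational rules from the page (count only, no verdict):
        ct mark 123 counter
        ct helper "ftp" counter
        ct status assured counter

        # Everything else falls through to the chain policy (drop),
        # which is rule #2 from the page.
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # Assign the helper to outgoing FTP control connections. For FTP
        # servers hosted here the same rule belongs in a prerouting chain.
        tcp dport 21 ct helper set "ftp-standard"

        # Set the conntrack mark on ssh flows this host starts; every packet of
        # these flows, in both directions, then matches "ct mark 123" in input.
        tcp dport 22 ct mark set 123
    }
}
```

The ct state invalid drop rule sits before the rule that accepts new ssh connections on purpose: a packet with invalid state never matches established,related, and without the explicit drop a stray segment to port 22 would otherwise reach the ct state new rule, where it does not match either, but a later, looser accept rule could pick it up. Run nft -c -f before loading on a remote machine, since flush ruleset discards whatever was protecting the ssh session.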