Matching connection tracking stateful metainformation
The following sections will make use of this sample partial conntrack output:
```
% conntrack -L -o id,extended
...
ipv4     2 tcp      6 421957 ESTABLISHED src=192.168.0.2 dst=192.168.0.8 sport=34621 dport=22 src=192.168.0.8 dst=192.168.0.2 sport=22 dport=34621 [ASSURED] mark=6 use=1 id=2014938051
...
```
In addition, it is useful to refer to the conntrack data types.
ct state - conntrack state
The ct state expression is almost certainly the one you will use the most.
The conntrack state may be one of:
| State | Meaning |
|---|---|
| new | Netfilter has so far seen packets between this pair of hosts in only one direction. At least one of these packets is part of a valid initialization sequence, e.g. a SYN packet for a TCP connection. |
| established | Netfilter has seen valid packets travel in both directions between this pair of hosts. For TCP connections, the three-way handshake has been successfully completed. |
| related | This connection was initiated after the main connection, as expected from normal operation of the main connection. A common example is an FTP data channel established at the behest of an FTP control channel. |
| invalid | Assigned to packets that do not follow the expected behavior of a connection. |
| untracked | Dummy state assigned to packets that have been explicitly excluded from conntrack. See notrack. |
The following example shows how to deploy an extremely simple stateful firewall with nftables:
```
nft add rule filter input ct state established,related counter accept   #1
nft add rule filter input counter drop                                   #2
```
Rule #1 accepts packets that belong to a communication already established with the network. Rule #2 drops all other packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked, while traffic that is part of a flow you have started will be accepted. Note that the example above uses a comma-separated list of the conntrack states you want to match; a packet matches if its conntrack state is any one of them.
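The two rules above are the core of a stateful firewall, but on a real host they are usually combined with a drop for `invalid` packets and an explicit allow-list of the `new` connections you want to accept. The ruleset below is an added example written for this page, not the wiki's own; the table and chain names, the `inet` family (which covers IPv4 and IPv6 in one table) and the choice of SSH as the only accepted inbound service are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: a minimal stateful input policy built on the ct state
# expression. Names and the accepted port are assumptions for illustration.
flush ruleset

table inet filter {
    chain input {
        # default-deny: anything not accepted below is dropped by the policy
        type filter hook input priority 0; policy drop;

        # loopback traffic is always local
        iif "lo" accept

        # rule #1 from the text: packets of flows this host already takes
        # part in, or related to them (FTP data channel, ICMP errors, ...)
        ct state established,related counter accept

        # packets that fit no known connection (bad TCP flags, out-of-window
        # segments) are dropped before any "new" exception can see them
        ct state invalid counter drop

        # the only NEW connections accepted: SSH (assumed port 22)
        tcp dport 22 ct state new counter accept

        # rule #2 from the text, kept explicit so the counter shows what the
        # policy would have dropped anyway
        counter drop
    }
}
```

Load it with `nft -f <file>`; `nft -c -f <file>` only checks the syntax without touching the kernel. Ordering matters: `invalid` must be dropped before the `new` rule, because a packet with `ct state invalid` never matches `new` but would otherwise fall through to later rules that do not inspect the conntrack state.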
ct status - conntrack status
The conntrack status may be one of:
ct mark - conntrack mark
The following example shows how to match packets based on the conntrack mark:
```
nft add rule filter input ct mark 123 counter
```
To learn more about conntrack marks and packet marks, see Setting packet metainformation.
ct helper - conntrack helper
The following example shows how to match packets based on the conntrack helper:
```
nft add rule filter input ct helper "ftp" counter
```
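Both `ct mark` and `ct helper` only match something if a conntrack entry has been given a mark or a helper earlier in its life. The ruleset below is an added example for this page and the ct mark section above, not code from the wiki; it assumes a table named `filter` in the `inet` family and uses the nftables ct helper object syntax to attach the kernel FTP helper to flows on the (assumed) FTP control port 21, then matches those flows by helper name and by mark on the input path.

```nft
# Added example: assigning a conntrack helper and a conntrack mark, then
# matching on them. Table/chain/object names are assumptions.
table inet filter {
    # conntrack helper object: binds the kernel "ftp" helper to a flow
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        # flows to the FTP control port get the helper attached ...
        tcp dport 21 ct helper set "ftp-standard"
        # ... and their conntrack entry is tagged with mark 123
        tcp dport 21 ct mark set 123
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # every later packet of those flows carries the helper and the mark
        # in its conntrack entry, so both expressions match here. Note that
        # ct helper matches the helper type ("ftp"), not the object name.
        ct helper "ftp" counter
        ct mark 123 counter
    }
}
```

With `conntrack -L -o extended` the affected entries show `helper=ftp` and `mark=123`, which is the quickest way to confirm that the assignment rules in `prerouting` are actually firing before you rely on the matches in `input`.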