Difference between revisions of "Setting packet connection tracking metainformation"

From nftables wiki
m (corrected typo "ftp-standar" -> "ftp-standard")
(→‎helpers: update)
Revision as of 11:25, 20 October 2020

Besides matching on the conntrack metainformation of a packet, you can also set some of it from a rule: skipping tracking entirely (notrack) or attaching a helper to the connection the packet belongs to.

notrack

You can use the notrack support to explicitly skip connection tracking for matching packets.

The example below skips traffic for 80/tcp and 443/tcp:

nft add rule ip raw prerouting tcp dport { 80, 443 } notrack

Note that notrack must run before the packet reaches the conntrack hook, which is registered at priority -200. Use a chain with priority -300 (the raw priority), as in this example:

nft add table raw
nft add chain raw prerouting { type filter hook prerouting priority -300 \; }
nft add rule raw prerouting tcp dport 80 notrack

Support for this was added in linux kernel 4.9 and in nftables v0.7.
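The following is a complete ruleset in `nft -f` format that puts the commands above together. It is an added example, not taken from this wiki page, and it assumes an IPv4 host that serves 80/tcp and 443/tcp locally. It also covers a point the one-liner does not: replies generated by the host traverse the output hook, not prerouting, so without a second notrack chain the host's own replies would still create conntrack entries.

```nft
# Added example (not from the nftables wiki page). Load with: nft -f <file>
# Assumption: this host is the web server; 80/tcp and 443/tcp are skipped by
# connection tracking in both directions.
table ip raw {
    chain prerouting {
        # -300 runs before the conntrack hook at -200, so matching packets are
        # never handed to conntrack at all.
        type filter hook prerouting priority -300; policy accept;
        tcp dport { 80, 443 } notrack
    }
    chain output {
        # Locally generated replies hit the output hook; mark them too,
        # otherwise the reply direction would still open a conntrack entry.
        type filter hook output priority -300; policy accept;
        tcp sport { 80, 443 } notrack
    }
}

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Untracked packets never match "established"; admit the web ports
        # explicitly (they carry ct state untracked).
        ct state untracked tcp dport { 80, 443 } accept
    }
}
```

After loading, `nft list ruleset` should show both raw chains with priority -300. The `ct state untracked` rule is the check most people forget: a filter chain that only accepts `established,related` silently drops the very traffic you excluded from tracking.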

helpers

You can assign a conntrack helper to the connection a packet belongs to.

First instantiate the helper as a named object inside the table (objects are table-scoped, so the rules that reference them must live in the same table):

table filter {
      ct helper sip-5060 {
             type "sip" protocol udp;
      }

      ct helper tftp-69 {
             type "tftp" protocol udp;
      }

      ct helper ftp-standard {
             type "ftp" protocol tcp;
      }

      chain c {
             type filter hook prerouting priority 0;
      }
}

Then, from the rules:

nft add rule filter c tcp dport 21 ct helper set "ftp-standard"
nft add rule filter c udp dport 5060 ct helper set "sip-5060"
nft add rule filter c udp dport 69 ct helper set "tftp-69"

You can also use a dictionary (map), so that one single rule assigns many helpers:

nft add rule filter c ct helper set ip protocol . th dport map { \
                        udp . 69 : "tftp-69", \
                        udp . 5060 : "sip-5060", \
                        tcp . 21 : "ftp-standard" }

which sets the helper based on the layer 4 protocol number and the transport destination port.

You need nftables >= 0.8 and a kernel >= 4.12 to use this feature.

With an older version of nftables, you can fall back to automatic helper assignment, where the kernel attaches a helper to any new connection whose destination port matches the helper's default port:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

or, equivalently, with the sysctl parameter (e.g. in /etc/sysctl.conf):

net.netfilter.nf_conntrack_helper = 1

Automatic assignment is deprecated and has been removed from recent kernels (the sysctl is gone as of Linux 6.0). It applies the helper to every matching flow regardless of your rule set, which lets a peer on an unrelated port trigger helper-created expectations; explicit assignment from rules, as shown above, is the recommended way.
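The following is a complete ruleset in `nft -f` format that combines the helper objects and the map rule above with the filter rules that make them useful. It is an added example, not taken from this wiki page, and it assumes an IPv4 router forwarding traffic for FTP, SIP and TFTP clients behind it; the kernel modules nf_conntrack_ftp, nf_conntrack_sip and nf_conntrack_tftp must already be loaded, or nft cannot create the helper objects.

```nft
# Added example (not from the nftables wiki page). Load with: nft -f <file>
# Assumptions: IPv4 forwarding router; nf_conntrack_ftp, nf_conntrack_sip and
# nf_conntrack_tftp are loaded (modprobe them first).
table ip filter {
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }
    ct helper sip-5060 {
        type "sip" protocol udp;
    }
    ct helper tftp-69 {
        type "tftp" protocol udp;
    }

    chain c {
        # priority 0 runs after the conntrack hook (-200), so the flow entry
        # already exists and the helper can be attached to it.
        type filter hook prerouting priority 0; policy accept;
        ct helper set ip protocol . th dport map {
            tcp . 21   : "ftp-standard",
            udp . 5060 : "sip-5060",
            udp . 69   : "tftp-69"
        }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Data channels opened by the helpers (FTP data, RTP, TFTP transfer)
        # match "related"; only the control ports need explicit rules.
        ct state established,related accept
        tcp dport 21 accept
        udp dport { 69, 5060 } accept
    }
}
```

The forward chain is the reason to assign helpers at all: the helper parses the control channel and registers expectations, so the dynamically negotiated data connections are accepted as `related` without opening port ranges. To confirm the assignment took effect, open an FTP control connection through the router and inspect the entry with the conntrack tool (`conntrack -L`), which reports the attached helper on the flow.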