Difference between revisions of "Setting packet connection tracking metainformation"

From nftables wiki
Jump to navigation Jump to search
(notrack is usable in linux 4.9)
(Added section ct secmark set.)
 
(16 intermediate revisions by 4 users not shown)
Line 1: Line 1:
You can set some bits of the packet conntrack metainformation, apart of [[Matching connection tracking stateful metainformation | matching on it]].
You can set some bits of the packet [[Connection_Tracking_System | conntrack]] metainformation, as well as [[Matching connection tracking stateful metainformation | match on it]].


== notrack ==


You can use the '''notrack''' support to explicitly skip connection tracking for matching packets.
== ''notrack'' - Bypass connection tracking ==


The example below skips traffic for 80/tcp and 443/tcp:
You can use the ''notrack'' statement (added in Linux kernel 4.9, nftables 0.7) to explicitly skip connection tracking for matched packets. To be effective '''your ''notrack'' rule must come before conntrack is triggered'''. You can ensure this by attaching it to a base chain with [[Netfilter_hooks | ''prerouting'' hook]] and [[Configuring_chains#Base_chain_priority | priority]] < NF_IP_PRI_CONNTRACK (-200). Using ''raw'' priority (-300) is a good choice. The following example skips incoming traffic to tcp ports 80 (http) and 443 (https):


<source lang="bash">
<source lang="bash">
nft add rule ip raw prerouting tcp dport { 80, 443 } notrack
nft add table my_table
nft add chain my_table prerouting { type filter hook prerouting priority -300 \; }
nft add rule my_table prerouting tcp dport { 80, 443 } notrack
</source>
</source>


Please, note that you should use notrack before the kernel connection tracking is triggered.
Use a chain with priority -300. Example:


<source lang="bash">
== ''ct helper set'' - Assign conntrack helper ==
nft add table raw
nft add chain raw prerouting { type filter hook prerouting priority -300 \; }
nft add rule raw prerouting tcp dport 80 notrack
</source>
 
Support for this was added in linux kernel 4.9 and in nftables v0.7.
 
== helpers ==


You can assign each packet a conntrack helper.
You can assign each packet a [[Conntrack_helpers|conntrack helper]].


Instantiate a helper, using a named object:
Instantiate a helper, using a named object:
Line 34: Line 25:
       }
       }


       ct helper ftp-standar {
      ct helper tftp-69 {
            type "tftp" protocol udp;
      }
 
       ct helper ftp-standard {
             type "ftp" protocol tcp;
             type "ftp" protocol tcp;
       }
       }


       chain c {
       chain c {
            type filter hook prerouting priority 0;
       }
       }
}
}
</source>
</source>
Your chain priority must be > -200, because conntrack registers at this priority.
Otherwise, packets will not find any conntrack information (which is required
to attach the helper).


Then, from the rules:
Then, from the rules:


<source>
<source>
nft add rule filter filter c udp dport 5060 ct helper set "sip-5060"
nft add rule filter c ct state new tcp dport 21 ct helper set "ftp-standard"
nft add rule filter c ct state new udp dport 5060 ct helper set "sip-5060"
nft add rule filter c ct state new udp dport 69 ct helper set "tftp-69"
</source>
</source>


You can of course use a dictionary, one single rule to assign many helpers:
You can use a [[Maps | map]] to assign many helpers using a single rule:


<source>
<source>
nft add rule x y ct helper set udp dport map { \
nft add rule filter c ct state new ct helper set ip protocol . th dport map { \
                         69 : "tftp-69", \
                         udp . 69 : "tftp-69", \
                         5060 : "sip-5060" }
                         udp . 5060 : "sip-5060", \
                        tcp . 21 : "ftp-standard" }
</source>
</source>
which sets the helper based in the transport protocol number and the transport destination port.


You need nftables >= 0.8 and the kernel >= 4.12 to use this feature.
You need nftables >= 0.8 and the kernel >= 4.12 to use this feature.
In case of a previous version of nftables, you can enable automatic assignment with:
<source>
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
</source>
Also, with the sysctl parameter:
<source>
net.netfilter.nf_conntrack_helper = 1
</source>
== [[Ct_timeout|''ct timeout set'']] - Set conntrack timeout policy ==
<br>
<br>
== [[Ct_expectation|''ct expectation set'']] - Create a conntrack expectation ==
<br>
<br>
== ''ct mark set'' - Set conntrack mark ==
Save packet nfmark in conntrack:
<source>
ct mark set meta mark
</source>
== ''ct label set'' - Set conntrack label ==
[[Data_types#Conntrack_types|Conntrack labels]] are 128-bit bitfields.
== ''ct zone set'' - Set conntrack zone ==
[https://marc.info/?l=netfilter-devel&m=148612536015039&w=2 When setting the conntrack zone, it is crucial to do so '''before''' the packet gets picked up by conntrack]. The below demo ruleset uses ''ct zone set'' rules in chains with [[Netfilter_hooks#Priority_within_hook|''raw'' priority]], which accomplishes this:
<source>
table inet zone_demo {
    chain PRE {
        type filter hook prerouting priority raw;
        iif eth3 ct zone set 23
    }
    chain OUT {
        type filter hook output priority raw;
        oif eth3 ct zone set 23
    }
}
</source>
== ''ct secmark set'' - Set conntrack secmark from packet secmark ==
New in [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3], you can set a secmark on a conntrack entry from a packet secmark:
<source>
ct secmark set meta secmark
</source>
NOTE you cannot set the ct secmark to a constant value, you must set it from a matched packet as above.
== ''ct event set'' - Set conntrack event ==
Restrict events reported by ctnetlink:
<source>
ct event set new,related,destroy
</source>

Latest revision as of 17:53, 16 April 2021

You can set some bits of the packet conntrack metainformation, as well as match on it.


notrack - Bypass connection tracking

You can use the notrack statement (added in Linux kernel 4.9, nftables 0.7) to explicitly skip connection tracking for matched packets. To be effective your notrack rule must come before conntrack is triggered. You can ensure this by attaching it to a base chain with prerouting hook and priority < NF_IP_PRI_CONNTRACK (-200). Using raw priority (-300) is a good choice. The following example skips incoming traffic to tcp ports 80 (http) and 443 (https):

nft add table my_table
nft add chain my_table prerouting { type filter hook prerouting priority -300 \; }
nft add rule my_table prerouting tcp dport { 80, 443 } notrack


ct helper set - Assign conntrack helper

You can assign each packet a conntrack helper.

Instantiate a helper, using a named object:

table filter {
      ct helper sip-5060 {
             type "sip" protocol udp;
      }

      ct helper tftp-69 {
             type "tftp" protocol udp;
      }

      ct helper ftp-standard {
             type "ftp" protocol tcp;
      }

      chain c {
             type filter hook prerouting priority 0;
      }
}

Your chain priority must be > -200, because conntrack registers at this priority. Otherwise, packets will not find any conntrack information (which is required to attach the helper).

Then, from the rules:

nft add rule filter c ct state new tcp dport 21 ct helper set "ftp-standard"
nft add rule filter c ct state new udp dport 5060 ct helper set "sip-5060"
nft add rule filter c ct state new udp dport 69 ct helper set "tftp-69"

You can use a map to assign many helpers using a single rule:

nft add rule filter c ct state new ct helper set ip protocol . th dport map { \
                        udp . 69 : "tftp-69", \
                        udp . 5060 : "sip-5060", \
                        tcp . 21 : "ftp-standard" }

which sets the helper based in the transport protocol number and the transport destination port.

You need nftables >= 0.8 and the kernel >= 4.12 to use this feature.

In case of a previous version of nftables, you can enable automatic assignment with:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

Also, with the sysctl parameter:

net.netfilter.nf_conntrack_helper = 1


ct timeout set - Set conntrack timeout policy



ct expectation set - Create a conntrack expectation



ct mark set - Set conntrack mark

Save packet nfmark in conntrack:

ct mark set meta mark


ct label set - Set conntrack label

Conntrack labels are 128-bit bitfields.


ct zone set - Set conntrack zone

When setting the conntrack zone, it is crucial to do so before the packet gets picked up by conntrack. The below demo ruleset uses ct zone set rules in chains with raw priority, which accomplishes this:

table inet zone_demo {

    chain PRE {
        type filter hook prerouting priority raw;

        iif eth3 ct zone set 23
    }

    chain OUT {
        type filter hook output priority raw;

        oif eth3 ct zone set 23
    }
}


ct secmark set - Set conntrack secmark from packet secmark

New in nftables 0.9.3, you can set a secmark on a conntrack entry from a packet secmark:

ct secmark set meta secmark

NOTE you cannot set the ct secmark to a constant value, you must set it from a matched packet as above.


ct event set - Set conntrack event

Restrict events reported by ctnetlink:

ct event set new,related,destroy