How to make conntrack to process all packets?

How to make conntrack to process all packets?

[Petr Chmelar]

Hi there,

We would like to use Ulogd's NFCT input for intelligent netflow-based 
statistics reporting. The problem is that the netfilter_conntrack 
doesn't process connections that don't go through the system (we have 
noticed and found in man conntrack /TABLES), which we need to process 
because of sniffing in promisc mode (we have forwarded traffic from 
different vlans). This doesn't work even when we do something like:
iptables -I PREROUTING -i eth9.10 -t raw -j CT

In fact we're looking for an opposite of NOTRACK. Do you have any idea 
how to setup or recompile the libnetfilter_conntrack or similar (ulogd2) 
so we get also flows not destined for the system?

Thank you, Petr

Re: How to make conntrack to process all packets?

[Pascal Hambourg]

Hello,

Petr Chmelar a écrit :
> 
> We would like to use Ulogd's NFCT input for intelligent netflow-based 
> statistics reporting. The problem is that the netfilter_conntrack 
> doesn't process connections that don't go through the system (we have 
> noticed and found in man conntrack /TABLES), which we need to process 
> because of sniffing in promisc mode (we have forwarded traffic from 
> different vlans). This doesn't work even when we do something like:
> iptables -I PREROUTING -i eth9.10 -t raw -j CT

From reading the manpage, I do not think that CT without any option does
anything.

> In fact we're looking for an opposite of NOTRACK. Do you have any idea 
> how to setup or recompile the libnetfilter_conntrack or similar (ulogd2) 
> so we get also flows not destined for the system?

IMO, you are looking in the wrong direction. The whole netfilter (not
only conntrack) won't process packets not destined to the host because
these packets do no reach the IP layer. A workaround may be to use a
bridge with bridge-nf-call-iptables enabled.