Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently

Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently

[mudrunka]

Hello,
currently in iptables i can set NOTRACK (-j CT --notrack) only for 
OUTPUT and PREROUTING. Because the routing decision is made after the 
conntracking.

I need stateful firewall on INPUT, but conntrack on FORWARD is 
performance drawback for me. And i can imagine that someone might have 
exact oposite of this problem.

When i want to enable conntrack for input, but not for forwarding, i 
have to list all the ip adresses on local interfaces. This is big 
administrative PITA for several reasons. i have routers with hundreds of 
vlans and each of these vlans have multiple ip adresses - both ipv4 and 
ipv6. Disabling conntrack for FORWARD only means listing all of them in 
PREROUTING to disguise INPUT traffic from the FORWARDed one. This is 
annoying and prone to error.

It would be super useful if one can simply use "-j CT --notrack" in 
INPUT and FORWARD. (it already works in OUTPUT)

If it's impossible to postpone conntrack after routing decision, it 
might be possible to add some macro that would match any of local 
adresses that are currently on any of interfaces. like "--src local" or 
"--dst local". Currently i am using ipset filled by cron script with all 
these adresses parsed from "ip a s". But that's far from being elegant 
or reliable.

I am planning to switch over to nftables, so it might be another 
solution...
Is this planned to be fixed in nftables? If not can you please consider 
fixing it?


Thanks

Best regards
       Tomas Mudrunka

Re: Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently

[mudrunka]

And by "disguise" i've meant "distinguish" :-)
T.

Dne 2016-12-06 06:54, mudrunka@spoje.net napsal:
> Hello,
> currently in iptables i can set NOTRACK (-j CT --notrack) only for
> OUTPUT and PREROUTING. Because the routing decision is made after the
> conntracking.
> 
> I need stateful firewall on INPUT, but conntrack on FORWARD is
> performance drawback for me. And i can imagine that someone might have
> exact oposite of this problem.
> 
> When i want to enable conntrack for input, but not for forwarding, i
> have to list all the ip adresses on local interfaces. This is big
> administrative PITA for several reasons. i have routers with hundreds
> of vlans and each of these vlans have multiple ip adresses - both ipv4
> and ipv6. Disabling conntrack for FORWARD only means listing all of
> them in PREROUTING to disguise INPUT traffic from the FORWARDed one.
> This is annoying and prone to error.
> 
> It would be super useful if one can simply use "-j CT --notrack" in
> INPUT and FORWARD. (it already works in OUTPUT)
> 
> If it's impossible to postpone conntrack after routing decision, it
> might be possible to add some macro that would match any of local
> adresses that are currently on any of interfaces. like "--src local"
> or "--dst local". Currently i am using ipset filled by cron script
> with all these adresses parsed from "ip a s". But that's far from
> being elegant or reliable.
> 
> I am planning to switch over to nftables, so it might be another 
> solution...
> Is this planned to be fixed in nftables? If not can you please
> consider fixing it?
> 
> 
> Thanks
> 
> Best regards
>       Tomas Mudrunka

Re: Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently

[Florian Westphal]

mudrunka@spoje.net <mudrunka@spoje.net> wrote:
> >It would be super useful if one can simply use "-j CT --notrack" in
> >INPUT and FORWARD. (it already works in OUTPUT)
> >
> >If it's impossible to postpone conntrack after routing decision, it
> >might be possible to add some macro that would match any of local
> >adresses that are currently on any of interfaces. like "--src local"
> >or "--dst local".

conntrack hook is in PREROUTING so by time INPUT/FORWARD hooks are
invokes conntrack already picked the packet up.

> >with all these adresses parsed from "ip a s". But that's far from
> >being elegant or reliable.

I suggest to use the addrtype match for this:
addrtype --dst-type LOCAL should do what you want.

> >I am planning to switch over to nftables, so it might be another
> >solution...
> >Is this planned to be fixed in nftables? If not can you please
> >consider fixing it?

The fib expression can be used in nft. ("fib daddr type local").

Re: Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently

[mudrunka]

WOW! Thank you very much, this actually works!


> I suggest to use the addrtype match for this:
> addrtype --dst-type LOCAL should do what you want.
> 
>> >I am planning to switch over to nftables, so it might be another
>> >solution...
>> >Is this planned to be fixed in nftables? If not can you please
>> >consider fixing it?
> 
> The fib expression can be used in nft. ("fib daddr type local").
> --
> To unsubscribe from this list: send the line "unsubscribe 
> netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html