From: mudrunka@spoje.net
To: netfilter-devel@vger.kernel.org
Subject: Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently
Date: Tue, 06 Dec 2016 06:54:26 +0100
Message-ID: <83039186e8c81a62f20e605de41ccba3@spoje.net>
Hello,

currently in iptables I can set NOTRACK (-j CT --notrack) only for
OUTPUT and PREROUTING, because the routing decision is made after the
conntracking.

I need a stateful firewall on INPUT, but conntrack on FORWARD is a
performance drawback for me. And I can imagine that someone might have
the exact opposite of this problem.

When I want to enable conntrack for input, but not for forwarding, I
have to list all the IP addresses on local interfaces. This is a big
administrative PITA for several reasons. I have routers with hundreds of
VLANs and each of these VLANs has multiple IP addresses, both IPv4 and
IPv6. Disabling conntrack for FORWARD only means listing all of them in
PREROUTING to distinguish INPUT traffic from the FORWARDed one. This is
annoying and prone to error.

It would be super useful if one could simply use "-j CT --notrack" in
INPUT and FORWARD. (It already works in OUTPUT.)

If it's impossible to postpone conntrack until after the routing decision, it
might be possible to add some macro that would match any of the local
addresses that are currently on any of the interfaces, like "--src local" or
"--dst local". Currently I am using an ipset filled by a cron script with all
these addresses parsed from "ip a s". But that's far from being elegant
or reliable.

I am planning to switch over to nftables, so it might be another
solution...

Is this planned to be fixed in nftables? If not, can you please consider
fixing it?

Thanks
Best regards
Tomas Mudrunka
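The workaround described in the message (an ipset of local addresses refreshed from "ip a s", plus raw-table rules that untrack everything not destined to the box) can be made less error-prone than a hand-edited cron job. The script below is an added example, not code from the poster or the netfilter project: it parses the one-line-per-address output of `ip -o addr show`, emits an ipset restore batch that swaps the live set atomically, and emits the matching raw-table fragment for iptables-restore. The set names `local_v4`/`local_v6` and the sample `ip` output are assumptions constructed for the example. The comment at the end shows the `addrtype --dst-type LOCAL` match, which resolves "is this address mine?" against the kernel's local routing table and therefore needs no refresh at all.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): keep conntrack for traffic
# addressed to the router itself (INPUT) while marking everything that will be
# FORWARDed as NOTRACK in the raw table, before conntrack sees it.
# Assumptions: set names local_v4/local_v6 (constructed); in a real deployment
# the generated batches are piped into `ipset restore` and `iptables-restore`
# as root from cron or an ifup hook.

# Constructed sample of `ip -o addr show` output (one address per line).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
3: eth0.100    inet 198.51.100.1/24 brd 198.51.100.255 scope global eth0.100\       valid_lft forever preferred_lft forever'

# Read `ip -o addr show` text on stdin and print an `ipset restore` batch.
# $1 is the family ("inet" or "inet6"), $2 the live set name.  A temporary
# set is filled and then swapped in, so the live set is never empty while
# the refresh runs (an empty set would untrack INPUT traffic).
build_ipset_batch() {
    family=$1
    set=$2
    echo "create ${set} hash:ip family ${family} -exist"
    echo "create ${set}_tmp hash:ip family ${family} -exist"
    echo "flush ${set}_tmp"
    # Field 3 is the family keyword, field 4 the address with prefix length.
    awk -v fam="$family" -v set="${set}_tmp" '
        $3 == fam {
            addr = $4
            sub(/\/.*/, "", addr)        # drop the /prefix
            print "add " set " " addr
        }'
    echo "swap ${set}_tmp ${set}"
    echo "destroy ${set}_tmp"
}

# Print an iptables-restore fragment for the raw table.  $1 is the set name.
# ACCEPT in the raw table only ends raw-table processing, so packets to a
# local address stay tracked; everything else is untracked before routing.
raw_table_rules() {
    set=$1
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m set --match-set ${set} dst -j ACCEPT
-A PREROUTING -j CT --notrack
COMMIT
EOF
}

# Demo run on the constructed sample; a real run would use:
#   ip -o -4 addr show | build_ipset_batch inet  local_v4 | ipset restore
#   ip -o -6 addr show | build_ipset_batch inet6 local_v6 | ipset restore
#   raw_table_rules local_v4 | iptables-restore  --noflush
#   raw_table_rules local_v6 | ip6tables-restore --noflush
printf '%s\n' "$SAMPLE_IP_OUTPUT" | build_ipset_batch inet  local_v4
printf '%s\n' "$SAMPLE_IP_OUTPUT" | build_ipset_batch inet6 local_v6
raw_table_rules local_v4

# Alternative that needs no ipset maintenance: xt_addrtype's LOCAL type is
# looked up live in the kernel's local routing table, so addresses added to
# new VLANs are covered immediately:
#   -A PREROUTING -m addrtype --dst-type LOCAL -j ACCEPT
#   -A PREROUTING -j CT --notrack
# Caveat for both variants: broadcast and multicast delivered to INPUT (VRRP,
# OSPF, mDNS) are not LOCAL and not in the set, so they end up untracked;
# add explicit ACCEPT rules ahead of the NOTRACK rule if they must be tracked.
```

Use `--noflush` with iptables-restore when merging the raw fragment into an existing ruleset, otherwise the restore replaces the whole raw table. The swap-based refresh matters operationally: a cron job that flushes and refills the set in place leaves a window during which INPUT traffic is untracked and a stateful INPUT policy drops legitimate replies.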