Re: Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently

[mudrunka@spoje.net]

And by "disguise" i've meant "distinguish" :-)
T.

Dne 2016-12-06 06:54, mudrunka@spoje.net napsal:
> Hello,
> currently in iptables i can set NOTRACK (-j CT --notrack) only for
> OUTPUT and PREROUTING. Because the routing decision is made after the
> conntracking.
> 
> I need stateful firewall on INPUT, but conntrack on FORWARD is
> performance drawback for me. And i can imagine that someone might have
> exact oposite of this problem.
> 
> When i want to enable conntrack for input, but not for forwarding, i
> have to list all the ip adresses on local interfaces. This is big
> administrative PITA for several reasons. i have routers with hundreds
> of vlans and each of these vlans have multiple ip adresses - both ipv4
> and ipv6. Disabling conntrack for FORWARD only means listing all of
> them in PREROUTING to disguise INPUT traffic from the FORWARDed one.
> This is annoying and prone to error.
> 
> It would be super useful if one can simply use "-j CT --notrack" in
> INPUT and FORWARD. (it already works in OUTPUT)
> 
> If it's impossible to postpone conntrack after routing decision, it
> might be possible to add some macro that would match any of local
> adresses that are currently on any of interfaces. like "--src local"
> or "--dst local". Currently i am using ipset filled by cron script
> with all these adresses parsed from "ip a s". But that's far from
> being elegant or reliable.
> 
> I am planning to switch over to nftables, so it might be another 
> solution...
> Is this planned to be fixed in nftables? If not can you please
> consider fixing it?
> 
> 
> Thanks
> 
> Best regards
>       Tomas Mudrunka