creating NOTRACK firewall rules are bogus #14

Open
ErwanMAS opened this issue Oct 18, 2023 · 1 comment

Comments


ErwanMAS commented Oct 18, 2023

In my case, I want to remove connection tracking for DNS on my local network only.

I added 2 rules.

Extract of /etc/config/firewall:

# rule A
config rule
	option name 'dont track DNS queries'
	option src 'lan'
	option dest_port '53'
	option target 'NOTRACK'
# rule B
config rule
	option name 'dont track DNS queries'
	option src_port '53'
	option dest 'lan'
	option target 'NOTRACK'

1. Rule A is too wide, because it captures packets in forward mode.

Current nft ruleset:

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname "br-lan" jump notrack_lan comment "!fw4: Handle lan IPv4/IPv6 notrack traffic"
	}

	chain notrack_lan {
		tcp dport 53 counter packets 0 bytes 0 notrack comment "!fw4: dont track DNS queries"
		udp dport 53 counter packets 1298 bytes 91957 notrack comment "!fw4: dont track DNS queries"
	}

The rule in raw_prerouting must be something like this:

	iifname "br-lan" fib daddr . iif type local jump notrack_lan comment "!fw4: Handle lan IPv4/IPv6 notrack traffic"

2. Rule B does not generate an nft rule.

So firewall4 must generate a block like this:

	chain raw_output {
		type filter hook output priority raw; policy accept;
		oifname "br-lan" jump notrack_output_lan comment "!fw4: Handle lan IPv4/IPv6 notrack output traffic"
	}
	chain notrack_output_lan {
		tcp sport 53 counter packets 0 bytes 0 notrack comment "!fw4: dont track DNS queries"
		udp sport 53 counter packets 921 bytes 73525 notrack comment "!fw4: dont track DNS queries"
	}


brada4 commented Nov 3, 2023

Rule 1 is correctly generated. There is no raw/forward; it acts on any packet reaching the network card (after flowtable offload, which is at an even lower level).
You can set one bit in the mark, then extract it in the following rule.

Or better, you can put your fragments, renamed from the generated names, in /etc/nftables.d/???.nft (see `fw4 print` for re-usable zone name variables).
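As an added illustration of the two points in the report and of the /etc/nftables.d workaround suggested above (not code from the issue or from firewall4 itself), the fragment below limits the untracked DNS queries to packets addressed to the router itself and adds the missing output-side rule for the replies. It assumes the LAN bridge is "br-lan" and the file is included by fw4 inside its `table inet fw4`; chain names are chosen here so they do not collide with the generated ones.

```nft
# /etc/nftables.d/10-notrack-dns.nft  (hypothetical file name)
# Included by fw4 inside "table inet fw4", so only chains are declared here.
# Assumption: LAN bridge is br-lan, as in the issue report.

chain notrack_dns_prerouting {
	type filter hook prerouting priority raw; policy accept;
	# Match only queries from LAN whose destination is a local address of
	# this router (fib lookup type "local"), so forwarded DNS traffic to
	# upstream resolvers keeps being tracked by conntrack.
	iifname "br-lan" fib daddr . iif type local meta l4proto { tcp, udp } th dport 53 counter notrack comment "notrack: DNS queries to local resolver"
}

chain notrack_dns_output {
	type filter hook output priority raw; policy accept;
	# Replies from the local resolver back to LAN (source port 53) must be
	# exempted as well, otherwise the reply direction still creates a
	# conntrack entry and the prerouting rule gains nothing.
	oifname "br-lan" meta l4proto { tcp, udp } th sport 53 counter notrack comment "notrack: DNS replies from local resolver"
}
```

Running `fw4 check` after adding the file validates the combined ruleset before it is loaded, and the `counter` on each rule lets you confirm with `nft list chain inet fw4 notrack_dns_prerouting` that only locally terminated queries are matched.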
