
#1 2023-09-12 16:54:36

vecino
Member
Registered: 2022-12-10
Posts: 139

[SOLVED] NAT | Connection tracking | nftables

Hi, I have a sw router with nftables. About 90% of the traffic is pure routing, but I also have a small LAN and it is behind NAT. Because of the NAT the router has to use connection tracking.

My question is can I somehow disable connection tracking for everything else outside the subnet that is being NATed?

LAN = 10.11.12.0/28
vlan102 = uplink #1
vlan103 = uplink #2

I tried that, but the LAN stops working.

table inet raw {
        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                # untrack everything that does not come from the LAN
                # (the uplink replies addressed to the LAN match this too)
                ip saddr != 10.11.12.0/28 counter notrack
        }

        chain OUTPUT {
                type filter hook output priority raw; policy accept;
        }
}

and

table inet raw {
        chain prerouting {
                type filter hook prerouting priority -300; policy accept;
                # keep tracking for packets addressed to the router itself
                fib daddr type local accept
                # untrack everything else, including the NATed LAN traffic
                notrack accept
        }
}

My NAT:

table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.11.12.0/28 counter oifname { "vlan102", "vlan103" } snat to 10.107.80.1
                counter comment "count postrouting packets"
        }

        chain PREROUTING {
                type nat hook prerouting priority filter; policy accept;
        }
}

Do you have any ideas? Thank you

Last edited by vecino (2024-04-05 20:07:59)


#2 2023-09-12 17:44:09

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 2,117

Re: [SOLVED] NAT | Connection tracking | nftables

This is the NAT setting in a firewall that I administer:

table inet nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                iifname "enp3s0" oifname "enp2s0" masquerade comment "Source NAT for connections to the Internet"
        }
}

Instead of selecting the source packets via interface, you can of course select them via address.


Inofficial first vice president of the Rust Evangelism Strike Force


#3 2023-09-12 18:05:49

vecino
Member
Registered: 2022-12-10
Posts: 139

Re: [SOLVED] NAT | Connection tracking | nftables

Thank you for your response. My SNAT works fine with that, no problem. My goal is to disable connection tracking (conntrack) for all other traffic outside of subnet 10.11.12.0/28 of my LAN, which is NATed.


#4 2023-09-13 11:11:07

-thc
Member
Registered: 2017-03-15
Posts: 717

Re: [SOLVED] NAT | Connection tracking | nftables

Is this an exercise in minimalism or is there an understandable reason for it?

If you take a look at an established connection in the conntrack table:

tcp      6 432000 ESTABLISHED src=10.7.0.2 dst=192.168.1.4 sport=59887 dport=22 src=192.168.1.4 dst=10.7.0.2 sport=22 dport=59887 [ASSURED] mark=0 use=1

you'll notice both directions.

In my opinion you also have to protect the opposite direction (vlan10X to 10.11.12.0/28) from "notrack".


#5 2023-09-13 18:01:59

vecino
Member
Registered: 2022-12-10
Posts: 139

Re: [SOLVED] NAT | Connection tracking | nftables

I would like to get the packet through the router as fast as possible without any unnecessary connection tracking. Something similar to Mikrotik and its FastPath.

Manual:Fast Path - https://wiki.mikrotik.com/wiki/Manual:Fast_Path
"Fast path allows to forward packets without additional processing in the Linux kernel. It improves forwarding speeds significantly."

Due to the fact that I have to use NAT on the router, the kernel automatically monitors all connections (connection tracking) which seems unnecessary to me. That's why I want to try a way to do it.

@-thc You are absolutely right that I have to work with both directions. Thank you very much.

That seems to be how it works:

table ip raw {
        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                # keep conntrack for both directions of the NATed LAN and the SNAT address
                ip saddr { 10.11.12.0/28, 10.107.80.1 } counter accept
                ip daddr { 10.11.12.0/28, 10.107.80.1 } counter accept
                # keep conntrack for packets addressed to the router itself
                fib daddr type local counter accept
                # everything else is pure transit and is not tracked
                notrack counter accept
        }
}


#6 2023-09-14 04:52:22

-thc
Member
Registered: 2017-03-15
Posts: 717

Re: [SOLVED] NAT | Connection tracking | nftables

O.K. - depending on your throughput unnecessary tracking may be an issue.

Since most of my software routers do packet filtering based on connections and need conntrack anyway I was just wondering.


#7 2023-09-14 06:18:05

Koatao
Member
Registered: 2018-08-30
Posts: 98

Re: [SOLVED] NAT | Connection tracking | nftables

Hi,

Well, you cannot have something similar to MikroTik FastPath or FastTrack, because they designed specific drivers to avoid using the Linux kernel. Obviously, Netfilter, being generic, will always use Linux.

However, the Netfilter devs have designed a software fast path with Flowtable: https://www.kernel.org/doc/html/latest/ … table.html


#8 2023-09-14 09:02:31

vecino
Member
Registered: 2022-12-10
Posts: 139

Re: [SOLVED] NAT | Connection tracking | nftables

Hi Koatao,

thanks a lot for the tip - I didn't know this, but I've already applied it to my router and am testing it. It looks very good.

--
I really like the community here - you can actually learn a lot of stuff here / people are cool / happy to give advice.

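The two pieces discussed in this thread combined into one ruleset, as an added example that is not from any of the posters: the raw-table exclusion from post #5 (conntrack only for both directions of the NATed LAN, the SNAT address and the router itself; pure transit is untracked) plus a flowtable from post #7 so the flows that are still tracked take the software fast path after they are established. The LAN interface name lan0 is an assumption; the addresses are the ones from the thread.

```nft
table ip raw {
        chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                # both directions of the NATed LAN, plus the SNAT address, stay tracked
                ip saddr { 10.11.12.0/28, 10.107.80.1 } accept
                ip daddr { 10.11.12.0/28, 10.107.80.1 } accept
                # packets for the router itself stay tracked so stateful input rules still work
                fib daddr type local accept
                # everything else is pure transit: no conntrack entry is created
                notrack
        }
}

table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                # SNAT only the LAN; untracked transit never reaches NAT anyway
                ip saddr 10.11.12.0/28 oifname { "vlan102", "vlan103" } snat to 10.107.80.1
        }
}

table ip filter {
        # software fast path for the tracked (NATed) flows; lan0 is an assumed interface name
        flowtable ft {
                hook ingress priority 0
                devices = { lan0, vlan102, vlan103 }
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                # once a LAN connection is established, hand its packets to the flowtable;
                # untracked transit has ct state "untracked" and is simply forwarded
                ip protocol { tcp, udp } ct state established flow add @ft
        }
}
```

Check the file with nft -c -f before loading it; afterwards conntrack -L should list only flows involving 10.11.12.0/28, 10.107.80.1 or the router's own addresses.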
