Hi, I have a sw router with nftables. About 90% of the traffic is pure routing, but I also have a small LAN and it is behind NAT. Because of the NAT the router has to use connection tracking.
My question is can I somehow disable connection tracking for everything else outside the subnet that is being NATed?
LAN = 10.11.12.0/28
vlan102 = uplink #1
vlan103 = uplink #2
I tried that, but the LAN stops working.
table inet raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        # everything not sourced from the LAN bypasses conntrack; this also
        # catches the replies to the NATed LAN, which is why the LAN stops working
        ip saddr != 10.11.12.0/28 counter notrack
    }
    chain OUTPUT {
        # chain named OUTPUT, so hooked at output (the post had "prerouting" here)
        type filter hook output priority raw; policy accept;
    }
}
and
table inet raw {
    chain prerouting {
        # priority -300 is the raw priority
        type filter hook prerouting priority -300; policy accept;
        # traffic addressed to the router itself stays tracked
        fib daddr type local accept
        # everything else, including replies to the NATed LAN, bypasses conntrack
        notrack accept
    }
}
My NAT:
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        # LAN traffic leaving on either uplink is source-NATed to the SNAT address
        ip saddr 10.11.12.0/28 counter oifname { "vlan102", "vlan103" } snat to 10.107.80.1
        counter comment "count postrouting packets"
    }
    chain PREROUTING {
        type nat hook prerouting priority filter; policy accept;
    }
}
Do you have any ideas? Thank you
Last edited by vecino (2024-04-05 20:07:59)
This is the NAT setting in a firewall that I administer:
table inet nat {
    chain prerouting {
        type nat hook prerouting priority filter; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        iifname "enp3s0" oifname "enp2s0" masquerade comment "Source NAT for connections to the Internet"
    }
}
Instead of selecting the source packets via interface, you can of course select them via address.
Inofficial first vice president of the Rust Evangelism Strike Force
Thank you for your response. My SNAT works fine with that, no problem. My goal is to disable connection tracking (conntrack) for all other traffic outside of subnet 10.11.12.0/28 of my LAN, which is NATed.
Is this an exercise in minimalism or is there an understandable reason for it?
If you take a look at an established connection in the conntrack table:
tcp 6 432000 ESTABLISHED src=10.7.0.2 dst=192.168.1.4 sport=59887 dport=22 src=192.168.1.4 dst=10.7.0.2 sport=22 dport=59887 [ASSURED] mark=0 use=1
you'll notice both directions.
In my opinion you also have to protect the opposite direction (vlan10X to 10.11.12.0/28) from "notrack".
I would like to get the packet through the router as fast as possible without any unnecessary connection tracking. Something similar to Mikrotik and its FastPath.
Manual:Fast Path - https://wiki.mikrotik.com/wiki/Manual:Fast_Path
"Fast path allows to forward packets without additional processing in the Linux kernel. It improves forwarding speeds significantly."
Due to the fact that I have to use NAT on the router, the kernel automatically monitors all connections (connection tracking) which seems unnecessary to me. That's why I want to try a way to do it.
@-thc You are absolutely right that I have to work with both directions. Thank you very much.
That seems to be how it works:
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        # both directions of the NATed LAN traffic stay tracked:
        # packets from the LAN, and replies addressed to the SNAT address
        ip saddr { 10.11.12.0/28, 10.107.80.1 } counter accept
        ip daddr { 10.11.12.0/28, 10.107.80.1 } counter accept
        # traffic addressed to the router itself stays tracked
        fib daddr type local counter accept
        # everything else (pure routing) bypasses conntrack
        notrack counter accept
    }
}
O.K. - depending on your throughput, unnecessary tracking may be an issue.
Since most of my software routers do packet filtering based on connections and need conntrack anyway I was just wondering.
Hi,
Well, you cannot have something similar to MikroTik FastPath or FastTrack because they designed specific drivers to avoid using the Linux kernel. Obviously, Netfilter generically will always use Linux.
However, the Netfilter devs have designed a software fastpath with flowtables: https://www.kernel.org/doc/html/latest/ … table.html
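The software fast path Koatao refers to, written out as an added example (not from any post in this thread): a flowtable that offloads established forwarded TCP/UDP flows, using the syntax from the kernel nf_flowtable documentation. It assumes the two uplink interfaces named in the thread; the LAN-facing interface is not named, so LAN_IF is a placeholder. Unlike the notrack approach, conntrack stays enabled (and so does the SNAT), because a flowtable entry is only created after conntrack has seen the connection.

```nft
# Added example: software fast path via a flowtable.
# Conntrack remains active, so the NAT in table ip nat keeps working;
# the raw-table notrack rules are not needed with this approach.
table inet filter {
    flowtable ft {
        # ingress hook on every interface whose forwarded traffic should take the fast path;
        # LAN_IF is a placeholder for the LAN-facing interface, which the thread does not name
        hook ingress priority 0; devices = { vlan102, vlan103, LAN_IF };
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # only established TCP/UDP connections are offloaded; the first packets of a
        # connection still take the normal path, so conntrack and the SNAT see them
        meta l4proto { tcp, udp } ct state established flow add @ft

        # packets reaching this rule are the ones still taking the slow path
        counter comment "forwarded packets not (yet) offloaded"
    }
}
```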
Hi Koatao,
thanks a lot for the tip - I didn't know this, but I've already applied it to my router and am testing it. It looks very good.
--
I really like the community here - you can actually learn a lot of stuff here / people are cool / happy to give advice.