On 6 September 2018 at 09:26, Florian Westphal <fw@xxxxxxxxx> wrote: > What conntrack features do you use? Basically whether or not the flow is in a NEW state. The idea is that I want to process the first packet or so of a flow, but nothing else. > Upon reinject the packet(s) should be picked up by conntrack. This is true. However, when I queried conntrack in the raw table, it never matched, even for flows which were clearly established. Basically, something like this: iptables -t raw -N sniffer iptables -t raw -A sniffer -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN iptables -t raw -A sniffer -j NFQUEUE --queue-num 0 --queue-bypass iptables -t raw -A OUTPUT -j sniffer I never returned out of the sniffer chain; all packets were queued. Is it possible I was just doing something wrong? I'm probably okay with doing this for DNS, but I wouldn't want to do it in general for UDP; I can't afford the CPU time to process every packet. I *hope* that other UDP protocols would be fairly resilient to drops, but you never know what crazy stuff people are doing. :)
