Kyle Larose <kyle@xxxxxxxxxxxx> wrote: > On 6 September 2018 at 09:26, Florian Westphal <fw@xxxxxxxxx> wrote: > > What conntrack features do you use? > > Basically whether or not the flow is in a NEW state. The idea is that > I want to process the first packet or so of a flow, but nothing else. > > > Upon reinject the packet(s) should be picked up by conntrack. > > This is true. However, when I queried conntrack in the raw table, it > never matched, > even for flows which were clearly established. > > Basically, something like this: > > iptables -t raw -N sniffer > iptables -t raw -A sniffer -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN > iptables -t raw -A sniffer -j NFQUEUE --queue-num 0 --queue-bypass > iptables -t raw -A OUTPUT -j sniffer Yes, that won't work unfortunately. > I'm probably okay with doing this for DNS, but I wouldn't want to do > it in general for UDP; I can't afford the CPU time to process every > packet. I *hope* that other UDP protocols would be fairly resilient > to drops, but you never know what crazy stuff people are doing. :) I guess your best bet is to only queue dns in raw output then so you can use -m conntrack for rest in mangle or filter.
