On 18/08/2021 18:13, Florian Westphal wrote:
> Eugene Crosser <crosser@xxxxxxxxxxx> wrote:
>> My use case is to set up a stateful firewall allowing any outgoing connection
>> from a host, and restricting incoming, which obviously requires conntracking.
>> The twist is that there exists a rather high probability of DoS-like incoming
>> traffic, that easily overflows the conntrack table with unconfirmed entries, even
>> though their lifetime is very short.
>
> Create a rule that drops NEW packets in the prerouting hook. For iptables,
> mangle will work (raw is too early). For nftables, you'll need to choose
> a hook priority of -199 or higher (-198, ... to anything below 2**31).
>
> Such packets will create a new connection entry, but because the packet gets
> dropped before confirmation the entry will not be committed to the table.

Unfortunately this approach does not work for my case. I cannot drop packets
before I know that they are going to the INPUT path. The point of the exercise
is to route transit traffic without conntracking it (because tracking will
overflow the table), but conntrack traffic to/from the host itself.

Maybe I'd be able to determine which traffic is transit on the prerouting stage
(by IP addresses or interfaces) and set "notrack" selectively...

Yet I am surprised that a flag meaning "conntrack, but only to confirm existing
entries" does not exist. Wouldn't it be useful to have?..

Thanks again in any case!

Eugene
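The selective "notrack" split sketched in the reply above, written out as an nftables ruleset. This is an added example, not a ruleset from either poster; it assumes a kernel with the nft fib expression, and the accepted service port (22) is a placeholder.

```nft
# Added example (not from the thread): skip conntrack for transit traffic,
# keep full state tracking for traffic addressed to the host itself.
# Assumptions: fib expression available; port 22 is a placeholder service.
table inet filter {
    # "priority raw" (-300) runs before the conntrack hook (-200), so a
    # packet hit by notrack here never allocates a conntrack entry at all.
    chain raw_pre {
        type filter hook prerouting priority raw; policy accept;
        # Transit traffic: destination is not a local address, so the
        # packet will be forwarded. Do not track it (it cannot fill the table).
        fib daddr type != local notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        # Host-bound traffic is tracked; only replies to our own connections
        # and explicitly allowed new connections get through.
        ct state established,related accept
        ct state invalid drop
        tcp dport { 22 } ct state new accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Forwarded packets arrive with ct state untracked because of raw_pre;
        # no stateful decisions are possible (or needed) for them here.
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # Locally generated traffic stays tracked so its replies match
        # "established,related" in the input chain.
    }
}
```

Load with `nft -f` and confirm the split with `conntrack -L`: forwarded flows should not appear, host-bound ones should.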