On Tue, Nov 12, 2024 at 06:56:30PM +0100, Thomas Köller wrote:
> Hi,
>
> tried to create a rule using the conntrack state of a packet:
>
> [root@sarkovy nftables]# cat ruleset-own.txt
> create table netdev world
> add set netdev world blacklist { type ipv4_addr; flags dynamic,timeout;
> timeout 1h; gc-interval 6h; size 256; }
> create chain netdev world ingress { type filter hook ingress device
> "eth_cable" priority filter; policy drop; }
> add rule netdev world ingress ip protocol tcp ip saddr @blacklist counter
> drop
> add rule netdev world ingress ct state established,related counter accept
> [root@sarkovy nftables]# nft -cf ruleset-own.txt
> ruleset-own.txt:5:31-38: Error: Could not process rule: Protocol error
> add rule netdev world ingress ct state established,related counter accept
>                               ^^^^^^^^
> This is rejected, but why?

Because there is currently no support for connection tracking at ingress.

> And, btw., which one is correct, 'ct state established,related' or 'ct state
> { established,related }'?

Use of { } implies a set instance.

# nft describe ct state
ct expression, datatype ct_state (conntrack state) (basetype bitmask, integer), 32 bits

pre-defined symbolic constants (in hexadecimal):
        invalid                         0x00000001
        new                             0x00000008
        established                     0x00000002
        related                         0x00000004
        untracked                       0x00000040

Use of:

        ct state established,related

(just like in iptables --m --state) is perfectly fine for this particular case.
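The split the reply points at, as an added example that is not part of the thread: the dynamic blacklist and its drop rule stay at netdev ingress, where no conntrack state exists yet, and the `ct state` match moves into an inet table chain on the input hook, which runs after conntrack has classified the packet. The ruleset is written in nft's native file format rather than the `add rule` command form used in the original, the ingress chain policy becomes accept so that the default drop lives in the input chain instead, and the SSH accept rule is an assumed placeholder for whatever services the host actually offers.

```nft
# Added example, not from the thread. Load with: nft -cf <file> (check) / nft -f <file>

table netdev world {
	# Same dynamic set as the original: entries age out after 1h.
	set blacklist {
		type ipv4_addr
		flags dynamic,timeout
		timeout 1h
		gc-interval 6h
		size 256
	}

	# Ingress sees raw frames before conntrack runs, so only stateless
	# matches belong here. Policy is accept; the default drop moves below.
	chain ingress {
		type filter hook ingress device "eth_cable" priority filter; policy accept;
		ip protocol tcp ip saddr @blacklist counter drop
	}
}

table inet filter {
	# The input hook runs after conntrack, so ct state is available here.
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		# Comma-separated bitmask form, as the reply recommends.
		ct state established,related counter accept
		# Equivalent anonymous-set form; both match the same flag bits:
		# ct state { established, related } counter accept
		ct state invalid counter drop
		# Assumed placeholder: allow new inbound SSH; replace with the
		# services this host really serves.
		tcp dport 22 ct state new counter accept
	}
}
```

With this layout, blacklisted sources are discarded before the conntrack table is touched, and the stateful accept for reply traffic no longer triggers the "Protocol error" reported for the ingress chain.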