Re: connection tracking state in rules

On Tue, 12 Nov 2024, at 7:04 PM, Thomas Köller wrote:
> On 12.11.24 at 19:24, Pablo Neira Ayuso wrote:
>> Because there is currently no support for connection tracking at
>> ingress.
>
> O.k., I guess this is probably obvious to people more familiar with the 
> kernel's netfilter subsystem. For the benefit of all others, it might be 
> desirable to have it documented somewhere in the nft man page (or did I 
> just miss it?).

You didn't. This constraint is formally undocumented, as are various other aspects of nft.

>
> So, does this mean that I cannot use conntrack state in netdev tables, 
> since these only allow for the filter/ingress combo? What I wanted to 
> achieve was to create a firewall that just protects one particular 
> interface, the one connected to the internet at large. Netdev seemed 
> like the way to go.

It very likely isn't, but it also depends on what the term "protects" entails in your case. You might not even need connection tracking to satisfy whatever your requirements are.

In general, I would say that, if at all in doubt, you should avoid using the netdev family. To use it effectively requires some understanding of its raison d'être and where it fits into Netfilter at large. There is a modicum of text in the wiki that may help to better understand its strengths and weaknesses.

https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families#netdev

--
Kerin Millar
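An added illustration of the point made in this exchange (it is not part of the thread and not from any of the posters): since the netdev family only offers the ingress hook, and connection tracking is not available there, a stateful filter for a single upstream interface is written in the inet family instead, with `iifname` restricting the rules to that interface. The interface name `wan0` and the exposed port are placeholders.

```nft
# Added example, not from the thread. "wan0" is a placeholder interface name.
#
# What the thread explains cannot be done: the netdev family only has the
# ingress hook, which runs before connection tracking, so "ct state" has
# nothing to match on there. Shown commented out for contrast only:
#
#   table netdev filter {
#       chain ingress {
#           type filter hook ingress device wan0 priority 0; policy accept;
#           ct state established,related accept   # no conntrack at ingress
#       }
#   }
#
# The inet family's input hook runs after conntrack, so state matching works,
# and "iifname" limits the filtering to the one interface facing the internet.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Traffic arriving on any other interface (including loopback) is
        # left alone by this chain.
        iifname != "wan0" accept

        # Replies to connections this host initiated, and related flows.
        ct state established,related accept

        # Packets conntrack could not attribute to a known connection.
        ct state invalid drop

        # Services deliberately exposed on the upstream side (placeholder port).
        tcp dport 22 accept

        # ICMP echo plus the ICMPv6 messages needed for basic IPv6 operation.
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`. The input hook only sees traffic addressed to the host itself; if the machine also routes for other hosts, the same `iifname` and `ct state` rules would be needed in a `forward` chain, which the netdev family likewise does not provide.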




