firewall4
creating NOTRACK firewall rules are bogus
In my case, I want to remove connection tracking on DNS on my local network only.
I added 2 rules
extract of /etc/config/firewall
```
# rule A
config rule
	option name 'dont track DNS queries'
	option src 'lan'
	option dest_port '53'
	option target 'NOTRACK'

# rule B
config rule
	option name 'dont track DNS queries'
	option src_port '53'
	option dest 'lan'
	option target 'NOTRACK'
```
1. rule A is too wide, because it captures packets in forward mode
current nft ruleset
```
chain raw_prerouting {
	type filter hook prerouting priority raw; policy accept;
	iifname "br-lan" jump notrack_lan comment "!fw4: Handle lan IPv4/IPv6 notrack traffic"
}
chain notrack_lan {
	tcp dport 53 counter packets 0 bytes 0 notrack comment "!fw4: dont track DNS queries"
	udp dport 53 counter packets 1298 bytes 91957 notrack comment "!fw4: dont track DNS queries"
}
```
the rule in `raw_prerouting` must be something like this
```
iifname "br-lan" fib daddr . iif type local jump notrack_lan comment "!fw4: Handle lan IPv4/IPv6 notrack traffic"
```
2. `rule B` does not generate an nft rule
so firewall4 must generate a block like this
```
chain raw_output {
	type filter hook output priority raw; policy accept;
	oifname "br-lan" jump notrack_output_lan comment "!fw4: Handle lan IPv4/IPv6 notrack output traffic"
}
chain notrack_output_lan {
	tcp sport 53 counter packets 0 bytes 0 notrack comment "!fw4: dont track DNS queries"
	udp sport 53 counter packets 921 bytes 73525 notrack comment "!fw4: dont track DNS queries"
}
```
Rule 1 is correctly generated. There is no raw/forward; it acts on any packet reaching the network card (after flowtable offload, which is at an even lower level). You can set one bit in the mark and then extract it in a following rule,
or better, you can put your fragments, renamed from the generated names, in /etc/nftables.d/???.nft (see `fw4 print` for re-usable zone name variables).
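The fragment approach from the reply, written out as an added example (not code from the thread or from fw4) that produces the two chains the original post asks for: queries only when they are addressed to the router itself, and the router's own replies on the output hook. It assumes fw4 includes `/etc/nftables.d/*.nft` inside its `inet fw4` table and defines the `lan_devices` variable shown by `fw4 print`; the file name and chain names are my own.

```nft
# /etc/nftables.d/10-notrack-dns.nft  (added example, not shipped by fw4)
# fw4 includes files from this directory inside "table inet fw4", so these
# chains live beside the generated raw_prerouting / raw_output chains.
# Assumed: fw4 defines "lan_devices" (see `fw4 print`); replace $lan_devices
# with { "br-lan" } if your build does not.

chain notrack_dns_prerouting {
	# Same hook and priority fw4 uses for raw_prerouting; a separate base
	# chain keeps this independent of the generated ruleset.
	type filter hook prerouting priority raw; policy accept;
	# Match only queries that arrive on a LAN device AND are addressed to the
	# router itself (fib type local), so forwarded DNS traffic stays tracked.
	iifname $lan_devices fib daddr . iif type local udp dport 53 counter notrack comment "untracked DNS queries to router"
	iifname $lan_devices fib daddr . iif type local tcp dport 53 counter notrack comment "untracked DNS queries to router"
}

chain notrack_dns_output {
	# Locally generated replies from the router's resolver back to the LAN.
	type filter hook output priority raw; policy accept;
	oifname $lan_devices udp sport 53 counter notrack comment "untracked DNS replies to LAN"
	oifname $lan_devices tcp sport 53 counter notrack comment "untracked DNS replies to LAN"
}
```

With this file in place the two UCI rules can be dropped, since they would otherwise still untrack forwarded port-53 traffic. Untracked packets never match `ct state` or NAT rules, so confirm nothing in the lan input path relies on conntrack for DNS before relying on this.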