Disabling conntrack on VM interface (with nftables-based firewall enabled)

tt2468

Jan 24, 2019
Hey everyone,

I've got a VM running a site to site VPN which is a backup to a physical connection handled by a hardware router. As a result of this, the traffic passing via the internal interface may be asymmetrical, or existing connections created over the physical backhaul connection may at any time need to shift to the VPN. As one might expect, conntrack is a major issue for these kinds of scenarios, and will happily destroy your connections as a result.

Previously, I've used a hookscript to add an iptables rule (for example iptables --table raw -A PREROUTING -i "tap100i1" -p all -j NOTRACK) for the interface to disable all conntrack functionality for traffic on that interface.

I have been testing out the nftables-based firewall, mainly due to it fixing a few quirky MTU issues, and I can't seem to replicate the behavior of the above iptables rule. I have had the most progress with the following rules:

Code:
table bridge stateless {
        chain prerouting {
                type filter hook prerouting priority -310; policy accept;
                iif "tap100i1" counter packets 13 bytes 804 notrack
        }
}

However, when monitoring with conntrack -E, I am still getting sessions marked as `NEW` in the log. Upon causing a route shift to this interface, it does appear that connections are still dying. With the iptables firewall and the rule above, this issue does not happen.

I feel like I must be missing something obvious if the iptables filter works.
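As an added example (not code from the thread), here is a small Python script that reads `conntrack -E` output and sorts each event by whether the flow's original source or destination lies in the VM's network. Run after loading a notrack rule, it shows which direction is still producing NEW/UPDATE/DESTROY entries. The subnet 10.20.0.0/24 and the sample event lines are constructed for illustration.

```python
"""Classify `conntrack -E` events by direction relative to a VM's network.

Added example (not the poster's code): after loading a notrack rule, feed the
event log into this script to see which flows touching the VM's addresses are
still being tracked, and from which direction. The sample lines below are
constructed, not captured output.
"""
import ipaddress
import re
import sys
from collections import Counter

# A `conntrack -E` line looks like (one line per event):
#   [NEW] tcp      6 120 SYN_SENT src=A dst=B sport=.. dport=.. [UNREPLIED] src=B dst=A ...
# The first src=/dst= pair is the flow's original direction; the second is the reply.
EVENT_RE = re.compile(r"^\s*\[(?P<event>NEW|UPDATE|DESTROY)\]\s+(?P<proto>\w+)")
TUPLE_RE = re.compile(r"src=(?P<src>[0-9a-fA-F.:]+)\s+dst=(?P<dst>[0-9a-fA-F.:]+)")


def parse_event(line):
    """Return (event, proto, orig_src, orig_dst) or None for lines that are not events."""
    head = EVENT_RE.match(line)
    tup = TUPLE_RE.search(line)
    if not head or not tup:
        return None
    return (head.group("event"), head.group("proto"),
            ipaddress.ip_address(tup.group("src")),
            ipaddress.ip_address(tup.group("dst")))


def classify(lines, vm_net):
    """Count events whose original tuple touches vm_net, keyed by (direction, event).

    'from_vm': original source inside vm_net, i.e. a flow the VM initiated
    'to_vm':   original destination inside vm_net, i.e. a flow initiated from outside
    Flows that never touch vm_net are skipped; tracking those is expected.
    """
    net = ipaddress.ip_network(vm_net)
    counts = Counter()
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        event, _proto, src, dst = parsed
        if src in net:
            counts[("from_vm", event)] += 1
        elif dst in net:
            counts[("to_vm", event)] += 1
    return counts


def report(lines, vm_net):
    """Collapse classify() to totals per direction; an empty dict means nothing was tracked."""
    totals = Counter()
    for (direction, _event), n in classify(lines, vm_net).items():
        totals[direction] += n
    return dict(totals)


# Constructed sample: a notrack rule on the VM's tap port exempts what the VM
# sends, but flows coming in from the other bridge port toward 10.20.0.5 are
# still tracked, so every event here is in the to_vm direction.
SAMPLE_EVENTS = [
    "    [NEW] tcp      6 120 SYN_SENT src=192.168.1.10 dst=10.20.0.5 sport=50000 dport=80 [UNREPLIED] src=10.20.0.5 dst=192.168.1.10 sport=80 dport=50000",
    "    [NEW] tcp      6 120 SYN_SENT src=192.168.1.20 dst=10.20.0.5 sport=51000 dport=22 [UNREPLIED] src=10.20.0.5 dst=192.168.1.20 sport=22 dport=51000",
    " [UPDATE] tcp      6 60 SYN_RECV src=192.168.1.20 dst=10.20.0.5 sport=51000 dport=22 src=10.20.0.5 dst=192.168.1.20 sport=22 dport=51000",
    "    [NEW] udp      17 30 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353",
    "[DESTROY] tcp      6 src=192.168.1.20 dst=10.20.0.5 sport=51000 dport=22 src=10.20.0.5 dst=192.168.1.20 sport=22 dport=51000 [ASSURED]",
]

if __name__ == "__main__":
    # Usage: conntrack -E | python3 ct_dir.py 10.20.0.0/24   (reads stdin when a subnet is given)
    if len(sys.argv) > 1:
        print(report(sys.stdin, sys.argv[1]))
    else:
        print(report(SAMPLE_EVENTS, "10.20.0.0/24"))  # {'to_vm': 4}
```

If the totals show only `to_vm` entries, the rule keyed on the tap port is working for what the VM sends and the remaining entries come from packets that enter the bridge on a different port.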
 
Can you post the output of the conntrack event log, as well as the full network configuration of tap100i0? Which IPs are involved in those connections (i.e. how does traffic get routed exactly, I'm not sure I understand 100% what kind of setup you have).

I think you need to NOTRACK the incoming connections as well, since currently you're only notracking connections originating from the VM.

The firewall ruleset would be interesting as well:
Code:
nft list ruleset
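Added example, not the original poster's ruleset and not the Proxmox firewall's own tables: an nftables ruleset that exempts the VM port's traffic from connection tracking in both directions. Packets heading to the VM enter the bridge on a different port, so they are matched by destination address rather than by input interface. `tap100i1` is taken from the thread; the subnet 10.20.0.0/24 and the inet-family table are assumptions.

```nft
# Added example (not the poster's or Proxmox's ruleset). Assumed names:
#   tap100i1     - the VM's port on the bridge (from the thread)
#   10.20.0.0/24 - the network behind the VPN VM (constructed)
# Load with: nft -f stateless.nft

# Bridge family: the conntrack hook for bridged traffic sits at
# prerouting priority -200, so the notrack chain needs a lower number.
table bridge stateless {
    chain prerouting {
        type filter hook prerouting priority -310; policy accept;

        # VM -> world: packets enter the bridge on the tap port.
        # iifname matches by name, so the rule loads even before the
        # tap exists (iif resolves the index at load time and fails).
        iifname "tap100i1" notrack

        # world -> VM: packets enter the bridge on another port, so the
        # rule above never sees them and they would still be tracked.
        # Exempt them by destination instead of by input interface.
        ip daddr 10.20.0.0/24 notrack
    }
}

# inet family: the equivalent of the poster's
#   iptables -t raw -A PREROUTING -i tap100i1 -j NOTRACK
# for the case where the IP-layer hooks (raw = -300, ahead of conntrack
# at -200) also see this traffic, e.g. routed traffic, or bridged traffic
# with bridge-nf-call-iptables enabled.
table inet stateless {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifname "tap100i1" notrack
        ip daddr 10.20.0.0/24 notrack
    }
}
```

After loading, `nft list ruleset` should show both tables, and `conntrack -E` should stop reporting NEW entries whose original tuple has 10.20.0.0/24 on either side. Which of the two tables matters depends on which family's hooks actually perform the tracking on the host; keeping both costs nothing because notrack is a no-op where no tracking happens.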