
I'm experimenting with stateless NAT using nftables. On the page about statelessly mangling protocol fields, the author says:

Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked

Out of curiosity, what are some of the bad things that can happen if I fail to do this? I can't seem to find any information on this point.

Einheri

1 Answer


Connection tracking starts before the mangle table is processed, so the tracked connection would not match the mangled packets, making it useless at best or blocking connectivity at worst.

Michael Hampton
Hi Michael, thanks for your answer. Could you clarify something for me: if I have a rule in nftables that says "ip daddr 1.2.3.4 ip daddr set 5.6.7.8", are you saying it's the "mangle" table that performs the actual rewriting, regardless of how my nftables chain is configured (hooks, priorities, etc)? – Einheri Jan 11 '21 at 09:31
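The ordering the answer describes, written out as an nftables ruleset. This is an added example, not part of the question or the answer; it assumes the host is a router forwarding traffic for 1.2.3.4 in both directions, and it uses the addresses from the comment above. Conntrack hooks in at priority raw (-300), so the `notrack` rules must sit in a chain at that priority; the `mangle` chains (priority -150) then rewrite the already-untracked packets.

```nft
# Stateless 1:1 rewrite of 1.2.3.4 <-> 5.6.7.8 on a forwarding host.
# Without the notrack chain, conntrack would record the flow with
# daddr 1.2.3.4 before the rewrite; the reply from 5.6.7.8 would never
# match that entry, so any "ct state established" filter would drop it.
table ip stateless_nat {
    # Priority raw runs before conntrack: mark both directions untracked.
    chain notrack_in {
        type filter hook prerouting priority raw; policy accept;
        ip daddr 1.2.3.4 notrack
        ip saddr 5.6.7.8 notrack
    }

    # Forward direction: rewrite the destination after the notrack hook.
    chain rewrite_in {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr 1.2.3.4 ip daddr set 5.6.7.8
    }

    # Return direction: rewrite the source so replies appear from 1.2.3.4.
    chain rewrite_out {
        type filter hook postrouting priority mangle; policy accept;
        ip saddr 5.6.7.8 ip saddr set 1.2.3.4
    }
}
```

Load it with `nft -f <file>`; afterwards `conntrack -L` should show no entries involving 1.2.3.4 or 5.6.7.8, which confirms the flows are bypassing the tracker rather than producing stale entries.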