Content #
Conntrack expressions are written with the keyword ct followed by one of these keys (the key selects which piece of connection-tracking data the rule matches on):
- daddr
- direction
- expiration
- helper
- l3proto
- mark
- protocol
- proto-src
- proto-dst
- saddr
- state
- status
state expression #
Matches the connection-tracking state that conntrack has assigned to the packet, so the rule has context about the ongoing exchange this packet belongs to. The possible states are:
- new The packet opens a connection that conntrack has not seen before, for example a TCP packet with the SYN flag set (with the default nf_conntrack_tcp_loose setting a mid-stream TCP packet without SYN is also classified as new rather than invalid).
- established The packet belongs to a connection that conntrack is already tracking and for which it has seen traffic in both directions, for TCP the reply to the initial SYN.
- invalid The packet cannot be associated with any known connection or does not conform to the protocol's rules, for example a TCP packet with an illegal flag combination or an out-of-window sequence number.
- related The packet starts a new connection that is tied to an existing tracked one, such as an ICMP error message referring to an existing connection, or the FTP data connection that the FTP conntrack helper expects after the PORT/PASV exchange on the control connection.
- untracked The packet was deliberately excluded from connection tracking with the notrack statement; an administrative state used in special cases only, for example high-volume traffic that is not worth the cost of a conntrack entry.
Allow established and related packets on the SSH port:
nft add rule filter input tcp dport 22 ct state established,related accept
Note that this rule on its own does not admit the first packet of an SSH session, whose state is new; it has to be paired with a rule that accepts new connections to port 22, otherwise no connection ever reaches the established state.
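A complete stateful ruleset that puts the states above to work, as an added example rather than configuration from the page: it loads with nft -f, uses an inet table named filter, and assumes a host that offers SSH and, to illustrate the untracked state, also answers DNS on UDP port 53. The table and chain names and the DNS assumption are this example's own choices.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; table/chain names are assumptions for this example.
flush ruleset

table inet filter {
    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Assumption: this host also answers DNS. Skip conntrack for queries so a
        # query flood cannot fill the conntrack table; these packets arrive in
        # the input chain with ct state untracked.
        udp dport 53 notrack
    }

    chain raw_output {
        type filter hook output priority raw; policy accept;
        # Replies to those queries must be untracked too, or conntrack would
        # create an entry for the reply direction.
        udp sport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback is trusted.
        iif "lo" accept

        # Packets conntrack cannot place in a connection, or that break the
        # protocol's rules, are dropped before anything else.
        ct state invalid drop

        # Replies and follow-on packets of connections already admitted,
        # plus related flows (ICMP errors, helper-created data connections).
        # The bulk of legitimate traffic is accepted by this single rule.
        ct state established,related accept

        # DNS traffic bypassed conntrack above, so it has no state to match;
        # accept it explicitly by its untracked state.
        ct state untracked udp dport 53 accept

        # Only the first packet of a connection reaches this point. Without
        # this rule the established,related rule above would never see an SSH
        # session, because the initial SYN would hit the drop policy.
        ct state new tcp dport 22 accept

        # ICMP types a host needs to function.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, time-exceeded, packet-too-big,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with nft -f and confirm with nft list ruleset. The rule order is the point: invalid is dropped first, established,related is matched next so that almost every packet is decided by one rule, and only the first packet of each connection is evaluated against the per-service rules that follow.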