Disable Conntrack per Firewall Chain
Open, NormalPublicFEATURE REQUEST
Actions

Assigned To

None

Authored By

	L0crian
	May 20 2025, 5:06 PM

Description

For users running an ISP, enabling the firewall to secure just VyOS on the input/output chains can impact the overall performance of forwarding, since conntrack will be enabled for all traffic. It could be useful to disable conntrack per chain for these users.

This can be accomplished by adding these lines to the top of the appropriate chains (IPv4 Example):

Input:
ip vyos_filter VYOS_PREROUTING_raw fib daddr . iif type local notrack counter

Output:
ip vyos_filter VYOS_OUTPUT_raw notrack counter

Forward:
ip vyos_filter VYOS_PREROUTING_raw fib daddr . iif type unicast notrack counter

Details

Version: -
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Related Objects

Mentioned In: T7475: Make it possible to disable connection tracking for specific firewall chains

Event Timeline

L0crian created this task.May 20 2025, 5:06 PM

pasik subscribed.May 20 2025, 5:43 PM

Viacheslav triaged this task as Normal priority.May 21 2025, 2:59 PM

L0crian mentioned this in T7475: Make it possible to disable connection tracking for specific firewall chains.May 21 2025, 9:12 PM

Disable Conntrack per Firewall ChainOpen, NormalPublicFEATURE REQUESTActions

Description

Details

Related Objects

Event Timeline

Disable Conntrack per Firewall Chain
Open, NormalPublicFEATURE REQUEST
Actions