
Make it possible to disable connection tracking for specific firewall chains
Open, Low, Public

Description

As discussed in T7209, in some environments, enabling connection tracking by default is a bad idea. For example, in an ISP network, the firewall is usually configured to protect the router itself, so connection tracking is not really beneficial in the first place and can be prohibitively resource-intensive.

We should make it possible to disable connection tracking per chain.

Trying to configure stateful rules in a chain where conntrack is disabled should probably cause commit errors.

Details

Version: -
Is it a breaking change? Perfectly compatible
Issue type: Feature (new functionality)

Event Timeline

Will it not do what you want?

set firewall ipv4 prerouting raw default-action 'accept'
set firewall ipv4 prerouting raw rule 10 action 'notrack'
set firewall ipv4 prerouting raw rule 10 source address '192.0.2.0/24'

@dmbaturin @Viacheslav

I created a task for this as well https://vyos.dev/T7469

Will it not do what you want?

set firewall ipv4 prerouting raw default-action 'accept'
set firewall ipv4 prerouting raw rule 10 action 'notrack'
set firewall ipv4 prerouting raw rule 10 source address '192.0.2.0/24'

That will disable conntrack for both the input and forward chains. The nft config would probably be something like this:

Input:
ip vyos_filter VYOS_PREROUTING_raw fib daddr . iif type local notrack counter

Output:
ip vyos_filter VYOS_OUTPUT_raw notrack counter

Forward:
ip vyos_filter VYOS_PREROUTING_raw fib daddr . iif type unicast notrack counter
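To make the proposal in the description concrete (a per-chain conntrack toggle, the notrack rules sketched in the comment above, and the commit error for stateful rules in an untracked chain), here is an added illustration. It is not VyOS code; the `conntrack` flag, the rule dict keys and the `vyos_filter` rule strings are assumptions modelled on the nft lines quoted in this thread.

```python
# Added illustration (not VyOS code): render a hypothetical per-chain
# "disable conntrack" flag into nftables notrack rules, and reject
# stateful matches in a chain whose traffic is no longer tracked.
from dataclasses import dataclass, field

# Where the notrack rule lands for each VyOS chain, mirroring the nft
# output sketched in the thread: input/forward traffic is classified in
# the prerouting raw chain via a fib lookup, output in the output raw chain.
NOTRACK_TEMPLATES = {
    "input":   ("VYOS_PREROUTING_raw", "fib daddr . iif type local notrack counter"),
    "forward": ("VYOS_PREROUTING_raw", "fib daddr . iif type unicast notrack counter"),
    "output":  ("VYOS_OUTPUT_raw", "notrack counter"),
}
# Hypothetical rule keys that only make sense with conntrack enabled.
STATEFUL_KEYS = {"state", "connection-status"}

@dataclass
class Chain:
    name: str                     # "input", "forward" or "output"
    conntrack: bool = True        # hypothetical per-chain toggle
    rules: dict = field(default_factory=dict)   # rule number -> VyOS-style keys

def verify(chain: Chain) -> None:
    """Commit-time check: a stateful match is meaningless once conntrack is off."""
    if chain.conntrack:
        return
    for num, rule in sorted(chain.rules.items()):
        bad = STATEFUL_KEYS & rule.keys()
        if bad:
            raise ValueError(f"chain {chain.name}: rule {num} uses {sorted(bad)} "
                             "but connection tracking is disabled for this chain")

def render_notrack(chain: Chain) -> list:
    """Return the raw-table nft rule that exempts this chain's traffic from conntrack."""
    if chain.conntrack:
        return []
    raw_chain, expr = NOTRACK_TEMPLATES[chain.name]
    return [f"add rule ip vyos_filter {raw_chain} {expr}"]

def generate(chains: list) -> list:
    """Verify every chain first (commit fails as a whole), then emit notrack rules."""
    for chain in chains:
        verify(chain)
    return [line for chain in chains for line in render_notrack(chain)]

if __name__ == "__main__":
    # Constructed config: stateless protection of the router itself,
    # conntrack kept for forwarded traffic.
    cfg = [Chain("input", conntrack=False, rules={10: {"source": "192.0.2.0/24"}}),
           Chain("forward", rules={10: {"state": "established"}})]
    print("\n".join(generate(cfg)))
```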

@dmbaturin @Viacheslav

I found a companion issue to this and created a task for it:
https://vyos.dev/T7781