Interface not created until first L2TP session established.

Posted: 10 Jan 2022, 17:19
by tj-19
I would like to setup various rules to disable connection tracking for the l2tp interface.

Normally I would do this by the interface name.

However, in ACCEL-PPP the interface is not created until the first session comes in.

I’ve set ifname=l2tp0%d to l2tp0 to make all interfaces l2tp0.

I then want to set:-
iptables -t raw -I PREROUTING -i l2tp0 -j CT --notrack
iptables -t raw -I OUTPUT -o l2tp0 -j CT --notrack

However, if I type:- ip route

I can see that ‘default dev l2tp0 scope link metric 1’ does not exist before the first session comes in.

I know I can disable connection tracking via IP ranges, but this will create extra work.

Any ideas?

Re: Interface not created until first L2TP session established.

Posted: 10 Jan 2022, 19:51
by dimka88
Hi @tj-19, why can you not use the + char in this case?

Code:

iptables -t raw -I PREROUTING -i l2tp+ -j CT --notrack
iptables -t raw -I OUTPUT -o l2tp+ -j CT --notrack
ifname=l2tp0%d means that you will have l2tp00, l2tp01 ...
Also, it is not possible to have the same name for the second interface.

Re: Interface not created until first L2TP session established.

Posted: 27 Jan 2022, 14:41
by tj-19
Hi,

I'm using Ubuntu with a Xanmod Kernel 5.15.16-xanmod1

I've added the rules to my iptables as above. But a conntrack -D shows IPs via the l2tp interfaces are still being tracked.

Any ideas how to fix this?

Re: Interface not created until first L2TP session established.

Posted: 30 Jan 2022, 17:41
by dimka88
You have to check all the rules; show me the output of:

Code:

iptables -t raw -L -n -v

Re: Interface not created until first L2TP session established.

Posted: 16 Feb 2022, 19:34
by tj-19
Hi,

iptables -t raw -L -n -v

Chain PREROUTING (policy ACCEPT 99022 packets, 54M bytes)
pkts bytes target prot opt in out source destination
17109 4671K CT all -- l2tp+ * 0.0.0.0/0 0.0.0.0/0 CT notrack

Chain OUTPUT (policy ACCEPT 40338 packets, 44M bytes)
pkts bytes target prot opt in out source destination
0 0 CT all -- * l2tp+ 0.0.0.0/0 0.0.0.0/0 CT notrack


If I look at conntrack, I can still see the tracked sessions to IPs on the l2tp00, l2tp01 etc.

For example:-

conntrack -L |grep XXX.XXX.XXX.XXX

Any ideas why this is the case?
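As an added shell example (not code from the thread or from accel-ppp), the script below parses a raw-table listing of the shape tj-19 posted, embedded here as a constructed sample, reports which CT notrack rules have never matched a packet, and prints a rule set for the l2tp case. The pool 192.0.2.0/24 is a placeholder for the client address pool configured in accel-ppp; the function names are this example's own. The zero counter on the OUTPUT rule is expected: raw OUTPUT only sees locally generated packets, and the raw table has no FORWARD chain, so a packet forwarded from another interface towards an l2tp client passes only raw PREROUTING, where it is matched on its incoming interface rather than l2tp+, and is therefore tracked. A destination-based PREROUTING rule on the client pool covers that path, which is why both interface-based rules plus a pool rule are printed together.

```shell
#!/bin/sh
# Added example; not code from the thread or from accel-ppp.
# Parses `iptables -t raw -L -n -v` output, reports CT --notrack rules that
# have never matched, then prints a rule set for the l2tp case.

# Constructed sample listing, shaped like the one posted in the thread.
SAMPLE_RAW_LISTING='Chain PREROUTING (policy ACCEPT 99022 packets, 54M bytes)
 pkts bytes target prot opt in out source destination
17109 4671K CT all -- l2tp+ * 0.0.0.0/0 0.0.0.0/0 CT notrack

Chain OUTPUT (policy ACCEPT 40338 packets, 44M bytes)
 pkts bytes target prot opt in out source destination
0 0 CT all -- * l2tp+ 0.0.0.0/0 0.0.0.0/0 CT notrack'

# Read a listing on stdin; print "CHAIN IN OUT PKTS" for each CT notrack rule.
notrack_rules() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "CT" && /notrack/ { print chain, $6, $7, $1 }
    '
}

# Read a listing on stdin; print how many CT notrack rules have zero hits.
# A zero counter on "-o l2tp+" in OUTPUT is expected: that chain only sees
# locally generated packets. Forwarded packets towards the l2tp clients pass
# only raw PREROUTING, matched on their incoming interface (not l2tp+), so
# they are tracked unless a destination-based rule catches them.
count_unhit_notrack() {
    notrack_rules | awk '$4 == 0 { n++ } END { print n + 0 }'
}

# Print the rule set: wildcard interface rules on both raw chains plus a
# destination rule for forwarded traffic. $1 is the accel-ppp client pool
# (placeholder default; substitute the real pool range).
print_notrack_rules() {
    pool="${1:-192.0.2.0/24}"
    cat <<EOF
iptables -t raw -I PREROUTING -i l2tp+ -j CT --notrack
iptables -t raw -I OUTPUT -o l2tp+ -j CT --notrack
iptables -t raw -I PREROUTING -d $pool -j CT --notrack
EOF
}

# Demo on the constructed sample. On a real host run
# `iptables -t raw -L -n -v | notrack_rules` instead. Entries created before
# the rules were inserted stay in conntrack until they expire or are flushed
# with `conntrack -F`.
printf '%s\n' "$SAMPLE_RAW_LISTING" | notrack_rules
echo "notrack rules with zero hits: $(printf '%s\n' "$SAMPLE_RAW_LISTING" | count_unhit_notrack)"
print_notrack_rules
```

Run it as-is to see the sample analysed; pipe a live listing into notrack_rules to check a real host, and pass the actual pool to print_notrack_rules before applying anything.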