I would like to setup various rules to disable connection tracking for the l2tp interface.
Normally I would do this by the interface name.
However, in ACCEL-PPP the interface is not created until the first session comes in.
I’ve set ifname=l2tp0%d to l2tp0 to make all interfaces l2tp0.
I then want to set:-
iptables -t raw -I PREROUTING -i l2tp0 -j CT --notrack
iptables -t raw -I OUTPUT -o l2tp0 -j CT --notrack
However, if I type ip route, I can see that 'default dev l2tp0 scope link metric 1' does not exist before the first session comes in.
I know I can disable connection tracking via IP ranges, but this will create extra work.
Any ideas?
Interface not created until first L2TP session established.
Re: Interface not created until first L2TP session established.
Hi @tj-19, why can you not use the + character in this case?
ifname=l2tp0%d means that you will have l2tp00, l2tp01 ...
Also, it is not possible to have the same name for the second interface.
iptables -t raw -I PREROUTING -i l2tp+ -j CT --notrack
iptables -t raw -I OUTPUT -o l2tp+ -j CT --notrack
Re: Interface not created until first L2TP session established.
Hi,
I'm using Ubuntu with a Xanmod Kernel 5.15.16-xanmod1
I've added the rules to my iptables as above. But a conntrack -D shows IPs via the l2tp interfaces are still being tracked.
Any ideas how to fix this?
Re: Interface not created until first L2TP session established.
You have to check all rules; show me the output of:
iptables -t raw -L -n -v
Re: Interface not created until first L2TP session established.
Hi,
iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 99022 packets, 54M bytes)
 pkts bytes target     prot opt in     out     source               destination
17109 4671K CT         all  --  l2tp+  *       0.0.0.0/0            0.0.0.0/0            CT notrack
Chain OUTPUT (policy ACCEPT 40338 packets, 44M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         all  --  *      l2tp+   0.0.0.0/0            0.0.0.0/0            CT notrack
If I look at conntrack, I can still see the tracked sessions to IPs on the l2tp00, l2tp01 etc.
For example:-
conntrack -L |grep XXX.XXX.XXX.XXX
Any ideas why this is the case?
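An added example, not code from this thread or from accel-ppp, covering both the l2tp+ wildcard rules suggested above and the counters in the posted raw table. Two properties of the raw table matter when reading that output: the OUTPUT chain only sees locally generated packets, so a 0 counter on the -o l2tp+ rule is expected when the traffic is forwarded rather than originated on the box; and -i l2tp+ in PREROUTING only exempts packets that arrive on a session interface. The other half of each forwarded flow enters on the upstream interface, matches no notrack rule, and creates the conntrack entry on its own, which is one way to end up with tracked entries for the client IPs while the l2tp+ rule counts packets. The script below generates a rule set that exempts both directions, then checks a pasted "iptables -t raw -L -n -v" listing for that coverage. The upstream interface eth0, the client pool 10.0.0.0/24, the UDP 1701 tunnel rule and the function names are assumptions for illustration; the sample listing is the one posted in this thread, and the extra upstream-side line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from accel-ppp): raw-table notrack
# rules for accel-ppp sessions plus a coverage check over
# "iptables -t raw -L -n -v" output. WAN_IF, POOL and the helper names
# are illustrative assumptions.
set -u

PPP_GLOB="${PPP_GLOB:-l2tp+}"       # matches l2tp00, l2tp01, ... (ifname=l2tp0%d)
WAN_IF="${WAN_IF:-eth0}"             # assumption: upstream interface
POOL="${POOL:-10.0.0.0/24}"          # assumption: accel-ppp client address pool
IPTABLES="${IPTABLES:-iptables}"

# One rule per line, as arguments to iptables. The l2tp+ rules exempt
# packets arriving on (or locally generated for) a session interface; the
# WAN_IF rules exempt the other half of each forwarded flow, which enters
# on the upstream interface and would otherwise create the conntrack entry.
notrack_rules() {
    cat <<EOF
-t raw -A PREROUTING -i $PPP_GLOB -j CT --notrack
-t raw -A OUTPUT -o $PPP_GLOB -j CT --notrack
-t raw -A PREROUTING -i $WAN_IF -d $POOL -j CT --notrack
-t raw -A PREROUTING -i $WAN_IF -p udp --dport 1701 -j CT --notrack
EOF
}

# apply_rules      -> runs iptables (needs root)
# apply_rules dry  -> prints the commands instead of running them
apply_rules() {
    notrack_rules | while IFS= read -r rule; do
        if [ "${1:-}" = "dry" ]; then
            echo "$IPTABLES $rule"
        else
            # shellcheck disable=SC2086  # word splitting is intended here
            $IPTABLES $rule
        fi
    done
}

# Reads "iptables -t raw -L -n -v" output on stdin. Returns 0 when both the
# session side and the upstream side are exempted, 1 otherwise.
# Column layout with -n -v: pkts bytes target prot opt in out source destination ...
check_raw_coverage() {
    awk -v wan="$WAN_IF" -v pool="$POOL" -v glob="$PPP_GLOB" '
        $3 == "CT" && /notrack/ {
            if ($6 == glob || $7 == glob) ppp++
            if ($6 == wan || $9 == pool) upstream++
        }
        END {
            bad = 0
            if (!ppp)      { print "missing: notrack for " glob; bad = 1 }
            if (!upstream) { print "missing: notrack for traffic entering on " wan " towards " pool; bad = 1 }
            if (!bad) print "raw table covers both directions"
            exit bad
        }'
}

# The listing posted in the thread: session side only. The OUTPUT counter
# is 0 because forwarded packets never traverse OUTPUT.
SAMPLE_RAW_OUTPUT='Chain PREROUTING (policy ACCEPT 99022 packets, 54M bytes)
 pkts bytes target     prot opt in     out     source               destination
17109 4671K CT         all  --  l2tp+  *       0.0.0.0/0            0.0.0.0/0            CT notrack
Chain OUTPUT (policy ACCEPT 40338 packets, 44M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         all  --  *      l2tp+   0.0.0.0/0            0.0.0.0/0            CT notrack'

# Constructed line showing what the missing upstream-side rule looks like
# once added (uses the assumed eth0 / 10.0.0.0/24 values).
UPSTREAM_RULE_LINE='    0     0 CT         all  --  eth0   *       0.0.0.0/0            10.0.0.0/24          CT notrack'

# Wrappers so the outcome is a return code rather than only printed text.
check_posted_output() { printf '%s\n' "$SAMPLE_RAW_OUTPUT" | check_raw_coverage; }
check_fixed_output()  { printf '%s\n%s\n' "$SAMPLE_RAW_OUTPUT" "$UPSTREAM_RULE_LINE" | check_raw_coverage; }

if [ "${1:-}" = "demo" ]; then
    apply_rules dry
    check_posted_output || echo "(the posted rule set is incomplete)"
    check_fixed_output
fi
```

Run it as "sh notrack.sh demo" to print the generated iptables commands and the two coverage checks; feed a live listing with "iptables -t raw -L -n -v | sh -c '. ./notrack.sh; check_raw_coverage'". After applying rules, "conntrack -L | grep <client IP>" should come back empty for new flows; entries that existed before the rules were added stay until they expire or are flushed with conntrack -F, so check with a fresh session.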