Description
When creating a firewall rule in the forward chain, NethSecurity currently allows selecting the NOTRACK action to bypass conntrack for specific traffic.
This option is extremely rare and is usually used only for anomalous or special traffic patterns, such as monitoring probes or traffic that creates issues when processed by the standard connection tracking path.
In these cases, it is often necessary to bypass netifyd as well. If traffic is already considered special enough to require NOTRACK, sending it through DPI inspection may still cause unwanted side effects, false positives, or performance/processing issues.
For this reason, when a forward firewall rule uses the NOTRACK action, NethSecurity should also automatically bypass netifyd for the same traffic.
Proposed solution
When a firewall forward rule is configured with the NOTRACK action:
- the rule should bypass conntrack;
- the same traffic should also bypass
netifyd;
- no additional UI page should be introduced for managing
netifyd bypass rules separately.
This would make the existing NOTRACK option more effective in the rare cases where it is actually needed.
Expected behavior
When a forward firewall rule uses the NOTRACK action, matching traffic should not be processed by conntrack and should also be excluded from netifyd inspection.
Actual behavior
The NOTRACK action bypasses conntrack, but traffic may still be processed by netifyd.
Why
Keeping conntrack bypass and netifyd bypass together would solve a practical operational problem without adding a dedicated UI for netifyd bypass management.
This approach slightly reduces granularity. For example, it would no longer be possible to easily configure a case where traffic bypasses conntrack but still goes through netifyd.
However, this scenario is expected to be even rarer than the already rare use of NOTRACK itself. Creating and maintaining a dedicated UI only for this edge case does not seem proportionate.
Combining both behaviors under the existing NOTRACK action provides a simpler and more practical solution.
Benefits
- Provides a practical solution for anomalous traffic such as probes or special monitoring flows.
- Avoids unnecessary DPI processing for traffic explicitly marked as not trackable.
- Reduces the risk of false positives or unwanted blocking by
netifyd.
- Avoids introducing a dedicated
netifyd bypass UI for a very rare use case.
- Keeps the firewall UI simple and minimal.
Components
NethSecurity 8.7.2.
Description
When creating a firewall rule in the forward chain, NethSecurity currently allows selecting the
NOTRACKaction to bypass conntrack for specific traffic.This option is extremely rare and is usually used only for anomalous or special traffic patterns, such as monitoring probes or traffic that creates issues when processed by the standard connection tracking path.
In these cases, it is often necessary to bypass
netifydas well. If traffic is already considered special enough to requireNOTRACK, sending it through DPI inspection may still cause unwanted side effects, false positives, or performance/processing issues.For this reason, when a forward firewall rule uses the
NOTRACKaction, NethSecurity should also automatically bypassnetifydfor the same traffic.Proposed solution
When a firewall forward rule is configured with the
NOTRACKaction:netifyd;netifydbypass rules separately.This would make the existing
NOTRACKoption more effective in the rare cases where it is actually needed.Expected behavior
When a forward firewall rule uses the
NOTRACKaction, matching traffic should not be processed by conntrack and should also be excluded fromnetifydinspection.Actual behavior
The
NOTRACKaction bypasses conntrack, but traffic may still be processed bynetifyd.Why
Keeping conntrack bypass and
netifydbypass together would solve a practical operational problem without adding a dedicated UI fornetifydbypass management.This approach slightly reduces granularity. For example, it would no longer be possible to easily configure a case where traffic bypasses conntrack but still goes through
netifyd.However, this scenario is expected to be even rarer than the already rare use of
NOTRACKitself. Creating and maintaining a dedicated UI only for this edge case does not seem proportionate.Combining both behaviors under the existing
NOTRACKaction provides a simpler and more practical solution.Benefits
netifyd.netifydbypass UI for a very rare use case.Components
NethSecurity 8.7.2.