Netfilter connection tracking, a full definition what related connections are? ARP is related to DHCP?

I was doing some basic OpenWRT firewall testing to make sure I understood how it works and at first was a bit surprised that the DHCP client and ARP got through even though I set everything to reject and deleted all the extra rules. Seems like DHCP client uses raw access for some reason, and I verified that ARP stopped being broadcast after removing the connection tracking line from the nft ruleset. I'm assuming it's a "related" connection. I verified this with packet capture on the router. (So even though it has raw access and bypasses netfilter firewall rules, it's still added as a connection to be tracked? huh)

The common example of related connections given is how FTP uses 2 ports. From that I wouldn't have guessed DHCP and ARP were related. I wonder what else I'm misunderstanding.

I've been looking and can't find a more thorough definition of how related connections are defined.

Anyone got a definition of what related connections are that doesn't require trying to dig through netfilter source code?

edit: changed last line for a more clear question.

It is icmp frag needed / unreachable as related to tcp or udp connections.

You can explore like this:
nft list ruleset > my.nft

edit file and change "related" lines

chain {
 hook ...
ct state vmap { established : accept , related : goto fancy_accept }
}

chain fancy_accept {
      counter
      log
      accept
}

then restore ruleset:

nft -c -f my.nft
nft flush ruleset ; nft -f my.nft

now check dmesg for those few related packets that come around.

On second read of your text, no it does not work like that.

You can drop DHCP in raw_pstrouting. ARP is lower than ip4/ip6, it can be dropped in arptables/ebtables bridge/netdev only, i.e where you can drop raw ethernet frames like hostile VLAN.

There is secondary conntrack on bridge class table, states not related to inet class conntrack.

FTP data connections are not "related", they are "expectations" set up by ALG nat helper if you install one.

related is in general ICMP control packets matching state inside encapped header copy.

education: https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables

1 Like

Good observation. Don't nail me on the details but years ago I read something about Linux DHCP server implementation and that they are forced to read raw packets. Maybe clients are affected too?
Iirc Nftables is able to filter also on a device level (even before raw is processed) maybe that's an option for you?

Affected by what? How do you get network communications without having own endpoint IP address?