disabled conntrack on 10.0.0.0/8 packets

we were hitting conntrack limits when opening lots of connections and
sending UDP packets to many different hosts. this resulted in TCP
packets getting dropped which would manifest itself as errors when
connecting or timeouts and when sending UDP packets using `sendto` it
would fail with permission denied error. disabling conntrack fixes all
of these problems.

1 files changed, 15 insertions, 0 deletions

diff --git a/src/main.rs b/src/main.rs
index 839ddf8..310477c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1038,6 +1038,21 @@ fn machine_generate_configs(
         }
 
         machine_nft_script.push_str("table ip oar-p2p {\n");
+        machine_nft_script.push_str(
+            r#"
+    chain prerouting {
+        type filter hook prerouting priority raw;
+        ip saddr 10.0.0.0/8 notrack
+        ip daddr 10.0.0.0/8 notrack
+    }
+    chain output {
+        type filter hook output priority raw;
+        ip saddr 10.0.0.0/8 notrack
+        ip daddr 10.0.0.0/8 notrack
+    }
+"#,
+        );
+
         machine_nft_script.push_str("\tmap mark_pairs {\n");
         machine_nft_script.push_str("\t\ttype ipv4_addr . ipv4_addr : mark\n");
         machine_nft_script.push_str("\t\telements = {\n");