From 481ebae4f0fc9bed6afdfdf9f08e3b2b04f276c6 Mon Sep 17 00:00:00 2001
From: diogo464
Date: Thu, 7 Aug 2025 11:29:15 +0100
Subject: disabled conntrack on 10.0.0.0/8 packets

we were hitting conntrack limits when opening lots of connections and sending UDP packets to many different hosts. this resulted in TCP packets getting dropped which would manifest itself as errors when connecting or timeouts and when sending UDP packets using `sendto` it would fail with permission denied error.

disabling conntrack fixes all of these problems.
---
 src/main.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'src')

diff --git a/src/main.rs b/src/main.rs
index 839ddf8..310477c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1038,6 +1038,21 @@ fn machine_generate_configs(
 }
 machine_nft_script.push_str("table ip oar-p2p {\n");
+ machine_nft_script.push_str(
+ r#"
+ chain prerouting {
+ type filter hook prerouting priority raw;
+ ip saddr 10.0.0.0/8 notrack
+ ip daddr 10.0.0.0/8 notrack
+ }
+ chain output {
+ type filter hook output priority raw;
+ ip saddr 10.0.0.0/8 notrack
+ ip daddr 10.0.0.0/8 notrack
+ }
+"#,
+ );
+
 machine_nft_script.push_str("\tmap mark_pairs {\n");
 machine_nft_script.push_str("\t\ttype ipv4_addr . ipv4_addr : mark\n");
 machine_nft_script.push_str("\t\telements = {\n");
--
cgit
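Review bot: The added `notrack` rules exempt every packet to or from 10.0.0.0/8 from connection tracking, so any rule in this table or another that matches on `ct state` (for example `established,related` accepts or `invalid` drops) or performs NAT will stop applying to that traffic, which now carries `ct state untracked`. Whether that breaks anything depends on the rest of the `oar-p2p` table and any host policy, neither of which is in the hunk, so the assumption belongs next to the rules, e.g. a line `# untracked packets never match ct-state rules or NAT; 10.0.0.0/8 must not rely on stateful filtering` inside the nft text. The commit message says the trigger was the conntrack table filling up; if relieving that pressure is the only goal, raising `net.netfilter.nf_conntrack_max` or shortening the UDP conntrack timeouts, or limiting `notrack` to the UDP flows in question, would keep stateful filtering for the TCP sessions. The raw string also hard-codes `10.0.0.0/8` four times and uses space indentation where the neighbouring `push_str` lines use `\t`; a single `const` for the prefix and a `format!` would keep the generated script consistent. machine_generate_configs starts before this hunk.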