On 23.05.2011 18:13, Pablo Neira Ayuso wrote:
> On 23/05/11 17:59, Jan Engelhardt wrote:
>> On Monday 2011-05-23 17:47, Pablo Neira Ayuso wrote:
>>
>>> On 23/05/11 16:29, Patrick McHardy wrote:
>>>> On 19.05.2011 00:21, Jan Engelhardt wrote:
>>>>> Hej,
>>>>>
>>>>>
>>>>> While working with a customer setup, I came up with this funny idea
>>>>> of plugging a no-op NFCT helper in to workaround some nfct_ftp
>>>>> problem. Besides that, it may also be used to simply skip helping and
>>>>> save cycles. See the patch's message for details - I'd love to hear
>>>>> something about it.
>>>>>
>>>>> (NB: nf_nat_ftp was loaded, but not used when connecting between netA
>>>>> and netB.)
>>>>
>>>> Wouldn't a flag to the CT target to skip the helper lookup work as well?
>>>
>>> Indeed.
>>
>> Yes, but how would xt_CT.ko convey to NFCT then that no helper is
>> supposed to be used? Calling nf_ct_helper_ext_add, but then leave help
>> at NULL?
>
> You can attach a template conntrack in the raw table with the CT target.
> That template should have some status flag set to skip helper
> allocation/assignation.

Problem might be the second lookup done after NAT. We don't have the
template available at that time.

I don't like the dummy helper idea very much though, what I would
prefer is an option to use only explicit helper assignment. That
would be a more flexible option, additionally allowing to track
protocols on any port without specifying each of them when loading
the helper.