On 05.03, christophe leroy wrote:
> Hello,
>
> I'm trying to implement support for CT HELPERs in linux kernel for
> nftables and need some help/guidance.
>
> The rule being 'udp dport tftp ct helper set "tftp"', I get
> nft_ct_set_init() called when I add the rule in the table output filter
> table.
>
> I believe I have to call nf_ct_helper_ext_add() from nft_ct_set_init(),
> but for that I need the name of the helper that is to be set, i.e. 'tftp'.
> How do I get the name of the requested helper in that function? I
> suppose once I get it I can do the same as xt_ct_set_helper() does.

This depends on how we want to implement this. We could pass a static
helper name in a new CT attribute, look the helper up in the init path
and assign it to the conntrack in the eval function. This means we'd
require a single rule for every helper assignment.

Alternatively we could pass the helper name in a register and do the
lookup at runtime, which would allow using maps for helper assignment,
IOW:

    ct set helper tcp dport { 21 : ftp, 5060 : sip, ... }

Since helper assignment should probably also do a module load, I'm
leaning towards the first possibility. If we still want to do map based
assignments, we could use maps of CT expressions, similar to what we
do with dynset but with statically initialized expressions.