On Wed, Aug 17, 2016 at 6:12 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Looking at ctnetlink, it should be possible to make it via
> CTA_EXPECT_HELP_NAME. Thus, by when we find a matching expectation,
> the helper is set to this new connection too.
>
> See line 1086 in nf_conntrack_core.c.

Thanks, that works. After setting the helper string, my callback is invoked for the replies.

I'm running into a couple of other issues with the existing ssdp helper, though:

1) The code does not call cthelper_add_expect(). Nor do some of the other helpers, such as sane. When I use a restrictive firewall configuration, the expectation is never created (according to `conntrack -L expect`) and all of the incoming SSDP replies are dropped. Adding a call to cthelper_add_expect() fixes this. Do we know the circumstances under which the current master branch is expected to work properly?

2) Just noticed that the sane and tftp modules require Linux 3.12+. My test system is running 3.8. Does ssdp have a similar restriction, and if so, what would need to be backported?

3) It looks like each expectation matches, at most, one new connection. So if my host multicasts an SSDP request and then 5 other hosts send replies (each coming from a unique IP/port), only one of them will match the expectation and create a state table entry. Is this true, and if so, what is the best way to allow all 5 replies to be treated as related connections?

4) Ashley's email address was bouncing due to an overzealous spam filter. Will retry one last time.
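The behaviour asked about in point 3, as an added illustration that is not part of the original message or of the conntrack-tools source: a simplified C model of expectation lookup in which a one-shot expectation is unlinked on its first match, while one flagged permanent (modelling the kernel's NF_CT_EXPECT_PERMANENT) stays in place. The struct names, addresses and ports are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of conntrack expectation lookup; not kernel code. */
#define EXP_PERMANENT 0x1u /* models the kernel's NF_CT_EXPECT_PERMANENT */

struct tuple { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };
struct expect {
    struct tuple t, mask; /* a zero mask field is a wildcard */
    unsigned flags;
    bool live;
};

/* True if the packet is RELATED; a one-shot expectation is unlinked on its first hit. */
static bool exp_lookup(struct expect *e, const struct tuple *p)
{
    if (!e->live ||
        ((p->src_ip ^ e->t.src_ip) & e->mask.src_ip) ||
        ((p->dst_ip ^ e->t.dst_ip) & e->mask.dst_ip) ||
        ((p->src_port ^ e->t.src_port) & e->mask.src_port) ||
        ((p->dst_port ^ e->t.dst_port) & e->mask.dst_port))
        return false;
    if (!(e->flags & EXP_PERMANENT))
        e->live = false;
    return true;
}

/* Constructed scenario: 192.0.2.10:50000 multicast an M-SEARCH; n hosts reply by unicast. */
int related_replies(unsigned flags, int n)
{
    struct expect e = {
        .t = { .dst_ip = 0xC000020A, .dst_port = 50000 },
        .mask = { .dst_ip = 0xFFFFFFFF, .dst_port = 0xFFFF }, /* any source IP/port */
        .flags = flags, .live = true,
    };
    int hits = 0;
    for (int i = 0; i < n; i++) { /* each reply comes from a unique IP/port */
        struct tuple reply = { 0xC0000214u + i, 0xC000020A, (uint16_t)(40000 + i), 50000 };
        hits += exp_lookup(&e, &reply);
    }
    return hits;
}

int main(void)
{
    printf("one-shot: %d of 5, permanent: %d of 5\n",
           related_replies(0, 5), related_replies(EXP_PERMANENT, 5));
    return 0;
}
```

A permanent expectation with a wildcard source admits any sender to that destination port until it expires, so its timeout is what bounds the exposure.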