On Fri, Sep 23, 2016 at 12:45:06PM +0200, Christophe Leroy wrote:
> Le 20/09/2016 à 17:38, Florian Westphal a écrit :
[...]
> >nft will need to populate this (or rather, libnftnl will do this on
> >behalf of nft).
> >
> >Currently we do this:
> >nft --debug=netlink add rule filter i ct helper set foo
> >ip filter i
> > [ immediate reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
Florian, Christophe, sorry for this late jump on this.
If we pass the helper name as string, then helper autoload will not
work as we don't have a way to solve this from the packet path.
To solve this, I'm considering a different approach. Basically,
explicit preload the helpers and pass a helper handle through
register instead.
In the ruleset file, this would look like this:
table ip x {
helper ftp protocol tcp #1
chain y {
...
tcp dport 21 ct helper set ftp #2
}
}
Line #1 makes sure the ftp helper is loaded, we also increment reference
counter. This results in a handle that is dynamically allocated by
nf_tables, that can be retrieve in the same fashion of if_index (ie.
we can look up for the handle from the helper name).
Then from #2, we use the helper handle to refer to the helper.
Good things I see on this:
1) We can still use maps, although we would need a function to lookup
for the nf_conntrack_helper struct form this handle. We can have a
small hashtable for this (actually, we have similar approach currently
to look up for helpers from ports in the deprecated automagic helper
as signment).
2) We use a u32 instead of string to identify the helper.
3) We solve the module autoload issue.
4) We make sure helper module cannot be removed while there is a
reference from the ruleset.
5) We can validate that the helper runs from the right layer 4
protocol, eg. ensure the ftp helper is called for tcp since we can
do this from nft evaluation phase.
This would need commands like:
nft add helper ip x name ftp protocol tcp
and to delete this:
nft delete helper ip x name ftp protocol tcp
Main drawback is that this needs a explicit definition of the helper,
but I think this extra line is ok if it helps resolve other problems.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
