Re: Seeking help for implementing CT HELPER in nftables

On Fri, Sep 23, 2016 at 04:48:32PM +0200, Christophe Leroy wrote:
> Le 23/09/2016 à 16:24, Pablo Neira Ayuso a écrit :
> >On Fri, Sep 23, 2016 at 12:45:06PM +0200, Christophe Leroy wrote:
> >>Le 20/09/2016 à 17:38, Florian Westphal a écrit :
> >[...]
> >>>nft will need to populate this (or rather, libnftnl will do this on
> >>>behalf of nft).
> >>>
> >>>Currently we do this:
> >>>nft --debug=netlink add rule filter i ct helper set foo
> >>>ip filter i
> >>> [ immediate reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
> >
> >Florian, Christophe, sorry for this late jump on this.
> >
> >If we pass the helper name as string, then helper autoload will not
> >work as we don't have a way to solve this from the packet path.
> 
> That's maybe a stupid idea, but my idea was to do the same as
> xt_ct_set_helper() from nft_ct_set_init(), hence the need to be able to
> catch the name in the _init() function.
>
> By doing this, the helper would be autoloaded if needed, wouldn't it?

Yes. Something similar to xt_ct_set_helper() would autoload the
module.

Hm, but this needs more attributes, not only the helper name.
nf_conntrack_helper_try_module_get() needs l3 and l4 protocol numbers,
and this information won't be available from there unless we add
explicit netlink attributes to specify them too. This information is
important since we have helpers that run over udp and tcp.
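The `nft --debug=netlink` output quoted above shows the helper name "foo" packed into an immediate register as `0x006f6f66 0x00000000 ...`. The following is an added example, not code from the thread or from nft/libnftnl, that encodes a helper name into register words the way that debug line shows them and parses such a line back into the name. It assumes the name lives in a 16-byte buffer (the kernel's NF_CT_HELPER_NAME_LEN) and that nft prints the register as four host-order 32-bit words, which on a little-endian machine is why "foo" appears as 0x006f6f66.

```python
import re
import struct

# Constructed from the nft --debug=netlink line quoted in the thread.
DEBUG_LINE = "[ immediate reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]"

# Assumption: the helper name buffer is 16 bytes (NF_CT_HELPER_NAME_LEN) and
# nft prints it as four host-order (little-endian on x86) 32-bit words.
HELPER_NAME_LEN = 16
WORDS = HELPER_NAME_LEN // 4


def encode_helper_name(name):
    """Pack a helper name into the 32-bit register words nft's debug output shows.

    The name is NUL-padded to HELPER_NAME_LEN and must leave room for the
    terminating NUL, as a fixed-size kernel string buffer would require.
    """
    raw = name.encode("ascii")
    if len(raw) >= HELPER_NAME_LEN:
        raise ValueError("helper name too long for a %d-byte buffer" % HELPER_NAME_LEN)
    buf = raw.ljust(HELPER_NAME_LEN, b"\0")
    return list(struct.unpack("<%dI" % WORDS, buf))


def format_immediate(name, reg=1):
    """Render the name as an '[ immediate reg N ... ]' debug line."""
    words = encode_helper_name(name)
    return "[ immediate reg %d %s ]" % (reg, " ".join("0x%08x" % w for w in words))


_IMM_RE = re.compile(r"\[\s*immediate\s+reg\s+(\d+)\s+((?:0x[0-9a-fA-F]{8}\s*)+)\]")


def decode_immediate(line):
    """Parse an '[ immediate reg N 0x.. 0x.. ... ]' line back into (reg, name).

    Raises ValueError when the line is not an immediate-register expression.
    """
    m = _IMM_RE.search(line)
    if m is None:
        raise ValueError("not an immediate register expression: %r" % line)
    reg = int(m.group(1))
    words = [int(w, 16) for w in m.group(2).split()]
    buf = struct.pack("<%dI" % len(words), *words)
    # The kernel treats the buffer as a NUL-terminated string; stop at the first NUL.
    name = buf.split(b"\0", 1)[0].decode("ascii")
    return reg, name


if __name__ == "__main__":
    print(format_immediate("foo"))
    print(decode_immediate(DEBUG_LINE))
```

Note what the register does and does not carry: it holds only the name, so the l3 and l4 protocol numbers that nf_conntrack_helper_try_module_get() needs to pick the right helper (and module) are exactly the information missing from this encoding, which is the point of the reply above.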