Re: Seeking help for implementing CT HELPER in nftables

On 23/09/2016 at 17:19, Pablo Neira Ayuso wrote:
> On Fri, Sep 23, 2016 at 04:48:32PM +0200, Christophe Leroy wrote:
>> On 23/09/2016 at 16:24, Pablo Neira Ayuso wrote:
>>> On Fri, Sep 23, 2016 at 12:45:06PM +0200, Christophe Leroy wrote:
>>>> On 20/09/2016 at 17:38, Florian Westphal wrote:
>>>>> [...]
>>>>> nft will need to populate this (or rather, libnftnl will do this on
>>>>> behalf of nft).
>>>>>
>>>>> Currently we do this:
>>>>> nft --debug=netlink add rule filter i ct helper set foo
>>>>> ip filter i
>>>>> [ immediate reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
>>>
>>> Florian, Christophe, sorry for this late jump on this.
>>>
>>> If we pass the helper name as string, then helper autoload will not
>>> work as we don't have a way to solve this from the packet path.
>>
>> That's maybe a stupid idea, but my idea was to do the same as
>> xt_ct_set_helper() from nft_ct_set_init(), hence the need to be able to
>> catch the name in the _init() function.
>>
>> By doing this, the helper would be autoloaded if needed, wouldn't it?
>
> Yes. Something similar to xt_ct_set_helper() would autoload the
> module.
>
> Hm, but this needs more attributes, not only the helper name.
> nf_conntrack_helper_try_module_get() needs l3 and l4 protocol numbers,
> and this information won't be available from there unless we add
> explicit netlink attributes to specify them too. This information is
> important since we have helpers that run over udp and tcp.

Right but the rule we add to the output filter is

udp dport tftp ct helper set "tftp"

So the l3/l4 information is there. Can it be retrieved in nft_ct_set_init()?

Christophe
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
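The register encoding shown in Florian's quoted `nft --debug=netlink` output can be checked with a small codec. The following is an added example, not code from this thread and not part of nft, libnftnl or the kernel: it parses an `immediate reg` line, turns the four 32-bit register words into the helper name and back, and rejects names that do not fit. It assumes the little-endian host byte order that the value 0x006f6f66 for "foo" implies, and the 16-byte register width that the four words show (the kernel's NF_CT_HELPER_NAME_LEN is 16 as well). The sample debug text is constructed from the lines quoted above.

```python
import re
import struct

# Constructed sample: the nft --debug=netlink output quoted in the thread.
SAMPLE_DEBUG = """ip filter i
[ immediate reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
"""

REG_BYTES = 16              # four 32-bit words in the debug output
WORD_COUNT = REG_BYTES // 4

# Matches "[ immediate reg <n> 0x........ 0x........ ... ]"
IMMEDIATE_RE = re.compile(
    r"\[\s*immediate\s+reg\s+(\d+)\s+((?:0x[0-9a-fA-F]{8}\s*)+)\]"
)


def encode_helper_name(name):
    """Pack a helper name into the 4 x u32 words of a 16-byte register.

    Assumption: host byte order is little-endian, as the quoted value
    0x006f6f66 for "foo" implies.  The name is NUL-padded; a name that
    leaves no room for the terminating NUL is rejected.
    """
    raw = name.encode("ascii")
    if len(raw) >= REG_BYTES:
        raise ValueError(
            f"helper name {name!r} does not fit in a {REG_BYTES}-byte register"
        )
    padded = raw.ljust(REG_BYTES, b"\x00")
    return list(struct.unpack("<4I", padded))


def decode_register_words(words):
    """Inverse of encode_helper_name: 4 x u32 words -> helper name."""
    if len(words) != WORD_COUNT:
        raise ValueError(f"expected {WORD_COUNT} register words, got {len(words)}")
    raw = struct.pack("<4I", *words)
    return raw.split(b"\x00", 1)[0].decode("ascii")


def format_immediate(reg, words):
    """Render words the way nft --debug=netlink prints an immediate expr."""
    return "[ immediate reg %d %s ]" % (reg, " ".join("0x%08x" % w for w in words))


def parse_immediate_lines(text):
    """Return {register_number: [words]} for every immediate expr in text."""
    result = {}
    for m in IMMEDIATE_RE.finditer(text):
        reg = int(m.group(1))
        words = [int(w, 16) for w in m.group(2).split()]
        result[reg] = words
    return result


def helper_names_from_debug(text):
    """Decode each immediate register in debug output as a helper name."""
    return {reg: decode_register_words(words)
            for reg, words in parse_immediate_lines(text).items()}


if __name__ == "__main__":
    print(helper_names_from_debug(SAMPLE_DEBUG))
    print(format_immediate(1, encode_helper_name("tftp")))
```

For the rule in the reply above, "tftp" encodes to the single word 0x70746674 followed by three zero words, which is what the same debug output would print for that rule. The length check in the encoder is the one a userspace tool should make before handing a name to the kernel, since the register has room for at most fifteen characters plus the terminating NUL.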
