Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Fri, Sep 23, 2016 at 12:45:06PM +0200, Christophe Leroy wrote:
> > On 20/09/2016 at 17:38, Florian Westphal wrote:
> [...]
> > >nft will need to populate this (or rather, libnftnl will do this on
> > >behalf of nft).
> > >
> > >Currently we do this:
> > >nft --debug=netlink add rule filter i ct helper set foo
> > >ip filter i
> > > [ immediate reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
>
> Florian, Christophe, sorry for this late jump on this.
>
> If we pass the helper name as string, then helper autoload will not
> work as we don't have a way to solve this from the packet path.
>
> To solve this, I'm considering a different approach. Basically,
> explicitly preload the helpers and pass a helper handle through
> register instead.
>
> In the ruleset file, this would look like this:
>
> table ip x {
>         helper ftp protocol tcp #1

This would also allow to support helper specific configuration from the nft
frontend rather than via modprobe args (e.g. ftp loose mode).