Stéphane Veyret <sveyret@xxxxxxxxx> wrote:
> 2018-03-12 12:25 GMT+01:00 Florian Westphal <fw@xxxxxxxxx>:
> > (Or I still fail to understand what you want to do, it does
> > sound exactly like expectations, e.g. for ftp data channel in
> > response to PASV command on ftp control channel).
>
> No, what I would like to have is more like FTP *active* connection.

That's what I meant :-/ (PORT command, not PASV).

> > Something like:
> >
> > chain postrouting {
> >     type filter hook postrouting priority 0;
> >     # tell kernel to install an expectation
> >     # arriving on udp ports 6970-7170
> >     # expectation will follow whatever NAT transformation
> >     # is active on master connection
> >     # expectation is removed after 5 minutes
> >     # (we could of course also allow to install an expectation
> >     # for 'foreign' addresses as well but I don't think it's needed
> >     # yet)
> >     ip dport 554 ct expectation set udp dport 6970-7170 timeout 5m
> > }
>
> It may be what I'm looking for. But I couldn't find any documentation
> about this “ct expectation” command. Or do you mean I should create a
> conntrack helper module for that?

Right, this doesn't exist yet.

I think we (you) should consider extending net/netfilter/nft_ct.c to
support a new NFT_CT_EXPECT attribute in the nft_ct_set_eval() function.

This would then install a new expectation based on what userspace told us.

You can look at net/netfilter/nf_conntrack_ftp.c and search for
nf_ct_expect_alloc() to see where the ftp helper installs the expectation.

The main difference would be that with nft_ct.c, most properties of the
new expectation would be determined by netlink attributes which were set
by the nftables ruleset.
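To make the semantics of the sketched rule concrete, the following is a small user-space model of what a `ct expectation set udp dport 6970-7170 timeout 5m` rule on the master connection would install: an entry keyed on the master tuple that matches return traffic from the server side, addressed to the client's post-NAT address, within a port range and a lifetime, and is consumed once matched (as nf_conntrack does for non-permanent expectations). This is an added example written for this page; it is not netfilter code and nothing in the thread defines it. All class and function names (`ExpectTable`, `Master`, `translate_related`, and so on) are invented for the illustration, and the addresses and ports in `demo()` are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple used by the model."""
    proto: str   # "tcp" or "udp"
    saddr: str
    sport: int
    daddr: str
    dport: int


@dataclass(frozen=True)
class Master:
    """A tracked master connection, e.g. the RTSP control channel on tcp/554.

    'orig' is the client->server tuple before NAT; 'nat_addr' is the address
    the client appears as after source NAT, i.e. where the server replies to.
    """
    orig: Packet
    nat_addr: str


@dataclass
class Expectation:
    master: Master
    proto: str
    dports: range
    expires_at: float


class ExpectTable:
    """Hypothetical stand-in for the kernel's expectation table (invented name)."""

    def __init__(self) -> None:
        self.entries: List[Expectation] = []

    def set_expectation(self, master: Master, proto: str, lo: int, hi: int,
                        timeout_s: float, now: float) -> Expectation:
        """Model of 'ct expectation set udp dport LO-HI timeout T' evaluated
        on a packet of the master connection."""
        entry = Expectation(master, proto, range(lo, hi + 1), now + timeout_s)
        self.entries.append(entry)
        return entry

    def _expire(self, now: float) -> None:
        # Entries whose timeout has elapsed are dropped, as a conntrack GC would.
        self.entries = [e for e in self.entries if e.expires_at > now]

    def lookup(self, pkt: Packet, now: float) -> Optional[Master]:
        """Return the master a new flow is RELATED to, or None.

        The expectation follows the master's NAT mapping: the packet must come
        from the master's server side and be addressed to the NATed client
        address. A matched expectation is consumed (one-shot), mirroring
        nf_conntrack's handling of non-permanent expectations.
        """
        self._expire(now)
        for e in self.entries:
            if (pkt.proto == e.proto
                    and pkt.saddr == e.master.orig.daddr
                    and pkt.daddr == e.master.nat_addr
                    and pkt.dport in e.dports):
                self.entries.remove(e)
                return e.master
        return None


def translate_related(pkt: Packet, master: Master) -> Packet:
    """Undo the master's source NAT for a RELATED packet: the destination
    becomes the client's real (pre-NAT) address."""
    return replace(pkt, daddr=master.orig.saddr)


def demo() -> Dict[str, object]:
    """Constructed scenario: client 192.0.2.10 behind NAT address 203.0.113.1
    opens RTSP to 198.51.100.5:554; the server then streams RTP over UDP."""
    table = ExpectTable()
    master = Master(Packet("tcp", "192.0.2.10", 40000, "198.51.100.5", 554),
                    nat_addr="203.0.113.1")
    table.set_expectation(master, "udp", 6970, 7170, timeout_s=300, now=0)

    rtp = Packet("udp", "198.51.100.5", 6970, "203.0.113.1", 6970)
    stray = Packet("udp", "198.51.100.5", 9000, "203.0.113.1", 9000)

    hit = table.lookup(rtp, now=10)            # RELATED: inside range, in time
    miss_port = table.lookup(stray, now=10)    # not RELATED: port outside range
    second = table.lookup(rtp, now=11)         # expectation already consumed

    late_table = ExpectTable()
    late_table.set_expectation(master, "udp", 6970, 7170, timeout_s=300, now=0)
    expired = late_table.lookup(rtp, now=301)  # 5 minutes elapsed, entry gone

    return {
        "related": hit is master,
        "miss_port": miss_port is None,
        "consumed": second is None,
        "expired": expired is None,
        "dnat_to": translate_related(rtp, master).daddr if hit else None,
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately keys the expectation on the master's post-NAT address rather than on anything the server announces, which is the point of the "follows whatever NAT transformation is active on master connection" comment in the sketch: the ruleset never has to know the external address.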