Hello Florian, hello all,

More than a year has passed since I asked all those questions about adding an expectation attribute to nf_tables, and I finally have time to work on it. But I find it difficult to understand the way it is written, and therefore have questions. Here are the first ones (see below).

On Mon, 12 Mar 2018 at 16:53, Florian Westphal <fw@xxxxxxxxx> wrote:
> > > Something like:
> > >
> > > chain postrouting {
> > >   type filter hook postrouting priority 0;
> > >   # tell kernel to install an expectation
> > >   # arriving on udp ports 6970-7170
> > >   # expectation will follow whatever NAT transformation
> > >   # is active on master connection
> > >   # expectation is removed after 5 minutes
> > >   # (we could of course also allow to install an expectation
> > >   # for 'foreign' addresses as well but I don't think its needed
> > >   # yet
> > >   ip dport 554 ct expectation set udp dport 6970-7170 timeout 5m
> > > }
> >
> > It may be what I'm looking for. But I couldn't find any documentation
> > about this “ct expectation” command. Or do you mean I should create a
> > conntrack helper module for that?
>
> Right, this doesn't exist yet.
>
> I think we (you) should consider to extend net/netfilter/nft_ct.c, to
> support a new NFT_CT_EXPECT attribute in nft_ct_set_eval() function.
>
> This would then install a new expectation based on what userspace told
> us.
>
> You can look at
> net/netfilter/nf_conntrack_ftp.c
> and search for nf_ct_expect_alloc() to see where the ftp helper installs
> the expectation.
>
> The main difference would be that with nft_ct.c, most properties of
> the new expectation would be determined by netlink attributes which were
> set by the nftables ruleset.

Does this mean I should create a new structure containing expectation data, as required by the nf_ct_expect_init function, and that I should expect to find this structure at &regs->data[priv->sreg] in nft_ct_set_eval?

When all this is done, I will have to also update the nftables command. Will I also need to update the nftables library?

Thank you.
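As an added illustration (not code from this thread, from nftables or from the kernel), here is a small Python model of the expectation that the proposed `ct expectation set udp dport 6970-7170 timeout 5m` rule would install: which values the kernel side must derive from the rule attributes plus the master connection, how the expected flow is matched, how it expires, and what "following the NAT transformation on the master" means for the related flow. The `Flow`/`Expectation` types, the constructed addresses and the high-level matching are assumptions of this model, not the real conntrack structures.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int


@dataclass
class Expectation:
    proto: str
    saddr: str                   # expected source: the master's server, any source port
    daddr: str                   # expected destination: the client as seen on the wire
    dport_range: Tuple[int, int]  # inclusive, from the rule's "dport 6970-7170"
    expires_at: float            # from the rule's "timeout 5m"
    nat_client: Optional[str]    # pre-NAT client address when the master was SNATed


def install(master: Flow, proto: str, dport_range, timeout: int, now: float,
            snat_addr: Optional[str] = None) -> Expectation:
    """Derive the expectation from the master flow plus the rule attributes.
    snat_addr models SNAT applied to the master (client hidden behind NAT)."""
    client_on_wire = snat_addr or master.saddr
    return Expectation(proto, master.daddr, client_on_wire, tuple(dport_range),
                       now + timeout, master.saddr if snat_addr else None)


def matches(exp: Expectation, pkt: Flow, now: float) -> bool:
    """True if pkt is the related flow the expectation is waiting for."""
    if now >= exp.expires_at:
        return False             # expectation removed after the timeout
    lo, hi = exp.dport_range
    return (pkt.proto == exp.proto and pkt.saddr == exp.saddr
            and pkt.daddr == exp.daddr and lo <= pkt.dport <= hi)


def translate_related(exp: Expectation, pkt: Flow) -> Flow:
    """Apply the master's NAT to the related flow: send it on to the real client."""
    if exp.nat_client is None:
        return pkt
    return Flow(pkt.proto, pkt.saddr, pkt.sport, exp.nat_client, pkt.dport)


# Constructed sample: client 10.0.0.5 behind SNAT 203.0.113.1 talks RTSP to 198.51.100.7:554
MASTER = Flow("tcp", "10.0.0.5", 40000, "198.51.100.7", 554)
EXP = install(MASTER, "udp", (6970, 7170), 5 * 60, now=0.0, snat_addr="203.0.113.1")
RTP = Flow("udp", "198.51.100.7", 5004, "203.0.113.1", 6970)
```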