Re: iptables 1.8.8 misses -j CT calls

On Thu, Jul 21, 2022 at 04:20:32PM +0200, Jan Engelhardt wrote:
> 
> Bug report.
> 
> Input
> =====
> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -i lo -j CT --notrack
> -A PREROUTING -i ve-+ -p tcp --dport 21 -j CT --helper ftp
> COMMIT
> 
> 
> Output
> ======
> # Translated by iptables-restore-translate v1.8.8 on Thu Jul 21 16:18:58 2022
> add table ip raw
> add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
> add chain ip raw OUTPUT { type filter hook output priority -300; policy accept; }
> add rule ip raw PREROUTING iifname "lo" counter notrack
> # -t raw -A PREROUTING -i ve-+ -p tcp --dport 21 -j CT --helper ftp
> # Completed on Thu Jul 21 16:18:58 2022

The problem with this translation is that nftables expects the helper
to be set after the input conntrack hook.

IIRC Florian preferred not to use the conntrack template (which is
used before the conntrack object is attached to the skb). Instead, the
helper is attached once after the conntrack lookup.

> Expected output
> ===============
> An nft rule involving port 21.
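For readers following up on the point made above: in nftables a helper is assigned with `ct helper set`, which needs an existing conntrack entry, so the rule has to live in a chain that runs after the conntrack hook (priority -200 in prerouting), while `notrack` still belongs in a chain that runs before it. The following ruleset is an added example, not part of the thread and not output of iptables-restore-translate; the second table's name, the helper object name `ftp-standard`, and the choice of priority 0 for the helper chain are assumptions. The translation of the rest of the raw table follows the tool's output quoted above.

```nft
# Added example (not from the mail thread): hand-written nft equivalent of
# the two iptables -j CT rules, with the helper rule placed after conntrack.

table ip raw {
    chain PREROUTING {
        # -300 runs before the conntrack hook (-200), so notrack takes effect
        type filter hook prerouting priority -300; policy accept;
        iifname "lo" notrack
    }
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
    }
}

# Assumed table name; any table in the ip family would do.
table ip filter {
    # Helper object: "ftp" is the kernel nf_conntrack_ftp helper name.
    ct helper ftp-standard {
        type "ftp" protocol tcp
        l3proto ip
    }

    chain PREROUTING {
        # Priority 0 (assumed) is after conntrack (-200): the skb now has a
        # conntrack entry, which is what "ct helper set" attaches the helper to.
        # Putting this rule in the raw table at -300 would fail, as the
        # conntrack lookup has not happened yet.
        type filter hook prerouting priority 0; policy accept;
        iifname "ve-*" tcp dport 21 ct helper set "ftp-standard"
    }
}
```

Load with `nft -f <file>` as root after `nf_conntrack_ftp` is available; `nft list ct helpers` shows the object, and `conntrack -L` shows the `helper=ftp` tag on matching flows once a connection to port 21 has been seen.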
