On Mon, Jul 31, 2023 at 02:46:37PM +0200, Florian Westphal wrote:
[...]
> My point is how nft should differentiate between
>
> ct helper "bla" {
>
> rule add ct helper "foo"
>
> In above map declaration. What does
>
> "typeof ip saddr : ct helper" declare?
> As far as I can see it's arbitrary 16-byte strings, so the
> above doesn't declare an objref map that maps ip addresses
> to conntrack helper templates.

Oh, indeed.

Selector semantics are overloaded, I proposed kernel patches that have
remained behind:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210309210134.13620-2-pablo@xxxxxxxxxxxxx/
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210309210134.13620-3-pablo@xxxxxxxxxxxxx/

I also proposed a change to have two selectors, one for the helper type
and another for the user-defined helper name. I still have to update
libnftnl and nftables.

I don't think this is specifically related to the map definition
itself, but the fact that the selector semantics is ambiguous.