Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Mon, Jul 31, 2023 at 02:46:37PM +0200, Florian Westphal wrote:
> [...]
> > My point is how nft should differentiate between
> >
> > ct helper "bla" {
> >
> > rule add ct helper "foo"
> >
> > In above map declaration. What does
> >
> > "typeof ip saddr : ct helper" declare?
> > As far as I can see it's arbitrary 16-byte strings, so the
> > above doesn't declare an objref map that maps ip addresses
> > to conntrack helper templates.
>
> Oh, indeed. Selector semantics are overloaded, I proposed kernel
> patches that have remained behind:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210309210134.13620-2-pablo@xxxxxxxxxxxxx/
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210309210134.13620-3-pablo@xxxxxxxxxxxxx/

Even if we had those two patches in tree, we would still need a
different userspace syntax for the two cases.

We can't go for "typeof ip saddr : ct helpername" because we need to
continue to support

ct helper "foo"

So maybe

typeof ip saddr : objref ct helper

Or:

typeof ip saddr : ct helper flags objref

(Might be able to make this work by internally mangling the type after
the "objref" flag is found).

> I also proposed change to have two selectors, one for the helper type
> and another for the user-defined helper name. I still have to update
> libnftnl and nftables.

Did not recall that.