2016-04-08 14:10 GMT+02:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> So the question is, in case you need some extension, what kind of
> generic expression we could introduce so you can build what you need
> following a lego-like thinking, plugging expressions one after
> another.

I've done some more reading, and it seems that everything that I need is probably already there.

My imagined flow of work takes packets that match specific criteria and sends them to a netfilter module to process. These criteria and what to do with the packets would have been specified by custom iptables matches/targets. But after reading some more of the nftables HOWTO pages, it seems that the equivalent of custom matches is creating a custom chain and then jumping into that chain when a packet matches my criteria. Have I got that right? (Can I register a netfilter module on a custom chain?)

What I still haven't found, though, is how I can configure a netfilter module via nftables. For a silly example, let's say I write a netfilter module to change the MSS of each outgoing packet. How can I tell this module what to change the MSS to for different connections?

I've only done a basic netfilter module so far (inspect every packet, then drop if some requirements are met), so maybe this is easy and I just overlooked it?

Regards,
Stephan
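As an added illustration (not part of the original thread), here is what the "match criteria in a base chain, jump to a custom chain, act there" pattern the poster describes looks like in nftables ruleset syntax, using the MSS change from the question as the action. The table and chain names, the interface `eth0`, the address ranges and the MSS values are made-up; `tcp option maxseg size set` and `rt mtu` assume a kernel and nft release that support them.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the original mailing-list thread.
# Names, interface, prefixes and MSS values below are illustrative only.

table inet mangle {
    # Base chain: attached to the output hook, so it sees every
    # locally generated packet. Priority -150 runs before filtering.
    chain out {
        type filter hook output priority -150; policy accept;

        # The "custom match": only TCP SYNs leaving via eth0 are
        # handed to the regular chain; all other traffic stays untouched.
        oifname "eth0" tcp flags syn jump clamp_mss
    }

    # Regular (non-base) chain: only reachable through the jump above.
    # The per-destination values stand in for the parameters the poster
    # wants to pass to a kernel module.
    chain clamp_mss {
        ip daddr 10.0.0.0/8      tcp option maxseg size set 1360 return
        ip daddr 192.168.0.0/16  tcp option maxseg size set 1400 return
        # Default for every other destination: derive from the route MTU.
        tcp option maxseg size set rt mtu
    }
}
```

Load with `nft -f <file>` and inspect the result with `nft list ruleset`; the `return` statements keep the default rule from overriding the per-prefix values.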