Christoph Pleger <christoph.pleger@xxxxxxxxxxxxxxxxxx> wrote:
> using nft from nftables, I created some IP filter rules inside a partially
> virtualized (Linux Vserver, www.linux-vserver.org) machine. Almost all rules
> are working as desired, but rules that need connection tracking helpers,
> like ftp and tftp, do not: some IP packets are blocked though they should
> be allowed. As the same tftp rules - I am sure that I made no mistake - work
> on a real host, there is probably some requirement for these helpers to work
> correctly and that is not fulfilled inside a Vserver.

In recent kernels no default assignment of helpers is done anymore; iptables
users need to use the -j CT target, nft users need to add a helper object:

nft add ct helper inet filter bar '{ type "ftp" protocol tcp; }'
nft add rule inet filter output tcp dport 21 ct helper set "bar"

The assignment needs to be done in the direction that creates the connections
that need the helper. So for a local host (connecting to a remote server), this
needs to be output; for a server (expecting ftp connections), input. For a
gateway it can be in forward, or prerouting and output in case it's needed
everywhere (local and forwarded).

Also it makes sense to limit helper assignment to connections that need it
(e.g. ip saddr 192.168/16 or somesuch).
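The two commands in the reply put into a complete ruleset, as an added example that is not part of the list post: a host that runs ftp and tftp servers, so the helper is assigned in the input hook, restricted to a client range, and the data connections the helper predicts are then admitted as "related". The table, chain and object names, the 192.168.0.0/16 client range and the server-side placement are assumptions; the kernel modules nf_conntrack_ftp and nf_conntrack_tftp have to be available.

```nft
#!/usr/sbin/nft -f
# Added example, not from the list post above: a complete inet ruleset for a
# host that serves ftp and tftp, so helper assignment lives in the input hook.
# Assumed: table/chain/object names, and 192.168.0.0/16 as the client range.
# The kernel modules nf_conntrack_ftp and nf_conntrack_tftp must be available.
flush ruleset

table inet filter {
    # Helper objects: "ftp" and "tftp" are the kernel helper names; the
    # protocol must match the control connection (ftp on tcp, tftp on udp).
    ct helper ftp-std {
        type "ftp" protocol tcp
    }
    ct helper tftp-std {
        type "tftp" protocol udp
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state invalid drop
        # Connections the helper expects (passive-mode ftp data, the tftp
        # transfer socket) arrive as "related" and are accepted here.
        ct state established,related accept

        # Assign the helper on the first packet of the control connection,
        # only for the trusted client range, then accept that connection.
        # The assignment must happen before conntrack confirms the entry,
        # which is why it sits in the filter-priority input chain.
        ip saddr 192.168.0.0/16 tcp dport 21 ct helper set "ftp-std"
        ip saddr 192.168.0.0/16 udp dport 69 ct helper set "tftp-std"
        ip saddr 192.168.0.0/16 tcp dport 21 ct state new accept
        ip saddr 192.168.0.0/16 udp dport 69 ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # Active-mode ftp data (server connecting back to the client) is
        # also "related", so it still passes if this policy is tightened.
        ct state established,related accept
    }
}
```

Load it with nft -f and check with nft list ruleset that the helper objects and the "ct helper set" rules are present; once a client has opened a control connection, conntrack -L shows helper=ftp (or helper=tftp) on that entry, which is the quickest way to tell whether assignment happened at all before looking for dropped data packets. For a client-side host, move the two "ct helper set" rules and the matching accepts into the output chain, as the reply says.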