darius <dram@xxxxxxxxxxx> wrote:
> I'm struggling a bit with helpers and can't get them working. I'm using
> this simple script from wiki:
>
> #!/usr/sbin/nft -f
>
> table ip ipv4_mangle{
>
>     # Helpers
>     ct helper ftp_std{
>         type "ftp" protocol tcp
>     }
>
>     # PREROUTING chain in filter hook
>     chain fl_prerouting{
>         type filter hook prerouting priority 0;
>
>         tcp dport 21 ct helper set "ftp_std"
>     }
> }
>
> When I try to load script to nft, then I get this error:
>
> Error: Could not process rule: No such file or directory
> tcp dport 21 ct helper set "ftp_std"
> ^^^^^^^^^^^^^^^^^^^^^

It works for me.

> Just before loading script, I have executed following command: "echo 1 >
> /proc/sys/net/netfilter/nf_conntrack_helper"

This isn't needed. Or your script isn't needed -- this knob enables
old 'auto-assign' of helpers so ftp should work after this even with
no iptables or nft rules to assign helpers.

> I'm running nftables 0.8.2 and kernel 4.14.32

It was added in 4.12 kernel so this should work.

> I have tried lsmod | grep nf_conntrack_helper and I get nothing, meaning
> this module is not loaded.

It would be autoloaded normally, no need to do any modprobes first.

> I have investigated a bit, and apparently
> nf_conntract_helper is built as a part of kmod-ipt-core which I do not
> use.

There is no 'nf_conntrack_helper' module.
The base helper infrastructure is part of nf_conntrack.

> I'm trying to build pure nftables firewall without any iptables
> components. On the other hand, I have nf_conntrack_ftp module loaded,
> but it does not help.
>
> Where can be the problem? How to use helpers without having iptables
> components installed?

You do not need iptables components.
Does your kernel support objref infrastructure (modinfo nft_objref)?
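
The checks the reply walks through (kernel 4.12 or later, `modinfo nft_objref`, the auto-assign knob), collected into one diagnostic script. This is an added example, not part of the original thread; the function names `version_ge`, `have_mod` and `diagnose` are hypothetical, and the `nf_conntrack_ftp` check is an assumption taken from the question's mention of that module.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. Function names are hypothetical.

# version_ge A B: succeed if kernel version A >= B (major.minor only).
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%[!0-9]*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "${a_minor:-0}" -ge "${b_minor:-0}" ]; }
}

# have_mod NAME: print "yes" if modinfo can find the module, else "no".
have_mod() { modinfo "$1" >/dev/null 2>&1 && echo yes || echo no; }

# diagnose KVER OBJREF HELPER_MOD AUTO: print one finding per line.
#   OBJREF, HELPER_MOD: have_mod result for nft_objref / nf_conntrack_ftp
#   AUTO: value of /proc/sys/net/netfilter/nf_conntrack_helper, or "unknown"
diagnose() {
    version_ge "$1" 4.12 ||
        echo "FAIL kernel $1 is older than 4.12, where ct helper objects were added"
    [ "$2" = yes ] ||
        echo "FAIL modinfo nft_objref found nothing (objref infrastructure missing?)"
    [ "$3" = yes ] ||
        echo "FAIL modinfo nf_conntrack_ftp found nothing, no ftp helper to assign"
    # With the knob at 1 the old auto-assign is active, so the explicit
    # 'ct helper set' rule is not what attaches the helper.
    [ "$4" != 1 ] ||
        echo "WARN nf_conntrack_helper=1: helpers are auto-assigned without any rule"
    return 0
}

# Gather the live values and report. No output means every check passed.
kver=$(uname -r)
auto=$(cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null || echo unknown)
diagnose "$kver" "$(have_mod nft_objref)" "$(have_mod nf_conntrack_ftp)" "$auto"
```
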