Re: Helper not working "No such file or directory"

modinfo nft_objref returns:

cannot find module - nft_objref

Is it mandatory for helpers to run? I guess I should find the way to
enable this module?

On 29-04-2018 09:30, Florian Westphal wrote:
> darius <dram@xxxxxxxxxxx> wrote:
>> I'm struggling a bit with helpers and can't get them working. I'm using
>> this simple script from wiki:
>>
>> #!/usr/sbin/nft -f
>>
>> table ip ipv4_mangle{
>>
>>     # Helpers
>>     ct helper ftp_std{
>>         type "ftp" protocol tcp
>>     }
>>
>>     # PREROUTING chain in filter hook
>>     chain fl_prerouting{
>>         type filter hook prerouting priority 0;
>>
>>         tcp dport 21 ct helper set "ftp_std"
>>     }
>> }
>>
>> When I try to load script to nft, then I get this error:
>>
>> Error: Could not process rule: No such file or directory
>>         tcp dport 21 ct helper set "ftp_std"
>>         ^^^^^^^^^^^^^^^^^^^^^
> It works for me.
>
>> Just before loading script, I have executed following command: "echo 1 >
>> /proc/sys/net/netfilter/nf_conntrack_helper"
> This isn't needed.  Or your script isn't needed -- this knob enables
> old 'auto-assign' of helpers so ftp should work after this even with
> no iptables or nft rules to assign helpers.
>
>> I'm running nftables 0.8.2 and kernel 4.14.32
> It was added in 4.12 kernel so this should work.
>
>> I have tried lsmod | grep nf_conntrack_helper and I get nothing, meaning
>> this module is not loaded.
> It would be autoloaded normally, no need to do any modprobes first.
>
>> I have investigated a bit, and apparently
>> nf_conntrack_helper is built as a part of kmod-ipt-core which I do not
>> use.
> There is no 'nf_conntrack_helper' module.  The base helper
> infrastructure is part of nf_conntrack.
>
>> I'm trying to build pure nftables firewall without any iptables
>> components. On the other hand, I have nf_conntrack_ftp module loaded,
>> but it does not help.
>>
>> Where can be the problem? How to use helpers without having iptables
>> components installed?
> You do not need iptables components.
> Does your kernel support objref infrastructure (modinfo nft_objref)?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
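
The module lookup discussed in this thread, extended into a pre-flight check over a kernel config file. This is an added example and not part of the original messages. The option list is an assumption for a 4.14-era kernel like the one in the thread (nft_objref and nf_conntrack_ftp are named in the thread, nf_tables and nft_ct are the core pieces the ruleset uses), and `opt_state`, `module_name` and `check_helper_support` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for explicit
# conntrack helper assignment (ct helper set "...") in nftables.

# Assumed option list: nft_objref and nf_conntrack_ftp come from the thread,
# nf_tables and nft_ct are the core pieces the ruleset also relies on.
HELPER_OPTS="CONFIG_NF_TABLES CONFIG_NFT_CT CONFIG_NFT_OBJREF CONFIG_NF_CONNTRACK_FTP"

# Command used to look up a module; overridable so the check can be tested.
MODINFO=${MODINFO:-modinfo}

# opt_state FILE OPTION: print y (built in), m (module) or n (not enabled).
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# module_name OPTION: CONFIG_NFT_OBJREF -> nft_objref
module_name() {
    echo "${1#CONFIG_}" | tr 'A-Z' 'a-z'
}

# check_helper_support FILE: print one status line per option and return 1
# if any option is disabled, or is =m but the module is not installed
# (the "cannot find module" case reported in the thread).
check_helper_support() {
    rc=0
    for opt in $HELPER_OPTS; do
        state=$(opt_state "$1" "$opt")
        mod=$(module_name "$opt")
        if [ "$state" = m ] && ! $MODINFO "$mod" >/dev/null 2>&1; then
            state="m (module $mod not installed)"
        fi
        case $state in
            y|m) echo "ok      $opt=$state" ;;
            *)   echo "MISSING $opt=$state"; rc=1 ;;
        esac
    done
    return $rc
}
```

Call `check_helper_support` with a plain-text kernel config, for example `/boot/config-$(uname -r)` or a decompressed copy of `/proc/config.gz` where the kernel provides one.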
