I have a NAT'ed asterisk server behind a router using nftables. Now, the router forwards all SIP traffic to the asterisk server. The asterisk server uses the netdev ingress hook to accept a whitelist and drop a blacklist.

    table netdev netdev1 {
        set whitelist {
            type ipv4_addr
            flags interval
            auto-merge
            elements = { ........... }
        }
        set blacklist {
            ..............
            elements = {.............}
        }
        chain ingress1 {
            type filter hook ingress device eth0 priority 0; policy accept;
            ip saddr @whitelist accept
            ip saddr @blacklist counter packets 8 bytes 4630 drop
        }
    }

On the asterisk server, there's a LOT of RTP traffic for each call, mostly UDP but some TCP.

As I understand "flow tables", it would allow established flows to avoid these checks. But I can't figure out how to set this up.

I would think I'd add a rule to the ingress1 chain:

    ip flowtables

The man page says "Flowtables reside in the ingress hook", but the LWN article referenced in the 0.8.4 announcement,

    table inet x {
        chain y {
            type filter hook forward priority 0; policy accept;
            ip protocol tcp flow offload counter

uses the filter table and the forward hook.

So is SIP a good use case for flowtables? And if so, how?

sean