On Sun, 2020-06-14 at 02:17 +0100, kfm@xxxxxxxxxxxxx wrote:
> If you want to be able to rely exclusively on the related ct_state to
> allow such packets to pass, check that your kernel has
> CONFIG_NF_CONNTRACK_TFTP enabled. It's usually enabled as a loadable
> kernel module so, if you are able to "modprobe nf_conntrack_tftp" and
> observe that the module is listed by "lsmod", you should be in good
> standing.
>
> The other thing you should know is that nftables has a specific syntax
> to register connection tracking helpers and to attach them to a given
> rule. The man page contains an example for FTP, which should be
> straightforward to adapt:
>
> https://git.netfilter.org/nftables/tree/doc/stateful-objects.txt#n29

Both solutions worked, but for both I needed to enable helpers by
running `sysctl net/netfilter/nf_conntrack_helper=1`, as specified in:

https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation

Thanks for your help!
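
The FTP helper example referenced in the quoted reply, adapted to TFTP, as an added example that is not part of the original thread or the nftables documentation. It assumes the host is a TFTP client with a default-drop input policy; the table, chain and helper object names are illustrative.

```nft
#!/usr/sbin/nft -f
# Added example: explicit TFTP conntrack helper assignment on a client host.
# Assumes the nf_conntrack_tftp module is loaded (modprobe nf_conntrack_tftp).
# Names "tftp_example" and "tftp-standard" are illustrative.

table inet tftp_example {
    # Stateful object that binds the kernel's "tftp" helper to UDP.
    ct helper tftp-standard {
        type "tftp" protocol udp
    }

    chain output {
        # Priority 0 runs after conntrack has created the entry for the
        # first packet, which is when a helper can still be attached.
        type filter hook output priority 0; policy accept;

        # Attach the helper only to TFTP requests (UDP port 69), so the
        # helper parses nothing except traffic that should be TFTP.
        udp dport 69 ct helper set "tftp-standard"
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # The server answers from a new ephemeral port, not from port 69.
        # The helper registers an expectation for that flow, so its first
        # packet arrives as "related" instead of "new".
        ct state established,related accept
    }
}
```

Load the file with `nft -f`; while a transfer is starting, `conntrack -L expect` lists the expectation the helper created.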