Re: nftables and connection tracking

Marek Greško <mgresko8@xxxxxxxxx> wrote:
> I have a problem getting connection tracking to work when using nftables. I
> have this setup on my Fedora 32:
> 
> table ip raw {
>         chain PREROUTING {
>                 type filter hook prerouting priority raw; policy accept;
>                 meta l4proto udp udp dport 5060 # CT helper sip
>         }
> 
>         chain OUTPUT {
>                 type filter hook output priority raw; policy accept;
>                 meta l4proto udp udp dport 5060 # CT helper sip
>         }

These rules don't do anything (they match udp 5060, but no action is
given).  I suspect this is from xtables-translate, which did not understand
the -j CT --helper sip rule.

This needs something like:
table ip raw {
   ct helper sip {
     type "sip" protocol udp
   }
   chain prerouting {
       meta l4proto udp udp dport 5060 ct helper set "sip"
   }

# same for output
}
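
A complete, loadable form of the ruleset sketched in the reply above, as an added example that is not part of the original message. The table name `sip_helper` and the object name `sip-udp` are assumptions; the chains are hooked at `priority filter` instead of `raw` because `ct helper set` acts on the conntrack entry, which only exists after the conntrack lookup at priority -200.

```nft
# Added example, not from the original thread.
# Names "sip_helper" and "sip-udp" are assumed for illustration.
table ip sip_helper {
	# Helper object: binds the kernel "sip" helper to UDP.
	ct helper sip-udp {
		type "sip" protocol udp
	}

	chain prerouting {
		# Must run after conntrack (priority -200), so use filter (0),
		# not raw (-300): at raw priority there is no conntrack entry yet.
		type filter hook prerouting priority filter; policy accept;

		# Broken form produced by the translation: a match with no
		# statement, so the rule has no effect.
		#   meta l4proto udp udp dport 5060 # CT helper sip

		# Working form: the match is followed by the helper assignment.
		udp dport 5060 ct helper set "sip-udp"
	}

	chain output {
		# Same assignment for locally generated SIP traffic.
		type filter hook output priority filter; policy accept;
		udp dport 5060 ct helper set "sip-udp"
	}
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`.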


