Hello,

unfortunately the helper is not there:

conntrack -L | grep sip -> no output

It is strange that if I use iptables-nft it is working. Some userspace
problem?

Marek

2020-06-21 11:01 GMT+02:00, Florian Westphal <fw@xxxxxxxxx>:
> Marek Greško <mgresko8@xxxxxxxxx> wrote:
>> Hello,
>>
>> thanks for your help. Unfortunately, it does not work either.
>
> Please keep mailing list on CC.
>
>> table ip raw {
>>         ct helper sip {
>>                 type "sip" protocol udp
>>         }
>>
>>         ct helper ftp {
>>                 type "ftp" protocol tcp
>>         }
>>
>>         chain PREROUTING {
>>                 type filter hook prerouting priority raw; policy accept;
>>                 meta l4proto udp udp dport 5060 ct helper set "sip"
>>                 meta l4proto tcp tcp dport 21 ct helper set "ftp"
>>         }
>>
>>         chain OUTPUT {
>>                 type filter hook output priority raw; policy accept;
>>                 meta l4proto udp udp dport 5060 ct helper set "sip"
>>                 meta l4proto tcp tcp dport 21 ct helper set "ftp"
>>         }
>> }
>
> Looks good.
>
>> Still nothing.
>
> Hmm, given it worked with iptables it should work with nft too since
> the tracker is the same code.
>
> Try 'conntrack -L' and check if the udp flow has a helper assigned.
> You might need to flush the conntrack table to make it pick up the
> tracker (assigning it only works at the start of the connection).
>
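The check suggested in the thread, as an added example that is not part of either e-mail: instead of grepping for "sip", list every tracked flow to the port together with its helper, so that "no flow tracked at all" can be told apart from "flow tracked, no helper assigned". The function names and the sample `conntrack -L` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-flow helper report.
# Reads `conntrack -L` text on stdin; args: protocol name, destination port.
helper_status() {
    awk -v proto="$1" -v port="$2" '
    $1 == proto {
        src = dst = dport = ""; helper = "none"
        for (i = 2; i <= NF; i++) {
            # The original-direction tuple is printed first; keep the first hit only.
            if (src == ""   && $i ~ /^src=/)   src   = substr($i, 5)
            if (dst == ""   && $i ~ /^dst=/)   dst   = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            # helper=<name> is only present when a helper is attached to the flow.
            if ($i ~ /^helper=/) helper = substr($i, 8)
        }
        if (dport == port) print src, dst, helper
    }'
}

# Number of tracked flows to that port that have no helper attached.
flows_without_helper() {
    helper_status "$1" "$2" | awk '$3 == "none"' | wc -l | tr -d ' '
}

# Constructed sample input (documentation addresses), shaped like `conntrack -L` output.
sample_conntrack() {
cat <<'EOF'
udp      17 28 src=192.0.2.10 dst=198.51.100.5 sport=5060 dport=5060 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=5060 dport=5060 mark=0 use=1
udp      17 170 src=192.0.2.11 dst=198.51.100.5 sport=5060 dport=5060 src=198.51.100.5 dst=192.0.2.11 sport=5060 dport=5060 [ASSURED] mark=0 helper=sip use=2
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40112 dport=21 src=198.51.100.7 dst=192.0.2.10 sport=21 dport=40112 [ASSURED] mark=0 helper=ftp use=1
EOF
}

# Prints one line per UDP flow to port 5060: source, destination, helper.
sample_conntrack | helper_status udp 5060
```

On a live system, feed it with `conntrack -L 2>/dev/null | helper_status udp 5060`. A flow reported as `none` that was created before the ruleset was loaded keeps that state until its entry is gone, which is why the reply above mentions flushing the table.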