Hi,
I installed Alpine Linux 3.13 on a _physical_ x86_64 arch.
I have problems using the nftables connection tracking helper.
TEST command sequence with ftp helper:
lsmod | grep nf_
sudo nft flush ruleset
sudo nft list ruleset
sudo nft add table ip TABLE4
sudo nft add chain ip TABLE4 CHAIN4 '{ type filter hook input priority 0 ; policy accept; }'
sudo nft add ct helper ip TABLE4 ftp-21 '{ type "ftp" protocol tcp; }'
sudo nft add rule ip TABLE4 CHAIN4 'tcp dport 21 counter ct helper set "ftp-21" accept'
Error: Could not process rule: No such file or directory
add rule ip TABLE4 CHAIN4 tcp dport 21 counter ct helper set "ftp-21" accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I then recompiled the Kernel with changed config
# CONFIG_NFT_OBJREF is not set
to CONFIG_NFT_OBJREF=m
And nftables works as expected on Alpine x86_64.
ALPINE:~$ sudo nft list ruleset
table ip TABLE4 {
ct helper ftp-21 {
type "ftp" protocol tcp
l3proto ip
}
chain CHAIN4 {
type filter hook input priority filter; policy accept;
tcp dport 21 counter packets 0 bytes 0 ct helper set "ftp-21" accept
}
}
ALPINE:~$ lsmod | grep nf_
nf_conntrack_ftp 16384 1
nf_conntrack 147456 2 nft_ct,nf_conntrack_ftp
nf_defrag_ipv6 16384 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 1 nf_conntrack
nf_tables 167936 8 nft_ct,nft_objref,nft_counter
nfnetlink 16384 3 nf_tables,nfnetlink_log
I am searching for arguments to persuade the Alpine x86_64 kernel
maintainer to change the kernel config to CONFIG_NFT_OBJREF=m.
Can someone with the proper knowledge explain why this config option
could safely be enabled as m?
Perhaps pros vs. cons?
Nb. I posted this already on the Alpine mailing list 3 months ago but got no
response.
Nb. there are Alpine Raspberry Pi images, e.g. config-rpi4 armv7, where
CONFIG_NFT_OBJREF=m is already set.
--
Thanks,
Stefan Hartmann
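Added example, not part of Stefan's post and not nftables project code: a POSIX sh pre-flight check that reads the running kernel's config for CONFIG_NFT_OBJREF before loading the ruleset from the post. The post shows that `ct helper set "ftp-21"` is rejected with "No such file or directory" (ENOENT) until CONFIG_NFT_OBJREF is enabled, because that statement is a reference to a ct helper object and the kernel resolves such references in the nft_objref module. The function names, the config file locations tried, and the `--apply` switch are assumptions of this example; the table, chain and helper names are taken from the post, and the config text used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check the kernel config for
# CONFIG_NFT_OBJREF before loading a ruleset that uses "ct helper set".
# Without nft_objref the object reference fails with ENOENT, which is the
# "No such file or directory" error shown in the post.

# Print the value of CONFIG_NFT_OBJREF ("y" or "m") found in the config
# text passed as $1, or "unset" when it is absent or commented out.
nft_objref_state() {
    printf '%s\n' "$1" | awk '
        /^CONFIG_NFT_OBJREF=/ { sub(/^CONFIG_NFT_OBJREF=/, ""); print; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Read the running kernel's configuration from the usual locations
# (/proc/config.gz needs CONFIG_IKCONFIG_PROC; the /boot/config-* file is
# what most distributions install next to the kernel image). Paths are an
# assumption of this example; adjust them for the kernel flavour in use.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        # Some distributions name the file after a flavour (e.g. config-lts)
        # rather than the full release string; take the first readable one.
        for f in /boot/config-*; do
            [ -r "$f" ] && cat "$f" && break
        done
    fi
}

# The ruleset from the post in nft file syntax: a conntrack helper object
# and a rule that assigns it to inbound FTP control connections.
ftp_helper_ruleset() {
    cat <<'EOF'
table ip TABLE4 {
    ct helper ftp-21 {
        type "ftp" protocol tcp
    }
    chain CHAIN4 {
        type filter hook input priority filter; policy accept;
        tcp dport 21 counter ct helper set "ftp-21" accept
    }
}
EOF
}

# Load the ruleset only when the kernel can satisfy the object reference;
# otherwise report the cause of the ENOENT instead of retrying blindly.
apply_ftp_helper() {
    state=$(nft_objref_state "$(running_kernel_config)")
    case "$state" in
        y|m)
            ftp_helper_ruleset | nft -f -
            ;;
        *)
            echo "CONFIG_NFT_OBJREF is $state: 'ct helper set' would fail with ENOENT" >&2
            return 1
            ;;
    esac
}

# Run as "sh this_script.sh --apply" (as root) to actually load the ruleset.
case "${1:-}" in
    --apply) apply_ftp_helper ;;
esac
```

The check deliberately reads the build configuration rather than trying `modprobe nft_objref`: on a kernel built with `# CONFIG_NFT_OBJREF is not set` there is no module to load, and a failed `nft -f` leaves the helper object and chain half-applied, so it is clearer to refuse up front and point at the missing option.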