toml <toml@xxxxxxx> wrote:
> On Tuesday, 01.08.2023 at 22:11 +0200, Florian Westphal wrote:
> >
> > Sounds about right, helper assignment looks correct to me.
> >
>
> Unfortunately, the example from my previous post does not work when I tighten the filter to prevent unwanted traffic. For outgoing FTP I always get the message:
> "Could not open data connection to port nnnnn: Connection refused". The helper is not active for that connection.

> chain output {
>     type filter hook output priority 0; policy accept;
>     oifname "lo" accept
>     ct state 0x2,0x4 accept
>     meta pkttype { 0, 1, 2 } accept
>     ip protocol 1 accept
>     ct state 0x8 tcp dport 21 ct helper set "ftp-helper"

Adding a 'counter' after set "ftp-helper" will show that it's never set.

I suspect packets are eaten by the preceding pkttype rule.

You can test via

nft insert rule ip filter output tcp flags syn tcp dport 21 meta nftrace set 1

then run 'nft monitor' and try to connect to a tcp server.
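
If the trace confirms that the pkttype rule accepts the SYN first, one possible reordering is sketched below. It is an added example, not part of the original message or the poster's ruleset. The table `ip filter`, the chain, and the name "ftp-helper" are taken from the thread; the `ct helper` object definition is an assumption, since the thread does not show it.

```nft
# Added example. Rules are the ones quoted in the thread, reordered.
table ip filter {
    # Assumed definition of the helper object referenced by the rule below.
    ct helper ftp-helper {
        type "ftp" protocol tcp
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # "accept" is a terminal verdict: once a rule accepts the packet,
        # later rules in this chain are not evaluated for it. The helper
        # assignment therefore has to come before any accept that can match
        # the first packet of the control connection.
        # 0x8 = new. The counter shows whether the rule is ever reached.
        ct state 0x8 tcp dport 21 ct helper set "ftp-helper" counter

        oifname "lo" accept
        ct state 0x2,0x4 accept            # 0x2 = established, 0x4 = related
        meta pkttype { 0, 1, 2 } accept    # host, broadcast, multicast
        ip protocol 1 accept               # ICMP
    }
}
```

With the helper attached to the control connection, the FTP data connection is tracked as related and matches the existing `ct state 0x2,0x4 accept` rule in whichever chain sees it.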