Hello all,
I've set up nf_nat_rtsp / nf_conntrack_rtsp to handle the IPTV flow from my
internet provider.
This now works OK, but to make it work correctly, I need a rule like this
one in the firewall:
iptables-nft -t raw -A PREROUTING -p tcp --dport 554 -j CT --helper rtsp
So if I issue this command, everything is working OK.
The problem is that I don't know how to translate it to put it in my
firewall.nft file.
nft list ruleset gives me something like:
# Warning: table ip raw is managed by iptables-nft, do not touch!
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 554 counter packets 0 bytes 0 xt target "CT"
    }
}
If I put something like
table ip raw {
    chain PREROUTING {
        tcp dport 554 -j "CT"
        tcp dport 554 counter xt target "CT";
    }
}
I get an error on loading:
nft flush ruleset; nft -f /etc/nftables/main.nft
/etc/nftables/main.nft:380:27-40: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
    tcp dport 554 counter xt target "CT";
I've also tried the following syntax:
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 554 counter ct helper rtsp;
    }
}
This loads OK, but has no effect.
Can someone point me to the right way to target the rtsp conntrack from
nftables?
Thanks,
Laurent.
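The native nftables form of the helper assignment, as an added example that is not part of Laurent's post: nftables expresses the iptables `-j CT --helper` target as a `ct helper` object declared in the table, plus a `ct helper set` statement in a chain hooked at raw priority. The object name `rtsp-helper` is an arbitrary label chosen here; the kernel helper name `rtsp` is the one the post's iptables rule already uses, and the example assumes the nf_conntrack_rtsp / nf_nat_rtsp modules are loaded.

```nft
# Added example: native nftables equivalent of
#   iptables-nft -t raw -A PREROUTING -p tcp --dport 554 -j CT --helper rtsp
# Assumes nf_conntrack_rtsp and nf_nat_rtsp are loaded and register a
# conntrack helper named "rtsp" (the name from the post's iptables rule).
# The object name "rtsp-helper" is a label chosen for this example.
table ip raw {
    # A ct helper object binds a kernel conntrack helper to an L4 protocol;
    # it is what "-j CT --helper rtsp" referred to on the iptables side.
    ct helper rtsp-helper {
        type "rtsp" protocol tcp;
    }

    chain PREROUTING {
        # The assignment must happen before conntrack processes the packet,
        # so the chain sits at priority raw (-300), as the iptables raw
        # table did.
        type filter hook prerouting priority raw; policy accept;

        # "ct helper set" attaches the helper to the new flow.
        # A bare "ct helper rtsp" without "set" is a match on flows that
        # already carry that helper, not an assignment, so it loads
        # cleanly but assigns nothing.
        tcp dport 554 counter ct helper set "rtsp-helper"
    }
}
```

Two caveats. Since kernel 4.7 `net.netfilter.nf_conntrack_helper` defaults to 0, so helpers are no longer auto-attached by port; an explicit assignment rule like this one is required. And `nft flush ruleset` removes the `table ip raw` that iptables-nft created, so the ruleset file has to carry the whole raw table itself rather than coexist with the iptables-nft one. To confirm the assignment took effect, an established RTSP flow listed by `conntrack -L` should show `helper=rtsp`.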