Hello,
I reply to myself, as I finally found the right way to handle it.
The correct syntax seems to be:
table ip nat {
    # helper object: the RTSP control connection is tcp, so declare it as tcp
    ct helper rtsp-standard {
        type "rtsp" protocol tcp;
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # "set" is required: without it this is a match, not an assignment
        tcp dport 554 counter ct helper set "rtsp-standard";
    }
}
That was not working at first, because I forgot the set keyword on the
tcp dport 554 line.
Also, I used to set protocol udp in the helper definition, but the first rtsp
connection is tcp, so it was failing with an error.
Laurent.
On 08/03/2025 at 10:54, Laurent ARNAL wrote:
Hello all,
I've set up nf_nat_rtsp / nf_conntrack_rtsp to handle iptv flow from my
internet provider.
This now works ok, but to make it work correctly, I need a rule like
this one in the firewall:
iptables-nft -t raw -A PREROUTING -p tcp --dport 554 -j CT
--helper rtsp
So if I issue this command, everything is working ok.
The matter is that I don't know how to translate it to put in my
firewall.nft file.
nft list ruleset gives me something like:
# Warning: table ip raw is managed by iptables-nft, do not touch!
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 554 counter packets 0 bytes 0 xt target "CT"
    }
}
If I put something like
table ip raw {
    chain PREROUTING {
        tcp dport 554 -j "CT"
        tcp dport 554 counter xt target "CT";
    }
}
I've got an error on loading:
nft flush ruleset; nft -f /etc/nftables/main.nft
/etc/nftables/main.nft:380:27-40: Error: unsupported xtables
compat expression, use iptables-nft with this ruleset
tcp dport 554 counter xt target "CT";
I've also tried the following syntax:
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 554 counter ct helper rtsp;
    }
}
This is loading ok, but has no effect.
Can someone point me to the right way to target the rtsp conntrack from
nftables?
Thanks,
Laurent.
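A small check for the two mistakes this thread ran into (an added example, not part of the thread or of nftables): it scans ruleset text for ct helper rules that lack the set keyword, which nft loads but treats as a match rather than an assignment, and for rtsp helper objects declared with a protocol other than tcp. The regexes and sample rulesets are constructed here, only cover the plain `ct helper NAME { type ... protocol ...; }` shape, and need no nft binary to run.

```python
import re

# Constructed sample reproducing the thread's two mistakes at once: the rule
# omits the "set" keyword, and the helper object was declared for udp.
BROKEN_RULESET = """
table ip nat {
    ct helper rtsp-standard {
        type "rtsp" protocol udp;
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 554 counter ct helper "rtsp-standard";
    }
}
"""

# The working form from the reply above, with both mistakes corrected.
FIXED_RULESET = BROKEN_RULESET.replace("protocol udp", "protocol tcp").replace(
    'ct helper "rtsp-standard"', 'ct helper set "rtsp-standard"')

# Helper object definition: ct helper NAME { type "TYPE" protocol PROTO; ... }
HELPER_DEF = re.compile(r'\bct helper\s+([\w-]+)\s*\{([^}]*)\}')
# A rule line referencing a helper, with or without the required "set".
HELPER_USE = re.compile(
    r'^\s*(?P<rule>.*?\bct helper\s+(?P<set>set\s+)?"?(?P<name>[\w-]+)"?\s*;?)\s*$',
    re.M)


def lint_helpers(ruleset: str) -> list[str]:
    """Return findings for ct helper rules that load fine but do nothing."""
    findings = []
    defs = {}
    for name, body in HELPER_DEF.findall(ruleset):
        htype = re.search(r'type\s+"(\w+)"', body)
        proto = re.search(r'protocol\s+(\w+)', body)
        defs[name] = (htype.group(1) if htype else "", proto.group(1) if proto else "")
    for m in HELPER_USE.finditer(ruleset):
        rule, name = m.group("rule").strip(), m.group("name")
        if not m.group("set"):
            # "ct helper NAME" without "set" matches the current helper; it assigns nothing.
            findings.append(f'rule "{rule}" is missing "set": it matches instead of assigning')
        if name not in defs:
            findings.append(f'rule "{rule}" references "{name}" but no ct helper object '
                            f'named "{name}" is defined')
            continue
        htype, proto = defs[name]
        if htype == "rtsp" and proto != "tcp":
            # The RTSP control session the helper must track is tcp/554.
            findings.append(f'helper "{name}" is type rtsp but protocol {proto}, '
                            'the RTSP control connection is tcp')
    return findings
```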