From: Florian Westphal <fw@strlen.de>
To: Stefan Hartmann <stefanh@hafenthal.de>
Cc: Frank Myhr <fmyhr@fhmtech.com>,
	"netfilter.org" <netfilter@vger.kernel.org>
Subject: Re: nftables carefully open the related-flow: ct state related ct helper "ftp-21" ...
Date: Mon, 8 Mar 2021 22:05:18 +0100
Message-ID: <20210308210518.GC10808@breakpoint.cc>
In-Reply-To: <375f428e-f37b-551a-e09d-1024f00abb3d@hafenthal.de>

Stefan Hartmann <stefanh@hafenthal.de> wrote:
> I tested with this sequence, with multiple counters and no verdicts and
> nflog:
> 
> chain INPUT4 {
> 	type filter hook input priority 0; policy drop;
> 	iifname "lo" accept
> 	ct state established counter packets 403 bytes 26976 accept
> 	ct state related counter packets 1 bytes 60
> 	ct helper "ftp-21" counter packets 0 bytes 0
> 	ct state related ct helper "ftp-21" counter packets 0 bytes 0 accept
> 	ct state related counter packets 1 bytes 60 log group 10
> 	ct state related counter packets 1 bytes 60 accept
> 	ip protocol icmp accept
> 	tcp dport ssh accept
> 	tcp dport ftp ip daddr 10.18.16.143 counter packets 1 bytes 60 ct helper set "ftp-21" accept
> 	counter packets 0 bytes 0 log prefix "NFT: FILTER4/INPUT4: p. died: " group 0 drop
> 	}
> 
> And indeed, the RELATED packet going through is the SYN packet from the FTP
> DATA flow.
> 
> The ct helper "ftp-21" does NOT match on the RELATED packets; I'm pretty
> sure it matches on the master connection.
> I will try to verify this.

'ct state related ct helper "ftp"' should work for data connections.

The problem is that 'ct helper' fetches the in-kernel name of the helper
("ftp" in this case) and not the object name defined in the ruleset or
used for assignment.
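To make the distinction concrete, here is a minimal ruleset written for this page as an added example; it is not Stefan's posted ruleset and not something from the thread. It keeps the helper object name "ftp-21" and the server address 10.18.16.143 from the quoted ruleset, and assumes the inet family, an input chain and the sysctl-independent explicit assignment via 'ct helper set'. The rule that names the ruleset object never matches a data connection; the rule that names the kernel helper does.

```nft
# Added example, not from the thread. Table, chain and interface names
# are assumptions; the helper object name and address follow the quoted ruleset.
table inet filter {
	# Ruleset object "ftp-21" wraps the in-kernel helper "ftp".
	# 'ct helper set' uses the object name; 'ct helper' (match) sees the kernel name.
	ct helper ftp-21 {
		type "ftp" protocol tcp
	}

	chain input {
		type filter hook input priority filter; policy drop;

		iifname "lo" accept
		ct state established accept

		# Never matches: "ftp-21" is the object name, and the match
		# compares against the kernel helper name of the master flow.
		ct state related ct helper "ftp-21" counter accept

		# Matches the SYN of an FTP data connection expected by the
		# "ftp" kernel helper attached to the control connection.
		ct state related ct helper "ftp" counter accept

		ip protocol icmp accept
		tcp dport ssh accept

		# Attach the helper to new control connections to this server only,
		# so the ftp helper does not parse port 21 traffic to arbitrary hosts.
		tcp dport ftp ip daddr 10.18.16.143 ct helper set "ftp-21" accept

		counter log prefix "NFT: FILTER4/INPUT4: p. died: " group 0 drop
	}
}
```

To check which name the kernel actually records, list the control connection with `conntrack -L` after an FTP login: the entry shows `helper=ftp`, not `helper=ftp-21`, and `conntrack -E expect` shows the expectation created for the data connection. The counters on the two `ct state related` rules then confirm that only the `"ftp"` rule is hit. Restricting the helper assignment by destination address, as the quoted ruleset does, matters because a conntrack helper parses application payload in the kernel and should only be attached to flows that really belong to the FTP server.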


Thread overview: 14+ messages
2021-03-07 15:12 nftables carefully open the related-flow: ct state related ct helper "ftp-21" Stefan Hartmann
2021-03-07 20:06 ` Frank Myhr
2021-03-08  9:24   ` Stefan Hartmann
2021-03-08 12:48     ` Frank Myhr
2021-03-08 19:22       ` Stefan Hartmann
2021-03-08 19:59         ` Frank Myhr
2021-03-08 21:05         ` Florian Westphal [this message]
2021-03-09 16:13           ` Stefan Hartmann
2021-03-09 16:59             ` Frank Myhr
2021-03-09 17:24               ` Florian Westphal
2021-03-09 17:29                 ` Frank Myhr
2021-03-09 21:06                 ` Pablo Neira Ayuso
2021-03-10  0:13                   ` Frank Myhr
2021-03-15 11:18                   ` Frank Myhr