From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Jan Engelhardt <jengelh@medozas.de>, netfilter-devel@vger.kernel.org
Subject: Re: The glorious NFCT "none" helper
Date: Tue, 24 May 2011 09:06:41 +0200
Message-ID: <4DDB5901.2090607@trash.net>
In-Reply-To: <4DDA8793.7010203@netfilter.org>

On 23.05.2011 18:13, Pablo Neira Ayuso wrote:
> On 23/05/11 17:59, Jan Engelhardt wrote:
>> On Monday 2011-05-23 17:47, Pablo Neira Ayuso wrote:
>>
>>> On 23/05/11 16:29, Patrick McHardy wrote:
>>>> On 19.05.2011 00:21, Jan Engelhardt wrote:
>>>>> Hej,
>>>>>
>>>>>
>>>>> While working with a customer setup, I came up with this funny idea
>>>>> of plugging a no-op NFCT helper in to work around some nfct_ftp
>>>>> problem. Besides that, it may also be used to simply skip helping and
>>>>> save cycles. See the patch's message for details - I'd love to hear
>>>>> something about it.
>>>>>
>>>>> (NB: nf_nat_ftp was loaded, but not used when connecting between netA
>>>>> and netB.)
>>>>
>>>> Wouldn't a flag to the CT target to skip the helper lookup work as well?
>>>
>>> Indeed.
>>
>> Yes, but how would xt_CT.ko convey to NFCT then that no helper is 
>> supposed to be used? Calling nf_ct_helper_ext_add, but then leave help 
>> at NULL?
> 
> You can attach a template conntrack in the raw table with the CT target.
> That template should have some status flag set to skip helper
> allocation/assignation.

Problem might be the second lookup done after NAT. We don't have the
template available at that time.

I don't like the dummy helper idea very much though, what I would
prefer is an option to use only explicit helper assignment. That
would be a more flexible option, additionally allowing to track
protocols on any port without specifying each of them when loading
the helper.

Thread overview: 10+ messages
2011-05-18 22:21 The glorious NFCT "none" helper Jan Engelhardt
2011-05-18 22:21 ` [PATCH] netfilter: the "none" conntrack helper module Jan Engelhardt
2011-05-23 14:29 ` The glorious NFCT "none" helper Patrick McHardy
2011-05-23 15:47   ` Pablo Neira Ayuso
2011-05-23 15:59     ` Jan Engelhardt
2011-05-23 16:13       ` Pablo Neira Ayuso
2011-05-24  7:06         ` Patrick McHardy [this message]
2011-05-24 19:03           ` Pablo Neira Ayuso
2011-06-07 10:23             ` Patrick McHardy
2011-06-07 11:09               ` Patrick McHardy