* iptables 1.8.8 misses -j CT calls
@ 2022-07-21 14:20 Jan Engelhardt
From: Jan Engelhardt @ 2022-07-21 14:20 UTC (permalink / raw)
To: Netfilter Developer Mailing List
Bug report.
Input
=====
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j CT --notrack
-A PREROUTING -i ve-+ -p tcp --dport 21 -j CT --helper ftp
COMMIT
Output
======
# Translated by iptables-restore-translate v1.8.8 on Thu Jul 21 16:18:58 2022
add table ip raw
add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
add chain ip raw OUTPUT { type filter hook output priority -300; policy accept; }
add rule ip raw PREROUTING iifname "lo" counter notrack
# -t raw -A PREROUTING -i ve-+ -p tcp --dport 21 -j CT --helper ftp
# Completed on Thu Jul 21 16:18:58 2022
Expected output
===============
An nft rule involving port 21.
* Re: iptables 1.8.8 misses -j CT calls
From: Pablo Neira Ayuso @ 2022-07-23 7:48 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List, fw
On Thu, Jul 21, 2022 at 04:20:32PM +0200, Jan Engelhardt wrote:
>
> Bug report.
>
> Input
> =====
> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -i lo -j CT --notrack
> -A PREROUTING -i ve-+ -p tcp --dport 21 -j CT --helper ftp
> COMMIT
>
>
> Output
> ======
> # Translated by iptables-restore-translate v1.8.8 on Thu Jul 21 16:18:58 2022
> add table ip raw
> add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
> add chain ip raw OUTPUT { type filter hook output priority -300; policy accept; }
> add rule ip raw PREROUTING iifname "lo" counter notrack
> # -t raw -A PREROUTING -i ve-+ -p tcp --dport 21 -j CT --helper ftp
> # Completed on Thu Jul 21 16:18:58 2022
The problem with this translation is that nftables expects the helper
to be set after the input conntrack hook.
IIRC Florian preferred not to use the conntrack template (which is
used before the conntrack object is attached to the skb). Instead, the
help is attached once after the conntrack lookup.
> Expected output
> ===============
> An nft rule involving port 21.
* Re: iptables 1.8.8 misses -j CT calls
From: Pablo Neira Ayuso @ 2022-07-23 8:17 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List, fw
On Sat, Jul 23, 2022 at 09:48:56AM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 21, 2022 at 04:20:32PM +0200, Jan Engelhardt wrote:
> >
> > Bug report.
> >
> > Input
> > =====
> > *raw
> > :PREROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A PREROUTING -i lo -j CT --notrack
> > -A PREROUTING -i ve-+ -p tcp --dport 21 -j CT --helper ftp
> > COMMIT
> >
> >
> > Output
> > ======
> > # Translated by iptables-restore-translate v1.8.8 on Thu Jul 21 16:18:58 2022
> > add table ip raw
> > add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
> > add chain ip raw OUTPUT { type filter hook output priority -300; policy accept; }
> > add rule ip raw PREROUTING iifname "lo" counter notrack
> > # -t raw -A PREROUTING -i ve-+ -p tcp --dport 21 -j CT --helper ftp
> > # Completed on Thu Jul 21 16:18:58 2022
>
> the problem with this translation is that nftables expects the helper
> to be set after the input conntrack hook.
For the sake of clarity:
NF_IP_PRI_CONNTRACK = -200 in the prerouting hook,
which comes _after_ NF_IP_PRI_RAW = -300.
> IIRC Florian preferred not to use the conntrack template (which is
> used before the conntrack object is attached to the skb). Instead, the
> help is attached once after the conntrack lookup.
>
> > Expected output
> > ===============
> > An nft rule involving port 21.
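Added example, not part of the thread and not output of iptables-restore-translate: a hand-written nft ruleset carrying both rules from the report, with the helper assignment moved to a separate prerouting chain whose priority (-150, my choice) sits after NF_IP_PRI_CONNTRACK (-200) as the replies describe. The chain and helper object names are assumptions, and the iptables wildcard "ve-+" is written as nft's "ve-*".

```nft
# Added example (not the translator's output). The notrack rule stays in
# the raw-priority chain; the helper assignment runs in a chain hooked
# after conntrack (priority -200), so a ct object is already attached to
# the skb when "ct helper set" evaluates. Names and -150 are assumptions.
table ip raw {
	# Helper object: "ftp" is the kernel helper name, as in -j CT --helper ftp
	ct helper ftp-standard {
		type "ftp" protocol tcp
	}

	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
		iifname "lo" counter notrack
	}

	# Priority -150: after NF_IP_PRI_CONNTRACK (-200), before filter (0).
	chain PREROUTING_helper {
		type filter hook prerouting priority -150; policy accept;
		iifname "ve-*" tcp dport 21 counter ct helper set "ftp-standard"
	}
}
```

Load it with `nft -f <file>`; the port 21 rule then takes effect only after the conntrack lookup, which is why a direct translation into the -300 chain cannot work.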