From: Patrick McHardy <kaber@trash.net>
To: christophe leroy <christophe.leroy@c-s.fr>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: Seeking help for implementing CT HELPER in nftables
Date: Mon, 7 Mar 2016 14:20:12 +0100
Message-ID: <20160307132011.GA7620@macbook.localdomain>
In-Reply-To: <56DAC502.2060809@c-s.fr>

On 05.03, christophe leroy wrote:
> Hello,
>
> I'm trying to implement support for CT HELPERs in linux kernel for
> nftables and need some help/guidance.
>
> The rule being 'udp dport tftp ct helper set "tftp"', I get
> nft_ct_set_init() called when I add the rule in the table output filter
> table.
>
> I believe I have to call nf_ct_helper_ext_add() from nft_ct_set_init(),
> but for that I need the name of the helper that is to be set, ie 'tftp'.
> How do I get the name of the requested helper in that function ? I
> suppose once I get it I can do the same as xt_ct_set_helper() does.

This depends on how we want to implement this. We could pass a static helper
name in a new CT attribute, look the helper up in the init path and assign it
to the conntrack in the eval function. This means we'd require a single rule
for every helper assignment.

Alternatively we could pass the helper name in a register and do the lookup
at runtime; that would allow using maps for helper assignment, IOW:

    ct set helper tcp dport { 21 : ftp, 5060 : sip, ... }

Since helper assignment should probably also do a module load, I'm leaning
towards the first possibility. If we still want to do map based assignments,
we could use maps of CT expressions, similar to what we do with dynset but
with statically initialized expressions.