From: Pablo Neira Ayuso <pablo@netfilter.org>
To: leroy christophe <christophe.leroy@c-s.fr>
Cc: netfilter@vger.kernel.org
Subject: Re: How are ct helper to be configured with NFT ?
Date: Fri, 5 Dec 2014 11:38:27 +0100
Message-ID: <20141205103827.GB3746@salvia>
In-Reply-To: <54815E4F.10500@c-s.fr>
On Fri, Dec 05, 2014 at 08:27:11AM +0100, leroy christophe wrote:
> Hi,
>
> I still get the warning from the kernel
>
> # tftp -g server -r test.c
> [ 1359.853269] nf_conntrack: automatic helper assignment is
> deprecated and it will be removed soon. Use the iptables CT target
> to attach helpers instead.
This is related to nf_conntrack. Read this:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
> test.c 100% |************************************************************************|
> 804 0:00:00 ETA
>
> # nft list ruleset
> table ip filter {
>         chain output {
>                 type filter hook output priority 0;
>                 udp dport tftp ct helper "tftp"
The right syntax is:

udp dport tftp ct helper set "tftp"
                         ^^^

your rule above does something different:

1) udp dport tftp

and

2) the ct helper is "tftp"

However, userspace supports this but unfortunately the kernel code is
still missing. So you'll have to wait for this feature or
(temporarily) rely on the automagic helper assignment (from that
message, I understand you already do).
>         }
>
>         chain input {
>                 type filter hook input priority 0;
>                 oifname "lo" accept
>                 ct state { established, related} accept
I think I already mentioned that ct states are flags.

# nft describe ct state
ct expression, datatype ct_state (conntrack state) (basetype bitmask, integer), 32 bits

pre-defined symbolic constants:
        invalid                         0x00000001
        new                             0x00000008
        established                     0x00000002
        related                         0x00000004
        untracked                       0x00000040

so you can express that as comma-separated values, i.e.

ct state established,related accept

This only works if the basetype is a bitmask.
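Both corrections from the reply, as an added example that is not from the thread: a POSIX shell script that computes the bitmask an nft flag list is compared against (using the bit values printed above) and emits the ruleset in the corrected form. It assumes a later nft release in which helpers are defined as `ct helper` objects (the object name `tftp-std` is made up here); the 2014 kernel discussed in the thread did not yet support `ct helper set`.

```shell
#!/bin/sh
# Added example, not code from the thread. Bit values below are the ones
# `nft describe ct state` printed in the reply.
ct_state_bit() {
    case "$1" in
        invalid)     echo 1 ;;
        established) echo 2 ;;
        related)     echo 4 ;;
        new)         echo 8 ;;
        untracked)   echo 64 ;;
        *)           return 1 ;;   # unknown flag name
    esac
}

# Mask for a comma-separated flag list such as "established,related".
# nft matches when any of these bits is set in the packet's ct state.
# Fails (non-zero exit) on an unknown flag instead of silently ignoring it.
ct_state_mask() {
    mask=0
    old_ifs=$IFS; IFS=,
    for flag in $1; do
        flag=$(printf '%s' "$flag" | tr -d ' ')
        bit=$(ct_state_bit "$flag") || { IFS=$old_ifs; return 1; }
        mask=$((mask | bit))
    done
    IFS=$old_ifs
    printf '0x%08x\n' "$mask"
}

# The ruleset in the form the reply asks for: a ct helper object (name
# "tftp-std" is an assumption), `ct helper set` to attach it, and flags
# written as a comma-separated list rather than a set.
corrected_ruleset() {
    cat <<'EOF'
table ip filter {
    ct helper tftp-std {
        type "tftp" protocol udp
    }
    chain output {
        type filter hook output priority 0;
        udp dport tftp ct helper set "tftp-std"   # assignment, not a match on the name
    }
    chain input {
        type filter hook input priority 0;
        iifname "lo" accept                       # input hook: iifname, not oifname
        ct state established,related accept
    }
}
EOF
}

# Syntax-check the ruleset without loading it; skipped when nft is absent.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping" >&2; return 0; }
    corrected_ruleset | nft -c -f -
}
```

Call `check_ruleset` on a host with nft installed to have the kernel-side parser validate the corrected ruleset before it is loaded.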