From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Frank Myhr <fmyhr@fhmtech.com>,
Stefan Hartmann <stefanh@hafenthal.de>,
"netfilter.org" <netfilter@vger.kernel.org>
Subject: Re: nftables carefully open the related-flow: ct state related ct helper "ftp-21" ...
Date: Tue, 9 Mar 2021 22:06:06 +0100 [thread overview]
Message-ID: <20210309210606.GA6016@salvia> (raw)
In-Reply-To: <20210309172428.GF10808@breakpoint.cc>
On Tue, Mar 09, 2021 at 06:24:28PM +0100, Florian Westphal wrote:
> Frank Myhr <fmyhr@fhmtech.com> wrote:
> > > The ct helper "ftp" matches on the RELATED packets.
> >
> > Stefan, congrats on getting your configuration working. :-)
> > And thank you very much for posting your complete ruleset below.
> >
> > Florian, I hope you can comment:
> >
> > 1) I will look at the code, but am surprised that "ct helper" uses the
> > in-kernel name "ftp" rather than that of the stateful object "ftp-21" that
> > the ruleset goes to the trouble of explicitly defining.
> >
> > a) Is this simply a parsing artifact -- if the helper were called "abcd"
> > would the expression 'ct helper "abcd"' match it?
> >
> > b) If it is NOT a parsing artifact but by design: why? It would be more
> > intuitive to use the name of the explicitly-named helper object. Another way
> > to ask the same thing: why bother with the explicit helper object at all,
> > rather than just use "ftp" (which implies the ip & tcp protocols in "ftp-21"
> > definition anyway) in both match and statement, like 'ct helper set "ftp"'?
>
> Its a design fuckup. When I made the objref patches to attach the
> defined helpers I did not consider that we already had a 'ct helper'
> with existing behaviour.
>
> The explicit helper objects were done this way to allow defining
> multiple helpers wuth different settings.
>
> There are helpers that can be tuned by options and users might want to
> use different settings in each.
Just posted a patchset, maybe we can address this inconsistency moving
forward:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210309210134.13620-2-pablo@netfilter.org/
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210309210134.13620-3-pablo@netfilter.org/
> > 2) Does it make a difference whether 'ct helper set' is done in input (as in
> > below ruleset) or in prerouting? Maybe it has to be in prerouting only in
> > case of forwarded traffic?
>
> It can be in input if the traffic is not forwarded.
Actually it can be place in forward chain too IIRC.
If the rule is added to prerouting, then the ct helper is attached to
both input and forward traffic.
next prev parent reply other threads:[~2021-03-09 21:06 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-07 15:12 nftables carefully open the related-flow: ct state related ct helper "ftp-21" Stefan Hartmann
2021-03-07 20:06 ` Frank Myhr
2021-03-08 9:24 ` Stefan Hartmann
2021-03-08 12:48 ` Frank Myhr
2021-03-08 19:22 ` Stefan Hartmann
2021-03-08 19:59 ` Frank Myhr
2021-03-08 21:05 ` Florian Westphal
2021-03-09 16:13 ` Stefan Hartmann
2021-03-09 16:59 ` Frank Myhr
2021-03-09 17:24 ` Florian Westphal
2021-03-09 17:29 ` Frank Myhr
2021-03-09 21:06 ` Pablo Neira Ayuso [this message]
2021-03-10 0:13 ` Frank Myhr
2021-03-15 11:18 ` Frank Myhr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210309210606.GA6016@salvia \
--to=pablo@netfilter.org \
--cc=fmyhr@fhmtech.com \
--cc=fw@strlen.de \
--cc=netfilter@vger.kernel.org \
--cc=stefanh@hafenthal.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox