Linux Netfilter discussions
From: toml <toml@thlu.de>
To: netfilter@vger.kernel.org
Subject: Re: Nftables + ALG + Linux 6.1.0-10-amd64 …?... is it a known Problem?
Date: Tue, 01 Aug 2023 16:20:57 +0200
Message-ID: <b47e1dc20a97eb4e6972d5cbfd2cf9dcaaab7e06.camel@mail>
In-Reply-To: <20230731133608.GA21425@breakpoint.cc>

Hello Florian

Thank you for your response! 

On Monday, 31.07.2023 at 15:36 +0200, Florian Westphal wrote:
> You need to assign the helper to use in your nftables ruleset.
>
> You might need to do this from output too if you need
> this to work from the machine itself as well.

That is my test rule. My server is both an FTP server (web cams) and an
FTP client for various uploads.

If I understand correctly, incoming packets (as FTP server) will first
activate the helper in prerouting. The input rules then allow the
control channel on port 21, and the helper allows the (related) data
channel on port n.

For outgoing packets (as FTP client), the helper is first activated in
the output chain, then port 21 is allowed again, and the helper handles
the related data channel.

Have I understood this correctly?


table ip filter {
  ct helper ftp-helper {
      type "ftp" protocol tcp
      l3proto ip
  }

  chain prerouting {
      type filter hook prerouting priority -100; policy accept;
      ct state 0x8 tcp dport 21 ct helper set "ftp-helper"
  }

  chain input {
      type filter hook input priority 0; policy accept;
      tcp dport 21 accept
      ct helper "ftp" accept
  }

  chain output {
      type filter hook output priority 0; policy accept;
      ct state 0x8 tcp dport 21 ct helper set "ftp-helper"
      ct state 0x8 tcp dport 21 accept
      ct helper "ftp" accept
  }
}

Best Regards
Thomas
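As an added example (not part of Thomas's post or Florian's reply), here is one way to structure the two-way helper assignment described above, admitting the data channel only as a related connection that carries the ftp helper; the table and chain names are assumptions, and the input chain is shown with a drop policy so the helper match actually does something.

```nft
# Added example: explicit FTP helper assignment for a host that is both
# FTP server and FTP client. Table/chain names are assumptions.
# Needs the nf_conntrack_ftp module; kernels from 6.0 on no longer
# auto-assign helpers, so the "ct helper set" rules are mandatory.
table inet ftp_alg {
    ct helper ftp-helper {
        type "ftp" protocol tcp
    }

    chain assign_helper_in {
        # After conntrack (-200), before the filter chains (0), so the
        # helper is attached when the inbound control connection is new.
        type filter hook prerouting priority -100; policy accept;
        ct state new tcp dport 21 ct helper set "ftp-helper"
    }

    chain assign_helper_out {
        # Same for control connections our own FTP client opens.
        type filter hook output priority -100; policy accept;
        ct state new tcp dport 21 ct helper set "ftp-helper"
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established accept
        # Data channel: passive-mode clients of our server, and active-mode
        # servers connecting back to our client, arrive as "related"
        # with helper=ftp. Matching the helper name keeps this narrower
        # than a bare "ct state related accept".
        ct state related ct helper "ftp" accept
        # Control channel of our FTP server.
        tcp dport 21 accept
    }

    chain output {
        # Left at policy accept here. If output is restricted, the same
        # 'ct state related ct helper "ftp" accept' rule admits the
        # passive-mode data connections our client opens.
        type filter hook output priority 0; policy accept;
    }
}
```

Once loaded, the helper attachment can be verified while a control connection is open with `conntrack -L -p tcp --dport 21`, whose entries should show `helper=ftp`.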

Thread overview: 7+ messages
2023-07-31  7:57 Nftables + ALG + Linux 6.1.0-10-amd64 …?... is it a known Problem? toml
2023-07-31 13:36 ` Florian Westphal
2023-08-01 14:20   ` toml [this message]
2023-08-01 20:11     ` Florian Westphal
2023-08-02  7:27       ` toml
2023-08-03 12:35       ` toml
2023-08-03 13:47         ` Florian Westphal