[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    Re: How are ct helper to be configured with NFT ?
From:       christophe leroy <christophe.leroy () c-s ! fr>
Date:       2016-03-02 18:14:05
Message-ID: 56D72D6D.3060308 () c-s ! fr
[Download RAW message or body]



Le 12/10/2015 20:21, Pablo Neira Ayuso a écrit :
> On Mon, Oct 12, 2015 at 08:06:38PM +0200, christophe leroy wrote:
>> Le 25/02/2015 16:58, Jason Sipula a écrit :
>>> my understanding was 3.13 had the core of nftables merged
>> Yes but according to Pablo, "userspace supports this but unfortunately the
>> kernel code is still missing".
>> Hence my question.
>>
>> As of today, what is the status of nftables regarding the support of ct
>> helper ?
>> If it is not in yet, how can I help getting it in ?
> I'd appreciate of you can send me patches that we can discuss on
> netfilter-devel@vger.kernel.org.
>
> I think it only requires extra little code for the nft_meta expression
> from the kernel.
>
>
Isn't it is in nft_ct instead of nft_meta ?

I'm having difficulties to understand how it works.
nft_ct_set_init() is called when I add the rule in the table. So I 
believe I have to call nf_ct_helper_ext_add() from here, haven't I ?
But how do I get the name of the requested helper from that function ? I 
suppose once I get it I can do the same as  xt_ct_set_helper() does.

Otherwise, nft_ct_set_eval() is called when the helper is needed, but I 
suppose it is too late when that happens because the conntrack has 
already said that it has used automatic helper assignment.

Christophe

---
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]