How are ct helper to be configured with NFT ?

How are ct helper to be configured with NFT ?

[leroy christophe]

I need to do something equivalent to

     iptables -t raw -A OUTPUT -p udp -d 192.168.2.1 --dport tftp -j CT 
--helper tftp


I tried the following

nft add rule filter output ct helper "tftp" udp dport tftp

But it looks like it doesn't work, I still get.

[ 1113.706274] nf_conntrack: automatic helper assignment is deprecated 
and it will be removed soon. Use the iptables CT target to attach 
helpers instead.

What is the correct syntaxe for that ?

Christophe

Re: How are ct helper to be configured with NFT ?

[leroy christophe]

Hi,

I still get the warning from the kernel

# tftp -g server -r test.c
[ 1359.853269] nf_conntrack: automatic helper assignment is deprecated 
and it will be removed soon. Use the iptables CT target to attach 
helpers instead.
test.c               100% 
|************************************************************************| 
804   0:00:00 ETA

# nft list ruleset
table ip filter {
         chain output {
                  type filter hook output priority 0;
                  udp dport tftp ct helper "tftp"
         }

         chain input {
                  type filter hook input priority 0;
                  oifname "lo" accept
                  ct state { established, related} accept
                  ct state new tcp dport ssh accept
                  ip protocol icmp accept
                  drop
         }

         chain forward {
                  type filter hook forward priority 0;
                  drop
         }
}

Can you help ?

Thanks
Christophe

Le 26/11/2014 19:08, leroy christophe a écrit :
> I need to do something equivalent to
>
>     iptables -t raw -A OUTPUT -p udp -d 192.168.2.1 --dport tftp -j CT 
> --helper tftp
>
>
> I tried the following
>
> nft add rule filter output ct helper "tftp" udp dport tftp
>
> But it looks like it doesn't work, I still get.
>
> [ 1113.706274] nf_conntrack: automatic helper assignment is deprecated 
> and it will be removed soon. Use the iptables CT target to attach 
> helpers instead.
>
> What is the correct syntaxe for that ?
>
> Christophe

Re: How are ct helper to be configured with NFT ?

[Pablo Neira Ayuso]

On Fri, Dec 05, 2014 at 08:27:11AM +0100, leroy christophe wrote:
> Hi,
> 
> I still get the warning from the kernel
> 
> # tftp -g server -r test.c
> [ 1359.853269] nf_conntrack: automatic helper assignment is
> deprecated and it will be removed soon. Use the iptables CT target
> to attach helpers instead.

This is related to nf_conntrack. Read this:

https://home.regit.org/netfilter-en/secure-use-of-helpers/


> test.c               100% |************************************************************************|
> 804   0:00:00 ETA
> 
> # nft list ruleset
> table ip filter {
>         chain output {
>                  type filter hook output priority 0;
>                  udp dport tftp ct helper "tftp"

The right syntax is:

        udp dport tftp ct helper set "tftp"
                                 ^^^

your rule above does something different:

1) udp dport tftp

and

2) the ct helper is "tftp"

However, userspace supports this but unfortunately the kernel code is
still missing.  So you'll have to wait for this feature or
(temporarily) rely on the automagic helper assignment (from that
message, I understand you already do).

>         }
> 
>         chain input {
>                  type filter hook input priority 0;
>                  oifname "lo" accept
>                  ct state { established, related} accept

I think I already mentioned that ct state are flags.

# nft describe ct state
ct expression, datatype ct_state (conntrack state) (basetype bitmask, integer), 32 bits

pre-defined symbolic constants:
        invalid                         0x00000001
        new                             0x00000008
        established                     0x00000002
        related                         0x00000004
        untracked                       0x00000040

so you can express that as command separated values, ie.

        ct state established,related accept

This only works if the basetype is a bitmask.

Re: How are ct helper to be configured with NFT ?

[leroy christophe]

Le 05/12/2014 11:38, Pablo Neira Ayuso a écrit :
> On Fri, Dec 05, 2014 at 08:27:11AM +0100, leroy christophe wrote:
>> test.c               100% |************************************************************************|
>> 804   0:00:00 ETA
>>
>> # nft list ruleset
>> table ip filter {
>>          chain output {
>>                   type filter hook output priority 0;
>>                   udp dport tftp ct helper "tftp"
> The right syntax is:
>
>          udp dport tftp ct helper set "tftp"
>                                   ^^^
>
> your rule above does something different:
>
> 1) udp dport tftp
>
> and
>
> 2) the ct helper is "tftp"
>
> However, userspace supports this but unfortunately the kernel code is
> still missing.  So you'll have to wait for this feature or
> (temporarily) rely on the automagic helper assignment (from that
> message, I understand you already do).
Any idea of when the kernel support will be added ?

Christophe

Re: How are ct helper to be configured with NFT ?

[Jason Sipula]

my understanding was 3.13 had the core of nftables merged

On Wed, Feb 25, 2015 at 4:16 AM, leroy christophe
<christophe.leroy@c-s.fr> wrote:
>
> Le 05/12/2014 11:38, Pablo Neira Ayuso a écrit :
>>
>> On Fri, Dec 05, 2014 at 08:27:11AM +0100, leroy christophe wrote:
>>>
>>> test.c               100%
>>> |************************************************************************|
>>> 804   0:00:00 ETA
>>>
>>> # nft list ruleset
>>> table ip filter {
>>>          chain output {
>>>                   type filter hook output priority 0;
>>>                   udp dport tftp ct helper "tftp"
>>
>> The right syntax is:
>>
>>          udp dport tftp ct helper set "tftp"
>>                                   ^^^
>>
>> your rule above does something different:
>>
>> 1) udp dport tftp
>>
>> and
>>
>> 2) the ct helper is "tftp"
>>
>> However, userspace supports this but unfortunately the kernel code is
>> still missing.  So you'll have to wait for this feature or
>> (temporarily) rely on the automagic helper assignment (from that
>> message, I understand you already do).
>
> Any idea of when the kernel support will be added ?
>
> Christophe
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: How are ct helper to be configured with NFT ?

[christophe leroy]

Le 25/02/2015 16:58, Jason Sipula a écrit :
> my understanding was 3.13 had the core of nftables merged
Yes but according to Pablo, "userspace supports this but unfortunately 
the kernel code is still missing".
Hence my question.

As of today, what is the status of nftables regarding the support of ct 
helper ?
If it is not in yet, how can I help getting it in ?

Christophe

>
> On Wed, Feb 25, 2015 at 4:16 AM, leroy christophe
> <christophe.leroy@c-s.fr> wrote:
>> Le 05/12/2014 11:38, Pablo Neira Ayuso a écrit :
>>> On Fri, Dec 05, 2014 at 08:27:11AM +0100, leroy christophe wrote:
>>>> test.c               100%
>>>> |************************************************************************|
>>>> 804   0:00:00 ETA
>>>>
>>>> # nft list ruleset
>>>> table ip filter {
>>>>           chain output {
>>>>                    type filter hook output priority 0;
>>>>                    udp dport tftp ct helper "tftp"
>>> The right syntax is:
>>>
>>>           udp dport tftp ct helper set "tftp"
>>>                                    ^^^
>>>
>>> your rule above does something different:
>>>
>>> 1) udp dport tftp
>>>
>>> and
>>>
>>> 2) the ct helper is "tftp"
>>>
>>> However, userspace supports this but unfortunately the kernel code is
>>> still missing.  So you'll have to wait for this feature or
>>> (temporarily) rely on the automagic helper assignment (from that
>>> message, I understand you already do).
>> Any idea of when the kernel support will be added ?
>>
>> Christophe
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html


---
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus

Re: How are ct helper to be configured with NFT ?

[Jason Sipula]

Maybe we're talking about different things? I had read in some places
that linux kernel version 3.13 had the core of nftables merged.

https://wiki.archlinux.org/index.php/Nftables

I do not know anything about ct helper, however.

On Mon, Oct 12, 2015 at 11:06 AM, christophe leroy
<christophe.leroy@c-s.fr> wrote:
>
> Le 25/02/2015 16:58, Jason Sipula a écrit :
>>
>> my understanding was 3.13 had the core of nftables merged
>
> Yes but according to Pablo, "userspace supports this but unfortunately the
> kernel code is still missing".
> Hence my question.
>
> As of today, what is the status of nftables regarding the support of ct
> helper ?
> If it is not in yet, how can I help getting it in ?
>
> Christophe
>
>
>>
>> On Wed, Feb 25, 2015 at 4:16 AM, leroy christophe
>> <christophe.leroy@c-s.fr> wrote:
>>>
>>> Le 05/12/2014 11:38, Pablo Neira Ayuso a écrit :
>>>>
>>>> On Fri, Dec 05, 2014 at 08:27:11AM +0100, leroy christophe wrote:
>>>>>
>>>>> test.c               100%
>>>>>
>>>>> |************************************************************************|
>>>>> 804   0:00:00 ETA
>>>>>
>>>>> # nft list ruleset
>>>>> table ip filter {
>>>>>           chain output {
>>>>>                    type filter hook output priority 0;
>>>>>                    udp dport tftp ct helper "tftp"
>>>>
>>>> The right syntax is:
>>>>
>>>>           udp dport tftp ct helper set "tftp"
>>>>                                    ^^^
>>>>
>>>> your rule above does something different:
>>>>
>>>> 1) udp dport tftp
>>>>
>>>> and
>>>>
>>>> 2) the ct helper is "tftp"
>>>>
>>>> However, userspace supports this but unfortunately the kernel code is
>>>> still missing.  So you'll have to wait for this feature or
>>>> (temporarily) rely on the automagic helper assignment (from that
>>>> message, I understand you already do).
>>>
>>> Any idea of when the kernel support will be added ?
>>>
>>> Christophe
>>>
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
>
> ---
> L'absence de virus dans ce courrier électronique a été vérifiée par le
> logiciel antivirus Avast.
> https://www.avast.com/antivirus
>

Re: How are ct helper to be configured with NFT ?

[Pablo Neira Ayuso]

On Mon, Oct 12, 2015 at 08:06:38PM +0200, christophe leroy wrote:
> 
> Le 25/02/2015 16:58, Jason Sipula a écrit :
> >my understanding was 3.13 had the core of nftables merged
> Yes but according to Pablo, "userspace supports this but unfortunately the
> kernel code is still missing".
> Hence my question.
> 
> As of today, what is the status of nftables regarding the support of ct
> helper ?
> If it is not in yet, how can I help getting it in ?

I'd appreciate of you can send me patches that we can discuss on
netfilter-devel@vger.kernel.org.

I think it only requires extra little code for the nft_meta expression
from the kernel.

Thanks.

Re: How are ct helper to be configured with NFT ?

[Christophe Leroy]

Le 12/10/2015 20:11, Jason Sipula a écrit :
> Maybe we're talking about different things? I had read in some places
> that linux kernel version 3.13 had the core of nftables merged.
>
> https://wiki.archlinux.org/index.php/Nftables
>
> I do not know anything about ct helper, however.

"ct helper" stands for conntrack helper. It is some part of netfilter 
that helps conntrack
to track complex streams like FTP or TFTP streams where the conntrack 
needs to identify and keep
track of the data stream associated to the signalling stream

Christophe

Re: How are ct helper to be configured with NFT ?

[christophe leroy]

Le 12/10/2015 20:21, Pablo Neira Ayuso a écrit :
> On Mon, Oct 12, 2015 at 08:06:38PM +0200, christophe leroy wrote:
>> Le 25/02/2015 16:58, Jason Sipula a écrit :
>>> my understanding was 3.13 had the core of nftables merged
>> Yes but according to Pablo, "userspace supports this but unfortunately the
>> kernel code is still missing".
>> Hence my question.
>>
>> As of today, what is the status of nftables regarding the support of ct
>> helper ?
>> If it is not in yet, how can I help getting it in ?
> I'd appreciate of you can send me patches that we can discuss on
> netfilter-devel@vger.kernel.org.
>
> I think it only requires extra little code for the nft_meta expression
> from the kernel.
>
>
Isn't it is in nft_ct instead of nft_meta ?

I'm having difficulties to understand how it works.
nft_ct_set_init() is called when I add the rule in the table. So I 
believe I have to call nf_ct_helper_ext_add() from here, haven't I ?
But how do I get the name of the requested helper from that function ? I 
suppose once I get it I can do the same as  xt_ct_set_helper() does.

Otherwise, nft_ct_set_eval() is called when the helper is needed, but I 
suppose it is too late when that happens because the conntrack has 
already said that it has used automatic helper assignment.

Christophe

---
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus