On Sat, May 25, 2019 at 03:30:58PM +0200, Stéphane Veyret wrote:
> This patch allows adding, listing and deleting expectations via the nft objref
> infrastructure and assigning these expectations via an nft rule.
> 
> This allows manual port triggering when no helper is defined to manage a
> specific protocol. For example, if I have an online game whose protocol
> is based on an initial connection to TCP port 9753 of the server, and where
> the server opens a connection to port 9876, I can set rules as follows:
> 
> table ip filter {
>     ct expectation mygame {
>         protocol udp;
>         dport 9876;
>         timeout 2m;
>         size 1;
>     }
> 
>     chain input {
>         type filter hook input priority 0; policy drop;
>         tcp dport 9753 ct expectation set "mygame";
>     }
> 
>     chain output {
>         type filter hook output priority 0; policy drop;
>         udp dport 9876 ct status expected accept;
>     }
> }

LGTM.

Would you post userspace bits? I would like to give a quick test here :-)

Thanks.
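A fuller ruleset for the game scenario in the quoted message, as an added example that is not part of the patch or of either message. It uses the `ct expectation` object and `ct status expected` match exactly as proposed above, keeps the quoted port numbers, object name and table name, and adds the usual `ct state established,related accept` rules so that the TCP control connection itself (and the reply half of the expected UDP flow) is allowed through, which the quoted sketch with `policy drop` on both chains does not do on its own:

```nft
table ip filter {
    # Expectation template; values taken from the quoted example.
    ct expectation mygame {
        protocol udp;
        dport 9876;
        timeout 2m;
        size 1;
    }

    chain input {
        type filter hook input priority 0; policy drop;
        # Let the rest of the control connection and replies to expected flows in.
        ct state established,related accept
        # A new control connection from a client registers the expectation
        # and is accepted so the handshake can complete.
        tcp dport 9753 ct state new ct expectation set "mygame" accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        # Only UDP flows to 9876 that matched a live expectation may leave.
        udp dport 9876 ct status expected accept
    }
}
```

The expected UDP flow is classified by conntrack at its own hook, which runs before the filter hook in both directions, so the `ct status expected` match in `output` already sees the status set by the expectation registered in `input`. Once the expectation's `timeout` lapses without a matching flow, a later UDP connection to 9876 no longer matches and falls through to the chain policy.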
