Florian Westphal <fw@xxxxxxxxx> wrote:
> Serguei Bezverkhi (sbezverk) <sbezverk@xxxxxxxxx> wrote:
> > Hello,
> >
> > I started testing nfproxy in ipv6 enabled kubernetes cluster and it seems ipv6 address cannot be a part of concatenation expression. Is there a known issue or it is me doing something incorrect?
> > From my side the code is the same, I just change ip4_addr to ip6_addr when I build sets.
>
> types are irrelevant for the kernel. They are ONLY used by the nft tool
> so it knows how to format output.
>
> I suspect you need to fix up the generated payload expressions
> for ipv6. Essentially, in the ipv6 case, you have a concatenation
>
> ipv4_addr . ipv4_addr . ipv4_addr . ipv4_addr . inet_service
>
> (ipv6 address needs 4 32-bit registers)
>
> i.e., you need to use a different destination register when you store
> the tcp/udp port, else you will clobber a part of the ipv6 address.

Addendum: you can check with

nft --debug=netlink list ruleset

to make sure the registers get populated as expected by lookup expression.
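
The register clash described in the reply, worked through as an added example (not code from nfproxy or from this thread). The `Load` type and the function names are hypothetical; the numbering assumed is the kernel uAPI's, where NFT_REG_1..NFT_REG_4 are 16-byte registers and NFT_REG32_00 (8) is the first 4-byte register.

```go
package main

import "fmt"

// NFT_REG32_00: 4-byte registers are 8..23; NFT_REG_1..4 (1..4) each alias four of them.
const reg32Base = 8

// Load is one payload load feeding a concatenated set lookup (hypothetical type).
type Load struct {
	Name     string
	Reg, Len uint32 // destination data register (never 0, the verdict) and bytes loaded
}

// slots returns the half-open range of 4-byte slots that a load occupies.
func slots(l Load) (uint32, uint32) {
	start := (l.Reg - 1) * 4 // 16-byte register NFT_REG_n
	if l.Reg >= reg32Base {
		start = l.Reg - reg32Base
	}
	return start, start + (l.Len+3)/4
}

// Assign places the fields back to back, each rounded up to whole 4-byte slots.
func Assign(names []string, lens []uint32) []Load {
	loads, slot := []Load{}, uint32(0)
	for i, n := range names {
		loads = append(loads, Load{n, reg32Base + slot, lens[i]})
		slot += (lens[i] + 3) / 4
	}
	return loads
}

// Clobbers lists every later load that overwrites slots of an earlier one.
func Clobbers(loads []Load) (out []string) {
	for i := range loads {
		for j := i + 1; j < len(loads); j++ {
			a0, a1 := slots(loads[i])
			b0, b1 := slots(loads[j])
			if a0 < b1 && b0 < a1 {
				out = append(out, loads[j].Name+" overwrites "+loads[i].Name)
			}
		}
	}
	return out
}

func main() {
	// Constructed input: IPv4-era register numbers reused for a 16-byte address.
	fmt.Println(Clobbers([]Load{{"ip6 daddr", 8, 16}, {"tcp dport", 9, 2}}))
}
```

With a 4-byte IPv4 address the port lands in register 9; after a 16-byte IPv6 address `Assign` puts it in register 12, the slot that NFT_REG_2 also names.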