On Tue, Oct 06, 2020 at 10:56:21AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 02, 2020 at 11:03:34AM +0200, Phil Sutter wrote:
> > Payload expression works on byte-boundaries, leverage this with suitable
> > prefix lengths.
>
> Interesting. But it kicks in the raw payload expression in nftables.
>
> # nft list ruleset
> table ip filter {
>         chain INPUT {
>                 type filter hook input priority filter; policy accept;
>                 @nh,96,24 8323072 counter packets 0 bytes 0
>         }
>
> Would you send a patch for nftables too? There is already approximate
> offset matching in the tree, it should not be too hard to amend.

I had a quick look but it didn't seem trivial to me. It is in
payload_expr_complete() where a template lookup happens based on
expression offset and length which fails due to the unexpected length.
Is this the right place to adjust or am I wrong?

Strictly speaking, this is just a lack of feature in nftables and nothing
breaks due to it. Do you still want to block the iptables change for it?

Cheers, Phil
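The rule quoted in the thread, `@nh,96,24 8323072 counter`, is what a byte-boundary prefix match looks like once the offset/length pair no longer lines up with a whole header field: offset 96 bits into the IPv4 header is the source address, and 8323072 is 0x7F0000, so the rule is an `ip saddr 127.0.0.0/24` match that a strict (offset, length) template lookup cannot name. The script below is an added illustration of the two lookup strategies discussed (exact versus approximate/prefix) and is not nftables' payload_expr_complete() nor any code from the thread; the IPv4 field table, the function names and the rule that a prefix must start at a field boundary and be byte-aligned are assumptions made here for the example.

```python
# Added illustration for the thread above: a minimal "template lookup" that
# maps a raw nftables payload match such as `@nh,96,24 8323072` back to a
# named IPv4 header field.  This is NOT nftables' payload_expr_complete();
# the field table and the prefix-matching rule are assumptions written here
# to show why a byte-boundary prefix length (24 bits of a 32-bit address)
# defeats an exact (offset, length) lookup and how an approximate lookup can
# recover `ip saddr 127.0.0.0/24`.
import ipaddress
import re

# (nft field name, bit offset within the IPv4 header, bit length).
# Hand-written subset of the IPv4 header layout (RFC 791); an assumption of
# this example, not a table taken from nftables.
IPV4_FIELDS = [
    ("version",   0,  4), ("hdrlength",  4,  4), ("dscp",      8,  6),
    ("ecn",      14,  2), ("length",    16, 16), ("id",       32, 16),
    ("frag-off", 48, 16), ("ttl",       64,  8), ("protocol", 72,  8),
    ("checksum", 80, 16), ("saddr",     96, 32), ("daddr",   128, 32),
]
ADDRESS_FIELDS = {"saddr", "daddr"}

# `@base,offset,length value` as printed by `nft list ruleset`.
RAW_RE = re.compile(
    r"@(?P<base>nh|th|ll),(?P<off>\d+),(?P<len>\d+)\s+(?P<val>0x[0-9a-fA-F]+|\d+)$"
)


def parse_raw_payload(expr):
    """Split `@base,offset,len value` into (base, offset, len, value)."""
    m = RAW_RE.match(expr.strip())
    if m is None:
        raise ValueError("not a raw payload match: %r" % expr)
    off, ln, val = int(m["off"]), int(m["len"]), int(m["val"], 0)
    if ln == 0 or val >= (1 << ln):
        raise ValueError("value %d does not fit in %d bits" % (val, ln))
    return m["base"], off, ln, val


def exact_lookup(off, ln):
    """Strict template lookup: offset AND length must both match a field."""
    for name, foff, flen in IPV4_FIELDS:
        if off == foff and ln == flen:
            return name
    return None


def prefix_lookup(off, ln):
    """Approximate lookup: the match starts at a field boundary and covers a
    leading, byte-aligned part of that field, which is what a /8, /16 or /24
    address match becomes once the payload expression is trimmed to whole
    bytes.  Returns (field name, full field length) or None."""
    for name, foff, flen in IPV4_FIELDS:
        if off == foff and 0 < ln < flen and ln % 8 == 0:
            return name, flen
    return None


def decode_raw_payload(expr):
    """Return the nft field syntax for an IPv4 raw payload match, or None when
    neither the exact nor the prefix lookup recognises the (offset, length)."""
    base, off, ln, val = parse_raw_payload(expr)
    if base != "nh":
        return None  # only the network header, assumed to be IPv4, is modelled

    name = exact_lookup(off, ln)
    if name is not None:
        if name in ADDRESS_FIELDS:
            return "ip %s %s" % (name, ipaddress.IPv4Address(val))
        return "ip %s %d" % (name, val)

    hit = prefix_lookup(off, ln)
    if hit is None:
        return None
    name, flen = hit
    if name not in ADDRESS_FIELDS:
        return None  # a partial match on a non-address field has no prefix syntax
    # The matched bits are the high-order `ln` bits of the address, so shift
    # them back into place and print as a network with that prefix length.
    net = ipaddress.IPv4Network((val << (flen - ln), ln))
    return "ip %s %s" % (name, net)


if __name__ == "__main__":
    # Constructed sample rules, including the one quoted in the thread.
    for rule in ("@nh,96,24 8323072", "@nh,96,32 2130706433", "@nh,72,8 6",
                 "@nh,128,16 49320", "@nh,100,20 1"):
        print("%-24s -> %s" % (rule, decode_raw_payload(rule)))
```

With the thread's rule, `exact_lookup(96, 24)` finds nothing because no IPv4 field is 24 bits wide, which is the failure described for the template lookup; `prefix_lookup(96, 24)` recognises the match as the leading three bytes of `saddr` and the decoder prints `ip saddr 127.0.0.0/24`. A rule whose offset does not sit on a field boundary (`@nh,100,20 1`) is left as raw payload, which is the right outcome rather than guessing a field.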