On Tue, Oct 06, 2020 at 11:37:44AM +0200, Phil Sutter wrote:
> On Tue, Oct 06, 2020 at 10:56:21AM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Oct 02, 2020 at 11:03:34AM +0200, Phil Sutter wrote:
> > > Payload expression works on byte-boundaries, leverage this with suitable
> > > prefix lengths.
> >
> > Interesting. But it kicks in the raw payload expression in nftables.
> >
> > # nft list ruleset
> > table ip filter {
> >         chain INPUT {
> >                 type filter hook input priority filter; policy accept;
> >                 @nh,96,24 8323072 counter packets 0 bytes 0
> >         }
> > }
> >
> > Would you send a patch for nftables too? There is already approximate
> > offset matching in the tree, it should not be too hard to amend.
>
> I had a quick look but it didn't seem trivial to me. It is in
> payload_expr_complete() where a template lookup happens based on
> expression offset and length which fails due to the unexpected length.
> Is this the right place to adjust or am I wrong?
>
> Strictly speaking, this is just a lack of feature in nftables and
> nothing breaks due to it. Do you still want to block the iptables change
> for it?

Not block. Just get things aligned. This is a bit of a step back in the
integration between iptables-nft and nft IMO. I will have a look.
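The raw payload match in the listing above, `@nh,96,24 8323072`, is the byte-aligned prefix match the patch generates: bit offset 96 into the network header is the IPv4 source address, 24 bits is a /24 prefix, and 8323072 is `0x7F0000`, the first three bytes of 127.0.0.0. The following added example (not code from iptables or nftables; the helper names and the `ipaddress`-based encoding are mine) computes that expression for any byte-aligned IPv4 prefix, rejects prefixes that are not a multiple of 8 bits, and decodes a listed raw match back into the `ip saddr`/`ip daddr` form that nft cannot yet print for this length:

```python
"""Encode and decode the raw payload expression nft prints for a
byte-aligned IPv4 prefix match, e.g. ``@nh,96,24 8323072``.

Added example, not code from the iptables-nft or nftables projects.
Field offsets follow the IPv4 header layout (source address at byte 12,
destination address at byte 16); only those two fields are handled.
"""
import ipaddress

# Bit offsets of the address fields inside the IPv4 network header ("nh").
IPV4_FIELD_OFFSET_BITS = {"saddr": 96, "daddr": 128}


def raw_payload_match(field: str, cidr: str):
    """Return (offset_bits, length_bits, value) for a byte-aligned prefix.

    Raises ValueError when the prefix length is not a multiple of 8:
    the raw payload expression compares whole bytes, so such a prefix
    needs a bitmask instead.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen % 8 != 0:
        raise ValueError(f"{cidr}: prefix length is not byte-aligned")
    if net.prefixlen == 0:
        raise ValueError("a /0 prefix matches everything; no payload match needed")
    nbytes = net.prefixlen // 8
    # The compared value is the leading prefix bytes read as a big-endian integer.
    value = int.from_bytes(net.network_address.packed[:nbytes], "big")
    return IPV4_FIELD_OFFSET_BITS[field], net.prefixlen, value


def nft_expression(field: str, cidr: str) -> str:
    """Render the match the way ``nft list ruleset`` prints it."""
    offset, length, value = raw_payload_match(field, cidr)
    return f"@nh,{offset},{length} {value}"


def decode_raw_payload(offset: int, length: int, value: int) -> str:
    """Inverse: map ``@nh,offset,length value`` back to ``ip <field> <cidr>``.

    Only offsets that start exactly at the source or destination address
    field are recognised; anything else raises KeyError.
    """
    field = {v: k for k, v in IPV4_FIELD_OFFSET_BITS.items()}[offset]
    nbytes = length // 8
    # Pad the matched prefix bytes out to a full 4-byte address.
    prefix_bytes = value.to_bytes(nbytes, "big") + bytes(4 - nbytes)
    return f"ip {field} {ipaddress.IPv4Address(prefix_bytes)}/{length}"


if __name__ == "__main__":
    print(nft_expression("saddr", "127.0.0.0/24"))  # @nh,96,24 8323072
    print(decode_raw_payload(96, 24, 8323072))      # ip saddr 127.0.0.0/24
```

`decode_raw_payload` is the step the thread says nftables' `payload_expr_complete()` template lookup does not yet perform for a 24-bit length; having the mapping written out makes it easy to read an iptables-nft generated ruleset while that gap exists.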