On Tue, Oct 06, 2020 at 11:41:21AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 06, 2020 at 11:37:44AM +0200, Phil Sutter wrote:
> > On Tue, Oct 06, 2020 at 10:56:21AM +0200, Pablo Neira Ayuso wrote:
> > > On Fri, Oct 02, 2020 at 11:03:34AM +0200, Phil Sutter wrote:
> > > > Payload expression works on byte-boundaries, leverage this with suitable
> > > > prefix lengths.
> > >
> > > Interesting. But it kicks in the raw payload expression in nftables.
> > >
> > > # nft list ruleset
> > > table ip filter {
> > >         chain INPUT {
> > >                 type filter hook input priority filter; policy accept;
> > >                 @nh,96,24 8323072 counter packets 0 bytes 0
> > >         }
> > > }
> > >
> > > Would you send a patch for nftables too? There is already approximate
> > > offset matching in the tree, it should not be too hard to amend.
> >
> > I had a quick look but it didn't seem trivial to me. It is in
> > payload_expr_complete() where a template lookup happens based on
> > expression offset and length which fails due to the unexpected length.
> > Is this the right place to adjust or am I wrong?
> >
> > Strictly speaking, this is just a lack of feature in nftables and
> > nothing breaks due to it. Do you still want to block the iptables change
> > for it?
>
> Not block. Just get things aligned. This is a bit of a step back in
> the integration between iptables-nft and nft IMO.

Well yes, it takes iptables-nft ahead in that regard. We should
implement the same flexible payload size matching in nftables, too.

> I will have a look.

Thanks!
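The thread turns on one encoding detail: a byte-aligned address prefix can be expressed as a raw payload load of `prefixlen` bits at the field's offset in the network header, which is why a 127.0.0.0/24 source match shows up in `nft list ruleset` as `@nh,96,24 8323072` (offset 96 = byte 12, the IPv4 source address; 8323072 = 0x7F0000, the top 24 bits of 127.0.0.0). The script below is an added example, not code from iptables-nft or nftables, that reproduces that arithmetic in both directions so a ruleset reader can translate a raw payload match back into a CIDR prefix. The function names are mine; the field offsets are taken from the IPv4 and IPv6 header layouts. Prefix lengths that are not a multiple of 8 cannot be expressed this way (they need a bitwise mask), and the encoder reports that case instead of guessing.

```python
import ipaddress

# Bit offsets of the address fields inside the network header ("nh"),
# from the IPv4 and IPv6 header layouts.
_ADDR_OFFSET_BITS = {
    (4, "saddr"): 96,   # IPv4 source address starts at byte 12
    (4, "daddr"): 128,  # IPv4 destination address starts at byte 16
    (6, "saddr"): 64,   # IPv6 source address starts at byte 8
    (6, "daddr"): 192,  # IPv6 destination address starts at byte 24
}
# Reverse map so a raw payload offset can be named again when decoding.
_OFFSET_TO_FIELD = {v: k for k, v in _ADDR_OFFSET_BITS.items()}


def prefix_to_raw_payload(network, field="saddr"):
    """Encode `field` matching `network` as (offset_bits, length_bits, value),
    i.e. the operands of an nft raw payload match `@nh,offset,length value`.
    Returns None when the prefix length is not a whole number of bytes,
    because the payload expression only loads byte-aligned spans."""
    net = ipaddress.ip_network(network, strict=True)
    plen = net.prefixlen
    if plen == 0 or plen % 8:
        return None
    offset = _ADDR_OFFSET_BITS[(net.version, field)]
    # Keep only the leading `plen` bits of the network address as an integer.
    value = int(net.network_address) >> (net.max_prefixlen - plen)
    return offset, plen, value


def format_raw_payload(network, field="saddr"):
    """Render the match the way `nft list ruleset` prints it."""
    encoded = prefix_to_raw_payload(network, field)
    if encoded is None:
        return None
    offset, length, value = encoded
    return f"@nh,{offset},{length} {value}"


def raw_payload_to_prefix(offset, length, value):
    """Decode `@nh,offset,length value` back into (ip_network, field name).
    Returns None if the offset is not one of the address fields above or the
    length does not fit the address family."""
    key = _OFFSET_TO_FIELD.get(offset)
    if key is None:
        return None
    version, field = key
    family = ipaddress.IPv4Network if version == 4 else ipaddress.IPv6Network
    max_bits = 32 if version == 4 else 128
    if length == 0 or length % 8 or length > max_bits:
        return None
    # Shift the loaded bits back up to their position in the full address.
    addr_int = value << (max_bits - length)
    return family((addr_int, length)), field


if __name__ == "__main__":
    # Constructed inputs: the match from the thread plus a few variants.
    for spec in ("127.0.0.0/24", "10.0.0.0/8", "2001:db8::/32", "192.0.2.0/25"):
        print(spec, "->", format_raw_payload(spec))
    print("@nh,96,24 8323072 ->", raw_payload_to_prefix(96, 24, 8323072))
```

Running the decoder on the line from the thread gives `127.0.0.0/24` on the source address field, which is the match the iptables rule intended; a /25 (or any prefix that ends mid-byte) comes back as `None`, marking the cases that still need a masked comparison rather than a plain raw payload load.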