Hi there,

I'm trying to migrate to using nftables and hitting some good things but also a bad thing.

I have a firewall that makes use of conntrack marks that get bit-wise manipulated by iptables. I don't appear to be able to get the same functionality in nftables.

E.g.: the following stores the DSCP into the conntrack mark and sets another bit as a flag. Unfortunately it destroys any prior value stored in, say, the upper 16 bits.

    meta nfproto ipv4 ct mark set @nh,8,6 or 0x200 counter

What I'd like to do instead is something more like:

    meta nfproto ipv4 ct mark set ct mark or @nh,8,6 ct mark set ct mark or 0x200 counter

Thanks for your time.

Cheers,
Kevin D-B

gpg: 012C ACB2 28C6 C53E 9775 9123 B3A2 389B 9DE2 334A
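Added example, not part of the message above or of nftables itself: a Python model of the conntrack-mark arithmetic in the post. It implements the bit-field extraction that `@nh,8,6` performs (6 bits at bit offset 8 of the network header, i.e. the IPv4 DSCP field) and shows why `ct mark set @nh,8,6 or 0x200` loses the upper 16 bits, next to a masked variant that keeps them. The helper names, the mask constant and the IPv4 header bytes are constructed for the example; the masked variant is a model of the desired result, not a claim about nft syntax.

```python
"""Model of the nftables conntrack-mark arithmetic discussed in the post.

`@nh,8,6` is a raw network-header payload expression: 6 bits starting at
bit offset 8, which is the DSCP field of the IPv4 ToS byte.  The functions
below compare the rule from the post with a variant that masks off the
upper 16 bits of the existing mark before merging in DSCP and the flag.
"""


def nh_field(header: bytes, offset_bits: int, length_bits: int) -> int:
    """Extract `length_bits` bits at big-endian bit offset `offset_bits`
    (assumed semantics of nftables' @nh,<offset>,<length> expression)."""
    value = int.from_bytes(header, "big")
    total_bits = len(header) * 8
    shift = total_bits - offset_bits - length_bits
    return (value >> shift) & ((1 << length_bits) - 1)


FLAG = 0x200             # the flag bit from the post
UPPER_MASK = 0xFFFF0000  # the upper 16 bits the post wants to preserve (constructed)


def mark_set_overwrite(old_mark: int, header: bytes) -> int:
    """Equivalent of `ct mark set @nh,8,6 or 0x200`: old_mark is never read."""
    return nh_field(header, 8, 6) | FLAG


def mark_set_preserving(old_mark: int, header: bytes) -> int:
    """Model of the wanted behaviour: keep the upper 16 bits of the existing
    mark and rewrite only the low DSCP bits plus the flag."""
    return (old_mark & UPPER_MASK) | nh_field(header, 8, 6) | FLAG


# Constructed 20-byte IPv4 header: version/IHL 0x45, ToS 0xB8 (DSCP 46 = EF, ECN 0)
IPV4_HEADER = bytes.fromhex("45b8003c1c4640004006b1e6c0a80001c0a800c7")

if __name__ == "__main__":
    old = 0x12340000
    print(hex(mark_set_overwrite(old, IPV4_HEADER)))   # 0x22e: upper bits lost
    print(hex(mark_set_preserving(old, IPV4_HEADER)))  # 0x1234022e: upper bits kept
```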