On 2022-03-15, at 21:15:58 +0000, Kevin 'ldir' Darbyshire-Bryant wrote:

> I'm trying to migrate to using nftables and hitting some good things
> but also a bad thing. I have a firewall that makes use of conntrack
> marks that get bit-wise manipulated by iptables. I don't appear to be
> able to get the same functionality in nftables. eg:
>
> The following stores the DSCP into the conntrack mark and sets another
> bit as a flag. Unfortunately it destroys any prior value stored in
> say the upper 16 bits.
>
> meta nfproto ipv4 ct mark set @nh,8,6 or 0x200 counter
>
> What I'd like to do instead is something more like:
>
> meta nfproto ipv4 ct mark set ct mark or @nh,8,6 ct mark set ct mark or 0x200 counter

Funnily enough, I picked the work I did on this two years ago recently.
I was going to post it again last month when I noticed there was a bug
in the ipv6 delinearization. I'll see if I can fix it this week-end.
If not, I'll post the patches as an RFC to get some feedback at least.

J.
Attachment:
signature.asc
Description: PGP signature
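The bit-level effect Kevin describes (the existing rule replacing the whole conntrack mark versus the desired rule OR-ing into it) can be checked outside the kernel. The following is an added illustration, not code from the thread or from the nftables project: it emulates nft's `@nh,8,6` raw payload expression on a constructed IPv4 header (6 bits at bit offset 8 of the network header, i.e. the DSCP field), then computes what the conntrack mark would hold under each of the two rule forms. The header bytes, the previous mark value `0xABCD0000` and the function names are all assumptions made for the example.

```python
import struct

# Constructed IPv4 header (20 bytes, checksum left as zero): version 4, IHL 5,
# DS byte 0xB8 (DSCP 46 / EF, ECN 0), total length 40, TTL 64, proto TCP,
# 10.0.0.1 -> 10.0.0.2.  Only the DS byte matters for this demonstration.
SAMPLE_IPV4_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0xB8, 40, 0, 0, 64, 6, 0,
    b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
)

FLAG_BIT = 0x200          # the marker bit the rule ORs in
MARK_MASK = 0xFFFFFFFF    # ct mark is a 32-bit value


def nh_8_6(hdr: bytes) -> int:
    """Emulate nft's '@nh,8,6': six bits starting at bit offset 8 of the
    network header.  For IPv4 that is the upper six bits of byte 1 (DSCP)."""
    if len(hdr) < 20 or (hdr[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    return hdr[1] >> 2


def mark_destructive(prev_mark: int, hdr: bytes, flag: int = FLAG_BIT) -> int:
    """'ct mark set @nh,8,6 or 0x200': the computed value replaces the mark,
    so anything previously stored (e.g. in the upper 16 bits) is lost."""
    return (nh_8_6(hdr) | flag) & MARK_MASK


def mark_preserving(prev_mark: int, hdr: bytes, flag: int = FLAG_BIT) -> int:
    """The wanted behaviour: OR the DSCP and the flag into the existing mark
    so that previously set bits survive."""
    return (prev_mark | nh_8_6(hdr) | flag) & MARK_MASK


def upper16(mark: int) -> int:
    """Return the upper 16 bits of a mark, the region Kevin wants to keep."""
    return (mark >> 16) & 0xFFFF


if __name__ == "__main__":
    prev = 0xABCD0000  # assumed prior mark with state kept in the upper 16 bits
    d = mark_destructive(prev, SAMPLE_IPV4_HEADER)
    p = mark_preserving(prev, SAMPLE_IPV4_HEADER)
    print(f"DSCP extracted     : {nh_8_6(SAMPLE_IPV4_HEADER)}")
    print(f"destructive rule   : 0x{d:08x}  upper16=0x{upper16(d):04x}")
    print(f"preserving rule    : 0x{p:08x}  upper16=0x{upper16(p):04x}")
    print(f"flag bit set (both): {bool(d & FLAG_BIT)} {bool(p & FLAG_BIT)}")
```

Running it shows the destructive form yielding `0x0000022e` (DSCP 46 plus the flag, upper half zeroed) while the preserving form yields `0xabcd022e`; any later rule that matches on the upper 16 bits of `ct mark` would silently stop matching under the first form, which is the behaviour the thread is asking nftables to avoid.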