On Mon, Dec 4, 2023 at 5:33 AM Florian Westphal <fw@xxxxxxxxx> wrote:
> Maciej Żenczykowski <zenczykowski@xxxxxxxxx> wrote:
> > > You could try this:
> > >
> > >   tcp option @34,8,8 == 34
> >
> > So this seems to mean @number(34),offset(8),length(8) == 34
> > And I understand the idea, but don't understand where the two 8's are
> > coming from.
>
> Yes, it's wrong, it should be 0,8 as you found out.
>
> > Is this counting bits? bytes?
>
> Bits.
>
> > Furthermore, I realized that really mangle postrouting 'reset tcp
> > option fastopen' is a better solution to my particular problem.
>
> Ah, yes, that will nop it out.

So... new problem - turns out there's an experimental and an official tcp fastopen option.

And it looks like numeric options segfault:

root@mf286a:~# cat /usr/share/nftables.d/chain-pre/mangle_postrouting/nop-out-tcp-fastopen.nft
#meta nfproto ipv4 oifname "464-xlat" tcp flags syn / fin,syn,rst,ack tcp option 254 length ge 4 counter drop comment "drop outbound IPv4 TCP Exp FastOpen";
#meta nfproto ipv6 oifname "wwan0" tcp flags syn / fin,syn,rst,ack tcp option 254 length ge 4 counter drop comment "drop outbound IPv6 TCP Exp FastOpen";
meta nfproto ipv4 oifname "464-xlat" tcp flags syn / fin,syn,rst,ack tcp option fastopen length ge 2 reset tcp option fastopen counter comment "NOP out outbound IPv4 TCP FastOpen";
meta nfproto ipv6 oifname "wwan0" tcp flags syn / fin,syn,rst,ack tcp option fastopen length ge 2 reset tcp option fastopen counter comment "NOP out outbound IPv6 TCP FastOpen"

works, but if I uncomment things then 'fw4 check' hits a 'Segmentation fault' in nft:

[122865.227686] do_page_fault(): sending SIGSEGV to nft for invalid read access from 0000003d
[122865.236361] epc = 77d0aa0d in libnftables.so.1.1.0[77cf0000+a4000]
[122865.242935] ra = 77d0c7b5 in libnftables.so.1.1.0[77cf0000+a4000]

root@mf286a:~# opkg search /usr/sbin/nft
nftables-json - 1.0.8-1
root@mf286a:~# opkg search /usr/lib/libnftables.so.1.1.0
nftables-json - 1.0.8-1

The issue is (total guess) related to 254 failing to convert back into a string, since using '34' works...

(I can make things work if I use 'tcp option @254,0,32 == 0xFE0CF989' instead, which is better anyway... but still)
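The thread touches three things a reader may want to see concretely: what nft's `tcp option @kind,offset,length` reads (offset and length are bits, counted from the option's kind byte, so `@34,0,8 == 34` matches the kind byte and `@254,0,32 == 0xFE0CF989` matches kind 254, length 12 and the experimental TFO ExID 0xF989), why `@34,8,8` picked up the length byte instead, and what "NOP it out" means for `reset tcp option fastopen`. The following Python is an added illustration written for this page, not code from nftables or from anyone in the thread. It walks a constructed TCP options block, emulates the `@kind,offset,length` read, recognises both the RFC 7413 kind-34 option and the RFC 6994 experimental kind-254 option carrying the 0xF989 ExID, and overwrites matching options with NOP (kind 1) bytes so the header length stays unchanged. The option bytes, cookies and the assumption that the reset behaves like a NOP overwrite (as Florian describes it) are constructed for the example.

```python
import struct

# TCP option kinds used below
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCPOPT_FASTOPEN = 34      # official TCP Fast Open kind (RFC 7413)
TCPOPT_EXP = 254          # experimental option kind (RFC 6994)
TFO_EXP_EXID = 0xF989     # ExID of the experimental Fast Open option

# Constructed options block for a SYN carrying MSS, two NOPs, an official TFO
# option (kind 34, len 10, 8-byte cookie) and an experimental TFO option
# (kind 254, len 12, ExID 0xF989, 8-byte cookie). Cookie bytes are made up.
SAMPLE_OPTS = bytes.fromhex(
    "020405b4"                    # MSS 1460
    "0101"                        # NOP NOP
    "220a1122334455667788"        # kind 34, len 10, cookie
    "fe0cf989aabbccddeeff0011"    # kind 254, len 12, ExID F989, cookie
)

def parse_options(opts):
    """Return a list of (start, kind, length, raw) for every option in opts."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            out.append((i, kind, 1, opts[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for kind %d" % (length, kind))
        out.append((i, kind, length, opts[i:i + length]))
        i += length
    return out

def option_field(opts, kind, bit_offset, bit_len):
    """Emulate nft 'tcp option @kind,bit_offset,bit_len'.

    Reads bit_len bits starting bit_offset bits into the first option of the
    given kind; offset 0 is the kind byte itself. Returns None if the option
    is absent or the requested bits run past its end.
    """
    for _, k, _, raw in parse_options(opts):
        if k != kind:
            continue
        total_bits = len(raw) * 8
        if bit_offset + bit_len > total_bits:
            return None
        value = int.from_bytes(raw, "big")
        shift = total_bits - bit_offset - bit_len
        return (value >> shift) & ((1 << bit_len) - 1)
    return None

def is_fastopen(kind, raw):
    """True for the official TFO option or an experimental option with the TFO ExID."""
    if kind == TCPOPT_FASTOPEN:
        return True
    return (kind == TCPOPT_EXP and len(raw) >= 4
            and struct.unpack("!H", raw[2:4])[0] == TFO_EXP_EXID)

def nop_out_fastopen(opts):
    """Overwrite every TFO option with NOP bytes, keeping the block length.

    Assumed to mirror what nft's 'reset tcp option fastopen' does to the
    packet; returns (new_options, number_of_options_rewritten).
    """
    buf = bytearray(opts)
    hits = 0
    for start, kind, length, raw in parse_options(opts):
        if is_fastopen(kind, raw):
            buf[start:start + length] = bytes([TCPOPT_NOP]) * length
            hits += 1
    return bytes(buf), hits

if __name__ == "__main__":
    print("@34,0,8  ->", option_field(SAMPLE_OPTS, 34, 0, 8))
    print("@34,8,8  ->", option_field(SAMPLE_OPTS, 34, 8, 8), "(the length byte)")
    print("@254,0,32 -> 0x%08X" % option_field(SAMPLE_OPTS, 254, 0, 32))
    cleaned, n = nop_out_fastopen(SAMPLE_OPTS)
    print("rewrote %d option(s):" % n, cleaned.hex())
```

Note that nft's `tcp option 254` matches on the kind byte alone; the ExID check in `is_fastopen` is the extra step that distinguishes the experimental Fast Open option from any other kind-254 option, which is exactly what the 32-bit compare against 0xFE0CF989 in the thread achieves on the wire.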