Re: [PATCH] netfilter: nft_exthdr: fix offset with ipv4_find_option()

Rules such as the following will always result in the NFT_BREAK verdict code:

# filter input ip option rr ptr 4 counter

This is because the function nft_skb_copy_to_reg() returns -EFAULT, which happens because in the skb_copy_bits() function the 'offset > (int)skb->len - len' condition causes a jump to the fault part of the code.

You can verify this with two virtual machines and the Python scapy library.

Configure the nftables rule on one virtual machine. From another virtual machine, use scapy to send a packet with an IP option:

# python3 -m scapy
# >>> send(IP(dst='x.x.x.x', options=IPOption_RR())/ICMP())
# .
# Sent 1 packets.

The 'rr exists counter' rule will show the receipt of one packet, and the 'rr ptr 4 counter' rule will not increment the counter. After applying the patch from the previous email, the 'rr ptr 4 counter' rule will increment the counter. This will happen with other options as well. But for lsrr and ssrr, you must send the packet with the routers parameter filled in. This is due to checks in the __ip_options_compile() function.

# send(IP(dst='x.x.x.x', options=IPOption_LSRR(routers=['x.x.x.x']))/ICMP())
