Hi all,

Looking for a way to implement an expression that can read the first few bytes of a packet's data contents. It seems this is only possible using raw expressions such as @ll and @nh with an offset that goes past the header length and into the packet's data. Is there another keyword that supports u32 behavior that I am missing? Will this approach fail because of some internal check to prevent out of bounds reads?

Another question is if raw expressions have been fixed or is there a kernel change required to enable raw expressions? I still get the below error when I try to use 2017 nftables.

Re: nftables: Example involving payload_raw_expr

On Mon, Nov 30, 2015 at 02:28:38PM +0100, Stefan Berghofer wrote:
> > Hi all,
> >
> > I just tried out the example file tests/payload-ll distributed with nftables,
> > which makes use of payload raw expressions of the form "@..,..,..". While the first
> > two declarations in the file, i.e.
> >
> > nft add table ip filter
> > nft add chain ip filter input \{ type filter hook input priority 0\; \}
> >
> > work as expected, the third declaration
> >
> > nft add rule ip filter input @ll,48,48 00:15:e9:f0:10:f8 counter
> >
> > is rejected with the error message
> >
> > Error: protocol specification is invalid for this family
> It seems this got broken at some stage of the development, so it would
> be good to get this back working and add tests to our regression test
> infrastructure so we make sure this doesn't break again.

Thanks,
Raul
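
Added example, not part of the original thread and not nftables code: a Python model of how a raw payload expression of the form @base,offset,length (offset and length in bits) selects data, run against a constructed Ethernet/IPv4/UDP frame, including an offset past the transport header into the packet data. The helper names are hypothetical, and treating a read past the end of the packet as "no match" is an assumption of this model.

```python
import struct

# Constructed sample frame: Ethernet + IPv4 (IHL=5) + UDP + 4-byte payload.
ETH = bytes.fromhex("ffffffffffff" "0015e9f010f8" "0800")
IP = bytes.fromhex("45000020" "00004000" "40110000" "c0a80001" "c0a80002")
UDP = struct.pack("!HHHH", 12345, 53, 12, 0)
FRAME = ETH + IP + UDP + b"\xde\xad\xbe\xef"


def header_bases(frame):
    """Byte offsets of the ll, nh and th bases (Ethernet/IPv4 only)."""
    nh = 14                              # fixed Ethernet header, no VLAN tag
    th = nh + (frame[nh] & 0x0F) * 4     # IPv4 IHL counts 32-bit words
    return {"ll": 0, "nh": nh, "th": th}


def raw_payload(frame, expr):
    """Evaluate '@base,offset,length' (bits) against frame.

    Returns the selected bits as an int, or None when the read would run
    past the end of the frame (modelled here as "no match": assumption).
    """
    base, offset, length = expr.lstrip("@").split(",")
    offset, length = int(offset), int(length)
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    start_bit = header_bases(frame)[base] * 8 + offset
    end_bit = start_bit + length
    if end_bit > len(frame) * 8:
        return None                      # bounds check before any read
    first, last = start_bit // 8, (end_bit + 7) // 8
    window = int.from_bytes(frame[first:last], "big")
    shift = last * 8 - end_bit           # drop trailing bits of last byte
    return (window >> shift) & ((1 << length) - 1)


def matches(frame, expr, value):
    """True when the raw expression reads exactly `value` from frame."""
    got = raw_payload(frame, expr)
    return got is not None and got == value
```

In this model, @ll,48,48 selects the Ethernet source address (the field the quoted rule compares against 00:15:e9:f0:10:f8), and @th,64,32 selects the first four bytes after the 8-byte UDP header.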