[Resent because, I think, I screwed up gmane+gnus and sent it only to myself.]
--- Begin Message ---
- Subject: Re: ct state vmap (nft noob question)
- From: trentbuck@xxxxxxxxx (Trent W. Buck)
- Date: Wed, 24 Jul 2019 19:53:13 +1000
- In-reply-to: <87tvbd3yiw.fsf@goll.lan> (Trent W. Buck's message of "Tue, 23 Jul 2019 19:12:23 +1000")
- References: <87tvbd3yiw.fsf@goll.lan>
- User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
trentbuck@xxxxxxxxx (Trent W. Buck) writes:
> ct state vmap { established:accept, related:accept, invalid:drop }
This works.
> ct state vmap { established or related: accept, invalid: drop }
This doesn't. Why?
In the attached output, you can see that "established,related" becomes
0x6 (bitwise xor of the two constants 0x2 and 0x4) in all rules.
It looks to me like "ct state 0x1234" is implicitly a bitwise-and (&),
whereas "ct state vmap { 0x1234: accept }" is implicitly an equals (==).
So the former matches when ct state has ANY bits matching 0x1234;
but the latter matches when ct state has ALL bits matching 0x1234.
Have I understood that right?
root@not-omega:~# cat tmp3.nft
flush ruleset
table inet x {
    chain y {
        type filter hook input priority filter
        policy accept
        counter
        ct state { established, related } counter
        ct state established,related counter
        counter comment "This counter should be bigger than the next one!"
        ct state vmap { established or related: accept, invalid: drop }
        counter comment "This counter should be less than the previous one!"
        ct state vmap { established: accept, related: accept, invalid: drop }
        counter comment "This counter should be the same as the previous one!"
    }
}
list ruleset
root@not-omega:~# nft --file tmp3.nft
table inet x {
    chain y {
        type filter hook input priority filter; policy accept;
        counter packets 0 bytes 0
        ct state { established, related } counter packets 0 bytes 0
        ct state 0x6 counter packets 0 bytes 0
        counter packets 0 bytes 0 comment "This counter should be bigger than the next one!"
        ct state vmap { 0x6 : accept, invalid : drop }
        counter packets 0 bytes 0 comment "This counter should be less than the previous one!"
        ct state vmap { established : accept, related : accept, invalid : drop }
        counter packets 0 bytes 0 comment "This counter should be the same as the previous one!"
    }
}
root@not-omega:~# ping -c1 localhost
[...]
root@not-omega:~# nft list ruleset
table inet x {
    chain y {
        type filter hook input priority filter; policy accept;
        counter packets 31 bytes 2404
        ct state { established, related } counter packets 30 bytes 2320
        ct state established,related counter packets 30 bytes 2320
        counter packets 31 bytes 2404 comment "This counter should be bigger than the next one!"
        ct state vmap { invalid : drop, established | related : accept }
        counter packets 31 bytes 2404 comment "This counter should be less than the previous one!"
        ct state vmap { invalid : drop, established : accept, related : accept }
        counter packets 1 bytes 84 comment "This counter should be the same as the previous one!"
    }
}
root@not-omega:~#
--- End Message ---
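The difference the post observes, modelled as an added Python example (not code from the poster or from the nftables project): a `ct state a,b` match is treated as a bitwise-AND against the OR of the named bits, so any listed bit matches, while a vmap key is compared for equality with the whole ct state value, so the combined key `0x6` never equals a single-state packet. The bit values in `CT_STATE`, the sequential rule engine and the constructed packet stream are all assumptions made for this example.

```python
"""Model of the two nftables match forms compared in the thread.

Assumptions (not from the page): ct state bit values follow nftables'
ct_state table; `ct state a,b` tests (state & (a|b)) != 0; a vmap key
must equal the whole ct state value; a vmap verdict ends rule processing.
"""

# Assumed nftables ct state bit values (from nft's ct_state table).
CT_STATE = {
    "invalid": 0x1,
    "established": 0x2,
    "related": 0x4,
    "new": 0x8,
    "untracked": 0x40,
}


def ct_state_mask(names):
    """Bitmask nft derives from `ct state established,related`: OR of the bits."""
    mask = 0
    for name in names:
        mask |= CT_STATE[name]
    return mask


def match_flags(state, names):
    """`ct state established,related`: true if ANY of the listed bits is set."""
    return (state & ct_state_mask(names)) != 0


def vmap_lookup(state, vmap):
    """`ct state vmap { ... }`: exact-key lookup; None when no key equals state."""
    return vmap.get(state)


# The chain from the post, as a list of rules executed in order.
COMBINED_VMAP = {ct_state_mask(["established", "related"]): "accept",
                 CT_STATE["invalid"]: "drop"}          # key 0x6 : accept
SPLIT_VMAP = {CT_STATE["established"]: "accept",
              CT_STATE["related"]: "accept",
              CT_STATE["invalid"]: "drop"}

RULES = [
    ("counter", "total"),
    ("flags", ["established", "related"], "flags_match"),
    ("counter", "before_combined"),
    ("vmap", COMBINED_VMAP),
    ("counter", "after_combined"),
    ("vmap", SPLIT_VMAP),
    ("counter", "after_split"),
]


def run_chain(states, rules=RULES):
    """Replay packets (given as ct state values) through the rules; return counters and verdicts."""
    counters = {}
    verdicts = {"accept": 0, "drop": 0}
    for state in states:
        for rule in rules:
            kind = rule[0]
            if kind == "counter":
                counters[rule[1]] = counters.get(rule[1], 0) + 1
            elif kind == "flags" and match_flags(state, rule[1]):
                counters[rule[2]] = counters.get(rule[2], 0) + 1
            elif kind == "vmap":
                verdict = vmap_lookup(state, rule[1])
                if verdict is not None:
                    verdicts[verdict] += 1
                    break  # accept/drop is terminal; later counters never see this packet
    return {"counters": counters, "verdicts": verdicts}


# Constructed sample stream: one new, three established, one related, one invalid.
SAMPLE_STATES = [CT_STATE["new"], CT_STATE["established"], CT_STATE["established"],
                 CT_STATE["established"], CT_STATE["related"], CT_STATE["invalid"]]

if __name__ == "__main__":
    result = run_chain(SAMPLE_STATES)
    for name, value in result["counters"].items():
        print(f"{name:16} {value}")
    print("verdicts", result["verdicts"])
```

With the sample stream, `flags_match` counts the four established/related packets, the combined vmap accepts none of them (only the single invalid packet gets a verdict, via its own key), and the split vmap accepts the four, so the final counter sees only the one `new` packet, matching the 31 / 31 / 1 pattern in the listed ruleset.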