On Fri, Aug 16, 2019 at 12:12:37PM +1200, flyingrhino wrote:
> Hi fellow net filter'ers,
>
> I need to filter packets with specific bytes in the layer 7 payload.
> I know the offsets of these bytes in relation to the beginning of the L7 section of the packet.
> However, I can't figure out how to configure this in nft:
>
> `man nft` section PAYLOAD EXPRESSIONS says:
> Payload expressions refer to data from the packet's payload.
>
> But later on 'Supported payload protocol bases' only mentions filtering is supported in ll, nh & th:
>
> ┌──────┬──────────────────────────────────────────────┐
> │ Base │ Description                                  │
> ├──────┼──────────────────────────────────────────────┤
> │ ll   │ Link layer, for example the Ethernet header  │
> ├──────┼──────────────────────────────────────────────┤
> │ nh   │ Network header, for example IPv4 or IPv6     │
> ├──────┼──────────────────────────────────────────────┤
> │ th   │ Transport Header, for example TCP            │
> └──────┴──────────────────────────────────────────────┘
>
> It looks to me like L7 filtering is not supported. Am I wrong?
>
> Thanks.

Hi flyingrhino,

To get anywhere past L3, you need to queue to userspace and process with your own software.
I've fiddled with it a little bit but nothing serious, just verified it's do-able.

Start here:
https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace

Cheers ... Duncan.
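As an added example (not code from Duncan's reply or from the nftables project), the following sketches the userspace side of the approach described above: nftables hands selected packets to an NFQUEUE with a `queue` statement, and a small Python program locates the start of the L7 payload and compares bytes at a known offset. The packet-parsing and matching logic is pure Python and is exercised on constructed IPv4/TCP and IPv4/UDP packets; the `run_queue` function is the glue to the third-party `NetfilterQueue` module (an assumption: it needs `pip install NetfilterQueue`, `libnetfilter_queue`, and root). The queue number 0, the port 8080, and the needle bytes are assumptions chosen for illustration. The TCP case matters: the L7 payload does not start at a fixed offset because TCP options change the data offset, so a match written against a fixed transport-header offset would silently miss packets carrying options.

```python
"""Match bytes at a known L7 offset in packets queued to userspace by nftables.

Assumed nftables ruleset feeding queue 0 (example, adjust to taste):
    nft add table inet l7
    nft add chain inet l7 input '{ type filter hook input priority 0; }'
    nft add rule inet l7 input tcp dport 8080 queue num 0 bypass
('bypass' accepts packets if no userspace listener is bound, so a crashed
 filter fails open rather than blackholing the port; drop it if you prefer
 fail-closed behaviour.)
"""
import struct
from typing import Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def l7_offset(pkt: bytes) -> Optional[Tuple[int, int]]:
    """Return (protocol, byte offset of the L7 payload) for an IPv4 packet.

    Returns None for non-IPv4, truncated, or unsupported transport packets.
    The IP header length (IHL) and the TCP data offset are both read from the
    packet, so IP options and TCP options are handled correctly.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    if proto == IPPROTO_TCP:
        if len(pkt) < ihl + 20:
            return None
        data_off = (pkt[ihl + 12] >> 4) * 4  # TCP header length incl. options
        if data_off < 20 or len(pkt) < ihl + data_off:
            return None
        return proto, ihl + data_off
    if proto == IPPROTO_UDP:
        if len(pkt) < ihl + 8:
            return None
        return proto, ihl + 8  # UDP header is always 8 bytes
    return None


def payload_matches(pkt: bytes, offset: int, needle: bytes) -> bool:
    """True if the L7 payload carries `needle` exactly `offset` bytes in."""
    loc = l7_offset(pkt)
    if loc is None:
        return False
    start = loc[1] + offset
    return pkt[start:start + len(needle)] == needle


def build_ipv4(proto: int, l4: bytes, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options, checksum left zero) + L4 + payload."""
    total = 20 + len(l4) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + l4 + payload


def build_tcp(sport: int, dport: int, options: bytes = b"") -> bytes:
    """Constructed TCP header; options are padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    words = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, words << 4,
                       0x18, 65535, 0, 0) + options


def build_udp(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


# Constructed sample packets: the application payload carries 0xdeadbeef at L7 offset 4.
PAYLOAD = b"\x00\x00\x00\x00\xde\xad\xbe\xef"
TCP_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02\x01\x03\x03\x07"  # MSS, NOP, NOP, SACKok, NOP, WScale
PKT_TCP_NOOPTS = build_ipv4(IPPROTO_TCP, build_tcp(40000, 8080), PAYLOAD)
PKT_TCP_OPTS = build_ipv4(IPPROTO_TCP, build_tcp(40000, 8080, TCP_OPTS), PAYLOAD)
PKT_UDP = build_ipv4(IPPROTO_UDP, build_udp(40000, 8080, len(PAYLOAD)), PAYLOAD)


def run_queue(queue_num: int, offset: int, needle: bytes) -> None:
    """Bind to the NFQUEUE and drop packets whose L7 bytes match (assumed glue)."""
    from netfilterqueue import NetfilterQueue  # third-party module, root required

    def verdict(nfpkt):
        if payload_matches(nfpkt.get_payload(), offset, needle):
            nfpkt.drop()
        else:
            nfpkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, verdict)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    run_queue(0, 4, b"\xde\xad")
```

Everything that is not the `queue` rule itself happens in userspace, so this costs a context switch per queued packet; keep the nft match (`tcp dport 8080` above) as tight as possible so only traffic that actually needs L7 inspection is queued. The verdict callback sees the packet from the IP header onward, which is why `l7_offset` starts at IHL rather than at an Ethernet header.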