nftables: Using ip6 dscp in maps

Using nftables 1.0.1 on an OpenWrt router, I would like to follow up on
this commit from 2018 regarding ip6 dscp crossing a byte boundary and
being unable to use it in map statements.

  https://git.netfilter.org/nftables/commit/?id=48632359f4dea5ee2484debba498ba069229e6d0
  (src: evaluate: add preliminary binop transfer support for vmaps)

My goal is to be able to copy DSCP to ct mark to take advantage of tc's
'ctinfo dscp' action to restore DSCP from connmark on ingress from WAN.

Example:
map dscpct {
        typeof ip6 dscp : ct mark
            elements = {
                cs0  : 0x00,
                cs1  : 0x08,
                cs7  : 0x38,
                be   : 0x00
            }
    }

ct mark set ip6 dscp map @dscpct

This never works for ip6, but works for an equivalent ip dscp map
without the byte boundary constraint.

After a lot of trial and error, I can perform the required action with:
  meta nfproto ipv6 ct mark set ((@nh,0,16 & 4032) >> 6)

but it would be nice to see if the original problem with ip6 dscp and
the byte boundary can be solved, or another creative solution
suggested.

# nft --debug=netlink --check add rule inet fw4 mangle_forward ct mark set ip6 dscp map @dscpct
inet
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 2b @ network header + 0 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
  [ lookup reg 1 set dscpct dreg 1 ]
  [ ct set mark with reg 1 ]

Regards,
Brian
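
A userspace check of the bit arithmetic behind the workaround above, added here as an example and not part of Brian's post or of nftables itself: it reproduces (@nh,0,16 & 4032) >> 6 on a constructed IPv6 header, compares it with a plain traffic-class decode, shows why the mask appears as 0x0000c00f in the netlink debug output, and mirrors the @dscpct lookup. The sample headers and the DSCPCT table are constructed from the values in the post.

```python
import struct

# The post's map @dscpct: DSCP codepoint (key) -> ct mark (value).
# cs0 and be are both 0x00, cs1 is 0x08, cs7 is 0x38.
DSCPCT = {0x00: 0x00, 0x08: 0x08, 0x38: 0x38}

def build_ipv6_header(dscp: int, ecn: int = 0, flow_label: int = 0) -> bytes:
    """Constructed sample input: the first 4 bytes of an IPv6 header
    (version 6 | traffic class | flow label), nothing else."""
    tclass = (dscp << 2) | ecn
    return struct.pack("!I", (6 << 28) | (tclass << 20) | flow_label)

def ipv6_dscp_raw(header: bytes) -> int:
    """Emulates the post's workaround ((@nh,0,16 & 4032) >> 6): nft loads
    2 bytes at network-header offset 0 in network byte order, and
    4032 == 0x0fc0 masks the six DSCP bits, which straddle bytes 0 and 1."""
    first16 = struct.unpack("!H", header[:2])[0]
    return (first16 & 4032) >> 6

def ipv6_dscp_reference(header: bytes) -> int:
    """Plain field decode for comparison: traffic class is the low nibble of
    byte 0 plus the high nibble of byte 1; DSCP is its top 6 bits."""
    tclass = ((header[0] & 0x0F) << 4) | (header[1] >> 4)
    return tclass >> 2

def ipv4_dscp(header: bytes) -> int:
    """For contrast: IPv4 DSCP is the top 6 bits of one byte (TOS, offset 1),
    so 'ip dscp' never crosses a byte boundary and the map works directly."""
    return header[1] >> 2

def nft_debug_mask(mask16: int) -> int:
    """How a 16-bit network-order mask shows up in 'nft --debug=netlink':
    the register contents are printed as a host-order (little-endian)
    32-bit value, so 0x0fc0 becomes 0x0000c00f."""
    return int.from_bytes(struct.pack("!H", mask16), "little")

def ct_mark_for(header: bytes):
    """'ct mark set ip6 dscp map @dscpct' evaluated on a sample header.
    Returns None when the DSCP is not a map key (nft: lookup fails,
    the mark is not set)."""
    return DSCPCT.get(ipv6_dscp_raw(header))
```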
