Re: IPv4 Evil Bit

On Wed, 7 Jun 2023 14:30:19 +0100
Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:

> On Wed, 7 Jun 2023 13:17:43 +0200
> Marek Küthe <m-k-mailling-list@xxxxxxx> wrote:
> 
> > Hello,
> > 
> > I hope I am in the right place. I have two questions about nftables:
> > 
> > 1) Is it possible to perform OR operations in nftables? For example
> > `ip6 saddr ::/128 OR ip saddr 127.0.0.1/8 accept;` As far as I
> > understand it, everything else is concatenated with AND.  
> 
> No. Nor would a set suffice, as ipv4_addr and ipv6_addr elements cannot be mixed.

Too bad nftables doesn't have something like that.

> 
> > 
> > 2) I want to see how many IPv4 packets I can get with the Evil Bit
> > (RFC3514). Since there seems to be no native function for this in
> > nftables, I seem to have to use raw payload expression. So I have
> > set up the following:
> > 
> > @th,6,1 & 0x80 = 0x80 \
> >     log prefix "[nftables] Evil bit: " counter reject;
> > 
> > However, `Error: syntax error, unexpected '='` appears. What is the
> > reason for this? How can I formulate this expression correctly?  
> 
> Try @nh,48,8 & 0x80 == 0x80. The offset and length values are expressed in bits, not bytes.

Thanks a lot! This works.

> 
> -- 
> Kerin Millar


-- 
Marek Küthe
m.k@xxxxxxx
er/ihm he/him
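Added example, not part of the thread: a small Python script that constructs sample IPv4 headers and evaluates the same bit selection that Kerin suggests, `@nh,48,8 & 0x80 == 0x80`, to show why the offset is 48 (the bit offset of header byte 6, the flags byte, whose most significant bit is the reserved bit that RFC 3514 calls the evil bit) and how a counter of such packets would behave. The `raw_payload` helper emulating the nftables raw payload expression, the header builder and the sample addresses are all constructed here for illustration and are not nftables code.

```python
"""Emulate the nftables raw payload expression @nh,offset,length on a
constructed IPv4 header and count packets with the reserved (RFC 3514
"evil") bit set.  Example code added alongside the thread; it does not
come from nftables or from the thread's authors."""
import ipaddress
import struct

# Bit offset/length of the IPv4 flags byte, exactly as in @nh,48,8:
# nftables offsets and lengths are in bits, and byte 6 of the header
# (flags + top of fragment offset) starts at bit 6 * 8 = 48.
FLAGS_OFFSET_BITS = 48
FLAGS_LENGTH_BITS = 8
EVIL_BIT_MASK = 0x80  # reserved bit, MSB of the flags byte (RFC 3514)
DF_MASK = 0x40        # "don't fragment", for comparison


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte header (checksum field zeroed)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(evil: bool, src: str = "192.0.2.1",
                      dst: str = "192.0.2.2", payload_len: int = 0) -> bytes:
    """Construct a minimal 20-byte IPv4 header with DF set and, optionally,
    the reserved bit set.  Addresses are documentation-range sample values."""
    version_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words
    flags_byte = DF_MASK | (EVIL_BIT_MASK if evil else 0)
    flags_fragoff = (flags_byte << 8) | 0x00  # fragment offset 0
    header = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, 20 + payload_len, 0x1234, flags_fragoff,
        64, 17, 0,  # TTL 64, protocol UDP, checksum placeholder
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def raw_payload(buf: bytes, offset_bits: int, length_bits: int) -> int:
    """Emulate @base,offset,length: return `length_bits` bits starting
    `offset_bits` bits into `buf`, as a big-endian integer (wire order)."""
    first_byte = offset_bits // 8
    last_byte = (offset_bits + length_bits - 1) // 8
    chunk = int.from_bytes(buf[first_byte:last_byte + 1], "big")
    trailing = (last_byte + 1) * 8 - (offset_bits + length_bits)
    return (chunk >> trailing) & ((1 << length_bits) - 1)


def has_evil_bit(ipv4_header: bytes) -> bool:
    """The thread's rule, `@nh,48,8 & 0x80 == 0x80`, applied to one header."""
    flags = raw_payload(ipv4_header, FLAGS_OFFSET_BITS, FLAGS_LENGTH_BITS)
    return flags & EVIL_BIT_MASK == EVIL_BIT_MASK


def count_evil(headers) -> int:
    """What the rule's `counter` would accumulate over a list of headers."""
    return sum(1 for h in headers if has_evil_bit(h))


if __name__ == "__main__":
    sample = [build_ipv4_header(False), build_ipv4_header(True),
              build_ipv4_header(False)]
    print(f"evil-bit packets: {count_evil(sample)} of {len(sample)}")
```

Selecting a single bit works the same way: `raw_payload(h, 48, 1)` reads the reserved bit and `raw_payload(h, 49, 1)` the DF bit, which is why the byte-oriented `@th,6,1` from the first attempt points at the wrong place (the transport header, bit 6, one bit long) even once the `=` is corrected to `==`.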
