On Wed, 7 Jun 2023 14:30:19 +0100
Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:

> On Wed, 7 Jun 2023 13:17:43 +0200
> Marek Küthe <m-k-mailling-list@xxxxxxx> wrote:
>
> > Hello,
> >
> > I hope I am in the right place. I have two questions about nftables:
> >
> > 1) Is it possible to perform OR operations in nftables? For example
> > `ip6 saddr ::/128 OR ip saddr 127.0.0.1/8 accept;` As far as I
> > understand it, everything else is concatenated with AND.
>
> No. Nor would a set suffice, as ipv4_addr and ipv6_addr elements cannot be mixed.

Too bad nftables doesn't have something like that.

> >
> > 2) I want to see how many IPv4 packets I can get with the Evil Bit
> > (RFC3514). Since there seems to be no native function for this in
> > nftables, I seem to have to use raw payload expression. So I have
> > set up the following:
> >
> > @th,6,1 & 0x80 = 0x80 \
> > log prefix "[nftables] Evil bit: " counter reject;
> >
> > However, `Error: syntax error, unexpected '='` appears. What is the
> > reason for this? How can I formulate this expression correctly?
>
> Try @nh,48,8 & 0x80 == 0x80. The offset and length values are expressed in bits, not bytes.

Thanks a lot! This works.

>
> --
> Kerin Millar

--
Marek Küthe
m.k@xxxxxxx
er/ihm he/him
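The working rule depends on two things the thread states but does not show: raw payload offsets and lengths are in bits, and `@nh` versus `@th` selects which header the offset is counted from. The Python below is an added example, not code from the thread or from the nftables project. It builds a constructed IPv4/TCP packet (arbitrary addresses and ports, checksum left at zero), implements the `@base,offset,length` load the way nft's raw payload expression reads bits out of a header, and then evaluates both Kerin's `@nh,48,8 & 0x80 == 0x80` and the original `@th,6,1` attempt (with the `=` corrected to `==`) against packets with and without the evil bit. The `ip_flags` decoder and the IHL-based transport-header lookup are my additions to make the bit arithmetic visible.

```python
"""Simulate nftables raw payload matching (@base,offset,length) on a constructed packet.

Added example, not code from the thread: it shows why `@nh,48,8 & 0x80 == 0x80`
selects the RFC 3514 "evil" bit and what the mistaken `@th,6,1` actually reads.
Packet contents are constructed here; addresses and ports are arbitrary.
"""
import struct


def ipv4_header(evil: bool, ihl_words: int = 5) -> bytes:
    """Minimal IPv4 header. Flags occupy the top 3 bits of bytes 6-7:
    bit 0 reserved (RFC 3514 evil bit), bit 1 DF, bit 2 MF, then 13 bits of fragment offset."""
    flags_frag = 0x4000                 # DF set, MF clear, fragment offset 0
    if evil:
        flags_frag |= 0x8000            # the reserved bit: byte 6, mask 0x80
    total_len = ihl_words * 4 + 20      # header plus a 20-byte TCP header
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl_words,  # version 4, IHL in 32-bit words
                      0, total_len, 0x1234, flags_frag,
                      64, 6,               # TTL, protocol TCP
                      0,                   # checksum left zero (not needed for the demo)
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * (ihl_words * 4 - 20)   # zero (EOL) option padding if IHL > 5


def tcp_header() -> bytes:
    """Minimal TCP SYN: sport 12345, dport 80, data offset 5 words."""
    return struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def raw_payload(packet: bytes, base: str, offset_bits: int, length_bits: int) -> int:
    """Value of the `length_bits`-bit field `offset_bits` bits into the chosen header,
    i.e. what nft's `@base,offset,length` loads. Both numbers are in BITS."""
    if base == "nh":
        start = 0                           # network header begins the packet here
    elif base == "th":
        start = (packet[0] & 0x0F) * 4      # transport header follows IHL*4 bytes of IPv4
    else:
        raise ValueError(f"unsupported base {base!r}")
    first = start + offset_bits // 8
    last = start + (offset_bits + length_bits - 1) // 8
    chunk = int.from_bytes(packet[first:last + 1], "big")
    shift = (last - first + 1) * 8 - (offset_bits % 8) - length_bits
    return (chunk >> shift) & ((1 << length_bits) - 1)


def evil_bit_rule(packet: bytes) -> bool:
    """Kerin's working match: `@nh,48,8 & 0x80 == 0x80` (byte 6 of the IP header, MSB)."""
    return raw_payload(packet, "nh", 48, 8) & 0x80 == 0x80


def evil_bit_single_bit(packet: bytes) -> bool:
    """The same test spelled as a one-bit load: `@nh,48,1 == 1`."""
    return raw_payload(packet, "nh", 48, 1) == 1


def mistaken_th_rule(packet: bytes) -> bool:
    """The original attempt with `=` corrected to `==`: `@th,6,1 & 0x80 == 0x80`.
    It loads bit 6 of the TCP source port, and a 1-bit value ANDed with 0x80 is
    always 0, so this can never match, evil bit or not."""
    return raw_payload(packet, "th", 6, 1) & 0x80 == 0x80


def ip_flags(packet: bytes) -> dict:
    """Decode the three flag bits and the fragment offset with raw loads."""
    return {
        "evil": raw_payload(packet, "nh", 48, 1),
        "df": raw_payload(packet, "nh", 49, 1),
        "mf": raw_payload(packet, "nh", 50, 1),
        "frag_off": raw_payload(packet, "nh", 51, 13),
    }


if __name__ == "__main__":
    for evil in (False, True):
        pkt = ipv4_header(evil) + tcp_header()
        print(f"evil={evil}: @nh,48,8 rule -> {evil_bit_rule(pkt)}, "
              f"@th,6,1 rule -> {mistaken_th_rule(pkt)}, flags={ip_flags(pkt)}")
```

Two practical points follow from the simulation. First, `@th,6,1` with bytes confused for bits does not merely fail to parse: even with `==` it reads one bit of the transport header, and `1-bit & 0x80` is always zero, so the rule would silently never fire. Second, `@nh` is only meaningful where the network header is known to be IPv4; placing the rule in a `table ip` (IPv4-only) ruleset, or guarding it with `meta nfproto ipv4` in an `inet` table, avoids reading byte 6 of an IPv6 header, which is its Next Header field. As a further note not taken from the thread, nftables' `ip frag-off` header field is defined in its protocol template as the whole 16-bit flags/fragment-offset word, so `ip frag-off & 0x8000 != 0` should express the same test without a raw payload expression; verify that on your nft version before relying on it.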