On Wed, 7 Jun 2023 10:38:23 -0400
Paul Robert Marino <prmarino1@xxxxxxxxx> wrote:

> Answering the first question I think you may be looking for sets
> https://wiki.nftables.org/wiki-nftables/index.php/Sets

Thanks for the answer. Is there a possibility to combine sets (i.e. to
perform a kind of merge)?

    iifname @dnet_interfaces oifname { @client_interfaces, @dnet_interfaces } goto dnet_forward;

> As for the second one, RFC3514: implementing that is a bad idea for a
> number of reasons, which is why as far as I know nothing implements it;
> it's too easy for a bad actor to take advantage of. In fact it was
> actually an April Fools' joke RFC. There are a lot of those and some
> people confuse them as being legitimate but they are not. If you see
> an RFC with a publish date of April 1st any year don't take it
> seriously.
> AGAIN I CAN NOT STRESS THIS POINT ENOUGH THAT RFC (RFC3514) WAS
> WRITTEN AS AN APRIL FOOLS JOKE!!!!!

I know this RFC is intended as an April Fools' joke. However, I would like
to see how many requests I get with the Evil Bit, and how many requests I
forward for the dn42 with the Evil Bit. How could a malicious actor have
the advantage if I log this bit? Or do you mean that I shouldn't rely on
malicious requests having that bit? What "inspired" me to this idea was
https://blog.benjojo.co.uk/post/evil-bit-RFC3514-real-world-usage.

> On Wed, Jun 7, 2023 at 8:12 AM Marek Küthe <m-k-mailling-list@xxxxxxx> wrote:
> >
> > Hello,
> >
> > I hope I am in the right place. I have two questions about nftables:
> >
> > 1) Is it possible to perform OR operations in nftables? For example
> > `ip6 saddr ::/128 OR ip saddr 127.0.0.1/8 accept;` As far as I
> > understand it, everything else is concatenated with AND.
> >
> > 2) I want to see how many IPv4 packets I can get with the Evil Bit
> > (RFC3514). Since there seems to be no native function for this in
> > nftables, I seem to have to use a raw payload expression. So I have
> > set up the following:
> >
> > @th,6,1 & 0x80 = 0x80 \
> > log prefix "[nftables] Evil bit: " counter reject;
> >
> > However, `Error: syntax error, unexpected '='` appears. What is the
> > reason for this? How can I formulate this expression correctly?
> >
> > I would really appreciate your answers!
> >
> > Greetings
> > Marek Küthe
> >
> > --
> > Marek Küthe
> > m.k@xxxxxxx
> > er/ihm he/him

-- 
Marek Küthe
m.k@xxxxxxx
er/ihm he/him
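The thread's second question is about counting IPv4 packets that carry the RFC 3514 "evil" bit with an nftables raw payload expression. The following is an added example, not code from the thread or from the nftables project: it reproduces in Python what a raw payload match of the form `@base,offset,length` selects, and uses that to log and count packets the way the quoted `log prefix ... counter` rule would. It assumes (these are my assumptions, not statements from the thread) that nftables raw payload offsets and lengths are given in bits from the start of the chosen header, that `@nh` is the network (IPv4) header and `@th` the transport header, and that RFC 3514 places the evil bit in the high-order bit of the IPv4 Flags field, i.e. byte 6, mask 0x80, bit offset 48. Under those assumptions the match mirrored here corresponds to `@nh,48,1 == 1`. The sample packets are constructed inline, not captured traffic.

```python
import socket
import struct

# RFC 3514 puts the "evil" bit in the high-order bit of the IPv4 Flags
# field: byte 6 of the IPv4 header, mask 0x80, i.e. bit offset 48 (assumption).
EVIL_BIT_OFFSET_BITS = 48
LOG_PREFIX = "[nftables] Evil bit: "   # same prefix as the rule quoted in the thread


def raw_payload(header: bytes, offset_bits: int, length_bits: int) -> int:
    """Mirror an nftables raw payload expression @base,offset,length
    (assumption: offset and length are in bits, counted from the start of
    the chosen header). Returns the unsigned integer formed by the selected
    bits, most significant bit first."""
    value = 0
    for i in range(offset_bits, offset_bits + length_bits):
        bit = (header[i // 8] >> (7 - i % 8)) & 1
        value = (value << 1) | bit
    return value


def network_header(packet: bytes) -> bytes:
    """Base @nh for a packet that starts at the IPv4 header."""
    return packet


def transport_header(packet: bytes) -> bytes:
    """Base @th: skip the IPv4 header (IHL * 4 bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl:]


def evil_bit_set(packet: bytes) -> bool:
    """Equivalent of the match @nh,48,1 == 1 on an IPv4 packet."""
    if packet[0] >> 4 != 4:          # not IPv4: the field does not exist
        return False
    return raw_payload(network_header(packet), EVIL_BIT_OFFSET_BITS, 1) == 1


def build_ipv4_tcp(src: str, dst: str, evil: bool, sport: int = 0, dport: int = 80) -> bytes:
    """Constructed sample packet (not captured traffic): minimal 20-byte IPv4
    header followed by a minimal 20-byte TCP header. Checksums stay zero
    because nothing is ever sent."""
    flags_frag = (0x8000 if evil else 0) | 0x4000     # evil bit (optional) + DF
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


def count_evil(packets) -> dict:
    """Log and count packets with the evil bit set, in the spirit of the
    thread's 'log prefix ... counter' rule. Returns the counters."""
    counts = {"total": 0, "evil": 0}
    for pkt in packets:
        counts["total"] += 1
        if evil_bit_set(pkt):
            counts["evil"] += 1
            src = socket.inet_ntoa(pkt[12:16])
            dst = socket.inet_ntoa(pkt[16:20])
            print(f"{LOG_PREFIX}SRC={src} DST={dst}")
    return counts


# Constructed sample input: documentation addresses, two evil, one clean.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.1", "198.51.100.7", evil=True),
    build_ipv4_tcp("192.0.2.2", "198.51.100.7", evil=False),
    build_ipv4_tcp("192.0.2.3", "198.51.100.7", evil=True, sport=0x0200),
]

if __name__ == "__main__":
    print(count_evil(SAMPLE_PACKETS))
    # Why the base matters: @th,6,1 reads bit 6 of the TCP source port,
    # which is unrelated to the IP Flags field the thread wants to inspect.
    for pkt in SAMPLE_PACKETS:
        print(evil_bit_set(pkt), raw_payload(transport_header(pkt), 6, 1))
```

The last loop illustrates the point a reviewer of the quoted rule would raise: with `@th` as the base, bit offset 6 lands inside the TCP source port, so the third sample packet (source port 0x0200) matches while the first (evil bit set, source port 0) does not. Only the `@nh`-based extraction tracks the Flags field that RFC 3514 describes.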