On Wed, Mar 27, 2024 at 03:36:19PM +0700, Vlad Tsisyk wrote:
> Hello,
>
> I have a set of pairs of MAC address and mask:
>
> aa:bb:cc:dd:ee:ff 00:ff:ff:ff:ff:ff

You would like to match this?

xx:bb:cc:dd:ee:ff

or mask is reversed?

> aa:bb:cc:dd:ee:ff 00:ff:ff:ff:ff:00
>
> ...
>
> I want to apply a mask to source MAC from the packet, and then compare
> the result with the MAC from the pair. I can do it like so:
>
> nft add table t
> nft add chain t c
> nft --debug=netlink add rule ip t c ether saddr and aa:bb:cc:dd:ee:ff 00:ff:ff:ff:ff:00

because rule syntax is not correct, mask is reversed:

nft --debug=netlink add rule ip t c ether saddr and 00:ff:ff:ff:ff:00 == aa:bb:cc:dd:ee:ff

that is:

nft --debug=netlink add rule ip t c ether saddr and MASK == VALUE

> ip t c
> [ meta load iiftype => reg 1 ]
> [ cmp eq reg 1 0x00000001 ]
> [ payload load 6b @ link header + 6 => reg 1 ]
> [ bitwise reg 1 = (reg=1 & 0xddccbbaa 0x0000ffee ) ^ 0x00000000
> 0x00000000 ]
> [ cmp eq reg 1 0xffffff00 0x000000ff ]
> ...
>
> But I have to create a new rule for each pair. Are there any
> workarounds to use sets?

You can use ranges in sets.
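Added example, not part of the original messages: a Python sketch that decodes the register words from the quoted `--debug=netlink` output to show which operand landed in the bitwise mask and which in the compare, then evaluates `(saddr & MASK) == VALUE` on sample addresses. Assumptions: the dump came from a little-endian host, all helper names are hypothetical, and the packet MAC is constructed.

```python
import struct

def words_to_mac(words):
    """Decode 32-bit words from `nft --debug=netlink` into 6 MAC bytes.
    Assumption: little-endian host, so each printed word is the register's
    bytes read as a little-endian integer."""
    return b"".join(struct.pack("<I", w) for w in words)[:6]

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)

def masked_eq(saddr, mask, value):
    """What the bitwise + cmp pair evaluates: (saddr & mask) == value."""
    return bytes(a & m for a, m in zip(saddr, mask)) == value

def can_ever_match(mask, value):
    """False when value has a bit set that the mask clears, because no
    packet can then satisfy (saddr & mask) == value."""
    return all((v & ~m & 0xFF) == 0 for m, v in zip(mask, value))

def premask(mask, value):
    """Clear the bits of value that the mask ignores."""
    return bytes(v & m for m, v in zip(mask, value))

# Words copied from the debug output quoted in the thread.
BITWISE_MASK = words_to_mac([0xDDCCBBAA, 0x0000FFEE])
CMP_VALUE = words_to_mac([0xFFFFFF00, 0x000000FF])

if __name__ == "__main__":
    # In the quoted rule the MAC ended up as the mask, the mask as the value.
    print("bitwise mask:", fmt(BITWISE_MASK))
    print("cmp value   :", fmt(CMP_VALUE))
    print("can match   :", can_ever_match(BITWISE_MASK, CMP_VALUE))

    # MASK == VALUE order, with VALUE reduced to the bits MASK keeps.
    mask = mac("00:ff:ff:ff:ff:00")
    value = premask(mask, mac("aa:bb:cc:dd:ee:ff"))
    pkt = mac("12:bb:cc:dd:ee:34")  # constructed source MAC
    print("value       :", fmt(value))
    print("pkt matches :", masked_eq(pkt, mask, value))
```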