Raw payload expressions are mangled

Hi, I am attempting to match ntpv4 replies inbound to my machine; like so:

udp sport 123 dport 123 @ih,2,3 0x4 @ih,5,3 0x4 @ih,8,8 0x1

In English, this is: "ntpv4 mode server stratum 1" (there are additional checks for poll, precision and reference, though they're not necessary here).

After loading the rule (among others) with /usr/sbin/nft -f (in a config file) on Debian 12 Bookworm (not yet updated), the rule shows as:

ip daddr 10.0.0.5 udp sport 123 udp dport 123 ct state established meta skuid 996 @ih,0,8 & 0x38 == 0x20 @ih,0,8 & 0x7 == 0x4 @ih,8,8 0x1

It seems bit-level checks were aligned to '8 bit boundaries'. The resulting expression is technically correct, though it is (as far as I'm aware), only minimally faster.

I would prefer the output to remain as I had typed, as I did not ask for NFT to optimise the ruleset as of yet, and I need to spend much more time validating the configuration.

Is this optimisation able to be toggled off?

Regards,
Sunny73cr
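Added example (not part of the post above, and not nftables code): the arithmetic behind the rewrite the poster observed. nft numbers raw payload bits from the most significant bit of the first header byte, so a 3-bit field at bit 2 becomes "load byte 0, mask 0x38, compare 0x20", and a field at bit 5 becomes "mask 0x7, compare 0x4". The script below reproduces the echoed rule text from the typed rule, then checks both forms against constructed NTPv4 packets (server/stratum 1, client, and server/stratum 2) to confirm they accept and reject the same packets. Function names, the packet builder and the cross-byte widening rule are my own assumptions; only the @ih offsets, masks and values come from the post.

```python
"""Added example (not from the post): show why nft's byte-aligned rewrite of
sub-byte raw payload matches is equivalent to the bit-level form the poster
typed, using a constructed NTPv4 packet.  Function names are my own."""
import struct


def bitfield_to_bytemask(bit_offset, bit_len, value):
    """Translate `@ih,bit_offset,bit_len value` into the byte-aligned
    (byte_offset, byte_len, mask, masked_value) form nft prints.

    Bits are counted from the most significant bit of the first byte,
    which is how raw payload expressions address a header.  Fields that
    straddle a byte boundary are widened to the smallest covering byte
    span (assumption: this mirrors what nft does for wider fields)."""
    if bit_len <= 0 or value >> bit_len:
        raise ValueError("value does not fit in bit_len bits")
    first_byte = bit_offset // 8
    last_byte = (bit_offset + bit_len - 1) // 8
    byte_len = last_byte - first_byte + 1
    # distance from the field's LSB to the LSB of the loaded byte span
    shift = byte_len * 8 - (bit_offset - first_byte * 8) - bit_len
    mask = ((1 << bit_len) - 1) << shift
    return first_byte, byte_len, mask, value << shift


def render(rules):
    """Print a rule list the way nft echoes it back (no mask when the
    field already fills whole bytes)."""
    parts = []
    for bit_offset, bit_len, value in rules:
        b_off, b_len, mask, want = bitfield_to_bytemask(bit_offset, bit_len, value)
        if mask == (1 << (b_len * 8)) - 1:
            parts.append(f"@ih,{b_off * 8},{b_len * 8} {want:#x}")
        else:
            parts.append(f"@ih,{b_off * 8},{b_len * 8} & {mask:#x} == {want:#x}")
    return " ".join(parts)


def extract_bits(payload, bit_offset, bit_len):
    """Read a bit_len-bit field at bit_offset (MSB-first), as @ih,off,len does."""
    value = 0
    for i in range(bit_offset, bit_offset + bit_len):
        value = (value << 1) | ((payload[i // 8] >> (7 - i % 8)) & 1)
    return value


def match_bitlevel(payload, rules):
    """The poster's form: compare each sub-byte field directly."""
    return all(extract_bits(payload, o, n) == v for o, n, v in rules)


def match_bytealigned(payload, rules):
    """nft's rewritten form: load whole bytes, mask, compare."""
    for bit_offset, bit_len, value in rules:
        b_off, b_len, mask, want = bitfield_to_bytemask(bit_offset, bit_len, value)
        word = int.from_bytes(payload[b_off:b_off + b_len], "big")
        if word & mask != want:
            return False
    return True


# "ntpv4 mode server stratum 1": VN at bits 2-4, mode at bits 5-7, stratum byte 1
NTPV4_SERVER_STRATUM1 = [(2, 3, 0x4), (5, 3, 0x4), (8, 8, 0x1)]


def ntp_packet(li, vn, mode, stratum):
    """Constructed 48-byte NTP header: LI|VN|Mode, stratum, poll, precision,
    then zeroed root delay/dispersion, reference id and timestamps."""
    first = (li << 6) | (vn << 3) | mode
    return struct.pack("!BBBb", first, stratum, 6, -23) + bytes(44)


SERVER_PKT = ntp_packet(0, 4, 4, 1)    # what the rule should match
CLIENT_PKT = ntp_packet(0, 4, 3, 0)    # mode 3 (client): must not match
STRATUM2_PKT = ntp_packet(0, 4, 4, 2)  # right mode, wrong stratum


if __name__ == "__main__":
    print(render(NTPV4_SERVER_STRATUM1))
    for name, pkt in [("server", SERVER_PKT), ("client", CLIENT_PKT), ("stratum2", STRATUM2_PKT)]:
        print(name, match_bitlevel(pkt, NTPV4_SERVER_STRATUM1),
              match_bytealigned(pkt, NTPV4_SERVER_STRATUM1))
```

Running it prints exactly the echoed form from the post, `@ih,0,8 & 0x38 == 0x20 @ih,0,8 & 0x7 == 0x4 @ih,8,8 0x1`, and both matchers agree on all three packets. The practical point for validating a ruleset is that you can check the rewrite by hand: mask = ((1 << len) - 1) shifted left by (8 - offset_in_byte - len), value shifted by the same amount.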
