On Tue, Sep 03, 2024 at 07:58:56AM +0000, Sunny73Cr wrote:
> Hi, I am attempting to match ntpv4 replies inbound to my machine; like so:
>
> udp sport 123 dport 123 @ih,2,3 0x4 @ih,5,3 0x4 @ih,8,8 0x1
>
> In English, this is: "ntpv4 mode server stratum 1" (there are additional checks for poll, precision and reference, though they're not necessary here)
>
> After loading the rule (among others) with /usr/sbin/nft -f (in a config file) on Debian 12 Bookworm (not yet updated); the rule shows as:
>
> ip daddr 10.0.0.5 udp sport 123 udp dport 123 ct state established meta skuid 996 @ih,0,8 & 0x38 == 0x20 @ih,0,8 & 0x7 == 0x4 @ih,8,8 0x1
>
> It seems bit-level checks were aligned to '8 bit boundaries'. The resulting expression is technically correct, though it is (as far as I'm aware) only minimally faster.

Raw expressions only support operations at byte boundaries; you have to use a bitwise (&) expression to narrow down the scope of your matching.

> I would prefer the output to remain as I had typed, as I did not ask for NFT to optimise the ruleset as of yet, and I need to spend much more time validating the configuration.
>
> Is this optimisation able to be toggled off?

No. You can file a bugzilla ticket to request an enhancement; maybe someone will pick it up at some point.
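The rewrite the reply describes (a raw payload match that does not start or end on a byte boundary becomes a byte-aligned load plus a bitwise mask) can be checked offline. The following Python is an added example written for this page, not code from the thread or from the nftables project. It reproduces the three `@ih` matches from the original rule, renders them the way `nft list ruleset` printed them, and evaluates both the bit-exact original and the rewritten form against constructed NTP headers to show they accept the same packets. The NTP header bytes are sample data, not captured traffic, and handling fields that straddle a byte boundary (by loading every byte they touch) is this example's own generalization; the thread only shows single-byte fields.

```python
"""Added example, not from the mailing-list thread: reproduce the rewrite nft
applies to a raw payload match that does not start or end on a byte boundary
(a byte-aligned load plus a bitwise mask), and check that the rewritten form
matches exactly the same packets as the bit-exact original."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AlignedMatch:
    base: str       # payload base as written in nft, e.g. "ih" (inner header)
    byte_off: int   # offset in bits, now a multiple of 8
    byte_len: int   # length in bits, now a multiple of 8
    mask: int       # bits of the loaded bytes that belong to the field
    value: int      # expected value, shifted into the field's position

    def nft(self) -> str:
        """Render the match the way `nft list ruleset` prints it."""
        if self.mask == (1 << self.byte_len) - 1:
            # Whole bytes are matched: no bitwise expression is needed.
            return f"@{self.base},{self.byte_off},{self.byte_len} {self.value:#x}"
        return (f"@{self.base},{self.byte_off},{self.byte_len} "
                f"& {self.mask:#x} == {self.value:#x}")


def byte_align(base: str, bit_off: int, bit_len: int, value: int) -> AlignedMatch:
    """Convert `@base,bit_off,bit_len value` into the byte-aligned form.

    Offsets count from the most significant bit of the header, as in nft.
    Fields that straddle a byte boundary are covered by loading every byte
    they touch; that multi-byte case is an assumption of this example, the
    thread only shows single-byte fields."""
    if bit_off < 0 or bit_len <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    if value >= (1 << bit_len):
        raise ValueError(f"{value:#x} does not fit in {bit_len} bits")
    first_byte = bit_off // 8
    last_byte = (bit_off + bit_len - 1) // 8
    byte_off = first_byte * 8
    byte_len = (last_byte - first_byte + 1) * 8
    # Distance from the field's last bit to the end of the loaded span.
    shift = byte_off + byte_len - (bit_off + bit_len)
    mask = ((1 << bit_len) - 1) << shift
    return AlignedMatch(base, byte_off, byte_len, mask, value << shift)


def aligned_match(payload: bytes, m: AlignedMatch) -> bool:
    """Evaluate the byte-aligned form against a transport payload."""
    start, end = m.byte_off // 8, (m.byte_off + m.byte_len) // 8
    if end > len(payload):
        return False
    field = int.from_bytes(payload[start:end], "big")
    return (field & m.mask) == m.value


def raw_match(payload: bytes, bit_off: int, bit_len: int, value: int) -> bool:
    """Bit-exact evaluation of the original `@base,bit_off,bit_len value`."""
    total_bits = len(payload) * 8
    if bit_off + bit_len > total_bits:
        return False
    word = int.from_bytes(payload, "big")
    shift = total_bits - (bit_off + bit_len)
    return ((word >> shift) & ((1 << bit_len) - 1)) == value


# The three raw matches from the thread: NTP version 4, mode 4 (server), stratum 1.
NTP_RULE = [("ih", 2, 3, 0x4), ("ih", 5, 3, 0x4), ("ih", 8, 8, 0x1)]

# Constructed 48-byte NTP headers (sample data, not captured traffic).
# First byte packs LI(2) | VN(3) | Mode(3); second byte is the stratum.
NTP_SERVER_STRATUM1 = bytes([0x24, 0x01, 0x06, 0xEC]) + bytes(44)  # LI=0 VN=4 mode=4
NTP_CLIENT_REQUEST = bytes([0x23, 0x00, 0x06, 0xEC]) + bytes(44)   # LI=0 VN=4 mode=3
NTP_V3_SERVER = bytes([0x1C, 0x01, 0x06, 0xEC]) + bytes(44)        # LI=0 VN=3 mode=4


def rule_matches(payload: bytes) -> bool:
    """True when every aligned match in NTP_RULE accepts the payload; raises
    if the aligned form ever disagrees with the bit-exact original."""
    results = []
    for base, off, length, val in NTP_RULE:
        aligned = byte_align(base, off, length, val)
        exact = raw_match(payload, off, length, val)
        rewritten = aligned_match(payload, aligned)
        assert exact == rewritten, f"rewrite of {aligned.nft()} changed semantics"
        results.append(rewritten)
    return all(results)


if __name__ == "__main__":
    for base, off, length, val in NTP_RULE:
        print(f"@{base},{off},{length} {val:#x}  ->  {byte_align(base, off, length, val).nft()}")
    for name, pkt in [("server/stratum1", NTP_SERVER_STRATUM1),
                      ("client", NTP_CLIENT_REQUEST), ("v3 server", NTP_V3_SERVER)]:
        print(f"{name:16s} matches: {rule_matches(pkt)}")
```

Running the script prints `@ih,0,8 & 0x38 == 0x20` and `@ih,0,8 & 0x7 == 0x4` for the two sub-byte fields, exactly as in the listed rule, and leaves `@ih,8,8 0x1` untouched because it already covers a whole byte. The mask is the field's bits shifted to their position inside the loaded byte(s) and the compared value is shifted by the same amount, which is why the two forms cannot diverge; the constructed client and NTPv3 packets are rejected by both.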