Re: Raw Payload Expressions - out of bounds write?

> ...but I had expected
> 0xfc0f...

I disagree with the proposed mask: the message is likely not 64,527 bits in length (0xfc0f -> decimal: 64,527).

> Use --debug=netlink

Apologies, I am not sure what this refers to: I assume it is a compilation argument, and I cannot recompile Netfilter as of yet.

I am using the `nft` command via '/etc/nftables.conf'; on an installation of the latest Debian 12.9 release. `/usr/sbin/nft -v` prints "nftables v1.0.6 (Lester Gooch #5)".

Debian CD Signing key fingerprint: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
Debian 12 Bookworm release key fingerprint: 4D64FEC119C2029067D6E791F8D2585B8783D481

An example of the problem. Hopefully my explanation is easy to understand:

To match "Version 4" of IPv4 header, and to clear DSCP code point (DSCP isn't used on my network):

- At network header, bit offset 0, select the next 4 bits, and match the decimal value 4.
- At network header, bit offset 8, select the next 6 bits and set the value to 0.

@nh,0,4 0x4 \
@nh,8,6 set 0x0 \
accept;

Translates to:

@nh,0,8 & 0xf0 == 0x40 @nh,8,8 set @nh,8,8 & 0x7e accept

I view this as:

"Version and Internet Header Length, mask 240 bits, match a value of 64."
My issue: I did not match IHL before translation. The rule may cause dropped frames that I was not concerned with.

Then:

"DSCP, and ECN, set to the same value, covering 124 bits at some offset" (I am assuming the offset is @nh,8).
My issue: It has not set the bits to zero as I intended, and what to do if the bits selected (0x7e / 124 bits) are larger than the destination section to copy to (@nh,8,8 / 8 bits at 8 bits from the beginning of the network header).

I cannot be certain of the correct way to translate the rule given the 8-bit backing store restriction. If I am only concerned with 4 bits, then, in order for my rules to function, a mask of 4 bits must be valid.

I propose that a 'bit array' backing store may assist (though I sense that may reduce performance). Without a given socket buffer in memory, it is difficult to form the correct mask, where the mask must be larger than the selected bits.

I would love to assist, though I haven't read the source code of Netfilter. It is possible that I suggest an incorrect change without reading the source.

sunny
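As an added worked example (not code from this thread or from nftables itself), the following models the byte alignment the post is asking about: a field written as @nh,<bit offset>,<bit length> is widened to whole bytes, and the mask and shift follow from the padding bits on either side of it. For `@nh,0,4 0x4` it reproduces the quoted `@nh,0,8 & 0xf0 == 0x40`; for `@nh,8,6 set 0x0` the keep mask this model derives is 0x03, which makes the comparison with the quoted 0x7e concrete without asserting anything about nft's internals. Function names are hypothetical, and the header bytes in the test are constructed.

```python
# Added example (constructed model, not nft's own code): byte-align a raw payload
# field @nh,<bit offset>,<bit length>, derive its mask/shift, emit byte-wide rules.
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Aligned:
    byte_off: int  # first byte touched
    byte_len: int  # whole bytes that must be loaded
    shift: int     # padding bits after the field inside the loaded integer
    mask: int      # bits of the loaded integer that belong to the field

def align(bit_off: int, bit_len: int) -> Aligned:
    """Network bit order: bit 0 is the most significant bit of byte 0."""
    if bit_off < 0 or bit_len <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    lead = bit_off % 8                          # padding bits before the field
    byte_len = math.ceil((lead + bit_len) / 8)
    shift = byte_len * 8 - lead - bit_len
    return Aligned(bit_off // 8, byte_len, shift, ((1 << bit_len) - 1) << shift)

def _prep(bit_off: int, bit_len: int, value: int):
    a = align(bit_off, bit_len)
    if value >> bit_len:
        raise ValueError("value does not fit in the field")
    return a, a.byte_len * 8

def _hex(v: int, nbits: int) -> str:
    return f"{v:#0{nbits // 4 + 2}x}"          # zero-padded to the loaded width

def match_rule(bit_off: int, bit_len: int, value: int, base: str = "nh") -> str:
    a, n = _prep(bit_off, bit_len, value)
    return f"@{base},{a.byte_off * 8},{n} & {_hex(a.mask, n)} == {_hex(value << a.shift, n)}"

def set_rule(bit_off: int, bit_len: int, value: int, base: str = "nh") -> str:
    """Read-modify-write: keep every bit outside the field, then OR in the value."""
    a, n = _prep(bit_off, bit_len, value)
    keep = ~a.mask & ((1 << n) - 1)
    field = f"@{base},{a.byte_off * 8},{n}"
    return f"{field} set ({field} & {_hex(keep, n)}) | {_hex(value << a.shift, n)}"

def apply_set(header: bytes, bit_off: int, bit_len: int, value: int) -> bytes:
    """Perform the same read-modify-write on real bytes to see what it touches."""
    a, n = _prep(bit_off, bit_len, value)
    chunk = int.from_bytes(header[a.byte_off:a.byte_off + a.byte_len], "big")
    chunk = (chunk & ~a.mask & ((1 << n) - 1)) | (value << a.shift)
    out = bytearray(header)
    out[a.byte_off:a.byte_off + a.byte_len] = chunk.to_bytes(a.byte_len, "big")
    return bytes(out)
```

The model also handles fields that straddle a byte boundary (for example a field starting at bit 4 and 8 bits long is loaded as 16 bits with mask 0x0ff0), which is the general case of the two rules quoted above.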
