Re: Clarification of the procedure for filtering IP option fields

On Thu, Jan 30, 2025 at 06:49:41PM +0100, Pablo Neira Ayuso wrote:
> Hi,
> 
> On Thu, Jan 30, 2025 at 04:52:29PM +0300, Alexey Kashavkin wrote:
> > Hello, 
> > 
> > I am still figuring out the syntax for adding rules to filter IP
> > options. Please, if anyone has an understanding of how this works
> > give at least a short reply.
> 
> This 'type' field is redundant.
> 
> > I understand how the exthdr expression works in the kernel code. But
> > so far there is still a question about specifying the type field,
> > what is the purpose of this field here? There is also a question
> > about other fields, let's take for example the IP option LSRR, it
> > has an addr field. I assume, knowing this option from RFC791 it
> > specifies IP addresses, but in the case of nft it is not so, this
> > field has datatype integer.
> 
> Yes, this should be at least 32-bits.

Actually, this is 32-bits already:

# nft describe ip option lsrr addr
exthdr expression, datatype integer (integer), 32 bits
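Added example, not code from the thread, from nftables or from the kernel: a small Python decoder for the IPv4 option list that pulls out, on a constructed header, the fields that nft's `ip option` (exthdr) expression exposes for the source-route options (type, length, ptr, addr) and for router alert (type, length, value). It assumes, as I read the nftables option templates, that `addr` is the first 32-bit address slot immediately after the 3-byte type/length/pointer header, which is why `nft describe` reports a 32-bit integer; the `addr_to_nft_integer` helper and the rule string it builds assume a numeric literal is what nft expects for a plain integer field. Option type values are from RFC 791 and RFC 2113.

```python
"""Decode IPv4 options the way nft's "ip option" expression sees them.

Illustrative code only; it is not part of nftables or the kernel.
"""
import ipaddress
import struct

# Option type octets (copied flag | class | number), RFC 791 / RFC 2113.
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_RR = 7
IPOPT_LSRR = 131
IPOPT_SSRR = 137
IPOPT_RA = 148

# nft option names for the types handled here (assumed mapping).
NFT_OPTION_NAMES = {IPOPT_LSRR: "lsrr", IPOPT_SSRR: "ssrr",
                    IPOPT_RR: "rr", IPOPT_RA: "ra"}


def ipv4_options(packet: bytes) -> bytes:
    """Return the raw option bytes of an IPv4 header (empty when IHL == 5)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a sane IPv4 header")
    return packet[20:ihl]


def parse_options(opts: bytes) -> list:
    """Walk the option list; return [(type, body)] with body = whole option.

    EOL ends the list, NOP is a single byte, everything else is TLV where the
    length byte counts itself and the type byte, so anything < 2 or running
    past the end of the option area is malformed and rejected.
    """
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % t)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (t, length))
        out.append((t, opts[i:i + length]))
        i += length
    return out


def source_route_fields(body: bytes) -> dict:
    """type/length/ptr/addr of an LSRR, SSRR or RR option.

    addr is assumed to be the first 32-bit slot after the 3-byte header,
    matching the 32-bit integer that `nft describe ip option lsrr addr` shows.
    """
    if len(body) < 7:
        raise ValueError("source route option shorter than one address")
    (addr,) = struct.unpack("!I", body[3:7])
    return {"type": body[0], "length": body[1], "ptr": body[2],
            "addr": addr, "addr_str": str(ipaddress.IPv4Address(addr))}


def nft_view(packet: bytes) -> dict:
    """Per present option, the fields nft can match, keyed by nft's names."""
    view = {}
    for t, body in parse_options(ipv4_options(packet)):
        name = NFT_OPTION_NAMES.get(t)
        if name is None:
            continue
        if t == IPOPT_RA:
            if len(body) < 4:
                raise ValueError("router alert option too short")
            (value,) = struct.unpack("!H", body[2:4])
            view[name] = {"type": t, "length": body[1], "value": value}
        else:
            view[name] = source_route_fields(body)
    return view


def addr_to_nft_integer(dotted: str) -> int:
    """The 32-bit integer nft's lsrr/ssrr/rr addr field compares against."""
    return int(ipaddress.IPv4Address(dotted))


def lsrr_drop_rule(dotted: str) -> str:
    """Assumed nft syntax: the field is a 32-bit integer, so give it numerically."""
    return "ip option lsrr addr 0x%08x drop" % addr_to_nft_integer(dotted)


# Constructed sample header: IHL 8 (32 bytes), TTL 64, TCP, checksum left 0,
# options = NOP, LSRR with one hop 10.0.0.1 (ptr 4), router alert value 0.
SAMPLE_HEADER = bytes([
    0x48, 0x00, 0x00, 0x20,
    0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,
    198, 51, 100, 7,
    IPOPT_NOP,
    IPOPT_LSRR, 7, 4, 10, 0, 0, 1,
    IPOPT_RA, 4, 0, 0,
])

if __name__ == "__main__":
    for name, fields in nft_view(SAMPLE_HEADER).items():
        print(name, fields)
    print(lsrr_drop_rule("10.0.0.1"))
```

Running it on the constructed header reports `lsrr` with `addr` 167772161 (10.0.0.1) and `ra` with `value` 0; the same walk rejects an option whose length byte is below 2 or overruns the option area, which is the check a filter has to make before trusting the `ptr` and `addr` bytes.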
