* [nftables][ipv6] Header examination
From: Jeff Kletsky @ 2017-10-01 15:40 UTC (permalink / raw)
To: netfilter
In reading the nft man page and the wiki, it is not clear if the
'nexthdr' examines *all* of the header chain, or only the next header in
particular.
As one specific use case, I would like to block all packets which
contain next-header values of 43, 135, or 201, no matter where in the
header chain they occur.
Can someone confirm or deny if the straightforward
ip6 nexthdr 43 drop
will scan the complete header chain for *any* header 43?
In general, is such a nexthdr search robust to multiple instances of the
same header type, even if such a packet is arguably malformed? Namely,
will it scan *all* of the headers that potentially match, including
further qualification of the match past the header type?
Related: how can I inspect the *contents* of a header and its options?
I don't immediately see a way to, for example, select a packet based on
it having a specific Router Alert option value set.
I also would like to ensure that Pad1 and PadN options do not harbor a
backchannel; no payload (looks like 'length' covers part of this),
padding is all zeros, no more than five bytes of padding, no more than
one Pad1/N option. Yes, I realize that such packets are "wrong" -- that
is exactly why I want to block them.
On a side note -- If anyone else is wondering why the locally generated
man page isn't being installed, apparently the docbook2x package is
required or the generation of the man page is silently skipped.
Thanks,
Jeff Kletsky
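Added example (written for this page, not code from the thread or from the nftables project): a small Python walker over the IPv6 extension-header chain that makes the two points in the post concrete. The `ip6 nexthdr` expression compares the Next Header field at offset 6 of the fixed 40-byte IPv6 header, so it only sees the first header in the chain; the code below shows a constructed packet in which 43 (Routing) sits second in the chain behind a Hop-by-Hop header, checks every header in the chain against the post's list of 43, 135 and 201, reads the Router Alert option value out of an options header, and applies the post's Pad1/PadN policy (padding all zeros, at most one padding option, at most five bytes of padding). The sample packets, the `MAX_PAD_BYTES` limit and all function names are constructed for this example.

```python
import struct

# IPv6 extension header types that form the header chain (RFC 8200, RFC 4302, RFC 6275).
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 51, 60, 135
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY}
OPTION_HEADERS = {HOP_BY_HOP, DEST_OPTS}    # the two header types that carry TLV options
TCP = 6
ROUTER_ALERT = 5                            # option type, RFC 2711

BLOCKED = {43, 135, 201}                    # next-header values named in the post
MAX_PAD_BYTES = 5                           # policy from the post: at most five bytes of padding


def base_nexthdr(pkt):
    """Next Header field of the fixed IPv6 header: the only header 'ip6 nexthdr' looks at."""
    return pkt[6]


def walk_chain(pkt):
    """Walk the whole chain. Returns (chain, final_nh, final_off) where chain is a list of
    (header_type, offset, length) for each extension header and final_nh is what follows it."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain, nh, off = [], pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        if nh == FRAGMENT:
            hlen = 8                        # fixed size, no length field
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4   # AH length is in 32-bit words, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8   # Hdr Ext Len in 8-octet units, excluding the first 8
        if off + hlen > len(pkt):
            raise ValueError("extension header at offset %d runs past packet end" % off)
        chain.append((nh, off, hlen))
        nh, off = pkt[off], off + hlen
    return chain, nh, off


def header_types(pkt):
    """Every header type anywhere in the chain, including the final upper-layer protocol."""
    chain, final_nh, _ = walk_chain(pkt)
    return {h for h, _, _ in chain} | {final_nh}


def iter_options(pkt, off, hlen):
    """Yield (option_type, body) for each TLV option of a Hop-by-Hop or Destination Options header."""
    opts = pkt[off + 2:off + hlen]          # options follow Next Header + Hdr Ext Len
    i = 0
    while i < len(opts):
        otype = opts[i]
        if otype == 0:                      # Pad1: one zero byte, no length and no body
            yield otype, b""
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at %d" % i)
        olen = opts[i + 1]
        body = opts[i + 2:i + 2 + olen]
        if len(body) != olen:
            raise ValueError("option body overruns header")
        yield otype, body
        i += 2 + olen


def check_padding(pkt, off, hlen, max_pad=MAX_PAD_BYTES):
    """Apply the post's padding policy to one options header. Returns (ok, reason)."""
    pad_opts = pad_bytes = 0
    for otype, body in iter_options(pkt, off, hlen):
        if otype == 0:                      # Pad1
            pad_opts, pad_bytes = pad_opts + 1, pad_bytes + 1
        elif otype == 1:                    # PadN: the body must be all zeros
            pad_opts, pad_bytes = pad_opts + 1, pad_bytes + 2 + len(body)
            if any(body):
                return False, "non-zero PadN payload %s" % body.hex()
    if pad_opts > 1:
        return False, "%d padding options" % pad_opts
    if pad_bytes > max_pad:
        return False, "%d bytes of padding" % pad_bytes
    return True, "ok"


def router_alert_value(pkt):
    """Router Alert option value from the first options header that carries one, else None."""
    chain, _, _ = walk_chain(pkt)
    for htype, off, hlen in chain:
        if htype in OPTION_HEADERS:
            for otype, body in iter_options(pkt, off, hlen):
                if otype == ROUTER_ALERT and len(body) == 2:
                    return struct.unpack("!H", body)[0]
    return None


def audit_packet(pkt, blocked=BLOCKED):
    """(drop, reason) for the post's policy applied over the whole chain; malformed input is dropped."""
    try:
        chain, final_nh, final_off = walk_chain(pkt)
        for htype, off, _ in chain + [(final_nh, final_off, 0)]:
            if htype in blocked:
                return True, "blocked header %d at offset %d" % (htype, off)
        for htype, off, hlen in chain:
            if htype in OPTION_HEADERS:
                ok, reason = check_padding(pkt, off, hlen)
                if not ok:
                    return True, "bad padding in header %d: %s" % (htype, reason)
    except ValueError as exc:
        return True, "malformed: %s" % exc
    return False, "ok"


def _ipv6(payload_len, nh):
    """Constructed fixed IPv6 header with ::1 as both source and destination (sample data)."""
    return struct.pack("!IHBB", 0x60000000, payload_len, nh, 64) + (bytes(15) + b"\x01") * 2


_HBH_OPTS = b"\x05\x02\x00\x00" + b"\x01\x00"   # Router Alert (value 0) + a 2-byte PadN
_RT0 = bytes([TCP, 0, 0, 0]) + bytes(4)         # minimal 8-byte Routing header, then TCP
_TCP = bytes(20)                                # placeholder transport header
# Constructed: Hop-by-Hop -> Routing (43) -> TCP; the base Next Header is 0, not 43.
SAMPLE_HIDDEN_RT = _ipv6(36, HOP_BY_HOP) + bytes([ROUTING, 0]) + _HBH_OPTS + _RT0 + _TCP
# Constructed: Hop-by-Hop whose PadN carries "ABCD" instead of zeros -> TCP.
SAMPLE_COVERT_PAD = _ipv6(28, HOP_BY_HOP) + bytes([TCP, 0]) + b"\x01\x04ABCD" + _TCP
# Constructed: Hop-by-Hop with Pad1 followed by PadN (two padding options) -> TCP.
SAMPLE_DOUBLE_PAD = _ipv6(28, HOP_BY_HOP) + bytes([TCP, 0]) + b"\x00\x01\x03" + bytes(3) + _TCP
# Constructed: Hop-by-Hop with Router Alert and one small PadN -> TCP.
SAMPLE_CLEAN = _ipv6(28, HOP_BY_HOP) + bytes([TCP, 0]) + _HBH_OPTS + _TCP

if __name__ == "__main__":
    for name, pkt in [("hidden routing header", SAMPLE_HIDDEN_RT), ("covert PadN", SAMPLE_COVERT_PAD),
                      ("double padding", SAMPLE_DOUBLE_PAD), ("clean", SAMPLE_CLEAN)]:
        print("%-22s base nexthdr=%3d chain=%-12s router alert=%s verdict=%s" % (
            name, base_nexthdr(pkt), sorted(header_types(pkt)), router_alert_value(pkt), audit_packet(pkt)))
```

The first sample is the case the post worries about: a comparison of the base header's Next Header field sees 0 (Hop-by-Hop) and never 43, while the chain walk finds the Routing header at offset 48. The walker sizes each header from its own length field and refuses anything that runs past the end of the packet, so a truncated or self-overlapping chain is dropped as malformed rather than silently matched.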
* Re: [nftables][ipv6] Header examination
From: J Doe @ 2017-10-02 16:20 UTC (permalink / raw)
To: Jeff Kletsky; +Cc: netfilter
> On Oct 1, 2017, at 11:40 AM, Jeff Kletsky <netfilter@allycomm.com> wrote:
>
> On a side note -- If anyone else is wondering why the locally generated man page isn't being installed, apparently the docbook2x package is required or the generation of the man page is silently skipped.
Hi Jeff,
I experienced the same thing when building nftables 0.7, which is the tar.gz version on the website. Does this also happen on checkout from git?
Thanks,
- J
* Re: [nftables][ipv6] Header examination
From: Duncan Roe @ 2017-10-05 22:02 UTC (permalink / raw)
To: netfilter
On Mon, Oct 02, 2017 at 12:20:44PM -0400, J Doe wrote:
>
> > On Oct 1, 2017, at 11:40 AM, Jeff Kletsky <netfilter@allycomm.com> wrote:
> >
> > On a side note -- If anyone else is wondering why the locally generated
> > man page isn't being installed, apparently the docbook2x package is
> > required or the generation of the man page is silently skipped.
>
> Hi Jeff,
>
> I experienced the same thing when building nftables 0.7, which is the tar.gz
> version on the website. Does this also happen on checkout from git ?
>
> Thanks,
>
> - J
Builds fine for me, but I have linuxdoc-tools installed (provides
/usr/bin/docbook2x-{man,texi})
Cheers ... Duncan.