Re: IPv4 Evil Bit

["Marek Küthe" <m-k-mailling-list@mk16.de>]

[-- Attachment #1: Type: text/plain, Size: 2491 bytes --]

On Wed, 7 Jun 2023 10:38:23 -0400
Paul Robert Marino <prmarino1@gmail.com> wrote:

> Answering the first question i think you may be looking for sets
> https://wiki.nftables.org/wiki-nftables/index.php/Sets

Thanks for the answer. Is there a possibility to combine sets (i.e. to
perform a kind of merge)?
iifname @dnet_interfaces oifname {
@client_interfaces, @dnet_interfaces } goto dnet_forward;

> 
> As for the second one RFC3514 implementing that is a bad idea for a
> number of reasons which is why as far as I know nothing implements it,
> it's too easy for a bad actor to take advantage of. In fact it was
> actually an april fools joke RFC. There are a lot of those and some
> people confuse them as being legitimate but they are not. if you see
> an RFC with a publish date of April 1st any year don't take it
> seriously.
> AGAIN I CAN NOT STRESS THIS POINT ENOUGH THAT RFC (RFC3514 ) WAS
> WRITTEN AS AN APRIL FOOLS JOKE!!!!!.

I know this RFC is intended as an April Fool's joke. However, I would
like to see how many requests I get with the Evil Bit. And how many
requests I forward for the dn42 with the Evil Bit.

How could a malicious actor have the advantage if I log this bit? Or do
you mean that I shouldn't rely on malicious requests having that bit?

"Inspired" me to this idea was
https://blog.benjojo.co.uk/post/evil-bit-RFC3514-real-world-usage.

> 
> On Wed, Jun 7, 2023 at 8:12 AM Marek Küthe <m-k-mailling-list@mk16.de> wrote:
> >
> > Hello,
> >
> > I hope I am in the right place. I have two questions about nftables:
> >
> > 1) Is it possible to perform OR operations in nftables? For example
> > `ip6 saddr ::/128 OR ip saddr 127.0.0.1/8 accept;` As far as I
> > understand it, everything else is concatenated with AND.
> >
> > 2) I want to see how many IPv4 packets I can get with the Evil Bit
> > (RFC3514). Since there seems to be no native function for this in
> > nftables, I seem to have to use raw payload expression. So I have
> > set up the following:
> >
> > @th,6,1 & 0x80 = 0x80 \
> >     log prefix "[nftables] Evil bit: " counter reject;
> >
> > However, `Error: syntax error, unexpected '='` appears. What is the
> > reason for this? How can I formulate this expression correctly?
> >
> > I would really appreciate your answers!
> >
> > Greetings
> > Marek Küthe
> >
> > --
> > Marek Küthe
> > m.k@mk16.de
> > er/ihm he/him  


-- 
Marek Küthe
m.k@mk16.de
er/ihm he/him

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]