From: Florian Westphal
To: Fernando Fernandez Mancera
Cc: "Remy D. Farley", "netfilter-devel@vger.kernel.org"
Subject: Re: iptables: zero dereference parsing bitwise operations
Date: Tue, 14 Oct 2025 17:29:11 +0200

Fernando Fernandez Mancera wrote:
> >> Hi Remy, could you share the full output of:
> >>
> >> 'nft --debug=netlink list ruleset'
> >>
> >> This will allow me to understand what is the generated bytecode and an
> >> easy way to reproduce this with libnftnl. I am happy to investigate/fix
> >> this on the nft/libnftnl/kernel side :)
> >
> > Hi Fernando,
> >
> > Not sure if it's worth investigating, but here you go.
> >
>
> I have reproduced this and confirmed that the right source register is
> being set (NFT_REG_1) and that libnftnl is reporting it correctly. The
> problem is on the nft command-line tool side. I do not think it is worth
> going deeper as it is probably related to nftables not being able to
> delinearize this rule as it is not supported by nft itself.

What the rule is doing is supported, but nft will transform it to use
xor/and, as that will work on all nf_tables versions rather than only
kernels that support NFT_BITWISE_OR.

I think it would be possible to extend netlink_delinearize.c to support
it, but it's technically not needed.

nft can also not be expected to ever be able to make sense of a ruleset
generated by something else; there is just too much variance to always
be able to map this back to nft grammar.
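Florian's point above is that nft expresses a bitwise OR with a constant through the older mask/xor (NFT_BITWISE_BOOL) form so the rule loads on kernels without NFT_BITWISE_OR. The following is an added C example, not code from this thread or from nftables, that spells out one such encoding for AND, OR and XOR and checks it exhaustively against the direct operations; the `bool_params_for` mapping is my own assumption of how the fold works, not a copy of nft's linearizer.

```c
#include <stdint.h>
#include <stdbool.h>

/* NFT_BITWISE_BOOL, present in every nf_tables kernel: (reg & mask) ^ xor. */
static uint32_t nft_bitwise_bool(uint32_t reg, uint32_t mask, uint32_t xor)
{
    return (reg & mask) ^ xor;
}

/* Encoding a constant AND/OR/XOR as a mask/xor pair. This is my own
 * reading of how such ops fold into the BOOL form (an assumption, not
 * code lifted from nftables' linearizer). */
enum bitop { BITOP_AND, BITOP_OR, BITOP_XOR };
struct bool_params { uint32_t mask, xor; };

static struct bool_params bool_params_for(enum bitop op, uint32_t val)
{
    struct bool_params p = { .mask = UINT32_MAX, .xor = 0 };
    switch (op) {
    case BITOP_AND: p.mask = val;               break; /* reg & val          */
    case BITOP_OR:  p.mask = ~val; p.xor = val; break; /* (reg & ~val) ^ val */
    case BITOP_XOR: p.xor = val;                break; /* reg ^ val          */
    }
    return p;
}

/* Reference semantics of the dedicated ops; NFT_BITWISE_OR only exists on
 * newer kernels, which is why nft emits the BOOL form instead. */
static uint32_t reference(enum bitop op, uint32_t reg, uint32_t val)
{
    return op == BITOP_AND ? reg & val : op == BITOP_OR ? reg | val : reg ^ val;
}

/* Exhaustively compare both forms for every 8-bit reg/val pair, placed in
 * each of the four byte lanes of the 32-bit register. */
static bool encodings_equivalent(void)
{
    for (int op = BITOP_AND; op <= BITOP_XOR; op++)
        for (int lane = 0; lane < 32; lane += 8)
            for (uint32_t v = 0; v < 256; v++) {
                struct bool_params p = bool_params_for(op, v << lane);
                for (uint32_t r = 0; r < 256; r++)
                    if (nft_bitwise_bool(r << lane, p.mask, p.xor) !=
                        reference(op, r << lane, v << lane))
                        return false;
            }
    return true;
}
```

A delinearizer that only knows the mask/xor pair would have to recognise the `mask == ~xor` pattern to print it back as an OR, which is the mapping Florian says is possible but not needed.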