From: Phil Sutter <phil@nwl.cc>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
fw@strlen.de, pablo@netfilter.org
Subject: Re: [PATCH nf-next v3] netfilter: nf_tables: add math expression support
Date: Wed, 4 Feb 2026 17:07:08 +0100 [thread overview]
Message-ID: <aYNurHgLqfnX07NB@orbyte.nwl.cc> (raw)
In-Reply-To: <20260204152358.11396-1-fmancera@suse.de>
Hi Fernando,
On Wed, Feb 04, 2026 at 04:23:58PM +0100, Fernando Fernandez Mancera wrote:
> Historically, users have requested support for increasing and decreasing
> TTL value in nftables in order to migrate from iptables.
>
> Following the nftables spirit of flexible and multipurpose expressions,
> this patch introduces "nft_math" expression. This expression allows to
> increase and decrease u32, u16 and u8 values stored in the nftables
> registers.
>
> The math expression intends to be flexible enough in case it needs to be
> extended in the future, e.g implement bitfields operations. For this
> reason, the length of the data is indicated in bits instead of bytes.
>
> When loading a u8 or u16 payload into a register we don't know if the
> value is stored at least significant byte or most significant byte. In
> order to handle such cases, introduce a bitmask indicating what is the
> target bit and also use it to handle limits to prevent overflow.
This part puzzles me. IMO byteorder conversion is needed for arithmetic
on multi-byte values in non-host byte order.
Since nftables only knows host byte order and network byte order, the
only case to consider is Little Endian host with NBO data. Registers are
filled "from left to right", so (u16)0x1337 and (u32)0xfeedbabe look
like this when stored in Network Byte Order in registers:
{ 0x13, 0x37, 0x00, 0x00 }
{ 0xfe, 0xed, 0xba, 0xbe }
Interpreting those buffers as u16/u32 on Little Endian results in values
0x3713 and 0xbebaedfe. Any increment/decrement on those values leads to
wrong results.
Maybe there's a hidden secret in 'bit_unit', but even if you calculate
the right value to add/subtract from the right byte (0x100 and 0x1000000
in our examples), a possible carry-over bumps the wrong byte.
Assuming that I didn't entirely miss the point you might want to have a
look at recent libnftnl/nftables commits informing libnftnl of payload
byteorder for host byteorder independent debug output (with correct
values). Particularly interesting are nftnl_*_set_imm() functions. Maybe
this allows you to annotate math expression with data byteorder so it
may perform byteorder conversion as needed.
Cheers, Phil
next prev parent reply other threads:[~2026-02-04 16:07 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-04 15:23 [PATCH nf-next v3] netfilter: nf_tables: add math expression support Fernando Fernandez Mancera
2026-02-04 16:07 ` Phil Sutter [this message]
2026-02-04 16:44 ` Fernando Fernandez Mancera
2026-02-04 17:23 ` Phil Sutter
2026-02-09 12:14 ` Fernando Fernandez Mancera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aYNurHgLqfnX07NB@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=coreteam@netfilter.org \
--cc=fmancera@suse.de \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.