From: Florian Westphal <fw@strlen.de>
To: Phil Sutter <phil@nwl.cc>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, Eric Garver <e@erig.me>,
netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH] src: Implement ip {s,d}addr6 expressions
Date: Tue, 9 Dec 2025 17:04:10 +0100
Message-ID: <aThIerDrhFoaCiJB@strlen.de>
In-Reply-To: <20251209154048.26338-1-phil@nwl.cc>

Phil Sutter <phil@nwl.cc> wrote:
> These are pseudo payload expressions which represent an IPv4 packet's
> source or destination address as an IPv4-mapped IPv6 address as
> described in RFC4291 section 2.5.5.2[1]. It helps sharing ruleset
> elements like IP address-based sets/maps between rules for IPv4 and IPv6
> traffic.

OK, but why do we need a new keyword for this?

> +ip saddr6 ::ffff:1.2.3.4;ok
> +ip daddr6 ::ffff:1.2.3.4;ok
> +ip saddr6 { ::ffff:1.2.3.4, feed::c0:ff:ee };ok
> +ip daddr6 { ::ffff:1.2.3.4, feed::c0:ff:ee };ok
> +ip saddr6 ::ffff:1.2.3.4 ip daddr 5.6.7.8;ok

None of these examples make sense to me. How is this useful?

> --- a/tests/py/ip/ip.t.payload
> +++ b/tests/py/ip/ip.t.payload
> @@ -413,6 +413,40 @@ ip test-ip4 input
> [ bitwise reg 1 = ( reg 1 & 0xffff0000 ) ^ 0x00000000 ]
> [ cmp eq reg 1 0xffff0000 ]
>
> +# ip saddr6 ::ffff:1.2.3.4
> +ip test-ip4 input
> + [ immediate reg 1 0x00000000 0x00000000 0x0000ffff ]
> + [ payload load 4b @ network header + 12 => reg 11 ]
> + [ cmp eq reg 1 0x00000000 0x00000000 0x0000ffff 0x01020304 ]
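
Review bot: in the ip saddr6 ::ffff:1.2.3.4 case the cmp reads four words from reg 1 while the address itself is loaded into reg 11, so the expected bytecode is only correct if reg 11 is the last 32 bits of reg 1, and nothing in the test or the commit message says so. A sentence in the commit message on that register layout would help readers of the dump, and it should also say why three expressions are emitted to match a single fixed address.
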

It's just a more expensive way to express 'ip saddr 1.2.3.4'?

What would be useful is:

set s {
	typeof ip6 saddr
	...
}

nft add element inet t s { 1.2.3.4 }

... which makes nft autotranslate to '::ffff:1.2.3.4', combined
with

add rule inet t c ip saddr @s ...

... where, instead of rejecting this for the wrong size, autopads
the lookup, i.e.

  [ immediate reg 1 0x00000000 0x00000000 0x0000ffff ]
  [ payload load 4b @ network header + 12 => reg 11 ]
  [ lookup ...
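
The lookup sketched in the message above, modelled in user space as an added example (not code from nft, the kernel or anyone in this thread): IPv4 set elements are stored IPv4-mapped, and the 4 bytes at network header + 12 are padded to the 16-byte key size before the lookup. All function names and the sample headers are constructed for illustration.

```python
import ipaddress
import struct

# ::ffff:0:0/96 prefix of an IPv4-mapped IPv6 address (RFC 4291 section 2.5.5.2)
V4MAPPED_PREFIX = bytes(10) + b"\xff\xff"

def element_key(text):
    """16-byte key for a set element; an IPv4 element is stored IPv4-mapped."""
    addr = ipaddress.ip_address(text)
    return V4MAPPED_PREFIX + addr.packed if addr.version == 4 else addr.packed

def ipv4_saddr_key(header):
    """Pad the 4 bytes at network header + 12 up to the set's 16-byte key size."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return V4MAPPED_PREFIX + header[12:16]

def ipv6_saddr_key(header):
    """The 16 bytes at network header + 8 already have the key size."""
    if len(header) < 40 or header[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    return header[8:24]

def make_ipv4_header(src, dst):
    """Constructed sample input: minimal 20-byte IPv4 header, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def make_ipv6_header(src, dst):
    """Constructed sample input: 40-byte IPv6 header with no payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

# One set shared by IPv4 and IPv6 rules, as in the "typeof ip6 saddr" sketch
SHARED_SET = {element_key(e) for e in ("1.2.3.4", "feed::c0:ff:ee")}

if __name__ == "__main__":
    v4 = make_ipv4_header("1.2.3.4", "5.6.7.8")
    v6 = make_ipv6_header("feed::c0:ff:ee", "2001:db8::1")
    print(struct.unpack("!4I", ipv4_saddr_key(v4)))  # key as four 32-bit words
    print(ipv4_saddr_key(v4) in SHARED_SET, ipv6_saddr_key(v6) in SHARED_SET)
    print(ipv4_saddr_key(make_ipv4_header("5.6.7.8", "1.2.3.4")) in SHARED_SET)
```
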

Thread overview: 2+ messages
2025-12-09 15:40 [nft PATCH] src: Implement ip {s,d}addr6 expressions Phil Sutter
2025-12-09 16:04 ` Florian Westphal