From: Alexey Kashavkin <akashavkin@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter@vger.kernel.org, ssuryaextr@gmail.com
Subject: Re: Clarification of the procedure for filtering IP option fields
Date: Fri, 31 Jan 2025 02:23:36 +0300	[thread overview]
Message-ID: <BCA1A218-C8C5-4CB4-91A8-8237EF440CE5@gmail.com> (raw)
In-Reply-To: <Z5u_wv3bfDkRKLXE@calendula>

> On 30 Jan 2025, at 21:06, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> This is what you mean:
> 
> # nft describe ip option lsrr addr
> exthdr expression, datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits
> <ip-option-use-ipv4-type.patch>

Yes, changing the data type for the addr field in the templates with this macro makes it more user friendly and allows the user to specify the first IP address in the IP option in the network packet as the value of the addr field.

# nft list table ip ipopt
table ip ipopt {
        chain ipopt {
                ip option lsrr addr 192.168.0.11 drop
                ip option lsrr addr 10.0.0.1 drop
                ip option lsrr length 11 counter packets 0 bytes 0 drop
        }
}

I assume that Stefan converted the IP to a decimal number and then already specified the resulting value in the addr field.
For example, like this:

# echo '192*2^24 + 168*2^16 + 0 + 11' | bc
3232235531
# echo '10*2^24 + 0 + 0 + 1' | bc
167772161

# nft add rule ip ipopt_t test_ipopt_c ip option lsrr addr 3232235531 drop
# nft add rule ip ipopt_t test_ipopt_c ip option lsrr addr 167772161 drop

table ip ipopt_t {
        chain ipopt_c {
                ip option lsrr addr 3232235531 drop
                ip option lsrr addr 167772161 drop
                ip option lsrr length 11 counter packets 0 bytes 0 drop
        }
}

Without the type field in the templates as a token for bison and ipaddr_type as the data type, this functionality in nft becomes more correct according to RFC791.

Thank you for the clarification.
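The conversion and the matching discussed in this thread, as an added example that is not part of the thread or of nftables itself: the block below converts between the dotted-quad form accepted after the datatype change and the plain integer form the rules above used, and parses the LSRR option (type 131, per RFC 791: type, length, pointer, then 4-byte route addresses, so length 11 means two addresses) out of a constructed IPv4 header to show which bytes `ip option lsrr addr` and `ip option lsrr length` compare against. The sample packet and the helper names are constructed for this illustration.

```python
import ipaddress
import struct

IPOPT_EOL = 0     # End of Option List (RFC 791)
IPOPT_NOP = 1     # No Operation, single byte
IPOPT_LSRR = 131  # Loose Source and Record Route: copied=1, class=0, number=3


def ipv4_to_int(addr: str) -> int:
    """Dotted-quad -> 32-bit integer, the value older rules had to spell out."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ipv4(value: int) -> str:
    """Inverse of ipv4_to_int, for reading back an integer rule value."""
    return str(ipaddress.IPv4Address(value))


def ip_options(packet: bytes) -> bytes:
    """Return the options area of an IPv4 header, located via the IHL field."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    return packet[20:ihl]


def parse_lsrr(options: bytes):
    """Walk the options area and return the LSRR fields, or None if absent.

    Returned 'addr' is the first route address, which is what the nft
    'ip option lsrr addr' field compares against; 'length' is the option
    length byte compared by 'ip option lsrr length'.
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind == IPOPT_LSRR:
            # RFC 791: 3 fixed bytes (type, length, pointer) + 4 bytes per address
            if length < 3 or (length - 3) % 4 != 0:
                raise ValueError("LSRR length must be 3 + 4*n")
            route = options[i + 3:i + length]
            addrs = [str(ipaddress.IPv4Address(route[j:j + 4]))
                     for j in range(0, len(route), 4)]
            return {
                "length": length,
                "pointer": options[i + 2],
                "addrs": addrs,
                "addr": addrs[0] if addrs else None,
                "addr_int": ipv4_to_int(addrs[0]) if addrs else None,
            }
        i += length
    return None


def lsrr_addr_matches(packet: bytes, rule_addr) -> bool:
    """Emulate 'ip option lsrr addr <rule_addr>' for a dotted or integer value."""
    lsrr = parse_lsrr(ip_options(packet))
    if lsrr is None:
        return False
    wanted = rule_addr if isinstance(rule_addr, int) else ipv4_to_int(rule_addr)
    return lsrr["addr_int"] == wanted


# Constructed sample: IPv4 header with IHL=8 (32 bytes), carrying an LSRR
# option of length 11 (two addresses) followed by one EOL pad byte.
LSRR_OPTION = (bytes([IPOPT_LSRR, 11, 4])
               + ipaddress.IPv4Address("192.168.0.11").packed
               + ipaddress.IPv4Address("10.0.0.1").packed
               + bytes([IPOPT_EOL]))
SAMPLE_PACKET = struct.pack("!BBHHHBBH4s4s",
                            0x48, 0, 32, 0, 0, 64, 6, 0,
                            ipaddress.IPv4Address("172.16.0.2").packed,
                            ipaddress.IPv4Address("172.16.0.1").packed) + LSRR_OPTION


if __name__ == "__main__":
    print(ipv4_to_int("192.168.0.11"), ipv4_to_int("10.0.0.1"))
    print(parse_lsrr(ip_options(SAMPLE_PACKET)))
    print(lsrr_addr_matches(SAMPLE_PACKET, "192.168.0.11"),
          lsrr_addr_matches(SAMPLE_PACKET, 3232235531))
```

Both spellings of the rule value select the same packets: the dotted form is converted to the same 32-bit integer that the earlier rules wrote out by hand, and only the first address of the option is compared.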

Thread overview: 6+ messages
2024-12-31 10:54 Clarification of the procedure for filtering IP option fields Alexey Kashavkin
2025-01-30 13:52 ` Alexey Kashavkin
2025-01-30 17:49   ` Pablo Neira Ayuso
2025-01-30 17:52     ` Pablo Neira Ayuso
2025-01-30 18:06       ` Pablo Neira Ayuso
2025-01-30 23:23         ` Alexey Kashavkin [this message]
