Linux Netfilter discussions
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Sunny73Cr <Sunny73Cr@protonmail.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Raw payload expressions are mangled
Date: Tue, 3 Sep 2024 11:43:50 +0200	[thread overview]
Message-ID: <ZtbaVgOFLwFIr4ve@calendula> (raw)
In-Reply-To: <DZC45RRhLNfzeCW9I6ahm9glqdw7JeVCHAtNRmJKEGsvLMzUaU1kI-yv-5rVp2mJq3dJPyHN2yWVbSiwc7JWWvZOf4GXBmtiPpYZS9zVKEo=@protonmail.com>

On Tue, Sep 03, 2024 at 07:58:56AM +0000, Sunny73Cr wrote:
> Hi, I am attempting to match ntpv4 replies inbound to my machine; like so:
> 
> udp sport 123 dport 123 @ih,2,3 0x4 @ih,5,3 0x4 @ih,8,8 0x1
> 
> In English, this is: "ntpv4 mode server stratum 1" (there are additional checks for poll, precision and reference, though they're not necessary here)
> 
> After loading the rule (among others) with /usr/sbin/nft -f (in a config file) on Debian 12 Bookworm (not yet updated); the rule shows as:
> 
> ip daddr 10.0.0.5 udp sport 123 udp dport 123 ct state established meta skuid 996 @ih,0,8 & 0x38 == 0x20 @ih,0,8 & 0x7 == 0x4 @ih,8,8 0x1
> 
> It seems bit-level checks were aligned to '8 bit boundaries'. The resulting expression is technically correct, though it is (as far as I'm aware), only minimally faster.

Raw expressions only support operations at byte boundaries; you have to
use the bitwise (&) expression to narrow down the scope of your matching.

> I would prefer the output to remain as I had typed; as I did not ask for NFT to optimise the ruleset as of yet, and I need to spend much more time validating the configuration.
>
> Is this optimisation able to be toggled off?

No.

You can file a bugzilla ticket to request an enhancement, maybe
someone will pick it up at some point.
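As an added illustration (not code from the thread or from nftables), the following reproduces the byte-aligned rewrite shown in the listing: a sub-byte raw payload match such as `@ih,2,3 0x4` becomes `@ih,0,8 & 0x38 == 0x20`, and a match on a constructed NTP header confirms both forms select the same packets. The `byte_align` / `render` / `field_matches` names are hypothetical, and the extension to fields that straddle a byte boundary (read as a big-endian word) is an assumption, not nft's documented output.

```python
# Added example: models how nft rewrites sub-byte raw payload matches into
# byte-aligned bitwise matches. Names and the multi-byte case are assumptions.

def byte_align(bit_offset: int, bit_len: int, value: int):
    """Map a match of bit_len bits at bit_offset (MSB-first, as nft counts)
    to (byte_aligned_offset, aligned_len, mask, shifted_value)."""
    if bit_len <= 0 or value < 0 or value >= (1 << bit_len):
        raise ValueError("value does not fit in the field")
    byte_off = bit_offset // 8
    # number of whole bytes needed to cover the field (assumed: big-endian word)
    nbytes = ((bit_offset % 8) + bit_len + 7) // 8
    total_bits = nbytes * 8
    shift = total_bits - (bit_offset % 8) - bit_len
    mask = ((1 << bit_len) - 1) << shift
    return byte_off * 8, total_bits, mask, value << shift


def render(bit_offset: int, bit_len: int, value: int, base: str = "ih") -> str:
    """Render the match the way the listing in the thread shows it."""
    off, ln, mask, val = byte_align(bit_offset, bit_len, value)
    if mask == (1 << ln) - 1:          # full-width field: no mask needed
        return f"@{base},{off},{ln} {val:#x}"
    return f"@{base},{off},{ln} & {mask:#x} == {val:#x}"


def field_matches(payload: bytes, bit_offset: int, bit_len: int, value: int) -> bool:
    """Evaluate the byte-aligned form against a payload, as the kernel would."""
    off, ln, mask, val = byte_align(bit_offset, bit_len, value)
    word = int.from_bytes(payload[off // 8:(off + ln) // 8], "big")
    return word & mask == val


# Constructed NTPv4 header bytes: LI=0, VN=4, mode=4 (server) -> 0x24, stratum 1.
NTP_SERVER_STRATUM1 = bytes([0x24, 0x01, 0x00, 0x00])
# Constructed client request: LI=0, VN=4, mode=3 -> 0x23.
NTP_CLIENT = bytes([0x23, 0x00, 0x00, 0x00])

# The three checks from the original rule, in the order the user typed them.
RULE = [(2, 3, 0x4), (5, 3, 0x4), (8, 8, 0x1)]


def rule_matches(payload: bytes) -> bool:
    return all(field_matches(payload, *f) for f in RULE)


if __name__ == "__main__":
    print(" ".join(render(*f) for f in RULE))
    print(rule_matches(NTP_SERVER_STRATUM1), rule_matches(NTP_CLIENT))
```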


Thread overview: 4+ messages
2024-09-03  7:58 Raw payload expressions are mangled Sunny73Cr
2024-09-03  9:43 ` Pablo Neira Ayuso [this message]
2025-01-28  5:48   ` Sunny73Cr
2025-01-28 12:29     ` Sunny73Cr
