Linux Netfilter discussions
* Raw payload expressions are mangled
@ 2024-09-03  7:58 Sunny73Cr
From: Sunny73Cr @ 2024-09-03  7:58 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Hi, I am attempting to match ntpv4 replies inbound to my machine; like so:

udp sport 123 dport 123 @ih,2,3 0x4 @ih,5,3 0x4 @ih,8,8 0x1

In English, this is: "ntpv4 mode server stratum 1" (there are additional checks for poll, precision and reference, though they're not necessary here)

After loading the rule (among others) with /usr/sbin/nft -f (in a config file) on Debian 12 Bookworm (not yet updated); the rule shows as:

ip daddr 10.0.0.5 udp sport 123 udp dport 123 ct state established meta skuid 996 @ih,0,8 & 0x38 == 0x20 @ih,0,8 & 0x7 == 0x4 @ih,8,8 0x1

It seems bit-level checks were aligned to '8 bit boundaries'. The resulting expression is technically correct, though it is (as far as I'm aware), only minimally faster.

I would prefer the output to remain as I had typed; as I did not ask for NFT to optimise the ruleset as of yet, and I need to spend much more time validating the configuration.

Is this optimisation able to be toggled off?

Regards,
Sunny73cr


* Re: Raw payload expressions are mangled
@ 2024-09-03  9:43 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2024-09-03  9:43 UTC (permalink / raw)
  To: Sunny73Cr; +Cc: netfilter@vger.kernel.org

On Tue, Sep 03, 2024 at 07:58:56AM +0000, Sunny73Cr wrote:
> Hi, I am attempting to match ntpv4 replies inbound to my machine; like so:
> 
> udp sport 123 dport 123 @ih,2,3 0x4 @ih,5,3 0x4 @ih,8,8 0x1
> 
> In english, this is: "ntpv4 mode server stratum 1" (there are additional checks for poll, precision and reference, though they're not neccesary here)
> 
> After loading the rule (among others) with /usr/sbin/nft -f (in a config file) on Debian 12 Bookworm (not yet updated); the rule shows as:
> 
> ip daddr 10.0.0.5 udp sport 123 udp dport 123 ct state established meta skuid 996 @ih,0,8 & 0x38 == 0x20 @ih,0,8 & 0x7 == 0x4 @ih,8,8 0x1
> 
> It seems bit-level checks were aligned to '8 bit boundaries'. The resulting expression is technically correct, though it is (as far as I'm aware), only minimally faster.

Raw expressions only support operations at byte boundaries; you have to
use a bitwise (&) expression to narrow down the scope of your matching.

> I would prefer the output to remain as I had typed; as I did not ask for NFT to optimise the ruleset as of yet, and I need to spend much more time validating the configuration.
>
> Is this optimisation able to be toggled off?

No.

You can file a bugzilla ticket to request an enhancement, maybe
someone will pick it up at some point.


* Re: Raw payload expressions are mangled
@ 2025-01-28  5:48   ` Sunny73Cr
From: Sunny73Cr @ 2025-01-28  5:48 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter@vger.kernel.org

The rule translation results in matching the binary:
"0b0001010000000001"

It should be "0b0010010000000001"

or really any selection from:

"0b0010010000000001"
"0b0110010000000001"
"0b1010010000000001"
"0b1110010000000001"

in order to match an "indeterminate LI"; as my rule was not concerned with this value.

I cannot reason as to why VN is matched as 2 instead of 4.

sunny


* Re: Raw payload expressions are mangled
@ 2025-01-28 12:29     ` Sunny73Cr
From: Sunny73Cr @ 2025-01-28 12:29 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter@vger.kernel.org

> I cannot reason as to why VN is matched as 2 instead of 4.

I was incorrect when I manually translated the rule.

It still stands that LI must be zero for the rule to match.

sunny

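As an added example (not nftables code, and not from any of the posters), here is the lowering nft applies to a bit-field raw payload match, written out in Python in its general form (fields that straddle a byte boundary included), together with an evaluation of the thread's NTP rule against constructed first bytes; it assumes the bit numbering nft's output implies, MSB first within the inner header. Running it shows that the mask 0x38 leaves the two LI bits unconstrained, so all four LI values match once VN=4, mode=4 and stratum=1.

```python
# Lowering of '@ih,OFF,LEN == VALUE' to the byte-aligned form nft prints
# ('@ih,BYTE_OFF,BITS & MASK == CMP'), plus evaluation against raw payload.
# Illustration written for this thread; the MSB-first bit numbering is an
# assumption checked against the translated rule quoted in the thread.

def lower_bitfield(bit_off: int, bit_len: int, value: int):
    """Return (byte_off, byte_len, mask, cmp) for a bit-field equality match.

    The load covers every byte the field touches, and mask/cmp are sized to
    that load, so a field crossing a byte boundary becomes a 16-bit compare.
    """
    if value >= 1 << bit_len:
        raise ValueError("value does not fit in a %d-bit field" % bit_len)
    byte_off = bit_off // 8
    byte_len = (bit_off + bit_len + 7) // 8 - byte_off
    # Distance from the field's LSB to the LSB of the loaded window.
    shift = byte_len * 8 - (bit_off - byte_off * 8) - bit_len
    mask = ((1 << bit_len) - 1) << shift
    return byte_off, byte_len, mask, value << shift

def matches(payload: bytes, byte_off: int, byte_len: int, mask: int, cmp: int) -> bool:
    """Evaluate one lowered term against the bytes after the UDP header."""
    window = int.from_bytes(payload[byte_off:byte_off + byte_len], "big")
    return (window & mask) == cmp

def ntp_first_byte(li: int, vn: int, mode: int) -> int:
    """NTP header byte 0: LI (2 bits) | VN (3 bits) | Mode (3 bits)."""
    return (li << 6) | (vn << 3) | mode

def ntp_rule_matches(first_byte: int, stratum: int) -> bool:
    """The thread's rule: @ih,2,3 0x4 @ih,5,3 0x4 @ih,8,8 0x1 (VN 4, mode 4, stratum 1)."""
    payload = bytes([first_byte, stratum]) + bytes(46)  # constructed 48-byte NTP header
    terms = [lower_bitfield(2, 3, 0x4), lower_bitfield(5, 3, 0x4), lower_bitfield(8, 8, 0x1)]
    return all(matches(payload, *t) for t in terms)

if __name__ == "__main__":
    for off, ln, val in ((2, 3, 0x4), (5, 3, 0x4), (8, 8, 0x1)):
        b_off, b_len, mask, cmp = lower_bitfield(off, ln, val)
        print("@ih,%d,%d %#x  ->  @ih,%d,%d & %#x == %#x" % (off, ln, val, b_off * 8, b_len * 8, mask, cmp))
    for li in range(4):
        print("LI=%d VN=4 mode=4 stratum=1 matches:" % li, ntp_rule_matches(ntp_first_byte(li, 4, 4), 1))
```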
