* Raw payload expressions are mangled
@ 2024-09-03 7:58 Sunny73Cr
2024-09-03 9:43 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Sunny73Cr @ 2024-09-03 7:58 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Hi, I am attempting to match ntpv4 replies inbound to my machine; like so:
udp sport 123 dport 123 @ih,2,3 0x4 @ih,5,3 0x4 @ih,8,8 0x1
In english, this is: "ntpv4 mode server stratum 1" (there are additional checks for poll, precision and reference, though they're not neccesary here)
After loading the rule (among others) with /usr/sbin/nft -f (in a config file) on Debian 12 Bookworm (not yet updated); the rule shows as:
ip daddr 10.0.0.5 udp sport 123 udp dport 123 ct state established meta skuid 996 @ih,0,8 & 0x38 == 0x20 @ih,0,8 & 0x7 == 0x4 @ih,8,8 0x1
It seems bit-level checks were aligned to '8 bit boundaries'. The resulting expression is technically correct, though it is (as far as I'm aware), only minimally faster.
I would prefer the output to remain as I had typed; as I did not ask for NFT to optimise the ruleset as of yet, and I need to spend much more time validating the configuration.
Is this optimisation able to be toggled off?
Regards,
Sunny73cr
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Raw payload expressions are mangled
2024-09-03 7:58 Raw payload expressions are mangled Sunny73Cr
@ 2024-09-03 9:43 ` Pablo Neira Ayuso
2025-01-28 5:48 ` Sunny73Cr
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2024-09-03 9:43 UTC (permalink / raw)
To: Sunny73Cr; +Cc: netfilter@vger.kernel.org
On Tue, Sep 03, 2024 at 07:58:56AM +0000, Sunny73Cr wrote:
> Hi, I am attempting to match ntpv4 replies inbound to my machine; like so:
>
> udp sport 123 dport 123 @ih,2,3 0x4 @ih,5,3 0x4 @ih,8,8 0x1
>
> In english, this is: "ntpv4 mode server stratum 1" (there are additional checks for poll, precision and reference, though they're not neccesary here)
>
> After loading the rule (among others) with /usr/sbin/nft -f (in a config file) on Debian 12 Bookworm (not yet updated); the rule shows as:
>
> ip daddr 10.0.0.5 udp sport 123 udp dport 123 ct state established meta skuid 996 @ih,0,8 & 0x38 == 0x20 @ih,0,8 & 0x7 == 0x4 @ih,8,8 0x1
>
> It seems bit-level checks were aligned to '8 bit boundaries'. The resulting expression is technically correct, though it is (as far as I'm aware), only minimally faster.
raw expressions only support operations at byte boundary, you have to
use bitwise (&) expression to narrow down the scope of your matching.
> I would prefer the output to remain as I had typed; as I did not ask for NFT to optimise the ruleset as of yet, and I need to spend much more time validating the configuration.
>
> Is this optimisation able to be toggled off?
No.
You can file a bugzilla ticket to request an enhancement, maybe
someone will pick it up at some point.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-01-28 12:29 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-03 7:58 Raw payload expressions are mangled Sunny73Cr
2024-09-03 9:43 ` Pablo Neira Ayuso
2025-01-28 5:48 ` Sunny73Cr
2025-01-28 12:29 ` Sunny73Cr
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox