* Feature Request: nft: support non-immediate second operand
@ 2022-03-15 21:15 Kevin 'ldir' Darbyshire-Bryant
From: Kevin 'ldir' Darbyshire-Bryant @ 2022-03-15 21:15 UTC (permalink / raw)
To: netfilter-devel
Hi there,
I’m trying to migrate to using nftables and hitting some good things but also a bad thing. I have a firewall that makes use of conntrack marks that get bit-wise manipulated by iptables. I don’t appear to be able to get the same functionality in nftables, e.g.:
The following stores the DSCP into the conntrack mark and sets another bit as a flag. Unfortunately it destroys any prior value stored in say the upper 16 bits.
meta nfproto ipv4 ct mark set @nh,8,6 or 0x200 counter
What I’d like to do instead is something more like:
meta nfproto ipv4 ct mark set ct mark or @nh,8,6 ct mark set ct mark or 0x200 counter
Thanks for your time.
Cheers,
Kevin D-B
gpg: 012C ACB2 28C6 C53E 9775 9123 B3A2 389B 9DE2 334A
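The two rule shapes in the request above, modelled in Python as an added example (this is not code from the thread or from nftables): it extracts the raw payload field @nh,8,6 from a constructed IPv4 header the way nft's bit-offset/bit-length addressing does (bits 8..13 of the header are the DSCP), then computes what each rule would leave in the conntrack mark given a prior value that already uses the upper 16 bits. It also adds a third, masked variant that is not in the thread: or-ing the new DSCP into a mark without first clearing the 6-bit slot keeps whatever stale DSCP was already there, which the plain "ct mark or" form would do. The header bytes and the prior mark 0xDEAD000F are constructed sample input.

```python
"""Conntrack-mark arithmetic for the three rule shapes discussed in the thread.

Added example, not code from the thread or from nftables itself. Modelled rules:
  replace : ct mark set @nh,8,6 or 0x200                 (whole mark overwritten)
  or      : ct mark set ct mark or @nh,8,6, then or 0x200 (requested form)
  masked  : like "or", but the 6-bit DSCP slot is cleared first (assumption, not in the thread)
"""
import struct

FLAG = 0x200          # flag bit set by the rule in the thread
DSCP_OFFSET = 8       # @nh,8,6: field starts at bit 8 of the IPv4 header ...
DSCP_BITS = 6         # ... and is 6 bits wide, i.e. the DSCP part of the TOS byte
DSCP_MASK = (1 << DSCP_BITS) - 1


def nh_field(header: bytes, bit_offset: int, bit_len: int) -> int:
    """Return the field @nh,<bit_offset>,<bit_len> of a network header.

    Offset and length are counted in bits from the start of the header,
    most-significant bit first, as nft's raw payload expression addresses them.
    """
    if bit_offset + bit_len > len(header) * 8:
        raise ValueError("field lies outside the header")
    as_int = int.from_bytes(header, "big")
    shift = len(header) * 8 - bit_offset - bit_len
    return (as_int >> shift) & ((1 << bit_len) - 1)


def ipv4_header(dscp: int, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (sample input, not captured traffic)."""
    tos = (dscp << 2) | ecn
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


def mark_replace(prior_mark: int, header: bytes) -> int:
    """ct mark set @nh,8,6 or 0x200: the value is computed only from the packet
    and the immediate, so every bit of the prior mark is lost."""
    return nh_field(header, DSCP_OFFSET, DSCP_BITS) | FLAG


def mark_or(prior_mark: int, header: bytes) -> int:
    """Requested form: prior bits survive, but so do stale DSCP bits that were
    already sitting in the low 6 bits of the mark."""
    mark = prior_mark | nh_field(header, DSCP_OFFSET, DSCP_BITS)
    return mark | FLAG


def mark_masked(prior_mark: int, header: bytes) -> int:
    """Variant (assumption, not from the thread): clear the DSCP slot before
    or-ing the new value in, so an old DSCP cannot bleed into the new one."""
    mark = (prior_mark & ~DSCP_MASK) | nh_field(header, DSCP_OFFSET, DSCP_BITS)
    return mark | FLAG


if __name__ == "__main__":
    hdr = ipv4_header(dscp=46)      # EF
    prior = 0xDEAD000F              # upper 16 bits in use, stale DSCP 0x0F below
    for name, fn in (("replace", mark_replace), ("or", mark_or), ("masked", mark_masked)):
        print(f"{name:8s} 0x{fn(prior, hdr):08x}")
```

With the sample input, the replace form yields 0x0000022E (the upper 16 bits are gone), the requested or form yields 0xDEAD022F (upper bits kept, but the stale 0x0F has merged with 0x2E), and the masked variant yields 0xDEAD022E.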
* Re: Feature Request: nft: support non-immediate second operand
@ 2022-03-16 11:48 ` Jeremy Sowden
From: Jeremy Sowden @ 2022-03-16 11:48 UTC (permalink / raw)
To: Kevin 'ldir' Darbyshire-Bryant; +Cc: netfilter-devel
On 2022-03-15, at 21:15:58 +0000, Kevin 'ldir' Darbyshire-Bryant wrote:
> I’m trying to migrate to using nftables and hitting some good things
> but also a bad thing. I have a firewall that makes use of conntrack
> marks that get bit-wise manipulated by iptables. I don’t appear to be
> able to get the same functionality in nftables. eg:
>
> The following stores the DSCP into the conntrack mark and sets another
> bit as a flag. Unfortunately it destroys any prior value stored in
> say the upper 16 bits.
>
> meta nfproto ipv4 ct mark set @nh,8,6 or 0x200 counter
>
> What I’d like to do instead is something more like:
>
> meta nfproto ipv4 ct mark set ct mark or @nh,8,6 ct mark set ct mark or 0x200 counter
Funnily enough, I picked up the work I did on this two years ago recently.
I was going to post it again last month when I noticed there was a bug
in the ipv6 delinearization. I'll see if I can fix it this week-end.
If not, I'll post the patches as an RFC to get some feedback at least.
J.