* payload expressions, netlink debug output
@ 2025-02-14 4:17 Sunny73Cr
2025-02-14 7:20 ` Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Sunny73Cr @ 2025-02-14 4:17 UTC (permalink / raw)
To: netfilter-devel@vger.kernel.org
Hi,

It appears that the incorrect register is accepted when data is modified.

Running Debian 12.9.

/etc/nftables.conf:

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain output {
        type filter hook output priority filter;

        @ih,0,128 set 0 \
        accept;
    }
}

output (viewable with /usr/sbin/nft -d all -f /etc/nftables.conf):

[ immediate reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
[ payload write reg 1 => 16b @ inner header + 0 csum_type 0 csum_off 0 csum_flags 0x1 ]
[ immediate reg 0 accept ]

If reg 1 was modified, I believe it should be reg 1 that is accepted.

Please, may somebody with more experience check my assumption?

sunny
* Re: payload expressions, netlink debug output
2025-02-14 4:17 payload expressions, netlink debug output Sunny73Cr
@ 2025-02-14 7:20 ` Florian Westphal
2025-02-15 4:04 ` Sunny73Cr
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2025-02-14 7:20 UTC (permalink / raw)
To: Sunny73Cr; +Cc: netfilter-devel@vger.kernel.org
Sunny73Cr <Sunny73Cr@protonmail.com> wrote:
> It appears that the incorrect register is accepted when data is modified.
>
> Running Debian 12.9.
>
> /etc/nftables.conf:
>
> #!/usr/sbin/nft -f
> flush ruleset
> table inet filter {
>     chain output {
>         type filter hook output priority filter;
>
>         @ih,0,128 set 0 \
>         accept;
>     }
> }
>
> output (viewable with /usr/sbin/nft -d all -f /etc/nftables.conf):
>
> [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
> [ payload write reg 1 => 16b @ inner header + 0 csum_type 0 csum_off 0 csum_flags 0x1 ]
> [ immediate reg 0 accept ]
>
> If reg 1 was modified, I believe it should be reg 1 that is accepted.

No, never. reg0 is the verdict register.
"immediate reg 1 0x0000...." means we store 0 in reg 1.
"immediate reg 0 accept" means we store "accept" in reg 0.
Those are stores, not loads.
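
The register roles discussed in this thread, as an added example that is not part of either message and is not nftables code: a small Python replay of the three debug lines quoted above, marking each expression as a store into a register or a load from one and reading the rule's verdict out of reg 0. The function name `trace` and both regular expressions are assumptions made for this illustration and cover only the two expression types that appear in the thread.

```python
import re

# Constructed sample: the three netlink debug lines quoted in the thread.
SAMPLE = """\
[ immediate reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
[ payload write reg 1 => 16b @ inner header + 0 csum_type 0 csum_off 0 csum_flags 0x1 ]
[ immediate reg 0 accept ]
"""

VERDICT_REG = 0  # reg 0 holds the rule's verdict; other registers hold data

# Hypothetical patterns for the two expression types seen in this thread only.
IMMEDIATE = re.compile(r"\[ immediate reg (\d+) (.+?) \]")
PAYLOAD_WRITE = re.compile(r"\[ payload write reg (\d+) => (\d+)b @ (.+?) \+ (\d+) ")


def trace(debug_text):
    """Replay the expressions; return (events, final verdict or None)."""
    regs, events = {}, []
    for line in debug_text.splitlines():
        line = line.strip()
        if m := IMMEDIATE.match(line):
            reg, value = int(m.group(1)), m.group(2)
            regs[reg] = value  # immediate is a store into the register
            kind = "verdict" if reg == VERDICT_REG else "data"
            events.append(("store", reg, kind))
        elif m := PAYLOAD_WRITE.match(line):
            reg = int(m.group(1))
            if reg not in regs:
                raise ValueError(f"reg {reg} read before any store")
            # payload write loads the register and copies it into the packet
            target = f"{m.group(2)}b @ {m.group(3)} + {m.group(4)}"
            events.append(("load", reg, target))
        elif line:
            raise ValueError(f"unhandled expression: {line}")
    return events, regs.get(VERDICT_REG)


if __name__ == "__main__":
    events, verdict = trace(SAMPLE)
    for op, reg, detail in events:
        print(f"{op:5} reg {reg}: {detail}")
    print("verdict (reg 0):", verdict)
```
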