[Bug 1238] New: meta limits protocols when it shouldn't

bugzilla-daemon at netfilter.org
Sat Mar 31 02:18:11 CEST 2018


https://bugzilla.netfilter.org/show_bug.cgi?id=1238

            Bug ID: 1238
           Summary: meta limits protocols when it shouldn't
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Fedora
            Status: NEW
          Severity: minor
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: ian.kumlien at gmail.com

Reading about the raw payload, which has the examples:

inet filter input meta l4proto {tcp, udp} @th,16,16 { dns, http }

and

input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4
@nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept

Makes you think that something like:
meta l4proto udp @th,64,4 0x0 @th,16,16 set 5301 accept

should work for detecting a DNS query.

It's a variant of:
-p udp -m udp --dport 53 -m u32 --u32 0x0>>0x16&0x3c at 0x8&0xf8=0x0 -j REDIRECT
--to-ports 5301

Which I agree is a very, very special example, but I DIDN'T expect this:
/etc/rc.nft:52:34-41: Error: conflicting protocols specified: udp vs. unknown
        meta l4proto udp @th,64,4 0x0 accept
                                 ^^^^^^^^

This aspect of nft is not really well documented you could say but...

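The rules above all use nftables raw payload addressing, `@base,offset,length`, with the offset and length given in bits and `th` meaning the start of the transport header. The following is an added example, not part of the bug report or of nft itself: a small Python model of that addressing applied to a constructed UDP/DNS datagram, so the reader can see which bytes `@th,16,16` and `@th,64,4` actually select (the UDP header is 8 bytes, so `@th,64` is the first byte of the DNS message).

```python
# Added example (not from the bug report): model of nft's @th,offset,length
# raw payload addressing. Offsets and lengths are in bits; base "th" is the
# first byte of the transport header. The sample packet below is constructed.
import struct


def raw_payload_field(transport: bytes, offset_bits: int, length_bits: int) -> int:
    """Return the integer that @th,offset_bits,length_bits selects from the
    given transport-layer bytes (UDP header followed by its payload)."""
    if offset_bits < 0 or length_bits <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    end_bit = offset_bits + length_bits
    if end_bit > len(transport) * 8:
        raise ValueError("field extends past the end of the packet")
    # Take the bytes that cover the field, then shift and mask down to the bits.
    first, last = offset_bits // 8, (end_bit - 1) // 8
    window = int.from_bytes(transport[first:last + 1], "big")
    window_bits = (last - first + 1) * 8
    shift = window_bits - (offset_bits - first * 8) - length_bits
    return (window >> shift) & ((1 << length_bits) - 1)


def build_udp_dns_query(sport: int, dport: int, dns_id: int, flags: int) -> bytes:
    """Constructed sample: an 8-byte UDP header followed by a 12-byte DNS header."""
    # DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    dns = struct.pack("!HHHHHH", dns_id, flags, 1, 0, 0, 0)
    # UDP header: source port, destination port, length, checksum (left 0 here)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0)
    return udp + dns


# Standard query to port 53, transaction ID 0x1a2b, flags 0x0100 (QR=0, RD=1).
SAMPLE = build_udp_dns_query(40000, 53, 0x1A2B, 0x0100)


def looks_like_dns_query(transport: bytes) -> bool:
    """Destination port 53 (@th,16,16) and the DNS QR bit clear. The UDP header
    is 64 bits, the DNS ID occupies @th,64,16, and QR is the first bit of the
    flags word, i.e. @th,80,1; the 4-bit opcode follows it at @th,81,4."""
    return (raw_payload_field(transport, 16, 16) == 53
            and raw_payload_field(transport, 80, 1) == 0)
```

Note that `@th,64,4` on this packet returns the top nibble of the DNS transaction ID, not any of the flag bits.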