[Bug 1704] New: Feature request - support missing and exists keywords for meta skuid
bugzilla-daemon at netfilter.org
Sun Sep 17 13:42:12 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1704
Bug ID: 1704
Summary: Feature request - support missing and exists keywords for meta skuid
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: other
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: thesashok724 at gmail.com
According to the nft(8) man page
(https://man.archlinux.org/man/nft.8.en#BOOLEAN_TYPE), it is possible to only
check the existence of `fib`, `exthdr`, and `tcp option` of a packet.
It would be very useful to check the existence of other fields, for example
`meta skuid`/`meta skgid`, which are not present for packets sent by the
kernel. Currently, loading the following nftables rules throws an error:
```
#!/usr/bin/nft -f
table inet test
delete table inet test
table inet test {
    chain output_test {
        type filter hook output priority filter
        policy accept
        meta skuid missing log counter # log kernel packets
    }
}
```
nft -f test.conf:
```
test.conf:11:20-26: Error: datatype mismatch, expected user ID, expression has type boolean type
        meta skuid missing log counter
        ~~~~~~~~~~ ^^^^^^^
```
OS: Arch Linux
uname -a:
`Linux pc.s724 6.5.3-arch1-1 #1 SMP PREEMPT_DYNAMIC Wed, 13 Sep 2023 08:37:40 +0000 x86_64 GNU/Linux`
nft -v:
`nftables v1.0.8 (Old Doc Yak #2)`