[Bug 1784] New: nft -o optimizer fails to optimize bitmasks
bugzilla-daemon at netfilter.org
Thu Jan 9 12:46:44 CET 2025
https://bugzilla.netfilter.org/show_bug.cgi?id=1784
Bug ID: 1784
Summary: nft -o optimizer fails to optimize bitmasks
Product: nftables
Version: 1.0.x
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: neandris at gmail.com
Let's feed the following table (borrowed from tcp conntrack valid flags):
table inet t {
	chain c {
		tcp flags syn / fin,syn,rst,ack,urg
		tcp flags syn,urg / fin,syn,rst,ack,urg
		tcp flags syn,ack / fin,syn,rst,ack,urg
		tcp flags rst / fin,syn,rst,ack,urg
		tcp flags rst,ack / fin,syn,rst,ack,urg
		tcp flags fin,ack / fin,syn,rst,ack,urg
		tcp flags fin,ack,urg / fin,syn,rst,ack,urg
		tcp flags ack / fin,syn,rst,ack,urg
		tcp flags ack,urg / fin,syn,rst,ack,urg
	}
}
Outcome
Merging:
/dev/stdin:3:3-37: tcp flags syn / fin,syn,rst,ack,urg
/dev/stdin:4:3-41: tcp flags syn,urg / fin,syn,rst,ack,urg
/dev/stdin:5:3-41: tcp flags syn,ack / fin,syn,rst,ack,urg
/dev/stdin:6:3-37: tcp flags rst / fin,syn,rst,ack,urg
/dev/stdin:7:3-41: tcp flags rst,ack / fin,syn,rst,ack,urg
/dev/stdin:8:3-41: tcp flags fin,ack / fin,syn,rst,ack,urg
/dev/stdin:9:3-45: tcp flags fin,ack,urg / fin,syn,rst,ack,urg
/dev/stdin:10:3-37: tcp flags ack / fin,syn,rst,ack,urg
/dev/stdin:11:3-41: tcp flags ack,urg / fin,syn,rst,ack,urg
into:
tcp flags syn / { fin,syn,rst,ack,urg, fin,syn,rst,ack,urg,
fin,syn,rst,ack,urg, fin,syn,rst,ack,urg, fin,syn,rst,ack,urg,
fin,syn,rst,ack,urg, fin,syn,rst,ack,urg, fin,syn,rst,ack,urg,
fin,syn,rst,ack,urg }
/dev/stdin:3:3-11: Error: Binary operation (&) is undefined for set expressions
tcp flags syn / fin,syn,rst,ack,urg
^^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~
Expected: futile optimisation is not attempted, or it is skipped with a warning,
keeping the original ruleset; or some syntax enhancement to make a set of
comma-separated value groups (hex values do not work here either) separated by
commas / mask.
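The nine rules in the report share a single mask, so a semantically correct merge would mask the flag byte once and look the result up in a set of nine values; in the optimizer output above the set ended up on the mask side instead. The Python sketch below is an added illustration, not part of the report and not nftables code: the function names are assumptions made for the example, and the flag bit values are the standard TCP header bits.

```python
# Added illustration (not nftables code). Bit values are the TCP header flag bits.
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
         "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}

# The nine "value / mask" matches from the report, copied verbatim.
RULES = [
    "syn / fin,syn,rst,ack,urg",
    "syn,urg / fin,syn,rst,ack,urg",
    "syn,ack / fin,syn,rst,ack,urg",
    "rst / fin,syn,rst,ack,urg",
    "rst,ack / fin,syn,rst,ack,urg",
    "fin,ack / fin,syn,rst,ack,urg",
    "fin,ack,urg / fin,syn,rst,ack,urg",
    "ack / fin,syn,rst,ack,urg",
    "ack,urg / fin,syn,rst,ack,urg",
]

def bits(names):
    """OR together a comma-separated list of flag names."""
    value = 0
    for name in names.split(","):
        value |= FLAGS[name.strip()]
    return value

def parse(rule):
    """Split 'value / mask' into a (value, mask) pair of integers."""
    value, mask = rule.split("/")
    return bits(value), bits(mask)

def match_separately(flag_byte, rules=RULES):
    """Evaluate the rules one by one, as the unoptimized chain does."""
    return any((flag_byte & mask) == value for value, mask in map(parse, rules))

def merge(rules=RULES):
    """Return (mask, values) when every rule shares one mask, else None
    (the case where merging must be skipped)."""
    parsed = [parse(rule) for rule in rules]
    masks = {mask for _, mask in parsed}
    if len(masks) != 1:
        return None
    return masks.pop(), frozenset(value for value, _ in parsed)

def match_merged(flag_byte, merged):
    """Mask once, then do a single set lookup on the masked value."""
    mask, values = merged
    return (flag_byte & mask) in values

if __name__ == "__main__":
    merged = merge()
    print(hex(merged[0]), sorted(hex(v) for v in merged[1]))
    print(all(match_separately(b) == match_merged(b, merged) for b in range(256)))
```
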