Conntrack translation to nft

One more translation for the conntrack expression.

extensions: libxt_conntrack: Add translation to nft

This patch raises an issue with inverted lists of bitwise values: the nft syntax parser returns an error when an inverted list of conntrack states is passed to it.

 $ nft add rule ip filter INPUT ct state != new,related counter accept
 <cmdline>:1:41-41: Error: syntax error, unexpected comma, expecting end of file or newline or semicolon
 add rule ip filter INPUT ct state != new,related counter accept
                                         ^

After several days working on this issue I sent a patch to make it work, but it seems that the bytecode generated is not correct.

 nft --debug=netlink add rule ip filter INPUT ct state != new,related,established,untracked counter accept
 ip filter INPUT
   [ ct load state => reg 1 ]
   [ cmp neq reg 1 0x0000004e ]
   [ counter pkts 0 bytes 0 ]
   [ immediate reg 0 accept ]

That compare against the combined mask 0x0000004e is always true, because the state register only ever holds a single state bit and so never equals the whole mask. The rule should instead mask the register and compare the result with zero, something like:

 nft --debug=netlink add rule ip filter INPUT ct state new,related,established,untracked
 ip filter INPUT
   [ ct load state => reg 1 ]
   [ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x00000000 ]
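As an added example (not code from the libxt_conntrack patch or from nft itself), the following Python emulates both bytecode sequences above against a packet in each possible conntrack state, using the state bit values from linux/netfilter/nf_conntrack_common.h. The `xlate_ctstate` helper and the other function names are assumptions made for illustration, not nft or iptables API.

```python
# Added example, not part of the libxt_conntrack patch or of nft:
# emulate the two netlink bytecode sequences shown above on the
# conntrack state bitmask that "ct load state" puts into reg 1, to show
# why "cmp neq reg 1 0x4e" does not implement "ct state != new,related,...".
#
# Bit values follow NF_CT_STATE_BIT() / NF_CT_STATE_UNTRACKED_BIT in
# include/uapi/linux/netfilter/nf_conntrack_common.h.

CT_STATE_BITS = {
    "invalid":     1 << 0,  # NF_CT_STATE_INVALID_BIT
    "established": 1 << 1,  # NF_CT_STATE_BIT(IP_CT_ESTABLISHED)
    "related":     1 << 2,  # NF_CT_STATE_BIT(IP_CT_RELATED)
    "new":         1 << 3,  # NF_CT_STATE_BIT(IP_CT_NEW)
    "untracked":   1 << 6,  # NF_CT_STATE_UNTRACKED_BIT
}


def state_mask(states):
    """OR together the bits of a comma-separated state list.

    "new,related,established,untracked" -> 0x4e, as in the post.
    """
    mask = 0
    for name in states.split(","):
        name = name.strip().lower()
        if name not in CT_STATE_BITS:
            raise ValueError("unknown conntrack state: %r" % name)
        mask |= CT_STATE_BITS[name]
    return mask


def match_plain_compare(reg1, mask, invert):
    """The bytecode the post shows nft generating for the inverted rule:
         [ cmp neq reg 1 <mask> ]    (cmp eq for a non-inverted list)
    i.e. the whole state register is compared against the combined mask."""
    return reg1 != mask if invert else reg1 == mask


def match_masked_compare(reg1, mask, invert):
    """The masked form the post says it should be:
         [ bitwise reg 1 = (reg 1 & <mask>) ^ 0x0 ]
         [ cmp eq reg 1 0x0 ]        (cmp neq for a non-inverted list)
    i.e. keep only the listed bits, then test whether any remain."""
    reg1 = (reg1 & mask) ^ 0x0
    return reg1 == 0 if invert else reg1 != 0


def xlate_ctstate(ctstate, invert=False):
    """Hypothetical translator (assumption, not libxt_conntrack's own
    xlate code) from an iptables --ctstate argument to the nft rule
    fragment the post is trying to get the nft parser to accept."""
    return "ct state %s%s" % ("!= " if invert else "", ctstate)


def compare_on_all_states(states, invert):
    """Run both emulations over a packet in each single conntrack state.

    Returns {state_name: (plain_compare_matched, masked_compare_matched)}.
    """
    mask = state_mask(states)
    return {
        name: (match_plain_compare(bit, mask, invert),
               match_masked_compare(bit, mask, invert))
        for name, bit in CT_STATE_BITS.items()
    }


if __name__ == "__main__":
    rule = "new,related,established,untracked"
    print(xlate_ctstate(rule, invert=True),
          "-> mask 0x%08x" % state_mask(rule))
    for name, (plain, masked) in compare_on_all_states(rule, True).items():
        print("%-12s plain-compare=%-5s masked-compare=%s"
              % (name, plain, masked))
```

Running it shows that the plain `cmp neq reg 1 0x4e` form matches a packet in every state, including new, related, established and untracked, because a single state bit never equals 0x4e; the masked form matches only a packet in the invalid state, which is what the inverted rule means. Swapping `invert` to False shows the mirror image: the plain compare then matches nothing at all.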

I’ll be working further on this issue. To be continued…

 

 
