bugzilla-daemon at netfilter.org
2023-Sep-17 11:42 UTC
[Bug 1704] New: Feature request - support missing and exists keywords for meta skuid
https://bugzilla.netfilter.org/show_bug.cgi?id=1704

            Bug ID: 1704
           Summary: Feature request - support missing and exists keywords for meta skuid
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: thesashok724 at gmail.com

According to the nft(8) man page (https://man.archlinux.org/man/nft.8.en#BOOLEAN_TYPE), it is possible to only check the existence of `fib`, `exthdr`, and `tcp option` of a packet. It would be very useful to check the existence of other fields, for example `meta skuid`/`meta skgid`, which are not present for packets sent by the kernel.

Currently, loading the following nftables rules throws an error:

```
#!/usr/bin/nft -f

table inet test
delete table inet test

table inet test {
    chain output_test {
        type filter hook output priority filter
        policy accept

        meta skuid missing log counter # log kernel packets
    }
}
```

nft -f test.conf:

```
test.conf:11:20-26: Error: datatype mismatch, expected user ID, expression has type boolean type
        meta skuid missing log counter
        ~~~~~~~~~~ ^^^^^^^
```

OS: Arch Linux
uname -a: `Linux pc.s724 6.5.3-arch1-1 #1 SMP PREEMPT_DYNAMIC Wed, 13 Sep 2023 08:37:40 +0000 x86_64 GNU/Linux`
nft -v: `nftables v1.0.8 (Old Doc Yak #2)`

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2023-Sep-17 11:52 UTC
[Bug 1704] Feature request - support missing and exists keywords for meta skuid
https://bugzilla.netfilter.org/show_bug.cgi?id=1704

thesashok724 at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thesashok724 at gmail.com
bugzilla-daemon at netfilter.org
2023-Sep-26 15:42 UTC
[Bug 1704] Feature request - support missing and exists keywords for meta skuid
https://bugzilla.netfilter.org/show_bug.cgi?id=1704

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Hi,

meta skuid datatype is a 32-bit unsigned integer:

# nft describe meta skuid
meta expression, datatype uid (user ID) (basetype integer), 32 bits

not a boolean type.

> According to the nft(8) man page (https://man.archlinux.org
> /man/nft.8.en#BOOLEAN_TYPE), it is possible to only check the existence of
> `fib`, `exthdr`, and `tcp option` of a packet.

Yes, these selectors might return a boolean, but not meta skuid.

What is the intention? Are you aiming at checking if the skbuff is attached to a socket?
bugzilla-daemon at netfilter.org
2023-Oct-02 02:55 UTC
[Bug 1704] Feature request - support missing and exists keywords for meta skuid
https://bugzilla.netfilter.org/show_bug.cgi?id=1704

--- Comment #2 from thesashok724 at gmail.com ---
I want to match all packets that are sent by the kernel (that is, the packets that do not have `meta skuid`/`meta skgid`).

Currently, the only working approach I've found is to match the opposite with vmap, like this:

```
meta skuid vmap {
    root: goto handle_root_packet,
    *: goto handle_user_packet,
}
goto handle_kernel_packet
```

I think it would be much more convenient to check the existence of these and other fields with `missing`/`existing` or similar keywords, like this: `meta skuid missing log`.
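The vmap fall-through workaround from comment #2 as a complete, loadable ruleset, added here as an illustration and not part of the reporter's report or the nftables project; the table and chain names are assumed, and the target chains only count and log so the classification can be checked with `nft list ruleset`.

```nft
#!/usr/bin/nft -f
# Added example (not from the bug report): classify locally generated packets
# by whether a user-space socket is attached, using the vmap trick from
# comment #2. Table and chain names are assumed.

table inet skuid_demo
delete table inet skuid_demo

table inet skuid_demo {
    chain handle_root_packet {
        counter comment "socket owned by root"
    }

    chain handle_user_packet {
        counter comment "socket owned by a non-root uid"
    }

    chain handle_kernel_packet {
        # Only reached by packets that matched no `meta skuid` element, i.e.
        # packets with no user-space socket attached (kernel-originated).
        log prefix "kernel-origin: " counter
    }

    chain output_demo {
        type filter hook output priority filter
        policy accept

        # `meta skuid` cannot be evaluated for a packet without an attached
        # socket; the rule then simply does not match and evaluation continues
        # with the next rule. `*` is the catch-all element (needs catch-all
        # set support, nftables 1.0.0+ / Linux 5.13+; the reporter's 1.0.8 has it).
        meta skuid vmap {
            root: goto handle_root_packet,
            *: goto handle_user_packet,
        }

        # Everything that did not match above has no socket.
        goto handle_kernel_packet
    }
}
```

Load it with `nft -f` and send both user-space traffic and something the stack generates on its own; the per-chain counters show which branch each packet took.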