bugzilla-daemon at netfilter.org
2024-Sep-26 06:44 UTC
[Bug 1775] New: RAW PAYLOAD EXPRESSION offset is limited to 2048
https://bugzilla.netfilter.org/show_bug.cgi?id=1775

            Bug ID: 1775
           Summary: RAW PAYLOAD EXPRESSION offset is limited to 2048
           Product: nftables
           Version: 1.0.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: lev.shutov at gmail.com

RAW PAYLOAD EXPRESSION is described here:
https://manpages.debian.org/bookworm/nftables/nft.8.en.html#RAW_PAYLOAD_EXPRESSION

It has an "offset" argument. According to my tests, it is limited to 2048.

--------------------------------------------------------------------------------
nft delete table raw-payload-test
nft add table raw-payload-test
nft add chain raw-payload-test input {type filter hook input priority filter\;}
nft add rule raw-payload-test input tcp dport 80 @ih,2047,8 1 log
nft add rule raw-payload-test input tcp dport 80 @ih,2048,8 2 log
--------------------------------------------------------------------------------

The 2nd rule throws an error. 2048 bits is 256 bytes. So RAW PAYLOAD EXPRESSION
can be used only for the first 256 bytes of a packet.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240926/b10704eb/attachment.html>
bugzilla-daemon at netfilter.org
2024-Sep-26 10:38 UTC
[Bug 1775] RAW PAYLOAD EXPRESSION offset is limited to 2048
https://bugzilla.netfilter.org/show_bug.cgi?id=1775

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       Severity|critical                    |enhancement
             CC|                            |phil at nwl.cc
      Component|nft                         |kernel
        Version|1.0.x                       |unspecified

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Yes, this is a limitation of the payload expression in the kernel. Max offset
and length are 255 bytes, limited by struct nft_payload field sizes. It has
been like this since day 1; I suppose the rationale was that headers usually
fit into the first 256 bytes of a packet.

What's your use-case?
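The limit described in comment #1 can be checked before a ruleset is loaded. The following is an added example (not code from the bug report or from the nftables project): it parses a raw payload expression of the form `@base,offset_bits,len_bits`, works out the byte-aligned range the kernel would have to load, and flags anything beyond the 255-byte offset/length that `struct nft_payload` can express. The byte-range computation is this example's own model of the load (first byte through last byte touched), not nft's code generator.

```python
import re
from dataclasses import dataclass

# Per comment #1: offset and length in struct nft_payload are u8 fields,
# so each is at most 255 bytes.
KERNEL_MAX_BYTES = 255

# Raw payload bases: ll/nh/th from the nft manpage, ih as used in the report.
_RAW_PAYLOAD_RE = re.compile(r"^@(ll|nh|th|ih),(\d+),(\d+)$")


@dataclass(frozen=True)
class PayloadLoad:
    base: str
    byte_offset: int  # first byte the kernel must read
    byte_len: int     # number of bytes covering the requested bit range

    def fits_kernel_limit(self) -> bool:
        return (self.byte_offset <= KERNEL_MAX_BYTES
                and self.byte_len <= KERNEL_MAX_BYTES)


def parse_raw_payload(expr: str) -> PayloadLoad:
    """Map '@base,offset_bits,len_bits' to the byte range a load would need.

    Model assumed here: the load starts at the byte containing the first bit
    and ends at the byte containing the last bit (sub-byte fields need a
    bitwise mask/shift afterwards, which this check does not model).
    """
    m = _RAW_PAYLOAD_RE.match(expr.strip())
    if not m:
        raise ValueError(f"not a raw payload expression: {expr!r}")
    base, off_bits, len_bits = m.group(1), int(m.group(2)), int(m.group(3))
    if len_bits == 0:
        raise ValueError("length must be at least 1 bit")
    first_byte = off_bits // 8
    last_byte = (off_bits + len_bits - 1) // 8  # inclusive
    return PayloadLoad(base, first_byte, last_byte - first_byte + 1)


def check_rules(rules):
    """Return {expression: fits} for every raw payload expression in rules."""
    results = {}
    for rule in rules:
        for expr in re.findall(r"@(?:ll|nh|th|ih),\d+,\d+", rule):
            results[expr] = parse_raw_payload(expr).fits_kernel_limit()
    return results


if __name__ == "__main__":
    # Constructed sample: the two rules from the report.
    sample = ["tcp dport 80 @ih,2047,8 1 log", "tcp dport 80 @ih,2048,8 2 log"]
    for expr, ok in check_rules(sample).items():
        print(expr, "fits" if ok else "exceeds 255-byte kernel limit")
```

Run against the reporter's two rules, `@ih,2047,8` starts at byte 255 and fits, while `@ih,2048,8` starts at byte 256 and is rejected, matching the observed behaviour.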