bugzilla-daemon at netfilter.org
2025-Jan-09  11:46 UTC
[Bug 1784] New: nft -o optimizer fails to optimize birmasks
https://bugzilla.netfilter.org/show_bug.cgi?id=1784
            Bug ID: 1784
           Summary: nft -o optimizer fails to optimize birmasks
           Product: nftables
           Version: 1.0.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: neandris at gmail.com
Let's feed the following table (borrowed from the tcp conntrack valid flags):
table inet t {
 chain c {
  tcp flags syn / fin,syn,rst,ack,urg
  tcp flags syn,urg / fin,syn,rst,ack,urg
  tcp flags syn,ack / fin,syn,rst,ack,urg
  tcp flags rst / fin,syn,rst,ack,urg
  tcp flags rst,ack / fin,syn,rst,ack,urg
  tcp flags fin,ack / fin,syn,rst,ack,urg
  tcp flags fin,ack,urg / fin,syn,rst,ack,urg
  tcp flags ack / fin,syn,rst,ack,urg
  tcp flags ack,urg / fin,syn,rst,ack,urg
 }
}
Outcome
Merging:
/dev/stdin:3:3-37:   tcp flags syn / fin,syn,rst,ack,urg
/dev/stdin:4:3-41:   tcp flags syn,urg / fin,syn,rst,ack,urg
/dev/stdin:5:3-41:   tcp flags syn,ack / fin,syn,rst,ack,urg
/dev/stdin:6:3-37:   tcp flags rst / fin,syn,rst,ack,urg
/dev/stdin:7:3-41:   tcp flags rst,ack / fin,syn,rst,ack,urg
/dev/stdin:8:3-41:   tcp flags fin,ack / fin,syn,rst,ack,urg
/dev/stdin:9:3-45:   tcp flags fin,ack,urg / fin,syn,rst,ack,urg
/dev/stdin:10:3-37:   tcp flags ack / fin,syn,rst,ack,urg
/dev/stdin:11:3-41:   tcp flags ack,urg / fin,syn,rst,ack,urg
into:
        tcp flags syn / { fin,syn,rst,ack,urg, fin,syn,rst,ack,urg,
fin,syn,rst,ack,urg, fin,syn,rst,ack,urg, fin,syn,rst,ack,urg,
fin,syn,rst,ack,urg, fin,syn,rst,ack,urg, fin,syn,rst,ack,urg,
fin,syn,rst,ack,urg }
/dev/stdin:3:3-11: Error: Binary operation (&) is undefined for set
expressions
  tcp flags syn / fin,syn,rst,ack,urg
  ^^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~
Expected: the futile optimisation is not attempted, or is skipped with a
warning keeping the original ruleset, or some syntax enhancement to make a
set of comma-separated value groups (hex values do not work here either)
separated by commas / mask.
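As an added illustration (not part of the bug report or the nftables code), the following small model of "tcp flags VALUE / MASK" matching shows why the nine rules can only be merged by collecting the values under their common mask, and that collapsing them into a set of masks (as the optimizer output above does) would keep only the first rule's match. The flag bit values are the standard TCP header bits; the helper names are my own.

```python
# Model of nft "tcp flags VALUE / MASK": a packet matches when
# (tcp_flags & MASK) == VALUE.  Standard TCP flag bit values.
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
         "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}

# The nine rules from the report, verbatim (constructed input for this model).
RULES = """tcp flags syn / fin,syn,rst,ack,urg
tcp flags syn,urg / fin,syn,rst,ack,urg
tcp flags syn,ack / fin,syn,rst,ack,urg
tcp flags rst / fin,syn,rst,ack,urg
tcp flags rst,ack / fin,syn,rst,ack,urg
tcp flags fin,ack / fin,syn,rst,ack,urg
tcp flags fin,ack,urg / fin,syn,rst,ack,urg
tcp flags ack / fin,syn,rst,ack,urg
tcp flags ack,urg / fin,syn,rst,ack,urg""".splitlines()

def bits(names):
    """'syn,ack' -> 0x12"""
    return sum(FLAGS[n.strip()] for n in names.split(",") if n.strip())

def parse_rule(line):
    """'tcp flags syn,ack / fin,syn,rst,ack,urg' -> (value, mask)."""
    expr = line.strip()[len("tcp flags "):]
    value, mask = expr.split("/")
    return bits(value), bits(mask)

def accepted(rules):
    """All 8-bit flag combinations matched by at least one rule."""
    pairs = [parse_rule(r) for r in rules]
    return {f for f in range(256) if any((f & m) == v for v, m in pairs)}

def merge_values(rules):
    """Semantics-preserving merge: one common mask, a set of values.
    Returns None if the masks differ (then no such merge exists)."""
    pairs = [parse_rule(r) for r in rules]
    masks = {m for _, m in pairs}
    if len(masks) != 1:
        return None
    return masks.pop(), {v for v, _ in pairs}

def accepted_value_set(mask, values):
    """Matches of '(flags & mask) in values'."""
    return {f for f in range(256) if (f & mask) in values}

def accepted_mask_set(value, masks):
    """What 'value / { mask, mask, ... }' would mean if it were defined:
    (flags & m) == value for some m.  With identical masks this is just
    the first rule, so the other eight rules are lost."""
    return {f for f in range(256) if any((f & m) == value for m in masks)}
```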