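#!/bin/bash
#
# Regression test for the nft backend's rule translation.
#
# The matches used by the rule below used to be emitted as xtables "compat"
# match modules and were later "optimized" into native nft expressions:
#   - byte-aligned source/destination prefixes (/8, /16) are compared with a
#     1b/2b payload load and a plain cmp instead of a 4b load plus bitwise mask
#   - limit, udp port range and mark/mask become native limit/range/meta
#     expressions
# The test pins the exact -vv dump of the rule, once with the default
# (optimized) translation and once with --compat, which must still emit the
# "match name ..." / "target name ..." compat expressions.
#
# Environment: XT_MULTI must point at xtables-nft-multi, otherwise the test is
# skipped with exit status 0.

[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }

# Every command below has to succeed; a non-zero diff is the test failure.
set -e

# Create the raw table / OUTPUT chain up front and flush it again, so that the
# -vv dumps checked later contain only the rule being added.
# $XT_MULTI is deliberately left unquoted, as elsewhere in the suite, in case
# the harness sets it to a wrapper command followed by the binary (unverified).
$XT_MULTI iptables -t raw -A OUTPUT
$XT_MULTI iptables -t raw -F

# The rule under test, one argument per array element so it is passed to
# iptables without re-splitting a string.
RULE=(-t raw -A OUTPUT)
# prefix matches on class (actually: byte) boundaries no longer need a bitwise
RULE+=(-s 10.0.0.0/8 -d 192.168.0.0/16)
# these were turned into native matches meanwhile
# (plus -m tcp, but it conflicts with -m udp)
RULE+=(-m limit --limit 1/min)
RULE+=(-p udp -m udp --sport 1024:65535)
RULE+=(-m mark --mark 0xfeedcafe/0xfeedcafe)
RULE+=(-j TRACE)

#######################################
# Compare the -vv dump of an iptables command against an expected text.
# Arguments: $1 - expected output (multi-line string, newline-terminated)
#            $2... - arguments passed verbatim to "$XT_MULTI iptables"
# Returns:   diff's exit status; under set -e a mismatch aborts the script
# Notes:     -Z ignores trailing whitespace only, so everything else on a
#            line (leading indent, internal spacing, register numbers, byte
#            offsets) must match the tool output exactly.
#######################################
check_dump() {
  local expected=$1
  shift
  diff -u -Z <(printf '%s\n' "$expected") <($XT_MULTI iptables "$@")
}

# Human-readable rule line followed by the family/table/chain header; both
# dumps start with it.
EXPECT_COMMON='TRACE  udp opt -- in * out *  10.0.0.0/8  -> 192.168.0.0/16  limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
ip raw OUTPUT'

# Optimized translation: 1b/2b prefix compares without bitwise, native limit,
# a range expression for the port span (values in network byte order) and a
# masked mark compare. The trailing newline inside the quotes is intentional;
# printf adds a second one to mirror the blank line ending the -vv dump.
EXPECT="$EXPECT_COMMON
  [ payload load 1b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 2b @ network header + 16 => reg 1 ]
  [ cmp eq reg 1 0x0000a8c0 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000011 ]
  [ limit rate 1/minute burst 5 type packets flags 0x0 ]
  [ payload load 2b @ transport header + 0 => reg 1 ]
  [ range eq reg 1 0x00000004 0x0000ffff ]
  [ meta load mark => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
  [ cmp eq reg 1 0xfeedcafe ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 9 0x00000001 ]
  [ meta set nftrace with reg 9 ]
"
check_dump "$EXPECT" -vv "${RULE[@]}"

# --compat: full 4b address loads masked with bitwise, and the limit/udp/mark
# matches plus the TRACE target go through the xtables compat expressions.
EXPECT="$EXPECT_COMMON
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 4b @ network header + 16 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x0000a8c0 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000011 ]
  [ match name limit rev 0 ]
  [ match name udp rev 0 ]
  [ match name mark rev 1 ]
  [ counter pkts 0 bytes 0 ]
  [ target name TRACE rev 0 ]
"
check_dump "$EXPECT" --compat -vv "${RULE[@]}"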