I am only assuming here. I made a mistake, and I should make it clear: Link Layer header would be: 6 bytes destination (MAC) address, 6 bytes source (MAC) address, 4 bytes likely the 802.1Q Priority tag, 2 bytes are likely the ethertype... and the packet continues after... > [ payload load 2b @ link header + 12 => reg 1 ] Means match the first half of the 802.1Q header. This is the TPID or Tag Protocol Identifier. Consider the IANA registry for IEEE registered ethernet protocols here: https://iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml A value of 0x8100 is the 'Customer VLAN' tag; a standard VLAN tag. > [ cmp eq reg 1 0x00000081 ] It appears to compare the 'tag space' to '0x81'; though, it may be 'big byte order, little endian bit order' encoding... I am unsure. If all little endian, the match is wrong, if 'big byte, little bit' endian; the match is correct. > [ payload load 1b @ link header + 14 => reg 1 ] Now, match the Priority Code Point/Drop Eligible Indicator/Virtual LAN ID. > [ bitwise reg 1 = ( reg 1 & 0x0000001f ) ^ 0x000000c0 ] Considering the input: > $ sudo nft --debug=netlink add rule netdev t out vlan pcp set 6 counter Then the result is: Source (binary LE): 00000110 AND 31 (low 5 bits): NNNYYYYY -> retain the value of 6 XOR 192 (high 2 bits): 11000110 -> Decimal value of 198 Instead of matching a priority of 6, it is matching a priority of 198. sunny
