Re: [RFC PATCH nft userspace] nft: connlabel matching support

Patrick McHardy <kaber@xxxxxxxxx> wrote:
> > So, same problem there: EXPR_LIST == cmp neq.  Is that intentional?
> > It seems wrong to me, e.g.  "tcp flags fin,syn" will match virtually all
> > tcp packets.
> > 
> > Maybe netlink_gen_flagcmp() should generate NFT_CMP_GT i.e.:
> >  [ bitwise reg 1 = (reg=1 & 0x00000012 ) ^ 0x00000000 ]
> >  [ cmp gt reg 1 0x00000000 ]
> > 
> > At least that would be what I would have expected :-}
> > 
> > Am I wrong?
> 
> It should actually generate a NEQ 0. Seems this was broken in commit
> aae836a7 (src: use libnftables).
> 
> Try the attached patch please.

Thanks, 'tcp flags syn,fin' now behaves as expected.

> > As a side note, experimenting a bit with tcp flags:
> > 
> > add rule filter output tcp flags & (syn|ack) == (syn|ack)
> > 
> > works fine with current master branch.  But list shows
> > 
> > "tcp flags & 18 == 18", i.e. no symbol translation.
> > 
> > Shouldn't it restore the symbolic names?
> > I think this is the very same problem that I had with my connlabel
> > dabbling, so it would be nice if it could be solved in generic way.
> 
> Most likely. Please see if the attached patch solves this.

No:
add rule filter output tcp flags & (syn|ack) == (syn|ack)
list table filter
tcp flags & 18 == 18

The expression works.