Re: [RFC PATCH nft userspace] nft: connlabel matching support

On 16. Februar 2014 17:51:32 GMT+00:00, Florian Westphal <fw@xxxxxxxxx> wrote:
>Patrick McHardy <kaber@xxxxxxxxx> wrote:
>> > So, same problem there: EXPR_LIST == cmp neq.  Is that intentional?
>> > It seems wrong to me, e.g.  "tcp flags fin,syn" will match virtually all
>> > tcp packets.
>> > 
>> > Maybe netlink_gen_flagcmp() should generate NFT_CMP_GT i.e.:
>> >  [ bitwise reg 1 = (reg=1 & 0x00000012 ) ^ 0x00000000 ]
>> >  [ cmp gt reg 1 0x00000000 ]
>> > 
>> > At least that would be what I would have expected :-}
>> > 
>> > Am I wrong?
>> 
>> It should actually generate a NEQ 0. Seems this was broken in commit
>> aae836a7 (src: use libnftables).
>> 
>> Try the attached patch please.
>
>Thanks, 'tcp flags syn,fin' now behaves as expected.

I'll push the patch, thanks.

>> > As a side note, experimenting a bit with tcp flags:
>> > 
>> > add rule filter output tcp flags & (syn|ack) == (syn|ack)
>> > 
>> > works fine with current master branch.  But list shows
>> > 
>> > "tcp flags & 18 == 18", i.e. no symbol translation.
>> > 
>> > Shouldn't it restore the symbolic names?
>> > I think this is the very same problem that I had with my connlabel
>> > dabbling, so it would be nice if it could be solved in generic way.
>> 
>> Most likely. Please see if the attached patch solves this.
>
>No:
>add rule filter output tcp flags & (syn|ack) == (syn|ack)
>list table filter
>tcp flags & 18 == 18
>
>The expression works.

I'll look into it in about an hour.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
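As an added illustration, not code from nft or from either poster, the C below models the "bitwise + cmp" instruction pair shown in the quoted bytecode dump and checks the two behaviours discussed in the thread: that a flag list such as "tcp flags fin,syn" must compile to (flags & mask) != 0 (and that the proposed "cmp gt 0" is equivalent for an unsigned register), and that a masked comparison such as "tcp flags & (syn|ack) == (syn|ack)" only matches when exactly those bits are set within the mask. It also includes the symbolic rendering of a flags value (18 back to "syn,ack") that the listing was missing. The flag bit values are the standard TCP header bits; all function and type names are my own and not nft's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard TCP flag bits as they sit in the header's flags octet, which is
 * the value the payload expression loads into the register. */
enum {
    TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_PSH = 0x08,
    TCP_ACK = 0x10, TCP_URG = 0x20, TCP_ECN = 0x40, TCP_CWR = 0x80,
};

enum cmp_op { CMP_EQ, CMP_NEQ, CMP_GT };

/* Hypothetical model of the pair shown in the quoted bytecode:
 *   [ bitwise reg 1 = (reg=1 & mask) ^ xorv ]
 *   [ cmp <op> reg 1 <data> ]
 */
struct flagcmp {
    uint32_t mask, xorv, data;
    enum cmp_op op;
};

/* Evaluate the pair against one packet's flags value; returns 1 on match. */
int flagcmp_match(const struct flagcmp *fc, uint32_t flags)
{
    uint32_t reg = (flags & fc->mask) ^ fc->xorv;
    switch (fc->op) {
    case CMP_EQ:  return reg == fc->data;
    case CMP_NEQ: return reg != fc->data;
    case CMP_GT:  return reg > fc->data;
    }
    return 0;
}

/* "tcp flags fin,syn": match if any listed flag is set -> (flags & mask) != 0 */
struct flagcmp flagcmp_any(uint32_t flags)
{
    struct flagcmp fc = { .mask = flags, .xorv = 0, .data = 0, .op = CMP_NEQ };
    return fc;
}

/* "tcp flags & mask == value": match if exactly `value` is set within mask */
struct flagcmp flagcmp_masked_eq(uint32_t mask, uint32_t value)
{
    struct flagcmp fc = { .mask = mask, .xorv = 0, .data = value, .op = CMP_EQ };
    return fc;
}

/* Is "cmp gt 0" observably identical to "cmp neq 0" for this mask over every
 * possible flags octet?  Returns 1 if so. */
int flagcmp_gt_equals_neq(uint32_t mask)
{
    struct flagcmp neq = flagcmp_any(mask);
    struct flagcmp gt = neq;
    uint32_t f;

    gt.op = CMP_GT;
    for (f = 0; f < 256; f++)
        if (flagcmp_match(&neq, f) != flagcmp_match(&gt, f))
            return 0;
    return 1;
}

/* Render a flags value symbolically ("syn,ack" for 0x12) into buf; bits with
 * no known name are emitted as a trailing hex remainder.  Returns buf. */
char *tcp_flags_symbolic(uint32_t flags, char *buf, size_t len)
{
    static const struct { uint32_t bit; const char *name; } tbl[] = {
        { TCP_FIN, "fin" }, { TCP_SYN, "syn" }, { TCP_RST, "rst" },
        { TCP_PSH, "psh" }, { TCP_ACK, "ack" }, { TCP_URG, "urg" },
        { TCP_ECN, "ecn" }, { TCP_CWR, "cwr" },
    };
    size_t i, n = 0;

    buf[0] = '\0';
    for (i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++) {
        if (!(flags & tbl[i].bit))
            continue;
        if (n < len)
            n += snprintf(buf + n, len - n, "%s%s", n ? "," : "", tbl[i].name);
        flags &= ~tbl[i].bit;
    }
    if (flags && n < len)
        snprintf(buf + n, len - n, "%s0x%x", n ? "," : "", flags);
    return buf;
}

/* Convenience wrapper with a static buffer, for one-off printing. */
const char *tcp_flags_str(uint32_t flags)
{
    static char buf[64];
    return tcp_flags_symbolic(flags, buf, sizeof(buf));
}

int main(void)
{
    struct flagcmp any = flagcmp_any(TCP_FIN | TCP_SYN);
    struct flagcmp synack = flagcmp_masked_eq(TCP_SYN | TCP_ACK, TCP_SYN | TCP_ACK);

    printf("tcp flags %s: pure ack matches=%d, syn/ack matches=%d\n",
           tcp_flags_str(any.mask), flagcmp_match(&any, TCP_ACK),
           flagcmp_match(&any, TCP_SYN | TCP_ACK));
    printf("tcp flags & %s == %s: syn-only matches=%d\n",
           tcp_flags_str(synack.mask), tcp_flags_str(synack.data),
           flagcmp_match(&synack, TCP_SYN));
    printf("gt 0 equivalent to neq 0: %d\n", flagcmp_gt_equals_neq(any.mask));
    return 0;
}
```

The "virtually all tcp packets" symptom in the thread is what you get when the comparison after the bitwise step is anything other than a test against zero: with a pure ACK the masked register is 0 and must not match, which the NEQ 0 (or GT 0) form gets right.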