On Mon, Feb 17, 2014 at 11:16:44AM +0100, Pablo Neira Ayuso wrote:
> On Sun, Feb 16, 2014 at 10:43:32PM +0000, Patrick McHardy wrote:
> > On Sun, Feb 16, 2014 at 11:42:02PM +0100, Pablo Neira Ayuso wrote:
> > > nft add rule filter input ct state established,related counter drop
> > >
> > > is not matching here due to a wrong comparison in the rule:
> > >
> > > ip filter input 20 19
> > >   [ ct load state => reg 1 ]
> > >   [ bitwise reg 1 = (reg=1 & 0x00000006 ) ^ 0x00000000 ]
> > >   [ cmp neq reg 1 0x00000006 ] <----- this has to be zero
> > >   [ counter pkts 0 bytes 0 ]
> > >   [ immediate reg 0 drop ]
> > >
> > > There's a line that generates the value from the right-hand
> > > expression which was not in the original code. This bug was
> > > introduced in aae836a ("src: use libnftables").
> >
> > I already pushed that patch two or three hours ago.
>
> Thanks Patrick. I noticed this when testing state established,related.
> Please, send your patches to nf-devel next time, I would have noticed
> and saved that time.

I actually did, but it was buried inside a thread with Florian.

Some related patches coming up soon ...
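As an added illustration (not code from the thread or from nftables), the snippet below is a tiny interpreter for the three instructions quoted above and shows which conntrack states the rule selects with the emitted compare value 0x6 versus the intended 0x0; the ct state bit values are assumed from the kernel's NF_CT_STATE_BIT() encoding and the nft cmp semantics (a failed compare ends evaluation of the rule) are assumed as well.

```python
# Added example, not part of the original mail: simulate
#   [ ct load state => reg 1 ]
#   [ bitwise reg 1 = (reg=1 & 0x00000006 ) ^ 0x00000000 ]
#   [ cmp neq reg 1 <value> ]
# and report which ct states reach the "counter drop" part of the rule.

# Assumed ct state bit values (NF_CT_STATE_BIT() in the kernel):
# invalid=0x1, established=0x2, related=0x4, new=0x8.
CT_STATE = {"invalid": 0x1, "established": 0x2, "related": 0x4, "new": 0x8}

MASK = 0x6          # established | related, as in the bitwise instruction
XOR = 0x0           # the "^ 0x00000000" part of the bitwise instruction

BUGGY_CMP = 0x6     # value emitted by the broken code
FIXED_CMP = 0x0     # "this has to be zero"


def run_rule(ct_state: int, cmp_value: int) -> bool:
    """Return True when the rule matches a packet carrying ct_state.

    Assumed cmp semantics: 'cmp neq' continues when reg1 != value and
    breaks out of the rule (no match) when reg1 == value.
    """
    reg1 = ct_state                 # [ ct load state => reg 1 ]
    reg1 = (reg1 & MASK) ^ XOR      # [ bitwise reg 1 = (reg1 & 0x6) ^ 0x0 ]
    return reg1 != cmp_value        # [ cmp neq reg 1 cmp_value ]


def matched_states(cmp_value: int) -> set:
    """Names of the single-state packets the rule drops for a given compare value."""
    return {name for name, bits in CT_STATE.items() if run_rule(bits, cmp_value)}


if __name__ == "__main__":
    # With 0x0 the masked register is non-zero exactly for established/related.
    print("fixed :", sorted(matched_states(FIXED_CMP)))
    # With 0x6 a single-state packet can never mask to 0x6, so the compare
    # no longer singles out established/related at all.
    print("buggy :", sorted(matched_states(BUGGY_CMP)))
```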