Florian Westphal <fw@xxxxxxxxx> wrote:
> nft fails to parse certain corner-cases, for example:
>
> nft add rule filter input meta rtclassid daddr
>
> ... as it finds DADDR token. However, 'daddr' might be a valid
> routing realm listed in iproute2/rt_realms, so this should be allowed.
>
> Pablo suggested to change the start conditions in the scanner
> accordingly.
>
> After this patch, the following rule works:
>
> ct label & (foobar | saddr) == saddr ip saddr 1.2.3.4 rtclassid { 42, cosmos, rule}
Note that this will not work:
ct label eq foobar
(we disabled eq token, eq is expected to be name of label).
&, ==, !=, etc. will continue to work.
Not sure if thats a bug or feature -- it would be easy to just
remove the <INITIAL> from "eq" so that we continue to recognize
it as "==", but it means that its not possible to use eq, lt, gt,
and so on as usernames, rtclassids, etc etc.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
