Florian Westphal <fw@xxxxxxxxx> wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > nft fails to parse certain corner-cases, for example:
> >
> > nft add rule filter input meta rtclassid daddr
> >
> > ... as it finds DADDR token. However, 'daddr' might be a valid
> > routing realm listed in iproute2/rt_realms, so this should be allowed.
> >
> > Pablo suggested to change the start conditions in the scanner
> > accordingly.
> >
> > After this patch, the following rule works:
> >
> > ct label & (foobar | saddr) == saddr ip saddr 1.2.3.4 rtclassid { 42, cosmos, rule}
>
> Note that this will not work:
>
> ct label eq foobar
This patch doesn't work, we can return from literal mode too early.
rtclassid { rule, saddr }
we will leave literal mode after 'rule' so we choke on the SADDR token.
I'm flagging this as 'rejected' and will see if this can be fixed somehow.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
