Shivani Bhardwaj <shivanib134@xxxxxxxxx> wrote:
> Add translation for connlabel to nftables.
> Full translation for this match awaits the support for --set option.

Hmm, I sent patches for that a while ago, don't know why they were not applied... Pablo?

> Examples:
>
> $ sudo iptables-translate -A INPUT -m connlabel --label eth0-in
> nft add rule ip filter INPUT ct label eth0-in counter

Looks good, thanks!

> $ sudo iptables-translate -A INPUT -m connlabel ! --label eth0-out
> nft add rule ip filter INPUT ct label != eth0-out counter

This one however is not correct.

It will match when eth0-out is not set, yes, but it will also match if eth0-out and something else is also set.

(!= generates
  [ cmp neq reg 1 0x00000004 0x00000000 0x00000000 0x00000000 ]
)

This should do the same thing as the -m connlabel ! --label ... command:

nft add rule ip filter INPUT ct label & eth0-in != eth0-in counter

  [ ct load label => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00000004 0x00000000 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
  [ cmp neq reg 1 0x00000004 0x00000000 0x00000000 0x00000000 ]

... so we load labels, then mask out everything except eth0-in, then we check that this bit was not set.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
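The point made in the reply above, as an added example that is not part of the original thread or of the iptables/nftables source: a small Python model of the 128-bit ct label bitmap and of the two nft rule forms, showing why a plain `ct label != X` diverges from `-m connlabel ! --label X` as soon as a second label is set, and a translate() helper that emits the masked form. The label-to-bit mapping (eth0-in, eth0-out, vpn) is constructed for illustration; only the 0x00000004 register value for the label under discussion is taken from the message.

```python
# Added example (not from the thread or from iptables-translate).
# Models nft's ct label match semantics on a 128-bit label bitmap.

# Constructed label-to-bit mapping, standing in for connlabel.conf.
# "eth0-out" -> bit 2 gives the 0x00000004 register value seen in the message.
LABEL_BITS = {"eth0-in": 1, "eth0-out": 2, "vpn": 5}


def label_mask(name):
    """128-bit bitmap with only the bit for `name` set."""
    return 1 << LABEL_BITS[name]


def ct_labels(*names):
    """Build a connection's label bitmap from label names (constructed input)."""
    bitmap = 0
    for n in names:
        bitmap |= label_mask(n)
    return bitmap


def regs(value):
    """Render a 128-bit value as the four 32-bit words nft prints in its netlink debug dump."""
    return " ".join("0x%08x" % ((value >> (32 * i)) & 0xFFFFFFFF) for i in range(4))


def xt_connlabel_match(labels, name, negate):
    """Reference semantics of `-m connlabel [!] --label NAME`: is the bit (not) set?"""
    is_set = bool(labels & label_mask(name))
    return not is_set if negate else is_set


def nft_label_set(labels, name):
    """`ct label NAME`: bitwise reg1 = reg1 & MASK; cmp eq reg1 MASK. True iff the bit is set."""
    mask = label_mask(name)
    return (labels & mask) == mask


def nft_neq(labels, name):
    """`ct label != NAME`: ct load label => reg1; cmp neq reg1 MASK.
    True whenever the whole bitmap differs from exactly MASK, so it also fires
    when NAME is set together with any other label."""
    return labels != label_mask(name)


def nft_masked_neq(labels, name):
    """`ct label & NAME != NAME`: load, bitwise (reg1 & MASK) ^ 0, cmp neq reg1 MASK.
    True iff the bit for NAME is clear, matching -m connlabel ! --label NAME."""
    mask = label_mask(name)
    reg1 = (labels & mask) ^ 0  # the bitwise expr: (reg & mask) ^ xor, with xor all-zero
    return reg1 != mask


def translate(label, negate):
    """nft rule text for `-A INPUT -m connlabel [!] --label LABEL`, using the masked form for negation."""
    if negate:
        return f"nft add rule ip filter INPUT ct label & {label} != {label} counter"
    return f"nft add rule ip filter INPUT ct label {label} counter"


def disagreement(labels, name):
    """True when the plain != translation matches but the real connlabel match would not."""
    return nft_neq(labels, name) != xt_connlabel_match(labels, name, negate=True)


if __name__ == "__main__":
    for conn in (ct_labels(), ct_labels("eth0-out"), ct_labels("eth0-out", "vpn")):
        print(regs(conn), "plain != :", nft_neq(conn, "eth0-out"),
              "masked != :", nft_masked_neq(conn, "eth0-out"),
              "xt ! --label :", xt_connlabel_match(conn, "eth0-out", True))
    print(translate("eth0-out", negate=True))
```

Running the block prints one line per constructed connection; the third one (eth0-out plus vpn) is the case where the plain `!=` fires although the label is set, while the masked form and the reference connlabel semantics both say "no match".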