Jan Engelhardt <jengelh@xxxxxxx> wrote:
>
> On Wednesday 2016-06-22 18:14, Florian Westphal wrote:
> >Laura Garcia Liebana <nevola@xxxxxxxxx> wrote:
> >> Add support for inverted state and status bitwise value list required in the
> >> ct match.
> >>
> >> Before this patch, nft didn't support the rule:
> >>
> >> $ nft add rule ip filter INPUT ct state != new,related counter accept
> >> <cmdline>:1:41-41: Error: syntax error, unexpected comma, expecting end of file or newline or semicolon
> >> add rule ip filter INPUT ct state != new,related counter accept
> >                                          ^
> >I don't like nft foo,bar syntax since
> >
> >'state new,related' looks a lot like 'state { new, related }' but it's not the same...
>
> What is the difference? More specifically, why is there a difference?

state { new, related } asks nft to perform a lookup in an anonymous set
with the key values new and related and check if there is a matching key.

> That appears to be a bad pitfall for users. (And as such, choosing
> different symbols like the pipe symbol does not cure the issue of
> confusion.)

The | already works, and in fact 'state new|related' is displayed as
'state new, related'.

state { new | related } would ask nft to perform a lookup in an anonymous set,
but that set would have just one value, namely the result of '4|8': 12.
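
The difference described in the message above, as an added example that is not part of the original thread and is not nftables code: a small Python model of the flag match versus the anonymous-set lookup. The bit values for related (4) and new (8) come from the message; the function names, the extra established value and the ct status sample are assumptions made for the illustration.

```python
# Added illustration, not nftables source. related=4 and new=8 are the values
# quoted in the thread ('4|8' = 12); established=2 is an extra sample state.
CT_STATE = {"established": 2, "related": 4, "new": 8}
# Assumed sample of ct status flags, where several bits can be set at once.
CT_STATUS = {"seen-reply": 2, "assured": 4, "confirmed": 8}

def or_flags(names, table):
    """OR a list of flag names into a single integer."""
    mask = 0
    for name in names:
        mask |= table[name]
    return mask

def flag_match(value, names, table=CT_STATE):
    """Model of 'ct state new,related' (same as 'new|related'):
    true if any of the listed bits is set in the value."""
    return (value & or_flags(names, table)) != 0

def anon_set(*elements, table=CT_STATE):
    """Model of '{ ... }': each element becomes one exact key.
    An element written with '|' is OR-ed first, so it is ONE key."""
    return {or_flags(names, table) for names in elements}

def set_match(value, keys):
    """Set lookup: the whole value must equal one of the keys."""
    return value in keys

def compare(value):
    """Evaluate the three spellings from the thread for one ct state value."""
    return {
        "new,related": flag_match(value, ["new", "related"]),
        "{ new, related }": set_match(value, anon_set(["new"], ["related"])),
        "{ new | related }": set_match(value, anon_set(["new", "related"])),
    }

if __name__ == "__main__":
    for name, value in CT_STATE.items():
        print(name, compare(value))
    # Constructed multi-bit status word: seen-reply | assured | confirmed = 14.
    status = or_flags(["seen-reply", "assured", "confirmed"], CT_STATUS)
    print("status flag match:", flag_match(status, ["assured"], CT_STATUS))
    print("status set lookup:",
          set_match(status, anon_set(["assured"], table=CT_STATUS)))
```

For a ct state value, which carries a single bit, the first two spellings agree and '{ new | related }' matches nothing; for a multi-bit field such as the constructed status word, the flag match and the set lookup give different answers.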