At 2016-07-16 17:04:39, "Florian Westphal" <fw@xxxxxxxxx> wrote:
>Liping Zhang <zlpnobody@xxxxxxx> wrote:
>>
>> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
>> nft add rule ip filter INPUT ct label set bit40 ct label != bit40 counter
>
>Should probably be:
>
>... ct label and bit40 != bit40 ...
>
>!= bit40 will be true if bit40 and another bit is set.

Right, "ct label bit40" and "ct label != bit40" have different semantics:

# nft add rule filter input ct label bit40 --debug=netlink
ip filter input
  [ ct load label => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00000000 0x00000100 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
  [ cmp neq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]

# nft add rule filter input ct label != bit40 --debug=netlink
ip filter input
  [ ct load label => reg 1 ]
  [ cmp neq reg 1 0x00000000 0x00000100 0x00000000 0x00000000 ]

Will send V2 later, Thanks.
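As an added illustration (not code from the thread or from nftables), the Python below models the three rule variants as the register operations shown in the --debug=netlink output above and evaluates them against a label with only bit40 set and one with an extra bit set. The 4 x 32-bit lowest-word-first layout, the op names and the run_bytecode evaluator are assumptions of this model, not nft internals.

```python
LABEL_BITS = 128  # conntrack labels are 128-bit bitmaps

def label_mask(*bits):
    """128-bit mask with the given label bits set (bit40 -> 1 << 40)."""
    mask = 0
    for b in bits:
        if not 0 <= b < LABEL_BITS:
            raise ValueError(f"label bit {b} out of range")
        mask |= 1 << b
    return mask

def to_words(value):
    """Split a 128-bit value into four 32-bit words, lowest word first;
    assumed to match the --debug=netlink layout (bit40 -> word 1 = 0x100)."""
    return [(value >> (32 * i)) & 0xFFFFFFFF for i in range(4)]

def run_bytecode(label, ops):
    """Evaluate a tiny model of the quoted netlink ops against one label.
    Returns True when every cmp in the rule matches."""
    reg1 = 0
    for op in ops:
        if op[0] == "ct load label":
            reg1 = label
        elif op[0] == "bitwise":  # reg1 = (reg1 & and_mask) ^ xor_mask
            reg1 = (reg1 & op[1]) ^ op[2]
        elif op[0] == "cmp neq":
            if reg1 == op[1]:
                return False
        else:
            raise ValueError(f"unsupported op {op[0]!r}")
    return True

BIT40 = label_mask(40)
RULES = {
    # "ct label bit40": mask the register, then require a non-zero result
    "ct label bit40": [("ct load label",), ("bitwise", BIT40, 0), ("cmp neq", 0)],
    # "ct label != bit40": unmasked compare of the whole 128-bit label
    "ct label != bit40": [("ct load label",), ("cmp neq", BIT40)],
    # "ct label and bit40 != bit40": the masked form Florian suggests
    "ct label and bit40 != bit40": [("ct load label",), ("bitwise", BIT40, 0), ("cmp neq", BIT40)],
}

def evaluate(label):
    """Map each rule to whether it matches a packet carrying this label."""
    return {name: run_bytecode(label, ops) for name, ops in RULES.items()}

if __name__ == "__main__":
    for desc, lbl in (("no bits", 0), ("bit40 only", BIT40), ("bit40 + bit3", label_mask(40, 3))):
        print(f"{desc:12} words={[hex(w) for w in to_words(lbl)]} {evaluate(lbl)}")
```

With bit40 plus any other bit set, the unmasked "ct label != bit40" still matches, so the translated rule would fire on connections that already carry the label; the masked form does not.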