Alexander Mikhalitsyn <alexander.mikhalitsyn@xxxxxxxxxxxxx> wrote:
> The status_xlate_print function prints the statusmask
> without { ... } around it. But if the ctstatus condition is
> negative, then we have to use { ... } after the "!=" operator in nft.

Not really.

> Reproducer:
> $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
> $ nft list ruleset
> ...
> meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
> ...

Yes, nft can't parse that. But ct status { expect, assured } is NOT
the same as 'ct status expect,assured'.

expect, assured etc. are all bit flags, so when negating this needs
to be something like 'ct status & (expected|assured) == 0'.
(ct is neither expected nor assured).
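An added illustration, not code from the thread or from iptables/nftables: it models the inverted iptables match, the bitmask translation proposed above and the set form over every combination of status bits, and shows which one disagrees. Flag values assume the kernel's IPS_* bit positions (expected=bit 0, seen-reply=bit 1, assured=bit 2, confirmed=bit 3); the helper names are invented.

```python
# Constructed model of the three semantics discussed in the thread.
# Bit positions follow the kernel IPS_*_BIT numbering (an assumption here).
FLAGS = {"expected": 1 << 0, "seen-reply": 1 << 1,
         "assured": 1 << 2, "confirmed": 1 << 3}

def mask_of(names):
    m = 0
    for n in names:
        m |= FLAGS[n]
    return m

def iptables_ctstatus(status, names, invert):
    # xt_conntrack semantics: match when ANY listed bit is set; '!' flips it.
    hit = (status & mask_of(names)) != 0
    return hit != invert

def nft_bitmask_eq_zero(status, names):
    # 'ct status & (expected|assured) == 0': no listed bit is set.
    return (status & mask_of(names)) == 0

def nft_set_ne(status, names):
    # 'ct status != { expected, assured }': whole value is not one of the set
    # members, which ignores any other bits that happen to be set.
    return status not in {FLAGS[n] for n in names}

def disagreements(names):
    # Compare both nft forms against the inverted iptables match for every
    # possible status value; returns (form, status) pairs that differ.
    bad = []
    for st in range(1 << len(FLAGS)):
        want = iptables_ctstatus(st, names, invert=True)
        if nft_bitmask_eq_zero(st, names) != want:
            bad.append(("bitmask", st))
        if nft_set_ne(st, names) != want:
            bad.append(("set", st))
    return bad

def xlate_ctstatus(names, invert):
    # The translation a status_xlate_print would need for the negated case.
    if not invert:
        return "ct status " + ",".join(names)
    return "ct status & (" + "|".join(names) + ") == 0"
```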