Re: [iptables PATCH v2 2/2] extensions: libxt_conntrack: print xlate status as set

Hi Florian,

Thank you!
So, I need to fix nft and support that syntax?

Do I understand correctly that the same issue exists for state flags like
"established, related, ..."?

Regards,
Alex

________________________________________
From: Florian Westphal <fw@xxxxxxxxx>
Sent: Tuesday, March 30, 2021 20:39
To: Alexander Mikhalitsyn
Cc: netfilter-devel@xxxxxxxxxxxxxxx; pablo@xxxxxxxxxxxxx; fw@xxxxxxxxx
Subject: Re: [iptables PATCH v2 2/2] extensions: libxt_conntrack: print xlate status as set

Alexander Mikhalitsyn <alexander.mikhalitsyn@xxxxxxxxxxxxx> wrote:
> status_xlate_print function prints statusmask
> without { ... } around. But if ctstatus condition is
> negative, then we have to use { ... } after "!=" operator in nft

Not really.

> Reproducer:
> $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
> $ nft list ruleset
> ...
> meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
> ...

Yes, nft can't parse that.

But ct status { expected, assured } is NOT the same as 'ct status expected,assured'.

expected, assured etc. are all bit flags, so when negating this needs to be something
like 'ct status & (expected|assured) == 0'. (ct is neither expected nor assured).
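To make the difference concrete, here is a small comparison of the three candidate semantics (the iptables match, the set form `ct status != { expected, assured }`, and the bitmask form `ct status & (expected|assured) == 0`), added as an illustration and not part of the patch or of either message. The IPS_* bit values are the kernel's from nf_conntrack_common.h; the function names are my own.

```python
# Added example: evaluates a negated conntrack status match under three
# candidate semantics over every combination of four status bits.
# Bit values follow the kernel's IPS_* definitions
# (include/uapi/linux/netfilter/nf_conntrack_common.h).
EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED = 1 << 0, 1 << 1, 1 << 2, 1 << 3
FLAGS = {"expected": EXPECTED, "seen-reply": SEEN_REPLY,
         "assured": ASSURED, "confirmed": CONFIRMED}


def mask_of(names):
    """OR together the named status bits, e.g. ("expected", "assured") -> 5."""
    mask = 0
    for name in names:
        mask |= FLAGS[name]
    return mask


def iptables_ctstatus(status, mask, invert):
    """xt_conntrack semantics: '--ctstatus a,b' matches when any listed bit
    is set; '! --ctstatus a,b' matches when none of them is set."""
    any_bit_set = (status & mask) != 0
    return any_bit_set != invert


def nft_set_negation(status, names):
    """'ct status != { a, b }': true unless status equals exactly one of the
    listed values, so a status carrying extra bits still matches."""
    return status not in {FLAGS[n] for n in names}


def nft_mask_negation(status, names):
    """'ct status & (a|b) == 0': true when none of the listed bits is set."""
    return (status & mask_of(names)) == 0


def disagreements(names=("expected", "assured")):
    """Return the status values where the set form gives a different answer
    than '! --ctstatus', after checking that the mask form never does."""
    mask = mask_of(names)
    wrong = []
    for status in range(16):  # every combination of the four bits above
        want = iptables_ctstatus(status, mask, invert=True)
        assert nft_mask_negation(status, names) == want
        if nft_set_negation(status, names) != want:
            wrong.append(status)
    return wrong


if __name__ == "__main__":
    # assured|confirmed (12) is a typical established flow: the set form
    # would still DROP it, the mask form correctly lets it through.
    print("set form diverges for status values:", disagreements())
```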
