Alexander Mikhalitsyn <alexander.mikhalitsyn@xxxxxxxxxxxxx> wrote:
> At the moment, status_xlate_print function prints statusmask as comma-separated
> sequence of enabled statusmask flags. But if we have inverted conntrack ctstatus
> condition then we have to use more complex expression (if more than one flag enabled)
> because nft does not support syntax like "ct status != expected,assured".
>
> Examples:
> ! --ctstatus CONFIRMED,ASSURED
> should be translated as
> ct status & (assured|confirmed) == 0
>
> ! --ctstatus CONFIRMED
> can be translated as
> ct status != confirmed

"! --ctstatus CONFIRMED" means 'true if CONFIRMED bit is not set'

But "ct status != confirmed" means 'true if ct status contains any value except confirmed'.

Example: ct->status has confirmed and assured bits set.

Then:

"! --ctstatus CONFIRMED" won't match (the bit is set).

ct status != confirmed returns true (3 != 1)

ct (status & confirmed) == 0 won't match (the bit is set).
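The disagreement above can be checked exhaustively. The following C program is an added example written for this page; it is not code from the iptables tree, from the patch, or from the reply. It models the inverted `--ctstatus` match the way xt_conntrack evaluates it (match when none of the masked bits is set), evaluates both candidate nft translations against every combination of four status bits, and renders the bitwise form that is correct for any mask, single flag or not. The `IPS_*` bit values follow the kernel's nf_conntrack_common.h, so the numbers differ from the illustrative `3 != 1` in the reply, but the outcome is the same; the flag-name table and `xlate_inverted_ctstatus` are this example's own, not the `status_xlate_print` function the patch modifies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit values as in the kernel's IPS_* definitions (nf_conntrack_common.h);
 * the comparison below does not depend on the exact positions. */
#define IPS_EXPECTED   (1u << 0)
#define IPS_SEEN_REPLY (1u << 1)
#define IPS_ASSURED    (1u << 2)
#define IPS_CONFIRMED  (1u << 3)

#define ALL_STATUS_BITS (IPS_EXPECTED | IPS_SEEN_REPLY | IPS_ASSURED | IPS_CONFIRMED)

/* iptables --ctstatus semantics: the plain form matches when ANY masked bit
 * is set in ct->status; the "!" form matches when NONE of them is set. */
bool xt_ctstatus_match(uint32_t status, uint32_t mask, bool invert)
{
    bool any_set = (status & mask) != 0;
    return invert ? !any_set : any_set;
}

/* Candidate translation 1: "ct status != <mask>" (whole-value inequality). */
bool nft_status_ne(uint32_t status, uint32_t mask)
{
    return status != mask;
}

/* Candidate translation 2: "ct status & <mask> == 0" (bitwise test). */
bool nft_status_and_zero(uint32_t status, uint32_t mask)
{
    return (status & mask) == 0;
}

/* Enumerate every status value over the four bits and count how often a
 * translation disagrees with the inverted iptables match it claims to express. */
int count_mismatches(uint32_t mask, bool (*xlate)(uint32_t, uint32_t))
{
    int mismatches = 0;
    for (uint32_t status = 0; status <= ALL_STATUS_BITS; status++)
        if (xlate(status, mask) != xt_ctstatus_match(status, mask, true))
            mismatches++;
    return mismatches;
}

/* Render "! --ctstatus <mask>" in the bitwise form for any mask, listing
 * flags in ascending bit order (assured before confirmed, as in the patch
 * description) and adding parentheses only when more than one flag is set.
 * Returns the number of characters written (hypothetical helper, not
 * iptables' status_xlate_print). */
int xlate_inverted_ctstatus(uint32_t mask, char *out, size_t len)
{
    static const struct { uint32_t bit; const char *name; } flags[] = {
        { IPS_EXPECTED,   "expected"   },
        { IPS_SEEN_REPLY, "seen-reply" },
        { IPS_ASSURED,    "assured"    },
        { IPS_CONFIRMED,  "confirmed"  },
    };
    size_t nflags = sizeof flags / sizeof flags[0];
    int set = 0;
    for (size_t i = 0; i < nflags; i++)
        if (mask & flags[i].bit)
            set++;

    int n = snprintf(out, len, "ct status & %s", set > 1 ? "(" : "");
    bool first = true;
    for (size_t i = 0; i < nflags; i++) {
        if (!(mask & flags[i].bit))
            continue;
        n += snprintf(out + n, len - (size_t)n, "%s%s", first ? "" : "|", flags[i].name);
        first = false;
    }
    n += snprintf(out + n, len - (size_t)n, "%s == 0", set > 1 ? ")" : "");
    return n;
}

int main(void)
{
    char expr[80];
    uint32_t status = IPS_CONFIRMED | IPS_ASSURED;   /* constructed ct->status */

    printf("! --ctstatus CONFIRMED on confirmed|assured: %s\n",
           xt_ctstatus_match(status, IPS_CONFIRMED, true) ? "match" : "no match");
    printf("ct status != confirmed:     %s\n",
           nft_status_ne(status, IPS_CONFIRMED) ? "match" : "no match");
    printf("ct status & confirmed == 0: %s\n",
           nft_status_and_zero(status, IPS_CONFIRMED) ? "match" : "no match");
    printf("'!=' disagrees with iptables on %d of 16 status values\n",
           count_mismatches(IPS_CONFIRMED, nft_status_ne));
    xlate_inverted_ctstatus(IPS_CONFIRMED | IPS_ASSURED, expr, sizeof expr);
    printf("%s\n", expr);
    return 0;
}
```

With the mask set to a single flag, the `!=` form disagrees with the iptables match on every status that has the confirmed bit set together with any other bit (seven of the sixteen combinations), while the bitwise form never disagrees; that is why the bitwise form is the safe translation regardless of how many flags are in the mask.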