On Wed, 31 Mar 2021 12:58:52 +0200 Florian Westphal <fw@xxxxxxxxx> wrote:

> Alexander Mikhalitsyn <alexander.mikhalitsyn@xxxxxxxxxxxxx> wrote:
> > At the moment, status_xlate_print function prints statusmask as comma-separated
> > sequence of enabled statusmask flags. But if we have inverted conntrack ctstatus
> > condition then we have to use more complex expression (if more than one flag enabled)
> > because nft does not support syntax like "ct status != expected,assured".
> >
> > Examples:
> > ! --ctstatus CONFIRMED,ASSURED
> > should be translated as
> > ct status & (assured|confirmed) == 0
> >
> > ! --ctstatus CONFIRMED
> > can be translated as
> > ct status != confirmed
>
> "! --ctstatus CONFIRMED" means 'true if CONFIRMED bit is not set'.
> But "ct status != confirmed" means 'true if ct status contains any value
> except confirmed'.
>
> Example: ct->status has confirmed and assured bits set.
> Then:
> "! --ctstatus CONFIRMED" won't match (the bit is set).
> ct status != confirmed returns true (3 != 1)
> ct (status & confirmed) == 0 won't match (the bit is set).

Ah, sure. Fixed ;)

Alex.
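The point Florian raises is a bitmask-versus-value mismatch, and it is easy to see by enumerating every possible status word. The following Python model is an added illustration, not code from the thread, iptables or nftables: it evaluates the inverted `--ctstatus` match (any listed bit set, negated) against the two candidate nft translations, treating `ct status != confirmed` as a literal value comparison the way Florian's `3 != 1` does. The bit positions are my recollection of the kernel's `IPS_*` flags and the flag ordering in the emitted string is an assumption; the divergence result does not depend on either.

```python
# Constructed model of the conntrack status bitmask discussed in the thread.
# Bit positions are assumed (kernel IPS_* flags, from memory); the argument
# below only needs the flags to occupy distinct bits.
STATUS_BITS = {
    "expected": 1 << 0,
    "seen-reply": 1 << 1,
    "assured": 1 << 2,
    "confirmed": 1 << 3,
}


def mask_of(*flags):
    """OR the named flags into a single mask."""
    m = 0
    for f in flags:
        m |= STATUS_BITS[f]
    return m


def iptables_ctstatus(status, flags, invert=False):
    """iptables '[!] --ctstatus F1,F2': match if any listed bit is set; '!' negates.
    This follows the semantics described in the thread (a bit test, not a value compare)."""
    hit = (status & mask_of(*flags)) != 0
    return not hit if invert else hit


def nft_bitmask_zero(status, flags):
    """Alex's translation for the inverted case: ct status & (f1|f2) == 0."""
    return (status & mask_of(*flags)) == 0


def nft_not_equal(status, flags):
    """The rejected translation, read literally as a value compare: ct status != f."""
    return status != mask_of(*flags)


def divergences(flags):
    """Status words for which the '!=' form disagrees with the inverted iptables match."""
    out = []
    for status in range(1 << len(STATUS_BITS)):
        want = iptables_ctstatus(status, flags, invert=True)
        if nft_not_equal(status, flags) != want:
            out.append(status)
    return out


def xlate_inverted(flags):
    """Emit the nft expression for '! --ctstatus F1,F2' in the thread's form.
    Flag order follows STATUS_BITS (an assumption, chosen to match the example)."""
    chosen = [name for name in STATUS_BITS if name in flags]
    return "ct status & (%s) == 0" % "|".join(chosen)


if __name__ == "__main__":
    # Florian's example: confirmed and assured bits set.
    st = mask_of("confirmed", "assured")
    print("iptables ! --ctstatus CONFIRMED :", iptables_ctstatus(st, ("confirmed",), invert=True))
    print("nft ct status != confirmed      :", nft_not_equal(st, ("confirmed",)))
    print("nft ct status & confirmed == 0  :", nft_bitmask_zero(st, ("confirmed",)))
    print("status words where '!=' is wrong:", divergences(("confirmed",)))
    print(xlate_inverted(("confirmed", "assured")))
```

Running it shows that `!= confirmed` is wrong for every status word that has the confirmed bit set together with any other bit, while the `& mask == 0` form agrees with the inverted iptables match on all sixteen words, which is why a single-flag special case is not safe.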