On Fri, Oct 13, 2023 at 12:41:49PM +0200, Florian Westphal wrote:
> when I run sudo nft insert rule filter FORWARD iifname "ens2f1" ip saddr not @ip_macs counter drop comment \" BLOCK ALL NON REGISTERED IP/MACS \"
> I get: Error: negation can only be used with singleton bitmask values
>
> And even I did not spot the problem immediately.
>
> I don't think "not" should have been added, it's easily confused with
> "not equal"/"neq"/!= and hides that this is (allegedly) a bit operation.
>
> At least suggest to use != instead in the error message, I suspect it
> might lessen the pain.

LGTM.