Re: ct state vmap (nft noob question)

Trent W. Buck <trentbuck@xxxxxxxxx> wrote:
> [Resent because, I think, I screwed up gmane+gnus and sent it only to myself.]

> Date: Wed, 24 Jul 2019 19:53:13 +1000
> From: "Trent W. Buck" <trentbuck@xxxxxxxxx>
> To: "Trent W. Buck" <trentbuck@xxxxxxxxx>
> Subject: Re: ct state vmap (nft noob question)
> 
> trentbuck@xxxxxxxxx (Trent W. Buck) writes:
> 
> >     ct state vmap { established:accept, related:accept, invalid:drop }
> 
> This works.
> 
> >     ct state vmap { established or related: accept, invalid: drop }
> 
> This doesn't.  Why?
> 
> In the attached output, you can see that "established,related" becomes
> 0x6 (bitwise xor of the two constants 0x2 and 0x4) in all rules.
> 
> It looks to me like "ct state 0x1234" is implicitly a bitwise-and (&),
> whereas "ct state vmap { 0x1234: accept }" is implicitly an equals (==).

Yes, that's because 'state' is a bitwise type (nft describe ct state), so
'ct state established' is really 'ct state & established != 0'.
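
The following is an added illustration of the point made in this reply, not code from the thread or from nftables itself. It models the two match semantics in Python: a plain `ct state X` on a bitmask type tests `state & X != 0`, whereas a `vmap` is a set lookup, i.e. an equality test on the key. The flag constants are the values nft assigns to ct states (`nft describe ct state`); the function names and the toy packet states are the example's own. Because the kernel reports exactly one state flag per packet (new, established, related, invalid or untracked), a vmap key that combines two flags (0x6) can never equal any packet's state, which is why the single-key form works and the combined-key form does not.

```python
from typing import Dict, List, Optional

# ct state flag values as listed by `nft describe ct state`.
INVALID, ESTABLISHED, RELATED, NEW, UNTRACKED = 0x1, 0x2, 0x4, 0x8, 0x40

def ct_state_expr_match(packet_state: int, rule_value: int) -> bool:
    """'ct state X' on a bitmask type: the rule matches when any bit of X
    is set in the packet's state, i.e. (state & X) != 0."""
    return (packet_state & rule_value) != 0

def vmap_lookup(packet_state: int, vmap: Dict[int, str]) -> Optional[str]:
    """'ct state vmap { ... }' is a set lookup: the packet's state must be
    exactly equal to one of the keys. No bitwise-and is involved."""
    return vmap.get(packet_state)

def unreachable_keys(vmap: Dict[int, str]) -> List[int]:
    """Keys with more than one state bit set can never match, because a
    packet carries exactly one ct state flag at a time."""
    return [key for key in vmap if bin(key).count("1") > 1]

# The verdict map from the question that "doesn't work": the combined key
# 'established or related' is stored as the single value 0x6.
broken_vmap = {ESTABLISHED | RELATED: "accept", INVALID: "drop"}

# The verdict map that works: one key per flag value.
working_vmap = {ESTABLISHED: "accept", RELATED: "accept", INVALID: "drop"}

def verdicts_for(states: List[int], vmap: Dict[int, str]) -> List[Optional[str]]:
    """Run a list of (constructed) packet states through a verdict map."""
    return [vmap_lookup(s, vmap) for s in states]

if __name__ == "__main__":
    # Constructed sample: one packet in each of the three interesting states.
    samples = [ESTABLISHED, RELATED, INVALID]
    print("ct state established,related  ->",
          [ct_state_expr_match(s, ESTABLISHED | RELATED) for s in samples])
    print("broken vmap  ->", verdicts_for(samples, broken_vmap))
    print("working vmap ->", verdicts_for(samples, working_vmap))
    print("keys in broken vmap that can never match:",
          [hex(k) for k in unreachable_keys(broken_vmap)])
```

The expression form accepts an established packet because 0x2 & 0x6 is non-zero; the broken vmap returns no verdict for it because 0x2 != 0x6, so the packet falls through to whatever follows the rule (typically the chain policy).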


