iptables - iptables tree

diff options

author	Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>	2021-04-01 16:47:07 +0300
committer	Florian Westphal <fw@strlen.de>	2021-04-02 17:04:34 +0200
commit	18e334da7363ba186edb1700056e26ded27ca5ba (patch)
tree	6414b4336a8e9879edcb7bdebda37dd8ebe54dd4 /iptables/nft.h
parent	831f57c7fbdc8d79e34b1d7d81ca6f6a8e6bae87 (diff)

extensions: libxt_conntrack: use bitops for state negation

Currently, state_xlate_print function prints statemask as comma-separated sequence of enabled statemask flags. But if we have inverted conntrack ctstate condition then we have to use more complex expression because nft not supports syntax like "ct state != related,established". Reproducer: $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP $ nft list ruleset ... meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop ... it will fail if we try to load this rule: $ nft -f nft_test ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> Signed-off-by: Florian Westphal <fw@strlen.de>

Diffstat (limited to 'iptables/nft.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: