src: add negation match on singleton bitmask value

This patch provides a shortcut for:

	ct status and dnat == 0

which allows to check for the packet whose dnat bit is unset:

  # nft add rule x y ct status ! dnat counter

This operation is only available for expression with a bitmask basetype, eg.

  # nft describe ct status
  ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 7 insertions, 0 deletions

diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 0ec027f5..a44142ac 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -30,6 +30,7 @@ ct status != {expected, seen-reply, assured, confirmed, dying};ok
 ct status expected,seen-reply,assured,confirmed,snat,dnat,dying;ok
 ct status snat;ok
 ct status dnat;ok
+ct status ! dnat;ok
 ct status xxx;fail
 
 ct mark 0;ok;ct mark 0x00000000
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 9223201f..a80e5a8d 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -502,3 +502,9 @@ ip test-ip4 output
   [ ct load unknown => reg 1 ]
   [ cmp eq reg 1 0x39300000 ]
 
+# ct status ! dnat
+ip6
+  [ ct load status => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+