From e6c32b2fa0b820bc81cbb99e8ed601eabbbfac69 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 1 Feb 2021 22:21:41 +0100
Subject: src: add negation match on singleton bitmask value

This patch provides a shortcut for:

	ct status and dnat == 0

which allows to check for the packet whose dnat bit is unset:

  # nft add rule x y ct status ! dnat counter

This operation is only available for expression with a bitmask basetype, eg.

  # nft describe ct status
  ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/py/any/ct.t | 1 +
 1 file changed, 1 insertion(+)

(limited to 'tests/py/any/ct.t')

diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 0ec027f5..a44142ac 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -30,6 +30,7 @@ ct status != {expected, seen-reply, assured, confirmed, dying};ok
 ct status expected,seen-reply,assured,confirmed,snat,dnat,dying;ok
 ct status snat;ok
 ct status dnat;ok
+ct status ! dnat;ok
 ct status xxx;fail
 
 ct mark 0;ok;ct mark 0x00000000
-- 
cgit v1.2.3