At 2016-07-16 17:04:39, "Florian Westphal" <f...@strlen.de> wrote:
>Liping Zhang <zlpnob...@163.com> wrote:
>>
>> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
>> nft add rule ip filter INPUT ct label set bit40 ct label != bit40 counter
>
>Should probably be:
>
>... ct label and bit40 != bit40 ...
>
>!= bit40 will be true if bit40 and another bit is set.
Right, "ct label bit40" and "ct label != bit40" have different semantics:

# nft add rule filter input ct label bit40 --debug=netlink
ip filter input
  [ ct load label => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00000000 0x00000100 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
  [ cmp neq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]

# nft add rule filter input ct label != bit40 --debug=netlink
ip filter input
  [ ct load label => reg 1 ]
  [ cmp neq reg 1 0x00000000 0x00000100 0x00000000 0x00000000 ]

Will send V2 later, Thanks.
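The point of the thread is that a plain "ct label != bit40" compares the whole 128-bit label register, so it fires whenever any other label bit is set alongside bit40, whereas the iptables rule being translated only asks whether bit40 is clear. The script below is an added example, not code from the list post or from iptables/nftables: it models the three nft rule forms that appear above as Python predicates over a 128-bit label value, decodes the 32-bit register words from the --debug=netlink output (assuming the lowest word is printed first and word i holds label bits 32*i to 32*i+31), and enumerates sample label combinations to show exactly where the untranslated form disagrees with the iptables semantics.

```python
# Added example (not from the netfilter-devel thread): check which nft rule form
# is a faithful translation of "iptables -m connlabel ! --label bit40".
from itertools import combinations

BIT40 = 40


def words_to_int(words):
    """Turn the 32-bit words printed by 'nft --debug=netlink' into one integer.

    Assumption: the lowest word is printed first, so word i carries label
    bits 32*i .. 32*i+31.
    """
    return sum(w << (32 * i) for i, w in enumerate(words))


# The constant from the thread's second debug trace: only bit 40 set.
BIT40_VALUE = words_to_int([0x00000000, 0x00000100, 0x00000000, 0x00000000])


def iptables_negated_connlabel(label, bit=BIT40):
    """'iptables -m connlabel ! --label bitN' matches when bit N is clear."""
    return (label >> bit) & 1 == 0


def nft_label_neq(label, bit=BIT40):
    """'ct label != bitN': a plain cmp neq on the whole 128-bit register."""
    return label != (1 << bit)


def nft_label_and_neq(label, bit=BIT40):
    """'ct label and bitN != bitN': mask first, then compare (the suggested fix)."""
    return (label & (1 << bit)) != (1 << bit)


def nft_label_set(label, bit=BIT40):
    """'ct label bitN': bitwise mask, then cmp neq against zero (first debug trace)."""
    return (label & (1 << bit)) != 0


def differing_labels(candidate, bits=(3, 40, 77)):
    """Build every label from subsets of `bits` (constructed sample values) and
    return those on which the candidate nft form disagrees with the iptables rule."""
    diffs = []
    for n in range(len(bits) + 1):
        for combo in combinations(bits, n):
            label = sum(1 << b for b in combo)
            if candidate(label) != iptables_negated_connlabel(label):
                diffs.append(label)
    return diffs


if __name__ == "__main__":
    for name, form in (("ct label != bit40", nft_label_neq),
                       ("ct label and bit40 != bit40", nft_label_and_neq)):
        bad = differing_labels(form)
        print(f"{name}: {len(bad)} mismatching label value(s)")
        for label in bad:
            print(f"  label=0x{label:032x} iptables={iptables_negated_connlabel(label)} nft={form(label)}")
```

Running it shows that "ct label and bit40 != bit40" never disagrees with the iptables rule, while "ct label != bit40" wrongly matches every label that has bit40 set together with at least one other bit, which is the case Florian describes.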