Hi Pablo,
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nft_dynset-allow-to-invert-match-criteria/20160819-114223
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64-rhel
The dynset expression matches if we can fit a new entry into the set.
If there is not room for it, then it breaks the rule evaluation.
This patch introduces the inversion flag to obtain the opposite
behaviour, ie. explicity drop packets that don't fit into set.
For example:
# nft filter input
