I’m still banging my head against providing support for the inverted bitwise that I referenced in an older post. Now the challenge is not only to provide that functionality but also to simplify the code.
In the nftables source code we can currently see a function called
in the file netlink_linearize.c, which is called to generate the bitwise and cmp operations needed when the list of flags in the bitwise expression is positive (not negated), as shown below:
nft --debug=netlink add rule ip filter INPUT ct state new,related,established,untracked

ip filter INPUT
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
Now, the challenge is to improve the behavior in order to generate both operations in the evaluation phase, within the file evaluate.c creating the logic structure:
          relational (OP_NEQ)
             /            \
            /              \
           /                \
      bitwise              value
       /    \
      /      \
  ct state   mask
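To make the linearized form concrete, here is an added example (my own, not nftables code) that interprets the three netlink expressions printed above over a small register file and runs them for both the positive list and the inverted variant this work is after. The ct state bit values and the text of the inverted rule are my assumptions; the bit values reproduce the 0x4e mask shown in the debug output.

```python
import re

# Bit values of the ct state flags (assumption, taken from the kernel's
# conntrack definitions; they reproduce the 0x4e mask printed above).
CT_STATE_BITS = {"invalid": 0x01, "established": 0x02, "related": 0x04,
                 "new": 0x08, "untracked": 0x40}

def flag_mask(names):
    """OR the selected flags together: this is the 'mask' leaf of the tree."""
    mask = 0
    for name in names:
        mask |= CT_STATE_BITS[name]
    return mask

# The netlink debug output shown above for the positive list.
POSITIVE_RULE = [
    "[ ct load state => reg 1 ]",
    "[ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ]",
    "[ cmp neq reg 1 0x00000000 ]",
]
# Constructed: the inverted list (ct state != ...) keeps the same mask and
# only flips the comparison, i.e. "none of the selected flags is set".
INVERTED_RULE = POSITIVE_RULE[:2] + ["[ cmp eq reg 1 0x00000000 ]"]

CT_LOAD = re.compile(r"\[ ct load (\w+) => reg (\d+) \]")
BITWISE = re.compile(r"\[ bitwise reg (\d+) = \(reg=(\d+) & (0x[0-9a-f]+) \) "
                     r"\^ (0x[0-9a-f]+) \]")
CMP = re.compile(r"\[ cmp (eq|neq) reg (\d+) (0x[0-9a-f]+) \]")

def run_rule(lines, ct):
    """Interpret the linearized expressions over a register file.

    `ct` maps conntrack keys (e.g. "state") to 32-bit values. Returns True
    when every cmp succeeds (rule matches), False at the first failing cmp.
    """
    regs = {}
    for line in lines:
        if m := CT_LOAD.match(line):
            regs[int(m[2])] = ct[m[1]]
        elif m := BITWISE.match(line):
            dst, src = int(m[1]), int(m[2])
            mask, xor = int(m[3], 16), int(m[4], 16)
            regs[dst] = ((regs[src] & mask) ^ xor) & 0xFFFFFFFF
        elif m := CMP.match(line):
            op, reg, value = m[1], int(m[2]), int(m[3], 16)
            if (regs[reg] == value) != (op == "eq"):
                return False
        else:
            raise ValueError(f"unsupported expression: {line}")
    return True

if __name__ == "__main__":
    for state in ("new", "invalid", "untracked"):
        bit = CT_STATE_BITS[state]
        print(f"{state:11} positive={run_rule(POSITIVE_RULE, {'state': bit})} "
              f"inverted={run_rule(INVERTED_RULE, {'state': bit})}")
```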
No luck so far, but I’ll post updates on the state of this development.