<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Nftables matching packet header fields and unexpected '(': wrong wiki info or bug?"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1086">1086</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Nftables matching packet header fields and unexpected '(': wrong wiki info or bug?
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>minor
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>1000.ontheroad@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Official nftables "wiki", on the Matching-packet-header-fields section
(<a href="https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_header_fields">https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_header_fields</a>),
suggests the following example to match packets with flags SYN and ACK set:
% nft -i
nft> add rule filter output tcp flags & (syn | ack) == (syn | ack) counter log
When putting it into practice, it fails:
<cli>:1:51-51: Error: syntax error, unexpected '('
add rule filter output tcp flags & (syn | ack) == (syn | ack) counter log
^
I've discovered a workaround, removing the second brackets:
nft> add rule filter output tcp flags & (syn | ack) == syn | ack counter log
NFT CLI seems to accept it. I did not check if it works, but I've set a similar
rule to block "Xmas scans" and, checked against a Hping3 scan (-UPF option), it
seems to work fine:
nft> add rule filter input tcp flags & (fin | syn | rst | psh | ack | urg) ==
fin | psh | urg log drop
Since I've watched that erroneous syntax on other Nftables tutorials around the
net, I guess it *did* work sometime in the past, but now it's broken.
Debian Testing/Stretch
kernel 4.6.0-1-amd64
nftables 0.6-2</pre>
</div>
</p>
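<p>The rules in the report all have the form <code>tcp flags &amp; MASK == VALUE</code>: only the flag bits named in the mask are inspected, and the packet matches when exactly the bits in VALUE are set among them. The following Python is an added example, not code from the bug report or from the nftables project, that models that comparison on constructed 20-byte TCP headers so the semantics can be checked offline. It does not reproduce nft's parser, so it says nothing about which parenthesisation the CLI accepts; the helper names <code>build_tcp_header</code>, <code>parse_flag_list</code>, <code>masked_match</code> and <code>classify</code> and the rule names <code>syn-ack</code> and <code>xmas</code> are assumptions made here. It also shows something the report does not spell out: a flag outside the mask (PSH on a SYN/ACK) is ignored, whereas the Xmas rule masks all six classic flags, so an extra ACK on a FIN/PSH/URG probe breaks the match.</p>

```python
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793, with
# ECE/CWR from RFC 3168). The names mirror the nft keywords on the wiki.
FIN, SYN, RST, PSH, ACK, URG, ECN, CWR = (1 << i for i in range(8))
FLAG_NAMES = {"fin": FIN, "syn": SYN, "rst": RST, "psh": PSH,
              "ack": ACK, "urg": URG, "ecn": ECN, "cwr": CWR}


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed minimal TCP header (no options, zero checksum) with FLAGS set.

    Only a test fixture: ports, seq/ack numbers and window are placeholders.
    """
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Extract the flags byte from a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def parse_flag_list(expr: str) -> int:
    """Turn an nft-style flag list such as 'syn|ack' or '(fin | psh | urg)'
    into a bitmask. Parentheses are tolerated only so the wiki's spelling
    can be pasted in; this is not nft's grammar."""
    mask = 0
    for name in expr.replace("(", "").replace(")", "").split("|"):
        mask |= FLAG_NAMES[name.strip()]
    return mask


def masked_match(flags: int, mask: int, value: int) -> bool:
    """Semantics of 'tcp flags & MASK == VALUE': compare only the masked bits."""
    return (flags & mask) == value


# The two rules from the report, as (mask, value) pairs. Rule names are made up.
RULES = {
    "syn-ack": (parse_flag_list("syn|ack"),
                parse_flag_list("syn|ack")),
    "xmas":    (parse_flag_list("fin|syn|rst|psh|ack|urg"),
                parse_flag_list("fin|psh|urg")),
}


def classify(segment: bytes) -> list:
    """Return the names of every rule whose masked comparison the segment satisfies."""
    flags = tcp_flags(segment)
    return [name for name, (mask, value) in RULES.items()
            if masked_match(flags, mask, value)]


if __name__ == "__main__":
    for label, f in [("SYN", SYN), ("SYN|ACK", SYN | ACK), ("SYN|ACK|PSH", SYN | ACK | PSH),
                     ("FIN|PSH|URG (hping3 -UPF)", FIN | PSH | URG),
                     ("FIN|PSH|URG|ACK", FIN | PSH | URG | ACK)]:
        print(f"{label:28s} -> {classify(build_tcp_header(f))}")
```

<p>Run it and the SYN/ACK/PSH segment still lands in <code>syn-ack</code> because PSH is outside that rule's mask, while adding ACK to the Xmas probe drops it out of <code>xmas</code>; when writing a real nft rule, the mask therefore decides how tolerant the match is to flags you did not list.</p>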
</body>
</html>