diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-27 17:23:34 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-27 17:35:09 +0200 |
| commit | 08c596ce6f4f912e823d65edca761c27df7cb511 (patch) | |
| tree | 5bc00f6650f2644f66740c823bf5c7f4567547e7 | |
| parent | 93c824172a975ed03c66649c3513f446a9ff07b2 (diff) | |
evaluate: disallow negation with binary operation
The negation was introduced to provide a simple shortcut. Extend
e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") to
disallow negation with binary operations too.
# nft add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) ! syn'
Error: cannot combine negation with binary expression
add rule meh tcp_flags tcp flags & (fin | syn | rst | ack) ! syn
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | src/evaluate.c | 16 | ||||
| -rw-r--r-- | tests/py/inet/tcp.t | 1 |
2 files changed, 11 insertions, 6 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 4609576b..8b5f51ce 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2016,12 +2016,16 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) /* fall through */ case OP_NEQ: case OP_NEG: - if (rel->op == OP_NEG && - (right->etype != EXPR_VALUE || - right->dtype->basetype == NULL || - right->dtype->basetype->type != TYPE_BITMASK)) - return expr_binary_error(ctx->msgs, left, right, - "negation can only be used with singleton bitmask values"); + if (rel->op == OP_NEG) { + if (left->etype == EXPR_BINOP) + return expr_binary_error(ctx->msgs, left, right, + "cannot combine negation with binary expression"); + if (right->etype != EXPR_VALUE || + right->dtype->basetype == NULL || + right->dtype->basetype->type != TYPE_BITMASK) + return expr_binary_error(ctx->msgs, left, right, + "negation can only be used with singleton bitmask values"); + } switch (right->etype) { case EXPR_RANGE: diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t index 983564ec..13b84215 100644 --- a/tests/py/inet/tcp.t +++ b/tests/py/inet/tcp.t @@ -75,6 +75,7 @@ tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | tcp flags { syn, syn | ack };ok tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok tcp flags ! fin,rst;ok +tcp flags & (fin | syn | rst | ack) ! syn;fail tcp window 22222;ok tcp window 22;ok |