author | Anatole Denis <anatole@rezel.net> | 2016-11-24 15:16:20 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-29 22:49:01 +0100 |
commit | cc7b37d18a687d53e8724b3104b042e6767a9cef (patch) | |
tree | f28e1f4934a30d1b3aff0f6aad3beebea8d85ec5 /src/evaluate.c | |
parent | 601506d95267059c707685a998416221768ae4cf (diff) |
src: Interpret OP_NEQ against a set as OP_LOOKUP
Now that the support for inverted matching is in the kernel and in libnftnl, add
it to nftables too.
This fixes bug #888
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 51d644fe..c841aafd 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1526,6 +1526,20 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 if (byteorder_conversion(ctx, &rel->right, left->byteorder) < 0)
 return -1;
 break;
+ case EXPR_SET:
+ assert(rel->op == OP_NEQ);
+ right = rel->right =
+ implicit_set_declaration(ctx, "__set%d",
+ left->dtype, left->len,
+ right);
+ /* fall through */
+ case EXPR_SET_REF:
+ assert(rel->op == OP_NEQ);
+ /* Data for range lookups needs to be in big endian order */
+ if (right->set->flags & SET_F_INTERVAL &&
+ byteorder_conversion(ctx, &rel->left, BYTEORDER_BIG_ENDIAN) < 0)
+ return -1;
+ break;
 default:
 BUG("invalid expression type %s\n", right->ops->name);
 } |
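Review bot: The two `assert(rel->op == OP_NEQ);` lines in the new `EXPR_SET` and `EXPR_SET_REF` cases are the only check that a set on the right-hand side is paired with `!=`, and an assert disappears under `NDEBUG` and aborts the process otherwise. The enclosing `case` label of the outer switch lies outside this hunk, but the need for the assert suggests this branch can be entered with another operator. If a ruleset can reach it, that is input validation and belongs in an explicit test, e.g. `if (rel->op != OP_NEQ)` followed by an error return through whatever reporting helper this function uses elsewhere (not visible here). Separately, `right->set->flags` is read with no visible NULL check on the result of `implicit_set_declaration()`; it is worth confirming that call cannot return NULL or a reference without a set.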