author | Phil Sutter <phil@nwl.cc> | 2018-03-16 00:03:19 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-16 09:58:39 +0100 |
commit | 6979625686ec8d915f5ad5fdc28f24f55b6be3f7 (patch) | |
tree | e358bb0c0335622f99c374386ba2f1d8d2dbf20d /src/expression.c | |
parent | 70b31b1ce73e704d4387b1262e8b97785ffe64f7 (diff) |
relational: Eliminate meta OPs

With a bit of code reorganization, relational meta OPs OP_RANGE,
OP_FLAGCMP and OP_LOOKUP become unused and can be removed. The only meta
OP left is OP_IMPLICIT which is usually treated as alias to OP_EQ.
Though it needs to stay in place for one reason: When matching against a
bitmask (e.g. TCP flags or conntrack states), it has a different
meaning:

| nft --debug=netlink add rule ip t c tcp flags syn
| ip t c
| [ meta load l4proto => reg 1 ]
| [ cmp eq reg 1 0x00000006 ]
| [ payload load 1b @ transport header + 13 => reg 1 ]
| [ bitwise reg 1 = (reg=1 & 0x00000002 ) ^ 0x00000000 ]
| [ cmp neq reg 1 0x00000000 ]

| nft --debug=netlink add rule ip t c tcp flags == syn
| ip t c
| [ meta load l4proto => reg 1 ]
| [ cmp eq reg 1 0x00000006 ]
| [ payload load 1b @ transport header + 13 => reg 1 ]
| [ cmp eq reg 1 0x00000002 ]

OP_IMPLICIT creates a match which just checks the given flag is present,
while OP_EQ creates a match which ensures the given flag and no other is
present.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/expression.c')
-rw-r--r-- | src/expression.c | 8 |
1 files changed, 1 insertions, 7 deletions
diff --git a/src/expression.c b/src/expression.c index d7f54ad7..5f023d2a 100644 --- a/src/expression.c +++ b/src/expression.c @@ -496,8 +496,6 @@ const char *expr_op_symbols[] = { [OP_GT] = ">", [OP_LTE] = "<=", [OP_GTE] = ">=", - [OP_RANGE] = "within range", - [OP_LOOKUP] = NULL, }; static void unary_expr_print(const struct expr *expr, struct output_ctx *octx) @@ -562,10 +560,6 @@ static void binop_arg_print(const struct expr *op, const struct expr *arg, static bool must_print_eq_op(const struct expr *expr) { - if (expr->right->dtype->basetype != NULL && - expr->right->dtype->basetype->type == TYPE_BITMASK) - return true; - return expr->left->ops->type == EXPR_BINOP; } @@ -645,7 +639,7 @@ void relational_expr_pctx_update(struct proto_ctx *ctx, const struct expr *left = expr->left; assert(expr->ops->type == EXPR_RELATIONAL); - assert(expr->op == OP_EQ); + assert(expr->op == OP_EQ || expr->op == OP_IMPLICIT); if (left->ops->pctx_update && (left->flags & EXPR_F_PROTOCOL)) |
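
Review bot: In the first hunk (expr_op_symbols[]), removing the [OP_RANGE] and [OP_LOOKUP] designators leaves [OP_GTE] as the last visible entry, and because the array is sized by its initializers it becomes shorter. This diff is limited to src/expression.c, so please confirm that the matching enum values are removed in the same commit and that no remaining op value larger than OP_GTE can be used to index expr_op_symbols, which would read past the end of the array.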
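
Review bot: In must_print_eq_op() (second hunk), the removed TYPE_BITMASK check was the only condition in this function that forced "==" to be printed for a bitmask-typed right-hand side, yet the commit message says OP_IMPLICIT and OP_EQ generate different matches in exactly that case (`tcp flags syn` versus `tcp flags == syn`). If the caller still omits "==" whenever this returns false, an OP_EQ rule on TCP flags or conntrack states would be listed without the operator and would reload as the looser "flag is present" match. The caller is not part of this hunk, so either keep the bitmask condition or point to where the listing path now tells the two apart; a test that adds `tcp flags == syn`, lists the ruleset and checks that "==" survives would pin this down.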
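
Review bot: The relaxed assertion in relational_expr_pctx_update() (third hunk) now admits OP_IMPLICIT without saying why that is safe, although the commit message notes that OP_IMPLICIT is not an equality test when the right-hand side is a bitmask. Please add a short comment above `assert(expr->op == OP_EQ || expr->op == OP_IMPLICIT);` stating why OP_IMPLICIT can be treated like OP_EQ for the protocol context update, for example that the `left->flags & EXPR_F_PROTOCOL` check that follows limits the update to protocol key expressions, if that is the intent. Note also that this constraint is enforced only by assert(), so it disappears in builds with NDEBUG defined.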