author | Anatole Denis <anatole@rezel.net> | 2016-11-24 15:16:20 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-29 22:49:01 +0100 |
commit | cc7b37d18a687d53e8724b3104b042e6767a9cef (patch) | |
tree | f28e1f4934a30d1b3aff0f6aad3beebea8d85ec5 /src/netlink_linearize.c | |
parent | 601506d95267059c707685a998416221768ae4cf (diff) |
src: Interpret OP_NEQ against a set as OP_LOOKUP
Now that the support for inverted matching is in the kernel and in libnftnl, add
it to nftables too.
This fixes bug #888
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_linearize.c')
-rw-r--r-- | src/netlink_linearize.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 2945392b..6bc0bee8 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -278,6 +278,8 @@ static void netlink_gen_lookup(struct netlink_linearize_ctx *ctx,
 expr->right->set->handle.set);
 nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_SET_ID,
 expr->right->set->handle.set_id);
+ if (expr->op == OP_NEQ)
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS, NFT_LOOKUP_F_INV);
 release_register(ctx, expr->left);
 nftnl_rule_add_expr(ctx->nlr, nle);
@@ -346,13 +348,14 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
 assert(dreg == NFT_REG_VERDICT);
- if (expr->right->ops->type == EXPR_RANGE)
- return netlink_gen_range(ctx, expr, dreg);
-
- sreg = get_register(ctx, expr->left);
-
 switch (expr->right->ops->type) {
+ case EXPR_RANGE:
+ return netlink_gen_range(ctx, expr, dreg);
+ case EXPR_SET:
+ case EXPR_SET_REF:
+ return netlink_gen_lookup(ctx, expr, dreg);
 case EXPR_PREFIX:
+ sreg = get_register(ctx, expr->left);
 if (expr->left->dtype->type != TYPE_STRING) {
 len = div_round_up(expr->right->len, BITS_PER_BYTE);
 netlink_gen_expr(ctx, expr->left, sreg);
@@ -365,6 +368,7 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
 }
 break;
 default:
+ sreg = get_register(ctx, expr->left);
 len = div_round_up(expr->right->len, BITS_PER_BYTE);
 right = expr->right;
 netlink_gen_expr(ctx, expr->left, sreg);
 |
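Review bot: The negation added at `if (expr->op == OP_NEQ)` in netlink_gen_lookup depends entirely on the kernel honouring `NFTNL_EXPR_LOOKUP_FLAGS`, and nothing in the new lines records that dependency. If a kernel that predates inverted lookups accepts the expression while ignoring the unknown attribute (not verifiable from this hunk), a `!= @set` rule would be loaded as a positive match, which for a filtering rule is the opposite policy. I would add a comment above the branch, for example `/* NFT_LOOKUP_F_INV requires kernel support for inverted lookups; if the flag is ignored the match is not negated */`, and state the minimum kernel in the user documentation. The function body starts before and ends after the hunk.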
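Review bot: The new `case EXPR_SET:` / `case EXPR_SET_REF:` arm in netlink_gen_cmp passes every relational operator to netlink_gen_lookup, which negates only for `OP_NEQ`, so any other operator reaching this arm would be emitted as a plain membership test. Evaluation may already reject such expressions before linearization, but that is not visible here; placing `assert(expr->op == OP_EQ || expr->op == OP_NEQ);` before `return netlink_gen_lookup(ctx, expr, dreg);` would make the assumption explicit instead of silently generating a rule with the wrong sense. This hunk and the one at -365 also move `sreg = get_register(ctx, expr->left);` into the `EXPR_PREFIX` and `default` arms, so a one-line comment above the switch noting that each arm acquires its own register would help the next person who adds a case. netlink_gen_cmp starts before and continues past the hunk.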