author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-29 19:40:02 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-29 23:40:58 +0200 |
commit | 7c9bef0c03120dd8febd33e213ef2cf5626f9262 (patch) | |
tree | bef1bff74c2da2ceaac745a605566c9adbda67ec /src | |
parent | 6ea8974ff7fb822af1d9d2049c3fb2c167767a8f (diff) |
netlink_delinearize: transform binary operation to prefix only with values

The following rule:

    nft add rule inet filter input ip6 saddr and ffff:ffff:ffff:ffff:: @allowable counter

when listing the ruleset becomes:

    ip6 saddr @allowable/64 counter packets 3 bytes 212

This transformation is unparseable, allow prefix transformation only for
values.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/netlink_delinearize.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index d0438f44..9e3ed53d 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -2102,7 +2102,7 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *e expr_free(binop); } else if (binop->left->dtype->flags & DTYPE_F_PREFIX && - binop->op == OP_AND && + binop->op == OP_AND && expr->right->etype == EXPR_VALUE && expr_mask_is_prefix(binop->right)) { expr->left = expr_get(binop->left); expr->right = prefix_expr_alloc(&expr->location, |
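Review bot: The new `expr->right->etype == EXPR_VALUE` test in the `else if` of relational_binop_postprocess() inspects the relational's right-hand side, while the neighbouring conditions inspect `binop->left` and `binop->right`, and nothing in the hunk says why the two operands are treated differently. A short comment above the branch would help, noting that the mask can only be folded into a prefix when the compared operand is a plain value, since a set reference such as `@allowable` cannot take a `/64` suffix in the grammar. The check is also appended to the `binop->op == OP_AND &&` line; putting it on its own line would keep the one-condition-per-line layout of the rest of the expression. A listing test that round-trips the rule from the commit message (`ip6 saddr and ffff:ffff:ffff:ffff:: @allowable`) would pin the behaviour so the unparseable output does not return.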