From cc7b37d18a687d53e8724b3104b042e6767a9cef Mon Sep 17 00:00:00 2001
From: Anatole Denis
Date: Thu, 24 Nov 2016 15:16:20 +0100
Subject: src: Interpret OP_NEQ against a set as OP_LOOKUP
Now that the support for inverted matching is in the kernel and in libnftnl, add it to nftables too. This fixes bug #888
Signed-off-by: Anatole Denis
Signed-off-by: Pablo Neira Ayuso
---
 src/netlink_delinearize.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'src/netlink_delinearize.c')
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 0ebe3683..cb0f6ac7 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -292,6 +292,7 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
 const char *name;
 struct expr *expr, *left, *right;
 struct set *set;
+ uint32_t flag;
 name = nftnl_expr_get_str(nle, NFTNL_EXPR_LOOKUP_SET);
 set = set_lookup(ctx->table, name);
@@ -323,6 +324,12 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
 expr = relational_expr_alloc(loc, OP_LOOKUP, left, right);
 }
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOOKUP_FLAGS)) {
+ flag = nftnl_expr_get_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS);
+ if (flag & NFT_LOOKUP_F_INV)
+ expr->op = OP_NEQ;
+ }
+
 ctx->stmt = expr_stmt_alloc(loc, expr);
 }
@@ -1316,6 +1323,9 @@ static void ct_meta_common_postprocess(const struct expr *expr)
 struct expr *right = expr->right;
 switch (expr->op) {
+ case OP_NEQ:
+ if (right->ops->type != EXPR_SET && right->ops->type != EXPR_SET_REF)
+ break;
 case OP_LOOKUP:
 expr_set_type(right, left->dtype, left->byteorder);
 if (right->dtype == &integer_type)
--
cgit v1.2.3
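Review bot: In the second hunk the new flag check sits after the closing brace of the block that builds the relational expression, so `expr->op = OP_NEQ` is applied to whatever `expr` the earlier part of netlink_parse_lookup produced, not only to the `OP_LOOKUP` relational allocated just above. If a branch outside this hunk assigns a different expression kind to `expr`, an inverted lookup would be recorded in an `op` field that kind may not use; a guard such as `if (expr->ops->type == EXPR_RELATIONAL && (flag & NFT_LOOKUP_F_INV))`, or moving the check into the relational branch, would make the intent explicit. Because this path produces the ruleset listing that operators audit against what the kernel enforces, a short comment stating that any other NFTNL_EXPR_LOOKUP_FLAGS bits are deliberately ignored would also help. The function starts outside the hunk, so the other branch is not visible here.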
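Review bot: In the third hunk the added `case OP_NEQ:` falls through into `case OP_LOOKUP:` with no marker, and the unbraced `if` followed by `break;` is easy to misread as an unconditional break. I would add `/* fall through */` immediately before `case OP_LOOKUP:` and a one-line comment above the test, for example `/* only (in)equality against a set is handled like a lookup */`. If the switch has a `default` arm outside this hunk, the `break` now skips it for OP_NEQ against non-set operands, which is worth confirming. The switch body continues past the end of the hunk.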