From cc7b37d18a687d53e8724b3104b042e6767a9cef Mon Sep 17 00:00:00 2001
From: Anatole Denis
Date: Thu, 24 Nov 2016 15:16:20 +0100
Subject: src: Interpret OP_NEQ against a set as OP_LOOKUP

Now that the support for inverted matching is in the kernel and in libnftnl, add it to nftables too.

This fixes bug #888

Signed-off-by: Anatole Denis
Signed-off-by: Pablo Neira Ayuso
---
 src/netlink_linearize.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

(limited to 'src/netlink_linearize.c')

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 2945392b..6bc0bee8 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -278,6 +278,8 @@ static void netlink_gen_lookup(struct netlink_linearize_ctx *ctx,
 expr->right->set->handle.set);
 nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_SET_ID,
 expr->right->set->handle.set_id);
+if (expr->op == OP_NEQ)
+nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS, NFT_LOOKUP_F_INV);
 
 release_register(ctx, expr->left);
 nftnl_rule_add_expr(ctx->nlr, nle);
@@ -346,13 +348,14 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
 
 assert(dreg == NFT_REG_VERDICT);
 
-if (expr->right->ops->type == EXPR_RANGE)
-return netlink_gen_range(ctx, expr, dreg);
-
-sreg = get_register(ctx, expr->left);
-
 switch (expr->right->ops->type) {
+case EXPR_RANGE:
+return netlink_gen_range(ctx, expr, dreg);
+case EXPR_SET:
+case EXPR_SET_REF:
+return netlink_gen_lookup(ctx, expr, dreg);
 case EXPR_PREFIX:
+sreg = get_register(ctx, expr->left);
 if (expr->left->dtype->type != TYPE_STRING) {
 len = div_round_up(expr->right->len, BITS_PER_BYTE);
 netlink_gen_expr(ctx, expr->left, sreg);
@@ -365,6 +368,7 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
 }
 break;
 default:
+sreg = get_register(ctx, expr->left);
 len = div_round_up(expr->right->len, BITS_PER_BYTE);
 right = expr->right;
 netlink_gen_expr(ctx, expr->left, sreg);
-- 
cgit v1.2.3
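Review bot: The new branch in netlink_gen_lookup sets NFT_LOOKUP_F_INV only for OP_NEQ and emits a plain, non-inverted lookup for every other op, so an unexpected op reaching this function would silently turn an intended exclusion into an inclusion instead of failing; an `assert(expr->op == OP_LOOKUP || expr->op == OP_NEQ);` ahead of the flag, or at least a comment naming the accepted ops, would pin that contract. A comment such as `/* OP_NEQ against a set is an inverted lookup: match when the key is absent */` above the new `if` would also make the intent clear to readers of the generated expression. Since the commit message says inverted matching is new in the kernel and libnftnl, a rule carrying this flag is presumably rejected outright on an older kernel rather than degraded — worth confirming the netlink error path surfaces that, because a `!=` set match that quietly loses its inversion is a filtering bypass. netlink_gen_lookup begins before the hunk.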
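Review bot: `sreg = get_register(ctx, expr->left);` is now repeated in the EXPR_PREFIX case here and in the default case of the third hunk, and nothing says why it moved into the individual arms; a comment on the switch such as `/* range and set lookups allocate their own registers; only the compare paths below need sreg */` would explain the asymmetry and stop a future arm from forgetting the acquire/release pairing. The new EXPR_SET and EXPR_SET_REF arms hand the expression to netlink_gen_lookup, which in the first hunk dereferences `expr->right->set->handle` unconditionally; if a bare EXPR_SET literal can reach linearization with its `set` field unset, that is a NULL dereference, so it is worth confirming that evaluation always rewrites set literals to a set reference first, or guarding the new arm with `assert(expr->right->set != NULL);`. netlink_gen_cmp starts before this hunk and its switch continues past the third one.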