From b11b6c68e61ea294eb4c313705ccfe3e7b0eda87 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 18 Mar 2024 13:10:55 +0100
Subject: netlink_delinearize: restore binop syntax when listing ruleset for flags
c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations") provides a similar syntax to iptables using a prefix representation for flag matching. Restore original representation using binop when listing the ruleset. The parser still accepts the prefix notation for backward compatibility.
Signed-off-by: Pablo Neira Ayuso
---
 tests/shell/testcases/nft-f/dumps/sample-ruleset.nft | 4 ++--
 tests/shell/testcases/packetpath/tcp_options | 16 ++++++++--------
 2 files changed, 10 insertions(+), 10 deletions(-)
(limited to 'tests/shell/testcases')
diff --git a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
index 480b694a..1a9f4e7a 100644
--- a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
+++ b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
@@ -73,7 +73,7 @@ table inet filter {
 chain ct_new_pre {
 jump rpfilter
- tcp flags != syn / fin,syn,rst,ack counter packets 0 bytes 0 drop
+ tcp flags & (fin | syn | rst | ack) != syn counter packets 0 bytes 0 drop
 iifname "eth0" meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 }
 }
@@ -131,7 +131,7 @@ table inet filter {
 type filter hook forward priority mangle; policy accept;
 oifname "eth0" jump {
 ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
- tcp flags syn / syn,rst tcp option maxseg size set rt mtu
+ tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu
 }
 }
diff --git a/tests/shell/testcases/packetpath/tcp_options b/tests/shell/testcases/packetpath/tcp_options
index 1c9ee532..88552226 100755
--- a/tests/shell/testcases/packetpath/tcp_options
+++ b/tests/shell/testcases/packetpath/tcp_options
@@ -15,14 +15,14 @@ table inet t {
 chain c {
 type filter hook output priority 0;
 tcp dport != 22345 accept
- tcp flags syn / fin,syn,rst,ack tcp option 254 length ge 4 counter name nomatchc drop
- tcp flags syn / fin,syn,rst,ack tcp option fastopen length ge 2 reset tcp option fastopen counter name nomatchc
- tcp flags syn / fin,syn,rst,ack tcp option sack-perm missing counter name nomatchc
- tcp flags syn / fin,syn,rst,ack tcp option sack-perm exists counter name sackpermc
- tcp flags syn / fin,syn,rst,ack tcp option maxseg size gt 1400 counter name maxsegc
- tcp flags syn / fin,syn,rst,ack tcp option nop missing counter name nomatchc
- tcp flags syn / fin,syn,rst,ack tcp option nop exists counter name nopc
- tcp flags syn / fin,syn,rst,ack drop
+ tcp flags & (fin | syn | rst | ack ) == syn tcp option 254 length ge 4 counter name nomatchc drop
+ tcp flags & (fin | syn | rst | ack ) == syn tcp option fastopen length ge 2 reset tcp option fastopen counter name nomatchc
+ tcp flags & (fin | syn | rst | ack ) == syn tcp option sack-perm missing counter name nomatchc
+ tcp flags & (fin | syn | rst | ack) == syn tcp option sack-perm exists counter name sackpermc
+ tcp flags & (fin | syn | rst | ack) == syn tcp option maxseg size gt 1400 counter name maxsegc
+ tcp flags & (fin | syn | rst | ack) == syn tcp option nop missing counter name nomatchc
+ tcp flags & (fin | syn | rst | ack) == syn tcp option nop exists counter name nopc
+ tcp flags & (fin | syn | rst | ack) == syn drop
 }
 }
 EOF
--
cgit v1.2.3
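Review bot: The eight added rules are spaced inconsistently: the first three write `(fin | syn | rst | ack )` with a space before the closing parenthesis, the remaining five write `(fin | syn | rst | ack)`, which is also the form used in the sample-ruleset.nft dump in this same patch. Both presumably parse, but since this heredoc is hand-written input rather than listing output, the three should read `tcp flags & (fin | syn | rst | ack) == syn ...` so the file has one form. The commit message says the prefix notation is still accepted for backward compatibility, yet after this change no rule in this hunk exercises it any more; if no other case under tests/shell covers the old `syn / fin,syn,rst,ack` input form (not visible from this patch), keeping one rule in that form here would preserve parser coverage for the compatibility path. The heredoc and the `nft -f` invocation it feeds begin before this hunk.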