author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-27 17:23:34 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-27 17:35:09 +0200 |
commit | 08c596ce6f4f912e823d65edca761c27df7cb511 (patch) | |
tree | 5bc00f6650f2644f66740c823bf5c7f4567547e7 /src/evaluate.c | |
parent | 93c824172a975ed03c66649c3513f446a9ff07b2 (diff) |
evaluate: disallow negation with binary operation
The negation was introduced to provide a simple shortcut. Extend
e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") to
disallow negation with binary operations too.
# nft add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) ! syn'
Error: cannot combine negation with binary expression
add rule meh tcp_flags tcp flags & (fin | syn | rst | ack) ! syn
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 4609576b..8b5f51ce 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2016,12 +2016,16 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 /* fall through */
 case OP_NEQ:
 case OP_NEG:
- if (rel->op == OP_NEG &&
- (right->etype != EXPR_VALUE ||
- right->dtype->basetype == NULL ||
- right->dtype->basetype->type != TYPE_BITMASK))
- return expr_binary_error(ctx->msgs, left, right,
- "negation can only be used with singleton bitmask values");
+ if (rel->op == OP_NEG) {
+ if (left->etype == EXPR_BINOP)
+ return expr_binary_error(ctx->msgs, left, right,
+ "cannot combine negation with binary expression");
+ if (right->etype != EXPR_VALUE ||
+ right->dtype->basetype == NULL ||
+ right->dtype->basetype->type != TYPE_BITMASK)
+ return expr_binary_error(ctx->msgs, left, right,
+ "negation can only be used with singleton bitmask values");
+ }
 switch (right->etype) {
 case EXPR_RANGE: |
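Review bot: The new `OP_NEG` block rejects two shapes of input without saying why either is invalid, and the reason is not recoverable from the two error strings alone; a short comment above `if (rel->op == OP_NEG) {` would save the next reader a trip through the commit history, e.g. `/* OP_NEG is a shortcut that only makes sense against a single bitmask flag; a masked (binop) left-hand side would need a different expansion, so reject it here. */` (the exact expansion is not visible in this hunk, so phrase it accordingly). Note that the new `left->etype == EXPR_BINOP` test is checked before the right-hand-side test, so for a masked left side with a non-bitmask right side the user only ever sees the "cannot combine" message — probably intended, but worth a one-line comment so the ordering is not reshuffled later. The right-hand checks still dereference `right->dtype` without a NULL test, as the removed lines did; if `EXPR_VALUE` guarantees a non-NULL `dtype` that is fine, otherwise `right->dtype == NULL ||` belongs in the condition. expr_evaluate_relational begins and ends outside this hunk.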