| | Name / id | Date |
|---|---|---|
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-02-01 22:21:41 +0100 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-02-05 13:38:20 +0100 |
| commit | e6c32b2fa0b820bc81cbb99e8ed601eabbbfac69 (patch) | |
| tree | 47e56d582bde34804b3913716a6c7745faa3c582 /src/evaluate.c | |
| parent | 0c189656148d834b17aa9d98b0b11018bc9d2465 (diff) | |
src: add negation match on singleton bitmask value
This patch provides a shortcut for:

    ct status and dnat == 0

which allows checking for the packet whose dnat bit is unset:

    # nft add rule x y ct status ! dnat counter

This operation is only available for expressions with a bitmask basetype, e.g.

    # nft describe ct status
    ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | src/evaluate.c | 8 |

1 files changed, 8 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index ccee7e21..030bbde4 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1958,6 +1958,14 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) /* fall through */ case OP_NEQ: + case OP_NEG: + if (rel->op == OP_NEG && + (right->etype != EXPR_VALUE || + right->dtype->basetype == NULL || + right->dtype->basetype->type != TYPE_BITMASK)) + return expr_binary_error(ctx->msgs, left, right, + "negation can only be used with singleton bitmask values"); + switch (right->etype) { case EXPR_RANGE: if (byteorder_conversion(ctx, &rel->left, BYTEORDER_BIG_ENDIAN) < 0) |
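Review bot: the guard at the top of the new `case OP_NEG:` only verifies that the right operand is an `EXPR_VALUE` whose datatype has a `TYPE_BITMASK` basetype; nothing checks that exactly one bit is set, so the error text "negation can only be used with singleton bitmask values" promises a stricter rule than the condition enforces, and a multi-bit constant of bitmask basetype passes the check. Either extend the condition with a popcount test on the constant (for example `mpz_popcount(right->value) != 1` next to the basetype checks) or reword the message to say "bitmask values". The `rel->op == OP_NEG` test inside the shared label is needed because `OP_NEQ` falls through into it; a one-line comment above the `if` stating that would save the next reader from wondering why the op is re-checked.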