author | Anatole Denis <anatole@rezel.net> | 2016-11-24 15:16:20 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-29 22:49:01 +0100 |
commit | cc7b37d18a687d53e8724b3104b042e6767a9cef (patch) | |
tree | f28e1f4934a30d1b3aff0f6aad3beebea8d85ec5 /src/netlink_delinearize.c | |
parent | 601506d95267059c707685a998416221768ae4cf (diff) |
src: Interpret OP_NEQ against a set as OP_LOOKUP
Now that the support for inverted matching is in the kernel and in libnftnl, add
it to nftables too.
This fixes bug #888
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_delinearize.c')
-rw-r--r-- | src/netlink_delinearize.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 0ebe3683..cb0f6ac7 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -292,6 +292,7 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
 const char *name;
 struct expr *expr, *left, *right;
 struct set *set;
+ uint32_t flag;
 name = nftnl_expr_get_str(nle, NFTNL_EXPR_LOOKUP_SET);
 set = set_lookup(ctx->table, name);
@@ -323,6 +324,12 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
 expr = relational_expr_alloc(loc, OP_LOOKUP, left, right);
 }
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOOKUP_FLAGS)) {
+ flag = nftnl_expr_get_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS);
+ if (flag & NFT_LOOKUP_F_INV)
+ expr->op = OP_NEQ;
+ }
+
 ctx->stmt = expr_stmt_alloc(loc, expr);
 }
@@ -1316,6 +1323,9 @@ static void ct_meta_common_postprocess(const struct expr *expr)
 struct expr *right = expr->right;
 switch (expr->op) {
+ case OP_NEQ:
+ if (right->ops->type != EXPR_SET && right->ops->type != EXPR_SET_REF)
+ break;
 case OP_LOOKUP:
 expr_set_type(right, left->dtype, left->byteorder);
 if (right->dtype == &integer_type) |
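Review bot: In the second hunk of netlink_parse_lookup, `expr->op = OP_NEQ` is written after the if/else has closed, so it applies to whatever `expr` was allocated and not only to the `relational_expr_alloc(loc, OP_LOOKUP, left, right)` result visible here. The other branch starts outside the hunk; if it can leave a non-relational expression in `expr`, the override should move inside the branch that builds the relational expression. Separately, any bit in `flag` other than `NFT_LOOKUP_F_INV` is ignored without a diagnostic, so a listed ruleset could show a plain lookup for a rule the kernel evaluates differently. Rejecting unknown bits, e.g. `if (flag & ~NFT_LOOKUP_F_INV)` followed by an error return, would keep the listing from misrepresenting a rule it cannot fully decode.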
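Review bot: In the ct_meta_common_postprocess hunk, the new `case OP_NEQ:` falls into `case OP_LOOKUP:` without any marker, and the unbraced `if` with `break` directly above the next label makes the intent easy to misread. A `/* fall through */` comment before `case OP_LOOKUP:` and braces around the `break` would make it clear that only set and set-reference right-hand sides reach the type propagation. A one-line comment such as `/* OP_NEQ against a set is an inverted lookup */` above the check would also explain why the two operators share a body. The switch continues past the end of the hunk, so the remaining cases are not visible here.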