From 6979625686ec8d915f5ad5fdc28f24f55b6be3f7 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 16 Mar 2018 00:03:19 +0100
Subject: relational: Eliminate meta OPs

With a bit of code reorganization, relational meta OPs OP_RANGE, OP_FLAGCMP and OP_LOOKUP become unused and can be removed. The only meta OP left is OP_IMPLICIT which is usually treated as alias to OP_EQ. Though it needs to stay in place for one reason: When matching against a bitmask (e.g. TCP flags or conntrack states), it has a different meaning:
| nft --debug=netlink add rule ip t c tcp flags syn
| ip t c
| [ meta load l4proto => reg 1 ]
| [ cmp eq reg 1 0x00000006 ]
| [ payload load 1b @ transport header + 13 => reg 1 ]
| [ bitwise reg 1 = (reg=1 & 0x00000002 ) ^ 0x00000000 ]
| [ cmp neq reg 1 0x00000000 ]
| nft --debug=netlink add rule ip t c tcp flags == syn
| ip t c
| [ meta load l4proto => reg 1 ]
| [ cmp eq reg 1 0x00000006 ]
| [ payload load 1b @ transport header + 13 => reg 1 ]
| [ cmp eq reg 1 0x00000002 ]
OP_IMPLICIT creates a match which just checks the given flag is present, while OP_EQ creates a match which ensures the given flag and no other is present.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
 include/expression.h | 6 ------
 1 file changed, 6 deletions(-)
(limited to 'include/expression.h')
diff --git a/include/expression.h b/include/expression.h
index 29dd0346..f0ba6fc1 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -85,12 +85,6 @@ enum ops {
 OP_GT,
 OP_LTE,
 OP_GTE,
- /* Range comparison */
- OP_RANGE,
- /* Flag comparison */
- OP_FLAGCMP,
- /* Set lookup */
- OP_LOOKUP,
 __OP_MAX
 };
 #define OP_MAX (__OP_MAX - 1)
-- cgit v1.2.3