From 7c9bef0c03120dd8febd33e213ef2cf5626f9262 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 29 Jul 2020 19:40:02 +0200 Subject: netlink_delinearize: transform binary operation to prefix only with values The following rule: nft add rule inet filter input ip6 saddr and ffff:ffff:ffff:ffff:: @allowable counter when listing the ruleset becomes: ip6 saddr @allowable/64 counter packets 3 bytes 212 This transformation is unparseable, allow prefix transformation only for values. Signed-off-by: Pablo Neira Ayuso --- src/netlink_delinearize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/netlink_delinearize.c')
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index d0438f44..9e3ed53d 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2102,7 +2102,7 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *e
 expr_free(binop);
 } else if (binop->left->dtype->flags & DTYPE_F_PREFIX &&
- binop->op == OP_AND &&
+ binop->op == OP_AND && expr->right->etype == EXPR_VALUE &&
 expr_mask_is_prefix(binop->right)) {
 expr->left = expr_get(binop->left);
 expr->right = prefix_expr_alloc(&expr->location,
-- cgit v1.2.3
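Review bot: The new `expr->right->etype == EXPR_VALUE` test in the `else if` condition carries no comment explaining why the prefix rewrite is limited to values, and it sits between two checks on `binop`, so a later cleanup could easily drop it. A short comment above the branch would keep the reason next to the code, for example `/* Only a plain value can be printed as addr/len; a set reference would list as @set/64, which the parser rejects. */`. The diffstat shows only src/netlink_delinearize.c changed, so no regression test comes with the fix; a list-then-reload case for the rule quoted in the commit message would guard the round trip, since a listing that cannot be parsed back can make a saved firewall ruleset fail to restore. The body of relational_binop_postprocess starts and ends outside this hunk, so how non-value right-hand sides are handled after this branch is skipped cannot be confirmed from here.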