nftables: do mot merge payloads on negation

else, a rule like
  tcp sport != 22 tcp dport != 23

will match even if the destination is 23 as long as sport is != 22.
(or vice versa).

Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/rule.c b/src/rule.c
index 9e418d8c2f2f662ef4c25e2d3c50f2188e249d9b..45289cc01dce8be6af849d2d844f0551eda99e40 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -2766,7 +2766,6 @@ static void stmt_reduce(const struct rule *rule)
                        switch (stmt->expr->op) {
                        case OP_EQ:
                        case OP_IMPLICIT:
-                       case OP_NEQ:
                                break;
                        default:
                                continue;