]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f92636d)
evaluate: allow == and != in the new shortcut syntax to match for flags
authorPablo Neira Ayuso <pablo@netfilter.org>
Mon, 24 May 2021 19:54:36 +0000 (21:54 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 24 May 2021 20:16:13 +0000 (22:16 +0200)
The flags / mask syntax only allows for ==, !=  and the implicit
operation (which is == in this case).

 # nft add rule x y tcp flags ! syn / syn,ack
 Error: either == or != is allowed
 add rule x y tcp flags ! syn / syn,ack
              ^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c patch | blob | blame | history

diff --git a/src/evaluate.c b/src/evaluate.c
index 006b04affbd76caa79767652cf9394a637112a7e..384e2fa786e065d796d32ad195d4aca5c53a942b 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2139,6 +2139,10 @@ static int expr_evaluate_flagcmp(struct eval_ctx *ctx, struct expr **exprp)
 {
        struct expr *expr = *exprp, *binop, *rel;
 
+       if (expr->op != OP_EQ &&
+           expr->op != OP_NEQ)
+               return expr_error(ctx->msgs, expr, "either == or != is allowed");
+
        binop = binop_expr_alloc(&expr->location, OP_AND,
                                 expr_get(expr->flagcmp.expr),
                                 expr_get(expr->flagcmp.mask));
Mirror of git://git.netfilter.org/nftables