netlink_delinearize: skip flags / mask notation for singleton bitmask again

!= operation should also be covered too.

Fixes: 347a4aa16e64 ("netlink_delinearize: skip flags / mask notation for singleton bitmask")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 49870eeadd576436187c769b5736222e869a1b1a..5b545701e8b70bfa679c6c1a9715fbed08de44ea 100644 (file)
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2287,10 +2287,10 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx,
                                expr_free(binop);
                        } else if (binop->right->etype == EXPR_VALUE &&
                                   value->etype == EXPR_VALUE &&
-                                  expr->op == OP_EQ &&
                                   !mpz_cmp(value->value, binop->right->value)) {
                                /* Skip flag / flag representation for:
                                 * data & flag == flag
+                                * data & flag != flag
                                 */
                                ;
                        } else {

diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index afa70d85d6b4efb369ec9df2b02b32a5557d530f..aa07c3ba8ca777c651e5611344e92bf4f010685b 100644 (file)
--- a/tests/py/inet/tcp.t
+++ b/tests/py/inet/tcp.t
@@ -75,6 +75,7 @@ tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack
 tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack
 # it should be possible to transform this to: tcp flags syn
 tcp flags & syn == syn;ok
+tcp flags & syn != syn;ok
 tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack
 tcp flags & (fin | syn | rst | ack) == syn;ok;tcp flags syn / fin,syn,rst,ack
 tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack

diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
index 615bc68f881f91922da9a92a7ef1d5e5e1e22502..8439c2b5931dd70f0a84f02b892141b6e332d0d1 100644 (file)
--- a/tests/py/inet/tcp.t.json
+++ b/tests/py/inet/tcp.t.json
@@ -1612,6 +1612,27 @@
     }
 ]
 
+# tcp flags & syn != syn
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    "syn"
+                ]
+            },
+            "op": "!=",
+            "right": "syn"
+        }
+    }
+]
+
 # tcp flags & (fin | syn | rst | ack) syn
 [
     {

diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload
index 8aeeaee39aea96c9c7e675e34c0c8cda77a595f9..1cfe500bff1ae5f3fd6223f6d2bd0f2556f2d5e1 100644 (file)
--- a/tests/py/inet/tcp.t.payload
+++ b/tests/py/inet/tcp.t.payload
@@ -410,6 +410,14 @@ inet test-inet input
   [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x00000002 ]
 
+# tcp flags & syn != syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000002 ]
+
 # tcp flags & (fin | syn | rst | ack) syn
 inet test-inet input
   [ meta load l4proto => reg 1 ]