git.ipfire.org Git - thirdparty/nftables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Thu, 15 Mar 2018 23:03:19 +0000 (00:03 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 16 Mar 2018 08:58:39 +0000 (09:58 +0100)
commit	6979625686ec8d915f5ad5fdc28f24f55b6be3f7
tree	e358bb0c0335622f99c374386ba2f1d8d2dbf20d	tree
parent	70b31b1ce73e704d4387b1262e8b97785ffe64f7	commit \| diff

relational: Eliminate meta OPs

With a bit of code reorganization, relational meta OPs OP_RANGE,
OP_FLAGCMP and OP_LOOKUP become unused and can be removed. The only meta
OP left is OP_IMPLICIT which is usually treated as alias to OP_EQ.
Though it needs to stay in place for one reason: When matching against a
bitmask (e.g. TCP flags or conntrack states), it has a different
meaning:

| nft --debug=netlink add rule ip t c tcp flags syn
| ip t c
|   [ meta load l4proto => reg 1 ]
|   [ cmp eq reg 1 0x00000006 ]
|   [ payload load 1b @ transport header + 13 => reg 1 ]
|   [ bitwise reg 1 = (reg=1 & 0x00000002 ) ^ 0x00000000 ]
|   [ cmp neq reg 1 0x00000000 ]

| nft --debug=netlink add rule ip t c tcp flags == syn
| ip t c
|   [ meta load l4proto => reg 1 ]
|   [ cmp eq reg 1 0x00000006 ]
|   [ payload load 1b @ transport header + 13 => reg 1 ]
|   [ cmp eq reg 1 0x00000002 ]

OP_IMPLICIT creates a match which just checks the given flag is present,
while OP_EQ creates a match which ensures the given flag and no other is
present.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/expression.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/expression.c		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history
src/netlink_linearize.c		diff \| blob \| blame \| history
src/parser_bison.y		diff \| blob \| blame \| history
src/rule.c		diff \| blob \| blame \| history