Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> wrote:
> - if (set->ops->lookup(set, ®s->data[priv->sreg], &ext)) { > + if (set->ops->lookup(set, ®s->data[priv->sreg], &ext) ^ > + priv->invert) { > if (set->flags & NFT_SET_MAP) > nft_data_copy(®s->data[priv->dreg], > nft_set_ext_data(ext), set->dlen);

What's the plan for SET_MAP here? You enter 'lookup found a result' branch here in case we did not find anything and invert is set. I think it's better to use a } else if (priv->invert) { return; } here.

> @@ -47,6 +49,7 @@ static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = { > [NFTA_LOOKUP_SET_ID] = { .type = NLA_U32 }, > [NFTA_LOOKUP_SREG] = { .type = NLA_U32 }, > [NFTA_LOOKUP_DREG] = { .type = NLA_U32 }, > + [NFTA_LOOKUP_FLAGS] = { .type = NLA_U32 }, > }; > > static int nft_lookup_init(const struct nft_ctx *ctx, > @@ -55,6 +58,7 @@ static int nft_lookup_init(const struct nft_ctx *ctx, > { > struct nft_lookup *priv = nft_expr_priv(expr); > struct nft_set *set; > + u32 flags; > int err; > > if (tb[NFTA_LOOKUP_SET] == NULL || > @@ -91,6 +95,12 @@ static int nft_lookup_init(const struct nft_ctx *ctx, > } else if (set->flags & NFT_SET_MAP) > return -EINVAL; > > + if (tb[NFTA_LOOKUP_FLAGS]) { > + flags = ntohl(nla_get_be32(tb[NFTA_LOOKUP_FLAGS])); > + if (flags & NFT_LOOKUP_F_INV) > + priv->invert = true; > + } > +

I think we should EINVAL if NFT_LOOKUP_F_INV is given with dreg/map.
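
Review bot: In the lookup hunk, the condition set->ops->lookup(...) ^ priv->invert is also true when the lookup missed and invert is set, yet the branch body still runs the NFT_SET_MAP copy from nft_set_ext_data(ext), and nothing in the visible lines shows that a failed lookup fills in ext. Keep the data copy on the real-match path only, for example by testing the lookup result on its own and handling the inverted miss in a separate branch, so that ext is never read unless lookup returned true.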
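
Review bot: In the last nft_lookup_init hunk, only NFT_LOOKUP_F_INV is tested and every other bit in NFTA_LOOKUP_FLAGS is accepted silently, so userspace cannot tell whether a flag it passed was understood. Reject unknown bits before setting priv->invert, e.g. if (flags & ~NFT_LOOKUP_F_INV) return -EINVAL;. Because the new block sits after the existing else if (set->flags & NFT_SET_MAP) return -EINVAL; check, it is also the natural place to return -EINVAL when the invert flag arrives together with a map set or NFTA_LOOKUP_DREG.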