On Wed, Jun 01, 2016 at 05:23:02PM +0200, Arturo Borrero Gonzalez wrote:
> @@ -32,14 +33,19 @@ static void nft_lookup_eval(const struct nft_expr *expr, > const struct nft_lookup *priv = nft_expr_priv(expr); > const struct nft_set *set = priv->set; > const struct nft_set_ext *ext; > + bool found; > > - if (set->ops->lookup(set, ®s->data[priv->sreg], &ext)) { > - if (set->flags & NFT_SET_MAP) > - nft_data_copy(®s->data[priv->dreg], > - nft_set_ext_data(ext), set->dlen); > + found = set->ops->lookup(set, ®s->data[priv->sreg], &ext); > + > + if (!(found ^ priv->invert)) { > + regs->verdict.code = NFT_BREAK; > return; > } > - regs->verdict.code = NFT_BREAK; > + > + if (set->flags & NFT_SET_MAP && found && !priv->invert)

I think this is a bit defensive: if set->flags & NFT_SET_MAP evaluates true, then we can assume priv->invert is always false. We can just add a comment on top of this. Note that, from the _init() path, we reject inversions with maps. So probably something like:

	/* nft_lookup_init() already rejects maps with inverted lookups.
	 * We assume that inversion is always false with maps.
	 */
	found = set->ops->lookup(set, &regs->data[priv->sreg], &ext) ^ priv->invert;
	if (found && set->flags & NFT_SET_MAP)
		nft_data_copy(...);

would be a bit more simple.

> + nft_data_copy(®s->data[priv->dreg], > nft_set_ext_data(ext), set->dlen); > + > } > > static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
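
Review bot: In `if (!(found ^ priv->invert))`, the XOR only behaves as a logical comparison when priv->invert is exactly 0 or 1; its declaration is not in this hunk, so either confirm it is a bool or write the test as `found == priv->invert`, which states the intent directly. In the final condition, `ext` is declared without an initializer in the context lines and the removed code only read it after the lookup returned true, so the `found` term is what keeps nft_set_ext_data(ext) from reading an unset pointer and should survive any simplification of that test. `set->flags & NFT_SET_MAP && found` would also read more clearly with parentheses around the flag test, and the added empty `+` line just before the closing brace can be dropped.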