On Thu, Nov 24, 2016 at 03:16:20PM +0100, Anatole Denis wrote:
> Now that the support for inverted matching is in the kernel and in libnftnl, add
> it to nftables too.
>
> This fixes bug #888
>
> Signed-off-by: Anatole Denis <anatole@xxxxxxxxx>
> ---
> This patch is heavily based off those of Yuxuan Shui from 2014
> (https://marc.info/?l=netfilter-devel&m=140682484411296)
>
> src/evaluate.c | 14 ++++++++++++++
> src/netlink_delinearize.c | 10 ++++++++++
> src/netlink_linearize.c | 14 +++++++++-----
> 3 files changed, 33 insertions(+), 5 deletions(-)
>
> diff --git a/src/evaluate.c b/src/evaluate.c > index 8b113c8..bb46615 100644 > --- a/src/evaluate.c > +++ b/src/evaluate.c > @@ -1541,6 +1541,20 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) > if (byteorder_conversion(ctx, &rel->right, left->byteorder) < 0) > return -1; > break; > + case EXPR_SET: > + assert(rel->op == OP_NEQ); > + right = rel->right = > + implicit_set_declaration(ctx, "__set%d", > + left->dtype, left->len, > + right); > + /* fall through */ > + case EXPR_SET_REF: > + assert(rel->op == OP_NEQ);

Thanks for working on this.

I think we're almost there, we need a bit more code here to catch
these two error cases:

"the referenced set does not exist"

and

"datatype mismatch, expected %s, set has type %s"

See line 1481 in src/evaluate.c for the OP_LOOKUP case.

If I'm on the right track, please also test that these error cases
work as intended.
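
Review bot: the `assert(rel->op == OP_NEQ);` under `case EXPR_SET:` in the src/evaluate.c hunk is redundant, because that case falls through into `case EXPR_SET_REF:`, which asserts the same condition on its first line; dropping the first assert leaves the behaviour unchanged. Separately, if any operator other than OP_NEQ can reach these two cases from a user-supplied ruleset, an assert aborts the program instead of producing an evaluation error, so a checked condition that returns through the evaluator's normal error path would be the safer form. The quoted lines stop at the second assert, so whatever the hunk does after that point cannot be assessed from this message.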