Le 28/11/2016 12:39:05, Pablo Neira Ayuso a écrit : > On Thu, Nov 24, 2016 at 03:16:20PM +0100, Anatole Denis wrote: > > Now that the support for inverted matching is in the kernel and in > libnftnl, add > > it to nftables too. > > > > This fixes bug #888 > > > > Signed-off-by: Anatole Denis <anatole@xxxxxxxxx> > > --- > > This patch is heavily based off those of Yuxuan Shui from 2014 > > (https://marc.info/?l=netfilter-devel&m=140682484411296) > > > > src/evaluate.c | 14 ++++++++++++++ > > src/netlink_delinearize.c | 10 ++++++++++ > > src/netlink_linearize.c | 14 +++++++++----- > > 3 files changed, 33 insertions(+), 5 deletions(-) > > > > diff --git a/src/evaluate.c b/src/evaluate.c > > index 8b113c8..bb46615 100644 > > --- a/src/evaluate.c > > +++ b/src/evaluate.c > > @@ -1541,6 +1541,20 @@ static int expr_evaluate_relational(struct > eval_ctx *ctx, struct expr **expr) > > if (byteorder_conversion(ctx, &rel->right, > left->byteorder) < 0) > > return -1; > > break; > > + case EXPR_SET: > > + assert(rel->op == OP_NEQ); > > + right = rel->right = > > + implicit_set_declaration(ctx, > "__set%d", > > + left->dtype, left->len, > > + right); > > + /* fall through */ > > + case EXPR_SET_REF: > > + assert(rel->op == OP_NEQ); > > Thanks for working on this. > > I think we're almost there, we need a bit more code here to catch > these two error cases: > > "the referenced set does not exist" I believe this error is not the best way to handle this issue. I sent a patch to the list with a proposed change to catch it earlier, removing the need to check for it here. In case that other patch is refused, I will send v2 with this check added. > > and > > "datatype mismatch, expected %s, set has type %s" This one is handled for OP_NEQ/OP_FLAGCMP in general at line 1526. The error messages are almost identical, the lookup one being "Error: datatype mismatch, expected %s, set has type %s" while the NEQ error is "Error: datatype mismatch, expected %s, expression has type %s" ("set" vs "expression"). > > See line 1481 in src/evaluate.c for the OP_LOOKUP case. > > If I'm on the right track, please also test that these errors cases > work as intended. > The case for a lookup/inverse lookup into a nonexistent set is tested in ip/sets.t and ip6/sets. (somewhere in patches 3 and 4). I'll send a v2 of these tests with a test for datatype mismatch added. Considering the previous remarks (and the other patches), do you think I still should change the error handling code ?-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
