The following rule:
nft add rule inet filter input ip6 saddr and ffff:ffff:ffff:ffff:: @allowable counter
when listing the ruleset becomes:
ip6 saddr @allowable/64 counter packets 3 bytes 212
This transformation is unparseable, allow prefix transformation only for
values.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
src/netlink_delinearize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index d0438f44058d..9e3ed53d09f1 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2102,7 +2102,7 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *e
expr_free(binop);
} else if (binop->left->dtype->flags & DTYPE_F_PREFIX &&
- binop->op == OP_AND &&
+ binop->op == OP_AND && expr->right->etype == EXPR_VALUE &&
expr_mask_is_prefix(binop->right)) {
expr->left = expr_get(binop->left);
expr->right = prefix_expr_alloc(&expr->location,
--
2.20.1
