On 28/11/2016 12:39:05, Pablo Neira Ayuso wrote:
> On Thu, Nov 24, 2016 at 03:16:20PM +0100, Anatole Denis wrote:
> > Now that the support for inverted matching is in the kernel and in
> > libnftnl, add
> > it to nftables too.
> >
> > This fixes bug #888
> >
> > Signed-off-by: Anatole Denis <[email protected]>
> > ---
> > This patch is heavily based off those of Yuxuan Shui from 2014
> > (https://marc.info/?l=netfilter-devel&m=140682484411296)
> >
> > src/evaluate.c | 14 ++++++++++++++
> > src/netlink_delinearize.c | 10 ++++++++++
> > src/netlink_linearize.c | 14 +++++++++-----
> > 3 files changed, 33 insertions(+), 5 deletions(-)
> >
> > diff --git a/src/evaluate.c b/src/evaluate.c
> > index 8b113c8..bb46615 100644
> > --- a/src/evaluate.c
> > +++ b/src/evaluate.c
> > @@ -1541,6 +1541,20 @@ static int expr_evaluate_relational(struct
> eval_ctx *ctx, struct expr **expr)
> > if (byteorder_conversion(ctx, &rel->right,
> left->byteorder) < 0)
> > return -1;
> > break;
> > + case EXPR_SET:
> > + assert(rel->op == OP_NEQ);
> > + right = rel->right =
> > + implicit_set_declaration(ctx,
> "__set%d",
> > + left->dtype, left->len,
> > + right);
> > + /* fall through */
> > + case EXPR_SET_REF:
> > + assert(rel->op == OP_NEQ);
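Review bot: the `case EXPR_SET_REF:` arm at the end of the hunk only asserts `rel->op == OP_NEQ`; nothing in this hunk verifies that the referenced set exists or that its datatype matches `left->dtype` before the relational falls through to the lookup path, whereas the `EXPR_SET` arm above is guaranteed a correctly typed set by `implicit_set_declaration(ctx, "__set%d", left->dtype, left->len, right)`. Suggest reporting both conditions as evaluation errors returning -1 in the `EXPR_SET_REF` arm, mirroring the OP_LOOKUP handling, rather than relying on an `assert()` that would abort the process if an unexpected operator reached this path.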
>
> Thanks for working on this.
>
> I think we're almost there, we need a bit more code here to catch
> these two error cases:
>
> "the referenced set does not exist"
I believe this error is not the best way to handle this issue. I sent a patch
to the list with a proposed change to catch it earlier, removing the need to
check for it here. In case that other patch is refused, I will send v2 with
this check added.
>
> and
>
> "datatype mismatch, expected %s, set has type %s"
This one is handled for OP_NEQ/OP_FLAGCMP in general at line 1526. The error
messages are almost identical, the lookup one being "Error: datatype mismatch,
expected %s, set has type %s" while the NEQ error is "Error: datatype mismatch,
expected %s, expression has type %s" ("set" vs "expression").
>
> See line 1481 in src/evaluate.c for the OP_LOOKUP case.
>
> If I'm on the right track, please also test that these errors cases
> work as intended.
>
The case for a lookup/inverse lookup into a nonexistent set is tested in
ip/sets.t and ip6/sets. (somewhere in patches 3 and 4). I'll send a v2 of these
tests with a test for datatype mismatch added.
Considering the previous remarks (and the other patches), do you think I should
still change the error handling code?