[Bug 888] Assertion errors attempting a statement which (I believe) is grammatically correct.

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Jun 5 21:05:12 CEST 2014


https://bugzilla.netfilter.org/show_bug.cgi?id=888

--- Comment #5 from Yuxuan Shui <yshuiv7 at gmail.com> 2014-06-05 21:05:11 CEST ---
(In reply to comment #4)
> Including Patrick in this bug, in case he's got some better idea to address
> this.
> 
> Currently, we can only use the implement 'eq', ie.
> 
>   ip saddr { 1.1.1.0/24 }

This is not actually an OP_EQ, it's an OP_IMPLICIT which is later translated to
OP_LOOKUP. Currently there's no way to explicitly specify OP_LOOKUP.

> 
> But we should be able to support this:
> 
>   nft add rule ip filter input ip saddr != { 192.168.1.0/24 }

It seems there's no negative lookup implementation in nft now. If we are going
to support this we have to implement a negative lookup operation.

Also I think '!=' is not a good operator for this, what about "notin" (also use
"in" for OP_LOOKUP)?

> 
> it says:
> 
>   BUG: invalid expression type set
>   nft: src/evaluate.c:955: expr_evaluate_relational: Assertion `0' failed.
>   Aborted
> 
> My proposal is to add a NFT_LOOKUP_NEG whose attribute type is NLA_FLAG when
> validating in nft_lookup.c to support "negative" lookups. The corresponding
> libnftnl and nftables are required as well.

(Well, I didn't read this part when typing the above paragraphs). I think I could do
this.

> 
> Please, Shui let us know how this is going.
