author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-05-07 19:34:19 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-05-10 08:05:50 +0200 |
commit | 033a664e89362e8c0c191a823bc37a6f92e8c89e (patch) | |
tree | ef7325841cc6e85c92019ae0026da8e64ca50edb | |
parent | aceea86de797bcc315d3e759a44b97cbfb724435 (diff) |
evaluate: skip optimization if anonymous set uses stateful statement
fee6bda06403 ("evaluate: remove anon sets with exactly one element")
introduces an optimization to remove use of sets with single element.
Skip this optimization if set element contains stateful statements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/evaluate.c | 2 | ||||
-rw-r--r-- | tests/shell/testcases/optimizations/dumps/single_anon_set.nft | 1 | ||||
-rw-r--r-- | tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input | 3 |
3 files changed, 5 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index bc8f437e..08243220 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1802,7 +1802,7 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
 set->set_flags |= NFT_SET_CONCAT;
 } else if (set->size == 1) {
 i = list_first_entry(&set->expressions, struct expr, list);
- if (i->etype == EXPR_SET_ELEM) {
+ if (i->etype == EXPR_SET_ELEM && list_empty(&i->stmt_list)) {
 switch (i->key->etype) {
 case EXPR_PREFIX:
 case EXPR_RANGE:
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
index 35e3f36e..3f703034 100644
--- a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
@@ -11,5 +11,6 @@ table ip test {
 ip daddr . tcp dport { 192.168.0.1 . 22 } accept
 meta mark set ip daddr map { 192.168.0.1 : 0x00000001 }
 ct state { established, related } accept
+ meta mark { 0x0000000a counter packets 0 bytes 0 }
 }
 }
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
index 35b93832..ecc5691b 100644
--- a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
@@ -31,5 +31,8 @@ table ip test {
 # ct state cannot be both established and related
 # at the same time, but this needs extra work.
 ct state { established, related } accept
+
+ # with stateful statement
+ meta mark { 0x0000000a counter }
 }
 }
 |
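Review bot: The new `list_empty(&i->stmt_list)` test in expr_evaluate_set carries no comment saying why a non-empty statement list must keep the set, and the reason is not obvious from the condition alone. Going by the commit message, reducing the set to its single key would discard the statements attached to the element, so a rule's counter (and presumably any other per-element stateful statement) would silently disappear from the loaded ruleset. I would add above the `if`: `/* keep the set: statements attached to the element would be lost if it were reduced to its key */`. The enclosing function starts and ends outside the hunk.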
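Review bot: The added case `meta mark { 0x0000000a counter }` in single_anon_set.nft.input exercises only a counter, whose loss would affect accounting but not which packets the rule matches. If anonymous-set elements also accept enforcement-type statements such as `limit` or `quota` (not shown on this page), a second case using one of them would pin the behaviour where dropping the statement would change the effective policy. The corresponding expected line would need to be added to the dump file as well.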