diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-17 17:42:58 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-23 19:00:02 +0200 |
commit | d07fe8e8ab5f52964449cbb29d86aec46f780029 (patch) | |
tree | d3e638c9f6634dd5081359d33a4ea3d277fbdccd | |
parent | 38d48fe57fff4e7a4ecd060b23b898c693236d29 (diff) |
optimize: fix verdict map merging
Skip comparison when collecting the statement and building the rule vs
statement matrix. Compare verdict type when merging rules.
When infering rule mergers, honor the STMT_VERDICT with map (ie. vmap).
Fixes: 561aa3cfa8da ("optimize: merge verdict maps with same lookup key")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/optimize.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/optimize.c b/src/optimize.c index 42762584..747282b4 100644 --- a/src/optimize.c +++ b/src/optimize.c @@ -139,6 +139,9 @@ static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b, case STMT_NOTRACK: break; case STMT_VERDICT: + if (!fully_compare) + break; + expr_a = stmt_a->expr; expr_b = stmt_b->expr; @@ -276,10 +279,6 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule) if (stmt_type_find(ctx, stmt)) continue; - if (stmt->ops->type == STMT_VERDICT && - stmt->expr->etype == EXPR_MAP) - continue; - /* No refcounter available in statement objects, clone it to * to store in the array of selectors. */ @@ -999,6 +998,10 @@ static int chain_optimize(struct nft_ctx *nft, struct list_head *rules) case STMT_EXPRESSION: merge[k].stmt[merge[k].num_stmts++] = m; break; + case STMT_VERDICT: + if (ctx->stmt_matrix[i][m]->expr->etype == EXPR_MAP) + merge[k].stmt[merge[k].num_stmts++] = m; + break; default: break; } |