diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-04-01 18:11:45 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-04-01 21:06:17 +0200 |
| commit | 0d17d28bb06bf2a04862d5cd879a14bcb9a2d2dc (patch) | |
| tree | aa4c00216070e76f847a566548b932cea6677e5f | |
| parent | 2412e760826f315ada984f7ee433a2077f180c8b (diff) | |
optimize: expand expression list when merging into concatenation
The following rules:
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
results in:
nft: src/optimize.c:670: __merge_concat: Assertion `0' failed.
The logic to expand to the new,untracked list in the concatenation is
missing.
Fixes: 187c6d01d357 ("optimize: expand implicit set element when merging into concatenation")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
4 files changed, 74 insertions, 0 deletions
diff --git a/src/optimize.c b/src/optimize.c index 44010f2b..139bc2d7 100644 --- a/src/optimize.c +++ b/src/optimize.c @@ -666,6 +666,16 @@ static void __merge_concat(const struct optimize_ctx *ctx, uint32_t i, clone = expr_clone(stmt_a->expr->right); compound_expr_add(concat, clone); break; + case EXPR_LIST: + list_for_each_entry(expr, &stmt_a->expr->right->expressions, list) { + concat_clone = expr_clone(concat); + clone = expr_clone(expr); + compound_expr_add(concat_clone, clone); + list_add_tail(&concat_clone->list, &pending_list); + } + list_del(&concat->list); + expr_free(concat); + break; default: assert(0); break; diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft index 267d84ef..46e740a8 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft @@ -185,6 +185,67 @@ "rule": { "family": "ip", "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "ct": { + "key": "state" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 137, + "new" + ] + }, + { + "concat": [ + 138, + "new" + ] + }, + { + "concat": [ + 137, + "untracked" + ] + }, + { + "concat": [ + 138, + "untracked" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", "chain": "c1", "handle": 0, "expr": [ diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft index f56cea1c..d00ac417 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft @@ -2,6 +2,7 @@ table ip x { chain y { iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept ip protocol . th dport { tcp . 22, udp . 67 } + udp dport . ct state { 137 . new, 138 . new, 137 . untracked, 138 . untracked } accept } chain c1 { diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat b/tests/shell/testcases/optimizations/merge_stmts_concat index 4db4a6f9..bae54e36 100755 --- a/tests/shell/testcases/optimizations/merge_stmts_concat +++ b/tests/shell/testcases/optimizations/merge_stmts_concat @@ -12,6 +12,8 @@ RULESET="table ip x { meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept ip protocol . th dport { tcp . 22, udp . 67 } + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept } }" |