diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-17 17:28:00 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-23 19:00:02 +0200 |
commit | 38d48fe57fff4e7a4ecd060b23b898c693236d29 (patch) | |
tree | cd0ff7d534336dc6fb4faffa345238b3734283fa /src/optimize.c | |
parent | f9939f8954f800b865a0463c65f8c3e9a86aa296 (diff) |
optimize: fix reject statement
Add missing code to the statement collection routine. Compare reject
expressions when available. Add tests/shell.
Fixes: fb298877ece2 ("src: add ruleset optimization infrastructure")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/optimize.c')
-rw-r--r-- | src/optimize.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/src/optimize.c b/src/optimize.c index 94242ee5..42762584 100644 --- a/src/optimize.c +++ b/src/optimize.c @@ -178,13 +178,19 @@ static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b, return false; break; case STMT_REJECT: - if (stmt_a->reject.expr || stmt_b->reject.expr) - return false; - if (stmt_a->reject.family != stmt_b->reject.family || stmt_a->reject.type != stmt_b->reject.type || stmt_a->reject.icmp_code != stmt_b->reject.icmp_code) return false; + + if (!!stmt_a->reject.expr ^ !!stmt_b->reject.expr) + return false; + + if (!stmt_a->reject.expr) + return true; + + if (__expr_cmp(stmt_a->reject.expr, stmt_b->reject.expr)) + return false; break; case STMT_NAT: if (stmt_a->nat.type != stmt_b->nat.type || @@ -304,6 +310,13 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule) clone->nat.flags = stmt->nat.flags; clone->nat.type_flags = stmt->nat.type_flags; break; + case STMT_REJECT: + if (stmt->reject.expr) + clone->reject.expr = expr_get(stmt->reject.expr); + clone->reject.type = stmt->reject.type; + clone->reject.icmp_code = stmt->reject.icmp_code; + clone->reject.family = stmt->reject.family; + break; default: xfree(clone); continue; |