diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-29 13:46:21 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-30 13:09:01 +0200 |
commit | 187c6d01d35722618c2711bbc49262c286472c8f (patch) | |
tree | b807d4e649ab7e677a400b99440bd2c5592f766e /tests/shell/testcases/optimizations/merge_stmts_concat | |
parent | 9a20f17a7a82ce5ba47047e6c3d2fc921cc1087d (diff) |
optimize: expand implicit set element when merging into concatenation
Generalize the existing code to deal with implicit sets. When merging a
ruleset like the following:
udp dport 128 iifname "foo" #1
udp dport { 67, 123 } iifname "bar" #2
into a concatenation of statements, the following expansion need to
be done for rule #2:
67 . "bar"
123 . "bar"
The expansion logic consists of cloning the existing concatenation being
built and then append each element in the implicit set. A list of
ongoing concatenations being built is maintained, so further expansions
are also supported.
Extend test to cover for this use-case.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1628
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases/optimizations/merge_stmts_concat')
-rwxr-xr-x | tests/shell/testcases/optimizations/merge_stmts_concat | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat b/tests/shell/testcases/optimizations/merge_stmts_concat index 623fdff9..0bcd9562 100755 --- a/tests/shell/testcases/optimizations/merge_stmts_concat +++ b/tests/shell/testcases/optimizations/merge_stmts_concat @@ -12,3 +12,22 @@ RULESET="table ip x { }" $NFT -o -f - <<< $RULESET + +RULESET="table ip x { + chain c1 { + udp dport 51820 iifname "foo" accept + udp dport { 67, 514 } iifname "bar" accept + } + + chain c2 { + udp dport { 51820, 100 } iifname "foo" accept + udp dport { 67, 514 } iifname "bar" accept + } + + chain c3 { + udp dport { 51820, 100 } iifname { "foo", "test" } accept + udp dport { 67, 514 } iifname "bar" accept + } +}" + +$NFT -o -f - <<< $RULESET |