summaryrefslogtreecommitdiffstats
path: root/tests/shell
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2025-03-26 21:54:06 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2025-03-27 21:39:03 +0100
commit447ac8a3e13f4706b0900d26c5c89dfcaa6773aa (patch)
tree14409a788984b2f0283ff16f1f819fe9e5ef4f6c /tests/shell
parentabab6e60c755aef7e1ab9d3320effa714a0b49e2 (diff)
optimize: compact bitmask matching in set/map
Check if right hand side of relational is a bitmask, ie. relational / \ ... or / \ value or / \ value value then, if left hand side is a binop expression, compare left and right hand sides (not only left hand of this binop expression) to check for redundant matches in consecutive rules, ie. relational / \ and ... / \ payload value before this patch, only payload in the binop expression was compared. This allows to compact several rules matching tcp flags in a set/map, eg. # nft -c -o -f ruleset.nft Merging: ruleset.nft:7:17-76: tcp flags & (fin | syn | rst | ack | urg) == fin | ack | urg ruleset.nft:8:17-70: tcp flags & (fin | syn | rst | ack | urg) == fin | ack ruleset.nft:9:17-64: tcp flags & (fin | syn | rst | ack | urg) == fin ruleset.nft:10:17-70: tcp flags & (fin | syn | rst | ack | urg) == syn | ack ruleset.nft:11:17-64: tcp flags & (fin | syn | rst | ack | urg) == syn ruleset.nft:12:17-70: tcp flags & (fin | syn | rst | ack | urg) == rst | ack ruleset.nft:13:17-64: tcp flags & (fin | syn | rst | ack | urg) == rst ruleset.nft:14:17-70: tcp flags & (fin | syn | rst | ack | urg) == ack | urg ruleset.nft:15:17-64: tcp flags & (fin | syn | rst | ack | urg) == ack into: tcp flags & (fin | syn | rst | ack | urg) == { fin | ack | urg, fin | ack, fin, syn | ack, syn, rst | ack, rst, ack | urg, ack } Merging: ruleset.nft:17:17-61: tcp flags & (ack | urg) == ack jump ack_chain ruleset.bft:18:17-61: tcp flags & (ack | urg) == urg jump urg_chain into: tcp flags & (ack | urg) vmap { ack : jump ack_chain, urg : jump urg_chain } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell')
-rwxr-xr-xtests/shell/testcases/optimizations/bitmask26
-rw-r--r--tests/shell/testcases/optimizations/dumps/bitmask.nft14
2 files changed, 40 insertions, 0 deletions
diff --git a/tests/shell/testcases/optimizations/bitmask b/tests/shell/testcases/optimizations/bitmask
new file mode 100755
index 00000000..064d9560
--- /dev/null
+++ b/tests/shell/testcases/optimizations/bitmask
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+RULESET='table inet t {
+ chain ack_chain {}
+ chain urg_chain {}
+
+ chain c {
+ tcp flags & (syn | rst | ack | urg) == ack | urg
+ tcp flags & (fin | syn | rst | ack | urg) == fin | ack | urg
+ tcp flags & (fin | syn | rst | ack | urg) == fin | ack
+ tcp flags & (fin | syn | rst | ack | urg) == fin
+ tcp flags & (fin | syn | rst | ack | urg) == syn | ack
+ tcp flags & (fin | syn | rst | ack | urg) == syn
+ tcp flags & (fin | syn | rst | ack | urg) == rst | ack
+ tcp flags & (fin | syn | rst | ack | urg) == rst
+ tcp flags & (fin | syn | rst | ack | urg) == ack | urg
+ tcp flags & (fin | syn | rst | ack | urg) == ack
+ tcp flags & (rst | ack | urg) == rst | ack
+ tcp flags & (ack | urg) == ack jump ack_chain
+ tcp flags & (ack | urg) == urg jump urg_chain
+ }
+}'
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/dumps/bitmask.nft b/tests/shell/testcases/optimizations/dumps/bitmask.nft
new file mode 100644
index 00000000..758b32a3
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/bitmask.nft
@@ -0,0 +1,14 @@
+table inet t {
+ chain ack_chain {
+ }
+
+ chain urg_chain {
+ }
+
+ chain c {
+ tcp flags & (syn | rst | ack | urg) == ack | urg
+ tcp flags & (fin | syn | rst | ack | urg) == { fin | ack | urg, fin | ack, fin, syn | ack, syn, rst | ack, rst, ack | urg, ack }
+ tcp flags & (rst | ack | urg) == rst | ack
+ tcp flags & (ack | urg) vmap { ack : jump ack_chain, urg : jump urg_chain }
+ }
+}
generated by cgit v1.2.3 (git 2.25.0) at 2025-06-15 15:16:55 +0000