From c8b350392e23c3d33bdc65e6fed49bded672c181 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 3 May 2022 11:30:57 +0200
Subject: optimize: incorrect logic in verdict comparison

Keep inspecting rule verdicts before assuming they are equal. Update existing test to catch this bug.

Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map")
Signed-off-by: Pablo Neira Ayuso
---
 src/optimize.c | 10 ++++++----
 tests/shell/testcases/optimizations/merge_stmts_concat_vmap | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/optimize.c b/src/optimize.c
index 4ad25fab..6d6a6d65 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -622,12 +622,14 @@ static bool stmt_verdict_cmp(const struct optimize_ctx *ctx,
 stmt_a = ctx->stmt_matrix[i][k];
 stmt_b = ctx->stmt_matrix[i + 1][k];
 if (!stmt_a && !stmt_b)
- return true;
- if (stmt_verdict_eq(stmt_a, stmt_b))
- return true;
+ continue;
+ if (!stmt_a || !stmt_b)
+ return false;
+ if (!stmt_verdict_eq(stmt_a, stmt_b))
+ return false;
 }

- return false;
+ return true;
 }

 static void rule_optimize_print(struct output_ctx *octx,
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
index f1ab0288..5c0ae60c 100755
--- a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
@@ -5,8 +5,8 @@ set -e
 RULESET="table ip x {
 chain y {
 ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
- ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
 ip saddr 4.4.4.4 ip daddr 5.5.5.5 accept
+ ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
 }
 }"

-- 
cgit v1.2.3
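Review bot: The new one-sided branch in stmt_verdict_cmp(), `if (!stmt_a || !stmt_b) return false;`, is not exercised by the updated merge_stmts_concat_vmap test, because all three rules there carry an explicit verdict. Judging by the Fixes: subject, this comparison presumably decides whether rules are folded into a verdict map, so a regression on that path could silently change which packets a ruleset accepts or drops. A test case that places a rule without a verdict statement next to an `accept` or `drop` rule would pin it. A short comment above the loop would also make the contract explicit, e.g. `/* every pair of adjacent rules must carry the same verdict, or no verdict at all */`. The function's signature, the lookup of `k` and the loop header are outside the hunk, so the iteration bounds could not be checked here.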