From 99eb46969f3d7ccd37899f2755055fe7511c46b0 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 3 Mar 2022 12:20:29 +0100
Subject: optimize: fix vmap with anonymous sets

The following example ruleset crashes:

 table inet a {
        chain b {
                tcp dport { 1 } accept
                tcp dport 2-3 drop
        }
 }

because handling for EXPR_SET is missing.

Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/optimize.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src/optimize.c')

diff --git a/src/optimize.c b/src/optimize.c
index 04523edb..64c0a4db 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -435,18 +435,22 @@ static void build_verdict_map(struct expr *expr, struct stmt *verdict, struct ex
 {
 	struct expr *item, *elem, *mapping;
 
-	if (expr->etype == EXPR_LIST) {
+	switch (expr->etype) {
+	case EXPR_LIST:
+	case EXPR_SET:
 		list_for_each_entry(item, &expr->expressions, list) {
 			elem = set_elem_expr_alloc(&internal_location, expr_get(item));
 			mapping = mapping_expr_alloc(&internal_location, elem,
 						     expr_get(verdict->expr));
 			compound_expr_add(set, mapping);
 		}
-	} else {
+		break;
+	default:
 		elem = set_elem_expr_alloc(&internal_location, expr_get(expr));
 		mapping = mapping_expr_alloc(&internal_location, elem,
 					     expr_get(verdict->expr));
 		compound_expr_add(set, mapping);
+		break;
 	}
 }
 
-- 
cgit v1.2.3