optimize: do not merge rules with set reference in rhs

Otherwise set reference ends up included in an anonymous set, as an element, which is not supported. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-17 17:20:26 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-23 19:00:02 +0200
commit: 3ac932e90b23402b3b18952123fbed97d8d50920 (patch)
tree: bb1daf2cd9ad892ccbd0a43129d8eb016175b0d3 /src
parent: 64ebb03a8c87af4f664f8b7e190dee4cbbefb962 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/src/optimize.c b/src/optimize.c
index a2a4e587..543d3ca5 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -105,6 +105,12 @@ static bool stmt_expr_supported(const struct expr *expr)
 	return false;
 }
 
+static bool expr_symbol_set(const struct expr *expr)
+{
+	return expr->right->etype == EXPR_SYMBOL &&
+	       expr->right->symtype == SYMBOL_SET;
+}
+
 static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b,
 			   bool fully_compare)
 {
@@ -122,6 +128,10 @@ static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b,
 			if (!stmt_expr_supported(expr_a) ||
 			    !stmt_expr_supported(expr_b))
 				return false;
+
+			if (expr_symbol_set(expr_a) ||
+			    expr_symbol_set(expr_b))
+				return false;
 		}
 
 		return __expr_cmp(expr_a->left, expr_b->left);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2022-06-17 17:20:26 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2022-06-23 19:00:02 +0200
commit	3ac932e90b23402b3b18952123fbed97d8d50920 (patch)
tree	bb1daf2cd9ad892ccbd0a43129d8eb016175b0d3 /src
parent	64ebb03a8c87af4f664f8b7e190dee4cbbefb962 (diff)