]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aceea86)
evaluate: skip optimization if anonymous set uses stateful statement
authorPablo Neira Ayuso <pablo@netfilter.org>
Sun, 7 May 2023 17:34:19 +0000 (19:34 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 10 May 2023 06:05:50 +0000 (08:05 +0200)
fee6bda06403 ("evaluate: remove anon sets with exactly one element")
introduces an optimization to remove use of sets with single element.
Skip this optimization if set element contains stateful statements.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c patch | blob | blame | history
tests/shell/testcases/optimizations/dumps/single_anon_set.nft patch | blob | blame | history
tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input patch | blob | blame | history

diff --git a/src/evaluate.c b/src/evaluate.c
index bc8f437ee7eacdde91a3c9924aa5772bd334b420..08243220f15943bb2cb9726f3dc43bd1dc4cf5da 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1802,7 +1802,7 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
                        set->set_flags |= NFT_SET_CONCAT;
        } else if (set->size == 1) {
                i = list_first_entry(&set->expressions, struct expr, list);
-               if (i->etype == EXPR_SET_ELEM) {
+               if (i->etype == EXPR_SET_ELEM && list_empty(&i->stmt_list)) {
                        switch (i->key->etype) {
                        case EXPR_PREFIX:
                        case EXPR_RANGE:
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
index 35e3f36e1a548fe859f0a7ee65fae4ac0dcce689..3f703034d80f6a8cafd9d744a746614bf4c9da5a 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
@@ -11,5 +11,6 @@ table ip test {
                ip daddr . tcp dport { 192.168.0.1 . 22 } accept
                meta mark set ip daddr map { 192.168.0.1 : 0x00000001 }
                ct state { established, related } accept
+               meta mark { 0x0000000a counter packets 0 bytes 0 }
        }
 }
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
index 35b93832420fbea3271c81918e99119a1eabe171..ecc5691ba5811c764b1e3be05ab295745803f9a1 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
@@ -31,5 +31,8 @@ table ip test {
                # ct state cannot be both established and related
                # at the same time, but this needs extra work.
                ct state { established, related } accept
+
+               # with stateful statement
+               meta mark { 0x0000000a counter }
        }
 }
Mirror of git://git.netfilter.org/nftables