]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2412e76)
optimize: expand expression list when merging into concatenation
authorPablo Neira Ayuso <pablo@netfilter.org>
Tue, 1 Apr 2025 16:11:45 +0000 (18:11 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 1 Apr 2025 19:06:17 +0000 (21:06 +0200)
The following rules:

    udp dport 137 ct state new,untracked accept
    udp dport 138 ct state new,untracked accept

results in:

  nft: src/optimize.c:670: __merge_concat: Assertion `0' failed.

The logic to expand to the new,untracked list in the concatenation is
missing.

Fixes: 187c6d01d357 ("optimize: expand implicit set element when merging into concatenation")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/optimize.c patch | blob | blame | history
tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft patch | blob | blame | history
tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft patch | blob | blame | history
tests/shell/testcases/optimizations/merge_stmts_concat patch | blob | blame | history

diff --git a/src/optimize.c b/src/optimize.c
index 44010f2bb3773969ee042609f8e787707044f933..139bc2d73c3c0230d0dfe656505b37cb2a235855 100644 (file)
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -666,6 +666,16 @@ static void __merge_concat(const struct optimize_ctx *ctx, uint32_t i,
                                clone = expr_clone(stmt_a->expr->right);
                                compound_expr_add(concat, clone);
                                break;
+                       case EXPR_LIST:
+                               list_for_each_entry(expr, &stmt_a->expr->right->expressions, list) {
+                                       concat_clone = expr_clone(concat);
+                                       clone = expr_clone(expr);
+                                       compound_expr_add(concat_clone, clone);
+                                       list_add_tail(&concat_clone->list, &pending_list);
+                               }
+                               list_del(&concat->list);
+                               expr_free(concat);
+                               break;
                        default:
                                assert(0);
                                break;
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft
index 267d84efffa3f23f3d5e52ec65687eb39a257598..46e740a8f5b5a6cbc3a336ae98872bc65a263364 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft
@@ -181,6 +181,67 @@
         ]
       }
     },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "x",
+        "chain": "y",
+        "handle": 0,
+        "expr": [
+          {
+            "match": {
+              "op": "==",
+              "left": {
+                "concat": [
+                  {
+                    "payload": {
+                      "protocol": "udp",
+                      "field": "dport"
+                    }
+                  },
+                  {
+                    "ct": {
+                      "key": "state"
+                    }
+                  }
+                ]
+              },
+              "right": {
+                "set": [
+                  {
+                    "concat": [
+                      137,
+                      "new"
+                    ]
+                  },
+                  {
+                    "concat": [
+                      138,
+                      "new"
+                    ]
+                  },
+                  {
+                    "concat": [
+                      137,
+                      "untracked"
+                    ]
+                  },
+                  {
+                    "concat": [
+                      138,
+                      "untracked"
+                    ]
+                  }
+                ]
+              }
+            }
+          },
+          {
+            "accept": null
+          }
+        ]
+      }
+    },
     {
       "rule": {
         "family": "ip",
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
index f56cea1c4fd7b24af659e3a9ae45b58cde8a38b5..d00ac417ca759b1bd94715bc46bbf9c7db522104 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
@@ -2,6 +2,7 @@ table ip x {
        chain y {
                iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept
                ip protocol . th dport { tcp . 22, udp . 67 }
+               udp dport . ct state { 137 . new, 138 . new, 137 . untracked, 138 . untracked } accept
        }
 
        chain c1 {
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat b/tests/shell/testcases/optimizations/merge_stmts_concat
index 4db4a6f90944bc8c9fe7e0367f7fda805912e70f..bae54e3665e02f00f2ccca8ee441864f1a181566 100755 (executable)
--- a/tests/shell/testcases/optimizations/merge_stmts_concat
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat
@@ -12,6 +12,8 @@ RULESET="table ip x {
                meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                ip protocol . th dport { tcp . 22, udp . 67 }
+               udp dport 137 ct state new,untracked accept
+               udp dport 138 ct state new,untracked accept
        }
 }"
 
Mirror of git://git.netfilter.org/nftables