optimize: incorrect logic in verdict comparison

Keep inspecting rule verdicts before assuming they are equal. Update
existing test to catch this bug.

Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/optimize.c b/src/optimize.c
index 4ad25fab6be44b3997baac098cc4387ceae2c066..6d6a6d6582ec6890fb5298a7273e002c844ab1c5 100644 (file)
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -622,12 +622,14 @@ static bool stmt_verdict_cmp(const struct optimize_ctx *ctx,
                stmt_a = ctx->stmt_matrix[i][k];
                stmt_b = ctx->stmt_matrix[i + 1][k];
                if (!stmt_a && !stmt_b)
-                       return true;
-               if (stmt_verdict_eq(stmt_a, stmt_b))
-                       return true;
+                       continue;
+               if (!stmt_a || !stmt_b)
+                       return false;
+               if (!stmt_verdict_eq(stmt_a, stmt_b))
+                       return false;
        }
 
-       return false;
+       return true;
 }
 
 static void rule_optimize_print(struct output_ctx *octx,

diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
index f1ab0288ab0dafda0324137191e3062adabc126c..5c0ae60caafacbc13dee61d0d96238da6ba9bdc0 100755 (executable)
--- a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
@@ -5,8 +5,8 @@ set -e
 RULESET="table ip x {
        chain y {
                ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
-               ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
                ip saddr 4.4.4.4 ip daddr 5.5.5.5 accept
+               ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
        }
 }"