optimize: fix verdict map merging

Skip comparison when collecting the statement and building the rule vs
statement matrix. Compare verdict type when merging rules.

When infering rule mergers, honor the STMT_VERDICT with map (ie. vmap).

Fixes: 561aa3cfa8da ("optimize: merge verdict maps with same lookup key")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/optimize.c b/src/optimize.c
index 4276258464843b84e386a2fc236f6674b595268c..747282b4d7f4acb9926785cd2e8621c3af11c0fc 100644 (file)
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -139,6 +139,9 @@ static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b,
        case STMT_NOTRACK:
                break;
        case STMT_VERDICT:
+               if (!fully_compare)
+                       break;
+
                expr_a = stmt_a->expr;
                expr_b = stmt_b->expr;
 
@@ -276,10 +279,6 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
                if (stmt_type_find(ctx, stmt))
                        continue;
 
-               if (stmt->ops->type == STMT_VERDICT &&
-                   stmt->expr->etype == EXPR_MAP)
-                       continue;
-
                /* No refcounter available in statement objects, clone it to
                 * to store in the array of selectors.
                 */
@@ -999,6 +998,10 @@ static int chain_optimize(struct nft_ctx *nft, struct list_head *rules)
                        case STMT_EXPRESSION:
                                merge[k].stmt[merge[k].num_stmts++] = m;
                                break;
+                       case STMT_VERDICT:
+                               if (ctx->stmt_matrix[i][m]->expr->etype == EXPR_MAP)
+                                       merge[k].stmt[merge[k].num_stmts++] = m;
+                               break;
                        default:
                                break;
                        }