evaluate: skip anonymous set optimization for concatenations

commit 6bc6673fc88c8a3e3dd5504b2d24a6d6bc2f8427 upstream.

Concatenation is only supported with sets. Moreover, stripping of the
set leads to broken ruleset listing, therefore, skip this optimization
for the concatenations.

Fixes: fa17b17ea74a ("evaluate: revisit anonymous set with single element optimization")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 6546fe1610957f1a9427482d48c103a290721366..60d8cf9d76b2a2a5840208af6e65491b3e073e01 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2417,15 +2417,17 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
                return expr_binary_error(ctx->msgs, right, left,
                                         "Cannot be used with right hand side constant value");
 
-       switch (rel->op) {
-       case OP_EQ:
-       case OP_IMPLICIT:
-       case OP_NEQ:
-               if (right->etype == EXPR_SET && right->size == 1)
-                       optimize_singleton_set(rel, &right);
-               break;
-       default:
-               break;
+       if (left->etype != EXPR_CONCAT) {
+               switch (rel->op) {
+               case OP_EQ:
+               case OP_IMPLICIT:
+               case OP_NEQ:
+                       if (right->etype == EXPR_SET && right->size == 1)
+                               optimize_singleton_set(rel, &right);
+                       break;
+               default:
+                       break;
+               }
        }
 
        switch (rel->op) {