From 0d17d28bb06bf2a04862d5cd879a14bcb9a2d2dc Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 1 Apr 2025 18:11:45 +0200 Subject: [PATCH] optimize: expand expression list when merging into concatenation The following rules: udp dport 137 ct state new,untracked accept udp dport 138 ct state new,untracked accept results in: nft: src/optimize.c:670: __merge_concat: Assertion `0' failed. The logic to expand to the new,untracked list in the concatenation is missing. Fixes: 187c6d01d357 ("optimize: expand implicit set element when merging into concatenation") Signed-off-by: Pablo Neira Ayuso --- src/optimize.c | 10 +++ .../dumps/merge_stmts_concat.json-nft | 61 +++++++++++++++++++ .../dumps/merge_stmts_concat.nft | 1 + .../optimizations/merge_stmts_concat | 2 + 4 files changed, 74 insertions(+) diff --git a/src/optimize.c b/src/optimize.c index 44010f2bb..139bc2d73 100644 --- a/src/optimize.c +++ b/src/optimize.c @@ -666,6 +666,16 @@ static void __merge_concat(const struct optimize_ctx *ctx, uint32_t i, clone = expr_clone(stmt_a->expr->right); compound_expr_add(concat, clone); break; + case EXPR_LIST: + list_for_each_entry(expr, &stmt_a->expr->right->expressions, list) { + concat_clone = expr_clone(concat); + clone = expr_clone(expr); + compound_expr_add(concat_clone, clone); + list_add_tail(&concat_clone->list, &pending_list); + } + list_del(&concat->list); + expr_free(concat); + break; default: assert(0); break; diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft index 267d84eff..46e740a8f 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft @@ -181,6 +181,67 @@ ] } }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "ct": { + "key": "state" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 137, + "new" + ] + }, + { + "concat": [ + 138, + "new" + ] + }, + { + "concat": [ + 137, + "untracked" + ] + }, + { + "concat": [ + 138, + "untracked" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft index f56cea1c4..d00ac417c 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft @@ -2,6 +2,7 @@ table ip x { chain y { iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept ip protocol . th dport { tcp . 22, udp . 67 } + udp dport . ct state { 137 . new, 138 . new, 137 . untracked, 138 . untracked } accept } chain c1 { diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat b/tests/shell/testcases/optimizations/merge_stmts_concat index 4db4a6f90..bae54e366 100755 --- a/tests/shell/testcases/optimizations/merge_stmts_concat +++ b/tests/shell/testcases/optimizations/merge_stmts_concat @@ -12,6 +12,8 @@ RULESET="table ip x { meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept ip protocol . th dport { tcp . 22, udp . 67 } + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept } }" -- 2.47.2