expr: immediate: Fix verdict comparison

An immediate expression of type 'DATA_VERDICT' can have set a chain (jump
or goto), in this cases we must compare its 'union nftnl_data_reg' using
'DATA_CHAIN' flag instead of 'DATA_VERDICT'

Before this patch compare expressions "jump -> chain_a" and
"jump -> chain_b" returns they are equals.

Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index cb8a81b0b2166b145b04f915b4d2e557ca3b72db..2fdae9cfa2c863b994e855628075e66cab4cd78c 100644 (file)
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -326,13 +326,20 @@ static bool nftnl_expr_immediate_cmp(const struct nftnl_expr *e1,
        struct nftnl_expr_immediate *i1 = nftnl_expr_data(e1);
        struct nftnl_expr_immediate *i2 = nftnl_expr_data(e2);
        bool eq = true;
+       int type = DATA_NONE;
 
        if (e1->flags & (1 << NFTNL_EXPR_IMM_DREG))
                eq &= (i1->dreg == i2->dreg);
        if (e1->flags & (1 << NFTNL_EXPR_IMM_VERDICT))
-               eq &= nftnl_data_reg_cmp(&i1->data, &i2->data, DATA_VERDICT);
+               if (e1->flags & (1 << NFTNL_EXPR_IMM_CHAIN))
+                       type = DATA_CHAIN;
+               else
+                       type = DATA_VERDICT;
        else if (e1->flags & (1 << NFTNL_EXPR_IMM_DATA))
-               eq &= nftnl_data_reg_cmp(&i1->data, &i2->data, DATA_VALUE);
+               type = DATA_VALUE;
+
+       if (type != DATA_NONE)
+               eq &= nftnl_data_reg_cmp(&i1->data, &i2->data, type);
 
        return eq;
 }