]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fa40917)
optimize: assume verdict is same when rules have no verdict
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 17 Jun 2022 16:51:40 +0000 (18:51 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 23 Jun 2022 17:00:02 +0000 (19:00 +0200)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/optimize.c patch | blob | blame | history
tests/shell/testcases/optimizations/dumps/merge_reject.nft patch | blob | blame | history
tests/shell/testcases/optimizations/merge_reject patch | blob | blame | history

diff --git a/src/optimize.c b/src/optimize.c
index e4508fa5116a96f61ec55de0e32674027b15c404..c6b85d74d30287650a822f106de883dde99df869 100644 (file)
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -944,7 +944,8 @@ static enum stmt_types merge_stmt_type(const struct optimize_ctx *ctx)
                }
        }
 
-       return STMT_INVALID;
+       /* actually no verdict, this assumes rules have the same verdict. */
+       return STMT_VERDICT;
 }
 
 static void merge_rules(const struct optimize_ctx *ctx,
diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.nft b/tests/shell/testcases/optimizations/dumps/merge_reject.nft
index 9a13e2b96faa05af15f39011b5d05c291aa7a1bc..c29ad6d5648b67d7748d32ff07ef3b7ddcdae927 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/merge_reject.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_reject.nft
@@ -5,3 +5,9 @@ table ip x {
                ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
        }
 }
+table ip6 x {
+       chain y {
+               meta l4proto . ip6 daddr . tcp dport { tcp . aaaa::3 . 8080, tcp . aaaa::2 . 3306, tcp . aaaa::4 . 3306 } counter packets 0 bytes 0 reject
+               ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+       }
+}
diff --git a/tests/shell/testcases/optimizations/merge_reject b/tests/shell/testcases/optimizations/merge_reject
index 497e8f64dc5df693f0209e06702dccb923c22889..c0ef9cacbbf08a324cd258a3b2a6c0908cb6e31a 100755 (executable)
--- a/tests/shell/testcases/optimizations/merge_reject
+++ b/tests/shell/testcases/optimizations/merge_reject
@@ -13,3 +13,14 @@ RULESET="table ip x {
 }"
 
 $NFT -o -f - <<< $RULESET
+
+RULESET="table ip6 x {
+       chain y {
+               meta l4proto tcp ip6 daddr aaaa::2 tcp dport 3306 counter packets 0 bytes 0 reject
+               meta l4proto tcp ip6 daddr aaaa::3 tcp dport 8080 counter packets 0 bytes 0 reject
+               meta l4proto tcp ip6 daddr aaaa::4 tcp dport 3306 counter packets 0 bytes 0 reject
+               meta l4proto tcp ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+       }
+}"
+
+$NFT -o -f - <<< $RULESET
Mirror of git://git.netfilter.org/nftables