54 lines
1.7 KiB
Diff
54 lines
1.7 KiB
Diff
From 01167c393a12c74c6f9a3015b75702964ff5bcda Mon Sep 17 00:00:00 2001
|
|
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Date: Mon, 28 Aug 2023 22:47:05 +0200
|
|
Subject: [PATCH] evaluate: do not remove anonymous set with protocol flags and
|
|
single element
|
|
|
|
Set lookups with flags search for an exact match, however:
|
|
|
|
tcp flags { syn }
|
|
|
|
gets transformed into:
|
|
|
|
tcp flags syn
|
|
|
|
which is matching on the syn flag only (non-exact match).
|
|
|
|
This optimization is safe for ct state though, because only one bit is
|
|
ever set on in the ct state bitmask.
|
|
|
|
Since protocol flags allow for combining flags, skip this optimization
|
|
to retain exact match semantics.
|
|
|
|
Another possible solution is to turn OP_IMPLICIT into OP_EQ for exact
|
|
flag match to re-introduce this optimization and deal with this corner
|
|
case.
|
|
|
|
Fixes: fee6bda06403 ("evaluate: remove anon sets with exactly one element")
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
---
|
|
src/evaluate.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
index c13be824..b5326d7d 100644
|
|
--- a/src/evaluate.c
|
|
+++ b/src/evaluate.c
|
|
@@ -1817,7 +1817,12 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
|
|
set->set_flags |= NFT_SET_CONCAT;
|
|
} else if (set->size == 1) {
|
|
i = list_first_entry(&set->expressions, struct expr, list);
|
|
- if (i->etype == EXPR_SET_ELEM && list_empty(&i->stmt_list)) {
|
|
+ if (i->etype == EXPR_SET_ELEM &&
|
|
+ (!i->dtype->basetype ||
|
|
+ i->dtype->basetype->type != TYPE_BITMASK ||
|
|
+ i->dtype->type == TYPE_CT_STATE) &&
|
|
+ list_empty(&i->stmt_list)) {
|
|
+
|
|
switch (i->key->etype) {
|
|
case EXPR_PREFIX:
|
|
case EXPR_RANGE:
|
|
--
|
|
2.33.0
|
|
|