
[nft,1/3] optimize: incorrect logic in verdict comparison

Message ID 20220503161017.54258-1-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira

Commit Message

Pablo Neira Ayuso May 3, 2022, 4:10 p.m. UTC
Keep inspecting rule verdicts before assuming they are equal. Update
existing test to catch this bug.

Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/optimize.c                                         | 10 +++++-----
 .../testcases/optimizations/merge_stmts_concat_vmap    |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

Patch

diff --git a/src/optimize.c b/src/optimize.c
index 4ad25fab6be4..a6c26d21eb6b 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -621,13 +621,13 @@  static bool stmt_verdict_cmp(const struct optimize_ctx *ctx,
 	for (i = from; i + 1 <= to; i++) {
 		stmt_a = ctx->stmt_matrix[i][k];
 		stmt_b = ctx->stmt_matrix[i + 1][k];
-		if (!stmt_a && !stmt_b)
-			return true;
-		if (stmt_verdict_eq(stmt_a, stmt_b))
-			return true;
+		if (!stmt_a || !stmt_b)
+			return false;
+		if (!stmt_verdict_eq(stmt_a, stmt_b))
+			return false;
 	}
 
-	return false;
+	return true;
 }
 
 static void rule_optimize_print(struct output_ctx *octx,
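Review bot: With the return values inverted, a range where `from == to` now skips the loop and falls through to `return true`, where the old code returned false for the same input. The callers and the start of stmt_verdict_cmp() are outside this hunk, so it is worth confirming that no caller passes a single-row range. A true result here presumably allows the rules to be merged into a verdict map, and a wrong merge would change what the loaded ruleset enforces. A contract comment above the loop would make the intent explicit, for example `/* true only if every adjacent pair of rows in [from, to] has a statement in column k and passes stmt_verdict_eq(); vacuously true when from == to */`.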
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
index f1ab0288ab0d..5c0ae60caafa 100755
--- a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
@@ -5,8 +5,8 @@  set -e
 RULESET="table ip x {
 	chain y {
 		ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
-		ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
 		ip saddr 4.4.4.4 ip daddr 5.5.5.5 accept
+		ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
 	}
 }"