Projects
home:Eustace:branches:Eulaceura:Factory
nftables
_service:obs_scm:backport-evaluate-do-not-remov...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:obs_scm:backport-evaluate-do-not-remove-anonymous-set-with-protocol-f.patch of Package nftables
From 01167c393a12c74c6f9a3015b75702964ff5bcda Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon, 28 Aug 2023 22:47:05 +0200 Subject: [PATCH] evaluate: do not remove anonymous set with protocol flags and single element Set lookups with flags search for an exact match, however: tcp flags { syn } gets transformed into: tcp flags syn which is matching on the syn flag only (non-exact match). This optimization is safe for ct state though, because only one bit is ever set on in the ct state bitmask. Since protocol flags allow for combining flags, skip this optimization to retain exact match semantics. Another possible solution is to turn OP_IMPLICIT into OP_EQ for exact flag match to re-introduce this optimization and deal with this corner case. Fixes: fee6bda06403 ("evaluate: remove anon sets with exactly one element") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/evaluate.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/evaluate.c b/src/evaluate.c index c13be824..b5326d7d 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1817,7 +1817,12 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) set->set_flags |= NFT_SET_CONCAT; } else if (set->size == 1) { i = list_first_entry(&set->expressions, struct expr, list); - if (i->etype == EXPR_SET_ELEM && list_empty(&i->stmt_list)) { + if (i->etype == EXPR_SET_ELEM && + (!i->dtype->basetype || + i->dtype->basetype->type != TYPE_BITMASK || + i->dtype->type == TYPE_CT_STATE) && + list_empty(&i->stmt_list)) { + switch (i->key->etype) { case EXPR_PREFIX: case EXPR_RANGE: -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2