ab440e86fa
* Thu Nov 20 2025 Phil Sutter <psutter@redhat.com> [1.1.5-1.el10] - doc: libnftables-json: Describe RULESET object (Phil Sutter) [RHEL-121194] - doc: don't suggest to disable GSO (Phil Sutter) [RHEL-121194] - build: don't install ancillary files without systemd service file (Phil Sutter) [RHEL-121194] - tests: shell: fix typo in vmap_timeout test script (Phil Sutter) [RHEL-121194] - tests: py: inet/osf.t: Fix element ordering in JSON equivalents (Phil Sutter) [RHEL-121194] - tests: py: any/ct.t.json.output: Drop leftover entry (Phil Sutter) [RHEL-121194] - tests: py: any/tcpopt.t.json: Fix JSON equivalent (Phil Sutter) [RHEL-121194] - optimize: Fix verdict expression comparison (Phil Sutter) [RHEL-121194] - datatype: Fix boolean type on Big Endian (Phil Sutter) [RHEL-121194] - src: parser_json: fix format string bugs (Phil Sutter) [RHEL-121194] - doc: fix tcpdump example (Phil Sutter) [RHEL-121194] - libnftables: do not re-add default include directory in include search path (Phil Sutter) [RHEL-121194] - monitor: Inform JSON printer when reporting an object delete event (Phil Sutter) [RHEL-121194] - tests: shell: skip two bitwise tests if multi-register support isn't available (Phil Sutter) [RHEL-121194] - tests: monitor: Fix regex collecting expected echo output (Phil Sutter) [RHEL-121194] - monitor: Quote device names in chain declarations, too (Phil Sutter) [RHEL-121194] - tools: gitignore nftables.service file (Phil Sutter) [RHEL-121194] - parser_bison: remove leftover utf-8 character in error (Phil Sutter) [RHEL-121194] - Rebase onto version 1.1.5 (Phil Sutter) [RHEL-121194] Resolves: RHEL-121194
57 lines
2.1 KiB
Diff
57 lines
2.1 KiB
Diff
From 0550a1f430aa42cc4195adb3ac505d515d570a3a Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <psutter@redhat.com>
|
|
Date: Thu, 20 Nov 2025 20:10:59 +0100
|
|
Subject: [PATCH] optimize: Fix verdict expression comparison
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-121194
|
|
Upstream Status: nftables commit 695ee5a8b174f86e2e64786530147e56d8d27f19
|
|
|
|
commit 695ee5a8b174f86e2e64786530147e56d8d27f19
|
|
Author: Phil Sutter <phil@nwl.cc>
|
|
Date: Wed Oct 22 14:03:37 2025 +0200
|
|
|
|
optimize: Fix verdict expression comparison
|
|
|
|
In verdict expression, 'chain' points at a constant expression of
|
|
verdict_type, not a symbol expression. Therefore 'chain->identifier'
|
|
points eight bytes (on 64bit systems) into the mpz_t 'value' holding the
|
|
chain name. This matches the '_mp_d' data pointer, so works by accident.
|
|
|
|
Fix this by copying what verdict_jump_chain_print() does and export
|
|
chain names before comparing.
|
|
|
|
Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure")
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
---
|
|
src/optimize.c | 11 ++++++++---
|
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/optimize.c b/src/optimize.c
|
|
index 40756ce..ffad525 100644
|
|
--- a/src/optimize.c
|
|
+++ b/src/optimize.c
|
|
@@ -341,13 +341,18 @@ static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b,
|
|
|
|
static bool expr_verdict_eq(const struct expr *expr_a, const struct expr *expr_b)
|
|
{
|
|
+ char chain_a[NFT_CHAIN_MAXNAMELEN];
|
|
+ char chain_b[NFT_CHAIN_MAXNAMELEN];
|
|
+
|
|
if (expr_a->verdict != expr_b->verdict)
|
|
return false;
|
|
if (expr_a->chain && expr_b->chain) {
|
|
- if (expr_a->chain->etype != expr_b->chain->etype)
|
|
+ if (expr_a->chain->etype != EXPR_VALUE ||
|
|
+ expr_a->chain->etype != expr_b->chain->etype)
|
|
return false;
|
|
- if (expr_a->chain->etype == EXPR_VALUE &&
|
|
- strcmp(expr_a->chain->identifier, expr_b->chain->identifier))
|
|
+ expr_chain_export(expr_a->chain, chain_a);
|
|
+ expr_chain_export(expr_b->chain, chain_b);
|
|
+ if (strcmp(chain_a, chain_b))
|
|
return false;
|
|
} else if (expr_a->chain || expr_b->chain) {
|
|
return false;
|