instead just let the eval loop continue with remaining expressions, if any. This allows to catch non-matching packets in the same rule, e.g.: ip protocol vmap { tcp : jump tcp_tests, udp : jump udp_tests } counter jump other
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 net/netfilter/nft_lookup.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 227b2b15a19c..2d7c560343da 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -37,15 +37,19 @@ void nft_lookup_eval(const struct nft_expr *expr,
 found = set->ops->lookup(nft_net(pkt), set, ®s->data[priv->sreg], &ext) ^ priv->invert;
- if (!found) {
- regs->verdict.code = NFT_BREAK;
- return;
- }
- if (set->flags & NFT_SET_MAP)
- nft_data_copy(®s->data[priv->dreg],
- nft_set_ext_data(ext), set->dlen);
+ if (set->flags & NFT_SET_MAP) {
+ if (!found) {
+ if (priv->dreg != NFT_REG_VERDICT)
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ nft_data_copy(®s->data[priv->dreg],
+ nft_set_ext_data(ext), set->dlen);
+ } else if (!found) {
+ regs->verdict.code = NFT_BREAK;
+ }
 }
 static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
-- 2.19.2
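Review bot: The rewritten block assigns `regs->verdict.code = NFT_BREAK` in two separate branches and buries the early return inside the map branch, where the original single `if (!found)` shape would still express the new rule with one condition, `if (!(set->flags & NFT_SET_MAP) || priv->dreg != NFT_REG_VERDICT)`. The verdict-map no-match path now returns without writing the verdict register at all, so it relies on the caller having reset `regs->verdict.code` to NFT_CONTINUE before this expression ran, which is not visible in nft_lookup_eval itself and deserves a comment at that return. The map branch also appears to assume the invert flag is rejected for maps at init time, because `nft_set_ext_data(ext)` is only meaningful when the lookup actually matched; worth confirming that check still holds. nft_lookup_eval's signature and the declaration of `found` precede the hunk.
```c
	/* … unchanged: set->ops->lookup() call … */
	if (!found) {
		/*
		 * A verdict map with no match leaves regs->verdict.code
		 * untouched (expected to be NFT_CONTINUE on entry) so the
		 * rule's remaining expressions still run; every other
		 * lookup miss breaks the rule as before.
		 */
		if (!(set->flags & NFT_SET_MAP) || priv->dreg != NFT_REG_VERDICT)
			regs->verdict.code = NFT_BREAK;
		return;
	}

	if (set->flags & NFT_SET_MAP)
		nft_data_copy(&regs->data[priv->dreg],
			      nft_set_ext_data(ext), set->dlen);
```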