Hi,

The following patchset contains a batch with fixes/improvements for
-o/--optimize.

1) Fix statement comparison, leading to incorrect rule matching to be merged.

2) Do not merge rules using set reference.

3) Do not print stateful information, e.g. counter packets 0 bytes 0

4) Drop comments when merging.

5) Fix reject statement comparison.

6) Do not fully compare verdict statement, otherwise statement vs rule
   matrix gets multiple occurrences of this statement.

7) Add missing expressions used in relationals: osf, xfrm, fib, numgen, hash.

8) Add binary expression support.

9) Add unsupported statement, to avoid merging rules with statements that
   are not yet supported.

10) Only merge relationals with OP_IMPLICIT and OP_EQ.

11) Assume verdict is the same when rule specifies no verdict.

12) Remove support for limit statement, not actually supported yet.
    Merging rules with the limit statement requires a new class of
    transformation not yet supported.

13) Release top level scope to avoid a bogus variable redefinition error
    when using -c and -o.

And many new tests.

This infrastructure is new code, please help testing and reporting bugs
by running it on your existing rulesets.

Thanks.

Pablo Neira Ayuso (18):
  optimize: do not compare relational expression rhs when collecting statements
  optimize: do not merge rules with set reference in rhs
  optimize: do not print stateful information
  optimize: remove comment after merging
  optimize: fix reject statement
  optimize: fix verdict map merging
  optimize: add osf expression support
  optimize: add xfrm expression support
  optimize: add fib expression support
  optimize: add binop expression support
  optimize: add numgen expression support
  optimize: add hash expression support
  optimize: add unsupported statement
  tests: shell: run -c -o on ruleset
  optimize: only merge OP_IMPLICIT and OP_EQ relational
  optimize: assume verdict is same when rules have no verdict
  optimize: limit statement is not supported yet
  libnftables: release top level scope

 src/libnftables.c                             |   2 +
 src/optimize.c                                | 205 ++++++++++++++----
 .../optimizations/dumps/merge_reject.nft      |  13 ++
 .../optimizations/dumps/skip_merge.nft        |  23 ++
 .../optimizations/dumps/skip_non_eq.nft       |   6 +
 .../optimizations/dumps/skip_unsupported.nft  |   7 +
 .../testcases/optimizations/merge_reject      |  26 +++
 .../shell/testcases/optimizations/merge_stmts |   6 +-
 tests/shell/testcases/optimizations/ruleset   | 168 ++++++++++++++
 .../shell/testcases/optimizations/skip_merge  |  34 +++
 .../shell/testcases/optimizations/skip_non_eq |  12 +
 .../testcases/optimizations/skip_unsupported  |  14 ++
 tests/shell/testcases/optimizations/variables |  15 ++
 13 files changed, 488 insertions(+), 43 deletions(-)
 create mode 100644 tests/shell/testcases/optimizations/dumps/merge_reject.nft
 create mode 100644 tests/shell/testcases/optimizations/dumps/skip_merge.nft
 create mode 100644 tests/shell/testcases/optimizations/dumps/skip_non_eq.nft
 create mode 100644 tests/shell/testcases/optimizations/dumps/skip_unsupported.nft
 create mode 100755 tests/shell/testcases/optimizations/merge_reject
 create mode 100755 tests/shell/testcases/optimizations/ruleset
 create mode 100755 tests/shell/testcases/optimizations/skip_merge
 create mode 100755 tests/shell/testcases/optimizations/skip_non_eq
 create mode 100755 tests/shell/testcases/optimizations/skip_unsupported
 create mode 100755 tests/shell/testcases/optimizations/variables

--
2.30.2