@@ -38,6 +38,8 @@ static bool __expr_cmp(const struct expr *expr_a, const struct expr *expr_b)
{
if (expr_a->etype != expr_b->etype)
return false;
+ if (expr_a->len != expr_b->len)
+ return false;
switch (expr_a->etype) {
case EXPR_PAYLOAD:
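Review bot: The new `len` comparison ahead of the `switch` in `__expr_cmp()` has no comment, and the reason for it is only recoverable from the commit message. For a packet filter the distinction matters, because two raw payload matches with different lengths select different packets, so merging them would change what the ruleset drops. I would put `/* same base and offset but a different length is a different match: never merge */` above the check. The function body continues past the end of this hunk, so I am inferring from the commit message that the `EXPR_PAYLOAD` case does not compare length itself.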
new file mode 100755
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ type filter hook prerouting priority raw; policy accept;
+ @th,160,32 0x02736c00 drop comment \"sl\"
+ @th,160,112 0x870697a7a6173656f03636f6d00 drop comment \"pizzaseo.com\"
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
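Review bot: The test only shows that `$NFT -o -f -` accepts the ruleset; nothing checks that the two `@th,160,...` rules are still separate afterwards, so a regression that merges them without erroring would pass. Unless an expected-ruleset dump is added outside this patch, compare the output of `$NFT list ruleset` against the two expected rules after loading. The here-string operand should also be quoted, `$NFT -o -f - <<< "$RULESET"`, because older bash releases word-split an unquoted here-string and flatten its newlines.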
Do not merge raw payload expressions with different length. Other expressions rely on key comparison, which is assumed to have the same length already. Fixes: 60dcc01d6351 ("optimize: add __expr_cmp()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/optimize.c | 2 ++ .../testcases/optimizations/nomerge_raw_payload | 13 +++++++++++++ 2 files changed, 15 insertions(+) create mode 100755 tests/shell/testcases/optimizations/nomerge_raw_payload