diff options
| author | Florian Westphal <fw@strlen.de> | 2017-05-07 01:09:19 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2017-05-18 18:15:06 +0200 |
| commit | 3f0324f0a2a727fe4b86333306634a78593ccb80 (patch) | |
| tree | e410a3f967c9f41f210bb53ab8f91f33f9a93deb | |
| parent | 50323910f2214de6fa333c3bf0c1452842b5a924 (diff) | |
netlink_delinearize: reject: remove dependency for tcp-resets
We can remove a l4 dependency in ip/ipv6 families.
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | src/netlink_delinearize.c | 6 | ||||
| -rw-r--r-- | tests/py/ip6/reject.t | 2 |
2 files changed, 7 insertions, 1 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index f0288cd4..49dc6a60 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1856,10 +1856,16 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx) case NFPROTO_IPV4: stmt->reject.family = rctx->pctx.family; stmt->reject.expr->dtype = &icmp_code_type; + if (stmt->reject.type == NFT_REJECT_TCP_RST) + __payload_dependency_kill(&rctx->pdctx, + PROTO_BASE_TRANSPORT_HDR); break; case NFPROTO_IPV6: stmt->reject.family = rctx->pctx.family; stmt->reject.expr->dtype = &icmpv6_code_type; + if (stmt->reject.type == NFT_REJECT_TCP_RST) + __payload_dependency_kill(&rctx->pdctx, + PROTO_BASE_TRANSPORT_HDR); break; case NFPROTO_INET: if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) { diff --git a/tests/py/ip6/reject.t b/tests/py/ip6/reject.t index 7d21aa8e..de09fd97 100644 --- a/tests/py/ip6/reject.t +++ b/tests/py/ip6/reject.t @@ -9,7 +9,7 @@ reject with icmpv6 type addr-unreachable;ok reject with icmpv6 type port-unreachable;ok;reject reject with icmpv6 type policy-fail;ok reject with icmpv6 type reject-route;ok -reject with tcp reset;ok;ip6 nexthdr 6 reject with tcp reset +reject with tcp reset;ok reject with icmpv6 type host-unreachable;fail reject with icmp type host-unreachable;fail |