author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-14 16:26:50 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-15 16:29:32 +0100 |
commit | 477a2d86c54ee8e1a8426838439e9960f892ac29 (patch) | |
tree | e1b176707b5bb5c82ce50474c5db292ec52c7d89 /src/netlink_delinearize.c | |
parent | a5112cc040f81806ab76d5fa0a34a2cc34da9b84 (diff) |
src: add payload_dependency_exists()
This helper function tells us if there is already a protocol key payload
expression, i.e. those with the EXPR_F_PROTOCOL flag set on, that we might
want to remove since we can infer it from another expression in the upper
protocol base, e.g.
ip protocol tcp tcp dport 22
'ip protocol tcp' can be removed in the ip family since it is redundant,
but not in the netdev, bridge and inet families, where we cannot make
assumptions on the layer 3 protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_delinearize.c')
-rw-r--r-- | src/netlink_delinearize.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 8d11969e..f4b94396 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1407,8 +1407,9 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx,
 left->flags & EXPR_F_PROTOCOL) {
 payload_dependency_store(&ctx->pdctx, ctx->stmt, base);
 } else if (ctx->pdctx.pbase < PROTO_BASE_TRANSPORT_HDR) {
- __payload_dependency_kill(&ctx->pdctx, base,
- ctx->pctx.family);
+ if (payload_dependency_exists(&ctx->pdctx, base))
+ __payload_dependency_kill(&ctx->pdctx,
+ ctx->pctx.family);
 if (left->flags & EXPR_F_PROTOCOL)
 payload_dependency_store(&ctx->pdctx, ctx->stmt, base);
 }
@@ -1870,17 +1871,19 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 case NFPROTO_IPV4:
 stmt->reject.family = rctx->pctx.family;
 stmt->reject.expr->dtype = &icmp_code_type;
- if (stmt->reject.type == NFT_REJECT_TCP_RST)
+ if (stmt->reject.type == NFT_REJECT_TCP_RST &&
+ payload_dependency_exists(&rctx->pdctx,
+ PROTO_BASE_TRANSPORT_HDR))
 __payload_dependency_kill(&rctx->pdctx,
- PROTO_BASE_TRANSPORT_HDR,
 rctx->pctx.family);
 break;
 case NFPROTO_IPV6:
 stmt->reject.family = rctx->pctx.family;
 stmt->reject.expr->dtype = &icmpv6_code_type;
- if (stmt->reject.type == NFT_REJECT_TCP_RST)
+ if (stmt->reject.type == NFT_REJECT_TCP_RST &&
+ payload_dependency_exists(&rctx->pdctx,
+ PROTO_BASE_TRANSPORT_HDR))
 __payload_dependency_kill(&rctx->pdctx,
- PROTO_BASE_TRANSPORT_HDR,
 rctx->pctx.family);
 break;
 case NFPROTO_INET: |
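Review bot: The new guard in ct_meta_common_postprocess wraps a two-line call without braces and is immediately followed by a second `if (left->flags & EXPR_F_PROTOCOL)`, so the scope of the new conditional is easy to misread; I would brace it: `if (payload_dependency_exists(&ctx->pdctx, base)) {` … `}`. The rewritten call also drops the `base` argument that the removed lines passed to `__payload_dependency_kill()`, which only builds if that function's signature changed in a file outside this diffstat (the definition is not shown here), so a one-line comment at the call site would help a reader of this file alone, e.g. `/* the base to drop is the one recorded in pdctx; see payload_dependency_exists() */`. The enclosing function starts before the hunk and continues past it.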
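Review bot: The NFPROTO_IPV4 and NFPROTO_IPV6 arms of stmt_reject_postprocess now each carry the same five-line "check for a transport-header dependency, then kill it" sequence, and the pairing of payload_dependency_exists() with the following __payload_dependency_kill() is an invariant that both copies must keep in sync. A small static helper called from both arms would keep that pairing in one place and give the rationale a single home; it presumably takes the same `stmt` local the hunk already dereferences, whose exact type is not visible here. The switch is cut at both ends of the hunk, so the other arms and the function's prologue are not reviewed.
```c
/* 'reject with tcp reset' already implies a tcp match, so the recorded
 * transport-header dependency is redundant once the statement is seen. */
static void stmt_reject_kill_tcp_dep(struct rule_pp_ctx *rctx,
				     const struct stmt *stmt)
{
	if (stmt->reject.type == NFT_REJECT_TCP_RST &&
	    payload_dependency_exists(&rctx->pdctx, PROTO_BASE_TRANSPORT_HDR))
		__payload_dependency_kill(&rctx->pdctx, rctx->pctx.family);
}

	/* … unchanged: switch prologue … */
	case NFPROTO_IPV4:
		stmt->reject.family = rctx->pctx.family;
		stmt->reject.expr->dtype = &icmp_code_type;
		stmt_reject_kill_tcp_dep(rctx, stmt);
		break;
	case NFPROTO_IPV6:
		stmt->reject.family = rctx->pctx.family;
		stmt->reject.expr->dtype = &icmpv6_code_type;
		stmt_reject_kill_tcp_dep(rctx, stmt);
		break;
	/* … unchanged: remaining cases … */
```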