netlink_delinerize: remove network header dep for reject statement also in bridge family

add rule bridge test-bridge input reject with icmp type ...

is shown as

ether type ip reject type ...

i.e., the dependency is not removed.

Allow dependency removal -- this adds a problem where some icmp types
will be shortened to 'reject', losing the icmp ipv4 dependency.

Next patch resolves this problem by disabling short-hand abbreviations
for bridge reject statements.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 4 insertions, 0 deletions

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 1f63d9d5..4d720d29 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2217,6 +2217,10 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 		default:
 			break;
 		}
+
+		if (payload_dependency_exists(&rctx->pdctx, PROTO_BASE_NETWORK_HDR))
+			payload_dependency_release(&rctx->pdctx);
+
 		break;
 	default:
 		break;