payload: don't remove icmp family dependency in special cases

When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we erronously removed the dependency, i.e. "lis ruleset" shows table ip6 filter { chain output { type filter hook output priority 0; policy accept; icmp type destination-unreachable } } but that won't restore because of ip vs ipv6 conflict. After this patch, this lists as meta l4proto icmp icmp type destination-unreachable instead. We still remove the dependency in "ip" family. Same applies to icmpv6-in-ip. Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2018-03-27 10:18:18 +0200
committer: Florian Westphal <fw@strlen.de> 2018-03-27 12:13:21 +0200
commit: 126706c23c0458b07d54550dc27561b30f8a43f2 (patch)
tree: 6376c2007c5fe725d21219faf3f01e8501dbb222 /src/payload.c
parent: debb5c542918492545ca3243b49afeb0bde83609 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/src/payload.c b/src/payload.c
index 09665a0e..34202d18 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -467,6 +467,15 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
 	 * IPv6 for the bridge, inet and netdev families.
 	 */
 	switch (family) {
+	case NFPROTO_IPV4:
+	case NFPROTO_IPV6:
+		if (expr->payload.desc == &proto_icmp &&
+		    family != NFPROTO_IPV4)
+			return false;
+		if (expr->payload.desc == &proto_icmp6 &&
+		    family != NFPROTO_IPV6)
+			return false;
+		break;
 	case NFPROTO_BRIDGE:
 	case NFPROTO_NETDEV:
 	case NFPROTO_INET:
author	Florian Westphal <fw@strlen.de>	2018-03-27 10:18:18 +0200
committer	Florian Westphal <fw@strlen.de>	2018-03-27 12:13:21 +0200
commit	126706c23c0458b07d54550dc27561b30f8a43f2 (patch)
tree	6376c2007c5fe725d21219faf3f01e8501dbb222 /src/payload.c
parent	debb5c542918492545ca3243b49afeb0bde83609 (diff)