From ea046380431f5cc623daf8c9d7b2c5438a90a84f Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 18 Jun 2019 20:43:57 +0200
Subject: netlink_delinerize: remove network header dep for reject statement also in bridge family add rule bridge test-bridge input reject with icmp type ... is shown as ether type ip reject type ... i.e., the dependency is not removed. Allow dependency removal -- this adds a problem where some icmp types will be shortened to 'reject', losing the icmp ipv4 dependency. Next patch resolves this problem by disabling short-hand abbreviations for bridge reject statements.
Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
---
 src/netlink_delinearize.c | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'src/netlink_delinearize.c')
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 1f63d9d5..4d720d29 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2217,6 +2217,10 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 default:
 break;
 }
+
+ if (payload_dependency_exists(&rctx->pdctx, PROTO_BASE_NETWORK_HDR))
+ payload_dependency_release(&rctx->pdctx);
+
 break;
 default:
 break;
-- cgit v1.2.3
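Review bot: The added release runs after the inner switch no matter which arm was taken, so it also fires after the `default: break;` arm visible just above it, where presumably no reject family was derived from the network-layer protocol. In that case the listed rule would drop a network-header match that nothing else in the statement implies, and a listing that is broader than the installed ruleset is a hazard when the output is audited or reloaded. Consider doing the release only in the arms that resolve the protocol, or guarding it on the family having been set, and add a comment above the `if` such as `/* reject family already implies the network header match */`. The switch arms and the rest of stmt_reject_postprocess lie outside this hunk, so what each arm sets is inferred rather than seen.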