From 126706c23c0458b07d54550dc27561b30f8a43f2 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 27 Mar 2018 10:18:18 +0200
Subject: payload: don't remove icmp family dependency in special cases
When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we erronously removed the dependency, i.e. "lis ruleset" shows table ip6 filter { chain output { type filter hook output priority 0; policy accept; icmp type destination-unreachable } } but that won't restore because of ip vs ipv6 conflict. After this patch, this lists as meta l4proto icmp icmp type destination-unreachable instead. We still remove the dependency in "ip" family. Same applies to icmpv6-in-ip.
Reported-by: Phil Sutter
Signed-off-by: Florian Westphal
---
 src/payload.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'src')
diff --git a/src/payload.c b/src/payload.c
index 09665a0e..34202d18 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -467,6 +467,15 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
 * IPv6 for the bridge, inet and netdev families.
 */
 switch (family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ if (expr->payload.desc == &proto_icmp &&
+ family != NFPROTO_IPV4)
+ return false;
+ if (expr->payload.desc == &proto_icmp6 &&
+ family != NFPROTO_IPV6)
+ return false;
+ break;
 case NFPROTO_BRIDGE:
 case NFPROTO_NETDEV:
 case NFPROTO_INET:
-- cgit v1.2.3
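Review bot: The new NFPROTO_IPV4/NFPROTO_IPV6 arms carry no comment, while the block comment just above the switch only explains the bridge/inet/netdev behaviour, so a reader of the code alone cannot tell why the dependency must be kept for these two combinations. I would add, above `case NFPROTO_IPV4:`, `/* icmp in an ip6 table and icmpv6 in an ip table: keep the l4proto dependency, the bare payload match would not restore in that family. */`, which is what the commit message explains. As a point of style, `family` is already restricted to these two values inside the arm, so each `family != …` test is just a check for the other family; separate `case NFPROTO_IPV4:` (reject `&proto_icmp6`) and `case NFPROTO_IPV6:` (reject `&proto_icmp`) arms would express the same rule with one comparison each. payload_may_dependency_kill starts and ends outside the hunk, and I cannot see from here whether `expr` is the dependency being removed or the expression that relies on it, so the comment wording should be checked against whichever it is.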