From 6454d7dc89f83920cd08606fdff43358c7e64a53 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 8 May 2018 10:15:11 +0200
Subject: ebtables-translate: suppress redundant protocols

kernel would reject ip, ip6 etc. without -p ip, -p ip6. So add it.

On reverse, search the match list to decide if -p has to be translated or not. Also, icmp and icmpv6 also imply l3 protocol, so no need to translate that either.

Signed-off-by: Florian Westphal
---
 iptables/nft-bridge.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

(limited to 'iptables/nft-bridge.c')

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index bf8949a5..fb19fea3 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -650,9 +650,26 @@ static int nft_bridge_xlate(const void *data, struct xt_xlate *xl)
 cs->eb.invflags & EBT_ILOGICALOUT);
 
 if ((cs->eb.bitmask & EBT_NOPROTO) == 0) {
- xt_xlate_add(xl, "ether type %s 0x%x ",
- cs->eb.invflags & EBT_IPROTO ? "!= " : "",
- ntohs(cs->eb.ethproto));
+ const char *implicit = NULL;
+
+ switch (ntohs(cs->eb.ethproto)) {
+ case ETH_P_IP:
+ implicit = "ip";
+ break;
+ case ETH_P_IPV6:
+ implicit = "ip6";
+ break;
+ case ETH_P_8021Q:
+ implicit = "vlan";
+ break;
+ default:
+ break;
+ }
+
+ if (!implicit || !xlate_find_match(cs, implicit))
+ xt_xlate_add(xl, "ether type %s 0x%x ",
+ cs->eb.invflags & EBT_IPROTO ? "!= " : "",
+ ntohs(cs->eb.ethproto));
 }
 
 if (cs->eb.bitmask & EBT_802_3)
-- 
cgit v1.2.3
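Review bot: The suppression on the `if (!implicit || !xlate_find_match(cs, implicit))` line does not look at `EBT_IPROTO`, so a rule carrying ethproto `ETH_P_IP` with the protocol inverted and an `ip` match in its list would lose the `ether type != 0x800` clause entirely rather than having it emitted, turning a negated protocol into no protocol constraint in the translated output. The extensions' own final checks presumably reject that combination before translation reaches this point, but nothing in the hunk shows that, and an explicit guard is cheaper than relying on it: `if (!implicit || (cs->eb.invflags & EBT_IPROTO) || !xlate_find_match(cs, implicit))`. A one-line comment above the switch, such as `/* these ethertypes are implied by the named match; only emit "ether type" when that match is absent */`, would also make the intent of the lookup visible to the next reader. The enclosing nft_bridge_xlate starts and ends outside this hunk, and the exact lookup semantics of xlate_find_match are inferred from its name rather than visible here.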