authorPablo Neira Ayuso <pablo@netfilter.org>2021-08-26 12:24:37 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2021-08-26 23:08:14 +0200
commit567ea4774e13b1f3b06f42c74b9bd32453d70164 (patch)
tree147e68dc5721430e8089e705b2089057adea848c /src/netlink_delinearize.c
parent058a943cefbdde9aee273115624de27cf15dd3f3 (diff)
netlink_delinearize: incorrect meta protocol dependency kill
meta protocol is meaningful in bridge, netdev and inet families, do not remove this. Fixes: 056aaa3e6dc6 ("netlink_delinearize: Refactor meta_may_dependency_kill()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_delinearize.c')
-rw-r--r--src/netlink_delinearize.c22
1 files changed, 19 insertions, 3 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 5b545701..92617a46 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1993,7 +1993,7 @@ static bool meta_may_dependency_kill(struct payload_dep_ctx *ctx,
const struct expr *expr)
{
struct expr *dep = ctx->pdep->expr;
- uint16_t l3proto;
+ uint16_t l3proto, protocol;
uint8_t l4proto;
if (ctx->pbase != PROTO_BASE_NETWORK_HDR)
@@ -2005,7 +2005,22 @@ static bool meta_may_dependency_kill(struct payload_dep_ctx *ctx,
case NFPROTO_BRIDGE:
break;
default:
- return true;
+ if (dep->left->etype != EXPR_META ||
+ dep->right->etype != EXPR_VALUE)
+ return false;
+
+ if (dep->left->meta.key == NFT_META_PROTOCOL) {
+ protocol = mpz_get_uint16(dep->right->value);
+
+ if (family == NFPROTO_IPV4 &&
+ protocol == ETH_P_IP)
+ return true;
+ else if (family == NFPROTO_IPV6 &&
+ protocol == ETH_P_IPV6)
+ return true;
+ }
+
+ return false;
}
if (expr->left->meta.key != NFT_META_L4PROTO)
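Review bot: The new `default:` branch changes the outcome for every network-header dependency that is not a `meta protocol` match: in the ip/ip6/arp families a `meta nfproto` or payload-based dependency used to be dropped by the unconditional `return true`, and it now survives through one of the two `return false` exits, which the commit message does not mention. If that widening is intended, a short comment above the `if (dep->left->meta.key == NFT_META_PROTOCOL)` test, such as `/* only a meta protocol match that merely restates the table family is implied; any other dependency is kept */`, would stop the next reader from treating it as an oversight. The `if`/`else if` pair that each `return true` can also collapse into a single exit, `return (family == NFPROTO_IPV4 && protocol == ETH_P_IP) || (family == NFPROTO_IPV6 && protocol == ETH_P_IPV6);`, which expresses the same decision without duplicating the return. meta_may_dependency_kill begins before and ends after this hunk.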
@@ -2015,7 +2030,8 @@ static bool meta_may_dependency_kill(struct payload_dep_ctx *ctx,
switch (dep->left->etype) {
case EXPR_META:
- if (dep->left->meta.key != NFT_META_NFPROTO)
+ if (dep->left->meta.key != NFT_META_NFPROTO &&
+ dep->left->meta.key != NFT_META_PROTOCOL)
return true;
break;
case EXPR_PAYLOAD:
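Review bot: Nothing on the inet/netdev/bridge path checks `dep->right->etype == EXPR_VALUE` before the dependency's value is read after this switch, whereas the `default:` branch added in the previous hunk guards that read explicitly; the read itself is below the hunk, so I am inferring it from the `protocol` handling above. Dependencies stored by the delinearizer are presumably always `meta key == value` relations, so this is probably benign today, but hoisting `if (dep->right->etype != EXPR_VALUE) return false;` ahead of `switch (family)` makes both paths agree now that `NFT_META_PROTOCOL` deps also reach the value read, and lets the `default:` branch keep only its `EXPR_META` test. The enclosing function continues past both ends of the hunk.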