The protocol expression that should be killed when payload parsing isn't the first one but the last one. Look at the result of this command: nft> add rule ip filter input ip protocol != tcp tcp sport 80 drop nft> list table ip filter table ip filter { chain input { type filter hook input priority 0; ip protocol tcp tcp sport http drop } } nft> With this patch, the result is: nft> add rule ip filter input ip protocol != tcp tcp sport 80 drop nft> list table ip filter table ip filter { chain input { type filter hook input priority 0; ip protocol != tcp tcp sport http drop } } nft> Signed-off-by: Yanchuan Nian <ycnian@xxxxxxxxx> --- src/netlink_delinearize.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 195d432..322c7cc 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -671,12 +671,11 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, nstmt = expr_stmt_alloc(&stmt->location, nexpr); list_add_tail(&nstmt->list, &stmt->list); - /* Remember the first payload protocol expression to + /* Remember the last payload protocol expression to * kill it later on if made redundant by a higher layer * payload expression. */ - if (ctx->pbase == PROTO_BASE_INVALID && - left->flags & EXPR_F_PROTOCOL) + if (left->flags & EXPR_F_PROTOCOL) payload_dependency_store(ctx, nstmt, left->payload.base); else -- 1.9.3 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
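Review bot: dropping the `ctx->pbase == PROTO_BASE_INVALID` guard means payload_dependency_store() is now called for every payload expression carrying EXPR_F_PROTOCOL, so each later call overwrites whatever dependency the previous call stored; confirm that the previously stored statement is not leaked and that a rule with two explicit protocol matches and no higher-layer payload expression after them does not get one of them killed. A second consequence worth checking: the condition no longer consults ctx->pbase at all, so the `else` branch (whose body lies outside the hunk) is never reached for a protocol expression once a dependency is already stored; if that branch handled anything for the "already have a base" case, it is now dead for protocol matches. The updated comment matches the new behaviour, but the `ip protocol != tcp tcp sport 80` case from the description is the kind of regression that would be cheap to pin down with a listing test, and the commit message should say explicitly that it is the implicit `ip protocol == tcp` dependency generated for `tcp sport` that is now the one remembered and removed, rather than the user's `!=` match.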