We can remove a l4 dependency in ip/ipv6 families.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
src/netlink_delinearize.c | 6 ++++++
tests/py/ip6/reject.t | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index f0288cd49914..49dc6a6016ba 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1856,10 +1856,16 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
case NFPROTO_IPV4:
stmt->reject.family = rctx->pctx.family;
stmt->reject.expr->dtype = &icmp_code_type;
+ if (stmt->reject.type == NFT_REJECT_TCP_RST)
+ __payload_dependency_kill(&rctx->pdctx,
+ PROTO_BASE_TRANSPORT_HDR);
break;
case NFPROTO_IPV6:
stmt->reject.family = rctx->pctx.family;
stmt->reject.expr->dtype = &icmpv6_code_type;
+ if (stmt->reject.type == NFT_REJECT_TCP_RST)
+ __payload_dependency_kill(&rctx->pdctx,
+ PROTO_BASE_TRANSPORT_HDR);
break;
case NFPROTO_INET:
if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
diff --git a/tests/py/ip6/reject.t b/tests/py/ip6/reject.t
index 7d21aa8ef160..de09fd978418 100644
--- a/tests/py/ip6/reject.t
+++ b/tests/py/ip6/reject.t
@@ -9,7 +9,7 @@ reject with icmpv6 type addr-unreachable;ok
reject with icmpv6 type port-unreachable;ok;reject
reject with icmpv6 type policy-fail;ok
reject with icmpv6 type reject-route;ok
-reject with tcp reset;ok;ip6 nexthdr 6 reject with tcp reset
+reject with tcp reset;ok
reject with icmpv6 type host-unreachable;fail
reject with icmp type host-unreachable;fail
--
2.10.2
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
