When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we erronously removed the dependency, i.e. "lis ruleset" shows table ip6 filter { chain output { type filter hook output priority 0; policy accept; icmp type destination-unreachable } } but that won't restore because of ip vs ipv6 conflict. After this patch, this lists as meta l4proto icmp icmp type destination-unreachable instead. We still remove the dependency in "ip" family. Same applies to icmpv6-in-ip. Reported-by: Phil Sutter <phil@xxxxxx> Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- I will commit a 2nd patch to take care of test suite too. src/payload.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/payload.c b/src/payload.c index 09665a0..34202d1 100644 --- a/src/payload.c +++ b/src/payload.c @@ -467,6 +467,15 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx, * IPv6 for the bridge, inet and netdev families. */ switch (family) { + case NFPROTO_IPV4: + case NFPROTO_IPV6: + if (expr->payload.desc == &proto_icmp && + family != NFPROTO_IPV4) + return false; + if (expr->payload.desc == &proto_icmp6 && + family != NFPROTO_IPV6) + return false; + break; case NFPROTO_BRIDGE: case NFPROTO_NETDEV: case NFPROTO_INET: -- 2.14.3 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
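Review bot: the comment that precedes the switch (its tail, "* IPv6 for the bridge, inet and netdev families.", is visible as context) is now out of date and should be extended to document the new NFPROTO_IPV4/NFPROTO_IPV6 cases, i.e. that an icmp match inside an ip6 table (or icmpv6 inside an ip table) keeps its meta l4proto dependency because the shorter listing cannot be restored. A style point on the same hunk: inside those two case labels family is already known to be either NFPROTO_IPV4 or NFPROTO_IPV6, so each "family != ..." comparison is only ever true for the other family; splitting the block into two labels, NFPROTO_IPV4 returning false when expr->payload.desc == &proto_icmp6 and NFPROTO_IPV6 returning false when it is &proto_icmp, would state the intent directly and drop the redundant comparisons. The test-suite update the cover text defers to a second patch should be referenced here so the two land together.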