On Mon, Feb 01, 2021 at 10:50:04PM +0100, Florian Westphal wrote:
> nft is too greedy when removing icmp dependencies.
> 'icmp code 1 type 2' did remove the type when printing.
>
> Be more careful and check that the icmp type dependency of the
> candidate expression (earlier icmp payload expression) has the same
> type dependency as the new expression.
>
> Reported-by: Eric Garver <eric@xxxxxxxxxxx>
> Reported-by: Michael Biebl <biebl@xxxxxxxxxx>
> Fixes: d0f3b9eaab8d77e ("payload: auto-remove simple icmp/icmpv6 dependency expressions")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---

Tested-by: Eric Garver <eric@xxxxxxxxxxx>

Thanks Florian. This fixes the issue [1] reported against firewalld.

[1]: https://github.com/firewalld/firewalld/issues/752

--->8---

--- - 2021-02-01 16:02:58.854101473 +0000 +++ /tmp/autopkgtest.PRXtPH/build.yiS/src/src/tests/testsuite.dir/at-groups/97/stdout 2021-02-01 16:02:58.846718150 +0000 @@ -1,6 +1,6 @@ table inet firewalld { chain filter_IN_public_deny { -icmp type destination-unreachable icmp code host-prohibited reject with icmpx type admin-prohibited +icmp code host-prohibited reject with icmpx type admin-prohibited } }
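
Review bot: the `-`/`+` pair in this hunk has the type match listed before the code match (`icmp type destination-unreachable icmp code host-prohibited`), whereas the example in the commit message is 'icmp code 1 type 2', with the code first. A regression test for the fix should cover both orderings, checking that the listed rule keeps its `icmp type` match next to `icmp code` in each case, so the check does not rest on firewalld's testsuite alone.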