Re: [PATCH nft 2/2] payload: check icmp dependency before removing previous icmp expression

On 02.02.21 at 14:21, Eric Garver wrote:
> On Mon, Feb 01, 2021 at 10:50:04PM +0100, Florian Westphal wrote:
>> nft is too greedy when removing icmp dependencies.
>> 'icmp code 1 type 2' did remove the type when printing.
>>
>> Be more careful and check that the icmp type dependency of the
>> candidate expression (earlier icmp payload expression) has the same
>> type dependency as the new expression.
>>
>> Reported-by: Eric Garver <eric@xxxxxxxxxxx>
>> Reported-by: Michael Biebl <biebl@xxxxxxxxxx>
>> Fixes: d0f3b9eaab8d77e ("payload: auto-remove simple icmp/icmpv6 dependency expressions")
>> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
>> ---
>
> Tested-by: Eric Garver <eric@xxxxxxxxxxx>
>
> Thanks Florian. This fixes the issue [1] reported against firewalld.
>
> [1]: https://github.com/firewalld/firewalld/issues/752

I can confirm that as well.


Regards,
Michael
