| Message ID | 20180327115331.916-1-fw@strlen.de |
|---|---|
| State | Accepted |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | [nft] payload: don't remove icmp family dependency in special cases | expand |
Hi Florian, On Tue, 27 Mar 2018, Florian Westphal wrote: > When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we > erronously removed the dependency, i.e. "lis ruleset" shows > > table ip6 filter { chain output { > type filter hook output priority 0; policy accept; > icmp type destination-unreachable > } } > > but that won't restore because of ip vs ipv6 conflict. > > After this patch, this lists as > > meta l4proto icmp icmp type destination-unreachable Just a general comment, independently from the patch: I fully understand that technically this is the expression to be used. But it's highly error prone and also difficult to read. The language could be made more readable by allowing (and by default printing) a comma between the expression parts, like this: meta l4proto icmp, icmp type destination-unreachable Just a suggestion. Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/src/payload.c b/src/payload.c index 09665a0..34202d1 100644 --- a/src/payload.c +++ b/src/payload.c @@ -467,6 +467,15 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx, * IPv6 for the bridge, inet and netdev families. */ switch (family) { + case NFPROTO_IPV4: + case NFPROTO_IPV6: + if (expr->payload.desc == &proto_icmp && + family != NFPROTO_IPV4) + return false; + if (expr->payload.desc == &proto_icmp6 && + family != NFPROTO_IPV6) + return false; + break; case NFPROTO_BRIDGE: case NFPROTO_NETDEV: case NFPROTO_INET:
When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we erronously removed the dependency, i.e. "lis ruleset" shows table ip6 filter { chain output { type filter hook output priority 0; policy accept; icmp type destination-unreachable } } but that won't restore because of ip vs ipv6 conflict. After this patch, this lists as meta l4proto icmp icmp type destination-unreachable instead. We still remove the dependency in "ip" family. Same applies to icmpv6-in-ip. Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> --- I will commit a 2nd patch to take care of test suite too. src/payload.c | 9 +++++++++ 1 file changed, 9 insertions(+)