git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Sun, 16 Mar 2025 13:10:26 +0000 (14:10 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 31 Jul 2025 22:54:28 +0000 (00:54 +0200)
commit	58ca69f04b3fb73aa8cc580a46de957400ad9064
tree	06ac86be05e09dbedbe3000a3c50bb2ab0e18634	tree \| snapshot
parent	85a0f65b442c3d9264c42c29347e5b4e434a5e78	commit \| diff

netlink_delinerize: add more restrictions on meta nfproto removal

commit 7b3ee497040ff8efb131c566e1c6b466e16f45cc upstream.

We can't remove 'meta nfproto' dependencies for all cases.
Its removed for ip/ip6 families, this works fine.

But for others, e.g. inet, removal is not as simple.
For example

meta nfproto ipv4 ct protocol tcp

is listed as 'ct protocol tcp', even when this is uses in the inet
table.

Meta L4PROTO removal checks were correct, but refactor this
into a helper function to split meta/ct checks from the common
calling function.

Ct check was lacking, we need to examine ct keys more closely
to figure out if they need to retain the network protocol depenency
or not. Elide for NFT_CT_SRC/DST and its variants, as those imply
the network protocol to use, all others must keep it as-is.

Also extend test coverage for this.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1783
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/ct.c		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history
tests/py/inet/ct.t		diff \| blob \| blame \| history
tests/py/inet/ct.t.json		diff \| blob \| blame \| history
tests/py/inet/ct.t.payload		diff \| blob \| blame \| history