payload: don't remove icmp family dependency in special cases

When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we
erronously removed the dependency, i.e. "lis ruleset" shows

table ip6 filter { chain output {
		type filter hook output priority 0; policy accept;
		icmp type destination-unreachable
} }

but that won't restore because of ip vs ipv6 conflict.

After this patch, this lists as

 meta l4proto icmp icmp type destination-unreachable

instead.  We still remove the dependency in "ip" family.

Same applies to icmpv6-in-ip.

Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/payload.c b/src/payload.c
index 09665a0e815689111a23415bf608ac28a1c4915c..34202d1809ef4e5c0f60af32abf4d44b094a60e5 100644 (file)
--- a/src/payload.c
+++ b/src/payload.c
@@ -467,6 +467,15 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
         * IPv6 for the bridge, inet and netdev families.
         */
        switch (family) {
+       case NFPROTO_IPV4:
+       case NFPROTO_IPV6:
+               if (expr->payload.desc == &proto_icmp &&
+                   family != NFPROTO_IPV4)
+                       return false;
+               if (expr->payload.desc == &proto_icmp6 &&
+                   family != NFPROTO_IPV6)
+                       return false;
+               break;
        case NFPROTO_BRIDGE:
        case NFPROTO_NETDEV:
        case NFPROTO_INET: