evaluate: add ethernet header size offset for implicit vlan dependency
authorFlorian Westphal <fw@strlen.de>
Tue, 27 Sep 2022 12:16:15 +0000 (14:16 +0200)
committerFlorian Westphal <fw@strlen.de>
Thu, 29 Sep 2022 12:59:14 +0000 (14:59 +0200)
'vlan id 1'

must also add an ethernet header dep, else nft fetches the payload from
header offset 0 instead of 14.

Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
src/evaluate.c

index ca6e5883a1f984005dda438b40c53ca6234fe72a..a52867b33be01129697c648b6b231d80cac22e81 100644 (file)
@@ -723,7 +723,25 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr)
 
                rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
                desc = ctx->pctx.protocol[base].desc;
-               goto check_icmp;
+
+               if (desc == expr->payload.desc)
+                       goto check_icmp;
+
+               if (base == PROTO_BASE_LL_HDR) {
+                       int link;
+
+                       link = proto_find_num(desc, payload->payload.desc);
+                       if (link < 0 ||
+                           conflict_resolution_gen_dependency(ctx, link, payload, &nstmt) < 0)
+                               return expr_error(ctx->msgs, payload,
+                                                 "conflicting protocols specified: %s vs. %s",
+                                                 desc->name,
+                                                 payload->payload.desc->name);
+
+                       payload->payload.offset += ctx->pctx.stacked_ll[0]->length;
+                       rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
+                       return 1;
+               }
        }
 
        if (payload->payload.base == desc->base &&
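Review bot: `ctx->pctx.stacked_ll[0]->length` is dereferenced in the new `PROTO_BASE_LL_HDR` branch with no visible check that a link-layer header has actually been stacked; the branch appears to rely on conflict_resolution_gen_dependency() having filled slot 0, which this hunk does not show. Because the rule text that drives this path is user-supplied, a guard before the offset adjustment, e.g. `if (!ctx->pctx.stacked_ll_count) return expr_error(ctx->msgs, payload, "missing link layer dependency");`, would turn a possible NULL dereference into an ordinary evaluation error. Separately, with the unconditional `goto check_icmp` removed, a non-LL base whose `desc` differs from `expr->payload.desc` now falls through the closing brace into the checks below; if that is intended, a one-line comment such as `/* non-LL bases fall through to the conflict check */` would make it explicit. The enclosing function starts and ends outside the hunk.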