netlink_delink_delinearize: don't store dependency unless relop checks is eq check

'ip protocol ne 6' is not a dependency for nexthdr protocol, and must
not be stored as such.

Fixes: 0b858391781ba308 ("src: annotate follow up dependency just after killing another")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index a65a97da89fbab48a869f1a53ceb1007cfd8354d..f0288cd4991428012be0cb1c0df8d467bc3126ee 100644 (file)
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1332,7 +1332,7 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
                        payload_dependency_store(&ctx->pdctx, nstmt, base - stacked);
                } else {
                        payload_dependency_kill(&ctx->pdctx, nexpr->left);
-                       if (left->flags & EXPR_F_PROTOCOL)
+                       if (expr->op == OP_EQ && left->flags & EXPR_F_PROTOCOL)
                                payload_dependency_store(&ctx->pdctx, nstmt, base - stacked);
                }
        }