payload: fix transport matching with no network layer info in bridge family

 # nft --debug=netlink add rule bridge filter input tcp dport 22
 bridge filter input
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 2b @ transport header + 2 => reg 1 ]
  [ cmp eq reg 1 0x00001600 ]

Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/payload.c b/src/payload.c
index 08578fd86b22eb40d36910a7604751b193959ba2..e67ef17c802435a64916058482562a99677f57c6 100644 (file)
--- a/src/payload.c
+++ b/src/payload.c
@@ -219,6 +219,9 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
                        case PROTO_BASE_LL_HDR:
                                desc = &proto_eth;
                                break;
+                       case PROTO_BASE_TRANSPORT_HDR:
+                               desc = &proto_inet_service;
+                               break;
                        default:
                                break;
                        }