From: Florian Westphal <fw@strlen.de>
Date: Sun, 7 May 2017 02:04:10 +0000 (+0200)
Subject: netlink_delink_delinearize: don't store dependency unless relop checks is eq check
X-Git-Tag: v0.8~170
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=723c4222b8771a5474307596dd4c09dbe428607b;p=thirdparty%2Fnftables.git

netlink_delink_delinearize: don't store dependency unless relop checks is eq check

'ip protocol ne 6' is not a dependency for nexthdr protocol, and must
not be stored as such.

Fixes: 0b858391781ba308 ("src: annotate follow up dependency just after killing another")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index a65a97da8..f0288cd49 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1332,7 +1332,7 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
 			payload_dependency_store(&ctx->pdctx, nstmt, base - stacked);
 		} else {
 			payload_dependency_kill(&ctx->pdctx, nexpr->left);
-			if (left->flags & EXPR_F_PROTOCOL)
+			if (expr->op == OP_EQ && left->flags & EXPR_F_PROTOCOL)
 				payload_dependency_store(&ctx->pdctx, nstmt, base - stacked);
 		}
 	}