git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Sun, 16 Mar 2025 13:10:26 +0000 (14:10 +0100)
committer	Florian Westphal <fw@strlen.de>
	Thu, 20 Mar 2025 08:27:00 +0000 (09:27 +0100)
commit	7b3ee497040ff8efb131c566e1c6b466e16f45cc
tree	88d849770230591a00161972d48d68e1fd57ca03	tree \| snapshot
parent	a1bb1814148c5011d50cb566a92b3b30fff118b0	commit \| diff

netlink_delinerize: add more restrictions on meta nfproto removal

We can't remove 'meta nfproto' dependencies for all cases.
Its removed for ip/ip6 families, this works fine.

But for others, e.g. inet, removal is not as simple.
For example

meta nfproto ipv4 ct protocol tcp

is listed as 'ct protocol tcp', even when this is uses in the inet
table.

Meta L4PROTO removal checks were correct, but refactor this
into a helper function to split meta/ct checks from the common
calling function.

Ct check was lacking, we need to examine ct keys more closely
to figure out if they need to retain the network protocol depenency
or not. Elide for NFT_CT_SRC/DST and its variants, as those imply
the network protocol to use, all others must keep it as-is.

Also extend test coverage for this.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1783
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/ct.c		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history
tests/py/inet/ct.t		diff \| blob \| blame \| history
tests/py/inet/ct.t.json		diff \| blob \| blame \| history
tests/py/inet/ct.t.payload		diff \| blob \| blame \| history