michael-...@fami-braun.de <michael-...@fami-braun.de> wrote:
> From: "M. Braun" <michael-...@fami-braun.de>
> 
> Given the following bridge rules:
> 1. ip protocol icmp accept
> 2. ether type vlan vlan type ip ip protocol icmp accept
> 
> They are currently both dumped by "nft list ruleset" as
> 1. ip protocol icmp accept
> 2. ip protocol icmp accept

Yes, that's a bug, the dependency removal is incorrect.

> +++ b/src/payload.c
> @@ -506,6 +506,18 @@ static bool payload_may_dependency_kill(struct 
> payload_dep_ctx *ctx,
>                    dep->left->payload.desc == &proto_ip6) &&
>                   expr->payload.base == PROTO_BASE_TRANSPORT_HDR)
>                       return false;
> +             /* Do not kill
> +              *  ether type vlan and vlan type ip and ip protocol icmp
> +              * into
> +              *  ip protocol icmp
> +              * as this lacks ether type vlan.
> +              * More generally speaking, do not kill protocol type
> +              * for stacked protocols if we only have protcol type matches.
> +              */
> +             if (dep->left->etype == EXPR_PAYLOAD && dep->op == OP_EQ &&
> +                 expr->flags & EXPR_F_PROTOCOL &&
> +                 expr->payload.base == dep->left->payload.base)
> +                     return false;
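Review bot: the new condition only tests `expr->flags & EXPR_F_PROTOCOL`, while the comment above it says the kill is suppressed "if we only have protocol type matches", which reads as applying to both sides; either the comment should state that the dependency side (`dep->left`) is a protocol-type match by construction, or the condition should check that as well, so the next person touching this does not widen it by accident. Two smaller points in the same hunk: wrap the bitwise test in its own parentheses, `(expr->flags & EXPR_F_PROTOCOL) &&`, to match the parenthesised sub-conditions just above it rather than relying on `&` binding tighter than `&&`, and fix the comment typo "protcol" to "protocol".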

Can you please add a test case for this problem to
tests/py/bridge/vlan.t so we catch this when messing with dependency
handling in the future?

Also, please submit v2 directly to netfilter-devel@.

Thanks!
