author | Florian Westphal <fw@strlen.de> | 2018-11-05 17:51:18 +0100 |
committer | Florian Westphal <fw@strlen.de> | 2018-11-12 16:30:22 +0100 |
commit | 5aecb2d8bfdda4a6eea9d93079e33fc414afd8d0 (patch) | |
tree | ccedeeb94711207b6f7fbf81b9841a4a44ba0d19 /iptables/tests | |
parent | 9677ed12a93f165fa9840fd9f8fa183390a3bd04 (diff) |
arptables: pre-init hlen and ethertype
to check -s 1.2.3.4, we need to add the size of the hardware address
to the arp header to obtain the offset where the ipv4 address begins:
base_arphdr
HW_ADDR
IP_ADDR (src)
IP_ADDR (target)
In arptables-classic, the kernel will add dev->addr_len to the
arp header base address to obtain the correct location, but we cannot
do this in nf_tables, at least not at this time (we need a fixed offset
value).
code does:
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ...
but if user did not provide "--h-length 6" argument, then this won't
work even for ethernet, as the payload expression will be told to load
the first 4 bytes of arp header source mac address (sender hw address).
Fix this by pre-initialising arhlen to 6.
We also need to set up arhrd. Otherwise, src/dst mac can't be used:
arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66
arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT
This means that matching won't work for AX25, NETROM etc.; however,
arptables "classic" can't parse non-ethernet addresses, and makes
ETH_ALEN assumptions in several spots, so this should be fine from
a compatibility point of view.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/tests')
-rwxr-xr-x | iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
index 67265c83..73b3b0cf 100755
--- a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
+++ b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
@@ -11,11 +11,12 @@ set -e
$XT_MULTI arptables -F
$XT_MULTI arptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
$XT_MULTI arptables -A INPUT -d 192.168.123.1 -j ACCEPT
-#$XT_MULTI arptables -A INPUT --source-mac fe:ed:ba:be:00:01 -j ACCEPT
-#$XT_MULTI arptables -A INPUT --destination-mac fe:ed:ba:be:00:01 -j ACCEPT
+$XT_MULTI arptables -A INPUT --source-mac fe:ed:ba:be:00:01 -j ACCEPT
+$XT_MULTI arptables -A INPUT --destination-mac fe:ed:ba:be:00:01 -j ACCEPT
$XT_MULTI arptables -N foo
$XT_MULTI arptables -A foo -i lo -j ACCEPT
$XT_MULTI arptables -A foo -l 6 -j ACCEPT
+$XT_MULTI arptables -A foo -j MARK --set-mark 12345
$XT_MULTI arptables -A foo --opcode Request -j ACCEPT
$XT_MULTI arptables -A foo --h-type 1 --proto-type 0x800 -j ACCEPT
$XT_MULTI arptables -A foo -l 6 --h-type 1 --proto-type 0x800 -i lo --opcode Request -j ACCEPT 
@@ -34,18 +35,21 @@ DUMP='*filter
:INPUT ACCEPT
:OUTPUT DROP
:foo -
--A INPUT -s 10.0.0.0/8 -j ACCEPT
--A INPUT -d 192.168.123.1 -j ACCEPT
--A INPUT -j foo
--A INPUT
--A OUTPUT -o lo -j ACCEPT
--A OUTPUT -o eth134 -j mangle --mangle-ip-s 10.0.0.1
--A OUTPUT -o eth432 -j CLASSIFY --set-class feed:babe
--A OUTPUT -o eth432 --opcode 1 -j CLASSIFY --set-class feed:babe
--A foo -i lo -j ACCEPT
--A foo --h-length 6 -j ACCEPT
--A foo --opcode 1 -j ACCEPT
--A foo --h-type 1 --proto-type 0x800 -j ACCEPT
+-A INPUT -s 10.0.0.0/8 --h-length 6 --h-type 1 -j ACCEPT
+-A INPUT -d 192.168.123.1 --h-length 6 --h-type 1 -j ACCEPT
+-A INPUT --src-mac fe:ed:ba:be:00:01 --h-length 6 --h-type 1 -j ACCEPT
+-A INPUT --dst-mac fe:ed:ba:be:00:01 --h-length 6 --h-type 1 -j ACCEPT
+-A INPUT --h-length 6 --h-type 1 -j foo
+-A INPUT --h-length 6 --h-type 1
+-A OUTPUT -o lo --h-length 6 --h-type 1 -j ACCEPT
+-A OUTPUT -o eth134 --h-length 6 --h-type 1 -j mangle --mangle-ip-s 10.0.0.1
+-A OUTPUT -o eth432 --h-length 6 --h-type 1 -j CLASSIFY --set-class feed:babe
+-A OUTPUT -o eth432 --h-length 6 --opcode 1 --h-type 1 -j CLASSIFY --set-class feed:babe
+-A foo -i lo --h-length 6 --h-type 1 -j ACCEPT
+-A foo --h-length 6 --h-type 1 -j ACCEPT
+-A foo --h-length 6 --h-type 1 -j MARK --set-xmark 0x3039/0xffffffff
+-A foo --h-length 6 --opcode 1 --h-type 1 -j ACCEPT
+-A foo --h-length 6 --h-type 1 --proto-type 0x800 -j ACCEPT
-A foo -i lo --h-length 6 --opcode 1 --h-type 1 --proto-type 0x800 -j ACCEPT
' |
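Review bot: The expected dump now carries `--h-length 6 --h-type 1` on every rule, including ones the script adds without either option (`-s 10.0.0.0/8`, `-d 192.168.123.1`, the bare `-A INPUT`), so the test pins the implicit hardware-type/length match the commit introduces, but nothing in the file says why. A comment above the DUMP assignment, whose opening line sits in this hunk's header context, e.g. `# nft backend pre-sets arhln=6/arhrd=1, so every saved rule shows --h-length 6 --h-type 1`, would stop a later reader from "fixing" the expected output back. It is also worth stating there that a ruleset written for arptables-classic gains these Ethernet-only matches on restore, which is the compatibility trade-off the commit message describes. The same comment covers the `--source-mac`/`--destination-mac` inputs re-enabled in the first hunk, which the dump shows under their `--src-mac`/`--dst-mac` spellings.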