authorFlorian Westphal <fw@strlen.de>2016-03-02 13:56:43 +0100
committerFlorian Westphal <fw@strlen.de>2016-03-02 13:56:43 +0100
commitd63da0cc9620ae4a274fb006f0ca01e1e0ecf4f2 (patch)
tree058107277c3b962fca8388e5b84db472724cac56
parent92a9e83b41dc0a1600aa0af63fe569fcb6277e56 (diff)
evaluate: enforce ip6 proto with exthdr expression
Don't allow use of exthdr with e.g. ip family. Move frag.t to ip6 directory and don't use it with ipv4 anymore. This change causes major test failures for all exthdr users since they now fail with inet/bridge/netdev families. Will be resolved in a later patch -- we need to add an ipv6 dependency for them. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/evaluate.c18
-rw-r--r--tests/py/ip6/frag.t (renamed from tests/py/any/frag.t)4
-rw-r--r--tests/py/ip6/frag.t.payload.ip6 (renamed from tests/py/any/frag.t.payload)56
3 files changed, 45 insertions, 33 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index a49cdd93..47a1f8ca 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -343,6 +343,21 @@ conflict_resolution_gen_dependency(struct eval_ctx *ctx, int protocol,
return 0;
}
+/*
+ * Exthdr expression: check whether dependencies are fulfilled.
+ */
+static int expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **expr)
+{
+ const struct proto_desc *base;
+
+ base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+ if (base == &proto_ip6)
+ return expr_evaluate_primary(ctx, expr);
+
+ return expr_error(ctx->msgs, *expr,
+ "exthdr can only be used with ipv6");
+}
+
/* dependency supersede.
*
* 'inet' is a 'phony' l2 dependeny used by NFPROTO_INET to fulfill network
@@ -1320,8 +1335,9 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
return 0;
case EXPR_VALUE:
return expr_evaluate_value(ctx, expr);
- case EXPR_VERDICT:
case EXPR_EXTHDR:
+ return expr_evaluate_exthdr(ctx, expr);
+ case EXPR_VERDICT:
case EXPR_META:
return expr_evaluate_primary(ctx, expr);
case EXPR_PAYLOAD:
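Review bot: The header comment on expr_evaluate_exthdr says it checks "whether dependencies are fulfilled", but the body only compares the network-layer base descriptor against &proto_ip6 and rejects every other value; it neither generates nor resolves a dependency, so the comment overstates what the function does. A comment that states the actual contract would be more useful: `/* Exthdr expression: only valid once the network header is known to be IPv6; any other (or unset) base protocol is rejected with an error. */`. The unset case matters because a descriptor that is presumably NULL when no network protocol has been established (inet/bridge/netdev) also falls through to the "exthdr can only be used with ipv6" error, which is the behaviour the commit message defers to a later ipv6-dependency patch. The expr_evaluate switch that dispatches to this function in the second hunk starts and ends outside the hunk.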
diff --git a/tests/py/any/frag.t b/tests/py/ip6/frag.t
index 8b5e34ab..56801ed8 100644
--- a/tests/py/any/frag.t
+++ b/tests/py/ip6/frag.t
@@ -1,12 +1,8 @@
:output;type filter hook output priority 0
:ingress;type filter hook ingress device lo priority 0
-*ip;test-ip4;output
*ip6;test-ip6;output
*inet;test-inet;output
-*arp;test-arp;output
-*bridge;test-bridge;output
-*netdev;test-netdev;ingress
frag nexthdr tcp;ok;frag nexthdr 6
frag nexthdr != icmp;ok;frag nexthdr != 1
diff --git a/tests/py/any/frag.t.payload b/tests/py/ip6/frag.t.payload.ip6
index a91ab3fa..f2d04b6b 100644
--- a/tests/py/any/frag.t.payload
+++ b/tests/py/ip6/frag.t.payload.ip6
@@ -1,109 +1,109 @@
# frag nexthdr tcp
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 0 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
# frag nexthdr != icmp
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 0 => reg 1 ]
[ cmp neq reg 1 0x00000001 ]
# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
-set%d test-ip4 3
-set%d test-ip4 0
+set%d test-ip6 3
+set%d test-ip6 0
element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end]
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 0 => reg 1 ]
[ lookup reg 1 set set%d ]
# frag nexthdr esp
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 0 => reg 1 ]
[ cmp eq reg 1 0x00000032 ]
# frag nexthdr ah
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 0 => reg 1 ]
[ cmp eq reg 1 0x00000033 ]
# frag reserved 22
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ cmp eq reg 1 0x00000016 ]
# frag reserved != 233
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ cmp neq reg 1 0x000000e9 ]
# frag reserved 33-45
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ cmp gte reg 1 0x00000021 ]
[ cmp lte reg 1 0x0000002d ]
# frag reserved != 33-45
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ cmp lt reg 1 0x00000021 ]
[ cmp gt reg 1 0x0000002d ]
# frag reserved { 33, 55, 67, 88}
-set%d test-ip4 3
-set%d test-ip4 0
+set%d test-ip6 3
+set%d test-ip6 0
element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end]
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ lookup reg 1 set set%d ]
# frag reserved { 33-55}
-set%d test-ip4 7
-set%d test-ip4 0
+set%d test-ip6 7
+set%d test-ip6 0
element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ lookup reg 1 set set%d ]
# frag id 1
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ cmp eq reg 1 0x01000000 ]
# frag id 22
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ cmp eq reg 1 0x16000000 ]
# frag id != 33
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ cmp neq reg 1 0x21000000 ]
# frag id 33-45
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ cmp gte reg 1 0x21000000 ]
[ cmp lte reg 1 0x2d000000 ]
# frag id != 33-45
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ cmp lt reg 1 0x21000000 ]
[ cmp gt reg 1 0x2d000000 ]
# frag id { 33, 55, 67, 88}
-set%d test-ip4 3
-set%d test-ip4 0
+set%d test-ip6 3
+set%d test-ip6 0
element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end]
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ lookup reg 1 set set%d ]
# frag id { 33-55}
-set%d test-ip4 7
-set%d test-ip4 0
+set%d test-ip6 7
+set%d test-ip6 0
element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-ip test-ip4 output
+ip6 test-ip6 output
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ lookup reg 1 set set%d ]