author | Michael Braun <michael-dev@fami-braun.de> | 2020-05-06 11:46:24 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-05-28 00:04:44 +0200 |
commit | 8615ed93f6e4c4b105525f033b927b510469b987 (patch) | |
tree | 064dd3adc997e0a3c3d494b97d9dfa1146250856 | |
parent | 2a20b5bdbde8a1b510f75b1522772b07e51a77d7 (diff) |
evaluate: enable reject with 802.1q
This enables the use of nft bridge reject with bridge vlan filtering.
It depends on a kernel patch to make the kernel preserve the
vlan id in nft bridge reject generation.
[ pablo: update tests/py ]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/evaluate.c | 2 | ||||
-rw-r--r-- | tests/py/bridge/reject.t | 8 | ||||
-rw-r--r-- | tests/py/bridge/reject.t.payload | 20 |
3 files changed, 24 insertions, 6 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 506f2c6a..985ae4fe 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2616,7 +2616,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
  const struct proto_desc *desc;
  desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
- if (desc != &proto_eth)
+ if (desc != &proto_eth && desc != &proto_vlan)
  return stmt_binary_error(ctx, &ctx->pctx.protocol[PROTO_BASE_LL_HDR], stmt, "unsupported link layer protocol");
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index ee7e93c8..f5ed2038 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -30,15 +30,13 @@ reject with icmpx type port-unreachable;ok;reject
 ether type ipv6 reject with icmp type host-unreachable;fail
 ether type ip6 reject with icmp type host-unreachable;fail
 ether type ip reject with icmpv6 type no-route;fail
-ether type vlan reject;fail
+ether type vlan reject;ok
 ether type arp reject;fail
-ether type vlan reject;fail
-ether type arp reject;fail
-ether type vlan reject with tcp reset;fail
+ether type vlan reject with tcp reset;ok
 ether type arp reject with tcp reset;fail
 ip protocol udp reject with tcp reset;fail
 ether type ip reject with icmpx type admin-prohibited;ok
 ether type ip6 reject with icmpx type admin-prohibited;ok
-ether type vlan reject with icmpx type admin-prohibited;fail
+ether type vlan reject with icmpx type admin-prohibited;ok
 ether type arp reject with icmpx type admin-prohibited;fail
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index 0d10547b..7deb6fbf 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
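Review bot: The widened condition on the `+` line admits `proto_vlan` as the link-layer descriptor without any comment, while the commit message says correct behaviour depends on a kernel-side change to preserve the vlan id when the reject is generated; on a kernel without that change, nft will now accept the rule and the reply may go out untagged, which is hard to diagnose from the ruleset alone. A comment above the condition would record the dependency for the next reader: `/* 802.1Q-tagged frames are accepted here; the kernel must preserve the vlan id when it builds the reject reply (see the matching kernel change). */`. The body of stmt_evaluate_reject_bridge continues past the hunk, so any later check on the encapsulated network-layer protocol is not visible here.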
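Review bot: Every new `ok` case in this hunk matches only on `ether type vlan` and leaves the encapsulated protocol unspecified, so the file does not pin what `reject` does for a tagged frame whose inner protocol is rejected for untagged frames (the `ether type arp ... ;fail` cases stay untagged-only). A case along the lines of `ether type vlan vlan type arp reject;fail` would show whether the vlan acceptance added in evaluate.c still enforces the network-layer restriction, assuming the grammar accepts that form. The removal of the duplicated `ether type vlan reject;fail` / `ether type arp reject;fail` pair is fine as is.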
@@ -118,3 +118,23 @@ bridge test-bridge input
  [ cmp eq reg 1 0x0000dd86 ]
  [ reject type 2 code 3 ]
+# ether type vlan reject
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 2 code 1 ]
+
+# ether type vlan reject with tcp reset
+bridge
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 1 code 0 ]
+
+# ether type vlan reject with icmpx type admin-prohibited
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 2 code 3 ]
+