authorPhil Sutter <phil@nwl.cc>2021-01-26 17:06:33 +0100
committerPhil Sutter <phil@nwl.cc>2021-01-27 17:21:25 +0100
commita206f22bdbd03a9c8dcf2f98e3ed7566b198d281 (patch)
treeafc61153b63ccfabf0f07e6c1bc8ebda1e010567
parent990cbbf75c40b92e6d6dc66721dfbedf33cacf8f (diff)
reject: Fix for missing dependencies in netdev family
Like with bridge family, rejecting with either icmp or icmpv6 must create a dependency match on meta protocol. Upon delinearization, treat netdev reject identical to bridge as well so no family info is lost. This makes reject statement in netdev family fully symmetric so fix the tests in tests/py/netdev/reject.t, adjust the related payload dumps and add JSON equivalents which were missing altogether. Fixes: 0c42a1f2a0cc5 ("evaluate: add netdev support for reject default") Fixes: a51a0bec1f698 ("tests: py: add netdev folder and reject.t icmp cases") Cc: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r--src/evaluate.c3
-rw-r--r--src/netlink_delinearize.c1
-rw-r--r--tests/py/netdev/reject.t26
-rw-r--r--tests/py/netdev/reject.t.json137
-rw-r--r--tests/py/netdev/reject.t.payload42
5 files changed, 187 insertions, 22 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 3a91e9ea..1d5db4da 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2718,7 +2718,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
const struct proto_desc *desc;
desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
- if (desc != &proto_eth && desc != &proto_vlan)
+ if (desc != &proto_eth && desc != &proto_vlan && desc != &proto_netdev)
return stmt_binary_error(ctx,
&ctx->pctx.protocol[PROTO_BASE_LL_HDR],
stmt, "unsupported link layer protocol");
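Review bot: stmt_evaluate_reject_bridge() now also validates netdev rules, but neither its name nor a comment says so, and `desc != &proto_netdev` reads as an odd member of what was an Ethernet/VLAN allow-list. A short comment above the check would make the sharing explicit, for example `/* also used for netdev: like bridge it has no fixed L3 family, so icmp/icmpv6 reject needs a meta protocol dependency */`. The same remark applies to the stacked `case NFPROTO_NETDEV:` label in stmt_evaluate_reject_family() in the next hunk. The function body continues past this hunk, so whether the later network-layer checks behave correctly with proto_netdev as the link-layer base cannot be confirmed from here.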
@@ -2758,6 +2758,7 @@ static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
}
break;
case NFPROTO_BRIDGE:
+ case NFPROTO_NETDEV:
if (stmt_evaluate_reject_bridge(ctx, stmt, expr) < 0)
return -1;
break;
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 73150722..ca4d723d 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2491,6 +2491,7 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
stmt->reject.family = protocol;
break;
case NFPROTO_BRIDGE:
+ case NFPROTO_NETDEV:
if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
datatype_set(stmt->reject.expr, &icmpx_code_type);
break;
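Review bot: Netdev rules that carry no meta protocol match are not obviously handled once `case NFPROTO_NETDEV:` shares the bridge branch. The old payload dump shows a bare `[ reject type 0 code 1 ]`, so rules loaded by an earlier nft would have this shape. For a firewall listing it matters that such a rule is not printed as the wrong ICMP family, because icmp and icmpv6 rejects share the same type and overlapping code values. The rest of stmt_reject_postprocess() lies outside this hunk; it presumably derives the family from the network-layer dependency, so please confirm what happens when that dependency is absent. Consider documenting it with a comment such as `/* netdev: L3 family is recovered from the meta protocol dependency, as for bridge */`.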
diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t
index a4434b6c..8f8c4e03 100644
--- a/tests/py/netdev/reject.t
+++ b/tests/py/netdev/reject.t
@@ -2,19 +2,19 @@
*netdev;test-netdev;ingress
-reject with icmp type host-unreachable;ok;reject
-reject with icmp type net-unreachable;ok;reject
-reject with icmp type prot-unreachable;ok;reject
-reject with icmp type port-unreachable;ok;reject
-reject with icmp type net-prohibited;ok;reject
-reject with icmp type host-prohibited;ok;reject
-reject with icmp type admin-prohibited;ok;reject
+reject with icmp type host-unreachable;ok
+reject with icmp type net-unreachable;ok
+reject with icmp type prot-unreachable;ok
+reject with icmp type port-unreachable;ok
+reject with icmp type net-prohibited;ok
+reject with icmp type host-prohibited;ok
+reject with icmp type admin-prohibited;ok
-reject with icmpv6 type no-route;ok;reject
-reject with icmpv6 type admin-prohibited;ok;reject
-reject with icmpv6 type addr-unreachable;ok;reject
-reject with icmpv6 type port-unreachable;ok;reject
-reject with icmpv6 type policy-fail;ok;reject
-reject with icmpv6 type reject-route;ok;reject
+reject with icmpv6 type no-route;ok
+reject with icmpv6 type admin-prohibited;ok
+reject with icmpv6 type addr-unreachable;ok
+reject with icmpv6 type port-unreachable;ok
+reject with icmpv6 type policy-fail;ok
+reject with icmpv6 type reject-route;ok
reject;ok
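Review bot: The updated cases only cover rules where the dependency is generated implicitly; nothing visible in this hunk exercises a conflicting explicit match. Now that netdev goes through the bridge evaluation path, a mismatched family should presumably be refused, and a negative case would pin that down, for example `meta protocol ip6 reject with icmp type host-unreachable;fail` and `meta protocol ip reject with icmpv6 type no-route;fail`. A positive case with an explicit `meta protocol ip` ahead of the reject would also show that the dependency is not duplicated. The file may continue beyond this hunk, so these cases may already exist further down.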
diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json
new file mode 100644
index 00000000..ffc72794
--- /dev/null
+++ b/tests/py/netdev/reject.t.json
@@ -0,0 +1,137 @@
+# reject with icmp type host-unreachable
+[
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-unreachable
+[
+ {
+ "reject": {
+ "expr": "net-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type prot-unreachable
+[
+ {
+ "reject": {
+ "expr": "prot-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-prohibited
+[
+ {
+ "reject": {
+ "expr": "net-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type host-prohibited
+[
+ {
+ "reject": {
+ "expr": "host-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmpv6 type no-route
+[
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type addr-unreachable
+[
+ {
+ "reject": {
+ "expr": "addr-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type policy-fail
+[
+ {
+ "reject": {
+ "expr": "policy-fail",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type reject-route
+[
+ {
+ "reject": {
+ "expr": "reject-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject
+[
+ {
+ "reject": null
+ }
+]
+
diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload
index d3af2f33..aead4127 100644
--- a/tests/py/netdev/reject.t.payload
+++ b/tests/py/netdev/reject.t.payload
@@ -1,56 +1,82 @@
# reject with icmp type host-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
-# reject
-netdev
- [ reject type 2 code 1 ]
-
-# reject with icmp type admin-prohibited
-netdev
- [ reject type 0 code 13 ]
-
# reject with icmp type net-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 0 ]
# reject with icmp type prot-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 2 ]
# reject with icmp type port-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 3 ]
# reject with icmp type net-prohibited
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 9 ]
# reject with icmp type host-prohibited
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 10 ]
+# reject with icmp type admin-prohibited
+netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ reject type 0 code 13 ]
+
# reject with icmpv6 type no-route
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
# reject with icmpv6 type admin-prohibited
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 1 ]
# reject with icmpv6 type addr-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 3 ]
# reject with icmpv6 type port-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
# reject with icmpv6 type policy-fail
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 5 ]
# reject with icmpv6 type reject-route
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 6 ]
+# reject
+netdev
+ [ reject type 2 code 1 ]
+