author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-26 17:22:32 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-26 17:50:19 +0200 |
commit | 08d2f049367153d2c3b03c95b2ca7256cdf3521d (patch) | |
tree | 35b291e94c051a50d1473d21932f6a27ff8498b5 /tests/py/bridge | |
parent | 1ab1fcbc19a82e03d229586b8fd5b16396a9fab7 (diff) |
src: promote 'reject with icmp CODE' syntax
The kernel already assumes that the ICMP type to reject a packet is
destination-unreachable, hence the user specifies the *ICMP code*.
Simplify the syntax to:
... reject with icmp port-unreachable
this removes the 'type' keyword before the ICMP code to reject the
packet with.
IIRC, the original intention is to leave room for future extensions that
allow to specify both the ICMP type and the ICMP code, this is however
not possible with the current inconsistent syntax.
Update manpages which also refer to ICMP type.
Adjust tests/py to the new syntax.
Fixes: 5fdd0b6a0600 ("nft: complete reject support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/bridge')
-rw-r--r-- | tests/py/bridge/reject.t | 50 | ||||
-rw-r--r-- | tests/py/bridge/reject.t.json | 36 | ||||
-rw-r--r-- | tests/py/bridge/reject.t.payload | 36 |
3 files changed, 61 insertions, 61 deletions
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index b242eef4..336b51bb 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -3,40 +3,40 @@ *bridge;test-bridge;input # The output is specific for bridge family -reject with icmp type host-unreachable;ok -reject with icmp type net-unreachable;ok -reject with icmp type prot-unreachable;ok -reject with icmp type port-unreachable;ok -reject with icmp type net-prohibited;ok -reject with icmp type host-prohibited;ok -reject with icmp type admin-prohibited;ok - -reject with icmpv6 type no-route;ok -reject with icmpv6 type admin-prohibited;ok -reject with icmpv6 type addr-unreachable;ok -reject with icmpv6 type port-unreachable;ok +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset reject;ok -ether type ip reject;ok;reject with icmp type port-unreachable -ether type ip6 reject;ok;reject with icmpv6 type port-unreachable +ether type ip reject;ok;reject with icmp port-unreachable +ether type ip6 reject;ok;reject with icmpv6 port-unreachable -reject with icmpx type host-unreachable;ok -reject with icmpx type no-route;ok -reject with icmpx type admin-prohibited;ok -reject with icmpx type port-unreachable;ok;reject +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject -ether type ipv6 reject with icmp type host-unreachable;fail -ether type ip6 reject with icmp type host-unreachable;fail -ether type ip reject with icmpv6 type no-route;fail +ether type ipv6 reject with icmp host-unreachable;fail +ether type ip6 reject with icmp host-unreachable;fail +ether type ip reject with icmpv6 
no-route;fail ether type vlan reject;ok;ether type 8021q reject ether type arp reject;fail ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type 8021q reject with tcp reset ether type arp reject with tcp reset;fail ip protocol udp reject with tcp reset;fail -ether type ip reject with icmpx type admin-prohibited;ok -ether type ip6 reject with icmpx type admin-prohibited;ok -ether type 8021q reject with icmpx type admin-prohibited;ok -ether type arp reject with icmpx type admin-prohibited;fail +ether type ip reject with icmpx admin-prohibited;ok +ether type ip6 reject with icmpx admin-prohibited;ok +ether type 8021q reject with icmpx admin-prohibited;ok +ether type arp reject with icmpx admin-prohibited;fail diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json index fe21734d..9f9e6c1e 100644 --- a/tests/py/bridge/reject.t.json +++ b/tests/py/bridge/reject.t.json @@ -1,4 +1,4 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -8,7 +8,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -18,7 +18,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -28,7 +28,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { @@ -38,7 +38,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -48,7 +48,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -58,7 +58,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -68,7 +68,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -78,7 +78,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { 
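Review bot: Every `icmp type CODE`, `icmpv6 type CODE` and `icmpx type CODE` line in reject.t is rewritten to the short form, so after this hunk nothing in the bridge tests pins what the parser does with the legacy spelling. The parser change is not visible in this view (the diffstat is limited to tests/py/bridge), so whether the old form is still accepted is an assumption to confirm. If it is kept for compatibility, a line such as `reject with icmp type host-unreachable;ok;reject with icmp host-unreachable` (with matching reject.t.payload and reject.t.json entries) would catch a regression that makes existing rulesets fail to load; if it is dropped, `reject with icmp type host-unreachable;fail` documents that. A ruleset that fails to load can leave a host without its filter rules, so either outcome deserves an explicit test line.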
@@ -88,7 +88,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -98,7 +98,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -183,7 +183,7 @@ } ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable [ { "reject": { @@ -193,7 +193,7 @@ } ] -# reject with icmpx type no-route +# reject with icmpx no-route [ { "reject": { @@ -203,7 +203,7 @@ } ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited [ { "reject": { @@ -213,7 +213,7 @@ } ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable [ { "reject": { @@ -223,7 +223,7 @@ } ] -# ether type ip reject with icmpx type admin-prohibited +# ether type ip reject with icmpx admin-prohibited [ { "match": { @@ -245,7 +245,7 @@ } ] -# ether type ip6 reject with icmpx type admin-prohibited +# ether type ip6 reject with icmpx admin-prohibited [ { "match": { @@ -318,7 +318,7 @@ } ] -# ether type 8021q reject with icmpx type admin-prohibited +# ether type 8021q reject with icmpx admin-prohibited [ { "match": { diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload index 22569877..bad9adc0 100644 --- a/tests/py/bridge/reject.t.payload +++ b/tests/py/bridge/reject.t.payload 
@@ -1,64 +1,64 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 13 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable bridge test-bridge 
input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -90,29 +90,29 @@ bridge test-bridge input [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 4 ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable bridge test-bridge input [ reject type 2 code 2 ] -# reject with icmpx type no-route +# reject with icmpx no-route bridge test-bridge input [ reject type 2 code 0 ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited bridge test-bridge input [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable bridge test-bridge input [ reject type 2 code 1 ] -# ether type ip reject with icmpx type admin-prohibited +# ether type ip reject with icmpx admin-prohibited bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 2 code 3 ] -# ether type ip6 reject with icmpx type admin-prohibited +# ether type ip6 reject with icmpx admin-prohibited bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -132,7 +132,7 @@ bridge [ cmp eq reg 1 0x00000081 ] [ reject type 1 code 0 ] -# ether type 8021q reject with icmpx type admin-prohibited +# ether type 8021q reject with icmpx admin-prohibited bridge [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] |