authorPhil Sutter <phil@nwl.cc>2018-08-13 18:58:57 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-08-14 16:17:32 +0200
commit8d2c3c72935443228b5e0492c8d3e2e2048c0c5a (patch)
tree7dca84cd3a7a5405e87fb0692db1a3410612b7f4 /tests/py/bridge
parentc8a0e8c90e2d1188e6fcdd8951b295722e56d542 (diff)
evaluate: reject: Allow icmpx in inet/bridge families
Commit 3e6ab2b335142 added restraints on reject types for bridge and inet families but apparently those were too strict: If a rule in e.g. inet family contained a match which introduced a protocol dependency, icmpx type rejects were disallowed for no obvious reason. Allow icmpx type rejects in inet family regardless of protocol dependency since we either have IPv4 or IPv6 traffic in there and for both icmpx is fine. Merge restraints in bridge family with those for TCP reset since it already does what is needed, namely checking that ether proto is either IPv4 or IPv6. Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/bridge')
-rw-r--r--tests/py/bridge/reject.t5
-rw-r--r--tests/py/bridge/reject.t.json44
-rw-r--r--tests/py/bridge/reject.t.payload12
3 files changed, 61 insertions, 0 deletions
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index d1c2ecab..ad5280f7 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -37,3 +37,8 @@ ether type arp reject;fail
ether type vlan reject with tcp reset;fail
ether type arp reject with tcp reset;fail
ip protocol udp reject with tcp reset;fail
+
+ether type ip reject with icmpx type admin-prohibited;ok
+ether type ip6 reject with icmpx type admin-prohibited;ok
+ether type vlan reject with icmpx type admin-prohibited;fail
+ether type arp reject with icmpx type admin-prohibited;fail
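Review bot: The new icmpx block pins ether type ip/ip6 as ok and vlan/arp as fail, but — unless it is already covered elsewhere in reject.t — it has no case for a rule with no ether type match at all, which is the no-network-context situation the bridge check is meant to refuse; a line `reject with icmpx type admin-prohibited;fail` next to the arp entry would lock that in. The existing `ip protocol udp reject with tcp reset;fail` line above shows a match that only implies the ether type; a parallel `ip protocol udp reject with icmpx type admin-prohibited;ok` (presumably ok, since the implied dependency is IPv4) would exercise exactly the implied-dependency path the commit message says was wrongly rejected, which no line in this hunk does. The corresponding .t.json and .t.payload hunks would then need the matching expected output for any added ok case.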
diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json
index aa716f80..c0bed56e 100644
--- a/tests/py/bridge/reject.t.json
+++ b/tests/py/bridge/reject.t.json
@@ -219,3 +219,47 @@
}
]
+# ether type ip reject with icmpx type admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "ip"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# ether type ip6 reject with icmpx type admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "ip6"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index b984f6f8..888179df 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
@@ -106,3 +106,15 @@ bridge test-bridge input
bridge test-bridge input
[ reject type 2 code 1 ]
+# ether type ip reject with icmpx type admin-prohibited
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ reject type 2 code 3 ]
+
+# ether type ip6 reject with icmpx type admin-prohibited
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
+ [ reject type 2 code 3 ]
+