author | Phil Sutter <phil@nwl.cc> | 2018-08-13 18:58:57 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-08-14 16:17:32 +0200 |
commit | 8d2c3c72935443228b5e0492c8d3e2e2048c0c5a (patch) | |
tree | 7dca84cd3a7a5405e87fb0692db1a3410612b7f4 /tests/py/inet/reject.t | |
parent | c8a0e8c90e2d1188e6fcdd8951b295722e56d542 (diff) |
evaluate: reject: Allow icmpx in inet/bridge families
Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but apparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.
Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.
Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.
Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/inet/reject.t')
-rw-r--r-- | tests/py/inet/reject.t | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t index cb3caa4a..0e8966c9 100644 --- a/tests/py/inet/reject.t +++ b/tests/py/inet/reject.t @@ -34,3 +34,6 @@ meta nfproto ipv6 reject with icmp type host-unreachable;fail meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail meta l4proto udp reject with tcp reset;fail + +meta nfproto ipv4 reject with icmpx type admin-prohibited;ok +meta nfproto ipv6 reject with icmpx type admin-prohibited;ok |
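Review bot: the two added `;ok` cases only exercise icmpx behind a `meta nfproto` dependency and only with `admin-prohibited`, while the commit message describes the regression as any match that introduces a protocol dependency in the inet family. Consider adding a positive case where the dependency comes from a header match, mirroring the `ip protocol icmp` form already used in the `;fail` lines above, so the test pins the behaviour the message describes rather than one instance of it. The message also says the bridge restraints were merged with those for TCP reset, but this view is limited to tests/py/inet/reject.t, so no bridge-family case is visible here; if none exists elsewhere in the commit, an icmpx case in the bridge tests would keep that half of the change from regressing unnoticed.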