author | Florian Westphal <fw@strlen.de> | 2018-09-04 13:53:59 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-09-04 14:57:17 +0200 |
commit | 0f44d4f62753535d39d95d83778348bee4e88053 (patch) | |
tree | a8abdf198af2bd59e718283e54e84dea92aa7f03 /tests/py/ip6 | |
parent | aab7913f0e9bfd331980a4e6a478d3e350be9e89 (diff) |
proto: fix icmp/icmpv6 code datatype
Andrew A. Sabitov says:
I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code
and check incoming icmpv6 traffic against it:
add set inet fw in_icmpv6_types { type icmpv6_type . icmpv6_code; }
add element inet fw in_icmpv6_types { 1 . 0 } # no route to destination
add element inet fw in_icmpv6_types { 1 . 1 } # communication with destination administratively prohibited
# ...
add rule inet fw in_icmpv6 icmpv6 type . icmpv6 code @in_icmpv6_types \
limit rate 15/minute accept
yields:
Error: can not use variable sized data types (integer) in concat expressions
icmpv6 type . icmpv6 code @in_icmpv6_types
~~~~~~~~~~~~~~^^^^^^^^^^^
Change 'code' type to the icmp/icmpv6 code type.
Needs minor change to test suite as nft will now display
human-readable names instead of numeric codes.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1276
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests/py/ip6')
-rw-r--r-- | tests/py/ip6/icmpv6.t | 6 | ||||
-rw-r--r-- | tests/py/ip6/icmpv6.t.payload.ip6 | 2 |
2 files changed, 4 insertions, 4 deletions
diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t index a898fe30..8d794115 100644 --- a/tests/py/ip6/icmpv6.t +++ b/tests/py/ip6/icmpv6.t @@ -28,10 +28,10 @@ icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-sol icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok -icmpv6 code 4;ok +icmpv6 code 4;ok;icmpv6 code port-unreachable icmpv6 code 3-66;ok -icmpv6 code {5, 6, 7} accept;ok -icmpv6 code != {5, 6, 7} accept;ok +icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept +icmpv6 code != {policy-fail, reject-route, 7} accept;ok icmpv6 code { 3-66};ok icmpv6 code != { 3-66};ok diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 index 7a630f9f..51d71f41 100644 --- a/tests/py/ip6/icmpv6.t.payload.ip6 +++ b/tests/py/ip6/icmpv6.t.payload.ip6 @@ -220,7 +220,7 @@ ip6 test-ip6 input [ lookup reg 1 set __set%d ] [ immediate reg 0 accept ] -# icmpv6 code != {5, 6, 7} accept +# icmpv6 code != {policy-fail, reject-route, 7} accept __set%d test-ip6 3 __set%d test-ip6 0 element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 0 [end] |
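Review bot: In the tests/py/ip6/icmpv6.t hunk, the negated-set line has its input rewritten (`icmpv6 code != {5, 6, 7} accept;ok` becomes `icmpv6 code != {policy-fail, reject-route, 7} accept;ok`) instead of keeping the numeric input and appending the expected output, which is how the two other changed lines are handled. That drops coverage of numeric input for the `!=` set case. Suggest `icmpv6 code != {5, 6, 7} accept;ok;icmpv6 code != {policy-fail, reject-route, 7} accept`, which would also leave the matching payload comment untouched.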
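Review bot: The tests/py/ip6/icmpv6.t.payload.ip6 hunk only renames the comment header of the `!=` set entry while the element lines (`00000005`, `00000006`, `00000007`) stay as they were, and nothing in the tests/py/ip6 part of this patch adds a case for the `icmpv6 type . icmpv6 code` concatenation that the commit message reports as failing. Suggest adding a test line and its payload entry for that concatenation so the reported "variable sized data types" error is covered by a regression test.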