author | Jeremy Sowden <jeremy@azazel.net> | 2021-12-11 18:55:25 +0000 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-12-15 22:50:07 +0100 |
commit | 0379244930035b3bff95281a58fa7efd7e50dd51 (patch) | |
tree | a6866a1c9ce58a5c76a43433b6c618e80a213894 /tests/py | |
parent | 368c8ba1bd9765d9ad225c63b40423c321ffd5d4 (diff) |
evaluate: reject: support ethernet as L2 protocol for inet table
When we are evaluating a `reject` statement in the `inet` family, we may
have `ether` and `ip` or `ip6` as the L2 and L3 protocols in the
evaluation context:
    table inet filter {
        chain input {
            type filter hook input priority filter;
            ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
        }
    }
Since no `reject` option is given, nft attempts to infer one and fails:
    BUG: unsupported family
    nft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed.
    Aborted
The reason it fails is that the ethernet protocol numbers for IPv4 and
IPv6 (`ETH_P_IP` and `ETH_P_IPV6`) do not match `NFPROTO_IPV4` and
`NFPROTO_IPV6`. Add support for the ethernet protocol numbers.
Replace the current `BUG("unsupported family")` error message with
something more informative that tells the user to provide an explicit
reject option.
Add a Python test case.
Fixes: 5fdd0b6a0600 ("nft: complete reject support")
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001360
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py')

-rw-r--r-- | tests/py/inet/reject.t | 2
-rw-r--r-- | tests/py/inet/reject.t.json | 34
-rw-r--r-- | tests/py/inet/reject.t.payload.inet | 10

3 files changed, 46 insertions, 0 deletions
diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t index 1c8aeebe..61a6d556 100644 --- a/tests/py/inet/reject.t +++ b/tests/py/inet/reject.t @@ -37,3 +37,5 @@ meta l4proto udp reject with tcp reset;fail meta nfproto ipv4 reject with icmpx admin-prohibited;ok meta nfproto ipv6 reject with icmpx admin-prohibited;ok + +ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject;ok;ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject with icmp port-unreachable diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json index 76cd1bf5..02ac9007 100644 --- a/tests/py/inet/reject.t.json +++ b/tests/py/inet/reject.t.json @@ -295,3 +295,37 @@ } ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "aa:bb:cc:dd:ee:ff" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet index 62078d91..828cb839 100644 --- a/tests/py/inet/reject.t.payload.inet +++ b/tests/py/inet/reject.t.payload.inet @@ -132,3 +132,13 @@ inet test-inet input [ cmp eq reg 1 0x0000000a ] [ reject type 2 code 3 ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +inet test-inet input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0xddccbbaa 0x0008ffee ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ reject type 0 code 3 ] + |
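Review bot: the new case in reject.t only exercises the ETH_P_IP branch (`ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject;ok;... reject with icmp port-unreachable`), while the commit message says the fix maps both `ETH_P_IP` and `ETH_P_IPV6`; consider adding the `ip6 daddr` counterpart (with matching entries in reject.t.json and reject.t.payload.inet) so the IPv6 inference is covered too, and, since the file already carries `;fail` cases, a `;fail` case for the new "provide an explicit reject option" error would pin down that path as well.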
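Review bot: the expected bytecode in reject.t.payload.inet hard-codes the merged form of the ethertype dependency: `[ payload load 8b @ link header + 6 => reg 1 ]` / `[ cmp eq reg 1 0xddccbbaa 0x0008ffee ]` compares the 6-byte source MAC together with the 2-byte ethertype (0x0800, ETH_P_IP, in network byte order) in a single 8-byte load, so the `ip daddr` dependency never shows up as a separate instruction. That is the output nft produces, but it couples this test to the payload-merging optimisation rather than to the reject inference itself; the line that actually verifies the commit is `[ reject type 0 code 3 ]` (the ICMP-unreachable reject type with code 3, port unreachable), which agrees with the `reject with icmp port-unreachable` expansion expected in reject.t and with the `"type": "icmp"` / `"expr": "port-unreachable"` object in reject.t.json.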