-rw-r--r--src/evaluate.c3
-rw-r--r--src/netlink_delinearize.c1
-rw-r--r--tests/py/netdev/reject.t26
-rw-r--r--tests/py/netdev/reject.t.json137
-rw-r--r--tests/py/netdev/reject.t.payload42
5 files changed, 187 insertions, 22 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 3a91e9ea..1d5db4da 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2718,7 +2718,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
const struct proto_desc *desc;
desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
- if (desc != &proto_eth && desc != &proto_vlan)
+ if (desc != &proto_eth && desc != &proto_vlan && desc != &proto_netdev)
return stmt_binary_error(ctx,
&ctx->pctx.protocol[PROTO_BASE_LL_HDR],
stmt, "unsupported link layer protocol");
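Review bot: `stmt_evaluate_reject_bridge()` now also accepts `proto_netdev`, but neither its name nor a comment says it serves the netdev family, so the link-layer allow-list in this condition still reads as a bridge-only rule. The same applies to the `case NFPROTO_NETDEV:` labels added under `case NFPROTO_BRIDGE:` in `stmt_evaluate_reject_family()` and in `stmt_reject_postprocess()` in src/netlink_delinearize.c. I would add a comment above the condition, e.g. `/* netdev shares this path; proto_netdev is its link-layer base when no ether/vlan match precedes the reject */`. The second half of that wording is inferred from the new payload expectations (`meta load protocol => reg 1`), so please confirm it. The function body continues outside the hunk.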
@@ -2758,6 +2758,7 @@ static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
}
break;
case NFPROTO_BRIDGE:
+ case NFPROTO_NETDEV:
if (stmt_evaluate_reject_bridge(ctx, stmt, expr) < 0)
return -1;
break;
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 73150722..ca4d723d 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2491,6 +2491,7 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
stmt->reject.family = protocol;
break;
case NFPROTO_BRIDGE:
+ case NFPROTO_NETDEV:
if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
datatype_set(stmt->reject.expr, &icmpx_code_type);
break;
diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t
index a4434b6c..8f8c4e03 100644
--- a/tests/py/netdev/reject.t
+++ b/tests/py/netdev/reject.t
@@ -2,19 +2,19 @@
*netdev;test-netdev;ingress
-reject with icmp type host-unreachable;ok;reject
-reject with icmp type net-unreachable;ok;reject
-reject with icmp type prot-unreachable;ok;reject
-reject with icmp type port-unreachable;ok;reject
-reject with icmp type net-prohibited;ok;reject
-reject with icmp type host-prohibited;ok;reject
-reject with icmp type admin-prohibited;ok;reject
+reject with icmp type host-unreachable;ok
+reject with icmp type net-unreachable;ok
+reject with icmp type prot-unreachable;ok
+reject with icmp type port-unreachable;ok
+reject with icmp type net-prohibited;ok
+reject with icmp type host-prohibited;ok
+reject with icmp type admin-prohibited;ok
-reject with icmpv6 type no-route;ok;reject
-reject with icmpv6 type admin-prohibited;ok;reject
-reject with icmpv6 type addr-unreachable;ok;reject
-reject with icmpv6 type port-unreachable;ok;reject
-reject with icmpv6 type policy-fail;ok;reject
-reject with icmpv6 type reject-route;ok;reject
+reject with icmpv6 type no-route;ok
+reject with icmpv6 type admin-prohibited;ok
+reject with icmpv6 type addr-unreachable;ok
+reject with icmpv6 type port-unreachable;ok
+reject with icmpv6 type policy-fail;ok
+reject with icmpv6 type reject-route;ok
reject;ok
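Review bot: The netdev expectations shown here cover only `icmp`, `icmpv6` and bare `reject`, so no rule uses an explicit `icmpx` code and none is marked `;fail`. Yet the postprocess branch now shared with bridge handles `NFT_REJECT_ICMPX_UNREACH`, and the evaluate path rejects unsupported link-layer protocols. These rules decide what a filter sends back at ingress, so I would add at least one explicit line such as `reject with icmpx type host-unreachable;ok` and one mismatched protocol/reject-type combination marked `;fail`, with matching `.json` and `.payload` entries. The exact expected listing for the new lines has to be confirmed by running the test suite.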
diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json
new file mode 100644
index 00000000..ffc72794
--- /dev/null
+++ b/tests/py/netdev/reject.t.json
@@ -0,0 +1,137 @@
+# reject with icmp type host-unreachable
+[
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-unreachable
+[
+ {
+ "reject": {
+ "expr": "net-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type prot-unreachable
+[
+ {
+ "reject": {
+ "expr": "prot-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-prohibited
+[
+ {
+ "reject": {
+ "expr": "net-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type host-prohibited
+[
+ {
+ "reject": {
+ "expr": "host-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmpv6 type no-route
+[
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type addr-unreachable
+[
+ {
+ "reject": {
+ "expr": "addr-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type policy-fail
+[
+ {
+ "reject": {
+ "expr": "policy-fail",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type reject-route
+[
+ {
+ "reject": {
+ "expr": "reject-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject
+[
+ {
+ "reject": null
+ }
+]
+
diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload
index d3af2f33..aead4127 100644
--- a/tests/py/netdev/reject.t.payload
+++ b/tests/py/netdev/reject.t.payload
@@ -1,56 +1,82 @@
# reject with icmp type host-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
-# reject
-netdev
- [ reject type 2 code 1 ]
-
-# reject with icmp type admin-prohibited
-netdev
- [ reject type 0 code 13 ]
-
# reject with icmp type net-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 0 ]
# reject with icmp type prot-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 2 ]
# reject with icmp type port-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 3 ]
# reject with icmp type net-prohibited
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 9 ]
# reject with icmp type host-prohibited
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 10 ]
+# reject with icmp type admin-prohibited
+netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ reject type 0 code 13 ]
+
# reject with icmpv6 type no-route
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
# reject with icmpv6 type admin-prohibited
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 1 ]
# reject with icmpv6 type addr-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 3 ]
# reject with icmpv6 type port-unreachable
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
# reject with icmpv6 type policy-fail
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 5 ]
# reject with icmpv6 type reject-route
netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 6 ]
+# reject
+netdev
+ [ reject type 2 code 1 ]
+