-rw-r--r-- | src/evaluate.c | 3 | ||||
-rw-r--r-- | src/netlink_delinearize.c | 1 | ||||
-rw-r--r-- | tests/py/netdev/reject.t | 26 | ||||
-rw-r--r-- | tests/py/netdev/reject.t.json | 137 | ||||
-rw-r--r-- | tests/py/netdev/reject.t.payload | 42 |
5 files changed, 187 insertions, 22 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 3a91e9ea..1d5db4da 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2718,7 +2718,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
 const struct proto_desc *desc;
 desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
- if (desc != &proto_eth && desc != &proto_vlan)
+ if (desc != &proto_eth && desc != &proto_vlan && desc != &proto_netdev)
 return stmt_binary_error(ctx, &ctx->pctx.protocol[PROTO_BASE_LL_HDR], stmt, "unsupported link layer protocol");
@@ -2758,6 +2758,7 @@ static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
 }
 break;
 case NFPROTO_BRIDGE:
+ case NFPROTO_NETDEV:
 if (stmt_evaluate_reject_bridge(ctx, stmt, expr) < 0)
 return -1;
 break;
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 73150722..ca4d723d 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2491,6 +2491,7 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 stmt->reject.family = protocol;
 break;
 case NFPROTO_BRIDGE:
+ case NFPROTO_NETDEV:
 if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
 datatype_set(stmt->reject.expr, &icmpx_code_type);
 break;
diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t
index a4434b6c..8f8c4e03 100644
--- a/tests/py/netdev/reject.t
+++ b/tests/py/netdev/reject.t
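Review bot: In src/evaluate.c the helper that now gates netdev reject rules is still named and worded for bridge only: `stmt_evaluate_reject_bridge()` accepts `&proto_netdev` and is reached from the new `case NFPROTO_NETDEV:` in `stmt_evaluate_reject_family()`, yet nothing in the visible lines tells a reader that two families share it. A short comment above the link-layer check would make that explicit, for example `/* shared by bridge and netdev: the link-layer base must be ether, vlan or netdev */`. The same applies to the stacked `case NFPROTO_BRIDGE:` / `case NFPROTO_NETDEV:` labels in `stmt_reject_postprocess()` in src/netlink_delinearize.c. All three function bodies continue outside the hunks, so whether the code further down makes bridge-specific assumptions cannot be checked from this page.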
@@ -2,19 +2,19 @@
 *netdev;test-netdev;ingress
-reject with icmp type host-unreachable;ok;reject
-reject with icmp type net-unreachable;ok;reject
-reject with icmp type prot-unreachable;ok;reject
-reject with icmp type port-unreachable;ok;reject
-reject with icmp type net-prohibited;ok;reject
-reject with icmp type host-prohibited;ok;reject
-reject with icmp type admin-prohibited;ok;reject
+reject with icmp type host-unreachable;ok
+reject with icmp type net-unreachable;ok
+reject with icmp type prot-unreachable;ok
+reject with icmp type port-unreachable;ok
+reject with icmp type net-prohibited;ok
+reject with icmp type host-prohibited;ok
+reject with icmp type admin-prohibited;ok
-reject with icmpv6 type no-route;ok;reject
-reject with icmpv6 type admin-prohibited;ok;reject
-reject with icmpv6 type addr-unreachable;ok;reject
-reject with icmpv6 type port-unreachable;ok;reject
-reject with icmpv6 type policy-fail;ok;reject
-reject with icmpv6 type reject-route;ok;reject
+reject with icmpv6 type no-route;ok
+reject with icmpv6 type admin-prohibited;ok
+reject with icmpv6 type addr-unreachable;ok
+reject with icmpv6 type port-unreachable;ok
+reject with icmpv6 type policy-fail;ok
+reject with icmpv6 type reject-route;ok
 reject;ok
diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json
new file mode 100644
index 00000000..ffc72794
--- /dev/null
+++ b/tests/py/netdev/reject.t.json
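Review bot: tests/py/netdev/reject.t still covers only `reject with icmp type …`, `reject with icmpv6 type …` and bare `reject`, so the other reject forms that now pass through the shared bridge/netdev evaluation path have no netdev test. If they are meant to be supported in this family, lines for `reject with tcp reset` and `reject with icmpx type port-unreachable` should be added, each with the listing output the family actually produces. A negative case would also help: a rule whose existing network-layer match contradicts the reject type, marked `fail`, so the dependency check is pinned for netdev as well. The hunk appears to run to the end of the file, but that is inferred from the line counts rather than shown.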
@@ -0,0 +1,137 @@
+# reject with icmp type host-unreachable
+[
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-unreachable
+[
+ {
+ "reject": {
+ "expr": "net-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type prot-unreachable
+[
+ {
+ "reject": {
+ "expr": "prot-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-prohibited
+[
+ {
+ "reject": {
+ "expr": "net-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type host-prohibited
+[
+ {
+ "reject": {
+ "expr": "host-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmpv6 type no-route
+[
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type addr-unreachable
+[
+ {
+ "reject": {
+ "expr": "addr-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type policy-fail
+[
+ {
+ "reject": {
+ "expr": "policy-fail",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type reject-route
+[
+ {
+ "reject": {
+ "expr": "reject-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject
+[
+ {
+ "reject": null
+ }
+]
+
diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload
index d3af2f33..aead4127 100644
--- a/tests/py/netdev/reject.t.payload
+++ b/tests/py/netdev/reject.t.payload
@@ -1,56 +1,82 @@
 # reject with icmp type host-unreachable
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
 [ reject type 0 code 1 ]
-# reject
-netdev
- [ reject type 2 code 1 ]
-
-# reject with icmp type admin-prohibited
-netdev
- [ reject type 0 code 13 ]
-
 # reject with icmp type net-unreachable
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
 [ reject type 0 code 0 ]
 # reject with icmp type prot-unreachable
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
 [ reject type 0 code 2 ]
 # reject with icmp type port-unreachable
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
 [ reject type 0 code 3 ]
 # reject with icmp type net-prohibited
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
 [ reject type 0 code 9 ]
 # reject with icmp type host-prohibited
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
 [ reject type 0 code 10 ]
+# reject with icmp type admin-prohibited
+netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ reject type 0 code 13 ]
+
 # reject with icmpv6 type no-route
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
 [ reject type 0 code 0 ]
 # reject with icmpv6 type admin-prohibited
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
 [ reject type 0 code 1 ]
 # reject with icmpv6 type addr-unreachable
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
 [ reject type 0 code 3 ]
 # reject with icmpv6 type port-unreachable
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
 [ reject type 0 code 4 ]
 # reject with icmpv6 type policy-fail
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
 [ reject type 0 code 5 ]
 # reject with icmpv6 type reject-route
 netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
 [ reject type 0 code 6 ]
+# reject
+netdev
+ [ reject type 2 code 1 ]
+
|