Diffstat (limited to 'tests')
-rw-r--r-- | tests/py/bridge/reject.t | 5 | ||||
-rw-r--r-- | tests/py/bridge/reject.t.json | 44 | ||||
-rw-r--r-- | tests/py/bridge/reject.t.payload | 12 | ||||
-rw-r--r-- | tests/py/inet/reject.t | 3 | ||||
-rw-r--r-- | tests/py/inet/reject.t.json | 42 | ||||
-rw-r--r-- | tests/py/inet/reject.t.payload.inet | 12 |
6 files changed, 118 insertions, 0 deletions
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index d1c2ecab..ad5280f7 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -37,3 +37,8 @@ ether type arp reject;fail
 ether type vlan reject with tcp reset;fail
 ether type arp reject with tcp reset;fail
 ip protocol udp reject with tcp reset;fail
+
+ether type ip reject with icmpx type admin-prohibited;ok
+ether type ip6 reject with icmpx type admin-prohibited;ok
+ether type vlan reject with icmpx type admin-prohibited;fail
+ether type arp reject with icmpx type admin-prohibited;fail
diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json
index aa716f80..c0bed56e 100644
--- a/tests/py/bridge/reject.t.json
+++ b/tests/py/bridge/reject.t.json
@@ -219,3 +219,47 @@
 }
 ]
 
+# ether type ip reject with icmpx type admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "ip"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# ether type ip6 reject with icmpx type admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "ip6"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index b984f6f8..888179df 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
@@ -106,3 +106,15 @@ bridge test-bridge input
 bridge test-bridge input
 [ reject type 2 code 1 ]
 
+# ether type ip reject with icmpx type admin-prohibited
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ reject type 2 code 3 ]
+
+# ether type ip6 reject with icmpx type admin-prohibited
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
+ [ reject type 2 code 3 ]
+
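Review bot: In tests/py/bridge/reject.t the two new `;fail` cases (`ether type vlan reject with icmpx type admin-prohibited` and the `ether type arp` one) give no reason for the expected refusal. As far as the `.t` format shows, `;fail` only records that the rule is refused, so a regression that fails them for an unrelated reason would still pass. I would add a comment line above them, for example `# icmpx reject needs an IPv4 or IPv6 network header, so non-IP ethertypes must be refused`. The VLAN case deserves its own remark, since it presumably fails because the protocol behind the tag is not known when the rule is evaluated; that reading is inferred from the neighbouring `reject with tcp reset;fail` lines and is not established by this hunk.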
diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t
index cb3caa4a..0e8966c9 100644
--- a/tests/py/inet/reject.t
+++ b/tests/py/inet/reject.t
@@ -34,3 +34,6 @@ meta nfproto ipv6 reject with icmp type host-unreachable;fail
 meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail
 meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail
 meta l4proto udp reject with tcp reset;fail
+
+meta nfproto ipv4 reject with icmpx type admin-prohibited;ok
+meta nfproto ipv6 reject with icmpx type admin-prohibited;ok
diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json
index 0939f445..46d4857a 100644
--- a/tests/py/inet/reject.t.json
+++ b/tests/py/inet/reject.t.json
@@ -238,3 +238,45 @@
 }
 ]
 
+# meta nfproto ipv4 reject with icmpx type admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "nfproto"
+ }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# meta nfproto ipv6 reject with icmpx type admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "nfproto"
+ }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet
index 7a6468e8..ee1aae02 100644
--- a/tests/py/inet/reject.t.payload.inet
+++ b/tests/py/inet/reject.t.payload.inet
@@ -220,3 +220,15 @@ inet test-inet input
 [ cmp eq reg 1 0x0000000a ]
 [ reject type 0 code 0 ]
 
+# meta nfproto ipv4 reject with icmpx type admin-prohibited
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 2 code 3 ]
+
+# meta nfproto ipv6 reject with icmpx type admin-prohibited
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ reject type 2 code 3 ]
+
|