summaryrefslogtreecommitdiffstats
path: root/tests/py/inet/icmpX.t.payload
Commit message (Collapse)AuthorAgeFilesLines
* tests: add test case that checks icmp6 in-ipv4Florian Westphal2017-10-261-0/+10
| | | | | | | | | | | | | nft does not handle this correctly. This test fails. In: inet input ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1 Out: meta l4proto 58 icmpv6 type destination-unreachable which loses the "ipv4" dependency, i.e. listing should show the rule as-is. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix up meta l4proto change for ip familyFlorian Westphal2017-05-191-1/+1
| | | | | | | We can delete some of the payload files now as ip/ip6/inet produce same implicit meta l4proto dep. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix up meta l4proto change for ip6 familyFlorian Westphal2017-05-191-1/+1
| | | | | | | | | | | | After previous commit nft generates meta l4proto for ipv6 dependencies instead of checking the (first) nexthdr value. This fixes up all tests cases accordingly except one which fails with ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset' This will be fixed by removing the implicit dependency in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: explicit network ctx assignment for icmp/icmp6 in special familiesArturo Borrero Gonzalez2017-01-271-0/+36
In the inet, bridge and netdev families, we can add rules like these: % nft add rule inet t c ip protocol icmp icmp type echo-request % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request However, when we print the ruleset: % nft list ruleset table inet t { chain c { icmpv6 type echo-request icmp type echo-request } } These rules we obtain can't be added again: % nft add rule inet t c icmp type echo-request <cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp add rule inet t c icmp type echo-request ^^^^^^^^^ % nft add rule inet t c icmpv6 type echo-request <cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6 add rule inet t c icmpv6 type echo-request ^^^^^^^^^^^ Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet carrying ICMP, if the link layer is inet, the network layer protocol context can be safely update to 'ip' or 'ip6'. Moreover, nft currently generates a 'meta nfproto ipvX' depedency when using icmp or icmp6 in the inet family, and similar in netdev and bridge families. While at it, a bit of code factorization is introduced. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073 Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>