From 8d2c3c72935443228b5e0492c8d3e2e2048c0c5a Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Mon, 13 Aug 2018 18:58:57 +0200
Subject: evaluate: reject: Allow icmpx in inet/bridge families

Commit 3e6ab2b335142 added restraints on reject types for bridge and inet families but aparently those were too strict: If a rule in e.g. inet family contained a match which introduced a protocol dependency, icmpx type rejects were disallowed for no obvious reason. Allow icmpx type rejects in inet family regardless of protocol dependency since we either have IPv4 or IPv6 traffic in there and for both icmpx is fine. Merge restraints in bridge family with those for TCP reset since it already does what is needed, namely checking that ether proto is either IPv4 or IPv6.

Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
 src/evaluate.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
(limited to 'src')

diff --git a/src/evaluate.c b/src/evaluate.c
index 3f57ef60..3f15b322 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2143,9 +2143,7 @@ static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
 case NFT_REJECT_TCP_RST:
 break;
 case NFT_REJECT_ICMPX_UNREACH:
- return stmt_binary_error(ctx, stmt->reject.expr,
- &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
- "conflicting network protocol specified");
+ break;
 case NFT_REJECT_ICMP_UNREACH:
 base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
 protocol = proto_find_num(base, desc);
@@ -2196,9 +2194,6 @@ static int stmt_evaluate_reject_bridge_family(struct eval_ctx *ctx,
 switch (stmt->reject.type) {
 case NFT_REJECT_ICMPX_UNREACH:
- return stmt_binary_error(ctx, stmt->reject.expr,
- &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
- "conflicting network protocol specified");
 case NFT_REJECT_TCP_RST:
 base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
 protocol = proto_find_num(base, desc);
-- 
cgit v1.2.3
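Review bot: The inet switch now carries two adjacent cases with identical `break;` bodies, `case NFT_REJECT_TCP_RST:` and the new `case NFT_REJECT_ICMPX_UNREACH:`; folding the new label onto the TCP_RST case, `case NFT_REJECT_TCP_RST:` / `case NFT_REJECT_ICMPX_UNREACH:` / `break;`, mirrors what the bridge hunk does and states that both types need no network-header check. A one-line comment above the label, `/* icmpx is valid for IPv4 and IPv6, so inet needs no network protocol check here */`, would keep a later reader from re-adding the removed error. stmt_evaluate_reject_inet_family starts and ends outside the hunk.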
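Review bot: The bridge `case NFT_REJECT_ICMPX_UNREACH:` now relies on sharing the `NFT_REJECT_TCP_RST` path for its link-layer protocol check, but nothing in the hunk records that intent; a comment above `case NFT_REJECT_TCP_RST:` such as `/* icmpx shares the ether-proto IPv4/IPv6 check with tcp reset */` would make the shared path explicit. If the diagnostic emitted further down that branch is worded for tcp reset only, it would now also be reported for icmpx rejects; that code is outside the hunk, so it is worth confirming. stmt_evaluate_reject_bridge_family starts and ends outside the hunk.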