From 7ca3368cd7575e710114fc60e8ecc8ffba95154d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 26 Jan 2021 18:37:12 +0100
Subject: reject: Unify inet, netdev and bridge delinearization

Postprocessing for inet family did not attempt to kill any existing
payload dependency, although it is perfectly fine to do so. The mere
culprit is to not abbreviate default code rejects as that would drop
needed protocol info as a side-effect. Since postprocessing is then
almost identical to that of bridge and netdev families, merge them.

While being at it, extend tests/py/netdev/reject.t by a few more tests
taken from inet/reject.t so this covers icmpx rejects as well.

Cc: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 tests/py/inet/reject.t.json.output | 195 +++----------------------------------
 1 file changed, 16 insertions(+), 179 deletions(-)

(limited to 'tests/py/inet/reject.t.json.output')

diff --git a/tests/py/inet/reject.t.json.output b/tests/py/inet/reject.t.json.output
index 73846fb0..6e18b96b 100644
--- a/tests/py/inet/reject.t.json.output
+++ b/tests/py/inet/reject.t.json.output
@@ -1,144 +1,69 @@
-# reject with icmp type host-unreachable
+# mark 12345 reject with tcp reset
 [
     {
         "match": {
             "left": {
-                "meta": { "key": "nfproto" }
+                "meta": { "key": "l4proto" }
             },
 	    "op": "==",
-            "right": "ipv4"
+            "right": 6
         }
     },
-    {
-        "reject": {
-            "expr": "host-unreachable",
-            "type": "icmp"
-        }
-    }
-]
-
-# reject with icmp type net-unreachable
-[
     {
         "match": {
             "left": {
-                "meta": { "key": "nfproto" }
+                "meta": { "key": "mark" }
             },
 	    "op": "==",
-            "right": "ipv4"
+            "right": 12345
         }
     },
     {
         "reject": {
-            "expr": "net-unreachable",
-            "type": "icmp"
+            "type": "tcp reset"
         }
     }
 ]
 
-# reject with icmp type prot-unreachable
+# meta nfproto ipv4 reject
 [
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv4"
-        }
-    },
     {
         "reject": {
-            "expr": "prot-unreachable",
+            "expr": "port-unreachable",
             "type": "icmp"
         }
     }
 ]
 
-# reject with icmp type port-unreachable
+# meta nfproto ipv6 reject
 [
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv4"
-        }
-    },
-    {
-        "reject": null
-    }
-]
-
-# reject with icmp type net-prohibited
-[
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv4"
-        }
-    },
     {
         "reject": {
-            "expr": "net-prohibited",
-            "type": "icmp"
+            "expr": "port-unreachable",
+            "type": "icmpv6"
         }
     }
 ]
 
-# reject with icmp type host-prohibited
+# reject with icmpx type port-unreachable
 [
     {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv4"
-        }
-    },
-    {
-        "reject": {
-            "expr": "host-prohibited",
-            "type": "icmp"
-        }
+        "reject": null
     }
 ]
 
-# reject with icmp type admin-prohibited
+# meta nfproto ipv4 reject with icmp type host-unreachable
 [
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv4"
-        }
-    },
     {
         "reject": {
-            "expr": "admin-prohibited",
+            "expr": "host-unreachable",
             "type": "icmp"
         }
     }
 ]
 
-# reject with icmpv6 type no-route
+# meta nfproto ipv6 reject with icmpv6 type no-route
 [
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv6"
-        }
-    },
     {
         "reject": {
             "expr": "no-route",
@@ -147,91 +72,3 @@
     }
 ]
 
-# reject with icmpv6 type admin-prohibited
-[
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv6"
-        }
-    },
-    {
-        "reject": {
-            "expr": "admin-prohibited",
-            "type": "icmpv6"
-        }
-    }
-]
-
-# reject with icmpv6 type addr-unreachable
-[
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv6"
-        }
-    },
-    {
-        "reject": {
-            "expr": "addr-unreachable",
-            "type": "icmpv6"
-        }
-    }
-]
-
-# reject with icmpv6 type port-unreachable
-[
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "nfproto" }
-            },
-	    "op": "==",
-            "right": "ipv6"
-        }
-    },
-    {
-        "reject": null
-    }
-]
-
-# mark 12345 reject with tcp reset
-[
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "l4proto" }
-            },
-	    "op": "==",
-            "right": 6
-        }
-    },
-    {
-        "match": {
-            "left": {
-                "meta": { "key": "mark" }
-            },
-	    "op": "==",
-            "right": 12345
-        }
-    },
-    {
-        "reject": {
-            "type": "tcp reset"
-        }
-    }
-]
-
-# reject with icmpx type port-unreachable
-[
-    {
-        "reject": null
-    }
-]
-
-- 
cgit v1.2.3