From 0379244930035b3bff95281a58fa7efd7e50dd51 Mon Sep 17 00:00:00 2001 From: Jeremy Sowden Date: Sat, 11 Dec 2021 18:55:25 +0000 Subject: evaluate: reject: support ethernet as L2 protocol for inet table When we are evaluating a `reject` statement in the `inet` family, we may have `ether` and `ip` or `ip6` as the L2 and L3 protocols in the evaluation context: table inet filter { chain input { type filter hook input priority filter; ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject } } Since no `reject` option is given, nft attempts to infer one and fails: BUG: unsupported familynft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed. Aborted The reason it fails is that the ethernet protocol numbers for IPv4 and IPv6 (`ETH_P_IP` and `ETH_P_IPV6`) do not match `NFPROTO_IPV4` and `NFPROTO_IPV6`. Add support for the ethernet protocol numbers. Replace the current `BUG("unsupported family")` error message with something more informative that tells the user to provide an explicit reject option. Add a Python test case. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001360 Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso --- tests/py/inet/reject.t.json | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'tests/py/inet/reject.t.json') diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json index 76cd1bf5..02ac9007 100644 --- a/tests/py/inet/reject.t.json +++ b/tests/py/inet/reject.t.json @@ -295,3 +295,37 @@ } ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "aa:bb:cc:dd:ee:ff" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + -- cgit v1.2.3