From 1ab1fcbc19a82e03d229586b8fd5b16396a9fab7 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 26 Jul 2021 16:29:58 +0200 Subject: parser_bison: parse number as reject icmp code Extend parser to accept a numeric icmp code, instead of bailing out: # nft add rule inet filter input reject with icmpx type 3 Error: syntax error, unexpected number, expecting string add rule inet filter input reject with icmpx type 3 ^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1555 Signed-off-by: Pablo Neira Ayuso --- tests/py/inet/reject.t | 1 + tests/py/inet/reject.t.payload.inet | 4 ++++ tests/py/ip/reject.t | 1 + tests/py/ip/reject.t.payload | 4 ++++ tests/py/ip6/reject.t | 1 + tests/py/ip6/reject.t.payload.ip6 | 4 ++++ 6 files changed, 15 insertions(+) (limited to 'tests/py') diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t index a9ecd2ea..bae8fc2e 100644 --- a/tests/py/inet/reject.t +++ b/tests/py/inet/reject.t @@ -25,6 +25,7 @@ reject with icmpx type host-unreachable;ok reject with icmpx type no-route;ok reject with icmpx type admin-prohibited;ok reject with icmpx type port-unreachable;ok;reject +reject with icmpx type 3;ok;reject with icmpx type admin-prohibited meta nfproto ipv4 reject with icmp type host-unreachable;ok;reject with icmp type host-unreachable meta nfproto ipv6 reject with icmpv6 type no-route;ok;reject with icmpv6 type no-route diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet index 3f220282..be6ad394 100644 --- a/tests/py/inet/reject.t.payload.inet +++ b/tests/py/inet/reject.t.payload.inet @@ -104,6 +104,10 @@ inet test-inet input inet test-inet input [ reject type 2 code 1 ] +# reject with icmpx type 3 +inet test-inet input + [ reject type 2 code 3 ] + # meta nfproto ipv4 reject with icmp type host-unreachable inet test-inet input [ meta load nfproto => reg 1 ] diff --git a/tests/py/ip/reject.t b/tests/py/ip/reject.t index cc5561a0..74a5a041 100644 --- a/tests/py/ip/reject.t +++ b/tests/py/ip/reject.t @@ -10,6 +10,7 @@ reject with icmp type port-unreachable;ok;reject reject with icmp type net-prohibited;ok reject with icmp type host-prohibited;ok reject with icmp type admin-prohibited;ok +reject with icmp type 3;ok;reject mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset reject with icmp type no-route;fail diff --git a/tests/py/ip/reject.t.payload b/tests/py/ip/reject.t.payload index 07e4cc8d..80fc5042 100644 --- a/tests/py/ip/reject.t.payload +++ b/tests/py/ip/reject.t.payload @@ -30,6 +30,10 @@ ip test-ip4 output ip test-ip4 output [ reject type 0 code 13 ] +# reject with icmp type 3 +ip test-ip4 output + [ reject type 0 code 3 ] + # mark 0x80000000 reject with tcp reset ip test-ip4 output [ meta load l4proto => reg 1 ] diff --git a/tests/py/ip6/reject.t b/tests/py/ip6/reject.t index 7fa04eec..79f3d557 100644 --- a/tests/py/ip6/reject.t +++ b/tests/py/ip6/reject.t @@ -9,6 +9,7 @@ reject with icmpv6 type addr-unreachable;ok reject with icmpv6 type port-unreachable;ok;reject reject with icmpv6 type policy-fail;ok reject with icmpv6 type reject-route;ok +reject with icmpv6 type 3;ok;reject with icmpv6 type addr-unreachable mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset reject with icmpv6 type host-unreachable;fail diff --git a/tests/py/ip6/reject.t.payload.ip6 b/tests/py/ip6/reject.t.payload.ip6 index dd4491ae..9f90734e 100644 --- a/tests/py/ip6/reject.t.payload.ip6 +++ b/tests/py/ip6/reject.t.payload.ip6 @@ -26,6 +26,10 @@ ip6 test-ip6 output ip6 test-ip6 output [ reject type 0 code 6 ] +# reject with icmpv6 type 3 +ip6 test-ip6 output + [ reject type 0 code 3 ] + # mark 0x80000000 reject with tcp reset ip6 test-ip6 output [ meta load l4proto => reg 1 ] -- cgit v1.2.3