From 567ea4774e13b1f3b06f42c74b9bd32453d70164 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 26 Aug 2021 12:24:37 +0200 Subject: netlink_delinearize: incorrect meta protocol dependency kill meta protocol is meaningful in bridge, netdev and inet families, do not remove this. Fixes: 056aaa3e6dc6 ("netlink_delinearize: Refactor meta_may_dependency_kill()") Signed-off-by: Pablo Neira Ayuso --- tests/py/bridge/meta.t | 3 +++ tests/py/bridge/meta.t.json | 54 ++++++++++++++++++++++++++++++++++++++++++ tests/py/bridge/meta.t.payload | 18 ++++++++++++++ tests/py/inet/meta.t | 4 ++++ tests/py/inet/meta.t.json | 54 ++++++++++++++++++++++++++++++++++++++++++ tests/py/inet/meta.t.payload | 18 ++++++++++++++ tests/py/ip/meta.t | 2 ++ tests/py/ip/meta.t.json | 16 +++++++++++++ tests/py/ip/meta.t.payload | 9 +++++++ tests/py/ip6/meta.t | 3 +++ tests/py/ip6/meta.t.json | 54 ++++++++++++++++++++++++++++++++++++++++++ tests/py/ip6/meta.t.payload | 18 ++++++++++++++ 12 files changed, 253 insertions(+) (limited to 'tests') diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t index eda7082f..d77ebd89 100644 --- a/tests/py/bridge/meta.t +++ b/tests/py/bridge/meta.t @@ -6,3 +6,6 @@ meta obrname "br0";ok meta ibrname "br0";ok meta ibrvproto vlan;ok;meta ibrvproto 8021q meta ibrpvid 100;ok + +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok diff --git a/tests/py/bridge/meta.t.json b/tests/py/bridge/meta.t.json index 3122774e..d7dc9d7b 100644 --- a/tests/py/bridge/meta.t.json +++ b/tests/py/bridge/meta.t.json @@ -49,3 +49,57 @@ } } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] diff --git a/tests/py/bridge/meta.t.payload b/tests/py/bridge/meta.t.payload index aa8c994b..0a39842a 100644 --- a/tests/py/bridge/meta.t.payload +++ b/tests/py/bridge/meta.t.payload @@ -17,3 +17,21 @@ bridge test-bridge input bridge test-bridge input [ meta load bri_iifpvid => reg 1 ] [ cmp eq reg 1 0x00000064 ] + +# meta protocol ip udp dport 67 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t index 3638898b..423cc5f3 100644 --- a/tests/py/inet/meta.t +++ b/tests/py/inet/meta.t @@ -12,6 +12,10 @@ meta nfproto ipv4 tcp dport 22;ok meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4 meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6 meta nfproto ipv4 counter ip saddr 1.2.3.4;ok + +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok + meta ipsec exists;ok meta secpath missing;ok;meta ipsec missing meta ibrname "br0";fail diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json index 5c0e7d2e..723a36f7 100644 --- a/tests/py/inet/meta.t.json +++ b/tests/py/inet/meta.t.json @@ -235,3 +235,57 @@ } } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload index 6ccf6d24..fd054549 100644 --- a/tests/py/inet/meta.t.payload +++ b/tests/py/inet/meta.t.payload @@ -79,3 +79,21 @@ inet test-inet input [ ct load mark => reg 1 ] [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ] [ meta set mark with reg 1 ] + +# meta protocol ip udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t index f733d22d..fecd0caf 100644 --- a/tests/py/ip/meta.t +++ b/tests/py/ip/meta.t @@ -8,6 +8,8 @@ meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-adv meta l4proto 58 icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert icmpv6 type nd-router-advert;ok +meta protocol ip udp dport 67;ok + meta ibrname "br0";fail meta obrname "br0";fail diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json index f83864f6..3df31ce3 100644 --- a/tests/py/ip/meta.t.json +++ b/tests/py/ip/meta.t.json @@ -140,3 +140,19 @@ "accept": null } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload index 7bc69a29..a1fd0086 100644 --- a/tests/py/ip/meta.t.payload +++ b/tests/py/ip/meta.t.payload @@ -44,3 +44,12 @@ ip6 test-ip4 input [ meta load sdifname => reg 1 ] [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ] [ immediate reg 0 accept ] + +# meta protocol ip udp dport 67 +ip test-ip4 input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] diff --git a/tests/py/ip6/meta.t b/tests/py/ip6/meta.t index dce97f5b..2c1aee23 100644 --- a/tests/py/ip6/meta.t +++ b/tests/py/ip6/meta.t @@ -9,5 +9,8 @@ meta l4proto icmp icmp type echo-request;ok;icmp type echo-request meta l4proto 1 icmp type echo-request;ok;icmp type echo-request icmp type echo-request;ok +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok + meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok diff --git a/tests/py/ip6/meta.t.json b/tests/py/ip6/meta.t.json index e72350f3..351320d7 100644 --- a/tests/py/ip6/meta.t.json +++ b/tests/py/ip6/meta.t.json @@ -140,3 +140,57 @@ "accept": null } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] diff --git a/tests/py/ip6/meta.t.payload b/tests/py/ip6/meta.t.payload index be04816e..59c20d99 100644 --- a/tests/py/ip6/meta.t.payload +++ b/tests/py/ip6/meta.t.payload @@ -44,3 +44,21 @@ ip6 test-ip6 input [ meta load sdifname => reg 1 ] [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ] [ immediate reg 0 accept ] + +# meta protocol ip udp dport 67 +ip6 test-ip6 input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +ip6 test-ip6 input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] -- cgit v1.2.3