From 8615ed93f6e4c4b105525f033b927b510469b987 Mon Sep 17 00:00:00 2001
From: Michael Braun
Date: Wed, 6 May 2020 11:46:24 +0200
Subject: evaluate: enable reject with 802.1q
This enables the use nft bridge reject with bridge vlan filtering. It depends on a kernel patch to make the kernel preserve the vlan id in nft bridge reject generation.
[ pablo: update tests/py ]
Signed-off-by: Michael Braun
Signed-off-by: Pablo Neira Ayuso
---
 tests/py/bridge/reject.t | 8 +++-----
 tests/py/bridge/reject.t.payload | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 5 deletions(-)
(limited to 'tests')
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index ee7e93c8..f5ed2038 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -30,15 +30,13 @@ reject with icmpx type port-unreachable;ok;reject
 ether type ipv6 reject with icmp type host-unreachable;fail
 ether type ip6 reject with icmp type host-unreachable;fail
 ether type ip reject with icmpv6 type no-route;fail
-ether type vlan reject;fail
+ether type vlan reject;ok
 ether type arp reject;fail
-ether type vlan reject;fail
-ether type arp reject;fail
-ether type vlan reject with tcp reset;fail
+ether type vlan reject with tcp reset;ok
 ether type arp reject with tcp reset;fail
 ip protocol udp reject with tcp reset;fail
 ether type ip reject with icmpx type admin-prohibited;ok
 ether type ip6 reject with icmpx type admin-prohibited;ok
-ether type vlan reject with icmpx type admin-prohibited;fail
+ether type vlan reject with icmpx type admin-prohibited;ok
 ether type arp reject with icmpx type admin-prohibited;fail
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index 0d10547b..7deb6fbf 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
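Review bot: The three `ether type vlan ...` expectations in reject.t flip from `fail` to `ok` without any comment recording the kernel requirement that the commit message states. These cases only check that the rule is accepted and compiles to the expected payload, so on a kernel without the companion change the rule would presumably still load while the generated reply loses its vlan id. I would put a comment above the first flipped line, for example `# vlan reject: replies are only tagged correctly on kernels that preserve the vlan id in bridge reject`. The page is limited to 'tests', so the evaluate change that relaxes the check is not visible here and could not be reviewed.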
@@ -118,3 +118,23 @@ bridge test-bridge input
 [ cmp eq reg 1 0x0000dd86 ]
 [ reject type 2 code 3 ]
+# ether type vlan reject
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 2 code 1 ]
+
+# ether type vlan reject with tcp reset
+bridge
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 1 code 0 ]
+
+# ether type vlan reject with icmpx type admin-prohibited
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 2 code 3 ]
+
-- cgit v1.2.3
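Review bot: Each new expected payload compares only the two bytes at `link header + 12` with the 802.1Q ethertype and then goes straight to `reject`, so nothing in these cases pins what is expected when the tagged frame carries a non-IP payload. The untagged cases in reject.t still expect `ether type arp reject` to fail, which suggests reject is meant to stay limited to IP traffic, and a tagged ARP frame would now match an `ether type vlan reject` rule. I would add cases that also constrain the encapsulated protocol, and one for stacked or 802.1ad tags, or state that they are out of scope with a comment in reject.t such as `# TODO: vlan reject cases for non-IP payloads and stacked tags`. The new entries also use a bare `bridge` header where the existing entry in the hunk context reads `bridge test-bridge input`; worth confirming the test runner treats both the same.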