From ea046380431f5cc623daf8c9d7b2c5438a90a84f Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Tue, 18 Jun 2019 20:43:57 +0200 Subject: netlink_delinerize: remove network header dep for reject statement also in bridge family add rule bridge test-bridge input reject with icmp type ... is shown as ether type ip reject type ... i.e., the dependency is not removed. Allow dependency removal -- this adds a problem where some icmp types will be shortened to 'reject', losing the icmp ipv4 dependency. Next patch resolves this problem by disabling short-hand abbreviations for bridge reject statements. Signed-off-by: Florian Westphal Acked-by: Pablo Neira Ayuso --- tests/py/bridge/ether.t.json.output | 48 +--------- tests/py/bridge/reject.t | 28 +++--- tests/py/bridge/reject.t.json.output | 169 ++++++----------------------------- 3 files changed, 45 insertions(+), 200 deletions(-) (limited to 'tests') diff --git a/tests/py/bridge/ether.t.json.output b/tests/py/bridge/ether.t.json.output index 05e568f6..5bb2e47a 100644 --- a/tests/py/bridge/ether.t.json.output +++ b/tests/py/bridge/ether.t.json.output @@ -8,22 +8,10 @@ "protocol": "tcp" } }, - "op": "==", + "op": "==", "right": 22 } }, - { - "match": { - "left": { - "payload": { - "field": "saddr", - "protocol": "ether" - } - }, - "op": "==", - "right": "00:0f:54:0c:11:04" - } - }, { "match": { "left": { @@ -32,29 +20,10 @@ "protocol": "ip" } }, - "op": "==", + "op": "==", "right": "1.2.3.4" } }, - { - "accept": null - } -] - -# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "tcp" - } - }, - "op": "==", - "right": 22 - } - }, { "match": { "left": { @@ -63,21 +32,12 @@ "protocol": "ether" } }, - "op": "==", + "op": "==", "right": "00:0f:54:0c:11:04" } }, { - "match": { - "left": { - "payload": { - "field": "daddr", - "protocol": "ip" - } - }, - "op": "==", - "right": "1.2.3.4" - } + "accept": null } ] 
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index ad5280f7..ee7e93c8 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -3,24 +3,24 @@ *bridge;test-bridge;input # The output is specific for bridge family -reject with icmp type host-unreachable;ok;ether type ip reject with icmp type host-unreachable -reject with icmp type net-unreachable;ok;ether type ip reject with icmp type net-unreachable -reject with icmp type prot-unreachable;ok;ether type ip reject with icmp type prot-unreachable -reject with icmp type port-unreachable;ok;ether type ip reject -reject with icmp type net-prohibited;ok;ether type ip reject with icmp type net-prohibited -reject with icmp type host-prohibited;ok;ether type ip reject with icmp type host-prohibited -reject with icmp type admin-prohibited;ok;ether type ip reject with icmp type admin-prohibited - -reject with icmpv6 type no-route;ok;ether type ip6 reject with icmpv6 type no-route -reject with icmpv6 type admin-prohibited;ok;ether type ip6 reject with icmpv6 type admin-prohibited -reject with icmpv6 type addr-unreachable;ok;ether type ip6 reject with icmpv6 type addr-unreachable -reject with icmpv6 type port-unreachable;ok;ether type ip6 reject +reject with icmp type host-unreachable;ok +reject with icmp type net-unreachable;ok +reject with icmp type prot-unreachable;ok +reject with icmp type port-unreachable;ok +reject with icmp type net-prohibited;ok +reject with icmp type host-prohibited;ok +reject with icmp type admin-prohibited;ok + +reject with icmpv6 type no-route;ok +reject with icmpv6 type admin-prohibited;ok +reject with icmpv6 type addr-unreachable;ok +reject with icmpv6 type port-unreachable;ok mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset reject;ok -ether type ip reject;ok -ether type ip6 reject;ok +ether type ip reject;ok;reject with icmp type port-unreachable +ether type ip6 reject;ok;reject with icmpv6 type port-unreachable reject with icmpx type host-unreachable;ok reject with icmpx type no-route;ok 
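Review bot: The rewritten expectations `reject with icmp type port-unreachable;ok` and `reject with icmpv6 type port-unreachable;ok` require the listing to print the full statement, which looks like the behaviour of the follow-up patch rather than of this one. These two lines would therefore likely fail with the tree checked out at this commit; this is inferred from the description, because the page is limited to 'tests' and the delinearize change is not shown. Keeping the shortened expectation here and tightening it in the follow-up, or folding the two patches, would keep the test suite bisectable. With the `ether type` match no longer printed, the icmp/icmpv6 type is the only part of the listing that still pins the address family, so a listing that drops it would presumably reload as a rule covering both families. A comment above the block would record that, for example `# the icmp/icmpv6 type must survive listing: it is the only l3 dependency left once 'ether type' is dropped`.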
diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output index 08dfaf6a..4f83f803 100644 --- a/tests/py/bridge/reject.t.json.output +++ b/tests/py/bridge/reject.t.json.output @@ -1,17 +1,5 @@ # reject with icmp type host-unreachable [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, { "reject": { "expr": "host-unreachable", @@ -22,18 +10,6 @@ # reject with icmp type net-unreachable [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, { "reject": { "expr": "net-unreachable", @@ -44,18 +20,6 @@ # reject with icmp type prot-unreachable [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, { "reject": { "expr": "prot-unreachable", @@ -64,39 +28,8 @@ } ] -# reject with icmp type port-unreachable -[ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, - { - "reject": null - } -] - # reject with icmp type net-prohibited [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, { "reject": { "expr": "net-prohibited", @@ -107,18 +40,6 @@ # reject with icmp type host-prohibited [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, { "reject": { "expr": "host-prohibited", @@ -129,18 +50,6 @@ # reject with icmp type admin-prohibited [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, { "reject": { "expr": "admin-prohibited", 
@@ -151,18 +60,6 @@ # reject with icmpv6 type no-route [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip6" - } - }, { "reject": { "expr": "no-route", @@ -173,18 +70,6 @@ # reject with icmpv6 type admin-prohibited [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip6" - } - }, { "reject": { "expr": "admin-prohibited", @@ -195,18 +80,6 @@ # reject with icmpv6 type addr-unreachable [ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip6" - } - }, { "reject": { "expr": "addr-unreachable", @@ -218,19 +91,10 @@ # reject with icmpv6 type port-unreachable [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip6" + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" } - }, - { - "reject": null } ] @@ -239,9 +103,11 @@ { "match": { "left": { - "meta": { "key": "mark" } + "meta": { + "key": "mark" + } }, - "op": "==", + "op": "==", "right": 12345 } }, @@ -253,7 +119,7 @@ "protocol": "ip" } }, - "op": "==", + "op": "==", "right": 6 } }, @@ -271,3 +137,22 @@ } ] +# ether type ip reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# ether type ip6 reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] -- cgit v1.2.3
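Review bot: The record for `# reject with icmp type port-unreachable` is deleted outright in the hunk at `-64,39 +28,8`, while its icmpv6 counterpart at `-218,19 +91,10` is kept and rewritten to the explicit `"expr": "port-unreachable", "type": "icmpv6"` form. If this file is meant to hold only outputs that differ from the input JSON (an assumption, since `reject.t.json` is not shown), the icmpv6 record is now redundant. If it is meant to pin the explicit form, the icmp record should be kept in the same shape. Treating both families alike keeps the regression coverage for the lost-dependency case symmetric, alongside the new `# ether type ip reject` and `# ether type ip6 reject` records at the end of the file.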