diff options
| author | Phil Sutter <phil@nwl.cc> | 2021-01-26 18:37:12 +0100 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2021-01-27 17:21:25 +0100 |
| commit | 7ca3368cd7575e710114fc60e8ecc8ffba95154d (patch) | |
| tree | 554026eda46d9f43cc58d63152934f765a03061d /src/netlink_delinearize.c | |
| parent | a206f22bdbd03a9c8dcf2f98e3ed7566b198d281 (diff) | |
reject: Unify inet, netdev and bridge delinearization
Postprocessing for inet family did not attempt to kill any existing
payload dependency, although it is perfectly fine to do so. The mere
culprit is to not abbreviate default code rejects as that would drop
needed protocol info as a side-effect. Since postprocessing is then
almost identical to that of bridge and netdev families, merge them.
While being at it, extend tests/py/netdev/reject.t by a few more tests
taken from inet/reject.t so this covers icmpx rejects as well.
Cc: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'src/netlink_delinearize.c')
| -rw-r--r-- | src/netlink_delinearize.c | 24 |
1 files changed, 4 insertions, 20 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index ca4d723d..04560b97 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -2473,23 +2473,6 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx) payload_dependency_release(&rctx->pdctx); break; case NFPROTO_INET: - if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) { - datatype_set(stmt->reject.expr, &icmpx_code_type); - break; - } - base = rctx->pctx.protocol[PROTO_BASE_LL_HDR].desc; - desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; - protocol = proto_find_num(base, desc); - switch (protocol) { - case NFPROTO_IPV4: - datatype_set(stmt->reject.expr, &icmp_code_type); - break; - case NFPROTO_IPV6: - datatype_set(stmt->reject.expr, &icmpv6_code_type); - break; - } - stmt->reject.family = protocol; - break; case NFPROTO_BRIDGE: case NFPROTO_NETDEV: if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) { @@ -2506,11 +2489,13 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx) desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; protocol = proto_find_num(base, desc); switch (protocol) { - case __constant_htons(ETH_P_IP): + case NFPROTO_IPV4: /* INET */ + case __constant_htons(ETH_P_IP): /* BRIDGE, NETDEV */ stmt->reject.family = NFPROTO_IPV4; datatype_set(stmt->reject.expr, &icmp_code_type); break; - case __constant_htons(ETH_P_IPV6): + case NFPROTO_IPV6: /* INET */ + case __constant_htons(ETH_P_IPV6): /* BRIDGE, NETDEV */ stmt->reject.family = NFPROTO_IPV6; datatype_set(stmt->reject.expr, &icmpv6_code_type); break; @@ -2520,7 +2505,6 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx) if (payload_dependency_exists(&rctx->pdctx, PROTO_BASE_NETWORK_HDR)) payload_dependency_release(&rctx->pdctx); - break; default: break; |