author Michael Braun <michael-dev@fami-braun.de> 2020-05-06 11:46:24 +0200
committer Pablo Neira Ayuso <pablo@netfilter.org> 2020-05-28 00:04:44 +0200
commit 8615ed93f6e4c4b105525f033b927b510469b987
tree 064dd3adc997e0a3c3d494b97d9dfa1146250856 /tests/py/bridge/reject.t.payload
parent 2a20b5bdbde8a1b510f75b1522772b07e51a77d7
evaluate: enable reject with 802.1q
This enables the use of nft bridge reject with bridge vlan filtering.

It depends on a kernel patch to make the kernel preserve the vlan id in nft bridge reject generation.

[ pablo: update tests/py ]

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/bridge/reject.t.payload')
-rw-r--r-- tests/py/bridge/reject.t.payload 20
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index 0d10547b..7deb6fbf 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
@@ -118,3 +118,23 @@ bridge test-bridge input
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 2 code 3 ]
+# ether type vlan reject
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 2 code 1 ]
+
+# ether type vlan reject with tcp reset
+bridge
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 1 code 0 ]
+
+# ether type vlan reject with icmpx type admin-prohibited
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 2 code 3 ]
+
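Review bot: All three added cases match only the ethertype at link header + 12 (`cmp eq reg 1 0x00000081`), so none exercises a rule that matches on the vlan id itself, even though the commit message ties this feature to the vlan id being preserved in the generated reject. Consider adding a case that matches an explicit vlan id before the reject, so the expected payload also covers the tagged-header offsets. A one-line comment above these cases noting the kernel-side dependency mentioned in the commit message would also help anyone whose test run fails on an older kernel.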