diff options
| author | Florian Westphal <fw@strlen.de> | 2019-06-18 20:43:59 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2019-06-19 22:52:45 +0200 |
| commit | fb5a36ad5c1032244cf76171648fdefbbe571519 (patch) | |
| tree | bf6972f5c6d3be9f5128a337daa649c227ab86c1 /tests/py/bridge/reject.t.payload | |
| parent | b65ea148d8f8edc4ef5774154b1aca25d884d500 (diff) | |
src: prefer meta protocol as bridge l3 dependency
On families other than 'ip', the rule
ip protocol icmp
needs a dependency on the ip protocol so we do not treat e.g. an ipv6
header as ip.
Bridge currently uses eth_hdr.type for this, but that will cause the
rule above to not match in case the ip packet is within a VLAN tagged
frame -- ether.type will appear as ETH_P_8021Q.
Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer
to use this instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/bridge/reject.t.payload')
| -rw-r--r-- | tests/py/bridge/reject.t.payload | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload index 888179df..0d10547b 100644 --- a/tests/py/bridge/reject.t.payload +++ b/tests/py/bridge/reject.t.payload @@ -1,66 +1,66 @@ # reject with icmp type host-unreachable bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 1 ] # reject with icmp type net-unreachable bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 0 ] # reject with icmp type prot-unreachable bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 2 ] # reject with icmp type port-unreachable bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 3 ] # reject with icmp type net-prohibited bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 9 ] # reject with icmp type host-prohibited bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 10 ] # reject with icmp type admin-prohibited bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 13 ] # reject with icmpv6 type no-route bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 0 ] # reject with icmpv6 type admin-prohibited bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 1 ] # reject with icmpv6 type addr-unreachable bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 3 ] # reject with icmpv6 type port-unreachable bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 4 ] @@ -68,7 +68,7 @@ bridge test-bridge input bridge test-bridge input [ meta load mark => reg 1 ] [ cmp eq reg 1 0x00003039 ] - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] |