diff options
| author | Florian Westphal <fw@strlen.de> | 2019-06-18 20:43:57 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2019-06-19 22:49:36 +0200 |
| commit | ea046380431f5cc623daf8c9d7b2c5438a90a84f (patch) | |
| tree | 818619874ae94cf0561105500f078bf4eae8388b /tests/py/bridge | |
| parent | 29740423f948b6f8ca11b250b6088df689d882dc (diff) | |
netlink_delinerize: remove network header dep for reject statement also in bridge family
add rule bridge test-bridge input reject with icmp type ...
is shown as
ether type ip reject type ...
i.e., the dependency is not removed.
Allow dependency removal -- this adds a problem where some icmp types
will be shortened to 'reject', losing the icmp ipv4 dependency.
Next patch resolves this problem by disabling short-hand abbreviations
for bridge reject statements.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/bridge')
| -rw-r--r-- | tests/py/bridge/ether.t.json.output | 48 | ||||
| -rw-r--r-- | tests/py/bridge/reject.t | 28 | ||||
| -rw-r--r-- | tests/py/bridge/reject.t.json.output | 169 |
3 files changed, 45 insertions, 200 deletions
diff --git a/tests/py/bridge/ether.t.json.output b/tests/py/bridge/ether.t.json.output index 05e568f6..5bb2e47a 100644 --- a/tests/py/bridge/ether.t.json.output +++ b/tests/py/bridge/ether.t.json.output @@ -8,7 +8,7 @@ "protocol": "tcp" } }, - "op": "==", + "op": "==", "right": 22 } }, @@ -16,46 +16,15 @@ "match": { "left": { "payload": { - "field": "saddr", - "protocol": "ether" - } - }, - "op": "==", - "right": "00:0f:54:0c:11:04" - } - }, - { - "match": { - "left": { - "payload": { "field": "daddr", "protocol": "ip" } }, - "op": "==", + "op": "==", "right": "1.2.3.4" } }, { - "accept": null - } -] - -# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "tcp" - } - }, - "op": "==", - "right": 22 - } - }, - { "match": { "left": { "payload": { @@ -63,21 +32,12 @@ "protocol": "ether" } }, - "op": "==", + "op": "==", "right": "00:0f:54:0c:11:04" } }, { - "match": { - "left": { - "payload": { - "field": "daddr", - "protocol": "ip" - } - }, - "op": "==", - "right": "1.2.3.4" - } + "accept": null } ] diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t index ad5280f7..ee7e93c8 100644 --- a/tests/py/bridge/reject.t +++ b/tests/py/bridge/reject.t @@ -3,24 +3,24 @@ *bridge;test-bridge;input # The output is specific for bridge family -reject with icmp type host-unreachable;ok;ether type ip reject with icmp type host-unreachable -reject with icmp type net-unreachable;ok;ether type ip reject with icmp type net-unreachable -reject with icmp type prot-unreachable;ok;ether type ip reject with icmp type prot-unreachable -reject with icmp type port-unreachable;ok;ether type ip reject -reject with icmp type net-prohibited;ok;ether type ip reject with icmp type net-prohibited -reject with icmp type host-prohibited;ok;ether type ip reject with icmp type host-prohibited -reject with icmp type admin-prohibited;ok;ether type ip reject with icmp type admin-prohibited - -reject with icmpv6 type no-route;ok;ether type ip6 reject with icmpv6 type no-route -reject with icmpv6 type admin-prohibited;ok;ether type ip6 reject with icmpv6 type admin-prohibited -reject with icmpv6 type addr-unreachable;ok;ether type ip6 reject with icmpv6 type addr-unreachable -reject with icmpv6 type port-unreachable;ok;ether type ip6 reject +reject with icmp type host-unreachable;ok +reject with icmp type net-unreachable;ok +reject with icmp type prot-unreachable;ok +reject with icmp type port-unreachable;ok +reject with icmp type net-prohibited;ok +reject with icmp type host-prohibited;ok +reject with icmp type admin-prohibited;ok + +reject with icmpv6 type no-route;ok +reject with icmpv6 type admin-prohibited;ok +reject with icmpv6 type addr-unreachable;ok +reject with icmpv6 type port-unreachable;ok mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset reject;ok -ether type ip reject;ok -ether type ip6 reject;ok +ether type ip reject;ok;reject with icmp type port-unreachable +ether type ip6 reject;ok;reject with icmpv6 type port-unreachable reject with icmpx type host-unreachable;ok reject with icmpx type no-route;ok diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output index 08dfaf6a..4f83f803 100644 --- a/tests/py/bridge/reject.t.json.output +++ b/tests/py/bridge/reject.t.json.output @@ -1,18 +1,6 @@ # reject with icmp type host-unreachable [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, - { "reject": { "expr": "host-unreachable", "type": "icmp" @@ -23,18 +11,6 @@ # reject with icmp type net-unreachable [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, - { "reject": { "expr": "net-unreachable", "type": "icmp" @@ -45,18 +21,6 @@ # reject with icmp type prot-unreachable [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, - { "reject": { "expr": "prot-unreachable", "type": "icmp" @@ -64,40 +28,9 @@ } ] -# reject with icmp type port-unreachable -[ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, - { - "reject": null - } -] - # reject with icmp type net-prohibited [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, - { "reject": { "expr": "net-prohibited", "type": "icmp" @@ -108,18 +41,6 @@ # reject with icmp type host-prohibited [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, - { "reject": { "expr": "host-prohibited", "type": "icmp" @@ -130,18 +51,6 @@ # reject with icmp type admin-prohibited [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip" - } - }, - { "reject": { "expr": "admin-prohibited", "type": "icmp" @@ -152,18 +61,6 @@ # reject with icmpv6 type no-route [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip6" - } - }, - { "reject": { "expr": "no-route", "type": "icmpv6" @@ -174,18 +71,6 @@ # reject with icmpv6 type admin-prohibited [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip6" - } - }, - { "reject": { "expr": "admin-prohibited", "type": "icmpv6" @@ -196,18 +81,6 @@ # reject with icmpv6 type addr-unreachable [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip6" - } - }, - { "reject": { "expr": "addr-unreachable", "type": "icmpv6" @@ -218,19 +91,10 @@ # reject with icmpv6 type port-unreachable [ { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "ether" - } - }, - "op": "==", - "right": "ip6" + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" } - }, - { - "reject": null } ] @@ -239,9 +103,11 @@ { "match": { "left": { - "meta": { "key": "mark" } + "meta": { + "key": "mark" + } }, - "op": "==", + "op": "==", "right": 12345 } }, @@ -253,7 +119,7 @@ "protocol": "ip" } }, - "op": "==", + "op": "==", "right": 6 } }, @@ -271,3 +137,22 @@ } ] +# ether type ip reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# ether type ip6 reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] |