summaryrefslogtreecommitdiffstats
path: root/tests/py/inet
diff options
context:
space:
mode:
authorArturo Borrero Gonzalez <arturo@debian.org>2017-01-25 12:51:08 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2017-01-27 13:32:07 +0100
commit0011985554e269e1cc8f8e5b41eb9dcd795ebe8c (patch)
tree392226c43e6fdc546eec65c84f73186fa0b22bb1 /tests/py/inet
parentc875374f4c846fddf22026db479e73e6ddb3b5b3 (diff)
payload: explicit network ctx assignment for icmp/icmp6 in special families
In the inet, bridge and netdev families, we can add rules like these: % nft add rule inet t c ip protocol icmp icmp type echo-request % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request However, when we print the ruleset: % nft list ruleset table inet t { chain c { icmpv6 type echo-request icmp type echo-request } } These rules we obtain can't be added again: % nft add rule inet t c icmp type echo-request <cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp add rule inet t c icmp type echo-request ^^^^^^^^^ % nft add rule inet t c icmpv6 type echo-request <cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6 add rule inet t c icmpv6 type echo-request ^^^^^^^^^^^ Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet carrying ICMP, if the link layer is inet, the network layer protocol context can be safely update to 'ip' or 'ip6'. Moreover, nft currently generates a 'meta nfproto ipvX' depedency when using icmp or icmp6 in the inet family, and similar in netdev and bridge families. While at it, a bit of code factorization is introduced. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073 Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/inet')
-rw-r--r--tests/py/inet/icmpX.t8
-rw-r--r--tests/py/inet/icmpX.t.payload36
2 files changed, 44 insertions, 0 deletions
diff --git a/tests/py/inet/icmpX.t b/tests/py/inet/icmpX.t
new file mode 100644
index 00000000..1b467a18
--- /dev/null
+++ b/tests/py/inet/icmpX.t
@@ -0,0 +1,8 @@
+:input;type filter hook input priority 0
+
+*inet;test-inet;input
+
+ip protocol icmp icmp type echo-request;ok;icmp type echo-request
+icmp type echo-request;ok
+ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;icmpv6 type echo-request
+icmpv6 type echo-request;ok
diff --git a/tests/py/inet/icmpX.t.payload b/tests/py/inet/icmpX.t.payload
new file mode 100644
index 00000000..81ca7744
--- /dev/null
+++ b/tests/py/inet/icmpX.t.payload
@@ -0,0 +1,36 @@
+# ip protocol icmp icmp type echo-request
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# icmp type echo-request
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000080 ]
+
+# icmpv6 type echo-request
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000080 ]
+