diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-08-30 23:31:59 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-09-03 18:33:11 +0200 |
| commit | e2a5f72549cc5c45f16883fc82a799b0f09d66d9 (patch) | |
| tree | 78896fa4d6e6792eecc8dd60e6d34d7f81367953 /tests/shell/testcases | |
| parent | 9fe5d1bc18cfaed2ecf717e3dd9a97ff5b0e183c (diff) | |
netlink_delinearize: incorrect meta protocol dependency kill again
This patch adds __meta_dependency_may_kill() to consolidate inspection
of the meta protocol, nfproto and ether type expression to validate
dependency removal on listings.
Phil reports that 567ea4774e13 includes an update on the ip and ip6
families that is not described in the patch, moreover, it flips the
default verdict from true to false.
Fixes: 567ea4774e13 ("netlink_delinearize: incorrect meta protocol dependency kill")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
| -rwxr-xr-x | tests/shell/testcases/optimizations/dependency_kill | 48 | ||||
| -rw-r--r-- | tests/shell/testcases/optimizations/dumps/dependency_kill.nft | 42 |
2 files changed, 90 insertions, 0 deletions
diff --git a/tests/shell/testcases/optimizations/dependency_kill b/tests/shell/testcases/optimizations/dependency_kill new file mode 100755 index 00000000..904eecf8 --- /dev/null +++ b/tests/shell/testcases/optimizations/dependency_kill @@ -0,0 +1,48 @@ +#!/bin/bash + +set -e + +RULESET="table bridge foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip6 foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table netdev foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table inet foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + meta nfproto ipv4 udp dport 67 + meta nfproto ipv6 udp dport 67 + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft new file mode 100644 index 00000000..1781f7be --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft @@ -0,0 +1,42 @@ +table bridge foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip foo { + chain bar { + udp dport 67 + meta protocol ip6 udp dport 67 + udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip6 foo { + chain bar { + meta protocol ip udp dport 67 + udp dport 67 + ether type ip udp dport 67 + udp dport 67 + } +} +table netdev foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table inet foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + meta nfproto ipv4 udp dport 67 + meta nfproto ipv6 udp dport 67 + } +} |