summaryrefslogtreecommitdiffstats
path: root/tests/py/bridge/reject.t.payload
Commit message (Collapse)AuthorAgeFilesLines
* evaluate: enable reject with 802.1qMichael Braun2020-05-281-0/+20
| | | | | | | | | | | | This enables the use nft bridge reject with bridge vlan filtering. It depends on a kernel patch to make the kernel preserve the vlan id in nft bridge reject generation. [ pablo: update tests/py ] Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: prefer meta protocol as bridge l3 dependencyFlorian Westphal2019-06-191-12/+12
| | | | | | | | | | | | | | | | | | | On families other than 'ip', the rule ip protocol icmp needs a dependency on the ip protocol so we do not treat e.g. an ipv6 header as ip. Bridge currently uses eth_hdr.type for this, but that will cause the rule above to not match in case the ip packet is within a VLAN tagged frame -- ether.type will appear as ETH_P_8021Q. Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer to use this instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reject: Allow icmpx in inet/bridge familiesPhil Sutter2018-08-141-0/+12
| | | | | | | | | | | | | | | | | | | Commit 3e6ab2b335142 added restraints on reject types for bridge and inet families but aparently those were too strict: If a rule in e.g. inet family contained a match which introduced a protocol dependency, icmpx type rejects were disallowed for no obvious reason. Allow icmpx type rejects in inet family regardless of protocol dependency since we either have IPv4 or IPv6 traffic in there and for both icmpx is fine. Merge restraints in bridge family with those for TCP reset since it already does what is needed, namely checking that ether proto is either IPv4 or IPv6. Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add ip reject with tcp and check for mark tooFlorian Westphal2017-05-181-1/+3
| | | | | | | ... to avoid resetting e.g. the ssh session to the vm that runs nft-test.py. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/: rearrange tests directoryArturo Borrero2015-12-151-0/+106
Rearrange the directory to obtain a better organization of files and tests-suites. We end with a tree like this: tests | .--- py .--- shell .--- files This was suggested by Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>