From 7ca3368cd7575e710114fc60e8ecc8ffba95154d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 26 Jan 2021 18:37:12 +0100
Subject: reject: Unify inet, netdev and bridge delinearization

Postprocessing for inet family did not attempt to kill any existing
payload dependency, although it is perfectly fine to do so. The mere
culprit is to not abbreviate default code rejects as that would drop
needed protocol info as a side-effect. Since postprocessing is then
almost identical to that of bridge and netdev families, merge them.

While being at it, extend tests/py/netdev/reject.t by a few more tests
taken from inet/reject.t so this covers icmpx rejects as well.

Cc: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/netlink_delinearize.c | 24 ++++--------------------
 1 file changed, 4 insertions(+), 20 deletions(-)

(limited to 'src/netlink_delinearize.c')

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index ca4d723d..04560b97 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2473,23 +2473,6 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 			payload_dependency_release(&rctx->pdctx);
 		break;
 	case NFPROTO_INET:
-		if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
-			datatype_set(stmt->reject.expr, &icmpx_code_type);
-			break;
-		}
-		base = rctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
-		desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
-		protocol = proto_find_num(base, desc);
-		switch (protocol) {
-		case NFPROTO_IPV4:
-			datatype_set(stmt->reject.expr, &icmp_code_type);
-			break;
-		case NFPROTO_IPV6:
-			datatype_set(stmt->reject.expr, &icmpv6_code_type);
-			break;
-		}
-		stmt->reject.family = protocol;
-		break;
 	case NFPROTO_BRIDGE:
 	case NFPROTO_NETDEV:
 		if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
@@ -2506,11 +2489,13 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 		desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
 		protocol = proto_find_num(base, desc);
 		switch (protocol) {
-		case __constant_htons(ETH_P_IP):
+		case NFPROTO_IPV4:			/* INET */
+		case __constant_htons(ETH_P_IP):	/* BRIDGE, NETDEV */
 			stmt->reject.family = NFPROTO_IPV4;
 			datatype_set(stmt->reject.expr, &icmp_code_type);
 			break;
-		case __constant_htons(ETH_P_IPV6):
+		case NFPROTO_IPV6:			/* INET */
+		case __constant_htons(ETH_P_IPV6):	/* BRIDGE, NETDEV */
 			stmt->reject.family = NFPROTO_IPV6;
 			datatype_set(stmt->reject.expr, &icmpv6_code_type);
 			break;
@@ -2520,7 +2505,6 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 
 		if (payload_dependency_exists(&rctx->pdctx, PROTO_BASE_NETWORK_HDR))
 			payload_dependency_release(&rctx->pdctx);
-
 		break;
 	default:
 		break;
-- 
cgit v1.2.3