All of lore.kernel.org
 help / color / mirror / Atom feed
From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org,
	"Jose M . Guisado Gomez" <guigom@riseup.net>
Subject: [nft PATCH 1/2] reject: Fix for missing dependencies in netdev family
Date: Tue, 26 Jan 2021 18:55:39 +0100	[thread overview]
Message-ID: <20210126175540.9557-1-phil@nwl.cc> (raw)

Like with bridge family, rejecting with either icmp or icmpv6 must
create a dependency match on meta protocol. Upon delinearization, treat
netdev reject identical to bridge as well so no family info is lost.

This makes reject statement in netdev family fully symmetric so fix
the tests in tests/py/netdev/reject.t, adjust the related payload dumps
and add JSON equivalents which were missing altogether.

Fixes: 0c42a1f2a0cc5 ("evaluate: add netdev support for reject default")
Fixes: a51a0bec1f698 ("tests: py: add netdev folder and reject.t icmp cases")
Cc: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/evaluate.c                   |   3 +-
 src/netlink_delinearize.c        |   1 +
 tests/py/netdev/reject.t         |  26 +++---
 tests/py/netdev/reject.t.json    | 137 +++++++++++++++++++++++++++++++
 tests/py/netdev/reject.t.payload |  42 ++++++++--
 5 files changed, 187 insertions(+), 22 deletions(-)
 create mode 100644 tests/py/netdev/reject.t.json

diff --git a/src/evaluate.c b/src/evaluate.c
index 53f636b7ebe79..c06de4d9b8d03 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2720,7 +2720,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
 	const struct proto_desc *desc;
 
 	desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
-	if (desc != &proto_eth && desc != &proto_vlan)
+	if (desc != &proto_eth && desc != &proto_vlan && desc != &proto_netdev)
 		return stmt_binary_error(ctx,
 					 &ctx->pctx.protocol[PROTO_BASE_LL_HDR],
 					 stmt, "unsupported link layer protocol");
@@ -2760,6 +2760,7 @@ static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
 		}
 		break;
 	case NFPROTO_BRIDGE:
+	case NFPROTO_NETDEV:
 		if (stmt_evaluate_reject_bridge(ctx, stmt, expr) < 0)
 			return -1;
 		break;
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 7315072284119..ca4d723dea0ec 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2491,6 +2491,7 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 		stmt->reject.family = protocol;
 		break;
 	case NFPROTO_BRIDGE:
+	case NFPROTO_NETDEV:
 		if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
 			datatype_set(stmt->reject.expr, &icmpx_code_type);
 			break;
diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t
index a4434b6c126b6..8f8c4e0375977 100644
--- a/tests/py/netdev/reject.t
+++ b/tests/py/netdev/reject.t
@@ -2,19 +2,19 @@
 
 *netdev;test-netdev;ingress
 
-reject with icmp type host-unreachable;ok;reject
-reject with icmp type net-unreachable;ok;reject
-reject with icmp type prot-unreachable;ok;reject
-reject with icmp type port-unreachable;ok;reject
-reject with icmp type net-prohibited;ok;reject
-reject with icmp type host-prohibited;ok;reject
-reject with icmp type admin-prohibited;ok;reject
+reject with icmp type host-unreachable;ok
+reject with icmp type net-unreachable;ok
+reject with icmp type prot-unreachable;ok
+reject with icmp type port-unreachable;ok
+reject with icmp type net-prohibited;ok
+reject with icmp type host-prohibited;ok
+reject with icmp type admin-prohibited;ok
 
-reject with icmpv6 type no-route;ok;reject
-reject with icmpv6 type admin-prohibited;ok;reject
-reject with icmpv6 type addr-unreachable;ok;reject
-reject with icmpv6 type port-unreachable;ok;reject
-reject with icmpv6 type policy-fail;ok;reject
-reject with icmpv6 type reject-route;ok;reject
+reject with icmpv6 type no-route;ok
+reject with icmpv6 type admin-prohibited;ok
+reject with icmpv6 type addr-unreachable;ok
+reject with icmpv6 type port-unreachable;ok
+reject with icmpv6 type policy-fail;ok
+reject with icmpv6 type reject-route;ok
 
 reject;ok
diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json
new file mode 100644
index 0000000000000..ffc72794ac611
--- /dev/null
+++ b/tests/py/netdev/reject.t.json
@@ -0,0 +1,137 @@
+# reject with icmp type host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp type net-unreachable
+[
+    {
+        "reject": {
+            "expr": "net-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp type prot-unreachable
+[
+    {
+        "reject": {
+            "expr": "prot-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp type port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp type net-prohibited
+[
+    {
+        "reject": {
+            "expr": "net-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp type host-prohibited
+[
+    {
+        "reject": {
+            "expr": "host-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp type admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmpv6 type no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 type admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 type addr-unreachable
+[
+    {
+        "reject": {
+            "expr": "addr-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 type port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 type policy-fail
+[
+    {
+        "reject": {
+            "expr": "policy-fail",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 type reject-route
+[
+    {
+        "reject": {
+            "expr": "reject-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject
+[
+    {
+        "reject": null
+    }
+]
+
diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload
index d3af2f33b43a7..aead412772c0d 100644
--- a/tests/py/netdev/reject.t.payload
+++ b/tests/py/netdev/reject.t.payload
@@ -1,56 +1,82 @@
 # reject with icmp type host-unreachable
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
   [ reject type 0 code 1 ]
 
-# reject
-netdev 
-  [ reject type 2 code 1 ]
-
-# reject with icmp type admin-prohibited
-netdev 
-  [ reject type 0 code 13 ]
-
 # reject with icmp type net-unreachable
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
   [ reject type 0 code 0 ]
 
 # reject with icmp type prot-unreachable
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
   [ reject type 0 code 2 ]
 
 # reject with icmp type port-unreachable
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
   [ reject type 0 code 3 ]
 
 # reject with icmp type net-prohibited
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
   [ reject type 0 code 9 ]
 
 # reject with icmp type host-prohibited
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
   [ reject type 0 code 10 ]
 
+# reject with icmp type admin-prohibited
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 13 ]
+
 # reject with icmpv6 type no-route
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
   [ reject type 0 code 0 ]
 
 # reject with icmpv6 type admin-prohibited
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
   [ reject type 0 code 1 ]
 
 # reject with icmpv6 type addr-unreachable
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
   [ reject type 0 code 3 ]
 
 # reject with icmpv6 type port-unreachable
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
   [ reject type 0 code 4 ]
 
 # reject with icmpv6 type policy-fail
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
   [ reject type 0 code 5 ]
 
 # reject with icmpv6 type reject-route
 netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
   [ reject type 0 code 6 ]
 
+# reject
+netdev 
+  [ reject type 2 code 1 ]
+
-- 
2.28.0


             reply	other threads:[~2021-01-27 10:02 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-26 17:55 Phil Sutter [this message]
2021-01-26 17:55 ` [nft PATCH 2/2] reject: Unify inet, netdev and bridge delinearization Phil Sutter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210126175540.9557-1-phil@nwl.cc \
    --to=phil@nwl.cc \
    --cc=guigom@riseup.net \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.