From f47941faed177fd3943c7eaf9408e9e6481595f6 Mon Sep 17 00:00:00 2001
|
||
|
From: Phil Sutter <phil@nwl.cc>
|
||
|
Date: Mon, 13 Aug 2018 18:58:57 +0200
|
||
|
Subject: [PATCH] evaluate: reject: Allow icmpx in inet/bridge families
|
||
|
|
||
|
Commit 3e6ab2b335142 added restraints on reject types for bridge and
|
||
|
inet families but apparently those were too strict: If a rule in e.g.
|
||
|
inet family contained a match which introduced a protocol dependency,
|
||
|
icmpx type rejects were disallowed for no obvious reason.
|
||
|
|
||
|
Allow icmpx type rejects in inet family regardless of protocol
|
||
|
dependency since we either have IPv4 or IPv6 traffic in there and for
|
||
|
both icmpx is fine.
|
||
|
|
||
|
Merge restraints in bridge family with those for TCP reset since it
|
||
|
already does what is needed, namely checking that ether proto is either
|
||
|
IPv4 or IPv6.
|
||
|
|
||
|
Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
|
||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|
(cherry picked from commit 8d2c3c72935443228b5e0492c8d3e2e2048c0c5a)
|
||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||
|
---
|
||
|
src/evaluate.c | 7 +----
|
||
|
tests/py/bridge/reject.t | 5 ++++
|
||
|
tests/py/bridge/reject.t.json | 44 +++++++++++++++++++++++++++++
|
||
|
tests/py/bridge/reject.t.payload | 12 ++++++++
|
||
|
tests/py/inet/reject.t | 3 ++
|
||
|
tests/py/inet/reject.t.json | 42 +++++++++++++++++++++++++++
|
||
|
tests/py/inet/reject.t.payload.inet | 12 ++++++++
|
||
|
7 files changed, 119 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/src/evaluate.c b/src/evaluate.c
|
||
|
index c4ee3cc94a3db..d18af34341b0d 100644
|
||
|
--- a/src/evaluate.c
|
||
|
+++ b/src/evaluate.c
|
||
|
@@ -2130,9 +2130,7 @@ static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
|
||
|
case NFT_REJECT_TCP_RST:
|
||
|
break;
|
||
|
case NFT_REJECT_ICMPX_UNREACH:
|
||
|
- return stmt_binary_error(ctx, stmt->reject.expr,
|
||
|
- &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
|
||
|
- "conflicting network protocol specified");
|
||
|
+ break;
|
||
|
case NFT_REJECT_ICMP_UNREACH:
|
||
|
base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
|
||
|
protocol = proto_find_num(base, desc);
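Review bot: The new bare `break;` for NFT_REJECT_ICMPX_UNREACH carries no rationale, and since it is now identical to the NFT_REJECT_TCP_RST arm the two labels could simply be stacked: `case NFT_REJECT_TCP_RST:` / `case NFT_REJECT_ICMPX_UNREACH:` / `/* inet only ever carries IPv4 or IPv6, both of which icmpx can answer */` / `break;`. Unlike the bridge arm, nothing here checks the link-layer protocol anymore, so the correctness of dropping the check rests entirely on the premise in the commit message that inet never sees non-IP traffic; stating that premise in a comment next to the break makes it visible to whoever later adds a hook or family where it might not hold. stmt_evaluate_reject_inet_family starts before the hunk.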
|
||
|
@@ -2183,9 +2181,6 @@ static int stmt_evaluate_reject_bridge_family(struct eval_ctx *ctx,
|
||
|
|
||
|
switch (stmt->reject.type) {
|
||
|
case NFT_REJECT_ICMPX_UNREACH:
|
||
|
- return stmt_binary_error(ctx, stmt->reject.expr,
|
||
|
- &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
|
||
|
- "conflicting network protocol specified");
|
||
|
case NFT_REJECT_TCP_RST:
|
||
|
base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
|
||
|
protocol = proto_find_num(base, desc);
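Review bot: The NFT_REJECT_ICMPX_UNREACH label now falls through silently into the NFT_REJECT_TCP_RST arm; mark it with `/* fall through */` (or the project's fallthrough annotation, if it has one) so -Wimplicit-fallthrough stays quiet and a later reader does not "fix" it by reinserting a break, which would silently drop the ether-type check for icmpx. That shared check is what now rejects `reject with icmpx` on arp/vlan frames (the cases the bridge tests pin as `fail`), so it is load-bearing for icmpx rather than just TCP-reset plumbing; a short comment above the stacked labels saying both types require an IPv4/IPv6 ether type would make that intent explicit. stmt_evaluate_reject_bridge_family continues past the end of the hunk.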
|
||
|
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
|
||
|
index 67deac8d3b5e4..13d65b115c3cb 100644
|
||
|
--- a/tests/py/bridge/reject.t
|
||
|
+++ b/tests/py/bridge/reject.t
|
||
|
@@ -37,3 +37,8 @@ ether type arp reject;fail
|
||
|
ether type vlan reject with tcp reset;fail
|
||
|
ether type arp reject with tcp reset;fail
|
||
|
ip protocol udp reject with tcp reset;fail
|
||
|
+
|
||
|
+ether type ip reject with icmpx type admin-prohibited;ok
|
||
|
+ether type ip6 reject with icmpx type admin-prohibited;ok
|
||
|
+ether type vlan reject with icmpx type admin-prohibited;fail
|
||
|
+ether type arp reject with icmpx type admin-prohibited;fail
|
||
|
diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json
|
||
|
index aa716f8070666..c0bed56e6ce41 100644
|
||
|
--- a/tests/py/bridge/reject.t.json
|
||
|
+++ b/tests/py/bridge/reject.t.json
|
||
|
@@ -219,3 +219,47 @@
|
||
|
}
|
||
|
]
|
||
|
|
||
|
+# ether type ip reject with icmpx type admin-prohibited
|
||
|
+[
|
||
|
+ {
|
||
|
+ "match": {
|
||
|
+ "left": {
|
||
|
+ "payload": {
|
||
|
+ "field": "type",
|
||
|
+ "protocol": "ether"
|
||
|
+ }
|
||
|
+ },
|
||
|
+ "op": "==",
|
||
|
+ "right": "ip"
|
||
|
+ }
|
||
|
+ },
|
||
|
+ {
|
||
|
+ "reject": {
|
||
|
+ "expr": "admin-prohibited",
|
||
|
+ "type": "icmpx"
|
||
|
+ }
|
||
|
+ }
|
||
|
+]
|
||
|
+
|
||
|
+# ether type ip6 reject with icmpx type admin-prohibited
|
||
|
+[
|
||
|
+ {
|
||
|
+ "match": {
|
||
|
+ "left": {
|
||
|
+ "payload": {
|
||
|
+ "field": "type",
|
||
|
+ "protocol": "ether"
|
||
|
+ }
|
||
|
+ },
|
||
|
+ "op": "==",
|
||
|
+ "right": "ip6"
|
||
|
+ }
|
||
|
+ },
|
||
|
+ {
|
||
|
+ "reject": {
|
||
|
+ "expr": "admin-prohibited",
|
||
|
+ "type": "icmpx"
|
||
|
+ }
|
||
|
+ }
|
||
|
+]
|
||
|
+
|
||
|
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
|
||
|
index b984f6f8de4d6..888179df9c977 100644
|
||
|
--- a/tests/py/bridge/reject.t.payload
|
||
|
+++ b/tests/py/bridge/reject.t.payload
|
||
|
@@ -106,3 +106,15 @@ bridge test-bridge input
|
||
|
bridge test-bridge input
|
||
|
[ reject type 2 code 1 ]
|
||
|
|
||
|
+# ether type ip reject with icmpx type admin-prohibited
|
||
|
+bridge test-bridge input
|
||
|
+ [ payload load 2b @ link header + 12 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000008 ]
|
||
|
+ [ reject type 2 code 3 ]
|
||
|
+
|
||
|
+# ether type ip6 reject with icmpx type admin-prohibited
|
||
|
+bridge test-bridge input
|
||
|
+ [ payload load 2b @ link header + 12 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000dd86 ]
|
||
|
+ [ reject type 2 code 3 ]
|
||
|
+
|
||
|
diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t
|
||
|
index 7679407e6f8d4..a88c5a4afae51 100644
|
||
|
--- a/tests/py/inet/reject.t
|
||
|
+++ b/tests/py/inet/reject.t
|
||
|
@@ -34,3 +34,6 @@ meta nfproto ipv6 reject with icmp type host-unreachable;fail
|
||
|
meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail
|
||
|
meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail
|
||
|
meta l4proto udp reject with tcp reset;fail
|
||
|
+
|
||
|
+meta nfproto ipv4 reject with icmpx type admin-prohibited;ok
|
||
|
+meta nfproto ipv6 reject with icmpx type admin-prohibited;ok
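Review bot: The two added inet cases only exercise a `meta nfproto` match, whereas the commit message describes the false rejection as appearing when a match introduced a protocol dependency; a case with a transport-layer dependency such as `meta l4proto tcp reject with icmpx type admin-prohibited;ok` (with matching .json and .payload entries) would pin the reported scenario more directly. If the nfproto match is in fact the dependency that triggered the bug, a one-line comment in the .t file saying so would make the purpose of these two lines clear to the next person editing the file.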
|
||
|
diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json
|
||
|
index 0939f4450509b..46d4857a57c99 100644
|
||
|
--- a/tests/py/inet/reject.t.json
|
||
|
+++ b/tests/py/inet/reject.t.json
|
||
|
@@ -238,3 +238,45 @@
|
||
|
}
|
||
|
]
|
||
|
|
||
|
+# meta nfproto ipv4 reject with icmpx type admin-prohibited
|
||
|
+[
|
||
|
+ {
|
||
|
+ "match": {
|
||
|
+ "left": {
|
||
|
+ "meta": {
|
||
|
+ "key": "nfproto"
|
||
|
+ }
|
||
|
+ },
|
||
|
+ "op": "==",
|
||
|
+ "right": "ipv4"
|
||
|
+ }
|
||
|
+ },
|
||
|
+ {
|
||
|
+ "reject": {
|
||
|
+ "expr": "admin-prohibited",
|
||
|
+ "type": "icmpx"
|
||
|
+ }
|
||
|
+ }
|
||
|
+]
|
||
|
+
|
||
|
+# meta nfproto ipv6 reject with icmpx type admin-prohibited
|
||
|
+[
|
||
|
+ {
|
||
|
+ "match": {
|
||
|
+ "left": {
|
||
|
+ "meta": {
|
||
|
+ "key": "nfproto"
|
||
|
+ }
|
||
|
+ },
|
||
|
+ "op": "==",
|
||
|
+ "right": "ipv6"
|
||
|
+ }
|
||
|
+ },
|
||
|
+ {
|
||
|
+ "reject": {
|
||
|
+ "expr": "admin-prohibited",
|
||
|
+ "type": "icmpx"
|
||
|
+ }
|
||
|
+ }
|
||
|
+]
|
||
|
+
|
||
|
diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet
|
||
|
index 7a6468e81f9e7..ee1aae02f1e1d 100644
|
||
|
--- a/tests/py/inet/reject.t.payload.inet
|
||
|
+++ b/tests/py/inet/reject.t.payload.inet
|
||
|
@@ -220,3 +220,15 @@ inet test-inet input
|
||
|
[ cmp eq reg 1 0x0000000a ]
|
||
|
[ reject type 0 code 0 ]
|
||
|
|
||
|
+# meta nfproto ipv4 reject with icmpx type admin-prohibited
|
||
|
+inet test-inet input
|
||
|
+ [ meta load nfproto => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000002 ]
|
||
|
+ [ reject type 2 code 3 ]
|
||
|
+
|
||
|
+# meta nfproto ipv6 reject with icmpx type admin-prohibited
|
||
|
+inet test-inet input
|
||
|
+ [ meta load nfproto => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000000a ]
|
||
|
+ [ reject type 2 code 3 ]
|
||
|
+
|
||
|
--
|
||
|
2.21.0