From f314ae8d3cc29d473ff5ce67ad4aa3776283e3d6 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Tue, 4 Sep 2018 13:53:59 +0200 Subject: [PATCH] proto: fix icmp/icmpv6 code datatype Andrew A. Sabitov says: I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code and check incoming icmpv6 traffic against it: add set inet fw in_icmpv6_types { type icmpv6_type . icmpv6_code; } add element inet fw in_icmpv6_types { 1 . 0 } # no route to destination add element inet fw in_icmpv6_types { 1 . 1 } # communication with destination administratively prohibited # ... add rule inet fw in_icmpv6 icmpv6 type . icmpv6 code @in_icmpv6_types \ limit rate 15/minute accept yields: Error: can not use variable sized data types (integer) in concat expressions icmpv6 type . icmpv6 code @in_icmpv6_types ~~~~~~~~~~~~~~^^^^^^^^^^^ Change 'code' type to the icmp/icmpv6 code type. Needs minor change to test suite as nft will now display human-readable names instead of numeric codes. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1276 Signed-off-by: Florian Westphal (cherry picked from commit 0f44d4f62753535d39d95d83778348bee4e88053) Signed-off-by: Phil Sutter --- src/proto.c | 4 ++-- tests/py/ip/icmp.t | 4 ++-- tests/py/ip/icmp.t.payload.ip | 2 +- tests/py/ip6/icmpv6.t | 6 +++--- tests/py/ip6/icmpv6.t.payload.ip6 | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/proto.c b/src/proto.c index ed011efab2229..d178bf39ea907 100644 --- a/src/proto.c +++ b/src/proto.c @@ -347,7 +347,7 @@ const struct proto_desc proto_icmp = { .checksum_key = ICMPHDR_CHECKSUM, .templates = { [ICMPHDR_TYPE] = ICMPHDR_TYPE("type", &icmp_type_type, type), - [ICMPHDR_CODE] = ICMPHDR_FIELD("code", code), + [ICMPHDR_CODE] = ICMPHDR_TYPE("code", &icmp_code_type, code), [ICMPHDR_CHECKSUM] = ICMPHDR_FIELD("checksum", checksum), [ICMPHDR_ID] = ICMPHDR_FIELD("id", un.echo.id), [ICMPHDR_SEQ] = ICMPHDR_FIELD("sequence", un.echo.sequence), @@ -686,7 +686,7 @@ const struct proto_desc proto_icmp6 = { .checksum_key = ICMP6HDR_CHECKSUM, .templates = { [ICMP6HDR_TYPE] = ICMP6HDR_TYPE("type", &icmp6_type_type, icmp6_type), - [ICMP6HDR_CODE] = ICMP6HDR_FIELD("code", icmp6_code), + [ICMP6HDR_CODE] = ICMP6HDR_TYPE("code", &icmpv6_code_type, icmp6_code), [ICMP6HDR_CHECKSUM] = ICMP6HDR_FIELD("checksum", icmp6_cksum), [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr), [ICMP6HDR_MTU] = ICMP6HDR_FIELD("mtu", icmp6_mtu), diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t index 5a7ce7e08bac0..6c05fb9d0fbca 100644 --- a/tests/py/ip/icmp.t +++ b/tests/py/ip/icmp.t @@ -28,8 +28,8 @@ icmp code 33-55;ok icmp code != 33-55;ok icmp code { 33-55};ok icmp code != { 33-55};ok -icmp code { 2, 4, 54, 33, 56};ok -icmp code != { 2, 4, 54, 33, 56};ok +icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, 4, 33, 54, 56} +icmp code != { prot-unreachable, 4, 33, 54, 56};ok icmp checksum 12343 accept;ok icmp checksum != 12343 accept;ok diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip index f959cf338295c..27f222072d5dc 100644 --- a/tests/py/ip/icmp.t.payload.ip +++ b/tests/py/ip/icmp.t.payload.ip @@ -184,7 +184,7 @@ ip test-ip4 input [ payload load 1b @ transport header + 1 => reg 1 ] [ lookup reg 1 set __set%d ] -# icmp code != { 2, 4, 54, 33, 56} +# icmp code != { prot-unreachable, 4, 33, 54, 56} __set%d test-ip4 3 __set%d test-ip4 0 element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000036 : 0 [end] element 00000021 : 0 [end] element 00000038 : 0 [end] diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t index a898fe30c24c7..8d794115d51e9 100644 --- a/tests/py/ip6/icmpv6.t +++ b/tests/py/ip6/icmpv6.t @@ -28,10 +28,10 @@ icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-sol icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok -icmpv6 code 4;ok +icmpv6 code 4;ok;icmpv6 code port-unreachable icmpv6 code 3-66;ok -icmpv6 code {5, 6, 7} accept;ok -icmpv6 code != {5, 6, 7} accept;ok +icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept +icmpv6 code != {policy-fail, reject-route, 7} accept;ok icmpv6 code { 3-66};ok icmpv6 code != { 3-66};ok diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 index 7a630f9f8b097..51d71f4149b56 100644 --- a/tests/py/ip6/icmpv6.t.payload.ip6 +++ b/tests/py/ip6/icmpv6.t.payload.ip6 @@ -220,7 +220,7 @@ ip6 test-ip6 input [ lookup reg 1 set __set%d ] [ immediate reg 0 accept ] -# icmpv6 code != {5, 6, 7} accept +# icmpv6 code != {policy-fail, reject-route, 7} accept __set%d test-ip6 3 __set%d test-ip6 0 element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 0 [end] -- 2.21.0