git.ipfire.org Git - thirdparty/nftables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Mon, 13 Aug 2018 16:58:57 +0000 (18:58 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 14 Aug 2018 14:17:32 +0000 (16:17 +0200)
commit	8d2c3c72935443228b5e0492c8d3e2e2048c0c5a
tree	7dca84cd3a7a5405e87fb0692db1a3410612b7f4	tree \| snapshot
parent	c8a0e8c90e2d1188e6fcdd8951b295722e56d542	commit \| diff

evaluate: reject: Allow icmpx in inet/bridge families

Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but aparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.

Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.

Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.

Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/evaluate.c		diff \| blob \| blame \| history
tests/py/bridge/reject.t		diff \| blob \| blame \| history
tests/py/bridge/reject.t.json		diff \| blob \| blame \| history
tests/py/bridge/reject.t.payload		diff \| blob \| blame \| history
tests/py/inet/reject.t		diff \| blob \| blame \| history
tests/py/inet/reject.t.json		diff \| blob \| blame \| history
tests/py/inet/reject.t.payload.inet		diff \| blob \| blame \| history