evaluate: enforce ip6 proto with exthdr expression

Don't allow use of exthdr with e.g. ip family.
Move frag.t to ip6 directory and don't use it with ipv4 anymore.

This change causes major test failures for all exthdr users
since they now fail with inet/bridge/netdev families.

Will be resolved in a later patch -- we need to add
an ipv6 dependency for them.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index a49cdd9337e1b3b603cc0f8f0ac9c5d65f8a23a6..47a1f8ca82fd61b1af35a6b61a9c8aab5599e828 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -343,6 +343,21 @@ conflict_resolution_gen_dependency(struct eval_ctx *ctx, int protocol,
        return 0;
 }
 
+/*
+ * Exthdr expression: check whether dependencies are fulfilled.
+ */
+static int expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **expr)
+{
+       const struct proto_desc *base;
+
+       base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+       if (base == &proto_ip6)
+               return expr_evaluate_primary(ctx, expr);
+
+       return expr_error(ctx->msgs, *expr,
+                         "exthdr can only be used with ipv6");
+}
+
 /* dependency supersede.
  *
  * 'inet' is a 'phony' l2 dependeny used by NFPROTO_INET to fulfill network
@@ -1320,8 +1335,9 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
                return 0;
        case EXPR_VALUE:
                return expr_evaluate_value(ctx, expr);
-       case EXPR_VERDICT:
        case EXPR_EXTHDR:
+               return expr_evaluate_exthdr(ctx, expr);
+       case EXPR_VERDICT:
        case EXPR_META:
                return expr_evaluate_primary(ctx, expr);
        case EXPR_PAYLOAD:

diff --git a/tests/py/any/frag.t b/tests/py/ip6/frag.t
similarity index 95%
rename from tests/py/any/frag.t
rename to tests/py/ip6/frag.t
index 8b5e34abc02014237eda33504f26223ffc6e97c3..56801ed8e7bf0540469ed86e85ccf64c559c8858 100644 (file)
--- a/tests/py/any/frag.t
+++ b/tests/py/ip6/frag.t
@@ -1,12 +1,8 @@
 :output;type filter hook output priority 0
 :ingress;type filter hook ingress device lo priority 0
 
-*ip;test-ip4;output
 *ip6;test-ip6;output
 *inet;test-inet;output
-*arp;test-arp;output
-*bridge;test-bridge;output
-*netdev;test-netdev;ingress
 
 frag nexthdr tcp;ok;frag nexthdr 6
 frag nexthdr != icmp;ok;frag nexthdr != 1

diff --git a/tests/py/any/frag.t.payload b/tests/py/ip6/frag.t.payload.ip6
similarity index 82%
rename from tests/py/any/frag.t.payload
rename to tests/py/ip6/frag.t.payload.ip6
index a91ab3fa268b67d9d051f91d835ec11dd8eb9c88..f2d04b6b994dd57015211c81ff2e57a9b3a47564 100644 (file)
--- a/tests/py/any/frag.t.payload
+++ b/tests/py/ip6/frag.t.payload.ip6
@@ -1,109 +1,109 @@
 # frag nexthdr tcp
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 0 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
 
 # frag nexthdr != icmp
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 0 => reg 1 ]
   [ cmp neq reg 1 0x00000001 ]
 
 # frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
-set%d test-ip4 3
-set%d test-ip4 0
+set%d test-ip6 3
+set%d test-ip6 0
        element 00000032  : 0 [end]     element 00000033  : 0 [end]     element 0000006c  : 0 [end]     element 00000011  : 0 [end]     element 00000088  : 0 [end]     element 00000006  : 0 [end]     element 00000021  : 0 [end]     element 00000084  : 0 [end]
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 0 => reg 1 ]
   [ lookup reg 1 set set%d ]
 
 # frag nexthdr esp
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 0 => reg 1 ]
   [ cmp eq reg 1 0x00000032 ]
 
 # frag nexthdr ah
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 0 => reg 1 ]
   [ cmp eq reg 1 0x00000033 ]
 
 # frag reserved 22
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ cmp eq reg 1 0x00000016 ]
 
 # frag reserved != 233
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ cmp neq reg 1 0x000000e9 ]
 
 # frag reserved 33-45
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ cmp gte reg 1 0x00000021 ]
   [ cmp lte reg 1 0x0000002d ]
 
 # frag reserved != 33-45
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ cmp lt reg 1 0x00000021 ]
   [ cmp gt reg 1 0x0000002d ]
 
 # frag reserved { 33, 55, 67, 88}
-set%d test-ip4 3
-set%d test-ip4 0
+set%d test-ip6 3
+set%d test-ip6 0
        element 00000021  : 0 [end]     element 00000037  : 0 [end]     element 00000043  : 0 [end]     element 00000058  : 0 [end]
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ lookup reg 1 set set%d ]
 
 # frag reserved { 33-55}
-set%d test-ip4 7
-set%d test-ip4 0
+set%d test-ip6 7
+set%d test-ip6 0
        element 00000000  : 1 [end]     element 00000021  : 0 [end]     element 00000038  : 1 [end]
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ lookup reg 1 set set%d ]
 
 # frag id 1
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ cmp eq reg 1 0x01000000 ]
 
 # frag id 22
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ cmp eq reg 1 0x16000000 ]
 
 # frag id != 33
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ cmp neq reg 1 0x21000000 ]
 
 # frag id 33-45
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ cmp gte reg 1 0x21000000 ]
   [ cmp lte reg 1 0x2d000000 ]
 
 # frag id != 33-45
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ cmp lt reg 1 0x21000000 ]
   [ cmp gt reg 1 0x2d000000 ]
 
 # frag id { 33, 55, 67, 88}
-set%d test-ip4 3
-set%d test-ip4 0
+set%d test-ip6 3
+set%d test-ip6 0
        element 21000000  : 0 [end]     element 37000000  : 0 [end]     element 43000000  : 0 [end]     element 58000000  : 0 [end]
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ lookup reg 1 set set%d ]
 
 # frag id { 33-55}
-set%d test-ip4 7
-set%d test-ip4 0
+set%d test-ip6 7
+set%d test-ip6 0
        element 00000000  : 1 [end]     element 21000000  : 0 [end]     element 38000000  : 1 [end]
-ip test-ip4 output
+ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ lookup reg 1 set set%d ]