netlink_delinerize: remove network header dep for reject statement also in bridge...
authorFlorian Westphal <fw@strlen.de>
Tue, 18 Jun 2019 18:43:57 +0000 (20:43 +0200)
committerFlorian Westphal <fw@strlen.de>
Wed, 19 Jun 2019 20:49:36 +0000 (22:49 +0200)
add rule bridge test-bridge input reject with icmp type ...

is shown as

ether type ip reject type ...

i.e., the dependency is not removed.

Allow dependency removal -- this adds a problem where some icmp types
will be shortened to 'reject', losing the icmp ipv4 dependency.

Next patch resolves this problem by disabling short-hand abbreviations
for bridge reject statements.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/netlink_delinearize.c
tests/py/bridge/ether.t.json.output
tests/py/bridge/reject.t
tests/py/bridge/reject.t.json.output

index 1f63d9d5e2c2f426245ffee01618855fa6eca029..4d720d2938fc0b834400da10eb3de866a88cbd28 100644 (file)
@@ -2217,6 +2217,10 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
                default:
                        break;
                }
+
+               if (payload_dependency_exists(&rctx->pdctx, PROTO_BASE_NETWORK_HDR))
+                       payload_dependency_release(&rctx->pdctx);
+
                break;
        default:
                break;
index 05e568f6592decfd606aefa8877a6a0f4dea1519..5bb2e47a458ad5f99848fc35e0c0fae20e140c66 100644 (file)
@@ -8,22 +8,10 @@
                     "protocol": "tcp"
                 }
             },
-           "op": "==",
+            "op": "==",
             "right": 22
         }
     },
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "saddr",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "00:0f:54:0c:11:04"
-        }
-    },
     {
         "match": {
             "left": {
                     "protocol": "ip"
                 }
             },
-           "op": "==",
+            "op": "==",
             "right": "1.2.3.4"
         }
     },
-    {
-        "accept": null
-    }
-]
-
-# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
-[
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "dport",
-                    "protocol": "tcp"
-                }
-            },
-           "op": "==",
-            "right": 22
-        }
-    },
     {
         "match": {
             "left": {
                     "protocol": "ether"
                 }
             },
-           "op": "==",
+            "op": "==",
             "right": "00:0f:54:0c:11:04"
         }
     },
     {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "daddr",
-                    "protocol": "ip"
-                }
-            },
-           "op": "==",
-            "right": "1.2.3.4"
-        }
+        "accept": null
     }
 ]
 
index ad5280f7d5730e1a6307bcd88769b152eeab363f..ee7e93c814497da4d0bf6b5add71e14789eb24d0 100644 (file)
@@ -3,24 +3,24 @@
 *bridge;test-bridge;input
 
 # The output is specific for bridge family
-reject with icmp type host-unreachable;ok;ether type ip reject with icmp type host-unreachable
-reject with icmp type net-unreachable;ok;ether type ip reject with icmp type net-unreachable
-reject with icmp type prot-unreachable;ok;ether type ip reject with icmp type prot-unreachable
-reject with icmp type port-unreachable;ok;ether type ip reject
-reject with icmp type net-prohibited;ok;ether type ip reject with icmp type net-prohibited
-reject with icmp type host-prohibited;ok;ether type ip reject with icmp type host-prohibited
-reject with icmp type admin-prohibited;ok;ether type ip reject with icmp type admin-prohibited
-
-reject with icmpv6 type no-route;ok;ether type ip6 reject with icmpv6 type no-route
-reject with icmpv6 type admin-prohibited;ok;ether type ip6 reject with icmpv6 type admin-prohibited
-reject with icmpv6 type addr-unreachable;ok;ether type ip6 reject with icmpv6 type addr-unreachable
-reject with icmpv6 type port-unreachable;ok;ether type ip6 reject
+reject with icmp type host-unreachable;ok
+reject with icmp type net-unreachable;ok
+reject with icmp type prot-unreachable;ok
+reject with icmp type port-unreachable;ok
+reject with icmp type net-prohibited;ok
+reject with icmp type host-prohibited;ok
+reject with icmp type admin-prohibited;ok
+
+reject with icmpv6 type no-route;ok
+reject with icmpv6 type admin-prohibited;ok
+reject with icmpv6 type addr-unreachable;ok
+reject with icmpv6 type port-unreachable;ok
 
 mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset
 
 reject;ok
-ether type ip reject;ok
-ether type ip6 reject;ok
+ether type ip reject;ok;reject with icmp type port-unreachable
+ether type ip6 reject;ok;reject with icmpv6 type port-unreachable
 
 reject with icmpx type host-unreachable;ok
 reject with icmpx type no-route;ok
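Review bot: The new expectations on the `reject with icmp type port-unreachable;ok` and `reject with icmpv6 type port-unreachable;ok` lines assume the rule round-trips unchanged, but the commit message says some types are still shortened to a bare `reject` until the next patch, so these lines presumably fail in this intermediate state. A comment above the block such as `# NOTE: short-hand 'reject' output is disabled for bridge in a follow-up; these expectations depend on it` would make that visible to anyone bisecting through this commit. The `ether type ip reject;ok;reject with icmp type port-unreachable` lines do cover the reverse direction, but no line pins the lossy case the description mentions.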
index 08dfaf6a1778f7d53e2b102c050c5cfd7b9ef291..4f83f80374b9a5d2e42097509697cbf2ea35f60e 100644 (file)
@@ -1,17 +1,5 @@
 # reject with icmp type host-unreachable
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip"
-        }
-    },
     {
         "reject": {
             "expr": "host-unreachable",
 
 # reject with icmp type net-unreachable
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip"
-        }
-    },
     {
         "reject": {
             "expr": "net-unreachable",
 
 # reject with icmp type prot-unreachable
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip"
-        }
-    },
     {
         "reject": {
             "expr": "prot-unreachable",
     }
 ]
 
-# reject with icmp type port-unreachable
-[
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip"
-        }
-    },
-    {
-        "reject": null
-    }
-]
-
 # reject with icmp type net-prohibited
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip"
-        }
-    },
     {
         "reject": {
             "expr": "net-prohibited",
 
 # reject with icmp type host-prohibited
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip"
-        }
-    },
     {
         "reject": {
             "expr": "host-prohibited",
 
 # reject with icmp type admin-prohibited
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip"
-        }
-    },
     {
         "reject": {
             "expr": "admin-prohibited",
 
 # reject with icmpv6 type no-route
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip6"
-        }
-    },
     {
         "reject": {
             "expr": "no-route",
 
 # reject with icmpv6 type admin-prohibited
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip6"
-        }
-    },
     {
         "reject": {
             "expr": "admin-prohibited",
 
 # reject with icmpv6 type addr-unreachable
 [
-    {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip6"
-        }
-    },
     {
         "reject": {
             "expr": "addr-unreachable",
 # reject with icmpv6 type port-unreachable
 [
     {
-        "match": {
-            "left": {
-                "payload": {
-                    "field": "type",
-                    "protocol": "ether"
-                }
-            },
-           "op": "==",
-            "right": "ip6"
+         "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
         }
-    },
-    {
-        "reject": null
     }
 ]
 
     {
         "match": {
             "left": {
-                "meta": { "key": "mark" }
+                "meta": {
+                    "key": "mark"
+                }
             },
-           "op": "==",
+            "op": "==",
             "right": 12345
         }
     },
                     "protocol": "ip"
                 }
             },
-           "op": "==",
+            "op": "==",
             "right": 6
         }
     },
     }
 ]
 
+# ether type ip reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# ether type ip6 reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]