proto: permit icmp-in-ipv6 and icmpv6-in-ipv4

Jozsef points out that
 meta l4proto icmp icmp type destination-unreachable

is hard to read.  So, lets just add icmp/icmpv6 to
ip/ip6 protocol base so users can just go with

 icmp type destination-unreachable

and let nft fill in needed dependency.
After this patch, the recent patch to not remove the
dependency can be reverted again.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/proto.c b/src/proto.c
index a54090a3b7bf51959fb4df3d8aebfff706f43260..8cf29d2014dce53b9051556e52cfe279b43139a1 100644 (file)
--- a/src/proto.c
+++ b/src/proto.c
@@ -591,6 +591,7 @@ const struct proto_desc proto_ip = {
        .checksum_key   = IPHDR_CHECKSUM,
        .protocols      = {
                PROTO_LINK(IPPROTO_ICMP,        &proto_icmp),
+               PROTO_LINK(IPPROTO_ICMPV6,      &proto_icmp6),
                PROTO_LINK(IPPROTO_ESP,         &proto_esp),
                PROTO_LINK(IPPROTO_AH,          &proto_ah),
                PROTO_LINK(IPPROTO_COMP,        &proto_comp),
@@ -718,6 +719,7 @@ const struct proto_desc proto_ip6 = {
                PROTO_LINK(IPPROTO_TCP,         &proto_tcp),
                PROTO_LINK(IPPROTO_DCCP,        &proto_dccp),
                PROTO_LINK(IPPROTO_SCTP,        &proto_sctp),
+               PROTO_LINK(IPPROTO_ICMP,        &proto_icmp),
                PROTO_LINK(IPPROTO_ICMPV6,      &proto_icmp6),
        },
        .templates      = {

diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t
index 31c99500a7038857180e04afb9801ad27acf8a89..d0682adf1366c749270fc257b9654b5ba91fe51a 100644 (file)
--- a/tests/py/ip/meta.t
+++ b/tests/py/ip/meta.t
@@ -4,6 +4,6 @@
 
 icmp type echo-request;ok
 meta l4proto icmp icmp type echo-request;ok;icmp type echo-request
-meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;meta l4proto 58 icmpv6 type nd-router-advert
-meta l4proto 58 icmpv6 type nd-router-advert;ok
-icmpv6 type nd-router-advert;fail
+meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
+meta l4proto 58 icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
+icmpv6 type nd-router-advert;ok

diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload
index b186b4b5e03d9a7127351ee8a16eef1e4cfd0e06..322c0878f2c90bb4fd8831ac849147dc02df1532 100644 (file)
--- a/tests/py/ip/meta.t.payload
+++ b/tests/py/ip/meta.t.payload
@@ -26,3 +26,10 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 0 => reg 1 ]
   [ cmp eq reg 1 0x00000086 ]
 
+# icmpv6 type nd-router-advert
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+

diff --git a/tests/py/ip6/meta.t b/tests/py/ip6/meta.t
index 68fa89f50938670b989b0ad84744888e54dd92e6..24445084890bbbbc2dd09bfa9c428926a4cc5c30 100644 (file)
--- a/tests/py/ip6/meta.t
+++ b/tests/py/ip6/meta.t
@@ -5,7 +5,6 @@
 icmpv6 type nd-router-advert;ok
 meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
 
-meta l4proto icmp icmp type echo-request;ok;meta l4proto 1 icmp type echo-request
-meta l4proto 1 icmp type echo-request;ok
-
-icmp type echo-request;fail
+meta l4proto icmp icmp type echo-request;ok;icmp type echo-request
+meta l4proto 1 icmp type echo-request;ok;icmp type echo-request
+icmp type echo-request;ok

diff --git a/tests/py/ip6/meta.t.payload b/tests/py/ip6/meta.t.payload
new file mode 100644 (file)
index 0000000..f203baa
--- /dev/null
+++ b/tests/py/ip6/meta.t.payload
@@ -0,0 +1,34 @@
+# icmpv6 type nd-router-advert
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+
+# meta l4proto ipv6-icmp icmpv6 type nd-router-advert
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+
+# meta l4proto icmp icmp type echo-request
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# meta l4proto 1 icmp type echo-request
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# icmp type echo-request
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]