evaluate: reject: Allow icmpx in inet/bridge families
authorPhil Sutter <phil@nwl.cc>
Mon, 13 Aug 2018 16:58:57 +0000 (18:58 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 14 Aug 2018 14:17:32 +0000 (16:17 +0200)
Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but apparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.

Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.

Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.

Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
tests/py/bridge/reject.t
tests/py/bridge/reject.t.json
tests/py/bridge/reject.t.payload
tests/py/inet/reject.t
tests/py/inet/reject.t.json
tests/py/inet/reject.t.payload.inet

index 3f57ef60cb7575dfcfa201798dad1405e1ea0ba9..3f15b322d503817570ec5fc4c02ed6346fde28a5 100644 (file)
@@ -2143,9 +2143,7 @@ static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
        case NFT_REJECT_TCP_RST:
                break;
        case NFT_REJECT_ICMPX_UNREACH:
-               return stmt_binary_error(ctx, stmt->reject.expr,
-                                   &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
-                                   "conflicting network protocol specified");
+               break;
        case NFT_REJECT_ICMP_UNREACH:
                base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
                protocol = proto_find_num(base, desc);
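Review bot: The new `break;` under NFT_REJECT_ICMPX_UNREACH carries no explanation, so a reader sees an icmpx reject accepted without any network-context check while NFT_REJECT_ICMP_UNREACH directly below still resolves the link-layer protocol; the justification exists only in the commit message. A one-line comment would keep it with the code: `/* icmpx is valid for both IPv4 and IPv6, so the network context is irrelevant here. */`. The label could also stack on the NFT_REJECT_TCP_RST `break` just above instead of duplicating it, mirroring what the bridge variant in this same commit does. stmt_evaluate_reject_inet_family begins before this hunk and its body continues after it.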
@@ -2196,9 +2194,6 @@ static int stmt_evaluate_reject_bridge_family(struct eval_ctx *ctx,
 
        switch (stmt->reject.type) {
        case NFT_REJECT_ICMPX_UNREACH:
-               return stmt_binary_error(ctx, stmt->reject.expr,
-                                   &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
-                                   "conflicting network protocol specified");
        case NFT_REJECT_TCP_RST:
                base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
                protocol = proto_find_num(base, desc);
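Review bot: NFT_REJECT_ICMPX_UNREACH now falls through into the NFT_REJECT_TCP_RST handling with nothing recording why the two share a check; adjacent labels will not trip -Wimplicit-fallthrough, but a comment on the label would state the intent: `case NFT_REJECT_ICMPX_UNREACH: /* same constraint as tcp reset: ether type must be ip or ip6 */`. The actual comparison of the `proto_find_num` result against IPv4/IPv6 that the commit message relies on lies past the end of the hunk, so I could not confirm from here that it covers both families. stmt_evaluate_reject_bridge_family starts before this hunk and continues after it.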
index d1c2ecab5fc0785178d6ef3a8fabee6497c5331f..ad5280f7d5730e1a6307bcd88769b152eeab363f 100644 (file)
@@ -37,3 +37,8 @@ ether type arp reject;fail
 ether type vlan reject with tcp reset;fail
 ether type arp reject with tcp reset;fail
 ip protocol udp reject with tcp reset;fail
+
+ether type ip reject with icmpx type admin-prohibited;ok
+ether type ip6 reject with icmpx type admin-prohibited;ok
+ether type vlan reject with icmpx type admin-prohibited;fail
+ether type arp reject with icmpx type admin-prohibited;fail
index aa716f807066636cc9d9a591110b998913fbc11b..c0bed56e6ce417489af66e11dcf487e2bff1ad9f 100644 (file)
     }
 ]
 
+# ether type ip reject with icmpx type admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# ether type ip6 reject with icmpx type admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "ip6"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
index b984f6f8de4d6ce227462cc2e460758a8259d46f..888179df9c9777c88ecf1476334d5acea907dfab 100644 (file)
@@ -106,3 +106,15 @@ bridge test-bridge input
 bridge test-bridge input
   [ reject type 2 code 1 ]
 
+# ether type ip reject with icmpx type admin-prohibited
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 2 code 3 ]
+
+# ether type ip6 reject with icmpx type admin-prohibited
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 2 code 3 ]
+
index cb3caa4aca5c83e7af5151bf43d18df50820e74f..0e8966c9a389cd70d4a1f7cd47d7f6f150132026 100644 (file)
@@ -34,3 +34,6 @@ meta nfproto ipv6 reject with icmp type host-unreachable;fail
 meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail
 meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail
 meta l4proto udp reject with tcp reset;fail
+
+meta nfproto ipv4 reject with icmpx type admin-prohibited;ok
+meta nfproto ipv6 reject with icmpx type admin-prohibited;ok
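Review bot: The two new inet cases only exercise a `meta nfproto` match, which sets the network-layer context, whereas the commit message motivates the fix with any match that introduces a protocol dependency; a transport-layer case would pin that broader behaviour, e.g. `meta l4proto udp reject with icmpx type admin-prohibited;ok` next to the existing `meta l4proto udp reject with tcp reset;fail` on the line above. Since the evaluate.c change makes icmpx unconditional in the inet family, this should now be accepted; the corresponding .json and .payload.inet entries would need adding as well.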
index 0939f4450509b4fd9968d4dec7a3b26282c41f50..46d4857a57c9901d1d42968622002a1ddf7fafd1 100644 (file)
     }
 ]
 
+# meta nfproto ipv4 reject with icmpx type admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "nfproto"
+                }
+            },
+            "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# meta nfproto ipv6 reject with icmpx type admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "nfproto"
+                }
+            },
+            "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
index 7a6468e81f9e71a2617db5114fc4524ab4d43f05..ee1aae02f1e1d14d8c74f6c7f324100f64d3c09a 100644 (file)
@@ -220,3 +220,15 @@ inet test-inet input
   [ cmp eq reg 1 0x0000000a ]
   [ reject type 0 code 0 ]
 
+# meta nfproto ipv4 reject with icmpx type admin-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 2 code 3 ]
+
+# meta nfproto ipv6 reject with icmpx type admin-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 2 code 3 ]
+