From f47941faed177fd3943c7eaf9408e9e6481595f6 Mon Sep 17 00:00:00 2001

From: Phil Sutter <phil@nwl.cc>

Date: Mon, 13 Aug 2018 18:58:57 +0200

Subject: [PATCH] evaluate: reject: Allow icmpx in inet/bridge families

Commit 3e6ab2b335142 added restraints on reject types for bridge and

inet families but aparently those were too strict: If a rule in e.g.

inet family contained a match which introduced a protocol dependency,

icmpx type rejects were disallowed for no obvious reason.

Allow icmpx type rejects in inet family regardless of protocol

dependency since we either have IPv4 or IPv6 traffic in there and for

both icmpx is fine.

Merge restraints in bridge family with those for TCP reset since it

already does what is needed, namely checking that ether proto is either

IPv4 or IPv6.

Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")

Signed-off-by: Phil Sutter <phil@nwl.cc>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

(cherry picked from commit 8d2c3c72935443228b5e0492c8d3e2e2048c0c5a)

Signed-off-by: Phil Sutter <psutter@redhat.com>

---

 src/evaluate.c                      |  7 +----

 tests/py/bridge/reject.t            |  5 ++++

 tests/py/bridge/reject.t.json       | 44 +++++++++++++++++++++++++++++

 tests/py/bridge/reject.t.payload    | 12 ++++++++

 tests/py/inet/reject.t              |  3 ++

 tests/py/inet/reject.t.json         | 42 +++++++++++++++++++++++++++

 tests/py/inet/reject.t.payload.inet | 12 ++++++++

 7 files changed, 119 insertions(+), 6 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c

index c4ee3cc94a3db..d18af34341b0d 100644

--- a/src/evaluate.c

+++ b/src/evaluate.c

@@ -2130,9 +2130,7 @@ static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,

 	case NFT_REJECT_TCP_RST:

 		break;

 	case NFT_REJECT_ICMPX_UNREACH:

-		return stmt_binary_error(ctx, stmt->reject.expr,

-				    &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],

-				    "conflicting network protocol specified");

+		break;

 	case NFT_REJECT_ICMP_UNREACH:

 		base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;

 		protocol = proto_find_num(base, desc);

@@ -2183,9 +2181,6 @@ static int stmt_evaluate_reject_bridge_family(struct eval_ctx *ctx,

 	switch (stmt->reject.type) {

 	case NFT_REJECT_ICMPX_UNREACH:

-		return stmt_binary_error(ctx, stmt->reject.expr,

-				    &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],

-				    "conflicting network protocol specified");

 	case NFT_REJECT_TCP_RST:

 		base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;

 		protocol = proto_find_num(base, desc);

diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t

index 67deac8d3b5e4..13d65b115c3cb 100644

--- a/tests/py/bridge/reject.t

+++ b/tests/py/bridge/reject.t

@@ -37,3 +37,8 @@ ether type arp reject;fail

 ether type vlan reject with tcp reset;fail

 ether type arp reject with tcp reset;fail

 ip protocol udp reject with tcp reset;fail

+

+ether type ip reject with icmpx type admin-prohibited;ok

+ether type ip6 reject with icmpx type admin-prohibited;ok

+ether type vlan reject with icmpx type admin-prohibited;fail

+ether type arp reject with icmpx type admin-prohibited;fail

diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json

index aa716f8070666..c0bed56e6ce41 100644

--- a/tests/py/bridge/reject.t.json

+++ b/tests/py/bridge/reject.t.json

@@ -219,3 +219,47 @@

     }

 ]

+# ether type ip reject with icmpx type admin-prohibited

+[

+    {

+        "match": {

+            "left": {

+                "payload": {

+                    "field": "type",

+                    "protocol": "ether"

+                }

+            },

+            "op": "==",

+            "right": "ip"

+        }

+    },

+    {

+        "reject": {

+            "expr": "admin-prohibited",

+            "type": "icmpx"

+        }

+    }

+]

+

+# ether type ip6 reject with icmpx type admin-prohibited

+[

+    {

+        "match": {

+            "left": {

+                "payload": {

+                    "field": "type",

+                    "protocol": "ether"

+                }

+            },

+            "op": "==",

+            "right": "ip6"

+        }

+    },

+    {

+        "reject": {

+            "expr": "admin-prohibited",

+            "type": "icmpx"

+        }

+    }

+]

+

diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload

index b984f6f8de4d6..888179df9c977 100644

--- a/tests/py/bridge/reject.t.payload

+++ b/tests/py/bridge/reject.t.payload

@@ -106,3 +106,15 @@ bridge test-bridge input

 bridge test-bridge input

   [ reject type 2 code 1 ]

+# ether type ip reject with icmpx type admin-prohibited

+bridge test-bridge input

+  [ payload load 2b @ link header + 12 => reg 1 ]

+  [ cmp eq reg 1 0x00000008 ]

+  [ reject type 2 code 3 ]

+

+# ether type ip6 reject with icmpx type admin-prohibited

+bridge test-bridge input

+  [ payload load 2b @ link header + 12 => reg 1 ]

+  [ cmp eq reg 1 0x0000dd86 ]

+  [ reject type 2 code 3 ]

+

diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t

index 7679407e6f8d4..a88c5a4afae51 100644

--- a/tests/py/inet/reject.t

+++ b/tests/py/inet/reject.t

@@ -34,3 +34,6 @@ meta nfproto ipv6 reject with icmp type host-unreachable;fail

 meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail

 meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail

 meta l4proto udp reject with tcp reset;fail

+

+meta nfproto ipv4 reject with icmpx type admin-prohibited;ok

+meta nfproto ipv6 reject with icmpx type admin-prohibited;ok

diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json

index 0939f4450509b..46d4857a57c99 100644

--- a/tests/py/inet/reject.t.json

+++ b/tests/py/inet/reject.t.json

@@ -238,3 +238,45 @@

     }

 ]

+# meta nfproto ipv4 reject with icmpx type admin-prohibited

+[

+    {

+        "match": {

+            "left": {

+                "meta": {

+                    "key": "nfproto"

+                }

+            },

+            "op": "==",

+            "right": "ipv4"

+        }

+    },

+    {

+        "reject": {

+            "expr": "admin-prohibited",

+            "type": "icmpx"

+        }

+    }

+]

+

+# meta nfproto ipv6 reject with icmpx type admin-prohibited

+[

+    {

+        "match": {

+            "left": {

+                "meta": {

+                    "key": "nfproto"

+                }

+            },

+            "op": "==",

+            "right": "ipv6"

+        }

+    },

+    {

+        "reject": {

+            "expr": "admin-prohibited",

+            "type": "icmpx"

+        }

+    }

+]

+

diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet

index 7a6468e81f9e7..ee1aae02f1e1d 100644

--- a/tests/py/inet/reject.t.payload.inet

+++ b/tests/py/inet/reject.t.payload.inet

@@ -220,3 +220,15 @@ inet test-inet input

   [ cmp eq reg 1 0x0000000a ]

   [ reject type 0 code 0 ]

+# meta nfproto ipv4 reject with icmpx type admin-prohibited

+inet test-inet input

+  [ meta load nfproto => reg 1 ]

+  [ cmp eq reg 1 0x00000002 ]

+  [ reject type 2 code 3 ]

+

+# meta nfproto ipv6 reject with icmpx type admin-prohibited

+inet test-inet input

+  [ meta load nfproto => reg 1 ]

+  [ cmp eq reg 1 0x0000000a ]

+  [ reject type 2 code 3 ]

+

-- 

2.21.0