Blame SOURCES/0039-proto-fix-icmp-icmpv6-code-datatype.patch

From f314ae8d3cc29d473ff5ce67ad4aa3776283e3d6 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Tue, 4 Sep 2018 13:53:59 +0200
Subject: [PATCH] proto: fix icmp/icmpv6 code datatype
Andrew A. Sabitov says:
  I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code
  and check incoming icmpv6 traffic against it:
  add set inet fw in_icmpv6_types { type icmpv6_type . icmpv6_code; }
  add element inet fw in_icmpv6_types { 1 . 0 } # no route to destination
  add element inet fw in_icmpv6_types { 1 . 1 } # communication with destination administratively prohibited
  # ...
 add rule inet fw in_icmpv6 icmpv6 type . icmpv6 code @in_icmpv6_types \
   limit rate 15/minute accept
yields:
Error: can not use variable sized data types (integer) in concat expressions
        icmpv6 type . icmpv6 code @in_icmpv6_types
         ~~~~~~~~~~~~~~^^^^^^^^^^^
Change 'code' type to the icmp/icmpv6 code type.
Needs minor change to test suite as nft will now display
human-readable names instead of numeric codes.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1276
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 0f44d4f62753535d39d95d83778348bee4e88053)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
 src/proto.c                       | 4 ++--
 tests/py/ip/icmp.t                | 4 ++--
 tests/py/ip/icmp.t.payload.ip     | 2 +-
 tests/py/ip6/icmpv6.t             | 6 +++---
 tests/py/ip6/icmpv6.t.payload.ip6 | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)
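--- a/src/proto.c
+++ b/src/proto.c
@@ -347,7 +347,7 @@ const struct proto_desc proto_icmp = {
 	.checksum_key	= ICMPHDR_CHECKSUM,
 	.templates	= {
 		[ICMPHDR_TYPE]		= ICMPHDR_TYPE("type", &icmp_type_type, type),
-		[ICMPHDR_CODE]		= ICMPHDR_FIELD("code", code),
+		[ICMPHDR_CODE]		= ICMPHDR_TYPE("code", &icmp_code_type, code),
 		[ICMPHDR_CHECKSUM]	= ICMPHDR_FIELD("checksum", checksum),
 		[ICMPHDR_ID]		= ICMPHDR_FIELD("id", un.echo.id),
 		[ICMPHDR_SEQ]		= ICMPHDR_FIELD("sequence", un.echo.sequence),
@@ -686,7 +686,7 @@ const struct proto_desc proto_icmp6 = {
 	.checksum_key	= ICMP6HDR_CHECKSUM,
 	.templates	= {
 		[ICMP6HDR_TYPE]		= ICMP6HDR_TYPE("type", &icmp6_type_type, icmp6_type),
-		[ICMP6HDR_CODE]		= ICMP6HDR_FIELD("code", icmp6_code),
+		[ICMP6HDR_CODE]		= ICMP6HDR_TYPE("code", &icmpv6_code_type, icmp6_code),
 		[ICMP6HDR_CHECKSUM]	= ICMP6HDR_FIELD("checksum", icmp6_cksum),
 		[ICMP6HDR_PPTR]		= ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
 		[ICMP6HDR_MTU]		= ICMP6HDR_FIELD("mtu", icmp6_mtu),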
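Review bot: The symbolic names now attached to `code` in both templates (`[ICMPHDR_CODE]` in proto_icmp and `[ICMP6HDR_CODE]` in proto_icmp6) are printed whatever the ICMP type is, yet judging by the updated tests (`prot-unreachable`, `port-unreachable`, `policy-fail`, `reject-route`) they look like destination-unreachable codes. A rule that matches the code without also matching the type will list as, say, `icmpv6 code port-unreachable` while still matching code 4 of every ICMPv6 type, which is easy to misread when auditing a ruleset. I would add a comment above each entry, e.g. `/* names are the destination-unreachable codes; the match is on the numeric code for any type */`, and say the same in the user documentation of the `code` field. `icmp_code_type` and `icmpv6_code_type` are defined outside these hunks, so their symbol tables and fixed size should be confirmed there.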
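--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -28,8 +28,8 @@ icmp code 33-55;ok
 icmp code != 33-55;ok
 icmp code { 33-55};ok
 icmp code != { 33-55};ok
-icmp code { 2, 4, 54, 33, 56};ok
-icmp code != { 2, 4, 54, 33, 56};ok
+icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, 4, 33, 54, 56}
+icmp code != { prot-unreachable, 4, 33, 54, 56};ok
 
 icmp checksum 12343 accept;ok
 icmp checksum != 12343 accept;ok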
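Review bot: None of the updated cases here or in tests/py/ip6/icmpv6.t exercises the construct the commit message reports as failing, a concatenation such as `icmpv6 type . icmpv6 code` looked up in a set; they only pin the new symbolic output. A regression case for `icmp type . icmp code` in this file and for `icmpv6 type . icmpv6 code` in icmpv6.t, each with its payload entry, would keep the fixed-size datatype from regressing unnoticed. The expected output `{ prot-unreachable, 4, 33, 54, 56}` also mixes a name with bare numbers, so a one-line comment above that case saying that only some codes have names would stop the mix being taken for a bug.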
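--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -184,7 +184,7 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
-# icmp code != { 2, 4, 54, 33, 56}
+# icmp code != { prot-unreachable, 4, 33, 54, 56}
 __set%d test-ip4 3
 __set%d test-ip4 0
 	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000036  : 0 [end]	element 00000021  : 0 [end]	element 00000038  : 0 [end]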
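--- a/tests/py/ip6/icmpv6.t
+++ b/tests/py/ip6/icmpv6.t
@@ -28,10 +28,10 @@ icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-sol
 icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
 icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
 
-icmpv6 code 4;ok
+icmpv6 code 4;ok;icmpv6 code port-unreachable
 icmpv6 code 3-66;ok
-icmpv6 code {5, 6, 7} accept;ok
-icmpv6 code != {5, 6, 7} accept;ok
+icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept
+icmpv6 code != {policy-fail, reject-route, 7} accept;ok
 icmpv6 code { 3-66};ok
 icmpv6 code != { 3-66};ok
 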
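--- a/tests/py/ip6/icmpv6.t.payload.ip6
+++ b/tests/py/ip6/icmpv6.t.payload.ip6
@@ -220,7 +220,7 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
-# icmpv6 code != {5, 6, 7} accept
+# icmpv6 code != {policy-fail, reject-route, 7} accept
 __set%d test-ip6 3
 __set%d test-ip6 0
 	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 0 [end]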
-- 
2.21.0