81 lines
2.8 KiB
Diff
81 lines
2.8 KiB
Diff
From 0379244930035b3bff95281a58fa7efd7e50dd51 Mon Sep 17 00:00:00 2001
|
|
From: Jeremy Sowden <jeremy@azazel.net>
|
|
Date: Sat, 11 Dec 2021 18:55:25 +0000
|
|
Subject: [PATCH] evaluate: reject: support ethernet as L2 protocol for inet
|
|
table
|
|
|
|
When we are evaluating a `reject` statement in the `inet` family, we may
|
|
have `ether` and `ip` or `ip6` as the L2 and L3 protocols in the
|
|
evaluation context:
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority filter;
|
|
ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
|
|
}
|
|
}
|
|
|
|
Since no `reject` option is given, nft attempts to infer one and fails:
|
|
|
|
BUG: unsupported familynft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed.
|
|
Aborted
|
|
|
|
The reason it fails is that the ethernet protocol numbers for IPv4 and
|
|
IPv6 (`ETH_P_IP` and `ETH_P_IPV6`) do not match `NFPROTO_IPV4` and
|
|
`NFPROTO_IPV6`. Add support for the ethernet protocol numbers.
|
|
|
|
Replace the current `BUG("unsupported family")` error message with
|
|
something more informative that tells the user to provide an explicit
|
|
reject option.
|
|
|
|
Add a Python test case.
|
|
|
|
Fixes: 5fdd0b6a0600 ("nft: complete reject support")
|
|
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001360
|
|
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
---
|
|
src/evaluate.c | 7 +++++-
|
|
4 files changed, 52 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
index 4d4dcc2e..8edefbd1 100644
|
|
--- a/src/evaluate.c
|
|
+++ b/src/evaluate.c
|
|
@@ -2751,19 +2751,22 @@ static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
|
|
protocol = proto_find_num(base, desc);
|
|
switch (protocol) {
|
|
case NFPROTO_IPV4:
|
|
+ case __constant_htons(ETH_P_IP):
|
|
if (stmt->reject.family == NFPROTO_IPV4)
|
|
break;
|
|
return stmt_binary_error(ctx, stmt->reject.expr,
|
|
&ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
|
|
"conflicting protocols specified: ip vs ip6");
|
|
case NFPROTO_IPV6:
|
|
+ case __constant_htons(ETH_P_IPV6):
|
|
if (stmt->reject.family == NFPROTO_IPV6)
|
|
break;
|
|
return stmt_binary_error(ctx, stmt->reject.expr,
|
|
&ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
|
|
"conflicting protocols specified: ip vs ip6");
|
|
default:
|
|
- BUG("unsupported family");
|
|
+ return stmt_error(ctx, stmt,
|
|
+ "cannot infer ICMP reject variant to use: explicit value required.\n");
|
|
}
|
|
break;
|
|
}
|
|
@@ -2923,10 +2926,12 @@ static int stmt_evaluate_reject_default(struct eval_ctx *ctx,
|
|
protocol = proto_find_num(base, desc);
|
|
switch (protocol) {
|
|
case NFPROTO_IPV4:
|
|
+ case __constant_htons(ETH_P_IP):
|
|
stmt->reject.family = NFPROTO_IPV4;
|
|
stmt->reject.icmp_code = ICMP_PORT_UNREACH;
|
|
break;
|
|
case NFPROTO_IPV6:
|
|
+ case __constant_htons(ETH_P_IPV6):
|
|
stmt->reject.family = NFPROTO_IPV6;
|
|
stmt->reject.icmp_code = ICMP6_DST_UNREACH_NOPORT;
|
|
break;
|