[nft,0/3] inet reject statement fix

Message ID	20211211185525.20527-1-jeremy@azazel.net
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Jeremy Sowden <jeremy@azazel.net> To: Netfilter Devel <netfilter-devel@vger.kernel.org> Subject: [nft PATCH 0/3] inet reject statement fix Date: Sat, 11 Dec 2021 18:55:22 +0000 Message-Id: <20211211185525.20527-1-jeremy@azazel.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	inet reject statement fix \| expand [nft,0/3] inet reject statement fix [nft,1/3] proto: short-circuit loops over upper protocols [nft,2/3] evaluate: correct typo's [nft,3/3] evaluate: reject: support ethernet as L2 protcol for inet table

Message ID

20211211185525.20527-1-jeremy@azazel.net

Headers

From: Jeremy Sowden <jeremy@azazel.net>
To: Netfilter Devel <netfilter-devel@vger.kernel.org>
Subject: [nft PATCH 0/3] inet reject statement fix
Date: Sat, 11 Dec 2021 18:55:22 +0000
Message-Id: <20211211185525.20527-1-jeremy@azazel.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

inet reject statement fix | expand

Message

Jeremy Sowden Dec. 11, 2021, 6:55 p.m. UTC

The first two patches contain small improvements that I noticed while
looking into a Debian bug-report.  The third contains a fix for the
reported bug, that `inet` `reject` rules of the form:

  table inet filter {
    chain input {
      type filter hook input priority filter;
      ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
    }
  }

fail with:

  BUG: unsupported familynft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed.
  Aborted

Here's the bug-report:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001360

Jeremy Sowden (3):
  proto: short-circuit loops over upper protocols
  evaluate: correct typo's
  evaluate: reject: support ethernet as L2 protcol for inet table

 src/evaluate.c                      | 11 +++++++---
 src/proto.c                         | 10 ++++++---
 tests/py/inet/reject.t              |  2 ++
 tests/py/inet/reject.t.json         | 34 +++++++++++++++++++++++++++++
 tests/py/inet/reject.t.payload.inet | 10 +++++++++
 5 files changed, 61 insertions(+), 6 deletions(-)

Comments

Pablo Neira Ayuso Dec. 15, 2021, 9:50 p.m. UTC | #1

On Sat, Dec 11, 2021 at 06:55:22PM +0000, Jeremy Sowden wrote:
> The first two patches contain small improvements that I noticed while
> looking into a Debian bug-report.  The third contains a fix for the
> reported bug, that `inet` `reject` rules of the form:
> 
>   table inet filter {
>     chain input {
>       type filter hook input priority filter;
>       ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
>     }
>   }
> 
> fail with:
> 
>   BUG: unsupported familynft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed.
>   Aborted

Series applied, thanks.