Message ID | 148491481186.20302.13599222282579510532.stgit@nfdev2.cica.es |
---|---|
State | Changes Requested |
Delegated to: | Pablo Neira |
On Fri, Jan 20, 2017 at 01:20:11PM +0100, Arturo Borrero Gonzalez wrote:
> In the inet family, we can add rules like these:
>
> % nft add rule inet t c ip protocol icmp icmp type echo-request
> % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
>
> However, when we print the ruleset:
>
> % nft list ruleset
> table inet t {
> 	chain c {
> 		icmpv6 type echo-request
> 		icmp type echo-request
> 	}
> }
>
> These rules we obtain can't be added again:
>
> % nft add rule inet t c icmp type echo-request
> <cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp
> add rule inet t c icmp type echo-request
>                   ^^^^^^^^^
>
> % nft add rule inet t c icmpv6 type echo-request
> <cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
> add rule inet t c icmpv6 type echo-request
>                   ^^^^^^^^^^^
>
> Since I wouldn't expect an IP packet carrying ICMPv6, or an IPv6 packet
> carrying ICMP, if the link layer is inet, the network layer protocol context
> can be safely updated to 'ip' or 'ip6'.
>
> Moreover, nft currently generates a 'meta nfproto ipvX' dependency when
> using icmp or icmp6 in the inet family.

Applied, thanks Arturo.

BTW, it would be great if you can cook a patch with new tests/py lines
covering this case.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Jan 24, 2017 at 08:48:54PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 20, 2017 at 01:20:11PM +0100, Arturo Borrero Gonzalez wrote:
> > In the inet family, we can add rules like these:
> >
> > % nft add rule inet t c ip protocol icmp icmp type echo-request
> > % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
> >
> > However, when we print the ruleset:
> >
> > % nft list ruleset
> > table inet t {
> > 	chain c {
> > 		icmpv6 type echo-request
> > 		icmp type echo-request
> > 	}
> > }
> >
> > These rules we obtain can't be added again:
> >
> > % nft add rule inet t c icmp type echo-request
> > <cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp
> > add rule inet t c icmp type echo-request
> >                   ^^^^^^^^^
> >
> > % nft add rule inet t c icmpv6 type echo-request
> > <cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
> > add rule inet t c icmpv6 type echo-request
> >                   ^^^^^^^^^^^
> >
> > Since I wouldn't expect an IP packet carrying ICMPv6, or an IPv6 packet
> > carrying ICMP, if the link layer is inet, the network layer protocol context
> > can be safely updated to 'ip' or 'ip6'.
> >
> > Moreover, nft currently generates a 'meta nfproto ipvX' dependency when
> > using icmp or icmp6 in the inet family.
>
> Applied, thanks Arturo.
>
> BTW, it would be great if you can cook a patch with new tests/py lines
> covering this case.

Wait. This only solves the inet case. Bridge and netdev still remain
broken.
diff --git a/src/payload.c b/src/payload.c index af533b2..9cca838 100644 --- a/src/payload.c +++ b/src/payload.c @@ -284,7 +284,12 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, desc = &proto_inet; break; case PROTO_BASE_TRANSPORT_HDR: - desc = &proto_inet_service; + if (expr->payload.desc == &proto_icmp) + desc = &proto_ip; + else if (expr->payload.desc == &proto_icmp6) + desc = &proto_ip6; + else + desc = &proto_inet_service; break; default: break;
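Review bot: the ICMP/ICMPv6 special case is added only to this `PROTO_BASE_TRANSPORT_HDR` arm, whose sibling case sets `desc = &proto_inet`, i.e. the inet-family path, so any other family whose network layer is undetermined still falls back to `desc = &proto_inet_service` and hits the same "conflicting protocols" error; the follow-up in this thread names bridge and netdev as still broken. Consider lifting the `&proto_icmp` -> `&proto_ip` / `&proto_icmp6` -> `&proto_ip6` mapping into a small helper shared by every such family instead of patching one arm, add a one-line comment stating why ICMP implies IPv4 and ICMPv6 implies IPv6 (the commit message has the reasoning, the code does not), and land the tests/py coverage requested in the thread together with it so the list/re-add round trip stays under test.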
In the inet family, we can add rules like these:

% nft add rule inet t c ip protocol icmp icmp type echo-request
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request

However, when we print the ruleset:

% nft list ruleset
table inet t {
	chain c {
		icmpv6 type echo-request
		icmp type echo-request
	}
}

These rules we obtain can't be added again:

% nft add rule inet t c icmp type echo-request
<cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp
add rule inet t c icmp type echo-request
                  ^^^^^^^^^

% nft add rule inet t c icmpv6 type echo-request
<cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
add rule inet t c icmpv6 type echo-request
                  ^^^^^^^^^^^

Since I wouldn't expect an IP packet carrying ICMPv6, or an IPv6 packet
carrying ICMP, if the link layer is inet, the network layer protocol context
can be safely updated to 'ip' or 'ip6'.

Moreover, nft currently generates a 'meta nfproto ipvX' dependency when
using icmp or icmp6 in the inet family.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
---
 src/payload.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
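The add/list/re-add procedure described in the message, turned into a round-trip regression check; this is an added example, not code from the thread or from the nftables tree. The family, table and chain names (inet, t, c) are the thread's own, the sample listing is constructed to match the one quoted above, and the live path assumes a host with nft installed and privileges to read the ruleset.

```shell
#!/bin/sh
# Round-trip check: every rule that "nft list" prints must be re-addable as
# printed. SAMPLE_LISTING is constructed to mirror the thread's listing so the
# parsing part runs offline.
SAMPLE_LISTING='table inet t {
	chain c {
		icmpv6 type echo-request
		icmp type echo-request
	}
}'

# extract_rules FAMILY TABLE CHAIN  (listing on stdin) -> one rule per line
extract_rules() {
	awk -v fam="$1" -v tbl="$2" -v ch="$3" '
		$1 == "table" && $2 == fam && $3 == tbl { in_tbl = 1; next }
		in_tbl && $1 == "chain" && $2 == ch      { in_ch = 1; next }
		in_ch && $1 == "}"                       { in_ch = 0; in_tbl = 0; next }
		in_ch && $1 == "type"                    { next }  # hook declaration, not a rule
		in_ch && NF > 0                          { sub(/^[ \t]+/, ""); print }
	'
}

# roundtrip_cmds FAMILY TABLE CHAIN (listing on stdin) -> the re-add commands
roundtrip_cmds() {
	extract_rules "$@" | while IFS= read -r rule; do
		printf 'add rule %s %s %s %s\n' "$1" "$2" "$3" "$rule"
	done
}

# live_roundtrip FAMILY TABLE CHAIN: needs nft on the host. Each re-add is fed
# to "nft -c -f -" (check mode), so it is evaluated against the live ruleset
# but never committed; a FAIL line is the "conflicting protocols" symptom.
live_roundtrip() {
	nft list chain "$1" "$2" "$3" | roundtrip_cmds "$@" | while IFS= read -r cmd; do
		if printf '%s\n' "$cmd" | nft -c -f - 2>/dev/null; then
			printf 'OK   %s\n' "$cmd"
		else
			printf 'FAIL %s\n' "$cmd"
		fi
	done
}

# Offline demo on the constructed listing:
printf '%s\n' "$SAMPLE_LISTING" | roundtrip_cmds inet t c
```

Run `live_roundtrip inet t c` on a box where the thread's rules are loaded to see which listed rules fail to re-add before the fix and pass after it.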