From eb8dc40360f0cfef56fb6947cc817a547d6d9bc6 Mon Sep 17 00:00:00 2001 From: Dave Cobbley Date: Tue, 14 Aug 2018 10:05:37 -0700 Subject: [Subtree] Removing import-layers directory As part of the move to subtrees, need to bring all the import layers content to the top level. Change-Id: I4a163d10898cbc6e11c27f776f60e1a470049d8f Signed-off-by: Dave Cobbley Signed-off-by: Brad Bishop --- ...orce-ip-ip6-protocol-depending-on-icmp-or.patch | 84 ++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch (limited to 'meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch') diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch new file mode 100644 index 000000000..00076d7ce --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch @@ -0,0 +1,84 @@ +From f21a7a4849b50c30341ec571813bd7fe37040ad3 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 18 May 2017 13:30:54 +0200 +Subject: [PATCH 4/4] payload: enforce ip/ip6 protocol depending on icmp or + icmpv6 + +After some discussion with Pablo we agreed to treat icmp/icmpv6 specially. + +in the case of a rule like 'tcp dport 22' the inet, bridge and netdev +families only care about the lower layer protocol. + +In the icmpv6 case however we'd like to also enforce an ipv6 protocol check +(and ipv4 check in icmp case). + +This extends payload_gen_special_dependency() to consider this. +With this patch: + +add rule $pf filter input meta l4proto icmpv6 +add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request +add rule $pf filter input icmpv6 type echo-request + +will work in all tables and all families. +For inet/bridge/netdev, an ipv6 protocol dependency is added; this will +not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case +of the ip family. + +Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an +explicit dependency: + +add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ... + +Implicit dependencies won't get removed at the moment, so + bridge ... icmp type echo-request +will be shown as + ether type ip meta l4proto 1 icmp type echo-request + +Signed-off-by: Florian Westphal +--- +Upstream-Status: Backport +Signed-off-by: André Draszik + src/payload.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/src/payload.c b/src/payload.c +index 38db15e..8796ee5 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -264,10 +264,29 @@ payload_gen_special_dependency(struct eval_ctx *ctx, const struct expr *expr) + case PROTO_BASE_LL_HDR: + return payload_get_get_ll_hdr(ctx); + case PROTO_BASE_TRANSPORT_HDR: +- if (expr->payload.desc == &proto_icmp) +- return &proto_ip; +- if (expr->payload.desc == &proto_icmp6) +- return &proto_ip6; ++ if (expr->payload.desc == &proto_icmp || ++ expr->payload.desc == &proto_icmp6) { ++ const struct proto_desc *desc, *desc_upper; ++ struct stmt *nstmt; ++ ++ desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc; ++ if (!desc) { ++ desc = payload_get_get_ll_hdr(ctx); ++ if (!desc) ++ break; ++ } ++ ++ desc_upper = &proto_ip6; ++ if (expr->payload.desc == &proto_icmp) ++ desc_upper = &proto_ip; ++ ++ if (payload_add_dependency(ctx, desc, desc_upper, ++ expr, &nstmt) < 0) ++ return NULL; ++ ++ list_add_tail(&nstmt->list, &ctx->stmt->list); ++ return desc_upper; ++ } + return &proto_inet_service; + default: + break; +-- +2.11.0 + -- cgit v1.2.3