nftables: Add support for the reject action in Capirca's nftables g…

…enerator. PiperOrigin-RevId: 638645271
google · May 30, 2024 · 95c7301 · 95c7301
1 parent fe2f526
commit 95c7301
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/capirca/lib/nftables.py b/capirca/lib/nftables.py
@@ -105,7 +105,12 @@ class Term(aclgenerator.Term):
       'tcp', 'udp', 'icmp', 'esp', 'udp', 'ah', 'comp', 'udplite', 'dccp',
       'sctp', 'icmpv6'
   ])
-  _ACTIONS = {'accept': 'accept', 'deny': 'drop'}
+  # Keys: actions used in Capirca terms.
+  # Values: actions usable in nftables rules.
+  _ACTIONS = {
+      'accept': 'accept', 'deny': 'drop',
+      'reject': 'reject',
+  }
 
   def __init__(self, term, nf_af, nf_hook, verbose=True):
     """Individual instances of a Term for NFtables.
@@ -341,7 +346,8 @@ def _OptionsHandler(self, term):
     # Base chain already allows all return traffic of
     # state (ESTABLISHED, RELATED)
     # This should prevent invalid, untracked packets from being accepted.
-    if 'deny' not in term.action and not term.icmp_type:
+    if ('deny' not in term.action and 'reject' not in term.action and
+        not term.icmp_type):
       options.append('ct state new')
 
     # 'logging' handling.
@@ -663,6 +669,7 @@ def _BuildTokens(self):
         'action': {
             'accept',
             'deny',
+            'reject',
         },
         'icmp_type':
             set(

diff --git a/policies/pol/sample_nftables.pol b/policies/pol/sample_nftables.pol
@@ -12,6 +12,16 @@ term default-accept {
   action:: accept
 }
 
+# TODO: move test-icmp-type-ip4-reject below, once targets have been changed
+# from newnftables to nftables in a followup commit. Use of nftables means the
+# terms do not show up in generated files.
+term test-icmp-type-ip4-reject {
+  comment:: "IPv4 icmp-type - test reject action"
+  icmp-type:: router-advertisement
+  protocol:: icmp
+  action:: reject
+}
+
 header {
   comment:: "Inbound traffic nftables policy example"
   target:: newnftables inet INPUT

diff --git a/tests/lib/nftables_test.py b/tests/lib/nftables_test.py
@@ -67,7 +67,7 @@ def __init__(self, in_dict: dict):
 })
 
 SUPPORTED_SUB_TOKENS = {
-    'action': {'accept', 'deny'},
+    'action': {'accept', 'deny', 'reject'},
     'option': {'established', 'tcp-established'},
     'icmp_type': {
         'alternate-address',
@@ -358,6 +358,14 @@ def __init__(self, in_dict: dict):
 }
 """
 
+ALL_SRCIP_REJECT = """
+term all-src-addr {
+  comment:: "Test the reject action. v4/v6"
+  source-address:: TEST_IPS
+  action:: reject
+}
+"""
+
 EXCLUDE = {'ip6': [nacaddr.IP('::/3'), nacaddr.IP('::/0')]}
 
 # Print a info message when a term is set to expire in that many weeks.
@@ -928,6 +936,11 @@ def testRulesetGeneratorAF(self, policy_data: str, expected_inet: str):
           TEST_IPS,
           'ip saddr 10.2.3.4/32 drop comment "All IP address families. v4/v6"',
       ),
+      (
+          HEADER_MIXED_AF + ALL_SRCIP_REJECT,
+          TEST_IPS,
+          'ip saddr 10.2.3.4/32 reject comment "Test the reject action. v4/v6"',
+      ),
       (GOOD_HEADER_3 + ICMP_SINGLE_TYPE, TEST_IPS, 'icmp type router-solicit'),
       (
           GOOD_HEADER_1 + ICMPV6_SINGLE_TYPE,