path: root/tests
diff options
authorPablo Neira Ayuso <>2020-10-27 13:28:23 +0100
committerPablo Neira Ayuso <>2020-10-27 15:12:42 +0100
commit4edc838408a34a8958671103e7446ddc2dae918b (patch)
treea6859c5dc14f4bdb54695e85fd1927fc1a99e95e /tests
parenta08af5d26297eb85218a3c3a9e0991001a88cf10 (diff)
conntrack: default to unspec family for dualstack setups
2bcbae4c14b2 ("conntrack: -f family filter does not work") restored the fallback to IPv4 if -f is not specified, which was the original behaviour. This patch modifies the default to use the unspec family if -f is not specified for the following ct commands: - list - update - delete - get (these two commands below do not support for -f though, but in case this is extended in the future to support it): - flush - event The existing code that parses IPv4 and IPv6 addresses already infers the family, which simplifies the introduction of this update. The expect commands are not updated, they still require many mandatory options for filtering. This patch includes a few test updates too. Based on patch from Mikhail Sennikovsky. Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'tests')
2 files changed, 13 insertions, 0 deletions
diff --git a/tests/conntrack/testsuite/01delete b/tests/conntrack/testsuite/01delete
index 2755491..64dbb10 100644
--- a/tests/conntrack/testsuite/01delete
+++ b/tests/conntrack/testsuite/01delete
@@ -30,3 +30,8 @@
-D -s -d ; OK
# try same command again but with CIDR (no matching found)
-D -s -d ; BAD
+# try to delete mismatching address family
+-D -s ::1 -d ; BAD
+# try to delete IPv6 address without specifying IPv6 family
+-I -s ::1 -d ::2 -p tcp --sport 20 --dport 10 --state LISTEN -u SEEN_REPLY -t 40 ; OK
+-D -s ::1 ; OK
diff --git a/tests/conntrack/testsuite/02filter b/tests/conntrack/testsuite/02filter
index 91a75eb..d58637f 100644
--- a/tests/conntrack/testsuite/02filter
+++ b/tests/conntrack/testsuite/02filter
@@ -23,5 +23,13 @@ conntrack -L --mark 0/0xffffffff; OK
conntrack -L -s --mask-src -d --mask-dst ; OK
conntrack -L -s -d ; OK
conntrack -L -s -d ; OK
+# filter filter mismatching address family
+conntrack -L -s -d ::1 ; BAD
+# filter by IPv6 address, it implicitly sets IPv6 family
+conntrack -L -s ::1 ; OK
+# filter by IPv6 address mask, it implicitly sets IPv6 family
+conntrack -L -s abcd:abcd:abcd:: --mask-src ffff:ffff:ffff:: ; OK
+# filter filter mismatching address family
+conntrack -L --mask-src ffff:ffff:ffff:: --mask-dst ; BAD
# delete dummy
conntrack -D -d ; OK