diff options
| author | Phil Sutter <phil@nwl.cc> | 2023-12-21 13:24:09 +0100 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2024-01-10 23:33:24 +0100 |
| commit | b1ae6a45c9f38a60a13d9ecb88dcbeb12e5d13e0 (patch) | |
| tree | 266b5b45b82dc62ad087562088c87e96bd74b557 /extensions/libebt_ip6.t | |
| parent | f4721951baca81b7d74c5551d0f5c599dbb89bf1 (diff) | |
ebtables: Default to extrapositioned negations
ebtables-nft has always supported both intra- and extrapositioned
negations but defaulted to intrapositioned when printing/saving rules.
With commit 58d364c7120b5 ("ebtables: Use do_parse() from xshared")
though, it started to warn about intrapositioned negations. So change
the default to avoid mandatory warnings when e.g. loading previously
dumped rulesets.
Also adjust test cases, help texts and ebtables-nft.8 accordingly.
Cc: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions/libebt_ip6.t')
| -rw-r--r-- | extensions/libebt_ip6.t | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/extensions/libebt_ip6.t b/extensions/libebt_ip6.t index 19358431..58e3c73c 100644 --- a/extensions/libebt_ip6.t +++ b/extensions/libebt_ip6.t @@ -1,22 +1,22 @@ :INPUT,FORWARD,OUTPUT --p ip6 --ip6-src ! dead::beef/64 -j ACCEPT;-p IPv6 --ip6-src ! dead::/64 -j ACCEPT;OK +-p ip6 ! --ip6-src dead::beef/64 -j ACCEPT;-p IPv6 ! --ip6-src dead::/64 -j ACCEPT;OK -p IPv6 --ip6-dst dead:beef::/64 -j ACCEPT;=;OK -p IPv6 --ip6-dst f00:ba::;=;OK --p IPv6 --ip6-dst ! f00:ba::;=;OK +-p IPv6 ! --ip6-dst f00:ba::;=;OK -p IPv6 --ip6-src 10.0.0.1;;FAIL -p IPv6 --ip6-tclass 0xFF;=;OK --p IPv6 --ip6-tclass ! 0xFF;=;OK +-p IPv6 ! --ip6-tclass 0xFF;=;OK -p IPv6 --ip6-proto tcp --ip6-dport 22;=;OK --p IPv6 --ip6-proto tcp --ip6-dport ! 22;=;OK --p IPv6 --ip6-proto tcp --ip6-sport ! 22 --ip6-dport 22;=;OK +-p IPv6 --ip6-proto tcp ! --ip6-dport 22;=;OK +-p IPv6 --ip6-proto tcp ! --ip6-sport 22 --ip6-dport 22;=;OK -p IPv6 --ip6-proto udp --ip6-sport 1024:65535;=;OK -p IPv6 --ip6-proto 253;=;OK --p IPv6 --ip6-proto ! 253;=;OK +-p IPv6 ! --ip6-proto 253;=;OK -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request -j CONTINUE;=;OK -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request;=;OK --p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type ! echo-request;=;OK +-p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type echo-request;=;OK -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type 1/1;-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type communication-prohibited -j CONTINUE;OK --p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type ! 1:10/0:255;=;OK +-p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;OK --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;FAIL ! -p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;FAIL -p IPv6 --ip6-proto tcp --ip6-sport 22 --ip6-icmp-type echo-request;;FAIL |