author | Florian Westphal <fw@strlen.de> | 2017-05-25 09:14:58 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2017-05-25 09:16:38 +0200 |
commit | bb6a7f201a817652dd2c795539236c9319a23ad7 (patch) | |
tree | 1d56b003ba39a44ef0acca8f777389b7eccad394 /tests/py/inet/comp.t.payload.netdev | |
parent | 1e6ae0e42bdc161d178277c336886e18c259caf5 (diff) | |
parent | 5f46b18745d18c486e959c93da649c18c8b10fe0 (diff) |
Merge branch 'meta_l4_dependency'
Currently nft inserts different types of dependencies for l4 protocols,
depending on the family.
For inet, nft inserts 'meta l4proto' to e.g. check for tcp, for
ip, nft uses 'ip protocol'. Both are fine. The ip6 family however
uses 'ip6 nexthdr', and that's a problem because e.g. tcp dport 22 will
not match packets that use ipv6 extension headers.
The series switches both ipv6 and ipv4 to use meta l4 instead
so ipv6 will always check the last transport header value.
We could ignore ip as only ipv6 uses extension headers.
However, switching ipv4 as well makes things a bit simpler because nft
then creates the same l4 dependency for all families.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests/py/inet/comp.t.payload.netdev')
-rw-r--r-- | tests/py/inet/comp.t.payload.netdev | 145 |
1 files changed, 0 insertions, 145 deletions
diff --git a/tests/py/inet/comp.t.payload.netdev b/tests/py/inet/comp.t.payload.netdev
deleted file mode 100644
index dec38aea..00000000
--- a/tests/py/inet/comp.t.payload.netdev
+++ /dev/null
@@ -1,145 +0,0 @@
-# comp nexthdr != esp
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp neq reg 1 0x00000032 ]
-
-# comp flags 0x0
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ cmp eq reg 1 0x00000000 ]
-
-# comp flags != 0x23
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ cmp neq reg 1 0x00000023 ]
-
-# comp flags 0x33-0x45
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ cmp gte reg 1 0x00000033 ]
- [ cmp lte reg 1 0x00000045 ]
-
-# comp flags != 0x33-0x45
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ range neq reg 1 0x00000033 0x00000045 ]
-
-# comp flags {0x33, 0x55, 0x67, 0x88}
-__set%d test-inet 3
-__set%d test-inet 0
- element 00000033 : 0 [end] element 00000055 : 0 [end] element 00000067 : 0 [end] element 00000088 : 0 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# comp flags != {0x33, 0x55, 0x67, 0x88}
-__set%d test-inet 3
-__set%d test-inet 0
- element 00000033 : 0 [end] element 00000055 : 0 [end] element 00000067 : 0 [end] element 00000088 : 0 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
-# comp flags { 0x33-0x55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# comp flags != { 0x33-0x55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
-# comp cpi 22
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp eq reg 1 0x00001600 ]
-
-# comp cpi != 233
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp neq reg 1 0x0000e900 ]
-
-# comp cpi 33-45
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp gte reg 1 0x00002100 ]
- [ cmp lte reg 1 0x00002d00 ]
-
-# comp cpi != 33-45
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ range neq reg 1 0x00002100 0x00002d00 ]
-
-# comp cpi {33, 55, 67, 88}
-__set%d test-inet 3
-__set%d test-inet 0
- element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# comp cpi != {33, 55, 67, 88}
-__set%d test-inet 3
-__set%d test-inet 0
- element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
-# comp cpi { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# comp cpi != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
|