Merge branch 'meta_l4_dependency'

Currently nft inserts different types of dependencies for l4 protocols,
depending on the family.

For inet, nft inserts 'meta l4proto' to e.g. check for tcp, for
ip, nft uses 'ip protocol'. Both are fine.  The ip6 family however
uses 'ip6 nexthdr', and thats a problem because e.g. tcp dport 22 will
not match packets that use ipv6 extension headers.

The series switches both ipv6 and ipv4 to use meta l4 instead
so ipv6 will always check the last transport header value.

We could ignore ip as only ipv6 uses extension headers.
However, switching ipv4 as well makes things a bit simpler because nft
then creates the same l4 dependency for all families.

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

1 files changed, 0 insertions, 276 deletions

diff --git a/tests/py/inet/sctp.t.payload.ip b/tests/py/inet/sctp.t.payload.ip
deleted file mode 100644
index 4d8a7246..00000000
--- a/tests/py/inet/sctp.t.payload.ip
+++ /dev/null
@@ -1,276 +0,0 @@
-# sctp sport 23
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 0 => reg 1 ]
-  [ cmp eq reg 1 0x00001700 ]
-
-# sctp sport != 23
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 0 => reg 1 ]
-  [ cmp neq reg 1 0x00001700 ]
-
-# sctp sport 23-44
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 0 => reg 1 ]
-  [ cmp gte reg 1 0x00001700 ]
-  [ cmp lte reg 1 0x00002c00 ]
-
-# sctp sport != 23-44
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 0 => reg 1 ]
-  [ range neq reg 1 0x00001700 0x00002c00 ]
-
-# sctp sport { 23, 24, 25}
-__set%d test-ip4 3
-__set%d test-ip4 0
-	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 0 => reg 1 ]
-  [ lookup reg 1 set __set%d ]
-
-# sctp sport != { 23, 24, 25}
-__set%d test-ip4 3
-__set%d test-ip4 0
-	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 0 => reg 1 ]
-  [ lookup reg 1 set __set%d 0x1 ]
-
-# sctp sport { 23-44}
-__set%d test-ip4 7
-__set%d test-ip4 0
-	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 0 => reg 1 ]
-  [ lookup reg 1 set __set%d ]
-
-# sctp sport != { 23-44}
-__set%d test-ip4 7
-__set%d test-ip4 0
-	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 0 => reg 1 ]
-  [ lookup reg 1 set __set%d 0x1 ]
-
-# sctp dport 23
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 2 => reg 1 ]
-  [ cmp eq reg 1 0x00001700 ]
-
-# sctp dport != 23
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 2 => reg 1 ]
-  [ cmp neq reg 1 0x00001700 ]
-
-# sctp dport 23-44
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 2 => reg 1 ]
-  [ cmp gte reg 1 0x00001700 ]
-  [ cmp lte reg 1 0x00002c00 ]
-
-# sctp dport != 23-44
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 2 => reg 1 ]
-  [ range neq reg 1 0x00001700 0x00002c00 ]
-
-# sctp dport { 23, 24, 25}
-__set%d test-ip4 3
-__set%d test-ip4 0
-	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 2 => reg 1 ]
-  [ lookup reg 1 set __set%d ]
-
-# sctp dport != { 23, 24, 25}
-__set%d test-ip4 3
-__set%d test-ip4 0
-	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 2 => reg 1 ]
-  [ lookup reg 1 set __set%d 0x1 ]
-
-# sctp dport { 23-44}
-__set%d test-ip4 7
-__set%d test-ip4 0
-	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 2 => reg 1 ]
-  [ lookup reg 1 set __set%d ]
-
-# sctp dport != { 23-44}
-__set%d test-ip4 7
-__set%d test-ip4 0
-	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 2b @ transport header + 2 => reg 1 ]
-  [ lookup reg 1 set __set%d 0x1 ]
-
-# sctp checksum 1111
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 8 => reg 1 ]
-  [ cmp eq reg 1 0x57040000 ]
-
-# sctp checksum != 11
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 8 => reg 1 ]
-  [ cmp neq reg 1 0x0b000000 ]
-
-# sctp checksum 21-333
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 8 => reg 1 ]
-  [ cmp gte reg 1 0x15000000 ]
-  [ cmp lte reg 1 0x4d010000 ]
-
-# sctp checksum != 32-111
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 8 => reg 1 ]
-  [ range neq reg 1 0x20000000 0x6f000000 ]
-
-# sctp checksum { 22, 33, 44}
-__set%d test-ip4 3
-__set%d test-ip4 0
-	element 16000000  : 0 [end]	element 21000000  : 0 [end]	element 2c000000  : 0 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 8 => reg 1 ]
-  [ lookup reg 1 set __set%d ]
-
-# sctp checksum != { 22, 33, 44}
-__set%d test-ip4 3
-__set%d test-ip4 0
-	element 16000000  : 0 [end]	element 21000000  : 0 [end]	element 2c000000  : 0 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 8 => reg 1 ]
-  [ lookup reg 1 set __set%d 0x1 ]
-
-# sctp checksum { 22-44}
-__set%d test-ip4 7
-__set%d test-ip4 0
-	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 2d000000  : 1 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 8 => reg 1 ]
-  [ lookup reg 1 set __set%d ]
-
-# sctp checksum != { 22-44}
-__set%d test-ip4 7
-__set%d test-ip4 0
-	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 2d000000  : 1 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 8 => reg 1 ]
-  [ lookup reg 1 set __set%d 0x1 ]
-
-# sctp vtag 22
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 4 => reg 1 ]
-  [ cmp eq reg 1 0x16000000 ]
-
-# sctp vtag != 233
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 4 => reg 1 ]
-  [ cmp neq reg 1 0xe9000000 ]
-
-# sctp vtag 33-45
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 4 => reg 1 ]
-  [ cmp gte reg 1 0x21000000 ]
-  [ cmp lte reg 1 0x2d000000 ]
-
-# sctp vtag != 33-45
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 4 => reg 1 ]
-  [ range neq reg 1 0x21000000 0x2d000000 ]
-
-# sctp vtag {33, 55, 67, 88}
-__set%d test-ip4 3
-__set%d test-ip4 0
-	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 4 => reg 1 ]
-  [ lookup reg 1 set __set%d ]
-
-# sctp vtag != {33, 55, 67, 88}
-__set%d test-ip4 3
-__set%d test-ip4 0
-	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 4 => reg 1 ]
-  [ lookup reg 1 set __set%d 0x1 ]
-
-# sctp vtag { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
-	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 4 => reg 1 ]
-  [ lookup reg 1 set __set%d ]
-
-# sctp vtag != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
-	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
-ip test-ip4 input
-  [ payload load 1b @ network header + 9 => reg 1 ]
-  [ cmp eq reg 1 0x00000084 ]
-  [ payload load 4b @ transport header + 4 => reg 1 ]
-  [ lookup reg 1 set __set%d 0x1 ]
-