authorFlorian Westphal <fw@strlen.de>2017-05-25 09:14:58 +0200
committerFlorian Westphal <fw@strlen.de>2017-05-25 09:16:38 +0200
commitbb6a7f201a817652dd2c795539236c9319a23ad7 (patch)
tree1d56b003ba39a44ef0acca8f777389b7eccad394 /tests/py/inet/udp.t.payload.ip6
parent1e6ae0e42bdc161d178277c336886e18c259caf5 (diff)
parent5f46b18745d18c486e959c93da649c18c8b10fe0 (diff)
Merge branch 'meta_l4_dependency'
Currently nft inserts different types of dependencies for l4 protocols, depending on the family. For inet, nft inserts 'meta l4proto' to e.g. check for tcp; for ip, nft uses 'ip protocol'. Both are fine. The ip6 family however uses 'ip6 nexthdr', and that's a problem because e.g. tcp dport 22 will not match packets that use ipv6 extension headers. The series switches both ipv6 and ipv4 to use meta l4 instead so ipv6 will always check the last transport header value. We could ignore ip as only ipv6 uses extension headers. However, switching ipv4 as well makes things a bit simpler because nft then creates the same l4 dependency for all families. Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests/py/inet/udp.t.payload.ip6')
-rw-r--r--tests/py/inet/udp.t.payload.ip6330
1 files changed, 0 insertions, 330 deletions
diff --git a/tests/py/inet/udp.t.payload.ip6 b/tests/py/inet/udp.t.payload.ip6
deleted file mode 100644
index d16e0075..00000000
--- a/tests/py/inet/udp.t.payload.ip6
+++ /dev/null
@@ -1,330 +0,0 @@
-# udp sport 80 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00005000 ]
- [ immediate reg 0 accept ]
-
-# udp sport != 60 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ cmp neq reg 1 0x00003c00 ]
- [ immediate reg 0 accept ]
-
-# udp sport 50-70 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ cmp gte reg 1 0x00003200 ]
- [ cmp lte reg 1 0x00004600 ]
- [ immediate reg 0 accept ]
-
-# udp sport != 50-60 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ range neq reg 1 0x00003200 0x00003c00 ]
- [ immediate reg 0 accept ]
-
-# udp sport { 49, 50} drop
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00003100 : 0 [end] element 00003200 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 drop ]
-
-# udp sport != { 50, 60} accept
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00003200 : 0 [end] element 00003c00 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
-# udp sport { 12-40}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udp sport != { 13-24}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000d00 : 0 [end] element 00001900 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
-# udp dport 80 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp eq reg 1 0x00005000 ]
- [ immediate reg 0 accept ]
-
-# udp dport != 60 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp neq reg 1 0x00003c00 ]
- [ immediate reg 0 accept ]
-
-# udp dport 70-75 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp gte reg 1 0x00004600 ]
- [ cmp lte reg 1 0x00004b00 ]
- [ immediate reg 0 accept ]
-
-# udp dport != 50-60 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ range neq reg 1 0x00003200 0x00003c00 ]
- [ immediate reg 0 accept ]
-
-# udp dport { 49, 50} drop
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00003100 : 0 [end] element 00003200 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 drop ]
-
-# udp dport != { 50, 60} accept
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00003200 : 0 [end] element 00003c00 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
-# udp dport { 70-75} accept
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 accept ]
-
-# udp dport != { 50-60} accept
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00003200 : 0 [end] element 00003d00 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
-# udp length 6666
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ cmp eq reg 1 0x00000a1a ]
-
-# udp length != 6666
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ cmp neq reg 1 0x00000a1a ]
-
-# udp length 50-65 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ cmp gte reg 1 0x00003200 ]
- [ cmp lte reg 1 0x00004100 ]
- [ immediate reg 0 accept ]
-
-# udp length != 50-65 accept
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ range neq reg 1 0x00003200 0x00004100 ]
- [ immediate reg 0 accept ]
-
-# udp length { 50, 65} accept
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00003200 : 0 [end] element 00004100 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 accept ]
-
-# udp length != { 50, 65} accept
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00003200 : 0 [end] element 00004100 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
-# udp length { 35-50}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udp length != { 35-50}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
-# udp checksum 6666 drop
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000a1a ]
- [ immediate reg 0 drop ]
-
-# udp checksum != { 444, 555} accept
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 0000bc01 : 0 [end] element 00002b02 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
-# udp checksum 22
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00001600 ]
-
-# udp checksum != 233
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ cmp neq reg 1 0x0000e900 ]
-
-# udp checksum 33-45
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ cmp gte reg 1 0x00002100 ]
- [ cmp lte reg 1 0x00002d00 ]
-
-# udp checksum != 33-45
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ range neq reg 1 0x00002100 0x00002d00 ]
-
-# udp checksum { 33, 55, 67, 88}
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udp checksum != { 33, 55, 67, 88}
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
-# udp checksum { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udp checksum != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
-# iif "lo" udp checksum set 0
-ip6 test-ip6 input
- [ meta load iif => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ immediate reg 1 0x00000000 ]
- [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 csum_flags 0x0 ]
-
-# iif "lo" udp dport set 65535
-ip test-ip4 input
- [ meta load iif => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ immediate reg 1 0x0000ffff ]
- [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 csum_flags 0x0 ]