diff options
author | Florian Westphal <fw@strlen.de> | 2017-05-25 09:14:58 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2017-05-25 09:16:38 +0200 |
commit | bb6a7f201a817652dd2c795539236c9319a23ad7 (patch) | |
tree | 1d56b003ba39a44ef0acca8f777389b7eccad394 /tests/py/ip6/tcpopt.t.payload | |
parent | 1e6ae0e42bdc161d178277c336886e18c259caf5 (diff) | |
parent | 5f46b18745d18c486e959c93da649c18c8b10fe0 (diff) |
Merge branch 'meta_l4_dependency'
Currently nft inserts different types of dependencies for l4 protocols,
depending on the family.
For inet, nft inserts 'meta l4proto' to e.g. check for tcp, for
ip, nft uses 'ip protocol'. Both are fine. The ip6 family however
uses 'ip6 nexthdr', and thats a problem because e.g. tcp dport 22 will
not match packets that use ipv6 extension headers.
The series switches both ipv6 and ipv4 to use meta l4 instead
so ipv6 will always check the last transport header value.
We could ignore ip as only ipv6 uses extension headers.
However, switching ipv4 as well makes things a bit simpler because nft
then creates the same l4 dependency for all families.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests/py/ip6/tcpopt.t.payload')
-rw-r--r-- | tests/py/ip6/tcpopt.t.payload | 52 |
1 files changed, 26 insertions, 26 deletions
diff --git a/tests/py/ip6/tcpopt.t.payload b/tests/py/ip6/tcpopt.t.payload index 88e277d1..4b189197 100644 --- a/tests/py/ip6/tcpopt.t.payload +++ b/tests/py/ip6/tcpopt.t.payload @@ -1,181 +1,181 @@ # tcp option eol kind 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 0 + 0 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option noop kind 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 1 + 0 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option maxseg kind 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 2 + 0 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option maxseg length 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 2 + 1 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option maxseg size 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 2b @ 2 + 2 => reg 1 ] [ cmp eq reg 1 0x00000100 ] # tcp option window kind 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 3 + 0 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option window length 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 3 + 1 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option window count 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 3 + 2 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option sack-permitted kind 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 4 + 0 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option sack-permitted length 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 4 + 1 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option sack kind 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 5 + 0 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option sack length 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 5 + 1 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option sack left 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack0 left 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack1 left 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 10 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack2 left 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 18 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack3 left 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 26 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack right 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack0 right 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack1 right 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 14 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack2 right 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 22 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option sack3 right 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 5 + 30 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option timestamp kind 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 8 + 0 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option timestamp length 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 1b @ 8 + 1 => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option timestamp tsval 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 8 + 2 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # tcp option timestamp tsecr 1 ip6 test-ip input - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ exthdr load tcpopt 4b @ 8 + 6 => reg 1 ] [ cmp eq reg 1 0x01000000 ] |