diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-21 10:28:37 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-21 18:49:07 +0200 |
| commit | 7f742d0a9071f932836b4f8525a6d3f7261ae083 (patch) | |
| tree | cd972674de9ea2efbd6e39747acd435b100bf154 /tests/py/ip | |
| parent | fb5a36ad5c1032244cf76171648fdefbbe571519 (diff) | |
ct: support for NFT_CT_{SRC,DST}_{IP,IP6}
These keys are available since kernel >= 4.17.
You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta
protocol' in first place to provide layer 3 context.
Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations.
This patch is implicitly fixing these cases.
If your kernel is < 4.17, you can still use address matching via
explicit meta nfproto:
meta nfproto ipv4 ct original saddr 1.2.3.4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/ip')
| -rw-r--r-- | tests/py/ip/ct.t.json | 24 | ||||
| -rw-r--r-- | tests/py/ip/ct.t.payload | 16 |
2 files changed, 16 insertions, 24 deletions
diff --git a/tests/py/ip/ct.t.json b/tests/py/ip/ct.t.json index cc3ab692..881cd4c9 100644 --- a/tests/py/ip/ct.t.json +++ b/tests/py/ip/ct.t.json @@ -5,8 +5,7 @@ "left": { "ct": { "dir": "original", - "family": "ip", - "key": "saddr" + "key": "ip saddr" } }, "op": "==", @@ -22,8 +21,7 @@ "left": { "ct": { "dir": "reply", - "family": "ip", - "key": "saddr" + "key": "ip saddr" } }, "op": "==", @@ -39,8 +37,7 @@ "left": { "ct": { "dir": "original", - "family": "ip", - "key": "daddr" + "key": "ip daddr" } }, "op": "==", @@ -56,8 +53,7 @@ "left": { "ct": { "dir": "reply", - "family": "ip", - "key": "daddr" + "key": "ip daddr" } }, "op": "==", @@ -73,8 +69,7 @@ "left": { "ct": { "dir": "original", - "family": "ip", - "key": "saddr" + "key": "ip saddr" } }, "op": "==", @@ -95,8 +90,7 @@ "left": { "ct": { "dir": "reply", - "family": "ip", - "key": "saddr" + "key": "ip saddr" } }, "op": "==", @@ -117,8 +111,7 @@ "left": { "ct": { "dir": "original", - "family": "ip", - "key": "daddr" + "key": "ip daddr" } }, "op": "==", @@ -139,8 +132,7 @@ "left": { "ct": { "dir": "reply", - "family": "ip", - "key": "daddr" + "key": "ip daddr" } }, "op": "==", diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload index b7cd130d..d5faed4c 100644 --- a/tests/py/ip/ct.t.payload +++ b/tests/py/ip/ct.t.payload @@ -1,44 +1,44 @@ # ct original ip saddr 192.168.0.1 ip test-ip4 output - [ ct load src => reg 1 , dir original ] + [ ct load src_ip => reg 1 , dir original ] [ cmp eq reg 1 0x0100a8c0 ] # ct reply ip saddr 192.168.0.1 ip test-ip4 output - [ ct load src => reg 1 , dir reply ] + [ ct load src_ip => reg 1 , dir reply ] [ cmp eq reg 1 0x0100a8c0 ] # ct original ip daddr 192.168.0.1 ip test-ip4 output - [ ct load dst => reg 1 , dir original ] + [ ct load dst_ip => reg 1 , dir original ] [ cmp eq reg 1 0x0100a8c0 ] # ct reply ip daddr 192.168.0.1 ip test-ip4 output - [ ct load dst => reg 1 , dir reply ] + [ ct load dst_ip => reg 1 , dir reply ] [ cmp eq reg 1 0x0100a8c0 ] # ct original ip saddr 192.168.1.0/24 ip test-ip4 output - [ ct load src => reg 1 , dir original ] + [ ct load src_ip => reg 1 , dir original ] [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0001a8c0 ] # ct reply ip saddr 192.168.1.0/24 ip test-ip4 output - [ ct load src => reg 1 , dir reply ] + [ ct load src_ip => reg 1 , dir reply ] [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0001a8c0 ] # ct original ip daddr 192.168.1.0/24 ip test-ip4 output - [ ct load dst => reg 1 , dir original ] + [ ct load dst_ip => reg 1 , dir original ] [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0001a8c0 ] # ct reply ip daddr 192.168.1.0/24 ip test-ip4 output - [ ct load dst => reg 1 , dir reply ] + [ ct load dst_ip => reg 1 , dir reply ] [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0001a8c0 ] |