diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-03-18 13:10:55 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-03-20 18:50:03 +0100 |
commit | b11b6c68e61ea294eb4c313705ccfe3e7b0eda87 (patch) | |
tree | d84b4a22c6648a2bf7d2774801db85bd56c3b345 /tests/shell/testcases/nft-f/dumps/sample-ruleset.nft | |
parent | ea011231c06cbe828cf6056bc9c3d116e1f528d5 (diff) |
netlink_delinearize: restore binop syntax when listing ruleset for flags
c3d57114f119 ("parser_bison: add shortcut syntax for matching flags
without binary operations") provides a similar syntax to iptables using
a prefix representation for flag matching.
Restore original representation using binop when listing the ruleset.
The parser still accepts the prefix notation for backward compatibility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases/nft-f/dumps/sample-ruleset.nft')
-rw-r--r-- | tests/shell/testcases/nft-f/dumps/sample-ruleset.nft | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft index 480b694a..1a9f4e7a 100644 --- a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft +++ b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft @@ -73,7 +73,7 @@ table inet filter { chain ct_new_pre { jump rpfilter - tcp flags != syn / fin,syn,rst,ack counter packets 0 bytes 0 drop + tcp flags & (fin | syn | rst | ack) != syn counter packets 0 bytes 0 drop iifname "eth0" meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 } } @@ -131,7 +131,7 @@ table inet filter { type filter hook forward priority mangle; policy accept; oifname "eth0" jump { ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 } - tcp flags syn / syn,rst tcp option maxseg size set rt mtu + tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu } } |