diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-03-18 13:10:55 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-03-20 18:50:03 +0100 |
commit | b11b6c68e61ea294eb4c313705ccfe3e7b0eda87 (patch) | |
tree | d84b4a22c6648a2bf7d2774801db85bd56c3b345 /tests/shell/testcases | |
parent | ea011231c06cbe828cf6056bc9c3d116e1f528d5 (diff) |
netlink_delinearize: restore binop syntax when listing ruleset for flags
c3d57114f119 ("parser_bison: add shortcut syntax for matching flags
without binary operations") provides a similar syntax to iptables using
a prefix representation for flag matching.
Restore original representation using binop when listing the ruleset.
The parser still accepts the prefix notation for backward compatibility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
-rw-r--r-- | tests/shell/testcases/nft-f/dumps/sample-ruleset.nft | 4 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/tcp_options | 16 |
2 files changed, 10 insertions, 10 deletions
diff --git a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft index 480b694a..1a9f4e7a 100644 --- a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft +++ b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft @@ -73,7 +73,7 @@ table inet filter { chain ct_new_pre { jump rpfilter - tcp flags != syn / fin,syn,rst,ack counter packets 0 bytes 0 drop + tcp flags & (fin | syn | rst | ack) != syn counter packets 0 bytes 0 drop iifname "eth0" meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 } } @@ -131,7 +131,7 @@ table inet filter { type filter hook forward priority mangle; policy accept; oifname "eth0" jump { ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 } - tcp flags syn / syn,rst tcp option maxseg size set rt mtu + tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu } } diff --git a/tests/shell/testcases/packetpath/tcp_options b/tests/shell/testcases/packetpath/tcp_options index 1c9ee532..88552226 100755 --- a/tests/shell/testcases/packetpath/tcp_options +++ b/tests/shell/testcases/packetpath/tcp_options @@ -15,14 +15,14 @@ table inet t { chain c { type filter hook output priority 0; tcp dport != 22345 accept - tcp flags syn / fin,syn,rst,ack tcp option 254 length ge 4 counter name nomatchc drop - tcp flags syn / fin,syn,rst,ack tcp option fastopen length ge 2 reset tcp option fastopen counter name nomatchc - tcp flags syn / fin,syn,rst,ack tcp option sack-perm missing counter name nomatchc - tcp flags syn / fin,syn,rst,ack tcp option sack-perm exists counter name sackpermc - tcp flags syn / fin,syn,rst,ack tcp option maxseg size gt 1400 counter name maxsegc - tcp flags syn / fin,syn,rst,ack tcp option nop missing counter name nomatchc - tcp flags syn / fin,syn,rst,ack tcp option nop exists counter name nopc - tcp flags syn / fin,syn,rst,ack drop + tcp flags & (fin | syn | rst | ack ) == syn tcp option 254 length ge 4 counter name nomatchc drop + tcp flags & (fin | syn | rst | ack ) == syn tcp option fastopen length ge 2 reset tcp option fastopen counter name nomatchc + tcp flags & (fin | syn | rst | ack ) == syn tcp option sack-perm missing counter name nomatchc + tcp flags & (fin | syn | rst | ack) == syn tcp option sack-perm exists counter name sackpermc + tcp flags & (fin | syn | rst | ack) == syn tcp option maxseg size gt 1400 counter name maxsegc + tcp flags & (fin | syn | rst | ack) == syn tcp option nop missing counter name nomatchc + tcp flags & (fin | syn | rst | ack) == syn tcp option nop exists counter name nopc + tcp flags & (fin | syn | rst | ack) == syn drop } } EOF |