author | Florian Westphal <fw@strlen.de> | 2019-07-22 11:37:40 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2019-07-22 14:34:46 +0200 |
commit | f793ca54017f823a4f34df7f75e1df369b726326 (patch) | |
tree | e4a5b037b38d3f093248e0a9320f4a0ae0d323ce /tests | |
parent | 47a81d90a780269710266c2669388fb827ee5a0e (diff) |
src: evaluate: support prefix expression in statements
Currently nft dumps core when it encounters a prefix expression as
part of a statement, e.g.
iifname ens3 snat to 10.0.0.0/28
yields:
BUG: unknown expression type prefix
nft: netlink_linearize.c:688: netlink_gen_expr: Assertion `0' failed.
This assertion is correct -- we can't linearize a prefix because
kernel doesn't know what that is.
For LHS prefixes, they get converted to a binary 'and' such as
'10.0.0.0 & 255.255.255.240'. For RHS, we can do something similar
and convert them into a range.
snat to 10.0.0.0/28 will be converted into:
iifname "ens3" snat to 10.0.0.0-10.0.0.15
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1187
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/py/ip6/dnat.t | 2 | ||||
-rw-r--r-- | tests/py/ip6/dnat.t.json | 27 | ||||
-rw-r--r-- | tests/py/ip6/dnat.t.payload.ip6 | 12 |
3 files changed, 41 insertions, 0 deletions
diff --git a/tests/py/ip6/dnat.t b/tests/py/ip6/dnat.t
index 78d6d0ad..db5fde58 100644
--- a/tests/py/ip6/dnat.t
+++ b/tests/py/ip6/dnat.t
@@ -5,3 +5,5 @@
 tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok
 tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok;tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
 tcp dport 80-90 dnat to [2001:838:35f:1::]:80;ok
+dnat to [2001:838:35f:1::]/64;ok;dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff
+dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff;ok
diff --git a/tests/py/ip6/dnat.t.json b/tests/py/ip6/dnat.t.json
index a5c01fd2..3419b60f 100644
--- a/tests/py/ip6/dnat.t.json
+++ b/tests/py/ip6/dnat.t.json
@@ -76,3 +76,30 @@
 }
 ]
 
+# dnat to [2001:838:35f:1::]/64
+[
+ {
+ "dnat": {
+ "addr": {
+ "range": [
+ "2001:838:35f:1::",
+ "2001:838:35f:1:ffff:ffff:ffff:ffff"
+ ]
+ }
+ }
+ }
+]
+
+# dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff
+[
+ {
+ "dnat": {
+ "addr": {
+ "range": [
+ "2001:838:35f:1::",
+ "2001:838:35f:1:ffff:ffff:ffff:ffff"
+ ]
+ }
+ }
+ }
+]
diff --git a/tests/py/ip6/dnat.t.payload.ip6 b/tests/py/ip6/dnat.t.payload.ip6
index 4d3fafe2..985159e2 100644
--- a/tests/py/ip6/dnat.t.payload.ip6
+++ b/tests/py/ip6/dnat.t.payload.ip6
@@ -33,3 +33,15 @@ ip6 test-ip6 prerouting
 [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
 [ immediate reg 2 0x00005000 ]
 [ nat dnat ip6 addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 ]
+
+# dnat to [2001:838:35f:1::]/64
+ip6 test-ip6 prerouting
+ [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+ [ immediate reg 2 0x38080120 0x01005f03 0xffffffff 0xffffffff ]
+ [ nat dnat ip6 addr_min reg 1 addr_max reg 2 ]
+
+# dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff
+ip6 test-ip6 prerouting
+ [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+ [ immediate reg 2 0x38080120 0x01005f03 0xffffffff 0xffffffff ]
+ [ nat dnat ip6 addr_min reg 1 addr_max reg 2 ] |
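Review bot: The only prefix exercised here is a /64, which ends on a 32-bit word boundary, so the expected `addr_max` register (`0x38080120 0x01005f03 0xffffffff 0xffffffff`) cannot catch an error in how the upper bound is derived when the prefix ends inside a byte. For a NAT statement a wrong upper bound means translations land outside the intended prefix, so it is worth pinning down. Add a non-aligned case to dnat.t, for example (constructed values) `dnat to [2001:838:35f:8::]/61;ok;dnat to 2001:838:35f:8::-2001:838:35f:f:ffff:ffff:ffff:ffff`, with matching entries in dnat.t.json and dnat.t.payload.ip6. The reproducer from the commit message, `iifname ens3 snat to 10.0.0.0/28`, is also not among the three test files in the diffstat, so the IPv4 snat path appears to be untested by this change.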