From 7f742d0a9071f932836b4f8525a6d3f7261ae083 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 21 Jun 2019 10:28:37 +0200
Subject: ct: support for NFT_CT_{SRC,DST}_{IP,IP6}
These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4
Signed-off-by: Pablo Neira Ayuso
---
tests/py/inet/ct.t.json | 3 +--
tests/py/inet/ct.t.json.output | 1 -
tests/py/inet/ct.t.payload | 5 ++---
3 files changed, 3 insertions(+), 6 deletions(-)
(limited to 'tests/py/inet')
diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json
index 02bb2d27..d0c26aef 100644
--- a/tests/py/inet/ct.t.json
+++ b/tests/py/inet/ct.t.json
@@ -30,8 +30,7 @@
 "left": {
 "ct": {
 "dir": "original",
- "family": "ip6",
- "key": "saddr"
+ "key": "ip6 saddr"
 }
 },
 "op": "==",
diff --git a/tests/py/inet/ct.t.json.output b/tests/py/inet/ct.t.json.output
index 8b71519e..74c436a3 100644
--- a/tests/py/inet/ct.t.json.output
+++ b/tests/py/inet/ct.t.json.output
@@ -5,7 +5,6 @@
 "left": {
 "ct": {
 "dir": "original",
- "family": "ip",
 "key": "saddr"
 }
 },
diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload
index 97128ecc..83146869 100644
--- a/tests/py/inet/ct.t.payload
+++ b/tests/py/inet/ct.t.payload
@@ -7,7 +7,6 @@ ip test-ip4 output
 # ct original ip6 saddr ::1
 inet test-inet input
- [ ct load l3protocol => reg 1 , dir original ]
- [ cmp eq reg 1 0x0000000a ]
- [ ct load src => reg 1 , dir original ]
+ [ ct load src_ip6 => reg 1 , dir original ]
 [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+
-- cgit v1.2.3
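Review bot: With `"family": "ip6"` folded into `"key": "ip6 saddr"` in the ct.t.json hunk, nothing visible in this test still exercises the older two-field form, so it is unclear whether JSON input carrying a separate `"family"` member is still accepted or is now rejected. Tooling that generates rulesets in the old form is affected either way. If the parser keeps accepting it, a second case that retains `"family": "ip6"` with `"key": "saddr"` would pin that behaviour; if not, the schema change deserves a sentence in the commit description. The page is limited to tests/py/inet, so the parser side cannot be checked from here.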
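Review bot: In the ct.t.payload hunk the expected bytecode for `ct original ip6 saddr ::1` drops the explicit `ct load l3protocol` / `cmp eq reg 1 0x0000000a` pair, so in an inet table the IPv6 scoping of this match now rests on the kernel implementing `src_ip6`. No version gate for the test is visible in this hunk, so on an older kernel it would presumably fail rather than be skipped. A payload case for the explicit-family form (`meta nfproto ipv4 ct original saddr 1.2.3.4` and its IPv6 counterpart) would keep that path covered, if one does not already exist elsewhere in the file. Separately, the lone `+` at the end of the hunk adds an empty line after the last `cmp`, which appears unrelated to the change and could be dropped.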