author: Florian Westphal <fw@strlen.de> 2018-11-02 10:47:25 +0100
committer: Florian Westphal <fw@strlen.de> 2018-11-03 12:09:21 +0100
commit: d4bc5a38598b479b124973a821324ce867e87760
tree: cb79ff0f7aea4c910111825c231db126054978e1 /extensions
parent: 9ff99156b63ee39af3e8fce5ae5b0a2e2e8f0170
iptables-nft: fix bogus handling of zero saddr/daddr

rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check mask
(or negation, for that matter).

Fix this and add test cases too.

This also revealed an ip6tables-nft-save bug, it would print
' !-d', not '! -d'.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287
Signed-off-by: Florian Westphal <fw@strlen.de>

Diffstat (limited to 'extensions')
-rw-r--r-- extensions/libip6t_standard.t 5
-rw-r--r-- extensions/libxt_standard.t 4
2 files changed, 9 insertions, 0 deletions
diff --git a/extensions/libip6t_standard.t b/extensions/libip6t_standard.t
new file mode 100644
index 00000000..a528af10
--- /dev/null
+++ b/extensions/libip6t_standard.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD,OUTPUT
+-s ::/128;=;OK
+! -d ::;! -d ::/128;OK
+! -s ::;! -s ::/128;OK
+-s ::/64;=;OK
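Review bot: coverage in libip6t_standard.t is asymmetric. -d is exercised only negated with the implicit /128 (`! -d ::`), and a prefix shorter than /128 appears only on un-negated -s (`-s ::/64`). The commit message says both the mask and the negation went unchecked, and that the save output for a negated -d was misprinted, so the combinations deserve their own lines. Consider adding `-d ::/64;=;OK`, `! -d ::/64;=;OK` and `! -s ::/64;=;OK` so that a zero-address prefix that is widened or loses its negation on either field fails the test.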
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 923569c3..bfdedb7a 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -1,4 +1,8 @@
:INPUT,FORWARD,OUTPUT
+-s 127.0.0.1/32 -d 0.0.0.0/8 -j DROP;=;OK
+! -s 0.0.0.0 -j ACCEPT;! -s 0.0.0.0/32 -j ACCEPT;OK
+! -d 0.0.0.0/32 -j ACCEPT;=;OK
+-s 0.0.0.0/24 -j RETURN;=;OK
-j DROP;=;OK
-j ACCEPT;=;OK
-j RETURN;=;OK
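Review bot: none of the four added lines in libxt_standard.t combines negation with a partial mask on a zero address. 0.0.0.0/8 and 0.0.0.0/24 are tested only un-negated, and both negated cases use /32. A rule that is silently stored as 0.0.0.0/0 matches every packet, and a negated one that loses its mask flips from matching almost everything to matching nothing, so for ACCEPT and DROP rules this is worth pinning. Consider adding `! -s 0.0.0.0/8 -j ACCEPT;=;OK` and `! -d 0.0.0.0/8 -j DROP;=;OK`. The /8 prefix named in the commit message is also covered only on -d; a matching `-s 0.0.0.0/8` line would close that gap.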