path: root/extensions/libxt_conntrack.t
Commit log (newest first). Each entry gives the commit message, author, date, number of files changed and lines removed/added.

* libxtables: Reject negative port ranges
  Author: Phil Sutter   Date: 2024-02-02   Files: 1   Lines: -4/+4

  Analogous to XTTYPE_UINT*RC value parsing, assert consecutive port values
  are not lower than previous ones.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* libxtables: xtoptions: Assert ranges are monotonic increasing
  Author: Phil Sutter   Date: 2024-02-02   Files: 1   Lines: -1/+1

  Extensions commonly require the upper range value to be larger than or
  equal to the lower one. Performing this check in the parser is easier and
  covers all extensions at once.

  One notable exception is NFQUEUE which requires strict monotonicity. Hence
  leave its checks in place.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* extensions: *.t/*.txlate: Test range corner-cases
  Author: Phil Sutter   Date: 2024-02-02   Files: 1   Lines: -0/+26

  For every extension option accepting a range, test open and half-open as
  well as single element and invalid (negative) ranges.

  The added tests merely reflect the status quo, not the expected outcome.
  Following patches will fix results and the already existing test cases
  highlight the fixes' effects.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* extensions: Fix checking of conntrack --ctproto 0
  Author: Quentin Armitage   Date: 2023-09-14   Files: 1   Lines: -0/+2

  There are three issues in the code:
  1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
  2) in conntrack_mt_parse it is testing (info->invert_flags & XT_INV_PROTO)
     before the invert bit has been set.
  3) the sense of the error message is the wrong way round

  1) To get the error, ! --ctstatus XXX has to be specified, since
     XT_INV_PROTO == XT_CONNTRACK_STATUS e.g.
       iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...

  3) Unlike --proto 0 (where 0 means all protocols), in the conntrack match
     --ctproto 0 appears to mean protocol 0, which can never be. Therefore
     --ctproto 0 could never match and ! --ctproto 0 will always match. Both
     of these should be rejected, since the user clearly cannot be intending
     what was specified.

  The attached patch resolves the issue, and also produces an error message
  if --ctproto 0 is specified (as well as ! --ctproto 0), since --ctproto 0
  will never match, and ! --ctproto 0 will always match.

  [Phil:
   - Added Fixes: tag - it's a day 1 bug
   - Copied patch description from Bugzilla
   - Reorganized changes to reduce diff
   - Added test cases]

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874
  Fixes: 5054e85be3068 ("general conntrack match module userspace support files")
  Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* extensions: libxt_conntrack: add unit test
  Author: Pablo Neira Ayuso   Date: 2013-10-07   Files: 1   Lines: -0/+27

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>