From d4bc5a38598b479b124973a821324ce867e87760 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Fri, 2 Nov 2018 10:47:25 +0100
Subject: iptables-nft: fix bogus handling of zero saddr/daddr

rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check mask (or negation, for that matter).

Fix this and add test cases too.

This also revealed an ip6tables-nft-save bug, it would print ' !-d', not '! -d'.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287
Signed-off-by: Florian Westphal
---
 extensions/libip6t_standard.t | 5 +++++
 extensions/libxt_standard.t | 4 ++++
 2 files changed, 9 insertions(+)
 create mode 100644 extensions/libip6t_standard.t

(limited to 'extensions')

diff --git a/extensions/libip6t_standard.t b/extensions/libip6t_standard.t
new file mode 100644
index 00000000..a528af10
--- /dev/null
+++ b/extensions/libip6t_standard.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD,OUTPUT
+-s ::/128;=;OK
+! -d ::;! -d ::/128;OK
+! -s ::;! -s ::/128;OK
+-s ::/64;=;OK
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 923569c3..bfdedb7a 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -1,4 +1,8 @@
 :INPUT,FORWARD,OUTPUT
+-s 127.0.0.1/32 -d 0.0.0.0/8 -j DROP;=;OK
+! -s 0.0.0.0 -j ACCEPT;! -s 0.0.0.0/32 -j ACCEPT;OK
+! -d 0.0.0.0/32 -j ACCEPT;=;OK
+-s 0.0.0.0/24 -j RETURN;=;OK
 -j DROP;=;OK
 -j ACCEPT;=;OK
 -j RETURN;=;OK
--
cgit v1.2.3
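Review bot: None of the new cases combines negation with a partial prefix, which is the exact pair of conditions the description says were not checked (mask and negation), so a regression that handles each alone but not both together would pass this file and libxt_standard.t alike. Adding `! -s ::/64;=;OK` here and `! -d 0.0.0.0/8 -j ACCEPT;=;OK` to the libxt_standard.t hunk would close that gap, assuming the harness treats `=` as "printed back unchanged" the way the neighbouring lines imply. A plain all-zero /0 entry, the form the bug collapsed rules into, is also absent from both files, though its expected save output is not something this page lets me state. The code change itself is outside this page (the diff is limited to 'extensions'), so whether these extra cases pass cannot be confirmed from here.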