ct: support for NFT_CT_{SRC,DST}_{IP,IP6}

These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2019-06-21 10:28:37 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-06-21 18:49:07 +0200
commit: 7f742d0a9071f932836b4f8525a6d3f7261ae083 (patch)
tree: cd972674de9ea2efbd6e39747acd435b100bf154 /tests/py/any
parent: fb5a36ad5c1032244cf76171648fdefbbe571519 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 81d937d9..267eca1a 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -97,10 +97,10 @@ ct both bytes gt 1;fail
 ct bytes original reply;fail
 
 # missing direction
-ct saddr 1.2.3.4;fail
+ct ip saddr 1.2.3.4;fail
 
 # wrong base (ip6 but ipv4 address given)
-meta nfproto ipv6 ct original saddr 1.2.3.4;fail
+meta nfproto ipv6 ct original ip saddr 1.2.3.4;fail
 
 # direction, but must be used without
 ct original mark 42;fail
author	Pablo Neira Ayuso <pablo@netfilter.org>	2019-06-21 10:28:37 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-06-21 18:49:07 +0200
commit	7f742d0a9071f932836b4f8525a6d3f7261ae083 (patch)
tree	cd972674de9ea2efbd6e39747acd435b100bf154 /tests/py/any
parent	fb5a36ad5c1032244cf76171648fdefbbe571519 (diff)