tests: nft removes required payload protocol expressions

This test fails with 'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22' ip protocol tcp tcp dport 22 is *ONLY* same as 'tcp dport 22' in the ip family. For netdev/inet/bridge, the dependency is required, as it restricts matching to ipv4. Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2017-03-23 00:50:45 +0100
committer: Florian Westphal <fw@strlen.de> 2017-10-26 23:46:10 +0200
commit: 947011e7454df6aabb67ef6f240eec670384395d (patch)
tree: 64c3aee1920b7071fab76e0ba2d570d93da85507 /tests/py/inet/ip_tcp.t
parent: f94c2f69102fc5249ee18565fa6ad3bd4b82441e (diff)
1 files changed, 18 insertions, 0 deletions
diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t
new file mode 100644
index 00000000..828d9d92
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t
@@ -0,0 +1,18 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*inet;test-inet;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress
+
+# must not remove ip dependency -- ONLY ipv4 packets should be matched
+ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22
+
+# can remove it here, ip protocol is implied via saddr.
+ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip saddr 1.2.3.4 tcp dport 22
+
+# but not here.
+ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 counter ip saddr 1.2.3.4 tcp dport 22
+
+# or here.
+ip protocol tcp counter tcp dport 22;ok;ip protocol 6 counter tcp dport 22
author	Florian Westphal <fw@strlen.de>	2017-03-23 00:50:45 +0100
committer	Florian Westphal <fw@strlen.de>	2017-10-26 23:46:10 +0200
commit	947011e7454df6aabb67ef6f240eec670384395d (patch)
tree	64c3aee1920b7071fab76e0ba2d570d93da85507 /tests/py/inet/ip_tcp.t
parent	f94c2f69102fc5249ee18565fa6ad3bd4b82441e (diff)