evaluate: disallow ct original {s,d}ddr from concatenations

Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from maps") to cover concatenations too. Error: specify either ip or ip6 for address matching add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 } ^^^^^^^^^^^^^^^^^ The old syntax for ct original saddr without either ip or ip6 results in unknown key size, which breaks the listing. The old syntax is only allowed in simple rules for backward compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2021-01-21 16:41:35 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-01-25 23:42:40 +0100
commit: 7d3a0799cfd0a7dbd179f2742b6632e66d1e9b6a (patch)
tree: 5b20174b9a649ab55a880b122256e4d8742dcb9d /tests/py/ip/ct.t
parent: f5dd3ce30c306cac0cf0d0d33ab4867347e6f2db (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
index c5ce1274..a387863e 100644
--- a/tests/py/ip/ct.t
+++ b/tests/py/ip/ct.t
@@ -24,3 +24,7 @@ ct reply ip daddr dead::beef;fail
 
 meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail
 meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok
+meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };fail
+meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok
+ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail
+ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok
author	Pablo Neira Ayuso <pablo@netfilter.org>	2021-01-21 16:41:35 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-01-25 23:42:40 +0100
commit	7d3a0799cfd0a7dbd179f2742b6632e66d1e9b6a (patch)
tree	5b20174b9a649ab55a880b122256e4d8742dcb9d /tests/py/ip/ct.t
parent	f5dd3ce30c306cac0cf0d0d33ab4867347e6f2db (diff)