-rw-r--r-- | src/evaluate.c | 27 | ||||
-rw-r--r-- | tests/py/any/ct.t | 4 | ||||
-rw-r--r-- | tests/py/any/ct.t.payload | 7 |
3 files changed, 31 insertions, 7 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 4ca14842..311c86c5 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -649,6 +649,13 @@ static int expr_evaluate_payload(struct eval_ctx *ctx, struct expr **exprp)
 return 0;
 }
+static int expr_error_base(struct list_head *msgs, const struct expr *e)
+{
+ return expr_error(msgs, e,
+ "meta nfproto ipv4 or ipv6 must be specified "
+ "before %s expression", e->ops->name);
+}
+
 /*
 * RT expression: validate protocol dependencies.
 */
@@ -663,22 +670,17 @@ static int expr_evaluate_rt(struct eval_ctx *ctx, struct expr **expr)
 switch (rt->rt.key) {
 case NFT_RT_NEXTHOP4:
 if (base != &proto_ip)
- goto err;
+ return expr_error_base(ctx->msgs, rt);
 break;
 case NFT_RT_NEXTHOP6:
 if (base != &proto_ip6)
- goto err;
+ return expr_error_base(ctx->msgs, rt);
 break;
 default:
 break;
 }
 return expr_evaluate_primary(ctx, expr);
-
-err:
- return expr_error(ctx->msgs, rt,
- "meta nfproto ipv4 or ipv6 must be specified "
- "before routing expression");
 }
 /*
@@ -687,10 +689,21 @@ err:
 */
 static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr)
 {
+ const struct proto_desc *base;
 struct expr *ct = *expr;
 ct_expr_update_type(&ctx->pctx, ct);
+ base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+ switch (ct->ct.key) {
+ case NFT_CT_SRC:
+ case NFT_CT_DST:
+ if (base != &proto_ip && base != &proto_ip6)
+ return expr_error_base(ctx->msgs, ct);
+ default:
+ break;
+ }
+
 return expr_evaluate_primary(ctx, expr);
 }
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 96a80f84..667126e6 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -91,6 +91,10 @@ ct bytes original reply;fail
 # missing direction
 ct saddr 1.2.3.4;fail
+meta nfproto ipv4 ct original saddr 1.2.3.4;ok
+# wrong base (ip6 but ipv4 address given)
+meta nfproto ipv6 ct original saddr 1.2.3.4;fail
+
 # direction, but must be used without
 ct original mark 42;fail
 # swapped key and direction
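Review bot: expr_error_base, added in the first src/evaluate.c hunk, has no comment, and its message now takes the expression name from `e->ops->name`, so the text reported for rt is no longer the literal "routing expression" that the second hunk removes. A one-line header such as `/* Report that expression e needs a preceding meta nfproto ipv4/ipv6 match. */` would document the contract. Whether `ops->name` yields a user-readable word for rt and ct is not visible on this page and is worth checking before the message wording is relied on.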
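Review bot: In expr_evaluate_ct (third src/evaluate.c hunk) the `case NFT_CT_SRC:` / `case NFT_CT_DST:` arm has no `break;`, so when the base check passes control falls through into `default:`. That is harmless today because `default` only breaks, but expr_evaluate_rt in the same file ends every arm with `break;`, and a case inserted later between the two labels would silently inherit the fallthrough; add `break;` after the `if` body. The check also only requires the network base to be `proto_ip` or `proto_ip6` and does not itself compare the base with the address on the right-hand side, so the `meta nfproto ipv6 ct original saddr 1.2.3.4;fail` case in ct.t presumably depends on the type chosen by `ct_expr_update_type`; a short comment stating that dependency would help the next reader of this validation path.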
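Review bot: The cases added to tests/py/any/ct.t exercise only `saddr` with an IPv4 literal, so the `NFT_CT_DST` arm and the `proto_ip6` side of the new check in expr_evaluate_ct are not covered. Consider adding a destination case such as `meta nfproto ipv4 ct original daddr 1.2.3.4;ok` and an ipv6 counterpart, each with a matching entry in ct.t.payload. The exact expected bytecode for those entries cannot be derived from this page and would need to be generated by the test suite.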
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 6077e5da..c5fa7c8d 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -373,6 +373,13 @@ ip test-ip4 output
 [ byteorder reg 1 = hton(reg 1, 8, 8) ]
 [ cmp lt reg 1 0x00000000 0xf4010000 ]
+# meta nfproto ipv4 ct original saddr 1.2.3.4
+ip test-ip4 output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ ct load src => reg 1 , dir original ]
+ [ cmp eq reg 1 0x04030201 ]
+
 # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying
 ip test-ip4 output
 [ ct load status => reg 1 ] |