summaryrefslogtreecommitdiffstats
path: root/tests/py/any/rawpayload.t
Commit message (Collapse)AuthorAgeFilesLines
* payload: do not kill dependency for proto_unknownPablo Neira Ayuso2022-10-311-0/+2
| | | | | | | | | | | | | Unsupported meta match on layer 4 protocol sets on protocol context to proto_unknown, handle anything coming after it as a raw expression in payload_expr_expand(). Moreover, payload_dependency_kill() skips dependency removal if protocol is unknown, so raw payload expression leaves meta layer 4 protocol remains in place. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1641 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: add raw payload inner header match supportPablo Neira Ayuso2021-11-171-0/+2
| | | | | | | Add missing "ih" base raw payload and extend tests/py to cover this new usecase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add xinteger_type alias to print in hexadecimalPablo Neira Ayuso2021-11-031-5/+5
| | | | | | | | | Add an alias of the integer type to print raw payload expressions in hexadecimal. Update tests/py. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Support netdev egress hookLukas Wunner2021-10-281-1/+2
| | | | | | | | | Add userspace support for the netdev egress hook which is queued up for v5.16-rc1, complete with documentation and tests. Usage is identical to the ingress hook. Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: add pseudo th protocol to match d/sport in generic wayFlorian Westphal2019-07-151-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Problem: Its not possible to easily match both udp and tcp in a single rule. ... input ip protocol { tcp,udp } dport 53 will not work, as bison expects "tcp dport" or "sctp dport", or any other transport protocol name. Its possible to match the sport and dport via raw payload expressions, e.g.: ... input ip protocol { tcp,udp } @th,16,16 53 but its not very readable. Furthermore, its not possible to use this for set definitions: table inet filter { set myset { type ipv4_addr . inet_proto . inet_service } chain forward { type filter hook forward priority filter; policy accept; ip daddr . ip protocol . @th,0,16 @myset } } # nft -f test test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions During the netfilter workshop Pablo suggested to add an alias to do raw sport/dport matching more readable, and make it use the inet_service type automatically. So, this change makes @th,0,16 work for the set definition case by setting the data type to inet_service. A new "th s|dport" syntax is provided as readable alternative: ip protocol { tcp, udp } th dport 53 As "th" is an alias for the raw expression, no dependency is generated -- its the users responsibility to add a suitable test to select the l4 header types that should be matched. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add raw payload test cases.Florian Westphal2018-02-261-0/+19
Signed-off-by: Florian Westphal <fw@strlen.de>