summaryrefslogtreecommitdiffstats
path: root/tests/py/ip6/ip6.t.payload.ip6
Commit message (Collapse)AuthorAgeFilesLines
* src: add dscp supportPablo Neira Ayuso2016-05-111-0/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This supports both IPv4: # nft --debug=netlink add rule filter forward ip dscp cs1 counter ip filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] [ counter pkts 0 bytes 0 ] And also IPv6, note that in this case we take two bytes from the payload: # nft --debug=netlink add rule ip6 filter input ip6 dscp cs4 counter ip6 filter input [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000008 ] [ counter pkts 0 bytes 0 ] Given the DSCP is split in two bytes, the less significant nibble of the first byte and the two most significant 2 bits of the second byte. The 8 bit traffic class in RFC2460 after the version field are used for DSCP (6 bit) and ECN (2 bit). Support for ECN comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: update IPv6 flowlabel offset and length according to RFC2460Pablo Neira Ayuso2016-05-111-0/+4
| | | | | | This is a 20 bit field according to Section 3. IPv6 Header Format. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: only merge if adjacent and combined size fits into a registerFlorian Westphal2016-04-191-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | add rule ip6 filter input ip6 saddr ::1/128 ip6 daddr ::1/128 fails, we ask to compare a 32byte immediate which is not supported: [ payload load 32b @ network header + 8 => reg 1 ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 0x00000000 0x00000000 0x00000000 0x02000000 ] We would need to use two cmps in this case, i.e.: [ payload load 32b @ network header + 8 => reg 1 ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ] [ cmp eq reg 2 0x00000000 0x00000000 0x00000000 0x02000000 ] Seems however that this requires a bit more changes to how nft handles register allocations, we'd also need to undo the constant merge. Lets disable merging for now so that we generate [ payload load 16b @ network header + 8 => reg 1 ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ] [ payload load 16b @ network header + 24 => reg 1 ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x02000000 ] ... if merge would bring us over the 128 bit register size. Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=1032 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: don't test log statement from protocol matchPablo Neira Ayuso2016-01-131-4/+2
| | | | | | | | | | | | I think this unit tests should be self-contained at some level. The shell/ directory should be used to catch regressions at ruleset level, ie. these kind of combinations. Another motivation is that I want that netdev/ingress gets tested (coming in a follow up patch), and we don't support log there yet, so I would need to skip this test for that case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/: rearrange tests directoryArturo Borrero2015-12-151-0/+339
Rearrange the directory to obtain a better organization of files and tests-suites. We end with a tree like this: tests | .--- py .--- shell .--- files This was suggested by Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>