summaryrefslogtreecommitdiffstats
path: root/tests/py
Commit message (Collapse)AuthorAgeFilesLines
* src: add synproxy stateful object supportFernando Fernandez Mancera2019-09-133-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | Add support for "synproxy" stateful object. For example (for TCP port 80 and using maps with saddr): table ip foo { synproxy https-synproxy { mss 1460 wscale 7 timestamp sack-perm } synproxy other-synproxy { mss 1460 wscale 5 } chain bar { tcp dport 80 synproxy name "https-synproxy" synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: fix wrong conversion to "list" in ct markFernando Fernandez Mancera2019-09-102-0/+7
| | | | | | | | | | | We only prefer "list" representation in "ct event". For any other type of "ct" use the "or" representation so nft prints "ct mark set ct mark | 0x00000001" instead of "ct mark set ct mark,0x00000001". Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1364 Fixes: cb8f81ac3079 ("netlink_delinearize: prefer ct event set foo,bar over 'set foo|bar'") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: catch invalid 'meta day' values in eval stepFlorian Westphal2019-09-061-0/+4
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add meta time test casesAnder Juaristi2019-09-064-0/+559
| | | | | Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: add ibrpvid and ibrvproto supportwenxu2019-08-303-0/+37
| | | | | | | | | | | This allows you to match the bridge pvid and vlan protocol, for instance: nft add rule bridge firewall zones meta ibrvproto vlan nft add rule bridge firewall zones meta ibrpvid 100 Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: add support for element deletionFlorian Westphal2019-08-295-0/+47
| | | | | | | | also add a test case. Fixes: a87f2a2227be2 ("netfilter: support for element deletion") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* tests: make sure i is definedFlorian Westphal2019-08-161-0/+1
| | | | | | | | | | | The test script can die in case there are severe problems, such as rlen being 0 -- in that case i is undefined and script evaluation is aborted. Found during nft development, no existing test case shows this problem. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add json test for vlan rule fixM. Braun2019-08-122-0/+62
| | | | | | | | | | | | | | | This fixes ERROR: did not find JSON equivalent for rule 'ether type vlan ip protocol 1 accept' when running ./nft-test.py -j bridge/vlan.t Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix dumping vlan rulesM. Braun2019-07-313-0/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Given the following bridge rules: 1. ip protocol icmp accept 2. ether type vlan vlan type ip ip protocol icmp accept The are currently both dumped by "nft list ruleset" as 1. ip protocol icmp accept 2. ip protocol icmp accept Though, the netlink code actually is different bridge filter FORWARD 4 [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] bridge filter FORWARD 5 4 [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] What happens here is that: 1. vlan type ip kills ether type vlan 2. ip protocol icmp kills vlan type ip Fix this by avoiding the removal of all vlan statements in the given example. Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: support prefix expression in statementsFlorian Westphal2019-07-223-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | Currently nft dumps core when it encounters a prefix expression as part of a statement, e.g. iifname ens3 snat to 10.0.0.0/28 yields: BUG: unknown expression type prefix nft: netlink_linearize.c:688: netlink_gen_expr: Assertion `0' failed. This assertion is correct -- we can't linearize a prefix because kernel doesn't know what that is. For LHS prefixes, they get converted to a binary 'and' such as '10.0.0.0 & 255.255.255.240'. For RHS, we can do something similar and convert them into a range. snat to 10.0.0.0/28 will be converted into: iifname "ens3" snat to 10.0.0.0-10.0.0.15 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1187 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add missing json outputsFernando Fernandez Mancera2019-07-171-0/+25
| | | | | | Fixes: 1188a69604c3 ("src: introduce SYNPROXY matching") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce SYNPROXY matchingFernando Fernandez Mancera2019-07-173-0/+156
| | | | | | | | | | | | | | | | | | | | Add support for "synproxy" statement. For example (for TCP port 8888): table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp dport 8888 tcp flags syn notrack } chain z { type filter hook input priority filter; policy accept; tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm ct state invalid drop } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix up two broken json test casesFlorian Westphal2019-07-172-3/+25
| | | | | | | | | Forgot to add a json test case for the recently added ct ip addr in map case. Fix up rawpayload.t for json, it needs to expect new "th dport" when listing. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add ct expectations supportStéphane Veyret2019-07-164-0/+24
| | | | | | | This modification allow to directly add/list/delete expectations. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: add pseudo th protocol to match d/sport in generic wayFlorian Westphal2019-07-151-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Problem: Its not possible to easily match both udp and tcp in a single rule. ... input ip protocol { tcp,udp } dport 53 will not work, as bison expects "tcp dport" or "sctp dport", or any other transport protocol name. Its possible to match the sport and dport via raw payload expressions, e.g.: ... input ip protocol { tcp,udp } @th,16,16 53 but its not very readable. Furthermore, its not possible to use this for set definitions: table inet filter { set myset { type ipv4_addr . inet_proto . inet_service } chain forward { type filter hook forward priority filter; policy accept; ip daddr . ip protocol . @th,0,16 @myset } } # nft -f test test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions During the netfilter workshop Pablo suggested to add an alias to do raw sport/dport matching more readable, and make it use the inet_service type automatically. So, this change makes @th,0,16 work for the set definition case by setting the data type to inet_service. A new "th s|dport" syntax is provided as readable alternative: ip protocol { tcp, udp } th dport 53 As "th" is an alias for the raw expression, no dependency is generated -- its the users responsibility to add a suitable test to select the l4 header types that should be matched. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src/ct: provide fixed data lengh sizes for ip/ip6 keysFlorian Westphal2019-07-122-0/+10
| | | | | | | | | | | | | | | | | | nft can load but not list this: table inet filter { chain input { ct original ip daddr {1.2.3.4} accept } } Problem is that the ct template length is 0, so we believe the right hand side is a concatenation because left->len < set->key->len is true. nft then calls abort() during concatenation parsing. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1222 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: add support for matching IPv4 optionsStephen Suryaputra2019-07-0412-331/+331
| | | | | | | | | Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options. Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: fix python3Shekhar Sharma2019-07-011-33/+33
| | | | | | | This converts the nft-test.py file to run on both py2 and py3. Signed-off-by: Shekhar Sharma <shekhar250198@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: support for NFT_CT_{SRC,DST}_{IP,IP6}Pablo Neira Ayuso2019-06-216-32/+21
| | | | | | | | | | | | | | | | | These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: prefer meta protocol as bridge l3 dependencyFlorian Westphal2019-06-197-120/+128
| | | | | | | | | | | | | | | | | | | On families other than 'ip', the rule ip protocol icmp needs a dependency on the ip protocol so we do not treat e.g. an ipv6 header as ip. Bridge currently uses eth_hdr.type for this, but that will cause the rule above to not match in case the ip packet is within a VLAN tagged frame -- ether.type will appear as ETH_P_8021Q. Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer to use this instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinerize: remove network header dep for reject statement also in ↵Florian Westphal2019-06-193-200/+45
| | | | | | | | | | | | | | | | | | | | | bridge family add rule bridge test-bridge input reject with icmp type ... is shown as ether type ip reject type ... i.e., the dependency is not removed. Allow dependency removal -- this adds a problem where some icmp types will be shortened to 'reject', losing the icmp ipv4 dependency. Next patch resolves this problem by disabling short-hand abbreviations for bridge reject statements. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add missing json arp operation outputFlorian Westphal2019-06-181-0/+21
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* datatype: fix print of raw numerical symbol valuesFlorian Westphal2019-06-173-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The two rules: arp operation 1-2 accept arp operation 256-512 accept are both shown as 256-512: chain in_public { arp operation 256-512 accept arp operation 256-512 accept meta mark "1" tcp flags 2,4 } This is because range expression enforces numeric output, yet nft_print doesn't respect byte order. Behave as if we had no symbol in the first place and call the base type print function instead. This means we now respect format specifier as well: chain in_public { arp operation 1-2 accept arp operation 256-512 accept meta mark 0x00000001 tcp flags 0x2,0x4 } Without fix, added test case will fail: 'add rule arp test-arp input arp operation 1-2': 'arp operation 1-2' mismatches 'arp operation 256-512' v2: in case of -n, also elide quotation marks, just as if we would not have found a symbolic name. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Add missing arp.t JSON equivalentsPhil Sutter2019-06-082-8/+70
| | | | | | Fixes: 4b0f2a712b579 ("src: support for arp sender and target ethernet and IPv4 addresses") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix JSON equivalentsPhil Sutter2019-06-083-80/+86
| | | | | | | | | Recent patch removing single element set use missed to adjust JSON equivalents accordingly. Fixes: 27f6a4c68b4fd ("tests: replace single element sets") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Support JSON validationPhil Sutter2019-05-311-1/+24
| | | | | | | | | | Introduce a new flag -s/--schema to nft-test.py which enables validation of any JSON input and output against our schema. Make use of traceback module to get more details if validation fails. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: replace single element setsPablo Neira Ayuso2019-05-314-227/+250
| | | | | | Add at least two elements to sets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for arp sender and target ethernet and IPv4 addressesPablo Neira Ayuso2019-05-243-1/+55
| | | | | | | | | | | | | | | | | | | | | | | | # nft add table arp x # nft add chain arp x y { type filter hook input priority 0\; } # nft add rule arp x y arp saddr ip 192.168.2.1 counter Testing this: # ip neigh flush dev eth0 # ping 8.8.8.8 # nft list ruleset table arp x { chain y { type filter hook input priority filter; policy accept; arp saddr ip 192.168.2.1 counter packets 1 bytes 46 } } You can also specify hardware sender address, eg. # nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "tests: py: remove single-value-anon-set test cases"Pablo Neira Ayuso2019-05-2468-2/+5168
| | | | This reverts commit d03bcb669c0c645190df9bd166f53380bcac7862.
* tests: py: remove single-value-anon-set test casesFlorian Westphal2019-05-1968-5168/+2
| | | | | | | | future change will rewrite all single-element anon sets to a cmp op. Retain a few test cases to later check that the rewrite is correct, but remove all others. Signed-off-by: Florian Westphal <fw@strlen.de>
* Revert "proto: support for draft-ietf-tsvwg-le-phb-10.txt"Pablo Neira Ayuso2019-05-0911-14/+11
| | | | | | | | This reverts commit 55715486efba424e97361c81d8d47e854f45a5a6. This breaks tests/py. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix JSON expected output for icmpv6 code valuesPhil Sutter2019-05-091-0/+59
| | | | | | | | | | Reverse translation is happening for values which are known, even if they are part of a range. In contrast to standard output, this is OK because in JSON lower and upper bounds are properties and there is no ambiguity if names contain a dash. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix JSON expected output after expr merge changePhil Sutter2019-05-091-42/+2
| | | | | | | | Looks like original patch missed this one. Fixes: 88ba0c92754d8 ("tests: fix up expected payloads after expr merge change") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Fix tproxy support regarding latest changesPhil Sutter2019-05-099-10/+251
| | | | | | | | | | | | | | | | | | | Family may be specified also if no address is given at the same time, make parser/printer tolerant to that. Also fix for missing/incorrect JSON equivalents in tests/py. While being at it, fix two issues in non-JSON tests: * Ruleset is printed in numeric mode, so use 'l4proto 6' instead of 'l4proto tcp' in rules to avoid having to specify expected output for that unrelated bit. * In ip and ip6 family tables, family parameter is not deserialized on output. Fixes: 3edb96200690b ("parser_bison: missing tproxy syntax with port only for inet family") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix JSON equivalents of osf testsPhil Sutter2019-05-091-2/+57
| | | | | | Fixes: 12adf747a3f62 ("tests: py: add osf tests with versions") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: Fix igmp supportPhil Sutter2019-05-091-0/+323
| | | | | | | | | Parser didn't know about that protocol, also testsuite bits were missing. Fixes: bad27ca386276 ("src: add igmp support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Support nat in inet familyPhil Sutter2019-05-092-0/+297
| | | | | | | | Add the missing bits to JSON parser, printer, man page and testsuite. Fixes: fbe27464dee45 ("src: add nat support for the inet family") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: support for draft-ietf-tsvwg-le-phb-10.txtLoganaden Velvindron2019-05-0311-11/+14
| | | | | | | | | | Upcoming dscp codepoint for background traffic of low precendence such as bulk data transfers with low priority in time, non time-critical backups, larger software updates, web search engines while gathering information from web servers and so on. Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix error messages in chain_delete()Phil Sutter2019-04-301-2/+2
| | | | | | | | | | Adding string and chain object is an illegal operation in Python. Instead concatenate with cmd string since that contains all required information already. Fixes: 820fd08b5f1d4 ("tests/py: Review print statements in nft-test.py") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nat support for the inet familyFlorian Westphal2019-04-094-0/+133
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | consider a simple ip6 nat table: table ip6 nat { chain output { type nat hook output priority 0; policy accept; dnat to dead:2::99 } Now consider same ruleset, but using 'table inet nat': nft now lacks context to determine address family to parse 'to $address'. This adds code to make the following work: table inet nat { [ .. ] # detect af from network protocol context: ip6 daddr dead::2::1 dnat to dead:2::99 # use new dnat ip6 keyword: dnat ip6 to dead:2::99 } On list side, the keyword is only shown in the inet family, else the short version (dnat to ...) is used as the family is redundant when the table already mandates the ip protocol version supported. Address mismatches such as table ip6 { .. dnat ip to 1.2.3.4 are detected/handled during the evaluation phase. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add osf tests with versionsFernando Fernandez Mancera2019-04-083-0/+85
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing tproxy syntax with port only for inet familyPablo Neira Ayuso2019-04-046-4/+46
| | | | | | | | | | | | | | | | | # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000 Error: syntax error, unexpected colon add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000 ^ Syntax with no protocol for tproxy complains with: # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000 Error: Conflicting network layer protocols. add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000 ^^^^^^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix up expected payloads after expr merge changeFlorian Westphal2019-01-258-20/+38
| | | | | | | | nft currently doesn't do payload merging anymore in some cases, so fix up the expected output. Fixes: ce2651222911 ("payload: refine payload expr merging") Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add igmp supportPablo Neira Ayuso2019-01-092-0/+391
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: bail out on incorrect burst unitPablo Neira Ayuso2018-12-031-0/+2
| | | | | | | | | | | | Burst can be either bytes or packets, depending on the rate limit unit. # nft add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets Error: syntax error, unexpected packets, expecting string or bytes add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets ^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1306 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: Adjust Nftables class to output flags changesPhil Sutter2018-10-311-18/+11
| | | | | | | | | | | | | Introduce setter/getter methods for each introduced output flag. Ignore NFT_CTX_OUTPUT_NUMERIC_ALL for now since it's main purpose is for internal use. Adjust the script in tests/py accordingly: Due to the good defaults, only numeric proto output has to be selected - this is not a must, but allows for the test cases to remain unchanged. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Fix osf ttl supportPhil Sutter2018-10-241-3/+32
| | | | | | | | | | | | | | Having to use numerical values for ttl property in JSON is not practical as these values are arbitrary and meaningful only in netfilter. Instead align JSON output/input with standard API, accepting names for TTL matching strategy. Also add missing documentation in libnftables-json man page and fix JSON equivalent in tests/py. Fixes: 03eafe098d5ee ("osf: add ttl option support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* osf: add ttl option supportFernando Fernandez Mancera2018-10-233-2/+72
| | | | | | | | | | | | | | Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Add ct timeout supportPhil Sutter2018-10-151-0/+7
| | | | | | | Add support for printing and parsing ct timeout objects to JSON API. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Add missing JSON bits for inet/meta.tPhil Sutter2018-10-152-3/+20
| | | | | | | | Those were forgotten when renaming meta secpath to meta ipsec. Fixes: 8f55ed41d0070 ("src: rename meta secpath to meta ipsec") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>