From 6dd848339444fecf95122579c1a1fe944a819b6d Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Tue, 3 Jul 2018 16:16:51 +0200 Subject: src: meta: always prefix 'meta' for almost all tokens got following bug report: nft add ... ct mark set mark and 0x10 ... always sets 0. What reporter meant to write instead was 'ct mark', not 'mark'. We can't just remove support for 'mark' and force 'meta mark', but we can start to discourage it by printing meta prefix too. Later on, we could start to print deprecation warning if needed. Followup patch can also change "iifname" etc. to "meta iifname". Signed-off-by: Florian Westphal --- doc/nft.xml | 2 +- src/meta.c | 29 ++++---- tests/py/any/ct.t | 6 +- tests/py/any/dup.t | 2 +- tests/py/any/dup.t.json | 2 +- tests/py/any/dup.t.payload | 2 +- tests/py/any/fwd.t | 2 +- tests/py/any/fwd.t.json | 2 +- tests/py/any/fwd.t.json.output | 2 +- tests/py/any/fwd.t.payload | 2 +- tests/py/any/meta.t | 160 ++++++++++++++++++++--------------------- tests/py/bridge/meta.t | 4 +- tests/py/bridge/reject.t | 2 +- tests/py/inet/map.t | 4 +- tests/py/inet/reject.t | 2 +- tests/py/ip/ip_tcp.t | 2 +- tests/py/ip/reject.t | 2 +- tests/py/ip6/map.t | 2 +- tests/py/ip6/reject.t | 2 +- 19 files changed, 114 insertions(+), 117 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index 190a8eec..6fbf0399 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -3148,7 +3148,7 @@ filter prerouting fib saddr . iif oif missing drop filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop # perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule) -filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop } +filter prerouting meta mark set 0xdead fib daddr . meta mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop } diff --git a/src/meta.c b/src/meta.c index ff0cb122..1bd91db2 100644 --- a/src/meta.c +++ b/src/meta.c @@ -446,18 +446,15 @@ const struct meta_template meta_templates[] = { BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN), }; -static bool meta_key_is_qualified(enum nft_meta_keys key) +static bool meta_key_is_unqualified(enum nft_meta_keys key) { switch (key) { - case NFT_META_LEN: - case NFT_META_NFPROTO: - case NFT_META_L4PROTO: - case NFT_META_PROTOCOL: - case NFT_META_PRIORITY: - case NFT_META_PRANDOM: - case NFT_META_SECPATH: - case NFT_META_BRI_IIFNAME: - case NFT_META_BRI_OIFNAME: + case NFT_META_IIF: + case NFT_META_OIF: + case NFT_META_IIFNAME: + case NFT_META_OIFNAME: + case NFT_META_IIFGROUP: + case NFT_META_OIFGROUP: return true; default: return false; @@ -466,11 +463,11 @@ static bool meta_key_is_qualified(enum nft_meta_keys key) static void meta_expr_print(const struct expr *expr, struct output_ctx *octx) { - if (meta_key_is_qualified(expr->meta.key)) - nft_print(octx, "meta %s", + if (meta_key_is_unqualified(expr->meta.key)) + nft_print(octx, "%s", meta_templates[expr->meta.key].token); else - nft_print(octx, "%s", + nft_print(octx, "meta %s", meta_templates[expr->meta.key].token); } @@ -594,11 +591,11 @@ struct expr *meta_expr_alloc(const struct location *loc, enum nft_meta_keys key) static void meta_stmt_print(const struct stmt *stmt, struct output_ctx *octx) { - if (meta_key_is_qualified(stmt->meta.key)) - nft_print(octx, "meta %s set ", + if (meta_key_is_unqualified(stmt->meta.key)) + nft_print(octx, "%s set ", meta_templates[stmt->meta.key].token); else - nft_print(octx, "%s set ", + nft_print(octx, "meta %s set ", meta_templates[stmt->meta.key].token); expr_print(stmt->meta.expr, octx); diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t index 5ed3b4a0..b5c13524 100644 --- a/tests/py/any/ct.t +++ b/tests/py/any/ct.t @@ -55,8 +55,8 @@ ct mark set 0x11 xor 0x1331;ok;ct mark set 0x00001320 ct mark set 0x11333 and 0x11;ok;ct mark set 0x00000011 ct mark set 0x12 or 0x11;ok;ct mark set 0x00000013 ct mark set 0x11;ok;ct mark set 0x00000011 -ct mark set mark;ok;ct mark set mark -ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 };ok;ct mark set mark map { 0x00000003 : 0x0000001e, 0x00000002 : 0x00000014, 0x00000001 : 0x0000000a} +ct mark set mark;ok;ct mark set meta mark +ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 };ok;ct mark set meta mark map { 0x00000003 : 0x0000001e, 0x00000002 : 0x00000014, 0x00000001 : 0x0000000a} ct mark set {0x11333, 0x11};fail ct zone set {123, 127};fail @@ -130,7 +130,7 @@ ct reply zone 1;ok ct zone set 1;ok ct original zone set 1;ok ct reply zone set 1;ok -ct zone set mark map { 1 : 1, 2 : 2 };ok;ct zone set mark map { 0x00000001 : 1, 0x00000002 : 2} +ct zone set mark map { 1 : 1, 2 : 2 };ok;ct zone set meta mark map { 0x00000001 : 1, 0x00000002 : 2} ct both zone set 1;fail ct invalid;fail diff --git a/tests/py/any/dup.t b/tests/py/any/dup.t index d42cf343..181b4195 100644 --- a/tests/py/any/dup.t +++ b/tests/py/any/dup.t @@ -3,5 +3,5 @@ *netdev;test-netdev;ingress dup to "lo";ok -dup to mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok +dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok diff --git a/tests/py/any/dup.t.json b/tests/py/any/dup.t.json index 5927f7ea..03093858 100644 --- a/tests/py/any/dup.t.json +++ b/tests/py/any/dup.t.json @@ -7,7 +7,7 @@ } ] -# dup to mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +# dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} [ { "dup": { diff --git a/tests/py/any/dup.t.payload b/tests/py/any/dup.t.payload index 4a615b2f..51ff782c 100644 --- a/tests/py/any/dup.t.payload +++ b/tests/py/any/dup.t.payload @@ -3,7 +3,7 @@ netdev test-netdev ingress [ immediate reg 1 0x00000001 ] [ dup sreg_dev 1 ] -# dup to mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +# dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} __map%d test-netdev b __map%d test-netdev 0 element 00000001 : 00000001 0 [end] element 00000002 : 00000001 0 [end] diff --git a/tests/py/any/fwd.t b/tests/py/any/fwd.t index 986a16d9..2e34d55a 100644 --- a/tests/py/any/fwd.t +++ b/tests/py/any/fwd.t @@ -3,6 +3,6 @@ *netdev;test-netdev;ingress fwd to "lo";ok -fwd to mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok +fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok fwd ip to 192.168.2.200 device "lo";ok diff --git a/tests/py/any/fwd.t.json b/tests/py/any/fwd.t.json index e58a8ad2..c4ad430f 100644 --- a/tests/py/any/fwd.t.json +++ b/tests/py/any/fwd.t.json @@ -7,7 +7,7 @@ } ] -# fwd to mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} [ { "fwd": { diff --git a/tests/py/any/fwd.t.json.output b/tests/py/any/fwd.t.json.output index e4bad620..e5f66a36 100644 --- a/tests/py/any/fwd.t.json.output +++ b/tests/py/any/fwd.t.json.output @@ -1,4 +1,4 @@ -# fwd to mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} [ { "fwd": { diff --git a/tests/py/any/fwd.t.payload b/tests/py/any/fwd.t.payload index 966c08b0..f03077a6 100644 --- a/tests/py/any/fwd.t.payload +++ b/tests/py/any/fwd.t.payload @@ -3,7 +3,7 @@ netdev test-netdev ingress [ immediate reg 1 0x00000001 ] [ fwd sreg_dev 1 ] -# fwd to mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} __map%d test-netdev b __map%d test-netdev 0 element 00000001 : 00000001 0 [end] element 00000002 : 00000001 0 [end] diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t index b3bb0504..d69b8b4e 100644 --- a/tests/py/any/meta.t +++ b/tests/py/any/meta.t @@ -49,17 +49,17 @@ meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok meta priority set cafe:beef;ok meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok -meta mark 0x4;ok;mark 0x00000004 -meta mark 0x32;ok;mark 0x00000032 -meta mark and 0x03 == 0x01;ok;mark & 0x00000003 == 0x00000001 -meta mark and 0x03 != 0x01;ok;mark & 0x00000003 != 0x00000001 -meta mark 0x10;ok;mark 0x00000010 -meta mark != 0x10;ok;mark != 0x00000010 - -meta mark or 0x03 == 0x01;ok;mark | 0x00000003 == 0x00000001 -meta mark or 0x03 != 0x01;ok;mark | 0x00000003 != 0x00000001 -meta mark xor 0x03 == 0x01;ok;mark 0x00000002 -meta mark xor 0x03 != 0x01;ok;mark != 0x00000002 +meta mark 0x4;ok;meta mark 0x00000004 +meta mark 0x32;ok;meta mark 0x00000032 +meta mark and 0x03 == 0x01;ok;meta mark & 0x00000003 == 0x00000001 +meta mark and 0x03 != 0x01;ok;meta mark & 0x00000003 != 0x00000001 +meta mark 0x10;ok;meta mark 0x00000010 +meta mark != 0x10;ok;meta mark != 0x00000010 + +meta mark or 0x03 == 0x01;ok;meta mark | 0x00000003 == 0x00000001 +meta mark or 0x03 != 0x01;ok;meta mark | 0x00000003 != 0x00000001 +meta mark xor 0x03 == 0x01;ok;meta mark 0x00000002 +meta mark xor 0x03 != 0x01;ok;meta mark != 0x00000002 meta iif "lo" accept;ok;iif "lo" accept meta iif != "lo" accept;ok;iif != "lo" accept @@ -72,12 +72,12 @@ meta iifname "dummy*";ok;iifname "dummy*" meta iifname "dummy\*";ok;iifname "dummy\*" meta iifname "";fail -meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok;iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre} -meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok;iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre} -meta iiftype != ether;ok;iiftype != ether -meta iiftype ether;ok;iiftype ether -meta iiftype != ppp;ok;iiftype != ppp -meta iiftype ppp;ok;iiftype ppp +meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok +meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok +meta iiftype != ether;ok +meta iiftype ether;ok +meta iiftype != ppp;ok +meta iiftype ppp;ok meta oif "lo" accept;ok;oif "lo" accept meta oif != "lo" accept;ok;oif != "lo" accept @@ -91,34 +91,34 @@ meta oifname "dummy*";ok;oifname "dummy*" meta oifname "dummy\*";ok;oifname "dummy\*" meta oifname "";fail -meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok;oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre} -meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok;oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre} -meta oiftype != ether;ok;oiftype != ether -meta oiftype ether;ok;oiftype ether - -meta skuid {"bin", "root", "daemon"} accept;ok;skuid { 0, 1, 2} accept -meta skuid != {"bin", "root", "daemon"} accept;ok;skuid != { 1, 0, 2} accept -meta skuid "root";ok;skuid 0 -meta skuid != "root";ok;skuid != 0 -meta skuid lt 3000 accept;ok;skuid < 3000 accept -meta skuid gt 3000 accept;ok;skuid > 3000 accept -meta skuid eq 3000 accept;ok;skuid 3000 accept -meta skuid 3001-3005 accept;ok;skuid 3001-3005 accept -meta skuid != 2001-2005 accept;ok;skuid != 2001-2005 accept -meta skuid { 2001-2005} accept;ok;skuid { 2001-2005} accept -meta skuid != { 2001-2005} accept;ok;skuid != { 2001-2005} accept - -meta skgid {"bin", "root", "daemon"} accept;ok;skgid { 0, 1, 2} accept -meta skgid != {"bin", "root", "daemon"} accept;ok;skgid != { 1, 0, 2} accept -meta skgid "root";ok;skgid 0 -meta skgid != "root";ok;skgid != 0 -meta skgid lt 3000 accept;ok;skgid < 3000 accept -meta skgid gt 3000 accept;ok;skgid > 3000 accept -meta skgid eq 3000 accept;ok;skgid 3000 accept -meta skgid 2001-2005 accept;ok;skgid 2001-2005 accept -meta skgid != 2001-2005 accept;ok;skgid != 2001-2005 accept -meta skgid { 2001-2005} accept;ok;skgid { 2001-2005} accept -meta skgid != { 2001-2005} accept;ok;skgid != { 2001-2005} accept +meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok +meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok +meta oiftype != ether;ok +meta oiftype ether;ok + +meta skuid {"bin", "root", "daemon"} accept;ok;meta skuid { 0, 1, 2} accept +meta skuid != {"bin", "root", "daemon"} accept;ok;meta skuid != { 1, 0, 2} accept +meta skuid "root";ok;meta skuid 0 +meta skuid != "root";ok;meta skuid != 0 +meta skuid lt 3000 accept;ok;meta skuid < 3000 accept +meta skuid gt 3000 accept;ok;meta skuid > 3000 accept +meta skuid eq 3000 accept;ok;meta skuid 3000 accept +meta skuid 3001-3005 accept;ok;meta skuid 3001-3005 accept +meta skuid != 2001-2005 accept;ok;meta skuid != 2001-2005 accept +meta skuid { 2001-2005} accept;ok;meta skuid { 2001-2005} accept +meta skuid != { 2001-2005} accept;ok;meta skuid != { 2001-2005} accept + +meta skgid {"bin", "root", "daemon"} accept;ok;meta skgid { 0, 1, 2} accept +meta skgid != {"bin", "root", "daemon"} accept;ok;meta skgid != { 1, 0, 2} accept +meta skgid "root";ok;meta skgid 0 +meta skgid != "root";ok;meta skgid != 0 +meta skgid lt 3000 accept;ok;meta skgid < 3000 accept +meta skgid gt 3000 accept;ok;meta skgid > 3000 accept +meta skgid eq 3000 accept;ok;meta skgid 3000 accept +meta skgid 2001-2005 accept;ok;meta skgid 2001-2005 accept +meta skgid != 2001-2005 accept;ok;meta skgid != 2001-2005 accept +meta skgid { 2001-2005} accept;ok;meta skgid { 2001-2005} accept +meta skgid != { 2001-2005} accept;ok;meta skgid != { 2001-2005} accept # BUG: meta nftrace 2 and meta nftrace 1 # $ sudo nft add rule ip test input meta nftrace 2 @@ -130,14 +130,14 @@ meta skgid != { 2001-2005} accept;ok;skgid != { 2001-2005} accept # add rule ip test input meta nftrace 1 # -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -meta mark set 0xffffffc8 xor 0x16;ok;mark set 0xffffffde -meta mark set 0x16 and 0x16;ok;mark set 0x00000016 -meta mark set 0xffffffe9 or 0x16;ok;mark set 0xffffffff -meta mark set 0xffffffde and 0x16;ok;mark set 0x00000016 -meta mark set 0xf045ffde or 0x10;ok;mark set 0xf045ffde -meta mark set 0xffffffde or 0x16;ok;mark set 0xffffffde -meta mark set 0x32 or 0xfffff;ok;mark set 0x000fffff -meta mark set 0xfffe xor 0x16;ok;mark set 0x0000ffe8 +meta mark set 0xffffffc8 xor 0x16;ok;meta mark set 0xffffffde +meta mark set 0x16 and 0x16;ok;meta mark set 0x00000016 +meta mark set 0xffffffe9 or 0x16;ok;meta mark set 0xffffffff +meta mark set 0xffffffde and 0x16;ok;meta mark set 0x00000016 +meta mark set 0xf045ffde or 0x10;ok;meta mark set 0xf045ffde +meta mark set 0xffffffde or 0x16;ok;meta mark set 0xffffffde +meta mark set 0x32 or 0xfffff;ok;meta mark set 0x000fffff +meta mark set 0xfffe xor 0x16;ok;meta mark set 0x0000ffe8 meta mark set {0xffff, 0xcc};fail meta pkttype set {unicast, multicast, broadcast};fail @@ -145,29 +145,29 @@ meta pkttype set {unicast, multicast, broadcast};fail meta iif "lo";ok;iif "lo" meta oif "lo";ok;oif "lo" meta oifname "dummy2" accept;ok;oifname "dummy2" accept -meta skuid 3000;ok;skuid 3000 -meta skgid 3000;ok;skgid 3000 +meta skuid 3000;ok +meta skgid 3000;ok # BUG: meta nftrace 1;ok # :1:1-37: Error: Could not process rule: Operation not supported - meta nftrace 1;ok -meta rtclassid "cosmos";ok;rtclassid "cosmos" - -meta pkttype broadcast;ok;pkttype broadcast -meta pkttype host;ok;pkttype host -meta pkttype multicast;ok;pkttype multicast -meta pkttype != broadcast;ok;pkttype != broadcast -meta pkttype != host;ok;pkttype != host -meta pkttype != multicast;ok;pkttype != multicast +meta rtclassid "cosmos";ok + +meta pkttype broadcast;ok +meta pkttype host;ok +meta pkttype multicast;ok +meta pkttype != broadcast;ok +meta pkttype != host;ok +meta pkttype != multicast;ok meta pkttype broadcastttt;fail -pkttype { broadcast, multicast} accept;ok +pkttype { broadcast, multicast} accept;ok;meta pkttype { broadcast, multicast} accept -meta cpu 1;ok;cpu 1 -meta cpu != 1;ok;cpu != 1 -meta cpu 1-3;ok;cpu 1-3 -meta cpu != 1-2;ok;cpu != 1-2 -meta cpu { 2,3};ok;cpu { 2,3} -meta cpu { 2-3, 5-7};ok;cpu { 2-3, 5-7} -meta cpu != { 2,3};ok;cpu != { 2,3} +meta cpu 1;ok +meta cpu != 1;ok +meta cpu 1-3;ok +meta cpu != 1-2;ok +meta cpu { 2,3};ok +meta cpu { 2-3, 5-7};ok +meta cpu != { 2,3};ok meta iifgroup 0;ok;iifgroup "default" meta iifgroup != 0;ok;iifgroup != "default" @@ -190,17 +190,17 @@ meta oifgroup {11-33};ok;oifgroup {11-33} meta oifgroup != { 11,33};ok;oifgroup != { 11,33} meta oifgroup != {11-33};ok;oifgroup != {11-33} -meta cgroup 1048577;ok;cgroup 1048577 -meta cgroup != 1048577;ok;cgroup != 1048577 -meta cgroup { 1048577, 1048578 };ok;cgroup { 1048577, 1048578} -meta cgroup != { 1048577, 1048578};ok;cgroup != { 1048577, 1048578} -meta cgroup 1048577-1048578;ok;cgroup 1048577-1048578 -meta cgroup != 1048577-1048578;ok;cgroup != 1048577-1048578 -meta cgroup {1048577-1048578};ok;cgroup { 1048577-1048578} -meta cgroup != { 1048577-1048578};ok;cgroup != { 1048577-1048578} +meta cgroup 1048577;ok;meta cgroup 1048577 +meta cgroup != 1048577;ok;meta cgroup != 1048577 +meta cgroup { 1048577, 1048578 };ok;meta cgroup { 1048577, 1048578} +meta cgroup != { 1048577, 1048578};ok;meta cgroup != { 1048577, 1048578} +meta cgroup 1048577-1048578;ok;meta cgroup 1048577-1048578 +meta cgroup != 1048577-1048578;ok;meta cgroup != 1048577-1048578 +meta cgroup {1048577-1048578};ok;meta cgroup { 1048577-1048578} +meta cgroup != { 1048577-1048578};ok;meta cgroup != { 1048577-1048578} meta iif . meta oif { "lo" . "lo" };ok;iif . oif { "lo" . "lo" } -meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a };ok;iif . oif . mark { "lo" . "lo" . 0x0000000a } +meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a };ok;iif . oif . meta mark { "lo" . "lo" . 0x0000000a } meta iif . meta oif vmap { "lo" . "lo" : drop };ok;iif . oif vmap { "lo" . "lo" : drop } meta random eq 1;ok;meta random 1 diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t index f8710b25..88e819f7 100644 --- a/tests/py/bridge/meta.t +++ b/tests/py/bridge/meta.t @@ -2,5 +2,5 @@ *bridge;test-bridge;input -meta obrname "br0";ok;meta obrname "br0" -meta ibrname "br0";ok;meta ibrname "br0" +meta obrname "br0";ok +meta ibrname "br0";ok diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t index 67deac8d..d1c2ecab 100644 --- a/tests/py/bridge/reject.t +++ b/tests/py/bridge/reject.t @@ -16,7 +16,7 @@ reject with icmpv6 type admin-prohibited;ok;ether type ip6 reject with icmpv6 ty reject with icmpv6 type addr-unreachable;ok;ether type ip6 reject with icmpv6 type addr-unreachable reject with icmpv6 type port-unreachable;ok;ether type ip6 reject -mark 12345 ip protocol tcp reject with tcp reset;ok;mark 0x00003039 ip protocol 6 reject with tcp reset +mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset reject;ok ether type ip reject;ok diff --git a/tests/py/inet/map.t b/tests/py/inet/map.t index 5075540b..e83490a8 100644 --- a/tests/py/inet/map.t +++ b/tests/py/inet/map.t @@ -5,5 +5,5 @@ *inet;test-inet;input *netdev;test-netdev;ingress -mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a} -mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017} +mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;meta mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a} +mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;meta mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017} diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t index 7679407e..cb3caa4a 100644 --- a/tests/py/inet/reject.t +++ b/tests/py/inet/reject.t @@ -16,7 +16,7 @@ reject with icmpv6 type admin-prohibited;ok;meta nfproto ipv6 reject with icmpv6 reject with icmpv6 type addr-unreachable;ok;meta nfproto ipv6 reject with icmpv6 type addr-unreachable reject with icmpv6 type port-unreachable;ok;meta nfproto ipv6 reject -mark 12345 reject with tcp reset;ok;meta l4proto 6 mark 0x00003039 reject with tcp reset +mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset reject;ok meta nfproto ipv4 reject;ok diff --git a/tests/py/ip/ip_tcp.t b/tests/py/ip/ip_tcp.t index 450df727..467da3ef 100644 --- a/tests/py/ip/ip_tcp.t +++ b/tests/py/ip/ip_tcp.t @@ -7,4 +7,4 @@ ip protocol tcp tcp dport 22;ok;tcp dport 22 # but not here -ip protocol tcp meta mark set 1 tcp dport 22;ok;ip protocol 6 mark set 0x00000001 tcp dport 22 +ip protocol tcp meta mark set 1 tcp dport 22;ok;ip protocol 6 meta mark set 0x00000001 tcp dport 22 diff --git a/tests/py/ip/reject.t b/tests/py/ip/reject.t index 7befe697..cc5561a0 100644 --- a/tests/py/ip/reject.t +++ b/tests/py/ip/reject.t @@ -10,7 +10,7 @@ reject with icmp type port-unreachable;ok;reject reject with icmp type net-prohibited;ok reject with icmp type host-prohibited;ok reject with icmp type admin-prohibited;ok -mark 0x80000000 reject with tcp reset;ok +mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset reject with icmp type no-route;fail reject with icmpv6 type no-route;fail diff --git a/tests/py/ip6/map.t b/tests/py/ip6/map.t index 3377f8d3..4d06e87f 100644 --- a/tests/py/ip6/map.t +++ b/tests/py/ip6/map.t @@ -1,5 +1,5 @@ :input;type filter hook input priority 0 *ip6;test-ip6;input -mark set ip6 saddr and ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017};ok;mark set ip6 saddr & ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017} +mark set ip6 saddr and ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017};ok;meta mark set ip6 saddr & ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017} diff --git a/tests/py/ip6/reject.t b/tests/py/ip6/reject.t index a95f2e3f..7fa04eec 100644 --- a/tests/py/ip6/reject.t +++ b/tests/py/ip6/reject.t @@ -9,7 +9,7 @@ reject with icmpv6 type addr-unreachable;ok reject with icmpv6 type port-unreachable;ok;reject reject with icmpv6 type policy-fail;ok reject with icmpv6 type reject-route;ok -mark 0x80000000 reject with tcp reset;ok +mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset reject with icmpv6 type host-unreachable;fail reject with icmp type host-unreachable;fail -- cgit v1.2.3