From 7f742d0a9071f932836b4f8525a6d3f7261ae083 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Jun 2019 10:28:37 +0200 Subject: ct: support for NFT_CT_{SRC,DST}_{IP,IP6} These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso --- tests/py/any/ct.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tests/py/any') diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t index 81d937d9..267eca1a 100644 --- a/tests/py/any/ct.t +++ b/tests/py/any/ct.t @@ -97,10 +97,10 @@ ct both bytes gt 1;fail ct bytes original reply;fail # missing direction -ct saddr 1.2.3.4;fail +ct ip saddr 1.2.3.4;fail # wrong base (ip6 but ipv4 address given) -meta nfproto ipv6 ct original saddr 1.2.3.4;fail +meta nfproto ipv6 ct original ip saddr 1.2.3.4;fail # direction, but must be used without ct original mark 42;fail -- cgit v1.2.3