From 8b043938e77b1f421beccff595117d6e4ff8eecc Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 15 Jan 2021 18:40:11 +0100 Subject: evaluate: disallow ct original {s,d}ddr from maps test.nft:6:55-71: Error: specify either ip or ip6 for address matching add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 } ^^^^^^^^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso --- tests/py/ip/ct.t | 3 +++ 1 file changed, 3 insertions(+) (limited to 'tests/py/ip/ct.t') diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t index d3247f79..c5ce1274 100644 --- a/tests/py/ip/ct.t +++ b/tests/py/ip/ct.t @@ -21,3 +21,6 @@ ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-s # wrong address family ct reply ip daddr dead::beef;fail + +meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail +meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok -- cgit v1.2.3
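Review bot: the two test lines added at the end of tests/py/ip/ct.t cover only `ct original daddr`, while the subject says the restriction applies to both saddr and daddr. I would add the matching pair for the source address, `meta mark set ct original saddr map { 1.1.1.1 : 0x00000011 };fail` and `meta mark set ct original ip saddr map { 1.1.1.1 : 0x00000011 };ok`, so that both keys named in the subject are pinned by a test. The failing rule quoted in the commit message also differs from the test in two ways: it is a `ct direction reply mark set ...` rule and its map keys are variables (`$ext1_ip`, `$ext2_ip`). A `;fail` case closer to that reported form would show that the error is raised for the original reproducer as well as for the reduced `meta mark set` rule. Only the test file is visible in this view, so the evaluate change itself cannot be reviewed from here.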