From 7f742d0a9071f932836b4f8525a6d3f7261ae083 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 21 Jun 2019 10:28:37 +0200
Subject: ct: support for NFT_CT_{SRC,DST}_{IP,IP6}
These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4
Signed-off-by: Pablo Neira Ayuso
---
 tests/py/ip/ct.t.json | 24 ++++++++----------------
 tests/py/ip/ct.t.payload | 16 ++++++++--------
 2 files changed, 16 insertions(+), 24 deletions(-) (limited to 'tests/py/ip')
diff --git a/tests/py/ip/ct.t.json b/tests/py/ip/ct.t.json
index cc3ab692..881cd4c9 100644
--- a/tests/py/ip/ct.t.json
+++ b/tests/py/ip/ct.t.json
@@ -5,8 +5,7 @@
 "left": {
 "ct": {
 "dir": "original",
- "family": "ip",
- "key": "saddr"
+ "key": "ip saddr"
 }
 },
 "op": "==",
@@ -22,8 +21,7 @@
 "left": {
 "ct": {
 "dir": "reply",
- "family": "ip",
- "key": "saddr"
+ "key": "ip saddr"
 }
 },
 "op": "==",
@@ -39,8 +37,7 @@
 "left": {
 "ct": {
 "dir": "original",
- "family": "ip",
- "key": "daddr"
+ "key": "ip daddr"
 }
 },
 "op": "==",
@@ -56,8 +53,7 @@
 "left": {
 "ct": {
 "dir": "reply",
- "family": "ip",
- "key": "daddr"
+ "key": "ip daddr"
 }
 },
 "op": "==",
@@ -73,8 +69,7 @@
 "left": {
 "ct": {
 "dir": "original",
- "family": "ip",
- "key": "saddr"
+ "key": "ip saddr"
 }
 },
 "op": "==",
@@ -95,8 +90,7 @@
 "left": {
 "ct": {
 "dir": "reply",
- "family": "ip",
- "key": "saddr"
+ "key": "ip saddr"
 }
 },
 "op": "==",
@@ -117,8 +111,7 @@
 "left": {
 "ct": {
 "dir": "original",
- "family": "ip",
- "key": "daddr"
+ "key": "ip daddr"
 }
 },
 "op": "==",
@@ -139,8 +132,7 @@
 "left": {
 "ct": {
 "dir": "reply",
- "family": "ip",
- "key": "daddr"
+ "key": "ip daddr"
 }
 },
 "op": "==",
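Review bot: None of the rewritten expectations in tests/py/ip/ct.t.json keeps the previous `"family": "ip"` member: the first hunk replaces it with `"key": "ip saddr"`, and the seven hunks that follow repeat the same substitution for the other direction/address combinations. Nothing visible here therefore shows whether JSON input in the old `"family"` plus `"key": "saddr"` form is still accepted or is now rejected. If previously exported JSON rulesets are expected to keep loading, one retained case in the old form would pin that down; if the old form is meant to fail, a negative case would document it. The surrounding test objects start and end outside the hunks, so this is based on the changed lines only.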
diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
index b7cd130d..d5faed4c 100644
--- a/tests/py/ip/ct.t.payload
+++ b/tests/py/ip/ct.t.payload
@@ -1,44 +1,44 @@
 # ct original ip saddr 192.168.0.1
 ip test-ip4 output
- [ ct load src => reg 1 , dir original ]
+ [ ct load src_ip => reg 1 , dir original ]
 [ cmp eq reg 1 0x0100a8c0 ]
 # ct reply ip saddr 192.168.0.1
 ip test-ip4 output
- [ ct load src => reg 1 , dir reply ]
+ [ ct load src_ip => reg 1 , dir reply ]
 [ cmp eq reg 1 0x0100a8c0 ]
 # ct original ip daddr 192.168.0.1
 ip test-ip4 output
- [ ct load dst => reg 1 , dir original ]
+ [ ct load dst_ip => reg 1 , dir original ]
 [ cmp eq reg 1 0x0100a8c0 ]
 # ct reply ip daddr 192.168.0.1
 ip test-ip4 output
- [ ct load dst => reg 1 , dir reply ]
+ [ ct load dst_ip => reg 1 , dir reply ]
 [ cmp eq reg 1 0x0100a8c0 ]
 # ct original ip saddr 192.168.1.0/24
 ip test-ip4 output
- [ ct load src => reg 1 , dir original ]
+ [ ct load src_ip => reg 1 , dir original ]
 [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
 [ cmp eq reg 1 0x0001a8c0 ]
 # ct reply ip saddr 192.168.1.0/24
 ip test-ip4 output
- [ ct load src => reg 1 , dir reply ]
+ [ ct load src_ip => reg 1 , dir reply ]
 [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
 [ cmp eq reg 1 0x0001a8c0 ]
 # ct original ip daddr 192.168.1.0/24
 ip test-ip4 output
- [ ct load dst => reg 1 , dir original ]
+ [ ct load dst_ip => reg 1 , dir original ]
 [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
 [ cmp eq reg 1 0x0001a8c0 ]
 # ct reply ip daddr 192.168.1.0/24
 ip test-ip4 output
- [ ct load dst => reg 1 , dir reply ]
+ [ ct load dst_ip => reg 1 , dir reply ]
 [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
 [ cmp eq reg 1 0x0001a8c0 ]
-- cgit v1.2.3
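Review bot: Every expectation in this hunk is a single-address or /24 match (`ct load src_ip` or `ct load dst_ip` followed by `cmp eq`), so the set, map and concatenation cases that the commit message says were broken and are now implicitly fixed have no regression coverage here. A mismatch in those paths would make a conntrack address rule silently fail to match, so at least one set lookup and one concatenation expectation using the new keys would be worth adding. Such cases may exist in a directory outside this view, which is limited to tests/py/ip. The message also names `meta nfproto ipv4 ct original saddr 1.2.3.4` as the path for kernels older than 4.17, and no expectation with the plain `ct load src` key remains in this file after the change.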