import nftables-0.9.3-20.el8
parent
7f3b401ac2
commit
259e7f2761
497
SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch
Normal file
@ -0,0 +1,497 @@
|
||||
From f9dca1704ce66be31eceac4d7317b825269b3d07 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Tue, 2 Mar 2021 17:06:06 +0100
|
||||
Subject: [PATCH] tests: Disable tests known to fail on RHEL8
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
|
||||
Upstream Status: RHEL-only
|
||||
|
||||
RHEL8 kernel does not support:
|
||||
|
||||
- ct timeout or expectation objects
|
||||
- synproxy
|
||||
- flowtables in families other than inet
|
||||
- meta time
|
||||
- bridge family-specific meta expressions (e.g. ibrvproto, ibrpvid)
|
||||
- socket mark
|
||||
- osf
|
||||
- delete set elements from packet path
|
||||
- update stateful objects
|
||||
- explicitly setting set element expiration (commit 79ebb5bb4e3)
|
||||
- flushing chains and deleting referenced objects in the same
|
||||
transaction (upstream commits with 'bogus EBUSY' in subject)
|
||||
|
||||
Disable all related tests to make the testsuites pass.
|
||||
---
|
||||
tests/monitor/testcases/object.t | 14 +++----
|
||||
tests/py/any/meta.t | 36 ++++++++---------
|
||||
tests/py/bridge/meta.t | 8 ++--
|
||||
tests/py/inet/osf.t | 24 +++++------
|
||||
tests/py/inet/socket.t | 2 +-
|
||||
tests/py/inet/synproxy.t | 12 +++---
|
||||
tests/py/ip/objects.t | 46 +++++++++++-----------
|
||||
tests/py/ip6/sets.t | 2 +-
|
||||
.../testcases/flowtable/0002create_flowtable_0 | 8 ++--
|
||||
.../testcases/flowtable/0003add_after_flush_0 | 8 ++--
|
||||
.../testcases/flowtable/0004delete_after_add_0 | 6 +--
|
||||
.../shell/testcases/flowtable/0005delete_in_use_1 | 10 ++---
|
||||
tests/shell/testcases/flowtable/0007prio_0 | 6 +--
|
||||
tests/shell/testcases/flowtable/0008prio_1 | 4 +-
|
||||
.../testcases/flowtable/0009deleteafterflush_0 | 12 +++---
|
||||
tests/shell/testcases/listing/0013objects_0 | 2 +
|
||||
tests/shell/testcases/nft-f/0017ct_timeout_obj_0 | 2 +
|
||||
.../shell/testcases/nft-f/0018ct_expectation_obj_0 | 2 +
|
||||
.../testcases/nft-f/dumps/0017ct_timeout_obj_0.nft | 11 ------
|
||||
.../nft-f/dumps/0017ct_timeout_obj_0.nft.disabled | 11 ++++++
|
||||
.../testcases/optionals/update_object_handles_0 | 2 +
|
||||
.../sets/0036add_set_element_expiration_0 | 2 +
|
||||
tests/shell/testcases/transactions/0046set_0 | 2 +
|
||||
23 files changed, 122 insertions(+), 110 deletions(-)
|
||||
delete mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
|
||||
create mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
|
||||
|
||||
diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t
|
||||
index 2afe33c..1b30384 100644
|
||||
--- a/tests/monitor/testcases/object.t
|
||||
+++ b/tests/monitor/testcases/object.t
|
||||
@@ -37,10 +37,10 @@ I delete ct helper ip t cth
|
||||
O -
|
||||
J {"delete": {"ct helper": {"family": "ip", "name": "cth", "table": "t", "handle": 0, "type": "sip", "protocol": "tcp", "l3proto": "ip"}}}
|
||||
|
||||
-I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15, replied : 12 }; }
|
||||
-O -
|
||||
-J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
|
||||
-
|
||||
-I delete ct timeout ip t ctt
|
||||
-O -
|
||||
-J {"delete": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
|
||||
+# I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15, replied : 12 }; }
|
||||
+# O -
|
||||
+# J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
|
||||
+#
|
||||
+# I delete ct timeout ip t ctt
|
||||
+# O -
|
||||
+# J {"delete": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
|
||||
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
|
||||
index 327f973..241b466 100644
|
||||
--- a/tests/py/any/meta.t
|
||||
+++ b/tests/py/any/meta.t
|
||||
@@ -204,21 +204,21 @@ meta iif . meta oif vmap { "lo" . "lo" : drop };ok;iif . oif vmap { "lo" . "lo"
|
||||
meta random eq 1;ok;meta random 1
|
||||
meta random gt 1000000;ok;meta random > 1000000
|
||||
|
||||
-meta time "1970-05-23 21:07:14" drop;ok
|
||||
-meta time 12341234 drop;ok;meta time "1970-05-23 22:07:14" drop
|
||||
-meta time "2019-06-21 17:00:00" drop;ok
|
||||
-meta time "2019-07-01 00:00:00" drop;ok
|
||||
-meta time "2019-07-01 00:01:00" drop;ok
|
||||
-meta time "2019-07-01 00:00:01" drop;ok
|
||||
-meta day "Saturday" drop;ok
|
||||
-meta day 6 drop;ok;meta day "Saturday" drop
|
||||
-meta day "Satturday" drop;fail
|
||||
-meta hour "17:00" drop;ok
|
||||
-meta hour "17:00:00" drop;ok;meta hour "17:00" drop
|
||||
-meta hour "17:00:01" drop;ok
|
||||
-meta hour "00:00" drop;ok
|
||||
-meta hour "00:01" drop;ok
|
||||
-
|
||||
-meta time "meh";fail
|
||||
-meta hour "24:00" drop;fail
|
||||
-meta day 7 drop;fail
|
||||
+- meta time "1970-05-23 21:07:14" drop;ok
|
||||
+- meta time 12341234 drop;ok;meta time "1970-05-23 22:07:14" drop
|
||||
+- meta time "2019-06-21 17:00:00" drop;ok
|
||||
+- meta time "2019-07-01 00:00:00" drop;ok
|
||||
+- meta time "2019-07-01 00:01:00" drop;ok
|
||||
+- meta time "2019-07-01 00:00:01" drop;ok
|
||||
+- meta day "Saturday" drop;ok
|
||||
+- meta day 6 drop;ok;meta day "Saturday" drop
|
||||
+- meta day "Satturday" drop;fail
|
||||
+- meta hour "17:00" drop;ok
|
||||
+- meta hour "17:00:00" drop;ok;meta hour "17:00" drop
|
||||
+- meta hour "17:00:01" drop;ok
|
||||
+- meta hour "00:00" drop;ok
|
||||
+- meta hour "00:01" drop;ok
|
||||
+
|
||||
+- meta time "meh";fail
|
||||
+- meta hour "24:00" drop;fail
|
||||
+- meta day 7 drop;fail
|
||||
diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t
|
||||
index 94525f2..9f55cde 100644
|
||||
--- a/tests/py/bridge/meta.t
|
||||
+++ b/tests/py/bridge/meta.t
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
*bridge;test-bridge;input
|
||||
|
||||
-meta obrname "br0";ok
|
||||
-meta ibrname "br0";ok
|
||||
-meta ibrvproto vlan;ok
|
||||
-meta ibrpvid 100;ok
|
||||
+- meta obrname "br0";ok
|
||||
+- meta ibrname "br0";ok
|
||||
+- meta ibrvproto vlan;ok
|
||||
+- meta ibrpvid 100;ok
|
||||
diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t
|
||||
index c828541..5191e72 100644
|
||||
--- a/tests/py/inet/osf.t
|
||||
+++ b/tests/py/inet/osf.t
|
||||
@@ -4,15 +4,15 @@
|
||||
*ip6;osfip6;osfchain
|
||||
*inet;osfinet;osfchain
|
||||
|
||||
-osf name "Linux";ok
|
||||
-osf ttl loose name "Linux";ok
|
||||
-osf ttl skip name "Linux";ok
|
||||
-osf ttl skip version "Linux:3.0";ok
|
||||
-osf ttl skip version "morethan:sixteenbytes";fail
|
||||
-osf ttl nottl name "Linux";fail
|
||||
-osf name "morethansixteenbytes";fail
|
||||
-osf name ;fail
|
||||
-osf name { "Windows", "MacOs" };ok
|
||||
-osf version { "Windows:XP", "MacOs:Sierra" };ok
|
||||
-ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
|
||||
-ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok
|
||||
+- osf name "Linux";ok
|
||||
+- osf ttl loose name "Linux";ok
|
||||
+- osf ttl skip name "Linux";ok
|
||||
+- osf ttl skip version "Linux:3.0";ok
|
||||
+- osf ttl skip version "morethan:sixteenbytes";fail
|
||||
+- osf ttl nottl name "Linux";fail
|
||||
+- osf name "morethansixteenbytes";fail
|
||||
+- osf name ;fail
|
||||
+- osf name { "Windows", "MacOs" };ok
|
||||
+- osf version { "Windows:XP", "MacOs:Sierra" };ok
|
||||
+- ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
|
||||
+- ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok
|
||||
diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
|
||||
index 91846e8..dbc0554 100644
|
||||
--- a/tests/py/inet/socket.t
|
||||
+++ b/tests/py/inet/socket.t
|
||||
@@ -8,4 +8,4 @@ socket transparent 0;ok
|
||||
socket transparent 1;ok
|
||||
socket transparent 2;fail
|
||||
|
||||
-socket mark 0x00000005;ok
|
||||
+- socket mark 0x00000005;ok
|
||||
diff --git a/tests/py/inet/synproxy.t b/tests/py/inet/synproxy.t
|
||||
index 55a05e1..9c58239 100644
|
||||
--- a/tests/py/inet/synproxy.t
|
||||
+++ b/tests/py/inet/synproxy.t
|
||||
@@ -4,10 +4,10 @@
|
||||
*ip6;synproxyip6;synproxychain
|
||||
*inet;synproxyinet;synproxychain
|
||||
|
||||
-synproxy;ok
|
||||
-synproxy mss 1460 wscale 7;ok
|
||||
-synproxy mss 1460 wscale 5 timestamp sack-perm;ok
|
||||
-synproxy timestamp sack-perm;ok
|
||||
-synproxy timestamp;ok
|
||||
-synproxy sack-perm;ok
|
||||
+-synproxy;ok
|
||||
+-synproxy mss 1460 wscale 7;ok
|
||||
+-synproxy mss 1460 wscale 5 timestamp sack-perm;ok
|
||||
+-synproxy timestamp sack-perm;ok
|
||||
+-synproxy timestamp;ok
|
||||
+-synproxy sack-perm;ok
|
||||
|
||||
diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t
|
||||
index 4fcde7c..06e94f1 100644
|
||||
--- a/tests/py/ip/objects.t
|
||||
+++ b/tests/py/ip/objects.t
|
||||
@@ -33,26 +33,26 @@ ip saddr 192.168.1.3 limit name "lim1";ok
|
||||
ip saddr 192.168.1.3 limit name "lim3";fail
|
||||
limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"};ok
|
||||
|
||||
-# ct timeout
|
||||
-%cttime1 type ct timeout { protocol tcp; policy = { established:122 } ;};ok
|
||||
-%cttime2 type ct timeout { protocol udp; policy = { syn_sent:122 } ;};fail
|
||||
-%cttime3 type ct timeout { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;};ok
|
||||
-%cttime4 type ct timeout { protocol udp; policy = { replied:14, unreplied:19 } ;};ok
|
||||
-%cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail
|
||||
-
|
||||
-ct timeout set "cttime1";ok
|
||||
-
|
||||
-# ct expectation
|
||||
-%ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok
|
||||
-%ctexpect2 type ct expectation { protocol udp; };fail
|
||||
-%ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail
|
||||
-%ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail
|
||||
-%ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok
|
||||
-
|
||||
-ct expectation set "ctexpect1";ok
|
||||
-
|
||||
-# synproxy
|
||||
-%synproxy1 type synproxy mss 1460 wscale 7;ok
|
||||
-%synproxy2 type synproxy mss 1460 wscale 7 timestamp sack-perm;ok
|
||||
-
|
||||
-synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"};ok
|
||||
+# # ct timeout
|
||||
+# %cttime1 type ct timeout { protocol tcp; policy = { established:122 } ;};ok
|
||||
+# %cttime2 type ct timeout { protocol udp; policy = { syn_sent:122 } ;};fail
|
||||
+# %cttime3 type ct timeout { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;};ok
|
||||
+# %cttime4 type ct timeout { protocol udp; policy = { replied:14, unreplied:19 } ;};ok
|
||||
+# %cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail
|
||||
+#
|
||||
+# ct timeout set "cttime1";ok
|
||||
+
|
||||
+# # ct expectation
|
||||
+# %ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok
|
||||
+# %ctexpect2 type ct expectation { protocol udp; };fail
|
||||
+# %ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail
|
||||
+# %ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail
|
||||
+# %ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok
|
||||
+#
|
||||
+# ct expectation set "ctexpect1";ok
|
||||
+
|
||||
+# # synproxy
|
||||
+# %synproxy1 type synproxy mss 1460 wscale 7;ok
|
||||
+# %synproxy2 type synproxy mss 1460 wscale 7 timestamp sack-perm;ok
|
||||
+#
|
||||
+# synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"};ok
|
||||
diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t
|
||||
index add82eb..cc43aca 100644
|
||||
--- a/tests/py/ip6/sets.t
|
||||
+++ b/tests/py/ip6/sets.t
|
||||
@@ -40,4 +40,4 @@ ip6 saddr != @set33 drop;fail
|
||||
!set5 type ipv6_addr . ipv6_addr;ok
|
||||
ip6 saddr . ip6 daddr @set5 drop;ok
|
||||
add @set5 { ip6 saddr . ip6 daddr };ok
|
||||
-delete @set5 { ip6 saddr . ip6 daddr };ok
|
||||
+- delete @set5 { ip6 saddr . ip6 daddr };ok
|
||||
diff --git a/tests/shell/testcases/flowtable/0002create_flowtable_0 b/tests/shell/testcases/flowtable/0002create_flowtable_0
|
||||
index 4c85c3f..8b80e34 100755
|
||||
--- a/tests/shell/testcases/flowtable/0002create_flowtable_0
|
||||
+++ b/tests/shell/testcases/flowtable/0002create_flowtable_0
|
||||
@@ -1,12 +1,12 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
-$NFT add table t
|
||||
-$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
|
||||
-if $NFT create flowtable t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then
|
||||
+$NFT add table inet t
|
||||
+$NFT add flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; }
|
||||
+if $NFT create flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then
|
||||
echo "E: flowtable creation not failing on existing set" >&2
|
||||
exit 1
|
||||
fi
|
||||
-$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
|
||||
+$NFT add flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; }
|
||||
|
||||
exit 0
|
||||
diff --git a/tests/shell/testcases/flowtable/0003add_after_flush_0 b/tests/shell/testcases/flowtable/0003add_after_flush_0
|
||||
index 481c7ed..b4243bc 100755
|
||||
--- a/tests/shell/testcases/flowtable/0003add_after_flush_0
|
||||
+++ b/tests/shell/testcases/flowtable/0003add_after_flush_0
|
||||
@@ -1,8 +1,8 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
-$NFT add table x
|
||||
-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
|
||||
+$NFT add table inet x
|
||||
+$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
|
||||
$NFT flush ruleset
|
||||
-$NFT add table x
|
||||
-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
|
||||
+$NFT add table inet x
|
||||
+$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
|
||||
diff --git a/tests/shell/testcases/flowtable/0004delete_after_add_0 b/tests/shell/testcases/flowtable/0004delete_after_add_0
|
||||
index 8d9a842..4618595 100755
|
||||
--- a/tests/shell/testcases/flowtable/0004delete_after_add_0
|
||||
+++ b/tests/shell/testcases/flowtable/0004delete_after_add_0
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
-$NFT add table x
|
||||
-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
|
||||
-$NFT delete flowtable x y
|
||||
+$NFT add table inet x
|
||||
+$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
|
||||
+$NFT delete flowtable inet x y
|
||||
diff --git a/tests/shell/testcases/flowtable/0005delete_in_use_1 b/tests/shell/testcases/flowtable/0005delete_in_use_1
|
||||
index ef52620..eda1fb9 100755
|
||||
--- a/tests/shell/testcases/flowtable/0005delete_in_use_1
|
||||
+++ b/tests/shell/testcases/flowtable/0005delete_in_use_1
|
||||
@@ -1,11 +1,11 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
-$NFT add table x
|
||||
-$NFT add chain x x
|
||||
-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
|
||||
-$NFT add rule x x flow add @y
|
||||
+$NFT add table inet x
|
||||
+$NFT add chain inet x x
|
||||
+$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
|
||||
+$NFT add rule inet x x flow add @y
|
||||
|
||||
-$NFT delete flowtable x y || exit 0
|
||||
+$NFT delete flowtable inet x y || exit 0
|
||||
echo "E: delete flowtable in use"
|
||||
exit 1
|
||||
diff --git a/tests/shell/testcases/flowtable/0007prio_0 b/tests/shell/testcases/flowtable/0007prio_0
|
||||
index 49bbcac..0ea262f 100755
|
||||
--- a/tests/shell/testcases/flowtable/0007prio_0
|
||||
+++ b/tests/shell/testcases/flowtable/0007prio_0
|
||||
@@ -15,10 +15,10 @@ format_offset () {
|
||||
fi
|
||||
}
|
||||
|
||||
-$NFT add table t
|
||||
+$NFT add table inet t
|
||||
for offset in -11 -10 0 10 11
|
||||
do
|
||||
- $NFT add flowtable t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }"
|
||||
- $NFT delete flowtable t f
|
||||
+ $NFT add flowtable inet t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }"
|
||||
+ $NFT delete flowtable inet t f
|
||||
done
|
||||
|
||||
diff --git a/tests/shell/testcases/flowtable/0008prio_1 b/tests/shell/testcases/flowtable/0008prio_1
|
||||
index 48953d7..0d8cdff 100755
|
||||
--- a/tests/shell/testcases/flowtable/0008prio_1
|
||||
+++ b/tests/shell/testcases/flowtable/0008prio_1
|
||||
@@ -1,9 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
-$NFT add table t
|
||||
+$NFT add table inet t
|
||||
for prioname in raw mangle dstnar security srcnat out dummy
|
||||
do
|
||||
- $NFT add flowtable t f { hook ingress priority $prioname \; devices = { lo }\; }
|
||||
+ $NFT add flowtable inet t f { hook ingress priority $prioname \; devices = { lo }\; }
|
||||
if (($? == 0))
|
||||
then
|
||||
echo "E: $prioname should not be a valid priority name for flowtables" >&2
|
||||
diff --git a/tests/shell/testcases/flowtable/0009deleteafterflush_0 b/tests/shell/testcases/flowtable/0009deleteafterflush_0
|
||||
index 2cda563..061e22e 100755
|
||||
--- a/tests/shell/testcases/flowtable/0009deleteafterflush_0
|
||||
+++ b/tests/shell/testcases/flowtable/0009deleteafterflush_0
|
||||
@@ -1,9 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
-$NFT add table x
|
||||
-$NFT add chain x y
|
||||
-$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;}
|
||||
-$NFT add rule x y flow add @f
|
||||
-$NFT flush chain x y
|
||||
-$NFT delete flowtable x f
|
||||
+$NFT add table inet x
|
||||
+$NFT add chain inet x y
|
||||
+$NFT add flowtable inet x f { hook ingress priority 0\; devices = { lo }\;}
|
||||
+$NFT add rule inet x y flow add @f
|
||||
+$NFT flush chain inet x y
|
||||
+$NFT delete flowtable inet x f
|
||||
diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0
|
||||
index 4d39143..130d02c 100755
|
||||
--- a/tests/shell/testcases/listing/0013objects_0
|
||||
+++ b/tests/shell/testcases/listing/0013objects_0
|
||||
@@ -1,5 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
+exit 0
|
||||
+
|
||||
# list table with all objects and chains
|
||||
|
||||
EXPECTED="table ip test {
|
||||
diff --git a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
|
||||
index 4f40779..e0f9e44 100755
|
||||
--- a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
|
||||
+++ b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
|
||||
@@ -1,5 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
+exit 0
|
||||
+
|
||||
EXPECTED='table ip filter {
|
||||
ct timeout cttime{
|
||||
protocol tcp
|
||||
diff --git a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
|
||||
index 4f9872f..f518cf7 100755
|
||||
--- a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
|
||||
+++ b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
|
||||
@@ -1,5 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
+exit 0
|
||||
+
|
||||
EXPECTED='table ip filter {
|
||||
ct expectation ctexpect{
|
||||
protocol tcp
|
||||
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
|
||||
deleted file mode 100644
|
||||
index 7cff1ed..0000000
|
||||
--- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
|
||||
+++ /dev/null
|
||||
@@ -1,11 +0,0 @@
|
||||
-table ip filter {
|
||||
- ct timeout cttime {
|
||||
- protocol tcp
|
||||
- l3proto ip
|
||||
- policy = { established : 123, close : 12 }
|
||||
- }
|
||||
-
|
||||
- chain c {
|
||||
- ct timeout set "cttime"
|
||||
- }
|
||||
-}
|
||||
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
|
||||
new file mode 100644
|
||||
index 0000000..7cff1ed
|
||||
--- /dev/null
|
||||
+++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
|
||||
@@ -0,0 +1,11 @@
|
||||
+table ip filter {
|
||||
+ ct timeout cttime {
|
||||
+ protocol tcp
|
||||
+ l3proto ip
|
||||
+ policy = { established : 123, close : 12 }
|
||||
+ }
|
||||
+
|
||||
+ chain c {
|
||||
+ ct timeout set "cttime"
|
||||
+ }
|
||||
+}
|
||||
diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
|
||||
index 8b12b8c..e11b4e7 100755
|
||||
--- a/tests/shell/testcases/optionals/update_object_handles_0
|
||||
+++ b/tests/shell/testcases/optionals/update_object_handles_0
|
||||
@@ -1,5 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
+exit 0
|
||||
+
|
||||
set -e
|
||||
$NFT add table test-ip
|
||||
$NFT add counter test-ip traffic-counter
|
||||
diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0
|
||||
index 51ed0f2..043bb8f 100755
|
||||
--- a/tests/shell/testcases/sets/0036add_set_element_expiration_0
|
||||
+++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0
|
||||
@@ -1,5 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
+exit 0
|
||||
+
|
||||
set -e
|
||||
|
||||
RULESET="add table ip x
|
||||
diff --git a/tests/shell/testcases/transactions/0046set_0 b/tests/shell/testcases/transactions/0046set_0
|
||||
index 172e24d..1b24964 100755
|
||||
--- a/tests/shell/testcases/transactions/0046set_0
|
||||
+++ b/tests/shell/testcases/transactions/0046set_0
|
||||
@@ -1,5 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
+exit 0
|
||||
+
|
||||
RULESET='add table ip filter
|
||||
add chain ip filter group_7933
|
||||
add map ip filter group_7933 { type ipv4_addr : classid; flags interval; }
|
||||
--
|
||||
1.8.3.1
|
||||
|
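Review bot: The shell testcases disabled here (listing/0013objects_0, nft-f/0017ct_timeout_obj_0, nft-f/0018ct_expectation_obj_0, optionals/update_object_handles_0, sets/0036add_set_element_expiration_0, transactions/0046set_0) get a bare `exit 0` right after the shebang, so the suite will presumably report them as passed rather than skipped, and nothing in the script says why. A comment on the line above, for example `# Disabled on RHEL8: kernel lacks ct timeout objects (rhbz#1919203)`, would keep the reason next to the short-circuit and make the test easy to find again once the kernel gains the feature. The .t files are also disabled in three different ways: `- ` with a space in any/meta.t, bridge/meta.t, inet/osf.t, inet/socket.t and ip6/sets.t, `-` without a space in inet/synproxy.t, and `# ` in monitor/object.t and ip/objects.t. Using one marker throughout would make the disabled set greppable and lower the chance that coverage for one of these firewall features stays off unnoticed.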
@ -0,0 +1,41 @@
|
||||
From 1490609a3d82e494168a390b34094bacc5e83c02 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Tue, 18 May 2021 18:06:50 +0200
|
||||
Subject: [PATCH] monitor: Fix for use after free when printing map elements
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
|
||||
Upstream Status: nftables commit 02174ffad484d
|
||||
|
||||
commit 02174ffad484d9711678e5d415c32307efc39857
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu Jan 9 17:43:11 2020 +0100
|
||||
|
||||
monitor: Fix for use after free when printing map elements
|
||||
|
||||
When populating the dummy set, 'data' field must be cloned just like
|
||||
'key' field.
|
||||
|
||||
Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/monitor.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/monitor.c b/src/monitor.c
|
||||
index 7927b6f..142cc92 100644
|
||||
--- a/src/monitor.c
|
||||
+++ b/src/monitor.c
|
||||
@@ -401,7 +401,8 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
|
||||
*/
|
||||
dummyset = set_alloc(monh->loc);
|
||||
dummyset->key = expr_clone(set->key);
|
||||
- dummyset->data = set->data;
|
||||
+ if (set->data)
|
||||
+ dummyset->data = expr_clone(set->data);
|
||||
dummyset->flags = set->flags;
|
||||
dummyset->init = set_expr_alloc(monh->loc, set);
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
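Review bot: The guard added in netlink_events_setelem_cb leaves `dummyset->data` unassigned when `set->data` is NULL, which is only correct if set_alloc() returns a zeroed struct. That allocator is not visible in this hunk, so either confirm it or make the assignment unconditional with `dummyset->data = set->data ? expr_clone(set->data) : NULL;`. The ownership rule behind the fix is also not written down in the code. If, as the use-after-free suggests, tearing down dummyset releases its `data`, a comment above the two clones such as `/* dummyset is released separately from set, so key and data must be private copies */` would keep a later edit from reintroducing the shared pointer. The function body starts and ends outside the hunk.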
@ -0,0 +1,44 @@
|
||||
From 4ee4ed8d54a8b9f0f0a2b195b3b95b892e4e79a3 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Tue, 18 May 2021 18:06:50 +0200
|
||||
Subject: [PATCH] tests: monitor: use correct $nft value in EXIT trap
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
|
||||
Upstream Status: nftables commit 990cbbf75c40b
|
||||
|
||||
commit 990cbbf75c40b92e6d6dc66721dfbedf33cacf8f
|
||||
Author: Štěpán Němec <snemec@redhat.com>
|
||||
Date: Wed Jan 27 15:02:03 2021 +0100
|
||||
|
||||
tests: monitor: use correct $nft value in EXIT trap
|
||||
|
||||
With double quotes, $nft was being expanded to the default value even
|
||||
in presence of the -H option.
|
||||
|
||||
Signed-off-by: Štěpán Němec <snemec@redhat.com>
|
||||
Helped-by: Tomáš Doležal <todoleza@redhat.com>
|
||||
Acked-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
tests/monitor/run-tests.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
|
||||
index ffb833a..c1cacb4 100755
|
||||
--- a/tests/monitor/run-tests.sh
|
||||
+++ b/tests/monitor/run-tests.sh
|
||||
@@ -19,7 +19,7 @@ if [ ! -d $testdir ]; then
|
||||
echo "Failed to create test directory" >&2
|
||||
exit 1
|
||||
fi
|
||||
-trap "rm -rf $testdir; $nft flush ruleset" EXIT
|
||||
+trap 'rm -rf $testdir; $nft flush ruleset' EXIT
|
||||
|
||||
command_file=$(mktemp -p $testdir)
|
||||
output_file=$(mktemp -p $testdir)
|
||||
--
|
||||
1.8.3.1
|
||||
|
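Review bot: With single quotes the trap body is expanded when the EXIT trap fires, so in `rm -rf $testdir` the variable is unquoted at that moment: it is word-split and glob-expanded, and it uses whatever value `testdir` holds at exit rather than the one checked by the `-d` test above. Because this is a recursive delete, quoting the operand is cheap insurance: `trap 'rm -rf -- "$testdir"; $nft flush ruleset' EXIT`. `$nft` may need to stay unquoted if it can carry arguments, which the hunk does not show. How `testdir` is assigned is also outside the hunk.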
@ -0,0 +1,57 @@
|
||||
From 805fe6f5c9c8f2af78d8e94bd6b5c33724df3c80 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Tue, 18 May 2021 18:16:21 +0200
|
||||
Subject: [PATCH] evaluate: Reject quoted strings containing only wildcard
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1818117
|
||||
Upstream Status: nftables commit 032c9f745c6da
|
||||
|
||||
commit 032c9f745c6daab8c27176a95963b1c32b0a5d12
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu Sep 24 17:38:45 2020 +0200
|
||||
|
||||
evaluate: Reject quoted strings containing only wildcard
|
||||
|
||||
Fix for an assertion fail when trying to match against an all-wildcard
|
||||
interface name:
|
||||
|
||||
| % nft add rule t c iifname '"*"'
|
||||
| nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed.
|
||||
| zsh: abort nft add rule t c iifname '"*"'
|
||||
|
||||
Fix this by detecting the string in expr_evaluate_string() and returning
|
||||
an error message:
|
||||
|
||||
| % nft add rule t c iifname '"*"'
|
||||
| Error: All-wildcard strings are not supported
|
||||
| add rule t c iifname "*"
|
||||
| ^^^
|
||||
|
||||
While being at it, drop the 'datalen >= 1' clause from the following
|
||||
conditional as together with the added check for 'datalen == 0', all
|
||||
possible other values have been caught already.
|
||||
---
|
||||
src/evaluate.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/evaluate.c b/src/evaluate.c
|
||||
index a966ed4..0181750 100644
|
||||
--- a/src/evaluate.c
|
||||
+++ b/src/evaluate.c
|
||||
@@ -321,8 +321,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if (datalen >= 1 &&
|
||||
- data[datalen - 1] == '\\') {
|
||||
+ if (datalen == 0)
|
||||
+ return expr_error(ctx->msgs, expr,
|
||||
+ "All-wildcard strings are not supported");
|
||||
+
|
||||
+ if (data[datalen - 1] == '\\') {
|
||||
char unescaped_str[data_len];
|
||||
|
||||
memset(unescaped_str, 0, sizeof(unescaped_str));
|
||||
--
|
||||
1.8.3.1
|
||||
|
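Review bot: Dropping `datalen >= 1` from the backslash test in expr_evaluate_string is safe only because the new `datalen == 0` return comes first, and only if `datalen` can never be negative. Its declaration is outside the hunk, so confirm it is an unsigned type; otherwise `data[datalen - 1]` can index before the start of the buffer. The patch also adds no regression test even though the commit message gives an exact reproducer; a `;fail` line for `iifname "*"` in the tests/py suite would pin the new error path. The function body starts and ends outside the hunk.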
64
SOURCES/0046-src-Support-odd-sized-payload-matches.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From 64f34f34acedad6cce70f2dd91c82a814d4ffe34 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 19 May 2021 18:03:43 +0200
|
||||
Subject: [PATCH] src: Support odd-sized payload matches
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1934926
|
||||
Upstream Status: nftables commit 8a927c56d83ed
|
||||
|
||||
commit 8a927c56d83ed0f78785011bd92a53edc25a0ca0
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue Oct 27 17:05:25 2020 +0100
|
||||
|
||||
src: Support odd-sized payload matches
|
||||
|
||||
When expanding a payload match, don't disregard oversized templates at
|
||||
the right offset. A more flexible user may extract less bytes from the
|
||||
packet if only parts of a field are interesting, e.g. only the prefix of
|
||||
source/destination address. Support that by using the template, but fix
|
||||
the length. Later when creating a relational expression for it, detect
|
||||
the unusually small payload expression length and turn the RHS value
|
||||
into a prefix expression.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/netlink_delinearize.c | 6 ++++++
|
||||
src/payload.c | 5 +++++
|
||||
2 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
||||
index 88dbd5a..8bdee12 100644
|
||||
--- a/src/netlink_delinearize.c
|
||||
+++ b/src/netlink_delinearize.c
|
||||
@@ -1577,6 +1577,12 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
|
||||
tmp = constant_expr_splice(right, left->len);
|
||||
expr_set_type(tmp, left->dtype, left->byteorder);
|
||||
|
||||
+ if (left->payload.tmpl && (left->len < left->payload.tmpl->len)) {
|
||||
+ mpz_lshift_ui(tmp->value, left->payload.tmpl->len - left->len);
|
||||
+ tmp->len = left->payload.tmpl->len;
|
||||
+ tmp = prefix_expr_alloc(&tmp->location, tmp, left->len);
|
||||
+ }
|
||||
+
|
||||
nexpr = relational_expr_alloc(&expr->location, expr->op,
|
||||
left, tmp);
|
||||
if (expr->op == OP_EQ)
|
||||
diff --git a/src/payload.c b/src/payload.c
|
||||
index 3576400..45280ef 100644
|
||||
--- a/src/payload.c
|
||||
+++ b/src/payload.c
|
||||
@@ -746,6 +746,11 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
|
||||
expr->payload.offset += tmpl->len;
|
||||
if (expr->len == 0)
|
||||
return;
|
||||
+ } else if (expr->len > 0) {
|
||||
+ new = payload_expr_alloc(&expr->location, desc, i);
|
||||
+ new->len = expr->len;
|
||||
+ list_add_tail(&new->list, list);
|
||||
+ return;
|
||||
} else
|
||||
break;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
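Review bot: The block added to payload_match_expand left-shifts the constant, overwrites `tmp->len` and rewraps the value as a prefix, but the reason is given only in the commit message. A comment above the `if`, such as `/* payload is shorter than its template field: widen RHS to the field size and express the match as a prefix */`, would make the intent readable in place. The same applies to the new `else if (expr->len > 0)` branch in payload_expr_expand, which reuses a longer template and then overrides `new->len`; the condition of the preceding `if` is outside that hunk, so the branch is hard to judge without a comment saying which case it handles. The diffstat lists only the two source files, so the odd-sized match is not covered by a test in this patch.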
@ -0,0 +1,241 @@
|
||||
From 6fb6d8f15a82b3348184f6950a436becb06931cb Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 19 May 2021 18:03:43 +0200
|
||||
Subject: [PATCH] src: Optimize prefix matches on byte-boundaries
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1934926
|
||||
Upstream Status: nftables commit 25338cdb6c77a
|
||||
Conflicts: There is a hidden dependency on commit ee4391d0ac1e7 ("nat:
|
||||
transform range to prefix expression when possible").
|
||||
Backport only the single chunk required to keep prefix
|
||||
parsing intact to avoid having to backport 9599d9d25a6b3
|
||||
("src: NAT support for intervals in maps") as a dependency
|
||||
which is clearly oversized for the sake of this purpose.
|
||||
|
||||
commit 25338cdb6c77aa2f0977afbbb612571c9d325213
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue Oct 27 17:33:15 2020 +0100
|
||||
|
||||
src: Optimize prefix matches on byte-boundaries
|
||||
|
||||
If a prefix expression's length is on a byte-boundary, it is sufficient
|
||||
to just reduce the length passed to "cmp" expression. No need for
|
||||
explicit bitwise modification of data on LHS. The relevant code is
|
||||
already there, used for string prefix matches. There is one exception
|
||||
though, namely zero-length prefixes: Kernel doesn't accept zero-length
|
||||
"cmp" expressions, so keep them in the old code-path for now.
|
||||
|
||||
This patch depends upon the previous one to correctly parse odd-sized
|
||||
payload matches but has to extend support for non-payload LHS as well.
|
||||
In practice, this is needed for "ct" expressions as they allow matching
|
||||
against IP address prefixes, too.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/netlink_delinearize.c | 8 ++++++--
|
||||
src/netlink_linearize.c | 4 +++-
|
||||
tests/py/ip/ct.t.payload | 4 ----
|
||||
tests/py/ip/ip.t.payload | 6 ++----
|
||||
tests/py/ip/ip.t.payload.bridge | 6 ++----
|
||||
tests/py/ip/ip.t.payload.inet | 6 ++----
|
||||
tests/py/ip/ip.t.payload.netdev | 6 ++----
|
||||
tests/py/ip6/ip6.t.payload.inet | 5 ++---
|
||||
tests/py/ip6/ip6.t.payload.ip6 | 5 ++---
|
||||
9 files changed, 21 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
||||
index 8bdee12..157a473 100644
|
||||
--- a/src/netlink_delinearize.c
|
||||
+++ b/src/netlink_delinearize.c
|
||||
@@ -291,8 +291,9 @@ static void netlink_parse_cmp(struct netlink_parse_ctx *ctx,
|
||||
|
||||
if (left->len > right->len &&
|
||||
expr_basetype(left) != &string_type) {
|
||||
- netlink_error(ctx, loc, "Relational expression size mismatch");
|
||||
- goto err_free;
|
||||
+ mpz_lshift_ui(right->value, left->len - right->len);
|
||||
+ right = prefix_expr_alloc(loc, right, right->len);
|
||||
+ right->prefix->len = left->len;
|
||||
} else if (left->len > 0 && left->len < right->len) {
|
||||
expr_free(left);
|
||||
left = netlink_parse_concat_expr(ctx, loc, sreg, right->len);
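Review bot: In netlink_parse_cmp() the new branch replaces the "Relational expression size mismatch" error with a prefix reconstruction for every non-string case where `left->len > right->len`, and the code does not say why that is now a valid input. The three added statements are also order-dependent: `prefix_expr_alloc(loc, right, right->len)` has to read the short length before `right->prefix->len = left->len` widens the value. A comment above the branch would record both, for example `/* cmp shorter than LHS: byte-aligned prefix as emitted by netlink_gen_relational(); right->len is the prefix length here */`. It is worth confirming that a short cmp written by some other netlink client should be listed as a prefix rather than reported. The function continues outside the hunk.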
|
||||
@@ -2164,6 +2165,9 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
|
||||
expr_postprocess(ctx, &expr->left);
|
||||
expr_postprocess(ctx, &expr->right);
|
||||
break;
|
||||
+ case EXPR_PREFIX:
|
||||
+ expr_postprocess(ctx, &expr->prefix);
|
||||
+ break;
|
||||
case EXPR_SET_ELEM:
|
||||
expr_postprocess(ctx, &expr->key);
|
||||
break;
|
||||
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
|
||||
index 606d97a..25be634 100644
|
||||
--- a/src/netlink_linearize.c
|
||||
+++ b/src/netlink_linearize.c
|
||||
@@ -501,7 +501,9 @@ static void netlink_gen_relational(struct netlink_linearize_ctx *ctx,
|
||||
return netlink_gen_flagcmp(ctx, expr, dreg);
|
||||
case EXPR_PREFIX:
|
||||
sreg = get_register(ctx, expr->left);
|
||||
- if (expr_basetype(expr->left)->type != TYPE_STRING) {
|
||||
+ if (expr_basetype(expr->left)->type != TYPE_STRING &&
|
||||
+ (!expr->right->prefix_len ||
|
||||
+ expr->right->prefix_len % BITS_PER_BYTE)) {
|
||||
len = div_round_up(expr->right->len, BITS_PER_BYTE);
|
||||
netlink_gen_expr(ctx, expr->left, sreg);
|
||||
right = netlink_gen_prefix(ctx, expr, sreg);
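Review bot: The widened condition in the `EXPR_PREFIX` case keeps zero-length prefixes on the bitwise path through `!expr->right->prefix_len`, but the reason is stated only in the commit message (the kernel does not accept zero-length "cmp" expressions). A one-line comment would stop a later cleanup from dropping that clause, e.g. `/* kernel rejects zero-length cmp: /0 and non-byte-aligned prefixes keep the bitwise mask */`. The branch that shortens the cmp length lies outside this hunk, so how it derives the length cannot be checked from here.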
|
||||
diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
|
||||
index d5faed4..a7e08f9 100644
|
||||
--- a/tests/py/ip/ct.t.payload
|
||||
+++ b/tests/py/ip/ct.t.payload
|
||||
@@ -21,25 +21,21 @@ ip test-ip4 output
|
||||
# ct original ip saddr 192.168.1.0/24
|
||||
ip test-ip4 output
|
||||
[ ct load src_ip => reg 1 , dir original ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
[ cmp eq reg 1 0x0001a8c0 ]
|
||||
|
||||
# ct reply ip saddr 192.168.1.0/24
|
||||
ip test-ip4 output
|
||||
[ ct load src_ip => reg 1 , dir reply ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
[ cmp eq reg 1 0x0001a8c0 ]
|
||||
|
||||
# ct original ip daddr 192.168.1.0/24
|
||||
ip test-ip4 output
|
||||
[ ct load dst_ip => reg 1 , dir original ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
[ cmp eq reg 1 0x0001a8c0 ]
|
||||
|
||||
# ct reply ip daddr 192.168.1.0/24
|
||||
ip test-ip4 output
|
||||
[ ct load dst_ip => reg 1 , dir reply ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
[ cmp eq reg 1 0x0001a8c0 ]
|
||||
|
||||
# ct l3proto ipv4
|
||||
diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
|
||||
index d627b22..825c0f0 100644
|
||||
--- a/tests/py/ip/ip.t.payload
|
||||
+++ b/tests/py/ip/ip.t.payload
|
||||
@@ -358,14 +358,12 @@ ip test-ip4 input
|
||||
|
||||
# ip saddr 192.168.2.0/24
|
||||
ip test-ip4 input
|
||||
- [ payload load 4b @ network header + 12 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
+ [ payload load 3b @ network header + 12 => reg 1 ]
|
||||
[ cmp eq reg 1 0x0002a8c0 ]
|
||||
|
||||
# ip saddr != 192.168.2.0/24
|
||||
ip test-ip4 input
|
||||
- [ payload load 4b @ network header + 12 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
+ [ payload load 3b @ network header + 12 => reg 1 ]
|
||||
[ cmp neq reg 1 0x0002a8c0 ]
|
||||
|
||||
# ip saddr 192.168.3.1 ip daddr 192.168.3.100
|
||||
diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge
|
||||
index 91a4fde..e958a5b 100644
|
||||
--- a/tests/py/ip/ip.t.payload.bridge
|
||||
+++ b/tests/py/ip/ip.t.payload.bridge
|
||||
@@ -466,16 +466,14 @@ bridge test-bridge input
|
||||
bridge test-bridge input
|
||||
[ meta load protocol => reg 1 ]
|
||||
[ cmp eq reg 1 0x00000008 ]
|
||||
- [ payload load 4b @ network header + 12 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
+ [ payload load 3b @ network header + 12 => reg 1 ]
|
||||
[ cmp eq reg 1 0x0002a8c0 ]
|
||||
|
||||
# ip saddr != 192.168.2.0/24
|
||||
bridge test-bridge input
|
||||
[ meta load protocol => reg 1 ]
|
||||
[ cmp eq reg 1 0x00000008 ]
|
||||
- [ payload load 4b @ network header + 12 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
+ [ payload load 3b @ network header + 12 => reg 1 ]
|
||||
[ cmp neq reg 1 0x0002a8c0 ]
|
||||
|
||||
# ip saddr 192.168.3.1 ip daddr 192.168.3.100
|
||||
diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet
|
||||
index b9cb28a..6501473 100644
|
||||
--- a/tests/py/ip/ip.t.payload.inet
|
||||
+++ b/tests/py/ip/ip.t.payload.inet
|
||||
@@ -466,16 +466,14 @@ inet test-inet input
|
||||
inet test-inet input
|
||||
[ meta load nfproto => reg 1 ]
|
||||
[ cmp eq reg 1 0x00000002 ]
|
||||
- [ payload load 4b @ network header + 12 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
+ [ payload load 3b @ network header + 12 => reg 1 ]
|
||||
[ cmp eq reg 1 0x0002a8c0 ]
|
||||
|
||||
# ip saddr != 192.168.2.0/24
|
||||
inet test-inet input
|
||||
[ meta load nfproto => reg 1 ]
|
||||
[ cmp eq reg 1 0x00000002 ]
|
||||
- [ payload load 4b @ network header + 12 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
+ [ payload load 3b @ network header + 12 => reg 1 ]
|
||||
[ cmp neq reg 1 0x0002a8c0 ]
|
||||
|
||||
# ip saddr 192.168.3.1 ip daddr 192.168.3.100
|
||||
diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev
|
||||
index 588e5ca..58ae358 100644
|
||||
--- a/tests/py/ip/ip.t.payload.netdev
|
||||
+++ b/tests/py/ip/ip.t.payload.netdev
|
||||
@@ -379,16 +379,14 @@ netdev test-netdev ingress
|
||||
netdev test-netdev ingress
|
||||
[ meta load protocol => reg 1 ]
|
||||
[ cmp eq reg 1 0x00000008 ]
|
||||
- [ payload load 4b @ network header + 12 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
+ [ payload load 3b @ network header + 12 => reg 1 ]
|
||||
[ cmp eq reg 1 0x0002a8c0 ]
|
||||
|
||||
# ip saddr != 192.168.2.0/24
|
||||
netdev test-netdev ingress
|
||||
[ meta load protocol => reg 1 ]
|
||||
[ cmp eq reg 1 0x00000008 ]
|
||||
- [ payload load 4b @ network header + 12 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
|
||||
+ [ payload load 3b @ network header + 12 => reg 1 ]
|
||||
[ cmp neq reg 1 0x0002a8c0 ]
|
||||
|
||||
# ip saddr 192.168.3.1 ip daddr 192.168.3.100
|
||||
diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet
|
||||
index d015c8e..ffc9b9f 100644
|
||||
--- a/tests/py/ip6/ip6.t.payload.inet
|
||||
+++ b/tests/py/ip6/ip6.t.payload.inet
|
||||
@@ -604,9 +604,8 @@ inet test-inet input
|
||||
inet test-inet input
|
||||
[ meta load nfproto => reg 1 ]
|
||||
[ cmp eq reg 1 0x0000000a ]
|
||||
- [ payload load 16b @ network header + 8 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
|
||||
- [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
|
||||
+ [ payload load 8b @ network header + 8 => reg 1 ]
|
||||
+ [ cmp eq reg 1 0x00000000 0x00000000 ]
|
||||
|
||||
# ip6 saddr ::1 ip6 daddr ::2
|
||||
inet test-inet input
|
||||
diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6
|
||||
index b2e8363..18b8bcb 100644
|
||||
--- a/tests/py/ip6/ip6.t.payload.ip6
|
||||
+++ b/tests/py/ip6/ip6.t.payload.ip6
|
||||
@@ -452,9 +452,8 @@ ip6 test-ip6 input
|
||||
|
||||
# ip6 saddr ::/64
|
||||
ip6 test-ip6 input
|
||||
- [ payload load 16b @ network header + 8 => reg 1 ]
|
||||
- [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
|
||||
- [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
|
||||
+ [ payload load 8b @ network header + 8 => reg 1 ]
|
||||
+ [ cmp eq reg 1 0x00000000 0x00000000 ]
|
||||
|
||||
# ip6 saddr ::1 ip6 daddr ::2
|
||||
ip6 test-ip6 input
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,9 +1,9 @@
|
||||
%define rpmversion 0.9.3
|
||||
%define specrelease 18%{?dist}
|
||||
%define specrelease 20
|
||||
|
||||
Name: nftables
|
||||
Version: %{rpmversion}
|
||||
Release: %{specrelease}%{?buildid}
|
||||
Release: %{specrelease}%{?dist}%{?buildid}
|
||||
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
|
||||
Epoch: 1
|
||||
Summary: Netfilter Tables userspace utillites
|
||||
@ -58,6 +58,12 @@ Patch38: 0038-json-echo-Speedup-seqnum_to_json.patch
|
||||
Patch39: 0039-json-Fix-seqnum_to_json-functionality.patch
|
||||
Patch40: 0040-json-don-t-leave-dangling-pointers-on-hlist.patch
|
||||
Patch41: 0041-json-init-parser-state-for-every-new-buffer-file.patch
|
||||
Patch42: 0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch
|
||||
Patch43: 0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch
|
||||
Patch44: 0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch
|
||||
Patch45: 0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch
|
||||
Patch46: 0046-src-Support-odd-sized-payload-matches.patch
|
||||
Patch47: 0047-src-Optimize-prefix-matches-on-byte-boundaries.patch
|
||||
|
||||
BuildRequires: autogen
|
||||
BuildRequires: autoconf
|
||||
@ -174,6 +180,18 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
|
||||
%{python3_sitelib}/nftables/
|
||||
|
||||
%changelog
|
||||
* Thu May 20 2021 Phil Sutter <psutter@redhat.com> [0.9.3-20.el8]
|
||||
- src: Optimize prefix matches on byte-boundaries (Phil Sutter) [1934926]
|
||||
- src: Support odd-sized payload matches (Phil Sutter) [1934926]
|
||||
- spec: Add an rpminspect.yaml file to steer rpminspect (Phil Sutter) [1962184]
|
||||
- spec: Explicitly state dist string in Release tag (Phil Sutter) [1962184]
|
||||
|
||||
* Wed May 19 2021 Phil Sutter <psutter@redhat.com> [0.9.3-19.el8]
|
||||
- evaluate: Reject quoted strings containing only wildcard (Phil Sutter) [1818117]
|
||||
- tests: monitor: use correct $nft value in EXIT trap (Phil Sutter) [1919203]
|
||||
- monitor: Fix for use after free when printing map elements (Phil Sutter) [1919203]
|
||||
- tests: Disable tests known to fail on RHEL8 (Phil Sutter) [1919203]
|
||||
|
||||
* Sat Feb 20 2021 Phil Sutter <psutter@redhat.com> [0.9.3-18.el8]
|
||||
- json: init parser state for every new buffer/file (Phil Sutter) [1930873]
|
||||
|
||||
|