import RHEL 10 Beta nftables-1.0.9-4.el10
This commit is contained in:
parent
03c344530e
commit
3e9fc74dc2
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/nftables-1.0.4.tar.bz2
|
nftables-1.0.9.tar.xz
|
||||||
|
@ -1 +0,0 @@
|
|||||||
e2e8b324cece1409a311284ff4fe26c3a5554809 SOURCES/nftables-1.0.4.tar.bz2
|
|
@ -1,97 +0,0 @@
|
|||||||
From c994f1d2a31a2b03557b3eb1c8c2de34b97edce1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Fri, 24 Jun 2022 16:02:59 +0200
|
|
||||||
Subject: [PATCH] tests: shell: runtime set element automerge
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 8fafe4e6b5b30
|
|
||||||
|
|
||||||
commit 8fafe4e6b5b30f2539f16403da8d5c5f819e523b
|
|
||||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Date: Mon Jun 13 17:05:22 2022 +0200
|
|
||||||
|
|
||||||
tests: shell: runtime set element automerge
|
|
||||||
|
|
||||||
Add a test to cover runtime set element automerge.
|
|
||||||
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
tests/shell/testcases/sets/automerge_0 | 64 ++++++++++++++++++++++++++
|
|
||||||
1 file changed, 64 insertions(+)
|
|
||||||
create mode 100755 tests/shell/testcases/sets/automerge_0
|
|
||||||
|
|
||||||
diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..c9fb609
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/automerge_0
|
|
||||||
@@ -0,0 +1,64 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+
|
|
||||||
+RULESET="table inet x {
|
|
||||||
+ set y {
|
|
||||||
+ type inet_service
|
|
||||||
+ flags interval
|
|
||||||
+ auto-merge
|
|
||||||
+ }
|
|
||||||
+}"
|
|
||||||
+
|
|
||||||
+$NFT -f - <<< $RULESET
|
|
||||||
+
|
|
||||||
+tmpfile=$(mktemp)
|
|
||||||
+echo -n "add element inet x y { " > $tmpfile
|
|
||||||
+for ((i=0;i<65535;i+=2))
|
|
||||||
+do
|
|
||||||
+ echo -n "$i, " >> $tmpfile
|
|
||||||
+ if [ $i -eq 65534 ]
|
|
||||||
+ then
|
|
||||||
+ echo -n "$i" >> $tmpfile
|
|
||||||
+ fi
|
|
||||||
+done
|
|
||||||
+echo "}" >> $tmpfile
|
|
||||||
+
|
|
||||||
+$NFT -f $tmpfile
|
|
||||||
+
|
|
||||||
+tmpfile2=$(mktemp)
|
|
||||||
+for ((i=1;i<65535;i+=2))
|
|
||||||
+do
|
|
||||||
+ echo "$i" >> $tmpfile2
|
|
||||||
+done
|
|
||||||
+
|
|
||||||
+tmpfile3=$(mktemp)
|
|
||||||
+shuf $tmpfile2 > $tmpfile3
|
|
||||||
+i=0
|
|
||||||
+cat $tmpfile3 | while read line && [ $i -lt 10 ]
|
|
||||||
+do
|
|
||||||
+ $NFT add element inet x y { $line }
|
|
||||||
+ i=$((i+1))
|
|
||||||
+done
|
|
||||||
+
|
|
||||||
+for ((i=0;i<10;i++))
|
|
||||||
+do
|
|
||||||
+ from=$(($RANDOM%65535))
|
|
||||||
+ to=$(($from+100))
|
|
||||||
+ $NFT add element inet x y { $from-$to }
|
|
||||||
+ if [ $? -ne 0 ]
|
|
||||||
+ then
|
|
||||||
+ echo "failed to add $from-$to"
|
|
||||||
+ exit 1
|
|
||||||
+ fi
|
|
||||||
+ $NFT get element inet x y { $from-$to }
|
|
||||||
+ if [ $? -ne 0 ]
|
|
||||||
+ then
|
|
||||||
+ echo "failed to get $from-$to"
|
|
||||||
+ exit 1
|
|
||||||
+ fi
|
|
||||||
+done
|
|
||||||
+
|
|
||||||
+rm -f $tmpfile
|
|
||||||
+rm -f $tmpfile2
|
|
||||||
+rm -f $tmpfile3
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,236 +0,0 @@
|
|||||||
From 33792b491be79cb50d163c4ecc553f1258b82159 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Fri, 24 Jun 2022 16:02:59 +0200
|
|
||||||
Subject: [PATCH] rule: collapse set element commands
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 498a5f0c219d8
|
|
||||||
|
|
||||||
commit 498a5f0c219d8a118af4f172f248647d9b077101
|
|
||||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Date: Mon Jun 13 17:22:44 2022 +0200
|
|
||||||
|
|
||||||
rule: collapse set element commands
|
|
||||||
|
|
||||||
Robots might generate a long list of singleton element commands such as:
|
|
||||||
|
|
||||||
add element t s { 1.0.1.0/24 }
|
|
||||||
...
|
|
||||||
add element t s { 1.0.2.0/23 }
|
|
||||||
|
|
||||||
collapse them into one single command before the evaluation step, ie.
|
|
||||||
|
|
||||||
add element t s { 1.0.1.0/24, ..., 1.0.2.0/23 }
|
|
||||||
|
|
||||||
this speeds up overlap detection and set element automerge operations in
|
|
||||||
this worst case scenario.
|
|
||||||
|
|
||||||
Since 3da9643fb9ff9 ("intervals: add support to automerge with kernel
|
|
||||||
elements"), the new interval tracking relies on mergesort. The pattern
|
|
||||||
above triggers the set sorting for each element.
|
|
||||||
|
|
||||||
This patch adds a list to cmd objects that store collapsed commands.
|
|
||||||
Moreover, expressions also contain a reference to the original command,
|
|
||||||
to uncollapse the commands after the evaluation step.
|
|
||||||
|
|
||||||
These commands are uncollapsed after the evaluation step to ensure error
|
|
||||||
reporting works as expected (command and netlink message are mapped
|
|
||||||
1:1).
|
|
||||||
|
|
||||||
For the record:
|
|
||||||
|
|
||||||
- nftables versions <= 1.0.2 did not perform any kind of overlap
|
|
||||||
check for the described scenario above (because set cache only contained
|
|
||||||
elements in the kernel in this case). This is a problem for kernels < 5.7
|
|
||||||
which rely on userspace to detect overlaps.
|
|
||||||
|
|
||||||
- the overlap detection could be skipped for kernels >= 5.7.
|
|
||||||
|
|
||||||
- The extended netlink error reporting available for set elements
|
|
||||||
since 5.19-rc might allow to remove the uncollapse step, in this case,
|
|
||||||
error reporting does not rely on the netlink sequence to refer to the
|
|
||||||
command triggering the problem.
|
|
||||||
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
include/expression.h | 1 +
|
|
||||||
include/rule.h | 3 ++
|
|
||||||
src/libnftables.c | 17 ++++++++--
|
|
||||||
src/rule.c | 75 ++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
4 files changed, 93 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/expression.h b/include/expression.h
|
|
||||||
index 2c3818e..53194c9 100644
|
|
||||||
--- a/include/expression.h
|
|
||||||
+++ b/include/expression.h
|
|
||||||
@@ -243,6 +243,7 @@ struct expr {
|
|
||||||
enum expr_types etype:8;
|
|
||||||
enum ops op:8;
|
|
||||||
unsigned int len;
|
|
||||||
+ struct cmd *cmd;
|
|
||||||
|
|
||||||
union {
|
|
||||||
struct {
|
|
||||||
diff --git a/include/rule.h b/include/rule.h
|
|
||||||
index e232b97..9081225 100644
|
|
||||||
--- a/include/rule.h
|
|
||||||
+++ b/include/rule.h
|
|
||||||
@@ -700,6 +700,7 @@ struct cmd {
|
|
||||||
enum cmd_obj obj;
|
|
||||||
struct handle handle;
|
|
||||||
uint32_t seqnum;
|
|
||||||
+ struct list_head collapse_list;
|
|
||||||
union {
|
|
||||||
void *data;
|
|
||||||
struct expr *expr;
|
|
||||||
@@ -728,6 +729,8 @@ extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
|
|
||||||
const struct handle *h, const struct location *loc,
|
|
||||||
void *data);
|
|
||||||
extern void nft_cmd_expand(struct cmd *cmd);
|
|
||||||
+extern bool nft_cmd_collapse(struct list_head *cmds);
|
|
||||||
+extern void nft_cmd_uncollapse(struct list_head *cmds);
|
|
||||||
extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
|
|
||||||
const struct handle *h,
|
|
||||||
const struct location *loc, struct obj *obj);
|
|
||||||
diff --git a/src/libnftables.c b/src/libnftables.c
|
|
||||||
index 6a22ea0..aac682b 100644
|
|
||||||
--- a/src/libnftables.c
|
|
||||||
+++ b/src/libnftables.c
|
|
||||||
@@ -501,7 +501,9 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
|
|
||||||
{
|
|
||||||
struct nft_cache_filter *filter;
|
|
||||||
struct cmd *cmd, *next;
|
|
||||||
+ bool collapsed = false;
|
|
||||||
unsigned int flags;
|
|
||||||
+ int err = 0;
|
|
||||||
|
|
||||||
filter = nft_cache_filter_init();
|
|
||||||
flags = nft_cache_evaluate(nft, cmds, filter);
|
|
||||||
@@ -512,17 +514,26 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
|
|
||||||
|
|
||||||
nft_cache_filter_fini(filter);
|
|
||||||
|
|
||||||
+ if (nft_cmd_collapse(cmds))
|
|
||||||
+ collapsed = true;
|
|
||||||
+
|
|
||||||
list_for_each_entry_safe(cmd, next, cmds, list) {
|
|
||||||
struct eval_ctx ectx = {
|
|
||||||
.nft = nft,
|
|
||||||
.msgs = msgs,
|
|
||||||
};
|
|
||||||
+
|
|
||||||
if (cmd_evaluate(&ectx, cmd) < 0 &&
|
|
||||||
- ++nft->state->nerrs == nft->parser_max_errors)
|
|
||||||
- return -1;
|
|
||||||
+ ++nft->state->nerrs == nft->parser_max_errors) {
|
|
||||||
+ err = -1;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (nft->state->nerrs)
|
|
||||||
+ if (collapsed)
|
|
||||||
+ nft_cmd_uncollapse(cmds);
|
|
||||||
+
|
|
||||||
+ if (err < 0 || nft->state->nerrs)
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
list_for_each_entry(cmd, cmds, list) {
|
|
||||||
diff --git a/src/rule.c b/src/rule.c
|
|
||||||
index 7f61bdc..0526a14 100644
|
|
||||||
--- a/src/rule.c
|
|
||||||
+++ b/src/rule.c
|
|
||||||
@@ -1279,6 +1279,8 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
|
|
||||||
cmd->handle = *h;
|
|
||||||
cmd->location = *loc;
|
|
||||||
cmd->data = data;
|
|
||||||
+ init_list_head(&cmd->collapse_list);
|
|
||||||
+
|
|
||||||
return cmd;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1379,6 +1381,79 @@ void nft_cmd_expand(struct cmd *cmd)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+bool nft_cmd_collapse(struct list_head *cmds)
|
|
||||||
+{
|
|
||||||
+ struct cmd *cmd, *next, *elems = NULL;
|
|
||||||
+ struct expr *expr, *enext;
|
|
||||||
+ bool collapse = false;
|
|
||||||
+
|
|
||||||
+ list_for_each_entry_safe(cmd, next, cmds, list) {
|
|
||||||
+ if (cmd->op != CMD_ADD &&
|
|
||||||
+ cmd->op != CMD_CREATE) {
|
|
||||||
+ elems = NULL;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (cmd->obj != CMD_OBJ_ELEMENTS) {
|
|
||||||
+ elems = NULL;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!elems) {
|
|
||||||
+ elems = cmd;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (cmd->op != elems->op) {
|
|
||||||
+ elems = cmd;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
|
|
||||||
+ strcmp(elems->handle.set.name, cmd->handle.set.name)) {
|
|
||||||
+ elems = cmd;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ collapse = true;
|
|
||||||
+ list_for_each_entry_safe(expr, enext, &cmd->expr->expressions, list) {
|
|
||||||
+ expr->cmd = cmd;
|
|
||||||
+ list_move_tail(&expr->list, &elems->expr->expressions);
|
|
||||||
+ }
|
|
||||||
+ elems->expr->size += cmd->expr->size;
|
|
||||||
+ list_move_tail(&cmd->list, &elems->collapse_list);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return collapse;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void nft_cmd_uncollapse(struct list_head *cmds)
|
|
||||||
+{
|
|
||||||
+ struct cmd *cmd, *cmd_next, *collapse_cmd, *collapse_cmd_next;
|
|
||||||
+ struct expr *expr, *next;
|
|
||||||
+
|
|
||||||
+ list_for_each_entry_safe(cmd, cmd_next, cmds, list) {
|
|
||||||
+ if (list_empty(&cmd->collapse_list))
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ assert(cmd->obj == CMD_OBJ_ELEMENTS);
|
|
||||||
+
|
|
||||||
+ list_for_each_entry_safe(expr, next, &cmd->expr->expressions, list) {
|
|
||||||
+ if (!expr->cmd)
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ list_move_tail(&expr->list, &expr->cmd->expr->expressions);
|
|
||||||
+ cmd->expr->size--;
|
|
||||||
+ expr->cmd = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ list_for_each_entry_safe(collapse_cmd, collapse_cmd_next, &cmd->collapse_list, list) {
|
|
||||||
+ collapse_cmd->elem.set = set_get(cmd->elem.set);
|
|
||||||
+ list_add(&collapse_cmd->list, &cmd->list);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
struct markup *markup_alloc(uint32_t format)
|
|
||||||
{
|
|
||||||
struct markup *markup;
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,84 +0,0 @@
|
|||||||
From af9045e2f2029b6573db32bd15ab861d797b86a6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Fri, 24 Jun 2022 16:02:59 +0200
|
|
||||||
Subject: [PATCH] intervals: do not report exact overlaps for new elements
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 87ba510fc704f
|
|
||||||
|
|
||||||
commit 87ba510fc704f766b5417d3bfc326e8ab9378c2a
|
|
||||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Date: Mon Jun 13 17:22:47 2022 +0200
|
|
||||||
|
|
||||||
intervals: do not report exact overlaps for new elements
|
|
||||||
|
|
||||||
Two new elements that represent an exact overlap should not trigger an error.
|
|
||||||
|
|
||||||
add table t
|
|
||||||
add set t s { type ipv4_addr; flags interval; }
|
|
||||||
add element t s { 1.0.1.0/24 }
|
|
||||||
...
|
|
||||||
add element t s { 1.0.1.0/24 }
|
|
||||||
|
|
||||||
result in a bogus error.
|
|
||||||
|
|
||||||
# nft -f set.nft
|
|
||||||
set.nft:1002:19-28: Error: conflicting intervals specified
|
|
||||||
add element t s { 1.0.1.0/24 }
|
|
||||||
^^^^^^^^^^
|
|
||||||
|
|
||||||
Fixes: 3da9643fb9ff ("intervals: add support to automerge with kernel elements")
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/intervals.c | 3 +--
|
|
||||||
tests/shell/testcases/sets/exact_overlap_0 | 22 ++++++++++++++++++++++
|
|
||||||
2 files changed, 23 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100755 tests/shell/testcases/sets/exact_overlap_0
|
|
||||||
|
|
||||||
diff --git a/src/intervals.c b/src/intervals.c
|
|
||||||
index bc414d6..89f5c33 100644
|
|
||||||
--- a/src/intervals.c
|
|
||||||
+++ b/src/intervals.c
|
|
||||||
@@ -540,8 +540,7 @@ static int setelem_overlap(struct list_head *msgs, struct set *set,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (mpz_cmp(prev_range.low, range.low) == 0 &&
|
|
||||||
- mpz_cmp(prev_range.high, range.high) == 0 &&
|
|
||||||
- (elem->flags & EXPR_F_KERNEL || prev->flags & EXPR_F_KERNEL))
|
|
||||||
+ mpz_cmp(prev_range.high, range.high) == 0)
|
|
||||||
goto next;
|
|
||||||
|
|
||||||
if (mpz_cmp(prev_range.low, range.low) <= 0 &&
|
|
||||||
diff --git a/tests/shell/testcases/sets/exact_overlap_0 b/tests/shell/testcases/sets/exact_overlap_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..1ce9304
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/exact_overlap_0
|
|
||||||
@@ -0,0 +1,22 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+RULESET="add table t
|
|
||||||
+add set t s { type ipv4_addr; flags interval; }
|
|
||||||
+add element t s { 1.0.1.0/24 }
|
|
||||||
+add element t s { 1.0.2.0/23 }
|
|
||||||
+add element t s { 1.0.8.0/21 }
|
|
||||||
+add element t s { 1.0.32.0/19 }
|
|
||||||
+add element t s { 1.1.0.0/24 }
|
|
||||||
+add element t s { 1.1.2.0/23 }
|
|
||||||
+add element t s { 1.1.4.0/22 }
|
|
||||||
+add element t s { 1.1.8.0/24 }
|
|
||||||
+add element t s { 1.1.9.0/24 }
|
|
||||||
+add element t s { 1.1.10.0/23 }
|
|
||||||
+add element t s { 1.1.12.0/22 }
|
|
||||||
+add element t s { 1.1.16.0/20 }
|
|
||||||
+add element t s { 1.1.32.0/19 }
|
|
||||||
+add element t s { 1.0.1.0/24 }"
|
|
||||||
+
|
|
||||||
+$NFT -f - <<< $RULESET || exit 1
|
|
||||||
+
|
|
||||||
+$NFT add element t s { 1.0.1.0/24 }
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
From cfb1670ece6414c3d2aad5dd7df572b0cc07acd5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Fri, 24 Jun 2022 16:02:59 +0200
|
|
||||||
Subject: [PATCH] intervals: do not empty cache for maps
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit d434de8b50dcf
|
|
||||||
|
|
||||||
commit d434de8b50dcf3f5f4ca027e122a7df9d4e5d8e1
|
|
||||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Date: Thu Jun 16 10:53:56 2022 +0200
|
|
||||||
|
|
||||||
intervals: do not empty cache for maps
|
|
||||||
|
|
||||||
Translate set element to range and sort in maps for the NFT_SET_MAP
|
|
||||||
case, which does not support for automerge yet.
|
|
||||||
|
|
||||||
Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge")
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/intervals.c | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/intervals.c b/src/intervals.c
|
|
||||||
index 89f5c33..e203413 100644
|
|
||||||
--- a/src/intervals.c
|
|
||||||
+++ b/src/intervals.c
|
|
||||||
@@ -216,6 +216,12 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set,
|
|
||||||
struct cmd *purge_cmd;
|
|
||||||
struct handle h = {};
|
|
||||||
|
|
||||||
+ if (set->flags & NFT_SET_MAP) {
|
|
||||||
+ set_to_range(init);
|
|
||||||
+ list_expr_sort(&init->expressions);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (existing_set) {
|
|
||||||
if (existing_set->init) {
|
|
||||||
list_splice_init(&existing_set->init->expressions,
|
|
||||||
@@ -229,9 +235,6 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set,
|
|
||||||
set_to_range(init);
|
|
||||||
list_expr_sort(&init->expressions);
|
|
||||||
|
|
||||||
- if (set->flags & NFT_SET_MAP)
|
|
||||||
- return 0;
|
|
||||||
-
|
|
||||||
ctx.purge = set_expr_alloc(&internal_location, set);
|
|
||||||
|
|
||||||
setelem_automerge(&ctx);
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,139 +0,0 @@
|
|||||||
From 5c5128094c75a184e54e82f2ad43c67423184c3e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Fri, 24 Jun 2022 16:02:59 +0200
|
|
||||||
Subject: [PATCH] intervals: Do not sort cached set elements over and over
|
|
||||||
again
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 59e3a59221fb8
|
|
||||||
|
|
||||||
commit 59e3a59221fb81c289a0868a85140dd452fb1c30
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Thu Jun 16 10:56:12 2022 +0200
|
|
||||||
|
|
||||||
intervals: Do not sort cached set elements over and over again
|
|
||||||
|
|
||||||
When adding element(s) to a non-empty set, code merged the two lists and
|
|
||||||
sorted the result. With many individual 'add element' commands this
|
|
||||||
causes substantial overhead. Make use of the fact that
|
|
||||||
existing_set->init is sorted already, sort only the list of new elements
|
|
||||||
and use list_splice_sorted() to merge the two sorted lists.
|
|
||||||
|
|
||||||
Add set_sort_splice() and use it for set element overlap detection and
|
|
||||||
automerge.
|
|
||||||
|
|
||||||
A test case adding ~25k elements in individual commands completes in
|
|
||||||
about 1/4th of the time with this patch applied.
|
|
||||||
|
|
||||||
Joint work with Pablo.
|
|
||||||
|
|
||||||
Fixes: 3da9643fb9ff9 ("intervals: add support to automerge with kernel elements")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
include/expression.h | 1 +
|
|
||||||
src/intervals.c | 46 +++++++++++++++++++++-----------------------
|
|
||||||
src/mergesort.c | 2 +-
|
|
||||||
3 files changed, 24 insertions(+), 25 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/expression.h b/include/expression.h
|
|
||||||
index 53194c9..cf7319b 100644
|
|
||||||
--- a/include/expression.h
|
|
||||||
+++ b/include/expression.h
|
|
||||||
@@ -481,6 +481,7 @@ extern struct expr *compound_expr_alloc(const struct location *loc,
|
|
||||||
extern void compound_expr_add(struct expr *compound, struct expr *expr);
|
|
||||||
extern void compound_expr_remove(struct expr *compound, struct expr *expr);
|
|
||||||
extern void list_expr_sort(struct list_head *head);
|
|
||||||
+extern void list_splice_sorted(struct list_head *list, struct list_head *head);
|
|
||||||
|
|
||||||
extern struct expr *concat_expr_alloc(const struct location *loc);
|
|
||||||
|
|
||||||
diff --git a/src/intervals.c b/src/intervals.c
|
|
||||||
index e203413..dcc06d1 100644
|
|
||||||
--- a/src/intervals.c
|
|
||||||
+++ b/src/intervals.c
|
|
||||||
@@ -118,6 +118,26 @@ static bool merge_ranges(struct set_automerge_ctx *ctx,
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void set_sort_splice(struct expr *init, struct set *set)
|
|
||||||
+{
|
|
||||||
+ struct set *existing_set = set->existing_set;
|
|
||||||
+
|
|
||||||
+ set_to_range(init);
|
|
||||||
+ list_expr_sort(&init->expressions);
|
|
||||||
+
|
|
||||||
+ if (!existing_set)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ if (existing_set->init) {
|
|
||||||
+ set_to_range(existing_set->init);
|
|
||||||
+ list_splice_sorted(&existing_set->init->expressions,
|
|
||||||
+ &init->expressions);
|
|
||||||
+ init_list_head(&existing_set->init->expressions);
|
|
||||||
+ } else {
|
|
||||||
+ existing_set->init = set_expr_alloc(&internal_location, set);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void setelem_automerge(struct set_automerge_ctx *ctx)
|
|
||||||
{
|
|
||||||
struct expr *i, *next, *prev = NULL;
|
|
||||||
@@ -222,18 +242,7 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (existing_set) {
|
|
||||||
- if (existing_set->init) {
|
|
||||||
- list_splice_init(&existing_set->init->expressions,
|
|
||||||
- &init->expressions);
|
|
||||||
- } else {
|
|
||||||
- existing_set->init = set_expr_alloc(&internal_location,
|
|
||||||
- set);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- set_to_range(init);
|
|
||||||
- list_expr_sort(&init->expressions);
|
|
||||||
+ set_sort_splice(init, set);
|
|
||||||
|
|
||||||
ctx.purge = set_expr_alloc(&internal_location, set);
|
|
||||||
|
|
||||||
@@ -591,18 +600,7 @@ int set_overlap(struct list_head *msgs, struct set *set, struct expr *init)
|
|
||||||
struct expr *i, *n, *clone;
|
|
||||||
int err;
|
|
||||||
|
|
||||||
- if (existing_set) {
|
|
||||||
- if (existing_set->init) {
|
|
||||||
- list_splice_init(&existing_set->init->expressions,
|
|
||||||
- &init->expressions);
|
|
||||||
- } else {
|
|
||||||
- existing_set->init = set_expr_alloc(&internal_location,
|
|
||||||
- set);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- set_to_range(init);
|
|
||||||
- list_expr_sort(&init->expressions);
|
|
||||||
+ set_sort_splice(init, set);
|
|
||||||
|
|
||||||
err = setelem_overlap(msgs, set, init);
|
|
||||||
|
|
||||||
diff --git a/src/mergesort.c b/src/mergesort.c
|
|
||||||
index 8e6aac5..dca7142 100644
|
|
||||||
--- a/src/mergesort.c
|
|
||||||
+++ b/src/mergesort.c
|
|
||||||
@@ -70,7 +70,7 @@ static int expr_msort_cmp(const struct expr *e1, const struct expr *e2)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void list_splice_sorted(struct list_head *list, struct list_head *head)
|
|
||||||
+void list_splice_sorted(struct list_head *list, struct list_head *head)
|
|
||||||
{
|
|
||||||
struct list_head *h = head->next;
|
|
||||||
struct list_head *l = list->next;
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From a2e5f4f59c0d4a3880a4de5e95adffc553216d2e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:15:02 +0100
|
|
||||||
Subject: [PATCH] doc: Document limitations of ipsec expression with
|
|
||||||
xfrm_interface
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 446e76dbde713
|
|
||||||
|
|
||||||
commit 446e76dbde713327358f17a8af6ce86b8541c836
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Thu Jun 23 17:49:20 2022 +0200
|
|
||||||
|
|
||||||
doc: Document limitations of ipsec expression with xfrm_interface
|
|
||||||
|
|
||||||
Point at a possible solution to match IPsec info of locally generated
|
|
||||||
traffic routed to an xfrm-type interface.
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
doc/primary-expression.txt | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
|
|
||||||
index f97778b..4d6b087 100644
|
|
||||||
--- a/doc/primary-expression.txt
|
|
||||||
+++ b/doc/primary-expression.txt
|
|
||||||
@@ -428,6 +428,10 @@ Destination address of the tunnel|
|
|
||||||
ipv4_addr/ipv6_addr
|
|
||||||
|=================================
|
|
||||||
|
|
||||||
+*Note:* When using xfrm_interface, this expression is not useable in output
|
|
||||||
+hook as the plain packet does not traverse it with IPsec info attached - use a
|
|
||||||
+chain in postrouting hook instead.
|
|
||||||
+
|
|
||||||
NUMGEN EXPRESSION
|
|
||||||
~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,86 +0,0 @@
|
|||||||
From 23e6c3545b6c416a0eb7d3c7ac97c74215dcc19c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:18:10 +0100
|
|
||||||
Subject: [PATCH] tests/py: Add a test for failing ipsec after counter
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit ed2426bccd3ea
|
|
||||||
|
|
||||||
commit ed2426bccd3ea954adc8a010bf1736e8ed6a81b9
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Thu Jun 23 16:28:42 2022 +0200
|
|
||||||
|
|
||||||
tests/py: Add a test for failing ipsec after counter
|
|
||||||
|
|
||||||
This is a bug in parser/scanner due to scoping:
|
|
||||||
|
|
||||||
| Error: syntax error, unexpected string, expecting saddr or daddr
|
|
||||||
| add rule ip ipsec-ip4 ipsec-forw counter ipsec out ip daddr 192.168.1.2
|
|
||||||
| ^^^^^
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
tests/py/inet/ipsec.t | 2 ++
|
|
||||||
tests/py/inet/ipsec.t.json | 21 +++++++++++++++++++++
|
|
||||||
tests/py/inet/ipsec.t.payload | 6 ++++++
|
|
||||||
3 files changed, 29 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t
|
|
||||||
index e924e9b..b18df39 100644
|
|
||||||
--- a/tests/py/inet/ipsec.t
|
|
||||||
+++ b/tests/py/inet/ipsec.t
|
|
||||||
@@ -19,3 +19,5 @@ ipsec in ip6 daddr dead::beef;ok
|
|
||||||
ipsec out ip6 saddr dead::feed;ok
|
|
||||||
|
|
||||||
ipsec in spnum 256 reqid 1;fail
|
|
||||||
+
|
|
||||||
+counter ipsec out ip daddr 192.168.1.2;ok
|
|
||||||
diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json
|
|
||||||
index d7d3a03..18a64f3 100644
|
|
||||||
--- a/tests/py/inet/ipsec.t.json
|
|
||||||
+++ b/tests/py/inet/ipsec.t.json
|
|
||||||
@@ -134,3 +134,24 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
+
|
|
||||||
+# counter ipsec out ip daddr 192.168.1.2
|
|
||||||
+[
|
|
||||||
+ {
|
|
||||||
+ "counter": null
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ "match": {
|
|
||||||
+ "left": {
|
|
||||||
+ "ipsec": {
|
|
||||||
+ "dir": "out",
|
|
||||||
+ "family": "ip",
|
|
||||||
+ "key": "daddr",
|
|
||||||
+ "spnum": 0
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ "op": "==",
|
|
||||||
+ "right": "192.168.1.2"
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+]
|
|
||||||
diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload
|
|
||||||
index c46a226..9648255 100644
|
|
||||||
--- a/tests/py/inet/ipsec.t.payload
|
|
||||||
+++ b/tests/py/inet/ipsec.t.payload
|
|
||||||
@@ -37,3 +37,9 @@ ip ipsec-ip4 ipsec-forw
|
|
||||||
[ xfrm load out 0 saddr6 => reg 1 ]
|
|
||||||
[ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ]
|
|
||||||
|
|
||||||
+# counter ipsec out ip daddr 192.168.1.2
|
|
||||||
+ip ipsec-ip4 ipsec-forw
|
|
||||||
+ [ counter pkts 0 bytes 0 ]
|
|
||||||
+ [ xfrm load out 0 daddr4 => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x0201a8c0 ]
|
|
||||||
+
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From d0d4d54136f10c23e279da40aae188b8fdc09293 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:18:10 +0100
|
|
||||||
Subject: [PATCH] parser: add missing synproxy scope closure
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 994bf5004b365
|
|
||||||
|
|
||||||
commit 994bf5004b365904029f0fe8c2de587178583712
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Thu Jun 23 18:28:14 2022 +0200
|
|
||||||
|
|
||||||
parser: add missing synproxy scope closure
|
|
||||||
|
|
||||||
Fixes: 232f2c3287fc ("scanner: synproxy: Move to own scope")
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/parser_bison.y | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
|
||||||
index ca5c488..b548d5b 100644
|
|
||||||
--- a/src/parser_bison.y
|
|
||||||
+++ b/src/parser_bison.y
|
|
||||||
@@ -2016,7 +2016,7 @@ map_block_obj_type : COUNTER close_scope_counter { $$ = NFT_OBJECT_COUNTER; }
|
|
||||||
| QUOTA close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
|
|
||||||
| LIMIT close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
|
|
||||||
| SECMARK close_scope_secmark { $$ = NFT_OBJECT_SECMARK; }
|
|
||||||
- | SYNPROXY { $$ = NFT_OBJECT_SYNPROXY; }
|
|
||||||
+ | SYNPROXY close_scope_synproxy { $$ = NFT_OBJECT_SYNPROXY; }
|
|
||||||
;
|
|
||||||
|
|
||||||
map_block : /* empty */ { $$ = $<set>-1; }
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,144 +0,0 @@
|
|||||||
From 80b1505ca2ef8432375dc524cc6763e7ef795b1a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:18:10 +0100
|
|
||||||
Subject: [PATCH] scanner: don't pop active flex scanner scope
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 8623772af0610
|
|
||||||
|
|
||||||
commit 8623772af06103ed4ccca3d07e55afbf3d952d6d
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Thu Jun 23 19:56:19 2022 +0200
|
|
||||||
|
|
||||||
scanner: don't pop active flex scanner scope
|
|
||||||
|
|
||||||
Currently we can pop a flex scope that is still active, i.e. the
|
|
||||||
scanner_pop_start_cond() for the scope has not been done.
|
|
||||||
|
|
||||||
Example:
|
|
||||||
counter ipsec out ip daddr 192.168.1.2 counter name "ipsec_out"
|
|
||||||
|
|
||||||
Here, parser fails because 'daddr' is parsed as STRING, not as DADDR token.
|
|
||||||
|
|
||||||
Bug is as follows:
|
|
||||||
COUNTER changes scope to COUNTER. (COUNTER).
|
|
||||||
Next, IPSEC scope gets pushed, stack is: COUNTER, IPSEC.
|
|
||||||
|
|
||||||
Then, the 'COUNTER' scope close happens. Because active scope has changed,
|
|
||||||
we cannot pop (we would pop the 'ipsec' scope in flex).
|
|
||||||
The pop operation gets delayed accordingly.
|
|
||||||
|
|
||||||
Next, IP gets pushed, stack is: COUNTER, IPSEC, IP, plus the information
|
|
||||||
that one scope closure/pop was delayed.
|
|
||||||
|
|
||||||
Then, the IP scope is closed. Because a pop operation was delayed, we pop again,
|
|
||||||
which brings us back to COUNTER state.
|
|
||||||
|
|
||||||
This is bogus: The pop operation CANNOT be done yet, because the ipsec scope
|
|
||||||
is still open, but the existing code lacks the information to detect this.
|
|
||||||
|
|
||||||
After popping the IP scope, we must remain in IPSEC scope until bison
|
|
||||||
parser calls scanner_pop_start_cond(, IPSEC).
|
|
||||||
|
|
||||||
This adds a counter per flex scope so that we can detect this case.
|
|
||||||
In above case, after the IP scope gets closed, the "new" (previous)
|
|
||||||
scope (IPSEC) will be treated as active and its close is attempted again
|
|
||||||
on the next call to scanner_pop_start_cond().
|
|
||||||
|
|
||||||
After this patch, transition in above rule is:
|
|
||||||
|
|
||||||
push counter (COUNTER)
|
|
||||||
push IPSEC (COUNTER, IPSEC)
|
|
||||||
pop COUNTER (delayed: COUNTER, IPSEC, pending-pop for COUNTER),
|
|
||||||
push IP (COUNTER, IPSEC, IP, pending-pop for COUNTER)
|
|
||||||
pop IP (COUNTER, IPSEC, pending-pop for COUNTER)
|
|
||||||
parse DADDR (we're in IPSEC scope, its valid token)
|
|
||||||
pop IPSEC (pops all remaining scopes).
|
|
||||||
|
|
||||||
We could also resurrect the commit:
|
|
||||||
"scanner: flags: move to own scope", the test case passes with the
|
|
||||||
new scope closure logic.
|
|
||||||
|
|
||||||
Fixes: bff106c5b277 ("scanner: add support for scope nesting")
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
include/parser.h | 3 +++
|
|
||||||
src/scanner.l | 11 +++++++++++
|
|
||||||
2 files changed, 14 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/include/parser.h b/include/parser.h
|
|
||||||
index f32154c..5e5ad28 100644
|
|
||||||
--- a/include/parser.h
|
|
||||||
+++ b/include/parser.h
|
|
||||||
@@ -26,6 +26,7 @@ struct parser_state {
|
|
||||||
unsigned int flex_state_pop;
|
|
||||||
unsigned int startcond_type;
|
|
||||||
struct list_head *cmds;
|
|
||||||
+ unsigned int *startcond_active;
|
|
||||||
};
|
|
||||||
|
|
||||||
enum startcond_type {
|
|
||||||
@@ -82,6 +83,8 @@ enum startcond_type {
|
|
||||||
PARSER_SC_STMT_REJECT,
|
|
||||||
PARSER_SC_STMT_SYNPROXY,
|
|
||||||
PARSER_SC_STMT_TPROXY,
|
|
||||||
+
|
|
||||||
+ __SC_MAX
|
|
||||||
};
|
|
||||||
|
|
||||||
struct mnl_socket;
|
|
||||||
diff --git a/src/scanner.l b/src/scanner.l
|
|
||||||
index 2154281..ed7256b 100644
|
|
||||||
--- a/src/scanner.l
|
|
||||||
+++ b/src/scanner.l
|
|
||||||
@@ -1148,6 +1148,8 @@ void *scanner_init(struct parser_state *state)
|
|
||||||
yylex_init_extra(state, &scanner);
|
|
||||||
yyset_out(NULL, scanner);
|
|
||||||
|
|
||||||
+ state->startcond_active = xzalloc_array(__SC_MAX,
|
|
||||||
+ sizeof(*state->startcond_active));
|
|
||||||
return scanner;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1177,6 +1179,8 @@ void scanner_destroy(struct nft_ctx *nft)
|
|
||||||
struct parser_state *state = yyget_extra(nft->scanner);
|
|
||||||
|
|
||||||
input_descriptor_list_destroy(state);
|
|
||||||
+ xfree(state->startcond_active);
|
|
||||||
+
|
|
||||||
yylex_destroy(nft->scanner);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1185,6 +1189,7 @@ static void scanner_push_start_cond(void *scanner, enum startcond_type type)
|
|
||||||
struct parser_state *state = yyget_extra(scanner);
|
|
||||||
|
|
||||||
state->startcond_type = type;
|
|
||||||
+ state->startcond_active[type]++;
|
|
||||||
|
|
||||||
yy_push_state((int)type, scanner);
|
|
||||||
}
|
|
||||||
@@ -1193,6 +1198,8 @@ void scanner_pop_start_cond(void *scanner, enum startcond_type t)
|
|
||||||
{
|
|
||||||
struct parser_state *state = yyget_extra(scanner);
|
|
||||||
|
|
||||||
+ state->startcond_active[t]--;
|
|
||||||
+
|
|
||||||
if (state->startcond_type != t) {
|
|
||||||
state->flex_state_pop++;
|
|
||||||
return; /* Can't pop just yet! */
|
|
||||||
@@ -1202,6 +1209,10 @@ void scanner_pop_start_cond(void *scanner, enum startcond_type t)
|
|
||||||
state->flex_state_pop--;
|
|
||||||
state->startcond_type = yy_top_state(scanner);
|
|
||||||
yy_pop_state(scanner);
|
|
||||||
+
|
|
||||||
+ t = state->startcond_type;
|
|
||||||
+ if (state->startcond_active[t])
|
|
||||||
+ return;
|
|
||||||
}
|
|
||||||
|
|
||||||
state->startcond_type = yy_top_state(scanner);
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,67 +0,0 @@
|
|||||||
From babfd73139d19750a7b1f94fdc1b5405f5affe61 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:25:59 +0100
|
|
||||||
Subject: [PATCH] intervals: fix crash when trying to remove element in empty
|
|
||||||
set
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 5357cb7b5cb93
|
|
||||||
|
|
||||||
commit 5357cb7b5cb93fc9b20d4d95b093d6b9f86b7727
|
|
||||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Date: Thu Jun 23 14:20:17 2022 +0200
|
|
||||||
|
|
||||||
intervals: fix crash when trying to remove element in empty set
|
|
||||||
|
|
||||||
The set deletion routine expects an initialized set, otherwise it crashes.
|
|
||||||
|
|
||||||
Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge")
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/intervals.c | 6 +++++-
|
|
||||||
tests/shell/testcases/sets/errors_0 | 14 ++++++++++++++
|
|
||||||
2 files changed, 19 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100755 tests/shell/testcases/sets/errors_0
|
|
||||||
|
|
||||||
diff --git a/src/intervals.c b/src/intervals.c
|
|
||||||
index dcc06d1..c21b3ee 100644
|
|
||||||
--- a/src/intervals.c
|
|
||||||
+++ b/src/intervals.c
|
|
||||||
@@ -475,7 +475,11 @@ int set_delete(struct list_head *msgs, struct cmd *cmd, struct set *set,
|
|
||||||
if (set->automerge)
|
|
||||||
automerge_delete(msgs, set, init, debug_mask);
|
|
||||||
|
|
||||||
- set_to_range(existing_set->init);
|
|
||||||
+ if (existing_set->init) {
|
|
||||||
+ set_to_range(existing_set->init);
|
|
||||||
+ } else {
|
|
||||||
+ existing_set->init = set_expr_alloc(&internal_location, set);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
list_splice_init(&init->expressions, &del_list);
|
|
||||||
|
|
||||||
diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..2960b69
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/errors_0
|
|
||||||
@@ -0,0 +1,14 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+
|
|
||||||
+RULESET="table ip x {
|
|
||||||
+ set y {
|
|
||||||
+ type ipv4_addr
|
|
||||||
+ flags interval
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+delete element ip x y { 2.3.4.5 }"
|
|
||||||
+
|
|
||||||
+$NFT -f - <<< $RULESET || exit 0
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,80 +0,0 @@
|
|||||||
From 3ea1e90779e232776e72548e9a768df1771e0f2c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:25:59 +0100
|
|
||||||
Subject: [PATCH] intervals: check for EXPR_F_REMOVE in case of element
|
|
||||||
mismatch
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 6d1ee9267e7e5
|
|
||||||
|
|
||||||
commit 6d1ee9267e7e5e429a84d7bb8a8644f9eebddb22
|
|
||||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Date: Thu Jun 23 18:41:21 2022 +0200
|
|
||||||
|
|
||||||
intervals: check for EXPR_F_REMOVE in case of element mismatch
|
|
||||||
|
|
||||||
If auto-merge is disable and element to be deleted finds no exact
|
|
||||||
matching, then bail out.
|
|
||||||
|
|
||||||
Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge")
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/intervals.c | 4 ++++
|
|
||||||
tests/shell/testcases/sets/errors_0 | 20 ++++++++++++++++++--
|
|
||||||
2 files changed, 22 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/intervals.c b/src/intervals.c
|
|
||||||
index c21b3ee..13009ca 100644
|
|
||||||
--- a/src/intervals.c
|
|
||||||
+++ b/src/intervals.c
|
|
||||||
@@ -421,6 +421,10 @@ static int setelem_delete(struct list_head *msgs, struct set *set,
|
|
||||||
expr_error(msgs, i, "element does not exist");
|
|
||||||
err = -1;
|
|
||||||
goto err;
|
|
||||||
+ } else if (i->flags & EXPR_F_REMOVE) {
|
|
||||||
+ expr_error(msgs, i, "element does not exist");
|
|
||||||
+ err = -1;
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
prev = NULL;
|
|
||||||
}
|
|
||||||
diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
|
|
||||||
index 2960b69..a676ac7 100755
|
|
||||||
--- a/tests/shell/testcases/sets/errors_0
|
|
||||||
+++ b/tests/shell/testcases/sets/errors_0
|
|
||||||
@@ -1,7 +1,5 @@
|
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
-set -e
|
|
||||||
-
|
|
||||||
RULESET="table ip x {
|
|
||||||
set y {
|
|
||||||
type ipv4_addr
|
|
||||||
@@ -11,4 +9,22 @@ RULESET="table ip x {
|
|
||||||
|
|
||||||
delete element ip x y { 2.3.4.5 }"
|
|
||||||
|
|
||||||
+$NFT -f - <<< $RULESET
|
|
||||||
+if [ $? -eq 0 ]
|
|
||||||
+then
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+RULESET="table ip x {
|
|
||||||
+ set y {
|
|
||||||
+ type ipv4_addr
|
|
||||||
+ flags interval
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+add element x y { 1.1.1.1/24 }
|
|
||||||
+delete element x y { 1.1.1.1/24 }
|
|
||||||
+add element x y { 1.1.1.1/24 }
|
|
||||||
+delete element x y { 2.2.2.2/24 }"
|
|
||||||
+
|
|
||||||
$NFT -f - <<< $RULESET || exit 0
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,76 +0,0 @@
|
|||||||
From 477a5632894a8bf6cba1f6e69a3f7d58d220820b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:27:57 +0100
|
|
||||||
Subject: [PATCH] netlink_delinearize: allow postprocessing on concatenated
|
|
||||||
elements
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 0542a431e8dcc
|
|
||||||
|
|
||||||
commit 0542a431e8dccfa86fa5b1744f536e61a0b204f3
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Tue Jun 14 21:57:58 2022 +0200
|
|
||||||
|
|
||||||
netlink_delinearize: allow postprocessing on concatenated elements
|
|
||||||
|
|
||||||
Currently there is no case where the individual expressions inside a
|
|
||||||
mapped concatenation need to be munged.
|
|
||||||
|
|
||||||
However, to support proper delinearization for an input like
|
|
||||||
'rule netdev nt nc set update ether saddr . vlan id timeout 5s @macset'
|
|
||||||
|
|
||||||
we need to allow this.
|
|
||||||
|
|
||||||
Right now, this gets listed as:
|
|
||||||
|
|
||||||
update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s }
|
|
||||||
|
|
||||||
because the ethernet protocol is replaced by vlan beforehand,
|
|
||||||
so we fail to map @ll,48,48 to a vlan protocol.
|
|
||||||
|
|
||||||
Likewise, we can't map the vlan info either because we cannot
|
|
||||||
cope with the 'and' operation properly, nor is it removed.
|
|
||||||
|
|
||||||
Prepare for this by deleting and re-adding so that we do not
|
|
||||||
corrupt the linked list.
|
|
||||||
|
|
||||||
After this, the list can be safely changed and a followup patch
|
|
||||||
can start to delete/reallocate expressions.
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/netlink_delinearize.c | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
|
||||||
index 068c3bb..2f13990 100644
|
|
||||||
--- a/src/netlink_delinearize.c
|
|
||||||
+++ b/src/netlink_delinearize.c
|
|
||||||
@@ -2538,16 +2538,21 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
|
|
||||||
unsigned int type = expr->dtype->type, ntype = 0;
|
|
||||||
int off = expr->dtype->subtypes;
|
|
||||||
const struct datatype *dtype;
|
|
||||||
+ LIST_HEAD(tmp);
|
|
||||||
+ struct expr *n;
|
|
||||||
|
|
||||||
- list_for_each_entry(i, &expr->expressions, list) {
|
|
||||||
+ list_for_each_entry_safe(i, n, &expr->expressions, list) {
|
|
||||||
if (type) {
|
|
||||||
dtype = concat_subtype_lookup(type, --off);
|
|
||||||
expr_set_type(i, dtype, dtype->byteorder);
|
|
||||||
}
|
|
||||||
+ list_del(&i->list);
|
|
||||||
expr_postprocess(ctx, &i);
|
|
||||||
+ list_add_tail(&i->list, &tmp);
|
|
||||||
|
|
||||||
ntype = concat_subtype_add(ntype, i->dtype->type);
|
|
||||||
}
|
|
||||||
+ list_splice(&tmp, &expr->expressions);
|
|
||||||
datatype_set(expr, concat_type_alloc(ntype));
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,159 +0,0 @@
|
|||||||
From 120ec5410b0c9f8f84f2bfdf092228cc61899785 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:27:57 +0100
|
|
||||||
Subject: [PATCH] netlink_delinearize: postprocess binary ands in
|
|
||||||
concatenations
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 89688c947efc3
|
|
||||||
|
|
||||||
commit 89688c947efc36d25c58c85650414fa3a491732e
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Tue Jun 14 21:56:48 2022 +0200
|
|
||||||
|
|
||||||
netlink_delinearize: postprocess binary ands in concatenations
|
|
||||||
|
|
||||||
Input:
|
|
||||||
update ether saddr . vlan id timeout 5s @macset
|
|
||||||
ether saddr . vlan id @macset
|
|
||||||
|
|
||||||
Before this patch, gets rendered as:
|
|
||||||
update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s }
|
|
||||||
@ll,48,48 . @ll,112,16 & 0xfff @macset
|
|
||||||
|
|
||||||
After this, listing will show:
|
|
||||||
update @macset { @ll,48,48 . vlan id timeout 5s }
|
|
||||||
@ll,48,48 . vlan id @macset
|
|
||||||
|
|
||||||
The @ll, ... is due to vlan description replacing the ethernet one,
|
|
||||||
so payload decode fails to take the concatenation apart (the ethernet
|
|
||||||
header payload info is matched vs. vlan template).
|
|
||||||
|
|
||||||
This will be adjusted by a followup patch.
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
include/netlink.h | 6 ++++++
|
|
||||||
src/netlink_delinearize.c | 45 ++++++++++++++++++++++++++++++++++-----
|
|
||||||
2 files changed, 46 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/netlink.h b/include/netlink.h
|
|
||||||
index e8e0f68..71c888f 100644
|
|
||||||
--- a/include/netlink.h
|
|
||||||
+++ b/include/netlink.h
|
|
||||||
@@ -42,10 +42,16 @@ struct netlink_parse_ctx {
|
|
||||||
struct netlink_ctx *nlctx;
|
|
||||||
};
|
|
||||||
|
|
||||||
+
|
|
||||||
+#define RULE_PP_IN_CONCATENATION (1 << 0)
|
|
||||||
+
|
|
||||||
+#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION)
|
|
||||||
+
|
|
||||||
struct rule_pp_ctx {
|
|
||||||
struct proto_ctx pctx;
|
|
||||||
struct payload_dep_ctx pdctx;
|
|
||||||
struct stmt *stmt;
|
|
||||||
+ unsigned int flags;
|
|
||||||
};
|
|
||||||
|
|
||||||
extern const struct input_descriptor indesc_netlink;
|
|
||||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
|
||||||
index 2f13990..cba419d 100644
|
|
||||||
--- a/src/netlink_delinearize.c
|
|
||||||
+++ b/src/netlink_delinearize.c
|
|
||||||
@@ -2259,12 +2259,13 @@ static void binop_adjust(const struct expr *binop, struct expr *right,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr,
|
|
||||||
- struct expr **expr_binop)
|
|
||||||
+static void __binop_postprocess(struct rule_pp_ctx *ctx,
|
|
||||||
+ struct expr *expr,
|
|
||||||
+ struct expr *left,
|
|
||||||
+ struct expr *mask,
|
|
||||||
+ struct expr **expr_binop)
|
|
||||||
{
|
|
||||||
struct expr *binop = *expr_binop;
|
|
||||||
- struct expr *left = binop->left;
|
|
||||||
- struct expr *mask = binop->right;
|
|
||||||
unsigned int shift;
|
|
||||||
|
|
||||||
assert(binop->etype == EXPR_BINOP);
|
|
||||||
@@ -2300,15 +2301,26 @@ static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr,
|
|
||||||
|
|
||||||
assert(binop->left == left);
|
|
||||||
*expr_binop = expr_get(left);
|
|
||||||
- expr_free(binop);
|
|
||||||
|
|
||||||
if (left->etype == EXPR_PAYLOAD)
|
|
||||||
payload_match_postprocess(ctx, expr, left);
|
|
||||||
else if (left->etype == EXPR_EXTHDR && right)
|
|
||||||
expr_set_type(right, left->dtype, left->byteorder);
|
|
||||||
+
|
|
||||||
+ expr_free(binop);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr,
|
|
||||||
+ struct expr **expr_binop)
|
|
||||||
+{
|
|
||||||
+ struct expr *binop = *expr_binop;
|
|
||||||
+ struct expr *left = binop->left;
|
|
||||||
+ struct expr *mask = binop->right;
|
|
||||||
+
|
|
||||||
+ __binop_postprocess(ctx, expr, left, mask, expr_binop);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void map_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr)
|
|
||||||
{
|
|
||||||
struct expr *binop = expr->map;
|
|
||||||
@@ -2541,6 +2553,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
|
|
||||||
LIST_HEAD(tmp);
|
|
||||||
struct expr *n;
|
|
||||||
|
|
||||||
+ ctx->flags |= RULE_PP_IN_CONCATENATION;
|
|
||||||
list_for_each_entry_safe(i, n, &expr->expressions, list) {
|
|
||||||
if (type) {
|
|
||||||
dtype = concat_subtype_lookup(type, --off);
|
|
||||||
@@ -2552,6 +2565,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
|
|
||||||
|
|
||||||
ntype = concat_subtype_add(ntype, i->dtype->type);
|
|
||||||
}
|
|
||||||
+ ctx->flags &= ~RULE_PP_IN_CONCATENATION;
|
|
||||||
list_splice(&tmp, &expr->expressions);
|
|
||||||
datatype_set(expr, concat_type_alloc(ntype));
|
|
||||||
break;
|
|
||||||
@@ -2568,6 +2582,27 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
|
|
||||||
expr_set_type(expr->right, &integer_type,
|
|
||||||
BYTEORDER_HOST_ENDIAN);
|
|
||||||
break;
|
|
||||||
+ case OP_AND:
|
|
||||||
+ expr_set_type(expr->right, expr->left->dtype,
|
|
||||||
+ expr->left->byteorder);
|
|
||||||
+
|
|
||||||
+ /* Do not process OP_AND in ordinary rule context.
|
|
||||||
+ *
|
|
||||||
+ * Removal needs to be performed as part of the relational
|
|
||||||
+ * operation because the RHS constant might need to be adjusted
|
|
||||||
+ * (shifted).
|
|
||||||
+ *
|
|
||||||
+ * This is different in set element context or concatenations:
|
|
||||||
+ * There is no relational operation (eq, neq and so on), thus
|
|
||||||
+ * it needs to be processed right away.
|
|
||||||
+ */
|
|
||||||
+ if ((ctx->flags & RULE_PP_REMOVE_OP_AND) &&
|
|
||||||
+ expr->left->etype == EXPR_PAYLOAD &&
|
|
||||||
+ expr->right->etype == EXPR_VALUE) {
|
|
||||||
+ __binop_postprocess(ctx, expr, expr->left, expr->right, exprp);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
expr_set_type(expr->right, expr->left->dtype,
|
|
||||||
expr->left->byteorder);
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,287 +0,0 @@
|
|||||||
From 5246e288a724e7b9641c94f228096dc1529bb2ea Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:27:57 +0100
|
|
||||||
Subject: [PATCH] proto: track full stack of seen l2 protocols, not just
|
|
||||||
cumulative offset
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 0d9daa0407212
|
|
||||||
|
|
||||||
commit 0d9daa0407212c8cc89b3ea8aee031ddf0109b08
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Jul 25 14:32:13 2022 +0200
|
|
||||||
|
|
||||||
proto: track full stack of seen l2 protocols, not just cumulative offset
|
|
||||||
|
|
||||||
For input, a cumulative size counter of all pushed l2 headers is enough,
|
|
||||||
because we have the full expression tree available to us.
|
|
||||||
|
|
||||||
For delinearization we need to track all seen l2 headers, else we lose
|
|
||||||
information that we might need at a later time.
|
|
||||||
|
|
||||||
Consider:
|
|
||||||
|
|
||||||
rule netdev nt nc set update ether saddr . vlan id
|
|
||||||
|
|
||||||
during delinearization, the vlan proto_desc replaces the ethernet one,
|
|
||||||
and by the time we try to split the concatenation apart we will search
|
|
||||||
the ether saddr offset vs. the templates for proto_vlan.
|
|
||||||
|
|
||||||
This replaces the offset with an array that stores the protocol
|
|
||||||
descriptions seen.
|
|
||||||
|
|
||||||
Then, if the payload offset is larger than our description, search the
|
|
||||||
l2 stack and adjust the offset until we're within the expected offset
|
|
||||||
boundary.
|
|
||||||
|
|
||||||
Reported-by: Eric Garver <eric@garver.life>
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
include/proto.h | 3 +-
|
|
||||||
src/evaluate.c | 15 +++++++--
|
|
||||||
src/netlink_delinearize.c | 5 ---
|
|
||||||
src/payload.c | 67 ++++++++++++++++++++++++++++++++-------
|
|
||||||
src/proto.c | 2 --
|
|
||||||
5 files changed, 71 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/proto.h b/include/proto.h
|
|
||||||
index a04240a..35e760c 100644
|
|
||||||
--- a/include/proto.h
|
|
||||||
+++ b/include/proto.h
|
|
||||||
@@ -193,13 +193,14 @@ struct proto_ctx {
|
|
||||||
struct {
|
|
||||||
struct location location;
|
|
||||||
const struct proto_desc *desc;
|
|
||||||
- unsigned int offset;
|
|
||||||
struct {
|
|
||||||
struct location location;
|
|
||||||
const struct proto_desc *desc;
|
|
||||||
} protos[PROTO_CTX_NUM_PROTOS];
|
|
||||||
unsigned int num_protos;
|
|
||||||
} protocol[PROTO_BASE_MAX + 1];
|
|
||||||
+ const struct proto_desc *stacked_ll[PROTO_CTX_NUM_PROTOS];
|
|
||||||
+ uint8_t stacked_ll_count;
|
|
||||||
};
|
|
||||||
|
|
||||||
extern void proto_ctx_init(struct proto_ctx *ctx, unsigned int family,
|
|
||||||
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
||||||
index 82bf131..9246064 100644
|
|
||||||
--- a/src/evaluate.c
|
|
||||||
+++ b/src/evaluate.c
|
|
||||||
@@ -678,7 +678,13 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx,
|
|
||||||
conflict_resolution_gen_dependency(ctx, link, payload, &nstmt) < 0)
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
- payload->payload.offset += ctx->pctx.protocol[base].offset;
|
|
||||||
+ if (base == PROTO_BASE_LL_HDR) {
|
|
||||||
+ unsigned int i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++)
|
|
||||||
+ payload->payload.offset += ctx->pctx.stacked_ll[i]->length;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
@@ -727,7 +733,12 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr)
|
|
||||||
if (desc == payload->payload.desc) {
|
|
||||||
const struct proto_hdr_template *tmpl;
|
|
||||||
|
|
||||||
- payload->payload.offset += ctx->pctx.protocol[base].offset;
|
|
||||||
+ if (desc->base == PROTO_BASE_LL_HDR) {
|
|
||||||
+ unsigned int i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++)
|
|
||||||
+ payload->payload.offset += ctx->pctx.stacked_ll[i]->length;
|
|
||||||
+ }
|
|
||||||
check_icmp:
|
|
||||||
if (desc != &proto_icmp && desc != &proto_icmp6)
|
|
||||||
return 0;
|
|
||||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
|
||||||
index cba419d..0b5519d 100644
|
|
||||||
--- a/src/netlink_delinearize.c
|
|
||||||
+++ b/src/netlink_delinearize.c
|
|
||||||
@@ -1976,11 +1976,6 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
|
|
||||||
struct expr *expr,
|
|
||||||
struct expr *payload)
|
|
||||||
{
|
|
||||||
- enum proto_bases base = payload->payload.base;
|
|
||||||
-
|
|
||||||
- assert(payload->payload.offset >= ctx->pctx.protocol[base].offset);
|
|
||||||
- payload->payload.offset -= ctx->pctx.protocol[base].offset;
|
|
||||||
-
|
|
||||||
switch (expr->op) {
|
|
||||||
case OP_EQ:
|
|
||||||
case OP_NEQ:
|
|
||||||
diff --git a/src/payload.c b/src/payload.c
|
|
||||||
index 66418cd..2c0d0ac 100644
|
|
||||||
--- a/src/payload.c
|
|
||||||
+++ b/src/payload.c
|
|
||||||
@@ -116,8 +116,13 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
|
|
||||||
if (desc->base == base->base) {
|
|
||||||
assert(base->length > 0);
|
|
||||||
|
|
||||||
- if (!left->payload.is_raw)
|
|
||||||
- ctx->protocol[base->base].offset += base->length;
|
|
||||||
+ if (!left->payload.is_raw) {
|
|
||||||
+ if (desc->base == PROTO_BASE_LL_HDR &&
|
|
||||||
+ ctx->stacked_ll_count < PROTO_CTX_NUM_PROTOS) {
|
|
||||||
+ ctx->stacked_ll[ctx->stacked_ll_count] = base;
|
|
||||||
+ ctx->stacked_ll_count++;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
proto_ctx_update(ctx, desc->base, loc, desc);
|
|
||||||
}
|
|
||||||
@@ -869,6 +874,38 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+static const struct proto_desc *get_stacked_desc(const struct proto_ctx *ctx,
|
|
||||||
+ const struct proto_desc *top,
|
|
||||||
+ const struct expr *e,
|
|
||||||
+ unsigned int *skip)
|
|
||||||
+{
|
|
||||||
+ unsigned int i, total, payload_offset = e->payload.offset;
|
|
||||||
+
|
|
||||||
+ assert(e->etype == EXPR_PAYLOAD);
|
|
||||||
+
|
|
||||||
+ if (e->payload.base != PROTO_BASE_LL_HDR ||
|
|
||||||
+ payload_offset < top->length) {
|
|
||||||
+ *skip = 0;
|
|
||||||
+ return top;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (i = 0, total = 0; i < ctx->stacked_ll_count; i++) {
|
|
||||||
+ const struct proto_desc *stacked;
|
|
||||||
+
|
|
||||||
+ stacked = ctx->stacked_ll[i];
|
|
||||||
+ if (payload_offset < stacked->length) {
|
|
||||||
+ *skip = total;
|
|
||||||
+ return stacked;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ payload_offset -= stacked->length;
|
|
||||||
+ total += stacked->length;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *skip = total;
|
|
||||||
+ return top;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* payload_expr_complete - fill in type information of a raw payload expr
|
|
||||||
*
|
|
||||||
@@ -880,9 +917,10 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
|
|
||||||
*/
|
|
||||||
void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx)
|
|
||||||
{
|
|
||||||
+ unsigned int payload_offset = expr->payload.offset;
|
|
||||||
const struct proto_desc *desc;
|
|
||||||
const struct proto_hdr_template *tmpl;
|
|
||||||
- unsigned int i;
|
|
||||||
+ unsigned int i, total;
|
|
||||||
|
|
||||||
assert(expr->etype == EXPR_PAYLOAD);
|
|
||||||
|
|
||||||
@@ -891,9 +929,12 @@ void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx)
|
|
||||||
return;
|
|
||||||
assert(desc->base == expr->payload.base);
|
|
||||||
|
|
||||||
+ desc = get_stacked_desc(ctx, desc, expr, &total);
|
|
||||||
+ payload_offset -= total;
|
|
||||||
+
|
|
||||||
for (i = 0; i < array_size(desc->templates); i++) {
|
|
||||||
tmpl = &desc->templates[i];
|
|
||||||
- if (tmpl->offset != expr->payload.offset ||
|
|
||||||
+ if (tmpl->offset != payload_offset ||
|
|
||||||
tmpl->len != expr->len)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
@@ -950,6 +991,7 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask,
|
|
||||||
unsigned int payload_len = expr->len;
|
|
||||||
const struct proto_desc *desc;
|
|
||||||
unsigned int off, i, len = 0;
|
|
||||||
+ unsigned int total;
|
|
||||||
|
|
||||||
assert(expr->etype == EXPR_PAYLOAD);
|
|
||||||
|
|
||||||
@@ -959,10 +1001,8 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask,
|
|
||||||
|
|
||||||
assert(desc->base == expr->payload.base);
|
|
||||||
|
|
||||||
- if (ctx->protocol[expr->payload.base].offset) {
|
|
||||||
- assert(payload_offset >= ctx->protocol[expr->payload.base].offset);
|
|
||||||
- payload_offset -= ctx->protocol[expr->payload.base].offset;
|
|
||||||
- }
|
|
||||||
+ desc = get_stacked_desc(ctx, desc, expr, &total);
|
|
||||||
+ payload_offset -= total;
|
|
||||||
|
|
||||||
off = round_up(mask->len, BITS_PER_BYTE) - mask_len;
|
|
||||||
payload_offset += off;
|
|
||||||
@@ -1009,10 +1049,11 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask,
|
|
||||||
void payload_expr_expand(struct list_head *list, struct expr *expr,
|
|
||||||
const struct proto_ctx *ctx)
|
|
||||||
{
|
|
||||||
+ unsigned int payload_offset = expr->payload.offset;
|
|
||||||
const struct proto_hdr_template *tmpl;
|
|
||||||
const struct proto_desc *desc;
|
|
||||||
+ unsigned int i, total;
|
|
||||||
struct expr *new;
|
|
||||||
- unsigned int i;
|
|
||||||
|
|
||||||
assert(expr->etype == EXPR_PAYLOAD);
|
|
||||||
|
|
||||||
@@ -1021,13 +1062,16 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
|
|
||||||
goto raw;
|
|
||||||
assert(desc->base == expr->payload.base);
|
|
||||||
|
|
||||||
+ desc = get_stacked_desc(ctx, desc, expr, &total);
|
|
||||||
+ payload_offset -= total;
|
|
||||||
+
|
|
||||||
for (i = 1; i < array_size(desc->templates); i++) {
|
|
||||||
tmpl = &desc->templates[i];
|
|
||||||
|
|
||||||
if (tmpl->len == 0)
|
|
||||||
break;
|
|
||||||
|
|
||||||
- if (tmpl->offset != expr->payload.offset)
|
|
||||||
+ if (tmpl->offset != payload_offset)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
if (tmpl->icmp_dep && ctx->th_dep.icmp.type &&
|
|
||||||
@@ -1039,6 +1083,7 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
|
|
||||||
list_add_tail(&new->list, list);
|
|
||||||
expr->len -= tmpl->len;
|
|
||||||
expr->payload.offset += tmpl->len;
|
|
||||||
+ payload_offset += tmpl->len;
|
|
||||||
if (expr->len == 0)
|
|
||||||
return;
|
|
||||||
} else if (expr->len > 0) {
|
|
||||||
@@ -1051,7 +1096,7 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
|
|
||||||
}
|
|
||||||
raw:
|
|
||||||
new = payload_expr_alloc(&expr->location, NULL, 0);
|
|
||||||
- payload_init_raw(new, expr->payload.base, expr->payload.offset,
|
|
||||||
+ payload_init_raw(new, expr->payload.base, payload_offset,
|
|
||||||
expr->len);
|
|
||||||
list_add_tail(&new->list, list);
|
|
||||||
}
|
|
||||||
diff --git a/src/proto.c b/src/proto.c
|
|
||||||
index a013a00..2663f21 100644
|
|
||||||
--- a/src/proto.c
|
|
||||||
+++ b/src/proto.c
|
|
||||||
@@ -160,8 +160,6 @@ static void proto_ctx_debug(const struct proto_ctx *ctx, enum proto_bases base,
|
|
||||||
proto_base_names[i],
|
|
||||||
ctx->protocol[i].desc ? ctx->protocol[i].desc->name :
|
|
||||||
"none");
|
|
||||||
- if (ctx->protocol[i].offset)
|
|
||||||
- pr_debug(" (offset: %u)", ctx->protocol[i].offset);
|
|
||||||
if (i == base)
|
|
||||||
pr_debug(" <-");
|
|
||||||
pr_debug("\n");
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 33df569ad87c851596c02663fb4941bc0783d08c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:27:57 +0100
|
|
||||||
Subject: [PATCH] debug: dump the l2 protocol stack
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit dbd5f348c71de
|
|
||||||
|
|
||||||
commit dbd5f348c71decf0baa8fb592c576f63fa232f50
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Jul 25 16:42:23 2022 +0200
|
|
||||||
|
|
||||||
debug: dump the l2 protocol stack
|
|
||||||
|
|
||||||
Previously we used to print the cumulative size of the headers,
|
|
||||||
update this to print the tracked l2 stack.
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/proto.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/proto.c b/src/proto.c
|
|
||||||
index 2663f21..c496482 100644
|
|
||||||
--- a/src/proto.c
|
|
||||||
+++ b/src/proto.c
|
|
||||||
@@ -154,6 +154,12 @@ static void proto_ctx_debug(const struct proto_ctx *ctx, enum proto_bases base,
|
|
||||||
if (!(debug_mask & NFT_DEBUG_PROTO_CTX))
|
|
||||||
return;
|
|
||||||
|
|
||||||
+ if (base == PROTO_BASE_LL_HDR && ctx->stacked_ll_count) {
|
|
||||||
+ pr_debug(" saved ll headers:");
|
|
||||||
+ for (i = 0; i < ctx->stacked_ll_count; i++)
|
|
||||||
+ pr_debug(" %s", ctx->stacked_ll[i]->name);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
pr_debug("update %s protocol context:\n", proto_base_names[base]);
|
|
||||||
for (i = PROTO_BASE_LL_HDR; i <= PROTO_BASE_MAX; i++) {
|
|
||||||
pr_debug(" %-20s: %s",
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,65 +0,0 @@
|
|||||||
From 1773e6c1975ee4a6b00c24a99bf57b4597af295d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:27:57 +0100
|
|
||||||
Subject: [PATCH] tests: add a test case for ether and vlan listing
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit f680055cd4377
|
|
||||||
|
|
||||||
commit f680055cd4377f2f531f5f77b3aaa7550988665d
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Jul 25 19:31:22 2022 +0200
|
|
||||||
|
|
||||||
tests: add a test case for ether and vlan listing
|
|
||||||
|
|
||||||
before this patch series, test fails dump validation:
|
|
||||||
- update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0
|
|
||||||
- ether saddr . vlan id @macset
|
|
||||||
+ update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } counter packets 0 bytes 0
|
|
||||||
+ @ll,48,48 . @ll,112,16 & 0xfff @macset
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
tests/shell/testcases/sets/0070stacked_l2_headers | 6 ++++++
|
|
||||||
.../sets/dumps/0070stacked_l2_headers.nft | 14 ++++++++++++++
|
|
||||||
2 files changed, 20 insertions(+)
|
|
||||||
create mode 100755 tests/shell/testcases/sets/0070stacked_l2_headers
|
|
||||||
create mode 100644 tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
|
|
||||||
|
|
||||||
diff --git a/tests/shell/testcases/sets/0070stacked_l2_headers b/tests/shell/testcases/sets/0070stacked_l2_headers
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..07820b7
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/0070stacked_l2_headers
|
|
||||||
@@ -0,0 +1,6 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
|
|
||||||
+
|
|
||||||
+$NFT -f "$dumpfile"
|
|
||||||
diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..ef254b9
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
|
|
||||||
@@ -0,0 +1,14 @@
|
|
||||||
+table netdev nt {
|
|
||||||
+ set macset {
|
|
||||||
+ typeof ether saddr . vlan id
|
|
||||||
+ size 1024
|
|
||||||
+ flags dynamic,timeout
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ chain nc {
|
|
||||||
+ update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0
|
|
||||||
+ ether saddr . vlan id @macset
|
|
||||||
+ vlan pcp 1
|
|
||||||
+ ether saddr 0a:0b:0c:0d:0e:0f vlan id 42
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,99 +0,0 @@
|
|||||||
From bba1a2086ec7bcc0cfa8df9e12c6cc1375180011 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:27:57 +0100
|
|
||||||
Subject: [PATCH] netlink_delinearize: also postprocess OP_AND in set element
|
|
||||||
context
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit b1e3ed0335d13
|
|
||||||
|
|
||||||
commit b1e3ed0335d13d206a2a2698a1ba189fa396dbf3
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Aug 1 13:03:18 2022 +0200
|
|
||||||
|
|
||||||
netlink_delinearize: also postprocess OP_AND in set element context
|
|
||||||
|
|
||||||
Pablo reports:
|
|
||||||
add rule netdev nt y update @macset { vlan id timeout 5s }
|
|
||||||
|
|
||||||
listing still shows the raw expression:
|
|
||||||
update @macset { @ll,112,16 & 0xfff timeout 5s }
|
|
||||||
|
|
||||||
so also cover the 'set element' case.
|
|
||||||
|
|
||||||
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
include/netlink.h | 4 +++-
|
|
||||||
src/netlink_delinearize.c | 2 ++
|
|
||||||
.../sets/dumps/0070stacked_l2_headers.nft | 14 ++++++++++++++
|
|
||||||
3 files changed, 19 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/include/netlink.h b/include/netlink.h
|
|
||||||
index 71c888f..63d07ed 100644
|
|
||||||
--- a/include/netlink.h
|
|
||||||
+++ b/include/netlink.h
|
|
||||||
@@ -44,8 +44,10 @@ struct netlink_parse_ctx {
|
|
||||||
|
|
||||||
|
|
||||||
#define RULE_PP_IN_CONCATENATION (1 << 0)
|
|
||||||
+#define RULE_PP_IN_SET_ELEM (1 << 1)
|
|
||||||
|
|
||||||
-#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION)
|
|
||||||
+#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION | \
|
|
||||||
+ RULE_PP_IN_SET_ELEM)
|
|
||||||
|
|
||||||
struct rule_pp_ctx {
|
|
||||||
struct proto_ctx pctx;
|
|
||||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
|
||||||
index 0b5519d..c6ad84d 100644
|
|
||||||
--- a/src/netlink_delinearize.c
|
|
||||||
+++ b/src/netlink_delinearize.c
|
|
||||||
@@ -2660,7 +2660,9 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
|
|
||||||
expr_postprocess(ctx, &expr->prefix);
|
|
||||||
break;
|
|
||||||
case EXPR_SET_ELEM:
|
|
||||||
+ ctx->flags |= RULE_PP_IN_SET_ELEM;
|
|
||||||
expr_postprocess(ctx, &expr->key);
|
|
||||||
+ ctx->flags &= ~RULE_PP_IN_SET_ELEM;
|
|
||||||
break;
|
|
||||||
case EXPR_EXTHDR:
|
|
||||||
exthdr_dependency_kill(&ctx->pdctx, expr, ctx->pctx.family);
|
|
||||||
diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
|
|
||||||
index ef254b9..0057e9c 100644
|
|
||||||
--- a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
|
|
||||||
+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
|
|
||||||
@@ -1,14 +1,28 @@
|
|
||||||
table netdev nt {
|
|
||||||
+ set vlanidset {
|
|
||||||
+ typeof vlan id
|
|
||||||
+ size 1024
|
|
||||||
+ flags dynamic,timeout
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
set macset {
|
|
||||||
typeof ether saddr . vlan id
|
|
||||||
size 1024
|
|
||||||
flags dynamic,timeout
|
|
||||||
}
|
|
||||||
|
|
||||||
+ set ipset {
|
|
||||||
+ typeof vlan id . ip saddr
|
|
||||||
+ size 1024
|
|
||||||
+ flags dynamic,timeout
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
chain nc {
|
|
||||||
update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0
|
|
||||||
ether saddr . vlan id @macset
|
|
||||||
vlan pcp 1
|
|
||||||
ether saddr 0a:0b:0c:0d:0e:0f vlan id 42
|
|
||||||
+ update @vlanidset { vlan id timeout 5s } counter packets 0 bytes 0
|
|
||||||
+ update @ipset { vlan id . ip saddr timeout 5s } counter packets 0 bytes 0
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,198 +0,0 @@
|
|||||||
From da9367286d4589a3371d547cd8e6dd6d985cc69a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:27:58 +0100
|
|
||||||
Subject: [PATCH] evaluate: search stacked header list for matching payload dep
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 87c3041bfd244
|
|
||||||
|
|
||||||
commit 87c3041bfd244aaf39e644d33c0df4fe04079e1c
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Jul 25 20:02:28 2022 +0200
|
|
||||||
|
|
||||||
evaluate: search stacked header list for matching payload dep
|
|
||||||
|
|
||||||
"ether saddr 0:1:2:3:4:6 vlan id 2" works, but reverse fails:
|
|
||||||
|
|
||||||
"vlan id 2 ether saddr 0:1:2:3:4:6" will give
|
|
||||||
Error: conflicting protocols specified: vlan vs. ether
|
|
||||||
|
|
||||||
After "proto: track full stack of seen l2 protocols, not just cumulative offset",
|
|
||||||
we have a list of all l2 headers, so search those to see if we had this
|
|
||||||
proto base in the past before rejecting this.
|
|
||||||
|
|
||||||
Reported-by: Eric Garver <eric@garver.life>
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/evaluate.c | 21 +++++++---
|
|
||||||
tests/py/bridge/vlan.t | 3 ++
|
|
||||||
tests/py/bridge/vlan.t.json | 56 +++++++++++++++++++++++++++
|
|
||||||
tests/py/bridge/vlan.t.payload | 16 ++++++++
|
|
||||||
tests/py/bridge/vlan.t.payload.netdev | 20 ++++++++++
|
|
||||||
5 files changed, 110 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
||||||
index 9246064..d67f915 100644
|
|
||||||
--- a/src/evaluate.c
|
|
||||||
+++ b/src/evaluate.c
|
|
||||||
@@ -659,13 +659,22 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx,
|
|
||||||
struct stmt *nstmt = NULL;
|
|
||||||
int link, err;
|
|
||||||
|
|
||||||
- if (payload->payload.base == PROTO_BASE_LL_HDR &&
|
|
||||||
- proto_is_dummy(desc)) {
|
|
||||||
- err = meta_iiftype_gen_dependency(ctx, payload, &nstmt);
|
|
||||||
- if (err < 0)
|
|
||||||
- return err;
|
|
||||||
+ if (payload->payload.base == PROTO_BASE_LL_HDR) {
|
|
||||||
+ if (proto_is_dummy(desc)) {
|
|
||||||
+ err = meta_iiftype_gen_dependency(ctx, payload, &nstmt);
|
|
||||||
+ if (err < 0)
|
|
||||||
+ return err;
|
|
||||||
|
|
||||||
- rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
|
|
||||||
+ rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
|
|
||||||
+ } else {
|
|
||||||
+ unsigned int i;
|
|
||||||
+
|
|
||||||
+ /* payload desc stored in the L2 header stack? No conflict. */
|
|
||||||
+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++) {
|
|
||||||
+ if (ctx->pctx.stacked_ll[i] == payload->payload.desc)
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
assert(base <= PROTO_BASE_MAX);
|
|
||||||
diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
|
|
||||||
index 924ed4e..4920601 100644
|
|
||||||
--- a/tests/py/bridge/vlan.t
|
|
||||||
+++ b/tests/py/bridge/vlan.t
|
|
||||||
@@ -47,3 +47,6 @@ ether type ip vlan id 1 ip saddr 10.0.0.1;fail
|
|
||||||
|
|
||||||
# mangling
|
|
||||||
vlan id 1 vlan id set 2;ok
|
|
||||||
+
|
|
||||||
+ether saddr 00:01:02:03:04:05 vlan id 1;ok
|
|
||||||
+vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2
|
|
||||||
diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json
|
|
||||||
index e7640f9..58d4a40 100644
|
|
||||||
--- a/tests/py/bridge/vlan.t.json
|
|
||||||
+++ b/tests/py/bridge/vlan.t.json
|
|
||||||
@@ -761,3 +761,59 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
+
|
|
||||||
+# ether saddr 00:01:02:03:04:05 vlan id 1
|
|
||||||
+[
|
|
||||||
+ {
|
|
||||||
+ "match": {
|
|
||||||
+ "left": {
|
|
||||||
+ "payload": {
|
|
||||||
+ "field": "saddr",
|
|
||||||
+ "protocol": "ether"
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ "op": "==",
|
|
||||||
+ "right": "00:01:02:03:04:05"
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ "match": {
|
|
||||||
+ "left": {
|
|
||||||
+ "payload": {
|
|
||||||
+ "field": "id",
|
|
||||||
+ "protocol": "vlan"
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ "op": "==",
|
|
||||||
+ "right": 1
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+]
|
|
||||||
+
|
|
||||||
+# vlan id 2 ether saddr 0:1:2:3:4:6
|
|
||||||
+[
|
|
||||||
+ {
|
|
||||||
+ "match": {
|
|
||||||
+ "left": {
|
|
||||||
+ "payload": {
|
|
||||||
+ "field": "saddr",
|
|
||||||
+ "protocol": "ether"
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ "op": "==",
|
|
||||||
+ "right": "00:01:02:03:04:06"
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ "match": {
|
|
||||||
+ "left": {
|
|
||||||
+ "payload": {
|
|
||||||
+ "field": "id",
|
|
||||||
+ "protocol": "vlan"
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ "op": "==",
|
|
||||||
+ "right": 2
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+]
|
|
||||||
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
|
|
||||||
index 6c8d595..713670e 100644
|
|
||||||
--- a/tests/py/bridge/vlan.t.payload
|
|
||||||
+++ b/tests/py/bridge/vlan.t.payload
|
|
||||||
@@ -276,3 +276,19 @@ bridge
|
|
||||||
[ payload load 2b @ link header + 14 => reg 1 ]
|
|
||||||
[ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ]
|
|
||||||
[ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ]
|
|
||||||
+
|
|
||||||
+# ether saddr 00:01:02:03:04:05 vlan id 1
|
|
||||||
+bridge test-bridge input
|
|
||||||
+ [ payload load 8b @ link header + 6 => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x03020100 0x00810504 ]
|
|
||||||
+ [ payload load 2b @ link header + 14 => reg 1 ]
|
|
||||||
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000100 ]
|
|
||||||
+
|
|
||||||
+# vlan id 2 ether saddr 0:1:2:3:4:6
|
|
||||||
+bridge test-bridge input
|
|
||||||
+ [ payload load 8b @ link header + 6 => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x03020100 0x00810604 ]
|
|
||||||
+ [ payload load 2b @ link header + 14 => reg 1 ]
|
|
||||||
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000200 ]
|
|
||||||
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
|
|
||||||
index d2c7d74..98a2a2b 100644
|
|
||||||
--- a/tests/py/bridge/vlan.t.payload.netdev
|
|
||||||
+++ b/tests/py/bridge/vlan.t.payload.netdev
|
|
||||||
@@ -322,3 +322,23 @@ netdev
|
|
||||||
[ payload load 2b @ link header + 14 => reg 1 ]
|
|
||||||
[ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ]
|
|
||||||
[ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ]
|
|
||||||
+
|
|
||||||
+# vlan id 2 ether saddr 0:1:2:3:4:6
|
|
||||||
+netdev test-netdev ingress
|
|
||||||
+ [ meta load iiftype => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000001 ]
|
|
||||||
+ [ payload load 8b @ link header + 6 => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x03020100 0x00810604 ]
|
|
||||||
+ [ payload load 2b @ link header + 14 => reg 1 ]
|
|
||||||
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000200 ]
|
|
||||||
+
|
|
||||||
+# ether saddr 00:01:02:03:04:05 vlan id 1
|
|
||||||
+netdev test-netdev ingress
|
|
||||||
+ [ meta load iiftype => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000001 ]
|
|
||||||
+ [ payload load 8b @ link header + 6 => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x03020100 0x00810504 ]
|
|
||||||
+ [ payload load 2b @ link header + 14 => reg 1 ]
|
|
||||||
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000100 ]
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,223 +0,0 @@
|
|||||||
From f2988bad7c73e30ea4a80f348f7adf8078e6ef57 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 10:27:58 +0100
|
|
||||||
Subject: [PATCH] src: allow anon set concatenation with ether and vlan
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit c1c223f1b5818
|
|
||||||
|
|
||||||
commit c1c223f1b58188542222ee2d9a4a8cc133d1dc3b
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Jul 25 21:34:52 2022 +0200
|
|
||||||
|
|
||||||
src: allow anon set concatenation with ether and vlan
|
|
||||||
|
|
||||||
vlan id uses integer type (which has a length of 0).
|
|
||||||
|
|
||||||
Using it was possible, but listing would assert:
|
|
||||||
python: mergesort.c:24: concat_expr_msort_value: Assertion `ilen > 0' failed.
|
|
||||||
|
|
||||||
There are two reasons for this.
|
|
||||||
First reason is that the udata/typeof information lacks the 'vlan id'
|
|
||||||
part, because internally this is 'payload . binop(payload AND mask)'.
|
|
||||||
|
|
||||||
binop lacks an udata store. It makes little sense to store it,
|
|
||||||
'typeof' keyword expects normal match syntax.
|
|
||||||
|
|
||||||
So, when storing udata, store the left hand side of the binary
|
|
||||||
operation, i.e. the load of the 2-byte key.
|
|
||||||
|
|
||||||
With that resolved, delinerization could work, but concat_elem_expr()
|
|
||||||
would splice 12 bits off the elements value, but it should be 16 (on
|
|
||||||
a byte boundary).
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/expression.c | 17 +++++++++--
|
|
||||||
src/netlink.c | 10 +++++--
|
|
||||||
tests/py/bridge/vlan.t | 2 ++
|
|
||||||
tests/py/bridge/vlan.t.json | 41 +++++++++++++++++++++++++++
|
|
||||||
tests/py/bridge/vlan.t.payload | 12 ++++++++
|
|
||||||
tests/py/bridge/vlan.t.payload.netdev | 14 +++++++++
|
|
||||||
6 files changed, 91 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/expression.c b/src/expression.c
|
|
||||||
index deb649e..7390089 100644
|
|
||||||
--- a/src/expression.c
|
|
||||||
+++ b/src/expression.c
|
|
||||||
@@ -879,17 +879,30 @@ static void concat_expr_print(const struct expr *expr, struct output_ctx *octx)
|
|
||||||
#define NFTNL_UDATA_SET_KEY_CONCAT_SUB_DATA 1
|
|
||||||
#define NFTNL_UDATA_SET_KEY_CONCAT_SUB_MAX 2
|
|
||||||
|
|
||||||
+static struct expr *expr_build_udata_recurse(struct expr *e)
|
|
||||||
+{
|
|
||||||
+ switch (e->etype) {
|
|
||||||
+ case EXPR_BINOP:
|
|
||||||
+ return e->left;
|
|
||||||
+ default:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return e;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int concat_expr_build_udata(struct nftnl_udata_buf *udbuf,
|
|
||||||
const struct expr *concat_expr)
|
|
||||||
{
|
|
||||||
struct nftnl_udata *nest;
|
|
||||||
+ struct expr *expr, *tmp;
|
|
||||||
unsigned int i = 0;
|
|
||||||
- struct expr *expr;
|
|
||||||
|
|
||||||
- list_for_each_entry(expr, &concat_expr->expressions, list) {
|
|
||||||
+ list_for_each_entry_safe(expr, tmp, &concat_expr->expressions, list) {
|
|
||||||
struct nftnl_udata *nest_expr;
|
|
||||||
int err;
|
|
||||||
|
|
||||||
+ expr = expr_build_udata_recurse(expr);
|
|
||||||
if (!expr_ops(expr)->build_udata || i >= NFT_REG32_SIZE)
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
diff --git a/src/netlink.c b/src/netlink.c
|
|
||||||
index 89d864e..799cf9b 100644
|
|
||||||
--- a/src/netlink.c
|
|
||||||
+++ b/src/netlink.c
|
|
||||||
@@ -1114,17 +1114,21 @@ static struct expr *concat_elem_expr(struct expr *key,
|
|
||||||
struct expr *data, int *off)
|
|
||||||
{
|
|
||||||
const struct datatype *subtype;
|
|
||||||
+ unsigned int sub_length;
|
|
||||||
struct expr *expr;
|
|
||||||
|
|
||||||
if (key) {
|
|
||||||
(*off)--;
|
|
||||||
- expr = constant_expr_splice(data, key->len);
|
|
||||||
+ sub_length = round_up(key->len, BITS_PER_BYTE);
|
|
||||||
+
|
|
||||||
+ expr = constant_expr_splice(data, sub_length);
|
|
||||||
expr->dtype = datatype_get(key->dtype);
|
|
||||||
expr->byteorder = key->byteorder;
|
|
||||||
expr->len = key->len;
|
|
||||||
} else {
|
|
||||||
subtype = concat_subtype_lookup(dtype->type, --(*off));
|
|
||||||
- expr = constant_expr_splice(data, subtype->size);
|
|
||||||
+ sub_length = round_up(subtype->size, BITS_PER_BYTE);
|
|
||||||
+ expr = constant_expr_splice(data, sub_length);
|
|
||||||
expr->dtype = subtype;
|
|
||||||
expr->byteorder = subtype->byteorder;
|
|
||||||
}
|
|
||||||
@@ -1136,7 +1140,7 @@ static struct expr *concat_elem_expr(struct expr *key,
|
|
||||||
expr->dtype->basetype->type == TYPE_BITMASK)
|
|
||||||
expr = bitmask_expr_to_binops(expr);
|
|
||||||
|
|
||||||
- data->len -= netlink_padding_len(expr->len);
|
|
||||||
+ data->len -= netlink_padding_len(sub_length);
|
|
||||||
|
|
||||||
return expr;
|
|
||||||
}
|
|
||||||
diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
|
|
||||||
index 4920601..95bdff4 100644
|
|
||||||
--- a/tests/py/bridge/vlan.t
|
|
||||||
+++ b/tests/py/bridge/vlan.t
|
|
||||||
@@ -50,3 +50,5 @@ vlan id 1 vlan id set 2;ok
|
|
||||||
|
|
||||||
ether saddr 00:01:02:03:04:05 vlan id 1;ok
|
|
||||||
vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2
|
|
||||||
+
|
|
||||||
+ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 };ok
|
|
||||||
diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json
|
|
||||||
index 58d4a40..f77756f 100644
|
|
||||||
--- a/tests/py/bridge/vlan.t.json
|
|
||||||
+++ b/tests/py/bridge/vlan.t.json
|
|
||||||
@@ -817,3 +817,44 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
+
|
|
||||||
+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }
|
|
||||||
+[
|
|
||||||
+ {
|
|
||||||
+ "match": {
|
|
||||||
+ "left": {
|
|
||||||
+ "concat": [
|
|
||||||
+ {
|
|
||||||
+ "payload": {
|
|
||||||
+ "field": "saddr",
|
|
||||||
+ "protocol": "ether"
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ "payload": {
|
|
||||||
+ "field": "id",
|
|
||||||
+ "protocol": "vlan"
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ ]
|
|
||||||
+ },
|
|
||||||
+ "op": "==",
|
|
||||||
+ "right": {
|
|
||||||
+ "set": [
|
|
||||||
+ {
|
|
||||||
+ "concat": [
|
|
||||||
+ "0a:0b:0c:0d:0e:0f",
|
|
||||||
+ 42
|
|
||||||
+ ]
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ "concat": [
|
|
||||||
+ "0a:0b:0c:0d:0e:0f",
|
|
||||||
+ 4095
|
|
||||||
+ ]
|
|
||||||
+ }
|
|
||||||
+ ]
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+]
|
|
||||||
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
|
|
||||||
index 713670e..62e4b89 100644
|
|
||||||
--- a/tests/py/bridge/vlan.t.payload
|
|
||||||
+++ b/tests/py/bridge/vlan.t.payload
|
|
||||||
@@ -292,3 +292,15 @@ bridge test-bridge input
|
|
||||||
[ payload load 2b @ link header + 14 => reg 1 ]
|
|
||||||
[ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
|
|
||||||
[ cmp eq reg 1 0x00000200 ]
|
|
||||||
+
|
|
||||||
+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }
|
|
||||||
+__set%d test-bridge 3 size 2
|
|
||||||
+__set%d test-bridge 0
|
|
||||||
+ element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end]
|
|
||||||
+bridge test-bridge input
|
|
||||||
+ [ payload load 2b @ link header + 12 => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000081 ]
|
|
||||||
+ [ payload load 6b @ link header + 6 => reg 1 ]
|
|
||||||
+ [ payload load 2b @ link header + 14 => reg 10 ]
|
|
||||||
+ [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ]
|
|
||||||
+ [ lookup reg 1 set __set%d ]
|
|
||||||
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
|
|
||||||
index 98a2a2b..1018d4c 100644
|
|
||||||
--- a/tests/py/bridge/vlan.t.payload.netdev
|
|
||||||
+++ b/tests/py/bridge/vlan.t.payload.netdev
|
|
||||||
@@ -342,3 +342,17 @@ netdev test-netdev ingress
|
|
||||||
[ payload load 2b @ link header + 14 => reg 1 ]
|
|
||||||
[ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
|
|
||||||
[ cmp eq reg 1 0x00000100 ]
|
|
||||||
+
|
|
||||||
+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }
|
|
||||||
+__set%d test-netdev 3 size 2
|
|
||||||
+__set%d test-netdev 0
|
|
||||||
+ element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end]
|
|
||||||
+netdev test-netdev ingress
|
|
||||||
+ [ meta load iiftype => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000001 ]
|
|
||||||
+ [ payload load 2b @ link header + 12 => reg 1 ]
|
|
||||||
+ [ cmp eq reg 1 0x00000081 ]
|
|
||||||
+ [ payload load 6b @ link header + 6 => reg 1 ]
|
|
||||||
+ [ payload load 2b @ link header + 14 => reg 10 ]
|
|
||||||
+ [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ]
|
|
||||||
+ [ lookup reg 1 set __set%d ]
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,200 +0,0 @@
|
|||||||
From baea5b0f3199d21a8089ab792aee86621f67202c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 12:45:30 +0100
|
|
||||||
Subject: [PATCH] evaluate: set eval ctx for add/update statements with integer
|
|
||||||
constants
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 4cc6b20d31498
|
|
||||||
|
|
||||||
commit 4cc6b20d31498d90e90ff574ce8b70276afcee8f
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Jan 23 19:03:28 2023 +0100
|
|
||||||
|
|
||||||
evaluate: set eval ctx for add/update statements with integer constants
|
|
||||||
|
|
||||||
Eric reports that nft asserts when using integer basetype constants with
|
|
||||||
'typeof' sets. Example:
|
|
||||||
table netdev t {
|
|
||||||
set s {
|
|
||||||
typeof ether saddr . vlan id
|
|
||||||
flags dynamic,timeout
|
|
||||||
}
|
|
||||||
|
|
||||||
chain c { }
|
|
||||||
}
|
|
||||||
|
|
||||||
loads fine. But adding a rule with add/update statement fails:
|
|
||||||
nft 'add rule netdev t c set update ether saddr . 0 @s'
|
|
||||||
nft: netlink_linearize.c:867: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.
|
|
||||||
|
|
||||||
When the 'ether saddr . 0' concat expression is processed, there is
|
|
||||||
no set definition available anymore to deduce the required size of the
|
|
||||||
integer constant.
|
|
||||||
|
|
||||||
nft eval step then derives the required length using the data types.
|
|
||||||
'0' has integer basetype, so the deduced length is 0.
|
|
||||||
|
|
||||||
The assertion triggers because serialization step finds that it
|
|
||||||
needs one more register.
|
|
||||||
|
|
||||||
2 are needed to store the ethernet address, another register is
|
|
||||||
needed for the vlan id.
|
|
||||||
|
|
||||||
Update eval step to make the expression context store the set key
|
|
||||||
information when processing the preceeding set reference, then
|
|
||||||
let stmt_evaluate_set() preserve the existing context instead of
|
|
||||||
zeroing it again via stmt_evaluate_arg().
|
|
||||||
|
|
||||||
This makes concat expression evaluation compute the total size
|
|
||||||
needed based on the sets key definition.
|
|
||||||
|
|
||||||
Reported-by: Eric Garver <eric@garver.life>
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/evaluate.c | 32 +++++++++++++++++--
|
|
||||||
.../maps/dumps/typeof_maps_concat.nft | 11 +++++++
|
|
||||||
tests/shell/testcases/maps/typeof_maps_concat | 6 ++++
|
|
||||||
.../sets/dumps/typeof_sets_concat.nft | 12 +++++++
|
|
||||||
tests/shell/testcases/sets/typeof_sets_concat | 6 ++++
|
|
||||||
5 files changed, 65 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100644 tests/shell/testcases/maps/dumps/typeof_maps_concat.nft
|
|
||||||
create mode 100755 tests/shell/testcases/maps/typeof_maps_concat
|
|
||||||
create mode 100644 tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
|
|
||||||
create mode 100755 tests/shell/testcases/sets/typeof_sets_concat
|
|
||||||
|
|
||||||
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
||||||
index d67f915..7f81411 100644
|
|
||||||
--- a/src/evaluate.c
|
|
||||||
+++ b/src/evaluate.c
|
|
||||||
@@ -1526,6 +1526,14 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void expr_evaluate_set_ref(struct eval_ctx *ctx, struct expr *expr)
|
|
||||||
+{
|
|
||||||
+ struct set *set = expr->set;
|
|
||||||
+
|
|
||||||
+ expr_set_context(&ctx->ectx, set->key->dtype, set->key->len);
|
|
||||||
+ ctx->ectx.key = set->key;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
|
|
||||||
{
|
|
||||||
struct expr *set = *expr, *i, *next;
|
|
||||||
@@ -2388,6 +2396,7 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
|
|
||||||
case EXPR_VARIABLE:
|
|
||||||
return expr_evaluate_variable(ctx, expr);
|
|
||||||
case EXPR_SET_REF:
|
|
||||||
+ expr_evaluate_set_ref(ctx, *expr);
|
|
||||||
return 0;
|
|
||||||
case EXPR_VALUE:
|
|
||||||
return expr_evaluate_value(ctx, expr);
|
|
||||||
@@ -2550,6 +2559,25 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt,
|
|
||||||
return __stmt_evaluate_arg(ctx, stmt, dtype, len, byteorder, expr);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* like stmt_evaluate_arg, but keep existing context created
|
|
||||||
+ * by previous expr_evaluate().
|
|
||||||
+ *
|
|
||||||
+ * This is needed for add/update statements:
|
|
||||||
+ * ctx->ectx.key has the set key, which may be needed for 'typeof'
|
|
||||||
+ * sets: the 'add/update' expression might contain integer data types.
|
|
||||||
+ *
|
|
||||||
+ * Without the key we cannot derive the element size.
|
|
||||||
+ */
|
|
||||||
+static int stmt_evaluate_key(struct eval_ctx *ctx, struct stmt *stmt,
|
|
||||||
+ const struct datatype *dtype, unsigned int len,
|
|
||||||
+ enum byteorder byteorder, struct expr **expr)
|
|
||||||
+{
|
|
||||||
+ if (expr_evaluate(ctx, expr) < 0)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ return __stmt_evaluate_arg(ctx, stmt, dtype, len, byteorder, expr);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt)
|
|
||||||
{
|
|
||||||
if (stmt_evaluate_arg(ctx, stmt, &verdict_type, 0, 0, &stmt->expr) < 0)
|
|
||||||
@@ -3762,7 +3790,7 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
|
|
||||||
return expr_error(ctx->msgs, stmt->set.set,
|
|
||||||
"Expression does not refer to a set");
|
|
||||||
|
|
||||||
- if (stmt_evaluate_arg(ctx, stmt,
|
|
||||||
+ if (stmt_evaluate_key(ctx, stmt,
|
|
||||||
stmt->set.set->set->key->dtype,
|
|
||||||
stmt->set.set->set->key->len,
|
|
||||||
stmt->set.set->set->key->byteorder,
|
|
||||||
@@ -3805,7 +3833,7 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
|
|
||||||
return expr_error(ctx->msgs, stmt->map.set,
|
|
||||||
"Expression does not refer to a set");
|
|
||||||
|
|
||||||
- if (stmt_evaluate_arg(ctx, stmt,
|
|
||||||
+ if (stmt_evaluate_key(ctx, stmt,
|
|
||||||
stmt->map.set->set->key->dtype,
|
|
||||||
stmt->map.set->set->key->len,
|
|
||||||
stmt->map.set->set->key->byteorder,
|
|
||||||
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..1ca98d8
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft
|
|
||||||
@@ -0,0 +1,11 @@
|
|
||||||
+table netdev t {
|
|
||||||
+ map m {
|
|
||||||
+ typeof ether saddr . vlan id : meta mark
|
|
||||||
+ size 1234
|
|
||||||
+ flags dynamic,timeout
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ chain c {
|
|
||||||
+ ether type != 8021q update @m { ether daddr . 123 timeout 1m : 0x0000002a } counter packets 0 bytes 0 return
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/tests/shell/testcases/maps/typeof_maps_concat b/tests/shell/testcases/maps/typeof_maps_concat
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..07820b7
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/maps/typeof_maps_concat
|
|
||||||
@@ -0,0 +1,6 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
|
|
||||||
+
|
|
||||||
+$NFT -f "$dumpfile"
|
|
||||||
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..dbaf7cd
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
|
|
||||||
@@ -0,0 +1,12 @@
|
|
||||||
+table netdev t {
|
|
||||||
+ set s {
|
|
||||||
+ typeof ether saddr . vlan id
|
|
||||||
+ size 2048
|
|
||||||
+ flags dynamic,timeout
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ chain c {
|
|
||||||
+ ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return
|
|
||||||
+ ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..07820b7
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/typeof_sets_concat
|
|
||||||
@@ -0,0 +1,6 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
|
|
||||||
+
|
|
||||||
+$NFT -f "$dumpfile"
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,107 +0,0 @@
|
|||||||
From 6e522a03cfda57267224ecdd653dcfda9c4efe62 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 9 Feb 2023 15:25:37 +0100
|
|
||||||
Subject: [PATCH] monitor: Sanitize startup race condition
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 545edb7a8ef0a
|
|
||||||
|
|
||||||
commit 545edb7a8ef0a8acf991b1b7857fddc24d7b151a
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Wed Sep 28 23:26:42 2022 +0200
|
|
||||||
|
|
||||||
monitor: Sanitize startup race condition
|
|
||||||
|
|
||||||
During startup, 'nft monitor' first fetches the current ruleset and then
|
|
||||||
keeps this cache up to date based on received events. This is racey, as
|
|
||||||
any ruleset changes in between the initial fetch and the socket opening
|
|
||||||
are not recognized.
|
|
||||||
|
|
||||||
This script demonstrates the problem:
|
|
||||||
|
|
||||||
| #!/bin/bash
|
|
||||||
|
|
|
||||||
| while true; do
|
|
||||||
| nft flush ruleset
|
|
||||||
| iptables-nft -A FORWARD
|
|
||||||
| done &
|
|
||||||
| maniploop=$!
|
|
||||||
|
|
|
||||||
| trap "kill $maniploop; kill \$!; wait" EXIT
|
|
||||||
|
|
|
||||||
| while true; do
|
|
||||||
| nft monitor rules >/dev/null &
|
|
||||||
| sleep 0.2
|
|
||||||
| kill $!
|
|
||||||
| done
|
|
||||||
|
|
||||||
If the table add event is missed, the rule add event callback fails to
|
|
||||||
deserialize the rule and calls abort().
|
|
||||||
|
|
||||||
Avoid the inconvenient program exit by returning NULL from
|
|
||||||
netlink_delinearize_rule() instead of aborting and make callers check
|
|
||||||
the return value.
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/cache.c | 1 +
|
|
||||||
src/monitor.c | 5 +++++
|
|
||||||
src/netlink_delinearize.c | 5 ++++-
|
|
||||||
3 files changed, 10 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/cache.c b/src/cache.c
|
|
||||||
index fd8df88..701aec6 100644
|
|
||||||
--- a/src/cache.c
|
|
||||||
+++ b/src/cache.c
|
|
||||||
@@ -490,6 +490,7 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *data)
|
|
||||||
|
|
||||||
netlink_dump_rule(nlr, ctx);
|
|
||||||
rule = netlink_delinearize_rule(ctx, nlr);
|
|
||||||
+ assert(rule);
|
|
||||||
list_add_tail(&rule->list, &ctx->list);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
diff --git a/src/monitor.c b/src/monitor.c
|
|
||||||
index 7fa92eb..a6b30a1 100644
|
|
||||||
--- a/src/monitor.c
|
|
||||||
+++ b/src/monitor.c
|
|
||||||
@@ -551,6 +551,10 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type,
|
|
||||||
|
|
||||||
nlr = netlink_rule_alloc(nlh);
|
|
||||||
r = netlink_delinearize_rule(monh->ctx, nlr);
|
|
||||||
+ if (!r) {
|
|
||||||
+ fprintf(stderr, "W: Received event for an unknown table.\n");
|
|
||||||
+ goto out_free_nlr;
|
|
||||||
+ }
|
|
||||||
nlr_for_each_set(nlr, rule_map_decompose_cb, NULL,
|
|
||||||
&monh->ctx->nft->cache);
|
|
||||||
cmd = netlink_msg2cmd(type, nlh->nlmsg_flags);
|
|
||||||
@@ -587,6 +591,7 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
rule_free(r);
|
|
||||||
+out_free_nlr:
|
|
||||||
nftnl_rule_free(nlr);
|
|
||||||
return MNL_CB_OK;
|
|
||||||
}
|
|
||||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
|
||||||
index c6ad84d..1d47c74 100644
|
|
||||||
--- a/src/netlink_delinearize.c
|
|
||||||
+++ b/src/netlink_delinearize.c
|
|
||||||
@@ -3194,7 +3194,10 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
|
|
||||||
pctx->rule = rule_alloc(&netlink_location, &h);
|
|
||||||
pctx->table = table_cache_find(&ctx->nft->cache.table_cache,
|
|
||||||
h.table.name, h.family);
|
|
||||||
- assert(pctx->table != NULL);
|
|
||||||
+ if (!pctx->table) {
|
|
||||||
+ errno = ENOENT;
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
pctx->rule->comment = nftnl_rule_get_comment(nlr);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,53 +0,0 @@
|
|||||||
From 9126153259c891ef55571f358d1e56b3f2274fc4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Fri, 17 Feb 2023 17:52:16 +0100
|
|
||||||
Subject: [PATCH] netlink_delinearize: fix decoding of concat data element
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit db59a5c1204c9
|
|
||||||
|
|
||||||
commit db59a5c1204c9246a82a115a8761f15809578479
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Dec 12 11:04:34 2022 +0100
|
|
||||||
|
|
||||||
netlink_delinearize: fix decoding of concat data element
|
|
||||||
|
|
||||||
Its possible to use update as follows:
|
|
||||||
|
|
||||||
meta l4proto tcp update @pinned { ip saddr . ct original proto-src : ip daddr . ct original proto-dst }
|
|
||||||
|
|
||||||
... but when listing, only the first element of the concatenation is
|
|
||||||
shown.
|
|
||||||
|
|
||||||
Check if the element size is too small and parse subsequent registers as
|
|
||||||
well.
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/netlink_delinearize.c | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
|
||||||
index 1d47c74..e9e0845 100644
|
|
||||||
--- a/src/netlink_delinearize.c
|
|
||||||
+++ b/src/netlink_delinearize.c
|
|
||||||
@@ -1659,6 +1659,14 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
|
|
||||||
if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_SREG_DATA)) {
|
|
||||||
sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);
|
|
||||||
expr_data = netlink_get_register(ctx, loc, sreg_data);
|
|
||||||
+
|
|
||||||
+ if (expr_data->len < set->data->len) {
|
|
||||||
+ expr_free(expr_data);
|
|
||||||
+ expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);
|
|
||||||
+ if (expr_data == NULL)
|
|
||||||
+ netlink_error(ctx, loc,
|
|
||||||
+ "Could not parse dynset map data expressions");
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
if (expr_data != NULL) {
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,66 +0,0 @@
|
|||||||
From d6e25e9fb09649963852ba79a249efeb067c6db4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Fri, 17 Feb 2023 17:52:16 +0100
|
|
||||||
Subject: [PATCH] netlink_linearize: fix timeout with map updates
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 284c038ef4c69
|
|
||||||
|
|
||||||
commit 284c038ef4c69d042ef91272d90c143019ecea1f
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Dec 12 11:04:35 2022 +0100
|
|
||||||
|
|
||||||
netlink_linearize: fix timeout with map updates
|
|
||||||
|
|
||||||
Map updates can use timeouts, just like with sets, but the
|
|
||||||
linearization step did not pass this info to the kernel.
|
|
||||||
|
|
||||||
meta l4proto tcp update @pinned { ip saddr . ct original proto-src timeout 90s : ip daddr . tcp dport
|
|
||||||
|
|
||||||
Listing this won't show the "timeout 90s" because kernel never saw it to
|
|
||||||
begin with.
|
|
||||||
|
|
||||||
Also update evaluation step to reject a timeout that was set on
|
|
||||||
the data part: Timeouts are only allowed for the key-value pair
|
|
||||||
as a whole.
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/evaluate.c | 3 +++
|
|
||||||
src/netlink_linearize.c | 4 ++++
|
|
||||||
2 files changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
||||||
index 7f81411..6d0a0f5 100644
|
|
||||||
--- a/src/evaluate.c
|
|
||||||
+++ b/src/evaluate.c
|
|
||||||
@@ -3858,6 +3858,9 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
|
|
||||||
if (stmt->map.data->comment != NULL)
|
|
||||||
return expr_error(ctx->msgs, stmt->map.data,
|
|
||||||
"Data expression comments are not supported");
|
|
||||||
+ if (stmt->map.data->timeout > 0)
|
|
||||||
+ return expr_error(ctx->msgs, stmt->map.data,
|
|
||||||
+ "Data expression timeouts are not supported");
|
|
||||||
|
|
||||||
list_for_each_entry(this, &stmt->map.stmt_list, list) {
|
|
||||||
if (stmt_evaluate(ctx, this) < 0)
|
|
||||||
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
|
|
||||||
index c8bbcb7..6de0a96 100644
|
|
||||||
--- a/src/netlink_linearize.c
|
|
||||||
+++ b/src/netlink_linearize.c
|
|
||||||
@@ -1520,6 +1520,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
|
|
||||||
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
|
|
||||||
nft_rule_add_expr(ctx, nle, &stmt->location);
|
|
||||||
|
|
||||||
+ if (stmt->map.key->timeout > 0)
|
|
||||||
+ nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT,
|
|
||||||
+ stmt->map.key->timeout);
|
|
||||||
+
|
|
||||||
list_for_each_entry(this, &stmt->map.stmt_list, list)
|
|
||||||
num_stmts++;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,73 +0,0 @@
|
|||||||
From 254a7ef45c890e297d9390a6f20b9132ad17c5d1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Fri, 17 Feb 2023 17:52:16 +0100
|
|
||||||
Subject: [PATCH] tests: add a test case for map update from packet path with
|
|
||||||
concat
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit b8e1940aa1907
|
|
||||||
|
|
||||||
commit b8e1940aa190773b23b3ee9349beb20c31f42bdb
|
|
||||||
Author: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Mon Dec 12 11:04:36 2022 +0100
|
|
||||||
|
|
||||||
tests: add a test case for map update from packet path with concat
|
|
||||||
|
|
||||||
add a second test case for map updates, this time with both
|
|
||||||
a timeout and a data element that consists of a concatenation.
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
.../maps/dumps/typeof_maps_concat_update_0.nft | 12 ++++++++++++
|
|
||||||
.../testcases/maps/typeof_maps_concat_update_0 | 18 ++++++++++++++++++
|
|
||||||
2 files changed, 30 insertions(+)
|
|
||||||
create mode 100644 tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
|
|
||||||
create mode 100755 tests/shell/testcases/maps/typeof_maps_concat_update_0
|
|
||||||
|
|
||||||
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..d91b795
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
|
|
||||||
@@ -0,0 +1,12 @@
|
|
||||||
+table ip foo {
|
|
||||||
+ map pinned {
|
|
||||||
+ typeof ip daddr . tcp dport : ip daddr . tcp dport
|
|
||||||
+ size 65535
|
|
||||||
+ flags dynamic,timeout
|
|
||||||
+ timeout 6m
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ chain pr {
|
|
||||||
+ update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..645ae14
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0
|
|
||||||
@@ -0,0 +1,18 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+# check update statement does print both concatentations (key and data).
|
|
||||||
+
|
|
||||||
+EXPECTED="table ip foo {
|
|
||||||
+ map pinned {
|
|
||||||
+ typeof ip daddr . tcp dport : ip daddr . tcp dport
|
|
||||||
+ size 65535
|
|
||||||
+ flags dynamic,timeout
|
|
||||||
+ timeout 6m
|
|
||||||
+ }
|
|
||||||
+ chain pr {
|
|
||||||
+ meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
|
|
||||||
+ }
|
|
||||||
+}"
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+$NFT -f - <<< $EXPECTED
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From dbb1bcfbe480866f06977b2648b0a1595091b2b9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Tue, 21 Feb 2023 19:50:40 +0100
|
|
||||||
Subject: [PATCH] owner: Fix potential array out of bounds access
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 9967911e3dabb
|
|
||||||
|
|
||||||
commit 9967911e3dabb32901617e81e56602af3b37287f
|
|
||||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Date: Wed Dec 21 17:37:46 2022 +0100
|
|
||||||
|
|
||||||
owner: Fix potential array out of bounds access
|
|
||||||
|
|
||||||
If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
|
|
||||||
return 'sizeof(tmp)'. Using this value as index is illegal.
|
|
||||||
|
|
||||||
Original update from Phil, for the conntrack-tools tree, which also has
|
|
||||||
a copy of this function.
|
|
||||||
|
|
||||||
Fixes: 6d085b22a8b5 ("table: support for the table owner flag")
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/owner.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/owner.c b/src/owner.c
|
|
||||||
index 2d98a2e..20bed38 100644
|
|
||||||
--- a/src/owner.c
|
|
||||||
+++ b/src/owner.c
|
|
||||||
@@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
rl = readlink(procname, tmp, sizeof(tmp));
|
|
||||||
- if (rl <= 0 || rl > (ssize_t)sizeof(tmp))
|
|
||||||
+ if (rl <= 0 || rl >= (ssize_t)sizeof(tmp))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
tmp[rl] = 0;
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,57 +0,0 @@
|
|||||||
From b5fd150a3fbad94381276bedc816d4a6fdecfaf9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Tue, 21 Feb 2023 19:50:41 +0100
|
|
||||||
Subject: [PATCH] mnl: dump_nf_hooks() leaks memory in error path
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit ef66f321e49b3
|
|
||||||
|
|
||||||
commit ef66f321e49b337c7e678bb90d6acb94f331dfc4
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Wed Jan 11 12:28:15 2023 +0100
|
|
||||||
|
|
||||||
mnl: dump_nf_hooks() leaks memory in error path
|
|
||||||
|
|
||||||
Have to free the basehook object before returning to caller.
|
|
||||||
|
|
||||||
Fixes: 4694f7230195b ("src: add support for base hook dumping")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/mnl.c | 11 +++++++++--
|
|
||||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mnl.c b/src/mnl.c
|
|
||||||
index 7dd77be..269d3f1 100644
|
|
||||||
--- a/src/mnl.c
|
|
||||||
+++ b/src/mnl.c
|
|
||||||
@@ -2211,16 +2211,23 @@ static int dump_nf_hooks(const struct nlmsghdr *nlh, void *_data)
|
|
||||||
struct nlattr *nested[NFNLA_HOOK_INFO_MAX + 1] = {};
|
|
||||||
uint32_t type;
|
|
||||||
|
|
||||||
- if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], dump_nf_chain_info_cb, nested) < 0)
|
|
||||||
+ if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO],
|
|
||||||
+ dump_nf_chain_info_cb, nested) < 0) {
|
|
||||||
+ basehook_free(hook);
|
|
||||||
return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
type = ntohl(mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE]));
|
|
||||||
if (type == NFNL_HOOK_TYPE_NFTABLES) {
|
|
||||||
struct nlattr *info[NFNLA_CHAIN_MAX + 1] = {};
|
|
||||||
const char *tablename, *chainname;
|
|
||||||
|
|
||||||
- if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], dump_nf_attr_chain_cb, info) < 0)
|
|
||||||
+ if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC],
|
|
||||||
+ dump_nf_attr_chain_cb,
|
|
||||||
+ info) < 0) {
|
|
||||||
+ basehook_free(hook);
|
|
||||||
return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
tablename = mnl_attr_get_str(info[NFNLA_CHAIN_TABLE]);
|
|
||||||
chainname = mnl_attr_get_str(info[NFNLA_CHAIN_NAME]);
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From f5f1b17763264d88593eba175438818cf6533471 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Tue, 21 Feb 2023 19:50:41 +0100
|
|
||||||
Subject: [PATCH] meta: parse_iso_date() returns boolean
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit db6e97bd667bf
|
|
||||||
|
|
||||||
commit db6e97bd667bf205cee22049f9d0fd6550cb43a7
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Wed Jan 11 11:26:41 2023 +0100
|
|
||||||
|
|
||||||
meta: parse_iso_date() returns boolean
|
|
||||||
|
|
||||||
Returning ts if 'ts == (time_t) -1' signals success to caller despite
|
|
||||||
failure.
|
|
||||||
|
|
||||||
Fixes: 4460b839b945a ("meta: fix compiler warning in date_type_parse()")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/meta.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/meta.c b/src/meta.c
|
|
||||||
index 80ace25..73bd1c4 100644
|
|
||||||
--- a/src/meta.c
|
|
||||||
+++ b/src/meta.c
|
|
||||||
@@ -433,7 +433,7 @@ success:
|
|
||||||
cur_tm = localtime(&ts);
|
|
||||||
|
|
||||||
if (ts == (time_t) -1 || cur_tm == NULL)
|
|
||||||
- return ts;
|
|
||||||
+ return false;
|
|
||||||
|
|
||||||
/* Substract tm_gmtoff to get the current time */
|
|
||||||
*tstamp = ts - cur_tm->tm_gmtoff;
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 3fbbb074303ec3dafd97fcdeaa0a292068c23140 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Tue, 21 Feb 2023 19:50:41 +0100
|
|
||||||
Subject: [PATCH] netlink: Fix for potential NULL-pointer deref
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 927d5674e7bf6
|
|
||||||
|
|
||||||
commit 927d5674e7bf656428f97c54c9171006e8c3c75e
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Tue Jan 10 22:36:58 2023 +0100
|
|
||||||
|
|
||||||
netlink: Fix for potential NULL-pointer deref
|
|
||||||
|
|
||||||
If memory allocation fails, calloc() returns NULL which was not checked
|
|
||||||
for. The code seems to expect zero array size though, so simply
|
|
||||||
replacing this call by one of the x*calloc() ones won't work. So guard
|
|
||||||
the call also by a check for 'len'.
|
|
||||||
|
|
||||||
Fixes: db0697ce7f602 ("src: support for flowtable listing")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/netlink.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/netlink.c b/src/netlink.c
|
|
||||||
index 799cf9b..dee1732 100644
|
|
||||||
--- a/src/netlink.c
|
|
||||||
+++ b/src/netlink.c
|
|
||||||
@@ -1700,7 +1700,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
|
|
||||||
while (dev_array[len])
|
|
||||||
len++;
|
|
||||||
|
|
||||||
- flowtable->dev_array = calloc(1, len * sizeof(char *));
|
|
||||||
+ if (len)
|
|
||||||
+ flowtable->dev_array = xmalloc(len * sizeof(char *));
|
|
||||||
for (i = 0; i < len; i++)
|
|
||||||
flowtable->dev_array[i] = xstrdup(dev_array[i]);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 8bdba078567b879054880ec957a78842c5a18848 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Tue, 21 Feb 2023 19:50:41 +0100
|
|
||||||
Subject: [PATCH] optimize: Do not return garbage from stack
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit d4d47e5bdf943
|
|
||||||
|
|
||||||
commit d4d47e5bdf943be494aeb5d5a29b8f5212acbddf
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Fri Jan 13 17:09:53 2023 +0100
|
|
||||||
|
|
||||||
optimize: Do not return garbage from stack
|
|
||||||
|
|
||||||
If input does not contain a single 'add' command (unusual, but
|
|
||||||
possible), 'ret' value was not initialized by nft_optimize() before
|
|
||||||
returning its value.
|
|
||||||
|
|
||||||
Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/optimize.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/optimize.c b/src/optimize.c
|
|
||||||
index 3a3049d..6514cbb 100644
|
|
||||||
--- a/src/optimize.c
|
|
||||||
+++ b/src/optimize.c
|
|
||||||
@@ -1017,7 +1017,7 @@ static int cmd_optimize(struct nft_ctx *nft, struct cmd *cmd)
|
|
||||||
int nft_optimize(struct nft_ctx *nft, struct list_head *cmds)
|
|
||||||
{
|
|
||||||
struct cmd *cmd;
|
|
||||||
- int ret;
|
|
||||||
+ int ret = 0;
|
|
||||||
|
|
||||||
list_for_each_entry(cmd, cmds, list) {
|
|
||||||
switch (cmd->op) {
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,51 +0,0 @@
|
|||||||
From 2438c7dafba336236e2e5dc1a6c57b6e157327cf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Tue, 21 Feb 2023 19:50:41 +0100
|
|
||||||
Subject: [PATCH] optimize: Clarify chain_optimize() array allocations
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit b83a0416cdc88
|
|
||||||
|
|
||||||
commit b83a0416cdc881c6ac35739cd858e4fe5fb2e04f
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Tue Jan 10 22:13:44 2023 +0100
|
|
||||||
|
|
||||||
optimize: Clarify chain_optimize() array allocations
|
|
||||||
|
|
||||||
Arguments passed to sizeof() where deemed suspicious by covscan due to
|
|
||||||
the different type. Consistently specify size of an array 'a' using
|
|
||||||
'sizeof(*a) * nmemb'.
|
|
||||||
|
|
||||||
For the statement arrays in stmt_matrix, even use xzalloc_array() since
|
|
||||||
the item count is fixed and therefore can't be zero.
|
|
||||||
|
|
||||||
Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/optimize.c | 7 ++++---
|
|
||||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/optimize.c b/src/optimize.c
|
|
||||||
index 6514cbb..baa6abc 100644
|
|
||||||
--- a/src/optimize.c
|
|
||||||
+++ b/src/optimize.c
|
|
||||||
@@ -918,10 +918,11 @@ static int chain_optimize(struct nft_ctx *nft, struct list_head *rules)
|
|
||||||
ctx->num_rules++;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ctx->rule = xzalloc(sizeof(ctx->rule) * ctx->num_rules);
|
|
||||||
- ctx->stmt_matrix = xzalloc(sizeof(struct stmt *) * ctx->num_rules);
|
|
||||||
+ ctx->rule = xzalloc(sizeof(*ctx->rule) * ctx->num_rules);
|
|
||||||
+ ctx->stmt_matrix = xzalloc(sizeof(*ctx->stmt_matrix) * ctx->num_rules);
|
|
||||||
for (i = 0; i < ctx->num_rules; i++)
|
|
||||||
- ctx->stmt_matrix[i] = xzalloc(sizeof(struct stmt *) * MAX_STMTS);
|
|
||||||
+ ctx->stmt_matrix[i] = xzalloc_array(MAX_STMTS,
|
|
||||||
+ sizeof(**ctx->stmt_matrix));
|
|
||||||
|
|
||||||
merge = xzalloc(sizeof(*merge) * ctx->num_rules);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 21d7fa6f6a40d56c5c23eedd6ddb6a411fb8e62b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Tue, 21 Feb 2023 19:50:41 +0100
|
|
||||||
Subject: [PATCH] netlink_delinearize: Sanitize concat data element decoding
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit 1344d9e53ba4d
|
|
||||||
|
|
||||||
commit 1344d9e53ba4d67cedd13a2c76a970fc7ce65683
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Tue Feb 21 18:36:01 2023 +0100
|
|
||||||
|
|
||||||
netlink_delinearize: Sanitize concat data element decoding
|
|
||||||
|
|
||||||
The call to netlink_get_register() might return NULL, catch this before
|
|
||||||
dereferencing the pointer.
|
|
||||||
|
|
||||||
Fixes: db59a5c1204c9 ("netlink_delinearize: fix decoding of concat data element")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
Acked-by: Florian Westphal <fw@strlen.de>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/netlink_delinearize.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
|
||||||
index e9e0845..cadb8ec 100644
|
|
||||||
--- a/src/netlink_delinearize.c
|
|
||||||
+++ b/src/netlink_delinearize.c
|
|
||||||
@@ -1660,7 +1660,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
|
|
||||||
sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);
|
|
||||||
expr_data = netlink_get_register(ctx, loc, sreg_data);
|
|
||||||
|
|
||||||
- if (expr_data->len < set->data->len) {
|
|
||||||
+ if (expr_data && expr_data->len < set->data->len) {
|
|
||||||
expr_free(expr_data);
|
|
||||||
expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);
|
|
||||||
if (expr_data == NULL)
|
|
||||||
--
|
|
||||||
2.41.0.rc1
|
|
||||||
|
|
@ -1,54 +0,0 @@
|
|||||||
From a2446688362b6b81bd0fa0dc22cb5cc2fa3378c1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 20 Jul 2023 15:55:05 +0200
|
|
||||||
Subject: [PATCH] tests: monitor: Summarize failures per test case
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
|
|
||||||
Upstream Status: nftables commit c2b28dcebd058
|
|
||||||
|
|
||||||
commit c2b28dcebd058b978692b8e1899e79b96c025396
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Thu Jul 20 12:08:45 2023 +0200
|
|
||||||
|
|
||||||
tests: monitor: Summarize failures per test case
|
|
||||||
|
|
||||||
Explicitly print when tests from a file fail in addition to the diff +
|
|
||||||
"output differs" message.
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
tests/monitor/run-tests.sh | 9 ++++++++-
|
|
||||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
|
|
||||||
index b5ca47d..f1ac790 100755
|
|
||||||
--- a/tests/monitor/run-tests.sh
|
|
||||||
+++ b/tests/monitor/run-tests.sh
|
|
||||||
@@ -161,7 +161,10 @@ for variant in $variants; do
|
|
||||||
output_append=${variant}_output_append
|
|
||||||
|
|
||||||
for testcase in ${testcases:-testcases/*.t}; do
|
|
||||||
- echo "$variant: running tests from file $(basename $testcase)"
|
|
||||||
+ filename=$(basename $testcase)
|
|
||||||
+ echo "$variant: running tests from file $filename"
|
|
||||||
+ rc_start=$rc
|
|
||||||
+
|
|
||||||
# files are like this:
|
|
||||||
#
|
|
||||||
# I add table ip t
|
|
||||||
@@ -199,6 +202,10 @@ for variant in $variants; do
|
|
||||||
$run_test
|
|
||||||
let "rc += $?"
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ let "rc_diff = rc - rc_start"
|
|
||||||
+ [[ $rc_diff -ne 0 ]] && \
|
|
||||||
+ echo "$variant: $rc_diff tests from file $filename failed"
|
|
||||||
done
|
|
||||||
done
|
|
||||||
exit $rc
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,114 +0,0 @@
|
|||||||
From 955758b3ef4772bb92fc63a8f6d424f93ebb7a2f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Thu, 21 Sep 2023 15:24:03 +0200
|
|
||||||
Subject: [PATCH] rule: check address family in set collapse
|
|
||||||
|
|
||||||
JIRA: https://issues.redhat.com/browse/RHEL-5160
|
|
||||||
Upstream Status: nftables commit a817ea9655dee
|
|
||||||
|
|
||||||
commit a817ea9655dee1915423a802c0133e3611e02b3a
|
|
||||||
Author: Derek Hageman <hageman@inthat.cloud>
|
|
||||||
Date: Thu Sep 1 10:10:41 2022 -0600
|
|
||||||
|
|
||||||
rule: check address family in set collapse
|
|
||||||
|
|
||||||
498a5f0c219d added collapsing of set operations in different commands.
|
|
||||||
However, the logic is currently too relaxed. It is valid to have a
|
|
||||||
table and set with identical names on different address families.
|
|
||||||
For example:
|
|
||||||
|
|
||||||
table ip a {
|
|
||||||
set x {
|
|
||||||
type inet_service;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
table ip6 a {
|
|
||||||
set x {
|
|
||||||
type inet_service;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
add element ip a x { 1 }
|
|
||||||
add element ip a x { 2 }
|
|
||||||
add element ip6 a x { 2 }
|
|
||||||
|
|
||||||
The above currently results in nothing being added to the ip6 family
|
|
||||||
table due to being collapsed into the ip table add. Prior to
|
|
||||||
498a5f0c219d the set add would work. The fix is simply to check the
|
|
||||||
family in addition to the table and set names before allowing a
|
|
||||||
collapse.
|
|
||||||
|
|
||||||
[ Add testcase to tests/shell --pablo ]
|
|
||||||
|
|
||||||
Fixes: 498a5f0c219d ("rule: collapse set element commands")
|
|
||||||
Signed-off-by: Derek Hageman <hageman@inthat.cloud>
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/rule.c | 3 ++-
|
|
||||||
tests/shell/testcases/sets/collapse_elem_0 | 19 +++++++++++++++++++
|
|
||||||
.../testcases/sets/dumps/collapse_elem_0.nft | 12 ++++++++++++
|
|
||||||
3 files changed, 33 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100755 tests/shell/testcases/sets/collapse_elem_0
|
|
||||||
create mode 100644 tests/shell/testcases/sets/dumps/collapse_elem_0.nft
|
|
||||||
|
|
||||||
diff --git a/src/rule.c b/src/rule.c
|
|
||||||
index 0526a14..3b60cca 100644
|
|
||||||
--- a/src/rule.c
|
|
||||||
+++ b/src/rule.c
|
|
||||||
@@ -1409,7 +1409,8 @@ bool nft_cmd_collapse(struct list_head *cmds)
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
|
|
||||||
+ if (elems->handle.family != cmd->handle.family ||
|
|
||||||
+ strcmp(elems->handle.table.name, cmd->handle.table.name) ||
|
|
||||||
strcmp(elems->handle.set.name, cmd->handle.set.name)) {
|
|
||||||
elems = cmd;
|
|
||||||
continue;
|
|
||||||
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..7699e9d
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/collapse_elem_0
|
|
||||||
@@ -0,0 +1,19 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+
|
|
||||||
+RULESET="table ip a {
|
|
||||||
+ set x {
|
|
||||||
+ type inet_service;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+table ip6 a {
|
|
||||||
+ set x {
|
|
||||||
+ type inet_service;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+add element ip a x { 1 }
|
|
||||||
+add element ip a x { 2 }
|
|
||||||
+add element ip6 a x { 2 }"
|
|
||||||
+
|
|
||||||
+$NFT -f - <<< $RULESET
|
|
||||||
diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..a3244fc
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
|
|
||||||
@@ -0,0 +1,12 @@
|
|
||||||
+table ip a {
|
|
||||||
+ set x {
|
|
||||||
+ type inet_service
|
|
||||||
+ elements = { 1, 2 }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+table ip6 a {
|
|
||||||
+ set x {
|
|
||||||
+ type inet_service
|
|
||||||
+ elements = { 2 }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,86 +0,0 @@
|
|||||||
From fa2b3f20274f5e66b67e2c3d2b7d957b9200473e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <psutter@redhat.com>
|
|
||||||
Date: Wed, 15 Nov 2023 17:06:19 +0100
|
|
||||||
Subject: [PATCH] parser_bison: Fix for broken compatibility with older dumps
|
|
||||||
|
|
||||||
JIRA: https://issues.redhat.com/browse/RHEL-2596
|
|
||||||
Upstream Status: nftables commit 22fab8681a50014174cdd02ace90f74b9e9eefe9
|
|
||||||
|
|
||||||
commit 22fab8681a50014174cdd02ace90f74b9e9eefe9
|
|
||||||
Author: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Thu Oct 19 18:40:04 2023 +0200
|
|
||||||
|
|
||||||
parser_bison: Fix for broken compatibility with older dumps
|
|
||||||
|
|
||||||
Commit e6d1d0d611958 ("src: add set element multi-statement
|
|
||||||
support") changed the order of expressions and other state attached to set
|
|
||||||
elements are expected in input. This broke parsing of ruleset dumps
|
|
||||||
created by nft commands prior to that commit.
|
|
||||||
|
|
||||||
Restore compatibility by also accepting the old ordering.
|
|
||||||
|
|
||||||
Fixes: e6d1d0d611958 ("src: add set element multi-statement support")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
||||||
---
|
|
||||||
src/parser_bison.y | 6 ++++
|
|
||||||
tests/shell/testcases/sets/elem_opts_compat_0 | 29 +++++++++++++++++++
|
|
||||||
2 files changed, 35 insertions(+)
|
|
||||||
create mode 100755 tests/shell/testcases/sets/elem_opts_compat_0
|
|
||||||
|
|
||||||
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
|
||||||
index b548d5b..b882f3b 100644
|
|
||||||
--- a/src/parser_bison.y
|
|
||||||
+++ b/src/parser_bison.y
|
|
||||||
@@ -4283,6 +4283,12 @@ meter_key_expr_alloc : concat_expr
|
|
||||||
|
|
||||||
set_elem_expr : set_elem_expr_alloc
|
|
||||||
| set_elem_expr_alloc set_elem_expr_options
|
|
||||||
+ | set_elem_expr_alloc set_elem_expr_options set_elem_stmt_list
|
|
||||||
+ {
|
|
||||||
+ $$ = $1;
|
|
||||||
+ list_splice_tail($3, &$$->stmt_list);
|
|
||||||
+ xfree($3);
|
|
||||||
+ }
|
|
||||||
;
|
|
||||||
|
|
||||||
set_elem_key_expr : set_lhs_expr { $$ = $1; }
|
|
||||||
diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..e012953
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/shell/testcases/sets/elem_opts_compat_0
|
|
||||||
@@ -0,0 +1,29 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+
|
|
||||||
+# ordering of element options and expressions has changed, make sure parser
|
|
||||||
+# accepts both ways
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+
|
|
||||||
+$NFT -f - <<EOF
|
|
||||||
+table t {
|
|
||||||
+ set s {
|
|
||||||
+ type inet_service
|
|
||||||
+ counter;
|
|
||||||
+ timeout 30s;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+EOF
|
|
||||||
+
|
|
||||||
+check() {
|
|
||||||
+ out=$($NFT list ruleset)
|
|
||||||
+ secs=$(sed -n 's/.*expires \([0-9]\+\)s.*/\1/p' <<< "$out")
|
|
||||||
+ [[ $secs -lt 11 ]]
|
|
||||||
+ grep -q 'counter packets 10 bytes 20' <<< "$out"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+$NFT add element t s '{ 23 counter packets 10 bytes 20 expires 10s }'
|
|
||||||
+check
|
|
||||||
+$NFT flush set t s
|
|
||||||
+$NFT add element t s '{ 42 expires 10s counter packets 10 bytes 20 }'
|
|
||||||
+check
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,6 +0,0 @@
|
|||||||
monitor: 2 tests from file object.t failed
|
|
||||||
monitor: 3 tests from file set-interval.t failed
|
|
||||||
monitor: 3 tests from file simple.t failed
|
|
||||||
echo: 2 tests from file object.t failed
|
|
||||||
echo: 3 tests from file set-interval.t failed
|
|
||||||
echo: 3 tests from file simple.t failed
|
|
@ -1,851 +0,0 @@
|
|||||||
any/objects.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
any/objects.t: ERROR: line 16: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
any/rawpayload.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
any/rawpayload.t: ERROR: line 8: add rule netdev test-netdev egress meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 }: This rule should not have failed.
|
|
||||||
any/rawpayload.t: ERROR: line 9: add rule netdev test-netdev egress meta l4proto tcp @th,16,16 { 22, 23, 80}: This rule should not have failed.
|
|
||||||
any/rawpayload.t: ERROR: line 10: add rule netdev test-netdev egress @nh,8,8 0xff: This rule should not have failed.
|
|
||||||
any/rawpayload.t: ERROR: line 11: add rule netdev test-netdev egress @nh,8,16 0x0: This rule should not have failed.
|
|
||||||
any/rawpayload.t: ERROR: line 18: add rule netdev test-netdev egress @ll,0,1 1: This rule should not have failed.
|
|
||||||
any/rawpayload.t: ERROR: line 19: add rule netdev test-netdev egress @ll,0,8 & 0x80 == 0x80: This rule should not have failed.
|
|
||||||
any/rawpayload.t: ERROR: line 20: add rule netdev test-netdev egress @ll,0,128 0xfedcba987654321001234567890abcde: This rule should not have failed.
|
|
||||||
any/rawpayload.t: ERROR: line 22: add rule inet test-inet input @ih,32,32 0x14000000: This rule should not have failed.
|
|
||||||
any/rawpayload.t: ERROR: line 22: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
any/quota.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
any/quota.t: ERROR: line 12: add rule netdev test-netdev egress quota 1025 bytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 13: add rule netdev test-netdev egress quota 1 kbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 14: add rule netdev test-netdev egress quota 2 kbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 15: add rule netdev test-netdev egress quota 1025 kbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 16: add rule netdev test-netdev egress quota 1023 mbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 17: add rule netdev test-netdev egress quota 10230 mbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 18: add rule netdev test-netdev egress quota 1023000 mbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 20: add rule netdev test-netdev egress quota over 1 kbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 21: add rule netdev test-netdev egress quota over 2 kbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 22: add rule netdev test-netdev egress quota over 1025 kbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 23: add rule netdev test-netdev egress quota over 1023 mbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 24: add rule netdev test-netdev egress quota over 10230 mbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 25: add rule netdev test-netdev egress quota over 1023000 mbytes: This rule should not have failed.
|
|
||||||
any/quota.t: ERROR: line 25: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
any/tcpopt.t: ERROR: line 58: add rule ip test-ip4 input reset tcp option mptcp: This rule should not have failed.
|
|
||||||
any/tcpopt.t: ERROR: line 59: add rule ip test-ip4 input reset tcp option 2: This rule should not have failed.
|
|
||||||
any/tcpopt.t: ERROR: line 60: add rule ip test-ip4 input reset tcp option 123: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
any/meta.t: ERROR: line 12: add rule netdev test-netdev egress meta length 1000: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 13: add rule netdev test-netdev egress meta length 22: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 14: add rule netdev test-netdev egress meta length != 233: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 15: add rule netdev test-netdev egress meta length 33-45: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 16: add rule netdev test-netdev egress meta length != 33-45: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 17: add rule netdev test-netdev egress meta length { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 18: add rule netdev test-netdev egress meta length { 33-55, 67-88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 19: add rule netdev test-netdev egress meta length { 33-55, 56-88, 100-120}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 20: add rule netdev test-netdev egress meta length != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 21: add rule netdev test-netdev egress meta length { 33-55, 66-88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 22: add rule netdev test-netdev egress meta length != { 33-55, 66-88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 24: add rule netdev test-netdev egress meta protocol { ip, arp, ip6, vlan }: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 25: add rule netdev test-netdev egress meta protocol != {ip, arp, ip6, 8021q}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 26: add rule netdev test-netdev egress meta protocol ip: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 27: add rule netdev test-netdev egress meta protocol != ip: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 29: add rule netdev test-netdev egress meta l4proto 22: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 30: add rule netdev test-netdev egress meta l4proto != 233: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 31: add rule netdev test-netdev egress meta l4proto 33-45: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 32: add rule netdev test-netdev egress meta l4proto != 33-45: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 33: add rule netdev test-netdev egress meta l4proto { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 34: add rule netdev test-netdev egress meta l4proto != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 35: add rule netdev test-netdev egress meta l4proto { 33-55, 66-88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 36: add rule netdev test-netdev egress meta l4proto != { 33-55, 66-88}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 38: add rule netdev test-netdev egress meta priority root: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 39: add rule netdev test-netdev egress meta priority none: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 40: add rule netdev test-netdev egress meta priority 0x87654321: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 41: add rule netdev test-netdev egress meta priority 2271560481: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 42: add rule netdev test-netdev egress meta priority 1:1234: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 43: add rule netdev test-netdev egress meta priority bcad:dadc: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 44: add rule netdev test-netdev egress meta priority aabb:0: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 45: add rule netdev test-netdev egress meta priority != bcad:dadc: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 46: add rule netdev test-netdev egress meta priority != aabb:0: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 47: add rule netdev test-netdev egress meta priority bcad:dada-bcad:dadc: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 48: add rule netdev test-netdev egress meta priority != bcad:dada-bcad:dadc: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 49: add rule netdev test-netdev egress meta priority {bcad:dada, bcad:dadc, aaaa:bbbb}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 50: add rule netdev test-netdev egress meta priority set cafe:beef: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 51: add rule netdev test-netdev egress meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 53: add rule netdev test-netdev egress meta mark 0x4: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 54: add rule netdev test-netdev egress meta mark 0x32: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 55: add rule netdev test-netdev egress meta mark and 0x03 == 0x01: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 56: add rule netdev test-netdev egress meta mark and 0x03 != 0x01: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 57: add rule netdev test-netdev egress meta mark 0x10: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 58: add rule netdev test-netdev egress meta mark != 0x10: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 59: add rule netdev test-netdev egress meta mark 0xffffff00/24: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 61: add rule netdev test-netdev egress meta mark or 0x03 == 0x01: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 62: add rule netdev test-netdev egress meta mark or 0x03 != 0x01: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 63: add rule netdev test-netdev egress meta mark xor 0x03 == 0x01: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 64: add rule netdev test-netdev egress meta mark xor 0x03 != 0x01: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 66: add rule netdev test-netdev egress meta iif "lo" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 67: add rule netdev test-netdev egress meta iif != "lo" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 69: add rule netdev test-netdev egress meta iifname "dummy0": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 70: add rule netdev test-netdev egress meta iifname != "dummy0": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 71: add rule netdev test-netdev egress meta iifname {"dummy0", "lo"}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 72: add rule netdev test-netdev egress meta iifname != {"dummy0", "lo"}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 73: add rule netdev test-netdev egress meta iifname "dummy*": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 74: add rule netdev test-netdev egress meta iifname "dummy\*": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 77: add rule netdev test-netdev egress meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 78: add rule netdev test-netdev egress meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 79: add rule netdev test-netdev egress meta iiftype != ether: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 80: add rule netdev test-netdev egress meta iiftype ether: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 81: add rule netdev test-netdev egress meta iiftype != ppp: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 82: add rule netdev test-netdev egress meta iiftype ppp: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 84: add rule netdev test-netdev egress meta oif "lo" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 85: add rule netdev test-netdev egress meta oif != "lo" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 87: add rule netdev test-netdev egress meta oifname "dummy0": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 88: add rule netdev test-netdev egress meta oifname != "dummy0": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 89: add rule netdev test-netdev egress meta oifname { "dummy0", "lo"}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 90: add rule netdev test-netdev egress meta oifname "dummy*": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 91: add rule netdev test-netdev egress meta oifname "dummy\*": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 94: add rule netdev test-netdev egress meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 95: add rule netdev test-netdev egress meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 96: add rule netdev test-netdev egress meta oiftype != ether: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 97: add rule netdev test-netdev egress meta oiftype ether: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 99: add rule netdev test-netdev egress meta skuid {"bin", "root", "daemon"} accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 100: add rule netdev test-netdev egress meta skuid != {"bin", "root", "daemon"} accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 101: add rule netdev test-netdev egress meta skuid "root": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 102: add rule netdev test-netdev egress meta skuid != "root": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 103: add rule netdev test-netdev egress meta skuid lt 3000 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 104: add rule netdev test-netdev egress meta skuid gt 3000 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 105: add rule netdev test-netdev egress meta skuid eq 3000 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 106: add rule netdev test-netdev egress meta skuid 3001-3005 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 107: add rule netdev test-netdev egress meta skuid != 2001-2005 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 108: add rule netdev test-netdev egress meta skuid { 2001-2005, 3001-3005} accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 109: add rule netdev test-netdev egress meta skuid != { 2001-2005, 3001-3005} accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 111: add rule netdev test-netdev egress meta skgid {"bin", "root", "daemon"} accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 112: add rule netdev test-netdev egress meta skgid != {"bin", "root", "daemon"} accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 113: add rule netdev test-netdev egress meta skgid "root": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 114: add rule netdev test-netdev egress meta skgid != "root": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 115: add rule netdev test-netdev egress meta skgid lt 3000 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 116: add rule netdev test-netdev egress meta skgid gt 3000 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 117: add rule netdev test-netdev egress meta skgid eq 3000 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 118: add rule netdev test-netdev egress meta skgid 2001-2005 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 119: add rule netdev test-netdev egress meta skgid != 2001-2005 accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 131: add rule netdev test-netdev egress meta mark set 0xffffffc8 xor 0x16: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 132: add rule netdev test-netdev egress meta mark set 0x16 and 0x16: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 133: add rule netdev test-netdev egress meta mark set 0xffffffe9 or 0x16: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 134: add rule netdev test-netdev egress meta mark set 0xffffffde and 0x16: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 135: add rule netdev test-netdev egress meta mark set 0xf045ffde or 0x10: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 136: add rule netdev test-netdev egress meta mark set 0xffffffde or 0x16: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 137: add rule netdev test-netdev egress meta mark set 0x32 or 0xfffff: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 138: add rule netdev test-netdev egress meta mark set 0xfffe xor 0x16: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 143: add rule netdev test-netdev egress meta iif "lo": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 144: add rule netdev test-netdev egress meta oif "lo": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 145: add rule netdev test-netdev egress meta oifname "dummy2" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 146: add rule netdev test-netdev egress meta skuid 3000: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 147: add rule netdev test-netdev egress meta skgid 3000: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 151: add rule netdev test-netdev egress meta rtclassid "cosmos": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 153: add rule netdev test-netdev egress meta pkttype broadcast: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 154: add rule netdev test-netdev egress meta pkttype host: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 155: add rule netdev test-netdev egress meta pkttype multicast: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 156: add rule netdev test-netdev egress meta pkttype != broadcast: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 157: add rule netdev test-netdev egress meta pkttype != host: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 158: add rule netdev test-netdev egress meta pkttype != multicast: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 160: add rule netdev test-netdev egress pkttype { broadcast, multicast} accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 162: add rule netdev test-netdev egress meta cpu 1: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 163: add rule netdev test-netdev egress meta cpu != 1: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 164: add rule netdev test-netdev egress meta cpu 1-3: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 165: add rule netdev test-netdev egress meta cpu != 1-2: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 166: add rule netdev test-netdev egress meta cpu { 2,3}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 167: add rule netdev test-netdev egress meta cpu { 2-3, 5-7}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 168: add rule netdev test-netdev egress meta cpu != { 2,3}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 170: add rule netdev test-netdev egress meta iifgroup 0: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 171: add rule netdev test-netdev egress meta iifgroup != 0: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 172: add rule netdev test-netdev egress meta iifgroup "default": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 173: add rule netdev test-netdev egress meta iifgroup != "default": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 174: add rule netdev test-netdev egress meta iifgroup {"default", 11}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 175: add rule netdev test-netdev egress meta iifgroup != {"default", 11}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 176: add rule netdev test-netdev egress meta iifgroup { 11,33}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 177: add rule netdev test-netdev egress meta iifgroup {11-33, 44-55}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 178: add rule netdev test-netdev egress meta iifgroup != { 11,33}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 179: add rule netdev test-netdev egress meta iifgroup != {11-33, 44-55}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 180: add rule netdev test-netdev egress meta oifgroup 0: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 181: add rule netdev test-netdev egress meta oifgroup != 0: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 182: add rule netdev test-netdev egress meta oifgroup "default": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 183: add rule netdev test-netdev egress meta oifgroup != "default": This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 184: add rule netdev test-netdev egress meta oifgroup {"default", 11}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 185: add rule netdev test-netdev egress meta oifgroup != {"default", 11}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 186: add rule netdev test-netdev egress meta oifgroup { 11,33}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 187: add rule netdev test-netdev egress meta oifgroup {11-33, 44-55}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 188: add rule netdev test-netdev egress meta oifgroup != { 11,33}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 189: add rule netdev test-netdev egress meta oifgroup != {11-33, 44-55}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 191: add rule netdev test-netdev egress meta cgroup 1048577: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 192: add rule netdev test-netdev egress meta cgroup != 1048577: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 193: add rule netdev test-netdev egress meta cgroup { 1048577, 1048578 }: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 194: add rule netdev test-netdev egress meta cgroup != { 1048577, 1048578}: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 195: add rule netdev test-netdev egress meta cgroup 1048577-1048578: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 196: add rule netdev test-netdev egress meta cgroup != 1048577-1048578: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 198: add rule netdev test-netdev egress meta iif . meta oif { "lo" . "lo" }: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 199: add rule netdev test-netdev egress meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a }: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 200: add rule netdev test-netdev egress meta iif . meta oif vmap { "lo" . "lo" : drop }: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 202: add rule netdev test-netdev egress meta random eq 1: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 203: add rule netdev test-netdev egress meta random gt 1000000: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 205: add rule ip test-ip4 input meta time "1970-05-23 21:07:14" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 206: add rule ip test-ip4 input meta time 12341234 drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 207: add rule ip test-ip4 input meta time "2019-06-21 17:00:00" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 208: add rule ip test-ip4 input meta time "2019-07-01 00:00:00" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 209: add rule ip test-ip4 input meta time "2019-07-01 00:01:00" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 210: add rule ip test-ip4 input meta time "2019-07-01 00:00:01" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 211: add rule ip test-ip4 input meta time < "2022-07-01 11:00:00" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 212: add rule ip test-ip4 input meta time > "2022-07-01 11:00:00" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 213: add rule ip test-ip4 input meta day "Saturday" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 214: add rule ip test-ip4 input meta day 6 drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 216: add rule ip test-ip4 input meta hour "17:00" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 217: add rule ip test-ip4 input meta hour "17:00:00" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 218: add rule ip test-ip4 input meta hour "17:00:01" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 219: add rule ip test-ip4 input meta hour "00:00" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 220: add rule ip test-ip4 input meta hour "00:01" drop: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 221: add rule ip test-ip4 input time < "2022-07-01 11:00:00" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 222: add rule ip test-ip4 input time > "2022-07-01 11:00:00" accept: This rule should not have failed.
|
|
||||||
any/meta.t: ERROR: line 226: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
any/limit.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
any/limit.t: ERROR: line 12: add rule netdev test-netdev egress limit rate 400/minute: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 13: add rule netdev test-netdev egress limit rate 20/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 14: add rule netdev test-netdev egress limit rate 400/hour: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 15: add rule netdev test-netdev egress limit rate 40/day: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 16: add rule netdev test-netdev egress limit rate 400/week: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 17: add rule netdev test-netdev egress limit rate 1023/second burst 10 packets: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 20: add rule netdev test-netdev egress limit rate 1 kbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 21: add rule netdev test-netdev egress limit rate 2 kbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 22: add rule netdev test-netdev egress limit rate 1025 kbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 23: add rule netdev test-netdev egress limit rate 1023 mbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 24: add rule netdev test-netdev egress limit rate 10230 mbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 25: add rule netdev test-netdev egress limit rate 1023000 mbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 28: add rule netdev test-netdev egress limit rate 1 bytes / second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 29: add rule netdev test-netdev egress limit rate 1 kbytes / second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 30: add rule netdev test-netdev egress limit rate 1 mbytes / second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 33: add rule netdev test-netdev egress limit rate 1025 bytes/second burst 512 bytes: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 34: add rule netdev test-netdev egress limit rate 1025 kbytes/second burst 1023 kbytes: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 35: add rule netdev test-netdev egress limit rate 1025 mbytes/second burst 1025 kbytes: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 36: add rule netdev test-netdev egress limit rate 1025000 mbytes/second burst 1023 mbytes: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 38: add rule netdev test-netdev egress limit rate over 400/minute: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 39: add rule netdev test-netdev egress limit rate over 20/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 40: add rule netdev test-netdev egress limit rate over 400/hour: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 41: add rule netdev test-netdev egress limit rate over 40/day: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 42: add rule netdev test-netdev egress limit rate over 400/week: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 43: add rule netdev test-netdev egress limit rate over 1023/second burst 10 packets: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 45: add rule netdev test-netdev egress limit rate over 1 kbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 46: add rule netdev test-netdev egress limit rate over 2 kbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 47: add rule netdev test-netdev egress limit rate over 1025 kbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 48: add rule netdev test-netdev egress limit rate over 1023 mbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 49: add rule netdev test-netdev egress limit rate over 10230 mbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 50: add rule netdev test-netdev egress limit rate over 1023000 mbytes/second: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 52: add rule netdev test-netdev egress limit rate over 1025 bytes/second burst 512 bytes: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 53: add rule netdev test-netdev egress limit rate over 1025 kbytes/second burst 1023 kbytes: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 54: add rule netdev test-netdev egress limit rate over 1025 mbytes/second burst 1025 kbytes: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 55: add rule netdev test-netdev egress limit rate over 1025000 mbytes/second burst 1023 mbytes: This rule should not have failed.
|
|
||||||
any/limit.t: ERROR: line 55: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
any/ct.t: ERROR: line 62: add rule ip test-ip4 output ct mark set (meta mark | 0x10) << 8: This rule should not have failed.
|
|
||||||
any/ct.t: ERROR: line 133: add rule ip test-ip4 output ct id 12345: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 4: I cannot create the chain 'egress'
|
|
||||||
arp/arp.t: ERROR: line 9: add rule netdev test-netdev egress arp htype 1: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 10: add rule netdev test-netdev egress arp htype != 1: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 11: add rule netdev test-netdev egress arp htype 22: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 12: add rule netdev test-netdev egress arp htype != 233: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 13: add rule netdev test-netdev egress arp htype 33-45: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 14: add rule netdev test-netdev egress arp htype != 33-45: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 15: add rule netdev test-netdev egress arp htype { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 16: add rule netdev test-netdev egress arp htype != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 18: add rule netdev test-netdev egress arp ptype 0x0800: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 20: add rule netdev test-netdev egress arp hlen 22: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 21: add rule netdev test-netdev egress arp hlen != 233: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 22: add rule netdev test-netdev egress arp hlen 33-45: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 23: add rule netdev test-netdev egress arp hlen != 33-45: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 24: add rule netdev test-netdev egress arp hlen { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 25: add rule netdev test-netdev egress arp hlen != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 27: add rule netdev test-netdev egress arp plen 22: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 28: add rule netdev test-netdev egress arp plen != 233: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 29: add rule netdev test-netdev egress arp plen 33-45: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 30: add rule netdev test-netdev egress arp plen != 33-45: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 31: add rule netdev test-netdev egress arp plen { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 32: add rule netdev test-netdev egress arp plen != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 34: add rule netdev test-netdev egress arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 35: add rule netdev test-netdev egress arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 36: add rule netdev test-netdev egress arp operation 1-2: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 37: add rule netdev test-netdev egress arp operation request: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 38: add rule netdev test-netdev egress arp operation reply: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 39: add rule netdev test-netdev egress arp operation rrequest: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 40: add rule netdev test-netdev egress arp operation rreply: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 41: add rule netdev test-netdev egress arp operation inrequest: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 42: add rule netdev test-netdev egress arp operation inreply: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 43: add rule netdev test-netdev egress arp operation nak: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 44: add rule netdev test-netdev egress arp operation != request: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 45: add rule netdev test-netdev egress arp operation != reply: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 46: add rule netdev test-netdev egress arp operation != rrequest: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 47: add rule netdev test-netdev egress arp operation != rreply: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 48: add rule netdev test-netdev egress arp operation != inrequest: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 49: add rule netdev test-netdev egress arp operation != inreply: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 50: add rule netdev test-netdev egress arp operation != nak: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 52: add rule netdev test-netdev egress arp saddr ip 1.2.3.4: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 53: add rule netdev test-netdev egress arp daddr ip 4.3.2.1: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 54: add rule netdev test-netdev egress arp saddr ether aa:bb:cc:aa:bb:cc: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 55: add rule netdev test-netdev egress arp daddr ether aa:bb:cc:aa:bb:cc: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 57: add rule netdev test-netdev egress arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 58: add rule netdev test-netdev egress arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 60: add rule netdev test-netdev egress meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566: This rule should not have failed.
|
|
||||||
arp/arp.t: ERROR: line 60: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
bridge/vlan.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
bridge/vlan.t: ERROR: line 8: add rule netdev test-netdev egress vlan id 4094: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 9: add rule netdev test-netdev egress vlan id 0: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 12: add rule netdev test-netdev egress vlan id 4094 vlan dei 0: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 13: add rule netdev test-netdev egress vlan id 4094 vlan dei 1: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 14: add rule netdev test-netdev egress vlan id 4094 vlan dei != 1: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 15: add rule netdev test-netdev egress vlan id 4094 vlan cfi 1: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 19: add rule netdev test-netdev egress vlan id 4094 vlan dei 1 vlan pcp 7: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 20: add rule netdev test-netdev egress vlan id 4094 vlan dei 1 vlan pcp 3: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 22: add rule netdev test-netdev egress ether type vlan vlan id 4094: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 23: add rule netdev test-netdev egress ether type vlan vlan id 0: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 24: add rule netdev test-netdev egress ether type vlan vlan id 4094 vlan dei 0: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 25: add rule netdev test-netdev egress ether type vlan vlan id 4094 vlan dei 1: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 28: add rule netdev test-netdev egress vlan id 4094 tcp dport 22: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 29: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.1: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 30: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.0/23: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 31: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.0/23 udp dport 53: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 32: add rule netdev test-netdev egress ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 34: add rule netdev test-netdev egress vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 37: add rule netdev test-netdev egress ether type vlan ip protocol 1 accept: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 40: add rule netdev test-netdev egress ether type 8021ad vlan id 1 ip protocol 6 accept: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 41: add rule netdev test-netdev egress ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 42: add rule netdev test-netdev egress ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 49: add rule netdev test-netdev egress vlan id 1 vlan id set 2: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 51: add rule netdev test-netdev egress ether saddr 00:01:02:03:04:05 vlan id 1: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 52: add rule netdev test-netdev egress vlan id 2 ether saddr 0:1:2:3:4:6: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 54: add rule netdev test-netdev egress ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }: This rule should not have failed.
|
|
||||||
bridge/vlan.t: ERROR: line 54: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
bridge/meta.t: ERROR: line 7: add rule bridge test-bridge input meta ibrvproto vlan: This rule should not have failed.
|
|
||||||
bridge/meta.t: ERROR: line 8: add rule bridge test-bridge input meta ibrpvid 100: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/dccp.t: ERROR: line 10: add rule netdev test-netdev egress dccp sport 21-35: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 11: add rule netdev test-netdev egress dccp sport != 21-35: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 12: add rule netdev test-netdev egress dccp sport {23, 24, 25}: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 13: add rule netdev test-netdev egress dccp sport != {23, 24, 25}: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 15: add rule netdev test-netdev egress dccp sport 20-50: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 19: add rule netdev test-netdev egress dccp dport {23, 24, 25}: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 20: add rule netdev test-netdev egress dccp dport != {23, 24, 25}: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 22: add rule netdev test-netdev egress dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 23: add rule netdev test-netdev egress dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 24: add rule netdev test-netdev egress dccp type request: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 25: add rule netdev test-netdev egress dccp type != request: This rule should not have failed.
|
|
||||||
inet/dccp.t: ERROR: line 25: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/map.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/map.t: ERROR: line 9: add rule netdev test-netdev egress mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}: This rule should not have failed.
|
|
||||||
inet/map.t: ERROR: line 10: add rule netdev test-netdev egress mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}: This rule should not have failed.
|
|
||||||
inet/map.t: ERROR: line 10: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/synproxy.t: ERROR: line 7: add rule ip synproxyip synproxychain synproxy: This rule should not have failed.
|
|
||||||
inet/synproxy.t: ERROR: line 8: add rule ip synproxyip synproxychain synproxy mss 1460 wscale 7: This rule should not have failed.
|
|
||||||
inet/synproxy.t: ERROR: line 9: add rule ip synproxyip synproxychain synproxy mss 1460 wscale 5 timestamp sack-perm: This rule should not have failed.
|
|
||||||
inet/synproxy.t: ERROR: line 10: add rule ip synproxyip synproxychain synproxy timestamp sack-perm: This rule should not have failed.
|
|
||||||
inet/synproxy.t: ERROR: line 11: add rule ip synproxyip synproxychain synproxy timestamp: This rule should not have failed.
|
|
||||||
inet/synproxy.t: ERROR: line 12: add rule ip synproxyip synproxychain synproxy sack-perm: This rule should not have failed.
|
|
||||||
inet/sets.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/sets.t: ERROR: line 15: add rule netdev test-netdev egress ip saddr @set1 drop: This rule should not have failed.
|
|
||||||
inet/sets.t: ERROR: line 18: add rule netdev test-netdev egress ip6 daddr != @set2 accept: This rule should not have failed.
|
|
||||||
inet/sets.t: ERROR: line 24: add rule netdev test-netdev egress ip saddr . ip daddr . tcp dport @set3 accept: This rule should not have failed.
|
|
||||||
inet/sets.t: ERROR: line 25: add rule netdev test-netdev egress ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept: This rule should not have failed.
|
|
||||||
inet/sets.t: ERROR: line 25: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/ip.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/ip.t: ERROR: line 10: add rule netdev test-netdev egress ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }: This rule should not have failed.
|
|
||||||
inet/ip.t: ERROR: line 12: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/udp.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/udp.t: ERROR: line 10: add rule netdev test-netdev egress udp sport 80 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 11: add rule netdev test-netdev egress udp sport != 60 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 12: add rule netdev test-netdev egress udp sport 50-70 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 13: add rule netdev test-netdev egress udp sport != 50-60 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 14: add rule netdev test-netdev egress udp sport { 49, 50} drop: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 15: add rule netdev test-netdev egress udp sport != { 50, 60} accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 19: add rule netdev test-netdev egress udp dport 80 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 20: add rule netdev test-netdev egress udp dport != 60 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 21: add rule netdev test-netdev egress udp dport 70-75 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 22: add rule netdev test-netdev egress udp dport != 50-60 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 23: add rule netdev test-netdev egress udp dport { 49, 50} drop: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 24: add rule netdev test-netdev egress udp dport != { 50, 60} accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 26: add rule netdev test-netdev egress udp length 6666: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 27: add rule netdev test-netdev egress udp length != 6666: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 28: add rule netdev test-netdev egress udp length 50-65 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 29: add rule netdev test-netdev egress udp length != 50-65 accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 30: add rule netdev test-netdev egress udp length { 50, 65} accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 31: add rule netdev test-netdev egress udp length != { 50, 65} accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 33: add rule netdev test-netdev egress udp checksum 6666 drop: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 34: add rule netdev test-netdev egress udp checksum != { 444, 555} accept: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 36: add rule netdev test-netdev egress udp checksum 22: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 37: add rule netdev test-netdev egress udp checksum != 233: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 38: add rule netdev test-netdev egress udp checksum 33-45: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 39: add rule netdev test-netdev egress udp checksum != 33-45: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 40: add rule netdev test-netdev egress udp checksum { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 41: add rule netdev test-netdev egress udp checksum != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 44: add rule netdev test-netdev egress iif "lo" udp checksum set 0: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 45: add rule netdev test-netdev egress iif "lo" udp dport set 65535: This rule should not have failed.
|
|
||||||
inet/udp.t: ERROR: line 45: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/ether.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/ether.t: ERROR: line 11: add rule netdev test-netdev egress tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept: This rule should not have failed.
|
|
||||||
inet/ether.t: ERROR: line 12: add rule netdev test-netdev egress tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept: This rule should not have failed.
|
|
||||||
inet/ether.t: ERROR: line 14: add rule netdev test-netdev egress ether saddr 00:0f:54:0c:11:04 accept: This rule should not have failed.
|
|
||||||
inet/ether.t: ERROR: line 14: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/comp.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/comp.t: ERROR: line 12: add rule netdev test-netdev egress comp nexthdr != esp: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 18: add rule netdev test-netdev egress comp flags 0x0: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 19: add rule netdev test-netdev egress comp flags != 0x23: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 20: add rule netdev test-netdev egress comp flags 0x33-0x45: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 21: add rule netdev test-netdev egress comp flags != 0x33-0x45: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 22: add rule netdev test-netdev egress comp flags {0x33, 0x55, 0x67, 0x88}: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 23: add rule netdev test-netdev egress comp flags != {0x33, 0x55, 0x67, 0x88}: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 25: add rule netdev test-netdev egress comp cpi 22: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 26: add rule netdev test-netdev egress comp cpi != 233: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 27: add rule netdev test-netdev egress comp cpi 33-45: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 28: add rule netdev test-netdev egress comp cpi != 33-45: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 29: add rule netdev test-netdev egress comp cpi {33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 30: add rule netdev test-netdev egress comp cpi != {33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/comp.t: ERROR: line 30: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/udplite.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/udplite.t: ERROR: line 10: add rule netdev test-netdev egress udplite sport 80 accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 11: add rule netdev test-netdev egress udplite sport != 60 accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 12: add rule netdev test-netdev egress udplite sport 50-70 accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 13: add rule netdev test-netdev egress udplite sport != 50-60 accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 14: add rule netdev test-netdev egress udplite sport { 49, 50} drop: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 15: add rule netdev test-netdev egress udplite sport != { 49, 50} accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 17: add rule netdev test-netdev egress udplite dport 80 accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 18: add rule netdev test-netdev egress udplite dport != 60 accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 19: add rule netdev test-netdev egress udplite dport 70-75 accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 20: add rule netdev test-netdev egress udplite dport != 50-60 accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 21: add rule netdev test-netdev egress udplite dport { 49, 50} drop: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 22: add rule netdev test-netdev egress udplite dport != { 49, 50} accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 31: add rule netdev test-netdev egress udplite checksum 6666 drop: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 32: add rule netdev test-netdev egress udplite checksum != { 444, 555} accept: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 33: add rule netdev test-netdev egress udplite checksum 22: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 34: add rule netdev test-netdev egress udplite checksum != 233: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 35: add rule netdev test-netdev egress udplite checksum 33-45: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 36: add rule netdev test-netdev egress udplite checksum != 33-45: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 37: add rule netdev test-netdev egress udplite checksum { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 38: add rule netdev test-netdev egress udplite checksum != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/udplite.t: ERROR: line 38: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/osf.t: ERROR: line 7: add rule ip osfip osfchain osf name "Linux": This rule should not have failed.
|
|
||||||
inet/osf.t: ERROR: line 8: add rule ip osfip osfchain osf ttl loose name "Linux": This rule should not have failed.
|
|
||||||
inet/osf.t: ERROR: line 9: add rule ip osfip osfchain osf ttl skip name "Linux": This rule should not have failed.
|
|
||||||
inet/osf.t: ERROR: line 10: add rule ip osfip osfchain osf ttl skip version "Linux:3.0": This rule should not have failed.
|
|
||||||
inet/osf.t: ERROR: line 15: add rule ip osfip osfchain osf name { "Windows", "MacOs" }: This rule should not have failed.
|
|
||||||
inet/osf.t: ERROR: line 16: add rule ip osfip osfchain osf version { "Windows:XP", "MacOs:Sierra" }: This rule should not have failed.
|
|
||||||
inet/osf.t: ERROR: line 17: add rule ip osfip osfchain ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }: This rule should not have failed.
|
|
||||||
inet/osf.t: ERROR: line 18: add rule ip osfip osfchain ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 }: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/tcp.t: ERROR: line 12: add rule netdev test-netdev egress tcp dport 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 13: add rule netdev test-netdev egress tcp dport != 233: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 14: add rule netdev test-netdev egress tcp dport 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 15: add rule netdev test-netdev egress tcp dport != 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 16: add rule netdev test-netdev egress tcp dport { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 17: add rule netdev test-netdev egress tcp dport != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 18: add rule netdev test-netdev egress tcp dport {telnet, http, https} accept: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 19: add rule netdev test-netdev egress tcp dport vmap { 22 : accept, 23 : drop }: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 20: add rule netdev test-netdev egress tcp dport vmap { 25:accept, 28:drop }: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 21: add rule netdev test-netdev egress tcp dport { 22, 53, 80, 110 }: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 22: add rule netdev test-netdev egress tcp dport != { 22, 53, 80, 110 }: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 26: add rule netdev test-netdev egress tcp sport 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 27: add rule netdev test-netdev egress tcp sport != 233: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 28: add rule netdev test-netdev egress tcp sport 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 29: add rule netdev test-netdev egress tcp sport != 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 30: add rule netdev test-netdev egress tcp sport { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 31: add rule netdev test-netdev egress tcp sport != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 32: add rule netdev test-netdev egress tcp sport vmap { 25:accept, 28:drop }: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 34: add rule netdev test-netdev egress tcp sport 8080 drop: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 35: add rule netdev test-netdev egress tcp sport 1024 tcp dport 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 36: add rule netdev test-netdev egress tcp sport 1024 tcp dport 22 tcp sequence 0: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 38: add rule netdev test-netdev egress tcp sequence 0 tcp sport 1024 tcp dport 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 39: add rule netdev test-netdev egress tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 41: add rule netdev test-netdev egress tcp sequence 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 42: add rule netdev test-netdev egress tcp sequence != 233: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 43: add rule netdev test-netdev egress tcp sequence 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 44: add rule netdev test-netdev egress tcp sequence != 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 45: add rule netdev test-netdev egress tcp sequence { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 46: add rule netdev test-netdev egress tcp sequence != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 48: add rule netdev test-netdev egress tcp ackseq 42949672 drop: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 49: add rule netdev test-netdev egress tcp ackseq 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 50: add rule netdev test-netdev egress tcp ackseq != 233: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 51: add rule netdev test-netdev egress tcp ackseq 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 52: add rule netdev test-netdev egress tcp ackseq != 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 53: add rule netdev test-netdev egress tcp ackseq { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 54: add rule netdev test-netdev egress tcp ackseq != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 66: add rule netdev test-netdev egress tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 67: add rule netdev test-netdev egress tcp flags != { fin, urg, ecn, cwr} drop: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 68: add rule netdev test-netdev egress tcp flags cwr: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 69: add rule netdev test-netdev egress tcp flags != cwr: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 70: add rule netdev test-netdev egress tcp flags == syn: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 71: add rule netdev test-netdev egress tcp flags fin,syn / fin,syn: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 72: add rule netdev test-netdev egress tcp flags != syn / fin,syn: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 73: add rule netdev test-netdev egress tcp flags & syn != 0: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 74: add rule netdev test-netdev egress tcp flags & syn == 0: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 75: add rule netdev test-netdev egress tcp flags & (syn | ack) != 0: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 76: add rule netdev test-netdev egress tcp flags & (syn | ack) == 0: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 78: add rule netdev test-netdev egress tcp flags & syn == syn: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 79: add rule netdev test-netdev egress tcp flags & syn != syn: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 80: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) syn: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 81: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) == syn: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 82: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) != syn: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 83: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) == (syn | ack): This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 84: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) != (syn | ack): This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 85: add rule netdev test-netdev egress tcp flags & (syn | ack) == (syn | ack): This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 86: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 87: add rule netdev test-netdev egress tcp flags { syn, syn | ack }: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 88: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 89: add rule netdev test-netdev egress tcp flags ! fin,rst: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 92: add rule netdev test-netdev egress tcp window 22222: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 93: add rule netdev test-netdev egress tcp window 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 94: add rule netdev test-netdev egress tcp window != 233: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 95: add rule netdev test-netdev egress tcp window 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 96: add rule netdev test-netdev egress tcp window != 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 97: add rule netdev test-netdev egress tcp window { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 98: add rule netdev test-netdev egress tcp window != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 100: add rule netdev test-netdev egress tcp checksum 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 101: add rule netdev test-netdev egress tcp checksum != 233: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 102: add rule netdev test-netdev egress tcp checksum 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 103: add rule netdev test-netdev egress tcp checksum != 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 104: add rule netdev test-netdev egress tcp checksum { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 105: add rule netdev test-netdev egress tcp checksum != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 107: add rule netdev test-netdev egress tcp urgptr 1234 accept: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 108: add rule netdev test-netdev egress tcp urgptr 22: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 109: add rule netdev test-netdev egress tcp urgptr != 233: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 110: add rule netdev test-netdev egress tcp urgptr 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 111: add rule netdev test-netdev egress tcp urgptr != 33-45: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 112: add rule netdev test-netdev egress tcp urgptr { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 113: add rule netdev test-netdev egress tcp urgptr != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 115: add rule netdev test-netdev egress tcp doff 8: This rule should not have failed.
|
|
||||||
inet/tcp.t: ERROR: line 115: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/ip_tcp.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/ip_tcp.t: ERROR: line 10: add rule netdev test-netdev egress ip protocol tcp tcp dport 22: This rule should not have failed.
|
|
||||||
inet/ip_tcp.t: ERROR: line 13: add rule netdev test-netdev egress ip protocol tcp ip saddr 1.2.3.4 tcp dport 22: This rule should not have failed.
|
|
||||||
inet/ip_tcp.t: ERROR: line 16: add rule netdev test-netdev egress ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22: This rule should not have failed.
|
|
||||||
inet/ip_tcp.t: ERROR: line 19: add rule netdev test-netdev egress ip protocol tcp counter tcp dport 22: This rule should not have failed.
|
|
||||||
inet/ip_tcp.t: ERROR: line 21: add rule netdev test-netdev egress ether type ip tcp dport 22: This rule should not have failed.
|
|
||||||
inet/ip_tcp.t: ERROR: line 21: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/meta.t: ERROR: line 23: add rule inet test-inet input meta mark set ct mark >> 8: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/ah.t: ERROR: line 22: add rule netdev test-netdev egress ah hdrlength 11-23: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 23: add rule netdev test-netdev egress ah hdrlength != 11-23: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 24: add rule netdev test-netdev egress ah hdrlength {11, 23, 44 }: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 25: add rule netdev test-netdev egress ah hdrlength != {11, 23, 44 }: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 27: add rule netdev test-netdev egress ah reserved 22: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 28: add rule netdev test-netdev egress ah reserved != 233: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 29: add rule netdev test-netdev egress ah reserved 33-45: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 30: add rule netdev test-netdev egress ah reserved != 33-45: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 31: add rule netdev test-netdev egress ah reserved {23, 100}: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 32: add rule netdev test-netdev egress ah reserved != {23, 100}: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 34: add rule netdev test-netdev egress ah spi 111: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 35: add rule netdev test-netdev egress ah spi != 111: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 36: add rule netdev test-netdev egress ah spi 111-222: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 37: add rule netdev test-netdev egress ah spi != 111-222: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 38: add rule netdev test-netdev egress ah spi {111, 122}: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 39: add rule netdev test-netdev egress ah spi != {111, 122}: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 42: add rule netdev test-netdev egress ah sequence 123: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 43: add rule netdev test-netdev egress ah sequence != 123: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 44: add rule netdev test-netdev egress ah sequence {23, 25, 33}: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 45: add rule netdev test-netdev egress ah sequence != {23, 25, 33}: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 46: add rule netdev test-netdev egress ah sequence 23-33: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 47: add rule netdev test-netdev egress ah sequence != 23-33: This rule should not have failed.
|
|
||||||
inet/ah.t: ERROR: line 47: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/vmap.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/vmap.t: ERROR: line 8: add rule netdev test-netdev egress iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }: This rule should not have failed.
|
|
||||||
inet/vmap.t: ERROR: line 9: add rule inet test-inet input ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }: This rule should not have failed.
|
|
||||||
inet/vmap.t: ERROR: line 10: add rule netdev test-netdev egress udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }: This rule should not have failed.
|
|
||||||
inet/vmap.t: ERROR: line 10: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/ether-ip.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/ether-ip.t: ERROR: line 8: add rule netdev test-netdev egress tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept: This rule should not have failed.
|
|
||||||
inet/ether-ip.t: ERROR: line 9: add rule netdev test-netdev egress tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04: This rule should not have failed.
|
|
||||||
inet/ether-ip.t: ERROR: line 9: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/esp.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/esp.t: ERROR: line 10: add rule netdev test-netdev egress esp spi 100: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 11: add rule netdev test-netdev egress esp spi != 100: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 12: add rule netdev test-netdev egress esp spi 111-222: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 13: add rule netdev test-netdev egress esp spi != 111-222: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 14: add rule netdev test-netdev egress esp spi { 100, 102}: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 15: add rule netdev test-netdev egress esp spi != { 100, 102}: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 17: add rule netdev test-netdev egress esp sequence 22: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 18: add rule netdev test-netdev egress esp sequence 22-24: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 19: add rule netdev test-netdev egress esp sequence != 22-24: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 20: add rule netdev test-netdev egress esp sequence { 22, 24}: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 21: add rule netdev test-netdev egress esp sequence != { 22, 24}: This rule should not have failed.
|
|
||||||
inet/esp.t: ERROR: line 21: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/sctp.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
inet/sctp.t: ERROR: line 10: add rule netdev test-netdev egress sctp sport 23: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 11: add rule netdev test-netdev egress sctp sport != 23: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 12: add rule netdev test-netdev egress sctp sport 23-44: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 13: add rule netdev test-netdev egress sctp sport != 23-44: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 14: add rule netdev test-netdev egress sctp sport { 23, 24, 25}: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 15: add rule netdev test-netdev egress sctp sport != { 23, 24, 25}: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 17: add rule netdev test-netdev egress sctp dport 23: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 18: add rule netdev test-netdev egress sctp dport != 23: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 19: add rule netdev test-netdev egress sctp dport 23-44: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 20: add rule netdev test-netdev egress sctp dport != 23-44: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 21: add rule netdev test-netdev egress sctp dport { 23, 24, 25}: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 22: add rule netdev test-netdev egress sctp dport != { 23, 24, 25}: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 24: add rule netdev test-netdev egress sctp checksum 1111: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 25: add rule netdev test-netdev egress sctp checksum != 11: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 26: add rule netdev test-netdev egress sctp checksum 21-333: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 27: add rule netdev test-netdev egress sctp checksum != 32-111: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 28: add rule netdev test-netdev egress sctp checksum { 22, 33, 44}: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 29: add rule netdev test-netdev egress sctp checksum != { 22, 33, 44}: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 31: add rule netdev test-netdev egress sctp vtag 22: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 32: add rule netdev test-netdev egress sctp vtag != 233: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 33: add rule netdev test-netdev egress sctp vtag 33-45: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 34: add rule netdev test-netdev egress sctp vtag != 33-45: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 35: add rule netdev test-netdev egress sctp vtag {33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 36: add rule netdev test-netdev egress sctp vtag != {33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 39: add rule netdev test-netdev egress sctp chunk data exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 40: add rule netdev test-netdev egress sctp chunk init exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 41: add rule netdev test-netdev egress sctp chunk init-ack exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 42: add rule netdev test-netdev egress sctp chunk sack exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 43: add rule netdev test-netdev egress sctp chunk heartbeat exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 44: add rule netdev test-netdev egress sctp chunk heartbeat-ack exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 45: add rule netdev test-netdev egress sctp chunk abort exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 46: add rule netdev test-netdev egress sctp chunk shutdown exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 47: add rule netdev test-netdev egress sctp chunk shutdown-ack exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 48: add rule netdev test-netdev egress sctp chunk error exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 49: add rule netdev test-netdev egress sctp chunk cookie-echo exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 50: add rule netdev test-netdev egress sctp chunk cookie-ack exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 51: add rule netdev test-netdev egress sctp chunk ecne exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 52: add rule netdev test-netdev egress sctp chunk cwr exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 53: add rule netdev test-netdev egress sctp chunk shutdown-complete exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 54: add rule netdev test-netdev egress sctp chunk asconf-ack exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 55: add rule netdev test-netdev egress sctp chunk forward-tsn exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 56: add rule netdev test-netdev egress sctp chunk asconf exists: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 59: add rule netdev test-netdev egress sctp chunk data type 0: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 60: add rule netdev test-netdev egress sctp chunk init flags 23: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 61: add rule netdev test-netdev egress sctp chunk init-ack length 42: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 64: add rule netdev test-netdev egress sctp chunk data stream 1337: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 65: add rule netdev test-netdev egress sctp chunk init initial-tsn 5: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 66: add rule netdev test-netdev egress sctp chunk init-ack num-outbound-streams 3: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 67: add rule netdev test-netdev egress sctp chunk sack a-rwnd 1: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 68: add rule netdev test-netdev egress sctp chunk shutdown cum-tsn-ack 65535: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 69: add rule netdev test-netdev egress sctp chunk ecne lowest-tsn 5: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 70: add rule netdev test-netdev egress sctp chunk cwr lowest-tsn 8: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 71: add rule netdev test-netdev egress sctp chunk asconf-ack seqno 12345: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 72: add rule netdev test-netdev egress sctp chunk forward-tsn new-cum-tsn 31337: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 73: add rule netdev test-netdev egress sctp chunk asconf seqno 12345: This rule should not have failed.
|
|
||||||
inet/sctp.t: ERROR: line 73: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
inet/socket.t: ERROR: line 11: add rule ip sockip4 sockchain socket mark 0x00000005: This rule should not have failed.
|
|
||||||
inet/socket.t: ERROR: line 13: add rule ip sockip4 sockchain socket wildcard 0: This rule should not have failed.
|
|
||||||
inet/socket.t: ERROR: line 14: add rule ip sockip4 sockchain socket wildcard 1: This rule should not have failed.
|
|
||||||
ip/objects.t: ERROR: line 37: add ct timeout ip test-ip4 cttime1 { protocol tcp; policy = { established:122 } ;}: I cannot add the ct timeout cttime1
|
|
||||||
ip/objects.t: ERROR: line 39: add ct timeout ip test-ip4 cttime3 { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;}: I cannot add the ct timeout cttime3
|
|
||||||
ip/objects.t: ERROR: line 40: add ct timeout ip test-ip4 cttime4 { protocol udp; policy = { replied:14, unreplied:19 } ;}: I cannot add the ct timeout cttime4
|
|
||||||
ip/objects.t: ERROR: line 43: add rule ip test-ip4 output ct timeout set "cttime1": This rule should not have failed.
|
|
||||||
ip/objects.t: ERROR: line 46: add ct expectation ip test-ip4 ctexpect1 { protocol tcp; dport 1234; timeout 2m; size 12; }: I cannot add the ct expectation ctexpect1
|
|
||||||
ip/objects.t: ERROR: line 50: add ct expectation ip test-ip4 ctexpect5 { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; }: I cannot add the ct expectation ctexpect5
|
|
||||||
ip/objects.t: ERROR: line 52: add rule ip test-ip4 output ct expectation set "ctexpect1": This rule should not have failed.
|
|
||||||
ip/objects.t: ERROR: line 55: add synproxy ip test-ip4 synproxy1 mss 1460 wscale 7: I cannot add the synproxy synproxy1
|
|
||||||
ip/objects.t: ERROR: line 56: add synproxy ip test-ip4 synproxy2 mss 1460 wscale 7 timestamp sack-perm: I cannot add the synproxy synproxy2
|
|
||||||
ip/objects.t: ERROR: line 58: add rule ip test-ip4 output synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"}: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
ip/sets.t: ERROR: line 32: add rule netdev test-netdev egress ip saddr @set1 drop: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 33: add rule netdev test-netdev egress ip saddr != @set1 drop: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 34: add rule netdev test-netdev egress ip saddr @set2 drop: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 35: add rule netdev test-netdev egress ip saddr != @set2 drop: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 52: add rule netdev test-netdev egress ip saddr . ip daddr @set5 drop: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 53: add rule netdev test-netdev egress add @set5 { ip saddr . ip daddr }: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 56: add rule netdev test-netdev egress ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 57: add rule netdev test-netdev egress ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 60: add element ip test-ip4 set6 { 192.168.3.5, * }: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 61: add rule netdev test-netdev egress ip saddr @set6 drop: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 63: add rule ip test-ip4 input ip saddr vmap { 1.1.1.1 : drop, * : accept }: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 64: add rule ip test-ip4 input meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }: This rule should not have failed.
|
|
||||||
ip/sets.t: ERROR: line 65: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
ip/ip.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
ip/ip.t: ERROR: line 28: add rule netdev test-netdev egress ip dscp cs1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 29: add rule netdev test-netdev egress ip dscp != cs1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 30: add rule netdev test-netdev egress ip dscp 0x38: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 31: add rule netdev test-netdev egress ip dscp != 0x20: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 32: add rule netdev test-netdev egress ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 34: add rule netdev test-netdev egress ip dscp != {cs0, cs3}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 35: add rule netdev test-netdev egress ip dscp vmap { cs1 : continue , cs4 : accept } counter: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 37: add rule netdev test-netdev egress ip length 232: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 38: add rule netdev test-netdev egress ip length != 233: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 39: add rule netdev test-netdev egress ip length 333-435: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 40: add rule netdev test-netdev egress ip length != 333-453: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 41: add rule netdev test-netdev egress ip length { 333, 553, 673, 838}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 42: add rule netdev test-netdev egress ip length != { 333, 553, 673, 838}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 44: add rule netdev test-netdev egress ip id 22: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 45: add rule netdev test-netdev egress ip id != 233: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 46: add rule netdev test-netdev egress ip id 33-45: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 47: add rule netdev test-netdev egress ip id != 33-45: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 48: add rule netdev test-netdev egress ip id { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 49: add rule netdev test-netdev egress ip id != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 51: add rule netdev test-netdev egress ip frag-off 222 accept: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 52: add rule netdev test-netdev egress ip frag-off != 233: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 53: add rule netdev test-netdev egress ip frag-off 33-45: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 54: add rule netdev test-netdev egress ip frag-off != 33-45: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 55: add rule netdev test-netdev egress ip frag-off { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 56: add rule netdev test-netdev egress ip frag-off != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 58: add rule netdev test-netdev egress ip ttl 0 drop: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 59: add rule netdev test-netdev egress ip ttl 233: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 60: add rule netdev test-netdev egress ip ttl 33-55: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 61: add rule netdev test-netdev egress ip ttl != 45-50: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 62: add rule netdev test-netdev egress ip ttl {43, 53, 45 }: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 63: add rule netdev test-netdev egress ip ttl != {43, 53, 45 }: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 65: add rule netdev test-netdev egress ip protocol tcp: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 66: add rule netdev test-netdev egress ip protocol != tcp: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 67: add rule netdev test-netdev egress ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 68: add rule netdev test-netdev egress ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 70: add rule netdev test-netdev egress ip protocol 255: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 73: add rule netdev test-netdev egress ip checksum 13172 drop: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 74: add rule netdev test-netdev egress ip checksum 22: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 75: add rule netdev test-netdev egress ip checksum != 233: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 76: add rule netdev test-netdev egress ip checksum 33-45: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 77: add rule netdev test-netdev egress ip checksum != 33-45: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 78: add rule netdev test-netdev egress ip checksum { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 79: add rule netdev test-netdev egress ip checksum != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 83: add rule netdev test-netdev egress ip saddr 192.168.2.0/24: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 84: add rule netdev test-netdev egress ip saddr != 192.168.2.0/24: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 85: add rule netdev test-netdev egress ip saddr 192.168.3.1 ip daddr 192.168.3.100: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 86: add rule netdev test-netdev egress ip saddr != 1.1.1.1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 87: add rule netdev test-netdev egress ip saddr 1.1.1.1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 88: add rule netdev test-netdev egress ip daddr 192.168.0.1-192.168.0.250: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 89: add rule netdev test-netdev egress ip daddr 10.0.0.0-10.255.255.255: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 90: add rule netdev test-netdev egress ip daddr 172.16.0.0-172.31.255.255: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 91: add rule netdev test-netdev egress ip daddr 192.168.3.1-192.168.4.250: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 92: add rule netdev test-netdev egress ip daddr != 192.168.0.1-192.168.0.250: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 93: add rule netdev test-netdev egress ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 94: add rule netdev test-netdev egress ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 96: add rule netdev test-netdev egress ip daddr 192.168.1.2-192.168.1.55: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 97: add rule netdev test-netdev egress ip daddr != 192.168.1.2-192.168.1.55: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 98: add rule netdev test-netdev egress ip saddr 192.168.1.3-192.168.33.55: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 99: add rule netdev test-netdev egress ip saddr != 192.168.1.3-192.168.33.55: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 101: add rule netdev test-netdev egress ip daddr 192.168.0.1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 102: add rule netdev test-netdev egress ip daddr 192.168.0.1 drop: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 103: add rule netdev test-netdev egress ip daddr 192.168.0.2: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 105: add rule netdev test-netdev egress ip saddr & 0xff == 1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 106: add rule netdev test-netdev egress ip saddr & 0.0.0.255 < 0.0.0.127: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 108: add rule netdev test-netdev egress ip saddr & 0xffff0000 == 0xffff0000: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 110: add rule netdev test-netdev egress ip version 4 ip hdrlength 5: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 111: add rule netdev test-netdev egress ip hdrlength 0: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 112: add rule netdev test-netdev egress ip hdrlength 15: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 113: add rule netdev test-netdev egress ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 117: add rule netdev test-netdev egress iif "lo" ip daddr set 127.0.0.1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 118: add rule netdev test-netdev egress iif "lo" ip checksum set 0: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 119: add rule netdev test-netdev egress iif "lo" ip id set 0: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 120: add rule netdev test-netdev egress iif "lo" ip ecn set 1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 121: add rule netdev test-netdev egress iif "lo" ip ecn set ce: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 122: add rule netdev test-netdev egress iif "lo" ip ttl set 23: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 123: add rule netdev test-netdev egress iif "lo" ip protocol set 1: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 125: add rule netdev test-netdev egress iif "lo" ip dscp set af23: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 126: add rule netdev test-netdev egress iif "lo" ip dscp set cs0: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 128: add rule netdev test-netdev egress ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 129: add rule netdev test-netdev egress ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }: This rule should not have failed.
|
|
||||||
ip/ip.t: ERROR: line 129: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
ip/snat.t: ERROR: line 17: add rule ip test-ip4 postrouting snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }: This rule should not have failed.
|
|
||||||
ip/meta.t: ERROR: line 16: add rule ip test-ip4 input meta sdif "lo" accept: This rule should not have failed.
|
|
||||||
ip/meta.t: ERROR: line 17: add rule ip test-ip4 input meta sdifname != "vrf1" accept: This rule should not have failed.
|
|
||||||
ip6/sets.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
ip6/sets.t: ERROR: line 25: add rule netdev test-netdev egress ip6 saddr @set2 drop: This rule should not have failed.
|
|
||||||
ip6/sets.t: ERROR: line 26: add rule netdev test-netdev egress ip6 saddr != @set2 drop: This rule should not have failed.
|
|
||||||
ip6/sets.t: ERROR: line 42: add rule netdev test-netdev egress ip6 saddr . ip6 daddr @set5 drop: This rule should not have failed.
|
|
||||||
ip6/sets.t: ERROR: line 43: add rule netdev test-netdev egress add @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed.
|
|
||||||
ip6/sets.t: ERROR: line 44: add rule ip6 test-ip6 input delete @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed.
|
|
||||||
ip6/sets.t: ERROR: line 44: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
ip6/frag.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
ip6/frag.t: ERROR: line 9: add rule netdev test-netdev egress frag nexthdr tcp: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 10: add rule netdev test-netdev egress frag nexthdr != icmp: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 11: add rule netdev test-netdev egress frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 12: add rule netdev test-netdev egress frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 13: add rule netdev test-netdev egress frag nexthdr esp: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 14: add rule netdev test-netdev egress frag nexthdr ah: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 16: add rule netdev test-netdev egress frag reserved 22: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 17: add rule netdev test-netdev egress frag reserved != 233: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 18: add rule netdev test-netdev egress frag reserved 33-45: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 19: add rule netdev test-netdev egress frag reserved != 33-45: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 20: add rule netdev test-netdev egress frag reserved { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 21: add rule netdev test-netdev egress frag reserved != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 23: add rule netdev test-netdev egress frag frag-off 22: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 24: add rule netdev test-netdev egress frag frag-off != 233: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 25: add rule netdev test-netdev egress frag frag-off 33-45: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 26: add rule netdev test-netdev egress frag frag-off != 33-45: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 27: add rule netdev test-netdev egress frag frag-off { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 28: add rule netdev test-netdev egress frag frag-off != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 30: add rule netdev test-netdev egress frag reserved2 1: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 31: add rule netdev test-netdev egress frag more-fragments 0: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 32: add rule netdev test-netdev egress frag more-fragments 1: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 34: add rule netdev test-netdev egress frag id 1: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 35: add rule netdev test-netdev egress frag id 22: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 36: add rule netdev test-netdev egress frag id != 33: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 37: add rule netdev test-netdev egress frag id 33-45: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 38: add rule netdev test-netdev egress frag id != 33-45: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 39: add rule netdev test-netdev egress frag id { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 40: add rule netdev test-netdev egress frag id != { 33, 55, 67, 88}: This rule should not have failed.
|
|
||||||
ip6/frag.t: ERROR: line 40: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
ip6/meta.t: ERROR: line 15: add rule ip6 test-ip6 input meta sdif "lo" accept: This rule should not have failed.
|
|
||||||
ip6/meta.t: ERROR: line 16: add rule ip6 test-ip6 input meta sdifname != "vrf1" accept: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 3: I cannot create the chain 'egress'
|
|
||||||
ip6/vmap.t: ERROR: line 9: add rule netdev test-netdev egress ip6 saddr vmap { abcd::3 : accept }: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 14: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 15: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 16: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 17: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 18: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 19: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 20: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 21: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 22: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 23: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 24: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 25: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 26: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 27: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 28: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 29: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 30: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 31: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 32: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 33: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 34: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 35: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 36: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 37: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 38: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 39: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 40: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:: : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 41: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 42: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 43: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 44: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:: : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 45: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 46: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 47: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:: : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 48: add rule netdev test-netdev egress ip6 saddr vmap { ::1234 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 49: add rule netdev test-netdev egress ip6 saddr vmap { 1234:: : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 50: add rule netdev test-netdev egress ip6 saddr vmap { ::/64 : accept}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 52: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 53: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 54: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 55: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop}: This rule should not have failed.
|
|
||||||
ip6/vmap.t: ERROR: line 58: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
netdev/fwd.t: ERROR: line 2: I cannot create the chain 'egress'
|
|
||||||
netdev/fwd.t: ERROR: line 6: add rule netdev test-netdev egress fwd to "lo": This rule should not have failed.
|
|
||||||
netdev/fwd.t: ERROR: line 7: add rule netdev test-netdev egress fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}: This rule should not have failed.
|
|
||||||
netdev/fwd.t: ERROR: line 9: add rule netdev test-netdev egress fwd ip to 192.168.2.200 device "lo": This rule should not have failed.
|
|
||||||
netdev/fwd.t: ERROR: line 9: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
||||||
netdev/reject.t: ERROR: line 5: add rule netdev test-netdev ingress reject with icmp host-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 6: add rule netdev test-netdev ingress reject with icmp net-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 7: add rule netdev test-netdev ingress reject with icmp prot-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 8: add rule netdev test-netdev ingress reject with icmp port-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 9: add rule netdev test-netdev ingress reject with icmp net-prohibited: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 10: add rule netdev test-netdev ingress reject with icmp host-prohibited: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 11: add rule netdev test-netdev ingress reject with icmp admin-prohibited: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 13: add rule netdev test-netdev ingress reject with icmpv6 no-route: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 14: add rule netdev test-netdev ingress reject with icmpv6 admin-prohibited: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 15: add rule netdev test-netdev ingress reject with icmpv6 addr-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 16: add rule netdev test-netdev ingress reject with icmpv6 port-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 17: add rule netdev test-netdev ingress reject with icmpv6 policy-fail: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 18: add rule netdev test-netdev ingress reject with icmpv6 reject-route: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 20: add rule netdev test-netdev ingress mark 12345 reject with tcp reset: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 22: add rule netdev test-netdev ingress reject: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 23: add rule netdev test-netdev ingress meta protocol ip reject: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 24: add rule netdev test-netdev ingress meta protocol ip6 reject: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 26: add rule netdev test-netdev ingress reject with icmpx host-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 27: add rule netdev test-netdev ingress reject with icmpx no-route: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 28: add rule netdev test-netdev ingress reject with icmpx admin-prohibited: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 29: add rule netdev test-netdev ingress reject with icmpx port-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 31: add rule netdev test-netdev ingress meta protocol ip reject with icmp host-unreachable: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 32: add rule netdev test-netdev ingress meta protocol ip6 reject with icmpv6 no-route: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 39: add rule netdev test-netdev ingress meta protocol ip reject with icmpx admin-prohibited: This rule should not have failed.
|
|
||||||
netdev/reject.t: ERROR: line 40: add rule netdev test-netdev ingress meta protocol ip6 reject with icmpx admin-prohibited: This rule should not have failed.
|
|
||||||
netdev/dup.t: ERROR: line 2: I cannot create the chain 'egress'
|
|
||||||
netdev/dup.t: ERROR: line 6: add rule netdev test-netdev egress dup to "lo": This rule should not have failed.
|
|
||||||
netdev/dup.t: ERROR: line 7: add rule netdev test-netdev egress dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}: This rule should not have failed.
|
|
||||||
netdev/dup.t: ERROR: line 8: The chain egress does not exist in netdev test-netdev. I cannot delete it.
|
|
@ -1,27 +0,0 @@
|
|||||||
W: [FAILED] ././tests/shell/testcases/cache/0008_delete_by_handle_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/cache/0010_implicit_chain_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/chains/0021prio_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/chains/0040mark_shift_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/chains/0040mark_shift_1
|
|
||||||
W: [FAILED] ././tests/shell/testcases/chains/0041chain_binding_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/chains/0043chain_ingress_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/flowtable/0013addafterdelete_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/flowtable/0014addafterdelete_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/listing/0013objects_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/maps/0011vmap_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/maps/typeof_integer_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/maps/typeof_maps_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/maps/typeof_raw_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/nft-f/0017ct_timeout_obj_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/nft-f/0018ct_expectation_obj_0
|
|
||||||
W: [DUMP FAIL] ././tests/shell/testcases/optionals/comments_chain_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/optionals/comments_objects_0
|
|
||||||
W: [DUMP FAIL] ././tests/shell/testcases/optionals/comments_table_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/owner/0001-flowtable-uaf
|
|
||||||
W: [FAILED] ././tests/shell/testcases/sets/0024named_objects_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/sets/0044interval_overlap_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/sets/0046netmap_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/sets/0063set_catchall_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/sets/0064map_catchall_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/sets/typeof_raw_0
|
|
||||||
W: [FAILED] ././tests/shell/testcases/sets/typeof_sets_0
|
|
@ -1,532 +0,0 @@
|
|||||||
%define nft_rpmversion 1.0.4
|
|
||||||
%define nft_specrelease 4
|
|
||||||
%define libnftnl_ver 1.2.2-1
|
|
||||||
|
|
||||||
Name: nftables
|
|
||||||
Version: %{nft_rpmversion}
|
|
||||||
Release: %{nft_specrelease}%{?dist}%{?buildid}
|
|
||||||
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
|
|
||||||
Epoch: 1
|
|
||||||
Summary: Netfilter Tables userspace utillites
|
|
||||||
|
|
||||||
License: GPLv2
|
|
||||||
URL: https://netfilter.org/projects/nftables/
|
|
||||||
Source0: %{url}/files/%{name}-%{version}.tar.bz2
|
|
||||||
Source1: nftables.service
|
|
||||||
Source2: nftables.conf
|
|
||||||
Source3: main.nft
|
|
||||||
Source4: router.nft
|
|
||||||
Source5: nat.nft
|
|
||||||
Source6: nft-test.stderr.expect
|
|
||||||
Source7: run-tests.stderr.expect
|
|
||||||
Source8: monitor-run-tests.stderr.expect
|
|
||||||
|
|
||||||
Patch1: 0001-tests-shell-runtime-set-element-automerge.patch
|
|
||||||
Patch2: 0002-rule-collapse-set-element-commands.patch
|
|
||||||
Patch3: 0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch
|
|
||||||
Patch4: 0004-intervals-do-not-empty-cache-for-maps.patch
|
|
||||||
Patch5: 0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch
|
|
||||||
Patch6: 0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch
|
|
||||||
Patch7: 0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch
|
|
||||||
Patch8: 0008-parser-add-missing-synproxy-scope-closure.patch
|
|
||||||
Patch9: 0009-scanner-don-t-pop-active-flex-scanner-scope.patch
|
|
||||||
Patch10: 0010-intervals-fix-crash-when-trying-to-remove-element-in.patch
|
|
||||||
Patch11: 0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch
|
|
||||||
Patch12: 0012-netlink_delinearize-allow-postprocessing-on-concaten.patch
|
|
||||||
Patch13: 0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch
|
|
||||||
Patch14: 0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch
|
|
||||||
Patch15: 0015-debug-dump-the-l2-protocol-stack.patch
|
|
||||||
Patch16: 0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch
|
|
||||||
Patch17: 0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch
|
|
||||||
Patch18: 0018-evaluate-search-stacked-header-list-for-matching-pay.patch
|
|
||||||
Patch19: 0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch
|
|
||||||
Patch20: 0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch
|
|
||||||
Patch21: 0021-monitor-Sanitize-startup-race-condition.patch
|
|
||||||
Patch22: 0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch
|
|
||||||
Patch23: 0023-netlink_linearize-fix-timeout-with-map-updates.patch
|
|
||||||
Patch24: 0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch
|
|
||||||
Patch25: 0025-owner-Fix-potential-array-out-of-bounds-access.patch
|
|
||||||
Patch26: 0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
|
|
||||||
Patch27: 0027-meta-parse_iso_date-returns-boolean.patch
|
|
||||||
Patch28: 0028-netlink-Fix-for-potential-NULL-pointer-deref.patch
|
|
||||||
Patch29: 0029-optimize-Do-not-return-garbage-from-stack.patch
|
|
||||||
Patch30: 0030-optimize-Clarify-chain_optimize-array-allocations.patch
|
|
||||||
Patch31: 0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch
|
|
||||||
Patch32: 0032-tests-monitor-Summarize-failures-per-test-case.patch
|
|
||||||
Patch33: 0033-rule-check-address-family-in-set-collapse.patch
|
|
||||||
Patch34: 0034-parser_bison-Fix-for-broken-compatibility-with-older.patch
|
|
||||||
|
|
||||||
BuildRequires: autoconf
|
|
||||||
BuildRequires: automake
|
|
||||||
BuildRequires: libtool
|
|
||||||
BuildRequires: make
|
|
||||||
BuildRequires: gcc
|
|
||||||
BuildRequires: flex
|
|
||||||
BuildRequires: bison
|
|
||||||
BuildRequires: pkgconfig(libmnl) >= 1.0.4
|
|
||||||
BuildRequires: gmp-devel
|
|
||||||
BuildRequires: readline-devel
|
|
||||||
BuildRequires: pkgconfig(libnftnl) >= %{libnftnl_ver}
|
|
||||||
BuildRequires: systemd
|
|
||||||
BuildRequires: asciidoc
|
|
||||||
BuildRequires: pkgconfig(xtables) >= 1.6.1
|
|
||||||
BuildRequires: jansson-devel
|
|
||||||
BuildRequires: python3-devel
|
|
||||||
|
|
||||||
Requires: libnftnl >= %{libnftnl_ver}
|
|
||||||
|
|
||||||
%description
|
|
||||||
Netfilter Tables userspace utilities.
|
|
||||||
|
|
||||||
%package devel
|
|
||||||
Summary: Development library for nftables / libnftables
|
|
||||||
Group: Development/Libraries
|
|
||||||
Requires: %{name} = %{epoch}:%{version}-%{release}
|
|
||||||
Requires: pkgconfig
|
|
||||||
|
|
||||||
%description devel
|
|
||||||
Development tools and static libraries and header files for the libnftables library.
|
|
||||||
|
|
||||||
%package -n python3-nftables
|
|
||||||
Summary: Python module providing an interface to libnftables
|
|
||||||
Requires: %{name} = %{epoch}:%{version}-%{release}
|
|
||||||
|
|
||||||
%description -n python3-nftables
|
|
||||||
The nftables python module provides an interface to libnftables via ctypes.
|
|
||||||
|
|
||||||
%prep
|
|
||||||
%autosetup -p1
|
|
||||||
cp -a %{SOURCE6} ./tests/py/
|
|
||||||
cp -a %{SOURCE7} ./tests/shell/
|
|
||||||
cp -a %{SOURCE8} ./tests/monitor/run-tests.stderr.expect
|
|
||||||
|
|
||||||
%build
|
|
||||||
autoreconf -fi
|
|
||||||
rm -Rf autom4te*.cache config.h.in~
|
|
||||||
%configure --disable-silent-rules --with-json --with-xtables \
|
|
||||||
--enable-python --with-python-bin=%{__python3} --with-cli=readline
|
|
||||||
make %{?_smp_mflags}
|
|
||||||
|
|
||||||
%install
|
|
||||||
%make_install
|
|
||||||
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
|
||||||
|
|
||||||
# Don't ship static lib (for now at least)
|
|
||||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
|
|
||||||
|
|
||||||
chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
|
|
||||||
|
|
||||||
mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
|
|
||||||
cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
|
|
||||||
|
|
||||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
|
|
||||||
cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
|
|
||||||
|
|
||||||
rm $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft
|
|
||||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
|
|
||||||
$RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
|
|
||||||
|
|
||||||
find $RPM_BUILD_ROOT/%{_sysconfdir} \
|
|
||||||
\( -type d -exec chmod 0700 {} \; \) , \
|
|
||||||
\( -type f -exec chmod 0600 {} \; \)
|
|
||||||
|
|
||||||
# make nftables.py use the real library file name
|
|
||||||
# to avoid nftables-devel package dependency
|
|
||||||
sofile=$(readlink $RPM_BUILD_ROOT/%{_libdir}/libnftables.so)
|
|
||||||
sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
|
|
||||||
$RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
|
|
||||||
touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
|
|
||||||
|
|
||||||
%post
|
|
||||||
%systemd_post nftables.service
|
|
||||||
|
|
||||||
%preun
|
|
||||||
%systemd_preun nftables.service
|
|
||||||
|
|
||||||
%postun
|
|
||||||
%systemd_postun_with_restart nftables.service
|
|
||||||
|
|
||||||
%post devel
|
|
||||||
%ldconfig_post
|
|
||||||
|
|
||||||
%postun devel
|
|
||||||
%ldconfig_postun
|
|
||||||
|
|
||||||
%files
|
|
||||||
%license COPYING
|
|
||||||
%config(noreplace) %{_sysconfdir}/nftables/
|
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
|
|
||||||
%{_sbindir}/nft
|
|
||||||
%{_libdir}/libnftables.so.*
|
|
||||||
%{_mandir}/man5/libnftables-json.5*
|
|
||||||
%{_mandir}/man8/nft*
|
|
||||||
%{_unitdir}/nftables.service
|
|
||||||
%{_docdir}/nftables/examples/*.nft
|
|
||||||
|
|
||||||
%files devel
|
|
||||||
%{_libdir}/libnftables.so
|
|
||||||
%{_libdir}/pkgconfig/libnftables.pc
|
|
||||||
%{_includedir}/nftables/libnftables.h
|
|
||||||
%{_mandir}/man3/libnftables.3*
|
|
||||||
|
|
||||||
%files -n python3-nftables
|
|
||||||
%{python3_sitelib}/nftables-*.egg-info
|
|
||||||
%{python3_sitelib}/nftables/
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
* Wed Nov 15 2023 Phil Sutter <psutter@redhat.com> [1.0.4-4.el8]
|
|
||||||
- parser_bison: Fix for broken compatibility with older dumps (Phil Sutter) [RHEL-2596]
|
|
||||||
|
|
||||||
* Thu Sep 21 2023 Phil Sutter <psutter@redhat.com> [1.0.4-3.el8]
|
|
||||||
- spec: Rename variables to avoid a clash (Phil Sutter) [INTERNAL]
|
|
||||||
- rule: check address family in set collapse (Phil Sutter) [RHEL-5160]
|
|
||||||
|
|
||||||
* Thu Jul 20 2023 Phil Sutter <psutter@redhat.com> [1.0.4-2.el8]
|
|
||||||
- Add expected error records for testsuite runs (Phil Sutter) [2211076]
|
|
||||||
- tests: monitor: Summarize failures per test case (Phil Sutter) [2211076]
|
|
||||||
|
|
||||||
* Tue May 30 2023 Phil Sutter <psutter@redhat.com> [1.0.4-1.el8]
|
|
||||||
- Synchronize patch level with nftables-1.0.4-10.el9 (Phil Sutter) [2211076]
|
|
||||||
- Rebase onto version 1.0.4 (Phil Sutter) [2211076]
|
|
||||||
|
|
||||||
* Thu Apr 28 2022 Phil Sutter <psutter@redhat.com> [0.9.3-26.el8]
|
|
||||||
- libnftables: call nft_cmd_expand() only with CMD_ADD (Phil Sutter) [2073287]
|
|
||||||
- src: add CMD_OBJ_SETELEMS (Phil Sutter) [2073287]
|
|
||||||
- src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS (Phil Sutter) [2073287]
|
|
||||||
- rule: fix element cache update in __do_add_setelems() (Phil Sutter) [2073287]
|
|
||||||
- rule: memleak in __do_add_setelems() (Phil Sutter) [2073287]
|
|
||||||
- tests: shell: auto-removal of chain hook on netns removal (Phil Sutter) [2070924]
|
|
||||||
- mnl: do not use expr->identifier to fetch device name (Phil Sutter) [2070924]
|
|
||||||
|
|
||||||
* Fri Feb 04 2022 Phil Sutter <psutter@redhat.com> [0.9.3-25.el8]
|
|
||||||
- mnl: do not build nftnl_set element list (Phil Sutter) [2047821]
|
|
||||||
- tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773]
|
|
||||||
- evaluate: fix inet nat with no layer 3 info (Phil Sutter) [2030773]
|
|
||||||
- evaluate: attempt to set_eval flag if dynamic updates requested (Phil Sutter) [2039594]
|
|
||||||
- src: support for restoring element counters (Phil Sutter) [2039594]
|
|
||||||
- netlink: remove unused parameter from netlink_gen_stmt_stateful() (Phil Sutter) [2039594]
|
|
||||||
|
|
||||||
* Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> [0.9.3-24.el8]
|
|
||||||
- tests: shell: better parameters for the interval stack overflow test (Phil Sutter) [1908127]
|
|
||||||
- tests: shell: $NFT needs to be invoked unquoted (Phil Sutter) [1908127]
|
|
||||||
|
|
||||||
* Fri Nov 05 2021 Phil Sutter <psutter@redhat.com> [0.9.3-23.el8]
|
|
||||||
- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") (Phil Sutter) [1908127]
|
|
||||||
- segtree: Fix segfault when restoring a huge interval set (Phil Sutter) [1908127]
|
|
||||||
|
|
||||||
* Wed Oct 06 2021 Phil Sutter <psutter@redhat.com> [0.9.3-22.el8]
|
|
||||||
- json: Drop pointless assignment in exthdr_expr_json() (Phil Sutter) [1999059]
|
|
||||||
- parser_json: Fix for memleak in tcp option error path (Phil Sutter) [1999059]
|
|
||||||
- parser_bison: Fix for implicit declaration of isalnum (Phil Sutter) [1999059]
|
|
||||||
- parser_json: Fix error reporting for invalid syntax (Phil Sutter) [1994141]
|
|
||||||
|
|
||||||
* Mon Aug 02 2021 Phil Sutter <psutter@redhat.com> [0.9.3-21.el8]
|
|
||||||
- tests: shell: Fix bogus testsuite failure with 100Hz (Phil Sutter) [1919203]
|
|
||||||
- doc: nft.8: Extend monitor description by trace (Phil Sutter) [1820365]
|
|
||||||
- include: missing sctp_chunk.h in Makefile.am (Phil Sutter) [1979334]
|
|
||||||
- exthdr: Implement SCTP Chunk matching (Phil Sutter) [1979334]
|
|
||||||
- scanner: sctp: Move to own scope (Phil Sutter) [1979334]
|
|
||||||
- scanner: introduce start condition stack (Phil Sutter) [1979334]
|
|
||||||
- json: Simplify non-tcpopt exthdr printing a bit (Phil Sutter) [1979334]
|
|
||||||
- json: tcp: add raw tcp option match support (Phil Sutter) [1979334]
|
|
||||||
- tcp: add raw tcp option match support (Phil Sutter) [1979334]
|
|
||||||
- tcpopt: allow to check for presence of any tcp option (Phil Sutter) [1979334]
|
|
||||||
- tcpopt: split tcpopt_hdr_fields into per-option enum (Phil Sutter) [1979334]
|
|
||||||
- tcpopt: rename noop to nop (Phil Sutter) [1979334]
|
|
||||||
- tcpopts: clean up parser -> tcpopt.c plumbing (Phil Sutter) [1979334]
|
|
||||||
- parser: merge sack-perm/sack-permitted and maxseg/mss (Phil Sutter) [1979334]
|
|
||||||
- tests/py: Move tcpopt.t to any/ directory (Phil Sutter) [1979334]
|
|
||||||
|
|
||||||
* Thu May 20 2021 Phil Sutter <psutter@redhat.com> [0.9.3-20.el8]
|
|
||||||
- src: Optimize prefix matches on byte-boundaries (Phil Sutter) [1934926]
|
|
||||||
- src: Support odd-sized payload matches (Phil Sutter) [1934926]
|
|
||||||
- spec: Add an rpminspect.yaml file to steer rpminspect (Phil Sutter) [1962184]
|
|
||||||
- spec: Explicitly state dist string in Release tag (Phil Sutter) [1962184]
|
|
||||||
|
|
||||||
* Wed May 19 2021 Phil Sutter <psutter@redhat.com> [0.9.3-19.el8]
|
|
||||||
- evaluate: Reject quoted strings containing only wildcard (Phil Sutter) [1818117]
|
|
||||||
- tests: monitor: use correct $nft value in EXIT trap (Phil Sutter) [1919203]
|
|
||||||
- monitor: Fix for use after free when printing map elements (Phil Sutter) [1919203]
|
|
||||||
- tests: Disable tests known to fail on RHEL8 (Phil Sutter) [1919203]
|
|
||||||
|
|
||||||
* Sat Feb 20 2021 Phil Sutter <psutter@redhat.com> [0.9.3-18.el8]
|
|
||||||
- json: init parser state for every new buffer/file (Phil Sutter) [1930873]
|
|
||||||
|
|
||||||
* Tue Jan 12 2021 Phil Sutter <psutter@redhat.com> [0.9.3-17.el8]
|
|
||||||
- json: don't leave dangling pointers on hlist (Phil Sutter) [1900565]
|
|
||||||
- json: Fix seqnum_to_json() functionality (Phil Sutter) [1900565]
|
|
||||||
- json: echo: Speedup seqnum_to_json() (Phil Sutter) [1900565]
|
|
||||||
- proto: Fix ARP header field ordering (Phil Sutter) [1896334]
|
|
||||||
- proto: add sctp crc32 checksum fixup (Phil Sutter) [1895804]
|
|
||||||
- mergesort: unbreak listing with binops (Phil Sutter) [1891790]
|
|
||||||
- evaluate: missing datatype definition in implicit_set_declaration() (Phil Sutter) [1877022]
|
|
||||||
- evaluate: Perform set evaluation on implicitly declared (anonymous) sets (Phil Sutter) [1877022]
|
|
||||||
- src: store expr, not dtype to track data in sets (Phil Sutter) [1877022]
|
|
||||||
|
|
||||||
* Sat Aug 08 2020 Phil Sutter <psutter@redhat.com> [0.9.3-16.el8]
|
|
||||||
- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1820684]
|
|
||||||
- include: Resync nf_tables.h cache copy (Phil Sutter) [1820684]
|
|
||||||
|
|
||||||
* Tue Jun 30 2020 Phil Sutter <psutter@redhat.com> [0.9.3-15.el8]
|
|
||||||
- segtree: Fix get element command with prefixes (Phil Sutter) [1832235]
|
|
||||||
- tests: 0034get_element_0: do not discard stderr (Phil Sutter) [1832235]
|
|
||||||
- segtree: Merge get_set_interval_find() and get_set_interval_end() (Phil Sutter) [1832235]
|
|
||||||
- segtree: Use expr_clone in get_set_interval_*() (Phil Sutter) [1832235]
|
|
||||||
- segtree: Fix missing expires value in prefixes (Phil Sutter) [1832235]
|
|
||||||
|
|
||||||
* Wed Jun 24 2020 Phil Sutter <psutter@redhat.com> [0.9.3-14.el8]
|
|
||||||
- JSON: Improve performance of json_events_cb() (Phil Sutter) [1835300]
|
|
||||||
- doc: Document notrack statement (Phil Sutter) [1841292]
|
|
||||||
|
|
||||||
* Wed May 27 2020 Phil Sutter <psutter@redhat.com> [0.9.3-13.el8]
|
|
||||||
- parser_json: Support ranges in concat expressions (Phil Sutter) [1805798]
|
|
||||||
|
|
||||||
* Thu Mar 26 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8]
|
|
||||||
- Restore default config to be empty (Phil Sutter) [1694723]
|
|
||||||
|
|
||||||
* Mon Feb 17 2020 Phil Sutter <psutter@redhat.com> [0.9.3-11.el8]
|
|
||||||
- Package requires libnftnl-1.1.5-3 (Phil Sutter) [1795224]
|
|
||||||
- src: Add support for concatenated set ranges (Phil Sutter) [1795224]
|
|
||||||
- src: Add support for NFTNL_SET_DESC_CONCAT (Phil Sutter) [1795224]
|
|
||||||
- include: resync nf_tables.h cache copy (Phil Sutter) [1795224]
|
|
||||||
- parser: add a helper for concat expression handling (Phil Sutter) [1795224]
|
|
||||||
|
|
||||||
* Wed Feb 12 2020 Phil Sutter <psutter@redhat.com> [0.9.3-10.el8]
|
|
||||||
- scanner: Extend asteriskstring definition (Phil Sutter) [1763652]
|
|
||||||
- doc: nft.8: Mention wildcard interface matching (Phil Sutter) [1763652]
|
|
||||||
- tests: py: Support testing host binaries (Phil Sutter) [1754047]
|
|
||||||
- tests: monitor: Support testing host's nft binary (Phil Sutter) [1754047]
|
|
||||||
- tests: monitor: Support running individual test cases (Phil Sutter) [1754047]
|
|
||||||
- tests: json_echo: Support testing host binaries (Phil Sutter) [1754047]
|
|
||||||
- tests: json_echo: Fix for Python3 (Phil Sutter) [1754047]
|
|
||||||
|
|
||||||
* Mon Jan 27 2020 Phil Sutter <psutter@redhat.com> [0.9.3-9.el8]
|
|
||||||
- netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt() (Phil Sutter) [1793030]
|
|
||||||
- netlink: Fix leaks in netlink_parse_cmp() (Phil Sutter) [1793030]
|
|
||||||
- netlink: Fix leak in unterminated string deserializer (Phil Sutter) [1793030]
|
|
||||||
|
|
||||||
* Fri Jan 17 2020 Phil Sutter <psutter@redhat.com> [0.9.3-8.el8]
|
|
||||||
- cache: Fix for doubled output after reset command (Phil Sutter) [1790793]
|
|
||||||
- tests: shell: Search diff tool once and for all (Phil Sutter) [1790793]
|
|
||||||
- xfrm: spi is big-endian (Phil Sutter) [1790963]
|
|
||||||
|
|
||||||
* Mon Jan 13 2020 Phil Sutter <psutter@redhat.com> [0.9.3-7.el8]
|
|
||||||
- monitor: Fix output for ranges in anonymous sets (Phil Sutter) [1774742]
|
|
||||||
|
|
||||||
* Fri Jan 10 2020 Phil Sutter <psutter@redhat.com> [0.9.3-6.el8]
|
|
||||||
- monitor: Do not decompose non-anonymous sets (Phil Sutter) [1774742]
|
|
||||||
- main: restore --debug (Phil Sutter) [1778883]
|
|
||||||
- main: enforce options before commands (Phil Sutter) [1778883]
|
|
||||||
|
|
||||||
* Fri Jan 10 2020 Phil Sutter <psutter@redhat.com> [0.9.3-5.el8]
|
|
||||||
- Install an improved sample config (Phil Sutter) [1694723]
|
|
||||||
|
|
||||||
* Wed Dec 04 2019 Phil Sutter <psutter@redhat.com> [0.9.3-4.el8]
|
|
||||||
- Explicitly depend on newer libnftl version (Phil Sutter) [1643192]
|
|
||||||
|
|
||||||
* Tue Dec 03 2019 Phil Sutter <psutter@redhat.com> [0.9.3-3.el8]
|
|
||||||
- Fix permissions of osf-related configs (Phil Sutter) [1776462]
|
|
||||||
|
|
||||||
* Tue Dec 03 2019 Phil Sutter <psutter@redhat.com> [0.9.3-2.el8]
|
|
||||||
- Add example scripts to nftables package (Phil Sutter) [1643192]
|
|
||||||
|
|
||||||
* Mon Dec 02 2019 Phil Sutter <psutter@redhat.com> [0.9.3-1.el8]
|
|
||||||
- Rebase onto upstream release 0.9.3 (Phil Sutter) [1643192]
|
|
||||||
|
|
||||||
* Mon Oct 21 2019 Phil Sutter <psutter@redhat.com> [0.9.2-4.el8]
|
|
||||||
- tproxy: Add missing error checking when parsing from netlink (Phil Sutter) [1643192]
|
|
||||||
- parser_json: Fix checking of parse_policy() return code (Phil Sutter) [1643192]
|
|
||||||
|
|
||||||
* Fri Oct 18 2019 Phil Sutter <psutter@redhat.com> [0.9.2-3.el8]
|
|
||||||
- spec: Avoid multilib problems due to updated nftables.py (Phil Sutter) [1643192]
|
|
||||||
|
|
||||||
* Fri Oct 18 2019 Phil Sutter <psutter@redhat.com> [0.9.2-2.el8]
|
|
||||||
- rule: Fix for single line ct timeout printing (Phil Sutter) [1643192]
|
|
||||||
- tests/monitor: Fix for changed ct timeout format (Phil Sutter) [1643192]
|
|
||||||
- monitor: Add missing newline to error message (Phil Sutter) [1643192]
|
|
||||||
- src: restore --echo with anonymous sets (Phil Sutter) [1643192]
|
|
||||||
|
|
||||||
* Tue Oct 15 2019 Phil Sutter <psutter@redhat.com> [0.9.2-1.el8]
|
|
||||||
- src: obj: fix memleak in handle_free() (Phil Sutter) [1643192]
|
|
||||||
- libnftables: memleak when list of commands is empty (Phil Sutter) [1643192]
|
|
||||||
- mnl: do not cache sender buffer size (Phil Sutter) [1643192]
|
|
||||||
- src: meter: avoid double-space in list ruleset output (Phil Sutter) [1643192]
|
|
||||||
- src: parser_json: fix crash while restoring secmark object (Phil Sutter) [1643192]
|
|
||||||
- nftables: don't crash in 'list ruleset' if policy is not set (Phil Sutter) [1643192]
|
|
||||||
- json: tests: fix typo in ct expectation json test (Phil Sutter) [1643192]
|
|
||||||
- parser_bison: Fix 'exists' keyword on Big Endian (Phil Sutter) [1643192]
|
|
||||||
- json: fix type mismatch on "ct expect" json exporting (Phil Sutter) [1643192]
|
|
||||||
- libnftables: use-after-free in exit path (Phil Sutter) [1643192]
|
|
||||||
- netlink_delinearize: fix wrong conversion to "list" in ct mark (Phil Sutter) [1643192]
|
|
||||||
- mnl: fix --echo buffer size again (Phil Sutter) [1643192]
|
|
||||||
- parser_json: fix crash on insert rule to bad references (Phil Sutter) [1643192]
|
|
||||||
- evaluate: flag fwd and queue statements as terminal (Phil Sutter) [1643192]
|
|
||||||
- tests: shell: check that rule add with index works with echo (Phil Sutter) [1643192]
|
|
||||||
- cache: fix --echo with index/position (Phil Sutter) [1643192]
|
|
||||||
- src: secmark: fix brace indentation and missing quotes in selctx output (Phil Sutter) [1643192]
|
|
||||||
- Add python3-nftables sub-package (Phil Sutter) [1643192]
|
|
||||||
- Rebase onto upstream version 0.9.2 (Phil Sutter) [1643192]
|
|
||||||
|
|
||||||
* Mon Aug 12 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-14
|
|
||||||
- src: fix jumps on bigendian arches
|
|
||||||
- src: json: fix constant parsing on bigendian
|
|
||||||
|
|
||||||
* Thu Aug 08 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-13
|
|
||||||
- Fix for adding a rule with index and set reference
|
|
||||||
|
|
||||||
* Wed Jul 31 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-12
|
|
||||||
- Fix permissions of /etc/nftables directory
|
|
||||||
|
|
||||||
* Wed Jun 26 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-11
|
|
||||||
- Fix segfault with xtables support
|
|
||||||
|
|
||||||
* Wed Jun 26 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-10
|
|
||||||
- Fix typo in spec file
|
|
||||||
|
|
||||||
* Wed Jun 26 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-9
|
|
||||||
- Allow variables in jump statement
|
|
||||||
- Make example configs readable only by root
|
|
||||||
- Document nft list parameters
|
|
||||||
- Document vmap statement
|
|
||||||
- Install netdev-ingress.nft sample config in the right spot
|
|
||||||
- Backport upstream fixes since last release
|
|
||||||
|
|
||||||
* Fri Mar 01 2019 Phil Sutter - 1:0.9.0-8
|
|
||||||
- Add missing patch to spec file
|
|
||||||
|
|
||||||
* Fri Dec 21 2018 Phil Sutter - 1:0.9.0-7
|
|
||||||
- src: Reject 'export vm json' command
|
|
||||||
|
|
||||||
* Tue Dec 18 2018 Phil Sutter - 1:0.9.0-6
|
|
||||||
- Rebuild for updated libnftnl
|
|
||||||
|
|
||||||
* Thu Dec 13 2018 Phil Sutter - 1:0.9.0-5
|
|
||||||
- nft.8: Document log level audit
|
|
||||||
- nft.8: Clarify 'index' option of add rule command
|
|
||||||
|
|
||||||
* Thu Oct 25 2018 Phil Sutter - 1:0.9.0-4
|
|
||||||
- Add fixes for covscan report
|
|
||||||
- Fix for ECN keyword in LHS of relational
|
|
||||||
- Update meta pkt_type value description
|
|
||||||
- Fix for segfault with JSON output if xt expression is present
|
|
||||||
- Add missing nft suffix to files included from /etc/sysconfig/nftables.conf
|
|
||||||
- Use native JSON API in nft monitor
|
|
||||||
|
|
||||||
* Thu Oct 11 2018 Phil Sutter - 1:0.9.0-3
|
|
||||||
- Enable xtables support
|
|
||||||
- Enable JSON support
|
|
||||||
|
|
||||||
* Mon Sep 10 2018 Phil Sutter - 1:0.9.0-2
|
|
||||||
- Allow icmpx in inet/bridge families
|
|
||||||
|
|
||||||
* Tue Aug 14 2018 Phil Sutter - 1:0.9.0-1
|
|
||||||
- New version 0.9.0
|
|
||||||
- Install libnftables
|
|
||||||
- Add devel sub-package
|
|
||||||
- Add gcc BuildRequires
|
|
||||||
|
|
||||||
* Sat Mar 03 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.3-1
|
|
||||||
- Update to 0.8.3. Fixes bug #1551207
|
|
||||||
|
|
||||||
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.8.2-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Feb 05 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.2-1
|
|
||||||
- Update to 0.8.2. Fixes bug #1541582
|
|
||||||
|
|
||||||
* Tue Jan 16 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.1-1
|
|
||||||
- Update to 0.8.1. Fixes bug #1534982
|
|
||||||
|
|
||||||
* Sun Oct 22 2017 Kevin Fenzi <kevin@scrye.com> - 0.8-1
|
|
||||||
- Update to 0.8.
|
|
||||||
|
|
||||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-5
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 1:0.7-2
|
|
||||||
- Rebuild for readline 7.x
|
|
||||||
|
|
||||||
* Thu Dec 22 2016 Kevin Fenzi <kevin@scrye.com> - 0.7-1
|
|
||||||
- Update to 0.7
|
|
||||||
|
|
||||||
* Fri Jul 15 2016 Kevin Fenzi <kevin@scrye.com> - 0.6-2
|
|
||||||
- Rebuild for new glibc symbols
|
|
||||||
|
|
||||||
* Thu Jun 02 2016 Kevin Fenzi <kevin@scrye.com> - 0.6-1
|
|
||||||
- Update to 0.6.
|
|
||||||
|
|
||||||
* Sun Apr 10 2016 Kevin Fenzi <kevin@scrye.com> - 0.5-4
|
|
||||||
- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936
|
|
||||||
|
|
||||||
* Fri Mar 25 2016 Kevin Fenzi <kevin@scrye.com> - 0.5-3
|
|
||||||
- Add systemd unit file. Fixes bug #1313936
|
|
||||||
|
|
||||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.5-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Sep 17 2015 Kevin Fenzi <kevin@scrye.com> 0.5-1
|
|
||||||
- Update to 0.5
|
|
||||||
|
|
||||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.4-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
|
||||||
|
|
||||||
* Sat Jan 10 2015 Kevin Fenzi <kevin@scrye.com> 0.4-2
|
|
||||||
- Add patch to fix nft -f dep gen.
|
|
||||||
|
|
||||||
* Fri Dec 26 2014 Kevin Fenzi <kevin@scrye.com> 0.4-1
|
|
||||||
- Update to 0.4
|
|
||||||
- Add Epoch to fix versioning.
|
|
||||||
|
|
||||||
* Wed Sep 03 2014 Kevin Fenzi <kevin@scrye.com> 0.100-4.20140903git
|
|
||||||
- Update to 20140903 snapshot
|
|
||||||
|
|
||||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.100-4.20140704git
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Jul 04 2014 Kevin Fenzi <kevin@scrye.com> 0.100-3.20140704git
|
|
||||||
- Update to new snapshot
|
|
||||||
|
|
||||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.100-2.20140426git
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
|
||||||
|
|
||||||
* Sat Apr 26 2014 Kevin Fenzi <kevin@scrye.com> 0.100-1.20140426git
|
|
||||||
- Update t0 20140426
|
|
||||||
|
|
||||||
* Sun Mar 30 2014 Kevin Fenzi <kevin@scrye.com> 0.100-1.20140330git
|
|
||||||
- Update to 20140330 snapshot
|
|
||||||
- Sync versions to be post 0.100 release.
|
|
||||||
|
|
||||||
* Wed Mar 26 2014 Kevin Fenzi <kevin@scrye.com> 0-0.7.20140326git
|
|
||||||
- Update to 20140326 snapshot
|
|
||||||
- Fix permissions on man pages.
|
|
||||||
|
|
||||||
* Mon Mar 24 2014 Kevin Fenzi <kevin@scrye.com> 0-0.6.20140324git
|
|
||||||
- Update to 20140324 snapshot
|
|
||||||
|
|
||||||
* Fri Mar 07 2014 Kevin Fenzi <kevin@scrye.com> 0-0.5.20140307git
|
|
||||||
- Update to 20140307
|
|
||||||
|
|
||||||
* Sat Jan 25 2014 Kevin Fenzi <kevin@scrye.com> 0-0.4.20140125git
|
|
||||||
- Update to 20140125 snapshot
|
|
||||||
|
|
||||||
* Sat Jan 18 2014 Kevin Fenzi <kevin@scrye.com> 0-0.3.20140118git
|
|
||||||
- Update to 20140118 snapshot
|
|
||||||
- Fixed License tag to be correct
|
|
||||||
- Fixed changelog
|
|
||||||
- nft scripts now use full path for nft
|
|
||||||
- Fixed man page building
|
|
||||||
- Dropped unneeded rm in install
|
|
||||||
- Patched build to not be silent.
|
|
||||||
|
|
||||||
* Tue Dec 03 2013 Kevin Fenzi <kevin@scrye.com> 0-0.2.20131202git
|
|
||||||
- Use upstream snapshots for source.
|
|
||||||
- Use 0 for version.
|
|
||||||
|
|
||||||
* Sat Nov 30 2013 Kevin Fenzi <kevin@scrye.com> 0-0.1
|
|
||||||
- initial version for Fedora review
|
|
@ -18,9 +18,10 @@ table ip nftables_svc {
|
|||||||
elements = { 192.168.122.0/24 }
|
elements = { 192.168.122.0/24 }
|
||||||
}
|
}
|
||||||
|
|
||||||
# force port randomization for non-locally originated connections using
|
# [CVE-2021-3773] force port randomization for non-locally originated
|
||||||
# suspicious port values to prevent port-shadow attacks, i.e.
|
# connections using suspicious port values to prevent port-shadow
|
||||||
# accidental matching of new inbound connections vs. existing ones
|
# attacks, i.e. accidental matching of new inbound connections vs.
|
||||||
|
# existing ones
|
||||||
chain do_masquerade {
|
chain do_masquerade {
|
||||||
meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
|
meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
|
||||||
masquerade
|
masquerade
|
389
nftables.spec
Normal file
389
nftables.spec
Normal file
@ -0,0 +1,389 @@
|
|||||||
|
Name: nftables
|
||||||
|
Version: 1.0.9
|
||||||
|
Release: 4%{?dist}
|
||||||
|
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
|
||||||
|
Epoch: 1
|
||||||
|
Summary: Netfilter Tables userspace utilites
|
||||||
|
|
||||||
|
License: GPL-2.0-only
|
||||||
|
URL: https://netfilter.org/projects/nftables/
|
||||||
|
Source0: %{url}/files/%{name}-%{version}.tar.xz
|
||||||
|
Source1: nftables.service
|
||||||
|
Source2: nftables.conf
|
||||||
|
Source3: main.nft
|
||||||
|
Source4: router.nft
|
||||||
|
Source5: nat.nft
|
||||||
|
|
||||||
|
#BuildRequires: autogen
|
||||||
|
#BuildRequires: autoconf
|
||||||
|
#BuildRequires: automake
|
||||||
|
#BuildRequires: libtool
|
||||||
|
BuildRequires: make
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: flex
|
||||||
|
BuildRequires: bison
|
||||||
|
BuildRequires: pkgconfig(libmnl) >= 1.0.4
|
||||||
|
BuildRequires: gmp-devel
|
||||||
|
BuildRequires: pkgconfig(libnftnl) >= 1.2.3
|
||||||
|
BuildRequires: systemd
|
||||||
|
BuildRequires: asciidoc
|
||||||
|
BuildRequires: pkgconfig(xtables) >= 1.6.1
|
||||||
|
BuildRequires: jansson-devel
|
||||||
|
BuildRequires: python3-devel
|
||||||
|
BuildRequires: readline-devel
|
||||||
|
BuildRequires: libedit-devel
|
||||||
|
BuildRequires: python3-setuptools
|
||||||
|
|
||||||
|
%generate_buildrequires
|
||||||
|
cd py/
|
||||||
|
%pyproject_buildrequires
|
||||||
|
|
||||||
|
%description
|
||||||
|
Netfilter Tables userspace utilities.
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Development library for nftables / libnftables
|
||||||
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
||||||
|
Requires: pkgconfig
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
Headers, man pages and other development files for the libnftables library.
|
||||||
|
|
||||||
|
%package -n python3-nftables
|
||||||
|
Summary: Python module providing an interface to libnftables
|
||||||
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
||||||
|
%{?python_provide:%python_provide python3-nftables}
|
||||||
|
|
||||||
|
%description -n python3-nftables
|
||||||
|
The nftables python module provides an interface to libnftables via ctypes.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
%build
|
||||||
|
#./autogen.sh
|
||||||
|
%configure --disable-silent-rules --with-xtables --with-json
|
||||||
|
%make_build
|
||||||
|
cd py/
|
||||||
|
%pyproject_wheel
|
||||||
|
|
||||||
|
%install
|
||||||
|
%make_install
|
||||||
|
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
||||||
|
|
||||||
|
# Don't ship static lib (for now at least)
|
||||||
|
rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
|
||||||
|
|
||||||
|
# drop vendor-provided configs, they are not really useful
|
||||||
|
rm -f $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft
|
||||||
|
|
||||||
|
chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
|
||||||
|
|
||||||
|
mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
|
||||||
|
cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
|
||||||
|
|
||||||
|
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
|
||||||
|
cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
|
||||||
|
|
||||||
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
|
||||||
|
$RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
|
||||||
|
|
||||||
|
find $RPM_BUILD_ROOT/%{_sysconfdir} \
|
||||||
|
\( -type d -exec chmod 0700 {} \; \) , \
|
||||||
|
\( -type f -exec chmod 0600 {} \; \)
|
||||||
|
|
||||||
|
cd py/
|
||||||
|
%pyproject_install
|
||||||
|
%pyproject_save_files nftables
|
||||||
|
|
||||||
|
%post
|
||||||
|
%systemd_post nftables.service
|
||||||
|
%ldconfig_post
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%systemd_preun nftables.service
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%systemd_postun_with_restart nftables.service
|
||||||
|
%ldconfig_postun
|
||||||
|
|
||||||
|
%files
|
||||||
|
%license COPYING
|
||||||
|
%config(noreplace) %{_sysconfdir}/nftables/
|
||||||
|
%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
|
||||||
|
%{_sbindir}/nft
|
||||||
|
%{_libdir}/libnftables.so.*
|
||||||
|
%{_mandir}/man5/libnftables-json.5*
|
||||||
|
%{_mandir}/man8/nft*
|
||||||
|
%{_unitdir}/nftables.service
|
||||||
|
%{_docdir}/nftables/examples/*.nft
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%{_libdir}/libnftables.so
|
||||||
|
%{_libdir}/pkgconfig/libnftables.pc
|
||||||
|
%{_includedir}/nftables/libnftables.h
|
||||||
|
%{_mandir}/man3/libnftables.3*
|
||||||
|
|
||||||
|
%files -n python3-nftables -f %{pyproject_files}
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1:1.0.9-4
|
||||||
|
- Bump release for June 2024 mass rebuild
|
||||||
|
|
||||||
|
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.9-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.9-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Oct 19 2023 Phil Sutter <psutter@redhat.com> - 1:1.0.9-1
|
||||||
|
- Fix devel sub-package description
|
||||||
|
- Utilize pyproject-rpm-macros for the python sub-package
|
||||||
|
- new version 1.0.9
|
||||||
|
|
||||||
|
* Fri Aug 11 2023 Phil Sutter <psutter@redhat.com> - 1:1.0.7-4
|
||||||
|
- Convert license to SPDX format
|
||||||
|
|
||||||
|
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.7-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jun 15 2023 Python Maint <python-maint@redhat.com> - 1:1.0.7-2
|
||||||
|
- Rebuilt for Python 3.12
|
||||||
|
|
||||||
|
* Sat Apr 01 2023 Kevin Fenzi <kevin@scrye.com> - 1.0.7-1
|
||||||
|
- Update to 1.0.7. Fixes rhbz#2155658
|
||||||
|
- Build the package with setuptools instead of distutils. Fixes: rhbz#2154872
|
||||||
|
|
||||||
|
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.5-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Aug 10 2022 Phil Sutter <psutter@redhat.com> - 1:1.0.5-1
|
||||||
|
- New version 1.0.5
|
||||||
|
|
||||||
|
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.4-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1:1.0.4-2
|
||||||
|
- Rebuilt for Python 3.11
|
||||||
|
|
||||||
|
* Fri Jun 10 2022 Phil Sutter <psutter@redhat.com> - 1:1.0.4-1
|
||||||
|
- Review package dependencies
|
||||||
|
- Update to 1.0.4. Fixes rhbz#2056594
|
||||||
|
|
||||||
|
* Tue Mar 08 2022 Phil Sutter <psutter@redhat.com> - 1:1.0.1-4
|
||||||
|
- Prevent port-shadow attacks in sample nat config. Fixes rhbz#2061917
|
||||||
|
|
||||||
|
* Thu Feb 03 2022 Phil Sutter <psutter@redhat.com> - 1:1.0.1-3
|
||||||
|
- Ship a more advanced default config. Fixes rhbz#1999596
|
||||||
|
|
||||||
|
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Nov 27 2021 Kevin Fenzi <kevin@scrye.com> - 1.0.1-1
|
||||||
|
- Update to 1.1.1. Fixes rhbz#2024594
|
||||||
|
|
||||||
|
* Fri Aug 27 2021 Kevin Fenzi <kevin@scrye.com> - 1.0.0-1
|
||||||
|
- Update to 1.1.0. Fixes rhbz#1995737
|
||||||
|
|
||||||
|
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.9-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1:0.9.9-2
|
||||||
|
- Rebuilt for Python 3.10
|
||||||
|
|
||||||
|
* Wed Jun 02 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.9-1
|
||||||
|
- Update to 0.9.9. Fixes rhbz#1964718
|
||||||
|
|
||||||
|
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1:0.9.8-3
|
||||||
|
- Rebuilt for updated systemd-rpm-macros
|
||||||
|
See https://pagure.io/fesco/issue/2583.
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.8-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 0.9.8-1
|
||||||
|
- Update to 0.9.8. Fixes rhbz#1916940
|
||||||
|
|
||||||
|
* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 0.9.7-1
|
||||||
|
- Update to 0.9.7. Fixes bug #1891769
|
||||||
|
|
||||||
|
* Thu Oct 29 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:0.9.6-2
|
||||||
|
- Drop upstreamed patch
|
||||||
|
|
||||||
|
* Sat Sep 05 2020 Neal Gompa <ngompa13@gmail.com> - 1:0.9.6-1
|
||||||
|
- Update to 0.9.6 (RH#1846663)
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.3-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1:0.9.3-5
|
||||||
|
- Use make macros
|
||||||
|
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||||
|
|
||||||
|
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1:0.9.3-4
|
||||||
|
- Rebuilt for Python 3.9
|
||||||
|
|
||||||
|
* Fri May 15 2020 Richard Shaw <hobbes1069@gmail.com> - 1:0.9.3-3
|
||||||
|
- Add patch for json performance with ipsets, fixes RHBZ#1834853.
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.3-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Dec 04 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.3-1
|
||||||
|
- Update to 0.9.3. Fixes bug #1778959
|
||||||
|
|
||||||
|
* Tue Oct 01 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.2-3
|
||||||
|
- Drop unneeded docbook2X build dependency
|
||||||
|
- Add python3-nftables sub-package
|
||||||
|
|
||||||
|
* Fri Aug 23 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.2-2
|
||||||
|
- Move libnftables section 3 man page to devel package.
|
||||||
|
|
||||||
|
* Fri Aug 23 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.2-1
|
||||||
|
- Update to 0.9.2. Fixes bug #1743223
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.1-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jun 28 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.1-2
|
||||||
|
- Add some filters to nftables.conf
|
||||||
|
|
||||||
|
* Tue Jun 25 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.1-1
|
||||||
|
- Update to 0.9.1. Fixes bug #1723515
|
||||||
|
|
||||||
|
* Mon Jun 17 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.0-7
|
||||||
|
- Rebuild for new libnftnl.
|
||||||
|
|
||||||
|
* Sat Mar 16 2019 Kevin Fenzi <kevin@scrye.com> - 1:0.9.0-6
|
||||||
|
- Fix permissions. Bug #1685242
|
||||||
|
|
||||||
|
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:0.9.0-5
|
||||||
|
- Rebuild for readline 8.0
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.0-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sun Nov 04 2018 Kevin Fenzi <kevin@scrye.com> - 0.9.0-3
|
||||||
|
- Fix config file to have correct include names. Fixes bug #1642103
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Jun 09 2018 Kevin Fenzi <kevin@scrye.com> - 0.9.0-1
|
||||||
|
- Update to 0.9.0. Fixes bug #1589404
|
||||||
|
|
||||||
|
* Fri May 11 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.5-1
|
||||||
|
- Update to 0.8.5. Fixes bug #1576802
|
||||||
|
|
||||||
|
* Sun May 06 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.4-2
|
||||||
|
- Fix devel package to require the Epoch too.
|
||||||
|
- Fix libraries split
|
||||||
|
|
||||||
|
* Fri May 04 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.4-1
|
||||||
|
- Update to 0.8.4. Fixes bug #1574096
|
||||||
|
|
||||||
|
* Sat Mar 03 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.3-1
|
||||||
|
- Update to 0.8.3. Fixes bug #1551207
|
||||||
|
|
||||||
|
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.8.2-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Feb 05 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.2-1
|
||||||
|
- Update to 0.8.2. Fixes bug #1541582
|
||||||
|
|
||||||
|
* Tue Jan 16 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.1-1
|
||||||
|
- Update to 0.8.1. Fixes bug #1534982
|
||||||
|
|
||||||
|
* Sun Oct 22 2017 Kevin Fenzi <kevin@scrye.com> - 0.8-1
|
||||||
|
- Update to 0.8.
|
||||||
|
|
||||||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 1:0.7-2
|
||||||
|
- Rebuild for readline 7.x
|
||||||
|
|
||||||
|
* Thu Dec 22 2016 Kevin Fenzi <kevin@scrye.com> - 0.7-1
|
||||||
|
- Update to 0.7
|
||||||
|
|
||||||
|
* Fri Jul 15 2016 Kevin Fenzi <kevin@scrye.com> - 0.6-2
|
||||||
|
- Rebuild for new glibc symbols
|
||||||
|
|
||||||
|
* Thu Jun 02 2016 Kevin Fenzi <kevin@scrye.com> - 0.6-1
|
||||||
|
- Update to 0.6.
|
||||||
|
|
||||||
|
* Sun Apr 10 2016 Kevin Fenzi <kevin@scrye.com> - 0.5-4
|
||||||
|
- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936
|
||||||
|
|
||||||
|
* Fri Mar 25 2016 Kevin Fenzi <kevin@scrye.com> - 0.5-3
|
||||||
|
- Add systemd unit file. Fixes bug #1313936
|
||||||
|
|
||||||
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.5-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Sep 17 2015 Kevin Fenzi <kevin@scrye.com> 0.5-1
|
||||||
|
- Update to 0.5
|
||||||
|
|
||||||
|
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.4-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Jan 10 2015 Kevin Fenzi <kevin@scrye.com> 0.4-2
|
||||||
|
- Add patch to fix nft -f dep gen.
|
||||||
|
|
||||||
|
* Fri Dec 26 2014 Kevin Fenzi <kevin@scrye.com> 0.4-1
|
||||||
|
- Update to 0.4
|
||||||
|
- Add Epoch to fix versioning.
|
||||||
|
|
||||||
|
* Wed Sep 03 2014 Kevin Fenzi <kevin@scrye.com> 0.100-4.20140903git
|
||||||
|
- Update to 20140903 snapshot
|
||||||
|
|
||||||
|
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.100-4.20140704git
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jul 04 2014 Kevin Fenzi <kevin@scrye.com> 0.100-3.20140704git
|
||||||
|
- Update to new snapshot
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.100-2.20140426git
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Apr 26 2014 Kevin Fenzi <kevin@scrye.com> 0.100-1.20140426git
|
||||||
|
- Update t0 20140426
|
||||||
|
|
||||||
|
* Sun Mar 30 2014 Kevin Fenzi <kevin@scrye.com> 0.100-1.20140330git
|
||||||
|
- Update to 20140330 snapshot
|
||||||
|
- Sync versions to be post 0.100 release.
|
||||||
|
|
||||||
|
* Wed Mar 26 2014 Kevin Fenzi <kevin@scrye.com> 0-0.7.20140326git
|
||||||
|
- Update to 20140326 snapshot
|
||||||
|
- Fix permissions on man pages.
|
||||||
|
|
||||||
|
* Mon Mar 24 2014 Kevin Fenzi <kevin@scrye.com> 0-0.6.20140324git
|
||||||
|
- Update to 20140324 snapshot
|
||||||
|
|
||||||
|
* Fri Mar 07 2014 Kevin Fenzi <kevin@scrye.com> 0-0.5.20140307git
|
||||||
|
- Update to 20140307
|
||||||
|
|
||||||
|
* Sat Jan 25 2014 Kevin Fenzi <kevin@scrye.com> 0-0.4.20140125git
|
||||||
|
- Update to 20140125 snapshot
|
||||||
|
|
||||||
|
* Sat Jan 18 2014 Kevin Fenzi <kevin@scrye.com> 0-0.3.20140118git
|
||||||
|
- Update to 20140118 snapshot
|
||||||
|
- Fixed License tag to be correct
|
||||||
|
- Fixed changelog
|
||||||
|
- nft scripts now use full path for nft
|
||||||
|
- Fixed man page building
|
||||||
|
- Dropped unneeded rm in install
|
||||||
|
- Patched build to not be silent.
|
||||||
|
|
||||||
|
* Tue Dec 03 2013 Kevin Fenzi <kevin@scrye.com> 0-0.2.20131202git
|
||||||
|
- Use upstream snapshots for source.
|
||||||
|
- Use 0 for version.
|
||||||
|
|
||||||
|
* Sat Nov 30 2013 Kevin Fenzi <kevin@scrye.com> 0-0.1
|
||||||
|
- initial version for Fedora review
|
Loading…
Reference in New Issue
Block a user