From c67e2fa3f2e7edf6bcf6a4b3331960105727ee4f Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <psutter@redhat.com>
|
|
Date: Tue, 24 Feb 2026 15:53:23 +0100
|
|
Subject: [PATCH] tests: py: objects.t: must use input, not output
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-128553
|
|
Upstream Status: nftables commit 6b71d114912cd269416f232c0f0ec2fcc42eb58f
|
|
|
|
commit 6b71d114912cd269416f232c0f0ec2fcc42eb58f
|
|
Author: Florian Westphal <fw@strlen.de>
|
|
Date: Tue Oct 7 12:48:49 2025 +0200
|
|
|
|
tests: py: objects.t: must use input, not output
|
|
|
|
synproxy must never be used in output rules, doing so results in kernel
|
|
crash due to infinite recursive calls back to nf_hook_slow() for the
|
|
emitted reply packet.
|
|
|
|
Up until recently kernel lacked this validation, and now that the kernel
|
|
rejects this the test fails. Use input to make this pass again.
|
|
|
|
A new test to ensure we reject synproxy in output should be added
|
|
in the near future.
|
|
|
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
---
|
|
tests/py/ip/objects.t | 4 ++--
|
|
tests/py/ip/objects.t.payload | 22 +++++++++++-----------
|
|
2 files changed, 13 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t
|
|
index 4fcde7c..71d5ffe 100644
|
|
--- a/tests/py/ip/objects.t
|
|
+++ b/tests/py/ip/objects.t
|
|
@@ -1,6 +1,6 @@
|
|
-:output;type filter hook output priority 0
|
|
+:input;type filter hook input priority 0
|
|
|
|
-*ip;test-ip4;output
|
|
+*ip;test-ip4;input
|
|
|
|
# counter
|
|
%cnt1 type counter;ok
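Review bot: The new chain definition at the top of objects.t records no reason for the move from the output hook to input, even though the motivation (the kernel now rejects synproxy objects in output chains) applies to only one of the object types exercised in this file; a later cleanup could switch the hook back and break the synproxy cases again. Since the file already uses `#` comment lines, a one-line note beside the chain definition would keep the rationale with the test, e.g. `# input hook: synproxy objects are rejected in output chains`. The matching rename in objects.t.payload is expected-output data and needs no comment of its own.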
|
|
diff --git a/tests/py/ip/objects.t.payload b/tests/py/ip/objects.t.payload
|
|
index 5252724..3da4b28 100644
|
|
--- a/tests/py/ip/objects.t.payload
|
|
+++ b/tests/py/ip/objects.t.payload
|
|
@@ -1,5 +1,5 @@
|
|
# ip saddr 192.168.1.3 counter name "cnt2"
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ payload load 4b @ network header + 12 => reg 1 ]
|
|
[ cmp eq reg 1 0x0301a8c0 ]
|
|
[ objref type 1 name cnt2 ]
|
|
@@ -8,14 +8,14 @@ ip test-ip4 output
|
|
__objmap%d test-ip4 43
|
|
__objmap%d test-ip4 0
|
|
element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end]
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ meta load l4proto => reg 1 ]
|
|
[ cmp eq reg 1 0x00000006 ]
|
|
[ payload load 2b @ transport header + 2 => reg 1 ]
|
|
[ objref sreg 1 set __objmap%d ]
|
|
|
|
# ip saddr 192.168.1.3 quota name "qt1"
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ payload load 4b @ network header + 12 => reg 1 ]
|
|
[ cmp eq reg 1 0x0301a8c0 ]
|
|
[ objref type 2 name qt1 ]
|
|
@@ -24,28 +24,28 @@ ip test-ip4 output
|
|
__objmap%d test-ip4 43
|
|
__objmap%d test-ip4 0
|
|
element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end]
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ meta load l4proto => reg 1 ]
|
|
[ cmp eq reg 1 0x00000006 ]
|
|
[ payload load 2b @ transport header + 2 => reg 1 ]
|
|
[ objref sreg 1 set __objmap%d ]
|
|
|
|
# ct helper set "cthelp1"
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ objref type 3 name cthelp1 ]
|
|
|
|
# ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" }
|
|
__objmap%d test-ip4 43
|
|
__objmap%d test-ip4 0
|
|
element 00001500 : 0 [end] element 00004908 : 0 [end]
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ meta load l4proto => reg 1 ]
|
|
[ cmp eq reg 1 0x00000006 ]
|
|
[ payload load 2b @ transport header + 2 => reg 1 ]
|
|
[ objref sreg 1 set __objmap%d ]
|
|
|
|
# ip saddr 192.168.1.3 limit name "lim1"
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ payload load 4b @ network header + 12 => reg 1 ]
|
|
[ cmp eq reg 1 0x0301a8c0 ]
|
|
[ objref type 4 name lim1 ]
|
|
@@ -54,25 +54,25 @@ ip test-ip4 output
|
|
__objmap%d test-ip4 43 size 3
|
|
__objmap%d test-ip4 0
|
|
element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end]
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ meta load l4proto => reg 1 ]
|
|
[ cmp eq reg 1 0x00000006 ]
|
|
[ payload load 2b @ transport header + 2 => reg 1 ]
|
|
[ objref sreg 1 set __objmap%d ]
|
|
|
|
# ct timeout set "cttime1"
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ objref type 7 name cttime1 ]
|
|
|
|
# ct expectation set "ctexpect1"
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ objref type 9 name ctexpect1 ]
|
|
|
|
# synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"}
|
|
__objmap%d test-ip4 43 size 2
|
|
__objmap%d test-ip4 0
|
|
element 0000bb01 : 0 [end] element 00005000 : 0 [end]
|
|
-ip test-ip4 output
|
|
+ip test-ip4 input
|
|
[ meta load l4proto => reg 1 ]
|
|
[ cmp eq reg 1 0x00000006 ]
|
|
[ payload load 2b @ transport header + 2 => reg 1 ]
|