Message ID | 20170323081156.17727-1-fw@strlen.de |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
On Thu, Mar 23, 2017 at 09:11:56AM +0100, Florian Westphal wrote:
> This test fails with
> 'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22'
>
> ip protocol tcp tcp dport 22 is *ONLY* identical to
> 'tcp dport 22' in the ip family.
>
> For netdev/inet/bridge, the dependency is required because
> we only want to match ipv4 packets.

This needs the C chunk to fix this, right? so I let you decide if you
want to push out this test now or make it together with the fix.

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Mar 23, 2017 at 09:11:56AM +0100, Florian Westphal wrote:
> > This test fails with
> > 'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22'
> >
> > ip protocol tcp tcp dport 22 is *ONLY* identical to
> > 'tcp dport 22' in the ip family.
> >
> > For netdev/inet/bridge, the dependency is required because
> > we only want to match ipv4 packets.
>
> This needs the C chunk to fix this, right? so I let you decide if you
> want to push out this test now or make it together with the fix.

I have no fix at the moment.

I will thus probably push this test when I get home so we don't forget
about it.

On Thu, Apr 06, 2017 at 08:45:47PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Thu, Mar 23, 2017 at 09:11:56AM +0100, Florian Westphal wrote:
> > > This test fails with
> > > 'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22'
> > >
> > > ip protocol tcp tcp dport 22 is *ONLY* identical to
> > > 'tcp dport 22' in the ip family.
> > >
> > > For netdev/inet/bridge, the dependency is required because
> > > we only want to match ipv4 packets.
> >
> > This needs the C chunk to fix this, right? so I let you decide if you
> > want to push out this test now or make it together with the fix.
>
> I have no fix at the moment.
>
> I will thus probably push this test when I get home so we don't forget
> about it.

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Thanks!

diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t new file mode 100644 index 000000000000..b69edc38137b --- /dev/null +++ b/tests/py/inet/ip_tcp.t @@ -0,0 +1,9 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*inet;test-inet;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress + +# must not remove ip dependency -- ONLY ipv4 packets should be matched +ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22 diff --git a/tests/py/inet/ip_tcp.t.payload b/tests/py/inet/ip_tcp.t.payload new file mode 100644 index 000000000000..b13988bc8d5e --- /dev/null +++ b/tests/py/inet/ip_tcp.t.payload @@ -0,0 +1,8 @@ +# ip protocol tcp tcp dport 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] diff --git a/tests/py/ip/ip_tcp.t b/tests/py/ip/ip_tcp.t new file mode 100644 index 000000000000..30759c8f619b --- /dev/null +++ b/tests/py/ip/ip_tcp.t @@ -0,0 +1,7 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*ip;test-inet;input + +# can remove ip dependency -- its redundant in ip family +ip protocol tcp tcp dport 22;ok;tcp dport 22 diff --git a/tests/py/ip/ip_tcp.t.payload b/tests/py/ip/ip_tcp.t.payload new file mode 100644 index 000000000000..e4141394af7e --- /dev/null +++ b/tests/py/ip/ip_tcp.t.payload @@ -0,0 +1,6 @@ +# ip protocol tcp tcp dport 22 +ip test-inet input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ]
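Review bot: The rule line in tests/py/inet/ip_tcp.t expects the output `ip protocol 6 tcp dport 22`, while the commit message says the test currently fails with a mismatch against 'tcp dport 22', so this is added as a known-failing test. Say so next to the existing `# must not remove ip dependency` comment, so that a failing run is read as the open dependency-removal problem and not as a new regression.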
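Review bot: tests/py/inet/ip_tcp.t.payload only has an `inet test-inet input` section, although tests/py/inet/ip_tcp.t also declares `*bridge;test-bridge;input` and `*netdev;test-netdev;ingress`. Add the expected expressions for the bridge and netdev tables too, or note why they are left out, so the IPv4-only dependency is checked in all three families the commit message names.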
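Review bot: In tests/py/ip/ip_tcp.t the table line `*ip;test-inet;input` gives an ip-family table the name `test-inet`, and the `:ingress;type filter hook ingress device lo priority 0` chain is declared but no table line uses it; both look carried over from the inet file. Rename the table (together with the `ip test-inet input` header in tests/py/ip/ip_tcp.t.payload) and drop the unused chain. In the comment, `its redundant` should read `it's redundant`.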
This test fails with
'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22'

ip protocol tcp tcp dport 22 is *ONLY* identical to
'tcp dport 22' in the ip family.

For netdev/inet/bridge, the dependency is required because
we only want to match ipv4 packets.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Ran out of time, sorry. I'll need to delay both this and the change
 of ipv6 nexthdr to meta dependencies until after netdev 2.1.

 tests/py/inet/ip_tcp.t         | 9 +++++++++
 tests/py/inet/ip_tcp.t.payload | 8 ++++++++
 tests/py/ip/ip_tcp.t           | 7 +++++++
 tests/py/ip/ip_tcp.t.payload   | 6 ++++++
 4 files changed, 30 insertions(+)
 create mode 100644 tests/py/inet/ip_tcp.t
 create mode 100644 tests/py/inet/ip_tcp.t.payload
 create mode 100644 tests/py/ip/ip_tcp.t
 create mode 100644 tests/py/ip/ip_tcp.t.payload
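
What the `meta load nfproto` comparison in the inet payload guards, as an added example that is not part of the patch or of nftables: a toy evaluator runs the two expression lists from the .payload files over constructed packets. The names `matches`, `IP_RULE`, `INET_RULE` and the sample packets are assumptions made for illustration; offset 9 of an IPv6 header is a source-address byte, so the protocol comparison alone says nothing about IPv4 there.

```python
import struct

NFPROTO_IPV4, NFPROTO_IPV6 = 2, 10

# Expressions transcribed from tests/py/ip/ip_tcp.t.payload (no nfproto check).
IP_RULE = [
    ("payload", "network", 9, 1), ("cmp", b"\x06"),        # ip protocol tcp
    ("payload", "transport", 2, 2), ("cmp", b"\x00\x16"),  # tcp dport 22
]
# tests/py/inet/ip_tcp.t.payload: the same, preceded by the nfproto dependency.
INET_RULE = [("nfproto",), ("cmp", bytes([NFPROTO_IPV4]))] + IP_RULE


def matches(rule, pkt):
    """Toy model: load into one register, stop at the first failed cmp."""
    reg = b""
    for expr in rule:
        if expr[0] == "nfproto":
            reg = bytes([pkt["nfproto"]])
        elif expr[0] == "payload":
            _, base, offset, length = expr
            reg = pkt[base][offset:offset + length]
        elif expr[0] == "cmp" and reg != expr[1]:
            return False
    return True


def tcp_header(dport):
    return struct.pack("!HH", 40000, dport) + bytes(16)  # constructed sample


def ipv4_packet(dport):
    net = bytearray(20)
    net[0], net[9] = 0x45, 6  # version/IHL, protocol = TCP
    return {"nfproto": NFPROTO_IPV4, "network": bytes(net), "transport": tcp_header(dport)}


def ipv6_packet(dport, src):
    # Fixed IPv6 header: next header at offset 6, source address at offsets 8..23.
    net = bytes([0x60, 0, 0, 0, 0, 20, 6, 64]) + src + bytes(16)
    return {"nfproto": NFPROTO_IPV6, "network": net, "transport": tcp_header(dport)}


# Constructed sources: fd06::1 has 0x06 at header offset 9, 2001:db8::1 does not.
SRC_FD06 = bytes([0xFD, 0x06]) + bytes(13) + b"\x01"
SRC_DOC = bytes([0x20, 0x01, 0x0D, 0xB8]) + bytes(11) + b"\x01"

if __name__ == "__main__":
    for name, pkt in [("ipv4", ipv4_packet(22)), ("ipv6 fd06::1", ipv6_packet(22, SRC_FD06)),
                      ("ipv6 2001:db8::1", ipv6_packet(22, SRC_DOC))]:
        print(name, "without nfproto:", matches(IP_RULE, pkt), "with:", matches(INET_RULE, pkt))
```

In this model the expression list without the nfproto comparison matches the IPv6 packet from fd06::1, while the list with it matches only the IPv4 packet.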