netfilter-devel.vger.kernel.org archive mirror
* [PATCH 0/6 nft] improvements for the range printing
@ 2015-06-02 17:03 Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 1/6 nft] netlink_delinearize: pass ctx pointer to stmt_reject_postprocess() Pablo Neira Ayuso
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-02 17:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: kaber

Hi Patrick,

This patchset adds the routine to consolidate the range printing from the
delinearization step, so we get:

        tcp dport 1024-65535

instead of:

        tcp dport >= 1024 tcp dport 65535

Same thing with meta and ct selectors.

This applies on top of the next-4.1 branch that I'll merge asap to master to
start preparing the next 0.5 release.

Let me know if you have any concern, thanks.

Pablo Neira Ayuso (6):
  netlink_delinearize: pass ctx pointer to stmt_reject_postprocess()
  netlink_delinearize: keep pointer to current statement from rule_pp_ctx
  netlink_delinearize: add payload_match_expand()
  netlink_delinearize: consolidate range printing
  tests: regression: reduce code duplication a bit on error reporting
  tests: regression: fix warnings related to range listing

 src/netlink_delinearize.c         |  218 +++++++++++++++++++++++++------------
 tests/regression/any/ct.t         |   26 ++---
 tests/regression/any/frag.t       |   10 +-
 tests/regression/any/meta.t       |   43 ++++----
 tests/regression/arp/arp.t        |   14 +--
 tests/regression/inet/ah.t        |   16 +--
 tests/regression/inet/comp.t      |    8 +-
 tests/regression/inet/dccp.t      |   11 +-
 tests/regression/inet/esp.t       |    8 +-
 tests/regression/inet/sctp.t      |   16 +--
 tests/regression/inet/tcp.t       |   30 ++---
 tests/regression/inet/udp.t       |   20 ++--
 tests/regression/inet/udplite.t   |   18 +--
 tests/regression/ip/icmp.t        |   20 ++--
 tests/regression/ip/ip.t          |   38 +++----
 tests/regression/ip/masquerade.t  |    2 +-
 tests/regression/ip/nat.t         |   14 +--
 tests/regression/ip/redirect.t    |    2 +-
 tests/regression/ip6/dst.t        |    8 +-
 tests/regression/ip6/hbh.t        |    8 +-
 tests/regression/ip6/ip6.t        |   12 +-
 tests/regression/ip6/masquerade.t |    2 +-
 tests/regression/ip6/mh.t         |   18 +--
 tests/regression/ip6/redirect.t   |    2 +-
 tests/regression/ip6/rt.t         |   16 +--
 tests/regression/nft-test.py      |   19 ++--
 26 files changed, 337 insertions(+), 262 deletions(-)

--
1.7.10.4



* [PATCH 1/6 nft] netlink_delinearize: pass ctx pointer to stmt_reject_postprocess()
  2015-06-02 17:03 [PATCH 0/6 nft] improvements for the range printing Pablo Neira Ayuso
@ 2015-06-02 17:03 ` Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 2/6 nft] netlink_delinearize: keep pointer to current statement from rule_pp_ctx Pablo Neira Ayuso
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-02 17:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: kaber

Instead of a copy of the context variable.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index b041579..26a8c85 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1082,18 +1082,18 @@ static void expr_postprocess(struct rule_pp_ctx *ctx,
 	}
 }
 
-static void stmt_reject_postprocess(struct rule_pp_ctx rctx, struct stmt *stmt)
+static void stmt_reject_postprocess(struct rule_pp_ctx *rctx, struct stmt *stmt)
 {
 	const struct proto_desc *desc, *base;
 	int protocol;
 
-	switch (rctx.pctx.family) {
+	switch (rctx->pctx.family) {
 	case NFPROTO_IPV4:
-		stmt->reject.family = rctx.pctx.family;
+		stmt->reject.family = rctx->pctx.family;
 		stmt->reject.expr->dtype = &icmp_code_type;
 		break;
 	case NFPROTO_IPV6:
-		stmt->reject.family = rctx.pctx.family;
+		stmt->reject.family = rctx->pctx.family;
 		stmt->reject.expr->dtype = &icmpv6_code_type;
 		break;
 	case NFPROTO_INET:
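Review bot: the new parameter in the stmt_reject_postprocess() signature can be "const struct rule_pp_ctx *rctx", since every access in the lines shown is a read (rctx->pctx.family, rctx->pctx.protocol[...].desc). The by-value version guaranteed the caller that this helper could not modify the postprocess context; a const pointer keeps that guarantee while still avoiding the struct copy.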
@@ -1101,8 +1101,8 @@ static void stmt_reject_postprocess(struct rule_pp_ctx rctx, struct stmt *stmt)
 			stmt->reject.expr->dtype = &icmpx_code_type;
 			break;
 		}
-		base = rctx.pctx.protocol[PROTO_BASE_LL_HDR].desc;
-		desc = rctx.pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+		base = rctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
+		desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
 		protocol = proto_find_num(base, desc);
 		switch (protocol) {
 		case NFPROTO_IPV4:
@@ -1119,8 +1119,8 @@ static void stmt_reject_postprocess(struct rule_pp_ctx rctx, struct stmt *stmt)
 			stmt->reject.expr->dtype = &icmpx_code_type;
 			break;
 		}
-		base = rctx.pctx.protocol[PROTO_BASE_LL_HDR].desc;
-		desc = rctx.pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+		base = rctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
+		desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
 		protocol = proto_find_num(base, desc);
 		switch (protocol) {
 		case __constant_htons(ETH_P_IP):
@@ -1173,7 +1173,7 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r
 						 &stmt->redir.proto);
 			break;
 		case STMT_REJECT:
-			stmt_reject_postprocess(rctx, stmt);
+			stmt_reject_postprocess(&rctx, stmt);
 			break;
 		case STMT_SET:
 			expr_postprocess(&rctx, stmt, &stmt->set.key);
-- 
1.7.10.4



* [PATCH 2/6 nft] netlink_delinearize: keep pointer to current statement from rule_pp_ctx
  2015-06-02 17:03 [PATCH 0/6 nft] improvements for the range printing Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 1/6 nft] netlink_delinearize: pass ctx pointer to stmt_reject_postprocess() Pablo Neira Ayuso
@ 2015-06-02 17:03 ` Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 3/6 nft] netlink_delinearize: add payload_match_expand() Pablo Neira Ayuso
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-02 17:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: kaber

This patch is required by the range postprocess routine that comes in follow up
patches.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c |   71 +++++++++++++++++++++++----------------------
 1 file changed, 37 insertions(+), 34 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 26a8c85..71c32c5 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -780,6 +780,7 @@ struct rule_pp_ctx {
 	struct proto_ctx	pctx;
 	enum proto_bases	pbase;
 	struct stmt		*pdep;
+	struct stmt		*stmt;
 };
 
 /*
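Review bot: the new "stmt" member of struct rule_pp_ctx has no comment describing its lifetime. Later in this patch payload_match_postprocess() frees ctx->stmt and sets it to NULL, so the field is a borrowed pointer to the statement being processed that can be NULL once expr_postprocess() returns. A one-line comment on the member saying so would keep later users from dereferencing it unchecked.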
@@ -829,7 +830,7 @@ static void integer_type_postprocess(struct expr *expr)
 }
 
 static void payload_match_postprocess(struct rule_pp_ctx *ctx,
-				      struct stmt *stmt, struct expr *expr)
+				      struct expr *expr)
 {
 	struct expr *left = expr->left, *right = expr->right, *tmp;
 	struct list_head list = LIST_HEAD_INIT(list);
@@ -851,8 +852,8 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
 			if (expr->op == OP_EQ)
 				left->ops->pctx_update(&ctx->pctx, nexpr);
 
-			nstmt = expr_stmt_alloc(&stmt->location, nexpr);
-			list_add_tail(&nstmt->list, &stmt->list);
+			nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr);
+			list_add_tail(&nstmt->list, &ctx->stmt->list);
 
 			/* Remember the first payload protocol expression to
 			 * kill it later on if made redundant by a higher layer
@@ -865,8 +866,9 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
 			else
 				payload_dependency_kill(ctx, nexpr->left);
 		}
-		list_del(&stmt->list);
-		stmt_free(stmt);
+		list_del(&ctx->stmt->list);
+		stmt_free(ctx->stmt);
+		ctx->stmt = NULL;
 		break;
 	default:
 		payload_expr_complete(left, &ctx->pctx);
@@ -878,7 +880,6 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
 }
 
 static void meta_match_postprocess(struct rule_pp_ctx *ctx,
-				   struct stmt *stmt,
 				   const struct expr *expr)
 {
 	struct expr *left = expr->left;
@@ -889,7 +890,8 @@ static void meta_match_postprocess(struct rule_pp_ctx *ctx,
 
 		if (ctx->pbase == PROTO_BASE_INVALID &&
 		    left->flags & EXPR_F_PROTOCOL)
-			payload_dependency_store(ctx, stmt, left->meta.base);
+			payload_dependency_store(ctx, ctx->stmt,
+						 left->meta.base);
 		break;
 	case OP_LOOKUP:
 		expr_set_type(expr->right, expr->left->dtype,
@@ -973,8 +975,7 @@ static void relational_binop_postprocess(struct expr *expr)
 	}
 }
 
-static void expr_postprocess(struct rule_pp_ctx *ctx,
-			     struct stmt *stmt, struct expr **exprp)
+static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
 {
 	struct expr *expr = *exprp, *i;
 
@@ -982,29 +983,29 @@ static void expr_postprocess(struct rule_pp_ctx *ctx,
 
 	switch (expr->ops->type) {
 	case EXPR_MAP:
-		expr_postprocess(ctx, stmt, &expr->map);
-		expr_postprocess(ctx, stmt, &expr->mappings);
+		expr_postprocess(ctx, &expr->map);
+		expr_postprocess(ctx, &expr->mappings);
 		break;
 	case EXPR_MAPPING:
-		expr_postprocess(ctx, stmt, &expr->left);
-		expr_postprocess(ctx, stmt, &expr->right);
+		expr_postprocess(ctx, &expr->left);
+		expr_postprocess(ctx, &expr->right);
 		break;
 	case EXPR_SET:
 		list_for_each_entry(i, &expr->expressions, list)
-			expr_postprocess(ctx, stmt, &i);
+			expr_postprocess(ctx, &i);
 		break;
 	case EXPR_UNARY:
-		expr_postprocess(ctx, stmt, &expr->arg);
+		expr_postprocess(ctx, &expr->arg);
 		expr_set_type(expr->arg, expr->arg->dtype, !expr->arg->byteorder);
 
 		*exprp = expr_get(expr->arg);
 		expr_free(expr);
 		break;
 	case EXPR_BINOP:
-		expr_postprocess(ctx, stmt, &expr->left);
+		expr_postprocess(ctx, &expr->left);
 		expr_set_type(expr->right, expr->left->dtype,
 			      expr->left->byteorder);
-		expr_postprocess(ctx, stmt, &expr->right);
+		expr_postprocess(ctx, &expr->right);
 
 		expr_set_type(expr, expr->left->dtype,
 			      expr->left->byteorder);
@@ -1012,19 +1013,19 @@ static void expr_postprocess(struct rule_pp_ctx *ctx,
 	case EXPR_RELATIONAL:
 		switch (expr->left->ops->type) {
 		case EXPR_PAYLOAD:
-			payload_match_postprocess(ctx, stmt, expr);
+			payload_match_postprocess(ctx, expr);
 			return;
 		default:
-			expr_postprocess(ctx, stmt, &expr->left);
+			expr_postprocess(ctx, &expr->left);
 			break;
 		}
 
 		expr_set_type(expr->right, expr->left->dtype, expr->left->byteorder);
-		expr_postprocess(ctx, stmt, &expr->right);
+		expr_postprocess(ctx, &expr->right);
 
 		switch (expr->left->ops->type) {
 		case EXPR_META:
-			meta_match_postprocess(ctx, stmt, expr);
+			meta_match_postprocess(ctx, expr);
 			break;
 		case EXPR_BINOP:
 			relational_binop_postprocess(expr);
@@ -1065,11 +1066,11 @@ static void expr_postprocess(struct rule_pp_ctx *ctx,
 
 		break;
 	case EXPR_RANGE:
-		expr_postprocess(ctx, stmt, &expr->left);
-		expr_postprocess(ctx, stmt, &expr->right);
+		expr_postprocess(ctx, &expr->left);
+		expr_postprocess(ctx, &expr->right);
 		break;
 	case EXPR_SET_ELEM:
-		expr_postprocess(ctx, stmt, &expr->key);
+		expr_postprocess(ctx, &expr->key);
 		break;
 	case EXPR_SET_REF:
 	case EXPR_EXTHDR:
@@ -1082,9 +1083,10 @@ static void expr_postprocess(struct rule_pp_ctx *ctx,
 	}
 }
 
-static void stmt_reject_postprocess(struct rule_pp_ctx *rctx, struct stmt *stmt)
+static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 {
 	const struct proto_desc *desc, *base;
+	struct stmt *stmt = rctx->stmt;
 	int protocol;
 
 	switch (rctx->pctx.family) {
@@ -1149,34 +1151,35 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r
 	proto_ctx_init(&rctx.pctx, rule->handle.family);
 
 	list_for_each_entry_safe(stmt, next, &rule->stmts, list) {
+		rctx.stmt = stmt;
+
 		switch (stmt->ops->type) {
 		case STMT_EXPRESSION:
-			expr_postprocess(&rctx, stmt, &stmt->expr);
+			expr_postprocess(&rctx, &stmt->expr);
 			break;
 		case STMT_META:
 			if (stmt->meta.expr != NULL)
-				expr_postprocess(&rctx, stmt, &stmt->meta.expr);
+				expr_postprocess(&rctx, &stmt->meta.expr);
 			break;
 		case STMT_CT:
 			if (stmt->ct.expr != NULL)
-				expr_postprocess(&rctx, stmt, &stmt->ct.expr);
+				expr_postprocess(&rctx, &stmt->ct.expr);
 			break;
 		case STMT_NAT:
 			if (stmt->nat.addr != NULL)
-				expr_postprocess(&rctx, stmt, &stmt->nat.addr);
+				expr_postprocess(&rctx, &stmt->nat.addr);
 			if (stmt->nat.proto != NULL)
-				expr_postprocess(&rctx, stmt, &stmt->nat.proto);
+				expr_postprocess(&rctx, &stmt->nat.proto);
 			break;
 		case STMT_REDIR:
 			if (stmt->redir.proto != NULL)
-				expr_postprocess(&rctx, stmt,
-						 &stmt->redir.proto);
+				expr_postprocess(&rctx, &stmt->redir.proto);
 			break;
 		case STMT_REJECT:
-			stmt_reject_postprocess(&rctx, stmt);
+			stmt_reject_postprocess(&rctx);
 			break;
 		case STMT_SET:
-			expr_postprocess(&rctx, stmt, &stmt->set.key);
+			expr_postprocess(&rctx, &stmt->set.key);
 			break;
 		default:
 			break;
-- 
1.7.10.4



* [PATCH 3/6 nft] netlink_delinearize: add payload_match_expand()
  2015-06-02 17:03 [PATCH 0/6 nft] improvements for the range printing Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 1/6 nft] netlink_delinearize: pass ctx pointer to stmt_reject_postprocess() Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 2/6 nft] netlink_delinearize: keep pointer to current statement from rule_pp_ctx Pablo Neira Ayuso
@ 2015-06-02 17:03 ` Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 4/6 nft] netlink_delinearize: consolidate range printing Pablo Neira Ayuso
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-02 17:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: kaber

This function encapsulates the payload expansion logic. This change is required
by the follow up patch to consolidate range printing.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c |   69 ++++++++++++++++++++++++---------------------
 1 file changed, 37 insertions(+), 32 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 71c32c5..7b4d695 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -829,49 +829,54 @@ static void integer_type_postprocess(struct expr *expr)
 	}
 }
 
-static void payload_match_postprocess(struct rule_pp_ctx *ctx,
-				      struct expr *expr)
+static void payload_match_expand(struct rule_pp_ctx *ctx, struct expr *expr)
 {
 	struct expr *left = expr->left, *right = expr->right, *tmp;
 	struct list_head list = LIST_HEAD_INIT(list);
 	struct stmt *nstmt;
 	struct expr *nexpr;
 
+	payload_expr_expand(&list, left, &ctx->pctx);
+	list_for_each_entry(left, &list, list) {
+		tmp = constant_expr_splice(right, left->len);
+		expr_set_type(tmp, left->dtype, left->byteorder);
+		if (tmp->byteorder == BYTEORDER_HOST_ENDIAN)
+			mpz_switch_byteorder(tmp->value, tmp->len / BITS_PER_BYTE);
+
+		nexpr = relational_expr_alloc(&expr->location, expr->op,
+					      left, tmp);
+		if (expr->op == OP_EQ)
+			left->ops->pctx_update(&ctx->pctx, nexpr);
+
+		nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr);
+		list_add_tail(&nstmt->list, &ctx->stmt->list);
+
+		/* Remember the first payload protocol expression to
+		 * kill it later on if made redundant by a higher layer
+		 * payload expression.
+		 */
+		if (ctx->pbase == PROTO_BASE_INVALID &&
+		    left->flags & EXPR_F_PROTOCOL)
+			payload_dependency_store(ctx, nstmt,
+						 left->payload.base);
+		else
+			payload_dependency_kill(ctx, nexpr->left);
+	}
+	list_del(&ctx->stmt->list);
+	stmt_free(ctx->stmt);
+	ctx->stmt = NULL;
+}
+
+static void payload_match_postprocess(struct rule_pp_ctx *ctx,
+				      struct expr *expr)
+{
 	switch (expr->op) {
 	case OP_EQ:
 	case OP_NEQ:
-		payload_expr_expand(&list, left, &ctx->pctx);
-		list_for_each_entry(left, &list, list) {
-			tmp = constant_expr_splice(right, left->len);
-			expr_set_type(tmp, left->dtype, left->byteorder);
-			if (tmp->byteorder == BYTEORDER_HOST_ENDIAN)
-				mpz_switch_byteorder(tmp->value, tmp->len / BITS_PER_BYTE);
-
-			nexpr = relational_expr_alloc(&expr->location, expr->op,
-						      left, tmp);
-			if (expr->op == OP_EQ)
-				left->ops->pctx_update(&ctx->pctx, nexpr);
-
-			nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr);
-			list_add_tail(&nstmt->list, &ctx->stmt->list);
-
-			/* Remember the first payload protocol expression to
-			 * kill it later on if made redundant by a higher layer
-			 * payload expression.
-			 */
-			if (ctx->pbase == PROTO_BASE_INVALID &&
-			    left->flags & EXPR_F_PROTOCOL)
-				payload_dependency_store(ctx, nstmt,
-							 left->payload.base);
-			else
-				payload_dependency_kill(ctx, nexpr->left);
-		}
-		list_del(&ctx->stmt->list);
-		stmt_free(ctx->stmt);
-		ctx->stmt = NULL;
+		payload_match_expand(ctx, expr);
 		break;
 	default:
-		payload_expr_complete(left, &ctx->pctx);
+		payload_expr_complete(expr->left, &ctx->pctx);
 		expr_set_type(expr->right, expr->left->dtype,
 			      expr->left->byteorder);
 		payload_dependency_kill(ctx, expr->left);
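Review bot: in payload_match_expand(), "left" is initialised to expr->left, handed to payload_expr_expand(), and then reused as the cursor of list_for_each_entry(left, &list, list). Now that this code is a function of its own, a separate iterator variable would make it obvious that the loop body operates on the expanded expressions rather than on the original expr->left. A short comment above the function noting that it frees ctx->stmt and leaves it NULL would also help, because the name does not suggest that the current statement is consumed.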
-- 
1.7.10.4



* [PATCH 4/6 nft] netlink_delinearize: consolidate range printing
  2015-06-02 17:03 [PATCH 0/6 nft] improvements for the range printing Pablo Neira Ayuso
                   ` (2 preceding siblings ...)
  2015-06-02 17:03 ` [PATCH 3/6 nft] netlink_delinearize: add payload_match_expand() Pablo Neira Ayuso
@ 2015-06-02 17:03 ` Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 5/6 nft] tests: regression: reduce code duplication a bit on error reporting Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 6/6 nft] tests: regression: fix warnings related to range listing Pablo Neira Ayuso
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-02 17:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: kaber

This patch adds a routine to the postprocess stage to check if the previous
expression statement and the current actually represent a range, so we can
provide a more compact listing, eg.

 # nft -nn list table test
 table ip test {
        chain test {
                tcp dport 22
                tcp dport 22-23
                tcp dport != 22-23
                ct mark != 0x00000016-0x00000017
                ct mark 0x00000016-0x00000017
                mark 0x00000016-0x00000017
                mark != 0x00000016-0x00000017
        }
 }

To do so, the context state stores a pointer to the current statement. This
pointer needs to be invalidated in case the current statement is replaced.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c |   82 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 78 insertions(+), 4 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 7b4d695..b1ce911 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -873,8 +873,11 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
 	switch (expr->op) {
 	case OP_EQ:
 	case OP_NEQ:
-		payload_match_expand(ctx, expr);
-		break;
+		if (expr->right->ops->type == EXPR_VALUE) {
+			payload_match_expand(ctx, expr);
+			break;
+		}
+		/* Fall through */
 	default:
 		payload_expr_complete(expr->left, &ctx->pctx);
 		expr_set_type(expr->right, expr->left->dtype,
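Review bot: the "/* Fall through */" in the OP_EQ/OP_NEQ case says what happens but not why. A comment stating that a right-hand side that is not EXPR_VALUE (such as the range built by expr_postprocess_range() in this patch) must not go through payload_match_expand() and is completed like the other relational operators would make the condition easier to maintain.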
@@ -1147,10 +1150,80 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 	}
 }
 
+static bool expr_may_merge_range(struct expr *expr, struct expr *prev,
+				 enum ops *op)
+{
+	struct expr *left, *prev_left;
+
+	if (prev->ops->type == EXPR_RELATIONAL &&
+	    expr->ops->type == EXPR_RELATIONAL) {
+		/* ct and meta needs an unary to swap byteorder, in this case
+		 * we have to explore the inner branch in this tree.
+		 */
+		if (expr->left->ops->type == EXPR_UNARY)
+			left = expr->left->arg;
+		else
+			left = expr->left;
+
+		if (prev->left->ops->type == EXPR_UNARY)
+			prev_left = prev->left->arg;
+		else
+			prev_left = prev->left;
+
+		if (left->ops->type == prev_left->ops->type) {
+			if (expr->op == OP_LTE && prev->op == OP_GTE) {
+				*op = OP_EQ;
+				return true;
+			} else if (expr->op == OP_GT && prev->op == OP_LT) {
+				*op = OP_NEQ;
+				return true;
+			}
+		}
+	}
+
+	return false;
+}
+
+static void expr_postprocess_range(struct rule_pp_ctx *ctx, struct stmt *prev,
+				   enum ops op)
+{
+	struct stmt *nstmt, *stmt = ctx->stmt;
+	struct expr *nexpr, *rel;
+
+	nexpr = range_expr_alloc(&prev->location, expr_clone(prev->expr->right),
+				 expr_clone(stmt->expr->right));
+	expr_set_type(nexpr, stmt->expr->right->dtype,
+		      stmt->expr->right->byteorder);
+
+	rel = relational_expr_alloc(&prev->location, op,
+				    expr_clone(stmt->expr->left), nexpr);
+
+	nstmt = expr_stmt_alloc(&stmt->location, rel);
+	list_add_tail(&nstmt->list, &stmt->list);
+
+	list_del(&prev->list);
+	stmt_free(prev);
+
+	list_del(&stmt->list);
+	stmt_free(stmt);
+	ctx->stmt = nstmt;
+}
+
+static void stmt_expr_postprocess(struct rule_pp_ctx *ctx, struct stmt *prev)
+{
+	enum ops op;
+
+	if (prev && ctx->stmt->ops->type == prev->ops->type &&
+	    expr_may_merge_range(ctx->stmt->expr, prev->expr, &op))
+		expr_postprocess_range(ctx, prev, op);
+
+	expr_postprocess(ctx, &ctx->stmt->expr);
+}
+
 static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *rule)
 {
 	struct rule_pp_ctx rctx;
-	struct stmt *stmt, *next;
+	struct stmt *stmt, *next, *prev = NULL;
 
 	memset(&rctx, 0, sizeof(rctx));
 	proto_ctx_init(&rctx.pctx, rule->handle.family);
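Review bot: expr_may_merge_range() treats two statements as the same selector by comparing only "left->ops->type == prev_left->ops->type", so any two consecutive relational statements of the same expression kind with GTE/LTE (or LT/GT) operators are merged, regardless of which field each one refers to. expr_postprocess_range() then clones only stmt->expr->left and frees prev, so the left-hand side of the first statement is dropped from the listing. Because the listing is what an administrator reads to audit the ruleset, the check should compare the selectors themselves, not just their expression type, before merging.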
@@ -1160,7 +1233,7 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r
 
 		switch (stmt->ops->type) {
 		case STMT_EXPRESSION:
-			expr_postprocess(&rctx, &stmt->expr);
+			stmt_expr_postprocess(&rctx, prev);
 			break;
 		case STMT_META:
 			if (stmt->meta.expr != NULL)
@@ -1189,6 +1262,7 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r
 		default:
 			break;
 		}
+		prev = rctx.stmt;
 	}
 }
 
-- 
1.7.10.4



* [PATCH 5/6 nft] tests: regression: reduce code duplication a bit on error reporting
  2015-06-02 17:03 [PATCH 0/6 nft] improvements for the range printing Pablo Neira Ayuso
                   ` (3 preceding siblings ...)
  2015-06-02 17:03 ` [PATCH 4/6 nft] netlink_delinearize: consolidate range printing Pablo Neira Ayuso
@ 2015-06-02 17:03 ` Pablo Neira Ayuso
  2015-06-02 17:03 ` [PATCH 6/6 nft] tests: regression: fix warnings related to range listing Pablo Neira Ayuso
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-02 17:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: kaber

Consolidate print_err() and print_warning() into print_msg() to reduce code
duplication.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/regression/nft-test.py |   19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/tests/regression/nft-test.py b/tests/regression/nft-test.py
index 559ad41..7823f44 100755
--- a/tests/regression/nft-test.py
+++ b/tests/regression/nft-test.py
@@ -44,26 +44,21 @@ class Colors:
         RED = ''
         ENDC = ''
 
-def print_error(reason, filename=None, lineno=None):
+def print_msg(reason, filename=None, lineno=None, color=None, errstr=None):
     '''
-    Prints an error with nice colors, indicating file and line number.
+    Prints a message with nice colors, indicating file and line number.
     '''
     if filename and lineno:
-        print (filename + ": " + Colors.RED + "ERROR:" +
+        print (filename + ": " + color + "ERROR:" +
                Colors.ENDC + " line %d: %s" % (lineno + 1, reason))
     else:
-        print (Colors.RED + "ERROR:" + Colors.ENDC + " %s" % (reason))
+        print (color + "ERROR:" + Colors.ENDC + " %s" % (reason))
 
+def print_error(reason, filename=None, lineno=None):
+    print_msg(reason, filename, lineno, Colors.RED, "ERROR:")
 
 def print_warning(reason, filename=None, lineno=None):
-    '''
-    Prints a warning with nice colors, indicating file and line number.
-    '''
-    if filename and lineno:
-        print (filename + ": " + Colors.YELLOW + "WARNING:" + \
-               Colors.ENDC + " line %d: %s" % (lineno + 1, reason))
-    else:
-        print (Colors.YELLOW + "WARNING:" + " %s" % (reason))
+    print_msg(reason, filename, lineno, Colors.YELLOW, "WARNING:")
 
 
 def print_differences_warning(filename, lineno, rule1, rule2, cmd):
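Review bot: print_msg() accepts "errstr" but both print calls still hard-code "ERROR:", so print_warning() now prints a yellow "ERROR:" instead of "WARNING:". Use errstr in place of the literal in both branches. The defaults color=None and errstr=None will also raise a TypeError in the string concatenation if a caller omits them, so either make both parameters required or give them string defaults.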
-- 
1.7.10.4



* [PATCH 6/6 nft] tests: regression: fix warnings related to range listing
  2015-06-02 17:03 [PATCH 0/6 nft] improvements for the range printing Pablo Neira Ayuso
                   ` (4 preceding siblings ...)
  2015-06-02 17:03 ` [PATCH 5/6 nft] tests: regression: reduce code duplication a bit on error reporting Pablo Neira Ayuso
@ 2015-06-02 17:03 ` Pablo Neira Ayuso
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-02 17:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: kaber

Fix lots of warnings, mostly related to the listing of ranges in many of the
tests that we have, eg.

any/meta.t: WARNING: line: 30: 'nft add rule ip test-ip4 input meta l4proto 33-45': 'meta l4proto 33-45' mismatches 'meta l4proto 33-45'
any/meta.t: WARNING: line: 31: 'nft add rule ip test-ip4 input meta l4proto != 33-45': 'meta l4proto != 33-45' mismatches 'meta l4proto != 33-45'
any/meta.t: WARNING: line: 99: 'nft add rule ip test-ip4 input meta skuid 3001-3005 accept': 'meta skuid 3001-3005 accept' mismatches 'skuid 3001-3005 accept'
any/meta.t: WARNING: line: 100: 'nft add rule ip test-ip4 input meta skuid != 2001-2005 accept': 'meta skuid != 2001-2005 accept' mismatches 'skuid != 2001-2005 accept'
any/meta.t: WARNING: line: 111: 'nft add rule ip test-ip4 input meta skgid 2001-2005 accept': 'meta skgid 2001-2005 accept' mismatches 'skgid 2001-2005 accept'
any/meta.t: WARNING: line: 112: 'nft add rule ip test-ip4 input meta skgid != 2001-2005 accept': 'meta skgid != 2001-2005 accept' mismatches 'skgid != 2001-2005 accept'
any/meta.t: WARNING: line: 156: 'nft add rule ip test-ip4 input meta cpu 1-3': 'meta cpu 1-3' mismatches 'cpu 1-3'
any/meta.t: WARNING: line: 158: 'nft add rule ip test-ip4 input meta cpu != 1-2': 'meta cpu != 1-2' mismatches 'cpu != 1-2'
any/meta.t: WARNING: line: 187: 'nft add rule ip test-ip4 input meta cgroup 0x100001 - 0x100003': 'meta cgroup 0x100001 - 0x100003' mismatches 'cgroup 1048577-1048579'
...

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/regression/any/ct.t         |   26 +++++++++++-----------
 tests/regression/any/frag.t       |   10 ++++-----
 tests/regression/any/meta.t       |   43 ++++++++++++++++++-------------------
 tests/regression/arp/arp.t        |   14 ++++++------
 tests/regression/inet/ah.t        |   16 +++++++-------
 tests/regression/inet/comp.t      |    8 +++----
 tests/regression/inet/dccp.t      |   11 +++++-----
 tests/regression/inet/esp.t       |    8 +++----
 tests/regression/inet/sctp.t      |   16 +++++++-------
 tests/regression/inet/tcp.t       |   30 +++++++++++++-------------
 tests/regression/inet/udp.t       |   20 ++++++++---------
 tests/regression/inet/udplite.t   |   18 ++++++++--------
 tests/regression/ip/icmp.t        |   20 ++++++++---------
 tests/regression/ip/ip.t          |   38 ++++++++++++++++----------------
 tests/regression/ip/masquerade.t  |    2 +-
 tests/regression/ip/nat.t         |   14 ++++++------
 tests/regression/ip/redirect.t    |    2 +-
 tests/regression/ip6/dst.t        |    8 +++----
 tests/regression/ip6/hbh.t        |    8 +++----
 tests/regression/ip6/ip6.t        |   12 +++++------
 tests/regression/ip6/masquerade.t |    2 +-
 tests/regression/ip6/mh.t         |   18 ++++++++--------
 tests/regression/ip6/redirect.t   |    2 +-
 tests/regression/ip6/rt.t         |   16 +++++++-------
 24 files changed, 180 insertions(+), 182 deletions(-)

diff --git a/tests/regression/any/ct.t b/tests/regression/any/ct.t
index bb26cb8..6ec0526 100644
--- a/tests/regression/any/ct.t
+++ b/tests/regression/any/ct.t
@@ -44,10 +44,10 @@ ct mark and 0x3 != 0x1;ok;ct mark & 0x00000003 != 0x00000001
 ct mark xor 0x23 == 0x11;ok;ct mark 0x00000032
 ct mark xor 0x3 != 0x1;ok;ct mark != 0x00000002
 
-ct mark 0x32;ok;ct mark 0x00000032
-ct mark != 0x32;ok;ct mark != 0x00000032
-ct mark 0x32-0x45;ok
-ct mark != 0x32-0x43;ok
+ct mark 0x00000032;ok
+ct mark != 0x00000032;ok
+ct mark 0x00000032-0x00000045;ok
+ct mark != 0x00000032-0x00000045;ok
 ct mark {0x32, 0x2222, 0x42de3};ok;ct mark { 0x00042de3, 0x00002222, 0x00000032}
 - ct mark != {0x32, 0x2222, 0x42de3};ok
 
@@ -60,16 +60,14 @@ ct mark set 0x11333 and 0x11;ok;ct mark set 0x00000011
 ct mark set 0x12 or 0x11;ok;ct mark set 0x00000013
 ct mark set 0x11;ok;ct mark set 0x00000011
 
-ct expiration 30;ok
-ct expiration 22;ok
-ct expiration != 233;ok
-ct expiration 33-45;ok
-# BUG: ct expiration 33-45 and  ct expiration != 33-45
-# Broken output: ct expiration >= "33s" ct expiration <= "9709d53m20s"
-ct expiration != 33-45;ok
-ct expiration {33, 55, 67, 88};ok
-- ct expiration != {33, 55, 67, 88};ok
-ct expiration {33-55};ok
+ct expiration 30;ok;ct expiration 30s
+ct expiration 22;ok;ct expiration 22s
+ct expiration != 233;ok;ct expiration != 3m53s
+ct expiration 33-45;ok;ct expiration 33s-45s
+ct expiration != 33-45;ok;ct expiration != 33s-45s
+ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
+- ct expiration != {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
+ct expiration {33-55};ok;ct expiration { 33s-55s}
 # BUG: ct expiration {33-55}
 # Broken output: ct expiration { "4271d23h25m52s"-"8738d3h11m59s" }
 - ct expiration != {33-55};ok
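Review bot: the "# BUG: ct expiration {33-55}" and "# Broken output:" comments remain directly below the line that now expects "ct expiration { 33s-55s}", so either the comment is stale and should be removed with the other BUG note, or the new expectation is wrong. In the disabled "- ct expiration != {33, 55, 67, 88}" line the expected output has lost its "!=", which would assert the opposite match if that test is ever enabled.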
diff --git a/tests/regression/any/frag.t b/tests/regression/any/frag.t
index 92caf1e..d61a3d4 100644
--- a/tests/regression/any/frag.t
+++ b/tests/regression/any/frag.t
@@ -14,9 +14,9 @@ frag nexthdr ah;ok;frag nexthdr 51
 
 frag reserved 22;ok
 frag reserved != 233;ok
-frag reserved 33-45;ok;frag reserved >= 33 frag reserved <= 45
-frag reserved != 33-45;ok;frag reserved < 33 frag reserved > 45
-frag reserved { 33, 55, 67, 88};ok;frag reserved { 88, 33, 67, 55}
+frag reserved 33-45;ok
+frag reserved != 33-45;ok
+frag reserved { 33, 55, 67, 88};ok
 - frag reserved != { 33, 55, 67, 88};ok
 frag reserved { 33-55};ok
 - frag reserved != { 33-55};ok
@@ -56,8 +56,8 @@ frag reserved { 33-55};ok
 frag id 1;ok
 frag id 22;ok
 frag id != 33;ok
-frag id 33-45;ok;frag id >= 33 frag id <= 45
-frag id != 33-45;ok;frag id < 33 frag id > 45
+frag id 33-45;ok
+frag id != 33-45;ok
 frag id { 33, 55, 67, 88};ok
 - frag id != { 33, 55, 67, 88};ok
 frag id { 33-55};ok
diff --git a/tests/regression/any/meta.t b/tests/regression/any/meta.t
index 7108d17..ca0b4d4 100644
--- a/tests/regression/any/meta.t
+++ b/tests/regression/any/meta.t
@@ -27,8 +27,8 @@ meta nfproto {ipv4, ipv6};ok
 
 meta l4proto 22;ok
 meta l4proto != 233;ok
-meta l4proto 33-45;ok;meta l4proto >= 33 meta l4proto <= 45
-meta l4proto != 33-45;ok;meta l4proto < 33 meta l4proto > 45
+meta l4proto 33-45;ok
+meta l4proto != 33-45;ok
 meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88}
 - meta l4proto != { 33, 55, 67, 88};ok
 meta l4proto { 33-55};ok
@@ -96,9 +96,9 @@ meta skuid != man;ok;skuid != 6
 meta skuid lt 3000 accept;ok;skuid < 3000 accept
 meta skuid gt 3000 accept;ok;skuid > 3000 accept
 meta skuid eq 3000 accept;ok;skuid 3000 accept
-meta skuid 3001-3005 accept;ok
-meta skuid != 2001-2005 accept;ok
-meta skuid { 2001-2005} accept;ok
+meta skuid 3001-3005 accept;ok;skuid 3001-3005 accept
+meta skuid != 2001-2005 accept;ok;skuid != 2001-2005 accept
+meta skuid { 2001-2005} accept;ok;skuid { 2001-2005} accept
 - meta skuid != { 2001-2005} accept;ok
 
 meta skgid {man, root, backup} accept;ok;skgid { 34, 12, 0} accept
@@ -108,10 +108,10 @@ meta skgid != man;ok;skgid != 12
 meta skgid lt 3000 accept;ok;skgid < 3000 accept
 meta skgid gt 3000 accept;ok;skgid > 3000 accept
 meta skgid eq 3000 accept;ok;skgid 3000 accept
-meta skgid 2001-2005 accept;ok
-meta skgid != 2001-2005 accept;ok
-meta skgid { 2001-2005} accept;ok
-- meta skgid != { 2001-2005} accept;ok
+meta skgid 2001-2005 accept;ok;skgid 2001-2005 accept
+meta skgid != 2001-2005 accept;ok;skgid != 2001-2005 accept
+meta skgid { 2001-2005} accept;ok;skgid { 2001-2005} accept
+- meta skgid != { 2001-2005} accept;ok;skgid != { 2001-2005} accept
 
 # BUG: meta nftrace 2 and meta nftrace 1
 # $ sudo nft add rule ip test input meta nftrace 2
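Review bot: the last changed line adds an expected output to a test that stays disabled ('- meta skgid != { 2001-2005} accept'), while the skuid counterpart in the previous hunk ('- meta skuid != { 2001-2005} accept;ok') is left without one. Treat both the same way so it is clear what is expected once negated sets are supported.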
@@ -153,11 +153,10 @@ meta pkttype { broadcast, multicast} accept;ok
 
 meta cpu 1;ok;cpu 1
 meta cpu != 1;ok;cpu != 1
-meta cpu 1-3;ok;cpu >= 1 cpu <= 3
-# BUG: there is not matching of packets with this rule.
-meta cpu != 1-2;ok;cpu < 1 cpu > 2
-meta cpu { 2,3};ok;cpu { 2, 3}
--meta cpu != { 2,3};ok
+meta cpu 1-3;ok;cpu 1-3
+meta cpu != 1-2;ok;cpu != 1-2
+meta cpu { 2,3};ok;cpu { 2,3}
+-meta cpu != { 2,3};ok; cpu != { 2,3}
 
 meta iifgroup 0;ok;iifgroup default
 meta iifgroup != 0;ok;iifgroup != default
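Review bot: the comment '# BUG: there is not matching of packets with this rule.' above 'meta cpu != 1-2' is removed without explanation; it describes packet matching rather than listing, so either say in the commit message that the matching problem is fixed or keep the comment. Also, the new expectation 'cpu { 2,3}' has no space after the comma, while the removed line and the other set expectations in this file use '{ 2, 3}', and '; cpu != { 2,3}' on the disabled line has a stray leading space, so these would not compare equal to the listed rule.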
@@ -180,11 +179,11 @@ meta oifgroup {11-33};ok
 - meta oifgroup != {11,33};ok
 - meta oifgroup != {11-33};ok
 
-meta cgroup 0x100001;ok;cgroup 1048577
-meta cgroup != 0x100001;ok;cgroup != 1048577
-meta cgroup { 0x100001, 0x100002};ok
-# meta cgroup != { 0x100001, 0x100002};ok
-meta cgroup 0x100001 - 0x100003;ok
-# meta cgroup != 0x100001 - 0x100003;ok
-meta cgroup {0x100001 - 0x100003};ok
-# meta cgroup != { 0x100001 - 0x100003};ok
+meta cgroup 1048577;ok;cgroup 1048577
+meta cgroup != 1048577;ok;cgroup != 1048577
+meta cgroup { 1048577, 1048578 };ok;cgroup { 1048577, 1048578}
+# meta cgroup != { 1048577, 1048578};ok;cgroup != { 1048577, 1048578}
+meta cgroup 1048577-1048578;ok;cgroup 1048577-1048578
+meta cgroup != 1048577-1048578;ok;cgroup != 1048577-1048578
+meta cgroup {1048577-1048578};ok;cgroup { 1048577-1048578}
+# meta cgroup != { 1048577-1048578};ok;cgroup != { 1048577-1048578}
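Review bot: the cgroup inputs are rewritten from hex to decimal, so hex parsing such as 'meta cgroup 0x100001' is no longer exercised, and the range upper bound quietly changes from 0x100003 to 1048578 (0x100002). Prefer keeping the hex input with a decimal expected output, as the removed 'meta cgroup 0x100001;ok;cgroup 1048577' did, and note in the commit message that 'meta cgroup != 1048577-1048578' is newly enabled here.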
diff --git a/tests/regression/arp/arp.t b/tests/regression/arp/arp.t
index 797e394..c4e07d5 100644
--- a/tests/regression/arp/arp.t
+++ b/tests/regression/arp/arp.t
@@ -6,19 +6,19 @@ arp htype 1;ok
 arp htype != 1;ok
 arp htype 22;ok
 arp htype != 233;ok
-arp htype 33-45;ok;arp htype >= 33 arp htype <= 45
-arp htype != 33-45;ok;arp htype < 33 arp htype > 45
+arp htype 33-45;ok
+arp htype != 33-45;ok
 arp htype { 33, 55, 67, 88};ok
 - arp htype != { 33, 55, 67, 88};ok
 arp htype { 33-55};ok
 - arp htype != { 33-55};ok
 
-arp ptype 0x0800;ok
+arp ptype 0x0800;ok;arp ptype ip
 
 arp hlen 22;ok
 arp hlen != 233;ok
-arp hlen 33-45;ok;arp hlen >= 33 arp hlen <= 45
-arp hlen != 33-45;ok;arp hlen < 33 arp hlen > 45
+arp hlen 33-45;ok
+arp hlen != 33-45;ok
 arp hlen { 33, 55, 67, 88};ok
 - arp hlen != { 33, 55, 67, 88};ok
 arp hlen { 33-55};ok
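Review bot: 'arp ptype 0x0800;ok;arp ptype ip' adds a symbolic-name expectation that has nothing to do with range listing. Mention it in the commit message or split it out, so a later bisect for the ptype output does not land on a range-printing commit.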
@@ -26,8 +26,8 @@ arp hlen { 33-55};ok
 
 arp plen 22;ok
 arp plen != 233;ok
-arp plen 33-45;ok;arp plen >= 33 arp plen <= 45
-arp plen != 33-45;ok;arp plen < 33 arp plen > 45
+arp plen 33-45;ok
+arp plen != 33-45;ok
 arp plen { 33, 55, 67, 88};ok
 - arp plen != { 33, 55, 67, 88};ok
 arp plen { 33-55};ok
diff --git a/tests/regression/inet/ah.t b/tests/regression/inet/ah.t
index 6defc35..666659d 100644
--- a/tests/regression/inet/ah.t
+++ b/tests/regression/inet/ah.t
@@ -17,8 +17,8 @@
 - ah nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;ah nexthdr { 6, 132, 50, 17, 136, 33, 51, 108}
 - ah nexthdr != { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
 
-ah hdrlength 11-23;ok;ah hdrlength >= 11 ah hdrlength <= 23
-ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23
+ah hdrlength 11-23;ok
+ah hdrlength != 11-23;ok
 ah hdrlength { 11-23};ok
 - ah hdrlength != { 11-23};ok
 ah hdrlength {11, 23, 44 };ok
@@ -26,8 +26,8 @@ ah hdrlength {11, 23, 44 };ok
 
 ah reserved 22;ok
 ah reserved != 233;ok
-ah reserved 33-45;ok;ah reserved >= 33 ah reserved <= 45
-ah reserved != 33-45;ok;ah reserved < 33 ah reserved > 45
+ah reserved 33-45;ok
+ah reserved != 33-45;ok
 ah reserved {23, 100};ok
 - ah reserved != {33, 55, 67, 88};ok
 ah reserved { 33-55};ok
@@ -35,8 +35,8 @@ ah reserved { 33-55};ok
 
 ah spi 111;ok
 ah spi != 111;ok
-ah spi 111-222;ok;ah spi >= 111 ah spi <= 222
-ah spi != 111-222;ok;ah spi < 111 ah spi > 222
+ah spi 111-222;ok
+ah spi != 111-222;ok
 ah spi {111, 122};ok
 - ah spi != {111, 122};ok
 # BUG: invalid expression type set
@@ -54,5 +54,5 @@ ah sequence {23, 25, 33};ok
 - ah sequence != {23, 25, 33};ok
 ah sequence { 23-33};ok
 - ah sequence != { 33-44};ok
-ah sequence 23-33;ok;ah sequence >= 23 ah sequence <= 33
-ah sequence != 23-33;ok;ah sequence < 23 ah sequence > 33
+ah sequence 23-33;ok
+ah sequence != 23-33;ok
diff --git a/tests/regression/inet/comp.t b/tests/regression/inet/comp.t
index 32db32b..afdc63f 100644
--- a/tests/regression/inet/comp.t
+++ b/tests/regression/inet/comp.t
@@ -4,9 +4,9 @@
 
 :input;type filter hook input priority 0
 
-# BUG: Do no list table.
+# BUG: nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
 - comp nexthdr esp;ok;comp nexthdr 50
-comp nexthdr != esp;ok
+comp nexthdr != esp;ok;comp nexthdr != 50
 
 - comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp};ok
 # comp flags ## 8-bit field.  Reserved for future use.  MUST be set to zero.
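Review bot: the new BUG comment records an assertion abort in payload_expr_pctx_update (payload.c:88) but not which rule triggers it or whether it happens on add or on list. Since the test below it ('comp nexthdr esp') stays disabled, state the triggering command in the comment so the abort can be reproduced and fixed rather than only documented.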
@@ -23,8 +23,8 @@ comp flags { 0x33-0x55};ok
 
 comp cpi 22;ok
 comp cpi != 233;ok
-comp cpi 33-45;ok;comp cpi >= 33 comp cpi <= 45
-comp cpi != 33-45;ok;comp cpi < 33 comp cpi > 45
+comp cpi 33-45;ok
+comp cpi != 33-45;ok
 comp cpi {33, 55, 67, 88};ok
 - comp cpi != {33, 55, 67, 88};ok
 comp cpi { 33-55};ok
diff --git a/tests/regression/inet/dccp.t b/tests/regression/inet/dccp.t
index 272c0e2..e323992 100644
--- a/tests/regression/inet/dccp.t
+++ b/tests/regression/inet/dccp.t
@@ -3,15 +3,16 @@
 *inet;test-inet
 :input;type filter hook input priority 0
 
-dccp sport 21-35;ok;dccp sport >= 21 dccp sport <= 35
-dccp sport != 21-35;ok;dccp sport < 21 dccp sport > 35
-dccp sport {23, 24, 25};ok;dccp sport { 23, 24, 25}
+dccp sport 21-35;ok
+dccp sport != 21-35;ok
+dccp sport {23, 24, 25};ok
 - dccp sport != { 27, 34};ok
 # BUG: invalid expression type set
 # nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
 
-dccp sport { ftp-data - re-mail-ck};ok;dccp sport { 20-50}
-dccp sport ftp-data - re-mail-ck;ok;dccp sport >= 20 dccp sport <= 50
+dccp sport { 20-50 };ok
+dccp sport ftp-data - re-mail-ck;ok;dccp sport 20-50
+dccp sport 20-50;ok
 dccp sport { 20-50};ok
 - dccp sport != {27-34};ok
 # dccp sport != {27-34};ok
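Review bot: the added 'dccp sport { 20-50 };ok' tests the same rule as the existing 'dccp sport { 20-50};ok' two lines below, and it replaces the only case that used service names inside a set range ('{ ftp-data - re-mail-ck}'). Keep the symbolic input with its numeric expected output, 'dccp sport { ftp-data - re-mail-ck};ok;dccp sport { 20-50}', and drop the duplicate.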
diff --git a/tests/regression/inet/esp.t b/tests/regression/inet/esp.t
index 1f23aa4..3a8502d 100644
--- a/tests/regression/inet/esp.t
+++ b/tests/regression/inet/esp.t
@@ -5,16 +5,16 @@
 
 esp spi 100;ok
 esp spi != 100;ok
-esp spi 111-222;ok;esp spi >= 111 esp spi <= 222
-esp spi != 111-222;ok;esp spi < 111 esp spi > 222
+esp spi 111-222;ok
+esp spi != 111-222;ok
 esp spi { 100, 102};ok
 - esp spi != { 100, 102};ok
 esp spi { 100-102};ok
 - esp spi {100-102};ok
 
 esp sequence 22;ok
-esp sequence 22-24;ok;esp sequence >= 22 esp sequence <= 24
-esp sequence != 22-24;ok;esp sequence < 22 esp sequence > 24
+esp sequence 22-24;ok
+esp sequence != 22-24;ok
 esp sequence { 22, 24};ok
 - esp sequence != { 22, 24};ok
 # BUG: invalid expression type set
diff --git a/tests/regression/inet/sctp.t b/tests/regression/inet/sctp.t
index b98b0af..537a9b1 100644
--- a/tests/regression/inet/sctp.t
+++ b/tests/regression/inet/sctp.t
@@ -5,8 +5,8 @@
 
 sctp sport 23;ok
 sctp sport != 23;ok
-sctp sport 23-44;ok;sctp sport >= 23 sctp sport <= 44
-sctp sport != 23-44;ok;sctp sport < 23 sctp sport > 44
+sctp sport 23-44;ok
+sctp sport != 23-44;ok
 sctp sport { 23, 24, 25};ok
 - sctp sport != { 23, 24, 25};ok
 sctp sport { 23-44};ok
@@ -16,8 +16,8 @@ sctp sport { 23-44};ok
 
 sctp dport 23;ok
 sctp dport != 23;ok
-sctp dport 23-44;ok;sctp dport >= 23 sctp dport <= 44
-sctp dport != 23-44;ok;sctp dport < 23 sctp dport > 44
+sctp dport 23-44;ok
+sctp dport != 23-44;ok
 sctp dport { 23, 24, 25};ok
 - sctp dport != { 23, 24, 25};ok
 sctp dport { 23-44};ok
@@ -25,8 +25,8 @@ sctp dport { 23-44};ok
 
 sctp checksum 1111;ok
 sctp checksum != 11;ok
-sctp checksum 21-333;ok;sctp checksum >= 21 sctp checksum <= 333
-sctp checksum != 32-111;ok;sctp checksum < 32 sctp checksum > 111
+sctp checksum 21-333;ok
+sctp checksum != 32-111;ok
 sctp checksum { 22, 33, 44};ok
 - sctp checksum != { 22, 33, 44};ok
 sctp checksum { 22-44};ok
@@ -34,8 +34,8 @@ sctp checksum { 22-44};ok
 
 sctp vtag 22;ok
 sctp vtag != 233;ok
-sctp vtag 33-45;ok;sctp vtag >= 33 sctp vtag <= 45
-sctp vtag != 33-45;ok;sctp vtag < 33 sctp vtag > 45
+sctp vtag 33-45;ok
+sctp vtag != 33-45;ok
 sctp vtag {33, 55, 67, 88};ok
 - sctp vtag != {33, 55, 67, 88};ok
 sctp vtag { 33-55};ok
diff --git a/tests/regression/inet/tcp.t b/tests/regression/inet/tcp.t
index f72ec52..5eb3882 100644
--- a/tests/regression/inet/tcp.t
+++ b/tests/regression/inet/tcp.t
@@ -5,8 +5,8 @@
 
 tcp dport 22;ok
 tcp dport != 233;ok
-tcp dport 33-45;ok;tcp dport >= 33 tcp dport <= 45
-tcp dport != 33-45;ok;tcp dport < 33 tcp dport > 45
+tcp dport 33-45;ok
+tcp dport != 33-45;ok
 tcp dport { 33, 55, 67, 88};ok
 - tcp dport != { 33, 55, 67, 88};ok
 tcp dport { 33-55};ok
@@ -21,8 +21,8 @@ tcp dport { 22, 53, 80, 110 };ok
 
 tcp sport 22;ok
 tcp sport != 233;ok
-tcp sport 33-45;ok;tcp sport >= 33 tcp sport <= 45
-tcp sport != 33-45;ok;tcp sport < 33 tcp sport > 45
+tcp sport 33-45;ok
+tcp sport != 33-45;ok
 tcp sport { 33, 55, 67, 88};ok
 - tcp sport != { 33, 55, 67, 88};ok
 tcp sport { 33-55};ok
@@ -33,13 +33,13 @@ tcp sport 8080 drop;ok
 tcp sport 1024 tcp dport 22;ok
 tcp sport 1024 tcp dport 22 tcp sequence 0;ok
 
-tcp sequence 0 tcp sport 1024 tcp dport 22;ok;tcp sport 1024 tcp dport 22 tcp sequence 0
+tcp sequence 0 tcp sport 1024 tcp dport 22;ok
 tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok
 
 tcp sequence 22;ok
 tcp sequence != 233;ok
-tcp sequence 33-45;ok;tcp sequence >= 33 tcp sequence <= 45
-tcp sequence != 33-45;ok;tcp sequence < 33 tcp sequence > 45
+tcp sequence 33-45;ok
+tcp sequence != 33-45;ok
 tcp sequence { 33, 55, 67, 88};ok
 - tcp sequence != { 33, 55, 67, 88};ok
 tcp sequence { 33-55};ok
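Review bot: 'tcp sequence 0 tcp sport 1024 tcp dport 22;ok' loses an expectation that reordered the matches (sport, dport, sequence), which is an ordering change rather than a range listing. The commit message should explain why the listing now preserves the input order, or this line should keep its expected output.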
@@ -48,8 +48,8 @@ tcp sequence { 33-55};ok
 tcp ackseq 42949672 drop;ok
 tcp ackseq 22;ok
 tcp ackseq != 233;ok
-tcp ackseq 33-45;ok;tcp ackseq >= 33 tcp ackseq <= 45
-tcp ackseq != 33-45;ok;tcp ackseq < 33 tcp ackseq > 45
+tcp ackseq 33-45;ok
+tcp ackseq != 33-45;ok
 tcp ackseq { 33, 55, 67, 88};ok
 - tcp ackseq != { 33, 55, 67, 88};ok
 tcp ackseq { 33-55};ok
@@ -75,8 +75,8 @@ tcp flags != cwr;ok
 tcp window 22222;ok
 tcp window 22;ok
 tcp window != 233;ok
-tcp window 33-45;ok;tcp window >= 33 tcp window <= 45
-tcp window != 33-45;ok;tcp window < 33 tcp window > 45
+tcp window 33-45;ok
+tcp window != 33-45;ok
 tcp window { 33, 55, 67, 88};ok
 - tcp window != { 33, 55, 67, 88};ok
 tcp window { 33-55};ok
@@ -85,8 +85,8 @@ tcp window { 33-55};ok
 tcp checksum 23456 log drop;ok
 tcp checksum 22;ok
 tcp checksum != 233;ok
-tcp checksum 33-45;ok;tcp checksum >= 33 tcp checksum <= 45
-tcp checksum != 33-45;ok;tcp checksum < 33 tcp checksum > 45
+tcp checksum 33-45;ok
+tcp checksum != 33-45;ok
 tcp checksum { 33, 55, 67, 88};ok
 - tcp checksum != { 33, 55, 67, 88};ok
 tcp checksum { 33-55};ok
@@ -95,8 +95,8 @@ tcp checksum { 33-55};ok
 tcp urgptr 1234 accept;ok
 tcp urgptr 22;ok
 tcp urgptr != 233;ok
-tcp urgptr 33-45;ok;tcp urgptr >= 33 tcp urgptr <= 45
-tcp urgptr != 33-45;ok;tcp urgptr < 33 tcp urgptr > 45
+tcp urgptr 33-45;ok
+tcp urgptr != 33-45;ok
 tcp urgptr { 33, 55, 67, 88};ok
 - tcp urgptr != { 33, 55, 67, 88};ok
 tcp urgptr { 33-55};ok
diff --git a/tests/regression/inet/udp.t b/tests/regression/inet/udp.t
index 0e8a01f..58f4002 100644
--- a/tests/regression/inet/udp.t
+++ b/tests/regression/inet/udp.t
@@ -5,9 +5,9 @@
 
 udp sport 80 accept;ok
 udp sport != 60 accept;ok
-udp sport 50-70 accept;ok;udp sport >= 50 udp sport <= 70 accept
-udp sport != 50-60 accept;ok;udp sport < 50 udp sport > 60 accept
-udp sport { 49, 50} drop;ok;udp sport { 49, 50} drop
+udp sport 50-70 accept;ok
+udp sport != 50-60 accept;ok
+udp sport { 49, 50} drop;ok
 - udp sport != { 50, 60} accept;ok
 # BUG: invalid expression type set
 # nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
@@ -16,19 +16,19 @@ udp sport { 12-40};ok
 
 udp dport 80 accept;ok
 udp dport != 60 accept;ok
-udp dport 70-75 accept;ok;udp dport >= 70 udp dport <= 75 accept
-udp dport != 50-60 accept;ok;udp dport < 50 udp dport > 60 accept
+udp dport 70-75 accept;ok
+udp dport != 50-60 accept;ok
 udp dport { 49, 50} drop;ok
 - udp dport != { 50, 60} accept;ok
 # BUG: invalid expression type set
 # nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
-udp dport { 70-75} accept;ok;udp dport { 70-75} accept
+udp dport { 70-75} accept;ok
 - udp dport != { 50-60} accept;ok
 
 udp length 6666;ok
 udp length != 6666;ok
-udp length 50-65 accept;ok;udp length >= 50 udp length <= 65 accept
-udp length != 50-65 accept;ok;udp length < 50 udp length > 65 accept
+udp length 50-65 accept;ok
+udp length != 50-65 accept;ok
 udp length { 50, 65} accept;ok
 - udp length != { 50, 65} accept;ok
 udp length { 35-50};ok
@@ -41,8 +41,8 @@ udp checksum 6666 drop;ok
 
 udp checksum 22;ok
 udp checksum != 233;ok
-udp checksum 33-45;ok;udp checksum >= 33 udp checksum <= 45
-udp checksum != 33-45;ok;udp checksum < 33 udp checksum > 45
+udp checksum 33-45;ok
+udp checksum != 33-45;ok
 udp checksum { 33, 55, 67, 88};ok
 - udp checksum != { 33, 55, 67, 88};ok
 udp checksum { 33-55};ok
diff --git a/tests/regression/inet/udplite.t b/tests/regression/inet/udplite.t
index 1d5fbb3..9420ab4 100644
--- a/tests/regression/inet/udplite.t
+++ b/tests/regression/inet/udplite.t
@@ -5,20 +5,20 @@
 
 udplite sport 80 accept;ok
 udplite sport != 60 accept;ok
-udplite sport 50-70 accept;ok;udplite sport >= 50 udplite sport <= 70 accept
-udplite sport != 50-60 accept;ok;udplite sport < 50 udplite sport > 60 accept
-udplite sport { 49, 50} drop;ok;udplite sport { 49, 50} drop
+udplite sport 50-70 accept;ok
+udplite sport != 50-60 accept;ok
+udplite sport { 49, 50} drop;ok
 - udplite sport != { 50, 60} accept;ok
 udplite sport { 12-40};ok
 - udplite sport != { 13-24};ok
 
 udplite dport 80 accept;ok
 udplite dport != 60 accept;ok
-udplite dport 70-75 accept;ok;udplite dport >= 70 udplite dport <= 75 accept
-udplite dport != 50-60 accept;ok;udplite dport < 50 udplite dport > 60 accept
-udplite dport { 49, 50} drop;ok;udplite dport { 49, 50} drop
+udplite dport 70-75 accept;ok
+udplite dport != 50-60 accept;ok
+udplite dport { 49, 50} drop;ok
 - udplite dport != { 50, 60} accept;ok
-udplite dport { 70-75} accept;ok;udplite dport { 70-75} accept
+udplite dport { 70-75} accept;ok
 - udplite dport != { 50-60} accept;ok
 
 - udplite csumcov 6666;ok
@@ -34,8 +34,8 @@ udplite checksum 6666 drop;ok
 - udplite checksum != { 444, 555} accept;ok
 udplite checksum 22;ok
 udplite checksum != 233;ok
-udplite checksum 33-45;ok;udplite checksum >= 33 udplite checksum <= 45
-udplite checksum != 33-45;ok;udplite checksum < 33 udplite checksum > 45
+udplite checksum 33-45;ok
+udplite checksum != 33-45;ok
 udplite checksum { 33, 55, 67, 88};ok
 - udplite checksum != { 33, 55, 67, 88};ok
 udplite checksum { 33-55};ok
diff --git a/tests/regression/ip/icmp.t b/tests/regression/ip/icmp.t
index cd43a66..9c2aba7 100644
--- a/tests/regression/ip/icmp.t
+++ b/tests/regression/ip/icmp.t
@@ -24,8 +24,8 @@ icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-re
 
 icmp code 111 accept;ok
 icmp code != 111 accept;ok
-icmp code 33-55;ok;icmp code >= 33 icmp code <= 55
-icmp code != 33-55;ok;icmp code < 33 icmp code > 55
+icmp code 33-55;ok
+icmp code != 33-55;ok
 icmp code { 33-55};ok
 - icmp code != { 33-55};ok
 icmp code { 2, 4, 54, 33, 56};ok
@@ -36,8 +36,8 @@ icmp code { 2, 4, 54, 33, 56};ok
 
 icmp checksum 12343 accept;ok
 icmp checksum != 12343 accept;ok
-icmp checksum 11-343 accept;ok;icmp checksum >= 11 icmp checksum <= 343 accept
-icmp checksum != 11-343 accept;ok;icmp checksum < 11 icmp checksum > 343 accept
+icmp checksum 11-343 accept;ok
+icmp checksum != 11-343 accept;ok
 icmp checksum { 11-343} accept;ok
 - icmp checksum != { 11-343} accept;ok
 icmp checksum { 1111, 222, 343} accept;ok
@@ -49,8 +49,8 @@ icmp checksum { 1111, 222, 343} accept;ok
 icmp id 1245 log;ok
 icmp id 22;ok
 icmp id != 233;ok
-icmp id 33-45;ok;icmp id >= 33 icmp id <= 45
-icmp id != 33-45;ok;icmp id < 33 icmp id > 45
+icmp id 33-45;ok
+icmp id != 33-45;ok
 icmp id { 33-55};ok
 - icmp id != { 33-55};ok
 icmp id { 22, 34, 333};ok
@@ -61,8 +61,8 @@ icmp id { 22, 34, 333};ok
 
 icmp sequence 22;ok
 icmp sequence != 233;ok
-icmp sequence 33-45;ok;icmp sequence >= 33 icmp sequence <= 45
-icmp sequence != 33-45;ok;icmp sequence < 33 icmp sequence > 45
+icmp sequence 33-45;ok
+icmp sequence != 33-45;ok
 icmp sequence { 33, 55, 67, 88};ok
 - icmp sequence != { 33, 55, 67, 88};ok
 icmp sequence { 33-55};ok
@@ -83,8 +83,8 @@ icmp mtu { 33-55};ok
 
 icmp gateway 22;ok
 icmp gateway != 233;ok
-icmp gateway 33-45;ok;icmp gateway >= 33 icmp gateway <= 45
-icmp gateway != 33-45;ok;icmp gateway < 33 icmp gateway > 45
+icmp gateway 33-45;ok
+icmp gateway != 33-45;ok
 icmp gateway { 33, 55, 67, 88};ok
 - icmp gateway != { 33, 55, 67, 88};ok
 icmp gateway { 33-55};ok
diff --git a/tests/regression/ip/ip.t b/tests/regression/ip/ip.t
index a781de5..fa864df 100644
--- a/tests/regression/ip/ip.t
+++ b/tests/regression/ip/ip.t
@@ -30,8 +30,8 @@
 
 ip length 232;ok
 ip length != 233;ok
-ip length 333-435;ok;ip length >= 333 ip length <= 435
-ip length != 333-453;ok;ip length < 333 ip length > 453
+ip length 333-435;ok
+ip length != 333-453;ok
 ip length { 333, 553, 673, 838};ok
 - ip length != { 333, 535, 637, 883};ok
 ip length { 333-535};ok
@@ -39,8 +39,8 @@ ip length { 333-535};ok
 
 ip id 22;ok
 ip id != 233;ok
-ip id 33-45;ok;ip id >= 33 ip id <= 45
-ip id != 33-45;ok;ip id < 33 ip id > 45
+ip id 33-45;ok
+ip id != 33-45;ok
 ip id { 33, 55, 67, 88};ok
 - ip id != { 33, 55, 67, 88};ok
 ip id { 33-55};ok
@@ -48,8 +48,8 @@ ip id { 33-55};ok
 
 ip frag-off 222 accept;ok
 ip frag-off != 233;ok
-ip frag-off 33-45;ok;ip frag-off >= 33 ip frag-off <= 45
-ip frag-off != 33-45;ok;ip frag-off < 33 ip frag-off > 45
+ip frag-off 33-45;ok
+ip frag-off != 33-45;ok
 ip frag-off { 33, 55, 67, 88};ok
 - ip frag-off != { 33, 55, 67, 88};ok
 ip frag-off { 33-55};ok
@@ -57,8 +57,8 @@ ip frag-off { 33-55};ok
 
 ip ttl 0 drop;ok
 ip ttl 233 log;ok
-ip ttl 33-55;ok;ip ttl >= 33 ip ttl <= 55
-ip ttl != 45-50;ok;ip ttl < 45 ip ttl > 50
+ip ttl 33-55;ok
+ip ttl != 45-50;ok
 ip ttl {43, 53, 45 };ok
 - ip ttl != {46, 56, 93 };ok
 # BUG: ip ttl != {46, 56, 93 };ok
@@ -75,8 +75,8 @@ ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip p
 ip checksum 13172 drop;ok
 ip checksum 22;ok
 ip checksum != 233;ok
-ip checksum 33-45;ok;ip checksum >= 33 ip checksum <= 45
-ip checksum != 33-45;ok;ip checksum < 33 ip checksum > 45
+ip checksum 33-45;ok
+ip checksum != 33-45;ok
 ip checksum { 33, 55, 67, 88};ok
 - ip checksum != { 33, 55, 67, 88};ok
 ip checksum { 33-55};ok
@@ -87,20 +87,20 @@ ip saddr != 192.168.2.0/24;ok
 ip saddr 192.168.3.1 ip daddr 192.168.3.100;ok
 ip saddr != 1.1.1.1 log prefix giuseppe;ok;ip saddr != 1.1.1.1 log prefix "giuseppe"
 ip saddr 1.1.1.1 log prefix example group 1;ok;ip saddr 1.1.1.1 log prefix "example" group 1
-ip daddr 192.168.0.1-192.168.0.250;ok;ip daddr >= 192.168.0.1 ip daddr <= 192.168.0.250
-ip daddr 10.0.0.0-10.255.255.255;ok;ip daddr >= 10.0.0.0 ip daddr <= 10.255.255.255
-ip daddr 172.16.0.0-172.31.255.255;ok;ip daddr >= 172.16.0.0 ip daddr <= 172.31.255.255
-ip daddr 192.168.3.1-192.168.4.250;ok;ip daddr >= 192.168.3.1 ip daddr <= 192.168.4.250
-ip daddr != 192.168.0.1-192.168.0.250;ok;ip daddr < 192.168.0.1 ip daddr > 192.168.0.250
+ip daddr 192.168.0.1-192.168.0.250;ok
+ip daddr 10.0.0.0-10.255.255.255;ok
+ip daddr 172.16.0.0-172.31.255.255;ok
+ip daddr 192.168.3.1-192.168.4.250;ok
+ip daddr != 192.168.0.1-192.168.0.250;ok
 ip daddr { 192.168.0.1-192.168.0.250};ok
 - ip daddr != { 192.168.0.1-192.168.0.250};ok
 ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
 - ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
 
-ip daddr 192.168.1.2-192.168.1.55;ok;ip daddr >= 192.168.1.2 ip daddr <= 192.168.1.55
-ip daddr != 192.168.1.2-192.168.1.55;ok;ip daddr < 192.168.1.2 ip daddr > 192.168.1.55
-ip saddr 192.168.1.3-192.168.33.55;ok;ip saddr >= 192.168.1.3 ip saddr <= 192.168.33.55
-ip saddr != 192.168.1.3-192.168.33.55;ok;ip saddr < 192.168.1.3 ip saddr > 192.168.33.55
+ip daddr 192.168.1.2-192.168.1.55;ok
+ip daddr != 192.168.1.2-192.168.1.55;ok
+ip saddr 192.168.1.3-192.168.33.55;ok
+ip saddr != 192.168.1.3-192.168.33.55;ok
 
 ip daddr 192.168.0.1;ok
 ip daddr 192.168.0.1 drop;ok
diff --git a/tests/regression/ip/masquerade.t b/tests/regression/ip/masquerade.t
index d0fe02d..35001f3 100644
--- a/tests/regression/ip/masquerade.t
+++ b/tests/regression/ip/masquerade.t
@@ -21,5 +21,5 @@ ip saddr 10.1.1.1 masquerade drop;fail
 
 # masquerade with sets
 tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade;ok
-ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade;ok;ip daddr >= 10.0.0.0 ip daddr <= 10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade
+ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade;ok
 iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade;ok
diff --git a/tests/regression/ip/nat.t b/tests/regression/ip/nat.t
index 5afe823..26c8cbf 100644
--- a/tests/regression/ip/nat.t
+++ b/tests/regression/ip/nat.t
@@ -4,15 +4,15 @@
 
 :output;type nat hook output priority 0
 
-iifname eth0 tcp dport 80-90 dnat 192.168.3.2;ok;iifname "eth0" tcp dport >= 80 tcp dport <= 90 dnat 192.168.3.2
-iifname eth0 tcp dport != 80-90 dnat 192.168.3.2;ok;iifname "eth0" tcp dport < 80 tcp dport > 90 dnat 192.168.3.2
-iifname eth0 tcp dport {80, 90, 23} dnat 192.168.3.2;ok
-- iifname eth0 tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+iifname "eth0" tcp dport 80-90 dnat 192.168.3.2;ok
+iifname "eth0" tcp dport != 80-90 dnat 192.168.3.2;ok
+iifname "eth0" tcp dport {80, 90, 23} dnat 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
 
-iifname eth0 tcp sport 23-34 snat 192.168.3.2;ok;iifname "eth0" tcp sport >= 23 tcp sport <= 34 snat 192.168.3.2
+iifname eth0 tcp sport 23-34 snat 192.168.3.2;ok
 
-- iifname eth0 tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
 # BUG: invalid expression type set
 # nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
 
-iifname eth0 tcp dport != 23-34 dnat 192.168.3.2;ok;iifname "eth0" tcp dport < 23 tcp dport > 34 dnat 192.168.3.2
+iifname "eth0" tcp dport != 23-34 dnat 192.168.3.2;ok
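Review bot: 'iifname eth0 tcp sport 23-34 snat 192.168.3.2;ok' keeps the unquoted interface name while dropping the expected output, whereas every other changed line in this hunk quotes the input as 'iifname "eth0"'. The removed expectation shows the listing prints the name quoted, so this line would still differ from its output; quote it like the others or keep an expected output.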
diff --git a/tests/regression/ip/redirect.t b/tests/regression/ip/redirect.t
index bbf440d..b7eecb7 100644
--- a/tests/regression/ip/redirect.t
+++ b/tests/regression/ip/redirect.t
@@ -41,5 +41,5 @@ ip saddr 10.1.1.1 redirect drop;fail
 
 # redirect with sets
 tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect;ok
-ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect;ok;ip daddr >= 10.0.0.0 ip daddr <= 10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect
+ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect;ok
 iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect;ok
diff --git a/tests/regression/ip6/dst.t b/tests/regression/ip6/dst.t
index 1b1bc52..3207af7 100644
--- a/tests/regression/ip6/dst.t
+++ b/tests/regression/ip6/dst.t
@@ -4,8 +4,8 @@
 
 dst nexthdr 22;ok
 dst nexthdr != 233;ok
-dst nexthdr 33-45;ok;dst nexthdr >= 33 dst nexthdr <= 45
-dst nexthdr != 33-45;ok;dst nexthdr < 33 dst nexthdr > 45
+dst nexthdr 33-45;ok
+dst nexthdr != 33-45;ok
 dst nexthdr { 33, 55, 67, 88};ok
 - dst nexthdr != { 33, 55, 67, 88};ok
 dst nexthdr { 33-55};ok
@@ -17,8 +17,8 @@ dst nexthdr != icmp;ok;dst nexthdr != 1
 
 dst hdrlength 22;ok
 dst hdrlength != 233;ok
-dst hdrlength 33-45;ok;dst hdrlength >= 33 dst hdrlength <= 45
-dst hdrlength != 33-45;ok;dst hdrlength < 33 dst hdrlength > 45
+dst hdrlength 33-45;ok
+dst hdrlength != 33-45;ok
 dst hdrlength { 33, 55, 67, 88};ok
 - dst hdrlength != { 33, 55, 67, 88};ok
 dst hdrlength { 33-55};ok
diff --git a/tests/regression/ip6/hbh.t b/tests/regression/ip6/hbh.t
index b274b8b..4e67c42 100644
--- a/tests/regression/ip6/hbh.t
+++ b/tests/regression/ip6/hbh.t
@@ -4,8 +4,8 @@
 
 hbh hdrlength 22;ok
 hbh hdrlength != 233;ok
-hbh hdrlength 33-45;ok;hbh hdrlength >= 33 hbh hdrlength <= 45
-hbh hdrlength != 33-45;ok;hbh hdrlength < 33 hbh hdrlength > 45
+hbh hdrlength 33-45;ok
+hbh hdrlength != 33-45;ok
 hbh hdrlength {33, 55, 67, 88};ok
 - hbh hdrlength != {33, 55, 67, 88};ok
 hbh hdrlength { 33-55};ok
@@ -15,8 +15,8 @@ hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthd
 - hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
 hbh nexthdr 22;ok
 hbh nexthdr != 233;ok
-hbh nexthdr 33-45;ok;hbh nexthdr >= 33 hbh nexthdr <= 45
-hbh nexthdr != 33-45;ok;hbh nexthdr < 33 hbh nexthdr > 45
+hbh nexthdr 33-45;ok
+hbh nexthdr != 33-45;ok
 hbh nexthdr {33, 55, 67, 88};ok
 - hbh nexthdr != {33, 55, 67, 88};ok
 hbh nexthdr { 33-55};ok
diff --git a/tests/regression/ip6/ip6.t b/tests/regression/ip6/ip6.t
index 243c789..529a068 100644
--- a/tests/regression/ip6/ip6.t
+++ b/tests/regression/ip6/ip6.t
@@ -29,8 +29,8 @@ ip6 flowlabel { 33-55};ok
 
 ip6 length 22;ok
 ip6 length != 233;ok
-ip6 length 33-45;ok;ip6 length >= 33 ip6 length <= 45
-ip6 length != 33-45;ok;ip6 length < 33 ip6 length > 45
+ip6 length 33-45;ok
+ip6 length != 33-45;ok
 - ip6 length { 33, 55, 67, 88};ok
 - ip6 length != {33, 55, 67, 88};ok
 ip6 length { 33-55};ok
@@ -43,13 +43,13 @@ ip6 nexthdr esp;ok;ip6 nexthdr 50
 ip6 nexthdr != esp;ok;ip6 nexthdr != 50
 ip6 nexthdr { 33-44};ok
 - p6 nexthdr != { 33-44};ok
-ip6 nexthdr 33-44;ok;ip6 nexthdr >= 33 ip6 nexthdr <= 44
-ip6 nexthdr != 33-44;ok;ip6 nexthdr < 33 ip6 nexthdr > 44
+ip6 nexthdr 33-44;ok
+ip6 nexthdr != 33-44;ok
 
 ip6 hoplimit 1 log;ok
 ip6 hoplimit != 233;ok
-ip6 hoplimit 33-45;ok;ip6 hoplimit >= 33 ip6 hoplimit <= 45
-ip6 hoplimit != 33-45;ok;ip6 hoplimit < 33 ip6 hoplimit > 45
+ip6 hoplimit 33-45;ok
+ip6 hoplimit != 33-45;ok
 ip6 hoplimit {33, 55, 67, 88};ok
 - ip6 hoplimit != {33, 55, 67, 88};ok
 ip6 hoplimit {33-55};ok
diff --git a/tests/regression/ip6/masquerade.t b/tests/regression/ip6/masquerade.t
index 817acd4..4e6c086 100644
--- a/tests/regression/ip6/masquerade.t
+++ b/tests/regression/ip6/masquerade.t
@@ -21,5 +21,5 @@ ip6 saddr ::1 masquerade drop;fail
 
 # masquerade with sets
 tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade;ok
-ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 masquerade;ok;ip6 daddr >= fe00::1 ip6 daddr <= fe00::200 udp dport 53 counter packets 0 bytes 0 masquerade
+ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 masquerade;ok
 iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade;ok
diff --git a/tests/regression/ip6/mh.t b/tests/regression/ip6/mh.t
index 4ff58a1..cd652b3 100644
--- a/tests/regression/ip6/mh.t
+++ b/tests/regression/ip6/mh.t
@@ -10,8 +10,8 @@ mh nexthdr icmp;ok;mh nexthdr 1
 mh nexthdr != icmp;ok;mh nexthdr != 1
 mh nexthdr 22;ok
 mh nexthdr != 233;ok
-mh nexthdr 33-45;ok;mh nexthdr >= 33 mh nexthdr <= 45
-mh nexthdr != 33-45;ok;mh nexthdr < 33 mh nexthdr > 45
+mh nexthdr 33-45;ok
+mh nexthdr != 33-45;ok
 mh nexthdr { 33, 55, 67, 88 };ok
 - mh nexthdr != { 33, 55, 67, 88 };ok
 mh nexthdr { 33-55 };ok
@@ -19,9 +19,9 @@ mh nexthdr { 33-55 };ok
 
 mh hdrlength 22;ok
 mh hdrlength != 233;ok
-mh hdrlength 33-45;ok;mh hdrlength >= 33 mh hdrlength <= 45
-mh hdrlength != 33-45;ok;mh hdrlength < 33 mh hdrlength > 45
-mh hdrlength { 33, 55, 67, 88 };ok;mh hdrlength { 67, 33, 88, 55}
+mh hdrlength 33-45;ok
+mh hdrlength != 33-45;ok
+mh hdrlength { 33, 55, 67, 88 };ok
 - mh hdrlength != { 33, 55, 67, 88 };ok
 mh hdrlength { 33-55 };ok
 - mh hdrlength != { 33-55 };ok
@@ -32,8 +32,8 @@ mh type != home-agent-switch-message;ok
 
 mh reserved 22;ok
 mh reserved != 233;ok
-mh reserved 33-45;ok;mh reserved >= 33 mh reserved <= 45
-mh reserved != 33-45;ok;mh reserved < 33 mh reserved > 45
+mh reserved 33-45;ok
+mh reserved != 33-45;ok
 mh reserved { 33, 55, 67, 88};ok
 - mh reserved != {33, 55, 67, 88};ok
 mh reserved { 33-55};ok
@@ -41,8 +41,8 @@ mh reserved { 33-55};ok
 
 mh checksum 22;ok
 mh checksum != 233;ok
-mh checksum 33-45;ok;mh checksum >= 33 mh checksum <= 45
-mh checksum != 33-45;ok;mh checksum < 33 mh checksum > 45
+mh checksum 33-45;ok
+mh checksum != 33-45;ok
 mh checksum { 33, 55, 67, 88};ok
 - mh checksum != { 33, 55, 67, 88};ok
 mh checksum { 33-55};ok
diff --git a/tests/regression/ip6/redirect.t b/tests/regression/ip6/redirect.t
index 730d733..31ffe8c 100644
--- a/tests/regression/ip6/redirect.t
+++ b/tests/regression/ip6/redirect.t
@@ -40,5 +40,5 @@ ip6 saddr ::1 redirect drop;fail
 
 # redirect with sets
 tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect;ok
-ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 redirect;ok;ip6 daddr >= fe00::1 ip6 daddr <= fe00::200 udp dport 53 counter packets 0 bytes 0 redirect
+ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 redirect;ok
 iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect;ok
diff --git a/tests/regression/ip6/rt.t b/tests/regression/ip6/rt.t
index 76579ba..eca47ca 100644
--- a/tests/regression/ip6/rt.t
+++ b/tests/regression/ip6/rt.t
@@ -10,8 +10,8 @@ rt nexthdr icmp;ok;rt nexthdr 1
 rt nexthdr != icmp;ok;rt nexthdr != 1
 rt nexthdr 22;ok
 rt nexthdr != 233;ok
-rt nexthdr 33-45;ok;rt nexthdr >= 33 rt nexthdr <= 45
-rt nexthdr != 33-45;ok;rt nexthdr < 33 rt nexthdr > 45
+rt nexthdr 33-45;ok
+rt nexthdr != 33-45;ok
 rt nexthdr { 33, 55, 67, 88};ok
 - rt nexthdr != { 33, 55, 67, 88};ok
 rt nexthdr { 33-55};ok;rt nexthdr { 33-55}
@@ -19,8 +19,8 @@ rt nexthdr { 33-55};ok;rt nexthdr { 33-55}
 
 rt hdrlength 22;ok
 rt hdrlength != 233;ok
-rt hdrlength 33-45;ok;rt hdrlength >= 33 rt hdrlength <= 45
-rt hdrlength != 33-45;ok;rt hdrlength < 33 rt hdrlength > 45
+rt hdrlength 33-45;ok
+rt hdrlength != 33-45;ok
 rt hdrlength { 33, 55, 67, 88};ok
 - rt hdrlength != { 33, 55, 67, 88};ok
 rt hdrlength { 33-55};ok
@@ -28,8 +28,8 @@ rt hdrlength { 33-55};ok
 
 rt type 22;ok
 rt type != 233;ok
-rt type 33-45;ok;rt type >= 33 rt type <= 45
-rt type != 33-45;ok;rt type < 33 rt type > 45
+rt type 33-45;ok
+rt type != 33-45;ok
 rt type { 33, 55, 67, 88};ok
 - rt type != { 33, 55, 67, 88};ok
 rt type { 33-55};ok
@@ -37,8 +37,8 @@ rt type { 33-55};ok
 
 rt seg-left 22;ok
 rt seg-left != 233;ok
-rt seg-left 33-45;ok;rt seg-left >= 33 rt seg-left <= 45
-rt seg-left != 33-45;ok;rt seg-left < 33 rt seg-left > 45
+rt seg-left 33-45;ok
+rt seg-left != 33-45;ok
 rt seg-left { 33, 55, 67, 88};ok
 - rt seg-left != { 33, 55, 67, 88};ok
 rt seg-left { 33-55};ok
-- 
1.7.10.4

