From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: [PATCH nft 0/4] restrict meta nfproto to inet family
Date: Fri, 16 Jun 2017 22:34:07 +0200
Message-ID: <20170616203411.16408-1-fw@strlen.de>

Pablo reports the following test case failure:

  any/ct.t: ERROR: line 94: src/nft add rule --debug=netlink ip6
  test-ip6 output meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed.

We can't find upper layer protocol in this case, but even if we'd
"fix" this it is still non-sensical, as

  meta nfproto ipv4

will never match except in the inet family and the
ip family (but in the latter case it will always match, so it
has no effect).

So, first step is to move this to an inet specific test to
get rid of the test case failure.

The followup changes then get rid of meta nfproto tests or
move them to inet-family-only tests.

The last patch makes nft reject 'meta nfproto' in all families
except inet, where this expression is needed in case one wants to
explicitly restrict a rule to only ipv4 or ipv6.

Thread overview: 7+ messages
2017-06-16 20:34 Florian Westphal [this message]
2017-06-16 20:34 ` [PATCH 1/4] tests: restrict ct saddr test to inet family Florian Westphal
2017-06-16 20:34 ` [PATCH 2/4] tests: remove two non-sensical rules Florian Westphal
2017-06-16 20:34 ` [PATCH 3/4] tests: restrict meta nfproto test cases to inet family Florian Westphal
2017-06-16 20:34 ` [PATCH 4/4] evaluate: reject meta nfproto outside of " Florian Westphal
2017-06-18 9:52 ` Pablo Neira Ayuso
2017-06-18 9:35 ` [PATCH nft 0/4] restrict meta nfproto to " Pablo Neira Ayuso