diff --git a/.gitignore b/.gitignore index 25d867d..73189d9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/nftables-0.6.tar.bz2 +SOURCES/nftables-0.8.tar.bz2 diff --git a/.nftables.metadata b/.nftables.metadata index 641ee93..769c19f 100644 --- a/.nftables.metadata +++ b/.nftables.metadata @@ -1 +1 @@ -c0f90a208e0ab5d43d3e638350a4fe58e6f4366f SOURCES/nftables-0.6.tar.bz2 +651c462e1eaa07303978208b7a29050bb4a6f441 SOURCES/nftables-0.8.tar.bz2 diff --git a/SOURCES/0001-src-fix-protocol-context-update-on-big-endian-system.patch b/SOURCES/0001-src-fix-protocol-context-update-on-big-endian-system.patch new file mode 100644 index 0000000..409ca4d --- /dev/null +++ b/SOURCES/0001-src-fix-protocol-context-update-on-big-endian-system.patch @@ -0,0 +1,208 @@ +From ae89c5b2865f77ac5e3f8e6c74c9b07296a1acdf Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 14 Dec 2017 14:17:27 +0100 +Subject: [PATCH] src: fix protocol context update on big-endian systems + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1523016 +Upstream Status: nftables commit a2c55e04d5a11 + +commit a2c55e04d5a1187914cba2c02810db94de499ace +Author: Phil Sutter +Date: Sat Dec 9 16:52:29 2017 +0100 + + src: fix protocol context update on big-endian systems + + There is an obscure bug on big-endian systems when trying to list a rule + containing the expression 'ct helper tftp' which triggers the assert() + call in mpz_get_type(). + + Florian identified the cause: ct_expr_pctx_update() is called for the + relational expression which calls mpz_get_uint32() to get RHS value + (assuming it is a protocol number). On big-endian systems, the + misinterpreted value exceeds UINT_MAX. + + Expressions' pctx_update() callback should only be called for protocol + matches, so ct_meta_common_postprocess() lacked a check for 'left->flags + & EXPR_F_PROTOCOL' like the one already present in + payload_expr_pctx_update(). + + In order to fix this in a clean way, this patch introduces a wrapper + relational_expr_pctx_update() to be used instead of directly calling + LHS's pctx_update() callback which unifies the necessary checks (and + adds one more assert): + + - assert(expr->ops->type == EXPR_RELATIONAL) + -> This is new, just to ensure the wrapper is called properly. + - assert(expr->op == OP_EQ) + -> This was moved from {ct,meta,payload}_expr_pctx_update(). + - left->ops->pctx_update != NULL + -> This was taken from expr_evaluate_relational(), a necessary + requirement for the introduced wrapper to function at all. + - (left->flags & EXPR_F_PROTOCOL) != 0 + -> The crucial missing check which led to the problem. + + Suggested-by: Florian Westphal + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal +--- + include/expression.h | 3 +++ + src/ct.c | 2 -- + src/evaluate.c | 6 ++---- + src/expression.c | 13 +++++++++++++ + src/meta.c | 2 -- + src/netlink.c | 2 +- + src/netlink_delinearize.c | 4 ++-- + src/payload.c | 7 +------ + 8 files changed, 22 insertions(+), 17 deletions(-) + +diff --git a/include/expression.h b/include/expression.h +index 215cbc9..915ce0b 100644 +--- a/include/expression.h ++++ b/include/expression.h +@@ -369,6 +369,9 @@ extern struct expr *binop_expr_alloc(const struct location *loc, enum ops op, + extern struct expr *relational_expr_alloc(const struct location *loc, enum ops op, + struct expr *left, struct expr *right); + ++extern void relational_expr_pctx_update(struct proto_ctx *ctx, ++ const struct expr *expr); ++ + extern struct expr *verdict_expr_alloc(const struct location *loc, + int verdict, const char *chain); + +diff --git a/src/ct.c b/src/ct.c +index 58b873e..8ab32e9 100644 +--- a/src/ct.c ++++ b/src/ct.c +@@ -327,8 +327,6 @@ static void ct_expr_pctx_update(struct proto_ctx *ctx, const struct expr *expr) + const struct proto_desc *base = NULL, *desc; + uint32_t nhproto; + +- assert(expr->op == OP_EQ); +- + nhproto = mpz_get_uint32(right->value); + + base = ctx->protocol[left->ct.base].desc; +diff --git a/src/evaluate.c b/src/evaluate.c +index 618e188..f16bb33 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -743,7 +743,7 @@ static int ct_gen_nh_dependency(struct eval_ctx *ctx, struct expr *ct) + constant_data_ptr(ct->ct.nfproto, left->len)); + dep = relational_expr_alloc(&ct->location, OP_EQ, left, right); + +- left->ops->pctx_update(&ctx->pctx, dep); ++ relational_expr_pctx_update(&ctx->pctx, dep); + + nstmt = expr_stmt_alloc(&dep->location, dep); + +@@ -1632,9 +1632,7 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) + * Update protocol context for payload and meta iiftype + * equality expressions. + */ +- if (left->flags & EXPR_F_PROTOCOL && +- left->ops->pctx_update) +- left->ops->pctx_update(&ctx->pctx, rel); ++ relational_expr_pctx_update(&ctx->pctx, rel); + + if (left->ops->type == EXPR_CONCAT) + return 0; +diff --git a/src/expression.c b/src/expression.c +index fc1097a..f8b560c 100644 +--- a/src/expression.c ++++ b/src/expression.c +@@ -600,6 +600,19 @@ struct expr *relational_expr_alloc(const struct location *loc, enum ops op, + return expr; + } + ++void relational_expr_pctx_update(struct proto_ctx *ctx, ++ const struct expr *expr) ++{ ++ const struct expr *left = expr->left; ++ ++ assert(expr->ops->type == EXPR_RELATIONAL); ++ assert(expr->op == OP_EQ); ++ ++ if (left->ops->pctx_update && ++ (left->flags & EXPR_F_PROTOCOL)) ++ left->ops->pctx_update(ctx, expr); ++} ++ + static void range_expr_print(const struct expr *expr, struct output_ctx *octx) + { + octx->numeric += NUMERIC_ALL + 1; +diff --git a/src/meta.c b/src/meta.c +index 56b9e29..3c31174 100644 +--- a/src/meta.c ++++ b/src/meta.c +@@ -482,8 +482,6 @@ static void meta_expr_pctx_update(struct proto_ctx *ctx, + const struct proto_desc *desc; + uint8_t protonum; + +- assert(expr->op == OP_EQ); +- + switch (left->meta.key) { + case NFT_META_IIFTYPE: + if (h->base < PROTO_BASE_NETWORK_HDR && +diff --git a/src/netlink.c b/src/netlink.c +index d5d410a..5d6f5ce 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -2729,7 +2729,7 @@ restart: + list_add_tail(&stmt->list, &unordered); + + desc = ctx->protocol[base].desc; +- lhs->ops->pctx_update(ctx, rel); ++ relational_expr_pctx_update(ctx, rel); + } + + expr_free(rhs); +diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c +index 4432887..11fd330 100644 +--- a/src/netlink_delinearize.c ++++ b/src/netlink_delinearize.c +@@ -1329,7 +1329,7 @@ static void payload_match_expand(struct rule_pp_ctx *ctx, + nexpr = relational_expr_alloc(&expr->location, expr->op, + left, tmp); + if (expr->op == OP_EQ) +- left->ops->pctx_update(&ctx->pctx, nexpr); ++ relational_expr_pctx_update(&ctx->pctx, nexpr); + + nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr); + list_add_tail(&nstmt->list, &ctx->stmt->list); +@@ -1397,7 +1397,7 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx, + if (expr->right->ops->type == EXPR_RANGE) + break; + +- expr->left->ops->pctx_update(&ctx->pctx, expr); ++ relational_expr_pctx_update(&ctx->pctx, expr); + + if (ctx->pdctx.pbase == PROTO_BASE_INVALID && + left->flags & EXPR_F_PROTOCOL) { +diff --git a/src/payload.c b/src/payload.c +index aa8a95a..60090ac 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -84,11 +84,6 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx, + const struct proto_desc *base, *desc; + unsigned int proto = 0; + +- if (!(left->flags & EXPR_F_PROTOCOL)) +- return; +- +- assert(expr->op == OP_EQ); +- + /* Export the data in the correct byte order */ + assert(right->len / BITS_PER_BYTE <= sizeof(proto)); + mpz_export_data(constant_data_ptr(proto, right->len), right->value, +@@ -240,7 +235,7 @@ static int payload_add_dependency(struct eval_ctx *ctx, + return expr_error(ctx->msgs, expr, + "dependency statement is invalid"); + } +- left->ops->pctx_update(&ctx->pctx, dep); ++ relational_expr_pctx_update(&ctx->pctx, dep); + *res = stmt; + return 0; + } +-- +1.8.3.1 + diff --git a/SOURCES/0001-src-use-new-range-expression-for-a-b-intervals.patch b/SOURCES/0001-src-use-new-range-expression-for-a-b-intervals.patch deleted file mode 100644 index 794b03e..0000000 --- a/SOURCES/0001-src-use-new-range-expression-for-a-b-intervals.patch +++ /dev/null @@ -1,2446 +0,0 @@ -From 0c88dfebed17ad23e25e53740872a2c825c68e9d Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 24 Feb 2017 17:01:36 +0100 -Subject: [PATCH] src: use new range expression for != [a,b] intervals - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1358705 -Upstream Status: nftables commit 3ed932917cc74 -Conflicts: -* Context change in nf_tables.h due to missing inverted lookup matching - support. -* Adjusted test case changes to missing commit 82dfc87c85f00 ("datatype: - time_type should send milliseconds to userspace"). - -commit 3ed932917cc744b489bd2706a55a1778b0b50c0e -Author: Pablo Neira Ayuso -Date: Tue Sep 20 19:25:25 2016 +0200 - - src: use new range expression for != [a,b] intervals - - Use new range expression in the kernel to fix wrong bytecode generation. - This patch also adjust tests so we don't hit problems there. - - Signed-off-by: Pablo Neira Ayuso ---- - include/linux/netfilter/nf_tables.h | 29 +++++++++++++++++++++ - src/netlink_delinearize.c | 45 +++++++++++++++++++++++++++++++++ - src/netlink_linearize.c | 46 ++++++++++++++++------------------ - tests/py/any/ct.t.payload | 6 ++--- - tests/py/any/meta.t.payload | 18 +++++-------- - tests/py/arp/arp.t.payload | 9 +++---- - tests/py/arp/arp.t.payload.netdev | 9 +++---- - tests/py/inet/ah.t.payload.inet | 12 +++------ - tests/py/inet/ah.t.payload.ip | 12 +++------ - tests/py/inet/ah.t.payload.ip6 | 12 +++------ - tests/py/inet/ah.t.payload.netdev | 12 +++------ - tests/py/inet/comp.t.payload.inet | 6 ++--- - tests/py/inet/comp.t.payload.ip | 6 ++--- - tests/py/inet/comp.t.payload.ip6 | 6 ++--- - tests/py/inet/comp.t.payload.netdev | 6 ++--- - tests/py/inet/dccp.t.payload.inet | 3 +-- - tests/py/inet/dccp.t.payload.ip | 3 +-- - tests/py/inet/dccp.t.payload.ip6 | 3 +-- - tests/py/inet/dccp.t.payload.netdev | 3 +-- - tests/py/inet/esp.t.payload.inet | 6 ++--- - tests/py/inet/esp.t.payload.ip | 6 ++--- - tests/py/inet/esp.t.payload.ip6 | 6 ++--- - tests/py/inet/esp.t.payload.netdev | 6 ++--- - tests/py/inet/sctp.t.payload.inet | 12 +++------ - tests/py/inet/sctp.t.payload.ip | 12 +++------ - tests/py/inet/sctp.t.payload.ip6 | 12 +++------ - tests/py/inet/sctp.t.payload.netdev | 12 +++------ - tests/py/inet/tcp.t.payload.inet | 21 ++++++---------- - tests/py/inet/tcp.t.payload.ip | 21 ++++++---------- - tests/py/inet/tcp.t.payload.ip6 | 21 ++++++---------- - tests/py/inet/tcp.t.payload.netdev | 21 ++++++---------- - tests/py/inet/udp.t.payload.inet | 12 +++------ - tests/py/inet/udp.t.payload.ip | 12 +++------ - tests/py/inet/udp.t.payload.ip6 | 12 +++------ - tests/py/inet/udp.t.payload.netdev | 12 +++------ - tests/py/inet/udplite.t.payload.inet | 9 +++---- - tests/py/inet/udplite.t.payload.ip | 9 +++---- - tests/py/inet/udplite.t.payload.ip6 | 9 +++---- - tests/py/inet/udplite.t.payload.netdev | 9 +++---- - tests/py/ip/dnat.t.payload.ip | 6 ++--- - tests/py/ip/icmp.t.payload.ip | 18 +++++-------- - tests/py/ip/ip.t.payload | 24 ++++++------------ - tests/py/ip/ip.t.payload.inet | 24 ++++++------------ - tests/py/ip/ip.t.payload.netdev | 24 ++++++------------ - tests/py/ip/snat.t.payload | 6 ++--- - tests/py/ip6/dst.t.payload.inet | 6 ++--- - tests/py/ip6/dst.t.payload.ip6 | 6 ++--- - tests/py/ip6/frag.t.payload.inet | 9 +++---- - tests/py/ip6/frag.t.payload.ip6 | 9 +++---- - tests/py/ip6/hbh.t.payload.inet | 6 ++--- - tests/py/ip6/hbh.t.payload.ip6 | 6 ++--- - tests/py/ip6/icmpv6.t.payload.ip6 | 9 +++---- - tests/py/ip6/ip6.t.payload.inet | 12 +++------ - tests/py/ip6/ip6.t.payload.ip6 | 12 +++------ - tests/py/ip6/mh.t.payload.inet | 12 +++------ - tests/py/ip6/mh.t.payload.ip6 | 12 +++------ - tests/py/ip6/rt.t.payload.inet | 12 +++------ - tests/py/ip6/rt.t.payload.ip6 | 12 +++------ - 58 files changed, 292 insertions(+), 419 deletions(-) - -diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h -index eeffde1..0df2ccc 100644 ---- a/include/linux/netfilter/nf_tables.h -+++ b/include/linux/netfilter/nf_tables.h -@@ -542,6 +542,35 @@ enum nft_cmp_attributes { - #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) - - /** -+ * enum nft_range_ops - nf_tables range operator -+ * -+ * @NFT_RANGE_EQ: equal -+ * @NFT_RANGE_NEQ: not equal -+ */ -+enum nft_range_ops { -+ NFT_RANGE_EQ, -+ NFT_RANGE_NEQ, -+}; -+ -+/** -+ * enum nft_range_attributes - nf_tables range expression netlink attributes -+ * -+ * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers) -+ * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_cmp_ops) -+ * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes) -+ * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes) -+ */ -+enum nft_range_attributes { -+ NFTA_RANGE_UNSPEC, -+ NFTA_RANGE_SREG, -+ NFTA_RANGE_OP, -+ NFTA_RANGE_FROM_DATA, -+ NFTA_RANGE_TO_DATA, -+ __NFTA_RANGE_MAX -+}; -+#define NFTA_RANGE_MAX (__NFTA_RANGE_MAX - 1) -+ -+/** - * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes - * - * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING) -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 9e26078..c3f0773 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -193,6 +193,46 @@ static void netlink_parse_immediate(struct netlink_parse_ctx *ctx, - netlink_set_register(ctx, dreg, expr); - } - -+static enum ops netlink_parse_range_op(const struct nftnl_expr *nle) -+{ -+ switch (nftnl_expr_get_u32(nle, NFTNL_EXPR_RANGE_OP)) { -+ case NFT_RANGE_EQ: -+ return OP_EQ; -+ case NFT_RANGE_NEQ: -+ return OP_NEQ; -+ default: -+ return OP_INVALID; -+ } -+} -+ -+static void netlink_parse_range(struct netlink_parse_ctx *ctx, -+ const struct location *loc, -+ const struct nftnl_expr *nle) -+{ -+ struct expr *expr, *left, *right, *from, *to; -+ struct nft_data_delinearize nld; -+ enum nft_registers sreg; -+ enum ops op; -+ -+ sreg = netlink_parse_register(nle, NFTNL_EXPR_RANGE_SREG); -+ left = netlink_get_register(ctx, loc, sreg); -+ if (left == NULL) -+ return netlink_error(ctx, loc, -+ "Relational expression has no left hand side"); -+ -+ op = netlink_parse_range_op(nle); -+ -+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_RANGE_FROM_DATA, &nld.len); -+ from = netlink_alloc_value(loc, &nld); -+ -+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_RANGE_TO_DATA, &nld.len); -+ to = netlink_alloc_value(loc, &nld); -+ -+ right = range_expr_alloc(loc, from, to); -+ expr = relational_expr_alloc(loc, op, left, right); -+ ctx->stmt = expr_stmt_alloc(loc, expr); -+} -+ - static enum ops netlink_parse_cmp_op(const struct nftnl_expr *nle) - { - switch (nftnl_expr_get_u32(nle, NFTNL_EXPR_CMP_OP)) { -@@ -986,6 +1026,7 @@ static const struct { - { .name = "counter", .parse = netlink_parse_counter }, - { .name = "log", .parse = netlink_parse_log }, - { .name = "limit", .parse = netlink_parse_limit }, -+ { .name = "range", .parse = netlink_parse_range }, - { .name = "reject", .parse = netlink_parse_reject }, - { .name = "nat", .parse = netlink_parse_nat }, - { .name = "masq", .parse = netlink_parse_masq }, -@@ -1303,6 +1344,10 @@ static void binop_adjust(struct expr *expr, unsigned int shift) - } - } - break; -+ case EXPR_RANGE: -+ binop_adjust_one(binop, right->left, shift); -+ binop_adjust_one(binop, right->right, shift); -+ break; - default: - BUG("unknown expression type %s\n", expr->ops->name); - break; -diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c -index 98c22d8..ffc3f57 100644 ---- a/src/netlink_linearize.c -+++ b/src/netlink_linearize.c -@@ -334,45 +334,41 @@ static void netlink_gen_range(struct netlink_linearize_ctx *ctx, - sreg = get_register(ctx, expr->left); - netlink_gen_expr(ctx, expr->left, sreg); - -- nle = alloc_nft_expr("cmp"); -- netlink_put_register(nle, NFTNL_EXPR_CMP_SREG, sreg); - switch (expr->op) { - case OP_NEQ: -- nftnl_expr_set_u32(nle, NFTNL_EXPR_CMP_OP, -- netlink_gen_cmp_op(OP_LT)); -+ nle = alloc_nft_expr("range"); -+ netlink_put_register(nle, NFTNL_EXPR_RANGE_SREG, sreg); -+ nftnl_expr_set_u32(nle, NFTNL_EXPR_RANGE_OP, NFT_RANGE_NEQ); -+ netlink_gen_data(range->left, &nld); -+ nftnl_expr_set(nle, NFTNL_EXPR_RANGE_FROM_DATA, -+ nld.value, nld.len); -+ netlink_gen_data(range->right, &nld); -+ nftnl_expr_set(nle, NFTNL_EXPR_RANGE_TO_DATA, -+ nld.value, nld.len); -+ nftnl_rule_add_expr(ctx->nlr, nle); - break; - case OP_RANGE: - case OP_EQ: -+ nle = alloc_nft_expr("cmp"); -+ netlink_put_register(nle, NFTNL_EXPR_CMP_SREG, sreg); - nftnl_expr_set_u32(nle, NFTNL_EXPR_CMP_OP, - netlink_gen_cmp_op(OP_GTE)); -- break; -- default: -- BUG("invalid range operation %u\n", expr->op); -- } -- -- netlink_gen_data(range->left, &nld); -- nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len); -- nftnl_rule_add_expr(ctx->nlr, nle); -+ netlink_gen_data(range->left, &nld); -+ nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len); -+ nftnl_rule_add_expr(ctx->nlr, nle); - -- nle = alloc_nft_expr("cmp"); -- netlink_put_register(nle, NFTNL_EXPR_CMP_SREG, sreg); -- switch (expr->op) { -- case OP_NEQ: -- nftnl_expr_set_u32(nle, NFTNL_EXPR_CMP_OP, -- netlink_gen_cmp_op(OP_GT)); -- break; -- case OP_RANGE: -- case OP_EQ: -+ nle = alloc_nft_expr("cmp"); -+ netlink_put_register(nle, NFTNL_EXPR_CMP_SREG, sreg); - nftnl_expr_set_u32(nle, NFTNL_EXPR_CMP_OP, - netlink_gen_cmp_op(OP_LTE)); -+ netlink_gen_data(range->right, &nld); -+ nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len); -+ nftnl_rule_add_expr(ctx->nlr, nle); - break; - default: - BUG("invalid range operation %u\n", expr->op); -- } - -- netlink_gen_data(range->right, &nld); -- nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len); -- nftnl_rule_add_expr(ctx->nlr, nle); -+ } - - release_register(ctx, expr->left); - } -diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload -index 7ed3338..26bcf26 100644 ---- a/tests/py/any/ct.t.payload -+++ b/tests/py/any/ct.t.payload -@@ -155,8 +155,7 @@ ip test-ip4 output - ip test-ip4 output - [ ct load mark => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ cmp lt reg 1 0x32000000 ] -- [ cmp gt reg 1 0x45000000 ] -+ [ range neq reg 1 0x32000000 0x45000000 ] - - # ct mark {0x32, 0x2222, 0x42de3} - __set%d test-ip4 3 -@@ -221,8 +220,7 @@ ip test-ip4 output - ip test-ip4 output - [ ct load expiration => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # ct expiration {33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload -index d584873..00a2f20 100644 ---- a/tests/py/any/meta.t.payload -+++ b/tests/py/any/meta.t.payload -@@ -24,8 +24,7 @@ ip test-ip4 input - ip test-ip4 input - [ meta load len => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # meta length { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -119,8 +118,7 @@ ip test-ip4 input - ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 2, 1) ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # meta l4proto { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -391,8 +389,7 @@ ip test-ip4 input - ip test-ip4 input - [ meta load skuid => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ cmp lt reg 1 0xd1070000 ] -- [ cmp gt reg 1 0xd5070000 ] -+ [ range neq reg 1 0xd1070000 0xd5070000 ] - [ immediate reg 0 accept ] - - # meta skuid { 2001-2005} accept -@@ -456,8 +453,7 @@ ip test-ip4 input - ip test-ip4 input - [ meta load skgid => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ cmp lt reg 1 0xd1070000 ] -- [ cmp gt reg 1 0xd5070000 ] -+ [ range neq reg 1 0xd1070000 0xd5070000 ] - [ immediate reg 0 accept ] - - # meta skgid { 2001-2005} accept -@@ -601,8 +597,7 @@ ip test-ip4 input - ip test-ip4 input - [ meta load cpu => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ cmp lt reg 1 0x01000000 ] -- [ cmp gt reg 1 0x02000000 ] -+ [ range neq reg 1 0x01000000 0x02000000 ] - - # meta cpu { 2,3} - __set%d test-ip4 3 -@@ -740,8 +735,7 @@ ip test-ip4 input - ip test-ip4 input - [ meta load cgroup => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ cmp lt reg 1 0x01001000 ] -- [ cmp gt reg 1 0x02001000 ] -+ [ range neq reg 1 0x01001000 0x02001000 ] - - # meta cgroup {1048577-1048578} - __set%d test-ip4 7 -diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload -index 31c3024..5b8f8d5 100644 ---- a/tests/py/arp/arp.t.payload -+++ b/tests/py/arp/arp.t.payload -@@ -27,8 +27,7 @@ arp test-arp input - # arp htype != 33-45 - arp test-arp input - [ payload load 2b @ network header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # arp htype { 33, 55, 67, 88} - __set%d test-arp 3 -@@ -70,8 +69,7 @@ arp test-arp input - # arp hlen != 33-45 - arp test-arp input - [ payload load 1b @ network header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # arp hlen { 33, 55, 67, 88} - __set%d test-arp 3 -@@ -108,8 +106,7 @@ arp test-arp input - # arp plen != 33-45 - arp test-arp input - [ payload load 1b @ network header + 5 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # arp plen { 33, 55, 67, 88} - __set%d test-arp 3 -diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev -index a64ebea..5188ed7 100644 ---- a/tests/py/arp/arp.t.payload.netdev -+++ b/tests/py/arp/arp.t.payload.netdev -@@ -39,8 +39,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 2b @ network header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # arp htype { 33, 55, 67, 88} - __set%d test-netdev 3 -@@ -96,8 +95,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # arp hlen { 33, 55, 67, 88} - __set%d test-netdev 3 -@@ -146,8 +144,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 5 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # arp plen { 33, 55, 67, 88} - __set%d test-netdev 3 -diff --git a/tests/py/inet/ah.t.payload.inet b/tests/py/inet/ah.t.payload.inet -index 739386a..1e56797 100644 ---- a/tests/py/inet/ah.t.payload.inet -+++ b/tests/py/inet/ah.t.payload.inet -@@ -11,8 +11,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x0000000b ] -- [ cmp gt reg 1 0x00000017 ] -+ [ range neq reg 1 0x0000000b 0x00000017 ] - - # ah hdrlength { 11-23} - __set%d test-inet 7 -@@ -61,8 +60,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ah reserved {23, 100} - __set%d test-inet 3 -@@ -111,8 +109,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x6f000000 ] -- [ cmp gt reg 1 0xde000000 ] -+ [ range neq reg 1 0x6f000000 0xde000000 ] - - # ah spi {111, 122} - __set%d test-inet 3 -@@ -181,6 +178,5 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x17000000 ] -- [ cmp gt reg 1 0x21000000 ] -+ [ range neq reg 1 0x17000000 0x21000000 ] - -diff --git a/tests/py/inet/ah.t.payload.ip b/tests/py/inet/ah.t.payload.ip -index b989948..5ad0041 100644 ---- a/tests/py/inet/ah.t.payload.ip -+++ b/tests/py/inet/ah.t.payload.ip -@@ -11,8 +11,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x0000000b ] -- [ cmp gt reg 1 0x00000017 ] -+ [ range neq reg 1 0x0000000b 0x00000017 ] - - # ah hdrlength { 11-23} - __set%d test-ip4 7 -@@ -61,8 +60,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ah reserved {23, 100} - __set%d test-ip4 3 -@@ -111,8 +109,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x6f000000 ] -- [ cmp gt reg 1 0xde000000 ] -+ [ range neq reg 1 0x6f000000 0xde000000 ] - - # ah spi {111, 122} - __set%d test-ip4 3 -@@ -181,6 +178,5 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x17000000 ] -- [ cmp gt reg 1 0x21000000 ] -+ [ range neq reg 1 0x17000000 0x21000000 ] - -diff --git a/tests/py/inet/ah.t.payload.ip6 b/tests/py/inet/ah.t.payload.ip6 -index 95eae66..c57a28a 100644 ---- a/tests/py/inet/ah.t.payload.ip6 -+++ b/tests/py/inet/ah.t.payload.ip6 -@@ -11,8 +11,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x0000000b ] -- [ cmp gt reg 1 0x00000017 ] -+ [ range neq reg 1 0x0000000b 0x00000017 ] - - # ah hdrlength { 11-23} - __set%d test-ip6 7 -@@ -61,8 +60,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ah reserved {23, 100} - __set%d test-ip6 3 -@@ -111,8 +109,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x6f000000 ] -- [ cmp gt reg 1 0xde000000 ] -+ [ range neq reg 1 0x6f000000 0xde000000 ] - - # ah spi {111, 122} - __set%d test-ip6 3 -@@ -181,6 +178,5 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x17000000 ] -- [ cmp gt reg 1 0x21000000 ] -+ [ range neq reg 1 0x17000000 0x21000000 ] - -diff --git a/tests/py/inet/ah.t.payload.netdev b/tests/py/inet/ah.t.payload.netdev -index 55eea13..e06811d 100644 ---- a/tests/py/inet/ah.t.payload.netdev -+++ b/tests/py/inet/ah.t.payload.netdev -@@ -11,8 +11,7 @@ netdev test-netdev ingress - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x0000000b ] -- [ cmp gt reg 1 0x00000017 ] -+ [ range neq reg 1 0x0000000b 0x00000017 ] - - # ah hdrlength { 11-23} - __set%d test-netdev 7 -@@ -61,8 +60,7 @@ netdev test-netdev ingress - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ah reserved {23, 100} - __set%d test-netdev 3 -@@ -111,8 +109,7 @@ netdev test-netdev ingress - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x6f000000 ] -- [ cmp gt reg 1 0xde000000 ] -+ [ range neq reg 1 0x6f000000 0xde000000 ] - - # ah spi {111, 122} - __set%d test-netdev 3 -@@ -181,6 +178,5 @@ netdev test-netdev ingress - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x17000000 ] -- [ cmp gt reg 1 0x21000000 ] -+ [ range neq reg 1 0x17000000 0x21000000 ] - -diff --git a/tests/py/inet/comp.t.payload.inet b/tests/py/inet/comp.t.payload.inet -index eff32b7..cdeba2b 100644 ---- a/tests/py/inet/comp.t.payload.inet -+++ b/tests/py/inet/comp.t.payload.inet -@@ -32,8 +32,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000033 ] -- [ cmp gt reg 1 0x00000045 ] -+ [ range neq reg 1 0x00000033 0x00000045 ] - - # comp flags {0x33, 0x55, 0x67, 0x88} - __set%d test-inet 3 -@@ -82,8 +81,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # comp cpi {33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/inet/comp.t.payload.ip b/tests/py/inet/comp.t.payload.ip -index b2a8ab4..9da8f94 100644 ---- a/tests/py/inet/comp.t.payload.ip -+++ b/tests/py/inet/comp.t.payload.ip -@@ -32,8 +32,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000033 ] -- [ cmp gt reg 1 0x00000045 ] -+ [ range neq reg 1 0x00000033 0x00000045 ] - - # comp flags {0x33, 0x55, 0x67, 0x88} - __set%d test-ip4 3 -@@ -82,8 +81,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # comp cpi {33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/inet/comp.t.payload.ip6 b/tests/py/inet/comp.t.payload.ip6 -index f179998..69a13ed 100644 ---- a/tests/py/inet/comp.t.payload.ip6 -+++ b/tests/py/inet/comp.t.payload.ip6 -@@ -32,8 +32,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000033 ] -- [ cmp gt reg 1 0x00000045 ] -+ [ range neq reg 1 0x00000033 0x00000045 ] - - # comp flags {0x33, 0x55, 0x67, 0x88} - __set%d test-ip6 3 -@@ -82,8 +81,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # comp cpi {33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/inet/comp.t.payload.netdev b/tests/py/inet/comp.t.payload.netdev -index eff32b7..cdeba2b 100644 ---- a/tests/py/inet/comp.t.payload.netdev -+++ b/tests/py/inet/comp.t.payload.netdev -@@ -32,8 +32,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000033 ] -- [ cmp gt reg 1 0x00000045 ] -+ [ range neq reg 1 0x00000033 0x00000045 ] - - # comp flags {0x33, 0x55, 0x67, 0x88} - __set%d test-inet 3 -@@ -82,8 +81,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # comp cpi {33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/inet/dccp.t.payload.inet b/tests/py/inet/dccp.t.payload.inet -index f5aacf6..ccba6d0 100644 ---- a/tests/py/inet/dccp.t.payload.inet -+++ b/tests/py/inet/dccp.t.payload.inet -@@ -11,8 +11,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00001500 ] -- [ cmp gt reg 1 0x00002300 ] -+ [ range neq reg 1 0x00001500 0x00002300 ] - - # dccp sport {23, 24, 25} - __set%d test-inet 3 -diff --git a/tests/py/inet/dccp.t.payload.ip b/tests/py/inet/dccp.t.payload.ip -index bda8dfd..a02247f 100644 ---- a/tests/py/inet/dccp.t.payload.ip -+++ b/tests/py/inet/dccp.t.payload.ip -@@ -11,8 +11,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00001500 ] -- [ cmp gt reg 1 0x00002300 ] -+ [ range neq reg 1 0x00001500 0x00002300 ] - - # dccp sport {23, 24, 25} - __set%d test-ip4 3 -diff --git a/tests/py/inet/dccp.t.payload.ip6 b/tests/py/inet/dccp.t.payload.ip6 -index f78f983..c81a3a0 100644 ---- a/tests/py/inet/dccp.t.payload.ip6 -+++ b/tests/py/inet/dccp.t.payload.ip6 -@@ -11,8 +11,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00001500 ] -- [ cmp gt reg 1 0x00002300 ] -+ [ range neq reg 1 0x00001500 0x00002300 ] - - # dccp sport {23, 24, 25} - __set%d test-ip4 3 -diff --git a/tests/py/inet/dccp.t.payload.netdev b/tests/py/inet/dccp.t.payload.netdev -index abed6b2..abb1fb9 100644 ---- a/tests/py/inet/dccp.t.payload.netdev -+++ b/tests/py/inet/dccp.t.payload.netdev -@@ -11,8 +11,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00001500 ] -- [ cmp gt reg 1 0x00002300 ] -+ [ range neq reg 1 0x00001500 0x00002300 ] - - # dccp sport {23, 24, 25} - __set%d test-inet 3 -diff --git a/tests/py/inet/esp.t.payload.inet b/tests/py/inet/esp.t.payload.inet -index 5f3a0da..d41f766 100644 ---- a/tests/py/inet/esp.t.payload.inet -+++ b/tests/py/inet/esp.t.payload.inet -@@ -25,8 +25,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x6f000000 ] -- [ cmp gt reg 1 0xde000000 ] -+ [ range neq reg 1 0x6f000000 0xde000000 ] - - # esp spi { 100, 102} - __set%d test-inet 3 -@@ -68,8 +67,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x16000000 ] -- [ cmp gt reg 1 0x18000000 ] -+ [ range neq reg 1 0x16000000 0x18000000 ] - - # esp sequence { 22, 24} - __set%d test-inet 3 -diff --git a/tests/py/inet/esp.t.payload.ip b/tests/py/inet/esp.t.payload.ip -index cf52678..5de41ae 100644 ---- a/tests/py/inet/esp.t.payload.ip -+++ b/tests/py/inet/esp.t.payload.ip -@@ -25,8 +25,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x6f000000 ] -- [ cmp gt reg 1 0xde000000 ] -+ [ range neq reg 1 0x6f000000 0xde000000 ] - - # esp spi { 100, 102} - __set%d test-ip4 3 -@@ -68,8 +67,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x16000000 ] -- [ cmp gt reg 1 0x18000000 ] -+ [ range neq reg 1 0x16000000 0x18000000 ] - - # esp sequence { 22, 24} - __set%d test-ip4 3 -diff --git a/tests/py/inet/esp.t.payload.ip6 b/tests/py/inet/esp.t.payload.ip6 -index 982412d..0bc2e70 100644 ---- a/tests/py/inet/esp.t.payload.ip6 -+++ b/tests/py/inet/esp.t.payload.ip6 -@@ -25,8 +25,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x6f000000 ] -- [ cmp gt reg 1 0xde000000 ] -+ [ range neq reg 1 0x6f000000 0xde000000 ] - - # esp spi { 100, 102} - __set%d test-ip6 3 -@@ -68,8 +67,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x16000000 ] -- [ cmp gt reg 1 0x18000000 ] -+ [ range neq reg 1 0x16000000 0x18000000 ] - - # esp sequence { 22, 24} - __set%d test-ip6 3 -diff --git a/tests/py/inet/esp.t.payload.netdev b/tests/py/inet/esp.t.payload.netdev -index 5f3a0da..d41f766 100644 ---- a/tests/py/inet/esp.t.payload.netdev -+++ b/tests/py/inet/esp.t.payload.netdev -@@ -25,8 +25,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x6f000000 ] -- [ cmp gt reg 1 0xde000000 ] -+ [ range neq reg 1 0x6f000000 0xde000000 ] - - # esp spi { 100, 102} - __set%d test-inet 3 -@@ -68,8 +67,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x16000000 ] -- [ cmp gt reg 1 0x18000000 ] -+ [ range neq reg 1 0x16000000 0x18000000 ] - - # esp sequence { 22, 24} - __set%d test-inet 3 -diff --git a/tests/py/inet/sctp.t.payload.inet b/tests/py/inet/sctp.t.payload.inet -index 9c68a8c..bc7fe7c 100644 ---- a/tests/py/inet/sctp.t.payload.inet -+++ b/tests/py/inet/sctp.t.payload.inet -@@ -25,8 +25,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002c00 ] -+ [ range neq reg 1 0x00001700 0x00002c00 ] - - # sctp sport { 23, 24, 25} - __set%d test-inet 3 -@@ -75,8 +74,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002c00 ] -+ [ range neq reg 1 0x00001700 0x00002c00 ] - - # sctp dport { 23, 24, 25} - __set%d test-inet 3 -@@ -125,8 +123,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x20000000 ] -- [ cmp gt reg 1 0x6f000000 ] -+ [ range neq reg 1 0x20000000 0x6f000000 ] - - # sctp checksum { 22, 33, 44} - __set%d test-inet 3 -@@ -175,8 +172,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # sctp vtag {33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/inet/sctp.t.payload.ip b/tests/py/inet/sctp.t.payload.ip -index 6e07a4c..fa6ea43 100644 ---- a/tests/py/inet/sctp.t.payload.ip -+++ b/tests/py/inet/sctp.t.payload.ip -@@ -25,8 +25,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002c00 ] -+ [ range neq reg 1 0x00001700 0x00002c00 ] - - # sctp sport { 23, 24, 25} - __set%d test-ip4 3 -@@ -75,8 +74,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002c00 ] -+ [ range neq reg 1 0x00001700 0x00002c00 ] - - # sctp dport { 23, 24, 25} - __set%d test-ip4 3 -@@ -125,8 +123,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x20000000 ] -- [ cmp gt reg 1 0x6f000000 ] -+ [ range neq reg 1 0x20000000 0x6f000000 ] - - # sctp checksum { 22, 33, 44} - __set%d test-ip4 3 -@@ -175,8 +172,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # sctp vtag {33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/inet/sctp.t.payload.ip6 b/tests/py/inet/sctp.t.payload.ip6 -index 579609b..5d11369 100644 ---- a/tests/py/inet/sctp.t.payload.ip6 -+++ b/tests/py/inet/sctp.t.payload.ip6 -@@ -25,8 +25,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002c00 ] -+ [ range neq reg 1 0x00001700 0x00002c00 ] - - # sctp sport { 23, 24, 25} - __set%d test-ip6 3 -@@ -75,8 +74,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002c00 ] -+ [ range neq reg 1 0x00001700 0x00002c00 ] - - # sctp dport { 23, 24, 25} - __set%d test-ip6 3 -@@ -125,8 +123,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x20000000 ] -- [ cmp gt reg 1 0x6f000000 ] -+ [ range neq reg 1 0x20000000 0x6f000000 ] - - # sctp checksum { 22, 33, 44} - __set%d test-ip6 3 -@@ -175,8 +172,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # sctp vtag {33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/inet/sctp.t.payload.netdev b/tests/py/inet/sctp.t.payload.netdev -index 9c68a8c..bc7fe7c 100644 ---- a/tests/py/inet/sctp.t.payload.netdev -+++ b/tests/py/inet/sctp.t.payload.netdev -@@ -25,8 +25,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002c00 ] -+ [ range neq reg 1 0x00001700 0x00002c00 ] - - # sctp sport { 23, 24, 25} - __set%d test-inet 3 -@@ -75,8 +74,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002c00 ] -+ [ range neq reg 1 0x00001700 0x00002c00 ] - - # sctp dport { 23, 24, 25} - __set%d test-inet 3 -@@ -125,8 +123,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x20000000 ] -- [ cmp gt reg 1 0x6f000000 ] -+ [ range neq reg 1 0x20000000 0x6f000000 ] - - # sctp checksum { 22, 33, 44} - __set%d test-inet 3 -@@ -175,8 +172,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # sctp vtag {33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/inet/tcp.t.payload.inet b/tests/py/inet/tcp.t.payload.inet -index 9c3fbbf..354d013 100644 ---- a/tests/py/inet/tcp.t.payload.inet -+++ b/tests/py/inet/tcp.t.payload.inet -@@ -25,8 +25,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp dport { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -116,8 +115,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp sport { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -217,8 +215,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # tcp sequence { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -275,8 +272,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # tcp ackseq { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -358,8 +354,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp window { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -408,8 +403,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp checksum { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -466,8 +460,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp urgptr { 33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/inet/tcp.t.payload.ip b/tests/py/inet/tcp.t.payload.ip -index 75cbe70..d70a176 100644 ---- a/tests/py/inet/tcp.t.payload.ip -+++ b/tests/py/inet/tcp.t.payload.ip -@@ -25,8 +25,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp dport { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -116,8 +115,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp sport { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -217,8 +215,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # tcp sequence { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -275,8 +272,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # tcp ackseq { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -358,8 +354,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp window { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -408,8 +403,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp checksum { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -466,8 +460,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp urgptr { 33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/inet/tcp.t.payload.ip6 b/tests/py/inet/tcp.t.payload.ip6 -index f65f9b8..4e9c413 100644 ---- a/tests/py/inet/tcp.t.payload.ip6 -+++ b/tests/py/inet/tcp.t.payload.ip6 -@@ -25,8 +25,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp dport { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -116,8 +115,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp sport { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -217,8 +215,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # tcp sequence { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -275,8 +272,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # tcp ackseq { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -358,8 +354,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp window { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -408,8 +403,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp checksum { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -466,8 +460,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp urgptr { 33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/inet/tcp.t.payload.netdev b/tests/py/inet/tcp.t.payload.netdev -index a554d07..854f4bb 100644 ---- a/tests/py/inet/tcp.t.payload.netdev -+++ b/tests/py/inet/tcp.t.payload.netdev -@@ -25,8 +25,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp dport { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -116,8 +115,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp sport { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -217,8 +215,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # tcp sequence { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -275,8 +272,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # tcp ackseq { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -358,8 +354,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp window { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -416,8 +411,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp checksum { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -474,8 +468,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # tcp urgptr { 33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/inet/udp.t.payload.inet b/tests/py/inet/udp.t.payload.inet -index 4ca9904..057b912 100644 ---- a/tests/py/inet/udp.t.payload.inet -+++ b/tests/py/inet/udp.t.payload.inet -@@ -28,8 +28,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udp sport { 49, 50} drop -@@ -83,8 +82,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udp dport { 49, 50} drop -@@ -137,8 +135,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00004100 ] -+ [ range neq reg 1 0x00003200 0x00004100 ] - [ immediate reg 0 accept ] - - # udp length { 50, 65} accept -@@ -197,8 +194,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # udp checksum { 33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/inet/udp.t.payload.ip b/tests/py/inet/udp.t.payload.ip -index 56b6051..5fd279d 100644 ---- a/tests/py/inet/udp.t.payload.ip -+++ b/tests/py/inet/udp.t.payload.ip -@@ -28,8 +28,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udp sport { 49, 50} drop -@@ -83,8 +82,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udp dport { 49, 50} drop -@@ -137,8 +135,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00004100 ] -+ [ range neq reg 1 0x00003200 0x00004100 ] - [ immediate reg 0 accept ] - - # udp length { 50, 65} accept -@@ -197,8 +194,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # udp checksum { 33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/inet/udp.t.payload.ip6 b/tests/py/inet/udp.t.payload.ip6 -index 1f1df66..a7d12c8 100644 ---- a/tests/py/inet/udp.t.payload.ip6 -+++ b/tests/py/inet/udp.t.payload.ip6 -@@ -28,8 +28,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udp sport { 49, 50} drop -@@ -83,8 +82,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udp dport { 49, 50} drop -@@ -137,8 +135,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00004100 ] -+ [ range neq reg 1 0x00003200 0x00004100 ] - [ immediate reg 0 accept ] - - # udp length { 50, 65} accept -@@ -197,8 +194,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # udp checksum { 33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/inet/udp.t.payload.netdev b/tests/py/inet/udp.t.payload.netdev -index 4ca9904..057b912 100644 ---- a/tests/py/inet/udp.t.payload.netdev -+++ b/tests/py/inet/udp.t.payload.netdev -@@ -28,8 +28,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udp sport { 49, 50} drop -@@ -83,8 +82,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udp dport { 49, 50} drop -@@ -137,8 +135,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00004100 ] -+ [ range neq reg 1 0x00003200 0x00004100 ] - [ immediate reg 0 accept ] - - # udp length { 50, 65} accept -@@ -197,8 +194,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # udp checksum { 33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/inet/udplite.t.payload.inet b/tests/py/inet/udplite.t.payload.inet -index 034c62d..ad2c970 100644 ---- a/tests/py/inet/udplite.t.payload.inet -+++ b/tests/py/inet/udplite.t.payload.inet -@@ -28,8 +28,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udplite sport { 49, 50} drop -@@ -83,8 +82,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udplite dport { 49, 50} drop -@@ -144,8 +142,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # udplite checksum { 33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/inet/udplite.t.payload.ip b/tests/py/inet/udplite.t.payload.ip -index 3da9e53..8321c23 100644 ---- a/tests/py/inet/udplite.t.payload.ip -+++ b/tests/py/inet/udplite.t.payload.ip -@@ -28,8 +28,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udplite sport { 49, 50} drop -@@ -83,8 +82,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udplite dport { 49, 50} drop -@@ -144,8 +142,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # udplite checksum { 33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/inet/udplite.t.payload.ip6 b/tests/py/inet/udplite.t.payload.ip6 -index 205ea21..dce215d 100644 ---- a/tests/py/inet/udplite.t.payload.ip6 -+++ b/tests/py/inet/udplite.t.payload.ip6 -@@ -28,8 +28,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udplite sport { 49, 50} drop -@@ -83,8 +82,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udplite dport { 49, 50} drop -@@ -144,8 +142,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # udplite checksum { 33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/inet/udplite.t.payload.netdev b/tests/py/inet/udplite.t.payload.netdev -index 034c62d..ad2c970 100644 ---- a/tests/py/inet/udplite.t.payload.netdev -+++ b/tests/py/inet/udplite.t.payload.netdev -@@ -28,8 +28,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udplite sport { 49, 50} drop -@@ -83,8 +82,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00003200 ] -- [ cmp gt reg 1 0x00003c00 ] -+ [ range neq reg 1 0x00003200 0x00003c00 ] - [ immediate reg 0 accept ] - - # udplite dport { 49, 50} drop -@@ -144,8 +142,7 @@ inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # udplite checksum { 33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip -index bf972c6..c951f7c 100644 ---- a/tests/py/ip/dnat.t.payload.ip -+++ b/tests/py/ip/dnat.t.payload.ip -@@ -17,8 +17,7 @@ ip test-ip4 prerouting - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00005000 ] -- [ cmp gt reg 1 0x00005a00 ] -+ [ range neq reg 1 0x00005000 0x00005a00 ] - [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] - -@@ -43,8 +42,7 @@ ip test-ip4 prerouting - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002200 ] -+ [ range neq reg 1 0x00001700 0x00002200 ] - [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] - -diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip -index 32f2685..c7df75d 100644 ---- a/tests/py/ip/icmp.t.payload.ip -+++ b/tests/py/ip/icmp.t.payload.ip -@@ -142,8 +142,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x00000037 ] -+ [ range neq reg 1 0x00000021 0x00000037 ] - - # icmp code { 33-55} - __set%d test-ip4 7 -@@ -195,8 +194,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00000b00 ] -- [ cmp gt reg 1 0x00005701 ] -+ [ range neq reg 1 0x00000b00 0x00005701 ] - [ immediate reg 0 accept ] - - # icmp checksum { 11-343} accept -@@ -256,8 +254,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # icmp id { 33-55} - __set%d test-ip4 7 -@@ -306,8 +303,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # icmp sequence { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -381,8 +377,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # icmp mtu { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -431,8 +426,7 @@ ip test-ip4 input - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # icmp gateway { 33, 55, 67, 88} - __set%d test-ip4 3 -diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload -index 3bd3358..9ce5527 100644 ---- a/tests/py/ip/ip.t.payload -+++ b/tests/py/ip/ip.t.payload -@@ -50,8 +50,7 @@ ip test-ip4 input - # ip length != 333-453 - ip test-ip4 input - [ payload load 2b @ network header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00004d01 ] -- [ cmp gt reg 1 0x0000c501 ] -+ [ range neq reg 1 0x00004d01 0x0000c501 ] - - # ip length { 333, 553, 673, 838} - __set%d test-ip4 3 -@@ -88,8 +87,7 @@ ip test-ip4 input - # ip id != 33-45 - ip test-ip4 input - [ payload load 2b @ network header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip id { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -127,8 +125,7 @@ ip test-ip4 input - # ip frag-off != 33-45 - ip test-ip4 input - [ payload load 2b @ network header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip frag-off { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -166,8 +163,7 @@ ip test-ip4 input - # ip ttl != 45-50 - ip test-ip4 input - [ payload load 1b @ network header + 8 => reg 1 ] -- [ cmp lt reg 1 0x0000002d ] -- [ cmp gt reg 1 0x00000032 ] -+ [ range neq reg 1 0x0000002d 0x00000032 ] - - # ip ttl {43, 53, 45 } - __set%d test-ip4 3 -@@ -229,8 +225,7 @@ ip test-ip4 input - # ip checksum != 33-45 - ip test-ip4 input - [ payload load 2b @ network header + 10 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip checksum { 33, 55, 67, 88} - __set%d test-ip4 3 -@@ -302,8 +297,7 @@ ip test-ip4 input - # ip daddr != 192.168.0.1-192.168.0.250 - ip test-ip4 input - [ payload load 4b @ network header + 16 => reg 1 ] -- [ cmp lt reg 1 0x0100a8c0 ] -- [ cmp gt reg 1 0xfa00a8c0 ] -+ [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] - - # ip daddr { 192.168.0.1-192.168.0.250} - __set%d test-ip4 7 -@@ -331,8 +325,7 @@ ip test-ip4 input - # ip daddr != 192.168.1.2-192.168.1.55 - ip test-ip4 input - [ payload load 4b @ network header + 16 => reg 1 ] -- [ cmp lt reg 1 0x0201a8c0 ] -- [ cmp gt reg 1 0x3701a8c0 ] -+ [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] - - # ip saddr 192.168.1.3-192.168.33.55 - ip test-ip4 input -@@ -343,8 +336,7 @@ ip test-ip4 input - # ip saddr != 192.168.1.3-192.168.33.55 - ip test-ip4 input - [ payload load 4b @ network header + 12 => reg 1 ] -- [ cmp lt reg 1 0x0301a8c0 ] -- [ cmp gt reg 1 0x3721a8c0 ] -+ [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] - - # ip daddr 192.168.0.1 - ip test-ip4 input -diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet -index ef4692e..cf41eb2 100644 ---- a/tests/py/ip/ip.t.payload.inet -+++ b/tests/py/ip/ip.t.payload.inet -@@ -68,8 +68,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00004d01 ] -- [ cmp gt reg 1 0x0000c501 ] -+ [ range neq reg 1 0x00004d01 0x0000c501 ] - - # ip length { 333, 553, 673, 838} - __set%d test-inet 3 -@@ -118,8 +117,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip id { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -169,8 +167,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip frag-off { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -220,8 +217,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ network header + 8 => reg 1 ] -- [ cmp lt reg 1 0x0000002d ] -- [ cmp gt reg 1 0x00000032 ] -+ [ range neq reg 1 0x0000002d 0x00000032 ] - - # ip ttl {43, 53, 45 } - __set%d test-inet 3 -@@ -303,8 +299,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 10 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip checksum { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -400,8 +395,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 16 => reg 1 ] -- [ cmp lt reg 1 0x0100a8c0 ] -- [ cmp gt reg 1 0xfa00a8c0 ] -+ [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] - - # ip daddr { 192.168.0.1-192.168.0.250} - __set%d test-inet 7 -@@ -437,8 +431,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 16 => reg 1 ] -- [ cmp lt reg 1 0x0201a8c0 ] -- [ cmp gt reg 1 0x3701a8c0 ] -+ [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] - - # ip saddr 192.168.1.3-192.168.33.55 - inet test-inet input -@@ -453,8 +446,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 12 => reg 1 ] -- [ cmp lt reg 1 0x0301a8c0 ] -- [ cmp gt reg 1 0x3721a8c0 ] -+ [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] - - # ip daddr 192.168.0.1 - inet test-inet input -diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev -index 4feaa27..ae2a74b 100644 ---- a/tests/py/ip/ip.t.payload.netdev -+++ b/tests/py/ip/ip.t.payload.netdev -@@ -25,8 +25,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00004d01 ] -- [ cmp gt reg 1 0x0000c501 ] -+ [ range neq reg 1 0x00004d01 0x0000c501 ] - - # ip length { 333, 553, 673, 838} - __set%d test-netdev 3 -@@ -75,8 +74,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip id { 33, 55, 67, 88} - __set%d test-netdev 3 -@@ -126,8 +124,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip frag-off { 33, 55, 67, 88} - __set%d test-netdev 3 -@@ -170,8 +167,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] -- [ cmp lt reg 1 0x0000002d ] -- [ cmp gt reg 1 0x00000032 ] -+ [ range neq reg 1 0x0000002d 0x00000032 ] - - # ip ttl {43, 53, 45 } - __set%d test-netdev 3 -@@ -239,8 +235,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip checksum { 33, 55, 67, 88} - __set%d test-netdev 3 -@@ -329,8 +324,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] -- [ cmp lt reg 1 0x0100a8c0 ] -- [ cmp gt reg 1 0xfa00a8c0 ] -+ [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] - - # ip daddr { 192.168.0.1-192.168.0.250} - __set%d test-netdev 7 -@@ -366,8 +360,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] -- [ cmp lt reg 1 0x0201a8c0 ] -- [ cmp gt reg 1 0x3701a8c0 ] -+ [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] - - # ip saddr 192.168.1.3-192.168.33.55 - netdev test-netdev ingress -@@ -382,8 +375,7 @@ netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 12 => reg 1 ] -- [ cmp lt reg 1 0x0301a8c0 ] -- [ cmp gt reg 1 0x3721a8c0 ] -+ [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] - - # ip daddr 192.168.0.1 - netdev test-netdev ingress -diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload -index cbea641..40a2f4c 100644 ---- a/tests/py/ip/snat.t.payload -+++ b/tests/py/ip/snat.t.payload -@@ -17,8 +17,7 @@ ip test-ip4 postrouting - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00005000 ] -- [ cmp gt reg 1 0x00005a00 ] -+ [ range neq reg 1 0x00005000 0x00005a00 ] - [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] - -@@ -43,8 +42,7 @@ ip test-ip4 postrouting - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] -- [ cmp lt reg 1 0x00001700 ] -- [ cmp gt reg 1 0x00002200 ] -+ [ range neq reg 1 0x00001700 0x00002200 ] - [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] - -diff --git a/tests/py/ip6/dst.t.payload.inet b/tests/py/ip6/dst.t.payload.inet -index 15914d9..62d1c5a 100644 ---- a/tests/py/ip6/dst.t.payload.inet -+++ b/tests/py/ip6/dst.t.payload.inet -@@ -25,8 +25,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 60 + 0 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # dst nexthdr { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -99,8 +98,7 @@ ip6 test-ip6 input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 60 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # dst hdrlength { 33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/ip6/dst.t.payload.ip6 b/tests/py/ip6/dst.t.payload.ip6 -index 3f6c8e1..c022c7f 100644 ---- a/tests/py/ip6/dst.t.payload.ip6 -+++ b/tests/py/ip6/dst.t.payload.ip6 -@@ -17,8 +17,7 @@ ip6 test-ip6 input - # dst nexthdr != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 60 + 0 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # dst nexthdr { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -73,8 +72,7 @@ ip6 test-ip6 input - # dst hdrlength != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 60 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # dst hdrlength { 33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet -index 387dbd6..bf57eca 100644 ---- a/tests/py/ip6/frag.t.payload.inet -+++ b/tests/py/ip6/frag.t.payload.inet -@@ -63,8 +63,7 @@ inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 44 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # frag reserved { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -117,8 +116,7 @@ inet test-inet output - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] -- [ cmp lt reg 1 0x00000801 ] -- [ cmp gt reg 1 0x00006801 ] -+ [ range neq reg 1 0x00000801 0x00006801 ] - - # frag frag-off { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -184,8 +182,7 @@ inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 4b @ 44 + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # frag id { 33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6 -index 1f27975..aa27005 100644 ---- a/tests/py/ip6/frag.t.payload.ip6 -+++ b/tests/py/ip6/frag.t.payload.ip6 -@@ -45,8 +45,7 @@ ip6 test-ip6 output - # frag reserved != 33-45 - ip6 test-ip6 output - [ exthdr load 1b @ 44 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # frag reserved { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -87,8 +86,7 @@ ip6 test-ip6 output - ip6 test-ip6 output - [ exthdr load 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] -- [ cmp lt reg 1 0x00000801 ] -- [ cmp gt reg 1 0x00006801 ] -+ [ range neq reg 1 0x00000801 0x00006801 ] - - # frag frag-off { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -138,8 +136,7 @@ ip6 test-ip6 output - # frag id != 33-45 - ip6 test-ip6 output - [ exthdr load 4b @ 44 + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # frag id { 33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/ip6/hbh.t.payload.inet b/tests/py/ip6/hbh.t.payload.inet -index 5fcd2fd..7e0d079 100644 ---- a/tests/py/ip6/hbh.t.payload.inet -+++ b/tests/py/ip6/hbh.t.payload.inet -@@ -25,8 +25,7 @@ inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 0 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # hbh hdrlength {33, 55, 67, 88} - __set%d test-inet 3 -@@ -85,8 +84,7 @@ inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 0 + 0 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # hbh nexthdr {33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/ip6/hbh.t.payload.ip6 b/tests/py/ip6/hbh.t.payload.ip6 -index a2b4633..783fc6a 100644 ---- a/tests/py/ip6/hbh.t.payload.ip6 -+++ b/tests/py/ip6/hbh.t.payload.ip6 -@@ -17,8 +17,7 @@ ip6 test-ip6 filter-input - # hbh hdrlength != 33-45 - ip6 test-ip6 filter-input - [ exthdr load 1b @ 0 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # hbh hdrlength {33, 55, 67, 88} - __set%d test-ip6 3 -@@ -63,8 +62,7 @@ ip6 test-ip6 filter-input - # hbh nexthdr != 33-45 - ip6 test-ip6 filter-input - [ exthdr load 1b @ 0 + 0 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # hbh nexthdr {33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 -index 4b6f541..822db2d 100644 ---- a/tests/py/ip6/icmpv6.t.payload.ip6 -+++ b/tests/py/ip6/icmpv6.t.payload.ip6 -@@ -266,8 +266,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 4b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x21000000 ] -- [ cmp gt reg 1 0x2d000000 ] -+ [ range neq reg 1 0x21000000 0x2d000000 ] - - # icmpv6 mtu {33, 55, 67, 88} - __set%d test-ip6 3 -@@ -302,8 +301,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # icmpv6 id {33, 55, 67, 88} - __set%d test-ip6 3 -@@ -366,8 +364,7 @@ ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00000200 ] -- [ cmp gt reg 1 0x00000400 ] -+ [ range neq reg 1 0x00000200 0x00000400 ] - - # icmpv6 sequence { 2-4} - __set%d test-ip6 7 -diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet -index c29c5a3..f52376c 100644 ---- a/tests/py/ip6/ip6.t.payload.inet -+++ b/tests/py/ip6/ip6.t.payload.inet -@@ -106,8 +106,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 2b @ network header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip6 length { 33-55} - __set%d test-inet 7 -@@ -176,8 +175,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002c ] -+ [ range neq reg 1 0x00000021 0x0000002c ] - - # ip6 hoplimit 1 - inet test-inet input -@@ -206,8 +204,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 7 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # ip6 hoplimit {33, 55, 67, 88} - __set%d test-inet 3 -@@ -510,6 +507,5 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 16b @ network header + 24 => reg 1 ] -- [ cmp lt reg 1 0x34120000 0x34123412 0x34123412 0x34123412 ] -- [ cmp gt reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ] -+ [ range neq reg 1 0x34120000 0x34123412 0x34123412 0x34123412 0x34123412 0x34120000 0x34123412 0x34123412 ] - -diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6 -index c249923..e5eef5b 100644 ---- a/tests/py/ip6/ip6.t.payload.ip6 -+++ b/tests/py/ip6/ip6.t.payload.ip6 -@@ -80,8 +80,7 @@ ip6 test-ip6 input - # ip6 length != 33-45 - ip6 test-ip6 input - [ payload load 2b @ network header + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # ip6 length { 33-55} - __set%d test-ip6 7 -@@ -134,8 +133,7 @@ ip6 test-ip6 input - # ip6 nexthdr != 33-44 - ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002c ] -+ [ range neq reg 1 0x00000021 0x0000002c ] - - # ip6 hoplimit 1 - ip6 test-ip6 input -@@ -156,8 +154,7 @@ ip6 test-ip6 input - # ip6 hoplimit != 33-45 - ip6 test-ip6 input - [ payload load 1b @ network header + 7 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # ip6 hoplimit {33, 55, 67, 88} - __set%d test-ip6 3 -@@ -376,6 +373,5 @@ ip6 test-ip6 input - # ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234 - ip6 test-ip6 input - [ payload load 16b @ network header + 24 => reg 1 ] -- [ cmp lt reg 1 0x34120000 0x34123412 0x34123412 0x34123412 ] -- [ cmp gt reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ] -+ [ range neq reg 1 0x34120000 0x34123412 0x34123412 0x34123412 0x34123412 0x34120000 0x34123412 0x34123412 ] - -diff --git a/tests/py/ip6/mh.t.payload.inet b/tests/py/ip6/mh.t.payload.inet -index 5d06566..471af09 100644 ---- a/tests/py/ip6/mh.t.payload.inet -+++ b/tests/py/ip6/mh.t.payload.inet -@@ -63,8 +63,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 135 + 0 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # mh nexthdr { 33, 55, 67, 88 } - __set%d test-inet 3 -@@ -113,8 +112,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 135 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # mh hdrlength { 33, 55, 67, 88 } - __set%d test-inet 3 -@@ -187,8 +185,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 135 + 3 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # mh reserved { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -237,8 +234,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 2b @ 135 + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # mh checksum { 33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/ip6/mh.t.payload.ip6 b/tests/py/ip6/mh.t.payload.ip6 -index d5366a5..7a9aa35 100644 ---- a/tests/py/ip6/mh.t.payload.ip6 -+++ b/tests/py/ip6/mh.t.payload.ip6 -@@ -45,8 +45,7 @@ ip6 test-ip6 input - # mh nexthdr != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 135 + 0 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # mh nexthdr { 33, 55, 67, 88 } - __set%d test-ip6 3 -@@ -83,8 +82,7 @@ ip6 test-ip6 input - # mh hdrlength != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 135 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # mh hdrlength { 33, 55, 67, 88 } - __set%d test-ip6 3 -@@ -139,8 +137,7 @@ ip6 test-ip6 input - # mh reserved != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 135 + 3 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # mh reserved { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -177,8 +174,7 @@ ip6 test-ip6 input - # mh checksum != 33-45 - ip6 test-ip6 input - [ exthdr load 2b @ 135 + 4 => reg 1 ] -- [ cmp lt reg 1 0x00002100 ] -- [ cmp gt reg 1 0x00002d00 ] -+ [ range neq reg 1 0x00002100 0x00002d00 ] - - # mh checksum { 33, 55, 67, 88} - __set%d test-ip6 3 -diff --git a/tests/py/ip6/rt.t.payload.inet b/tests/py/ip6/rt.t.payload.inet -index 7d644fb..30e29a5 100644 ---- a/tests/py/ip6/rt.t.payload.inet -+++ b/tests/py/ip6/rt.t.payload.inet -@@ -63,8 +63,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 43 + 0 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # rt nexthdr { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -113,8 +112,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 43 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # rt hdrlength { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -163,8 +161,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 43 + 2 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # rt type { 33, 55, 67, 88} - __set%d test-inet 3 -@@ -213,8 +210,7 @@ inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load 1b @ 43 + 3 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # rt seg-left { 33, 55, 67, 88} - __set%d test-inet 3 -diff --git a/tests/py/ip6/rt.t.payload.ip6 b/tests/py/ip6/rt.t.payload.ip6 -index 3245725..b96980b 100644 ---- a/tests/py/ip6/rt.t.payload.ip6 -+++ b/tests/py/ip6/rt.t.payload.ip6 -@@ -45,8 +45,7 @@ ip6 test-ip6 input - # rt nexthdr != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 43 + 0 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # rt nexthdr { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -83,8 +82,7 @@ ip6 test-ip6 input - # rt hdrlength != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 43 + 1 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # rt hdrlength { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -121,8 +119,7 @@ ip6 test-ip6 input - # rt type != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 43 + 2 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # rt type { 33, 55, 67, 88} - __set%d test-ip6 3 -@@ -159,8 +156,7 @@ ip6 test-ip6 input - # rt seg-left != 33-45 - ip6 test-ip6 input - [ exthdr load 1b @ 43 + 3 => reg 1 ] -- [ cmp lt reg 1 0x00000021 ] -- [ cmp gt reg 1 0x0000002d ] -+ [ range neq reg 1 0x00000021 0x0000002d ] - - # rt seg-left { 33, 55, 67, 88} - __set%d test-ip6 3 --- -1.8.3.1 - diff --git a/SOURCES/0002-netlink_delinearize-Avoid-potential-null-pointer-der.patch b/SOURCES/0002-netlink_delinearize-Avoid-potential-null-pointer-der.patch deleted file mode 100644 index a8035cd..0000000 --- a/SOURCES/0002-netlink_delinearize-Avoid-potential-null-pointer-der.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 8180301a3aad23ccd2f81ddb8007efe8bef67892 Mon Sep 17 00:00:00 2001 -From: Timothy Redaelli -Date: Fri, 24 Feb 2017 11:35:32 +0100 -Subject: [PATCH] netlink_delinearize: Avoid potential null pointer deref - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360257 -Upstream Status: nftables commit d975ab4 -Conflicts: Skipped a chunk due to missing commit - 34523621 ("src: add hash expression") - -commit d975ab412c33ddce2c39e0e86f87085d13b1aeca -Author: Pablo Neira Ayuso -Date: Mon Sep 5 18:52:43 2016 +0200 - - netlink_delinearize: Avoid potential null pointer deref - - Phil Sutter says: - - As netlink_get_register() may return NULL, we must not pass the returned - data unchecked to expr_set_type() as that will dereference it. Since the - parser has failed at that point anyway, by returning early we can skip - the useless statement allocation that follows in - netlink_parse_ct_stmt(). - - Signed-off-by: Pablo Neira Ayuso - Acked-by: Phil Sutter - -Signed-off-by: Timothy Redaelli ---- - src/netlink_delinearize.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index c3f0773..505516c 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -475,6 +475,10 @@ static void netlink_parse_payload_stmt(struct netlink_parse_ctx *ctx, - - sreg = netlink_parse_register(nle, NFT_EXPR_PAYLOAD_SREG); - val = netlink_get_register(ctx, loc, sreg); -+ if (val == NULL) -+ return netlink_error(ctx, loc, -+ "payload statement has no expression"); -+ - stmt = payload_stmt_alloc(loc, expr, val); - - list_add_tail(&stmt->list, &ctx->rule->stmts); -@@ -536,6 +540,9 @@ static void netlink_parse_meta_stmt(struct netlink_parse_ctx *ctx, - - sreg = netlink_parse_register(nle, NFTNL_EXPR_META_SREG); - expr = netlink_get_register(ctx, loc, sreg); -+ if (expr == NULL) -+ return netlink_error(ctx, loc, -+ "meta statement has no expression"); - - key = nftnl_expr_get_u32(nle, NFTNL_EXPR_META_KEY); - stmt = meta_stmt_alloc(loc, key, expr); -@@ -565,6 +572,9 @@ static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx, - - sreg = netlink_parse_register(nle, NFTNL_EXPR_CT_SREG); - expr = netlink_get_register(ctx, loc, sreg); -+ if (expr == NULL) -+ return netlink_error(ctx, loc, -+ "ct statement has no expression"); - - key = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY); - stmt = ct_stmt_alloc(loc, key, expr); --- -1.8.3.1 - diff --git a/SOURCES/0002-netlink_linearize-exthdr-op-must-be-u32.patch b/SOURCES/0002-netlink_linearize-exthdr-op-must-be-u32.patch new file mode 100644 index 0000000..72caf4c --- /dev/null +++ b/SOURCES/0002-netlink_linearize-exthdr-op-must-be-u32.patch @@ -0,0 +1,48 @@ +From d0d83585f7f6a74ac02338a37c6860cd2f26b33b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 14 Dec 2017 14:18:17 +0100 +Subject: [PATCH] netlink_linearize: exthdr op must be u32 + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1524246 +Upstream Status: nftables commit 80f5d7fd66895 + +commit 80f5d7fd66895c651c9d1e35b2353f3020ffb538 +Author: Florian Westphal +Date: Mon Dec 11 10:06:55 2017 +0100 + + netlink_linearize: exthdr op must be u32 + + libnftnl casts this to u32. Broke exthdr expressions on bigendian. + + Reported-by: Li Shuang + Signed-off-by: Florian Westphal + Acked-by: Pablo Neira Ayuso +--- + src/netlink_linearize.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c +index fb2d250..a268dcc 100644 +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -178,7 +178,7 @@ static void netlink_gen_exthdr(struct netlink_linearize_ctx *ctx, + nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE); + nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN, + div_round_up(expr->len, BITS_PER_BYTE)); +- nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op); ++ nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op); + nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_FLAGS, expr->exthdr.flags); + nftnl_rule_add_expr(ctx->nlr, nle); + } +@@ -839,7 +839,7 @@ static void netlink_gen_exthdr_stmt(struct netlink_linearize_ctx *ctx, + nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE); + nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN, + div_round_up(expr->len, BITS_PER_BYTE)); +- nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op); ++ nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op); + nftnl_rule_add_expr(ctx->nlr, nle); + } + +-- +1.8.3.1 + diff --git a/SOURCES/0003-evaluate-Fix-datalen-checks-in-expr_evaluate_string.patch b/SOURCES/0003-evaluate-Fix-datalen-checks-in-expr_evaluate_string.patch deleted file mode 100644 index 51a7eb9..0000000 --- a/SOURCES/0003-evaluate-Fix-datalen-checks-in-expr_evaluate_string.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 19c9a7bfb73f33f50675f31f3664556105a50086 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 28 Feb 2017 18:14:53 +0100 -Subject: [PATCH] evaluate: Fix datalen checks in expr_evaluate_string() - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360240 -Upstream Status: nftables commit 7a5b4c505e4d4 - -commit 7a5b4c505e4d460239ac8a36b4fbccf222cd6134 -Author: Phil Sutter -Date: Tue Aug 30 19:39:49 2016 +0200 - - evaluate: Fix datalen checks in expr_evaluate_string() - - I have been told that the flex scanner won't return empty strings, so - strlen(data) should always be greater 0. To avoid a hard to debug issue - though, add an assert() to make sure this is always the case before - risking an unsigned variable underrun. - - A real issue though is the check for 'datalen - 1 >= 0', which will - never fail due to datalen being unsigned. Fix this by incrementing both - sides by one, hence checking 'datalen >= 1'. - - Signed-off-by: Phil Sutter - Signed-off-by: Pablo Neira Ayuso ---- - src/evaluate.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/evaluate.c b/src/evaluate.c -index f24e5f3..5e3c158 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -248,6 +248,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp) - memset(data + len, 0, data_len - len); - mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len); - -+ assert(strlen(data) > 0); - datalen = strlen(data) - 1; - if (data[datalen] != '*') { - /* We need to reallocate the constant expression with the right -@@ -261,7 +262,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp) - return 0; - } - -- if (datalen - 1 >= 0 && -+ if (datalen >= 1 && - data[datalen - 1] == '\\') { - char unescaped_str[data_len]; - --- -1.8.3.1 - diff --git a/SOURCES/0004-evaluate-reject-Have-a-generic-fix-for-missing-netwo.patch b/SOURCES/0004-evaluate-reject-Have-a-generic-fix-for-missing-netwo.patch deleted file mode 100644 index 956404b..0000000 --- a/SOURCES/0004-evaluate-reject-Have-a-generic-fix-for-missing-netwo.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 7fb6387b3c00346a429d291dd057e47c9354e263 Mon Sep 17 00:00:00 2001 -From: Timothy Redaelli -Date: Fri, 24 Feb 2017 11:58:57 +0100 -Subject: [PATCH] evaluate: reject: Have a generic fix for missing network - context - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360354 -Upstream Status: nftables commit 7241af3 - -commit 7241af302bbe56908fa87b17799048bfe884e35f -Author: Phil Sutter -Date: Tue Aug 30 19:39:51 2016 +0200 - - evaluate: reject: Have a generic fix for missing network context - - Commit 17b495957b29e ("evaluate: reject: fix crash if we have transport - protocol conflict from inet") took care of a crash when using inet or - bridge families, but since then netdev family has been added which also - does not implicitly define the network context. Therefore the crash can - be reproduced again using the following example: - - nft add rule netdev filter e1000-ingress \ - meta l4proto udp reject with tcp reset - - In order to fix this in a more generic way, have stmt_evaluate_reset() - fall back to the generic proto_inet_service irrespective of the actual - proto context. - - Signed-off-by: Phil Sutter - Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Timothy Redaelli ---- - src/evaluate.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 5e3c158..1b8d565 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -2014,9 +2014,7 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt) - return 0; - - base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc; -- if (base == NULL && -- (ctx->pctx.family == NFPROTO_INET || -- ctx->pctx.family == NFPROTO_BRIDGE)) -+ if (base == NULL) - base = &proto_inet_service; - - protonum = proto_find_num(base, desc); --- -1.8.3.1 - diff --git a/SOURCES/0005-payload-don-t-update-protocol-context-if-we-can-t-fi.patch b/SOURCES/0005-payload-don-t-update-protocol-context-if-we-can-t-fi.patch deleted file mode 100644 index 3bc4f4d..0000000 --- a/SOURCES/0005-payload-don-t-update-protocol-context-if-we-can-t-fi.patch +++ /dev/null @@ -1,120 +0,0 @@ -From 611c93ad808addc5e3f38c279de273d6419b5c6e Mon Sep 17 00:00:00 2001 -From: Timothy Redaelli -Date: Mon, 8 May 2017 18:43:32 +0200 -Subject: [PATCH] payload: don't update protocol context if we can't find a - description - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1446534 -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1399764 -Upstream Status: nftables commit 3503738 - -commit 3503738f77cdbe521da1054a37f59ac2e442b4cf -Author: Florian Westphal -Date: Mon Jun 6 21:52:28 2016 +0200 - - payload: don't update protocol context if we can't find a description - - Since commit - 20b1131c07acd2fc ("payload: fix stacked headers protocol context tracking") - we deref null pointer if we can't find a description for the desired - protocol, so "ip protocol 254" crashes while testing protocols 6 or 17 - (tcp, udp) works. - - Also add a test case for this. - - Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1072 - Signed-off-by: Florian Westphal - Acked-by: Pablo Neira Ayuso - -Signed-off-by: Timothy Redaelli ---- - src/payload.c | 3 +++ - tests/py/ip/ip.t | 3 +++ - tests/py/ip/ip.t.payload | 5 +++++ - tests/py/ip/ip.t.payload.inet | 7 +++++++ - tests/py/ip/ip.t.payload.netdev | 7 +++++++ - 5 files changed, 25 insertions(+) - -diff --git a/src/payload.c b/src/payload.c -index ac0e917..9ba980a 100644 ---- a/src/payload.c -+++ b/src/payload.c -@@ -85,6 +85,9 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx, - base = ctx->protocol[left->payload.base].desc; - desc = proto_find_upper(base, proto); - -+ if (!desc) -+ return; -+ - assert(desc->base <= PROTO_BASE_MAX); - if (desc->base == base->base) { - assert(base->length > 0); -diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t -index 594136c..a265b75 100644 ---- a/tests/py/ip/ip.t -+++ b/tests/py/ip/ip.t -@@ -75,6 +75,9 @@ ip protocol != tcp;ok;ip protocol != 6 - ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept - - ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok - -+ip protocol 255;ok -+ip protocol 256;fail -+ - ip checksum 13172 drop;ok - ip checksum 22;ok - ip checksum != 233;ok -diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload -index 9ce5527..13df804 100644 ---- a/tests/py/ip/ip.t.payload -+++ b/tests/py/ip/ip.t.payload -@@ -200,6 +200,11 @@ ip test-ip4 input - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -+# ip protocol 255 -+ip test-ip4 input -+ [ payload load 1b @ network header + 9 => reg 1 ] -+ [ cmp eq reg 1 0x000000ff ] -+ - # ip checksum 13172 drop - ip test-ip4 input - [ payload load 2b @ network header + 10 => reg 1 ] -diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet -index cf41eb2..34fca91 100644 ---- a/tests/py/ip/ip.t.payload.inet -+++ b/tests/py/ip/ip.t.payload.inet -@@ -264,6 +264,13 @@ inet test-inet input - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -+# ip protocol 255 -+ip test-ip4 input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x00000002 ] -+ [ payload load 1b @ network header + 9 => reg 1 ] -+ [ cmp eq reg 1 0x000000ff ] -+ - # ip checksum 13172 drop - inet test-inet input - [ meta load nfproto => reg 1 ] -diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev -index ae2a74b..b61fd1e 100644 ---- a/tests/py/ip/ip.t.payload.netdev -+++ b/tests/py/ip/ip.t.payload.netdev -@@ -200,6 +200,13 @@ netdev test-netdev ingress - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -+# ip protocol 255 -+ip test-ip4 input -+ [ meta load protocol => reg 1 ] -+ [ cmp eq reg 1 0x00000008 ] -+ [ payload load 1b @ network header + 9 => reg 1 ] -+ [ cmp eq reg 1 0x000000ff ] -+ - # ip checksum 13172 drop - netdev test-netdev ingress - [ meta load protocol => reg 1 ] --- -1.8.3.1 - diff --git a/SOURCES/0006-src-rename-datatype-name-from-tc_handle-to-classid.patch b/SOURCES/0006-src-rename-datatype-name-from-tc_handle-to-classid.patch deleted file mode 100644 index 73770e0..0000000 --- a/SOURCES/0006-src-rename-datatype-name-from-tc_handle-to-classid.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 174b2a34a7c6a2fcf75baefd2f96c78a60c5417f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 12 May 2017 17:56:59 +0200 -Subject: [PATCH] src: rename datatype name from tc_handle to classid - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380326 -Upstream Status: nftables commit 11b39df32835c - -commit 11b39df32835ce855e5c6b889fa2cbcefe517547 -Author: Pablo Neira Ayuso -Date: Fri Jul 22 16:43:13 2016 +0200 - - src: rename datatype name from tc_handle to classid - - Signed-off-by: Pablo Neira Ayuso ---- - include/datatype.h | 4 ++-- - src/meta.c | 6 +++--- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/include/datatype.h b/include/datatype.h -index c7e110f..f0e085b 100644 ---- a/include/datatype.h -+++ b/include/datatype.h -@@ -27,7 +27,7 @@ - * @TYPE_IFINDEX: interface index (integer subtype) - * @TYPE_ARPHRD: interface type (integer subtype) - * @TYPE_REALM: routing realm (integer subtype) -- * @TYPE_TC_HANDLE: TC handle (integer subtype) -+ * @TYPE_CLASSID: TC classid (integer subtype) - * @TYPE_UID: user ID (integer subtype) - * @TYPE_GID: group ID (integer subtype) - * @TYPE_CT_STATE: conntrack state (bitmask subtype) -@@ -66,7 +66,7 @@ enum datatypes { - TYPE_IFINDEX, - TYPE_ARPHRD, - TYPE_REALM, -- TYPE_TC_HANDLE, -+ TYPE_CLASSID, - TYPE_UID, - TYPE_GID, - TYPE_CT_STATE, -diff --git a/src/meta.c b/src/meta.c -index 75431a2..d912b4e 100644 ---- a/src/meta.c -+++ b/src/meta.c -@@ -127,9 +127,9 @@ err: - } - - static const struct datatype tchandle_type = { -- .type = TYPE_TC_HANDLE, -- .name = "tc_handle", -- .desc = "TC handle", -+ .type = TYPE_CLASSID, -+ .name = "classid", -+ .desc = "TC classid", - .byteorder = BYTEORDER_HOST_ENDIAN, - .size = 4 * BITS_PER_BYTE, - .basetype = &integer_type, --- -1.8.3.1 - diff --git a/SOURCES/0007-src-simplify-classid-printing-using-x-instead-of-04x.patch b/SOURCES/0007-src-simplify-classid-printing-using-x-instead-of-04x.patch deleted file mode 100644 index 5187b32..0000000 --- a/SOURCES/0007-src-simplify-classid-printing-using-x-instead-of-04x.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 0987bd768b0f9f8e3190fd955d01e54e0d4465e0 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 12 May 2017 17:56:59 +0200 -Subject: [PATCH] src: simplify classid printing using %x instead of %04x - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380326 -Upstream Status: nftables commit 860979abdbe30 - -commit 860979abdbe3081c310a5acd9250abdfcb741ce4 -Author: Pablo Neira Ayuso -Date: Fri Jul 22 16:45:57 2016 +0200 - - src: simplify classid printing using %x instead of %04x - - No need to print this in iptables CLASSIFY target format, - eg. 0004:1230, this is innecessarily large. - - And always print major and minor numbers. - - Signed-off-by: Pablo Neira Ayuso ---- - src/meta.c | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - -diff --git a/src/meta.c b/src/meta.c -index d912b4e..3a72d10 100644 ---- a/src/meta.c -+++ b/src/meta.c -@@ -80,14 +80,7 @@ static void tchandle_type_print(const struct expr *expr) - printf("none"); - break; - default: -- if (TC_H_MAJ(handle) == 0) -- printf(":%04x", TC_H_MIN(handle)); -- else if (TC_H_MIN(handle) == 0) -- printf("%04x:", TC_H_MAJ(handle) >> 16); -- else { -- printf("%04x:%04x", -- TC_H_MAJ(handle) >> 16, TC_H_MIN(handle)); -- } -+ printf("%0x:%0x", TC_H_MAJ(handle) >> 16, TC_H_MIN(handle)); - break; - } - } --- -1.8.3.1 - diff --git a/SOURCES/0008-src-meta-priority-support-using-tc-classid.patch b/SOURCES/0008-src-meta-priority-support-using-tc-classid.patch deleted file mode 100644 index b900561..0000000 --- a/SOURCES/0008-src-meta-priority-support-using-tc-classid.patch +++ /dev/null @@ -1,356 +0,0 @@ -From 3ce7e132a4828b707c94efb0cb5058067828353d Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 12 May 2017 17:56:59 +0200 -Subject: [PATCH] src: meta priority support using tc classid - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380326 -Upstream Status: nftables commit 6f2eb8548e0d1 -Conflicts: Context change in tests due to missing meta random keyword. - -commit 6f2eb8548e0d18078989adec069b438b2f154767 -Author: Pablo Neira Ayuso -Date: Tue Aug 16 23:30:18 2016 +0200 - - src: meta priority support using tc classid - - This patch adds the missing bits to scan and parse the meta priority - handle as expressed by tc classid major:minor syntax. - - The :minor syntax is not support for two reason: major is always >= 1 - and this clashes with port syntax in nat. - - Here below, several example on how to match the packet priority field: - - nft add rule filter forward meta priority abcd:0 - nft add rule filter forward meta priority abcd:1234 - - and to set it, you have to: - - nft add rule filter forward meta priority set abcd:1234 - - The priority expression in flex looks ahead to restrict the pattern to - avoid problems with mappings: - - {classid}/[ \t\n:\-},] - - So the following doesn't break: - - ... vmap { 25:accept } - ^^^^^ - - The lookahead expression requires a slight change to extend the input - string in one byte. - - This patch is conservative as you always have to explicity indicate - major and minor numbers even if zero. - - We could consider supporting this shortcut in the future: - - abcd: - - However, with regards to this: - - :abcd - - We don't need to support it since major number is assumed to be >= 1. - However, if we ever decide to support this, we'll have problems since - this clashes with our port representation in redirect and mangle. - - So let's keep this simple and start with this approach. - - Signed-off-by: Pablo Neira Ayuso ---- - src/cli.c | 8 +++++ - src/erec.c | 1 + - src/main.c | 3 +- - src/meta.c | 39 +++++++++++++++++------- - src/scanner.l | 6 ++++ - src/statement.c | 2 +- - tests/py/any/meta.t | 22 ++++++++------ - tests/py/any/meta.t.payload | 72 +++++++++++++++++++++++++++++++++++++++++++++ - 8 files changed, 131 insertions(+), 22 deletions(-) - -diff --git a/src/cli.c b/src/cli.c -index adffd6b..a74411a 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -92,6 +92,8 @@ static void cli_complete(char *line) - const HIST_ENTRY *hist; - const char *c; - LIST_HEAD(msgs); -+ int len; -+ char *s; - - if (line == NULL) { - printf("\n"); -@@ -119,6 +121,12 @@ static void cli_complete(char *line) - if (hist == NULL || strcmp(hist->line, line)) - add_history(line); - -+ len = strlen(line); -+ s = xmalloc(len + 2); -+ snprintf(s, len + 2, "%s\n", line); -+ xfree(line); -+ line = s; -+ - parser_init(state, &msgs); - scanner_push_buffer(scanner, &indesc_cli, line); - nft_run(scanner, state, &msgs); -diff --git a/src/erec.c b/src/erec.c -index d514230..adbc096 100644 ---- a/src/erec.c -+++ b/src/erec.c -@@ -92,6 +92,7 @@ void erec_print(FILE *f, const struct error_record *erec) - case INDESC_BUFFER: - case INDESC_CLI: - line = indesc->data; -+ *strchrnul(line, '\n') = '\0'; - break; - case INDESC_FILE: - memset(buf, 0, sizeof(buf)); -diff --git a/src/main.c b/src/main.c -index ad73d80..39a47bb 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -328,12 +328,13 @@ int main(int argc, char * const *argv) - for (len = 0, i = optind; i < argc; i++) - len += strlen(argv[i]) + strlen(" "); - -- buf = xzalloc(len + 1); -+ buf = xzalloc(len + 2); - for (i = optind; i < argc; i++) { - strcat(buf, argv[i]); - if (i + 1 < argc) - strcat(buf, " "); - } -+ strcat(buf, "\n"); - parser_init(&state, &msgs); - scanner = scanner_init(&state); - scanner_push_buffer(scanner, &indesc_cmdline, buf); -diff --git a/src/meta.c b/src/meta.c -index 3a72d10..652b1cf 100644 ---- a/src/meta.c -+++ b/src/meta.c -@@ -10,6 +10,7 @@ - * Development of this code funded by Astaro AG (http://www.astaro.com/) - */ - -+#include - #include - #include - #include -@@ -89,34 +90,50 @@ static struct error_record *tchandle_type_parse(const struct expr *sym, - struct expr **res) - { - uint32_t handle; -+ char *str; - - if (strcmp(sym->identifier, "root") == 0) - handle = TC_H_ROOT; - else if (strcmp(sym->identifier, "none") == 0) - handle = TC_H_UNSPEC; -- else if (sym->identifier[0] == ':') { -- if (sscanf(sym->identifier, ":%04x", &handle) != 1) -+ else if (strchr(sym->identifier, ':')) { -+ uint16_t tmp; -+ char *colon; -+ -+ str = xstrdup(sym->identifier); -+ -+ colon = strchr(str, ':'); -+ if (!colon) - goto err; -- } else if (sym->identifier[strlen(sym->identifier)-1] == ':') { -- if (sscanf(sym->identifier, "%04x:", &handle) != 1) -+ -+ *colon = '\0'; -+ -+ errno = 0; -+ tmp = strtoull(str, NULL, 16); -+ if (errno != 0) - goto err; - -- handle <<= 16; -- } else { -- uint32_t min, max; -+ handle = (tmp << 16); -+ if (str[strlen(str) - 1] == ':') -+ goto out; - -- if (sscanf(sym->identifier, "%04x:%04x", &max, &min) != 2) -+ errno = 0; -+ tmp = strtoull(colon + 1, NULL, 16); -+ if (errno != 0) - goto err; - -- handle = max << 16 | min; -+ handle |= tmp; -+ } else { -+ handle = strtoull(sym->identifier, NULL, 0); - } -+out: - *res = constant_expr_alloc(&sym->location, sym->dtype, - BYTEORDER_HOST_ENDIAN, - sizeof(handle) * BITS_PER_BYTE, &handle); - return NULL; - err: -- return error(&sym->location, "Could not parse %s", -- sym->dtype->desc); -+ xfree(str); -+ return error(&sym->location, "Could not parse %s", sym->dtype->desc); - } - - static const struct datatype tchandle_type = { -diff --git a/src/scanner.l b/src/scanner.l -index 88669d0..5855041 100644 ---- a/src/scanner.l -+++ b/src/scanner.l -@@ -170,6 +170,7 @@ macaddr (([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}) - ip4addr (([[:digit:]]{1,3}"."){3}([[:digit:]]{1,3})) - ip6addr ({v680}|{v67}|{v66}|{v65}|{v64}|{v63}|{v62}|{v61}|{v60}) - -+classid ({hexdigit}{1,4}:{hexdigit}{1,4}) - addrstring ({macaddr}|{ip4addr}|{ip6addr}) - - %option prefix="nft_" -@@ -500,6 +501,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - return NUM; - } - -+{classid}/[ \t\n:\-},] { -+ yylval->string = xstrdup(yytext); -+ return STRING; -+ } -+ - {quotedstring} { - yytext[yyleng - 1] = '\0'; - yylval->string = xstrdup(yytext + 1); -diff --git a/src/statement.c b/src/statement.c -index 76f528b..0960f44 100644 ---- a/src/statement.c -+++ b/src/statement.c -@@ -458,7 +458,7 @@ static void redir_stmt_print(const struct stmt *stmt) - printf("redirect"); - - if (stmt->redir.proto) { -- printf(" to "); -+ printf(" to :"); - expr_print(stmt->redir.proto); - } - -diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t -index 424cb18..6ea06d9 100644 ---- a/tests/py/any/meta.t -+++ b/tests/py/any/meta.t -@@ -38,15 +38,19 @@ meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88} - meta l4proto { 33-55};ok - - meta l4proto != { 33-55};ok - --- meta priority :aabb;ok --- meta priority bcad:dadc;ok --- meta priority aabb:;ok --- meta priority != :aabb;ok --- meta priority != bcad:dadc;ok --- meta priority != aabb:;ok --- meta priority bcad:dada-bcad:dadc;ok --- meta priority != bcad:dada-bcad:dadc;ok --- meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok -+meta priority root;ok -+meta priority none;ok -+meta priority 0x87654321;ok;meta priority 8765:4321 -+meta priority 2271560481;ok;meta priority 8765:4321 -+meta priority 1:1234;ok -+meta priority bcad:dadc;ok -+meta priority aabb:0;ok -+meta priority != bcad:dadc;ok -+meta priority != aabb:0;ok -+meta priority bcad:dada-bcad:dadc;ok -+meta priority != bcad:dada-bcad:dadc;ok -+meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok -+meta priority set cafe:beef;ok - - meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok - - meta mark 0x4;ok;mark 0x00000004 -diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload -index 00a2f20..8065178 100644 ---- a/tests/py/any/meta.t.payload -+++ b/tests/py/any/meta.t.payload -@@ -775,3 +775,75 @@ ip test-ip4 output - [ meta load oif => reg 9 ] - [ lookup reg 1 set __map%d dreg 0 ] - -+# meta priority root -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ cmp eq reg 1 0xffffffff ] -+ -+# meta priority none -+netdev test-netdev ingress -+ [ meta load priority => reg 1 ] -+ [ cmp eq reg 1 0x00000000 ] -+ -+# meta priority 1:1234 -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ cmp eq reg 1 0x00011234 ] -+ -+# meta priority bcad:dadc -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ cmp eq reg 1 0xbcaddadc ] -+ -+# meta priority aabb:0 -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ cmp eq reg 1 0xaabb0000 ] -+ -+# meta priority != bcad:dadc -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ cmp neq reg 1 0xbcaddadc ] -+ -+# meta priority != aabb:0 -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ cmp neq reg 1 0xaabb0000 ] -+ -+# meta priority bcad:dada-bcad:dadc -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ byteorder reg 1 = hton(reg 1, 4, 4) ] -+ [ cmp gte reg 1 0xdadaadbc ] -+ [ cmp lte reg 1 0xdcdaadbc ] -+ -+# meta priority != bcad:dada-bcad:dadc -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ byteorder reg 1 = hton(reg 1, 4, 4) ] -+ [ cmp lt reg 1 0xdadaadbc ] -+ [ cmp gt reg 1 0xdcdaadbc ] -+ -+# meta priority {bcad:dada, bcad:dadc, aaaa:bbbb} -+__set%d test-ip4 3 -+__set%d test-ip4 0 -+ element bcaddada : 0 [end] element bcaddadc : 0 [end] element aaaabbbb : 0 [end] -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ lookup reg 1 set __set%d ] -+ -+# meta priority set cafe:beef -+ip test-ip4 input -+ [ immediate reg 1 0xcafebeef ] -+ [ meta set priority with reg 1 ] -+ -+# meta priority 0x87654321 -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ cmp eq reg 1 0x87654321 ] -+ -+# meta priority 2271560481 -+ip test-ip4 input -+ [ meta load priority => reg 1 ] -+ [ cmp eq reg 1 0x87654321 ] -+ --- -1.8.3.1 - diff --git a/SOURCES/0009-meta-fix-memory-leak-in-tc-classid-parser.patch b/SOURCES/0009-meta-fix-memory-leak-in-tc-classid-parser.patch deleted file mode 100644 index 06f0372..0000000 --- a/SOURCES/0009-meta-fix-memory-leak-in-tc-classid-parser.patch +++ /dev/null @@ -1,47 +0,0 @@ -From b43f64d4c9dcd52da901ea1274895d11575acf4e Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 12 May 2017 17:57:57 +0200 -Subject: [PATCH] meta: fix memory leak in tc classid parser - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380326 -Upstream Status: nftables commit d815b8d2bf18b - -commit d815b8d2bf18bc589f10c3fb4524a2b93fe91b93 -Author: Liping Zhang -Date: Sun Aug 28 16:36:22 2016 +0800 - - meta: fix memory leak in tc classid parser - - We forgot to free the str which was allocated by xstrdup, - so memory leak will happen. - - Signed-off-by: Liping Zhang - Signed-off-by: Pablo Neira Ayuso ---- - src/meta.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/meta.c b/src/meta.c -index 652b1cf..d77106e 100644 ---- a/src/meta.c -+++ b/src/meta.c -@@ -90,7 +90,7 @@ static struct error_record *tchandle_type_parse(const struct expr *sym, - struct expr **res) - { - uint32_t handle; -- char *str; -+ char *str = NULL; - - if (strcmp(sym->identifier, "root") == 0) - handle = TC_H_ROOT; -@@ -127,6 +127,7 @@ static struct error_record *tchandle_type_parse(const struct expr *sym, - handle = strtoull(sym->identifier, NULL, 0); - } - out: -+ xfree(str); - *res = constant_expr_alloc(&sym->location, sym->dtype, - BYTEORDER_HOST_ENDIAN, - sizeof(handle) * BITS_PER_BYTE, &handle); --- -1.8.3.1 - diff --git a/SOURCES/0010-datatype-time_type-should-send-milliseconds-to-users.patch b/SOURCES/0010-datatype-time_type-should-send-milliseconds-to-users.patch deleted file mode 100644 index 391986f..0000000 --- a/SOURCES/0010-datatype-time_type-should-send-milliseconds-to-users.patch +++ /dev/null @@ -1,119 +0,0 @@ -From fad810f8c3b1b9135f9b8a89d6e6e5472fb2b3b4 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 12 May 2017 18:29:28 +0200 -Subject: [PATCH] datatype: time_type should send milliseconds to userspace - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1427114 -Upstream Status: nftables commit 82dfc87c85f00 -Conflicts: Adjusted one test case for previously backported commit - 3ed932917cc74 ("src: use new range expression for != [a,b] - intervals"). - -commit 82dfc87c85f00acfa0d46369ae3f66c26a93f502 -Author: Pablo Neira Ayuso -Date: Fri Jul 8 15:12:31 2016 +0200 - - datatype: time_type should send milliseconds to userspace - - Kernel expects milliseconds, so fix this datatype to use - milliseconds instead of seconds. - - Signed-off-by: Pablo Neira Ayuso ---- - include/utils.h | 1 + - src/datatype.c | 3 ++- - tests/py/any/ct.t.payload | 16 ++++++++-------- - 3 files changed, 11 insertions(+), 9 deletions(-) - -diff --git a/include/utils.h b/include/utils.h -index 8a1dc5e..d886764 100644 ---- a/include/utils.h -+++ b/include/utils.h -@@ -83,6 +83,7 @@ - (void) (&_max1 == &_max2); \ - _max1 > _max2 ? _max1 : _max2; }) - -+#define MSEC_PER_SEC 1000L - - /** - * fls - find last (most-significant) bit set -diff --git a/src/datatype.c b/src/datatype.c -index 40e14c9..002c4c6 100644 ---- a/src/datatype.c -+++ b/src/datatype.c -@@ -883,7 +883,7 @@ struct error_record *time_parse(const struct location *loc, const char *str, - - static void time_type_print(const struct expr *expr) - { -- time_print(mpz_get_uint64(expr->value)); -+ time_print(mpz_get_uint64(expr->value) / MSEC_PER_SEC); - } - - static struct error_record *time_type_parse(const struct expr *sym, -@@ -896,6 +896,7 @@ static struct error_record *time_type_parse(const struct expr *sym, - if (erec != NULL) - return erec; - -+ s *= MSEC_PER_SEC; - if (s > UINT32_MAX) - return error(&sym->location, "value too large"); - -diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload -index 26bcf26..0598fdf 100644 ---- a/tests/py/any/ct.t.payload -+++ b/tests/py/any/ct.t.payload -@@ -197,35 +197,35 @@ ip test-ip4 output - # ct expiration 30 - ip test-ip4 output - [ ct load expiration => reg 1 ] -- [ cmp eq reg 1 0x0000001e ] -+ [ cmp eq reg 1 0x00007530 ] - - # ct expiration 22 - ip test-ip4 output - [ ct load expiration => reg 1 ] -- [ cmp eq reg 1 0x00000016 ] -+ [ cmp eq reg 1 0x000055f0 ] - - # ct expiration != 233 - ip test-ip4 output - [ ct load expiration => reg 1 ] -- [ cmp neq reg 1 0x000000e9 ] -+ [ cmp neq reg 1 0x00038e28 ] - - # ct expiration 33-45 - ip test-ip4 output - [ ct load expiration => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ cmp gte reg 1 0x21000000 ] -- [ cmp lte reg 1 0x2d000000 ] -+ [ cmp gte reg 1 0xe8800000 ] -+ [ cmp lte reg 1 0xc8af0000 ] - - # ct expiration != 33-45 - ip test-ip4 output - [ ct load expiration => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] -- [ range neq reg 1 0x21000000 0x2d000000 ] -+ [ range neq reg 1 0xe8800000 0xc8af0000 ] - - # ct expiration {33, 55, 67, 88} - __set%d test-ip4 3 - __set%d test-ip4 0 -- element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -+ element 000080e8 : 0 [end] element 0000d6d8 : 0 [end] element 000105b8 : 0 [end] element 000157c0 : 0 [end] - ip test-ip4 output - [ ct load expiration => reg 1 ] - [ lookup reg 1 set __set%d ] -@@ -233,7 +233,7 @@ ip test-ip4 output - # ct expiration {33-55} - __set%d test-ip4 7 - __set%d test-ip4 0 -- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -+ element 00000000 : 1 [end] element e8800000 : 0 [end] element d9d60000 : 1 [end] - ip test-ip4 output - [ ct load expiration => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] --- -1.8.3.1 - diff --git a/SOURCES/0011-include-refresh-uapi-linux-netfilter-nf_tables.h-cop.patch b/SOURCES/0011-include-refresh-uapi-linux-netfilter-nf_tables.h-cop.patch deleted file mode 100644 index 0099337..0000000 --- a/SOURCES/0011-include-refresh-uapi-linux-netfilter-nf_tables.h-cop.patch +++ /dev/null @@ -1,218 +0,0 @@ -From d9512e718d90343bb83f39c26c6c4ee2e3173a53 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 12 May 2017 18:52:01 +0200 -Subject: [PATCH] include: refresh uapi/linux/netfilter/nf_tables.h copy - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1440011 -Upstream Status: nftables commit e7b1270057037 - -commit e7b1270057037c1c2524204c4c903c995cf77aab -Author: Pablo Neira Ayuso -Date: Fri Aug 26 13:22:00 2016 +0200 - - include: refresh uapi/linux/netfilter/nf_tables.h copy - - Fetch incremental incremental updates on this file. - - Signed-off-by: Pablo Neira Ayuso ---- - include/linux/netfilter/nf_tables.h | 80 ++++++++++++++++++++++++++++++++++++- - 1 file changed, 79 insertions(+), 1 deletion(-) - -diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h -index 0df2ccc..3b4ec63 100644 ---- a/include/linux/netfilter/nf_tables.h -+++ b/include/linux/netfilter/nf_tables.h -@@ -3,6 +3,7 @@ - - #define NFT_TABLE_MAXNAMELEN 32 - #define NFT_CHAIN_MAXNAMELEN 32 -+#define NFT_SET_MAXNAMELEN 32 - #define NFT_USERDATA_MAXLEN 256 - - /** -@@ -182,6 +183,7 @@ enum nft_chain_attributes { - NFTA_CHAIN_USE, - NFTA_CHAIN_TYPE, - NFTA_CHAIN_COUNTERS, -+ NFTA_CHAIN_PAD, - __NFTA_CHAIN_MAX - }; - #define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1) -@@ -206,6 +208,7 @@ enum nft_rule_attributes { - NFTA_RULE_COMPAT, - NFTA_RULE_POSITION, - NFTA_RULE_USERDATA, -+ NFTA_RULE_PAD, - __NFTA_RULE_MAX - }; - #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) -@@ -308,6 +311,7 @@ enum nft_set_attributes { - NFTA_SET_TIMEOUT, - NFTA_SET_GC_INTERVAL, - NFTA_SET_USERDATA, -+ NFTA_SET_PAD, - __NFTA_SET_MAX - }; - #define NFTA_SET_MAX (__NFTA_SET_MAX - 1) -@@ -341,6 +345,7 @@ enum nft_set_elem_attributes { - NFTA_SET_ELEM_EXPIRATION, - NFTA_SET_ELEM_USERDATA, - NFTA_SET_ELEM_EXPR, -+ NFTA_SET_ELEM_PAD, - __NFTA_SET_ELEM_MAX - }; - #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) -@@ -541,6 +546,10 @@ enum nft_cmp_attributes { - }; - #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) - -+enum nft_lookup_flags { -+ NFT_LOOKUP_F_INV = (1 << 0), -+}; -+ - /** - * enum nft_range_ops - nf_tables range operator - * -@@ -577,6 +586,7 @@ enum nft_range_attributes { - * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers) - * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers) - * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32) -+ * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags) - */ - enum nft_lookup_attributes { - NFTA_LOOKUP_UNSPEC, -@@ -584,6 +594,7 @@ enum nft_lookup_attributes { - NFTA_LOOKUP_SREG, - NFTA_LOOKUP_DREG, - NFTA_LOOKUP_SET_ID, -+ NFTA_LOOKUP_FLAGS, - __NFTA_LOOKUP_MAX - }; - #define NFTA_LOOKUP_MAX (__NFTA_LOOKUP_MAX - 1) -@@ -613,6 +624,7 @@ enum nft_dynset_attributes { - NFTA_DYNSET_SREG_DATA, - NFTA_DYNSET_TIMEOUT, - NFTA_DYNSET_EXPR, -+ NFTA_DYNSET_PAD, - __NFTA_DYNSET_MAX, - }; - #define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1) -@@ -741,6 +753,26 @@ enum nft_meta_keys { - }; - - /** -+ * enum nft_hash_attributes - nf_tables hash expression netlink attributes -+ * -+ * @NFTA_HASH_SREG: source register (NLA_U32) -+ * @NFTA_HASH_DREG: destination register (NLA_U32) -+ * @NFTA_HASH_LEN: source data length (NLA_U32) -+ * @NFTA_HASH_MODULUS: modulus value (NLA_U32) -+ * @NFTA_HASH_SEED: seed value (NLA_U32) -+ */ -+enum nft_hash_attributes { -+ NFTA_HASH_UNSPEC, -+ NFTA_HASH_SREG, -+ NFTA_HASH_DREG, -+ NFTA_HASH_LEN, -+ NFTA_HASH_MODULUS, -+ NFTA_HASH_SEED, -+ __NFTA_HASH_MAX, -+}; -+#define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1) -+ -+/** - * enum nft_meta_attributes - nf_tables meta expression netlink attributes - * - * @NFTA_META_DREG: destination register (NLA_U32) -@@ -835,6 +867,7 @@ enum nft_limit_attributes { - NFTA_LIMIT_BURST, - NFTA_LIMIT_TYPE, - NFTA_LIMIT_FLAGS, -+ NFTA_LIMIT_PAD, - __NFTA_LIMIT_MAX - }; - #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1) -@@ -849,6 +882,7 @@ enum nft_counter_attributes { - NFTA_COUNTER_UNSPEC, - NFTA_COUNTER_BYTES, - NFTA_COUNTER_PACKETS, -+ NFTA_COUNTER_PAD, - __NFTA_COUNTER_MAX - }; - #define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1) -@@ -895,6 +929,25 @@ enum nft_queue_attributes { - #define NFT_QUEUE_FLAG_CPU_FANOUT 0x02 /* use current CPU (no hashing) */ - #define NFT_QUEUE_FLAG_MASK 0x03 - -+enum nft_quota_flags { -+ NFT_QUOTA_F_INV = (1 << 0), -+}; -+ -+/** -+ * enum nft_quota_attributes - nf_tables quota expression netlink attributes -+ * -+ * @NFTA_QUOTA_BYTES: quota in bytes (NLA_U16) -+ * @NFTA_QUOTA_FLAGS: flags (NLA_U32) -+ */ -+enum nft_quota_attributes { -+ NFTA_QUOTA_UNSPEC, -+ NFTA_QUOTA_BYTES, -+ NFTA_QUOTA_FLAGS, -+ NFTA_QUOTA_PAD, -+ __NFTA_QUOTA_MAX -+}; -+#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) -+ - /** - * enum nft_reject_types - nf_tables reject expression reject types - * -@@ -1066,7 +1119,7 @@ enum nft_gen_attributes { - * @NFTA_TRACE_NFPROTO: nf protocol processed (NLA_U32) - * @NFTA_TRACE_POLICY: policy that decided fate of packet (NLA_U32) - */ --enum nft_trace_attibutes { -+enum nft_trace_attributes { - NFTA_TRACE_UNSPEC, - NFTA_TRACE_TABLE, - NFTA_TRACE_CHAIN, -@@ -1084,6 +1137,7 @@ enum nft_trace_attibutes { - NFTA_TRACE_MARK, - NFTA_TRACE_NFPROTO, - NFTA_TRACE_POLICY, -+ NFTA_TRACE_PAD, - __NFTA_TRACE_MAX - }; - #define NFTA_TRACE_MAX (__NFTA_TRACE_MAX - 1) -@@ -1096,4 +1150,28 @@ enum nft_trace_types { - __NFT_TRACETYPE_MAX - }; - #define NFT_TRACETYPE_MAX (__NFT_TRACETYPE_MAX - 1) -+ -+/** -+ * enum nft_ng_attributes - nf_tables number generator expression netlink attributes -+ * -+ * @NFTA_NG_DREG: destination register (NLA_U32) -+ * @NFTA_NG_UNTIL: source value to increment the counter until reset (NLA_U32) -+ * @NFTA_NG_TYPE: operation type (NLA_U32) -+ */ -+enum nft_ng_attributes { -+ NFTA_NG_UNSPEC, -+ NFTA_NG_DREG, -+ NFTA_NG_UNTIL, -+ NFTA_NG_TYPE, -+ __NFTA_NG_MAX -+}; -+#define NFTA_NG_MAX (__NFTA_NG_MAX - 1) -+ -+enum nft_ng_types { -+ NFT_NG_INCREMENTAL, -+ NFT_NG_RANDOM, -+ __NFT_NG_MAX -+}; -+#define NFT_NG_MAX (__NFT_NG_MAX - 1) -+ - #endif /* _LINUX_NF_TABLES_H */ --- -1.8.3.1 - diff --git a/SOURCES/0012-src-Interpret-OP_NEQ-against-a-set-as-OP_LOOKUP.patch b/SOURCES/0012-src-Interpret-OP_NEQ-against-a-set-as-OP_LOOKUP.patch deleted file mode 100644 index e5ea600..0000000 --- a/SOURCES/0012-src-Interpret-OP_NEQ-against-a-set-as-OP_LOOKUP.patch +++ /dev/null @@ -1,131 +0,0 @@ -From cb0e9dac618d08410a799d0f6e24c03052754b53 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 12 May 2017 18:32:43 +0200 -Subject: [PATCH] src: Interpret OP_NEQ against a set as OP_LOOKUP - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1440011 -Upstream Status: nftables commit cc7b37d18a687 - -commit cc7b37d18a687d53e8724b3104b042e6767a9cef -Author: Anatole Denis -Date: Thu Nov 24 15:16:20 2016 +0100 - - src: Interpret OP_NEQ against a set as OP_LOOKUP - - Now that the support for inverted matching is in the kernel and in libnftnl, add - it to nftables too. - - This fixes bug #888 - - Signed-off-by: Anatole Denis - Signed-off-by: Pablo Neira Ayuso ---- - src/evaluate.c | 14 ++++++++++++++ - src/netlink_delinearize.c | 10 ++++++++++ - src/netlink_linearize.c | 14 +++++++++----- - 3 files changed, 33 insertions(+), 5 deletions(-) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 1b8d565..680eda0 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -1460,6 +1460,20 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) - if (byteorder_conversion(ctx, &rel->right, left->byteorder) < 0) - return -1; - break; -+ case EXPR_SET: -+ assert(rel->op == OP_NEQ); -+ right = rel->right = -+ implicit_set_declaration(ctx, "__set%d", -+ left->dtype, left->len, -+ right); -+ /* fall through */ -+ case EXPR_SET_REF: -+ assert(rel->op == OP_NEQ); -+ /* Data for range lookups needs to be in big endian order */ -+ if (right->set->flags & SET_F_INTERVAL && -+ byteorder_conversion(ctx, &rel->left, BYTEORDER_BIG_ENDIAN) < 0) -+ return -1; -+ break; - default: - BUG("invalid expression type %s\n", right->ops->name); - } -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 505516c..c002538 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -299,6 +299,7 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx, - const char *name; - struct expr *expr, *left, *right; - struct set *set; -+ uint32_t flag; - - name = nftnl_expr_get_str(nle, NFTNL_EXPR_LOOKUP_SET); - set = set_lookup(ctx->table, name); -@@ -330,6 +331,12 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx, - expr = relational_expr_alloc(loc, OP_LOOKUP, left, right); - } - -+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOOKUP_FLAGS)) { -+ flag = nftnl_expr_get_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS); -+ if (flag & NFT_LOOKUP_F_INV) -+ expr->op = OP_NEQ; -+ } -+ - ctx->stmt = expr_stmt_alloc(loc, expr); - } - -@@ -1218,6 +1225,9 @@ static void ct_meta_common_postprocess(const struct expr *expr) - struct expr *right = expr->right; - - switch (expr->op) { -+ case OP_NEQ: -+ if (right->ops->type != EXPR_SET && right->ops->type != EXPR_SET_REF) -+ break; - case OP_LOOKUP: - expr_set_type(right, left->dtype, left->byteorder); - if (right->dtype == &integer_type) -diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c -index ffc3f57..8d8ec92 100644 ---- a/src/netlink_linearize.c -+++ b/src/netlink_linearize.c -@@ -216,6 +216,8 @@ static void netlink_gen_lookup(struct netlink_linearize_ctx *ctx, - expr->right->set->handle.set); - nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_SET_ID, - expr->right->set->handle.set_id); -+ if (expr->op == OP_NEQ) -+ nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS, NFT_LOOKUP_F_INV); - - release_register(ctx, expr->left); - nftnl_rule_add_expr(ctx->nlr, nle); -@@ -284,13 +286,14 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx, - - assert(dreg == NFT_REG_VERDICT); - -- if (expr->right->ops->type == EXPR_RANGE) -- return netlink_gen_range(ctx, expr, dreg); -- -- sreg = get_register(ctx, expr->left); -- - switch (expr->right->ops->type) { -+ case EXPR_RANGE: -+ return netlink_gen_range(ctx, expr, dreg); -+ case EXPR_SET: -+ case EXPR_SET_REF: -+ return netlink_gen_lookup(ctx, expr, dreg); - case EXPR_PREFIX: -+ sreg = get_register(ctx, expr->left); - if (expr->left->dtype->type != TYPE_STRING) { - len = div_round_up(expr->right->len, BITS_PER_BYTE); - netlink_gen_expr(ctx, expr->left, sreg); -@@ -303,6 +306,7 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx, - } - break; - default: -+ sreg = get_register(ctx, expr->left); - len = div_round_up(expr->right->len, BITS_PER_BYTE); - right = expr->right; - netlink_gen_expr(ctx, expr->left, sreg); --- -1.8.3.1 - diff --git a/SOURCES/0013-evaluate-Avoid-undefined-behaviour-in-concat_subtype.patch b/SOURCES/0013-evaluate-Avoid-undefined-behaviour-in-concat_subtype.patch deleted file mode 100644 index 0f0aa90..0000000 --- a/SOURCES/0013-evaluate-Avoid-undefined-behaviour-in-concat_subtype.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 858069eb28f440d5fb8658f1c3903e078ac42b92 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 12 May 2017 18:33:23 +0200 -Subject: [PATCH] evaluate: Avoid undefined behaviour in concat_subtype_id() - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360789 -Upstream Status: nftables commit 83e52f7a7f5ea - -commit 83e52f7a7f5eaa893e146d23ff2e9292179f9485 -Author: Phil Sutter -Date: Tue Aug 30 19:39:52 2016 +0200 - - evaluate: Avoid undefined behaviour in concat_subtype_id() - - For the left side of a concat expression, dtype is NULL and therefore - off is 0. In that case the code expects to get a datatype of - TYPE_INVALID, but this is fragile as the output of concat_subtype_id() - is undefined for n > 32 / TYPE_BITS. - - To fix this, call datatype_lookup() directly passing the expected - TYPE_INVALID as argument if off is 0. - - Signed-off-by: Phil Sutter - Signed-off-by: Pablo Neira Ayuso ---- - src/evaluate.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 680eda0..20584b7 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -965,7 +965,10 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr) - "expressions", - i->dtype->name); - -- tmp = concat_subtype_lookup(type, --off); -+ if (dtype == NULL) -+ tmp = datatype_lookup(TYPE_INVALID); -+ else -+ tmp = concat_subtype_lookup(type, --off); - expr_set_context(&ctx->ectx, tmp, tmp->size); - - if (list_member_evaluate(ctx, &i) < 0) --- -1.8.3.1 - diff --git a/SOURCES/nft.8 b/SOURCES/nft.8 index 57d4da8..156e8f4 100644 --- a/SOURCES/nft.8 +++ b/SOURCES/nft.8 @@ -1,12 +1,11 @@ -.\" t -.\" -*- coding: us-ascii -*- +'\" t -*- coding: us-ascii -*- .if \n(.g .ds T< \\FC .if \n(.g .ds T> \\F[\n[.fam]] .de URL \\$2 \(la\\$1\(ra\\$3 .. .if \n(.g .mso www.tmac -.TH nft 8 "29 June 2016" "" "" +.TH nft 8 "13 October 2017" "" "" .SH NAME nft \- Administration tool for packet filtering and classification .SH SYNOPSIS @@ -16,16 +15,14 @@ nft \- Administration tool for packet filtering and classification \fBnft\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[ -\fB-n | --numeric\fR -] [ -\fB[-I | --includepath]\fR +[\fB-n\fR | \fB--numeric\fR] [\fB-N\fR | \fB--reversedns\fR] [\fB-s\fR | \fB--stateless\fR] [\fB-c\fR | \fB--check\fR] [\fB-a\fR | \fB--handle\fR] [\fB-e\fR | \fB--echo\fR] [ +{\fB-I\fR | \fB--includepath\fR} \fIdirectory\fR ] [ -\fB[-f | --file]\fR +{\fB-f\fR | \fB--file\fR} \fIfilename\fR | -\fB[-i | --interactive]\fR +{\fB-i\fR | \fB--interactive\fR} | \fIcmd\fR \&...] @@ -38,11 +35,7 @@ nft \- Administration tool for packet filtering and classification \fBnft\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[ -\fB-h | --help\fR -] [ -\fB-v | --version\fR -] +[\fB-h\fR | \fB--help\fR] [\fB-v\fR | \fB--version\fR] 'in \n(.iu-\nxu .ad b 'hy @@ -59,21 +52,30 @@ Show help message and all options. Show version. .TP \*(T<\fB\-n, \-\-numeric\fR\*(T> -Numeric output: Addresses and other information -that might need network traffic to resolve to symbolic names -are shown numerically (default behaviour). When used twice, -internet services are translated. When used twice, internet -services and UIDs/GIDs are also shown numerically. When used -three times, protocol numbers are also shown numerically. +Show data numerically. When used once (the default behaviour), skip +lookup of addresses to symbolic names. Use twice to also show Internet +services (port numbers) numerically. Use three times to also show +protocols and UIDs/GIDs numerically. +.TP +\*(T<\fB\-s, \-\-stateless\fR\*(T> +Omit stateful information of rules and stateful objects. .TP -\*(T<\fB\-N\fR\*(T> -Translate IP addresses to DNS names. +\*(T<\fB\-c, \-\-check\fR\*(T> +Check commands validity without actually applying the changes. +.TP +\*(T<\fB\-N, \-\-reversedns\fR\*(T> +Translate IP addresses to names. Usually requires network traffic for DNS lookup. .TP \*(T<\fB\-a, \-\-handle\fR\*(T> Show rule handles in output. .TP +\*(T<\fB\-e, \-\-echo\fR\*(T> +When inserting items into the ruleset using \fBadd\fR, +\fBinsert\fR or \fBreplace\fR commands, +print notifications just like \fBnft monitor\fR. +.TP \*(T<\fB\-I, \-\-includepath \fR\*(T>\fIdirectory\fR -Add the directory \fIdirectory\fR to the list of directories to be searched for included files. +Add the directory \fIdirectory\fR to the list of directories to be searched for included files. This option may be specified multiple times. .TP \*(T<\fB\-f, \-\-file \fR\*(T>\fIfilename\fR Read input from \fIfilename\fR. @@ -111,7 +113,22 @@ double quotes (\*(T<"\*(T>). .PP Other files can be included by using the \fBinclude\fR statement. The directories to be searched for include files can be specified using -the \*(T<\fB\-I/\-\-includepath\fR\*(T> option. +the \*(T<\fB\-I/\-\-includepath\fR\*(T> option. You can override this behaviour +either by prepending ./ to your path to force inclusion of files located in the +current working directory (ie. relative path) or / for file location expressed +as an absolute path. +.PP +If -I/--includepath is not specified, then nft relies on the default directory +that is specified at compile time. You can retrieve this default directory via +-h/--help option. +.PP +Include statements support the usual shell wildcard symbols +(\*(T<*,?,[]\*(T>). Having no matches for an include statement is not +an error, if wildcard symbols are used in the include statement. This allows having +potentially empty include directories for statements like +\*(T. The wildcard matches are +loaded in alphabetical order. Files beginning with dot (\*(T<.\*(T>) are +not matched by include statements. .SS "SYMBOLIC VARIABLES" 'nh .fi @@ -164,7 +181,7 @@ IPv6 address family. Internet (IPv4/IPv6) address family. .TP \*(T<\fBarp\fR\*(T> -ARP address family, handling packets vi +ARP address family, handling IPv4 ARP packets. .TP \*(T<\fBbridge\fR\*(T> Bridge address family, handling packets which traverse a bridge device. @@ -247,6 +264,8 @@ T} .TE .SS "BRIDGE ADDRESS FAMILY" The bridge address family handles ethernet packets traversing bridge devices. +.PP +The list of supported hooks is identical to IPv4/IPv6/Inet address families above. .SS "NETDEV ADDRESS FAMILY" The Netdev address family handles packets from ingress. .PP @@ -269,6 +288,48 @@ before layer 3 protocol handlers and it can be used for early filtering and policing. T} .TE +.SH RULESET +'nh +.fi +.ad l +{list | flush} \fBruleset\fR [\fIfamily\fR] +.ad b +'hy +'nh +.fi +.ad l +{export} [\fBruleset\fR] {\fIformat\fR} +.ad b +'hy +.PP +The \fBruleset\fR keyword is used to identify the whole +set of tables, chains, etc. currently in place in kernel. The +following \fBruleset\fR commands exist: +.TP +\*(T<\fBlist\fR\*(T> +Print the ruleset in human-readable format. +.TP +\*(T<\fBflush\fR\*(T> +Clear the whole ruleset. Note that unlike iptables, this +will remove all tables and whatever they contain, +effectively leading to an empty ruleset - no packet +filtering will happen anymore, so the kernel accepts any +valid packet it receives. +.TP +\*(T<\fBexport\fR\*(T> +Print the ruleset in machine readable format. The +mandatory \fIformat\fR parameter +may be either \*(T or +\*(T. +.PP +It is possible to limit \fBlist\fR and +\fBflush\fR to a specific address family only. For a +list of valid family names, see \*(T
above. +.PP +Note that contrary to what one might assume, the output generated +by \fBexport\fR is not parseable by +\fBnft -f\fR. Instead, the output of +\fBlist\fR command serves well for that purpose. .SH TABLES 'nh .fi @@ -277,11 +338,12 @@ T} .ad b 'hy .PP -Tables are containers for chains and sets. They are identified by their address family +Tables are containers for chains, sets and stateful objects. They are identified by their address family and their name. The address family must be one of \*(T, \*(T, \*(T, \*(T, \*(T, \*(T. The \*(T address family is a dummy family which is used to create -hybrid IPv4/IPv6 tables. +hybrid IPv4/IPv6 tables. The \*(T expression \*(T +keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in. When no address family is specified, \*(T is used by default. .TP \*(T<\fBadd\fR\*(T> @@ -299,13 +361,21 @@ Flush all chains and rules of the specified table. 'nh .fi .ad l -{add} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fIhook\fR} {\fIpriority\fR} {\fIpolicy\fR} {\fIdevice\fR} +{add | create} \fBchain\fR [\fIfamily\fR] \fItable\fR \fIchain\fR [ +{ +{\fItype\fR} +{\fIhook\fR} +[\fIdevice\fR] +{\fIpriority\fR ;} +[\fIpolicy\fR ;] +} +] .ad b 'hy 'nh .fi .ad l -{add | create | delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} +{delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} .ad b 'hy 'nh @@ -326,7 +396,7 @@ value are specified, the chain is created as a base chain and hooked up to the networking stack. .TP \*(T<\fBcreate\fR\*(T> -Simlar to the \fBadd\fR command, but returns an error if the +Similar to the \fBadd\fR command, but returns an error if the chain already exists. .TP \*(T<\fBdelete\fR\*(T> @@ -341,6 +411,76 @@ List all rules of the specified chain. .TP \*(T<\fBflush\fR\*(T> Flush all rules of the specified chain. +.PP +For base chains, \fBtype\fR, \fBhook\fR and \fBpriority\fR parameters are mandatory. +.PP +\fBSupported chain types\fR +.TS +allbox ; +l | l | l | l. +T{ +Type +T} T{ +Families +T} T{ +Hooks +T} T{ +Description +T} +.T& +l | l | l | l +l | l | l | l +l | l | l | l. +T{ +filter +T} T{ +all +T} T{ +all +T} T{ +Standard chain type to use in doubt. +T} +T{ +nat +T} T{ +ip, ip6 +T} T{ +prerouting, input, output, postrouting +T} T{ +Chains of this type perform Native Address Translation based on conntrack entries. Only the first packet of a connection actually traverses this chain - its rules usually define details of the created conntrack entry (NAT statements for instance). +T} +T{ +route +T} T{ +ip, ip6 +T} T{ +output +T} T{ +If a packet has traversed a chain of this +type and is about to be accepted, a new route +lookup is performed if relevant parts of the IP +header have changed. This allows to e.g. +implement policy routing selectors in +nftables. +T} +.TE +.PP +Apart from the special cases illustrated above (e.g. \*(T type not supporting \*(T hook or \*(T type only supporting \*(T hook), there are two further quirks worth noticing: +.TP 0.2i +\(bu +\*(T family supports merely a single +combination, namely \*(T type and +\*(T hook. Base chains in this family also require the \*(T parameter to be present since they exist per incoming interface only. +.TP 0.2i +\(bu +\*(T family supports only +\*(T and \*(T +hooks, both in chains of type +\*(T. +.PP +The \*(T parameter accepts a signed integer value which specifies the order in which chains with same \*(T value are traversed. The ordering is ascending, i.e. lower priority values have precedence over higher ones. +.PP +Base chains also allow to set the chain's \*(T, i.e. what happens to packets not explicitly accepted or refused in contained rules. Supported policy values are \*(T (which is the default) or \*(T. .SH RULES 'nh .fi @@ -351,6 +491,12 @@ Flush all rules of the specified chain. 'nh .fi .ad l +{replace} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {handle \fIhandle\fR} {\fIstatement\fR}\&... +.ad b +'hy +'nh +.fi +.ad l {delete} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {handle \fIhandle\fR} .ad b 'hy @@ -367,540 +513,2786 @@ the rule given by the position. Similar to the \fBadd\fR command, but the rule is prepended to the beginning of the chain or before the rule at the given position. .TP +\*(T<\fBreplace\fR\*(T> +Similar to the \fBadd\fR command, but the rule replaces the specified rule. +.TP \*(T<\fBdelete\fR\*(T> Delete the specified rule. -.SH EXPRESSIONS -Expressions represent values, either constants like network addresses, port numbers etc. or data -gathered from the packet during ruleset evaluation. Expressions can be combined using binary, -logical, relational and other types of expressions to form complex or relational (match) expressions. -They are also used as arguments to certain types of operations, like NAT, packet marking etc. -.PP -Each expression has a data type, which determines the size, parsing and representation of -symbolic values and type compatibility with other expressions. -.SS "DESCRIBE COMMAND" +.SH SETS 'nh .fi .ad l -\fBdescribe\fR \kx -.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) -'in \n(.iu+\nxu -{\fIexpression\fR} -'in \n(.iu-\nxu +{add} \fBset\fR [\fIfamily\fR] {\fItable\fR} {\fIset\fR} +{ +{\fItype\fR} [\fIflags\fR] [\fItimeout\fR] [\fIgc-interval\fR] [\fIelements\fR] [\fIsize\fR] [\fIpolicy\fR] +} .ad b 'hy -.PP -The \fBdescribe\fR command shows information about the type of an expression and -its data type. -.PP -\fBThe describe command\fR -.PP -.nf -\*(T< -$ nft describe tcp flags -payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits - -pre\-defined symbolic constants: -fin 0x01 -syn 0x02 -rst 0x04 -psh 0x08 -ack 0x10 -urg 0x20 -ecn 0x40 -cwr 0x80 - \*(T> +'nh .fi -.SH "DATA TYPES" -Data types determine the size, parsing and representation of symbolic values and type compatibility -of expressions. A number of global data types exist, in addition some expression types define further -data types specific to the expression type. Most data types have a fixed size, some however may have -a dynamic size, f.i. the string type. +.ad l +{delete | list | flush} \fBset\fR [\fIfamily\fR] {\fItable\fR} {\fIset\fR} +.ad b +'hy +'nh +.fi +.ad l +{add | delete} \fBelement\fR [\fIfamily\fR] {\fItable\fR} {\fIset\fR} +{ +{\fIelements\fR} +} +.ad b +'hy .PP -Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer -type, meaning an IPv4 address can also be specified as an integer value. +Sets are elements containers of an user-defined data type, they are uniquely identified by an user-defined name and attached to tables. +.TP +\*(T<\fBadd\fR\*(T> +Add a new set in the specified table. +.TP +\*(T<\fBdelete\fR\*(T> +Delete the specified set. +.TP +\*(T<\fBlist\fR\*(T> +Display the elements in the specified set. +.TP +\*(T<\fBflush\fR\*(T> +Remove all elements from the specified set. +.TP +\*(T<\fBadd element\fR\*(T> +Comma-separated list of elements to add into the specified set. +.TP +\*(T<\fBdelete element\fR\*(T> +Comma-separated list of elements to delete from the specified set. .PP -In certain contexts (set and map definitions) it is necessary to explicitly specify a data type. -Each type has a name which is used for this. -.SS "INTEGER TYPE" +\fBSet specifications\fR .TS allbox ; -l | l | l | l. +l | l | l. T{ -Name -T} T{ Keyword T} T{ -Size +Description T} T{ -Base type +Type T} .T& -l | l | l | l. +l | l | l. T{ -Integer -T} T{ -integer +type T} T{ -variable +data type of set elements T} T{ -- +string: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark T} -.TE -.PP -The integer type is used for numeric values. It may be specified as decimal, hexadecimal -or octal number. The integer type doesn't have a fixed size, its size is determined by the -expression for which it is used. -.SS "BITMASK TYPE" -.TS -allbox ; -l | l | l | l. T{ -Name -T} T{ -Keyword +flags T} T{ -Size +set flags T} T{ -Base type +string: constant, interval, timeout T} -.T& -l | l | l | l. T{ -Bitmask +timeout T} T{ -bitmask -T} T{ -variable +time an element stays in the set T} T{ -integer +string, decimal followed by unit. Units are: d, h, m, s T} -.TE -.PP -The bitmask type (\fBbitmask\fR) is used for bitmasks. -.SS "STRING TYPE" -.TS -allbox ; -l | l | l | l. T{ -Name +gc-interval T} T{ -Keyword +garbage collection interval, only available when timeout or flag timeout are active T} T{ -Size +string, decimal followed by unit. Units are: d, h, m, s +T} +T{ +elements T} T{ -Base type +elements contained by the set +T} T{ +set data type T} -.T& -l | l | l | l. T{ -String +size T} T{ -string +maximun number of elements in the set T} T{ -variable +unsigned integer (64 bit) +T} +T{ +policy T} T{ -- +set policy +T} T{ +string: performance [default], memory T} .TE +.SH MAPS +'nh +.fi +.ad l +{add} \fBmap\fR [\fIfamily\fR] {\fItable\fR} {\fImap\fR} +{ +{\fItype\fR} [\fIflags\fR] [\fIelements\fR] [\fIsize\fR] [\fIpolicy\fR] +} +.ad b +'hy +'nh +.fi +.ad l +{delete | list | flush} \fBmap\fR [\fIfamily\fR] {\fItable\fR} {\fImap\fR} +.ad b +'hy +'nh +.fi +.ad l +{add | delete} \fBelement\fR [\fIfamily\fR] {\fItable\fR} {\fImap\fR} +{ +{\fIelements\fR} +} +.ad b +'hy .PP -The string type is used to for character strings. A string begins with an alphabetic character -(a-zA-Z) followed by zero or more alphanumeric characters or the characters \*(T, -\*(T<\-\*(T>, \*(T<_\*(T> and \*(T<.\*(T>. In addition anything enclosed -in double quotes (\*(T<"\*(T>) is recognized as a string. -.PP -\fBString specification\fR +Maps store data based on some specific key used as input, they are uniquely identified by an user-defined name and attached to tables. +.TP +\*(T<\fBadd\fR\*(T> +Add a new map in the specified table. +.TP +\*(T<\fBdelete\fR\*(T> +Delete the specified map. +.TP +\*(T<\fBlist\fR\*(T> +Display the elements in the specified map. +.TP +\*(T<\fBflush\fR\*(T> +Remove all elements from the specified map. +.TP +\*(T<\fBadd element\fR\*(T> +Comma-separated list of elements to add into the specified map. +.TP +\*(T<\fBdelete element\fR\*(T> +Comma-separated list of element keys to delete from the specified map. .PP -.nf -\*(T< -# Interface name -filter input iifname eth0 - -# Weird interface name -filter input iifname "(eth0)" - \*(T> -.fi -.SS "LINK LAYER ADDRESS TYPE" +\fBMap specifications\fR .TS allbox ; -l | l | l | l. +l | l | l. T{ -Name -T} T{ Keyword T} T{ -Size +Description T} T{ -Base type +Type T} .T& -l | l | l | l. +l | l | l. T{ -Link layer address +type T} T{ -lladdr +data type of map elements T} T{ -variable +string ':' string: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark, counter, quota. Counter and quota can't be used as keys +T} +T{ +flags T} T{ -integer +map flags +T} T{ +string: constant, interval T} -.TE +T{ +elements +T} T{ +elements contained by the map +T} T{ +map data type +T} +T{ +size +T} T{ +maximun number of elements in the map +T} T{ +unsigned integer (64 bit) +T} +T{ +policy +T} T{ +map policy +T} T{ +string: performance [default], memory +T} +.TE +.SH "STATEFUL OBJECTS" +'nh +.fi +.ad l +{add | delete | list | reset} \fBtype\fR [\fIfamily\fR] {\fItable\fR} {\fIobject\fR} +.ad b +'hy .PP -The link layer address type is used for link layer addresses. Link layer addresses are specified -as a variable amount of groups of two hexadecimal digits separated using colons (\*(T<:\*(T>). +Stateful objects are attached to tables and are identified by an unique name. They group stateful information from rules, to reference them in rules the keywords "type name" are used e.g. "counter name". +.TP +\*(T<\fBadd\fR\*(T> +Add a new stateful object in the specified table. +.TP +\*(T<\fBdelete\fR\*(T> +Delete the specified object. +.TP +\*(T<\fBlist\fR\*(T> +Display stateful information the object holds. +.TP +\*(T<\fBreset\fR\*(T> +List-and-reset stateful object. +.SS CT +'nh +.fi +.ad l +\fBct\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{helper} {type} {\fItype\fR} {protocol} {\fIprotocol\fR} [l3proto] [\fIfamily\fR] +'in \n(.iu-\nxu +.ad b +'hy .PP -\fBLink layer address specification\fR +Ct helper is used to define connection tracking helpers that can then be used in combination with the \*(T<"ct helper set"\*(T> statement. +type and protocol are mandatory, l3proto is derived from the table family by default, i.e. in the inet table the kernel will +try to load both the ipv4 and ipv6 helper backends, if they are supported by the kernel. .PP -.nf -\*(T< -# Ethernet destination MAC address -filter input ether daddr 20:c9:d0:43:12:d9 - \*(T> -.fi -.SS "IPV4 ADDRESS TYPE" +\fBconntrack helper specifications\fR .TS allbox ; -l | l | l | l. +l | l | l. T{ -Name -T} T{ Keyword T} T{ -Size +Description T} T{ -Base type +Type T} .T& -l | l | l | l. +l | l | l +l | l | l +l | l | l. T{ -IPv4 address +type T} T{ -ipv4_addr +name of helper type T} T{ -32 bit +quoted string (e.g. "ftp") +T} +T{ +protocol T} T{ -integer +layer 4 protocol of the helper +T} T{ +string (e.g. tcp) +T} +T{ +l3proto +T} T{ +layer 3 protocol of the helper +T} T{ +address family (e.g. ip) T} .TE .PP -The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal, -dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name -will be resolved using the standard system resolver. +\fBdefining and assigning ftp helper\fR .PP -\fBIPv4 address specification\fR +Unlike iptables, helper assignment needs to be performed after the conntrack lookup has completed, for example +with the default 0 hook priority. .PP .nf \*(T< -# dotted decimal notation -filter output ip daddr 127.0.0.1 - -# host name -filter output ip daddr localhost +table inet myhelpers { + ct helper ftp\-standard { + type "ftp" protocol tcp + } + chain prerouting { + type filter hook prerouting priority 0; + tcp dport 21 ct helper set "ftp\-standard" + } +} \*(T> .fi -.SS "IPV6 ADDRESS TYPE" +.SS COUNTER +'nh +.fi +.ad l +\fBcounter\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[packets bytes] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBCounter specifications\fR .TS allbox ; -l | l | l | l. +l | l | l. T{ -Name -T} T{ Keyword T} T{ -Size +Description T} T{ -Base type +Type T} .T& -l | l | l | l. +l | l | l +l | l | l. T{ -IPv6 address +packets T} T{ -ipv6_addr +initial count of packets T} T{ -128 bit +unsigned integer (64 bit) +T} +T{ +bytes T} T{ -integer +initial count of bytes +T} T{ +unsigned integer (64 bit) T} .TE -.PP -The IPv6 address type is used for IPv6 addresses. FIXME -.PP -\fBIPv6 address specification\fR -.PP -.nf -\*(T< -# abbreviated loopback address -filter output ip6 daddr ::1 - \*(T> -.fi -.SH "PRIMARY EXPRESSIONS" -The lowest order expression is a primary expression, representing either a constant or a single -datum from a packet's payload, meta data or a stateful module. -.SS "META EXPRESSIONS" +.SS QUOTA 'nh .fi .ad l -\fBmeta\fR \kx +\fBquota\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -{length | nfproto | l4proto | protocol | priority} +[over | until] [used] 'in \n(.iu-\nxu .ad b 'hy +.PP +\fBQuota specifications\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l +l | l | l. +T{ +quota +T} T{ +quota limit, used as the quota name +T} T{ +Two arguments, unsigned interger (64 bit) and string: bytes, kbytes, mbytes. "over" and "until" go before these arguments +T} +T{ +used +T} T{ +initial value of used quota +T} T{ +Two arguments, unsigned interger (64 bit) and string: bytes, kbytes, mbytes +T} +.TE +.SH EXPRESSIONS +Expressions represent values, either constants like network addresses, port numbers etc. or data +gathered from the packet during ruleset evaluation. Expressions can be combined using binary, +logical, relational and other types of expressions to form complex or relational (match) expressions. +They are also used as arguments to certain types of operations, like NAT, packet marking etc. +.PP +Each expression has a data type, which determines the size, parsing and representation of +symbolic values and type compatibility with other expressions. +.SS "DESCRIBE COMMAND" 'nh .fi .ad l -[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibriport | obriport | pkttype | cpu | iifgroup | oifgroup | cgroup} +\fBdescribe\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{\fIexpression\fR} +'in \n(.iu-\nxu .ad b 'hy .PP -A meta expression refers to meta data associated with a packet. +The \fBdescribe\fR command shows information about the type of an expression and +its data type. .PP -There are two types of meta expressions: unqualified and qualified meta expressions. -Qualified meta expressions require the \fBmeta\fR keyword before the -meta key, unqualified meta expressions can be specified by using the meta key directly -or as qualified meta expressions. +\fBThe describe command\fR .PP -\fBMeta expression types\fR +.nf +\*(T< +$ nft describe tcp flags +payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits + +pre\-defined symbolic constants: +fin 0x01 +syn 0x02 +rst 0x04 +psh 0x08 +ack 0x10 +urg 0x20 +ecn 0x40 +cwr 0x80 + \*(T> +.fi +.SH "DATA TYPES" +Data types determine the size, parsing and representation of symbolic values and type compatibility +of expressions. A number of global data types exist, in addition some expression types define further +data types specific to the expression type. Most data types have a fixed size, some however may have +a dynamic size, f.i. the string type. +.PP +Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer +type, meaning an IPv4 address can also be specified as an integer value. +.PP +In certain contexts (set and map definitions) it is necessary to explicitly specify a data type. +Each type has a name which is used for this. +.SS "INTEGER TYPE" .TS allbox ; -l | l | l. +l | l | l | l. T{ +Name +T} T{ Keyword T} T{ -Description +Size T} T{ -Type +Base type T} .T& -l | l | l. +l | l | l | l. T{ -length +Integer T} T{ -Length of the packet in bytes +integer T} T{ -integer (32 bit) +variable +T} T{ +- T} +.TE +.PP +The integer type is used for numeric values. It may be specified as decimal, hexadecimal +or octal number. The integer type doesn't have a fixed size, its size is determined by the +expression for which it is used. +.SS "BITMASK TYPE" +.TS +allbox ; +l | l | l | l. T{ -protocol +Name T} T{ -Ethertype protocol value +Keyword T} T{ -ether_type +Size +T} T{ +Base type T} +.T& +l | l | l | l. T{ -priority +Bitmask T} T{ -TC packet priority +bitmask T} T{ -integer (32 bit) +variable +T} T{ +integer T} +.TE +.PP +The bitmask type (\fBbitmask\fR) is used for bitmasks. +.SS "STRING TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +String +T} T{ +string +T} T{ +variable +T} T{ +- +T} +.TE +.PP +The string type is used to for character strings. A string begins with an alphabetic character +(a-zA-Z) followed by zero or more alphanumeric characters or the characters \*(T, +\*(T<\-\*(T>, \*(T<_\*(T> and \*(T<.\*(T>. In addition anything enclosed +in double quotes (\*(T<"\*(T>) is recognized as a string. +.PP +\fBString specification\fR +.PP +.nf +\*(T< +# Interface name +filter input iifname eth0 + +# Weird interface name +filter input iifname "(eth0)" + \*(T> +.fi +.SS "LINK LAYER ADDRESS TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +Link layer address +T} T{ +lladdr +T} T{ +variable +T} T{ +integer +T} +.TE +.PP +The link layer address type is used for link layer addresses. Link layer addresses are specified +as a variable amount of groups of two hexadecimal digits separated using colons (\*(T<:\*(T>). +.PP +\fBLink layer address specification\fR +.PP +.nf +\*(T< +# Ethernet destination MAC address +filter input ether daddr 20:c9:d0:43:12:d9 + \*(T> +.fi +.SS "IPV4 ADDRESS TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +IPv4 address +T} T{ +ipv4_addr +T} T{ +32 bit +T} T{ +integer +T} +.TE +.PP +The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal, +dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name +will be resolved using the standard system resolver. +.PP +\fBIPv4 address specification\fR +.PP +.nf +\*(T< +# dotted decimal notation +filter output ip daddr 127.0.0.1 + +# host name +filter output ip daddr localhost + \*(T> +.fi +.SS "IPV6 ADDRESS TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +IPv6 address +T} T{ +ipv6_addr +T} T{ +128 bit +T} T{ +integer +T} +.TE +.PP +The IPv6 address type is used for IPv6 addresses. FIXME +.PP +\fBIPv6 address specification\fR +.PP +.nf +\*(T< +# abbreviated loopback address +filter output ip6 daddr ::1 + \*(T> +.fi +.SS "BOOLEAN TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +Boolean +T} T{ +boolean +T} T{ +1 bit +T} T{ +integer +T} +.TE +.PP +The boolean type is a syntactical helper type in user space. +It's use is in the right-hand side of a (typically implicit) +relational expression to change the expression on the left-hand +side into a boolean check (usually for existence). +.PP +The following keywords will automatically resolve into a boolean +type with given value: +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l +l | l. +T{ +exists +T} T{ +1 +T} +T{ +missing +T} T{ +0 +T} +.TE +.PP +\fBBoolean specification\fR +.PP +The following expressions support a boolean comparison: +.TS +allbox ; +l | l. +T{ +Expression +T} T{ +Behaviour +T} +.T& +l | l +l | l +l | l. +T{ +fib +T} T{ +Check route existence. +T} +T{ +exthdr +T} T{ +Check IPv6 extension header existence. +T} +T{ +tcp option +T} T{ +Check TCP option header existence. +T} +.TE +.PP +.nf +\*(T< +# match if route exists +filter input fib daddr . iif oif exists + +# match only non\-fragmented packets in IPv6 traffic +filter input exthdr frag missing + +# match if TCP timestamp option is present +filter input tcp option timestamp exists + \*(T> +.fi +.SS "ICMP TYPE TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +ICMP Type +T} T{ +icmp_type +T} T{ +8 bit +T} T{ +integer +T} +.TE +.PP +The ICMP Type type is used to conveniently specify the ICMP header's type field. +.PP +The following keywords may be used when specifying the ICMP type: +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l. +T{ +echo-reply +T} T{ +0 +T} +T{ +destination-unreachable +T} T{ +3 +T} +T{ +source-quench +T} T{ +4 +T} +T{ +redirect +T} T{ +5 +T} +T{ +echo-request +T} T{ +8 +T} +T{ +router-advertisement +T} T{ +9 +T} +T{ +router-solicitation +T} T{ +10 +T} +T{ +time-exceeded +T} T{ +11 +T} +T{ +parameter-problem +T} T{ +12 +T} +T{ +timestamp-request +T} T{ +13 +T} +T{ +timestamp-reply +T} T{ +14 +T} +T{ +info-request +T} T{ +15 +T} +T{ +info-reply +T} T{ +16 +T} +T{ +address-mask-request +T} T{ +17 +T} +T{ +address-mask-reply +T} T{ +18 +T} +.TE +.PP +\fBICMP Type specification\fR +.PP +.nf +\*(T< +# match ping packets +filter output icmp type { echo\-request, echo\-reply } + \*(T> +.fi +.SS "ICMP CODE TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +ICMP Code +T} T{ +icmp_code +T} T{ +8 bit +T} T{ +integer +T} +.TE +.PP +The ICMP Code type is used to conveniently specify the ICMP header's code field. +.PP +The following keywords may be used when specifying the ICMP code: +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l. +T{ +net-unreachable +T} T{ +0 +T} +T{ +host-unreachable +T} T{ +1 +T} +T{ +prot-unreachable +T} T{ +2 +T} +T{ +port-unreachable +T} T{ +3 +T} +T{ +net-prohibited +T} T{ +9 +T} +T{ +host-prohibited +T} T{ +10 +T} +T{ +admin-prohibited +T} T{ +13 +T} +.TE +.SS "ICMPV6 TYPE TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +ICMPv6 Type +T} T{ +icmpv6_type +T} T{ +8 bit +T} T{ +integer +T} +.TE +.PP +The ICMPv6 Type type is used to conveniently specify the ICMPv6 header's type field. +.PP +The following keywords may be used when specifying the ICMPv6 type: +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l. +T{ +destination-unreachable +T} T{ +1 +T} +T{ +packet-too-big +T} T{ +2 +T} +T{ +time-exceeded +T} T{ +3 +T} +T{ +parameter-problem +T} T{ +4 +T} +T{ +echo-request +T} T{ +128 +T} +T{ +echo-reply +T} T{ +129 +T} +T{ +mld-listener-query +T} T{ +130 +T} +T{ +mld-listener-report +T} T{ +131 +T} +T{ +mld-listener-done +T} T{ +132 +T} +T{ +mld-listener-reduction +T} T{ +132 +T} +T{ +nd-router-solicit +T} T{ +133 +T} +T{ +nd-router-advert +T} T{ +134 +T} +T{ +nd-neighbor-solicit +T} T{ +135 +T} +T{ +nd-neighbor-advert +T} T{ +136 +T} +T{ +nd-redirect +T} T{ +137 +T} +T{ +router-renumbering +T} T{ +138 +T} +T{ +ind-neighbor-solicit +T} T{ +141 +T} +T{ +ind-neighbor-advert +T} T{ +142 +T} +T{ +mld2-listener-report +T} T{ +143 +T} +.TE +.PP +\fBICMPv6 Type specification\fR +.PP +.nf +\*(T< +# match ICMPv6 ping packets +filter output icmpv6 type { echo\-request, echo\-reply } + \*(T> +.fi +.SS "ICMPV6 CODE TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +ICMPv6 Code +T} T{ +icmpv6_code +T} T{ +8 bit +T} T{ +integer +T} +.TE +.PP +The ICMPv6 Code type is used to conveniently specify the ICMPv6 header's code field. +.PP +The following keywords may be used when specifying the ICMPv6 code: +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l. +T{ +no-route +T} T{ +0 +T} +T{ +admin-prohibited +T} T{ +1 +T} +T{ +addr-unreachable +T} T{ +3 +T} +T{ +port-unreachable +T} T{ +4 +T} +T{ +policy-fail +T} T{ +5 +T} +T{ +reject-route +T} T{ +6 +T} +.TE +.SS "ICMPVX CODE TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +ICMPvX Code +T} T{ +icmpx_code +T} T{ +8 bit +T} T{ +integer +T} +.TE +.PP +The ICMPvX Code type abstraction is a set of values which +overlap between ICMP and ICMPv6 Code types to be used from the +inet family. +.PP +The following keywords may be used when specifying the ICMPvX code: +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l. +T{ +no-route +T} T{ +0 +T} +T{ +port-unreachable +T} T{ +1 +T} +T{ +host-unreachable +T} T{ +2 +T} +T{ +admin-prohibited +T} T{ +3 +T} +.TE +.SS "CONNTRACK TYPES" +This is an overview of types used in \fBct\fR +expression and statement: +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +conntrack state +T} T{ +ct_state +T} T{ +4 byte +T} T{ +bitmask +T} +T{ +conntrack direction +T} T{ +ct_dir +T} T{ +8 bit +T} T{ +integer +T} +T{ +conntrack status +T} T{ +ct_status +T} T{ +4 byte +T} T{ +bitmask +T} +T{ +conntrack event bits +T} T{ +ct_event +T} T{ +4 byte +T} T{ +bitmask +T} +T{ +conntrack label +T} T{ +ct_label +T} T{ +128 bit +T} T{ +bitmask +T} +.TE +.PP +For each of the types above, keywords are available for convenience: + +\fBconntrack state (ct_state)\fR +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l. +T{ +invalid +T} T{ +1 +T} +T{ +established +T} T{ +2 +T} +T{ +related +T} T{ +4 +T} +T{ +new +T} T{ +8 +T} +T{ +untracked +T} T{ +64 +T} +.TE +.PP +\fBconntrack direction (ct_dir)\fR +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l +l | l. +T{ +original +T} T{ +0 +T} +T{ +reply +T} T{ +1 +T} +.TE +.PP +\fBconntrack status (ct_status)\fR +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l. +T{ +expected +T} T{ +1 +T} +T{ +seen-reply +T} T{ +2 +T} +T{ +assured +T} T{ +4 +T} +T{ +confirmed +T} T{ +8 +T} +T{ +snat +T} T{ +16 +T} +T{ +dnat +T} T{ +32 +T} +T{ +dying +T} T{ +512 +T} +.TE +.PP +\fBconntrack event bits (ct_event)\fR +.TS +allbox ; +l | l. +T{ +Keyword +T} T{ +Value +T} +.T& +l | l. +T{ +new +T} T{ +1 +T} +T{ +related +T} T{ +2 +T} +T{ +destroy +T} T{ +4 +T} +T{ +reply +T} T{ +8 +T} +T{ +assured +T} T{ +16 +T} +T{ +protoinfo +T} T{ +32 +T} +T{ +helper +T} T{ +64 +T} +T{ +mark +T} T{ +128 +T} +T{ +seqadj +T} T{ +256 +T} +T{ +secmark +T} T{ +512 +T} +T{ +label +T} T{ +1024 +T} +.TE +.PP +Possible keywords for conntrack label type +(\fBct_label\fR) are read at runtime from +\*(T. +.SH "PRIMARY EXPRESSIONS" +The lowest order expression is a primary expression, representing either a constant or a single +datum from a packet's payload, meta data or a stateful module. +.SS "META EXPRESSIONS" +'nh +.fi +.ad l +\fBmeta\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{length | nfproto | l4proto | protocol | priority} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibriport | obriport | pkttype | cpu | iifgroup | oifgroup | cgroup | random} +.ad b +'hy +.PP +A meta expression refers to meta data associated with a packet. +.PP +There are two types of meta expressions: unqualified and qualified meta expressions. +Qualified meta expressions require the \fBmeta\fR keyword before the +meta key, unqualified meta expressions can be specified by using the meta key directly +or as qualified meta expressions. +.PP +\fBMeta expression types\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +length +T} T{ +Length of the packet in bytes +T} T{ +integer (32 bit) +T} +T{ +nfproto +T} T{ +real hook protocol family, useful only in inet table +T} T{ +integer (32 bit) +T} +T{ +protocol +T} T{ +Ethertype protocol value +T} T{ +ether_type +T} +T{ +priority +T} T{ +TC packet priority +T} T{ +tc_handle +T} +T{ +mark +T} T{ +Packet mark +T} T{ +mark +T} +T{ +iif +T} T{ +Input interface index +T} T{ +iface_index +T} +T{ +iifname +T} T{ +Input interface name +T} T{ +string +T} +T{ +iiftype +T} T{ +Input interface type +T} T{ +iface_type +T} +T{ +oif +T} T{ +Output interface index +T} T{ +iface_index +T} +T{ +oifname +T} T{ +Output interface name +T} T{ +string +T} +T{ +oiftype +T} T{ +Output interface hardware type +T} T{ +iface_type +T} +T{ +skuid +T} T{ +UID associated with originating socket +T} T{ +uid +T} +T{ +skgid +T} T{ +GID associated with originating socket +T} T{ +gid +T} +T{ +rtclassid +T} T{ +Routing realm +T} T{ +realm +T} +T{ +ibriport +T} T{ +Input bridge interface name +T} T{ +string +T} +T{ +obriport +T} T{ +Output bridge interface name +T} T{ +string +T} +T{ +pkttype +T} T{ +packet type +T} T{ +pkt_type +T} +T{ +cpu +T} T{ +cpu number processing the packet +T} T{ +integer (32 bits) +T} +T{ +iifgroup +T} T{ +incoming device group +T} T{ +devgroup +T} +T{ +oifgroup +T} T{ +outgoing device group +T} T{ +devgroup +T} +T{ +cgroup +T} T{ +control group id +T} T{ +integer (32 bits) +T} +T{ +random +T} T{ +pseudo-random number +T} T{ +integer (32 bits) +T} +.TE +.PP +\fBMeta expression specific types\fR +.TS +allbox ; +l | l. +T{ +Type +T} T{ +Description +T} +.T& +l | l. +T{ +iface_index +T} T{ +Interface index (32 bit number). Can be specified numerically +or as name of an existing interface. +T} +T{ +ifname +T} T{ +Interface name (16 byte string). Does not have to exist. +T} +T{ +iface_type +T} T{ +Interface type (16 bit number). +T} +T{ +uid +T} T{ +User ID (32 bit number). Can be specified numerically or as +user name. +T} +T{ +gid +T} T{ +Group ID (32 bit number). Can be specified numerically or as +group name. +T} +T{ +realm +T} T{ +Routing Realm (32 bit number). Can be specified numerically +or as symbolic name defined in /etc/iproute2/rt_realms. +T} +T{ +devgroup_type +T} T{ +Device group (32 bit number). Can be specified numerically +or as symbolic name defined in /etc/iproute2/group. +T} +T{ +pkt_type +T} T{ +Packet type: Unicast (addressed to local host), +Broadcast (to all), Multicast (to group). +T} +.TE +.PP +\fBUsing meta expressions\fR +.PP +.nf +\*(T< +# qualified meta expression +filter output meta oif eth0 + +# unqualified meta expression +filter output oif eth0 + \*(T> +.fi +.SS "FIB EXPRESSIONS" +'nh +.fi +.ad l +\fBfib\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{saddr | daddr | [mark | iif | oif]} {oif | oifname | type} +'in \n(.iu-\nxu +.ad b +'hy +.PP +A fib expression queries the fib (forwarding information base) +to obtain information such as the output interface index a particular address would use. The input is a tuple of elements that is used as input to the fib lookup +functions. +.PP +\fBfib expression specific types\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l +l | l | l +l | l | l. +T{ +oif +T} T{ +Output interface index +T} T{ +integer (32 bit) +T} +T{ +oifname +T} T{ +Output interface name +T} T{ +string +T} +T{ +type +T} T{ +Address type +T} T{ +fib_addrtype +T} +.TE +.PP +\fBUsing fib expressions\fR +.PP +.nf +\*(T< +# drop packets without a reverse path +filter prerouting fib saddr . iif oif missing drop + +# drop packets to address not configured on ininterface +filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop + +# perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule) +filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop } + \*(T> +.fi +.SS "ROUTING EXPRESSIONS" +'nh +.fi +.ad l +\fBrt\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{classid | nexthop} +'in \n(.iu-\nxu +.ad b +'hy +.PP +A routing expression refers to routing data associated with a packet. +.PP +\fBRouting expression types\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l +l | l | l +l | l | l. +T{ +classid +T} T{ +Routing realm +T} T{ +realm +T} +T{ +nexthop +T} T{ +Routing nexthop +T} T{ +ipv4_addr/ipv6_addr +T} +T{ +mtu +T} T{ +TCP maximum segment size of route +T} T{ +integer (16 bit) +T} +.TE +.PP +\fBRouting expression specific types\fR +.TS +allbox ; +l | l. +T{ +Type +T} T{ +Description +T} +.T& +l | l. +T{ +realm +T} T{ +Routing Realm (32 bit number). Can be specified numerically +or as symbolic name defined in /etc/iproute2/rt_realms. +T} +.TE +.PP +\fBUsing routing expressions\fR +.PP +.nf +\*(T< +# IP family independent rt expression +filter output rt classid 10 + +# IP family dependent rt expressions +ip filter output rt nexthop 192.168.0.1 +ip6 filter output rt nexthop fd00::1 +inet filter output rt ip nexthop 192.168.0.1 +inet filter output rt ip6 nexthop fd00::1 + \*(T> +.fi +.SH "PAYLOAD EXPRESSIONS" +Payload expressions refer to data from the packet's payload. +.SS "ETHERNET HEADER EXPRESSION" +'nh +.fi +.ad l +\fBether\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIethernet header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBEthernet header expression types\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l +l | l | l +l | l | l. +T{ +daddr +T} T{ +Destination MAC address +T} T{ +ether_addr +T} +T{ +saddr +T} T{ +Source MAC address +T} T{ +ether_addr +T} +T{ +type +T} T{ +EtherType +T} T{ +ether_type +T} +.TE +.SS "VLAN HEADER EXPRESSION" +'nh +.fi +.ad l +\fBvlan\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIVLAN header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBVLAN header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +id +T} T{ +VLAN ID (VID) +T} T{ +integer (12 bit) +T} +T{ +cfi +T} T{ +Canonical Format Indicator +T} T{ +integer (1 bit) +T} +T{ +pcp +T} T{ +Priority code point +T} T{ +integer (3 bit) +T} +T{ +type +T} T{ +EtherType +T} T{ +ether_type +T} +.TE +.SS "ARP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBarp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIARP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBARP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +htype +T} T{ +ARP hardware type +T} T{ +integer (16 bit) +T} +T{ +ptype +T} T{ +EtherType +T} T{ +ether_type +T} +T{ +hlen +T} T{ +Hardware address len +T} T{ +integer (8 bit) +T} +T{ +plen +T} T{ +Protocol address len +T} T{ +integer (8 bit) +T} +T{ +operation +T} T{ +Operation +T} T{ +arp_op +T} +.TE +.SS "IPV4 HEADER EXPRESSION" +'nh +.fi +.ad l +\fBip\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIIPv4 header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBIPv4 header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +version +T} T{ +IP header version (4) +T} T{ +integer (4 bit) +T} +T{ +hdrlength +T} T{ +IP header length including options +T} T{ +integer (4 bit) FIXME scaling +T} +T{ +dscp +T} T{ +Differentiated Services Code Point +T} T{ +dscp +T} +T{ +ecn +T} T{ +Explicit Congestion Notification +T} T{ +ecn +T} +T{ +length +T} T{ +Total packet length +T} T{ +integer (16 bit) +T} +T{ +id +T} T{ +IP ID +T} T{ +integer (16 bit) +T} +T{ +frag-off +T} T{ +Fragment offset +T} T{ +integer (16 bit) +T} +T{ +ttl +T} T{ +Time to live +T} T{ +integer (8 bit) +T} +T{ +protocol +T} T{ +Upper layer protocol +T} T{ +inet_proto +T} +T{ +checksum +T} T{ +IP header checksum +T} T{ +integer (16 bit) +T} +T{ +saddr +T} T{ +Source address +T} T{ +ipv4_addr +T} +T{ +daddr +T} T{ +Destination address +T} T{ +ipv4_addr +T} +.TE +.SS "ICMP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBicmp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIICMP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBICMP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +type +T} T{ +ICMP type field +T} T{ +icmp_type +T} +T{ +code +T} T{ +ICMP code field +T} T{ +integer (8 bit) +T} +T{ +checksum +T} T{ +ICMP checksum field +T} T{ +integer (16 bit) +T} +T{ +id +T} T{ +ID of echo request/response +T} T{ +integer (16 bit) +T} +T{ +sequence +T} T{ +sequence number of echo request/response +T} T{ +integer (16 bit) +T} +T{ +gateway +T} T{ +gateway of redirects +T} T{ +integer (32 bit) +T} +T{ +mtu +T} T{ +MTU of path MTU discovery +T} T{ +integer (16 bit) +T} +.TE +.SS "IPV6 HEADER EXPRESSION" +'nh +.fi +.ad l +\fBip6\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIIPv6 header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBIPv6 header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +version +T} T{ +IP header version (6) +T} T{ +integer (4 bit) +T} +T{ +dscp +T} T{ +Differentiated Services Code Point +T} T{ +dscp +T} +T{ +ecn +T} T{ +Explicit Congestion Notification +T} T{ +ecn +T} +T{ +flowlabel +T} T{ +Flow label +T} T{ +integer (20 bit) +T} +T{ +length +T} T{ +Payload length +T} T{ +integer (16 bit) +T} +T{ +nexthdr +T} T{ +Nexthdr protocol +T} T{ +inet_proto +T} +T{ +hoplimit +T} T{ +Hop limit +T} T{ +integer (8 bit) +T} +T{ +saddr +T} T{ +Source address +T} T{ +ipv6_addr +T} +T{ +daddr +T} T{ +Destination address +T} T{ +ipv6_addr +T} +.TE +.SS "ICMPV6 HEADER EXPRESSION" +'nh +.fi +.ad l +\fBicmpv6\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIICMPv6 header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBICMPv6 header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +type +T} T{ +ICMPv6 type field +T} T{ +icmpv6_type +T} +T{ +code +T} T{ +ICMPv6 code field +T} T{ +integer (8 bit) +T} +T{ +checksum +T} T{ +ICMPv6 checksum field +T} T{ +integer (16 bit) +T} +T{ +parameter-problem +T} T{ +pointer to problem +T} T{ +integer (32 bit) +T} +T{ +packet-too-big +T} T{ +oversized MTU +T} T{ +integer (32 bit) +T} +T{ +id +T} T{ +ID of echo request/response +T} T{ +integer (16 bit) +T} +T{ +sequence +T} T{ +sequence number of echo request/response +T} T{ +integer (16 bit) +T} +T{ +max-delay +T} T{ +maximum response delay of MLD queries +T} T{ +integer (16 bit) +T} +.TE +.SS "TCP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBtcp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fITCP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBTCP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +sport +T} T{ +Source port +T} T{ +inet_service +T} +T{ +dport +T} T{ +Destination port +T} T{ +inet_service +T} +T{ +sequence +T} T{ +Sequence number +T} T{ +integer (32 bit) +T} +T{ +ackseq +T} T{ +Acknowledgement number +T} T{ +integer (32 bit) +T} +T{ +doff +T} T{ +Data offset +T} T{ +integer (4 bit) FIXME scaling +T} +T{ +reserved +T} T{ +Reserved area +T} T{ +integer (4 bit) +T} +T{ +flags +T} T{ +TCP flags +T} T{ +tcp_flag +T} +T{ +window +T} T{ +Window +T} T{ +integer (16 bit) +T} +T{ +checksum +T} T{ +Checksum +T} T{ +integer (16 bit) +T} +T{ +urgptr +T} T{ +Urgent pointer +T} T{ +integer (16 bit) +T} +.TE +.SS "UDP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBudp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIUDP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBUDP header expression\fR +.TS +allbox ; +l | l | l. T{ -mark +Keyword T} T{ -Packet mark +Description T} T{ -packetmark +Type T} +.T& +l | l | l. T{ -iif +sport T} T{ -Input interface index +Source port T} T{ -iface_index +inet_service T} T{ -iifname +dport T} T{ -Input interface name +Destination port T} T{ -string +inet_service T} T{ -iiftype +length T} T{ -Input interface type +Total packet length T} T{ -iface_type +integer (16 bit) T} T{ -oif +checksum T} T{ -Output interface index +Checksum T} T{ -iface_index +integer (16 bit) T} +.TE +.SS "UDP-LITE HEADER EXPRESSION" +'nh +.fi +.ad l +\fBudplite\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIUDP-Lite header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBUDP-Lite header expression\fR +.TS +allbox ; +l | l | l. T{ -oifname +Keyword T} T{ -Output interface name +Description T} T{ -string +Type T} +.T& +l | l | l +l | l | l +l | l | l. T{ -oiftype +sport T} T{ -Output interface hardware type +Source port T} T{ -iface_type +inet_service T} T{ -skuid +dport T} T{ -UID associated with originating socket +Destination port T} T{ -uid +inet_service T} T{ -skgid +checksum T} T{ -GID associated with originating socket +Checksum T} T{ -gid +integer (16 bit) T} +.TE +.SS "SCTP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBsctp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fISCTP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBSCTP header expression\fR +.TS +allbox ; +l | l | l. T{ -rtclassid +Keyword T} T{ -Routing realm +Description T} T{ -realm +Type T} +.T& +l | l | l. T{ -ibriport +sport T} T{ -Input bridge interface name +Source port T} T{ -string +inet_service T} T{ -obriport +dport T} T{ -Output bridge interface name +Destination port T} T{ -string +inet_service T} T{ -pkttype +vtag T} T{ -packet type +Verfication Tag T} T{ -pkt_type +integer (32 bit) T} T{ -cpu +checksum T} T{ -cpu number processing the packet +Checksum T} T{ -integer (32 bits) +integer (32 bit) T} +.TE +.SS "DCCP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBdccp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIDCCP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBDCCP header expression\fR +.TS +allbox ; +l | l | l. T{ -iifgroup +Keyword T} T{ -incoming device group +Description T} T{ -devgroup_type +Type T} +.T& +l | l | l +l | l | l. T{ -oifgroup +sport T} T{ -outgoing device group +Source port T} T{ -devgroup_type +inet_service T} T{ -cgroup +dport T} T{ -control group id +Destination port T} T{ -integer (32 bits) +inet_service T} .TE +.SS "AUTHENTICATION HEADER EXPRESSION" +'nh +.fi +.ad l +\fBah\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIAH header field\fR] +'in \n(.iu-\nxu +.ad b +'hy .PP -\fBMeta expression specific types\fR +\fBAH header expression\fR .TS allbox ; -l | l. +l | l | l. T{ -Type +Keyword T} T{ Description +T} T{ +Type T} .T& -l | l. +l | l | l. T{ -iface_index +nexthdr T} T{ -Interface index (32 bit number). Can be specified numerically -or as name of an existing interface. -T} -T{ -ifname +Next header protocol T} T{ -Interface name (16 byte string). Does not have to exist. +inet_proto T} T{ -iface_type +hdrlength T} T{ -Interface type (16 bit number). -T} -T{ -uid +AH Header length T} T{ -User ID (32 bit number). Can be specified numerically or as -user name. +integer (8 bit) T} T{ -gid +reserved T} T{ -Group ID (32 bit number). Can be specified numerically or as -group name. -T} -T{ -realm +Reserved area T} T{ -Routing Realm (32 bit number). Can be specified numerically -or as symbolic name defined in /etc/iproute2/rt_realms. +integer (16 bit) T} T{ -devgroup_type +spi T} T{ -Device group (32 bit number). Can be specified numerically -or as symbolic name defined in /etc/iproute2/group. +Security Parameter Index +T} T{ +integer (32 bit) T} T{ -pkt_type +sequence T} T{ -Packet type: Unicast (addressed to local host), -Broadcast (to all), Multicast (to group). -T} -.TE -.PP -\fBUsing meta expressions\fR -.PP -.nf -\*(T< -# qualified meta expression -filter output meta oif eth0 - -# unqualified meta expression -filter output oif eth0 - \*(T> -.fi -.SH "PAYLOAD EXPRESSIONS" -Payload expressions refer to data from the packet's payload. -.SS "ETHERNET HEADER EXPRESSION" +Sequence number +T} T{ +integer (32 bit) +T} +.TE +.SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION" 'nh .fi .ad l -\fBether\fR \kx +\fBesp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fIethernet header field\fR] +[\fIESP header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP -\fBEthernet header expression types\fR +\fBESP header expression\fR .TS allbox ; l | l | l. @@ -913,43 +3305,35 @@ Type T} .T& l | l | l -l | l | l l | l | l. T{ -daddr -T} T{ -Destination MAC address -T} T{ -ether_addr -T} -T{ -saddr +spi T} T{ -Source MAC address +Security Parameter Index T} T{ -ether_addr +integer (32 bit) T} T{ -type +sequence T} T{ -EtherType +Sequence number T} T{ -ether_type +integer (32 bit) T} .TE -.SS "VLAN HEADER EXPRESSION" +.SS "IPCOMP HEADER EXPRESSION" 'nh .fi .ad l -\fBvlan\fR \kx +\fBcomp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fIVLAN header field\fR] +[\fIIPComp header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP -\fBVLAN header expression\fR +\fBIPComp header expression\fR .TS allbox ; l | l | l. @@ -961,110 +3345,159 @@ T} T{ Type T} .T& +l | l | l +l | l | l l | l | l. T{ -id -T} T{ -VLAN ID (VID) -T} T{ -integer (12 bit) -T} -T{ -cfi +nexthdr T} T{ -Canonical Format Indicator +Next header protocol T} T{ -flag +inet_proto T} T{ -pcp +flags T} T{ -Priority code point +Flags T} T{ -integer (3 bit) +bitmask T} T{ -type +cpi T} T{ -EtherType +Compression Parameter Index T} T{ -ethertype +integer (16 bit) T} .TE -.SS "ARP HEADER EXPRESSION" +.SS "EXTENSION HEADER EXPRESSIONS" +Extension header expressions refer to data from variable-sized protocol headers, such as IPv6 extension headers and +TCPs options. +.PP +nftables currently supports matching (finding) a given ipv6 extension header or TCP option. 'nh .fi .ad l -\fBarp\fR \kx +\fBhbh\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fIARP header field\fR] +{nexthdr | hdrlength} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBfrag\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{nexthdr | frag-off | more-fragments | id} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBrt\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{nexthdr | hdrlength | type | seg-left} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBdst\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{nexthdr | hdrlength} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBmh\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{nexthdr | hdrlength | checksum | type} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBtcp option\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{eol | noop | maxseg | window | sack-permitted | sack | sack0 | sack1 | sack2 | sack3 | timestamp} \fItcp_option_field\fR 'in \n(.iu-\nxu .ad b 'hy .PP -\fBARP header expression\fR +The following syntaxes are valid only in a relational expression +with boolean type on right-hand side for checking header existence only: +'nh +.fi +.ad l +\fBexthdr\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{hbh | frag | rt | dst | mh} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBtcp option\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{eol | noop | maxseg | window | sack-permitted | sack | sack0 | sack1 | sack2 | sack3 | timestamp} +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBIPv6 extension headers\fR .TS allbox ; -l | l | l. +l | l. T{ Keyword T} T{ Description -T} T{ -Type T} .T& -l | l | l. +l | l. T{ -htype -T} T{ -ARP hardware type +hbh T} T{ -integer (16 bit) +Hop by Hop T} T{ -ptype -T} T{ -EtherType +rt T} T{ -ethertype +Routing Header T} T{ -hlen -T} T{ -Hardware address len +frag T} T{ -integer (8 bit) +Fragmentation header T} T{ -plen -T} T{ -Protocol address len +dst T} T{ -integer (8 bit) +dst options T} T{ -operation -T} T{ -Operation +mh T} T{ -arp_op +Mobility Header T} .TE -.SS "IPV4 HEADER EXPRESSION" -'nh -.fi -.ad l -\fBip\fR \kx -.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) -'in \n(.iu+\nxu -[\fIIPv4 header field\fR] -'in \n(.iu-\nxu -.ad b -'hy .PP -\fBIPv4 header expression\fR +\fBTCP Options\fR .TS allbox ; l | l | l. @@ -1073,202 +3506,415 @@ Keyword T} T{ Description T} T{ -Type +TCP option fields T} .T& l | l | l. T{ -version +eol T} T{ -IP header version (4) +End of option list T} T{ -integer (4 bit) +kind T} T{ -hdrlength +noop T} T{ -IP header length including options +1 Byte TCP No-op options T} T{ -integer (4 bit) FIXME scaling +kind T} T{ -dscp +maxseg T} T{ -Differentiated Services Code Point +TCP Maximum Segment Size T} T{ -integer (6 bit) +kind, length, size T} T{ -ecn +window T} T{ -Explicit Congestion Notification +TCP Window Scaling T} T{ -integer (2 bit) +kind, length, count T} T{ -length +sack-permitted T} T{ -Total packet length +TCP SACK permitted T} T{ -integer (16 bit) +kind, length T} T{ -id +sack T} T{ -IP ID +TCP Selective Acknowledgement (alias of block 0) T} T{ -integer (16 bit) +kind, length, left, right +T} +T{ +sack0 +T} T{ +TCP Selective Acknowledgement (block 0) +T} T{ +kind, length, left, right +T} +T{ +sack1 +T} T{ +TCP Selective Acknowledgement (block 1) +T} T{ +kind, length, left, right +T} +T{ +sack2 +T} T{ +TCP Selective Acknowledgement (block 2) +T} T{ +kind, length, left, right +T} +T{ +sack3 +T} T{ +TCP Selective Acknowledgement (block 3) +T} T{ +kind, length, left, right +T} +T{ +timestamp +T} T{ +TCP Timestamps +T} T{ +kind, length, tsval, tsecr +T} +.TE +.PP +\fBfinding TCP options\fR +.PP +.nf +\*(T< +filter input tcp option sack\-permitted kind 1 counter + \*(T> +.fi +.PP +\fBmatching IPv6 exthdr\fR +.PP +.nf +\*(T< +ip6 filter input frag more\-fragments 1 counter + \*(T> +.fi +.SS "CONNTRACK EXPRESSIONS" +Conntrack expressions refer to meta data of the connection tracking entry associated with a packet. +.PP +There are three types of conntrack expressions. Some conntrack expressions require the flow +direction before the conntrack key, others must be used directly because they are direction agnostic. +The \fBpackets\fR, \fBbytes\fR and \fBavgpkt\fR keywords can be +used with or without a direction. If the direction is omitted, the sum of the original and the reply +direction is returned. The same is true for the \fBzone\fR, if a direction is given, the zone +is only matched if the zone id is tied to the given direction. +.PP +'nh +.fi +.ad l +\fBct\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBct\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{original | reply} {l3proto | protocol | proto-src | proto-dst | bytes | packets | avgpkt | zone} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBct\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{original | reply} {ip | ip6} {saddr | daddr} +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBConntrack expressions\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type T} +.T& +l | l | l. T{ -frag-off +state T} T{ -Fragment offset +State of the connection T} T{ -integer (16 bit) +ct_state T} T{ -ttl +direction T} T{ -Time to live +Direction of the packet relative to the connection T} T{ -integer (8 bit) +ct_dir T} T{ -protocol +status T} T{ -Upper layer protocol +Status of the connection T} T{ -inet_proto +ct_status T} T{ -checksum +mark T} T{ -IP header checksum +Connection mark T} T{ -integer (16 bit) +mark T} T{ -saddr +expiration T} T{ -Source address +Connection expiration time T} T{ -ipv4_addr +time T} T{ -daddr +helper T} T{ -Destination address +Helper associated with the connection T} T{ -ipv4_addr +string T} -.TE -.SS "IPV6 HEADER EXPRESSION" -'nh -.fi -.ad l -\fBip6\fR \kx -.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) -'in \n(.iu+\nxu -[\fIIPv6 header field\fR] -'in \n(.iu-\nxu -.ad b -'hy -.PP -\fBIPv6 header expression\fR -.TS -allbox ; -l | l | l. T{ -Keyword +label T} T{ -Description +Connection tracking label bit or symbolic name defined in connlabel.conf in the nftables include path T} T{ -Type +ct_label T} -.T& -l | l | l. T{ -version +l3proto T} T{ -IP header version (6) +Layer 3 protocol of the connection T} T{ -integer (4 bit) +nf_proto T} T{ -priority +saddr T} T{ +Source address of the connection for the given direction T} T{ +ipv4_addr/ipv6_addr T} T{ -dscp +daddr T} T{ -Differentiated Services Code Point +Destination address of the connection for the given direction T} T{ -integer (6 bit) +ipv4_addr/ipv6_addr T} T{ -ecn +protocol T} T{ -Explicit Congestion Notification +Layer 4 protocol of the connection for the given direction T} T{ -integer (2 bit) +inet_proto T} T{ -flowlabel +proto-src T} T{ -Flow label +Layer 4 protocol source for the given direction T} T{ -integer (20 bit) +integer (16 bit) T} T{ -length +proto-dst T} T{ -Payload length +Layer 4 protocol destination for the given direction T} T{ integer (16 bit) T} T{ -nexthdr +packets T} T{ -Nexthdr protocol +packet count seen in the given direction or sum of original and reply T} T{ -inet_proto +integer (64 bit) T} T{ -hoplimit +bytes T} T{ -Hop limit +bytecount seen, see description for \fBpackets\fR keyword T} T{ -integer (8 bit) +integer (64 bit) T} T{ -saddr +avgpkt T} T{ -Source address +average bytes per packet, see description for \fBpackets\fR keyword T} T{ -ipv6_addr +integer (64 bit) T} T{ -daddr +zone T} T{ -Destination address +conntrack zone T} T{ -ipv6_addr +integer (16 bit) T} .TE -.SS "TCP HEADER EXPRESSION" +.PP +A description of conntrack-specific types listed above can be +found sub-section \*(T above. +.SH STATEMENTS +Statements represent actions to be performed. They can alter control flow (return, jump +to a different chain, accept or drop the packet) or can perform actions, such as logging, +rejecting a packet, etc. +.PP +Statements exist in two kinds. Terminal statements unconditionally terminate evaluation +of the current rule, non-terminal statements either only conditionally or never terminate +evaluation of the current rule, in other words, they are passive from the ruleset evaluation +perspective. There can be an arbitrary amount of non-terminal statements in a rule, but +only a single terminal statement as the final statement. +.SS "VERDICT STATEMENT" +The verdict statement alters control flow in the ruleset and issues +policy decisions for packets. +.PP 'nh .fi .ad l -\fBtcp\fR \kx +{accept | drop | queue | continue | return} +.ad b +'hy +'nh +.fi +.ad l +{jump | goto} {\fIchain\fR} +.ad b +'hy +.PP +.TP +\*(T<\fBaccept\fR\*(T> +Terminate ruleset evaluation and accept the packet. +.TP +\*(T<\fBdrop\fR\*(T> +Terminate ruleset evaluation and drop the packet. +.TP +\*(T<\fBqueue\fR\*(T> +Terminate ruleset evaluation and queue the packet to userspace. +.TP +\*(T<\fBcontinue\fR\*(T> +Continue ruleset evaluation with the next rule. FIXME +.TP +\*(T<\fBreturn\fR\*(T> +Return from the current chain and continue evaluation at the +next rule in the last chain. If issued in a base chain, it is +equivalent to \fBaccept\fR. +.TP +\*(T<\fBjump \fR\*(T>\fIchain\fR +Continue evaluation at the first rule in \fIchain\fR. +The current position in the ruleset is pushed to a call stack and evaluation +will continue there when the new chain is entirely evaluated of a +\fBreturn\fR verdict is issued. +.TP +\*(T<\fBgoto \fR\*(T>\fIchain\fR +Similar to \fBjump\fR, but the current position is not pushed +to the call stack, meaning that after the new chain evaluation will continue +at the last chain instead of the one containing the goto statement. +.PP +\fBVerdict statements\fR +.PP +.nf +\*(T< +# process packets from eth0 and the internal network in from_lan +# chain, drop all packets from eth0 with different source addresses. + +filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan +filter input iif eth0 drop + \*(T> +.fi +.SS "PAYLOAD STATEMENT" +The payload statement alters packet content. +It can be used for example to set ip DSCP (differv) header field or ipv6 flow labels. +.PP +\fBroute some packets instead of bridging\fR +.PP +.nf +\*(T< +# redirect tcp:http from 192.160.0.0/16 to local machine for routing instead of bridging +# assumes 00:11:22:33:44:55 is local MAC address. +bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55 + \*(T> +.fi +.PP +\fBSet IPv4 DSCP header field\fR +.PP +.nf +\*(T< +ip forward ip dscp set 42 + \*(T> +.fi +.SS "EXTENSION HEADER STATEMENT" +The extension header statement alters packet content in variable-sized headers. +This can currently be used to alter the TCP Maximum segment size of packets, +similar to TCPMSS. +.PP +\fBchange tcp mss\fR +.PP +.nf +\*(T< +tcp flags syn tcp option maxseg size set 1360 +# set a size based on route information: +tcp flags syn tcp option maxseg size set rt mtu + \*(T> +.fi +.SS "LOG STATEMENT" +'nh +.fi +.ad l +\fBlog\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fITCP header field\fR] +[prefix +\fIquoted_string\fR] [level +\fIsyslog-level\fR] [flags +\fIlog-flags\fR] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBlog\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +group +\fInflog_group\fR [prefix +\fIquoted_string\fR] [queue-threshold +\fIvalue\fR] [snaplen +\fIsize\fR] 'in \n(.iu-\nxu .ad b 'hy .PP -\fBTCP header expression\fR +The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog). If the group number is specified, the Linux kernel will pass the packet to nfnetlink_log which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets, see libnetfilter_queue documentation for details. This is a non-terminating statement, so the rule evaluation continues after the packet is logged. +.PP +\fBlog statement options\fR .TS allbox ; l | l | l. @@ -1282,143 +3928,212 @@ T} .T& l | l | l. T{ -sport +prefix T} T{ -Source port +Log message prefix T} T{ -inet_service +quoted string T} T{ -dport +syslog-level T} T{ -Destination port +Syslog level of logging T} T{ -inet_service +string: emerg, alert, crit, err, warn [default], notice, info, debug T} T{ -sequence +group T} T{ -Sequence number +NFLOG group to send messages to T} T{ -integer (32 bit) +unsigned integer (16 bit) T} T{ -ackseq +snaplen T} T{ -Acknowledgement number +Length of packet payload to include in netlink message T} T{ -integer (32 bit) +unsigned integer (32 bit) T} T{ -doff +queue-threshold T} T{ -Data offset +Number of packets to queue inside the kernel before sending them to userspace T} T{ -integer (4 bit) FIXME scaling +unsigned integer (32 bit) T} +.TE +.PP +\fBlog-flags\fR +.TS +allbox ; +l | l. T{ -reserved -T} T{ -Reserved area +Flag T} T{ -integer (4 bit) +Description T} +.T& +l | l. T{ -flags +tcp sequence T} T{ -TCP flags -T} T{ -tcp_flags +Log TCP sequence numbers. T} T{ -window -T} T{ -Window +tcp options T} T{ -integer (16 bit) +Log options from the TCP packet header. T} T{ -checksum +ip options T} T{ -Checksum +Log options from the IP/IPv6 packet header. +T} +T{ +skuid T} T{ -integer (16 bit) +Log the userid of the process which generated the packet. T} T{ -urgptr +ether T} T{ -Urgent pointer +Decode MAC addresses and protocol. +T} +T{ +all T} T{ -integer (16 bit) +Enable all log flags listed above. T} .TE -.SS "UDP HEADER EXPRESSION" +.PP +\fBUsing log statement\fR +.PP +.nf +\*(T< +# log the UID which generated the packet and ip options +ip filter output log flags skuid flags ip options + +# log the tcp sequence numbers and tcp options from the TCP packet +ip filter output log flags tcp sequence,options + +# enable all supported log flags +ip6 filter output log flags all + \*(T> +.fi +.SS "REJECT STATEMENT" 'nh .fi .ad l -\fBudp\fR \kx +\fBreject\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fIUDP header field\fR] +[ +with +{icmp | icmp6 | icmpx} +type +{icmp_type | icmp6_type | icmpx_type} +] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBreject\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[ +with +{tcp} +{reset} +] 'in \n(.iu-\nxu .ad b 'hy .PP -\fBUDP header expression\fR +A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal. This statement is only valid in the input, forward and output chains, and user-defined chains which are only called from those chains. +.PP +The different ICMP reject variants are meant for use in different table families: .TS allbox ; l | l | l. T{ -Keyword +Variant T} T{ -Description +Family T} T{ Type T} .T& +l | l | l +l | l | l l | l | l. T{ -sport -T} T{ -Source port -T} T{ -inet_service -T} -T{ -dport +icmp T} T{ -Destination port +ip T} T{ -inet_service +icmp_code T} T{ -length +icmp6 T} T{ -Total packet length +ip6 T} T{ -integer (16 bit) +icmpv6_code T} T{ -checksum +icmpx T} T{ -Checksum +inet T} T{ -integer (16 bit) +icmpx_code T} .TE -.SS "UDP-LITE HEADER EXPRESSION" +.PP +For a description of the different types and a list of supported +keywords refer to \*(T section above. +The common default reject value is +\fBport-unreachable\fR. +.SS "COUNTER STATEMENT" +A counter statement sets the hit count of packets along with the number of bytes. +.PP 'nh .fi .ad l -\fBudplite\fR \kx +\fBcounter\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fIUDP-Lite header field\fR] +{packets +\fInumber\fR +} {bytes +\fInumber\fR +} 'in \n(.iu-\nxu .ad b 'hy +.SS "CONNTRACK STATEMENT" +The conntrack statement can be used to set the conntrack mark and conntrack labels. .PP -\fBUDP-Lite header expression\fR +'nh +.fi +.ad l +\fBct\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{mark | event | label | zone} set \fIvalue\fR +'in \n(.iu-\nxu +.ad b +'hy +.PP +The ct statement sets meta data associated with a connection. +The zone id has to be assigned before a conntrack lookup takes place, +i.e. this has to be done in prerouting and possibly output (if locally +generated packets need to be placed in a distinct zone), with a hook +priority of -300. +.PP +\fBConntrack statement types\fR .TS allbox ; l | l | l. @@ -1427,52 +4142,97 @@ Keyword T} T{ Description T} T{ -Type +Value T} .T& l | l | l. T{ -sport +event T} T{ -Source port +conntrack event bits T} T{ -inet_service +bitmask, integer (32 bit) T} T{ -dport +helper T} T{ -Destination port +name of ct helper object to assign to the connection T} T{ -inet_service +quoted string T} T{ -cscov +mark T} T{ -Checksum coverage +Connection tracking mark T} T{ -integer (16 bit) +mark T} T{ -checksum +label T} T{ -Checksum +Connection tracking label +T} T{ +label +T} +T{ +zone +T} T{ +conntrack zone T} T{ integer (16 bit) T} .TE -.SS "SCTP HEADER EXPRESSION" +.PP +\fBsave packet nfmark in conntrack\fR +.PP +.nf +\*(T< +ct mark set meta mark + \*(T> +.fi +.PP +\fBset zone mapped via interface\fR +.PP +.nf +\*(T< +table inet raw { + chain prerouting { + type filter hook prerouting priority \-300; + ct zone set iif map { "eth1" : 1, "veth1" : 2 } + } + chain output { + type filter hook output priority \-300; + ct zone set oif map { "eth1" : 1, "veth1" : 2 } + } +} + \*(T> +.fi +.PP +\fBrestrict events reported by ctnetlink\fR +.PP +.nf +\*(T< +ct event set new,related,destroy + \*(T> +.fi +.SS "META STATEMENT" +A meta statement sets the value of a meta expression. +The existing meta fields are: priority, mark, pkttype, nftrace. +.PP 'nh .fi .ad l -\fBsctp\fR \kx +\fBmeta\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fISCTP header field\fR] +{mark | priority | pkttype | nftrace} set \fIvalue\fR 'in \n(.iu-\nxu .ad b 'hy .PP -\fBSCTP header expression\fR +A meta statement sets meta data associated with a packet. +.PP +\fBMeta statement types\fR .TS allbox ; l | l | l. @@ -1481,57 +4241,69 @@ Keyword T} T{ Description T} T{ -Type +Value T} .T& l | l | l. T{ -sport +priority T} T{ -Source port +TC packet priority T} T{ -inet_service +tc_handle T} T{ -dport +mark T} T{ -Destination port +Packet mark T} T{ -inet_service +mark T} T{ -vtag +pkttype T} T{ -Verfication Tag +packet type T} T{ -integer (32 bit) +pkt_type T} T{ -checksum +nftrace T} T{ -Checksum +ruleset packet tracing on/off. Use \fBmonitor trace\fR command to watch traces T} T{ -integer (32 bit) +0, 1 T} .TE -.SS "DCCP HEADER EXPRESSION" +.SS "LIMIT STATEMENT" 'nh .fi .ad l -\fBdccp\fR \kx +\fBlimit\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fIDCCP header field\fR] +rate [over] \fIpacket_number\fR / {second | minute | hour | day} [burst \fIpacket_number\fR packets] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBlimit\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +rate [over] \fIbyte_number\fR {bytes | kbytes | mbytes} / {second | minute | hour | day | week} [burst \fIbyte_number\fR bytes] 'in \n(.iu-\nxu .ad b 'hy .PP -\fBDCCP header expression\fR +A limit statement matches at a limited rate using a token bucket filter. A rule using this statement will match until this limit is reached. It can be used in combination with the log statement to give limited logging. The \fBover\fR keyword, that is optional, makes it match over the specified rate. +.PP +\fBlimit statement values\fR .TS allbox ; l | l | l. T{ -Keyword +Value T} T{ Description T} T{ @@ -1541,99 +4313,130 @@ T} l | l | l l | l | l. T{ -sport +packet_number T} T{ -Source port +Number of packets T} T{ -inet_service +unsigned integer (32 bit) T} T{ -dport +byte_number T} T{ -Destination port +Number of bytes T} T{ -inet_service +unsigned integer (32 bit) T} .TE -.SS "AUTHENTICATION HEADER EXPRESSION" +.SS "NAT STATEMENTS" 'nh .fi .ad l -\fBah\fR \kx +\fBsnat\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fIAH header field\fR] +to +\fIaddress\fR +[:port] [persistent, random, fully-random] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBsnat\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +to +\fIaddress\fR - \fIaddress\fR +[:\fIport\fR - \fIport\fR] [persistent, random, fully-random] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBdnat\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +to +\fIaddress\fR +[:\fIport\fR] [persistent, random, fully-random] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBdnat\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +to +\fIaddress\fR +[:\fIport\fR - \fIport\fR] [persistent, random, fully-random] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBmasquerade\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +to +[:\fIport\fR] [persistent, random, fully-random] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBmasquerade\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +to +[:\fIport\fR - \fIport\fR] [persistent, random, fully-random] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBredirect\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +to +[:\fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy -.PP -\fBAH header expression\fR -.TS -allbox ; -l | l | l. -T{ -Keyword -T} T{ -Description -T} T{ -Type -T} -.T& -l | l | l. -T{ -nexthdr -T} T{ -Next header protocol -T} T{ -inet_service -T} -T{ -hdrlength -T} T{ -AH Header length -T} T{ -integer (8 bit) -T} -T{ -reserved -T} T{ -Reserved area -T} T{ -integer (4 bit) -T} -T{ -spi -T} T{ -Security Parameter Index -T} T{ -integer (32 bit) -T} -T{ -sequence -T} T{ -Sequence number -T} T{ -integer (32 bit) -T} -.TE -.SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION" 'nh .fi .ad l -\fBesp\fR \kx +\fBredirect\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -[\fIESP header field\fR] +to +[:\fIport\fR - \fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy .PP -\fBESP header expression\fR +The nat statements are only valid from nat chain types. +.PP +The \fBsnat\fR and \fBmasquerade\fR statements specify that the source address of the packet should be modified. While \fBsnat\fR is only valid in the postrouting and input chains, \fBmasquerade\fR makes sense only in postrouting. The \fBdnat\fR and \fBredirect\fR statements are only valid in the prerouting and output chains, they specify that the destination address of the packet should be modified. You can use non-base chains which are called from base chains of nat chain type too. All future packets in this connection will also be mangled, and rules should cease being examined. +.PP +The \fBmasquerade\fR statement is a special form of \fBsnat\fR which always uses the outgoing interface's IP address to translate to. It is particularly useful on gateways with dynamic (public) IP addresses. +.PP +The \fBredirect\fR statement is a special form of \fBdnat\fR which always translates the destination address to the local host's one. It comes in handy if one only wants to alter the destination port of incoming traffic on different interfaces. +.PP +Note that all nat statements require both prerouting and postrouting base chains to be present since otherwise packets on the return path won't be seen by netfilter and therefore no reverse translation will take place. +.PP +\fBNAT statement values\fR .TS allbox ; l | l | l. T{ -Keyword +Expression T} T{ Description T} T{ @@ -1643,307 +4446,170 @@ T} l | l | l l | l | l. T{ -spi +address T} T{ -Security Parameter Index +Specifies that the source/destination address of the packet should be modified. You may specify a mapping to relate a list of tuples composed of arbitrary expression key with address value. T} T{ -integer (32 bit) +ipv4_addr, ipv6_addr, eg. abcd::1234, or you can use a mapping, eg. meta mark map { 10 : 192.168.1.2, 20 : 192.168.1.3 } T} T{ -sequence +port T} T{ -Sequence number +Specifies that the source/destination address of the packet should be modified. T} T{ -integer (32 bit) +port number (16 bits) T} .TE -.SS "IPCOMP HEADER EXPRESSION" -'nh -.fi -.ad l -\fBcomp\fR \kx -.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) -'in \n(.iu+\nxu -[\fIIPComp header field\fR] -'in \n(.iu-\nxu -.ad b -'hy .PP -\fBIPComp header expression\fR +\fBNAT statement flags\fR .TS allbox ; -l | l | l. +l | l. T{ -Keyword +Flag T} T{ Description -T} T{ -Type T} .T& -l | l | l -l | l | l -l | l | l. +l | l +l | l +l | l. T{ -nexthdr -T} T{ -Next header protocol +persistent T} T{ -inet_service +Gives a client the same source-/destination-address for each connection. T} T{ -flags -T} T{ -Flags +random T} T{ -bitmask +If used then port mapping will be randomized using a random seeded MD5 hash mix using source and destination address and destination port. T} T{ -cpi -T} T{ -Compression Parameter Index +fully-random T} T{ -integer (16 bit) +If used then port mapping is generated based on a 32-bit pseudo-random algorithm. T} .TE -.SH BLA -.SS "IPV6 EXTENSION HEADER EXPRESSIONS" -IPv6 extension header expressions refer to data from an IPv6 packet's extension headers. -.SS "CONNTRACK EXPRESSIONS" -Conntrack expressions refer to meta data of the connection tracking entry associated with a packet. .PP -There are three types of conntrack expressions. Some conntrack expressions require the flow -direction before the conntrack key, others must be used directly because they are -direction agnostic. The \fBpackets and bytes\fR keywords can be used -with or without a direction. If the direction is omitted, the sum of the original and the reply -direction is returned. +\fBUsing NAT statements\fR +.PP +.nf +\*(T< +# create a suitable table/chain setup for all further examples +add table nat +add chain nat prerouting { type nat hook prerouting priority 0; } +add chain nat postrouting { type nat hook postrouting priority 100; } + +# translate source addresses of all packets leaving via eth0 to address 1.2.3.4 +add rule nat postrouting oif eth0 snat to 1.2.3.4 + +# redirect all traffic entering via eth0 to destination address 192.168.1.120 +add rule nat prerouting iif eth0 dnat to 192.168.1.120 + +# translate source addresses of all packets leaving via eth0 to whatever +# locally generated packets would use as source to reach the same destination +add rule nat postrouting oif eth0 masquerade + +# redirect incoming TCP traffic for port 22 to port 2222 +add rule nat prerouting tcp dport 22 redirect to :2222 + \*(T> +.fi +.SS "QUEUE STATEMENT" +This statement passes the packet to userspace using the nfnetlink_queue handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or reinject the packet into the kernel. See libnetfilter_queue documentation for details. .PP 'nh .fi .ad l -\fBct\fR \kx +\fBqueue\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu -{state | direction | status | mark | expiration | helper | label | bytes | packets} {original | reply | {l3proto | protocol | saddr | daddr | proto-src | proto-dst | bytes | packets}} +[num +\fIqueue_number\fR] [bypass] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBqueue\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[num +\fIqueue_number_from\fR - \fIqueue_number_to\fR] [bypass,fanout] 'in \n(.iu-\nxu .ad b 'hy .PP -\fBConntrack expressions\fR +\fBqueue statement values\fR .TS allbox ; l | l | l. T{ -Keyword +Value T} T{ Description T} T{ Type T} .T& +l | l | l +l | l | l l | l | l. T{ -state -T} T{ -State of the connection -T} T{ -ct_state -T} -T{ -direction -T} T{ -Direction of the packet relative to the connection -T} T{ -ct_dir -T} -T{ -status -T} T{ -Status of the connection -T} T{ -ct_status -T} -T{ -mark -T} T{ -Connection mark -T} T{ -packetmark -T} -T{ -expiration -T} T{ -Connection expiration time -T} T{ -time -T} -T{ -helper -T} T{ -Helper associated with the connection -T} T{ -string -T} -T{ -label -T} T{ -Connection tracking label -T} T{ -ct_label -T} -T{ -l3proto -T} T{ -Layer 3 protocol of the connection -T} T{ -nf_proto -T} -T{ -saddr -T} T{ -Source address of the connection for the given direction -T} T{ -ipv4_addr/ipv6_addr -T} -T{ -daddr +queue_number T} T{ -Destination address of the connection for the given direction +Sets queue number, default is 0. T} T{ -ipv4_addr/ipv6_addr +unsigned integer (16 bit) T} T{ -protocol +queue_number_from T} T{ -Layer 4 protocol of the connection for the given direction +Sets initial queue in the range, if fanout is used. T} T{ -inet_proto +unsigned integer (16 bit) T} T{ -proto-src +queue_number_to T} T{ -Layer 4 protocol source for the given direction +Sets closing queue in the range, if fanout is used. T} T{ -integer (16 bit) +unsigned integer (16 bit) T} +.TE +.PP +\fBqueue statement flags\fR +.TS +allbox ; +l | l. T{ -proto-dst -T} T{ -Layer 4 protocol destination for the given direction +Flag T} T{ -integer (16 bit) +Description T} +.T& +l | l +l | l. T{ -packets -T} T{ -packet count seen in the given direction or sum of original and reply +bypass T} T{ -integer (64 bit) +Let packets go through if userspace application cannot back off. Before using this flag, read libnetfilter_queue documentation for performance tuning recomendations. T} T{ -bytes -T} T{ -bytecount seen, see description for \fBpackets\fR keyword +fanout T} T{ -integer (64 bit) +Distribute packets between several queues. T} .TE -.SH STATEMENTS -Statements represent actions to be performed. They can alter control flow (return, jump -to a different chain, accept or drop the packet) or can perform actions, such as logging, -rejecting a packet, etc. -.PP -Statements exist in two kinds. Terminal statements unconditionally terminate evaluation -of the current rule, non-terminal statements either only conditionally or never terminate -evaluation of the current rule, in other words, they are passive from the ruleset evaluation -perspective. There can be an arbitrary amount of non-terminal statements in a rule, but -only a single terminal statement as the final statement. -.SS "VERDICT STATEMENT" -The verdict statement alters control flow in the ruleset and issues -policy decisions for packets. -.PP -'nh -.fi -.ad l -{accept | drop | queue | continue | return} -.ad b -'hy -'nh -.fi -.ad l -{jump | goto} {\fIchain\fR} -.ad b -'hy -.PP -.TP -\*(T<\fBaccept\fR\*(T> -Terminate ruleset evaluation and accept the packet. -.TP -\*(T<\fBdrop\fR\*(T> -Terminate ruleset evaluation and drop the packet. -.TP -\*(T<\fBqueue\fR\*(T> -Terminate ruleset evaluation and queue the packet to userspace. -.TP -\*(T<\fBcontinue\fR\*(T> -Continue ruleset evaluation with the next rule. FIXME -.TP -\*(T<\fBreturn\fR\*(T> -Return from the current chain and continue evaluation at the -next rule in the last chain. If issued in a base chain, it is -equivalent to \fBaccept\fR. -.TP -\*(T<\fBjump \fR\*(T>\fIchain\fR -Continue evaluation at the first rule in \fIchain\fR. -The current position in the ruleset is pushed to a call stack and evaluation -will continue there when the new chain is entirely evaluated of a -\fBreturn\fR verdict is issued. -.TP -\*(T<\fBgoto \fR\*(T>\fIchain\fR -Similar to \fBjump\fR, but the current position is not pushed -to the call stack, meaning that after the new chain evaluation will continue -at the last chain instead of the one containing the goto statement. -.PP -\fBVerdict statements\fR -.PP -.nf -\*(T< -# process packets from eth0 and the internal network in from_lan -# chain, drop all packets from eth0 with different source addresses. - -filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan -filter input iif eth0 drop - \*(T> -.fi -.SS "LOG STATEMENT" -.SS "REJECT STATEMENT" -.SS "COUNTER STATEMENT" -.SS "META STATEMENT" -.SS "LIMIT STATEMENT" -.SS "NAT STATEMENT" -.SS "QUEUE STATEMENT" .SH "ADDITIONAL COMMANDS" These are some additional commands included in nft. -.SS EXPORT -Export your current ruleset in XML or JSON format to stdout. -.PP -Examples: - -.nf -\*(T< -% nft export xml -[...] -% nft export json -[...] - \*(T> -.fi .SS MONITOR The monitor command allows you to listen to Netlink events produced by the nf_tables subsystem, related to creation and deletion of objects. -When they ocurr, nft will print to stdout the monitored events in either +When they occur, nft will print to stdout the monitored events in either XML, JSON or native nft format. .PP -To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements'. +To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements' , 'ruleset'. .PP To filter events related to a concrete action, use keyword 'new' or 'destroy'. .PP @@ -1980,6 +4646,14 @@ Hit ^C to finish the monitor operation. % nft monitor chains \*(T> .fi +.PP +\fBListen to ruleset events such as table, chain, rule, set, counters and quotas, in native nft format\fR +.PP +.nf +\*(T< +% nft monitor ruleset + \*(T> +.fi .SH "ERROR REPORTING" When an error is detected, nft shows the line(s) containing the error, the position of the erroneous parts in the input stream and marks up the erroneous parts using @@ -2026,11 +4700,16 @@ errors with a status of 2, unable to open Netlink socket with 3. .SH "SEE ALSO" iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8) .PP -There is an official wiki at: http://wiki.nftables.org +There is an official wiki at: https://wiki.nftables.org .SH AUTHORS -nftables was written by Patrick McHardy. +nftables was written by Patrick McHardy and Pablo Neira Ayuso, among many other contributors from the Netfilter community. .SH COPYRIGHT -Copyright \(co 2008-2014 Patrick McHardy <\*(T> +.nf + +Copyright \(co 2008\-2014 Patrick McHardy <\*(T> +Copyright \(co 2013\-2016 Pablo Neira Ayuso <\*(T> + +.fi .PP nftables is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as diff --git a/SOURCES/nftables.conf b/SOURCES/nftables.conf index ec7b1ef..3653a23 100644 --- a/SOURCES/nftables.conf +++ b/SOURCES/nftables.conf @@ -4,11 +4,3 @@ # # These provide an iptables like set of filters # (uncomment to include) -# include "/etc/nftables/bridge-filter" -# include "/etc/nftables/inet-filter" -# include "/etc/nftables/ipv4-filter" -# include "/etc/nftables/ipv4-mangle" -# include "/etc/nftables/ipv4-nat" -# include "/etc/nftables/ipv6-filter" -# include "/etc/nftables/ipv6-mangle" -# include "/etc/nftables/ipv6-nat" diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 5d5ee86..9dc7432 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,6 +1,6 @@ -%define rpmversion 0.6 -%define specrelease 4%{?dist} -%define libnftnlversion 1.0.6-4 +%define rpmversion 0.8 +%define specrelease 7%{?dist} +%define libnftnlversion 1.0.8-1 Name: nftables Version: %{rpmversion} @@ -22,19 +22,8 @@ BuildRequires: libnftnl-devel >= %{libnftnlversion} #BuildRequires: docbook2X #BuildRequires: docbook-dtds BuildRequires: systemd -Patch0: 0001-src-use-new-range-expression-for-a-b-intervals.patch -Patch1: 0002-netlink_delinearize-Avoid-potential-null-pointer-der.patch -Patch2: 0003-evaluate-Fix-datalen-checks-in-expr_evaluate_string.patch -Patch3: 0004-evaluate-reject-Have-a-generic-fix-for-missing-netwo.patch -Patch4: 0005-payload-don-t-update-protocol-context-if-we-can-t-fi.patch -Patch5: 0006-src-rename-datatype-name-from-tc_handle-to-classid.patch -Patch6: 0007-src-simplify-classid-printing-using-x-instead-of-04x.patch -Patch7: 0008-src-meta-priority-support-using-tc-classid.patch -Patch8: 0009-meta-fix-memory-leak-in-tc-classid-parser.patch -Patch9: 0010-datatype-time_type-should-send-milliseconds-to-users.patch -Patch10: 0011-include-refresh-uapi-linux-netfilter-nf_tables.h-cop.patch -Patch11: 0012-src-Interpret-OP_NEQ-against-a-set-as-OP_LOOKUP.patch -Patch12: 0013-evaluate-Avoid-undefined-behaviour-in-concat_subtype.patch +Patch0: 0001-src-fix-protocol-context-update-on-big-endian-system.patch +Patch1: 0002-netlink_linearize-exthdr-op-must-be-u32.patch %description Netfilter Tables userspace utilities. @@ -43,7 +32,7 @@ Netfilter Tables userspace utilities. %autosetup -p1 %build -%configure --disable-silent-rules +%configure --disable-silent-rules DOCBOOK2X_MAN="no" DOCBOOK2MAN="no" DB2X_DOCBOOK2MAN="no" make %{?_smp_mflags} %install @@ -58,6 +47,12 @@ cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ +for f in $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*; do + echo "# include \"%{_sysconfdir}/nftables/$(basename $f)\"" +done >> $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf +chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf +chmod 750 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/ +chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/* %post %systemd_post nftables.service @@ -77,6 +72,28 @@ cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ %{_unitdir}/nftables.service %changelog +* Mon Dec 18 2017 Phil Sutter [0.8-7.el7] +- A proper fix for incompatible docbook2man (Phil Sutter) [1523239] + +* Thu Dec 14 2017 Phil Sutter [0.8-6.el7] +- netlink_linearize: exthdr op must be u32 (Phil Sutter) [1524246] +- src: fix protocol context update on big-endian systems (Phil Sutter) [1523016] + +* Fri Dec 08 2017 Phil Sutter [0.8-5.el7] +- Prevent build failure due to incompatible docbook2man (Phil Sutter) [1523239] + +* Sat Oct 14 2017 Phil Sutter [0.8-4.el7] +- Update /etc/sysconfig/nftables.conf with new config samples (Phil Sutter) [1472261] + +* Fri Oct 13 2017 Phil Sutter [0.8-3.el7] +- Fix typo in spec file (Phil Sutter) [1451404] + +* Fri Oct 13 2017 Phil Sutter [0.8-2.el7] +- Fix permissions of installed config files (Phil Sutter) [1451404] + +* Fri Oct 13 2017 Phil Sutter [0.8-1.el7] +- Rebase onto upstream version 0.8 (Phil Sutter) [1472261] + * Fri May 12 2017 Phil Sutter [0.6-4.el7] - evaluate: Avoid undefined behaviour in concat_subtype_id() (Phil Sutter) [1360789] - src: Interpret OP_NEQ against a set as OP_LOOKUP (Phil Sutter) [1440011]