list_for_each_entry(i, &expr_concat(expr)->expressions, list) {
ilen = div_round_up(i->len, BITS_PER_BYTE);
- mpz_export_data(data + len, i->value, i->byteorder, ilen);
+ mpz_export_data(data + len, i->value, BYTEORDER_BIG_ENDIAN, ilen);
len += ilen;
}
- mpz_import_data(value, data, BYTEORDER_HOST_ENDIAN, len);
+ mpz_import_data(value, data, BYTEORDER_BIG_ENDIAN, len);
}
static mpz_srcptr expr_msort_value(const struct expr *expr, mpz_t value)
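Review bot: The loop in this hunk still writes `ilen` bytes at `data + len` for every concat component with no bound check visible, and the commit leaves that unchanged; `data` is declared above the hunk, so its capacity cannot be confirmed from here. If it is a fixed-size array, a guard before the export such as `assert(len + ilen <= sizeof(data));` (or the project's equivalent) would keep an oversized concatenation from writing past the buffer while the sort key is built. Separately, replacing `i->byteorder` and `BYTEORDER_HOST_ENDIAN` with `BYTEORDER_BIG_ENDIAN` deserves a short comment above the loop, for example `/* sort key only: export every component big-endian so keys compare the same whatever i->byteorder is */`. That rationale is inferred from the updated test expectations, which now list concatenated elements in ascending order. The function body begins outside the hunk.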
"set": [
{
"concat": [
- "new",
- 305419896
+ "established",
+ 309876276
]
},
{
"concat": [
- "established",
- 309876276
+ "new",
+ 305419896
]
},
{
[
{
"concat": [
- "new",
- 305419896
+ "established",
+ 2271560481
]
},
{
- "drop": null
+ "accept": null
}
],
[
{
"concat": [
- "established",
- 2271560481
+ "new",
+ 305419896
]
},
{
- "accept": null
+ "drop": null
}
]
]
}
}
]
-
-# tcp option mptcp subtype . tcp dport { mp-capable . 10, mp-join . 100, add-addr . 200, remove-addr . 300, mp-prio . 400, mp-fail . 500, mp-fastclose . 600, mp-tcprst . 700 }
-[
- {
- "match": {
- "left": {
- "concat": [
- {
- "tcp option": {
- "field": "subtype",
- "name": "mptcp"
- }
- },
- {
- "payload": {
- "field": "dport",
- "protocol": "tcp"
- }
- }
- ]
- },
- "op": "==",
- "right": {
- "set": [
- {
- "concat": [
- "mp-capable",
- 10
- ]
- },
- {
- "concat": [
- "remove-addr",
- 300
- ]
- },
- {
- "concat": [
- "mp-fastclose",
- 600
- ]
- },
- {
- "concat": [
- "mp-join",
- 100
- ]
- },
- {
- "concat": [
- "mp-prio",
- 400
- ]
- },
- {
- "concat": [
- "mp-tcprst",
- 700
- ]
- },
- {
- "concat": [
- "add-addr",
- 200
- ]
- },
- {
- "concat": [
- "mp-fail",
- 500
- ]
- }
- ]
- }
- }
- }
-]
[
{
"concat": [
- "feed::17",
- 512
+ "dead::beef",
+ 123
]
},
"exp2"
[
{
"concat": [
- "dead::beef",
- 123
+ "feed::17",
+ 512
]
},
"exp2"
ct expectation set ip saddr map @exp
ct expectation set ip6 saddr map { dead::beef : "exp2" }
ct expectation set ip6 daddr map { dead::beef : "exp2", feed::17 : "exp2" }
- ct expectation set ip6 daddr . tcp dport map { feed::17 . 512 : "exp2", dead::beef . 123 : "exp2" }
+ ct expectation set ip6 daddr . tcp dport map { dead::beef . 123 : "exp2", feed::17 . 512 : "exp2" }
ct helper set ip6 saddr map { 1c3::c01d : "myftp", dead::beef : "myftp" }
ct helper set ip6 saddr map @helpobj
ct timeout set ip daddr map @timeoutmap
[
{
"concat": [
- 30,
- 30
+ 20,
+ 36
]
},
{
- "drop": null
+ "accept": null
}
],
[
{
"concat": [
- 20,
- 36
+ 30,
+ 30
]
},
{
- "accept": null
+ "drop": null
}
]
]
map m2 {
typeof udp length . @ih,32,32 : verdict
- elements = { 30 . 0x1e : drop,
- 20 . 0x24 : accept }
+ elements = { 20 . 0x24 : accept,
+ 30 . 0x1e : drop }
}
chain c {
"set": [
{
"concat": [
- "fe0::2",
- "tcp"
+ "fe0::1",
+ "udp"
]
},
{
"concat": [
- "fe0::1",
- "udp"
+ "fe0::2",
+ "tcp"
]
}
]
ip6 daddr fe0::1 ip6 saddr fe0::2
ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept }
ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept }
- ip6 saddr . ip6 nexthdr { fe0::2 . tcp, fe0::1 . udp }
+ ip6 saddr . ip6 nexthdr { fe0::1 . udp, fe0::2 . tcp }
ip daddr . iif vmap { 10.0.0.0 . "lo" : accept }
tcp dport 100-222
udp dport vmap { 100-222 : accept }
{
"concat": [
"enp2s0",
- "72.2.3.70",
- 80
+ "72.2.3.66",
+ 443
]
},
{
"concat": [
"10.1.1.52",
- 80
+ 443
]
}
],
{
"concat": [
"enp2s0",
- "72.2.3.66",
- 443
+ "72.2.3.70",
+ 80
]
},
{
"concat": [
"10.1.1.52",
- 443
+ 80
]
}
]
table inet nat {
chain prerouting {
oif "lo" accept
- dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 }
+ dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80 }
}
chain postrouting {
{
"concat": [
"tcp",
- "172.30.238.117",
- 8080
+ "172.30.33.71",
+ 3306
]
},
{
"concat": [
"tcp",
- "172.30.33.71",
- 3306
+ "172.30.238.117",
+ 8080
]
},
{
{
"concat": [
"tcp",
- "aaaa::3",
- 8080
+ "aaaa::2",
+ 3306
]
},
{
"concat": [
"tcp",
- "aaaa::2",
- 3306
+ "aaaa::3",
+ 8080
]
},
{
table ip x {
chain y {
ip daddr 172.30.33.70 tcp dport 3306 counter packets 0 bytes 0 drop
- meta l4proto . ip daddr . tcp dport { tcp . 172.30.238.117 . 8080, tcp . 172.30.33.71 . 3306, tcp . 172.30.254.251 . 3306 } counter packets 0 bytes 0 reject
+ meta l4proto . ip daddr . tcp dport { tcp . 172.30.33.71 . 3306, tcp . 172.30.238.117 . 8080, tcp . 172.30.254.251 . 3306 } counter packets 0 bytes 0 reject
ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
}
}
table ip6 x {
chain y {
- meta l4proto . ip6 daddr . tcp dport { tcp . aaaa::3 . 8080, tcp . aaaa::2 . 3306, tcp . aaaa::4 . 3306 } counter packets 0 bytes 0 reject
+ meta l4proto . ip6 daddr . tcp dport { tcp . aaaa::2 . 3306, tcp . aaaa::3 . 8080, tcp . aaaa::4 . 3306 } counter packets 0 bytes 0 reject
ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
}
}
},
{
"concat": [
- 138,
- "new"
+ 137,
+ "untracked"
]
},
{
"concat": [
- 137,
- "untracked"
+ 138,
+ "new"
]
},
{
"set": [
{
"concat": [
- 51820,
- "foo"
+ 67,
+ "bar"
]
},
{
},
{
"concat": [
- 67,
- "bar"
+ 51820,
+ "foo"
]
}
]
"set": [
{
"concat": [
- 100,
- "foo"
+ 67,
+ "bar"
]
},
{
"concat": [
- 51820,
+ 100,
"foo"
]
},
},
{
"concat": [
- 67,
- "bar"
+ 51820,
+ "foo"
]
}
]
"set": [
{
"concat": [
- 100,
- "foo"
+ 67,
+ "bar"
]
},
{
"concat": [
- 51820,
+ 100,
"foo"
]
},
{
"concat": [
- 514,
- "bar"
+ 100,
+ "test"
]
},
{
"concat": [
- 67,
+ 514,
"bar"
]
},
{
"concat": [
- 100,
- "test"
+ 51820,
+ "foo"
]
},
{
chain y {
iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept
ip protocol . th dport { tcp . 22, udp . 67 }
- udp dport . ct state { 137 . new, 138 . new, 137 . untracked, 138 . untracked } accept
+ udp dport . ct state { 137 . new, 137 . untracked, 138 . new, 138 . untracked } accept
}
chain c1 {
- udp dport . iifname { 51820 . "foo", 514 . "bar", 67 . "bar" } accept
+ udp dport . iifname { 67 . "bar", 514 . "bar", 51820 . "foo" } accept
}
chain c2 {
- udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar" } accept
+ udp dport . iifname { 67 . "bar", 100 . "foo", 514 . "bar", 51820 . "foo" } accept
}
chain c3 {
- udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar", 100 . "test", 51820 . "test" } accept
+ udp dport . iifname { 67 . "bar", 100 . "foo", 100 . "test", 514 . "bar", 51820 . "foo", 51820 . "test" } accept
}
}
{
"concat": [
"broadcast",
- 547
+ 67
]
},
{
{
"concat": [
"broadcast",
- 67
+ 547
]
},
{
table ip x {
chain x {
- meta pkttype . udp dport vmap { broadcast . 547 : accept, broadcast . 67 : accept, multicast . 1900 : drop }
+ meta pkttype . udp dport vmap { broadcast . 67 : accept, broadcast . 547 : accept, multicast . 1900 : drop }
}
chain y {
type inet_service . ifname
elements = { 22 . "eth0",
80 . "eth0",
- 81 . "eth0",
- 80 . "eth1" }
+ 80 . "eth1",
+ 81 . "eth0" }
}
set nv {
"elem": [
{
"concat": [
- "192.168.0.113",
+ "192.168.0.12",
"tcp",
- 22
+ 53
]
},
{
"concat": [
"192.168.0.12",
"tcp",
- 53
+ 80
]
},
{
},
{
"concat": [
- "192.168.0.12",
+ "192.168.0.13",
"tcp",
80
]
},
{
"concat": [
- "192.168.0.13",
+ "192.168.0.113",
"tcp",
- 80
+ 22
]
}
]
table inet filter {
set myset {
type ipv4_addr . inet_proto . inet_service
- elements = { 192.168.0.113 . tcp . 22,
- 192.168.0.12 . tcp . 53,
- 192.168.0.12 . udp . 53,
+ elements = { 192.168.0.12 . tcp . 53,
192.168.0.12 . tcp . 80,
- 192.168.0.13 . tcp . 80 }
+ 192.168.0.12 . udp . 53,
+ 192.168.0.13 . tcp . 80,
+ 192.168.0.113 . tcp . 22 }
}
chain forward {
set s14 {
typeof tcp option mptcp subtype . ip daddr
- elements = { remove-addr . 10.1.1.1,
- mp-join . 10.1.1.2 }
+ elements = { mp-join . 10.1.1.2,
+ remove-addr . 10.1.1.1 }
}
chain c1 {
set s14 {
typeof tcp option mptcp subtype . ip daddr
- elements = { remove-addr . 10.1.1.1,
- mp-join . 10.1.1.2 }
+ elements = { mp-join . 10.1.1.2,
+ remove-addr . 10.1.1.1 }
}
$INPUT_OSF_CHAIN
chain c2 {