src: support ct l3proto/protocol without direction syntax

Acctually, ct l3proto and ct protocol are unrelated to direction, so
it's unnecessary that we must specify dir if we want to use them.

Now add support that we can match ct l3proto/protocol without direction:
  # nft add rule filter input ct l3proto ipv4
  # nft add rule filter output ct protocol 17

Note: existing syntax is still preserved, so "ct reply l3proto ipv6"
is still fine.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/parser_bison.y b/src/parser_bison.y
index aac10dcc9b996760e87372bb1a22cfcb07c8c34b..36dbc8d8515a58880be8c97b3cd84b1f43283221 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2513,6 +2513,8 @@ ct_key                    :       STATE           { $$ = NFT_CT_STATE; }
                        |       EXPIRATION      { $$ = NFT_CT_EXPIRATION; }
                        |       HELPER          { $$ = NFT_CT_HELPER; }
                        |       LABEL           { $$ = NFT_CT_LABELS; }
+                       |       L3PROTOCOL      { $$ = NFT_CT_L3PROTOCOL; }
+                       |       PROTOCOL        { $$ = NFT_CT_PROTOCOL; }
                        |       ct_key_counters
                        ;
 ct_key_dir             :       SADDR           { $$ = NFT_CT_SRC; }

diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
index 65f5d921204a9fbecdaf5376b0b77269036d167c..d0f16c51fa4cb13c82e6e6f4dacb0d8383a8a7f1 100644 (file)
--- a/tests/py/ip/ct.t
+++ b/tests/py/ip/ct.t
@@ -13,11 +13,11 @@ ct reply saddr 192.168.1.0/24;ok
 ct original daddr 192.168.1.0/24;ok
 ct reply daddr 192.168.1.0/24;ok
 
-ct original l3proto ipv4;ok
-ct reply l3proto foobar;fail
+ct l3proto ipv4;ok
+ct l3proto foobar;fail
 
-ct original protocol 6 ct original proto-dst 22;ok
-ct original protocol 17 ct reply proto-src 53;ok
+ct protocol 6 ct original proto-dst 22;ok
+ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-src 53
 
 # wrong address family
 ct reply daddr dead::beef;fail

diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
index 0449b07740e8907797b4392bc37cc55db7dd52a9..56633a248c8c92b46d892d7969ccd9cd94ff35c4 100644 (file)
--- a/tests/py/ip/ct.t.payload
+++ b/tests/py/ip/ct.t.payload
@@ -42,14 +42,14 @@ ip test-ip4 output
   [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x0001a8c0 ]
 
-# ct original l3proto ipv4
+# ct l3proto ipv4
 ip test-ip4 output
-  [ ct load l3protocol => reg 1 , dir original ]
+  [ ct load l3protocol => reg 1 ]
   [ cmp eq reg 1 0x00000002 ]
 
-# ct original protocol 6 ct original proto-dst 22
+# ct protocol 6 ct original proto-dst 22
 ip test-ip4 output
-  [ ct load protocol => reg 1 , dir original ]
+  [ ct load protocol => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ ct load proto_dst => reg 1 , dir original ]
   [ cmp eq reg 1 0x00001600 ]