- udp checksum != { 33, 55, 67, 88};ok
udp checksum { 33-55};ok
- udp checksum != { 33-55};ok
+
+# limit impact to lo
+iif lo udp checksum set 0;ok
+iif lo udp dport set 65535;ok
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
+# iif lo udp checksum set 0
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 ]
+
+# iif lo udp dport set 65535
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000ffff ]
+ [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
+# iif lo udp checksum set 0
+ip test-ip4 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 ]
+
+# iif lo udp dport set 65535
+ip test-ip4 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000ffff ]
+ [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
+# iif lo udp checksum set 0
+ip6 test-ip6 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 ]
+
+# iif lo udp dport set 65535
+ip test-ip4 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000ffff ]
+ [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
+# iif lo udp checksum set 0
+netdev test-netdev ingress
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 ]
+
+# iif lo udp dport set 65535
+netdev test-netdev ingress
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000ffff ]
+ [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 ]
+
ip hdrlength 0;ok
ip hdrlength 15;ok
ip hdrlength 16;fail
+
+# limit impact to lo
+iif lo ip daddr set 127.0.0.1;ok
+iif lo ip checksum set 0;ok
+iif lo ip id set 0;ok
[ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0000000f ]
+# iif lo ip daddr set 127.0.0.1
+ip test-ip4 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ immediate reg 1 0x0100007f ]
+ [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 ]
+
+# iif lo ip checksum set 0
+ip test-ip4 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 ]
+
+# iif lo ip id set 0
+ip test-ip4 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 ]
+
[ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0000000f ]
+# iif lo ip daddr set 127.0.0.1
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ immediate reg 1 0x0100007f ]
+ [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 ]
+
+# iif lo ip checksum set 0
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 ]
+
+# iif lo ip id set 0
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ immediate reg 1 0x00000000 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d ]
+# iif lo ip daddr set 127.0.0.1
+netdev test-netdev ingress
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ immediate reg 1 0x0100007f ]
+ [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 ]
+
+# iif lo ip checksum set 0
+netdev test-netdev ingress
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 ]
+
+# iif lo ip id set 0
+netdev test-netdev ingress
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load protocol => reg 1 ]
- ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 };ok
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234;ok;ip6 daddr != 0:1234:1234:1234:1234:1234:1234:1234-1234:1234:0:1234:1234:1234:1234:1234
+
+# limit impact to lo
+iif lo ip6 daddr set ::1;ok
+iif lo ip6 hoplimit set 1;ok
[ cmp lt reg 1 0x34120000 0x34123412 0x34123412 0x34123412 ]
[ cmp gt reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ]
+# iif lo ip6 daddr set ::1
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+ [ payload write reg 1 => 16b @ network header + 24 csum_type 0 csum_off 0 ]
+
+# iif lo ip6 hoplimit set 1
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ immediate reg 1 0x00000001 ]
+ [ payload write reg 1 => 1b @ network header + 7 csum_type 0 csum_off 0 ]
[ cmp lt reg 1 0x34120000 0x34123412 0x34123412 0x34123412 ]
[ cmp gt reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ]
+# iif lo ip6 daddr set ::1
+ip6 test-ip6 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+ [ payload write reg 1 => 16b @ network header + 24 csum_type 0 csum_off 0 ]
+
+# iif lo ip6 hoplimit set 1
+ip6 test-ip6 input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ immediate reg 1 0x00000001 ]
projects / thirdparty / nftables.git / commitdiff
