tests: py: objects.t: must use input, not output

synproxy must never be used in output rules, doing so results in kernel
crash due to infinite recursive calls back to nf_hook_slow() for the
emitted reply packet.

Up until recently kernel lacked this validation, and now that the kernel
rejects this the test fails.  Use input to make this pass again.

A new test to ensure we reject synproxy in ouput should be added
in the near future.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t
index 4fcde7cc12ea1383cfb321723d5eab6ccc3d26bc..71d5ffe43275ad93632a7c848a95ff6103594302 100644 (file)
--- a/tests/py/ip/objects.t
+++ b/tests/py/ip/objects.t
@@ -1,6 +1,6 @@
-:output;type filter hook output priority 0
+:input;type filter hook input priority 0
 
-*ip;test-ip4;output
+*ip;test-ip4;input
 
 # counter
 %cnt1 type counter;ok

diff --git a/tests/py/ip/objects.t.payload b/tests/py/ip/objects.t.payload
index 5252724ceead153412b0605949325fcf7af88880..3da4b28512b6f8ab852cf9de6fb543887d90b925 100644 (file)
--- a/tests/py/ip/objects.t.payload
+++ b/tests/py/ip/objects.t.payload
@@ -1,5 +1,5 @@
 # ip saddr 192.168.1.3 counter name "cnt2"
-ip test-ip4 output 
+ip test-ip4 input
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ cmp eq reg 1 0x0301a8c0 ]
   [ objref type 1 name cnt2 ]
@@ -8,14 +8,14 @@ ip test-ip4 output
 __objmap%d test-ip4 43
 __objmap%d test-ip4 0
        element 0000bb01  : 0 [end]     element 00005000  : 0 [end]     element 00001600  : 0 [end]
-ip test-ip4 output 
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ objref sreg 1 set __objmap%d ]
 
 # ip saddr 192.168.1.3 quota name "qt1"
-ip test-ip4 output 
+ip test-ip4 input
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ cmp eq reg 1 0x0301a8c0 ]
   [ objref type 2 name qt1 ]
@@ -24,28 +24,28 @@ ip test-ip4 output
 __objmap%d test-ip4 43
 __objmap%d test-ip4 0
        element 0000bb01  : 0 [end]     element 00005000  : 0 [end]     element 00001600  : 0 [end]
-ip test-ip4 output 
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ objref sreg 1 set __objmap%d ]
 
 # ct helper set "cthelp1"
-ip test-ip4 output
+ip test-ip4 input
   [ objref type 3 name cthelp1 ]
 
 # ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" }
 __objmap%d test-ip4 43
 __objmap%d test-ip4 0
         element 00001500  : 0 [end]     element 00004908  : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ objref sreg 1 set __objmap%d ]
 
 # ip saddr 192.168.1.3 limit name "lim1"
-ip test-ip4 output
+ip test-ip4 input
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ cmp eq reg 1 0x0301a8c0 ]
   [ objref type 4 name lim1 ]
@@ -54,25 +54,25 @@ ip test-ip4 output
 __objmap%d test-ip4 43 size 3
 __objmap%d test-ip4 0
         element 0000bb01  : 0 [end]     element 00005000  : 0 [end]     element 00001600  : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ objref sreg 1 set __objmap%d ]
 
 # ct timeout set "cttime1"
-ip test-ip4 output
+ip test-ip4 input
   [ objref type 7 name cttime1 ]
 
 # ct expectation set "ctexpect1"
-ip test-ip4 output
+ip test-ip4 input
   [ objref type 9 name ctexpect1 ]
 
 # synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"}
 __objmap%d test-ip4 43 size 2
 __objmap%d test-ip4 0
        element 0000bb01  : 0 [end]     element 00005000  : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]