From: Florian Westphal Date: Tue, 7 Oct 2025 10:48:49 +0000 (+0200) Subject: tests: py: objects.t: must use input, not output X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6b71d114912cd269416f232c0f0ec2fcc42eb58f;p=thirdparty%2Fnftables.git tests: py: objects.t: must use input, not output synproxy must never be used in output rules, doing so results in kernel crash due to infinite recursive calls back to nf_hook_slow() for the emitted reply packet. Up until recently kernel lacked this validation, and now that the kernel rejects this the test fails. Use input to make this pass again. A new test to ensure we reject synproxy in ouput should be added in the near future. Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso
---
diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t
index 4fcde7cc..71d5ffe4 100644
--- a/tests/py/ip/objects.t
+++ b/tests/py/ip/objects.t
@@ -1,6 +1,6 @@
-:output;type filter hook output priority 0
+:input;type filter hook input priority 0
-*ip;test-ip4;output
+*ip;test-ip4;input
 # counter %cnt1 type counter;ok
diff --git a/tests/py/ip/objects.t.payload b/tests/py/ip/objects.t.payload
index 5252724c..3da4b285 100644
--- a/tests/py/ip/objects.t.payload
+++ b/tests/py/ip/objects.t.payload
@@ -1,5 +1,5 @@
 # ip saddr 192.168.1.3 counter name "cnt2"
-ip test-ip4 output
+ip test-ip4 input
 [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0301a8c0 ] [ objref type 1 name cnt2 ]
@@ -8,14 +8,14 @@ ip test-ip4 output __objmap%d test-ip4 43 __objmap%d test-ip4 0 element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ objref sreg 1 set __objmap%d ] # ip saddr 192.168.1.3 quota name "qt1"
-ip test-ip4 output
+ip test-ip4 input
 [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0301a8c0 ] [ objref type 2 name qt1 ]
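Review bot: The new `:input;type filter hook input priority 0` line in tests/py/ip/objects.t carries no comment saying why this chain must not sit on the output hook, so a later cleanup could switch it back and either hit the kernel rejection again or, on kernels without the check, the recursion crash the description mentions. A comment above the chain line would record that, for example `# synproxy must not be used in output chains (kernel rejects it); keep this chain on input`. The description defers the negative test, so until an expected-failure case for synproxy on an output chain exists, nothing in this suite checks that the rejection stays in place. The rest of objects.t lies outside the hunk, so whether any other statement in it relied on the output hook cannot be confirmed from here.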
@@ -24,28 +24,28 @@ ip test-ip4 output __objmap%d test-ip4 43 __objmap%d test-ip4 0 element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ objref sreg 1 set __objmap%d ] # ct helper set "cthelp1"
-ip test-ip4 output
+ip test-ip4 input
 [ objref type 3 name cthelp1 ] # ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" } __objmap%d test-ip4 43 __objmap%d test-ip4 0 element 00001500 : 0 [end] element 00004908 : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ objref sreg 1 set __objmap%d ] # ip saddr 192.168.1.3 limit name "lim1"
-ip test-ip4 output
+ip test-ip4 input
 [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0301a8c0 ] [ objref type 4 name lim1 ]
@@ -54,25 +54,25 @@ ip test-ip4 output __objmap%d test-ip4 43 size 3 __objmap%d test-ip4 0 element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ objref sreg 1 set __objmap%d ] # ct timeout set "cttime1"
-ip test-ip4 output
+ip test-ip4 input
 [ objref type 7 name cttime1 ] # ct expectation set "ctexpect1"
-ip test-ip4 output
+ip test-ip4 input
 [ objref type 9 name ctexpect1 ] # synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"} __objmap%d test-ip4 43 size 2 __objmap%d test-ip4 0 element 0000bb01 : 0 [end] element 00005000 : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ]