Note that this will fix support for single expressions on older kernels but multiple expressions on older kernels will remain unsupported as NFT_DYNSET_F_EXPR flag should not be omitted for dynsets with multiple expressions.
Fix the marshall of the hash seed to be conditional, only if it is
explicitly set, we need to add it to the kernel as stated on the
libnftl and nftables projects.
Refence: https://git.netfilter.org/nftables/tree/src/netlink_linearize.c?id=25e7b99cc450490c38becb03d8bddd0199cfd3f9#n174
Otherwise, having a hash expression similar to this:
```
ip daddr set jhash tcp sport mod 2 seed 0x0 map { 0 : 192.168.0.1, 1 : 192.168.2.2 }
```
end up setting only the first IP and ignoring the second one.
Signed-off-by: Rafael Campos <methril@gmail.com>
The Objref expression was not considered when parsing raw expressions
bytes to construct nftables expressions.
Add unit test to check that a rule with an Objref expression is
properly obtained by GetRules().
Signed-off-by: Victor Sandonis Consuegra <vsandonis@ibm.com>
The Meta nftables expression was not filling the Register and SourceRegister
fields when unmarshalling.
Add a check for NFTA_META_SREG message when unmarshalling to fill the Meta
fields.
Add Unit Test for source and destination unmarshall.
Signed-off-by: Rafael Campos <rafael.campos.lasheras@ibm.com>
* Unmarshal Exthdr and support DestRegister/Flags for reads
Some fields in Exthdr are context-sensitive. Mixing unexpected fields
will result in EOPNOTSUPP.
* Fix order in which Exthdr attributes are written
Fixes https://github.com/google/nftables/issues/113
Log expression implementation changed to better support different log options
Added uint16 support to the binaryutil package
Changed old log expression tests that were failing after change
Added a new test to check the implementation for multiple log options
Before this commit: the unmarshaling of a verdict pointing
to a chain fails.
After this commit: the unmarshaling of a rule with a verdict
pointing to a chain succeeds and the information about the
chain gets put in `Verdict.Chain`.
Resolves: #105
Signed-off-by: Paul Greenberg <greenpau@outlook.com>
* Change in dnat logic to cover all combinations
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* Add parameter to cover all possible nat combinations
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
_|+
turekt
Aleksei Ilin
Lionel Jouin
Francesco Cheinasso
Rafael Campos Las Heras
black-desk
Rafael Campos
Andrew LeFevre
vsandonis
thediveo
TheDiveO
Ben de Graaff
Gustavo Iñiguez Goia
pengyuan.dai
Paul Greenberg
Grégoire Delattre
Grégoire Delattre
Serguei Bezverkhi
Alexis PIRES
Minaru
Maxime Demode