Merge ac32e1ceb5 into 9a9f2ce6b3

expr/ct.go

@@ -226,20 +226,16 @@ func (c *CtExpect) marshal(fam byte) ([]byte, error) {
 }
 
 func (c *CtExpect) marshalData(fam byte) ([]byte, error) {
-	// all elements except l3proto must be defined
+	// all elements must be defined
 	// per https://git.netfilter.org/nftables/tree/doc/stateful-objects.txt?id=db70959a5ccf2952b218f51c3d529e186a5a43bb#n119
-	// from man page: l3proto is derived from the table family by default
 	exprData := []netlink.Attribute{
+		{Type: NFTA_CT_EXPECT_L3PROTO, Data: binaryutil.BigEndian.PutUint16(c.L3Proto)},
 		{Type: NFTA_CT_EXPECT_L4PROTO, Data: []byte{c.L4Proto}},
 		{Type: NFTA_CT_EXPECT_DPORT, Data: binaryutil.BigEndian.PutUint16(c.DPort)},
 		{Type: NFTA_CT_EXPECT_TIMEOUT, Data: binaryutil.BigEndian.PutUint32(c.Timeout)},
 		{Type: NFTA_CT_EXPECT_SIZE, Data: []byte{c.Size}},
 	}
 
-	if c.L3Proto != 0 {
-		attr := netlink.Attribute{Type: NFTA_CT_EXPECT_L3PROTO, Data: binaryutil.BigEndian.PutUint16(c.L3Proto)}
-		exprData = append(exprData, attr)
-	}
 	return netlink.MarshalAttributes(exprData)
 }
 

nftables_test.go

@@ -1486,7 +1486,7 @@ func TestCtExpect(t *testing.T) {
 	defer conn.FlushRuleset()
 
 	table := conn.AddTable(&nftables.Table{
-		Family: nftables.TableFamilyIPv4,
+		Family: nftables.TableFamilyINet,
 		Name:   "filter",
 	})
 
@@ -1498,8 +1498,8 @@ func TestCtExpect(t *testing.T) {
 			L3Proto: unix.NFPROTO_IPV4,
 			L4Proto: unix.IPPROTO_TCP,
 			DPort:   53,
-			Timeout: 20,
+			Timeout: 2000,
-			Size:    100,
+			Size:    1,
 		},
 	}