Re: [nft PATCH] tests/shell: add chain validations tests

On 22 March 2016 at 20:20, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Mar 22, 2016 at 02:06:09PM +0100, Arturo Borrero Gonzalez wrote:
>> Some basic test regarding chains: jumps and validations.
>>
>> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>
>> ---
>> NOTE: the testcases/chains/0009masquerade_jump_1 file fails, seems like a bug
>> in the kernel validation. Needs more investigation.
>
> I can see this there:
>
>> +$NFT add chain t output {type nat hook output priority 0 \; }
>
> We only support masquerade from postrouting.
>
> static struct xt_target masquerade_tg_reg __read_mostly = {
>         .name           = "MASQUERADE",
>         .family         = NFPROTO_IPV4,
>         .target         = masquerade_tg,
>         .targetsize     = sizeof(struct nf_nat_ipv4_multi_range_compat),
>         .table          = "nat",
>         .hooks          = 1 << NF_INET_POST_ROUTING,
>
> BTW, it would be good to add more tests to exercise the chain loop
> detection code.
>
> Please, fix and resubmit, thanks.

Probably my description of the problem was poor.

The offending testcase is testing, in fact, that we can add a rule
with a jump to a chain with a masquerade rule, thus connecting
masquerade to an output hook:

$NFT add table t
$NFT add chain t output {type nat hook output priority 0 \; }
$NFT add chain t c1
$NFT add rule t c1 masquerade
$NFT add rule t output tcp dport vmap {1 :jump c1 }

This doesn't fail, and that's the problem indeed.

-- 
Arturo Borrero González
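The point of the thread is that a hook restriction such as "masquerade only from postrouting" cannot be checked against the chain a rule is added to; it has to be checked against the base chain from which that rule becomes reachable, following jumps. The following is an added illustration of that idea in C, written for this page; it is not kernel or nft code. It models a table as a small in-memory graph of chains and rules, walks every base chain carrying its hook through jumps, rejects a masquerade expression reached from anything but postrouting, and also flags a jump loop (the other check Pablo asks for tests on). The `tcp dport vmap { 1 : jump c1 }` rule from the mail is flattened here to a plain jump to c1, which is an assumption: a real validator would have to walk every verdict stored in the map as well. Chain and expression names, the `verdict` codes and the `scenario_*` helpers are all made up for the example.

```c
/* Toy model of hook-constrained rule validation through jumps.
 * Added illustration for this thread, not kernel or nft code. */
#include <stdio.h>

enum hook { HOOK_PREROUTING, HOOK_INPUT, HOOK_FORWARD, HOOK_OUTPUT,
            HOOK_POSTROUTING, HOOK_NONE /* regular chain, no hook */ };
enum expr_kind { EXPR_ACCEPT, EXPR_MASQUERADE, EXPR_JUMP };

#define MAX_CHAINS 16   /* must stay <= 32: the loop detector uses an unsigned bitmask */
#define MAX_RULES  8

struct expr  { enum expr_kind kind; int target; }; /* target: chain index for EXPR_JUMP */
struct chain { const char *name; enum hook hook; int nrules; struct expr rules[MAX_RULES]; };
struct table { int nchains; struct chain chains[MAX_CHAINS]; };

enum verdict { VALID = 0, ERR_BAD_HOOK = -1, ERR_LOOP = -2 };

static int add_chain(struct table *t, const char *name, enum hook hook)
{
    struct chain *c = &t->chains[t->nchains];
    c->name = name; c->hook = hook; c->nrules = 0;
    return t->nchains++;
}

static void add_rule(struct table *t, int chain, enum expr_kind kind, int target)
{
    struct chain *c = &t->chains[chain];
    c->rules[c->nrules].kind = kind;
    c->rules[c->nrules].target = target;
    c->nrules++;
}

/* Walk one chain with the hook of the base chain the walk started from.
 * `visiting` is a bitmask of chains on the current jump path (loop detection). */
static int validate_chain(const struct table *t, int idx, enum hook hook, unsigned visiting)
{
    const struct chain *c = &t->chains[idx];
    if (visiting & (1u << idx))
        return ERR_LOOP;
    visiting |= 1u << idx;

    for (int i = 0; i < c->nrules; i++) {
        const struct expr *e = &c->rules[i];
        int r;
        switch (e->kind) {
        case EXPR_MASQUERADE:
            /* The constraint is on the entry hook, not on the chain holding the rule. */
            if (hook != HOOK_POSTROUTING)
                return ERR_BAD_HOOK;
            break;
        case EXPR_JUMP:
            r = validate_chain(t, e->target, hook, visiting);
            if (r != VALID)
                return r;
            break;
        default:
            break;
        }
    }
    return VALID;
}

/* Validate from every base chain; regular chains are only checked when a jump reaches them. */
int validate_table(const struct table *t)
{
    for (int i = 0; i < t->nchains; i++) {
        if (t->chains[i].hook == HOOK_NONE)
            continue;
        int r = validate_chain(t, i, t->chains[i].hook, 0);
        if (r != VALID)
            return r;
    }
    return VALID;
}

/* Constructed scenario mirroring the commands in the mail: base chain on
 * `base_hook` jumps to regular chain c1, which holds a masquerade rule. */
int scenario_masq_via_jump(enum hook base_hook)
{
    struct table t = { 0 };
    int base = add_chain(&t, "output", base_hook);
    int c1   = add_chain(&t, "c1", HOOK_NONE);
    add_rule(&t, c1, EXPR_MASQUERADE, 0);
    add_rule(&t, base, EXPR_JUMP, c1);
    return validate_table(&t);
}

/* Constructed scenario: postrouting -> c1 -> c2 -> c1, a jump loop. */
int scenario_jump_loop(void)
{
    struct table t = { 0 };
    int base = add_chain(&t, "postrouting", HOOK_POSTROUTING);
    int c1   = add_chain(&t, "c1", HOOK_NONE);
    int c2   = add_chain(&t, "c2", HOOK_NONE);
    add_rule(&t, base, EXPR_JUMP, c1);
    add_rule(&t, c1, EXPR_JUMP, c2);
    add_rule(&t, c2, EXPR_JUMP, c1);
    return validate_table(&t);
}

int main(void)
{
    printf("output -> c1 (masquerade):      %d\n", scenario_masq_via_jump(HOOK_OUTPUT));
    printf("postrouting -> c1 (masquerade): %d\n", scenario_masq_via_jump(HOOK_POSTROUTING));
    printf("jump loop:                      %d\n", scenario_jump_loop());
    return 0;
}
```

With the model, the reproducer from the mail (output hook jumping to a chain with masquerade) comes back as `ERR_BAD_HOOK`, the same ruleset hung off postrouting is `VALID`, and the c1/c2 cycle is `ERR_LOOP`. The corresponding shell-level test against a real kernel is simply the five `$NFT` commands above with the expectation that the last one exits non-zero.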