Re: [nft PATCH] tests/shell: add chain validations tests

On Wed, Mar 23, 2016 at 08:44:31AM +0100, Arturo Borrero Gonzalez wrote:
> On 22 March 2016 at 20:20, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Tue, Mar 22, 2016 at 02:06:09PM +0100, Arturo Borrero Gonzalez wrote:
> >> Some basic tests regarding chains: jumps and validations.
> >>
> >> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>
> >> ---
> >> NOTE: the testcases/chains/0009masquerade_jump_1 file fails, seems like a bug
> >> in the kernel validation. Needs more investigation.
> >
> > I can see this there:
> >
> >> +$NFT add chain t output {type nat hook output priority 0 \; }
> >
> > We only support masquerade from postrouting.
> >
> > static struct xt_target masquerade_tg_reg __read_mostly = {
> >         .name           = "MASQUERADE",
> >         .family         = NFPROTO_IPV4,
> >         .target         = masquerade_tg,
> >         .targetsize     = sizeof(struct nf_nat_ipv4_multi_range_compat),
> >         .table          = "nat",
> >         .hooks          = 1 << NF_INET_POST_ROUTING,
> >
> > BTW, it would be good to add more tests to exercise the chain loop
> > detection code.
> >
> > Please, fix and resubmit, thanks.
> 
> Probably my description of the problem was poor.
> 
> The offending testcase is testing, in fact, that we can add a rule
> with a jump to a chain with a masquerade rule, thus connecting
> masquerade to an output hook:
> 
> $NFT add table t
> $NFT add chain t output {type nat hook output priority 0 \; }
> $NFT add chain t c1
> $NFT add rule t c1 masquerade
> $NFT add rule t output tcp dport vmap {1 :jump c1 }
> 
> This doesn't fail, and that's the problem indeed.

Right, I'm applying this so we keep this on the radar, thanks.
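An added example, not part of the thread or of nftables: a simplified Python model of why the ruleset in the testcase passes a check that looks only at the chain holding each rule, and what a check that follows jumps from the base chain reports instead. The `Ruleset` class and its methods are hypothetical, and the only restriction modelled is the one stated in the reply (masquerade from postrouting only).

```python
# Assumption from the reply above: masquerade is accepted only from postrouting.
HOOK_LIMITS = {"masquerade": {"postrouting"}}


class Ruleset:
    """Constructed model of one table: chains, their expressions, jump edges."""
    def __init__(self):
        self.hook = {}    # chain name -> hook name, None for a regular chain
        self.exprs = {}   # chain name -> expressions used by its rules
        self.jumps = {}   # chain name -> jump targets (plain or vmap verdicts)

    def add_chain(self, name, hook=None):
        self.hook[name], self.exprs[name], self.jumps[name] = hook, [], set()

    def add_rule(self, chain, expr=None, jump_to=()):
        if expr:
            self.exprs[chain].append(expr)
        self.jumps[chain].update(jump_to)

    def local_check(self, chain):
        """Check a chain's own rules against its own hook only."""
        hook = self.hook[chain]
        return [(chain, e, hook) for e in self.exprs[chain]
                if hook and e in HOOK_LIMITS and hook not in HOOK_LIMITS[e]]

    def graph_check(self):
        """Follow jumps from every base chain and report restricted
        expressions that are reachable from a hook they do not allow."""
        bad = set()
        for base, hook in self.hook.items():
            if hook is None:
                continue  # regular chains are only reached through jumps
            seen, stack = set(), [base]
            while stack:
                chain = stack.pop()
                if chain in seen:
                    continue  # already visited; also terminates on jump loops
                seen.add(chain)
                bad.update((chain, e, hook) for e in self.exprs[chain]
                           if e in HOOK_LIMITS and hook not in HOOK_LIMITS[e])
                stack.extend(self.jumps[chain])
        return sorted(bad)


def thread_ruleset():
    """The five commands quoted in the thread, in the same order."""
    rs = Ruleset()
    rs.add_chain("output", hook="output")   # type nat hook output priority 0
    rs.add_chain("c1")                      # regular chain, no hook
    rs.add_rule("c1", expr="masquerade")
    rs.add_rule("output", jump_to=["c1"])   # tcp dport vmap {1 : jump c1}
    return rs
```

In this model `c1` has no hook when the masquerade rule is added, so only the walk that starts at the `output` base chain sees the conflict.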