Re: [PATCH nft 0/4] restrict meta nfproto to inet family

On Fri, Jun 16, 2017 at 10:34:07PM +0200, Florian Westphal wrote:
> Pablo reports the following test case failure:
> 
> any/ct.t: ERROR: line 94: src/nft add rule --debug=netlink ip6
> test-ip6 output meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed.
> 
> We can't find upper layer protocol in this case, but even if we'd
> "fix" this it is still non-sensical, as
> 
>   meta nfproto ipv4
> 
> will never match except in the inet family and the
> ip family, but in the latter case it will always match so it
> has no effect.
> 
> So, first step is to move this to an inet specific test to
> get rid of the test case failure.
> 
> The followup changes then get rid of meta nfproto tests or
> move them to inet-family-only tests.
> 
> The last patch makes nft reject 'meta nfproto' in all families
> except inet, where this expression is needed in case one wants to
> explicitly restrict a rule to only ipv4 or ipv6.

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Thanks Florian.

Can we probably get rid of meta nfproto at some point? IIRC it's only
needed because skb->protocol is not set in the output hook, but it is
indeed available in postrouting. Can you find any reason for this
behaviour?
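As an added illustration of the point the series makes (this ruleset is not part of the thread or of the nft project), here is an inet-family table where `meta nfproto` does real work: in the inet family a transport-layer match such as `tcp dport 22` applies to both IPv4 and IPv6, so the only way to pin a rule to one IP version is an explicit `meta nfproto`. The same `meta nfproto ipv4` test in an `ip` table would always match (redundant), and in an `ip6` table it could never match, which is exactly why the last patch rejects it outside inet. Table and chain names are constructed for the example.

```nft
# Constructed example: inet table, hypothetical names "filter"/"input".
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept SSH only when it arrives over IPv6; without the
        # 'meta nfproto' prefix this rule would match IPv4 too.
        meta nfproto ipv6 tcp dport 22 accept

        # Count IPv4 SSH attempts separately before they hit the drop policy.
        meta nfproto ipv4 tcp dport 22 counter
    }
}
```

Load it with `nft -f <file>`; `nft -c -f <file>` only parses and checks the ruleset without applying it, which is a convenient way to see whether a given nft build accepts or rejects `meta nfproto` in a particular family.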