test.nft:6:55-71: Error: specify either ip or ip6 for address matching
add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
                                                      ^^^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/evaluate.c           | 6 ++++++
 tests/py/ip/ct.t         | 3 +++
 tests/py/ip/ct.t.payload | 9 +++++++++
 3 files changed, 18 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 38dbc33d7826..c830dcdbd965 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1472,6 +1472,12 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
 	const struct datatype *dtype;
 	struct expr *key, *data;
+	if (map->map->etype == EXPR_CT &&
+	    (map->map->ct.key == NFT_CT_SRC ||
+	     map->map->ct.key == NFT_CT_DST))
+		return expr_error(ctx->msgs, map->map,
+				 "specify either ip or ip6 for address matching");
+
 	expr_set_context(&ctx->ectx, NULL, 0);
 	if (expr_evaluate(ctx, &map->map) < 0)
 		return -1;
diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
index d3247f79113f..c5ce12747d42 100644
--- a/tests/py/ip/ct.t
+++ b/tests/py/ip/ct.t
@@ -21,3 +21,6 @@ ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-s
 # wrong address family
 ct reply ip daddr dead::beef;fail
+
+meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail
+meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok
diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
index a7e08f98e6a3..3348d16ddc72 100644
--- a/tests/py/ip/ct.t.payload
+++ b/tests/py/ip/ct.t.payload
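Review bot: The new guard at the top of expr_evaluate_map only catches a ct saddr/daddr expression used directly as the map key; the same family-less `ct original daddr` inside a concatenated key (`ct original daddr . ct original proto-dst`) or in a non-map context is not inspected here, so if those forms hit the same untyped-key problem the bug report describes (the commit message does not say), the check is better placed where the ct expression itself is evaluated rather than in the map evaluator. The condition also gives the reader no reason for the rejection; a comment above the `if` such as `/* ct saddr/daddr have no datatype until the address family is known, so an untyped map key cannot be evaluated — confirm against the ct datatype resolution */` would document it. The accompanying ct.t cases exercise only the ip family, so the ip6 spelling of the same rule is left unpinned by this patch. expr_evaluate_map's body continues outside the hunk.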
@@ -56,3 +56,12 @@ ip test-ip4 output
   [ cmp eq reg 1 0x00000011 ]
   [ ct load proto_src => reg 1 , dir reply ]
   [ cmp eq reg 1 0x00003500 ]
+
+# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 01010101 : 00000011 0 [end]
+ip
+  [ ct load dst_ip => reg 1 , dir original ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
-- 2.20.1