1- Create a new rule matching ct state and an IP range

```go
func TestRule(t *testing.T) {
	conn, err := getConn()
	if err != nil {
		t.Fatal(err)
	}
	defer closeNs(netns.NsHandle(conn.NetNS))

	ruleIn := &Rule{
		Table: mytable,
		Chain: cin,
		Exprs: []expr.Any{
			// Load the conntrack state into register 1.
			&expr.Ct{Register: 1, SourceRegister: false, Key: expr.CtKeySTATE},
			// Mask 6 keeps the established and related bits (see the nft output in step 2).
			&expr.Bitwise{
				SourceRegister: 1,
				DestRegister:   1,
				Len:            4,
				Mask:           []byte{6, 0, 0, 0},
				Xor:            []byte{0, 0, 0, 0},
			},
			&expr.Cmp{Op: expr.CmpOpNeq, Register: 1, Data: []byte{0, 0, 0, 0}},
			// Offset 16, length 4 in the network header: the IPv4 destination address.
			&expr.Payload{
				Base:         expr.PayloadBaseNetworkHeader,
				DestRegister: 1,
				Offset:       16,
				Len:          4,
			},
			&expr.Range{
				Op:       expr.CmpOpNeq,
				Register: 1,
				FromData: []byte{192, 168, 1, 1},
				ToData:   []byte{192, 168, 1, 100},
			},
			&expr.Verdict{Kind: expr.VerdictAccept},
		},
	}
	conn.AddRule(ruleIn)

	err = conn.Flush()
	if err != nil {
		t.Fatal(err)
	}
}
```
2- Use the nft tool to check the rule

```
$ nft list ruleset
table ip mytable {
	chain c_in {
		type filter hook input priority filter; policy accept;
		ct state established,related ip daddr != 192.168.1.1-192.168.1.100 accept
	}

	chain c_out {
		type filter hook output priority filter; policy accept;
	}
}
```
3- Use GetRule and print rule.Expr type and content

```go
func TestListRuleSet(t *testing.T) {
	conn, err := getConn()
	if err != nil {
		t.Fatal(err)
	}
	defer closeNs(netns.NsHandle(conn.NetNS))

	rules, err := conn.GetRule(mytable, cin)
	if err != nil {
		t.Fatal(err)
	}
	for _, rule := range rules {
		for _, exp := range rule.Exprs {
			t.Log("\n", reflect.TypeOf(exp))
			t.Logf("%+v", exp)
		}
	}

	rules, err = conn.GetRule(mytable, cout)
	if err != nil {
		t.Fatal(err)
	}
	for _, rule := range rules {
		for _, exp := range rule.Exprs {
			t.Log("\n", reflect.TypeOf(exp))
			t.Logf("%+v", exp)
		}
	}
}

/* output
*expr.Bitwise
&{SourceRegister:1 DestRegister:1 Len:4 Mask:[6 0 0 0] Xor:[0 0 0 0]}
*expr.Cmp
&{Op:1 Register:1 Data:[0 0 0 0]}
*expr.Payload
&{OperationType:0 DestRegister:1 SourceRegister:0 Base:1 Offset:16 Len:4 CsumType:0 CsumFlags:0}
*expr.Verdict
&{Kind:1 Chain:}
*/
```
Notice that neither `*expr.Ct` nor `*expr.Range` appears.
So I tried adding the related type cases below `case unix.NFTA_EXPR_DATA` in the function `exprsFromMsg`:
```go
case "ct":
	e = &expr.Ct{}
case "range":
	e = &expr.Range{}
```
Then the test works fine:

```go
/* output
*expr.Ct
&{Register:1 SourceRegister:false Key:0}
*expr.Bitwise
&{SourceRegister:1 DestRegister:1 Len:4 Mask:[6 0 0 0] Xor:[0 0 0 0]}
*expr.Cmp
&{Op:1 Register:1 Data:[0 0 0 0]}
*expr.Payload
&{OperationType:0 DestRegister:1 SourceRegister:0 Base:1 Offset:16 Len:4 CsumType:0 CsumFlags:0}
*expr.Range
&{Op:1 Register:1 FromData:[8 0 1 0 192 168 1 1] ToData:[8 0 1 0 192 168 1 100]}
*expr.Verdict
&{Kind:1 Chain:}
*/
```
cc @sbezverk who authored the Ct expression type
Add expr.Ct and expr.Range type select in exprsFromMsg (#120)
5231121
fixes #119
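A read-back completeness check for the situation reported in this issue, as an added example that is not part of the issue or of the nftables library: it compares the expression types written in step 1 with the ones step 3 returned and reports which were dropped. The local types stand in for the `expr.*` types, and `typeName`, `droppedExprs` and the sample slices are hypothetical names.

```go
package main

import (
	"fmt"
	"reflect"
)

// Stand-ins for the expr.* types in the issue (assumption: only type identity matters).
type (
	Ct      struct{}
	Bitwise struct{}
	Cmp     struct{}
	Payload struct{}
	Range   struct{}
	Verdict struct{}
)

// typeName returns the bare type name of an expression pointer or value.
func typeName(e interface{}) string {
	t := reflect.TypeOf(e)
	if t.Kind() == reflect.Ptr {
		t = t.Elem()
	}
	return t.Name()
}

// droppedExprs returns "index:type" for each written expression with no in-order match
// in readBack; ok is false when readBack is not an in-order subset of written.
func droppedExprs(written, readBack []interface{}) (dropped []string, ok bool) {
	j := 0
	for i, w := range written {
		if j < len(readBack) && typeName(readBack[j]) == typeName(w) {
			j++
			continue
		}
		dropped = append(dropped, fmt.Sprintf("%d:%s", i, typeName(w)))
	}
	return dropped, j == len(readBack)
}

// Constructed sample: the rule from step 1 and the types step 3 printed before the fix.
var (
	sampleWritten  = []interface{}{&Ct{}, &Bitwise{}, &Cmp{}, &Payload{}, &Range{}, &Verdict{}}
	sampleReadBack = []interface{}{&Bitwise{}, &Cmp{}, &Payload{}, &Verdict{}}
)

func main() {
	fmt.Println(droppedExprs(sampleWritten, sampleReadBack))
}
```

A non-empty result means the decoded rule is missing match conditions and should not be treated as the rule the kernel enforces.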