ruleset: dispatch ct states using verdict map

In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.

Signed-off-by: Andris PE <neandris@gmail.com>
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 219cd02a7535a96a284a3882baf01a63e2100de7..f7c93fc47077de547be0315c75db230a0a2fffea 100644 (file)
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -115,10 +115,7 @@ table inet fw4 {
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
 {% fw4.includes('chain-prepend', 'input') %}
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
-{% if (fw4.default_option("drop_invalid")): %}
-               ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
-{% endif %}
+               ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle inbound flows"
 {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
                tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 {% endif %}
@@ -141,10 +138,7 @@ table inet fw4 {
                meta l4proto { tcp, udp } flow offload @ft;
 {% endif %}
 {% fw4.includes('chain-prepend', 'forward') %}
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
-{% if (fw4.default_option("drop_invalid")): %}
-               ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
-{% endif %}
+               ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle forwarded flows"
 {% for (let rule in fw4.rules("forward")): %}
                {%+ include("rule.uc", { fw4, zone: (rule.src?.zone?.log_limit ? rule.src.zone : rule.dest?.zone), rule }) %}
 {% endfor %}
@@ -163,10 +157,7 @@ table inet fw4 {
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
 {% fw4.includes('chain-prepend', 'output') %}
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
-{% if (fw4.default_option("drop_invalid")): %}
-               ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
-{% endif %}
+               ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle outbound flows"
 {% for (let rule in fw4.rules("output")): %}
                {%+ include("rule.uc", { fw4, zone: null, rule }) %}
 {% endfor %}

diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 2a0e5df19d04f78b1c54ba8b48080b8892a3f261..6a30d2209974dfb408d1a85713219a3f9f47c107 100644 (file)
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -112,7 +112,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
@@ -123,7 +123,7 @@ table inet fw4 {
                type filter hook forward priority filter; policy drop;
 
                meta l4proto { tcp, udp } flow offload @ft;
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
@@ -134,7 +134,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"

diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index 93a0f08d7c8ceb12b51765d511215854baa3de24..7b62d682cd106f8929a7b5bb39d0e616f7b5f6f6 100644 (file)
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -93,7 +93,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }
@@ -101,7 +101,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        }
@@ -111,7 +111,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index 03be7af9dfc80263a5ecc0514208359bc71cfbcd..572086e14ebfdbc0c3133a2509cda3774b3aa7f8 100644 (file)
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -95,7 +95,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
                iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
                iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -104,7 +104,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
                iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
                iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -115,7 +115,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
                oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
                oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index 1b1098f1082fc4797f2900884e3a4dbcd5ce6f69..35d3cbc3dac4ea8defa93a16cb426a249fe5b3b6 100644 (file)
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -99,7 +99,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
                iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
                iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -108,7 +108,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
                iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
                iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -119,7 +119,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
                oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
                oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 011ef8912adea405c77bd18675c5760c2d8e1e23..51e05db2b44dc7581369d94c62d493d1bd57b362 100644 (file)
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -122,7 +122,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
                iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
        }
@@ -130,7 +130,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
                iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
        }
@@ -140,7 +140,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
                oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
        }

diff --git a/tests/02_zones/04_masq_allow_invalid b/tests/02_zones/04_masq_allow_invalid
index 5a404b987cbc393adbb8632e5af18f8d3a732107..bdda791d85d70f73b7788ec91c4fa739f96e893b 100644 (file)
--- a/tests/02_zones/04_masq_allow_invalid
+++ b/tests/02_zones/04_masq_allow_invalid
@@ -71,14 +71,14 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
        }
 
@@ -87,7 +87,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
        }
 

diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index 292fd114d228942f66fe707d7849b4a170241be8..22c2183f3b97bc68ef96e533d1a01784a804327f 100644 (file)
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -122,7 +122,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
                iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
                iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -137,7 +137,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
                iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
                iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -154,7 +154,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
                oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
                oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index c171ac7944157ce61563704a435c7ceeddfef6e7..a66ad736ef3da7d6e7d4132f90b6a13b823e5949 100644 (file)
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -81,7 +81,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic"
                meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
                meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
@@ -91,7 +91,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump forward_test1 comment "!fw4: Handle test1 IPv6 forward traffic"
                meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
                meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
@@ -103,7 +103,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic"
                meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
                meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"

diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections
index b01a609efec320b9d924dbeec29e9a746bc95fe8..28a4894ae3e01daa8cf6654eeb46f5399320863b 100644 (file)
--- a/tests/02_zones/06_family_selections
+++ b/tests/02_zones/06_family_selections
@@ -136,7 +136,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic"
                meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
                meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic"
@@ -148,7 +148,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                meta nfproto ipv4 ip saddr 10.0.0.0/8 jump forward_test1 comment "!fw4: Handle test1 IPv4 forward traffic"
                meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
                meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: Handle test3 IPv6 forward traffic"
@@ -162,7 +162,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic"
                meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
                meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic"

diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers
index 1a5a24aafb65b72a9bba34e572f0fcefefaf122e..363aff17342dabbbfa95cf30948f61e174dda8da 100644 (file)
--- a/tests/02_zones/07_helpers
+++ b/tests/02_zones/07_helpers
@@ -168,7 +168,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
                iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
                iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -178,7 +178,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
                iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
                iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -190,7 +190,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
                oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
                oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/08_log_limit b/tests/02_zones/08_log_limit
index 35e510851a519f9f7be6af10ac76d06952350f3c..b5613bc96e9c494d58ca7aec76fb1ad788c2ca35 100644 (file)
--- a/tests/02_zones/08_log_limit
+++ b/tests/02_zones/08_log_limit
@@ -240,7 +240,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]"
                tcp dport 1008 counter comment "!fw4: @rule[7]"
                tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: "
@@ -254,7 +254,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: "
                tcp dport 1005 counter comment "!fw4: @rule[4]"
                tcp dport 1006 counter comment "!fw4: @rule[5]"
@@ -269,7 +269,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic"
                oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"

diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction
index 7751a2328839073ad92245f0268e5a0950341b4e..4a7ba42a3276b9f1f96335a102ca893dd66767d8 100644 (file)
--- a/tests/03_rules/01_direction
+++ b/tests/03_rules/01_direction
@@ -71,14 +71,14 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                counter comment "!fw4: @rule[1]"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                counter comment "!fw4: @rule[3]"
        }
 
@@ -87,7 +87,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                counter comment "!fw4: @rule[0]"
                counter comment "!fw4: @rule[2]"
        }

diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled
index c5ef8c6544476e9551419730ca58298220dbea7f..ae2f424ca935939d4a8f6b8f34d4f13c1af5c9cd 100644 (file)
--- a/tests/03_rules/02_enabled
+++ b/tests/03_rules/02_enabled
@@ -68,13 +68,13 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        }
 
        chain output {
@@ -82,7 +82,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                counter comment "!fw4: Implicitly enabled"
                counter comment "!fw4: Explicitly enabled"
        }

diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index 05fb3799ddc891daf46b025e9522663ec17cda64..eb3272fb41d7d2039ac5fccf868a737c41d3afa7 100644 (file)
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -107,13 +107,13 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        }
 
        chain output {
@@ -121,7 +121,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
                meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
        }

diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index c3553752e4b739bfd110a0fd1e8291c4b9d318f2..b70d1027c3f460fa646de13e351dee5726c749d5 100644 (file)
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -77,13 +77,13 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        }
 
        chain output {
@@ -91,7 +91,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
                meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
                meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"

diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index 57444ded8b77ab00a8314a18152537a466ca81e4..e1d27e31cce51e8de8f11e69569748a49b4bfc9b 100644 (file)
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -178,7 +178,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }
@@ -186,7 +186,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        }
@@ -196,7 +196,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index 6423398c385f28cef36ab3c0cbeff874400ac584..0bedf5073c7045cb0025cff81614f45166c78c76 100644 (file)
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -133,7 +133,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
@@ -142,7 +142,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic"
@@ -153,7 +153,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 counter comment "!fw4: Mask rule #1"
                ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
                ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"

diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index e6057fd601bcd8de1318b120427c87490c68c42f..80a9773c1f5d39b5565d980488edeb8052135d4f 100644 (file)
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -165,7 +165,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic"
@@ -174,7 +174,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic"
@@ -185,7 +185,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic"

diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index fa02eade0b7381f9d9818f7bc00926af7f3becb5..b275ca6291c8b3a254258c7e6183ecdbe60c272c 100644 (file)
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -202,14 +202,14 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
        }
 
@@ -218,7 +218,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
        }
 

diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time
index 7a7471b8f8373f0f25739ff733ab9be6dd6a80d3..cba19145cfe5b1efd487d6364c6ad3db38523b8f 100644 (file)
--- a/tests/03_rules/09_time
+++ b/tests/03_rules/09_time
@@ -139,13 +139,13 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        }
 
        chain output {
@@ -153,7 +153,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta time >= "2022-05-30 21:51:23" counter accept comment "!fw4: Time rule #1"
                meta time >= "2022-05-30 21:51:00" counter accept comment "!fw4: Time rule #2"
                meta time >= "2022-05-30 21:00:00" counter accept comment "!fw4: Time rule #3"

diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack
index e2b6acc1cc9e3c89d9cd67ca1424c7d8b0d3a3e4..d64df1114999b8b058c53a793534c41acac16028 100644 (file)
--- a/tests/03_rules/10_notrack
+++ b/tests/03_rules/10_notrack
@@ -103,7 +103,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic"
                iifname "lo" jump input_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 input traffic"
                meta nfproto ipv4 ip saddr 127.0.0.0/8 jump input_zone3 comment "!fw4: Handle zone3 IPv4 input traffic"
@@ -113,7 +113,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "eth0" jump forward_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 forward traffic"
                iifname "lo" jump forward_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 forward traffic"
                meta nfproto ipv4 ip saddr 127.0.0.0/8 jump forward_zone3 comment "!fw4: Handle zone3 IPv4 forward traffic"
@@ -125,7 +125,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic"
                oifname "lo" jump output_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 output traffic"
                meta nfproto ipv4 ip daddr 127.0.0.0/8 jump output_zone3 comment "!fw4: Handle zone3 IPv4 output traffic"

diff --git a/tests/03_rules/11_log b/tests/03_rules/11_log
index ecbabe566157602cdb12fdd65452cd05aae42eef..6404a58b9bf3e2016e6fc8c7a8271d9f2035b63d 100644 (file)
--- a/tests/03_rules/11_log
+++ b/tests/03_rules/11_log
@@ -114,13 +114,13 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        }
 
        chain output {
@@ -128,7 +128,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                counter log prefix "@rule[0]: " comment "!fw4: @rule[0]"
                counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name"
                counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]"

diff --git a/tests/03_rules/12_mark b/tests/03_rules/12_mark
index 67e2a0c30f3c18ac391eb8a1f9baec4fc3347fb9..1d095cf86a0f9bea31d74ec4f8276a76eed62b66 100644 (file)
--- a/tests/03_rules/12_mark
+++ b/tests/03_rules/12_mark
@@ -98,13 +98,13 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        }
 
        chain output {
@@ -112,7 +112,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
        }
 
        chain prerouting {

diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index 6f2ddaee36afffbc69a085dd0ef39f5290abc2e7..54431ba74c4d33dd94917f9f6bf14c46a40eae62 100644 (file)
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -92,7 +92,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic"
                iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic"
                iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
@@ -101,7 +101,7 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "eth0" jump forward_wanA comment "!fw4: Handle wanA IPv4/IPv6 forward traffic"
                iifname "eth1" jump forward_wanB comment "!fw4: Handle wanB IPv4/IPv6 forward traffic"
                iifname "eth2" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
@@ -112,7 +112,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic"
                oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic"
                oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"

diff --git a/tests/05_ipsets/01_declaration b/tests/05_ipsets/01_declaration
index 88f6171ef679916846335771b302ac106bb97686..cebb33739c78af70a0342f013cdb4c7f8e92764a 100644 (file)
--- a/tests/05_ipsets/01_declaration
+++ b/tests/05_ipsets/01_declaration
@@ -88,13 +88,13 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        }
 
        chain output {
@@ -102,7 +102,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
        }
 
        chain prerouting {

diff --git a/tests/05_ipsets/02_usage b/tests/05_ipsets/02_usage
index 0f919aff3cf787d07282e60585aee39acdab3093..6bff992662118b51759f62a2fd9375f712c1ebeb 100644 (file)
--- a/tests/05_ipsets/02_usage
+++ b/tests/05_ipsets/02_usage
@@ -162,13 +162,13 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                meta nfproto ipv4 meta l4proto tcp ip saddr . tcp dport @test-set-1 counter comment "!fw4: Rule using test set #1"
                meta nfproto ipv4 meta l4proto tcp ip saddr . tcp sport @test-set-2 counter comment "!fw4: Rule using test set #2, match direction should default to 'source'"
                meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport @test-set-1 counter comment "!fw4: Rule using test set #1, overriding match direction"
@@ -182,7 +182,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
        }
 
        chain prerouting {

diff --git a/tests/06_includes/01_nft_includes b/tests/06_includes/01_nft_includes
index 314a428099c9326034341b7c1960bbde24b25cd2..275f9eea83f84cf995db4580df5915b13cac271d 100644 (file)
--- a/tests/06_includes/01_nft_includes
+++ b/tests/06_includes/01_nft_includes
@@ -156,7 +156,7 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
        }
 
@@ -164,7 +164,7 @@ table inet fw4 {
                type filter hook forward priority filter; policy drop;
 
                include "/usr/share/nftables.d/include-chain-start-forward.nft"
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
                include "/usr/share/nftables.d/include-chain-end-forward.nft"
        }
@@ -174,7 +174,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
        }
 

diff --git a/tests/06_includes/02_firewall.user_include b/tests/06_includes/02_firewall.user_include
index fa398ffdabc3e1ef5b4c7243437cde2f6f8873e9..e822fb8a135e3d9812e9e882dcd87f5373fd105a 100644 (file)
--- a/tests/06_includes/02_firewall.user_include
+++ b/tests/06_includes/02_firewall.user_include
@@ -93,14 +93,14 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
        }
 
@@ -109,7 +109,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
        }
 

diff --git a/tests/06_includes/04_disabled_include b/tests/06_includes/04_disabled_include
index ac0a6c86b0dbce07a2ff31b9509ffda98e8d6233..b0072d315f0597e6ef8315c3fa2d3c7c7d3e76fa 100644 (file)
--- a/tests/06_includes/04_disabled_include
+++ b/tests/06_includes/04_disabled_include
@@ -99,14 +99,14 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
        }
 
@@ -115,7 +115,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
        }
 

diff --git a/tests/06_includes/05_automatic_includes b/tests/06_includes/05_automatic_includes
index 53cc6f8a40fabcbba68f1ec55c938e7e117d686c..f2b89c3e6031516c6f14298e9dd5ff17616d574a 100644 (file)
--- a/tests/06_includes/05_automatic_includes
+++ b/tests/06_includes/05_automatic_includes
@@ -99,14 +99,14 @@ table inet fw4 {
 
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-               ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
 
-               ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
        }
 
@@ -115,7 +115,7 @@ table inet fw4 {
 
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-               ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+               ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
        }