| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Add a shell script that creates many conntrack entries and it updates
the mark to cover for recent bugs in the 1.4.7 release when moving to
libmnl. This test can be extended to cover for more commands.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The -A command works exactly the same way as -I except that it
does not fail if the ct entry already exists.
This command is useful for the batched ct loads to not abort if
some entries being applied exist.
The ct entry dump in the "save" format is now switched to use the
-A command as well for the generated output.
Also tests added to cover the -A command.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure the protocol (-p) option is included in the -o save
ct entry dumps for L4 protocols unknown to the conntrack tool.
Do not use getprotobynumber for unknown protocols to ensure
"-o save" data incompatibility between hosts having different
/etc/protocols contents.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Before this commit it was possible to successfully create a ct entry
passing -p 256 and -p some_nonsense.
In both cases an entry with the protocol=0 would be created.
Do not allow invalid protocol values to -p option.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Withouth reply l4 protocol being set consistently the mnl_cb_run
(in fact the kernel) would return EINVAL.
Make sure the reply l4 protocol is set properly for unknown
protocols.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The tests/conntrack/bulk-load-stress.sh is intended to be used for
stress-testing the bulk load of ct entries from a file (-R option).
Script usage detail is given by the ./bulk-load-stress.sh -h
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Tests to cover conntrack -L and conntrack -D with and w/o
family (-f) specfied.
conntrack -L and contnrack -D shold list/delete
both IPv4 and IPv6 entries if no family is specified,
and should ony display the corresponding entries if
the family is given.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We are not interested in sysctl echoing the value it just set.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This test case covers missing hashtable buckets and max entries configuration options. There should
be a value for them, otherwise the daemon segfaults.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This allows for running the script away from the test infrastructure,
which is convenient when developing new tests. This also allows for
reusing the same netns setup from new tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new scenario with a virtual network layout that was previously designed by
Pablo (see commit 7f1fb5dad90f04caa94f4fcefd1340aeb2c2f0e3).
The scenario is called 'basic_2_peer_network_tcp_notrack' and can be used to test conntrack entry
replication in TCP/NOTRACK mode with both caches disables. In this mode entry syncronization should
happen basically in the same instant the event is produced.
The testcase is very simple, but works really well:
* send 1 ping to a network peer across the router
* verify the conntrack entry has been replicated to the stand-by router
=== 8< ===
$ cd tests ; sudo ./conntrackd-tests.py --single tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: --- running test: tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: --- passed test: tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: ---
[conntrackd-tests.py] INFO: --- finished
[conntrackd-tests.py] INFO: --- passed tests: 1
[conntrackd-tests.py] INFO: --- failed tests: 0
[conntrackd-tests.py] INFO: --- scenario failure: 0
[conntrackd-tests.py] INFO: --- total tests: 1
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
framework
Introduce some initial basic testcases for configuration parsing and standard daemon startup and
shutdown routines.
This should give an example of how the framework works.
Here is an example of running this:
=== 8< ===
$ cd tests/conntrackd ; sudo ./conntrackd-tests.py
[conntrackd-tests.py] INFO: --- running test: stats_general
[conntrackd-tests.py] INFO: --- passed test: stats_general
[conntrackd-tests.py] INFO: --- running test: stats_network
[conntrackd-tests.py] INFO: --- passed test: stats_network
[conntrackd-tests.py] INFO: --- running test: stats_runtime
[conntrackd-tests.py] INFO: --- passed test: stats_runtime
[conntrackd-tests.py] INFO: --- running test: stats_process
[conntrackd-tests.py] INFO: --- passed test: stats_process
[conntrackd-tests.py] INFO: --- running test: stats_queue
[conntrackd-tests.py] INFO: --- passed test: stats_queue
[conntrackd-tests.py] INFO: --- running test: stats_ct
[conntrackd-tests.py] INFO: --- passed test: stats_ct
[conntrackd-tests.py] INFO: --- running test: stats_expect
[conntrackd-tests.py] INFO: --- passed test: stats_expect
[conntrackd-tests.py] INFO: ---
[conntrackd-tests.py] INFO: --- finished
[conntrackd-tests.py] INFO: --- passed tests: 7
[conntrackd-tests.py] INFO: --- failed tests: 0
[conntrackd-tests.py] INFO: --- scenario failure: 0
[conntrackd-tests.py] INFO: --- total tests: 7
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This test suite should help us develop better tests for conntrack-tools in general and conntrackd
in particular.
The framework is composed of a runner script, written in python3, and 3 yaml files for
configuration and testcase definition:
- scenarios.yaml: contains information on network scenarios for tests to use
- tests.yaml: contains testcase definition
- env.yaml: contains default values for environment variables
The test cases can be anything, from a simple command to an external script call to perform more
complex operations. See follow-up patches to know more on how this works.
The plan is to replace or call from this framework the other testsuites in this tree.
The runner script is rather simple, and it should be more or less straight forward to use it.
On Debian machines, it requires the *python3-yaml* package to be installed as a dependency.
For reference, here are the script options:
=== 8< ===
$ tests/conntrackd/conntrackd-tests.py --help
usage: conntrackd-tests.py [-h] [--tests-file TESTS_FILE]
[--scenarios-file SCENARIOS_FILE]
[--env-file ENV_FILE]
[--single SINGLE]
[--start-scenario START_SCENARIO]
[--stop-scenario STOP_SCENARIO]
[--debug]
Utility to run tests for conntrack-tools
optional arguments:
-h, --help show this help message and exit
--tests-file TESTS_FILE
File with testcase definitions. Defaults to 'tests.yaml'
--scenarios-file SCENARIOS_FILE
File with configuration scenarios for tests. Defaults to 'scenarios.yaml'
--env-file ENV_FILE File with environment variables for scenarios/tests. Defaults to 'env.yaml'
--single SINGLE Execute a single testcase and exit. Use this for developing testcases
--start-scenario START_SCENARIO
Execute scenario start commands and exit. Use this for developing testcases
--stop-scenario STOP_SCENARIO
Execute scenario stop commands and exit. Use this for cleanup
--debug debug mode
=== 8< ===
To run it, simply use:
=== 8< ===
$ cd tests/conntrackd/ ; sudo ./conntrackd-tests.py
[..]
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a script that creates a ip netns testbed. The network
topology looks like this:
veth0---veth0
host nsr1 ns2
veth0----veth0
ns1 veth2
|
veth0
nsr2
* ns1 and ns2 are clients to generate traffic
* nsr1 and nsr2 run conntrackd to synchronize states
* nsr1 is the primary gateway
- veth2 is used to synchronize states
* nsr2 is the backup gateway
- veth0 is used to synchronize states
To set up the testbed:
% sudo ./conntrackd-netns-test.sh start
To test your testbed works, from ns2:
% sudo ip netns exec ns2 nc -l -p 8080
From ns1:
% sudo ip netns exec ns1 nc -vvv 10.0.1.2 8080
From nsr1:
% sudo ip netns exec nsr1 conntrackd -s -C conntrackd-nsr1.conf
cache internal:
current active connections: 1
[...]
cache external:
current active connections: 0
From nsr2:
% sudo ip netns exec nsr1 conntrackd -s -C conntrackd-nsr2.conf
cache internal:
current active connections: 0
[...]
cache external:
current active connections: 1
To stop it:
% sudo ./conntrackd-netns-test.sh stop
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
2bcbae4c14b2 ("conntrack: -f family filter does not work") restored the
fallback to IPv4 if -f is not specified, which was the original
behaviour.
This patch modifies the default to use the unspec family if -f is not
specified for the following ct commands:
- list
- update
- delete
- get
(these two commands below do not support for -f though, but in case this is
extended in the future to support it):
- flush
- event
The existing code that parses IPv4 and IPv6 addresses already infers the
family, which simplifies the introduction of this update.
The expect commands are not updated, they still require many mandatory
options for filtering.
This patch includes a few test updates too.
Based on patch from Mikhail Sennikovsky.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add test to cover icmp entry creation/deletion with conntrack
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Extend testsuite with a few more tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Move this to test/
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Any of these nf drivers could be built-ins instead of modules; don't cause
the testsuite to fail on modprobe, instead let it proceed and succeed/fail
later based on actual test results.
Ideally we would check up front if the driver is loaded rather than trying
to modprobe and ignoring failures, but there doesn't seem to be a reliable
place to check this in the kernel filesystem.
Signed-off-by: Steve Langasek <steve.langasek@ubuntu.com>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Refactor and improve nat support to allow conntrack to manage IPv6
NAT entries.
Refactor and improve conntrack nat tests to include IPv6 NAT.
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The binary under test should be the one, this ensures
that it is in sync with the tests performed, and that
users who build from source, can test the binary prior
to `make install`.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Got tired of having to exit the editor, before testing.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Use scandir(3) instead of opendir(3), so that the tests are
run in the expected order, otherwise it doesn't make
sense to prefix the testfiles with a two digit number,
giving the impression that they are run in order.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for zone directions.
Since all options have the orig/reply as a prefix, I named it --orig-zone
and --reply-zone to stay consistent with the rest of the cmdline options.
As for the option chars, there was no unallocated reasonable combination,
thus only long options are officially exposed in the help, similarly as in
other cases.
Test suite results, after patch: OK: 79 BAD: 0
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch gets the nfct syntax in sync with nft so it looks like this:
nfct <add|delete|...> object ...
instead of:
nfct object <add|delete|...> ...
This patch retains backward compatibility so you can still use the old syntax.
The manpage and tests have been also updated to promote the adoption of this
syntax. We should have little existing clients of this tool as we can only use
this to configure the cttimeout and cthelper infrastructures.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This reports:
run-test.sh: line 3: UID: read-only variable
rename it to _UID.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
I decided to move it to:
http://git.netfilter.org/conntrackd-helper-tests
to reduce the bloat of this tree, most people are not interested
in this stuff when they grab it via git clone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch fixes few compile warnings and errors.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the automated testing infrastructure the user-space
helpers. Basically, this adds the `cthelper-test' program that can
be invoked from the command line:
./cthelper-test pcaps/oracle-tns-redirect.pcap tns tcp 1521
To test the helper with one PCAP file that contains traces of Oracle TNS
traffic. It also provides tweaks to test the DNAT content mangling code:
./cthelper-test pcaps/oracle-tns-redirect.pcap tns tcp 1521 dnat
This will also allow fuzzy testing of user-space helper, for further
validation, not yet implemented.
To compile this tool, you have to run:
./configure
make check
under the qa/cthelper-test/ directory. I'm doing like this because
this directory is not included in the standalone tarball that
make distcheck generates (I don't want to bloat it with development
tools that can be retrieved from the git repository).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
For automated testing of the conntrack utility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
All automated testing for the conntrack-tools will now reside under
the test directory.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
This patch adds the automated tests for the cttimeout infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
