summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2020-05-27 22:51:22 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2020-05-28 02:07:47 +0200
commitfae0a0972d7a71574ca81f439bc828ed0f7d82c1 (patch)
tree63c6961b516c52d4c2fe673c4ee6f875c8a5a6df
parent7aa08d45031ec7ce5dadb4979471d626367c09cd (diff)
tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t
Commit 64b9aa3803dd ("tests/py: Add tests involving concatenated ranges") introduced a rule, commented out, adding an anonymous set including concatenated ranges. Now that they are properly handled, we can enable it. Note that this introduces a new warning. In the output below, '\' marks newlines I introduced to keep lines short: inet/sets.t: WARNING: line 24: \ 'add rule inet test-inet input ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept': \ 'ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept' \ mismatches 'meta nfproto ipv4 ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443} accept' which is similar to the existing warning, also introduced by commit 64b9aa3803dd: inet/sets.t: WARNING: line 23: \ 'add rule inet test-inet input \ ip saddr . ip daddr . tcp dport @set3 accept': \ 'ip saddr . ip daddr . tcp dport @set3 accept' mismatches \ 'meta nfproto ipv4 ip saddr . ip daddr . tcp dport @set3 accept' This is mentioned in the commit message for 64b9aa3803dd itself: * Payload dependency killing ignores the concatenated IP header expressions on LHS, so rule output is asymmetric. which means that for family inet, 'meta nfproto ipv4' is added to the output of the rule, on top of what was passed as input, but not for families bridge and netdev. For this reason, it's not possible in this case to specify a single expected output, differing from the input, and, also, 'meta nfproto ipv4' can only be passed as input for family inet as it's not relevant for the other families. As an alternative, we could split the rules from this test into tests for the corresponding families, as this test case itself is under the 'inet' directory, but I consider this beyond the scope of this patchset. v2: Enable rule in py/inet/sets.t instead of adding a new test in shell/sets (Phil Sutter) Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r--tests/py/inet/sets.t2
-rw-r--r--tests/py/inet/sets.t.payload.bridge14
-rw-r--r--tests/py/inet/sets.t.payload.inet13
-rw-r--r--tests/py/inet/sets.t.payload.netdev13
4 files changed, 41 insertions, 1 deletions
diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t
index e0b0ee86..1c6f3235 100644
--- a/tests/py/inet/sets.t
+++ b/tests/py/inet/sets.t
@@ -21,4 +21,4 @@ ip6 daddr @set1 drop;fail
?set3 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535;ok
ip saddr . ip daddr . tcp dport @set3 accept;ok
--ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok
+ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok
diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge
index 089d9dd7..92f5417c 100644
--- a/tests/py/inet/sets.t.payload.bridge
+++ b/tests/py/inet/sets.t.payload.bridge
@@ -26,3 +26,17 @@ bridge
[ lookup reg 1 set set3 ]
[ immediate reg 0 accept ]
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-inet 87
+__set%d test-inet 0
+ element 0000000a 00000a00 : 0 [end] element 0101a8c0 00005000 : 0 [end]
+bridge
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet
index c5acd610..bd6e1b0f 100644
--- a/tests/py/inet/sets.t.payload.inet
+++ b/tests/py/inet/sets.t.payload.inet
@@ -26,3 +26,16 @@ inet
[ lookup reg 1 set set3 ]
[ immediate reg 0 accept ]
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-inet 87
+__set%d test-inet 0
+ element 0000000a 00000a00 : 0 [end] element 0101a8c0 00005000 : 0 [end]
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev
index 82994eab..f3032d8e 100644
--- a/tests/py/inet/sets.t.payload.netdev
+++ b/tests/py/inet/sets.t.payload.netdev
@@ -26,3 +26,16 @@ inet
[ lookup reg 1 set set3 ]
[ immediate reg 0 accept ]
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-netdev 87
+__set%d test-netdev 0
+ element 0000000a 00000a00 : 0 [end] element 0101a8c0 00005000 : 0 [end]
+netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]