author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-03-18 13:10:55 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-03-20 18:50:03 +0100 |
commit | b11b6c68e61ea294eb4c313705ccfe3e7b0eda87 (patch) | |
tree | d84b4a22c6648a2bf7d2774801db85bd56c3b345 /tests/py | |
parent | ea011231c06cbe828cf6056bc9c3d116e1f528d5 (diff) |
netlink_delinearize: restore binop syntax when listing ruleset for flags
c3d57114f119 ("parser_bison: add shortcut syntax for matching flags
without binary operations") provides a similar syntax to iptables using
a prefix representation for flag matching.
Restore original representation using binop when listing the ruleset.
The parser still accepts the prefix notation for backward compatibility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py')
-rw-r--r-- | tests/py/inet/tcp.t | 16 | ||||
-rw-r--r-- | tests/py/inet/tcp.t.json | 42 | ||||
-rw-r--r-- | tests/py/inet/tcp.t.json.output | 279 | ||||
-rw-r--r-- | tests/py/inet/tcp.t.payload | 6 |
4 files changed, 317 insertions, 26 deletions
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index f51ebd36..f4bdac17 100644
--- a/tests/py/inet/tcp.t
+++ b/tests/py/inet/tcp.t
@@ -68,8 +68,8 @@ tcp flags != { fin, urg, ecn, cwr} drop;ok
 tcp flags cwr;ok
 tcp flags != cwr;ok
 tcp flags == syn;ok
-tcp flags fin,syn / fin,syn;ok
-tcp flags != syn / fin,syn;ok
+tcp flags fin,syn / fin,syn;ok;tcp flags & (fin | syn) == fin | syn
+tcp flags != syn / fin,syn;ok;tcp flags & (fin | syn) != syn
 tcp flags & syn != 0;ok;tcp flags syn
 tcp flags & syn == 0;ok;tcp flags ! syn
 tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack
@@ -77,12 +77,12 @@ tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack
 # it should be possible to transform this to: tcp flags syn
 tcp flags & syn == syn;ok
 tcp flags & syn != syn;ok
-tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack
-tcp flags & (fin | syn | rst | ack) == syn;ok;tcp flags syn / fin,syn,rst,ack
-tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack
-tcp flags & (fin | syn | rst | ack) == (syn | ack);ok;tcp flags syn,ack / fin,syn,rst,ack
-tcp flags & (fin | syn | rst | ack) != (syn | ack);ok;tcp flags != syn,ack / fin,syn,rst,ack
-tcp flags & (syn | ack) == (syn | ack);ok;tcp flags syn,ack / syn,ack
+tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags & (fin | syn | rst | ack) == syn
+tcp flags & (fin | syn | rst | ack) == syn;ok
+tcp flags & (fin | syn | rst | ack) != syn;ok
+tcp flags & (fin | syn | rst | ack) == syn | ack;ok
+tcp flags & (fin | syn | rst | ack) != syn | ack;ok
+tcp flags & (syn | ack) == syn | ack;ok
 tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff
 tcp flags { syn, syn | ack };ok
 tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
index 8439c2b5..d3a846cf 100644
--- a/tests/py/inet/tcp.t.json
+++ b/tests/py/inet/tcp.t.json
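Review bot: The backward-compatibility promise for the prefix notation is now pinned by only two input lines in tests/py/inet/tcp.t, `tcp flags fin,syn / fin,syn` and `tcp flags != syn / fin,syn` in the first hunk. The forms where the mask is wider than the value, such as `syn,ack / fin,syn,rst,ack`, drop out of the file in the second hunk because they only ever appeared as expected output. Rulesets saved by a release that listed the prefix form are reloaded through that parser path, so a regression there could change what a firewall rule matches without any test noticing. Consider adding an input line such as `tcp flags syn,ack / fin,syn,rst,ack;ok;tcp flags & (fin | syn | rst | ack) == syn | ack`, together with the matching .payload and .json entries.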
@@ -1712,7 +1712,7 @@ } ] -# tcp flags & (fin | syn | rst | ack) == (syn | ack) +# tcp flags & (fin | syn | rst | ack) == syn | ack [ { "match": { @@ -1741,7 +1741,7 @@ } ] -# tcp flags & (fin | syn | rst | ack) != (syn | ack) +# tcp flags & (syn | ack) == syn | ack [ { "match": { @@ -1754,14 +1754,12 @@ } }, [ - "fin", "syn", - "rst", "ack" ] ] }, - "op": "!=", + "op": "==", "right": [ "syn", "ack" @@ -1770,7 +1768,7 @@ } ] -# tcp flags & (syn | ack) == (syn | ack) +# tcp flags & (fin | syn | rst | ack) != syn | ack [ { "match": { @@ -1782,17 +1780,31 @@ "protocol": "tcp" } }, - [ - "syn", - "ack" - ] + { + "|": [ + { + "|": [ + { + "|": [ + "fin", + "syn" + ] + }, + "rst" + ] + }, + "ack" + ] + } ] }, - "op": "==", - "right": [ - "syn", - "ack" - ] + "op": "!=", + "right": { + "|": [ + "syn", + "ack" + ] + } } } ] diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output index c471e8d8..e186e127 100644 --- a/tests/py/inet/tcp.t.json.output +++ b/tests/py/inet/tcp.t.json.output 
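Review bot: The rewritten entries in tests/py/inet/tcp.t.json end up in two different encodings. The `!= syn | ack` entry (hunk at -1770) now spells the mask and the right-hand side as nested `"|"` objects, while the `tcp flags & (syn | ack) == syn | ack` entry (hunk at -1754) keeps the array form `["syn", "ack"]`. The `== syn | ack` entry at -1712 only has its comment changed, and its body is outside the hunk. Both encodings presumably load to the same bytecode, but the `!=` input now looks identical to what tcp.t.json.output lists for it, so that output entry appears redundant. I would either keep every input in the array form and let the .json.output file carry the `"|"` form, or convert all of them, so the input file consistently exercises one encoding.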
@@ -208,3 +208,282 @@ } } ] + +# tcp flags fin,syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "fin", + "syn" + ] + } + } + } +] + +# tcp flags != syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + { + "|": [ + { + "|": [ + "fin", + "syn" + ] + }, + "rst" + ] + }, + "ack" + ] + } + ] + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + { + "|": [ + { + "|": [ + "fin", + "syn" + ] + }, + "rst" + ] + }, + "ack" + ] + } + ] + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + { + "|": [ + { + "|": [ + "fin", + "syn" + ] + }, + "rst" + ] + }, + "ack" + ] + } + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + { + "|": [ + { + "|": [ + "fin", + "syn" + ] + }, + "rst" + ] + }, + "ack" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + +# tcp flags & (fin | syn | rst | ack) != syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + { + "|": [ + { + "|": [ + "fin", + "syn" + ] 
+ }, + "rst" + ] + }, + "ack" + ] + } + ] + }, + "op": "!=", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + +# tcp flags & (syn | ack) == syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "syn", + "ack" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload index 1cfe500b..bc6bb989 100644 --- a/tests/py/inet/tcp.t.payload +++ b/tests/py/inet/tcp.t.payload @@ -442,7 +442,7 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000002 ] -# tcp flags & (fin | syn | rst | ack) == (syn | ack) +# tcp flags & (fin | syn | rst | ack) == syn | ack inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -450,7 +450,7 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000012 ] -# tcp flags & (fin | syn | rst | ack) != (syn | ack) +# tcp flags & (fin | syn | rst | ack) != syn | ack inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -458,7 +458,7 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000012 ] -# tcp flags & (syn | ack) == (syn | ack) +# tcp flags & (syn | ack) == syn | ack inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] |