summaryrefslogtreecommitdiffstats
path: root/tests/py/any/ct.t.payload
Commit message (Collapse)AuthorAgeFilesLines
* tests: py: update format of registers in bitwise payloads.Jeremy Sowden2020-11-161-16/+16
| | | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: remove duplicate payloads.Jeremy Sowden2020-11-091-14/+0
| | | | | | | | | nft-test.py only needs one payload per rule, but a number of rules have duplicates, typically one per address family, so just keep the last payload for rules listed more than once. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: Add support for the 'id' keyBrett Mastbergen2020-05-011-0/+5
| | | | | | | | | The 'id' key allows for matching on the id of the conntrack entry. v2: Remove ct_id_type Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add bit-shift tests.Jeremy Sowden2020-02-071-0/+21
| | | | | | | | Add a couple of Python test-cases for setting the CT mark to a bitwise expression derived from the packet mark and vice versa. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: fix wrong conversion to "list" in ct markFernando Fernandez Mancera2019-09-101-0/+6
| | | | | | | | | | | We only prefer "list" representation in "ct event". For any other type of "ct" use the "or" representation so nft prints "ct mark set ct mark | 0x00000001" instead of "ct mark set ct mark,0x00000001". Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1364 Fixes: cb8f81ac3079 ("netlink_delinearize: prefer ct event set foo,bar over 'set foo|bar'") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: replace single element setsPablo Neira Ayuso2019-05-311-26/+26
| | | | | | Add at least two elements to sets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "tests: py: remove single-value-anon-set test cases"Pablo Neira Ayuso2019-05-241-0/+18
| | | | This reverts commit d03bcb669c0c645190df9bd166f53380bcac7862.
* tests: py: remove single-value-anon-set test casesFlorian Westphal2019-05-191-18/+0
| | | | | | | | future change will rewrite all single-element anon sets to a cmp op. Retain a few test cases to later check that the rewrite is correct, but remove all others. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: add expires tests with different time basesFlorian Westphal2018-05-091-3/+16
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: Use libnftables instead of calling nft binaryPhil Sutter2018-04-111-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a simple nftables Python class in py/nftables.py which gives access to libnftables API via ctypes module. nft-test.py is extended to make use of the above class instead of calling nft binary. Since command line formatting had to be touched anyway, this patch also streamlines things a bit by introducing __str__ methods to classes Table and Chain and making extensive use of format strings instead of onerously adding all string parts together. Since the called commands don't see a shell anymore, all shell meta character escaping done in testcases is removed. The visible effects of this change are: * Four new warnings in ip/flowtable.t due to changing objref IDs (will be addressed later in a patch to libnftnl). * Reported command line in warning and error messages changed slightly for obvious reasons. * Reduction of a full test run's runtime by a factor of four. Status diff after running with 'time': < 83 test files, 77 files passed, 1724 unit tests, 0 error, 33 warning < 87.23user 696.13system 15:11.82elapsed 85%CPU (0avgtext+0avgdata 9604maxresident)k < 8inputs+36800outputs (0major+35171235minor)pagefaults 0swaps > 83 test files, 77 files passed, 1724 unit tests, 4 error, 33 warning > 6.80user 30.18system 3:45.86elapsed 16%CPU (0avgtext+0avgdata 14064maxresident)k > 0inputs+35808outputs (0major+2874minor)pagefaults 0swaps Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bison: permit keywords in list_stmt_expressionsFlorian Westphal2017-09-271-0/+5
| | | | | | | | | | | | | 'ct event set label' and 'ct event set new or label' work, but 'ct event set new, label' did not: nft add rule filter input ct event set new,label Error: syntax error, unexpected label This changes the definition to also contain keyword symbol expressions. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: restrict ct saddr test to inet familyFlorian Westphal2017-06-181-7/+0
| | | | | | | | | | | | | | | | any/ct.t: ERROR: line 94: src/nft add rule --debug=netlink ip6 test-ip6 output meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed. Actually, this failure is "ok; we can't find upper layer protocol in this case, but even if we'd "fix" this it is still non-sensical, meta nfproto ipv4, but family is ipv6 --> rule would never match. First move this to an inet-specific test. A followup patch will reject meta nfproto for all families except inet. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ct eventmask to eventFlorian Westphal2017-06-071-8/+13
| | | | | | | | ct status isn't named 'statusmask' either. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix inet/bridge/netdev family handling for saddr/daddrFlorian Westphal2017-06-061-0/+7
| | | | | | | | | | | | | "ct orignal saddr" has an invalid data type, as the address can be either ipv4 or ipv6. For some cases we could infer it from the rhs, but there are cases where we don't have any information, e.g. when passing ct original saddr to jhash expression. So do the same thing that we do for "rt nexthop" -- error out and hint to user they need to specifiy the desired address type with "meta nfproto". Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add conntrack event mask supportFlorian Westphal2017-04-241-0/+20
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add test entries for conntrack zonesFlorian Westphal2017-02-281-0/+44
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add average bytes per packet counter supportLiping Zhang2017-01-161-0/+12
| | | | | | | | | | | | | | | | | Similar to connbytes extension in iptables, now you can use it to match average bytes per packet a connection has transferred so far. For example, match avgpkt in "BOTH" diretion: # nft add rule x y ct avgpkt \> 100 Match avgpkt in reply direction: # nft add rule x y ct reply avgpkt \< 900 Or match avgpkt in original direction: # nft add rule x y ct original avgpkt \> 200 Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Unmask negative set lookupAnatole Denis2016-11-291-0/+49
| | | | | | | | Many testcases were masked because of bug #888. This series of patches unmasks them Signed-off-by: Anatole Denis <anatole@rezel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack supportPablo Neira Ayuso2016-11-141-0/+4
| | | | | | | This patch adds the notrack statement, to skip connection tracking for certain packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use new range expression for != [a,b] intervalsPablo Neira Ayuso2016-10-171-4/+2
| | | | | | | Use new range expression in the kernel to fix wrong bytecode generation. This patch also adjust tests so we don't hit problems there. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: display bit number instead of raw valueFlorian Westphal2016-08-221-0/+11
| | | | | | | | | | ... and add test cases for ct label. Currently this dumped 'label 0x2', now 'label 1' would be shown. This makes add/list behave the same. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: time_type should send milliseconds to userspacePablo Neira Ayuso2016-07-091-9/+9
| | | | | | | Kernel expects milliseconds, so fix this datatype to use milliseconds instead of seconds. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: update for changed set name in payloadPablo Neira Ayuso2016-05-131-36/+36
| | | | | | | Original patch posted in the mailing list from Patrick, I have refreshed this so it applies on top of current HEAD. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: add more interval tests for anonymous setsPablo Neira Ayuso2016-04-271-0/+9
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow 'snat' and 'dnat' keywords from the right-hand sidePablo Neira Ayuso2016-03-091-0/+19
| | | | | | | | | | Parse 'snat' and 'dnat' reserved keywords from the right-hand side as symbols. Thus, we can use them as values from ct status. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=950 Reported-by: Ana Rey <anarey@gmail.com> Reported-by: Karol Babioch <karol@babioch.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct regression tests for bytes, packetsFlorian Westphal2015-12-141-0/+18
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: check set value from selector and mapPablo Neira Ayuso2016-01-031-0/+13
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/: rearrange tests directoryArturo Borrero2015-12-151-0/+275
Rearrange the directory to obtain a better organization of files and tests-suites. We end with a tree like this: tests | .--- py .--- shell .--- files This was suggested by Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>