| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch consolidates ctx->stmt_len reset in stmt_evaluate() to avoid
this problem. Note that stmt_evaluate_meta() and stmt_evaluate_ct()
already reset it after the statement evaluation.
Moreover, statement dependency can be generated while evaluating a meta
and ct statement. Payload statement dependency already manually stashes
this before calling stmt_evaluate(). Add a new stmt_dependency_evaluate()
function to stash statement length context when evaluating a new statement
dependency and use it for all of the existing statement dependencies.
Florian also says:
'meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 }' will
crash. Reason is that the l2 dependency generated here is errounously
expanded to a 32bit-one, so the evaluation path won't recognize this
as a L2 dependency. Therefore, pctx->stacked_ll_count is 0 and
__expr_evaluate_payload() crashes with a null deref when
dereferencing pctx->stacked_ll[0].
nft-test.py gains a fugly hack to tolerate '!map typeof vlan id : meta mark'.
For more generic support we should find something more acceptable, e.g.
!map typeof( everything here is a key or data ) timeout ...
tests/py update and assert(pctx->stacked_ll_count) by Florian Westphal.
Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
v1.0.2 of 'nft' fails on 'time < "2022-07-01 11:00:00"' but succeeds
when 'meta' is specified ('meta time < "2022-07-01 11:00:00"'). This
extends coverage by testing 'time' without 'meta'.
Signed-off-by: Martin Gignac <martin.gignac@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add meta time tests using < and > operands.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
A prefix of integer type is big-endian in nature. Prefix match can be
optimized to truncated 'cmp' only if it is big-endian.
[ Add one tests/py for this use-case --pablo ]
Fixes: 25338cdb6c77 ("src: Optimize prefix matches on byte-boundaries")
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Check for
... 23-42 ...
... { 23-42 } ...
and remove the latter. Followup patch will translate the former to the
latter during evaluation step to avoid the unneded anon set.
A separate test case will be added that checks for such rewrites.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previous patches added "8021ad" mnemonic for IEEE 802.1AD frame type.
This adds the 8021q shorthand for the existing 'vlan' frame type.
nft will continue to recognize 'ether type vlan', but listing
will now print 8021q.
Adjust all test cases accordingly.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
In combination with libnftnl's commit "set_elem: Fix printing of verdict
map elements", This adds the vmap target to netlink dumps. Adjust dumps
in tests/py accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is just basic housekeeping:
- Remove duplicate tests in any of the *.t files
- Remove explicit output if equal to command itself in *.t files
- Remove duplicate payload records in any of the *.t.payload* files
- Remove stale payload records (for which no commands exist in the
respective *.t file
- Remove duplicate/stale entries in any of the *.t.json files
In some cases, tests were added instead of removing a stale payload
record if it fit nicely into the sequence of tests.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
libnftnl has been changed to bring the format of registers in bitwise
dumps in line with those in other types of expression. Update the
expected output of Python test-cases.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Endianness is not meaningful for objects smaller than 2 bytes and the
byte-order conversions are no-ops in the kernel, so just update the
expression as if it were constant.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Payload generated for 'meta time' matches depends on host's timezone and
DST setting. To produce constant output, set a fixed timezone in
nft-test.py. Choose UTC-2 since most payloads are correct then, adjust
the remaining two tests.
Fixes: 0518ea3f70d8c ("tests: add meta time test cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Ander Juaristi <a@juaristi.eus>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Add at least two elements to sets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
This reverts commit d03bcb669c0c645190df9bd166f53380bcac7862.
|
| |
|
|
|
|
|
|
| |
future change will rewrite all single-element anon sets to a cmp op.
Retain a few test cases to later check that the rewrite is correct, but
remove all others.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
nft-test.py currently fails to properly compare tests involving a set,
after that bug is fixed these lines would fail, so fix this up before.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
when explicitly filtering icmp-in-ipv6 and icmp6-in-ip don't remove the
required l3 protocol dependency, else "nft list ruleset" can't be read
via nft -f anymore.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
commit fb16c8b7f795e0d
("evaluate: Enable automerge feature for anonymous sets") re-enabled
merging of adjacent ranges, so 33-55, 56-88 turns into 33-88.
Update test case to reflect this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, when adding multiple ranges to a set they were merged if
overlapping or adjacent. This might cause inconvenience though since it
is afterwards not easily possible anymore to remove one of the merged
ranges again while keeping the others in place.
Since it is not possible to have overlapping ranges, this patch adds a
check for newly added ranges to make sure they don't overlap if merging
is turned off.
Note that it is not possible (yet?) to enable range merging using nft
tool.
Testsuite had to be adjusted as well: One test in tests/py changed avoid
adding overlapping ranges and the test in tests/shell which explicitly
tests for this feature dropped.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Followup patch will reject meta nfproto for non-inet families.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert
<cmdline>:1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6
add icmpv6 to nexthdr list so base gets updated correctly.
Reported-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Many testcases were masked because of bug #888. This series of patches unmasks
them
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
'unicast' doesn't check for unicast packets; it checks for PACKET_HOST,
i.e. a packet coming in for this host.
A unicast address to some other machine (e.g. because nic is
in promisc mode) will have PACKET_OTHER.
So at best this is misleading, so this patch changes it
to 'host'. The unicast entry is retained for compat purpose.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use new range expression in the kernel to fix wrong bytecode generation.
This patch also adjust tests so we don't hit problems there.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This commit removes some duplicated tests.
Signed-off-by: Manuel Johannes Messner <manuel.johannes.messner@hs-furtwangen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Some tests use hard coded interface names and interface indexes.
This commit removes these cases by exchanging "eth0" with "dummy0" and
"lo" (depending on the test) in all ifname tests and by using "lo"
instead of "eth0" in all interface index tests (because we can assume
"lo" ifindex is 1).
Signed-off-by: Manuel Johannes Messner <manuel.johannes.messner@hs-furtwangen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the missing bits to scan and parse the meta priority
handle as expressed by tc classid major:minor syntax.
The :minor syntax is not support for two reason: major is always >= 1
and this clashes with port syntax in nat.
Here below, several example on how to match the packet priority field:
nft add rule filter forward meta priority abcd:0
nft add rule filter forward meta priority abcd:1234
and to set it, you have to:
nft add rule filter forward meta priority set abcd:1234
The priority expression in flex looks ahead to restrict the pattern to
avoid problems with mappings:
{classid}/[ \t\n:\-},]
So the following doesn't break:
... vmap { 25:accept }
^^^^^
The lookahead expression requires a slight change to extend the input
string in one byte.
This patch is conservative as you always have to explicity indicate
major and minor numbers even if zero.
We could consider supporting this shortcut in the future:
abcd:
However, with regards to this:
:abcd
We don't need to support it since major number is assumed to be >= 1.
However, if we ever decide to support this, we'll have problems since
this clashes with our port representation in redirect and mangle.
So let's keep this simple and start with this approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following selectors display strings using quotes:
* meta iifname
* meta oifname
* meta ibriport
* meta obriport
However, the following do not:
* meta oif
* meta iif
* meta skuid
* meta skgid
* meta iifgroup
* meta oifgroup
* meta rtclassid
* ct label
Given they refer to user-defined values, neither keywords nor internal
built-in known values, let's quote the output of this.
This patch modifies symbolic_constant_print() so we can signal this to
indicate if the string needs to be quoted.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Original patch posted in the mailing list from Patrick, I have refreshed
this so it applies on top of current HEAD.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
Rearrange the directory to obtain a better organization of files and
tests-suites.
We end with a tree like this:
tests
|
.--- py
.--- shell
.--- files
This was suggested by Pablo.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
