summaryrefslogtreecommitdiffstats
path: root/tests/py
Commit message (Collapse)AuthorAgeFilesLines
* tests/py: Use libnftables instead of calling nft binaryPhil Sutter2018-04-1117-120/+114
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a simple nftables Python class in py/nftables.py which gives access to libnftables API via ctypes module. nft-test.py is extended to make use of the above class instead of calling nft binary. Since command line formatting had to be touched anyway, this patch also streamlines things a bit by introducing __str__ methods to classes Table and Chain and making extensive use of format strings instead of onerously adding all string parts together. Since the called commands don't see a shell anymore, all shell meta character escaping done in testcases is removed. The visible effects of this change are: * Four new warnings in ip/flowtable.t due to changing objref IDs (will be addressed later in a patch to libnftnl). * Reported command line in warning and error messages changed slightly for obvious reasons. * Reduction of a full test run's runtime by a factor of four. Status diff after running with 'time': < 83 test files, 77 files passed, 1724 unit tests, 0 error, 33 warning < 87.23user 696.13system 15:11.82elapsed 85%CPU (0avgtext+0avgdata 9604maxresident)k < 8inputs+36800outputs (0major+35171235minor)pagefaults 0swaps > 83 test files, 77 files passed, 1724 unit tests, 4 error, 33 warning > 6.80user 30.18system 3:45.86elapsed 16%CPU (0avgtext+0avgdata 14064maxresident)k > 0inputs+35808outputs (0major+2874minor)pagefaults 0swaps Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: ip6: fix 'missing payload' errorFlorian Westphal2018-04-011-1/+1
| | | | | | ERROR: line 2: did not find payload information for rule 'iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade' Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-test: check start of rule with sets tooFlorian Westphal2018-04-011-0/+4
| | | | | | | | | | | | | | | We special case rules with sets ({}) so set members are sorted properly. But we failed to check start of rule: input: meta mark { 1, 2 } bar expect: meta mark { 1, 2 } bar We made sure 'bar' is equal in both input and expected output, but we did not check start (before {). This causes a gazillion of warnings, will fix in followup commit. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ct, meta: fixes for upcoming nft-test.py fixFlorian Westphal2018-04-013-28/+28
| | | | | | | nft-test.py currently fails to properly compare tests involving a set, after that bug is fixed these lines would fail, so fix this up before. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: mh: fix expected test outputFlorian Westphal2018-04-011-1/+1
| | | | | | | Forgot to include '!=', this doesn't trigger at the moment due to a bug in nft-test.py, so fix this before fixing our test script. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: redirect: fix tests for upcoming nft-test.py fixFlorian Westphal2018-04-017-11/+11
| | | | | | | nft-test.py currently fails to properly compare tests involving a set, after that bug is fixed these lines would fail, so fix this up before. Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: permit icmp-in-ipv6 and icmpv6-in-ipv4Florian Westphal2018-03-284-7/+47
| | | | | | | | | | | | | | | | | Jozsef points out that meta l4proto icmp icmp type destination-unreachable is hard to read. So, lets just add icmp/icmpv6 to ip/ip6 protocol base so users can just go with icmp type destination-unreachable and let nft fill in needed dependency. After this patch, the recent patch to not remove the dependency can be reverted again. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: meta: icmp, icmpv6: don't kill required dependenciesFlorian Westphal2018-03-275-8/+48
| | | | | | | | when explicitly filtering icmp-in-ipv6 and icmp6-in-ip don't remove the required l3 protocol dependency, else "nft list ruleset" can't be read via nft -f anymore. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add test cases for vmap binop transferFlorian Westphal2018-03-178-0/+138
| | | | | | they fail with 'BUG: invalid binary operation 5'. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add srh test casesFlorian Westphal2018-03-172-0/+86
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: update to new syntax to add/update set from packet pathPablo Neira Ayuso2018-03-168-8/+8
| | | | | Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add raw payload test cases.Florian Westphal2018-02-265-0/+93
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: meta.t: fix test case for anonymous set automergeFlorian Westphal2018-02-242-2/+2
| | | | | | | | | | commit fb16c8b7f795e0d ("evaluate: Enable automerge feature for anonymous sets") re-enabled merging of adjacent ranges, so 33-55, 56-88 turns into 33-88. Update test case to reflect this. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Spelling fixesVille Skyttä2018-02-151-1/+1
| | | | | Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add secpath supportFlorian Westphal2018-01-162-0/+11
| | | | | | | | | This can be used to check if a packet has a secpath attached to it, i.e. was subject to ipsec processing. Example: add rule inet raw prerouting meta secpath exists accept Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Don't merge adjacent/overlapping rangesPhil Sutter2018-01-112-3/+3
| | | | | | | | | | | | | | | | | | | | | Previously, when adding multiple ranges to a set they were merged if overlapping or adjacent. This might cause inconvenience though since it is afterwards not easily possible anymore to remove one of the merged ranges again while keeping the others in place. Since it is not possible to have overlapping ranges, this patch adds a check for newly added ranges to make sure they don't overlap if merging is turned off. Note that it is not possible (yet?) to enable range merging using nft tool. Testsuite had to be adjusted as well: One test in tests/py changed avoid adding overlapping ranges and the test in tests/shell which explicitly tests for this feature dropped. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: trivial: Fix error messagePhil Sutter2017-12-091-1/+1
| | | | | | | | The error message for failed chain creation quotes the chain's name but lacked the closing tick. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: add test for empty string matchHarsha Sharma2017-11-282-0/+3
| | | | | | | | This patch add tests for empty string match which fails with error "Empty string is not allowed". Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: no need for 'name' token for metersPablo Neira Ayuso2017-11-244-6/+6
| | | | | | | Rework grammar to skip the 'name' token after 'meter' for named meters. For consistency with sets and maps in terms of syntax. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: deprecate "flow table" syntax, replace it by "meter"Pablo Neira Ayuso2017-11-244-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | According to bugzilla 1137: "flow tables" should not be syntactically unique. "Flow tables are always named, but they don't conform to the way sets, maps, and dictionaries work in terms of "add" and "delete" and all that. They are also "flow tables" instead of one word like "flows" or "throttle" or something. It seems weird to just have these break the syntactic expectations." Personally, I never liked the reference to "table" since we have very specific semantics in terms of what a "table" is netfilter for long time. This patch promotes "meter" as the new keyword. The former syntax is still accepted for a while, just to reduce chances of breaking things. At some point the former syntax will just be removed. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* tests: nft removes required inet dependency expressionsFlorian Westphal2017-10-266-1/+78
| | | | | | | | | | | +inet/meta.t: line: 10: 'add rule inet t input meta nfproto ipv6 tcp dport 22': 'meta nfproto ipv6 tcp dport 22' mismatches 'tcp dport 22' +inet/meta.t: line: 11: 'add rule inet t input meta nfproto ipv4 tcp dport 22': 'meta nfproto ipv4 tcp dport 22' mismatches 'tcp dport 22' +inet/meta.t: line: 13: 'add rule inet t input meta nfproto ipv6 meta l4proto tcp': 'meta nfproto ipv6 meta l4proto 6' mismatches 'meta l4proto 6' +inet/ip_tcp.t: line: 20: 'src/nft add rule inet test input ether type ip tcp dport 22': 'ether type ip tcp dport 22' mismatches 'tcp dport 22' All of these are actual errors, i.e. meaning of rule is changed. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: enable ip/ip.t for bridge protocol, tooFlorian Westphal2017-10-262-0/+761
| | | | | | | This does not add any additional warnings, it just increases coverage to bridge. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: nft removes required payload protocol expressionsFlorian Westphal2017-10-264-0/+144
| | | | | | | | | | | | | This test fails with 'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22' ip protocol tcp tcp dport 22 is *ONLY* same as 'tcp dport 22' in the ip family. For netdev/inet/bridge, the dependency is required, as it restricts matching to ipv4. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add test case that checks icmp6 in-ipv4Florian Westphal2017-10-262-0/+12
| | | | | | | | | | | | | nft does not handle this correctly. This test fails. In: inet input ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1 Out: meta l4proto 58 icmpv6 type destination-unreachable which loses the "ipv4" dependency, i.e. listing should show the rule as-is. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: icmpX: fix expected outputFlorian Westphal2017-10-262-2/+2
| | | | | | | | | | | both of these rules succeed, but they should fail instead. nft removes the ip6 nexthdr' clause, but this is not correct, it is an explicit test for the ipv6 nexthdr value. Implicit dependencies use meta l4proto to skip extension headers (if any), ipv6 nexthdr does not. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix harmess typo in table nameFlorian Westphal2017-10-262-3/+3
| | | | | | table name should be 'test-ip', not inet. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_linearize: skip set element expression in set statement keyAnders K. Pedersen2017-10-069-2/+109
| | | | | | | | | | | | | | | | | | | | Before this patch the following fails: # nft add rule ip6 filter x \ set add ip6 saddr . ip6 daddr @test nft: netlink_linearize.c:648: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed. Aborted This is was previously fixed for flow statements in fbea4a6f4449 ("netlink_linearize: skip set element expression in flow table key"), and this patch implements the same change for set statements by using the set element key in netlink_gen_set_stmt(). nft-test.py is updated to support set types with concatenated data types in order to support testing of this. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: rt: fix test casesFlorian Westphal2017-09-294-7/+12
| | | | | | | | | | nfproto meta dependency is no longer needed, keep one test since we still support this syntax. When meta is not provided, no need to add a dependency because nft_rt already checks pf number before checking skb->dst. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ct: adjust test case commandsFlorian Westphal2017-09-294-21/+24
| | | | | | use 'ip saddr', 'ip6 saddr', etc. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: update inet/bridge icmp test caseFlorian Westphal2017-09-292-4/+4
| | | | | | | | after previous change nft now culls the dependency chain: 'icmpv6 type echo-request' is shown as-is, and not 'meta nfproto ipv6 meta l4proto 58 icmpv6 type echo-request' anymore. Signed-off-by: Florian Westphal <fw@strlen.de>
* bison: permit keywords in list_stmt_expressionsFlorian Westphal2017-09-272-0/+6
| | | | | | | | | | | | | 'ct event set label' and 'ct event set new or label' work, but 'ct event set new, label' did not: nft add rule filter input ct event set new,label Error: syntax error, unexpected label This changes the definition to also contain keyword symbol expressions. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add tests for limit stateful objectPablo M. Bermudo Garay2017-09-043-3/+35
| | | | | | | The patch also reorganizes ip/objects.t file. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: convert expr_rt byteorder when evaluating statment argFlorian Westphal2017-08-281-0/+1
| | | | | | | | | | | | | | expr_rt might write data in host byte order, so make sure to convert if needed. This makes 'tcp option maxseg size rt mtu' actually work, right now such rules are no-ops because nft_exthdr never increases the mss. While at it, extend the example to not bother testing non-syn packets. Reported-by: Matteo Croce <technoboy85@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add tcp option set support / tcp mss mangling test casesFlorian Westphal2017-08-224-1/+15
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add test case for ttl/protocol setFlorian Westphal2017-08-174-0/+58
| | | | | | | | | nft .. ip ttl set 42 did set the protocol field and left ttl alone, add test cases for this. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix arp chain testFlorian Westphal2017-08-081-3/+2
| | | | | | | | | | The forward chain isn't supported anymore (on kernel side it only worked if bridge netfilter 'call-arptables' sysctl is on), so this test now fails with nf-next kernel. In nftables one can filter/test arp packets in bridge family directly. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: Fail test forcefully when bug is not fixedShyam Saini2017-06-261-1/+1
| | | | | | | | | | | | | | | | | | | | When we have "fail" in the test cases then py test doesn't complain anything, but the test should complain if the fix is not applied. Before applying 986dea8a4a9d ("evaluate: avoid reference to multiple src data in statements which set values"), nft throws following error message and exits with error code 134. $ nft add rule x y tcp dport set { 0 , 1 } BUG: unknown expression type set reference nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed. Aborted This commit enforces nft-test.py to throw error message when the fix is not applied. Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: restrict meta nfproto test cases to inet familyFlorian Westphal2017-06-184-31/+35
| | | | | | | Followup patch will reject meta nfproto for non-inet families. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: remove two non-sensical rulesFlorian Westphal2017-06-182-25/+0
| | | | | | | | | | | | | | | meta nfproto returns the hook family that the current packet is being evaluted in, e.g. NFPROTO_NETDEV in case we're called from the netdev context. This makes no sense, if we add a rule to netdev, bridge, ip, ... table then thats where it will be evaluated, no runtime test needed. Only exception: inet family, in this case, nfproto will be either ipv4 or ipv6. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: restrict ct saddr test to inet familyFlorian Westphal2017-06-184-8/+23
| | | | | | | | | | | | | | | | any/ct.t: ERROR: line 94: src/nft add rule --debug=netlink ip6 test-ip6 output meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed. Actually, this failure is "ok; we can't find upper layer protocol in this case, but even if we'd "fix" this it is still non-sensical, meta nfproto ipv4, but family is ipv6 --> rule would never match. First move this to an inet-specific test. A followup patch will reject meta nfproto for all families except inet. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Add test for ambiguity while setting the valueShyam Saini2017-06-186-0/+16
| | | | | | | | | | | | | | | | | | | | | This test checks bug identified and fixed in the commit mentioned below In a statement if there are multiple src data then it would be totally ambiguous to decide which value to set. Before the commit was made it returned 134(BUG), but now it returns 1 i.e, an error message. Following rules tests ambiguity while setting the value: $ sudo nft add rule ip test-ip4 output ct mark set {0x11333, 0x11} <cmdline>:1:41-55: Error: you cannot use a set here, unknown value to use add rule ip test-ip4 output ct mark set {0x11333, 0x11} ~~~~~~~~~~~~^^^^^^^^^^^^^^^ Test: 986dea8 ("evaluate: avoid reference to multiple src data in statements which set values") Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ct eventmask to eventFlorian Westphal2017-06-072-13/+19
| | | | | | | | ct status isn't named 'statusmask' either. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix inet/bridge/netdev family handling for saddr/daddrFlorian Westphal2017-06-062-0/+11
| | | | | | | | | | | | | "ct orignal saddr" has an invalid data type, as the address can be either ipv4 or ipv6. For some cases we could infer it from the rhs, but there are cases where we don't have any information, e.g. when passing ct original saddr to jhash expression. So do the same thing that we do for "rt nexthop" -- error out and hint to user they need to specifiy the desired address type with "meta nfproto". Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: flush stdout on each test runPablo Neira Ayuso2017-05-291-0/+2
| | | | | | Useful when redirecting output to file and tail -f it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix up meta l4proto change for ip familyFlorian Westphal2017-05-1956-6881/+176
| | | | | | | We can delete some of the payload files now as ip/ip6/inet produce same implicit meta l4proto dep. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix up meta l4proto change for ip6 familyFlorian Westphal2017-05-1921-391/+391
| | | | | | | | | | | | After previous commit nft generates meta l4proto for ipv6 dependencies instead of checking the (first) nexthdr value. This fixes up all tests cases accordingly except one which fails with ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset' This will be fixed by removing the implicit dependency in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow update of net base w. meta l4proto icmpv6Florian Westphal2017-05-192-0/+8
| | | | | | | | | | nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert <cmdline>:1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6 add icmpv6 to nexthdr list so base gets updated correctly. Reported-by: Thomas Woerner <twoerner@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add ip reject with tcp and check for mark tooFlorian Westphal2017-05-188-6/+21
| | | | | | | ... to avoid resetting e.g. the ssh session to the vm that runs nft-test.py. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: reject: remove dependency for tcp-resetsFlorian Westphal2017-05-181-1/+1
| | | | | | We can remove a l4 dependency in ip/ipv6 families. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: don't kill dependencies accross statementsFlorian Westphal2017-05-082-0/+26
| | | | | | add a test case for previous commit. Signed-off-by: Florian Westphal <fw@strlen.de>