summaryrefslogtreecommitdiffstats
path: root/tests/regression/ip6
Commit message (Collapse)AuthorAgeFilesLines
* tests: redirect: fix payload displayPablo Neira Ayuso2015-08-181-15/+15
| | | | | | | This has to be related to libnftnl's 0edeb667a2cf ("expr: redir: fix snprintf to return the number of bytes printed"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: sets: don't include listing in payload testsPablo Neira Ayuso2015-08-182-2/+0
| | | | | | | | Since e715f6d1241c ("netlink: don't call netlink_dump_*() from listing functions with --debug=netlink"), there is no debugging from the listing path. Thus, we can remove the set line from the test files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: validate generated netlink instructionsFlorian Westphal2015-07-2021-0/+3502
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | compare netlink instructions generated by given nft command line with recorded version. Example: udp dport 80 accept in ip family should look like ip test-ip4 input [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005000 ] [ immediate reg 0 accept ] This is stored in udp.t.payload.ip Other suffixes: .payload.ip6 .payload.inet .payload ('any') The test script first looks for 'testname.t.payload.$family', if that doesn't exist 'testname.t.payload' is used. This allows for family independent test (e.g. meta), where we don't expect/have any family specific expressions. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: avoid more warningsFlorian Westphal2015-07-153-9/+9
| | | | | | | | | | | | | | | | | | | ... 2001:838:35f:1::-2001:838:35f:2:: :80-100' mismatches ... 2001:838:35f:1::-2001:838:35f:2:::80-100' nft accepts both, so just alter test to not complain. Also, fix test script to display the expected output rather than the input. Otherwise, a rule like some_input;ok;expected_output may display nonsensical message like warning: some_input mismatches some_input This also fixes the icmpv6 test accordingly, nft displays ranges correctly. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: regression: ip6: reduce warning noisePablo Neira Ayuso2015-06-132-23/+24
| | | | | | | | | | | | | | | | | getnameinfo() displays this: ::1234:1234:1234:1234:1234:1234:1234 as: 0:1234:1234:1234:1234:1234:1234:1234 which is basically equivalent. nft accepts both inputs. So add some exceptions to the tests to reduce the amount of noise in the tests, so we can focus on real problems. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: fix NAT testsPablo Neira Ayuso2015-06-022-2/+7
| | | | | | | | | | | snat can be only used from prerouting and input, and dnat from output and postrouting. ip/nat.t: ERROR: line 12: nft add rule ip test-ip4 output iifname eth0 tcp sport 23-34 snat 192.168.3.2: This rule should not have failed. Split the test file as they require different chain configuration. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: fix warnings related to range listingPablo Neira Ayuso2015-06-027-33/+33
| | | | | | | | | | | | | | | | | | Fix lots of warnings, mostly related to the listing of ranges in many of the tests that we have, eg. any/meta.t: WARNING: line: 30: 'nft add rule ip test-ip4 input meta l4proto 33-45': 'meta l4proto 33-45' mismatches 'meta l4proto 33-45' any/meta.t: WARNING: line: 31: 'nft add rule ip test-ip4 input meta l4proto != 33-45': 'meta l4proto != 33-45' mismatches 'meta l4proto != 33-45' any/meta.t: WARNING: line: 99: 'nft add rule ip test-ip4 input meta skuid 3001-3005 accept': 'meta skuid 3001-3005 accept' mismatches 'skuid 3001-3005 accept' any/meta.t: WARNING: line: 100: 'nft add rule ip test-ip4 input meta skuid != 2001-2005 accept': 'meta skuid != 2001-2005 accept' mismatches 'skuid != 2001-2005 accept' any/meta.t: WARNING: line: 111: 'nft add rule ip test-ip4 input meta skgid 2001-2005 accept': 'meta skgid 2001-2005 accept' mismatches 'skgid 2001-2005 accept' any/meta.t: WARNING: line: 112: 'nft add rule ip test-ip4 input meta skgid != 2001-2005 accept': 'meta skgid != 2001-2005 accept' mismatches 'skgid != 2001-2005 accept' any/meta.t: WARNING: line: 156: 'nft add rule ip test-ip4 input meta cpu 1-3': 'meta cpu 1-3' mismatches 'cpu 1-3' any/meta.t: WARNING: line: 158: 'nft add rule ip test-ip4 input meta cpu != 1-2': 'meta cpu != 1-2' mismatches 'cpu != 1-2' any/meta.t: WARNING: line: 187: 'nft add rule ip test-ip4 input meta cgroup 0x100001 - 0x100003': 'meta cgroup 0x100001 - 0x100003' mismatches 'cgroup 1048577-1048579' ... Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: masquerade is only allowed from postroutingPablo Neira Ayuso2015-03-181-1/+0
| | | | | | | Disable the tests from the output chain, the kernel rejects this with operation not supported. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: revisit chain testsPablo Neira Ayuso2014-12-221-1/+0
| | | | | | | | Make sure support chain don't stop working. Remove some minor mistakes and out of scope tests from chain*.t Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: use 'redirect to PORT' instead of 'redirect :PORT'Pablo Neira Ayuso2014-12-121-9/+9
| | | | | | Small syntax update suggested by Patrick. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: redirect.t: fix bogus errorsPablo Neira Ayuso2014-12-121-1/+1
| | | | | | | Separate values in set, otherwise bash interprets the brackets and the test reports an error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: adapt nat tests to use random-fullyPablo Neira Ayuso2014-12-122-13/+13
| | | | | | | This adapts test to the change that happened in d9a9a79 ('stmt: rename nat "random-fully" option to "fully-random"'). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: test masquerade from nat/postrouting tooPablo Neira Ayuso2014-11-241-0/+1
| | | | | | | We can specify several chains in the tests, so test this from postrouting too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: fix bogus error due to bashPablo Neira Ayuso2014-11-241-1/+1
| | | | | | | | | | | | | | This suppresses several superfluous errors: any/meta.t: ERROR: line 168: nft add rule ip test-ip4 input meta iifgroup {11,33}: This rule should not have failed. any/meta.t: ERROR: line 178: nft add rule ip test-ip4 input meta oifgroup {11,33}: This rule should not have failed. ip/masquerade.t: ERROR: line 23: nft add rule ip4 test-ip4 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed. ip6/masquerade.t: ERROR: line 23: nft add rule ip6 test-ip6 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed. This needs a space before the list of elements in the set, otherwise bash here misinterprets the set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: allow both nat_flags and port specification in redirectArturo Borrero2014-11-091-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | This patch changes the parser to permit both nat_flags and port specification in the redirect expression. The resulting syntax is: % nft add rule nat prerouting redirect [port] [nat_flags] The port specification requires a bit of context regardin the transport protocol. Some examples: % nft add rule nat prerouting tcp dport 22 redirect :23 % nft add rule add prerouting udp dport 53 redirect :5353 The nat_flags argument is the last argument: % nft add rule nat prerouting tdp dport 80 redirect :8080 random The port specification can be a range: % nft add rule nat prerouting tcp dport 80 redirect :8080-8090 random While at it, the regression tests files are updated. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/regression: redirect: fix invalid syntaxArturo Borrero2014-11-091-28/+28
| | | | | | | | | This patch fixes invalid syntax in the redirect test files. I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/regression: masquerade: fix invalid syntaxArturo Borrero2014-11-091-17/+17
| | | | | | | | | This patch fixes invalid syntax in the masquerade test files. I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add redirect supportArturo Borrero2014-11-041-0/+42
| | | | | | | | | | | This patch adds redirect support for nft. The syntax is: % nft add rule nat prerouting redirect [port] [nat_flags] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: update and add the reject tests for ip, ip6, bridge and inet.Alvaro Neira2014-10-221-1/+8
| | | | | Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add tests for masqueradeArturo Borrero2014-10-171-0/+25
| | | | | | | Let's test the new masquerade option in nftables. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add ip6 folder with test files.Ana Rey2014-09-1811-0/+487
"ip6" folder contains the test files that are executed in ip6 and inet family of tables. These test files are executed with nft-tests.py Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>