nftables - nft command line tool

	Commit message (Collapse)	Author	Age	Files	Lines
*	src: allow binop expressions with variable right-hand operands	Jeremy Sowden	2024-12-04	12	-0/+114
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Hitherto, the kernel has required constant values for the `xor` and `mask` attributes of boolean bitwise expressions. This has meant that the right-hand operand of a boolean binop must be constant. Now the kernel has support for AND, OR and XOR operations with right-hand operands passed via registers, we can relax this restriction. Allow non-constant right-hand operands if the left-hand operand is not constant, e.g.: ct mark & 0xffff0000 \| meta mark & 0xffff The kernel now supports performing AND, OR and XOR operations directly, on one register and an immediate value or on two registers, so we need to be able to generate and parse bitwise boolean expressions of this form. If a boolean operation has a constant RHS, we continue to send a mask-and-xor expression to the kernel. Add tests for {ct,meta} mark with variable RHS operands. JSON support is also included. This requires Linux kernel >= 6.13-rc. [ Originally posted as patch 1/8 and 6/8 which has been collapsed and simplified to focus on initial {ct,meta} mark support. Tests have been extracted from 8/8 including a tests/py fix to payload output due to incorrect output in original patchset. JSON support has been extracted from patch 7/8 --pablo] Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	tests: shell: Pretty-print all *.json-nft dumps	Phil Sutter	2024-02-08	10	-10/+681
\| \| \| \| \| \| \| \| \| \| \| \| \|	The problem with single line output as produced by 'nft -j list ruleset' is its incompatibility to unified diff format as any change in this single line will produce a diff which contains the old and new lines in total. This is not just unreadable but will blow up patches which may exceed mailinglists' mail size limits. Convert them all at once by feeding their contents to tests/shell/helpers/json-pretty.sh. Signed-off-by: Phil Sutter <phil@nwl.cc>
*	tests/shell: sanitize "handle" in JSON output	Thomas Haller	2023-11-22	10	-10/+10
\| \| \| \| \| \| \| \| \|	The "handle" in JSON output is not stable. Sanitize/normalize to zero. Adjust the sanitize code, and regenerate the .json-nft files. Signed-off-by: Thomas Haller <thaller@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	tests/shell: add JSON dump files	Thomas Haller	2023-11-15	10	-0/+10
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Generate and add ".json-nft" files. These files contain the output of `nft -j list ruleset` after the test. Also, "test-wrapper.sh" will compare the current ruleset against the ".json-nft" files and test them with "nft -j --check -f $FILE`. These are useful extra tests, that we almost get for free. Note that for some JSON dumps, `nft -f --check` fails (or prints something). For those tests no *.json-nft file is added. The bugs needs to be fixed first. An example of such an issue is: $ DUMPGEN=all ./tests/shell/run-tests.sh tests/shell/testcases/maps/nat_addr_port which gives a file "rc-failed-chkdump" with Command `./tests/shell/../../src/nft -j --check -f "tests/shell/testcases/maps/dumps/nat_addr_port.json-nft"` failed >>>> internal:0:0-0: Error: Invalid map type 'ipv4_addr . inet_service'. internal:0:0-0: Error: Parsing command array at index 3 failed. internal:0:0-0: Error: unqualified type integer specified in map definition. Try "typeof expression" instead of "type datatype". <<<< Tests like "tests/shell/testcases/nft-f/0012different_defines_0" and "tests/shell/testcases/nft-f/0024priority_0" also don't get a .json-nft dump yet, because their output is not stable. That needs fixing too. Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Thomas Haller <thaller@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
*	tests/shell: skip bitshift tests if kernel lacks support	Florian Westphal	2023-09-18	10	-0/+20
\| \| \| \| \|	Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Thomas Haller <thaller@redhat.com>
*	tests: shell: add test-cases for ct and packet mark payload expressions	Jeremy Sowden	2023-03-28	16	-0/+136
\| \| \| \| \| \| \| \|	Add new test-cases to verify that defining a rule that sets the ct or packet mark to a value derived from a payload works correctly. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	tests: shell: rename and move bitwise test-cases	Jeremy Sowden	2023-03-28	4	-0/+34
	The `0040mark_shift_?` tests are testing not just shifts, but binops more generally, so name them accordingly. Move them to a new folder specifically for bitwise operations. Change the priorities of the chains to match the type. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>