summaryrefslogtreecommitdiffstats
path: root/tests/shell
Commit message (Collapse)AuthorAgeFilesLines
* src: add comment support for objectsHEADmasterJose M. Guisado Gomez10 days2-0/+81
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enables specifying an optional comment when declaring named objects. The comment is to be specified inside the object's block ({} block) Relies on libnftnl exporting nftnl_obj_get_data and kernel space support to store the comments. For consistency, this patch makes the comment be printed first when listing objects. Adds a testcase importing all commented named objects except for secmark, although it's supported. Example: Adding a quota with a comment > add table inet filter > nft add quota inet filter q { over 1200 bytes \; comment "test_comment"\; } > list ruleset table inet filter { quota q { comment "test_comment" over 1200 bytes } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mergesort: find base value expression type via recursionPablo Neira Ayuso14 days4-5/+42
| | | | | | | | | | | | | | | | Sets that store flags might contain a mixture of values and binary operations. Find the base value type via recursion to compare the expressions. Make sure concatenations are listed in a deterministic way via concat_expr_msort_value() which builds a mpz value with the tuple. Adjust a few tests after this update since listing differs after this update. Fixes: 14ee0a979b62 ("src: sort set elements in netlink_get_setelems()") Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support when adding tablesJose M. Guisado Gomez2020-08-282-0/+8
| | | | | | | | | | | | | | | | | | | Adds userdata building logic if a comment is specified when creating a new table. Adds netlink userdata parsing callback function. Relies on kernel supporting userdata for nft_table. Example: > nft add table ip x { comment "test"\; } > nft list ruleset table ip x { comment "test" } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: sets: Check rbtree overlap detection after tree rotationsStefano Brivio2020-08-261-0/+36
| | | | | | | | | | | | | | | | | | | | | Ticket https://bugzilla.netfilter.org/show_bug.cgi?id=1449 showed an issue with rbtree overlap detection coming from the fact that, after tree rotations performed as part of tree rebalancing, caused by deletions, end elements are not necessarily descendants of their corresponding start elements. Add single-sized elements, delete every second one of them, and re-add them (they will always be full overlaps) in order to check overlap detection after tree rotations. Port indices used in the sets are pseudo-random numbers generated with Marsaglia's Xorshift algorithm with triplet (5, 3, 1), chosen for k-distribution over 16-bit periods, which gives a good statistical randomness and forces 201 rebalancing operations out of 250 deletions with the chosen seed (1). Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for map tooPablo Neira Ayuso2020-08-172-5/+9
| | | | | | Extend and slightly rework tests/shell to cover this case too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for set declarationsJose M. Guisado Gomez2020-08-122-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow users to add a comment when declaring a named set. Adds set output handling the comment in both nftables and json format. $ nft add table ip x $ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}} $ nft list ruleset table ip x { set s { type ipv4_addr; comment "some_addrs" elements = { 1.1.1.1, 1.2.3.4 } } } $ nft --json list ruleset { "nftables": [ { "metainfo": { "json_schema_version": 1, "release_name": "Capital Idea #2", "version": "0.9.6" } }, { "table": { "family": "ip", "handle": 4857, "name": "x" } }, { "set": { "comment": "some_addrs", "elem": [ "1.1.1.1", "1.2.3.4" ], "family": "ip", "handle": 1, "name": "s", "table": "x", "type": "ipv4_addr" } } ] } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0044interval_overlap_0: Repeat insertion tests with timeoutStefano Brivio2020-08-041-19/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mike Dillinger reported issues with insertion of entries into sets supporting intervals that were denied because of false conflicts with elements that were already expired. Partial failures would occur to, leading to the generation of new intervals the user didn't specify, as only the opening or the closing elements wouldn't be inserted. The reproducer provided by Mike looks like this: #!/bin/bash nft list set ip filter blacklist4-ip-1m for ((i=1;i<=10;i++)); do nft add element filter blacklist4-ip-1m {$i.$i.$i.$i} sleep 1 done nft list set ip filter blacklist4-ip-1m which, run in a loop at different intervals, show the different kind of failures. Extend the existing test case for overlapping and non-overlapping intervals to systematically cover sets with a configured timeout. As reported by Pablo, the test would fail if we keep a one-second timeout if it runs on a "slow" kernel (e.g. with KASan), using the libtool wrapper in src/nft as $NFT, because we can't issue 218 commands within one second. To avoid that, introduce an adaptive timeout based on how many times we can list a single entry with a fixed one-second timeout. On a single 2.9GHz AMD Epyc 7351 thread: test run nft commands/s timeout - src/nft libtool wrapper, KASan: 68.4s 10 32s - nft binary, KASan: 5.1s 168 2s - src/nft libtool wrapper, w/o KASan: 18.3s 37 8s - nft binary, w/o KASan: 2.4s 719 1s While at it, fix expectation for insertion of '15-20 . 50-60' (it's expected to succeed, given the list), and the reason why I didn't notice: a simple command preceded by ! won't actually result in the shell exiting, even if it fails. Add some clearer failure reports too. v2: - adjust set timeouts to nft commands/s - fix checks on expected outcome of insertions and reports Reported-by: Mike Dillinger <miked@softtalker.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0043concatenated_ranges_0: Fix checks for add/delete failuresStefano Brivio2020-08-041-18/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The test won't stop if we simply precede commands expected to fail by !. POSIX.1-2017 says: -e When this option is on, if a simple command fails for any of the reasons listed in Consequences of Shell Errors or returns an exit status value >0, and is not part of the compound list following a while, until or if keyword, and is not a part of an AND or OR list, and is not a pipeline preceded by the "!" reserved word, then the shell will immediately exit. ...but I didn't care about the last part. Replace those '! nft ...' commands by 'nft ... && exit 1' to actually detect failures. As a result, I didn't notice that now, correctly, inserting elements into a set that contains the same exact element doesn't actually fail, because nft doesn't pass NLM_F_EXCL on a simple 'add'. Drop re-insertions from the checks we perform here, overlapping elements are already covered by other tests. Fixes: 618393c6b3f2 ("tests: Introduce test for set with concatenated ranges") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove table from cache on delete tablePablo Neira Ayuso2020-07-292-0/+22
| | | | | | | | | | | | | | | | | | | | | The following ruleset crashes nft if loaded twice, via nft -ef: add table inet filter delete table inet filter table inet filter { chain input { type filter hook input priority filter; policy drop; iifname { "eth0" } counter accept } } If the table contains anonymous sets, such as __set0, then delete + add table might result in nft reusing the existing stale __set0 in the cache. The problem is that nft gets confused and it reuses the existing stale __set0 instead of the new anonymous set __set0 with the same name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: extend 0043concatenated_ranges_0 to cover maps tooFlorian Westphal2020-07-231-28/+50
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow for negative value in variable definitionsPablo Neira Ayuso2020-07-222-0/+23
| | | | | | Extend test to cover for negative value in chain priority definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: flush set cache before flush commandPablo Neira Ayuso2020-07-212-0/+24
| | | | | | Flush the set cache before adding the flush command to the netlink batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: remove check for reject from preroutingPablo Neira Ayuso2020-07-211-11/+0
| | | | | | | | | | | | It reports a failure with the following kernel patch: commit f53b9b0bdc59c0823679f2e3214e0d538f5951b9 Author: Laura Garcia Liebana <nevola@gmail.com> Date: Sun May 31 22:26:23 2020 +0200 netfilter: introduce support for reject at prerouting stage Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use variables in flowtable and chain devicesPablo Neira Ayuso2020-07-214-0/+95
| | | | | | | | | | | | | | | This patch adds support for using variables for devices in the chain and flowtable definitions, eg. define if_main = lo table netdev filter1 { chain Main_Ingress1 { type filter hook ingress device $if_main priority -500; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: chmod 755 testcases/chains/0030create_0Pablo Neira Ayuso2020-07-211-0/+0
| | | | | | Update permissions in this test script. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: extend existing dormat test case to catch a kernel bugFlorian Westphal2020-07-182-0/+5
| | | | | | | This is a test case for the kernel bug fixed by: netfilter: nf_tables: fix nat hook table deletion Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support for implicit chain bindingsPablo Neira Ayuso2020-07-152-0/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to group rules in a subchain, e.g. table inet x { chain y { type filter hook input priority 0; tcp dport 22 jump { ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept ip6 saddr ::1/128 accept; } } } This also supports for the `goto' chain verdict. This patch adds a new chain binding list to avoid a chain list lookup from the delinearize path for the usual chains. This can be simplified later on with a single hashtable per table for all chains. From the shell, you have to use the explicit separator ';', in bash you have to escape this: # nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow for variables in the log prefix stringPablo Neira Ayuso2020-07-082-0/+21
| | | | | | | | | | | | | | | | | | | For example: define test = "state" define foo = "match" table x { chain y { ct state invalid log prefix "invalid $test $foo:" } } This patch scans for variables in the log prefix string. The log prefix expression is a list of constant and variable expression that are converted into a constant expression from the evaluation phase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: zap element statement when decomposing intervalPablo Neira Ayuso2020-07-062-0/+32
| | | | | | | | Otherwise, interval sets do not display element statement such as counters. Fixes: 6d80e0f15492 ("src: support for counter in set definition") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow for empty set variable definitionPablo Neira Ayuso2020-07-043-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow for empty set definition in variables if they are merged to non-empty set definition: define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443} define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } However, disallow this: define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } # nft -f x.nft /tmp/x.nft:6:18-52: Error: Set is empty tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Allow wrappers to be passed as nft commandStefano Brivio2020-06-151-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current check on $NFT only allows to directly pass an executable, so I've been commenting it out locally for a while to run tests with valgrind. Instead of using the -x test, run nft without arguments and check the exit status. POSIX.1-2017, Shell and Utilities volume, par. 2.8.2 ("Exit Status for Commands") states: If a command is not found, the exit status shall be 127. If the command name is found, but it is not an executable utility, the exit status shall be 126. Applications that invoke utilities without using the shell should use these exit status values to report similar errors. While this script isn't POSIX-compliant, it requires bash, and any modern version of bash complies with those exit status requirements. Also valgrind complies with this. We need to quote the NFT variable passed to execute the commands in the main loop and adjust error and informational messages, too. This way, for example, export NFT="valgrind nft" can be issued to run tests with valgrind. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Run in separate network namespace, don't break connectivityStefano Brivio2020-06-151-0/+9
| | | | | | | | | | | | | It might be convenient to run tests from a development branch that resides on another host, and if we break connectivity on the test host as tests are executed, we can't run them this way. If kernel implementation (CONFIG_NET_NS), unshare(1), or Python bindings for unshare() are not available, warn and continue. Suggested-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: rename testcases/map/dump/0009vmap_0dump.nftPablo Neira Ayuso2020-06-141-1/+1
| | | | | | | Missing .nft extension in dump file. Fixes: 54eb1e16cc47 ("evaluate: missing datatype definition in implicit_set_declaration()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: release dummy rule object from netlink_parse_set_expr()Pablo Neira Ayuso2020-06-082-0/+31
| | | | | | | | | | | | | | | | | | | | | netlink_parse_set_expr() creates a dummy rule object to reuse the existing netlink parser. Release the rule object to fix a memleak. Zap the statement list to avoid a use-after-free since the statement needs to remain in place after releasing the rule. ==21601==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2016 byte(s) in 4 object(s) allocated from: #0 0x7f7824b26330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330) #1 0x7f78245fcebd in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36 #2 0x7f78245fd016 in xzalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:65 #3 0x7f782456f0b5 in rule_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/rule.c:623 Add a test to check for set counters. SUMMARY: AddressSanitizer: 2016 byte(s) leaked in 4 allocation(s). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: missing datatype definition in implicit_set_declaration()Pablo Neira Ayuso2020-06-072-0/+32
| | | | | | | | | | | | | | | | | | | | | | set->data from implicit_set_declaration(), otherwise, set_evaluation() bails out with: # nft -f /etc/nftables/inet-filter.nft /etc/nftables/inet-filter.nft:8:32-54: Error: map definition does not specify mapping data type tcp dport vmap { 22 : jump ssh_input } ^^^^^^^^^^^^^^^^^^^^^^^ /etc/nftables/inet-filter.nft:13:26-52: Error: map definition does not specify mapping data type iif vmap { "eth0" : jump wan_input } ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Add a test to cover this case. Fixes: 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=208093 Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow flowtable definitions with no devicesPablo Neira Ayuso2020-06-021-3/+0
| | | | | | | | | | | | | The listing shows no devices: # nft list ruleset table ip x { flowtable y { hook ingress priority filter } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Fix get element command with prefixesPhil Sutter2020-05-041-18/+44
| | | | | | | | | | | | Code wasn't aware of prefix elements in interval sets. With previous changes in place, they merely need to be accepted in get_set_interval_find() - value comparison and expression duplication is identical to ranges. Extend sets/0034get_element_0 test to cover prefixes as well. While being at it, also cover concatenated ranges. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: dump generated use new nft toolMichael Braun2020-05-011-1/+1
| | | | | | | | | | | Instead of using an (possibly outdated) system nft to generate dumps, use the newly build tool. This fixes the dump output being corrupted if the system tool does not support parsing new features. Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: incorrect byteorder with typeof and integer_datatypePablo Neira Ayuso2020-04-292-0/+10
| | | | | | | | | | | | | | | | | | | | table bridge t { set s3 { typeof meta ibrpvid elements = { 2, 3, 103 } } } # nft --debug=netlink -f test.nft s3 t 0 s3 t 0 element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end] ^^^^^^^^ The integer_type uses BYTEORDER_INVALID byteorder (which is implicitly handled as BYTEORDER_BIG_ENDIAN). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add NAT mappings testsPablo Neira Ayuso2020-04-284-0/+53
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* concat: provide proper dtype when parsing typeof udataFlorian Westphal2020-04-012-0/+14
| | | | | | | | | | | | | | | | Pablo reports following list bug: table ip foo { map whitelist { typeof ip saddr . ip daddr : meta mark elements = { 0x0 [invalid type] . 0x0 [invalid type] : 0x00000001, 0x0 [invalid type] . 0x0 [invalid type] : 0x00000002 } } } Problem is that concat provided 'invalid' dtype. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Introduce test for insertion of overlapping and ↵Stefano Brivio2020-03-261-0/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | non-overlapping ranges Insertion of overlapping ranges should return success only if the new elements are identical to existing ones, or, for concatenated ranges, if the new element is less specific (in all its fields) than any existing one. Note that, in case the range is identical to an existing one, insertion won't actually be performed, but no error will be returned either on 'add element'. This was inspired by a failing case reported by Phil Sutter (where concatenated overlapping ranges would fail insertion silently) and is fixed by kernel series with subject: nftables: Consistently report partial and entire set overlaps With that series, these tests now pass also if the call to set_overlap() on insertion is skipped. Partial or entire overlapping was already detected by the kernel for concatenated ranges (nft_set_pipapo) from the beginning, and that series makes the nft_set_rbtree implementation consistent in terms of detection and reporting. Without that, overlap checks are performed by nft but not guaranteed by the kernel. However, we can't just drop set_overlap() now, as we need to preserve compatibility with older kernels. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: update nat_addr_port with typeof+concat mapsFlorian Westphal2020-02-262-0/+80
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: adjust tests to new nat concatenation syntaxPablo Neira Ayuso2020-02-242-16/+16
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nat: add and use maps with both address and serviceFlorian Westphal2020-02-242-0/+160
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add initial nat map testFlorian Westphal2020-02-242-0/+96
| | | | | | | | | | | Will be extended to cover upcoming 'dnat to ip saddr . tcp dport map { \ 1.2.3.4 . 80 : 5.6.7.8 : 8080, 2.2.3.4 . 80 : 7.6.7.8 : 1234, ... Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: avoid spurious failure when running in host namespaceFlorian Westphal2020-02-222-2/+2
| | | | | | | | | | Dump validation may fail: - tcp dport { 22, 23 } counter packets 0 bytes 0 + tcp dport { 22, 23 } counter packets 9 bytes 3400 ... which is normal on host namespace. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: 0034get_element_0: do not discard stderrFlorian Westphal2020-02-221-1/+1
| | | | | | | | | | run_tests.sh alreadty discards stderr by default, but will show it in case the test script is run directly (passed as argument). Discarding stderr also in the script prevents one from seeing BUG() assertions and the like. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: Introduce test for set with concatenated rangesStefano Brivio2020-02-191-0/+180
| | | | | | | | | | | | | | | | | | | | | | | | | | | This test checks that set elements can be added, deleted, that addition and deletion are refused when appropriate, that entries time out properly, and that they can be fetched by matching values in the given ranges. v5: - speed this up by performing the timeout test for one single permutation (Phil Sutter), by decreasing the number of permutations from 96 to 12 if this is invoked by run-tests.sh (Pablo Neira Ayuso) and by combining some commands into single nft calls where possible: with dash 0.5.8 on AMD Epyc 7351 the test now takes 1.8s instead of 82.5s - renumber test to 0043, 0042 was added meanwhile v4: No changes v3: - renumber test to 0042, 0041 was added meanwhile v2: - actually check an IPv6 prefix, instead of specifying everything as explicit ranges in ELEMS_ipv6_addr - renumber test to 0041, 0038 already exists Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: maps: update data expression dtype based on setFlorian Westphal2020-02-132-0/+49
| | | | | | | | | | | What we want: - update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 } what we got: + update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2000000 [invalid type] } Reported-by: Serguei Bezverkhi <sbezverk@gmail.com> Close: https://bugzilla.netfilter.org/show_bug.cgi?id=1405 Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: validate error reporting with include and globPablo Neira Ayuso2020-02-132-0/+97
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add test for glob includesLaurent Fasnacht2020-02-131-0/+39
| | | | | | | | | Including more than MAX_INCLUDE_DEPTH file in one statement should succeed. This reproduces bug #1243. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add bit-shift tests.Jeremy Sowden2020-02-074-0/+34
| | | | | | | | Add a couple of shell test-cases for setting the CT mark to a bitwise expression derived from the packet mark and vice versa. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: update list of rmmod modulesPablo Neira Ayuso2020-01-221-2/+2
| | | | | | | * Missing nft_fib_inet. * nft_chain_nat_ipv4 and nft_chain_nat_ipv6 became nft_chain_nat. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: set lookup and set updatePablo Neira Ayuso2020-01-221-0/+21
| | | | | | A simple test to cover set lookup and update in one rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: Fix for doubled output after reset commandPhil Sutter2020-01-161-1/+11
| | | | | | | | | | | | | | | Reset command causes a dump of the objects to reset and adds those to cache. Yet it ignored if the object in question was already there and up to now CMD_RESET was flagged as NFT_CACHE_FULL. Tackle this from two angles: First, reduce cache requirements of reset command to the necessary bits which is table cache. This alone would suffice if there wasn't interactive mode (and other libnftables users): A cache containing the objects to reset might be in place already, so add dumped objects to cache only if they don't exist already. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Search diff tool once and for allPhil Sutter2020-01-1633-75/+46
| | | | | | | | | | | | | | | Instead of calling 'which diff' over and over again, just detect the tool's presence in run-tests.sh and pass $DIFF to each testcase just like with nft binary. Fall back to using 'true' command to avoid the need for any conditional calling in test cases. While being at it, unify potential diff calls so that a string comparison in shell happens irrespective of diff presence. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete flowtable after flushing chainPablo Neira Ayuso2020-01-051-0/+10
| | | | | | | This patch adds a test to cover delete flowtable after chain flush including two rule references to the flowtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: enforce options before commandsPablo Neira Ayuso2019-12-1810-11/+19
| | | | | | | | | | | | | | | | | This patch turns on POSIXLY_CORRECT on the getopt parser to enforce options before commands. Users get a hint in such a case: # nft list ruleset -a Error: syntax error, options must be specified before commands nft list ruleset -a ^ ~~ This patch recovers 9fc71bc6b602 ("main: Fix for misleading error with negative chain priority"). Tests have been updated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add typeof test casesFlorian Westphal2019-12-174-0/+91
| | | | | | | | Add sets using unspecific string/integer types, one with osf name, other with vlan id. Neither type can be used directly, as they lack the type size information. Signed-off-by: Florian Westphal <fw@strlen.de>