Got the following bug report:
nft add ... ct mark set mark and 0x10
... always sets 0.
What the reporter meant to write instead was 'ct mark', not 'mark'.
We can't just remove support for 'mark' and force
'meta mark', but we can start to discourage it by printing the meta prefix too.
Later on, we could start to print a deprecation warning if needed.
A follow-up patch can also change
"iifname" etc. to "meta iifname".
Signed-off-by: Florian Westphal <fw@strlen.de>
The kernel currently permits chains with the same name when a transaction renames
2 chains to the same new name. Add a test case for this.
Signed-off-by: Florian Westphal <fw@strlen.de>
Original script from Taehee Yoo.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add tests for listing specific object for a given table name and all
objects of a table.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The error was:
nft create set inet filter keepalived_ranges4 { type inet_service . ifname \; }
Error: Empty string is not allowed
This was fixed in
6b00b9537e181 ("evaluate: skip evaluation of datatype concatenations").
Signed-off-by: Florian Westphal <fw@strlen.de>
Default not to print the service name as we discussed during the NFWS.
# nft list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1.1.1.1
}
}
# nft -l list ruleset
table ip x {
chain y {
tcp dport ssh
ip saddr 1.1.1.1
}
}
# nft -ll list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1dot1dot1dot1.cloudflare-dns.com
}
}
Then, -ll displays the FQDN, just like the (now deprecated) --ip2name (-N)
option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The shell prompt ends with:
"%", which indicates a C shell.
"$", which indicates a shell that's compatible with Bash.
"#", which indicates the shell is running as the system's root.
So, "%" is replaced with "$" or "#".
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
The original intent was to fix a bug: the following rule in the inet table:
| meta nfproto ipv4 icmpv6 type echo-reply
was added correctly, but when printing, the meta match was falsely
removed. The fix is to deny dependency killing if the RHS family of the nfproto
match doesn't match the RHS family of the l4proto match. Adding this to the
already large conditional led to even more unreadable code, therefore
this patch tries to clean that up (and also removes the partial code
duplication).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Move import and use explicit parameter in object creation.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We need to signal the kernel to use a set backend that supports dynamic
updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
JSON equivalent of fwd statement was too primitive to support the added
address and family parameters, so make its value an object and accept
the device expression as value of a "dev" property in there. Then add
optional "addr" and "family" properties to it.
While at it, add a testcase to make sure the extended syntax works
right.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Changing the reference lines is not enough, the actual JSON has to be
adjusted as well. Since after the changes output for ip/flowtable.t is
now symmetric, ip/flowtable.t.json.output can be removed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This way JSON format is more consistent with the standard one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
4s5ms gets rounded to 4s8ms with HZ=250, which is a common setting.
Signed-off-by: Florian Westphal <fw@strlen.de>
bash 4.3.30 removes newlines in RULESET when "" are omitted, which
then causes nft -f to complain about invalid syntax.
As a result, all test cases that use this here-doc style fail.
Signed-off-by: Florian Westphal <fw@strlen.de>
Pablo reports set test fails with HZ=250, as it lists "324ms" instead
of "321". This is because of rounding errors that occur when converting
from user-side millisecond scale to kernel-internal jiffies one.
Use 100ms for now to avoid this error.
Alternatives would be to store the user-provided value in the kernel or to avoid
the conversions; this would require a change to make timeout independent from
jiffies on the kernel side.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Two reports point to a crash in nft when 'flush' is provided
on existing ruleset. In that case, nft will crash with a null-ptr
dereference.
"evaluate: do not inconditionally update cache from flush command"
causes the commit to fail due to a cache inconsistency, we then trip
over NULL location->indesc. Cause of 2nd bug not known yet, not sure
how to fix cache issue either, so only adding reproducer so this can be
fixed later.
Without the erec bug, the (erroneous) error message would be
Could not process rule: File exists
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Reported-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is implemented via a pseudo log level. The kernel ignores any other
parameter, so reject those at evaluation stage. Audit logging is
therefore simply a matter of:
| log level audit
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The output differs from input in added size property.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This adds the missing JSON variant for the two rules which are supposed
to work.
Fixes: 2efbdf7b8fcf7 ("tests: py: allow to specify sets with a timeout")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Commit 71624f25f22b1 ("tests: py: add expires tests with different time
bases") removed two testcases and added five other ones, adjust JSON
equivalent and recorded output to those changes.
Fixes: 71624f25f22b1 ("tests: py: add expires tests with different time bases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* There is no need to prefix element-specific properties with 'elem_',
they can't conflict.
* In json_parse_set_stmt(), searching for above properties is pointless
since that's already done by called function.
* Fix potential NULL-pointer deref in json_parse_set_elem_expr_stmt():
json_parse_flagged_expr() may return NULL.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
First of all, don't print the position property when listing rules. This
was there only because libnftnl JSON output has it too, but since the
preferred way to *add* a rule at some location is via 'handle' keyword,
keeping "position" in output would be non-intuitive. Changing "position"
property name to "handle" instead is also a no-go since that would clash
with the real rule handle.
Secondly, turn all handle output on regardless of octx->handle setting.
For a programmatic API like JSON, this should be fine.
Thirdly, fix rule locations when parsing JSON: respect the "handle" property
for CMD_INSERT and CMD_ADD and ignore "pos" altogether (actually even a
typo, it should have read "position"). Also support the "index" property
recently added to the standard syntax.
Finally, adjust nft-test.py for the above changes: There is no
"position" property to drop from rule output, and "handle" property will
always be present.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change name of NFT_OBJECT_CT_HELPER in objref_type table to "ct helper"
for consistency. Note that this is not used in regular nft output since
objref_stmt_print() treats this object type separately.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Doing this breaks with older kernels, as it will pick a set without
an update callback.
Signed-off-by: Florian Westphal <fw@strlen.de>
Sometimes we may hit this because the script is too slow to remove the
element with timeout from the set.
inet/sets.t: ERROR: line 18: I cannot delete element dead::beef timeout 1s from the set set2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Commit 6979625686ec ("relational: Eliminate meta OPs") introduced some
bugs when printing bitmask types.
First, during the post-processing phase of delinearization, the
expression for "tcp flags syn" (PAYLOAD & flag != 0) gets converted to
PAYLOAD == flag, which is not equivalent. This should be
PAYLOAD (IMPL) flag.
Then, during output, the "==" sign from "tcp flags == syn" is dropped,
because the bitmask condition in must_print_eq_op() was removed. Let's
restore it, so that "tcp flags == syn" doesn't get printed as
"tcp flags syn". An extra check for value types is added, so that we
don't start printing "==" for sets such as "tcp flags {syn,ack}".
Finally, add a regression test for this particular case.
Fixes: 6979625686ec ("relational: Eliminate meta OPs")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Just like 4b6fb07de07a ("tests: shell: more chain dependency
validation") but test chain dependency in jumps from maps.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Detect more non-base chain loops.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
More exercising for the chain dependency validation.
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
It is good to know that a log is generated even without browsing the
nft-test.py source code.
Also, a print_info function is introduced.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
The errstr attribute was hard-coded to "ERROR:".
errstr has been moved into the parameter list. As print_msg is only
used from the other print_* functions this is not an issue, and as there is a
print_error function, I don't think that errstr should default to
"ERROR:".
Also, these kinds of messages now get written to stderr. This can be
beneficial if someone wants to redirect output to a file.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
The order of the table and chain definitions has changed in the test files.
Now the name of the chain has to be specified in the definition of the
table, so their order is reversed.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
/usr/bin/python is linked to a different major version of Python in
different distributions (e.g. 2 on Debian, 3 on Arch Linux).
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
This extends nft-test.py by optional JSON testing capabilities,
activated via the '-j'/'--enable-json' parameter.
JSON testing happens for all rules which are supposed to work: After a
rule has been added and the existing tests (payload, ruleset listing
output) have been performed, basically the same test is done again using
a recorded JSON equivalent and (if necessary) a recorded listing output.
The code tries to ease new test case creation overhead by
auto-generating JSON equivalent input via listing the (non-JSON) rule in
JSON format. Also, differing netlink debug and listing output are stored
in *.got files to assist in analyzing/fixing failing test cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Print the non-equal parts of the two rules in yellow when printing the
differences warning.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When testing rule adding to different table families, expected payload
was read for each tested family again. Instead, read it just once and
just try to read a family-specific payload for each tested family.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Combine it with 0002insertposition_0 due to the many similarities,
extend it to test the 'handle' and 'index' parameters as well and rename the
testcase accordingly.
Also add a new 0002addinsertlocation_1 which tests that a wrong argument
to any of the location parameters fails.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Not usable yet, as the set timeout netlink output isn't captured so far,
but it adds groundwork to add this as a follow-up.
Set definition syntax changes a little: if you want to
add multiple elements they now have to be separated by "," just
like in nftables.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>