summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* tests: update inet/bridge icmp test caseFlorian Westphal2017-09-292-4/+4
| | | | | | | | after previous change nft now culls the dependency chain: 'icmpv6 type echo-request' is shown as-is, and not 'meta nfproto ipv6 meta l4proto 58 icmpv6 type echo-request' anymore. Signed-off-by: Florian Westphal <fw@strlen.de>
* bison: permit keywords in list_stmt_expressionsFlorian Westphal2017-09-272-0/+6
| | | | | | | | | | | | | 'ct event set label' and 'ct event set new or label' work, but 'ct event set new, label' did not: nft add rule filter input ct event set new,label Error: syntax error, unexpected label This changes the definition to also contain keyword symbol expressions. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add tests for limit stateful objectPablo M. Bermudo Garay2017-09-043-3/+35
| | | | | | | The patch also reorganizes ip/objects.t file. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: convert expr_rt byteorder when evaluating statment argFlorian Westphal2017-08-281-0/+1
| | | | | | | | | | | | | | expr_rt might write data in host byte order, so make sure to convert if needed. This makes 'tcp option maxseg size rt mtu' actually work, right now such rules are no-ops because nft_exthdr never increases the mss. While at it, extend the example to not bother testing non-syn packets. Reported-by: Matteo Croce <technoboy85@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add tcp option set support / tcp mss mangling test casesFlorian Westphal2017-08-224-1/+15
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add test case for ttl/protocol setFlorian Westphal2017-08-174-0/+58
| | | | | | | | | nft .. ip ttl set 42 did set the protocol field and left ttl alone, add test cases for this. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Merge monitor and echo test suitesPhil Sutter2017-08-154-88/+96
| | | | | | | | | The two test suites were pretty similar already, and since echo output is supposed to be identical to monitor output apart from delete commands, they can be merged together with litte effort. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add a simple test suite for --echo optionPhil Sutter2017-08-142-0/+57
| | | | | | | | The fancy thing about this is that it uses the actual echo output to undo the changes to the rule set. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix arp chain testFlorian Westphal2017-08-081-3/+2
| | | | | | | | | | The forward chain isn't supported anymore (on kernel side it only worked if bridge netfilter 'call-arptables' sysctl is on), so this test now fails with nf-next kernel. In nftables one can filter/test arp packets in bridge family directly. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/monitor: Clear ruleset after testingPhil Sutter2017-07-271-5/+6
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Simplify testcasesPhil Sutter2017-07-275-29/+20
| | | | | | | | By introducing 'O -' indicating that output should be identical as input, testcases can be simplified quite a bit. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Fix printing of set declarationsPhil Sutter2017-07-274-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | The optional attributes 'flags', 'gc-interval' and 'timeout' have to be delimited by stmt_separator (either newline or semicolon), not 'nl' which is set to whitespace by set_print_plain(). In order to restore readability, change stmt_separator to include a single whitespace after the semicolon. Here's monitor output for the following command: | # nft add set ip t testset { type inet_service; \ | timeout 60s; gc-interval 120s; } Before this patch: | add set ip t testset { type inet_service;timeout 1m gc-interval 2m } With this patch applied: | add set ip t testset { type inet_service; timeout 1m; gc-interval 2m; } Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Add a small READMEPhil Sutter2017-07-251-0/+48
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Ignore newgen messages in outputPhil Sutter2017-07-251-2/+5
| | | | | | | | | | | | Predicting the new ID value is not feasible and neither is implementing support for regular expressions when matching monitor output, so simply ignore them. Also use diff option '-w' instead of '-Z' to ignore all whitespace, not just at EOL. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add basic monitor testing frameworkPhil Sutter2017-07-195-0/+168
| | | | | | | | This implements testing of 'nft monitor' output correctness and adds a number of testcases for named sets. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: update include directory tests to support wildcard syntax.Ismo Puustinen2017-06-2711-13/+171
| | | | | Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Fail test forcefully when bug is not fixedShyam Saini2017-06-261-1/+1
| | | | | | | | | | | | | | | | | | | | When we have "fail" in the test cases then py test doesn't complain anything, but the test should complain if the fix is not applied. Before applying 986dea8a4a9d ("evaluate: avoid reference to multiple src data in statements which set values"), nft throws following error message and exits with error code 134. $ nft add rule x y tcp dport set { 0 , 1 } BUG: unknown expression type set reference nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed. Aborted This commit enforces nft-test.py to throw error message when the fix is not applied. Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Test input descriptors for included filesShyam Saini2017-06-261-0/+52
| | | | | | | | | | | Before b14572f72aac ("erec: Fix input descriptors for included files"), nft error message was pointing to wrong file. But after this commit it points to right file. This patch adds a new test for this commit. Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test for incomplete set add set commandShyam Saini2017-06-261-0/+16
| | | | | | | | | | | | | | | | | | | | | | | Before c6cd7c22548a ("src: fix crash when inputting an incomplete set add command") commit, if we run nft with incomplete "add set" command it caused segmentation fault and exit with error code 139 and further it didn't throw any error message. For example: $ sudo nft add set t s But after the aforementioned commit it throws syntax error message and exits with return value 1. For example: $ sudo nft add set t s <cmdline>:1:12-12: Error: syntax error, unexpected newline, expecting '{' add set t s ^ This commit tests changes made in such commit. Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: restrict meta nfproto test cases to inet familyFlorian Westphal2017-06-185-32/+36
| | | | | | | Followup patch will reject meta nfproto for non-inet families. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: remove two non-sensical rulesFlorian Westphal2017-06-182-25/+0
| | | | | | | | | | | | | | | meta nfproto returns the hook family that the current packet is being evaluted in, e.g. NFPROTO_NETDEV in case we're called from the netdev context. This makes no sense, if we add a rule to netdev, bridge, ip, ... table then thats where it will be evaluated, no runtime test needed. Only exception: inet family, in this case, nfproto will be either ipv4 or ipv6. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: restrict ct saddr test to inet familyFlorian Westphal2017-06-184-8/+23
| | | | | | | | | | | | | | | | any/ct.t: ERROR: line 94: src/nft add rule --debug=netlink ip6 test-ip6 output meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed. Actually, this failure is "ok; we can't find upper layer protocol in this case, but even if we'd "fix" this it is still non-sensical, meta nfproto ipv4, but family is ipv6 --> rule would never match. First move this to an inet-specific test. A followup patch will reject meta nfproto for all families except inet. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Add test for ambiguity while setting the valueShyam Saini2017-06-186-0/+16
| | | | | | | | | | | | | | | | | | | | | This test checks bug identified and fixed in the commit mentioned below In a statement if there are multiple src data then it would be totally ambiguous to decide which value to set. Before the commit was made it returned 134(BUG), but now it returns 1 i.e, an error message. Following rules tests ambiguity while setting the value: $ sudo nft add rule ip test-ip4 output ct mark set {0x11333, 0x11} <cmdline>:1:41-55: Error: you cannot use a set here, unknown value to use add rule ip test-ip4 output ct mark set {0x11333, 0x11} ~~~~~~~~~~~~^^^^^^^^^^^^^^^ Test: 986dea8 ("evaluate: avoid reference to multiple src data in statements which set values") Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ct eventmask to eventFlorian Westphal2017-06-072-13/+19
| | | | | | | | ct status isn't named 'statusmask' either. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: added tests for ordering files in include dirs.Ismo Puustinen2017-06-072-0/+98
| | | | | | | | Test that the files are ordered properly by introducing included files which have internal dependencies. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix inet/bridge/netdev family handling for saddr/daddrFlorian Westphal2017-06-062-0/+11
| | | | | | | | | | | | | "ct orignal saddr" has an invalid data type, as the address can be either ipv4 or ipv6. For some cases we could infer it from the rhs, but there are cases where we don't have any information, e.g. when passing ct original saddr to jhash expression. So do the same thing that we do for "rt nexthop" -- error out and hint to user they need to specifiy the desired address type with "meta nfproto". Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: test include directoriesIsmo Puustinen2017-06-066-0/+217
| | | | | | | | | | | | Add tests for: * including an empty directory * including directory with one or two files in it * testing for required trailing slash in directory name * testing for detecting non-existent directory * testing for a broken file in included directory Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: flush stdout on each test runPablo Neira Ayuso2017-05-291-0/+2
| | | | | | Useful when redirecting output to file and tail -f it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix up meta l4proto change for ip familyFlorian Westphal2017-05-1956-6881/+176
| | | | | | | We can delete some of the payload files now as ip/ip6/inet produce same implicit meta l4proto dep. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix up meta l4proto change for ip6 familyFlorian Westphal2017-05-1921-391/+391
| | | | | | | | | | | | After previous commit nft generates meta l4proto for ipv6 dependencies instead of checking the (first) nexthdr value. This fixes up all tests cases accordingly except one which fails with ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset' This will be fixed by removing the implicit dependency in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow update of net base w. meta l4proto icmpv6Florian Westphal2017-05-192-0/+8
| | | | | | | | | | nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert <cmdline>:1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6 add icmpv6 to nexthdr list so base gets updated correctly. Reported-by: Thomas Woerner <twoerner@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add ip reject with tcp and check for mark tooFlorian Westphal2017-05-188-6/+21
| | | | | | | ... to avoid resetting e.g. the ssh session to the vm that runs nft-test.py. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: reject: remove dependency for tcp-resetsFlorian Westphal2017-05-181-1/+1
| | | | | | We can remove a l4 dependency in ip/ipv6 families. Signed-off-by: Florian Westphal <fw@strlen.de>
* expression: print sets and maps in pretty formatArturo Borrero Gonzalez2017-05-153-12/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Print elements per line instead of all in a single line. The elements which can be 'short' are printed 5 per line, and others, like IPv4 addresses are printed 2 per line. Example: % nft list ruleset -nnn table ip t { set s { type inet_service elements = { 1, 2, 3, 4, 10, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 12345 } } map m { type inet_service . iface_index : verdict elements = { 123 . "lo" : accept, 1234 . "lo" : accept, 12345 . "lo" : accept, 12346 . "lo" : accept, 12347 . "lo" : accept } } set s3 { type ipv4_addr elements = { 1.1.1.1, 2.2.2.2, 3.3.3.3 } } } Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: don't kill dependencies accross statementsFlorian Westphal2017-05-082-0/+26
| | | | | | add a test case for previous commit. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: delete element and chain in transactionPablo Neira Ayuso2017-05-041-0/+76
| | | | | | | | This patch adds a test to test refcounting from element to chain and objects. Reported-by: Andreas Schultz <aschultz@tpip.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add conntrack event mask supportFlorian Westphal2017-04-242-0/+26
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* hash: generate a random seed if seed option is emptyLiping Zhang2017-04-152-0/+8
| | | | | | | | | | | Typing the "nft add rule x y ct mark set jhash ip saddr mod 2" will not generate a random seed, instead, the seed will always be zero. So if seed option is empty, we shoulde not set the NFTA_HASH_SEED attribute, then a random seed will be generated in the kernel. Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add test for flush command selectiveness on setsElise Lennion2017-03-241-0/+41
| | | | | | | | This tests the selectiveness of flush command on structures that use the generic set infrastructure (sets, maps and flow tables). Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sets: Fix for missing space after last elementPhil Sutter2017-03-2215-31/+31
| | | | | | | | | | | Not having a space between the last element in a set and the closing curly brace looks ugly, so add it here. This also adjusts all shell testcases as they match whitespace in nft output and therefore fail otherwise. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: netns/0003many_0: Fix cleanup after errorPhil Sutter2017-03-221-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If rule set applying failed, this would leave a stray netns in place. Interestingly, this situation led to other, seemingly unrelated testcases to fail with spurious errors, e.g. sets/0015rulesetflush_0: | $ ./run-tests.sh testcases/sets/0015rulesetflush_0 | I: using nft binary ../../src/nft | | W: [FAILED] testcases/sets/0015rulesetflush_0: expected 0 but got 1 | /tmp/tmp.BY7cuUYL8f:5:1-2: Error: Could not process rule: Operation not supported | table inet filter { | ^^ | /tmp/tmp.BY7cuUYL8f:9:1-2: Error: Could not process rule: No such file or directory | add element inet filter blacklist_v4 { | ^^ | /tmp/tmp.BY7cuUYL8f:5:1-2: Error: Could not process rule: Operation not supported | table inet filter { | ^^ | /tmp/tmp.BY7cuUYL8f:9:1-2: Error: Could not process rule: No such file or directory | add element inet filter blacklist_v4 { | ^^ | | I: results: [OK] 0 [FAILED] 1 [TOTAL] 1 | | $ ip netns list | 1_0003many_0 | $ ip netns del 1_0003many_0 | | $ ./run-tests.sh testcases/sets/0015rulesetflush_0 | I: using nft binary ../../src/nft | | I: [OK] testcases/sets/0015rulesetflush_0 | | I: results: [OK] 1 [FAILED] 0 [TOTAL] 1 Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add test cases for nested anonymous setsPhil Sutter2017-03-225-0/+103
| | | | | | | | | This makes sure nesting of anonymous sets works regardless of whether defines are used or not. As a side-effect, it also checks that overlap checking when IP address prefixes are used, works. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: Add some exotic ICMPv6 typesPhil Sutter2017-03-202-3/+39
| | | | | | | | | | | | | | | This adds support for matching on inverse ND messages as defined by RFC3122 (not implemented in Linux) and MLDv2 as defined by RFC3810. Note that ICMPV6_MLD2_REPORT macro is defined in linux/icmpv6.h but including that header leads to conflicts with symbols defined in netinet/icmp6.h. In addition to the above, "mld-listener-done" is introduced as an alias for "mld-listener-reduction". Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add insert-failure testFlorian Westphal2017-03-162-3/+15
| | | | | | | It should not be possible to add a ip6 restricted helper to ip family. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add ct helper testsFlorian Westphal2017-03-163-1/+28
| | | | | | | needs minor tweak to nft-test.py so we don't zap the ';' withhin the {}. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: test comments with small setsPablo Neira Ayuso2017-03-131-0/+12
| | | | | | Just a test to cover the bitmap backend implementation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Adjust for changed exthdr debug outputPhil Sutter2017-03-132-14/+14
| | | | | | | | Debug output from libnftnl has changed to include 'present' keyword if NFT_EXTHDR_F_PRESENT flag is set in expression. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fib: Support existence checkPhil Sutter2017-03-132-0/+13
| | | | | | | | | | | | | | | | | This allows to check whether a FIB entry exists for a given packet by comparing the expression with a boolean keyword like so: | fib daddr oif exists The implementation requires introduction of a generic expression flag EXPR_F_BOOLEAN which allows relational expression to signal it's LHS that a boolean comparison is being done (indicated by boolean type on RHS). In contrast to exthdr existence checks, fib expression can't know this in beforehand because the LHS syntax is absolutely identical to a non-boolean comparison. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Implement existence checkPhil Sutter2017-03-104-0/+96
| | | | | | | | | | | This allows to check for existence of an IPv6 extension or TCP option header by using the following syntax: | exthdr frag exists | tcpopt window exists Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: hash: support of symmetric hashLaura Garcia Liebana2017-03-062-0/+5
| | | | | | | | | | | | | | | | | | | | | This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash. The main difference between both types are: - jhash requires an expression with sreg, symhash doesn't. - symhash supports modulus and offset, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>