| Commit message (Collapse) | Author | Age | Files | Lines |
After the previous change nft now culls the dependency chain:
'icmpv6 type echo-request' is shown as-is, and not
'meta nfproto ipv6 meta l4proto 58 icmpv6 type echo-request' anymore.
Signed-off-by: Florian Westphal <fw@strlen.de>
'ct event set label' and 'ct event set new or label' work, but
'ct event set new, label' did not:
nft add rule filter input ct event set new,label
Error: syntax error, unexpected label
This changes the definition to also contain keyword symbol expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
The patch also reorganizes ip/objects.t file.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
expr_rt might write data in host byte order, so make sure to
convert if needed.
This makes 'tcp option maxseg size rt mtu' actually work, right now such rules
are no-ops because nft_exthdr never increases the mss.
While at it, extend the example to not bother testing non-syn packets.
Reported-by: Matteo Croce <technoboy85@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
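The byte-order mistake this commit fixes is easy to reproduce off-box. The following is an added example, not code from the nftables tree or the kernel: it parses a TCP options blob, models what 'rt mtu' leaves in the register, and models the kernel side of 'tcp option maxseg size set'. It assumes that 'rt mtu' yields the route MTU minus a 20-byte IPv4 and a 20-byte TCP header, that the kernel refuses to raise an MSS (as the commit text says), and that the host is little-endian, so a host-order 16-bit value reaches the wire with its bytes swapped. The SYN option bytes are constructed; everything is standard library only.

```python
"""TCP MSS option rewriting and the byte-order bug behind this fix.  Added
example, not nftables or kernel code.  Assumptions: 'rt mtu' evaluates to the
route MTU minus a 20-byte IPv4 and 20-byte TCP header, the kernel side refuses
to raise an MSS (as the commit text says), and the host is little-endian, so
a host-order 16-bit value lands on the wire with its bytes swapped."""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MAXSEG = 0, 1, 2
TCPOLEN_MAXSEG = 4


def parse_tcp_options(opts: bytes) -> list:
    """Walk a TCP options blob into (kind, payload) tuples, checking lengths."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def get_mss(opts: bytes):
    """Return the MSS carried in the options, or None if there is none."""
    for kind, payload in parse_tcp_options(opts):
        if kind == TCPOPT_MAXSEG and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None


def set_mss(opts: bytes, mss: int) -> bytes:
    """Overwrite the MSS option in network byte order."""
    parse_tcp_options(opts)                       # validate before writing
    buf, i = bytearray(opts), 0
    while i < len(buf):
        kind = buf[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = buf[i + 1]
        if kind == TCPOPT_MAXSEG and length == TCPOLEN_MAXSEG:
            buf[i + 2:i + 4] = struct.pack("!H", mss)
            return bytes(buf)
        i += length
    raise ValueError("no MSS option present")


def rt_mtu_register(path_mtu: int, host_order_bug: bool = False) -> bytes:
    """The two bytes 'rt mtu' leaves in the register (assumed: MTU - 40).
    With host_order_bug the value is packed in host order, reproducing the
    pre-fix behaviour on a little-endian box."""
    mss_for_route = path_mtu - 20 - 20
    return struct.pack("<H" if host_order_bug else "!H", mss_for_route)


def exthdr_tcp_set_mss(opts: bytes, register: bytes) -> bytes:
    """Model of the kernel side of 'tcp option maxseg size set': the register
    bytes are read as a big-endian u16 and an increase is silently ignored."""
    old, new = get_mss(opts), struct.unpack("!H", register)[0]
    if old is None or new >= old:
        return opts                               # no-op, MSS untouched
    return set_mss(opts, new)


# Constructed SYN options: MSS 1460, NOP, NOP, SACK-permitted.
SYN_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])

if __name__ == "__main__":
    for bug in (True, False):
        reg = rt_mtu_register(1280, host_order_bug=bug)
        after = exthdr_tcp_set_mss(SYN_OPTS, reg)
        print("register %s -> MSS %d" % (reg.hex(), get_mss(after)))
```

With the bug, a route MTU of 1280 puts d8 04 in the register; read as big-endian that is 55300, which looks like an increase over 1460, so the kernel leaves the option alone and the rule is a no-op. With the value converted, the register holds 04 d8, the kernel sees 1240 < 1460 and clamps.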
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft .. ip ttl set 42
did set the protocol field and left ttl alone, add test cases for this.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
The two test suites were pretty similar already, and since echo output
is supposed to be identical to monitor output apart from delete
commands, they can be merged together with little effort.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The fancy thing about this is that it uses the actual echo output to
undo the changes to the rule set.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The forward chain isn't supported anymore (on kernel side it only worked
if bridge netfilter 'call-arptables' sysctl is on), so this test now fails
with nf-next kernel.
In nftables one can filter/test arp packets in bridge family directly.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
By introducing 'O -' indicating that output should be identical to the
input, testcases can be simplified quite a bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The optional attributes 'flags', 'gc-interval' and 'timeout' have to be
delimited by stmt_separator (either newline or semicolon), not 'nl'
which is set to whitespace by set_print_plain().
In order to restore readability, change stmt_separator to include a
single whitespace after the semicolon.
Here's monitor output for the following command:
| # nft add set ip t testset { type inet_service; \
| timeout 60s; gc-interval 120s; }
Before this patch:
| add set ip t testset { type inet_service;timeout 1m gc-interval 2m }
With this patch applied:
| add set ip t testset { type inet_service; timeout 1m; gc-interval 2m; }
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Predicting the new ID value is not feasible and neither is implementing
support for regular expressions when matching monitor output, so simply
ignore them.
Also use diff option '-w' instead of '-Z' to ignore all whitespace, not
just at EOL.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This implements testing of 'nft monitor' output correctness and adds a
number of testcases for named sets.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When we have "fail" in the test cases then py test doesn't complain
at all, but the test should complain if the fix is not applied.
Before applying 986dea8a4a9d ("evaluate: avoid reference to multiple src
data in statements which set values"), nft throws following error
message and exits with error code 134.
$ nft add rule x y tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted
This commit enforces nft-test.py to throw error message when the fix
is not applied.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Before b14572f72aac ("erec: Fix input descriptors for included files"),
nft error message was pointing to wrong file. But after this commit it
points to right file.
This patch adds a new test for this commit.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Before c6cd7c22548a ("src: fix crash when inputting an incomplete set
add command") commit, if we run nft with an incomplete "add set" command it
caused a segmentation fault and exited with error code 139, and further it
didn't throw any error message.
For example:
$ sudo nft add set t s
But after the aforementioned commit it throws a syntax error message and
exits with return value 1.
For example:
$ sudo nft add set t s
<cmdline>:1:12-12: Error: syntax error, unexpected newline, expecting '{'
add set t s
           ^
This commit tests the changes made in that commit.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Followup patch will reject meta nfproto for non-inet families.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
meta nfproto returns the hook family that the current packet
is being evaluated in, e.g.
NFPROTO_NETDEV in case we're called from the netdev context.
This makes no sense: if we add a rule to a netdev, bridge, ip, ...
table then that's where it will be evaluated, no runtime test needed.
Only exception: inet family, in this case, nfproto will be either
ipv4 or ipv6.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
any/ct.t: ERROR: line 94: src/nft add rule --debug=netlink ip6
test-ip6 output meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed.
Actually, this failure is "ok"; we can't find the upper layer protocol
in this case, but even if we'd "fix" this it is still non-sensical:
meta nfproto ipv4, but family is ipv6 --> rule would never match.
First move this to an inet-specific test.
A followup patch will reject meta nfproto for all families except inet.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
This test checks the bug identified and fixed in the commit mentioned below.
In a statement, if there are multiple src data then it would be
totally ambiguous to decide which value to set.
Before the commit was made it returned 134 (BUG), but now it returns 1,
i.e., an error message.
The following rule tests ambiguity while setting the value:
$ sudo nft add rule ip test-ip4 output ct mark set {0x11333, 0x11}
<cmdline>:1:41-55: Error: you cannot use a set here, unknown value to use
add rule ip test-ip4 output ct mark set {0x11333, 0x11}
                            ~~~~~~~~~~~~^^^^^^^^^^^^^^^
Test: 986dea8 ("evaluate: avoid reference to multiple src data in
statements which set values")
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ct status isn't named 'statusmask' either.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Test that the files are ordered properly by introducing included files
which have internal dependencies.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
"ct original saddr" has an invalid data type, as the address can be either ipv4 or ipv6.
For some cases we could infer it from the rhs, but there are cases where we don't have any
information, e.g. when passing ct original saddr to the jhash expression.
So do the same thing that we do for "rt nexthop" -- error out and hint to the user
that they need to specify the desired address type with "meta nfproto".
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add tests for:
* including an empty directory
* including directory with one or two files in it
* testing for required trailing slash in directory name
* testing for detecting non-existent directory
* testing for a broken file in included directory
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Useful when redirecting output to file and tail -f it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We can delete some of the payload files now as ip/ip6/inet produce
same implicit meta l4proto dep.
Signed-off-by: Florian Westphal <fw@strlen.de>
After previous commit nft generates meta l4proto for ipv6 dependencies
instead of checking the (first) nexthdr value.
This fixes up all test cases accordingly except one which fails with
ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset'
This will be fixed by removing the implicit dependency in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert
<cmdline>:1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6
add icmpv6 to nexthdr list so base gets updated correctly.
Reported-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
... to avoid resetting e.g. the ssh session to the vm that runs
nft-test.py.
Signed-off-by: Florian Westphal <fw@strlen.de>
We can remove a l4 dependency in ip/ipv6 families.
Signed-off-by: Florian Westphal <fw@strlen.de>
Print elements per line instead of all in a single line.
The elements which can be 'short' are printed 5 per line,
and others, like IPv4 addresses are printed 2 per line.
Example:
% nft list ruleset -nnn
table ip t {
        set s {
                type inet_service
                elements = { 1, 2, 3, 4, 10,
                             432, 433, 434, 435, 436,
                             437, 438, 439, 440, 441,
                             442, 443, 444, 445, 446,
                             447, 448, 449, 450, 12345 }
        }
        map m {
                type inet_service . iface_index : verdict
                elements = { 123 . "lo" : accept,
                             1234 . "lo" : accept,
                             12345 . "lo" : accept,
                             12346 . "lo" : accept,
                             12347 . "lo" : accept }
        }
        set s3 {
                type ipv4_addr
                elements = { 1.1.1.1, 2.2.2.2,
                             3.3.3.3 }
        }
}
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add a test case for the previous commit.
Signed-off-by: Florian Westphal <fw@strlen.de>
This patch adds a test to test refcounting from element to chain and
objects.
Reported-by: Andreas Schultz <aschultz@tpip.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Typing the "nft add rule x y ct mark set jhash ip saddr mod 2" will
not generate a random seed, instead, the seed will always be zero.
So if the seed option is empty, we should not set the NFTA_HASH_SEED
attribute, then a random seed will be generated in the kernel.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
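Why a fixed zero seed matters is easiest to see by computing the hash yourself. The following is an added example, not nftables or kernel code: a pure-Python port of the kernel's Jenkins lookup3 jhash() together with a small model of 'ct mark set jhash ip saddr mod N seed S'. It assumes a little-endian host (jhash reads 32-bit words in CPU order), that nft_hash hashes the raw four address bytes and folds the result with the kernel's reciprocal_scale() (as I read nft_hash.c; treat that as an assumption), and a modulus of 2 with no offset. The sample addresses are constructed.

```python
"""Jenkins lookup3 hash (the Linux kernel's jhash()) in pure Python, plus a
model of 'ct mark set jhash ip saddr mod N seed S'.  Added example, not
nftables or kernel code.  Assumptions: little-endian host, nft_hash hashes
the raw address bytes and scales with reciprocal_scale() as nft_hash.c does."""
import os
import struct
import ipaddress

JHASH_INITVAL = 0xDEADBEEF
MASK32 = 0xFFFFFFFF


def rol32(x: int, k: int) -> int:
    return ((x << k) | (x >> (32 - k))) & MASK32


def _mix(a, b, c):
    # __jhash_mix(): spread a fresh 12-byte block across all three words.
    a = (a - c) & MASK32; a ^= rol32(c, 4);  c = (c + b) & MASK32
    b = (b - a) & MASK32; b ^= rol32(a, 6);  a = (a + c) & MASK32
    c = (c - b) & MASK32; c ^= rol32(b, 8);  b = (b + a) & MASK32
    a = (a - c) & MASK32; a ^= rol32(c, 16); c = (c + b) & MASK32
    b = (b - a) & MASK32; b ^= rol32(a, 19); a = (a + c) & MASK32
    c = (c - b) & MASK32; c ^= rol32(b, 4);  b = (b + a) & MASK32
    return a, b, c


def _final(a, b, c):
    # __jhash_final(): last avalanche; the hash value is c.
    c ^= b; c = (c - rol32(b, 14)) & MASK32
    a ^= c; a = (a - rol32(c, 11)) & MASK32
    b ^= a; b = (b - rol32(a, 25)) & MASK32
    c ^= b; c = (c - rol32(b, 16)) & MASK32
    a ^= c; a = (a - rol32(c, 4)) & MASK32
    b ^= a; b = (b - rol32(a, 14)) & MASK32
    c ^= b; c = (c - rol32(b, 24)) & MASK32
    return a, b, c


def jhash(key: bytes, initval: int) -> int:
    """Hash arbitrary bytes with a 32-bit seed, as the kernel's jhash() does."""
    remaining = len(key)
    a = b = c = (JHASH_INITVAL + remaining + initval) & MASK32
    pos = 0
    while remaining > 12:                      # all but the last block
        a = (a + struct.unpack_from("<I", key, pos)[0]) & MASK32
        b = (b + struct.unpack_from("<I", key, pos + 4)[0]) & MASK32
        c = (c + struct.unpack_from("<I", key, pos + 8)[0]) & MASK32
        a, b, c = _mix(a, b, c)
        pos += 12
        remaining -= 12
    if remaining == 0:                         # kernel: case 0, nothing to add
        return c
    lanes = [a, b, c]                          # the switch/fallthrough ladder
    for i, byte in enumerate(key[pos:]):
        lanes[i // 4] = (lanes[i // 4] + (byte << (8 * (i % 4)))) & MASK32
    a, b, c = _final(*lanes)
    return c


def reciprocal_scale(val: int, ep_ro: int) -> int:
    """Kernel reciprocal_scale(): fold a 32-bit value into [0, ep_ro)."""
    return (val * ep_ro) >> 32


def jhash_bucket(saddr: str, modulus: int, seed: int, offset: int = 0) -> int:
    """Bucket that 'jhash ip saddr mod <modulus> seed <seed>' would produce
    (assumed register handling, see the lead-in)."""
    key = ipaddress.IPv4Address(saddr).packed
    return reciprocal_scale(jhash(key, seed), modulus) + offset


def bucket_table(addrs, modulus: int, seed: int) -> dict:
    return {a: jhash_bucket(a, modulus, seed) for a in addrs}


# Constructed sample of client addresses.
SAMPLE = ["10.0.0.1", "10.0.0.2", "192.0.2.7", "198.51.100.9"]

if __name__ == "__main__":
    # Seed 0 is what the pre-fix nft always sent: the table below is the same
    # on every host and every boot, so anyone who can run jhash knows in
    # advance which bucket a given source address lands in.
    print("seed 0      :", bucket_table(SAMPLE, 2, 0))
    # Leaving NFTA_HASH_SEED out lets the kernel choose a random seed instead.
    seed = int.from_bytes(os.urandom(4), "little")
    print("random seed :", bucket_table(SAMPLE, 2, seed))
```

Run it twice: the seed-0 table never changes, the random-seed table does. That is the whole point of the fix: a load-balancing or NAT decision keyed on jhash is only unpredictable to an outsider if the seed is.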
This tests the selectiveness of flush command on structures that use the
generic set infrastructure (sets, maps and flow tables).
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Not having a space between the last element in a set and the closing
curly brace looks ugly, so add it here.
This also adjusts all shell testcases as they match whitespace in nft
output and therefore fail otherwise.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
If rule set applying failed, this would leave a stray netns in place.
Interestingly, this situation led to other, seemingly unrelated
testcases to fail with spurious errors, e.g. sets/0015rulesetflush_0:
| $ ./run-tests.sh testcases/sets/0015rulesetflush_0
| I: using nft binary ../../src/nft
|
| W: [FAILED] testcases/sets/0015rulesetflush_0: expected 0 but got 1
| /tmp/tmp.BY7cuUYL8f:5:1-2: Error: Could not process rule: Operation not supported
| table inet filter {
| ^^
| /tmp/tmp.BY7cuUYL8f:9:1-2: Error: Could not process rule: No such file or directory
| add element inet filter blacklist_v4 {
| ^^
| /tmp/tmp.BY7cuUYL8f:5:1-2: Error: Could not process rule: Operation not supported
| table inet filter {
| ^^
| /tmp/tmp.BY7cuUYL8f:9:1-2: Error: Could not process rule: No such file or directory
| add element inet filter blacklist_v4 {
| ^^
|
| I: results: [OK] 0 [FAILED] 1 [TOTAL] 1
|
| $ ip netns list
| 1_0003many_0
| $ ip netns del 1_0003many_0
|
| $ ./run-tests.sh testcases/sets/0015rulesetflush_0
| I: using nft binary ../../src/nft
|
| I: [OK] testcases/sets/0015rulesetflush_0
|
| I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This makes sure nesting of anonymous sets works regardless of whether
defines are used or not. As a side-effect, it also checks that overlap
checking when IP address prefixes are used, works.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This adds support for matching on inverse ND messages as defined by
RFC3122 (not implemented in Linux) and MLDv2 as defined by RFC3810.
Note that ICMPV6_MLD2_REPORT macro is defined in linux/icmpv6.h but
including that header leads to conflicts with symbols defined in
netinet/icmp6.h.
In addition to the above, "mld-listener-done" is introduced as an alias
for "mld-listener-reduction".
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
It should not be possible to add an ip6 restricted helper to the ip family.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Needs a minor tweak to nft-test.py so we don't zap the ';' within the {}.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Just a test to cover the bitmap backend implementation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Debug output from libnftnl has changed to include 'present' keyword if
NFT_EXTHDR_F_PRESENT flag is set in expression.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows checking whether a FIB entry exists for a given packet by
comparing the expression with a boolean keyword like so:
| fib daddr oif exists
The implementation requires introduction of a generic expression flag
EXPR_F_BOOLEAN which allows a relational expression to signal to its LHS
that a boolean comparison is being done (indicated by boolean type on
RHS). In contrast to exthdr existence checks, fib expression can't know
this beforehand because the LHS syntax is absolutely identical to a
non-boolean comparison.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows checking for the existence of an IPv6 extension or TCP
option header by using the following syntax:
| exthdr frag exists
| tcpopt window exists
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.
The main differences between the two types are:
- jhash requires an expression with sreg, symhash doesn't.
- symhash supports modulus and offset, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>