| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
tcp flags == {syn, syn|ack}
tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack}
results in:
BUG: Unknown expression binop
nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
Aborted (core dumped)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Extend and slightly rework tests/shell to cover this case too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow users to add a comment when declaring a named set.
Adds set output handling the comment in both nftables and json
format.
$ nft add table ip x
$ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}}
$ nft list ruleset
table ip x {
set s {
type ipv4_addr;
comment "some_addrs"
elements = { 1.1.1.1, 1.2.3.4 }
}
}
$ nft --json list ruleset
{
"nftables": [
{
"metainfo": {
"json_schema_version": 1,
"release_name": "Capital Idea #2",
"version": "0.9.6"
}
},
{
"table": {
"family": "ip",
"handle": 4857,
"name": "x"
}
},
{
"set": {
"comment": "some_addrs",
"elem": [
"1.1.1.1",
"1.2.3.4"
],
"family": "ip",
"handle": 1,
"name": "s",
"table": "x",
"type": "ipv4_addr"
}
}
]
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mike Dillinger reported issues with insertion of entries into sets
supporting intervals that were denied because of false conflicts with
elements that were already expired. Partial failures would occur to,
leading to the generation of new intervals the user didn't specify,
as only the opening or the closing elements wouldn't be inserted.
The reproducer provided by Mike looks like this:
#!/bin/bash
nft list set ip filter blacklist4-ip-1m
for ((i=1;i<=10;i++)); do
nft add element filter blacklist4-ip-1m {$i.$i.$i.$i}
sleep 1
done
nft list set ip filter blacklist4-ip-1m
which, run in a loop at different intervals, show the different kind
of failures.
Extend the existing test case for overlapping and non-overlapping
intervals to systematically cover sets with a configured timeout.
As reported by Pablo, the test would fail if we keep a one-second
timeout if it runs on a "slow" kernel (e.g. with KASan), using the
libtool wrapper in src/nft as $NFT, because we can't issue 218
commands within one second. To avoid that, introduce an adaptive
timeout based on how many times we can list a single entry with a
fixed one-second timeout.
On a single 2.9GHz AMD Epyc 7351 thread:
test run nft commands/s timeout
- src/nft libtool wrapper, KASan: 68.4s 10 32s
- nft binary, KASan: 5.1s 168 2s
- src/nft libtool wrapper, w/o KASan: 18.3s 37 8s
- nft binary, w/o KASan: 2.4s 719 1s
While at it, fix expectation for insertion of '15-20 . 50-60' (it's
expected to succeed, given the list), and the reason why I didn't
notice: a simple command preceded by ! won't actually result in
the shell exiting, even if it fails. Add some clearer failure reports
too.
v2:
- adjust set timeouts to nft commands/s
- fix checks on expected outcome of insertions and reports
Reported-by: Mike Dillinger <miked@softtalker.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The test won't stop if we simply precede commands expected to fail
by !. POSIX.1-2017 says:
-e
When this option is on, if a simple command fails for any of
the reasons listed in Consequences of Shell Errors or returns
an exit status value >0, and is not part of the compound list
following a while, until or if keyword, and is not a part of
an AND or OR list, and is not a pipeline preceded by the "!"
reserved word, then the shell will immediately exit.
...but I didn't care about the last part.
Replace those '! nft ...' commands by 'nft ... && exit 1' to actually
detect failures.
As a result, I didn't notice that now, correctly, inserting elements
into a set that contains the same exact element doesn't actually
fail, because nft doesn't pass NLM_F_EXCL on a simple 'add'. Drop
re-insertions from the checks we perform here, overlapping elements
are already covered by other tests.
Fixes: 618393c6b3f2 ("tests: Introduce test for set with concatenated ranges")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following ruleset crashes nft if loaded twice, via nft -ef:
add table inet filter
delete table inet filter
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
iifname { "eth0" } counter accept
}
}
If the table contains anonymous sets, such as __set0, then delete + add
table might result in nft reusing the existing stale __set0 in the cache.
The problem is that nft gets confused and it reuses the existing stale
__set0 instead of the new anonymous set __set0 with the same name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Extend test to cover for negative value in chain priority definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Flush the set cache before adding the flush command to the netlink batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It reports a failure with the following kernel patch:
commit f53b9b0bdc59c0823679f2e3214e0d538f5951b9
Author: Laura Garcia Liebana <nevola@gmail.com>
Date: Sun May 31 22:26:23 2020 +0200
netfilter: introduce support for reject at prerouting stage
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for using variables for devices in the chain and
flowtable definitions, eg.
define if_main = lo
table netdev filter1 {
chain Main_Ingress1 {
type filter hook ingress device $if_main priority -500; policy accept;
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Update permissions in this test script.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This is a test case for the kernel bug fixed by:
netfilter: nf_tables: fix nat hook table deletion
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to group rules in a subchain, e.g.
table inet x {
chain y {
type filter hook input priority 0;
tcp dport 22 jump {
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
}
}
}
This also supports for the `goto' chain verdict.
This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.
From the shell, you have to use the explicit separator ';', in bash you
have to escape this:
# nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
define test = "state"
define foo = "match"
table x {
chain y {
ct state invalid log prefix "invalid $test $foo:"
}
}
This patch scans for variables in the log prefix string. The log prefix
expression is a list of constant and variable expression that are
converted into a constant expression from the evaluation phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Otherwise, interval sets do not display element statement such as
counters.
Fixes: 6d80e0f15492 ("src: support for counter in set definition")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow for empty set definition in variables if they are merged to
non-empty set definition:
define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
}
}
However, disallow this:
define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
}
}
# nft -f x.nft
/tmp/x.nft:6:18-52: Error: Set is empty
tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current check on $NFT only allows to directly pass an executable,
so I've been commenting it out locally for a while to run tests with
valgrind.
Instead of using the -x test, run nft without arguments and check the
exit status. POSIX.1-2017, Shell and Utilities volume, par. 2.8.2
("Exit Status for Commands") states:
If a command is not found, the exit status shall be 127. If the
command name is found, but it is not an executable utility, the
exit status shall be 126. Applications that invoke utilities
without using the shell should use these exit status values to
report similar errors.
While this script isn't POSIX-compliant, it requires bash, and any
modern version of bash complies with those exit status requirements.
Also valgrind complies with this.
We need to quote the NFT variable passed to execute the commands in
the main loop and adjust error and informational messages, too.
This way, for example, export NFT="valgrind nft" can be issued to
run tests with valgrind.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It might be convenient to run tests from a development branch that
resides on another host, and if we break connectivity on the test
host as tests are executed, we can't run them this way.
If kernel implementation (CONFIG_NET_NS), unshare(1), or Python
bindings for unshare() are not available, warn and continue.
Suggested-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Missing .nft extension in dump file.
Fixes: 54eb1e16cc47 ("evaluate: missing datatype definition in implicit_set_declaration()")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
netlink_parse_set_expr() creates a dummy rule object to reuse the
existing netlink parser. Release the rule object to fix a memleak.
Zap the statement list to avoid a use-after-free since the statement
needs to remain in place after releasing the rule.
==21601==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 2016 byte(s) in 4 object(s) allocated from:
#0 0x7f7824b26330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f78245fcebd in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36
#2 0x7f78245fd016 in xzalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:65
#3 0x7f782456f0b5 in rule_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/rule.c:623
Add a test to check for set counters.
SUMMARY: AddressSanitizer: 2016 byte(s) leaked in 4 allocation(s).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
set->data from implicit_set_declaration(), otherwise, set_evaluation()
bails out with:
# nft -f /etc/nftables/inet-filter.nft
/etc/nftables/inet-filter.nft:8:32-54: Error: map definition does not specify
mapping data type
tcp dport vmap { 22 : jump ssh_input }
^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables/inet-filter.nft:13:26-52: Error: map definition does not specify
mapping data type
iif vmap { "eth0" : jump wan_input }
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Add a test to cover this case.
Fixes: 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=208093
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The listing shows no devices:
# nft list ruleset
table ip x {
flowtable y {
hook ingress priority filter
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 64b9aa3803dd ("tests/py: Add tests involving concatenated
ranges") introduced a rule, commented out, adding an anonymous set
including concatenated ranges. Now that they are properly handled,
we can enable it.
Note that this introduces a new warning. In the output below, '\'
marks newlines I introduced to keep lines short:
inet/sets.t: WARNING: line 24: \
'add rule inet test-inet input ip daddr . tcp dport \
{ 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept': \
'ip daddr . tcp dport \
{ 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept' \
mismatches 'meta nfproto ipv4 ip daddr . tcp dport \
{ 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443} accept'
which is similar to the existing warning, also introduced by
commit 64b9aa3803dd:
inet/sets.t: WARNING: line 23: \
'add rule inet test-inet input \
ip saddr . ip daddr . tcp dport @set3 accept': \
'ip saddr . ip daddr . tcp dport @set3 accept' mismatches \
'meta nfproto ipv4 ip saddr . ip daddr . tcp dport @set3 accept'
This is mentioned in the commit message for 64b9aa3803dd itself:
* Payload dependency killing ignores the concatenated IP header
expressions on LHS, so rule output is asymmetric.
which means that for family inet, 'meta nfproto ipv4' is added to
the output of the rule, on top of what was passed as input, but not
for families bridge and netdev.
For this reason, it's not possible in this case to specify a single
expected output, differing from the input, and, also,
'meta nfproto ipv4' can only be passed as input for family inet as
it's not relevant for the other families.
As an alternative, we could split the rules from this test into
tests for the corresponding families, as this test case itself
is under the 'inet' directory, but I consider this beyond the scope
of this patchset.
v2: Enable rule in py/inet/sets.t instead of adding a new test in
shell/sets (Phil Sutter)
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This enables the use nft bridge reject with bridge vlan filtering.
It depends on a kernel patch to make the kernel preserve the
vlan id in nft bridge reject generation.
[ pablo: update tests/py ]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This enables to send icmp frag-needed messages using reject target.
I have a bridge with connects an gretap tunnel with some ethernet lan.
On the gretap device I use ignore-df to avoid packets being lost without
icmp reject to the sender of the bridged packet.
Still I want to avoid packet fragmentation with the gretap packets.
So I though about adding an nftables rule like this:
nft insert rule bridge filter FORWARD \
ip protocol tcp \
ip length > 1400 \
ip frag-off & 0x4000 != 0 \
reject with icmp type frag-needed
This would reject all tcp packets with ip dont-fragment bit set that are
bigger than some threshold (here 1400 bytes). The sender would then receive
ICMP unreachable - fragmentation needed and reduce its packet size (as
defined with PMTU).
[ pablo: update tests/py ]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Despite being explicitly mentioned as available, prerouting and
postrouting hooks are not used, filter-pre and filter-post chains
are both built to hook on input.
Fixes: 25851df85e85 ("tests: regression: revisit chain tests")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Code wasn't aware of prefix elements in interval sets. With previous
changes in place, they merely need to be accepted in
get_set_interval_find() - value comparison and expression duplication is
identical to ranges.
Extend sets/0034get_element_0 test to cover prefixes as well. While
being at it, also cover concatenated ranges.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of using an (possibly outdated) system nft to generate dumps,
use the newly build tool.
This fixes the dump output being corrupted if the system tool does
not support parsing new features.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The 'id' key allows for matching on the id of the conntrack entry.
v2: Remove ct_id_type
Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch transform a range of IP addresses to prefix when listing the
ruleset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
table bridge t {
set s3 {
typeof meta ibrpvid
elements = { 2, 3, 103 }
}
}
# nft --debug=netlink -f test.nft
s3 t 0
s3 t 0
element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end]
^^^^^^^^
The integer_type uses BYTEORDER_INVALID byteorder (which is implicitly
handled as BYTEORDER_BIG_ENDIAN).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Service names printing are not default these days, using service names
with ranges is misleading.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Segfault on error reporting when intervals overlap.
ip saddr vmap {
10.0.1.0-10.0.1.255 : accept,
10.0.1.1-10.0.2.255 : drop
}
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Fixes: 4d6ad0f310d6 ("segtree: check for overlapping elements at insertion")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo reports following list bug:
table ip foo {
map whitelist {
typeof ip saddr . ip daddr : meta mark
elements = { 0x0 [invalid type] . 0x0 [invalid type] : 0x00000001,
0x0 [invalid type] . 0x0 [invalid type] : 0x00000002 }
}
}
Problem is that concat provided 'invalid' dtype.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
non-overlapping ranges
Insertion of overlapping ranges should return success only if the new
elements are identical to existing ones, or, for concatenated ranges,
if the new element is less specific (in all its fields) than any
existing one.
Note that, in case the range is identical to an existing one, insertion
won't actually be performed, but no error will be returned either on
'add element'.
This was inspired by a failing case reported by Phil Sutter (where
concatenated overlapping ranges would fail insertion silently) and is
fixed by kernel series with subject:
nftables: Consistently report partial and entire set overlaps
With that series, these tests now pass also if the call to set_overlap()
on insertion is skipped. Partial or entire overlapping was already
detected by the kernel for concatenated ranges (nft_set_pipapo) from
the beginning, and that series makes the nft_set_rbtree implementation
consistent in terms of detection and reporting. Without that, overlap
checks are performed by nft but not guaranteed by the kernel.
However, we can't just drop set_overlap() now, as we need to preserve
compatibility with older kernels.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Update tests according to 6c84577b0d23 ("evaluate: add range specified
flag setting (missing NF_NAT_RANGE_PROTO_SPECIFIED)")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Merge tcpopt.t files in ip, ip6 and inet into a common one, they were
just marignally different.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Very basic testing, just a set definition, a rule which references it
and another one with an anonymous set.
Sadly this is already enough to expose some pending issues:
* Payload dependency killing ignores the concatenated IP header
expressions on LHS, so rule output is asymmetric.
* Anonymous sets don't accept concatenated ranges yet, so the second
rule is manually disabled for now.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
When setting a fixed timezone, JSON expected output for one (known)
asymmetric rule was left out by accident.
Fixes: 7e326d697ecf4 ("tests/py: Set a fixed timezone in nft-test.py")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Endianness is not meaningful for objects smaller than 2 bytes and the
byte-order conversions are no-ops in the kernel, so just update the
expression as if it were constant.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Will be extended to cover upcoming
'dnat to ip saddr . tcp dport map { \
1.2.3.4 . 80 : 5.6.7.8 : 8080,
2.2.3.4 . 80 : 7.6.7.8 : 1234,
...
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Dump validation may fail:
- tcp dport { 22, 23 } counter packets 0 bytes 0
+ tcp dport { 22, 23 } counter packets 9 bytes 3400
... which is normal on host namespace.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
run_tests.sh alreadty discards stderr by default, but will show it in
case the test script is run directly (passed as argument).
Discarding stderr also in the script prevents one from seeing
BUG() assertions and the like.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This test checks that set elements can be added, deleted, that
addition and deletion are refused when appropriate, that entries
time out properly, and that they can be fetched by matching values
in the given ranges.
v5:
- speed this up by performing the timeout test for one single
permutation (Phil Sutter), by decreasing the number of
permutations from 96 to 12 if this is invoked by run-tests.sh
(Pablo Neira Ayuso) and by combining some commands into single
nft calls where possible: with dash 0.5.8 on AMD Epyc 7351 the
test now takes 1.8s instead of 82.5s
- renumber test to 0043, 0042 was added meanwhile
v4: No changes
v3:
- renumber test to 0042, 0041 was added meanwhile
v2:
- actually check an IPv6 prefix, instead of specifying everything
as explicit ranges in ELEMS_ipv6_addr
- renumber test to 0041, 0038 already exists
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
