path: root/tests
Commit message | Author | Age | Files | Lines
* src: allow binop expressions with variable right-hand operands (HEAD, master) | Jeremy Sowden | 2024-12-04 | 25 | -0/+335

    Hitherto, the kernel has required constant values for the `xor` and
    `mask` attributes of boolean bitwise expressions. This has meant that
    the right-hand operand of a boolean binop must be constant. Now the
    kernel has support for AND, OR and XOR operations with right-hand
    operands passed via registers, we can relax this restriction.

    Allow non-constant right-hand operands if the left-hand operand is not
    constant, e.g.:

        ct mark & 0xffff0000 | meta mark & 0xffff

    The kernel now supports performing AND, OR and XOR operations directly,
    on one register and an immediate value or on two registers, so we need
    to be able to generate and parse bitwise boolean expressions of this
    form. If a boolean operation has a constant RHS, we continue to send a
    mask-and-xor expression to the kernel.

    Add tests for {ct,meta} mark with variable RHS operands.

    JSON support is also included.

    This requires Linux kernel >= 6.13-rc.

    [ Originally posted as patch 1/8 and 6/8 which has been collapsed and
      simplified to focus on initial {ct,meta} mark support. Tests have
      been extracted from 8/8 including a tests/py fix to payload output
      due to incorrect output in original patchset. JSON support has been
      extracted from patch 7/8 --pablo]

    Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
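The commit message contrasts two kernel encodings of a boolean binop: a constant right-hand operand is sent as a (mask, xor) pair evaluated as `(x & mask) ^ xor`, while a register operand such as `meta mark & 0xffff` needs the newer register-register AND/OR/XOR. The following is an added example, not nftables or kernel code, that models both encodings on the 32-bit mark registers (the width is an assumption for the example) and cross-checks them; `merge_marks` walks the `ct mark & 0xffff0000 | meta mark & 0xffff` expression quoted above.

```python
"""Constant-RHS boolean binops as nft_bitwise mask/xor pairs (added example)."""

MARK_BITS = 32  # assumed register width: ct mark / meta mark are 32-bit


def mask_xor(op: str, rhs: int, width_bits: int = MARK_BITS) -> tuple[int, int]:
    """Return (mask, xor) such that (x & mask) ^ xor == x <op> rhs for every x."""
    all_ones = (1 << width_bits) - 1
    rhs &= all_ones
    if op == "&":                      # x & c: keep only the bits of c, flip nothing
        return rhs, 0
    if op == "|":                      # x | c: clear the bits of c, then set them
        return all_ones & ~rhs, rhs
    if op == "^":                      # x ^ c: keep everything, flip the bits of c
        return all_ones, rhs
    raise ValueError(f"unsupported boolean op {op!r}")


def bitwise_bool(x: int, mask: int, xor: int) -> int:
    """What a mask-and-xor bitwise expression computes in the kernel."""
    return (x & mask) ^ xor


def direct(op: str, lhs: int, rhs: int) -> int:
    """Register form: the kernel applies the operator to two values itself."""
    return {"&": lhs & rhs, "|": lhs | rhs, "^": lhs ^ rhs}[op]


def merge_marks(ct_mark: int, meta_mark: int) -> int:
    """ct mark & 0xffff0000 | meta mark & 0xffff

    Both inner ANDs have a constant RHS and keep the mask/xor encoding. The
    outer OR joins two registers, so it has no constant encoding at all;
    that is the case that needs the register-operand support.
    """
    hi = bitwise_bool(ct_mark, *mask_xor("&", 0xffff0000))
    lo = bitwise_bool(meta_mark, *mask_xor("&", 0x0000ffff))
    return direct("|", hi, lo)


def encodings_agree(samples=(0, 1, 0x80000000, 0xdeadbeef, 0xffffffff)) -> bool:
    """Cross-check the mask/xor encoding against the direct operator."""
    for op in "&|^":
        for x in samples:
            for c in samples:
                if bitwise_bool(x, *mask_xor(op, c)) != direct(op, x, c):
                    return False
    return True


if __name__ == "__main__":
    print(hex(merge_marks(0x12345678, 0xabcdef01)))   # 0x1234ef01
    print(encodings_agree())                           # True
```

The OR case is the one worth remembering when reading `nft --debug=netlink` output: `x | c` shows up as `mask = ~c, xor = c`, not as an OR.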
* optimize: compare expression length | Pablo Neira Ayuso | 2024-12-04 | 1 | -0/+13

    Do not merge raw payload expressions with different length. Other
    expressions rely on key comparison which is assumed to have the same
    length already.

    Fixes: 60dcc01d6351 ("optimize: add __expr_cmp()")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: allow to map key to nfqueue number | Florian Westphal | 2024-11-11 | 2 | -0/+17

    Allow to specify a numeric queue id as part of a map.

    The parser side is easy, but the reverse direction (listing) is not.
    'queue' is a statement, it doesn't have an expression.

    Add a generic 'queue_type' datatype as a shim to the real basetype with
    constant expressions. This is used only for udata build/parse: it
    stores the "key" (the parser token, here "queue") as udata in kernel
    and can then restore the original key.

    Add a dumpfile to validate parser & output.

    JSON support is missing because JSON allows typeof only since quite
    recently.

    Joint work with Pablo.

    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1455
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: monitor: Become $PWD agnostic | Phil Sutter | 2024-11-07 | 1 | -3/+2

    The call to 'cd' is problematic since later the script tries to
    'exec unshare -n $0'. This is not the only problem though: Individual
    test cases specified on command line are expected to be relative to
    the script's directory, too. Just get rid of these nonsensical
    restrictions.

    Reported-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Phil Sutter <phil@nwl.cc>

* tests: monitor: Run in own netns | Phil Sutter | 2024-11-06 | 1 | -0/+11

    Have the script call itself prefixed by unshare. This won't prevent
    clashing test case contents, but at least leave the host netns alone.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

* monitor: Recognize flowtable add/del events | Phil Sutter | 2024-11-06 | 1 | -0/+10

    These were entirely ignored before, add the necessary code analogous
    to e.g. objects.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

* tests: py: Fix for storing payload into missing file | Phil Sutter | 2024-11-06 | 1 | -3/+2

    When running a test for which no corresponding *.payload file exists,
    the *.payload.got file name was incorrectly constructed due to
    'payload_path' variable not being set.

    Fixes: 2cfab7a3e10fc ("tests/py: Write dissenting payload into the right file")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* json: Support typeof in set and map types | Phil Sutter | 2024-11-06 | 12 | -37/+195

    Implement this as a special "type" property value which is an object
    with sole property "typeof". The latter's value is the JSON
    representation of the expression in set->key, so for concatenated
    typeofs it is a concat expression.

    All this is a bit clumsy right now but it works and it should be
    possible to tear it down a bit for more user-friendliness in a
    compatible way by either replacing the concat expression by the array
    it contains or even the whole "typeof" object - the parser would just
    assume any object (or objects in an array) in the "type" property
    value are expressions to extract a type from.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

* tests: shell: move device to different namespace | Pablo Neira Ayuso | 2024-11-05 | 1 | -0/+39

    This actually triggers an UNREGISTER event, it is similar to existing
    tests, but add this test to improve coverage for this scenario.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: monitor: fix up test case breakage | Florian Westphal | 2024-10-29 | 2 | -2/+6

    Monitor test fails:

        echo: running tests from file set-simple.t
        echo output differs!
        -add element ip t portrange { 1024-65535 }
         add element ip t portrange { 100-200 }
        +add element ip t portrange { 1024-65535 }
        +# new generation 510 by process 129009 (nft)

    I also noticed -j mode did not work correctly, add missing json
    annotations in set-concat-interval.t while at it.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: don't rely on writable test directory | Florian Westphal | 2024-10-29 | 3 | -31/+23

    Running shell tests from a virtme-ng instance with ro mapped test dir
    hangs due to runaway 'awk' reading from stdin instead of the intended
    $tmpfile (variable is empty), so add quotes where needed.

    0002relative_0 wants to check relative includes. It tries to create a
    temporary file in the current directory, which fails as that's
    readonly inside the virtme vm instance. [ -w ! $foo ... did not catch
    this due to missing "". Add quotes and return the skip retval so the
    test gets flagged as skipped.

    0013input_descriptors_included_files_0 and 0020include_chain_0 are
    switched to normal tmpfiles, there is nothing in the test that needs
    relative includes.

    Also, get rid of some error tests for subsequent mktemp calls for
    scripts that already called 'set -e'.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Join arithmetic statements in maps/vmap_timeout | Phil Sutter | 2024-10-11 | 1 | -6/+3

    In light of the recent typo fix, go an extra step and merge the
    modulo and offset adjustment in a single term.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

* tests: shell: fix spurious dump failure in vmap timeout test | Florian Westphal | 2024-10-11 | 1 | -1/+1

    Blamed commit can update the timeout to 6s, but last line waits for 5
    seconds and expects that to be enough to have all elements vanish.

    Fix the typo to limit update timeout also to 5 seconds and not 6.

    This fixes spurious dump failures like this one:

        - elements = { 1.2.3.4 . 22 : jump ssh_input }
        + elements = { 1.2.3.4 . 22 : jump ssh_input,
        +              10.0.95.144 . 38023 timeout 6s expires 545ms : jump other_input }

    Fixes: db80037c0279 ("tests: shell: extend vmap test with updates")
    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: more randomization for timeout parameter | Florian Westphal | 2024-09-15 | 1 | -8/+34

    Either pass no timeout argument, pass timeout+expires or omit timeout
    (uses default timeout, if any).

    This should not expose further kernel code to run at this time, but
    unlike the existing (deterministic) element-update test case this
    script does have live traffic and different set types, including
    rhashtable which has async gc.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: py: fix up udp csum fixup output | Florian Westphal | 2024-09-11 | 1 | -2/+2

    Preceding commit switched udp to use the inkernel csum parser, so
    tests warn:

        WARNING: line 7: 'add rule ip test-ip4 input iif "lo" udp checksum set 0': '[ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 csum_flags 0x0 ]' mismatches '[ payload write reg 1 => 2b @ transport header + 6 csum_type 0 csum_off 0 csum_flags 0x1 ]'

    Fixes: f89abfb4068d ("proto: use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag to mangle UDP checksum")
    Signed-off-by: Florian Westphal <fw@strlen.de>

* proto: use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag to mangle UDP checksum | Pablo Neira Ayuso | 2024-09-10 | 1 | -32/+97

    There are two mechanisms to update the UDP checksum field:

    1) _CSUM_TYPE and _CSUM_OFFSET which specify the type of checksum
       (e.g. inet) and offset where it is located.

    2) use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag to use layer 4 kernel
       protocol parser.

    The problem with 1) is that it is unconditional, that is, csum_type
    and csum_offset cannot deal with zero UDP checksum.

    Use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag instead since it relies on the
    layer 4 kernel parser which skips updating zero UDP checksum.

    Extend test coverage for the UDP mangling with and without zero
    checksum.

    Fixes: e6c9174e13b2 ("proto: add checksum key information to struct proto_desc")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
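The practical point of the commit above is that a UDP checksum of zero means "no checksum" (RFC 768), so a blind incremental update at `csum_off` turns an unchecksummed datagram into one carrying a garbage checksum, while a layer-4-aware update leaves it alone. The following is an added example, not nftables or kernel code, that models a `udp dport set` rewrite of a constructed IPv4/UDP datagram under both strategies: the unconditional path uses the RFC 1624 incremental update (the arithmetic the kernel's checksum-replace helpers perform), the pseudo-header path skips a zero field. Addresses, ports and payload are constructed sample data; pseudo-header changes from address mangling are out of scope.

```python
"""udp dport set: unconditional csum_off update vs L4 pseudo-header mode (added example)."""
import struct

IPPROTO_UDP = 17
UDP_DPORT_OFF = 2      # transport-header offsets, as in the nft payload expression
UDP_CSUM_OFF = 6


def fold(s: int) -> int:
    """Ones' complement end-around-carry fold to 16 bits."""
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return s


def inet_csum(data: bytes) -> int:
    """Internet checksum (RFC 1071); odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\0"
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xffff


def udp_csum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Checksum over IPv4 pseudo-header + UDP with the checksum field zeroed.

    A computed zero is sent as 0xffff: on the wire zero means 'no checksum'.
    """
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp))
    zeroed = udp[:UDP_CSUM_OFF] + b"\0\0" + udp[UDP_CSUM_OFF + 2:]
    return inet_csum(pseudo + zeroed) or 0xffff


def build_udp(src, dst, sport, dport, payload, with_csum=True) -> bytes:
    """Constructed UDP datagram; with_csum=False leaves the field at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if with_csum:
        udp = udp[:UDP_CSUM_OFF] + struct.pack("!H", udp_csum(src, dst, udp)) + udp[8:]
    return udp


def csum_replace2(hc: int, old: int, new: int) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): an unconditional 16-bit update.

    Model of the kernel's incremental checksum-replace arithmetic, not its code.
    """
    return (~fold((~hc & 0xffff) + (~old & 0xffff) + new) & 0xffff) or 0xffff


def set_dport(udp: bytes, new_dport: int, pseudohdr_mode: bool) -> bytes:
    """Model of `udp dport set <new_dport>` with either checksum strategy."""
    old_dport = struct.unpack_from("!H", udp, UDP_DPORT_OFF)[0]
    csum = struct.unpack_from("!H", udp, UDP_CSUM_OFF)[0]
    out = bytearray(udp)
    struct.pack_into("!H", out, UDP_DPORT_OFF, new_dport)
    if pseudohdr_mode and csum == 0:
        return bytes(out)            # no checksum present: the field must stay zero
    struct.pack_into("!H", out, UDP_CSUM_OFF, csum_replace2(csum, old_dport, new_dport))
    return bytes(out)


def udp_csum_ok(src: bytes, dst: bytes, udp: bytes) -> bool:
    """Receiver view: zero means 'not checksummed', anything else must verify."""
    field = struct.unpack_from("!H", udp, UDP_CSUM_OFF)[0]
    return field == 0 or field == udp_csum(src, dst, udp)


SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed sample addresses


def demo() -> dict:
    """Rewrite dport 53 -> 5353 on a checksummed and an unchecksummed datagram."""
    with_csum = build_udp(SRC, DST, 40000, 53, b"hi")
    no_csum = build_udp(SRC, DST, 40000, 53, b"hi", with_csum=False)
    return {
        "csum_unconditional_ok": udp_csum_ok(SRC, DST, set_dport(with_csum, 5353, False)),
        "csum_pseudohdr_ok": udp_csum_ok(SRC, DST, set_dport(with_csum, 5353, True)),
        "zero_unconditional_ok": udp_csum_ok(SRC, DST, set_dport(no_csum, 5353, False)),
        "zero_pseudohdr_ok": udp_csum_ok(SRC, DST, set_dport(no_csum, 5353, True)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only `zero_unconditional_ok` comes out false: the incremental update on a zero field produces a non-zero, wrong checksum that a receiver will verify and reject, which is exactly the datagram the pre-fix `csum_type 1 csum_off 6` encoding would emit.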
* tests: shell: stabilize packetpath/payload | Pablo Neira Ayuso | 2024-09-10 | 1 | -30/+34

    - Add sleep calls after setting up container topology.
    - Extend TCP connect timeout to 4 seconds. Test has no listener, this
      is just sending SYN packets that are rejected but it works to test
      the payload mangling ruleset.
    - fix incorrect logic to check for 0 matching packets through grep.

    Fixes: 84da729e067a ("tests: shell: add test to cover payload transport match and mangle")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: add test case for timeout updates | Florian Westphal | 2024-09-10 | 4 | -0/+195

    Needs a feature check file, so add one: Add element with 1m timeout,
    then update expiry to 1ms. If element still exists after 1ms, update
    request was ignored.

    Test case checks timeouts can both be incremented and decremented,
    checks error recovery (update request but transaction fails) and that
    expiry is restored in addition to timeout.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: extend vmap test with updates | Florian Westphal | 2024-09-10 | 1 | -3/+45

    It won't validate that the update is actually effective, but it will
    trigger relevant update logic in kernel.

    This means the updated test works even if the kernel doesn't support
    updates.

    A dedicated test will be added to check timeout updates work.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: add test for kernel stack recursion bug | Florian Westphal | 2024-09-10 | 2 | -0/+39

    Validate that such ruleset updates get rejected.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: extend coverage for meta l4proto netdev/egress matching | Pablo Neira Ayuso | 2024-09-02 | 1 | -0/+149

    Extend coverage to match on small UDP packets from netdev/egress.

    While at it, cover bridge/input and bridge/output hooks too.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* cache: relax requirement for replace rule command | Pablo Neira Ayuso | 2024-08-30 | 3 | -4/+64

    No need for full cache, this command relies on the rule handle which
    is not validated from userspace. Cache requirements are similar to
    those of add/create/delete rule commands.

    This speeds up incremental updates with large rulesets.

    Extend tests/coverage for rule replacement.

    Fixes: 01e5c6f0ed03 ("src: add cache level flags")
    Tested-by: Eric Garver <eric@garver.life>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: cover reset command with counter and quota | Pablo Neira Ayuso | 2024-08-26 | 1 | -0/+104

    Tested-by: Eric Garver <eric@garver.life>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: cover anonymous set with reset command | Pablo Neira Ayuso | 2024-08-26 | 1 | -0/+21

    Extend existing test to reset counters for rules with anonymous set.

    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1763
    Tested-by: Eric Garver <eric@garver.life>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* cache: consolidate reset command | Pablo Neira Ayuso | 2024-08-26 | 1 | -7/+3

    Reset command does not utilize the cache infrastructure. This
    implicitly fixes a crash with anonymous sets because elements are not
    fetched. I initially tried to fix it by toggling the missing cache
    flags, but then ASAN reports memleaks.

    To address these issues, rely on Phil's list filtering
    infrastructure, which is expanded to accommodate filtering
    requirements of the reset commands, such as 'reset table ip' where
    only the family is sent to the kernel.

    After this update, tests/shell reports a few inconsistencies between
    reset and list commands:

    - reset rules chain t c2

      display sets, but it should only list the given chain.

    - reset rules table t
      reset rules ip

      do not list elements in the set. In both cases, these are fully
      listing a given table and family, elements should be included.

    The consolidation also ensures list and reset will not differ.

    A few more notes:

    - CMD_OBJ_TABLE is used for:

        rules family table

      from the parser, due to the lack of a better enum, same applies to
      CMD_OBJ_CHAIN.

    - CMD_OBJ_ELEMENTS still does not use the cache, but same occurs in
      the CMD_GET command case which needs to be consolidated.

    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1763
    Fixes: 83e0f4402fb7 ("Implement 'reset {set,map,element}' commands")
    Fixes: 1694df2de79f ("Implement 'reset rule' and 'reset rules' commands")
    Tested-by: Eric Garver <eric@garver.life>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow 0 burst in limit rate byte mode | Pablo Neira Ayuso | 2024-08-19 | 2 | -0/+24

    Unbreak restoring elements in set with rate limit that fail with:

        > /dev/stdin:3618:61-61: Error: limit burst must be > 0
        >                  elements = { 1.2.3.4 limit rate over 1000 kbytes/second timeout 1s,

    no need for burst != 0 for limit rate byte mode.

    Add tests/shell too.

    Fixes: 702eff5b5b74 ("src: allow burst 0 for byte ratelimit and use it as default")
    Fixes: 285baccfea46 ("src: disallow burst 0 in ratelimits")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: add a few tests for nft -i | Pablo Neira Ayuso | 2024-08-19 | 4 | -0/+35

    Eric Garver recently provided a few tests for nft -i that helped
    identify issues that resulted in reverting:

        e791dbe109b6 ("cache: recycle existing cache with incremental updates")

    add these tests to tests/shell.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: skip vlan mangling testcase if egress is not supported | Pablo Neira Ayuso | 2024-08-19 | 1 | -0/+2

    Add dependency on egress hook to skip this test in older kernels.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: Extend table persist flag test a bit | Phil Sutter | 2024-08-14 | 3 | -11/+42

    Using a co-process, assert owner flag is effective.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

* tests: shell: resolve check-tree.sh errors | Florian Westphal | 2024-08-08 | 11 | -0/+59

    It prints a few errors like this:

        ERR: "tests/shell/testcases/chains/jump_to_base_chain" has no "tests/shell/testcases/chains/dumps/jump_to_base_chain.{nft,nodump}" file

    For all of those, add the relevant .nft dump file.

    Add a 'nodump' file in case the test doesn't print anything (e.g.
    because the test checks that invalid ruleset fails validation).

    Some tests have a .nft but not .json-nft, this is because json lacks
    some features, in particular "typeof" and anonymous/implicit chains.

        ERR: "tests/shell/testcases/maps/delete_element_catchall" has no "tests/shell/testcases/maps/dumps/delete_element_catchall.{nft,nodump}" file
        ERR: "tests/shell/testcases/maps/dumps/delete_elem_catchall.nft" has no test "tests/shell/testcases/maps/delete_elem_catchall"

    these two are related, rename the dump file to match the script name.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: move flowtable with bogus priority to correct location | Florian Westphal | 2024-08-08 | 1 | -1/+0

    This is an input file to be processed by "assert_failures" script.

    Fixes: b40bebbcee36 ("rule: do not crash if to-be-printed flowtable lacks priority")
    Signed-off-by: Florian Westphal <fw@strlen.de>

* optimize: skip variables in nat statements | Pablo Neira Ayuso | 2024-07-18 | 1 | -7/+45

    Do not hit assert():

        nft: optimize.c:486: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed.

    variables are not supported by -o/--optimize at this stage.

    Fixes: 9be404a153bc ("optimize: ignore existing nat mapping")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: connect chains to hook point | Florian Westphal | 2024-07-11 | 14 | -10/+31

    These tests should fail because they contain a loop or exceed the
    jump stack. But this depends on the kernel validating chains that are
    not bound to any basechain/hook point.

    Wire up the initial chain to filter type.

    Without this, tests will start to fail when kernel stops validating
    chains that are not reachable by any base chain.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: test jump to basechain is rejected, even if there is no loop | Florian Westphal | 2024-07-11 | 1 | -0/+25

    Check that we can't jump to input hook from output.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: add more ruleset validation test cases | Florian Westphal | 2024-07-11 | 3 | -0/+493

    Passes fine on all tested kernel releases.

    Same as existing tests, but try harder to fool the validation:

    1. Add a ruleset where the jump that exceeds 16 is "broken", i.e.

           c0 -> c1 ... -> c8
           c9 -> c10 ... -> c16

       Where c0 is a base chain, with a graph that's really a linear list
       from c0 to c8 and c9 to c16 is a linear list not connected to the
       former or a hook point.

       Then try to link them either directly via jump/goto rule or
       indirectly with a verdict map.

       Try both unbound map with element doing 'goto c9' and then trying
       to add vmap rule to c8 (must fail, creates link).

       Then try reverse: with empty map, add vmap rule to c8 (should
       work, no elements...). Then, add map element with jump or goto to
       c9. This should be rejected.

    Try the same thing with a tproxy expression in a user-defined chain:
    attempt to make it reachable from c0 (filter input), which is
    illegal.

    Signed-off-by: Florian Westphal <fw@strlen.de>
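The three commits above all probe the same kernel property: a chain graph is only validated from the base chains that can reach it, and a chain reached through too many nested jumps, through a loop, or a jump/goto back into a base chain must be rejected. The following is an added example, not part of the nftables test suite, that builds the two linear chain lists from the commit message (c0..c8 hanging off a base chain, c9..c16 dangling), links them either with a plain jump rule or with a verdict-map element, emits `nft -f` text so the real kernel check can be run, and runs a small userspace pre-check mirroring those three rejections. The depth accounting follows the commit's description, with c0 -> ... -> c16 counted as reaching the NFT_JUMP_STACK_SIZE limit of 16 nested jumps; the kernel's own bookkeeping is not reproduced, and `meta l4proto` as the vmap key and the `inet t` table name are choices made for the example.

```python
"""Chain-graph ruleset generator and jump-stack/loop pre-check (added example)."""

NFT_JUMP_STACK_SIZE = 16   # nested-jump limit the kernel enforces at validation time


def linear_chains(first: int, last: int) -> dict:
    """c<first> -> c<first+1> -> ... -> c<last>, each hop a plain jump rule.

    Rules are (verdict, target, vmap_key) tuples; vmap_key is None for a
    plain jump/goto rule and the vmap key string for a verdict-map element.
    """
    chains = {f"c{i}": [] for i in range(first, last + 1)}
    for i in range(first, last):
        chains[f"c{i}"].append(("jump", f"c{i + 1}", None))
    return chains


def split_ruleset() -> tuple[dict, set]:
    """Base chain c0 reaching c8, plus an unconnected c9..c16 list."""
    chains = {**linear_chains(0, 8), **linear_chains(9, 16)}
    return chains, {"c0"}


def add_vmap_element(chains: dict, chain: str, key: str, verdict: str, target: str) -> None:
    """Add an element of the `meta l4proto vmap { ... }` rule in `chain`."""
    chains[chain].append((verdict, target, key))


def to_nft(chains: dict, base_chains: set, table: str = "inet t") -> str:
    """Render the graph as an `nft -f` ruleset for the real kernel check."""
    out = [f"table {table} {{"]
    for name, rules in chains.items():
        out.append(f"\tchain {name} {{")
        if name in base_chains:
            out.append("\t\ttype filter hook input priority filter; policy accept;")
        elems = [f"{k} : {v} {t}" for v, t, k in rules if k is not None]
        if elems:
            out.append("\t\tmeta l4proto vmap { " + ", ".join(elems) + " }")
        for v, t, k in rules:
            if k is None:
                out.append(f"\t\t{v} {t}")
        out.append("\t}")
    out.append("}")
    return "\n".join(out) + "\n"


def validate(chains: dict, base_chains: set, limit: int = NFT_JUMP_STACK_SIZE):
    """Walk from every base chain; return (True, 'ok') or (False, reason).

    Chains not reachable from a base chain are never visited, which is the
    behaviour the 'connect chains to hook point' commit anticipates.
    """
    def walk(name, level, path):
        if level >= limit:
            return f"{name}: {level} nested jumps reach NFT_JUMP_STACK_SIZE ({limit})"
        if name in path:
            return f"{name}: loop via {' -> '.join(path + [name])}"
        for verdict, target, _ in chains[name]:
            if target in base_chains:
                return f"{name}: {verdict} {target} targets a base chain"
            if target not in chains:
                return f"{name}: {verdict} to unknown chain {target}"
            err = walk(target, level + 1, path + [name])
            if err:
                return err
        return None

    for base in sorted(base_chains):
        err = walk(base, 0, [])
        if err:
            return False, err
    return True, "ok"


if __name__ == "__main__":
    chains, base = split_ruleset()
    print(validate(chains, base))                 # (True, 'ok'): c9..c16 is unreachable
    add_vmap_element(chains, "c8", "tcp", "goto", "c9")
    print(validate(chains, base))                 # rejected: c16 is 16 jumps deep
    print(to_nft(chains, base), end="")
```

Feed the rendered text to `nft -f` (or `nft -c -f` for a check-only run) on a test kernel to compare the pre-check's verdict with the kernel's. The pre-check is deliberately stricter in one respect than what the commit's dangling-list trick exploits: it never validates c9..c16 on their own, so an oversized or looping subgraph is only caught once something reachable links into it, exactly the moment the tests expect the kernel to say no.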
* optimize: clone counter before insertion into set element | Pablo Neira Ayuso | 2024-07-05 | 2 | -0/+28

    The counter statement that is zapped from the rule needs to be cloned
    before inserting it into each set element.

    Fixes: 686ab8b6996e ("optimize: do not remove counter in verdict maps")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: cover set element deletion in maps | Pablo Neira Ayuso | 2024-07-05 | 4 | -0/+87

    Extend existing coverage to deal with set element deletion, including
    catchall elements too.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: check for removing table via handle with incorrect family | Pablo Neira Ayuso | 2024-06-27 | 1 | -0/+9

    This test checks for upstream commit:

        f6e1532a2697 ("netfilter: nf_tables: validate family when identifying table via handle")

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: py: drop redundant JSON outputs | Pablo Neira Ayuso | 2024-06-25 | 2 | -86/+0

    8abe71f862e6 ("tests: py: Warn if recorded JSON output matches the input")
    adds a warning on duplicated JSON outputs. Remove them when running
    tests with -j:

        WARNING: Recorded JSON output matches input for: icmp code { 2, 4, 54, 33, 56}

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: add test case for reset tcp warning | Florian Westphal | 2024-06-25 | 3 | -0/+212

    tcp reset rule + nftrace 1 triggers (harmless) splat from flow
    dissector:

        WARNING: CPU: 2 PID: 145809 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x19d4/0x5cc0
        __skb_get_hash+0xa8/0x220
        nft_trace_init+0x2ff/0x3b0
        nft_do_chain+0xb04/0x1370
        nft_do_chain_inet+0xc5/0x2e0
        nf_hook_slow+0xa0/0x1d0
        ip_local_out+0x14/0x90
        nf_send_reset+0x94e/0xbd0
        nft_reject_inet_eval+0x45e/0x690
        nft_do_chain+0x220/0x1370
        nf_hook_slow+0xa0/0x1d0
        ip_local_deliver+0x23f/0x2d0

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dynset: avoid erroneous assert with ipv6 concat data | Son Dinh | 2024-06-16 | 11 | -0/+141

        nft add rule ip6 table-test chain-1 update @map-X { ip6 saddr : 1000::1 . 5001 }
        nft: src/netlink_linearize.c:873: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.
        Aborted (core dumped)

    This is because we pass the EXPR_SET_ELEM expr to the register
    allocation, which will make it reserve one 128-bit register / 16
    bytes.

    This happens to be enough for most cases, but it's not for ipv6
    concat data.

    Pass the actual key and data instead: This will reserve enough space
    to hold a possible concat expression.

    Also add test cases.

    Signed-off-by: Son Dinh <dinhtrason@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* rule: do not crash if to-be-printed flowtable lacks priority | Florian Westphal | 2024-06-16 | 1 | -0/+6

    Print an empty flowtable rather than crashing when dereferencing
    flowtable->priority.expr (it's NULL).

    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: use common shebang in "packetpath/flowtables" test | Thomas Haller | 2024-06-16 | 1 | -1/+3

    "./tools/check-tree.sh" checks for a certain shebang. Either
    `/bin/bash` or `/bin/bash -e`. No others are currently allowed,
    because it makes sense to be strict/consistent and there is no need
    for such flexibility.

    Move the "-x" to a later command.

    Note that "set -x" may not be a good choice anyway. If you want to
    debug a test and see the shell commands, you could just run

        $ ./tests/shell/run-tests.sh tests/shell/testcases/packetpath/flowtables -x

    That will automatically use `/bin/bash -x` as interpreter. And that
    works for all tests the same. This is also the reason why
    "check-tree.sh" checks for a well-known shebang. Because the "-x"
    option of the test runner mangles the shebang, but for that it needs
    to understand it.

    Signed-off-by: Thomas Haller <thaller@redhat.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: skip NFTA_RULE_POSITION_ID tests if kernel does not support it | Pablo Neira Ayuso | 2024-06-13 | 3 | -0/+27

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: skip ipsec tests if kernel does not support it | Pablo Neira Ayuso | 2024-06-13 | 2 | -0/+9

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: skip ip option tests if kernel does not support it | Pablo Neira Ayuso | 2024-06-13 | 2 | -0/+10

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: add dependencies to skip unsupported tests in older kernels | Pablo Neira Ayuso | 2024-06-13 | 5 | -0/+14

    Update tests which contain unsupported features in older kernels.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* cmd: skip variable set elements when collapsing commands | Pablo Neira Ayuso | 2024-06-11 | 3 | -2/+11

    ASAN reports an issue when collapsing commands that represent an
    element through a variable:

        include/list.h:60:13: runtime error: member access within null pointer of type 'struct list_head'
        AddressSanitizer:DEADLYSIGNAL
        =================================================================
        ==11398==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffb77cf09c2 bp 0x7ffc818267c0 sp 0x7ffc818267a0 T0)
        ==11398==The signal is caused by a WRITE memory access.
        ==11398==Hint: address points to the zero page.
            #0 0x7ffb77cf09c2 in __list_add include/list.h:60
            #1 0x7ffb77cf0ad9 in list_add_tail include/list.h:87
            #2 0x7ffb77cf0e72 in list_move_tail include/list.h:169
            #3 0x7ffb77cf86ad in nft_cmd_collapse src/cmd.c:478
            #4 0x7ffb77da9f16 in nft_evaluate src/libnftables.c:531
            #5 0x7ffb77dac471 in __nft_run_cmd_from_filename src/libnftables.c:720
            #6 0x7ffb77dad703 in nft_run_cmd_from_filename src/libnftables.c:807

    Skip such commands to address this issue.

    This patch also extends tests/shell to cover for this bug.

    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1754
    Fixes: 498a5f0c219d ("rule: collapse set element commands")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: add vlan mangling test case | Pablo Neira Ayuso | 2024-06-03 | 1 | -0/+75

    As a follow up for:

        74cf3d16d8e9 ("tests: shell: add vlan match test case")

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: add vlan double tagging match simple test case | Pablo Neira Ayuso | 2024-06-03 | 1 | -0/+73

    As a follow up for:

        74cf3d16d8e9 ("tests: shell: add vlan match test case")

    Add basic test for q-in-q matching support.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>