| Commit message (Collapse) | Author | Age | Files | Lines |
for nfct_bitmask_clear() and nfct_bitmask_equal()
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
Test all combinations of flags/attribute states for both
ZONE and MARK.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
As reported by Ken-ichirou MATSUZAWA:
"conntrack -L --zone 0" doesn't list any output.
nfct_cmp(mask_obj, ct, NFCT_CMP_MASK)
considers ct to not match since the zone attribute
in ct is not set for the default (0) zone.
libnetfilter_conntrack should be more permissive and return
that these are equal iff 'mask_obj' has ATTR_ZONE with a 0 value,
and ct object has ATTR_ZONE not set.
These 3 checks currently fail, even though they really should not:
assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_STRICT) == 1);
assert(test_cmp_attr32(ATTR_ZONE, false, true, 0, 0, NFCT_CMP_STRICT) == 1);
assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_MASK) == 1);
Although in all 3 cases the zone is only set in one conntrack, the value
is zero, so it should be equal to a conntrack object without the zone
bit set.
Signed-off-by: Florian Westphal <fw@strlen.de>
For each attribute:
- copy ct2 attrs to ct1 (so they're the same)
- change value of attr
- call nfct_cmp to check if cmp now fails
Unfortunately, most attributes fail this test at this time, thus
added a TODO exclusion list to make the test pass for now.
Signed-off-by: Florian Westphal <fw@strlen.de>
Some of these checks will fail due to errors in nfct_cmp STRICT handling
and missing comparison of attributes in the nfexpect_cmp functions.
Signed-off-by: Florian Westphal <fw@strlen.de>
allows to set/clear only a subset of the in-kernel label set, e.g.
"set bit 1 and do not change any others".
Signed-off-by: Florian Westphal <fw@strlen.de>
adds new labelmap api to create a name <-> bit mapping
from a text file (default: /etc/xtables/connlabel.conf).
nfct_labelmap_new(filename) is used to create the map,
nfct_labelmap_destroy() releases the resources allocated for the map.
Two functions are added to make map lookups:
nfct_labelmap_get_name(map, bit) returns the name of a bit,
nfct_labelmap_get_bit returns the bit associated with a name.
The connlabel attribute is represented by a nfct_bitmask object, the
nfct_bitmask api can be used to test/set/get individual bits
("labels").
The existing nfct_attr_get/set interfaces can be used to read or
replace the existing labels associated with a conntrack with a new set.
Signed-off-by: Florian Westphal <fw@strlen.de>
In order to use generic getter/setter API with upcoming
conntrack label extension, add helper functions to set/test/unset
bits in a vector of arbitrary size.
Conntrack labels will then be encoded via nfct_bitmask object.
Original idea from Pablo Neira Ayuso.
Signed-off-by: Florian Westphal <fw@strlen.de>
For consistency with other tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use buf[32] as struct nfct_attr_grp_ipv6 is 32 bytes long. That fixes:
== validate set grp API ==
ERROR: set/get operations don't match for attribute 2 (2 != 1)
ERROR: set/get operations don't match for attribute 3 (3 != 1)
ERROR: set/get operations don't match for attribute 8 (8 != 1)
Shows up with gcc 4.7.1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
some attributes are pointers to malloc'd objects. Simply copying the
pointer results in use-after-free when the original or the clone is
destroyed.
Fix it by using nfct_copy instead of memcpy and add proper test case
for cloned objects:
- nfct_cmp of orig and clone should return 1 (equal)
- freeing both the original and the clone should
neither leak memory nor result in double-frees.
the testsuite changes revealed a few more problems:
- ct1->timeout == ct2->timeout returned 0, ie. same timeout
was considered "not equal" by nfct_cmp
- secctx comparison causes "Invalid address" valgrind warnings
when pointer is NULL
- NFCT_CP_OVERRIDE did not handle helper attribute and
erroneously freed ct1 secctx memory.
While at it, bump qa_test data dummy to 256 (else, valgrind
complains about move-depends-on-uninitialized-memory).
Lastly, fix compilation of test_api by killing bogus ATTR_CONNLABEL.
Signed-off-by: Florian Westphal <fw@strlen.de>
The attribute is variable-length and must thus be set via set_attr_l().
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds nfexp_cmp that allows you to compare two expectation
objects.
This includes the extension of test_api for this new function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Wall flags this:
make test_api test_filter
make[1]: Entering directory `/home/jengelh/code/libnetfilter_conntrack/qa'
CC test_api.o
test_api.c:16:8: warning: return type defaults to "int"
test_api.c: In function "eval_sigterm":
test_api.c:23:18: warning: too many arguments for format
test_api.c: In function "main":
test_api.c:55:2: warning: implicit declaration of function "fork"
test_api.c:34:22: warning: unused variable "h"
test_api.c:102:1: warning: control reaches end of non-void function
test_api.c: In function "eval_sigterm":
test_api.c:29:1: warning: control reaches end of non-void function
CCLD test_api
CC test_filter.o
test_filter.c: In function "main":
test_filter.c:58:4: warning: implicit declaration of function "inet_addr"
test_filter.c:74:2: warning: implicit declaration of function "strerror"
test_filter.c:74:2: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
test_filter.c:75:1: warning: control reaches end of non-void function
CCLD test_filter
make[1]: Leaving directory `/home/jengelh/code/libnetfilter_conntrack/qa'
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This patch adds a rudimentary test file to check for possible unset
indirect function calls. This automated test should be run after
adding a new attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>