path: root/qa
Commit message | Author | Age | Files | Lines
* qa: update test_api with IPv6 NAT | Arturo Borrero | 2016-05-25 | 1 | -0/+2
  Comparators are not implemented.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add zone attribute to tuple | Daniel Borkmann | 2015-09-29 | 1 | -0/+2
  This patch adds the front-end to the recent ctnetlink interface changes that add the zone attribute into the tuple.

  Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: Keep ct_echo_event and ct_mark_filter out from Makefile.am [libnetfilter_conntrack-1.0.5] | Pablo Neira Ayuso | 2015-09-08 | 1 | -10/+1
  The ct_echo_event and ct_mark_filter tests break `make distcheck'. Get them out of the way until this is correctly integrated into automake.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use stdint types everywhere | Felix Janda | 2015-05-25 | 4 | -14/+14
  Signed-off-by: Felix Janda <felix.janda@posteo.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: add test for mark event filter | Ken-ichirou MATSUZAWA | 2015-03-13 | 4 | -2/+191
  testing mark filter in root by

      # ./qa/ct_mark_filter.sh

  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: build unshared nfct environment | Ken-ichirou MATSUZAWA | 2014-10-14 | 7 | -1/+1024
  nssocket forks and changes netns pre-established by ip(8), serves its socket descriptor to parent via nssocket(). Since this socket is isolated, it can be used to create regression tests for conntrack.

  This also adds a conntrack event testcase as a first user. A ct_echo_event.sh script is provided to build and run this test automatically:

      # ./qa/ct_echo_event.sh
        make: Entering directory...
        ...debug output like:
        [NEW] tcp 6 2 SYN_SENT src=10.255.255.249 dst=10.255.255.250 sport...
        [UPDATE] tcp 6 2 SYN_RECV src=10.255.255.249 dst=10.255.255.250 sport...
        ...
        [DESTROY] icmp 1 src=10.255.255.249 dst=10.255.255.250 type=8 code=0...
      # echo $?
        0

  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: add tests for new bitmask functions | Ken-ichirou MATSUZAWA | 2014-09-11 | 1 | -0/+37
  for nfct_bitmask_clear() and nfct_bitmask_equal()

  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: update cmp ATTR_ZONE size mark and zone | Ken-ichirou MATSUZAWA | 2014-06-24 | 1 | -20/+76
  Test all combinations of flags/attribute states for both ZONE and MARK.

  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: add cmp ATTR_ZONE regression test cases | Florian Westphal | 2014-06-19 | 1 | -0/+46
  As reported by Ken-ichirou MATSUZAWA:

  "conntrack -L --zone 0" doesn't list any output.

  nfct_cmp(mask_obj, ct, NFCT_CMP_MASK) considers ct to not match since the zone attribute in ct is not set for the default (0) zone.

  libnetfilter_conntrack should be more permissive and return that these are equal iff 'mask_obj' has ATTR_ZONE with a 0 value, and ct object has ATTR_ZONE not set.

  These 3 checks currently fail, even though they really should not:

      assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_STRICT) == 1);
      assert(test_cmp_attr32(ATTR_ZONE, false, true, 0, 0, NFCT_CMP_STRICT) == 1);
      assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_MASK) == 1);

  Although in all 3 cases the zone is only set in one conntrack, the value is zero, so it should be equal to a conntrack object without the zone bit set.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: test_connlabel: don't abort when system-wide config exists | Florian Westphal | 2013-07-11 | 1 | -6/+6
  Only dump the contents of the system-wide connlabel.conf if present instead of expecting same content as the qa config.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: nfct_cmp: verify individual attr comparison | Florian Westphal | 2013-06-05 | 1 | -10/+166
  For each attribute:
  - copy ct2 attrs to ct1 (so they're the same)
  - change value of attr
  - call nfct_cmp to check if cmp now fails

  Unfortunately, most attributes fail this test at this time, thus added a TODO exclusion list to make the test pass for now.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: add api test for nfct_cmp and nfct_exp functions | Florian Westphal | 2013-06-02 | 1 | -12/+87
  Some of these checks will fail due to errors in nfct_cmp STRICT handling and missing comparison of attributes in the nfexpect_cmp functions.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* api: add CTA_LABEL_MASK attribute handling | Florian Westphal | 2013-05-06 | 1 | -6/+19
  allows to set/clear only a subset of the in-kernel label set, e.g. "set bit 1 and do not change any others".

  Signed-off-by: Florian Westphal <fw@strlen.de>
* api: add connlabel api and attribute | Florian Westphal | 2013-05-06 | 4 | -6/+108
  adds new labelmap api to create a name <-> bit mapping from a text file (default: /etc/xtables/connlabel.conf).

  nfct_labelmap_new(filename) is used to create the map, nfct_labelmap_destroy() releases the resources allocated for the map.

  Two functions are added to make map lookups: nfct_labelmap_get_name(map, bit) returns the name of a bit, nfct_labelmap_get_bit returns the bit associated with a name.

  The connlabel attribute is represented by a nfct_bitmask object, the nfct_bitmask api can be used to test/set/get individual bits ("labels").

  The existing nfct_attr_get/set interfaces can be used to read or replace the existing labels associated with a conntrack with a new set.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* api: add nfct_bitmask object | Florian Westphal | 2013-05-06 | 1 | -0/+55
  In order to use generic getter/setter API with upcoming conntrack label extension, add helper functions to set/test/unset bits in a vector of arbitrary size.

  Conntrack labels will then be encoded via nfct_bitmask object.

  Original idea from Pablo Neira Ayuso.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: add final OK message after checking release of clone objects | Pablo Neira Ayuso | 2013-03-04 | 1 | -0/+2
  For consistency with other tests.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: fix bogus error in test_api | Pablo Neira Ayuso | 2013-03-04 | 1 | -2/+2
  Use buf[32] as struct nfct_attr_grp_ipv6 is 32 bytes long. That fixes:

      == validate set grp API ==
      ERROR: set/get operations don't match for attribute 2 (2 != 1)
      ERROR: set/get operations don't match for attribute 3 (3 != 1)
      ERROR: set/get operations don't match for attribute 8 (8 != 1)

  Shows up with gcc 4.7.1.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix nfct_clone with certain attribute data types | Florian Westphal | 2012-11-28 | 1 | -2/+8
  some attributes are pointers to malloc'd objects. Simply copying the pointer results in use-after free when the original or the clone is destroyed.

  Fix it by using nfct_copy instead of memcpy and add proper test case for cloned objects:
  - nfct_cmp of orig and clone should return 1 (equal)
  - freeing both the original and the clone should neither leak memory nor result in double-frees.

  the testsuite changes revealed a few more problems:
  - ct1->timeout == ct2->timeout returned 0, ie. same timeout was considered "not equal" by nfct_cmp
  - secctx comparison causes "Invalid address" valgrind warnings when pointer is NULL
  - NFCT_CP_OVERRIDE did not handle helper attribute and erroneously freed ct1 secctx memory.

  While at it, bump qa_test data dummy to 256 (else, valgrind complains about move-depends-on-uninitialized-memory).

  Lastly, fix compilation of test_api by killing bogus ATTR_CONNLABEL.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: fix handling of ATTR_HELPER_INFO attribute | Florian Westphal | 2012-11-22 | 1 | -3/+10
  The attribute is variable-length and must thus be set via set_attr_l().

  Signed-off-by: Florian Westphal <fw@strlen.de>
* Update .gitignore | Jan Engelhardt | 2012-05-19 | 1 | -0/+2
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* qa: change an if to elseif | Jan Engelhardt | 2012-05-19 | 1 | -1/+1
  The compiler is probably smart enough to see that the type cannot change, but make an "else" out of it, just for fun.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove unused LDFLAGS | Jan Engelhardt | 2012-05-19 | 1 | -4/+0
  "-ldl" is not needed since the programs themselves never use functions from libdl. Also, -dynamic is not required at all.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* qa: add test case for get/set ATTR_GRP_* API | Pablo Neira Ayuso | 2012-04-30 | 1 | -1/+66
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: several improvements for the ct_stress tools | Pablo Neira Ayuso | 2012-03-12 | 2 | -9/+21
  This patch improves several aspects of the QA tools to stress the conntrack system via ctnetlink and to check reliable event delivery.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: add some stress tools to test conntrack via ctnetlink | Pablo Neira Ayuso | 2012-03-06 | 3 | -1/+143
  ct_stress adds plenty of flows in assured state (worst case for the conntrack table).

  ct_events_reliable forces reliable event delivery.

  You have to use these tools together:

      ./ct_events_reliable &

  then:

      ./ct_stress 65535 # your ct table size

  If things go well, you will end up hitting ENOMEM.

  Both as root, of course.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add nfexp_cmp | Pablo Neira Ayuso | 2012-01-04 | 1 | -1/+21
  This patch adds nfexp_cmp that allows you to compare two expectation objects.

  This includes the extension of test_api for this new function.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: extend test_api for the expectation API | Pablo Neira Ayuso | 2012-01-04 | 1 | -0/+52
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: extend test_api to validate set API for conntrack objects | Pablo Neira Ayuso | 2012-01-04 | 1 | -0/+32
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: resolve compiler warnings | Jan Engelhardt | 2010-12-30 | 2 | -5/+10
  -Wall flags this:

      make test_api test_filter
      make[1]: Entering directory `/home/jengelh/code/libnetfilter_conntrack/qa'
        CC test_api.o
      test_api.c:16:8: warning: return type defaults to "int"
      test_api.c: In function "eval_sigterm":
      test_api.c:23:18: warning: too many arguments for format
      test_api.c: In function "main":
      test_api.c:55:2: warning: implicit declaration of function "fork"
      test_api.c:34:22: warning: unused variable "h"
      test_api.c:102:1: warning: control reaches end of non-void function
      test_api.c: In function "eval_sigterm":
      test_api.c:29:1: warning: control reaches end of non-void function
        CCLD test_api
        CC test_filter.o
      test_filter.c: In function "main":
      test_filter.c:58:4: warning: implicit declaration of function "inet_addr"
      test_filter.c:74:2: warning: implicit declaration of function "strerror"
      test_filter.c:74:2: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
      test_filter.c:75:1: warning: control reaches end of non-void function
        CCLD test_filter
      make[1]: Leaving directory `/home/jengelh/code/libnetfilter_conntrack/qa'

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* utils: use sizeof(buf) over hardcoded number | Jan Engelhardt | 2010-11-09 | 1 | -1/+1
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Update .gitignore | Jan Engelhardt | 2010-10-30 | 1 | -0/+2
* bsf: major rework of the BSF generation code | Pablo Neira Ayuso | 2008-11-25 | 2 | -1/+80
  This patch reworks the BSF automatic generation code. This feature needs more love and it has several limitations like that the maximum number of IPs are 127 due to BSF code restrictions. See this patch as a first step forward.

  This patch also adds the stack data type, which is used to resolve jump dynamically instead of the previous static approach.

  This patch also includes fixes in the limitations, previous calculations were wrong.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: add test file to check for missing indirect function calls | Pablo Neira Ayuso | 2008-11-23 | 2 | -0/+109
  This patch adds a rudimentary test file to check for possible unset indirect function calls. This automated test should be run after adding a new attribute.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>