path: root/tests
Commit message    Author    Age    Files    Lines
* tests: Fix tests for immediate and lookup expressions
  Author: Carlos Falgueras García  Age: 2016-08-10  Files: 3  Lines: -35/+67

  An error at Makefile.am has caused that the tests 'nft-expr_immediate-test.c' and 'nft-expr_lookup-tests.c' have not been compiled since they were created. This patch fixes that error and some errors in both tests.

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add missing tests to test-script.sh
  Author: Carlos Falgueras García  Age: 2016-08-10  Files: 1  Lines: -0/+3

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Check set user data
  Author: Carlos Falgueras García  Age: 2016-07-01  Files: 1  Lines: -0/+4

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: lookup: give support for inverted matching
  Author: Arturo Borrero  Age: 2016-06-24  Files: 1  Lines: -0/+4

  Inverted matching support was included in the kernel, let's give support here as well.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: stricter string attribute validation
  Author: Pablo Neira Ayuso  Age: 2016-06-15  Files: 1  Lines: -6/+3

  In nft-expr_lookup-test.c, check for the strings instead of size.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shuffle values that are injected
  Author: Pablo Neira Ayuso  Age: 2016-06-15  Files: 16  Lines: -34/+34

  Shuffle values that are used to set attributes, this variability should help us catch more problems in the future.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Free nftnl_udata_buf before exit
  Author: Carlos Falgueras García  Age: 2016-05-25  Files: 1  Lines: -0/+1

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-nat: Use different values to test
  Author: Shivani Bhardwaj  Age: 2016-04-15  Files: 1  Lines: -6/+6

  Tests are more effective if different values are set so, use different values for every expression.

  Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nft-rule-test: check for NFTNL_RULE_USERDATA
  Author: Carlos Falgueras García  Age: 2016-04-14  Files: 1  Lines: -0/+21

  Modify nft-rule-test.c to check TLV attribute inclusion in nftnl_rule.

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: masq: Add support for port selection
  Author: Shivani Bhardwaj  Age: 2016-03-03  Files: 1  Lines: -0/+8

  Complete masquerading support by allowing port range selection.

  Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add forward expression
  Author: Pablo Neira Ayuso  Age: 2016-02-01  Files: 2  Lines: -0/+94

  Add forward expression for the netdev family.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add support for flags
  Author: Pablo Neira Ayuso  Age: 2016-01-13  Files: 1  Lines: -0/+4

  This patch adds the limit flags, the first client of this is the inversion flag that allows us to match overlimit.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add dup expression support
  Author: Pablo Neira Ayuso  Age: 2015-09-21  Files: 2  Lines: -0/+98

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add per-byte limiting support
  Author: Pablo Neira Ayuso  Age: 2015-09-21  Files: 1  Lines: -0/+4

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add burst attribute
  Author: Pablo Neira Ayuso  Age: 2015-09-21  Files: 1  Lines: -0/+4

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _attr_ infix in new nftnl_ definitions
  Author: Pablo Neira Ayuso  Age: 2015-09-07  Files: 4  Lines: -88/+88

  The function names are already large, trim off the _ATTR_ infix in the attribute definitions.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _ATTR_ infix in new nfntl_ definitions
  Author: Pablo Neira Ayuso  Age: 2015-09-07  Files: 4  Lines: -88/+88

  The constant names are already large, trim off the _ATTR_ infix in the attribute definitions.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename nftnl_rule_expr to nftnl_expr
  Author: Pablo Neira Ayuso  Age: 2015-09-07  Files: 19  Lines: -472/+472

  Use a shorter name for this, moreover this can be used from sets so the _rule_ is misleading.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename existing functions to use the nftnl_ prefix
  Author: Pablo Neira Ayuso  Age: 2015-09-07  Files: 24  Lines: -850/+850

  So we can use the nft_* prefix anytime soon for our upcoming higher level library.

  After this patch, the nft_* symbols become an alias of the nftnl_* symbols.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add netdev family support
  Author: Pablo Neira Ayuso  Age: 2015-06-16  Files: 2  Lines: -6/+7

  Add support for the new NFT_CHAIN_ATTR_DEV attribute that indicates that the basechain is attached to a net_device.

  This partially reworks 1dd9ba1ea23c ("table: add netdev family support").

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table: add netdev family support
  Author: Pablo Neira Ayuso  Age: 2015-05-29  Files: 1  Lines: -3/+6

  This adds support for the new 'netdev' family tables.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: update JSON/XML tests with the new syntax
  Author: Alvaro Neira Ayuso  Age: 2015-02-10  Files: 125  Lines: -124/+126

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: data_reg: use 'reg' instead of 'data_reg'
  Author: Pablo Neira Ayuso  Age: 2014-11-10  Files: 78  Lines: -78/+78

  data_reg is unnecessarily long name and it always has to be wrapped by another data node. This will allow us to represent data not only as registers if needed.

  Get rid of 'cmpdata' and 'immediatedata' too and use 'data' instead to wrap 'reg' so these are consistent with the bitwise expression. No reason for such specific tag per expression.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate XML/JSON exportation
  Author: Pablo Neira Ayuso  Age: 2014-11-10  Files: 6  Lines: -6/+6

  Add new buffer class to consolidate the existing code to export objects in XML/JSON and use it. We save ~700 LOC with this change.

  The rule and set objects are not yet consolidated. It seems this would require some specific glue code per representation type since lists are arranged differently.

  This also consolidates the tag names, so we make sure the same are used from XML and JSON by placing them in include/buffer.h.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: nat: use 'nat_type' instead of 'type' in the parser
  Author: Pablo Neira Ayuso  Age: 2014-11-10  Files: 2  Lines: -2/+2

  'type' is already used from the expression.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add tests for nft_redir expression
  Author: Arturo Borrero  Age: 2014-10-30  Files: 5  Lines: -0/+104

  This patch adds some tests for the nft_redir expression.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: also test nat flags attribute
  Author: Arturo Borrero  Age: 2014-10-03  Files: 3  Lines: -2/+6

  The nat expression has a new attribute. Let's give some testing.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add tests for the masq expression
  Author: Arturo Borrero  Age: 2014-10-03  Files: 5  Lines: -0/+96

  The masq expression is lacking tests. Let's add some.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of cached copies of x_tables.h and xt_LOG.h
  Author: Pablo Neira Ayuso  Age: 2014-08-31  Files: 2  Lines: -26/+5

  Keeping the full cached copy of the x_tables.h file in tree is too much for just the XT_EXTENSION_MAXNAMELEN constant. Similarly, xt_LOG.h is not actually required by the tests, we can use any whatever synthetic data to make sure the setter and getter provide the same result.

  So, let's get rid of these headers from the library tree.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add json and xml test file for queue
  Author: Ana Rey  Age: 2014-06-16  Files: 4  Lines: -0/+5

  New xml and json test files.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xmlfiles: Test files without unset child elements in set elements
  Author: Ana Rey  Age: 2014-06-11  Files: 3  Lines: -3/+3

  Test files without unset child element in set elements.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nft-parsing-test: Display error reason when testing XML
  Author: Ana Rey  Age: 2014-06-11  Files: 1  Lines: -1/+2

  Add the use of system errors (nft_parse_perror) in test_xml to know which node is not found.

  Example:
      parsing xmlfiles/75-ruleset.xml: FAILED (Invalid argument)
      Reason : Node "flags" not found

  [ I have mangled this patch to rename this the current 'fail' message to 'Reason' --pablo ]

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xmlfile: Remove unset child elements in the log expression
  Author: Ana Rey  Age: 2014-06-10  Files: 4  Lines: -4/+4

  Test files without unset child element in the log expression.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: include xml and json test files via make distcheck
  Author: Pablo Neira Ayuso  Age: 2014-04-26  Files: 1  Lines: -1/+3

  Reported-by: Kevin Fenzi <kevin@scrye.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: include test-script.sh via make distcheck
  Author: Pablo Neira Ayuso  Age: 2014-04-25  Files: 1  Lines: -0/+2

  Reported-by: Kevin Fenzi <kevin@scrye.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Fix a memory leak
  Author: Ana Rey  Age: 2014-04-14  Files: 1  Lines: -0/+2

  Free nft_parse_err struct when there is an error in execute_test function.

  It solves the following memory leak shown by valgrind.

      ==7845== 24 bytes in 1 blocks are still reachable in loss record 1 of 2
      ==7845==    at 0x4C29590: calloc (vg_replace_malloc.c:618)
      ==7845==    by 0x401740: execute_test_file (nft-parsing-test.c:249)
      ==7845==    by 0x400EBB: main (nft-parsing-test.c:330)

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add support to check a json or xml testfile
  Author: Ana Rey  Age: 2014-04-14  Files: 1  Lines: -1/+47

  Add new command-line argument "-f <file>" to check a json or xml testfile.

      ./nft-parsing-test -f <file>
          Check this testfile.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: New tools to update xml and json testfiles
  Author: Ana Rey  Age: 2014-04-14  Files: 1  Lines: -6/+36

  New tools to update testfiles when the structure of xml or json files are changed.

  It adds a new command-line argument in nft-parsing-test. With nft-parsing-test -u <directory>, you can update test files in <directory> with a new structure of xml or json file.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xml, json: Delete an immediatedate label in xml and json file
  Author: Ana Rey  Age: 2014-04-14  Files: 9  Lines: -9/+9

  It deletes the immediatedata label in the structure of json and xml file.

  Example of the old structure of xmlfile:

      <nftables>
        <rule>
          <family>ip</family>
          <table>filter</table>
          <chain>input</chain>
          <handle>32</handle>
          <expr type="immediate">
            <dreg>0</dreg>
            <immediatedata>
              <data_reg type="verdict">
                <verdict>accept</verdict>
              </data_reg>
            </immediatedata>
          </expr>
        </rule>
      </nftables>

  Example of the new structure of xmlfile:

      <nftables>
        <rule>
          <family>ip</family>
          <table>filter</table>
          <chain>input</chain>
          <handle>32</handle>
          <expr type="immediate">
            <dreg>0</dreg>
            <data_reg type="verdict">
              <verdict>accept</verdict>
            </data_reg>
          </expr>
        </rule>
      </nftables>

  To generate the new testfiles, it uses the option -u of nft-parsing-test script.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xml, json: Delete a cmpdata label in xml and json file
  Author: Ana Rey  Age: 2014-04-14  Files: 69  Lines: -69/+69

  It deletes the cmpdata label in the structure of json and xml file.

  Example of xmlfile:

  The old structure of xml file:

      [...]
      <expr type="cmp">
        <sreg>1</sreg>
        <op>eq</op>
        <cmpdata>
          <data_reg type="value">
            <len>4</len>
            <data0>0x0100a8c0</data0>
          </data_reg>
        </cmpdata>
      </expr>

  The new structure of json file:

      [...]
      <expr type="cmp">
        <sreg>1</sreg>
        <op>eq</op>
        <data_reg type="value">
          <len>4</len>
          <data0>0x0100a8c0</data0>
        </data_reg>
      </expr>
      [...]

  To generate the new testfiles, it uses the option -u of nft-parsing-test script.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Use getopt_long to parse the command-line arguments.
  Author: Ana Rey  Age: 2014-04-07  Files: 2  Lines: -10/+51

  Use getopt_long to parse the command-line arguments and prepare it to add new arguments in next patches.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix wrong type in NFT_ATTR_*_FAMILY
  Author: Pablo Neira Ayuso  Age: 2014-02-27  Files: 5  Lines: -14/+14

  This fixes assertions in the test files.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' into next-3.14
  Author: Pablo Neira Ayuso  Age: 2014-02-03  Files: 136  Lines: -459/+224

  This patch includes changes to adapt this branch to the library rename that happened in the master branch.

  Conflicts:
      src/Makefile.am
      src/expr/cmp.c
      src/expr/ct.c
      src/expr/data_reg.c
      src/expr/meta.c
      tests/jsonfiles/01-table.json
      tests/jsonfiles/02-table.json
      tests/jsonfiles/64-ruleset.json
      tests/xmlfiles/01-table.xml
      tests/xmlfiles/02-table.xml
| * rename library to libnftnl [libnftnl-1.0.0]
    Author: Pablo Neira Ayuso  Age: 2014-01-20  Files: 22  Lines: -62/+62

    We plan to use this library name for the higher layer library.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * ct: use a string with 'dir' attribute
    Author: Arturo Borrero  Age: 2014-01-18  Files: 11  Lines: -11/+11

    This patch implements a string to represent directions in the CT expression:
     * original (0)
     * reply (1)

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * data_reg: fix verdict format approach
    Author: Arturo Borrero  Age: 2014-01-18  Files: 2  Lines: -1/+2

    Patrick reports that the XML/JSON formats of the data_reg object are not accurate.

    This patch updates these formats, so they are now as follows:

     * <data_reg type=value> with raw data (this doesn't change).
     * <data_reg type=verdict> with a concrete verdict (eg drop accept) and an optional <chain>, with destination.

    In XML:

        <data_reg type="verdict">
          <verdict>goto</verdict>
          <chain>output</chain>
        </data_reg>

    In JSON:

        "data_reg" : {
          "type" : "verdict",
          "verdict" : "goto",
          "chain" : "output"
        }

    The default output format is updated to reflect these changes (minor collateral thing).

    When parsing set_elems, to know if we need to add the NFT_SET_ELEM_ATTR_CHAIN flag, a basic check for the chain not being NULL is done, instead of evaluating if the result of the parsing was DATA_CHAIN. The DATA_CHAIN symbol is no longer used in the data_reg XML/JSON parsing zone.

    While at it, I updated the error reporting stuff regarding data_reg/verdict, in order to leave a consistent state in the library.

    A JSON testfile is updated as well.

    Reported-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * tests: xml: delete comments
    Author: Arturo Borrero  Age: 2014-01-15  Files: 48  Lines: -48/+0

    When building a XML tree, only one root node can be in place.

    This is a "feature" added in libmxml 2.7:

        <<< mxmlLoad... did not error out on XML with multiple root nodes (Bug #403) >>>

    In libmxml 2.6 the second root node was ignored, not because it was a comment but a bug.

    Our files had two root nodes, being comments or not. libmxml accept comments, but inside the root node.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * tests: nft-parsing-test: use nft_ruleset_parse_file()
    Author: Arturo Borrero  Age: 2014-01-09  Files: 112  Lines: -338/+144

    All testfiles are now enclosed in the corresponding top element, ie.

     * XML: <nftables>...</nftables>
     * JSON: {"nftables":[...]}

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * src: new error reporting approach for XML/JSON parsers
    Author: Álvaro Neira Ayuso  Age: 2014-01-06  Files: 1  Lines: -17/+23

    I have added a new structure for reporting some errors in parser that we can't cover with errno.

    In this patch, we have three errors that we can't cover with errno:

        NFT_PARSE_EBADINPUT    : Bad XML/JSON format in the input
        NFT_PARSE_EMISSINGNODE : Missing node in our input
        NFT_PARSE_EBADTYPE     : Wrong type value in a node

    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | tests: add table 'use' attr to testfiles
    Author: Arturo Borrero Gonzalez  Age: 2014-01-03  Files: 6  Lines: -6/+6

    Parsing tests were failing because of a missing 'use' attribute in tables.

        validating xmlfiles/02-table.xml: FAILED
        from file:     0</flags></table> f
        from snprintf: 0</flags><use>0</use
                                 ^
        [...]
        validating jsonfiles/64-ruleset.json: FAILED
        from file:     ,"flags":0}},{"chain
        from snprintf: ,"flags":0,"use":0}}
                                 ^

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>