diff options
| author | Lukas Wunner <lukas@wunner.de> | 2020-03-11 13:20:06 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-10-28 02:01:25 +0200 |
| commit | 510c4fad7e78f9350f492463d68899a6154807d3 (patch) | |
| tree | 42057f190379a7a2c2501977957f1cb6bb501e90 /tests/py/inet | |
| parent | 1e30a3a49a5eaf2a1e0e4b2d8f4949db9db565e7 (diff) | |
src: Support netdev egress hook
Add userspace support for the netdev egress hook which is queued up for
v5.16-rc1, complete with documentation and tests. Usage is identical to
the ingress hook.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/inet')
| -rw-r--r-- | tests/py/inet/ah.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/comp.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/dccp.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/esp.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/ether-ip.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/ether.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/ip.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/ip.t.payload.netdev | 14 | ||||
| -rw-r--r-- | tests/py/inet/ip_tcp.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/map.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/sctp.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/sets.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/tcp.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/udp.t | 3 | ||||
| -rw-r--r-- | tests/py/inet/udplite.t | 3 |
15 files changed, 42 insertions, 14 deletions
diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t index 78c454f7..83b6202b 100644 --- a/tests/py/inet/ah.t +++ b/tests/py/inet/ah.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress - ah nexthdr esp;ok - ah nexthdr ah;ok diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t index ec9924ff..2ef53820 100644 --- a/tests/py/inet/comp.t +++ b/tests/py/inet/comp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress # BUG: nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed. - comp nexthdr esp;ok;comp nexthdr 50 diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t index 2216fa2a..90142f53 100644 --- a/tests/py/inet/dccp.t +++ b/tests/py/inet/dccp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress dccp sport 21-35;ok dccp sport != 21-35;ok diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t index 58e9f884..536260cf 100644 --- a/tests/py/inet/esp.t +++ b/tests/py/inet/esp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress esp spi 100;ok esp spi != 100;ok diff --git a/tests/py/inet/ether-ip.t b/tests/py/inet/ether-ip.t index 0c8c7f9d..759124de 100644 --- a/tests/py/inet/ether-ip.t +++ b/tests/py/inet/ether-ip.t @@ -1,8 +1,9 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok diff --git a/tests/py/inet/ether.t b/tests/py/inet/ether.t index afdf8b89..c4b1ced7 100644 --- a/tests/py/inet/ether.t +++ b/tests/py/inet/ether.t @@ -1,11 +1,12 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept;ok diff --git a/tests/py/inet/ip.t b/tests/py/inet/ip.t index ac5b825e..bdb3330c 100644 --- a/tests/py/inet/ip.t +++ b/tests/py/inet/ip.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe };ok ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop };fail diff --git a/tests/py/inet/ip.t.payload.netdev b/tests/py/inet/ip.t.payload.netdev index 95be9194..38ed0ad3 100644 --- a/tests/py/inet/ip.t.payload.netdev +++ b/tests/py/inet/ip.t.payload.netdev @@ -12,3 +12,17 @@ netdev test-netdev ingress [ payload load 6b @ link header + 6 => reg 10 ] [ lookup reg 1 set __set%d ] +# meta protocol ip ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe } +__set%d test-netdev 3 +__set%d test-netdev 0 + element 01010101 02020202 fecafeca 0000feca : 0 [end] +netdev test-netdev egress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 6b @ link header + 6 => reg 10 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t index f2a28ebd..ab76ffa9 100644 --- a/tests/py/inet/ip_tcp.t +++ b/tests/py/inet/ip_tcp.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress # must not remove ip dependency -- ONLY ipv4 packets should be matched ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22 diff --git a/tests/py/inet/map.t b/tests/py/inet/map.t index e83490a8..5a7161b7 100644 --- a/tests/py/inet/map.t +++ b/tests/py/inet/map.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;meta mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a} mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;meta mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017} diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t index 57b9e67b..016173b9 100644 --- a/tests/py/inet/sctp.t +++ b/tests/py/inet/sctp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress sctp sport 23;ok sctp sport != 23;ok diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t index 1c6f3235..5b22e1fe 100644 --- a/tests/py/inet/sets.t +++ b/tests/py/inet/sets.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input *bridge;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress !set1 type ipv4_addr timeout 60s;ok ?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t index aa07c3ba..f51ebd36 100644 --- a/tests/py/inet/tcp.t +++ b/tests/py/inet/tcp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport set {1, 2, 3};fail diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t index c434f2ed..7f21c8ed 100644 --- a/tests/py/inet/udp.t +++ b/tests/py/inet/udp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress udp sport 80 accept;ok udp sport != 60 accept;ok diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t index a8fdc8ea..6a54709c 100644 --- a/tests/py/inet/udplite.t +++ b/tests/py/inet/udplite.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress udplite sport 80 accept;ok udplite sport != 60 accept;ok |