| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
| |
Add unit tests for the use of reject with icmp inside netdev family.
reject.t from inet family couldn't be reused because it was using
meta nfproto which is not supported inside netdev.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Enables not specifying any icmp type and code when using reject inside
netdev.
This patch completely enables using reject for the netdev family.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The example adds a rule to the `output` chain, not the `input` chain.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Explicitly eliminate the newgen message from output instead of just the
last line to make sure no other output is dropped by accident. This also
allows the test to pass in unpatched kernels which do not emit the
newgen message despite NLM_F_ECHO if no netlink listeners are present.
Fixes: 46b54fdcf266d ("Revert "monitor: do not print generation ID with --echo"")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Using oif in fib from prerouting is not support, make sure -c reports an
error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Update release name based on the Fearless Fosdick series: Anyface.
Bump dependencies on libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Revert 0e258556f7f3 ("monitor: do not print generation ID with --echo").
There is actually a kernel bug which is preventing from displaying
this generation ID message.
Update the tests/shell to remove the last line of the --echo output
which displays the generation ID once the "netfilter: nftables: fix netlink
report logic in flowtable and genid" kernel fix is applied.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This fixes testcases/sets/0036add_set_element_expiration_0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Turns out json_string() already dups the input, so the temporary dup
passed to it is lost.
Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
reported by tests/monitor# bash run-tests.sh
...
SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops
Due to incorrect structure layout when calling interval_expr_copy().
Fixes: c1f0476fd590 ("segtree: copy expr data to closing element")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel provides information regarding expression since
83d9dcba06c5 ("netfilter: nf_tables: extended netlink error reporting for
expressions").
A common mistake is to refer a chain which does not exist, e.g.
# nft add rule x y jump test
Error: Could not process rule: No such file or directory
add rule x y jump test
^^^^
Use the existing netlink extended error reporting infrastructure to
provide better error reporting as in the example above.
Requires Linux kernel patch 83d9dcba06c5 ("netfilter: nf_tables:
extended netlink error reporting for expressions").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Constify pointer to location object to compile check for unintentional
updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Statically store up to 32 locations per command, if the number of
locations is larger than 32, then skip rather than hit assertion.
Revisit this later to dynamically store location per command using a
hashtable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Available since Linux kernel >= 5.10.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When last expr has no closing element we did not propagate
expr properties such as comment or expire date to the newly
allocated set elem.
Before:
nft create table t
nft 'add set t s { type ipv4_addr; flags interval; timeout 60s; }'
nft add element t s { 224.0.0.0/3 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0-255.255.255.255 }
nft flush set t s
nft add element t s { 224.0.0.0/4, 240.0.0.0/4 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0/4 expires 55s152ms, 240.0.0.0-255.255.255.255 }
nft delete set t s
nft 'add set t s { type ipv4_addr; flags interval; auto-merge; timeout 60s; }'
nft add element t s { 224.0.0.0/4, 240.0.0.0/4 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0-255.255.255.255 }
After:
elements = { 224.0.0.0-255.255.255.255 expires 58s515ms }
elements = { 224.0.0.0/4 expires 54s622ms, 240.0.0.0-255.255.255.255 expires 54s622ms }
elements = { 224.0.0.0-255.255.255.255 expires 57s92ms }
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1454
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Stateless SCTP header mangling doesn't work reliably.
This tells the kernel to update the checksum field using
the sctp crc32 algorithm.
Note that this needs additional kernel support to work.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for inet ingress chains.
table inet filter {
chain ingress {
type filter hook ingress device "veth0" priority filter; policy accept;
}
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: 741a06ac15d2 ("mergesort: find base value expression type via recursion")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: dcec7d57559a ("ct: Add support for the 'id' key")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Element counters reside in 'stmt' field as counter statement. Append
them to 'elem' object as additional 'counter' property, generated by
counter_stmt_json().
Signed-off-by: Gopal Yadav <gopunop@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix for an assertion fail when trying to match against an all-wildcard
interface name:
| % nft add rule t c iifname '"*"'
| nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed.
| zsh: abort nft add rule t c iifname '"*"'
Fix this by detecting the string in expr_evaluate_string() and returning
an error message:
| % nft add rule t c iifname '"*"'
| Error: All-wildcard strings are not supported
| add rule t c iifname "*"
| ^^^
While being at it, drop the 'datalen >= 1' clause from the following
conditional as together with the added check for 'datalen == 0', all
possible other values have been caught already.
|
|
|
|
|
|
|
| |
this updates the two examples in the man page that use the obsolete `meter` to
use sets. I also fixed a bit of formatting for the conntrack expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the user to specify a comment when adding a chain.
Relies on kernel space supporting userdata for chains.
> nft add table ip filter
> nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; }
> list ruleset
table ip filter {
chain input {
comment "test"
type filter hook input priority filter; policy accept;
}
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
--terse with --json is ignored, fix this. This patch also includes a test.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1388
Signed-off-by: Gopal Yadav <gopunop@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the protocol context infrastructure to track multiple
transport protocols when they are specified from sets.
This removes errors like:
"transport protocol mapping is only valid after transport protocol match"
when invoking:
# nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80
This patch also catches conflicts like:
# nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
Error: conflicting protocols specified: udp vs. tcp
add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
^^^^^^^^^
and:
# nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
Error: conflicting protocols specified: udp vs. tcp
add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
^^^^^^^^^
Note that:
- the singleton protocol context tracker is left in place until the
existing users are updated to use this new multiprotocol tracker.
Moving forward, it would be good to consolidate things around this new
multiprotocol context tracker infrastructure.
- link and network layers are not updated to use this infrastructure
yet. The code that deals with vlan conflicts relies on forcing
protocol context updates to the singleton protocol base.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
If there is protocol context for this base, just return from function
to remove one level of indentation. This patch is cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
If nft crashes or hits an assertion, the last command run shows in the
/tmp/nftables-test.log file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Because the command seqnums are monotonic, repeated traversals
of the cmds list from the beginning are not necessary as long as
the error seqnums are also monotonic.
Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Assume each error in the batch will result in a 1k notification for the
non-echo flag set on case as described in 860671662d3f ("mnl: fix --echo
buffer size again").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch grammar supported specifying multiple comments, and
only the last value would be assigned.
This patch adds a function to test if an attribute is already assigned
and, if so, calls erec_queue with this attribute location.
Use this function in order to check for duplication (or more) of comments
for actions that support it.
> nft add table inet filter { flags "dormant"\; comment "test"\; comment "another"\;}
Error: You can only specify this once. This statement is duplicated.
add table inet filter { flags dormant; comment test; comment another;}
^^^^^^^^^^^^^^^^
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enables specifying an optional comment when declaring named objects. The
comment is to be specified inside the object's block ({} block)
Relies on libnftnl exporting nftnl_obj_get_data and kernel space support
to store the comments.
For consistency, this patch makes the comment be printed first when
listing objects.
Adds a testcase importing all commented named objects except for secmark,
although it's supported.
Example: Adding a quota with a comment
> add table inet filter
> nft add quota inet filter q { over 1200 bytes \; comment "test_comment"\; }
> list ruleset
table inet filter {
quota q {
comment "test_comment"
over 1200 bytes
}
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sets that store flags might contain a mixture of values and binary
operations. Find the base value type via recursion to compare the
expressions.
Make sure concatenations are listed in a deterministic way via
concat_expr_msort_value() which builds a mpz value with the tuple.
Adjust a few tests after this update since listing differs after this
update.
Fixes: 14ee0a979b62 ("src: sort set elements in netlink_get_setelems()")
Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iptables had a "-m socket --transparent" which didn't match sockets that are
bound to all addresses (e.g. 0.0.0.0 for ipv4, and ::0 for ipv6). It was
possible to override this behavior by using --nowildcard, in which case it
did match zero bound sockets as well.
The issue is that nftables never included the wildcard check, so in effect
it behaved like "iptables -m socket --transparent --nowildcard" with no
means to exclude wildcarded listeners.
This is a problem as a user-space process that binds to 0.0.0.0:<port> that
enables IP_TRANSPARENT would effectively intercept traffic going in _any_
direction on the specific port, whereas in most cases, transparent proxies
would only need this for one specific address.
The solution is to add "socket wildcard" key to the nft_socket module, which
makes it possible to match on the wildcardness of a socket from
one's ruleset.
This is how to use it:
table inet haproxy {
chain prerouting {
type filter hook prerouting priority -150; policy accept;
socket transparent 1 socket wildcard 0 mark set 0x00000001
}
}
This patch effectively depends on its counterpart in the kernel.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds userdata building logic if a comment is specified when creating a
new table. Adds netlink userdata parsing callback function.
Relies on kernel supporting userdata for nft_table.
Example:
> nft add table ip x { comment "test"\; }
> nft list ruleset
table ip x {
comment "test"
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This significantly improves ruleset listing time with large rulesets
(~50k rules) with _lots_ of non-base chains.
# time nft list ruleset &> /dev/null
Before this patch:
real 0m11,172s
user 0m6,810s
sys 0m4,220s
After this patch:
real 0m4,747s
user 0m0,802s
sys 0m3,912s
This patch also removes list_bindings from netlink_ctx since there is no
need to keep a temporary list of chains anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
netlink_parsers is actually small, but update this code to use a
hashtable instead since more expressions may come in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket https://bugzilla.netfilter.org/show_bug.cgi?id=1449 showed
an issue with rbtree overlap detection coming from the fact that,
after tree rotations performed as part of tree rebalancing, caused
by deletions, end elements are not necessarily descendants of their
corresponding start elements.
Add single-sized elements, delete every second one of them, and
re-add them (they will always be full overlaps) in order to check
overlap detection after tree rotations.
Port indices used in the sets are pseudo-random numbers generated
with Marsaglia's Xorshift algorithm with triplet (5, 3, 1), chosen
for k-distribution over 16-bit periods, which gives a good
statistical randomness and forces 201 rebalancing operations out of
250 deletions with the chosen seed (1).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example: nft --debug=netlink list ruleset
inet firewall @knock_candidates_ipv4
element 0100007f 00007b00 : 0 [end]
element 0200007f 0000f1ff : 0 [end]
element 0100007f 00007a00 : 0 [end]
inet firewall @__set0
element 00000100 : 0 [end]
element 00000200 : 0 [end]
inet firewall knock-input 3
[ meta load l4proto => reg 1 ]
...
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tcp flags == {syn, syn|ack}
tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack}
results in:
BUG: Unknown expression binop
nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
Aborted (core dumped)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Extend and slightly rework tests/shell to cover this case too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow users to add a comment when declaring a named set.
Adds set output handling the comment in both nftables and json
format.
$ nft add table ip x
$ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}}
$ nft list ruleset
table ip x {
set s {
type ipv4_addr;
comment "some_addrs"
elements = { 1.1.1.1, 1.2.3.4 }
}
}
$ nft --json list ruleset
{
"nftables": [
{
"metainfo": {
"json_schema_version": 1,
"release_name": "Capital Idea #2",
"version": "0.9.6"
}
},
{
"table": {
"family": "ip",
"handle": 4857,
"name": "x"
}
},
{
"set": {
"comment": "some_addrs",
"elem": [
"1.1.1.1",
"1.2.3.4"
],
"family": "ip",
"handle": 1,
"name": "s",
"table": "x",
"type": "ipv4_addr"
}
}
]
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Since 94a945ffa81b ("libnftables: Get rid of explicit cache flushes"),
the cache logic checks for the generation number to refresh the cache.
This breaks interactive mode when listing stateful objects though. This
patch adds a new flag to force a cache refresh when the user requests a
ruleset listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mpz_init_bitmask() overrides the existing memory area:
==19179== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
==19179== at 0x483577F: malloc (vg_replace_malloc.c:299)
==19179== by 0x489C718: xmalloc (utils.c:36)
==19179== by 0x4B825C5: __gmpz_init2 (in /usr/lib/x86_64-linux-g nu/libgmp.so.10.3.2) f
==19179== by 0x4880239: constant_expr_alloc (expression.c:400)
==19179== by 0x489B8A1: interval_map_decompose (segtree.c:1098)
==19179== by 0x489017D: netlink_list_setelems (netlink.c:1220)
==19179== by 0x48779AC: cache_init_objects (rule.c:170) 5
==19179== by 0x48779AC: cache_init (rule.c:228)
==19179== by 0x48779AC: cache_update (rule.c:279)
==19179== by 0x48A21AE: nft_evaluate (libnftables.c:406)
left-hand side of the interval is leaked when building the range:
==25835== 368 (128 direct, 240 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==25835== at 0x483577F: malloc (vg_replace_malloc.c:299)
==25835== by 0x489B628: xmalloc (utils.c:36)
==25835== by 0x489B6F8: xzalloc (utils.c:65)
==25835== by 0x487E176: expr_alloc (expression.c:45)
==25835== by 0x487F960: mapping_expr_alloc (expression.c:1149)
==25835== by 0x488EC84: netlink_delinearize_setelem (netlink.c:1166)
==25835== by 0x4DC6928: nftnl_set_elem_foreach (set_elem.c:725)
==25835== by 0x488F0D5: netlink_list_setelems (netlink.c:1215)
==25835== by 0x487695C: cache_init_objects (rule.c:170)
==25835== by 0x487695C: cache_init (rule.c:228)
==25835== by 0x487695C: cache_update (rule.c:279)
==25835== by 0x48A10BE: nft_evaluate (libnftables.c:406)
==25835== by 0x48A19B6: nft_run_cmd_from_buffer (libnftables.c:451)
==25835== by 0x10A8E1: main (main.c:487)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mike Dillinger reported issues with insertion of entries into sets
supporting intervals that were denied because of false conflicts with
elements that were already expired. Partial failures would occur to,
leading to the generation of new intervals the user didn't specify,
as only the opening or the closing elements wouldn't be inserted.
The reproducer provided by Mike looks like this:
#!/bin/bash
nft list set ip filter blacklist4-ip-1m
for ((i=1;i<=10;i++)); do
nft add element filter blacklist4-ip-1m {$i.$i.$i.$i}
sleep 1
done
nft list set ip filter blacklist4-ip-1m
which, run in a loop at different intervals, show the different kind
of failures.
Extend the existing test case for overlapping and non-overlapping
intervals to systematically cover sets with a configured timeout.
As reported by Pablo, the test would fail if we keep a one-second
timeout if it runs on a "slow" kernel (e.g. with KASan), using the
libtool wrapper in src/nft as $NFT, because we can't issue 218
commands within one second. To avoid that, introduce an adaptive
timeout based on how many times we can list a single entry with a
fixed one-second timeout.
On a single 2.9GHz AMD Epyc 7351 thread:
test run nft commands/s timeout
- src/nft libtool wrapper, KASan: 68.4s 10 32s
- nft binary, KASan: 5.1s 168 2s
- src/nft libtool wrapper, w/o KASan: 18.3s 37 8s
- nft binary, w/o KASan: 2.4s 719 1s
While at it, fix expectation for insertion of '15-20 . 50-60' (it's
expected to succeed, given the list), and the reason why I didn't
notice: a simple command preceded by ! won't actually result in
the shell exiting, even if it fails. Add some clearer failure reports
too.
v2:
- adjust set timeouts to nft commands/s
- fix checks on expected outcome of insertions and reports
Reported-by: Mike Dillinger <miked@softtalker.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The test won't stop if we simply precede commands expected to fail
by !. POSIX.1-2017 says:
-e
When this option is on, if a simple command fails for any of
the reasons listed in Consequences of Shell Errors or returns
an exit status value >0, and is not part of the compound list
following a while, until or if keyword, and is not a part of
an AND or OR list, and is not a pipeline preceded by the "!"
reserved word, then the shell will immediately exit.
...but I didn't care about the last part.
Replace those '! nft ...' commands by 'nft ... && exit 1' to actually
detect failures.
As a result, I didn't notice that now, correctly, inserting elements
into a set that contains the same exact element doesn't actually
fail, because nft doesn't pass NLM_F_EXCL on a simple 'add'. Drop
re-insertions from the checks we perform here, overlapping elements
are already covered by other tests.
Fixes: 618393c6b3f2 ("tests: Introduce test for set with concatenated ranges")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|