summaryrefslogtreecommitdiffstats
path: root/tests/py/bridge/vlan.t.payload
Commit message (Collapse)AuthorAgeFilesLines
* payload: don't adjust offsets of autogenerated dependency expressionsFlorian Westphal2021-09-291-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pablo says: user reports that this is broken: nft --debug=netlink add rule bridge filter forward vlan id 100 vlan id set 200 [..] [ payload load 2b @ link header + 14 => reg 1 ] [..] [ payload load 2b @ link header + 28 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x0000c800 ] [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] offset says 28, it is assuming q-in-q, in this case it is mangling the existing header. The problem here is that 'vlan id set 200' needs a read-modify-write cycle because 'vlan id set' has to preserve bits located in the same byte area as the vlan id. The first 'payload load' at offset 14 is generated via 'vlan id 100', this part is ok. The second 'payload load' at offset 28 is the bogus one. Its added as a dependency, but then adjusted because nft evaluation considers this identical to 'vlan id 1 vlan id '2, where nft assumes q-in-q. To fix this, skip offset adjustments for raw expressions and mark the dependency-generated payload instruction as such. This is fine because raw payload operations assume that user specifies base/offset/length manually. Also add a test case for this. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add vlan deiPablo Neira Ayuso2021-06-111-7/+18
| | | | | | | | | | the CFI bit has been repurposed as DEI "Drop Eligible Indicator" since 802.1Q-2011. The vlan cfi field is still retained for compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1516 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: replace vlan ether type with 8021qFlorian Westphal2021-04-031-2/+2
| | | | | | | | | | | | | Previous patches added "8021ad" mnemonic for IEEE 802.1AD frame type. This adds the 8021q shorthand for the existing 'vlan' frame type. nft will continue to recognize 'ether type vlan', but listing will now print 8021q. Adjust all test cases accordingly. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add 8021.AD vlan test casesFlorian Westphal2021-04-031-0/+45
| | | | | | | Check nft doesn't remove the explicit '8021ad' type check and that the expected dependency chains are generated. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: update format of registers in bitwise payloads.Jeremy Sowden2020-11-161-30/+30
| | | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix dumping vlan rulesM. Braun2019-07-311-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Given the following bridge rules: 1. ip protocol icmp accept 2. ether type vlan vlan type ip ip protocol icmp accept The are currently both dumped by "nft list ruleset" as 1. ip protocol icmp accept 2. ip protocol icmp accept Though, the netlink code actually is different bridge filter FORWARD 4 [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] bridge filter FORWARD 5 4 [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] What happens here is that: 1. vlan type ip kills ether type vlan 2. ip protocol icmp kills vlan type ip Fix this by avoiding the removal of all vlan statements in the given example. Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix up meta l4proto change for ip familyFlorian Westphal2017-05-191-2/+2
| | | | | | | We can delete some of the payload files now as ip/ip6/inet produce same implicit meta l4proto dep. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: update for changed set name in payloadPablo Neira Ayuso2016-05-131-3/+3
| | | | | | | Original patch posted in the mailing list from Patrick, I have refreshed this so it applies on top of current HEAD. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinarize: shift constant for ranges tooFlorian Westphal2016-03-101-2/+2
| | | | | | | | | ... else rule like vlan pcp 1-3 won't work and will be displayed as 0-0 (reverse direction already works since range is represented as two lte/gte compare expressions). Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/: rearrange tests directoryArturo Borrero2015-12-151-0/+201
Rearrange the directory to obtain a better organization of files and tests-suites. We end with a tree like this: tests | .--- py .--- shell .--- files This was suggested by Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>