summaryrefslogtreecommitdiffstats
path: root/tests/py/ip
Commit message (Collapse)AuthorAgeFilesLines
* evaluate: check for missing transport protocol match in nat map with ↵Pablo Neira Ayuso2021-09-292-3/+25
| | | | | | | | | | | | | | | | concatenations Restore this error with NAT maps: # nft add rule 'ip ipfoo c dnat to ip daddr map @y' Error: transport protocol mapping is only valid after transport protocol match add rule ip ipfoo c dnat to ip daddr map @y ~~~~ ^^^^^^^^^^^^^^^ Allow for transport protocol match in the map too, which is implicitly pulling in a transport protocol dependency. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: rework range_expr_to_prefix()Pablo Neira Ayuso2021-09-093-0/+112
| | | | | | | | | Consolidate prefix calculation in range_expr_is_prefix(). Add tests/py for 9208fb30dc49 ("src: Check range bounds before converting to prefix"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: remove redundant meta protocol from the evaluation stepPablo Neira Ayuso2021-09-032-3/+1
| | | | | | | | | | | | | 567ea4774e13 ("netlink_delinearize: incorrect meta protocol dependency kill") does not document two cases that are handled in this patch: - 'meta protocol ip' is removed if used in the ip family. - 'meta protocol ip6' is removed if used in the ip6 family. This patch removes this redundancy earlier, from the evaluation step before netlink bytecode generation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: incorrect meta protocol dependency killPablo Neira Ayuso2021-08-263-0/+27
| | | | | | | | meta protocol is meaningful in bridge, netdev and inet families, do not remove this. Fixes: 056aaa3e6dc6 ("netlink_delinearize: Refactor meta_may_dependency_kill()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: missing json update for numeric reject with icmp numericPablo Neira Ayuso2021-07-271-0/+10
| | | | | | | Add missing tests to cover json support for reject with icmp numeric. Fixes: 1ab1fcbc19a8 ("parser_bison: parse number as reject icmp code") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update new reject with icmp code syntax leftoverPablo Neira Ayuso2021-07-271-7/+7
| | | | | | | I forgot to update a few more spots in the json files. Fixes: 08d2f0493671 ("src: promote 'reject with icmp CODE' syntax") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: promote 'reject with icmp CODE' syntaxPablo Neira Ayuso2021-07-262-18/+18
| | | | | | | | | | | | | | | | | | | | | | | The kernel already assumes that that ICMP type to reject a packet is destination-unreachable, hence the user specifies the *ICMP code*. Simplify the syntax to: ... reject with icmp port-unreachable this removes the 'type' keyword before the ICMP code to reject the packet with. IIRC, the original intention is to leave room for future extensions that allow to specify both the ICMP type and the ICMP code, this is however not possible with the current inconsistent syntax. Update manpages which also refer to ICMP type. Adjust tests/py to the new syntax. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: parse number as reject icmp codePablo Neira Ayuso2021-07-262-0/+5
| | | | | | | | | | | | Extend parser to accept a numeric icmp code, instead of bailing out: # nft add rule inet filter input reject with icmpx type 3 Error: syntax error, unexpected number, expecting string add rule inet filter input reject with icmpx type 3 ^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1555 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: extend coverage for dnat with classic range representationPablo Neira Ayuso2021-07-142-0/+43
| | | | | | Add a few more tests for the classic dnat range representation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for nat with interval concatenationPablo Neira Ayuso2021-07-135-1/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to combine concatenation and interval in NAT mappings, e.g. add rule x y dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 } This generates the following NAT expression: [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] which expects to obtain the following tuple: IP address (min), source port (min), IP address (max), source port (max) to be obtained from the map. This representation simplifies the delinearize path, since the datatype is specified as: ipv4_addr . inet_service. A few more notes on this update: - alloc_nftnl_setelem() needs a variant netlink_gen_data() to deal with the representation of the range on the rhs of the mapping. In contrast to interval concatenation in the key side, where the range is expressed as two netlink attributes, the data side of the set element mapping stores the interval concatenation in a contiguos memory area, see __netlink_gen_concat_expand() for reference. - add range_expr_postprocess() to postprocess the data mapping range. If either one single IP address or port is used, then the minimum and maximum value in the range is the same value, e.g. to avoid listing 80-80, this round simplify the range. This also invokes the range to prefix conversion routine. - add concat_elem_expr() helper function to consolidate code to build the concatenation expression on the rhs element data side. This patch also adds tests/py and tests/shell. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: infer NAT mapping with concatenation from setPablo Neira Ayuso2021-07-132-2/+2
| | | | | | | | | | | | If the map is anonymous, infer it from the set elements. Otherwise, the set definition already have an explicit concatenation definition in the data side of the mapping. This update simplifies the NAT mapping syntax with concatenations, e.g. snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove STMT_NAT_F_INTERVAL flags and interval keywordPablo Neira Ayuso2021-07-132-2/+2
| | | | | | | | | | | | | | | STMT_NAT_F_INTERVAL is not useful, the keyword interval can be removed to simplify the syntax, e.g. snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } This patch reworks 9599d9d25a6b ("src: NAT support for intervals in maps"). Do not remove STMT_NAT_F_INTERVAL yet since this flag is needed for interval concatenations coming in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: unbreak verdict maps with implicit map with interval concatenationsPablo Neira Ayuso2021-06-186-0/+92
| | | | | | | | | | | Verdict maps in combination with interval concatenations are broken, e.g. # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept } Retrieve the concatenation field length and count from the map->map expressions that represents the key of the implicit map. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add a icmp-reply only and icmpv6 id test casesFlorian Westphal2021-06-173-0/+38
| | | | | | | | | | | | | | | | | | Check that nft doesn't remove the dependency in these cases: icmp type echo-reply icmp id 1 ("icmp id" matches both echo request and reply). Add icmpv6 test cases. These fail without the previous patches: add rule ip6 test-ip6 input icmpv6 id 1: 'icmpv6 id 1' mismatches 'icmpv6 type { echo-request, echo-reply} icmpv6 parameter-problem 65536/16' add rule ip6 test-ip6 input icmpv6 type echo-reply icmpv6 id 65534': 'icmpv6 type echo-reply icmpv6 id 65534' mismatches 'icmpv6 type echo-reply @th,32,16 65534' Signed-off-by: Florian Westphal <fw@strlen.de>
* json: tests: add missing concat test caseFlorian Westphal2021-06-141-0/+39
| | | | | | | | | | Fix ERROR: did not find JSON equivalent for rule 'ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }' when running nft-test.py -j Fixes: bbcc5eda7e58 ("evaluate: restore interval + concatenation in anonymous set") Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: restore interval + concatenation in anonymous setPablo Neira Ayuso2021-06-115-0/+44
| | | | | | | | | | | | | | | | | | | Perform the table and set lookup only for non-anonymous sets, where the incremental cache update is required. The problem fixed by 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets") resurrected after the cache rework. # nft add rule x y tcp sport . tcp dport vmap { ssh . 0-65535 : accept, 0-65535 . ssh : accept } BUG: invalid range expression type concat nft: expression.c:1422: range_expr_value_low: Assertion `0' failed. Abort Add a test case to make sure this does not happen again. Fixes: 5ec5c706d993 ("cache: add hashtable cache for table") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: remove redundant test casesFlorian Westphal2021-06-0712-1375/+0
| | | | | | | | | | | | | Check for ... 23-42 ... ... { 23-42 } ... and remove the latter. Followup patch will translate the former to the latter during evaluation step to avoid the unneded anon set. A separate test case will be added that checks for such rewrites. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: catchall element supportFlorian Westphal2021-06-021-0/+84
| | | | | | | Treat '*' as catchall element, not as a symbol. Also add missing json test cases for wildcard set support. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add set element catch-all supportPablo Neira Ayuso2021-05-114-0/+89
| | | | | | | | | | | | | | | | | | | | | | | | | Add a catchall expression (EXPR_SET_ELEM_CATCHALL). Use the asterisk (*) to represent the catch-all set element, e.g. table x { set y { type ipv4_addr counter elements = { 1.2.3.4 counter packets 0 bytes 0, * counter packets 0 bytes 0 } } } Special handling for segtree: zap the catch-all element from the set element list and re-add it after processing. Remove wildcard_expr deadcode in src/parser_bison.y This patch also adds several tests for the tests/py and tests/shell infrastructures. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: Set NFTNL_SET_DATA_TYPE before dumping set elementsPhil Sutter2021-03-096-10/+10
| | | | | | | | In combination with libnftnl's commit "set_elem: Fix printing of verdict map elements", This adds the vmap target to netlink dumps. Adjust dumps in tests/py accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Adjust payloads for fixed nat statement dumpsPhil Sutter2021-03-095-18/+18
| | | | | | Libnftnl no longer dumps unused regs, so drop those. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Add a test sanitizer and fix its findingsPhil Sutter2021-02-046-375/+2
| | | | | | | | | | | | | | | | This is just basic housekeeping: - Remove duplicate tests in any of the *.t files - Remove explicit output if equal to command itself in *.t files - Remove duplicate payload records in any of the *.t.payload* files - Remove stale payload records (for which no commands exist in the respective *.t file - Remove duplicate/stale entries in any of the *.t.json files In some cases, tests were added instead of removing a stale payload record if it fit nicely into the sequence of tests. Signed-off-by: Phil Sutter <phil@nwl.cc>
* json: Do not abbreviate reject statement objectPhil Sutter2021-02-031-2/+5
| | | | | | | | | No need to reduce output size, also this way output is more predictable. While being at it, drop some pointless chunks from tests/py/bridge/reject.t.json.output. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: add icmp/6 test where dependency should be left aloneFlorian Westphal2021-02-013-0/+36
| | | | | | These tests fail: nft should leave the type as-is. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: ct: add missing test inputFlorian Westphal2021-01-261-0/+79
| | | | | | | ERROR: did not find JSON equivalent for rule 'meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }' ERROR: did not find JSON equivalent for rule 'ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }' Signed-off-by: Florian Westphal <fw@strlen.de>
* json: icmp: move expected parts to json.outputFlorian Westphal2021-01-262-109/+98
| | | | | | | | | | | | Phil Sutter says: In general, *.t.json files should contain JSON equivalents for rules as they are *input* into nft. So we want them to be as close to the introductory standard syntax comment as possible. Undo earlier change and place the expected dependency added by nft internals to json.output rather than icmp.t.json. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: disallow ct original {s,d}ddr from concatenationsPablo Neira Ayuso2021-01-252-0/+23
| | | | | | | | | | | | | | | | Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from maps") to cover concatenations too. Error: specify either ip or ip6 for address matching add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 } ^^^^^^^^^^^^^^^^^ The old syntax for ct original saddr without either ip or ip6 results in unknown key size, which breaks the listing. The old syntax is only allowed in simple rules for backward compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: icmp: refresh json outputFlorian Westphal2021-01-211-80/+568
| | | | | | | nft inserts dependencies for icmp header types, but I forgot to update the json test files to reflect this change. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: ct: add missing ruleFlorian Westphal2021-01-211-0/+30
| | | | | | ERROR: did not find JSON equivalent for rule 'meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }' Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: disallow ct original {s,d}ddr from mapsPablo Neira Ayuso2021-01-152-0/+12
| | | | | | | | | test.nft:6:55-71: Error: specify either ip or ip6 for address matching add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 } ^^^^^^^^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: icmp, icmpv6: check we don't add second dependencyFlorian Westphal2020-12-092-0/+13
| | | | | | If dependency is already fulfilled, do not add another one. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ip: add one test case to cover both id and sequenceFlorian Westphal2020-12-092-0/+14
| | | | | | | | | These are two 2-byte matches, so nft will merge the accesses to a single 4-byte load+compare. Check this is properly demangled. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: icmp, icmpv6: avoid remaining warningsFlorian Westphal2020-12-091-17/+18
| | | | | | | | | In case of id/sequence, both 'reply' and 'request' are valid types. nft currently does not remove dependencies that don't have a fixed rhs constant. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix exepcted payload of icmp expressionsFlorian Westphal2020-12-091-1/+130
| | | | | | after previous change nft will insert explicit icmp type match. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: update format of registers in bitwise payloads.Jeremy Sowden2020-11-166-86/+86
| | | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add missing nat_type flag and netmap nat flagFlorian Westphal2020-11-051-0/+108
| | | | | | | | | | | | | | | | JSON in/output doesn't know about nat_type and thus cannot save/restore nat mappings involving prefixes or concatenations because the snat statement lacks the prefix/concat/interval type flags. Furthermore, bison parser was extended to support netmap. This is done with an internal 'netmap' flag that is passed to the kernel. We need to dump/restore that as well. Also make sure ip/snat.t passes in json mode. Fixes: 35a6b10c1bc4 ("src: add netmap support") Fixes: 9599d9d25a6b ("src: NAT support for intervals in maps") Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: json: add missing test case outputFlorian Westphal2020-11-052-3/+3
| | | | | | | | | | | | Fix warnings and errors when running nf-test.py -j due to missing json test case updates. This also makes bridge/reject.t pass in json mode. No code changes. Fixes: 8615ed93f6e4c4 ("evaluate: enable reject with 802.1q") Fixes: fae0a0972d7a71 ("tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t") Fixes: 2a20b5bdbde8a1 ("datatype: add frag-needed (ipv4) to reject options") Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Optimize prefix matches on byte-boundariesPhil Sutter2020-11-045-20/+8
| | | | | | | | | | | | | | | | If a prefix expression's length is on a byte-boundary, it is sufficient to just reduce the length passed to "cmp" expression. No need for explicit bitwise modification of data on LHS. The relevant code is already there, used for string prefix matches. There is one exception though, namely zero-length prefixes: Kernel doesn't accept zero-length "cmp" expressions, so keep them in the old code-path for now. This patch depends upon the previous one to correctly parse odd-sized payload matches but has to extend support for non-payload LHS as well. In practice, this is needed for "ct" expressions as they allow matching against IP address prefixes, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* datatype: add frag-needed (ipv4) to reject optionsMichael Braun2020-05-282-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | This enables to send icmp frag-needed messages using reject target. I have a bridge with connects an gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I though about adding an nftables rule like this: nft insert rule bridge filter FORWARD \ ip protocol tcp \ ip length > 1400 \ ip frag-off & 0x4000 != 0 \ reject with icmp type frag-needed This would reject all tcp packets with ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU). [ pablo: update tests/py ] Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: concatenation, netmap and nat mappingsPablo Neira Ayuso2020-04-282-0/+31
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update nat expressions payload to include proto flagsPablo Neira Ayuso2020-03-203-13/+13
| | | | | | | Update tests according to 6c84577b0d23 ("evaluate: add range specified flag setting (missing NF_NAT_RANGE_PROTO_SPECIFIED)") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Move tcpopt.t to any/ directoryPhil Sutter2020-03-104-651/+0
| | | | | | | Merge tcpopt.t files in ip, ip6 and inet into a common one, they were just marignally different. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: add missing JSON output.Jeremy Sowden2020-02-071-0/+35
| | | | | | | The JSON output was missing for some existing tests. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add slave device matchingFlorian Westphal2020-01-032-0/+14
| | | | | | | | Adds "meta sdif" and "meta sdifname". Both only work in input/forward hook of ipv4/ipv6/inet family. Cc: Martin Willi <martin@strongswan.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* json: tests: fix typo in ct expectation json testFernando Fernandez Mancera2019-09-151-1/+1
| | | | | | | | | The correct form is "ct expectation" not "ct expect". That was causing the tests/py/ip/object.t json test to fail. Fixes: 1dd08fcfa07a ("src: add ct expectations support") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add synproxy stateful object supportFernando Fernandez Mancera2019-09-133-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | Add support for "synproxy" stateful object. For example (for TCP port 80 and using maps with saddr): table ip foo { synproxy https-synproxy { mss 1460 wscale 7 timestamp sack-perm } synproxy other-synproxy { mss 1460 wscale 5 } chain bar { tcp dport 80 synproxy name "https-synproxy" synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct expectations supportStéphane Veyret2019-07-163-0/+20
| | | | | | | This modification allow to directly add/list/delete expectations. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: support for NFT_CT_{SRC,DST}_{IP,IP6}Pablo Neira Ayuso2019-06-212-24/+16
| | | | | | | | | | | | | | | | | These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: prefer meta protocol as bridge l3 dependencyFlorian Westphal2019-06-191-90/+90
| | | | | | | | | | | | | | | | | | | On families other than 'ip', the rule ip protocol icmp needs a dependency on the ip protocol so we do not treat e.g. an ipv6 header as ip. Bridge currently uses eth_hdr.type for this, but that will cause the rule above to not match in case the ip packet is within a VLAN tagged frame -- ether.type will appear as ETH_P_8021Q. Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer to use this instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "tests: py: remove single-value-anon-set test cases"Pablo Neira Ayuso2019-05-248-2/+1056
| | | | This reverts commit d03bcb669c0c645190df9bd166f53380bcac7862.