| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Complete e6c32b2fa0b8 ("src: add negation match on singleton bitmask
value") which was missing comma-separated list of flags.
This patch provides a shortcut for:
tcp flags and fin,rst == 0
which allows to check for the packet whose fin and rst bits are unset:
# nft add rule x y tcp flags not fin,rst counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous patches added "8021ad" mnemonic for IEEE 802.1AD frame type.
This adds the 8021q shorthand for the existing 'vlan' frame type.
nft will continue to recognize 'ether type vlan', but listing
will now print 8021q.
Adjust all test cases accordingly.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Check nft doesn't remove the explicit '8021ad' type check and that
the expected dependency chains are generated.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
It is closed after allocation, which is too early: this
stopped 'packets' and 'bytes' from getting parsed correctly.
Also add a test case for this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
JSON equivalent for recently added test of the '!' shortcut was missing.
Fixes: e6c32b2fa0b82 ("src: add negation match on singleton bitmask value")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
In combination with libnftnl's commit "set_elem: Fix printing of verdict
map elements", This adds the vmap target to netlink dumps. Adjust dumps
in tests/py accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Libnftnl no longer dumps unused regs, so drop those.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides a shortcut for:
ct status and dnat == 0
which allows to check for the packet whose dnat bit is unset:
# nft add rule x y ct status ! dnat counter
This operation is only available for expression with a bitmask basetype, eg.
# nft describe ct status
ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is just basic housekeeping:
- Remove duplicate tests in any of the *.t files
- Remove explicit output if equal to command itself in *.t files
- Remove duplicate payload records in any of the *.t.payload* files
- Remove stale payload records (for which no commands exist in the
respective *.t file
- Remove duplicate/stale entries in any of the *.t.json files
In some cases, tests were added instead of removing a stale payload
record if it fit nicely into the sequence of tests.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The testsuite supports diverging payloads depending on table family.
This is necessary since for some families, dependency matches are
created.
If a payload mismatch happens, record it into a "got"-file which matches
the family-specific payload file, not the common one. This eases use of
diff-tools a lot as the extra other families' payloads confuse the
tools.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
No need to reduce output size, also this way output is more predictable.
While being at it, drop some pointless chunks from
tests/py/bridge/reject.t.json.output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
These tests fail: nft should leave the type as-is.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
The default burst value is non-zero, so JSON output should include it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Postprocessing for inet family did not attempt to kill any existing
payload dependency, although it is perfectly fine to do so. The mere
culprit is to not abbreviate default code rejects as that would drop
needed protocol info as a side-effect. Since postprocessing is then
almost identical to that of bridge and netdev families, merge them.
While being at it, extend tests/py/netdev/reject.t by a few more tests
taken from inet/reject.t so this covers icmpx rejects as well.
Cc: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Like with bridge family, rejecting with either icmp or icmpv6 must
create a dependency match on meta protocol. Upon delinearization, treat
netdev reject identical to bridge as well so no family info is lost.
This makes reject statement in netdev family fully symmetric so fix
the tests in tests/py/netdev/reject.t, adjust the related payload dumps
and add JSON equivalents which were missing altogether.
Fixes: 0c42a1f2a0cc5 ("evaluate: add netdev support for reject default")
Fixes: a51a0bec1f698 ("tests: py: add netdev folder and reject.t icmp cases")
Cc: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Kernel won't search for tcp options in non-tcp packets.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
ERROR: did not find JSON equivalent for rule 'meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }'
ERROR: did not find JSON equivalent for rule 'ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }'
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Phil Sutter says:
In general, *.t.json files should contain JSON equivalents for rules as
they are *input* into nft. So we want them to be as close to the
introductory standard syntax comment as possible.
Undo earlier change and place the expected dependency added by
nft internals to json.output rather than icmp.t.json.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from
maps") to cover concatenations too.
Error: specify either ip or ip6 for address matching
add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 }
^^^^^^^^^^^^^^^^^
The old syntax for ct original saddr without either ip or ip6 results
in unknown key size, which breaks the listing. The old syntax is only
allowed in simple rules for backward compatibility.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
nft inserts dependencies for icmp header types, but I forgot to
update the json test files to reflect this change.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
ERROR: did not find JSON equivalent for rule 'meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }'
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
test.nft:6:55-71: Error: specify either ip or ip6 for address matching
add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
^^^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ratelimiter in nftables is similar to the one in iptables, and
iptables disallows a zero burst.
Update the byte rate limiter not to print burst 5 (default value).
Update tests/py payloads to print burst 5 instead of zero when the
burst is unspecified.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Payload didn't change but libnftnl was fixed to print the key_end data
reg of concat-range elements, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
If dependency is already fulfilled, do not add another one.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
These are two 2-byte matches, so nft will merge the accesses to
a single 4-byte load+compare.
Check this is properly demangled.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
In case of id/sequence, both 'reply' and 'request' are valid types.
nft currently does not remove dependencies that don't have
a fixed rhs constant.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
nft will now auto-insert a icmpv6 type match.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
after previous change nft will insert explicit icmp type match.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
libnftnl has been changed to bring the format of registers in bitwise
dumps in line with those in other types of expression. Update the
expected output of Python test-cases.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In ARP header, destination ether address sits between source IP and
destination IP addresses. Enum arp_hdr_fields had this wrong, which
in turn caused wrong ordering of entries in proto_arp->templates. When
expanding a combined payload expression, code assumes that template
entries are ordered by header offset, therefore the destination ether
address match was printed as raw if an earlier field was matched as
well:
| arp saddr ip 192.168.1.1 arp daddr ether 3e:d1:3f:d6:12:0b
was printed as:
| arp saddr ip 192.168.1.1 @nh,144,48 69068440080907
Note: Although strictly not necessary, reorder fields in
proto_arp->templates as well to match their actual ordering, just to
avoid confusion.
Fixes: 4b0f2a712b579 ("src: support for arp sender and target ethernet and IPv4 addresses")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
nft-test.py only needs one payload per rule, but a number of rules have
duplicates, typically one per address family, so just keep the last
payload for rules listed more than once.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
To similar change as in previous one, this time for the
jason (de)serialization.
Re-uses the raw payload match syntax, i.e. base,offset,length.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
tcp option @42,16,4 (@kind,offset,length).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft currently doesn't allow to check for presence of arbitrary tcp options.
Only known options where nft provides a template can be tested for.
This allows to test for presence of raw protocol values as well.
Example:
tcp option 42 exists
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
'nop' is the tcp padding "option". "noop" is retained for compatibility
on parser side.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
One was added by the tcp option parsing ocde, the other by synproxy.
So we have:
synproxy ... sack-perm
synproxy ... mss
and
tcp option maxseg
tcp option sack-permitted
This kills the extra tokens on the scanner/parser side,
so sack-perm and sack-permitted can both be used.
Likewise, 'synproxy maxseg' and 'tcp option mss size 42' will work too.
On the output side, the shorter form is now preferred, i.e. sack-perm
and mss.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Tests currently fail with
ip6/dnat.t: WARNING: line 8: ... because test still expects a range expression.
Fixes: ee4391d0ac1e7 ("nat: transform range to prefix expression when possible")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
JSON in/output doesn't know about nat_type and thus cannot save/restore
nat mappings involving prefixes or concatenations because the snat
statement lacks the prefix/concat/interval type flags.
Furthermore, bison parser was extended to support netmap.
This is done with an internal 'netmap' flag that is passed to the
kernel. We need to dump/restore that as well.
Also make sure ip/snat.t passes in json mode.
Fixes: 35a6b10c1bc4 ("src: add netmap support")
Fixes: 9599d9d25a6b ("src: NAT support for intervals in maps")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
make dnat.t pass in json mode.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix warnings and errors when running nf-test.py -j due to missing json test case updates.
This also makes bridge/reject.t pass in json mode.
No code changes.
Fixes: 8615ed93f6e4c4 ("evaluate: enable reject with 802.1q")
Fixes: fae0a0972d7a71 ("tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t")
Fixes: 2a20b5bdbde8a1 ("datatype: add frag-needed (ipv4) to reject options")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a prefix expression's length is on a byte-boundary, it is sufficient
to just reduce the length passed to "cmp" expression. No need for
explicit bitwise modification of data on LHS. The relevant code is
already there, used for string prefix matches. There is one exception
though, namely zero-length prefixes: Kernel doesn't accept zero-length
"cmp" expressions, so keep them in the old code-path for now.
This patch depends upon the previous one to correctly parse odd-sized
payload matches but has to extend support for non-payload LHS as well.
In practice, this is needed for "ct" expressions as they allow matching
against IP address prefixes, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Add unit tests for the use of reject with icmp inside netdev family.
reject.t from inet family couldn't be reused because it was using
meta nfproto which is not supported inside netdev.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: 741a06ac15d2 ("mergesort: find base value expression type via recursion")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: dcec7d57559a ("ct: Add support for the 'id' key")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the protocol context infrastructure to track multiple
transport protocols when they are specified from sets.
This removes errors like:
"transport protocol mapping is only valid after transport protocol match"
when invoking:
# nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80
This patch also catches conflicts like:
# nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
Error: conflicting protocols specified: udp vs. tcp
add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
^^^^^^^^^
and:
# nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
Error: conflicting protocols specified: udp vs. tcp
add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
^^^^^^^^^
Note that:
- the singleton protocol context tracker is left in place until the
existing users are updated to use this new multiprotocol tracker.
Moving forward, it would be good to consolidate things around this new
multiprotocol context tracker infrastructure.
- link and network layers are not updated to use this infrastructure
yet. The code that deals with vlan conflicts relies on forcing
protocol context updates to the singleton protocol base.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
If nft crashes or hits an assertion, the last command run shows in the
/tmp/nftables-test.log file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|