summaryrefslogtreecommitdiffstats
path: root/tests/py
Commit message (Collapse)AuthorAgeFilesLines
* osf: add ttl option supportFernando Fernandez Mancera2018-10-233-2/+72
| | | | | | | | | | | | | | Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Add ct timeout supportPhil Sutter2018-10-151-0/+7
| | | | | | | Add support for printing and parsing ct timeout objects to JSON API. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Add missing JSON bits for inet/meta.tPhil Sutter2018-10-152-3/+20
| | | | | | | | Those were forgotten when renaming meta secpath to meta ipsec. Fixes: 8f55ed41d0070 ("src: rename meta secpath to meta ipsec") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Fix for ECN keyword in LHS of relationalPhil Sutter2018-10-044-0/+48
| | | | | | | | | | | | | | | | | | | | Of all possible TCP flags, 'ecn' is special since it is recognized by lex as a keyword (there is a a field in IPv4 and IPv6 headers with the same name). Therefore it is listed in keyword_expr, but that was sufficient for RHS only. The following statement reproduces the issue: | tcp flags & (syn | ecn) == (syn | ecn) The solution is to limit binop expressions to accept an RHS expression on RHS ("real" LHS expressions don't make much sense there anyway), which then allows keyword_expr to occur there. In order to maintain the recursive behaviour if braces are present, allow primary_rhs_expr to consist of a basic_rhs_expr enclosed in braces. This in turn requires for braced RHS part in relational_expr to be dropped, otherwise bison complains about shift/reduce conflict. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ipsec (xfrm) expressionMáté Eckl2018-09-213-0/+197
| | | | | | | | | | | | | | | | This allows matching on ipsec tunnel/beet addresses in xfrm state associated with a packet, ipsec request id and the SPI. Examples: ipsec in ip saddr 192.168.1.0/24 ipsec out ip6 daddr @endpoints ipsec in spi 1-65536 Joint work with Florian Westphal. Cc: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: rename meta secpath to meta ipsecFlorian Westphal2018-09-212-3/+3
| | | | | | | for symmetry with 'rt ipsec'. "meta secpath" still works. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rt: add support to check if route will perform ipsec transformationFlorian Westphal2018-09-213-0/+42
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix JSON for icmp*.tPhil Sutter2018-09-134-5/+69
| | | | | | | | | A recent change to ip/icmp.t and ip6/icmpv6.t did not update JSON equivalents accordingly, fix this. Fixes: 0f44d4f627535 ("proto: fix icmp/icmpv6 code datatype") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: Check differing rule output for sanityPhil Sutter2018-09-111-0/+24
| | | | | | | | | If an added rule's listing differs from the input (either expected or not), reinsert that output and check payload again to make sure the asymmetry doesn't lead to (internal) changes in ruleset. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: fix icmp/icmpv6 code datatypeFlorian Westphal2018-09-044-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | Andrew A. Sabitov says: I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code and check incoming icmpv6 traffic against it: add set inet fw in_icmpv6_types { type icmpv6_type . icmpv6_code; } add element inet fw in_icmpv6_types { 1 . 0 } # no route to destination add element inet fw in_icmpv6_types { 1 . 1 } # communication with destination administratively prohibited # ... add rule inet fw in_icmpv6 icmpv6 type . icmpv6 code @in_icmpv6_types \ limit rate 15/minute accept yields: Error: can not use variable sized data types (integer) in concat expressions icmpv6 type . icmpv6 code @in_icmpv6_types ~~~~~~~~~~~~~~^^^^^^^^^^^ Change 'code' type to the icmp/icmpv6 code type. Needs minor change to test suite as nft will now display human-readable names instead of numeric codes. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1276 Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix json output for osf, socket and tproxy expressionsFlorian Westphal2018-09-035-25/+71
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: Make nft-test.py a little more robustPhil Sutter2018-09-031-2/+9
| | | | | | | | | When adding a new test, missing payload file causes nft-test.py to choke due to accessing undeclared variables. Fix this by making sure relevant variables are declared outside of try-catch blocks. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add ct timeout testsHarsha Sharma2018-08-313-0/+17
| | | | | | | Add test for adding ct timeout objects and assigning it via rule. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Make match op mandatory, introduce 'in' operatorPhil Sutter2018-08-30114-0/+1214
| | | | | | | | This special operator is required for cases where missing operator does not lead to same results as equal operator, i.e. with bitmasks on RHS. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Rename mangle statement propertiesPhil Sutter2018-08-3023-168/+168
| | | | | | | Instead of the generic "left" and "right", use "key" and "value". Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Rename (v)map expression propertiesPhil Sutter2018-08-3031-204/+204
| | | | | | | | Change the rather generic "left" and "right" into "key" and "data" as suggested at NFWS. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Review payload expressionPhil Sutter2018-08-3086-1128/+1114
| | | | | | | | | | | For raw payloads, property "name" is not needed, it's clearly identified by base/offset/len properties. In non-raw payload expressions, rename property "name" to "protocol" as suggested during NFWS. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Review verdict statement and expressionPhil Sutter2018-08-301-1/+3
| | | | | | | | | | | | Change jump and goto verdicts to become extensible by dedicating an object for the target parameter. While being at it, drop break and queue verdict expressions since they don't seem to exist, no idea where I got those from in the first place. For queue, there is a dedicated expression at least. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Make meta statement/expression extensiblePhil Sutter2018-08-3054-326/+326
| | | | | | | | | | Lessons learned from fwd statement: We must not assume a given statement/expression may not receive further properties in the future. Therefore make meta value an object with a property "key" instead of just a string containing the key name. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Fix coloring of differencesPhil Sutter2018-08-301-17/+14
| | | | | | | This was surprisingly hard to get right, but this should do the trick. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: tproxy: add json supportFlorian Westphal2018-08-293-0/+273
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: tproxy: relax family restrictionsFlorian Westphal2018-08-294-15/+20
| | | | | | | | | | | | | | | | | | evaluation step currently prohibits tproxy ip to 1.2.3.4 in ip family, and tproxy ip6 to dead::1 in ip6. This seems an arbitrary limitation, just accept this. The current restriction would make json output support harder than needed, as the tproxy expression generated from json path would have to special-case the table its currently in, rather than just using the family attribute in the json output. We obviously still reject the family in case it mismatches the table family (e.g., can't use ip address in ip6 table). Signed-off-by: Florian Westphal <fw@strlen.de>
* src: osf: add json supportFlorian Westphal2018-08-291-0/+66
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: reject: Allow icmpx in inet/bridge familiesPhil Sutter2018-08-146-0/+118
| | | | | | | | | | | | | | | | | | | Commit 3e6ab2b335142 added restraints on reject types for bridge and inet families but aparently those were too strict: If a rule in e.g. inet family contained a match which introduced a protocol dependency, icmpx type rejects were disallowed for no obvious reason. Allow icmpx type rejects in inet family regardless of protocol dependency since we either have IPv4 or IPv6 traffic in there and for both icmpx is fine. Merge restraints in bridge family with those for TCP reset since it already does what is needed, namely checking that ether proto is either IPv4 or IPv6. Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: test osf with setsPablo Neira Ayuso2018-08-072-0/+9
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to use new osf expression from assignment statementPablo Neira Ayuso2018-08-072-0/+10
| | | | | | | | | | So the following rule to set the conntrack mark based on the OS passive recognition works: # nft add rule x y ct mark set osf name map { "Windows" : 1, "MacOs" : 2 } Fixes: 9f28b685b473 ("src: introduce passive OS fingerprint matching") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: improve test cases for osfFernando Fernandez Mancera2018-08-072-2/+15
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: py: fix osf testcases warningFernando Fernandez Mancera2018-08-042-3/+3
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add test cases for "osf" matchingFernando Fernandez Mancera2018-08-042-0/+10
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Expose socket mark via socket expressionMáté Eckl2018-08-033-0/+31
| | | | | | | | This can be used like ct mark or meta mark except it cannot be set. doc and tests are included. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Add test cases for tproxy supportMáté Eckl2018-08-036-0/+153
| | | | | Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta: always prefix 'meta' for almost all tokensFlorian Westphal2018-07-2117-100/+100
| | | | | | | | | | | | | | | | | | got following bug report: nft add ... ct mark set mark and 0x10 ... always sets 0. What reporter meant to write instead was 'ct mark', not 'mark'. We can't just remove support for 'mark' and force 'meta mark', but we can start to discourage it by printing meta prefix too. Later on, we could start to print deprecation warning if needed. Followup patch can also change "iifname" etc. to "meta iifname". Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: Refactor meta_may_dependency_kill()Phil Sutter2018-06-264-0/+216
| | | | | | | | | | | | | | | | The original intent was to fix a bug: The following rule in inet table: | meta nfproto ipv4 icmpv6 type echo-reply Was added correctly but when printing the meta match was falsely removed. The fix is to deny dependency killing if RHS family of nfproto match doesn't match RHS family of l4proto match. Adding this to the already large conditional led to even more unreadable code, therefore this patch tries to clean that up (and also removes the partial code duplication. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: fix import when run from other directoryEric Leblond2018-06-211-2/+2
| | | | | Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: minor cleaningEric Leblond2018-06-201-4/+5
| | | | | | | Move import and use explicit parameter in object creation. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Support latest enhancements of fwd statementPhil Sutter2018-06-114-29/+53
| | | | | | | | | | | | | JSON equivalent of fwd statement was too primitive to support the added address and family parameters, so make its value an object and accept the device expression as value of a "dev" property in there. Then add optional "addr" and "family" properties to it. While being at it, add a testcase to make sure the extended syntax works right. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Add support for socket expressionPhil Sutter2018-06-111-0/+28
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix JSON for flowtable testsPhil Sutter2018-06-114-28/+7
| | | | | | | | | Changing the reference lines is not enough, the actual JSON has to be adjusted as well. Since after the changes output for ip/flowtable.t is now symmetric, ip/flowtable.t.json.output can be removed. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Call verdict maps 'vmap' in JSON as wellPhil Sutter2018-06-1115-72/+72
| | | | | | | This way JSON format is more consistent with the standard one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: py: Add test cases for socket matchingMáté Eckl2018-06-062-0/+39
| | | | | Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: Add support for audit loggingPhil Sutter2018-06-033-0/+21
| | | | | | | | | | | This is implemented via a pseudo log level. The kernel ignores any other parameter, so reject those at evaluation stage. Audit logging is therefore simply a matter of: | log level audit Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: ip6/flowtable.t: Add missing JSON expected outputPhil Sutter2018-06-031-0/+62
| | | | | | | The output differs from input in added size property. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Add missing JSON equivalent for rule in inet/tcp.tPhil Sutter2018-06-011-0/+16
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Add missing JSON equivalent for inet/sets.tPhil Sutter2018-06-011-0/+37
| | | | | | | | | This adds the missing JSON variant for the two rules which are supposed to work. Fixes: 2efbdf7b8fcf7 ("tests: py: allow to specify sets with a timeout") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Adjust JSON for changes in any/ct.tPhil Sutter2018-06-012-4/+94
| | | | | | | | | | Commit 71624f25f22b1 ("tests: py: add expires tests with different time bases") removed two testcases and added five other ones, adjust JSON equivalent and recorded output to those changes. Fixes: 71624f25f22b1 ("tests: py: add expires tests with different time bases") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Review set elem expressionsPhil Sutter2018-06-013-3/+27
| | | | | | | | | | | | * There is no need to prefix element-specific properties with 'elem_', they can't conflict. * In json_parse_set_stmt(), searching for above properties is pointless since that's already done by called function. * Fix potential NULL-pointer deref in json_parse_set_elem_expr_stmt(): json_parse_flagged_expr() may return NULL. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Sort out rule position and handles in generalPhil Sutter2018-06-011-8/+2
| | | | | | | | | | | | | | | | | | | | | | | | First of all, don't print the position property when listing rules. This was there only because libnftnl JSON output has it too, but since the preferred way to *add* a rule at some location is via 'handle' keyword, keeping "position" in output would be non-intuitive. Changing "position" property name to "handle" instead is also a no-go since that would clash with the real rule handle. Secondly, turn all handle output on regardless of octx->handle setting. For a programmatic API like JSON, this should be fine. Thirdly, fix rule locations when parsing JSON: Respect "handle" property for CMD_INSERT and CMD_ADD and ignore "pos" at all (actually even a typo, should have read "position"). Also support "index" property recently added to standard syntax. Finally, adjust nft-test.py for the above changes: There is no "position" property to drop from rule output, and "handle" property will always be present. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* objref: Use "ct helper" for NFT_OBJECT_CT_HELPERPhil Sutter2018-06-011-2/+2
| | | | | | | | | Change name of NFT_OBJECT_CT_HELPER in objref_type table to "ct helper" for consistency. Note that this is not used in regular nft output since objref_stmt_print() treats this object type separately. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meters: do not set a defaut meter size from userspaceFlorian Westphal2018-05-296-9/+9
| | | | | | | doing this breaks with older kernels as it will pick a set without and update callback. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix race in deleting elementPablo Neira Ayuso2018-05-251-1/+1
| | | | | | | | | Sometimes we may hit this because script is too slow to remove the element with timeout from the set. inet/sets.t: ERROR: line 18: I cannot delete element dead::beef timeout 1s from the set set2 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>