path: root/tests/py
Commit message | Author | Age | Files | Lines
* tests: frag: enable more tests | Florian Westphal | 2016-03-10 | 3 | -3/+49
    a couple of tests were disabled since nft did not support this.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinarize: shift constant for ranges too | Florian Westphal | 2016-03-10 | 2 | -4/+4
    ... else rule like vlan pcp 1-3 won't work and will be displayed as 0-0 (reverse direction already works since range is represented as two lte/gte compare expressions).

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-test: don't zap remainder of rule after handling a set | Florian Westphal | 2016-03-10 | 2 | -7/+13
    Don't delete the part after the set, i.e. given

        chain input {
            type filter hook input priority 0; policy accept;
            vlan id { 1, 2, 4, 100, 4095} vlan pcp 1-3
        }

    don't remove the vlan pcp 1-3 part.

    This exposes the following bug:

        bridge/vlan.t: WARNING: line: 32: 'nft add rule --debug=netlink bridge test-bridge input vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3': 'vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3' mismatches 'vlan id { 4, 1, 2, 4095, 100} vlan pcp 0-0'

    We do not shift the range, so on reverse translation we get a 0-0 output.

    The bug will be fixed in a followup commit.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: frag: enable more tests | Florian Westphal | 2016-03-10 | 3 | -4/+72
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: add tests for router-advertisement and router-solicitation icmp types | Pablo Neira Ayuso | 2016-03-10 | 2 | -1/+30
    Introduced by 039f818fc88010 ("proto: Add router advertisement and solicitation icmp types").

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow 'snat' and 'dnat' keywords from the right-hand side | Pablo Neira Ayuso | 2016-03-09 | 2 | -5/+22
    Parse 'snat' and 'dnat' reserved keywords from the right-hand side as symbols. Thus, we can use them as values from ct status.

    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=950
    Reported-by: Ana Rey <anarey@gmail.com>
    Reported-by: Karol Babioch <karol@babioch.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: enable tests for dccp types | Pablo Neira Ayuso | 2016-03-07 | 5 | -4/+111
    This patch makes sure we test dccp type.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: extend masquerade to cover ports too | Pablo Neira Ayuso | 2016-03-03 | 4 | -0/+38
    Tests new masquerade port range support (available since 4.6-rc).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add/fix inet+exthdr tests | Florian Westphal | 2016-03-02 | 5 | -0/+327
    exthdr needs to be treated as if we'd test an ipv6 header field, i.e. inet, bridge, netdev need to add a dependency on ipv6 protocol.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: enforce ip6 proto with exthdr expression | Florian Westphal | 2016-03-02 | 2 | -32/+28
    Don't allow use of exthdr with e.g. ip family. Move frag.t to ip6 directory and don't use it with ipv4 anymore.

    This change causes major test failures for all exthdr users since they now fail with inet/bridge/netdev families.

    Will be resolved in a later patch -- we need to add an ipv6 dependency for them.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: use parameter-problem for icmpv6 type | Pablo Neira Ayuso | 2016-02-01 | 2 | -0/+9
    To keep it consistent with icmpv4 naming.

    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=911
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: test vlan on ingress | Pablo Neira Ayuso | 2016-01-31 | 2 | -0/+237
    This generates the same code as bridge does, but it includes this check in first place.

        [ meta load iiftype => reg 1 ]
        [ cmp eq reg 1 0x00000001 ]

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: test port ranges and maps for redirect | Pablo Neira Ayuso | 2016-01-31 | 4 | -0/+47
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fwd statement for netdev | Pablo Neira Ayuso | 2016-01-31 | 2 | -0/+21
    This patch adds support for the forward statement, only available at the netdev family.

        # nft add table netdev filter
        # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; }
        # nft add rule netdev filter ingress fwd to dummy0

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dup statement for netdev | Pablo Neira Ayuso | 2016-01-31 | 2 | -0/+21
    This patch contains the missing chunk to add support for the netdev family. Part of the support slipped through in the original patch to add the dup statement for IPv4 and IPv6.

        # nft add table netdev filter
        # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; }
        # nft add rule netdev filter ingress dup to dummy0

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip6: Add tests for icmpv6 packet types | Shivani Bhardwaj | 2016-01-31 | 2 | -0/+10
    Add tests for the icmpv6 packet types policy-fail and reject-route to be used with REJECT target.

    Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: only remove protocol if equal cmp is used | Florian Westphal | 2016-01-27 | 2 | -0/+24
    Check for OP_EQ before removing a dependency, else we may zap wrong one, changing the meaning of the rule.

    Listing without patch:

        ip protocol udp udp dport ssh ip protocol udp udp dport ssh counter packets 1 bytes 308 ip protocol udp udp dport ssh

    With patch:

        ip protocol != tcp udp dport ssh ip protocol != udp udp dport ssh ip protocol != tcp counter packets 1 bytes 308 udp dport ssh

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: do binop postprocessing also for map lookups | Florian Westphal | 2016-01-26 | 4 | -0/+35
    old nft list:

        mark set unknown unknown & 0xfff [invalid type] map { 3 : 0x00000017, 1 : 0x0000002a}

    new:

        mark set vlan id map { 3 : 0x00000017, 1 : 0x0000002a}

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add two map test cases | Florian Westphal | 2016-01-26 | 6 | -0/+54
    One normal map lookup, one with an explicit binop.

    The latter is supposed to also work with the followup patch applied.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support limit rate over value | Pablo Neira Ayuso | 2016-01-14 | 2 | -16/+99
    So far it was only possible to match packets under a rate limit, this patch allows you to explicitly indicate if you want to match packets that go over or until the rate limit, e.g.

        ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop
        ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop
        ... ct state invalid limit rate until 1/second counter log prefix "INVALID: "

    When listing rate limit until, this shows:

        ... ct state invalid limit rate 1/second counter log prefix "INVALID: "

    thus, the existing syntax is still valid (i.e. default to rate limit until).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: ct: remove BUG cases that work with current master | Florian Westphal | 2016-01-07 | 1 | -33/+0
    We have tests for these in ip/ct.t.

    (We cannot use ipv4 addresses e.g. in ipv6 family).

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct regression tests for bytes, packets | Florian Westphal | 2015-12-14 | 2 | -0/+27
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: swap key and direction in ct_dir syntax | Florian Westphal | 2016-01-07 | 3 | -24/+32
    old: ct saddr original 1.2.3.4
    new: ct original saddr 1.2.3.4

    The advantage is that this allows adding ct keys where direction is optional without creating ambiguities in the parser.

    So we can have

        ct packets gt 42
        ct original packets gt 42

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: netdev family with ingress chain | Pablo Neira Ayuso | 2016-01-13 | 34 | -0/+2999
    This patch enables tests for the new netdev family and its ingress chain.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: test udp from ip and ip6 families | Pablo Neira Ayuso | 2016-01-13 | 3 | -2/+446
    The existing test was checking for the ip family three times, fix it.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: don't test log statement from protocol match | Pablo Neira Ayuso | 2016-01-13 | 10 | -68/+24
    I think these unit tests should be self-contained at some level. The shell/ directory should be used to catch regressions at ruleset level, i.e. these kinds of combinations.

    Another motivation is that I want that netdev/ingress gets tested (coming in a follow up patch), and we don't support log there yet, so I would need to skip this test for that case.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: update test files syntax | Pablo M. Bermudo Garay | 2016-01-12 | 52 | -120/+158
    The test files have been adapted to the syntax defined in the previous commit "tests/py: modify supported test file syntax"

    Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: modify supported test file syntax | Pablo M. Bermudo Garay | 2016-01-12 | 1 | -26/+44
    Until now, the syntax to represent tables and chains in test files was:

        *ip;test-ip4
        *ip6;test-ip6
        *inet;test-inet
        :input;type filter hook input priority 0

    Where lines starting with * are tables and lines starting with : are chains.

    This commit changes the test script to deal with new syntax:

        :input;type filter hook input priority 0
        *ip;test-ip4;input
        *ip6;test-ip6;input
        *inet;test-inet;input

    Now the chains should be included before tables. Also, lines defining tables have a new third part (delimited by semicolon) where the chains needed by the table are declared. If table needs to include more than one chain, those must be separated by commas:

        :input;type filter hook input priority 0
        :forward;type filter hook forward priority 0
        :output;type filter hook output priority 0
        *arp;test-arp;input,forward,output

    This new syntax allows including in the same test file chains not supported by all families of tables tested.

    Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: convert chains and tables to objects | Pablo M. Bermudo Garay | 2016-01-12 | 1 | -58/+72
    Now these concepts are represented by objects instead of lists or sparse parameters.

    Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: simplify use of globals | Pablo M. Bermudo Garay | 2016-01-12 | 1 | -18/+14
    The script made a messy use of globals, these were sometimes accessed directly and passed as parameter in other cases.

    Since it is not expected having to deal with threads in the script, now the globals are always accessed directly for the sake of simplicity.

    Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: fix style | Pablo M. Bermudo Garay | 2016-01-12 | 1 | -100/+109
    - Adjust lines to 80 columns style
    - Add two lines of separation between functions
    - Remove redundant parentheses and semicolons
    - Apply other minor style fixes

    Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: remove unused variables | Pablo M. Bermudo Garay | 2016-01-12 | 1 | -30/+8
    Only that. The script had a lot of unused variables.

    Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add ct tests for ip family | Florian Westphal | 2016-01-04 | 2 | -0/+85
    Cannot check e.g. saddr for 192.168.0.1 for 'any' protocol, nft needs to expect arguments of a specific address type.

    So e.g. when using 'inet' we need to add a rule that makes the expected family explicit, e.g. 'meta nfproto ipv4'.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: check set value from selector and map | Pablo Neira Ayuso | 2016-01-03 | 2 | -0/+15
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/: rearrange tests directory | Arturo Borrero | 2015-12-15 | 131 | -0/+15201
    Rearrange the directory to obtain a better organization of files and tests-suites.

    We end with a tree like this:

        tests
          |
          .--- py
          .--- shell
          .--- files

    This was suggested by Pablo.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>