summaryrefslogtreecommitdiffstats
path: root/tests/py
Commit message (Collapse)AuthorAgeFilesLines
* proto: replace vlan ether type with 8021qFlorian Westphal2021-04-0315-35/+34
| | | | | | | | | | | | | Previous patches added "8021ad" mnemonic for IEEE 802.1AD frame type. This adds the 8021q shorthand for the existing 'vlan' frame type. nft will continue to recognize 'ether type vlan', but listing will now print 8021q. Adjust all test cases accordingly. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add 8021.AD vlan test casesFlorian Westphal2021-04-035-0/+450
| | | | | | | Check nft doesn't remove the explicit '8021ad' type check and that the expected dependency chains are generated. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: fix scope closure of COUNTER tokenFlorian Westphal2021-03-254-0/+96
| | | | | | | | | It is closed after allocation, which is too early: this stopped 'packets' and 'bytes' from getting parsed correctly. Also add a test case for this. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: Fix for missing JSON equivalent in any/ct.t.jsonPhil Sutter2021-03-091-0/+15
| | | | | | | JSON equivalent for recently added test of the '!' shortcut was missing. Fixes: e6c32b2fa0b82 ("src: add negation match on singleton bitmask value") Signed-off-by: Phil Sutter <phil@nwl.cc>
* mnl: Set NFTNL_SET_DATA_TYPE before dumping set elementsPhil Sutter2021-03-0917-148/+148
| | | | | | | | In combination with libnftnl's commit "set_elem: Fix printing of verdict map elements", This adds the vmap target to netlink dumps. Adjust dumps in tests/py accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Adjust payloads for fixed nat statement dumpsPhil Sutter2021-03-0910-31/+31
| | | | | | Libnftnl no longer dumps unused regs, so drop those. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: add negation match on singleton bitmask valuePablo Neira Ayuso2021-02-052-0/+7
| | | | | | | | | | | | | | | | | This patch provides a shortcut for: ct status and dnat == 0 which allows to check for the packet whose dnat bit is unset: # nft add rule x y ct status ! dnat counter This operation is only available for expression with a bitmask basetype, eg. # nft describe ct status ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Add a test sanitizer and fix its findingsPhil Sutter2021-02-0439-780/+160
| | | | | | | | | | | | | | | | This is just basic housekeeping: - Remove duplicate tests in any of the *.t files - Remove explicit output if equal to command itself in *.t files - Remove duplicate payload records in any of the *.t.payload* files - Remove stale payload records (for which no commands exist in the respective *.t file - Remove duplicate/stale entries in any of the *.t.json files In some cases, tests were added instead of removing a stale payload record if it fit nicely into the sequence of tests. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Write dissenting payload into the right filePhil Sutter2021-02-041-1/+4
| | | | | | | | | | | | The testsuite supports diverging payloads depending on table family. This is necessary since for some families, dependency matches are created. If a payload mismatch happens, record it into a "got"-file which matches the family-specific payload file, not the common one. This eases use of diff-tools a lot as the extra other families' payloads confuse the tools. Signed-off-by: Phil Sutter <phil@nwl.cc>
* json: Do not abbreviate reject statement objectPhil Sutter2021-02-034-112/+47
| | | | | | | | | No need to reduce output size, also this way output is more predictable. While being at it, drop some pointless chunks from tests/py/bridge/reject.t.json.output. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: add icmp/6 test where dependency should be left aloneFlorian Westphal2021-02-016-0/+73
| | | | | | These tests fail: nft should leave the type as-is. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: limit: Always include burst valuePhil Sutter2021-01-271-0/+277
| | | | | | The default burst value is non-zero, so JSON output should include it. Signed-off-by: Phil Sutter <phil@nwl.cc>
* reject: Unify inet, netdev and bridge delinearizationPhil Sutter2021-01-275-196/+292
| | | | | | | | | | | | | | Postprocessing for inet family did not attempt to kill any existing payload dependency, although it is perfectly fine to do so. The mere culprit is to not abbreviate default code rejects as that would drop needed protocol info as a side-effect. Since postprocessing is then almost identical to that of bridge and netdev families, merge them. While being at it, extend tests/py/netdev/reject.t by a few more tests taken from inet/reject.t so this covers icmpx rejects as well. Cc: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
* reject: Fix for missing dependencies in netdev familyPhil Sutter2021-01-273-21/+184
| | | | | | | | | | | | | | | Like with bridge family, rejecting with either icmp or icmpv6 must create a dependency match on meta protocol. Upon delinearization, treat netdev reject identical to bridge as well so no family info is lost. This makes reject statement in netdev family fully symmetric so fix the tests in tests/py/netdev/reject.t, adjust the related payload dumps and add JSON equivalents which were missing altogether. Fixes: 0c42a1f2a0cc5 ("evaluate: add netdev support for reject default") Fixes: a51a0bec1f698 ("tests: py: add netdev folder and reject.t icmp cases") Cc: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
* exthdr: remove tcp dependency for tcp option matchingFlorian Westphal2021-01-261-60/+0
| | | | | | Kernel won't search for tcp options in non-tcp packets. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: ct: add missing test inputFlorian Westphal2021-01-261-0/+79
| | | | | | | ERROR: did not find JSON equivalent for rule 'meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }' ERROR: did not find JSON equivalent for rule 'ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }' Signed-off-by: Florian Westphal <fw@strlen.de>
* json: icmp: move expected parts to json.outputFlorian Westphal2021-01-262-109/+98
| | | | | | | | | | | | Phil Sutter says: In general, *.t.json files should contain JSON equivalents for rules as they are *input* into nft. So we want them to be as close to the introductory standard syntax comment as possible. Undo earlier change and place the expected dependency added by nft internals to json.output rather than icmp.t.json. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: disallow ct original {s,d}ddr from concatenationsPablo Neira Ayuso2021-01-252-0/+23
| | | | | | | | | | | | | | | | Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from maps") to cover concatenations too. Error: specify either ip or ip6 for address matching add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 } ^^^^^^^^^^^^^^^^^ The old syntax for ct original saddr without either ip or ip6 results in unknown key size, which breaks the listing. The old syntax is only allowed in simple rules for backward compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: icmp: refresh json outputFlorian Westphal2021-01-211-80/+568
| | | | | | | nft inserts dependencies for icmp header types, but I forgot to update the json test files to reflect this change. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: ct: add missing ruleFlorian Westphal2021-01-211-0/+30
| | | | | | ERROR: did not find JSON equivalent for rule 'meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }' Signed-off-by: Florian Westphal <fw@strlen.de>
* json: fix icmpv6.t test casesFlorian Westphal2021-01-212-16/+597
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: disallow ct original {s,d}ddr from mapsPablo Neira Ayuso2021-01-152-0/+12
| | | | | | | | | test.nft:6:55-71: Error: specify either ip or ip6 for address matching add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 } ^^^^^^^^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: disallow burst 0 in ratelimitsPablo Neira Ayuso2020-12-181-22/+22
| | | | | | | | | | | | The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst. Update the byte rate limiter not to print burst 5 (default value). Update tests/py payloads to print burst 5 instead of zero when the burst is unspecified. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Fix for changed concatenated ranges outputPhil Sutter2020-12-153-3/+3
| | | | | | | Payload didn't change but libnftnl was fixed to print the key_end data reg of concat-range elements, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: icmp, icmpv6: check we don't add second dependencyFlorian Westphal2020-12-094-0/+23
| | | | | | If dependency is already fulfilled, do not add another one. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ip: add one test case to cover both id and sequenceFlorian Westphal2020-12-092-0/+14
| | | | | | | | | These are two 2-byte matches, so nft will merge the accesses to a single 4-byte load+compare. Check this is properly demangled. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: icmp, icmpv6: avoid remaining warningsFlorian Westphal2020-12-092-42/+34
| | | | | | | | | In case of id/sequence, both 'reply' and 'request' are valid types. nft currently does not remove dependencies that don't have a fixed rhs constant. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix exepcted payload of icmpv6 expressionsFlorian Westphal2020-12-091-10/+97
| | | | | | nft will now auto-insert a icmpv6 type match. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix exepcted payload of icmp expressionsFlorian Westphal2020-12-091-1/+130
| | | | | | after previous change nft will insert explicit icmp type match. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: update format of registers in bitwise payloads.Jeremy Sowden2020-11-1624-248/+248
| | | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: Fix ARP header field orderingPhil Sutter2020-11-105-0/+111
| | | | | | | | | | | | | | | | | | | | | | | In ARP header, destination ether address sits between source IP and destination IP addresses. Enum arp_hdr_fields had this wrong, which in turn caused wrong ordering of entries in proto_arp->templates. When expanding a combined payload expression, code assumes that template entries are ordered by header offset, therefore the destination ether address match was printed as raw if an earlier field was matched as well: | arp saddr ip 192.168.1.1 arp daddr ether 3e:d1:3f:d6:12:0b was printed as: | arp saddr ip 192.168.1.1 @nh,144,48 69068440080907 Note: Although strictly not necessary, reorder fields in proto_arp->templates as well to match their actual ordering, just to avoid confusion. Fixes: 4b0f2a712b579 ("src: support for arp sender and target ethernet and IPv4 addresses") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: remove duplicate payloads.Jeremy Sowden2020-11-097-575/+0
| | | | | | | | | nft-test.py only needs one payload per rule, but a number of rules have duplicates, typically one per address family, so just keep the last payload for rules listed more than once. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* json: tcp: add raw tcp option match supportFlorian Westphal2020-11-091-0/+34
| | | | | | | | | To similar change as in previous one, this time for the jason (de)serialization. Re-uses the raw payload match syntax, i.e. base,offset,length. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcp: add raw tcp option match supportFlorian Westphal2020-11-092-0/+9
| | | | | | tcp option @42,16,4 (@kind,offset,length). Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: allow to check for presence of any tcp optionFlorian Westphal2020-11-092-49/+6
| | | | | | | | | | | | | nft currently doesn't allow to check for presence of arbitrary tcp options. Only known options where nft provides a template can be tested for. This allows to test for presence of raw protocol values as well. Example: tcp option 42 exists Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: rename noop to nopFlorian Westphal2020-11-093-18/+4
| | | | | | | 'nop' is the tcp padding "option". "noop" is retained for compatibility on parser side. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: merge sack-perm/sack-permitted and maxseg/mssFlorian Westphal2020-11-093-12/+12
| | | | | | | | | | | | | | | | | | | | | | One was added by the tcp option parsing ocde, the other by synproxy. So we have: synproxy ... sack-perm synproxy ... mss and tcp option maxseg tcp option sack-permitted This kills the extra tokens on the scanner/parser side, so sack-perm and sack-permitted can both be used. Likewise, 'synproxy maxseg' and 'tcp option mss size 42' will work too. On the output side, the shorter form is now preferred, i.e. sack-perm and mss. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: fix ip6 dnat test case after range to prefix transformation changeFlorian Westphal2020-11-071-8/+9
| | | | | | | | Tests currently fail with ip6/dnat.t: WARNING: line 8: ... because test still expects a range expression. Fixes: ee4391d0ac1e7 ("nat: transform range to prefix expression when possible") Signed-off-by: Florian Westphal <fw@strlen.de>
* json: add missing nat_type flag and netmap nat flagFlorian Westphal2020-11-051-0/+108
| | | | | | | | | | | | | | | | JSON in/output doesn't know about nat_type and thus cannot save/restore nat mappings involving prefixes or concatenations because the snat statement lacks the prefix/concat/interval type flags. Furthermore, bison parser was extended to support netmap. This is done with an internal 'netmap' flag that is passed to the kernel. We need to dump/restore that as well. Also make sure ip/snat.t passes in json mode. Fixes: 35a6b10c1bc4 ("src: add netmap support") Fixes: 9599d9d25a6b ("src: NAT support for intervals in maps") Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: avoid warning and add missing json test casesFlorian Westphal2020-11-052-2/+57
| | | | | | make dnat.t pass in json mode. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: json: add missing test case outputFlorian Westphal2020-11-055-4/+150
| | | | | | | | | | | | Fix warnings and errors when running nf-test.py -j due to missing json test case updates. This also makes bridge/reject.t pass in json mode. No code changes. Fixes: 8615ed93f6e4c4 ("evaluate: enable reject with 802.1q") Fixes: fae0a0972d7a71 ("tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t") Fixes: 2a20b5bdbde8a1 ("datatype: add frag-needed (ipv4) to reject options") Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Optimize prefix matches on byte-boundariesPhil Sutter2020-11-047-26/+12
| | | | | | | | | | | | | | | | If a prefix expression's length is on a byte-boundary, it is sufficient to just reduce the length passed to "cmp" expression. No need for explicit bitwise modification of data on LHS. The relevant code is already there, used for string prefix matches. There is one exception though, namely zero-length prefixes: Kernel doesn't accept zero-length "cmp" expressions, so keep them in the old code-path for now. This patch depends upon the previous one to correctly parse odd-sized payload matches but has to extend support for non-payload LHS as well. In practice, this is needed for "ct" expressions as they allow matching against IP address prefixes, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: add netdev folder and reject.t icmp casesJose M. Guisado Gomez2020-11-023-1/+81
| | | | | | | | | | Add unit tests for the use of reject with icmp inside netdev family. reject.t from inet family couldn't be reused because it was using meta nfproto which is not supported inside netdev. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add missing test JSON output for TCP flag tests.Jeremy Sowden2020-10-122-0/+186
| | | | | | Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: correct order of set elements in test JSON output.Jeremy Sowden2020-10-121-10/+10
| | | | | | Fixes: 741a06ac15d2 ("mergesort: find base value expression type via recursion") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add missing JSON output for ct test.Jeremy Sowden2020-10-121-0/+15
| | | | | | Fixes: dcec7d57559a ("ct: Add support for the 'id' key") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: context tracking for multiple transport protocolsPablo Neira Ayuso2020-09-152-0/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch extends the protocol context infrastructure to track multiple transport protocols when they are specified from sets. This removes errors like: "transport protocol mapping is only valid after transport protocol match" when invoking: # nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80 This patch also catches conflicts like: # nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ and: # nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ Note that: - the singleton protocol context tracker is left in place until the existing users are updated to use this new multiprotocol tracker. Moving forward, it would be good to consolidate things around this new multiprotocol context tracker infrastructure. - link and network layers are not updated to use this infrastructure yet. The code that deals with vlan conflicts relies on forcing protocol context updates to the singleton protocol base. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: flush log file output before running each commandPablo Neira Ayuso2020-09-141-0/+2
| | | | | | | If nft crashes or hits an assertion, the last command run shows in the /tmp/nftables-test.log file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: added "socket wildcard" testcasesBalazs Scheidler2020-08-293-0/+62
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mergesort: unbreak listing with binopsPablo Neira Ayuso2020-08-202-0/+23
| | | | | | | | | | | | | tcp flags == {syn, syn|ack} tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack} results in: BUG: Unknown expression binop nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed. Aborted (core dumped) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>