summaryrefslogtreecommitdiffstats
path: root/tests/py
Commit message (Collapse)AuthorAgeFilesLines
* tests/py: disable arp family for queue statementPablo Neira Ayuso8 days1-1/+0
| | | | | | | | | | | | | | Kernel commit: commit 47f4f510ad586032b85c89a0773fbb011d412425 Author: Florian Westphal <fw@strlen.de> Date: Tue Jul 26 19:49:00 2022 +0200 netfilter: nft_queue: only allow supported familes and hooks restricts supported families, excluding arp. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow anon set concatenation with ether and vlanFlorian Westphal13 days4-0/+69
| | | | | | | | | | | | | | | | | | | | | | | vlan id uses integer type (which has a length of 0). Using it was possible, but listing would assert: python: mergesort.c:24: concat_expr_msort_value: Assertion `ilen > 0' failed. There are two reasons for this. First reason is that the udata/typeof information lacks the 'vlan id' part, because internally this is 'payload . binop(payload AND mask)'. binop lacks an udata store. It makes little sense to store it, 'typeof' keyword expects normal match syntax. So, when storing udata, store the left hand side of the binary operation, i.e. the load of the 2-byte key. With that resolved, delinerization could work, but concat_elem_expr() would splice 12 bits off the elements value, but it should be 16 (on a byte boundary). Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: search stacked header list for matching payload depFlorian Westphal13 days4-0/+95
| | | | | | | | | | | | | | "ether saddr 0:1:2:3:4:6 vlan id 2" works, but reverse fails: "vlan id 2 ether saddr 0:1:2:3:4:6" will give Error: conflicting protocols specified: vlan vs. ether After "proto: track full stack of seen l2 protocols, not just cumulative offset", we have a list of all l2 headers, so search those to see if we had this proto base in the past before rejecting this. Reported-by: Eric Garver <eric@garver.life> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: Add a test for failing ipsec after counterPhil Sutter2022-06-273-0/+29
| | | | | | | | | | | This is a bug in parser/scanner due to scoping: | Error: syntax error, unexpected string, expecting saddr or daddr | add rule ip ipsec-ip4 ipsec-forw counter ipsec out ip daddr 192.168.1.2 | ^^^^^ Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: Add meta time tests without 'meta' keywordMartin Gignac2022-04-103-0/+52
| | | | | | | | | v1.0.2 of 'nft' fails on 'time < "2022-07-01 11:00:00"' but succeeds when 'meta' is specified ('meta time < "2022-07-01 11:00:00"'). This extends coverage by testing 'time' without 'meta'. Signed-off-by: Martin Gignac <martin.gignac@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Don't colorize output if stderr is redirectedPhil Sutter2022-04-081-1/+1
| | | | | | | | Cover for calls with '2>/tmp/log' and avoid printing escape sequences to that file. One could still keep colored output on stdout, but that required a printing routine for non-errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: extend meta time coveragePablo Neira Ayuso2022-04-083-0/+52
| | | | | | Add meta time tests using < and > operands. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add inet/vmap testsPablo Neira Ayuso2022-03-294-0/+222
| | | | | | | Add a few tests with concatenations including raw and integer type expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add tcp option reset supportFlorian Westphal2022-02-283-0/+53
| | | | | | | This allows to replace a tcp option with nops, similar to the TCPOPTSTRIP feature of iptables. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: Test connlimit statementPhil Sutter2022-02-203-0/+30
| | | | | | This wasn't covered at all. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: remove redundant payload expressionsJeremy Sowden2022-01-153-21/+1
| | | | | | | | Now that we keep track of more payload dependencies, more redundant payloads are eliminated. Remove these from the Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/ip.t bridge payloadJeremy Sowden2022-01-151-1/+1
| | | | | | | | | | | | Correct the statement used to load the protocol in the bridge payload of one of the ip tests. A previous commit was supposed, in part, to do this, but the update got lost. Fixes: 4b8e51ea5fc8 ("tests: py: fix inet/ip.t payloads") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/ip_tcp.t testJeremy Sowden2022-01-152-2/+14
| | | | | | | | | | | | | | | | | | Contrary to the comment and expected output, nft does _not_ eliminate the redundant `ip protocol` expression from the second test. Dependency elimination requires a higher level expression. `ip saddr` cannot lead to the elimination of `ip protocol` since they are both L3 expressions. `tcp dport` cannot because although `ip saddr` and `ip protocol` both imply that the L3 protocol is `ip`, only protocol matches are stored as dependencies, so the redundancy is not apparent, and in fact, `payload_may_dependency_kill` explicitly checks for the combination of inet, bridge or netdev family, L4 expression and L3 ipv4 or ipv6 dependency and returns false. Correct the expected output and comment. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/ip.t payloadsJeremy Sowden2022-01-151-14/+0
| | | | | | | | | | In one of the bridge payloads, the wrong command is given to load the protocol. [ fw@strlen.de: remove the duplicated netdev payload ] Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/sets.t netdev payloadJeremy Sowden2022-01-151-3/+3
| | | | | | | | The netdev payload for one of the inet/sets.t tests was cut-and-pasted from the inet payload without being properly updated. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: reject: support ethernet as L2 protocol for inet tableJeremy Sowden2021-12-153-0/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we are evaluating a `reject` statement in the `inet` family, we may have `ether` and `ip` or `ip6` as the L2 and L3 protocols in the evaluation context: table inet filter { chain input { type filter hook input priority filter; ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject } } Since no `reject` option is given, nft attempts to infer one and fails: BUG: unsupported familynft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed. Aborted The reason it fails is that the ethernet protocol numbers for IPv4 and IPv6 (`ETH_P_IP` and `ETH_P_IPV6`) do not match `NFPROTO_IPV4` and `NFPROTO_IPV6`. Add support for the ethernet protocol numbers. Replace the current `BUG("unsupported family")` error message with something more informative that tells the user to provide an explicit reject option. Add a Python test case. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001360 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add tcp subtype match test casesFlorian Westphal2021-12-013-0/+78
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: add test cases for md5sig, fastopen and mptcp mnemonicsFlorian Westphal2021-12-013-0/+63
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: remove KIND keywordFlorian Westphal2021-12-013-67/+38
| | | | | | | | | | | | | | | | tcp option <foo> kind ... never makes any sense, as "tcp option <foo>" already tells the kernel to look for the foo <kind>. "tcp option sack kind 5" matches if the sack option is present; its a more complicated form of the simpler "tcp option sack exists". "tcp option sack kind 1" (or any other value than 5) will never match. So remove this. Test cases are converted to "exists". Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: Avoid duplicate records in *.got filesPhil Sutter2021-11-301-10/+19
| | | | | | | | | | If payloads don't contain family-specific bits, they may sit in a single *.payload file for all tested families. In such case, nft-test.py will consequently write dissenting payloads into a single *.got file. To avoid the duplicate entries, check if a matching record exists already before writing it out. Signed-off-by: Phil Sutter <phil@nwl.cc>
* parser_json: add raw payload inner header match supportPablo Neira Ayuso2021-11-173-0/+25
| | | | | | | Add missing "ih" base raw payload and extend tests/py to cover this new usecase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: remove netdev coverage in ip/ip_tcp.tPablo Neira Ayuso2021-11-122-96/+0
| | | | | | | | | | | | | The following tests shows a warning in the netdev family: ip/ip_tcp.t: WARNING: line 9: 'add rule netdev test-netdev ingress ip protocol tcp tcp dport 22': 'tcp dport 22' mismatches 'ip protocol 6 tcp dport 22' 'ip protocol tcp' can be removed in the ip family, but not in netdev. This test is specific of the ip family, remove the netdev lines. Fixes: 510c4fad7e78 ("src: Support netdev egress hook") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: missing json output update in ip6/meta.tPablo Neira Ayuso2021-11-121-0/+16
| | | | | | | Update json output for 'meta protocol ip6 udp dport 67'. Fixes: 646c5d02a5db ("rule: remove redundant meta protocol from the evaluation step") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: missing ip/snat.t json updatesPablo Neira Ayuso2021-11-122-0/+347
| | | | | | | Missing json update for new tests added recently. Fixes: 50780456a01a ("evaluate: check for missing transport protocol match in nat map with concatenations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: missing ip/dnat.t json updatesPablo Neira Ayuso2021-11-121-0/+333
| | | | | | | Missing json update for three new tests added recently. Fixes: 640dc0c8a3da ("tests: py: extend coverage for dnat with classic range representation") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update rawpayload.t.jsonPablo Neira Ayuso2021-11-082-5/+21
| | | | | | | Missing update of json test. Fixes: 6ad2058da66a ("datatype: add xinteger_type alias to print in hexadecimal") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: remove verdict from closing end intervalPablo Neira Ayuso2021-11-087-7/+7
| | | | | | | | | | | | | Kernel does not allow for NFT_SET_ELEM_INTERVAL_END flag and NFTA_SET_ELEM_DATA. The closing end interval represents a mismatch, therefore, no verdict can be applied. The existing payload files show the drop verdict when this is unset (because NF_DROP=0). This update is required to fix payload warnings in tests/py after libnftnl's ("set: use NFTNL_SET_ELEM_VERDICT to print verdict"). Fixes: 6671d9d137f6 ("mnl: Set NFTNL_SET_DATA_TYPE before dumping set elements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add xinteger_type alias to print in hexadecimalPablo Neira Ayuso2021-11-032-8/+8
| | | | | | | | | Add an alias of the integer type to print raw payload expressions in hexadecimal. Update tests/py. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: postpone transport protocol match check after nat expression ↵Pablo Neira Ayuso2021-11-033-0/+27
| | | | | | | | | evaluation Fix bogus error report when using transport protocol as map key. Fixes: 50780456a01a ("evaluate: check for missing transport protocol match in nat map with concatenations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: extend limit syntaxJeremy Sowden2021-11-033-0/+57
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The documentation describes the syntax of limit statements thus: limit rate [over] packet_number / TIME_UNIT [burst packet_number packets] limit rate [over] byte_number BYTE_UNIT / TIME_UNIT [burst byte_number BYTE_UNIT] TIME_UNIT := second | minute | hour | day BYTE_UNIT := bytes | kbytes | mbytes From this one might infer that a limit may be specified by any of the following: limit rate 1048576/second limit rate 1048576 mbytes/second limit rate 1048576 / second limit rate 1048576 mbytes / second However, the last does not currently parse: $ sudo /usr/sbin/nft add filter input limit rate 1048576 mbytes / second Error: wrong rate format add filter input limit rate 1048576 mbytes / second ^^^^^^^^^^^^^^^^^^^^^^^^^ Extend the `limit_rate_bytes` parser rule to support it, and add some new Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Support netdev egress hookLukas Wunner2021-10-2833-28/+2353
| | | | | | | | | Add userspace support for the netdev egress hook which is queued up for v5.16-rc1, complete with documentation and tests. Usage is identical to the ingress hook. Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Move netdev-specific tests to appropriate subdirectoryLukas Wunner2021-10-287-0/+0
| | | | | | | | The fwd and dup statements are specific to netdev hooks, so move their tests to the appropriate subdirectory. Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: check for missing transport protocol match in nat map with ↵Pablo Neira Ayuso2021-09-292-3/+25
| | | | | | | | | | | | | | | | concatenations Restore this error with NAT maps: # nft add rule 'ip ipfoo c dnat to ip daddr map @y' Error: transport protocol mapping is only valid after transport protocol match add rule ip ipfoo c dnat to ip daddr map @y ~~~~ ^^^^^^^^^^^^^^^ Allow for transport protocol match in the map too, which is implicitly pulling in a transport protocol dependency. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: don't adjust offsets of autogenerated dependency expressionsFlorian Westphal2021-09-294-0/+54
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pablo says: user reports that this is broken: nft --debug=netlink add rule bridge filter forward vlan id 100 vlan id set 200 [..] [ payload load 2b @ link header + 14 => reg 1 ] [..] [ payload load 2b @ link header + 28 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x0000c800 ] [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] offset says 28, it is assuming q-in-q, in this case it is mangling the existing header. The problem here is that 'vlan id set 200' needs a read-modify-write cycle because 'vlan id set' has to preserve bits located in the same byte area as the vlan id. The first 'payload load' at offset 14 is generated via 'vlan id 100', this part is ok. The second 'payload load' at offset 28 is the bogus one. Its added as a dependency, but then adjusted because nft evaluation considers this identical to 'vlan id 1 vlan id '2, where nft assumes q-in-q. To fix this, skip offset adjustments for raw expressions and mark the dependency-generated payload instruction as such. This is fine because raw payload operations assume that user specifies base/offset/length manually. Also add a test case for this. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: update ct expirationPablo Neira Ayuso2021-09-151-3/+3
| | | | | | | | Since 309785674b25 ("datatype: time_print() ignores -T"), time_type honors -T option. Given tests/py run in numeric format, this patch fixes a warning since the ct expiration is now expressed in seconds. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: rework range_expr_to_prefix()Pablo Neira Ayuso2021-09-093-0/+112
| | | | | | | | | Consolidate prefix calculation in range_expr_is_prefix(). Add tests/py for 9208fb30dc49 ("src: Check range bounds before converting to prefix"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: remove redundant meta protocol from the evaluation stepPablo Neira Ayuso2021-09-034-6/+2
| | | | | | | | | | | | | 567ea4774e13 ("netlink_delinearize: incorrect meta protocol dependency kill") does not document two cases that are handled in this patch: - 'meta protocol ip' is removed if used in the ip family. - 'meta protocol ip6' is removed if used in the ip6 family. This patch removes this redundancy earlier, from the evaluation step before netlink bytecode generation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: incorrect meta protocol dependency killPablo Neira Ayuso2021-08-2612-0/+253
| | | | | | | | meta protocol is meaningful in bridge, netdev and inet families, do not remove this. Fixes: 056aaa3e6dc6 ("netlink_delinearize: Refactor meta_may_dependency_kill()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Optimize prefix match only if is big-endianXiao Liang2021-08-233-0/+27
| | | | | | | | | | | A prefix of integer type is big-endian in nature. Prefix match can be optimized to truncated 'cmp' only if it is big-endian. [ Add one tests/py for this use-case --pablo ] Fixes: 25338cdb6c77 ("src: Optimize prefix matches on byte-boundaries") Signed-off-by: Xiao Liang <shaw.leon@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: queue: consolidate queue statement syntaxPablo Neira Ayuso2021-08-203-8/+113
| | | | | | | | | | | | Print queue statement using the 'queue ... to' syntax to consolidate the syntax around Florian's proposal introduced in 6cf0f2c17bfb ("src: queue: allow use of arbitrary queue expressions"). Retain backward compatibility, 'queue num' syntax is still allowed. Update and add new tests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: skip flags / mask notation for singleton bitmask againPablo Neira Ayuso2021-08-153-0/+30
| | | | | | | != operation should also be covered too. Fixes: 347a4aa16e64 ("netlink_delinearize: skip flags / mask notation for singleton bitmask") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Make netns spawning more robustPhil Sutter2021-08-111-6/+34
| | | | | | | On systems without unshare Python module, try to call unshare binary with oneself as parameters. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tcpopt: bogus assertion on undefined optionsPablo Neira Ayuso2021-08-113-0/+23
| | | | | | | | | | # nft add rule x y tcp option 6 exists # nft list ruleset nft: tcpopt.c:208: tcpopt_init_raw: Assertion `expr->exthdr.desc != NULL' failed. Aborted Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1557 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: check more flag match transformations to compact syntaxPablo Neira Ayuso2021-07-283-0/+193
| | | | | | Add a few more tests to extend coverage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: tcp flags & (fin | syn | rst | ack) == synPablo Neira Ayuso2021-07-283-0/+36
| | | | | | Add a test case to cover translation to tcp flags syn / fin,syn,rst,ack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: skip flags / mask notation for singleton bitmaskPablo Neira Ayuso2021-07-283-0/+31
| | | | | | | | Do not transform 'tcp flags & flag == flag' to 'flag / flag'. The parser does not accept this notation yet. Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: idempotent tcp flags & syn != 0 to tcp flag synPablo Neira Ayuso2021-07-273-0/+25
| | | | | | Add a test to cover this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: disallow negation with binary operationPablo Neira Ayuso2021-07-271-0/+1
| | | | | | | | | | | | | The negation was introduced to provide a simple shortcut. Extend e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") to disallow negation with binary operations too. # nft add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) ! syn' Error: cannot combine negation with binary expression add rule meh tcp_flags tcp flags & (fin | syn | rst | ack) ! syn ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: incorrect netlink bytecode with binary operation and flagsPablo Neira Ayuso2021-07-273-0/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | nft generates incorrect bytecode when combining flag datatype and binary operations: # nft --debug=netlink add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) syn' ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] Note the double bitwise expression. The last two expressions are not correct either since it should match on the syn flag, ie. 0x2. After this patch, netlink bytecode generation looks correct: # nft --debug=netlink add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) syn' ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000002 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: missing != in flagcmp expression print functionPablo Neira Ayuso2021-07-273-0/+34
| | | | | | | Missing != when printing the expression. Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>