| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
[ cmp eq reg 1 ...
.. to make sure that later support to match header elements that have odd
(non-byte aligned) lengths/offsets doesn't erronously eliminate explicitly
added binops while searching expressions for implicit binops.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
compare netlink instructions generated by given nft command line
with recorded version.
Example: udp dport 80 accept in ip family should look like
ip test-ip4 input
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000011 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00005000 ]
[ immediate reg 0 accept ]
This is stored in udp.t.payload.ip
Other suffixes:
.payload.ip6
.payload.inet
.payload ('any')
The test script first looks for 'testname.t.payload.$family', if that
doesn't exist 'testname.t.payload' is used.
This allows for family independent test (e.g. meta), where we don't
expect/have any family specific expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
snat can be only used from prerouting and input, and dnat from output and
postrouting.
ip/nat.t: ERROR: line 12: nft add rule ip test-ip4 output iifname eth0 tcp sport 23-34 snat 192.168.3.2: This rule should not have failed.
Split the test file as they require different chain configuration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix lots of warnings, mostly related to the listing of ranges in many of the
tests that we have, eg.
any/meta.t: WARNING: line: 30: 'nft add rule ip test-ip4 input meta l4proto 33-45': 'meta l4proto 33-45' mismatches 'meta l4proto 33-45'
any/meta.t: WARNING: line: 31: 'nft add rule ip test-ip4 input meta l4proto != 33-45': 'meta l4proto != 33-45' mismatches 'meta l4proto != 33-45'
any/meta.t: WARNING: line: 99: 'nft add rule ip test-ip4 input meta skuid 3001-3005 accept': 'meta skuid 3001-3005 accept' mismatches 'skuid 3001-3005 accept'
any/meta.t: WARNING: line: 100: 'nft add rule ip test-ip4 input meta skuid != 2001-2005 accept': 'meta skuid != 2001-2005 accept' mismatches 'skuid != 2001-2005 accept'
any/meta.t: WARNING: line: 111: 'nft add rule ip test-ip4 input meta skgid 2001-2005 accept': 'meta skgid 2001-2005 accept' mismatches 'skgid 2001-2005 accept'
any/meta.t: WARNING: line: 112: 'nft add rule ip test-ip4 input meta skgid != 2001-2005 accept': 'meta skgid != 2001-2005 accept' mismatches 'skgid != 2001-2005 accept'
any/meta.t: WARNING: line: 156: 'nft add rule ip test-ip4 input meta cpu 1-3': 'meta cpu 1-3' mismatches 'cpu 1-3'
any/meta.t: WARNING: line: 158: 'nft add rule ip test-ip4 input meta cpu != 1-2': 'meta cpu != 1-2' mismatches 'cpu != 1-2'
any/meta.t: WARNING: line: 187: 'nft add rule ip test-ip4 input meta cgroup 0x100001 - 0x100003': 'meta cgroup 0x100001 - 0x100003' mismatches 'cgroup 1048577-1048579'
...
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Disable the tests from the output chain, the kernel rejects this with
operation not supported.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Make sure support chain don't stop working.
Remove some minor mistakes and out of scope tests from chain*.t
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Those tests work already, enable them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Small syntax update suggested by Patrick.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Separate values in set, otherwise bash interprets the brackets
and the test reports an error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This adapts test to the change that happened in d9a9a79 ('stmt: rename
nat "random-fully" option to "fully-random"').
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
We can specify several chains in the tests, so test this from
postrouting too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This suppresses several superfluous errors:
any/meta.t: ERROR: line 168: nft add rule ip test-ip4 input meta iifgroup {11,33}: This rule should not have failed.
any/meta.t: ERROR: line 178: nft add rule ip test-ip4 input meta oifgroup {11,33}: This rule should not have failed.
ip/masquerade.t: ERROR: line 23: nft add rule ip4 test-ip4 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
ip6/masquerade.t: ERROR: line 23: nft add rule ip6 test-ip6 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
This needs a space before the list of elements in the set, otherwise
bash here misinterprets the set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes the parser to permit both nat_flags and port specification
in the redirect expression.
The resulting syntax is:
% nft add rule nat prerouting redirect [port] [nat_flags]
The port specification requires a bit of context regardin the transport
protocol. Some examples:
% nft add rule nat prerouting tcp dport 22 redirect :23
% nft add rule add prerouting udp dport 53 redirect :5353
The nat_flags argument is the last argument:
% nft add rule nat prerouting tdp dport 80 redirect :8080 random
The port specification can be a range:
% nft add rule nat prerouting tcp dport 80 redirect :8080-8090 random
While at it, the regression tests files are updated.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch fixes invalid syntax in the redirect test files.
I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch fixes invalid syntax in the masquerade test files.
I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds redirect support for nft.
The syntax is:
% nft add rule nat prerouting redirect [port] [nat_flags]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Let's test the new masquerade option in nftables.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
"ip" folder contains the test files that are executed in ip and inet
family of tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|