path: root/tests/regression
Commit message | Author | Age | Files | Lines

* tests: add inet test for ip/ether concatenation
  Author: Florian Westphal, Age: 2015-11-10, Files: 4, Lines: -0/+42

  Test rule from Pablo, it caused assertion failure with earlier versions
  of nft (caused by 7ead4932f9ab, later fixed via 775e7ff1f5ddaa32).

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: add test cases for ethernet header matching
  Author: Florian Westphal, Age: 2015-11-06, Files: 8, Lines: -0/+200

  Adds ether saddr statements for inet, bridge and ip/ip6 families.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: add tests matching on ether saddr for inet, bridge, ip, ip6
  Author: Florian Westphal, Age: 2015-11-06, Files: 5, Lines: -0/+227

  Signed-off-by: Florian Westphal <fw@strlen.de>

* src: add interface wildcard matching
  Author: Pablo Neira Ayuso, Age: 2015-11-02, Files: 2, Lines: -0/+24

  Contrary to iptables, we use the asterisk character '*' as wildcard.

    # nft --debug=netlink add rule test test iifname eth\*
    ip test test
      [ meta load iifname => reg 1 ]
      [ cmp eq reg 1 0x00687465 ]

  Note that this generates an optimized comparison without bitwise.

  In case you want to match a device that contains an asterisk, you have
  to escape the asterisk, i.e.

    # nft add rule test test iifname eth\\*

  The wildcard string handling occurs from the evaluation step, where we
  convert from:

            relational
              /    \
             /      \
          meta     value
        oifname     eth*

  to:

            relational
              /    \
             /      \
          meta     prefix
        oifname

  As Patrick suggested, this is not actually a wildcard but a prefix since
  it only applies to the string when placed at the end.

  More comments:

  * This relaxes the left->size > right->size from netlink_parse_cmp() for
    strings since the optimization that this patch applies may now result
    in bogus errors.

  * This patch can be later on extended to apply a similar optimization to
    payload expressions when:

      expr->len % BITS_PER_BYTE == 0

    For meta and ct, the kernel checks for the exact length of the
    attributes (it expects integer 32 bits) so we can't do it unless we
    relax that.

  * Wildcard strings are not supported from sets and maps yet. Error
    reporting is not very good at this stage since expr_evaluate_prefix()
    doesn't have enough context (ctx->set is NULL, the set object is
    currently created later after evaluating the lhs and rhs of the
    relational). I'll be following up on this later.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: add tests for dup
  Author: Pablo Neira Ayuso, Age: 2015-09-30, Files: 5, Lines: -0/+80

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: limit: extend them to validate new bytes/second and burst parameters
  Author: Pablo Neira Ayuso, Age: 2015-09-23, Files: 2, Lines: -6/+63

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* vlan: make != tests work
  Author: Florian Westphal, Age: 2015-09-18, Files: 2, Lines: -0/+12

* tests: vlan tests
  Author: Florian Westphal, Age: 2015-09-18, Files: 2, Lines: -0/+223

  Add a few regression tests that match vlan id/dei/pcp fields of the
  vlan header.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: add tests for ip version/hdrlength/tcp doff
  Author: Florian Westphal, Age: 2015-09-18, Files: 7, Lines: -0/+78

  Header fields of 4 bit lengths. Requires implicit masks and shifting of
  RHS constant.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: don't depend on set element order
  Author: Florian Westphal, Age: 2015-09-18, Files: 2, Lines: -1/+30

  Pablo reported test failures because the order of returned set entries
  is not deterministic. This sorts set elements before comparison.

  Patrick suggested to move ordering into libnftnl (since we could f.e.
  also get duplicate entries due to how netlink dumps work), but that's a
  bit more work. Hence this quick workaround.

  Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: add concatenations and maps; combine them too
  Author: Pablo Neira Ayuso, Age: 2015-09-11, Files: 8, Lines: -0/+118

  This patch adds simple tests for concatenation and maps, including more
  advanced tests that combine them.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: display error when trying to run tests out of the root directory
  Author: Pablo Neira Ayuso, Age: 2015-09-07, Files: 1, Lines: -0/+5

  Since 357d8cfcceb2 ("tests: use the src/nft binary instead of $PATH
  one"), the tests fail if you try to run them if you are not under the
  root directory of the nftables repository.

  Display an error so I don't forget I have to do it like this.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: add 'awkward' prefix match expression
  Author: Florian Westphal, Age: 2015-08-23, Files: 3, Lines: -0/+17

  It's just a more complicated way of saying 'ip saddr 255.255.0.0/16'.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: use the src/nft binary instead of $PATH one
  Author: Florian Westphal, Age: 2015-08-23, Files: 1, Lines: -17/+18

  ... so one doesn't need to install new binary into $PATH (or change
  PATH... ) during development.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: redirect: fix payload display
  Author: Pablo Neira Ayuso, Age: 2015-08-18, Files: 2, Lines: -33/+33

  This has to be related to libnftnl's 0edeb667a2cf ("expr: redir: fix
  snprintf to return the number of bytes printed").

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: sets: don't include listing in payload tests
  Author: Pablo Neira Ayuso, Age: 2015-08-18, Files: 4, Lines: -6/+0

  Since e715f6d1241c ("netlink: don't call netlink_dump_*() from listing
  functions with --debug=netlink"), there is no debugging from the listing
  path. Thus, we can remove the set line from the test files.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: add two test cases using binop w. payload
  Author: Florian Westphal, Age: 2015-08-07, Files: 3, Lines: -0/+31

    [ payload load 4b @ network header + 12 => reg 1 ]
    [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
    [ cmp eq reg 1 ...

  .. to make sure that later support to match header elements that have
  odd (non-byte aligned) lengths/offsets doesn't erroneously eliminate
  explicitly added binops while searching expressions for implicit binops.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: validate generated netlink instructions
  Author: Florian Westphal, Age: 2015-07-20, Files: 65, Lines: -5/+11259

  Compare netlink instructions generated by given nft command line with
  recorded version.

  Example: udp dport 80 accept in ip family should look like

    ip test-ip4 input
      [ payload load 1b @ network header + 9 => reg 1 ]
      [ cmp eq reg 1 0x00000011 ]
      [ payload load 2b @ transport header + 2 => reg 1 ]
      [ cmp eq reg 1 0x00005000 ]
      [ immediate reg 0 accept ]

  This is stored in udp.t.payload.ip

  Other suffixes:
    .payload.ip6
    .payload.inet
    .payload ('any')

  The test script first looks for 'testname.t.payload.$family', if that
  doesn't exist 'testname.t.payload' is used.

  This allows for family independent tests (e.g. meta), where we don't
  expect/have any family specific expressions.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: meta: use root for uid/gid checks
  Author: Florian Westphal, Age: 2015-07-16, Files: 1, Lines: -8/+8

  I get failures here since 'man' has different uid vs. what test suite
  expects. Furthermore, this box does not have a 'backup' user.

  Switch to root/bin/daemon -- those exist on both debian and fedora.

  After this meta.t passes on all my machines.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: avoid more warnings
  Author: Florian Westphal, Age: 2015-07-15, Files: 5, Lines: -11/+11

    ... 2001:838:35f:1::-2001:838:35f:2:: :80-100' mismatches
    ... 2001:838:35f:1::-2001:838:35f:2:::80-100'

  nft accepts both, so just alter test to not complain.

  Also, fix test script to display the expected output rather than the
  input. Otherwise, a rule like

    some_input;ok;expected_output

  may display nonsensical message like

    warning: some_input mismatches some_input

  This also fixes the icmpv6 test accordingly, nft displays ranges
  correctly.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: regression: ip6: reduce warning noise
  Author: Pablo Neira Ayuso, Age: 2015-06-13, Files: 2, Lines: -23/+24

  getnameinfo() displays this:

    ::1234:1234:1234:1234:1234:1234:1234

  as:

    0:1234:1234:1234:1234:1234:1234:1234

  which is basically equivalent. nft accepts both inputs.

  So add some exceptions to the tests to reduce the amount of noise in the
  tests, so we can focus on real problems.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* proto: use bitmask_type for comp flags
  Author: Pablo Neira Ayuso, Age: 2015-06-05, Files: 1, Lines: -1/+1

  I think flags should be displayed in hexadecimal and should be handled
  as a bitmask.

    inet/comp.t: WARNING: line: 15: 'nft add rule ip test-ip4 input comp flags 0x00': 'comp flags 0x00' mismatches 'comp flags 0'
    inet/comp.t: WARNING: line: 16: 'nft add rule ip test-ip4 input comp flags != 0x23': 'comp flags != 0x23' mismatches 'comp flags != 35'
    inet/comp.t: WARNING: line: 17: 'nft add rule ip test-ip4 input comp flags 0x33-0x45': 'comp flags 0x33-0x45' mismatches 'comp flags 51-69'
    inet/comp.t: WARNING: line: 18: 'nft add rule ip test-ip4 input comp flags != 0x33-0x45': 'comp flags != 0x33-0x45' mismatches 'comp flags != 51-69'
    inet/comp.t: WARNING: line: 19: 'nft add rule ip test-ip4 input comp flags {0x33, 0x55, 0x67, 0x88}': 'comp flags {0x33, 0x55, 0x67, 0x88}' mismatches 'comp flags { 103, 85, 51, 136}'
    inet/comp.t: WARNING: line: 21: 'nft add rule ip test-ip4 input comp flags { 0x33-0x55}': 'comp flags { 0x33-0x55}' mismatches 'comp flags { 51-85}'

  rfc3173 says that this is unused for future use though.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: fix NAT tests
  Author: Pablo Neira Ayuso, Age: 2015-06-02, Files: 4, Lines: -9/+20

  snat can be only used from prerouting and input, and dnat from output
  and postrouting.

    ip/nat.t: ERROR: line 12: nft add rule ip test-ip4 output iifname eth0 tcp sport 23-34 snat 192.168.3.2: This rule should not have failed.

  Split the test file as they require different chain configuration.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: fix warnings related to range listing
  Author: Pablo Neira Ayuso, Age: 2015-06-02, Files: 24, Lines: -182/+180

  Fix lots of warnings, mostly related to the listing of ranges in many of
  the tests that we have, eg.

    any/meta.t: WARNING: line: 30: 'nft add rule ip test-ip4 input meta l4proto 33-45': 'meta l4proto 33-45' mismatches 'meta l4proto 33-45'
    any/meta.t: WARNING: line: 31: 'nft add rule ip test-ip4 input meta l4proto != 33-45': 'meta l4proto != 33-45' mismatches 'meta l4proto != 33-45'
    any/meta.t: WARNING: line: 99: 'nft add rule ip test-ip4 input meta skuid 3001-3005 accept': 'meta skuid 3001-3005 accept' mismatches 'skuid 3001-3005 accept'
    any/meta.t: WARNING: line: 100: 'nft add rule ip test-ip4 input meta skuid != 2001-2005 accept': 'meta skuid != 2001-2005 accept' mismatches 'skuid != 2001-2005 accept'
    any/meta.t: WARNING: line: 111: 'nft add rule ip test-ip4 input meta skgid 2001-2005 accept': 'meta skgid 2001-2005 accept' mismatches 'skgid 2001-2005 accept'
    any/meta.t: WARNING: line: 112: 'nft add rule ip test-ip4 input meta skgid != 2001-2005 accept': 'meta skgid != 2001-2005 accept' mismatches 'skgid != 2001-2005 accept'
    any/meta.t: WARNING: line: 156: 'nft add rule ip test-ip4 input meta cpu 1-3': 'meta cpu 1-3' mismatches 'cpu 1-3'
    any/meta.t: WARNING: line: 158: 'nft add rule ip test-ip4 input meta cpu != 1-2': 'meta cpu != 1-2' mismatches 'cpu != 1-2'
    any/meta.t: WARNING: line: 187: 'nft add rule ip test-ip4 input meta cgroup 0x100001 - 0x100003': 'meta cgroup 0x100001 - 0x100003' mismatches 'cgroup 1048577-1048579'
    ...

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: reduce code duplication a bit on error reporting
  Author: Pablo Neira Ayuso, Age: 2015-06-02, Files: 1, Lines: -12/+7

  Consolidate print_err() and print_warning() into print_msg() to reduce
  code duplication.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft-test: don't use colors if output is not a tty
  Author: Patrick McHardy, Age: 2015-03-25, Files: 1, Lines: -6/+12

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* tests: regression: fix bogus warnings in any/mark.t
  Author: Pablo Neira Ayuso, Age: 2015-03-18, Files: 1, Lines: -8/+8

  'meta mark set 10' is a valid input, but the expected output is
  'mark set 10'.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: masquerade is only allowed from postrouting
  Author: Pablo Neira Ayuso, Age: 2015-03-18, Files: 2, Lines: -2/+0

  Disable the tests from the output chain, the kernel rejects this with
  operation not supported.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: consider policy in base chain
  Author: Arturo Borrero, Age: 2015-03-18, Files: 1, Lines: -2/+2

  nft now prints the default chain policy, consider this when parsing the
  output to find mismatches.

  Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: fix typo in README
  Author: Eric Leblond, Age: 2015-03-02, Files: 1, Lines: -1/+1

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: register pkttype_type datatype
  Author: Pablo Neira Ayuso, Age: 2015-02-01, Files: 1, Lines: -1/+1

  Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=995
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: revisit chain tests
  Author: Pablo Neira Ayuso, Age: 2014-12-22, Files: 4, Lines: -14/+8

  Make sure chain support doesn't stop working. Remove some minor mistakes
  and out of scope tests from chain*.t

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: named sets work
  Author: Pablo Neira Ayuso, Age: 2014-12-22, Files: 1, Lines: -4/+3

  Those tests work already, enable them.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: log.t: this works for bridge and arp since 3.17
  Author: Pablo Neira Ayuso, Age: 2014-12-14, Files: 1, Lines: -5/+4

  So test the log statement for those two families too and remove the
  tests/selectors that are ip and ip6 specific, they don't belong here.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: simplify run_test_file() in case `-e' is used
  Author: Pablo Neira Ayuso, Age: 2014-12-14, Files: 1, Lines: -15/+1

  Avoid copy&paste coding style pattern by simplifying the code that
  handles the `-e' option that allows us to run known broken tests.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: fix wrong number of test files
  Author: Pablo Neira Ayuso, Age: 2014-12-14, Files: 1, Lines: -1/+2

  Always increment the test file counter for each test file in the list.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* parser: use 'redirect to PORT' instead of 'redirect :PORT'
  Author: Pablo Neira Ayuso, Age: 2014-12-12, Files: 2, Lines: -21/+21

  Small syntax update suggested by Patrick.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: redirect.t: fix bogus errors
  Author: Pablo Neira Ayuso, Age: 2014-12-12, Files: 2, Lines: -2/+2

  Separate values in set, otherwise bash interprets the brackets and the
  test reports an error.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: adapt nat tests to use random-fully
  Author: Pablo Neira Ayuso, Age: 2014-12-12, Files: 4, Lines: -27/+27

  This adapts tests to the change that happened in d9a9a79 ('stmt: rename
  nat "random-fully" option to "fully-random"').

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: any/ct: remove wrong output
  Author: Pablo Neira Ayuso, Age: 2014-12-01, Files: 1, Lines: -2/+2

  ct mark 0x32-0x45 displays:

    ct mark >= 0x00000032 ct mark <= 0x00000045
                                     ^^^^^^^^^^
  instead of

    ct mark <= 0x45000000
               ^^^^^^^^^^

  Remove the custom output so this displays a warning. nft should (at some
  point) merge the two statements into one single to express the range
  from the netlink_delinearize step.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: fix "Listing is broken" instead of output mismatch
  Author: Pablo Neira Ayuso, Age: 2014-12-01, Files: 1, Lines: -9/+6

  If the output string doesn't match the input, indicate that the output
  mismatches instead of the misleading "Listing is broken".

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* datatype: relax datatype check in integer_type_parse()
  Author: Pablo Neira Ayuso, Age: 2014-11-30, Files: 1, Lines: -0/+3

  Otherwise parsing with basetypes doesn't work. Now nft displays an error
  when the symbolic constant is not correct:

    <cmdline>:1:29-31: Error: Could not parse conntrack state
    add rule test test ct state xxx accept
                                ^^^

  Use .sym_tbl instead and default on the symbol_constant_parse() function
  from the ethertype and pkttype, this simplifies the code and (more
  importantly) it avoids a breakage after the change in
  integer_type_parse().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* datatype: fix crash when using basetype instead of symbolic constants
  Author: Pablo Neira Ayuso, Age: 2014-11-28, Files: 1, Lines: -0/+1

  The following example:

    # nft add rule filter input ct state 8 accept
    Segmentation fault

  leads to a crash because we have the following datatype relation:

    ct_state -> bitmask -> integer

  The bitmask, which is an intermediate basetype, has no parse() function,
  this leads to a crash in symbolic_constant_parse().

  Patrick suggested to walk down the chain until we find a parser function.

  Reported-by: leroy christophe <christophe.leroy@c-s.fr>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: test masquerade from nat/postrouting too
  Author: Pablo Neira Ayuso, Age: 2014-11-24, Files: 2, Lines: -0/+2

  We can specify several chains in the tests, so test this from
  postrouting too.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: fix bogus error due to bash
  Author: Pablo Neira Ayuso, Age: 2014-11-24, Files: 3, Lines: -4/+4

  This suppresses several superfluous errors:

    any/meta.t: ERROR: line 168: nft add rule ip test-ip4 input meta iifgroup {11,33}: This rule should not have failed.
    any/meta.t: ERROR: line 178: nft add rule ip test-ip4 input meta oifgroup {11,33}: This rule should not have failed.
    ip/masquerade.t: ERROR: line 23: nft add rule ip4 test-ip4 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
    ip6/masquerade.t: ERROR: line 23: nft add rule ip6 test-ip6 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.

  This needs a space before the list of elements in the set, otherwise
  bash here misinterprets the set.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: don't use -nnn for non-list commands
  Author: Pablo Neira Ayuso, Age: 2014-11-23, Files: 1, Lines: -3/+3

  Not useful, they just bloat the nft-tests.py output.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: regression: any/queue.t: use new syntax
  Author: Pablo Neira Ayuso, Age: 2014-11-23, Files: 1, Lines: -1/+1

  queue options are now expressed as flags, so you have to use comma
  separated values.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: Add cgroup support in meta expression
  Author: Ana Rey, Age: 2014-11-10, Files: 1, Lines: -0/+9

  The new attribute of meta is "cgroup".

  Example of use in nft:

    # nft add rule ip test output meta cgroup != 0x100001 counter drop

  Moreover, this adds tests to the meta.t test file.

  The kernel support is added in the commit:
  ce67417 ("netfilter: nft_meta: add cgroup support")

  The libnftnl support is added in the commit:
  1d4a480 ("expr: meta: Add cgroup support")

  More information about the steps to use cgroup:
  https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt

  More info about cgroup in iptables:
  http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* parser: allow both nat_flags and port specification in redirect
  Author: Arturo Borrero, Age: 2014-11-09, Files: 2, Lines: -8/+14

  This patch changes the parser to permit both nat_flags and port
  specification in the redirect expression.

  The resulting syntax is:

    % nft add rule nat prerouting redirect [port] [nat_flags]

  The port specification requires a bit of context regarding the transport
  protocol. Some examples:

    % nft add rule nat prerouting tcp dport 22 redirect :23
    % nft add rule add prerouting udp dport 53 redirect :5353

  The nat_flags argument is the last argument:

    % nft add rule nat prerouting tcp dport 80 redirect :8080 random

  The port specification can be a range:

    % nft add rule nat prerouting tcp dport 80 redirect :8080-8090 random

  While at it, the regression tests files are updated.

  Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests/regression: redirect: fix invalid syntax
  Author: Arturo Borrero, Age: 2014-11-09, Files: 2, Lines: -55/+55

  This patch fixes invalid syntax in the redirect test files.

  I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>