nftables - nft command line tool

	Commit message (Collapse)	Author	Age	Files	Lines
*	tests/shell: cleanup creating dummy interfaces in tests	Thomas Haller	2023-09-18	1	-5/+7
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	In "tests/shell/testcases/chains/netdev_chain_0", calling "trap ... EXIT" multiple times does not work. Fix it, by calling one cleanup function. Note that we run in separate namespaces, so the cleanup is usually not necessary. Still do it, we might want to run without unshare (via NFT_TEST_UNSHARE_CMD=""). Without unshare, it's important that the cleanup always works. In practice it might not, for example, "trap ... EXIT" does not run for SIGTERM. A leaked interface might break the follow up test and tests interfere with each other. Try to workaround that by first trying to delete the interface. Also failures to create the interfaces are not considered fatal. I don't understand under what circumstances this might fail, note that there are other tests that create dummy interface and don't "exit 77" on failure. We want to know when something odd is going on. Signed-off-by: Thomas Haller <thaller@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
*	tests/shell: skip tests if nft does not support JSON mode	Thomas Haller	2023-09-09	7	-1/+20
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	We can build nft without JSON support, and some tests will fail without it. Instead, they should be skipped. Also note, that the test accepts any nft binary via the "NFT" environment variable. So it's not enough to make the skipping dependent on build configuration, but on the currently used $NFT variable. Let "run-test.sh" detect and export a "NFT_TEST_HAVE_json=y\|n" variable. This is heavily inspired by Florian's feature probing patches. Tests that require JSON can check that variable, and skip. Note that they check in the form of [ "$NFT_TEST_HAVE_json" != n ], so the test is only skipped, if we explicitly detect lack of support. That is, don't check via [ "$NFT_TEST_HAVE_json" = y ]. Some of the tests still run parts of the tests that don't require JSON. Only towards the end of such partial run, mark the test as skipped. Some tests require JSON support throughout. For those, add a mechanism where tests can add a tag (in their first 10 lines): # NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) This will be checked by "test-wrapper.sh", which will skip the test. The purpose of this is to make it low-effort to skip a test and to print the reason in the text output as Test skipped due to NFT_TEST_HAVE_json=n (test has "NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)" tag) This is intentionally not shortened to NFT_TEST_REQUIRES(json), so that we can grep for NFT_TEST_HAVE_json to find all relevant places. Note that while NFT_TEST_HAVE_json is autodetected, the caller can also force it by setting the environment variable. This allows to see what would happen to such a test. Signed-off-by: Thomas Haller <thaller@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
*	tests/shell: generate and add ".nft" dump files for existing tests	Thomas Haller	2023-09-09	1	-0/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Several tests didn't have a ".nft" dump file committed. Generate one and commit it to git. While not all tests have a stable ruleset to compare, many have. Commit the .nft files for the tests where the output appears to be stable. This was generated by running `./tests/shell/run-tests.sh -g` twice, and commit the files that were identical both times. Note that 7 tests on my machine fail, so those are skipped. Also skip the files tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nft tests/shell/testcases/nft-f/dumps/0011manydefines_0.nft tests/shell/testcases/sets/dumps/0011add_many_elements_0.nft tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nft tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nft Those files are larger than 100KB, and I don't think we want to blow up the git repository this way. Even if they are only text files and compress well. Signed-off-by: Thomas Haller <thaller@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
*	tests/shell: return 77/skip for tests that fail to create dummy device	Thomas Haller	2023-09-08	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \|	There are some existing tests, that skip operation when they fail to create a dummy interface. Use the new exit code 77 to indicate "SKIPPED". I wonder why creating a dummy device would ever fail and why we don't just fail the test altogether in that case. But the patch does not change that. Signed-off-by: Thomas Haller <thaller@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
*	json: add stateful object comment support	Fernando Fernandez Mancera	2022-09-16	2	-0/+15
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When listing a stateful object with JSON support, the comment was ignored. Output example: { "counter": { "family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0 } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1611 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	json: add secmark object reference support	Fernando Fernandez Mancera	2022-09-16	2	-0/+27
\| \| \| \| \| \| \| \| \|	The secmark object reference requires a json parser function and it was missing. In addition, extends the shell testcases. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1630 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	json: fix json schema version verification	Fernando Fernandez Mancera	2022-09-03	4	-0/+20
\| \| \| \| \| \| \| \| \| \|	nft should ignore malformed or missing entries of `json_schema_version` but check the value when it is integer. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1490 Fixes: 49e0f1dc6e52 ("JSON: Add metainfo object to all output") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	json: add table map statement support	Fernando Fernandez Mancera	2022-09-03	2	-0/+15
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When listing a map with statements with JSON support, the statement list were ignored. Output example: { "map": { "family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [ { "counter": { "packets": 0, "bytes": 0 } } ] } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1588 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	json: add set statement list support	Fernando Fernandez Mancera	2022-09-01	2	-0/+21
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When listing a set with statements with JSON support, the statements were ignored. Output example: { "set": { "op": "add", "elem": { "payload": { "protocol": "ip", "field": "saddr" } }, "stmt": [ { "limit": { "rate": 10, "burst": 5, "per": "second" } }, { "counter": { "packets": 0, "bytes": 0 } } ], "set": "@my_ssh_meter" } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1495 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	parser_json: fix device parsing in netdev family	Pablo Neira Ayuso	2022-08-02	1	-0/+19
	json_unpack() function is not designed to take a pre-allocated buffer. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1612 Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>