summaryrefslogtreecommitdiffstats
path: root/tests/shell/testcases
Commit message (Collapse)AuthorAgeFilesLines
* tests: shell: set element multi-statement supportPablo Neira Ayuso2020-12-184-0/+93
| | | | | | | | | This patch adds two tests to add multistatement support: - Dynamic set updates from packet path. - Set that is updated from the control plane. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: timeouts later than 23 daysPablo Neira Ayuso2020-12-082-0/+29
| | | | | | | Test timeout later than 23 days in set definitions and dynamic set insertions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: reply netlink error message might be larger than MNL_SOCKET_BUFFER_SIZEPablo Neira Ayuso2020-12-041-0/+18
| | | | | | | | | | | | | | | | | Netlink attribute maximum size is 65536 bytes (given nla_len is 16-bits). NFTA_SET_ELEM_LIST_ELEMENTS stores as many set elements as possible that can fit into this netlink attribute. Netlink messages with NLMSG_ERROR type originating from the kernel contain the original netlink message as payload, they might be larger than 65536 bytes. Add NFT_MNL_ACK_MAXSIZE which estimates the maximum Netlink header coming as (error) reply from the kernel. This estimate is based on the maximum netlink message size that nft sends from userspace. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1464 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to restore limit from dynamic setPablo Neira Ayuso2020-12-041-0/+19
| | | | | | | Update parser to allow to restore limit per set element in dynamic set. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Improve fix in sets/0036add_set_element_expiration_0Phil Sutter2020-10-311-1/+1
| | | | | | | | | | Explicitly eliminate the newgen message from output instead of just the last line to make sure no other output is dropped by accident. This also allows the test to pass in unpatched kernels which do not emit the newgen message despite NLM_F_ECHO if no netlink listeners are present. Fixes: 46b54fdcf266d ("Revert "monitor: do not print generation ID with --echo"") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: exercise validation with nft -cPablo Neira Ayuso2020-10-311-0/+12
| | | | | | | Using oif in fib from prerouting is not support, make sure -c reports an error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "monitor: do not print generation ID with --echo"Pablo Neira Ayuso2020-10-231-1/+1
| | | | | | | | | | | | | Revert 0e258556f7f3 ("monitor: do not print generation ID with --echo"). There is actually a kernel bug which is preventing from displaying this generation ID message. Update the tests/shell to remove the last line of the --echo output which displays the generation ID once the "netfilter: nftables: fix netlink report logic in flowtable and genid" kernel fix is applied. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ingress inet supportPablo Neira Ayuso2020-10-132-0/+29
| | | | | | | | | | | | | | | | | | Add support for inet ingress chains. table inet filter { chain ingress { type filter hook ingress device "veth0" priority filter; policy accept; } chain input { type filter hook input priority filter; policy accept; } chain forward { type filter hook forward priority filter; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for chainsJose M. Guisado Gomez2020-09-302-0/+17
| | | | | | | | | | | | | | | | | | | | This patch enables the user to specify a comment when adding a chain. Relies on kernel space supporting userdata for chains. > nft add table ip filter > nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; } > list ruleset table ip filter { chain input { comment "test" type filter hook input priority filter; policy accept; } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Combining --terse with --json has no effectGopal Yadav2020-09-221-0/+12
| | | | | | | | --terse with --json is ignored, fix this. This patch also includes a test. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1388 Signed-off-by: Gopal Yadav <gopunop@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: fail when specifying multiple commentsJose M. Guisado Gomez2020-09-141-0/+97
| | | | | | | | | | | | | | | | | | | | Before this patch grammar supported specifying multiple comments, and only the last value would be assigned. This patch adds a function to test if an attribute is already assigned and, if so, calls erec_queue with this attribute location. Use this function in order to check for duplication (or more) of comments for actions that support it. > nft add table inet filter { flags "dormant"\; comment "test"\; comment "another"\;} Error: You can only specify this once. This statement is duplicated. add table inet filter { flags dormant; comment test; comment another;} ^^^^^^^^^^^^^^^^ Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for objectsJose M. Guisado Gomez2020-09-082-0/+81
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enables specifying an optional comment when declaring named objects. The comment is to be specified inside the object's block ({} block) Relies on libnftnl exporting nftnl_obj_get_data and kernel space support to store the comments. For consistency, this patch makes the comment be printed first when listing objects. Adds a testcase importing all commented named objects except for secmark, although it's supported. Example: Adding a quota with a comment > add table inet filter > nft add quota inet filter q { over 1200 bytes \; comment "test_comment"\; } > list ruleset table inet filter { quota q { comment "test_comment" over 1200 bytes } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mergesort: find base value expression type via recursionPablo Neira Ayuso2020-09-044-5/+42
| | | | | | | | | | | | | | | | Sets that store flags might contain a mixture of values and binary operations. Find the base value type via recursion to compare the expressions. Make sure concatenations are listed in a deterministic way via concat_expr_msort_value() which builds a mpz value with the tuple. Adjust a few tests after this update since listing differs after this update. Fixes: 14ee0a979b62 ("src: sort set elements in netlink_get_setelems()") Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support when adding tablesJose M. Guisado Gomez2020-08-282-0/+8
| | | | | | | | | | | | | | | | | | | Adds userdata building logic if a comment is specified when creating a new table. Adds netlink userdata parsing callback function. Relies on kernel supporting userdata for nft_table. Example: > nft add table ip x { comment "test"\; } > nft list ruleset table ip x { comment "test" } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: sets: Check rbtree overlap detection after tree rotationsStefano Brivio2020-08-261-0/+36
| | | | | | | | | | | | | | | | | | | | | Ticket https://bugzilla.netfilter.org/show_bug.cgi?id=1449 showed an issue with rbtree overlap detection coming from the fact that, after tree rotations performed as part of tree rebalancing, caused by deletions, end elements are not necessarily descendants of their corresponding start elements. Add single-sized elements, delete every second one of them, and re-add them (they will always be full overlaps) in order to check overlap detection after tree rotations. Port indices used in the sets are pseudo-random numbers generated with Marsaglia's Xorshift algorithm with triplet (5, 3, 1), chosen for k-distribution over 16-bit periods, which gives a good statistical randomness and forces 201 rebalancing operations out of 250 deletions with the chosen seed (1). Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for map tooPablo Neira Ayuso2020-08-172-5/+9
| | | | | | Extend and slightly rework tests/shell to cover this case too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for set declarationsJose M. Guisado Gomez2020-08-122-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow users to add a comment when declaring a named set. Adds set output handling the comment in both nftables and json format. $ nft add table ip x $ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}} $ nft list ruleset table ip x { set s { type ipv4_addr; comment "some_addrs" elements = { 1.1.1.1, 1.2.3.4 } } } $ nft --json list ruleset { "nftables": [ { "metainfo": { "json_schema_version": 1, "release_name": "Capital Idea #2", "version": "0.9.6" } }, { "table": { "family": "ip", "handle": 4857, "name": "x" } }, { "set": { "comment": "some_addrs", "elem": [ "1.1.1.1", "1.2.3.4" ], "family": "ip", "handle": 1, "name": "s", "table": "x", "type": "ipv4_addr" } } ] } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0044interval_overlap_0: Repeat insertion tests with timeoutStefano Brivio2020-08-041-19/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mike Dillinger reported issues with insertion of entries into sets supporting intervals that were denied because of false conflicts with elements that were already expired. Partial failures would occur to, leading to the generation of new intervals the user didn't specify, as only the opening or the closing elements wouldn't be inserted. The reproducer provided by Mike looks like this: #!/bin/bash nft list set ip filter blacklist4-ip-1m for ((i=1;i<=10;i++)); do nft add element filter blacklist4-ip-1m {$i.$i.$i.$i} sleep 1 done nft list set ip filter blacklist4-ip-1m which, run in a loop at different intervals, show the different kind of failures. Extend the existing test case for overlapping and non-overlapping intervals to systematically cover sets with a configured timeout. As reported by Pablo, the test would fail if we keep a one-second timeout if it runs on a "slow" kernel (e.g. with KASan), using the libtool wrapper in src/nft as $NFT, because we can't issue 218 commands within one second. To avoid that, introduce an adaptive timeout based on how many times we can list a single entry with a fixed one-second timeout. On a single 2.9GHz AMD Epyc 7351 thread: test run nft commands/s timeout - src/nft libtool wrapper, KASan: 68.4s 10 32s - nft binary, KASan: 5.1s 168 2s - src/nft libtool wrapper, w/o KASan: 18.3s 37 8s - nft binary, w/o KASan: 2.4s 719 1s While at it, fix expectation for insertion of '15-20 . 50-60' (it's expected to succeed, given the list), and the reason why I didn't notice: a simple command preceded by ! won't actually result in the shell exiting, even if it fails. Add some clearer failure reports too. v2: - adjust set timeouts to nft commands/s - fix checks on expected outcome of insertions and reports Reported-by: Mike Dillinger <miked@softtalker.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0043concatenated_ranges_0: Fix checks for add/delete failuresStefano Brivio2020-08-041-18/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The test won't stop if we simply precede commands expected to fail by !. POSIX.1-2017 says: -e When this option is on, if a simple command fails for any of the reasons listed in Consequences of Shell Errors or returns an exit status value >0, and is not part of the compound list following a while, until or if keyword, and is not a part of an AND or OR list, and is not a pipeline preceded by the "!" reserved word, then the shell will immediately exit. ...but I didn't care about the last part. Replace those '! nft ...' commands by 'nft ... && exit 1' to actually detect failures. As a result, I didn't notice that now, correctly, inserting elements into a set that contains the same exact element doesn't actually fail, because nft doesn't pass NLM_F_EXCL on a simple 'add'. Drop re-insertions from the checks we perform here, overlapping elements are already covered by other tests. Fixes: 618393c6b3f2 ("tests: Introduce test for set with concatenated ranges") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove table from cache on delete tablePablo Neira Ayuso2020-07-292-0/+22
| | | | | | | | | | | | | | | | | | | | | The following ruleset crashes nft if loaded twice, via nft -ef: add table inet filter delete table inet filter table inet filter { chain input { type filter hook input priority filter; policy drop; iifname { "eth0" } counter accept } } If the table contains anonymous sets, such as __set0, then delete + add table might result in nft reusing the existing stale __set0 in the cache. The problem is that nft gets confused and it reuses the existing stale __set0 instead of the new anonymous set __set0 with the same name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: extend 0043concatenated_ranges_0 to cover maps tooFlorian Westphal2020-07-231-28/+50
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow for negative value in variable definitionsPablo Neira Ayuso2020-07-222-0/+23
| | | | | | Extend test to cover for negative value in chain priority definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: flush set cache before flush commandPablo Neira Ayuso2020-07-212-0/+24
| | | | | | Flush the set cache before adding the flush command to the netlink batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: remove check for reject from preroutingPablo Neira Ayuso2020-07-211-11/+0
| | | | | | | | | | | | It reports a failure with the following kernel patch: commit f53b9b0bdc59c0823679f2e3214e0d538f5951b9 Author: Laura Garcia Liebana <nevola@gmail.com> Date: Sun May 31 22:26:23 2020 +0200 netfilter: introduce support for reject at prerouting stage Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use variables in flowtable and chain devicesPablo Neira Ayuso2020-07-214-0/+95
| | | | | | | | | | | | | | | This patch adds support for using variables for devices in the chain and flowtable definitions, eg. define if_main = lo table netdev filter1 { chain Main_Ingress1 { type filter hook ingress device $if_main priority -500; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: chmod 755 testcases/chains/0030create_0Pablo Neira Ayuso2020-07-211-0/+0
| | | | | | Update permissions in this test script. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: extend existing dormat test case to catch a kernel bugFlorian Westphal2020-07-182-0/+5
| | | | | | | This is a test case for the kernel bug fixed by: netfilter: nf_tables: fix nat hook table deletion Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support for implicit chain bindingsPablo Neira Ayuso2020-07-152-0/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to group rules in a subchain, e.g. table inet x { chain y { type filter hook input priority 0; tcp dport 22 jump { ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept ip6 saddr ::1/128 accept; } } } This also supports for the `goto' chain verdict. This patch adds a new chain binding list to avoid a chain list lookup from the delinearize path for the usual chains. This can be simplified later on with a single hashtable per table for all chains. From the shell, you have to use the explicit separator ';', in bash you have to escape this: # nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow for variables in the log prefix stringPablo Neira Ayuso2020-07-082-0/+21
| | | | | | | | | | | | | | | | | | | For example: define test = "state" define foo = "match" table x { chain y { ct state invalid log prefix "invalid $test $foo:" } } This patch scans for variables in the log prefix string. The log prefix expression is a list of constant and variable expression that are converted into a constant expression from the evaluation phase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: zap element statement when decomposing intervalPablo Neira Ayuso2020-07-062-0/+32
| | | | | | | | Otherwise, interval sets do not display element statement such as counters. Fixes: 6d80e0f15492 ("src: support for counter in set definition") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow for empty set variable definitionPablo Neira Ayuso2020-07-043-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow for empty set definition in variables if they are merged to non-empty set definition: define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443} define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } However, disallow this: define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } # nft -f x.nft /tmp/x.nft:6:18-52: Error: Set is empty tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: rename testcases/map/dump/0009vmap_0dump.nftPablo Neira Ayuso2020-06-141-1/+1
| | | | | | | Missing .nft extension in dump file. Fixes: 54eb1e16cc47 ("evaluate: missing datatype definition in implicit_set_declaration()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: release dummy rule object from netlink_parse_set_expr()Pablo Neira Ayuso2020-06-082-0/+31
| | | | | | | | | | | | | | | | | | | | | netlink_parse_set_expr() creates a dummy rule object to reuse the existing netlink parser. Release the rule object to fix a memleak. Zap the statement list to avoid a use-after-free since the statement needs to remain in place after releasing the rule. ==21601==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2016 byte(s) in 4 object(s) allocated from: #0 0x7f7824b26330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330) #1 0x7f78245fcebd in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36 #2 0x7f78245fd016 in xzalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:65 #3 0x7f782456f0b5 in rule_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/rule.c:623 Add a test to check for set counters. SUMMARY: AddressSanitizer: 2016 byte(s) leaked in 4 allocation(s). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: missing datatype definition in implicit_set_declaration()Pablo Neira Ayuso2020-06-072-0/+32
| | | | | | | | | | | | | | | | | | | | | | set->data from implicit_set_declaration(), otherwise, set_evaluation() bails out with: # nft -f /etc/nftables/inet-filter.nft /etc/nftables/inet-filter.nft:8:32-54: Error: map definition does not specify mapping data type tcp dport vmap { 22 : jump ssh_input } ^^^^^^^^^^^^^^^^^^^^^^^ /etc/nftables/inet-filter.nft:13:26-52: Error: map definition does not specify mapping data type iif vmap { "eth0" : jump wan_input } ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Add a test to cover this case. Fixes: 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=208093 Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow flowtable definitions with no devicesPablo Neira Ayuso2020-06-021-3/+0
| | | | | | | | | | | | | The listing shows no devices: # nft list ruleset table ip x { flowtable y { hook ingress priority filter } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Fix get element command with prefixesPhil Sutter2020-05-041-18/+44
| | | | | | | | | | | | Code wasn't aware of prefix elements in interval sets. With previous changes in place, they merely need to be accepted in get_set_interval_find() - value comparison and expression duplication is identical to ranges. Extend sets/0034get_element_0 test to cover prefixes as well. While being at it, also cover concatenated ranges. Signed-off-by: Phil Sutter <phil@nwl.cc>
* evaluate: incorrect byteorder with typeof and integer_datatypePablo Neira Ayuso2020-04-292-0/+10
| | | | | | | | | | | | | | | | | | | | table bridge t { set s3 { typeof meta ibrpvid elements = { 2, 3, 103 } } } # nft --debug=netlink -f test.nft s3 t 0 s3 t 0 element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end] ^^^^^^^^ The integer_type uses BYTEORDER_INVALID byteorder (which is implicitly handled as BYTEORDER_BIG_ENDIAN). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add NAT mappings testsPablo Neira Ayuso2020-04-284-0/+53
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* concat: provide proper dtype when parsing typeof udataFlorian Westphal2020-04-012-0/+14
| | | | | | | | | | | | | | | | Pablo reports following list bug: table ip foo { map whitelist { typeof ip saddr . ip daddr : meta mark elements = { 0x0 [invalid type] . 0x0 [invalid type] : 0x00000001, 0x0 [invalid type] . 0x0 [invalid type] : 0x00000002 } } } Problem is that concat provided 'invalid' dtype. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Introduce test for insertion of overlapping and ↵Stefano Brivio2020-03-261-0/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | non-overlapping ranges Insertion of overlapping ranges should return success only if the new elements are identical to existing ones, or, for concatenated ranges, if the new element is less specific (in all its fields) than any existing one. Note that, in case the range is identical to an existing one, insertion won't actually be performed, but no error will be returned either on 'add element'. This was inspired by a failing case reported by Phil Sutter (where concatenated overlapping ranges would fail insertion silently) and is fixed by kernel series with subject: nftables: Consistently report partial and entire set overlaps With that series, these tests now pass also if the call to set_overlap() on insertion is skipped. Partial or entire overlapping was already detected by the kernel for concatenated ranges (nft_set_pipapo) from the beginning, and that series makes the nft_set_rbtree implementation consistent in terms of detection and reporting. Without that, overlap checks are performed by nft but not guaranteed by the kernel. However, we can't just drop set_overlap() now, as we need to preserve compatibility with older kernels. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: update nat_addr_port with typeof+concat mapsFlorian Westphal2020-02-262-0/+80
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: adjust tests to new nat concatenation syntaxPablo Neira Ayuso2020-02-242-16/+16
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nat: add and use maps with both address and serviceFlorian Westphal2020-02-242-0/+160
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add initial nat map testFlorian Westphal2020-02-242-0/+96
| | | | | | | | | | | Will be extended to cover upcoming 'dnat to ip saddr . tcp dport map { \ 1.2.3.4 . 80 : 5.6.7.8 : 8080, 2.2.3.4 . 80 : 7.6.7.8 : 1234, ... Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: avoid spurious failure when running in host namespaceFlorian Westphal2020-02-222-2/+2
| | | | | | | | | | Dump validation may fail: - tcp dport { 22, 23 } counter packets 0 bytes 0 + tcp dport { 22, 23 } counter packets 9 bytes 3400 ... which is normal on host namespace. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: 0034get_element_0: do not discard stderrFlorian Westphal2020-02-221-1/+1
| | | | | | | | | | run_tests.sh alreadty discards stderr by default, but will show it in case the test script is run directly (passed as argument). Discarding stderr also in the script prevents one from seeing BUG() assertions and the like. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: Introduce test for set with concatenated rangesStefano Brivio2020-02-191-0/+180
| | | | | | | | | | | | | | | | | | | | | | | | | | | This test checks that set elements can be added, deleted, that addition and deletion are refused when appropriate, that entries time out properly, and that they can be fetched by matching values in the given ranges. v5: - speed this up by performing the timeout test for one single permutation (Phil Sutter), by decreasing the number of permutations from 96 to 12 if this is invoked by run-tests.sh (Pablo Neira Ayuso) and by combining some commands into single nft calls where possible: with dash 0.5.8 on AMD Epyc 7351 the test now takes 1.8s instead of 82.5s - renumber test to 0043, 0042 was added meanwhile v4: No changes v3: - renumber test to 0042, 0041 was added meanwhile v2: - actually check an IPv6 prefix, instead of specifying everything as explicit ranges in ELEMS_ipv6_addr - renumber test to 0041, 0038 already exists Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: maps: update data expression dtype based on setFlorian Westphal2020-02-132-0/+49
| | | | | | | | | | | What we want: - update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 } what we got: + update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2000000 [invalid type] } Reported-by: Serguei Bezverkhi <sbezverk@gmail.com> Close: https://bugzilla.netfilter.org/show_bug.cgi?id=1405 Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: validate error reporting with include and globPablo Neira Ayuso2020-02-132-0/+97
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add test for glob includesLaurent Fasnacht2020-02-131-0/+39
| | | | | | | | | Including more than MAX_INCLUDE_DEPTH file in one statement should succeed. This reproduces bug #1243. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>