summaryrefslogtreecommitdiffstats
path: root/tests/shell
Commit message (Collapse)AuthorAgeFilesLines
* tests: update include directory tests to support wildcard syntax.Ismo Puustinen2017-06-2711-13/+171
| | | | | Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Test input descriptors for included filesShyam Saini2017-06-261-0/+52
| | | | | | | | | | | Before b14572f72aac ("erec: Fix input descriptors for included files"), nft error message was pointing to wrong file. But after this commit it points to right file. This patch adds a new test for this commit. Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test for incomplete set add set commandShyam Saini2017-06-261-0/+16
| | | | | | | | | | | | | | | | | | | | | | | Before c6cd7c22548a ("src: fix crash when inputting an incomplete set add command") commit, if we run nft with incomplete "add set" command it caused segmentation fault and exit with error code 139 and further it didn't throw any error message. For example: $ sudo nft add set t s But after the aforementioned commit it throws syntax error message and exits with return value 1. For example: $ sudo nft add set t s <cmdline>:1:12-12: Error: syntax error, unexpected newline, expecting '{' add set t s ^ This commit tests changes made in such commit. Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: restrict meta nfproto test cases to inet familyFlorian Westphal2017-06-181-1/+1
| | | | | | | Followup patch will reject meta nfproto for non-inet families. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: added tests for ordering files in include dirs.Ismo Puustinen2017-06-072-0/+98
| | | | | | | | Test that the files are ordered properly by introducing included files which have internal dependencies. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: test include directoriesIsmo Puustinen2017-06-066-0/+217
| | | | | | | | | | | | Add tests for: * including an empty directory * including directory with one or two files in it * testing for required trailing slash in directory name * testing for detecting non-existent directory * testing for a broken file in included directory Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: print sets and maps in pretty formatArturo Borrero Gonzalez2017-05-153-12/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Print elements per line instead of all in a single line. The elements which can be 'short' are printed 5 per line, and others, like IPv4 addresses are printed 2 per line. Example: % nft list ruleset -nnn table ip t { set s { type inet_service elements = { 1, 2, 3, 4, 10, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 12345 } } map m { type inet_service . iface_index : verdict elements = { 123 . "lo" : accept, 1234 . "lo" : accept, 12345 . "lo" : accept, 12346 . "lo" : accept, 12347 . "lo" : accept } } set s3 { type ipv4_addr elements = { 1.1.1.1, 2.2.2.2, 3.3.3.3 } } } Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete element and chain in transactionPablo Neira Ayuso2017-05-041-0/+76
| | | | | | | | This patch adds a test to test refcounting from element to chain and objects. Reported-by: Andreas Schultz <aschultz@tpip.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add test for flush command selectiveness on setsElise Lennion2017-03-241-0/+41
| | | | | | | | This tests the selectiveness of flush command on structures that use the generic set infrastructure (sets, maps and flow tables). Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sets: Fix for missing space after last elementPhil Sutter2017-03-2215-31/+31
| | | | | | | | | | | Not having a space between the last element in a set and the closing curly brace looks ugly, so add it here. This also adjusts all shell testcases as they match whitespace in nft output and therefore fail otherwise. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: netns/0003many_0: Fix cleanup after errorPhil Sutter2017-03-221-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If rule set applying failed, this would leave a stray netns in place. Interestingly, this situation led to other, seemingly unrelated testcases to fail with spurious errors, e.g. sets/0015rulesetflush_0: | $ ./run-tests.sh testcases/sets/0015rulesetflush_0 | I: using nft binary ../../src/nft | | W: [FAILED] testcases/sets/0015rulesetflush_0: expected 0 but got 1 | /tmp/tmp.BY7cuUYL8f:5:1-2: Error: Could not process rule: Operation not supported | table inet filter { | ^^ | /tmp/tmp.BY7cuUYL8f:9:1-2: Error: Could not process rule: No such file or directory | add element inet filter blacklist_v4 { | ^^ | /tmp/tmp.BY7cuUYL8f:5:1-2: Error: Could not process rule: Operation not supported | table inet filter { | ^^ | /tmp/tmp.BY7cuUYL8f:9:1-2: Error: Could not process rule: No such file or directory | add element inet filter blacklist_v4 { | ^^ | | I: results: [OK] 0 [FAILED] 1 [TOTAL] 1 | | $ ip netns list | 1_0003many_0 | $ ip netns del 1_0003many_0 | | $ ./run-tests.sh testcases/sets/0015rulesetflush_0 | I: using nft binary ../../src/nft | | I: [OK] testcases/sets/0015rulesetflush_0 | | I: results: [OK] 1 [FAILED] 0 [TOTAL] 1 Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add test cases for nested anonymous setsPhil Sutter2017-03-221-0/+46
| | | | | | | | | This makes sure nesting of anonymous sets works regardless of whether defines are used or not. As a side-effect, it also checks that overlap checking when IP address prefixes are used, works. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: test comments with small setsPablo Neira Ayuso2017-03-131-0/+12
| | | | | | Just a test to cover the bitmap backend implementation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: remove nft_set_bitmap on each runPablo Neira Ayuso2017-02-161-1/+1
| | | | | | Update shell/run-tests.sh to remove this new module too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: validate set sizePablo Neira Ayuso2017-01-242-0/+28
| | | | | | | | | | Add two tests to make sure that set size checks work fine: 1) Check if set size is indeed working, this is a simple one. 2) Check if set size is correct after ENFILE error, there is bug that adds a new spare slot everytime we hit this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test for flush bug on sets with sizeElise Lennion2017-01-241-0/+12
| | | | | | | | This tests for a bug where elements can't be added after flushing a full set with the flag NFTNL_SET_DESC_SIZE set. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test for set element leak bugElise Lennion2017-01-231-0/+11
| | | | | | | This tests for a bug where a repeated element is added and the set elements counter is incorrectly increased. Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
* tests: shell: add maps testsElise Lennion2017-01-104-0/+228
| | | | | | | | | Test adding elements to simple and interval maps. Based on original work from Richard Mörbitz and Pablo Neira. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: cover cache flush on flush rulesetPablo Neira Ayuso2017-01-101-0/+26
| | | | | | | | This tests covers 530a82a72d15 ("evaluate: Update cache on flush ruleset"). Make sure loading twice including an upfront ruleset flush leaves us with an empty cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add test case for inserting element into verdict mapLiping Zhang2016-12-041-0/+25
| | | | | | | | | | "dalegaard@gmail.com" reports that when inserting an element into a verdict map, kernel crash will happen. Now add this test case so we can avoid future regressions fail. Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Acked-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcase for different defines usageArturo Borrero Gonzalez2016-11-291-0/+44
| | | | | | | | | | | | | | | | | | This testcase add some defines in a nft -f run and then uses them in different spots (which are not covered in previous testcases). * defines used to define another one * different datatypes (numbers, strings, bits, ranges) * usage in sets, maps, contatenatios * single rules with single statements, multiple statements * reuse define in same rule Perhaps this isn't testing many different code path, but I find this interesting to have given it will probably be one of the most common use cases of nftables. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add a testcase for many definesArturo Borrero Gonzalez2016-11-291-0/+37
| | | | | | | Use many defines in a single nft -f run. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add regression test for malformed setsAnatole Denis2016-11-291-0/+33
| | | | | | | | | | see: 5afa5a164ff1c066af1ec56d875b91562882bd50 When a malformed set is added, it was added before erroring out, causing a segfault further down when used. This tests for this case, ensuring that nftables doesn't segfault but errors correctly Signed-off-by: Anatole Denis <anatole@rezel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: another testcase for deleting many set elementsArturo Borrero Gonzalez2016-11-241-0/+48
| | | | | | | | | This testcase adds and deletes many elements in a set. We add and delete 65.536 elements in two different nft -f runs. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: testcase for deleting many set elementsArturo Borrero Gonzalez2016-11-241-0/+46
| | | | | | | | | | This testcase adds and deletes many elements in a set. We add and delete 65.536 elements in a same batch of netlink messages, (single nft -f run). Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: testcase for adding many set elementsArturo Borrero Gonzalez2016-11-241-0/+32
| | | | | | | | This testcase adds many elements in a set. We add 65.356 elements. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: allow to execute a single testcaseArturo Borrero Gonzalez2016-11-241-0/+11
| | | | | | | | | | | | | Using, for example: % sudo ./run-tests.sh testcase/mytest_0 Will result in an execution of this single testcase rather than the complete suite. This is useful while working with a concrete testcase. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcases for comments in set elementsArturo Borrero Gonzalez2016-11-093-0/+35
| | | | | | | | This patch adds a several testcases for comments in set elements. This includes the netfilter bug #1090 about comments in set interval elements. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add a new testcase for ruleset loading bugArturo Borrero Gonzalez2016-11-091-0/+27
| | | | | | | | | | | There seems to be a bug that prevent loading a ruleset twice in a row if the ruleset contains sets with intervals. This seems related to the nft cache. By the time of this commit, the bug is not fixed yet. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: introduce the cache testcases directoryArturo Borrero Gonzalez2016-11-091-0/+0
| | | | | | | This directory is for testcases related to the nft cache. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete useless stderr output in testcaseArturo Borrero Gonzalez2016-11-091-1/+1
| | | | | | | This stderr output is expected. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rt: introduce routing expressionAnders K. Pedersen2016-10-281-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduce rt expression for routing related data with support for nexthop (i.e. the directly connected IP address that an outgoing packet is sent to), which can be used either for matching or accounting, eg. # nft add rule filter postrouting \ ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop This will drop any traffic to 192.168.1.0/24 that is not routed via 192.168.0.1. # nft add rule filter postrouting \ flow table acct { rt nexthop timeout 600s counter } # nft add rule ip6 filter postrouting \ flow table acct { rt nexthop timeout 600s counter } These rules count outgoing traffic per nexthop. Note that the timeout releases an entry if no traffic is seen for this nexthop within 10 minutes. # nft add rule inet filter postrouting \ ether type ip \ flow table acct { rt nexthop timeout 600s counter } # nft add rule inet filter postrouting \ ether type ip6 \ flow table acct { rt nexthop timeout 600s counter } Same as above, but via the inet family, where the ether type must be specified explicitly. "rt classid" is also implemented identical to "meta rtclassid", since it is more logical to have this match in the routing expression going forward. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: update kernel modules to cleanArturo Borrero Gonzalez2016-10-211-2/+4
| | | | | | | | | | | | | | | Let's keep the kernel_cleanup() function updated with latest kernel changes: * added nft_quota, nft_queue, nft_numgen, nft_range * rename nft_hash to nft_set_hash * keep nft_hash as well * rename nft_rbtree to nft_set_rbtree The idea is to run each test in a clean evironment. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to use variable to add/create/delete elementsPablo Neira Ayuso2016-10-211-0/+22
| | | | | | | | | | | | | | | | | | | | | | | Using variable definitions from element command doesn't work, eg. -test.nft- define whitelist_v4 = { 1.1.1.1 } table inet filter { set whitelist_v4 { type ipv4_addr; } } add element inet filter whitelist_v4 $whitelist_v4 -EOF- # nft -f test.nft test.nft:7:38-38: Error: syntax error, unexpected '$', expecting '{' add element inet filter whitelist_v4 $whitelist_v4 ^ Fix this by using set_block_expr rule for every element command. This patch also comes with a new regression test. Reported-by: Leon Merten Lohse <leon@green-side.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow variable references in set elements definitionPablo Neira Ayuso2016-08-291-0/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Andreas reports that he cannot use variables in set definitions: define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143 set s-ext-2-int { type ipv4_addr . inet_service elements = { $s-ext-2-int } } This syntax is not correct though, since the curly braces should be placed in the variable definition itself, so we have context to handle this variable as a list of set elements. The correct syntax that works after this patch is: define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 } table inet forward { set s-ext-2-int { type ipv4_addr . inet_service elements = $s-ext-2-int } } Reported-by: Andreas Hainke <andreas.hainke@foteviken.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: cover add and create set commandPablo Neira Ayuso2016-08-251-0/+15
| | | | | | | This patch validates that creation of an already existing element bails out with EEXIST. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: cover add and create set commandPablo Neira Ayuso2016-08-241-0/+14
| | | | | | | This patch validates that creation of an already existing set bails out with EEXIST. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcase for reject exprLiping Zhang2016-08-221-0/+9
| | | | | | | | | | | Reject expr is only valid in input/forward/output chain, and if user can add reject expr in prerouting chain, kernel panic will happen. So add a simple test case to cover this situation. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: tests to include filesPablo Neira Ayuso2016-08-104-0/+107
| | | | | | | | | | | | Four tests to cover file inclusion using: 1) Absolute path. 2) Relative path. 3) Default include directory path. And one more test to cover endless file inclusion loop. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: keep map flag around when flags are specifiedPablo Neira Ayuso2016-07-271-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | If you add a map with timeouts, eg. # nft add table x # nft add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; } The listing shows a set instead of a map: # nft list ruleset table ip x { set y { type ipv4_addr flags timeout } } This patch fixes the parser to keep the map flag around when timeout flag (or any other flags) are specified. This patch also comes with a regression test. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: make sure split table definition works via nft -fPablo Neira Ayuso2016-07-131-0/+50
| | | | | | Add test to cover split table definition in one single file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: run-tests.sh: use src/nft binary by defaultArturo Borrero2016-06-232-2/+5
| | | | | | | | Better use the local tree nft binary rather than the installed one. Requested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: cover transactions via nft -f using flat syntaxPablo Neira Ayuso2016-06-2222-0/+758
| | | | | | | | | | | | | | | | | | | | | | This patch covers transactions using the flat syntax representation, eg. add table x add chain x y { type filter hook forward priority 0; } add chain x y { policy drop; } This also covers things like: add element x whitelist { 1.1.1.1 } delete element x whitelist { 1.1.1.1 } The one above may look silly from a human behaviour point of view, but silly robots may very well behave like this. These tests require several kernel patches though in order to pass successfully. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* tests: shell: cleanup tempfile handling in testcases/sets/cache_handling_0Arturo Borrero2016-06-151-7/+1
| | | | | | | | It uses a bogus pattern which was cleaned up already in others testscases, and this is a leftover. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete unused variable in run-tests.shArturo Borrero2016-06-151-1/+1
| | | | | | | | | This ${TESTS_OUTPUT} variable is empty. Delete it. It was probably an idea about dinamically redirecting testscases output. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add endless jump loop testsLiping Zhang2016-06-152-0/+23
| | | | | | | Add some tests for endless jump loop validation. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: make testcases which using tcp/udp port more rubostLiping Zhang2016-06-157-7/+7
| | | | | | | | | | | | | | | | In my mechain, port 12345 is mapped to italk in /etc/services: italk 12345/tcp # Italk Chat System So when we add nft rule with udp port "12345", nft list ruleset will displayed it as "italk", that cause the result is not same with expected, then testcase fail. Add "-nn" option when dump the rulesets from the kernel, make testcases which using tcp/udp port more rubost. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell/run-tests.sh: print hint about testcase being executedArturo Borrero2016-05-131-0/+4
| | | | | | | | | | | Print a line with the name of the testcase being executed, and then delete it with the result. There are tests which may take a long time and its good to know what is doing the testsuite. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell/run-tests.sh: execute tests in sorted orderArturo Borrero2016-05-131-1/+6
| | | | | | | | | Let's sort tests files before iterating over them. Put the find string in a separated function so it's more readable. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: add testcase to catch segfault if invalid syntax was usedArturo Borrero2016-05-131-0/+21
| | | | | | | | This helps to catch 5afa5a1 ("evaluate: check for NULL datatype in rhs in lookup expr"). Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>