Commit messages
It seems that unversioned Python shebangs are discouraged these days:
- See the lintian web on Debian:
https://lintian.debian.org/tags/script-uses-unversioned-python-in-shebang.html
- Also, see "Finalizing Fedora's Switch to Python3":
https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
Replace them all tree-wide.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove artificial limitation on the maximum number of statements per
element in listings.
Moreover, update tests/shell which are currently incorrect.
Fixes: e6d1d0d61195 ("src: add set element multi-statement support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Test for kernel commit
7e43e0a1141d ("netfilter: nft_set_rbtree: translate rbtree to array for binary search").
Rbtree rebalance might cause datapath to miss an existing interval.
Signed-off-by: Florian Westphal <fw@strlen.de>
Extend this with cases covered in kernel commit
7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection").
Signed-off-by: Florian Westphal <fw@strlen.de>
When deleting a map that has a catchall element that jumps to a chain,
the chain use counter is decremented. In case this drops the use
counter to 0, the chain can be queued for removal.
This decrement has to be un-done in case the transaction is aborted.
Otherwise the chain use counter in this test remains at 0 and the
deletion of the live/in-use chain will work, even though it's referenced
from the catchall element.
This results in a use-after-free.
Reported-by: Andrew Fasano <andrew.fasano@nist.gov>
Signed-off-by: Florian Westphal <fw@strlen.de>
Introduce the NFT_TEST_EXCLUDES environment variable to allow excluding
one or more specific test cases.
Some patches may be considered too aggressive to backport to
downstream releases. For example,
tests/shell/testcases/packetpath/reject_loopback
... fails on all downstream kernels that lack
"netfilter: nf_reject: don't reply to ICMP error messages", but such patch
might be considered too intrusive for some distributions.
This allows downstream CI to just skip these tests without local modifications.
It also allows excluding all known and expected SKIP subtests, which
makes it possible to detect newly introduced SKIP items, which may indicate new bugs.
Signed-off-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
The feature test introduced in this patch checks iptables-nft presence
and usability as well as translation support presence in nft (as it may
not be compiled in).
The actual test case will optionally call ip6tables-nft and ebtables-nft
as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The test suites did not cover src/trace.c at all. This test touches over
90% of its lines.
Signed-off-by: Phil Sutter <phil@nwl.cc>
For Linux kernel patch:
cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Make it easier to see where this test failed and dump the
ruleset on error.
Signed-off-by: Florian Westphal <fw@strlen.de>
Add a regression test for rbtree+bsearch getting out-of-sync in
nf-next kernel.
This covers the syzkaller reproducer from
https://syzkaller.appspot.com/bug?extid=d417922a3e7935517ef6
which triggers abort with earlier gc at insert time and additional corner
case where transaction passes without recording a relevant change in the set
(i.e. no call to either abort or commit).
This test passes even on buggy kernels unless KASAN is enabled.
Signed-off-by: Florian Westphal <fw@strlen.de>
Extend coverage with corner cases with open interval overlaps.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Exporting all concat components in a way independent from host
byteorder and importing that blob of data in the same way aligns sort
order between hosts of different Endianness.
Fixes: 741a06ac15d2b ("mergesort: find base value expression type via recursion")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Sorting order was obviously wrong, e.g. "ppp0" ordered before "eth1".
Moreover, this happened on Little Endian only so sorting order actually
depended on host's byteorder. By reimporting string values as Big
Endian, both issues are fixed: On one hand, GMP-internal byteorder no
longer depends on host's byteorder, on the other comparing strings
really starts with the first character, not the last.
Fixes: 14ee0a979b622 ("src: sort set elements in netlink_get_setelems()")
Signed-off-by: Phil Sutter <phil@nwl.cc>
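The two sort-order bugs described in this commit and in the concat-component commit above can be reproduced with plain integers standing in for GMP. This is an added example, not nftables code: nft orders set elements by the integer value of each imported key, so importing a key in host byte order makes a little-endian host compare the last byte first, and the result differs between hosts; importing big-endian makes integer order equal to byte order everywhere. The IFNAMSIZ padding width and the `ipv4_addr . inet_service` component widths are assumptions for the illustration.

```python
# Added example, not nftables code: reproduce the two sort-order bugs fixed by
# the commits above, using plain Python integers in place of GMP.
# nft sorts set elements by importing each key as one big integer. If the
# import uses host byte order, a little-endian host treats the LAST byte as
# most significant, so string comparison effectively starts from the end and
# the order differs between hosts. Importing big-endian fixes both.
# Assumption: interface-name keys are zero-padded to IFNAMSIZ (16) bytes; the
# real width comes from the set's datatype.

IFNAMSIZ = 16  # assumed key width for ifname keys


def import_key(blob: bytes, byteorder: str, width: int) -> int:
    """Import a key blob as an integer (the GMP import step), padding the
    value to the datatype width with trailing zero bytes."""
    if len(blob) > width:
        raise ValueError(f"key {blob!r} longer than type width {width}")
    return int.from_bytes(blob.ljust(width, b"\0"), byteorder)


def sort_ifnames(names, byteorder="big"):
    """Sort interface names the way nft orders set elements: by the integer
    value of the imported key. byteorder="little" reproduces the pre-fix
    behaviour on a little-endian host."""
    return sorted(names, key=lambda n: import_key(n.encode(), byteorder, IFNAMSIZ))


def export_concat(components, byteorder="big"):
    """Serialise a concatenated key. Each component is (value, width_in_bytes);
    exporting every component in one fixed byte order, regardless of host,
    is what makes the blob comparable between hosts."""
    return b"".join(value.to_bytes(width, byteorder) for value, width in components)


def sort_concat(keys, byteorder="big"):
    """Sort concatenated keys by importing the exported blob with the same
    byte order it was exported with."""
    def as_int(components):
        blob = export_concat(components, byteorder)
        return import_key(blob, byteorder, len(blob))
    return sorted(keys, key=as_int)


def ipv4(dotted: str) -> int:
    """Parse a dotted-quad address into an integer (4-byte component)."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


if __name__ == "__main__":
    names = ["ppp0", "eth1", "eth0"]
    print("little-endian import:", sort_ifnames(names, "little"))  # ppp0 before eth1
    print("big-endian import:   ", sort_ifnames(names, "big"))
    # assumed ipv4_addr . inet_service keys: 4-byte address then 2-byte port
    keys = [((ipv4("10.0.0.2"), 4), (80, 2)), ((ipv4("10.0.0.1"), 4), (443, 2))]
    print("little-endian:", sort_concat(keys, "little"))  # effectively sorted by port
    print("big-endian:   ", sort_concat(keys, "big"))     # sorted by address first
```

With `byteorder="little"` the concatenated key is effectively ordered by its last component, because the trailing port bytes become the most significant ones; with `byteorder="big"` the first component dominates, which is the order a user expects and the one that is identical on both endiannesses.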
Add comprehensive test for JSON handle-based rule positioning to verify
the handle field correctly positions rules with explicit add/insert
commands while being ignored in implicit format.
Test coverage:
1. ADD with handle positions AFTER the specified handle
2. INSERT with handle positions BEFORE the specified handle
3. INSERT without handle positions at beginning
4. Multiple commands in single transaction (batch behavior)
5. Implicit format ignores handle field for portability
The test uses sed for handle extraction and nft -f format for setup
as suggested in code review. Final state is a table with two rules
from the implicit format test.
Signed-off-by: Alexandre Knecht <knecht.alexandre@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
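The positioning rules this test verifies, as an added example that is not part of the nftables tree: `rule_cmd` builds the command objects of a libnftables JSON batch (explicit `add`/`insert`, or the implicit no-verb form), and `ChainModel` is a hypothetical model of the resulting rule order only. Handles are assigned sequentially by the model rather than by the kernel, and the rule body is a placeholder `accept` verdict; both are assumptions for illustration.

```python
# Added example, not nftables code: build the libnftables JSON commands the
# test above exercises and model the rule positioning they are documented to
# produce. Assumptions: handles are assigned sequentially by the model (the
# kernel assigns the real ones), the rule body is a placeholder "accept"
# verdict, and ChainModel tracks rule order only.

import json


def rule_cmd(verb, family, table, chain, expr, handle=None):
    """One command object for the {"nftables": [...]} batch. verb is "add",
    "insert" (explicit) or "rule" (implicit format, i.e. no verb)."""
    rule = {"family": family, "table": table, "chain": chain, "expr": expr}
    if handle is not None:
        rule["handle"] = handle
    if verb == "rule":
        return {"rule": rule}
    return {verb: {"rule": rule}}


def build_batch(commands):
    """Serialise commands as the document `nft -j -f -` reads from stdin;
    several commands in one document form one transaction."""
    return json.dumps({"nftables": list(commands)})


class ChainModel:
    """Ordered rules of one chain, kept as (handle, label) pairs."""

    def __init__(self):
        self.rules = []
        self._next_handle = 1

    def _index_of(self, handle):
        for i, (h, _) in enumerate(self.rules):
            if h == handle:
                return i
        raise KeyError(f"no rule with handle {handle}")

    def apply(self, cmd, label):
        """Apply one command object and return the new rule's handle."""
        if "rule" in cmd:                      # implicit format: handle ignored, append
            verb, handle = "add", None
        else:
            (verb, body), = cmd.items()
            handle = body["rule"].get("handle")
        if verb == "add":                      # after the given handle, else at the end
            pos = len(self.rules) if handle is None else self._index_of(handle) + 1
        elif verb == "insert":                 # before the given handle, else at the start
            pos = 0 if handle is None else self._index_of(handle)
        else:
            raise ValueError(f"unsupported verb {verb}")
        new_handle = self._next_handle
        self._next_handle += 1
        self.rules.insert(pos, (new_handle, label))
        return new_handle

    def order(self):
        return [label for _, label in self.rules]


def run_scenario():
    """Walk through the positioning cases listed in the commit message and
    return the resulting rule order."""
    chain = ChainModel()
    args = ("ip", "t", "c", [{"accept": None}])
    h1 = chain.apply(rule_cmd("add", *args), "r1")
    h2 = chain.apply(rule_cmd("add", *args), "r2")
    chain.apply(rule_cmd("add", *args, handle=h1), "r3")     # ADD with handle: after r1
    chain.apply(rule_cmd("insert", *args, handle=h2), "r4")  # INSERT with handle: before r2
    chain.apply(rule_cmd("insert", *args), "r5")             # INSERT without handle: first
    chain.apply(rule_cmd("rule", *args, handle=h1), "r6")    # implicit: handle ignored, last
    return chain.order()


if __name__ == "__main__":
    print(run_scenario())
    # one transaction carrying an explicit add and an insert (batch behaviour)
    print(build_batch([rule_cmd("add", "ip", "t", "c", [{"accept": None}], handle=1),
                       rule_cmd("insert", "ip", "t", "c", [{"accept": None}])]))
```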
Add comprehensive test for JSON add/insert/delete/replace/create
operations on all object types to ensure the handle field changes
don't break non-rule objects.
Test coverage:
- ADD operations: table, chain, rule, set, counter, quota
- INSERT operations: rule positioning
- REPLACE operations: rule modification
- CREATE operations: table creation with conflict detection
- DELETE operations: rule, set, chain, table
The test verifies that all object types work correctly with JSON
commands and validates intermediate states. Final state is an empty
table from the CREATE test.
Signed-off-by: Alexandre Knecht <knecht.alexandre@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Add tests to exercise packet path for rbtree and hash set types.
We check both positive (added address is matched) and negative
matches (set doesn't indicate match for deleted address).
For ranges, also validate that addresses preceding or trailing
a range do not match.
Pipapo has no test to avoid duplicating what is already in
kernel kselftest (nft_concat_range.sh).
Signed-off-by: Florian Westphal <fw@strlen.de>
bitmap sets don't support 'counter' flag, so we can only check
'match' vs 'no match', but we can't tell which set element has
matched.
Static test, counter validation via dumps.
Signed-off-by: Florian Westphal <fw@strlen.de>
commit 91dc281a82ea ("src: rework singleton interval transformation to
reduce memory consumption") duplicates singleton interval elements when
the netlink message gets full, this results in spurious EEXIST errors
when creating many elements in a set.
This patch extends the existing test to cover for this bug.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
On a kernel with broken (never upstreamed) patch this fails with:
Accepted bad ruleset with jump from filter type to masquerade (3)
and
Accepted bad ruleset with jump from prerouting to masquerade
... because bogus optimisation suppresses re-validation of 'n2', even
though it becomes reachable from an invalid base chain (filter, but n2
has nat-only masquerade expression).
Another broken corner-case is validation of the different hook types:
When it becomes reachable from nat:prerouting in addition to the allowed
nat:postrouting the validation step must fail.
Improve test coverage to ensure future optimisations catch this.
Signed-off-by: Florian Westphal <fw@strlen.de>
Added cases for SNAT or DNAT only for active and passive modes.
Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
Refactored the setup of nft rulesets, now it is possible to set up an
SNAT or DNAT-only ruleset for future tests.
Presented the testcase function to test passive or active modes.
Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
Some distros only refer to python3, update it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Older kernels do not support netdev basechain without device, add it so
this works.
Alternative is to skip it by adding:
# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_without_device)
but it seems easier to support it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
v2:
- Switched to range syntax instead of two matches as suggested by Phil.
Signed-off-by: Yi Chen <yiche@redhat.com>
Reviewed-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
While executing the test suite from tests/shell folder, the following error
is displayed many times:
tests/shell/testcases/maps/vmap_timeout: line 48: [: : integer expected
Looking at the script, a non-existing variable (expires) is tested instead of
the existing one (expire).
Reproduction:
tests/shell/run-tests.sh -v
Fixes: db80037c0279 ("tests: shell: extend vmap test with updates")
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Included bogons assert:
Assertion `!expr_is_constant(*expr) || expr_is_singleton(*expr)' failed
This is because the "foo*" + prefix combination causes expr_evaluate
to replace the binop + string expression with another prefix that
gets allocated while handling "foo*" (wildcard).
This causes expr_evaluate_prefix to build
a prefix -> prefix -> binop chain.
After this, we get:
Error: Right hand side of relational expression ((null)) must be constant
a b ct helper "2.2.2.2.3*1"/80
~~~~~~~~~~^^^^^^^^^^^^^^^^
Error: Binary operation (&) is undefined for prefix expressions
a b ct helper "2.2.2.****02"/80
^^^^^^^^^^^^^^^^^
for those inputs rather than hitting assert() in byteorder_conversion()
later on.
Signed-off-by: Florian Westphal <fw@strlen.de>
Included bogon causes a crash because the list head isn't initialised
due to tunnel->type == VXLAN.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
minor change to the bogon makes it assert because symbolic expression
will have wrong refcount (2) at scope teardown.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Included bogons crash with segfault and assertion. After fix:
tunnel_with_garbage_dst:3:12-14: Error: syntax error, unexpected tcp, expecting string or quoted string or string with a trailing asterisk or '$'
ip saddr tcp dport { }
^^^
The parser change restricts the grammar to no longer allow this,
we would crash here because we enter payload evaluation path that
tries to insert a dependency into the rule, but we don't have one
(ctx->rule and ctx->stmt are NULL as expected here).
The eval stage change makes sure we will reject non-value symbols:
tunnel_with_anon_set_assert:1:12-31: Error: must be a value, not set
define s = { 1.2.3.4, 5.6.7.8 }
^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Included bogon crashes, after fix:
empty_geneve_definition_crash:2:9-16: Error: Could not process rule: Invalid argument
Since this feature is undocumented (hint, hint) I don't know
if there are cases where ip daddr can be elided.
If not, a followup patch should reject empty dst upfront
so users get a more verbose error message.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Test case for:
91a79b792204 ("netfilter: nf_reject: don't leak dst refcount for loopback packets")
and
db99b2f2b3e2 ("netfilter: nf_reject: don't reply to icmp error messages")
Signed-off-by: Florian Westphal <fw@strlen.de>
The test checks that the packets are processed by the bridge device and
not forwarded.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Switch this to $NFT, which contains the locally-compiled binary.
Signed-off-by: Florian Westphal <fw@strlen.de>
Don't include a trailing space, it's only there if nftables is a module:
hook ingress device foo2 {
0000000000 chain netdev t c [nf_tables]
}
with CONFIG_NF_TABLES=y, this gets listed as:
'0000000000 chain netdev t c\n'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Create a helper file to:
1. create client <-> router <-> server topology
2. floodping from client to server
3. add a chain + set that contains both client and server
addresses
4. a control counter that should never match
5. then, flush the set (not the ruleset) and re-add the
addresses in one transaction
Report failure when counter had a match.
The test cases for the set types are done in separate files to take
advantage of run-tests.sh parallelization.
The expected behavior is that every ping packet is matched by the set.
The packet path should either match the old state, right before flush,
or the new state, after re-add.
As the flushed addresses are re-added in the same transaction we must
not observe in-limbo state where existing elements are deactivated but
new elements are not found.
Signed-off-by: Florian Westphal <fw@strlen.de>
Assert that:
- Non-matching interface specs are accepted
- Existing interfaces are hooked into upon flowtable/chain creation
- A new device matching the spec is hooked into immediately
- No stale hooks remain in 'nft list hooks' output
- Wildcard hooks basically work
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
The script relies upon a call to modprobe which does not work in
fake root environments.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Make the test suite runners exit 77 when requiring root and running as
regular user, exit 99 for internal errors (unrelated to test cases) and
exit 1 (or any free non-zero value) to indicate test failures.
Signed-off-by: Phil Sutter <phil@nwl.cc>
These tests fail in case kernel requires bitwise RHS to be a constant
value.
Fixes: 67d2a8d4c86f ("tests: shell: add parser and packetpath test")
Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Expand test with flowtable devices defined with variables to improve
coverage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add tests for tunnel statement and object support. Shell and python
tests both cover standard nft output and json.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add a testcase to cover for merging two rules into verdict map, added by
345d9260f7fe ("optimize: merge several selectors with different verdict into verdict map").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Extend tests/shell coverage to exercise merging nested sets, provided
by fixes such as:
a6b75b837f5e ("evaluate: set: Allow for set elems to be sets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
JSON output for the fib expression changed:
- "result": "check"
+ "result": "oif"
This breaks third party JSON parsers, revert this change for relational
expressions only via workaround until there are clear rules on how to
proceed with JSON schema updates.
As for set and map statements, keep this new "check" result type since
it is not possible to peek on rhs in such case to guess if the
NFT_FIB_F_PRESENT flag needs to be set on.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1806
Fixes: f4b646032acf ("fib: allow to check if route exists in maps")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
chain_stmt_destroy is called from bison destructor, but it turns out
this function won't free the associated chain.
There is no memory leak when bison can parse the input because the chain
statement evaluation step queues the embedded anon chain via cmd_alloc.
Then, a later cmd_free() releases the chain and the embedded statements.
In case of a parser error, the evaluation step is never reached and the
chain object leaks, e.g. in
foo bar jump { return }
Bison calls the right destructor but the anon chain and all
statements/expressions in it are not released:
HEAP SUMMARY:
in use at exit: 1,136 bytes in 4 blocks
total heap usage: 98 allocs, 94 frees, 840,255 bytes allocated
1,136 (568 direct, 568 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
at: calloc (vg_replace_malloc.c:1675)
by: xzalloc (in libnftables.so.1.1.0)
by: chain_alloc (in libnftables.so.1.1.0)
by: nft_parse (in libnftables.so.1.1.0)
by: __nft_run_cmd_from_filename (in libnftables.so.1.1.0)
by: nft_run_cmd_from_filename (in libnftables.so.1.1.0)
To resolve this, make chain_stmt_destroy also release the embedded
chain. This in turn requires chain refcount increases whenever a chain
is associated with a chain statement, else we get double-free of the
chain.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Set on CHAIN_F_BASECHAIN when policy is specified in chain, otherwise
chain priority is not evaluated.
Toggling this flag requires three adjustments to work though:
1) chain_evaluate() needs to skip evaluation of hook name and priority if
not specified to allow for updating the default chain policy, e.g.
chain ip x y { policy accept; }
2) update netlink bytecode generation for chain to skip NFTA_CHAIN_HOOK
so update path is exercised in the kernel.
3) error reporting needs to check if basechain priority and type is
set on, otherwise skip further hints.
Fixes: acdfae9c3126 ("src: allow to specify the default policy for base chains")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is a partial revert of commit a740f2036ad0d ("json: Introduce
json_add_array_new()"), keeping the function but eliminating its primary
task which is to replace arrays of size 1 by their only item. While
support for this on input is convenient for users, it means extra casing
in JSON output parsers to cover for it. The minor reduction in output
size does not justify that.
Fixes: a740f2036ad0d ("json: Introduce json_add_array_new()")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1806
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
One to validate parsing, and one to test that packets match the
expected mapping.
omits json file because of:
internal:0:0-0: Error: Expression type payload not allowed in context (RHS, STMT).
i.e. there is more work to be done on json side to support this.
Signed-off-by: Florian Westphal <fw@strlen.de>
At the time the comment was written the patch wasn't yet upstream
so replace this with the right id and title.
Signed-off-by: Florian Westphal <fw@strlen.de>