summaryrefslogtreecommitdiffstats
path: root/tests/shell
Commit message (Collapse)AuthorAgeFilesLines
* parser_bison: stateful statement support in mapPablo Neira Ayuso2 days2-0/+44
| | | | | | Missing parser extension to support for stateful statements in map. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Fix bogus testsuite failure with 100HzPhil Sutter2 days1-2/+2
| | | | | | | | | On kernels with CONFIG_HZ=100, clock granularity does not allow tracking timeouts in single digit ms range. Change sets/0031set_timeout_size_0 to not expose this detail. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* src: add --define key=valuePablo Neira Ayuso8 days2-0/+25
| | | | | | | | | | | | | | | | | This patch adds a new option to define variables from the command line. # cat test.nft table netdev x { chain y { type filter hook ingress devices = $dev priority 0; counter accept } } # nft --define dev="{ eth0, eth1 }" -f test.nft You can only combine it with -f/--filename. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for nat with interval concatenationPablo Neira Ayuso2021-07-132-0/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to combine concatenation and interval in NAT mappings, e.g. add rule x y dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 } This generates the following NAT expression: [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] which expects to obtain the following tuple: IP address (min), source port (min), IP address (max), source port (max) to be obtained from the map. This representation simplifies the delinearize path, since the datatype is specified as: ipv4_addr . inet_service. A few more notes on this update: - alloc_nftnl_setelem() needs a variant netlink_gen_data() to deal with the representation of the range on the rhs of the mapping. In contrast to interval concatenation in the key side, where the range is expressed as two netlink attributes, the data side of the set element mapping stores the interval concatenation in a contiguos memory area, see __netlink_gen_concat_expand() for reference. - add range_expr_postprocess() to postprocess the data mapping range. If either one single IP address or port is used, then the minimum and maximum value in the range is the same value, e.g. to avoid listing 80-80, this round simplify the range. This also invokes the range to prefix conversion routine. - add concat_elem_expr() helper function to consolidate code to build the concatenation expression on the rhs element data side. This patch also adds tests/py and tests/shell. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: infer NAT mapping with concatenation from setPablo Neira Ayuso2021-07-132-13/+13
| | | | | | | | | | | | If the map is anonymous, infer it from the set elements. Otherwise, the set definition already have an explicit concatenation definition in the data side of the mapping. This update simplifies the NAT mapping syntax with concatenations, e.g. snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove STMT_NAT_F_INTERVAL flags and interval keywordPablo Neira Ayuso2021-07-132-2/+2
| | | | | | | | | | | | | | | STMT_NAT_F_INTERVAL is not useful, the keyword interval can be removed to simplify the syntax, e.g. snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } This patch reworks 9599d9d25a6b ("src: NAT support for intervals in maps"). Do not remove STMT_NAT_F_INTERVAL yet since this flag is needed for interval concatenations coming in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinarize: don't check for set element if set is not populatedFlorian Westphal2021-06-301-0/+13
| | | | | | | | | | | | 0065_icmp_postprocessing: line 13: Segmentation fault $NFT insert rule ip x foo index 1 accept Since no listing is done, cache isn't populated and 'nft insert' will trip over set->init == NULL during postprocessing of the existing 'icmp id 42' expression. Fixes: 9a5574e2d4e9 ("netlink_delinearize: add missing icmp id/sequence support") Reported-by: Eric Garver <eric@garver.life> Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: fix maps with key and data concatenationsPablo Neira Ayuso2021-06-232-0/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | expr_evaluate_concat() is overloaded, it deals with two cases: #1 set key and data definitions, this case uses the special dynamically created concatenation datatype which is taken from the context. #2 set elements, this case iterates over the set key and data expressions that are components of the concatenation tuple, to fetch the corresponding datatype. Add a new function to deal with case #1 specifically. This patch is implicitly fixing up map that include arbitrary concatenations. This is failing with a spurious error report such as: # cat bug.nft table x { map test { type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service } } # nft -f bug.nft bug.nft:3:48-71: Error: datatype mismatch, expected concatenation of (IPv4 address, Internet protocol, internet network service), expression has type concatenation of (IPv4 address, internet network service) type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service ^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: cover split chain reference across tablesPablo Neira Ayuso2021-06-142-0/+26
| | | | | | | | Add a test to cover table T1 containing the definition of chain C1, and table T1' (actually the same definition as T1) that contains a (jump) reference to chain C1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: extend connlimit testPablo Neira Ayuso2021-06-141-0/+12
| | | | | | | | | Extend existing test to add a ct count expression in the set definition. This test cover the upstream kernel fix ad9f151e560b ("netfilter: nf_tables: initialize set before expression setup"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: rework CMD_OBJ_SETELEMS logicPablo Neira Ayuso2021-06-071-0/+14
| | | | | | | | | | | | | | | | | | | Do not clone the set and zap the elements during the set and map expansion to the CMD_OBJ_SETELEMS command. Instead, update the CMD_OBJ_SET command to add the set to the kernel (without elements) and let CMD_OBJ_SETELEMS add the elements. The CMD_OBJ_SET command calls set_to_intervals() to update set->init->size (NFTNL_SET_DESC_SIZE) before adding the set to the kernel. Updating the set size from do_add_setelems() comes too late, it might result in spurious ENFILE errors for interval sets. Moreover, skip CMD_OBJ_SETELEMS if the set definition specifies no elements. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1500 Fixes: c9eae091983a ("src: add CMD_OBJ_SETELEMS") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add test case for removal of anon sets with only a single elementFlorian Westphal2021-06-074-1/+64
| | | | | | | | | | | | | Also add a few examples that should not be changed: - anon set with 2 elements - anon map with 1 element - anon set with a concatenation The latter could be done with cmp but this currently triggers 'Error: Use concatenations with sets and maps, not singleton values' after removing the anon set. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: don't assume fixed handle value in cache/0008_delete_by_handle_0Pablo Neira Ayuso2021-05-121-5/+10
| | | | | | | | This test is occasionally reporting warning in one of my test boxes. Update this test to extract the handle from ruleset listing, use rudimentary invocation of the cut command to work around this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set element catch-all supportPablo Neira Ayuso2021-05-114-0/+66
| | | | | | | | | | | | | | | | | | | | | | | | | Add a catchall expression (EXPR_SET_ELEM_CATCHALL). Use the asterisk (*) to represent the catch-all set element, e.g. table x { set y { type ipv4_addr counter elements = { 1.2.3.4 counter packets 0 bytes 0, * counter packets 0 bytes 0 } } } Special handling for segtree: zap the catch-all element from the set element list and re-add it after processing. Remove wildcard_expr deadcode in src/parser_bison.y This patch also adds several tests for the tests/py and tests/shell infrastructures. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Introduce 0043_concatenated_ranges_1 for subnets of different sizesStefano Brivio2021-05-081-0/+23
| | | | | | | | | | | The report from https://bugzilla.netfilter.org/show_bug.cgi?id=1520 showed a display issue with particular IPv6 mask lengths in elements of sets with concatenations. Make sure we cover insertion and listing of different mask lengths in concatenated set elements for IPv4 and IPv6. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: skip fuzzy lookup for unexisting 64-bit handlePablo Neira Ayuso2021-05-021-0/+8
| | | | | | | | Deletion by handle, if incorrect, should not exercise the misspell lookup functions. Fixes: 3a0e07106f66 ("src: combine extended netlink error reporting with mispelling support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unbreak deletion by table handlePablo Neira Ayuso2021-05-021-0/+20
| | | | | | | | | Use NFTA_TABLE_HANDLE instead of NFTA_TABLE_NAME to refer to the table 64-bit unique handle. Fixes: 7840b9224d5b ("evaluate: remove table from cache on delete table") Fixes: f8aec603aa7e ("src: initial extended netlink error reporting") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: remove missing modulesPablo Neira Ayuso2021-05-021-2/+3
| | | | | | | | | | Update run-tests.sh to remove the following modules: - nft_reject_netdev - nft_xfrm - nft_synproxy Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: allow to load stateful ct connlimit elements in setsLaura Garcia Liebana2021-05-021-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a syntax error after loading a nft dump with a set including stateful ct connlimit elements. Having a nft dump as per below: table ip nftlb { set connlimit-set { type ipv4_addr size 65535 flags dynamic elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 , 173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 } } } The syntax error is shown when loading the ruleset. root# nft -f connlimit.nft connlimit.nft:15997:31-32: Error: syntax error, unexpected ct, expecting comma or '}' elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 , ^^ connlimit.nft:16000:9-22: Error: syntax error, unexpected string 173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 } ^^^^^^^^^^^^^^ After applying this patch a kernel panic is raised running nft_rhash_gc() although no packet reaches the set. The following patch [0] should be used as well: 4d8f9065830e5 ("netfilter: nftables: clone set element expression template") Note that the kernel patch will produce the emptying of the connection tracking, so the restore of the conntrack states should be considered. [0]: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=4d8f9065830e526c83199186c5f56a6514f457d2 Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: fix 0025empty_dynset_0Pablo Neira Ayuso2021-03-241-1/+1
| | | | | | | | Use bash, otherwise it reports here: testcases/nft-f/0025empty_dynset_0: 22: Syntax error: redirection unexpected Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: flowtable add after delete in batchPablo Neira Ayuso2021-03-242-0/+63
| | | | | | Check for bogus EEXIST and EBUSY errors. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: release single element already contained in an intervalPablo Neira Ayuso2021-03-242-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | Before this patch: table ip x { chain y { ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1 } } } results in: table ip x { chain y { ip saddr { 1.1.1.1 } } } due to incorrect interval merge logic. If the element 1.1.1.1 is already contained in an existing interval 1.1.1.1-1.1.1.2, release it. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1512 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow use of 'verdict' in typeof definitionsFlorian Westphal2021-02-222-0/+8
| | | | | | | | | | | | | | | 'verdict' cannot be used as part of a map typeof-based key definition, its a datatype and not an expression, e.g.: typeof iifname . ip protocol . th dport : verdic ... will fail. Make the parser convert a 'verdict' symbol to a verdict expression and allow to store its presence as part of the typeof key definition. Reported-by: Frank Myhr <fmyhr@fhmtech.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: extend dtype test case to cover expression with integer typeFlorian Westphal2021-02-162-2/+83
| | | | | | | | | ... nft doesn't handle this correctly at the moment: they are added as network byte order (invalid byte order). ct zone has integer_type, the byte order has to be taken from the expression. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: extend 0025empty_dynset_0 to cover multi-statement supportPablo Neira Ayuso2021-02-092-0/+12
| | | | | | Add a test to cover multi-statement support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add empty dynamic setFlorian Westphal2021-02-052-0/+28
| | | | | | nft crashes on restore. Signed-off-by: Florian Westphal <fw@strlen.de>
* testcases: move two dump files to correct locationFlorian Westphal2021-02-052-0/+0
| | | | | | | The test cases were moved but the dumps remained in the old location. Fixes: eb14363d44cea5 ("tests: shell: move chain priority and policy to chain folder") Signed-off-by: Florian Westphal <fw@strlen.de>
* src: evaluate: reset context maxlen value before prio evaluationFlorian Westphal2021-01-262-0/+24
| | | | | | | | | | unshare -n tests/shell/run-tests.sh tests/shell/testcases/nft-f/0024priority_0 W: [FAILED] tests/shell/testcases/nft-f/0024priority_0: got 1 /dev/stdin:8:47-49: Error: Value 100 exceeds valid range 0-15 type filter hook postrouting priority 100 Reported-by: Andreas Schultz <andreas.schultz@travelping.com Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: set element multi-statement supportPablo Neira Ayuso2020-12-184-0/+93
| | | | | | | | | This patch adds two tests to add multistatement support: - Dynamic set updates from packet path. - Set that is updated from the control plane. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: timeouts later than 23 daysPablo Neira Ayuso2020-12-082-0/+29
| | | | | | | Test timeout later than 23 days in set definitions and dynamic set insertions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: reply netlink error message might be larger than MNL_SOCKET_BUFFER_SIZEPablo Neira Ayuso2020-12-041-0/+18
| | | | | | | | | | | | | | | | | Netlink attribute maximum size is 65536 bytes (given nla_len is 16-bits). NFTA_SET_ELEM_LIST_ELEMENTS stores as many set elements as possible that can fit into this netlink attribute. Netlink messages with NLMSG_ERROR type originating from the kernel contain the original netlink message as payload, they might be larger than 65536 bytes. Add NFT_MNL_ACK_MAXSIZE which estimates the maximum Netlink header coming as (error) reply from the kernel. This estimate is based on the maximum netlink message size that nft sends from userspace. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1464 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to restore limit from dynamic setPablo Neira Ayuso2020-12-041-0/+19
| | | | | | | Update parser to allow to restore limit per set element in dynamic set. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Improve fix in sets/0036add_set_element_expiration_0Phil Sutter2020-10-311-1/+1
| | | | | | | | | | Explicitly eliminate the newgen message from output instead of just the last line to make sure no other output is dropped by accident. This also allows the test to pass in unpatched kernels which do not emit the newgen message despite NLM_F_ECHO if no netlink listeners are present. Fixes: 46b54fdcf266d ("Revert "monitor: do not print generation ID with --echo"") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: exercise validation with nft -cPablo Neira Ayuso2020-10-311-0/+12
| | | | | | | Using oif in fib from prerouting is not support, make sure -c reports an error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "monitor: do not print generation ID with --echo"Pablo Neira Ayuso2020-10-231-1/+1
| | | | | | | | | | | | | Revert 0e258556f7f3 ("monitor: do not print generation ID with --echo"). There is actually a kernel bug which is preventing from displaying this generation ID message. Update the tests/shell to remove the last line of the --echo output which displays the generation ID once the "netfilter: nftables: fix netlink report logic in flowtable and genid" kernel fix is applied. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ingress inet supportPablo Neira Ayuso2020-10-132-0/+29
| | | | | | | | | | | | | | | | | | Add support for inet ingress chains. table inet filter { chain ingress { type filter hook ingress device "veth0" priority filter; policy accept; } chain input { type filter hook input priority filter; policy accept; } chain forward { type filter hook forward priority filter; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for chainsJose M. Guisado Gomez2020-09-302-0/+17
| | | | | | | | | | | | | | | | | | | | This patch enables the user to specify a comment when adding a chain. Relies on kernel space supporting userdata for chains. > nft add table ip filter > nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; } > list ruleset table ip filter { chain input { comment "test" type filter hook input priority filter; policy accept; } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Combining --terse with --json has no effectGopal Yadav2020-09-221-0/+12
| | | | | | | | --terse with --json is ignored, fix this. This patch also includes a test. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1388 Signed-off-by: Gopal Yadav <gopunop@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: fail when specifying multiple commentsJose M. Guisado Gomez2020-09-141-0/+97
| | | | | | | | | | | | | | | | | | | | Before this patch grammar supported specifying multiple comments, and only the last value would be assigned. This patch adds a function to test if an attribute is already assigned and, if so, calls erec_queue with this attribute location. Use this function in order to check for duplication (or more) of comments for actions that support it. > nft add table inet filter { flags "dormant"\; comment "test"\; comment "another"\;} Error: You can only specify this once. This statement is duplicated. add table inet filter { flags dormant; comment test; comment another;} ^^^^^^^^^^^^^^^^ Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for objectsJose M. Guisado Gomez2020-09-082-0/+81
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enables specifying an optional comment when declaring named objects. The comment is to be specified inside the object's block ({} block) Relies on libnftnl exporting nftnl_obj_get_data and kernel space support to store the comments. For consistency, this patch makes the comment be printed first when listing objects. Adds a testcase importing all commented named objects except for secmark, although it's supported. Example: Adding a quota with a comment > add table inet filter > nft add quota inet filter q { over 1200 bytes \; comment "test_comment"\; } > list ruleset table inet filter { quota q { comment "test_comment" over 1200 bytes } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mergesort: find base value expression type via recursionPablo Neira Ayuso2020-09-044-5/+42
| | | | | | | | | | | | | | | | Sets that store flags might contain a mixture of values and binary operations. Find the base value type via recursion to compare the expressions. Make sure concatenations are listed in a deterministic way via concat_expr_msort_value() which builds a mpz value with the tuple. Adjust a few tests after this update since listing differs after this update. Fixes: 14ee0a979b62 ("src: sort set elements in netlink_get_setelems()") Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support when adding tablesJose M. Guisado Gomez2020-08-282-0/+8
| | | | | | | | | | | | | | | | | | | Adds userdata building logic if a comment is specified when creating a new table. Adds netlink userdata parsing callback function. Relies on kernel supporting userdata for nft_table. Example: > nft add table ip x { comment "test"\; } > nft list ruleset table ip x { comment "test" } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: sets: Check rbtree overlap detection after tree rotationsStefano Brivio2020-08-261-0/+36
| | | | | | | | | | | | | | | | | | | | | Ticket https://bugzilla.netfilter.org/show_bug.cgi?id=1449 showed an issue with rbtree overlap detection coming from the fact that, after tree rotations performed as part of tree rebalancing, caused by deletions, end elements are not necessarily descendants of their corresponding start elements. Add single-sized elements, delete every second one of them, and re-add them (they will always be full overlaps) in order to check overlap detection after tree rotations. Port indices used in the sets are pseudo-random numbers generated with Marsaglia's Xorshift algorithm with triplet (5, 3, 1), chosen for k-distribution over 16-bit periods, which gives a good statistical randomness and forces 201 rebalancing operations out of 250 deletions with the chosen seed (1). Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for map tooPablo Neira Ayuso2020-08-172-5/+9
| | | | | | Extend and slightly rework tests/shell to cover this case too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for set declarationsJose M. Guisado Gomez2020-08-122-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow users to add a comment when declaring a named set. Adds set output handling the comment in both nftables and json format. $ nft add table ip x $ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}} $ nft list ruleset table ip x { set s { type ipv4_addr; comment "some_addrs" elements = { 1.1.1.1, 1.2.3.4 } } } $ nft --json list ruleset { "nftables": [ { "metainfo": { "json_schema_version": 1, "release_name": "Capital Idea #2", "version": "0.9.6" } }, { "table": { "family": "ip", "handle": 4857, "name": "x" } }, { "set": { "comment": "some_addrs", "elem": [ "1.1.1.1", "1.2.3.4" ], "family": "ip", "handle": 1, "name": "s", "table": "x", "type": "ipv4_addr" } } ] } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0044interval_overlap_0: Repeat insertion tests with timeoutStefano Brivio2020-08-041-19/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mike Dillinger reported issues with insertion of entries into sets supporting intervals that were denied because of false conflicts with elements that were already expired. Partial failures would occur to, leading to the generation of new intervals the user didn't specify, as only the opening or the closing elements wouldn't be inserted. The reproducer provided by Mike looks like this: #!/bin/bash nft list set ip filter blacklist4-ip-1m for ((i=1;i<=10;i++)); do nft add element filter blacklist4-ip-1m {$i.$i.$i.$i} sleep 1 done nft list set ip filter blacklist4-ip-1m which, run in a loop at different intervals, show the different kind of failures. Extend the existing test case for overlapping and non-overlapping intervals to systematically cover sets with a configured timeout. As reported by Pablo, the test would fail if we keep a one-second timeout if it runs on a "slow" kernel (e.g. with KASan), using the libtool wrapper in src/nft as $NFT, because we can't issue 218 commands within one second. To avoid that, introduce an adaptive timeout based on how many times we can list a single entry with a fixed one-second timeout. On a single 2.9GHz AMD Epyc 7351 thread: test run nft commands/s timeout - src/nft libtool wrapper, KASan: 68.4s 10 32s - nft binary, KASan: 5.1s 168 2s - src/nft libtool wrapper, w/o KASan: 18.3s 37 8s - nft binary, w/o KASan: 2.4s 719 1s While at it, fix expectation for insertion of '15-20 . 50-60' (it's expected to succeed, given the list), and the reason why I didn't notice: a simple command preceded by ! won't actually result in the shell exiting, even if it fails. Add some clearer failure reports too. v2: - adjust set timeouts to nft commands/s - fix checks on expected outcome of insertions and reports Reported-by: Mike Dillinger <miked@softtalker.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0043concatenated_ranges_0: Fix checks for add/delete failuresStefano Brivio2020-08-041-18/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The test won't stop if we simply precede commands expected to fail by !. POSIX.1-2017 says: -e When this option is on, if a simple command fails for any of the reasons listed in Consequences of Shell Errors or returns an exit status value >0, and is not part of the compound list following a while, until or if keyword, and is not a part of an AND or OR list, and is not a pipeline preceded by the "!" reserved word, then the shell will immediately exit. ...but I didn't care about the last part. Replace those '! nft ...' commands by 'nft ... && exit 1' to actually detect failures. As a result, I didn't notice that now, correctly, inserting elements into a set that contains the same exact element doesn't actually fail, because nft doesn't pass NLM_F_EXCL on a simple 'add'. Drop re-insertions from the checks we perform here, overlapping elements are already covered by other tests. Fixes: 618393c6b3f2 ("tests: Introduce test for set with concatenated ranges") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove table from cache on delete tablePablo Neira Ayuso2020-07-292-0/+22
| | | | | | | | | | | | | | | | | | | | | The following ruleset crashes nft if loaded twice, via nft -ef: add table inet filter delete table inet filter table inet filter { chain input { type filter hook input priority filter; policy drop; iifname { "eth0" } counter accept } } If the table contains anonymous sets, such as __set0, then delete + add table might result in nft reusing the existing stale __set0 in the cache. The problem is that nft gets confused and it reuses the existing stale __set0 instead of the new anonymous set __set0 with the same name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: extend 0043concatenated_ranges_0 to cover maps tooFlorian Westphal2020-07-231-28/+50
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow for negative value in variable definitionsPablo Neira Ayuso2020-07-222-0/+23
| | | | | | Extend test to cover for negative value in chain priority definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>