summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* tests: Add any folder with test files.Ana Rey2014-09-186-0/+383
| | | | | | | | | | "any" folder contains the test files that are executed in ipv4, ipv6, inet, arp, bridge family of tables. These test files are executed with nft-tests.py Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add bridge folder with test files.Ana Rey2014-09-181-0/+7
| | | | | | | | | "bridge" folder contains the test files that are executed in bridge tables. These test files are executed with nft-tests.py Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add arp folder with test files.Ana Rey2014-09-182-0/+58
| | | | | | | | | "arp" folder contains the test files that are executed in arp tables. These test files are executed with nft-tests.py Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add inet folder with test files.Ana Rey2014-09-188-0/+380
| | | | | | | | | | "inet" folder contains the test files that are executed in ipv4, ipv6 and inet family of tables. These test files are executed with nft-tests.py Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add ip6 folder with test files.Ana Rey2014-09-1811-0/+487
| | | | | | | | | | "ip6" folder contains the test files that are executed in ip6 and inet family of tables. These test files are executed with nft-tests.py Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add ip folder with test filesAna Rey2014-09-186-0/+276
| | | | | | | | | | "ip" folder contains the test files that are executed in ip and inet family of tables. These test files are executed with nft-tests.py Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add automated regression testingAna Rey2014-09-182-0/+1000
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Here, the automated regression testing for nftables and some test files. This script checks that the rule input and output of nft matches. More details here below. A) What is this testing? This script tests two different paths: * The rule input from the command-line. This checks the different steps from the command line to the kernel. This includes the parsing, evaluation and netlink generation steps. * The output listing that is obtained from the kernel. This checks the different steps from the kernel to the command line: The netlink message parsing, postprocess and textify steps to display the rule listing. As a final step, this script compares that the rule that is added can be listed by nft. B) What options are available? The script offers the following options: * Execute test files: ./nft-test.py # Run all test files ./nft-test.py path/file.t # Run this test file If there is a problem, it shows the differences between the rule that is added and the rule that is listed by nft. In case you hit an error, the script doesn't keep testing for more families. Unless you specify the --force-family option. * Execute broken tests: ./nft-test.sh -e This runs tests for rules that need a fix: This mode runs the lines that that start with a "-" symbol. * Debugging: ./nft-test.sh -d This shows all the commands that the script executes, so you can watch its internal behaviour. * Keep testing all families on error. ./nft-test.sh -f Don't stop testing for more families in case of error. C) What is the structure of the test file? A test file contains a set of rules that are added in the system. Here, an example of a test file: *ip;test-ipv4 # line 1 *ip6;test-ipv6 # line 2 *inet;test-inet # line 3 :input;type filter hook input priority 0 # line 4 ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23 # line 5 - tcp dport != {22-25} # line 6 !set1 ipv4_addr;ok # line 7 ?set1 192.168.3.8 192.168.3.9;ok # line 8 # This is a commented-line. # line 9 Line 1 defines a table. The name of the table is 'test-ip' and the family is ip. Lines 2 and 3 defines more tables for different families so the rules in this test file are also tested there. Line 4 defines the chain. The name of this chain is "input". The type is "filter", the hook is "input" and the priority is 0. Line 5 defines the rule, the ";" character is used as separator of several parts: * Part 1: "ah hdrlength != 11-23" is the rule to check. * Part 2: "ok" is the result expected with the execute of this rule. * Part 3: "ah hdrlength < 11 ah hdrlength > 23". This is the expected output. You can leave this empty if the output is the same as the input. Line 6 is a marked line. This means that this rule is tested if '-e' is passed as argument to nft-test.py. Line 7 adds a new set. The name of this set is "set1" and the type of this set is "ipv4_add". Line 8 adds two elements into the 'set1' set: "192.168.3.8" and "192.168.3.9". A whitespace separates the elements of the set. Line 9 uses the "#" symbol that means that this line is commented out. D) The test folders The test files are divided in several directories: ip, ip6, inet, arp, bridge and any. * "ip" folder contains the test files that are executed in ip and inet table. * "ip" folder contains the test files that are executed in ip6 and inet table. * "inet" folder contains the test files that are executed in the ip, ip6 and inet table. * "arp" folder contains the test files that are executed in the arp table. * "bridge" folder: Here are the test files are executed in bridge tables. * "any" folder: Here are the test files are executed in ip, ip6, inet, arp and bridge tables. E) Meaning of messages: * A warning message means the rule input and output of nft mismatches. * An error message means the nft-tool shows an error when we add it or the listing is broken after the rule is added. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: prohibit redefinitions of symbols and verify existance on usePatrick McHardy2014-02-043-0/+20
| | | | | | | | | | | | This patch fixes some incorrect behaviour of symbolic variables: - prohibit redefining an existing symbol - verify existance of a symbolic variable during parsing instead of evaluation The second point makes sure we don't allow recursive definitions (var = $var), which lead to a crash due to stack exhaustion. Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: add two tests for error reportingPatrick McHardy2014-02-042-0/+27
| | | | | | | Mixed syntactical and non-syntactical errors in individual commands and blocks. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use ':' instead of '=>' in dictionariesPablo Neira Ayuso2014-01-164-20/+20
| | | | | | | | | | | | | Replace => by : to make it easier for most shell users, as > implies a redirection, let's avoid possible confusion that may result if you forget to escape it. This works fine if you don't forget to add space between the key and the value. If you forget to add the space, depending on the case, the scanner may recognize it correctly or process it as a string. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Update bate chain creation according to latest syntax changesTomasz Bursztyka2013-09-0411-11/+11
| | | | | | | Adding type, plain hook's name and priority keyword. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: obj-table: update examples to use the current syntaxPablo Neira Ayuso2013-04-201-4/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: set: update examples to use the current syntaxPablo Neira Ayuso2013-04-201-2/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: dictionary: update examples to use the current syntaxPablo Neira Ayuso2013-04-201-12/+12
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: obj-chain: update examples to use the current syntaxPablo Neira Ayuso2013-04-201-3/+3
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-meta: update examples to use the current syntaxPablo Neira Ayuso2013-04-201-7/+7
| | | | | | Also enable nftrace, now that nftables kernel-space supports this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: feat-adjancent-load-merging: remove ip protocol from rulePablo Neira Ayuso2013-04-201-1/+1
| | | | | | No need to include this, it is now added as a dependency. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: family-bridge: update to use the current syntaxPablo Neira Ayuso2013-04-201-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: family-ipv6: update to use the current syntaxPablo Neira Ayuso2013-04-191-2/+5
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-ct: update examples to use the current syntaxPablo Neira Ayuso2013-04-181-5/+5
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: family-ipv4: update test to use current syntaxPablo Neira Ayuso2013-04-181-2/+6
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chains: add rename testcasesPatrick McHardy2012-12-153-0/+16
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: add loop detection testsPatrick McHardy2012-12-104-0/+29
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: add verdict map testPatrick McHardy2012-12-081-0/+20
| | | | Signed-off-by: Patrick McHardy <kaber@ŧrash.net>
* tests: fix test, commands now comes before the family and table namePablo Neira Ayuso2012-08-0614-88/+88
| | | | | | | Most tests still don't work though. They still need another fix. Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-1814-0/+256