path: root/tests
Commit message | Author | Age | Files | Lines
* tests/py: trivial: Fix error message | Phil Sutter | 2017-12-09 | 1 | -1/+1
  The error message for failed chain creation quotes the chain's name but lacked the closing tick.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: add test for empty string match | Harsha Sharma | 2017-11-28 | 2 | -0/+3
  This patch adds tests for empty string match which fails with error "Empty string is not allowed".
  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: no need for 'name' token for meters | Pablo Neira Ayuso | 2017-11-24 | 5 | -8/+8
  Rework grammar to skip the 'name' token after 'meter' for named meters. For consistency with sets and maps in terms of syntax.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: deprecate "flow table" syntax, replace it by "meter" | Pablo Neira Ayuso | 2017-11-24 | 5 | -9/+9
  According to bugzilla 1137: "flow tables" should not be syntactically unique.

  "Flow tables are always named, but they don't conform to the way sets, maps, and dictionaries work in terms of "add" and "delete" and all that. They are also "flow tables" instead of one word like "flows" or "throttle" or something. It seems weird to just have these break the syntactic expectations."

  Personally, I never liked the reference to "table" since we have very specific semantics in terms of what a "table" is netfilter for long time.

  This patch promotes "meter" as the new keyword. The former syntax is still accepted for a while, just to reduce chances of breaking things. At some point the former syntax will just be removed.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* tests: shell: Prevent lockout in nft-f/0008split_tables_0 | Phil Sutter | 2017-11-22 | 1 | -2/+2
  Since packets traverse both tables, the accept rule in the first one is ineffective due to the second table's drop policy. To prevent lockouts when running the testsuite via SSH connection, set the second chain's policy to accept as well.
  Fixes: 337c7e0de3d9d ("tests: shell: make sure split table definition works via nft -f")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test for IPv4 Mapped IPv6 address. | Varsha Rao | 2017-11-20 | 1 | -0/+25
  This patch adds test case for IPv4 Mapped IPv6 address.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Rename 0025named_limit_0 to 0026named_limit_0 | Varsha Rao | 2017-11-20 | 1 | -0/+0
  This renames file 0025named_limit_0 to 0026named_limit_0, there is already a test whose prefix is 0025.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: tests: files: Remove test files. | Varsha Rao | 2017-11-16 | 13 | -243/+0
  This patch removes all the test cases from tests/files. As they are already present in other test files.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Print error "this requires root" and exit | Harsha Sharma | 2017-11-06 | 1 | -0/+5
  If executed without root privileges, print error "this requires root!" and exit.
  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test case for map expression. | Varsha Rao | 2017-11-06 | 1 | -0/+10
  Add tests for different map expression.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nft removes required inet dependency expressions | Florian Westphal | 2017-10-26 | 6 | -1/+78
  +inet/meta.t: line: 10: 'add rule inet t input meta nfproto ipv6 tcp dport 22': 'meta nfproto ipv6 tcp dport 22' mismatches 'tcp dport 22'
  +inet/meta.t: line: 11: 'add rule inet t input meta nfproto ipv4 tcp dport 22': 'meta nfproto ipv4 tcp dport 22' mismatches 'tcp dport 22'
  +inet/meta.t: line: 13: 'add rule inet t input meta nfproto ipv6 meta l4proto tcp': 'meta nfproto ipv6 meta l4proto 6' mismatches 'meta l4proto 6'
  +inet/ip_tcp.t: line: 20: 'src/nft add rule inet test input ether type ip tcp dport 22': 'ether type ip tcp dport 22' mismatches 'tcp dport 22'

  All of these are actual errors, i.e. meaning of rule is changed.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: enable ip/ip.t for bridge protocol, too | Florian Westphal | 2017-10-26 | 2 | -0/+761
  This does not add any additional warnings, it just increases coverage to bridge.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: nft removes required payload protocol expressions | Florian Westphal | 2017-10-26 | 4 | -0/+144
  This test fails with

  'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22'

  ip protocol tcp tcp dport 22 is *ONLY* same as 'tcp dport 22' in the ip family. For netdev/inet/bridge, the dependency is required, as it restricts matching to ipv4.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add test case that checks icmp6 in-ipv4 | Florian Westphal | 2017-10-26 | 2 | -0/+12
  nft does not handle this correctly. This test fails.

  In: inet input ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
  Out: meta l4proto 58 icmpv6 type destination-unreachable

  which loses the "ipv4" dependency, i.e. listing should show the rule as-is.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: icmpX: fix expected output | Florian Westphal | 2017-10-26 | 2 | -2/+2
  both of these rules succeed, but they should fail instead.

  nft removes the ip6 nexthdr' clause, but this is not correct, it is an explicit test for the ipv6 nexthdr value. Implicit dependencies use meta l4proto to skip extension headers (if any), ipv6 nexthdr does not.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix harmess typo in table name | Florian Westphal | 2017-10-26 | 2 | -3/+3
  table name should be 'test-ip', not inet.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: files: Remove tests for verdict maps. | Varsha Rao | 2017-10-17 | 1 | -20/+0
  Remove test cases for verdict maps. As they are already there in tests/shell file.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove tests for table. | Varsha Rao | 2017-10-17 | 1 | -9/+0
  This patch removes test case for table. As test case for it is present in tests/shell file.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove tests for chain. | Varsha Rao | 2017-10-17 | 1 | -22/+0
  Test cases for chain are there in tests/shell file. So, remove these testcases.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove test cases for variable definition. | Varsha Rao | 2017-10-17 | 3 | -20/+0
  New test cases for variable definition are added in tests/shell file. So, remove these test cases.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add tests for variable definition. | Varsha Rao | 2017-10-17 | 3 | -0/+74
  This patch adds test cases for a variable definition and redefinition.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove tests for set. | Varsha Rao | 2017-10-17 | 1 | -14/+0
  This patch removes test case for set. As new test case is added to tests/shell file.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test case for sets. | Varsha Rao | 2017-10-17 | 1 | -0/+17
  This patch adds test case for anonymous sets.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test case for jump chain. | Varsha Rao | 2017-10-17 | 1 | -0/+11
  This patch adds test case for checking jump to non existing chain.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove jump chain tests. | Varsha Rao | 2017-10-17 | 4 | -29/+0
  Tests for loop-detect 1, 2 and 3 are already there in tests/shell file. New test for loop-detect.4 has been added to tests/shell file. So, remove them.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcases for named limits | Harsha Sharma | 2017-10-17 | 1 | -0/+27
  Add testcases for creating named limits and referencing them from rule
  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: shell: update shell/run-tests.sh to refer to relative path of testcase | Harsha Sharma | 2017-10-09 | 1 | -1/+1
  Refer to relative path for tests from any directory if path for testcases is specified.
  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: skip set element expression in set statement key | Anders K. Pedersen | 2017-10-06 | 9 | -2/+109
  Before this patch the following fails:

    # nft add rule ip6 filter x \
        set add ip6 saddr . ip6 daddr @test
    nft: netlink_linearize.c:648: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.
    Aborted

  This was previously fixed for flow statements in fbea4a6f4449 ("netlink_linearize: skip set element expression in flow table key"), and this patch implements the same change for set statements by using the set element key in netlink_gen_set_stmt().

  nft-test.py is updated to support set types with concatenated data types in order to support testing of this.
  Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcases for named objects | Harsha Sharma | 2017-10-06 | 1 | -0/+41
  Add testcases for creating named objects with unique name, defined by user and referencing them from rule.
  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove old tests for chain rename. | Varsha Rao | 2017-10-06 | 3 | -16/+0
  These tests are not required as new test cases are added in tests/shell file.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add tests for chain rename. | Varsha Rao | 2017-10-06 | 2 | -0/+22
  This patch adds test cases for renaming chain with existing and non existing chains.
  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: shell: execute shell/run-tests.sh from any directory | Harsha Sharma | 2017-10-06 | 1 | -1/+1
  Update shell/run-tests.sh to refer /src/nft with a relative path
  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: rt: fix test cases | Florian Westphal | 2017-09-29 | 4 | -7/+12
  nfproto meta dependency is no longer needed, keep one test since we still support this syntax.

  When meta is not provided, no need to add a dependency because nft_rt already checks pf number before checking skb->dst.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ct: adjust test case commands | Florian Westphal | 2017-09-29 | 4 | -21/+24
  use 'ip saddr', 'ip6 saddr', etc.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: update inet/bridge icmp test case | Florian Westphal | 2017-09-29 | 2 | -4/+4
  after previous change nft now culls the dependency chain: 'icmpv6 type echo-request' is shown as-is, and not 'meta nfproto ipv6 meta l4proto 58 icmpv6 type echo-request' anymore.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* bison: permit keywords in list_stmt_expressions | Florian Westphal | 2017-09-27 | 2 | -0/+6
  'ct event set label' and 'ct event set new or label' work, but 'ct event set new, label' did not:

    nft add rule filter input ct event set new,label
    Error: syntax error, unexpected label

  This changes the definition to also contain keyword symbol expressions.
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add tests for limit stateful object | Pablo M. Bermudo Garay | 2017-09-04 | 3 | -3/+35
  The patch also reorganizes ip/objects.t file.
  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: convert expr_rt byteorder when evaluating statment arg | Florian Westphal | 2017-08-28 | 1 | -0/+1
  expr_rt might write data in host byte order, so make sure to convert if needed.

  This makes 'tcp option maxseg size rt mtu' actually work, right now such rules are no-ops because nft_exthdr never increases the mss.

  While at it, extend the example to not bother testing non-syn packets.
  Reported-by: Matteo Croce <technoboy85@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add tcp option set support / tcp mss mangling test cases | Florian Westphal | 2017-08-22 | 4 | -1/+15
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add test case for ttl/protocol set | Florian Westphal | 2017-08-17 | 4 | -0/+58
  nft .. ip ttl set 42 did set the protocol field and left ttl alone, add test cases for this.
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Merge monitor and echo test suites | Phil Sutter | 2017-08-15 | 4 | -88/+96
  The two test suites were pretty similar already, and since echo output is supposed to be identical to monitor output apart from delete commands, they can be merged together with little effort.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add a simple test suite for --echo option | Phil Sutter | 2017-08-14 | 2 | -0/+57
  The fancy thing about this is that it uses the actual echo output to undo the changes to the rule set.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix arp chain test | Florian Westphal | 2017-08-08 | 1 | -3/+2
  The forward chain isn't supported anymore (on kernel side it only worked if bridge netfilter 'call-arptables' sysctl is on), so this test now fails with nf-next kernel.

  In nftables one can filter/test arp packets in bridge family directly.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/monitor: Clear ruleset after testing | Phil Sutter | 2017-07-27 | 1 | -5/+6
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Simplify testcases | Phil Sutter | 2017-07-27 | 5 | -29/+20
  By introducing 'O -' indicating that output should be identical as input, testcases can be simplified quite a bit.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Fix printing of set declarations | Phil Sutter | 2017-07-27 | 4 | -5/+5
  The optional attributes 'flags', 'gc-interval' and 'timeout' have to be delimited by stmt_separator (either newline or semicolon), not 'nl' which is set to whitespace by set_print_plain().

  In order to restore readability, change stmt_separator to include a single whitespace after the semicolon.

  Here's monitor output for the following command:

  | # nft add set ip t testset { type inet_service; \
  |                             timeout 60s; gc-interval 120s; }

  Before this patch:

  | add set ip t testset { type inet_service;timeout 1m gc-interval 2m }

  With this patch applied:

  | add set ip t testset { type inet_service; timeout 1m; gc-interval 2m; }

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Add a small README | Phil Sutter | 2017-07-25 | 1 | -0/+48
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Ignore newgen messages in output | Phil Sutter | 2017-07-25 | 1 | -2/+5
  Predicting the new ID value is not feasible and neither is implementing support for regular expressions when matching monitor output, so simply ignore them.

  Also use diff option '-w' instead of '-Z' to ignore all whitespace, not just at EOL.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add basic monitor testing framework | Phil Sutter | 2017-07-19 | 5 | -0/+168
  This implements testing of 'nft monitor' output correctness and adds a number of testcases for named sets.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: update include directory tests to support wildcard syntax. | Ismo Puustinen | 2017-06-27 | 11 | -13/+171
  Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>