| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Here some tests for optional things like rule handles and comments.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This testcase for sets catch a cache bug.
By the time of this commit this test is failing, so the test suite shows:
% sudo ./run-tests.sh
I: using nft binary /usr/local/sbin/nft
I: [OK] ./testcases/maps/anonymous_snat_map_0
I: [OK] ./testcases/maps/named_snat_map_0
W: [FAILED] ./testcases/sets/cache_handling_0
I: [OK] ./testcases/optionals/comments_0
I: [OK] ./testcases/optionals/comments_handles_monitor_0
I: [OK] ./testcases/optionals/handles_1
I: [OK] ./testcases/optionals/handles_0
I: [OK] ./testcases/optionals/comments_handles_0
I: results: [OK] 7 [FAILED] 1 [TOTAL] 8
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's add some tests cases for maps.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new test-suite is intended to perform tests of higher level than
the other reggresion test-suite.
It can run arbitrary executables which can perform any test apart of testing
the nft syntax or netlink code (which is what the regression tests does).
To run the test suite (as root):
% cd tests/shell
% ./run-tests.sh
Test files are executables files with the pattern <<name_N>>, where N is the
expected return code of the executable. Since they are located with `find',
test-files can be spreaded in any sub-directories.
You can turn on a verbose execution by calling:
% ./run-tests.sh -v
Before each call to the test-files, `nft flush ruleset' will be called.
Also, test-files will receive the environment variable $NFT which contains the
path to the nftables binary being tested.
You can pass an arbitrary $NFT value as well:
% NFT=../../src/nft ./run-tests.sh
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rearrange the directory to obtain a better organization of files and
tests-suites.
We end with a tree like this:
tests
|
.--- py
.--- shell
.--- files
This was suggested by Pablo.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Adjust tests to fix wrong payloads, both pcp and cfi are located in the
first nibble of the first byte.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The tests script suffers a crash when a rule test line is malformed
(e.g. if expected result is missing). This commit fixes these crashes
and now the line is skipped and a warning is printed.
While at it, fix a malformed test line too.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
In the test files, some lines defining tables was commented out with a
minus "-" sign, also used to mark broken rules. This commit replaces
these signs with actual comments "#" and removes the code that handled
the situation.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
During tests execution, some *.payload.got files may be generated. To
avoid annoyances, this commit adds the pattern to .gitignore. Also, the
file "dup.t.payload.got", that was presumably included by mistake, has
been deleted.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
previous commit fixed arp header definition so fix payload as well.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since 357d8cf "tests: use the src/nft binary instead of $PATH one", the
tests script needs to be executed from nftables repository root. Now
the script can be run from any location and also checks the binary
existence.
To run a single test file, the path must be relative from the directory
where you launch the script.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Python interpreter doesn't like mixed indentation. So in order to
prevent future problems, this commit replace some tabs found in the
script with space indentation.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Test rule from Pablo, it caused assertion failure with earlier
versions of nft (caused by 7ead4932f9ab, later fixed via
775e7ff1f5ddaa32).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Adds ether saddr statements for inet, bridge and ip/ip6 families.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Contrary to iptables, we use the asterisk character '*' as wildcard.
# nft --debug=netlink add rule test test iifname eth\*
ip test test
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x00687465 ]
Note that this generates an optimized comparison without bitwise.
In case you want to match a device that contains an asterisk, you have
to escape the asterisk, ie.
# nft add rule test test iifname eth\\*
The wildcard string handling occurs from the evaluation step, where we
convert from:
relational
/ \
/ \
meta value
oifname eth*
to:
relational
/ \
/ \
meta prefix
ofiname
As Patrick suggested, this not actually a wildcard but a prefix since it
only applies to the string when placed at the end.
More comments:
* This relaxes the left->size > right->size from netlink_parse_cmp()
for strings since the optimization that this patch applies may now
result in bogus errors.
* This patch can be later on extended to apply a similar optimization to
payload expressions when:
expr->len % BITS_PER_BYTE == 0
For meta and ct, the kernel checks for the exact length of the attributes
(it expects integer 32 bits) so we can't do it unless we relax that.
* Wildcard strings are not supported from sets and maps yet. Error
reporting is not very good at this stage since expr_evaluate_prefix()
doesn't have enough context (ctx->set is NULL, the set object is
currently created later after evaluating the lhs and rhs of the
relational). I'll be following up on this later.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
|
| |
|
|
|
|
|
| |
add a few regression tests that match vlan id/dei/pcp fields
of the vlan header.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Header fields of 4 bit lengths. Requires implicit masks and
shifting of RHS constant.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo reported test failures because the order of returned set entries
is not deterministic.
This sorts set elements before comparision.
Patrick suggested to move ordering into libnftnl (since we could f.e.
also get duplicate entries due to how netlink dumps work), but thats a bit
more work. Hence this quick workaround.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This patch adds simple tests for concatenation and maps, including more
advanced tests that combine them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Since 357d8cfcceb2 ("tests: use the src/nft binary instead of $PATH one"), the
tests fail if you try to run them if you are not under the root directory of
the nftables repository.
Display an error so I don't forget I have to do it like this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Its just a more complicated way of saying 'ip saddr 255.255.0.0/16'.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
... so one doesn't need to install new binary into $PATH (or
change PATH... ) during development.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This has to be related to libnftnl's 0edeb667a2cf ("expr: redir: fix snprintf
to return the number of bytes printed").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Since e715f6d1241c ("netlink: don't call netlink_dump_*() from listing
functions with --debug=netlink"), there is no debugging from the listing path.
Thus, we can remove the set line from the test files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
[ cmp eq reg 1 ...
.. to make sure that later support to match header elements that have odd
(non-byte aligned) lengths/offsets doesn't erronously eliminate explicitly
added binops while searching expressions for implicit binops.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
compare netlink instructions generated by given nft command line
with recorded version.
Example: udp dport 80 accept in ip family should look like
ip test-ip4 input
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000011 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00005000 ]
[ immediate reg 0 accept ]
This is stored in udp.t.payload.ip
Other suffixes:
.payload.ip6
.payload.inet
.payload ('any')
The test script first looks for 'testname.t.payload.$family', if that
doesn't exist 'testname.t.payload' is used.
This allows for family independent test (e.g. meta), where we don't
expect/have any family specific expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
I get failures here since 'man' has different uid vs. what
test suite expects.
Furthermore, this box does not have a 'backup' user.
Switch to root/bin/daemon -- those exist on both debian and fedora.
After this meta.t passes on all my machines.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... 2001:838:35f:1::-2001:838:35f:2:: :80-100' mismatches
... 2001:838:35f:1::-2001:838:35f:2:::80-100'
nft accepts both, so just alter test to not complain.
Also, fix test script to display the expected output rather than
the input. Otherwise, a rule like
some_input;ok;expected_output
may display nonsensical message like
warning: some_input mismatches some_input
This also fixes the icmpv6 test accordingly, nft displays ranges
correctly.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
getnameinfo() displays this:
::1234:1234:1234:1234:1234:1234:1234
as:
0:1234:1234:1234:1234:1234:1234:1234
which is basically equivalent. nft accepts both inputs.
So add some exceptions to the tests to reduce the amount of noise in the tests,
so we can focus on real problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I think flags should be displayed in hexadecimal and should be handled as a
bitmask.
inet/comp.t: WARNING: line: 15: 'nft add rule ip test-ip4 input comp flags 0x00': 'comp flags 0x00' mismatches 'comp flags 0'
inet/comp.t: WARNING: line: 16: 'nft add rule ip test-ip4 input comp flags != 0x23': 'comp flags != 0x23' mismatches 'comp flags != 35'
inet/comp.t: WARNING: line: 17: 'nft add rule ip test-ip4 input comp flags 0x33-0x45': 'comp flags 0x33-0x45' mismatches 'comp flags 51-69'
inet/comp.t: WARNING: line: 18: 'nft add rule ip test-ip4 input comp flags != 0x33-0x45': 'comp flags != 0x33-0x45' mismatches 'comp flags != 51-69'
inet/comp.t: WARNING: line: 19: 'nft add rule ip test-ip4 input comp flags {0x33, 0x55, 0x67, 0x88}': 'comp flags {0x33, 0x55, 0x67, 0x88}' mismatches 'comp flags { 103, 85, 51, 136}'
inet/comp.t: WARNING: line: 21: 'nft add rule ip test-ip4 input comp flags { 0x33-0x55}': 'comp flags { 0x33-0x55}' mismatches 'comp flags { 51-85}'
rfc3173 says that this is unused for future use though.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
snat can be only used from prerouting and input, and dnat from output and
postrouting.
ip/nat.t: ERROR: line 12: nft add rule ip test-ip4 output iifname eth0 tcp sport 23-34 snat 192.168.3.2: This rule should not have failed.
Split the test file as they require different chain configuration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix lots of warnings, mostly related to the listing of ranges in many of the
tests that we have, eg.
any/meta.t: WARNING: line: 30: 'nft add rule ip test-ip4 input meta l4proto 33-45': 'meta l4proto 33-45' mismatches 'meta l4proto 33-45'
any/meta.t: WARNING: line: 31: 'nft add rule ip test-ip4 input meta l4proto != 33-45': 'meta l4proto != 33-45' mismatches 'meta l4proto != 33-45'
any/meta.t: WARNING: line: 99: 'nft add rule ip test-ip4 input meta skuid 3001-3005 accept': 'meta skuid 3001-3005 accept' mismatches 'skuid 3001-3005 accept'
any/meta.t: WARNING: line: 100: 'nft add rule ip test-ip4 input meta skuid != 2001-2005 accept': 'meta skuid != 2001-2005 accept' mismatches 'skuid != 2001-2005 accept'
any/meta.t: WARNING: line: 111: 'nft add rule ip test-ip4 input meta skgid 2001-2005 accept': 'meta skgid 2001-2005 accept' mismatches 'skgid 2001-2005 accept'
any/meta.t: WARNING: line: 112: 'nft add rule ip test-ip4 input meta skgid != 2001-2005 accept': 'meta skgid != 2001-2005 accept' mismatches 'skgid != 2001-2005 accept'
any/meta.t: WARNING: line: 156: 'nft add rule ip test-ip4 input meta cpu 1-3': 'meta cpu 1-3' mismatches 'cpu 1-3'
any/meta.t: WARNING: line: 158: 'nft add rule ip test-ip4 input meta cpu != 1-2': 'meta cpu != 1-2' mismatches 'cpu != 1-2'
any/meta.t: WARNING: line: 187: 'nft add rule ip test-ip4 input meta cgroup 0x100001 - 0x100003': 'meta cgroup 0x100001 - 0x100003' mismatches 'cgroup 1048577-1048579'
...
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Consolidate print_err() and print_warning() into print_msg() to reduce code
duplication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
'meta mark set 10' is a valid input, but the expected output is
'mark set 10'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Disable the tests from the output chain, the kernel rejects this with
operation not supported.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
nft now prints the default chain policy, consider this when parsing
the output to find mismatches.
Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=995
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Make sure support chain don't stop working.
Remove some minor mistakes and out of scope tests from chain*.t
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Those tests work already, enable them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
So tests log statement for those two families too and remove the
tests/selectors that are ip and ip6 specific, they don't belong here.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Avoid copy&paste coding style pattern by simplifying the code that
handles the `-e' option that allows us to run known broken tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Always increment the test file counter for each test file in the list.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Small syntax update suggested by Patrick.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Separate values in set, otherwise bash interprets the brackets
and the test reports an error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
