| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Andreas reports that he cannot use variables in set definitions:
define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143
set s-ext-2-int {
type ipv4_addr . inet_service
elements = { $s-ext-2-int }
}
This syntax is not correct though, since the curly braces should be
placed in the variable definition itself, so we have context to handle
this variable as a list of set elements.
The correct syntax that works after this patch is:
define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
table inet forward {
set s-ext-2-int {
type ipv4_addr . inet_service
elements = $s-ext-2-int
}
}
Reported-by: Andreas Hainke <andreas.hainke@foteviken.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is special expression that transforms an input expression into a
32-bit unsigned integer. This expression takes a modulus parameter to
scale the result and the random seed so the hash result becomes harder
to predict.
You can use it to set the packet mark, eg.
# nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef
You can combine this with maps too, eg.
# nft add rule x y dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { \
0 : 192.168.20.100, \
1 : 192.168.30.100 \
}
Currently, this expression implements the jenkins hash implementation
available in the Linux kernel:
http://lxr.free-electrons.com/source/include/linux/jhash.h
But it should be possible to extend it to support any other hash
function type.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new expression allows us to generate incremental and random numbers
bound to a specified modulus value.
The following rule sets the conntrack mark of 0 to the first packet seen,
then 1 to second packet, then 0 again to the third packet and so on:
# nft add rule x y ct mark set numgen inc mod 2
A more useful example is a simple load balancing scenario, where you can
also use maps to set the destination NAT address based on this new numgen
expression:
# nft add rule nat prerouting \
dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 }
So this is distributing new connections in a round-robin fashion between
192.168.10.100 and 192.168.20.200. Don't forget the special NAT chain
semantics: Only the first packet evaluates the rule, follow up packets
rely on conntrack to apply the NAT information.
You can also emulate flow distribution with different backend weights
using intervals:
# nft add rule nat prerouting \
dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200 }
So 192.168.10.100 gets 60% of the workload, while 192.168.20.200 gets 40%.
We can also be mixed with dynamic sets, thus weight can be updated in
runtime.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This new statement is stateful, so it can be used from flow tables, eg.
# nft add rule filter input \
flow table http { ip saddr timeout 60s quota over 50 mbytes } drop
This basically sets a quota per source IP address of 50 mbytes after
which packets are dropped. Note that the timeout releases the entry if
no traffic is seen from this IP after 60 seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Since fd33d96 ("src: create element command"), add element doesn't
fail anymore if the element exists, you have to use create instead in
case you want to check if the element already exists.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch validates that creation of an already existing element
bails out with EEXIST.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch validates that creation of an already existing set bails out
with EEXIST.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
... and add test cases for ct label.
Currently this dumped 'label 0x2', now 'label 1' would be shown.
This makes add/list behave the same.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Reject expr is only valid in input/forward/output chain,
and if user can add reject expr in prerouting chain, kernel
panic will happen.
So add a simple test case to cover this situation.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use the colon port syntax for consistency with other statements.
Existing syntax is still preserved but the output displays the colon.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the missing bits to scan and parse the meta priority
handle as expressed by tc classid major:minor syntax.
The :minor syntax is not support for two reason: major is always >= 1
and this clashes with port syntax in nat.
Here below, several example on how to match the packet priority field:
nft add rule filter forward meta priority abcd:0
nft add rule filter forward meta priority abcd:1234
and to set it, you have to:
nft add rule filter forward meta priority set abcd:1234
The priority expression in flex looks ahead to restrict the pattern to
avoid problems with mappings:
{classid}/[ \t\n:\-},]
So the following doesn't break:
... vmap { 25:accept }
^^^^^
The lookahead expression requires a slight change to extend the input
string in one byte.
This patch is conservative as you always have to explicity indicate
major and minor numbers even if zero.
We could consider supporting this shortcut in the future:
abcd:
However, with regards to this:
:abcd
We don't need to support it since major number is assumed to be >= 1.
However, if we ever decide to support this, we'll have problems since
this clashes with our port representation in redirect and mangle.
So let's keep this simple and start with this approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The statement:
dnat to 2001:838:35f:1:::80
is very confusing as it is not so easy to identify where address ends
and the port starts. This even harder to read with ranges.
So this patch adds squared brackets as RFC2732 to enclose the IPv6
address.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is extra syntaxtic sugar to get this consistent with other
statements such as redirect, masquerade, dup and fwd that indicates
where to go.
Existing syntax is still preserved, but the listing shows the one
including 'to'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following selectors display strings using quotes:
* meta iifname
* meta oifname
* meta ibriport
* meta obriport
However, the following do not:
* meta oif
* meta iif
* meta skuid
* meta skgid
* meta iifgroup
* meta oifgroup
* meta rtclassid
* ct label
Given they refer to user-defined values, neither keywords nor internal
built-in known values, let's quote the output of this.
This patch modifies symbolic_constant_print() so we can signal this to
indicate if the string needs to be quoted.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Four tests to cover file inclusion using:
1) Absolute path.
2) Relative path.
3) Default include directory path.
And one more test to cover endless file inclusion loop.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you add a map with timeouts, eg.
# nft add table x
# nft add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; }
The listing shows a set instead of a map:
# nft list ruleset
table ip x {
set y {
type ipv4_addr
flags timeout
}
}
This patch fixes the parser to keep the map flag around when timeout
flag (or any other flags) are specified.
This patch also comes with a regression test.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
... and fix missing line in ip6 test.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
payload set operations should work at least for byte-sized
quantities >= 2 byte.
Before adding support for odd-sized writes (ecn, dscp, ip6 flowlabel
...) add a bunch of tests to cover current state.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Add test to cover split table definition in one single file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Kernel expects milliseconds, so fix this datatype to use
milliseconds instead of seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Better use the local tree nft binary rather than the installed one.
Requested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch covers transactions using the flat syntax representation, eg.
add table x
add chain x y { type filter hook forward priority 0; }
add chain x y { policy drop; }
This also covers things like:
add element x whitelist { 1.1.1.1 }
delete element x whitelist { 1.1.1.1 }
The one above may look silly from a human behaviour point of view, but
silly robots may very well behave like this.
These tests require several kernel patches though in order to pass
successfully.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
|
| |
It uses a bogus pattern which was cleaned up already in others testscases,
and this is a leftover.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This ${TESTS_OUTPUT} variable is empty. Delete it.
It was probably an idea about dinamically redirecting testscases output.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add some tests for endless jump loop validation.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In my mechain, port 12345 is mapped to italk in /etc/services:
italk 12345/tcp # Italk Chat System
So when we add nft rule with udp port "12345", nft list ruleset
will displayed it as "italk", that cause the result is not same
with expected, then testcase fail.
Add "-nn" option when dump the rulesets from the kernel, make
testcases which using tcp/udp port more rubost.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since commit
20b1131c07acd2fc ("payload: fix stacked headers protocol context tracking")
we deref null pointer if we can't find a description for the desired
protocol, so "ip protocol 254" crashes while testing protocols 6 or 17
(tcp, udp) works.
Also add a test case for this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1072
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
While at it, get rid of bug comments on ip6/frag.t, since they are not
valid anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Original patch posted in the mailing list from Patrick, I have refreshed
this so it applies on top of current HEAD.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Print a line with the name of the testcase being executed, and then delete it
with the result.
There are tests which may take a long time and its good to know what is doing
the testsuite.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Let's sort tests files before iterating over them.
Put the find string in a separated function so it's more readable.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This helps to catch 5afa5a1 ("evaluate: check for NULL datatype in rhs
in lookup expr").
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's tests loading a ruleset with actions.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This value needs to be lshift one bit to be correct.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set elements were miscalculated.
After this patch:
element 00000801 : 0 [end]
^^^^
Which looks correct according to my calculations:
>>> print hex(socket.htons(33 << 3))
0x801
^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This supports both IPv4:
# nft --debug=netlink add rule filter forward ip dscp cs1 counter
ip filter forward
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000080 ]
[ counter pkts 0 bytes 0 ]
And also IPv6, note that in this case we take two bytes from the payload:
# nft --debug=netlink add rule ip6 filter input ip6 dscp cs4 counter
ip6 filter input
[ payload load 2b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000008 ]
[ counter pkts 0 bytes 0 ]
Given the DSCP is split in two bytes, the less significant nibble
of the first byte and the two most significant 2 bits of the second
byte.
The 8 bit traffic class in RFC2460 after the version field are used for
DSCP (6 bit) and ECN (2 bit). Support for ECN comes in a follow up
patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This is actually part of the traffic class field according to RFC2460.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This is a 20 bit field according to Section 3. IPv6 Header Format.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow to run tests with other nft binaries by reading a 'NFT'
environment variable, allowing arbitrary locations for the nft binary.
This is what the tests/shell/run-tests.sh script does.
Among other thing, this allow us to properly hook this testsuite
from the Debian CI environment (https://ci.debian.net) where we can perform
tests for packages 'as installed'.
Examples:
# run with default config (ie src/nft)
% ./nft-test.py
# run with installed binary (ie /usr/sbin/nft)
% NFT=/usr/sbin/nft ./nft-test.py
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add some initial tests to cover dynamic interval sets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds explicit set type in test definitions, as well as flags.
This has triggered a rework that starts by introducing a Set class to
make this whole code more extensible and maintainable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's add some testcases for named sets with intervals and ranges.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
add rule ip6 filter input ip6 saddr ::1/128 ip6 daddr ::1/128 fails,
we ask to compare a 32byte immediate which is not supported:
[ payload load 32b @ network header + 8 => reg 1 ]
[ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 0x00000000 0x00000000 0x00000000 0x02000000 ]
We would need to use two cmps in this case, i.e.:
[ payload load 32b @ network header + 8 => reg 1 ]
[ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
[ cmp eq reg 2 0x00000000 0x00000000 0x00000000 0x02000000 ]
Seems however that this requires a bit more changes to how nft
handles register allocations, we'd also need to undo the constant merge.
Lets disable merging for now so that we generate
[ payload load 16b @ network header + 8 => reg 1 ]
[ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
[ payload load 16b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x02000000 ]
... if merge would bring us over the 128 bit register size.
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=1032
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
It seems both Debian/Fedora (and derivates) contains mktemp (from the coreutils
package) so it makes no sense to have this failover, which looks buggy also.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Testscases for Netfilter bug #965:
* add rule at position
* insert rule at position
* replace rule with given handle
* delete rule with given handle
* don't allow to delete rules with position keyword
Netfilter Bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=965
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
