summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* tests: shell: don't assume fixed handle value in cache/0008_delete_by_handle_0Pablo Neira Ayuso4 days1-5/+10
| | | | | | | | This test is occasionally reporting warning in one of my test boxes. Update this test to extract the handle from ruleset listing, use rudimentary invocation of the cut command to work around this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set element catch-all supportPablo Neira Ayuso5 days8-0/+155
| | | | | | | | | | | | | | | | | | | | | | | | | Add a catchall expression (EXPR_SET_ELEM_CATCHALL). Use the asterisk (*) to represent the catch-all set element, e.g. table x { set y { type ipv4_addr counter elements = { 1.2.3.4 counter packets 0 bytes 0, * counter packets 0 bytes 0 } } } Special handling for segtree: zap the catch-all element from the set element list and re-add it after processing. Remove wildcard_expr deadcode in src/parser_bison.y This patch also adds several tests for the tests/py and tests/shell infrastructures. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Introduce 0043_concatenated_ranges_1 for subnets of different sizesStefano Brivio8 days1-0/+23
| | | | | | | | | | | The report from https://bugzilla.netfilter.org/show_bug.cgi?id=1520 showed a display issue with particular IPv6 mask lengths in elements of sets with concatenations. Make sure we cover insertion and listing of different mask lengths in concatenated set elements for IPv4 and IPv6. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: skip fuzzy lookup for unexisting 64-bit handlePablo Neira Ayuso14 days1-0/+8
| | | | | | | | Deletion by handle, if incorrect, should not exercise the misspell lookup functions. Fixes: 3a0e07106f66 ("src: combine extended netlink error reporting with mispelling support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unbreak deletion by table handlePablo Neira Ayuso14 days1-0/+20
| | | | | | | | | Use NFTA_TABLE_HANDLE instead of NFTA_TABLE_NAME to refer to the table 64-bit unique handle. Fixes: 7840b9224d5b ("evaluate: remove table from cache on delete table") Fixes: f8aec603aa7e ("src: initial extended netlink error reporting") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: remove missing modulesPablo Neira Ayuso14 days1-2/+3
| | | | | | | | | | Update run-tests.sh to remove the following modules: - nft_reject_netdev - nft_xfrm - nft_synproxy Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing relational operation on flag listPablo Neira Ayuso14 days3-0/+27
| | | | | | | | | | | | | | | Complete e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") which was missing comma-separated list of flags. This patch provides a shortcut for: tcp flags and fin,rst == 0 which allows to check for the packet whose fin and rst bits are unset: # nft add rule x y tcp flags not fin,rst counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: allow to load stateful ct connlimit elements in setsLaura Garcia Liebana14 days1-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a syntax error after loading a nft dump with a set including stateful ct connlimit elements. Having a nft dump as per below: table ip nftlb { set connlimit-set { type ipv4_addr size 65535 flags dynamic elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 , 173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 } } } The syntax error is shown when loading the ruleset. root# nft -f connlimit.nft connlimit.nft:15997:31-32: Error: syntax error, unexpected ct, expecting comma or '}' elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 , ^^ connlimit.nft:16000:9-22: Error: syntax error, unexpected string 173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 } ^^^^^^^^^^^^^^ After applying this patch a kernel panic is raised running nft_rhash_gc() although no packet reaches the set. The following patch [0] should be used as well: 4d8f9065830e5 ("netfilter: nftables: clone set element expression template") Note that the kernel patch will produce the emptying of the connection tracking, so the restore of the conntrack states should be considered. [0]: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=4d8f9065830e526c83199186c5f56a6514f457d2 Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: replace vlan ether type with 8021qFlorian Westphal2021-04-0315-35/+34
| | | | | | | | | | | | | Previous patches added "8021ad" mnemonic for IEEE 802.1AD frame type. This adds the 8021q shorthand for the existing 'vlan' frame type. nft will continue to recognize 'ether type vlan', but listing will now print 8021q. Adjust all test cases accordingly. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add 8021.AD vlan test casesFlorian Westphal2021-04-035-0/+450
| | | | | | | Check nft doesn't remove the explicit '8021ad' type check and that the expected dependency chains are generated. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: fix scope closure of COUNTER tokenFlorian Westphal2021-03-254-0/+96
| | | | | | | | | It is closed after allocation, which is too early: this stopped 'packets' and 'bytes' from getting parsed correctly. Also add a test case for this. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: fix 0025empty_dynset_0Pablo Neira Ayuso2021-03-241-1/+1
| | | | | | | | Use bash, otherwise it reports here: testcases/nft-f/0025empty_dynset_0: 22: Syntax error: redirection unexpected Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: flowtable add after delete in batchPablo Neira Ayuso2021-03-242-0/+63
| | | | | | Check for bogus EEXIST and EBUSY errors. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: release single element already contained in an intervalPablo Neira Ayuso2021-03-242-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | Before this patch: table ip x { chain y { ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1 } } } results in: table ip x { chain y { ip saddr { 1.1.1.1 } } } due to incorrect interval merge logic. If the element 1.1.1.1 is already contained in an existing interval 1.1.1.1-1.1.1.2, release it. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1512 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix for missing JSON equivalent in any/ct.t.jsonPhil Sutter2021-03-091-0/+15
| | | | | | | JSON equivalent for recently added test of the '!' shortcut was missing. Fixes: e6c32b2fa0b82 ("src: add negation match on singleton bitmask value") Signed-off-by: Phil Sutter <phil@nwl.cc>
* mnl: Set NFTNL_SET_DATA_TYPE before dumping set elementsPhil Sutter2021-03-0917-148/+148
| | | | | | | | In combination with libnftnl's commit "set_elem: Fix printing of verdict map elements", This adds the vmap target to netlink dumps. Adjust dumps in tests/py accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Adjust payloads for fixed nat statement dumpsPhil Sutter2021-03-0910-31/+31
| | | | | | Libnftnl no longer dumps unused regs, so drop those. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: allow use of 'verdict' in typeof definitionsFlorian Westphal2021-02-222-0/+8
| | | | | | | | | | | | | | | 'verdict' cannot be used as part of a map typeof-based key definition, its a datatype and not an expression, e.g.: typeof iifname . ip protocol . th dport : verdic ... will fail. Make the parser convert a 'verdict' symbol to a verdict expression and allow to store its presence as part of the typeof key definition. Reported-by: Frank Myhr <fmyhr@fhmtech.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: extend dtype test case to cover expression with integer typeFlorian Westphal2021-02-162-2/+83
| | | | | | | | | ... nft doesn't handle this correctly at the moment: they are added as network byte order (invalid byte order). ct zone has integer_type, the byte order has to be taken from the expression. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: extend 0025empty_dynset_0 to cover multi-statement supportPablo Neira Ayuso2021-02-092-0/+12
| | | | | | Add a test to cover multi-statement support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add negation match on singleton bitmask valuePablo Neira Ayuso2021-02-052-0/+7
| | | | | | | | | | | | | | | | | This patch provides a shortcut for: ct status and dnat == 0 which allows to check for the packet whose dnat bit is unset: # nft add rule x y ct status ! dnat counter This operation is only available for expression with a bitmask basetype, eg. # nft describe ct status ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add empty dynamic setFlorian Westphal2021-02-052-0/+28
| | | | | | nft crashes on restore. Signed-off-by: Florian Westphal <fw@strlen.de>
* testcases: move two dump files to correct locationFlorian Westphal2021-02-052-0/+0
| | | | | | | The test cases were moved but the dumps remained in the old location. Fixes: eb14363d44cea5 ("tests: shell: move chain priority and policy to chain folder") Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: Add a test sanitizer and fix its findingsPhil Sutter2021-02-0439-780/+160
| | | | | | | | | | | | | | | | This is just basic housekeeping: - Remove duplicate tests in any of the *.t files - Remove explicit output if equal to command itself in *.t files - Remove duplicate payload records in any of the *.t.payload* files - Remove stale payload records (for which no commands exist in the respective *.t file - Remove duplicate/stale entries in any of the *.t.json files In some cases, tests were added instead of removing a stale payload record if it fit nicely into the sequence of tests. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Write dissenting payload into the right filePhil Sutter2021-02-041-1/+4
| | | | | | | | | | | | The testsuite supports diverging payloads depending on table family. This is necessary since for some families, dependency matches are created. If a payload mismatch happens, record it into a "got"-file which matches the family-specific payload file, not the common one. This eases use of diff-tools a lot as the extra other families' payloads confuse the tools. Signed-off-by: Phil Sutter <phil@nwl.cc>
* json: Do not abbreviate reject statement objectPhil Sutter2021-02-034-112/+47
| | | | | | | | | No need to reduce output size, also this way output is more predictable. While being at it, drop some pointless chunks from tests/py/bridge/reject.t.json.output. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: add icmp/6 test where dependency should be left aloneFlorian Westphal2021-02-016-0/+73
| | | | | | These tests fail: nft should leave the type as-is. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: limit: Always include burst valuePhil Sutter2021-01-271-0/+277
| | | | | | The default burst value is non-zero, so JSON output should include it. Signed-off-by: Phil Sutter <phil@nwl.cc>
* reject: Unify inet, netdev and bridge delinearizationPhil Sutter2021-01-275-196/+292
| | | | | | | | | | | | | | Postprocessing for inet family did not attempt to kill any existing payload dependency, although it is perfectly fine to do so. The mere culprit is to not abbreviate default code rejects as that would drop needed protocol info as a side-effect. Since postprocessing is then almost identical to that of bridge and netdev families, merge them. While being at it, extend tests/py/netdev/reject.t by a few more tests taken from inet/reject.t so this covers icmpx rejects as well. Cc: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
* reject: Fix for missing dependencies in netdev familyPhil Sutter2021-01-273-21/+184
| | | | | | | | | | | | | | | Like with bridge family, rejecting with either icmp or icmpv6 must create a dependency match on meta protocol. Upon delinearization, treat netdev reject identical to bridge as well so no family info is lost. This makes reject statement in netdev family fully symmetric so fix the tests in tests/py/netdev/reject.t, adjust the related payload dumps and add JSON equivalents which were missing altogether. Fixes: 0c42a1f2a0cc5 ("evaluate: add netdev support for reject default") Fixes: a51a0bec1f698 ("tests: py: add netdev folder and reject.t icmp cases") Cc: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: monitor: use correct $nft value in EXIT trapŠtěpán Němec2021-01-271-1/+1
| | | | | | | | | | With double quotes, $nft was being expanded to the default value even in presence of the -H option. Signed-off-by: Štěpán Němec <snemec@redhat.com> Helped-by: Tomáš Doležal <todoleza@redhat.com> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: evaluate: reset context maxlen value before prio evaluationFlorian Westphal2021-01-262-0/+24
| | | | | | | | | | unshare -n tests/shell/run-tests.sh tests/shell/testcases/nft-f/0024priority_0 W: [FAILED] tests/shell/testcases/nft-f/0024priority_0: got 1 /dev/stdin:8:47-49: Error: Value 100 exceeds valid range 0-15 type filter hook postrouting priority 100 Reported-by: Andreas Schultz <andreas.schultz@travelping.com Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: remove tcp dependency for tcp option matchingFlorian Westphal2021-01-261-60/+0
| | | | | | Kernel won't search for tcp options in non-tcp packets. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: ct: add missing test inputFlorian Westphal2021-01-261-0/+79
| | | | | | | ERROR: did not find JSON equivalent for rule 'meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }' ERROR: did not find JSON equivalent for rule 'ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }' Signed-off-by: Florian Westphal <fw@strlen.de>
* json: icmp: move expected parts to json.outputFlorian Westphal2021-01-262-109/+98
| | | | | | | | | | | | Phil Sutter says: In general, *.t.json files should contain JSON equivalents for rules as they are *input* into nft. So we want them to be as close to the introductory standard syntax comment as possible. Undo earlier change and place the expected dependency added by nft internals to json.output rather than icmp.t.json. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: disallow ct original {s,d}ddr from concatenationsPablo Neira Ayuso2021-01-252-0/+23
| | | | | | | | | | | | | | | | Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from maps") to cover concatenations too. Error: specify either ip or ip6 for address matching add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 } ^^^^^^^^^^^^^^^^^ The old syntax for ct original saddr without either ip or ip6 results in unknown key size, which breaks the listing. The old syntax is only allowed in simple rules for backward compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: icmp: refresh json outputFlorian Westphal2021-01-211-80/+568
| | | | | | | nft inserts dependencies for icmp header types, but I forgot to update the json test files to reflect this change. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: ct: add missing ruleFlorian Westphal2021-01-211-0/+30
| | | | | | ERROR: did not find JSON equivalent for rule 'meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }' Signed-off-by: Florian Westphal <fw@strlen.de>
* json: fix icmpv6.t test casesFlorian Westphal2021-01-212-16/+597
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: disallow ct original {s,d}ddr from mapsPablo Neira Ayuso2021-01-152-0/+12
| | | | | | | | | test.nft:6:55-71: Error: specify either ip or ip6 for address matching add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 } ^^^^^^^^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: add libedit supportPablo Neira Ayuso2021-01-051-1/+1
| | | | | | | | Extend cli to support for libedit readline shim code: ./configure --with-cli=editline Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: set element multi-statement supportPablo Neira Ayuso2020-12-184-0/+93
| | | | | | | | | This patch adds two tests to add multistatement support: - Dynamic set updates from packet path. - Set that is updated from the control plane. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: disallow burst 0 in ratelimitsPablo Neira Ayuso2020-12-181-22/+22
| | | | | | | | | | | | The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst. Update the byte rate limiter not to print burst 5 (default value). Update tests/py payloads to print burst 5 instead of zero when the burst is unspecified. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Fix for changed concatenated ranges outputPhil Sutter2020-12-153-3/+3
| | | | | | | Payload didn't change but libnftnl was fixed to print the key_end data reg of concat-range elements, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: icmp, icmpv6: check we don't add second dependencyFlorian Westphal2020-12-094-0/+23
| | | | | | If dependency is already fulfilled, do not add another one. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ip: add one test case to cover both id and sequenceFlorian Westphal2020-12-092-0/+14
| | | | | | | | | These are two 2-byte matches, so nft will merge the accesses to a single 4-byte load+compare. Check this is properly demangled. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: icmp, icmpv6: avoid remaining warningsFlorian Westphal2020-12-092-42/+34
| | | | | | | | | In case of id/sequence, both 'reply' and 'request' are valid types. nft currently does not remove dependencies that don't have a fixed rhs constant. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix exepcted payload of icmpv6 expressionsFlorian Westphal2020-12-091-10/+97
| | | | | | nft will now auto-insert a icmpv6 type match. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix exepcted payload of icmp expressionsFlorian Westphal2020-12-091-1/+130
| | | | | | after previous change nft will insert explicit icmp type match. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: timeouts later than 23 daysPablo Neira Ayuso2020-12-082-0/+29
| | | | | | | Test timeout later than 23 days in set definitions and dynamic set insertions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>