summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* tests: py: Actually use all available hooks in bridge/chains.tHEADmasterStefano Brivio18 hours1-2/+2
| | | | | | | | | | Despite being explicitly mentioned as available, prerouting and postrouting hooks are not used, filter-pre and filter-post chains are both built to hook on input. Fixes: 25851df85e85 ("tests: regression: revisit chain tests") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Fix get element command with prefixesPhil Sutter2020-05-041-18/+44
| | | | | | | | | | | | Code wasn't aware of prefix elements in interval sets. With previous changes in place, they merely need to be accepted in get_set_interval_find() - value comparison and expression duplication is identical to ranges. Extend sets/0034get_element_0 test to cover prefixes as well. While being at it, also cover concatenated ranges. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: dump generated use new nft toolMichael Braun2020-05-011-1/+1
| | | | | | | | | | | Instead of using an (possibly outdated) system nft to generate dumps, use the newly build tool. This fixes the dump output being corrupted if the system tool does not support parsing new features. Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: Add support for the 'id' keyBrett Mastbergen2020-05-012-0/+7
| | | | | | | | | The 'id' key allows for matching on the id of the conntrack entry. v2: Remove ct_id_type Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: transform range to prefix expression when possiblePablo Neira Ayuso2020-04-301-2/+2
| | | | | | | This patch transform a range of IP addresses to prefix when listing the ruleset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: incorrect byteorder with typeof and integer_datatypePablo Neira Ayuso2020-04-292-0/+10
| | | | | | | | | | | | | | | | | | | | table bridge t { set s3 { typeof meta ibrpvid elements = { 2, 3, 103 } } } # nft --debug=netlink -f test.nft s3 t 0 s3 t 0 element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end] ^^^^^^^^ The integer_type uses BYTEORDER_INVALID byteorder (which is implicitly handled as BYTEORDER_BIG_ENDIAN). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add NAT mappings testsPablo Neira Ayuso2020-04-284-0/+53
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: remove range test with service namesPablo Neira Ayuso2020-04-281-1/+0
| | | | | | | Service names printing are not default these days, using service names with ranges is misleading. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: concatenation, netmap and nat mappingsPablo Neira Ayuso2020-04-282-0/+31
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: broken error reporting with mappingsPablo Neira Ayuso2020-04-111-0/+2
| | | | | | | | | | | | | Segfault on error reporting when intervals overlap. ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop } Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1415 Fixes: 4d6ad0f310d6 ("segtree: check for overlapping elements at insertion") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* concat: provide proper dtype when parsing typeof udataFlorian Westphal2020-04-012-0/+14
| | | | | | | | | | | | | | | | Pablo reports following list bug: table ip foo { map whitelist { typeof ip saddr . ip daddr : meta mark elements = { 0x0 [invalid type] . 0x0 [invalid type] : 0x00000001, 0x0 [invalid type] . 0x0 [invalid type] : 0x00000002 } } } Problem is that concat provided 'invalid' dtype. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Introduce test for insertion of overlapping and ↵Stefano Brivio2020-03-261-0/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | non-overlapping ranges Insertion of overlapping ranges should return success only if the new elements are identical to existing ones, or, for concatenated ranges, if the new element is less specific (in all its fields) than any existing one. Note that, in case the range is identical to an existing one, insertion won't actually be performed, but no error will be returned either on 'add element'. This was inspired by a failing case reported by Phil Sutter (where concatenated overlapping ranges would fail insertion silently) and is fixed by kernel series with subject: nftables: Consistently report partial and entire set overlaps With that series, these tests now pass also if the call to set_overlap() on insertion is skipped. Partial or entire overlapping was already detected by the kernel for concatenated ranges (nft_set_pipapo) from the beginning, and that series makes the nft_set_rbtree implementation consistent in terms of detection and reporting. Without that, overlap checks are performed by nft but not guaranteed by the kernel. However, we can't just drop set_overlap() now, as we need to preserve compatibility with older kernels. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update nat expressions payload to include proto flagsPablo Neira Ayuso2020-03-208-29/+29
| | | | | | | Update tests according to 6c84577b0d23 ("evaluate: add range specified flag setting (missing NF_NAT_RANGE_PROTO_SPECIFIED)") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Move tcpopt.t to any/ directoryPhil Sutter2020-03-1013-1528/+649
| | | | | | | Merge tcpopt.t files in ip, ip6 and inet into a common one, they were just marignally different. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Add tests involving concatenated rangesPhil Sutter2020-03-105-0/+77
| | | | | | | | | | | | | | | Very basic testing, just a set definition, a rule which references it and another one with an anonymous set. Sadly this is already enough to expose some pending issues: * Payload dependency killing ignores the concatenated IP header expressions on LHS, so rule output is asymmetric. * Anonymous sets don't accept concatenated ranges yet, so the second rule is manually disabled for now. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Fix JSON output for changed timezonePhil Sutter2020-03-101-1/+1
| | | | | | | | When setting a fixed timezone, JSON expected output for one (known) asymmetric rule was left out by accident. Fixes: 7e326d697ecf4 ("tests/py: Set a fixed timezone in nft-test.py") Signed-off-by: Phil Sutter <phil@nwl.cc>
* evaluate: no need to swap byte-order for values of fewer than 16 bits.Jeremy Sowden2020-03-041-4/+0
| | | | | | | | | Endianness is not meaningful for objects smaller than 2 bytes and the byte-order conversions are no-ops in the kernel, so just update the expression as if it were constant. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: update nat_addr_port with typeof+concat mapsFlorian Westphal2020-02-262-0/+80
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: adjust tests to new nat concatenation syntaxPablo Neira Ayuso2020-02-242-16/+16
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nat: add and use maps with both address and serviceFlorian Westphal2020-02-242-0/+160
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add initial nat map testFlorian Westphal2020-02-242-0/+96
| | | | | | | | | | | Will be extended to cover upcoming 'dnat to ip saddr . tcp dport map { \ 1.2.3.4 . 80 : 5.6.7.8 : 8080, 2.2.3.4 . 80 : 7.6.7.8 : 1234, ... Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: avoid spurious failure when running in host namespaceFlorian Westphal2020-02-222-2/+2
| | | | | | | | | | Dump validation may fail: - tcp dport { 22, 23 } counter packets 0 bytes 0 + tcp dport { 22, 23 } counter packets 9 bytes 3400 ... which is normal on host namespace. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: 0034get_element_0: do not discard stderrFlorian Westphal2020-02-221-1/+1
| | | | | | | | | | run_tests.sh alreadty discards stderr by default, but will show it in case the test script is run directly (passed as argument). Discarding stderr also in the script prevents one from seeing BUG() assertions and the like. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: Introduce test for set with concatenated rangesStefano Brivio2020-02-191-0/+180
| | | | | | | | | | | | | | | | | | | | | | | | | | | This test checks that set elements can be added, deleted, that addition and deletion are refused when appropriate, that entries time out properly, and that they can be fetched by matching values in the given ranges. v5: - speed this up by performing the timeout test for one single permutation (Phil Sutter), by decreasing the number of permutations from 96 to 12 if this is invoked by run-tests.sh (Pablo Neira Ayuso) and by combining some commands into single nft calls where possible: with dash 0.5.8 on AMD Epyc 7351 the test now takes 1.8s instead of 82.5s - renumber test to 0043, 0042 was added meanwhile v4: No changes v3: - renumber test to 0042, 0041 was added meanwhile v2: - actually check an IPv6 prefix, instead of specifying everything as explicit ranges in ELEMS_ipv6_addr - renumber test to 0041, 0038 already exists Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: maps: update data expression dtype based on setFlorian Westphal2020-02-132-0/+49
| | | | | | | | | | | What we want: - update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 } what we got: + update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2000000 [invalid type] } Reported-by: Serguei Bezverkhi <sbezverk@gmail.com> Close: https://bugzilla.netfilter.org/show_bug.cgi?id=1405 Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: validate error reporting with include and globPablo Neira Ayuso2020-02-132-0/+97
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add test for glob includesLaurent Fasnacht2020-02-131-0/+39
| | | | | | | | | Including more than MAX_INCLUDE_DEPTH file in one statement should succeed. This reproduces bug #1243. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add bit-shift tests.Jeremy Sowden2020-02-076-0/+79
| | | | | | | | Add a couple of Python test-cases for setting the CT mark to a bitwise expression derived from the packet mark and vice versa. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add missing JSON output.Jeremy Sowden2020-02-073-0/+93
| | | | | | | The JSON output was missing for some existing tests. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add bit-shift tests.Jeremy Sowden2020-02-074-0/+34
| | | | | | | | Add a couple of shell test-cases for setting the CT mark to a bitwise expression derived from the packet mark and vice versa. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Support testing host binariesPhil Sutter2020-02-071-4/+18
| | | | | | | Support -H/--host option to use host's libnftables.so.1. Alternatively users may specify a custom library path via -l/--library option. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: monitor: Support testing host's nft binaryPhil Sutter2020-02-071-0/+4
| | | | | | | Add support for -H/--host flag to use 'nft' tool from $PATH instead of the local one. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: json_echo: Support testing host binariesPhil Sutter2020-02-071-4/+19
| | | | | | | Support -H/--host option to use host's libnftables.so.1. Alternatively users may specify a custom library path via -l/--library option. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: json_echo: Fix for Python3Phil Sutter2020-02-071-1/+1
| | | | | | | | The keys() method returns an object which does not support indexing, so convert it to a list prior to doing so. Fixes: a35e3a0cdc63a ("tests: json_echo: convert to py3") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: update list of rmmod modulesPablo Neira Ayuso2020-01-221-2/+2
| | | | | | | * Missing nft_fib_inet. * nft_chain_nat_ipv4 and nft_chain_nat_ipv6 became nft_chain_nat. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: set lookup and set updatePablo Neira Ayuso2020-01-221-0/+21
| | | | | | A simple test to cover set lookup and update in one rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: Fix for doubled output after reset commandPhil Sutter2020-01-161-1/+11
| | | | | | | | | | | | | | | Reset command causes a dump of the objects to reset and adds those to cache. Yet it ignored if the object in question was already there and up to now CMD_RESET was flagged as NFT_CACHE_FULL. Tackle this from two angles: First, reduce cache requirements of reset command to the necessary bits which is table cache. This alone would suffice if there wasn't interactive mode (and other libnftables users): A cache containing the objects to reset might be in place already, so add dumped objects to cache only if they don't exist already. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Search diff tool once and for allPhil Sutter2020-01-1633-75/+46
| | | | | | | | | | | | | | | Instead of calling 'which diff' over and over again, just detect the tool's presence in run-tests.sh and pass $DIFF to each testcase just like with nft binary. Fall back to using 'true' command to avoid the need for any conditional calling in test cases. While being at it, unify potential diff calls so that a string comparison in shell happens irrespective of diff presence. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xfrm: spi is big-endianFlorian Westphal2020-01-141-1/+0
| | | | | | | the kernel stores spi in a __be32, so fix up the byteorder annotation. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Fix output for ranges in anonymous setsPhil Sutter2020-01-131-0/+5
| | | | | | | | | | | | | | | | | | Previous fix for named interval sets was simply wrong: Instead of limiting decomposing to anonymous interval sets, it effectively disabled it entirely. Since code needs to check for both interval and anonymous bits separately, introduce set_is_interval() helper to keep the code readable. Also extend test case to assert ranges in anonymous sets are correctly printed by echo or monitor modes. Without this fix, range boundaries are printed as individual set elements. Fixes: 5d57fa3e99bb9 ("monitor: Do not decompose non-anonymous sets") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: monitor: Support running individual test casesPhil Sutter2020-01-101-2/+7
| | | | | | | | Recognize testcase paths on command line and limit testing on those only. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Do not decompose non-anonymous setsPhil Sutter2020-01-101-0/+20
| | | | | | | | | They have been decomposed already, trying to do that again causes a segfault. This is a similar fix as in commit 8ecb885589591 ("src: restore --echo with anonymous sets"). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete flowtable after flushing chainPablo Neira Ayuso2020-01-051-0/+10
| | | | | | | This patch adds a test to cover delete flowtable after chain flush including two rule references to the flowtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add slave device matchingFlorian Westphal2020-01-034-0/+29
| | | | | | | | Adds "meta sdif" and "meta sdifname". Both only work in input/forward hook of ipv4/ipv6/inet family. Cc: Martin Willi <martin@strongswan.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* main: enforce options before commandsPablo Neira Ayuso2019-12-1810-11/+19
| | | | | | | | | | | | | | | | | This patch turns on POSIXLY_CORRECT on the getopt parser to enforce options before commands. Users get a hint in such a case: # nft list ruleset -a Error: syntax error, options must be specified before commands nft list ruleset -a ^ ~~ This patch recovers 9fc71bc6b602 ("main: Fix for misleading error with negative chain priority"). Tests have been updated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add typeof test casesFlorian Westphal2019-12-174-0/+91
| | | | | | | | Add sets using unspecific string/integer types, one with osf name, other with vlan id. Neither type can be used directly, as they lack the type size information. Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: don't remove nul-root element from interval setPablo Neira Ayuso2019-12-091-0/+25
| | | | | | | | | | | | | Check from the delinearize set element path if the nul-root element already exists in the interval set. Hence, the element insertion path skips the implicit nul-root interval insertion. Under some circunstances, nft bogusly fails to delete the last element of the interval set and to create an element in an existing empty internal set. This patch includes a test that reproduces the issue. Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: fix out-of-bound memory write in include_file()Eric Jallot2019-12-021-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before patch: # echo 'include "/tmp/rules.nft"' > /tmp/rules.nft # nft -f /tmp/rules.nft In file included from /tmp/rules.nft:1:1-25: from /tmp/rules.nft:1:1-25: [snip] from /tmp/rules.nft:1:1-25: /tmp/rules.nft:1:1-25: Error: Include nested too deeply, max 16 levels include "/tmp/rules.nft" ^^^^^^^^^^^^^^^^^^^^^^^^^ double free or corruption (out) Aborted (core dumped) valgrind reports: ==8856== Invalid write of size 8 ==8856== at 0x4E8FCAF: include_file (scanner.l:718) ==8856== by 0x4E8FEF6: include_glob (scanner.l:793) ==8856== by 0x4E9985D: scanner_include_file (scanner.l:875) ==8856== by 0x4E89D7A: nft_parse (parser_bison.y:828) ==8856== by 0x4E765E1: nft_parse_bison_filename (libnftables.c:394) ==8856== by 0x4E765E1: nft_run_cmd_from_filename (libnftables.c:497) ==8856== by 0x40172D: main (main.c:340) So perform bounds checking on MAX_INCLUDE_DEPTH before writing. After patch: # nft -f /tmp/rules.nft In file included from /tmp/rules.nft:1:1-25: from /tmp/rules.nft:1:1-25: [snip] from /tmp/rules.nft:1:1-25: /tmp/rules.nft:1:1-25: Error: Include nested too deeply, max 16 levels include "/tmp/rules.nft" ^^^^^^^^^^^^^^^^^^^^^^^^^ # echo $? 1 Also: Update scanner_push_file() function definition accordingly. Fixes: 32325e3c3fab4 ("libnftables: Store top_scope in struct nft_ctx") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Set a fixed timezone in nft-test.pyPhil Sutter2019-11-293-2/+3
| | | | | | | | | | | | Payload generated for 'meta time' matches depends on host's timezone and DST setting. To produce constant output, set a fixed timezone in nft-test.py. Choose UTC-2 since most payloads are correct then, adjust the remaining two tests. Fixes: 0518ea3f70d8c ("tests: add meta time test cases") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Ander Juaristi <a@juaristi.eus> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: set reference from variable definitionPablo Neira Ayuso2019-11-181-0/+21
| | | | | | | | Allow to define variable using set reference, eg. define x = @z Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>