summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* tests/py: Add a test for failing ipsec after counterPhil Sutter5 hours3-0/+29
| | | | | | | | | | | This is a bug in parser/scanner due to scoping: | Error: syntax error, unexpected string, expecting saddr or daddr | add rule ip ipsec-ip4 ipsec-forw counter ipsec out ip daddr 192.168.1.2 | ^^^^^ Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: fix segfault when adding elements to invalid setPeter Tirsek5 hours1-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding elements to a set or map with an invalid definition causes nft to segfault. The following nftables.conf triggers the crash: flush ruleset create table inet filter set inet filter foo {} add element inet filter foo { foobar } Simply parsing and checking the config will trigger it: $ nft -c -f nftables.conf.crash Segmentation fault The error in the set/map definition is correctly caught and queued, but because the set is invalid and does not contain a key type, adding to it causes a NULL pointer dereference of set->key within setelem_evaluate(). I don't think it's necessary to queue another error since the underlying problem is correctly detected and reported when parsing the definition of the set. Simply checking the validity of set->key before using it seems to fix it, causing the error in the definition of the set to be reported properly. The element type error isn't caught, but that seems reasonable since the key type is invalid or unknown anyway: $ ./nft -c -f ~/nftables.conf.crash /home/pti/nftables.conf.crash:3:21-21: Error: set definition does not specify key set inet filter foo {} ^ [ Add tests to cover this case --pablo ] Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1597 Signed-off-by: Peter Tirsek <peter@tirsek.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: check for EXPR_F_REMOVE in case of element mismatchPablo Neira Ayuso4 days1-2/+18
| | | | | | | | If auto-merge is disable and element to be deleted finds no exact matching, then bail out. Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: fix crash when trying to remove element in empty setPablo Neira Ayuso4 days1-0/+14
| | | | | | | The set deletion routine expects an initialized set, otherwise it crashes. Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: release top level scopePablo Neira Ayuso4 days1-0/+15
| | | | | | | | | | Otherwise bogus variable redefinition are reported via -o/--optimize: redefinition.conf:5:8-21: Error: redefinition of symbol 'interface_inet' define interface_inet = enp5s0 ^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: assume verdict is same when rules have no verdictPablo Neira Ayuso4 days2-0/+17
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: only merge OP_IMPLICIT and OP_EQ relationalPablo Neira Ayuso4 days2-0/+18
| | | | | | Add test to cover this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: run -c -o on rulesetPablo Neira Ayuso4 days1-0/+168
| | | | | | Just run -o/--optimize on a ruleset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: add unsupported statementPablo Neira Ayuso4 days2-0/+21
| | | | | | | | | | | | | | | | Do not try to merge rules with unsupported statements. This patch adds a dummy unsupported statement which is included in the statement collection and the rule vs statement matrix. When looking for possible rule mergers, rules using unsupported statements are discarded, otherwise bogus rule mergers might occur. Note that __stmt_type_eq() already returns false for unsupported statements. Add a test using meta mark statement, which is not yet supported. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: fix reject statementPablo Neira Ayuso4 days2-0/+22
| | | | | | | | Add missing code to the statement collection routine. Compare reject expressions when available. Add tests/shell. Fixes: fb298877ece2 ("src: add ruleset optimization infrastructure") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: remove comment after mergingPablo Neira Ayuso4 days1-3/+3
| | | | | | | | | Remove rule comment after merging rules, let the user decide if they want to reintroduce the comment in the ruleset file. Update optimizations/merge_stmt test. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: do not merge rules with set reference in rhsPablo Neira Ayuso4 days2-0/+57
| | | | | | | Otherwise set reference ends up included in an anonymous set, as an element, which is not supported. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: do not report exact overlaps for new elementsPablo Neira Ayuso9 days1-0/+22
| | | | | | | | | | | | | | | | | | | | Two new elements that represent an exact overlap should not trigger an error. add table t add set t s { type ipv4_addr; flags interval; } add element t s { 1.0.1.0/24 } ... add element t s { 1.0.1.0/24 } result in a bogus error. # nft -f set.nft set.nft:1002:19-28: Error: conflicting intervals specified add element t s { 1.0.1.0/24 } ^^^^^^^^^^ Fixes: 3da9643fb9ff ("intervals: add support to automerge with kernel elements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: runtime set element automergePablo Neira Ayuso14 days1-0/+64
| | | | | | Add a test to cover runtime set element automerge. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "scanner: flags: move to own scope"Florian Westphal2022-06-101-0/+10
| | | | | | | | | | | | | | | | | | | | | | | Excess nesting of scanner scopes is very fragile and error prone: rule `iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop` fails with `Error: No symbol type information` hinting at `prefix` Problem is that we nest via: counter limit log flags By the time 'prefix' is scanned, state is still stuck in 'counter' due to this nesting. Working around "prefix" isn't enough, any other keyword, e.g. "level" in 'flags all level debug' will be parsed as 'string' too. So, revert this. Fixes: a16697097e2b ("scanner: flags: move to own scope") Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: remove leftover modules on cleanupPablo Neira Ayuso2022-06-021-0/+1
| | | | | | After ./run-tests.sh no nf_tables modules are left in place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reset ctx->set after set interval evaluationPablo Neira Ayuso2022-06-012-0/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Otherwise bogus error reports on set datatype mismatch might occur, such as: Error: datatype mismatch, expected Internet protocol, expression has type IPv4 address meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 ~~~~~~~~~~~~ ^^^^^^^^^^^^ with an unrelated set declaration. table ip test { set set_with_interval { type ipv4_addr flags interval } chain prerouting { type nat hook prerouting priority dstnat; policy accept; meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 } } This bug has been introduced in the evaluation step. Reported-by: Roman Petrov <nwhisper@gmail.com> Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge)" Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: sets_with_ifnames release netns on exitPablo Neira Ayuso2022-06-011-0/+1
| | | | | | | Missing ip netns del call from cleanup() Fixes: d6fdb0d8d482 ("sets_with_ifnames: add test case for concatenated range") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: segfault when releasing unsupported statementPablo Neira Ayuso2022-06-012-0/+12
| | | | | | | | | Call xfree() instead since stmt_alloc() does not initialize the statement type fields. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1609 Fixes: ea1f1c9ff608 ("optimize: memleak in statement matrix") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sets_with_ifnames: add test case for concatenated rangeFlorian Westphal2022-05-092-24/+94
| | | | | | | Refactor existing test case for simple interace name ranges (without concatenations) to also cover "addr . ifname". Signed-off-by: Florian Westphal <fw@strlen.de>
* optimize: merge nat rules with same selectors into mapPablo Neira Ayuso2022-05-032-0/+59
| | | | | | | | | | | | | | | | | | | | | | | Verdict and nat are mutually exclusive, no need to support for this combination. # cat ruleset.nft table ip x { chain y { type nat hook postrouting priority srcnat; policy drop; ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80 ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90 } } # nft -o -c -f ruleset.nft Merging: ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80 ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90 into: snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: incorrect logic in verdict comparisonPablo Neira Ayuso2022-05-031-1/+1
| | | | | | | | Keep inspecting rule verdicts before assuming they are equal. Update existing test to catch this bug. Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add concat test case with integer base type subkeyFlorian Westphal2022-04-184-0/+30
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* intervals: add support to automerge with kernel elementsPablo Neira Ayuso2022-04-132-0/+37
| | | | | | | | | | | | | | | | | | Extend the interval codebase to support for merging elements in the kernel with userspace element updates. Add a list of elements to be purged to cmd and set objects. These elements representing outdated intervals are deleted before adding the updated ranges. This routine splices the list of userspace and kernel elements, then it mergesorts to identify overlapping and contiguous ranges. This splice operation is undone so the set userspace cache remains consistent. Incrementally update the elements in the cache, this allows to remove dd44081d91ce ("segtree: Fix add and delete of element in same batch"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: add support for get element with sets that contain ifnamesFlorian Westphal2022-04-131-1/+20
| | | | | | | | | | | | | | | | nft get element inet filter s { bla, prefixfoo } table inet filter { set s { type ifname flags interval elements = { "prefixfoo*", "bla" } } Also add test cases for this. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add testcases for interface names in setsFlorian Westphal2022-04-132-0/+111
| | | | | | | | | | | | | Add initial test case, sets with names and interfaces, anonymous and named ones. Check match+no-match. netns with ppp1 and ppq veth, send packets via both interfaces. Rule counters should have incremented on the three rules. (that match on set that have "abcdef1" or "abcdef*" strings in them). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Add meta time tests without 'meta' keywordMartin Gignac2022-04-103-0/+52
| | | | | | | | | v1.0.2 of 'nft' fails on 'time < "2022-07-01 11:00:00"' but succeeds when 'meta' is specified ('meta time < "2022-07-01 11:00:00"'). This extends coverage by testing 'time' without 'meta'. Signed-off-by: Martin Gignac <martin.gignac@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Don't colorize output if stderr is redirectedPhil Sutter2022-04-081-1/+1
| | | | | | | | Cover for calls with '2>/tmp/log' and avoid printing escape sequences to that file. One could still keep colored output on stdout, but that required a printing routine for non-errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: monitor: Hide temporary file names from error outputPhil Sutter2022-04-081-2/+2
| | | | | | | | Make error output deterministic by passing input to nft via stdin. This way error messages will contain "/dev/stdin" instead of the temporary file name. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: extend meta time coveragePablo Neira Ayuso2022-04-083-0/+52
| | | | | | Add meta time tests using < and > operands. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add inet/vmap testsPablo Neira Ayuso2022-03-294-0/+222
| | | | | | | Add a few tests with concatenations including raw and integer type expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: Restore optimization for raw payload expressionsPablo Neira Ayuso2022-03-292-0/+63
| | | | | | | | This patch reverts d0f14b5337e7 ("optimize: do not merge raw payload expressions") after adding support for concatenation with variable length TYPE_INTEGER. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use integer type header fields via typeof set declarationPablo Neira Ayuso2022-03-292-0/+47
| | | | | | | | | | | | | | | Header fields such as udp length cannot be used in concatenations because it is using the generic integer_type: test.nft:3:10-19: Error: can not use variable sized data types (integer) in concat expressions typeof udp length . @th,32,32 ^^^^^^^^^^~~~~~~~~~~~~ This patch slightly extends ("src: allow to use typeof of raw expressions in set declaration") to set on NFTNL_UDATA_SET_KEY_PAYLOAD_LEN in userdata if TYPE_INTEGER is used. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use typeof of raw expressions in set declarationPablo Neira Ayuso2022-03-294-0/+60
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use the dynamic datatype to allocate an instance of TYPE_INTEGER and set length and byteorder. Add missing information to the set userdata area for raw payload expressions which allows to rebuild the set typeof from the listing path. A few examples: - With anonymous sets: nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } - With named sets: table x { set y { typeof ip saddr . @ih,32,32 elements = { 1.1.1.1 . 0x14 } } } Incremental updates are also supported, eg. nft add element x y { 3.3.3.3 . 0x28 } expr_evaluate_concat() is used to evaluate both set key definitions and set key values, using two different function might help to simplify this code in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: typeof verdict needs verdict datatypePablo Neira Ayuso2022-03-292-0/+6
| | | | | | | | | | | | | | | | | Otherwise listing breaks showing [invalid type] notice. # nft list ruleset table inet x { map y { typeof ip saddr : verdict elements = { 1.1.1.1 : 0x1010101 [invalid type] } } } Update tests to cover this usecase. Fixes: 4ab1e5e60779 ("src: allow use of 'verdict' in typeof definitions") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: copy field_count for anonymous object maps as wellFlorian Westphal2022-03-212-0/+22
| | | | | | | | | | without this test fails with: W: [FAILED] tests/shell/testcases/maps/anon_objmap_concat: got 134 BUG: invalid range expression type concat nft: expression.c:1452: range_expr_value_low: Assertion `0' failed. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: init cmd pointer for new on-stack contextFlorian Westphal2022-03-041-0/+6
| | | | | | | else, this will segfault when trying to print the "table 'x' doesn't exist" error message. Signed-off-by: Florian Westphal <fw@strlen.de>
* optimize: do not assume log prefixPablo Neira Ayuso2022-03-042-0/+2
| | | | | | ... log prefix might not be present in log statements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: more robust statement merge with vmapPablo Neira Ayuso2022-03-032-1/+2
| | | | | | | | | | | | | | Check expressions that are expected on the rhs rather than using a catch-all default case. Actually, lists and sets need to be their own routine, because this needs the set element key expression to be merged. This is a follow up to 99eb46969f3d ("optimize: fix vmap with anonymous sets"). Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: fix vmap with anonymous setsPablo Neira Ayuso2022-03-032-0/+8
| | | | | | | | | | | | | | | | The following example ruleset crashes: table inet a { chain b { tcp dport { 1 } accept tcp dport 2-3 drop } } because handling for EXPR_SET is missing. Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add tcp option reset supportFlorian Westphal2022-02-283-0/+53
| | | | | | | This allows to replace a tcp option with nops, similar to the TCPOPTSTRIP feature of iptables. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add test case for flowtable with owner flagFlorian Westphal2022-02-221-0/+22
| | | | | | | | | | | | | | | BUG: KASAN: use-after-free in nf_hook_entries_grow+0x675/0x980 Read of size 4 at ... nft/19662 nf_hook_entries_grow+0x675/0x980 This is fixed by kernel commit 6069da443bf ("netfilter: nf_tables: unregister flowtable hooks on netns exit"). The test case here uses owner flag, netlink event handler doesn't release the flowtable, next attempt to add one then causes uaf because of dangling ingress hook reference. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: Test connlimit statementPhil Sutter2022-02-203-0/+30
| | | | | | This wasn't covered at all. Signed-off-by: Phil Sutter <phil@nwl.cc>
* optimize: merge verdict maps with same lookup keyPablo Neira Ayuso2022-01-262-0/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Merge two consecutive verdict maps with the same lookup key. For instance, merge the following: table inet x { chain filter_in_tcp { tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 931 : accept, 5001 : accept, 5201 : accept, } tcp dport vmap { 6800-6999 : accept, 33434-33499 : accept, } } } into: table inet x { chain filter_in_tcp { tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 931 : accept, 5001 : accept, 5201 : accept, 6800-6999 : accept, 33434-33499 : accept, } } } This patch updates statement comparison routine to inspect the verdict expression type to detect possible merger. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing synproxy support in map declarationsPablo Neira Ayuso2022-01-192-0/+33
| | | | | | | Update parser to allow for maps with synproxy. Fixes: f44ab88b1088 ("src: add synproxy stateful object support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: remove redundant payload expressionsJeremy Sowden2022-01-152-5/+5
| | | | | | | | Now that we keep track of more payload dependencies, more redundant payloads are eliminated. Remove these from the shell test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: remove redundant payload expressionsJeremy Sowden2022-01-153-21/+1
| | | | | | | | Now that we keep track of more payload dependencies, more redundant payloads are eliminated. Remove these from the Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/ip.t bridge payloadJeremy Sowden2022-01-151-1/+1
| | | | | | | | | | | | Correct the statement used to load the protocol in the bridge payload of one of the ip tests. A previous commit was supposed, in part, to do this, but the update got lost. Fixes: 4b8e51ea5fc8 ("tests: py: fix inet/ip.t payloads") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: 'nft list chain' prints anonymous chains correctlyPablo Neira Ayuso2022-01-151-0/+19
| | | | | | | | | If the user is requesting a chain listing, e.g. nft list chain x y and a rule refers to an anonymous chain that cannot be found in the cache, then fetch such anonymous chain and its ruleset. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1577 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merge several selectors with different verdict into verdict mapPablo Neira Ayuso2022-01-152-0/+18
| | | | | | | | | | | | | Transform: ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop into: ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>