From d196dccf1853039656f15c8da94ad349a3b7d07c Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Tue, 8 May 2018 13:08:45 +0200 Subject: tests/py: Support testing JSON input and output as well This extends nft-test.py by optional JSON testing capabilities, activated via '-j'/'--enable-json' parameter). JSON testing happens for all rules which are supposed to work: After a rule has been added and the existing tests (payload, ruleset listing output) have been performed, basically the same test is done again using a recorded JSON equivalent and (if necessary) a recorded listing output. The code tries to ease new test case creation overhead by auto-generating JSON equivalent input via listing the (non-JSON) rule in JSON format. Also, differing netlink debug and listing output are stored in *.got files to assist in analyzing/fixing failing test cases. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- tests/py/bridge/ether.t.json | 180 ++++++++++++++ tests/py/bridge/ether.t.json.output | 77 ++++++ tests/py/bridge/icmpX.t.json | 82 ++++++ tests/py/bridge/icmpX.t.json.output | 52 ++++ tests/py/bridge/meta.t.json | 23 ++ tests/py/bridge/reject.t.json | 221 +++++++++++++++++ tests/py/bridge/reject.t.json.output | 260 +++++++++++++++++++ tests/py/bridge/vlan.t.json | 468 +++++++++++++++++++++++++++++++++++ 8 files changed, 1363 insertions(+) create mode 100644 tests/py/bridge/ether.t.json create mode 100644 tests/py/bridge/ether.t.json.output create mode 100644 tests/py/bridge/icmpX.t.json create mode 100644 tests/py/bridge/icmpX.t.json.output create mode 100644 tests/py/bridge/meta.t.json create mode 100644 tests/py/bridge/reject.t.json create mode 100644 tests/py/bridge/reject.t.json.output create mode 100644 tests/py/bridge/vlan.t.json (limited to 'tests/py/bridge') diff --git a/tests/py/bridge/ether.t.json b/tests/py/bridge/ether.t.json new file mode 100644 index 00000000..89cd128c --- /dev/null +++ b/tests/py/bridge/ether.t.json @@ -0,0 +1,180 @@ +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "name": "tcp" + } + }, + "right": 22 + } + }, + { + "match": { + "left": { + "meta": "iiftype" + }, + "right": "ether" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "name": "ip" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ether" + } + }, + "right": "00:0f:54:0c:11:04" + } + }, + { + "accept": null + } +] + +# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "name": "tcp" + } + }, + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "name": "ip" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ether" + } + }, + "right": "00:0f:54:0c:11:04" + } + } +] + +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "name": "tcp" + } + }, + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ether" + } + }, + "right": "00:0f:54:0c:11:04" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "name": "ip" + } + }, + "right": "1.2.3.4" + } + } +] + +# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ether" + } + }, + "right": "00:0f:54:0c:11:04" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "name": "ip" + } + }, + "right": "1.2.3.4" + } + }, + { + "accept": null + } +] + +# ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "name": "ether" + } + }, + "right": "00:01:02:03:04:05" + } + }, + { + "mangle": { + "left": { + "payload": { + "field": "saddr", + "name": "ether" + } + }, + "right": "ff:fe:dc:ba:98:76" + } + }, + { + "drop": null + } +] + diff --git a/tests/py/bridge/ether.t.json.output b/tests/py/bridge/ether.t.json.output new file mode 100644 index 00000000..f68748cb --- /dev/null +++ b/tests/py/bridge/ether.t.json.output @@ -0,0 +1,77 @@ +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "name": "tcp" + } + }, + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ether" + } + }, + "right": "00:0f:54:0c:11:04" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "name": "ip" + } + }, + "right": "1.2.3.4" + } + }, + { + "accept": null + } +] + +# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "name": "tcp" + } + }, + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ether" + } + }, + "right": "00:0f:54:0c:11:04" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "name": "ip" + } + }, + "right": "1.2.3.4" + } + } +] + diff --git a/tests/py/bridge/icmpX.t.json b/tests/py/bridge/icmpX.t.json new file mode 100644 index 00000000..77638825 --- /dev/null +++ b/tests/py/bridge/icmpX.t.json @@ -0,0 +1,82 @@ +# ip protocol icmp icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "name": "ip" + } + }, + "right": "icmp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "icmp" + } + }, + "right": "echo-request" + } + } +] + +# icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "icmp" + } + }, + "right": "echo-request" + } + } +] + +# ip6 nexthdr icmpv6 icmpv6 type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "nexthdr", + "name": "ip6" + } + }, + "right": "icmpv6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "icmpv6" + } + }, + "right": "echo-request" + } + } +] + +# icmpv6 type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "icmpv6" + } + }, + "right": "echo-request" + } + } +] + diff --git a/tests/py/bridge/icmpX.t.json.output b/tests/py/bridge/icmpX.t.json.output new file mode 100644 index 00000000..e2695750 --- /dev/null +++ b/tests/py/bridge/icmpX.t.json.output @@ -0,0 +1,52 @@ +# ip protocol icmp icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "name": "ip" + } + }, + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "icmp" + } + }, + "right": "echo-request" + } + } +] + +# ip6 nexthdr icmpv6 icmpv6 type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "nexthdr", + "name": "ip6" + } + }, + "right": 58 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "icmpv6" + } + }, + "right": "echo-request" + } + } +] + diff --git a/tests/py/bridge/meta.t.json b/tests/py/bridge/meta.t.json new file mode 100644 index 00000000..dad5c6e1 --- /dev/null +++ b/tests/py/bridge/meta.t.json @@ -0,0 +1,23 @@ +# meta obrname "br0" +[ + { + "match": { + "left": { + "meta": "obrname" + }, + "right": "br0" + } + } +] + +# meta ibrname "br0" +[ + { + "match": { + "left": { + "meta": "ibrname" + }, + "right": "br0" + } + } +] diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json new file mode 100644 index 00000000..aa716f80 --- /dev/null +++ b/tests/py/bridge/reject.t.json @@ -0,0 +1,221 @@ +# reject with icmp type host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp type net-unreachable +[ + { + "reject": { + "expr": "net-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp type prot-unreachable +[ + { + "reject": { + "expr": "prot-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp type port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp type net-prohibited +[ + { + "reject": { + "expr": "net-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp type host-prohibited +[ + { + "reject": { + "expr": "host-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp type admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmp" + } + } +] + +# reject with icmpv6 type no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 type admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 type addr-unreachable +[ + { + "reject": { + "expr": "addr-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 type port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] + +# mark 12345 ip protocol tcp reject with tcp reset +[ + { + "match": { + "left": { + "meta": "mark" + }, + "right": 12345 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "name": "ip" + } + }, + "right": "tcp" + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + +# reject +[ + { + "reject": null + } +] + +# ether type ip reject +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip" + } + }, + { + "reject": null + } +] + +# ether type ip6 reject +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip6" + } + }, + { + "reject": null + } +] + +# reject with icmpx type host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmpx" + } + } +] + +# reject with icmpx type no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpx" + } + } +] + +# reject with icmpx type admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# reject with icmpx type port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } + } +] + diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output new file mode 100644 index 00000000..6effd179 --- /dev/null +++ b/tests/py/bridge/reject.t.json.output @@ -0,0 +1,260 @@ +# reject with icmp type host-unreachable +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip" + } + }, + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp type net-unreachable +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip" + } + }, + { + "reject": { + "expr": "net-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp type prot-unreachable +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip" + } + }, + { + "reject": { + "expr": "prot-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp type port-unreachable +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip" + } + }, + { + "reject": null + } +] + +# reject with icmp type net-prohibited +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip" + } + }, + { + "reject": { + "expr": "net-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp type host-prohibited +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip" + } + }, + { + "reject": { + "expr": "host-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp type admin-prohibited +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmp" + } + } +] + +# reject with icmpv6 type no-route +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip6" + } + }, + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 type admin-prohibited +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip6" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 type addr-unreachable +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip6" + } + }, + { + "reject": { + "expr": "addr-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 type port-unreachable +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "name": "ether" + } + }, + "right": "ip6" + } + }, + { + "reject": null + } +] + +# mark 12345 ip protocol tcp reject with tcp reset +[ + { + "match": { + "left": { + "meta": "mark" + }, + "right": 12345 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "name": "ip" + } + }, + "right": 6 + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + +# reject with icmpx type port-unreachable +[ + { + "reject": null + } +] + diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json new file mode 100644 index 00000000..b57deca7 --- /dev/null +++ b/tests/py/bridge/vlan.t.json @@ -0,0 +1,468 @@ +# vlan id 4094 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + } +] + +# vlan id 0 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 0 + } + } +] + +# vlan id 4094 vlan cfi 0 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "cfi", + "name": "vlan" + } + }, + "right": 0 + } + } +] + +# vlan id 4094 vlan cfi != 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "cfi", + "name": "vlan" + } + }, + "op": "!=", + "right": 1 + } + } +] + +# vlan id 4094 vlan cfi 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "cfi", + "name": "vlan" + } + }, + "right": 1 + } + } +] + +# vlan id 4094 vlan cfi 1 vlan pcp 7 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "cfi", + "name": "vlan" + } + }, + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "pcp", + "name": "vlan" + } + }, + "right": 7 + } + } +] + +# vlan id 4094 vlan cfi 1 vlan pcp 3 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "cfi", + "name": "vlan" + } + }, + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "pcp", + "name": "vlan" + } + }, + "right": 3 + } + } +] + +# ether type vlan vlan id 4094 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + } +] + +# ether type vlan vlan id 0 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 0 + } + } +] + +# ether type vlan vlan id 4094 vlan cfi 0 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "cfi", + "name": "vlan" + } + }, + "right": 0 + } + } +] + +# ether type vlan vlan id 4094 vlan cfi 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "cfi", + "name": "vlan" + } + }, + "right": 1 + } + } +] + +# vlan id 4094 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "name": "tcp" + } + }, + "right": 22 + } + } +] + +# vlan id 1 ip saddr 10.0.0.1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ip" + } + }, + "right": "10.0.0.1" + } + } +] + +# vlan id 1 ip saddr 10.0.0.0/23 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ip" + } + }, + "right": { + "prefix": { + "addr": "10.0.0.0", + "len": 23 + } + } + } + } +] + +# vlan id 1 ip saddr 10.0.0.0/23 udp dport 53 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ip" + } + }, + "right": { + "prefix": { + "addr": "10.0.0.0", + "len": 23 + } + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "name": "udp" + } + }, + "right": 53 + } + } +] + +# ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "name": "ip" + } + }, + "right": { + "prefix": { + "addr": "10.0.0.0", + "len": 23 + } + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "name": "udp" + } + }, + "right": 53 + } + } +] + +# vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "name": "vlan" + } + }, + "right": { + "set": [ + 1, + 2, + 4, + 100, + 4095 + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "pcp", + "name": "vlan" + } + }, + "right": { + "range": [ 1, 3 ] + } + } + } +] + -- cgit v1.2.3