* [v3 nft 0/7] tests: Automated regression testing
@ 2014-09-18 10:39 Ana Rey
2014-09-18 10:39 ` [v3 nft 1/7] tests: Add automated " Ana Rey
` (7 more replies)
0 siblings, 8 replies; 9+ messages in thread
From: Ana Rey @ 2014-09-18 10:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
This is a new version of the automated regression testing of nftables.
There is no infrastructure to allow us to check all options/features in
nft. So, if anyone sends a patch, we cannot check if it breaks something.
I send in this patchset the nftables automated regression tests. It
contains a python script (nft-add.py) and a set of test files.
This allow us to check the input of rules of nft-tool from the
command-line and the output from nft-tool of this rule. Then, it
compares if the rule input matches the rule output automatically.
We also have plans to add automated regression testing in the packet
path in the future, which should come in a follow up step.
Comments welcome, thanks
[Changes in v3]
* I fix signal handlers when press ctrl + c repeatedly.
* I add the output_clean function. This function improves the parser of
rules is shown by nft.
Ana Rey (7):
tests: Add automated regression testing
tests: Add ip folder with test files
tests: Add ip6 folder with test files.
tests: Add inet folder with test files.
tests: Add arp folder with test files.
tests: Add bridge folder with test files.
tests: Add any folder with test files.
tests/regression/any/ct.t | 105 +++++
tests/regression/any/frag.t | 64 +++
tests/regression/any/limit.t | 12 +
tests/regression/any/log.t | 27 ++
tests/regression/any/meta.t | 160 +++++++
tests/regression/any/queue.t | 15 +
tests/regression/arp/arp.t | 53 +++
tests/regression/arp/chains.t | 5 +
tests/regression/bridge/chains.t | 7 +
tests/regression/inet/ah.t | 58 +++
tests/regression/inet/comp.t | 31 ++
tests/regression/inet/dccp.t | 32 ++
tests/regression/inet/esp.t | 23 +
tests/regression/inet/sctp.t | 42 ++
tests/regression/inet/tcp.t | 103 +++++
tests/regression/inet/udp.t | 49 +++
tests/regression/inet/udplite.t | 42 ++
tests/regression/ip/chains.t | 22 +
tests/regression/ip/icmp.t | 93 +++++
tests/regression/ip/ip.t | 107 +++++
tests/regression/ip/nat.t | 18 +
tests/regression/ip/reject.t | 5 +
tests/regression/ip/sets.t | 31 ++
tests/regression/ip6/chains.t | 18 +
tests/regression/ip6/dst.t | 25 ++
tests/regression/ip6/hbh.t | 25 ++
tests/regression/ip6/icmpv6.t | 96 +++++
tests/regression/ip6/ip6.t | 142 +++++++
tests/regression/ip6/mh.t | 49 +++
tests/regression/ip6/nat.t | 6 +
tests/regression/ip6/reject.t | 5 +
tests/regression/ip6/rt.t | 45 ++
tests/regression/ip6/sets.t | 22 +
tests/regression/ip6/vmap.t | 54 +++
tests/regression/nft-test.py | 859 ++++++++++++++++++++++++++++++++++++++
35 files changed, 2450 insertions(+)
create mode 100644 tests/regression/any/ct.t
create mode 100644 tests/regression/any/frag.t
create mode 100644 tests/regression/any/limit.t
create mode 100644 tests/regression/any/log.t
create mode 100644 tests/regression/any/meta.t
create mode 100644 tests/regression/any/queue.t
create mode 100644 tests/regression/arp/arp.t
create mode 100644 tests/regression/arp/chains.t
create mode 100644 tests/regression/bridge/chains.t
create mode 100644 tests/regression/inet/ah.t
create mode 100644 tests/regression/inet/comp.t
create mode 100644 tests/regression/inet/dccp.t
create mode 100644 tests/regression/inet/esp.t
create mode 100644 tests/regression/inet/sctp.t
create mode 100644 tests/regression/inet/tcp.t
create mode 100644 tests/regression/inet/udp.t
create mode 100644 tests/regression/inet/udplite.t
create mode 100644 tests/regression/ip/chains.t
create mode 100644 tests/regression/ip/icmp.t
create mode 100644 tests/regression/ip/ip.t
create mode 100644 tests/regression/ip/nat.t
create mode 100644 tests/regression/ip/reject.t
create mode 100644 tests/regression/ip/sets.t
create mode 100644 tests/regression/ip6/chains.t
create mode 100644 tests/regression/ip6/dst.t
create mode 100644 tests/regression/ip6/hbh.t
create mode 100644 tests/regression/ip6/icmpv6.t
create mode 100644 tests/regression/ip6/ip6.t
create mode 100644 tests/regression/ip6/mh.t
create mode 100644 tests/regression/ip6/nat.t
create mode 100644 tests/regression/ip6/reject.t
create mode 100644 tests/regression/ip6/rt.t
create mode 100644 tests/regression/ip6/sets.t
create mode 100644 tests/regression/ip6/vmap.t
create mode 100755 tests/regression/nft-test.py
--
1.7.10.4
^ permalink raw reply [flat|nested] 9+ messages in thread
* [v3 nft 1/7] tests: Add automated regression testing
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
@ 2014-09-18 10:39 ` Ana Rey
2014-09-18 10:39 ` [v3 nft 2/7] tests: Add ip folder with test files Ana Rey
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Ana Rey @ 2014-09-18 10:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey, Pablo Neira Ayuso
Here, the automated regression testing for nftables and some test
files.
This script checks that the rule input and output of nft matches.
More details here below.
A) What is this testing?
This script tests two different paths:
* The rule input from the command-line. This checks the different steps
from the command line to the kernel. This includes the parsing,
evaluation and netlink generation steps.
* The output listing that is obtained from the kernel. This checks the
different steps from the kernel to the command line: The netlink
message parsing, postprocess and textify steps to display the rule
listing.
As a final step, this script compares that the rule that is added can
be listed by nft.
B) What options are available?
The script offers the following options:
* Execute test files:
./nft-test.py # Run all test files
./nft-test.py path/file.t # Run this test file
If there is a problem, it shows the differences between the rule that
is added and the rule that is listed by nft.
In case you hit an error, the script doesn't keep testing for more
families. Unless you specify the --force-family option.
* Execute broken tests:
./nft-test.sh -e
This runs tests for rules that need a fix: This mode runs the lines that
that start with a "-" symbol.
* Debugging:
./nft-test.sh -d
This shows all the commands that the script executes, so you can watch
its internal behaviour.
* Keep testing all families on error.
./nft-test.sh -f
Don't stop testing for more families in case of error.
C) What is the structure of the test file?
A test file contains a set of rules that are added in the system.
Here, an example of a test file:
*ip;test-ipv4 # line 1
*ip6;test-ipv6 # line 2
*inet;test-inet # line 3
:input;type filter hook input priority 0 # line 4
ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23 # line 5
- tcp dport != {22-25} # line 6
!set1 ipv4_addr;ok # line 7
?set1 192.168.3.8 192.168.3.9;ok # line 8
# This is a commented-line. # line 9
Line 1 defines a table. The name of the table is 'test-ip' and the
family is ip. Lines 2 and 3 defines more tables for different families
so the rules in this test file are also tested there.
Line 4 defines the chain. The name of this chain is "input". The type is
"filter", the hook is "input" and the priority is 0.
Line 5 defines the rule, the ";" character is used as separator of several
parts:
* Part 1: "ah hdrlength != 11-23" is the rule to check.
* Part 2: "ok" is the result expected with the execute of this rule.
* Part 3: "ah hdrlength < 11 ah hdrlength > 23". This is the expected
output. You can leave this empty if the output is the same as the
input.
Line 6 is a marked line. This means that this rule is tested if
'-e' is passed as argument to nft-test.py.
Line 7 adds a new set. The name of this set is "set1" and the type
of this set is "ipv4_add".
Line 8 adds two elements into the 'set1' set: "192.168.3.8" and
"192.168.3.9". A whitespace separates the elements of the set.
Line 9 uses the "#" symbol that means that this line is commented out.
D) The test folders
The test files are divided in several directories: ip, ip6, inet, arp,
bridge and any.
* "ip" folder contains the test files that are executed in ip and inet
table.
* "ip" folder contains the test files that are executed in ip6 and inet
table.
* "inet" folder contains the test files that are executed in the ip, ip6
and inet table.
* "arp" folder contains the test files that are executed in the arp
table.
* "bridge" folder: Here are the test files are executed in bridge
tables.
* "any" folder: Here are the test files are executed in ip, ip6, inet,
arp and bridge tables.
E) Meaning of messages:
* A warning message means the rule input and output of nft mismatches.
* An error message means the nft-tool shows an error when we add it or
the listing is broken after the rule is added.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tests/regression/nft-test.py | 859 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 859 insertions(+)
create mode 100755 tests/regression/nft-test.py
diff --git a/tests/regression/nft-test.py b/tests/regression/nft-test.py
new file mode 100755
index 0000000..d4929f0
--- /dev/null
+++ b/tests/regression/nft-test.py
@@ -0,0 +1,859 @@
+#!/usr/bin/python
+#
+# (C) 2014 by Ana Rey Botello <anarey@gmail.com>
+#
+# Based on iptables-test.py:
+# (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>"
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Thanks to the Outreach Program for Women (OPW) for sponsoring this test
+# infrastructure.
+
+import sys
+import os
+import subprocess
+import argparse
+import signal
+
+TERMINAL_PATH = os.getcwd()
+TESTS_PATH = os.path.dirname(os.path.abspath(__file__))
+TESTS_DIRECTORY = ["any", "arp", "bridge", "inet", "ip", "ip6"]
+LOGFILE = "/tmp/nftables-test.log"
+log_file = None
+table_list = []
+chain_list = []
+all_set = dict()
+signal_received = 0
+
+
+class Colors:
+ HEADER = '\033[95m'
+ GREEN = '\033[92m'
+ YELLOW = '\033[93m'
+ RED = '\033[91m'
+ ENDC = '\033[0m'
+
+
+def print_error(reason, filename=None, lineno=None):
+ '''
+ Prints an error with nice colors, indicating file and line number.
+ '''
+ if filename and lineno:
+ print (filename + ": " + Colors.RED + "ERROR:" +
+ Colors.ENDC + " line %d: %s" % (lineno + 1, reason))
+ else:
+ print (Colors.RED + "ERROR:" + Colors.ENDC + " %s" % (reason))
+
+
+def print_warning(reason, filename=None, lineno=None):
+ '''
+ Prints a warning with nice colors, indicating file and line number.
+ '''
+ if filename and lineno:
+ print (filename + ": " + Colors.YELLOW + "WARNING:" + \
+ Colors.ENDC + " line %d: %s" % (lineno + 1, reason))
+ else:
+ print (Colors.YELLOW + "WARNING:" + " %s" % (reason))
+
+
+def print_differences_warning(filename, lineno, rule1, rule2, cmd):
+ reason = "'" + rule1 + "' mismatches '" + rule2 + "'"
+ print filename + ": " + Colors.YELLOW + "WARNING: " + Colors.ENDC + \
+ "line: " + str(lineno + 1) + ": '" + cmd + "': " + reason
+
+
+def print_differences_error(filename, lineno, output, cmd):
+ reason = "Listing is broken."
+ print filename + ": " + Colors.RED + "ERROR: " + Colors.ENDC + \
+ "line: " + str(lineno + 1) + ": '" + cmd + "': " + reason
+
+
+def table_exist(table, filename, lineno):
+ '''
+ Exists a table.
+ '''
+ cmd = "nft list -nnn table " + table[0] + " " + table[1]
+ ret = execute_cmd(cmd, filename, lineno)
+
+ return True if (ret == 0) else False
+
+
+def table_flush(table, filename, lineno):
+ '''
+ Flush a table.
+ '''
+ cmd = "nft flush table " + str(table[0]) + " " + str(table[1])
+ ret = execute_cmd(cmd, filename, lineno)
+
+ return cmd
+
+
+def table_create(table, filename, lineno):
+ '''
+ Adds a table.
+ '''
+ ## We check if table exists.
+ if table_exist(table, filename, lineno):
+ reason = "Table " + table[1] + " already exists"
+ print_error(reason, filename, lineno)
+ return -1
+
+ table_list.append(table)
+
+ ## We add a new table
+ cmd = "nft add table " + table[0] + " " + table[1]
+ ret = execute_cmd(cmd, filename, lineno)
+
+ if ret != 0:
+ reason = "Cannot add table " + table[1]
+ print_error(reason, filename, lineno)
+ table_list.remove(table)
+ return -1
+
+ ## We check if table was added correctly.
+ if not table_exist(table, filename, lineno):
+ table_list.remove(table)
+ reason = "I have just added the table " + table[1] + \
+ " but it does not exist. Giving up!"
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def table_delete(table, filename=None, lineno=None):
+ '''
+ Deletes a table.
+ '''
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ if not table_exist(table, filename, lineno):
+ reason = "Table " + table[1] + \
+ " does not exist but I added it before."
+ print_error(reason, filename, lineno)
+ return -1
+
+ cmd = "nft delete table" + table_info
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret != 0:
+ reason = cmd + ": " \
+ "I cannot delete table '" + table[1] + "'. Giving up! "
+ print_error(reason, filename, lineno)
+ return -1
+
+ if table_exist(table, filename, lineno):
+ reason = "I have just deleted the table " + table[1] + \
+ " but the table still exists."
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def chain_exist(chain, table, filename, lineno):
+ '''
+ Checks a chain
+ '''
+
+ table_info = " " + table[0] + " " + table[1] + " "
+ cmd = "nft list -nnn chain" + table_info + chain
+ ret = execute_cmd(cmd, filename, lineno)
+
+ return True if (ret == 0) else False
+
+
+def chain_create(chain, chain_type, chain_list, table, filename, lineno):
+ '''
+ Adds a chain
+ '''
+
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ if chain_exist(chain, table, filename, lineno):
+ reason = "This chain '" + chain + "' exists in " + table[1] + "." + \
+ "I cannot create two chains with same name."
+ print_error(reason, filename, lineno)
+ return -1
+
+ if chain_type:
+ cmd = "nft add chain" + table_info + chain + "\{ " + chain_type + "\; \}"
+ else:
+ cmd = "nft add chain" + table_info + chain
+
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret != 0:
+ reason = "I cannot create the chain '" + chain
+ print_error(reason, filename, lineno)
+ return -1
+
+ if not chain in chain_list:
+ chain_list.append(chain)
+
+ if not chain_exist(chain, table, filename, lineno):
+ reason = "I have added the chain '" + chain + \
+ "' but it does not exist in " + table[1]
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def chain_delete(chain, table, filename=None, lineno=None):
+ '''
+ Flushes and deletes a chain.
+ '''
+
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ if not chain_exist(chain, table, filename, lineno):
+ reason = "The chain " + chain + " does not exists in " + table[1] + \
+ ". I cannot delete it."
+ print_error(reason, filename, lineno)
+ return -1
+
+ cmd = "nft flush chain" + table_info + chain
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret != 0:
+ reason = "I cannot flush this chain " + chain
+ print_error(reason, filename, lineno)
+ return -1
+
+ cmd = "nft delete chain" + table_info + chain
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret != 0:
+ reason = cmd + "I cannot delete this chain. DD"
+ print_error(reason, filename, lineno)
+ return -1
+
+ if chain_exist(chain, table, filename, lineno):
+ reason = "The chain " + chain + " exists in " + table[1] + \
+ ". I cannot delete this chain"
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def set_add(set_info, table_list, filename, lineno):
+ '''
+ Adds a set.
+ '''
+
+ if not table_list:
+ reason = "Missing table to add rule"
+ print_error(reason, filename, lineno)
+ return -1
+
+ for table in table_list:
+ if set_exist(set_info[0], table, filename, lineno):
+ reason = "This set " + set_info + " exists in " + table[1] + \
+ ". I cannot add it again"
+ print_error(reason, filename, lineno)
+ return -1
+
+ table_info = " " + table[0] + " " + table[1] + " "
+ set_text = " " + set_info[0] + " { type " + set_info[1] + " \;}"
+ cmd = "nft add set" + table_info + set_text
+ ret = execute_cmd(cmd, filename, lineno)
+
+ if (ret == 0 and set_info[2].rstrip() == "fail") or \
+ (ret != 0 and set_info[2].rstrip() == "ok"):
+ reason = cmd + ": " + "I cannot add the set " + set_info[0]
+ print_error(reason, filename, lineno)
+ return -1
+
+ if not set_exist(set_info[0], table, filename, lineno):
+ reason = "I have just added the set " + set_info[0] + \
+ " to the table " + table[1] + " but it does not exist"
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def set_add_elements(set_element, set_name, set_all, state, table_list,
+ filename, lineno):
+ '''
+ Adds elements to the set.
+ '''
+
+ if not table_list:
+ reason = "Missing table to add rules"
+ print_error(reason, filename, lineno)
+ return -1
+
+ for table in table_list:
+ # Check if set exists.
+ if (not set_exist(set_name, table, filename, lineno) or
+ not set_name in set_all) and state == "ok":
+ reason = "I cannot add an element to the set " + set_name + \
+ " since it does not exist."
+ print_error(reason, filename, lineno)
+ return -1
+
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ element = ""
+ for e in set_element:
+ if not element:
+ element = e
+ else:
+ element = element + ", " + e
+
+ set_text = set_name + " { " + element + " }"
+ cmd = "nft add element -nnn" + table_info + set_text
+ ret = execute_cmd(cmd, filename, lineno)
+
+ if (state == "fail" and ret == 0) or (state == "ok" and ret != 0):
+ test_state = "This rule should have failed."
+ reason = cmd + ": " + test_state
+ print_error(reason, filename, lineno)
+ return -1
+
+ # Add element into a all_set.
+ if (ret == 0 and state == "ok"):
+ for e in set_element:
+ set_all[set_name].add(e)
+
+ return 0
+
+
+def set_delete_elements(set_element, set_name, table, filename=None,
+ lineno=None):
+ '''
+ Deletes elements in a set.
+ '''
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ for element in set_element:
+ set_text = set_name + " {" + element + "}"
+ cmd = "nft delete element -nnn" + table_info + set_text
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret != 0:
+ reason = "I cannot delete an element" + element + \
+ " from the set '" + set_name
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def set_delete(all_set, table, filename=None, lineno=None):
+ '''
+ Deletes set and its content.
+ '''
+
+ for set_name in all_set.keys():
+ # Check if exists the set
+ if not set_exist(set_name, table, filename, lineno):
+ reason = "The set " + set_name + \
+ " does not exist, I cannot delete it"
+ print_error(reason, filename, lineno)
+ return -1
+
+ # We delete all elements in the set
+ set_delete_elements(all_set[set_name], set_name, table, filename,
+ lineno)
+
+ # We delete the set.
+ table_info = " " + table[0] + " " + table[1] + " "
+ cmd = "nft delete set " + table_info + " " + set_name
+ ret = execute_cmd(cmd, filename, lineno)
+
+ # Check if the set still exists after I deleted it.
+ if ret != 0 or set_exist(set_name, table, filename, lineno):
+ reason = "Cannot remove the set " + set_name
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def set_exist(set_name, table, filename, lineno):
+ '''
+ Check if the set exists.
+ '''
+ table_info = " " + table[0] + " " + table[1] + " "
+ cmd = "nft list -nnn set" + table_info + set_name
+ ret = execute_cmd(cmd, filename, lineno)
+
+ return True if (ret == 0) else False
+
+
+def set_check_element(rule1, rule2):
+ '''
+ Check if element exists in anonymous sets.
+ '''
+ ret = -1
+ pos1 = rule1.find("{")
+ pos2 = rule2.find("{")
+ end1 = rule1.find("}")
+ end2 = rule2.find("}")
+
+ if ((pos1 != -1) and (pos2 != -1) and (end1 != -1) and (end2 != -1)):
+ list1 = (rule1[pos1 + 1:end1].replace(" ", "")).split(",")
+ list2 = (rule2[pos2 + 1:end2].replace(" ", "")).split(",")
+ list1.sort()
+ list2.sort()
+ if (cmp(list1, list2) == 0):
+ ret = 0
+ return ret
+
+
+def output_clean(pre_output, chain):
+ pos_chain = pre_output[0].find(chain)
+ if pos_chain == -1:
+ return ""
+ output_intermediate = pre_output[0][pos_chain:]
+ brace_start = output_intermediate.find("{")
+ brace_end = output_intermediate.find("}")
+ pre_rule = output_intermediate[brace_start:brace_end]
+ if pre_rule[1:].find("{") > -1: # this rule has a set.
+ set = pre_rule[1:].replace("\t", "").replace("\n", "").strip()
+ set = set.split(";")[1].strip() + "}"
+ return set
+ else:
+ rule = pre_rule.split(";")[1].replace("\t", "").replace("\n", "").strip()
+ if len(rule) < 0:
+ return ""
+ return rule
+
+
+def rule_add(rule, table_list, chain_list, filename, lineno,
+ force_all_family_option):
+ '''
+ Adds a rule
+ '''
+ # TODO Check if a rule is added correctly.
+ ret = warning = error = unit_tests = 0
+
+ if not table_list or not chain_list:
+ reason = "Missing table or chain to add rule."
+ print_error(reason, filename, lineno)
+ return [-1, warning, error, unit_tests]
+
+ for table in table_list:
+ for chain in chain_list:
+ if len(rule) == 1:
+ reason = "Skipping malformed test. (" + \
+ str(rule[0].rstrip('\n')) + ")"
+ print_warning(reason, filename, lineno)
+ continue
+
+ unit_tests += 1
+ table_flush(table, filename, lineno)
+ table_info = " " + table[0] + " " + table[1] + " "
+ cmd = "nft add rule -nnn" + table_info + chain + " " + rule[0]
+
+ ret = execute_cmd(cmd, filename, lineno)
+
+ state = rule[1].rstrip()
+ if (ret == 0 and state == "fail") or (ret != 0 and state == "ok"):
+ if state == "fail":
+ test_state = "This rule should have failed."
+ else:
+ test_state = "This rule should not have failed."
+ reason = cmd + ": " + test_state
+ print_error(reason, filename, lineno)
+ ret = -1
+ error += 1
+ if not force_all_family_option:
+ return [ret, warning, error, unit_tests]
+
+ if (state == "fail" and ret != 0):
+ ret = 0
+ continue
+
+ if ret == 0:
+ # Check output of nft
+ process = subprocess.Popen(['nft', '-nnn', 'list', 'table'] + table,
+ shell=False, stdout=subprocess.PIPE,
+ preexec_fn=preexec)
+ pre_output = process.communicate()
+ output = pre_output[0].split(";")
+ if len(output) < 2:
+ reason = cmd + ": Listing is broken."
+ print_error(reason, filename, lineno)
+ ret = -1
+ error += 1
+ if not force_all_family_option:
+ return [ret, warning, error, unit_tests]
+ else:
+ rule_output = output_clean(pre_output, chain)
+ if (len(rule) == 3):
+ teoric_exit = rule[2]
+ else:
+ teoric_exit = rule[0]
+
+ if (rule_output.rstrip() != teoric_exit.rstrip()):
+ if (rule[0].find("{") != -1): # anonymous sets
+ if (set_check_element(teoric_exit, rule_output) != 0):
+ warning += 1
+ print_differences_warning(filename, lineno,
+ rule[0], rule_output,
+ cmd)
+ if not force_all_family_option:
+ return [ret, warning, error, unit_tests]
+ else:
+ if len(rule_output) <= 0:
+ error += 1
+ print_differences_error(filename, lineno,
+ rule_output, cmd)
+ if not force_all_family_option:
+ return [ret, warning, error, unit_tests]
+ if rule[0].find(rule_output.split(" ")[0]) > -1:
+ warning += 1
+ print_differences_warning(filename, lineno,
+ rule[0], rule_output,
+ cmd)
+ else:
+ error += 1
+ print_differences_error(filename, lineno,
+ rule_output, cmd)
+ if not force_all_family_option:
+ return [ret, warning, error, unit_tests]
+
+ return [ret, warning, error, unit_tests]
+
+
+def preexec():
+ os.setpgrp() # Don't forward signals.
+
+
+def cleanup_on_exit():
+ for table in table_list:
+ for chain in chain_list:
+ ret = chain_delete(chain, table, "", "")
+ if all_set:
+ ret = set_delete(all_set, table)
+ ret = table_delete(table)
+
+
+def signal_handler(signal, frame):
+ global signal_received
+ signal_received = 1
+
+
+def execute_cmd(cmd, filename, lineno):
+ '''
+ Executes a command, checks for segfaults and returns the command exit
+ code.
+
+ :param cmd: string with the command to be executed
+ :param filename: name of the file tested (used for print_error purposes)
+ :param lineno: line number being tested (used for print_error purposes)
+ '''
+ global log_file
+ print >> log_file, "command: %s" % cmd
+ if debug_option:
+ print cmd
+ ret = subprocess.call(cmd, shell=True, universal_newlines=True,
+ stderr=subprocess.STDOUT, stdout=log_file,
+ preexec_fn=preexec)
+ log_file.flush()
+
+ if ret == -11:
+ reason = "command segfaults: " + cmd
+ print_error(reason, filename, lineno)
+
+ return ret
+
+
+def print_result(filename, tests, warning, error):
+ return str(filename) + ": " + str(tests) + " unit tests, " + \
+ str(error) + " error, " + str(warning) + " warning"
+
+
+def print_result_all(filename, tests, warning, error, unit_tests):
+ return str(filename) + ": " + str(tests) + " unit tests, " +\
+ str(unit_tests) + " total test executed, " + \
+ str(error) + " error, " + \
+ str(warning) + " warning"
+
+
+def table_process(table_line, filename, lineno):
+ if ";" in table_line:
+ table_info = table_line.split(";")
+ else:
+ table_info.append("ip")
+ table_info.append(table_line)
+
+ return table_create(table_info, filename, lineno)
+
+
+def chain_process(chain_line, filename, lineno):
+ chain_name = chain_line[0]
+ chain_type = ""
+ for table in table_list:
+ if len(chain_line) > 1:
+ chain_type = chain_line[1]
+ ret = chain_create(chain_name, chain_type, chain_list, table,
+ filename, lineno)
+ if ret != 0:
+ return -1
+ return ret
+
+
+def set_process(set_line, filename, lineno):
+ set_info = []
+ set_name = "".join(set_line[0].rstrip()[1:])
+ set_info.append(set_name)
+ set_type = set_line[1].split(";")[0]
+ set_state = set_line[1].split(";")[1] # ok or fail
+ set_info.append(set_type)
+ set_info.append(set_state)
+ ret = set_add(set_info, table_list, filename, lineno)
+ if ret == 0:
+ all_set[set_name] = set()
+
+ return ret
+
+
+def set_element_process(element_line, filename, lineno):
+ rule_state = element_line[1]
+ set_name = element_line[0].split(" ")[0]
+ set_element = element_line[0].split(" ")
+ set_element.remove(set_name)
+ return set_add_elements(set_element, set_name, all_set, rule_state,
+ table_list, filename, lineno)
+
+
+def run_test_file(filename, force_all_family_option, specific_file):
+ '''
+ Runs a test file
+
+ :param filename: name of the file with the test rules
+ '''
+
+ if specific_file:
+ filename_path = os.path.join(TERMINAL_PATH, filename)
+ else:
+ filename_path = os.path.join(TESTS_PATH, filename)
+
+ f = open(filename_path)
+ tests = passed = total_unit_run = total_warning = total_error = 0
+ table = ""
+ total_test_passed = True
+
+ for lineno, line in enumerate(f):
+ if signal_received == 1:
+ print "\nSignal received. Cleaning up and Exitting..."
+ cleanup_on_exit()
+ sys.exit(0)
+
+ if line.isspace():
+ continue
+
+ if line[0] == "#": # Command-line
+ continue
+
+ if line[0] == '*': # Table
+ table_line = line.rstrip()[1:]
+ ret = table_process(table_line, filename, lineno)
+ if (ret != 0):
+ total_test_passed = False
+ break
+ continue
+
+ if line[0] == ":": # Chain
+ chain_line = line.rstrip()[1:].split(";")
+ ret = chain_process(chain_line, filename, lineno)
+ if ret != 0:
+ total_test_passed = False
+ break
+ continue
+
+ if line[0] == "!": # Adds this set
+ set_line = line.rstrip()[0:].split(" ")
+ ret = set_process(set_line, filename, lineno)
+ tests += 1
+ if ret == -1:
+ total_test_passed = False
+ continue
+ passed += 1
+ continue
+
+ if line[0] == "?": # Adds elements in a set
+ element_line = line.rstrip()[1:].split(";")
+ ret = set_element_process(element_line, filename, lineno)
+ tests += 1
+ if ret == -1:
+ total_test_passed = False
+ continue
+
+ passed += 1
+ continue
+
+ # Rule
+ rule = line.split(';') # rule[1] Ok or FAIL
+ if line[0] == "-": # Run omitted lines
+ if line[1:].find("*") != -1:
+ continue
+ if need_fix_option:
+ rule[0] = rule[0].rstrip()[1:]
+ result = rule_add(rule, table_list, chain_list, filename,
+ lineno, force_all_family_option)
+ tests += 1
+ warning = result[1]
+ ret = result[0]
+ total_warning += warning
+ total_error += result[2]
+ total_unit_run += result[3]
+
+ if ret != 0:
+ total_test_passed = False
+ elif warning == 0:
+ passed += 1
+ continue
+ else:
+ continue
+ if need_fix_option:
+ continue
+
+ result = rule_add(rule, table_list, chain_list, filename, lineno,
+ force_all_family_option)
+ tests += 1
+ ret = result[0]
+ warning = result[1]
+ total_warning += warning
+ total_error += result[2]
+ total_unit_run += result[3]
+
+ if ret != 0:
+ total_test_passed = False
+ continue
+
+ if warning == 0: # All ok.
+ passed += 1
+
+ # Delete rules, sets, chains and tables
+ for table in table_list:
+ # We delete chains
+ for chain in chain_list:
+ ret = chain_delete(chain, table, filename, lineno)
+ if ret != 0:
+ total_test_passed = False
+
+ # We delete sets.
+ if all_set:
+ ret = set_delete(all_set, table, filename, lineno)
+ if ret != 0:
+ total_test_passed = False
+ reason = "There is a problem when we delete a set"
+ print_error(reason, filename, lineno)
+
+ # We delete tables.
+ ret = table_delete(table, filename, lineno)
+
+ if ret != 0:
+ total_test_passed = False
+
+ if specific_file:
+ if force_all_family_option:
+ print print_result_all(filename, tests, total_warning, total_error,
+ total_unit_run)
+ else:
+ print print_result(filename, tests, total_warning, total_error)
+ else:
+ if (tests == passed and tests > 0):
+ print filename + ": " + Colors.GREEN + "OK" + Colors.ENDC
+
+ f.close()
+ del table_list[:]
+ del chain_list[:]
+ all_set.clear()
+
+ return [tests, passed, total_warning, total_error, total_unit_run]
+
+
+def main():
+ parser = argparse.ArgumentParser(description='Run nft tests',
+ version='1.0')
+
+ parser.add_argument('filename', nargs='?',
+ metavar='path/to/file.t',
+ help='Run only this test')
+
+ parser.add_argument('-d', '--debug', action='store_true',
+ dest='debug',
+ help='enable debugging mode')
+
+ parser.add_argument('-e', '--need-fix', action='store_true',
+ dest='need_fix_line',
+ help='run rules that need a fix')
+
+ parser.add_argument('-f', '--force-family', action='store_true',
+ dest='force_all_family',
+ help='keep testing all families on error')
+
+ args = parser.parse_args()
+ global debug_option, need_fix_option
+ debug_option = args.debug
+ need_fix_option = args.need_fix_line
+ force_all_family_option = args.force_all_family
+ specific_file = False
+
+ signal.signal(signal.SIGINT, signal_handler)
+ signal.signal(signal.SIGTERM, signal_handler)
+
+ if os.getuid() != 0:
+ print "You need to be root to run this, sorry"
+ return
+
+ test_files = files_ok = run_total = 0
+ tests = passed = warnings = errors = 0
+ global log_file
+ try:
+ log_file = open(LOGFILE, 'w')
+ except IOError:
+ print "Cannot open log file %s" % LOGFILE
+ return
+
+ file_list = []
+ if args.filename:
+ file_list = [args.filename]
+ specific_file = True
+ else:
+ for directory in TESTS_DIRECTORY:
+ path = os.path.join(TESTS_PATH, directory)
+ for root, dirs, files in os.walk(path):
+ for f in files:
+ if f.endswith(".t"):
+ file_list.append(os.path.join(directory, f))
+
+ for filename in file_list:
+ result = run_test_file(filename, force_all_family_option, specific_file)
+ file_tests = result[0]
+ file_passed = result[1]
+ file_warnings = result[2]
+ file_errors = result[3]
+ file_unit_run = result[4]
+
+ if file_warnings == 0 and file_tests == file_passed:
+ files_ok += 1
+ if file_tests:
+ tests += file_tests
+ passed += file_passed
+ errors += file_errors
+ warnings += file_warnings
+ test_files += 1
+ if force_all_family_option:
+ run_total += file_unit_run
+
+ if test_files == 0:
+ print "No test files to run"
+ else:
+ if not specific_file:
+ if force_all_family_option:
+ print ("%d test files, %d files passed, %d unit tests, %d total executed, %d error, %d warning" %
+ (test_files, files_ok, tests, run_total, errors, warnings))
+ else:
+ print ("%d test files, %d files passed, %d unit tests, %d error, %d warning" %
+ (test_files, files_ok, tests, errors, warnings))
+
+if __name__ == '__main__':
+ main()
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [v3 nft 2/7] tests: Add ip folder with test files
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
2014-09-18 10:39 ` [v3 nft 1/7] tests: Add automated " Ana Rey
@ 2014-09-18 10:39 ` Ana Rey
2014-09-18 10:39 ` [v3 nft 3/7] tests: Add ip6 " Ana Rey
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Ana Rey @ 2014-09-18 10:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
"ip" folder contains the test files that are executed in ip and inet
family of tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/regression/ip/chains.t | 22 +++++++++
tests/regression/ip/icmp.t | 93 ++++++++++++++++++++++++++++++++++++
tests/regression/ip/ip.t | 107 ++++++++++++++++++++++++++++++++++++++++++
tests/regression/ip/nat.t | 18 +++++++
tests/regression/ip/reject.t | 5 ++
tests/regression/ip/sets.t | 31 ++++++++++++
6 files changed, 276 insertions(+)
create mode 100644 tests/regression/ip/chains.t
create mode 100644 tests/regression/ip/icmp.t
create mode 100644 tests/regression/ip/ip.t
create mode 100644 tests/regression/ip/nat.t
create mode 100644 tests/regression/ip/reject.t
create mode 100644 tests/regression/ip/sets.t
diff --git a/tests/regression/ip/chains.t b/tests/regression/ip/chains.t
new file mode 100644
index 0000000..92a1147
--- /dev/null
+++ b/tests/regression/ip/chains.t
@@ -0,0 +1,22 @@
+*ip;test-ip4
+-*inet;test-inet
+
+# filter chains available are: input, output, forward, prerouting, postrouting
+:filter-input;type filter hook input priority 0
+:filter-pre;type filter hook prerouting priority 0
+:filter-forw;type filter hook forward priority 0
+:filter-out;type filter hook output priority 0
+:filter-post;type filter hook postrouting priority 0
+# nat chains available are: input, output, prerouting, postrouting
+:nat-input-t;type nat hook input priority 0
+:nat-pre-t;type nat hook prerouting priority 0
+:nat-out-t;type nat hook output priority 0
+:nat-post-t;type nat hook postrouting priority 0
+# route chain available are: output
+:route-out-t;type route hook output priority 0
+
+#ip daddr 192.168.0.1-192.168.0.250;ok
+#ip daddr 192.168.0.1;ok
+#ip daddr 192.168.0.1 drop;ok
+#ip daddr 192.168.0.2 log;ok
+#ip daddr 192.168.0.2 log;ok
diff --git a/tests/regression/ip/icmp.t b/tests/regression/ip/icmp.t
new file mode 100644
index 0000000..cd43a66
--- /dev/null
+++ b/tests/regression/ip/icmp.t
@@ -0,0 +1,93 @@
+*ip;test-ip4
+# BUG: There is a bug with icmp protocol and inet family.
+- *inet;test-inet
+:input;type filter hook input priority 0
+
+icmp type echo-reply accept;ok
+icmp type destination-unreachable accept;ok
+icmp type source-quench accept;ok
+icmp type redirect accept;ok
+icmp type echo-request accept;ok
+icmp type time-exceeded accept;ok
+icmp type parameter-problem accept;ok
+icmp type timestamp-request accept;ok
+icmp type timestamp-reply accept;ok
+icmp type info-request accept;ok
+icmp type info-reply accept;ok
+icmp type address-mask-request accept;ok
+icmp type address-mask-reply accept;ok
+icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply} accept;ok
+- icmp type != {echo-reply, destination-unreachable, source-quench};ok
+# BUG: icmp type != {echo-reply, destination-unreachable, source-quench}
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp code 111 accept;ok
+icmp code != 111 accept;ok
+icmp code 33-55;ok;icmp code >= 33 icmp code <= 55
+icmp code != 33-55;ok;icmp code < 33 icmp code > 55
+icmp code { 33-55};ok
+- icmp code != { 33-55};ok
+icmp code { 2, 4, 54, 33, 56};ok
+- icmp code != { 2, 4, 54, 33, 56};ok
+# $ sudo nft add rule ip test input icmp code != {2, 4, 54, 33, 56}
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp checksum 12343 accept;ok
+icmp checksum != 12343 accept;ok
+icmp checksum 11-343 accept;ok;icmp checksum >= 11 icmp checksum <= 343 accept
+icmp checksum != 11-343 accept;ok;icmp checksum < 11 icmp checksum > 343 accept
+icmp checksum { 11-343} accept;ok
+- icmp checksum != { 11-343} accept;ok
+icmp checksum { 1111, 222, 343} accept;ok
+- icmp checksum != { 1111, 222, 343} accept;ok
+# BUG: invalid expression type set
+# icmp checksum != { 1111, 222, 343} accept;ok
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp id 1245 log;ok
+icmp id 22;ok
+icmp id != 233;ok
+icmp id 33-45;ok;icmp id >= 33 icmp id <= 45
+icmp id != 33-45;ok;icmp id < 33 icmp id > 45
+icmp id { 33-55};ok
+- icmp id != { 33-55};ok
+icmp id { 22, 34, 333};ok
+- icmp id != { 22, 34, 333};ok
+# BUG: invalid expression type set
+# icmp id != { 22, 34, 333}
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp sequence 22;ok
+icmp sequence != 233;ok
+icmp sequence 33-45;ok;icmp sequence >= 33 icmp sequence <= 45
+icmp sequence != 33-45;ok;icmp sequence < 33 icmp sequence > 45
+icmp sequence { 33, 55, 67, 88};ok
+- icmp sequence != { 33, 55, 67, 88};ok
+icmp sequence { 33-55};ok
+- icmp sequence != { 33-55};ok
+
+icmp mtu 33;ok
+icmp mtu 22-33;ok
+icmp mtu { 22-33};ok
+- icmp mtu != { 22-33};ok
+icmp mtu 22;ok
+icmp mtu != 233;ok
+icmp mtu 33-45;ok
+icmp mtu != 33-45;ok
+icmp mtu { 33, 55, 67, 88};ok
+- icmp mtu != { 33, 55, 67, 88};ok
+icmp mtu { 33-55};ok
+- icmp mtu != { 33-55};ok
+
+icmp gateway 22;ok
+icmp gateway != 233;ok
+icmp gateway 33-45;ok;icmp gateway >= 33 icmp gateway <= 45
+icmp gateway != 33-45;ok;icmp gateway < 33 icmp gateway > 45
+icmp gateway { 33, 55, 67, 88};ok
+- icmp gateway != { 33, 55, 67, 88};ok
+icmp gateway { 33-55};ok
+- icmp gateway != { 33-55};ok
+icmp gateway != 34;ok
+- icmp gateway != { 333, 334};ok
diff --git a/tests/regression/ip/ip.t b/tests/regression/ip/ip.t
new file mode 100644
index 0000000..a781de5
--- /dev/null
+++ b/tests/regression/ip/ip.t
@@ -0,0 +1,107 @@
+*ip;test-ip4
+*inet;test-inet
+:input;type filter hook input priority 0
+
+- ip version 2;ok
+
+# bug ip hdrlength
+- ip hdrlength 10;ok
+- ip hdrlength != 5;ok
+- ip hdrlength 5-8;ok
+- ip hdrlength != 3-13;ok
+- ip hdrlength {3, 5, 6, 8};ok
+- ip hdrlength != {3, 5, 7, 8};ok
+- ip hdrlength { 3-5};ok
+- ip hdrlength != { 3-59};ok
+# ip hdrlength 12
+# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
+# add rule ip test input ip hdrlength 12
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# <cmdline>:1:37-38: Error: Value 22 exceeds valid range 0-15
+# add rule ip test input ip hdrlength 22
+
+- ip dscp CS1;ok
+- ip dscp != CS1;ok
+- ip dscp 0x38;ok
+- ip dscp != 0x20;ok
+- ip dscp {CS1, CS2, CS3, CS4, CS5, CS6, CS7, BE, AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43, EF};ok
+- ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok
+- ip dscp != {CS0, CS3};ok
+
+ip length 232;ok
+ip length != 233;ok
+ip length 333-435;ok;ip length >= 333 ip length <= 435
+ip length != 333-453;ok;ip length < 333 ip length > 453
+ip length { 333, 553, 673, 838};ok
+- ip length != { 333, 535, 637, 883};ok
+ip length { 333-535};ok
+- ip length != { 333-553};ok
+
+ip id 22;ok
+ip id != 233;ok
+ip id 33-45;ok;ip id >= 33 ip id <= 45
+ip id != 33-45;ok;ip id < 33 ip id > 45
+ip id { 33, 55, 67, 88};ok
+- ip id != { 33, 55, 67, 88};ok
+ip id { 33-55};ok
+- ip id != { 33-55};ok
+
+ip frag-off 222 accept;ok
+ip frag-off != 233;ok
+ip frag-off 33-45;ok;ip frag-off >= 33 ip frag-off <= 45
+ip frag-off != 33-45;ok;ip frag-off < 33 ip frag-off > 45
+ip frag-off { 33, 55, 67, 88};ok
+- ip frag-off != { 33, 55, 67, 88};ok
+ip frag-off { 33-55};ok
+- ip frag-off != { 33-55};ok
+
+ip ttl 0 drop;ok
+ip ttl 233 log;ok
+ip ttl 33-55;ok;ip ttl >= 33 ip ttl <= 55
+ip ttl != 45-50;ok;ip ttl < 45 ip ttl > 50
+ip ttl {43, 53, 45 };ok
+- ip ttl != {46, 56, 93 };ok
+# BUG: ip ttl != {46, 56, 93 };ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+ip ttl { 33-55};ok
+- ip ttl != { 33-55};ok
+
+ip protocol tcp log;ok;ip protocol 6 log
+ip protocol != tcp log;ok;ip protocol != 6 log
+ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept
+- ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok
+
+ip checksum 13172 drop;ok
+ip checksum 22;ok
+ip checksum != 233;ok
+ip checksum 33-45;ok;ip checksum >= 33 ip checksum <= 45
+ip checksum != 33-45;ok;ip checksum < 33 ip checksum > 45
+ip checksum { 33, 55, 67, 88};ok
+- ip checksum != { 33, 55, 67, 88};ok
+ip checksum { 33-55};ok
+- ip checksum != { 33-55};ok
+
+ip saddr 192.168.2.0/24;ok
+ip saddr != 192.168.2.0/24;ok
+ip saddr 192.168.3.1 ip daddr 192.168.3.100;ok
+ip saddr != 1.1.1.1 log prefix giuseppe;ok;ip saddr != 1.1.1.1 log prefix "giuseppe"
+ip saddr 1.1.1.1 log prefix example group 1;ok;ip saddr 1.1.1.1 log prefix "example" group 1
+ip daddr 192.168.0.1-192.168.0.250;ok;ip daddr >= 192.168.0.1 ip daddr <= 192.168.0.250
+ip daddr 10.0.0.0-10.255.255.255;ok;ip daddr >= 10.0.0.0 ip daddr <= 10.255.255.255
+ip daddr 172.16.0.0-172.31.255.255;ok;ip daddr >= 172.16.0.0 ip daddr <= 172.31.255.255
+ip daddr 192.168.3.1-192.168.4.250;ok;ip daddr >= 192.168.3.1 ip daddr <= 192.168.4.250
+ip daddr != 192.168.0.1-192.168.0.250;ok;ip daddr < 192.168.0.1 ip daddr > 192.168.0.250
+ip daddr { 192.168.0.1-192.168.0.250};ok
+- ip daddr != { 192.168.0.1-192.168.0.250};ok
+ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+- ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+
+ip daddr 192.168.1.2-192.168.1.55;ok;ip daddr >= 192.168.1.2 ip daddr <= 192.168.1.55
+ip daddr != 192.168.1.2-192.168.1.55;ok;ip daddr < 192.168.1.2 ip daddr > 192.168.1.55
+ip saddr 192.168.1.3-192.168.33.55;ok;ip saddr >= 192.168.1.3 ip saddr <= 192.168.33.55
+ip saddr != 192.168.1.3-192.168.33.55;ok;ip saddr < 192.168.1.3 ip saddr > 192.168.33.55
+
+ip daddr 192.168.0.1;ok
+ip daddr 192.168.0.1 drop;ok
+ip daddr 192.168.0.2 log;ok
diff --git a/tests/regression/ip/nat.t b/tests/regression/ip/nat.t
new file mode 100644
index 0000000..5afe823
--- /dev/null
+++ b/tests/regression/ip/nat.t
@@ -0,0 +1,18 @@
+*ip;test-ip4
+# bug: Nat tables is not supported yet in inet table.
+-*inet;test-inet
+
+:output;type nat hook output priority 0
+
+iifname eth0 tcp dport 80-90 dnat 192.168.3.2;ok;iifname "eth0" tcp dport >= 80 tcp dport <= 90 dnat 192.168.3.2
+iifname eth0 tcp dport != 80-90 dnat 192.168.3.2;ok;iifname "eth0" tcp dport < 80 tcp dport > 90 dnat 192.168.3.2
+iifname eth0 tcp dport {80, 90, 23} dnat 192.168.3.2;ok
+- iifname eth0 tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+
+iifname eth0 tcp sport 23-34 snat 192.168.3.2;ok;iifname "eth0" tcp sport >= 23 tcp sport <= 34 snat 192.168.3.2
+
+- iifname eth0 tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+iifname eth0 tcp dport != 23-34 dnat 192.168.3.2;ok;iifname "eth0" tcp dport < 23 tcp dport > 34 dnat 192.168.3.2
diff --git a/tests/regression/ip/reject.t b/tests/regression/ip/reject.t
new file mode 100644
index 0000000..e7fb15b
--- /dev/null
+++ b/tests/regression/ip/reject.t
@@ -0,0 +1,5 @@
+*ip;test-ip4
+*ip;test-inet
+:output;type filter hook output priority 0
+
+reject;ok
diff --git a/tests/regression/ip/sets.t b/tests/regression/ip/sets.t
new file mode 100644
index 0000000..a74d308
--- /dev/null
+++ b/tests/regression/ip/sets.t
@@ -0,0 +1,31 @@
+*ip;test-ip4
+*inet;test-inet
+:input;type filter hook input priority 0
+
+!set_ipv4_add ipv4_addr;ok
+!set_inet inet_proto;ok
+!set_inet_serv inet_service;ok
+!set_time time;ok
+
+!set1 ipv4_addr;ok
+?set1 192.168.3.4;ok
+
+?set1 192.168.3.4;fail
+?set1 192.168.3.5 192.168.3.6;ok
+?set1 192.168.3.5 192.168.3.6;fail
+?set1 192.168.3.8 192.168.3.9;ok
+?set1 192.168.3.10 192.168.3.11;ok
+?set1 1234:1234:1234:1234:1234:1234:1234:1234;fail
+?set2 192.168.3.4;fail
+
+!set2 ipv4_addr;ok
+?set2 192.168.3.4;ok
+?set2 192.168.3.5 192.168.3.6;ok
+?set2 192.168.3.5 192.168.3.6;fail
+?set2 192.168.3.8 192.168.3.9;ok
+?set2 192.168.3.10 192.168.3.11;ok
+
+-ip saddr @set1 drop;ok
+-ip saddr @set2 drop;ok
+-ip saddr @set33 drop;fail
+-ip saddr @set21 drop;fail
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [v3 nft 3/7] tests: Add ip6 folder with test files.
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
2014-09-18 10:39 ` [v3 nft 1/7] tests: Add automated " Ana Rey
2014-09-18 10:39 ` [v3 nft 2/7] tests: Add ip folder with test files Ana Rey
@ 2014-09-18 10:39 ` Ana Rey
2014-09-18 10:39 ` [v3 nft 4/7] tests: Add inet " Ana Rey
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Ana Rey @ 2014-09-18 10:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
"ip6" folder contains the test files that are executed in ip6 and inet
family of tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/regression/ip6/chains.t | 18 ++++++
tests/regression/ip6/dst.t | 25 ++++++++
tests/regression/ip6/hbh.t | 25 ++++++++
tests/regression/ip6/icmpv6.t | 96 ++++++++++++++++++++++++++++
tests/regression/ip6/ip6.t | 142 +++++++++++++++++++++++++++++++++++++++++
tests/regression/ip6/mh.t | 49 ++++++++++++++
tests/regression/ip6/nat.t | 6 ++
tests/regression/ip6/reject.t | 5 ++
tests/regression/ip6/rt.t | 45 +++++++++++++
tests/regression/ip6/sets.t | 22 +++++++
tests/regression/ip6/vmap.t | 54 ++++++++++++++++
11 files changed, 487 insertions(+)
create mode 100644 tests/regression/ip6/chains.t
create mode 100644 tests/regression/ip6/dst.t
create mode 100644 tests/regression/ip6/hbh.t
create mode 100644 tests/regression/ip6/icmpv6.t
create mode 100644 tests/regression/ip6/ip6.t
create mode 100644 tests/regression/ip6/mh.t
create mode 100644 tests/regression/ip6/nat.t
create mode 100644 tests/regression/ip6/reject.t
create mode 100644 tests/regression/ip6/rt.t
create mode 100644 tests/regression/ip6/sets.t
create mode 100644 tests/regression/ip6/vmap.t
diff --git a/tests/regression/ip6/chains.t b/tests/regression/ip6/chains.t
new file mode 100644
index 0000000..ef975b2
--- /dev/null
+++ b/tests/regression/ip6/chains.t
@@ -0,0 +1,18 @@
+*ip6;test-ip6
+-*inet;test-inet
+
+# filter chains available are: input, output, forward, forward, prerouting and postrouting.
+:filter-input;type filter hook input priority 0
+:filter-prer;type filter hook prerouting priority 0
+:filter-forw-t;type filter hook forward priority 0
+:filter-out-t;type filter hook output priority 0
+:filter-post-t;type filter hook postrouting priority 0
+
+# nat chains available are: input, output, forward, prerouting and postrouting.
+:nat-input;type nat hook input priority 0
+:nat-prerouting;type nat hook prerouting priority 0
+:nat-output;type nat hook output priority 0
+:nat-postrou;type nat hook postrouting priority 0
+
+# route chain available is output.
+:route-out;type route hook output priority 0
diff --git a/tests/regression/ip6/dst.t b/tests/regression/ip6/dst.t
new file mode 100644
index 0000000..1b1bc52
--- /dev/null
+++ b/tests/regression/ip6/dst.t
@@ -0,0 +1,25 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+dst nexthdr 22;ok
+dst nexthdr != 233;ok
+dst nexthdr 33-45;ok;dst nexthdr >= 33 dst nexthdr <= 45
+dst nexthdr != 33-45;ok;dst nexthdr < 33 dst nexthdr > 45
+dst nexthdr { 33, 55, 67, 88};ok
+- dst nexthdr != { 33, 55, 67, 88};ok
+dst nexthdr { 33-55};ok
+- dst nexthdr != { 33-55};ok
+dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr { 51, 50, 17, 136, 58, 6, 33, 132, 108}
+- dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+dst nexthdr icmp;ok;dst nexthdr 1
+dst nexthdr != icmp;ok;dst nexthdr != 1
+
+dst hdrlength 22;ok
+dst hdrlength != 233;ok
+dst hdrlength 33-45;ok;dst hdrlength >= 33 dst hdrlength <= 45
+dst hdrlength != 33-45;ok;dst hdrlength < 33 dst hdrlength > 45
+dst hdrlength { 33, 55, 67, 88};ok
+- dst hdrlength != { 33, 55, 67, 88};ok
+dst hdrlength { 33-55};ok
+- dst hdrlength != { 33-55};ok
diff --git a/tests/regression/ip6/hbh.t b/tests/regression/ip6/hbh.t
new file mode 100644
index 0000000..b274b8b
--- /dev/null
+++ b/tests/regression/ip6/hbh.t
@@ -0,0 +1,25 @@
+*ip6;test-ip6
+*inet;test-inet
+:filter-input;type filter hook input priority 0
+
+hbh hdrlength 22;ok
+hbh hdrlength != 233;ok
+hbh hdrlength 33-45;ok;hbh hdrlength >= 33 hbh hdrlength <= 45
+hbh hdrlength != 33-45;ok;hbh hdrlength < 33 hbh hdrlength > 45
+hbh hdrlength {33, 55, 67, 88};ok
+- hbh hdrlength != {33, 55, 67, 88};ok
+hbh hdrlength { 33-55};ok
+- hbh hdrlength != {33-55};ok
+
+hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr { 58, 136, 51, 50, 6, 17, 132, 33, 108}
+- hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
+hbh nexthdr 22;ok
+hbh nexthdr != 233;ok
+hbh nexthdr 33-45;ok;hbh nexthdr >= 33 hbh nexthdr <= 45
+hbh nexthdr != 33-45;ok;hbh nexthdr < 33 hbh nexthdr > 45
+hbh nexthdr {33, 55, 67, 88};ok
+- hbh nexthdr != {33, 55, 67, 88};ok
+hbh nexthdr { 33-55};ok
+- hbh nexthdr != {33-55};ok
+hbh nexthdr ip;ok;hbh nexthdr 0
+hbh nexthdr != ip;ok;hbh nexthdr != 0
diff --git a/tests/regression/ip6/icmpv6.t b/tests/regression/ip6/icmpv6.t
new file mode 100644
index 0000000..7a86ee9
--- /dev/null
+++ b/tests/regression/ip6/icmpv6.t
@@ -0,0 +1,96 @@
+*ip6;test-ip4
+# BUG: There is a bug with icmpv6 and inet tables
+- *inet;test-inet
+:input;type filter hook input priority 0
+
+icmpv6 type destination-unreachable accept;ok
+icmpv6 type packet-too-big accept;ok
+icmpv6 type time-exceeded accept;ok
+icmpv6 type echo-request accept;ok
+icmpv6 type echo-reply accept;ok
+icmpv6 type mld-listener-query accept;ok
+icmpv6 type mld-listener-report accept;ok
+icmpv6 type mld-listener-reduction accept;ok
+icmpv6 type nd-router-solicit accept;ok
+icmpv6 type nd-router-advert accept;ok
+icmpv6 type nd-neighbor-solicit accept;ok
+icmpv6 type nd-neighbor-advert accept;ok
+icmpv6 type nd-redirect accept;ok
+icmpv6 type router-renumbering accept;ok
+icmpv6 type {destination-unreachable, time-exceeded, nd-router-solicit} accept;ok
+icmpv6 type {router-renumbering, mld-listener-reduction, time-exceeded, nd-router-solicit} accept;ok
+icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
+- icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
+
+icmpv6 code 4;ok
+icmpv6 code 3-66;ok;icmpv6 code >= 3 icmpv6 code <= 66
+icmpv6 code {5, 6, 7} accept;ok
+- icmpv6 code != {3, 66, 34};ok
+icmpv6 code { 3-66};ok
+- icmpv6 code != { 3-44};ok
+
+icmpv6 checksum 2222 log;ok
+icmpv6 checksum != 2222 log;ok
+icmpv6 checksum 222-226;ok;icmpv6 checksum >= 222 icmpv6 checksum <= 226
+icmpv6 checksum != 2222 log;ok
+icmpv6 checksum { 222, 226};ok
+- icmpv6 checksum != { 222, 226};ok
+icmpv6 checksum { 222-226};ok
+- icmpv6 checksum != { 222-226};ok
+
+# BUG: icmpv6 parameter-problem, pptr, mtu, packet-too-big
+# [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
+# [ICMP6HDR_MTU] = ICMP6HDR_FIELD("packet-too-big", icmp6_mtu),
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem 35
+# <cmdline>:1:53-53: Error: syntax error, unexpected end of file
+# add rule ip6 test6 input icmpv6 parameter-problem 35
+# ^
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem
+# <cmdline>:1:26-31: Error: Value 58 exceeds valid range 0-0
+# add rule ip6 test6 input icmpv6 parameter-problem
+# ^^^^^^
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem 2-4
+# <cmdline>:1:54-54: Error: syntax error, unexpected end of file
+# add rule ip6 test6 input icmpv6 parameter-problem 2-4
+
+# BUG: packet-too-big
+# $ sudo nft add rule ip6 test6 input icmpv6 packet-too-big 34
+# <cmdline>:1:50-50: Error: syntax error, unexpected end of file
+# add rule ip6 test6 input icmpv6 packet-too-big 34
+
+icmpv6 mtu 22;ok
+icmpv6 mtu != 233;ok
+icmpv6 mtu 33-45;ok
+icmpv6 mtu != 33-45;ok
+icmpv6 mtu {33, 55, 67, 88};ok
+- icmpv6 mtu != {33, 55, 67, 88};ok
+icmpv6 mtu {33-55};ok
+- icmpv6 mtu != {33-55};ok
+
+- icmpv6 id 2;ok
+- icmpv6 id != 233;ok
+icmpv6 id 33-45;ok
+icmpv6 id != 33-45;ok
+icmpv6 id {33, 55, 67, 88};ok
+- icmpv6 id != {33, 55, 67, 88};ok
+icmpv6 id {33-55};ok
+- icmpv6 id != {33-55};ok
+
+icmpv6 sequence 2;ok
+icmpv6 sequence {3, 4, 5, 6, 7} accept;ok
+
+icmpv6 sequence {2, 4};ok
+- icmpv6 sequence != {2, 4};ok
+icmpv6 sequence 2-4;ok;icmpv6 sequence >= 2 icmpv6 sequence <= 4
+icmpv6 sequence != 2-4;ok;icmpv6 sequence < 2 icmpv6 sequence > 4
+icmpv6 sequence { 2-4};ok
+- icmpv6 sequence != {2-4};ok
+
+- icmpv6 max-delay 22;ok
+- icmpv6 max-delay != 233;ok
+icmpv6 max-delay 33-45;ok
+icmpv6 max-delay != 33-45;ok
+icmpv6 max-delay {33, 55, 67, 88};ok
+- icmpv6 max-delay != {33, 55, 67, 88};ok
+icmpv6 max-delay {33-55};ok
+- icmpv6 max-delay != {33-55};ok
diff --git a/tests/regression/ip6/ip6.t b/tests/regression/ip6/ip6.t
new file mode 100644
index 0000000..243c789
--- /dev/null
+++ b/tests/regression/ip6/ip6.t
@@ -0,0 +1,142 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+# BUG: Problem with version, priority
+# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
+# add rule ip6 test6 input ip6 version 1
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- ip6 version 6;ok
+- ip6 priority 3;ok
+
+# $ sudo nft add rule ip6 test6 input ip6 priority 33
+# <cmdline>:1:39-40: Error: Value 33 exceeds valid range 0-15
+# $ sudo nft add rule ip6 test6 input ip6 priority 3
+# <cmdline>:1:1-39: Error: Could not process rule: Invalid argument
+# add rule ip6 test6 input ip6 priority 3
+#^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ip6 flowlabel 22;ok
+ip6 flowlabel != 233;ok
+- ip6 flowlabel 33-45;ok
+- ip6 flowlabel != 33-45;ok
+ip6 flowlabel { 33, 55, 67, 88};ok
+# BUG ip6 flowlabel { 5046528, 2883584, 13522432 }
+- ip6 flowlabel != { 33, 55, 67, 88};ok
+ip6 flowlabel { 33-55};ok
+- ip6 flowlabel != { 33-55};ok
+
+ip6 length 22;ok
+ip6 length != 233;ok
+ip6 length 33-45;ok;ip6 length >= 33 ip6 length <= 45
+ip6 length != 33-45;ok;ip6 length < 33 ip6 length > 45
+- ip6 length { 33, 55, 67, 88};ok
+- ip6 length != {33, 55, 67, 88};ok
+ip6 length { 33-55};ok
+- ip6 length != { 33-55};ok
+
+ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp} log;ok;ip6 nexthdr { 132, 51, 108, 136, 17, 33, 6} log
+ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr { 6, 136, 108, 33, 50, 17, 132, 58, 51}
+- ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
+ip6 nexthdr esp;ok;ip6 nexthdr 50
+ip6 nexthdr != esp;ok;ip6 nexthdr != 50
+ip6 nexthdr { 33-44};ok
+- p6 nexthdr != { 33-44};ok
+ip6 nexthdr 33-44;ok;ip6 nexthdr >= 33 ip6 nexthdr <= 44
+ip6 nexthdr != 33-44;ok;ip6 nexthdr < 33 ip6 nexthdr > 44
+
+ip6 hoplimit 1 log;ok
+ip6 hoplimit != 233;ok
+ip6 hoplimit 33-45;ok;ip6 hoplimit >= 33 ip6 hoplimit <= 45
+ip6 hoplimit != 33-45;ok;ip6 hoplimit < 33 ip6 hoplimit > 45
+ip6 hoplimit {33, 55, 67, 88};ok
+- ip6 hoplimit != {33, 55, 67, 88};ok
+ip6 hoplimit {33-55};ok
+- ip6 hoplimit != {33-55};ok
+
+# from src/scanner.l
+# v680 (({hex4}:){7}{hex4})
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234;ok
+# v670 ((:)(:{hex4}{7}))
+ip6 saddr ::1234:1234:1234:1234:1234:1234:1234;ok
+# v671 ((({hex4}:){1})(:{hex4}{6}))
+ip6 saddr 1234::1234:1234:1234:1234:1234:1234;ok
+# v672 ((({hex4}:){2})(:{hex4}{5}))
+ip6 saddr 1234:1234::1234:1234:1234:1234:1234;ok
+# v673 ((({hex4}:){3})(:{hex4}{4}))
+ip6 saddr 1234:1234:1234::1234:1234:1234:1234;ok
+# v674 ((({hex4}:){4})(:{hex4}{3}))
+ip6 saddr 1234:1234:1234:1234::1234:1234:1234;ok
+# v675 ((({hex4}:){5})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234:1234:1234::1234:1234;ok
+# v676 ((({hex4}:){6})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234:1234:1234::1234;ok
+# v677 ((({hex4}:){7})(:))
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234::;ok
+# v67 ({v670}|{v671}|{v672}|{v673}|{v674}|{v675}|{v676}|{v677})
+# v660 ((:)(:{hex4}{6}))
+ip6 saddr ::1234:1234:1234:1234:1234:1234;ok
+# v661 ((({hex4}:){1})(:{hex4}{5}))
+ip6 saddr 1234::1234:1234:1234:1234:1234;ok
+# v662 ((({hex4}:){2})(:{hex4}{4}))
+ip6 saddr 1234:1234::1234:1234:1234:1234;ok
+# v663 ((({hex4}:){3})(:{hex4}{3}))
+ip6 saddr 1234:1234:1234::1234:1234:1234;ok
+# v664 ((({hex4}:){4})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234:1234::1234:1234;ok
+# v665 ((({hex4}:){5})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234:1234::1234;ok
+# v666 ((({hex4}:){6})(:))
+ip6 saddr 1234:1234:1234:1234:1234:1234::;ok
+# v66 ({v660}|{v661}|{v662}|{v663}|{v664}|{v665}|{v666})
+# v650 ((:)(:{hex4}{5}))
+ip6 saddr ::1234:1234:1234:1234:1234;ok
+# v651 ((({hex4}:){1})(:{hex4}{4}))
+ip6 saddr 1234::1234:1234:1234:1234;ok
+# v652 ((({hex4}:){2})(:{hex4}{3}))
+ip6 saddr 1234:1234::1234:1234:1234;ok
+# v653 ((({hex4}:){3})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234::1234:1234;ok
+# v654 ((({hex4}:){4})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234::1234;ok
+# v655 ((({hex4}:){5})(:))
+ip6 saddr 1234:1234:1234:1234:1234::;ok
+# v65 ({v650}|{v651}|{v652}|{v653}|{v654}|{v655})
+# v640 ((:)(:{hex4}{4}))
+ip6 saddr ::1234:1234:1234:1234;ok
+# v641 ((({hex4}:){1})(:{hex4}{3}))
+ip6 saddr 1234::1234:1234:1234;ok
+# v642 ((({hex4}:){2})(:{hex4}{2}))
+ip6 saddr 1234:1234::1234:1234;ok
+# v643 ((({hex4}:){3})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234::1234;ok
+# v644 ((({hex4}:){4})(:))
+ip6 saddr 1234:1234:1234:1234::;ok
+# v64 ({v640}|{v641}|{v642}|{v643}|{v644})
+# v630 ((:)(:{hex4}{3}))
+ip6 saddr ::1234:1234:1234;ok
+# v631 ((({hex4}:){1})(:{hex4}{2}))
+ip6 saddr 1234::1234:1234;ok
+# v632 ((({hex4}:){2})(:{hex4}{1}))
+ip6 saddr 1234:1234::1234;ok
+# v633 ((({hex4}:){3})(:))
+ip6 saddr 1234:1234:1234::;ok
+# v63 ({v630}|{v631}|{v632}|{v633})
+# v620 ((:)(:{hex4}{2}))
+ip6 saddr ::1234:1234;ok
+# v621 ((({hex4}:){1})(:{hex4}{1}))
+ip6 saddr 1234::1234;ok
+# v622 ((({hex4}:){2})(:))
+ip6 saddr 1234:1234::;ok
+# v62 ({v620}|{v621}|{v622})
+# v610 ((:)(:{hex4}{1}))
+ip6 saddr ::1234;ok
+# v611 ((({hex4}:){1})(:))
+ip6 saddr 1234::;ok
+# v61 ({v610}|{v611})
+# v60 (::)
+ip6 saddr ::/64;ok
+
+- ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 };ok
+ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234;ok
diff --git a/tests/regression/ip6/mh.t b/tests/regression/ip6/mh.t
new file mode 100644
index 0000000..4ff58a1
--- /dev/null
+++ b/tests/regression/ip6/mh.t
@@ -0,0 +1,49 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+mh nexthdr 1;ok
+mh nexthdr != 1;ok
+mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp };ok;mh nexthdr { 58, 17, 108, 6, 51, 136, 50, 132, 33}
+- mh nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+mh nexthdr icmp;ok;mh nexthdr 1
+mh nexthdr != icmp;ok;mh nexthdr != 1
+mh nexthdr 22;ok
+mh nexthdr != 233;ok
+mh nexthdr 33-45;ok;mh nexthdr >= 33 mh nexthdr <= 45
+mh nexthdr != 33-45;ok;mh nexthdr < 33 mh nexthdr > 45
+mh nexthdr { 33, 55, 67, 88 };ok
+- mh nexthdr != { 33, 55, 67, 88 };ok
+mh nexthdr { 33-55 };ok
+- mh nexthdr != { 33-55 };ok
+
+mh hdrlength 22;ok
+mh hdrlength != 233;ok
+mh hdrlength 33-45;ok;mh hdrlength >= 33 mh hdrlength <= 45
+mh hdrlength != 33-45;ok;mh hdrlength < 33 mh hdrlength > 45
+mh hdrlength { 33, 55, 67, 88 };ok;mh hdrlength { 67, 33, 88, 55}
+- mh hdrlength != { 33, 55, 67, 88 };ok
+mh hdrlength { 33-55 };ok
+- mh hdrlength != { 33-55 };ok
+
+mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message};ok
+mh type home-agent-switch-message;ok
+mh type != home-agent-switch-message;ok
+
+mh reserved 22;ok
+mh reserved != 233;ok
+mh reserved 33-45;ok;mh reserved >= 33 mh reserved <= 45
+mh reserved != 33-45;ok;mh reserved < 33 mh reserved > 45
+mh reserved { 33, 55, 67, 88};ok
+- mh reserved != {33, 55, 67, 88};ok
+mh reserved { 33-55};ok
+- mh reserved != { 33-55};ok
+
+mh checksum 22;ok
+mh checksum != 233;ok
+mh checksum 33-45;ok;mh checksum >= 33 mh checksum <= 45
+mh checksum != 33-45;ok;mh checksum < 33 mh checksum > 45
+mh checksum { 33, 55, 67, 88};ok
+- mh checksum != { 33, 55, 67, 88};ok
+mh checksum { 33-55};ok
+- mh checksum != { 33-55};ok
diff --git a/tests/regression/ip6/nat.t b/tests/regression/ip6/nat.t
new file mode 100644
index 0000000..2fb4ac8
--- /dev/null
+++ b/tests/regression/ip6/nat.t
@@ -0,0 +1,6 @@
+*ip6;test-ip6
+- *inet;test-inet
+:input;type nat hook input priority 0
+
+tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:: :80-100;ok
+tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:: :100;ok
diff --git a/tests/regression/ip6/reject.t b/tests/regression/ip6/reject.t
new file mode 100644
index 0000000..b49c50b
--- /dev/null
+++ b/tests/regression/ip6/reject.t
@@ -0,0 +1,5 @@
+*ip6;test-ip6
+*inet;test-inet
+:output;type filter hook output priority 0
+
+reject;ok
diff --git a/tests/regression/ip6/rt.t b/tests/regression/ip6/rt.t
new file mode 100644
index 0000000..76579ba
--- /dev/null
+++ b/tests/regression/ip6/rt.t
@@ -0,0 +1,45 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+rt nexthdr 1;ok
+rt nexthdr != 1;ok
+rt nexthdr {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;rt nexthdr { 33, 136, 50, 132, 51, 17, 108, 6, 58}
+- rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+rt nexthdr icmp;ok;rt nexthdr 1
+rt nexthdr != icmp;ok;rt nexthdr != 1
+rt nexthdr 22;ok
+rt nexthdr != 233;ok
+rt nexthdr 33-45;ok;rt nexthdr >= 33 rt nexthdr <= 45
+rt nexthdr != 33-45;ok;rt nexthdr < 33 rt nexthdr > 45
+rt nexthdr { 33, 55, 67, 88};ok
+- rt nexthdr != { 33, 55, 67, 88};ok
+rt nexthdr { 33-55};ok;rt nexthdr { 33-55}
+- rt nexthdr != { 33-55};ok
+
+rt hdrlength 22;ok
+rt hdrlength != 233;ok
+rt hdrlength 33-45;ok;rt hdrlength >= 33 rt hdrlength <= 45
+rt hdrlength != 33-45;ok;rt hdrlength < 33 rt hdrlength > 45
+rt hdrlength { 33, 55, 67, 88};ok
+- rt hdrlength != { 33, 55, 67, 88};ok
+rt hdrlength { 33-55};ok
+- rt hdrlength != { 33-55};ok
+
+rt type 22;ok
+rt type != 233;ok
+rt type 33-45;ok;rt type >= 33 rt type <= 45
+rt type != 33-45;ok;rt type < 33 rt type > 45
+rt type { 33, 55, 67, 88};ok
+- rt type != { 33, 55, 67, 88};ok
+rt type { 33-55};ok
+- rt type != { 33-55};ok
+
+rt seg-left 22;ok
+rt seg-left != 233;ok
+rt seg-left 33-45;ok;rt seg-left >= 33 rt seg-left <= 45
+rt seg-left != 33-45;ok;rt seg-left < 33 rt seg-left > 45
+rt seg-left { 33, 55, 67, 88};ok
+- rt seg-left != { 33, 55, 67, 88};ok
+rt seg-left { 33-55};ok
+- rt seg-left != { 33-55};ok
diff --git a/tests/regression/ip6/sets.t b/tests/regression/ip6/sets.t
new file mode 100644
index 0000000..4938929
--- /dev/null
+++ b/tests/regression/ip6/sets.t
@@ -0,0 +1,22 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+!set_ipv6_add1 ipv6_addr;ok
+!set_inet1 inet_proto;ok
+!set_inet inet_service;ok
+!set_time time;ok
+
+?set2 192.168.3.4;fail
+!set2 ipv6_addr;ok
+?set2 1234:1234::1234:1234:1234:1234:1234;ok
+?set2 1234:1234::1234:1234:1234:1234:1234;fail
+?set2 1234::1234:1234:1234;ok
+?set2 1234:1234:1234:1234:1234::1234:1234 1234:1234::123;ok
+?set2 192.168.3.8 192.168.3.9;fail
+?set2 1234:1234::1234:1234:1234:1234;ok
+?set2 1234:1234::1234:1234:1234:1234;fail
+?set2 1234:1234:1234::1234;ok
+
+ip6 saddr @set2 drop;ok
+ip6 saddr @set33 drop;fail
diff --git a/tests/regression/ip6/vmap.t b/tests/regression/ip6/vmap.t
new file mode 100644
index 0000000..705f369
--- /dev/null
+++ b/tests/regression/ip6/vmap.t
@@ -0,0 +1,54 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+ip6 saddr vmap { abcd::3 : accept };ok
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234:1234;fail
+
+# Ipv6 address combinations
+# from src/scanner.l
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234 : accept};ok
+ip6 saddr vmap { 1234:: : accept};ok
+ip6 saddr vmap { ::/64 : accept};ok
+
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop};ok
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop};ok
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop};ok
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop};ok
+
+# rule without comma:
+filter-input ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:bbbb:::accept::adda : drop};fail
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [v3 nft 4/7] tests: Add inet folder with test files.
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
` (2 preceding siblings ...)
2014-09-18 10:39 ` [v3 nft 3/7] tests: Add ip6 " Ana Rey
@ 2014-09-18 10:39 ` Ana Rey
2014-09-18 10:39 ` [v3 nft 5/7] tests: Add arp " Ana Rey
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Ana Rey @ 2014-09-18 10:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
"inet" folder contains the test files that are executed in ipv4, ipv6
and inet family of tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/regression/inet/ah.t | 58 ++++++++++++++++++++++
tests/regression/inet/comp.t | 31 ++++++++++++
tests/regression/inet/dccp.t | 32 ++++++++++++
tests/regression/inet/esp.t | 23 +++++++++
tests/regression/inet/sctp.t | 42 ++++++++++++++++
tests/regression/inet/tcp.t | 103 +++++++++++++++++++++++++++++++++++++++
tests/regression/inet/udp.t | 49 +++++++++++++++++++
tests/regression/inet/udplite.t | 42 ++++++++++++++++
8 files changed, 380 insertions(+)
create mode 100644 tests/regression/inet/ah.t
create mode 100644 tests/regression/inet/comp.t
create mode 100644 tests/regression/inet/dccp.t
create mode 100644 tests/regression/inet/esp.t
create mode 100644 tests/regression/inet/sctp.t
create mode 100644 tests/regression/inet/tcp.t
create mode 100644 tests/regression/inet/udp.t
create mode 100644 tests/regression/inet/udplite.t
diff --git a/tests/regression/inet/ah.t b/tests/regression/inet/ah.t
new file mode 100644
index 0000000..6defc35
--- /dev/null
+++ b/tests/regression/inet/ah.t
@@ -0,0 +1,58 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+# nexthdr Bug to list table.
+
+- ah nexthdr esp;ok
+- ah nexthdr ah;ok
+- ah nexthdr comp;ok
+- ah nexthdr udp;ok
+- ah nexthdr udplite;ok
+- ah nexthdr tcp;ok
+- ah nexthdr dccp;ok
+- ah nexthdr sctp;ok
+
+- ah nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;ah nexthdr { 6, 132, 50, 17, 136, 33, 51, 108}
+- ah nexthdr != { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+
+ah hdrlength 11-23;ok;ah hdrlength >= 11 ah hdrlength <= 23
+ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23
+ah hdrlength { 11-23};ok
+- ah hdrlength != { 11-23};ok
+ah hdrlength {11, 23, 44 };ok
+- ah hdrlength != {11-23 };ok
+
+ah reserved 22;ok
+ah reserved != 233;ok
+ah reserved 33-45;ok;ah reserved >= 33 ah reserved <= 45
+ah reserved != 33-45;ok;ah reserved < 33 ah reserved > 45
+ah reserved {23, 100};ok
+- ah reserved != {33, 55, 67, 88};ok
+ah reserved { 33-55};ok
+- ah reserved != { 33-55};ok
+
+ah spi 111;ok
+ah spi != 111;ok
+ah spi 111-222;ok;ah spi >= 111 ah spi <= 222
+ah spi != 111-222;ok;ah spi < 111 ah spi > 222
+ah spi {111, 122};ok
+- ah spi != {111, 122};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+ah spi { 111-122};ok
+- ah spi != { 111-122};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+# sequence
+ah sequence 123;ok
+ah sequence != 123;ok
+ah sequence {23, 25, 33};ok
+- ah sequence != {23, 25, 33};ok
+ah sequence { 23-33};ok
+- ah sequence != { 33-44};ok
+ah sequence 23-33;ok;ah sequence >= 23 ah sequence <= 33
+ah sequence != 23-33;ok;ah sequence < 23 ah sequence > 33
diff --git a/tests/regression/inet/comp.t b/tests/regression/inet/comp.t
new file mode 100644
index 0000000..32db32b
--- /dev/null
+++ b/tests/regression/inet/comp.t
@@ -0,0 +1,31 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+
+:input;type filter hook input priority 0
+
+# BUG: Do no list table.
+- comp nexthdr esp;ok;comp nexthdr 50
+comp nexthdr != esp;ok
+
+- comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp};ok
+# comp flags ## 8-bit field. Reserved for future use. MUST be set to zero.
+
+# Bug comp flags: to list. List the decimal value.
+comp flags 0x00;ok
+comp flags != 0x23;ok
+comp flags 0x33-0x45;ok
+comp flags != 0x33-0x45;ok
+comp flags {0x33, 0x55, 0x67, 0x88};ok
+- comp flags != {0x33, 0x55, 0x67, 0x88};ok
+comp flags { 0x33-0x55};ok
+- comp flags != { 0x33-0x55};ok
+
+comp cpi 22;ok
+comp cpi != 233;ok
+comp cpi 33-45;ok;comp cpi >= 33 comp cpi <= 45
+comp cpi != 33-45;ok;comp cpi < 33 comp cpi > 45
+comp cpi {33, 55, 67, 88};ok
+- comp cpi != {33, 55, 67, 88};ok
+comp cpi { 33-55};ok
+- comp cpi != { 33-55};ok
diff --git a/tests/regression/inet/dccp.t b/tests/regression/inet/dccp.t
new file mode 100644
index 0000000..272c0e2
--- /dev/null
+++ b/tests/regression/inet/dccp.t
@@ -0,0 +1,32 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+dccp sport 21-35;ok;dccp sport >= 21 dccp sport <= 35
+dccp sport != 21-35;ok;dccp sport < 21 dccp sport > 35
+dccp sport {23, 24, 25};ok;dccp sport { 23, 24, 25}
+- dccp sport != { 27, 34};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+dccp sport { ftp-data - re-mail-ck};ok;dccp sport { 20-50}
+dccp sport ftp-data - re-mail-ck;ok;dccp sport >= 20 dccp sport <= 50
+dccp sport { 20-50};ok
+- dccp sport != {27-34};ok
+# dccp sport != {27-34};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+# dccp dport 21-35;ok
+# dccp dport != 21-35;ok
+dccp dport {23, 24, 25};ok
+# dccp dport != {27, 34};ok
+dccp dport { 20-50};ok
+# dccp dport != {27-34};ok
+
+# BUG dccp type
+# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+# dccp type request;ok
+# dccp type != request;ok
diff --git a/tests/regression/inet/esp.t b/tests/regression/inet/esp.t
new file mode 100644
index 0000000..1f23aa4
--- /dev/null
+++ b/tests/regression/inet/esp.t
@@ -0,0 +1,23 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+esp spi 100;ok
+esp spi != 100;ok
+esp spi 111-222;ok;esp spi >= 111 esp spi <= 222
+esp spi != 111-222;ok;esp spi < 111 esp spi > 222
+esp spi { 100, 102};ok
+- esp spi != { 100, 102};ok
+esp spi { 100-102};ok
+- esp spi {100-102};ok
+
+esp sequence 22;ok
+esp sequence 22-24;ok;esp sequence >= 22 esp sequence <= 24
+esp sequence != 22-24;ok;esp sequence < 22 esp sequence > 24
+esp sequence { 22, 24};ok
+- esp sequence != { 22, 24};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+esp sequence { 22-25};ok
+- esp sequence != { 22-25};ok
diff --git a/tests/regression/inet/sctp.t b/tests/regression/inet/sctp.t
new file mode 100644
index 0000000..b98b0af
--- /dev/null
+++ b/tests/regression/inet/sctp.t
@@ -0,0 +1,42 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+sctp sport 23;ok
+sctp sport != 23;ok
+sctp sport 23-44;ok;sctp sport >= 23 sctp sport <= 44
+sctp sport != 23-44;ok;sctp sport < 23 sctp sport > 44
+sctp sport { 23, 24, 25};ok
+- sctp sport != { 23, 24, 25};ok
+sctp sport { 23-44};ok
+- sctp sport != { 23-44};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+sctp dport 23;ok
+sctp dport != 23;ok
+sctp dport 23-44;ok;sctp dport >= 23 sctp dport <= 44
+sctp dport != 23-44;ok;sctp dport < 23 sctp dport > 44
+sctp dport { 23, 24, 25};ok
+- sctp dport != { 23, 24, 25};ok
+sctp dport { 23-44};ok
+- sctp dport != { 23-44};ok
+
+sctp checksum 1111;ok
+sctp checksum != 11;ok
+sctp checksum 21-333;ok;sctp checksum >= 21 sctp checksum <= 333
+sctp checksum != 32-111;ok;sctp checksum < 32 sctp checksum > 111
+sctp checksum { 22, 33, 44};ok
+- sctp checksum != { 22, 33, 44};ok
+sctp checksum { 22-44};ok
+- sctp checksum != { 22-44};ok
+
+sctp vtag 22;ok
+sctp vtag != 233;ok
+sctp vtag 33-45;ok;sctp vtag >= 33 sctp vtag <= 45
+sctp vtag != 33-45;ok;sctp vtag < 33 sctp vtag > 45
+sctp vtag {33, 55, 67, 88};ok
+- sctp vtag != {33, 55, 67, 88};ok
+sctp vtag { 33-55};ok
+- sctp vtag != { 33-55};ok
diff --git a/tests/regression/inet/tcp.t b/tests/regression/inet/tcp.t
new file mode 100644
index 0000000..f72ec52
--- /dev/null
+++ b/tests/regression/inet/tcp.t
@@ -0,0 +1,103 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+tcp dport 22;ok
+tcp dport != 233;ok
+tcp dport 33-45;ok;tcp dport >= 33 tcp dport <= 45
+tcp dport != 33-45;ok;tcp dport < 33 tcp dport > 45
+tcp dport { 33, 55, 67, 88};ok
+- tcp dport != { 33, 55, 67, 88};ok
+tcp dport { 33-55};ok
+- tcp dport != { 33-55};ok
+tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept
+tcp dport vmap { 22 : accept, 23 : drop };ok
+tcp dport vmap { 25:accept, 28:drop };ok
+tcp dport { 22, 53, 80, 110 };ok
+- tcp dport != { 22, 53, 80, 110 };ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+tcp sport 22;ok
+tcp sport != 233;ok
+tcp sport 33-45;ok;tcp sport >= 33 tcp sport <= 45
+tcp sport != 33-45;ok;tcp sport < 33 tcp sport > 45
+tcp sport { 33, 55, 67, 88};ok
+- tcp sport != { 33, 55, 67, 88};ok
+tcp sport { 33-55};ok
+- tcp sport != { 33-55};ok
+tcp sport vmap { 25:accept, 28:drop };ok
+
+tcp sport 8080 drop;ok
+tcp sport 1024 tcp dport 22;ok
+tcp sport 1024 tcp dport 22 tcp sequence 0;ok
+
+tcp sequence 0 tcp sport 1024 tcp dport 22;ok;tcp sport 1024 tcp dport 22 tcp sequence 0
+tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok
+
+tcp sequence 22;ok
+tcp sequence != 233;ok
+tcp sequence 33-45;ok;tcp sequence >= 33 tcp sequence <= 45
+tcp sequence != 33-45;ok;tcp sequence < 33 tcp sequence > 45
+tcp sequence { 33, 55, 67, 88};ok
+- tcp sequence != { 33, 55, 67, 88};ok
+tcp sequence { 33-55};ok
+- tcp sequence != { 33-55};ok
+
+tcp ackseq 42949672 drop;ok
+tcp ackseq 22;ok
+tcp ackseq != 233;ok
+tcp ackseq 33-45;ok;tcp ackseq >= 33 tcp ackseq <= 45
+tcp ackseq != 33-45;ok;tcp ackseq < 33 tcp ackseq > 45
+tcp ackseq { 33, 55, 67, 88};ok
+- tcp ackseq != { 33, 55, 67, 88};ok
+tcp ackseq { 33-55};ok
+- tcp ackseq != { 33-55};ok
+
+- tcp doff 22;ok
+- tcp doff != 233;ok
+- tcp doff 33-45;ok
+- tcp doff != 33-45;ok
+- tcp doff { 33, 55, 67, 88};ok
+- tcp doff != { 33, 55, 67, 88};ok
+- tcp doff { 33-55};ok
+- tcp doff != { 33-55};ok
+
+# BUG reserved
+# BUG: It is accepted but it is not shown then. tcp reserver
+
+tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop;ok
+- tcp flags != { fin, urg, ecn, cwr} drop;ok
+tcp flags cwr;ok
+tcp flags != cwr;ok
+
+tcp window 22222;ok
+tcp window 22;ok
+tcp window != 233;ok
+tcp window 33-45;ok;tcp window >= 33 tcp window <= 45
+tcp window != 33-45;ok;tcp window < 33 tcp window > 45
+tcp window { 33, 55, 67, 88};ok
+- tcp window != { 33, 55, 67, 88};ok
+tcp window { 33-55};ok
+- tcp window != { 33-55};ok
+
+tcp checksum 23456 log drop;ok
+tcp checksum 22;ok
+tcp checksum != 233;ok
+tcp checksum 33-45;ok;tcp checksum >= 33 tcp checksum <= 45
+tcp checksum != 33-45;ok;tcp checksum < 33 tcp checksum > 45
+tcp checksum { 33, 55, 67, 88};ok
+- tcp checksum != { 33, 55, 67, 88};ok
+tcp checksum { 33-55};ok
+- tcp checksum != { 33-55};ok
+
+tcp urgptr 1234 accept;ok
+tcp urgptr 22;ok
+tcp urgptr != 233;ok
+tcp urgptr 33-45;ok;tcp urgptr >= 33 tcp urgptr <= 45
+tcp urgptr != 33-45;ok;tcp urgptr < 33 tcp urgptr > 45
+tcp urgptr { 33, 55, 67, 88};ok
+- tcp urgptr != { 33, 55, 67, 88};ok
+tcp urgptr { 33-55};ok
+- tcp urgptr != { 33-55};ok
diff --git a/tests/regression/inet/udp.t b/tests/regression/inet/udp.t
new file mode 100644
index 0000000..0e8a01f
--- /dev/null
+++ b/tests/regression/inet/udp.t
@@ -0,0 +1,49 @@
+*ip;test-ip4
+*ip;test-ip6
+*ip;test-inet
+:input;type filter hook input priority 0
+
+udp sport 80 accept;ok
+udp sport != 60 accept;ok
+udp sport 50-70 accept;ok;udp sport >= 50 udp sport <= 70 accept
+udp sport != 50-60 accept;ok;udp sport < 50 udp sport > 60 accept
+udp sport { 49, 50} drop;ok;udp sport { 49, 50} drop
+- udp sport != { 50, 60} accept;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+udp sport { 12-40};ok
+- udp sport != { 13-24};ok
+
+udp dport 80 accept;ok
+udp dport != 60 accept;ok
+udp dport 70-75 accept;ok;udp dport >= 70 udp dport <= 75 accept
+udp dport != 50-60 accept;ok;udp dport < 50 udp dport > 60 accept
+udp dport { 49, 50} drop;ok
+- udp dport != { 50, 60} accept;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+udp dport { 70-75} accept;ok;udp dport { 70-75} accept
+- udp dport != { 50-60} accept;ok
+
+udp length 6666;ok
+udp length != 6666;ok
+udp length 50-65 accept;ok;udp length >= 50 udp length <= 65 accept
+udp length != 50-65 accept;ok;udp length < 50 udp length > 65 accept
+udp length { 50, 65} accept;ok
+- udp length != { 50, 65} accept;ok
+udp length { 35-50};ok
+- udp length != { 35-50};ok
+
+udp checksum 6666 drop;ok
+- udp checksum != { 444, 555} accept;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+udp checksum 22;ok
+udp checksum != 233;ok
+udp checksum 33-45;ok;udp checksum >= 33 udp checksum <= 45
+udp checksum != 33-45;ok;udp checksum < 33 udp checksum > 45
+udp checksum { 33, 55, 67, 88};ok
+- udp checksum != { 33, 55, 67, 88};ok
+udp checksum { 33-55};ok
+- udp checksum != { 33-55};ok
diff --git a/tests/regression/inet/udplite.t b/tests/regression/inet/udplite.t
new file mode 100644
index 0000000..1d5fbb3
--- /dev/null
+++ b/tests/regression/inet/udplite.t
@@ -0,0 +1,42 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+udplite sport 80 accept;ok
+udplite sport != 60 accept;ok
+udplite sport 50-70 accept;ok;udplite sport >= 50 udplite sport <= 70 accept
+udplite sport != 50-60 accept;ok;udplite sport < 50 udplite sport > 60 accept
+udplite sport { 49, 50} drop;ok;udplite sport { 49, 50} drop
+- udplite sport != { 50, 60} accept;ok
+udplite sport { 12-40};ok
+- udplite sport != { 13-24};ok
+
+udplite dport 80 accept;ok
+udplite dport != 60 accept;ok
+udplite dport 70-75 accept;ok;udplite dport >= 70 udplite dport <= 75 accept
+udplite dport != 50-60 accept;ok;udplite dport < 50 udplite dport > 60 accept
+udplite dport { 49, 50} drop;ok;udplite dport { 49, 50} drop
+- udplite dport != { 50, 60} accept;ok
+udplite dport { 70-75} accept;ok;udplite dport { 70-75} accept
+- udplite dport != { 50-60} accept;ok
+
+- udplite csumcov 6666;ok
+- udplite csumcov != 6666;ok
+- udplite csumcov 50-65 accept;ok
+- udplite csumcov != 50-65 accept;ok
+- udplite csumcov { 50, 65} accept;ok
+- udplite csumcov != { 50, 65} accept;ok
+- udplite csumcov { 35-50};ok
+- udplite csumcov != { 35-50};ok
+
+udplite checksum 6666 drop;ok
+- udplite checksum != { 444, 555} accept;ok
+udplite checksum 22;ok
+udplite checksum != 233;ok
+udplite checksum 33-45;ok;udplite checksum >= 33 udplite checksum <= 45
+udplite checksum != 33-45;ok;udplite checksum < 33 udplite checksum > 45
+udplite checksum { 33, 55, 67, 88};ok
+- udplite checksum != { 33, 55, 67, 88};ok
+udplite checksum { 33-55};ok
+- udplite checksum != { 33-55};ok
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [v3 nft 5/7] tests: Add arp folder with test files.
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
` (3 preceding siblings ...)
2014-09-18 10:39 ` [v3 nft 4/7] tests: Add inet " Ana Rey
@ 2014-09-18 10:39 ` Ana Rey
2014-09-18 10:39 ` [v3 nft 6/7] tests: Add bridge " Ana Rey
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Ana Rey @ 2014-09-18 10:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
"arp" folder contains the test files that are executed in arp tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/regression/arp/arp.t | 53 +++++++++++++++++++++++++++++++++++++++++
tests/regression/arp/chains.t | 5 ++++
2 files changed, 58 insertions(+)
create mode 100644 tests/regression/arp/arp.t
create mode 100644 tests/regression/arp/chains.t
diff --git a/tests/regression/arp/arp.t b/tests/regression/arp/arp.t
new file mode 100644
index 0000000..797e394
--- /dev/null
+++ b/tests/regression/arp/arp.t
@@ -0,0 +1,53 @@
+*arp;test-arp
+# filter chains available are: input, output, forward
+:input;type filter hook input priority 0
+
+arp htype 1;ok
+arp htype != 1;ok
+arp htype 22;ok
+arp htype != 233;ok
+arp htype 33-45;ok;arp htype >= 33 arp htype <= 45
+arp htype != 33-45;ok;arp htype < 33 arp htype > 45
+arp htype { 33, 55, 67, 88};ok
+- arp htype != { 33, 55, 67, 88};ok
+arp htype { 33-55};ok
+- arp htype != { 33-55};ok
+
+arp ptype 0x0800;ok
+
+arp hlen 22;ok
+arp hlen != 233;ok
+arp hlen 33-45;ok;arp hlen >= 33 arp hlen <= 45
+arp hlen != 33-45;ok;arp hlen < 33 arp hlen > 45
+arp hlen { 33, 55, 67, 88};ok
+- arp hlen != { 33, 55, 67, 88};ok
+arp hlen { 33-55};ok
+- arp hlen != { 33-55};ok
+
+arp plen 22;ok
+arp plen != 233;ok
+arp plen 33-45;ok;arp plen >= 33 arp plen <= 45
+arp plen != 33-45;ok;arp plen < 33 arp plen > 45
+arp plen { 33, 55, 67, 88};ok
+- arp plen != { 33, 55, 67, 88};ok
+arp plen { 33-55};ok
+- arp plen != {33-55};ok
+
+arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
+- arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
+arp operation request;ok
+arp operation reply;ok
+arp operation rrequest;ok
+arp operation rreply;ok
+arp operation inrequest;ok
+arp operation inreply;ok
+arp operation nak;ok
+arp operation reply;ok
+arp operation != request;ok
+arp operation != reply;ok
+arp operation != rrequest;ok
+arp operation != rreply;ok
+arp operation != inrequest;ok
+arp operation != inreply;ok
+arp operation != nak;ok
+arp operation != reply;ok
diff --git a/tests/regression/arp/chains.t b/tests/regression/arp/chains.t
new file mode 100644
index 0000000..6b0c042
--- /dev/null
+++ b/tests/regression/arp/chains.t
@@ -0,0 +1,5 @@
+*arp;test-arp
+- filter chains available are: input, output, forward
+:input;type filter hook input priority 0
+:forward;type filter hook forward priority 0
+:output;type filter hook output priority 0
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [v3 nft 6/7] tests: Add bridge folder with test files.
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
` (4 preceding siblings ...)
2014-09-18 10:39 ` [v3 nft 5/7] tests: Add arp " Ana Rey
@ 2014-09-18 10:39 ` Ana Rey
2014-09-18 10:39 ` [v3 nft 7/7] tests: Add any " Ana Rey
2014-09-18 11:02 ` [v3 nft 0/7] tests: Automated regression testing Pablo Neira Ayuso
7 siblings, 0 replies; 9+ messages in thread
From: Ana Rey @ 2014-09-18 10:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
"bridge" folder contains the test files that are executed in bridge tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/regression/bridge/chains.t | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 tests/regression/bridge/chains.t
diff --git a/tests/regression/bridge/chains.t b/tests/regression/bridge/chains.t
new file mode 100644
index 0000000..3fb1c89
--- /dev/null
+++ b/tests/regression/bridge/chains.t
@@ -0,0 +1,7 @@
+*bridge;test-bridge
+# filter chains available are: input, output, forward
+:filter-input;type filter hook input priority 0
+:filter-forward;type filter hook forward priority 0
+:filter-output;type filter hook output priority 0
+
+- ether type 1;ok
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [v3 nft 7/7] tests: Add any folder with test files.
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
` (5 preceding siblings ...)
2014-09-18 10:39 ` [v3 nft 6/7] tests: Add bridge " Ana Rey
@ 2014-09-18 10:39 ` Ana Rey
2014-09-18 11:02 ` [v3 nft 0/7] tests: Automated regression testing Pablo Neira Ayuso
7 siblings, 0 replies; 9+ messages in thread
From: Ana Rey @ 2014-09-18 10:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
"any" folder contains the test files that are executed in ipv4, ipv6,
inet, arp, bridge family of tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/regression/any/ct.t | 105 +++++++++++++++++++++++++++
tests/regression/any/frag.t | 64 +++++++++++++++++
tests/regression/any/limit.t | 12 ++++
tests/regression/any/log.t | 27 +++++++
tests/regression/any/meta.t | 160 ++++++++++++++++++++++++++++++++++++++++++
tests/regression/any/queue.t | 15 ++++
6 files changed, 383 insertions(+)
create mode 100644 tests/regression/any/ct.t
create mode 100644 tests/regression/any/frag.t
create mode 100644 tests/regression/any/limit.t
create mode 100644 tests/regression/any/log.t
create mode 100644 tests/regression/any/meta.t
create mode 100644 tests/regression/any/queue.t
diff --git a/tests/regression/any/ct.t b/tests/regression/any/ct.t
new file mode 100644
index 0000000..7ce898d
--- /dev/null
+++ b/tests/regression/any/ct.t
@@ -0,0 +1,105 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+# ct expresion is not supported in arp and bridge family yet.
+- *arp;test-arp
+- *bridge;test-bridge
+
+:output;type filter hook output priority 0
+
+ct state new,established, related, untracked;ok;ct state established,related,new,untracked
+ct state != related;ok
+ct state {new,established, related, untracked};ok
+- ct state != {new,established, related, untracked};ok
+ct state invalid drop;ok
+ct state established accept;ok
+
+ct direction original;ok
+ct direction != original;ok
+ct direction reply;ok
+ct direction != reply;ok
+ct direction {reply, original};ok
+- ct direction != {reply, original};ok
+
+ct status expected;ok
+ct status != expected;ok
+ct status seen-reply;ok
+ct status != seen-reply;ok
+ct status {expected, seen-reply, assured, confirmed, dying};ok
+
+# SYMBOL("snat", IPS_SRC_NAT)
+# SYMBOL("dnat", IPS_DST_NAT)
+- ct status snat;ok
+- ct status dnat;ok
+
+ct mark 0;ok;ct mark 0x00000000
+ct mark or 0x23 == 0x11;ok;ct mark | 0x00000023 == 0x00000011
+ct mark or 0x3 != 0x1;ok;ct mark | 0x00000003 != 0x00000001
+ct mark and 0x23 == 0x11;ok;ct mark & 0x00000023 == 0x00000011
+ct mark and 0x3 != 0x1;ok;ct mark & 0x00000003 != 0x00000001
+ct mark xor 0x23 == 0x11;ok;ct mark 0x00000032
+ct mark xor 0x3 != 0x1;ok;ct mark != 0x00000002
+
+ct mark 0x32;ok;ct mark 0x00000032
+ct mark != 0x32;ok;ct mark != 0x00000032
+ct mark 0x32-0x45;ok;ct mark >= 0x00000032 ct mark <= 0x45000000
+ct mark != 0x32-0x43;ok;ct mark < 0x00000032 ct mark > 0x43000000
+ct mark {0x32, 0x2222, 0x42de3};ok;ct mark { 0x00042de3, 0x00002222, 0x00000032}
+- ct mark != {0x32, 0x2222, 0x42de3};ok
+
+# ct mark != {0x32, 0x2222, 0x42de3};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+ct mark set 0x11 xor 0x1331;ok;ct mark set 0x00001320
+ct mark set 0x11333 and 0x11;ok;ct mark set 0x00000011
+ct mark set 0x12 or 0x11;ok;ct mark set 0x00000013
+ct mark set 0x11;ok;ct mark set 0x00000011
+
+ct expiration 30;ok
+ct expiration 22;ok
+ct expiration != 233;ok
+ct expiration 33-45;ok
+# BUG: ct expiration 33-45 and ct expiration != 33-45
+# Broken output: ct expiration >= "33s" ct expiration <= "9709d53m20s"
+ct expiration != 33-45;ok
+ct expiration {33, 55, 67, 88};ok
+- ct expiration != {33, 55, 67, 88};ok
+ct expiration {33-55};ok
+# BUG: ct expiration {33-55}
+# Broken output: ct expiration { "4271d23h25m52s"-"8738d3h11m59s" }
+- ct expiration != {33-55};ok
+
+ct helper "ftp";ok
+ct helper "12345678901234567";fail
+
+# BUG: ct l3proto "Layer 3 protocol of the connection"
+# nft add rule ip test input ct l3proto arp
+# <cmdline>:1:35-37: Error: Can t parse symbolic invalid expressions
+
+
+# If table is ip6 or inet or bridge family,, It is failed. I can not test it
+# ct saddr 1.2.3.4;ok
+
+# BUG: ct saddr 192.168.3.4
+# <cmdline>:1:1-43: Error: Could not process rule: Invalid argument
+# add rule ip test input ct saddr 192.168.3.4
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+- ct saddr 192.168.3.4;ok
+- ct daddr 192.168.3.4;ok
+
+# BUG: ct protocol tcp
+# <cmdline>:1:1-37: Error: Could not process rule: Invalid argument
+# input ct protocol bgp <cmdline>:1:36-38: Error: Could not resolve protocol name
+# ct protocol tcp;ok
+- ct protocol tcp;ok
+
+- ct proto-src udp;ok
+- ct proto-dst udp;ok
+# BUG: ct proto-src udp and ct proto-dst udp
+# <cmdline>:1:37-39: Error: datatype mismatch, expected invalid, expression has type Internet protocol
+# add rule ip test input ct proto-src udp
+# ~~~~~~~~~~~~ ^^^
+# <cmdline>:1:37-39: Error: datatype mismatch, expected invalid, expression has type Internet protocol
+# add rule ip test input ct proto-dst udp
+# ~~~~~~~~~~~~ ^^^
diff --git a/tests/regression/any/frag.t b/tests/regression/any/frag.t
new file mode 100644
index 0000000..92caf1e
--- /dev/null
+++ b/tests/regression/any/frag.t
@@ -0,0 +1,64 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+*arp;test-arp
+*bridge;test-bridge
+:output;type filter hook output priority 0
+
+frag nexthdr tcp;ok;frag nexthdr 6
+frag nexthdr != icmp;ok;frag nexthdr != 1
+frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;frag nexthdr { 51, 136, 132, 6, 108, 50, 17, 33}
+- frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+frag nexthdr esp;ok;frag nexthdr 50
+frag nexthdr ah;ok;frag nexthdr 51
+
+frag reserved 22;ok
+frag reserved != 233;ok
+frag reserved 33-45;ok;frag reserved >= 33 frag reserved <= 45
+frag reserved != 33-45;ok;frag reserved < 33 frag reserved > 45
+frag reserved { 33, 55, 67, 88};ok;frag reserved { 88, 33, 67, 55}
+- frag reserved != { 33, 55, 67, 88};ok
+frag reserved { 33-55};ok
+- frag reserved != { 33-55};ok
+
+# BUG: frag frag-off 22 and frag frag-off { 33-55}
+# This breaks table listing: "netlink: Error: Relational expression size mismatch"
+
+- frag frag-off 22;ok
+- frag frag-off != 233;ok
+- frag frag-off 33-45;ok
+- frag frag-off != 33-45;ok
+- frag frag-off { 33, 55, 67, 88};ok
+- frag frag-off != { 33, 55, 67, 88};ok
+- frag frag-off { 33-55};ok
+- frag frag-off != { 33-55};ok
+
+# BUG frag reserved2 33 and frag reserved2 1
+# $ sudo nft add rule ip test input frag reserved2 33
+# <cmdline>:1:39-40: Error: Value 33 exceeds valid range 0-3
+# add rule ip test input frag reserved2 33
+# ^^
+# sudo nft add rule ip test input frag reserved2 1
+# <cmdline>:1:1-39: Error: Could not process rule: Invalid argument
+# add rule ip test input frag reserved2 1
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+# BUG more-fragments 1 and frag more-fragments 4
+# frag more-fragments 1
+# <cmdline>:1:1-44: Error: Could not process rule: Invalid argument
+# add rule ip test input frag more-fragments 1
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# $ sudo nft add rule ip test input frag more-fragments 4
+# <cmdline>:1:44-44: Error: Value 4 exceeds valid range 0-1
+# add rule ip test input frag more-fragments 4
+# ^
+
+frag id 1;ok
+frag id 22;ok
+frag id != 33;ok
+frag id 33-45;ok;frag id >= 33 frag id <= 45
+frag id != 33-45;ok;frag id < 33 frag id > 45
+frag id { 33, 55, 67, 88};ok
+- frag id != { 33, 55, 67, 88};ok
+frag id { 33-55};ok
+- frag id != { 33-55};ok
diff --git a/tests/regression/any/limit.t b/tests/regression/any/limit.t
new file mode 100644
index 0000000..9af1ea8
--- /dev/null
+++ b/tests/regression/any/limit.t
@@ -0,0 +1,12 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+*arp;test-arp
+*bridge;test-bridge
+:output;type filter hook output priority 0
+
+limit rate 400/minute;ok
+limit rate 20/second;ok
+limit rate 400/hour;ok
+limit rate 400/week;ok
+limit rate 40/day;ok
diff --git a/tests/regression/any/log.t b/tests/regression/any/log.t
new file mode 100644
index 0000000..2bc2543
--- /dev/null
+++ b/tests/regression/any/log.t
@@ -0,0 +1,27 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+- *arp;test-arp
+- *bridge;test-bridge
+:output;type filter hook output priority 0
+
+ct direction original log;ok
+log;ok
+log level emerg;ok
+log level alert;ok
+log level crit;ok
+log level err;ok
+log level warn;ok;log
+log level notice;ok
+log level info;ok
+log level debug;ok
+
+log level emerg group 2;fail
+log level alert group 2 prefix "log test2";fail
+
+udp dport 200 log prefix aaaaa-aaaaaa group 2 snaplen 33;ok;udp dport 200 log prefix "aaaaa-aaaaaa" group 2 snaplen 33
+# TODO: Add an exception: 'queue-threshold' attribute needs 'group' attribute
+# The correct rule is log group 2 queue-threshold 2
+log group 2 queue-threshold 2;ok
+log group 2 snaplen 33;ok
+tcp dport 300 log group 2 prefix \"IPTABLES-NFT SSH\";ok;tcp dport 300 log prefix "IPTABLES-NFT SSH" group 2
diff --git a/tests/regression/any/meta.t b/tests/regression/any/meta.t
new file mode 100644
index 0000000..2c2609d
--- /dev/null
+++ b/tests/regression/any/meta.t
@@ -0,0 +1,160 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+*arp;test-arp
+*bridge;test-bridge
+
+:input;type filter hook input priority 0
+
+meta length 1000;ok
+meta length 22;ok
+meta length != 233;ok
+meta length 33-45;ok
+meta length != 33-45;ok
+meta length { 33, 55, 67, 88};ok
+- meta length != { 33, 55, 67, 88};ok
+meta length { 33-55};ok
+- meta length != { 33-55};ok
+
+meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, vlan, arp}
+- meta protocol != {ip, arp, ip6, vlan};ok
+meta protocol ip;ok
+meta protocol != ip;ok
+
+meta nfproto ipv4;ok
+meta nfproto ipv6;ok
+meta nfproto {ipv4, ipv6};ok
+
+meta l4proto 22;ok
+meta l4proto != 233;ok
+meta l4proto 33-45;ok;meta l4proto >= 33 meta l4proto <= 45
+meta l4proto != 33-45;ok;meta l4proto < 33 meta l4proto > 45
+meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88}
+- meta l4proto != { 33, 55, 67, 88};ok
+meta l4proto { 33-55};ok
+- meta l4proto != { 33-55};ok
+
+- meta priority :aabb;ok
+- meta priority bcad:dadc;ok
+- meta priority aabb:;ok
+- meta priority != :aabb;ok
+- meta priority != bcad:dadc;ok
+- meta priority != aabb:;ok
+- meta priority bcad:dada-bcad:dadc;ok
+- meta priority != bcad:dada-bcad:dadc;ok
+- meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok
+- meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok
+
+meta mark 0x4;ok;mark 0x00000004
+meta mark 0x32;ok;mark 0x00000032
+meta mark and 0x03 == 0x01;ok;mark & 0x00000003 == 0x00000001
+meta mark and 0x03 != 0x01;ok;mark & 0x00000003 != 0x00000001
+meta mark 0x10;ok;mark 0x00000010
+meta mark != 0x10;ok;mark != 0x00000010
+
+meta mark or 0x03 == 0x01;ok;mark | 0x00000003 == 0x00000001
+meta mark or 0x03 != 0x01;ok;mark | 0x00000003 != 0x00000001
+meta mark xor 0x03 == 0x01;ok;mark 0x00000002
+meta mark xor 0x03 != 0x01;ok;mark != 0x00000002
+
+meta iif wlan0 accept;ok;iif wlan0 accept
+meta iif eth0 accept;ok;iif eth0 accept
+meta iif != wlan0 accept;ok;iif != wlan0 accept
+meta iif != eth0 accept;ok;iif != eth0 accept
+
+meta iifname "eth0";ok;iifname "eth0"
+meta iifname != "eth0";ok;iifname != "eth0"
+meta iifname {"eth0", "wlan0"};ok
+- meta iifname != {"eth0", "wlan0"};ok
+
+meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+- meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta iiftype != ether;ok;iiftype != ether
+meta iiftype ether;ok;iiftype ether
+meta iiftype != ppp;ok;iiftype != ppp
+meta iiftype ppp;ok;iiftype ppp
+
+meta oif lo accept;ok;oif lo accept
+meta oif != lo accept;ok;oif != lo accept
+meta oif {wlan0, eth0, lo} accept;ok
+- meta oif != {wlan0, eth0, lo} accept;ok
+
+meta oifname "eth0";ok;oifname "eth0"
+meta oifname != "eth0";ok;oifname != "eth0"
+meta oifname { "eth0", "wlan0"};ok
+- meta iifname != {"eth0", "wlan0"};ok
+
+meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+- meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta oiftype != ether;ok;oiftype != ether
+meta oiftype ether;ok;oiftype ether
+
+meta skuid {man, root, backup} accept;ok;skuid { 0, 6, 34} accept
+- meta skuid != {man, root, backup} accept;ok
+meta skuid man;ok;skuid 6
+meta skuid != man;ok;skuid != 6
+meta skuid lt 3000 accept;ok;skuid < 3000 accept
+meta skuid gt 3000 accept;ok;skuid > 3000 accept
+meta skuid eq 3000 accept;ok;skuid 3000 accept
+meta skuid 3001-3005 accept;ok
+meta skuid != 2001-2005 accept;ok
+meta skuid { 2001-2005} accept;ok
+- meta skuid != { 2001-2005} accept;ok
+
+meta skgid {man, root, backup} accept;ok;skgid { 34, 12, 0} accept
+- meta skgid != {man, root, backup} accept;ok
+meta skgid man;ok;skgid 12
+meta skgid != man;ok;skgid != 12
+meta skgid lt 3000 accept;ok;skgid < 3000 accept
+meta skgid gt 3000 accept;ok;skgid > 3000 accept
+meta skgid eq 3000 accept;ok;skgid 3000 accept
+meta skgid 2001-2005 accept;ok
+meta skgid != 2001-2005 accept;ok
+meta skgid { 2001-2005} accept;ok
+- meta skgid != { 2001-2005} accept;ok
+
+# BUG: meta nftrace 2 and meta nftrace 1
+# $ sudo nft add rule ip test input meta nftrace 2
+# <cmdline>:1:37-37: Error: Value 2 exceeds valid range 0-1
+# add rule ip test input meta nftrace 2
+# ^
+# $ sudo nft add rule ip test input meta nftrace 1
+# <cmdline>:1:1-37: Error: Could not process rule: Operation not supported
+# add rule ip test input meta nftrace 1
+# -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+meta mark set 0xffffffc8 xor 0x16;ok;meta mark set 0xffffffde
+meta mark set 0x16 and 0x16;ok;meta mark set 0x00000016
+meta mark set 0xffffffe9 or 0x16;ok;meta mark set 0xffffffff
+meta mark set 0xffffffde and 0x16;ok;meta mark set 0x00000016
+meta mark set 0xf045ffde or 0x10;ok;meta mark set 0xf045ffde
+meta mark set 0xffffffde or 0x16;ok;meta mark set 0xffffffde
+meta mark set 0x32 or 0xfffff;ok;meta mark set 0x000fffff
+meta mark set 0xfffe xor 0x16;ok;meta mark set 0x0000ffe8
+
+meta iif lo;ok;iif lo
+meta oif lo;ok;oif lo
+meta oifname "eth2" accept;ok;oifname "eth2" accept
+meta skuid 3000;ok;skuid 3000
+meta skgid 3000;ok;skgid 3000
+# BUG: meta nftrace 1;ok
+# <cmdline>:1:1-37: Error: Could not process rule: Operation not supported
+- meta nftrace 1;ok
+meta rtclassid cosmos;ok;rtclassid cosmos
+
+meta pkttype broadcast;ok;pkttype broadcast
+meta pkttype unicast;ok;pkttype unicast
+meta pkttype multicast;ok;pkttype multicast
+meta pkttype != broadcast;ok;pkttype != broadcast
+meta pkttype != unicast;ok;pkttype != unicast
+meta pkttype != multicast;ok;pkttype != multicast
+meta pkttype broadcastttt;fail
+-meta pkttype { broadcast, multicast} accept;ok
+
+meta cpu 1;ok;cpu 1
+meta cpu != 1;ok;cpu != 1
+meta cpu 1-3;ok;cpu >= 1 cpu <= 3
+# BUG: there is not matching of packets with this rule.
+meta cpu != 1-2;ok;cpu < 1 cpu > 2
+meta cpu { 2,3};ok;cpu { 2, 3}
+-meta cpu != { 2,3};ok
diff --git a/tests/regression/any/queue.t b/tests/regression/any/queue.t
new file mode 100644
index 0000000..8307411
--- /dev/null
+++ b/tests/regression/any/queue.t
@@ -0,0 +1,15 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+*arp;test-arp
+*bridge;test-bridge
+
+:output;type filter hook output priority 0
+
+queue;ok;queue num 0
+queue num 2;ok
+queue num 2-3;ok
+- queue num {3, 4, 6};ok
+queue num 4-5 fanout bypass;ok;queue num 4-5 bypass fanout
+queue num 4-5 fanout;ok
+queue num 4-5 bypass;ok
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [v3 nft 0/7] tests: Automated regression testing
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
` (6 preceding siblings ...)
2014-09-18 10:39 ` [v3 nft 7/7] tests: Add any " Ana Rey
@ 2014-09-18 11:02 ` Pablo Neira Ayuso
7 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2014-09-18 11:02 UTC (permalink / raw)
To: Ana Rey; +Cc: netfilter-devel
On Thu, Sep 18, 2014 at 12:39:14PM +0200, Ana Rey wrote:
> This is a new version of the automated regression testing of nftables.
>
> There is no infrastructure to allow us to check all options/features in
> nft. So, if anyone sends a patch, we cannot check if it breaks something.
>
> I send in this patchset the nftables automated regression tests. It
> contains a python script (nft-add.py) and a set of test files.
>
> This allow us to check the input of rules of nft-tool from the
> command-line and the output from nft-tool of this rule. Then, it
> compares if the rule input matches the rule output automatically.
>
> We also have plans to add automated regression testing in the packet
> path in the future, which should come in a follow up step.
>
> Comments welcome, thanks
Finally :-). Series applied, thanks Ana.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2014-09-18 11:01 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-09-18 10:39 [v3 nft 0/7] tests: Automated regression testing Ana Rey
2014-09-18 10:39 ` [v3 nft 1/7] tests: Add automated " Ana Rey
2014-09-18 10:39 ` [v3 nft 2/7] tests: Add ip folder with test files Ana Rey
2014-09-18 10:39 ` [v3 nft 3/7] tests: Add ip6 " Ana Rey
2014-09-18 10:39 ` [v3 nft 4/7] tests: Add inet " Ana Rey
2014-09-18 10:39 ` [v3 nft 5/7] tests: Add arp " Ana Rey
2014-09-18 10:39 ` [v3 nft 6/7] tests: Add bridge " Ana Rey
2014-09-18 10:39 ` [v3 nft 7/7] tests: Add any " Ana Rey
2014-09-18 11:02 ` [v3 nft 0/7] tests: Automated regression testing Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.