* [PATCH nft 1/4] tests: frag: enable more tests
@ 2016-03-08 23:09 Florian Westphal
2016-03-08 23:09 ` [PATCH nft 2/4] netlink_delinearize: fix bogus offset w exthdr expressions Florian Westphal
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Florian Westphal @ 2016-03-08 23:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/ip6/frag.t | 8 ++++----
tests/py/ip6/frag.t.payload.inet | 38 ++++++++++++++++++++++++++++++++++++++
tests/py/ip6/frag.t.payload.ip6 | 30 ++++++++++++++++++++++++++++++
3 files changed, 72 insertions(+), 4 deletions(-)
diff --git a/tests/py/ip6/frag.t b/tests/py/ip6/frag.t
index 56801ed..1551044 100644
--- a/tests/py/ip6/frag.t
+++ b/tests/py/ip6/frag.t
@@ -23,13 +23,13 @@ frag reserved { 33-55};ok
# BUG: frag frag-off 22 and frag frag-off { 33-55}
# This breaks table listing: "netlink: Error: Relational expression size mismatch"
-- frag frag-off 22;ok
-- frag frag-off != 233;ok
+frag frag-off 22;ok
+frag frag-off != 233;ok
- frag frag-off 33-45;ok
- frag frag-off != 33-45;ok
-- frag frag-off { 33, 55, 67, 88};ok
+frag frag-off { 33, 55, 67, 88};ok
- frag frag-off != { 33, 55, 67, 88};ok
-- frag frag-off { 33-55};ok
+frag frag-off { 33-55};ok
- frag frag-off != { 33-55};ok
# BUG frag reserved2 33 and frag reserved2 1
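Review bot: The two context comments at the top of this hunk (`# BUG: frag frag-off 22 and frag frag-off { 33-55}` and the "This breaks table listing" line) stay in place while the tests they describe are switched on, so the file now documents a bug directly above tests marked ok. Drop or reword them. If the cases that remain disabled (`frag frag-off 33-45` and the `!=` range and set forms) fail for a different reason, say which one so the remaining gap is explicit.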
diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet
index 7cedaf3..e04d128 100644
--- a/tests/py/ip6/frag.t.payload.inet
+++ b/tests/py/ip6/frag.t.payload.inet
@@ -86,6 +86,44 @@ inet test-inet output
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ lookup reg 1 set set%d ]
+# frag frag-off 22
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000b000 ]
+
+# frag frag-off != 233
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00004807 ]
+
+# frag frag-off { 33, 55, 67, 88}
+set%d test-inet 3
+set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ lookup reg 1 set set%d ]
+
+# frag frag-off { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ lookup reg 1 set set%d ]
+
# frag id 1
inet test-inet output
[ meta load nfproto => reg 1 ]
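Review bot: In the two set cases the recorded elements look unshifted, while the scalar cases are shifted. `frag frag-off 22` expects `cmp eq reg 1 0x0000b000`, which is 22 << 3 = 0xb0 under the 0xf8ff mask, but `{ 33, 55, 67, 88}` records `element 00002100`, `00003700`, `00004300`, `00005800`, the plain values 0x21, 0x37, 0x43 and 0x58, and `{ 33-55}` records 0x21 and 0x38. The lookup runs on the same masked register, so as recorded these elements are compared against a shifted offset and a filter written this way would not match the fragment offsets it names. If that is a known limitation, state it in the commit message; otherwise keep the set cases disabled until the elements are shifted as well, so the test suite does not pin down the wrong behaviour. The same element values appear in the frag.t.payload.ip6 hunk.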
diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6
index f2d04b6..b3da6fe 100644
--- a/tests/py/ip6/frag.t.payload.ip6
+++ b/tests/py/ip6/frag.t.payload.ip6
@@ -64,6 +64,36 @@ ip6 test-ip6 output
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ lookup reg 1 set set%d ]
+# frag frag-off 22
+ip6 test-ip6 output
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000b000 ]
+
+# frag frag-off != 233
+ip6 test-ip6 output
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00004807 ]
+
+# frag frag-off { 33, 55, 67, 88}
+set%d test-ip6 3
+set%d test-ip6 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+ip6 test-ip6 output
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ lookup reg 1 set set%d ]
+
+# frag frag-off { 33-55}
+set%d test-ip6 7
+set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 output
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ lookup reg 1 set set%d ]
+
# frag id 1
ip6 test-ip6 output
[ exthdr load 4b @ 44 + 4 => reg 1 ]
--
2.4.10
* [PATCH nft 2/4] netlink_delinearize: fix bogus offset w exthdr expressions
2016-03-08 23:09 [PATCH nft 1/4] tests: frag: enable more tests Florian Westphal
@ 2016-03-08 23:09 ` Florian Westphal
2016-03-08 23:09 ` [PATCH nft 3/4] nft-test: don't zap remainder of rule after handling a set Florian Westphal
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2016-03-08 23:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Need to fetch the offset from the exthdr template.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/netlink_linearize.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 07f70e0..49b4676 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -320,19 +320,24 @@ static void netlink_gen_range(struct netlink_linearize_ctx *ctx,
static void payload_shift_value(const struct expr *left, struct expr *right)
{
+ unsigned int offset;
+
if (right->ops->type != EXPR_VALUE)
return;
switch (left->ops->type) {
case EXPR_PAYLOAD:
+ offset = left->payload.offset;
+ break;
case EXPR_EXTHDR:
+ offset = left->exthdr.tmpl->offset;
break;
default:
return;
}
mpz_lshift_ui(right->value,
- payload_shift_calc(left, left->payload.offset));
+ payload_shift_calc(left, offset));
}
static struct expr *netlink_gen_prefix(struct netlink_linearize_ctx *ctx,
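Review bot: The subject prefix says netlink_delinearize, but the only file in the diffstat is src/netlink_linearize.c; fix the prefix so the change can be found in the log. The one-line message also leaves out the symptom: the removed line read `left->payload.offset` for EXPR_EXTHDR as well, and it would help to name a rule that was shifted wrongly because of it. In the switch, a short comment on the EXPR_EXTHDR case saying that the offset lives in the template would explain why the two cases differ.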
--
2.4.10
* [PATCH nft 3/4] nft-test: don't zap remainder of rule after handling a set
2016-03-08 23:09 [PATCH nft 1/4] tests: frag: enable more tests Florian Westphal
2016-03-08 23:09 ` [PATCH nft 2/4] netlink_delinearize: fix bogus offset w exthdr expressions Florian Westphal
@ 2016-03-08 23:09 ` Florian Westphal
2016-03-08 23:09 ` [PATCH nft 4/4] netlink_delinarize: shift constant for ranges too Florian Westphal
2016-03-10 11:10 ` [PATCH nft 1/4] tests: frag: enable more tests Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2016-03-08 23:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Don't delete the part after the set, i.e. given
chain input {
type filter hook input priority 0; policy accept;
vlan id { 1, 2, 4, 100, 4095} vlan pcp 1-3
}
don't remove the vlan pcp 1-3 part.
This exposes the following bug:
bridge/vlan.t: WARNING: line: 32:
'nft add rule --debug=netlink bridge test-bridge input vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3': 'vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3' mismatches 'vlan id { 4, 1, 2, 4095, 100} vlan pcp 0-0'
We do not shift the range, so on reverse translation we get a 0-0 output.
The bug will be fixed in a followup commit.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/inet/tcp.t | 2 +-
tests/py/nft-test.py | 18 ++++++++++++------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index f99035e..9618e53 100644
--- a/tests/py/inet/tcp.t
+++ b/tests/py/inet/tcp.t
@@ -37,7 +37,7 @@ tcp sport 1024 tcp dport 22;ok
tcp sport 1024 tcp dport 22 tcp sequence 0;ok
tcp sequence 0 tcp sport 1024 tcp dport 22;ok;tcp sport 1024 tcp dport 22 tcp sequence 0
-tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok
+tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok;tcp sport { 1022, 1024} tcp dport 22 tcp sequence 0
tcp sequence 22;ok
tcp sequence != 233;ok
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 9dc2b95..1256a33 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -436,21 +436,27 @@ def set_check_element(rule1, rule2):
list2.sort()
if cmp(list1, list2) == 0:
ret = 0
- return ret
+ if ret != 0:
+ return ret
+
+ return cmp(rule1[end1:], rule2[end2:])
def output_clean(pre_output, chain):
- pos_chain = pre_output[0].find(chain.name)
+ pos_chain = pre_output.find(chain.name)
if pos_chain == -1:
return ""
- output_intermediate = pre_output[0][pos_chain:]
+ output_intermediate = pre_output[pos_chain:]
brace_start = output_intermediate.find("{")
brace_end = output_intermediate.find("}")
pre_rule = output_intermediate[brace_start:brace_end]
if pre_rule[1:].find("{") > -1: # this rule has a set.
set = pre_rule[1:].replace("\t", "").replace("\n", "").strip()
set = set.split(";")[2].strip() + "}"
- return set
+ remainder = output_clean(chain.name + " {;;" + output_intermediate[brace_end+1:], chain)
+ if len(remainder) <= 0:
+ return set
+ return set + " " + remainder
else:
rule = pre_rule.split(";")[2].replace("\t", "").replace("\n", "").\
strip()
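Review bot: The recursive call in output_clean() feeds itself a synthetic string, `chain.name + " {;;" + output_intermediate[brace_end+1:]`, whose only purpose is to satisfy the `find(chain.name)` and `split(";")[2]` parsing further down. That coupling needs a comment, or better a small helper that parses a rule body without the fake chain header. Two smaller points: `len(remainder) <= 0` can be written `not remainder`, and in set_check_element() the new `cmp(rule1[end1:], rule2[end2:])` is an exact string comparison, so any whitespace difference after the set now counts as a mismatch; the caller strips trailing whitespace only.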
@@ -604,7 +610,7 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path):
if not force_all_family_option:
return [ret, warning, error, unit_tests]
else:
- rule_output = output_clean(pre_output, chain)
+ rule_output = output_clean(pre_output[0], chain)
if len(rule) == 3:
teoric_exit = rule[2]
else:
@@ -612,7 +618,7 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path):
if rule_output.rstrip() != teoric_exit.rstrip():
if rule[0].find("{") != -1: # anonymous sets
- if set_check_element(teoric_exit, rule_output) != 0:
+ if set_check_element(teoric_exit.rstrip(), rule_output.rstrip()) != 0:
warning += 1
print_differences_warning(filename, lineno,
rule[0], rule_output,
--
2.4.10
* [PATCH nft 4/4] netlink_delinarize: shift constant for ranges too
2016-03-08 23:09 [PATCH nft 1/4] tests: frag: enable more tests Florian Westphal
2016-03-08 23:09 ` [PATCH nft 2/4] netlink_delinearize: fix bogus offset w exthdr expressions Florian Westphal
2016-03-08 23:09 ` [PATCH nft 3/4] nft-test: don't zap remainder of rule after handling a set Florian Westphal
@ 2016-03-08 23:09 ` Florian Westphal
2016-03-10 11:10 ` [PATCH nft 1/4] tests: frag: enable more tests Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2016-03-08 23:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
... else rule like vlan pcp 1-3 won't work and will be displayed
as 0-0 (reverse direction already works since range is represented
as two lte/gte compare expressions).
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/netlink_linearize.c | 2 ++
tests/py/bridge/vlan.t.payload | 4 ++--
tests/py/bridge/vlan.t.payload.netdev | 4 ++--
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 49b4676..bb51de7 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -446,6 +446,7 @@ static void netlink_gen_range(struct netlink_linearize_ctx *ctx,
BUG("invalid range operation %u\n", expr->op);
}
+ payload_shift_value(expr->left, range->left);
netlink_gen_data(range->left, &nld);
nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len);
nftnl_rule_add_expr(ctx->nlr, nle);
@@ -466,6 +467,7 @@ static void netlink_gen_range(struct netlink_linearize_ctx *ctx,
BUG("invalid range operation %u\n", expr->op);
}
+ payload_shift_value(expr->left, range->right);
netlink_gen_data(range->right, &nld);
nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len);
nftnl_rule_add_expr(ctx->nlr, nle);
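Review bot: Both added calls, `payload_shift_value(expr->left, range->left)` and the matching one for `range->right`, modify the range constants in place: as the 2/4 diff shows, payload_shift_value() applies `mpz_lshift_ui(right->value, ...)` to the expression itself. Please confirm that nothing reads `range->left` or `range->right` after netlink_gen_range() returns (error reporting, a second linearize pass), since the value would then be seen shifted, or shifted twice. Separately, the subject prefix is misspelled (netlink_delinarize) and names delinearize while the file changed is src/netlink_linearize.c.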
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
index 02242d2..78ee7ef 100644
--- a/tests/py/bridge/vlan.t.payload
+++ b/tests/py/bridge/vlan.t.payload
@@ -196,6 +196,6 @@ bridge test-bridge input
[ lookup reg 1 set set%d ]
[ payload load 1b @ link header + 14 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000e0 ) ^ 0x00000000 ]
- [ cmp gte reg 1 0x00000001 ]
- [ cmp lte reg 1 0x00000003 ]
+ [ cmp gte reg 1 0x00000020 ]
+ [ cmp lte reg 1 0x00000060 ]
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
index 62c7adf..f60587f 100644
--- a/tests/py/bridge/vlan.t.payload.netdev
+++ b/tests/py/bridge/vlan.t.payload.netdev
@@ -230,6 +230,6 @@ netdev test-netdev ingress
[ lookup reg 1 set set%d ]
[ payload load 1b @ link header + 14 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000e0 ) ^ 0x00000000 ]
- [ cmp gte reg 1 0x00000001 ]
- [ cmp lte reg 1 0x00000003 ]
+ [ cmp gte reg 1 0x00000020 ]
+ [ cmp lte reg 1 0x00000060 ]
--
2.4.10
* Re: [PATCH nft 1/4] tests: frag: enable more tests
2016-03-08 23:09 [PATCH nft 1/4] tests: frag: enable more tests Florian Westphal
` (2 preceding siblings ...)
2016-03-08 23:09 ` [PATCH nft 4/4] netlink_delinarize: shift constant for ranges too Florian Westphal
@ 2016-03-10 11:10 ` Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2016-03-10 11:10 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Wed, Mar 09, 2016 at 12:09:45AM +0100, Florian Westphal wrote:
> Signed-off-by: Florian Westphal <fw@strlen.de>
Thanks for these fixes Florian.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
for the entire series.