[nftables] tests/py: Add Test for `meta time`

[nftables] tests/py: Add Test for `meta time`

[Karuna Grewal]

Signed-off-by: Karuna Grewal <karunagrewal98@gmail.com>
---
 tests/py/any/meta.t         |  3 +++
 tests/py/any/meta.t.json    | 12 ++++++++++++
 tests/py/any/meta.t.payload |  5 +++++
 3 files changed, 20 insertions(+)

diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index d69b8b4e..3d23dc75 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -205,3 +205,6 @@ meta iif . meta oif vmap { "lo" . "lo" : drop };ok;iif . oif vmap { "lo" . "lo"
 
 meta random eq 1;ok;meta random 1
 meta random gt 1000000;ok;meta random > 1000000
+
+meta time 100;ok;meta timestamp 1m40s
+meta time ;fail
diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json
index 2cf91cda..faef4e26 100644
--- a/tests/py/any/meta.t.json
+++ b/tests/py/any/meta.t.json
@@ -2499,3 +2499,15 @@
     }
 ]
 
+# meta time 100
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "time" }
+            },
+            "op": "==",
+            "right": 100
+        }
+    }
+]
\ No newline at end of file
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index b32770f5..71c68e42 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -1021,3 +1021,8 @@ ip test-ip4 input
   [ meta load priority => reg 1 ]
   [ cmp eq reg 1 0x87654321 ]
 
+# meta time 100
+ip test-ip4 input
+  [ meta load timestamp => reg 1 ]
+  [ cmp eq reg 1 0x00000064 ]
+
-- 
2.17.1

Re: [nftables] tests/py: Add Test for `meta time`

[Karuna Grewal]

On Tue, Mar 19, 2019 at 3:39 AM Florian Westphal <fw@strlen.de> wrote:
>
> Karuna Grewal <karunagrewal98@gmail.com> wrote:
> > command: add rule ip test-ip4 input meta time 100
> > Error: Could not process rule: Operation not supported
>
> This means that nft_meta.c doesn't recognize the TIME key.
> You need to run the modified/patched kernel for this to work --
> it looks like nft_meta_get_init() hits the "default:" switch label.
I'm running the tests against the new modified kernel (I've applied
the patch to kernel 5.0.2) and when I logged a debug message it
confirms that it's indeed hitting the default switch.
But previously running nft against the nf-next fork of the kernel was
recognising the `meta time`. This leaves me in a bit of confusion.
Meanwhile I'm trying to verify other things, could you please confirm
if the kernel tree isn't any issue here.

Re: [nftables] tests/py: Add Test for `meta time`

[Florian Westphal]

Karuna Grewal <karunagrewal98@gmail.com> wrote:
> On Tue, Mar 19, 2019 at 3:39 AM Florian Westphal <fw@strlen.de> wrote:
> >
> > Karuna Grewal <karunagrewal98@gmail.com> wrote:
> > > command: add rule ip test-ip4 input meta time 100
> > > Error: Could not process rule: Operation not supported
> >
> > This means that nft_meta.c doesn't recognize the TIME key.
> > You need to run the modified/patched kernel for this to work --
> > it looks like nft_meta_get_init() hits the "default:" switch label.
> I'm running the tests against the new modified kernel (I've applied
> the patch to kernel 5.0.2) and when I logged a debug message it
> confirms that it's indeed hitting the default switch.
> But previously running nft against the nf-next fork of the kernel was
> recognising the `meta time`. This leaves me in a bit of confusion.
> Meanwhile I'm trying to verify other things, could you please confirm
> if the kernel tree isn't any issue here.

It looks like kernel and userspace disagree on the TIME_NS meta attribute
enum value.

Re: [nftables] tests/py: Add Test for `meta time`

[Karuna Grewal]

Thanks. I checked that in the userspace the enum nft_meta_keys has
additional values as compared to the linux 5.0.2 's nft_meta_keys but
this isn't the case with the nf-next.
I'll run the tests again with the nf-next kernel tree.
Also, does this mean that I should stick to the nf-next kernel tree
instead of the latest kernel release itself?

On Tue, Mar 19, 2019 at 12:47 PM Florian Westphal <fw@strlen.de> wrote:
>
> Karuna Grewal <karunagrewal98@gmail.com> wrote:
> > On Tue, Mar 19, 2019 at 3:39 AM Florian Westphal <fw@strlen.de> wrote:
> > >
> > > Karuna Grewal <karunagrewal98@gmail.com> wrote:
> > > > command: add rule ip test-ip4 input meta time 100
> > > > Error: Could not process rule: Operation not supported
> > >
> > > This means that nft_meta.c doesn't recognize the TIME key.
> > > You need to run the modified/patched kernel for this to work --
> > > it looks like nft_meta_get_init() hits the "default:" switch label.
> > I'm running the tests against the new modified kernel (I've applied
> > the patch to kernel 5.0.2) and when I logged a debug message it
> > confirms that it's indeed hitting the default switch.
> > But previously running nft against the nf-next fork of the kernel was
> > recognising the `meta time`. This leaves me in a bit of confusion.
> > Meanwhile I'm trying to verify other things, could you please confirm
> > if the kernel tree isn't any issue here.
>
> It looks like kernel and userspace disagree on the TIME_NS meta attribute
> enum value.

Re: [nftables] tests/py: Add Test for `meta time`

[Florian Westphal]

Karuna Grewal <karunagrewal98@gmail.com> wrote:
> Thanks. I checked that in the userspace the enum nft_meta_keys has
> additional values as compared to the linux 5.0.2 's nft_meta_keys but
> this isn't the case with the nf-next.
> I'll run the tests again with the nf-next kernel tree.
> Also, does this mean that I should stick to the nf-next kernel tree
> instead of the latest kernel release itself?

nf-next lags behind at the moment, it will catch up soon.

So, meanwhile you can use nf or even linus tree until nf-next is
back in sync.

Re: [nftables] tests/py: Add Test for `meta time`

[Pablo Neira Ayuso]

On Mon, Mar 18, 2019 at 03:17:45PM +0530, Karuna Grewal wrote:
> Signed-off-by: Karuna Grewal <karunagrewal98@gmail.com>
> ---
>  tests/py/any/meta.t         |  3 +++
>  tests/py/any/meta.t.json    | 12 ++++++++++++
>  tests/py/any/meta.t.payload |  5 +++++
>  3 files changed, 20 insertions(+)
> 
> diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
> index d69b8b4e..3d23dc75 100644
> --- a/tests/py/any/meta.t
> +++ b/tests/py/any/meta.t
> @@ -205,3 +205,6 @@ meta iif . meta oif vmap { "lo" . "lo" : drop };ok;iif . oif vmap { "lo" . "lo"
>  
>  meta random eq 1;ok;meta random 1
>  meta random gt 1000000;ok;meta random > 1000000
> +
> +meta time 100;ok;meta timestamp 1m40s

I think the important thing here is to support for dates.

I remember Florian mentioned we need a new datatype for this, to
express dates.

Still we need support for time range, ie. hh:mm[:ss]-hh:mm[:ss],
monthdays and weekdays.

We should _not_ support --kerneltz, that broken. We should just
provide an alternative that works with UTC. Hopefully daylight saving
will be removed everywhere soon (EU is planning for this), so we won't
need --kerneltz.

Talking by looking at what I see in man iptables-extensions when I
look for the `time' match.

Will you work on this?