* [nft PATCH 0/9] Testsuite-indicated fixes for JSON
@ 2019-05-09 11:35 Phil Sutter
2019-05-09 11:35 ` [nft PATCH 1/9] json: Support nat in inet family Phil Sutter
` (9 more replies)
0 siblings, 10 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Running tests/py/nft-test.py with -j flag and trying to eliminate
errors/warnings resulted in the following series of fixes. They are
about half and half changes to code and test cases.
Phil Sutter (9):
json: Support nat in inet family
parser_json: Fix igmp support
netlink: Fix printing of zero-length prefixes
tests/py: Fix JSON equivalents of osf tests
json: Fix tproxy support regarding latest changes
parser_json: Fix ct timeout object support
tests/py: Fix for ip dscp symbol "le"
tests/py: Fix JSON expexted output after expr merge change
tests/py: Fix JSON expected output for icmpv6 code values
doc/libnftables-json.adoc | 5 +
src/json.c | 31 +--
src/netlink_delinearize.c | 4 +-
src/parser_json.c | 26 ++-
tests/py/inet/dnat.t.json | 166 +++++++++++++++
tests/py/inet/osf.t.json | 59 +++++-
tests/py/inet/snat.t.json | 131 ++++++++++++
tests/py/inet/tcp.t.json.output | 44 +---
tests/py/inet/tproxy.t | 2 +-
tests/py/inet/tproxy.t.json | 80 ++++++++
tests/py/inet/tproxy.t.payload | 2 +-
tests/py/ip/igmp.t.json | 323 ++++++++++++++++++++++++++++++
tests/py/ip/ip.t | 2 +-
tests/py/ip/ip.t.json | 2 +-
tests/py/ip/ip.t.payload | 4 +-
tests/py/ip/tproxy.t | 2 +-
tests/py/ip/tproxy.t.json | 26 ++-
tests/py/ip/tproxy.t.json.output | 61 ++++++
tests/py/ip6/icmpv6.t.json.output | 59 ++++++
tests/py/ip6/ip6.t | 2 +-
tests/py/ip6/ip6.t.json | 2 +-
tests/py/ip6/ip6.t.payload.inet | 4 +-
tests/py/ip6/ip6.t.payload.ip6 | 4 +-
tests/py/ip6/tproxy.t | 2 +-
tests/py/ip6/tproxy.t.json | 26 ++-
tests/py/ip6/tproxy.t.json.output | 60 ++++++
26 files changed, 1041 insertions(+), 88 deletions(-)
create mode 100644 tests/py/inet/dnat.t.json
create mode 100644 tests/py/inet/snat.t.json
create mode 100644 tests/py/ip/igmp.t.json
create mode 100644 tests/py/ip/tproxy.t.json.output
create mode 100644 tests/py/ip6/tproxy.t.json.output
--
2.21.0
^ permalink raw reply [flat|nested] 14+ messages in thread
* [nft PATCH 1/9] json: Support nat in inet family
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 11:35 ` [nft PATCH 2/9] parser_json: Fix igmp support Phil Sutter
` (8 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Add the missing bits to JSON parser, printer, man page and testsuite.
Fixes: fbe27464dee45 ("src: add nat support for the inet family")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
doc/libnftables-json.adoc | 5 ++
src/json.c | 8 ++
src/parser_json.c | 7 +-
tests/py/inet/dnat.t.json | 166 ++++++++++++++++++++++++++++++++++++++
tests/py/inet/snat.t.json | 131 ++++++++++++++++++++++++++++++
5 files changed, 316 insertions(+), 1 deletion(-)
create mode 100644 tests/py/inet/dnat.t.json
create mode 100644 tests/py/inet/snat.t.json
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
index dbe5ac33d999e..429f530db913c 100644
--- a/doc/libnftables-json.adoc
+++ b/doc/libnftables-json.adoc
@@ -808,12 +808,14 @@ Duplicate a packet to a different destination.
____
*{ "snat": {
"addr":* 'EXPRESSION'*,
+ "family":* 'STRING'*,
"port":* 'EXPRESSION'*,
"flags":* 'FLAGS'
*}}*
*{ "dnat": {
"addr":* 'EXPRESSION'*,
+ "family":* 'STRING'*,
"port":* 'EXPRESSION'*,
"flags":* 'FLAGS'
*}}*
@@ -837,6 +839,9 @@ Perform Network Address Translation.
*addr*::
Address to translate to.
+*family*::
+ Family of *addr*, either *ip* or *ip6*. Required in *inet*
+ table family.
*port*::
Port to translate to.
*flags*::
diff --git a/src/json.c b/src/json.c
index 4900c02336b56..a8538bdca973b 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1260,6 +1260,14 @@ json_t *nat_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
json_t *root = json_object();
json_t *array = nat_flags_json(stmt->nat.flags);
+ switch (stmt->nat.family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ json_object_set_new(root, "family",
+ json_string(family2str(stmt->nat.family)));
+ break;
+ }
+
if (stmt->nat.addr)
json_object_set_new(root, "addr",
expr_print_json(stmt->nat.addr, octx));
diff --git a/src/parser_json.c b/src/parser_json.c
index 315f247811567..0c4f5d913813a 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -1840,9 +1840,9 @@ static int nat_type_parse(const char *type)
static struct stmt *json_parse_nat_stmt(struct json_ctx *ctx,
const char *key, json_t *value)
{
+ int type, familyval;
struct stmt *stmt;
json_t *tmp;
- int type;
type = nat_type_parse(key);
if (type < 0) {
@@ -1850,7 +1850,12 @@ static struct stmt *json_parse_nat_stmt(struct json_ctx *ctx,
return NULL;
}
+ familyval = json_parse_family(ctx, value);
+ if (familyval < 0)
+ return NULL;
+
stmt = nat_stmt_alloc(int_loc, type);
+ stmt->nat.family = familyval;
if (!json_unpack(value, "{s:o}", "addr", &tmp)) {
stmt->nat.addr = json_parse_stmt_expr(ctx, tmp);
diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
new file mode 100644
index 0000000000000..ac6dac620a85e
--- /dev/null
+++ b/tests/py/inet/dnat.t.json
@@ -0,0 +1,166 @@
+# iifname "foo" tcp dport 80 redirect to :8080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "foo"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 80
+ }
+ },
+ {
+ "redirect": {
+ "port": 8080
+ }
+ }
+]
+
+# iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 443
+ }
+ },
+ {
+ "dnat": {
+ "addr": "192.168.3.2",
+ "family": "ip"
+ }
+ }
+]
+
+# iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 443
+ }
+ },
+ {
+ "dnat": {
+ "addr": "dead::beef",
+ "family": "ip6",
+ "port": 4443
+ }
+ }
+]
+
+# dnat ip to ct mark map { 0x00000014 : 1.2.3.4}
+[
+ {
+ "dnat": {
+ "addr": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ 20,
+ "1.2.3.4"
+ ]
+ ]
+ },
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ }
+ }
+ },
+ "family": "ip"
+ }
+ }
+]
+
+# dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+[
+ {
+ "dnat": {
+ "addr": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ {
+ "concat": [
+ 20,
+ "1.1.1.1"
+ ]
+ },
+ "1.2.3.4"
+ ]
+ ]
+ },
+ "key": {
+ "concat": [
+ {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ }
+ ]
+ }
+ }
+ },
+ "family": "ip"
+ }
+ }
+]
+
diff --git a/tests/py/inet/snat.t.json b/tests/py/inet/snat.t.json
new file mode 100644
index 0000000000000..4671625dc06d9
--- /dev/null
+++ b/tests/py/inet/snat.t.json
@@ -0,0 +1,131 @@
+# iifname "eth0" tcp dport 81 snat ip to 192.168.3.2
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 81
+ }
+ },
+ {
+ "snat": {
+ "addr": "192.168.3.2",
+ "family": "ip"
+ }
+ }
+]
+
+# iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 81
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "10.1.1.1"
+ }
+ },
+ {
+ "snat": {
+ "addr": "192.168.3.2",
+ "family": "ip"
+ }
+ }
+]
+
+# iifname "eth0" tcp dport 81 snat ip6 to dead::beef
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 81
+ }
+ },
+ {
+ "snat": {
+ "addr": "dead::beef",
+ "family": "ip6"
+ }
+ }
+]
+
+# iifname "foo" masquerade random
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "foo"
+ }
+ },
+ {
+ "masquerade": {
+ "flags": "random"
+ }
+ }
+]
+
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [nft PATCH 2/9] parser_json: Fix igmp support
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
2019-05-09 11:35 ` [nft PATCH 1/9] json: Support nat in inet family Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 11:35 ` [nft PATCH 3/9] netlink: Fix printing of zero-length prefixes Phil Sutter
` (7 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Parser didn't know about that protocol, also testsuite bits were
missing.
Fixes: bad27ca386276 ("src: add igmp support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_json.c | 1 +
tests/py/ip/igmp.t.json | 323 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 324 insertions(+)
create mode 100644 tests/py/ip/igmp.t.json
diff --git a/src/parser_json.c b/src/parser_json.c
index 0c4f5d913813a..3a78f8860aaca 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -492,6 +492,7 @@ static const struct proto_desc *proto_lookup_byname(const char *name)
&proto_arp,
&proto_ip,
&proto_icmp,
+ &proto_igmp,
&proto_ip6,
&proto_icmp6,
&proto_ah,
diff --git a/tests/py/ip/igmp.t.json b/tests/py/ip/igmp.t.json
new file mode 100644
index 0000000000000..66dd3bb70c5b9
--- /dev/null
+++ b/tests/py/ip/igmp.t.json
@@ -0,0 +1,323 @@
+# igmp type membership-query
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": "membership-query"
+ }
+ }
+]
+
+# igmp type membership-report-v1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": "membership-report-v1"
+ }
+ }
+]
+
+# igmp type membership-report-v2
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": "membership-report-v2"
+ }
+ }
+]
+
+# igmp type membership-report-v3
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": "membership-report-v3"
+ }
+ }
+]
+
+# igmp type leave-group
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": "leave-group"
+ }
+ }
+]
+
+# igmp type { membership-report-v1, membership-report-v2, membership-report-v3}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "membership-report-v1",
+ "membership-report-v2",
+ "membership-report-v3"
+ ]
+ }
+ }
+ }
+]
+
+# igmp type != { membership-report-v1, membership-report-v2, membership-report-v3}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "igmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ "membership-report-v1",
+ "membership-report-v2",
+ "membership-report-v3"
+ ]
+ }
+ }
+ }
+]
+
+# igmp checksum 12343
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": 12343
+ }
+ }
+]
+
+# igmp checksum != 12343
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "igmp"
+ }
+ },
+ "op": "!=",
+ "right": 12343
+ }
+ }
+]
+
+# igmp checksum 11-343
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [
+ 11,
+ 343
+ ]
+ }
+ }
+ }
+]
+
+# igmp checksum != 11-343
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "igmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [
+ 11,
+ 343
+ ]
+ }
+ }
+ }
+]
+
+# igmp checksum { 11-343}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "range": [
+ 11,
+ 343
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# igmp checksum != { 11-343}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "igmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ {
+ "range": [
+ 11,
+ 343
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# igmp checksum { 1111, 222, 343}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 222,
+ 343,
+ 1111
+ ]
+ }
+ }
+ }
+]
+
+# igmp checksum != { 1111, 222, 343}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "igmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 222,
+ 343,
+ 1111
+ ]
+ }
+ }
+ }
+]
+
+# igmp mrt 10
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mrt",
+ "protocol": "igmp"
+ }
+ },
+ "op": "==",
+ "right": 10
+ }
+ }
+]
+
+# igmp mrt != 10
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mrt",
+ "protocol": "igmp"
+ }
+ },
+ "op": "!=",
+ "right": 10
+ }
+ }
+]
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [nft PATCH 3/9] netlink: Fix printing of zero-length prefixes
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
2019-05-09 11:35 ` [nft PATCH 1/9] json: Support nat in inet family Phil Sutter
2019-05-09 11:35 ` [nft PATCH 2/9] parser_json: Fix igmp support Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 11:35 ` [nft PATCH 4/9] tests/py: Fix JSON equivalents of osf tests Phil Sutter
` (6 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
When delinearizing, an all-zero mask didn't qualify as prefix. Therefore
a statement:
| ip daddr 0.0.0.0/0
would be printed as:
| ip daddr & 0.0.0.0 == 0.0.0.0
To fix this, expr_mask_is_prefix() must return true if the initial 1-bit
search fails (the given value must be zero in this case). Additionally,
a shortcut is needed in conversion algorithm of expr_mask_to_prefix()
to not turn the zero prefix into a 1 by accident.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/netlink_delinearize.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 2c9b0a32a932e..c018e78b02925 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1734,6 +1734,8 @@ static unsigned int expr_mask_to_prefix(const struct expr *expr)
unsigned long n;
n = mpz_scan1(expr->value, 0);
+ if (n == ULONG_MAX)
+ return 0;
return mpz_scan0(expr->value, n + 1) - n;
}
@@ -1744,7 +1746,7 @@ static bool expr_mask_is_prefix(const struct expr *expr)
n1 = mpz_scan1(expr->value, 0);
if (n1 == ULONG_MAX)
- return false;
+ return true;
n2 = mpz_scan0(expr->value, n1 + 1);
if (n2 < expr->len || n2 == ULONG_MAX)
return false;
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [nft PATCH 4/9] tests/py: Fix JSON equivalents of osf tests
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
` (2 preceding siblings ...)
2019-05-09 11:35 ` [nft PATCH 3/9] netlink: Fix printing of zero-length prefixes Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 11:35 ` [nft PATCH 5/9] json: Fix tproxy support regarding latest changes Phil Sutter
` (5 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Fixes: 12adf747a3f62 ("tests: py: add osf tests with versions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/py/inet/osf.t.json | 59 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 57 insertions(+), 2 deletions(-)
diff --git a/tests/py/inet/osf.t.json b/tests/py/inet/osf.t.json
index a2e744952140d..cedb7f67bd52f 100644
--- a/tests/py/inet/osf.t.json
+++ b/tests/py/inet/osf.t.json
@@ -45,13 +45,14 @@
}
]
-# osf name version "Linux:3.0"
+# osf ttl skip version "Linux:3.0"
[
{
"match": {
"left": {
"osf": {
- "key": "version"
+ "key": "version",
+ "ttl": "skip"
}
},
"op": "==",
@@ -80,6 +81,26 @@
}
]
+# osf version { "Windows:XP", "MacOs:Sierra" }
+[
+ {
+ "match": {
+ "left": {
+ "osf": {
+ "key": "version"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "Windows:XP",
+ "MacOs:Sierra"
+ ]
+ }
+ }
+ }
+]
+
# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }
[
{
@@ -113,3 +134,37 @@
}
}
]
+
+# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 }
+[
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ "Windows:XP",
+ 3
+ ],
+ [
+ "MacOs:Sierra",
+ 4
+ ]
+ ]
+ },
+ "key": {
+ "osf": {
+ "key": "version"
+ }
+ }
+ }
+ }
+ }
+ }
+]
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [nft PATCH 5/9] json: Fix tproxy support regarding latest changes
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
` (3 preceding siblings ...)
2019-05-09 11:35 ` [nft PATCH 4/9] tests/py: Fix JSON equivalents of osf tests Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 11:35 ` [nft PATCH 6/9] parser_json: Fix ct timeout object support Phil Sutter
` (4 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Family may be specified also if no address is given at the same time,
make parser/printer tolerant to that. Also fix for missing/incorrect
JSON equivalents in tests/py.
While being at it, fix two issues in non-JSON tests:
* Ruleset is printed in numeric mode, so use 'l4proto 6' instead of
'l4proto tcp' in rules to avoid having to specify expected output for
that unrelated bit.
* In ip and ip6 family tables, family parameter is not deserialized on
output.
Fixes: 3edb96200690b ("parser_bison: missing tproxy syntax with port only for inet family")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/json.c | 23 ++++-----
src/parser_json.c | 16 +++----
tests/py/inet/tproxy.t | 2 +-
tests/py/inet/tproxy.t.json | 80 +++++++++++++++++++++++++++++++
tests/py/inet/tproxy.t.payload | 2 +-
tests/py/ip/tproxy.t | 2 +-
tests/py/ip/tproxy.t.json | 26 ++++++++--
tests/py/ip/tproxy.t.json.output | 61 +++++++++++++++++++++++
tests/py/ip6/tproxy.t | 2 +-
tests/py/ip6/tproxy.t.json | 26 ++++++++--
tests/py/ip6/tproxy.t.json.output | 60 +++++++++++++++++++++++
11 files changed, 268 insertions(+), 32 deletions(-)
create mode 100644 tests/py/ip/tproxy.t.json.output
create mode 100644 tests/py/ip6/tproxy.t.json.output
diff --git a/src/json.c b/src/json.c
index a8538bdca973b..ff79b0cc729c7 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1437,26 +1437,23 @@ json_t *connlimit_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
json_t *tproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
{
- json_t *root = json_object();
-
- if (stmt->tproxy.addr) {
- int family;
- json_t *tmp;
-
- family = stmt->tproxy.table_family;
- if (family == NFPROTO_INET)
- family = stmt->tproxy.family;
+ json_t *tmp, *root = json_object();
- tmp = json_string(family2str(family));
+ if (stmt->tproxy.table_family == NFPROTO_INET &&
+ stmt->tproxy.family != NFPROTO_UNSPEC) {
+ tmp = json_string(family2str(stmt->tproxy.family));
json_object_set_new(root, "family", tmp);
+ }
+ if (stmt->tproxy.addr) {
tmp = expr_print_json(stmt->tproxy.addr, octx);
json_object_set_new(root, "addr", tmp);
}
- if (stmt->tproxy.port)
- json_object_set_new(root, "port",
- expr_print_json(stmt->tproxy.port, octx));
+ if (stmt->tproxy.port) {
+ tmp = expr_print_json(stmt->tproxy.port, octx);
+ json_object_set_new(root, "port", tmp);
+ }
return json_pack("{s:o}", "tproxy", root);
}
diff --git a/src/parser_json.c b/src/parser_json.c
index 3a78f8860aaca..8707d2c74d0a7 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -1899,17 +1899,15 @@ static struct stmt *json_parse_tproxy_stmt(struct json_ctx *ctx,
if (familyval < 0)
goto out_free;
- if (familyval == NFPROTO_UNSPEC ||
- json_unpack(value, "{s:o}", "addr", &jaddr))
- goto try_port;
-
stmt->tproxy.family = familyval;
- stmt->tproxy.addr = json_parse_stmt_expr(ctx, jaddr);
- if (!stmt->tproxy.addr) {
- json_error(ctx, "Invalid addr.");
- goto out_free;
+
+ if (!json_unpack(value, "{s:o}", "addr", &jaddr)) {
+ stmt->tproxy.addr = json_parse_stmt_expr(ctx, jaddr);
+ if (!stmt->tproxy.addr) {
+ json_error(ctx, "Invalid addr.");
+ goto out_free;
+ }
}
-try_port:
if (!json_unpack(value, "{s:o}", "port", &tmp)) {
stmt->tproxy.port = json_parse_stmt_expr(ctx, tmp);
if (!stmt->tproxy.port) {
diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
index 0ba78ef1826a2..d23bbcb56cdcd 100644
--- a/tests/py/inet/tproxy.t
+++ b/tests/py/inet/tproxy.t
@@ -18,4 +18,4 @@ ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
meta l4proto 17 tproxy ip to :50080;ok
meta l4proto 17 tproxy ip6 to :50080;ok
meta l4proto 17 tproxy to :50080;ok
-ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000;ok
+ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok
diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json
index 2897d2007192a..7b3b11c49205a 100644
--- a/tests/py/inet/tproxy.t.json
+++ b/tests/py/inet/tproxy.t.json
@@ -84,6 +84,48 @@
}
]
+# meta l4proto 17 tproxy ip to :50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip",
+ "port": 50080
+ }
+ }
+]
+
+# meta l4proto 17 tproxy ip6 to :50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip6",
+ "port": 50080
+ }
+ }
+]
+
# meta l4proto 17 tproxy to :50080
[
{
@@ -103,3 +145,41 @@
}
}
]
+
+# ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "prefix": {
+ "addr": "0.0.0.0",
+ "len": 0
+ }
+ }
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip",
+ "port": 2000
+ }
+ }
+]
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
index 8a6ba03656059..82ff928db772f 100644
--- a/tests/py/inet/tproxy.t.payload
+++ b/tests/py/inet/tproxy.t.payload
@@ -49,7 +49,7 @@ inet x y
[ immediate reg 1 0x0000a0c3 ]
[ tproxy ip6 port reg 1 ]
-# ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
+# ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000
inet x y
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t
index 966898c037b26..544c5193efea6 100644
--- a/tests/py/ip/tproxy.t
+++ b/tests/py/ip/tproxy.t
@@ -11,4 +11,4 @@ meta l4proto 6 tproxy to 192.0.2.1:50080;ok
ip protocol 6 tproxy to :50080;ok
meta l4proto 17 tproxy ip to 192.0.2.1;ok;meta l4proto 17 tproxy to 192.0.2.1
meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok;meta l4proto 6 tproxy to 192.0.2.1:50080
-ip protocol 6 tproxy ip to :50080;ok
+ip protocol 6 tproxy ip to :50080;ok;ip protocol 6 tproxy to :50080
diff --git a/tests/py/ip/tproxy.t.json b/tests/py/ip/tproxy.t.json
index 1936b5f43be00..4635fc1f84e4b 100644
--- a/tests/py/ip/tproxy.t.json
+++ b/tests/py/ip/tproxy.t.json
@@ -13,8 +13,7 @@
},
{
"tproxy": {
- "addr": "192.0.2.1",
- "family": "ip"
+ "addr": "192.0.2.1"
}
}
]
@@ -35,7 +34,6 @@
{
"tproxy": {
"addr": "192.0.2.1",
- "family": "ip",
"port": 50080
}
}
@@ -104,3 +102,25 @@
}
}
]
+
+# ip protocol 6 tproxy ip to :50080
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip",
+ "port": 50080
+ }
+ }
+]
diff --git a/tests/py/ip/tproxy.t.json.output b/tests/py/ip/tproxy.t.json.output
new file mode 100644
index 0000000000000..2690f22539867
--- /dev/null
+++ b/tests/py/ip/tproxy.t.json.output
@@ -0,0 +1,61 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "addr": "192.0.2.1"
+ }
+ }
+]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "addr": "192.0.2.1",
+ "port": 50080
+ }
+ }
+]
+
+# ip protocol 6 tproxy ip to :50080
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "port": 50080
+ }
+ }
+]
diff --git a/tests/py/ip6/tproxy.t b/tests/py/ip6/tproxy.t
index 48fe4ca765052..d4c6bffb969bc 100644
--- a/tests/py/ip6/tproxy.t
+++ b/tests/py/ip6/tproxy.t
@@ -11,4 +11,4 @@ meta l4proto 17 tproxy to [2001:db8::1]:50080;ok
meta l4proto 6 tproxy to :50080;ok
meta l4proto 6 tproxy ip6 to [2001:db8::1];ok;meta l4proto 6 tproxy to [2001:db8::1]
meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok;meta l4proto 17 tproxy to [2001:db8::1]:50080
-meta l4proto 6 tproxy ip6 to :50080;ok
+meta l4proto 6 tproxy ip6 to :50080;ok;meta l4proto 6 tproxy to :50080
diff --git a/tests/py/ip6/tproxy.t.json b/tests/py/ip6/tproxy.t.json
index 7372acb93f500..0e02d49c9b9db 100644
--- a/tests/py/ip6/tproxy.t.json
+++ b/tests/py/ip6/tproxy.t.json
@@ -13,8 +13,7 @@
},
{
"tproxy": {
- "addr": "2001:db8::1",
- "family": "ip6"
+ "addr": "2001:db8::1"
}
}
]
@@ -35,7 +34,6 @@
{
"tproxy": {
"addr": "2001:db8::1",
- "family": "ip6",
"port": 50080
}
}
@@ -103,3 +101,25 @@
}
}
]
+
+# meta l4proto 6 tproxy ip6 to :50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip6",
+ "port": 50080
+ }
+ }
+]
+
diff --git a/tests/py/ip6/tproxy.t.json.output b/tests/py/ip6/tproxy.t.json.output
new file mode 100644
index 0000000000000..461738bd2061f
--- /dev/null
+++ b/tests/py/ip6/tproxy.t.json.output
@@ -0,0 +1,60 @@
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "addr": "2001:db8::1"
+ }
+ }
+]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "addr": "2001:db8::1",
+ "port": 50080
+ }
+ }
+]
+
+# meta l4proto 6 tproxy ip6 to :50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "port": 50080
+ }
+ }
+]
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [nft PATCH 6/9] parser_json: Fix ct timeout object support
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
` (4 preceding siblings ...)
2019-05-09 11:35 ` [nft PATCH 5/9] json: Fix tproxy support regarding latest changes Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 11:35 ` [nft PATCH 7/9] tests/py: Fix for ip dscp symbol "le" Phil Sutter
` (3 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Seems like it wasn't possible to add or list ct timeout objects.
Fixes: c82a26ebf7e9f ("json: Add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_json.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/parser_json.c b/src/parser_json.c
index 8707d2c74d0a7..d154babbfd6bc 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3002,6 +3002,7 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx,
{ "counter", CMD_OBJ_COUNTER, json_parse_cmd_add_object },
{ "quota", CMD_OBJ_QUOTA, json_parse_cmd_add_object },
{ "ct helper", NFT_OBJECT_CT_HELPER, json_parse_cmd_add_object },
+ { "ct timeout", NFT_OBJECT_CT_TIMEOUT, json_parse_cmd_add_object },
{ "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object },
{ "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object }
};
@@ -3168,6 +3169,7 @@ static struct cmd *json_parse_cmd_list(struct json_ctx *ctx,
{ "quotas", CMD_OBJ_QUOTAS, json_parse_cmd_list_multiple },
{ "ct helper", NFT_OBJECT_CT_HELPER, json_parse_cmd_add_object },
{ "ct helpers", CMD_OBJ_CT_HELPERS, json_parse_cmd_list_multiple },
+ { "ct timeout", NFT_OBJECT_CT_TIMEOUT, json_parse_cmd_add_object },
{ "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object },
{ "limits", CMD_OBJ_LIMIT, json_parse_cmd_list_multiple },
{ "ruleset", CMD_OBJ_RULESET, json_parse_cmd_list_multiple },
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [nft PATCH 7/9] tests/py: Fix for ip dscp symbol "le"
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
` (5 preceding siblings ...)
2019-05-09 11:35 ` [nft PATCH 6/9] parser_json: Fix ct timeout object support Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 15:11 ` Pablo Neira Ayuso
2019-05-09 11:35 ` [nft PATCH 8/9] tests/py: Fix JSON expexted output after expr merge change Phil Sutter
` (2 subsequent siblings)
9 siblings, 1 reply; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
In scanner.l, that name is defined as alternative to "<=" symbol. To
avoid the clash, it must be quoted on input.
Fixes: 55715486efba4 ("proto: support for draft-ietf-tsvwg-le-phb-10.txt")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Note that nft still produces invalid output since it doesn't quote
symbol table values.
---
tests/py/ip/ip.t | 2 +-
tests/py/ip/ip.t.json | 2 +-
tests/py/ip/ip.t.payload | 4 ++--
tests/py/ip6/ip6.t | 2 +-
tests/py/ip6/ip6.t.json | 2 +-
tests/py/ip6/ip6.t.payload.inet | 4 ++--
tests/py/ip6/ip6.t.payload.ip6 | 4 ++--
7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t
index dc6b173def36d..f224e1d21033c 100644
--- a/tests/py/ip/ip.t
+++ b/tests/py/ip/ip.t
@@ -28,7 +28,7 @@ ip dscp cs1;ok
ip dscp != cs1;ok
ip dscp 0x38;ok;ip dscp cs7
ip dscp != 0x20;ok;ip dscp != cs4
-ip dscp {cs0, le, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
+ip dscp {cs0, "le", cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
- ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok
ip dscp != {cs0, cs3};ok
ip dscp vmap { cs1 : continue , cs4 : accept } counter;ok
diff --git a/tests/py/ip/ip.t.json b/tests/py/ip/ip.t.json
index 69e8d02540b87..51bc15e71cd2f 100644
--- a/tests/py/ip/ip.t.json
+++ b/tests/py/ip/ip.t.json
@@ -62,7 +62,7 @@
}
]
-# ip dscp {cs0, le, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+# ip dscp {cs0, "le", cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
[
{
"match": {
diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
index 37d4ef85a8e97..f62ce823586d1 100644
--- a/tests/py/ip/ip.t.payload
+++ b/tests/py/ip/ip.t.payload
@@ -22,10 +22,10 @@ ip test-ip4 input
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000080 ]
-# ip dscp {cs0, le, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+# ip dscp {cs0, "le", cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
__set%d test-ip4 3
__set%d test-ip4 0
- element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000000 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end]
+ element 00000000 : 0 [end] element 00000004 : 0 [end] element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end]
ip test-ip4 input
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
diff --git a/tests/py/ip6/ip6.t b/tests/py/ip6/ip6.t
index a266fddfb5783..985c21625691e 100644
--- a/tests/py/ip6/ip6.t
+++ b/tests/py/ip6/ip6.t
@@ -14,7 +14,7 @@ ip6 dscp cs1;ok
ip6 dscp != cs1;ok
ip6 dscp 0x38;ok;ip6 dscp cs7
ip6 dscp != 0x20;ok;ip6 dscp != cs4
-ip6 dscp {cs0, le, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
+ip6 dscp {cs0, "le", cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter;ok
ip6 flowlabel 22;ok
diff --git a/tests/py/ip6/ip6.t.json b/tests/py/ip6/ip6.t.json
index a46c2b1f50553..943f5411a9cc7 100644
--- a/tests/py/ip6/ip6.t.json
+++ b/tests/py/ip6/ip6.t.json
@@ -62,7 +62,7 @@
}
]
-# ip6 dscp {cs0, le, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+# ip6 dscp {cs0, "le", cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
[
{
"match": {
diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet
index ada1c5f020511..aafb027fdc424 100644
--- a/tests/py/ip6/ip6.t.payload.inet
+++ b/tests/py/ip6/ip6.t.payload.inet
@@ -30,10 +30,10 @@ inet test-inet input
[ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000008 ]
-# ip6 dscp {cs0, le, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+# ip6 dscp {cs0, "le", cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
__set%d test-inet 3
__set%d test-inet 0
- element 00000000 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00008002 : 0 [end] element 00000003 : 0 [end] element 00008003 : 0 [end] element 00008004 : 0 [end] element 00000005 : 0 [end] element 00008005 : 0 [end] element 00008006 : 0 [end] element 00000007 : 0 [end] element 00008007 : 0 [end] element 00008008 : 0 [end] element 00000009 : 0 [end] element 00008009 : 0 [end] element 0000800b : 0 [end]
+ element 00000000 : 0 [end] element 00004000 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00008002 : 0 [end] element 00000003 : 0 [end] element 00008003 : 0 [end] element 00008004 : 0 [end] element 00000005 : 0 [end] element 00008005 : 0 [end] element 00008006 : 0 [end] element 00000007 : 0 [end] element 00008007 : 0 [end] element 00008008 : 0 [end] element 00000009 : 0 [end] element 00008009 : 0 [end] element 0000800b : 0 [end]
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6
index efab25565d09b..632b222e1b43a 100644
--- a/tests/py/ip6/ip6.t.payload.ip6
+++ b/tests/py/ip6/ip6.t.payload.ip6
@@ -22,10 +22,10 @@ ip6 test-ip6 input
[ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000008 ]
-# ip6 dscp {cs0, le, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+# ip6 dscp {cs0, "le", cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
__set%d test-ip6 3
__set%d test-ip6 0
- element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00000000 : 0 [end] element 00008002 : 0 [end] element 00000003 : 0 [end] element 00008003 : 0 [end] element 00008004 : 0 [end] element 00000005 : 0 [end] element 00008005 : 0 [end] element 00008006 : 0 [end] element 00000007 : 0 [end] element 00008007 : 0 [end] element 00008008 : 0 [end] element 00000009 : 0 [end] element 00008009 : 0 [end] element 0000800b : 0 [end]
+ element 00000000 : 0 [end] element 00004000 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00008002 : 0 [end] element 00000003 : 0 [end] element 00008003 : 0 [end] element 00008004 : 0 [end] element 00000005 : 0 [end] element 00008005 : 0 [end] element 00008006 : 0 [end] element 00000007 : 0 [end] element 00008007 : 0 [end] element 00008008 : 0 [end] element 00000009 : 0 [end] element 00008009 : 0 [end] element 0000800b : 0 [end]
ip6 test-ip6 input
[ payload load 2b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [nft PATCH 8/9] tests/py: Fix JSON expexted output after expr merge change
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
` (6 preceding siblings ...)
2019-05-09 11:35 ` [nft PATCH 7/9] tests/py: Fix for ip dscp symbol "le" Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 11:35 ` [nft PATCH 9/9] tests/py: Fix JSON expected output for icmpv6 code values Phil Sutter
2019-05-09 15:00 ` [nft PATCH 0/9] Testsuite-indicated fixes for JSON Pablo Neira Ayuso
9 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Looks like original patch missed this one.
Fixes: 88ba0c92754d8 ("tests: fix up expected payloads after expr merge change")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/py/inet/tcp.t.json.output | 44 ++-------------------------------
1 file changed, 2 insertions(+), 42 deletions(-)
diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output
index 143490f7322d2..0f7a593b788c1 100644
--- a/tests/py/inet/tcp.t.json.output
+++ b/tests/py/inet/tcp.t.json.output
@@ -23,32 +23,8 @@
}
]
-# tcp sequence 0 tcp sport 1024 tcp dport 22
+# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": 1024
- }
- },
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": 22
- }
- },
{
"match": {
"left": {
@@ -60,11 +36,7 @@
"op": "==",
"right": 0
}
- }
-]
-
-# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
-[
+ },
{
"match": {
"left": {
@@ -93,18 +65,6 @@
"op": "==",
"right": 22
}
- },
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": 0
- }
}
]
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [nft PATCH 9/9] tests/py: Fix JSON expected output for icmpv6 code values
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
` (7 preceding siblings ...)
2019-05-09 11:35 ` [nft PATCH 8/9] tests/py: Fix JSON expexted output after expr merge change Phil Sutter
@ 2019-05-09 11:35 ` Phil Sutter
2019-05-09 15:00 ` [nft PATCH 0/9] Testsuite-indicated fixes for JSON Pablo Neira Ayuso
9 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Reverse translation is happening for values which are known, even if
they are part of a range. In contrast to standard output, this is OK
because in JSON lower and upper bounds are properties and there is no
ambiguity if names contain a dash.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/py/ip6/icmpv6.t.json.output | 59 +++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
diff --git a/tests/py/ip6/icmpv6.t.json.output b/tests/py/ip6/icmpv6.t.json.output
index 17032a03d80bd..3a1066211f56b 100644
--- a/tests/py/ip6/icmpv6.t.json.output
+++ b/tests/py/ip6/icmpv6.t.json.output
@@ -109,6 +109,24 @@
}
]
+# icmpv6 code 3-66
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ "addr-unreachable", 66 ]
+ }
+ }
+ }
+]
+
# icmpv6 code {5, 6, 7} accept
[
{
@@ -133,3 +151,44 @@
"accept": null
}
]
+
+# icmpv6 code { 3-66}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ "addr-unreachable", 66 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmpv6 code != { 3-66}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ "addr-unreachable", 66 ] }
+ ]
+ }
+ }
+ }
+]
+
--
2.21.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [nft PATCH 0/9] Testsuite-indicated fixes for JSON
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
` (8 preceding siblings ...)
2019-05-09 11:35 ` [nft PATCH 9/9] tests/py: Fix JSON expected output for icmpv6 code values Phil Sutter
@ 2019-05-09 15:00 ` Pablo Neira Ayuso
9 siblings, 0 replies; 14+ messages in thread
From: Pablo Neira Ayuso @ 2019-05-09 15:00 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Thu, May 09, 2019 at 01:35:36PM +0200, Phil Sutter wrote:
> Running tests/py/nft-test.py with -j flag and trying to eliminate
> errors/warnings resulted in the following series of fixes. They are
> about half and half changes to code and test cases.
Series applied, thanks Phil.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [nft PATCH 7/9] tests/py: Fix for ip dscp symbol "le"
2019-05-09 11:35 ` [nft PATCH 7/9] tests/py: Fix for ip dscp symbol "le" Phil Sutter
@ 2019-05-09 15:11 ` Pablo Neira Ayuso
2019-05-09 15:11 ` Pablo Neira Ayuso
0 siblings, 1 reply; 14+ messages in thread
From: Pablo Neira Ayuso @ 2019-05-09 15:11 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel, logan
On Thu, May 09, 2019 at 01:35:43PM +0200, Phil Sutter wrote:
> In scanner.l, that name is defined as alternative to "<=" symbol. To
> avoid the clash, it must be quoted on input.
>
> Fixes: 55715486efba4 ("proto: support for draft-ietf-tsvwg-le-phb-10.txt")
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
> Note that nft still produces invalid output since it doesn't quote
> symbol table values.
I have reverted 55715486efba42 by now, I overlook that tests/py/ were
never run because the update for non-json is broken. @Logan: Please,
fix this and resubmit.
BTW, a trick similar to what we do in primary_rhs_expr to deal with
the "le" token showing as a constant value will be needed.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [nft PATCH 7/9] tests/py: Fix for ip dscp symbol "le"
2019-05-09 15:11 ` Pablo Neira Ayuso
@ 2019-05-09 15:11 ` Pablo Neira Ayuso
2019-05-09 15:37 ` Phil Sutter
0 siblings, 1 reply; 14+ messages in thread
From: Pablo Neira Ayuso @ 2019-05-09 15:11 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel, logan
On Thu, May 09, 2019 at 05:11:06PM +0200, Pablo Neira Ayuso wrote:
> On Thu, May 09, 2019 at 01:35:43PM +0200, Phil Sutter wrote:
> > In scanner.l, that name is defined as alternative to "<=" symbol. To
> > avoid the clash, it must be quoted on input.
> >
> > Fixes: 55715486efba4 ("proto: support for draft-ietf-tsvwg-le-phb-10.txt")
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> > Note that nft still produces invalid output since it doesn't quote
> > symbol table values.
>
> I have reverted 55715486efba42 by now, I overlook that tests/py/ were
> never run because the update for non-json is broken. @Logan: Please,
> fix this and resubmit.
>
> BTW, a trick similar to what we do in primary_rhs_expr to deal with
> the "le" token showing as a constant value will be needed.
For the record, this 7/9 patch was left behind, not needed after the
revert.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [nft PATCH 7/9] tests/py: Fix for ip dscp symbol "le"
2019-05-09 15:11 ` Pablo Neira Ayuso
@ 2019-05-09 15:37 ` Phil Sutter
0 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2019-05-09 15:37 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, logan
On Thu, May 09, 2019 at 05:11:35PM +0200, Pablo Neira Ayuso wrote:
> On Thu, May 09, 2019 at 05:11:06PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, May 09, 2019 at 01:35:43PM +0200, Phil Sutter wrote:
> > > In scanner.l, that name is defined as alternative to "<=" symbol. To
> > > avoid the clash, it must be quoted on input.
> > >
> > > Fixes: 55715486efba4 ("proto: support for draft-ietf-tsvwg-le-phb-10.txt")
> > > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > > ---
> > > Note that nft still produces invalid output since it doesn't quote
> > > symbol table values.
> >
> > I have reverted 55715486efba42 by now, I overlook that tests/py/ were
> > never run because the update for non-json is broken. @Logan: Please,
> > fix this and resubmit.
> >
> > BTW, a trick similar to what we do in primary_rhs_expr to deal with
> > the "le" token showing as a constant value will be needed.
I'm not sure if that's possible - I would expect shift-reduce conflicts
since the parser can't decide between 'ip6 dscp <= cs1' and 'ip6 dscp
le'.
> For the record, this 7/9 patch was left behind, not needed after the
> revert.
Sure, it wasn't a complete fix anyway.
Thanks, Phil
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2019-05-09 15:37 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-09 11:35 [nft PATCH 0/9] Testsuite-indicated fixes for JSON Phil Sutter
2019-05-09 11:35 ` [nft PATCH 1/9] json: Support nat in inet family Phil Sutter
2019-05-09 11:35 ` [nft PATCH 2/9] parser_json: Fix igmp support Phil Sutter
2019-05-09 11:35 ` [nft PATCH 3/9] netlink: Fix printing of zero-length prefixes Phil Sutter
2019-05-09 11:35 ` [nft PATCH 4/9] tests/py: Fix JSON equivalents of osf tests Phil Sutter
2019-05-09 11:35 ` [nft PATCH 5/9] json: Fix tproxy support regarding latest changes Phil Sutter
2019-05-09 11:35 ` [nft PATCH 6/9] parser_json: Fix ct timeout object support Phil Sutter
2019-05-09 11:35 ` [nft PATCH 7/9] tests/py: Fix for ip dscp symbol "le" Phil Sutter
2019-05-09 15:11 ` Pablo Neira Ayuso
2019-05-09 15:11 ` Pablo Neira Ayuso
2019-05-09 15:37 ` Phil Sutter
2019-05-09 11:35 ` [nft PATCH 8/9] tests/py: Fix JSON expexted output after expr merge change Phil Sutter
2019-05-09 11:35 ` [nft PATCH 9/9] tests/py: Fix JSON expected output for icmpv6 code values Phil Sutter
2019-05-09 15:00 ` [nft PATCH 0/9] Testsuite-indicated fixes for JSON Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).