Netfilter-Devel Archive on lore.kernel.org
* [PATCH nft v5] tests: Introduce test for set with concatenated ranges
@ 2020-02-14 15:27 Stefano Brivio
  2020-02-14 16:02 ` Phil Sutter
  2020-02-19 17:53 ` Pablo Neira Ayuso
  0 siblings, 2 replies; 3+ messages in thread
From: Stefano Brivio @ 2020-02-14 15:27 UTC (permalink / raw)
  To: Pablo Neira Ayuso, netfilter-devel
  Cc: Florian Westphal, Kadlecsik József, Eric Garver, Phil Sutter

This test checks that set elements can be added, deleted, that
addition and deletion are refused when appropriate, that entries
time out properly, and that they can be fetched by matching values
in the given ranges.

v5:
 - speed this up by performing the timeout test for one single
   permutation (Phil Sutter), by decreasing the number of
   permutations from 96 to 12 if this is invoked by run-tests.sh
   (Pablo Neira Ayuso) and by combining some commands into single
   nft calls where possible: with dash 0.5.8 on AMD Epyc 7351 the
   test now takes 1.8s instead of 82.5s
 - renumber test to 0043, 0042 was added meanwhile
v4: No changes
v3:
 - renumber test to 0042, 0041 was added meanwhile
v2:
 - actually check an IPv6 prefix, instead of specifying everything
   as explicit ranges in ELEMS_ipv6_addr
 - renumber test to 0041, 0038 already exists

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 .../testcases/sets/0043concatenated_ranges_0  | 180 ++++++++++++++++++
 1 file changed, 180 insertions(+)
 create mode 100755 tests/shell/testcases/sets/0043concatenated_ranges_0

diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_0 b/tests/shell/testcases/sets/0043concatenated_ranges_0
new file mode 100755
index 000000000000..a783dacc361c
--- /dev/null
+++ b/tests/shell/testcases/sets/0043concatenated_ranges_0
@@ -0,0 +1,180 @@
+#!/bin/sh -e
+#
+# 0043concatenated_ranges_0 - Add, get, list, timeout for concatenated ranges
+#
+# Cycle over supported data types, forming concatenations of three fields, for
+# all possible permutations, and:
+# - add entries to set
+# - list them
+# - check that they can't be added again
+# - get entries by specifying a value matching ranges for all fields
+# - delete them
+# - add them with 1s timeout
+# - check that they can't be added again right away
+# - check that they are not listed after 1s, just once, for the first entry
+# - delete them
+# - make sure they can't be deleted again
+
+if [ "$(ps -o comm= $PPID)" = "run-tests.sh" ]; then
+	# Skip some permutations on a full test suite run to keep it quick
+	TYPES="ipv4_addr ipv6_addr ether_addr inet_service"
+else
+	TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark"
+fi
+
+RULESPEC_ipv4_addr="ip saddr"
+ELEMS_ipv4_addr="192.0.2.1 198.51.100.0/25 203.0.113.0-203.0.113.129"
+ADD_ipv4_addr="192.0.2.252/31"
+GET_ipv4_addr="198.51.100.127 198.51.100.0/25"
+
+RULESPEC_ipv6_addr="ip6 daddr"
+ELEMS_ipv6_addr="2001:db8:c0c:c0de::1-2001:db8:cacc::a 2001:db8::1 2001:db8:dada:da::/64"
+ADD_ipv6_addr="2001:db8::d1ca:d1ca"
+GET_ipv6_addr="2001:db8::1 2001:db8::1"
+
+RULESPEC_ether_addr="ether saddr"
+ELEMS_ether_addr="00:0a:c1:d1:f1:ed-00:0a:c1:dd:ec:af 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00 f0:ca:cc:1a:b0:1a"
+ADD_ether_addr="00:be:1d:ed:ab:e1"
+GET_ether_addr="ac:c1:ac:c0:ce:c0 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00"
+
+RULESPEC_inet_proto="meta l4proto"
+ELEMS_inet_proto="tcp udp icmp"
+ADD_inet_proto="sctp"
+GET_inet_proto="udp udp"
+
+RULESPEC_inet_service="tcp dport"
+ELEMS_inet_service="22-23 1024-32768 31337"
+ADD_inet_service="32769-65535"
+GET_inet_service="32768 1024-32768"
+
+RULESPEC_mark="mark"
+ELEMS_mark="0x00000064-0x000000c8 0x0000006f 0x0000fffd-0x0000ffff"
+ADD_mark="0x0000002a"
+GET_mark="0x0000006f 0x0000006f"
+
+tmp="$(mktemp)"
+trap "rm -f ${tmp}" EXIT
+
+render() {
+	eval "echo \"$(cat ${1})\""
+}
+
+cat <<'EOF' > "${tmp}"
+flush ruleset
+
+table inet filter {
+	set test {
+		type ${ta} . ${tb} . ${tc}
+		flags interval,timeout
+		elements = { ${a1} . ${b1} . ${c1} ,
+			     ${a2} . ${b2} . ${c2} ,
+			     ${a3} . ${b3} . ${c3} }
+	}
+
+	chain output {
+		type filter hook output priority 0; policy accept;
+		${sa} . ${sb} . ${sc} @test counter
+	}
+}
+EOF
+
+timeout_tested=0
+for ta in ${TYPES}; do
+	eval a=\$ELEMS_${ta}
+	a1=${a%% *}; a2=$(expr "$a" : ".* \(.*\) .*"); a3=${a##* }
+	eval sa=\$RULESPEC_${ta}
+
+	for tb in ${TYPES}; do
+		[ "${tb}" = "${ta}" ] && continue
+		if [ "${tb}" = "ipv6_addr" ]; then
+			[ "${ta}" = "ipv4_addr" ] && continue
+		elif [ "${tb}" = "ipv4_addr" ]; then
+			[ "${ta}" = "ipv6_addr" ] && continue
+		fi
+
+		eval b=\$ELEMS_${tb}
+		b1=${b%% *}; b2=$(expr "$b" : ".* \(.*\) .*"); b3=${b##* }
+		eval sb=\$RULESPEC_${tb}
+
+		for tc in ${TYPES}; do
+			[ "${tc}" = "${ta}" ] && continue
+			[ "${tc}" = "${tb}" ] && continue
+			if [ "${tc}" = "ipv6_addr" ]; then
+				[ "${ta}" = "ipv4_addr" ] && continue
+				[ "${tb}" = "ipv4_addr" ] && continue
+			elif [ "${tc}" = "ipv4_addr" ]; then
+				[ "${ta}" = "ipv6_addr" ] && continue
+				[ "${tb}" = "ipv6_addr" ] && continue
+			fi
+
+			echo "TYPE: ${ta} ${tb} ${tc}"
+
+			eval c=\$ELEMS_${tc}
+			c1=${c%% *}; c2=$(expr "$c" : ".* \(.*\) .*"); c3=${c##* }
+			eval sc=\$RULESPEC_${tc}
+
+			render ${tmp} | ${NFT} -f -
+
+			[ $(${NFT} list set inet filter test |		\
+			   grep -c -e "${a1} . ${b1} . ${c1}"		\
+				   -e "${a2} . ${b2} . ${c2}"		\
+				   -e "${a3} . ${b3} . ${c3}") -eq 3 ]
+
+			! ${NFT} "add element inet filter test \
+				  { ${a1} . ${b1} . ${c1} };
+				  add element inet filter test \
+				  { ${a2} . ${b2} . ${c2} };
+				  add element inet filter test \
+				  { ${a3} . ${b3} . ${c3} }" 2>/dev/null
+
+			${NFT} delete element inet filter test \
+				"{ ${a1} . ${b1} . ${c1} }"
+			! ${NFT} delete element inet filter test \
+				"{ ${a1} . ${b1} . ${c1} }" 2>/dev/null
+
+			eval add_a=\$ADD_${ta}
+			eval add_b=\$ADD_${tb}
+			eval add_c=\$ADD_${tc}
+			${NFT} add element inet filter test \
+				"{ ${add_a} . ${add_b} . ${add_c} timeout 1s}"
+			[ $(${NFT} list set inet filter test |		\
+			   grep -c "${add_a} . ${add_b} . ${add_c}") -eq 1 ]
+			! ${NFT} add element inet filter test \
+				"{ ${add_a} . ${add_b} . ${add_c} timeout 1s}" \
+				2>/dev/null
+
+			eval get_a=\$GET_${ta}
+			eval get_b=\$GET_${tb}
+			eval get_c=\$GET_${tc}
+			exp_a=${get_a##* }; get_a=${get_a%% *}
+			exp_b=${get_b##* }; get_b=${get_b%% *}
+			exp_c=${get_c##* }; get_c=${get_c%% *}
+			[ $(${NFT} get element inet filter test 	\
+			   "{ ${get_a} . ${get_b} . ${get_c} }" |	\
+			   grep -c "${exp_a} . ${exp_b} . ${exp_c}") -eq 1 ]
+
+			${NFT} "delete element inet filter test \
+				{ ${a2} . ${b2} . ${c2} };
+				delete element inet filter test \
+				{ ${a3} . ${b3} . ${c3} }"
+			! ${NFT} "delete element inet filter test \
+				  { ${a2} . ${b2} . ${c2} };
+				  delete element inet filter test \
+				  { ${a3} . ${b3} . ${c3} }" 2>/dev/null
+
+			if [ ${timeout_tested} -eq 1 ]; then
+				${NFT} delete element inet filter test \
+					"{ ${add_a} . ${add_b} . ${add_c} }"
+				! ${NFT} delete element inet filter test \
+					"{ ${add_a} . ${add_b} . ${add_c} }" \
+					2>/dev/null
+				continue
+			fi
+
+			sleep 1
+			[ $(${NFT} list set inet filter test |		\
+			   grep -c "${add_a} . ${add_b} . ${add_c}") -eq 0 ]
+			timeout_tested=1
+		done
+	done
+done
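Review bot: the negative checks in this hunk never fail the test under `#!/bin/sh -e`, because POSIX `set -e` is ignored for a pipeline that begins with `!` (the same exemption that makes `cmd || true` work). If the duplicate insert at `! ${NFT} "add element inet filter test \` or the repeated delete at `! ${NFT} delete element inet filter test \` / `"{ ${a1} . ${b1} . ${c1} }" 2>/dev/null` unexpectedly succeeds, the inverted status of 1 is dropped and the script carries on, so the "check that they can't be added again" and "make sure they can't be deleted again" steps from the header comment are not enforced; the same applies to the `!` lines for the timeout element and for `${a2}`/`${a3}`. The positive `[ $(... | grep -c ...) -eq N ]` checks are fine, since a failing `[` does abort. Suggest making success the error in the negative cases, e.g. `${NFT} delete element inet filter test "{ ${a1} . ${b1} . ${c1} }" 2>/dev/null && exit 1` (or an `if ...; then exit 1; fi`), which keeps the expected failure non-fatal as a non-final command of the AND list and turns an unexpected success into a test failure.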
-- 
2.25.0



* Re: [PATCH nft v5] tests: Introduce test for set with concatenated ranges
  2020-02-14 15:27 [PATCH nft v5] tests: Introduce test for set with concatenated ranges Stefano Brivio
@ 2020-02-14 16:02 ` Phil Sutter
  2020-02-19 17:53 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 3+ messages in thread
From: Phil Sutter @ 2020-02-14 16:02 UTC (permalink / raw)
  To: Stefano Brivio
  Cc: Pablo Neira Ayuso, netfilter-devel, Florian Westphal,
	Kadlecsik József, Eric Garver

On Fri, Feb 14, 2020 at 04:27:25PM +0100, Stefano Brivio wrote:
> This test checks that set elements can be added, deleted, that
> addition and deletion are refused when appropriate, that entries
> time out properly, and that they can be fetched by matching values
> in the given ranges.
> 
> v5:
>  - speed this up by performing the timeout test for one single
>    permutation (Phil Sutter), by decreasing the number of
>    permutations from 96 to 12 if this is invoked by run-tests.sh
>    (Pablo Neira Ayuso) and by combining some commands into single
>    nft calls where possible: with dash 0.5.8 on AMD Epyc 7351 the
>    test now takes 1.8s instead of 82.5s
>  - renumber test to 0043, 0042 was added meanwhile
> v4: No changes
> v3:
>  - renumber test to 0042, 0041 was added meanwhile
> v2:
>  - actually check an IPv6 prefix, instead of specifying everything
>    as explicit ranges in ELEMS_ipv6_addr
>  - renumber test to 0041, 0038 already exists
> 
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Acked-by: Phil Sutter <phil@nwl.cc>

Thanks!


* Re: [PATCH nft v5] tests: Introduce test for set with concatenated ranges
  2020-02-14 15:27 [PATCH nft v5] tests: Introduce test for set with concatenated ranges Stefano Brivio
  2020-02-14 16:02 ` Phil Sutter
@ 2020-02-19 17:53 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2020-02-19 17:53 UTC (permalink / raw)
  To: Stefano Brivio
  Cc: netfilter-devel, Florian Westphal, Kadlecsik József,
	Eric Garver, Phil Sutter

On Fri, Feb 14, 2020 at 04:27:25PM +0100, Stefano Brivio wrote:
> This test checks that set elements can be added, deleted, that
> addition and deletion are refused when appropriate, that entries
> time out properly, and that they can be fetched by matching values
> in the given ranges.

Applied, thanks Stefano.

