Netfilter-Devel Archive on lore.kernel.org
* [PATCH nft] tests: Introduce test for insertion of overlapping and non-overlapping ranges
@ 2020-03-05 20:34 Stefano Brivio
  2020-03-26 14:08 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Stefano Brivio @ 2020-03-05 20:34 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Phil Sutter, netfilter-devel

Insertion of overlapping ranges should return success only if the new
elements are identical to existing ones, or, for concatenated ranges,
if the new element is less specific (in all its fields) than any
existing one.

Note that, in case the range is identical to an existing one, insertion
won't actually be performed, but no error will be returned either on
'add element'.

This was inspired by a failing case reported by Phil Sutter (where
concatenated overlapping ranges would fail insertion silently) and is
fixed by kernel series with subject:
	nftables: Consistently report partial and entire set overlaps

With that series, these tests now pass also if the call to set_overlap()
on insertion is skipped. Partial or entire overlapping was already
detected by the kernel for concatenated ranges (nft_set_pipapo) from
the beginning, and that series makes the nft_set_rbtree implementation
consistent in terms of detection and reporting. Without that, overlap
checks are performed by nft but not guaranteed by the kernel.

However, we can't just drop set_overlap() now, as we need to preserve
compatibility with older kernels.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 .../testcases/sets/0044interval_overlap_0     | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100755 tests/shell/testcases/sets/0044interval_overlap_0

diff --git a/tests/shell/testcases/sets/0044interval_overlap_0 b/tests/shell/testcases/sets/0044interval_overlap_0
new file mode 100755
index 000000000000..fad92ddcf356
--- /dev/null
+++ b/tests/shell/testcases/sets/0044interval_overlap_0
@@ -0,0 +1,66 @@
+#!/bin/sh -e
+#
+# 0044interval_overlap_0 - Add overlapping and non-overlapping intervals
+#
+# Check that adding overlapping intervals to a set returns an error, unless:
+# - the inserted element overlaps entirely, that is, it's identical to an
+#   existing one
+# - for concatenated ranges, the new element is less specific than any existing
+#   overlapping element, as elements are evaluated in order of insertion
+
+#	Accept	Interval	List
+intervals_simple="
+	y	 0 -  2		0-2
+	y	 0 -  2		0-2
+	n	 0 -  1		0-2
+	n	 0 -  3		0-2
+	y	 3 - 10		0-2, 3-10
+	n	 3 -  9		0-2, 3-10
+	n	 4 - 10		0-2, 3-10
+	n	 4 -  9		0-2, 3-10
+	y	20 - 30		0-2, 3-10, 20-30
+	y	11 - 12		0-2, 3-10, 11-12, 20-30
+	y	13 - 19		0-2, 3-10, 11-12, 13-19, 20-30
+	n	25 - 40		0-2, 3-10, 11-12, 13-19, 20-30
+	y	50 - 60		0-2, 3-10, 11-12, 13-19, 20-30, 50-60
+	y	31 - 49		0-2, 3-10, 11-12, 13-19, 20-30, 31-49, 50-60
+	n	59 - 60		0-2, 3-10, 11-12, 13-19, 20-30, 31-49, 50-60
+"
+
+intervals_concat="
+	y	0-2 . 0-3	0-2 . 0-3
+	y	0-2 . 0-3	0-2 . 0-3
+	n	0-1 . 0-2	0-2 . 0-3
+	y	10-20 . 30-40	0-2 . 0-3, 10-20 . 30-40
+	n	15-20 . 50-60	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60
+	y	3-9 . 4-29	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+	y	3-9 . 4-29	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+	n	11-19 . 30-40	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+	y	15-20 . 49-61	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29, 15-20 . 49-61
+"
+
+$NFT add table t
+$NFT add set t s '{ type inet_service ; flags interval ; }'
+$NFT add set t c '{ type inet_service . inet_service ; flags interval ; }'
+
+IFS='	
+'
+set="s"
+for t in ${intervals_simple} switch ${intervals_concat}; do
+	[ "${t}" = "switch" ] && set="c"         && continue
+	[ -z "${pass}" ]      && pass="${t}"     && continue
+	[ -z "${interval}" ]  && interval="${t}" && continue
+
+	if [ "${pass}" = "y" ]; then
+		$NFT add element t ${set} "{ ${interval} }"
+	else
+		! $NFT add element t ${set} "{ ${interval} }" 2>/dev/null
+	fi
+	$NFT list set t ${set} | tr -d '\n\t' | tr -s ' ' | \
+		grep -q "elements = { ${t} }"
+
+	pass=
+	interval=
+done
+
+unset IFS
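Review bot: The rejection check in the else branch, `! $NFT add element t ${set} "{ ${interval} }" 2>/dev/null`, cannot fail the test by itself. Under `#!/bin/sh -e`, errexit is ignored for a pipeline that begins with `!`, so an add that unexpectedly succeeds simply falls through to the `list set` comparison. That comparison is then the only enforcement, and it does not hold for the `intervals_concat` row `n 15-20 . 50-60`: its expected list already contains `15-20 . 50-60`, so the grep matches only if the add succeeded, which contradicts the `n` flag. Suggest making the rejection explicit, for example `if $NFT add element t ${set} "{ ${interval} }" 2>/dev/null; then exit 1; fi`, and then correcting either the flag or the expected list on that row.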
-- 
2.25.1



* Re: [PATCH nft] tests: Introduce test for insertion of overlapping and non-overlapping ranges
  2020-03-05 20:34 [PATCH nft] tests: Introduce test for insertion of overlapping and non-overlapping ranges Stefano Brivio
@ 2020-03-26 14:08 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-26 14:08 UTC (permalink / raw)
  To: Stefano Brivio; +Cc: Phil Sutter, netfilter-devel

On Thu, Mar 05, 2020 at 09:34:11PM +0100, Stefano Brivio wrote:
> Insertion of overlapping ranges should return success only if the new
> elements are identical to existing ones, or, for concatenated ranges,
> if the new element is less specific (in all its fields) than any
> existing one.
> 
> Note that, in case the range is identical to an existing one, insertion
> won't actually be performed, but no error will be returned either on
> 'add element'.
> 
> This was inspired by a failing case reported by Phil Sutter (where
> concatenated overlapping ranges would fail insertion silently) and is
> fixed by kernel series with subject:
> 	nftables: Consistently report partial and entire set overlaps
> 
> With that series, these tests now pass also if the call to set_overlap()
> on insertion is skipped. Partial or entire overlapping was already
> detected by the kernel for concatenated ranges (nft_set_pipapo) from
> the beginning, and that series makes the nft_set_rbtree implementation
> consistent in terms of detection and reporting. Without that, overlap
> checks are performed by nft but not guaranteed by the kernel.
> 
> However, we can't just drop set_overlap() now, as we need to preserve
> compatibility with older kernels.

Applied, thanks.
