* [nft PATCH 0/7] A bunch of JSON printer/parser fixes
@ 2024-03-09 11:35 Phil Sutter
2024-03-09 11:35 ` [nft PATCH 1/7] tests: shell: maps/named_ct_objects: Fix for recent kernel Phil Sutter
` (8 more replies)
0 siblings, 9 replies; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Fix the following flaws in JSON input/output code:

* Patch 3:
  Wrong ordering of 'nft -j list ruleset' preventing a following restore
  of the dump. Code assumed dumping objects before chains was fine in
  all cases, when actually verdict maps may reference chains already.
  Dump like nft_cmd_expand() does when expanding nested syntax for
  kernel submission (chains first, objects second, finally rules).

* Patch 5:
  Maps may contain concatenated "targets". Both printer and parser were
  entirely ignorant of that fact.

* Patch 6:
  Synproxy objects were "mostly" supported, some hooks missing to
  cover for named ones.

Patch 4 applies the new ordering to all stored json-nft dumps. Patch 7
adds new dumps which are now parseable given the fixes above.

Patches 1 and 2 are fallout fixes to initially make the whole shell
testsuite pass on my testing system.

Bugs still present after this series:

* Nested chains remain entirely unsupported
* Maps specifying interval "targets" (i.e., set->data->flags contains
  EXPR_F_INTERVAL bit) will be printed like regular ones and the parser
  then rejects them.

Phil Sutter (7):
tests: shell: maps/named_ct_objects: Fix for recent kernel
tests: shell: packetpath/flowtables: Avoid spurious EPERM
json: Order output like nft_cmd_expand()
tests: shell: Regenerate all json-nft dumps
json: Support maps with concatenated data
parser: json: Support for synproxy objects
tests: shell: Add missing json-nft dumps
src/json.c | 18 +-
src/parser_json.c | 35 +-
.../dumps/0001_cache_handling_0.json-nft | 16 +-
.../dumps/0005_cache_chain_flush.json-nft | 28 +-
.../dumps/0006_cache_table_flush.json-nft | 28 +-
.../dumps/0011endless_jump_loop_1.json-nft | 75 +++
.../comments/dumps/comments_0.json-nft | 16 +-
.../flowtable/dumps/0001flowtable_0.json-nft | 16 +-
.../dumps/0005delete_in_use_1.json-nft | 16 +-
.../dumps/0014addafterdelete_0.json-nft | 22 +-
.../json/dumps/0001set_statements_0.json-nft | 24 +-
.../json/dumps/0005secmark_objref_0.json-nft | 18 +-
.../listing/dumps/0013objects_0.json-nft | 16 +-
.../dumps/0021ruleset_json_terse_0.json-nft | 16 +-
.../listing/dumps/0022terse_0.json-nft | 24 +-
.../dumps/0007named_ifname_dtype_0.json-nft | 16 +-
.../dumps/0008interval_map_delete_0.json-nft | 24 +-
.../maps/dumps/0010concat_map_0.json-nft | 106 ++++
.../testcases/maps/dumps/0011vmap_0.json-nft | 145 +++++
.../testcases/maps/dumps/0012map_0.json-nft | 16 +-
.../maps/dumps/0012map_concat_0.json-nft | 24 +-
.../testcases/maps/dumps/0013map_0.json-nft | 24 +-
.../maps/dumps/0024named_objects_0.json-nft | 165 ++++++
.../maps/dumps/anon_objmap_concat.json-nft | 24 +-
.../dumps/map_catchall_double_free_2.json-nft | 46 ++
.../testcases/maps/dumps/named_ct_objects.nft | 4 +-
.../maps/dumps/named_limits.json-nft | 24 +-
.../maps/dumps/named_snat_map_0.json-nft | 16 +-
.../maps/dumps/pipapo_double_flush.json-nft | 16 +-
.../dumps/typeof_maps_add_delete.json-nft | 40 +-
.../maps/dumps/typeof_maps_update_0.json-nft | 32 +-
.../maps/dumps/vmap_mark_bitwise_0.json-nft | 158 +++++
.../maps/dumps/vmap_timeout.json-nft | 229 ++++++++
tests/shell/testcases/maps/named_ct_objects | 2 -
.../nft-f/dumps/0002rollback_rule_0.json-nft | 22 +-
.../nft-f/dumps/0003rollback_jump_0.json-nft | 22 +-
.../nft-f/dumps/0004rollback_set_0.json-nft | 22 +-
.../nft-f/dumps/0005rollback_map_0.json-nft | 22 +-
.../nft-f/dumps/0017ct_timeout_obj_0.json-nft | 16 +-
.../dumps/0018ct_expectation_obj_0.json-nft | 16 +-
.../nft-f/dumps/0022variables_0.json-nft | 24 +-
.../nft-f/dumps/0029split_file_0.json-nft | 18 +-
.../nft-f/dumps/0032pknock_0.json-nft | 24 +-
.../optimizations/dumps/merge_vmaps.json-nft | 26 +-
.../optimizations/dumps/skip_merge.json-nft | 32 +-
.../dumps/skip_unsupported.json-nft | 16 +-
.../dumps/comments_objects_0.json-nft | 102 ++++
.../owner/dumps/0002-persist.json-nft | 19 +
.../testcases/owner/dumps/0002-persist.nft | 3 +
.../packetpath/dumps/set_lookups.json-nft | 24 +-
tests/shell/testcases/packetpath/flowtables | 6 +-
.../dumps/0011reset_0.json-nft | 32 +-
.../sets/dumps/0001named_interval_0.json-nft | 16 +-
.../dumps/0008create_verdict_map_0.json-nft | 78 +++
.../dumps/0022type_selective_flush_0.json-nft | 16 +-
.../sets/dumps/0024synproxy_0.json-nft | 131 +++++
.../sets/dumps/0026named_limit_0.json-nft | 22 +-
.../sets/dumps/0028autoselect_0.json-nft | 24 +-
.../0037_set_with_inet_service_0.json-nft | 24 +-
.../sets/dumps/0038meter_list_0.json-nft | 16 +-
.../sets/dumps/0042update_set_0.json-nft | 16 +-
.../dumps/0043concatenated_ranges_0.json-nft | 24 +-
.../dumps/0045concat_ipv4_service.json-nft | 16 +-
.../sets/dumps/0048set_counters_0.json-nft | 24 +-
.../sets/dumps/0049set_define_0.json-nft | 24 +-
.../dumps/0051set_interval_counter_0.json-nft | 24 +-
.../dumps/0058_setupdate_timeout_0.json-nft | 16 +-
.../dumps/0059set_update_multistmt_0.json-nft | 24 +-
.../sets/dumps/0060set_multistmt_0.json-nft | 24 +-
.../sets/dumps/0060set_multistmt_1.json-nft | 24 +-
.../sets/dumps/0064map_catchall_0.json-nft | 16 +-
.../0071unclosed_prefix_interval_0.json-nft | 16 +-
.../sets/dumps/dynset_missing.json-nft | 24 +-
.../testcases/sets/dumps/inner_0.json-nft | 16 +-
.../testcases/sets/dumps/set_eval_0.json-nft | 24 +-
.../sets/dumps/sets_with_ifnames.json-nft | 551 ++++++++++++++++++
.../sets/dumps/type_set_symbol.json-nft | 32 +-
.../transactions/dumps/0040set_0.json-nft | 20 +-
78 files changed, 2490 insertions(+), 677 deletions(-)
create mode 100644 tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/0011vmap_0.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/vmap_timeout.json-nft
create mode 100644 tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft
create mode 100644 tests/shell/testcases/owner/dumps/0002-persist.json-nft
create mode 100644 tests/shell/testcases/owner/dumps/0002-persist.nft
create mode 100644 tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft
create mode 100644 tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft
create mode 100644 tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft
--
2.43.0
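
The ordering problem the cover letter describes for patch 3 can be checked on a JSON dump before it is restored. This is an added example, not code from nft or from the patch author: the function names, the rank table and the sample dump are made up for illustration, and it assumes verdicts are encoded as {"jump": {"target": NAME}} or {"goto": {"target": NAME}} as in libnftables-json. The reordering helper is a coarse whole-ruleset sort, not a reimplementation of nft_cmd_expand().

```python
import json

# Constructed sample, not taken from the test suite: a dump in the pre-fix
# order, where a verdict map is listed before the chain its element jumps to.
OLD_ORDER = json.loads("""
{"nftables": [
  {"metainfo": {"json_schema_version": 1}},
  {"table": {"family": "ip", "name": "x", "handle": 0}},
  {"map": {"family": "ip", "name": "vm", "table": "x", "type": "ipv4_addr",
           "handle": 0, "map": "verdict",
           "elem": [["10.0.0.1", {"jump": {"target": "y"}}]]}},
  {"chain": {"family": "ip", "table": "x", "name": "y", "handle": 0}},
  {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0,
            "expr": [{"accept": null}]}}
]}
""")


def verdict_targets(node):
    """Yield the chain name of every jump/goto verdict found anywhere under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if (key in ("jump", "goto") and isinstance(val, dict)
                    and isinstance(val.get("target"), str)):
                yield val["target"]
            else:
                yield from verdict_targets(val)
    elif isinstance(node, list):
        for item in node:
            yield from verdict_targets(item)


def forward_references(dump):
    """Return (index, kind, name, chain) for each entry that needs a chain
    which has not been declared earlier in the "nftables" array."""
    seen, problems = set(), []
    for index, entry in enumerate(dump.get("nftables", [])):
        for kind, body in entry.items():
            if not isinstance(body, dict):
                continue
            scope = (body.get("family"), body.get("table"))
            if kind == "chain":
                seen.add(scope + (body.get("name"),))
                continue
            targets = list(verdict_targets(body))
            if kind == "rule":
                # A rule also depends on the chain that contains it.
                targets.insert(0, body.get("chain"))
            for target in targets:
                if scope + (target,) not in seen:
                    problems.append((index, kind, body.get("name"), target))
    return problems


# Hypothetical ordering: tables, then chains, then objects/sets/maps/flowtables,
# then rules. sorted() is stable, so relative order inside a rank is kept.
RANK = {"metainfo": 0, "table": 1, "chain": 2, "rule": 4}


def chains_first(dump):
    """Return a copy of the dump with chain entries ahead of anything that may refer to them."""
    def rank(entry):
        return RANK.get(next(iter(entry)), 3)
    return {"nftables": sorted(dump["nftables"], key=rank)}


if __name__ == "__main__":
    for index, kind, name, chain in forward_references(OLD_ORDER):
        print(f"entry {index}: {kind} {name!r} refers to chain {chain!r} before it is declared")
    print("after reordering:", forward_references(chains_first(OLD_ORDER)))
```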
* [nft PATCH 1/7] tests: shell: maps/named_ct_objects: Fix for recent kernel
2024-03-09 11:35 [nft PATCH 0/7] A bunch of JSON printer/parser fixes Phil Sutter
@ 2024-03-09 11:35 ` Phil Sutter
2024-03-09 11:39 ` Florian Westphal
2024-03-09 11:35 ` [nft PATCH 2/7] tests: shell: packetpath/flowtables: Avoid spurious EPERM Phil Sutter
` (7 subsequent siblings)
8 siblings, 1 reply; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Since kernel commit 8059918a1377 ("netfilter: nft_ct: sanitize layer 3
and 4 protocol number in custom expectations"), ct expectations
specifying an l3proto which does not match the table family are
rejected.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/shell/testcases/maps/dumps/named_ct_objects.nft | 4 ++--
tests/shell/testcases/maps/named_ct_objects | 2 --
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/tests/shell/testcases/maps/dumps/named_ct_objects.nft b/tests/shell/testcases/maps/dumps/named_ct_objects.nft
index 59f18932b28ad..457a08ebc32ca 100644
--- a/tests/shell/testcases/maps/dumps/named_ct_objects.nft
+++ b/tests/shell/testcases/maps/dumps/named_ct_objects.nft
@@ -4,7 +4,7 @@ table inet t {
dport 9876
timeout 1m
size 12
- l3proto ip
+ l3proto inet
}
ct expectation exp2 {
@@ -12,7 +12,7 @@ table inet t {
dport 9876
timeout 3s
size 13
- l3proto ip6
+ l3proto inet
}
ct helper myftp {
diff --git a/tests/shell/testcases/maps/named_ct_objects b/tests/shell/testcases/maps/named_ct_objects
index 61b87c1ab14a9..d0bf95012491c 100755
--- a/tests/shell/testcases/maps/named_ct_objects
+++ b/tests/shell/testcases/maps/named_ct_objects
@@ -9,7 +9,6 @@ table inet t {
dport 9876
timeout 1m
size 12
- l3proto ip
}
ct expectation exp2 {
@@ -17,7 +16,6 @@ table inet t {
dport 9876
timeout 3s
size 13
- l3proto ip6
}
ct helper myftp {
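Review bot: both hunks of the test script drop the 'l3proto' line instead of changing it to a value that matches the table, so after this patch neither of the two ct expectations touched here sets 'l3proto' on input and the 'l3proto inet' lines in the updated dump come only from a default. If that is intended, the commit message should say so; otherwise keep an explicit 'l3proto' in one of the expectations so the option is still exercised on input.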
--
2.43.0
* [nft PATCH 2/7] tests: shell: packetpath/flowtables: Avoid spurious EPERM
2024-03-09 11:35 [nft PATCH 0/7] A bunch of JSON printer/parser fixes Phil Sutter
2024-03-09 11:35 ` [nft PATCH 1/7] tests: shell: maps/named_ct_objects: Fix for recent kernel Phil Sutter
@ 2024-03-09 11:35 ` Phil Sutter
2024-03-09 11:35 ` [nft PATCH 3/7] json: Order output like nft_cmd_expand() Phil Sutter
` (6 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
On my system for testing, called socat is not allowed to create the pipe
file in local directory (probably due to sshfs). Specify a likely unique
path in /tmp to avoid such problems.
Fixes: 419c0199774c6 ("tests: shell: add test to cover ct offload by using nft flowtables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/shell/testcases/packetpath/flowtables | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables
index 852a05c6d0ab1..18a57a9b2b726 100755
--- a/tests/shell/testcases/packetpath/flowtables
+++ b/tests/shell/testcases/packetpath/flowtables
@@ -79,17 +79,17 @@ ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86
# A trick to control the timing to send a packet
ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof &
sleep 1
-ip netns exec $C socat -b 2048 PIPE:pipefile TCP:[2001:db8:ffff:22::1]:10001 &
+ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' &
sleep 1
ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; }
ip netns exec $R cat /proc/net/nf_conntrack
sleep 6
ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; }
ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; }
-ip netns exec $C echo "send sth" >> pipefile
+ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd
ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; }
ip netns exec $C sleep 3
-ip netns exec $C echo "send sth" >> pipefile
+ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd
ip netns exec $C sleep 3
ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; }
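Review bot: '/tmp/pipefile-$rnd' in the three changed lines is a predictable name in a world-writable directory, and the script runs with enough privilege for 'ip netns exec', so the two '>>' redirections will follow whatever already exists at that path. Nothing in the hunk shows where '$rnd' is set or that the file is removed afterwards; creating a private directory with 'mktemp -d', placing the pipe inside it and removing it in an exit trap would cover both the name collision and the pre-existing-file case. The listener on the unchanged line near the top of the hunk still opens 'GOPEN:pipefile' relative to the current directory; if that side is meant to use the same file, it needs the new path as well.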
--
2.43.0
* [nft PATCH 3/7] json: Order output like nft_cmd_expand()
2024-03-09 11:35 [nft PATCH 0/7] A bunch of JSON printer/parser fixes Phil Sutter
2024-03-09 11:35 ` [nft PATCH 1/7] tests: shell: maps/named_ct_objects: Fix for recent kernel Phil Sutter
2024-03-09 11:35 ` [nft PATCH 2/7] tests: shell: packetpath/flowtables: Avoid spurious EPERM Phil Sutter
@ 2024-03-09 11:35 ` Phil Sutter
2024-03-09 11:35 ` [nft PATCH 4/7] tests: shell: Regenerate all json-nft dumps Phil Sutter
` (5 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Print empty chain add commands early in list so following verdict maps
and rules referring to them won't cause spurious errors when loading the
resulting ruleset dump.
Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/json.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/json.c b/src/json.c
index b3e1e4e14a5f9..bb515164d2587 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1704,6 +1704,11 @@ static json_t *table_print_json_full(struct netlink_ctx *ctx,
tmp = table_print_json(table);
json_array_append_new(root, tmp);
+ /* both maps and rules may refer to chains, list them first */
+ list_for_each_entry(chain, &table->chain_cache.list, cache.list) {
+ tmp = chain_print_json(chain);
+ json_array_append_new(root, tmp);
+ }
list_for_each_entry(obj, &table->obj_cache.list, cache.list) {
tmp = obj_print_json(obj);
json_array_append_new(root, tmp);
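Review bot: the comment added above the new chain loop gives the reason for listing chains first but not that the order is meant to mirror nft_cmd_expand(), which only the subject line says; naming that function in the comment would tell whoever reorders either side that the two must stay in step. The diffstat shows only src/json.c changing, so a test that feeds the JSON dump of a verdict map back into nft would be worth adding with this patch to pin the behaviour.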
@@ -1719,9 +1724,6 @@ static json_t *table_print_json_full(struct netlink_ctx *ctx,
json_array_append_new(root, tmp);
}
list_for_each_entry(chain, &table->chain_cache.list, cache.list) {
- tmp = chain_print_json(chain);
- json_array_append_new(root, tmp);
-
list_for_each_entry(rule, &chain->rules, list) {
tmp = rule_print_json(&ctx->nft->output, rule);
json_array_append_new(rules, tmp);
--
2.43.0
* [nft PATCH 4/7] tests: shell: Regenerate all json-nft dumps
2024-03-09 11:35 [nft PATCH 0/7] A bunch of JSON printer/parser fixes Phil Sutter
` (2 preceding siblings ...)
2024-03-09 11:35 ` [nft PATCH 3/7] json: Order output like nft_cmd_expand() Phil Sutter
@ 2024-03-09 11:35 ` Phil Sutter
2024-03-09 11:35 ` [nft PATCH 5/7] json: Support maps with concatenated data Phil Sutter
` (4 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Ordering of 'nft -j list ruleset' output has changed, regenerate
existing json-nft dumps. No functional change intended, merely the
position of chain objects should have moved up in the "nftables" array.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../dumps/0001_cache_handling_0.json-nft | 16 ++++----
.../dumps/0005_cache_chain_flush.json-nft | 28 ++++++-------
.../dumps/0006_cache_table_flush.json-nft | 28 ++++++-------
.../comments/dumps/comments_0.json-nft | 16 ++++----
.../flowtable/dumps/0001flowtable_0.json-nft | 16 ++++----
.../dumps/0005delete_in_use_1.json-nft | 16 ++++----
.../dumps/0014addafterdelete_0.json-nft | 22 +++++-----
.../json/dumps/0001set_statements_0.json-nft | 24 +++++------
.../json/dumps/0005secmark_objref_0.json-nft | 18 ++++-----
.../listing/dumps/0013objects_0.json-nft | 16 ++++----
.../dumps/0021ruleset_json_terse_0.json-nft | 16 ++++----
.../listing/dumps/0022terse_0.json-nft | 24 +++++------
.../dumps/0007named_ifname_dtype_0.json-nft | 16 ++++----
.../dumps/0008interval_map_delete_0.json-nft | 24 +++++------
.../testcases/maps/dumps/0012map_0.json-nft | 16 ++++----
.../maps/dumps/0012map_concat_0.json-nft | 24 +++++------
.../testcases/maps/dumps/0013map_0.json-nft | 24 +++++------
.../maps/dumps/anon_objmap_concat.json-nft | 24 +++++------
.../maps/dumps/named_limits.json-nft | 24 +++++------
.../maps/dumps/named_snat_map_0.json-nft | 16 ++++----
.../maps/dumps/pipapo_double_flush.json-nft | 16 ++++----
.../dumps/typeof_maps_add_delete.json-nft | 40 +++++++++----------
.../maps/dumps/typeof_maps_update_0.json-nft | 32 +++++++--------
.../nft-f/dumps/0002rollback_rule_0.json-nft | 22 +++++-----
.../nft-f/dumps/0003rollback_jump_0.json-nft | 22 +++++-----
.../nft-f/dumps/0004rollback_set_0.json-nft | 22 +++++-----
.../nft-f/dumps/0005rollback_map_0.json-nft | 22 +++++-----
.../nft-f/dumps/0017ct_timeout_obj_0.json-nft | 16 ++++----
.../dumps/0018ct_expectation_obj_0.json-nft | 16 ++++----
.../nft-f/dumps/0022variables_0.json-nft | 24 +++++------
.../nft-f/dumps/0029split_file_0.json-nft | 18 ++++-----
.../nft-f/dumps/0032pknock_0.json-nft | 24 +++++------
.../optimizations/dumps/merge_vmaps.json-nft | 26 ++++++------
.../optimizations/dumps/skip_merge.json-nft | 32 +++++++--------
.../dumps/skip_unsupported.json-nft | 16 ++++----
.../packetpath/dumps/set_lookups.json-nft | 24 +++++------
.../dumps/0011reset_0.json-nft | 32 +++++++--------
.../sets/dumps/0001named_interval_0.json-nft | 16 ++++----
.../dumps/0022type_selective_flush_0.json-nft | 16 ++++----
.../sets/dumps/0026named_limit_0.json-nft | 22 +++++-----
.../sets/dumps/0028autoselect_0.json-nft | 24 +++++------
.../0037_set_with_inet_service_0.json-nft | 24 +++++------
.../sets/dumps/0038meter_list_0.json-nft | 16 ++++----
.../sets/dumps/0042update_set_0.json-nft | 16 ++++----
.../dumps/0043concatenated_ranges_0.json-nft | 24 +++++------
.../dumps/0045concat_ipv4_service.json-nft | 16 ++++----
.../sets/dumps/0048set_counters_0.json-nft | 24 +++++------
.../sets/dumps/0049set_define_0.json-nft | 24 +++++------
.../dumps/0051set_interval_counter_0.json-nft | 24 +++++------
.../dumps/0058_setupdate_timeout_0.json-nft | 16 ++++----
.../dumps/0059set_update_multistmt_0.json-nft | 24 +++++------
.../sets/dumps/0060set_multistmt_0.json-nft | 24 +++++------
.../sets/dumps/0060set_multistmt_1.json-nft | 24 +++++------
.../sets/dumps/0064map_catchall_0.json-nft | 16 ++++----
.../0071unclosed_prefix_interval_0.json-nft | 16 ++++----
.../sets/dumps/dynset_missing.json-nft | 24 +++++------
.../testcases/sets/dumps/inner_0.json-nft | 16 ++++----
.../testcases/sets/dumps/set_eval_0.json-nft | 24 +++++------
.../sets/dumps/type_set_symbol.json-nft | 32 +++++++--------
.../transactions/dumps/0040set_0.json-nft | 20 +++++-----
60 files changed, 647 insertions(+), 647 deletions(-)
diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft
index 752196624c33f..7a2eacdd7b614 100644
--- a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft
+++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "test",
+ "name": "test",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "inet",
@@ -27,14 +35,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "test",
- "name": "test",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft
index dbf561175a1b7..1c47d3ef0a266 100644
--- a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft
+++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft
@@ -15,34 +15,34 @@
}
},
{
- "map": {
+ "chain": {
"family": "ip",
- "name": "mapping",
"table": "x",
- "type": "ipv4_addr",
- "handle": 0,
- "map": "inet_service",
- "size": 65535,
- "flags": [
- "timeout",
- "dynamic"
- ]
+ "name": "y",
+ "handle": 0
}
},
{
"chain": {
"family": "ip",
"table": "x",
- "name": "y",
+ "name": "z",
"handle": 0
}
},
{
- "chain": {
+ "map": {
"family": "ip",
+ "name": "mapping",
"table": "x",
- "name": "z",
- "handle": 0
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "inet_service",
+ "size": 65535,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ]
}
},
{
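Review bot: this hunk is hard to verify by eye, because moving the 'mapping' map below chains 'y' and 'z' is rendered as field-by-field rewrites of three objects rather than as a move. The commit message should name the command used to regenerate the dumps, so the "no functional change" claim can be reproduced instead of being read out of 60 diffs of this kind.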
diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft
index dbf561175a1b7..1c47d3ef0a266 100644
--- a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft
+++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft
@@ -15,34 +15,34 @@
}
},
{
- "map": {
+ "chain": {
"family": "ip",
- "name": "mapping",
"table": "x",
- "type": "ipv4_addr",
- "handle": 0,
- "map": "inet_service",
- "size": 65535,
- "flags": [
- "timeout",
- "dynamic"
- ]
+ "name": "y",
+ "handle": 0
}
},
{
"chain": {
"family": "ip",
"table": "x",
- "name": "y",
+ "name": "z",
"handle": 0
}
},
{
- "chain": {
+ "map": {
"family": "ip",
+ "name": "mapping",
"table": "x",
- "name": "z",
- "handle": 0
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "inet_service",
+ "size": 65535,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ]
}
},
{
diff --git a/tests/shell/testcases/comments/dumps/comments_0.json-nft b/tests/shell/testcases/comments/dumps/comments_0.json-nft
index 28898a52608d3..201abd6fb5ce1 100644
--- a/tests/shell/testcases/comments/dumps/comments_0.json-nft
+++ b/tests/shell/testcases/comments/dumps/comments_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "inet",
@@ -27,14 +35,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "x",
- "name": "y",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft
index 090c974456ca6..4d15fe3a39d17 100644
--- a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft
+++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"flowtable": {
"family": "inet",
@@ -25,14 +33,6 @@
"dev": "lo"
}
},
- {
- "chain": {
- "family": "inet",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft
index db73a53036632..302502dcab098 100644
--- a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft
+++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "x",
+ "handle": 0
+ }
+ },
{
"flowtable": {
"family": "ip",
@@ -25,14 +33,6 @@
"dev": "lo"
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "x",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft
index 79707ca30d958..471ba5be0faeb 100644
--- a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft
+++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft
@@ -14,17 +14,6 @@
"handle": 0
}
},
- {
- "flowtable": {
- "family": "inet",
- "name": "f",
- "table": "filter",
- "handle": 0,
- "hook": "ingress",
- "prio": -1,
- "dev": "lo"
- }
- },
{
"chain": {
"family": "inet",
@@ -37,6 +26,17 @@
"policy": "accept"
}
},
+ {
+ "flowtable": {
+ "family": "inet",
+ "name": "f",
+ "table": "filter",
+ "handle": 0,
+ "hook": "ingress",
+ "prio": -1,
+ "dev": "lo"
+ }
+ },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft
index 3830b8450a93b..91db43e29ea9f 100644
--- a/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft
+++ b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "testt",
+ "name": "testc",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -27,18 +39,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "testt",
- "name": "testc",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft
index f5519a6ed49ac..3783c6b78f5b2 100644
--- a/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft
+++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft
@@ -14,15 +14,6 @@
"handle": 0
}
},
- {
- "secmark": {
- "family": "inet",
- "name": "ssh_server",
- "table": "x",
- "handle": 0,
- "context": "system_u:object_r:ssh_server_packet_t:s0"
- }
- },
{
"chain": {
"family": "inet",
@@ -47,6 +38,15 @@
"policy": "accept"
}
},
+ {
+ "secmark": {
+ "family": "inet",
+ "name": "ssh_server",
+ "table": "x",
+ "handle": 0,
+ "context": "system_u:object_r:ssh_server_packet_t:s0"
+ }
+ },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.json-nft b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft
index feb32b1b34329..830aad85cad87 100644
--- a/tests/shell/testcases/listing/dumps/0013objects_0.json-nft
+++ b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "input",
+ "handle": 0
+ }
+ },
{
"quota": {
"family": "ip",
@@ -62,14 +70,6 @@
"size": 12,
"l3proto": "ip"
}
- },
- {
- "chain": {
- "family": "ip",
- "table": "test",
- "name": "input",
- "handle": 0
- }
}
]
}
diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft
index e9bc05ac7be1a..d1131bb4045fd 100644
--- a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft
+++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "ip",
@@ -26,14 +34,6 @@
"192.168.3.5"
]
}
- },
- {
- "chain": {
- "family": "ip",
- "table": "test",
- "name": "c",
- "handle": 0
- }
}
]
}
diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.json-nft b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft
index db19d0c3c2b5b..bd6383dac5e37 100644
--- a/tests/shell/testcases/listing/dumps/0022terse_0.json-nft
+++ b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "prerouting",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "inet",
@@ -30,18 +42,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "input",
- "handle": 0,
- "type": "filter",
- "hook": "prerouting",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft
index ec409c6cb361a..ef57a749fbeed 100644
--- a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft
+++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"map": {
"family": "inet",
@@ -30,14 +38,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft
index 0f8f25dcf77c5..bd3c6cc7ebf55 100644
--- a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft
+++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"map": {
"family": "ip",
@@ -37,18 +49,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "filter",
- "name": "input",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/maps/dumps/0012map_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_0.json-nft
index e546a67979369..2892e11d71f54 100644
--- a/tests/shell/testcases/maps/dumps/0012map_0.json-nft
+++ b/tests/shell/testcases/maps/dumps/0012map_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
{
"map": {
"family": "ip",
@@ -44,14 +52,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "y",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft
index 08fce28624c01..000522365df9f 100644
--- a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft
+++ b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "k",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 1,
+ "policy": "accept"
+ }
+ },
{
"map": {
"family": "ip",
@@ -66,18 +78,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "k",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 1,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/maps/dumps/0013map_0.json-nft b/tests/shell/testcases/maps/dumps/0013map_0.json-nft
index 0379746a1e062..e91a269d8e6e6 100644
--- a/tests/shell/testcases/maps/dumps/0013map_0.json-nft
+++ b/tests/shell/testcases/maps/dumps/0013map_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "filter",
+ "name": "FORWARD",
+ "handle": 0,
+ "type": "filter",
+ "hook": "forward",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
{
"map": {
"family": "ip",
@@ -58,18 +70,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "filter",
- "name": "FORWARD",
- "handle": 0,
- "type": "filter",
- "hook": "forward",
- "prio": 0,
- "policy": "drop"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft b/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft
index f8352344eec73..642098427e6f9 100644
--- a/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft
+++ b/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"ct helper": {
"family": "inet",
@@ -36,18 +48,6 @@
"l3proto": "ip"
}
},
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "input",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/maps/dumps/named_limits.json-nft b/tests/shell/testcases/maps/dumps/named_limits.json-nft
index 28a92529c8d29..7fa1298103832 100644
--- a/tests/shell/testcases/maps/dumps/named_limits.json-nft
+++ b/tests/shell/testcases/maps/dumps/named_limits.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"limit": {
"family": "inet",
@@ -251,18 +263,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "input",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft
index ed141597f7f85..ad9eb36eac94e 100644
--- a/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft
+++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "nat",
+ "name": "postrouting",
+ "handle": 0
+ }
+ },
{
"map": {
"family": "ip",
@@ -30,14 +38,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "nat",
- "name": "postrouting",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft b/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft
index 5cb600dbd0eed..ef8c3930f8153 100644
--- a/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft
+++ b/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"map": {
"family": "inet",
@@ -29,14 +37,6 @@
"interval"
]
}
- },
- {
- "chain": {
- "family": "inet",
- "table": "t",
- "name": "c",
- "handle": 0
- }
}
]
}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft
index 4a58602a99cd4..8130c46c154cd 100644
--- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft
@@ -14,26 +14,6 @@
"handle": 0
}
},
- {
- "map": {
- "family": "ip",
- "name": "dynmark",
- "table": "dynset",
- "type": "ipv4_addr",
- "handle": 0,
- "map": "mark",
- "size": 64,
- "flags": [
- "timeout"
- ],
- "timeout": 300,
- "stmt": [
- {
- "counter": null
- }
- ]
- }
- },
{
"chain": {
"family": "ip",
@@ -54,6 +34,26 @@
"policy": "accept"
}
},
+ {
+ "map": {
+ "family": "ip",
+ "name": "dynmark",
+ "table": "dynset",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "mark",
+ "size": 64,
+ "flags": [
+ "timeout"
+ ],
+ "timeout": 300,
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft
index 826785d1fc04d..1d50477d783df 100644
--- a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft
@@ -14,6 +14,22 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "kube-nfproxy-v4",
+ "name": "k8s-nfproxy-sep-TMVEFT7EX55F4T62",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "kube-nfproxy-v4",
+ "name": "k8s-nfproxy-sep-GMVEFT7EX55F4T62",
+ "handle": 0
+ }
+ },
{
"map": {
"family": "ip",
@@ -44,22 +60,6 @@
"timeout": 60
}
},
- {
- "chain": {
- "family": "ip",
- "table": "kube-nfproxy-v4",
- "name": "k8s-nfproxy-sep-TMVEFT7EX55F4T62",
- "handle": 0
- }
- },
- {
- "chain": {
- "family": "ip",
- "table": "kube-nfproxy-v4",
- "name": "k8s-nfproxy-sep-GMVEFT7EX55F4T62",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft
index 8d500578d998c..99b0b28defb4d 100644
--- a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft
@@ -15,31 +15,31 @@
}
},
{
- "set": {
+ "chain": {
"family": "ip",
- "name": "t",
"table": "t",
- "type": "ipv4_addr",
- "handle": 0,
- "elem": [
- "1.1.1.1"
- ]
+ "name": "c",
+ "handle": 0
}
},
{
"chain": {
"family": "ip",
"table": "t",
- "name": "c",
+ "name": "other",
"handle": 0
}
},
{
- "chain": {
+ "set": {
"family": "ip",
+ "name": "t",
"table": "t",
- "name": "other",
- "handle": 0
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ "1.1.1.1"
+ ]
}
},
{
diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft
index 8d500578d998c..99b0b28defb4d 100644
--- a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft
@@ -15,31 +15,31 @@
}
},
{
- "set": {
+ "chain": {
"family": "ip",
- "name": "t",
"table": "t",
- "type": "ipv4_addr",
- "handle": 0,
- "elem": [
- "1.1.1.1"
- ]
+ "name": "c",
+ "handle": 0
}
},
{
"chain": {
"family": "ip",
"table": "t",
- "name": "c",
+ "name": "other",
"handle": 0
}
},
{
- "chain": {
+ "set": {
"family": "ip",
+ "name": "t",
"table": "t",
- "name": "other",
- "handle": 0
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ "1.1.1.1"
+ ]
}
},
{
diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft
index 8d500578d998c..99b0b28defb4d 100644
--- a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft
@@ -15,31 +15,31 @@
}
},
{
- "set": {
+ "chain": {
"family": "ip",
- "name": "t",
"table": "t",
- "type": "ipv4_addr",
- "handle": 0,
- "elem": [
- "1.1.1.1"
- ]
+ "name": "c",
+ "handle": 0
}
},
{
"chain": {
"family": "ip",
"table": "t",
- "name": "c",
+ "name": "other",
"handle": 0
}
},
{
- "chain": {
+ "set": {
"family": "ip",
+ "name": "t",
"table": "t",
- "name": "other",
- "handle": 0
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ "1.1.1.1"
+ ]
}
},
{
diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft
index 8d500578d998c..99b0b28defb4d 100644
--- a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft
@@ -15,31 +15,31 @@
}
},
{
- "set": {
+ "chain": {
"family": "ip",
- "name": "t",
"table": "t",
- "type": "ipv4_addr",
- "handle": 0,
- "elem": [
- "1.1.1.1"
- ]
+ "name": "c",
+ "handle": 0
}
},
{
"chain": {
"family": "ip",
"table": "t",
- "name": "c",
+ "name": "other",
"handle": 0
}
},
{
- "chain": {
+ "set": {
"family": "ip",
+ "name": "t",
"table": "t",
- "name": "other",
- "handle": 0
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ "1.1.1.1"
+ ]
}
},
{
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft
index 581d4d415ae58..b56240eab0cf3 100644
--- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "filter",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"ct timeout": {
"family": "ip",
@@ -28,14 +36,6 @@
}
}
},
- {
- "chain": {
- "family": "ip",
- "table": "filter",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft
index 5e2b07f0d7ace..21c979703e096 100644
--- a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "filter",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"ct expectation": {
"family": "ip",
@@ -27,14 +35,6 @@
"l3proto": "ip"
}
},
- {
- "chain": {
- "family": "ip",
- "table": "filter",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft
index b971454fc3ae0..09a4c1e3deb8f 100644
--- a/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "z",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -28,18 +40,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "z",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft
index c2aa400aa150f..ab680af8712d6 100644
--- a/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft
@@ -14,15 +14,6 @@
"handle": 0
}
},
- {
- "set": {
- "family": "inet",
- "name": "whitelist_v4",
- "table": "filter",
- "type": "ipv4_addr",
- "handle": 0
- }
- },
{
"chain": {
"family": "inet",
@@ -35,6 +26,15 @@
"policy": "accept"
}
},
+ {
+ "set": {
+ "family": "inet",
+ "name": "whitelist_v4",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft
index 57d57bb9ea8c3..4c7d2bbe3f843 100644
--- a/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft
+++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "portknock",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": -10,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "inet",
@@ -45,18 +57,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "portknock",
- "name": "input",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": -10,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft
index f2ac7917cd590..e87f1c4c082eb 100644
--- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft
@@ -14,19 +14,6 @@
"handle": 0
}
},
- {
- "set": {
- "family": "ip",
- "name": "s",
- "table": "x",
- "type": "ipv4_addr",
- "handle": 0,
- "size": 65535,
- "flags": [
- "dynamic"
- ]
- }
- },
{
"chain": {
"family": "ip",
@@ -51,6 +38,19 @@
"handle": 0
}
},
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft
index 3404a2e7521a6..7bb6c656435f5 100644
--- a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft
+++ b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft
@@ -14,6 +14,22 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "udp_input",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "tcp_input",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "inet",
@@ -40,22 +56,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "udp_input",
- "handle": 0
- }
- },
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "tcp_input",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft
index a082020695b63..d6347b1eeed6e 100644
--- a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft
+++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "inet",
@@ -100,14 +108,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "x",
- "name": "y",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft
index 49b51ababd773..24363f9071b22 100644
--- a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft
+++ b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -136,18 +148,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft
index 94203517cedb3..bc242467e22a7 100644
--- a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft
+++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft
@@ -14,6 +14,22 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c2",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "ip",
@@ -43,22 +59,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c2",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft
index c48f3a9c918f4..b9c66a21aa084 100644
--- a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "inet",
@@ -124,14 +132,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft
index c82c12a171a54..ce391a6c37f9c 100644
--- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "ip",
@@ -33,14 +41,6 @@
"map": "inet_service"
}
},
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft
index 5307e26567f16..5d21f26cd5a37 100644
--- a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft
@@ -14,17 +14,6 @@
"handle": 0
}
},
- {
- "limit": {
- "family": "ip",
- "name": "http-traffic",
- "table": "filter",
- "handle": 0,
- "rate": 1,
- "per": "second",
- "burst": 5
- }
- },
{
"chain": {
"family": "ip",
@@ -37,6 +26,17 @@
"policy": "accept"
}
},
+ {
+ "limit": {
+ "family": "ip",
+ "name": "http-traffic",
+ "table": "filter",
+ "handle": 0,
+ "rate": 1,
+ "per": "second",
+ "burst": 5
+ }
+ },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft
index 682496a71c5c5..5968b2e0c11f0 100644
--- a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -53,18 +65,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft
index 3305f040e69cd..1c3b559d48d43 100644
--- a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "forward",
+ "handle": 0,
+ "type": "filter",
+ "hook": "forward",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
{
"set": {
"family": "inet",
@@ -64,18 +76,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "forward",
- "handle": 0,
- "type": "filter",
- "hook": "forward",
- "prio": 0,
- "policy": "drop"
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft
index be24687c96d79..40b86f82eba33 100644
--- a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "ip",
@@ -28,14 +36,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft
index 8521adb8283d1..bc1d4cc2284d8 100644
--- a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "ip",
@@ -36,14 +44,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft
index d51db88452872..ffb76e2f3641d 100644
--- a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "output",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"map": {
"family": "inet",
@@ -32,18 +44,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "output",
- "handle": 0,
- "type": "filter",
- "hook": "output",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft
index 211942c9ae63a..8473c3333889e 100644
--- a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft
+++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "inet",
@@ -39,14 +47,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft
index 2fa0e78848308..62a6a177b7776 100644
--- a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "z",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -57,18 +69,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "z",
- "handle": 0,
- "type": "filter",
- "hook": "output",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft
index 79e376b6e2931..f8495bab8b0f3 100644
--- a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
{
"set": {
"family": "inet",
@@ -30,18 +42,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "input",
- "handle": 0,
- "type": "filter",
- "hook": "input",
- "prio": 0,
- "policy": "drop"
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft
index 0e67375999382..b468b5f9044ca 100644
--- a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -47,18 +59,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "y",
- "handle": 0,
- "type": "filter",
- "hook": "output",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft
index a727b25bdcb1b..ac8d8bef71e7e 100644
--- a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "test",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "inet",
@@ -29,14 +37,6 @@
"timeout": 2592000
}
},
- {
- "chain": {
- "family": "inet",
- "table": "filter",
- "name": "test",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft
index 9e5fae761fd70..16ecdb2ab8993 100644
--- a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "z",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -29,18 +41,6 @@
"timeout": 3600
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "z",
- "handle": 0,
- "type": "filter",
- "hook": "output",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft
index 0026ba915af10..1aede147cacf3 100644
--- a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -67,18 +79,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "y",
- "handle": 0,
- "type": "filter",
- "hook": "output",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft
index 86b70b20c42c6..6098dc563141f 100644
--- a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -67,18 +79,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "y",
- "handle": 0,
- "type": "filter",
- "hook": "output",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft
index eba5d40ef5645..64dd26670528b 100644
--- a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
{
"map": {
"family": "ip",
@@ -62,14 +70,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "x",
- "name": "y",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft
index 426bf2d1e1577..6b579a2e09fff 100644
--- a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "inet",
@@ -66,14 +74,6 @@
]
}
},
- {
- "chain": {
- "family": "inet",
- "table": "t",
- "name": "c",
- "handle": 0
- }
- },
{
"rule": {
"family": "inet",
diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft
index 3462d67f05562..ad8a7cc0564a8 100644
--- a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft
+++ b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft
@@ -14,6 +14,18 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "output",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
{
"set": {
"family": "ip",
@@ -27,18 +39,6 @@
]
}
},
- {
- "chain": {
- "family": "ip",
- "table": "test",
- "name": "output",
- "handle": 0,
- "type": "filter",
- "hook": "output",
- "prio": 0,
- "policy": "accept"
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft
index cc48de6b4f47f..8d84e1ccecb9f 100644
--- a/tests/shell/testcases/sets/dumps/inner_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft
@@ -14,6 +14,14 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "netdev",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "netdev",
@@ -47,14 +55,6 @@
]
}
},
- {
- "chain": {
- "family": "netdev",
- "table": "x",
- "name": "y",
- "handle": 0
- }
- },
{
"rule": {
"family": "netdev",
diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft
index 4590b88403985..6f692381b6f7c 100644
--- a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft
+++ b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft
@@ -14,18 +14,6 @@
"handle": 0
}
},
- {
- "set": {
- "family": "ip",
- "name": "set_with_interval",
- "table": "nat",
- "type": "ipv4_addr",
- "handle": 0,
- "flags": [
- "interval"
- ]
- }
- },
{
"chain": {
"family": "ip",
@@ -38,6 +26,18 @@
"policy": "accept"
}
},
+ {
+ "set": {
+ "family": "ip",
+ "name": "set_with_interval",
+ "table": "nat",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ]
+ }
+ },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft
index e4ae0a2e3df24..e22213ea3437a 100644
--- a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft
+++ b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft
@@ -14,6 +14,22 @@
"handle": 0
}
},
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c1",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c2",
+ "handle": 0
+ }
+ },
{
"set": {
"family": "ip",
@@ -33,22 +49,6 @@
"timeout": 10800
}
},
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c1",
- "handle": 0
- }
- },
- {
- "chain": {
- "family": "ip",
- "table": "t",
- "name": "c2",
- "handle": 0
- }
- },
{
"rule": {
"family": "ip",
diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.json-nft b/tests/shell/testcases/transactions/dumps/0040set_0.json-nft
index f8130d95a0fc5..1718a5b9d8b3b 100644
--- a/tests/shell/testcases/transactions/dumps/0040set_0.json-nft
+++ b/tests/shell/testcases/transactions/dumps/0040set_0.json-nft
@@ -14,16 +14,6 @@
"handle": 0
}
},
- {
- "map": {
- "family": "ip",
- "name": "client_to_any",
- "table": "filter",
- "type": "ipv4_addr",
- "handle": 0,
- "map": "verdict"
- }
- },
{
"chain": {
"family": "ip",
@@ -44,6 +34,16 @@
"handle": 0
}
},
+ {
+ "map": {
+ "family": "ip",
+ "name": "client_to_any",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "verdict"
+ }
+ },
{
"rule": {
"family": "ip",
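Review bot: The "client_to_any" map moved below the chains in this dump is declared with "map": "verdict" but carries no "elem" entries, so replaying this file never hits the chain-before-map dependency that motivated the reorder. A dump whose verdict map elements actually jump or goto a chain would turn the regenerated ordering into a real regression test; if one exists elsewhere in the series, point to it in the commit message.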
--
2.43.0
* [nft PATCH 5/7] json: Support maps with concatenated data
2024-03-09 11:35 [nft PATCH 0/7] A bunch of JSON printer/parser fixes Phil Sutter
` (3 preceding siblings ...)
2024-03-09 11:35 ` [nft PATCH 4/7] tests: shell: Regenerate all json-nft dumps Phil Sutter
@ 2024-03-09 11:35 ` Phil Sutter
2024-03-09 11:35 ` [nft PATCH 6/7] parser: json: Support for synproxy objects Phil Sutter
` (3 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Dump such maps with an array of types in "map" property, make the parser
aware of this.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/json.c | 10 +++++-----
src/parser_json.c | 18 +++++++++---------
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/src/json.c b/src/json.c
index bb515164d2587..29fbd0cfdba28 100644
--- a/src/json.c
+++ b/src/json.c
@@ -130,15 +130,15 @@ static json_t *set_stmt_list_json(const struct list_head *stmt_list,
static json_t *set_print_json(struct output_ctx *octx, const struct set *set)
{
- json_t *root, *tmp;
- const char *type, *datatype_ext = NULL;
+ json_t *root, *tmp, *datatype_ext = NULL;
+ const char *type;
if (set_is_datamap(set->flags)) {
type = "map";
- datatype_ext = set->data->dtype->name;
+ datatype_ext = set_dtype_json(set->data);
} else if (set_is_objmap(set->flags)) {
type = "map";
- datatype_ext = obj_type_name(set->objtype);
+ datatype_ext = json_string(obj_type_name(set->objtype));
} else if (set_is_meter(set->flags)) {
type = "meter";
} else {
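Review bot: With datatype_ext now a json_t pointer, a NULL return from set_dtype_json(set->data) or json_string(obj_type_name(set->objtype)) in these two branches is indistinguishable from "not a map", because the later `if (datatype_ext)` check just skips the "map" property. The dump would then carry a "map" object without its "map" property and would not restore as a map. Consider tracking whether the set is a map separately from the conversion result, or failing the dump when the conversion returns NULL.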
@@ -155,7 +155,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set)
if (set->comment)
json_object_set_new(root, "comment", json_string(set->comment));
if (datatype_ext)
- json_object_set_new(root, "map", json_string(datatype_ext));
+ json_object_set_new(root, "map", datatype_ext);
if (!(set->flags & (NFT_SET_CONSTANT))) {
if (set->policy != NFT_SET_POL_PERFORMANCE) {
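Review bot: The "map" property set here changes from always being a JSON string to being either a string or an array of type names, which is a visible change to the output schema, yet the diffstat touches only src/json.c and src/parser_json.c. Please update the JSON schema documentation in the same patch and say in the commit message that consumers of 'nft -j list ruleset' output must accept both forms.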
diff --git a/src/parser_json.c b/src/parser_json.c
index ff52423af4d7f..bb027448319c5 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3255,7 +3255,7 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root,
enum cmd_ops op, enum cmd_obj obj)
{
struct handle h = { 0 };
- const char *family = "", *policy, *dtype_ext = NULL;
+ const char *family = "", *policy;
json_t *tmp, *stmt_json;
struct set *set;
@@ -3308,19 +3308,19 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root,
return NULL;
}
- if (!json_unpack(root, "{s:s}", "map", &dtype_ext)) {
- const struct datatype *dtype;
+ if (!json_unpack(root, "{s:o}", "map", &tmp)) {
+ if (json_is_string(tmp)) {
+ const char *s = json_string_value(tmp);
- set->objtype = string_to_nft_object(dtype_ext);
+ set->objtype = string_to_nft_object(s);
+ }
if (set->objtype) {
set->flags |= NFT_SET_OBJECT;
- } else if ((dtype = datatype_lookup_byname(dtype_ext))) {
- set->data = constant_expr_alloc(&netlink_location,
- dtype, dtype->byteorder,
- dtype->size, NULL);
+ } else if ((set->data = json_parse_dtype_expr(ctx, tmp))) {
set->flags |= NFT_SET_MAP;
} else {
- json_error(ctx, "Invalid map type '%s'.", dtype_ext);
+ json_error(ctx, "Invalid map type '%s'.",
+ json_dumps(tmp, 0));
set_free(set);
handle_free(&h);
return NULL;
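Review bot: The error path `json_error(ctx, "Invalid map type '%s'.", json_dumps(tmp, 0));` has two problems. json_dumps() returns a newly allocated string that the caller must free, and nothing frees it here. In addition, with flags 0 (no JSON_ENCODE_ANY) jansson only encodes arrays and objects and returns NULL for anything else, so when "map" is an unrecognised type name given as a plain string, which is the most likely way to reach this branch, `%s` is passed NULL. Suggest storing the result in a local, passing JSON_ENCODE_ANY (or printing json_string_value() for the string case), and calling free() on it after json_error(). Separately, `if (set->objtype)` now sits outside the `json_is_string(tmp)` block and therefore relies on set->objtype being zero for array input; that holds only if the set allocator zero-initialises it, which is worth a word in the commit message.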
--
2.43.0
* [nft PATCH 6/7] parser: json: Support for synproxy objects
2024-03-09 11:35 [nft PATCH 0/7] A bunch of JSON printer/parser fixes Phil Sutter
` (4 preceding siblings ...)
2024-03-09 11:35 ` [nft PATCH 5/7] json: Support maps with concatenated data Phil Sutter
@ 2024-03-09 11:35 ` Phil Sutter
2024-03-09 11:35 ` [nft PATCH 7/7] tests: shell: Add missing json-nft dumps Phil Sutter
` (2 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Parsing code was there already, merely the entry in json_parse_cmd_add()
missing.
To support maps with synproxy target, an entry in string_to_nft_object()
is required. While being at it, add other missing entries as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_json.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index bb027448319c5..4fc0479cf4972 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3217,14 +3217,18 @@ static struct cmd *json_parse_cmd_add_rule(struct json_ctx *ctx, json_t *root,
static int string_to_nft_object(const char *str)
{
const char *obj_tbl[__NFT_OBJECT_MAX] = {
- [NFT_OBJECT_COUNTER] = "counter",
- [NFT_OBJECT_QUOTA] = "quota",
- [NFT_OBJECT_LIMIT] = "limit",
- [NFT_OBJECT_SECMARK] = "secmark",
+ [NFT_OBJECT_COUNTER] = "counter",
+ [NFT_OBJECT_QUOTA] = "quota",
+ [NFT_OBJECT_CT_HELPER] = "ct helper",
+ [NFT_OBJECT_LIMIT] = "limit",
+ [NFT_OBJECT_CT_TIMEOUT] = "ct timeout",
+ [NFT_OBJECT_SECMARK] = "secmark",
+ [NFT_OBJECT_CT_EXPECT] = "ct expectation",
+ [NFT_OBJECT_SYNPROXY] = "synproxy",
};
unsigned int i;
- for (i = 0; i < NFT_OBJECT_MAX; i++) {
+ for (i = 0; i <= NFT_OBJECT_MAX; i++) {
if (obj_tbl[i] && !strcmp(str, obj_tbl[i]))
return i;
}
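Review bot: The loop bound change from `i < NFT_OBJECT_MAX` to `i <= NFT_OBJECT_MAX` is a behavioural fix that the commit message does not mention; it only speaks of adding table entries. The array is declared with `__NFT_OBJECT_MAX` slots while the loop is bounded by `NFT_OBJECT_MAX`, so staying in bounds depends on the relation between those two macros. Iterating with `i < __NFT_OBJECT_MAX`, or over the element count of `obj_tbl`, would tie the bound to the declaration visibly and remove the off-by-one risk in either direction. Please also state in the commit message that the old bound skipped the last slot, if that is what made the `synproxy` entry unreachable.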
@@ -3759,7 +3763,8 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx,
{ "ct timeout", NFT_OBJECT_CT_TIMEOUT, json_parse_cmd_add_object },
{ "ct expectation", NFT_OBJECT_CT_EXPECT, json_parse_cmd_add_object },
{ "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object },
- { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object }
+ { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object },
+ { "synproxy", CMD_OBJ_SYNPROXY, json_parse_cmd_add_object }
};
unsigned int i;
json_t *tmp;
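Review bot: The added `{ "synproxy", CMD_OBJ_SYNPROXY, ... }` row uses a `CMD_OBJ_*` value like the "limit" and "secmark" rows, but the two context rows directly above it pass `NFT_OBJECT_CT_TIMEOUT` and `NFT_OBJECT_CT_EXPECT` in the same column. Unless the two enums happen to share values for those entries, json_parse_cmd_add_object() receives the wrong object kind for "ct timeout" and "ct expectation". Since this patch is already fixing missing object hooks in this table, it would be the natural place to check those rows and switch them to the matching `CMD_OBJ_*` constants, or to explain why the mix is intended.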
--
2.43.0
* [nft PATCH 7/7] tests: shell: Add missing json-nft dumps
2024-03-09 11:35 [nft PATCH 0/7] A bunch of JSON printer/parser fixes Phil Sutter
` (5 preceding siblings ...)
2024-03-09 11:35 ` [nft PATCH 6/7] parser: json: Support for synproxy objects Phil Sutter
@ 2024-03-09 11:35 ` Phil Sutter
2024-03-19 17:26 ` [nft PATCH 0/7] A bunch of JSON printer/parser fixes Phil Sutter
2024-04-24 20:06 ` Pablo Neira Ayuso
8 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Given that a bunch of issues got fixed, add some more dumps.
Also add tests/shell/testcases/owner/dumps/0002-persist.nft while at it,
even though it's really small.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../dumps/0011endless_jump_loop_1.json-nft | 75 +++
.../maps/dumps/0010concat_map_0.json-nft | 106 ++++
.../testcases/maps/dumps/0011vmap_0.json-nft | 145 +++++
.../maps/dumps/0024named_objects_0.json-nft | 165 ++++++
.../dumps/map_catchall_double_free_2.json-nft | 46 ++
.../maps/dumps/vmap_mark_bitwise_0.json-nft | 158 +++++
.../maps/dumps/vmap_timeout.json-nft | 229 ++++++++
| 102 ++++
.../owner/dumps/0002-persist.json-nft | 19 +
.../testcases/owner/dumps/0002-persist.nft | 3 +
.../dumps/0008create_verdict_map_0.json-nft | 78 +++
.../sets/dumps/0024synproxy_0.json-nft | 131 +++++
.../sets/dumps/sets_with_ifnames.json-nft | 551 ++++++++++++++++++
13 files changed, 1808 insertions(+)
create mode 100644 tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/0011vmap_0.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft
create mode 100644 tests/shell/testcases/maps/dumps/vmap_timeout.json-nft
create mode 100644 tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft
create mode 100644 tests/shell/testcases/owner/dumps/0002-persist.json-nft
create mode 100644 tests/shell/testcases/owner/dumps/0002-persist.nft
create mode 100644 tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft
create mode 100644 tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft
create mode 100644 tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft
diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft
new file mode 100644
index 0000000000000..e1a2262fdf04f
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft
@@ -0,0 +1,75 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c1",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c2",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "m",
+ "table": "t",
+ "type": "inet_service",
+ "handle": 0,
+ "map": "verdict",
+ "elem": [
+ [
+ 2,
+ {
+ "jump": {
+ "target": "c2"
+ }
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c1",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "data": "@m"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft
new file mode 100644
index 0000000000000..fcc23bb8095fa
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft
@@ -0,0 +1,106 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "nat",
+ "hook": "prerouting",
+ "prio": -100,
+ "policy": "accept"
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "z",
+ "table": "x",
+ "type": [
+ "ipv4_addr",
+ "inet_proto",
+ "inet_service"
+ ],
+ "handle": 0,
+ "map": [
+ "ipv4_addr",
+ "inet_service"
+ ],
+ "elem": [
+ [
+ {
+ "concat": [
+ "1.1.1.1",
+ "tcp",
+ 20
+ ]
+ },
+ {
+ "concat": [
+ "2.2.2.2",
+ 30
+ ]
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "dnat": {
+ "family": "ip",
+ "addr": {
+ "map": {
+ "key": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "protocol"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ }
+ ]
+ },
+ "data": "@z"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft
new file mode 100644
index 0000000000000..8f07378a84e4c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft
@@ -0,0 +1,145 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "ssh_input",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "wan_input",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "prerouting",
+ "handle": 0,
+ "type": "filter",
+ "hook": "prerouting",
+ "prio": -300,
+ "policy": "accept"
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "portmap",
+ "table": "filter",
+ "type": "inet_service",
+ "handle": 0,
+ "map": "verdict",
+ "elem": [
+ [
+ {
+ "elem": {
+ "val": 22,
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "jump": {
+ "target": "ssh_input"
+ }
+ }
+ ],
+ [
+ {
+ "elem": {
+ "val": "*",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ ],
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "wan_input",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "data": "@portmap"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "prerouting",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "meta": {
+ "key": "iif"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "lo",
+ {
+ "jump": {
+ "target": "wan_input"
+ }
+ }
+ ]
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft
new file mode 100644
index 0000000000000..aa2f6f8c22874
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft
@@ -0,0 +1,165 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "packets": 12,
+ "bytes": 1433
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user321",
+ "table": "x",
+ "handle": 0,
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user124",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "test",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "quota",
+ "elem": [
+ [
+ "192.168.2.2",
+ "user124"
+ ],
+ [
+ "192.168.2.3",
+ "user124"
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "counter": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ "user123"
+ ],
+ [
+ "2.2.2.2",
+ "user123"
+ ],
+ [
+ "192.168.2.2",
+ "user123"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "quota": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": "@test"
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft
new file mode 100644
index 0000000000000..a9d4c8e9fde3c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft
@@ -0,0 +1,46 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "testchain",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "testmap",
+ "table": "test",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "verdict",
+ "elem": [
+ [
+ "*",
+ {
+ "jump": {
+ "target": "testchain"
+ }
+ }
+ ]
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft
new file mode 100644
index 0000000000000..df156411c346c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft
@@ -0,0 +1,158 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "sctm_o0_0",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "sctm_o0_1",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "SET_ctmark_RPLYroute",
+ "handle": 0
+ }
+ },
+ {
+ "counter": {
+ "family": "ip",
+ "name": "c_o0_0",
+ "table": "x",
+ "handle": 0,
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "sctm_o0",
+ "table": "x",
+ "type": "mark",
+ "handle": 0,
+ "map": "verdict",
+ "elem": [
+ [
+ 0,
+ {
+ "jump": {
+ "target": "sctm_o0_0"
+ }
+ }
+ ],
+ [
+ 1,
+ {
+ "jump": {
+ "target": "sctm_o0_1"
+ }
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "sctm_o1",
+ "table": "x",
+ "type": "mark",
+ "handle": 0,
+ "map": "counter",
+ "elem": [
+ [
+ 0,
+ "c_o0_0"
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "SET_ctmark_RPLYroute",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "&": [
+ {
+ ">>": [
+ {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ 8
+ ]
+ },
+ 15
+ ]
+ },
+ "data": "@sctm_o0"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "SET_ctmark_RPLYroute",
+ "handle": 0,
+ "expr": [
+ {
+ "counter": {
+ "map": {
+ "key": {
+ "&": [
+ {
+ ">>": [
+ {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ 8
+ ]
+ },
+ 15
+ ]
+ },
+ "data": "@sctm_o1"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft
new file mode 100644
index 0000000000000..1c3aa590f846e
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft
@@ -0,0 +1,229 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "ssh_input",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "log_and_drop",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "other_input",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "wan_input",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "prerouting",
+ "handle": 0,
+ "type": "filter",
+ "hook": "prerouting",
+ "prio": -300,
+ "policy": "accept"
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "portmap",
+ "table": "filter",
+ "type": "inet_service",
+ "handle": 0,
+ "map": "verdict",
+ "flags": [
+ "timeout"
+ ],
+ "gc-interval": 10,
+ "elem": [
+ [
+ 22,
+ {
+ "jump": {
+ "target": "ssh_input"
+ }
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "portaddrmap",
+ "table": "filter",
+ "type": [
+ "ipv4_addr",
+ "inet_service"
+ ],
+ "handle": 0,
+ "map": "verdict",
+ "flags": [
+ "timeout"
+ ],
+ "gc-interval": 10,
+ "elem": [
+ [
+ {
+ "concat": [
+ "1.2.3.4",
+ 22
+ ]
+ },
+ {
+ "jump": {
+ "target": "ssh_input"
+ }
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "log_and_drop",
+ "handle": 0,
+ "expr": [
+ {
+ "drop": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "other_input",
+ "handle": 0,
+ "expr": [
+ {
+ "goto": {
+ "target": "log_and_drop"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "wan_input",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ }
+ ]
+ },
+ "data": "@portaddrmap"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "wan_input",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "data": "@portmap"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "prerouting",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "meta": {
+ "key": "iif"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "lo",
+ {
+ "jump": {
+ "target": "wan_input"
+ }
+ }
+ ]
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft
new file mode 100644
index 0000000000000..b5359d8b10c0f
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft
@@ -0,0 +1,102 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "quota": {
+ "family": "ip",
+ "name": "foo1",
+ "table": "filter",
+ "handle": 0,
+ "comment": "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678",
+ "bytes": 0,
+ "used": 0,
+ "inv": false
+ }
+ },
+ {
+ "quota": {
+ "family": "ip",
+ "name": "q",
+ "table": "filter",
+ "handle": 0,
+ "comment": "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678",
+ "bytes": 1200,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "counter": {
+ "family": "ip",
+ "name": "c",
+ "table": "filter",
+ "handle": 0,
+ "comment": "test2",
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "ct helper": {
+ "family": "ip",
+ "name": "h",
+ "table": "filter",
+ "handle": 0,
+ "comment": "test3",
+ "type": "sip",
+ "protocol": "tcp",
+ "l3proto": "ip"
+ }
+ },
+ {
+ "ct expectation": {
+ "family": "ip",
+ "name": "e",
+ "table": "filter",
+ "handle": 0,
+ "comment": "test4",
+ "protocol": "tcp",
+ "dport": 666,
+ "timeout": 100,
+ "size": 96,
+ "l3proto": "ip"
+ }
+ },
+ {
+ "limit": {
+ "family": "ip",
+ "name": "l",
+ "table": "filter",
+ "handle": 0,
+ "comment": "test5",
+ "rate": 400,
+ "per": "hour",
+ "burst": 5
+ }
+ },
+ {
+ "synproxy": {
+ "family": "ip",
+ "name": "s",
+ "table": "filter",
+ "handle": 0,
+ "comment": "test6",
+ "mss": 1460,
+ "wscale": 2
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/owner/dumps/0002-persist.json-nft b/tests/shell/testcases/owner/dumps/0002-persist.json-nft
new file mode 100644
index 0000000000000..f0c336a86e52f
--- /dev/null
+++ b/tests/shell/testcases/owner/dumps/0002-persist.json-nft
@@ -0,0 +1,19 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0,
+ "flags": "persist"
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/owner/dumps/0002-persist.nft b/tests/shell/testcases/owner/dumps/0002-persist.nft
new file mode 100644
index 0000000000000..b47027d35a30c
--- /dev/null
+++ b/tests/shell/testcases/owner/dumps/0002-persist.nft
@@ -0,0 +1,3 @@
+table ip t {
+ flags persist
+}
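Review bot: Style point on scope: this `0002-persist.nft` file is a plain-syntax dump, while the subject line and every other file in the patch are about json-nft dumps that became parseable through the earlier fixes. The commit message acknowledges it as a drive-by, but a separate one-file commit would keep this patch revertable together with the JSON changes it depends on and would make the missing `.nft` dump easier to find in history.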
diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft
new file mode 100644
index 0000000000000..fa5dcb2571b1a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft
@@ -0,0 +1,78 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "postrouting",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "sourcemap",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "verdict",
+ "elem": [
+ [
+ "100.123.10.2",
+ {
+ "jump": {
+ "target": "c"
+ }
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "postrouting",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": "@sourcemap"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft
new file mode 100644
index 0000000000000..0af613333592d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft
@@ -0,0 +1,131 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "synproxy": {
+ "family": "inet",
+ "name": "https-synproxy",
+ "table": "x",
+ "handle": 0,
+ "mss": 1460,
+ "wscale": 7,
+ "flags": [
+ "timestamp",
+ "sack-perm"
+ ]
+ }
+ },
+ {
+ "synproxy": {
+ "family": "inet",
+ "name": "other-synproxy",
+ "table": "x",
+ "handle": 0,
+ "mss": 1460,
+ "wscale": 5
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "test2",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "synproxy",
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ [
+ {
+ "prefix": {
+ "addr": "192.168.1.0",
+ "len": 24
+ }
+ },
+ "https-synproxy"
+ ],
+ [
+ {
+ "prefix": {
+ "addr": "192.168.2.0",
+ "len": 24
+ }
+ },
+ "other-synproxy"
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "synproxy": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ {
+ "prefix": {
+ "addr": "192.168.1.0",
+ "len": 24
+ }
+ },
+ "https-synproxy"
+ ],
+ [
+ {
+ "prefix": {
+ "addr": "192.168.2.0",
+ "len": 24
+ }
+ },
+ "other-synproxy"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft
new file mode 100644
index 0000000000000..ac4284293c32a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft
@@ -0,0 +1,551 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "testifsets",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "testifsets",
+ "name": "v4icmp",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "testifsets",
+ "name": "v4icmpc",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "testifsets",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "testifsets",
+ "name": "do_nothing",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "simple",
+ "table": "testifsets",
+ "type": "ifname",
+ "handle": 0,
+ "elem": [
+ "abcdef0",
+ "abcdef1",
+ "othername"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "simple_wild",
+ "table": "testifsets",
+ "type": "ifname",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ "abcdef*",
+ "othername",
+ "ppp0"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "concat",
+ "table": "testifsets",
+ "type": [
+ "ipv4_addr",
+ "ifname"
+ ],
+ "handle": 0,
+ "elem": [
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef0"
+ ]
+ },
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef1"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "concat_wild",
+ "table": "testifsets",
+ "type": [
+ "ipv4_addr",
+ "ifname"
+ ],
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef*"
+ ]
+ },
+ {
+ "concat": [
+ "10.1.2.1",
+ "bar"
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "1.1.2.0",
+ "len": 24
+ }
+ },
+ "abcdef0"
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "12.2.2.0",
+ "len": 24
+ }
+ },
+ "abcdef*"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "map_wild",
+ "table": "testifsets",
+ "type": "ifname",
+ "handle": 0,
+ "map": "verdict",
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ [
+ "abcdef*",
+ {
+ "jump": {
+ "target": "do_nothing"
+ }
+ }
+ ],
+ [
+ "eth0",
+ {
+ "jump": {
+ "target": "do_nothing"
+ }
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "@simple"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "@simple_wild"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": {
+ "set": [
+ "eth0",
+ "abcdef0"
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": {
+ "set": [
+ "abcdef*",
+ "eth0"
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "data": "@map_wild"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmpc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ }
+ ]
+ },
+ "right": "@concat"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmpc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ }
+ ]
+ },
+ "right": "@concat_wild"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmpc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ }
+ ]
+ },
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef0"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmpc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ }
+ ]
+ },
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef*"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "protocol"
+ }
+ },
+ "right": "icmp"
+ }
+ },
+ {
+ "jump": {
+ "target": "v4icmp"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "protocol"
+ }
+ },
+ "right": "icmp"
+ }
+ },
+ {
+ "goto": {
+ "target": "v4icmpc"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
--
2.43.0
* Re: [nft PATCH 1/7] tests: shell: maps/named_ct_objects: Fix for recent kernel
2024-03-09 11:35 ` [nft PATCH 1/7] tests: shell: maps/named_ct_objects: Fix for recent kernel Phil Sutter
@ 2024-03-09 11:39 ` Florian Westphal
2024-03-09 11:44 ` Phil Sutter
0 siblings, 1 reply; 14+ messages in thread
From: Florian Westphal @ 2024-03-09 11:39 UTC (permalink / raw)
To: Phil Sutter; +Cc: Pablo Neira Ayuso, netfilter-devel, Florian Westphal
Phil Sutter <phil@nwl.cc> wrote:
> Since kernel commit 8059918a1377 ("netfilter: nft_ct: sanitize layer 3
> and 4 protocol number in custom expectations"), ct expectations
> specifying an l3proto which does not match the table family are
> rejected.
> - l3proto ip
> + l3proto inet
> }
This can't be right, the kernel must reject this.
99993789966a ("netfilter: nft_ct: fix l3num expectations with inet pseudo family")
was supposed to fix this up.
* Re: [nft PATCH 1/7] tests: shell: maps/named_ct_objects: Fix for recent kernel
2024-03-09 11:39 ` Florian Westphal
@ 2024-03-09 11:44 ` Phil Sutter
0 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2024-03-09 11:44 UTC (permalink / raw)
To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel
On Sat, Mar 09, 2024 at 12:39:20PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Since kernel commit 8059918a1377 ("netfilter: nft_ct: sanitize layer 3
> > and 4 protocol number in custom expectations"), ct expectations
> > specifying an l3proto which does not match the table family are
> > rejected.
>
> > - l3proto ip
> > + l3proto inet
> > }
>
> This can't be right, the kernel must reject this.
>
> 99993789966a ("netfilter: nft_ct: fix l3num expectations with inet pseudo family")
>
> was supposed to fix this up.
Ah, thanks for the catch! My testing VM currently runs nf-next kernel
which doesn't have that commit. :(
I'll drop this patch from the series.
Cheers, Phil
* Re: [nft PATCH 0/7] A bunch of JSON printer/parser fixes
From: Phil Sutter @ 2024-03-19 17:26 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
On Sat, Mar 09, 2024 at 12:35:20PM +0100, Phil Sutter wrote:
> Fix the following flaws in JSON input/output code:
>
> * Patch 3:
> Wrong ordering of 'nft -j list ruleset' preventing a following restore
> of the dump. Code assumed dumping objects before chains was fine in
> all cases, when actually verdict maps may reference chains already.
> Dump like nft_cmd_expand() does when expanding nested syntax for
> kernel submission (chains first, objects second, finally rules).
>
> * Patch 5:
> Maps may contain concatenated "targets". Both printer and parser were
> entirely ignorant of that fact.
>
> * Patch 6:
> Synproxy objects were "mostly" supported, some hooks missing to
> cover for named ones.
>
> Patch 4 applies the new ordering to all stored json-nft dumps. Patch 7
> adds new dumps which are now parseable given the fixes above.
>
> Patches 1 and 2 are fallout fixes to initially make the whole shell
> testsuite pass on my testing system.
>
> Bugs still present after this series:
>
> * Nested chains remain entirely unsupported
> * Maps specifying interval "targets" (i.e., set->data->flags contains
> EXPR_F_INTERVAL bit) will be printed like regular ones and the parser
> then rejects them.
>
> Phil Sutter (7):
> tests: shell: maps/named_ct_objects: Fix for recent kernel
> tests: shell: packetpath/flowtables: Avoid spurious EPERM
> json: Order output like nft_cmd_expand()
> tests: shell: Regenerate all json-nft dumps
> json: Support maps with concatenated data
> parser: json: Support for synproxy objects
> tests: shell: Add missing json-nft dumps
Series applied after dropping patch 1 and rebasing onto current HEAD.
* Re: [nft PATCH 0/7] A bunch of JSON printer/parser fixes
From: Pablo Neira Ayuso @ 2024-04-24 20:06 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel, Florian Westphal
Hi Phil,
On Sat, Mar 09, 2024 at 12:35:20PM +0100, Phil Sutter wrote:
> Fix the following flaws in JSON input/output code:
>
> * Patch 3:
> Wrong ordering of 'nft -j list ruleset' preventing a following restore
> of the dump. Code assumed dumping objects before chains was fine in
> all cases, when actually verdict maps may reference chains already.
> Dump like nft_cmd_expand() does when expanding nested syntax for
> kernel submission (chains first, objects second, finally rules).
>
> * Patch 5:
> Maps may contain concatenated "targets". Both printer and parser were
> entirely ignorant of that fact.
>
> * Patch 6:
> Synproxy objects were "mostly" supported, some hooks missing to
> cover for named ones.
>
> Patch 4 applies the new ordering to all stored json-nft dumps. Patch 7
> adds new dumps which are now parseable given the fixes above.
>
> Patches 1 and 2 are fallout fixes to initially make the whole shell
> testsuite pass on my testing system.
>
> Bugs still present after this series:
>
> * Nested chains remain entirely unsupported
> * Maps specifying interval "targets" (i.e., set->data->flags contains
> EXPR_F_INTERVAL bit) will be printed like regular ones and the parser
> then rejects them.
I am seeing memleaks when running tests after this series, please see
attachment for reference.
Thanks.
[-- Attachment #2: leaks.txt --]
[-- Type: text/plain, Size: 17856 bytes --]
Command `./../../src/nft -j list ruleset` failed
>>>>
=================================================================
==84914==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c3b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c3b)
#2 0x7fad73ab8483 in __binop_expr_json src/json.c:550
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#6 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#7 0x7fad73ab8571 in binop_expr_json src/json.c:559
#8 0x7fad73aaff68 in expr_print_json src/json.c:53
#9 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#10 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#11 0x7fad73ab3410 in rule_print_json src/json.c:248
#12 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#13 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#14 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#15 0x7fad73a8e84f in do_command_list src/rule.c:2354
#16 0x7fad73a90f1d in do_command src/rule.c:2624
#17 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#18 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#19 0x55c43466d377 in main src/main.c:533
#20 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c3b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c3b)
#2 0x7fad73ab8483 in __binop_expr_json src/json.c:550
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#6 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#7 0x7fad73ab3410 in rule_print_json src/json.c:248
#8 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#9 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#10 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#11 0x7fad73a8e84f in do_command_list src/rule.c:2354
#12 0x7fad73a90f1d in do_command src/rule.c:2624
#13 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#14 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#15 0x55c43466d377 in main src/main.c:533
#16 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c3b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c3b)
#2 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#6 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#7 0x7fad73ab3410 in rule_print_json src/json.c:248
#8 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#9 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#10 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#11 0x7fad73a8e84f in do_command_list src/rule.c:2354
#12 0x7fad73a90f1d in do_command src/rule.c:2624
#13 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#14 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#15 0x55c43466d377 in main src/main.c:533
#16 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c3b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c3b)
#2 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#6 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#7 0x7fad73ab8571 in binop_expr_json src/json.c:559
#8 0x7fad73aaff68 in expr_print_json src/json.c:53
#9 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#10 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#11 0x7fad73ab3410 in rule_print_json src/json.c:248
#12 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#13 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#14 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#15 0x7fad73a8e84f in do_command_list src/rule.c:2354
#16 0x7fad73a90f1d in do_command src/rule.c:2624
#17 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#18 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#19 0x55c43466d377 in main src/main.c:533
#20 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 256 byte(s) in 2 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74bdeaac (/lib/x86_64-linux-gnu/libjansson.so.4+0x3aac)
#2 0x7ffd4687548f ([stack]+0x1c48f)
Indirect leak of 250 byte(s) in 4 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74bdecda (/lib/x86_64-linux-gnu/libjansson.so.4+0x3cda)
Indirect leak of 144 byte(s) in 2 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be396b in json_object (/lib/x86_64-linux-gnu/libjansson.so.4+0x896b)
#2 0x7ffd4687548f ([stack]+0x1c48f)
Indirect leak of 128 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74bdeaac (/lib/x86_64-linux-gnu/libjansson.so.4+0x3aac)
#2 0x7ffd46875a9f ([stack]+0x1ca9f)
Indirect leak of 72 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be396b in json_object (/lib/x86_64-linux-gnu/libjansson.so.4+0x896b)
#2 0x7ffd46875a9f ([stack]+0x1ca9f)
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c6b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c6b)
#2 0x7fad73ab8483 in __binop_expr_json src/json.c:550
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#6 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#7 0x7fad73ab8571 in binop_expr_json src/json.c:559
#8 0x7fad73aaff68 in expr_print_json src/json.c:53
#9 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#10 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#11 0x7fad73ab3410 in rule_print_json src/json.c:248
#12 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#13 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#14 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#15 0x7fad73a8e84f in do_command_list src/rule.c:2354
#16 0x7fad73a90f1d in do_command src/rule.c:2624
#17 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#18 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#19 0x55c43466d377 in main src/main.c:533
#20 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c6b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c6b)
#2 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#6 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#7 0x7fad73ab8571 in binop_expr_json src/json.c:559
#8 0x7fad73aaff68 in expr_print_json src/json.c:53
#9 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#10 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#11 0x7fad73ab3410 in rule_print_json src/json.c:248
#12 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#13 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#14 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#15 0x7fad73a8e84f in do_command_list src/rule.c:2354
#16 0x7fad73a90f1d in do_command src/rule.c:2624
#17 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#18 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#19 0x55c43466d377 in main src/main.c:533
#20 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c6b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c6b)
#2 0x7fad73ab8571 in binop_expr_json src/json.c:559
#3 0x7fad73aaff68 in expr_print_json src/json.c:53
#4 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#5 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#6 0x7fad73ab8571 in binop_expr_json src/json.c:559
#7 0x7fad73aaff68 in expr_print_json src/json.c:53
#8 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#9 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#10 0x7fad73ab3410 in rule_print_json src/json.c:248
#11 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#12 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#13 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#14 0x7fad73a8e84f in do_command_list src/rule.c:2354
#15 0x7fad73a90f1d in do_command src/rule.c:2624
#16 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#17 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#18 0x55c43466d377 in main src/main.c:533
#19 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c6b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c6b)
#2 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#6 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#7 0x7fad73ab3410 in rule_print_json src/json.c:248
#8 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#9 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#10 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#11 0x7fad73a8e84f in do_command_list src/rule.c:2354
#12 0x7fad73a90f1d in do_command src/rule.c:2624
#13 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#14 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#15 0x55c43466d377 in main src/main.c:533
#16 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c6b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c6b)
#2 0x7fad73ab8483 in __binop_expr_json src/json.c:550
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#6 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#7 0x7fad73ab3410 in rule_print_json src/json.c:248
#8 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#9 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#10 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#11 0x7fad73a8e84f in do_command_list src/rule.c:2354
#12 0x7fad73a90f1d in do_command src/rule.c:2624
#13 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#14 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#15 0x55c43466d377 in main src/main.c:533
#16 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 64 byte(s) in 2 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3ed4 in json_stringn_nocheck (/lib/x86_64-linux-gnu/libjansson.so.4+0x8ed4)
Indirect leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c3b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c3b)
#2 0x7fad73ab8571 in binop_expr_json src/json.c:559
#3 0x7fad73aaff68 in expr_print_json src/json.c:53
#4 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#5 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#6 0x7fad73ab8571 in binop_expr_json src/json.c:559
#7 0x7fad73aaff68 in expr_print_json src/json.c:53
#8 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#9 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#10 0x7fad73ab3410 in rule_print_json src/json.c:248
#11 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#12 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#13 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#14 0x7fad73a8e84f in do_command_list src/rule.c:2354
#15 0x7fad73a90f1d in do_command src/rule.c:2624
#16 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#17 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#18 0x55c43466d377 in main src/main.c:533
#19 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be431d in json_integer (/lib/x86_64-linux-gnu/libjansson.so.4+0x931d)
#2 0x7fad73abe8dc in datatype_json src/json.c:975
#3 0x7fad73abf15a in constant_expr_json src/json.c:1003
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#6 0x7fad73ab8483 in __binop_expr_json src/json.c:550
#7 0x7fad73ab8571 in binop_expr_json src/json.c:559
#8 0x7fad73aaff68 in expr_print_json src/json.c:53
#9 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#10 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#11 0x7fad73ab8571 in binop_expr_json src/json.c:559
#12 0x7fad73aaff68 in expr_print_json src/json.c:53
#13 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#14 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#15 0x7fad73ab3410 in rule_print_json src/json.c:248
#16 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#17 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#18 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#19 0x7fad73a8e84f in do_command_list src/rule.c:2354
#20 0x7fad73a90f1d in do_command src/rule.c:2624
#21 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#22 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#23 0x55c43466d377 in main src/main.c:533
#24 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be431d in json_integer (/lib/x86_64-linux-gnu/libjansson.so.4+0x931d)
#2 0x7fad73abe8dc in datatype_json src/json.c:975
#3 0x7fad73abf15a in constant_expr_json src/json.c:1003
#4 0x7fad73aaff68 in expr_print_json src/json.c:53
#5 0x7fad73ab84aa in __binop_expr_json src/json.c:552
#6 0x7fad73ab8483 in __binop_expr_json src/json.c:550
#7 0x7fad73ab8571 in binop_expr_json src/json.c:559
#8 0x7fad73aaff68 in expr_print_json src/json.c:53
#9 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
#10 0x7fad73ab09a6 in stmt_print_json src/json.c:96
#11 0x7fad73ab3410 in rule_print_json src/json.c:248
#12 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
#13 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
#14 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
#15 0x7fad73a8e84f in do_command_list src/rule.c:2354
#16 0x7fad73a90f1d in do_command src/rule.c:2624
#17 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
#18 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
#19 0x55c43466d377 in main src/main.c:533
#20 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 8 byte(s) in 2 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be0fb4 (/lib/x86_64-linux-gnu/libjansson.so.4+0x5fb4)
SUMMARY: AddressSanitizer: 1490 byte(s) leaked in 26 allocation(s).
<<<<
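A triage helper for a report like the leaks.txt attachment above, as an added example (not code from nftables or from anyone in this thread): it groups LeakSanitizer records by the innermost frame inside the project's `src/` tree, sums the leaked bytes per allocation site, and cross-checks the parsed totals against the SUMMARY line to catch a truncated report. The function names, the `src/` prefix default and the abridged sample are choices made for this example.

```python
import re
from collections import defaultdict

# Abridged excerpt of the leaks.txt attachment above: five of its records,
# each trimmed to its innermost frames.
SAMPLE_REPORT = """\
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c3b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c3b)
#2 0x7fad73ab8483 in __binop_expr_json src/json.c:550
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c3b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c3b)
#2 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
#3 0x7fad73ab8571 in binop_expr_json src/json.c:559
Indirect leak of 256 byte(s) in 2 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74bdeaac (/lib/x86_64-linux-gnu/libjansson.so.4+0x3aac)
#2 0x7ffd4687548f ([stack]+0x1c48f)
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be3c6b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c6b)
#2 0x7fad73ab8571 in binop_expr_json src/json.c:559
#3 0x7fad73aaff68 in expr_print_json src/json.c:53
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fad74be431d in json_integer (/lib/x86_64-linux-gnu/libjansson.so.4+0x931d)
#2 0x7fad73abe8dc in datatype_json src/json.c:975
#3 0x7fad73abf15a in constant_expr_json src/json.c:1003
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
# "#N 0xADDR in FUNCTION LOCATION", or "#N 0xADDR LOCATION" for unsymbolized frames.
FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?(\S+)\s*$")
SUMMARY = re.compile(r"SUMMARY: AddressSanitizer: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)")


def parse_leaks(report):
    """Split a report into records: kind, bytes, objects, [(function, location)]."""
    records = []
    for line in report.splitlines():
        line = line.lstrip("> ").rstrip()  # also accept a '>'-quoted copy
        header = HEADER.match(line)
        if header:
            records.append({"kind": header.group(1), "bytes": int(header.group(2)),
                            "objects": int(header.group(3)), "frames": []})
            continue
        frame = FRAME.match(line)
        if frame and records:
            records[-1]["frames"].append((frame.group(1) or "?", frame.group(2)))
    return records


def allocation_site(frames, project_prefix="src/"):
    """Innermost frame whose source path lies in the project tree, or None."""
    for function, location in frames:
        if location.startswith(project_prefix):
            return function, location
    return None


def leaks_by_site(records, project_prefix="src/"):
    """Sum leaked bytes and objects per allocation site, largest first."""
    totals = defaultdict(lambda: {"bytes": 0, "objects": 0, "direct": 0})
    for rec in records:
        site = allocation_site(rec["frames"], project_prefix)
        key = "%s (%s)" % site if site else "(no project frame)"
        totals[key]["bytes"] += rec["bytes"]
        totals[key]["objects"] += rec["objects"]
        if rec["kind"] == "Direct":
            totals[key]["direct"] += rec["bytes"]
    return sorted(totals.items(), key=lambda item: -item[1]["bytes"])


def matches_summary(report, records):
    """True or False when a SUMMARY line is present, None when it is missing."""
    summary = SUMMARY.search(report)
    if not summary:
        return None
    parsed = (sum(r["bytes"] for r in records), sum(r["objects"] for r in records))
    return parsed == (int(summary.group(1)), int(summary.group(2)))


if __name__ == "__main__":
    recs = parse_leaks(SAMPLE_REPORT)
    for site, t in leaks_by_site(recs):
        print("%6d bytes %3d objects (direct: %d)  %s"
              % (t["bytes"], t["objects"], t["direct"], site))
    print("summary check:", matches_summary(SAMPLE_REPORT, recs))
```

Records that end up under "(no project frame)" have only unsymbolized library frames; they are indirect leaks and are released once the direct leaks that own them are fixed.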
* Re: [nft PATCH 0/7] A bunch of JSON printer/parser fixes
From: Pablo Neira Ayuso @ 2024-04-24 20:08 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel, Florian Westphal
On Wed, Apr 24, 2024 at 10:06:14PM +0200, Pablo Neira Ayuso wrote:
> Hi Phil,
>
> On Sat, Mar 09, 2024 at 12:35:20PM +0100, Phil Sutter wrote:
> > Fix the following flaws in JSON input/output code:
> >
> > * Patch 3:
> > Wrong ordering of 'nft -j list ruleset' preventing a following restore
> > of the dump. Code assumed dumping objects before chains was fine in
> > all cases, when actually verdict maps may reference chains already.
> > Dump like nft_cmd_expand() does when expanding nested syntax for
> > kernel submission (chains first, objects second, finally rules).
> >
> > * Patch 5:
> > Maps may contain concatenated "targets". Both printer and parser were
> > entirely ignorant of that fact.
> >
> > * Patch 6:
> > Synproxy objects were "mostly" supported, some hooks missing to
> > cover for named ones.
> >
> > Patch 4 applies the new ordering to all stored json-nft dumps. Patch 7
> > adds new dumps which are now parseable given the fixes above.
> >
> > Patches 1 and 2 are fallout fixes to initially make the whole shell
> > testsuite pass on my testing system.
> >
> > Bugs still present after this series:
> >
> > * Nested chains remain entirely unsupported
> > * Maps specifying interval "targets" (i.e., set->data->flags contains
> > EXPR_F_INTERVAL bit) will be printed like regular ones and the parser
> > then rejects them.
>
> I am seeing memleaks when running tests after this series, please see
> attachment for reference.
It could actually be related to:
0ac39384fd9e json: Accept more than two operands in binary expressions
I did not bisect yet.
> #1 0x7fad74be3c6b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c6b)
> #2 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
> #3 0x7fad73ab8571 in binop_expr_json src/json.c:559
> #4 0x7fad73aaff68 in expr_print_json src/json.c:53
> #5 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
> #6 0x7fad73ab09a6 in stmt_print_json src/json.c:96
> #7 0x7fad73ab3410 in rule_print_json src/json.c:248
> #8 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
> #9 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
> #10 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
> #11 0x7fad73a8e84f in do_command_list src/rule.c:2354
> #12 0x7fad73a90f1d in do_command src/rule.c:2624
> #13 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
> #14 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
> #15 0x55c43466d377 in main src/main.c:533
> #16 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> Indirect leak of 64 byte(s) in 1 object(s) allocated from:
> #0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
> #1 0x7fad74be3c6b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c6b)
> #2 0x7fad73ab8483 in __binop_expr_json src/json.c:550
> #3 0x7fad73ab8571 in binop_expr_json src/json.c:559
> #4 0x7fad73aaff68 in expr_print_json src/json.c:53
> #5 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
> #6 0x7fad73ab09a6 in stmt_print_json src/json.c:96
> #7 0x7fad73ab3410 in rule_print_json src/json.c:248
> #8 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
> #9 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
> #10 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
> #11 0x7fad73a8e84f in do_command_list src/rule.c:2354
> #12 0x7fad73a90f1d in do_command src/rule.c:2624
> #13 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
> #14 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
> #15 0x55c43466d377 in main src/main.c:533
> #16 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> Indirect leak of 64 byte(s) in 2 object(s) allocated from:
> #0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
> #1 0x7fad74be3ed4 in json_stringn_nocheck (/lib/x86_64-linux-gnu/libjansson.so.4+0x8ed4)
>
> Indirect leak of 40 byte(s) in 1 object(s) allocated from:
> #0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
> #1 0x7fad74be3c3b in json_array (/lib/x86_64-linux-gnu/libjansson.so.4+0x8c3b)
> #2 0x7fad73ab8571 in binop_expr_json src/json.c:559
> #3 0x7fad73aaff68 in expr_print_json src/json.c:53
> #4 0x7fad73ab84aa in __binop_expr_json src/json.c:552
> #5 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
> #6 0x7fad73ab8571 in binop_expr_json src/json.c:559
> #7 0x7fad73aaff68 in expr_print_json src/json.c:53
> #8 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
> #9 0x7fad73ab09a6 in stmt_print_json src/json.c:96
> #10 0x7fad73ab3410 in rule_print_json src/json.c:248
> #11 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
> #12 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
> #13 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
> #14 0x7fad73a8e84f in do_command_list src/rule.c:2354
> #15 0x7fad73a90f1d in do_command src/rule.c:2624
> #16 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
> #17 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
> #18 0x55c43466d377 in main src/main.c:533
> #19 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> Indirect leak of 24 byte(s) in 1 object(s) allocated from:
> #0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
> #1 0x7fad74be431d in json_integer (/lib/x86_64-linux-gnu/libjansson.so.4+0x931d)
> #2 0x7fad73abe8dc in datatype_json src/json.c:975
> #3 0x7fad73abf15a in constant_expr_json src/json.c:1003
> #4 0x7fad73aaff68 in expr_print_json src/json.c:53
> #5 0x7fad73ab84aa in __binop_expr_json src/json.c:552
> #6 0x7fad73ab8483 in __binop_expr_json src/json.c:550
> #7 0x7fad73ab8571 in binop_expr_json src/json.c:559
> #8 0x7fad73aaff68 in expr_print_json src/json.c:53
> #9 0x7fad73ab84aa in __binop_expr_json src/json.c:552
> #10 0x7fad73ab83e7 in __binop_expr_json src/json.c:549
> #11 0x7fad73ab8571 in binop_expr_json src/json.c:559
> #12 0x7fad73aaff68 in expr_print_json src/json.c:53
> #13 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
> #14 0x7fad73ab09a6 in stmt_print_json src/json.c:96
> #15 0x7fad73ab3410 in rule_print_json src/json.c:248
> #16 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
> #17 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
> #18 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
> #19 0x7fad73a8e84f in do_command_list src/rule.c:2354
> #20 0x7fad73a90f1d in do_command src/rule.c:2624
> #21 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
> #22 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
> #23 0x55c43466d377 in main src/main.c:533
> #24 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> Indirect leak of 24 byte(s) in 1 object(s) allocated from:
> #0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
> #1 0x7fad74be431d in json_integer (/lib/x86_64-linux-gnu/libjansson.so.4+0x931d)
> #2 0x7fad73abe8dc in datatype_json src/json.c:975
> #3 0x7fad73abf15a in constant_expr_json src/json.c:1003
> #4 0x7fad73aaff68 in expr_print_json src/json.c:53
> #5 0x7fad73ab84aa in __binop_expr_json src/json.c:552
> #6 0x7fad73ab8483 in __binop_expr_json src/json.c:550
> #7 0x7fad73ab8571 in binop_expr_json src/json.c:559
> #8 0x7fad73aaff68 in expr_print_json src/json.c:53
> #9 0x7fad73ac1b55 in ct_stmt_json src/json.c:1248
> #10 0x7fad73ab09a6 in stmt_print_json src/json.c:96
> #11 0x7fad73ab3410 in rule_print_json src/json.c:248
> #12 0x7fad73ac7ff8 in table_print_json_full src/json.c:1741
> #13 0x7fad73ac8537 in do_list_ruleset_json src/json.c:1763
> #14 0x7fad73acbcc0 in do_command_list_json src/json.c:1986
> #15 0x7fad73a8e84f in do_command_list src/rule.c:2354
> #16 0x7fad73a90f1d in do_command src/rule.c:2624
> #17 0x7fad7399e2f4 in nft_netlink src/libnftables.c:42
> #18 0x7fad739a488c in nft_run_cmd_from_buffer src/libnftables.c:598
> #19 0x55c43466d377 in main src/main.c:533
> #20 0x7fad72a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> Indirect leak of 8 byte(s) in 2 object(s) allocated from:
> #0 0x7fad744b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
> #1 0x7fad74be0fb4 (/lib/x86_64-linux-gnu/libjansson.so.4+0x5fb4)
>
> SUMMARY: AddressSanitizer: 1490 byte(s) leaked in 26 allocation(s).
> <<<<
* Re: [nft PATCH 0/7] A bunch of JSON printer/parser fixes
2024-04-24 20:08 ` Pablo Neira Ayuso
@ 2024-04-24 20:41 ` Phil Sutter
0 siblings, 0 replies; 14+ messages in thread
From: Phil Sutter @ 2024-04-24 20:41 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
On Wed, Apr 24, 2024 at 10:08:00PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Apr 24, 2024 at 10:06:14PM +0200, Pablo Neira Ayuso wrote:
> > Hi Phil,
> >
> > On Sat, Mar 09, 2024 at 12:35:20PM +0100, Phil Sutter wrote:
> > > Fix the following flaws in JSON input/output code:
> > >
> > > * Patch 3:
> > > Wrong ordering of 'nft -j list ruleset' preventing a following restore
> > > of the dump. Code assumed dumping objects before chains was fine in
> > > all cases, when actually verdict maps may reference chains already.
> > > Dump like nft_cmd_expand() does when expanding nested syntax for
> > > kernel submission (chains first, objects second, finally rules).
> > >
> > > * Patch 5:
> > > Maps may contain concatenated "targets". Both printer and parser were
> > > entirely ignorant of that fact.
> > >
> > > * Patch 6:
> > > Synproxy objects were "mostly" supported, some hooks missing to
> > > cover for named ones.
> > >
> > > Patch 4 applies the new ordering to all stored json-nft dumps. Patch 7
> > > adds new dumps which are now parseable given the fixes above.
> > >
> > > Patches 1 and 2 are fallout fixes to initially make the whole shell
> > > testsuite pass on my testing system.
> > >
> > > Bugs still present after this series:
> > >
> > > * Nested chains remain entirely unsupported
> > > * Maps specifying interval "targets" (i.e., set->data->flags contains
> > > EXPR_F_INTERVAL bit) will be printed like regular ones and the parser
> > > then rejects them.
> >
> > I am seeing memleaks when running tests after this series, please see
> > attachment for reference.
>
> It could actually be related to:
>
> 0ac39384fd9e json: Accept more than two operands in binary expressions
>
> I did not bisect yet.
Good catch! I missed the fact that json_array_extend() does not decref
the emptied array. The fix is simple, will submit after the testsuite
has passed.
Thanks, Phil
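
Added example, not part of the thread and not nftables or jansson code: a small stand-in for jansson-style reference counting that shows the ownership rule named in the reply above. The names `node`, `array_extend` and `merge_operands` are hypothetical; `array_extend` is modelled on the documented behaviour of `json_array_extend()`, which takes new references on the elements and leaves the source array to its caller.

```c
#include <stdio.h>

/* Minimal model of jansson-style reference counting; not jansson itself.
 * Nodes sit on the stack, so the demo itself allocates nothing. */
typedef struct node { int refs, n; struct node *item[4]; } node;
static int live;                /* nodes whose refcount has not hit zero */

static void node_decref(node *v)
{
    if (--v->refs > 0)
        return;
    for (int i = 0; i < v->n; i++)
        node_decref(v->item[i]);
    live--;
}

/* Modelled on json_array_extend(): takes a new reference on each element
 * and leaves the caller's own reference on 'other' untouched. */
static void array_extend(node *arr, const node *other)
{
    for (int i = 0; i < other->n; i++) {
        other->item[i]->refs++;
        arr->item[arr->n++] = other->item[i];
    }
}

/* Merge a temporary operand array into dst, release dst, and return how
 * many nodes are still live; release_tmp selects the corrected path. */
static int merge_operands(int release_tmp)
{
    node a = { .refs = 1 }, b = { .refs = 1 };              /* operands */
    node tmp = { .refs = 1, .n = 2, .item = { &a, &b } };   /* owns a, b */
    node dst = { .refs = 1 };

    live = 4;
    array_extend(&dst, &tmp);
    if (release_tmp)
        node_decref(&tmp);      /* the step the leaky path omits */
    node_decref(&dst);
    return live;
}

int main(void)
{
    printf("leaky: %d live, fixed: %d live\n", merge_operands(0), merge_operands(1));
    return 0;
}
```

In the leaky path the temporary array survives and keeps its elements alive with it, which corresponds to how LeakSanitizer separates a direct leak from the indirect leaks reachable only through it.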