* [PATCH 0/6] tests: Automated regression testing
@ 2014-07-31 9:08 Ana Rey
2014-07-31 9:08 ` [PATCH 1/6] [nft] tests: Add " Ana Rey
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Ana Rey @ 2014-07-31 9:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
This is the automated regression testing of nftables.

In all development it is important to have a good system that lets us
check all features in our tools automatically. In nftables, there are
no automated tests to check it so far.

There is no system to let us check all options/features in nft. So,
if anyone sends a patch, we cannot check all of nft-tool automatically.
It's impossible to check if anything is broken, or if a change adds a failure
in the system, or fixes a problem in all cases.

In this patchset I send the nftables automated regression tests. It
contains a python script (nft-add.py) and a set of test files.

This lets us check the input of rules of nft-tool from the command-line
and the output from nft-tool of this rule. Then, it compares whether the
rule input matches the rule output automatically. And, the most
important thing: it does it automatically.

We also have plans to add automated regression testing in the packet
path in the future, which should come in a follow-up step.

Comments welcome, thanks
Ana Rey (6):
[nft] tests: Add Automated regression testing
[nft] tests: Add ip6 folder with test files.
[nft] tests: Add inet folder with test files.
[nft] tests: Add any folder with test files.
[nft] tests: Add arp folder with test files.
[nft] tests: Add bridge folder with test files.
tests/any/ct.t | 113 +++++++
tests/any/frag.t | 69 +++++
tests/any/limit.t | 13 +
tests/any/log.t | 14 +
tests/any/meta.t | 157 ++++++++++
tests/any/queue.t | 15 +
tests/arp/arp.t | 58 ++++
tests/arp/chains.t | 5 +
tests/bridge/chains.t | 8 +
tests/inet/ah.t | 63 ++++
tests/inet/comp.t | 31 ++
tests/inet/dccp.t | 31 ++
tests/inet/esp.t | 23 ++
tests/inet/sctp.t | 42 +++
tests/inet/tcp.t | 104 +++++++
tests/inet/udp.t | 49 +++
tests/inet/udplite.t | 42 +++
tests/ip/chains.t | 22 ++
tests/ip/icmp.t | 98 ++++++
tests/ip/ip.t | 108 +++++++
tests/ip/nat.t | 18 ++
tests/ip/reject.t | 5 +
tests/ip/sets.t | 31 ++
tests/ip6/chains.t | 16 +
tests/ip6/dst.t | 25 ++
tests/ip6/hbh.t | 17 +
tests/ip6/icmpv6.t | 115 +++++++
tests/ip6/ip6.t | 141 +++++++++
tests/ip6/mh.t | 50 +++
tests/ip6/nat.t | 8 +
tests/ip6/reject.t | 5 +
tests/ip6/rt.t | 50 +++
tests/ip6/sets.t | 27 ++
tests/ip6/vmap.t | 54 ++++
tests/nft-test.py | 842 ++++++++++++++++++++++++++++++++++++++++++++++++++
35 files changed, 2469 insertions(+)
create mode 100644 tests/any/ct.t
create mode 100644 tests/any/frag.t
create mode 100644 tests/any/limit.t
create mode 100644 tests/any/log.t
create mode 100644 tests/any/meta.t
create mode 100644 tests/any/queue.t
create mode 100644 tests/arp/arp.t
create mode 100644 tests/arp/chains.t
create mode 100644 tests/bridge/chains.t
create mode 100644 tests/inet/ah.t
create mode 100644 tests/inet/comp.t
create mode 100644 tests/inet/dccp.t
create mode 100644 tests/inet/esp.t
create mode 100644 tests/inet/sctp.t
create mode 100644 tests/inet/tcp.t
create mode 100644 tests/inet/udp.t
create mode 100644 tests/inet/udplite.t
create mode 100644 tests/ip/chains.t
create mode 100644 tests/ip/icmp.t
create mode 100644 tests/ip/ip.t
create mode 100644 tests/ip/nat.t
create mode 100644 tests/ip/reject.t
create mode 100644 tests/ip/sets.t
create mode 100644 tests/ip6/chains.t
create mode 100644 tests/ip6/dst.t
create mode 100644 tests/ip6/hbh.t
create mode 100644 tests/ip6/icmpv6.t
create mode 100644 tests/ip6/ip6.t
create mode 100644 tests/ip6/mh.t
create mode 100644 tests/ip6/nat.t
create mode 100644 tests/ip6/reject.t
create mode 100644 tests/ip6/rt.t
create mode 100644 tests/ip6/sets.t
create mode 100644 tests/ip6/vmap.t
create mode 100755 tests/nft-test.py
--
2.0.0
^ permalink raw reply [flat|nested] 7+ messages in thread
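The test-file line format that the commit message of patch 1/6 describes (its section C), as an added example that is not taken from the posted nft-test.py: a small Python parser that classifies each line and collects malformed ones instead of aborting. `Entry`, `parse_line`, `parse_file` and `SAMPLE` are hypothetical names, and the sample input is constructed from lines quoted in this thread.

```python
from collections import namedtuple

# kind: table, chain, set, element or rule.
# marked: True when the line starts with "-" (run only with the -r option).
Entry = namedtuple("Entry", "lineno kind marked fields")

# First character of a line selects its kind; anything else is a rule.
PREFIXES = {"*": "table", ":": "chain", "!": "set", "?": "element"}

# Constructed sample, assembled from lines quoted in this thread.
SAMPLE = """\
*ip;test-ipv4
*inet;test-inet
:input;type filter hook input priority 0

# This is a commented line.
ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23
ip daddr 192.168.0.1 drop;ok
- tcp dport != {22-25}
-icmp code != { 33-55};ok
!set1 ipv4_addr;ok
?set1 192.168.3.8 192.168.3.9;ok
?set1 1234:1234:1234:1234:1234:1234:1234:1234;fail
"""


def _state(value, lineno):
    """Validate the expected-result field of a set, element or rule line."""
    if value not in ("ok", "fail"):
        raise ValueError("line %d: expected ok or fail, got %r" % (lineno, value))
    return value


def parse_line(text, lineno):
    """Classify one test-file line; return None for blank and comment lines."""
    line = text.strip()
    if not line or line.startswith("#"):
        return None
    marked = line.startswith("-")
    if marked:
        line = line[1:].lstrip()
    if not line:
        raise ValueError("line %d: marker without content" % lineno)
    kind = PREFIXES.get(line[0], "rule")
    body = line if kind == "rule" else line[1:]
    parts = [p.strip() for p in body.split(";")]

    if kind == "table":                      # *family;name
        if len(parts) != 2 or not all(parts):
            raise ValueError("line %d: table needs family;name" % lineno)
        fields = {"family": parts[0], "name": parts[1]}
    elif kind == "chain":                    # :name;type ... hook ... priority ...
        if len(parts) > 2 or not parts[0]:
            raise ValueError("line %d: chain needs name[;spec]" % lineno)
        fields = {"name": parts[0], "spec": parts[1] if len(parts) == 2 else ""}
    elif kind == "set":                      # !name type;state
        words = parts[0].split()
        if len(parts) != 2 or len(words) != 2:
            raise ValueError("line %d: set needs 'name type;state'" % lineno)
        fields = {"name": words[0], "type": words[1],
                  "state": _state(parts[1], lineno)}
    elif kind == "element":                  # ?name elem [elem ...];state
        words = parts[0].split()
        if len(parts) != 2 or len(words) < 2:
            raise ValueError("line %d: element needs 'set elem...;state'" % lineno)
        fields = {"set": words[0], "elements": words[1:],
                  "state": _state(parts[1], lineno)}
    else:                                    # rule;state[;expected listing]
        if len(parts) not in (2, 3) or not parts[0]:
            raise ValueError("line %d: rule needs 'rule;state[;output]'" % lineno)
        # When the third field is omitted, the listing must equal the input.
        expected = parts[2] if len(parts) == 3 and parts[2] else parts[0]
        fields = {"rule": parts[0], "state": _state(parts[1], lineno),
                  "expected": expected}
    return Entry(lineno, kind, marked, fields)


def parse_file(text):
    """Parse a whole test file; malformed lines are collected, not fatal."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(raw, lineno)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


if __name__ == "__main__":
    parsed, problems = parse_file(SAMPLE)
    for e in parsed:
        print(e.lineno, "marked" if e.marked else "      ", e.kind, e.fields)
    for p in problems:
        print("skipped:", p)
```
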
* [PATCH 1/6] [nft] tests: Add Automated regression testing
2014-07-31 9:08 [PATCH 0/6] tests: Automated regression testing Ana Rey
@ 2014-07-31 9:08 ` Ana Rey
2014-07-31 9:08 ` [PATCH 2/6] [nft] tests: Add ip6 folder with test files Ana Rey
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Ana Rey @ 2014-07-31 9:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
Here is the automated regression testing for nftables and some test files.
This is a python script to check the command-line in nft.
This script checks the input of rules of nft-tool from the command-line
and the output of them to the command-line. A bit more detail
below.

A) What is it checking?
This script tests two different paths:
1) The input of rules of nft-tool from the command-line. It checks the
different steps from the command-line to the kernel: parse step,
evaluate step, compile step, the generation of the netlink message and, after
this, it is sent into the kernel.
2) The output that is obtained from the kernel. It checks the different
steps from the kernel to the command-line: getting the netlink message,
the parse step, the postprocess step, the textify step and the listing of
the rule in the command-line.
As a last step, it compares the rule that is added with the rule that is
listed by nft.

B) What options are available?
The script offers the following options:
1) Execute the whole set of test files (or one test file):
    ./nft-test.sh => Run all test files
    ./nft-test.sh path/file.t => Run this test file
So, it tests the input of rules of nft-tool from the command-line and
then it checks if the rule is added correctly.
If there is a problem, it lists the differences between the rule that is
added and the rule that is listed by nft.
(If there is more than one table family indicated in the test file
and there is an error or a warning in this execution of the rule, the
execution of this rule stops and it does not run in the other families
of the tables.)
2) List all rules that are added in nft-tool while this script is run. (It
is similar to a debug mode of this test.)
    ./nft-test.sh -d
    ./nft-test.sh -d path/file.t
3) Run marked-line. This mode runs the lines that start with a "-"
symbol (these rules only).
    ./nft-test.sh -r
    ./nft-test.sh -r path/file.t
4) Run a rule in all table families. Run all rules in all families
of the tables defined in the test file (even if there was an error
or a warning in a previous family).
    ./nft-test.sh -a
    ./nft-test.sh -a path/file.t

C) What is the structure of the test file?
A test file contains a set of rules that are added in the system.
Here is an example of a test file:
*ip;test-ipv4 # line 1
*ip6;test-ipv6 # line 2
*inet;test-inet # line 3
:input;type filter hook input priority 0 # line 4
ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23 # line 5
- tcp dport != {22-25} # line 6
!set1 ipv4_addr;ok # line 7
?set1 192.168.3.8 192.168.3.9;ok # line 8
# This is a commented-line. # line 9
1) Tables:
# Line 1: It defines a table where chains and rules are added.
It defines a table. The name of the table is test-ip and the family is
ip.
In lines 2 and 3, it defines more tables of different families (ip6 and
inet). It's possible to add different types of tables.
2) Chains:
# Line 4: It defines the chain/s (and the type, hook and priority of
this chain) where rules are added. The name of this chain is "input".
The type is "filter", the hook is "input" and the priority is 0.
3) Rules:
Line 4: This line is divided by a ";" character.
Part 1: "ah hdrlength != 11-23" is the rule to check.
Part 2: "ok" is the result expected from the execution of this rule.
(This rule is added without errors.)
Part 3: "ah hdrlength < 11 ah hdrlength > 23". This is the look of
the rule if it is run in the command-line. If the look of the output
rule is the same as the rule in the input, this part is omitted.
4) Marked-line:
Line 6: This is a marked-line. It means this rule is not run in a
general execution of this script.
If you want to execute this line, it's necessary to run this script with
the "-r" option.
It's useful to mark known bugs or lines that you don't want to execute.
5) Named set:
Line 7: It adds a new set. The name of this set is "set1" and the type
of this set is "ipv4_add".
Line 8: It adds two elements into the set1 set: "192.168.3.8" and
"192.168.3.9". A whitespace divides the different elements of the set.
Anonymous sets are added as a normal rule. They don't need special
handling.
6) Comments:
Line 9: The "#" symbol means that the line is a comment about the test.

D) The test folders
The test files are divided into directories: ip, ip6, inet, arp, bridge
and any folders:
* "ip" folder: Here are the test files that are executed in ip and inet
tables.
* "ip" folder: Here are the test files that are executed in ip6 and inet
tables.
* "inet" folder: Here are the test files that are executed in ip, ip6 and
inet tables.
* "arp" folder: Here are the test files that are executed in arp tables.
* "bridge" folder: Here are the test files that are executed in bridge
tables.
* "any" folder: Here are the test files that are executed in ip, ip6, inet,
arp and bridge tables.
Moreover, it adds the "ip4" folder with specific test files for ip and
inet tables.

Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/ip/chains.t | 22 ++
tests/ip/icmp.t | 98 +++++++
tests/ip/ip.t | 108 +++++++
tests/ip/nat.t | 18 ++
tests/ip/reject.t | 5 +
tests/ip/sets.t | 31 ++
tests/nft-test.py | 842 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
7 files changed, 1124 insertions(+)
create mode 100644 tests/ip/chains.t
create mode 100644 tests/ip/icmp.t
create mode 100644 tests/ip/ip.t
create mode 100644 tests/ip/nat.t
create mode 100644 tests/ip/reject.t
create mode 100644 tests/ip/sets.t
create mode 100755 tests/nft-test.py
diff --git a/tests/ip/chains.t b/tests/ip/chains.t
new file mode 100644
index 0000000..92a1147
--- /dev/null
+++ b/tests/ip/chains.t
@@ -0,0 +1,22 @@
+*ip;test-ip4
+-*inet;test-inet
+
+# filter chains available are: input, output, forward, prerouting, postrouting
+:filter-input;type filter hook input priority 0
+:filter-pre;type filter hook prerouting priority 0
+:filter-forw;type filter hook forward priority 0
+:filter-out;type filter hook output priority 0
+:filter-post;type filter hook postrouting priority 0
+# nat chains available are: input, output, prerouting, postrouting
+:nat-input-t;type nat hook input priority 0
+:nat-pre-t;type nat hook prerouting priority 0
+:nat-out-t;type nat hook output priority 0
+:nat-post-t;type nat hook postrouting priority 0
+# route chain available are: output
+:route-out-t;type route hook output priority 0
+
+#ip daddr 192.168.0.1-192.168.0.250;ok
+#ip daddr 192.168.0.1;ok
+#ip daddr 192.168.0.1 drop;ok
+#ip daddr 192.168.0.2 log;ok
+#ip daddr 192.168.0.2 log;ok
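Review bot: The five rule lines at the end of chains.t are all commented out with "#", and `#ip daddr 192.168.0.2 log;ok` appears twice, so this file only exercises table and chain creation. The same rules are already active in tests/ip/ip.t, so I would drop the commented block here. The marked `-*inet;test-inet` line also has no comment saying why inet is excluded, unlike icmp.t and nat.t, which record the bug next to the marker.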
diff --git a/tests/ip/icmp.t b/tests/ip/icmp.t
new file mode 100644
index 0000000..57a8d8f
--- /dev/null
+++ b/tests/ip/icmp.t
@@ -0,0 +1,98 @@
+*ip;test-ip4
+# BUG: There is a bug with icmp and inet tables.
+- *inet;test-inet
+:input;type filter hook input priority 0
+
+icmp type echo-reply accept;ok
+icmp type destination-unreachable accept;ok
+icmp type source-quench accept;ok
+icmp type redirect accept;ok
+icmp type echo-request accept;ok
+icmp type time-exceeded accept;ok
+icmp type parameter-problem accept;ok
+icmp type timestamp-request accept;ok
+icmp type timestamp-reply accept;ok
+icmp type info-request accept;ok
+icmp type info-reply accept;ok
+icmp type address-mask-request accept;ok
+icmp type address-mask-reply accept;ok
+icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply} accept;ok
+# $ sudo nft add rule ip test input icmp type != {echo-reply, destination-unreachable, source-quench}
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp code 111 accept;ok
+icmp code != 111 accept;ok
+icmp code 33-55;ok;icmp code >= 33 icmp code <= 55
+icmp code != 33-55;ok;icmp code < 33 icmp code > 55
+icmp code { 33-55};ok
+-icmp code != { 33-55};ok
+icmp code { 2, 4, 54, 33, 56};ok
+-icmp code != { 2, 4, 54, 33, 56};ok
+# $ sudo nft add rule ip test input icmp code != {2, 4, 54, 33, 56}
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp checksum 12343 accept;ok
+icmp checksum != 12343 accept;ok
+icmp checksum 11-343 accept;ok;icmp checksum >= 11 icmp checksum <= 343 accept
+icmp checksum != 11-343 accept;ok;icmp checksum < 11 icmp checksum > 343 accept
+icmp checksum { 11-343} accept;ok
+-icmp checksum != { 11-343} accept;ok
+icmp checksum { 1111, 222, 343} accept;ok
+-icmp checksum != { 1111, 222, 343} accept;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp id 1245 log;ok
+icmp id 22;ok
+icmp id != 233;ok
+icmp id 33-45;ok;icmp id >= 33 icmp id <= 45
+icmp id != 33-45;ok;icmp id < 33 icmp id > 45
+icmp id { 33-55};ok
+- icmp id != { 33-55};ok
+icmp id { 22, 34, 333};ok
+- icmp id != { 22, 34, 333};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp sequence 22;ok
+icmp sequence != 233;ok
+icmp sequence 33-45;ok;icmp sequence >= 33 icmp sequence <= 45
+icmp sequence != 33-45;ok;icmp sequence < 33 icmp sequence > 45
+icmp sequence { 33, 55, 67, 88};ok
+- icmp sequence != { 33, 55, 67, 88};ok
+icmp sequence { 33-55};ok
+- icmp sequence != { 33-55};ok
+
+icmp mtu 33;ok
+# BUG It set sequence value.
+icmp mtu 22-33;ok
+# BUG: invalid byte order conversion 0 => 2
+# nft: src/evaluate.c:153: byteorder_conversion_op: Assertion '0' failed.
+
+# bug to list icmp sequence 33
+icmp mtu { 22-33};ok
+-icmp mtu != { 22-33};ok
+icmp mtu 22;ok
+icmp mtu != 233;ok
+icmp mtu 33-45;ok
+icmp mtu != 33-45;ok
+icmp mtu { 33, 55, 67, 88};ok
+-icmp mtu != { 33, 55, 67, 88};ok
+icmp mtu { 33-55};ok
+-icmp mtu != { 33-55};ok
+
+icmp gateway 22;ok
+icmp gateway != 233;ok
+icmp gateway 33-45;ok;icmp gateway >= 33 icmp gateway <= 45
+icmp gateway != 33-45;ok;icmp gateway < 33 icmp gateway > 45
+icmp gateway { 33, 55, 67, 88};ok
+-icmp gateway != { 33, 55, 67, 88};ok
+icmp gateway { 33-55};ok
+-icmp gateway != { 33-55};ok
+icmp gateway != 34;ok
+# BUG list: icmp id 0 icmp sequence 22
+- icmp gateway != { 333, 334};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed
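Review bot: Several rules in the mtu and gateway blocks are documented as bugs by the comment that follows them but are left unmarked with an `ok` expectation: `icmp mtu 33;ok` ("It set sequence value"), `icmp mtu 22-33;ok` (the byteorder_conversion_op assertion) and `icmp gateway != 34;ok` ("BUG list: icmp id 0 icmp sequence 22"). Either mark them with "-" like the other known failures, or put each BUG comment directly above the rule it refers to so a reader can tell which line is affected. The `icmp mtu 33-45;ok` and `icmp mtu != 33-45;ok` lines also lack the third field that the other range rules carry (compare `icmp id 33-45;ok;icmp id >= 33 icmp id <= 45`), and the marker is written both as `-icmp` and `- icmp`; please pick one form.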
diff --git a/tests/ip/ip.t b/tests/ip/ip.t
new file mode 100644
index 0000000..f1b4a70
--- /dev/null
+++ b/tests/ip/ip.t
@@ -0,0 +1,108 @@
+*ip;test-ip4
+*inet;test-inet
+:input;type filter hook input priority 0
+
+# bug ip version
+-ip version 2;ok
+
+# bug ip hdrlength
+-ip hdrlength 10;ok
+-ip hdrlength != 5;ok
+-ip hdrlength 5-8;ok
+-ip hdrlength != 3-13;ok
+-ip hdrlength {3, 5, 6, 8};ok
+-ip hdrlength != {3, 5, 7, 8};ok
+-ip hdrlength { 3-5};ok
+-ip hdrlength != { 3-59};ok
+# ip hdrlength 12
+# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
+# add rule ip test input ip hdrlength 12
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# <cmdline>:1:37-38: Error: Value 22 exceeds valid range 0-15
+# add rule ip test input ip hdrlength 22
+
+# bug: ip dscp
+-ip dscp CS1;ok
+-ip dscp != CS1;ok
+-ip dscp 0x38;ok
+-ip dscp != 0x20;ok
+-ip dscp {CS1, CS2, CS3, CS4, CS5, CS6, CS7, BE, AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43, EF};ok
+-ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok
+-ip dscp != {CS0, CS3};ok
+
+ip length 232;ok
+ip length != 233;ok
+ip length 333-435;ok;ip length >= 333 ip length <= 435
+ip length != 333-453;ok;ip length < 333 ip length > 453
+ip length { 333, 553, 673, 838};ok
+-ip length != { 333, 535, 637, 883};ok
+ip length { 333-535};ok
+-ip length != { 333-553};ok
+
+ip id 22;ok
+ip id != 233;ok
+ip id 33-45;ok;ip id >= 33 ip id <= 45
+ip id != 33-45;ok;ip id < 33 ip id > 45
+ip id { 33, 55, 67, 88};ok
+- ip id != { 33, 55, 67, 88};ok
+ip id { 33-55};ok
+- ip id != { 33-55};ok
+
+ip frag-off 222 accept;ok
+ip frag-off != 233;ok
+ip frag-off 33-45;ok;ip frag-off >= 33 ip frag-off <= 45
+ip frag-off != 33-45;ok;ip frag-off < 33 ip frag-off > 45
+ip frag-off { 33, 55, 67, 88};ok
+-ip frag-off != { 33, 55, 67, 88};ok
+ip frag-off { 33-55};ok
+-ip frag-off != { 33-55};ok
+
+ip ttl 0 drop;ok
+ip ttl 233 log;ok
+ip ttl 33-55;ok;ip ttl >= 33 ip ttl <= 55
+ip ttl != 45-50;ok;ip ttl < 45 ip ttl > 50
+ip ttl {43, 53, 45 };ok
+- ip ttl != {46, 56, 93 };ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+ip ttl { 33-55};ok
+- ip ttl != { 33-55};ok
+
+ip protocol tcp log;ok
+ip protocol != tcp log;ok
+ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok
+- ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok
+
+ip checksum 13172 drop;ok
+ip checksum 22;ok
+ip checksum != 233;ok
+ip checksum 33-45;ok;ip checksum >= 33 ip checksum <= 45
+ip checksum != 33-45;ok;ip checksum < 33 ip checksum > 45
+ip checksum { 33, 55, 67, 88};ok
+-ip checksum != { 33, 55, 67, 88};ok
+ip checksum { 33-55};ok
+-ip checksum != { 33-55};ok
+
+ip saddr 192.168.2.0/24;ok
+ip saddr != 192.168.2.0/24;ok
+ip saddr 192.168.3.1 ip daddr 192.168.3.100;ok
+ip saddr != 1.1.1.1 log prefix giuseppe;ok
+ip saddr 1.1.1.1 log prefix example group 1;ok
+ip daddr 192.168.0.1-192.168.0.250;ok;ip daddr >= 192.168.0.1 ip daddr <= 192.168.0.250
+ip daddr 10.0.0.0-10.255.255.255;ok;ip daddr >= 10.0.0.0 ip daddr <= 10.255.255.255
+ip daddr 172.16.0.0-172.31.255.255;ok;ip daddr >= 172.16.0.0 ip daddr <= 172.31.255.255
+ip daddr 192.168.3.1-192.168.4.250;ok;ip daddr >= 192.168.3.1 ip daddr <= 192.168.4.250
+ip daddr != 192.168.0.1-192.168.0.250;ok;ip daddr < 192.168.0.1 ip daddr > 192.168.0.250
+ip daddr { 192.168.0.1-192.168.0.250};ok
+-ip daddr != { 192.168.0.1-192.168.0.250};ok
+ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+-ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+
+ip daddr 192.168.1.2-192.168.1.55;ok;ip daddr >= 192.168.1.2 ip daddr <= 192.168.1.55
+ip daddr != 192.168.1.2-192.168.1.55;ok;ip daddr < 192.168.1.2 ip daddr > 192.168.1.55
+ip saddr 192.168.1.3-192.168.33.55;ok;ip saddr >= 192.168.1.3 ip saddr <= 192.168.33.55
+ip saddr != 192.168.1.3-192.168.33.55;ok;ip saddr < 192.168.1.3 ip saddr > 192.168.33.55
+
+ip daddr 192.168.0.1;ok
+ip daddr 192.168.0.1 drop;ok
+ip daddr 192.168.0.2 log;ok
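Review bot: ip.t contains no negative test: every rule expects `ok`, although the comment block under "# bug ip hdrlength" already records an input that must be rejected (`Value 22 exceeds valid range 0-15`). Adding `ip hdrlength 22;fail` (marked with "-" while hdrlength is broken) would cover that range check, using the `fail` state that sets.t already relies on. The "# bug ip version" and "# bug: ip dscp" comments should also say what goes wrong, the way the hdrlength comment does, so the marked lines can be unmarked once the bug is fixed.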
diff --git a/tests/ip/nat.t b/tests/ip/nat.t
new file mode 100644
index 0000000..23e0bce
--- /dev/null
+++ b/tests/ip/nat.t
@@ -0,0 +1,18 @@
+*ip;test-ip4
+# bug: Nat tables is not supported yet in inet table.
+-*inet;test-inet
+
+:output;type nat hook output priority 0
+
+iifname eth0 tcp dport 80-90 dnat 192.168.3.2;ok
+iifname eth0 tcp dport != 80-90 dnat 192.168.3.2;ok
+iifname eth0 tcp dport {80, 90, 23} dnat 192.168.3.2;ok
+- iifname eth0 tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+
+iifname eth0 tcp sport 23-34 snat 192.168.3.2;ok
+
+- iifname eth0 tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+iifname eth0 tcp dport != 23-34 dnat 192.168.3.2;ok
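Review bot: The marked rule `- iifname eth0 tcp dport != {80, 90, 23} dnat 192.168.3.2;ok` is listed twice, once after the dnat set rule and again after the snat rule. Keep the second copy, which has the BUG comment under it, and drop the first. The final `iifname eth0 tcp dport != 23-34 dnat 192.168.3.2;ok` would be easier to find if it sat with the other dport range rules at the top of the file.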
diff --git a/tests/ip/reject.t b/tests/ip/reject.t
new file mode 100644
index 0000000..e7fb15b
--- /dev/null
+++ b/tests/ip/reject.t
@@ -0,0 +1,5 @@
+*ip;test-ip4
+*ip;test-inet
+:output;type filter hook output priority 0
+
+reject;ok
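Review bot: The second table line reads `*ip;test-inet`, which declares another table of family ip that is merely named test-inet; going by the other files in this patch (`*inet;test-inet`) the family was meant to be inet. As posted, reject is never exercised in an inet table. If inet does not support reject yet, mark the line with "-" and add a comment, as nat.t does.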
diff --git a/tests/ip/sets.t b/tests/ip/sets.t
new file mode 100644
index 0000000..a74d308
--- /dev/null
+++ b/tests/ip/sets.t
@@ -0,0 +1,31 @@
+*ip;test-ip4
+*inet;test-inet
+:input;type filter hook input priority 0
+
+!set_ipv4_add ipv4_addr;ok
+!set_inet inet_proto;ok
+!set_inet_serv inet_service;ok
+!set_time time;ok
+
+!set1 ipv4_addr;ok
+?set1 192.168.3.4;ok
+
+?set1 192.168.3.4;fail
+?set1 192.168.3.5 192.168.3.6;ok
+?set1 192.168.3.5 192.168.3.6;fail
+?set1 192.168.3.8 192.168.3.9;ok
+?set1 192.168.3.10 192.168.3.11;ok
+?set1 1234:1234:1234:1234:1234:1234:1234:1234;fail
+?set2 192.168.3.4;fail
+
+!set2 ipv4_addr;ok
+?set2 192.168.3.4;ok
+?set2 192.168.3.5 192.168.3.6;ok
+?set2 192.168.3.5 192.168.3.6;fail
+?set2 192.168.3.8 192.168.3.9;ok
+?set2 192.168.3.10 192.168.3.11;ok
+
+-ip saddr @set1 drop;ok
+-ip saddr @set2 drop;ok
+-ip saddr @set33 drop;fail
+-ip saddr @set21 drop;fail
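Review bot: The four `ip saddr @set... drop` rules at the end are all marked with "-" but nothing says why, so in a normal run the named sets created above are never referenced from a rule. Add a "# BUG:" comment with the error, as the other test files do, or unmark the lines. A short comment on `?set2 192.168.3.4;fail` would also help, since it only fails because it is placed before `!set2 ipv4_addr;ok`.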
diff --git a/tests/nft-test.py b/tests/nft-test.py
new file mode 100755
index 0000000..28799c1
--- /dev/null
+++ b/tests/nft-test.py
@@ -0,0 +1,842 @@
+#!/usr/bin/python
+#
+# (C) 2014 by Ana Rey Botello <anarey@gmail.com>
+#
+# Based on iptables-test.py:
+# (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>"
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+import sys
+import os
+import subprocess
+import argparse
+
+TESTS_PATH = os.getcwd()
+LOGFILE = "/tmp/nftables-test.log"
+log_file = None
+
+
+class Colors:
+ HEADER = '\033[95m'
+ GREEN = '\033[92m'
+ YELLOW = '\033[93m'
+ RED = '\033[91m'
+ ENDC = '\033[0m'
+
+
+def print_error(reason, filename=None, lineno=None):
+ '''
+ Prints an error with nice colors, indicating file and line number.
+ '''
+ print (filename + ": " + Colors.RED + "ERROR" +
+ Colors.ENDC + ": line %d: %s" % (lineno + 1, reason))
+
+
+def print_warning(reason, filename=None, lineno=None):
+ '''
+ Prints a warning with nice colors, indicating file and line number.
+ '''
+ print (filename + ": " + Colors.YELLOW + "WARNING" + \
+ Colors.ENDC + ": line %d: %s" % (lineno + 1, reason))
+
+
+def exist_table(table, filename, lineno):
+ '''
+ Exists a table.
+ '''
+ cmd = "nft list -n table " + table[0] + " " + table[1]
+ ret = execute_cmd(cmd, filename, lineno)
+
+ return True if (ret != 1) else False
+
+
+def flush_table(table, filename, lineno):
+ '''
+ Flush a table.
+ '''
+ cmd = "nft flush table " + str(table[0]) + " " + str(table[1])
+ ret = execute_cmd(cmd, filename, lineno)
+
+ return cmd
+
+
+def create_table(table, table_list, filename, lineno):
+ '''
+ Adds a table.
+ '''
+ ## We check if table exists.
+ if exist_table(table, filename, lineno):
+ reason = "Reason: Table " + table[1] + " exists: " + \
+ Colors.RED + "The test execution stops here." + Colors.ENDC
+ print_error(reason, filename, lineno)
+ return -1
+
+ ## We add a new table
+ cmd = "nft add table " + table[0] + " " + table[1]
+ ret = execute_cmd(cmd, filename, lineno)
+
+ if ret != 0:
+ reason = cmd + "Reason: Cannot add the table '" + table[1] + "'. " + \
+ Colors.RED + "The test execution stops here." + Colors.ENDC
+ print_error(reason, filename, lineno)
+ return -1
+
+ ## We check if table was added correctly.
+ if not exist_table(table, filename, lineno):
+ reason = "You have just added the table " + table[1] + \
+ " but It does not exist." + \
+ Colors.RED + "The test execution stops here." + Colors.ENDC
+ print_error(reason, filename, lineno)
+ return -1
+
+ table_list.append(table)
+
+ return 0
+
+
+def delete_table(table, filename, lineno):
+ '''
+ Deletes a table.
+ '''
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ if not exist_table(table, filename, lineno):
+ reason = "Table " + table[1] + "does not exist." + \
+ Colors.RED + " The test execution stops here." + Colors.ENDC
+ return -1
+
+ cmd = "nft delete table" + table_info
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret == 1:
+ reason = cmd + ": " \
+ "Cannot delete table '" + table[1] + "'. " + \
+ print_error(reason, filename, lineno)
+ return -1
+
+ if exist_table(table, filename, lineno):
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + \
+ "Reason: You have just deleted the table " + table[1] + \
+ " but the table exists." \
+ + Colors.RED + "Can not delete the table" \
+ + "The test execution stops here." + Colors.ENDC
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def chain_exist(chain, table, filename, lineno):
+ '''
+ Checks a chain
+ '''
+
+ table_info = " " + table[0] + " " + table[1] + " "
+ cmd = "nft list -n chain" + table_info + chain
+ ret = execute_cmd(cmd, filename, lineno)
+
+ return True if (ret != 1) else False
+
+
+def create_chain(chain, f_chain, chain_list, table, filename, lineno):
+ '''
+ Adds a chain
+ '''
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ if chain_exist(chain, table, filename, lineno):
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + \
+ "Reason: This chain '" + chain + "' exits in " + table[1] + "." + \
+ "You cannot create two chains with same name."
+ print_error(reason, filename, lineno)
+ return -1
+
+ if f_chain:
+ cmd = "nft add chain" + table_info + chain + "\{ " + f_chain + "\; \}"
+ else:
+ cmd = "nft add chain" + table_info + chain
+
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret == 1:
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + cmd + ": " \
+ "Reason: cannot create this chain"
+ print_error(reason, filename, lineno)
+ return -1
+
+ if not chain_exist(chain, table, filename, lineno):
+ info = "Reason: This chain '" + chain + "' does not exits in " + \
+ table[1] + ". There was a problem. Can not add the chain"
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + info
+ print_error(reason, filename, lineno)
+ return -1
+
+ if not chain in chain_list:
+ chain_list.append(chain)
+
+ return 0
+
+
+def delete_chain(chain, table, filename, lineno):
+ '''
+ Deletes (and flushes) a chain.
+ '''
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ if not chain_exist(chain, table, filename, lineno):
+ info = "This chain " + chain + " not exits in " + table[1] + ". " +\
+ "It can not delete it."
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + info + Colors.RED + \
+ Colors.ENDC
+ print_error(reason, filename, lineno)
+ return -1
+
+ cmd = "nft flush chain" + table_info + chain
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret == 1:
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + cmd + ": " \
+ "Reason: Cannot flush this chain."
+ print_error(reason, filename, lineno)
+ return -1
+
+ cmd = "nft delete chain" + table_info + chain
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret != 0:
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + cmd + ": " \
+ "Reason: cannot delete this chain."
+ print_error(reason, filename, lineno)
+ return -1
+
+ if chain_exist(chain, table, filename, lineno):
+ err_info = "Reason: This chain " + chain + " exits in " + table[1] + \
+ ". There was problem. Can not delete the chain"
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + err_info
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def add_set(set_info, table_list, filename, lineno):
+ '''
+ Adds a set
+ '''
+ if not table_list:
+ reason = "Missing table to add rule"
+ print_error(reason, filename, lineno)
+ return -1
+
+ for table in table_list:
+ if exist_set(set_info[0], table, filename, lineno):
+ reason = "This set " + set_info + " exists in " + table[1] + \
+ ". You cannot add it"
+ print_error(reason, filename, lineno)
+ return -1
+
+ table_info = " " + table[0] + " " + table[1] + " "
+ set_text = " " + set_info[0] + " { type " + set_info[1] + " \;}"
+ cmd = "nft add set" + table_info + set_text
+ ret = execute_cmd(cmd, filename, lineno)
+
+ if (ret == 0 and set_info[2].rstrip() == "fail") or \
+ (ret != 0 and set_info[2].rstrip() == "ok"):
+ reason = cmd + ": " + "Can not add this set."
+ print_error(reason, filename, lineno)
+ return -1
+
+ if not exist_set(set_info[0], table, filename, lineno):
+ reason = "You have just add this set " + set_info[0] + \
+ " but it does not exist in " + table[1]
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def add_elements_set(element_set, set_name, set_set, state, table_list,
+ filename, lineno):
+ '''
+ Adds elements in a set
+ '''
+ if not table_list:
+ reason = "ERROR: " + "Missing table to add rule"
+ print_error(reason, filename, lineno)
+ return -1
+
+ # TODO Check if a element was added correctly into the set.
+ for t in table_list:
+ # Check if set exists.
+ if (not exist_set(set_name, t, filename, lineno) or
+ not set_name in set_set) and state == "ok":
+ reason = "ERROR: " + "You can not add a element. The set " + \
+ set_name + " does not exists."
+ print_error(reason, filename, lineno)
+ return -1
+
+ table_info = " " + t[0] + " " + t[1] + " "
+
+ # Add element-elements in the set.
+ element = ""
+ for e in element_set:
+ if not element:
+ element = e
+ else:
+ element = element + ", " + e
+
+ set_text = set_name + " { " + element + " }"
+ cmd = "nft add element -n" + table_info + set_text
+ ret = execute_cmd(cmd, filename, lineno)
+
+ if (state == "fail" and ret == 0) or (state == "ok" and ret == 1):
+ test_state = "This rule should have failed."
+ reason = cmd + ": " + test_state
+ print_error(reason, filename, lineno)
+ return -1
+
+ # Add element into a dic_set.
+ if (ret == 0 and state == "ok"):
+ for e in element_set:
+ set_set[set_name].add(e)
+
+ return 0
+
+
+def delete_elements_set(element_set, set_name, table, filename, lineno):
+ '''
+ Deletes elements in a set
+ '''
+
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ for element in element_set:
+ set_text = set_name + " {" + element + "}"
+ cmd = "nft delete element -n" + table_info + set_text
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret != 0:
+ reason = "ERROR:" + "Can not delete a element" + element + \
+ " in the set '" + set_name
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def delete_set(dic_set, table, filename, lineno):
+ '''
+ Deletes elememts of the set and deletes the set.
+ '''
+ for set_name in dic_set.keys():
+ # Check if exists the set
+ if not exist_set(set_name, table, filename, lineno):
+ reason = "ERROR:" + "The set " + set_name + \
+ " is not exits. It can not delete it"
+ print_error(reason, filename, lineno)
+ return -1
+
+ # We delete all elements in the set
+ delete_elements_set(dic_set[set_name], set_name, table, filename,
+ lineno)
+
+ # We delete the set.
+ table_info = " " + table[0] + " " + table[1] + " "
+ cmd = "nft delete set" + table_info + " " + set_name
+ ret = execute_cmd(cmd, filename, lineno)
+
+ # Check if exits the set after I deleted it.
+ if ret != 0 or exist_set(set_name, table, filename, lineno):
+ reason = "ERROR:" + "Error to remove the set'" + set_name
+ print_error(reason, filename, lineno)
+ return -1
+ return 0
+
+
+def exist_set(set_name, table, filename, lineno):
+ '''
+ Exits a set
+ '''
+ table_info = " " + table[0] + " " + table[1] + " "
+ cmd = "nft list -n set" + table_info + set_name
+ ret = execute_cmd(cmd, filename, lineno)
+
+ return True if (ret == 0) else False
+
+
+def set_check(rule1, rule2):
+ '''
+ Check element in anonymous sets.
+ '''
+ ret = -1
+ pos1 = rule1.find("{")
+ pos2 = rule2.find("{")
+ end1 = rule1.find("}")
+ end2 = rule2.find("}")
+
+ if ((pos1 != -1) and (pos2 != -1) and (end1 != -1) and (end2 != -1)):
+ list1 = (rule1[pos1 + 1:end1].replace(" ", "")).split(",")
+ list2 = (rule2[pos2 + 1:end2].replace(" ", "")).split(",")
+ list1.sort()
+ list2.sort()
+ if (cmp(list1, list2) == 0):
+ ret = 0
+ return ret
+
+
+def print_differences(table, rule1, rule2, cmd, lineno):
+ print Colors.YELLOW + "[WARNING] " + Colors.ENDC + \
+ "[" + table + "] line " + str(lineno + 1) + ": '" + rule1 + \
+ "' mismatches '" + rule2 + "'"
+
+
+def add_rule_op(rule, table_list, chain_list, filename, lineno, run_all):
+ '''
+ Adds a rule
+ '''
+ # TODO Check if a rule was added correctly.
+ # We need a get_handler_rule(rule)
+ ret = warning = error = unit_tests = 0
+
+ if not table_list or not chain_list:
+ reason = "ERROR: Missing table or chain to add rule"
+ print_error(reason, filename, lineno)
+ return [-1, warning, error, unit_tests]
+
+ for t in table_list:
+ for c in chain_list:
+ if len(rule) == 1:
+ reason = "Skipping malformed test. (" + str(rule[0].rstrip('\n')) + ")"
+ print_warning(reason, filename, lineno)
+ continue
+
+ unit_tests += 1
+ flush_table(t, filename, lineno)
+ table_info = " " + t[0] + " " + t[1] + " "
+ cmd = "nft add rule -n" + table_info + c + " " + rule[0]
+
+ ret = execute_cmd(cmd, filename, lineno)
+
+ state = rule[1].rstrip()
+ if (ret == 0 and state == "fail") or (ret != 0 and state == "ok"):
+ if state == "fail":
+ test_state = "This rule should have failed."
+ else:
+ test_state = "This rule should not have failed."
+ reason = "[" + t[0] + "] " + cmd + ": " + test_state
+ print_error(reason, filename, lineno)
+ ret = -1
+ error += 1
+ if not run_all:
+ return [ret, warning, error, unit_tests]
+
+ if (state == "fail" and ret != 0):
+ ret = 0
+ continue
+
+ if ret == 0:
+ # Check output of nft
+ num_word = len(rule[0])
+ process = subprocess.Popen(['nft', '-n', 'list', 'table'] + t,
+ shell=False, stdout=subprocess.PIPE)
+ pre_output = process.communicate()
+ output = pre_output[0].split(";")
+ if len(output) < 2:
+ reason = cmd + ": " + "This rule braeks the list of rule in this tables"
+ print_error(reason, filename, lineno)
+ ret = -1
+ error += 1
+ if not run_all:
+ return [ret, warning, error, unit_tests]
+ else:
+ rule_exit = output[1]
+ rule_exit = rule_exit.replace("\t", "").replace("\n", "")
+ rule_exit = rule_exit.strip()
+ rule_exit = rule_exit[:-2] # It Deletes two last braces.
+ if (len(rule) == 3):
+ teoric_exit = rule[2]
+ else:
+ teoric_exit = rule[0]
+ if (rule_exit.rstrip() != teoric_exit.rstrip()):
+ if (rule[0].find("{") != -1):
+ if (set_check(teoric_exit, rule_exit) != 0):
+ warning += 1
+ print_differences(t[0], rule[0], rule_exit, cmd,
+ lineno)
+ if not run_all:
+ return [ret, warning, error, unit_tests]
+ else:
+ warning += 1
+ print_differences(t[0], rule[0], rule_exit, cmd,
+ lineno)
+ if not run_all:
+ return [ret, warning, error, unit_tests]
+
+ return [ret, warning, error, unit_tests]
+
+
+def insert_rule(rule, position, table_list, chain_list, filename, lineno):
+ '''
+ Inserts a rule
+ '''
+
+ # TODO Check if a rule was added correctly.
+ # We need a get_handler_rule(rule)
+ if not table_list or not chain_list:
+ reason = "ERROR: Missing table or chain to add rule"
+ print_error(reason, filename, lineno)
+ return -1
+
+ if position:
+ position_info = " position " + position
+ else:
+ position_info = ""
+
+ ret = 0
+ for t in table_list:
+ for c in chain_list:
+ table_info = " " + t[0] + " " + t[1] + " "
+ cmd = "nft insert rule" + table_info + c + position_info + " " +\
+ rule[0]
+ ret = execute_cmd(cmd, filename, lineno)
+
+ if (ret == 0 and rule[1].rstrip() == "fail") or \
+ (ret != 0 and rule[1].rstrip() == "ok"):
+ if rule[1].rstrip() == "fail":
+ test_state = "This rule should have failed."
+ else:
+ test_state = "This rule should not have failed."
+ reason = cmd + ": " + test_state
+ print_error(reason, filename, lineno)
+ ret = -1
+
+ return ret
+
+
+def delete_rule(chain, table, filename, lineno):
+ '''
+ Deletes rules.
+ '''
+ # TODO Check if a rule was deleted correctly.
+ # We need a get_handler_rule(rule)
+
+ table_info = " " + table[0] + " " + table[1] + " "
+
+ cmd = "nft delete rule" + table_info + chain[0]
+ ret = execute_cmd(cmd, filename, lineno)
+ if (ret == 0 and chain[1].rstrip() == "fail") or \
+ (ret != 0 and chain[1].rstrip() == "ok"):
+ reason = "cannot delete rule in a chain: " + cmd
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
+def execute_cmd(cmd, filename, lineno):
+ '''
+ Executes a command, checking for segfaults and returning the command exit
+ code.
+
+ :param cmd: string with the command to be executed
+ :param filename: name of the file tested (used for print_error purposes)
+ :param lineno: line number being tested (used for print_error purposes)
+ '''
+ global log_file
+ print >> log_file, "command: %s" % cmd
+ if debug_option:
+ print cmd
+ ret = subprocess.call(cmd, shell=True, universal_newlines=True,
+ stderr=subprocess.STDOUT, stdout=log_file)
+ log_file.flush()
+
+ if ret == -11:
+ reason = "command segfaults: " + cmd
+ print_error(reason, filename, lineno)
+
+ return ret
+
+
+def print_result(tests, passed, warning):
+ return str(tests) + " unit tests, " + \
+ str(tests - passed - warning) + " error, " + \
+ str(warning) + " warning"
+
+
+def print_result_all(tests, passed, warning, error, unit_tests):
+ return str(tests) + " unit tests, " +\
+ str(unit_tests) + " total test executed, " + \
+ str(error) + " error, " + \
+ str(warning) + " warning"
+
+
+def run_test_file(filename, run_all):
+ '''
+ Runs a test file
+
+ :param filename: name of the file with the test rules
+ '''
+ #
+ # if this is not a test file, skip.
+ #
+ if not filename.endswith(".t"):
+ return [0, 0, 0, 0, 0]
+
+ f = open(filename)
+
+ tests = passed = total_unit_run = total_warning = total_error = 0
+ table = ""
+ total_test_passed = True
+ table_list = []
+ chain_list = []
+ dic_set = dict()
+
+ for lineno, line in enumerate(f):
+ if line.isspace():
+ continue
+
+ if line[0] == "#":
+ continue
+
+ # Table
+ if line[0] == '*':
+ table = []
+ t = line.rstrip()[1:]
+ if ";" in t:
+ table = t.split(";")
+ else:
+ table.append("ip")
+ table.append(t)
+
+ if create_table(table, table_list, filename, lineno) != 0:
+ total_test_passed = False
+ break
+ continue
+
+ # Chain
+ if line[0] == ":":
+ chain_array = line.rstrip()[1:].split(",")
+ for t in table_list:
+ for chain in chain_array:
+ f_chain = ""
+ if ";" in chain:
+ cc = chain.split(";")
+ chain = cc[0]
+ f_chain = cc[1]
+ ret = create_chain(chain, f_chain, chain_list, t, filename,
+ lineno)
+ if ret != 0:
+ total_test_passed = False
+ break
+ continue
+
+ if line[0] == "!": # Adds this set
+ set_t = []
+ set_info = line.rstrip()[0:].split(" ")
+ set_t.append("".join(set_info[0].rstrip()[1:]))
+ set_name = set_info[1].split(";") # rule[1] Ok or FAIL
+ set_t.append(set_name[0])
+ set_t.append(set_name[1])
+ ret = add_set(set_t, table_list, filename, lineno)
+ tests += 1
+ if ret == -1:
+ total_test_passed = False
+ continue
+ passed += 1
+ # adds a empty set in dic_set with the key 'set_name'
+ dic_set[set_t[0]] = set()
+ continue
+
+ if line[0] == "?": # Adds elements in a set
+ set_t = []
+ l_info = line.rstrip()[0:].split(";")
+ info_estado = l_info[1]
+ ii = l_info[0].split(" ")
+ set_name = ii[0].rstrip()[1:]
+ # Delete the name
+ ii.remove(ii[0])
+ ret = add_elements_set(ii, set_name, dic_set, info_estado,
+ table_list, filename, lineno)
+ tests += 1
+ if ret == -1:
+ total_test_passed = False
+ continue
+
+ passed += 1
+ continue
+
+ # Rule
+ rule = line.split(';') # rule[1] Ok or FAIL
+ if line[0] == "-": # Run Marked-line
+ if run_option:
+ rule[0] = rule[0].rstrip()[1:]
+ result = add_rule_op(rule, table_list, chain_list, filename,
+ lineno, run_all)
+ tests += 1
+ warning = result[1]
+ ret = result[0]
+ total_warning += warning
+ total_error += result[2]
+ total_unit_run += result[3]
+
+ if ret != 0:
+ total_test_passed = False
+ elif warning == 0:
+ passed += 1
+ continue
+ else:
+ continue
+ if run_option:
+ continue
+
+ result = add_rule_op(rule, table_list, chain_list, filename,
+ lineno, run_all)
+ tests += 1
+ ret = result[0]
+ warning = result[1]
+ total_warning += warning
+ total_error += result[2]
+ total_unit_run += result[3]
+
+ if ret != 0:
+ total_test_passed = False
+ continue
+
+ if warning == 0: # All ok.
+ passed += 1
+
+ # Delete rules, sets, chains and tables
+ for t in table_list:
+ # We delete chains
+ for c in chain_list:
+ ret = delete_chain(c, t, filename, lineno)
+ if ret != 0:
+ total_test_passed = False
+
+ # We delete sets.
+ if dic_set:
+ ret = delete_set(dic_set, t, filename, lineno)
+ if ret != 0:
+ total_test_passed = False
+ info = "There is a problem when we delete a set"
+ reason = Colors.RED + "FAIL: " + Colors.ENDC + info + \
+ Colors.RED + Colors.ENDC
+
+ print_error(reason, filename, lineno)
+
+ # We delete tables.
+ ret = delete_table(t, filename, lineno)
+
+ if ret != 0:
+ total_test_passed = False
+
+ if run_all:
+ if not total_test_passed:
+ print filename + ": " + Colors.RED + "ERROR: " + Colors.ENDC + \
+ print_result_all(tests, passed, total_warning, total_error,
+ total_unit_run)
+ elif total_warning > 0:
+ print filename + ": " + Colors.YELLOW + "WARNING IN THE OUTPUT: " \
+ + Colors.ENDC + print_result_all(tests, passed, total_warning,
+ total_error, total_unit_run)
+ else:
+ print filename + ": " + Colors.GREEN + "OK" + Colors.ENDC
+ else:
+ if not total_test_passed:
+ print filename + ": " + Colors.RED + "ERROR: " + Colors.ENDC + \
+ print_result(tests, passed, total_warning)
+ elif total_warning > 0:
+ print filename + ": " + Colors.YELLOW + "WARNING IN THE OUTPUT: " \
+ + Colors.ENDC + print_result(tests, passed, total_warning)
+ else:
+ print filename + ": " + Colors.GREEN + "OK" + Colors.ENDC
+ f.close()
+ return [tests, passed, total_warning, total_error, total_unit_run]
+
+
+#
+# main
+#
+def main():
+ parser = argparse.ArgumentParser(description='Run nft tests',
+ version='1.0')
+
+ parser.add_argument('filename', nargs='?',
+ metavar='path/to/file.t',
+ help='Run only this test')
+
+ parser.add_argument('-d', '--debug', action='store_true',
+ dest='debug',
+ help='Debug mode: list all commands that are run')
+
+ parser.add_argument('-r', '--run-marked-lines', action='store_true',
+ dest='run_lines',
+ help='Run marked-lines in test files')
+
+ parser.add_argument('-a', '--run_all', action='store_true',
+ dest='run_all',
+ help='Run rules in all families of tables indicated.')
+
+ args = parser.parse_args()
+ global debug_option, run_option
+ debug_option = args.debug
+ run_option = args.run_lines
+ run_all = args.run_all
+
+ #
+ # show list of missing test files
+ #
+ if os.getuid() != 0:
+ print "You need to be root to run this, sorry"
+ return
+
+ test_files = files_ok = run_total = 0
+ tests = passed = warnings = errors = 0
+ # setup global var log file
+ global log_file
+ try:
+ log_file = open(LOGFILE, 'w')
+ except IOError:
+ print "Couldn't open log file %s" % LOGFILE
+ return
+
+ file_list = []
+ if args.filename:
+ file_list = [args.filename]
+ else:
+ for root, dirs, files in os.walk(TESTS_PATH):
+ for f in files:
+ if f.endswith(".t"):
+ file_list.append(os.path.join(root, f))
+ for filename in file_list:
+ result = run_test_file(filename, run_all)
+ file_tests = result[0]
+ file_passed = result[1]
+ file_warnings = result[2]
+ file_errors = result[3]
+ file_unit_run = result[4]
+
+ if file_warnings == 0 and file_tests == file_passed:
+ files_ok += 1
+ if file_tests:
+ tests += file_tests
+ passed += file_passed
+ errors += file_errors
+ warnings += file_warnings
+ test_files += 1
+ if run_all:
+ run_total += file_unit_run
+
+ if test_files == 0:
+ print Colors.YELLOW + "WARNING: There are not any tests to run" + \
+ Colors.ENDC
+ else:
+ if run_all:
+ print ("%d test files, %d files passed, %d unit tests, %d total executed, %d error, %d warning" %
+ (test_files, files_ok, tests, run_total, errors, warnings))
+ else:
+ print ("%d test files, %d files passed, %d unit tests, %d error, %d warning" %
+ (test_files, files_ok, tests, tests - passed - warnings,
+ warnings))
+
+if __name__ == '__main__':
+ main()
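Review bot: execute_cmd() builds the command as one string from the .t file contents and runs it with subprocess.call(cmd, shell=True, ...), while main() insists on uid 0, so every test line is parsed by a root shell before nft sees it. Characters such as `$`, backticks, `|`, `&`, `*` or `?` in a rule are then expanded or executed by the shell instead of being tested against the nft parser. Please pass an argument list with shell=False, as add_rule_op() already does for `['nft', '-n', 'list', 'table'] + t`. This also affects the segfault check: with a shell in between, a crash of nft can come back as the shell's exit status 139 rather than -11, so `if ret == -11` may never fire; without the shell, subprocess returns the negative signal number directly.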
--
2.0.0
* [PATCH 2/6] [nft] tests: Add ip6 folder with test files.
2014-07-31 9:08 [PATCH 0/6] tests: Automated regression testing Ana Rey
2014-07-31 9:08 ` [PATCH 1/6] [nft] tests: Add " Ana Rey
@ 2014-07-31 9:08 ` Ana Rey
2014-07-31 9:08 ` [PATCH 3/6] [nft] tests: Add inet " Ana Rey
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Ana Rey @ 2014-07-31 9:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
The "ip6" folder contains the test files that are executed in the ip6 and
inet families of tables.
These test files are executed with nft-tests.py.
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/ip6/chains.t | 16 ++++++
tests/ip6/dst.t | 25 ++++++++++
tests/ip6/hbh.t | 17 +++++++
tests/ip6/icmpv6.t | 115 +++++++++++++++++++++++++++++++++++++++++++
tests/ip6/ip6.t | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++
tests/ip6/mh.t | 50 +++++++++++++++++++
tests/ip6/nat.t | 8 +++
tests/ip6/reject.t | 5 ++
tests/ip6/rt.t | 50 +++++++++++++++++++
tests/ip6/sets.t | 27 ++++++++++
tests/ip6/vmap.t | 54 ++++++++++++++++++++
11 files changed, 508 insertions(+)
create mode 100644 tests/ip6/chains.t
create mode 100644 tests/ip6/dst.t
create mode 100644 tests/ip6/hbh.t
create mode 100644 tests/ip6/icmpv6.t
create mode 100644 tests/ip6/ip6.t
create mode 100644 tests/ip6/mh.t
create mode 100644 tests/ip6/nat.t
create mode 100644 tests/ip6/reject.t
create mode 100644 tests/ip6/rt.t
create mode 100644 tests/ip6/sets.t
create mode 100644 tests/ip6/vmap.t
diff --git a/tests/ip6/chains.t b/tests/ip6/chains.t
new file mode 100644
index 0000000..36c33af
--- /dev/null
+++ b/tests/ip6/chains.t
@@ -0,0 +1,16 @@
+*ip6;test-ip6
+-*inet;test-inet
+
+# filter chains available are: input, output, forward, forward, prerouting and postrouting.
+:filter-input;type filter hook input priority 0
+:filter-prer;type filter hook prerouting priority 0
+:filter-forw-t;type filter hook forward priority 0
+:filter-out-t;type filter hook output priority 0
+:filter-post-t;type filter hook postrouting priority 0
+# nat chains available are: input, output, forward, prerouting and postrouting.
+:nat-input;type nat hook input priority 0
+:nat-prerouting;type nat hook prerouting priority 0
+:nat-output;type nat hook output priority 0
+:nat-postrou;type nat hook postrouting priority 0
+# route chain available is output.
+:route-out;type route hook output priority 0
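Review bot: `-*inet;test-inet` on the second line is not handled as a disabled table by run_test_file() from patch 1/6. The table branch only matches `line[0] == '*'`, so a line starting with `-` falls through to the rule branch, and with -r it is handed to add_rule_op() as the rule `*inet` before any chain exists, which reports "Missing table or chain to add rule". Either teach the parser about disabled table lines or comment the line out with `#`. Smaller points: the first comment lists "forward" twice, the nat comment mentions a forward hook that has no chain below, and the chain names mix styles (`filter-input`, `filter-prer`, `filter-forw-t`).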
diff --git a/tests/ip6/dst.t b/tests/ip6/dst.t
new file mode 100644
index 0000000..71e71e3
--- /dev/null
+++ b/tests/ip6/dst.t
@@ -0,0 +1,25 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+dst nexthdr 22;ok;dst nexthdr xns-idp
+dst nexthdr != 233;ok
+dst nexthdr 33-45;ok;dst nexthdr >= dccp dst nexthdr <= idrp
+dst nexthdr != 33-45;ok;dst nexthdr < dccp dst nexthdr > idrp
+dst nexthdr { 33, 55, 67, 88};ok;dst nexthdr { 67, dccp, eigrp, 55}
+- dst nexthdr != { 33, 55, 67, 88};ok
+dst nexthdr { 33-55};ok;dst nexthdr { dccp-55}
+- dst nexthdr != { 33-55};ok
+dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+-dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+-dst nexthdr icmp;ok
+dst nexthdr != icmp;ok
+
+dst hdrlength 22;ok
+dst hdrlength != 233;ok
+dst hdrlength 33-45;ok;dst hdrlength >= 33 dst hdrlength <= 45
+dst hdrlength != 33-45;ok;dst hdrlength < 33 dst hdrlength > 45
+dst hdrlength { 33, 55, 67, 88};ok
+-dst hdrlength != { 33, 55, 67, 88};ok
+dst hdrlength { 33-55};ok
+-dst hdrlength != { 33-55};ok
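Review bot: `-dst nexthdr icmp;ok` is disabled without a comment saying what fails, while the matching `mh nexthdr icmp;ok` and `rt nexthdr icmp;ok` lines in mh.t and rt.t are enabled and `dst nexthdr != icmp;ok` runs right below it. Please add a one-line comment with the observed error, as icmpv6.t does for its disabled lines, or enable the test. The disabled markers are also written two ways here (`- dst ...` and `-dst ...`); since the script only strips the first character, picking one form keeps the generated command consistent.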
diff --git a/tests/ip6/hbh.t b/tests/ip6/hbh.t
new file mode 100644
index 0000000..ea4ac9c
--- /dev/null
+++ b/tests/ip6/hbh.t
@@ -0,0 +1,17 @@
+*ip6;test-ip6
+*inet;test-inet
+:filter-input;type filter hook input priority 0
+
+hbh hdrlength 22;ok
+hbh hdrlength != 233;ok
+hbh hdrlength 33-45;ok;hbh hdrlength >= 33 hbh hdrlength <= 45
+hbh hdrlength != 33-45;ok;hbh hdrlength < 33 hbh hdrlength > 45
+hbh hdrlength {33, 55, 67, 88};ok
+-hbh hdrlength != {33, 55, 67, 88};ok
+hbh hdrlength { 33-55};ok
+-hbh hdrlength != {33-55};ok
+
+hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
+-hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
+hbh nexthdr ip;ok
+hbh nexthdr != ip;ok
diff --git a/tests/ip6/icmpv6.t b/tests/ip6/icmpv6.t
new file mode 100644
index 0000000..a15fb8f
--- /dev/null
+++ b/tests/ip6/icmpv6.t
@@ -0,0 +1,115 @@
+*ip6;test-ip4
+# There is a bug with icmpv6 and inet tables
+-*inet;test-inet
+
+:input;type filter hook input priority 0
+
+icmpv6 type destination-unreachable accept;ok
+icmpv6 type packet-too-big accept;ok
+icmpv6 type time-exceeded accept;ok
+icmpv6 type echo-request accept;ok
+icmpv6 type echo-reply accept;ok
+icmpv6 type mld-listener-query accept;ok
+icmpv6 type mld-listener-report accept;ok
+icmpv6 type mld-listener-reduction accept;ok
+icmpv6 type nd-router-solicit accept;ok
+icmpv6 type nd-router-advert accept;ok
+icmpv6 type nd-neighbor-solicit accept;ok
+icmpv6 type nd-neighbor-advert accept;ok
+icmpv6 type nd-redirect accept;ok
+icmpv6 type router-renumbering accept;ok
+
+icmpv6 type {destination-unreachable, time-exceeded, nd-router-solicit} accept;ok
+icmpv6 type {router-renumbering, mld-listener-reduction, time-exceeded, nd-router-solicit} accept;ok
+icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
+
+-# icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmpv6 code 4;ok
+icmpv6 code 3-66;ok;icmpv6 code >= 3 icmpv6 code <= 66
+icmpv6 code {5, 6, 7} accept;ok
+- icmpv6 code != {3, 66, 34};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+icmpv6 code { 3-66};ok
+- icmpv6 code != { 3-44};ok
+
+icmpv6 checksum 2222 log;ok
+icmpv6 checksum != 2222 log;ok
+icmpv6 checksum 222-226;ok;icmpv6 checksum >= 222 icmpv6 checksum <= 226
+icmpv6 checksum != 2222 log;ok
+icmpv6 checksum { 222, 226};ok
+- icmpv6 checksum != { 222, 226};ok
+icmpv6 checksum { 222-226};ok
+- icmpv6 checksum != { 222-226};ok
+
+# icmpv6 parameter-problem, pptr, mtu, packet-too-big
+# [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
+# [ICMP6HDR_MTU] = ICMP6HDR_FIELD("packet-too-big", icmp6_mtu),
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem 35
+# <cmdline>:1:53-53: Error: syntax error, unexpected end of file
+# add rule ip6 test6 input icmpv6 parameter-problem 35
+# ^
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem
+# <cmdline>:1:26-31: Error: Value 58 exceeds valid range 0-0
+# add rule ip6 test6 input icmpv6 parameter-problem
+# ^^^^^^
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem 2-4
+# <cmdline>:1:54-54: Error: syntax error, unexpected end of file
+# add rule ip6 test6 input icmpv6 parameter-problem 2-4
+
+#packet-too-big
+#$ sudo nft add rule ip6 test6 input icmpv6 packet-too-big 34
+#<cmdline>:1:50-50: Error: syntax error, unexpected end of file
+#add rule ip6 test6 input icmpv6 packet-too-big 34
+
+icmpv6 mtu 22;ok
+icmpv6 mtu != 233;ok
+icmpv6 mtu 33-45;ok
+icmpv6 mtu != 33-45;ok
+# bug to list icmpv6 parameter-problem { 738197504, 1142226944 }
+icmpv6 mtu {33, 55, 67, 88};ok
+-icmpv6 mtu != {33, 55, 67, 88};ok
+icmpv6 mtu {33-55};ok
+-icmpv6 mtu != {33-55};ok
+
+##- id
+icmpv6 id 2;ok
+# $ sudo nft list table ip6 test6
+#table ip6 test6 {
+# chain input {
+# payload @th,32,16 0x2 [invalid type]
+# }
+#}
+
+icmpv6 sequence 2;ok
+icmpv6 sequence {3, 4, 5, 6, 7} accept;ok
+
+# icmpv6 sequence 2-4;ok
+# BUG: invalid byte order conversion 0 => 2
+# nft: src/evaluate.c:153: byteorder_conversion_op: Assertion '0' failed.
+
+icmpv6 sequence {2, 4};ok
+-icmpv6 sequence != {2, 4};ok
+icmpv6 sequence 2-4;ok
+icmpv6 sequence != 2-4;ok
+icmpv6 sequence { 2-4};ok
+- icmpv6 sequence != {2-4};ok
+
+# BUG max-delay payload @th,32,16 0x21 [invalid type]
+# $ sudo nft add rule ip6 test6 input icmpv6 max-delay 33
+# $ sudo nft list table ip6 test6
+# table ip6 test6 {
+# chain input {
+# payload @th,32,16 0x21 [invalid type]
+
+icmpv6 max-delay 22;ok
+icmpv6 max-delay != 233;ok
+icmpv6 max-delay 33-45;ok
+icmpv6 max-delay != 33-45;ok
+icmpv6 max-delay {33, 55, 67, 88};ok
+-icmpv6 max-delay != {33, 55, 67, 88};ok
+icmpv6 max-delay {33-55};ok
+-icmpv6 max-delay != {33-55};ok
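Review bot: the table on the first line is declared as `*ip6;test-ip4`, while every other file in tests/ip6 uses `test-ip6`, so this looks like a typo. Two more things in this file: `icmpv6 checksum != 2222 log;ok` appears twice, and the second copy sits where the other blocks test the negated range, so it was probably meant to be `icmpv6 checksum != 222-226;ok`. And `icmpv6 sequence 2-4;ok` is enabled a few lines after the comment recording that this exact rule hits the byteorder_conversion_op assertion; either the comment is stale or the line needs the `-` marker.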
diff --git a/tests/ip6/ip6.t b/tests/ip6/ip6.t
new file mode 100644
index 0000000..c905223
--- /dev/null
+++ b/tests/ip6/ip6.t
@@ -0,0 +1,141 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+# Problem with version, priority
+-ip6 version 6;ok
+-ip6 priority 3;ok
+
+# $ sudo nft add rule ip6 test6 input ip6 priority 33
+# <cmdline>:1:39-40: Error: Value 33 exceeds valid range 0-15
+# add rule ip6 test6 input ip6 priority 33
+# $ sudo nft add rule ip6 test6 input ip6 version 33
+# <cmdline>:1:38-39: Error: Value 33 exceeds valid range 0-15
+# add rule ip6 test6 input ip6 version 33
+# $ sudo nft add rule ip6 test6 input ip6 version 2
+# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
+# add rule ip6 test6 input ip6 version 2
+#^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ip6 flowlabel 22;ok
+ip6 flowlabel != 233;ok
+-ip6 flowlabel 33-45;ok
+-ip6 flowlabel != 33-45;ok
+ip6 flowlabel { 33, 55, 67, 88};ok
+# BUG ip6 flowlabel { 5046528, 2883584, 13522432 }
+-ip6 flowlabel != { 33, 55, 67, 88};ok
+ip6 flowlabel { 33-55};ok
+-ip6 flowlabel != { 33-55};ok
+
+ip6 length 2222;ok
+
+ip6 length 22;ok
+ip6 length != 233;ok
+ip6 length 33-45;ok;ip6 length >= 33 ip6 length <= 45
+ip6 length != 33-45;ok;ip6 length < 33 ip6 length > 45
+-ip6 length { 33, 55, 67, 88};ok
+# BUG to list: ip6 length { 11266, 5632, 8704 }
+-ip6 length != {33, 55, 67, 88};ok
+ip6 length { 33-55};ok
+-ip6 length != { 33-55};ok
+
+ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp} log;ok
+ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
+-ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
+ip6 nexthdr esp;ok
+ip6 nexthdr != esp;ok
+
+ip6 hoplimit 1 log;ok
+ip6 hoplimit != 233;ok
+ip6 hoplimit 33-45;ok;ip6 hoplimit >= 33 ip6 hoplimit <= 45
+ip6 hoplimit != 33-45;ok;ip6 hoplimit < 33 ip6 hoplimit > 45
+ip6 hoplimit {33, 55, 67, 88};ok
+-ip6 hoplimit != {33, 55, 67, 88};ok
+ip6 hoplimit {33-55};ok
+-ip6 hoplimit != {33-55};ok
+
+#from src/scanner.l
+#v680 (({hex4}:){7}{hex4})
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234;ok
+#v670 ((:)(:{hex4}{7}))
+ip6 saddr ::1234:1234:1234:1234:1234:1234:1234;ok
+#v671 ((({hex4}:){1})(:{hex4}{6}))
+ip6 saddr 1234::1234:1234:1234:1234:1234:1234;ok
+#v672 ((({hex4}:){2})(:{hex4}{5}))
+ip6 saddr 1234:1234::1234:1234:1234:1234:1234;ok
+#v673 ((({hex4}:){3})(:{hex4}{4}))
+ip6 saddr 1234:1234:1234::1234:1234:1234:1234;ok
+#v674 ((({hex4}:){4})(:{hex4}{3}))
+ip6 saddr 1234:1234:1234:1234::1234:1234:1234;ok
+#v675 ((({hex4}:){5})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234:1234:1234::1234:1234;ok
+#v676 ((({hex4}:){6})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234:1234:1234::1234;ok
+#v677 ((({hex4}:){7})(:))
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234::;ok
+#v67 ({v670}|{v671}|{v672}|{v673}|{v674}|{v675}|{v676}|{v677})
+#v660 ((:)(:{hex4}{6}))
+ip6 saddr ::1234:1234:1234:1234:1234:1234;ok
+#v661 ((({hex4}:){1})(:{hex4}{5}))
+ip6 saddr 1234::1234:1234:1234:1234:1234;ok
+#v662 ((({hex4}:){2})(:{hex4}{4}))
+ip6 saddr 1234:1234::1234:1234:1234:1234;ok
+#v663 ((({hex4}:){3})(:{hex4}{3}))
+ip6 saddr 1234:1234:1234::1234:1234:1234;ok
+#v664 ((({hex4}:){4})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234:1234::1234:1234;ok
+#v665 ((({hex4}:){5})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234:1234::1234;ok
+#v666 ((({hex4}:){6})(:))
+ip6 saddr 1234:1234:1234:1234:1234:1234::;ok
+#v66 ({v660}|{v661}|{v662}|{v663}|{v664}|{v665}|{v666})
+#v650 ((:)(:{hex4}{5}))
+ip6 saddr ::1234:1234:1234:1234:1234;ok
+#v651 ((({hex4}:){1})(:{hex4}{4}))
+ip6 saddr 1234::1234:1234:1234:1234;ok
+#v652 ((({hex4}:){2})(:{hex4}{3}))
+ip6 saddr 1234:1234::1234:1234:1234;ok
+#v653 ((({hex4}:){3})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234::1234:1234;ok
+#v654 ((({hex4}:){4})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234::1234;ok
+#v655 ((({hex4}:){5})(:))
+ip6 saddr 1234:1234:1234:1234:1234::;ok
+#v65 ({v650}|{v651}|{v652}|{v653}|{v654}|{v655})
+#v640 ((:)(:{hex4}{4}))
+ip6 saddr ::1234:1234:1234:1234;ok
+#v641 ((({hex4}:){1})(:{hex4}{3}))
+ip6 saddr 1234::1234:1234:1234;ok
+#v642 ((({hex4}:){2})(:{hex4}{2}))
+ip6 saddr 1234:1234::1234:1234;ok
+#v643 ((({hex4}:){3})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234::1234;ok
+#v644 ((({hex4}:){4})(:))
+ip6 saddr 1234:1234:1234:1234::;ok
+#v64 ({v640}|{v641}|{v642}|{v643}|{v644})
+#v630 ((:)(:{hex4}{3}))
+ip6 saddr ::1234:1234:1234;ok
+#v631 ((({hex4}:){1})(:{hex4}{2}))
+ip6 saddr 1234::1234:1234;ok
+#v632 ((({hex4}:){2})(:{hex4}{1}))
+ip6 saddr 1234:1234::1234;ok
+#v633 ((({hex4}:){3})(:))
+ip6 saddr 1234:1234:1234::;ok
+#v63 ({v630}|{v631}|{v632}|{v633})
+#v620 ((:)(:{hex4}{2}))
+ip6 saddr ::1234:1234;ok
+#v621 ((({hex4}:){1})(:{hex4}{1}))
+ip6 saddr 1234::1234;ok
+#v622 ((({hex4}:){2})(:))
+ip6 saddr 1234:1234::;ok
+#v62 ({v620}|{v621}|{v622})
+#v610 ((:)(:{hex4}{1}))
+ip6 saddr ::1234;ok
+#v611 ((({hex4}:){1})(:))
+ip6 saddr 1234::;ok
+#v61 ({v610}|{v611})
+#v60 (::)
+ip6 saddr ::/64;ok
+
+- ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 };ok
+ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234;ok
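Review bot: the transcripts under "Problem with version, priority" show nft rejecting `ip6 priority 33` and `ip6 version 33` with "exceeds valid range 0-15", but that behaviour is only recorded in comments. The format already supports negative tests, so these can be checked directly as `ip6 priority 33;fail` and `ip6 version 33;fail`, leaving only the two rules that really misbehave behind the `-` marker, with a comment that says what goes wrong for `version 6` and `priority 3`. Also, the `#v60 (::)` scanner case is exercised as `::/64` rather than a bare `::`; please say whether that is intentional.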
diff --git a/tests/ip6/mh.t b/tests/ip6/mh.t
new file mode 100644
index 0000000..1ad7ec4
--- /dev/null
+++ b/tests/ip6/mh.t
@@ -0,0 +1,50 @@
+*ip6;test-ip6
+*inet;test-inet
+
+:input;type filter hook input priority 0
+
+mh nexthdr 1;ok;mh nexthdr icmp
+mh nexthdr != 1;ok;mh nexthdr != icmp
+mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp };ok
+-mh nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+mh nexthdr icmp;ok
+mh nexthdr != icmp;ok
+mh nexthdr 22;ok;mh nexthdr xns-idp
+mh nexthdr != 233;ok
+mh nexthdr 33-45;ok;mh nexthdr >= dccp mh nexthdr <= idrp
+mh nexthdr != 33-45;ok;mh nexthdr < dccp mh nexthdr > idrp
+mh nexthdr { 33, 55, 67, 88 };ok;mh nexthdr { 67, dccp, eigrp, 55}
+- mh nexthdr != { 33, 55, 67, 88 };ok
+mh nexthdr { 33-55 };ok;mh nexthdr { dccp-55}
+- mh nexthdr != { 33-55 };ok
+
+mh hdrlength 22;ok
+mh hdrlength != 233;ok
+mh hdrlength 33-45;ok;mh hdrlength >= 33 mh hdrlength <= 45
+mh hdrlength != 33-45;ok;mh hdrlength < 33 mh hdrlength > 45
+mh hdrlength { 33, 55, 67, 88 };ok;mh hdrlength { 67, 33, 88, 55}
+-mh hdrlength != { 33, 55, 67, 88 };ok
+mh hdrlength { 33-55 };ok
+-mh hdrlength != { 33-55 };ok
+
+mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message};ok
+mh type home-agent-switch-message;ok
+mh type != home-agent-switch-message;ok
+
+mh reserved 22;ok
+mh reserved != 233;ok
+mh reserved 33-45;ok;mh reserved >= 33 mh reserved <= 45
+mh reserved != 33-45;ok;mh reserved < 33 mh reserved > 45
+mh reserved { 33, 55, 67, 88};ok
+-mh reserved != {33, 55, 67, 88};ok
+mh reserved { 33-55};ok
+-mh reserved != { 33-55};ok
+
+mh checksum 22;ok
+mh checksum != 233;ok
+mh checksum 33-45;ok;mh checksum >= 33 mh checksum <= 45
+mh checksum != 33-45;ok;mh checksum < 33 mh checksum > 45
+mh checksum { 33, 55, 67, 88};ok
+-mh checksum != { 33, 55, 67, 88};ok
+mh checksum { 33-55};ok
+-mh checksum != { 33-55};ok
diff --git a/tests/ip6/nat.t b/tests/ip6/nat.t
new file mode 100644
index 0000000..bd795de
--- /dev/null
+++ b/tests/ip6/nat.t
@@ -0,0 +1,8 @@
+*ip6;test-ip6
+-*inet;test-inet
+
+:input;type nat hook input priority 0
+
+# TODO
+tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:: :80-100;ok
+tcp dport 80-90 dnat 2001:838:35f:1::-2001:838:35f:2:: :100;ok
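Review bot: the bare `# TODO` above the two rules does not say what is still pending, so a later reader cannot tell whether the file is incomplete or the rules are known to be wrong; please spell it out. Both rules are dnat in a chain attached to the input hook. If that hook is what you intend to test for dnat, a short comment would help; otherwise a prerouting or output nat chain would be the more usual place for these rules.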
diff --git a/tests/ip6/reject.t b/tests/ip6/reject.t
new file mode 100644
index 0000000..b49c50b
--- /dev/null
+++ b/tests/ip6/reject.t
@@ -0,0 +1,5 @@
+*ip6;test-ip6
+*inet;test-inet
+:output;type filter hook output priority 0
+
+reject;ok
diff --git a/tests/ip6/rt.t b/tests/ip6/rt.t
new file mode 100644
index 0000000..5a076e4
--- /dev/null
+++ b/tests/ip6/rt.t
@@ -0,0 +1,50 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+rt nexthdr 1;ok;rt nexthdr icmp
+rt nexthdr != 1;ok;rt nexthdr != icmp
+
+rt nexthdr {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+-rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+
+rt nexthdr icmp;ok
+rt nexthdr != icmp;ok
+
+rt nexthdr 22;ok;rt nexthdr xns-idp
+rt nexthdr != 233;ok
+rt nexthdr 33-45;ok;rt nexthdr >= dccp rt nexthdr <= idrp
+rt nexthdr != 33-45;ok;rt nexthdr < dccp rt nexthdr > idrp
+rt nexthdr { 33, 55, 67, 88};ok;rt nexthdr { 67, dccp, eigrp, 55}
+- rt nexthdr != { 33, 55, 67, 88};ok
+rt nexthdr { 33-55};ok;rt nexthdr { dccp-55}
+- rt nexthdr != { 33-55};ok
+
+rt hdrlength 22;ok
+rt hdrlength != 233;ok
+rt hdrlength 33-45;ok;rt hdrlength >= 33 rt hdrlength <= 45
+rt hdrlength != 33-45;ok;rt hdrlength < 33 rt hdrlength > 45
+rt hdrlength { 33, 55, 67, 88};ok
+-rt hdrlength != { 33, 55, 67, 88};ok
+rt hdrlength { 33-55};ok
+-rt hdrlength != { 33-55};ok
+
+rt type 22;ok
+rt type != 233;ok
+rt type 33-45;ok;rt type >= 33 rt type <= 45
+rt type != 33-45;ok;rt type < 33 rt type > 45
+rt type { 33, 55, 67, 88};ok
+
+# BUG rt type and set
+-rt type != { 33, 55, 67, 88};ok
+rt type { 33-55};ok
+-rt type != { 33-55};ok
+
+rt seg-left 22;ok
+rt seg-left != 233;ok
+rt seg-left 33-45;ok;rt seg-left >= 33 rt seg-left <= 45
+rt seg-left != 33-45;ok;rt seg-left < 33 rt seg-left > 45
+rt seg-left { 33, 55, 67, 88};ok
+-rt seg-left != { 33, 55, 67, 88};ok
+rt seg-left { 33-55};ok
+-rt seg-left != { 33-55};ok
diff --git a/tests/ip6/sets.t b/tests/ip6/sets.t
new file mode 100644
index 0000000..3645e94
--- /dev/null
+++ b/tests/ip6/sets.t
@@ -0,0 +1,27 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+!set_ipv6_add1 ipv6_addr;ok
+!set_inet1 inet_proto;ok
+!set_inet inet_service;ok
+!set_time time;ok
+
+?set2 192.168.3.4;fail
+!set2 ipv6_addr;ok
+?set2 1234:1234::1234:1234:1234:1234:1234;ok
+# Bug: nft shows the error (for a repeat value in the set but the return value is 0
+# nft does not return an error code.
+-?set2 1234:1234::1234:1234:1234:1234:1234;fail
+
+?set2 1234::1234:1234:1234;ok
+?set2 1234:1234:1234:1234:1234::1234:1234 1234:1234::123;ok
+?set2 192.168.3.8 192.168.3.9;fail
+?set2 1234:1234::1234:1234:1234:1234;ok
+-?set2 1234:1234::1234:1234:1234:1234;fail
+?set2 1234:1234:1234::1234;ok
+
+ip saddr @set2 drop;fail
+
+ip6 saddr @set2 drop;ok
+ip6 saddr @set33 drop;fail
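Review bot: the two disabled element lines (`-?set2 ...;fail`) are not skipped as set operations when the script runs with -r. run_test_file() only checks `line[0] == "?"`, so a line starting with `-` goes to the rule branch and is run as `nft add rule ... ?set2 ...`, which fails on syntax and is then counted as a pass because the expected state is `fail`. The known bug (nft returns 0 for a duplicate element) is therefore never exercised and the result is misleading. Either handle `-?` and `-!` in the parser or comment these lines out with `#`. The comment above the first one also has an unclosed parenthesis.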
diff --git a/tests/ip6/vmap.t b/tests/ip6/vmap.t
new file mode 100644
index 0000000..50fca82
--- /dev/null
+++ b/tests/ip6/vmap.t
@@ -0,0 +1,54 @@
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+ip6 saddr vmap { abcd::3 : accept };ok
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234:1234;fail
+
+# Ipv6 address combinations
+#from src/scanner.l
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234 : accept};ok
+ip6 saddr vmap { 1234:: : accept};ok
+ip6 saddr vmap { ::/64 : accept};ok
+
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop};ok
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop};ok
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop};ok
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop};ok
+
+# rule without comma:
+filter-input ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:bbbb:::accept::adda : drop};fail
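Review bot: The first negative case, 'ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234:1234;fail', has no 'vmap { ... }' around the nine-group address, so it exercises plain address matching rather than the verdict map this file is for; wrap it as a vmap element with a verdict. The last rule is also the only one in the file that starts with 'filter-input', so its 'fail' may come from that prefix rather than from the missing comma the comment names; drop the prefix so the test isolates the comma.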
--
2.0.0
* [PATCH 3/6] [nft] tests: Add inet folder with test files.
From: Ana Rey @ 2014-07-31 9:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
The "inet" folder contains the test files that are executed in the ipv4, ipv6
and inet families of tables.
These test files are executed with nft-tests.py.
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/inet/ah.t | 63 +++++++++++++++++++++++++++++++
tests/inet/comp.t | 31 +++++++++++++++
tests/inet/dccp.t | 31 +++++++++++++++
tests/inet/esp.t | 23 ++++++++++++
tests/inet/sctp.t | 42 +++++++++++++++++++++
tests/inet/tcp.t | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++
tests/inet/udp.t | 49 ++++++++++++++++++++++++
tests/inet/udplite.t | 42 +++++++++++++++++++++
8 files changed, 385 insertions(+)
create mode 100644 tests/inet/ah.t
create mode 100644 tests/inet/comp.t
create mode 100644 tests/inet/dccp.t
create mode 100644 tests/inet/esp.t
create mode 100644 tests/inet/sctp.t
create mode 100644 tests/inet/tcp.t
create mode 100644 tests/inet/udp.t
create mode 100644 tests/inet/udplite.t
diff --git a/tests/inet/ah.t b/tests/inet/ah.t
new file mode 100644
index 0000000..5f710ca
--- /dev/null
+++ b/tests/inet/ah.t
@@ -0,0 +1,63 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+
+:input;type filter hook input priority 0
+
+# nexthdr
+# Bug to list table.
+
+- ah nexthdr esp;ok
+- ah nexthdr ah;ok
+- ah nexthdr comp;ok
+- ah nexthdr udp;ok
+- ah nexthdr udplite;ok
+- ah nexthdr tcp;ok
+- ah nexthdr dccp;ok
+- ah nexthdr sctp;ok
+
+- ah nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+- ah nexthdr != { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+
+# hdrlength
+ah hdrlength 11-23;ok;ah hdrlength >= 11 ah hdrlength <= 23
+ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23
+ah hdrlength { 11-23};ok
+- ah hdrlength != { 11-23};ok
+ah hdrlength {11, 23, 44 };ok
+- ah hdrlength != {11-23 };ok
+
+# reserved
+ah reserved 22;ok
+ah reserved != 233;ok
+ah reserved 33-45;ok;ah reserved >= 33 ah reserved <= 45
+ah reserved != 33-45;ok;ah reserved < 33 ah reserved > 45
+ah reserved {23, 100};ok
+- ah reserved != {33, 55, 67, 88};ok
+ah reserved { 33-55};ok
+- ah reserved != { 33-55};ok
+
+#spi
+ah spi 111;ok
+ah spi != 111;ok
+ah spi 111-222;ok;ah spi >= 111 ah spi <= 222
+ah spi != 111-222;ok;ah spi < 111 ah spi > 222
+ah spi {111, 122};ok
+-ah spi != {111, 122};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+ah spi { 111-122};ok
+-ah spi != { 111-122};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+# sequence
+ah sequence 123;ok
+ah sequence != 123;ok
+ah sequence {23, 25, 33};ok
+-ah sequence != {23, 25, 33};ok
+ah sequence { 23-33};ok
+-ah sequence != { 33-44};ok
+ah sequence 23-33;ok;ah sequence >= 23 ah sequence <= 33
+ah sequence != 23-33;ok;ah sequence < 23 ah sequence > 33
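Review bot: In the hdrlength block, '- ah hdrlength != { 11-23};ok' and '- ah hdrlength != {11-23 };ok' are the same rule apart from whitespace; the second follows 'ah hdrlength {11, 23, 44 };ok' and looks like it was meant to be its negation, '!= {11, 23, 44 }'. The disabled lines also alternate between '- ah ...' and '-ah ...'; pick one form. The nexthdr block is disabled with only "Bug to list table."; quote the failing output there as the spi block does with the evaluate.c assertion.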
diff --git a/tests/inet/comp.t b/tests/inet/comp.t
new file mode 100644
index 0000000..315026e
--- /dev/null
+++ b/tests/inet/comp.t
@@ -0,0 +1,31 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+
+:input;type filter hook input priority 0
+
+# BUG: Do no list table.
+-comp nexthdr esp;ok
+comp nexthdr != esp;ok
+
+-comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp};ok
+# comp flags ## 8-bit field. Reserved for future use. MUST be set to zero.
+
+# Bug comp flags: to list. List the decimal value.
+comp flags 0x00;ok
+comp flags != 0x23;ok
+comp flags 0x33-0x45;ok
+comp flags != 0x33-0x45;ok
+comp flags {0x33, 0x55, 0x67, 0x88};ok
+-comp flags != {0x33, 0x55, 0x67, 0x88};ok
+comp flags { 0x33-0x55};ok
+-comp flags != { 0x33-0x55};ok
+
+comp cpi 22;ok
+comp cpi != 233;ok
+comp cpi 33-45;ok;comp cpi >= 33 comp cpi <= 45
+comp cpi != 33-45;ok;comp cpi < 33 comp cpi > 45
+comp cpi {33, 55, 67, 88};ok
+-comp cpi != {33, 55, 67, 88};ok
+comp cpi { 33-55};ok
+-comp cpi != { 33-55};ok
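Review bot: The disabled set '-comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp};ok' lists 'tcp' twice; remove the duplicate before the line is re-enabled. The 'comp flags' range and set rules are enabled with no expected-output field although the comment above them says the listing prints the decimal value; either give the decimal listing as the third field, as the 'comp cpi' ranges do, or disable them with '-' until the listing is fixed.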
diff --git a/tests/inet/dccp.t b/tests/inet/dccp.t
new file mode 100644
index 0000000..d91ce53
--- /dev/null
+++ b/tests/inet/dccp.t
@@ -0,0 +1,31 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+dccp sport 21-35;ok;dccp sport >= ftp dccp sport <= 35
+dccp sport != 21-35;ok;dccp sport < ftp dccp sport > 35
+dccp sport {23, 24, 25};ok;dccp sport { smtp, 24, telnet}
+- dccp sport != { 27, 34};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+dccp sport { ftp-data - re-mail-ck};ok
+dccp sport ftp-data - re-mail-ck;ok;dccp sport >= ftp-data dccp sport <= re-mail-ck
+dccp sport { 20-50};ok;dccp sport { ftp-data-re-mail-ck}
+# dccp sport != {27-34};ok
+- BUG: invalid expression type set
+- nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+#dccp dport 21-35;ok
+#dccp dport != 21-35;ok
+dccp dport {23, 24, 25};ok;dccp dport { smtp, 24, telnet}
+# dccp dport != {27, 34};ok
+dccp dport { 20-50};ok;dccp dport { ftp-data-re-mail-ck}
+# dccp dport != {27-34};ok
+
+# BUG dccp type
+#dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+#dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+#dccp type request;ok
+#dccp type != request;ok
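Review bot: After '# dccp sport != {27-34};ok' the two note lines are written '- BUG: invalid expression type set' and '- nft: src/evaluate.c:975: ...', with the '-' disabled-rule marker, while the rule they describe is commented with '#'; the markers look swapped compared with the first sport block ('- dccp sport != { 27, 34};ok' followed by '# BUG'). The 'dccp dport' range rules and all 'dccp type' rules are commented out with nothing more than "BUG dccp type"; record the observed error for them too.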
diff --git a/tests/inet/esp.t b/tests/inet/esp.t
new file mode 100644
index 0000000..4436a59
--- /dev/null
+++ b/tests/inet/esp.t
@@ -0,0 +1,23 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+esp spi 100;ok
+esp spi != 100;ok
+esp spi 111-222;ok;esp spi >= 111 esp spi <= 222
+esp spi != 111-222;ok;esp spi < 111 esp spi > 222
+esp spi { 100, 102};ok
+-esp spi != { 100, 102};ok
+esp spi { 100-102};ok
+-esp spi {100-102};ok
+
+esp sequence 22;ok
+esp sequence 22-24;ok;esp sequence >= 22 esp sequence <= 24
+esp sequence != 22-24;ok;esp sequence < 22 esp sequence > 24
+esp sequence { 22, 24};ok
+- esp sequence != { 22, 24};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+esp sequence { 22-25};ok
+-esp sequence != { 22-25};ok
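Review bot: '-esp spi {100-102};ok' repeats the enabled rule 'esp spi { 100-102};ok' directly above it and lacks the '!=' that the other disabled set rules in this file carry; it should read '-esp spi != { 100-102};ok'. The sequence block also has no 'esp sequence != 22' case to match 'esp spi != 100'.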
diff --git a/tests/inet/sctp.t b/tests/inet/sctp.t
new file mode 100644
index 0000000..cf5b65c
--- /dev/null
+++ b/tests/inet/sctp.t
@@ -0,0 +1,42 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+sctp sport 23;ok;sctp sport telnet
+sctp sport != 23;ok;sctp sport != telnet
+sctp sport 23-44;ok;sctp sport >= telnet sctp sport <= 44
+sctp sport != 23-44;ok;sctp sport < telnet sctp sport > 44
+sctp sport { 23, 24, 25};ok;sctp sport { smtp, 24, telnet}
+# sctp sport != { 23, 24, 25};ok
+sctp sport { 23-44};ok;sctp sport { telnet-44}
+# sctp sport != { 23-44};ok
+-# BUG: invalid expression type set
+-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+sctp dport 23;ok;sctp dport telnet
+sctp dport != 23;ok;sctp dport != telnet
+sctp dport 23-44;ok;sctp dport >= telnet sctp dport <= 44
+sctp dport != 23-44;ok;sctp dport < telnet sctp dport > 44
+sctp dport { 23, 24, 25};ok;sctp dport { smtp, 24, telnet}
+# sctp dport != { 23, 24, 25};ok
+sctp dport { 23-44};ok;sctp dport { telnet-44}
+# sctp dport != { 23-44};ok
+
+sctp checksum 1111;ok
+sctp checksum != 11;ok
+sctp checksum 21-333;ok;sctp checksum >= 21 sctp checksum <= 333
+sctp checksum != 32-111;ok;sctp checksum < 32 sctp checksum > 111
+sctp checksum { 22, 33, 44};ok
+# sctp checksum != { 22, 33, 44};ok
+sctp checksum { 22-44};ok
+# sctp checksum != { 22-44};ok
+
+sctp vtag 22;ok
+sctp vtag != 233;ok
+sctp vtag 33-45;ok;sctp vtag >= 33 sctp vtag <= 45
+sctp vtag != 33-45;ok;sctp vtag < 33 sctp vtag > 45
+sctp vtag {33, 55, 67, 88};ok
+# sctp vtag != {33, 55, 67, 88};ok
+sctp vtag { 33-55};ok
+# sctp vtag != { 33-55};ok
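Review bot: The lines '-# BUG: invalid expression type set' and '-# nft: src/evaluate.c:975: ...' in the sport block combine the disabled-rule marker with the comment marker; use plain '#' as ah.t and tcp.t do for the same note. This file also comments out the negated-set rules with '#' ('# sctp sport != { 23, 24, 25};ok') where ah.t, esp.t and tcp.t disable them with '-'; use one convention so known-broken rules can be found the same way in every file.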
diff --git a/tests/inet/tcp.t b/tests/inet/tcp.t
new file mode 100644
index 0000000..9799365
--- /dev/null
+++ b/tests/inet/tcp.t
@@ -0,0 +1,104 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+tcp dport 22;ok;tcp dport ssh
+tcp dport != 233;ok
+tcp dport 33-45;ok;tcp dport >= 33 tcp dport <= 45
+tcp dport != 33-45;ok;tcp dport < 33 tcp dport > 45
+tcp dport { 33, 55, 67, 88};ok;tcp dport { 33, 55, kerberos, bootps}
+-tcp dport != { 33, 55, 67, 88};ok
+tcp dport { 33-55};ok
+-tcp dport != { 33-55};ok
+tcp dport {telnet, http, https} accept;ok
+tcp dport vmap { 22 : accept, 23 : drop };ok;tcp dport vmap { ssh : accept, telnet : drop}
+tcp dport vmap { 25:accept, 28:drop };ok;tcp dport vmap { 28 : drop, smtp : accept}
+tcp dport { 22, 53, 80, 110 };ok;tcp dport { pop3, domain, ssh, http}
+- tcp dport != { 22, 53, 80, 110 };ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+tcp sport 22;ok;tcp sport ssh
+tcp sport != 233;ok
+tcp sport 33-45;ok;tcp sport >= 33 tcp sport <= 45
+tcp sport != 33-45;ok;tcp sport < 33 tcp sport > 45
+tcp sport { 33, 55, 67, 88};ok;tcp sport { 33, 55, kerberos, bootps}
+- tcp sport != { 33, 55, 67, 88};ok
+tcp sport { 33-55};ok
+- tcp sport != { 33-55};ok
+tcp sport vmap { 25:accept, 28:drop };ok;tcp sport vmap { 28 : drop, smtp : accept}
+
+tcp sport 8080 drop;ok;tcp sport http-alt drop
+tcp sport 1024 tcp dport 22;ok;tcp sport 1024 tcp dport ssh
+tcp sport 1024 tcp dport 22 tcp sequence 0;ok;tcp sport 1024 tcp dport ssh tcp sequence 0
+
+tcp sequence 0 tcp sport 1024 tcp dport 22;ok;tcp sport 1024 tcp dport ssh tcp sequence 0
+tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok
+
+tcp sequence 22;ok
+tcp sequence != 233;ok
+tcp sequence 33-45;ok;tcp sequence >= 33 tcp sequence <= 45
+tcp sequence != 33-45;ok;tcp sequence < 33 tcp sequence > 45
+tcp sequence { 33, 55, 67, 88};ok
+-tcp sequence != { 33, 55, 67, 88};ok
+tcp sequence { 33-55};ok
+-tcp sequence != { 33-55};ok
+
+tcp ackseq 42949672 drop;ok
+tcp ackseq 22;ok
+tcp ackseq != 233;ok
+tcp ackseq 33-45;ok;tcp ackseq >= 33 tcp ackseq <= 45
+tcp ackseq != 33-45;ok;tcp ackseq < 33 tcp ackseq > 45
+tcp ackseq { 33, 55, 67, 88};ok
+-tcp ackseq != { 33, 55, 67, 88};ok
+tcp ackseq { 33-55};ok
+-tcp ackseq != { 33-55};ok
+
+# BUG doff
+-tcp doff 22;ok
+-tcp doff != 233;ok
+-tcp doff 33-45;ok
+-tcp doff != 33-45;ok
+-tcp doff { 33, 55, 67, 88};ok
+-tcp doff != { 33, 55, 67, 88};ok
+-tcp doff { 33-55};ok
+-tcp doff != { 33-55};ok
+
+# BUG reserved
+# BUG: It is accepted but it is not shown then. tcp reserver
+
+tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop;ok
+-tcp flags != { fin, urg, ecn, cwr} drop;ok
+tcp flags cwr;ok
+tcp flags != cwr;ok
+
+tcp window 22222;ok
+tcp window 22;ok
+tcp window != 233;ok
+tcp window 33-45;ok;tcp window >= 33 tcp window <= 45
+tcp window != 33-45;ok;tcp window < 33 tcp window > 45
+tcp window { 33, 55, 67, 88};ok
+-tcp window != { 33, 55, 67, 88};ok
+tcp window { 33-55};ok
+-tcp window != { 33-55};ok
+
+tcp checksum 23456 log drop;ok
+tcp checksum 22;ok
+tcp checksum != 233;ok
+tcp checksum 33-45;ok;tcp checksum >= 33 tcp checksum <= 45
+tcp checksum != 33-45;ok;tcp checksum < 33 tcp checksum > 45
+tcp checksum { 33, 55, 67, 88};ok
+-tcp checksum != { 33, 55, 67, 88};ok
+tcp checksum { 33-55};ok
+-tcp checksum != { 33-55};ok
+
+tcp urgptr 1234 accept;ok
+tcp urgptr 22;ok
+tcp urgptr != 233;ok
+tcp urgptr 33-45;ok;tcp urgptr >= 33 tcp urgptr <= 45
+tcp urgptr != 33-45;ok;tcp urgptr < 33 tcp urgptr > 45
+tcp urgptr { 33, 55, 67, 88};ok
+-tcp urgptr != { 33, 55, 67, 88};ok
+tcp urgptr { 33-55};ok
+-tcp urgptr != { 33-55};ok
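Review bot: The '# BUG doff' block disables all eight 'tcp doff' rules without saying what fails, and '# BUG reserved' has a comment ("tcp reserver", presumably reserved) but no rule lines at all; quote the error or the wrong listing as the 'tcp dport != { 22, 53, 80, 110 }' entry does, and add the disabled reserved rules so the gap is visible. Also, 'tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok' has no expected-output field although the rule above it shows the same match being listed reordered and with 'ssh' for 22; please confirm the listing really equals the input there.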
diff --git a/tests/inet/udp.t b/tests/inet/udp.t
new file mode 100644
index 0000000..aab7155
--- /dev/null
+++ b/tests/inet/udp.t
@@ -0,0 +1,49 @@
+*ip;test-ip4
+*ip;test-ip6
+*ip;test-inet
+:input;type filter hook input priority 0
+
+udp sport 80 accept;ok;udp sport http accept
+udp sport != 60 accept;ok
+udp sport 50-70 accept;ok;udp sport >= re-mail-ck udp sport <= gopher accept
+udp sport != 50-60 accept;ok;udp sport < re-mail-ck udp sport > 60 accept
+udp sport { 49, 50} drop;ok;udp sport { re-mail-ck, tacacs} drop
+- udp sport != { 50, 60} accept;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+udp sport { 12-40};ok
+-udp sport != { 13-24};ok
+
+udp dport 80 accept;ok;udp dport http accept
+udp dport != 60 accept;ok
+udp dport 70-75 accept;ok;udp dport >= gopher udp dport <= 75 accept
+udp dport != 50-60 accept;ok;udp dport < re-mail-ck udp dport > 60 accept
+udp dport { 49, 50} drop;ok;udp dport { re-mail-ck, tacacs} drop
+-udp dport != { 50, 60} accept;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+udp dport { 70-75} accept;ok;udp dport { gopher-75} accept
+- udp dport != { 50-60} accept;ok
+
+udp length 6666;ok
+udp length != 6666;ok
+udp length 50-65 accept;ok;udp length >= 50 udp length <= 65 accept
+udp length != 50-65 accept;ok;udp length < 50 udp length > 65 accept
+udp length { 50, 65} accept;ok
+-udp length != { 50, 65} accept;ok
+udp length { 35-50};ok
+-udp length != { 35-50};ok
+
+udp checksum 6666 drop;ok
+- udp checksum != { 444, 555} accept;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+udp checksum 22;ok
+udp checksum != 233;ok
+udp checksum 33-45;ok;udp checksum >= 33 udp checksum <= 45
+udp checksum != 33-45;ok;udp checksum < 33 udp checksum > 45
+udp checksum { 33, 55, 67, 88};ok
+-udp checksum != { 33, 55, 67, 88};ok
+udp checksum { 33-55};ok
+-udp checksum != { 33-55};ok
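Review bot: The header declares '*ip;test-ip4', '*ip;test-ip6' and '*ip;test-inet', so all three tables use the 'ip' family; every other file in this patch has '*ip6;test-ip6' and '*inet;test-inet'. Going by the family;table form of these lines, the UDP rules are never exercised against ip6 or inet. Change the second and third header lines to '*ip6;test-ip6' and '*inet;test-inet'.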
diff --git a/tests/inet/udplite.t b/tests/inet/udplite.t
new file mode 100644
index 0000000..be931ce
--- /dev/null
+++ b/tests/inet/udplite.t
@@ -0,0 +1,42 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+:input;type filter hook input priority 0
+
+udplite sport 80 accept;ok;udplite sport http accept
+udplite sport != 60 accept;okudplite sport http != accept
+udplite sport 50-70 accept;ok;udplite sport >= re-mail-ck udplite sport <= gopher accept
+udplite sport != 50-60 accept;ok;udplite sport < re-mail-ck udplite sport > 60 accept
+udplite sport { 49, 50} drop;ok;udplite sport { re-mail-ck, tacacs} drop
+-udplite sport != { 50, 60} accept;ok
+udplite sport { 12-40};ok
+-udplite sport != { 13-24};ok
+
+udplite dport 80 accept;ok;udplite dport http accept
+udplite dport != 60 accept;ok
+udplite dport 70-75 accept;ok;udplite dport >= gopher udplite dport <= 75 accept
+udplite dport != 50-60 accept;ok;udplite dport < re-mail-ck udplite dport > 60 accept
+udplite dport { 49, 50} drop;ok;udplite dport { re-mail-ck, tacacs} drop
+-udplite dport != { 50, 60} accept;ok
+udplite dport { 70-75} accept;ok;udplite dport { gopher-75} accept
+-udplite dport != { 50-60} accept;ok
+
+-udplite csumcov 6666;ok
+-udplite csumcov != 6666;ok
+-udplite csumcov 50-65 accept;ok
+-udplite csumcov != 50-65 accept;ok
+-udplite csumcov { 50, 65} accept;ok
+-udplite csumcov != { 50, 65} accept;ok
+-udplite csumcov { 35-50};ok
+-udplite csumcov != { 35-50};ok
+
+udplite checksum 6666 drop;ok
+-udplite checksum != { 444, 555} accept;ok
+udplite checksum 22;ok
+udplite checksum != 233;ok
+udplite checksum 33-45;ok;udplite checksum >= 33 udplite checksum <= 45
+udplite checksum != 33-45;ok;udplite checksum < 33 udplite checksum > 45
+udplite checksum { 33, 55, 67, 88};ok
+-udplite checksum != { 33, 55, 67, 88};ok
+udplite checksum { 33-55};ok
+-udplite checksum != { 33-55};ok
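Review bot: 'udplite sport != 60 accept;okudplite sport http != accept' is missing the ';' between 'ok' and the expected output, and the expected output itself is malformed: it puts '!=' after 'http' and names 'http' where the input has port 60. The matching rule in udp.t is 'udp sport != 60 accept;ok' with no third field; do the same here. The whole 'udplite csumcov' block is disabled without a comment saying what fails.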
--
2.0.0
* [PATCH 4/6] [nft] tests: Add any folder with test files.
From: Ana Rey @ 2014-07-31 9:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
The "any" folder contains the test files that are executed in the ipv4, ipv6,
inet, arp and bridge families of tables.
These test files are executed with nft-tests.py.
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/any/ct.t | 113 +++++++++++++++++++++++++++++++++++++++
tests/any/frag.t | 69 ++++++++++++++++++++++++
tests/any/limit.t | 13 +++++
tests/any/log.t | 14 +++++
tests/any/meta.t | 157 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
tests/any/queue.t | 15 ++++++
6 files changed, 381 insertions(+)
create mode 100644 tests/any/ct.t
create mode 100644 tests/any/frag.t
create mode 100644 tests/any/limit.t
create mode 100644 tests/any/log.t
create mode 100644 tests/any/meta.t
create mode 100644 tests/any/queue.t
diff --git a/tests/any/ct.t b/tests/any/ct.t
new file mode 100644
index 0000000..e2f1f53
--- /dev/null
+++ b/tests/any/ct.t
@@ -0,0 +1,113 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+# ct expresion is not supported in arp type table yet.
+-*arp;test-arp
+-*bridge;test-bridge
+
+:output;type filter hook output priority 0
+
+ct state new,established, related, untracked;ok;ct state established,related,new,untracked
+ct state != related;ok
+ct state {new,established, related, untracked};ok
+-ct state != {new,established, related, untracked};ok
+ct state invalid drop;ok
+ct state established accept;ok
+
+ct direction original;ok
+ct direction != original;ok
+ct direction reply;ok
+ct direction != reply;ok
+ct direction {reply, original};ok
+-ct direction != {reply, original};ok
+
+ct status expected;ok
+ct status != expected;ok
+ct status seen-reply;ok
+ct status != seen-reply;ok
+ct status {expected, seen-reply, assured, confirmed, dying};ok
+
+# BUG:
+# SYMBOL("snat", IPS_SRC_NAT)
+# SYMBOL("dnat", IPS_DST_NAT),
+-ct status snat;ok
+-ct status dnat;ok
+
+ct mark 0;ok
+ct mark or 0x23 == 0x11;ok
+ct mark or 0x3 != 0x1;ok
+ct mark and 0x23 == 0x11;ok
+ct mark and 0x3 != 0x1;ok
+ct mark xor 0x23 == 0x11;ok
+ct mark xor 0x3 != 0x1;ok
+
+ct mark 0x32;ok
+ct mark != 0x32;ok
+ct mark 0x32-0x45;ok
+ct mark != 0x32-0x43;ok
+ct mark {0x32, 0x2222, 0x42de3};ok
+- ct mark != {0x32, 0x2222, 0x42de3};ok
+
+# ct mark != {0x32, 0x2222, 0x42de3};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+ct mark set 0x11 xor 0x1331;ok
+ct mark set 0x11333 and 0x11;ok
+ct mark set 0x12 or 0x11;ok
+ct mark set 0x11;ok
+
+ct expiration 30;ok
+ct expiration 22;ok
+ct expiration != 233;ok
+ct expiration 33-45;ok
+# BUG: ct expiration 33-45;ok
+# BUG to list ct expiration >= "33s" ct expiration <= "9709d53m20s"
+ct expiration != 33-45;ok
+ct expiration {33, 55, 67, 88};ok
+-ct expiration != {33, 55, 67, 88};ok
+ct expiration {33-55};ok
+# BUG: ct expiration {33-55};ok
+# BUG to list ct expiration { "4271d23h25m52s"-"8738d3h11m59s" }
+-ct expiration != {33-55};ok
+
+ct helper "ftp";ok
+#ct helper "12345678901234567";fail
+
+-ct l3proto ?? "Layer 3 protocol of the connection";ok
+
+# If table is ip6 or inet or bridge, It is failed. I can not test it
+-ct saddr 1.2.3.4;ok
+
+
+# ct saddr 192.168.3.4
+# <cmdline>:1:1-43: Error: Could not process rule: Invalid argument
+# add rule ip test input ct saddr 192.168.3.4
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+# If table is ip6 or inet or bridge, It is failed. I can not test it
+-ct daddr 1.3.4.4;ok
+
+# There is a bug in bridge and inet tables.
+# ct protocol tcp;ok
+-ct protocol tcp;ok
+
+# ct daddr x.x.x.x;ok
+# ct protocol tcp;ok
+# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
+# add rule ip test input ct protocol tcp
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+-ct proto-src udp;ok
+
+# ct proto-src udp
+# <cmdline>:1:37-39: Error: datatype mismatch, expected invalid, expression has type Internet protocol
+# add rule ip test input ct proto-src udp
+# ~~~~~~~~~~~~ ^^^
+
+-ct proto-dst udp;ok
+
+# ct proto-dst udp
+# <cmdline>:1:37-39: Error: datatype mismatch, expected invalid, expression has type Internet protocol
+# add rule ip test input ct proto-dst udp
+# ~~~~~~~~~~~~ ^^^
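Review bot: 'ct expiration 33-45;ok' and 'ct expiration {33-55};ok' are enabled with no expected-output field, yet the comments right after each say the listing comes back as '>= "33s" ... <= "9709d53m20s"' and '{ "4271d23h25m52s"-"8738d3h11m59s" }'; if that is what nft prints, these rules cannot pass as 'ok' and should be disabled with '-' until the listing is fixed. '-ct l3proto ?? "Layer 3 protocol of the connection";ok' is a placeholder rather than a rule, and 'ct mark != {0x32, 0x2222, 0x42de3};ok' appears twice, once with '-' and once with '#'.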
diff --git a/tests/any/frag.t b/tests/any/frag.t
new file mode 100644
index 0000000..599d26a
--- /dev/null
+++ b/tests/any/frag.t
@@ -0,0 +1,69 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+*arp;test-arp
+*bridge;test-bridge
+
+:output;type filter hook output priority 0
+
+frag nexthdr tcp;ok
+frag nexthdr != icmp;ok
+frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+-frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+frag nexthdr esp;ok
+frag nexthdr ah;ok
+
+frag reserved 22;ok
+frag reserved != 233;ok
+frag reserved 33-45;ok;frag reserved >= 33 frag reserved <= 45
+frag reserved != 33-45;ok;frag reserved < 33 frag reserved > 45
+frag reserved { 33, 55, 67, 88};ok;frag reserved { 88, 33, 67, 55}
+-frag reserved != { 33, 55, 67, 88};ok
+frag reserved { 33-55};ok
+-frag reserved != { 33-55};ok
+
+# netlink: Error: Relational expression size mismatch
+# bug: frag frag-off 22 =>
+# If we list it:
+# netlink: Error: Relational expression size mismatch
+
+frag frag-off 22;ok
+-frag frag-off 0;ok
+-frag frag-off 22;ok
+-frag frag-off != 233;ok
+-frag frag-off 33-45;ok
+-frag frag-off != 33-45;ok
+-frag frag-off { 33, 55, 67, 88};ok
+-frag frag-off != { 33, 55, 67, 88};ok
+-frag frag-off { 33-55};ok
+-frag frag-off != { 33-55};ok
+
+#BUG reserved2
+#$ sudo nft add rule ip test input frag reserved2 33
+#<cmdline>:1:39-40: Error: Value 33 exceeds valid range 0-3
+# add rule ip test input frag reserved2 33
+# ^^
+#sudo nft add rule ip test input frag reserved2 1
+#<cmdline>:1:1-39: Error: Could not process rule: Invalid argument
+#add rule ip test input frag reserved2 1
+#^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+# BUG more-fragments
+# frag more-fragments 1
+# <cmdline>:1:1-44: Error: Could not process rule: Invalid argument
+# add rule ip test input frag more-fragments 1
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# $ sudo nft add rule ip test input frag more-fragments 4
+#<cmdline>:1:44-44: Error: Value 4 exceeds valid range 0-1
+# add rule ip test input frag more-fragments 4
+# ^
+
+frag id 1;ok
+frag id 22;ok
+frag id != 33;ok
+frag id 33-45;ok;frag id >= 33 frag id <= 45
+frag id != 33-45;ok;frag id < 33 frag id > 45
+frag id { 33, 55, 67, 88};ok
+-frag id != { 33, 55, 67, 88};ok
+frag id { 33-55};ok
+-frag id != { 33-55};ok
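Review bot: 'frag frag-off 22;ok' is enabled immediately after the comment reporting "Relational expression size mismatch" for exactly that rule, and the same rule appears again two lines down disabled as '-frag frag-off 22;ok'; keep only the disabled copy. The reserved2 and more-fragments bugs are documented with command output but have no disabled rule lines, so nothing will start running once they are fixed.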
diff --git a/tests/any/limit.t b/tests/any/limit.t
new file mode 100644
index 0000000..b2c8dfb
--- /dev/null
+++ b/tests/any/limit.t
@@ -0,0 +1,13 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+*arp;test-arp
+*bridge;test-bridge
+
+:output;type filter hook output priority 0
+
+limit rate 400/minute;ok
+limit rate 20/second;ok
+limit rate 400/hour;ok
+limit rate 400/week;ok
+limit rate 40/day;ok
diff --git a/tests/any/log.t b/tests/any/log.t
new file mode 100644
index 0000000..3bd52f8
--- /dev/null
+++ b/tests/any/log.t
@@ -0,0 +1,14 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+-*arp;test-arp
+*bridge;test-bridge
+:output;type filter hook output priority 0
+
+# Bug in bridge family
+-ct direction original log;ok
+log;ok
+udp dport 200 log group 2 prefix aaaaa-aaaaaa snaplen 33;ok
+# BUG log qthreshold
+- log qthreshold ;ok
+tcp dport 300 log group 2 prefix \"IPTABLES-NFT SSH\";ok
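Review bot: The header disables '-*arp;test-arp' while the only comment says "Bug in bridge family" and '*bridge;test-bridge' stays enabled; state why arp is off, or move the marker if bridge was meant. '- log qthreshold ;ok' has no threshold value, and the prefix is unquoted in 'prefix aaaaa-aaaaaa' but written as '\"IPTABLES-NFT SSH\"' in the last rule; say which form the test is meant to cover.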
diff --git a/tests/any/meta.t b/tests/any/meta.t
new file mode 100644
index 0000000..76259d1
--- /dev/null
+++ b/tests/any/meta.t
@@ -0,0 +1,157 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+*arp;test-arp
+*bridge;test-bridge
+
+:input;type filter hook input priority 0
+
+meta length 1000;ok
+meta length 22;ok
+meta length != 233;ok
+meta length 33-45;ok
+#meta length != 33-45;ok
+meta length { 33, 55, 67, 88};ok
+#meta length != { 33, 55, 67, 88};ok
+meta length { 33-55};ok
+# BUG to list meta length { 738197504, 553648128 }
+-meta length != { 33-55};ok
+
+-meta protocol { ip, arp, ip6, vlan };ok
+# BUG Do not list this set
+# <cmdline>:1:40-41: Evaluate
+# add rule ip test input meta protocol { ip, arp, ip6, vlan }
+
+-meta protocol != {ip, arp, ip6, vlan};ok
+-meta protocol ip;ok
+-meta protocol != ip;ok
+
+meta nfproto ipv4;ok
+meta nfproto ipv6;ok
+meta nfproto {ipv4, ipv6};ok
+
+meta l4proto 22;ok
+meta l4proto != 233;ok
+meta l4proto 33-45;ok;meta l4proto >= 33 meta l4proto <= 45
+meta l4proto != 33-45;ok;meta l4proto < 33 meta l4proto > 45
+meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88}
+-meta l4proto != { 33, 55, 67, 88};ok
+meta l4proto { 33-55};ok
+-meta l4proto != { 33-55};ok
+
+meta priority 22;ok
+meta priority 22;ok
+meta priority != 233;ok
+meta priority 33-45;ok
+# BUG list meta priority >= 7f68:0034 meta priority <= 5500:ff7f
+
+meta priority != 33-45;ok
+meta priority { 33, 55, 67, 88};ok
+#meta priority { 4400:ff7f, 5500:ff7f, 3400:887f };ok
+-meta priority != { 33, 55, 67, 88};ok
+meta priority { 33-55};ok
+-meta priority != { 33-55};ok
+
+# mark
+meta mark 0x4;ok
+meta mark 0x32;ok
+meta mark and 0x03 == 0x01;ok
+meta mark and 0x03 != 0x01;ok
+meta mark 0x10;ok
+meta mark != 0x10;ok
+
+meta mark or 0x03 == 0x01;ok
+meta mark or 0x03 != 0x01;ok
+meta mark xor 0x03 == 0x01;ok
+meta mark xor 0x03 != 0x01;ok
+
+meta iif wlan0 accept;ok
+meta iif eth0 accept;ok
+meta iif != wlan0 accept;ok
+meta iif != eth0 accept;ok
+
+meta iifname "eth0";ok
+meta iifname != "eth0";ok
+meta iifname {"eth0", "wlan0"};ok
+- meta iifname != {"eth0", "wlan0"};ok
+# BUG to list iifname { "", "" }
+
+meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+-meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta iiftype != ether;ok
+meta iiftype ether;ok
+meta iiftype != ppp;ok
+meta iiftype ppp;ok
+
+meta oif lo accept;ok
+meta oif != lo accept;ok
+meta oif {wlan0, eth0, lo} accept;ok
+-meta oif != {wlan0, eth0, lo} accept;ok
+
+meta oifname "eth0";ok
+meta oifname != "eth0";ok
+meta oifname { "eth0", "wlan0"};ok
+- meta iifname != {"eth0", "wlan0"};ok
+# BUG to list iifname { "", "" }
+
+meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+-meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta oiftype != ether;ok;oiftype != ether
+meta oiftype ether;ok;oiftype ether
+
+meta skuid {man, root, backup} accept;ok
+-meta skuid != {man, root, backup} accept;ok
+meta skuid man;ok;skuid man
+meta skuid != man;ok;skuid != man
+meta skuid lt 3000 accept;ok
+meta skuid gt 3000 accept;ok
+meta skuid eq 3000 accept;ok
+meta skuid 3001-3005 accept;ok;ok;skuid >= 3001 skuid <= -1123352576 accept
+# BUG to list skuid >= Debian-exim skuid <= 1761607680 accept
+- meta skuid != 2001-2005 accept;ok;skuid < 2001 skuid > -720961536 accept
+meta skuid { 2001-2005} accept;ok
+# BUG skuid { 1694498816-1778384895 } accept
+- meta skuid != { 2001-2005} accept;ok
+
+meta skgid {man, root, backup} accept;ok
+-meta skgid != {man, root, backup} accept;ok
+meta skgid man;ok;skgid man
+meta skgid != man;ok;skgid != man
+meta skgid lt 3000 accept;ok
+meta skgid gt 3000 accept;ok
+meta skgid eq 3000 accept;ok
+-meta skgid 2001-2005 accept;ok;skgid >= 2001 skgid <= 3574005760 accept
+# BUG to list skgid >= libuuid skgid <= 1761607680 accept;ok
+-meta skgid != 2001-2005 accept;ok;skgid < 2001 skgid > 3574005760 accept
+meta skgid { 2001-2005} accept;ok
+# BUG skgid { 1694498816-1778384895 } accept
+# meta skgid != { 2001-2005} accept
+
+# BUG nftrace
+# $ sudo nft add rule ip test input meta nftrace 2
+#<cmdline>:1:37-37: Error: Value 2 exceeds valid range 0-1
+#add rule ip test input meta nftrace 2
+# ^
+#$ sudo nft add rule ip test input meta nftrace 1
+#<cmdline>:1:1-37: Error: Could not process rule: Operation not supported
+#add rule ip test input meta nftrace 1
+#-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+meta rtclassid cosmos;ok;rtclassid cosmos
+
+meta mark set 0xffffffc8 xor 0x16;ok
+meta mark set 0x16 and 0x16;ok
+meta mark set 0xffffffe9 or 0x16;ok
+meta mark set 0xffffffde and 0x16;ok
+meta mark set 0xf045ffde or 0x10;ok
+meta mark set 0xffffffde or 0x16;ok
+meta mark set 0x32 or 0xfffff;ok
+meta mark set 0xfffe xor 0x16;ok
+
+meta iif lo;ok;iif lo
+meta oif lo;ok;oif lo
+meta oifname "eth2" accept;ok
+meta skuid 3000;ok;skuid 3000
+meta skgid 3000;ok;skgid 3000
+-meta nftrace 1;ok
+meta rtclassid cosmos;ok;rtclassid cosmos
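Review bot: 'meta skuid 3001-3005 accept;ok;ok;skuid >= 3001 skuid <= -1123352576 accept' has a doubled ';ok;ok;' field, and its expected output bakes in the wrong upper bound that the next comment flags as a listing bug, so the rule would pass only while the bug exists; disable it with '-' as is done for 'meta skgid 2001-2005'. In the oifname block the disabled rule and its comment still say 'iifname' (copied from the iifname block), and 'meta priority 22;ok' is listed twice in a row.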
diff --git a/tests/any/queue.t b/tests/any/queue.t
new file mode 100644
index 0000000..8307411
--- /dev/null
+++ b/tests/any/queue.t
@@ -0,0 +1,15 @@
+*ip;test-ip4
+*ip6;test-ip6
+*inet;test-inet
+*arp;test-arp
+*bridge;test-bridge
+
+:output;type filter hook output priority 0
+
+queue;ok;queue num 0
+queue num 2;ok
+queue num 2-3;ok
+- queue num {3, 4, 6};ok
+queue num 4-5 fanout bypass;ok;queue num 4-5 bypass fanout
+queue num 4-5 fanout;ok
+queue num 4-5 bypass;ok
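Review bot: '- queue num {3, 4, 6};ok' is disabled with no comment on what fails; add a '# BUG' line with the error or listing seen, as ct.t does for its disabled 'ct mark' set rule.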
--
2.0.0
* [PATCH 5/6] [nft] tests: Add arp folder with test files.
From: Ana Rey @ 2014-07-31 9:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
The "arp" folder contains the test files that are executed in arp tables.
These test files are executed with nft-tests.py.
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/arp/arp.t | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
tests/arp/chains.t | 5 +++++
2 files changed, 63 insertions(+)
create mode 100644 tests/arp/arp.t
create mode 100644 tests/arp/chains.t
diff --git a/tests/arp/arp.t b/tests/arp/arp.t
new file mode 100644
index 0000000..e7f3cf7
--- /dev/null
+++ b/tests/arp/arp.t
@@ -0,0 +1,58 @@
+*arp;test-arp
+# filter chains available are: input, output, forward
+:input;type filter hook input priority 0
+
+arp htype 1;ok
+arp htype != 1;ok
+# http://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml
+arp htype 22;ok
+arp htype != 233;ok
+arp htype 33-45;ok;arp htype >= 33 arp htype <= 45
+arp htype != 33-45;ok;arp htype < 33 arp htype > 45
+arp htype { 33, 55, 67, 88};ok
+# Bug to list arp htype { 1280, 1024, 256 }
+-arp htype != { 33, 55, 67, 88};ok
+arp htype { 33-55};ok
+-arp htype != { 33-55};ok
+
+arp ptype 0x0800;ok
+
+arp hlen 22;ok
+arp hlen != 233;ok
+arp hlen 33-45;ok;arp hlen >= 33 arp hlen <= 45
+arp hlen != 33-45;ok;arp hlen < 33 arp hlen > 45
+arp hlen { 33, 55, 67, 88};ok
+-arp hlen != { 33, 55, 67, 88};ok
+arp hlen { 33-55};ok
+-arp hlen != { 33-55};ok
+
+arp plen 22;ok
+arp plen != 233;ok
+arp plen 33-45;ok;arp plen >= 33 arp plen <= 45
+arp plen != 33-45;ok;arp plen < 33 arp plen > 45
+arp plen { 33, 55, 67, 88};ok
+-arp plen != { 33, 55, 67, 88};ok
+arp plen { 33-55};ok
+-arp plen != {33-55};ok
+
+
+arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
+-arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
+# BUG to list arp operation { 1024, 2304, 768, 2048, 512, 2560, 256}
+
+arp operation request;ok
+arp operation reply;ok
+arp operation rrequest;ok
+arp operation rreply;ok
+arp operation inrequest;ok
+arp operation inreply;ok
+arp operation nak;ok
+arp operation reply;ok
+arp operation != request;ok
+arp operation != reply;ok
+arp operation != rrequest;ok
+arp operation != rreply;ok
+arp operation != inrequest;ok
+arp operation != inreply;ok
+arp operation != nak;ok
+arp operation != reply;ok
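Review bot: `arp operation reply;ok` appears twice in the positive list (after `request` and again after `nak`), and `arp operation != reply;ok` appears twice in the negated list, so the second copy of each adds no coverage; drop the duplicates. The bug comments are also placed inconsistently: "# Bug to list arp htype { 1280, 1024, 256 }" sits above the `-arp htype != {...}` entry, "# BUG to list arp operation {...}" sits below the `-arp operation != {...}` entry, and the `-arp hlen` and `-arp plen` set entries have no comment at all. Put one comment directly above each `-` entry stating the rule that was given and the listing nft returned. The values in the operation comment (256, 512, 768, 1024, 2048, 2304, 2560) are the 16-bit byte-swapped forms of 1, 2, 3, 4, 8, 9, 10, which is worth saying in the comment because it points at a byte-order problem when set elements are listed.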
diff --git a/tests/arp/chains.t b/tests/arp/chains.t
new file mode 100644
index 0000000..6b0c042
--- /dev/null
+++ b/tests/arp/chains.t
@@ -0,0 +1,5 @@
+*arp;test-arp
+- filter chains available are: input, output, forward
+:input;type filter hook input priority 0
+:forward;type filter hook forward priority 0
+:output;type filter hook output priority 0
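Review bot: the second line, `- filter chains available are: input, output, forward`, is written with a leading `- ` where tests/arp/arp.t and tests/bridge/chains.t use `#` for the same sentence. If `-` marks a disabled test line, this sentence is being handled as a rule rather than as a comment; change it to `# filter chains available are: input, output, forward`.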
--
2.0.0
* [PATCH 6/6] [nft] tests: Add bridge folder with test files.
2014-07-31 9:08 [PATCH 0/6] tests: Automated regression testing Ana Rey
` (4 preceding siblings ...)
2014-07-31 9:08 ` [PATCH 5/6] [nft] tests: Add arp " Ana Rey
@ 2014-07-31 9:08 ` Ana Rey
5 siblings, 0 replies; 7+ messages in thread
From: Ana Rey @ 2014-07-31 9:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ana Rey
"bridge" folder contains the test files that are executed in bridge tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/bridge/chains.t | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 tests/bridge/chains.t
diff --git a/tests/bridge/chains.t b/tests/bridge/chains.t
new file mode 100644
index 0000000..2c534b5
--- /dev/null
+++ b/tests/bridge/chains.t
@@ -0,0 +1,8 @@
+*bridge;test-bridge
+
+# filter chains available are: input, output, forward
+:filter-input;type filter hook input priority 0
+:filter-forward;type filter hook forward priority 0
+:filter-output;type filter hook output priority 0
+
+-ether type 1;ok
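Review bot: the last line, `-ether type 1;ok`, is the only rule in this file, it carries the `-` prefix, and no comment gives the reason. Add a `#` line above it describing the failure, or move it into a rule test file for the bridge family, since tests/arp/chains.t holds only table and chain declarations. The chain names here (`filter-input`, `filter-forward`, `filter-output`) also differ from the `input`, `forward`, `output` names used in tests/arp/chains.t; pick one naming scheme for all families.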
--
2.0.0