[libnftnl PATCH 1/3] expr: masq: optional printing of flags attr in snprintf_default

[libnftnl PATCH 1/3] expr: masq: optional printing of flags attr in snprintf_default

[Arturo Borrero Gonzalez]

The flags attribute is optional. Thus we should print only if it
was originally set.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
 0 files changed

diff --git a/src/expr/masq.c b/src/expr/masq.c
index 6a1c609..c8a6a8d 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -169,8 +169,10 @@ static int nft_rule_expr_masq_snprintf_default(char *buf, size_t len,
 {
 	struct nft_expr_masq *masq = nft_expr_data(e);
 
-	return snprintf(buf, len, " flags %u ",
-			 masq->flags);
+	if (e->flags & (1 << NFT_EXPR_MASQ_FLAGS))
+		return snprintf(buf, len, "flags %u", masq->flags);
+
+	return 0;
 }
 
 static int nft_rule_expr_masq_snprintf(char *buf, size_t len, uint32_t type,

[libnftnl PATCH 2/3] tests: add tests for the masq expression

[Arturo Borrero Gonzalez]

The masq expression is lacking of tests. Let's add some.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
 tests/Makefile.am                 |    4 ++
 tests/jsonfiles/68-rule-masq.json |    2 +
 tests/nft-expr_masq-test.c        |   89 +++++++++++++++++++++++++++++++++++++
 tests/test-script.sh              |    1 
 tests/xmlfiles/79-rule-masq.xml   |    2 +
 5 files changed, 98 insertions(+)
 create mode 100644 tests/jsonfiles/68-rule-masq.json
 create mode 100644 tests/nft-expr_masq-test.c
 create mode 100644 tests/xmlfiles/79-rule-masq.xml

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 7942bc0..d4f44af 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -20,6 +20,7 @@ check_PROGRAMS = 	nft-parsing-test		\
 			nft-expr_lookup-test		\
 			nft-expr_log-test		\
 			nft-expr_match-test		\
+			nft-expr_masq-test		\
 			nft-expr_meta-test		\
 			nft-expr_nat-test		\
 			nft-expr_payload-test		\
@@ -75,6 +76,9 @@ nft_expr_log_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 nft_expr_match_test_SOURCES = nft-expr_match-test.c
 nft_expr_match_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
+nft_expr_masq_test_SOURCES = nft-expr_masq-test.c
+nft_expr_masq_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
+
 nft_expr_meta_test_SOURCES = nft-expr_meta-test.c
 nft_expr_meta_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
diff --git a/tests/jsonfiles/68-rule-masq.json b/tests/jsonfiles/68-rule-masq.json
new file mode 100644
index 0000000..cfaed4c
--- /dev/null
+++ b/tests/jsonfiles/68-rule-masq.json
@@ -0,0 +1,2 @@
+{"nftables":[{"rule":{"family":"ip6","table":"nat","chain":"postrouting","handle":4,"expr":[{"type":"masq","flags":12}]}}]}
+
diff --git a/tests/nft-expr_masq-test.c b/tests/nft-expr_masq-test.c
new file mode 100644
index 0000000..58db7f5
--- /dev/null
+++ b/tests/nft-expr_masq-test.c
@@ -0,0 +1,89 @@
+/*
+ * (C) 2013 by Ana Rey Botello <anarey@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <linux/netfilter/nf_tables.h>
+#include <libmnl/libmnl.h>
+#include <libnftnl/rule.h>
+#include <libnftnl/expr.h>
+
+static int test_ok = 1;
+
+static void print_err(const char *msg)
+{
+	test_ok = 0;
+	printf("\033[31mERROR:\e[0m %s\n", msg);
+}
+
+static void cmp_nft_rule_expr(struct nft_rule_expr *rule_a,
+			      struct nft_rule_expr *rule_b)
+{
+	if (nft_rule_expr_get_u32(rule_a, NFT_EXPR_MASQ_FLAGS) !=
+	    nft_rule_expr_get_u32(rule_b, NFT_EXPR_MASQ_FLAGS))
+		print_err("Expr NFT_EXPR_MASQ_FLAGS mismatches");
+}
+
+int main(int argc, char *argv[])
+{
+	struct nft_rule *a, *b;
+	struct nft_rule_expr *ex;
+	struct nlmsghdr *nlh;
+	char buf[4096];
+	struct nft_rule_expr_iter *iter_a, *iter_b;
+	struct nft_rule_expr *rule_a, *rule_b;
+
+	a = nft_rule_alloc();
+	b = nft_rule_alloc();
+	if (a == NULL || b == NULL)
+		print_err("OOM");
+	ex = nft_rule_expr_alloc("nat");
+	if (ex == NULL)
+		print_err("OOM");
+
+	nft_rule_expr_set_u32(ex, NFT_EXPR_MASQ_FLAGS, 0x1234568);
+
+	nft_rule_add_expr(a, ex);
+
+	nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+	nft_rule_nlmsg_build_payload(nlh, a);
+
+	if (nft_rule_nlmsg_parse(nlh, b) < 0)
+		print_err("parsing problems");
+
+	iter_a = nft_rule_expr_iter_create(a);
+	iter_b = nft_rule_expr_iter_create(b);
+	if (iter_a == NULL || iter_b == NULL)
+		print_err("OOM");
+
+	rule_a = nft_rule_expr_iter_next(iter_a);
+	rule_b = nft_rule_expr_iter_next(iter_b);
+	if (rule_a == NULL || rule_b == NULL)
+		print_err("OOM");
+
+	cmp_nft_rule_expr(rule_a, rule_b);
+
+	if (nft_rule_expr_iter_next(iter_a) != NULL ||
+	    nft_rule_expr_iter_next(iter_b) != NULL)
+		print_err("More 1 expr.");
+
+	nft_rule_expr_iter_destroy(iter_a);
+	nft_rule_expr_iter_destroy(iter_b);
+	nft_rule_free(a);
+	nft_rule_free(b);
+
+	if (!test_ok)
+		exit(EXIT_FAILURE);
+
+	printf("%s: \033[32mOK\e[0m\n", argv[0]);
+	return EXIT_SUCCESS;
+}
diff --git a/tests/test-script.sh b/tests/test-script.sh
index 44725d8..93caeb8 100755
--- a/tests/test-script.sh
+++ b/tests/test-script.sh
@@ -10,6 +10,7 @@
 ./nft-expr_log-test
 ./nft-expr_lookup-test
 ./nft-expr_match-test
+./nft-expr_masq-test
 ./nft-expr_meta-test
 ./nft-expr_nat-test
 ./nft-expr_payload-test
diff --git a/tests/xmlfiles/79-rule-masq.xml b/tests/xmlfiles/79-rule-masq.xml
new file mode 100644
index 0000000..b5c5948
--- /dev/null
+++ b/tests/xmlfiles/79-rule-masq.xml
@@ -0,0 +1,2 @@
+<nftables><rule><family>ip6</family><table>nat</table><chain>postrouting</chain><handle>4</handle><expr type="masq"><flags>12</flags></expr></rule></nftables>
+

[libnftnl PATCH 3/3] tests: also test nat's flags attribute

[Arturo Borrero Gonzalez]

The nat expression has a new attribute. Let's give some testing.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
 tests/jsonfiles/33-rule-nat6.json |    2 +-
 tests/nft-expr_nat-test.c         |    4 ++++
 tests/xmlfiles/33-rule-nat4.xml   |    2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/jsonfiles/33-rule-nat6.json b/tests/jsonfiles/33-rule-nat6.json
index e5d8c8f..a76eb71 100644
--- a/tests/jsonfiles/33-rule-nat6.json
+++ b/tests/jsonfiles/33-rule-nat6.json
@@ -1 +1 @@
-{"nftables":[{"rule":{"family":"ip6","table":"nat","chain":"output","handle":33,"expr":[{"type":"nat","nat_type":"snat","family":"ip6","sreg_addr_min":1,"sreg_addr_max":2,"sreg_proto_min":3,"sreg_proto_max":4}]}}]}
+{"nftables":[{"rule":{"family":"ip6","table":"nat","chain":"output","handle":33,"expr":[{"type":"nat","nat_type":"snat","family":"ip6","sreg_addr_min":1,"sreg_addr_max":2,"sreg_proto_min":3,"sreg_proto_max":4,"flags":12}]}}]}
diff --git a/tests/nft-expr_nat-test.c b/tests/nft-expr_nat-test.c
index 64966b2..8982b98 100644
--- a/tests/nft-expr_nat-test.c
+++ b/tests/nft-expr_nat-test.c
@@ -49,6 +49,9 @@ static void cmp_nft_rule_expr(struct nft_rule_expr *rule_a,
 	if (nft_rule_expr_get_u32(rule_a, NFT_EXPR_NAT_REG_PROTO_MAX) !=
 	    nft_rule_expr_get_u32(rule_b, NFT_EXPR_NAT_REG_PROTO_MAX))
 		print_err("Expr NFT_EXPR_NAT_REG_PROTO_MAX mismatches");
+	if (nft_rule_expr_get_u32(rule_a, NFT_EXPR_NAT_FLAGS) !=
+	    nft_rule_expr_get_u32(rule_b, NFT_EXPR_NAT_FLAGS))
+		print_err("Expr NFT_EXPR_NAT_FLAGS mismatches");
 }
 
 int main(int argc, char *argv[])
@@ -74,6 +77,7 @@ int main(int argc, char *argv[])
 	nft_rule_expr_set_u32(ex, NFT_EXPR_NAT_REG_ADDR_MAX, 0x1234568);
 	nft_rule_expr_set_u32(ex, NFT_EXPR_NAT_REG_PROTO_MIN, 0x1234568);
 	nft_rule_expr_set_u32(ex, NFT_EXPR_NAT_REG_PROTO_MAX, 0x1234568);
+	nft_rule_expr_set_u32(ex, NFT_EXPR_NAT_FLAGS, 0x1234568);
 
 	nft_rule_add_expr(a, ex);
 
diff --git a/tests/xmlfiles/33-rule-nat4.xml b/tests/xmlfiles/33-rule-nat4.xml
index 73c5b56..233c44e 100644
--- a/tests/xmlfiles/33-rule-nat4.xml
+++ b/tests/xmlfiles/33-rule-nat4.xml
@@ -1 +1 @@
-<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="nat"><type>dnat</type><family>ip</family><sreg_addr_min>1</sreg_addr_min><sreg_addr_max>2</sreg_addr_max><sreg_proto_min>3</sreg_proto_min><sreg_proto_max>4</sreg_proto_max></expr></rule></nftables>
+<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="nat"><type>dnat</type><family>ip</family><sreg_addr_min>1</sreg_addr_min><sreg_addr_max>2</sreg_addr_max><sreg_proto_min>3</sreg_proto_min><sreg_proto_max>4</sreg_proto_max><flags>12</flags></expr></rule></nftables>

Re: [libnftnl PATCH 1/3] expr: masq: optional printing of flags attr in snprintf_default

[Pablo Neira Ayuso]

On Thu, Oct 02, 2014 at 01:58:36PM +0200, Arturo Borrero Gonzalez wrote:
> The flags attribute is optional. Thus we should print only if it
> was originally set.

Applied with nitpick.

> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
> ---
>  0 files changed
> 
> diff --git a/src/expr/masq.c b/src/expr/masq.c
> index 6a1c609..c8a6a8d 100644
> --- a/src/expr/masq.c
> +++ b/src/expr/masq.c
> @@ -169,8 +169,10 @@ static int nft_rule_expr_masq_snprintf_default(char *buf, size_t len,
>  {
>  	struct nft_expr_masq *masq = nft_expr_data(e);
>  
> -	return snprintf(buf, len, " flags %u ",
> -			 masq->flags);
> +	if (e->flags & (1 << NFT_EXPR_MASQ_FLAGS))
> +		return snprintf(buf, len, "flags %u", masq->flags);
                                                   ^
                                      missing space there.

Otherwise the output shows flags 0].

And change it to use %x. Hex is better for flags.

Re: [libnftnl PATCH 2/3] tests: add tests for the masq expression

[Pablo Neira Ayuso]

On Thu, Oct 02, 2014 at 01:58:42PM +0200, Arturo Borrero Gonzalez wrote:
> The masq expression is lacking of tests. Let's add some.

Applied, thanks.

Please, make sure git am doesn't complain with trailing whitespace and
empty lines at the end of the file.

git am reported two in this patch.

> diff --git a/tests/jsonfiles/68-rule-masq.json b/tests/jsonfiles/68-rule-masq.json
> new file mode 100644
> index 0000000..cfaed4c
> --- /dev/null
> +++ b/tests/jsonfiles/68-rule-masq.json
> @@ -0,0 +1,2 @@
> +{"nftables":[{"rule":{"family":"ip6","table":"nat","chain":"postrouting","handle":4,"expr":[{"type":"masq","flags":12}]}}]}
> +

Here.

> +++ b/tests/xmlfiles/79-rule-masq.xml
                       ^^

BTW, I wonder when the file numbering diverted (in xml, this 79 but in
json this is 68), it seems we have more tests for XML than json.

For similar mirror tests, we should be using the same number.

Re: [libnftnl PATCH 3/3] tests: also test nat's flags attribute

[Pablo Neira Ayuso]

On Thu, Oct 02, 2014 at 01:58:47PM +0200, Arturo Borrero Gonzalez wrote:
> The nat expression has a new attribute. Let's give some testing.

Also applied, thanks.