* [nft PATCH 1/3] tests/regression: masquerade: fix invalid syntax
@ 2014-11-07 11:39 Arturo Borrero Gonzalez
2014-11-07 11:39 ` [nft PATCH 2/3] tests/regression: redirect: " Arturo Borrero Gonzalez
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-11-07 11:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
This patch fixes invalid syntax in the masquerade test files.
I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
tests/regression/ip/masquerade.t | 34 +++++++++++++++++-----------------
tests/regression/ip6/masquerade.t | 34 +++++++++++++++++-----------------
2 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/tests/regression/ip/masquerade.t b/tests/regression/ip/masquerade.t
index c1371b5..c2840b0 100644
--- a/tests/regression/ip/masquerade.t
+++ b/tests/regression/ip/masquerade.t
@@ -2,24 +2,24 @@
:output;type nat hook output priority 0
# nf_nat flags combination
-udp dport 53 masquerade ;ok
-udp dport 53 masquerade random ;ok
-udp dport 53 masquerade random,persistent ;ok
-udp dport 53 masquerade random,persistent,random-fully ;ok ;udp dport 53 masquerade random,random-fully,persistent
-udp dport 53 masquerade random,random-fully ;ok
-udp dport 53 masquerade random,random-fully,persistent ;ok
-udp dport 53 masquerade persistent ;ok
-udp dport 53 masquerade persistent,random ;ok ;udp dport 53 masquerade random,persistent
-udp dport 53 masquerade persistent,random,random-fully ;ok ;udp dport 53 masquerade random,random-fully,persistent
-udp dport 53 masquerade persistent,random-fully ;ok ;udp dport 53 masquerade random-fully,persistent
-udp dport 53 masquerade persistent,random-fully,random;ok ;udp dport 53 masquerade random,random-fully,persistent
+udp dport 53 masquerade;ok
+udp dport 53 masquerade random;ok
+udp dport 53 masquerade random,persistent;ok
+udp dport 53 masquerade random,persistent,random-fully;ok;udp dport 53 masquerade random,random-fully,persistent
+udp dport 53 masquerade random,random-fully;ok
+udp dport 53 masquerade random,random-fully,persistent;ok
+udp dport 53 masquerade persistent;ok
+udp dport 53 masquerade persistent,random;ok;udp dport 53 masquerade random,persistent
+udp dport 53 masquerade persistent,random,random-fully;ok;udp dport 53 masquerade random,random-fully,persistent
+udp dport 53 masquerade persistent,random-fully;ok;udp dport 53 masquerade random-fully,persistent
+udp dport 53 masquerade persistent,random-fully,random;ok;udp dport 53 masquerade random,random-fully,persistent
# masquerade is a terminal statement
-tcp dport 22 masquerade counter packets 0 bytes 0 accept ;nok
-tcp sport 22 masquerade accept ;nok
-ip saddr 10.1.1.1 masquerade drop ;nok
+tcp dport 22 masquerade counter packets 0 bytes 0 accept;fail
+tcp sport 22 masquerade accept;fail
+ip saddr 10.1.1.1 masquerade drop;fail
# masquerade with sets
-tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade ;ok
-ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade ;ok ;ip daddr >= 10.0.0.0 ip daddr <= 10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade
-iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade ;ok
+tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade;ok
+ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade;ok;ip daddr >= 10.0.0.0 ip daddr <= 10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade
+iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade;ok
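Review bot: The three `;fail` lines under "# masquerade is a terminal statement" replace ` ;nok`, which the commit message calls invalid, but the message does not say what the test script did with such lines (skipped them, or reported them as errors). Please add a sentence on that, so it is clear whether these negative cases were ever exercised before this change, and whether a failure that appears after applying it points at the parser or at the test file.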
diff --git a/tests/regression/ip6/masquerade.t b/tests/regression/ip6/masquerade.t
index edbf317..c0f8b87 100644
--- a/tests/regression/ip6/masquerade.t
+++ b/tests/regression/ip6/masquerade.t
@@ -2,24 +2,24 @@
:output;type nat hook output priority 0
# nf_nat flags combination
-udp dport 53 masquerade ;ok
-udp dport 53 masquerade random ;ok
-udp dport 53 masquerade random,persistent ;ok
-udp dport 53 masquerade random,persistent,random-fully ;ok ;udp dport 53 masquerade random,random-fully,persistent
-udp dport 53 masquerade random,random-fully ;ok
-udp dport 53 masquerade random,random-fully,persistent ;ok
-udp dport 53 masquerade persistent ;ok
-udp dport 53 masquerade persistent,random ;ok ;udp dport 53 masquerade random,persistent
-udp dport 53 masquerade persistent,random,random-fully ;ok ;udp dport 53 masquerade random,random-fully,persistent
-udp dport 53 masquerade persistent,random-fully ;ok ;udp dport 53 masquerade random-fully,persistent
-udp dport 53 masquerade persistent,random-fully,random;ok ;udp dport 53 masquerade random,random-fully,persistent
+udp dport 53 masquerade;ok
+udp dport 53 masquerade random;ok
+udp dport 53 masquerade random,persistent;ok
+udp dport 53 masquerade random,persistent,random-fully;ok;udp dport 53 masquerade random,random-fully,persistent
+udp dport 53 masquerade random,random-fully;ok
+udp dport 53 masquerade random,random-fully,persistent;ok
+udp dport 53 masquerade persistent;ok
+udp dport 53 masquerade persistent,random;ok;udp dport 53 masquerade random,persistent
+udp dport 53 masquerade persistent,random,random-fully;ok;udp dport 53 masquerade random,random-fully,persistent
+udp dport 53 masquerade persistent,random-fully;ok;udp dport 53 masquerade random-fully,persistent
+udp dport 53 masquerade persistent,random-fully,random;ok;udp dport 53 masquerade random,random-fully,persistent
# masquerade is a terminal statement
-tcp dport 22 masquerade counter packets 0 bytes 0 accept ;nok
-tcp sport 22 masquerade accept ;nok
-ip6 saddr ::1 masquerade drop ;nok
+tcp dport 22 masquerade counter packets 0 bytes 0 accept;fail
+tcp sport 22 masquerade accept;fail
+ip6 saddr ::1 masquerade drop;fail
# masquerade with sets
-tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade ;ok
-ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 masquerade ;ok ;ip6 daddr >= fe00::1 ip6 daddr <= fe00::200 udp dport 53 counter packets 0 bytes 0 masquerade
-iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade ;ok
+tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade;ok
+ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 masquerade;ok;ip6 daddr >= fe00::1 ip6 daddr <= fe00::200 udp dport 53 counter packets 0 bytes 0 masquerade
+iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade;ok
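Review bot: In the "# masquerade with sets" block, the range line carries a third field (`;ok;ip6 daddr >= fe00::1 ip6 daddr <= fe00::200 ...`) while its two neighbours stop at `;ok`, and nothing in the file explains the `rule;ok;expected output` layout or that no space is allowed before the `;`. A short comment at the top of the file describing the field format would guard against the spacing mistake this patch has to fix.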
* [nft PATCH 2/3] tests/regression: redirect: fix invalid syntax
From: Arturo Borrero Gonzalez @ 2014-11-07 11:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
This patch fixes invalid syntax in the redirect test files.
I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
tests/regression/ip/redirect.t | 54 +++++++++++++++++++-------------------
tests/regression/ip6/redirect.t | 56 ++++++++++++++++++++-------------------
2 files changed, 55 insertions(+), 55 deletions(-)
diff --git a/tests/regression/ip/redirect.t b/tests/regression/ip/redirect.t
index 8e0f783..f69fd07 100644
--- a/tests/regression/ip/redirect.t
+++ b/tests/regression/ip/redirect.t
@@ -2,40 +2,40 @@
:output;type nat hook output priority 0
# without arguments
-udp dport 53 redirect ;ok
+udp dport 53 redirect;ok
# nf_nat flags combination
-udp dport 53 redirect random ;ok
-udp dport 53 redirect random,persistent ;ok
-udp dport 53 redirect random,persistent,random-fully ;ok ;udp dport 53 redirect random,random-fully,persistent
-udp dport 53 redirect random,random-fully ;ok
-udp dport 53 redirect random,random-fully,persistent ;ok
-udp dport 53 redirect persistent ;ok
-udp dport 53 redirect persistent,random ;ok ;udp dport 53 redirect random,persistent
-udp dport 53 redirect persistent,random,random-fully ;ok ;udp dport 53 redirect random,random-fully,persistent
-udp dport 53 redirect persistent,random-fully ;ok ;udp dport 53 redirect random-fully,persistent
-udp dport 53 redirect persistent,random-fully,random;ok ;udp dport 53 redirect random,random-fully,persistent
+udp dport 53 redirect random;ok
+udp dport 53 redirect random,persistent;ok
+udp dport 53 redirect random,persistent,random-fully;ok;udp dport 53 redirect random,random-fully,persistent
+udp dport 53 redirect random,random-fully;ok
+udp dport 53 redirect random,random-fully,persistent;ok
+udp dport 53 redirect persistent;ok
+udp dport 53 redirect persistent,random;ok;udp dport 53 redirect random,persistent
+udp dport 53 redirect persistent,random,random-fully;ok;udp dport 53 redirect random,random-fully,persistent
+udp dport 53 redirect persistent,random-fully;ok;udp dport 53 redirect random-fully,persistent
+udp dport 53 redirect persistent,random-fully,random;ok;udp dport 53 redirect random,random-fully,persistent
# port specification
-tcp dport 22 redirect :22 ;ok
-udp dport 1234 redirect :4321 ;ok
-ip daddr 172.16.0.1 udp dport 9998 redirect :6515 ;ok
-tcp dport 39128 redirect :993 ;ok
-redirect :1234 ;nok
-redirect :12341111 ;nok
+tcp dport 22 redirect :22;ok
+udp dport 1234 redirect :4321;ok
+ip daddr 172.16.0.1 udp dport 9998 redirect :6515;ok
+tcp dport 39128 redirect :993;ok
+redirect :1234;fail
+redirect :12341111;fail
# invalid arguments
-tcp dport 9128 redirect :993 random ;nok
-tcp dport 9128 redirect :993 random-fully ;nok
-tcp dport 9128 redirect persistent :123 ;nok
-tcp dport 9128 redirect random,persistent :123 ;nok
+tcp dport 9128 redirect :993 random;fail
+tcp dport 9128 redirect :993 random-fully;fail
+tcp dport 9128 redirect persistent :123;fail
+tcp dport 9128 redirect random,persistent :123;fail
# redirect is a terminal statement
-tcp dport 22 redirect counter packets 0 bytes 0 accept ;nok
-tcp sport 22 redirect accept ;nok
-ip saddr 10.1.1.1 redirect drop ;nok
+tcp dport 22 redirect counter packets 0 bytes 0 accept;fail
+tcp sport 22 redirect accept;fail
+ip saddr 10.1.1.1 redirect drop;fail
# redirect with sets
-tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} redirect ;ok
-ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect ;ok ;ip daddr >= 10.0.0.0 ip daddr <= 10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect
-iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect ;ok
+tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} redirect;ok
+ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect;ok;ip daddr >= 10.0.0.0 ip daddr <= 10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect
+iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect;ok
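Review bot: Under "# port specification", `redirect :12341111;fail` does not isolate the oversized port value, because like `redirect :1234;fail` just above it the line omits the tcp/udp match that every `;ok` line in the block has. Adding a case such as `tcp dport 22 redirect :12341111;fail` would pin the failure to the port number rather than to the missing protocol context.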
diff --git a/tests/regression/ip6/redirect.t b/tests/regression/ip6/redirect.t
index 84ed88f..d972871 100644
--- a/tests/regression/ip6/redirect.t
+++ b/tests/regression/ip6/redirect.t
@@ -2,41 +2,41 @@
:output;type nat hook output priority 0
# with no arguments
-redirect ;ok
-udp dport 954 redirect ;ok
-ip6 saddr fe00::cafe counter packets 0 bytes 0 redirect ;ok
+redirect;ok
+udp dport 954 redirect;ok
+ip6 saddr fe00::cafe counter packets 0 bytes 0 redirect;ok
# nf_nat flags combination
-udp dport 53 redirect random ;ok
-udp dport 53 redirect random,persistent ;ok
-udp dport 53 redirect random,persistent,random-fully ;ok ;udp dport 53 redirect random,random-fully,persistent
-udp dport 53 redirect random,random-fully ;ok
-udp dport 53 redirect random,random-fully,persistent ;ok
-udp dport 53 redirect persistent ;ok
-udp dport 53 redirect persistent,random ;ok ;udp dport 53 redirect random,persistent
-udp dport 53 redirect persistent,random,random-fully ;ok ;udp dport 53 redirect random,random-fully,persistent
-udp dport 53 redirect persistent,random-fully ;ok ;udp dport 53 redirect random-fully,persistent
-udp dport 53 redirect persistent,random-fully,random;ok ;udp dport 53 redirect random,random-fully,persistent
+udp dport 53 redirect random;ok
+udp dport 53 redirect random,persistent;ok
+udp dport 53 redirect random,persistent,random-fully;ok;udp dport 53 redirect random,random-fully,persistent
+udp dport 53 redirect random,random-fully;ok
+udp dport 53 redirect random,random-fully,persistent;ok
+udp dport 53 redirect persistent;ok
+udp dport 53 redirect persistent,random;ok;udp dport 53 redirect random,persistent
+udp dport 53 redirect persistent,random,random-fully;ok;udp dport 53 redirect random,random-fully,persistent
+udp dport 53 redirect persistent,random-fully;ok;udp dport 53 redirect random-fully,persistent
+udp dport 53 redirect persistent,random-fully,random;ok;udp dport 53 redirect random,random-fully,persistent
# port specification
-udp dport 1234 redirect :1234 ;ok
-ip6 daddr fe00::cafe udp dport 9998 redirect :6515 ;ok
-tcp dport 39128 redirect :993 ;ok
-redirect :1234 ;nok
-redirect :12341111 ;nok
+udp dport 1234 redirect :1234;ok
+ip6 daddr fe00::cafe udp dport 9998 redirect :6515;ok
+tcp dport 39128 redirect :993;ok
+redirect :1234;fail
+redirect :12341111;fail
# invalid arguments
-tcp dport 9128 redirect :993 random ;nok
-tcp dport 9128 redirect :993 random-fully ;nok
-tcp dport 9128 redirect persistent :123 ;nok
-tcp dport 9128 redirect random,persistent :123 ;nok
+tcp dport 9128 redirect :993 random;fail
+tcp dport 9128 redirect :993 random-fully;fail
+tcp dport 9128 redirect persistent :123;fail
+tcp dport 9128 redirect random,persistent :123;fail
# redirect is a terminal statement
-tcp dport 22 redirect counter packets 0 bytes 0 accept ;nok
-tcp sport 22 redirect accept ;nok
-ip6 saddr ::1 redirect drop ;nok
+tcp dport 22 redirect counter packets 0 bytes 0 accept;fail
+tcp sport 22 redirect accept;fail
+ip6 saddr ::1 redirect drop;fail
# redirect with sets
-tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} redirect ;ok
-ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 redirect ;ok ;ip6 daddr >= fe00::1 ip6 daddr <= fe00::200 udp dport 53 counter packets 0 bytes 0 redirect
-iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect ;ok
+tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} redirect;ok
+ip6 daddr fe00::1-fe00::200 udp dport 53 counter packets 0 bytes 0 redirect;ok;ip6 daddr >= fe00::1 ip6 daddr <= fe00::200 udp dport 53 counter packets 0 bytes 0 redirect
+iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect;ok
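Review bot: The first block of this file is headed "# with no arguments" and accepts a bare `redirect;ok`, while tests/regression/ip/redirect.t heads the same block "# without arguments" and only has `udp dport 53 redirect;ok`. Since the patch touches both blocks anyway, consider giving the two files the same header and the same cases; the "# port specification" block here also has no counterpart to `tcp dport 22 redirect :22;ok`.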
* [nft PATCH 3/3] parser: allow both nat_flags and port specification in redirect
From: Arturo Borrero Gonzalez @ 2014-11-07 11:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
This patch changes the parser to permit both nat_flags and port specification
in the redirect expression.
The resulting syntax is:
% nft add rule nat prerouting redirect [port] [nat_flags]
The port specification requires a bit of context regarding the transport
protocol. Some examples:
% nft add rule nat prerouting tcp dport 22 redirect :23
% nft add rule nat prerouting udp dport 53 redirect :5353
The nat_flags argument is the last argument:
% nft add rule nat prerouting tcp dport 80 redirect :8080 random
The port specification can be a range:
% nft add rule nat prerouting tcp dport 80 redirect :8080-8090 random
While at it, the regression tests files are updated.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
src/parser.y | 5 +++++
tests/regression/ip/redirect.t | 14 +++++++++-----
tests/regression/ip6/redirect.t | 8 +++++---
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/src/parser.y b/src/parser.y
index 6209e9e..3992c6a 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -1437,6 +1437,11 @@ redir_stmt_arg : COLON expr
{
$<stmt>0->redir.flags = $1;
}
+ | COLON expr nf_nat_flags
+ {
+ $<stmt>0->redir.proto = $2;
+ $<stmt>0->redir.flags = $3;
+ }
;
nf_nat_flags : nf_nat_flag
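Review bot: The new `COLON expr nf_nat_flags` alternative changes the user-visible syntax to `redirect [port] [nat_flags]`, but the diffstat lists only src/parser.y and the two test files, so the ordering rule is recorded only in the commit message. If the redirect statement is described in the documentation, please update it in the same patch; a one-line comment above `redir_stmt_arg` stating that the flags must follow the port would also help the next reader of the grammar.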
diff --git a/tests/regression/ip/redirect.t b/tests/regression/ip/redirect.t
index f69fd07..cb230e2 100644
--- a/tests/regression/ip/redirect.t
+++ b/tests/regression/ip/redirect.t
@@ -24,11 +24,15 @@ tcp dport 39128 redirect :993;ok
redirect :1234;fail
redirect :12341111;fail
-# invalid arguments
-tcp dport 9128 redirect :993 random;fail
-tcp dport 9128 redirect :993 random-fully;fail
-tcp dport 9128 redirect persistent :123;fail
-tcp dport 9128 redirect random,persistent :123;fail
+# both port and nf_nat flags
+tcp dport 9128 redirect :993 random;ok
+tcp dport 9128 redirect :993 random-fully;ok
+tcp dport 9128 redirect :123 persistent;ok
+tcp dport 9128 redirect :123 random,persistent;ok
+
+# nf_nat flags is the last argument
+udp dport 1234 redirect random :123;fail
+udp dport 21234 redirect persistent,random-fully :431;fail
# redirect is a terminal statement
tcp dport 22 redirect counter packets 0 bytes 0 accept;fail
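Review bot: The "# both port and nf_nat flags" block only uses single ports, although the commit message gives `redirect :8080-8090 random` as supported syntax. Please add a range case, for example `tcp dport 80 redirect :8080-8090 random;ok`, so the new grammar alternative is exercised with a range expression as well as with a plain port.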
diff --git a/tests/regression/ip6/redirect.t b/tests/regression/ip6/redirect.t
index d972871..dce4794 100644
--- a/tests/regression/ip6/redirect.t
+++ b/tests/regression/ip6/redirect.t
@@ -25,9 +25,11 @@ tcp dport 39128 redirect :993;ok
redirect :1234;fail
redirect :12341111;fail
-# invalid arguments
-tcp dport 9128 redirect :993 random;fail
-tcp dport 9128 redirect :993 random-fully;fail
+# both port and nf_nat flags
+tcp dport 9128 redirect :993 random;ok
+tcp dport 9128 redirect :993 random-fully,persistent;ok
+
+# nf_nat flags are the last argument
tcp dport 9128 redirect persistent :123;fail
tcp dport 9128 redirect random,persistent :123;fail
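Review bot: The comment "# nf_nat flags are the last argument" differs from "# nf_nat flags is the last argument" in tests/regression/ip/redirect.t, and the cases diverge too: this file tests `:993 random-fully,persistent` and keeps the tcp `persistent :123` lines, while the ip file adds `:123 persistent`, `:123 random,persistent` and two udp failure lines. Using the same wording and the same set of cases in both files would make coverage gaps easier to spot.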
* Re: [nft PATCH 1/3] tests/regression: masquerade: fix invalid syntax
From: Pablo Neira Ayuso @ 2014-11-10 17:22 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Fri, Nov 07, 2014 at 12:39:24PM +0100, Arturo Borrero Gonzalez wrote:
> This patch fixes invalid syntax in the masquerade test files.
>
> I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'.
Applied.
* Re: [nft PATCH 2/3] tests/regression: redirect: fix invalid syntax
From: Pablo Neira Ayuso @ 2014-11-10 17:22 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Fri, Nov 07, 2014 at 12:39:30PM +0100, Arturo Borrero Gonzalez wrote:
> This patch fixes invalid syntax in the redirect test files.
>
> I used ' ;ok' instead of ';ok', and ' ;nok' instead of ';fail'.
Also applied.
* Re: [nft PATCH 3/3] parser: allow both nat_flags and port specification in redirect
From: Pablo Neira Ayuso @ 2014-11-10 17:22 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Fri, Nov 07, 2014 at 12:39:35PM +0100, Arturo Borrero Gonzalez wrote:
> This patch changes the parser to permit both nat_flags and port specification
> in the redirect expression.
>
> The resulting syntax is:
> % nft add rule nat prerouting redirect [port] [nat_flags]
>
> The port specification requires a bit of context regarding the transport
> protocol. Some examples:
> % nft add rule nat prerouting tcp dport 22 redirect :23
> % nft add rule nat prerouting udp dport 53 redirect :5353
>
> The nat_flags argument is the last argument:
> % nft add rule nat prerouting tcp dport 80 redirect :8080 random
>
> The port specification can be a range:
> % nft add rule nat prerouting tcp dport 80 redirect :8080-8090 random
>
> While at it, the regression tests files are updated.
Applied, thanks.