Not usable yet, as the set timeout netlink output isn't captured so far, but it adds groundwork to add this as a follow-up. Set definition syntax changes a little, if you want to add multiple elements they now have to be separated by "," just like in nftables.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
tests/py/inet/sets.t | 18 ++++++++++++++++++
tests/py/inet/sets.t.payload.bridge | 15 +++++++++++++++
tests/py/inet/sets.t.payload.inet | 17 +++++++++++++++++
tests/py/inet/sets.t.payload.netdev | 16 ++++++++++++++++
tests/py/ip/sets.t | 16 ++++++++--------
tests/py/ip6/sets.t | 6 +++---
tests/py/nft-test.py | 25 +++++++++++++++++--------
7 files changed, 94 insertions(+), 19 deletions(-)
create mode 100644 tests/py/inet/sets.t
create mode 100644 tests/py/inet/sets.t.payload.bridge
create mode 100644 tests/py/inet/sets.t.payload.inet
create mode 100644 tests/py/inet/sets.t.payload.netdev
diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t
new file mode 100644
index 000000000000..8f1cbff7093a
--- /dev/null
+++ b/tests/py/inet/sets.t
@@ -0,0 +1,18 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*inet;test-inet;input
+*bridge;test-inet;input
+*netdev;test-netdev;ingress
+
+!set1 type ipv4_addr timeout 60s;ok
+?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok
+
+!set2 type ipv6_addr timeout 23d23h59m59s;ok
+?set2 dead::beef timeout 1s;ok
+
+ip saddr @set1 drop;ok
+ip saddr != @set2 drop;fail
+
+ip6 daddr != @set2 accept;ok
+ip6 daddr @set1 drop;fail
diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge
new file mode 100644
index 000000000000..6f21f827bc96
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.bridge
@@ -0,0 +1,15 @@
+# ip saddr @set1 drop
+bridge test-inet input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set1 ]
+ [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+bridge test-inet input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
+ [ payload load 16b @ network header + 24 => reg 1 ]
+ [ lookup reg 1 set set2 0x1 ]
+ [ immediate reg 0 accept ]
diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet
new file mode 100644
index 000000000000..1584fc07451e
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.inet
@@ -0,0 +1,17 @@
+# ip saddr @set1 drop
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set1 ]
+ [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 16b @ network header + 24 => reg 1 ]
+ [ lookup reg 1 set set2 0x1 ]
+ [ immediate reg 0 accept ]
+
+
diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev
new file mode 100644
index 000000000000..9c94e38429fb
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.netdev
@@ -0,0 +1,16 @@
+# ip saddr @set1 drop
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set1 ]
+ [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
+ [ payload load 16b @ network header + 24 => reg 1 ]
+ [ lookup reg 1 set set2 0x1 ]
+ [ immediate reg 0 accept ]
+
diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
index 658579aa499b..7b7e07226492 100644
--- a/tests/py/ip/sets.t
+++ b/tests/py/ip/sets.t
@@ -14,19 +14,19 @@ ?set1 192.168.3.4;ok ?set1 192.168.3.4;ok -?set1 192.168.3.5 192.168.3.6;ok -?set1 192.168.3.5 192.168.3.6;ok -?set1 192.168.3.8 192.168.3.9;ok -?set1 192.168.3.10 192.168.3.11;ok +?set1 192.168.3.5, 192.168.3.6;ok +?set1 192.168.3.5, 192.168.3.6;ok +?set1 192.168.3.8, 192.168.3.9;ok +?set1 192.168.3.10, 192.168.3.11;ok ?set1 1234:1234:1234:1234:1234:1234:1234:1234;fail ?set2 192.168.3.4;fail !set2 type ipv4_addr;ok ?set2 192.168.3.4;ok -?set2 192.168.3.5 192.168.3.6;ok -?set2 192.168.3.5 192.168.3.6;ok -?set2 192.168.3.8 192.168.3.9;ok -?set2 192.168.3.10 192.168.3.11;ok +?set2 192.168.3.5, 192.168.3.6;ok +?set2 192.168.3.5, 192.168.3.6;ok +?set2 192.168.3.8, 192.168.3.9;ok +?set2 192.168.3.10, 192.168.3.11;ok ip saddr @set1 drop;ok ip saddr != @set1 drop;ok diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t index d5bcf74d38c1..5adec53f56ce 100644 --- a/tests/py/ip6/sets.t +++ b/tests/py/ip6/sets.t @@ -15,8 +15,8 @@ ?set2 1234:1234::1234:1234:1234:1234:1234;ok ?set2 1234:1234::1234:1234:1234:1234:1234;ok ?set2 1234::1234:1234:1234;ok -?set2 1234:1234:1234:1234:1234::1234:1234 1234:1234::123;ok -?set2 192.168.3.8 192.168.3.9;fail +?set2 1234:1234:1234:1234:1234::1234:1234, 1234:1234::123;ok +?set2 192.168.3.8, 192.168.3.9;fail ?set2 1234:1234::1234:1234:1234:1234;ok ?set2 1234:1234::1234:1234:1234:1234;ok ?set2 1234:1234:1234::1234;ok @@ -34,7 +34,7 @@ ip6 saddr != @set33 drop;fail ?set3 1324:1234:1234:1236::/64;ok !set4 type ipv6_addr flags interval;ok -?set4 1234:1234:1234:1234::/64 4321:1234:1234:1234::/64;ok +?set4 1234:1234:1234:1234::/64,4321:1234:1234:1234::/64;ok ?set4 4321:1234:1234:1234:1234:1234::/96;fail !set5 type ipv6_addr . ipv6_addr;ok diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index d4b22817d766..c00782d3b890 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py 
@@ -77,11 +77,12 @@ class Table: class Set: """Class that represents a set""" - def __init__(self, family, table, name, type, flags): + def __init__(self, family, table, name, type, timeout, flags): self.family = family self.table = table self.name = name self.type = type + self.timeout = timeout self.flags = flags def __eq__(self, other): @@ -321,7 +322,7 @@ def set_add(s, test_result, filename, lineno): if flags != "": flags = "flags %s; " % flags - cmd = "add set %s %s { type %s; %s}" % (table, s.name, s.type, flags) + cmd = "add set %s %s { type %s;%s %s}" % (table, s.name, s.type, s.timeout, flags) ret = execute_cmd(cmd, filename, lineno) if (ret == 0 and test_result == "fail") or \ @@ -850,22 +851,28 @@ def chain_process(chain_line, lineno): def set_process(set_line, filename, lineno): test_result = set_line[1] + timeout="" tokens = set_line[0].split(" ") set_name = tokens[0] set_type = tokens[2] + set_flags = "" i = 3 while len(tokens) > i and tokens[i] == ".": set_type += " . " + tokens[i+1] i += 2 + if len(tokens) == i+2 and tokens[i] == "timeout": + timeout = "timeout " + tokens[i+1] + ";" + i += 2 + if len(tokens) == i+2 and tokens[i] == "flags": set_flags = tokens[i+1] - else: - set_flags = "" + elif len(tokens) != i: + print_error(set_name + " bad flag: " + tokens[i], filename, lineno) - s = Set("", "", set_name, set_type, set_flags) + s = Set("", "", set_name, set_type, timeout, set_flags) ret = set_add(s, test_result, filename, lineno) if ret == 0: 
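Review bot: In the first hunk `timeout` is inserted before `flags` in `Set.__init__`, so any positional caller that is not updated would silently pass its flags as the timeout; only the call in `set_process` is visible in this patch. The attribute is also stored as a ready-made clause (`"timeout 60s;"`, built in `set_process`) while `flags` holds the raw value and is formatted in `set_add`, so the `"type %s;%s %s}"` format string in the second hunk relies on an undocumented contract. I would pass both by keyword at the call site, `Set("", "", set_name, set_type, timeout=timeout, flags=set_flags)`, and document the attribute with a comment such as `# pre-formatted "timeout <value>;" clause, or "" when the set has no timeout`. The class body continues outside the hunk, so whether `__eq__` should take the timeout into account cannot be judged from here.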
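Review bot: The new timeout check in `set_process` requires `len(tokens) == i+2`, so a definition that carries both a timeout and flags never matches it: the branch is skipped, the flags test fails as well, and the line ends in the `bad flag` error naming `timeout`. Using `if len(tokens) >= i+2 and tokens[i] == "timeout":` lets the following flags check see the remaining tokens. After `print_error` the function still goes on to build the `Set` and call `set_add`; unless `print_error` aborts (not visible here), returning early would keep a malformed line from being executed as a half-parsed definition. `timeout=""` should also be written `timeout = ""` to match the surrounding assignments.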
@@ -876,9 +883,11 @@ def set_process(set_line, filename, lineno): def set_element_process(element_line, filename, lineno): rule_state = element_line[1] - set_name = element_line[0].split(" ")[0] - set_element = element_line[0].split(" ") - set_element.remove(set_name) + element_line = element_line[0] + space = element_line.find(" ") + set_name = element_line[:space] + set_element = element_line[space:].split(",") + return set_add_elements(set_element, set_name, rule_state, filename, lineno) -- 2.17.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
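Review bot: `element_line.find(" ")` returns -1 when the line contains no space, and the two slices then produce a set name with its last character cut off plus a one-character element instead of an error. The pieces returned by `split(",")` also keep their surrounding whitespace (`" 192.168.3.5"`, `" 192.168.3.6"`), so `"a, b"` and `"a,b"` hand different strings to `set_add_elements`; whether that function tolerates this is not visible in the hunk. `set_name, _, rest = element_line.partition(" ")` followed by `set_element = [e.strip() for e in rest.split(",")]` covers both cases, with an error reported when `rest` is empty. Rebinding the `element_line` parameter from the (line, result) pair to a string is easy to misread; a new local name would be clearer.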