[PATCH nft] tests: py: allow to specify sets with a timeout

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Not usable yet, as the set timeout netlink output isn't captured so far,
but it adds groundwork to add this as a follow-up.

Set definition syntax changes a little, if you want to
add multiple elements they now have to be separated by "," just
like in nftables.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 tests/py/inet/sets.t                | 18 ++++++++++++++++++
 tests/py/inet/sets.t.payload.bridge | 15 +++++++++++++++
 tests/py/inet/sets.t.payload.inet   | 17 +++++++++++++++++
 tests/py/inet/sets.t.payload.netdev | 16 ++++++++++++++++
 tests/py/ip/sets.t                  | 16 ++++++++--------
 tests/py/ip6/sets.t                 |  6 +++---
 tests/py/nft-test.py                | 25 +++++++++++++++++--------
 7 files changed, 94 insertions(+), 19 deletions(-)
 create mode 100644 tests/py/inet/sets.t
 create mode 100644 tests/py/inet/sets.t.payload.bridge
 create mode 100644 tests/py/inet/sets.t.payload.inet
 create mode 100644 tests/py/inet/sets.t.payload.netdev

diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t
new file mode 100644
index 000000000000..8f1cbff7093a
--- /dev/null
+++ b/tests/py/inet/sets.t
@@ -0,0 +1,18 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*inet;test-inet;input
+*bridge;test-inet;input
+*netdev;test-netdev;ingress
+
+!set1 type ipv4_addr timeout 60s;ok
+?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok
+
+!set2 type ipv6_addr timeout 23d23h59m59s;ok
+?set2 dead::beef timeout 1s;ok
+
+ip saddr @set1 drop;ok
+ip saddr != @set2 drop;fail
+
+ip6 daddr != @set2 accept;ok
+ip6 daddr @set1 drop;fail
diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge
new file mode 100644
index 000000000000..6f21f827bc96
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.bridge
@@ -0,0 +1,15 @@
+# ip saddr @set1 drop
+bridge test-inet input 
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+bridge test-inet input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 accept ]
diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet
new file mode 100644
index 000000000000..1584fc07451e
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.inet
@@ -0,0 +1,17 @@
+# ip saddr @set1 drop
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 accept ]
+
+
diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev
new file mode 100644
index 000000000000..9c94e38429fb
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.netdev
@@ -0,0 +1,16 @@
+# ip saddr @set1 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 accept ]
+
diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
index 658579aa499b..7b7e07226492 100644
--- a/tests/py/ip/sets.t
+++ b/tests/py/ip/sets.t
@@ -14,19 +14,19 @@
 ?set1 192.168.3.4;ok
 
 ?set1 192.168.3.4;ok
-?set1 192.168.3.5 192.168.3.6;ok
-?set1 192.168.3.5 192.168.3.6;ok
-?set1 192.168.3.8 192.168.3.9;ok
-?set1 192.168.3.10 192.168.3.11;ok
+?set1 192.168.3.5, 192.168.3.6;ok
+?set1 192.168.3.5, 192.168.3.6;ok
+?set1 192.168.3.8, 192.168.3.9;ok
+?set1 192.168.3.10, 192.168.3.11;ok
 ?set1 1234:1234:1234:1234:1234:1234:1234:1234;fail
 ?set2 192.168.3.4;fail
 
 !set2 type ipv4_addr;ok
 ?set2 192.168.3.4;ok
-?set2 192.168.3.5 192.168.3.6;ok
-?set2 192.168.3.5 192.168.3.6;ok
-?set2 192.168.3.8 192.168.3.9;ok
-?set2 192.168.3.10 192.168.3.11;ok
+?set2 192.168.3.5, 192.168.3.6;ok
+?set2 192.168.3.5, 192.168.3.6;ok
+?set2 192.168.3.8, 192.168.3.9;ok
+?set2 192.168.3.10, 192.168.3.11;ok
 
 ip saddr @set1 drop;ok
 ip saddr != @set1 drop;ok
diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t
index d5bcf74d38c1..5adec53f56ce 100644
--- a/tests/py/ip6/sets.t
+++ b/tests/py/ip6/sets.t
@@ -15,8 +15,8 @@
 ?set2 1234:1234::1234:1234:1234:1234:1234;ok
 ?set2 1234:1234::1234:1234:1234:1234:1234;ok
 ?set2 1234::1234:1234:1234;ok
-?set2 1234:1234:1234:1234:1234::1234:1234 1234:1234::123;ok
-?set2 192.168.3.8 192.168.3.9;fail
+?set2 1234:1234:1234:1234:1234::1234:1234, 1234:1234::123;ok
+?set2 192.168.3.8, 192.168.3.9;fail
 ?set2 1234:1234::1234:1234:1234:1234;ok
 ?set2 1234:1234::1234:1234:1234:1234;ok
 ?set2 1234:1234:1234::1234;ok
@@ -34,7 +34,7 @@ ip6 saddr != @set33 drop;fail
 ?set3 1324:1234:1234:1236::/64;ok
 
 !set4 type ipv6_addr flags interval;ok
-?set4 1234:1234:1234:1234::/64 4321:1234:1234:1234::/64;ok
+?set4 1234:1234:1234:1234::/64,4321:1234:1234:1234::/64;ok
 ?set4 4321:1234:1234:1234:1234:1234::/96;fail
 
 !set5 type ipv6_addr . ipv6_addr;ok
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index d4b22817d766..c00782d3b890 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -77,11 +77,12 @@ class Table:
 class Set:
     """Class that represents a set"""
 
-    def __init__(self, family, table, name, type, flags):
+    def __init__(self, family, table, name, type, timeout, flags):
         self.family = family
         self.table = table
         self.name = name
         self.type = type
+        self.timeout = timeout
         self.flags = flags
 
     def __eq__(self, other):
@@ -321,7 +322,7 @@ def set_add(s, test_result, filename, lineno):
         if flags != "":
             flags = "flags %s; " % flags
 
-        cmd = "add set %s %s { type %s; %s}" % (table, s.name, s.type, flags)
+        cmd = "add set %s %s { type %s;%s %s}" % (table, s.name, s.type, s.timeout, flags)
         ret = execute_cmd(cmd, filename, lineno)
 
         if (ret == 0 and test_result == "fail") or \
@@ -850,22 +851,28 @@ def chain_process(chain_line, lineno):
 
 def set_process(set_line, filename, lineno):
     test_result = set_line[1]
+    timeout=""
 
     tokens = set_line[0].split(" ")
     set_name = tokens[0]
     set_type = tokens[2]
+    set_flags = ""
 
     i = 3
     while len(tokens) > i and tokens[i] == ".":
         set_type += " . " + tokens[i+1]
         i += 2
 
+    if len(tokens) == i+2 and tokens[i] == "timeout":
+        timeout = "timeout " + tokens[i+1] + ";"
+        i += 2
+
     if len(tokens) == i+2 and tokens[i] == "flags":
         set_flags = tokens[i+1]
-    else:
-        set_flags = ""
+    elif len(tokens) != i:
+        print_error(set_name + " bad flag: " + tokens[i], filename, lineno)
 
-    s = Set("", "", set_name, set_type, set_flags)
+    s = Set("", "", set_name, set_type, timeout, set_flags)
 
     ret = set_add(s, test_result, filename, lineno)
     if ret == 0:
@@ -876,9 +883,11 @@ def set_process(set_line, filename, lineno):
 
 def set_element_process(element_line, filename, lineno):
     rule_state = element_line[1]
-    set_name = element_line[0].split(" ")[0]
-    set_element = element_line[0].split(" ")
-    set_element.remove(set_name)
+    element_line = element_line[0]
+    space = element_line.find(" ")
+    set_name = element_line[:space]
+    set_element = element_line[space:].split(",")
+
     return set_add_elements(set_element, set_name, rule_state, filename, lineno)
 
 
-- 
2.17.0

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux