From patchwork Wed Oct 2 19:38:45 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1992154
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 1/9] json: Support typeof in set and map types
Date: Wed, 2 Oct 2024 21:38:45 +0200
Message-ID: <20241002193853.13818-2-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

Implement this as a special "type" property value which is an object with sole property "typeof". The latter's value is the JSON representation of the expression in set->key, so for concatenated typeofs it is a concat expression.

All this is a bit clumsy right now but it works and it should be possible to tear it down a bit for more user-friendliness in a compatible way by either replacing the concat expression by the array it contains or even the whole "typeof" object - the parser would just assume any object (or objects in an array) in the "type" property value are expressions to extract a type from.

Signed-off-by: Phil Sutter --- doc/libnftables-json.adoc | 7 ++- src/json.c | 13 ++++- src/parser_json.c | 9 +++ tests/monitor/testcases/map-expr.t | 2 +- tests/monitor/testcases/set-concat-interval.t | 3 + .../maps/dumps/0012map_concat_0.json-nft | 21 +++++-- .../maps/dumps/0017_map_variable_0.json-nft | 18 +++++- .../maps/dumps/named_limits.json-nft | 55 ++++++++++++++++--- .../dumps/typeof_maps_add_delete.json-nft | 9 ++- .../maps/dumps/typeof_maps_update_0.json-nft | 9 ++- .../maps/dumps/vmap_timeout.json-nft | 22 ++++++-- .../packetpath/dumps/set_lookups.json-nft | 42 +++++++++++--- .../sets/dumps/0048set_counters_0.json-nft | 9 ++- .../testcases/sets/dumps/inner_0.json-nft | 34 ++++++++++-- .../set_element_timeout_updates.json-nft | 9 ++- 15 files changed, 222 insertions(+), 40 deletions(-) diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc index a8a6165fde59d..593d407c924e9 100644 --- a/doc/libnftables-json.adoc +++ b/doc/libnftables-json.adoc @@ -341,7 +341,7 @@ ____ "auto-merge":* 'BOOLEAN' *}}* -'SET_TYPE' := 'STRING' | *[* 'SET_TYPE_LIST' *]* +'SET_TYPE' := 'STRING' | *[* 'SET_TYPE_LIST' *]* | *{ "typeof":* 'EXPRESSION' *}* 'SET_TYPE_LIST' := 'STRING' [*,* 'SET_TYPE_LIST' ] 'SET_POLICY' := *"performance"* | *"memory"* 'SET_FLAG_LIST' := 'SET_FLAG' [*,* 'SET_FLAG_LIST' ] @@ -381,8 +381,9 @@ that they translate a unique key to a value. Automatic merging of adjacent/overlapping set elements in interval sets. ==== TYPE -The set type might be a string, such as *"ipv4_addr"* or an array -consisting of strings (for concatenated types). +The set type might be a string, such as *"ipv4_addr"*, an array +consisting of strings (for concatenated types) or a *typeof* object containing +an expression to extract the type from. ==== ELEM A single set element might be given as string, integer or boolean value for diff --git a/src/json.c b/src/json.c index b1531ff3f4c9e..1f609bf2b03e9 100644 --- a/src/json.c +++ b/src/json.c 
@@ -96,6 +96,17 @@ static json_t *set_dtype_json(const struct expr *key) return root; } +static json_t *set_key_dtype_json(const struct set *set, + struct output_ctx *octx) +{ + bool use_typeof = set->key_typeof_valid; + + if (!use_typeof) + return set_dtype_json(set->key); + + return json_pack("{s:o}", "typeof", expr_print_json(set->key, octx)); +} + static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) { char buf[1024]; @@ -158,7 +169,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) "family", family2str(set->handle.family), "name", set->handle.set.name, "table", set->handle.table.name, - "type", set_dtype_json(set->key), + "type", set_key_dtype_json(set, octx), "handle", set->handle.handle.id); if (set->comment) diff --git a/src/parser_json.c b/src/parser_json.c index bbe3b1c59192c..f8200db1fe114 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -1729,7 +1729,16 @@ static struct expr *json_parse_dtype_expr(struct json_ctx *ctx, json_t *root) compound_expr_add(expr, i); } return expr; + } else if (json_is_object(root)) { + const char *key; + json_t *val; + + if (!json_unpack_stmt(ctx, root, &key, &val) && + !strcmp(key, "typeof")) { + return json_parse_expr(ctx, val); + } } + json_error(ctx, "Invalid set datatype."); return NULL; } diff --git a/tests/monitor/testcases/map-expr.t b/tests/monitor/testcases/map-expr.t index 8729c0b44ee2c..d11ad0ebc0d57 100644 --- a/tests/monitor/testcases/map-expr.t +++ b/tests/monitor/testcases/map-expr.t 
@@ -3,4 +3,4 @@ I add table ip t I add map ip t m { typeof meta day . meta hour : verdict; flags interval; counter; } O - J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}} -J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": ["day", "hour"], "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}} +J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": {"typeof": {"concat": [{"meta": {"key": "day"}}, {"meta": {"key": "hour"}}]}}, "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}} diff --git a/tests/monitor/testcases/set-concat-interval.t b/tests/monitor/testcases/set-concat-interval.t index 763dc319f0d13..3542b8225ebd1 100644 --- a/tests/monitor/testcases/set-concat-interval.t +++ b/tests/monitor/testcases/set-concat-interval.t @@ -10,3 +10,6 @@ I add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; elem O add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; } O add element ip t s { 20-80 . 0x14 : accept } O add element ip t s { 1-10 . 0xa : drop } +J {"add": {"map": {"family": "ip", "name": "s", "table": "t", "type": {"typeof": {"concat": [{"payload": {"protocol": "udp", "field": "length"}}, {"payload": {"base": "ih", "offset": 32, "len": 32}}]}}, "handle": 0, "map": "verdict", "flags": ["interval"]}}} +J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [[{"concat": [{"range": [20, 80]}, 20]}, {"accept": null}]]}}}} +J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [[{"concat": [{"range": [1, 10]}, 10]}, {"drop": null}]]}}}} diff --git a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft index 000522365df9f..88bf4984dbde7 100644 --- a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft +++ b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft 
@@ -31,10 +31,23 @@ "family": "ip", "name": "w", "table": "x", - "type": [ - "ipv4_addr", - "mark" - ], + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + } + }, "handle": 0, "map": "verdict", "flags": [ diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft index 725498cdcbef8..8eacf612d12fb 100644 --- a/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft +++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft @@ -19,7 +19,14 @@ "family": "ip", "name": "y", "table": "x", - "type": "ipv4_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, "handle": 0, "map": "mark", "elem": [ @@ -39,7 +46,14 @@ "family": "ip", "name": "z", "table": "x", - "type": "ipv4_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, "handle": 0, "map": "mark", "elem": [ diff --git a/tests/shell/testcases/maps/dumps/named_limits.json-nft b/tests/shell/testcases/maps/dumps/named_limits.json-nft index 7fa1298103832..3c6845ac43b42 100644 --- a/tests/shell/testcases/maps/dumps/named_limits.json-nft +++ b/tests/shell/testcases/maps/dumps/named_limits.json-nft @@ -75,7 +75,14 @@ "family": "inet", "name": "tarpit4", "table": "filter", - "type": "ipv4_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, "handle": 0, "size": 10000, "flags": [ @@ -90,7 +97,14 @@ "family": "inet", "name": "tarpit6", "table": "filter", - "type": "ipv6_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + }, "handle": 0, "size": 10000, "flags": [ 
@@ -105,11 +119,29 @@ "family": "inet", "name": "addr4limit", "table": "filter", - "type": [ - "inet_proto", - "ipv4_addr", - "inet_service" - ], + "type": { + "typeof": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "sport" + } + } + ] + } + }, "handle": 0, "map": "limit", "flags": [ @@ -244,7 +276,14 @@ "family": "inet", "name": "saddr6limit", "table": "filter", - "type": "ipv6_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + }, "handle": 0, "map": "limit", "flags": [ diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft index b3204a283d0ad..effe02dcf8364 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft @@ -39,7 +39,14 @@ "family": "ip", "name": "dynmark", "table": "dynset", - "type": "ipv4_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + }, "handle": 0, "map": "mark", "size": 64, diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft index 1d50477d783df..731514663b1aa 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft @@ -50,7 +50,14 @@ "family": "ip", "name": "sticky-set-svc-153CN2XYVUHRQ7UB", "table": "kube-nfproxy-v4", - "type": "ipv4_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + }, "handle": 0, "map": "mark", "size": 65535, diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft index 1c3aa590f846e..71e9a9ee9f21b 100644 
--- a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft +++ b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft @@ -87,10 +87,24 @@ "family": "inet", "name": "portaddrmap", "table": "filter", - "type": [ - "ipv4_addr", - "inet_service" - ], + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + } + }, "handle": 0, "map": "verdict", "flags": [ diff --git a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft index 24363f9071b22..bcf6914e95cb9 100644 --- a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft +++ b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft @@ -60,10 +60,23 @@ "family": "ip", "name": "s2", "table": "t", - "type": [ - "ipv4_addr", - "iface_index" - ], + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + } + }, "handle": 0, "elem": [ { @@ -113,10 +126,23 @@ "family": "ip", "name": "nomatch", "table": "t", - "type": [ - "ipv4_addr", - "iface_index" - ], + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + } + }, "handle": 0, "elem": [ { diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft index 62a6a177b7776..4be4112bf7935 100644 --- a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft @@ -31,7 +31,14 @@ "family": "ip", "name": "y", "table": "x", - "type": "ipv4_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, "handle": 0, "elem": [ { 
diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft index 8d84e1ccecb9f..e5dc198f436be 100644 --- a/tests/shell/testcases/sets/dumps/inner_0.json-nft +++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft @@ -27,10 +27,26 @@ "family": "netdev", "name": "x", "table": "x", - "type": [ - "ipv4_addr", - "ipv4_addr" - ], + "type": { + "typeof": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + } + }, "handle": 0, "elem": [ { @@ -47,7 +63,15 @@ "family": "netdev", "name": "y", "table": "x", - "type": "ipv4_addr", + "type": { + "typeof": { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + } + }, "handle": 0, "size": 65535, "flags": [ diff --git a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft index aa908297e49ea..d92d8d7a54940 100644 --- a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft +++ b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft 
@@ -31,7 +31,14 @@ "family": "ip", "name": "s", "table": "t", - "type": "ipv4_addr", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, "handle": 0, "flags": [ "timeout"
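Review bot: in src/parser_json.c, the new json_is_object() branch of json_parse_dtype_expr() returns whatever json_parse_expr() accepts as the set key, with no check that the expression is one that can follow typeof. This JSON can come from tools other than nft itself, so either reject unsuitable expression types here or add a comment stating that a later stage is expected to do so. An object whose single key is not "typeof" falls through to the generic "Invalid set datatype." message; including the offending key in that error would make malformed input easier to diagnose.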
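Review bot: in src/json.c, set_print_json() now emits "type" as an object whenever set->key_typeof_valid is set, and the updated dumps show this replacing values that used to be a string or an array of strings (for example "type": "ipv4_addr" in 0017_map_variable_0.json-nft). Consumers that read "type" as a string or array will stop working on rulesets they handled before, so the TYPE paragraph in doc/libnftables-json.adoc should state that output uses the typeof form for such sets, not only that input accepts it. The use_typeof local in set_key_dtype_json() is read once and can be replaced by testing set->key_typeof_valid directly.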
From patchwork Wed Oct 2 19:38:46 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1992158
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 2/9] tests: py: Fix for storing payload into missing file
Date: Wed, 2 Oct 2024 21:38:46 +0200
Message-ID: <20241002193853.13818-3-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

When running a test for which no corresponding *.payload file exists, the *.payload.got file name was incorrectly constructed due to 'payload_path' variable not being set.

Fixes: 2cfab7a3e10fc ("tests/py: Write dissenting payload into the right file")
Signed-off-by: Phil Sutter
--- tests/py/nft-test.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index 00799e281d566..7acdb77f2d0a2 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py
@@ -769,10 +769,9 @@ def set_delete_elements(set_element, set_name, table, filename=None, if rule[1].strip() == "ok": payload_expected = None - payload_path = None + payload_path = "%s.payload" % filename_path try: - payload_log = open("%s.payload" % filename_path) - payload_path = payload_log.name + payload_log = open(payload_path) payload_expected = payload_find_expected(payload_log, rule[0]) except: payload_log = None
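Review bot: in tests/py/nft-test.py, the open(payload_path) call and the payload_find_expected() call still sit under a bare except:, so a permission error or an exception raised while searching the file is treated exactly like a missing .payload file. Narrowing the handler to FileNotFoundError (or OSError, if other I/O failures should be tolerated) would keep this fix while letting unrelated errors surface instead of silently setting payload_log = None.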
From patchwork Wed Oct 2 19:38:47 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1992150
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 3/9] monitor: Recognize flowtable add/del events
Date: Wed, 2 Oct 2024 21:38:47 +0200
Message-ID: <20241002193853.13818-4-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

These were entirely ignored before, add the necessary code analogous to e.g. objects.

Signed-off-by: Phil Sutter
--- include/json.h | 10 ++++ include/netlink.h | 1 + include/rule.h | 1 + src/json.c | 6 +++ src/monitor.c | 61 ++++++++++++++++++++++ src/parser_json.c | 6 +++ src/rule.c | 15 ++++++ tests/monitor/testcases/flowtable-simple.t | 10 ++++ 8 files changed, 110 insertions(+) create mode 100644 tests/monitor/testcases/flowtable-simple.t diff --git a/include/json.h b/include/json.h index 39be8928e8ee0..0670b8714519b 100644 --- a/include/json.h +++ b/include/json.h @@ -11,6 +11,7 @@ struct nlmsghdr; struct rule; struct set; struct obj; +struct flowtable; struct stmt; struct symbol_table; struct table;
@@ -113,6 +114,8 @@ void monitor_print_element_json(struct netlink_mon_handler *monh, const char *cmd, struct set *s); void monitor_print_obj_json(struct netlink_mon_handler *monh, const char *cmd, struct obj *o); +void monitor_print_flowtable_json(struct netlink_mon_handler *monh, + const char *cmd, struct flowtable *ft); void monitor_print_rule_json(struct netlink_mon_handler *monh, const char *cmd, struct rule *r); @@ -254,6 +257,13 @@ static inline void monitor_print_obj_json(struct netlink_mon_handler *monh, /* empty */ } +static inline void +monitor_print_flowtable_json(struct netlink_mon_handler *monh, + const char *cmd, struct flowtable *ft) +{ + /* empty */ +} + static inline void monitor_print_rule_json(struct netlink_mon_handler *monh, const char *cmd, struct rule *r) { diff --git a/include/netlink.h b/include/netlink.h index cf7ba3693885a..e9667a24b0d11 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -97,6 +97,7 @@ extern struct nftnl_table *netlink_table_alloc(const struct nlmsghdr *nlh); extern struct nftnl_chain *netlink_chain_alloc(const struct nlmsghdr *nlh); extern struct nftnl_set *netlink_set_alloc(const struct nlmsghdr *nlh); extern struct nftnl_obj *netlink_obj_alloc(const struct nlmsghdr *nlh); +extern struct nftnl_flowtable *netlink_flowtable_alloc(const struct nlmsghdr *nlh); extern struct nftnl_rule *netlink_rule_alloc(const struct nlmsghdr *nlh); struct nft_data_linearize { diff --git a/include/rule.h b/include/rule.h index 5b3e12b5d7dcf..75166b48446f5 100644 --- a/include/rule.h +++ b/include/rule.h @@ -551,6 +551,7 @@ extern struct flowtable *flowtable_lookup_fuzzy(const char *ft_name, const struct table **table); void flowtable_print(const struct flowtable *n, struct output_ctx *octx); +void flowtable_print_plain(const struct flowtable *ft, struct output_ctx *octx); /** * enum cmd_ops - command operations diff --git a/src/json.c b/src/json.c index 1f609bf2b03e9..64a6888f9e0ac 100644 --- a/src/json.c +++ b/src/json.c 
@@ -2108,6 +2108,12 @@ void monitor_print_obj_json(struct netlink_mon_handler *monh, monitor_print_json(monh, cmd, obj_print_json(o)); } +void monitor_print_flowtable_json(struct netlink_mon_handler *monh, + const char *cmd, struct flowtable *ft) +{ + monitor_print_json(monh, cmd, flowtable_print_json(ft)); +} + void monitor_print_rule_json(struct netlink_mon_handler *monh, const char *cmd, struct rule *r) { diff --git a/src/monitor.c b/src/monitor.c index 2fc16d6776a28..a787db8cbf5a3 100644 --- a/src/monitor.c +++ b/src/monitor.c @@ -127,6 +127,19 @@ struct nftnl_obj *netlink_obj_alloc(const struct nlmsghdr *nlh) return nlo; } +struct nftnl_flowtable *netlink_flowtable_alloc(const struct nlmsghdr *nlh) +{ + struct nftnl_flowtable *nlf; + + nlf = nftnl_flowtable_alloc(); + if (nlf == NULL) + memory_allocation_error(); + if (nftnl_flowtable_nlmsg_parse(nlh, nlf) < 0) + netlink_abi_error(); + + return nlf; +} + static uint32_t netlink_msg2nftnl_of(uint32_t type, uint16_t flags) { switch (type) { 
@@ -542,6 +555,50 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type, return MNL_CB_OK; } +static int netlink_events_flowtable_cb(const struct nlmsghdr *nlh, int type, + struct netlink_mon_handler *monh) +{ + const char *family, *cmd; + struct nftnl_flowtable *nlf; + struct flowtable *ft; + + nlf = netlink_flowtable_alloc(nlh); + + ft = netlink_delinearize_flowtable(monh->ctx, nlf); + if (!ft) { + nftnl_flowtable_free(nlf); + return MNL_CB_ERROR; + } + family = family2str(ft->handle.family); + cmd = netlink_msg2cmd(type, nlh->nlmsg_flags); + + switch (monh->format) { + case NFTNL_OUTPUT_DEFAULT: + nft_mon_print(monh, "%s ", cmd); + + switch (type) { + case NFT_MSG_NEWFLOWTABLE: + flowtable_print_plain(ft, &monh->ctx->nft->output); + break; + case NFT_MSG_DELFLOWTABLE: + nft_mon_print(monh, "flowtable %s %s %s", family, + ft->handle.table.name, + ft->handle.flowtable.name); + break; + } + nft_mon_print(monh, "\n"); + break; + case NFTNL_OUTPUT_JSON: + monitor_print_flowtable_json(monh, cmd, ft); + if (!nft_output_echo(&monh->ctx->nft->output)) + nft_mon_print(monh, "\n"); + break; + } + flowtable_free(ft); + nftnl_flowtable_free(nlf); + return MNL_CB_OK; +} + static void rule_map_decompose_cb(struct set *s, void *data) { if (!set_is_anonymous(s->flags)) @@ -962,6 +1019,10 @@ static int netlink_events_cb(const struct nlmsghdr *nlh, void *data) case NFT_MSG_DELOBJ: ret = netlink_events_obj_cb(nlh, type, monh); break; + case NFT_MSG_NEWFLOWTABLE: + case NFT_MSG_DELFLOWTABLE: + ret = netlink_events_flowtable_cb(nlh, type, monh); + break; case NFT_MSG_NEWGEN: ret = netlink_events_newgen_cb(nlh, type, monh); break; diff --git a/src/parser_json.c b/src/parser_json.c index f8200db1fe114..bcc216e12e51c 100644 --- a/src/parser_json.c +++ b/src/parser_json.c 
@@ -4421,6 +4421,7 @@ static int json_echo_error(struct netlink_mon_handler *monh, static uint64_t handle_from_nlmsg(const struct nlmsghdr *nlh) { + struct nftnl_flowtable *nlf; struct nftnl_table *nlt; struct nftnl_chain *nlc; struct nftnl_rule *nlr; @@ -4457,6 +4458,11 @@ static uint64_t handle_from_nlmsg(const struct nlmsghdr *nlh) handle = nftnl_obj_get_u64(nlo, NFTNL_OBJ_HANDLE); nftnl_obj_free(nlo); break; + case NFT_MSG_NEWFLOWTABLE: + nlf = netlink_flowtable_alloc(nlh); + handle = nftnl_flowtable_get_u64(nlf, NFTNL_FLOWTABLE_HANDLE); + nftnl_flowtable_free(nlf); + break; } return handle; } diff --git a/src/rule.c b/src/rule.c index 9bc160ec0d888..dc6b9d89fc967 100644 --- a/src/rule.c +++ b/src/rule.c @@ -2155,6 +2155,21 @@ void flowtable_print(const struct flowtable *s, struct output_ctx *octx) do_flowtable_print(s, &opts, octx); } +void flowtable_print_plain(const struct flowtable *ft, struct output_ctx *octx) +{ + struct print_fmt_options opts = { + .tab = "", + .nl = " ", + .table = ft->handle.table.name, + .family = family2str(ft->handle.family), + .stmt_separator = "; ", + }; + + flowtable_print_declaration(ft, &opts, octx); + nft_print(octx, "}"); +} + + struct flowtable *flowtable_lookup_fuzzy(const char *ft_name, const struct nft_cache *cache, const struct table **t) diff --git a/tests/monitor/testcases/flowtable-simple.t b/tests/monitor/testcases/flowtable-simple.t new file mode 100644 index 0000000000000..df8eccbd91e0a --- /dev/null +++ b/tests/monitor/testcases/flowtable-simple.t 
@@ -0,0 +1,10 @@ +# setup first +I add table ip t +I add flowtable ip t ft { hook ingress priority 0; devices = { lo }; } +O - +J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}} +J {"add": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "lo"}}} + +I delete flowtable ip t ft +O - +J {"delete": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "lo"}}} From patchwork Wed Oct 2 19:38:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1992159 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=dsbraUPJ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-4208-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XJlVz3TC4z1xtY for ; Thu, 3 Oct 2024 05:39:23 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id B93FC1C2331C for ; Wed, 2 Oct 2024 19:39:21 +0000 (UTC) Received: from localhost.localdomain 
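Review bot: the double blank line left after flowtable_print_plain() in the src/rule.c hunk should be reduced to one, and the new function deserves a short comment. It is the single-line variant of flowtable_print(), built on an empty .tab, a " " .nl and a "; " statement separator, and it closes the brace itself with nft_print(octx, "}"). Saying so next to the prototype in include/rule.h would spare the next reader from working that out from the print_fmt_options initializer.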
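Review bot: tests/monitor/testcases/flowtable-simple.t only covers a flowtable with a single device (devices = { lo }), so the expected JSON always carries "dev": "lo" as a plain string. Monitor output for a flowtable with two or more devices, where the dumps elsewhere in this series show "dev" as a list, is not exercised. A second add/delete pair with two device names would cover both the plain flowtable_print_plain() output and the JSON list form.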
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 4/9] tests: monitor: Run in own netns
Date: Wed, 2 Oct 2024 21:38:48 +0200
Message-ID: <20241002193853.13818-5-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

Have the script call itself prefixed by unshare. This won't prevent clashing test case contents, but at least leave the host netns alone.

Signed-off-by: Phil Sutter
--- tests/monitor/run-tests.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh index f1ac790acf80c..214512d269e8d 100755 --- a/tests/monitor/run-tests.sh +++ b/tests/monitor/run-tests.sh @@ -120,6 +120,14 @@ echo_run_test() { return $rc } +netns=true +for arg in "$@"; do + [[ "$arg" == "--no-netns" ]] && netns=false +done +if $netns; then + exec unshare -n $0 --no-netns "$@" +fi + testcases="" while [ -n "$1" ]; do case "$1" in 
@@ -131,6 +139,9 @@ while [ -n "$1" ]; do test_json=true shift ;; + --no-netns) + shift + ;; -H|--host) nft=nft shift From patchwork Wed Oct 2 19:38:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1992151 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=e28bWNfj; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-4200-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XJlVk4FLwz1xtY for ; Thu, 3 Oct 2024 05:39:10 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 1CC061C230B8 for ; Wed, 2 Oct 2024 19:39:08 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 696B5215F7D; Wed, 2 Oct 2024 19:39:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="e28bWNfj" X-Original-To: netfilter-devel@vger.kernel.org 
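Review bot: $0 is expanded unquoted in the re-exec line added to tests/monitor/run-tests.sh, exec unshare -n $0 --no-netns "$@", so a checkout path containing whitespace is split into several words and the re-exec picks up the wrong command; write "$0" as is already done for "$@". The block also has no fallback: if unshare is missing or not permitted to create a network namespace, the run ends there without executing any test. A short error message pointing at --no-netns, and a mention of the option wherever the script documents its other switches, would make that failure understandable.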
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 5/9] mnl: Support simple wildcards in netdev hooks
Date: Wed, 2 Oct 2024 21:38:49 +0200
Message-ID: <20241002193853.13818-6-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

When building NFTA_FLOWTABLE_HOOK_DEVS, NFTA_HOOK_DEV or NFTA_HOOK_DEVS attributes, detect trailing asterisks in interface names and reduce attribute length accordingly. Kernel will use strncmp(), effectively performing a prefix search this way.

Deserialization (i.e., appending asterisk to interface names which don't include a trailing nul-char) happens in libnftnl.

Signed-off-by: Phil Sutter
--- src/mnl.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/mnl.c b/src/mnl.c index db53a60b43cb9..4faf027ce1027 100644 --- a/src/mnl.c +++ b/src/mnl.c 
@@ -787,18 +787,24 @@ static void mnl_nft_chain_devs_build(struct nlmsghdr *nlh, struct cmd *cmd) { const struct expr *dev_expr = cmd->chain->dev_expr; const struct nft_dev *dev_array; + int i, len, num_devs = 0; struct nlattr *nest_dev; - int i, num_devs = 0; dev_array = nft_dev_array(dev_expr, &num_devs); if (num_devs == 1) { cmd_add_loc(cmd, nlh->nlmsg_len, dev_array[0].location); - mnl_attr_put_strz(nlh, NFTA_HOOK_DEV, dev_array[0].ifname); + len = strlen(dev_array[0].ifname) + 1; + if (dev_array[0].ifname[len - 2] == '*') + len -= 2; + mnl_attr_put(nlh, NFTA_HOOK_DEV, len, dev_array[0].ifname); } else { nest_dev = mnl_attr_nest_start(nlh, NFTA_HOOK_DEVS); for (i = 0; i < num_devs; i++) { cmd_add_loc(cmd, nlh->nlmsg_len, dev_array[i].location); - mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev_array[i].ifname); + len = strlen(dev_array[i].ifname) + 1; + if (dev_array[i].ifname[len - 2] == '*') + len -= 2; + mnl_attr_put(nlh, NFTA_DEVICE_NAME, len, dev_array[i].ifname); mnl_attr_nest_end(nlh, nest_dev); } } 
@@ -1999,14 +2005,17 @@ static void mnl_nft_ft_devs_build(struct nlmsghdr *nlh, struct cmd *cmd) { const struct expr *dev_expr = cmd->flowtable->dev_expr; const struct nft_dev *dev_array; + int i, len, num_devs = 0; struct nlattr *nest_dev; - int i, num_devs= 0; dev_array = nft_dev_array(dev_expr, &num_devs); nest_dev = mnl_attr_nest_start(nlh, NFTA_FLOWTABLE_HOOK_DEVS); for (i = 0; i < num_devs; i++) { cmd_add_loc(cmd, nlh->nlmsg_len, dev_array[i].location); - mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev_array[i].ifname); + len = strlen(dev_array[i].ifname) + 1; + if (dev_array[i].ifname[len - 2] == '*') + len -= 2; + mnl_attr_put(nlh, NFTA_DEVICE_NAME, len, dev_array[i].ifname); } mnl_attr_nest_end(nlh, nest_dev); From patchwork Wed Oct 2 19:38:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1992153 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=BGPNSNGf; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-4202-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XJlVp5C0Pz1xtY for ; Thu, 3 Oct 2024 05:39:14 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using 
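Review bot: the wildcard test ifname[len - 2] == '*' in mnl_nft_chain_devs_build() has no lower bound on the name length. For an empty ifname, strlen() is 0, len is 1 and the index is -1, which reads one byte before the string. For a name that is just "*", len drops to 0 and an empty attribute is sent, which under the strncmp() prefix matching described in the commit message would be a prefix of every interface name. Unless both inputs are guaranteed to be rejected earlier, only strip the asterisk when strlen() is at least 2 (or decide explicitly what a bare "*" should mean) and say so in a comment.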
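Review bot: mnl_nft_ft_devs_build() gets a third copy of the strlen() + 1 / len - 2 / len -= 2 sequence, with the same unchecked index as the two copies in mnl_nft_chain_devs_build(). A small static helper that takes the ifname and returns the attribute length would keep the three call sites identical. It would also give one place to document the convention that a trailing asterisk means the prefix is sent without its NUL terminator, while a plain name is sent with it, as mnl_attr_put_strz() did before.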
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 6/9] parser_bison: Accept ASTERISK_STRING in flowtable_expr_member
Date: Wed, 2 Oct 2024 21:38:50 +0200
Message-ID: <20241002193853.13818-7-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

All clauses are identical, so instead of adding a third one for ASTERISK_STRING, use a single one for 'string' (which combines all three variants).

Signed-off-by: Phil Sutter
--- src/parser_bison.y | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/src/parser_bison.y b/src/parser_bison.y index e2936d10efe4c..d9cf2cd25c2f0 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y 
@@ -2477,16 +2477,7 @@ flowtable_list_expr : flowtable_expr_member | flowtable_list_expr COMMA opt_newline ; -flowtable_expr_member : QUOTED_STRING - { - struct expr *expr = ifname_expr_alloc(&@$, state->msgs, $1); - - if (!expr) - YYERROR; - - $$ = expr; - } - | STRING +flowtable_expr_member : string { struct expr *expr = ifname_expr_alloc(&@$, state->msgs, $1); From patchwork Wed Oct 2 19:38:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1992155 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=gHpz+5kW; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=147.75.199.223; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-4204-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [147.75.199.223]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XJlVs5q98z1xtY for ; Thu, 3 Oct 2024 05:39:17 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id DD8171C23285 for ; Wed, 2 Oct 2024 19:39:15 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 51FA3216A1D; Wed, 2 Oct 2024 19:39:03 +0000 (UTC) 
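Review bot: nothing in this patch tests the newly accepted input. With flowtable_expr_member reduced to the single string alternative, a devices entry written with an asterisk now reaches ifname_expr_alloc(), but no test case here declares a flowtable with such an entry and lists it back. Adding one, together with its dump, would pin the grammar change. It would also show how ifname_expr_alloc() treats an asterisk-only or over-long name on the YYERROR path, which this hunk does not let a reviewer judge.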
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 7/9] tests: shell: Adjust to ifname-based flowtables
Date: Wed, 2 Oct 2024 21:38:51 +0200
Message-ID: <20241002193853.13818-8-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

Removed interfaces will remain in place in dumps. Also drop transactions/0050rule_1 test entirely: It won't fail anymore as the flowtable is accepted despite the non-existent interfaces and thus the test as a whole does not work anymore.

Signed-off-by: Phil Sutter --- .../chains/dumps/netdev_chain_0.json-nft | 17 +++++++++++++++++ .../testcases/chains/dumps/netdev_chain_0.nft | 3 +++ .../netdev_chain_dormant_autoremove.json-nft | 5 ++++- .../dumps/netdev_chain_dormant_autoremove.nft | 2 +- .../dumps/0012flowtable_variable_0.json-nft | 10 ++++++++-- .../dumps/0012flowtable_variable_0.nft | 4 ++-- .../testcases/json/dumps/netdev.json-nft | 13 +++++++++++++ tests/shell/testcases/json/dumps/netdev.nft | 3 +++ .../listing/dumps/0020flowtable_0.json-nft | 6 ++++-- .../listing/dumps/0020flowtable_0.nft | 2 ++ tests/shell/testcases/transactions/0050rule_1 | 19 ------------------- .../transactions/dumps/0050rule_1.json-nft | 11 ----------- .../transactions/dumps/0050rule_1.nft | 0 13 files changed, 57 insertions(+), 38 deletions(-) delete mode 100755 tests/shell/testcases/transactions/0050rule_1 delete mode 100644 tests/shell/testcases/transactions/dumps/0050rule_1.json-nft delete mode 100644 tests/shell/testcases/transactions/dumps/0050rule_1.nft diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft index 7d78bd6757034..13e9f6bb016f7 100644 --- a/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft +++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft @@ -13,6 +13,23 @@ "name": "x", "handle": 0 } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "y", + "handle": 0, + "dev": [ + "d0", + "d1", + "d2" + ], + "type": "filter", + "hook": "ingress", + "prio": 0, + "policy": "accept" + } } ] } diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft index aa571e00885fe..6606d5bc3f608 100644 --- a/tests/shell/testcases/chains/dumps/netdev_chain_0.nft +++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft 
@@ -1,2 +1,5 @@ table netdev x { + chain y { + type filter hook ingress devices = { d0, d1, d2 } priority filter; policy accept; + } } diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.json-nft b/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.json-nft index 9151d42f17d91..88b8958f4d86e 100644 --- a/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.json-nft +++ b/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.json-nft @@ -21,7 +21,10 @@ "table": "test", "name": "ingress", "handle": 0, - "dev": "dummy1", + "dev": [ + "dummy0", + "dummy1" + ], "type": "filter", "hook": "ingress", "prio": 0, diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.nft b/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.nft index aad7cb6337734..f4bd9556b3e03 100644 --- a/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.nft +++ b/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.nft @@ -2,6 +2,6 @@ table netdev test { flags dormant chain ingress { - type filter hook ingress device "dummy1" priority filter; policy drop; + type filter hook ingress devices = { dummy0, dummy1 } priority filter; policy drop; } } diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft index 10f1df98874ab..20da08fb2fc29 100644 --- a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft @@ -22,7 +22,10 @@ "handle": 0, "hook": "ingress", "prio": 0, - "dev": "lo" + "dev": [ + "dummy1", + "lo" + ] } }, { @@ -40,7 +43,10 @@ "handle": 0, "hook": "ingress", "prio": 0, - "dev": "lo" + "dev": [ + "dummy1", + "lo" + ] } } ] 
diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft index df1c51a247033..1cbb2f1103f03 100644 --- a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft @@ -1,14 +1,14 @@ table ip filter1 { flowtable Main_ft1 { hook ingress priority filter - devices = { lo } + devices = { dummy1, lo } counter } } table ip filter2 { flowtable Main_ft2 { hook ingress priority filter - devices = { lo } + devices = { dummy1, lo } counter } } diff --git a/tests/shell/testcases/json/dumps/netdev.json-nft b/tests/shell/testcases/json/dumps/netdev.json-nft index e0d2bfb4385b7..6eb19a17b31d9 100644 --- a/tests/shell/testcases/json/dumps/netdev.json-nft +++ b/tests/shell/testcases/json/dumps/netdev.json-nft @@ -13,6 +13,19 @@ "name": "test_table", "handle": 0 } + }, + { + "chain": { + "family": "netdev", + "table": "test_table", + "name": "test_chain", + "handle": 0, + "dev": "d0", + "type": "filter", + "hook": "ingress", + "prio": 0, + "policy": "accept" + } } ] } diff --git a/tests/shell/testcases/json/dumps/netdev.nft b/tests/shell/testcases/json/dumps/netdev.nft index 3c568ed3eb38d..373ea0a46d600 100644 --- a/tests/shell/testcases/json/dumps/netdev.nft +++ b/tests/shell/testcases/json/dumps/netdev.nft @@ -1,2 +1,5 @@ table netdev test_table { + chain test_chain { + type filter hook ingress device "d0" priority filter; policy accept; + } } diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft index d511739abd4b6..b1b3a5fba34a0 100644 --- a/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft +++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft @@ -32,7 +32,8 @@ "table": "filter", "handle": 0, "hook": "ingress", - "prio": 0 + "prio": 0, + "dev": "d0" } }, { 
@@ -60,7 +61,8 @@ "table": "filter", "handle": 0, "hook": "ingress", - "prio": 0 + "prio": 0, + "dev": "d0" } } ] diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft index 4a64e531db840..59fcbec8e5130 100644 --- a/tests/shell/testcases/listing/dumps/0020flowtable_0.nft +++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft @@ -6,6 +6,7 @@ table inet filter { flowtable f2 { hook ingress priority filter + devices = { d0 } } } table ip filter { @@ -16,5 +17,6 @@ table ip filter { flowtable f2 { hook ingress priority filter + devices = { d0 } } } diff --git a/tests/shell/testcases/transactions/0050rule_1 b/tests/shell/testcases/transactions/0050rule_1 deleted file mode 100755 index 89e5f42fc9f4d..0000000000000 --- a/tests/shell/testcases/transactions/0050rule_1 +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -set -e - -RULESET="table inet filter { - flowtable ftable { - hook ingress priority 0; devices = { eno1, eno0, x }; - } - -chain forward { - type filter hook forward priority 0; policy drop; - - ip protocol { tcp, udp } ct mark and 1 == 1 counter flow add @ftable - ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter flow add @ftable - ct mark and 30 == 30 ct state established,related log prefix \"nftables accept: \" level info accept - } -}" - -$NFT -f - <<< "$RULESET" >/dev/null || exit 0 diff --git a/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft b/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft deleted file mode 100644 index 546cc5977db61..0000000000000 --- a/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft +++ /dev/null @@ -1,11 +0,0 @@ -{ - "nftables": [ - { - "metainfo": { - "version": "VERSION", - "release_name": "RELEASE_NAME", - "json_schema_version": 1 - } - } - ] -} 
diff --git a/tests/shell/testcases/transactions/dumps/0050rule_1.nft b/tests/shell/testcases/transactions/dumps/0050rule_1.nft deleted file mode 100644 index e69de29bb2d1d..0000000000000 From patchwork Wed Oct 2 19:38:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1992152 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=P8VjmBTs; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-4201-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XJlVm0fjDz1xtY for ; Thu, 3 Oct 2024 05:39:12 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 3BB0D1C2351F for ; Wed, 2 Oct 2024 19:39:10 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 367AE216A11; Wed, 2 Oct 2024 19:39:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="P8VjmBTs" 
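Review bot: deleting tests/shell/testcases/transactions/0050rule_1 together with both of its dumps removes the visible check that a failed load containing a flowtable leaves no ruleset behind. The script tolerated the failure with `$NFT -f - <<< "$RULESET" >/dev/null || exit 0`, and the dumps (an empty .nft file and a metainfo-only JSON) were what asserted the rollback. If listing the devices `eno1, eno0, x` no longer makes the load fail, consider keeping the test and triggering the abort some other way, so the rollback path stays covered.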
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 8/9] tests: monitor: Support running external commands
Date: Wed, 2 Oct 2024 21:38:52 +0200
Message-ID: <20241002193853.13818-9-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

Accept '@'-prefixed lines mixed in between 'I'-prefixed ones and apply
nft input and run commands in specified ordering.

To keep things simple, ignore such test cases when in echo mode for now.

Signed-off-by: Phil Sutter
---
 tests/monitor/run-tests.sh | 61 ++++++++++++++++++++++++++++++++++----
 1 file changed, 56 insertions(+), 5 deletions(-)

diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh index 214512d269e8d..36fc800c10520 100755 --- a/tests/monitor/run-tests.sh +++ b/tests/monitor/run-tests.sh
@@ -59,6 +59,44 @@ json_output_filter() { # (filename) # unify handle values sed -i -e 's/\("handle":\) [0-9][0-9]*/\1 0/g' "$1" } +apply_commands_from_file() { # (command_file) + grep -q '^# run: ' $1 || { + $nft -f - <$1 || { + err "nft command failed!" + return 1 + } + return 0 + } + local nft_cmd="" + local sep="" + local line="" + while read line; do + [[ $line =~ ^#\ run: ]] || { + nft_cmd+="$sep$line" + sep="; " + continue + } + [[ -n $nft_cmd ]] && { + $nft -f - <<<"$nft_cmd" || { + err "nft command failed!" + return 1 + } + } + nft_cmd="" + sep="" + ${line#\# run: } || { + err "custom command failed!" + return 1 + } + done <$1 + [[ -n $nft_cmd ]] && { + $nft -f - <<<"$nft_cmd" || { + err "nft command failed!" + return 1 + } + } + return 0 +} monitor_run_test() { monitor_output=$(mktemp -p $testdir) monitor_args="" @@ -74,10 +112,7 @@ monitor_run_test() { echo "command file:" cat $command_file } - $nft -f - <$command_file || { - err "nft command failed!" - rc=1 - } + apply_commands_from_file $command_file || rc=1 sleep 0.5 kill $monitor_pid wait >/dev/null 2>&1 @@ -103,6 +138,17 @@ echo_run_test() { echo "command file:" cat $command_file } + grep -q '^# run: ' $command_file && { + $debug && { + echo "skipping unsuitable test case in command file:" + cat $command_file + } + rm $command_file + rm $output_file + touch $command_file + touch $output_file + return 0 + } $nft -nn -e -f - <$command_file >$echo_output || { err "nft command failed!" rc=1 
@@ -182,18 +228,23 @@ for variant in $variants; do # O add table ip t # I add chain ip t c # O add chain ip t c + # I + # @ + # I + # O ... $nft flush ruleset input_complete=false while read dir line; do case $dir in - I) + I|@) $input_complete && { $run_test let "rc += $?" } input_complete=false + [[ $dir == '@' ]] && line="# run: $line" cmd_append "$line" ;; O) From patchwork Wed Oct 2 19:38:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1992157 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=U+aHybMR; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=147.75.48.161; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-4206-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [147.75.48.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XJlVx2WR1z1xtY for ; Thu, 3 Oct 2024 05:39:21 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 9C6DDB23EBD for ; Wed, 2 Oct 2024 19:39:20 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7CC64216A26; Wed, 2 Oct 2024 19:39:04 +0000 (UTC) 
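Review bot: in apply_commands_from_file() (tests/monitor/run-tests.sh), `${line#\# run: }` executes the rest of the line through unquoted expansion, so an '@' line is word-split and glob-expanded against the current directory and cannot carry quoting, pipes or redirections; that restriction is not documented anywhere in the hunk. The loop also uses `while read line` without -r and passes `$1` unquoted to grep and to both redirections. Because every error path does `return 1` immediately, any later '@' line that was meant to clean up (an `ip link del`, for instance) is never run after a failure. Suggest `read -r`, quoting "$1", a short comment describing what an '@' line may contain, and a note that test case files are now executed as commands with the privileges of the test run. The in-band marker is a further catch: an 'I' line whose text begins with "# run: " would be executed rather than fed to nft.

Review bot: in echo_run_test() the new `grep -q '^# run: ' $command_file && {` block returns 0 and only says so under $debug, so a skipped test case is indistinguishable from a passed one in normal output. Print the "skipping unsuitable test case" message unconditionally, or count skips separately, so that a run does not appear to have echo-mode coverage it lacks. The rm/touch pairs could also be replaced by truncating both files in place.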
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 9/9] monitor: Support NFT_MSG_(NEW|DEL)DEV events
Date: Wed, 2 Oct 2024 21:38:53 +0200
Message-ID: <20241002193853.13818-10-phil@nwl.cc>
In-Reply-To: <20241002193853.13818-1-phil@nwl.cc>
References: <20241002193853.13818-1-phil@nwl.cc>

Kernels with name-based netdev hooks emit these messages when a device
is added to or removed from an existing flowtable or netdev-family
base-chain.

This patch depends on respective support code in libnftnl.

Signed-off-by: Phil Sutter
---
 include/json.h | 10 ++++
 include/linux/netfilter/nf_tables.h | 10 ++++
 src/json.c | 27 +++++++++
 src/monitor.c | 64 +++++++++++++++++++++
 tests/monitor/testcases/chain-netdev.t | 66 ++++++++++++++++++++++
 tests/monitor/testcases/flowtable-simple.t | 56 ++++++++++++++++++
 6 files changed, 233 insertions(+)
 create mode 100644 tests/monitor/testcases/chain-netdev.t

diff --git a/include/json.h b/include/json.h index 0670b8714519b..10a75ba050a6c 100644 --- a/include/json.h +++ b/include/json.h
@@ -20,6 +20,7 @@ struct nft_ctx; struct location; struct output_ctx; struct list_head; +struct nftnl_device; #ifdef HAVE_LIBJANSSON @@ -118,6 +119,8 @@ void monitor_print_flowtable_json(struct netlink_mon_handler *monh, const char *cmd, struct flowtable *ft); void monitor_print_rule_json(struct netlink_mon_handler *monh, const char *cmd, struct rule *r); +void monitor_print_device_json(struct netlink_mon_handler *monh, + const char *cmd, struct nftnl_device *nld); int json_events_cb(const struct nlmsghdr *nlh, struct netlink_mon_handler *monh); @@ -270,6 +273,13 @@ static inline void monitor_print_rule_json(struct netlink_mon_handler *monh, /* empty */ } +static inline void +monitor_print_device_json(struct netlink_mon_handler *monh, + const char *cmd, struct nftnl_device *nld) +{ + /* empty */ +} + static inline int json_events_cb(const struct nlmsghdr *nlh, struct netlink_mon_handler *monh) { diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index c62e6ac563988..206d90b190951 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -142,6 +142,8 @@ enum nf_tables_msg_types { NFT_MSG_DESTROYOBJ, NFT_MSG_DESTROYFLOWTABLE, NFT_MSG_GETSETELEM_RESET, + NFT_MSG_NEWDEV, + NFT_MSG_DELDEV, NFT_MSG_MAX, }; 
@@ -1761,10 +1763,18 @@ enum nft_synproxy_attributes { * enum nft_device_attributes - nf_tables device netlink attributes * * @NFTA_DEVICE_NAME: name of this device (NLA_STRING) + * @NFTA_DEVICE_TABLE: table containing the flowtable or chain hooking into the device (NLA_STRING) + * @NFTA_DEVICE_FLOWTABLE: flowtable hooking into the device (NLA_STRING) + * @NFTA_DEVICE_CHAIN: chain hooking into the device (NLA_STRING) + * @NFTA_DEVICE_SPEC: hook spec matching the device (NLA_STRING) */ enum nft_devices_attributes { NFTA_DEVICE_UNSPEC, NFTA_DEVICE_NAME, + NFTA_DEVICE_TABLE, + NFTA_DEVICE_FLOWTABLE, + NFTA_DEVICE_CHAIN, + NFTA_DEVICE_SPEC, __NFTA_DEVICE_MAX }; #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1) diff --git a/src/json.c b/src/json.c index 64a6888f9e0ac..02f21bb6b0d92 100644 --- a/src/json.c +++ b/src/json.c @@ -17,6 +17,8 @@ #include #include "nftutils.h" +#include + #include #include #include @@ -2122,6 +2124,31 @@ void monitor_print_rule_json(struct netlink_mon_handler *monh, monitor_print_json(monh, cmd, rule_print_json(octx, r)); } +void monitor_print_device_json(struct netlink_mon_handler *monh, + const char *cmd, struct nftnl_device *nld) +{ + int32_t family = nftnl_device_get_s32(nld, NFTNL_DEVICE_FAMILY); + const char *key, *val; + json_t *root; + + if (nftnl_device_is_set(nld, NFTNL_DEVICE_CHAIN)) { + key = "chain"; + val = nftnl_device_get_str(nld, NFTNL_DEVICE_CHAIN); + } else if (nftnl_device_is_set(nld, NFTNL_DEVICE_FLOWTABLE)) { + key = "flowtable"; + val = nftnl_device_get_str(nld, NFTNL_DEVICE_FLOWTABLE); + } else { + return; + } + root = json_pack("{s:{s:s, s:s, s:s, s:s, s:s}}", "device", + "family", family2str(family), + "table", nftnl_device_get_str(nld, NFTNL_DEVICE_TABLE), + key, val, + "name", nftnl_device_get_str(nld, NFTNL_DEVICE_NAME), + "spec", nftnl_device_get_str(nld, NFTNL_DEVICE_SPEC)); + monitor_print_json(monh, cmd, root); +} + void json_alloc_echo(struct nft_ctx *nft) { nft->json_echo = json_array(); 
diff --git a/src/monitor.c b/src/monitor.c index a787db8cbf5a3..3d53f62a61280 100644 --- a/src/monitor.c +++ b/src/monitor.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -154,6 +155,7 @@ static uint32_t netlink_msg2nftnl_of(uint32_t type, uint16_t flags) case NFT_MSG_NEWSETELEM: case NFT_MSG_NEWOBJ: case NFT_MSG_NEWFLOWTABLE: + case NFT_MSG_NEWDEV: if (flags & NLM_F_EXCL) return NFT_OF_EVENT_CREATE; else @@ -165,6 +167,7 @@ static uint32_t netlink_msg2nftnl_of(uint32_t type, uint16_t flags) case NFT_MSG_DELRULE: case NFT_MSG_DELOBJ: case NFT_MSG_DELFLOWTABLE: + case NFT_MSG_DELDEV: return NFTNL_OF_EVENT_DEL; } 
@@ -599,6 +602,61 @@ static int netlink_events_flowtable_cb(const struct nlmsghdr *nlh, int type, return MNL_CB_OK; } +static struct nftnl_device *netlink_device_alloc(const struct nlmsghdr *nlh) +{ + struct nftnl_device *nld; + + nld = nftnl_device_alloc(); + if (nld == NULL) + memory_allocation_error(); + if (nftnl_device_nlmsg_parse(nlh, nld) < 0) + netlink_abi_error(); + + return nld; +} + +static int netlink_events_dev_cb(const struct nlmsghdr *nlh, int type, + struct netlink_mon_handler *monh) +{ + struct nftnl_device *nld = netlink_device_alloc(nlh); + const char *cmd, *obj; + uint32_t objattr; + int32_t family; + + if (nftnl_device_is_set(nld, NFTNL_DEVICE_CHAIN)) { + objattr = NFTNL_DEVICE_CHAIN; + obj = "chain"; + } else if (nftnl_device_is_set(nld, NFTNL_DEVICE_FLOWTABLE)) { + objattr = NFTNL_DEVICE_FLOWTABLE; + obj = "flowtable"; + } else { + return MNL_CB_ERROR; + } + + cmd = netlink_msg2cmd(type, nlh->nlmsg_flags); + family = nftnl_device_get_s32(nld, NFTNL_DEVICE_FAMILY); + + switch (monh->format) { + case NFTNL_OUTPUT_DEFAULT: + nft_mon_print(monh, "%s device %s %s %s %s hook %s { %s }", + cmd, obj, family2str(family), + nftnl_device_get_str(nld, NFTNL_DEVICE_TABLE), + nftnl_device_get_str(nld, objattr), + nftnl_device_get_str(nld, NFTNL_DEVICE_SPEC), + nftnl_device_get_str(nld, NFTNL_DEVICE_NAME)); + nft_mon_print(monh, "\n"); + break; + case NFTNL_OUTPUT_JSON: + monitor_print_device_json(monh, cmd, nld); + if (!nft_output_echo(&monh->ctx->nft->output)) + nft_mon_print(monh, "\n"); + break; + } + + nftnl_device_free(nld); + return MNL_CB_OK; +} + static void rule_map_decompose_cb(struct set *s, void *data) { if (!set_is_anonymous(s->flags)) 
@@ -921,6 +979,8 @@ static const char *const nftnl_msg_types[NFT_MSG_MAX] = { [NFT_MSG_NEWGEN] = "NFT_MSG_NEWGEN", [NFT_MSG_NEWOBJ] = "NFT_MSG_NEWOBJ", [NFT_MSG_DELOBJ] = "NFT_MSG_DELOBJ", + [NFT_MSG_NEWDEV] = "NFT_MSG_NEWDEV", + [NFT_MSG_DELDEV] = "NFT_MSG_DELDEV", }; static const char *nftnl_msgtype2str(uint16_t type) @@ -1026,6 +1086,10 @@ static int netlink_events_cb(const struct nlmsghdr *nlh, void *data) case NFT_MSG_NEWGEN: ret = netlink_events_newgen_cb(nlh, type, monh); break; + case NFT_MSG_NEWDEV: + case NFT_MSG_DELDEV: + ret = netlink_events_dev_cb(nlh, type, monh); + break; } return ret; diff --git a/tests/monitor/testcases/chain-netdev.t b/tests/monitor/testcases/chain-netdev.t new file mode 100644 index 0000000000000..3c004af0cd855 --- /dev/null +++ b/tests/monitor/testcases/chain-netdev.t 
@@ -0,0 +1,66 @@ +# setup first +I add table netdev t +I add chain netdev t c { type filter hook ingress devices = { lo } priority 0; policy accept; } +O - +J {"add": {"table": {"family": "netdev", "name": "t", "handle": 0}}} +J {"add": {"chain": {"family": "netdev", "table": "t", "name": "c", "handle": 0, "dev": "lo", "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} + +I delete chain netdev t c +O delete chain netdev t c { type filter hook ingress devices = { lo } priority 0; policy accept; } +J {"delete": {"chain": {"family": "netdev", "table": "t", "name": "c", "handle": 0, "dev": "lo", "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} + +I add chain netdev t c { type filter hook ingress devices = { eth1337, lo } priority 0; policy accept; } +O - +J {"add": {"chain": {"family": "netdev", "table": "t", "name": "c", "handle": 0, "dev": ["eth1337", "lo"], "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} + +@ ip link add eth1337 type dummy +O add device chain netdev t c hook eth1337 { eth1337 } +J {"add": {"device": {"family": "netdev", "table": "t", "chain": "c", "name": "eth1337", "spec": "eth1337"}}} + +@ ip link del eth1337 +O delete device chain netdev t c hook eth1337 { eth1337 } +J {"delete": {"device": {"family": "netdev", "table": "t", "chain": "c", "name": "eth1337", "spec": "eth1337"}}} + +I delete chain netdev t c +O delete chain netdev t c { type filter hook ingress devices = { eth1337, lo } priority 0; policy accept; } +J {"delete": {"chain": {"family": "netdev", "table": "t", "name": "c", "handle": 0, "dev": ["eth1337", "lo"], "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} + +I add chain netdev t c { type filter hook ingress devices = { wild* } priority 0; } +@ ip link add wild23 type dummy +@ ip link add wild42 type dummy +@ ip link del wild23 +I delete chain netdev t c +O add chain netdev t c { type filter hook ingress devices = { wild* } priority 0; policy accept; 
} +O add device chain netdev t c hook wild* { wild23 } +O add device chain netdev t c hook wild* { wild42 } +O delete device chain netdev t c hook wild* { wild23 } +O delete chain netdev t c { type filter hook ingress devices = { wild* } priority 0; policy accept; } +J {"add": {"chain": {"family": "netdev", "table": "t", "name": "c", "handle": 0, "dev": "wild*", "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} +J {"add": {"device": {"family": "netdev", "table": "t", "chain": "c", "name": "wild23", "spec": "wild*"}}} +J {"add": {"device": {"family": "netdev", "table": "t", "chain": "c", "name": "wild42", "spec": "wild*"}}} +J {"delete": {"device": {"family": "netdev", "table": "t", "chain": "c", "name": "wild23", "spec": "wild*"}}} +J {"delete": {"chain": {"family": "netdev", "table": "t", "name": "c", "handle": 0, "dev": "wild*", "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} + +I add chain netdev t c { type filter hook ingress devices = { wild* } priority 0; } +I add chain netdev t c2 { type filter hook ingress devices = { wald* } priority 0; } +@ ip link add wild23 type dummy +@ ip link set wild42 name wald42 +@ ip link del wild23 +I delete chain netdev t c +I delete chain netdev t c2 +O add chain netdev t c { type filter hook ingress devices = { wild* } priority 0; policy accept; } +O add chain netdev t c2 { type filter hook ingress devices = { wald* } priority 0; policy accept; } +O add device chain netdev t c hook wild* { wild23 } +O add device chain netdev t c2 hook wald* { wald42 } +O delete device chain netdev t c hook wild* { wald42 } +O delete device chain netdev t c hook wild* { wild23 } +O delete chain netdev t c { type filter hook ingress devices = { wild* } priority 0; policy accept; } +O delete chain netdev t c2 { type filter hook ingress devices = { wald* } priority 0; policy accept; } +J {"add": {"chain": {"family": "netdev", "table": "t", "name": "c", "handle": 0, "dev": "wild*", "type": "filter", 
"hook": "ingress", "prio": 0, "policy": "accept"}}} +J {"add": {"chain": {"family": "netdev", "table": "t", "name": "c2", "handle": 0, "dev": "wald*", "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} +J {"add": {"device": {"family": "netdev", "table": "t", "chain": "c", "name": "wild23", "spec": "wild*"}}} +J {"add": {"device": {"family": "netdev", "table": "t", "chain": "c2", "name": "wald42", "spec": "wald*"}}} +J {"delete": {"device": {"family": "netdev", "table": "t", "chain": "c", "name": "wald42", "spec": "wild*"}}} +J {"delete": {"device": {"family": "netdev", "table": "t", "chain": "c", "name": "wild23", "spec": "wild*"}}} +J {"delete": {"chain": {"family": "netdev", "table": "t", "name": "c", "handle": 0, "dev": "wild*", "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} +J {"delete": {"chain": {"family": "netdev", "table": "t", "name": "c2", "handle": 0, "dev": "wald*", "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}} diff --git a/tests/monitor/testcases/flowtable-simple.t b/tests/monitor/testcases/flowtable-simple.t index df8eccbd91e0a..113b15f20d1dc 100644 --- a/tests/monitor/testcases/flowtable-simple.t +++ b/tests/monitor/testcases/flowtable-simple.t 
@@ -8,3 +8,59 @@ J {"add": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0 I delete flowtable ip t ft O - J {"delete": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "lo"}}} + +I add flowtable ip t ft { hook ingress priority 0; devices = { eth1337, lo }; } +O - +J {"add": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": ["eth1337", "lo"]}}} + +@ ip link add eth1337 type dummy +O add device flowtable ip t ft hook eth1337 { eth1337 } +J {"add": {"device": {"family": "ip", "table": "t", "flowtable": "ft", "name": "eth1337", "spec": "eth1337"}}} + +@ ip link del eth1337 +O delete device flowtable ip t ft hook eth1337 { eth1337 } +J {"delete": {"device": {"family": "ip", "table": "t", "flowtable": "ft", "name": "eth1337", "spec": "eth1337"}}} + +I delete flowtable ip t ft +O - +J {"delete": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": ["eth1337", "lo"]}}} + +I add flowtable ip t ft { hook ingress priority 0; devices = { wild* }; } +@ ip link add wild23 type dummy +@ ip link add wild42 type dummy +@ ip link del wild23 +I delete flowtable ip t ft +O add flowtable ip t ft { hook ingress priority 0; devices = { wild* }; } +O add device flowtable ip t ft hook wild* { wild23 } +O add device flowtable ip t ft hook wild* { wild42 } +O delete device flowtable ip t ft hook wild* { wild23 } +O delete flowtable ip t ft +J {"add": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "wild*"}}} +J {"add": {"device": {"family": "ip", "table": "t", "flowtable": "ft", "name": "wild23", "spec": "wild*"}}} +J {"add": {"device": {"family": "ip", "table": "t", "flowtable": "ft", "name": "wild42", "spec": "wild*"}}} +J {"delete": {"device": {"family": "ip", "table": "t", "flowtable": "ft", "name": "wild23", "spec": "wild*"}}} +J 
{"delete": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "wild*"}}} + +I add flowtable ip t ft { hook ingress priority 0; devices = { wild* }; } +I add flowtable ip t ft2 { hook ingress priority 0; devices = { wald* }; } +@ ip link add wild23 type dummy +@ ip link set wild42 name wald42 +@ ip link del wild23 +I delete flowtable ip t ft +I delete flowtable ip t ft2 +O add flowtable ip t ft { hook ingress priority 0; devices = { wild* }; } +O add flowtable ip t ft2 { hook ingress priority 0; devices = { wald* }; } +O add device flowtable ip t ft hook wild* { wild23 } +O add device flowtable ip t ft2 hook wald* { wald42 } +O delete device flowtable ip t ft hook wild* { wald42 } +O delete device flowtable ip t ft hook wild* { wild23 } +O delete flowtable ip t ft +O delete flowtable ip t ft2 +J {"add": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "wild*"}}} +J {"add": {"flowtable": {"family": "ip", "name": "ft2", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "wald*"}}} +J {"add": {"device": {"family": "ip", "table": "t", "flowtable": "ft", "name": "wild23", "spec": "wild*"}}} +J {"add": {"device": {"family": "ip", "table": "t", "flowtable": "ft2", "name": "wald42", "spec": "wald*"}}} +J {"delete": {"device": {"family": "ip", "table": "t", "flowtable": "ft", "name": "wald42", "spec": "wild*"}}} +J {"delete": {"device": {"family": "ip", "table": "t", "flowtable": "ft", "name": "wild23", "spec": "wild*"}}} +J {"delete": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "wild*"}}} +J {"delete": {"flowtable": {"family": "ip", "name": "ft2", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "wald*"}}}
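Review bot: netlink_events_dev_cb() in src/monitor.c leaks nld on the early exit. The object comes from netlink_device_alloc(nlh) at the top of the function, but the branch taken when neither NFTNL_DEVICE_CHAIN nor NFTNL_DEVICE_FLOWTABLE is set does `return MNL_CB_ERROR;` without reaching nftnl_device_free(nld). Free it before returning, or route both exits through a common label.

Review bot: monitor_print_device_json() in src/json.c only checks that CHAIN or FLOWTABLE is set; the results of nftnl_device_get_str() for NFTNL_DEVICE_TABLE, NFTNL_DEVICE_NAME and NFTNL_DEVICE_SPEC go straight into json_pack() with the "s" format, and the text branch in netlink_events_dev_cb() passes the same values to "%s". If any of those attributes is missing from a message, json_pack() fails and root is NULL when handed to monitor_print_json(), and the text path formats a NULL pointer. Check nftnl_device_is_set() for each attribute that gets printed and treat a missing one as an error, as is already done for the chain/flowtable pair.

Review bot: the patch introduces a new monitor line (`add device chain netdev t c hook wild* { wild23 }`) and a new JSON "device" object with the keys family, table, chain or flowtable, name and spec, but the diffstat touches only include/, src/ and tests/. The event syntax and the JSON object need a documentation entry, including what "spec" means relative to "name" and whether the text form is meant to be accepted back as nft input.

Review bot: tests/monitor/testcases/chain-netdev.t never removes the interface it renames. The '@' lines create wild23 and wild42, run `ip link set wild42 name wald42` and delete only wild23 (twice) and eth1337, so wald42 is still present when the file ends; flowtable-simple.t follows the same pattern. Unless every run gets a fresh network namespace, the next pass over these files (another variant, or flowtable-simple.t after chain-netdev.t) stops at the rename with "custom command failed!". Add an `@ ip link del wald42` after the final delete in each file.

Review bot: in tests/monitor/testcases/flowtable-simple.t (and the matching block of chain-netdev.t) the expected output after `ip link set wild42 name wald42` is `delete device flowtable ip t ft hook wild* { wald42 }`, meaning the delete event carries the name the device has after the rename, not the name under which it matched "wild*". A consumer pairing add and delete events by device name never sees an add for that name on that hook. If this is the intended behaviour, say so in a comment above the test block and in the documentation of the event; otherwise the expectation should use wild42.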