From patchwork Fri Oct 17 12:24:37 2014
X-Patchwork-Submitter: Alvaro Neira
X-Patchwork-Id: 400516
X-Patchwork-Delegate: pablo@netfilter.org
From: Alvaro Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [nft PATCH 4/4 v2] test: update and add the reject tests for ip, ip6, bridge and inet.
Date: Fri, 17 Oct 2014 14:24:37 +0200
Message-Id: <1413548677-10287-4-git-send-email-alvaroneay@gmail.com>
In-Reply-To: <1413548677-10287-1-git-send-email-alvaroneay@gmail.com>
References: <1413548677-10287-1-git-send-email-alvaroneay@gmail.com>

Signed-off-by: Alvaro Neira Ayuso
---
[changes in v2]
* Changed the format and added the rules with all the possible reasons

 tests/regression/bridge/reject.t | 30 ++++++++++++++++++++++++++++++
 tests/regression/inet/reject.t | 28 ++++++++++++++++++++++++++++
 tests/regression/ip/reject.t | 11 ++++++++++-
 tests/regression/ip6/reject.t | 9 ++++++++-
 4 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 tests/regression/bridge/reject.t
 create mode 100644 tests/regression/inet/reject.t

diff --git a/tests/regression/bridge/reject.t b/tests/regression/bridge/reject.t new file mode 100644 index 0000000..68e6051 --- /dev/null +++ b/tests/regression/bridge/reject.t 
@@ -0,0 +1,30 @@ +*bridge;test-bridge +:input;type filter hook input priority 0 + +reject with icmp type host-unreachable;ok;ether type ip reject with icmp type host-unreachable +reject with icmp type net-unreachable;ok;ether type ip reject with icmp type net-unreachable +reject with icmp type prot-unreachable;ok;ether type ip reject with icmp type prot-unreachable +reject with icmp type port-unreachable;ok;ether type ip reject +reject with icmp type net-prohibited;ok;ether type ip reject with icmp type net-prohibited +reject with icmp type host-prohibited;ok;ether type ip reject with icmp type host-prohibited +reject with icmp type admin-prohibited;ok;ether type ip reject with icmp type admin-prohibited + +reject with icmpv6 type no-route;ok;ether type ip6 reject with icmpv6 type no-route +reject with icmpv6 type admin-prohibited;ok;ether type ip6 reject with icmpv6 type admin-prohibited +reject with icmpv6 type addr-unreachable;ok;ether type ip6 reject with icmpv6 type addr-unreachable +reject with icmpv6 type port-unreachable;ok;ether type ip6 reject + +ip protocol tcp reject with tcp reset;ok;ip protocol 6 reject with tcp reset + +reject;ok +reject with icmpx type host-unreachable;ok +reject with icmpx type no-route;ok +reject with icmpx type admin-prohibited;ok +reject with icmpx type port-unreachable;ok;reject + +ether type ipv6 reject with icmp type host-unreachable;fail +ether type ip6 reject with icmp type host-unreachable;fail +ether type ip reject with icmpv6 type no-route;fail +ether type vlan reject;fail +ether type arp reject;fail +ip protocol udp reject with tcp reset;fail diff --git a/tests/regression/inet/reject.t b/tests/regression/inet/reject.t new file mode 100644 index 0000000..7dd4598 --- /dev/null +++ b/tests/regression/inet/reject.t 
@@ -0,0 +1,28 @@ +*inet;test-inet +:input;type filter hook input priority 0 + +reject with icmp type host-unreachable;ok;meta nfproto ipv4 reject with icmp type host-unreachable +reject with icmp type net-unreachable;ok;meta nfproto ipv4 reject with icmp type net-unreachable +reject with icmp type prot-unreachable;ok;meta nfproto ipv4 reject with icmp type prot-unreachable +reject with icmp type port-unreachable;ok;meta nfproto ipv4 reject +reject with icmp type net-prohibited;ok;meta nfproto ipv4 reject with icmp type net-prohibited +reject with icmp type host-prohibited;ok;meta nfproto ipv4 reject with icmp type host-prohibited +reject with icmp type admin-prohibited;ok;meta nfproto ipv4 reject with icmp type admin-prohibited + +reject with icmpv6 type no-route;ok;meta nfproto ipv6 reject with icmpv6 type no-route +reject with icmpv6 type admin-prohibited;ok;meta nfproto ipv6 reject with icmpv6 type admin-prohibited +reject with icmpv6 type addr-unreachable;ok;meta nfproto ipv6 reject with icmpv6 type addr-unreachable +reject with icmpv6 type port-unreachable;ok;meta nfproto ipv6 reject + +reject with tcp reset;ok;meta l4proto 6 reject with tcp reset + +reject;ok +reject with icmpx type host-unreachable;ok +reject with icmpx type no-route;ok +reject with icmpx type admin-prohibited;ok +reject with icmpx type port-unreachable;ok;reject + +meta nfproto ipv6 reject with icmp type host-unreachable;fail +meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail +meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail +ip protocol udp reject with tcp reset;fail diff --git a/tests/regression/ip/reject.t b/tests/regression/ip/reject.t index e7fb15b..70a63a0 100644 --- a/tests/regression/ip/reject.t +++ b/tests/regression/ip/reject.t 
@@ -1,5 +1,14 @@ *ip;test-ip4 -*ip;test-inet :output;type filter hook output priority 0 reject;ok +reject with icmp type host-unreachable;ok +reject with icmp type net-unreachable;ok +reject with icmp type prot-unreachable;ok +reject with icmp type port-unreachable;ok;reject +reject with icmp type net-prohibited;ok +reject with icmp type host-prohibited;ok +reject with icmp type admin-prohibited;ok + +reject with icmp type no-route;fail +reject with icmpv6 type no-route;fail diff --git a/tests/regression/ip6/reject.t b/tests/regression/ip6/reject.t index b49c50b..60dec90 100644 --- a/tests/regression/ip6/reject.t +++ b/tests/regression/ip6/reject.t @@ -1,5 +1,12 @@ *ip6;test-ip6 -*inet;test-inet :output;type filter hook output priority 0 reject;ok +reject with icmpv6 type no-route;ok +reject with icmpv6 type admin-prohibited;ok +reject with icmpv6 type addr-unreachable;ok +reject with icmpv6 type port-unreachable;ok;reject +reject with tcp reset;ok;ip6 nexthdr 6 reject with tcp reset + +reject with icmpv6 type host-unreachable;fail +reject with icmp type host-unreachable;fail
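Review bot: In tests/regression/bridge/reject.t the negative cases contain both `ether type ipv6 reject with icmp type host-unreachable;fail` and the same rule written with `ether type ip6`. Every other line in the file spells the ether type `ip6`, so if `ipv6` is not an accepted ether type name the first line fails in the parser rather than in the reject family check, and it does not test what the second line tests. Either drop it or add a comment saying it is there to check the keyword. The tcp reset cases also cover IPv4 only (`ip protocol tcp` and `ip protocol udp`); an IPv6 counterpart would complete the set.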
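Review bot: In tests/regression/inet/reject.t the only negative tcp reset case is `ip protocol udp reject with tcp reset;fail`, while the positive case is expected to print as `meta l4proto 6 reject with tcp reset`. A `meta l4proto udp reject with tcp reset;fail` line would test the conflict in the form the inet family itself prints and would cover IPv6 as well. Separately, `meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail` carries two conflicts at once (`nfproto ipv6` against `ip protocol`, and against `icmp type`), so it cannot show which check rejected the rule; the line two above it already isolates the second conflict.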
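Review bot: The tests/regression/ip/reject.t hunk adds every icmp reason but no `reject with tcp reset` case, although the ip6 hunk in the same patch adds `reject with tcp reset;ok;ip6 nexthdr 6 reject with tcp reset`. Please add the IPv4 equivalent with its expected output so the two families stay symmetric. The hunk also removes `*ip;test-inet`, which the changelog does not mention; one line in the commit message saying why would help.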
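Review bot: The tests/regression/ip6/reject.t hunk drops `*inet;test-inet`, so these rules no longer run against an inet table, and the commit message does not say that the new inet/reject.t replaces that run. Please state it in the changelog. On the negative cases, `reject with icmpv6 type host-unreachable;fail` checks a reason name that is not in the icmpv6 list above it and `reject with icmp type host-unreachable;fail` checks the wrong family; if `icmpx` is meant to be limited to bridge and inet, a `reject with icmpx type no-route;fail` line here and in ip/reject.t would pin that down.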