2022-06-11 16:10:56 -05:00
|
|
|
// Package nftest contains utility functions for nftables testing.
|
|
|
|
|
package nftest
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"fmt"
|
|
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"github.com/google/nftables"
|
Set rule handle during flush
This change makes it possible to delete rules after inserting them,
without needing to query the rules first. Rules can be deleted both
before and after they are flushed. Additionally, this allows positioning
a new rule next to an existing rule, both before and after the existing
rule is flushed.
There are two ways to refer to a rule: Either by ID or by handle. The ID
is assigned by userspace, and is only valid within a transaction, so it
can only be used before the flush. The handle is assigned by the kernel
when the transaction is committed, and can thus only be used after the
flush. We thus need to set an ID on each newly created rule, and
retrieve the handle of the rule during the flush.
There was an existing mechanism to allocate IDs for sets, but this was
using a global counter without any synchronization to prevent data
races. I replaced this by a new mechanism which uses a connection-scoped
counter.
I implemented a new mechanism for retrieving replies in Flush, and
handling these replies by adding a callback to netlink messages. There
was some existing code to handle "overrun", which I deleted, because it
was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact
not a flag, but a complete message type, so the (re&netlink.Overrun)
masking makes no sense. Even better, NLMSG_OVERRUN is never actually
used by Linux. What this code was actually doing was skipping over the
NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply.
I had to update all existing tests which compared generated netlink
messages against a reference, by inserting the newly added ID attribute.
We also need to generate replies for the NFT_MSG_NEWRULE messages with a
handle added.
2025-02-20 13:12:30 -06:00
|
|
|
"github.com/google/nftables/binaryutil"
|
2022-06-11 16:10:56 -05:00
|
|
|
"github.com/mdlayher/netlink"
|
Set rule handle during flush
This change makes it possible to delete rules after inserting them,
without needing to query the rules first. Rules can be deleted both
before and after they are flushed. Additionally, this allows positioning
a new rule next to an existing rule, both before and after the existing
rule is flushed.
There are two ways to refer to a rule: Either by ID or by handle. The ID
is assigned by userspace, and is only valid within a transaction, so it
can only be used before the flush. The handle is assigned by the kernel
when the transaction is committed, and can thus only be used after the
flush. We thus need to set an ID on each newly created rule, and
retrieve the handle of the rule during the flush.
There was an existing mechanism to allocate IDs for sets, but this was
using a global counter without any synchronization to prevent data
races. I replaced this by a new mechanism which uses a connection-scoped
counter.
I implemented a new mechanism for retrieving replies in Flush, and
handling these replies by adding a callback to netlink messages. There
was some existing code to handle "overrun", which I deleted, because it
was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact
not a flag, but a complete message type, so the (re&netlink.Overrun)
masking makes no sense. Even better, NLMSG_OVERRUN is never actually
used by Linux. What this code was actually doing was skipping over the
NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply.
I had to update all existing tests which compared generated netlink
messages against a reference, by inserting the newly added ID attribute.
We also need to generate replies for the NFT_MSG_NEWRULE messages with a
handle added.
2025-02-20 13:12:30 -06:00
|
|
|
"golang.org/x/sys/unix"
|
2022-06-11 16:10:56 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Recorder provides an nftables connection that does not send to the Linux
|
|
|
|
|
// kernel but instead records netlink messages into the recorder. The recorded
|
|
|
|
|
// requests can later be obtained using Requests and compared using Diff.
|
|
|
|
|
type Recorder struct {
|
|
|
|
|
requests []netlink.Message
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Conn opens an nftables connection that records netlink messages into the
|
|
|
|
|
// Recorder.
|
|
|
|
|
func (r *Recorder) Conn() (*nftables.Conn, error) {
|
Set rule handle during flush
This change makes it possible to delete rules after inserting them,
without needing to query the rules first. Rules can be deleted both
before and after they are flushed. Additionally, this allows positioning
a new rule next to an existing rule, both before and after the existing
rule is flushed.
There are two ways to refer to a rule: Either by ID or by handle. The ID
is assigned by userspace, and is only valid within a transaction, so it
can only be used before the flush. The handle is assigned by the kernel
when the transaction is committed, and can thus only be used after the
flush. We thus need to set an ID on each newly created rule, and
retrieve the handle of the rule during the flush.
There was an existing mechanism to allocate IDs for sets, but this was
using a global counter without any synchronization to prevent data
races. I replaced this by a new mechanism which uses a connection-scoped
counter.
I implemented a new mechanism for retrieving replies in Flush, and
handling these replies by adding a callback to netlink messages. There
was some existing code to handle "overrun", which I deleted, because it
was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact
not a flag, but a complete message type, so the (re&netlink.Overrun)
masking makes no sense. Even better, NLMSG_OVERRUN is never actually
used by Linux. What this code was actually doing was skipping over the
NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply.
I had to update all existing tests which compared generated netlink
messages against a reference, by inserting the newly added ID attribute.
We also need to generate replies for the NFT_MSG_NEWRULE messages with a
handle added.
2025-02-20 13:12:30 -06:00
|
|
|
nextHandle := uint64(1)
|
2022-06-11 16:10:56 -05:00
|
|
|
return nftables.New(nftables.WithTestDial(
|
|
|
|
|
func(req []netlink.Message) ([]netlink.Message, error) {
|
|
|
|
|
r.requests = append(r.requests, req...)
|
|
|
|
|
|
Set rule handle during flush
This change makes it possible to delete rules after inserting them,
without needing to query the rules first. Rules can be deleted both
before and after they are flushed. Additionally, this allows positioning
a new rule next to an existing rule, both before and after the existing
rule is flushed.
There are two ways to refer to a rule: Either by ID or by handle. The ID
is assigned by userspace, and is only valid within a transaction, so it
can only be used before the flush. The handle is assigned by the kernel
when the transaction is committed, and can thus only be used after the
flush. We thus need to set an ID on each newly created rule, and
retrieve the handle of the rule during the flush.
There was an existing mechanism to allocate IDs for sets, but this was
using a global counter without any synchronization to prevent data
races. I replaced this by a new mechanism which uses a connection-scoped
counter.
I implemented a new mechanism for retrieving replies in Flush, and
handling these replies by adding a callback to netlink messages. There
was some existing code to handle "overrun", which I deleted, because it
was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact
not a flag, but a complete message type, so the (re&netlink.Overrun)
masking makes no sense. Even better, NLMSG_OVERRUN is never actually
used by Linux. What this code was actually doing was skipping over the
NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply.
I had to update all existing tests which compared generated netlink
messages against a reference, by inserting the newly added ID attribute.
We also need to generate replies for the NFT_MSG_NEWRULE messages with a
handle added.
2025-02-20 13:12:30 -06:00
|
|
|
replies := make([]netlink.Message, 0, len(req))
|
|
|
|
|
// Generate replies.
|
|
|
|
|
for _, msg := range req {
|
|
|
|
|
if msg.Header.Flags&netlink.Echo != 0 {
|
|
|
|
|
data := append([]byte{}, msg.Data...)
|
|
|
|
|
switch msg.Header.Type {
|
|
|
|
|
case netlink.HeaderType((unix.NFNL_SUBSYS_NFTABLES << 8) | unix.NFT_MSG_NEWRULE):
|
|
|
|
|
attrs, _ := netlink.MarshalAttributes([]netlink.Attribute{
|
|
|
|
|
{Type: unix.NFTA_RULE_HANDLE, Data: binaryutil.BigEndian.PutUint64(nextHandle)},
|
|
|
|
|
})
|
|
|
|
|
nextHandle++
|
|
|
|
|
data = append(data, attrs...)
|
|
|
|
|
}
|
|
|
|
|
replies = append(replies, netlink.Message{
|
|
|
|
|
Header: msg.Header,
|
|
|
|
|
Data: data,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// Generate acknowledgements.
|
2022-06-11 16:10:56 -05:00
|
|
|
for _, msg := range req {
|
2022-06-11 16:25:19 -05:00
|
|
|
if msg.Header.Flags&netlink.Acknowledge != 0 {
|
Set rule handle during flush
This change makes it possible to delete rules after inserting them,
without needing to query the rules first. Rules can be deleted both
before and after they are flushed. Additionally, this allows positioning
a new rule next to an existing rule, both before and after the existing
rule is flushed.
There are two ways to refer to a rule: Either by ID or by handle. The ID
is assigned by userspace, and is only valid within a transaction, so it
can only be used before the flush. The handle is assigned by the kernel
when the transaction is committed, and can thus only be used after the
flush. We thus need to set an ID on each newly created rule, and
retrieve the handle of the rule during the flush.
There was an existing mechanism to allocate IDs for sets, but this was
using a global counter without any synchronization to prevent data
races. I replaced this by a new mechanism which uses a connection-scoped
counter.
I implemented a new mechanism for retrieving replies in Flush, and
handling these replies by adding a callback to netlink messages. There
was some existing code to handle "overrun", which I deleted, because it
was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact
not a flag, but a complete message type, so the (re&netlink.Overrun)
masking makes no sense. Even better, NLMSG_OVERRUN is never actually
used by Linux. What this code was actually doing was skipping over the
NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply.
I had to update all existing tests which compared generated netlink
messages against a reference, by inserting the newly added ID attribute.
We also need to generate replies for the NFT_MSG_NEWRULE messages with a
handle added.
2025-02-20 13:12:30 -06:00
|
|
|
replies = append(replies, netlink.Message{
|
2022-06-11 16:25:19 -05:00
|
|
|
Header: netlink.Header{
|
|
|
|
|
Length: 4,
|
|
|
|
|
Type: netlink.Error,
|
|
|
|
|
Sequence: msg.Header.Sequence,
|
|
|
|
|
PID: msg.Header.PID,
|
|
|
|
|
},
|
|
|
|
|
Data: []byte{0, 0, 0, 0},
|
|
|
|
|
})
|
|
|
|
|
}
|
2022-06-11 16:10:56 -05:00
|
|
|
}
|
Set rule handle during flush
This change makes it possible to delete rules after inserting them,
without needing to query the rules first. Rules can be deleted both
before and after they are flushed. Additionally, this allows positioning
a new rule next to an existing rule, both before and after the existing
rule is flushed.
There are two ways to refer to a rule: Either by ID or by handle. The ID
is assigned by userspace, and is only valid within a transaction, so it
can only be used before the flush. The handle is assigned by the kernel
when the transaction is committed, and can thus only be used after the
flush. We thus need to set an ID on each newly created rule, and
retrieve the handle of the rule during the flush.
There was an existing mechanism to allocate IDs for sets, but this was
using a global counter without any synchronization to prevent data
races. I replaced this by a new mechanism which uses a connection-scoped
counter.
I implemented a new mechanism for retrieving replies in Flush, and
handling these replies by adding a callback to netlink messages. There
was some existing code to handle "overrun", which I deleted, because it
was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact
not a flag, but a complete message type, so the (re&netlink.Overrun)
masking makes no sense. Even better, NLMSG_OVERRUN is never actually
used by Linux. What this code was actually doing was skipping over the
NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply.
I had to update all existing tests which compared generated netlink
messages against a reference, by inserting the newly added ID attribute.
We also need to generate replies for the NFT_MSG_NEWRULE messages with a
handle added.
2025-02-20 13:12:30 -06:00
|
|
|
return replies, nil
|
2022-06-11 16:10:56 -05:00
|
|
|
}))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Requests returns the recorded netlink messages (typically nftables requests).
|
|
|
|
|
func (r *Recorder) Requests() []netlink.Message {
|
|
|
|
|
return r.requests
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewRecorder returns a ready-to-use Recorder.
|
|
|
|
|
func NewRecorder() *Recorder {
|
|
|
|
|
return &Recorder{}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Diff returns the first difference between the specified netlink messages and
|
|
|
|
|
// the expected netlink message payloads.
|
|
|
|
|
func Diff(got []netlink.Message, want [][]byte) string {
|
|
|
|
|
for idx, msg := range got {
|
|
|
|
|
b, err := msg.MarshalBinary()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Sprintf("msg.MarshalBinary: %v", err)
|
|
|
|
|
}
|
|
|
|
|
if len(b) < 16 {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
b = b[16:]
|
|
|
|
|
if len(want) == 0 {
|
|
|
|
|
return fmt.Sprintf("no want entry for message %d: %x", idx, b)
|
|
|
|
|
}
|
|
|
|
|
if got, want := b, want[0]; !bytes.Equal(got, want) {
|
|
|
|
|
return fmt.Sprintf("message %d: %s", idx, linediff(nfdump(got), nfdump(want)))
|
|
|
|
|
}
|
|
|
|
|
want = want[1:]
|
|
|
|
|
}
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MatchRulesetBytes is a test helper that ensures the fillRuleset modifications
|
|
|
|
|
// correspond to the provided want netlink message payloads
|
|
|
|
|
func MatchRulesetBytes(t *testing.T, fillRuleset func(c *nftables.Conn), want [][]byte) {
|
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
|
|
rec := NewRecorder()
|
|
|
|
|
|
|
|
|
|
c, err := rec.Conn()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.FlushRuleset()
|
|
|
|
|
|
|
|
|
|
fillRuleset(c)
|
|
|
|
|
|
|
|
|
|
if err := c.Flush(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if diff := Diff(rec.Requests(), want); diff != "" {
|
|
|
|
|
t.Errorf("unexpected netlink messages: diff: %s", diff)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// nfdump returns a hexdump of 4 bytes per line (like nft --debug=all), allowing
|
|
|
|
|
// users to make sense of large byte literals more easily.
|
|
|
|
|
func nfdump(b []byte) string {
|
|
|
|
|
var buf bytes.Buffer
|
|
|
|
|
i := 0
|
|
|
|
|
for ; i < len(b); i += 4 {
|
|
|
|
|
// TODO: show printable characters as ASCII
|
|
|
|
|
fmt.Fprintf(&buf, "%02x %02x %02x %02x\n",
|
|
|
|
|
b[i],
|
|
|
|
|
b[i+1],
|
|
|
|
|
b[i+2],
|
|
|
|
|
b[i+3])
|
|
|
|
|
}
|
|
|
|
|
for ; i < len(b); i++ {
|
|
|
|
|
fmt.Fprintf(&buf, "%02x ", b[i])
|
|
|
|
|
}
|
|
|
|
|
return buf.String()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// linediff returns a side-by-side diff of two nfdump() return values, flagging
|
|
|
|
|
// lines which are not equal with an exclamation point prefix.
|
|
|
|
|
func linediff(a, b string) string {
|
|
|
|
|
var buf bytes.Buffer
|
|
|
|
|
fmt.Fprintf(&buf, "got -- want\n")
|
|
|
|
|
linesA := strings.Split(a, "\n")
|
|
|
|
|
linesB := strings.Split(b, "\n")
|
|
|
|
|
for idx, lineA := range linesA {
|
|
|
|
|
if idx >= len(linesB) {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
lineB := linesB[idx]
|
|
|
|
|
prefix := "! "
|
|
|
|
|
if lineA == lineB {
|
|
|
|
|
prefix = " "
|
|
|
|
|
}
|
|
|
|
|
fmt.Fprintf(&buf, "%s%s -- %s\n", prefix, lineA, lineB)
|
|
|
|
|
}
|
|
|
|
|
return buf.String()
|
|
|
|
|
}
|
