tests/py: Use libnftables instead of calling nft binary

This adds a simple nftables Python class in py/nftables.py which gives
access to libnftables API via ctypes module.

nft-test.py is extended to make use of the above class instead of
calling nft binary. Since command line formatting had to be touched
anyway, this patch also streamlines things a bit by introducing
__str__ methods to classes Table and Chain and making extensive use of
format strings instead of onerously adding all string parts together.

Since the called commands don't see a shell anymore, all shell meta
character escaping done in testcases is removed.

The visible effects of this change are:

* Four new warnings in ip/flowtable.t due to changing objref IDs (will
  be addressed later in a patch to libnftnl).

* Reported command line in warning and error messages changed slightly
  for obvious reasons.

* Reduction of a full test run's runtime by a factor of four. Status
  diff after running with 'time':

  < 83 test files, 77 files passed, 1724 unit tests, 0 error, 33 warning
  < 87.23user 696.13system 15:11.82elapsed 85%CPU (0avgtext+0avgdata 9604maxresident)k
  < 8inputs+36800outputs (0major+35171235minor)pagefaults 0swaps

  > 83 test files, 77 files passed, 1724 unit tests, 4 error, 33 warning
  > 6.80user 30.18system 3:45.86elapsed 16%CPU (0avgtext+0avgdata 14064maxresident)k
  > 0inputs+35808outputs (0major+2874minor)pagefaults 0swaps

Signed-off-by: Phil Sutter <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>

Author: Phil Sutter

py/.gitignore

@@ -0,0 +1 @@
+*.pyc

py/nftables.py

@@ -0,0 +1,224 @@
+import json
+from ctypes import *
+import sys
+
+class Nftables:
+    """A class representing libnftables interface"""
+
+    debug_flags = {
+        "scanner":   0x1,
+        "parser":    0x2,
+        "eval":      0x4,
+        "netlink":   0x8,
+        "mnl":       0x10,
+        "proto-ctx": 0x20,
+        "segtree":   0x40,
+    }
+
+    numeric_levels = {
+        "none": 0,
+        "addr": 1,
+        "port": 2,
+        "all":  3,
+    }
+
+    def __init__(self, sofile="libnftables.so"):
+        """Instantiate a new Nftables class object.
+
+        Accepts a shared object file to open, by default standard search path
+        is searched for a file named 'libnftables.so'.
+
+        After loading the library using ctypes module, a new nftables context
+        is requested from the library and buffering of output and error streams
+        is turned on.
+        """
+        lib = cdll.LoadLibrary(sofile)
+
+        ### API function definitions
+
+        self.nft_ctx_new = lib.nft_ctx_new
+        self.nft_ctx_new.restype = c_void_p
+        self.nft_ctx_new.argtypes = [c_int]
+
+        self.nft_ctx_output_get_handle = lib.nft_ctx_output_get_handle
+        self.nft_ctx_output_get_handle.restype = c_bool
+        self.nft_ctx_output_get_handle.argtypes = [c_void_p]
+
+        self.nft_ctx_output_set_handle = lib.nft_ctx_output_set_handle
+        self.nft_ctx_output_set_handle.argtypes = [c_void_p, c_bool]
+
+        self.nft_ctx_output_get_numeric = lib.nft_ctx_output_get_numeric
+        self.nft_ctx_output_get_numeric.restype = c_int
+        self.nft_ctx_output_get_numeric.argtypes = [c_void_p]
+
+        self.nft_ctx_output_set_numeric = lib.nft_ctx_output_set_numeric
+        self.nft_ctx_output_set_numeric.argtypes = [c_void_p, c_int]
+
+        self.nft_ctx_output_get_stateless = lib.nft_ctx_output_get_stateless
+        self.nft_ctx_output_get_stateless.restype = c_bool
+        self.nft_ctx_output_get_stateless.argtypes = [c_void_p]
+
+        self.nft_ctx_output_set_stateless = lib.nft_ctx_output_set_stateless
+        self.nft_ctx_output_set_stateless.argtypes = [c_void_p, c_bool]
+
+        self.nft_ctx_output_get_debug = lib.nft_ctx_output_get_debug
+        self.nft_ctx_output_get_debug.restype = c_int
+        self.nft_ctx_output_get_debug.argtypes = [c_void_p]
+
+        self.nft_ctx_output_set_debug = lib.nft_ctx_output_set_debug
+        self.nft_ctx_output_set_debug.argtypes = [c_void_p, c_int]
+
+        self.nft_ctx_buffer_output = lib.nft_ctx_buffer_output
+        self.nft_ctx_buffer_output.restype = c_int
+        self.nft_ctx_buffer_output.argtypes = [c_void_p]
+
+        self.nft_ctx_get_output_buffer = lib.nft_ctx_get_output_buffer
+        self.nft_ctx_get_output_buffer.restype = c_char_p
+        self.nft_ctx_get_output_buffer.argtypes = [c_void_p]
+
+        self.nft_ctx_buffer_error = lib.nft_ctx_buffer_error
+        self.nft_ctx_buffer_error.restype = c_int
+        self.nft_ctx_buffer_error.argtypes = [c_void_p]
+
+        self.nft_ctx_get_error_buffer = lib.nft_ctx_get_error_buffer
+        self.nft_ctx_get_error_buffer.restype = c_char_p
+        self.nft_ctx_get_error_buffer.argtypes = [c_void_p]
+
+        self.nft_run_cmd_from_buffer = lib.nft_run_cmd_from_buffer
+        self.nft_run_cmd_from_buffer.restype = c_int
+        self.nft_run_cmd_from_buffer.argtypes = [c_void_p, c_char_p, c_int]
+
+        self.nft_ctx_free = lib.nft_ctx_free
+        lib.nft_ctx_free.argtypes = [c_void_p]
+
+        # initialize libnftables context
+        self.__ctx = self.nft_ctx_new(0)
+        self.nft_ctx_buffer_output(self.__ctx)
+        self.nft_ctx_buffer_error(self.__ctx)
+
+    def get_handle_output(self):
+        """Get the current state of handle output.
+
+        Returns a boolean indicating whether handle output is active or not.
+        """
+        return self.nft_ctx_output_get_handle(self.__ctx)
+
+    def set_handle_output(self, val):
+        """Enable or disable handle output.
+
+        Accepts a boolean turning handle output on or off.
+
+        Returns the previous value.
+        """
+        old = self.get_handle_output()
+        self.nft_ctx_output_set_handle(self.__ctx, val)
+        return old
+
+    def get_numeric_output(self):
+        """Get the current state of numeric output.
+
+        Returns a boolean indicating whether boolean output is active or not.
+        """
+        return self.nft_ctx_output_get_numeric(self.__ctx)
+
+    def set_numeric_output(self, val):
+        """Enable or disable numeric output.
+
+        Accepts a boolean turning numeric output on or off.
+
+        Returns the previous value.
+        """
+        old = self.get_numeric_output()
+
+        if type(val) is str:
+            val = self.numeric_levels[val]
+        self.nft_ctx_output_set_numeric(self.__ctx, val)
+
+        return old
+
+    def get_stateless_output(self):
+        """Get the current state of stateless output.
+
+        Returns a boolean indicating whether stateless output is active or not.
+        """
+        return self.nft_ctx_output_get_stateless(self.__ctx)
+
+    def set_stateless_output(self, val):
+        """Enable or Disable stateless output.
+
+        Accepts a boolean turning stateless output either on or off.
+
+        Returns the previous value.
+        """
+        old = self.get_stateless_output()
+        self.nft_ctx_output_set_stateless(self.__ctx, val)
+        return old
+
+    def get_debug(self):
+        """Get currently active debug flags.
+
+        Returns a set of flag names. See set_debug() for details.
+        """
+        val = self.nft_ctx_output_get_debug(self.__ctx)
+
+        names = []
+        for n,v in self.debug_flags.items():
+            if val & v:
+                names.append(n)
+                val &= ~v
+        if val:
+            names.append(val)
+
+        return names
+
+    def set_debug(self, values):
+        """Set debug output flags.
+
+        Accepts either a single flag or a set of flags. Each flag might be
+        given either as string or integer value as shown in the following
+        table:
+
+        Name      | Value (hex)
+        -----------------------
+        scanner   | 0x1
+        parser    | 0x2
+        eval      | 0x4
+        netlink   | 0x8
+        mnl       | 0x10
+        proto-ctx | 0x20
+        segtree   | 0x40
+
+        Returns a set of previously active debug flags, as returned by
+        get_debug() method.
+        """
+        old = self.get_debug()
+
+        if type(values) in [str, int]:
+            values = [values]
+
+        val = 0
+        for v in values:
+            if type(v) is str:
+                v = self.debug_flags[v]
+            val |= v
+
+        self.nft_ctx_output_set_debug(self.__ctx, val)
+
+        return old
+
+    def cmd(self, cmdline):
+        """Run a simple nftables command via libnftables.
+
+        Accepts a string containing an nftables command just like what one
+        would enter into an interactive nftables (nft -i) session.
+
+        Returns a tuple (rc, output, error):
+        rc     -- return code as returned by nft_run_cmd_from_buffer() fuction
+        output -- a string containing output written to stdout
+        error  -- a string containing output written to stderr
+        """
+        rc = self.nft_run_cmd_from_buffer(self.__ctx, cmdline, len(cmdline))
+        output = self.nft_ctx_get_output_buffer(self.__ctx)
+        error = self.nft_ctx_get_error_buffer(self.__ctx)
+
+        return (rc, output, error)

tests/py/any/ct.t

@@ -75,19 +75,19 @@ ct expiration != {33-55};ok;ct expiration != { 33s-55s}
 
 ct helper "ftp";ok
 ct helper "12345678901234567";fail
-ct helper '""';fail
+ct helper "";fail
 
 ct state . ct mark { new . 0x12345678};ok
 ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634};ok
 ct direction . ct mark { original . 0x12345678};ok
 ct state . ct mark vmap { new . 0x12345678 : drop};ok
 
-ct original bytes \> 100000;ok;ct original bytes > 100000
-ct reply packets \< 100;ok;ct reply packets < 100
-ct bytes \> 100000;ok;ct bytes > 100000
+ct original bytes > 100000;ok
+ct reply packets < 100;ok
+ct bytes > 100000;ok
 
-ct avgpkt \> 200;ok;ct avgpkt > 200
-ct original avgpkt \< 500;ok;ct original avgpkt < 500
+ct avgpkt > 200;ok
+ct original avgpkt < 500;ok
 
 # bogus direction
 ct both bytes gt 1;fail
@@ -107,7 +107,7 @@ ct mark original;fail
 
 ct event set new;ok
 ct event set new or related or destroy or foobar;fail
-ct event set 'new | related | destroy | label';ok;ct event set new,related,destroy,label
+ct event set new | related | destroy | label;ok;ct event set new,related,destroy,label
 ct event set new,related,destroy,label;ok
 ct event set new,destroy;ok
 ct event set 1;ok;ct event set new

tests/py/any/ct.t.payload

@@ -343,31 +343,31 @@ ip test-ip4 output
   [ lookup reg 1 set __map%d dreg 1 ]
   [ ct set mark with reg 1 ]
 
-# ct original bytes \> 100000
+# ct original bytes > 100000
 ip test-ip4 output
   [ ct load bytes => reg 1 , dir original ]
   [ byteorder reg 1 = hton(reg 1, 8, 8) ]
   [ cmp gt reg 1 0x00000000 0xa0860100 ]
 
-# ct reply packets \< 100
+# ct reply packets < 100
 ip test-ip4 output
   [ ct load packets => reg 1 , dir reply ]
   [ byteorder reg 1 = hton(reg 1, 8, 8) ]
   [ cmp lt reg 1 0x00000000 0x64000000 ]
 
-# ct bytes \> 100000
+# ct bytes > 100000
 ip test-ip4 output
   [ ct load bytes => reg 1 ]
   [ byteorder reg 1 = hton(reg 1, 8, 8) ]
   [ cmp gt reg 1 0x00000000 0xa0860100 ]
 
-# ct avgpkt \> 200
+# ct avgpkt > 200
 ip test-ip4 output
   [ ct load avgpkt => reg 1 ]
   [ byteorder reg 1 = hton(reg 1, 8, 8) ]
   [ cmp gt reg 1 0x00000000 0xc8000000 ]
 
-# ct original avgpkt \< 500
+# ct original avgpkt < 500
 ip test-ip4 output
   [ ct load avgpkt => reg 1 , dir original ]
   [ byteorder reg 1 = hton(reg 1, 8, 8) ]
@@ -396,7 +396,7 @@ ip test-ip4 output
   [ immediate reg 1 0x00000001 ]
   [ ct set event with reg 1 ]
 
-# ct event set 'new | related | destroy | label'
+# ct event set new | related | destroy | label
 ip test-ip4 output
   [ immediate reg 1 0x00000407 ]
   [ ct set event with reg 1 ]

tests/py/any/log.t

@@ -24,7 +24,7 @@ log prefix aaaaa-aaaaaa group 2 snaplen 33;ok;log prefix "aaaaa-aaaaaa" group 2
 # The correct rule is log group 2 queue-threshold 2
 log group 2 queue-threshold 2;ok
 log group 2 snaplen 33;ok
-log group 2 prefix \"nft-test: \";ok;log prefix "nft-test: " group 2
+log group 2 prefix "nft-test: ";ok;log prefix "nft-test: " group 2
 
 log flags all;ok
 log level debug flags ip options flags skuid;ok

tests/py/any/log.t.payload

@@ -46,7 +46,7 @@ ip test-ip4 output
 ip test-ip4 output
   [ log group 2 snaplen 33 qthreshold 0 ]
 
-# log group 2 prefix \"nft-test: \"
+# log group 2 prefix "nft-test: "
 ip test-ip4 output
   [ log prefix nft-test:  group 2 snaplen 0 qthreshold 0 ]
 

tests/py/any/meta.t

@@ -70,7 +70,7 @@ meta iifname {"dummy0", "lo"};ok;iifname {"dummy0", "lo"}
 meta iifname != {"dummy0", "lo"};ok;iifname != {"dummy0", "lo"}
 meta iifname "dummy*";ok;iifname "dummy*"
 meta iifname "dummy\*";ok;iifname "dummy\*"
-meta iifname '""';fail
+meta iifname "";fail
 
 meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok;iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
 meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok;iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
@@ -89,7 +89,7 @@ meta oifname != "dummy0";ok;oifname != "dummy0"
 meta oifname { "dummy0", "lo"};ok;oifname { "dummy0", "lo"}
 meta oifname "dummy*";ok;oifname "dummy*"
 meta oifname "dummy\*";ok;oifname "dummy\*"
-meta oifname '""';fail
+meta oifname "";fail
 
 meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok;oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
 meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok;oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}

tests/py/arp/arp.t

@@ -55,4 +55,4 @@ arp operation != inreply;ok
 arp operation != nak;ok
 arp operation != reply;ok
 
-meta iifname \"invalid\" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566;ok;iifname "invalid" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 @nh,192,32 3232272144 @nh,144,48 set 18838586676582
+meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566;ok;iifname "invalid" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 @nh,192,32 3232272144 @nh,144,48 set 18838586676582

tests/py/arp/arp.t.payload

@@ -268,7 +268,7 @@ arp test-arp input
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ cmp neq reg 1 0x00000200 ]
 
-# meta iifname \"invalid\" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
+# meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
 arp test-arp input
   [ meta load iifname => reg 1 ]
   [ cmp eq reg 1 0x61766e69 0x0064696c 0x00000000 0x00000000 ]

tests/py/arp/arp.t.payload.netdev

@@ -358,7 +358,7 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ cmp neq reg 1 0x00000200 ]
 
-# meta iifname \"invalid\" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
+# meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
 netdev test-netdev ingress
   [ meta load iifname => reg 1 ]
   [ cmp eq reg 1 0x61766e69 0x0064696c 0x00000000 0x00000000 ]

tests/py/inet/tcp.t

@@ -76,7 +76,7 @@ tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop;ok
 tcp flags != { fin, urg, ecn, cwr} drop;ok
 tcp flags cwr;ok
 tcp flags != cwr;ok
-tcp 'flags & (syn|fin) == (syn|fin)';ok;tcp flags & (fin | syn) == fin | syn
+tcp flags & (syn|fin) == (syn|fin);ok;tcp flags & (fin | syn) == fin | syn
 
 tcp window 22222;ok
 tcp window 22;ok

tests/py/inet/tcp.t.payload

@@ -421,7 +421,7 @@ inet test-inet input
   [ payload load 1b @ transport header + 13 => reg 1 ]
   [ cmp neq reg 1 0x00000080 ]
 
-# tcp 'flags & (syn|fin) == (syn|fin)'
+# tcp flags & (syn|fin) == (syn|fin)
 inet test-inet input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]

tests/py/ip/ip.t

@@ -113,10 +113,10 @@ ip daddr 192.168.0.1;ok
 ip daddr 192.168.0.1 drop;ok
 ip daddr 192.168.0.2;ok
 
-ip saddr \& 0xff == 1;ok;ip saddr & 0.0.0.255 == 0.0.0.1
-ip saddr \& 0.0.0.255 \< 0.0.0.127;ok;ip saddr & 0.0.0.255 < 0.0.0.127
+ip saddr & 0xff == 1;ok;ip saddr & 0.0.0.255 == 0.0.0.1
+ip saddr & 0.0.0.255 < 0.0.0.127;ok
 
-ip saddr \& 0xffff0000 == 0xffff0000;ok;ip saddr 255.255.0.0/16
+ip saddr & 0xffff0000 == 0xffff0000;ok;ip saddr 255.255.0.0/16
 
 ip version 4 ip hdrlength 5;ok
 ip hdrlength 0;ok