diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
commit | 971e619d8602fa52b1bfcb3ea65b7ab96be85318 (patch) | |
tree | 26feb2498c72b796e07b86349d17f544046de279 /tests/py/netdev | |
parent | Initial commit. (diff) | |
download | nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.tar.xz nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.zip |
Adding upstream version 1.0.9.upstream/1.0.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/py/netdev')
-rw-r--r-- | tests/py/netdev/dup.t | 8 | ||||
-rw-r--r-- | tests/py/netdev/dup.t.json | 30 | ||||
-rw-r--r-- | tests/py/netdev/dup.t.payload | 14 | ||||
-rw-r--r-- | tests/py/netdev/fwd.t | 9 | ||||
-rw-r--r-- | tests/py/netdev/fwd.t.json | 47 | ||||
-rw-r--r-- | tests/py/netdev/fwd.t.json.output | 27 | ||||
-rw-r--r-- | tests/py/netdev/fwd.t.payload | 20 | ||||
-rw-r--r-- | tests/py/netdev/reject.t | 40 | ||||
-rw-r--r-- | tests/py/netdev/reject.t.json | 293 | ||||
-rw-r--r-- | tests/py/netdev/reject.t.payload | 142 |
10 files changed, 630 insertions, 0 deletions
diff --git a/tests/py/netdev/dup.t b/tests/py/netdev/dup.t new file mode 100644 index 0000000..5632802 --- /dev/null +++ b/tests/py/netdev/dup.t @@ -0,0 +1,8 @@ +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*netdev;test-netdev;ingress,egress + +dup to "lo";ok +dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok + diff --git a/tests/py/netdev/dup.t.json b/tests/py/netdev/dup.t.json new file mode 100644 index 0000000..dc56f64 --- /dev/null +++ b/tests/py/netdev/dup.t.json @@ -0,0 +1,30 @@ +# dup to "lo" +[ + { + "dup": { + "addr": "lo" + } + } +] + +# dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +[ + { + "dup": { + "addr": { + "map": { + "key": { + "meta": { "key": "mark" } + }, + "data": { + "set": [ + [ 1, "lo" ], + [ 2, "lo" ] + ] + } + } + } + } + } +] + diff --git a/tests/py/netdev/dup.t.payload b/tests/py/netdev/dup.t.payload new file mode 100644 index 0000000..51ff782 --- /dev/null +++ b/tests/py/netdev/dup.t.payload @@ -0,0 +1,14 @@ +# dup to "lo" +netdev test-netdev ingress + [ immediate reg 1 0x00000001 ] + [ dup sreg_dev 1 ] + +# dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +__map%d test-netdev b +__map%d test-netdev 0 + element 00000001 : 00000001 0 [end] element 00000002 : 00000001 0 [end] +netdev test-netdev ingress + [ meta load mark => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ dup sreg_dev 1 ] + diff --git a/tests/py/netdev/fwd.t b/tests/py/netdev/fwd.t new file mode 100644 index 0000000..6051560 --- /dev/null +++ b/tests/py/netdev/fwd.t @@ -0,0 +1,9 @@ +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*netdev;test-netdev;ingress,egress + +fwd to "lo";ok +fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok + +fwd ip to 192.168.2.200 device "lo";ok diff --git a/tests/py/netdev/fwd.t.json b/tests/py/netdev/fwd.t.json new file mode 100644 index 0000000..583606c --- /dev/null +++ b/tests/py/netdev/fwd.t.json @@ -0,0 +1,47 @@ +# fwd to "lo" +[ + { + "fwd": { + "dev": "lo" + } + } +] + +# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +[ + { + "fwd": { + "dev": { + "map": { + "key": { + "meta": { "key": "mark" } + }, + "data": { + "set": [ + [ + "0x00000001", + "lo" + ], + [ + "0x00000002", + "lo" + ] + ] + } + } + } + } + } +] + +# fwd ip to 192.168.2.200 device "lo" +[ + { + "fwd": { + "addr": "192.168.2.200", + "dev": "lo", + "family": "ip" + } + } +] + diff --git a/tests/py/netdev/fwd.t.json.output b/tests/py/netdev/fwd.t.json.output new file mode 100644 index 0000000..8433e49 --- /dev/null +++ b/tests/py/netdev/fwd.t.json.output @@ -0,0 +1,27 @@ +# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +[ + { + "fwd": { + "dev": { + "map": { + "key": { + "meta": { "key": "mark" } + }, + "data": { + "set": [ + [ + 1, + "lo" + ], + [ + 2, + "lo" + ] + ] + } + } + } + } + } +] + diff --git a/tests/py/netdev/fwd.t.payload b/tests/py/netdev/fwd.t.payload new file mode 100644 index 0000000..f03077a --- /dev/null +++ b/tests/py/netdev/fwd.t.payload @@ -0,0 +1,20 @@ +# fwd to "lo" +netdev test-netdev ingress + [ immediate reg 1 0x00000001 ] + [ fwd sreg_dev 1 ] + +# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"} +__map%d test-netdev b +__map%d test-netdev 0 + element 00000001 : 00000001 0 [end] element 00000002 : 00000001 0 [end] +netdev test-netdev ingress + [ meta load mark => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ fwd sreg_dev 1 ] + +# fwd ip to 192.168.2.200 device "lo" +netdev test-netdev ingress + [ immediate reg 1 0x00000001 ] + [ immediate reg 2 0xc802a8c0 ] + [ fwd sreg_dev 1 sreg_addr 2 nfproto 2 ] + diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t new file mode 100644 index 0000000..c66e649 --- /dev/null +++ b/tests/py/netdev/reject.t @@ -0,0 +1,40 @@ +:ingress;type filter hook ingress device lo priority 0 + +*netdev;test-netdev;ingress + +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok +reject with icmpv6 policy-fail;ok +reject with icmpv6 reject-route;ok + +mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset + +reject;ok +meta protocol ip reject;ok;reject with icmp port-unreachable +meta protocol ip6 reject;ok;reject with icmpv6 port-unreachable + +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject + +meta protocol ip reject with icmp host-unreachable;ok;reject with icmp host-unreachable +meta protocol ip6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route + +meta protocol ip6 reject with icmp host-unreachable;fail +meta protocol ip ip protocol icmp reject with icmpv6 no-route;fail +meta protocol ip6 ip protocol icmp reject with icmp host-unreachable;fail +meta l4proto udp reject with tcp reset;fail + +meta protocol ip reject with icmpx admin-prohibited;ok +meta protocol ip6 reject with icmpx admin-prohibited;ok diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json new file mode 100644 index 0000000..9968aaf --- /dev/null +++ b/tests/py/netdev/reject.t.json @@ -0,0 +1,293 @@ +# reject with icmp host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp net-unreachable +[ + { + "reject": { + "expr": "net-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp prot-unreachable +[ + { + "reject": { + "expr": "prot-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp net-prohibited +[ + { + "reject": { + "expr": "net-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp host-prohibited +[ + { + "reject": { + "expr": "host-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmp" + } + } +] + +# reject with icmpv6 no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 addr-unreachable +[ + { + "reject": { + "expr": "addr-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 policy-fail +[ + { + "reject": { + "expr": "policy-fail", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 reject-route +[ + { + "reject": { + "expr": "reject-route", + "type": "icmpv6" + } + } +] + +# mark 12345 reject with tcp reset +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "meta": { + "key": "mark" + } + }, + "op": "==", + "right": 12345 + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + +# reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } + } +] + +# meta protocol ip reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# meta protocol ip6 reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpx host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmpx" + } + } +] + +# reject with icmpx no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpx" + } + } +] + +# reject with icmpx admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# reject with icmpx port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } + } +] + +# meta protocol ip reject with icmp host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# meta protocol ip6 reject with icmpv6 no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + +# meta protocol ip reject with icmpx admin-prohibited +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# meta protocol ip6 reject with icmpx admin-prohibited +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload new file mode 100644 index 0000000..d014ada --- /dev/null +++ b/tests/py/netdev/reject.t.payload @@ -0,0 +1,142 @@ +# reject with icmp host-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 1 ] + +# reject with icmp net-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 0 ] + +# reject with icmp prot-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 2 ] + +# reject with icmp port-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 3 ] + +# reject with icmp net-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 9 ] + +# reject with icmp host-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 10 ] + +# reject with icmp admin-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 13 ] + +# reject with icmpv6 no-route +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 0 ] + +# reject with icmpv6 admin-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 1 ] + +# reject with icmpv6 addr-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 3 ] + +# reject with icmpv6 port-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 4 ] + +# reject with icmpv6 policy-fail +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 5 ] + +# reject with icmpv6 reject-route +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 6 ] + +# mark 12345 reject with tcp reset +netdev + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load mark => reg 1 ] + [ cmp eq reg 1 0x00003039 ] + [ reject type 1 code 0 ] + +# reject +netdev + [ reject type 2 code 1 ] + +# meta protocol ip reject +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 3 ] + +# meta protocol ip6 reject +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 4 ] + +# reject with icmpx host-unreachable +netdev + [ reject type 2 code 2 ] + +# reject with icmpx no-route +netdev + [ reject type 2 code 0 ] + +# reject with icmpx admin-prohibited +netdev + [ reject type 2 code 3 ] + +# reject with icmpx port-unreachable +netdev + [ reject type 2 code 1 ] + +# meta protocol ip reject with icmp host-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 1 ] + +# meta protocol ip6 reject with icmpv6 no-route +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 0 ] + +# meta protocol ip reject with icmpx admin-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 2 code 3 ] + +# meta protocol ip6 reject with icmpx admin-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 2 code 3 ] + |