diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
| commit | 971e619d8602fa52b1bfcb3ea65b7ab96be85318 (patch) | |
| tree | 26feb2498c72b796e07b86349d17f544046de279 /tests/shell/testcases/flowtable | |
| parent | Initial commit. (diff) | |
| download | nftables-upstream.tar.xz nftables-upstream.zip | |
Adding upstream version 1.0.9.upstream/1.0.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
30 files changed, 336 insertions, 0 deletions
diff --git a/tests/shell/testcases/flowtable/0001flowtable_0 b/tests/shell/testcases/flowtable/0001flowtable_0 new file mode 100755 index 0000000..2e18099 --- /dev/null +++ b/tests/shell/testcases/flowtable/0001flowtable_0 @@ -0,0 +1,15 @@ +#!/bin/bash + +EXPECTED='table inet t { + flowtable f { + hook ingress priority 10 + devices = { lo } + } + + chain c { + flow add @f + } +}' + +set -e +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/flowtable/0002create_flowtable_0 b/tests/shell/testcases/flowtable/0002create_flowtable_0 new file mode 100755 index 0000000..4c85c3f --- /dev/null +++ b/tests/shell/testcases/flowtable/0002create_flowtable_0 @@ -0,0 +1,12 @@ +#!/bin/bash + +set -e +$NFT add table t +$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; } +if $NFT create flowtable t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then + echo "E: flowtable creation not failing on existing set" >&2 + exit 1 +fi +$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; } + +exit 0 diff --git a/tests/shell/testcases/flowtable/0003add_after_flush_0 b/tests/shell/testcases/flowtable/0003add_after_flush_0 new file mode 100755 index 0000000..481c7ed --- /dev/null +++ b/tests/shell/testcases/flowtable/0003add_after_flush_0 @@ -0,0 +1,8 @@ +#!/bin/bash + +set -e +$NFT add table x +$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;} +$NFT flush ruleset +$NFT add table x +$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;} diff --git a/tests/shell/testcases/flowtable/0004delete_after_add_0 b/tests/shell/testcases/flowtable/0004delete_after_add_0 new file mode 100755 index 0000000..8d9a842 --- /dev/null +++ b/tests/shell/testcases/flowtable/0004delete_after_add_0 @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +$NFT add table x +$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;} +$NFT delete flowtable x y diff --git a/tests/shell/testcases/flowtable/0005delete_in_use_1 b/tests/shell/testcases/flowtable/0005delete_in_use_1 new file mode 100755 index 0000000..ef52620 --- /dev/null +++ b/tests/shell/testcases/flowtable/0005delete_in_use_1 @@ -0,0 +1,11 @@ +#!/bin/bash + +set -e +$NFT add table x +$NFT add chain x x +$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;} +$NFT add rule x x flow add @y + +$NFT delete flowtable x y || exit 0 +echo "E: delete flowtable in use" +exit 1 diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0 new file mode 100755 index 0000000..fb7c52f --- /dev/null +++ b/tests/shell/testcases/flowtable/0006segfault_0 @@ -0,0 +1,11 @@ +#!/bin/bash + +# Make sure nft does not segfault when given invalid syntax in 'add flowtable' commands. + +$NFT add table ip t + +$NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } } +[[ $? -eq 1 ]] || exit 1 + +$NFT add flowtable ip t f { hook ingress\; priority 10\; } +[[ $? -eq 1 ]] || exit 1 diff --git a/tests/shell/testcases/flowtable/0007prio_0 b/tests/shell/testcases/flowtable/0007prio_0 new file mode 100755 index 0000000..49bbcac --- /dev/null +++ b/tests/shell/testcases/flowtable/0007prio_0 @@ -0,0 +1,24 @@ +#!/bin/bash + +set -e + +format_offset () { + i=$1 + if ((i == 0)) + then + echo "" + elif ((i > 0)) + then + echo "+$i" + else + echo "$i" + fi +} + +$NFT add table t +for offset in -11 -10 0 10 11 +do + $NFT add flowtable t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }" + $NFT delete flowtable t f +done + diff --git a/tests/shell/testcases/flowtable/0008prio_1 b/tests/shell/testcases/flowtable/0008prio_1 new file mode 100755 index 0000000..48953d7 --- /dev/null +++ b/tests/shell/testcases/flowtable/0008prio_1 @@ -0,0 +1,14 @@ +#!/bin/bash + +$NFT add table t +for prioname in raw mangle dstnar security srcnat out dummy +do + $NFT add flowtable t f { hook ingress priority $prioname \; devices = { lo }\; } + if (($? == 0)) + then + echo "E: $prioname should not be a valid priority name for flowtables" >&2 + exit 1 + fi +done + +exit 0 diff --git a/tests/shell/testcases/flowtable/0009deleteafterflush_0 b/tests/shell/testcases/flowtable/0009deleteafterflush_0 new file mode 100755 index 0000000..2cda563 --- /dev/null +++ b/tests/shell/testcases/flowtable/0009deleteafterflush_0 @@ -0,0 +1,9 @@ +#!/bin/bash + +set -e +$NFT add table x +$NFT add chain x y +$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;} +$NFT add rule x y flow add @f +$NFT flush chain x y +$NFT delete flowtable x f diff --git a/tests/shell/testcases/flowtable/0010delete_handle_0 b/tests/shell/testcases/flowtable/0010delete_handle_0 new file mode 100755 index 0000000..8dd8d9f --- /dev/null +++ b/tests/shell/testcases/flowtable/0010delete_handle_0 @@ -0,0 +1,21 @@ +#!/bin/bash + +# delete flowtable by handle + +set -e + +$NFT add table inet t +$NFT add flowtable inet t f { hook ingress priority filter\; devices = { lo }\; } + +FH=$($NFT -a list ruleset | awk '/flowtable f/ { print $NF }') + +$NFT delete flowtable inet t handle $FH + +EXPECTED="table inet t { +}" + +GET="$($NFT list ruleset)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/flowtable/0011deleteafterflush_0 b/tests/shell/testcases/flowtable/0011deleteafterflush_0 new file mode 100755 index 0000000..4f519a7 --- /dev/null +++ b/tests/shell/testcases/flowtable/0011deleteafterflush_0 @@ -0,0 +1,10 @@ +#!/bin/bash + +set -e +$NFT add table x +$NFT add chain x y +$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;} +$NFT add rule x y ip protocol tcp flow add @f +$NFT add rule x y ip protocol udp flow add @f +$NFT flush chain x y +$NFT delete flowtable x f diff --git a/tests/shell/testcases/flowtable/0012flowtable_variable_0 b/tests/shell/testcases/flowtable/0012flowtable_variable_0 new file mode 100755 index 0000000..080059d --- /dev/null +++ b/tests/shell/testcases/flowtable/0012flowtable_variable_0 @@ -0,0 +1,35 @@ +#!/bin/bash + +set -e + +iface_cleanup() { + ip link del dummy1 &>/dev/null || : +} +trap 'iface_cleanup' EXIT +iface_cleanup + +ip link add name dummy1 type dummy + +EXPECTED="define if_main = { lo, dummy1 } + +table filter1 { + flowtable Main_ft1 { + hook ingress priority filter + counter + devices = \$if_main + } +}" + +$NFT -f - <<< $EXPECTED + +EXPECTED="define if_main = \"lo\" + +table filter2 { + flowtable Main_ft2 { + hook ingress priority filter + counter + devices = { \$if_main, dummy1 } + } +}" + +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/flowtable/0013addafterdelete_0 b/tests/shell/testcases/flowtable/0013addafterdelete_0 new file mode 100755 index 0000000..b23ab97 --- /dev/null +++ b/tests/shell/testcases/flowtable/0013addafterdelete_0 @@ -0,0 +1,27 @@ +#!/bin/bash + +set -e + +RULESET='table inet filter { + + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + counter + } +}' + +$NFT -f - <<< "$RULESET" + +RULESET='delete flowtable inet filter f + +table inet filter { + + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + counter + } +}' + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/flowtable/0014addafterdelete_0 b/tests/shell/testcases/flowtable/0014addafterdelete_0 new file mode 100755 index 0000000..6a24c4b --- /dev/null +++ b/tests/shell/testcases/flowtable/0014addafterdelete_0 @@ -0,0 +1,36 @@ +#!/bin/bash + +set -e + +RULESET='table inet filter { + + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + } + + chain y { + type filter hook forward priority 0; + flow add @f counter + } +}' + +$NFT -f - <<< "$RULESET" + +RULESET='delete rule inet filter y handle 3 +delete flowtable inet filter f + +table inet filter { + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + counter + } + + chain y { + type filter hook forward priority 0; + flow add @f counter + } +}' + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/flowtable/0015destroy_0 b/tests/shell/testcases/flowtable/0015destroy_0 new file mode 100755 index 0000000..d2a87da --- /dev/null +++ b/tests/shell/testcases/flowtable/0015destroy_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table t + +# pass for non-existent flowtable +$NFT destroy flowtable t f + +# successfully delete existing flowtable +$NFT add flowtable t f '{ hook ingress priority 10; devices = { lo }; }' +$NFT destroy flowtable t f diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft new file mode 100644 index 0000000..629bfe8 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft @@ -0,0 +1,10 @@ +table inet t { + flowtable f { + hook ingress priority filter + 10 + devices = { lo } + } + + chain c { + flow add @f + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft new file mode 100644 index 0000000..aecfb2a --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft @@ -0,0 +1,6 @@ +table ip t { + flowtable f { + hook ingress priority filter + 10 + devices = { lo } + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft new file mode 100644 index 0000000..dd904f4 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft @@ -0,0 +1,6 @@ +table ip x { + flowtable y { + hook ingress priority filter + devices = { lo } + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft new file mode 100644 index 0000000..c1d79e7 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft @@ -0,0 +1,10 @@ +table ip x { + flowtable y { + hook ingress priority filter + devices = { lo } + } + + chain x { + flow add @y + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft new file mode 100644 index 0000000..985768b --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0007prio_0.nft b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft new file mode 100644 index 0000000..985768b --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0008prio_1.nft b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft new file mode 100644 index 0000000..985768b --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft new file mode 100644 index 0000000..8e818d2 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft new file mode 100644 index 0000000..17838bd --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft @@ -0,0 +1,2 @@ +table inet t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft new file mode 100644 index 0000000..8e818d2 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft new file mode 100644 index 0000000..df1c51a --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft @@ -0,0 +1,14 @@ +table ip filter1 { + flowtable Main_ft1 { + hook ingress priority filter + devices = { lo } + counter + } +} +table ip filter2 { + flowtable Main_ft2 { + hook ingress priority filter + devices = { lo } + counter + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft new file mode 100644 index 0000000..83fdd5d --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft @@ -0,0 +1,7 @@ +table inet filter { + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + counter + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft new file mode 100644 index 0000000..145aa08 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft @@ -0,0 +1,12 @@ +table inet filter { + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + counter + } + + chain y { + type filter hook forward priority filter; policy accept; + flow add @f counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft new file mode 100644 index 0000000..985768b --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft @@ -0,0 +1,2 @@ +table ip t { +} |