diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
| commit | 971e619d8602fa52b1bfcb3ea65b7ab96be85318 (patch) | |
| tree | 26feb2498c72b796e07b86349d17f544046de279 /tests/shell/testcases/maps | |
| parent | Initial commit. (diff) | |
| download | nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.tar.xz nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.zip | |
Adding upstream version 1.0.9.upstream/1.0.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/shell/testcases/maps')
62 files changed, 2118 insertions, 0 deletions
diff --git a/tests/shell/testcases/maps/0003map_add_many_elements_0 b/tests/shell/testcases/maps/0003map_add_many_elements_0 new file mode 100755 index 0000000..2b254c5 --- /dev/null +++ b/tests/shell/testcases/maps/0003map_add_many_elements_0 @@ -0,0 +1,67 @@ +#!/bin/bash + +# test adding many map elements + +HOWMANY=31 + +tmpfile=$(mktemp) +if [ ! -w $tmpfile ] ; then + echo "Failed to create tmp file" >&2 + exit 0 +fi + +trap "rm -rf $tmpfile" EXIT # cleanup if aborted + +generate_add() { + echo -n "{" + for ((i=HOWMANY; i>=1; i--)) ; do + for ((j=HOWMANY; j>=1; j--)) ; do + [ "$i" == 1 ] && [ "$j" == 1 ] && break + echo -n "10.0.${i}.${j} : 10.0.${i}.${j}, " + done + done + echo -n "}" +} + +generate_test() { + count=0 + elements="" + for ((i=1; i<=HOWMANY; i++)) ; do + for ((j=1; j<=HOWMANY; j++)) ; do + ((count++)) + elements="${elements}10.0.${i}.${j} : 10.0.${i}.${j}" + [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break + if [ "$count" == "2" ] ; then + count=0 + elements="${elements},\\n\\t\\t\\t " + else + elements="${elements}, " + fi + done + done + echo -e "$elements" +} + +echo "add table x +add map x y { type ipv4_addr : ipv4_addr; } +add element x y $(generate_add)" > $tmpfile + +set -e +$NFT -f $tmpfile + +n=$HOWMANY +echo "add element x y { 10.0.1.1 : 10.0.1.1 }" > $tmpfile +$NFT -f $tmpfile + +EXPECTED="table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { "$(generate_test)" } + } +}" +GET=$($NFT list ruleset) +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi + diff --git a/tests/shell/testcases/maps/0004interval_map_create_once_0 b/tests/shell/testcases/maps/0004interval_map_create_once_0 new file mode 100755 index 0000000..64f434a --- /dev/null +++ b/tests/shell/testcases/maps/0004interval_map_create_once_0 @@ -0,0 +1,74 @@ +#!/bin/bash + +# test adding many elements to an interval map +# this always works because nft is only called once + +HOWMANY=63 + +if [ "$NFT_TEST_SKIP_slow" = y ] ; then + HOWMANY=5 +fi + +tmpfile=$(mktemp) +if [ ! -w $tmpfile ] ; then + echo "Failed to create tmp file" >&2 + exit 0 +fi + +trap "rm -rf $tmpfile" EXIT # cleanup if aborted + +generate_add() { + echo -n "{" + for ((i=1; i<=HOWMANY; i++)) ; do + for ((j=1; j<=HOWMANY; j++)) ; do + echo -n "10.${i}.${j}.0/24 : 10.0.${i}.${j}" + [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break + echo -n ", " + done + done + echo -n "}" +} + +generate_test() { + count=0 + elements="" + for ((i=1; i<=HOWMANY; i++)) ; do + for ((j=1; j<=HOWMANY; j++)) ; do + ((count++)) + elements="${elements}10.${i}.${j}.0/24 : 10.0.${i}.${j}" + [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break + if [ "$count" == "2" ] ; then + count=0 + elements="${elements},\\n\\t\\t\\t " + else + elements="${elements}, " + fi + done + done + echo -e "$elements" +} + +echo "add table x +add map x y { type ipv4_addr : ipv4_addr; flags interval; } +add element x y $(generate_add)" > $tmpfile + +set -e +$NFT -f $tmpfile + +EXPECTED="table ip x { + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { "$(generate_test)" } + } +}" +GET=$($NFT list ruleset) +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi + +if [ "$HOWMANY" != 63 ] ; then + echo "Run a partial test due to NFT_TEST_SKIP_slow=y. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 new file mode 100755 index 0000000..0714963 --- /dev/null +++ b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 @@ -0,0 +1,58 @@ +#!/bin/bash + +# test adding many elements to an interval map +# even with HOWMANY=2 there are memory allocation failures in the current +# master - the patch fixes that +# NOTE this is only an issue with two separate nft calls + +HOWMANY=2 + +tmpfile=$(mktemp) +if [ ! -w $tmpfile ] ; then + echo "Failed to create tmp file" >&2 + exit 0 +fi + +trap "rm -rf $tmpfile" EXIT # cleanup if aborted + +generate_add() { + echo -n "{" + for ((i=1; i<=HOWMANY; i++)) ; do + for ((j=1; j<=HOWMANY; j++)) ; do + [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break + echo -n "10.${i}.${j}.0/24 : 10.0.${i}.${j}, " + done + done + echo -n "}" +} + +generate_test() { + count=0 + elements="" + for ((i=1; i<=HOWMANY; i++)) ; do + for ((j=1; j<=HOWMANY; j++)) ; do + ((count++)) + elements="${elements}10.${i}.${j}.0/24 : 10.0.${i}.${j}" + [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break + if [ "$count" == "2" ] ; then + count=0 + elements="${elements},\\n\\t\\t\\t " + else + elements="${elements}, " + fi + done + done + echo -e "$elements" +} + +echo "add table x +add map x y { type ipv4_addr : ipv4_addr; flags interval; } +add element x y $(generate_add)" > $tmpfile + +set -e +$NFT -f $tmpfile + +n=$HOWMANY +echo "add element x y { 10.${n}.${n}.0/24 : 10.0.${n}.${n} }" > $tmpfile + +$NFT -f $tmpfile diff --git a/tests/shell/testcases/maps/0006interval_map_overlap_0 b/tests/shell/testcases/maps/0006interval_map_overlap_0 new file mode 100755 index 0000000..4606ce3 --- /dev/null +++ b/tests/shell/testcases/maps/0006interval_map_overlap_0 @@ -0,0 +1,16 @@ +#!/bin/bash + +# test adding elements to an interval map +# shows how disjoint intervals are seen as overlaps +# NOTE this is only an issue with two separate nft calls + +n=1 +RULESET="add table x +add map x y { type ipv4_addr : ipv4_addr; flags interval; } +add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }" + +set -e +$NFT -f - <<< "$RULESET" + +n=2 +$NFT "add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }" diff --git a/tests/shell/testcases/maps/0007named_ifname_dtype_0 b/tests/shell/testcases/maps/0007named_ifname_dtype_0 new file mode 100755 index 0000000..b5c5116 --- /dev/null +++ b/tests/shell/testcases/maps/0007named_ifname_dtype_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +# support for ifname in named maps + +EXPECTED="table inet t { + map m1 { + type ifname : ipv4_addr + elements = { \"eth0\" : 1.1.1.1 } + } + + chain c { + ip daddr set iifname map @m1 + ip daddr set oifname map @m1 + } +}" + +set -e +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0008interval_map_delete_0 b/tests/shell/testcases/maps/0008interval_map_delete_0 new file mode 100755 index 0000000..39ea312 --- /dev/null +++ b/tests/shell/testcases/maps/0008interval_map_delete_0 @@ -0,0 +1,31 @@ +#!/bin/bash + +set -e + +EXPECTED="table ip filter { + map m { + type ipv4_addr : mark + flags interval + elements = { 127.0.0.2 : 0x00000002, 127.0.0.3 : 0x00000003 } + } + + chain input { + type filter hook input priority filter; policy accept; + meta mark set ip daddr map @m + meta mark 0x00000002 counter accept + meta mark 0x00000003 counter accept + counter + } +}" + +$NFT -f - <<< "$EXPECTED" +$NFT delete element filter m { 127.0.0.2 } +$NFT delete element filter m { 127.0.0.3 } +$NFT add element filter m { 127.0.0.3 : 0x3 } +$NFT add element filter m { 127.0.0.2 : 0x2 } + +GET=$($NFT -s list ruleset) +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0 new file mode 100755 index 0000000..d31e160 --- /dev/null +++ b/tests/shell/testcases/maps/0009vmap_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +EXPECTED="table inet filter { + chain ssh_input { + } + + chain wan_input { + tcp dport vmap { 22 : jump ssh_input } + } + + chain prerouting { + type filter hook prerouting priority -300; policy accept; + iif vmap { "lo" counter : jump wan_input } + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0010concat_map_0 b/tests/shell/testcases/maps/0010concat_map_0 new file mode 100755 index 0000000..4848d97 --- /dev/null +++ b/tests/shell/testcases/maps/0010concat_map_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +EXPECTED="table inet x { + map z { + type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service + elements = { + 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30 + } + } + + chain y { + type nat hook prerouting priority dstnat; + dnat ip addr . port to ip saddr . ip protocol . tcp dport map @z + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0011vmap_0 b/tests/shell/testcases/maps/0011vmap_0 new file mode 100755 index 0000000..3e6fa78 --- /dev/null +++ b/tests/shell/testcases/maps/0011vmap_0 @@ -0,0 +1,33 @@ +#!/bin/bash + +set -e + +EXPECTED="table inet filter { + map portmap { + type inet_service : verdict + counter + } + + chain ssh_input { + } + + chain wan_input { + tcp dport vmap @portmap + } + + chain prerouting { + type filter hook prerouting priority -300; policy accept; + iif vmap { "lo" : jump wan_input } + } +}" + +$NFT -f - <<< "$EXPECTED" + +if [ "$NFT_TEST_HAVE_catchall_element" != n ]; then + $NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }' +fi + +if [ "$NFT_TEST_HAVE_catchall_element" = n ]; then + echo "Ran partial tests due to NFT_TEST_HAVE_catchall_element=n (skipped)" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0012map_0 b/tests/shell/testcases/maps/0012map_0 new file mode 100755 index 0000000..49e51b7 --- /dev/null +++ b/tests/shell/testcases/maps/0012map_0 @@ -0,0 +1,36 @@ +#!/bin/bash + +set -e + +EXPECTED="define interfaces = { eth0, eth1 } + +table ip x { + map z { + type ifname : verdict + elements = { \$interfaces : drop, lo : accept } + } + chain y { + iifname vmap { lo : accept, \$interfaces : drop } + } +}" + +$NFT -f - <<< "$EXPECTED" + +EXPECTED="table ip x { + map w { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { + 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept, + } + } + + chain k { + type filter hook input priority filter + 1; policy accept; + meta mark set 0x123434 + ip saddr . meta mark vmap @w + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0 new file mode 100755 index 0000000..70d7fd3 --- /dev/null +++ b/tests/shell/testcases/maps/0013map_0 @@ -0,0 +1,14 @@ +#!/bin/bash + +set -e + +RULESET=" +flush ruleset + +add table ip filter +add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; } +add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; } +add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol . th dport vmap @forwport counter +add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/maps/0014destroy_0 b/tests/shell/testcases/maps/0014destroy_0 new file mode 100755 index 0000000..ee81e3c --- /dev/null +++ b/tests/shell/testcases/maps/0014destroy_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table x + +# pass for non-existent map +$NFT destroy map x y + +# successfully delete existing map +$NFT add map x y '{ type ipv4_addr : ipv4_addr; }' +$NFT destroy map x y diff --git a/tests/shell/testcases/maps/0016map_leak_0 b/tests/shell/testcases/maps/0016map_leak_0 new file mode 100755 index 0000000..e110ee4 --- /dev/null +++ b/tests/shell/testcases/maps/0016map_leak_0 @@ -0,0 +1,38 @@ +#!/bin/bash + +set -e + +RULESET="table ip t { + map sourcemap { + type ipv4_addr : verdict + elements = { 100.123.10.2 : jump c } + } + + chain c { + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak +$NFT flush ruleset + +# +# again with stateful objects +# + +RULESET="table ip t { + counter c {} + + map sourcemap { + type ipv4_addr : counter + elements = { 100.123.10.2 : \"c\" } + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak +$NFT flush ruleset diff --git a/tests/shell/testcases/maps/0017_map_variable_0 b/tests/shell/testcases/maps/0017_map_variable_0 new file mode 100755 index 0000000..e01adb4 --- /dev/null +++ b/tests/shell/testcases/maps/0017_map_variable_0 @@ -0,0 +1,32 @@ +#!/bin/bash + +set -e + +if [ "$NFT_TEST_HAVE_catchall_element" != n ] ; then + CATCHALL="* : 3," +else + CATCHALL="," +fi + +RULESET="define x = { + 1.1.1.1 : 2, + $CATCHALL +} + +table ip x { + map y { + typeof ip saddr : mark + elements = \$x + } + map z { + typeof ip saddr : mark + elements = \$x + } +}" + +$NFT -f - <<< "$RULESET" + +if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then + echo "Ran modified version of test due to NFT_TEST_HAVE_catchall_element=n (skipped)" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0018map_leak_timeout_0 b/tests/shell/testcases/maps/0018map_leak_timeout_0 new file mode 100755 index 0000000..09db315 --- /dev/null +++ b/tests/shell/testcases/maps/0018map_leak_timeout_0 @@ -0,0 +1,50 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +set -e + +RULESET="table ip t { + map sourcemap { + type ipv4_addr : verdict + timeout 3s + elements = { 100.123.10.2 : jump c } + } + + chain c { + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" + +# wait for elements to expire +sleep 5 + +# flush it to check for refcount leak +$NFT flush ruleset + +# +# again with stateful objects +# + +RULESET="table ip t { + counter c {} + + map sourcemap { + type ipv4_addr : counter + timeout 3s + elements = { 100.123.10.2 : \"c\" } + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak + +# wait for elements to expire +sleep 5 + +$NFT flush ruleset diff --git a/tests/shell/testcases/maps/anon_objmap_concat b/tests/shell/testcases/maps/anon_objmap_concat new file mode 100755 index 0000000..07820b7 --- /dev/null +++ b/tests/shell/testcases/maps/anon_objmap_concat @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/maps/anonymous_snat_map_0 b/tests/shell/testcases/maps/anonymous_snat_map_0 new file mode 100755 index 0000000..32aac8a --- /dev/null +++ b/tests/shell/testcases/maps/anonymous_snat_map_0 @@ -0,0 +1,8 @@ +#!/bin/bash + +# anonymous map can be added to a snat rule + +set -e +$NFT add table nat +$NFT add chain nat postrouting +$NFT add rule nat postrouting snat ip saddr map {1.1.1.1 : 2.2.2.2} diff --git a/tests/shell/testcases/maps/different_map_types_1 b/tests/shell/testcases/maps/different_map_types_1 new file mode 100755 index 0000000..a7e831f --- /dev/null +++ b/tests/shell/testcases/maps/different_map_types_1 @@ -0,0 +1,13 @@ +#!/bin/bash + +# must fail: expr MAP { expr : type1, expr : type2, .. } expr + +set -e + +$NFT add table ip filter +$NFT add chain ip filter output { type filter hook output priority 0 \; } + +$NFT add rule ip filter output meta mark set tcp dport map { 22 : 1, 23 : 192.168.0.1 } || exit 0 + +echo "E: Added two different types of expression to map" +exit 1 diff --git a/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft new file mode 100644 index 0000000..c651af0 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft @@ -0,0 +1,486 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { 10.0.1.1 : 10.0.1.1, 10.0.1.2 : 10.0.1.2, + 10.0.1.3 : 10.0.1.3, 10.0.1.4 : 10.0.1.4, + 10.0.1.5 : 10.0.1.5, 10.0.1.6 : 10.0.1.6, + 10.0.1.7 : 10.0.1.7, 10.0.1.8 : 10.0.1.8, + 10.0.1.9 : 10.0.1.9, 10.0.1.10 : 10.0.1.10, + 10.0.1.11 : 10.0.1.11, 10.0.1.12 : 10.0.1.12, + 10.0.1.13 : 10.0.1.13, 10.0.1.14 : 10.0.1.14, + 10.0.1.15 : 10.0.1.15, 10.0.1.16 : 10.0.1.16, + 10.0.1.17 : 10.0.1.17, 10.0.1.18 : 10.0.1.18, + 10.0.1.19 : 10.0.1.19, 10.0.1.20 : 10.0.1.20, + 10.0.1.21 : 10.0.1.21, 10.0.1.22 : 10.0.1.22, + 10.0.1.23 : 10.0.1.23, 10.0.1.24 : 10.0.1.24, + 10.0.1.25 : 10.0.1.25, 10.0.1.26 : 10.0.1.26, + 10.0.1.27 : 10.0.1.27, 10.0.1.28 : 10.0.1.28, + 10.0.1.29 : 10.0.1.29, 10.0.1.30 : 10.0.1.30, + 10.0.1.31 : 10.0.1.31, 10.0.2.1 : 10.0.2.1, + 10.0.2.2 : 10.0.2.2, 10.0.2.3 : 10.0.2.3, + 10.0.2.4 : 10.0.2.4, 10.0.2.5 : 10.0.2.5, + 10.0.2.6 : 10.0.2.6, 10.0.2.7 : 10.0.2.7, + 10.0.2.8 : 10.0.2.8, 10.0.2.9 : 10.0.2.9, + 10.0.2.10 : 10.0.2.10, 10.0.2.11 : 10.0.2.11, + 10.0.2.12 : 10.0.2.12, 10.0.2.13 : 10.0.2.13, + 10.0.2.14 : 10.0.2.14, 10.0.2.15 : 10.0.2.15, + 10.0.2.16 : 10.0.2.16, 10.0.2.17 : 10.0.2.17, + 10.0.2.18 : 10.0.2.18, 10.0.2.19 : 10.0.2.19, + 10.0.2.20 : 10.0.2.20, 10.0.2.21 : 10.0.2.21, + 10.0.2.22 : 10.0.2.22, 10.0.2.23 : 10.0.2.23, + 10.0.2.24 : 10.0.2.24, 10.0.2.25 : 10.0.2.25, + 10.0.2.26 : 10.0.2.26, 10.0.2.27 : 10.0.2.27, + 10.0.2.28 : 10.0.2.28, 10.0.2.29 : 10.0.2.29, + 10.0.2.30 : 10.0.2.30, 10.0.2.31 : 10.0.2.31, + 10.0.3.1 : 10.0.3.1, 10.0.3.2 : 10.0.3.2, + 10.0.3.3 : 10.0.3.3, 10.0.3.4 : 10.0.3.4, + 10.0.3.5 : 10.0.3.5, 10.0.3.6 : 10.0.3.6, + 10.0.3.7 : 10.0.3.7, 10.0.3.8 : 10.0.3.8, + 10.0.3.9 : 10.0.3.9, 10.0.3.10 : 10.0.3.10, + 10.0.3.11 : 10.0.3.11, 10.0.3.12 : 10.0.3.12, + 10.0.3.13 : 10.0.3.13, 10.0.3.14 : 10.0.3.14, + 10.0.3.15 : 10.0.3.15, 10.0.3.16 : 10.0.3.16, + 10.0.3.17 : 10.0.3.17, 10.0.3.18 : 10.0.3.18, + 10.0.3.19 : 10.0.3.19, 10.0.3.20 : 10.0.3.20, + 10.0.3.21 : 10.0.3.21, 10.0.3.22 : 10.0.3.22, + 10.0.3.23 : 10.0.3.23, 10.0.3.24 : 10.0.3.24, + 10.0.3.25 : 10.0.3.25, 10.0.3.26 : 10.0.3.26, + 10.0.3.27 : 10.0.3.27, 10.0.3.28 : 10.0.3.28, + 10.0.3.29 : 10.0.3.29, 10.0.3.30 : 10.0.3.30, + 10.0.3.31 : 10.0.3.31, 10.0.4.1 : 10.0.4.1, + 10.0.4.2 : 10.0.4.2, 10.0.4.3 : 10.0.4.3, + 10.0.4.4 : 10.0.4.4, 10.0.4.5 : 10.0.4.5, + 10.0.4.6 : 10.0.4.6, 10.0.4.7 : 10.0.4.7, + 10.0.4.8 : 10.0.4.8, 10.0.4.9 : 10.0.4.9, + 10.0.4.10 : 10.0.4.10, 10.0.4.11 : 10.0.4.11, + 10.0.4.12 : 10.0.4.12, 10.0.4.13 : 10.0.4.13, + 10.0.4.14 : 10.0.4.14, 10.0.4.15 : 10.0.4.15, + 10.0.4.16 : 10.0.4.16, 10.0.4.17 : 10.0.4.17, + 10.0.4.18 : 10.0.4.18, 10.0.4.19 : 10.0.4.19, + 10.0.4.20 : 10.0.4.20, 10.0.4.21 : 10.0.4.21, + 10.0.4.22 : 10.0.4.22, 10.0.4.23 : 10.0.4.23, + 10.0.4.24 : 10.0.4.24, 10.0.4.25 : 10.0.4.25, + 10.0.4.26 : 10.0.4.26, 10.0.4.27 : 10.0.4.27, + 10.0.4.28 : 10.0.4.28, 10.0.4.29 : 10.0.4.29, + 10.0.4.30 : 10.0.4.30, 10.0.4.31 : 10.0.4.31, + 10.0.5.1 : 10.0.5.1, 10.0.5.2 : 10.0.5.2, + 10.0.5.3 : 10.0.5.3, 10.0.5.4 : 10.0.5.4, + 10.0.5.5 : 10.0.5.5, 10.0.5.6 : 10.0.5.6, + 10.0.5.7 : 10.0.5.7, 10.0.5.8 : 10.0.5.8, + 10.0.5.9 : 10.0.5.9, 10.0.5.10 : 10.0.5.10, + 10.0.5.11 : 10.0.5.11, 10.0.5.12 : 10.0.5.12, + 10.0.5.13 : 10.0.5.13, 10.0.5.14 : 10.0.5.14, + 10.0.5.15 : 10.0.5.15, 10.0.5.16 : 10.0.5.16, + 10.0.5.17 : 10.0.5.17, 10.0.5.18 : 10.0.5.18, + 10.0.5.19 : 10.0.5.19, 10.0.5.20 : 10.0.5.20, + 10.0.5.21 : 10.0.5.21, 10.0.5.22 : 10.0.5.22, + 10.0.5.23 : 10.0.5.23, 10.0.5.24 : 10.0.5.24, + 10.0.5.25 : 10.0.5.25, 10.0.5.26 : 10.0.5.26, + 10.0.5.27 : 10.0.5.27, 10.0.5.28 : 10.0.5.28, + 10.0.5.29 : 10.0.5.29, 10.0.5.30 : 10.0.5.30, + 10.0.5.31 : 10.0.5.31, 10.0.6.1 : 10.0.6.1, + 10.0.6.2 : 10.0.6.2, 10.0.6.3 : 10.0.6.3, + 10.0.6.4 : 10.0.6.4, 10.0.6.5 : 10.0.6.5, + 10.0.6.6 : 10.0.6.6, 10.0.6.7 : 10.0.6.7, + 10.0.6.8 : 10.0.6.8, 10.0.6.9 : 10.0.6.9, + 10.0.6.10 : 10.0.6.10, 10.0.6.11 : 10.0.6.11, + 10.0.6.12 : 10.0.6.12, 10.0.6.13 : 10.0.6.13, + 10.0.6.14 : 10.0.6.14, 10.0.6.15 : 10.0.6.15, + 10.0.6.16 : 10.0.6.16, 10.0.6.17 : 10.0.6.17, + 10.0.6.18 : 10.0.6.18, 10.0.6.19 : 10.0.6.19, + 10.0.6.20 : 10.0.6.20, 10.0.6.21 : 10.0.6.21, + 10.0.6.22 : 10.0.6.22, 10.0.6.23 : 10.0.6.23, + 10.0.6.24 : 10.0.6.24, 10.0.6.25 : 10.0.6.25, + 10.0.6.26 : 10.0.6.26, 10.0.6.27 : 10.0.6.27, + 10.0.6.28 : 10.0.6.28, 10.0.6.29 : 10.0.6.29, + 10.0.6.30 : 10.0.6.30, 10.0.6.31 : 10.0.6.31, + 10.0.7.1 : 10.0.7.1, 10.0.7.2 : 10.0.7.2, + 10.0.7.3 : 10.0.7.3, 10.0.7.4 : 10.0.7.4, + 10.0.7.5 : 10.0.7.5, 10.0.7.6 : 10.0.7.6, + 10.0.7.7 : 10.0.7.7, 10.0.7.8 : 10.0.7.8, + 10.0.7.9 : 10.0.7.9, 10.0.7.10 : 10.0.7.10, + 10.0.7.11 : 10.0.7.11, 10.0.7.12 : 10.0.7.12, + 10.0.7.13 : 10.0.7.13, 10.0.7.14 : 10.0.7.14, + 10.0.7.15 : 10.0.7.15, 10.0.7.16 : 10.0.7.16, + 10.0.7.17 : 10.0.7.17, 10.0.7.18 : 10.0.7.18, + 10.0.7.19 : 10.0.7.19, 10.0.7.20 : 10.0.7.20, + 10.0.7.21 : 10.0.7.21, 10.0.7.22 : 10.0.7.22, + 10.0.7.23 : 10.0.7.23, 10.0.7.24 : 10.0.7.24, + 10.0.7.25 : 10.0.7.25, 10.0.7.26 : 10.0.7.26, + 10.0.7.27 : 10.0.7.27, 10.0.7.28 : 10.0.7.28, + 10.0.7.29 : 10.0.7.29, 10.0.7.30 : 10.0.7.30, + 10.0.7.31 : 10.0.7.31, 10.0.8.1 : 10.0.8.1, + 10.0.8.2 : 10.0.8.2, 10.0.8.3 : 10.0.8.3, + 10.0.8.4 : 10.0.8.4, 10.0.8.5 : 10.0.8.5, + 10.0.8.6 : 10.0.8.6, 10.0.8.7 : 10.0.8.7, + 10.0.8.8 : 10.0.8.8, 10.0.8.9 : 10.0.8.9, + 10.0.8.10 : 10.0.8.10, 10.0.8.11 : 10.0.8.11, + 10.0.8.12 : 10.0.8.12, 10.0.8.13 : 10.0.8.13, + 10.0.8.14 : 10.0.8.14, 10.0.8.15 : 10.0.8.15, + 10.0.8.16 : 10.0.8.16, 10.0.8.17 : 10.0.8.17, + 10.0.8.18 : 10.0.8.18, 10.0.8.19 : 10.0.8.19, + 10.0.8.20 : 10.0.8.20, 10.0.8.21 : 10.0.8.21, + 10.0.8.22 : 10.0.8.22, 10.0.8.23 : 10.0.8.23, + 10.0.8.24 : 10.0.8.24, 10.0.8.25 : 10.0.8.25, + 10.0.8.26 : 10.0.8.26, 10.0.8.27 : 10.0.8.27, + 10.0.8.28 : 10.0.8.28, 10.0.8.29 : 10.0.8.29, + 10.0.8.30 : 10.0.8.30, 10.0.8.31 : 10.0.8.31, + 10.0.9.1 : 10.0.9.1, 10.0.9.2 : 10.0.9.2, + 10.0.9.3 : 10.0.9.3, 10.0.9.4 : 10.0.9.4, + 10.0.9.5 : 10.0.9.5, 10.0.9.6 : 10.0.9.6, + 10.0.9.7 : 10.0.9.7, 10.0.9.8 : 10.0.9.8, + 10.0.9.9 : 10.0.9.9, 10.0.9.10 : 10.0.9.10, + 10.0.9.11 : 10.0.9.11, 10.0.9.12 : 10.0.9.12, + 10.0.9.13 : 10.0.9.13, 10.0.9.14 : 10.0.9.14, + 10.0.9.15 : 10.0.9.15, 10.0.9.16 : 10.0.9.16, + 10.0.9.17 : 10.0.9.17, 10.0.9.18 : 10.0.9.18, + 10.0.9.19 : 10.0.9.19, 10.0.9.20 : 10.0.9.20, + 10.0.9.21 : 10.0.9.21, 10.0.9.22 : 10.0.9.22, + 10.0.9.23 : 10.0.9.23, 10.0.9.24 : 10.0.9.24, + 10.0.9.25 : 10.0.9.25, 10.0.9.26 : 10.0.9.26, + 10.0.9.27 : 10.0.9.27, 10.0.9.28 : 10.0.9.28, + 10.0.9.29 : 10.0.9.29, 10.0.9.30 : 10.0.9.30, + 10.0.9.31 : 10.0.9.31, 10.0.10.1 : 10.0.10.1, + 10.0.10.2 : 10.0.10.2, 10.0.10.3 : 10.0.10.3, + 10.0.10.4 : 10.0.10.4, 10.0.10.5 : 10.0.10.5, + 10.0.10.6 : 10.0.10.6, 10.0.10.7 : 10.0.10.7, + 10.0.10.8 : 10.0.10.8, 10.0.10.9 : 10.0.10.9, + 10.0.10.10 : 10.0.10.10, 10.0.10.11 : 10.0.10.11, + 10.0.10.12 : 10.0.10.12, 10.0.10.13 : 10.0.10.13, + 10.0.10.14 : 10.0.10.14, 10.0.10.15 : 10.0.10.15, + 10.0.10.16 : 10.0.10.16, 10.0.10.17 : 10.0.10.17, + 10.0.10.18 : 10.0.10.18, 10.0.10.19 : 10.0.10.19, + 10.0.10.20 : 10.0.10.20, 10.0.10.21 : 10.0.10.21, + 10.0.10.22 : 10.0.10.22, 10.0.10.23 : 10.0.10.23, + 10.0.10.24 : 10.0.10.24, 10.0.10.25 : 10.0.10.25, + 10.0.10.26 : 10.0.10.26, 10.0.10.27 : 10.0.10.27, + 10.0.10.28 : 10.0.10.28, 10.0.10.29 : 10.0.10.29, + 10.0.10.30 : 10.0.10.30, 10.0.10.31 : 10.0.10.31, + 10.0.11.1 : 10.0.11.1, 10.0.11.2 : 10.0.11.2, + 10.0.11.3 : 10.0.11.3, 10.0.11.4 : 10.0.11.4, + 10.0.11.5 : 10.0.11.5, 10.0.11.6 : 10.0.11.6, + 10.0.11.7 : 10.0.11.7, 10.0.11.8 : 10.0.11.8, + 10.0.11.9 : 10.0.11.9, 10.0.11.10 : 10.0.11.10, + 10.0.11.11 : 10.0.11.11, 10.0.11.12 : 10.0.11.12, + 10.0.11.13 : 10.0.11.13, 10.0.11.14 : 10.0.11.14, + 10.0.11.15 : 10.0.11.15, 10.0.11.16 : 10.0.11.16, + 10.0.11.17 : 10.0.11.17, 10.0.11.18 : 10.0.11.18, + 10.0.11.19 : 10.0.11.19, 10.0.11.20 : 10.0.11.20, + 10.0.11.21 : 10.0.11.21, 10.0.11.22 : 10.0.11.22, + 10.0.11.23 : 10.0.11.23, 10.0.11.24 : 10.0.11.24, + 10.0.11.25 : 10.0.11.25, 10.0.11.26 : 10.0.11.26, + 10.0.11.27 : 10.0.11.27, 10.0.11.28 : 10.0.11.28, + 10.0.11.29 : 10.0.11.29, 10.0.11.30 : 10.0.11.30, + 10.0.11.31 : 10.0.11.31, 10.0.12.1 : 10.0.12.1, + 10.0.12.2 : 10.0.12.2, 10.0.12.3 : 10.0.12.3, + 10.0.12.4 : 10.0.12.4, 10.0.12.5 : 10.0.12.5, + 10.0.12.6 : 10.0.12.6, 10.0.12.7 : 10.0.12.7, + 10.0.12.8 : 10.0.12.8, 10.0.12.9 : 10.0.12.9, + 10.0.12.10 : 10.0.12.10, 10.0.12.11 : 10.0.12.11, + 10.0.12.12 : 10.0.12.12, 10.0.12.13 : 10.0.12.13, + 10.0.12.14 : 10.0.12.14, 10.0.12.15 : 10.0.12.15, + 10.0.12.16 : 10.0.12.16, 10.0.12.17 : 10.0.12.17, + 10.0.12.18 : 10.0.12.18, 10.0.12.19 : 10.0.12.19, + 10.0.12.20 : 10.0.12.20, 10.0.12.21 : 10.0.12.21, + 10.0.12.22 : 10.0.12.22, 10.0.12.23 : 10.0.12.23, + 10.0.12.24 : 10.0.12.24, 10.0.12.25 : 10.0.12.25, + 10.0.12.26 : 10.0.12.26, 10.0.12.27 : 10.0.12.27, + 10.0.12.28 : 10.0.12.28, 10.0.12.29 : 10.0.12.29, + 10.0.12.30 : 10.0.12.30, 10.0.12.31 : 10.0.12.31, + 10.0.13.1 : 10.0.13.1, 10.0.13.2 : 10.0.13.2, + 10.0.13.3 : 10.0.13.3, 10.0.13.4 : 10.0.13.4, + 10.0.13.5 : 10.0.13.5, 10.0.13.6 : 10.0.13.6, + 10.0.13.7 : 10.0.13.7, 10.0.13.8 : 10.0.13.8, + 10.0.13.9 : 10.0.13.9, 10.0.13.10 : 10.0.13.10, + 10.0.13.11 : 10.0.13.11, 10.0.13.12 : 10.0.13.12, + 10.0.13.13 : 10.0.13.13, 10.0.13.14 : 10.0.13.14, + 10.0.13.15 : 10.0.13.15, 10.0.13.16 : 10.0.13.16, + 10.0.13.17 : 10.0.13.17, 10.0.13.18 : 10.0.13.18, + 10.0.13.19 : 10.0.13.19, 10.0.13.20 : 10.0.13.20, + 10.0.13.21 : 10.0.13.21, 10.0.13.22 : 10.0.13.22, + 10.0.13.23 : 10.0.13.23, 10.0.13.24 : 10.0.13.24, + 10.0.13.25 : 10.0.13.25, 10.0.13.26 : 10.0.13.26, + 10.0.13.27 : 10.0.13.27, 10.0.13.28 : 10.0.13.28, + 10.0.13.29 : 10.0.13.29, 10.0.13.30 : 10.0.13.30, + 10.0.13.31 : 10.0.13.31, 10.0.14.1 : 10.0.14.1, + 10.0.14.2 : 10.0.14.2, 10.0.14.3 : 10.0.14.3, + 10.0.14.4 : 10.0.14.4, 10.0.14.5 : 10.0.14.5, + 10.0.14.6 : 10.0.14.6, 10.0.14.7 : 10.0.14.7, + 10.0.14.8 : 10.0.14.8, 10.0.14.9 : 10.0.14.9, + 10.0.14.10 : 10.0.14.10, 10.0.14.11 : 10.0.14.11, + 10.0.14.12 : 10.0.14.12, 10.0.14.13 : 10.0.14.13, + 10.0.14.14 : 10.0.14.14, 10.0.14.15 : 10.0.14.15, + 10.0.14.16 : 10.0.14.16, 10.0.14.17 : 10.0.14.17, + 10.0.14.18 : 10.0.14.18, 10.0.14.19 : 10.0.14.19, + 10.0.14.20 : 10.0.14.20, 10.0.14.21 : 10.0.14.21, + 10.0.14.22 : 10.0.14.22, 10.0.14.23 : 10.0.14.23, + 10.0.14.24 : 10.0.14.24, 10.0.14.25 : 10.0.14.25, + 10.0.14.26 : 10.0.14.26, 10.0.14.27 : 10.0.14.27, + 10.0.14.28 : 10.0.14.28, 10.0.14.29 : 10.0.14.29, + 10.0.14.30 : 10.0.14.30, 10.0.14.31 : 10.0.14.31, + 10.0.15.1 : 10.0.15.1, 10.0.15.2 : 10.0.15.2, + 10.0.15.3 : 10.0.15.3, 10.0.15.4 : 10.0.15.4, + 10.0.15.5 : 10.0.15.5, 10.0.15.6 : 10.0.15.6, + 10.0.15.7 : 10.0.15.7, 10.0.15.8 : 10.0.15.8, + 10.0.15.9 : 10.0.15.9, 10.0.15.10 : 10.0.15.10, + 10.0.15.11 : 10.0.15.11, 10.0.15.12 : 10.0.15.12, + 10.0.15.13 : 10.0.15.13, 10.0.15.14 : 10.0.15.14, + 10.0.15.15 : 10.0.15.15, 10.0.15.16 : 10.0.15.16, + 10.0.15.17 : 10.0.15.17, 10.0.15.18 : 10.0.15.18, + 10.0.15.19 : 10.0.15.19, 10.0.15.20 : 10.0.15.20, + 10.0.15.21 : 10.0.15.21, 10.0.15.22 : 10.0.15.22, + 10.0.15.23 : 10.0.15.23, 10.0.15.24 : 10.0.15.24, + 10.0.15.25 : 10.0.15.25, 10.0.15.26 : 10.0.15.26, + 10.0.15.27 : 10.0.15.27, 10.0.15.28 : 10.0.15.28, + 10.0.15.29 : 10.0.15.29, 10.0.15.30 : 10.0.15.30, + 10.0.15.31 : 10.0.15.31, 10.0.16.1 : 10.0.16.1, + 10.0.16.2 : 10.0.16.2, 10.0.16.3 : 10.0.16.3, + 10.0.16.4 : 10.0.16.4, 10.0.16.5 : 10.0.16.5, + 10.0.16.6 : 10.0.16.6, 10.0.16.7 : 10.0.16.7, + 10.0.16.8 : 10.0.16.8, 10.0.16.9 : 10.0.16.9, + 10.0.16.10 : 10.0.16.10, 10.0.16.11 : 10.0.16.11, + 10.0.16.12 : 10.0.16.12, 10.0.16.13 : 10.0.16.13, + 10.0.16.14 : 10.0.16.14, 10.0.16.15 : 10.0.16.15, + 10.0.16.16 : 10.0.16.16, 10.0.16.17 : 10.0.16.17, + 10.0.16.18 : 10.0.16.18, 10.0.16.19 : 10.0.16.19, + 10.0.16.20 : 10.0.16.20, 10.0.16.21 : 10.0.16.21, + 10.0.16.22 : 10.0.16.22, 10.0.16.23 : 10.0.16.23, + 10.0.16.24 : 10.0.16.24, 10.0.16.25 : 10.0.16.25, + 10.0.16.26 : 10.0.16.26, 10.0.16.27 : 10.0.16.27, + 10.0.16.28 : 10.0.16.28, 10.0.16.29 : 10.0.16.29, + 10.0.16.30 : 10.0.16.30, 10.0.16.31 : 10.0.16.31, + 10.0.17.1 : 10.0.17.1, 10.0.17.2 : 10.0.17.2, + 10.0.17.3 : 10.0.17.3, 10.0.17.4 : 10.0.17.4, + 10.0.17.5 : 10.0.17.5, 10.0.17.6 : 10.0.17.6, + 10.0.17.7 : 10.0.17.7, 10.0.17.8 : 10.0.17.8, + 10.0.17.9 : 10.0.17.9, 10.0.17.10 : 10.0.17.10, + 10.0.17.11 : 10.0.17.11, 10.0.17.12 : 10.0.17.12, + 10.0.17.13 : 10.0.17.13, 10.0.17.14 : 10.0.17.14, + 10.0.17.15 : 10.0.17.15, 10.0.17.16 : 10.0.17.16, + 10.0.17.17 : 10.0.17.17, 10.0.17.18 : 10.0.17.18, + 10.0.17.19 : 10.0.17.19, 10.0.17.20 : 10.0.17.20, + 10.0.17.21 : 10.0.17.21, 10.0.17.22 : 10.0.17.22, + 10.0.17.23 : 10.0.17.23, 10.0.17.24 : 10.0.17.24, + 10.0.17.25 : 10.0.17.25, 10.0.17.26 : 10.0.17.26, + 10.0.17.27 : 10.0.17.27, 10.0.17.28 : 10.0.17.28, + 10.0.17.29 : 10.0.17.29, 10.0.17.30 : 10.0.17.30, + 10.0.17.31 : 10.0.17.31, 10.0.18.1 : 10.0.18.1, + 10.0.18.2 : 10.0.18.2, 10.0.18.3 : 10.0.18.3, + 10.0.18.4 : 10.0.18.4, 10.0.18.5 : 10.0.18.5, + 10.0.18.6 : 10.0.18.6, 10.0.18.7 : 10.0.18.7, + 10.0.18.8 : 10.0.18.8, 10.0.18.9 : 10.0.18.9, + 10.0.18.10 : 10.0.18.10, 10.0.18.11 : 10.0.18.11, + 10.0.18.12 : 10.0.18.12, 10.0.18.13 : 10.0.18.13, + 10.0.18.14 : 10.0.18.14, 10.0.18.15 : 10.0.18.15, + 10.0.18.16 : 10.0.18.16, 10.0.18.17 : 10.0.18.17, + 10.0.18.18 : 10.0.18.18, 10.0.18.19 : 10.0.18.19, + 10.0.18.20 : 10.0.18.20, 10.0.18.21 : 10.0.18.21, + 10.0.18.22 : 10.0.18.22, 10.0.18.23 : 10.0.18.23, + 10.0.18.24 : 10.0.18.24, 10.0.18.25 : 10.0.18.25, + 10.0.18.26 : 10.0.18.26, 10.0.18.27 : 10.0.18.27, + 10.0.18.28 : 10.0.18.28, 10.0.18.29 : 10.0.18.29, + 10.0.18.30 : 10.0.18.30, 10.0.18.31 : 10.0.18.31, + 10.0.19.1 : 10.0.19.1, 10.0.19.2 : 10.0.19.2, + 10.0.19.3 : 10.0.19.3, 10.0.19.4 : 10.0.19.4, + 10.0.19.5 : 10.0.19.5, 10.0.19.6 : 10.0.19.6, + 10.0.19.7 : 10.0.19.7, 10.0.19.8 : 10.0.19.8, + 10.0.19.9 : 10.0.19.9, 10.0.19.10 : 10.0.19.10, + 10.0.19.11 : 10.0.19.11, 10.0.19.12 : 10.0.19.12, + 10.0.19.13 : 10.0.19.13, 10.0.19.14 : 10.0.19.14, + 10.0.19.15 : 10.0.19.15, 10.0.19.16 : 10.0.19.16, + 10.0.19.17 : 10.0.19.17, 10.0.19.18 : 10.0.19.18, + 10.0.19.19 : 10.0.19.19, 10.0.19.20 : 10.0.19.20, + 10.0.19.21 : 10.0.19.21, 10.0.19.22 : 10.0.19.22, + 10.0.19.23 : 10.0.19.23, 10.0.19.24 : 10.0.19.24, + 10.0.19.25 : 10.0.19.25, 10.0.19.26 : 10.0.19.26, + 10.0.19.27 : 10.0.19.27, 10.0.19.28 : 10.0.19.28, + 10.0.19.29 : 10.0.19.29, 10.0.19.30 : 10.0.19.30, + 10.0.19.31 : 10.0.19.31, 10.0.20.1 : 10.0.20.1, + 10.0.20.2 : 10.0.20.2, 10.0.20.3 : 10.0.20.3, + 10.0.20.4 : 10.0.20.4, 10.0.20.5 : 10.0.20.5, + 10.0.20.6 : 10.0.20.6, 10.0.20.7 : 10.0.20.7, + 10.0.20.8 : 10.0.20.8, 10.0.20.9 : 10.0.20.9, + 10.0.20.10 : 10.0.20.10, 10.0.20.11 : 10.0.20.11, + 10.0.20.12 : 10.0.20.12, 10.0.20.13 : 10.0.20.13, + 10.0.20.14 : 10.0.20.14, 10.0.20.15 : 10.0.20.15, + 10.0.20.16 : 10.0.20.16, 10.0.20.17 : 10.0.20.17, + 10.0.20.18 : 10.0.20.18, 10.0.20.19 : 10.0.20.19, + 10.0.20.20 : 10.0.20.20, 10.0.20.21 : 10.0.20.21, + 10.0.20.22 : 10.0.20.22, 10.0.20.23 : 10.0.20.23, + 10.0.20.24 : 10.0.20.24, 10.0.20.25 : 10.0.20.25, + 10.0.20.26 : 10.0.20.26, 10.0.20.27 : 10.0.20.27, + 10.0.20.28 : 10.0.20.28, 10.0.20.29 : 10.0.20.29, + 10.0.20.30 : 10.0.20.30, 10.0.20.31 : 10.0.20.31, + 10.0.21.1 : 10.0.21.1, 10.0.21.2 : 10.0.21.2, + 10.0.21.3 : 10.0.21.3, 10.0.21.4 : 10.0.21.4, + 10.0.21.5 : 10.0.21.5, 10.0.21.6 : 10.0.21.6, + 10.0.21.7 : 10.0.21.7, 10.0.21.8 : 10.0.21.8, + 10.0.21.9 : 10.0.21.9, 10.0.21.10 : 10.0.21.10, + 10.0.21.11 : 10.0.21.11, 10.0.21.12 : 10.0.21.12, + 10.0.21.13 : 10.0.21.13, 10.0.21.14 : 10.0.21.14, + 10.0.21.15 : 10.0.21.15, 10.0.21.16 : 10.0.21.16, + 10.0.21.17 : 10.0.21.17, 10.0.21.18 : 10.0.21.18, + 10.0.21.19 : 10.0.21.19, 10.0.21.20 : 10.0.21.20, + 10.0.21.21 : 10.0.21.21, 10.0.21.22 : 10.0.21.22, + 10.0.21.23 : 10.0.21.23, 10.0.21.24 : 10.0.21.24, + 10.0.21.25 : 10.0.21.25, 10.0.21.26 : 10.0.21.26, + 10.0.21.27 : 10.0.21.27, 10.0.21.28 : 10.0.21.28, + 10.0.21.29 : 10.0.21.29, 10.0.21.30 : 10.0.21.30, + 10.0.21.31 : 10.0.21.31, 10.0.22.1 : 10.0.22.1, + 10.0.22.2 : 10.0.22.2, 10.0.22.3 : 10.0.22.3, + 10.0.22.4 : 10.0.22.4, 10.0.22.5 : 10.0.22.5, + 10.0.22.6 : 10.0.22.6, 10.0.22.7 : 10.0.22.7, + 10.0.22.8 : 10.0.22.8, 10.0.22.9 : 10.0.22.9, + 10.0.22.10 : 10.0.22.10, 10.0.22.11 : 10.0.22.11, + 10.0.22.12 : 10.0.22.12, 10.0.22.13 : 10.0.22.13, + 10.0.22.14 : 10.0.22.14, 10.0.22.15 : 10.0.22.15, + 10.0.22.16 : 10.0.22.16, 10.0.22.17 : 10.0.22.17, + 10.0.22.18 : 10.0.22.18, 10.0.22.19 : 10.0.22.19, + 10.0.22.20 : 10.0.22.20, 10.0.22.21 : 10.0.22.21, + 10.0.22.22 : 10.0.22.22, 10.0.22.23 : 10.0.22.23, + 10.0.22.24 : 10.0.22.24, 10.0.22.25 : 10.0.22.25, + 10.0.22.26 : 10.0.22.26, 10.0.22.27 : 10.0.22.27, + 10.0.22.28 : 10.0.22.28, 10.0.22.29 : 10.0.22.29, + 10.0.22.30 : 10.0.22.30, 10.0.22.31 : 10.0.22.31, + 10.0.23.1 : 10.0.23.1, 10.0.23.2 : 10.0.23.2, + 10.0.23.3 : 10.0.23.3, 10.0.23.4 : 10.0.23.4, + 10.0.23.5 : 10.0.23.5, 10.0.23.6 : 10.0.23.6, + 10.0.23.7 : 10.0.23.7, 10.0.23.8 : 10.0.23.8, + 10.0.23.9 : 10.0.23.9, 10.0.23.10 : 10.0.23.10, + 10.0.23.11 : 10.0.23.11, 10.0.23.12 : 10.0.23.12, + 10.0.23.13 : 10.0.23.13, 10.0.23.14 : 10.0.23.14, + 10.0.23.15 : 10.0.23.15, 10.0.23.16 : 10.0.23.16, + 10.0.23.17 : 10.0.23.17, 10.0.23.18 : 10.0.23.18, + 10.0.23.19 : 10.0.23.19, 10.0.23.20 : 10.0.23.20, + 10.0.23.21 : 10.0.23.21, 10.0.23.22 : 10.0.23.22, + 10.0.23.23 : 10.0.23.23, 10.0.23.24 : 10.0.23.24, + 10.0.23.25 : 10.0.23.25, 10.0.23.26 : 10.0.23.26, + 10.0.23.27 : 10.0.23.27, 10.0.23.28 : 10.0.23.28, + 10.0.23.29 : 10.0.23.29, 10.0.23.30 : 10.0.23.30, + 10.0.23.31 : 10.0.23.31, 10.0.24.1 : 10.0.24.1, + 10.0.24.2 : 10.0.24.2, 10.0.24.3 : 10.0.24.3, + 10.0.24.4 : 10.0.24.4, 10.0.24.5 : 10.0.24.5, + 10.0.24.6 : 10.0.24.6, 10.0.24.7 : 10.0.24.7, + 10.0.24.8 : 10.0.24.8, 10.0.24.9 : 10.0.24.9, + 10.0.24.10 : 10.0.24.10, 10.0.24.11 : 10.0.24.11, + 10.0.24.12 : 10.0.24.12, 10.0.24.13 : 10.0.24.13, + 10.0.24.14 : 10.0.24.14, 10.0.24.15 : 10.0.24.15, + 10.0.24.16 : 10.0.24.16, 10.0.24.17 : 10.0.24.17, + 10.0.24.18 : 10.0.24.18, 10.0.24.19 : 10.0.24.19, + 10.0.24.20 : 10.0.24.20, 10.0.24.21 : 10.0.24.21, + 10.0.24.22 : 10.0.24.22, 10.0.24.23 : 10.0.24.23, + 10.0.24.24 : 10.0.24.24, 10.0.24.25 : 10.0.24.25, + 10.0.24.26 : 10.0.24.26, 10.0.24.27 : 10.0.24.27, + 10.0.24.28 : 10.0.24.28, 10.0.24.29 : 10.0.24.29, + 10.0.24.30 : 10.0.24.30, 10.0.24.31 : 10.0.24.31, + 10.0.25.1 : 10.0.25.1, 10.0.25.2 : 10.0.25.2, + 10.0.25.3 : 10.0.25.3, 10.0.25.4 : 10.0.25.4, + 10.0.25.5 : 10.0.25.5, 10.0.25.6 : 10.0.25.6, + 10.0.25.7 : 10.0.25.7, 10.0.25.8 : 10.0.25.8, + 10.0.25.9 : 10.0.25.9, 10.0.25.10 : 10.0.25.10, + 10.0.25.11 : 10.0.25.11, 10.0.25.12 : 10.0.25.12, + 10.0.25.13 : 10.0.25.13, 10.0.25.14 : 10.0.25.14, + 10.0.25.15 : 10.0.25.15, 10.0.25.16 : 10.0.25.16, + 10.0.25.17 : 10.0.25.17, 10.0.25.18 : 10.0.25.18, + 10.0.25.19 : 10.0.25.19, 10.0.25.20 : 10.0.25.20, + 10.0.25.21 : 10.0.25.21, 10.0.25.22 : 10.0.25.22, + 10.0.25.23 : 10.0.25.23, 10.0.25.24 : 10.0.25.24, + 10.0.25.25 : 10.0.25.25, 10.0.25.26 : 10.0.25.26, + 10.0.25.27 : 10.0.25.27, 10.0.25.28 : 10.0.25.28, + 10.0.25.29 : 10.0.25.29, 10.0.25.30 : 10.0.25.30, + 10.0.25.31 : 10.0.25.31, 10.0.26.1 : 10.0.26.1, + 10.0.26.2 : 10.0.26.2, 10.0.26.3 : 10.0.26.3, + 10.0.26.4 : 10.0.26.4, 10.0.26.5 : 10.0.26.5, + 10.0.26.6 : 10.0.26.6, 10.0.26.7 : 10.0.26.7, + 10.0.26.8 : 10.0.26.8, 10.0.26.9 : 10.0.26.9, + 10.0.26.10 : 10.0.26.10, 10.0.26.11 : 10.0.26.11, + 10.0.26.12 : 10.0.26.12, 10.0.26.13 : 10.0.26.13, + 10.0.26.14 : 10.0.26.14, 10.0.26.15 : 10.0.26.15, + 10.0.26.16 : 10.0.26.16, 10.0.26.17 : 10.0.26.17, + 10.0.26.18 : 10.0.26.18, 10.0.26.19 : 10.0.26.19, + 10.0.26.20 : 10.0.26.20, 10.0.26.21 : 10.0.26.21, + 10.0.26.22 : 10.0.26.22, 10.0.26.23 : 10.0.26.23, + 10.0.26.24 : 10.0.26.24, 10.0.26.25 : 10.0.26.25, + 10.0.26.26 : 10.0.26.26, 10.0.26.27 : 10.0.26.27, + 10.0.26.28 : 10.0.26.28, 10.0.26.29 : 10.0.26.29, + 10.0.26.30 : 10.0.26.30, 10.0.26.31 : 10.0.26.31, + 10.0.27.1 : 10.0.27.1, 10.0.27.2 : 10.0.27.2, + 10.0.27.3 : 10.0.27.3, 10.0.27.4 : 10.0.27.4, + 10.0.27.5 : 10.0.27.5, 10.0.27.6 : 10.0.27.6, + 10.0.27.7 : 10.0.27.7, 10.0.27.8 : 10.0.27.8, + 10.0.27.9 : 10.0.27.9, 10.0.27.10 : 10.0.27.10, + 10.0.27.11 : 10.0.27.11, 10.0.27.12 : 10.0.27.12, + 10.0.27.13 : 10.0.27.13, 10.0.27.14 : 10.0.27.14, + 10.0.27.15 : 10.0.27.15, 10.0.27.16 : 10.0.27.16, + 10.0.27.17 : 10.0.27.17, 10.0.27.18 : 10.0.27.18, + 10.0.27.19 : 10.0.27.19, 10.0.27.20 : 10.0.27.20, + 10.0.27.21 : 10.0.27.21, 10.0.27.22 : 10.0.27.22, + 10.0.27.23 : 10.0.27.23, 10.0.27.24 : 10.0.27.24, + 10.0.27.25 : 10.0.27.25, 10.0.27.26 : 10.0.27.26, + 10.0.27.27 : 10.0.27.27, 10.0.27.28 : 10.0.27.28, + 10.0.27.29 : 10.0.27.29, 10.0.27.30 : 10.0.27.30, + 10.0.27.31 : 10.0.27.31, 10.0.28.1 : 10.0.28.1, + 10.0.28.2 : 10.0.28.2, 10.0.28.3 : 10.0.28.3, + 10.0.28.4 : 10.0.28.4, 10.0.28.5 : 10.0.28.5, + 10.0.28.6 : 10.0.28.6, 10.0.28.7 : 10.0.28.7, + 10.0.28.8 : 10.0.28.8, 10.0.28.9 : 10.0.28.9, + 10.0.28.10 : 10.0.28.10, 10.0.28.11 : 10.0.28.11, + 10.0.28.12 : 10.0.28.12, 10.0.28.13 : 10.0.28.13, + 10.0.28.14 : 10.0.28.14, 10.0.28.15 : 10.0.28.15, + 10.0.28.16 : 10.0.28.16, 10.0.28.17 : 10.0.28.17, + 10.0.28.18 : 10.0.28.18, 10.0.28.19 : 10.0.28.19, + 10.0.28.20 : 10.0.28.20, 10.0.28.21 : 10.0.28.21, + 10.0.28.22 : 10.0.28.22, 10.0.28.23 : 10.0.28.23, + 10.0.28.24 : 10.0.28.24, 10.0.28.25 : 10.0.28.25, + 10.0.28.26 : 10.0.28.26, 10.0.28.27 : 10.0.28.27, + 10.0.28.28 : 10.0.28.28, 10.0.28.29 : 10.0.28.29, + 10.0.28.30 : 10.0.28.30, 10.0.28.31 : 10.0.28.31, + 10.0.29.1 : 10.0.29.1, 10.0.29.2 : 10.0.29.2, + 10.0.29.3 : 10.0.29.3, 10.0.29.4 : 10.0.29.4, + 10.0.29.5 : 10.0.29.5, 10.0.29.6 : 10.0.29.6, + 10.0.29.7 : 10.0.29.7, 10.0.29.8 : 10.0.29.8, + 10.0.29.9 : 10.0.29.9, 10.0.29.10 : 10.0.29.10, + 10.0.29.11 : 10.0.29.11, 10.0.29.12 : 10.0.29.12, + 10.0.29.13 : 10.0.29.13, 10.0.29.14 : 10.0.29.14, + 10.0.29.15 : 10.0.29.15, 10.0.29.16 : 10.0.29.16, + 10.0.29.17 : 10.0.29.17, 10.0.29.18 : 10.0.29.18, + 10.0.29.19 : 10.0.29.19, 10.0.29.20 : 10.0.29.20, + 10.0.29.21 : 10.0.29.21, 10.0.29.22 : 10.0.29.22, + 10.0.29.23 : 10.0.29.23, 10.0.29.24 : 10.0.29.24, + 10.0.29.25 : 10.0.29.25, 10.0.29.26 : 10.0.29.26, + 10.0.29.27 : 10.0.29.27, 10.0.29.28 : 10.0.29.28, + 10.0.29.29 : 10.0.29.29, 10.0.29.30 : 10.0.29.30, + 10.0.29.31 : 10.0.29.31, 10.0.30.1 : 10.0.30.1, + 10.0.30.2 : 10.0.30.2, 10.0.30.3 : 10.0.30.3, + 10.0.30.4 : 10.0.30.4, 10.0.30.5 : 10.0.30.5, + 10.0.30.6 : 10.0.30.6, 10.0.30.7 : 10.0.30.7, + 10.0.30.8 : 10.0.30.8, 10.0.30.9 : 10.0.30.9, + 10.0.30.10 : 10.0.30.10, 10.0.30.11 : 10.0.30.11, + 10.0.30.12 : 10.0.30.12, 10.0.30.13 : 10.0.30.13, + 10.0.30.14 : 10.0.30.14, 10.0.30.15 : 10.0.30.15, + 10.0.30.16 : 10.0.30.16, 10.0.30.17 : 10.0.30.17, + 10.0.30.18 : 10.0.30.18, 10.0.30.19 : 10.0.30.19, + 10.0.30.20 : 10.0.30.20, 10.0.30.21 : 10.0.30.21, + 10.0.30.22 : 10.0.30.22, 10.0.30.23 : 10.0.30.23, + 10.0.30.24 : 10.0.30.24, 10.0.30.25 : 10.0.30.25, + 10.0.30.26 : 10.0.30.26, 10.0.30.27 : 10.0.30.27, + 10.0.30.28 : 10.0.30.28, 10.0.30.29 : 10.0.30.29, + 10.0.30.30 : 10.0.30.30, 10.0.30.31 : 10.0.30.31, + 10.0.31.1 : 10.0.31.1, 10.0.31.2 : 10.0.31.2, + 10.0.31.3 : 10.0.31.3, 10.0.31.4 : 10.0.31.4, + 10.0.31.5 : 10.0.31.5, 10.0.31.6 : 10.0.31.6, + 10.0.31.7 : 10.0.31.7, 10.0.31.8 : 10.0.31.8, + 10.0.31.9 : 10.0.31.9, 10.0.31.10 : 10.0.31.10, + 10.0.31.11 : 10.0.31.11, 10.0.31.12 : 10.0.31.12, + 10.0.31.13 : 10.0.31.13, 10.0.31.14 : 10.0.31.14, + 10.0.31.15 : 10.0.31.15, 10.0.31.16 : 10.0.31.16, + 10.0.31.17 : 10.0.31.17, 10.0.31.18 : 10.0.31.18, + 10.0.31.19 : 10.0.31.19, 10.0.31.20 : 10.0.31.20, + 10.0.31.21 : 10.0.31.21, 10.0.31.22 : 10.0.31.22, + 10.0.31.23 : 10.0.31.23, 10.0.31.24 : 10.0.31.24, + 10.0.31.25 : 10.0.31.25, 10.0.31.26 : 10.0.31.26, + 10.0.31.27 : 10.0.31.27, 10.0.31.28 : 10.0.31.28, + 10.0.31.29 : 10.0.31.29, 10.0.31.30 : 10.0.31.30, + 10.0.31.31 : 10.0.31.31 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump diff --git a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft new file mode 100644 index 0000000..ab992c4 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft @@ -0,0 +1,8 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.1.1.0/24 : 10.0.1.1, 10.1.2.0/24 : 10.0.1.2, + 10.2.1.0/24 : 10.0.2.1, 10.2.2.0/24 : 10.0.2.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft new file mode 100644 index 0000000..1f5343f --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft @@ -0,0 +1,7 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.0.1.0/24 : 10.0.0.1, 10.0.2.0/24 : 10.0.0.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft new file mode 100644 index 0000000..878e7c0 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft @@ -0,0 +1,11 @@ +table inet t { + map m1 { + type ifname : ipv4_addr + elements = { "eth0" : 1.1.1.1 } + } + + chain c { + ip daddr set iifname map @m1 + ip daddr set oifname map @m1 + } +} diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft new file mode 100644 index 0000000..a470a34 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft @@ -0,0 +1,15 @@ +table ip filter { + map m { + type ipv4_addr : mark + flags interval + elements = { 127.0.0.2 : 0x00000002, 127.0.0.3 : 0x00000003 } + } + + chain input { + type filter hook input priority filter; policy accept; + meta mark set ip daddr map @m + meta mark 0x00000002 counter packets 0 bytes 0 accept + meta mark 0x00000003 counter packets 0 bytes 0 accept + counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.nft b/tests/shell/testcases/maps/dumps/0009vmap_0.nft new file mode 100644 index 0000000..c37574a --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0009vmap_0.nft @@ -0,0 +1,13 @@ +table inet filter { + chain ssh_input { + } + + chain wan_input { + tcp dport vmap { 22 : jump ssh_input } + } + + chain prerouting { + type filter hook prerouting priority raw; policy accept; + iif vmap { "lo" counter packets 0 bytes 0 : jump wan_input } + } +} diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft new file mode 100644 index 0000000..2f796b5 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft @@ -0,0 +1,11 @@ +table inet x { + map z { + type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service + elements = { 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30 } + } + + chain y { + type nat hook prerouting priority dstnat; policy accept; + dnat ip to ip saddr . ip protocol . tcp dport map @z + } +} diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.nft b/tests/shell/testcases/maps/dumps/0011vmap_0.nft new file mode 100644 index 0000000..4a72b5e --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0011vmap_0.nft @@ -0,0 +1,19 @@ +table inet filter { + map portmap { + type inet_service : verdict + counter + elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop } + } + + chain ssh_input { + } + + chain wan_input { + tcp dport vmap @portmap + } + + chain prerouting { + type filter hook prerouting priority raw; policy accept; + iif vmap { "lo" : jump wan_input } + } +} diff --git a/tests/shell/testcases/maps/dumps/0012map_0.nft b/tests/shell/testcases/maps/dumps/0012map_0.nft new file mode 100644 index 0000000..895490c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0012map_0.nft @@ -0,0 +1,25 @@ +table ip x { + map z { + type ifname : verdict + elements = { "lo" : accept, + "eth0" : drop, + "eth1" : drop } + } + + map w { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { 127.0.0.1-127.0.0.4 . 0x00123434-0x00b00122 counter packets 0 bytes 0 : accept } + } + + chain y { + iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop } + } + + chain k { + type filter hook input priority filter + 1; policy accept; + meta mark set 0x00123434 + ip saddr . meta mark vmap @w + } +} diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft new file mode 100644 index 0000000..1455877 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0013map_0.nft @@ -0,0 +1,13 @@ +table ip filter { + map forwport { + type ipv4_addr . inet_proto . inet_service : verdict + flags interval + counter + elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept } + } + + chain FORWARD { + type filter hook forward priority filter; policy drop; + iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/maps/dumps/0014destroy_0.nft b/tests/shell/testcases/maps/dumps/0014destroy_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0014destroy_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/maps/dumps/0016map_leak_0.nft b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft new file mode 100644 index 0000000..796dd72 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft @@ -0,0 +1,11 @@ +table ip x { + map y { + typeof ip saddr : meta mark + elements = { 1.1.1.1 : 0x00000002, * : 0x00000003 } + } + + map z { + typeof ip saddr : meta mark + elements = { 1.1.1.1 : 0x00000002, * : 0x00000003 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft diff --git a/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft b/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft new file mode 100644 index 0000000..23aca0a --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft @@ -0,0 +1,16 @@ +table inet filter { + ct helper sip-5060u { + type "sip" protocol udp + l3proto ip + } + + ct helper sip-5060t { + type "sip" protocol tcp + l3proto ip + } + + chain input { + type filter hook input priority filter; policy accept; + ct helper set ip protocol . th dport map { udp . 10000-20000 : "sip-5060u", tcp . 10000-20000 : "sip-5060t" } + } +} diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft new file mode 100644 index 0000000..5009560 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft @@ -0,0 +1,5 @@ +table ip nat { + chain postrouting { + snat to ip saddr map { 1.1.1.1 : 2.2.2.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/different_map_types_1.nft b/tests/shell/testcases/maps/dumps/different_map_types_1.nft new file mode 100644 index 0000000..3c18b5c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/different_map_types_1.nft @@ -0,0 +1,5 @@ +table ip filter { + chain output { + type filter hook output priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft new file mode 100644 index 0000000..37c48bf --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft @@ -0,0 +1,4 @@ +table ip test { + chain testchain { + } +} diff --git a/tests/shell/testcases/maps/dumps/map_with_flags_0.nft b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft new file mode 100644 index 0000000..c96b1ed --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft @@ -0,0 +1,6 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags timeout + } +} diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft new file mode 100644 index 0000000..a7c5751 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft @@ -0,0 +1,10 @@ +table ip nat { + map m { + type ipv4_addr : ipv4_addr + elements = { 1.1.1.1 : 2.2.2.2 } + } + + chain postrouting { + snat to ip saddr map @m + } +} diff --git a/tests/shell/testcases/maps/dumps/nat_addr_port.nft b/tests/shell/testcases/maps/dumps/nat_addr_port.nft new file mode 100644 index 0000000..c8493b3 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/nat_addr_port.nft @@ -0,0 +1,129 @@ +table ip ipfoo { + map t1 { + typeof numgen inc mod 2 : ip daddr + } + + map t2 { + typeof numgen inc mod 2 : ip daddr . tcp dport + } + + map x { + type ipv4_addr : ipv4_addr + } + + map y { + type ipv4_addr : ipv4_addr . inet_service + elements = { 192.168.7.2 : 10.1.1.1 . 4242 } + } + + map z { + type ipv4_addr . inet_service : ipv4_addr . inet_service + elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 } + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + iifname != "foobar" accept + dnat to ip daddr map @x + ip saddr 10.1.1.1 dnat to 10.2.3.4 + ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242 + meta l4proto tcp dnat ip to ip saddr map @y + dnat ip to ip saddr . tcp dport map @z + dnat to numgen inc mod 2 map @t1 + meta l4proto tcp dnat ip to numgen inc mod 2 map @t2 + } +} +table ip6 ip6foo { + map t1 { + typeof numgen inc mod 2 : ip6 daddr + } + + map t2 { + typeof numgen inc mod 2 : ip6 daddr . tcp dport + } + + map x { + type ipv6_addr : ipv6_addr + } + + map y { + type ipv6_addr : ipv6_addr . inet_service + } + + map z { + type ipv6_addr . inet_service : ipv6_addr . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + iifname != "foobar" accept + dnat to ip6 daddr map @x + ip6 saddr dead::1 dnat to feed::1 + ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242 + meta l4proto tcp dnat ip6 to ip6 saddr map @y + dnat ip6 to ip6 saddr . tcp dport map @z + dnat to numgen inc mod 2 map @t1 + meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2 + } +} +table inet inetfoo { + map t1v4 { + typeof numgen inc mod 2 : ip daddr + } + + map t2v4 { + typeof numgen inc mod 2 : ip daddr . tcp dport + } + + map t1v6 { + typeof numgen inc mod 2 : ip6 daddr + } + + map t2v6 { + typeof numgen inc mod 2 : ip6 daddr . tcp dport + } + + map x4 { + type ipv4_addr : ipv4_addr + } + + map y4 { + type ipv4_addr : ipv4_addr . inet_service + } + + map z4 { + type ipv4_addr . inet_service : ipv4_addr . inet_service + elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 } + } + + map x6 { + type ipv6_addr : ipv6_addr + } + + map y6 { + type ipv6_addr : ipv6_addr . inet_service + } + + map z6 { + type ipv6_addr . inet_service : ipv6_addr . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + iifname != "foobar" accept + dnat ip to ip daddr map @x4 + ip saddr 10.1.1.1 dnat ip to 10.2.3.4 + ip saddr 10.1.1.2 tcp dport 42 dnat ip to 10.2.3.4:4242 + meta l4proto tcp dnat ip to ip saddr map @y4 + dnat ip to ip saddr . tcp dport map @z4 + dnat ip to numgen inc mod 2 map @t1v4 + meta l4proto tcp dnat ip to numgen inc mod 2 map @t2v4 + dnat ip6 to ip6 daddr map @x6 + ip6 saddr dead::1 dnat ip6 to feed::1 + ip6 saddr dead::2 tcp dport 42 dnat ip6 to [c0::1a]:4242 + meta l4proto tcp dnat ip6 to ip6 saddr map @y6 + dnat ip6 to ip6 saddr . tcp dport map @z6 + dnat ip6 to numgen inc mod 2 map @t1v6 + meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2v6 + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_integer_0.nft b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft new file mode 100644 index 0000000..19c24fe --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft @@ -0,0 +1,20 @@ +table inet t { + map m1 { + typeof udp length . @ih,32,32 : verdict + flags interval + elements = { 20-80 . 0x14 : accept, + 1-10 . 0xa : drop } + } + + map m2 { + typeof udp length . @ih,32,32 : verdict + elements = { 30 . 0x1e : drop, + 20 . 0x24 : accept } + } + + chain c { + udp length . @nh,32,32 vmap @m1 + udp length . @nh,32,32 vmap @m2 + udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft new file mode 100644 index 0000000..a5c0a60 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft @@ -0,0 +1,36 @@ +table inet t { + map m1 { + typeof osf name : ct mark + elements = { "Linux" : 0x00000001 } + } + + map m2 { + typeof vlan id : meta mark + elements = { 1 : 0x00000001, 4095 : 0x00004095 } + } + + map m3 { + typeof ip saddr . ip daddr : meta mark + elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001, + 2.3.4.5 . 6.7.8.9 : 0x00000002 } + } + + map m4 { + typeof iifname . ip protocol . th dport : verdict + elements = { "eth0" . tcp . 22 : accept } + } + + map m5 { + typeof ipsec in reqid . iifname : verdict + elements = { 23 . "eth0" : accept } + } + + chain c { + ct mark set osf name map @m1 + meta mark set vlan id map @m2 + meta mark set ip saddr . ip daddr map @m3 + iifname . ip protocol . th dport vmap @m4 + iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } + ipsec in reqid . iifname vmap @m5 + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft new file mode 100644 index 0000000..9134673 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft @@ -0,0 +1,22 @@ +table ip dynset { + map dynmark { + typeof ip daddr : meta mark + size 64 + counter + timeout 5m + } + + chain test_ping { + ip saddr @dynmark counter packets 0 bytes 0 comment "should not increment" + ip saddr != @dynmark add @dynmark { ip saddr : 0x00000001 } counter packets 1 bytes 84 + ip saddr @dynmark counter packets 1 bytes 84 comment "should increment" + ip saddr @dynmark delete @dynmark { ip saddr : 0x00000001 } + ip saddr @dynmark counter packets 0 bytes 0 comment "delete should be instant but might fail under memory pressure" + } + + chain input { + type filter hook input priority filter; policy accept; + add @dynmark { 10.2.3.4 timeout 1s : 0x00000002 } comment "also check timeout-gc" + meta l4proto icmp ip daddr 127.0.0.42 jump test_ping + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft new file mode 100644 index 0000000..1ca98d8 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft @@ -0,0 +1,11 @@ +table netdev t { + map m { + typeof ether saddr . vlan id : meta mark + size 1234 + flags dynamic,timeout + } + + chain c { + ether type != 8021q update @m { ether daddr . 123 timeout 1m : 0x0000002a } counter packets 0 bytes 0 return + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft new file mode 100644 index 0000000..f8b574f --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft @@ -0,0 +1,13 @@ +table ip foo { + map pinned { + typeof ip saddr . ct original proto-dst : ip daddr . tcp dport + size 65535 + flags dynamic,timeout + timeout 6m + } + + chain pr { + update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } + update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft new file mode 100644 index 0000000..698219c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft @@ -0,0 +1,21 @@ +table ip kube-nfproxy-v4 { + map sticky-set-svc-M53CN2XYVUHRQ7UB { + type ipv4_addr : mark + size 65535 + timeout 6m + } + + map sticky-set-svc-153CN2XYVUHRQ7UB { + typeof ip daddr : meta mark + size 65535 + timeout 1m + } + + chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 { + update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 } + } + + chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 { + update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x00000003 } + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_raw_0.nft b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft new file mode 100644 index 0000000..476169f --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft @@ -0,0 +1,13 @@ +table ip x { + map y { + typeof ip saddr . @ih,32,32 : verdict + elements = { 1.1.1.1 . 0x14 : accept, + 7.7.7.7 . 0x86 : accept, + 7.7.7.8 . 0x97 : drop } + } + + chain y { + ip saddr . @nh,32,32 vmap @y + ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop } + } +} diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft new file mode 100644 index 0000000..beb5ffb --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft @@ -0,0 +1,26 @@ +table ip x { + counter c_o0_0 { + packets 0 bytes 0 + } + + map sctm_o0 { + type mark : verdict + elements = { 0x00000000 : jump sctm_o0_0, 0x00000001 : jump sctm_o0_1 } + } + + map sctm_o1 { + type mark : counter + elements = { 0x00000000 : "c_o0_0" } + } + + chain sctm_o0_0 { + } + + chain sctm_o0_1 { + } + + chain SET_ctmark_RPLYroute { + meta mark >> 8 & 0xf vmap @sctm_o0 + counter name meta mark >> 8 & 0xf map @sctm_o1 + } +} diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.nft b/tests/shell/testcases/maps/dumps/vmap_timeout.nft new file mode 100644 index 0000000..095f894 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_timeout.nft @@ -0,0 +1,36 @@ +table inet filter { + map portmap { + type inet_service : verdict + flags timeout + gc-interval 10s + elements = { 22 : jump ssh_input } + } + + map portaddrmap { + typeof ip daddr . th dport : verdict + flags timeout + gc-interval 10s + elements = { 1.2.3.4 . 22 : jump ssh_input } + } + + chain ssh_input { + } + + chain log_and_drop { + drop + } + + chain other_input { + goto log_and_drop + } + + chain wan_input { + ip daddr . tcp dport vmap @portaddrmap + tcp dport vmap @portmap + } + + chain prerouting { + type filter hook prerouting priority raw; policy accept; + iif vmap { "lo" : jump wan_input } + } +} diff --git a/tests/shell/testcases/maps/map_catchall_double_deactivate b/tests/shell/testcases/maps/map_catchall_double_deactivate new file mode 100755 index 0000000..651c08a --- /dev/null +++ b/tests/shell/testcases/maps/map_catchall_double_deactivate @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + +$NFT "add table ip test ; + add map ip test testmap { type ipv4_addr : verdict; }; + add chain ip test testchain; + add element ip test testmap { * : jump testchain }" || exit 1 + +$NFT "flush map ip test testmap; delete map ip test testmap; delete map ip test testmap" 2>/dev/null && exit 1 +$NFT "flush map ip test testmap; delete map ip test testmap; delete element ip test testmap { * : jump testchain }" 2>/dev/null && exit 1 + +$NFT "flush map ip test testmap; delete map ip test testmap" || exit 1 diff --git a/tests/shell/testcases/maps/map_with_flags_0 b/tests/shell/testcases/maps/map_with_flags_0 new file mode 100755 index 0000000..68bd80d --- /dev/null +++ b/tests/shell/testcases/maps/map_with_flags_0 @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e + +$NFT add table x +$NFT add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; } diff --git a/tests/shell/testcases/maps/named_snat_map_0 b/tests/shell/testcases/maps/named_snat_map_0 new file mode 100755 index 0000000..addb9f7 --- /dev/null +++ b/tests/shell/testcases/maps/named_snat_map_0 @@ -0,0 +1,10 @@ +#!/bin/bash + +# nameds map can be addedd to a snat rule + +set -e +$NFT add table nat +$NFT add chain nat postrouting +$NFT add map nat m { type ipv4_addr : ipv4_addr\; } +$NFT add element nat m {1.1.1.1: 2.2.2.2} +$NFT add rule nat postrouting snat ip saddr map @m diff --git a/tests/shell/testcases/maps/nat_addr_port b/tests/shell/testcases/maps/nat_addr_port new file mode 100755 index 0000000..2804d48 --- /dev/null +++ b/tests/shell/testcases/maps/nat_addr_port @@ -0,0 +1,207 @@ +#!/bin/bash + +# skeleton +$NFT -f /dev/stdin <<EOF || exit 1 +table ip ipfoo { + map t1 { + typeof numgen inc mod 2 : ip daddr; + } + + map t2 { + typeof numgen inc mod 2 : ip daddr . tcp dport + } + + map x { + type ipv4_addr : ipv4_addr + } + map y { + type ipv4_addr : ipv4_addr . inet_service + elements = { 192.168.7.2 : 10.1.1.1 . 4242 } + } + map z { + type ipv4_addr . inet_service : ipv4_addr . inet_service + elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 } + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta iifname != "foobar" accept + dnat to ip daddr map @x + ip saddr 10.1.1.1 dnat to 10.2.3.4 + ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242 + meta l4proto tcp dnat ip addr . port to ip saddr map @y + meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z + dnat ip to numgen inc mod 2 map @t1 + meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2 + } +} +EOF + +# should fail: rule has no test for l4 protocol +$NFT add rule 'ip ipfoo c ip saddr 10.1.1.2 dnat to 10.2.3.4:4242' && exit 1 + +# should fail: rule has no test for l4 protocol, but map has inet_service +$NFT add rule 'ip ipfoo c dnat to ip daddr map @y' && exit 1 + +# skeleton 6 +$NFT -f /dev/stdin <<EOF || exit 1 +table ip6 ip6foo { + map t1 { + typeof numgen inc mod 2 : ip6 daddr; + } + + map t2 { + typeof numgen inc mod 2 : ip6 daddr . tcp dport + } + + map x { + type ipv6_addr : ipv6_addr + } + map y { + type ipv6_addr : ipv6_addr . inet_service + } + map z { + type ipv6_addr . inet_service : ipv6_addr . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta iifname != "foobar" accept + dnat to ip6 daddr map @x + ip6 saddr dead::1 dnat to feed::1 + ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242 + meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y + meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z + dnat ip6 to numgen inc mod 2 map @t1 + meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2 + } +} +EOF + +# should fail: rule has no test for l4 protocol +$NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1 + +# should fail: rule has no test for l4 protocol, but map has inet_service +$NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1 + +# skeleton inet +$NFT -f /dev/stdin <<EOF || exit 1 +table inet inetfoo { + map t1v4 { + typeof numgen inc mod 2 : ip daddr + } + + map t2v4 { + typeof numgen inc mod 2 : ip daddr . tcp dport; + } + + map t1v6 { + typeof numgen inc mod 2 : ip6 daddr; + } + + map t2v6 { + typeof numgen inc mod 2 : ip6 daddr . tcp dport + } + + map x4 { + type ipv4_addr : ipv4_addr + } + map y4 { + type ipv4_addr : ipv4_addr . inet_service + } + map z4 { + type ipv4_addr . inet_service : ipv4_addr . inet_service + elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 } + } + map x6 { + type ipv6_addr : ipv6_addr + } + map y6 { + type ipv6_addr : ipv6_addr . inet_service + } + map z6 { + type ipv6_addr . inet_service : ipv6_addr . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta iifname != "foobar" accept + dnat ip to ip daddr map @x4 + ip saddr 10.1.1.1 dnat to 10.2.3.4 + ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242 + meta l4proto tcp dnat ip addr . port to ip saddr map @y4 + meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z4 + dnat ip to numgen inc mod 2 map @t1v4 + meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4 + dnat ip6 to ip6 daddr map @x6 + ip6 saddr dead::1 dnat to feed::1 + ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242 + meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y6 + meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z6 + dnat ip6 to numgen inc mod 2 map @t1v6 + meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6 + } +} +EOF + +# should fail: map has wrong family: 4->6 +$NFT add rule 'inet inetfoo c dnat to ip daddr map @x6' && exit 1 + +# should fail: map has wrong family: 6->4 +$NFT add rule 'inet inetfoo c dnat to ip6 daddr map @x4' && exit 1 + +# should fail: rule has no test for l4 protocol +$NFT add rule 'inet inetfoo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1 + +# should fail: rule has no test for l4 protocol, but map has inet_service +$NFT add rule 'inet inetfoo c dnat to ip daddr map @y4' && exit 1 + +# should fail: rule has test for l4 protocol, but map has wrong family: 4->6 +$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip daddr map @y6' && exit 1 + +# should fail: rule has test for l4 protocol, but map has wrong family: 6->4 +$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip6 daddr map @y4' && exit 1 + +# fail: inet_service, but expect ipv4_addr +$NFT -f /dev/stdin <<EOF && exit 1 +table inet inetfoo { + map a { + type ipv4_addr : inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to ip saddr map @a + } +} +EOF + +# fail: maps to inet_service . inet_service, not addr . service +$NFT -f /dev/stdin <<EOF && exit 1 +table inet inetfoo { + map b { + type ipv4_addr : inet_service . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to ip saddr map @a + } +} +EOF + +# fail: only accept exactly two sub-expressions: 'addr . service' +$NFT -f /dev/stdin <<EOF && exit 1 +table inet inetfoo { + map b { + type ipv4_addr : inet_addr . inet_service . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to ip saddr map @a + } +} +EOF + +exit 0 diff --git a/tests/shell/testcases/maps/typeof_integer_0 b/tests/shell/testcases/maps/typeof_integer_0 new file mode 100755 index 0000000..0deff5e --- /dev/null +++ b/tests/shell/testcases/maps/typeof_integer_0 @@ -0,0 +1,27 @@ +#!/bin/bash + +EXPECTED="table inet t { + map m1 { + typeof udp length . @ih,32,32 : verdict + flags interval + elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop } + } + + map m2 { + typeof udp length . @ih,32,32 : verdict + elements = { 20 . 0x24 : accept, 30 . 0x1e : drop } + } + + chain c { + udp length . @nh,32,32 vmap @m1 + udp length . @nh,32,32 vmap @m2 + udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } + } +}" + +$NFT add element inet t m1 { 90-100 . 40 : drop } +$NFT delete element inet t m2 { 20 . 20 : accept } + +set -e +$NFT -f - <<< $EXPECTED + diff --git a/tests/shell/testcases/maps/typeof_maps_0 b/tests/shell/testcases/maps/typeof_maps_0 new file mode 100755 index 0000000..98517fd --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_0 @@ -0,0 +1,101 @@ +#!/bin/bash + +# support for strings and integers in named maps. +# without typeof, this is 'type string' and 'type integer', +# but neither could be used because it lacks size information. + +set -e + +die() { + printf '%s\n' "$*" + exit 1 +} + +INPUT_OSF_CT=" + ct mark set osf name map @m1" +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + INPUT_OSF_CT= +fi + +INPUT="table inet t { + map m1 { + typeof osf name : ct mark + elements = { Linux : 0x00000001 } + } + + map m2 { + typeof vlan id : mark + elements = { 1 : 0x1, + 4095 : 0x4095 } + } + + map m3 { + typeof ip saddr . ip daddr : meta mark + elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001, + 2.3.4.5 . 6.7.8.9 : 0x00000002 } + } + + map m4 { + typeof iifname . ip protocol . th dport : verdict + elements = { eth0 . tcp . 22 : accept } + } + + map m5 { + typeof ipsec in reqid . meta iifname : verdict + elements = { 23 . eth0 : accept } + } + + chain c {$INPUT_OSF_CT + ether type vlan meta mark set vlan id map @m2 + meta mark set ip saddr . ip daddr map @m3 + iifname . ip protocol . th dport vmap @m4 + iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop } + ipsec in reqid . meta iifname vmap @m5 + } +}" + +EXPECTED="table inet t { + map m1 { + typeof osf name : ct mark + elements = { \"Linux\" : 0x00000001 } + } + + map m2 { + typeof vlan id : meta mark + elements = { 1 : 0x00000001, 4095 : 0x00004095 } + } + + map m3 { + typeof ip saddr . ip daddr : meta mark + elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001, + 2.3.4.5 . 6.7.8.9 : 0x00000002 } + } + + map m4 { + typeof iifname . ip protocol . th dport : verdict + elements = { \"eth0\" . tcp . 22 : accept } + } + + map m5 { + typeof ipsec in reqid . iifname : verdict + elements = { 23 . \"eth0\" : accept } + } + + chain c {$INPUT_OSF_CT + meta mark set vlan id map @m2 + meta mark set ip saddr . ip daddr map @m3 + iifname . ip protocol . th dport vmap @m4 + iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop } + ipsec in reqid . iifname vmap @m5 + } +}" + +$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<" + +$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<" + + +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete new file mode 100755 index 0000000..5e2f8ec --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_add_delete @@ -0,0 +1,54 @@ +#!/bin/bash + +CONDMATCH="ip saddr @dynmark" +NCONDMATCH="ip saddr != @dynmark" + +# use reduced feature set +if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then + CONDMATCH="" + NCONDMATCH="" +fi + +EXPECTED="table ip dynset { + map dynmark { + typeof ip daddr : meta mark + counter + size 64 + timeout 5m + } + + chain test_ping { + $CONDMATCH counter comment \"should not increment\" + $NCONDMATCH add @dynmark { ip saddr : 0x1 } counter + $CONDMATCH counter comment \"should increment\" + $CONDMATCH delete @dynmark { ip saddr : 0x1 } + $CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\" + } + + chain input { + type filter hook input priority 0; policy accept; + + add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\" + meta l4proto icmp ip daddr 127.0.0.42 jump test_ping + } +}" + +set -e +$NFT -f - <<< $EXPECTED +$NFT list ruleset + +ip link set lo up +ping -c 1 127.0.0.42 + +$NFT get element ip dynset dynmark { 10.2.3.4 } + +# wait so that 10.2.3.4 times out. +sleep 2 + +set +e +$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1 + +if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then + echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped." + exit 77 +fi diff --git a/tests/shell/testcases/maps/typeof_maps_concat b/tests/shell/testcases/maps/typeof_maps_concat new file mode 100755 index 0000000..07820b7 --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_concat @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0 new file mode 100755 index 0000000..2a52ea0 --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +# check update statement does print both concatentations (key and data). + +EXPECTED="table ip foo { + map pinned { + typeof ip saddr . ct original proto-dst : ip daddr . tcp dport + size 65535 + flags dynamic,timeout + timeout 6m + } + chain pr { + update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } + meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } + } +}" + +set -e +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/maps/typeof_maps_update_0 b/tests/shell/testcases/maps/typeof_maps_update_0 new file mode 100755 index 0000000..c233b13 --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_update_0 @@ -0,0 +1,28 @@ +#!/bin/bash + +# check update statement doesn't print "invalid dtype" on the data element. + +EXPECTED="table ip kube-nfproxy-v4 { + map sticky-set-svc-M53CN2XYVUHRQ7UB { + type ipv4_addr : mark + size 65535 + timeout 6m + } + + map sticky-set-svc-153CN2XYVUHRQ7UB { + typeof ip daddr : meta mark + size 65535 + timeout 1m + } + + chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 { + update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2 } + } + chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 { + update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x3 } + } +}" + +set -e +$NFT -f - <<< $EXPECTED + diff --git a/tests/shell/testcases/maps/typeof_raw_0 b/tests/shell/testcases/maps/typeof_raw_0 new file mode 100755 index 0000000..bcd2c6d --- /dev/null +++ b/tests/shell/testcases/maps/typeof_raw_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +EXPECTED="table ip x { + map y { + typeof ip saddr . @ih,32,32: verdict + elements = { 1.1.1.1 . 0x14 : accept, 2.2.2.2 . 0x1e : drop } + } + + chain y { + ip saddr . @nh,32,32 vmap @y + ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop} + } +}" + +set -e +$NFT -f - <<< $EXPECTED +$NFT add element ip x y { 7.7.7.7 . 0x86 : accept, 7.7.7.8 . 0x97 : drop } +$NFT delete element ip x y { 2.2.2.2 . 0x1e : drop } diff --git a/tests/shell/testcases/maps/vmap_mark_bitwise_0 b/tests/shell/testcases/maps/vmap_mark_bitwise_0 new file mode 100755 index 0000000..0d93355 --- /dev/null +++ b/tests/shell/testcases/maps/vmap_mark_bitwise_0 @@ -0,0 +1,38 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain sctm_o0_0 { + } + + chain sctm_o0_1 { + } + + map sctm_o0 { + type mark : verdict + elements = { + 0x0 : jump sctm_o0_0, + 0x1 : jump sctm_o0_1, + } + } + + counter c_o0_0 {} + + map sctm_o1 { + type mark : counter + elements = { + 0x0 : \"c_o0_0\", + } + } + + chain SET_ctmark_RPLYroute { + meta mark >> 8 & 0xf vmap @sctm_o0 + } + + chain SET_ctmark_RPLYroute { + counter name meta mark >> 8 & 0xf map @sctm_o1 + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/maps/vmap_timeout b/tests/shell/testcases/maps/vmap_timeout new file mode 100755 index 0000000..0cd965f --- /dev/null +++ b/tests/shell/testcases/maps/vmap_timeout @@ -0,0 +1,53 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +set -e + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft +$NFT -f $dumpfile + +port=23 +for i in $(seq 1 100) ; do + timeout=$((RANDOM%5)) + timeout=$((timeout+1)) + j=1 + + batched="{ $port timeout 3s : jump other_input " + batched_addr="{ 10.0.$((i%256)).$j . $port timeout ${timeout}s : jump other_input " + port=$((port + 1)) + for j in $(seq 2 400); do + timeout=$((RANDOM%5)) + timeout=$((timeout+1)) + + batched="$batched, $port timeout ${timeout}s : jump other_input " + batched_addr="$batched_addr, 10.0.$((i%256)).$((j%256)) . $port timeout ${timeout}s : jump other_input " + port=$((port + 1)) + done + + fail_addr="$batched_addr, 1.2.3.4 . 23 timeout 5m : jump other_input, + 1.2.3.4 . 23 timeout 3m : jump other_input }" + fail="$batched, 23 timeout 1m : jump other_input, 23 : jump other_input }" + + batched="$batched }" + batched_addr="$batched_addr }" + + if [ $i -gt 90 ]; then + # must fail, we create and $fail/$fail_addr contain one element twice. + $NFT create element inet filter portmap "$fail" && exit 111 + $NFT create element inet filter portaddrmap "$fail_addr" && exit 112 + fi + + $NFT add element inet filter portmap "$batched" + $NFT add element inet filter portaddrmap "$batched_addr" +done + +if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_catchall_element=n." +else + $NFT add element inet filter portaddrmap { "* timeout 2s : drop" } + $NFT add element inet filter portmap { "* timeout 3s : drop" } +fi + +# wait for elements to time out +sleep 5 |