author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
commit | 971e619d8602fa52b1bfcb3ea65b7ab96be85318 (patch) | |
tree | 26feb2498c72b796e07b86349d17f544046de279 /tests/shell/testcases/optionals | |
parent | Initial commit. (diff) | |
download | nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.tar.xz nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.zip |
Adding upstream version 1.0.9.upstream/1.0.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/shell/testcases/optionals')
22 files changed, 373 insertions, 0 deletions
diff --git a/tests/shell/testcases/optionals/comments_0 b/tests/shell/testcases/optionals/comments_0
new file mode 100755
index 0000000..ab85936
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# comments are shown
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept comment test_comment
+$NFT -a list table test | grep 'accept comment \"test_comment\"' >/dev/null
diff --git a/tests/shell/testcases/optionals/comments_chain_0 b/tests/shell/testcases/optionals/comments_chain_0
new file mode 100755
index 0000000..fba961c
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_chain_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+EXPECTED='table ip test_table {
+ chain test_chain {
+ comment "test"
+ }
+}
+'
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/optionals/comments_handles_0 b/tests/shell/testcases/optionals/comments_handles_0
new file mode 100755
index 0000000..a01df1d
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_handles_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# handles and comments mix well
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept comment test_comment
+set -e
+$NFT -a list table test | grep 'accept comment \"test_comment\" # handle '[[:digit:]]$ >/dev/null
+$NFT list table test | grep 'accept comment \"test_comment\"' | grep -v '# handle '[[:digit:]]$ >/dev/null
diff --git a/tests/shell/testcases/optionals/comments_objects_0 b/tests/shell/testcases/optionals/comments_objects_0
new file mode 100755
index 0000000..7437c77
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_objects_0
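Review bot: The pattern `'# handle '[[:digit:]]$` in comments_handles_0 matches only a single-digit handle at end of line, so the positive check fails and the `grep -v` check on the last line passes without proving anything once a handle reaches 10; handles_0 and handles_1 use the same pattern. The bracket expression also sits outside the quotes, which leaves it open to pathname expansion before grep sees it. I would write the positive check as `grep -Eq 'accept comment "test_comment" # handle [[:digit:]]+$'` and use the same `[[:digit:]]+$` tail in the other two files. The tests presumably run against a fresh ruleset where handles stay small, but that is not visible in this hunk.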
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+ quota q {
+ over 1200 bytes
+ comment "test1"
+ }
+
+ counter c {
+ packets 0 bytes 0
+ comment "test2"
+ }
+
+ ct helper h {
+ type "sip" protocol tcp
+ l3proto ip
+ comment "test3"
+ }
+
+ ct expectation e {
+ protocol tcp
+ dport 666
+ timeout 100ms
+ size 96
+ l3proto ip
+ comment "test4"
+ }
+
+ limit l {
+ rate 400/hour
+ comment "test5"
+ }
+
+ synproxy s {
+ mss 1460
+ wscale 2
+ comment "test6"
+ }
+}
+'
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/optionals/comments_objects_dup_0 b/tests/shell/testcases/optionals/comments_objects_dup_0
new file mode 100755
index 0000000..79d975a
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_objects_dup_0
@@ -0,0 +1,97 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+ quota q {
+ over 1200 bytes
+ comment "test1"
+ comment "test1"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ counter c {
+ packets 0 bytes 0
+ comment "test2"
+ comment "test2"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ ct helper h {
+ type "sip" protocol tcp
+ l3proto ip
+ comment "test3"
+ comment "test3"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ ct expectation e {
+ protocol tcp
+ dport 666
+ timeout 100ms
+ size 96
+ l3proto ip
+ comment "test4"
+ comment "test4"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ limit l {
+ rate 400/hour
+ comment "test5"
+ comment "test5"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ synproxy s {
+ mss 1460
+ wscale 2
+ comment "test6"
+ comment "test6"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
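Review bot: Each of the six checks in comments_objects_dup_0 accepts any non-zero exit of `$NFT -f -` as proof that the duplicate `comment` was rejected, so the test also passes when the load fails for an unrelated reason, for example an object type the running kernel does not support or an unset `$NFT`. A rule-loading regression in one of these object types would then be hidden behind a green result. Tying the verdict to the behaviour under test needs a second signal, such as capturing stderr and requiring an error that refers to the repeated statement, or first loading the same block with a single `comment` and requiring that to succeed. A header comment such as `# every block below must be rejected: "comment" is given twice` would also help, since the variable is called EXPECTED although it holds input that has to fail.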
diff --git a/tests/shell/testcases/optionals/comments_table_0 b/tests/shell/testcases/optionals/comments_table_0
new file mode 100755
index 0000000..a0dfd74
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_table_0
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# comments are shown
+
+$NFT add table test { comment \"test_comment\"\; }
diff --git a/tests/shell/testcases/optionals/delete_object_handles_0 b/tests/shell/testcases/optionals/delete_object_handles_0
new file mode 100755
index 0000000..9b65e67
--- /dev/null
+++ b/tests/shell/testcases/optionals/delete_object_handles_0
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add counter test-ip https-traffic
+$NFT add quota test-ip https-quota 25 mbytes
+$NFT add map test-ip ports { type inet_service : quota \; }
+$NFT add table ip6 test-ip6
+$NFT add quota ip6 test-ip6 http-quota over 25 mbytes
+$NFT add counter ip6 test-ip6 http-traffic
+$NFT add quota ip6 test-ip6 ssh-quota 10 mbytes
+
+counter_handle=$($NFT -a list ruleset | awk '/https-traffic/{print $NF}')
+quota_handle=$($NFT -a list ruleset | awk '/ssh-quota/{print $NF}')
+$NFT delete counter test-ip handle $counter_handle
+$NFT delete quota ip6 test-ip6 handle $quota_handle
+
+EXPECTED="table ip test-ip {
+ quota https-quota {
+ 25 mbytes
+ }
+
+ map ports {
+ type inet_service : quota
+ }
+}
+table ip6 test-ip6 {
+ quota http-quota {
+ over 25 mbytes
+ }
+
+ counter http-traffic {
+ packets 0 bytes 0
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/optionals/dumps/comments_0.nft b/tests/shell/testcases/optionals/dumps/comments_0.nft
new file mode 100644
index 0000000..f47e0d5
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+ chain test {
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
+ }
+}
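Review bot: The header comment `# comments are shown` in comments_table_0 describes a check the script does not perform, since its only command adds the table and nothing lists it afterwards. Any verification presumably happens when the harness compares against dumps/comments_table_0.nft, which is outside this script. I would reword the comment to `# a table can be created with a comment; output is checked against the dump file` so the reader knows where the assertion lives.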
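Review bot: In delete_object_handles_0 the two handles are taken from unanchored `awk '/https-traffic/{print $NF}'` and `awk '/ssh-quota/{print $NF}'` matches over the whole ruleset and then expanded unquoted, so an empty or multi-line result becomes a malformed `delete ... handle` command instead of a clear test failure. `set -e` does not catch a failing `$NFT -a list ruleset` inside the command substitution's pipeline because pipefail is not enabled. I would add `set -o pipefail` next to `set -e`, guard the deletes with `[ -n "$counter_handle" ] && [ -n "$quota_handle" ] || exit 1`, and quote both expansions as `"$counter_handle"` and `"$quota_handle"`.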
diff --git a/tests/shell/testcases/optionals/dumps/comments_chain_0.nft b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft
new file mode 100644
index 0000000..be3d8f3
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft
@@ -0,0 +1,5 @@
+table ip test_table {
+ chain test_chain {
+ comment "test"
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
new file mode 100644
index 0000000..f47e0d5
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+ chain test {
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft
new file mode 100644
index 0000000..b760ced
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft
@@ -0,0 +1,37 @@
+table ip filter {
+ quota q {
+ comment "test1"
+ over 1200 bytes
+ }
+
+ counter c {
+ comment "test2"
+ packets 0 bytes 0
+ }
+
+ ct helper h {
+ comment "test3"
+ type "sip" protocol tcp
+ l3proto ip
+ }
+
+ ct expectation e {
+ comment "test4"
+ protocol tcp
+ dport 666
+ timeout 100ms
+ size 96
+ l3proto ip
+ }
+
+ limit l {
+ comment "test5"
+ rate 400/hour
+ }
+
+ synproxy s {
+ comment "test6"
+ mss 1460
+ wscale 2
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft
diff --git a/tests/shell/testcases/optionals/dumps/comments_table_0.nft b/tests/shell/testcases/optionals/dumps/comments_table_0.nft
new file mode 100644
index 0000000..32ae3c2
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_table_0.nft
@@ -0,0 +1,3 @@
+table ip test {
+ comment "test_comment"
+}
diff --git a/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft
new file mode 100644
index 0000000..aac03cc
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft
@@ -0,0 +1,18 @@
+table ip test-ip {
+ quota https-quota {
+ 25 mbytes
+ }
+
+ map ports {
+ type inet_service : quota
+ }
+}
+table ip6 test-ip6 {
+ quota http-quota {
+ over 25 mbytes
+ }
+
+ counter http-traffic {
+ packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/handles_0.nft b/tests/shell/testcases/optionals/dumps/handles_0.nft
new file mode 100644
index 0000000..085c6cf
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/handles_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+ chain test {
+ tcp dport 22 counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/handles_1.nft b/tests/shell/testcases/optionals/dumps/handles_1.nft
new file mode 100644
index 0000000..085c6cf
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/handles_1.nft
@@ -0,0 +1,5 @@
+table ip test {
+ chain test {
+ tcp dport 22 counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/log_prefix_0.nft b/tests/shell/testcases/optionals/dumps/log_prefix_0.nft
new file mode 100644
index 0000000..8c11d69
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/log_prefix_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ chain y {
+ ct state invalid log prefix "invalid state match, logging:"
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft
new file mode 100644
index 0000000..f391b63
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft
@@ -0,0 +1,9 @@
+table ip test-ip {
+ counter traffic-counter {
+ packets 0 bytes 0
+ }
+
+ quota traffic-quota {
+ 50 mbytes
+ }
+}
diff --git a/tests/shell/testcases/optionals/handles_0 b/tests/shell/testcases/optionals/handles_0
new file mode 100755
index 0000000..80f3c5b
--- /dev/null
+++ b/tests/shell/testcases/optionals/handles_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# handles are shown last
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept
+$NFT -a list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null
diff --git a/tests/shell/testcases/optionals/handles_1 b/tests/shell/testcases/optionals/handles_1
new file mode 100755
index 0000000..c00abfe
--- /dev/null
+++ b/tests/shell/testcases/optionals/handles_1
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# handles are not shown if not asked for them
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept
+( $NFT list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null ) && exit 1
+
+exit 0
diff --git a/tests/shell/testcases/optionals/log_prefix_0 b/tests/shell/testcases/optionals/log_prefix_0
new file mode 100755
index 0000000..513a9e7
--- /dev/null
+++ b/tests/shell/testcases/optionals/log_prefix_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+TMP=$(mktemp)
+
+RULESET='define test = "state"
+define foo = "match, logging"
+
+table x {
+ chain y {
+ ct state invalid log prefix "invalid $test $foo:"
+ }
+}'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
new file mode 100755
index 0000000..8b12b8c
--- /dev/null
+++ b/tests/shell/testcases/optionals/update_object_handles_0
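Review bot: handles_1 is a negative test that exits 0 whenever the grep finds nothing, and that includes the case where `$NFT list table test` or one of the three setup commands failed and there was no output to search. The script has no `set -e`, so it cannot tell "no handle printed" from "nothing listed". I would add `set -e` after the shebang, capture the listing with `out=$($NFT list table test)`, and then fail with `if grep -Eq '# handle [[:digit:]]+$' <<< "$out"; then exit 1; fi`.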
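Review bot: `TMP=$(mktemp)` in log_prefix_0 creates a temporary file that the script never reads, writes or removes, so every run leaves a stray file behind in the temp directory. The ruleset reaches nft through the here-string on the last line, so the assignment can simply be dropped. If a file is wanted later, pair the assignment with `trap 'rm -f "$TMP"' EXIT`.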
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add counter test-ip traffic-counter
+$NFT add counter test-ip traffic-counter
+$NFT add quota test-ip traffic-quota 25 mbytes
+$NFT add quota test-ip traffic-quota 50 mbytes
+
+EXPECTED="table ip test-ip {
+ counter traffic-counter {
+ packets 0 bytes 0
+ }
+
+ quota traffic-quota {
+ 50 mbytes
+ }
+}"
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
|