authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-09 13:08:37 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-09 13:08:37 +0000
commit971e619d8602fa52b1bfcb3ea65b7ab96be85318 (patch)
tree26feb2498c72b796e07b86349d17f544046de279 /tests/shell/testcases
parentInitial commit. (diff)
Adding upstream version 1.0.9.upstream/1.0.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/shell/testcases')
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_013
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_113
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_213
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_313
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_413
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_513
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_613
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_713
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_813
-rwxr-xr-xtests/shell/testcases/bitwise/0040mark_binop_913
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft6
-rw-r--r--tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft6
-rwxr-xr-xtests/shell/testcases/bogons/assert_failures12
-rw-r--r--tests/shell/testcases/bogons/dumps/assert_failures.nft0
-rw-r--r--tests/shell/testcases/bogons/nft-f/include-device1
-rw-r--r--tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert7
-rw-r--r--tests/shell/testcases/bogons/nft-f/scope_underflow_assert6
-rw-r--r--tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert5
-rw-r--r--tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert5
-rwxr-xr-xtests/shell/testcases/cache/0001_cache_handling_026
-rwxr-xr-xtests/shell/testcases/cache/0002_interval_018
-rwxr-xr-xtests/shell/testcases/cache/0003_cache_update_050
-rwxr-xr-xtests/shell/testcases/cache/0004_cache_update_015
-rwxr-xr-xtests/shell/testcases/cache/0005_cache_chain_flush16
-rwxr-xr-xtests/shell/testcases/cache/0006_cache_table_flush16
-rwxr-xr-xtests/shell/testcases/cache/0007_echo_cache_init_014
-rwxr-xr-xtests/shell/testcases/cache/0008_delete_by_handle_025
-rwxr-xr-xtests/shell/testcases/cache/0009_delete_by_handle_incorrect_08
-rwxr-xr-xtests/shell/testcases/cache/0010_implicit_chain_021
-rwxr-xr-xtests/shell/testcases/cache/0011_index_012
-rw-r--r--tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft12
-rw-r--r--tests/shell/testcases/cache/dumps/0002_interval_0.nft7
-rw-r--r--tests/shell/testcases/cache/dumps/0003_cache_update_0.nft18
-rw-r--r--tests/shell/testcases/cache/dumps/0004_cache_update_0.nft5
-rw-r--r--tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft14
-rw-r--r--tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft14
-rw-r--r--tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.nft7
-rw-r--r--tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft2
-rw-r--r--tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft0
-rw-r--r--tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft7
-rw-r--r--tests/shell/testcases/cache/dumps/0011_index_0.nft8
-rwxr-xr-xtests/shell/testcases/chains/0001jumps_017
-rwxr-xr-xtests/shell/testcases/chains/0002jumps_126
-rwxr-xr-xtests/shell/testcases/chains/0003jump_loop_122
-rwxr-xr-xtests/shell/testcases/chains/0004busy_113
-rwxr-xr-xtests/shell/testcases/chains/0005busy_map_113
-rwxr-xr-xtests/shell/testcases/chains/0006masquerade_07
-rwxr-xr-xtests/shell/testcases/chains/0007masquerade_111
-rwxr-xr-xtests/shell/testcases/chains/0008masquerade_jump_113
-rwxr-xr-xtests/shell/testcases/chains/0009masquerade_jump_113
-rwxr-xr-xtests/shell/testcases/chains/0010endless_jump_loop_111
-rwxr-xr-xtests/shell/testcases/chains/0011endless_jump_loop_115
-rwxr-xr-xtests/shell/testcases/chains/0013rename_08
-rwxr-xr-xtests/shell/testcases/chains/0014rename_019
-rwxr-xr-xtests/shell/testcases/chains/0015check_jump_loop_113
-rwxr-xr-xtests/shell/testcases/chains/0016delete_handle_017
-rwxr-xr-xtests/shell/testcases/chains/0017masquerade_jump_114
-rwxr-xr-xtests/shell/testcases/chains/0018check_jump_loop_113
-rwxr-xr-xtests/shell/testcases/chains/0019masquerade_jump_113
-rwxr-xr-xtests/shell/testcases/chains/0020depth_123
-rwxr-xr-xtests/shell/testcases/chains/0021prio_090
-rwxr-xr-xtests/shell/testcases/chains/0022prio_dummy_19
-rwxr-xr-xtests/shell/testcases/chains/0023prio_inet_srcnat_116
-rwxr-xr-xtests/shell/testcases/chains/0024prio_inet_dstnat_116
-rwxr-xr-xtests/shell/testcases/chains/0025prio_arp_117
-rwxr-xr-xtests/shell/testcases/chains/0026prio_netdev_117
-rwxr-xr-xtests/shell/testcases/chains/0027prio_bridge_dstnat_115
-rwxr-xr-xtests/shell/testcases/chains/0028prio_bridge_out_115
-rwxr-xr-xtests/shell/testcases/chains/0029prio_bridge_srcnat_115
-rwxr-xr-xtests/shell/testcases/chains/0030create_06
-rwxr-xr-xtests/shell/testcases/chains/0031priority_variable_017
-rwxr-xr-xtests/shell/testcases/chains/0032priority_variable_027
-rwxr-xr-xtests/shell/testcases/chains/0033priority_variable_118
-rwxr-xr-xtests/shell/testcases/chains/0034priority_variable_118
-rwxr-xr-xtests/shell/testcases/chains/0035policy_variable_017
-rwxr-xr-xtests/shell/testcases/chains/0036policy_variable_017
-rwxr-xr-xtests/shell/testcases/chains/0037policy_variable_118
-rwxr-xr-xtests/shell/testcases/chains/0038policy_variable_118
-rwxr-xr-xtests/shell/testcases/chains/0039negative_priority_08
-rwxr-xr-xtests/shell/testcases/chains/0041chain_binding_029
-rwxr-xr-xtests/shell/testcases/chains/0042chain_variable_046
-rwxr-xr-xtests/shell/testcases/chains/0043chain_ingress_019
-rwxr-xr-xtests/shell/testcases/chains/0044chain_destroy_012
-rw-r--r--tests/shell/testcases/chains/dumps/0001jumps_0.nft64
-rw-r--r--tests/shell/testcases/chains/dumps/0002jumps_1.nft68
-rw-r--r--tests/shell/testcases/chains/dumps/0003jump_loop_1.nft64
-rw-r--r--tests/shell/testcases/chains/dumps/0004busy_1.nft8
-rw-r--r--tests/shell/testcases/chains/dumps/0005busy_map_1.nft8
-rw-r--r--tests/shell/testcases/chains/dumps/0006masquerade_0.nft6
-rw-r--r--tests/shell/testcases/chains/dumps/0007masquerade_1.nft5
-rw-r--r--tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft9
-rw-r--r--tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft9
-rw-r--r--tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft4
-rw-r--r--tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft13
-rw-r--r--tests/shell/testcases/chains/dumps/0013rename_0.nft4
-rw-r--r--tests/shell/testcases/chains/dumps/0014rename_0.nft7
-rw-r--r--tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft8
-rw-r--r--tests/shell/testcases/chains/dumps/0016delete_handle_0.nft14
-rw-r--r--tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft9
-rw-r--r--tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft8
-rw-r--r--tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft9
-rw-r--r--tests/shell/testcases/chains/dumps/0020depth_1.nft84
-rw-r--r--tests/shell/testcases/chains/dumps/0021prio_0.nft1566
-rw-r--r--tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft2
-rw-r--r--tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft6
-rw-r--r--tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft6
-rw-r--r--tests/shell/testcases/chains/dumps/0025prio_arp_1.nft2
-rw-r--r--tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft2
-rw-r--r--tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft2
-rw-r--r--tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft2
-rw-r--r--tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft2
-rw-r--r--tests/shell/testcases/chains/dumps/0030create_0.nft4
-rw-r--r--tests/shell/testcases/chains/dumps/0031priority_variable_0.nft5
-rw-r--r--tests/shell/testcases/chains/dumps/0032priority_variable_0.nft13
-rw-r--r--tests/shell/testcases/chains/dumps/0033priority_variable_1.nft0
-rw-r--r--tests/shell/testcases/chains/dumps/0034priority_variable_1.nft0
-rw-r--r--tests/shell/testcases/chains/dumps/0035policy_variable_0.nft5
-rw-r--r--tests/shell/testcases/chains/dumps/0036policy_variable_0.nft5
-rw-r--r--tests/shell/testcases/chains/dumps/0037policy_variable_1.nft0
-rw-r--r--tests/shell/testcases/chains/dumps/0038policy_variable_1.nft0
-rw-r--r--tests/shell/testcases/chains/dumps/0039negative_priority_0.nft5
-rw-r--r--tests/shell/testcases/chains/dumps/0041chain_binding_0.nft12
-rw-r--r--tests/shell/testcases/chains/dumps/0042chain_variable_0.nft19
-rw-r--r--tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft13
-rw-r--r--tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft2
-rw-r--r--tests/shell/testcases/chains/dumps/netdev_chain_0.nft2
-rw-r--r--tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft0
-rwxr-xr-xtests/shell/testcases/chains/netdev_chain_029
-rwxr-xr-xtests/shell/testcases/chains/netdev_chain_autoremove9
-rwxr-xr-xtests/shell/testcases/comments/comments_044
-rw-r--r--tests/shell/testcases/comments/dumps/comments_0.nft12
-rwxr-xr-xtests/shell/testcases/flowtable/0001flowtable_015
-rwxr-xr-xtests/shell/testcases/flowtable/0002create_flowtable_012
-rwxr-xr-xtests/shell/testcases/flowtable/0003add_after_flush_08
-rwxr-xr-xtests/shell/testcases/flowtable/0004delete_after_add_06
-rwxr-xr-xtests/shell/testcases/flowtable/0005delete_in_use_111
-rwxr-xr-xtests/shell/testcases/flowtable/0006segfault_011
-rwxr-xr-xtests/shell/testcases/flowtable/0007prio_024
-rwxr-xr-xtests/shell/testcases/flowtable/0008prio_114
-rwxr-xr-xtests/shell/testcases/flowtable/0009deleteafterflush_09
-rwxr-xr-xtests/shell/testcases/flowtable/0010delete_handle_021
-rwxr-xr-xtests/shell/testcases/flowtable/0011deleteafterflush_010
-rwxr-xr-xtests/shell/testcases/flowtable/0012flowtable_variable_035
-rwxr-xr-xtests/shell/testcases/flowtable/0013addafterdelete_027
-rwxr-xr-xtests/shell/testcases/flowtable/0014addafterdelete_036
-rwxr-xr-xtests/shell/testcases/flowtable/0015destroy_012
-rw-r--r--tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft10
-rw-r--r--tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft6
-rw-r--r--tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft6
-rw-r--r--tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft2
-rw-r--r--tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft10
-rw-r--r--tests/shell/testcases/flowtable/dumps/0006segfault_0.nft2
-rw-r--r--tests/shell/testcases/flowtable/dumps/0007prio_0.nft2
-rw-r--r--tests/shell/testcases/flowtable/dumps/0008prio_1.nft2
-rw-r--r--tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft4
-rw-r--r--tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft2
-rw-r--r--tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft4
-rw-r--r--tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft14
-rw-r--r--tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft7
-rw-r--r--tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft12
-rw-r--r--tests/shell/testcases/flowtable/dumps/0015destroy_0.nft2
-rwxr-xr-xtests/shell/testcases/include/0001absolute_029
-rwxr-xr-xtests/shell/testcases/include/0002relative_029
-rwxr-xr-xtests/shell/testcases/include/0003includepath_031
-rwxr-xr-xtests/shell/testcases/include/0004endlessloop_119
-rwxr-xr-xtests/shell/testcases/include/0005glob_empty_031
-rwxr-xr-xtests/shell/testcases/include/0006glob_single_036
-rwxr-xr-xtests/shell/testcases/include/0007glob_double_033
-rwxr-xr-xtests/shell/testcases/include/0008glob_nofile_wildcard_033
-rwxr-xr-xtests/shell/testcases/include/0009glob_nofile_131
-rwxr-xr-xtests/shell/testcases/include/0010glob_broken_file_146
-rwxr-xr-xtests/shell/testcases/include/0011glob_dependency_050
-rwxr-xr-xtests/shell/testcases/include/0012glob_dependency_149
-rwxr-xr-xtests/shell/testcases/include/0013glob_dotfile_049
-rwxr-xr-xtests/shell/testcases/include/0013input_descriptors_included_files_052
-rwxr-xr-xtests/shell/testcases/include/0014glob_directory_043
-rwxr-xr-xtests/shell/testcases/include/0015doubleincludepath_052
-rwxr-xr-xtests/shell/testcases/include/0016maxdepth_08
-rwxr-xr-xtests/shell/testcases/include/0017glob_more_than_maxdepth_139
-rwxr-xr-xtests/shell/testcases/include/0018include_error_034
-rwxr-xr-xtests/shell/testcases/include/0019include_error_063
-rwxr-xr-xtests/shell/testcases/include/0020include_chain_023
-rw-r--r--tests/shell/testcases/include/dumps/0001absolute_0.nft2
-rw-r--r--tests/shell/testcases/include/dumps/0002relative_0.nft2
-rw-r--r--tests/shell/testcases/include/dumps/0003includepath_0.nft2
-rw-r--r--tests/shell/testcases/include/dumps/0004endlessloop_1.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0005glob_empty_0.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0006glob_single_0.nft2
-rw-r--r--tests/shell/testcases/include/dumps/0007glob_double_0.nft4
-rw-r--r--tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0009glob_nofile_1.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0011glob_dependency_0.nft4
-rw-r--r--tests/shell/testcases/include/dumps/0012glob_dependency_1.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft2
-rw-r--r--tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0014glob_directory_0.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft4
-rw-r--r--tests/shell/testcases/include/dumps/0016maxdepth_0.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0018include_error_0.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0019include_error_0.nft0
-rw-r--r--tests/shell/testcases/include/dumps/0020include_chain_0.nft6
-rwxr-xr-xtests/shell/testcases/json/0001set_statements_011
-rwxr-xr-xtests/shell/testcases/json/0002table_map_011
-rwxr-xr-xtests/shell/testcases/json/0003json_schema_version_011
-rwxr-xr-xtests/shell/testcases/json/0004json_schema_version_113
-rwxr-xr-xtests/shell/testcases/json/0005secmark_objref_011
-rwxr-xr-xtests/shell/testcases/json/0006obj_comment_011
-rw-r--r--tests/shell/testcases/json/dumps/0001set_statements_0.nft12
-rw-r--r--tests/shell/testcases/json/dumps/0002table_map_0.nft6
-rw-r--r--tests/shell/testcases/json/dumps/0003json_schema_version_0.nft0
-rw-r--r--tests/shell/testcases/json/dumps/0004json_schema_version_1.nft0
-rw-r--r--tests/shell/testcases/json/dumps/0005secmark_objref_0.nft18
-rw-r--r--tests/shell/testcases/json/dumps/0006obj_comment_0.nft6
-rw-r--r--tests/shell/testcases/json/dumps/netdev.nft2
-rwxr-xr-xtests/shell/testcases/json/netdev28
-rwxr-xr-xtests/shell/testcases/listing/0001ruleset_07
-rwxr-xr-xtests/shell/testcases/listing/0002ruleset_07
-rwxr-xr-xtests/shell/testcases/listing/0003table_023
-rwxr-xr-xtests/shell/testcases/listing/0004table_018
-rwxr-xr-xtests/shell/testcases/listing/0005ruleset_ip_020
-rwxr-xr-xtests/shell/testcases/listing/0006ruleset_ip6_020
-rwxr-xr-xtests/shell/testcases/listing/0007ruleset_inet_020
-rwxr-xr-xtests/shell/testcases/listing/0008ruleset_arp_020
-rwxr-xr-xtests/shell/testcases/listing/0009ruleset_bridge_020
-rwxr-xr-xtests/shell/testcases/listing/0010sets_062
-rwxr-xr-xtests/shell/testcases/listing/0011sets_043
-rwxr-xr-xtests/shell/testcases/listing/0012sets_038
-rwxr-xr-xtests/shell/testcases/listing/0013objects_023
-rwxr-xr-xtests/shell/testcases/listing/0014objects_029
-rwxr-xr-xtests/shell/testcases/listing/0015dynamic_023
-rwxr-xr-xtests/shell/testcases/listing/0016anonymous_033
-rwxr-xr-xtests/shell/testcases/listing/0017objects_018
-rwxr-xr-xtests/shell/testcases/listing/0018data_018
-rwxr-xr-xtests/shell/testcases/listing/0019set_018
-rwxr-xr-xtests/shell/testcases/listing/0020flowtable_063
-rwxr-xr-xtests/shell/testcases/listing/0021ruleset_json_terse_019
-rwxr-xr-xtests/shell/testcases/listing/0022terse_069
-rw-r--r--tests/shell/testcases/listing/dumps/0001ruleset_0.nft2
-rw-r--r--tests/shell/testcases/listing/dumps/0002ruleset_0.nft0
-rw-r--r--tests/shell/testcases/listing/dumps/0003table_0.nft2
-rw-r--r--tests/shell/testcases/listing/dumps/0004table_0.nft4
-rw-r--r--tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft10
-rw-r--r--tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft10
-rw-r--r--tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft10
-rw-r--r--tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft10
-rw-r--r--tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft10
-rw-r--r--tests/shell/testcases/listing/dumps/0010sets_0.nft39
-rw-r--r--tests/shell/testcases/listing/dumps/0011sets_0.nft25
-rw-r--r--tests/shell/testcases/listing/dumps/0012sets_0.nft39
-rw-r--r--tests/shell/testcases/listing/dumps/0013objects_0.nft27
-rw-r--r--tests/shell/testcases/listing/dumps/0014objects_0.nft12
-rw-r--r--tests/shell/testcases/listing/dumps/0015dynamic_0.nft7
-rw-r--r--tests/shell/testcases/listing/dumps/0016anonymous_0.nft6
-rw-r--r--tests/shell/testcases/listing/dumps/0017objects_0.nft5
-rw-r--r--tests/shell/testcases/listing/dumps/0018data_0.nft5
-rw-r--r--tests/shell/testcases/listing/dumps/0019set_0.nft5
-rw-r--r--tests/shell/testcases/listing/dumps/0020flowtable_0.nft20
-rw-r--r--tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft9
-rw-r--r--tests/shell/testcases/listing/dumps/0022terse_0.nft12
-rwxr-xr-xtests/shell/testcases/maps/0003map_add_many_elements_067
-rwxr-xr-xtests/shell/testcases/maps/0004interval_map_create_once_074
-rwxr-xr-xtests/shell/testcases/maps/0005interval_map_add_many_elements_058
-rwxr-xr-xtests/shell/testcases/maps/0006interval_map_overlap_016
-rwxr-xr-xtests/shell/testcases/maps/0007named_ifname_dtype_018
-rwxr-xr-xtests/shell/testcases/maps/0008interval_map_delete_031
-rwxr-xr-xtests/shell/testcases/maps/0009vmap_019
-rwxr-xr-xtests/shell/testcases/maps/0010concat_map_019
-rwxr-xr-xtests/shell/testcases/maps/0011vmap_033
-rwxr-xr-xtests/shell/testcases/maps/0012map_036
-rwxr-xr-xtests/shell/testcases/maps/0013map_014
-rwxr-xr-xtests/shell/testcases/maps/0014destroy_012
-rwxr-xr-xtests/shell/testcases/maps/0016map_leak_038
-rwxr-xr-xtests/shell/testcases/maps/0017_map_variable_032
-rwxr-xr-xtests/shell/testcases/maps/0018map_leak_timeout_050
-rwxr-xr-xtests/shell/testcases/maps/anon_objmap_concat6
-rwxr-xr-xtests/shell/testcases/maps/anonymous_snat_map_08
-rwxr-xr-xtests/shell/testcases/maps/different_map_types_113
-rw-r--r--tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft486
-rw-r--r--tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump0
-rw-r--r--tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft8
-rw-r--r--tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft7
-rw-r--r--tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft11
-rw-r--r--tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft15
-rw-r--r--tests/shell/testcases/maps/dumps/0009vmap_0.nft13
-rw-r--r--tests/shell/testcases/maps/dumps/0010concat_map_0.nft11
-rw-r--r--tests/shell/testcases/maps/dumps/0011vmap_0.nft19
-rw-r--r--tests/shell/testcases/maps/dumps/0012map_0.nft25
-rw-r--r--tests/shell/testcases/maps/dumps/0013map_0.nft13
-rw-r--r--tests/shell/testcases/maps/dumps/0014destroy_0.nft2
-rw-r--r--tests/shell/testcases/maps/dumps/0016map_leak_0.nft0
-rw-r--r--tests/shell/testcases/maps/dumps/0017_map_variable_0.nft11
-rw-r--r--tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft0
-rw-r--r--tests/shell/testcases/maps/dumps/anon_objmap_concat.nft16
-rw-r--r--tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft5
-rw-r--r--tests/shell/testcases/maps/dumps/different_map_types_1.nft5
-rw-r--r--tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft4
-rw-r--r--tests/shell/testcases/maps/dumps/map_with_flags_0.nft6
-rw-r--r--tests/shell/testcases/maps/dumps/named_snat_map_0.nft10
-rw-r--r--tests/shell/testcases/maps/dumps/nat_addr_port.nft129
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_integer_0.nft20
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_maps_0.nft36
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft22
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_maps_concat.nft11
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft13
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft21
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_raw_0.nft13
-rw-r--r--tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft26
-rw-r--r--tests/shell/testcases/maps/dumps/vmap_timeout.nft36
-rwxr-xr-xtests/shell/testcases/maps/map_catchall_double_deactivate13
-rwxr-xr-xtests/shell/testcases/maps/map_with_flags_06
-rwxr-xr-xtests/shell/testcases/maps/named_snat_map_010
-rwxr-xr-xtests/shell/testcases/maps/nat_addr_port207
-rwxr-xr-xtests/shell/testcases/maps/typeof_integer_027
-rwxr-xr-xtests/shell/testcases/maps/typeof_maps_0101
-rwxr-xr-xtests/shell/testcases/maps/typeof_maps_add_delete54
-rwxr-xr-xtests/shell/testcases/maps/typeof_maps_concat6
-rwxr-xr-xtests/shell/testcases/maps/typeof_maps_concat_update_019
-rwxr-xr-xtests/shell/testcases/maps/typeof_maps_update_028
-rwxr-xr-xtests/shell/testcases/maps/typeof_raw_018
-rwxr-xr-xtests/shell/testcases/maps/vmap_mark_bitwise_038
-rwxr-xr-xtests/shell/testcases/maps/vmap_timeout53
-rwxr-xr-xtests/shell/testcases/netns/0001nft-f_099
-rwxr-xr-xtests/shell/testcases/netns/0002loosecommands_061
-rwxr-xr-xtests/shell/testcases/netns/0003many_0113
-rw-r--r--tests/shell/testcases/netns/dumps/0001nft-f_0.nft0
-rw-r--r--tests/shell/testcases/netns/dumps/0002loosecommands_0.nft0
-rw-r--r--tests/shell/testcases/netns/dumps/0003many_0.nft0
-rwxr-xr-xtests/shell/testcases/nft-f/0001define_slash_011
-rwxr-xr-xtests/shell/testcases/nft-f/0002rollback_rule_040
-rwxr-xr-xtests/shell/testcases/nft-f/0003rollback_jump_040
-rwxr-xr-xtests/shell/testcases/nft-f/0004rollback_set_040
-rwxr-xr-xtests/shell/testcases/nft-f/0005rollback_map_043
-rwxr-xr-xtests/shell/testcases/nft-f/0006action_object_059
-rwxr-xr-xtests/shell/testcases/nft-f/0007action_object_set_segfault_114
-rwxr-xr-xtests/shell/testcases/nft-f/0008split_tables_022
-rwxr-xr-xtests/shell/testcases/nft-f/0009variable_014
-rwxr-xr-xtests/shell/testcases/nft-f/0010variable_013
-rwxr-xr-xtests/shell/testcases/nft-f/0011manydefines_053
-rwxr-xr-xtests/shell/testcases/nft-f/0012different_defines_043
-rwxr-xr-xtests/shell/testcases/nft-f/0013defines_118
-rwxr-xr-xtests/shell/testcases/nft-f/0014defines_118
-rwxr-xr-xtests/shell/testcases/nft-f/0015defines_117
-rwxr-xr-xtests/shell/testcases/nft-f/0016redefines_133
-rwxr-xr-xtests/shell/testcases/nft-f/0017ct_timeout_obj_018
-rwxr-xr-xtests/shell/testcases/nft-f/0018ct_expectation_obj_018
-rwxr-xr-xtests/shell/testcases/nft-f/0018jump_variable_019
-rwxr-xr-xtests/shell/testcases/nft-f/0019jump_variable_120
-rwxr-xr-xtests/shell/testcases/nft-f/0020jump_variable_120
-rwxr-xr-xtests/shell/testcases/nft-f/0021list_ruleset_015
-rwxr-xr-xtests/shell/testcases/nft-f/0022variables_021
-rwxr-xr-xtests/shell/testcases/nft-f/0023check_112
-rwxr-xr-xtests/shell/testcases/nft-f/0024priority_014
-rwxr-xr-xtests/shell/testcases/nft-f/0025empty_dynset_030
-rwxr-xr-xtests/shell/testcases/nft-f/0026listing_014
-rwxr-xr-xtests/shell/testcases/nft-f/0027split_chains_017
-rwxr-xr-xtests/shell/testcases/nft-f/0028variable_cmdline_017
-rwxr-xr-xtests/shell/testcases/nft-f/0029split_file_025
-rwxr-xr-xtests/shell/testcases/nft-f/0030variable_reuse_019
-rwxr-xr-xtests/shell/testcases/nft-f/0031vmap_string_021
-rwxr-xr-xtests/shell/testcases/nft-f/0032pknock_034
-rw-r--r--tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft16
-rw-r--r--tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft16
-rw-r--r--tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft16
-rw-r--r--tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft16
-rw-r--r--tests/shell/testcases/nft-f/dumps/0006action_object_0.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft10
-rw-r--r--tests/shell/testcases/nft-f/dumps/0009variable_0.nft7
-rw-r--r--tests/shell/testcases/nft-f/dumps/0010variable_0.nft6
-rw-r--r--tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft21
-rw-r--r--tests/shell/testcases/nft-f/dumps/0013defines_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0014defines_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0015defines_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0016redefines_1.nft6
-rw-r--r--tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft11
-rw-r--r--tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft13
-rw-r--r--tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft8
-rw-r--r--tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft5
-rw-r--r--tests/shell/testcases/nft-f/dumps/0022variables_0.nft14
-rw-r--r--tests/shell/testcases/nft-f/dumps/0023check_1.nft5
-rw-r--r--tests/shell/testcases/nft-f/dumps/0024priority_0.nft10
-rw-r--r--tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft18
-rw-r--r--tests/shell/testcases/nft-f/dumps/0026listing_0.nft5
-rw-r--r--tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft9
-rw-r--r--tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft8
-rw-r--r--tests/shell/testcases/nft-f/dumps/0029split_file_0.nft10
-rw-r--r--tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft11
-rw-r--r--tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0032pknock_0.nft25
-rw-r--r--tests/shell/testcases/nft-f/dumps/sample-ruleset.nft239
-rwxr-xr-xtests/shell/testcases/nft-f/sample-ruleset262
-rwxr-xr-xtests/shell/testcases/nft-i/0001define_022
-rw-r--r--tests/shell/testcases/nft-i/dumps/0001define_0.nft0
-rwxr-xr-xtests/shell/testcases/optimizations/dependency_kill48
-rw-r--r--tests/shell/testcases/optimizations/dumps/dependency_kill.nft42
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_nat.nft40
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_reject.nft13
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_stmts.nft5
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft18
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft9
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft13
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft31
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_vmaps.nft20
-rw-r--r--tests/shell/testcases/optimizations/dumps/not_mergeable.nft19
-rw-r--r--tests/shell/testcases/optimizations/dumps/ruleset.nft0
-rw-r--r--tests/shell/testcases/optimizations/dumps/single_anon_set.nft16
-rw-r--r--tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input38
-rw-r--r--tests/shell/testcases/optimizations/dumps/skip_merge.nft23
-rw-r--r--tests/shell/testcases/optimizations/dumps/skip_non_eq.nft6
-rw-r--r--tests/shell/testcases/optimizations/dumps/skip_unsupported.nft18
-rw-r--r--tests/shell/testcases/optimizations/dumps/variables.nft0
-rwxr-xr-xtests/shell/testcases/optimizations/merge_nat67
-rwxr-xr-xtests/shell/testcases/optimizations/merge_reject26
-rwxr-xr-xtests/shell/testcases/optimizations/merge_stmts13
-rwxr-xr-xtests/shell/testcases/optimizations/merge_stmts_concat35
-rwxr-xr-xtests/shell/testcases/optimizations/merge_stmts_concat_vmap17
-rwxr-xr-xtests/shell/testcases/optimizations/merge_stmts_vmap21
-rwxr-xr-xtests/shell/testcases/optimizations/merge_vmap_raw32
-rwxr-xr-xtests/shell/testcases/optimizations/merge_vmaps31
-rwxr-xr-xtests/shell/testcases/optimizations/not_mergeable22
-rwxr-xr-xtests/shell/testcases/optimizations/ruleset168
-rwxr-xr-xtests/shell/testcases/optimizations/single_anon_set13
-rwxr-xr-xtests/shell/testcases/optimizations/skip_merge34
-rwxr-xr-xtests/shell/testcases/optimizations/skip_non_eq12
-rwxr-xr-xtests/shell/testcases/optimizations/skip_unsupported25
-rwxr-xr-xtests/shell/testcases/optimizations/variables15
-rwxr-xr-xtests/shell/testcases/optionals/comments_08
-rwxr-xr-xtests/shell/testcases/optionals/comments_chain_012
-rwxr-xr-xtests/shell/testcases/optionals/comments_handles_010
-rwxr-xr-xtests/shell/testcases/optionals/comments_objects_044
-rwxr-xr-xtests/shell/testcases/optionals/comments_objects_dup_097
-rwxr-xr-xtests/shell/testcases/optionals/comments_table_05
-rwxr-xr-xtests/shell/testcases/optionals/delete_object_handles_042
-rw-r--r--tests/shell/testcases/optionals/dumps/comments_0.nft5
-rw-r--r--tests/shell/testcases/optionals/dumps/comments_chain_0.nft5
-rw-r--r--tests/shell/testcases/optionals/dumps/comments_handles_0.nft5
-rw-r--r--tests/shell/testcases/optionals/dumps/comments_objects_0.nft37
-rw-r--r--tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft0
-rw-r--r--tests/shell/testcases/optionals/dumps/comments_table_0.nft3
-rw-r--r--tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft18
-rw-r--r--tests/shell/testcases/optionals/dumps/handles_0.nft5
-rw-r--r--tests/shell/testcases/optionals/dumps/handles_1.nft5
-rw-r--r--tests/shell/testcases/optionals/dumps/log_prefix_0.nft5
-rw-r--r--tests/shell/testcases/optionals/dumps/update_object_handles_0.nft9
-rwxr-xr-xtests/shell/testcases/optionals/handles_08
-rwxr-xr-xtests/shell/testcases/optionals/handles_110
-rwxr-xr-xtests/shell/testcases/optionals/log_prefix_016
-rwxr-xr-xtests/shell/testcases/optionals/update_object_handles_024
-rwxr-xr-xtests/shell/testcases/owner/0001-flowtable-uaf26
-rw-r--r--tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft0
-rw-r--r--tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump0
-rwxr-xr-xtests/shell/testcases/packetpath/vlan_8021ad_tag50
-rwxr-xr-xtests/shell/testcases/parsing/describe7
-rw-r--r--tests/shell/testcases/parsing/dumps/describe.nft0
-rw-r--r--tests/shell/testcases/parsing/dumps/large_rule_pipe.nft561
-rw-r--r--tests/shell/testcases/parsing/dumps/log.nft0
-rw-r--r--tests/shell/testcases/parsing/dumps/octal.nft0
-rwxr-xr-xtests/shell/testcases/parsing/large_rule_pipe571
-rwxr-xr-xtests/shell/testcases/parsing/log10
-rwxr-xr-xtests/shell/testcases/parsing/octal13
-rwxr-xr-xtests/shell/testcases/rule_management/0001addinsertposition_085
-rwxr-xr-xtests/shell/testcases/rule_management/0002addinsertlocation_123
-rwxr-xr-xtests/shell/testcases/rule_management/0003insert_015
-rwxr-xr-xtests/shell/testcases/rule_management/0004replace_010
-rwxr-xr-xtests/shell/testcases/rule_management/0005replace_113
-rwxr-xr-xtests/shell/testcases/rule_management/0006replace_113
-rwxr-xr-xtests/shell/testcases/rule_management/0007delete_011
-rwxr-xr-xtests/shell/testcases/rule_management/0008delete_113
-rwxr-xr-xtests/shell/testcases/rule_management/0009delete_113
-rwxr-xr-xtests/shell/testcases/rule_management/0010replace_012
-rwxr-xr-xtests/shell/testcases/rule_management/0011reset_0170
-rwxr-xr-xtests/shell/testcases/rule_management/0012destroy_014
-rw-r--r--tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft7
-rw-r--r--tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft6
-rw-r--r--tests/shell/testcases/rule_management/dumps/0003insert_0.nft8
-rw-r--r--tests/shell/testcases/rule_management/dumps/0004replace_0.nft5
-rw-r--r--tests/shell/testcases/rule_management/dumps/0005replace_1.nft4
-rw-r--r--tests/shell/testcases/rule_management/dumps/0006replace_1.nft4
-rw-r--r--tests/shell/testcases/rule_management/dumps/0007delete_0.nft5
-rw-r--r--tests/shell/testcases/rule_management/dumps/0008delete_1.nft4
-rw-r--r--tests/shell/testcases/rule_management/dumps/0009delete_1.nft4
-rw-r--r--tests/shell/testcases/rule_management/dumps/0010replace_0.nft0
-rw-r--r--tests/shell/testcases/rule_management/dumps/0011reset_0.nft31
-rw-r--r--tests/shell/testcases/rule_management/dumps/0012destroy_0.nft4
-rwxr-xr-xtests/shell/testcases/sets/0001named_interval_039
-rwxr-xr-xtests/shell/testcases/sets/0002named_interval_automerging_012
-rwxr-xr-xtests/shell/testcases/sets/0003named_interval_missing_flag_012
-rwxr-xr-xtests/shell/testcases/sets/0004named_interval_shadow_013
-rwxr-xr-xtests/shell/testcases/sets/0005named_interval_shadow_013
-rwxr-xr-xtests/shell/testcases/sets/0006create_set_014
-rwxr-xr-xtests/shell/testcases/sets/0007create_element_015
-rwxr-xr-xtests/shell/testcases/sets/0008comments_interval_012
-rwxr-xr-xtests/shell/testcases/sets/0008create_verdict_map_017
-rwxr-xr-xtests/shell/testcases/sets/0009comments_timeout_012
-rwxr-xr-xtests/shell/testcases/sets/0010comments_011
-rwxr-xr-xtests/shell/testcases/sets/0011add_many_elements_047
-rwxr-xr-xtests/shell/testcases/sets/0012add_delete_many_elements_047
-rwxr-xr-xtests/shell/testcases/sets/0013add_delete_many_elements_048
-rwxr-xr-xtests/shell/testcases/sets/0014malformed_set_is_not_defined_025
-rwxr-xr-xtests/shell/testcases/sets/0015rulesetflush_018
-rwxr-xr-xtests/shell/testcases/sets/0016element_leak_011
-rwxr-xr-xtests/shell/testcases/sets/0017add_after_flush_012
-rwxr-xr-xtests/shell/testcases/sets/0018set_check_size_111
-rwxr-xr-xtests/shell/testcases/sets/0019set_check_size_020
-rwxr-xr-xtests/shell/testcases/sets/0020comments_012
-rwxr-xr-xtests/shell/testcases/sets/0021nesting_024
-rwxr-xr-xtests/shell/testcases/sets/0022type_selective_flush_032
-rwxr-xr-xtests/shell/testcases/sets/0023incomplete_add_set_command_016
-rwxr-xr-xtests/shell/testcases/sets/0024named_objects_063
-rwxr-xr-xtests/shell/testcases/sets/0025anonymous_set_017
-rwxr-xr-xtests/shell/testcases/sets/0026named_limit_019
-rwxr-xr-xtests/shell/testcases/sets/0027ipv6_maps_ipv4_017
-rwxr-xr-xtests/shell/testcases/sets/0028autoselect_017
-rwxr-xr-xtests/shell/testcases/sets/0028delete_handle_034
-rwxr-xr-xtests/shell/testcases/sets/0029named_ifname_dtype_065
-rwxr-xr-xtests/shell/testcases/sets/0030add_many_elements_interval_044
-rwxr-xr-xtests/shell/testcases/sets/0031set_timeout_size_012
-rwxr-xr-xtests/shell/testcases/sets/0032restore_set_simple_06
-rwxr-xr-xtests/shell/testcases/sets/0033add_set_simple_flat_09
-rwxr-xr-xtests/shell/testcases/sets/0034get_element_070
-rwxr-xr-xtests/shell/testcases/sets/0035add_set_elements_flat_010
-rwxr-xr-xtests/shell/testcases/sets/0036add_set_element_expiration_024
-rwxr-xr-xtests/shell/testcases/sets/0037_set_with_inet_service_06
-rwxr-xr-xtests/shell/testcases/sets/0038meter_list_029
-rwxr-xr-xtests/shell/testcases/sets/0039delete_interval_017
-rwxr-xr-xtests/shell/testcases/sets/0040get_host_endian_elements_043
-rwxr-xr-xtests/shell/testcases/sets/0041interval_025
-rwxr-xr-xtests/shell/testcases/sets/0042update_set_021
-rwxr-xr-xtests/shell/testcases/sets/0043concatenated_ranges_0194
-rwxr-xr-xtests/shell/testcases/sets/0043concatenated_ranges_123
-rwxr-xr-xtests/shell/testcases/sets/0044interval_overlap_0166
-rwxr-xr-xtests/shell/testcases/sets/0044interval_overlap_138
-rwxr-xr-xtests/shell/testcases/sets/0045concat_ipv4_service16
-rwxr-xr-xtests/shell/testcases/sets/0046netmap_020
-rwxr-xr-xtests/shell/testcases/sets/0047nat_040
-rwxr-xr-xtests/shell/testcases/sets/0048set_counters_018
-rwxr-xr-xtests/shell/testcases/sets/0049set_define_016
-rwxr-xr-xtests/shell/testcases/sets/0050set_define_117
-rwxr-xr-xtests/shell/testcases/sets/0051set_interval_counter_019
-rwxr-xr-xtests/shell/testcases/sets/0052overlap_016
-rwxr-xr-xtests/shell/testcases/sets/0053echo_016
-rwxr-xr-xtests/shell/testcases/sets/0054comments_set_09
-rwxr-xr-xtests/shell/testcases/sets/0055tcpflags_027
-rwxr-xr-xtests/shell/testcases/sets/0056dynamic_limit_019
-rwxr-xr-xtests/shell/testcases/sets/0057set_create_fails_018
-rwxr-xr-xtests/shell/testcases/sets/0058_setupdate_timeout_017
-rwxr-xr-xtests/shell/testcases/sets/0059set_update_multistmt_019
-rwxr-xr-xtests/shell/testcases/sets/0060set_multistmt_052
-rwxr-xr-xtests/shell/testcases/sets/0060set_multistmt_140
-rwxr-xr-xtests/shell/testcases/sets/0061anonymous_automerge_011
-rwxr-xr-xtests/shell/testcases/sets/0062set_connlimit_026
-rwxr-xr-xtests/shell/testcases/sets/0063set_catchall_023
-rwxr-xr-xtests/shell/testcases/sets/0064map_catchall_026
-rwxr-xr-xtests/shell/testcases/sets/0065_icmp_postprocessing13
-rwxr-xr-xtests/shell/testcases/sets/0067nat_concat_interval_071
-rwxr-xr-xtests/shell/testcases/sets/0068interval_stack_overflow_045
-rwxr-xr-xtests/shell/testcases/sets/0069interval_merge_028
-rwxr-xr-xtests/shell/testcases/sets/0070stacked_l2_headers6
-rwxr-xr-xtests/shell/testcases/sets/0071unclosed_prefix_interval_023
-rwxr-xr-xtests/shell/testcases/sets/0072destroy_012
-rwxr-xr-xtests/shell/testcases/sets/0073flat_interval_set11
-rwxr-xr-xtests/shell/testcases/sets/0074nested_interval_set6
-rwxr-xr-xtests/shell/testcases/sets/automerge_0131
-rwxr-xr-xtests/shell/testcases/sets/collapse_elem_019
-rwxr-xr-xtests/shell/testcases/sets/concat_interval_024
-rw-r--r--tests/shell/testcases/sets/dumps/0001named_interval_0.nft34
-rw-r--r--tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft5
-rw-r--r--tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0006create_set_0.nft5
-rw-r--r--tests/shell/testcases/sets/dumps/0007create_element_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0008comments_interval_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0010comments_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft5
-rw-r--r--tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft5
-rw-r--r--tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft0
-rw-r--r--tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0016element_leak_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0018set_check_size_1.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0019set_check_size_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0020comments_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0021nesting_0.nft5
-rw-r--r--tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0024named_objects_0.nft50
-rw-r--r--tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0026named_limit_0.nft10
-rw-r--r--tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0028autoselect_0.nft26
-rw-r--r--tests/shell/testcases/sets/dumps/0028delete_handle_0.nft15
-rw-r--r--tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft57
-rw-r--r--tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0034get_element_0.nft23
-rw-r--r--tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft16
-rw-r--r--tests/shell/testcases/sets/dumps/0038meter_list_0.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0039delete_interval_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0041interval_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0042update_set_0.nft15
-rw-r--r--tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft116
-rw-r--r--tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft106
-rw-r--r--tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft12
-rw-r--r--tests/shell/testcases/sets/dumps/0046netmap_0.nft12
-rw-r--r--tests/shell/testcases/sets/dumps/0047nat_0.nft30
-rw-r--r--tests/shell/testcases/sets/dumps/0048set_counters_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/0049set_define_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0050set_define_1.nft0
-rw-r--r--tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/0052overlap_0.nft8
-rw-r--r--tests/shell/testcases/sets/dumps/0053echo_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0054comments_set_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/0055tcpflags_0.nft10
-rw-r--r--tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft0
-rw-r--r--tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft12
-rw-r--r--tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft15
-rw-r--r--tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft5
-rw-r--r--tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft16
-rw-r--r--tests/shell/testcases/sets/dumps/0063set_catchall_0.nft14
-rw-r--r--tests/shell/testcases/sets/dumps/0064map_catchall_0.nft18
-rw-r--r--tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft42
-rw-r--r--tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0069interval_merge_0.nft9
-rw-r--r--tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft28
-rw-r--r--tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft19
-rw-r--r--tests/shell/testcases/sets/dumps/0072destroy_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0073flat_interval_set.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0074nested_interval_set.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/automerge_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/collapse_elem_0.nft12
-rw-r--r--tests/shell/testcases/sets/dumps/concat_interval_0.nft14
-rw-r--r--tests/shell/testcases/sets/dumps/dynset_missing.nft12
-rw-r--r--tests/shell/testcases/sets/dumps/errors_0.nft0
-rw-r--r--tests/shell/testcases/sets/dumps/exact_overlap_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/inner_0.nft18
-rw-r--r--tests/shell/testcases/sets/dumps/reset_command_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/set_eval_0.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/sets_with_ifnames.nft62
-rw-r--r--tests/shell/testcases/sets/dumps/type_set_symbol.nft16
-rw-r--r--tests/shell/testcases/sets/dumps/typeof_raw_0.nft12
-rw-r--r--tests/shell/testcases/sets/dumps/typeof_sets_0.nft97
-rw-r--r--tests/shell/testcases/sets/dumps/typeof_sets_1.nft15
-rw-r--r--tests/shell/testcases/sets/dumps/typeof_sets_concat.nft12
-rwxr-xr-xtests/shell/testcases/sets/dynset_missing32
-rwxr-xr-xtests/shell/testcases/sets/errors_069
-rwxr-xr-xtests/shell/testcases/sets/exact_overlap_022
-rwxr-xr-xtests/shell/testcases/sets/inner_027
-rwxr-xr-xtests/shell/testcases/sets/reset_command_093
-rwxr-xr-xtests/shell/testcases/sets/set_eval_017
-rwxr-xr-xtests/shell/testcases/sets/sets_with_ifnames150
-rwxr-xr-xtests/shell/testcases/sets/type_set_symbol6
-rwxr-xr-xtests/shell/testcases/sets/typeof_raw_017
-rwxr-xr-xtests/shell/testcases/sets/typeof_sets_0226
-rwxr-xr-xtests/shell/testcases/sets/typeof_sets_122
-rwxr-xr-xtests/shell/testcases/sets/typeof_sets_concat6
-rwxr-xr-xtests/shell/testcases/transactions/0001table_014
-rwxr-xr-xtests/shell/testcases/transactions/0002table_015
-rwxr-xr-xtests/shell/testcases/transactions/0003table_046
-rwxr-xr-xtests/shell/testcases/transactions/0010chain_015
-rwxr-xr-xtests/shell/testcases/transactions/0011chain_015
-rwxr-xr-xtests/shell/testcases/transactions/0012chain_019
-rwxr-xr-xtests/shell/testcases/transactions/0013chain_020
-rwxr-xr-xtests/shell/testcases/transactions/0014chain_110
-rwxr-xr-xtests/shell/testcases/transactions/0015chain_025
-rwxr-xr-xtests/shell/testcases/transactions/0020rule_014
-rwxr-xr-xtests/shell/testcases/transactions/0021rule_017
-rwxr-xr-xtests/shell/testcases/transactions/0022rule_111
-rwxr-xr-xtests/shell/testcases/transactions/0023rule_110
-rwxr-xr-xtests/shell/testcases/transactions/0024rule_017
-rwxr-xr-xtests/shell/testcases/transactions/0025rule_021
-rwxr-xr-xtests/shell/testcases/transactions/0030set_014
-rwxr-xr-xtests/shell/testcases/transactions/0031set_014
-rwxr-xr-xtests/shell/testcases/transactions/0032set_015
-rwxr-xr-xtests/shell/testcases/transactions/0033set_013
-rwxr-xr-xtests/shell/testcases/transactions/0034set_014
-rwxr-xr-xtests/shell/testcases/transactions/0035set_016
-rwxr-xr-xtests/shell/testcases/transactions/0036set_112
-rwxr-xr-xtests/shell/testcases/transactions/0037set_014
-rwxr-xr-xtests/shell/testcases/transactions/0038set_016
-rwxr-xr-xtests/shell/testcases/transactions/0039set_016
-rwxr-xr-xtests/shell/testcases/transactions/0040set_042
-rwxr-xr-xtests/shell/testcases/transactions/0041nat_restore_017
-rwxr-xr-xtests/shell/testcases/transactions/0042_stateful_expr_014
-rwxr-xr-xtests/shell/testcases/transactions/0043set_114
-rwxr-xr-xtests/shell/testcases/transactions/0044rule_022
-rwxr-xr-xtests/shell/testcases/transactions/0045anon-unbind_010
-rwxr-xr-xtests/shell/testcases/transactions/0046set_018
-rwxr-xr-xtests/shell/testcases/transactions/0047set_026
-rwxr-xr-xtests/shell/testcases/transactions/0048helpers_015
-rwxr-xr-xtests/shell/testcases/transactions/0049huge_067
-rwxr-xr-xtests/shell/testcases/transactions/0050rule_119
-rwxr-xr-xtests/shell/testcases/transactions/0051map_0122
-rwxr-xr-xtests/shell/testcases/transactions/30s-stress637
-rwxr-xr-xtests/shell/testcases/transactions/anon_chain_loop19
-rwxr-xr-xtests/shell/testcases/transactions/bad_expression38
-rw-r--r--tests/shell/testcases/transactions/dumps/0001table_0.nft4
-rw-r--r--tests/shell/testcases/transactions/dumps/0002table_0.nft7
-rw-r--r--tests/shell/testcases/transactions/dumps/0003table_0.nft4
-rw-r--r--tests/shell/testcases/transactions/dumps/0010chain_0.nft4
-rw-r--r--tests/shell/testcases/transactions/dumps/0011chain_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0012chain_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0013chain_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0014chain_1.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0015chain_0.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0020rule_0.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0021rule_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0022rule_1.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0023rule_1.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0024rule_0.nft8
-rw-r--r--tests/shell/testcases/transactions/dumps/0025rule_0.nft6
-rw-r--r--tests/shell/testcases/transactions/dumps/0030set_0.nft2
-rw-r--r--tests/shell/testcases/transactions/dumps/0031set_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0032set_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0033set_0.nft2
-rw-r--r--tests/shell/testcases/transactions/dumps/0034set_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0035set_0.nft6
-rw-r--r--tests/shell/testcases/transactions/dumps/0036set_1.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0037set_0.nft6
-rw-r--r--tests/shell/testcases/transactions/dumps/0038set_0.nft7
-rw-r--r--tests/shell/testcases/transactions/dumps/0039set_0.nft7
-rw-r--r--tests/shell/testcases/transactions/dumps/0040set_0.nft14
-rw-r--r--tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft5
-rw-r--r--tests/shell/testcases/transactions/dumps/0043set_1.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0044rule_0.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0046set_0.nft2
-rw-r--r--tests/shell/testcases/transactions/dumps/0047set_0.nft11
-rw-r--r--tests/shell/testcases/transactions/dumps/0048helpers_0.nft2
-rw-r--r--tests/shell/testcases/transactions/dumps/0049huge_0.nft749
-rw-r--r--tests/shell/testcases/transactions/dumps/0050rule_1.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/0051map_0.nodump0
-rw-r--r--tests/shell/testcases/transactions/dumps/30s-stress.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/anon_chain_loop.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/bad_expression.nft0
-rw-r--r--tests/shell/testcases/transactions/dumps/table_onoff.nft8
-rwxr-xr-xtests/shell/testcases/transactions/table_onoff44
766 files changed, 19393 insertions, 0 deletions
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_0 b/tests/shell/testcases/bitwise/0040mark_binop_0
new file mode 100755
index 0000000..4ecc9d3
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook output priority filter; }
+ add rule t c oif lo ct mark set (meta mark | 0x10) << 8
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_1 b/tests/shell/testcases/bitwise/0040mark_binop_1
new file mode 100755
index 0000000..bd9e028
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook input priority filter; }
+ add rule t c iif lo ct mark & 0xff 0x10 meta mark set ct mark >> 8
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_2 b/tests/shell/testcases/bitwise/0040mark_binop_2
new file mode 100755
index 0000000..5e66a27
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_2
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook output priority filter; }
+ add rule t c ct mark set ip dscp lshift 2 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_3 b/tests/shell/testcases/bitwise/0040mark_binop_3
new file mode 100755
index 0000000..21dda67
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_3
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook input priority filter; }
+ add rule t c meta mark set ip dscp lshift 2 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_4 b/tests/shell/testcases/bitwise/0040mark_binop_4
new file mode 100755
index 0000000..e5c8a42
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_4
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook output priority filter; }
+ add rule t c ct mark set ip dscp lshift 26 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_5 b/tests/shell/testcases/bitwise/0040mark_binop_5
new file mode 100755
index 0000000..184fbed
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_5
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook input priority filter; }
+ add rule t c meta mark set ip dscp lshift 26 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_6 b/tests/shell/testcases/bitwise/0040mark_binop_6
new file mode 100755
index 0000000..129dd5c
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_6
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table ip6 t
+ add chain ip6 t c { type filter hook output priority filter; }
+ add rule ip6 t c ct mark set ip6 dscp lshift 2 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_7 b/tests/shell/testcases/bitwise/0040mark_binop_7
new file mode 100755
index 0000000..791a794
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_7
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table ip6 t
+ add chain ip6 t c { type filter hook input priority filter; }
+ add rule ip6 t c meta mark set ip6 dscp lshift 2 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_8 b/tests/shell/testcases/bitwise/0040mark_binop_8
new file mode 100755
index 0000000..5e7bd28
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_8
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table ip6 t
+ add chain ip6 t c { type filter hook output priority filter; }
+ add rule ip6 t c ct mark set ip6 dscp lshift 26 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_9 b/tests/shell/testcases/bitwise/0040mark_binop_9
new file mode 100755
index 0000000..a7b60fb
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_9
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+ add table ip6 t
+ add chain ip6 t c { type filter hook input priority filter; }
+ add rule ip6 t c meta mark set ip6 dscp lshift 26 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft
new file mode 100644
index 0000000..fc0a600
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ oif "lo" ct mark set (meta mark | 0x00000010) << 8
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft
new file mode 100644
index 0000000..dbaacef
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook input priority filter; policy accept;
+ iif "lo" ct mark & 0x000000ff == 0x00000010 meta mark set ct mark >> 8
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft
new file mode 100644
index 0000000..2b9be36
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ct mark set ip dscp << 2 | 0x10
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft
new file mode 100644
index 0000000..8206fec
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook input priority filter; policy accept;
+ meta mark set ip dscp << 2 | 0x10
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft
new file mode 100644
index 0000000..91d9f56
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ct mark set ip dscp << 26 | 0x10
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft
new file mode 100644
index 0000000..f2b51eb
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook input priority filter; policy accept;
+ meta mark set ip dscp << 26 | 0x10
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft
new file mode 100644
index 0000000..cf7be90
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ct mark set ip6 dscp << 2 | 0x10
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft
new file mode 100644
index 0000000..a9663e6
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+ chain c {
+ type filter hook input priority filter; policy accept;
+ meta mark set ip6 dscp << 2 | 0x10
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft
new file mode 100644
index 0000000..04b866a
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ct mark set ip6 dscp << 26 | 0x10
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft
new file mode 100644
index 0000000..d4745ea
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+ chain c {
+ type filter hook input priority filter; policy accept;
+ meta mark set ip6 dscp << 26 | 0x10
+ }
+}
diff --git a/tests/shell/testcases/bogons/assert_failures b/tests/shell/testcases/bogons/assert_failures
new file mode 100755
index 0000000..7909942
--- /dev/null
+++ b/tests/shell/testcases/bogons/assert_failures
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+dir=$(dirname $0)/nft-f/
+
+for f in $dir/*; do
+ $NFT --check -f "$f"
+
+ if [ $? -ne 1 ]; then
+ echo "Bogus input file $f did not cause expected error code" 1>&2
+ exit 111
+ fi
+done
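Review bot: The loop passes vacuously when `nft-f/` is missing or empty: without `nullglob` the pattern `$dir/*` stays a literal string, and `$NFT --check -f` on a path that does not exist presumably also exits with 1, which is exactly the status the test accepts. Since these inputs are the regression cases for parser assertion failures, the test should fail loudly when it has nothing to check, e.g. `[ -e "$f" ] || { echo "no bogon input files in $dir" 1>&2; exit 111; }` as the first line of the loop body. `$0` and `$dir` are also expanded unquoted, so a checkout path containing whitespace breaks the glob; `dir=$(dirname "$0")/nft-f/` and `for f in "$dir"/*; do` avoid that.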
diff --git a/tests/shell/testcases/bogons/dumps/assert_failures.nft b/tests/shell/testcases/bogons/dumps/assert_failures.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/bogons/dumps/assert_failures.nft
diff --git a/tests/shell/testcases/bogons/nft-f/include-device b/tests/shell/testcases/bogons/nft-f/include-device
new file mode 100644
index 0000000..1eb7977
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/include-device
@@ -0,0 +1 @@
+include "/dev/null"
diff --git a/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert
new file mode 100644
index 0000000..18c7edd
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert
@@ -0,0 +1,7 @@
+table ip x {
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.1 }
+ }
+}
+
diff --git a/tests/shell/testcases/bogons/nft-f/scope_underflow_assert b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert
new file mode 100644
index 0000000..aee1dcb
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert
@@ -0,0 +1,6 @@
+table t {
+ chain c {
+ jump{
+ jump {
+ jump
+
diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert
new file mode 100644
index 0000000..84f3307
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert
@@ -0,0 +1,5 @@
+table ip x {
+ chain Main_Ingress1 {
+ type filter hook ingress device""lo" priority -1
+ }
+}
diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert
new file mode 100644
index 0000000..2c3e6c3
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert
@@ -0,0 +1,5 @@
+table t {
+ flowtable f {
+ devices = { """"lo }
+ }
+}
diff --git a/tests/shell/testcases/cache/0001_cache_handling_0 b/tests/shell/testcases/cache/0001_cache_handling_0
new file mode 100755
index 0000000..0a68440
--- /dev/null
+++ b/tests/shell/testcases/cache/0001_cache_handling_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+RULESET='
+table inet test {
+ set test {
+ type ipv4_addr
+ elements = { 1.1.1.1, 3.3.3.3}
+ }
+
+ chain test {
+ ip saddr @test counter accept
+ ip daddr { 2.2.2.2, 4.4.4.4} counter accept
+ }
+}'
+
+set -e
+
+$NFT -f - <<< "$RULESET"
+TMP=$(mktemp)
+echo "$RULESET" >> "$TMP"
+$NFT "flush ruleset;include \"$TMP\""
+rm -f "$TMP"
+rule_handle=$($NFT -a list ruleset | awk '/saddr/{print $NF}')
+$NFT delete rule inet test test handle $rule_handle
+$NFT delete set inet test test
+$NFT -f - <<< "$RULESET"
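Review bot: The file created by `mktemp` is left behind whenever the `include` step fails, because `set -e` aborts the script before `rm -f "$TMP"` is reached. Registering the cleanup immediately after creation covers every exit path: `trap 'rm -f "$TMP"' EXIT`. Separately, `rule_handle` is whatever awk prints for every line matching `/saddr/` and is then expanded unquoted; with this ruleset that is one handle, but `awk '/saddr/{print $NF; exit}'` would make the single-handle intent explicit and keep `delete rule` from receiving several words if the listing format changes.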
diff --git a/tests/shell/testcases/cache/0002_interval_0 b/tests/shell/testcases/cache/0002_interval_0
new file mode 100755
index 0000000..506a6c8
--- /dev/null
+++ b/tests/shell/testcases/cache/0002_interval_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This testcase checks that we can load a ruleset twice in a row.
+# bug --> Error: interval overlaps with an existing one
+
+set -e
+
+RULESET="flush ruleset
+table inet t {
+ set s { type ipv4_addr; flags interval; }
+}
+
+add element inet t s {
+ 192.168.0.1/24,
+}"
+
+$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/cache/0003_cache_update_0 b/tests/shell/testcases/cache/0003_cache_update_0
new file mode 100755
index 0000000..05edc9c
--- /dev/null
+++ b/tests/shell/testcases/cache/0003_cache_update_0
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+# Expose how naive cache update logic (i.e., drop cache and repopulate from
+# kernel ruleset) may mess things up. The following input does:
+#
+# list ruleset -> populate the cache, cache->genid is non-zero
+# add table ip t -> make kernel's genid increment (cache->genid remains
+# unchanged)
+# add table ip t2; -> first command of batch, new table t2 is added to the cache
+# add chain ip t2 c -> second command of batch, triggers cache_update() which
+# removes table t2 from it
+
+$NFT -i >/dev/null <<EOF
+list ruleset
+add table ip t
+add table ip t2; add chain ip t2 c
+EOF
+
+# The following test exposes a problem with simple locking of cache when local
+# entries are added:
+#
+# add table ip t3 -> cache would be locked without previous update
+# add chain ip t c -> table t is not found due to no cache update happening
+
+$NFT -i >/dev/null <<EOF
+add table ip t3; add chain ip t c
+EOF
+
+# The following test exposes a problem with incremental cache update when
+# reading commands from a file that add a rule using the "index" keyword.
+#
+# add rule ip t4 c meta l4proto icmp accept -> rule to reference in next step
+# add rule ip t4 c index 0 drop -> index 0 is not found due to rule cache not
+# being updated
+# add rule ip t4 c index 2 drop -> index 2 is not found due to igmp rule being
+# in same transaction and therefore not having
+# an allocated handle
+$NFT -i >/dev/null <<EOF
+add table ip t4; add chain ip t4 c
+add rule ip t4 c meta l4proto icmp accept
+EOF
+$NFT -f - >/dev/null <<EOF
+add rule ip t4 c index 0 drop
+EOF
+$NFT -f - >/dev/null <<EOF
+add rule ip t4 c meta l4proto igmp accept
+add rule ip t4 c index 2 drop
+EOF
diff --git a/tests/shell/testcases/cache/0004_cache_update_0 b/tests/shell/testcases/cache/0004_cache_update_0
new file mode 100755
index 0000000..697d9de
--- /dev/null
+++ b/tests/shell/testcases/cache/0004_cache_update_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+# Trigger a crash or rule restore error with nft 0.9.1
+$NFT -f - >/dev/null <<EOF
+flush ruleset
+table inet testfilter {
+}
+table inet testfilter {
+ chain test {
+ counter
+ }
+}
+EOF
diff --git a/tests/shell/testcases/cache/0005_cache_chain_flush b/tests/shell/testcases/cache/0005_cache_chain_flush
new file mode 100755
index 0000000..7dfe5c1
--- /dev/null
+++ b/tests/shell/testcases/cache/0005_cache_chain_flush
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table ip x
+add chain x y
+add chain x z
+add map ip x mapping { type ipv4_addr : inet_service; flags dynamic,timeout; }
+add rule x y counter
+add rule x z counter"
+
+$NFT -f - <<< "$RULESET" 2>&1
+
+RULESET="flush chain x y; add rule x y update @mapping { ip saddr : tcp sport }; flush chain x z"
+
+$NFT "$RULESET" 2>&1
diff --git a/tests/shell/testcases/cache/0006_cache_table_flush b/tests/shell/testcases/cache/0006_cache_table_flush
new file mode 100755
index 0000000..fa4da97
--- /dev/null
+++ b/tests/shell/testcases/cache/0006_cache_table_flush
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table ip x
+add chain x y
+add chain x z
+add map ip x mapping { type ipv4_addr : inet_service; flags dynamic,timeout; }
+add rule x y counter
+add rule x z counter"
+
+$NFT -f - <<< "$RULESET" 2>&1
+
+RULESET="flush table x; add rule x y update @mapping { ip saddr : tcp sport }; flush chain x z"
+
+$NFT "$RULESET" 2>&1
diff --git a/tests/shell/testcases/cache/0007_echo_cache_init_0 b/tests/shell/testcases/cache/0007_echo_cache_init_0
new file mode 100755
index 0000000..280a0d0
--- /dev/null
+++ b/tests/shell/testcases/cache/0007_echo_cache_init_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+$NFT -i >/dev/null <<EOF
+add table inet t
+add chain inet t c
+add rule inet t c accept comment "first"
+add rule inet t c accept comment "third"
+EOF
+
+# make sure the rule cache gets initialized when using echo option
+#
+$NFT --echo add rule inet t c index 0 accept comment '"second"' >/dev/null
diff --git a/tests/shell/testcases/cache/0008_delete_by_handle_0 b/tests/shell/testcases/cache/0008_delete_by_handle_0
new file mode 100755
index 0000000..0db4c69
--- /dev/null
+++ b/tests/shell/testcases/cache/0008_delete_by_handle_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+HANDLE=`$NFT -a list ruleset | grep "table.*handle" | cut -d' ' -f7`
+$NFT delete table handle $HANDLE
+
+$NFT add table t
+
+$NFT add chain t c
+HANDLE=`$NFT -a list ruleset | grep "chain.*handle" | cut -d' ' -f6`
+$NFT delete chain t handle $HANDLE
+
+$NFT add set t s { type ipv4_addr\; }
+HANDLE=`$NFT -a list ruleset | grep "set.*handle" | cut -d' ' -f6`
+$NFT delete set t handle $HANDLE
+
+$NFT add flowtable t f { hook ingress priority 0\; devices = { lo } \; }
+HANDLE=`$NFT -a list ruleset | grep "flowtable.*handle" | cut -d' ' -f6`
+$NFT delete flowtable t handle $HANDLE
+
+$NFT add counter t x
+HANDLE=`$NFT -a list ruleset | grep "counter.*handle" | cut -d' ' -f6`
+$NFT delete counter t handle $HANDLE
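Review bot: Each handle is extracted by fixed field position (`cut -d' ' -f7` for the table, `-f6` for the other objects), so any change in the spacing of the `-a` listing yields a wrong field or an empty string without notice. Taking the last field, as 0001_cache_handling_0 in this commit does, is less brittle: `HANDLE=$($NFT -a list ruleset | awk '/table.*handle/{print $NF}')`. The status of each pipeline is that of `cut`, so a failing `$NFT -a list ruleset` is not caught by `set -e`; the unquoted, possibly empty `$HANDLE` then reaches the delete command. The backticks would also read better as `$(...)`.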
diff --git a/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0 b/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0
new file mode 100755
index 0000000..f0bb02a
--- /dev/null
+++ b/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+$NFT delete table handle 4000 && exit 1
+$NFT delete chain t handle 4000 && exit 1
+$NFT delete set t handle 4000 && exit 1
+$NFT delete flowtable t handle 4000 && exit 1
+$NFT delete counter t handle 4000 && exit 1
+exit 0
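Review bot: Every check here accepts any non-zero exit as the expected rejection, so an nft that crashes on the bogus handle (reported by the shell as a status above 128) or cannot be executed at all passes the test as well. Assuming a rejected command exits with 1, as the `[ $? -ne 1 ]` check in 0041chain_binding_0 of this commit suggests, the status can be pinned, e.g. `$NFT delete table handle 4000; [ $? -eq 1 ] || exit 1`. The `|| exit 0` tests under chains/ in this commit (0002jumps_1 through 0022prio_dummy_1) have the same gap, and several of them name an errno in a comment (EBUSY, ELOOP, EOPNOTSUPP, ENOENT) that is never verified because stderr goes to /dev/null.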
diff --git a/tests/shell/testcases/cache/0010_implicit_chain_0 b/tests/shell/testcases/cache/0010_implicit_chain_0
new file mode 100755
index 0000000..834dc6e
--- /dev/null
+++ b/tests/shell/testcases/cache/0010_implicit_chain_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+
+set -e
+
+EXPECTED="table ip f {
+ chain c {
+ jump {
+ accept
+ }
+ }
+}"
+
+$NFT 'table ip f { chain c { jump { accept; }; }; }'
+GET="$($NFT list chain ip f c)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/cache/0011_index_0 b/tests/shell/testcases/cache/0011_index_0
new file mode 100755
index 0000000..c9eb868
--- /dev/null
+++ b/tests/shell/testcases/cache/0011_index_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+RULESET="flush ruleset
+add table inet t
+add chain inet t c { type filter hook input priority 0 ; }
+add rule inet t c tcp dport 1234 accept
+add rule inet t c accept
+insert rule inet t c index 1 udp dport 4321 accept"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft
new file mode 100644
index 0000000..2099865
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft
@@ -0,0 +1,12 @@
+table inet test {
+ set test {
+ type ipv4_addr
+ elements = { 1.1.1.1, 3.3.3.3 }
+ }
+
+ chain test {
+ ip daddr { 2.2.2.2, 4.4.4.4 } counter packets 0 bytes 0 accept
+ ip saddr @test counter packets 0 bytes 0 accept
+ ip daddr { 2.2.2.2, 4.4.4.4 } counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/cache/dumps/0002_interval_0.nft b/tests/shell/testcases/cache/dumps/0002_interval_0.nft
new file mode 100644
index 0000000..6a08132
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0002_interval_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.0.0/24 }
+ }
+}
diff --git a/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft
new file mode 100644
index 0000000..43898d3
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft
@@ -0,0 +1,18 @@
+table ip t {
+ chain c {
+ }
+}
+table ip t2 {
+ chain c {
+ }
+}
+table ip t3 {
+}
+table ip t4 {
+ chain c {
+ meta l4proto icmp accept
+ drop
+ meta l4proto igmp accept
+ drop
+ }
+}
diff --git a/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft
new file mode 100644
index 0000000..4f5761b
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft
@@ -0,0 +1,5 @@
+table inet testfilter {
+ chain test {
+ counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft
new file mode 100644
index 0000000..8ab55a2
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft
@@ -0,0 +1,14 @@
+table ip x {
+ map mapping {
+ type ipv4_addr : inet_service
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain y {
+ update @mapping { ip saddr : tcp sport }
+ }
+
+ chain z {
+ }
+}
diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft
new file mode 100644
index 0000000..8ab55a2
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft
@@ -0,0 +1,14 @@
+table ip x {
+ map mapping {
+ type ipv4_addr : inet_service
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain y {
+ update @mapping { ip saddr : tcp sport }
+ }
+
+ chain z {
+ }
+}
diff --git a/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.nft b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.nft
new file mode 100644
index 0000000..c774ee7
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+ chain c {
+ accept comment "first"
+ accept comment "second"
+ accept comment "third"
+ }
+}
diff --git a/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft
diff --git a/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft
new file mode 100644
index 0000000..aba92c0
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft
@@ -0,0 +1,7 @@
+table ip f {
+ chain c {
+ jump {
+ accept
+ }
+ }
+}
diff --git a/tests/shell/testcases/cache/dumps/0011_index_0.nft b/tests/shell/testcases/cache/dumps/0011_index_0.nft
new file mode 100644
index 0000000..7e855eb
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0011_index_0.nft
@@ -0,0 +1,8 @@
+table inet t {
+ chain c {
+ type filter hook input priority filter; policy accept;
+ tcp dport 1234 accept
+ udp dport 4321 accept
+ accept
+ }
+}
diff --git a/tests/shell/testcases/chains/0001jumps_0 b/tests/shell/testcases/chains/0001jumps_0
new file mode 100755
index 0000000..b39df38
--- /dev/null
+++ b/tests/shell/testcases/chains/0001jumps_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+MAX_JUMPS=16
+
+$NFT add table t
+
+for i in $(seq 1 $MAX_JUMPS)
+do
+ $NFT add chain t c${i}
+done
+
+for i in $(seq 1 $((MAX_JUMPS - 1)))
+do
+ $NFT add rule t c${i} jump c$((i + 1))
+done
diff --git a/tests/shell/testcases/chains/0002jumps_1 b/tests/shell/testcases/chains/0002jumps_1
new file mode 100755
index 0000000..aa70037
--- /dev/null
+++ b/tests/shell/testcases/chains/0002jumps_1
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+MAX_JUMPS=16
+
+$NFT add table t
+
+$NFT add chain t c1 { type filter hook input priority 0\; }
+
+for i in $(seq 2 $MAX_JUMPS)
+do
+ $NFT add chain t c${i}
+done
+
+for i in $(seq 1 $((MAX_JUMPS - 1)))
+do
+ $NFT add rule t c${i} jump c$((i + 1))
+done
+
+# this last jump should fail: too many links
+$NFT add chain t c$((MAX_JUMPS + 1))
+
+$NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null || exit 0
+echo "E: max jumps ignored?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
new file mode 100755
index 0000000..80e243f
--- /dev/null
+++ b/tests/shell/testcases/chains/0003jump_loop_1
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+MAX_JUMPS=16
+
+$NFT add table t
+
+for i in $(seq 1 $MAX_JUMPS)
+do
+ $NFT add chain t c${i}
+done
+
+for i in $(seq 1 $((MAX_JUMPS - 1)))
+do
+ $NFT add rule t c${i} jump c$((i + 1))
+done
+
+# this last jump should fail: loop
+$NFT add rule t c${MAX_JUMPS} jump c1 2>/dev/null || exit 0
+echo "E: loop of jumps ignored?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0004busy_1 b/tests/shell/testcases/chains/0004busy_1
new file mode 100755
index 0000000..e68d1ba
--- /dev/null
+++ b/tests/shell/testcases/chains/0004busy_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add rule t c1 jump c2
+
+# kernel should return EBUSY
+$NFT delete chain t c2 2>/dev/null || exit 0
+echo "E: deleted a busy chain?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0005busy_map_1 b/tests/shell/testcases/chains/0005busy_map_1
new file mode 100755
index 0000000..c800f19
--- /dev/null
+++ b/tests/shell/testcases/chains/0005busy_map_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add rule t c1 tcp dport vmap { 1 : jump c2 }
+
+# kernel should return EBUSY
+$NFT delete chain t c2 2>/dev/null || exit 0
+echo "E: deleted a busy chain?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0006masquerade_0 b/tests/shell/testcases/chains/0006masquerade_0
new file mode 100755
index 0000000..7934998
--- /dev/null
+++ b/tests/shell/testcases/chains/0006masquerade_0
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1 {type nat hook postrouting priority 0 \; }
+$NFT add rule t c1 masquerade
diff --git a/tests/shell/testcases/chains/0007masquerade_1 b/tests/shell/testcases/chains/0007masquerade_1
new file mode 100755
index 0000000..4434c89
--- /dev/null
+++ b/tests/shell/testcases/chains/0007masquerade_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1 {type filter hook output priority 0 \; }
+
+# wrong hook output, only postrouting is valid
+$NFT add rule t c1 masquerade 2>/dev/null || exit 0
+echo "E: accepted masquerade in output hook" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0008masquerade_jump_1 b/tests/shell/testcases/chains/0008masquerade_jump_1
new file mode 100755
index 0000000..aee1475
--- /dev/null
+++ b/tests/shell/testcases/chains/0008masquerade_jump_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t output {type nat hook output priority 0 \; }
+$NFT add chain t c1
+$NFT add rule t c1 masquerade
+
+# kernel should return EOPNOTSUPP
+$NFT add rule t output jump c1 2>/dev/null || exit 0
+echo "E: accepted masquerade in output hook" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0009masquerade_jump_1 b/tests/shell/testcases/chains/0009masquerade_jump_1
new file mode 100755
index 0000000..2b931ee
--- /dev/null
+++ b/tests/shell/testcases/chains/0009masquerade_jump_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t output {type nat hook output priority 0 \; }
+$NFT add chain t c1
+$NFT add rule t c1 masquerade
+
+# kernel should return EOPNOTSUPP
+$NFT add rule t output tcp dport vmap {1 :jump c1 } 2>/dev/null || exit 0
+echo "E: accepted masquerade in output hook in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
new file mode 100755
index 0000000..5d3ef23
--- /dev/null
+++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c
+
+# kernel should return ELOOP
+$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
+echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
new file mode 100755
index 0000000..d75932d
--- /dev/null
+++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add map t m {type inet_service : verdict \;}
+$NFT add element t m {2 : jump c2}
+$NFT add rule t c1 tcp dport vmap @m
+
+# kernel should return ELOOP
+$NFT add element t m {1 : jump c1} 2>/dev/null || exit 0
+echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0013rename_0 b/tests/shell/testcases/chains/0013rename_0
new file mode 100755
index 0000000..b9fe11a
--- /dev/null
+++ b/tests/shell/testcases/chains/0013rename_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+# kernel should not return EEXIST
+$NFT rename chain t c1 c2
diff --git a/tests/shell/testcases/chains/0014rename_0 b/tests/shell/testcases/chains/0014rename_0
new file mode 100755
index 0000000..bd84e95
--- /dev/null
+++ b/tests/shell/testcases/chains/0014rename_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+$NFT add table t || exit 1
+$NFT add chain t c1 || exit 1
+$NFT add chain t c2 || exit 1
+# kernel should return EEXIST
+$NFT rename chain t c1 c2
+
+if [ $? -eq 0 ] ; then
+ echo "E: Renamed with existing chain" >&2
+ exit 1
+fi
+
+# same, should return EEXIST
+$NFT 'rename chain t c1 c3;rename chain t c2 c3'
+if [ $? -eq 0 ] ; then
+ echo "E: Renamed two chains to same name" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/chains/0015check_jump_loop_1 b/tests/shell/testcases/chains/0015check_jump_loop_1
new file mode 100755
index 0000000..a59bb3b
--- /dev/null
+++ b/tests/shell/testcases/chains/0015check_jump_loop_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add t c1 jump c2
+# kernel should return ENOENT
+
+$NFT add t c2 ip daddr vmap { 1 : jump c3 } || exit 0
+echo "E: Jumped to non existing chain" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0016delete_handle_0 b/tests/shell/testcases/chains/0016delete_handle_0
new file mode 100755
index 0000000..8fd1ad8
--- /dev/null
+++ b/tests/shell/testcases/chains/0016delete_handle_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add chain test-ip x
+$NFT add chain test-ip y
+$NFT add chain test-ip z
+$NFT add table ip6 test-ip6
+$NFT add chain ip6 test-ip6 x
+$NFT add chain ip6 test-ip6 y
+$NFT add chain ip6 test-ip6 z
+
+chain_y_handle=$($NFT -a list ruleset | awk -v n=1 '/chain y/ && !--n {print $NF; exit}');
+chain_z_handle=$($NFT -a list ruleset | awk -v n=2 '/chain z/ && !--n {print $NF; exit}');
+
+$NFT delete chain test-ip handle $chain_y_handle
+$NFT delete chain ip6 test-ip6 handle $chain_z_handle
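Review bot: The two awk selectors give no reason why `n=1` is used for chain y and `n=2` for chain z, and the test only works if the listing order is what the author had in mind. A comment above them would record that, for example `# n selects the n-th match: the first "chain y" is expected in table ip test-ip, the second "chain z" in ip6 test-ip6 (relies on ip being listed before ip6)`. The handles are then expanded unquoted and unchecked, so an empty match turns into a parser error on the delete command; `[ -n "$chain_y_handle" ] || exit 1` would fail more clearly. The trailing `;` on both assignments can go.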
diff --git a/tests/shell/testcases/chains/0017masquerade_jump_1 b/tests/shell/testcases/chains/0017masquerade_jump_1
new file mode 100755
index 0000000..209e6d4
--- /dev/null
+++ b/tests/shell/testcases/chains/0017masquerade_jump_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t input {type filter hook input priority 4 \; }
+$NFT add chain t c1
+$NFT add rule t input jump c1
+
+# kernel should return EOPNOTSUPP
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+
+echo "E: Accepted masquerade rule in non-nat type base chain" 1>&2
+exit 1
diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
new file mode 100755
index 0000000..b87520f
--- /dev/null
+++ b/tests/shell/testcases/chains/0018check_jump_loop_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table ip filter
+$NFT add chain ip filter ap1
+$NFT add chain ip filter ap2
+$NFT add rule ip filter ap1 jump ap2
+
+# kernel should return EOPNOTSUPP
+$NFT add rule ip filter ap1 jump ap1 2>/dev/null >&2 || exit 0
+echo "E: Accepted jump-to-self"
+exit 1
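Review bot: The failure message is written to stdout, while the sibling tests in this commit (0017masquerade_jump_1 and 0019masquerade_jump_1, for instance) send their `E:` line to stderr. For consistent collection of diagnostics by the test runner the line should read `echo "E: Accepted jump-to-self" >&2`. The comment also names EOPNOTSUPP, but the script accepts any non-zero exit and discards nft's message, so the errno is not actually checked.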
diff --git a/tests/shell/testcases/chains/0019masquerade_jump_1 b/tests/shell/testcases/chains/0019masquerade_jump_1
new file mode 100755
index 0000000..0ff1ac3
--- /dev/null
+++ b/tests/shell/testcases/chains/0019masquerade_jump_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t input {type filter hook input priority 4 \; }
+$NFT add chain t c1
+$NFT add rule t input ip saddr vmap { 1.1.1.1 : jump c1 }
+
+# kernel should return EOPNOTSUPP
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+echo "E: accepted masquerade in chain from non-nat type basechain" 1>&2
+exit 1
diff --git a/tests/shell/testcases/chains/0020depth_1 b/tests/shell/testcases/chains/0020depth_1
new file mode 100755
index 0000000..23e1f82
--- /dev/null
+++ b/tests/shell/testcases/chains/0020depth_1
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+$NFT add table ip filter
+$NFT add chain ip filter input { type filter hook input priority 0\; }
+
+for ((i=0;i<20;i++)); do
+ $NFT add chain ip filter a$i
+done
+
+$NFT add rule ip filter input jump a1
+
+for ((i=0;i<10;i++)); do
+ $NFT add rule ip filter a$i jump a$((i+1))
+done
+
+for ((i=11;i<19;i++)); do
+ $NFT add rule ip filter a$i jump a$((i+1))
+done
+
+$NFT add rule ip filter a10 jump a11 || exit 0
+echo "E: Expected 20th jump to fail due to jump stack exhaustion" 1>&2
+exit 1
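Review bot: Nothing in the script explains why the `a10 -> a11` rule is added last or which limit it is expected to hit; the loops deliberately skip `i=10`, which is easy to misread as an off-by-one. A comment before the final command would help, along the lines of `# a0..a10 and a11..a19 were linked as two separate runs; joining them makes the path from input deeper than the kernel jump stack allows` (the exact limit is not visible here, so it should be confirmed before being written down). The first loop also creates `a0 -> a1`, yet `input` jumps to `a1`, so `a0` appears to be unreachable from the base chain; if that is intended it deserves a word too. Unlike its siblings, the expected-to-fail command does not redirect stderr, so the expected error is printed on every run.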
diff --git a/tests/shell/testcases/chains/0021prio_0 b/tests/shell/testcases/chains/0021prio_0
new file mode 100755
index 0000000..ceda155
--- /dev/null
+++ b/tests/shell/testcases/chains/0021prio_0
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+set -e
+
+format_offset () {
+ local i=$1
+ if ((i == 0))
+ then
+ echo ""
+ elif ((i > 0))
+ then
+ echo "+$i"
+ else
+ echo "$i"
+ fi
+}
+
+chainname () {
+ local hook=$1
+ local prioname=$2
+ local priooffset=$3
+
+ echo "${hook}${prioname}${priooffset}" | tr "\-+" "mp"
+}
+
+gen_chains () {
+ local family=$1
+ local hook=$2
+ local prioname=$3
+ local device=${4:+device $4}
+
+ for i in -11 -10 0 10 11
+ do
+ local offset=`format_offset $i`
+ local cmd="add chain $family x"
+ cmd+=" `chainname $hook $prioname $offset` {"
+ cmd+=" type filter hook $hook $device"
+ cmd+=" priority $prioname $offset; }"
+ echo "$cmd"
+ done
+}
+
+tmpfile=$(mktemp)
+trap "rm $tmpfile" EXIT
+
+(
+
+for family in ip ip6 inet
+do
+ echo "add table $family x"
+ for hook in prerouting input forward output postrouting
+ do
+ for prioname in raw mangle filter security
+ do
+ gen_chains $family $hook $prioname
+ done
+ done
+ gen_chains $family prerouting dstnat
+ gen_chains $family postrouting srcnat
+done
+
+family=arp
+echo "add table $family x"
+for hook in input output
+do
+ gen_chains $family $hook filter
+done
+
+family=netdev
+echo "add table $family x"
+gen_chains $family ingress filter lo
+[ "$NFT_TEST_HAVE_netdev_egress" != n ] && gen_chains $family egress filter lo
+
+family=bridge
+echo "add table $family x"
+for hook in prerouting input forward output postrouting
+do
+ gen_chains $family $hook filter
+done
+gen_chains $family prerouting dstnat
+gen_chains $family output out
+gen_chains $family postrouting srcnat
+
+) >$tmpfile
+$NFT -f $tmpfile
+
+if [ "$NFT_TEST_HAVE_netdev_egress" = n ]; then
+ echo "Ran a modified version of the test due to NFT_TEST_HAVE_netdev_egress=n"
+ exit 77
+fi
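Review bot: `trap "rm $tmpfile" EXIT` expands the path at the moment the trap is set and leaves it unquoted, and `$NFT -f $tmpfile` and `) >$tmpfile` are unquoted too, so a TMPDIR containing whitespace or glob characters breaks the cleanup and the load. Safer forms are `trap 'rm -f -- "$tmpfile"' EXIT` and `$NFT -f "$tmpfile"`. In `gen_chains` the loop variable `i` is not declared `local`, and the `local offset=` assignment with a command substitution hides that substitution's exit status from `set -e`; declaring first and assigning on the next line (`local offset; offset=$(format_offset "$i")`) avoids both.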
diff --git a/tests/shell/testcases/chains/0022prio_dummy_1 b/tests/shell/testcases/chains/0022prio_dummy_1
new file mode 100755
index 0000000..66c4407
--- /dev/null
+++ b/tests/shell/testcases/chains/0022prio_dummy_1
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table ip x
+
+$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> /dev/null || exit 0
+echo "E: dummy should not be a valid priority." >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0023prio_inet_srcnat_1 b/tests/shell/testcases/chains/0023prio_inet_srcnat_1
new file mode 100755
index 0000000..e4a668e
--- /dev/null
+++ b/tests/shell/testcases/chains/0023prio_inet_srcnat_1
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+for family in ip ip6 inet
+do
+ for hook in prerouting forward output
+ do
+ $NFT add table $family x
+ $NFT add chain $family x y "{ type filter hook $hook priority srcnat; }" &> /dev/null
+ if (($? == 0))
+ then
+ echo "E: srcnat should not be a valid priority name in $family $hook chains." >&2
+ exit 1
+ fi
+ done
+done
+exit 0
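Review bot: The `$NFT add table $family x` step is not checked, so if it fails for an unrelated reason (missing privileges, unsupported family) the following `add chain` fails as well and the test reports success without having exercised the priority name at all. 0026prio_netdev_1 in this commit already guards it; the same guard fits here: `$NFT add table $family x || exit 1`. The same unchecked setup appears in 0024prio_inet_dstnat_1, 0025prio_arp_1, 0027prio_bridge_dstnat_1, 0028prio_bridge_out_1 and 0029prio_bridge_srcnat_1. Because `&> /dev/null` hides nft's message, it is also impossible to tell from the output whether the chain was rejected for the priority name or for something else.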
diff --git a/tests/shell/testcases/chains/0024prio_inet_dstnat_1 b/tests/shell/testcases/chains/0024prio_inet_dstnat_1
new file mode 100755
index 0000000..f1b802a
--- /dev/null
+++ b/tests/shell/testcases/chains/0024prio_inet_dstnat_1
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+for family in ip ip6 inet
+do
+ for hook in input forward postrouting
+ do
+ $NFT add table $family x
+ $NFT add chain $family x y "{ type filter hook $hook priority dstnat; }" &> /dev/null
+ if (($? == 0))
+ then
+ echo "E: dstnat should not be a valid priority name in $family $hook chains." >&2
+ exit 1
+ fi
+ done
+done
+exit 0
diff --git a/tests/shell/testcases/chains/0025prio_arp_1 b/tests/shell/testcases/chains/0025prio_arp_1
new file mode 100755
index 0000000..1a17262
--- /dev/null
+++ b/tests/shell/testcases/chains/0025prio_arp_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+family=arp
+ for hook in input output
+ do
+ for prioname in raw mangle dstnat security srcnat
+ do
+ $NFT add table $family x
+ $NFT add chain $family x y "{ type filter hook $hook priority $prioname; }" &> /dev/null
+ if (($? == 0))
+ then
+ echo "E: $prioname should not be a valid priority name for arp family chains." >&2
+ exit 1
+ fi
+ done
+ done
+exit 0
diff --git a/tests/shell/testcases/chains/0026prio_netdev_1 b/tests/shell/testcases/chains/0026prio_netdev_1
new file mode 100755
index 0000000..b6fa3db
--- /dev/null
+++ b/tests/shell/testcases/chains/0026prio_netdev_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+family=netdev
+ for hook in ingress egress
+ do
+ for prioname in raw mangle dstnat security srcnat
+ do
+ $NFT add table $family x || exit 1
+ $NFT add chain $family x y "{ type filter hook $hook device lo priority $prioname; }" &> /dev/null
+ if (($? == 0))
+ then
+ echo "E: $prioname should not be a valid priority name for netdev family chains." >&2
+ exit 1
+ fi
+ done
+ done
+exit 0
diff --git a/tests/shell/testcases/chains/0027prio_bridge_dstnat_1 b/tests/shell/testcases/chains/0027prio_bridge_dstnat_1
new file mode 100755
index 0000000..52c73e6
--- /dev/null
+++ b/tests/shell/testcases/chains/0027prio_bridge_dstnat_1
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+family=bridge
+ for hook in input forward output postrouting
+ do
+ prioname=dstnat
+ $NFT add table $family x
+ $NFT add chain $family x y "{ type filter hook $hook priority $prioname; }" &> /dev/null
+ if (($? == 0))
+ then
+ echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
+ exit 1
+ fi
+ done
+exit 0
diff --git a/tests/shell/testcases/chains/0028prio_bridge_out_1 b/tests/shell/testcases/chains/0028prio_bridge_out_1
new file mode 100755
index 0000000..63aa296
--- /dev/null
+++ b/tests/shell/testcases/chains/0028prio_bridge_out_1
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+family=bridge
+ for hook in prerouting input forward postrouting
+ do
+ prioname=out
+ $NFT add table $family x
+ $NFT add chain $family x y "{ type filter hook $hook priority $prioname; }" &> /dev/null
+ if (($? == 0))
+ then
+ echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
+ exit 1
+ fi
+ done
+exit 0
diff --git a/tests/shell/testcases/chains/0029prio_bridge_srcnat_1 b/tests/shell/testcases/chains/0029prio_bridge_srcnat_1
new file mode 100755
index 0000000..3891711
--- /dev/null
+++ b/tests/shell/testcases/chains/0029prio_bridge_srcnat_1
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+family=bridge
+ for hook in prerouting input forward output
+ do
+ prioname=srcnat
+ $NFT add table $family x
+ $NFT add chain $family x y "{ type filter hook $hook priority $prioname; }" &> /dev/null
+ if (($? == 0))
+ then
+ echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
+ exit 1
+ fi
+ done
+exit 0
diff --git a/tests/shell/testcases/chains/0030create_0 b/tests/shell/testcases/chains/0030create_0
new file mode 100755
index 0000000..0b457f9
--- /dev/null
+++ b/tests/shell/testcases/chains/0030create_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table ip x
+$NFT create chain ip x y
diff --git a/tests/shell/testcases/chains/0031priority_variable_0 b/tests/shell/testcases/chains/0031priority_variable_0
new file mode 100755
index 0000000..2b143db
--- /dev/null
+++ b/tests/shell/testcases/chains/0031priority_variable_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define pri = filter
+
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority \$pri
+ policy accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/0032priority_variable_0 b/tests/shell/testcases/chains/0032priority_variable_0
new file mode 100755
index 0000000..8f2e57b
--- /dev/null
+++ b/tests/shell/testcases/chains/0032priority_variable_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define pri = 10
+define post = -10
+define for = \"filter - 100\"
+
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority \$pri
+ policy accept
+ }
+ chain forward {
+ type filter hook prerouting priority \$for
+ policy accept
+ }
+ chain postrouting {
+ type filter hook postrouting priority \$post
+ policy accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
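Review bot: The chain named `forward` is declared with `hook prerouting`, which reads like a leftover from copying the block above it. If only the `\$for` priority variable is under test and the hook is irrelevant, a short comment in the script would say so (`# hook is irrelevant here; only the priority variable is exercised`); otherwise the line would be `type filter hook forward priority \$for`, and the recorded dump for this test would need the same change. The header comment could also mention that `for` is the quoted-string form (`"filter - 100"`), since that is what distinguishes this test from 0031priority_variable_0.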
diff --git a/tests/shell/testcases/chains/0033priority_variable_1 b/tests/shell/testcases/chains/0033priority_variable_1
new file mode 100755
index 0000000..eddaf5b
--- /dev/null
+++ b/tests/shell/testcases/chains/0033priority_variable_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define pri = *
+
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority \$pri
+ policy accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0034priority_variable_1 b/tests/shell/testcases/chains/0034priority_variable_1
new file mode 100755
index 0000000..592cb56
--- /dev/null
+++ b/tests/shell/testcases/chains/0034priority_variable_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define pri = { 127.0.0.1 }
+
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority \$pri
+ policy accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0035policy_variable_0 b/tests/shell/testcases/chains/0035policy_variable_0
new file mode 100755
index 0000000..b88e968
--- /dev/null
+++ b/tests/shell/testcases/chains/0035policy_variable_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests use of variables in chain policy
+
+set -e
+
+RULESET="
+define default_policy = \"accept\"
+
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority filter
+ policy \$default_policy
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/0036policy_variable_0 b/tests/shell/testcases/chains/0036policy_variable_0
new file mode 100755
index 0000000..d4d98ed
--- /dev/null
+++ b/tests/shell/testcases/chains/0036policy_variable_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests use of variables in chain policy
+
+set -e
+
+RULESET="
+define default_policy = \"drop\"
+
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority filter
+ policy \$default_policy
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/0037policy_variable_1 b/tests/shell/testcases/chains/0037policy_variable_1
new file mode 100755
index 0000000..ae35516
--- /dev/null
+++ b/tests/shell/testcases/chains/0037policy_variable_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variables in chain policy
+
+set -e
+
+RULESET="
+define default_policy = { 127.0.0.1 }
+
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority filter
+ policy \$default_policy
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0038policy_variable_1 b/tests/shell/testcases/chains/0038policy_variable_1
new file mode 100755
index 0000000..027eb01
--- /dev/null
+++ b/tests/shell/testcases/chains/0038policy_variable_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define default_policy = *
+
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority filter
+ policy \$default_policy
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
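Review bot: The header comment `# Tests use of variables in priority specification` looks carried over from the priority tests: here the variable is substituted into `policy \$default_policy` and the priority is the literal `filter`. I would change it to `# Tests that a wildcard variable is rejected as chain policy`, which also tells the reader that this is a negative test.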
diff --git a/tests/shell/testcases/chains/0039negative_priority_0 b/tests/shell/testcases/chains/0039negative_priority_0
new file mode 100755
index 0000000..ba17b8c
--- /dev/null
+++ b/tests/shell/testcases/chains/0039negative_priority_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Test parsing of negative priority values
+
+set -e
+
+$NFT add table t
+$NFT add chain t c { type filter hook input priority -30\; }
diff --git a/tests/shell/testcases/chains/0041chain_binding_0 b/tests/shell/testcases/chains/0041chain_binding_0
new file mode 100755
index 0000000..141a4b6
--- /dev/null
+++ b/tests/shell/testcases/chains/0041chain_binding_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# no table x, caused segfault in earlier nft releases
+$NFT insert rule inet x y handle 107 'goto { log prefix "MOO! "; }'
+if [ $? -ne 1 ]; then
+ exit 1
+fi
+
+if [ $NFT_TEST_HAVE_chain_binding = "n" ] ; then
+ echo "Test partially skipped due to NFT_TEST_HAVE_chain_binding=n"
+ exit 77
+fi
+
+set -e
+
+EXPECTED="table inet x {
+ chain y {
+ type filter hook input priority 0;
+ meta l4proto { tcp, udp } th dport 53 jump {
+ ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter accept
+ ip6 saddr ::1/128 counter accept
+ }
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add rule inet x y meta l4proto icmpv6 jump { counter accept\; }
+$NFT add rule inet x y meta l4proto sctp jump { drop\; }
+$NFT delete rule inet x y handle 13
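Review bot: `[ $NFT_TEST_HAVE_chain_binding = "n" ]` expands the variable unquoted, so when it is unset or empty `[` sees only `= n`, prints an operator error and returns 2, and the script falls through into the chain-binding part on a malformed test rather than a real comparison. 0042chain_variable_0 quotes its feature variable and this line should match: `if [ "$NFT_TEST_HAVE_chain_binding" = "n" ] ; then`. The here-string `<<< $EXPECTED` is also unquoted, here and three times in 0042chain_variable_0. Bash releases before 4.4 word-split that expansion and would hand nft the ruleset with its newlines collapsed, so `<<< "$EXPECTED"`, as the RULESET-based tests write it, is the safer form.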
diff --git a/tests/shell/testcases/chains/0042chain_variable_0 b/tests/shell/testcases/chains/0042chain_variable_0
new file mode 100755
index 0000000..1ea44e8
--- /dev/null
+++ b/tests/shell/testcases/chains/0042chain_variable_0
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+ip link add name dummy0 type dummy
+
+EXPECTED="define if_main = \"lo\"
+
+table netdev filter1 {
+ chain Main_Ingress1 {
+ type filter hook ingress device \$if_main priority -500; policy accept;
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+EXPECTED="define if_main = \"lo\"
+
+table netdev filter2 {
+ chain Main_Ingress2 {
+ type filter hook ingress devices = { \$if_main, dummy0 } priority -500; policy accept;
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+if [ "$NFT_TEST_HAVE_netdev_egress" = n ] ; then
+ echo "Skip parts of the test due to NFT_TEST_HAVE_netdev_egress=n"
+ exit 77
+fi
+
+EXPECTED="define if_main = { lo, dummy0 }
+define lan_interfaces = { lo }
+
+table netdev filter3 {
+ chain Main_Ingress3 {
+ type filter hook ingress devices = \$if_main priority -500; policy accept;
+ }
+ chain Main_Egress3 {
+ type filter hook egress devices = \$lan_interfaces priority -500; policy accept;
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+
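Review bot: `ip link add name dummy0 type dummy` runs under `set -e` with no check for an existing device, and nothing removes the interface afterwards. Outside a disposable network namespace a pre-existing `dummy0` fails the test before any nft command runs, and a successful run leaves the device behind. Whether the runner provides that isolation is not visible in this hunk. A stored ruleset dump for this test may depend on the device still existing at exit (an assumption on my part), so I would document the expectation rather than add cleanup: `# creates dummy0 and leaves it in place; expects a fresh network namespace`.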
diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0
new file mode 100755
index 0000000..a6973b9
--- /dev/null
+++ b/tests/shell/testcases/chains/0043chain_ingress_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress)
+
+set -e
+RULESET="table inet filter {
+ chain ingress {
+ type filter hook ingress device \"lo\" priority filter; policy accept;
+ }
+ chain input {
+ type filter hook input priority filter; policy accept;
+ }
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 0
+exit 1
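Review bot: The tail `$NFT -f - <<< "$RULESET" && exit 0` / `exit 1` is redundant under `set -e` and replaces whatever status nft returned with 1, which hides a crash status from the runner. The other positive tests in this commit (0035policy_variable_0, 0036policy_variable_0) simply end on the nft call. Ending this script with `$NFT -f - <<< "$RULESET"` alone gives the same pass/fail result and keeps the real exit code.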
diff --git a/tests/shell/testcases/chains/0044chain_destroy_0 b/tests/shell/testcases/chains/0044chain_destroy_0
new file mode 100755
index 0000000..5c5a10a
--- /dev/null
+++ b/tests/shell/testcases/chains/0044chain_destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table t
+
+# pass for non-existent chain
+$NFT destroy chain t c
+
+# successfully delete existing chain
+$NFT add chain t c
+$NFT destroy chain t c
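Review bot: `#!/bin/bash -e` puts errexit in the shebang, where it is lost whenever the script is started as `bash 0044chain_destroy_0` instead of being executed directly. In that case a failing `$NFT destroy chain t c` on the non-existent chain would go unnoticed and only the last command's status would decide the result. The other tests added here use a plain shebang followed by `set -e`; I would do the same: `#!/bin/bash` and then `set -e` on its own line.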
diff --git a/tests/shell/testcases/chains/dumps/0001jumps_0.nft b/tests/shell/testcases/chains/dumps/0001jumps_0.nft
new file mode 100644
index 0000000..7054cde
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0001jumps_0.nft
@@ -0,0 +1,64 @@
+table ip t {
+ chain c1 {
+ jump c2
+ }
+
+ chain c2 {
+ jump c3
+ }
+
+ chain c3 {
+ jump c4
+ }
+
+ chain c4 {
+ jump c5
+ }
+
+ chain c5 {
+ jump c6
+ }
+
+ chain c6 {
+ jump c7
+ }
+
+ chain c7 {
+ jump c8
+ }
+
+ chain c8 {
+ jump c9
+ }
+
+ chain c9 {
+ jump c10
+ }
+
+ chain c10 {
+ jump c11
+ }
+
+ chain c11 {
+ jump c12
+ }
+
+ chain c12 {
+ jump c13
+ }
+
+ chain c13 {
+ jump c14
+ }
+
+ chain c14 {
+ jump c15
+ }
+
+ chain c15 {
+ jump c16
+ }
+
+ chain c16 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0002jumps_1.nft b/tests/shell/testcases/chains/dumps/0002jumps_1.nft
new file mode 100644
index 0000000..ed37ad0
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0002jumps_1.nft
@@ -0,0 +1,68 @@
+table ip t {
+ chain c1 {
+ type filter hook input priority filter; policy accept;
+ jump c2
+ }
+
+ chain c2 {
+ jump c3
+ }
+
+ chain c3 {
+ jump c4
+ }
+
+ chain c4 {
+ jump c5
+ }
+
+ chain c5 {
+ jump c6
+ }
+
+ chain c6 {
+ jump c7
+ }
+
+ chain c7 {
+ jump c8
+ }
+
+ chain c8 {
+ jump c9
+ }
+
+ chain c9 {
+ jump c10
+ }
+
+ chain c10 {
+ jump c11
+ }
+
+ chain c11 {
+ jump c12
+ }
+
+ chain c12 {
+ jump c13
+ }
+
+ chain c13 {
+ jump c14
+ }
+
+ chain c14 {
+ jump c15
+ }
+
+ chain c15 {
+ jump c16
+ }
+
+ chain c16 {
+ }
+
+ chain c17 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
new file mode 100644
index 0000000..7054cde
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
@@ -0,0 +1,64 @@
+table ip t {
+ chain c1 {
+ jump c2
+ }
+
+ chain c2 {
+ jump c3
+ }
+
+ chain c3 {
+ jump c4
+ }
+
+ chain c4 {
+ jump c5
+ }
+
+ chain c5 {
+ jump c6
+ }
+
+ chain c6 {
+ jump c7
+ }
+
+ chain c7 {
+ jump c8
+ }
+
+ chain c8 {
+ jump c9
+ }
+
+ chain c9 {
+ jump c10
+ }
+
+ chain c10 {
+ jump c11
+ }
+
+ chain c11 {
+ jump c12
+ }
+
+ chain c12 {
+ jump c13
+ }
+
+ chain c13 {
+ jump c14
+ }
+
+ chain c14 {
+ jump c15
+ }
+
+ chain c15 {
+ jump c16
+ }
+
+ chain c16 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0004busy_1.nft b/tests/shell/testcases/chains/dumps/0004busy_1.nft
new file mode 100644
index 0000000..429dd49
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0004busy_1.nft
@@ -0,0 +1,8 @@
+table ip t {
+ chain c1 {
+ jump c2
+ }
+
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0005busy_map_1.nft b/tests/shell/testcases/chains/dumps/0005busy_map_1.nft
new file mode 100644
index 0000000..acf2318
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0005busy_map_1.nft
@@ -0,0 +1,8 @@
+table ip t {
+ chain c1 {
+ tcp dport vmap { 1 : jump c2 }
+ }
+
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0006masquerade_0.nft b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft
new file mode 100644
index 0000000..90253a4
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c1 {
+ type nat hook postrouting priority filter; policy accept;
+ masquerade
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0007masquerade_1.nft b/tests/shell/testcases/chains/dumps/0007masquerade_1.nft
new file mode 100644
index 0000000..b25355f
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0007masquerade_1.nft
@@ -0,0 +1,5 @@
+table ip t {
+ chain c1 {
+ type filter hook output priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft
new file mode 100644
index 0000000..4991071
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft
@@ -0,0 +1,9 @@
+table ip t {
+ chain output {
+ type nat hook output priority filter; policy accept;
+ }
+
+ chain c1 {
+ masquerade
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft
new file mode 100644
index 0000000..4991071
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft
@@ -0,0 +1,9 @@
+table ip t {
+ chain output {
+ type nat hook output priority filter; policy accept;
+ }
+
+ chain c1 {
+ masquerade
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
new file mode 100644
index 0000000..ca0a737
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
@@ -0,0 +1,13 @@
+table ip t {
+ map m {
+ type inet_service : verdict
+ elements = { 2 : jump c2 }
+ }
+
+ chain c1 {
+ tcp dport vmap @m
+ }
+
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0013rename_0.nft b/tests/shell/testcases/chains/dumps/0013rename_0.nft
new file mode 100644
index 0000000..e4e0171
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0013rename_0.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0014rename_0.nft b/tests/shell/testcases/chains/dumps/0014rename_0.nft
new file mode 100644
index 0000000..574c486
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0014rename_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ chain c1 {
+ }
+
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft
new file mode 100644
index 0000000..429dd49
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft
@@ -0,0 +1,8 @@
+table ip t {
+ chain c1 {
+ jump c2
+ }
+
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft b/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft
new file mode 100644
index 0000000..c0adb1f
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft
@@ -0,0 +1,14 @@
+table ip test-ip {
+ chain x {
+ }
+
+ chain z {
+ }
+}
+table ip6 test-ip6 {
+ chain x {
+ }
+
+ chain y {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft
new file mode 100644
index 0000000..636e844
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft
@@ -0,0 +1,9 @@
+table ip t {
+ chain input {
+ type filter hook input priority filter + 4; policy accept;
+ jump c1
+ }
+
+ chain c1 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
new file mode 100644
index 0000000..437900b
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
@@ -0,0 +1,8 @@
+table ip filter {
+ chain ap1 {
+ jump ap2
+ }
+
+ chain ap2 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft
new file mode 100644
index 0000000..81cf9cc
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft
@@ -0,0 +1,9 @@
+table ip t {
+ chain input {
+ type filter hook input priority filter + 4; policy accept;
+ ip saddr vmap { 1.1.1.1 : jump c1 }
+ }
+
+ chain c1 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0020depth_1.nft b/tests/shell/testcases/chains/dumps/0020depth_1.nft
new file mode 100644
index 0000000..422c395
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0020depth_1.nft
@@ -0,0 +1,84 @@
+table ip filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump a1
+ }
+
+ chain a0 {
+ jump a1
+ }
+
+ chain a1 {
+ jump a2
+ }
+
+ chain a2 {
+ jump a3
+ }
+
+ chain a3 {
+ jump a4
+ }
+
+ chain a4 {
+ jump a5
+ }
+
+ chain a5 {
+ jump a6
+ }
+
+ chain a6 {
+ jump a7
+ }
+
+ chain a7 {
+ jump a8
+ }
+
+ chain a8 {
+ jump a9
+ }
+
+ chain a9 {
+ jump a10
+ }
+
+ chain a10 {
+ }
+
+ chain a11 {
+ jump a12
+ }
+
+ chain a12 {
+ jump a13
+ }
+
+ chain a13 {
+ jump a14
+ }
+
+ chain a14 {
+ jump a15
+ }
+
+ chain a15 {
+ jump a16
+ }
+
+ chain a16 {
+ jump a17
+ }
+
+ chain a17 {
+ jump a18
+ }
+
+ chain a18 {
+ jump a19
+ }
+
+ chain a19 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0021prio_0.nft b/tests/shell/testcases/chains/dumps/0021prio_0.nft
new file mode 100644
index 0000000..4297d24
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0021prio_0.nft
@@ -0,0 +1,1566 @@
+table ip x {
+ chain preroutingrawm11 {
+ type filter hook prerouting priority -311; policy accept;
+ }
+
+ chain preroutingrawm10 {
+ type filter hook prerouting priority raw - 10; policy accept;
+ }
+
+ chain preroutingraw {
+ type filter hook prerouting priority raw; policy accept;
+ }
+
+ chain preroutingrawp10 {
+ type filter hook prerouting priority raw + 10; policy accept;
+ }
+
+ chain preroutingrawp11 {
+ type filter hook prerouting priority -289; policy accept;
+ }
+
+ chain preroutingmanglem11 {
+ type filter hook prerouting priority -161; policy accept;
+ }
+
+ chain preroutingmanglem10 {
+ type filter hook prerouting priority mangle - 10; policy accept;
+ }
+
+ chain preroutingmangle {
+ type filter hook prerouting priority mangle; policy accept;
+ }
+
+ chain preroutingmanglep10 {
+ type filter hook prerouting priority mangle + 10; policy accept;
+ }
+
+ chain preroutingmanglep11 {
+ type filter hook prerouting priority -139; policy accept;
+ }
+
+ chain preroutingfilterm11 {
+ type filter hook prerouting priority -11; policy accept;
+ }
+
+ chain preroutingfilterm10 {
+ type filter hook prerouting priority filter - 10; policy accept;
+ }
+
+ chain preroutingfilter {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
+ chain preroutingfilterp10 {
+ type filter hook prerouting priority filter + 10; policy accept;
+ }
+
+ chain preroutingfilterp11 {
+ type filter hook prerouting priority 11; policy accept;
+ }
+
+ chain preroutingsecuritym11 {
+ type filter hook prerouting priority 39; policy accept;
+ }
+
+ chain preroutingsecuritym10 {
+ type filter hook prerouting priority security - 10; policy accept;
+ }
+
+ chain preroutingsecurity {
+ type filter hook prerouting priority security; policy accept;
+ }
+
+ chain preroutingsecurityp10 {
+ type filter hook prerouting priority security + 10; policy accept;
+ }
+
+ chain preroutingsecurityp11 {
+ type filter hook prerouting priority 61; policy accept;
+ }
+
+ chain inputrawm11 {
+ type filter hook input priority -311; policy accept;
+ }
+
+ chain inputrawm10 {
+ type filter hook input priority raw - 10; policy accept;
+ }
+
+ chain inputraw {
+ type filter hook input priority raw; policy accept;
+ }
+
+ chain inputrawp10 {
+ type filter hook input priority raw + 10; policy accept;
+ }
+
+ chain inputrawp11 {
+ type filter hook input priority -289; policy accept;
+ }
+
+ chain inputmanglem11 {
+ type filter hook input priority -161; policy accept;
+ }
+
+ chain inputmanglem10 {
+ type filter hook input priority mangle - 10; policy accept;
+ }
+
+ chain inputmangle {
+ type filter hook input priority mangle; policy accept;
+ }
+
+ chain inputmanglep10 {
+ type filter hook input priority mangle + 10; policy accept;
+ }
+
+ chain inputmanglep11 {
+ type filter hook input priority -139; policy accept;
+ }
+
+ chain inputfilterm11 {
+ type filter hook input priority -11; policy accept;
+ }
+
+ chain inputfilterm10 {
+ type filter hook input priority filter - 10; policy accept;
+ }
+
+ chain inputfilter {
+ type filter hook input priority filter; policy accept;
+ }
+
+ chain inputfilterp10 {
+ type filter hook input priority filter + 10; policy accept;
+ }
+
+ chain inputfilterp11 {
+ type filter hook input priority 11; policy accept;
+ }
+
+ chain inputsecuritym11 {
+ type filter hook input priority 39; policy accept;
+ }
+
+ chain inputsecuritym10 {
+ type filter hook input priority security - 10; policy accept;
+ }
+
+ chain inputsecurity {
+ type filter hook input priority security; policy accept;
+ }
+
+ chain inputsecurityp10 {
+ type filter hook input priority security + 10; policy accept;
+ }
+
+ chain inputsecurityp11 {
+ type filter hook input priority 61; policy accept;
+ }
+
+ chain forwardrawm11 {
+ type filter hook forward priority -311; policy accept;
+ }
+
+ chain forwardrawm10 {
+ type filter hook forward priority raw - 10; policy accept;
+ }
+
+ chain forwardraw {
+ type filter hook forward priority raw; policy accept;
+ }
+
+ chain forwardrawp10 {
+ type filter hook forward priority raw + 10; policy accept;
+ }
+
+ chain forwardrawp11 {
+ type filter hook forward priority -289; policy accept;
+ }
+
+ chain forwardmanglem11 {
+ type filter hook forward priority -161; policy accept;
+ }
+
+ chain forwardmanglem10 {
+ type filter hook forward priority mangle - 10; policy accept;
+ }
+
+ chain forwardmangle {
+ type filter hook forward priority mangle; policy accept;
+ }
+
+ chain forwardmanglep10 {
+ type filter hook forward priority mangle + 10; policy accept;
+ }
+
+ chain forwardmanglep11 {
+ type filter hook forward priority -139; policy accept;
+ }
+
+ chain forwardfilterm11 {
+ type filter hook forward priority -11; policy accept;
+ }
+
+ chain forwardfilterm10 {
+ type filter hook forward priority filter - 10; policy accept;
+ }
+
+ chain forwardfilter {
+ type filter hook forward priority filter; policy accept;
+ }
+
+ chain forwardfilterp10 {
+ type filter hook forward priority filter + 10; policy accept;
+ }
+
+ chain forwardfilterp11 {
+ type filter hook forward priority 11; policy accept;
+ }
+
+ chain forwardsecuritym11 {
+ type filter hook forward priority 39; policy accept;
+ }
+
+ chain forwardsecuritym10 {
+ type filter hook forward priority security - 10; policy accept;
+ }
+
+ chain forwardsecurity {
+ type filter hook forward priority security; policy accept;
+ }
+
+ chain forwardsecurityp10 {
+ type filter hook forward priority security + 10; policy accept;
+ }
+
+ chain forwardsecurityp11 {
+ type filter hook forward priority 61; policy accept;
+ }
+
+ chain outputrawm11 {
+ type filter hook output priority -311; policy accept;
+ }
+
+ chain outputrawm10 {
+ type filter hook output priority raw - 10; policy accept;
+ }
+
+ chain outputraw {
+ type filter hook output priority raw; policy accept;
+ }
+
+ chain outputrawp10 {
+ type filter hook output priority raw + 10; policy accept;
+ }
+
+ chain outputrawp11 {
+ type filter hook output priority -289; policy accept;
+ }
+
+ chain outputmanglem11 {
+ type filter hook output priority -161; policy accept;
+ }
+
+ chain outputmanglem10 {
+ type filter hook output priority mangle - 10; policy accept;
+ }
+
+ chain outputmangle {
+ type filter hook output priority mangle; policy accept;
+ }
+
+ chain outputmanglep10 {
+ type filter hook output priority mangle + 10; policy accept;
+ }
+
+ chain outputmanglep11 {
+ type filter hook output priority -139; policy accept;
+ }
+
+ chain outputfilterm11 {
+ type filter hook output priority -11; policy accept;
+ }
+
+ chain outputfilterm10 {
+ type filter hook output priority filter - 10; policy accept;
+ }
+
+ chain outputfilter {
+ type filter hook output priority filter; policy accept;
+ }
+
+ chain outputfilterp10 {
+ type filter hook output priority filter + 10; policy accept;
+ }
+
+ chain outputfilterp11 {
+ type filter hook output priority 11; policy accept;
+ }
+
+ chain outputsecuritym11 {
+ type filter hook output priority 39; policy accept;
+ }
+
+ chain outputsecuritym10 {
+ type filter hook output priority security - 10; policy accept;
+ }
+
+ chain outputsecurity {
+ type filter hook output priority security; policy accept;
+ }
+
+ chain outputsecurityp10 {
+ type filter hook output priority security + 10; policy accept;
+ }
+
+ chain outputsecurityp11 {
+ type filter hook output priority 61; policy accept;
+ }
+
+ chain postroutingrawm11 {
+ type filter hook postrouting priority -311; policy accept;
+ }
+
+ chain postroutingrawm10 {
+ type filter hook postrouting priority raw - 10; policy accept;
+ }
+
+ chain postroutingraw {
+ type filter hook postrouting priority raw; policy accept;
+ }
+
+ chain postroutingrawp10 {
+ type filter hook postrouting priority raw + 10; policy accept;
+ }
+
+ chain postroutingrawp11 {
+ type filter hook postrouting priority -289; policy accept;
+ }
+
+ chain postroutingmanglem11 {
+ type filter hook postrouting priority -161; policy accept;
+ }
+
+ chain postroutingmanglem10 {
+ type filter hook postrouting priority mangle - 10; policy accept;
+ }
+
+ chain postroutingmangle {
+ type filter hook postrouting priority mangle; policy accept;
+ }
+
+ chain postroutingmanglep10 {
+ type filter hook postrouting priority mangle + 10; policy accept;
+ }
+
+ chain postroutingmanglep11 {
+ type filter hook postrouting priority -139; policy accept;
+ }
+
+ chain postroutingfilterm11 {
+ type filter hook postrouting priority -11; policy accept;
+ }
+
+ chain postroutingfilterm10 {
+ type filter hook postrouting priority filter - 10; policy accept;
+ }
+
+ chain postroutingfilter {
+ type filter hook postrouting priority filter; policy accept;
+ }
+
+ chain postroutingfilterp10 {
+ type filter hook postrouting priority filter + 10; policy accept;
+ }
+
+ chain postroutingfilterp11 {
+ type filter hook postrouting priority 11; policy accept;
+ }
+
+ chain postroutingsecuritym11 {
+ type filter hook postrouting priority 39; policy accept;
+ }
+
+ chain postroutingsecuritym10 {
+ type filter hook postrouting priority security - 10; policy accept;
+ }
+
+ chain postroutingsecurity {
+ type filter hook postrouting priority security; policy accept;
+ }
+
+ chain postroutingsecurityp10 {
+ type filter hook postrouting priority security + 10; policy accept;
+ }
+
+ chain postroutingsecurityp11 {
+ type filter hook postrouting priority 61; policy accept;
+ }
+
+ chain preroutingdstnatm11 {
+ type filter hook prerouting priority -111; policy accept;
+ }
+
+ chain preroutingdstnatm10 {
+ type filter hook prerouting priority dstnat - 10; policy accept;
+ }
+
+ chain preroutingdstnat {
+ type filter hook prerouting priority dstnat; policy accept;
+ }
+
+ chain preroutingdstnatp10 {
+ type filter hook prerouting priority dstnat + 10; policy accept;
+ }
+
+ chain preroutingdstnatp11 {
+ type filter hook prerouting priority -89; policy accept;
+ }
+
+ chain postroutingsrcnatm11 {
+ type filter hook postrouting priority 89; policy accept;
+ }
+
+ chain postroutingsrcnatm10 {
+ type filter hook postrouting priority srcnat - 10; policy accept;
+ }
+
+ chain postroutingsrcnat {
+ type filter hook postrouting priority srcnat; policy accept;
+ }
+
+ chain postroutingsrcnatp10 {
+ type filter hook postrouting priority srcnat + 10; policy accept;
+ }
+
+ chain postroutingsrcnatp11 {
+ type filter hook postrouting priority 111; policy accept;
+ }
+}
+table ip6 x {
+ chain preroutingrawm11 {
+ type filter hook prerouting priority -311; policy accept;
+ }
+
+ chain preroutingrawm10 {
+ type filter hook prerouting priority raw - 10; policy accept;
+ }
+
+ chain preroutingraw {
+ type filter hook prerouting priority raw; policy accept;
+ }
+
+ chain preroutingrawp10 {
+ type filter hook prerouting priority raw + 10; policy accept;
+ }
+
+ chain preroutingrawp11 {
+ type filter hook prerouting priority -289; policy accept;
+ }
+
+ chain preroutingmanglem11 {
+ type filter hook prerouting priority -161; policy accept;
+ }
+
+ chain preroutingmanglem10 {
+ type filter hook prerouting priority mangle - 10; policy accept;
+ }
+
+ chain preroutingmangle {
+ type filter hook prerouting priority mangle; policy accept;
+ }
+
+ chain preroutingmanglep10 {
+ type filter hook prerouting priority mangle + 10; policy accept;
+ }
+
+ chain preroutingmanglep11 {
+ type filter hook prerouting priority -139; policy accept;
+ }
+
+ chain preroutingfilterm11 {
+ type filter hook prerouting priority -11; policy accept;
+ }
+
+ chain preroutingfilterm10 {
+ type filter hook prerouting priority filter - 10; policy accept;
+ }
+
+ chain preroutingfilter {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
+ chain preroutingfilterp10 {
+ type filter hook prerouting priority filter + 10; policy accept;
+ }
+
+ chain preroutingfilterp11 {
+ type filter hook prerouting priority 11; policy accept;
+ }
+
+ chain preroutingsecuritym11 {
+ type filter hook prerouting priority 39; policy accept;
+ }
+
+ chain preroutingsecuritym10 {
+ type filter hook prerouting priority security - 10; policy accept;
+ }
+
+ chain preroutingsecurity {
+ type filter hook prerouting priority security; policy accept;
+ }
+
+ chain preroutingsecurityp10 {
+ type filter hook prerouting priority security + 10; policy accept;
+ }
+
+ chain preroutingsecurityp11 {
+ type filter hook prerouting priority 61; policy accept;
+ }
+
+ chain inputrawm11 {
+ type filter hook input priority -311; policy accept;
+ }
+
+ chain inputrawm10 {
+ type filter hook input priority raw - 10; policy accept;
+ }
+
+ chain inputraw {
+ type filter hook input priority raw; policy accept;
+ }
+
+ chain inputrawp10 {
+ type filter hook input priority raw + 10; policy accept;
+ }
+
+ chain inputrawp11 {
+ type filter hook input priority -289; policy accept;
+ }
+
+ chain inputmanglem11 {
+ type filter hook input priority -161; policy accept;
+ }
+
+ chain inputmanglem10 {
+ type filter hook input priority mangle - 10; policy accept;
+ }
+
+ chain inputmangle {
+ type filter hook input priority mangle; policy accept;
+ }
+
+ chain inputmanglep10 {
+ type filter hook input priority mangle + 10; policy accept;
+ }
+
+ chain inputmanglep11 {
+ type filter hook input priority -139; policy accept;
+ }
+
+ chain inputfilterm11 {
+ type filter hook input priority -11; policy accept;
+ }
+
+ chain inputfilterm10 {
+ type filter hook input priority filter - 10; policy accept;
+ }
+
+ chain inputfilter {
+ type filter hook input priority filter; policy accept;
+ }
+
+ chain inputfilterp10 {
+ type filter hook input priority filter + 10; policy accept;
+ }
+
+ chain inputfilterp11 {
+ type filter hook input priority 11; policy accept;
+ }
+
+ chain inputsecuritym11 {
+ type filter hook input priority 39; policy accept;
+ }
+
+ chain inputsecuritym10 {
+ type filter hook input priority security - 10; policy accept;
+ }
+
+ chain inputsecurity {
+ type filter hook input priority security; policy accept;
+ }
+
+ chain inputsecurityp10 {
+ type filter hook input priority security + 10; policy accept;
+ }
+
+ chain inputsecurityp11 {
+ type filter hook input priority 61; policy accept;
+ }
+
+ chain forwardrawm11 {
+ type filter hook forward priority -311; policy accept;
+ }
+
+ chain forwardrawm10 {
+ type filter hook forward priority raw - 10; policy accept;
+ }
+
+ chain forwardraw {
+ type filter hook forward priority raw; policy accept;
+ }
+
+ chain forwardrawp10 {
+ type filter hook forward priority raw + 10; policy accept;
+ }
+
+ chain forwardrawp11 {
+ type filter hook forward priority -289; policy accept;
+ }
+
+ chain forwardmanglem11 {
+ type filter hook forward priority -161; policy accept;
+ }
+
+ chain forwardmanglem10 {
+ type filter hook forward priority mangle - 10; policy accept;
+ }
+
+ chain forwardmangle {
+ type filter hook forward priority mangle; policy accept;
+ }
+
+ chain forwardmanglep10 {
+ type filter hook forward priority mangle + 10; policy accept;
+ }
+
+ chain forwardmanglep11 {
+ type filter hook forward priority -139; policy accept;
+ }
+
+ chain forwardfilterm11 {
+ type filter hook forward priority -11; policy accept;
+ }
+
+ chain forwardfilterm10 {
+ type filter hook forward priority filter - 10; policy accept;
+ }
+
+ chain forwardfilter {
+ type filter hook forward priority filter; policy accept;
+ }
+
+ chain forwardfilterp10 {
+ type filter hook forward priority filter + 10; policy accept;
+ }
+
+ chain forwardfilterp11 {
+ type filter hook forward priority 11; policy accept;
+ }
+
+ chain forwardsecuritym11 {
+ type filter hook forward priority 39; policy accept;
+ }
+
+ chain forwardsecuritym10 {
+ type filter hook forward priority security - 10; policy accept;
+ }
+
+ chain forwardsecurity {
+ type filter hook forward priority security; policy accept;
+ }
+
+ chain forwardsecurityp10 {
+ type filter hook forward priority security + 10; policy accept;
+ }
+
+ chain forwardsecurityp11 {
+ type filter hook forward priority 61; policy accept;
+ }
+
+ chain outputrawm11 {
+ type filter hook output priority -311; policy accept;
+ }
+
+ chain outputrawm10 {
+ type filter hook output priority raw - 10; policy accept;
+ }
+
+ chain outputraw {
+ type filter hook output priority raw; policy accept;
+ }
+
+ chain outputrawp10 {
+ type filter hook output priority raw + 10; policy accept;
+ }
+
+ chain outputrawp11 {
+ type filter hook output priority -289; policy accept;
+ }
+
+ chain outputmanglem11 {
+ type filter hook output priority -161; policy accept;
+ }
+
+ chain outputmanglem10 {
+ type filter hook output priority mangle - 10; policy accept;
+ }
+
+ chain outputmangle {
+ type filter hook output priority mangle; policy accept;
+ }
+
+ chain outputmanglep10 {
+ type filter hook output priority mangle + 10; policy accept;
+ }
+
+ chain outputmanglep11 {
+ type filter hook output priority -139; policy accept;
+ }
+
+ chain outputfilterm11 {
+ type filter hook output priority -11; policy accept;
+ }
+
+ chain outputfilterm10 {
+ type filter hook output priority filter - 10; policy accept;
+ }
+
+ chain outputfilter {
+ type filter hook output priority filter; policy accept;
+ }
+
+ chain outputfilterp10 {
+ type filter hook output priority filter + 10; policy accept;
+ }
+
+ chain outputfilterp11 {
+ type filter hook output priority 11; policy accept;
+ }
+
+ chain outputsecuritym11 {
+ type filter hook output priority 39; policy accept;
+ }
+
+ chain outputsecuritym10 {
+ type filter hook output priority security - 10; policy accept;
+ }
+
+ chain outputsecurity {
+ type filter hook output priority security; policy accept;
+ }
+
+ chain outputsecurityp10 {
+ type filter hook output priority security + 10; policy accept;
+ }
+
+ chain outputsecurityp11 {
+ type filter hook output priority 61; policy accept;
+ }
+
+ chain postroutingrawm11 {
+ type filter hook postrouting priority -311; policy accept;
+ }
+
+ chain postroutingrawm10 {
+ type filter hook postrouting priority raw - 10; policy accept;
+ }
+
+ chain postroutingraw {
+ type filter hook postrouting priority raw; policy accept;
+ }
+
+ chain postroutingrawp10 {
+ type filter hook postrouting priority raw + 10; policy accept;
+ }
+
+ chain postroutingrawp11 {
+ type filter hook postrouting priority -289; policy accept;
+ }
+
+ chain postroutingmanglem11 {
+ type filter hook postrouting priority -161; policy accept;
+ }
+
+ chain postroutingmanglem10 {
+ type filter hook postrouting priority mangle - 10; policy accept;
+ }
+
+ chain postroutingmangle {
+ type filter hook postrouting priority mangle; policy accept;
+ }
+
+ chain postroutingmanglep10 {
+ type filter hook postrouting priority mangle + 10; policy accept;
+ }
+
+ chain postroutingmanglep11 {
+ type filter hook postrouting priority -139; policy accept;
+ }
+
+ chain postroutingfilterm11 {
+ type filter hook postrouting priority -11; policy accept;
+ }
+
+ chain postroutingfilterm10 {
+ type filter hook postrouting priority filter - 10; policy accept;
+ }
+
+ chain postroutingfilter {
+ type filter hook postrouting priority filter; policy accept;
+ }
+
+ chain postroutingfilterp10 {
+ type filter hook postrouting priority filter + 10; policy accept;
+ }
+
+ chain postroutingfilterp11 {
+ type filter hook postrouting priority 11; policy accept;
+ }
+
+ chain postroutingsecuritym11 {
+ type filter hook postrouting priority 39; policy accept;
+ }
+
+ chain postroutingsecuritym10 {
+ type filter hook postrouting priority security - 10; policy accept;
+ }
+
+ chain postroutingsecurity {
+ type filter hook postrouting priority security; policy accept;
+ }
+
+ chain postroutingsecurityp10 {
+ type filter hook postrouting priority security + 10; policy accept;
+ }
+
+ chain postroutingsecurityp11 {
+ type filter hook postrouting priority 61; policy accept;
+ }
+
+ chain preroutingdstnatm11 {
+ type filter hook prerouting priority -111; policy accept;
+ }
+
+ chain preroutingdstnatm10 {
+ type filter hook prerouting priority dstnat - 10; policy accept;
+ }
+
+ chain preroutingdstnat {
+ type filter hook prerouting priority dstnat; policy accept;
+ }
+
+ chain preroutingdstnatp10 {
+ type filter hook prerouting priority dstnat + 10; policy accept;
+ }
+
+ chain preroutingdstnatp11 {
+ type filter hook prerouting priority -89; policy accept;
+ }
+
+ chain postroutingsrcnatm11 {
+ type filter hook postrouting priority 89; policy accept;
+ }
+
+ chain postroutingsrcnatm10 {
+ type filter hook postrouting priority srcnat - 10; policy accept;
+ }
+
+ chain postroutingsrcnat {
+ type filter hook postrouting priority srcnat; policy accept;
+ }
+
+ chain postroutingsrcnatp10 {
+ type filter hook postrouting priority srcnat + 10; policy accept;
+ }
+
+ chain postroutingsrcnatp11 {
+ type filter hook postrouting priority 111; policy accept;
+ }
+}
+table inet x {
+ chain preroutingrawm11 {
+ type filter hook prerouting priority -311; policy accept;
+ }
+
+ chain preroutingrawm10 {
+ type filter hook prerouting priority raw - 10; policy accept;
+ }
+
+ chain preroutingraw {
+ type filter hook prerouting priority raw; policy accept;
+ }
+
+ chain preroutingrawp10 {
+ type filter hook prerouting priority raw + 10; policy accept;
+ }
+
+ chain preroutingrawp11 {
+ type filter hook prerouting priority -289; policy accept;
+ }
+
+ chain preroutingmanglem11 {
+ type filter hook prerouting priority -161; policy accept;
+ }
+
+ chain preroutingmanglem10 {
+ type filter hook prerouting priority mangle - 10; policy accept;
+ }
+
+ chain preroutingmangle {
+ type filter hook prerouting priority mangle; policy accept;
+ }
+
+ chain preroutingmanglep10 {
+ type filter hook prerouting priority mangle + 10; policy accept;
+ }
+
+ chain preroutingmanglep11 {
+ type filter hook prerouting priority -139; policy accept;
+ }
+
+ chain preroutingfilterm11 {
+ type filter hook prerouting priority -11; policy accept;
+ }
+
+ chain preroutingfilterm10 {
+ type filter hook prerouting priority filter - 10; policy accept;
+ }
+
+ chain preroutingfilter {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
+ chain preroutingfilterp10 {
+ type filter hook prerouting priority filter + 10; policy accept;
+ }
+
+ chain preroutingfilterp11 {
+ type filter hook prerouting priority 11; policy accept;
+ }
+
+ chain preroutingsecuritym11 {
+ type filter hook prerouting priority 39; policy accept;
+ }
+
+ chain preroutingsecuritym10 {
+ type filter hook prerouting priority security - 10; policy accept;
+ }
+
+ chain preroutingsecurity {
+ type filter hook prerouting priority security; policy accept;
+ }
+
+ chain preroutingsecurityp10 {
+ type filter hook prerouting priority security + 10; policy accept;
+ }
+
+ chain preroutingsecurityp11 {
+ type filter hook prerouting priority 61; policy accept;
+ }
+
+ chain inputrawm11 {
+ type filter hook input priority -311; policy accept;
+ }
+
+ chain inputrawm10 {
+ type filter hook input priority raw - 10; policy accept;
+ }
+
+ chain inputraw {
+ type filter hook input priority raw; policy accept;
+ }
+
+ chain inputrawp10 {
+ type filter hook input priority raw + 10; policy accept;
+ }
+
+ chain inputrawp11 {
+ type filter hook input priority -289; policy accept;
+ }
+
+ chain inputmanglem11 {
+ type filter hook input priority -161; policy accept;
+ }
+
+ chain inputmanglem10 {
+ type filter hook input priority mangle - 10; policy accept;
+ }
+
+ chain inputmangle {
+ type filter hook input priority mangle; policy accept;
+ }
+
+ chain inputmanglep10 {
+ type filter hook input priority mangle + 10; policy accept;
+ }
+
+ chain inputmanglep11 {
+ type filter hook input priority -139; policy accept;
+ }
+
+ chain inputfilterm11 {
+ type filter hook input priority -11; policy accept;
+ }
+
+ chain inputfilterm10 {
+ type filter hook input priority filter - 10; policy accept;
+ }
+
+ chain inputfilter {
+ type filter hook input priority filter; policy accept;
+ }
+
+ chain inputfilterp10 {
+ type filter hook input priority filter + 10; policy accept;
+ }
+
+ chain inputfilterp11 {
+ type filter hook input priority 11; policy accept;
+ }
+
+ chain inputsecuritym11 {
+ type filter hook input priority 39; policy accept;
+ }
+
+ chain inputsecuritym10 {
+ type filter hook input priority security - 10; policy accept;
+ }
+
+ chain inputsecurity {
+ type filter hook input priority security; policy accept;
+ }
+
+ chain inputsecurityp10 {
+ type filter hook input priority security + 10; policy accept;
+ }
+
+ chain inputsecurityp11 {
+ type filter hook input priority 61; policy accept;
+ }
+
+ chain forwardrawm11 {
+ type filter hook forward priority -311; policy accept;
+ }
+
+ chain forwardrawm10 {
+ type filter hook forward priority raw - 10; policy accept;
+ }
+
+ chain forwardraw {
+ type filter hook forward priority raw; policy accept;
+ }
+
+ chain forwardrawp10 {
+ type filter hook forward priority raw + 10; policy accept;
+ }
+
+ chain forwardrawp11 {
+ type filter hook forward priority -289; policy accept;
+ }
+
+ chain forwardmanglem11 {
+ type filter hook forward priority -161; policy accept;
+ }
+
+ chain forwardmanglem10 {
+ type filter hook forward priority mangle - 10; policy accept;
+ }
+
+ chain forwardmangle {
+ type filter hook forward priority mangle; policy accept;
+ }
+
+ chain forwardmanglep10 {
+ type filter hook forward priority mangle + 10; policy accept;
+ }
+
+ chain forwardmanglep11 {
+ type filter hook forward priority -139; policy accept;
+ }
+
+ chain forwardfilterm11 {
+ type filter hook forward priority -11; policy accept;
+ }
+
+ chain forwardfilterm10 {
+ type filter hook forward priority filter - 10; policy accept;
+ }
+
+ chain forwardfilter {
+ type filter hook forward priority filter; policy accept;
+ }
+
+ chain forwardfilterp10 {
+ type filter hook forward priority filter + 10; policy accept;
+ }
+
+ chain forwardfilterp11 {
+ type filter hook forward priority 11; policy accept;
+ }
+
+ chain forwardsecuritym11 {
+ type filter hook forward priority 39; policy accept;
+ }
+
+ chain forwardsecuritym10 {
+ type filter hook forward priority security - 10; policy accept;
+ }
+
+ chain forwardsecurity {
+ type filter hook forward priority security; policy accept;
+ }
+
+ chain forwardsecurityp10 {
+ type filter hook forward priority security + 10; policy accept;
+ }
+
+ chain forwardsecurityp11 {
+ type filter hook forward priority 61; policy accept;
+ }
+
+ chain outputrawm11 {
+ type filter hook output priority -311; policy accept;
+ }
+
+ chain outputrawm10 {
+ type filter hook output priority raw - 10; policy accept;
+ }
+
+ chain outputraw {
+ type filter hook output priority raw; policy accept;
+ }
+
+ chain outputrawp10 {
+ type filter hook output priority raw + 10; policy accept;
+ }
+
+ chain outputrawp11 {
+ type filter hook output priority -289; policy accept;
+ }
+
+ chain outputmanglem11 {
+ type filter hook output priority -161; policy accept;
+ }
+
+ chain outputmanglem10 {
+ type filter hook output priority mangle - 10; policy accept;
+ }
+
+ chain outputmangle {
+ type filter hook output priority mangle; policy accept;
+ }
+
+ chain outputmanglep10 {
+ type filter hook output priority mangle + 10; policy accept;
+ }
+
+ chain outputmanglep11 {
+ type filter hook output priority -139; policy accept;
+ }
+
+ chain outputfilterm11 {
+ type filter hook output priority -11; policy accept;
+ }
+
+ chain outputfilterm10 {
+ type filter hook output priority filter - 10; policy accept;
+ }
+
+ chain outputfilter {
+ type filter hook output priority filter; policy accept;
+ }
+
+ chain outputfilterp10 {
+ type filter hook output priority filter + 10; policy accept;
+ }
+
+ chain outputfilterp11 {
+ type filter hook output priority 11; policy accept;
+ }
+
+ chain outputsecuritym11 {
+ type filter hook output priority 39; policy accept;
+ }
+
+ chain outputsecuritym10 {
+ type filter hook output priority security - 10; policy accept;
+ }
+
+ chain outputsecurity {
+ type filter hook output priority security; policy accept;
+ }
+
+ chain outputsecurityp10 {
+ type filter hook output priority security + 10; policy accept;
+ }
+
+ chain outputsecurityp11 {
+ type filter hook output priority 61; policy accept;
+ }
+
+ chain postroutingrawm11 {
+ type filter hook postrouting priority -311; policy accept;
+ }
+
+ chain postroutingrawm10 {
+ type filter hook postrouting priority raw - 10; policy accept;
+ }
+
+ chain postroutingraw {
+ type filter hook postrouting priority raw; policy accept;
+ }
+
+ chain postroutingrawp10 {
+ type filter hook postrouting priority raw + 10; policy accept;
+ }
+
+ chain postroutingrawp11 {
+ type filter hook postrouting priority -289; policy accept;
+ }
+
+ chain postroutingmanglem11 {
+ type filter hook postrouting priority -161; policy accept;
+ }
+
+ chain postroutingmanglem10 {
+ type filter hook postrouting priority mangle - 10; policy accept;
+ }
+
+ chain postroutingmangle {
+ type filter hook postrouting priority mangle; policy accept;
+ }
+
+ chain postroutingmanglep10 {
+ type filter hook postrouting priority mangle + 10; policy accept;
+ }
+
+ chain postroutingmanglep11 {
+ type filter hook postrouting priority -139; policy accept;
+ }
+
+ chain postroutingfilterm11 {
+ type filter hook postrouting priority -11; policy accept;
+ }
+
+ chain postroutingfilterm10 {
+ type filter hook postrouting priority filter - 10; policy accept;
+ }
+
+ chain postroutingfilter {
+ type filter hook postrouting priority filter; policy accept;
+ }
+
+ chain postroutingfilterp10 {
+ type filter hook postrouting priority filter + 10; policy accept;
+ }
+
+ chain postroutingfilterp11 {
+ type filter hook postrouting priority 11; policy accept;
+ }
+
+ chain postroutingsecuritym11 {
+ type filter hook postrouting priority 39; policy accept;
+ }
+
+ chain postroutingsecuritym10 {
+ type filter hook postrouting priority security - 10; policy accept;
+ }
+
+ chain postroutingsecurity {
+ type filter hook postrouting priority security; policy accept;
+ }
+
+ chain postroutingsecurityp10 {
+ type filter hook postrouting priority security + 10; policy accept;
+ }
+
+ chain postroutingsecurityp11 {
+ type filter hook postrouting priority 61; policy accept;
+ }
+
+ chain preroutingdstnatm11 {
+ type filter hook prerouting priority -111; policy accept;
+ }
+
+ chain preroutingdstnatm10 {
+ type filter hook prerouting priority dstnat - 10; policy accept;
+ }
+
+ chain preroutingdstnat {
+ type filter hook prerouting priority dstnat; policy accept;
+ }
+
+ chain preroutingdstnatp10 {
+ type filter hook prerouting priority dstnat + 10; policy accept;
+ }
+
+ chain preroutingdstnatp11 {
+ type filter hook prerouting priority -89; policy accept;
+ }
+
+ chain postroutingsrcnatm11 {
+ type filter hook postrouting priority 89; policy accept;
+ }
+
+ chain postroutingsrcnatm10 {
+ type filter hook postrouting priority srcnat - 10; policy accept;
+ }
+
+ chain postroutingsrcnat {
+ type filter hook postrouting priority srcnat; policy accept;
+ }
+
+ chain postroutingsrcnatp10 {
+ type filter hook postrouting priority srcnat + 10; policy accept;
+ }
+
+ chain postroutingsrcnatp11 {
+ type filter hook postrouting priority 111; policy accept;
+ }
+}
+table arp x {
+ chain inputfilterm11 {
+ type filter hook input priority -11; policy accept;
+ }
+
+ chain inputfilterm10 {
+ type filter hook input priority filter - 10; policy accept;
+ }
+
+ chain inputfilter {
+ type filter hook input priority filter; policy accept;
+ }
+
+ chain inputfilterp10 {
+ type filter hook input priority filter + 10; policy accept;
+ }
+
+ chain inputfilterp11 {
+ type filter hook input priority 11; policy accept;
+ }
+
+ chain outputfilterm11 {
+ type filter hook output priority -11; policy accept;
+ }
+
+ chain outputfilterm10 {
+ type filter hook output priority filter - 10; policy accept;
+ }
+
+ chain outputfilter {
+ type filter hook output priority filter; policy accept;
+ }
+
+ chain outputfilterp10 {
+ type filter hook output priority filter + 10; policy accept;
+ }
+
+ chain outputfilterp11 {
+ type filter hook output priority 11; policy accept;
+ }
+}
+table netdev x {
+ chain ingressfilterm11 {
+ type filter hook ingress device "lo" priority -11; policy accept;
+ }
+
+ chain ingressfilterm10 {
+ type filter hook ingress device "lo" priority filter - 10; policy accept;
+ }
+
+ chain ingressfilter {
+ type filter hook ingress device "lo" priority filter; policy accept;
+ }
+
+ chain ingressfilterp10 {
+ type filter hook ingress device "lo" priority filter + 10; policy accept;
+ }
+
+ chain ingressfilterp11 {
+ type filter hook ingress device "lo" priority 11; policy accept;
+ }
+
+ chain egressfilterm11 {
+ type filter hook egress device "lo" priority -11; policy accept;
+ }
+
+ chain egressfilterm10 {
+ type filter hook egress device "lo" priority filter - 10; policy accept;
+ }
+
+ chain egressfilter {
+ type filter hook egress device "lo" priority filter; policy accept;
+ }
+
+ chain egressfilterp10 {
+ type filter hook egress device "lo" priority filter + 10; policy accept;
+ }
+
+ chain egressfilterp11 {
+ type filter hook egress device "lo" priority 11; policy accept;
+ }
+}
+table bridge x {
+ chain preroutingfilterm11 {
+ type filter hook prerouting priority -211; policy accept;
+ }
+
+ chain preroutingfilterm10 {
+ type filter hook prerouting priority filter - 10; policy accept;
+ }
+
+ chain preroutingfilter {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
+ chain preroutingfilterp10 {
+ type filter hook prerouting priority filter + 10; policy accept;
+ }
+
+ chain preroutingfilterp11 {
+ type filter hook prerouting priority -189; policy accept;
+ }
+
+ chain inputfilterm11 {
+ type filter hook input priority -211; policy accept;
+ }
+
+ chain inputfilterm10 {
+ type filter hook input priority filter - 10; policy accept;
+ }
+
+ chain inputfilter {
+ type filter hook input priority filter; policy accept;
+ }
+
+ chain inputfilterp10 {
+ type filter hook input priority filter + 10; policy accept;
+ }
+
+ chain inputfilterp11 {
+ type filter hook input priority -189; policy accept;
+ }
+
+ chain forwardfilterm11 {
+ type filter hook forward priority -211; policy accept;
+ }
+
+ chain forwardfilterm10 {
+ type filter hook forward priority filter - 10; policy accept;
+ }
+
+ chain forwardfilter {
+ type filter hook forward priority filter; policy accept;
+ }
+
+ chain forwardfilterp10 {
+ type filter hook forward priority filter + 10; policy accept;
+ }
+
+ chain forwardfilterp11 {
+ type filter hook forward priority -189; policy accept;
+ }
+
+ chain outputfilterm11 {
+ type filter hook output priority -211; policy accept;
+ }
+
+ chain outputfilterm10 {
+ type filter hook output priority filter - 10; policy accept;
+ }
+
+ chain outputfilter {
+ type filter hook output priority filter; policy accept;
+ }
+
+ chain outputfilterp10 {
+ type filter hook output priority filter + 10; policy accept;
+ }
+
+ chain outputfilterp11 {
+ type filter hook output priority -189; policy accept;
+ }
+
+ chain postroutingfilterm11 {
+ type filter hook postrouting priority -211; policy accept;
+ }
+
+ chain postroutingfilterm10 {
+ type filter hook postrouting priority filter - 10; policy accept;
+ }
+
+ chain postroutingfilter {
+ type filter hook postrouting priority filter; policy accept;
+ }
+
+ chain postroutingfilterp10 {
+ type filter hook postrouting priority filter + 10; policy accept;
+ }
+
+ chain postroutingfilterp11 {
+ type filter hook postrouting priority -189; policy accept;
+ }
+
+ chain preroutingdstnatm11 {
+ type filter hook prerouting priority -311; policy accept;
+ }
+
+ chain preroutingdstnatm10 {
+ type filter hook prerouting priority dstnat - 10; policy accept;
+ }
+
+ chain preroutingdstnat {
+ type filter hook prerouting priority dstnat; policy accept;
+ }
+
+ chain preroutingdstnatp10 {
+ type filter hook prerouting priority dstnat + 10; policy accept;
+ }
+
+ chain preroutingdstnatp11 {
+ type filter hook prerouting priority -289; policy accept;
+ }
+
+ chain outputoutm11 {
+ type filter hook output priority 89; policy accept;
+ }
+
+ chain outputoutm10 {
+ type filter hook output priority out - 10; policy accept;
+ }
+
+ chain outputout {
+ type filter hook output priority out; policy accept;
+ }
+
+ chain outputoutp10 {
+ type filter hook output priority out + 10; policy accept;
+ }
+
+ chain outputoutp11 {
+ type filter hook output priority 111; policy accept;
+ }
+
+ chain postroutingsrcnatm11 {
+ type filter hook postrouting priority 289; policy accept;
+ }
+
+ chain postroutingsrcnatm10 {
+ type filter hook postrouting priority srcnat - 10; policy accept;
+ }
+
+ chain postroutingsrcnat {
+ type filter hook postrouting priority srcnat; policy accept;
+ }
+
+ chain postroutingsrcnatp10 {
+ type filter hook postrouting priority srcnat + 10; policy accept;
+ }
+
+ chain postroutingsrcnatp11 {
+ type filter hook postrouting priority 311; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft
new file mode 100644
index 0000000..46912ea
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft
@@ -0,0 +1,6 @@
+table ip x {
+}
+table ip6 x {
+}
+table inet x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft
new file mode 100644
index 0000000..46912ea
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft
@@ -0,0 +1,6 @@
+table ip x {
+}
+table ip6 x {
+}
+table inet x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft b/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft
new file mode 100644
index 0000000..7483cda
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft
@@ -0,0 +1,2 @@
+table arp x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft
new file mode 100644
index 0000000..aa571e0
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft
@@ -0,0 +1,2 @@
+table netdev x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft
new file mode 100644
index 0000000..d17be81
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft
@@ -0,0 +1,2 @@
+table bridge x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft
new file mode 100644
index 0000000..d17be81
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft
@@ -0,0 +1,2 @@
+table bridge x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft
new file mode 100644
index 0000000..d17be81
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft
@@ -0,0 +1,2 @@
+table bridge x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0030create_0.nft b/tests/shell/testcases/chains/dumps/0030create_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0030create_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+ chain y {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0031priority_variable_0.nft b/tests/shell/testcases/chains/dumps/0031priority_variable_0.nft
new file mode 100644
index 0000000..f409309
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0031priority_variable_0.nft
@@ -0,0 +1,5 @@
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft b/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft
new file mode 100644
index 0000000..1a1b079
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft
@@ -0,0 +1,13 @@
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority filter + 10; policy accept;
+ }
+
+ chain forward {
+ type filter hook prerouting priority dstnat; policy accept;
+ }
+
+ chain postrouting {
+ type filter hook postrouting priority filter - 10; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft b/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft
diff --git a/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft b/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft
diff --git a/tests/shell/testcases/chains/dumps/0035policy_variable_0.nft b/tests/shell/testcases/chains/dumps/0035policy_variable_0.nft
new file mode 100644
index 0000000..f409309
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0035policy_variable_0.nft
@@ -0,0 +1,5 @@
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft b/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft
new file mode 100644
index 0000000..d729e1e
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft
@@ -0,0 +1,5 @@
+table inet global {
+ chain prerouting {
+ type filter hook prerouting priority filter; policy drop;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft b/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft
diff --git a/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft b/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft
diff --git a/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft b/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft
new file mode 100644
index 0000000..20f8272
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ chain c {
+ type filter hook input priority -30; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft
new file mode 100644
index 0000000..520203d
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft
@@ -0,0 +1,12 @@
+table inet x {
+ chain y {
+ type filter hook input priority filter; policy accept;
+ meta l4proto { tcp, udp } th dport 53 jump {
+ ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter packets 0 bytes 0 accept
+ ip6 saddr ::1 counter packets 0 bytes 0 accept
+ }
+ meta l4proto ipv6-icmp jump {
+ counter packets 0 bytes 0 accept
+ }
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft
new file mode 100644
index 0000000..5ec230d
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft
@@ -0,0 +1,19 @@
+table netdev filter1 {
+ chain Main_Ingress1 {
+ type filter hook ingress device "lo" priority -500; policy accept;
+ }
+}
+table netdev filter2 {
+ chain Main_Ingress2 {
+ type filter hook ingress devices = { dummy0, lo } priority -500; policy accept;
+ }
+}
+table netdev filter3 {
+ chain Main_Ingress3 {
+ type filter hook ingress devices = { dummy0, lo } priority -500; policy accept;
+ }
+
+ chain Main_Egress3 {
+ type filter hook egress device "lo" priority -500; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft
new file mode 100644
index 0000000..8483b26
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft
@@ -0,0 +1,13 @@
+table inet filter {
+ chain ingress {
+ type filter hook ingress device "lo" priority filter; policy accept;
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft
new file mode 100644
index 0000000..aa571e0
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft
@@ -0,0 +1,2 @@
+table netdev x {
+}
diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft
diff --git a/tests/shell/testcases/chains/netdev_chain_0 b/tests/shell/testcases/chains/netdev_chain_0
new file mode 100755
index 0000000..a323e6e
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_without_device)
+
+set -e
+
+iface_cleanup() {
+ ip link del d0 &>/dev/null || :
+ ip link del d1 &>/dev/null || :
+ ip link del d2 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add d0 type dummy
+ip link add d1 type dummy
+ip link add d2 type dummy
+
+RULESET="table netdev x {
+ chain y {
+ type filter hook ingress priority 0; policy accept;
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+$NFT add chain netdev x y '{ devices = { d0 }; }'
+$NFT add chain netdev x y '{ devices = { d1, d2, lo }; }'
+$NFT delete chain netdev x y '{ devices = { lo }; }'
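Review bot: The `iface_cleanup` call that runs before the `ip link add` lines deletes any existing links named d0, d1 and d2 with errors silenced, so the script is only safe inside a throwaway network namespace. Nothing in this hunk shows whether the harness guarantees that isolation. A header comment should state the requirement, for example `# creates and deletes dummy links d0-d2; must run in an isolated netns`. The script also asserts nothing about which devices remain attached to chain `y` after the final `delete chain`, so the result rests on the exit status and the separate dump file.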
diff --git a/tests/shell/testcases/chains/netdev_chain_autoremove b/tests/shell/testcases/chains/netdev_chain_autoremove
new file mode 100755
index 0000000..21f3ad2
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_autoremove
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# Test auto-removal of chain hook on netns removal
+unshare -n bash -e -c "ip link add br0 type bridge; \
+ $NFT add table netdev test; \
+ $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \
+"
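Review bot: Nothing in the script checks the hook removal that the comment names; the test passes as soon as the three commands inside `unshare -n` succeed. A regression would presumably show up only as a kernel warning or crash when the namespace goes away. The comment should spell out the pass criterion, for example `# Passes if setup succeeds; auto-removal is only verified by the absence of a kernel splat on netns teardown`. Separately, `$NFT` is expanded by the outer shell into the `bash -c` string and parsed again by the inner shell, so a short remark that its value must survive that re-parsing would help the next maintainer.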
diff --git a/tests/shell/testcases/comments/comments_0 b/tests/shell/testcases/comments/comments_0
new file mode 100755
index 0000000..a50387d
--- /dev/null
+++ b/tests/shell/testcases/comments/comments_0
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+RULESET="table inet x { # comment
+ # comment 1
+ # comment 2
+ set y { # comment here
+ type ipv4_addr # comment
+ elements = {
+ # 1.1.1.1
+ 2.2.2.2, # comment
+ # more comments
+ 3.3.3.3, # comment
+# comment
+ }
+ # comment
+ }
+
+ # comments are allowed here
+ chain y {
+ # comments are allowed here
+ icmpv6 type {
+ 1, # comments are allowed here
+ 2,
+ } accept
+
+ icmp type {
+# comment
+ 1,
+ # comments also allowed here
+ 2,
+ } accept
+
+ tcp dport {
+ # normal FTP
+ 21,
+ # patched FTP
+ 2121
+ } counter accept
+ }
+}
+"
+
+$NFT -f - <<< "$RULESET"
+
diff --git a/tests/shell/testcases/comments/dumps/comments_0.nft b/tests/shell/testcases/comments/dumps/comments_0.nft
new file mode 100644
index 0000000..82ae510
--- /dev/null
+++ b/tests/shell/testcases/comments/dumps/comments_0.nft
@@ -0,0 +1,12 @@
+table inet x {
+ set y {
+ type ipv4_addr
+ elements = { 2.2.2.2, 3.3.3.3 }
+ }
+
+ chain y {
+ icmpv6 type { destination-unreachable, packet-too-big } accept
+ icmp type { 1, 2 } accept
+ tcp dport { 21, 2121 } counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/flowtable/0001flowtable_0 b/tests/shell/testcases/flowtable/0001flowtable_0
new file mode 100755
index 0000000..2e18099
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0001flowtable_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+EXPECTED='table inet t {
+ flowtable f {
+ hook ingress priority 10
+ devices = { lo }
+ }
+
+ chain c {
+ flow add @f
+ }
+}'
+
+set -e
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/flowtable/0002create_flowtable_0 b/tests/shell/testcases/flowtable/0002create_flowtable_0
new file mode 100755
index 0000000..4c85c3f
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0002create_flowtable_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+$NFT add table t
+$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
+if $NFT create flowtable t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then
+ echo "E: flowtable creation not failing on existing set" >&2
+ exit 1
+fi
+$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
+
+exit 0
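Review bot: The failure message in the `if $NFT create flowtable ...` branch says "existing set", but the object under test is a flowtable, so the text looks copied from a set test. A log reader searching for the failing object type would be misled. Suggested wording: `echo "E: flowtable creation not failing on existing flowtable" >&2`.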
diff --git a/tests/shell/testcases/flowtable/0003add_after_flush_0 b/tests/shell/testcases/flowtable/0003add_after_flush_0
new file mode 100755
index 0000000..481c7ed
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0003add_after_flush_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+$NFT flush ruleset
+$NFT add table x
+$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
diff --git a/tests/shell/testcases/flowtable/0004delete_after_add_0 b/tests/shell/testcases/flowtable/0004delete_after_add_0
new file mode 100755
index 0000000..8d9a842
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0004delete_after_add_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+$NFT delete flowtable x y
diff --git a/tests/shell/testcases/flowtable/0005delete_in_use_1 b/tests/shell/testcases/flowtable/0005delete_in_use_1
new file mode 100755
index 0000000..ef52620
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0005delete_in_use_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add chain x x
+$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+$NFT add rule x x flow add @y
+
+$NFT delete flowtable x y || exit 0
+echo "E: delete flowtable in use"
+exit 1
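Review bot: `$NFT delete flowtable x y || exit 0` treats every non-zero status as the expected refusal, so an nft crash (a signal exit status) would also count as a pass. 0006segfault_0 in this same commit checks for status 1 explicitly, and the same check fits here: `rc=0; $NFT delete flowtable x y || rc=$?` followed by `[[ $rc -eq 1 ]] && exit 0`. The error message should also go to stderr as in 0002create_flowtable_0: `echo "E: delete flowtable in use" >&2`.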
diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0
new file mode 100755
index 0000000..fb7c52f
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0006segfault_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Make sure nft does not segfault when given invalid syntax in 'add flowtable' commands.
+
+$NFT add table ip t
+
+$NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress\; priority 10\; }
+[[ $? -eq 1 ]] || exit 1
diff --git a/tests/shell/testcases/flowtable/0007prio_0 b/tests/shell/testcases/flowtable/0007prio_0
new file mode 100755
index 0000000..49bbcac
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0007prio_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+format_offset () {
+ i=$1
+ if ((i == 0))
+ then
+ echo ""
+ elif ((i > 0))
+ then
+ echo "+$i"
+ else
+ echo "$i"
+ fi
+}
+
+$NFT add table t
+for offset in -11 -10 0 10 11
+do
+ $NFT add flowtable t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }"
+ $NFT delete flowtable t f
+done
+
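Review bot: `format_offset` assigns `i` without `local`, and the loop calls it through backticks with an unquoted argument, so the helper leaks a global and the call is awkward to nest or quote. Suggest `local i=$1` as the first line of the function and `$(format_offset "$offset")` in the `add flowtable` line. The behaviour is unchanged for the five literal offsets used here.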
diff --git a/tests/shell/testcases/flowtable/0008prio_1 b/tests/shell/testcases/flowtable/0008prio_1
new file mode 100755
index 0000000..48953d7
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0008prio_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+$NFT add table t
+for prioname in raw mangle dstnar security srcnat out dummy
+do
+ $NFT add flowtable t f { hook ingress priority $prioname \; devices = { lo }\; }
+ if (($? == 0))
+ then
+ echo "E: $prioname should not be a valid priority name for flowtables" >&2
+ exit 1
+ fi
+done
+
+exit 0
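Review bot: The loop treats any non-zero status from `$NFT add flowtable` as proof that the priority name was rejected, but the script has no `set -e` and `$NFT add table t` above the loop is unchecked, so the test also passes when the command fails for an unrelated reason. Guarding the setup with `$NFT add table t || exit 1` would rule out at least the setup case. `dstnar` in the name list looks like a typo for `dstnat`; as written, `dstnat` itself is never exercised.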
diff --git a/tests/shell/testcases/flowtable/0009deleteafterflush_0 b/tests/shell/testcases/flowtable/0009deleteafterflush_0
new file mode 100755
index 0000000..2cda563
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0009deleteafterflush_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add chain x y
+$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;}
+$NFT add rule x y flow add @f
+$NFT flush chain x y
+$NFT delete flowtable x f
diff --git a/tests/shell/testcases/flowtable/0010delete_handle_0 b/tests/shell/testcases/flowtable/0010delete_handle_0
new file mode 100755
index 0000000..8dd8d9f
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0010delete_handle_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# delete flowtable by handle
+
+set -e
+
+$NFT add table inet t
+$NFT add flowtable inet t f { hook ingress priority filter\; devices = { lo }\; }
+
+FH=$($NFT -a list ruleset | awk '/flowtable f/ { print $NF }')
+
+$NFT delete flowtable inet t handle $FH
+
+EXPECTED="table inet t {
+}"
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/flowtable/0011deleteafterflush_0 b/tests/shell/testcases/flowtable/0011deleteafterflush_0
new file mode 100755
index 0000000..4f519a7
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0011deleteafterflush_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add chain x y
+$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;}
+$NFT add rule x y ip protocol tcp flow add @f
+$NFT add rule x y ip protocol udp flow add @f
+$NFT flush chain x y
+$NFT delete flowtable x f
diff --git a/tests/shell/testcases/flowtable/0012flowtable_variable_0 b/tests/shell/testcases/flowtable/0012flowtable_variable_0
new file mode 100755
index 0000000..080059d
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0012flowtable_variable_0
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+iface_cleanup() {
+ ip link del dummy1 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add name dummy1 type dummy
+
+EXPECTED="define if_main = { lo, dummy1 }
+
+table filter1 {
+ flowtable Main_ft1 {
+ hook ingress priority filter
+ counter
+ devices = \$if_main
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+EXPECTED="define if_main = \"lo\"
+
+table filter2 {
+ flowtable Main_ft2 {
+ hook ingress priority filter
+ counter
+ devices = { \$if_main, dummy1 }
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
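Review bot: Both `$NFT -f - <<< $EXPECTED` lines pass the multi-line ruleset unquoted, unlike 0013addafterdelete_0 and 0014addafterdelete_0, which use `<<< "$RULESET"`. Current bash does not word-split a here-string, but older releases (before 4.4, as far as I recall) collapsed the whitespace of an unquoted expansion, which would change what nft parses. Writing `$NFT -f - <<< "$EXPECTED"` removes the dependency on the bash version. The same applies to `<<< $RULESET` on the last line of include/0020include_chain_0.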
diff --git a/tests/shell/testcases/flowtable/0013addafterdelete_0 b/tests/shell/testcases/flowtable/0013addafterdelete_0
new file mode 100755
index 0000000..b23ab97
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0013addafterdelete_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -e
+
+RULESET='table inet filter {
+
+ flowtable f {
+ hook ingress priority filter - 1
+ devices = { lo }
+ counter
+ }
+}'
+
+$NFT -f - <<< "$RULESET"
+
+RULESET='delete flowtable inet filter f
+
+table inet filter {
+
+ flowtable f {
+ hook ingress priority filter - 1
+ devices = { lo }
+ counter
+ }
+}'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/flowtable/0014addafterdelete_0 b/tests/shell/testcases/flowtable/0014addafterdelete_0
new file mode 100755
index 0000000..6a24c4b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0014addafterdelete_0
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+RULESET='table inet filter {
+
+ flowtable f {
+ hook ingress priority filter - 1
+ devices = { lo }
+ }
+
+ chain y {
+ type filter hook forward priority 0;
+ flow add @f counter
+ }
+}'
+
+$NFT -f - <<< "$RULESET"
+
+RULESET='delete rule inet filter y handle 3
+delete flowtable inet filter f
+
+table inet filter {
+ flowtable f {
+ hook ingress priority filter - 1
+ devices = { lo }
+ counter
+ }
+
+ chain y {
+ type filter hook forward priority 0;
+ flow add @f counter
+ }
+}'
+
+$NFT -f - <<< "$RULESET"
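Review bot: `delete rule inet filter y handle 3` in the second ruleset hard-codes a kernel-assigned handle, so the test depends on handles being allocated in exactly this order for a freshly created table. A shell comment above the second `RULESET=` assignment would make the assumption explicit, e.g. `# handle 3 is assumed to be the 'flow add @f counter' rule loaded above`. Alternatively the handle could be looked up from `$NFT -a list ruleset`, the way 0010delete_handle_0 does for the flowtable.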
diff --git a/tests/shell/testcases/flowtable/0015destroy_0 b/tests/shell/testcases/flowtable/0015destroy_0
new file mode 100755
index 0000000..d2a87da
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0015destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table t
+
+# pass for non-existent flowtable
+$NFT destroy flowtable t f
+
+# successfully delete existing flowtable
+$NFT add flowtable t f '{ hook ingress priority 10; devices = { lo }; }'
+$NFT destroy flowtable t f
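Review bot: `#!/bin/bash -e` puts errexit in the shebang, where it is lost if the runner starts the script as `bash script` rather than executing it directly. The other flowtable tests that rely on errexit use a separate `set -e` line. Without errexit only the status of the final `destroy` decides the result, so a failure of the first `destroy flowtable t f` (the non-existent case this test is about) would go unnoticed. Suggest `#!/bin/bash` followed by `set -e`.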
diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft
new file mode 100644
index 0000000..629bfe8
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft
@@ -0,0 +1,10 @@
+table inet t {
+ flowtable f {
+ hook ingress priority filter + 10
+ devices = { lo }
+ }
+
+ chain c {
+ flow add @f
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft
new file mode 100644
index 0000000..aecfb2a
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+ flowtable f {
+ hook ingress priority filter + 10
+ devices = { lo }
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft
new file mode 100644
index 0000000..dd904f4
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+ flowtable y {
+ hook ingress priority filter
+ devices = { lo }
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft
new file mode 100644
index 0000000..c1d79e7
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft
@@ -0,0 +1,10 @@
+table ip x {
+ flowtable y {
+ hook ingress priority filter
+ devices = { lo }
+ }
+
+ chain x {
+ flow add @y
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0007prio_0.nft b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0008prio_1.nft b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+ chain y {
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft
new file mode 100644
index 0000000..17838bd
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft
@@ -0,0 +1,2 @@
+table inet t {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+ chain y {
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft
new file mode 100644
index 0000000..df1c51a
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft
@@ -0,0 +1,14 @@
+table ip filter1 {
+ flowtable Main_ft1 {
+ hook ingress priority filter
+ devices = { lo }
+ counter
+ }
+}
+table ip filter2 {
+ flowtable Main_ft2 {
+ hook ingress priority filter
+ devices = { lo }
+ counter
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft
new file mode 100644
index 0000000..83fdd5d
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft
@@ -0,0 +1,7 @@
+table inet filter {
+ flowtable f {
+ hook ingress priority filter - 1
+ devices = { lo }
+ counter
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft
new file mode 100644
index 0000000..145aa08
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft
@@ -0,0 +1,12 @@
+table inet filter {
+ flowtable f {
+ hook ingress priority filter - 1
+ devices = { lo }
+ counter
+ }
+
+ chain y {
+ type filter hook forward priority filter; policy accept;
+ flow add @f counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/include/0001absolute_0 b/tests/shell/testcases/include/0001absolute_0
new file mode 100755
index 0000000..4ad874f
--- /dev/null
+++ b/tests/shell/testcases/include/0001absolute_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile1 $tmpfile2" EXIT # cleanup if aborted
+
+RULESET1="add table x"
+RULESET2="include \"$tmpfile1\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+
+$NFT -f $tmpfile2
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
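Review bot: The `if [ $? -ne 0 ]` block after `$NFT -f $tmpfile2` can never run, because `set -e` at the top already terminates the script when nft fails, so the `E: unable to load good ruleset` message is never printed. Testing the command directly keeps the diagnostic: `if ! $NFT -f "$tmpfile2"; then`. The same dead check follows the nft call in 0002relative_0, 0003includepath_0, 0005glob_empty_0, 0006glob_single_0, 0007glob_double_0, 0008glob_nofile_wildcard_0, 0011glob_dependency_0, 0013glob_dotfile_0, 0014glob_directory_0, 0015doubleincludepath_0 and 0017glob_more_than_maxdepth_1.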
diff --git a/tests/shell/testcases/include/0002relative_0 b/tests/shell/testcases/include/0002relative_0
new file mode 100755
index 0000000..a91cd8f
--- /dev/null
+++ b/tests/shell/testcases/include/0002relative_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp -p .)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2=$(mktemp -p .)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile1 $tmpfile2" EXIT # cleanup if aborted
+
+RULESET1="add table x"
+RULESET2="include \"$tmpfile1\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+
+$NFT -f $tmpfile2
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
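Review bot: The cleanup `trap "rm -rf $tmpfile1 $tmpfile2" EXIT` is installed only after both `mktemp` calls and expands the paths unquoted at install time. In this file an abort between the two calls leaves the first file behind in the working directory. In the sibling tests that use plain `mktemp` (0001absolute_0, 0003includepath_0 and the later include tests), the unquoted expansion also means a `$TMPDIR` containing whitespace would be split into separate `rm -rf` operands. Installing the trap right after the first `mktemp` with deferred, quoted expansion avoids both: `trap 'rm -f -- "$tmpfile1" "$tmpfile2"' EXIT`.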
diff --git a/tests/shell/testcases/include/0003includepath_0 b/tests/shell/testcases/include/0003includepath_0
new file mode 100755
index 0000000..20037a8
--- /dev/null
+++ b/tests/shell/testcases/include/0003includepath_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile3="$(basename "$tmpfile1")"
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile1 $tmpfile2" EXIT # cleanup if aborted
+
+RULESET1="add table x"
+RULESET2="include \"$tmpfile3\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+
+$NFT -I "$(dirname "$tmpfile1")" -f $tmpfile2
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0004endlessloop_1 b/tests/shell/testcases/include/0004endlessloop_1
new file mode 100755
index 0000000..3e6789d
--- /dev/null
+++ b/tests/shell/testcases/include/0004endlessloop_1
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="include \"$tmpfile\""
+
+echo "$RULESET" > $tmpfile
+
+$NFT -f $tmpfile 2>/dev/null || exit 0
+echo "E: endless include loop" >&2
+exit 1
diff --git a/tests/shell/testcases/include/0005glob_empty_0 b/tests/shell/testcases/include/0005glob_empty_0
new file mode 100755
index 0000000..0743d0d
--- /dev/null
+++ b/tests/shell/testcases/include/0005glob_empty_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Including files in an empty directory must not fail.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 && rmdir $tmpdir" EXIT
+
+RULESET1="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+
+$NFT -f $tmpfile1
+
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0006glob_single_0 b/tests/shell/testcases/include/0006glob_single_0
new file mode 100755
index 0000000..754db6f
--- /dev/null
+++ b/tests/shell/testcases/include/0006glob_single_0
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 && rmdir $tmpdir" EXIT
+
+RULESET1="add table x"
+RULESET2="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+
+$NFT -f $tmpfile2
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0007glob_double_0 b/tests/shell/testcases/include/0007glob_double_0
new file mode 100755
index 0000000..00c3efc
--- /dev/null
+++ b/tests/shell/testcases/include/0007glob_double_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpdir $tmpfile" EXIT
+
+RULESET1="add table x"
+RULESET2="add table y"
+RULESET3="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpdir/table_x
+echo "$RULESET2" > $tmpdir/table_y
+echo "$RULESET3" > $tmpfile
+
+$NFT -f $tmpfile
+
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0008glob_nofile_wildcard_0 b/tests/shell/testcases/include/0008glob_nofile_wildcard_0
new file mode 100755
index 0000000..f9c0aa1
--- /dev/null
+++ b/tests/shell/testcases/include/0008glob_nofile_wildcard_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# When using wildcards, not having any match is not an error.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+# remove the directory
+rmdir $tmpdir
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1" EXIT
+
+RULESET1="include \"$tmpdir/non_existent_file*.nft\""
+
+echo "$RULESET1" > $tmpfile1
+
+$NFT -f $tmpfile1
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
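Review bot: `mktemp -d` followed by `rmdir $tmpdir` is used only to obtain a path that does not exist, but once the directory is removed the name is free again and nothing prevents another process from recreating it before `$NFT -f $tmpfile1` evaluates the include. The suite presumably runs with elevated privileges, so on a shared machine the include would then pick up whatever matches `non_existent_file*.nft` there. Keeping the directory and pointing the include at a missing entry inside it should test the same thing without that window, e.g. `RULESET1="include \"$tmpdir/missing/non_existent_file*.nft\""` with `$tmpdir` added to the cleanup trap. 0009glob_nofile_1 uses the same `mktemp -d` / `rmdir` sequence.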
diff --git a/tests/shell/testcases/include/0009glob_nofile_1 b/tests/shell/testcases/include/0009glob_nofile_1
new file mode 100755
index 0000000..d769155
--- /dev/null
+++ b/tests/shell/testcases/include/0009glob_nofile_1
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# When not using wildcards, not having any match is an error.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+# remove the directory
+rmdir $tmpdir
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1" EXIT
+
+RULESET1="include \"$tmpdir/non_existent_file.nft\""
+
+echo "$RULESET1" > $tmpfile1
+
+$NFT -f $tmpfile1 || exit 0
+echo "E: Failed to catch a missing include directory/file" >&2
+exit 1
diff --git a/tests/shell/testcases/include/0010glob_broken_file_1 b/tests/shell/testcases/include/0010glob_broken_file_1
new file mode 100755
index 0000000..a00babf
--- /dev/null
+++ b/tests/shell/testcases/include/0010glob_broken_file_1
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Loading broken files must fail.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2=$(mktemp -p $tmpdir)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 && rmdir $tmpdir" EXIT
+
+RULESET1="add table x"
+
+# do an error in a file
+RULESET2="intentionally broken file"
+RULESET3="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+echo "$RULESET3" > $tmpfile3
+
+$NFT -f $tmpfile3 || exit 0
+echo "E: didn't catch a broken file in directory" >&2
+exit 1
diff --git a/tests/shell/testcases/include/0011glob_dependency_0 b/tests/shell/testcases/include/0011glob_dependency_0
new file mode 100755
index 0000000..8786850
--- /dev/null
+++ b/tests/shell/testcases/include/0011glob_dependency_0
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Files are included in alphabetical order.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile1="$tmpdir/01_file.nft"
+touch $tmpfile1
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2="$tmpdir/02_file.nft"
+touch $tmpfile2
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 && rmdir $tmpdir" EXIT
+
+# add interdependent rulesets
+RULESET1="add table x"
+RULESET2="add chain x y"
+RULESET3="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+echo "$RULESET3" > $tmpfile3
+
+$NFT -f $tmpfile3
+
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0012glob_dependency_1 b/tests/shell/testcases/include/0012glob_dependency_1
new file mode 100755
index 0000000..e4e12e2
--- /dev/null
+++ b/tests/shell/testcases/include/0012glob_dependency_1
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Files are included in alphabetical order.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile1="$tmpdir/01_file.nft"
+touch $tmpfile1
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2="$tmpdir/02_file.nft"
+touch $tmpfile2
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 && rmdir $tmpdir" EXIT
+
+# add interdependent rulesets
+RULESET1="add table x"
+RULESET2="add chain x y"
+RULESET3="include \"$tmpdir/*\""
+
+# Note different order when compared with 0011dir_dependency_0. The idea
+# here is to introduce wrong order to get the loading fail.
+echo "$RULESET1" > $tmpfile2
+echo "$RULESET2" > $tmpfile1
+echo "$RULESET3" > $tmpfile3
+
+$NFT -f $tmpfile3 || exit 0
+echo "E: did not catch wrong file order in include directory" >&2
+exit 1
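Review bot: The comment above the three `echo` lines refers to `0011dir_dependency_0`, but the sibling test added in this diff is named `0011glob_dependency_0`. Suggest `# Note different order when compared with 0011glob_dependency_0.` so the cross-reference can be followed. The header comment `# Files are included in alphabetical order.` is copied from that sibling; here something like `# Loading must fail when the alphabetical include order breaks a dependency.` would describe what this variant checks.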
diff --git a/tests/shell/testcases/include/0013glob_dotfile_0 b/tests/shell/testcases/include/0013glob_dotfile_0
new file mode 100755
index 0000000..36cfe1c
--- /dev/null
+++ b/tests/shell/testcases/include/0013glob_dotfile_0
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Must not load a dot file in globbed directory.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2=$(mktemp -p $tmpdir ".XXXXXXXX")
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 && rmdir $tmpdir" EXIT
+
+RULESET1="add table x"
+
+# an error in a dot file
+RULESET2="intentionally broken file"
+RULESET3="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+echo "$RULESET3" > $tmpfile3
+
+$NFT -f $tmpfile3
+
+if [ $? -ne 0 ] ; then
+ echo "E: tried to load a .dot file" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0013input_descriptors_included_files_0 b/tests/shell/testcases/include/0013input_descriptors_included_files_0
new file mode 100755
index 0000000..03de50b
--- /dev/null
+++ b/tests/shell/testcases/include/0013input_descriptors_included_files_0
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# This test the changes made in commit id "b14572f72aac".
+# When the commit was not applied, nft pointed to wrong files name.
+# As the commit only fixes the error messages and hence does not change the
+# return value so, we need to compare the "file name" in the error message
+# instead of return value of nft.
+
+
+tmpfile1=$(mktemp -p .)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2=$(mktemp -p .)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile3=$(mktemp -p .)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile4=$(mktemp -p .)
+if [ ! -w $tmpfile4 ]; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4" EXIT # cleanup if aborted
+
+RULESET1="include \"$tmpfile2\""
+RULESET2="include \"$tmpfile3\""
+RULESET3="add rule x y anything everything" # wrong nft syntax
+
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" >> $tmpfile1
+echo "$RULESET3" > $tmpfile2
+
+$NFT -f $tmpfile1 2> $tmpfile4
+
+var=$(awk -F: '$4==" Error"{print $1;exit;}' $tmpfile4)
+
+if [ $var == "$tmpfile3" ]; then
+ echo "E: Test failed" >&2
+ exit 1
+fi
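Review bot: `if [ $var == "$tmpfile3" ]` leaves `$var` unquoted, so when awk finds no ` Error` line and `var` is empty the `[` call is malformed and returns non-zero, and the test passes without having checked anything. Quote it and fail on the empty case, e.g. `[ -n "$var" ] || exit 1` before the comparison and `if [ "$var" = "$tmpfile3" ]; then`. The check is also only negative (the name must not be `$tmpfile3`). Comparing against `$tmpfile2`, which holds the broken rule, would presumably pin the intended behaviour more tightly.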
diff --git a/tests/shell/testcases/include/0014glob_directory_0 b/tests/shell/testcases/include/0014glob_directory_0
new file mode 100755
index 0000000..9a2443a
--- /dev/null
+++ b/tests/shell/testcases/include/0014glob_directory_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Must not be confused in matched subdirectories.
+
+set -e
+
+tmpdir1=$(mktemp -d)
+if [ ! -d $tmpdir1 ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir1)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpdir2=$(mktemp -p $tmpdir1 -d)
+if [ ! -w $tmpdir2 ] ; then
+ echo "Failed to create the second tmp directory" >&2
+ exit 0
+fi
+
+tmpdir3=$(mktemp -p $tmpdir2 -d)
+if [ ! -w $tmpdir3 ] ; then
+ echo "Failed to create the third tmp directory" >&2
+ exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 && rmdir $tmpdir3 && rmdir $tmpdir2 && rmdir $tmpdir1" EXIT
+
+RULESET1="include \"$tmpdir2/*\""
+
+echo "$RULESET1" > $tmpfile1
+
+$NFT -f $tmpfile1
+
+if [ $? -ne 0 ] ; then
+ echo "E: tried to include a matched directory" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0015doubleincludepath_0 b/tests/shell/testcases/include/0015doubleincludepath_0
new file mode 100755
index 0000000..db70346
--- /dev/null
+++ b/tests/shell/testcases/include/0015doubleincludepath_0
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpdir1=$(mktemp -d)
+if [ ! -d $tmpdir1 ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpdir2=$(mktemp -d)
+if [ ! -d $tmpdir2 ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir1)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpfile2=$(mktemp -p $tmpdir2)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpdfile $tmpfile1 $tmpfile2 && rmdir $tmpdir1 && rmdir $tmpdir2" EXIT # cleanup if aborted
+
+RULESET1="add table x"
+RULESET2="add chain x y"
+RULESET3=" \
+include \"$(basename $tmpfile1)\"
+include \"$(basename $tmpfile2)\"
+"
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+echo "$RULESET3" > $tmpfile
+
+$NFT -I $tmpdir1 -I $tmpdir2 -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
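Review bot: The cleanup trap names `$tmpdfile`, which is never set, so the top-level file created by `tmpfile=$(mktemp)` is not removed on exit. It should read `trap "rm -rf $tmpfile $tmpfile1 $tmpfile2 && rmdir $tmpdir1 && rmdir $tmpdir2" EXIT`. Because the misspelled name expands to nothing, the command still runs cleanly, which is why the leak is easy to miss.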
diff --git a/tests/shell/testcases/include/0016maxdepth_0 b/tests/shell/testcases/include/0016maxdepth_0
new file mode 100755
index 0000000..89eb13c
--- /dev/null
+++ b/tests/shell/testcases/include/0016maxdepth_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+
+echo 'include "/tmp/rules.nft"' > $tmpfile
+$NFT -f $tmpfile || exit 0
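Review bot: The ruleset includes the fixed path `/tmp/rules.nft`, which sits in a world-writable directory and is not created by the test, so the outcome depends on whatever is at that path and a file left there by another local user would be parsed by nft with the privileges of the test run. A path inside a private directory avoids that, e.g. `incdir=$(mktemp -d)` and `echo "include \"$incdir/rules.nft\"" > "$tmpfile"`. In addition, `$NFT -f $tmpfile || exit 0` exits 0 whether nft succeeds or fails, so once `mktemp` has succeeded the script cannot fail, and `$tmpfile` is never removed. What the test is meant to assert about include depth is not visible from the hunk.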
diff --git a/tests/shell/testcases/include/0017glob_more_than_maxdepth_1 b/tests/shell/testcases/include/0017glob_more_than_maxdepth_1
new file mode 100755
index 0000000..6499bcc
--- /dev/null
+++ b/tests/shell/testcases/include/0017glob_more_than_maxdepth_1
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpdir1=$(mktemp -d)
+if [ ! -d $tmpdir1 ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfiles=""
+for i in `seq -w 1 32`; do
+ tmpfile2=$(mktemp -p $tmpdir1)
+ if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+ fi
+ tmpfiles="$tmpfiles $tmpfile2"
+done
+
+trap "rm -rf $tmpfile $tmpfiles && rmdir $tmpdir1" EXIT # cleanup if aborted
+
+RULESET=" \
+include \"$tmpdir1/*\"
+"
+
+echo "$RULESET" > $tmpfile
+
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0018include_error_0 b/tests/shell/testcases/include/0018include_error_0
new file mode 100755
index 0000000..ae2dba3
--- /dev/null
+++ b/tests/shell/testcases/include/0018include_error_0
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+touch $tmpfile1
+
+RULESET="include \"$tmpfile1\"
+)
+"
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+echo "/dev/stdin:2:1-1: Error: syntax error, unexpected ')'
+)
+^" > $tmpfile3
+
+$NFT -I/tmp/ -f - <<< "$RULESET" 2> $tmpfile2
+$DIFF -u $tmpfile2 $tmpfile3
+
+rm $tmpfile1 $tmpfile2 $tmpfile3
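Review bot: The result of `$DIFF -u $tmpfile2 $tmpfile3` is discarded: the script has no `set -e` and ends with `rm`, so its exit status is that of the cleanup and a mismatch between nft's stderr and the expected text does not fail the test. Capture the status before cleaning up, e.g. `$DIFF -u $tmpfile2 $tmpfile3; rc=$?` and `exit $rc` after the `rm` line. 0019include_error_0 has the same shape: `$DIFF -u $tmpfile3 $tmpfile4` is followed by two `rm` calls.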
diff --git a/tests/shell/testcases/include/0019include_error_0 b/tests/shell/testcases/include/0019include_error_0
new file mode 100755
index 0000000..4b84a57
--- /dev/null
+++ b/tests/shell/testcases/include/0019include_error_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+echo "(" >> $tmpfile2
+
+tmpdir=$(mktemp -d)
+
+echo "include \"$tmpfile2\"
+include \"$tmpdir/*.nft\"
+x" > $tmpfile1
+
+echo "=" > $tmpdir/1.nft
+echo ")" > $tmpdir/2.nft
+echo "-" > $tmpdir/3.nft
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+echo "In file included from $tmpfile1:1:1-30:
+$tmpfile2:1:1-1: Error: syntax error, unexpected '('
+(
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/1.nft:1:1-1: Error: syntax error, unexpected '='
+=
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/2.nft:1:1-1: Error: syntax error, unexpected ')'
+)
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/3.nft:1:1-1: Error: syntax error, unexpected -
+-
+^
+$tmpfile1:3:2-2: Error: syntax error, unexpected newline, expecting string
+x
+ ^" > $tmpfile3
+
+tmpfile4=$(mktemp)
+if [ ! -w $tmpfile4 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+$NFT -I/tmp/ -f $tmpfile1 2> $tmpfile4
+$DIFF -u $tmpfile3 $tmpfile4
+
+rm $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4
+rm -r $tmpdir
diff --git a/tests/shell/testcases/include/0020include_chain_0 b/tests/shell/testcases/include/0020include_chain_0
new file mode 100755
index 0000000..8f78e8c
--- /dev/null
+++ b/tests/shell/testcases/include/0020include_chain_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp -p .)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile1" EXIT # cleanup if aborted
+
+RULESET="table inet filter { }
+include \"$tmpfile1\""
+
+RULESET2="chain inet filter input2 {
+ type filter hook input priority filter; policy accept;
+ ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop
+}"
+
+echo "$RULESET2" > $tmpfile1
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/include/dumps/0001absolute_0.nft b/tests/shell/testcases/include/dumps/0001absolute_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0001absolute_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0002relative_0.nft b/tests/shell/testcases/include/dumps/0002relative_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0002relative_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0003includepath_0.nft b/tests/shell/testcases/include/dumps/0003includepath_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0003includepath_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0004endlessloop_1.nft b/tests/shell/testcases/include/dumps/0004endlessloop_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0004endlessloop_1.nft
diff --git a/tests/shell/testcases/include/dumps/0005glob_empty_0.nft b/tests/shell/testcases/include/dumps/0005glob_empty_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0005glob_empty_0.nft
diff --git a/tests/shell/testcases/include/dumps/0006glob_single_0.nft b/tests/shell/testcases/include/dumps/0006glob_single_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0006glob_single_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0007glob_double_0.nft b/tests/shell/testcases/include/dumps/0007glob_double_0.nft
new file mode 100644
index 0000000..e4e5f9b
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0007glob_double_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+}
+table ip y {
+}
diff --git a/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft
diff --git a/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft b/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft
diff --git a/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft
diff --git a/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft b/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+ chain y {
+ }
+}
diff --git a/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft b/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft
diff --git a/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft
diff --git a/tests/shell/testcases/include/dumps/0014glob_directory_0.nft b/tests/shell/testcases/include/dumps/0014glob_directory_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0014glob_directory_0.nft
diff --git a/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+ chain y {
+ }
+}
diff --git a/tests/shell/testcases/include/dumps/0016maxdepth_0.nft b/tests/shell/testcases/include/dumps/0016maxdepth_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0016maxdepth_0.nft
diff --git a/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft
diff --git a/tests/shell/testcases/include/dumps/0018include_error_0.nft b/tests/shell/testcases/include/dumps/0018include_error_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0018include_error_0.nft
diff --git a/tests/shell/testcases/include/dumps/0019include_error_0.nft b/tests/shell/testcases/include/dumps/0019include_error_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0019include_error_0.nft
diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.nft b/tests/shell/testcases/include/dumps/0020include_chain_0.nft
new file mode 100644
index 0000000..3ad6db1
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0020include_chain_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+ chain input2 {
+ type filter hook input priority filter; policy accept;
+ ip saddr 1.2.3.4 tcp dport { 22, 123, 443 } drop
+ }
+}
diff --git a/tests/shell/testcases/json/0001set_statements_0 b/tests/shell/testcases/json/0001set_statements_0
new file mode 100755
index 0000000..fc4941f
--- /dev/null
+++ b/tests/shell/testcases/json/0001set_statements_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "testt", "handle": 3}}, {"set": {"family": "ip", "name": "ssh_meter", "table": "testt", "type": "ipv4_addr", "handle": 2, "size": 65535}}, {"chain": {"family": "ip", "table": "testt", "name": "testc", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}}, {"rule": {"family": "ip", "table": "testt", "chain": "testc", "handle": 3, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"set": {"op": "add", "elem": {"payload": {"protocol": "ip", "field": "saddr"}}, "stmt": [{"limit": {"rate": 10, "burst": 5, "per": "second"}}], "set": "@ssh_meter"}}, {"accept": null}]}}]}'
+
+$NFT -j -f - <<< $RULESET
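Review bot: `<<< $RULESET` on the last line leaves the variable unquoted, whereas the listing tests in this commit write `<<< "$EXPECTED"`. Quoting it as `$NFT -j -f - <<< "$RULESET"` hands nft the JSON byte-for-byte on every bash version instead of relying on here-strings not being word-split. The same line appears in 0002table_map_0, 0003json_schema_version_0, 0004json_schema_version_1, 0005secmark_objref_0, 0006obj_comment_0 and json/netdev.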
diff --git a/tests/shell/testcases/json/0002table_map_0 b/tests/shell/testcases/json/0002table_map_0
new file mode 100755
index 0000000..b375e99
--- /dev/null
+++ b/tests/shell/testcases/json/0002table_map_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "t", "handle": 4}}, {"map": {"family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [{"counter": {"packets": 0, "bytes": 0}}]}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0003json_schema_version_0 b/tests/shell/testcases/json/0003json_schema_version_0
new file mode 100755
index 0000000..43f387a
--- /dev/null
+++ b/tests/shell/testcases/json/0003json_schema_version_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0004json_schema_version_1 b/tests/shell/testcases/json/0004json_schema_version_1
new file mode 100755
index 0000000..0f8d586
--- /dev/null
+++ b/tests/shell/testcases/json/0004json_schema_version_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 999}}]}'
+
+$NFT -j -f - <<< $RULESET && exit 1
+
+exit 0
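Review bot: `$NFT -j -f - <<< $RULESET && exit 1` followed by `exit 0` accepts every non-zero status as the expected rejection, so an nft that dies on a signal while parsing the unsupported schema version (status above 128) would also count as a pass. Capturing the status narrows this: `rc=0; $NFT -j -f - <<< "$RULESET" || rc=$?` and then `[ "$rc" -eq 1 ] || exit 1`, assuming 1 is the status nft returns for a rejected ruleset. Matching stderr against the schema-version error would make the test more specific still.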
diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0
new file mode 100755
index 0000000..992d1b0
--- /dev/null
+++ b/tests/shell/testcases/json/0005secmark_objref_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 4}}, {"secmark": {"family": "inet", "name": "ssh_server", "table": "x", "handle": 1, "context": "system_u:object_r:ssh_server_packet_t:s0"}}, {"chain": {"family": "inet", "table": "x", "name": "y", "handle": 2, "type": "filter", "hook": "input", "prio": -225, "policy": "accept"}}, {"chain": {"family": "inet", "table": "x", "name": "z", "handle": 3, "type": "filter", "hook": "output", "prio": 225, "policy": "accept"}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 4, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 2222}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"secmark": "ssh_server"}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 5, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 6, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 7, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 8, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0006obj_comment_0 b/tests/shell/testcases/json/0006obj_comment_0
new file mode 100755
index 0000000..4c2a0e8
--- /dev/null
+++ b/tests/shell/testcases/json/0006obj_comment_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "t", "handle": 9}}, {"counter": {"family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.nft b/tests/shell/testcases/json/dumps/0001set_statements_0.nft
new file mode 100644
index 0000000..d80a432
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0001set_statements_0.nft
@@ -0,0 +1,12 @@
+table ip testt {
+ set ssh_meter {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain testc {
+ type filter hook input priority filter; policy accept;
+ tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate 10/second burst 5 packets } accept
+ }
+}
diff --git a/tests/shell/testcases/json/dumps/0002table_map_0.nft b/tests/shell/testcases/json/dumps/0002table_map_0.nft
new file mode 100644
index 0000000..357e92c
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0002table_map_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+ map m {
+ type ipv4_addr : mark
+ counter
+ }
+}
diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft
diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft
diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft
new file mode 100644
index 0000000..4c218e9
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft
@@ -0,0 +1,18 @@
+table inet x {
+ secmark ssh_server {
+ "system_u:object_r:ssh_server_packet_t:s0"
+ }
+
+ chain y {
+ type filter hook input priority -225; policy accept;
+ tcp dport 2222 ct state new meta secmark set "ssh_server"
+ ct state new ct secmark set meta secmark
+ ct state established,related meta secmark set ct secmark
+ }
+
+ chain z {
+ type filter hook output priority 225; policy accept;
+ ct state new ct secmark set meta secmark
+ ct state established,related meta secmark set ct secmark
+ }
+}
diff --git a/tests/shell/testcases/json/dumps/0006obj_comment_0.nft b/tests/shell/testcases/json/dumps/0006obj_comment_0.nft
new file mode 100644
index 0000000..e52b21b
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0006obj_comment_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+ counter mycounter {
+ comment "my comment in counter"
+ packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/json/dumps/netdev.nft b/tests/shell/testcases/json/dumps/netdev.nft
new file mode 100644
index 0000000..3c568ed
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/netdev.nft
@@ -0,0 +1,2 @@
+table netdev test_table {
+}
diff --git a/tests/shell/testcases/json/netdev b/tests/shell/testcases/json/netdev
new file mode 100755
index 0000000..8c16cf4
--- /dev/null
+++ b/tests/shell/testcases/json/netdev
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+iface_cleanup() {
+ ip link del d0 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add d0 type dummy
+
+$NFT flush ruleset
+$NFT add table inet test
+$NFT add chain inet test c
+
+$NFT flush ruleset
+
+RULESET='{"nftables":[{"flush":{"ruleset":null}},{"add":{"table":{"family":"netdev","name":"test_table"}}},{"add":{"chain":{"family":"netdev","table":"test_table","name":"test_chain","type":"filter","hook":"ingress","prio":0,"dev":"d0","policy":"accept"}}}]}'
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+ $NFT -j -f - <<< $RULESET
+fi
+
+if [ "$NFT_TEST_HAVE_json" = n ]; then
+ echo "Test partially skipped due to missing JSON support."
+ exit 77
+fi
diff --git a/tests/shell/testcases/listing/0001ruleset_0 b/tests/shell/testcases/listing/0001ruleset_0
new file mode 100755
index 0000000..19cb3b0
--- /dev/null
+++ b/tests/shell/testcases/listing/0001ruleset_0
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# list ruleset shows a table
+
+set -e
+
+$NFT add table test
diff --git a/tests/shell/testcases/listing/0002ruleset_0 b/tests/shell/testcases/listing/0002ruleset_0
new file mode 100755
index 0000000..b4a535c
--- /dev/null
+++ b/tests/shell/testcases/listing/0002ruleset_0
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# list ruleset show nothing if empty ruleset
+
+EXPECTED=""
+
+set -e
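Review bot: `EXPECTED=""` is assigned but never read, and the script runs no nft command at all, so the claim in the header comment is not checked here. It presumably rests on the harness comparing the ruleset with the empty dump file dumps/0002ruleset_0.nft added by this commit. Dropping the variable and saying so, for example `# no commands: the empty dump file is the expected listing`, would make that explicit; confirm the harness behaviour before wording the comment as fact.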
diff --git a/tests/shell/testcases/listing/0003table_0 b/tests/shell/testcases/listing/0003table_0
new file mode 100755
index 0000000..5060be0
--- /dev/null
+++ b/tests/shell/testcases/listing/0003table_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# list table show what is expected
+
+EXPECTED="table ip test {
+}"
+
+set -e
+
+$NFT add table test
+
+GET="$($NFT list table test)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
+# also this way
+GET="$($NFT list table ip test)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0004table_0 b/tests/shell/testcases/listing/0004table_0
new file mode 100755
index 0000000..1d69119
--- /dev/null
+++ b/tests/shell/testcases/listing/0004table_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# list table only show table asked for
+
+EXPECTED="table ip test {
+}"
+
+set -e
+
+$NFT add table test
+$NFT add table test2
+
+GET="$($NFT list table test)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
diff --git a/tests/shell/testcases/listing/0005ruleset_ip_0 b/tests/shell/testcases/listing/0005ruleset_ip_0
new file mode 100755
index 0000000..39c0328
--- /dev/null
+++ b/tests/shell/testcases/listing/0005ruleset_ip_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table ip test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset ip)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0006ruleset_ip6_0 b/tests/shell/testcases/listing/0006ruleset_ip6_0
new file mode 100755
index 0000000..1b67f50
--- /dev/null
+++ b/tests/shell/testcases/listing/0006ruleset_ip6_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table ip6 test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset ip6)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0007ruleset_inet_0 b/tests/shell/testcases/listing/0007ruleset_inet_0
new file mode 100755
index 0000000..257c7a9
--- /dev/null
+++ b/tests/shell/testcases/listing/0007ruleset_inet_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table inet test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset inet)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0008ruleset_arp_0 b/tests/shell/testcases/listing/0008ruleset_arp_0
new file mode 100755
index 0000000..be42c47
--- /dev/null
+++ b/tests/shell/testcases/listing/0008ruleset_arp_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table arp test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset arp)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0009ruleset_bridge_0 b/tests/shell/testcases/listing/0009ruleset_bridge_0
new file mode 100755
index 0000000..c6a99f5
--- /dev/null
+++ b/tests/shell/testcases/listing/0009ruleset_bridge_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table bridge test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset bridge)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0010sets_0 b/tests/shell/testcases/listing/0010sets_0
new file mode 100755
index 0000000..0f5f2bd
--- /dev/null
+++ b/tests/shell/testcases/listing/0010sets_0
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# listing all sets
+
+EXPECTED="table ip nat {
+ set ssh {
+ type ipv4_addr
+ }
+}
+table ip6 test {
+ set testset {
+ type ipv6_addr
+ }
+}
+table arp test_arp {
+ set test_set_arp00 {
+ type inet_service
+ }
+ set test_set_arp01 {
+ type inet_service
+ flags constant
+ }
+}
+table bridge test_bridge {
+ set test_set_bridge {
+ type inet_service
+ }
+}
+table inet filter {
+ set set0 {
+ type inet_service
+ }
+ set set1 {
+ type inet_service
+ flags constant
+ }
+ set set2 {
+ type icmpv6_type
+ }
+}"
+
+set -e
+
+$NFT add table ip nat
+$NFT add set ip nat ssh { type ipv4_addr \; }
+$NFT add table ip6 test
+$NFT add set ip6 test testset { type ipv6_addr \; }
+$NFT add table arp test_arp
+$NFT add set arp test_arp test_set_arp00 { type inet_service \; }
+$NFT add set arp test_arp test_set_arp01 { type inet_service \; flags constant \; }
+$NFT add table bridge test_bridge
+$NFT add set bridge test_bridge test_set_bridge { type inet_service \; }
+$NFT add table inet filter
+$NFT add set inet filter set0 { type inet_service \; }
+$NFT add set inet filter set1 { type inet_service \; flags constant \; }
+$NFT add set inet filter set2 { type icmpv6_type \; }
+
+GET="$($NFT list sets)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0011sets_0 b/tests/shell/testcases/listing/0011sets_0
new file mode 100755
index 0000000..b6f12b5
--- /dev/null
+++ b/tests/shell/testcases/listing/0011sets_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# listing all sets, no anonymous sets allowed
+
+EXPECTED="table ip nat {
+}
+table ip6 test {
+}
+table arp test_arp {
+}
+table bridge test_bridge {
+}
+table inet filter {
+}"
+
+set -e
+
+$NFT add table ip nat
+$NFT add chain ip nat test
+$NFT add rule ip nat test tcp dport {123, 321}
+
+$NFT add table ip6 test
+$NFT add chain ip6 test test
+$NFT add rule ip6 test test udp sport {123, 321}
+
+$NFT add table arp test_arp
+$NFT add chain arp test_arp test
+$NFT add rule arp test_arp test meta mark {123, 321}
+
+$NFT add table bridge test_bridge
+$NFT add chain bridge test_bridge test
+$NFT add rule bridge test_bridge test ip daddr {1.1.1.1, 2.2.2.2}
+
+$NFT add table inet filter
+$NFT add chain inet filter test
+$NFT add rule inet filter test tcp dport {80, 443}
+
+GET="$($NFT list sets)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0012sets_0 b/tests/shell/testcases/listing/0012sets_0
new file mode 100755
index 0000000..6e4c959
--- /dev/null
+++ b/tests/shell/testcases/listing/0012sets_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# listing all sets, filtering by family
+
+EXPECTED="table inet filter {
+ set set0 {
+ type inet_service
+ }
+ set set1 {
+ type inet_service
+ flags constant
+ }
+ set set2 {
+ type icmpv6_type
+ }
+}"
+
+set -e
+
+$NFT add table ip nat
+$NFT add set ip nat ssh { type ipv4_addr \; }
+$NFT add table ip6 test
+$NFT add set ip6 test testset { type ipv6_addr \; }
+$NFT add table arp test_arp
+$NFT add set arp test_arp test_set_arp00 { type inet_service \; }
+$NFT add set arp test_arp test_set_arp01 { type inet_service \; flags constant \; }
+$NFT add table bridge test_bridge
+$NFT add set bridge test_bridge test_set_bridge { type inet_service \; }
+$NFT add table inet filter
+$NFT add set inet filter set0 { type inet_service \; }
+$NFT add set inet filter set1 { type inet_service \; flags constant \; }
+$NFT add set inet filter set2 { type icmpv6_type \; }
+
+GET="$($NFT list sets inet)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0
new file mode 100755
index 0000000..c78ada9
--- /dev/null
+++ b/tests/shell/testcases/listing/0013objects_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table test
+$NFT add chain test input
+$NFT add quota test https-quota 25 mbytes
+$NFT add ct helper test cthelp { type \"sip\" protocol tcp \; }
+if [ "$NFT_TEST_HAVE_cttimeout" != n ] ; then
+ $NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; }
+fi
+if [ "$NFT_TEST_HAVE_ctexpect" != n ] ; then
+ $NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; }
+fi
+
+if [ "$NFT_TEST_HAVE_cttimeout" = n ] ; then
+ echo "Ran partial test due to NFT_TEST_HAVE_cttimeout=n (skipped)"
+ exit 77
+fi
+if [ "$NFT_TEST_HAVE_ctexpect" = n ] ; then
+ echo "Ran partial test due to NFT_TEST_HAVE_ctexpect=n (skipped)"
+ exit 77
+fi
diff --git a/tests/shell/testcases/listing/0014objects_0 b/tests/shell/testcases/listing/0014objects_0
new file mode 100755
index 0000000..31d94f8
--- /dev/null
+++ b/tests/shell/testcases/listing/0014objects_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# list only the object asked for with table
+
+EXPECTED="table ip test {
+ quota https-quota {
+ 25 mbytes
+ }
+}"
+
+set -e
+
+$NFT add table test
+$NFT add quota test https-quota 25 mbytes
+$NFT add ct helper test cthelp { type \"sip\" protocol tcp \; }
+$NFT add table test-ip
+
+GET="$($NFT list quotas)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
+GET="$($NFT list quota test https-quota)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
diff --git a/tests/shell/testcases/listing/0015dynamic_0 b/tests/shell/testcases/listing/0015dynamic_0
new file mode 100755
index 0000000..65fbe62
--- /dev/null
+++ b/tests/shell/testcases/listing/0015dynamic_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# list only the object asked for with table
+
+EXPECTED="table ip filter {
+ set test_set {
+ type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto
+ size 100000
+ flags dynamic,timeout
+ }
+}"
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
+
+GET="$($NFT list set ip filter test_set)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
+$NFT flush set ip filter test_set
diff --git a/tests/shell/testcases/listing/0016anonymous_0 b/tests/shell/testcases/listing/0016anonymous_0
new file mode 100755
index 0000000..83acbcc
--- /dev/null
+++ b/tests/shell/testcases/listing/0016anonymous_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+$NFT add table x
+$NFT add chain x y
+$NFT add rule x y ip saddr { 1.1.1.1 }
+$NFT add rule x y meta mark set ip saddr map { 1.1.1.1 : 2 }
+
+$NFT list set x __set0 &>/dev/null
+ret=$?
+if [ $ret -eq 0 ]
+then
+ exit 1
+fi
+
+$NFT flush set x __set0 &>/dev/null
+ret=$?
+if [ $ret -eq 0 ]
+then
+ exit 1
+fi
+
+$NFT list map x __map0 &>/dev/null
+if [ $ret -eq 0 ]
+then
+ exit 1
+fi
+
+$NFT flush map x __map0 &>/dev/null
+ret=$?
+if [ $ret -eq 0 ]
+then
+ exit 1
+fi
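Review bot: The `list map x __map0` check tests a stale `ret`: unlike the other three checks, that command is not followed by `ret=$?`, so the `if` reads the status left by `flush set`, which is already known to be non-zero at that point, and the branch can never fire. Adding `ret=$?` directly after `$NFT list map x __map0 &>/dev/null` restores the check. The script also runs without `set -e`, so if any of the four setup commands fails every lookup fails too and the test passes; `$NFT add table x || exit 1`, and likewise for the chain and the two rules, would rule that out.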
diff --git a/tests/shell/testcases/listing/0017objects_0 b/tests/shell/testcases/listing/0017objects_0
new file mode 100755
index 0000000..c4e72db
--- /dev/null
+++ b/tests/shell/testcases/listing/0017objects_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table inet filter {
+ map countermap {
+ type ipv4_addr : counter
+ }
+}"
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
+$NFT flush map inet filter countermap
+
+GET="$($NFT list map inet filter countermap)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0018data_0 b/tests/shell/testcases/listing/0018data_0
new file mode 100755
index 0000000..4af253d
--- /dev/null
+++ b/tests/shell/testcases/listing/0018data_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table inet filter {
+ map ipmap {
+ type ipv4_addr : ipv4_addr
+ }
+}"
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
+$NFT flush map inet filter ipmap
+
+GET="$($NFT list map inet filter ipmap)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0019set_0 b/tests/shell/testcases/listing/0019set_0
new file mode 100755
index 0000000..6e8cb4d
--- /dev/null
+++ b/tests/shell/testcases/listing/0019set_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table inet filter {
+ set ipset {
+ type ipv4_addr
+ }
+}"
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
+$NFT flush set inet filter ipset
+
+GET="$($NFT list set inet filter ipset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/0020flowtable_0 b/tests/shell/testcases/listing/0020flowtable_0
new file mode 100755
index 0000000..6eb82cf
--- /dev/null
+++ b/tests/shell/testcases/listing/0020flowtable_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# list only the flowtable asked for with table
+
+set -e
+
+FLOWTABLES="flowtable f {
+ hook ingress priority filter
+ devices = { lo }
+}
+flowtable f2 {
+ hook ingress priority filter
+ devices = { d0 }
+}"
+
+RULESET="table inet filter {
+ $FLOWTABLES
+}
+table ip filter {
+ $FLOWTABLES
+}"
+
+EXPECTED="table inet filter {
+ flowtable f {
+ hook ingress priority filter
+ devices = { lo }
+ }
+}"
+EXPECTED2="table ip filter {
+ flowtable f2 {
+ hook ingress priority filter
+ devices = { d0 }
+ }
+}"
+EXPECTED3="table ip filter {
+ flowtable f {
+ hook ingress priority filter
+ devices = { lo }
+ }
+ flowtable f2 {
+ hook ingress priority filter
+ devices = { d0 }
+ }
+}"
+
+iface_cleanup() {
+ ip link del d0 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add d0 type dummy
+
+$NFT -f - <<< "$RULESET"
+
+GET="$($NFT list flowtable inet filter f)"
+$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+
+GET="$($NFT list flowtable ip filter f2)"
+$DIFF -u <(echo "$EXPECTED2") <(echo "$GET")
+
+GET="$($NFT list flowtables ip)"
+$DIFF -u <(echo "$EXPECTED3") <(echo "$GET")
diff --git a/tests/shell/testcases/listing/0021ruleset_json_terse_0 b/tests/shell/testcases/listing/0021ruleset_json_terse_0
new file mode 100755
index 0000000..98a7ce8
--- /dev/null
+++ b/tests/shell/testcases/listing/0021ruleset_json_terse_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+$NFT flush ruleset
+$NFT add table ip test
+$NFT add chain ip test c
+$NFT add set ip test s { type ipv4_addr\; }
+$NFT add element ip test s { 192.168.3.4, 192.168.3.5 }
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+ if $NFT -j -t list ruleset | grep '192\.168'
+ then
+ exit 1
+ fi
+fi
+
+if [ "$NFT_TEST_HAVE_json" = n ]; then
+ echo "Test partially skipped due to missing JSON support."
+ exit 77
+fi
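Review bot: The terse check passes vacuously when anything before the `grep` fails: the script has no `set -e`, so a failed `add set` or `add element` is ignored, and inside the `if` condition a failing `$NFT -j -t list ruleset` simply gives `grep` empty input. Adding `set -e` after the shebang and capturing the listing first, `out=$($NFT -j -t list ruleset)` followed by `if grep '192\.168' <<< "$out"`, turns those cases into failures. A short header comment stating that `-t` must keep set elements out of the JSON listing would also help, since the script has none.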
diff --git a/tests/shell/testcases/listing/0022terse_0 b/tests/shell/testcases/listing/0022terse_0
new file mode 100755
index 0000000..4841771
--- /dev/null
+++ b/tests/shell/testcases/listing/0022terse_0
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+ set example {
+ type ipv4_addr
+ flags interval
+ elements = { 10.10.10.10, 10.10.11.11 }
+ }
+
+ chain input {
+ type filter hook prerouting priority filter; policy accept;
+ ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+ }
+}"
+
+set -e
+
+$NFT -f - <<< "$RULESET"
+
+GET="$($NFT list ruleset)"
+if [ "$RULESET" != "$GET" ] ; then
+ $DIFF -u <(echo "$RULESET") <(echo "$GET")
+ exit 1
+fi
+
+EXPECTED="table inet filter {
+ set example {
+ type ipv4_addr
+ flags interval
+ }
+
+ chain input {
+ type filter hook prerouting priority filter; policy accept;
+ ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+ }
+}"
+
+GET="$($NFT -t list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
+EXPECTED="table inet filter {
+ set example {
+ type ipv4_addr
+ flags interval
+ elements = { 10.10.10.10, 10.10.11.11 }
+ }
+}"
+
+GET="$($NFT list set inet filter example)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
+EXPECTED="table inet filter {
+ set example {
+ type ipv4_addr
+ flags interval
+ }
+}"
+
+GET="$($NFT -t list set inet filter example)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/listing/dumps/0001ruleset_0.nft b/tests/shell/testcases/listing/dumps/0001ruleset_0.nft
new file mode 100644
index 0000000..1c9f40c
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0001ruleset_0.nft
@@ -0,0 +1,2 @@
+table ip test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0002ruleset_0.nft b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft
diff --git a/tests/shell/testcases/listing/dumps/0003table_0.nft b/tests/shell/testcases/listing/dumps/0003table_0.nft
new file mode 100644
index 0000000..1c9f40c
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0003table_0.nft
@@ -0,0 +1,2 @@
+table ip test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0004table_0.nft b/tests/shell/testcases/listing/dumps/0004table_0.nft
new file mode 100644
index 0000000..56d035d
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0004table_0.nft
@@ -0,0 +1,4 @@
+table ip test {
+}
+table ip test2 {
+}
diff --git a/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0010sets_0.nft b/tests/shell/testcases/listing/dumps/0010sets_0.nft
new file mode 100644
index 0000000..7303c40
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0010sets_0.nft
@@ -0,0 +1,39 @@
+table ip nat {
+ set ssh {
+ type ipv4_addr
+ }
+}
+table ip6 test {
+ set testset {
+ type ipv6_addr
+ }
+}
+table arp test_arp {
+ set test_set_arp00 {
+ type inet_service
+ }
+
+ set test_set_arp01 {
+ type inet_service
+ flags constant
+ }
+}
+table bridge test_bridge {
+ set test_set_bridge {
+ type inet_service
+ }
+}
+table inet filter {
+ set set0 {
+ type inet_service
+ }
+
+ set set1 {
+ type inet_service
+ flags constant
+ }
+
+ set set2 {
+ type icmpv6_type
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0011sets_0.nft b/tests/shell/testcases/listing/dumps/0011sets_0.nft
new file mode 100644
index 0000000..4d0aeaf
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0011sets_0.nft
@@ -0,0 +1,25 @@
+table ip nat {
+ chain test {
+ tcp dport { 123, 321 }
+ }
+}
+table ip6 test {
+ chain test {
+ udp sport { 123, 321 }
+ }
+}
+table arp test_arp {
+ chain test {
+ meta mark { 0x0000007b, 0x00000141 }
+ }
+}
+table bridge test_bridge {
+ chain test {
+ ip daddr { 1.1.1.1, 2.2.2.2 }
+ }
+}
+table inet filter {
+ chain test {
+ tcp dport { 80, 443 }
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0012sets_0.nft b/tests/shell/testcases/listing/dumps/0012sets_0.nft
new file mode 100644
index 0000000..7303c40
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0012sets_0.nft
@@ -0,0 +1,39 @@
+table ip nat {
+ set ssh {
+ type ipv4_addr
+ }
+}
+table ip6 test {
+ set testset {
+ type ipv6_addr
+ }
+}
+table arp test_arp {
+ set test_set_arp00 {
+ type inet_service
+ }
+
+ set test_set_arp01 {
+ type inet_service
+ flags constant
+ }
+}
+table bridge test_bridge {
+ set test_set_bridge {
+ type inet_service
+ }
+}
+table inet filter {
+ set set0 {
+ type inet_service
+ }
+
+ set set1 {
+ type inet_service
+ flags constant
+ }
+
+ set set2 {
+ type icmpv6_type
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.nft b/tests/shell/testcases/listing/dumps/0013objects_0.nft
new file mode 100644
index 0000000..427db26
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0013objects_0.nft
@@ -0,0 +1,27 @@
+table ip test {
+ quota https-quota {
+ 25 mbytes
+ }
+
+ ct helper cthelp {
+ type "sip" protocol tcp
+ l3proto ip
+ }
+
+ ct timeout cttime {
+ protocol udp
+ l3proto ip
+ policy = { unreplied : 15s, replied : 12s }
+ }
+
+ ct expectation ctexpect {
+ protocol tcp
+ dport 5432
+ timeout 1h
+ size 12
+ l3proto ip
+ }
+
+ chain input {
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0014objects_0.nft b/tests/shell/testcases/listing/dumps/0014objects_0.nft
new file mode 100644
index 0000000..9281a1a
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0014objects_0.nft
@@ -0,0 +1,12 @@
+table ip test {
+ quota https-quota {
+ 25 mbytes
+ }
+
+ ct helper cthelp {
+ type "sip" protocol tcp
+ l3proto ip
+ }
+}
+table ip test-ip {
+}
diff --git a/tests/shell/testcases/listing/dumps/0015dynamic_0.nft b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft
new file mode 100644
index 0000000..0f4244b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft
@@ -0,0 +1,7 @@
+table ip filter {
+ set test_set {
+ type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto
+ size 100000
+ flags dynamic,timeout
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0016anonymous_0.nft b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft
new file mode 100644
index 0000000..cb08933
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+ chain y {
+ ip saddr 1.1.1.1
+ meta mark set ip saddr map { 1.1.1.1 : 0x00000002 }
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0017objects_0.nft b/tests/shell/testcases/listing/dumps/0017objects_0.nft
new file mode 100644
index 0000000..e60e3af
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0017objects_0.nft
@@ -0,0 +1,5 @@
+table inet filter {
+ map countermap {
+ type ipv4_addr : counter
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0018data_0.nft b/tests/shell/testcases/listing/dumps/0018data_0.nft
new file mode 100644
index 0000000..5d31855
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0018data_0.nft
@@ -0,0 +1,5 @@
+table inet filter {
+ map ipmap {
+ type ipv4_addr : ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0019set_0.nft b/tests/shell/testcases/listing/dumps/0019set_0.nft
new file mode 100644
index 0000000..915922c
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0019set_0.nft
@@ -0,0 +1,5 @@
+table inet filter {
+ set ipset {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft
new file mode 100644
index 0000000..4a64e53
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft
@@ -0,0 +1,20 @@
+table inet filter {
+ flowtable f {
+ hook ingress priority filter
+ devices = { lo }
+ }
+
+ flowtable f2 {
+ hook ingress priority filter
+ }
+}
+table ip filter {
+ flowtable f {
+ hook ingress priority filter
+ devices = { lo }
+ }
+
+ flowtable f2 {
+ hook ingress priority filter
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft
new file mode 100644
index 0000000..13c8ac6
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft
@@ -0,0 +1,9 @@
+table ip test {
+ set s {
+ type ipv4_addr
+ elements = { 192.168.3.4, 192.168.3.5 }
+ }
+
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.nft b/tests/shell/testcases/listing/dumps/0022terse_0.nft
new file mode 100644
index 0000000..40665cb
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0022terse_0.nft
@@ -0,0 +1,12 @@
+table inet filter {
+ set example {
+ type ipv4_addr
+ flags interval
+ elements = { 10.10.10.10, 10.10.11.11 }
+ }
+
+ chain input {
+ type filter hook prerouting priority filter; policy accept;
+ ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+ }
+}
diff --git a/tests/shell/testcases/maps/0003map_add_many_elements_0 b/tests/shell/testcases/maps/0003map_add_many_elements_0
new file mode 100755
index 0000000..2b254c5
--- /dev/null
+++ b/tests/shell/testcases/maps/0003map_add_many_elements_0
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# test adding many map elements
+
+HOWMANY=31
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate_add() {
+ echo -n "{"
+ for ((i=HOWMANY; i>=1; i--)) ; do
+ for ((j=HOWMANY; j>=1; j--)) ; do
+ [ "$i" == 1 ] && [ "$j" == 1 ] && break
+ echo -n "10.0.${i}.${j} : 10.0.${i}.${j}, "
+ done
+ done
+ echo -n "}"
+}
+
+generate_test() {
+ count=0
+ elements=""
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ ((count++))
+ elements="${elements}10.0.${i}.${j} : 10.0.${i}.${j}"
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ if [ "$count" == "2" ] ; then
+ count=0
+ elements="${elements},\\n\\t\\t\\t "
+ else
+ elements="${elements}, "
+ fi
+ done
+ done
+ echo -e "$elements"
+}
+
+echo "add table x
+add map x y { type ipv4_addr : ipv4_addr; }
+add element x y $(generate_add)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+n=$HOWMANY
+echo "add element x y { 10.0.1.1 : 10.0.1.1 }" > $tmpfile
+$NFT -f $tmpfile
+
+EXPECTED="table ip x {
+ map y {
+ type ipv4_addr : ipv4_addr
+ elements = { "$(generate_test)" }
+ }
+}"
+GET=$($NFT list ruleset)
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
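Review bot: The temp-file guard `if [ ! -w $tmpfile ]` does not fire when `mktemp` fails, because the unquoted empty expansion leaves `[ ! -w ]`, which tests the non-empty string `-w` and is false; the script then continues without a usable temp file. Quote the variable and fail on the mktemp status, `tmpfile=$(mktemp) || exit 1` with `[ ! -w "$tmpfile" ]`; the existing `exit 0` would in any case report a pass when setup failed. The trap expands `$tmpfile` unquoted at definition time, and `trap 'rm -f -- "$tmpfile"' EXIT` is the safer form. The same guard and trap appear in 0004interval_map_create_once_0 and 0005interval_map_add_many_elements_0. Separately, `n=$HOWMANY` is assigned here but never read.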
diff --git a/tests/shell/testcases/maps/0004interval_map_create_once_0 b/tests/shell/testcases/maps/0004interval_map_create_once_0
new file mode 100755
index 0000000..64f434a
--- /dev/null
+++ b/tests/shell/testcases/maps/0004interval_map_create_once_0
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# test adding many elements to an interval map
+# this always works because nft is only called once
+
+HOWMANY=63
+
+if [ "$NFT_TEST_SKIP_slow" = y ] ; then
+ HOWMANY=5
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate_add() {
+ echo -n "{"
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ echo -n "10.${i}.${j}.0/24 : 10.0.${i}.${j}"
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ echo -n ", "
+ done
+ done
+ echo -n "}"
+}
+
+generate_test() {
+ count=0
+ elements=""
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ ((count++))
+ elements="${elements}10.${i}.${j}.0/24 : 10.0.${i}.${j}"
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ if [ "$count" == "2" ] ; then
+ count=0
+ elements="${elements},\\n\\t\\t\\t "
+ else
+ elements="${elements}, "
+ fi
+ done
+ done
+ echo -e "$elements"
+}
+
+echo "add table x
+add map x y { type ipv4_addr : ipv4_addr; flags interval; }
+add element x y $(generate_add)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+EXPECTED="table ip x {
+ map y {
+ type ipv4_addr : ipv4_addr
+ flags interval
+ elements = { "$(generate_test)" }
+ }
+}"
+GET=$($NFT list ruleset)
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
+if [ "$HOWMANY" != 63 ] ; then
+ echo "Run a partial test due to NFT_TEST_SKIP_slow=y. Skip"
+ exit 77
+fi
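Review bot: The final skip check `if [ "$HOWMANY" != 63 ]` repeats the default as a magic number, so changing `HOWMANY=63` at the top without touching the last block would make every full run exit 77. Testing the condition that caused the reduction states the intent directly: `if [ "$NFT_TEST_SKIP_slow" = y ] ; then`.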
diff --git a/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0
new file mode 100755
index 0000000..0714963
--- /dev/null
+++ b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# test adding many elements to an interval map
+# even with HOWMANY=2 there are memory allocation failures in the current
+# master - the patch fixes that
+# NOTE this is only an issue with two separate nft calls
+
+HOWMANY=2
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate_add() {
+ echo -n "{"
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ echo -n "10.${i}.${j}.0/24 : 10.0.${i}.${j}, "
+ done
+ done
+ echo -n "}"
+}
+
+generate_test() {
+ count=0
+ elements=""
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ ((count++))
+ elements="${elements}10.${i}.${j}.0/24 : 10.0.${i}.${j}"
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ if [ "$count" == "2" ] ; then
+ count=0
+ elements="${elements},\\n\\t\\t\\t "
+ else
+ elements="${elements}, "
+ fi
+ done
+ done
+ echo -e "$elements"
+}
+
+echo "add table x
+add map x y { type ipv4_addr : ipv4_addr; flags interval; }
+add element x y $(generate_add)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+n=$HOWMANY
+echo "add element x y { 10.${n}.${n}.0/24 : 10.0.${n}.${n} }" > $tmpfile
+
+$NFT -f $tmpfile
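Review bot: `generate_test` is defined but never called in this script, and nothing compares the resulting ruleset, so the test only checks that the second `$NFT -f $tmpfile` returns success. Either drop the function or add the `EXPECTED`/`GET` comparison that 0003map_add_many_elements_0 uses; whether a dumps/ file covers this case is not visible in the hunk. The header comment's "in the current master - the patch fixes that" points at a state the reader cannot identify, and something like `# regression test: a second nft call adding to an interval map used to hit memory allocation failures` would age better.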
diff --git a/tests/shell/testcases/maps/0006interval_map_overlap_0 b/tests/shell/testcases/maps/0006interval_map_overlap_0
new file mode 100755
index 0000000..4606ce3
--- /dev/null
+++ b/tests/shell/testcases/maps/0006interval_map_overlap_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# test adding elements to an interval map
+# shows how disjoint intervals are seen as overlaps
+# NOTE this is only an issue with two separate nft calls
+
+n=1
+RULESET="add table x
+add map x y { type ipv4_addr : ipv4_addr; flags interval; }
+add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }"
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+n=2
+$NFT "add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }"
diff --git a/tests/shell/testcases/maps/0007named_ifname_dtype_0 b/tests/shell/testcases/maps/0007named_ifname_dtype_0
new file mode 100755
index 0000000..b5c5116
--- /dev/null
+++ b/tests/shell/testcases/maps/0007named_ifname_dtype_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# support for ifname in named maps
+
+EXPECTED="table inet t {
+ map m1 {
+ type ifname : ipv4_addr
+ elements = { \"eth0\" : 1.1.1.1 }
+ }
+
+ chain c {
+ ip daddr set iifname map @m1
+ ip daddr set oifname map @m1
+ }
+}"
+
+set -e
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0008interval_map_delete_0 b/tests/shell/testcases/maps/0008interval_map_delete_0
new file mode 100755
index 0000000..39ea312
--- /dev/null
+++ b/tests/shell/testcases/maps/0008interval_map_delete_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip filter {
+ map m {
+ type ipv4_addr : mark
+ flags interval
+ elements = { 127.0.0.2 : 0x00000002, 127.0.0.3 : 0x00000003 }
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ meta mark set ip daddr map @m
+ meta mark 0x00000002 counter accept
+ meta mark 0x00000003 counter accept
+ counter
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
+$NFT delete element filter m { 127.0.0.2 }
+$NFT delete element filter m { 127.0.0.3 }
+$NFT add element filter m { 127.0.0.3 : 0x3 }
+$NFT add element filter m { 127.0.0.2 : 0x2 }
+
+GET=$($NFT -s list ruleset)
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0
new file mode 100755
index 0000000..d31e160
--- /dev/null
+++ b/tests/shell/testcases/maps/0009vmap_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet filter {
+ chain ssh_input {
+ }
+
+ chain wan_input {
+ tcp dport vmap { 22 : jump ssh_input }
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept;
+ iif vmap { "lo" counter : jump wan_input }
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
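Review bot: In `iif vmap { "lo" counter : jump wan_input }` the inner double quotes are not escaped, so they close and reopen the shell string around `lo` and nft receives the bare word lo rather than a quoted interface name. If the quoted form is what the test is meant to feed the parser, escape them the way 0007named_ifname_dtype_0 does: `iif vmap { \"lo\" counter : jump wan_input }`. 0011vmap_0 has the same unescaped `"lo"` in its prerouting chain.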
diff --git a/tests/shell/testcases/maps/0010concat_map_0 b/tests/shell/testcases/maps/0010concat_map_0
new file mode 100755
index 0000000..4848d97
--- /dev/null
+++ b/tests/shell/testcases/maps/0010concat_map_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet x {
+ map z {
+ type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
+ elements = {
+ 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30
+ }
+ }
+
+ chain y {
+ type nat hook prerouting priority dstnat;
+ dnat ip addr . port to ip saddr . ip protocol . tcp dport map @z
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0011vmap_0 b/tests/shell/testcases/maps/0011vmap_0
new file mode 100755
index 0000000..3e6fa78
--- /dev/null
+++ b/tests/shell/testcases/maps/0011vmap_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet filter {
+ map portmap {
+ type inet_service : verdict
+ counter
+ }
+
+ chain ssh_input {
+ }
+
+ chain wan_input {
+ tcp dport vmap @portmap
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept;
+ iif vmap { "lo" : jump wan_input }
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
+
+if [ "$NFT_TEST_HAVE_catchall_element" != n ]; then
+ $NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }'
+fi
+
+if [ "$NFT_TEST_HAVE_catchall_element" = n ]; then
+ echo "Ran partial tests due to NFT_TEST_HAVE_catchall_element=n (skipped)"
+ exit 77
+fi
diff --git a/tests/shell/testcases/maps/0012map_0 b/tests/shell/testcases/maps/0012map_0
new file mode 100755
index 0000000..49e51b7
--- /dev/null
+++ b/tests/shell/testcases/maps/0012map_0
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define interfaces = { eth0, eth1 }
+
+table ip x {
+ map z {
+ type ifname : verdict
+ elements = { \$interfaces : drop, lo : accept }
+ }
+ chain y {
+ iifname vmap { lo : accept, \$interfaces : drop }
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
+
+EXPECTED="table ip x {
+ map w {
+ typeof ip saddr . meta mark : verdict
+ flags interval
+ counter
+ elements = {
+ 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
+ }
+ }
+
+ chain k {
+ type filter hook input priority filter + 1; policy accept;
+ meta mark set 0x123434
+ ip saddr . meta mark vmap @w
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0
new file mode 100755
index 0000000..70d7fd3
--- /dev/null
+++ b/tests/shell/testcases/maps/0013map_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+flush ruleset
+
+add table ip filter
+add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
+add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; }
+add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol . th dport vmap @forwport counter
+add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/maps/0014destroy_0 b/tests/shell/testcases/maps/0014destroy_0
new file mode 100755
index 0000000..ee81e3c
--- /dev/null
+++ b/tests/shell/testcases/maps/0014destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table x
+
+# pass for non-existent map
+$NFT destroy map x y
+
+# successfully delete existing map
+$NFT add map x y '{ type ipv4_addr : ipv4_addr; }'
+$NFT destroy map x y
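Review bot: `#!/bin/bash -e` puts errexit in the shebang, where it is dropped whenever the file is run as `bash 0014destroy_0`; the sibling map tests set it in the body instead. Use `#!/bin/bash` followed by `set -e` so a failing `$NFT destroy map x y` always fails the test. How the test runner invokes the scripts is not visible in this hunk.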
diff --git a/tests/shell/testcases/maps/0016map_leak_0 b/tests/shell/testcases/maps/0016map_leak_0
new file mode 100755
index 0000000..e110ee4
--- /dev/null
+++ b/tests/shell/testcases/maps/0016map_leak_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip t {
+ map sourcemap {
+ type ipv4_addr : verdict
+ elements = { 100.123.10.2 : jump c }
+ }
+
+ chain c {
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+# again, since it is addition, not creation, it is successful
+$NFT -f - <<< "$RULESET"
+# flush it to check for refcount leak
+$NFT flush ruleset
+
+#
+# again with stateful objects
+#
+
+RULESET="table ip t {
+ counter c {}
+
+ map sourcemap {
+ type ipv4_addr : counter
+ elements = { 100.123.10.2 : \"c\" }
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+# again, since it is addition, not creation, it is successful
+$NFT -f - <<< "$RULESET"
+# flush it to check for refcount leak
+$NFT flush ruleset
diff --git a/tests/shell/testcases/maps/0017_map_variable_0 b/tests/shell/testcases/maps/0017_map_variable_0
new file mode 100755
index 0000000..e01adb4
--- /dev/null
+++ b/tests/shell/testcases/maps/0017_map_variable_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+if [ "$NFT_TEST_HAVE_catchall_element" != n ] ; then
+ CATCHALL="* : 3,"
+else
+ CATCHALL=","
+fi
+
+RULESET="define x = {
+ 1.1.1.1 : 2,
+ $CATCHALL
+}
+
+table ip x {
+ map y {
+ typeof ip saddr : mark
+ elements = \$x
+ }
+ map z {
+ typeof ip saddr : mark
+ elements = \$x
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then
+ echo "Ran modified version of test due to NFT_TEST_HAVE_catchall_element=n (skipped)"
+ exit 77
+fi
diff --git a/tests/shell/testcases/maps/0018map_leak_timeout_0 b/tests/shell/testcases/maps/0018map_leak_timeout_0
new file mode 100755
index 0000000..09db315
--- /dev/null
+++ b/tests/shell/testcases/maps/0018map_leak_timeout_0
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+set -e
+
+RULESET="table ip t {
+ map sourcemap {
+ type ipv4_addr : verdict
+ timeout 3s
+ elements = { 100.123.10.2 : jump c }
+ }
+
+ chain c {
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+# again, since it is addition, not creation, it is successful
+$NFT -f - <<< "$RULESET"
+
+# wait for elements to expire
+sleep 5
+
+# flush it to check for refcount leak
+$NFT flush ruleset
+
+#
+# again with stateful objects
+#
+
+RULESET="table ip t {
+ counter c {}
+
+ map sourcemap {
+ type ipv4_addr : counter
+ timeout 3s
+ elements = { 100.123.10.2 : \"c\" }
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+# again, since it is addition, not creation, it is successful
+$NFT -f - <<< "$RULESET"
+# flush it to check for refcount leak
+
+# wait for elements to expire
+sleep 5
+
+$NFT flush ruleset
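Review bot: In the second half, the comment `# flush it to check for refcount leak` sits above the `sleep 5` block instead of above the `$NFT flush ruleset` it describes, unlike the first half of the script. Move it down so the order reads `# wait for elements to expire`, `sleep 5`, `# flush it to check for refcount leak`, `$NFT flush ruleset`.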
diff --git a/tests/shell/testcases/maps/anon_objmap_concat b/tests/shell/testcases/maps/anon_objmap_concat
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/maps/anon_objmap_concat
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
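Review bot: `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` leaves `$0` unquoted, so a checkout path containing spaces or glob characters is split before `dirname` and `basename` see it, and the script would load the wrong file or none. Quote the expansions: `dumpfile="$(dirname -- "$0")/dumps/$(basename -- "$0").nft"`. A one-line comment saying that the test only checks that the stored dump loads would also help, since the script carries no description.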
diff --git a/tests/shell/testcases/maps/anonymous_snat_map_0 b/tests/shell/testcases/maps/anonymous_snat_map_0
new file mode 100755
index 0000000..32aac8a
--- /dev/null
+++ b/tests/shell/testcases/maps/anonymous_snat_map_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# anonymous map can be added to a snat rule
+
+set -e
+$NFT add table nat
+$NFT add chain nat postrouting
+$NFT add rule nat postrouting snat ip saddr map {1.1.1.1 : 2.2.2.2}
diff --git a/tests/shell/testcases/maps/different_map_types_1 b/tests/shell/testcases/maps/different_map_types_1
new file mode 100755
index 0000000..a7e831f
--- /dev/null
+++ b/tests/shell/testcases/maps/different_map_types_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# must fail: expr MAP { expr : type1, expr : type2, .. } expr
+
+set -e
+
+$NFT add table ip filter
+$NFT add chain ip filter output { type filter hook output priority 0 \; }
+
+$NFT add rule ip filter output meta mark set tcp dport map { 22 : 1, 23 : 192.168.0.1 } || exit 0
+
+echo "E: Added two different types of expression to map"
+exit 1
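Review bot: The `|| exit 0` after the `add rule ... map { 22 : 1, 23 : 192.168.0.1 }` call treats every non-zero status as the expected rejection, so an nft process that dies from a signal while handling the mismatched map would also count as a pass. Capture the status and accept only a normal error exit, for example `rc=0; $NFT add rule ... || rc=$?` followed by `[ "$rc" -ne 0 ] && [ "$rc" -lt 128 ] && exit 0`. Whether the test harness separately detects crashes is not visible here.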
diff --git a/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft
new file mode 100644
index 0000000..c651af0
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft
@@ -0,0 +1,486 @@
+table ip x {
+ map y {
+ type ipv4_addr : ipv4_addr
+ elements = { 10.0.1.1 : 10.0.1.1, 10.0.1.2 : 10.0.1.2,
+ 10.0.1.3 : 10.0.1.3, 10.0.1.4 : 10.0.1.4,
+ 10.0.1.5 : 10.0.1.5, 10.0.1.6 : 10.0.1.6,
+ 10.0.1.7 : 10.0.1.7, 10.0.1.8 : 10.0.1.8,
+ 10.0.1.9 : 10.0.1.9, 10.0.1.10 : 10.0.1.10,
+ 10.0.1.11 : 10.0.1.11, 10.0.1.12 : 10.0.1.12,
+ 10.0.1.13 : 10.0.1.13, 10.0.1.14 : 10.0.1.14,
+ 10.0.1.15 : 10.0.1.15, 10.0.1.16 : 10.0.1.16,
+ 10.0.1.17 : 10.0.1.17, 10.0.1.18 : 10.0.1.18,
+ 10.0.1.19 : 10.0.1.19, 10.0.1.20 : 10.0.1.20,
+ 10.0.1.21 : 10.0.1.21, 10.0.1.22 : 10.0.1.22,
+ 10.0.1.23 : 10.0.1.23, 10.0.1.24 : 10.0.1.24,
+ 10.0.1.25 : 10.0.1.25, 10.0.1.26 : 10.0.1.26,
+ 10.0.1.27 : 10.0.1.27, 10.0.1.28 : 10.0.1.28,
+ 10.0.1.29 : 10.0.1.29, 10.0.1.30 : 10.0.1.30,
+ 10.0.1.31 : 10.0.1.31, 10.0.2.1 : 10.0.2.1,
+ 10.0.2.2 : 10.0.2.2, 10.0.2.3 : 10.0.2.3,
+ 10.0.2.4 : 10.0.2.4, 10.0.2.5 : 10.0.2.5,
+ 10.0.2.6 : 10.0.2.6, 10.0.2.7 : 10.0.2.7,
+ 10.0.2.8 : 10.0.2.8, 10.0.2.9 : 10.0.2.9,
+ 10.0.2.10 : 10.0.2.10, 10.0.2.11 : 10.0.2.11,
+ 10.0.2.12 : 10.0.2.12, 10.0.2.13 : 10.0.2.13,
+ 10.0.2.14 : 10.0.2.14, 10.0.2.15 : 10.0.2.15,
+ 10.0.2.16 : 10.0.2.16, 10.0.2.17 : 10.0.2.17,
+ 10.0.2.18 : 10.0.2.18, 10.0.2.19 : 10.0.2.19,
+ 10.0.2.20 : 10.0.2.20, 10.0.2.21 : 10.0.2.21,
+ 10.0.2.22 : 10.0.2.22, 10.0.2.23 : 10.0.2.23,
+ 10.0.2.24 : 10.0.2.24, 10.0.2.25 : 10.0.2.25,
+ 10.0.2.26 : 10.0.2.26, 10.0.2.27 : 10.0.2.27,
+ 10.0.2.28 : 10.0.2.28, 10.0.2.29 : 10.0.2.29,
+ 10.0.2.30 : 10.0.2.30, 10.0.2.31 : 10.0.2.31,
+ 10.0.3.1 : 10.0.3.1, 10.0.3.2 : 10.0.3.2,
+ 10.0.3.3 : 10.0.3.3, 10.0.3.4 : 10.0.3.4,
+ 10.0.3.5 : 10.0.3.5, 10.0.3.6 : 10.0.3.6,
+ 10.0.3.7 : 10.0.3.7, 10.0.3.8 : 10.0.3.8,
+ 10.0.3.9 : 10.0.3.9, 10.0.3.10 : 10.0.3.10,
+ 10.0.3.11 : 10.0.3.11, 10.0.3.12 : 10.0.3.12,
+ 10.0.3.13 : 10.0.3.13, 10.0.3.14 : 10.0.3.14,
+ 10.0.3.15 : 10.0.3.15, 10.0.3.16 : 10.0.3.16,
+ 10.0.3.17 : 10.0.3.17, 10.0.3.18 : 10.0.3.18,
+ 10.0.3.19 : 10.0.3.19, 10.0.3.20 : 10.0.3.20,
+ 10.0.3.21 : 10.0.3.21, 10.0.3.22 : 10.0.3.22,
+ 10.0.3.23 : 10.0.3.23, 10.0.3.24 : 10.0.3.24,
+ 10.0.3.25 : 10.0.3.25, 10.0.3.26 : 10.0.3.26,
+ 10.0.3.27 : 10.0.3.27, 10.0.3.28 : 10.0.3.28,
+ 10.0.3.29 : 10.0.3.29, 10.0.3.30 : 10.0.3.30,
+ 10.0.3.31 : 10.0.3.31, 10.0.4.1 : 10.0.4.1,
+ 10.0.4.2 : 10.0.4.2, 10.0.4.3 : 10.0.4.3,
+ 10.0.4.4 : 10.0.4.4, 10.0.4.5 : 10.0.4.5,
+ 10.0.4.6 : 10.0.4.6, 10.0.4.7 : 10.0.4.7,
+ 10.0.4.8 : 10.0.4.8, 10.0.4.9 : 10.0.4.9,
+ 10.0.4.10 : 10.0.4.10, 10.0.4.11 : 10.0.4.11,
+ 10.0.4.12 : 10.0.4.12, 10.0.4.13 : 10.0.4.13,
+ 10.0.4.14 : 10.0.4.14, 10.0.4.15 : 10.0.4.15,
+ 10.0.4.16 : 10.0.4.16, 10.0.4.17 : 10.0.4.17,
+ 10.0.4.18 : 10.0.4.18, 10.0.4.19 : 10.0.4.19,
+ 10.0.4.20 : 10.0.4.20, 10.0.4.21 : 10.0.4.21,
+ 10.0.4.22 : 10.0.4.22, 10.0.4.23 : 10.0.4.23,
+ 10.0.4.24 : 10.0.4.24, 10.0.4.25 : 10.0.4.25,
+ 10.0.4.26 : 10.0.4.26, 10.0.4.27 : 10.0.4.27,
+ 10.0.4.28 : 10.0.4.28, 10.0.4.29 : 10.0.4.29,
+ 10.0.4.30 : 10.0.4.30, 10.0.4.31 : 10.0.4.31,
+ 10.0.5.1 : 10.0.5.1, 10.0.5.2 : 10.0.5.2,
+ 10.0.5.3 : 10.0.5.3, 10.0.5.4 : 10.0.5.4,
+ 10.0.5.5 : 10.0.5.5, 10.0.5.6 : 10.0.5.6,
+ 10.0.5.7 : 10.0.5.7, 10.0.5.8 : 10.0.5.8,
+ 10.0.5.9 : 10.0.5.9, 10.0.5.10 : 10.0.5.10,
+ 10.0.5.11 : 10.0.5.11, 10.0.5.12 : 10.0.5.12,
+ 10.0.5.13 : 10.0.5.13, 10.0.5.14 : 10.0.5.14,
+ 10.0.5.15 : 10.0.5.15, 10.0.5.16 : 10.0.5.16,
+ 10.0.5.17 : 10.0.5.17, 10.0.5.18 : 10.0.5.18,
+ 10.0.5.19 : 10.0.5.19, 10.0.5.20 : 10.0.5.20,
+ 10.0.5.21 : 10.0.5.21, 10.0.5.22 : 10.0.5.22,
+ 10.0.5.23 : 10.0.5.23, 10.0.5.24 : 10.0.5.24,
+ 10.0.5.25 : 10.0.5.25, 10.0.5.26 : 10.0.5.26,
+ 10.0.5.27 : 10.0.5.27, 10.0.5.28 : 10.0.5.28,
+ 10.0.5.29 : 10.0.5.29, 10.0.5.30 : 10.0.5.30,
+ 10.0.5.31 : 10.0.5.31, 10.0.6.1 : 10.0.6.1,
+ 10.0.6.2 : 10.0.6.2, 10.0.6.3 : 10.0.6.3,
+ 10.0.6.4 : 10.0.6.4, 10.0.6.5 : 10.0.6.5,
+ 10.0.6.6 : 10.0.6.6, 10.0.6.7 : 10.0.6.7,
+ 10.0.6.8 : 10.0.6.8, 10.0.6.9 : 10.0.6.9,
+ 10.0.6.10 : 10.0.6.10, 10.0.6.11 : 10.0.6.11,
+ 10.0.6.12 : 10.0.6.12, 10.0.6.13 : 10.0.6.13,
+ 10.0.6.14 : 10.0.6.14, 10.0.6.15 : 10.0.6.15,
+ 10.0.6.16 : 10.0.6.16, 10.0.6.17 : 10.0.6.17,
+ 10.0.6.18 : 10.0.6.18, 10.0.6.19 : 10.0.6.19,
+ 10.0.6.20 : 10.0.6.20, 10.0.6.21 : 10.0.6.21,
+ 10.0.6.22 : 10.0.6.22, 10.0.6.23 : 10.0.6.23,
+ 10.0.6.24 : 10.0.6.24, 10.0.6.25 : 10.0.6.25,
+ 10.0.6.26 : 10.0.6.26, 10.0.6.27 : 10.0.6.27,
+ 10.0.6.28 : 10.0.6.28, 10.0.6.29 : 10.0.6.29,
+ 10.0.6.30 : 10.0.6.30, 10.0.6.31 : 10.0.6.31,
+ 10.0.7.1 : 10.0.7.1, 10.0.7.2 : 10.0.7.2,
+ 10.0.7.3 : 10.0.7.3, 10.0.7.4 : 10.0.7.4,
+ 10.0.7.5 : 10.0.7.5, 10.0.7.6 : 10.0.7.6,
+ 10.0.7.7 : 10.0.7.7, 10.0.7.8 : 10.0.7.8,
+ 10.0.7.9 : 10.0.7.9, 10.0.7.10 : 10.0.7.10,
+ 10.0.7.11 : 10.0.7.11, 10.0.7.12 : 10.0.7.12,
+ 10.0.7.13 : 10.0.7.13, 10.0.7.14 : 10.0.7.14,
+ 10.0.7.15 : 10.0.7.15, 10.0.7.16 : 10.0.7.16,
+ 10.0.7.17 : 10.0.7.17, 10.0.7.18 : 10.0.7.18,
+ 10.0.7.19 : 10.0.7.19, 10.0.7.20 : 10.0.7.20,
+ 10.0.7.21 : 10.0.7.21, 10.0.7.22 : 10.0.7.22,
+ 10.0.7.23 : 10.0.7.23, 10.0.7.24 : 10.0.7.24,
+ 10.0.7.25 : 10.0.7.25, 10.0.7.26 : 10.0.7.26,
+ 10.0.7.27 : 10.0.7.27, 10.0.7.28 : 10.0.7.28,
+ 10.0.7.29 : 10.0.7.29, 10.0.7.30 : 10.0.7.30,
+ 10.0.7.31 : 10.0.7.31, 10.0.8.1 : 10.0.8.1,
+ 10.0.8.2 : 10.0.8.2, 10.0.8.3 : 10.0.8.3,
+ 10.0.8.4 : 10.0.8.4, 10.0.8.5 : 10.0.8.5,
+ 10.0.8.6 : 10.0.8.6, 10.0.8.7 : 10.0.8.7,
+ 10.0.8.8 : 10.0.8.8, 10.0.8.9 : 10.0.8.9,
+ 10.0.8.10 : 10.0.8.10, 10.0.8.11 : 10.0.8.11,
+ 10.0.8.12 : 10.0.8.12, 10.0.8.13 : 10.0.8.13,
+ 10.0.8.14 : 10.0.8.14, 10.0.8.15 : 10.0.8.15,
+ 10.0.8.16 : 10.0.8.16, 10.0.8.17 : 10.0.8.17,
+ 10.0.8.18 : 10.0.8.18, 10.0.8.19 : 10.0.8.19,
+ 10.0.8.20 : 10.0.8.20, 10.0.8.21 : 10.0.8.21,
+ 10.0.8.22 : 10.0.8.22, 10.0.8.23 : 10.0.8.23,
+ 10.0.8.24 : 10.0.8.24, 10.0.8.25 : 10.0.8.25,
+ 10.0.8.26 : 10.0.8.26, 10.0.8.27 : 10.0.8.27,
+ 10.0.8.28 : 10.0.8.28, 10.0.8.29 : 10.0.8.29,
+ 10.0.8.30 : 10.0.8.30, 10.0.8.31 : 10.0.8.31,
+ 10.0.9.1 : 10.0.9.1, 10.0.9.2 : 10.0.9.2,
+ 10.0.9.3 : 10.0.9.3, 10.0.9.4 : 10.0.9.4,
+ 10.0.9.5 : 10.0.9.5, 10.0.9.6 : 10.0.9.6,
+ 10.0.9.7 : 10.0.9.7, 10.0.9.8 : 10.0.9.8,
+ 10.0.9.9 : 10.0.9.9, 10.0.9.10 : 10.0.9.10,
+ 10.0.9.11 : 10.0.9.11, 10.0.9.12 : 10.0.9.12,
+ 10.0.9.13 : 10.0.9.13, 10.0.9.14 : 10.0.9.14,
+ 10.0.9.15 : 10.0.9.15, 10.0.9.16 : 10.0.9.16,
+ 10.0.9.17 : 10.0.9.17, 10.0.9.18 : 10.0.9.18,
+ 10.0.9.19 : 10.0.9.19, 10.0.9.20 : 10.0.9.20,
+ 10.0.9.21 : 10.0.9.21, 10.0.9.22 : 10.0.9.22,
+ 10.0.9.23 : 10.0.9.23, 10.0.9.24 : 10.0.9.24,
+ 10.0.9.25 : 10.0.9.25, 10.0.9.26 : 10.0.9.26,
+ 10.0.9.27 : 10.0.9.27, 10.0.9.28 : 10.0.9.28,
+ 10.0.9.29 : 10.0.9.29, 10.0.9.30 : 10.0.9.30,
+ 10.0.9.31 : 10.0.9.31, 10.0.10.1 : 10.0.10.1,
+ 10.0.10.2 : 10.0.10.2, 10.0.10.3 : 10.0.10.3,
+ 10.0.10.4 : 10.0.10.4, 10.0.10.5 : 10.0.10.5,
+ 10.0.10.6 : 10.0.10.6, 10.0.10.7 : 10.0.10.7,
+ 10.0.10.8 : 10.0.10.8, 10.0.10.9 : 10.0.10.9,
+ 10.0.10.10 : 10.0.10.10, 10.0.10.11 : 10.0.10.11,
+ 10.0.10.12 : 10.0.10.12, 10.0.10.13 : 10.0.10.13,
+ 10.0.10.14 : 10.0.10.14, 10.0.10.15 : 10.0.10.15,
+ 10.0.10.16 : 10.0.10.16, 10.0.10.17 : 10.0.10.17,
+ 10.0.10.18 : 10.0.10.18, 10.0.10.19 : 10.0.10.19,
+ 10.0.10.20 : 10.0.10.20, 10.0.10.21 : 10.0.10.21,
+ 10.0.10.22 : 10.0.10.22, 10.0.10.23 : 10.0.10.23,
+ 10.0.10.24 : 10.0.10.24, 10.0.10.25 : 10.0.10.25,
+ 10.0.10.26 : 10.0.10.26, 10.0.10.27 : 10.0.10.27,
+ 10.0.10.28 : 10.0.10.28, 10.0.10.29 : 10.0.10.29,
+ 10.0.10.30 : 10.0.10.30, 10.0.10.31 : 10.0.10.31,
+ 10.0.11.1 : 10.0.11.1, 10.0.11.2 : 10.0.11.2,
+ 10.0.11.3 : 10.0.11.3, 10.0.11.4 : 10.0.11.4,
+ 10.0.11.5 : 10.0.11.5, 10.0.11.6 : 10.0.11.6,
+ 10.0.11.7 : 10.0.11.7, 10.0.11.8 : 10.0.11.8,
+ 10.0.11.9 : 10.0.11.9, 10.0.11.10 : 10.0.11.10,
+ 10.0.11.11 : 10.0.11.11, 10.0.11.12 : 10.0.11.12,
+ 10.0.11.13 : 10.0.11.13, 10.0.11.14 : 10.0.11.14,
+ 10.0.11.15 : 10.0.11.15, 10.0.11.16 : 10.0.11.16,
+ 10.0.11.17 : 10.0.11.17, 10.0.11.18 : 10.0.11.18,
+ 10.0.11.19 : 10.0.11.19, 10.0.11.20 : 10.0.11.20,
+ 10.0.11.21 : 10.0.11.21, 10.0.11.22 : 10.0.11.22,
+ 10.0.11.23 : 10.0.11.23, 10.0.11.24 : 10.0.11.24,
+ 10.0.11.25 : 10.0.11.25, 10.0.11.26 : 10.0.11.26,
+ 10.0.11.27 : 10.0.11.27, 10.0.11.28 : 10.0.11.28,
+ 10.0.11.29 : 10.0.11.29, 10.0.11.30 : 10.0.11.30,
+ 10.0.11.31 : 10.0.11.31, 10.0.12.1 : 10.0.12.1,
+ 10.0.12.2 : 10.0.12.2, 10.0.12.3 : 10.0.12.3,
+ 10.0.12.4 : 10.0.12.4, 10.0.12.5 : 10.0.12.5,
+ 10.0.12.6 : 10.0.12.6, 10.0.12.7 : 10.0.12.7,
+ 10.0.12.8 : 10.0.12.8, 10.0.12.9 : 10.0.12.9,
+ 10.0.12.10 : 10.0.12.10, 10.0.12.11 : 10.0.12.11,
+ 10.0.12.12 : 10.0.12.12, 10.0.12.13 : 10.0.12.13,
+ 10.0.12.14 : 10.0.12.14, 10.0.12.15 : 10.0.12.15,
+ 10.0.12.16 : 10.0.12.16, 10.0.12.17 : 10.0.12.17,
+ 10.0.12.18 : 10.0.12.18, 10.0.12.19 : 10.0.12.19,
+ 10.0.12.20 : 10.0.12.20, 10.0.12.21 : 10.0.12.21,
+ 10.0.12.22 : 10.0.12.22, 10.0.12.23 : 10.0.12.23,
+ 10.0.12.24 : 10.0.12.24, 10.0.12.25 : 10.0.12.25,
+ 10.0.12.26 : 10.0.12.26, 10.0.12.27 : 10.0.12.27,
+ 10.0.12.28 : 10.0.12.28, 10.0.12.29 : 10.0.12.29,
+ 10.0.12.30 : 10.0.12.30, 10.0.12.31 : 10.0.12.31,
+ 10.0.13.1 : 10.0.13.1, 10.0.13.2 : 10.0.13.2,
+ 10.0.13.3 : 10.0.13.3, 10.0.13.4 : 10.0.13.4,
+ 10.0.13.5 : 10.0.13.5, 10.0.13.6 : 10.0.13.6,
+ 10.0.13.7 : 10.0.13.7, 10.0.13.8 : 10.0.13.8,
+ 10.0.13.9 : 10.0.13.9, 10.0.13.10 : 10.0.13.10,
+ 10.0.13.11 : 10.0.13.11, 10.0.13.12 : 10.0.13.12,
+ 10.0.13.13 : 10.0.13.13, 10.0.13.14 : 10.0.13.14,
+ 10.0.13.15 : 10.0.13.15, 10.0.13.16 : 10.0.13.16,
+ 10.0.13.17 : 10.0.13.17, 10.0.13.18 : 10.0.13.18,
+ 10.0.13.19 : 10.0.13.19, 10.0.13.20 : 10.0.13.20,
+ 10.0.13.21 : 10.0.13.21, 10.0.13.22 : 10.0.13.22,
+ 10.0.13.23 : 10.0.13.23, 10.0.13.24 : 10.0.13.24,
+ 10.0.13.25 : 10.0.13.25, 10.0.13.26 : 10.0.13.26,
+ 10.0.13.27 : 10.0.13.27, 10.0.13.28 : 10.0.13.28,
+ 10.0.13.29 : 10.0.13.29, 10.0.13.30 : 10.0.13.30,
+ 10.0.13.31 : 10.0.13.31, 10.0.14.1 : 10.0.14.1,
+ 10.0.14.2 : 10.0.14.2, 10.0.14.3 : 10.0.14.3,
+ 10.0.14.4 : 10.0.14.4, 10.0.14.5 : 10.0.14.5,
+ 10.0.14.6 : 10.0.14.6, 10.0.14.7 : 10.0.14.7,
+ 10.0.14.8 : 10.0.14.8, 10.0.14.9 : 10.0.14.9,
+ 10.0.14.10 : 10.0.14.10, 10.0.14.11 : 10.0.14.11,
+ 10.0.14.12 : 10.0.14.12, 10.0.14.13 : 10.0.14.13,
+ 10.0.14.14 : 10.0.14.14, 10.0.14.15 : 10.0.14.15,
+ 10.0.14.16 : 10.0.14.16, 10.0.14.17 : 10.0.14.17,
+ 10.0.14.18 : 10.0.14.18, 10.0.14.19 : 10.0.14.19,
+ 10.0.14.20 : 10.0.14.20, 10.0.14.21 : 10.0.14.21,
+ 10.0.14.22 : 10.0.14.22, 10.0.14.23 : 10.0.14.23,
+ 10.0.14.24 : 10.0.14.24, 10.0.14.25 : 10.0.14.25,
+ 10.0.14.26 : 10.0.14.26, 10.0.14.27 : 10.0.14.27,
+ 10.0.14.28 : 10.0.14.28, 10.0.14.29 : 10.0.14.29,
+ 10.0.14.30 : 10.0.14.30, 10.0.14.31 : 10.0.14.31,
+ 10.0.15.1 : 10.0.15.1, 10.0.15.2 : 10.0.15.2,
+ 10.0.15.3 : 10.0.15.3, 10.0.15.4 : 10.0.15.4,
+ 10.0.15.5 : 10.0.15.5, 10.0.15.6 : 10.0.15.6,
+ 10.0.15.7 : 10.0.15.7, 10.0.15.8 : 10.0.15.8,
+ 10.0.15.9 : 10.0.15.9, 10.0.15.10 : 10.0.15.10,
+ 10.0.15.11 : 10.0.15.11, 10.0.15.12 : 10.0.15.12,
+ 10.0.15.13 : 10.0.15.13, 10.0.15.14 : 10.0.15.14,
+ 10.0.15.15 : 10.0.15.15, 10.0.15.16 : 10.0.15.16,
+ 10.0.15.17 : 10.0.15.17, 10.0.15.18 : 10.0.15.18,
+ 10.0.15.19 : 10.0.15.19, 10.0.15.20 : 10.0.15.20,
+ 10.0.15.21 : 10.0.15.21, 10.0.15.22 : 10.0.15.22,
+ 10.0.15.23 : 10.0.15.23, 10.0.15.24 : 10.0.15.24,
+ 10.0.15.25 : 10.0.15.25, 10.0.15.26 : 10.0.15.26,
+ 10.0.15.27 : 10.0.15.27, 10.0.15.28 : 10.0.15.28,
+ 10.0.15.29 : 10.0.15.29, 10.0.15.30 : 10.0.15.30,
+ 10.0.15.31 : 10.0.15.31, 10.0.16.1 : 10.0.16.1,
+ 10.0.16.2 : 10.0.16.2, 10.0.16.3 : 10.0.16.3,
+ 10.0.16.4 : 10.0.16.4, 10.0.16.5 : 10.0.16.5,
+ 10.0.16.6 : 10.0.16.6, 10.0.16.7 : 10.0.16.7,
+ 10.0.16.8 : 10.0.16.8, 10.0.16.9 : 10.0.16.9,
+ 10.0.16.10 : 10.0.16.10, 10.0.16.11 : 10.0.16.11,
+ 10.0.16.12 : 10.0.16.12, 10.0.16.13 : 10.0.16.13,
+ 10.0.16.14 : 10.0.16.14, 10.0.16.15 : 10.0.16.15,
+ 10.0.16.16 : 10.0.16.16, 10.0.16.17 : 10.0.16.17,
+ 10.0.16.18 : 10.0.16.18, 10.0.16.19 : 10.0.16.19,
+ 10.0.16.20 : 10.0.16.20, 10.0.16.21 : 10.0.16.21,
+ 10.0.16.22 : 10.0.16.22, 10.0.16.23 : 10.0.16.23,
+ 10.0.16.24 : 10.0.16.24, 10.0.16.25 : 10.0.16.25,
+ 10.0.16.26 : 10.0.16.26, 10.0.16.27 : 10.0.16.27,
+ 10.0.16.28 : 10.0.16.28, 10.0.16.29 : 10.0.16.29,
+ 10.0.16.30 : 10.0.16.30, 10.0.16.31 : 10.0.16.31,
+ 10.0.17.1 : 10.0.17.1, 10.0.17.2 : 10.0.17.2,
+ 10.0.17.3 : 10.0.17.3, 10.0.17.4 : 10.0.17.4,
+ 10.0.17.5 : 10.0.17.5, 10.0.17.6 : 10.0.17.6,
+ 10.0.17.7 : 10.0.17.7, 10.0.17.8 : 10.0.17.8,
+ 10.0.17.9 : 10.0.17.9, 10.0.17.10 : 10.0.17.10,
+ 10.0.17.11 : 10.0.17.11, 10.0.17.12 : 10.0.17.12,
+ 10.0.17.13 : 10.0.17.13, 10.0.17.14 : 10.0.17.14,
+ 10.0.17.15 : 10.0.17.15, 10.0.17.16 : 10.0.17.16,
+ 10.0.17.17 : 10.0.17.17, 10.0.17.18 : 10.0.17.18,
+ 10.0.17.19 : 10.0.17.19, 10.0.17.20 : 10.0.17.20,
+ 10.0.17.21 : 10.0.17.21, 10.0.17.22 : 10.0.17.22,
+ 10.0.17.23 : 10.0.17.23, 10.0.17.24 : 10.0.17.24,
+ 10.0.17.25 : 10.0.17.25, 10.0.17.26 : 10.0.17.26,
+ 10.0.17.27 : 10.0.17.27, 10.0.17.28 : 10.0.17.28,
+ 10.0.17.29 : 10.0.17.29, 10.0.17.30 : 10.0.17.30,
+ 10.0.17.31 : 10.0.17.31, 10.0.18.1 : 10.0.18.1,
+ 10.0.18.2 : 10.0.18.2, 10.0.18.3 : 10.0.18.3,
+ 10.0.18.4 : 10.0.18.4, 10.0.18.5 : 10.0.18.5,
+ 10.0.18.6 : 10.0.18.6, 10.0.18.7 : 10.0.18.7,
+ 10.0.18.8 : 10.0.18.8, 10.0.18.9 : 10.0.18.9,
+ 10.0.18.10 : 10.0.18.10, 10.0.18.11 : 10.0.18.11,
+ 10.0.18.12 : 10.0.18.12, 10.0.18.13 : 10.0.18.13,
+ 10.0.18.14 : 10.0.18.14, 10.0.18.15 : 10.0.18.15,
+ 10.0.18.16 : 10.0.18.16, 10.0.18.17 : 10.0.18.17,
+ 10.0.18.18 : 10.0.18.18, 10.0.18.19 : 10.0.18.19,
+ 10.0.18.20 : 10.0.18.20, 10.0.18.21 : 10.0.18.21,
+ 10.0.18.22 : 10.0.18.22, 10.0.18.23 : 10.0.18.23,
+ 10.0.18.24 : 10.0.18.24, 10.0.18.25 : 10.0.18.25,
+ 10.0.18.26 : 10.0.18.26, 10.0.18.27 : 10.0.18.27,
+ 10.0.18.28 : 10.0.18.28, 10.0.18.29 : 10.0.18.29,
+ 10.0.18.30 : 10.0.18.30, 10.0.18.31 : 10.0.18.31,
+ 10.0.19.1 : 10.0.19.1, 10.0.19.2 : 10.0.19.2,
+ 10.0.19.3 : 10.0.19.3, 10.0.19.4 : 10.0.19.4,
+ 10.0.19.5 : 10.0.19.5, 10.0.19.6 : 10.0.19.6,
+ 10.0.19.7 : 10.0.19.7, 10.0.19.8 : 10.0.19.8,
+ 10.0.19.9 : 10.0.19.9, 10.0.19.10 : 10.0.19.10,
+ 10.0.19.11 : 10.0.19.11, 10.0.19.12 : 10.0.19.12,
+ 10.0.19.13 : 10.0.19.13, 10.0.19.14 : 10.0.19.14,
+ 10.0.19.15 : 10.0.19.15, 10.0.19.16 : 10.0.19.16,
+ 10.0.19.17 : 10.0.19.17, 10.0.19.18 : 10.0.19.18,
+ 10.0.19.19 : 10.0.19.19, 10.0.19.20 : 10.0.19.20,
+ 10.0.19.21 : 10.0.19.21, 10.0.19.22 : 10.0.19.22,
+ 10.0.19.23 : 10.0.19.23, 10.0.19.24 : 10.0.19.24,
+ 10.0.19.25 : 10.0.19.25, 10.0.19.26 : 10.0.19.26,
+ 10.0.19.27 : 10.0.19.27, 10.0.19.28 : 10.0.19.28,
+ 10.0.19.29 : 10.0.19.29, 10.0.19.30 : 10.0.19.30,
+ 10.0.19.31 : 10.0.19.31, 10.0.20.1 : 10.0.20.1,
+ 10.0.20.2 : 10.0.20.2, 10.0.20.3 : 10.0.20.3,
+ 10.0.20.4 : 10.0.20.4, 10.0.20.5 : 10.0.20.5,
+ 10.0.20.6 : 10.0.20.6, 10.0.20.7 : 10.0.20.7,
+ 10.0.20.8 : 10.0.20.8, 10.0.20.9 : 10.0.20.9,
+ 10.0.20.10 : 10.0.20.10, 10.0.20.11 : 10.0.20.11,
+ 10.0.20.12 : 10.0.20.12, 10.0.20.13 : 10.0.20.13,
+ 10.0.20.14 : 10.0.20.14, 10.0.20.15 : 10.0.20.15,
+ 10.0.20.16 : 10.0.20.16, 10.0.20.17 : 10.0.20.17,
+ 10.0.20.18 : 10.0.20.18, 10.0.20.19 : 10.0.20.19,
+ 10.0.20.20 : 10.0.20.20, 10.0.20.21 : 10.0.20.21,
+ 10.0.20.22 : 10.0.20.22, 10.0.20.23 : 10.0.20.23,
+ 10.0.20.24 : 10.0.20.24, 10.0.20.25 : 10.0.20.25,
+ 10.0.20.26 : 10.0.20.26, 10.0.20.27 : 10.0.20.27,
+ 10.0.20.28 : 10.0.20.28, 10.0.20.29 : 10.0.20.29,
+ 10.0.20.30 : 10.0.20.30, 10.0.20.31 : 10.0.20.31,
+ 10.0.21.1 : 10.0.21.1, 10.0.21.2 : 10.0.21.2,
+ 10.0.21.3 : 10.0.21.3, 10.0.21.4 : 10.0.21.4,
+ 10.0.21.5 : 10.0.21.5, 10.0.21.6 : 10.0.21.6,
+ 10.0.21.7 : 10.0.21.7, 10.0.21.8 : 10.0.21.8,
+ 10.0.21.9 : 10.0.21.9, 10.0.21.10 : 10.0.21.10,
+ 10.0.21.11 : 10.0.21.11, 10.0.21.12 : 10.0.21.12,
+ 10.0.21.13 : 10.0.21.13, 10.0.21.14 : 10.0.21.14,
+ 10.0.21.15 : 10.0.21.15, 10.0.21.16 : 10.0.21.16,
+ 10.0.21.17 : 10.0.21.17, 10.0.21.18 : 10.0.21.18,
+ 10.0.21.19 : 10.0.21.19, 10.0.21.20 : 10.0.21.20,
+ 10.0.21.21 : 10.0.21.21, 10.0.21.22 : 10.0.21.22,
+ 10.0.21.23 : 10.0.21.23, 10.0.21.24 : 10.0.21.24,
+ 10.0.21.25 : 10.0.21.25, 10.0.21.26 : 10.0.21.26,
+ 10.0.21.27 : 10.0.21.27, 10.0.21.28 : 10.0.21.28,
+ 10.0.21.29 : 10.0.21.29, 10.0.21.30 : 10.0.21.30,
+ 10.0.21.31 : 10.0.21.31, 10.0.22.1 : 10.0.22.1,
+ 10.0.22.2 : 10.0.22.2, 10.0.22.3 : 10.0.22.3,
+ 10.0.22.4 : 10.0.22.4, 10.0.22.5 : 10.0.22.5,
+ 10.0.22.6 : 10.0.22.6, 10.0.22.7 : 10.0.22.7,
+ 10.0.22.8 : 10.0.22.8, 10.0.22.9 : 10.0.22.9,
+ 10.0.22.10 : 10.0.22.10, 10.0.22.11 : 10.0.22.11,
+ 10.0.22.12 : 10.0.22.12, 10.0.22.13 : 10.0.22.13,
+ 10.0.22.14 : 10.0.22.14, 10.0.22.15 : 10.0.22.15,
+ 10.0.22.16 : 10.0.22.16, 10.0.22.17 : 10.0.22.17,
+ 10.0.22.18 : 10.0.22.18, 10.0.22.19 : 10.0.22.19,
+ 10.0.22.20 : 10.0.22.20, 10.0.22.21 : 10.0.22.21,
+ 10.0.22.22 : 10.0.22.22, 10.0.22.23 : 10.0.22.23,
+ 10.0.22.24 : 10.0.22.24, 10.0.22.25 : 10.0.22.25,
+ 10.0.22.26 : 10.0.22.26, 10.0.22.27 : 10.0.22.27,
+ 10.0.22.28 : 10.0.22.28, 10.0.22.29 : 10.0.22.29,
+ 10.0.22.30 : 10.0.22.30, 10.0.22.31 : 10.0.22.31,
+ 10.0.23.1 : 10.0.23.1, 10.0.23.2 : 10.0.23.2,
+ 10.0.23.3 : 10.0.23.3, 10.0.23.4 : 10.0.23.4,
+ 10.0.23.5 : 10.0.23.5, 10.0.23.6 : 10.0.23.6,
+ 10.0.23.7 : 10.0.23.7, 10.0.23.8 : 10.0.23.8,
+ 10.0.23.9 : 10.0.23.9, 10.0.23.10 : 10.0.23.10,
+ 10.0.23.11 : 10.0.23.11, 10.0.23.12 : 10.0.23.12,
+ 10.0.23.13 : 10.0.23.13, 10.0.23.14 : 10.0.23.14,
+ 10.0.23.15 : 10.0.23.15, 10.0.23.16 : 10.0.23.16,
+ 10.0.23.17 : 10.0.23.17, 10.0.23.18 : 10.0.23.18,
+ 10.0.23.19 : 10.0.23.19, 10.0.23.20 : 10.0.23.20,
+ 10.0.23.21 : 10.0.23.21, 10.0.23.22 : 10.0.23.22,
+ 10.0.23.23 : 10.0.23.23, 10.0.23.24 : 10.0.23.24,
+ 10.0.23.25 : 10.0.23.25, 10.0.23.26 : 10.0.23.26,
+ 10.0.23.27 : 10.0.23.27, 10.0.23.28 : 10.0.23.28,
+ 10.0.23.29 : 10.0.23.29, 10.0.23.30 : 10.0.23.30,
+ 10.0.23.31 : 10.0.23.31, 10.0.24.1 : 10.0.24.1,
+ 10.0.24.2 : 10.0.24.2, 10.0.24.3 : 10.0.24.3,
+ 10.0.24.4 : 10.0.24.4, 10.0.24.5 : 10.0.24.5,
+ 10.0.24.6 : 10.0.24.6, 10.0.24.7 : 10.0.24.7,
+ 10.0.24.8 : 10.0.24.8, 10.0.24.9 : 10.0.24.9,
+ 10.0.24.10 : 10.0.24.10, 10.0.24.11 : 10.0.24.11,
+ 10.0.24.12 : 10.0.24.12, 10.0.24.13 : 10.0.24.13,
+ 10.0.24.14 : 10.0.24.14, 10.0.24.15 : 10.0.24.15,
+ 10.0.24.16 : 10.0.24.16, 10.0.24.17 : 10.0.24.17,
+ 10.0.24.18 : 10.0.24.18, 10.0.24.19 : 10.0.24.19,
+ 10.0.24.20 : 10.0.24.20, 10.0.24.21 : 10.0.24.21,
+ 10.0.24.22 : 10.0.24.22, 10.0.24.23 : 10.0.24.23,
+ 10.0.24.24 : 10.0.24.24, 10.0.24.25 : 10.0.24.25,
+ 10.0.24.26 : 10.0.24.26, 10.0.24.27 : 10.0.24.27,
+ 10.0.24.28 : 10.0.24.28, 10.0.24.29 : 10.0.24.29,
+ 10.0.24.30 : 10.0.24.30, 10.0.24.31 : 10.0.24.31,
+ 10.0.25.1 : 10.0.25.1, 10.0.25.2 : 10.0.25.2,
+ 10.0.25.3 : 10.0.25.3, 10.0.25.4 : 10.0.25.4,
+ 10.0.25.5 : 10.0.25.5, 10.0.25.6 : 10.0.25.6,
+ 10.0.25.7 : 10.0.25.7, 10.0.25.8 : 10.0.25.8,
+ 10.0.25.9 : 10.0.25.9, 10.0.25.10 : 10.0.25.10,
+ 10.0.25.11 : 10.0.25.11, 10.0.25.12 : 10.0.25.12,
+ 10.0.25.13 : 10.0.25.13, 10.0.25.14 : 10.0.25.14,
+ 10.0.25.15 : 10.0.25.15, 10.0.25.16 : 10.0.25.16,
+ 10.0.25.17 : 10.0.25.17, 10.0.25.18 : 10.0.25.18,
+ 10.0.25.19 : 10.0.25.19, 10.0.25.20 : 10.0.25.20,
+ 10.0.25.21 : 10.0.25.21, 10.0.25.22 : 10.0.25.22,
+ 10.0.25.23 : 10.0.25.23, 10.0.25.24 : 10.0.25.24,
+ 10.0.25.25 : 10.0.25.25, 10.0.25.26 : 10.0.25.26,
+ 10.0.25.27 : 10.0.25.27, 10.0.25.28 : 10.0.25.28,
+ 10.0.25.29 : 10.0.25.29, 10.0.25.30 : 10.0.25.30,
+ 10.0.25.31 : 10.0.25.31, 10.0.26.1 : 10.0.26.1,
+ 10.0.26.2 : 10.0.26.2, 10.0.26.3 : 10.0.26.3,
+ 10.0.26.4 : 10.0.26.4, 10.0.26.5 : 10.0.26.5,
+ 10.0.26.6 : 10.0.26.6, 10.0.26.7 : 10.0.26.7,
+ 10.0.26.8 : 10.0.26.8, 10.0.26.9 : 10.0.26.9,
+ 10.0.26.10 : 10.0.26.10, 10.0.26.11 : 10.0.26.11,
+ 10.0.26.12 : 10.0.26.12, 10.0.26.13 : 10.0.26.13,
+ 10.0.26.14 : 10.0.26.14, 10.0.26.15 : 10.0.26.15,
+ 10.0.26.16 : 10.0.26.16, 10.0.26.17 : 10.0.26.17,
+ 10.0.26.18 : 10.0.26.18, 10.0.26.19 : 10.0.26.19,
+ 10.0.26.20 : 10.0.26.20, 10.0.26.21 : 10.0.26.21,
+ 10.0.26.22 : 10.0.26.22, 10.0.26.23 : 10.0.26.23,
+ 10.0.26.24 : 10.0.26.24, 10.0.26.25 : 10.0.26.25,
+ 10.0.26.26 : 10.0.26.26, 10.0.26.27 : 10.0.26.27,
+ 10.0.26.28 : 10.0.26.28, 10.0.26.29 : 10.0.26.29,
+ 10.0.26.30 : 10.0.26.30, 10.0.26.31 : 10.0.26.31,
+ 10.0.27.1 : 10.0.27.1, 10.0.27.2 : 10.0.27.2,
+ 10.0.27.3 : 10.0.27.3, 10.0.27.4 : 10.0.27.4,
+ 10.0.27.5 : 10.0.27.5, 10.0.27.6 : 10.0.27.6,
+ 10.0.27.7 : 10.0.27.7, 10.0.27.8 : 10.0.27.8,
+ 10.0.27.9 : 10.0.27.9, 10.0.27.10 : 10.0.27.10,
+ 10.0.27.11 : 10.0.27.11, 10.0.27.12 : 10.0.27.12,
+ 10.0.27.13 : 10.0.27.13, 10.0.27.14 : 10.0.27.14,
+ 10.0.27.15 : 10.0.27.15, 10.0.27.16 : 10.0.27.16,
+ 10.0.27.17 : 10.0.27.17, 10.0.27.18 : 10.0.27.18,
+ 10.0.27.19 : 10.0.27.19, 10.0.27.20 : 10.0.27.20,
+ 10.0.27.21 : 10.0.27.21, 10.0.27.22 : 10.0.27.22,
+ 10.0.27.23 : 10.0.27.23, 10.0.27.24 : 10.0.27.24,
+ 10.0.27.25 : 10.0.27.25, 10.0.27.26 : 10.0.27.26,
+ 10.0.27.27 : 10.0.27.27, 10.0.27.28 : 10.0.27.28,
+ 10.0.27.29 : 10.0.27.29, 10.0.27.30 : 10.0.27.30,
+ 10.0.27.31 : 10.0.27.31, 10.0.28.1 : 10.0.28.1,
+ 10.0.28.2 : 10.0.28.2, 10.0.28.3 : 10.0.28.3,
+ 10.0.28.4 : 10.0.28.4, 10.0.28.5 : 10.0.28.5,
+ 10.0.28.6 : 10.0.28.6, 10.0.28.7 : 10.0.28.7,
+ 10.0.28.8 : 10.0.28.8, 10.0.28.9 : 10.0.28.9,
+ 10.0.28.10 : 10.0.28.10, 10.0.28.11 : 10.0.28.11,
+ 10.0.28.12 : 10.0.28.12, 10.0.28.13 : 10.0.28.13,
+ 10.0.28.14 : 10.0.28.14, 10.0.28.15 : 10.0.28.15,
+ 10.0.28.16 : 10.0.28.16, 10.0.28.17 : 10.0.28.17,
+ 10.0.28.18 : 10.0.28.18, 10.0.28.19 : 10.0.28.19,
+ 10.0.28.20 : 10.0.28.20, 10.0.28.21 : 10.0.28.21,
+ 10.0.28.22 : 10.0.28.22, 10.0.28.23 : 10.0.28.23,
+ 10.0.28.24 : 10.0.28.24, 10.0.28.25 : 10.0.28.25,
+ 10.0.28.26 : 10.0.28.26, 10.0.28.27 : 10.0.28.27,
+ 10.0.28.28 : 10.0.28.28, 10.0.28.29 : 10.0.28.29,
+ 10.0.28.30 : 10.0.28.30, 10.0.28.31 : 10.0.28.31,
+ 10.0.29.1 : 10.0.29.1, 10.0.29.2 : 10.0.29.2,
+ 10.0.29.3 : 10.0.29.3, 10.0.29.4 : 10.0.29.4,
+ 10.0.29.5 : 10.0.29.5, 10.0.29.6 : 10.0.29.6,
+ 10.0.29.7 : 10.0.29.7, 10.0.29.8 : 10.0.29.8,
+ 10.0.29.9 : 10.0.29.9, 10.0.29.10 : 10.0.29.10,
+ 10.0.29.11 : 10.0.29.11, 10.0.29.12 : 10.0.29.12,
+ 10.0.29.13 : 10.0.29.13, 10.0.29.14 : 10.0.29.14,
+ 10.0.29.15 : 10.0.29.15, 10.0.29.16 : 10.0.29.16,
+ 10.0.29.17 : 10.0.29.17, 10.0.29.18 : 10.0.29.18,
+ 10.0.29.19 : 10.0.29.19, 10.0.29.20 : 10.0.29.20,
+ 10.0.29.21 : 10.0.29.21, 10.0.29.22 : 10.0.29.22,
+ 10.0.29.23 : 10.0.29.23, 10.0.29.24 : 10.0.29.24,
+ 10.0.29.25 : 10.0.29.25, 10.0.29.26 : 10.0.29.26,
+ 10.0.29.27 : 10.0.29.27, 10.0.29.28 : 10.0.29.28,
+ 10.0.29.29 : 10.0.29.29, 10.0.29.30 : 10.0.29.30,
+ 10.0.29.31 : 10.0.29.31, 10.0.30.1 : 10.0.30.1,
+ 10.0.30.2 : 10.0.30.2, 10.0.30.3 : 10.0.30.3,
+ 10.0.30.4 : 10.0.30.4, 10.0.30.5 : 10.0.30.5,
+ 10.0.30.6 : 10.0.30.6, 10.0.30.7 : 10.0.30.7,
+ 10.0.30.8 : 10.0.30.8, 10.0.30.9 : 10.0.30.9,
+ 10.0.30.10 : 10.0.30.10, 10.0.30.11 : 10.0.30.11,
+ 10.0.30.12 : 10.0.30.12, 10.0.30.13 : 10.0.30.13,
+ 10.0.30.14 : 10.0.30.14, 10.0.30.15 : 10.0.30.15,
+ 10.0.30.16 : 10.0.30.16, 10.0.30.17 : 10.0.30.17,
+ 10.0.30.18 : 10.0.30.18, 10.0.30.19 : 10.0.30.19,
+ 10.0.30.20 : 10.0.30.20, 10.0.30.21 : 10.0.30.21,
+ 10.0.30.22 : 10.0.30.22, 10.0.30.23 : 10.0.30.23,
+ 10.0.30.24 : 10.0.30.24, 10.0.30.25 : 10.0.30.25,
+ 10.0.30.26 : 10.0.30.26, 10.0.30.27 : 10.0.30.27,
+ 10.0.30.28 : 10.0.30.28, 10.0.30.29 : 10.0.30.29,
+ 10.0.30.30 : 10.0.30.30, 10.0.30.31 : 10.0.30.31,
+ 10.0.31.1 : 10.0.31.1, 10.0.31.2 : 10.0.31.2,
+ 10.0.31.3 : 10.0.31.3, 10.0.31.4 : 10.0.31.4,
+ 10.0.31.5 : 10.0.31.5, 10.0.31.6 : 10.0.31.6,
+ 10.0.31.7 : 10.0.31.7, 10.0.31.8 : 10.0.31.8,
+ 10.0.31.9 : 10.0.31.9, 10.0.31.10 : 10.0.31.10,
+ 10.0.31.11 : 10.0.31.11, 10.0.31.12 : 10.0.31.12,
+ 10.0.31.13 : 10.0.31.13, 10.0.31.14 : 10.0.31.14,
+ 10.0.31.15 : 10.0.31.15, 10.0.31.16 : 10.0.31.16,
+ 10.0.31.17 : 10.0.31.17, 10.0.31.18 : 10.0.31.18,
+ 10.0.31.19 : 10.0.31.19, 10.0.31.20 : 10.0.31.20,
+ 10.0.31.21 : 10.0.31.21, 10.0.31.22 : 10.0.31.22,
+ 10.0.31.23 : 10.0.31.23, 10.0.31.24 : 10.0.31.24,
+ 10.0.31.25 : 10.0.31.25, 10.0.31.26 : 10.0.31.26,
+ 10.0.31.27 : 10.0.31.27, 10.0.31.28 : 10.0.31.28,
+ 10.0.31.29 : 10.0.31.29, 10.0.31.30 : 10.0.31.30,
+ 10.0.31.31 : 10.0.31.31 }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump
diff --git a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft
new file mode 100644
index 0000000..ab992c4
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft
@@ -0,0 +1,8 @@
+table ip x {
+ map y {
+ type ipv4_addr : ipv4_addr
+ flags interval
+ elements = { 10.1.1.0/24 : 10.0.1.1, 10.1.2.0/24 : 10.0.1.2,
+ 10.2.1.0/24 : 10.0.2.1, 10.2.2.0/24 : 10.0.2.2 }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft
new file mode 100644
index 0000000..1f5343f
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ map y {
+ type ipv4_addr : ipv4_addr
+ flags interval
+ elements = { 10.0.1.0/24 : 10.0.0.1, 10.0.2.0/24 : 10.0.0.2 }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft
new file mode 100644
index 0000000..878e7c0
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft
@@ -0,0 +1,11 @@
+table inet t {
+ map m1 {
+ type ifname : ipv4_addr
+ elements = { "eth0" : 1.1.1.1 }
+ }
+
+ chain c {
+ ip daddr set iifname map @m1
+ ip daddr set oifname map @m1
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft
new file mode 100644
index 0000000..a470a34
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft
@@ -0,0 +1,15 @@
+table ip filter {
+ map m {
+ type ipv4_addr : mark
+ flags interval
+ elements = { 127.0.0.2 : 0x00000002, 127.0.0.3 : 0x00000003 }
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ meta mark set ip daddr map @m
+ meta mark 0x00000002 counter packets 0 bytes 0 accept
+ meta mark 0x00000003 counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.nft b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
new file mode 100644
index 0000000..c37574a
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
@@ -0,0 +1,13 @@
+table inet filter {
+ chain ssh_input {
+ }
+
+ chain wan_input {
+ tcp dport vmap { 22 : jump ssh_input }
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority raw; policy accept;
+ iif vmap { "lo" counter packets 0 bytes 0 : jump wan_input }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft
new file mode 100644
index 0000000..2f796b5
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft
@@ -0,0 +1,11 @@
+table inet x {
+ map z {
+ type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
+ elements = { 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30 }
+ }
+
+ chain y {
+ type nat hook prerouting priority dstnat; policy accept;
+ dnat ip to ip saddr . ip protocol . tcp dport map @z
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.nft b/tests/shell/testcases/maps/dumps/0011vmap_0.nft
new file mode 100644
index 0000000..4a72b5e
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0011vmap_0.nft
@@ -0,0 +1,19 @@
+table inet filter {
+ map portmap {
+ type inet_service : verdict
+ counter
+ elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
+ }
+
+ chain ssh_input {
+ }
+
+ chain wan_input {
+ tcp dport vmap @portmap
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority raw; policy accept;
+ iif vmap { "lo" : jump wan_input }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0012map_0.nft b/tests/shell/testcases/maps/dumps/0012map_0.nft
new file mode 100644
index 0000000..895490c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0012map_0.nft
@@ -0,0 +1,25 @@
+table ip x {
+ map z {
+ type ifname : verdict
+ elements = { "lo" : accept,
+ "eth0" : drop,
+ "eth1" : drop }
+ }
+
+ map w {
+ typeof ip saddr . meta mark : verdict
+ flags interval
+ counter
+ elements = { 127.0.0.1-127.0.0.4 . 0x00123434-0x00b00122 counter packets 0 bytes 0 : accept }
+ }
+
+ chain y {
+ iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
+ }
+
+ chain k {
+ type filter hook input priority filter + 1; policy accept;
+ meta mark set 0x00123434
+ ip saddr . meta mark vmap @w
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft
new file mode 100644
index 0000000..1455877
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0013map_0.nft
@@ -0,0 +1,13 @@
+table ip filter {
+ map forwport {
+ type ipv4_addr . inet_proto . inet_service : verdict
+ flags interval
+ counter
+ elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy drop;
+ iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0014destroy_0.nft b/tests/shell/testcases/maps/dumps/0014destroy_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0014destroy_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/maps/dumps/0016map_leak_0.nft b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft
diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft
new file mode 100644
index 0000000..796dd72
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft
@@ -0,0 +1,11 @@
+table ip x {
+ map y {
+ typeof ip saddr : meta mark
+ elements = { 1.1.1.1 : 0x00000002, * : 0x00000003 }
+ }
+
+ map z {
+ typeof ip saddr : meta mark
+ elements = { 1.1.1.1 : 0x00000002, * : 0x00000003 }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft
diff --git a/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft b/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft
new file mode 100644
index 0000000..23aca0a
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft
@@ -0,0 +1,16 @@
+table inet filter {
+ ct helper sip-5060u {
+ type "sip" protocol udp
+ l3proto ip
+ }
+
+ ct helper sip-5060t {
+ type "sip" protocol tcp
+ l3proto ip
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ ct helper set ip protocol . th dport map { udp . 10000-20000 : "sip-5060u", tcp . 10000-20000 : "sip-5060t" }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft
new file mode 100644
index 0000000..5009560
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft
@@ -0,0 +1,5 @@
+table ip nat {
+ chain postrouting {
+ snat to ip saddr map { 1.1.1.1 : 2.2.2.2 }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/different_map_types_1.nft b/tests/shell/testcases/maps/dumps/different_map_types_1.nft
new file mode 100644
index 0000000..3c18b5c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/different_map_types_1.nft
@@ -0,0 +1,5 @@
+table ip filter {
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft
new file mode 100644
index 0000000..37c48bf
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft
@@ -0,0 +1,4 @@
+table ip test {
+ chain testchain {
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/map_with_flags_0.nft b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft
new file mode 100644
index 0000000..c96b1ed
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+ map y {
+ type ipv4_addr : ipv4_addr
+ flags timeout
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft
new file mode 100644
index 0000000..a7c5751
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft
@@ -0,0 +1,10 @@
+table ip nat {
+ map m {
+ type ipv4_addr : ipv4_addr
+ elements = { 1.1.1.1 : 2.2.2.2 }
+ }
+
+ chain postrouting {
+ snat to ip saddr map @m
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/nat_addr_port.nft b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
new file mode 100644
index 0000000..c8493b3
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
@@ -0,0 +1,129 @@
+table ip ipfoo {
+ map t1 {
+ typeof numgen inc mod 2 : ip daddr
+ }
+
+ map t2 {
+ typeof numgen inc mod 2 : ip daddr . tcp dport
+ }
+
+ map x {
+ type ipv4_addr : ipv4_addr
+ }
+
+ map y {
+ type ipv4_addr : ipv4_addr . inet_service
+ elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
+ }
+
+ map z {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname != "foobar" accept
+ dnat to ip daddr map @x
+ ip saddr 10.1.1.1 dnat to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat ip to ip saddr map @y
+ dnat ip to ip saddr . tcp dport map @z
+ dnat to numgen inc mod 2 map @t1
+ meta l4proto tcp dnat ip to numgen inc mod 2 map @t2
+ }
+}
+table ip6 ip6foo {
+ map t1 {
+ typeof numgen inc mod 2 : ip6 daddr
+ }
+
+ map t2 {
+ typeof numgen inc mod 2 : ip6 daddr . tcp dport
+ }
+
+ map x {
+ type ipv6_addr : ipv6_addr
+ }
+
+ map y {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+
+ map z {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname != "foobar" accept
+ dnat to ip6 daddr map @x
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat ip6 to ip6 saddr map @y
+ dnat ip6 to ip6 saddr . tcp dport map @z
+ dnat to numgen inc mod 2 map @t1
+ meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2
+ }
+}
+table inet inetfoo {
+ map t1v4 {
+ typeof numgen inc mod 2 : ip daddr
+ }
+
+ map t2v4 {
+ typeof numgen inc mod 2 : ip daddr . tcp dport
+ }
+
+ map t1v6 {
+ typeof numgen inc mod 2 : ip6 daddr
+ }
+
+ map t2v6 {
+ typeof numgen inc mod 2 : ip6 daddr . tcp dport
+ }
+
+ map x4 {
+ type ipv4_addr : ipv4_addr
+ }
+
+ map y4 {
+ type ipv4_addr : ipv4_addr . inet_service
+ }
+
+ map z4 {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+
+ map x6 {
+ type ipv6_addr : ipv6_addr
+ }
+
+ map y6 {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+
+ map z6 {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname != "foobar" accept
+ dnat ip to ip daddr map @x4
+ ip saddr 10.1.1.1 dnat ip to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat ip to 10.2.3.4:4242
+ meta l4proto tcp dnat ip to ip saddr map @y4
+ dnat ip to ip saddr . tcp dport map @z4
+ dnat ip to numgen inc mod 2 map @t1v4
+ meta l4proto tcp dnat ip to numgen inc mod 2 map @t2v4
+ dnat ip6 to ip6 daddr map @x6
+ ip6 saddr dead::1 dnat ip6 to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat ip6 to [c0::1a]:4242
+ meta l4proto tcp dnat ip6 to ip6 saddr map @y6
+ dnat ip6 to ip6 saddr . tcp dport map @z6
+ dnat ip6 to numgen inc mod 2 map @t1v6
+ meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2v6
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_integer_0.nft b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft
new file mode 100644
index 0000000..19c24fe
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft
@@ -0,0 +1,20 @@
+table inet t {
+ map m1 {
+ typeof udp length . @ih,32,32 : verdict
+ flags interval
+ elements = { 20-80 . 0x14 : accept,
+ 1-10 . 0xa : drop }
+ }
+
+ map m2 {
+ typeof udp length . @ih,32,32 : verdict
+ elements = { 30 . 0x1e : drop,
+ 20 . 0x24 : accept }
+ }
+
+ chain c {
+ udp length . @nh,32,32 vmap @m1
+ udp length . @nh,32,32 vmap @m2
+ udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft
new file mode 100644
index 0000000..a5c0a60
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft
@@ -0,0 +1,36 @@
+table inet t {
+ map m1 {
+ typeof osf name : ct mark
+ elements = { "Linux" : 0x00000001 }
+ }
+
+ map m2 {
+ typeof vlan id : meta mark
+ elements = { 1 : 0x00000001, 4095 : 0x00004095 }
+ }
+
+ map m3 {
+ typeof ip saddr . ip daddr : meta mark
+ elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001,
+ 2.3.4.5 . 6.7.8.9 : 0x00000002 }
+ }
+
+ map m4 {
+ typeof iifname . ip protocol . th dport : verdict
+ elements = { "eth0" . tcp . 22 : accept }
+ }
+
+ map m5 {
+ typeof ipsec in reqid . iifname : verdict
+ elements = { 23 . "eth0" : accept }
+ }
+
+ chain c {
+ ct mark set osf name map @m1
+ meta mark set vlan id map @m2
+ meta mark set ip saddr . ip daddr map @m3
+ iifname . ip protocol . th dport vmap @m4
+ iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+ ipsec in reqid . iifname vmap @m5
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft
new file mode 100644
index 0000000..9134673
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft
@@ -0,0 +1,22 @@
+table ip dynset {
+ map dynmark {
+ typeof ip daddr : meta mark
+ size 64
+ counter
+ timeout 5m
+ }
+
+ chain test_ping {
+ ip saddr @dynmark counter packets 0 bytes 0 comment "should not increment"
+ ip saddr != @dynmark add @dynmark { ip saddr : 0x00000001 } counter packets 1 bytes 84
+ ip saddr @dynmark counter packets 1 bytes 84 comment "should increment"
+ ip saddr @dynmark delete @dynmark { ip saddr : 0x00000001 }
+ ip saddr @dynmark counter packets 0 bytes 0 comment "delete should be instant but might fail under memory pressure"
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ add @dynmark { 10.2.3.4 timeout 1s : 0x00000002 } comment "also check timeout-gc"
+ meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft
new file mode 100644
index 0000000..1ca98d8
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft
@@ -0,0 +1,11 @@
+table netdev t {
+ map m {
+ typeof ether saddr . vlan id : meta mark
+ size 1234
+ flags dynamic,timeout
+ }
+
+ chain c {
+ ether type != 8021q update @m { ether daddr . 123 timeout 1m : 0x0000002a } counter packets 0 bytes 0 return
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
new file mode 100644
index 0000000..f8b574f
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
@@ -0,0 +1,13 @@
+table ip foo {
+ map pinned {
+ typeof ip saddr . ct original proto-dst : ip daddr . tcp dport
+ size 65535
+ flags dynamic,timeout
+ timeout 6m
+ }
+
+ chain pr {
+ update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+ update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft
new file mode 100644
index 0000000..698219c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft
@@ -0,0 +1,21 @@
+table ip kube-nfproxy-v4 {
+ map sticky-set-svc-M53CN2XYVUHRQ7UB {
+ type ipv4_addr : mark
+ size 65535
+ timeout 6m
+ }
+
+ map sticky-set-svc-153CN2XYVUHRQ7UB {
+ typeof ip daddr : meta mark
+ size 65535
+ timeout 1m
+ }
+
+ chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 {
+ update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 }
+ }
+
+ chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 {
+ update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x00000003 }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_raw_0.nft b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft
new file mode 100644
index 0000000..476169f
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+ map y {
+ typeof ip saddr . @ih,32,32 : verdict
+ elements = { 1.1.1.1 . 0x14 : accept,
+ 7.7.7.7 . 0x86 : accept,
+ 7.7.7.8 . 0x97 : drop }
+ }
+
+ chain y {
+ ip saddr . @nh,32,32 vmap @y
+ ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft
new file mode 100644
index 0000000..beb5ffb
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft
@@ -0,0 +1,26 @@
+table ip x {
+ counter c_o0_0 {
+ packets 0 bytes 0
+ }
+
+ map sctm_o0 {
+ type mark : verdict
+ elements = { 0x00000000 : jump sctm_o0_0, 0x00000001 : jump sctm_o0_1 }
+ }
+
+ map sctm_o1 {
+ type mark : counter
+ elements = { 0x00000000 : "c_o0_0" }
+ }
+
+ chain sctm_o0_0 {
+ }
+
+ chain sctm_o0_1 {
+ }
+
+ chain SET_ctmark_RPLYroute {
+ meta mark >> 8 & 0xf vmap @sctm_o0
+ counter name meta mark >> 8 & 0xf map @sctm_o1
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.nft b/tests/shell/testcases/maps/dumps/vmap_timeout.nft
new file mode 100644
index 0000000..095f894
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/vmap_timeout.nft
@@ -0,0 +1,36 @@
+table inet filter {
+ map portmap {
+ type inet_service : verdict
+ flags timeout
+ gc-interval 10s
+ elements = { 22 : jump ssh_input }
+ }
+
+ map portaddrmap {
+ typeof ip daddr . th dport : verdict
+ flags timeout
+ gc-interval 10s
+ elements = { 1.2.3.4 . 22 : jump ssh_input }
+ }
+
+ chain ssh_input {
+ }
+
+ chain log_and_drop {
+ drop
+ }
+
+ chain other_input {
+ goto log_and_drop
+ }
+
+ chain wan_input {
+ ip daddr . tcp dport vmap @portaddrmap
+ tcp dport vmap @portmap
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority raw; policy accept;
+ iif vmap { "lo" : jump wan_input }
+ }
+}
diff --git a/tests/shell/testcases/maps/map_catchall_double_deactivate b/tests/shell/testcases/maps/map_catchall_double_deactivate
new file mode 100755
index 0000000..651c08a
--- /dev/null
+++ b/tests/shell/testcases/maps/map_catchall_double_deactivate
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+$NFT "add table ip test ;
+ add map ip test testmap { type ipv4_addr : verdict; };
+ add chain ip test testchain;
+ add element ip test testmap { * : jump testchain }" || exit 1
+
+$NFT "flush map ip test testmap; delete map ip test testmap; delete map ip test testmap" 2>/dev/null && exit 1
+$NFT "flush map ip test testmap; delete map ip test testmap; delete element ip test testmap { * : jump testchain }" 2>/dev/null && exit 1
+
+$NFT "flush map ip test testmap; delete map ip test testmap" || exit 1
diff --git a/tests/shell/testcases/maps/map_with_flags_0 b/tests/shell/testcases/maps/map_with_flags_0
new file mode 100755
index 0000000..68bd80d
--- /dev/null
+++ b/tests/shell/testcases/maps/map_with_flags_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table x
+$NFT add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; }
diff --git a/tests/shell/testcases/maps/named_snat_map_0 b/tests/shell/testcases/maps/named_snat_map_0
new file mode 100755
index 0000000..addb9f7
--- /dev/null
+++ b/tests/shell/testcases/maps/named_snat_map_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# nameds map can be addedd to a snat rule
+
+set -e
+$NFT add table nat
+$NFT add chain nat postrouting
+$NFT add map nat m { type ipv4_addr : ipv4_addr\; }
+$NFT add element nat m {1.1.1.1: 2.2.2.2}
+$NFT add rule nat postrouting snat ip saddr map @m
diff --git a/tests/shell/testcases/maps/nat_addr_port b/tests/shell/testcases/maps/nat_addr_port
new file mode 100755
index 0000000..2804d48
--- /dev/null
+++ b/tests/shell/testcases/maps/nat_addr_port
@@ -0,0 +1,207 @@
+#!/bin/bash
+
+# skeleton
+$NFT -f /dev/stdin <<EOF || exit 1
+table ip ipfoo {
+ map t1 {
+ typeof numgen inc mod 2 : ip daddr;
+ }
+
+ map t2 {
+ typeof numgen inc mod 2 : ip daddr . tcp dport
+ }
+
+ map x {
+ type ipv4_addr : ipv4_addr
+ }
+ map y {
+ type ipv4_addr : ipv4_addr . inet_service
+ elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
+ }
+ map z {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta iifname != "foobar" accept
+ dnat to ip daddr map @x
+ ip saddr 10.1.1.1 dnat to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat ip addr . port to ip saddr map @y
+ meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z
+ dnat ip to numgen inc mod 2 map @t1
+ meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2
+ }
+}
+EOF
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'ip ipfoo c ip saddr 10.1.1.2 dnat to 10.2.3.4:4242' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'ip ipfoo c dnat to ip daddr map @y' && exit 1
+
+# skeleton 6
+$NFT -f /dev/stdin <<EOF || exit 1
+table ip6 ip6foo {
+ map t1 {
+ typeof numgen inc mod 2 : ip6 daddr;
+ }
+
+ map t2 {
+ typeof numgen inc mod 2 : ip6 daddr . tcp dport
+ }
+
+ map x {
+ type ipv6_addr : ipv6_addr
+ }
+ map y {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+ map z {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta iifname != "foobar" accept
+ dnat to ip6 daddr map @x
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z
+ dnat ip6 to numgen inc mod 2 map @t1
+ meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2
+ }
+}
+EOF
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1
+
+# skeleton inet
+$NFT -f /dev/stdin <<EOF || exit 1
+table inet inetfoo {
+ map t1v4 {
+ typeof numgen inc mod 2 : ip daddr
+ }
+
+ map t2v4 {
+ typeof numgen inc mod 2 : ip daddr . tcp dport;
+ }
+
+ map t1v6 {
+ typeof numgen inc mod 2 : ip6 daddr;
+ }
+
+ map t2v6 {
+ typeof numgen inc mod 2 : ip6 daddr . tcp dport
+ }
+
+ map x4 {
+ type ipv4_addr : ipv4_addr
+ }
+ map y4 {
+ type ipv4_addr : ipv4_addr . inet_service
+ }
+ map z4 {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+ map x6 {
+ type ipv6_addr : ipv6_addr
+ }
+ map y6 {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+ map z6 {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta iifname != "foobar" accept
+ dnat ip to ip daddr map @x4
+ ip saddr 10.1.1.1 dnat to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat ip addr . port to ip saddr map @y4
+ meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z4
+ dnat ip to numgen inc mod 2 map @t1v4
+ meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4
+ dnat ip6 to ip6 daddr map @x6
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y6
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z6
+ dnat ip6 to numgen inc mod 2 map @t1v6
+ meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6
+ }
+}
+EOF
+
+# should fail: map has wrong family: 4->6
+$NFT add rule 'inet inetfoo c dnat to ip daddr map @x6' && exit 1
+
+# should fail: map has wrong family: 6->4
+$NFT add rule 'inet inetfoo c dnat to ip6 daddr map @x4' && exit 1
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'inet inetfoo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'inet inetfoo c dnat to ip daddr map @y4' && exit 1
+
+# should fail: rule has test for l4 protocol, but map has wrong family: 4->6
+$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip daddr map @y6' && exit 1
+
+# should fail: rule has test for l4 protocol, but map has wrong family: 6->4
+$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip6 daddr map @y4' && exit 1
+
+# fail: inet_service, but expect ipv4_addr
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+ map a {
+ type ipv4_addr : inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to ip saddr map @a
+ }
+}
+EOF
+
+# fail: maps to inet_service . inet_service, not addr . service
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+ map b {
+ type ipv4_addr : inet_service . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to ip saddr map @a
+ }
+}
+EOF
+
+# fail: only accept exactly two sub-expressions: 'addr . service'
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+ map b {
+ type ipv4_addr : inet_addr . inet_service . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to ip saddr map @a
+ }
+}
+EOF
+
+exit 0
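Review bot: The last two negative cases (the heredocs commented "maps to inet_service . inet_service" and "only accept exactly two sub-expressions") declare `map b`, but their rule still looks up `@a`. No earlier successful load creates `@a` in `inet inetfoo`, because the only heredoc that defines it is itself expected to be rejected. nft can therefore refuse both inputs for the missing map without reaching the NAT data-type check the comments describe. Point the rule at the map under test, `meta l4proto tcp dnat ip to ip saddr map @b`, in both heredocs. Every failure case is asserted only with `&& exit 1`, so any rejection counts as a pass; `inet_addr` in the last map may also not be a valid type name and is worth confirming for the same reason.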
diff --git a/tests/shell/testcases/maps/typeof_integer_0 b/tests/shell/testcases/maps/typeof_integer_0
new file mode 100755
index 0000000..0deff5e
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_integer_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+EXPECTED="table inet t {
+ map m1 {
+ typeof udp length . @ih,32,32 : verdict
+ flags interval
+ elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }
+ }
+
+ map m2 {
+ typeof udp length . @ih,32,32 : verdict
+ elements = { 20 . 0x24 : accept, 30 . 0x1e : drop }
+ }
+
+ chain c {
+ udp length . @nh,32,32 vmap @m1
+ udp length . @nh,32,32 vmap @m2
+ udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+ }
+}"
+
+$NFT add element inet t m1 { 90-100 . 40 : drop }
+$NFT delete element inet t m2 { 20 . 20 : accept }
+
+set -e
+$NFT -f - <<< $EXPECTED
+
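Review bot: The `$NFT add element inet t m1 ...` and `$NFT delete element inet t m2 ...` commands run before `set -e` and before `$NFT -f -` creates table `inet t`. They therefore appear to fail against a table that does not exist yet, and the failure is ignored. The dump for this test lists m1 and m2 with exactly the elements from `EXPECTED`, which is consistent with both commands having no effect. State the intended outcome in a comment above them, for example `# table t does not exist yet: both commands are expected to fail`, or move them below the load if they are meant to modify the maps.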
diff --git a/tests/shell/testcases/maps/typeof_maps_0 b/tests/shell/testcases/maps/typeof_maps_0
new file mode 100755
index 0000000..98517fd
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_0
@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# support for strings and integers in named maps.
+# without typeof, this is 'type string' and 'type integer',
+# but neither could be used because it lacks size information.
+
+set -e
+
+die() {
+ printf '%s\n' "$*"
+ exit 1
+}
+
+INPUT_OSF_CT="
+ ct mark set osf name map @m1"
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+ INPUT_OSF_CT=
+fi
+
+INPUT="table inet t {
+ map m1 {
+ typeof osf name : ct mark
+ elements = { Linux : 0x00000001 }
+ }
+
+ map m2 {
+ typeof vlan id : mark
+ elements = { 1 : 0x1,
+ 4095 : 0x4095 }
+ }
+
+ map m3 {
+ typeof ip saddr . ip daddr : meta mark
+ elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001,
+ 2.3.4.5 . 6.7.8.9 : 0x00000002 }
+ }
+
+ map m4 {
+ typeof iifname . ip protocol . th dport : verdict
+ elements = { eth0 . tcp . 22 : accept }
+ }
+
+ map m5 {
+ typeof ipsec in reqid . meta iifname : verdict
+ elements = { 23 . eth0 : accept }
+ }
+
+ chain c {$INPUT_OSF_CT
+ ether type vlan meta mark set vlan id map @m2
+ meta mark set ip saddr . ip daddr map @m3
+ iifname . ip protocol . th dport vmap @m4
+ iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop }
+ ipsec in reqid . meta iifname vmap @m5
+ }
+}"
+
+EXPECTED="table inet t {
+ map m1 {
+ typeof osf name : ct mark
+ elements = { \"Linux\" : 0x00000001 }
+ }
+
+ map m2 {
+ typeof vlan id : meta mark
+ elements = { 1 : 0x00000001, 4095 : 0x00004095 }
+ }
+
+ map m3 {
+ typeof ip saddr . ip daddr : meta mark
+ elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001,
+ 2.3.4.5 . 6.7.8.9 : 0x00000002 }
+ }
+
+ map m4 {
+ typeof iifname . ip protocol . th dport : verdict
+ elements = { \"eth0\" . tcp . 22 : accept }
+ }
+
+ map m5 {
+ typeof ipsec in reqid . iifname : verdict
+ elements = { 23 . \"eth0\" : accept }
+ }
+
+ chain c {$INPUT_OSF_CT
+ meta mark set vlan id map @m2
+ meta mark set ip saddr . ip daddr map @m3
+ iifname . ip protocol . th dport vmap @m4
+ iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop }
+ ipsec in reqid . iifname vmap @m5
+ }
+}"
+
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
+
+
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+ echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+ exit 77
+fi
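Review bot: `die()` writes its message to stdout with `printf '%s\n' "$*"`, where it mixes with the `$DIFF -u` output printed just before it. Send the diagnostic to stderr instead: `printf '%s\n' "$*" >&2`. The netns tests added in this commit already write their `E:` messages to stderr, so this also makes the scripts consistent.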
diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete
new file mode 100755
index 0000000..5e2f8ec
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_add_delete
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+CONDMATCH="ip saddr @dynmark"
+NCONDMATCH="ip saddr != @dynmark"
+
+# use reduced feature set
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+ CONDMATCH=""
+ NCONDMATCH=""
+fi
+
+EXPECTED="table ip dynset {
+ map dynmark {
+ typeof ip daddr : meta mark
+ counter
+ size 64
+ timeout 5m
+ }
+
+ chain test_ping {
+ $CONDMATCH counter comment \"should not increment\"
+ $NCONDMATCH add @dynmark { ip saddr : 0x1 } counter
+ $CONDMATCH counter comment \"should increment\"
+ $CONDMATCH delete @dynmark { ip saddr : 0x1 }
+ $CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\"
+ }
+
+ chain input {
+ type filter hook input priority 0; policy accept;
+
+ add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
+ meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+$NFT list ruleset
+
+ip link set lo up
+ping -c 1 127.0.0.42
+
+$NFT get element ip dynset dynmark { 10.2.3.4 }
+
+# wait so that 10.2.3.4 times out.
+sleep 2
+
+set +e
+$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
+
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+ echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped."
+ exit 77
+fi
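Review bot: `$NFT -f - <<< $EXPECTED` feeds the ruleset through an unquoted expansion. Bash releases before 4.4 word-split an unquoted here-string and rejoin it with single spaces, which would collapse the newlines that separate the rules in this ruleset. Quote it as typeof_maps_0 does: `$NFT -f - <<< "$EXPECTED"`. The same unquoted form appears in typeof_integer_0, typeof_maps_concat_update_0, typeof_maps_update_0, typeof_raw_0 and vmap_mark_bitwise_0 (`<<< $RULESET`).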
diff --git a/tests/shell/testcases/maps/typeof_maps_concat b/tests/shell/testcases/maps/typeof_maps_concat
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_concat
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0
new file mode 100755
index 0000000..2a52ea0
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# check update statement does print both concatentations (key and data).
+
+EXPECTED="table ip foo {
+ map pinned {
+ typeof ip saddr . ct original proto-dst : ip daddr . tcp dport
+ size 65535
+ flags dynamic,timeout
+ timeout 6m
+ }
+ chain pr {
+ update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+ meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/maps/typeof_maps_update_0 b/tests/shell/testcases/maps/typeof_maps_update_0
new file mode 100755
index 0000000..c233b13
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_update_0
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# check update statement doesn't print "invalid dtype" on the data element.
+
+EXPECTED="table ip kube-nfproxy-v4 {
+ map sticky-set-svc-M53CN2XYVUHRQ7UB {
+ type ipv4_addr : mark
+ size 65535
+ timeout 6m
+ }
+
+ map sticky-set-svc-153CN2XYVUHRQ7UB {
+ typeof ip daddr : meta mark
+ size 65535
+ timeout 1m
+ }
+
+ chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 {
+ update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2 }
+ }
+ chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 {
+ update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x3 }
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+
diff --git a/tests/shell/testcases/maps/typeof_raw_0 b/tests/shell/testcases/maps/typeof_raw_0
new file mode 100755
index 0000000..bcd2c6d
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_raw_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table ip x {
+ map y {
+ typeof ip saddr . @ih,32,32: verdict
+ elements = { 1.1.1.1 . 0x14 : accept, 2.2.2.2 . 0x1e : drop }
+ }
+
+ chain y {
+ ip saddr . @nh,32,32 vmap @y
+ ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop}
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+$NFT add element ip x y { 7.7.7.7 . 0x86 : accept, 7.7.7.8 . 0x97 : drop }
+$NFT delete element ip x y { 2.2.2.2 . 0x1e : drop }
diff --git a/tests/shell/testcases/maps/vmap_mark_bitwise_0 b/tests/shell/testcases/maps/vmap_mark_bitwise_0
new file mode 100755
index 0000000..0d93355
--- /dev/null
+++ b/tests/shell/testcases/maps/vmap_mark_bitwise_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain sctm_o0_0 {
+ }
+
+ chain sctm_o0_1 {
+ }
+
+ map sctm_o0 {
+ type mark : verdict
+ elements = {
+ 0x0 : jump sctm_o0_0,
+ 0x1 : jump sctm_o0_1,
+ }
+ }
+
+ counter c_o0_0 {}
+
+ map sctm_o1 {
+ type mark : counter
+ elements = {
+ 0x0 : \"c_o0_0\",
+ }
+ }
+
+ chain SET_ctmark_RPLYroute {
+ meta mark >> 8 & 0xf vmap @sctm_o0
+ }
+
+ chain SET_ctmark_RPLYroute {
+ counter name meta mark >> 8 & 0xf map @sctm_o1
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/maps/vmap_timeout b/tests/shell/testcases/maps/vmap_timeout
new file mode 100755
index 0000000..0cd965f
--- /dev/null
+++ b/tests/shell/testcases/maps/vmap_timeout
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+set -e
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+$NFT -f $dumpfile
+
+port=23
+for i in $(seq 1 100) ; do
+ timeout=$((RANDOM%5))
+ timeout=$((timeout+1))
+ j=1
+
+ batched="{ $port timeout 3s : jump other_input "
+ batched_addr="{ 10.0.$((i%256)).$j . $port timeout ${timeout}s : jump other_input "
+ port=$((port + 1))
+ for j in $(seq 2 400); do
+ timeout=$((RANDOM%5))
+ timeout=$((timeout+1))
+
+ batched="$batched, $port timeout ${timeout}s : jump other_input "
+ batched_addr="$batched_addr, 10.0.$((i%256)).$((j%256)) . $port timeout ${timeout}s : jump other_input "
+ port=$((port + 1))
+ done
+
+ fail_addr="$batched_addr, 1.2.3.4 . 23 timeout 5m : jump other_input,
+ 1.2.3.4 . 23 timeout 3m : jump other_input }"
+ fail="$batched, 23 timeout 1m : jump other_input, 23 : jump other_input }"
+
+ batched="$batched }"
+ batched_addr="$batched_addr }"
+
+ if [ $i -gt 90 ]; then
+ # must fail, we create and $fail/$fail_addr contain one element twice.
+ $NFT create element inet filter portmap "$fail" && exit 111
+ $NFT create element inet filter portaddrmap "$fail_addr" && exit 112
+ fi
+
+ $NFT add element inet filter portmap "$batched"
+ $NFT add element inet filter portaddrmap "$batched_addr"
+done
+
+if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then
+ echo "Partial test due to NFT_TEST_HAVE_catchall_element=n."
+else
+ $NFT add element inet filter portaddrmap { "* timeout 2s : drop" }
+ $NFT add element inet filter portmap { "* timeout 3s : drop" }
+fi
+
+# wait for elements to time out
+sleep 5
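Review bot: `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` and `$NFT -f $dumpfile` expand `$0` and the resulting path unquoted, so a checkout path containing spaces or glob characters is split before nft sees it. Quote each expansion: `dumpfile="$(dirname "$0")/dumps/$(basename "$0").nft"` and `$NFT -f "$dumpfile"`. typeof_maps_concat builds the path the same way but already quotes `"$dumpfile"` at the call.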
diff --git a/tests/shell/testcases/netns/0001nft-f_0 b/tests/shell/testcases/netns/0001nft-f_0
new file mode 100755
index 0000000..a591f2c
--- /dev/null
+++ b/tests/shell/testcases/netns/0001nft-f_0
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table ip6 t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table bridge t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}
+table arp t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}"
+
+# netns
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+fi
+
+$IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset in netns" >&2
+ $IP netns del $NETNS_NAME
+ exit 1
+fi
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
+exit 0
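Review bot: The namespace created by `$IP netns add $NETNS_NAME` is removed only on the paths the script handles itself. If the script is interrupted between the add and the `netns del`, the namespace stays behind and the next run stops at "unable to create netns". Register the cleanup right after the add succeeds: `trap '$IP netns del "$NETNS_NAME" 2>/dev/null' EXIT`. 0002loosecommands_0 and 0003many_0 follow the same add/exec/del pattern and would benefit from the same trap.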
diff --git a/tests/shell/testcases/netns/0002loosecommands_0 b/tests/shell/testcases/netns/0002loosecommands_0
new file mode 100755
index 0000000..231f1fb
--- /dev/null
+++ b/tests/shell/testcases/netns/0002loosecommands_0
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+function netns_exec()
+{
+ # $1: netns_name $2: command
+ $IP netns exec $1 $2
+ if [ $? -ne 0 ] ; then
+ echo "E: failed to execute command in netns $1: $2" >&2
+ $IP netns del $1
+ exit 1
+ fi
+}
+
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+fi
+
+netns_exec $NETNS_NAME "$NFT add table ip t"
+netns_exec $NETNS_NAME "$NFT add chain ip t c"
+netns_exec $NETNS_NAME "$NFT add chain ip t other"
+netns_exec $NETNS_NAME "$NFT add set ip t s { type ipv4_addr; }"
+netns_exec $NETNS_NAME "$NFT add element ip t s {1.1.0.0 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ct state new"
+netns_exec $NETNS_NAME "$NFT add rule ip t c udp dport { 12345, 54321 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ip saddr @s drop"
+netns_exec $NETNS_NAME "$NFT add rule ip t c jump other"
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}"
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
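Review bot: `netns_exec` runs `$IP netns exec $1 $2` with the whole nft command passed as one string, so it depends on unquoted word splitting of `$2`, and pathname expansion is applied to the resulting words as well. None of the commands passed here contain glob characters, but nothing records that constraint. Add a comment in the function, `# $2 is left unquoted on purpose: the command string is split into words here`, or take the command as separate arguments with `shift` and `"$@"`. The header comment `# test a kernel netns loading a simple ruleset` is the same as in 0001nft-f_0, although this script builds the ruleset from individual commands.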
diff --git a/tests/shell/testcases/netns/0003many_0 b/tests/shell/testcases/netns/0003many_0
new file mode 100755
index 0000000..afe9117
--- /dev/null
+++ b/tests/shell/testcases/netns/0003many_0
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# test using many netns
+
+# arbitry value of 'many'
+HOWMANY=20
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table ip6 t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table bridge t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}
+table arp t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}"
+
+function test_netns()
+{
+ local NETNS_NAME=$1
+ $IP netns add $NETNS_NAME
+ if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+ fi
+
+ $IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"
+ if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset in netns" >&2
+ $IP netns del $NETNS_NAME
+ exit 1
+ fi
+
+ KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+ if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ echo "E: ruleset in netns $NETNS_NAME differs from the loaded" >&2
+ $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ $IP netns del $NETNS_NAME
+ exit 1
+ fi
+
+ $IP netns del $NETNS_NAME
+}
+
+for i in $(seq 1 $HOWMANY) ; do
+ NETNS_NAME="$netns${i}_$(basename "$0")"
+ test_netns $NETNS_NAME
+done
+
+exit 0
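Review bot: `$netns` in `NETNS_NAME="$netns${i}_$(basename "$0")"` is never assigned in this script, so unless the environment provides it the prefix expands to nothing and the namespaces are named `1_0003many_0`, `2_0003many_0`, and so on. If a literal prefix was intended, the line should read `NETNS_NAME="netns${i}_$(basename "$0")"`. If the value is meant to come from the test harness, a comment naming the variable's source would make that clear. Separately, `test_netns` assigns `KERNEL_RULESET` without `local`, unlike `NETNS_NAME` just above it.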
diff --git a/tests/shell/testcases/netns/dumps/0001nft-f_0.nft b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft
diff --git a/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft
diff --git a/tests/shell/testcases/netns/dumps/0003many_0.nft b/tests/shell/testcases/netns/dumps/0003many_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0003many_0.nft
diff --git a/tests/shell/testcases/nft-f/0001define_slash_0 b/tests/shell/testcases/nft-f/0001define_slash_0
new file mode 100755
index 0000000..93c4811
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0001define_slash_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# tests for commit 85d6803 (parser_bison: initializer_expr must use rhs_expr)
+
+RULESET="
+define net = 1.1.1.1/24
+"
+
+set -e
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0002rollback_rule_0 b/tests/shell/testcases/nft-f/0002rollback_rule_0
new file mode 100755
index 0000000..8a9ca84
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0002rollback_rule_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# test a kernel rollback operation
+# fail reason: rule
+
+GOOD_RULESET="table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}"
+
+BAD_RULESET="flush ruleset
+table ip t2 {
+ chain c2 {
+ this is an invalid rule
+ }
+}"
+
+$NFT -f - <<< "$GOOD_RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+$NFT -f - <<< "$BAD_RULESET" 2>/dev/null
+if [ $? -eq 0 ] ; then
+ echo "E: bogus ruleset loaded?" >&2
+ exit 1
+fi
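Review bot: The header says this tests a kernel rollback, but `this is an invalid rule` is most likely rejected by nft's parser, in which case the batch containing `flush ruleset` never reaches the kernel and no kernel abort path is exercised. 0004rollback_set_0 (`type invalid`) looks the same, whereas the dangling jumps in 0003 and 0005 probably do fail in the kernel. Nothing in the script checks that the good ruleset survived; presumably the harness does so against dumps/0002rollback_rule_0.nft. A comment such as `# survival of GOOD_RULESET is checked by the dump comparison` would document that. Because `2>/dev/null` hides the error text, the test also cannot tell the intended rejection from an unrelated failure.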
diff --git a/tests/shell/testcases/nft-f/0003rollback_jump_0 b/tests/shell/testcases/nft-f/0003rollback_jump_0
new file mode 100755
index 0000000..6fb6f4e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0003rollback_jump_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# test a kernel rollback operation
+# fail reason: invalid jump
+
+GOOD_RULESET="table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}"
+
+BAD_RULESET="flush ruleset
+table ip t2 {
+ chain c2 {
+ jump other
+ }
+}"
+
+$NFT -f - <<< "$GOOD_RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+$NFT -f - <<< "$BAD_RULESET" 2>/dev/null
+if [ $? -eq 0 ] ; then
+ echo "E: bogus ruleset loaded?" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0004rollback_set_0 b/tests/shell/testcases/nft-f/0004rollback_set_0
new file mode 100755
index 0000000..bcc55df
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0004rollback_set_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# test a kernel rollback operation
+# fail reason: invalid set
+
+GOOD_RULESET="table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}"
+
+BAD_RULESET="flush ruleset
+table ip t2 {
+ set s2 {
+ type invalid
+ }
+}"
+
+$NFT -f - <<< "$GOOD_RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+$NFT -f - <<< "$BAD_RULESET" 2>/dev/null
+if [ $? -eq 0 ] ; then
+ echo "E: bogus ruleset loaded?" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0005rollback_map_0 b/tests/shell/testcases/nft-f/0005rollback_map_0
new file mode 100755
index 0000000..913595d
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0005rollback_map_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# test a kernel rollback operation
+# fail reason: invalid map
+
+GOOD_RULESET="table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}"
+
+BAD_RULESET="flush ruleset
+table ip t2 {
+ chain c2 {
+ tcp dport map { 22222: jump other, 11111: jump invalid }
+ }
+
+ chain other {
+ }
+}"
+
+$NFT -f - <<< "$GOOD_RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+$NFT -f - <<< "$BAD_RULESET" 2>/dev/null
+if [ $? -eq 0 ] ; then
+ echo "E: bogus ruleset loaded?" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0006action_object_0 b/tests/shell/testcases/nft-f/0006action_object_0
new file mode 100755
index 0000000..ddee661
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0006action_object_0
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# test loading a ruleset with the 'action object' pattern
+
+set -e
+
+FAMILIES="ip ip6 inet arp bridge"
+
+generate1()
+{
+ local family=$1
+ echo "
+ add table $family t
+ add chain $family t c
+ add rule $family t c accept
+ add set $family t s {type inet_service;}
+ add element $family t s {8080}
+ insert rule $family t c meta l4proto tcp tcp dport @s accept
+ add rule $family t c meta l4proto tcp tcp dport {9090, 8080}
+ add map $family t m {type inet_service:verdict;}
+ add element $family t m {10080:drop}
+ insert rule $family t c meta l4proto tcp tcp dport vmap @m
+ add rule $family t c meta l4proto udp udp sport vmap {1111:accept, 2222:drop}
+ "
+}
+
+generate2()
+{
+ local family=$1
+ echo "
+ flush chain $family t c
+ delete element $family t m {10080:drop}
+ delete element $family t s {8080}
+ delete chain $family t c
+ delete table $family t
+ "
+}
+
+RULESET=$(for family in $FAMILIES ; do
+ generate1 $family
+done)
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset 1" >&2
+ exit 1
+fi
+
+RULESET=$(for family in $FAMILIES ; do
+ generate2 $family
+done)
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset 2" >&2
+ exit 1
+fi
+
+exit 0
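Review bot: With `set -e` enabled at the top, a failing `$NFT -f - <<< "$RULESET"` ends the script before the following `if [ $? -ne 0 ]` runs, so both "E: unable to load ruleset" messages are unreachable. Testing the command directly keeps the diagnostic: `if ! $NFT -f - <<< "$RULESET" ; then`. The same dead check appears in 0008split_tables_0 after its `set -e`.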
diff --git a/tests/shell/testcases/nft-f/0007action_object_set_segfault_1 b/tests/shell/testcases/nft-f/0007action_object_set_segfault_1
new file mode 100755
index 0000000..6cbd386
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0007action_object_set_segfault_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# test for a segfault if bad syntax was used in set declaration
+# and the set is referenced in the same batch
+
+RULESET="
+add table t
+add chain t c
+add set t s {type ipv4_addr\;}
+add rule t c ip saddr @s
+"
+
+$NFT -f - <<< "$RULESET" 2>/dev/null && exit 1
+exit 0
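Review bot: This test is meant to catch a segfault, yet `$NFT -f - <<< "$RULESET" 2>/dev/null && exit 1` followed by `exit 0` passes on any non-zero status, including the 139 a shell reports for a process killed by SIGSEGV. Unless the harness detects crashes by other means, the regression this guards against would go unnoticed. Pinning the expected failure code closes the gap: `rc=0; $NFT -f - <<< "$RULESET" 2>/dev/null || rc=$?` then `[ "$rc" -eq 1 ] || exit 1`. The other `&& exit 1` tests in this directory (0013defines_1, 0014defines_1, 0015defines_1, 0019jump_variable_1, 0020jump_variable_1, 0031vmap_string_0) accept a crash as success in the same way.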
diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0
new file mode 100755
index 0000000..2631aed
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0008split_tables_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+ chain ssh {
+ type filter hook input priority 0; policy accept;
+ tcp dport 22 accept;
+ }
+}
+
+table inet filter {
+ chain input {
+ type filter hook input priority 1; policy accept;
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0009variable_0 b/tests/shell/testcases/nft-f/0009variable_0
new file mode 100755
index 0000000..e073d86
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0009variable_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define concat-set-variable = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
+
+table inet forward {
+ set concat-set-variable {
+ type ipv4_addr . inet_service
+ elements = \$concat-set-variable
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0010variable_0 b/tests/shell/testcases/nft-f/0010variable_0
new file mode 100755
index 0000000..69c80c7
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0010variable_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define whitelist_v4 = { 1.1.1.1 }
+
+table inet filter {
+ set whitelist_v4 { type ipv4_addr; }
+}
+add element inet filter whitelist_v4 \$whitelist_v4
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0011manydefines_0 b/tests/shell/testcases/nft-f/0011manydefines_0
new file mode 100755
index 0000000..aac0670
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0011manydefines_0
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# tests many defines in a single nft -f run
+
+HOWMANY=20000
+
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=2000
+fi
+
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate1()
+{
+ for ((i=0; i<=HOWMANY; i++)) ; do
+ echo "define data_${i} = ${i}"
+ done
+}
+
+generate2()
+{
+ for ((i=0; i<=HOWMANY; i++)) ; do
+ echo "iifname \$data_${i}"
+ done
+}
+
+echo " $(generate1)
+table t {
+ chain c {
+ $(generate2)
+ }
+}" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 20000 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
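Review bot: The temp-file guard does not fire when `mktemp` fails: with `$tmpfile` empty and unquoted, `[ ! -w $tmpfile ]` collapses to `[ ! -w ]`, which is false, so the script carries on to `> $tmpfile`. Quoting and checking `mktemp` itself fixes that: `tmpfile=$(mktemp) || exit 1` and `[ -w "$tmpfile" ]`. The `exit 0` in that branch also reports a pass for a test that never ran; a failure, or the skip code 77 the script already uses at the end, would be more honest. The trap expands `$tmpfile` unquoted at definition time; `trap 'rm -f -- "$tmpfile"' EXIT` is the safer form.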
diff --git a/tests/shell/testcases/nft-f/0012different_defines_0 b/tests/shell/testcases/nft-f/0012different_defines_0
new file mode 100755
index 0000000..fe22858
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0012different_defines_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# tests different spots, datatypes and usages for nft defines
+
+RULESET="
+define d_iifname = whatever
+define d_oifname = \$d_iifname
+define d_iif = lo
+define d_oif = \$d_iif
+define d_mark = 123
+define d_state = new,established,related
+define d_ipv4 = 10.0.0.0
+define d_ipv4_2 = 10.0.0.2
+define d_ipv6 = fe0::1
+define d_ipv6_2 = fe0::2
+define d_ports = 100-222
+define d_qnum = 0
+define d_qnumr = 1-42
+
+table inet t {
+ chain c {
+ iifname \$d_iifname oifname \$d_oifname iif \$d_iif oif \$d_oif
+ iifname { \$d_iifname , \$d_oifname } iif { \$d_iif , \$d_oif } meta mark \$d_mark
+ ct state \$d_state
+ ct state != \$d_state
+ ip saddr \$d_ipv4 ip daddr \$d_ipv4_2 ip saddr \$d_ipv4
+ ip6 daddr \$d_ipv6 ip6 saddr \$d_ipv6_2
+ ip saddr vmap { \$d_ipv4 : drop , \$d_ipv4_2 : accept }
+ ip6 daddr vmap { \$d_ipv6 : drop , \$d_ipv6_2 : accept }
+ ip6 saddr . ip6 nexthdr { \$d_ipv6 . udp, \$d_ipv6_2 . tcp }
+ ip daddr . meta iif vmap { \$d_ipv4 . \$d_iif : accept }
+ tcp dport \$d_ports
+ udp dport vmap { \$d_ports : accept }
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnum bypass
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnumr
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass,fanout num \$d_qnumr
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue to symhash mod 2
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass to jhash tcp dport . tcp sport mod 4
+ }
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0013defines_1 b/tests/shell/testcases/nft-f/0013defines_1
new file mode 100755
index 0000000..b633088
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0013defines_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variable before definition.
+
+set -e
+
+RULESET="
+define var2 = \$var1
+define var1 = lo
+
+table ip t {
+ chain c {
+ iif \$var2
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0014defines_1 b/tests/shell/testcases/nft-f/0014defines_1
new file mode 100755
index 0000000..35f2536
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0014defines_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests redefinition of an existing variable.
+
+set -e
+
+RULESET="
+define var1 = lo
+define var1 = lo
+
+table ip t {
+ chain c {
+ iif \$var1
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0015defines_1 b/tests/shell/testcases/nft-f/0015defines_1
new file mode 100755
index 0000000..935cb45
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0015defines_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests recursive definition of a variable.
+
+set -e
+
+RULESET="
+define var1 = \$var1
+
+table ip t {
+ chain c {
+ iif \$var1
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0016redefines_1 b/tests/shell/testcases/nft-f/0016redefines_1
new file mode 100755
index 0000000..1f59f6b
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0016redefines_1
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+table ip x {
+ chain y {
+ define unused = 4.4.4.4
+ define address = { 1.1.1.1, 2.2.2.2 }
+ ip saddr \$address
+ redefine address = { 3.3.3.3, 4.4.4.4 }
+ ip saddr \$address
+ undefine unused
+ }
+}"
+
+EXPECTED="table ip x {
+ chain y {
+ ip saddr { 1.1.1.1, 2.2.2.2 }
+ ip saddr { 3.3.3.3, 4.4.4.4 }
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
new file mode 100755
index 0000000..cfb7895
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout)
+
+EXPECTED='table ip filter {
+ ct timeout cttime{
+ protocol tcp
+ l3proto ip
+ policy = { established : 123, close : 12 }
+ }
+
+ chain c {
+ ct timeout set "cttime"
+ }
+}'
+
+set -e
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
new file mode 100755
index 0000000..4f9872f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+ ct expectation ctexpect{
+ protocol tcp
+ dport 9876
+ timeout 1m
+ size 12
+ l3proto ip
+ }
+
+ chain c {
+ ct expectation set "ctexpect"
+ }
+}'
+
+set -e
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/nft-f/0018jump_variable_0 b/tests/shell/testcases/nft-f/0018jump_variable_0
new file mode 100755
index 0000000..003a1bd
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0018jump_variable_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Tests use of variables in jump statements
+
+set -e
+
+RULESET="
+define dest = ber
+
+table ip foo {
+ chain bar {
+ jump \$dest
+ }
+
+ chain ber {
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0019jump_variable_1 b/tests/shell/testcases/nft-f/0019jump_variable_1
new file mode 100755
index 0000000..bda861c
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0019jump_variable_1
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Tests use of variables in jump statements
+
+set -e
+
+RULESET="
+define dest = { 1024 }
+
+table ip foo {
+ chain bar {
+ jump \$dest
+ }
+
+ chain ber {
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0020jump_variable_1 b/tests/shell/testcases/nft-f/0020jump_variable_1
new file mode 100755
index 0000000..f753058
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0020jump_variable_1
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Tests use of variables in jump statements
+
+set -e
+
+RULESET="
+define dest = *
+
+table ip foo {
+ chain bar {
+ jump \$dest
+ }
+
+ chain ber {
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0021list_ruleset_0 b/tests/shell/testcases/nft-f/0021list_ruleset_0
new file mode 100755
index 0000000..37729b4
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0021list_ruleset_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Tests use of variables in jump statements
+
+set -e
+
+RULESET="table filter {
+ chain prerouting {
+ type filter hook prerouting priority -50
+ }
+}
+list ruleset
+"
+
+exec $NFT -f - <<< "$RULESET"
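Review bot: The header comment `# Tests use of variables in jump statements` looks copied from the neighbouring jump_variable tests, since this ruleset contains no variable and no jump. What the script does is load a table and run `list ruleset` from the same `-f` input. A comment such as `# Tests 'list ruleset' as a command inside a file loaded with nft -f` would describe it correctly.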
diff --git a/tests/shell/testcases/nft-f/0022variables_0 b/tests/shell/testcases/nft-f/0022variables_0
new file mode 100755
index 0000000..ee17a62
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0022variables_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define test1 = @y
+
+table ip x {
+ set y {
+ type ipv4_addr
+ flags dynamic,timeout
+ }
+
+ chain z {
+ type filter hook input priority filter; policy accept;
+ add \$test1 { ip saddr }
+ update \$test1 { ip saddr timeout 30s }
+ ip saddr \$test1
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0023check_1 b/tests/shell/testcases/nft-f/0023check_1
new file mode 100755
index 0000000..42793b6
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0023check_1
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+RULESET="table ip foo {
+ chain bar {
+ type filter hook prerouting priority 0;
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+$NFT -c add rule foo bar fib saddr . oif type local && exit 1
+exit 0
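Review bot: The initial `$NFT -f - <<< "$RULESET"` is not checked and the script has no `set -e`, so if creating `table ip foo` fails, the later `$NFT -c add rule foo bar ...` fails for lack of the table and the test still passes. Making the setup fatal keeps the test meaningful: `$NFT -f - <<< "$RULESET" || exit 1`. A one-line header comment saying which check is expected to reject `fib saddr . oif type local` in a prerouting chain would also help, as the script has none.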
diff --git a/tests/shell/testcases/nft-f/0024priority_0 b/tests/shell/testcases/nft-f/0024priority_0
new file mode 100755
index 0000000..586f5c3
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0024priority_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+RULESET="
+table inet statelessnat {
+ chain prerouting {
+ type filter hook prerouting priority -100;
+ ip daddr set numgen inc mod 16 map { 0-7 : 10.0.1.1, 8- 15 : 10.0.1.2 }
+ }
+ chain postrouting {
+ type filter hook postrouting priority 100
+ }
+}"
+
+exec $NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0025empty_dynset_0 b/tests/shell/testcases/nft-f/0025empty_dynset_0
new file mode 100755
index 0000000..fbdb579
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0025empty_dynset_0
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip foo {
+ set inflows {
+ type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+ flags dynamic
+ elements = { 10.1.0.3 . 39466 . \"veth1\" . 10.3.0.99 . 5201 counter packets 0 bytes 0 }
+ }
+
+ set inflows6 {
+ type ipv6_addr . inet_service . ifname . ipv6_addr . inet_service
+ flags dynamic
+ }
+
+ set inflows_ratelimit {
+ type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+ flags dynamic
+ elements = { 10.1.0.3 . 39466 . \"veth1\" . 10.3.0.99 . 5201 limit rate 1/second counter packets 0 bytes 0 }
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+# inflows_ratelimit will be dumped without 'limit rate .. counter' on old kernels.
+if [ "$NFT_TEST_HAVE_set_with_two_expressions" = n ]; then
+ echo "Partial test due to NFT_TEST_HAVE_set_with_two_expressions=n."
+ exit 77
+fi
diff --git a/tests/shell/testcases/nft-f/0026listing_0 b/tests/shell/testcases/nft-f/0026listing_0
new file mode 100755
index 0000000..0f2f27c
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0026listing_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# This is like "flush ruleset" except only flushes THIS ruleset, not ALL rulesets.
+# In particular, it leaves the dynamic sshguard/fail2ban deny lists untouched.
+RULESET="add table A
+delete table A
+table A {
+ chain B {
+ tcp dport {1,2} accept
+ }
+}
+list ruleset"
+
+exec $NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0027split_chains_0 b/tests/shell/testcases/nft-f/0027split_chains_0
new file mode 100755
index 0000000..de1e5a0
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0027split_chains_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+ chain x {
+ }
+}
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump x
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 0
+exit 1
diff --git a/tests/shell/testcases/nft-f/0028variable_cmdline_0 b/tests/shell/testcases/nft-f/0028variable_cmdline_0
new file mode 100755
index 0000000..a2bbd5d
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0028variable_cmdline_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+
+RULESET="table inet filter {
+ set whitelist_v4 { type ipv4_addr; }
+}
+add element inet filter whitelist_v4 \$whitelist_v4
+"
+
+# this is intentional: exercise error path
+$NFT --define whitelist_v4="{ wrong }" -f - <<< "$RULESET"
+$NFT --define whitelist_v4="{ 1.1.1.1, \$wrong }" -f - <<< "$RULESET"
+
+set -e
+
+$NFT --define whitelist_v4="{ 1.1.1.1, 2.2.2.2 }" -f - <<< "$RULESET"
+$NFT --define x={5.5.5.5} --define whitelist_v4="{ 3.3.3.3, 4.4.4.4, \$x }" -f - <<< "$RULESET"
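Review bot: The two commands under `# this is intentional: exercise error path` run before `set -e` and their status is ignored, so the test would not notice if nft started accepting `{ wrong }` or the undefined `\$wrong`. The dump comparison may catch part of that, but asserting the failure makes the intent explicit: `$NFT --define whitelist_v4="{ wrong }" -f - <<< "$RULESET" && exit 1`, and the same for the second command. Redirecting their stderr would also keep the expected error text out of the test log.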
diff --git a/tests/shell/testcases/nft-f/0029split_file_0 b/tests/shell/testcases/nft-f/0029split_file_0
new file mode 100755
index 0000000..0cc547a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0029split_file_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr;
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority filter;
+ }
+}
+"
+
+$NFT -f - <<< "$RULESET"
+
+RULESET="table inet filter {
+ chain prerouting {
+ ip daddr @whitelist_v4
+ }
+}
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0030variable_reuse_0 b/tests/shell/testcases/nft-f/0030variable_reuse_0
new file mode 100755
index 0000000..8afc54a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0030variable_reuse_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define test = { 1.1.1.1 }
+
+table ip x {
+ set y {
+ type ipv4_addr
+ elements = { 2.2.2.2, \$test }
+ }
+
+ set z {
+ type ipv4_addr
+ elements = { 3.3.3.3, \$test }
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0031vmap_string_0 b/tests/shell/testcases/nft-f/0031vmap_string_0
new file mode 100755
index 0000000..2af846a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0031vmap_string_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Tests parse of corrupted verdicts
+
+set -e
+
+RULESET="
+table ip foo {
+ map bar {
+ type ipv4_addr : verdict
+ elements = {
+ 192.168.0.1 : ber
+ }
+ }
+
+ chain ber {
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0032pknock_0 b/tests/shell/testcases/nft-f/0032pknock_0
new file mode 100755
index 0000000..94fc840
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0032pknock_0
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define guarded_ports = {ssh}
+
+table inet portknock {
+ set clients_ipv4 {
+ type ipv4_addr
+ flags timeout
+ }
+
+ set candidates_ipv4 {
+ type ipv4_addr . inet_service
+ flags timeout
+ }
+
+ chain input {
+ type filter hook input priority -10; policy accept;
+
+ tcp dport 10001 add @candidates_ipv4 {ip saddr . 10002 timeout 1s}
+ tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10003 timeout 1s}
+ tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10004 timeout 1s}
+ tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10005 timeout 1s}
+ tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 600s} log prefix \"Successful portknock: \"
+
+ tcp dport \$guarded_ports ip saddr @clients_ipv4 counter accept
+ tcp dport \$guarded_ports ct state established,related counter accept
+
+ tcp dport \$guarded_ports reject with tcp reset
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
new file mode 100644
index 0000000..d7e7808
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
@@ -0,0 +1,10 @@
+table inet filter {
+ chain ssh {
+ type filter hook input priority filter; policy accept;
+ tcp dport 22 accept
+ }
+
+ chain input {
+ type filter hook input priority filter + 1; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
new file mode 100644
index 0000000..7f59a27
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
@@ -0,0 +1,7 @@
+table inet forward {
+ set concat-set-variable {
+ type ipv4_addr . inet_service
+ elements = { 10.10.10.10 . 25,
+ 10.10.10.10 . 143 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0010variable_0.nft b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft
new file mode 100644
index 0000000..1f3d05e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump
diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
new file mode 100644
index 0000000..4734b2f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
@@ -0,0 +1,21 @@
+table inet t {
+ chain c {
+ iifname "whatever" oifname "whatever" iif "lo" oif "lo"
+ iifname { "whatever" } iif { "lo" } meta mark 0x0000007b
+ ct state established,related,new
+ ct state != established | related | new
+ ip saddr 10.0.0.0 ip daddr 10.0.0.2 ip saddr 10.0.0.0
+ ip6 daddr fe0::1 ip6 saddr fe0::2
+ ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept }
+ ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept }
+ ip6 saddr . ip6 nexthdr { fe0::2 . tcp, fe0::1 . udp }
+ ip daddr . iif vmap { 10.0.0.0 . "lo" : accept }
+ tcp dport 100-222
+ udp dport vmap { 100-222 : accept }
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to 0
+ tcp sport 1 tcp dport 1 oifname "foobar" queue to 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass,fanout to 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue to symhash mod 2
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to jhash tcp dport . tcp sport mod 4
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0013defines_1.nft b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0014defines_1.nft b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0015defines_1.nft b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft
new file mode 100644
index 0000000..65b7f49
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft
@@ -0,0 +1,6 @@
+table ip x {
+ chain y {
+ ip saddr { 1.1.1.1, 2.2.2.2 }
+ ip saddr { 3.3.3.3, 4.4.4.4 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
new file mode 100644
index 0000000..c5d9649
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
@@ -0,0 +1,11 @@
+table ip filter {
+ ct timeout cttime {
+ protocol tcp
+ l3proto ip
+ policy = { established : 2m3s, close : 12s }
+ }
+
+ chain c {
+ ct timeout set "cttime"
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft
new file mode 100644
index 0000000..396185e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft
@@ -0,0 +1,13 @@
+table ip filter {
+ ct expectation ctexpect {
+ protocol tcp
+ dport 9876
+ timeout 1m
+ size 12
+ l3proto ip
+ }
+
+ chain c {
+ ct expectation set "ctexpect"
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft
new file mode 100644
index 0000000..0ddaf07
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft
@@ -0,0 +1,8 @@
+table ip foo {
+ chain bar {
+ jump ber
+ }
+
+ chain ber {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft
new file mode 100644
index 0000000..b2cd401
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft
@@ -0,0 +1,5 @@
+table ip filter {
+ chain prerouting {
+ type filter hook prerouting priority -50; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft
new file mode 100644
index 0000000..d30f4d5
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft
@@ -0,0 +1,14 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain z {
+ type filter hook input priority filter; policy accept;
+ add @y { ip saddr }
+ update @y { ip saddr timeout 30s }
+ ip saddr @y
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0023check_1.nft b/tests/shell/testcases/nft-f/dumps/0023check_1.nft
new file mode 100644
index 0000000..04b9e70
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0023check_1.nft
@@ -0,0 +1,5 @@
+table ip foo {
+ chain bar {
+ type filter hook prerouting priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0024priority_0.nft b/tests/shell/testcases/nft-f/dumps/0024priority_0.nft
new file mode 100644
index 0000000..cd7fc50
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0024priority_0.nft
@@ -0,0 +1,10 @@
+table inet statelessnat {
+ chain prerouting {
+ type filter hook prerouting priority dstnat; policy accept;
+ ip daddr set numgen inc mod 16 map { 0-7 : 10.0.1.1, 8-15 : 10.0.1.2 }
+ }
+
+ chain postrouting {
+ type filter hook postrouting priority srcnat; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft
new file mode 100644
index 0000000..33b9e4f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft
@@ -0,0 +1,18 @@
+table ip foo {
+ set inflows {
+ type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+ flags dynamic
+ elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 counter packets 0 bytes 0 }
+ }
+
+ set inflows6 {
+ type ipv6_addr . inet_service . ifname . ipv6_addr . inet_service
+ flags dynamic
+ }
+
+ set inflows_ratelimit {
+ type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+ flags dynamic
+ elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 limit rate 1/second burst 5 packets counter packets 0 bytes 0 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0026listing_0.nft b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft
new file mode 100644
index 0000000..fd0bb68
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft
@@ -0,0 +1,5 @@
+table ip A {
+ chain B {
+ tcp dport { 1, 2 } accept
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
new file mode 100644
index 0000000..39198be
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
@@ -0,0 +1,9 @@
+table inet filter {
+ chain x {
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump x
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
new file mode 100644
index 0000000..aa08112
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
@@ -0,0 +1,8 @@
+table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr
+ elements = { 1.1.1.1, 2.2.2.2,
+ 3.3.3.3, 4.4.4.4,
+ 5.5.5.5 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft
new file mode 100644
index 0000000..32d5c0e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft
@@ -0,0 +1,10 @@
+table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ ip daddr @whitelist_v4
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft
new file mode 100644
index 0000000..635901f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft
@@ -0,0 +1,11 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ elements = { 1.1.1.1, 2.2.2.2 }
+ }
+
+ set z {
+ type ipv4_addr
+ elements = { 1.1.1.1, 3.3.3.3 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft
new file mode 100644
index 0000000..f29dfb2
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft
@@ -0,0 +1,25 @@
+table inet portknock {
+ set clients_ipv4 {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ }
+
+ set candidates_ipv4 {
+ type ipv4_addr . inet_service
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain input {
+ type filter hook input priority filter - 10; policy accept;
+ tcp dport 10001 add @candidates_ipv4 { ip saddr . 10002 timeout 1s }
+ tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10003 timeout 1s }
+ tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10004 timeout 1s }
+ tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10005 timeout 1s }
+ tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 10m } log prefix "Successful portknock: "
+ tcp dport 22 ip saddr @clients_ipv4 counter packets 0 bytes 0 accept
+ tcp dport 22 ct state established,related counter packets 0 bytes 0 accept
+ tcp dport 22 reject with tcp reset
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
new file mode 100644
index 0000000..480b694
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
@@ -0,0 +1,239 @@
+table inet filter {
+ map if_input {
+ type ifname : verdict
+ elements = { "eth0" : jump public_input,
+ "eth1" : jump home_input,
+ "eth2.10" : jump home_input,
+ "eth2.20" : jump home_input }
+ }
+
+ map if_forward {
+ type ifname : verdict
+ elements = { "eth0" : jump public_forward,
+ "eth1" : jump trusted_forward,
+ "eth2.10" : jump voip_forward,
+ "eth2.20" : jump guest_forward }
+ }
+
+ map if_output {
+ type ifname : verdict
+ elements = { "eth0" : jump public_output,
+ "eth1" : jump home_output,
+ "eth2.10" : jump home_output,
+ "eth2.20" : jump home_output }
+ }
+
+ set ipv4_blacklist {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ }
+
+ set ipv6_blacklist {
+ type ipv6_addr
+ flags interval
+ auto-merge
+ }
+
+ set limit_src_ip {
+ type ipv4_addr
+ size 1024
+ flags dynamic,timeout
+ }
+
+ set limit_src_ip6 {
+ type ipv6_addr
+ size 1024
+ flags dynamic,timeout
+ }
+
+ chain PREROUTING_RAW {
+ type filter hook prerouting priority raw; policy accept;
+ meta l4proto != { icmp, tcp, udp, ipv6-icmp } counter packets 0 bytes 0 drop
+ tcp flags syn jump {
+ tcp option maxseg size 1-500 counter packets 0 bytes 0 drop
+ tcp sport 0 counter packets 0 bytes 0 drop
+ }
+ rt type 0 counter packets 0 bytes 0 drop
+ }
+
+ chain PREROUTING_MANGLE {
+ type filter hook prerouting priority mangle; policy accept;
+ ct state vmap { invalid : jump ct_invalid_pre, related : jump rpfilter, new : jump ct_new_pre, untracked : jump ct_untracked_pre }
+ }
+
+ chain ct_invalid_pre {
+ counter packets 0 bytes 0 drop
+ }
+
+ chain ct_untracked_pre {
+ icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return
+ counter packets 0 bytes 0 drop
+ }
+
+ chain ct_new_pre {
+ jump rpfilter
+ tcp flags != syn / fin,syn,rst,ack counter packets 0 bytes 0 drop
+ iifname "eth0" meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 }
+ }
+
+ chain rpfilter {
+ ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 return
+ ip6 saddr :: ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return
+ fib saddr . iif oif 0 counter packets 0 bytes 0 drop
+ }
+
+ chain blacklist_input_ipv4 {
+ ip saddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } counter packets 0 bytes 0 drop
+ ip saddr @ipv4_blacklist counter packets 0 bytes 0 drop
+ }
+
+ chain blacklist_input_ipv6 {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return
+ udp sport 547 ip6 saddr fe80::/64 return
+ ip6 saddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } counter packets 0 bytes 0 drop
+ ip6 saddr @ipv6_blacklist counter packets 0 bytes 0 drop
+ }
+
+ chain INPUT {
+ type filter hook input priority filter; policy drop;
+ iif "lo" accept
+ ct state established,related accept
+ iifname vmap @if_input
+ log prefix "NFT REJECT IN " flags ip options flags ether limit rate 5/second burst 10 packets reject
+ }
+
+ chain public_input {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept
+ udp sport 547 udp dport 546 ip6 saddr fe80::/64 accept
+ fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+ counter packets 0 bytes 0 drop
+ }
+
+ chain home_input {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+ udp sport 68 udp dport 67 accept
+ udp sport 546 udp dport 547 iifname { "eth1", "eth2.10", "eth2.20" } accept
+ fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ tcp dport 22 iifname "eth1" accept
+ meta l4proto { tcp, udp } th dport 53 jump {
+ ip6 saddr != { fd00::/8, fe80::/64 } counter packets 0 bytes 0 reject with icmpv6 port-unreachable
+ accept
+ }
+ udp dport 123 accept
+ tcp dport 8443 accept
+ }
+
+ chain FORWARD_MANGLE {
+ type filter hook forward priority mangle; policy accept;
+ oifname "eth0" jump {
+ ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+ tcp flags syn / syn,rst tcp option maxseg size set rt mtu
+ }
+ }
+
+ chain blacklist_output_ipv4 {
+ ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } goto log_blacklist
+ ip daddr @ipv4_blacklist goto log_blacklist
+ }
+
+ chain blacklist_output_ipv6 {
+ icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . ff02::16 } return
+ udp dport 547 ip6 daddr ff02::1:2 return
+ ip6 daddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } goto log_blacklist
+ ip6 daddr @ipv6_blacklist goto log_blacklist
+ }
+
+ chain log_blacklist {
+ log prefix "NFT BLACKLIST " flags ip options flags ether limit rate 5/minute burst 10 packets drop
+ counter packets 0 bytes 0 drop
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy drop;
+ ct state established,related accept
+ fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+ iifname vmap @if_forward
+ log prefix "NFT REJECT FWD " flags ip options flags ether limit rate 5/second burst 10 packets reject
+ }
+
+ chain public_forward {
+ udp dport { 5060, 7078-7097 } oifname "eth2.10" jump {
+ ip6 saddr { 2001:db8::1-2001:db8::2 } accept
+ meta nfproto ipv6 log prefix "NFT DROP SIP " flags ip options flags ether limit rate 5/second burst 10 packets drop
+ }
+ counter packets 0 bytes 0 drop
+ }
+
+ chain trusted_forward {
+ oifname "eth0" accept
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ ip daddr { 192.168.3.30, 192.168.4.40 } tcp dport vmap { 22 : accept, 80 : drop, 443 : accept }
+ ip daddr 192.168.2.20 jump {
+ tcp dport { 80, 443, 515, 631, 9100 } accept
+ udp dport 161 accept
+ }
+ }
+
+ chain voip_forward {
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname "eth0" accept
+ ip6 daddr { 2001:db8::1-2001:db8::2 } jump {
+ udp dport { 3478, 5060 } accept
+ udp sport 7078-7097 accept
+ tcp dport 5061 accept
+ }
+ tcp dport 587 ip daddr 10.0.0.1 accept
+ tcp dport 80 oifname "eth0" counter packets 0 bytes 0 reject
+ }
+
+ chain guest_forward {
+ oifname "eth0" accept
+ }
+
+ chain OUTPUT {
+ type filter hook output priority filter; policy drop;
+ oif "lo" accept
+ ct state vmap { invalid : jump ct_invalid_out, established : accept, related : accept, untracked : jump ct_untracked_out }
+ oifname vmap @if_output
+ log prefix "NFT REJECT OUT " flags ip options flags ether limit rate 5/second burst 10 packets reject
+ }
+
+ chain ct_invalid_out {
+ counter packets 0 bytes 0 drop
+ }
+
+ chain ct_untracked_out {
+ icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return
+ counter packets 0 bytes 0 drop
+ }
+
+ chain public_output {
+ ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+ icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+ udp dport 547 ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept
+ udp dport { 53, 123 } accept
+ tcp dport { 443, 587, 853 } accept
+ }
+
+ chain home_output {
+ icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+ udp sport 547 udp dport 546 ip6 saddr fe80::/64 oifname { "eth1", "eth2.10", "eth2.20" } accept
+ udp sport 67 udp dport 68 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
+ tcp dport 22 ip daddr 192.168.1.10 accept
+ }
+
+ chain POSTROUTING_SRCNAT {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip saddr { 192.168.1.0-192.168.4.255 } oifname "eth0" masquerade
+ }
+}
diff --git a/tests/shell/testcases/nft-f/sample-ruleset b/tests/shell/testcases/nft-f/sample-ruleset
new file mode 100755
index 0000000..763e41a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/sample-ruleset
@@ -0,0 +1,262 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+
+$NFT -f /dev/stdin <<"EOF"
+define public_if = eth0
+define trusted_if = eth1
+define voip_if = eth2.10
+define guest_if = eth2.20
+define home_if = { $trusted_if, $voip_if, $guest_if }
+define home_ipv6_if = { $trusted_if, $voip_if, $guest_if }
+
+define masq_ip = { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 }
+define masq_if = $public_if
+
+define host1_ip = 192.168.1.10
+define host2_ip = 192.168.2.20
+define host3_ip = 192.168.3.30
+define host4_ip = 192.168.4.40
+
+define proxy_port = 8443
+
+define private_ip = { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
+define private_ip6 = { fe80::/64, fd00::/8 }
+define bogons_ip = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 }
+define bogons_ip6 = { ::/3, 2001:0002::/48, 2001:0003::/32, 2001:10::/28, 2001:20::/28, 2001::/32, 2001:db8::/32, 2002::/16, 3000::/4, 4000::/2, 8000::/1 }
+
+define sip_whitelist_ip6 = { 2001:db8::1/128, 2001:db8::2/128 }
+define smtps_whitelist_ip = 10.0.0.1
+define protocol_whitelist = { tcp, udp, icmp, ipv6-icmp }
+
+table inet filter {
+ map if_input {
+ type ifname : verdict;
+ elements = { $public_if : jump public_input, $trusted_if : jump home_input, $voip_if : jump home_input, $guest_if : jump home_input }
+ }
+ map if_forward {
+ type ifname : verdict;
+ elements = { $public_if : jump public_forward, $trusted_if : jump trusted_forward, $voip_if : jump voip_forward, $guest_if : jump guest_forward }
+ }
+ map if_output {
+ type ifname : verdict;
+ elements = { $public_if : jump public_output, $trusted_if : jump home_output, $voip_if : jump home_output, $guest_if : jump home_output }
+ }
+
+ set ipv4_blacklist { type ipv4_addr; flags interval; auto-merge; }
+ set ipv6_blacklist { type ipv6_addr; flags interval; auto-merge; }
+ set limit_src_ip { type ipv4_addr; flags dynamic, timeout; size 1024; }
+ set limit_src_ip6 { type ipv6_addr; flags dynamic, timeout; size 1024; }
+
+ chain PREROUTING_RAW {
+ type filter hook prerouting priority raw;
+
+ meta l4proto != $protocol_whitelist counter drop
+ tcp flags syn jump {
+ tcp option maxseg size 1-500 counter drop
+ tcp sport 0 counter drop
+ }
+ rt type 0 counter drop
+ }
+
+ chain PREROUTING_MANGLE {
+ type filter hook prerouting priority mangle;
+
+ ct state vmap { invalid : jump ct_invalid_pre, untracked : jump ct_untracked_pre, new : jump ct_new_pre, related : jump rpfilter }
+ }
+ chain ct_invalid_pre {
+ counter drop
+ }
+ chain ct_untracked_pre {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return
+ counter drop
+ }
+ chain ct_new_pre {
+ jump rpfilter
+
+ tcp flags & (fin|syn|rst|ack) != syn counter drop
+
+ iifname $public_if meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 }
+ }
+ chain rpfilter {
+ ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport bootpc udp dport bootps return
+ ip6 saddr ::/128 ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return
+
+ fib saddr . iif oif eq 0 counter drop
+ }
+ chain blacklist_input_ipv4{
+ ip saddr $bogons_ip counter drop
+ ip saddr @ipv4_blacklist counter drop
+ }
+ chain blacklist_input_ipv6{
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return
+ udp sport dhcpv6-server ip6 saddr fe80::/64 return
+
+ ip6 saddr $bogons_ip6 counter drop
+ ip6 saddr @ipv6_blacklist counter drop
+ }
+
+ chain INPUT {
+ type filter hook input priority filter; policy drop;
+
+ iif lo accept
+
+ ct state established,related accept
+
+ iifname vmap @if_input
+
+ log prefix "NFT REJECT IN " flags ether flags ip options limit rate 5/second burst 10 packets reject
+ }
+ chain public_input {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept
+
+ udp sport dhcpv6-server udp dport dhcpv6-client ip6 saddr fe80::/64 accept
+ fib daddr type { broadcast, multicast, anycast } counter drop
+
+ counter drop
+ }
+ chain home_input {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+ udp sport bootpc udp dport bootps accept
+ udp sport dhcpv6-client udp dport dhcpv6-server iifname $home_ipv6_if accept
+
+ fib daddr type { broadcast, multicast, anycast } counter drop
+
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+
+ tcp dport ssh iifname $trusted_if accept
+
+ meta l4proto { tcp, udp } th dport domain jump {
+ ip6 saddr != $private_ip6 counter reject
+ accept
+ }
+
+ udp dport ntp accept
+
+ tcp dport $proxy_port accept
+ }
+
+ chain FORWARD_MANGLE {
+ type filter hook forward priority mangle;
+
+ oifname $public_if jump {
+ ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+ tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu
+ }
+ }
+ chain blacklist_output_ipv4 {
+ ip daddr $bogons_ip goto log_blacklist
+ ip daddr @ipv4_blacklist goto log_blacklist
+ }
+ chain blacklist_output_ipv6 {
+ icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2/128, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1/128, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . ff02::16/128 } return
+ udp dport dhcpv6-server ip6 daddr ff02::1:2 return
+
+ ip6 daddr $bogons_ip6 goto log_blacklist
+ ip6 daddr @ipv6_blacklist goto log_blacklist
+ }
+ chain log_blacklist {
+ log prefix "NFT BLACKLIST " flags ether flags ip options limit rate 5/minute burst 10 packets drop
+ counter drop
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy drop;
+
+ ct state established,related accept
+
+ fib daddr type { broadcast, multicast, anycast } counter drop
+
+ iifname vmap @if_forward
+
+ log prefix "NFT REJECT FWD " flags ether flags ip options limit rate 5/second burst 10 packets reject
+ }
+ chain public_forward {
+ udp dport { 5060, 7078-7097 } oifname $voip_if jump {
+ ip6 saddr $sip_whitelist_ip6 accept
+ meta nfproto ipv6 log prefix "NFT DROP SIP " flags ether flags ip options limit rate 5/second burst 10 packets drop
+ }
+
+ counter drop
+ }
+ chain trusted_forward {
+ oifname $public_if accept
+
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+
+ ip daddr { $host3_ip, $host4_ip } tcp dport vmap { ssh : accept, https : accept, http : drop }
+
+ ip daddr $host2_ip jump {
+ tcp dport { http, https, printer, ipp, 9100 } accept
+ udp dport snmp accept
+ }
+ }
+ chain voip_forward {
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname $public_if accept
+
+ ip6 daddr $sip_whitelist_ip6 jump {
+ udp dport { 3478, 5060 } accept
+ udp sport { 7078-7097 } accept
+ tcp dport 5061 accept
+ }
+
+ tcp dport 587 ip daddr $smtps_whitelist_ip accept
+ tcp dport http oifname $public_if counter reject
+ }
+ chain guest_forward {
+ oifname $public_if accept
+ }
+
+ chain OUTPUT {
+ type filter hook output priority filter; policy drop;
+
+ oif lo accept
+
+ ct state vmap { established : accept, related : accept, invalid : jump ct_invalid_out, untracked : jump ct_untracked_out }
+
+ oifname vmap @if_output
+
+ log prefix "NFT REJECT OUT " flags ether flags ip options limit rate 5/second burst 10 packets reject
+ }
+ chain ct_invalid_out {
+ counter drop
+ }
+ chain ct_untracked_out {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return
+ counter drop
+ }
+ chain public_output {
+ ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+
+ icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+ udp dport dhcpv6-server ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept
+
+ udp dport { domain, ntp } accept
+ tcp dport { https, 587, domain-s } accept
+ }
+ chain home_output {
+ icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+ udp sport dhcpv6-server udp dport dhcpv6-client ip6 saddr fe80::/64 oifname $home_ipv6_if accept
+ udp sport bootps udp dport bootpc ip saddr $private_ip accept
+ tcp dport ssh ip daddr $host1_ip accept
+ }
+
+ chain POSTROUTING_SRCNAT {
+ type nat hook postrouting priority srcnat;
+
+ meta nfproto ipv4 ip saddr $masq_ip oifname $masq_if masquerade
+ }
+}
+EOF
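Review bot: In `log_blacklist`, `log` is written before `limit rate`, and nft evaluates a rule's statements left to right, so every packet reaching the rule is logged and the limit only gates the trailing `drop`. If the intent is to bound log volume from untrusted traffic, the limit belongs first: `limit rate 5/minute burst 10 packets log prefix "NFT BLACKLIST " flags ether flags ip options drop`. The same ordering appears in the last rule of `INPUT`, `FORWARD` and `OUTPUT` and in the `NFT DROP SIP ` rule of `public_forward`, where limiting only the `reject` may be deliberate. Reordering changes the listed ruleset, so `dumps/sample-ruleset.nft` would have to be regenerated with it.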
diff --git a/tests/shell/testcases/nft-i/0001define_0 b/tests/shell/testcases/nft-i/0001define_0
new file mode 100755
index 0000000..62e1b6d
--- /dev/null
+++ b/tests/shell/testcases/nft-i/0001define_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+# test if using defines in interactive nft sessions works
+
+$NFT -i >/dev/null <<EOF
+add table inet t
+add chain inet t c
+define ports = { 22, 443 }
+add rule inet t c tcp dport \$ports accept
+add rule inet t c udp dport \$ports accept
+EOF
+
+$NFT -i >/dev/null <<EOF
+define port = 22
+flush chain inet t c
+redefine port = 443
+delete chain inet t c
+undefine port
+delete table inet t
+EOF
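Review bot: Both here-documents use an unquoted `EOF` delimiter, so bash expands the body before nft reads it and the rules need `\$ports` to survive. Quoting the delimiter, as the `nft-f/sample-ruleset` test does, passes the text through literally: `$NFT -i >/dev/null <<"EOF"` with `add rule inet t c tcp dport $ports accept`. That also keeps a `$` or backtick added to these sessions later from being interpreted by the shell instead of reaching nft.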
diff --git a/tests/shell/testcases/nft-i/dumps/0001define_0.nft b/tests/shell/testcases/nft-i/dumps/0001define_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-i/dumps/0001define_0.nft
diff --git a/tests/shell/testcases/optimizations/dependency_kill b/tests/shell/testcases/optimizations/dependency_kill
new file mode 100755
index 0000000..904eecf
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dependency_kill
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table bridge foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table ip foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table ip6 foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table netdev foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table inet foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ meta nfproto ipv4 udp dport 67
+ meta nfproto ipv6 udp dport 67
+ }
+}"
+
+$NFT -f - <<< $RULESET
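Review bot: `$RULESET` is unquoted in the here-string on the last line; older bash releases word-split an unquoted here-string word and rejoin it with spaces, which would collapse the multi-line ruleset onto one line before nft parses it. Quoting removes the dependency on the bash version: `$NFT -f - <<< "$RULESET"`. `$NFT` is left unquoted throughout these tests, presumably so it can carry a wrapper command, so only the ruleset expansion needs the change.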
diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft
new file mode 100644
index 0000000..1781f7b
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft
@@ -0,0 +1,42 @@
+table bridge foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table ip foo {
+ chain bar {
+ udp dport 67
+ meta protocol ip6 udp dport 67
+ udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table ip6 foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ udp dport 67
+ ether type ip udp dport 67
+ udp dport 67
+ }
+}
+table netdev foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table inet foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ meta nfproto ipv4 udp dport 67
+ meta nfproto ipv6 udp dport 67
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
new file mode 100644
index 0000000..48d18a6
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
@@ -0,0 +1,40 @@
+table ip test1 {
+ chain y {
+ oif "lo" accept
+ dnat to ip saddr map { 4.4.4.4 : 1.1.1.1, 5.5.5.5 : 2.2.2.2 }
+ }
+}
+table ip test2 {
+ chain y {
+ oif "lo" accept
+ dnat ip to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 }
+ ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade
+ }
+}
+table ip test3 {
+ chain y {
+ oif "lo" accept
+ snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 }
+ oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ tcp dport { 8888, 9999 } redirect
+ }
+}
+table ip test4 {
+ chain y {
+ oif "lo" accept
+ dnat ip to ip daddr . tcp dport map { 1.1.1.1 . 80 : 4.4.4.4 . 8000, 2.2.2.2 . 81 : 3.3.3.3 . 9000 }
+ redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
+ tcp dport 85 redirect
+ }
+}
+table inet nat {
+ chain prerouting {
+ oif "lo" accept
+ dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 }
+ }
+
+ chain postrouting {
+ oif "lo" accept
+ snat ip to ip daddr map { 72.2.3.66 : 10.2.2.2, 72.2.3.67 : 10.2.3.3 }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.nft b/tests/shell/testcases/optimizations/dumps/merge_reject.nft
new file mode 100644
index 0000000..c29ad6d
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_reject.nft
@@ -0,0 +1,13 @@
+table ip x {
+ chain y {
+ ip daddr 172.30.33.70 tcp dport 3306 counter packets 0 bytes 0 drop
+ meta l4proto . ip daddr . tcp dport { tcp . 172.30.238.117 . 8080, tcp . 172.30.33.71 . 3306, tcp . 172.30.254.251 . 3306 } counter packets 0 bytes 0 reject
+ ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+ }
+}
+table ip6 x {
+ chain y {
+ meta l4proto . ip6 daddr . tcp dport { tcp . aaaa::3 . 8080, tcp . aaaa::2 . 3306, tcp . aaaa::4 . 3306 } counter packets 0 bytes 0 reject
+ ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts.nft
new file mode 100644
index 0000000..b56ea3e
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts.nft
@@ -0,0 +1,5 @@
+table ip x {
+ chain y {
+ ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
new file mode 100644
index 0000000..f56cea1
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
@@ -0,0 +1,18 @@
+table ip x {
+ chain y {
+ iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept
+ ip protocol . th dport { tcp . 22, udp . 67 }
+ }
+
+ chain c1 {
+ udp dport . iifname { 51820 . "foo", 514 . "bar", 67 . "bar" } accept
+ }
+
+ chain c2 {
+ udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar" } accept
+ }
+
+ chain c3 {
+ udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar", 100 . "test", 51820 . "test" } accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft
new file mode 100644
index 0000000..780aa09
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft
@@ -0,0 +1,9 @@
+table ip x {
+ chain x {
+ meta pkttype . udp dport vmap { broadcast . 547 : accept, broadcast . 67 : accept, multicast . 1900 : drop }
+ }
+
+ chain y {
+ ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop, 4.4.4.4 . 5.5.5.5 : accept }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft
new file mode 100644
index 0000000..8ecbd92
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft
@@ -0,0 +1,13 @@
+table ip x {
+ chain y {
+ ct state vmap { invalid : drop, established : accept, related : accept }
+ }
+
+ chain z {
+ tcp dport vmap { 1 : accept, 2-3 : drop, 4 : accept }
+ }
+
+ chain w {
+ ip saddr vmap { 1.1.1.1 counter packets 0 bytes 0 : accept, 1.1.1.2 counter packets 0 bytes 0 : drop }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft
new file mode 100644
index 0000000..1884711
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft
@@ -0,0 +1,31 @@
+table inet x {
+ chain nat_dns_dnstc {
+ meta l4proto udp redirect to :5300
+ drop
+ }
+
+ chain nat_dns_this_5301 {
+ meta l4proto udp redirect to :5301
+ drop
+ }
+
+ chain nat_dns_saturn_5301 {
+ meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5301
+ drop
+ }
+
+ chain nat_dns_saturn_5302 {
+ meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5302
+ drop
+ }
+
+ chain nat_dns_saturn_5303 {
+ meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5303
+ drop
+ }
+
+ chain nat_dns_acme {
+ udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0xe31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0xe31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0xe32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0xe38353439353637323038363633390e : goto nat_dns_saturn_5303 }
+ drop
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
new file mode 100644
index 0000000..c981acf
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
@@ -0,0 +1,20 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain filter_in_tcp {
+ }
+
+ chain filter_in_udp {
+ }
+
+ chain y {
+ update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+ tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept }
+ meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp }
+ log
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft
new file mode 100644
index 0000000..02b8920
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft
@@ -0,0 +1,19 @@
+table ip x {
+ chain t1 {
+ }
+
+ chain t2 {
+ }
+
+ chain t3 {
+ }
+
+ chain t4 {
+ }
+
+ chain y {
+ counter packets 0 bytes 0 jump t1
+ counter packets 0 bytes 0 jump t2
+ ip version vmap { 4 : jump t3, 6 : jump t4 }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.nft b/tests/shell/testcases/optimizations/dumps/ruleset.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/ruleset.nft
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
new file mode 100644
index 0000000..3f70303
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
@@ -0,0 +1,16 @@
+table ip test {
+ chain test {
+ ip saddr 127.0.0.1 accept
+ iif "lo" accept
+ tcp dport != 22 drop
+ ip saddr 127.0.0.0/8 accept
+ ip saddr 127.0.0.1-192.168.7.3 accept
+ tcp sport 1-1023 drop
+ ip daddr { 192.168.7.1, 192.168.7.5 } accept
+ tcp dport { 80, 443 } accept
+ ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+ meta mark set ip daddr map { 192.168.0.1 : 0x00000001 }
+ ct state { established, related } accept
+ meta mark { 0x0000000a counter packets 0 bytes 0 }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
new file mode 100644
index 0000000..ecc5691
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
@@ -0,0 +1,38 @@
+table ip test {
+ chain test {
+ # Test cases where anon set can be removed:
+ ip saddr { 127.0.0.1 } accept
+ iif { "lo" } accept
+
+ # negation, can change to != 22.
+ tcp dport != { 22 } drop
+
+ # single prefix, can remove anon set.
+ ip saddr { 127.0.0.0/8 } accept
+
+ # range, can remove anon set.
+ ip saddr { 127.0.0.1-192.168.7.3 } accept
+ tcp sport { 1-1023 } drop
+
+ # Test cases where anon set must be kept.
+
+ # 2 elements, cannot remove the anon set.
+ ip daddr { 192.168.7.1, 192.168.7.5 } accept
+ tcp dport { 80, 443 } accept
+
+ # single element, but concatenation which is not
+ # supported outside of set/map context at this time.
+ ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+
+ # single element, but a map.
+ meta mark set ip daddr map { 192.168.0.1 : 1 }
+
+ # 2 elements. This could be converted because
+ # ct state cannot be both established and related
+ # at the same time, but this needs extra work.
+ ct state { established, related } accept
+
+ # with stateful statement
+ meta mark { 0x0000000a counter }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.nft b/tests/shell/testcases/optimizations/dumps/skip_merge.nft
new file mode 100644
index 0000000..9c10b74
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/skip_merge.nft
@@ -0,0 +1,23 @@
+table inet filter {
+ set udp_accepted {
+ type inet_service
+ elements = { 500, 4500 }
+ }
+
+ set tcp_accepted {
+ type inet_service
+ elements = { 80, 443 }
+ }
+
+ chain udp_input {
+ udp dport 1-128 accept
+ udp dport @udp_accepted accept
+ udp dport 53 accept
+ }
+
+ chain tcp_input {
+ tcp dport { 1-128, 8888-9999 } accept
+ tcp dport @tcp_accepted accept
+ tcp dport 1024-65535 accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft b/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft
new file mode 100644
index 0000000..6df3865
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft
@@ -0,0 +1,6 @@
+table inet x {
+ chain y {
+ iifname "eth0" oifname != "eth0" counter packets 0 bytes 0 accept
+ iifname "eth0" oifname "eth0" counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft
new file mode 100644
index 0000000..f24855e
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft
@@ -0,0 +1,18 @@
+table inet x {
+ set GEOIP_CC_wan-lan_120 {
+ type ipv4_addr
+ flags interval
+ elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128,
+ 1.32.207.0/24, 1.32.216.118-1.32.216.255,
+ 1.32.219.0-1.32.222.255, 1.32.226.0/23,
+ 1.32.231.0/24, 1.32.233.0/24,
+ 1.32.238.0/23, 1.32.240.0/24,
+ 223.223.220.0/22, 223.255.254.0/24 }
+ }
+
+ chain y {
+ ip saddr 1.2.3.4 tcp dport 80 meta mark set 0x0000000a accept
+ ip saddr 1.2.3.4 tcp dport 81 meta mark set 0x0000000b accept
+ ip saddr . tcp dport { 1.2.3.5 . 81, 1.2.3.5 . 82 } accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/variables.nft b/tests/shell/testcases/optimizations/dumps/variables.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/variables.nft
diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat
new file mode 100755
index 0000000..3a57d94
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_nat
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip test1 {
+ chain y {
+ oif lo accept
+ ip saddr 4.4.4.4 dnat to 1.1.1.1
+ ip saddr 5.5.5.5 dnat to 2.2.2.2
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip test2 {
+ chain y {
+ oif lo accept
+ tcp dport 80 dnat to 1.1.1.1:8001
+ tcp dport 81 dnat to 2.2.2.2:9001
+ ip saddr 10.141.11.0/24 masquerade
+ ip saddr 10.141.13.0/24 masquerade
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip test3 {
+ chain y {
+ oif lo accept
+ ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3
+ ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4
+ oifname enp2s0 snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ tcp dport 8888 redirect
+ tcp dport 9999 redirect
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip test4 {
+ chain y {
+ oif lo accept
+ ip daddr 1.1.1.1 tcp dport 80 dnat to 4.4.4.4:8000
+ ip daddr 2.2.2.2 tcp dport 81 dnat to 3.3.3.3:9000
+ tcp dport 83 redirect to :8083
+ tcp dport 84 redirect to :8084
+ tcp dport 85 redirect
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table inet nat {
+ chain prerouting {
+ oif lo accept
+ iifname enp2s0 ip daddr 72.2.3.66 tcp dport 53122 dnat to 10.1.1.10:22
+ iifname enp2s0 ip daddr 72.2.3.66 tcp dport 443 dnat to 10.1.1.52:443
+ iifname enp2s0 ip daddr 72.2.3.70 tcp dport 80 dnat to 10.1.1.52:80
+ }
+ chain postrouting {
+ oif lo accept
+ ip daddr 72.2.3.66 snat to 10.2.2.2
+ ip daddr 72.2.3.67 snat to 10.2.3.3
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
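Review bot: The here-string operand is unquoted in all five `$NFT -o -f - <<< $RULESET` calls of this script, while the tests under optionals/ in the same diff write `<<< "$EXPECTED"`. Older bash releases word-split an unquoted here-string and rejoin it with single spaces, so the multi-line ruleset would reach nft as one line and the result would depend on the shell version rather than on the optimizer. I would write `$NFT -o -f - <<< "$RULESET"` here. The same applies to the other new scripts in optimizations/ that feed `$RULESET` through a here-string (merge_reject through variables).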
diff --git a/tests/shell/testcases/optimizations/merge_reject b/tests/shell/testcases/optimizations/merge_reject
new file mode 100755
index 0000000..c0ef9ca
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_reject
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ meta l4proto tcp ip daddr 172.30.33.70 tcp dport 3306 counter packets 0 bytes 0 drop
+ meta l4proto tcp ip daddr 172.30.33.71 tcp dport 3306 counter packets 0 bytes 0 reject
+ meta l4proto tcp ip daddr 172.30.238.117 tcp dport 8080 counter packets 0 bytes 0 reject
+ meta l4proto tcp ip daddr 172.30.254.251 tcp dport 3306 counter packets 0 bytes 0 reject
+ meta l4proto tcp ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip6 x {
+ chain y {
+ meta l4proto tcp ip6 daddr aaaa::2 tcp dport 3306 counter packets 0 bytes 0 reject
+ meta l4proto tcp ip6 daddr aaaa::3 tcp dport 8080 counter packets 0 bytes 0 reject
+ meta l4proto tcp ip6 daddr aaaa::4 tcp dport 3306 counter packets 0 bytes 0 reject
+ meta l4proto tcp ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_stmts b/tests/shell/testcases/optimizations/merge_stmts
new file mode 100755
index 0000000..ec7a9dd
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_stmts
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ ip daddr 192.168.0.1 counter accept comment "test1"
+ ip daddr 192.168.0.2 counter accept comment "test2"
+ ip daddr 192.168.0.3 counter accept comment "test3"
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
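Review bot: The double quotes around `"test1"`, `"test2"` and `"test3"` sit inside a double-quoted shell string, so they close and reopen it, and nft receives `comment test1` with no quotes at all. The test still loads because the bare word is accepted, but it does not exercise the quoted form the source suggests. skip_unsupported in this diff escapes them; doing the same here gives `ip daddr 192.168.0.1 counter accept comment \"test1\"`. The same pattern appears with `iifname "foo"` in merge_stmts_concat and with `"eth0"` in skip_non_eq.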
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat b/tests/shell/testcases/optimizations/merge_stmts_concat
new file mode 100755
index 0000000..9679d86
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
+ meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
+ meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
+ meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
+ meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
+ ip protocol . th dport { tcp . 22, udp . 67 }
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip x {
+ chain c1 {
+ udp dport 51820 iifname "foo" accept
+ udp dport { 67, 514 } iifname "bar" accept
+ }
+
+ chain c2 {
+ udp dport { 51820, 100 } iifname "foo" accept
+ udp dport { 67, 514 } iifname "bar" accept
+ }
+
+ chain c3 {
+ udp dport { 51820, 100 } iifname { "foo", "test" } accept
+ udp dport { 67, 514 } iifname "bar" accept
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
new file mode 100755
index 0000000..657d0ae
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain x {
+ meta pkttype broadcast udp dport { 67, 547 } accept
+ meta pkttype multicast udp dport 1900 drop
+ }
+ chain y {
+ ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
+ ip saddr 4.4.4.4 ip daddr 5.5.5.5 accept
+ ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_stmts_vmap b/tests/shell/testcases/optimizations/merge_stmts_vmap
new file mode 100755
index 0000000..6e0f076
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_stmts_vmap
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ ct state invalid drop
+ ct state established,related accept
+ }
+ chain z {
+ tcp dport { 1 } accept
+ tcp dport 2-3 drop
+ tcp dport 4 accept
+ }
+ chain w {
+ ip saddr 1.1.1.1 counter accept
+ ip saddr 1.1.1.2 counter drop
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_vmap_raw b/tests/shell/testcases/optimizations/merge_vmap_raw
new file mode 100755
index 0000000..f3dc072
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_vmap_raw
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet x {
+ chain nat_dns_dnstc { meta l4proto udp redirect to :5300 ; drop ; }
+ chain nat_dns_this_5301 { meta l4proto udp redirect to :5301 ; drop ; }
+ chain nat_dns_saturn_5301 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5301 ; drop ; }
+ chain nat_dns_saturn_5302 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5302 ; drop ; }
+ chain nat_dns_saturn_5303 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5303 ; drop ; }
+
+ chain nat_dns_acme {
+ udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 \
+ goto nat_dns_dnstc
+
+ udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e \
+ goto nat_dns_this_5301
+
+ udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e \
+ goto nat_dns_saturn_5301
+
+ udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e \
+ goto nat_dns_saturn_5302
+
+ udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e \
+ goto nat_dns_saturn_5303
+
+ drop
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_vmaps b/tests/shell/testcases/optimizations/merge_vmaps
new file mode 100755
index 0000000..e2e4be1
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_vmaps
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ set s {
+ type ipv4_addr
+ flags dynamic
+ }
+ chain filter_in_tcp {
+ }
+ chain filter_in_udp {
+ }
+ chain y {
+ update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+ tcp dport vmap {
+ 80 : accept,
+ 81 : accept,
+ 443 : accept,
+ }
+ tcp dport vmap {
+ 8000-8100 : accept,
+ 24000-25000 : accept,
+ }
+ meta l4proto tcp goto filter_in_tcp
+ meta l4proto udp goto filter_in_udp
+ log
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/not_mergeable b/tests/shell/testcases/optimizations/not_mergeable
new file mode 100755
index 0000000..ddb2f0f
--- /dev/null
+++ b/tests/shell/testcases/optimizations/not_mergeable
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain t1 {
+ }
+ chain t2 {
+ }
+ chain t3 {
+ }
+ chain t4 {
+ }
+ chain y {
+ counter jump t1
+ counter jump t2
+ ip version 4 jump t3
+ ip version 6 jump t4
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/ruleset b/tests/shell/testcases/optimizations/ruleset
new file mode 100755
index 0000000..ef2652d
--- /dev/null
+++ b/tests/shell/testcases/optimizations/ruleset
@@ -0,0 +1,168 @@
+#!/bin/bash
+
+RULESET="table inet uni {
+ chain gtfo {
+ reject with icmpx type host-unreachable
+ drop
+ }
+
+ chain filter_in_tcp {
+ tcp dport vmap {
+ 80 : accept,
+ 81 : accept,
+ 443 : accept,
+ 931 : accept,
+ 5001 : accept,
+ 5201 : accept,
+ }
+ tcp dport vmap {
+ 6800-6999 : accept,
+ 33434-33499 : accept,
+ }
+
+ drop
+ }
+
+ chain filter_in_udp {
+ udp dport vmap {
+ 53 : accept,
+ 123 : accept,
+ 846 : accept,
+ 849 : accept,
+ 5001 : accept,
+ 5201 : accept,
+ }
+ udp dport vmap {
+ 5300-5399 : accept,
+ 6800-6999 : accept,
+ 33434-33499 : accept,
+ }
+
+ drop
+ }
+
+ chain filter_in {
+ type filter hook input priority 0; policy drop;
+
+ ct state vmap {
+ invalid : drop,
+ established : accept,
+ related : accept,
+ untracked : accept,
+ }
+
+ ct status vmap {
+ dnat : accept,
+ snat : accept,
+ }
+
+ iif lo accept
+
+ meta iifgroup {100-199} accept
+
+ meta l4proto tcp goto filter_in_tcp
+ meta l4proto udp goto filter_in_udp
+
+ icmp type vmap {
+ echo-request : accept,
+ }
+ ip6 nexthdr icmpv6 icmpv6 type vmap {
+ echo-request : accept,
+ }
+ }
+
+ chain filter_fwd_ifgroup {
+ meta iifgroup . oifgroup vmap {
+ 100 . 10 : accept,
+ 100 . 100 : accept,
+ 100 . 101 : accept,
+ 101 . 101 : accept,
+ }
+ goto gtfo
+ }
+
+ chain filter_fwd {
+ type filter hook forward priority 0; policy drop;
+
+ fib daddr type broadcast drop
+
+ ct state vmap {
+ invalid : drop,
+ established : accept,
+ related : accept,
+ untracked : accept,
+ }
+
+ ct status vmap {
+ dnat : accept,
+ snat : accept,
+ }
+
+ meta iifgroup {100-199} goto filter_fwd_ifgroup
+ }
+
+ chain nat_fwd_tun {
+ meta l4proto tcp redirect to :15
+ udp dport 53 redirect to :13
+ goto gtfo
+ }
+
+ chain nat_dns_dnstc { meta l4proto udp redirect to :5300 ; drop ; }
+ chain nat_dns_this_5301 { meta l4proto udp redirect to :5301 ; drop ; }
+ chain nat_dns_moon_5301 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5301 ; drop ; }
+ chain nat_dns_moon_5302 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5302 ; drop ; }
+ chain nat_dns_moon_5303 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5303 ; drop ; }
+
+ chain nat_dns_acme {
+ udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 \
+ goto nat_dns_dnstc
+
+ udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e \
+ goto nat_dns_this_5301
+
+ udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e \
+ goto nat_dns_moon_5301
+
+ udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e \
+ goto nat_dns_moon_5302
+
+ udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e \
+ goto nat_dns_moon_5303
+
+ drop
+ }
+
+ chain nat_prerouting {
+ type nat hook prerouting priority -100; policy accept;
+
+ iifgroup 10 udp dport 53 goto nat_dns_acme
+ iifgroup 10 accept
+
+ ip daddr 198.19.0.0/16 goto nat_fwd_tun
+ ip6 daddr fc00::/8 goto nat_fwd_tun
+
+ tcp dport 53 redirect to :25302
+ udp dport 53 redirect to :25302
+ }
+
+ chain nat_output {
+ type nat hook output priority -100; policy accept;
+
+ ip daddr 198.19.0.0/16 goto nat_fwd_tun
+ ip6 daddr fc00::/8 goto nat_fwd_tun
+ }
+
+ chain nat_postrouting {
+ type nat hook postrouting priority 100; policy accept;
+
+ oif != lo masquerade
+ }
+
+ chain mangle_forward {
+ type filter hook forward priority -150; policy accept;
+
+ tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu
+ }
+}"
+
+$NFT -o -c -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/single_anon_set b/tests/shell/testcases/optimizations/single_anon_set
new file mode 100755
index 0000000..7275e36
--- /dev/null
+++ b/tests/shell/testcases/optimizations/single_anon_set
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+# Input file contains rules with anon sets that contain
+# one element, plus extra rule with two elements (that should be
+# left alone).
+
+# Dump file has the simplified rules where anon sets have been
+# replaced by equality tests where possible.
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile".input
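Review bot: `$0` is expanded unquoted in both command substitutions, so the script breaks when the test tree is checked out under a path containing whitespace; `dumpfile="$(dirname "$0")/dumps/$(basename "$0").nft"` avoids that. Separately, this is the only script in optimizations/ here that loads its ruleset without `-o`, and the comment above does not say why. If the simplification of single-element anonymous sets is expected to happen without the optimizer flag, a line such as `# no -o: this simplification does not depend on the optimizer` would stop a later reader from "fixing" it; please confirm that is the intent.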
diff --git a/tests/shell/testcases/optimizations/skip_merge b/tests/shell/testcases/optimizations/skip_merge
new file mode 100755
index 0000000..8af976c
--- /dev/null
+++ b/tests/shell/testcases/optimizations/skip_merge
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+ set udp_accepted {
+ type inet_service;
+ elements = {
+ isakmp, ipsec-nat-t
+ }
+ }
+
+ set tcp_accepted {
+ type inet_service;
+ elements = {
+ http, https
+ }
+ }
+
+ chain udp_input {
+ udp dport 1-128 accept
+ udp dport @udp_accepted accept
+ udp dport domain accept
+ }
+
+ chain tcp_input {
+ tcp dport 1-128 accept
+ tcp dport 8888-9999 accept
+ tcp dport @tcp_accepted accept
+ tcp dport 1024-65535 accept
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/skip_non_eq b/tests/shell/testcases/optimizations/skip_non_eq
new file mode 100755
index 0000000..431ed0a
--- /dev/null
+++ b/tests/shell/testcases/optimizations/skip_non_eq
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet x {
+ chain y {
+ iifname "eth0" oifname != "eth0" counter packets 0 bytes 0 accept
+ iifname "eth0" oifname "eth0" counter packets 0 bytes 0 accept
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/skip_unsupported b/tests/shell/testcases/optimizations/skip_unsupported
new file mode 100755
index 0000000..6baa828
--- /dev/null
+++ b/tests/shell/testcases/optimizations/skip_unsupported
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet x {
+ set GEOIP_CC_wan-lan_120 {
+ type ipv4_addr
+ flags interval
+ elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128,
+ 1.32.207.0/24, 1.32.216.118-1.32.216.255,
+ 1.32.219.0-1.32.222.255, 1.32.226.0/23,
+ 1.32.231.0/24, 1.32.233.0/24,
+ 1.32.238.0/23, 1.32.240.0/24,
+ 223.223.220.0/22, 223.255.254.0/24 }
+ }
+
+ chain y {
+ ip saddr 1.2.3.4 tcp dport 80 meta mark set 10 accept
+ ip saddr 1.2.3.4 tcp dport 81 meta mark set 11 accept
+ ip saddr 1.2.3.5 tcp dport 81 accept comment \"test\"
+ ip saddr 1.2.3.5 tcp dport 82 accept
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/variables b/tests/shell/testcases/optimizations/variables
new file mode 100755
index 0000000..fa98606
--- /dev/null
+++ b/tests/shell/testcases/optimizations/variables
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define addrv4_vpnnet = 10.1.0.0/16
+
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+
+ ip saddr \$addrv4_vpnnet counter masquerade fully-random comment \"masquerade ipv4\"
+ }
+}"
+
+$NFT -c -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optionals/comments_0 b/tests/shell/testcases/optionals/comments_0
new file mode 100755
index 0000000..ab85936
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# comments are shown
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept comment test_comment
+$NFT -a list table test | grep 'accept comment \"test_comment\"' >/dev/null
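Review bot: The backslashes in `'accept comment \"test_comment\"'` are inside single quotes, so they are passed to grep as part of the pattern. A backslash before an ordinary character has no defined meaning in a basic regular expression, and newer GNU grep versions warn about it, which adds noise to the test log. The pattern can simply be `grep 'accept comment "test_comment"' >/dev/null`. The same pattern is used twice in comments_handles_0.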
diff --git a/tests/shell/testcases/optionals/comments_chain_0 b/tests/shell/testcases/optionals/comments_chain_0
new file mode 100755
index 0000000..fba961c
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_chain_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+EXPECTED='table ip test_table {
+ chain test_chain {
+ comment "test"
+ }
+}
+'
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/optionals/comments_handles_0 b/tests/shell/testcases/optionals/comments_handles_0
new file mode 100755
index 0000000..a01df1d
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_handles_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# handles and comments mix well
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept comment test_comment
+set -e
+$NFT -a list table test | grep 'accept comment \"test_comment\" # handle '[[:digit:]]$ >/dev/null
+$NFT list table test | grep 'accept comment \"test_comment\"' | grep -v '# handle '[[:digit:]]$ >/dev/null
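Review bot: In both grep calls the `[[:digit:]]$` part sits outside the single quotes, so the shell treats the whole word as a glob before grep sees it. It normally survives because no file matches, but that depends on the working directory and on shell options such as `nullglob` or `failglob`. Keeping the bracket expression inside the quotes removes the dependency: `grep 'accept comment "test_comment" # handle [[:digit:]]$' >/dev/null`, and likewise `grep -v '# handle [[:digit:]]$'` on the second line.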
diff --git a/tests/shell/testcases/optionals/comments_objects_0 b/tests/shell/testcases/optionals/comments_objects_0
new file mode 100755
index 0000000..7437c77
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_objects_0
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+ quota q {
+ over 1200 bytes
+ comment "test1"
+ }
+
+ counter c {
+ packets 0 bytes 0
+ comment "test2"
+ }
+
+ ct helper h {
+ type "sip" protocol tcp
+ l3proto ip
+ comment "test3"
+ }
+
+ ct expectation e {
+ protocol tcp
+ dport 666
+ timeout 100ms
+ size 96
+ l3proto ip
+ comment "test4"
+ }
+
+ limit l {
+ rate 400/hour
+ comment "test5"
+ }
+
+ synproxy s {
+ mss 1460
+ wscale 2
+ comment "test6"
+ }
+}
+'
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/optionals/comments_objects_dup_0 b/tests/shell/testcases/optionals/comments_objects_dup_0
new file mode 100755
index 0000000..79d975a
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_objects_dup_0
@@ -0,0 +1,97 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+ quota q {
+ over 1200 bytes
+ comment "test1"
+ comment "test1"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ counter c {
+ packets 0 bytes 0
+ comment "test2"
+ comment "test2"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ ct helper h {
+ type "sip" protocol tcp
+ l3proto ip
+ comment "test3"
+ comment "test3"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ ct expectation e {
+ protocol tcp
+ dport 666
+ timeout 100ms
+ size 96
+ l3proto ip
+ comment "test4"
+ comment "test4"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ limit l {
+ rate 400/hour
+ comment "test5"
+ comment "test5"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+EXPECTED='table ip filter {
+ synproxy s {
+ mss 1460
+ wscale 2
+ comment "test6"
+ comment "test6"
+ }
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
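Review bot: The stanza `$NFT -f - <<< "$EXPECTED"` followed by `if [ $? -eq 0 ]` is repeated six times, and it treats every non-zero status as the expected rejection. If nft is killed by a signal or cannot be started, the test still passes, so it may hide a crash on the duplicate-comment path. A small helper such as `expect_fail() { if $NFT -f - <<< "$1"; then exit 1; fi; }` would remove the repetition; checking for the specific error status nft returns on a rejected ruleset would make the test stricter, if that status is stable. The variable name `EXPECTED` is also misleading here, since it holds input that must be refused; something like `BAD_RULESET` reads better.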
diff --git a/tests/shell/testcases/optionals/comments_table_0 b/tests/shell/testcases/optionals/comments_table_0
new file mode 100755
index 0000000..a0dfd74
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_table_0
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# comments are shown
+
+$NFT add table test { comment \"test_comment\"\; }
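Review bot: The header comment `# comments are shown` is the one used in comments_0, but this script only adds the table and never lists it. Whether the comment is actually shown is presumably checked by the harness against dumps/comments_table_0.nft, not by the script itself. I would reword the header to say so, for example `# table comment is accepted; the listing is checked against the dump file`.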
diff --git a/tests/shell/testcases/optionals/delete_object_handles_0 b/tests/shell/testcases/optionals/delete_object_handles_0
new file mode 100755
index 0000000..9b65e67
--- /dev/null
+++ b/tests/shell/testcases/optionals/delete_object_handles_0
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add counter test-ip https-traffic
+$NFT add quota test-ip https-quota 25 mbytes
+$NFT add map test-ip ports { type inet_service : quota \; }
+$NFT add table ip6 test-ip6
+$NFT add quota ip6 test-ip6 http-quota over 25 mbytes
+$NFT add counter ip6 test-ip6 http-traffic
+$NFT add quota ip6 test-ip6 ssh-quota 10 mbytes
+
+counter_handle=$($NFT -a list ruleset | awk '/https-traffic/{print $NF}')
+quota_handle=$($NFT -a list ruleset | awk '/ssh-quota/{print $NF}')
+$NFT delete counter test-ip handle $counter_handle
+$NFT delete quota ip6 test-ip6 handle $quota_handle
+
+EXPECTED="table ip test-ip {
+ quota https-quota {
+ 25 mbytes
+ }
+
+ map ports {
+ type inet_service : quota
+ }
+}
+table ip6 test-ip6 {
+ quota http-quota {
+ over 25 mbytes
+ }
+
+ counter http-traffic {
+ packets 0 bytes 0
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
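Review bot: The two handle lookups are not protected by `set -e`, because the status of `$($NFT -a list ruleset | awk ...)` is awk's and `pipefail` is not set. If the listing fails or the name is not found, the handle is empty and the error only shows up later as a confusing syntax error from `$NFT delete ... handle`. A guard right after the assignments makes the failure point clear: `if [ -z "$counter_handle" ] || [ -z "$quota_handle" ]; then exit 1; fi`. Quoting the handles in the delete commands (`handle "$counter_handle"`) is also worth doing.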
diff --git a/tests/shell/testcases/optionals/dumps/comments_0.nft b/tests/shell/testcases/optionals/dumps/comments_0.nft
new file mode 100644
index 0000000..f47e0d5
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+ chain test {
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_chain_0.nft b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft
new file mode 100644
index 0000000..be3d8f3
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft
@@ -0,0 +1,5 @@
+table ip test_table {
+ chain test_chain {
+ comment "test"
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
new file mode 100644
index 0000000..f47e0d5
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+ chain test {
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft
new file mode 100644
index 0000000..b760ced
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft
@@ -0,0 +1,37 @@
+table ip filter {
+ quota q {
+ comment "test1"
+ over 1200 bytes
+ }
+
+ counter c {
+ comment "test2"
+ packets 0 bytes 0
+ }
+
+ ct helper h {
+ comment "test3"
+ type "sip" protocol tcp
+ l3proto ip
+ }
+
+ ct expectation e {
+ comment "test4"
+ protocol tcp
+ dport 666
+ timeout 100ms
+ size 96
+ l3proto ip
+ }
+
+ limit l {
+ comment "test5"
+ rate 400/hour
+ }
+
+ synproxy s {
+ comment "test6"
+ mss 1460
+ wscale 2
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft
diff --git a/tests/shell/testcases/optionals/dumps/comments_table_0.nft b/tests/shell/testcases/optionals/dumps/comments_table_0.nft
new file mode 100644
index 0000000..32ae3c2
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_table_0.nft
@@ -0,0 +1,3 @@
+table ip test {
+ comment "test_comment"
+}
diff --git a/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft
new file mode 100644
index 0000000..aac03cc
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft
@@ -0,0 +1,18 @@
+table ip test-ip {
+ quota https-quota {
+ 25 mbytes
+ }
+
+ map ports {
+ type inet_service : quota
+ }
+}
+table ip6 test-ip6 {
+ quota http-quota {
+ over 25 mbytes
+ }
+
+ counter http-traffic {
+ packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/handles_0.nft b/tests/shell/testcases/optionals/dumps/handles_0.nft
new file mode 100644
index 0000000..085c6cf
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/handles_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+ chain test {
+ tcp dport 22 counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/handles_1.nft b/tests/shell/testcases/optionals/dumps/handles_1.nft
new file mode 100644
index 0000000..085c6cf
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/handles_1.nft
@@ -0,0 +1,5 @@
+table ip test {
+ chain test {
+ tcp dport 22 counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/log_prefix_0.nft b/tests/shell/testcases/optionals/dumps/log_prefix_0.nft
new file mode 100644
index 0000000..8c11d69
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/log_prefix_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ chain y {
+ ct state invalid log prefix "invalid state match, logging:"
+ }
+}
diff --git a/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft
new file mode 100644
index 0000000..f391b63
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft
@@ -0,0 +1,9 @@
+table ip test-ip {
+ counter traffic-counter {
+ packets 0 bytes 0
+ }
+
+ quota traffic-quota {
+ 50 mbytes
+ }
+}
diff --git a/tests/shell/testcases/optionals/handles_0 b/tests/shell/testcases/optionals/handles_0
new file mode 100755
index 0000000..80f3c5b
--- /dev/null
+++ b/tests/shell/testcases/optionals/handles_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# handles are shown last
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept
+$NFT -a list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null
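Review bot: The bracket expression in the grep pattern sits outside the single quotes (`'accept # handle '[[:digit:]]$`), so the shell treats it as a glob before grep ever sees it. Quoting the whole regex, `grep -q 'accept # handle [[:digit:]]$'`, removes that dependency on the contents of the working directory and makes the `>/dev/null` redirect unnecessary. The same pattern is used in handles_1.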
diff --git a/tests/shell/testcases/optionals/handles_1 b/tests/shell/testcases/optionals/handles_1
new file mode 100755
index 0000000..c00abfe
--- /dev/null
+++ b/tests/shell/testcases/optionals/handles_1
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# handles are not shown if not asked for them
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept
+( $NFT list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null ) && exit 1
+
+exit 0
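Review bot: This negative check passes vacuously when the setup fails: there is no `set -e`, so if any `$NFT add` call errors out the listing is empty, grep finds nothing and the script reaches `exit 0`. Adding `set -e` after the shebang (the `( … ) && exit 1` list does not trip it) or `|| exit 1` on the three setup lines closes the gap. rule_management/0002addinsertlocation_1 has the same shape: its `$NFT -f - <<< "$RULESET"` is unchecked, and a failed load makes every `|| continue` fire so the script ends in `exit 0`.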
diff --git a/tests/shell/testcases/optionals/log_prefix_0 b/tests/shell/testcases/optionals/log_prefix_0
new file mode 100755
index 0000000..513a9e7
--- /dev/null
+++ b/tests/shell/testcases/optionals/log_prefix_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+TMP=$(mktemp)
+
+RULESET='define test = "state"
+define foo = "match, logging"
+
+table x {
+ chain y {
+ ct state invalid log prefix "invalid $test $foo:"
+ }
+}'
+
+$NFT -f - <<< "$RULESET"
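Review bot: `TMP=$(mktemp)` creates a temporary file that nothing below reads, writes or removes, so every run leaves a stray file behind. The ruleset is fed through the here-string, so the line can simply be dropped. If a temp file is needed later, pair it with `trap 'rm -f "$TMP"' EXIT`.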
diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
new file mode 100755
index 0000000..8b12b8c
--- /dev/null
+++ b/tests/shell/testcases/optionals/update_object_handles_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add counter test-ip traffic-counter
+$NFT add counter test-ip traffic-counter
+$NFT add quota test-ip traffic-quota 25 mbytes
+$NFT add quota test-ip traffic-quota 50 mbytes
+
+EXPECTED="table ip test-ip {
+ counter traffic-counter {
+ packets 0 bytes 0
+ }
+
+ quota traffic-quota {
+ 50 mbytes
+ }
+}"
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/owner/0001-flowtable-uaf b/tests/shell/testcases/owner/0001-flowtable-uaf
new file mode 100755
index 0000000..c07e8d6
--- /dev/null
+++ b/tests/shell/testcases/owner/0001-flowtable-uaf
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner)
+
+set -e
+
+$NFT -f - <<EOF
+table t {
+ flags owner
+ flowtable f {
+ hook ingress priority 0
+ devices = { lo }
+ }
+}
+EOF
+
+# trigger uaf.
+$NFT -f - <<EOF
+table t {
+ flags owner
+ flowtable f {
+ hook ingress priority 0
+ devices = { lo }
+ }
+}
+EOF
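Review bot: The `# trigger uaf.` comment does not say how a regression would show up: the script only checks the exit status of the two `$NFT -f -` loads, and a kernel use-after-free need not make nft fail. I would expand the comment to something like `# Reload the identical owner table; this used to hit a kernel use-after-free. nft may still return 0, so check the kernel log (e.g. a KASAN build) for the regression.` The KASAN part is my assumption about how the original bug was observed and should be confirmed against the kernel fix this test belongs to.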
diff --git a/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft
diff --git a/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump b/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump
diff --git a/tests/shell/testcases/packetpath/vlan_8021ad_tag b/tests/shell/testcases/packetpath/vlan_8021ad_tag
new file mode 100755
index 0000000..379a571
--- /dev/null
+++ b/tests/shell/testcases/packetpath/vlan_8021ad_tag
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+
+ip -net "$ns1" link add vlan123 link veth0 type vlan id 123 proto 802.1ad
+ip -net "$ns2" link add vlan123 link veth0 type vlan id 123 proto 802.1ad
+
+
+for dev in veth0 vlan123; do
+ ip -net "$ns1" link set $dev up
+ ip -net "$ns2" link set $dev up
+done
+
+ip -net "$ns1" addr add 10.1.1.1/24 dev vlan123
+ip -net "$ns2" addr add 10.1.1.2/24 dev vlan123
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table netdev t {
+ chain c {
+ type filter hook ingress device veth0 priority filter;
+ ether saddr da:d3:00:01:02:03 ether type 8021ad vlan id 123 ip daddr 10.1.1.2 icmp type echo-request counter
+ }
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.2
+
+ip netns exec "$ns2" $NFT list ruleset
+ip netns exec "$ns2" $NFT list chain netdev t c | grep 'counter packets 1 bytes 84'
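Review bot: Quoting is inconsistent in this script: `$ns1` and `$ns2` are quoted everywhere except in `ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2`, and `$dev` is bare inside the loop. The values are safe as generated here, but matching the rest of the file keeps the script lint-clean: `ip link add veth0 netns "$ns1" type veth peer name veth0 netns "$ns2"` and `link set "$dev" up`.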
diff --git a/tests/shell/testcases/parsing/describe b/tests/shell/testcases/parsing/describe
new file mode 100755
index 0000000..2ee072e
--- /dev/null
+++ b/tests/shell/testcases/parsing/describe
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+errmsg='Error: unknown ip option type/field'
+
+str=$($NFT describe ip option rr value 2>&1 | head -n 1)
+
+[ "$str" = "$errmsg" ] && exit 0
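Review bot: The failure path is implicit and silent: when the strings differ the script falls off the end with the status of `[`, and nothing shows what nft actually printed. An explicit tail after the comparison makes a failing run diagnosable: `echo "unexpected output: $str" >&2` followed by `exit 1`.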
diff --git a/tests/shell/testcases/parsing/dumps/describe.nft b/tests/shell/testcases/parsing/dumps/describe.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/describe.nft
diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft
new file mode 100644
index 0000000..1583275
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft
@@ -0,0 +1,561 @@
+table ip firewalld {
+ chain nat_PREROUTING {
+ type nat hook prerouting priority dstnat + 10; policy accept;
+ jump nat_PREROUTING_ZONES_SOURCE
+ jump nat_PREROUTING_ZONES
+ }
+
+ chain nat_PREROUTING_ZONES_SOURCE {
+ }
+
+ chain nat_PREROUTING_ZONES {
+ iifname "enp0s25" goto nat_PRE_home
+ goto nat_PRE_public
+ }
+
+ chain nat_POSTROUTING {
+ type nat hook postrouting priority srcnat + 10; policy accept;
+ jump nat_POSTROUTING_ZONES_SOURCE
+ jump nat_POSTROUTING_ZONES
+ }
+
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ }
+
+ chain nat_POSTROUTING_ZONES {
+ oifname "enp0s25" goto nat_POST_home
+ goto nat_POST_public
+ }
+
+ chain nat_PRE_public {
+ jump nat_PRE_public_log
+ jump nat_PRE_public_deny
+ jump nat_PRE_public_allow
+ }
+
+ chain nat_PRE_public_log {
+ }
+
+ chain nat_PRE_public_deny {
+ }
+
+ chain nat_PRE_public_allow {
+ }
+
+ chain nat_POST_public {
+ jump nat_POST_public_log
+ jump nat_POST_public_deny
+ jump nat_POST_public_allow
+ }
+
+ chain nat_POST_public_log {
+ }
+
+ chain nat_POST_public_deny {
+ }
+
+ chain nat_POST_public_allow {
+ }
+
+ chain nat_PRE_home {
+ jump nat_PRE_home_log
+ jump nat_PRE_home_deny
+ jump nat_PRE_home_allow
+ }
+
+ chain nat_PRE_home_log {
+ }
+
+ chain nat_PRE_home_deny {
+ }
+
+ chain nat_PRE_home_allow {
+ }
+
+ chain nat_POST_home {
+ jump nat_POST_home_log
+ jump nat_POST_home_deny
+ jump nat_POST_home_allow
+ }
+
+ chain nat_POST_home_log {
+ }
+
+ chain nat_POST_home_deny {
+ }
+
+ chain nat_POST_home_allow {
+ }
+
+ chain nat_PRE_work {
+ jump nat_PRE_work_log
+ jump nat_PRE_work_deny
+ jump nat_PRE_work_allow
+ }
+
+ chain nat_PRE_work_log {
+ }
+
+ chain nat_PRE_work_deny {
+ }
+
+ chain nat_PRE_work_allow {
+ }
+
+ chain nat_POST_work {
+ jump nat_POST_work_log
+ jump nat_POST_work_deny
+ jump nat_POST_work_allow
+ }
+
+ chain nat_POST_work_log {
+ }
+
+ chain nat_POST_work_deny {
+ }
+
+ chain nat_POST_work_allow {
+ }
+}
+table ip6 firewalld {
+ chain nat_PREROUTING {
+ type nat hook prerouting priority dstnat + 10; policy accept;
+ jump nat_PREROUTING_ZONES_SOURCE
+ jump nat_PREROUTING_ZONES
+ }
+
+ chain nat_PREROUTING_ZONES_SOURCE {
+ }
+
+ chain nat_PREROUTING_ZONES {
+ iifname "enp0s25" goto nat_PRE_home
+ goto nat_PRE_public
+ }
+
+ chain nat_POSTROUTING {
+ type nat hook postrouting priority srcnat + 10; policy accept;
+ jump nat_POSTROUTING_ZONES_SOURCE
+ jump nat_POSTROUTING_ZONES
+ }
+
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ }
+
+ chain nat_POSTROUTING_ZONES {
+ oifname "enp0s25" goto nat_POST_home
+ goto nat_POST_public
+ }
+
+ chain nat_PRE_public {
+ jump nat_PRE_public_log
+ jump nat_PRE_public_deny
+ jump nat_PRE_public_allow
+ }
+
+ chain nat_PRE_public_log {
+ }
+
+ chain nat_PRE_public_deny {
+ }
+
+ chain nat_PRE_public_allow {
+ }
+
+ chain nat_POST_public {
+ jump nat_POST_public_log
+ jump nat_POST_public_deny
+ jump nat_POST_public_allow
+ }
+
+ chain nat_POST_public_log {
+ }
+
+ chain nat_POST_public_deny {
+ }
+
+ chain nat_POST_public_allow {
+ }
+
+ chain nat_PRE_home {
+ jump nat_PRE_home_log
+ jump nat_PRE_home_deny
+ jump nat_PRE_home_allow
+ }
+
+ chain nat_PRE_home_log {
+ }
+
+ chain nat_PRE_home_deny {
+ }
+
+ chain nat_PRE_home_allow {
+ }
+
+ chain nat_POST_home {
+ jump nat_POST_home_log
+ jump nat_POST_home_deny
+ jump nat_POST_home_allow
+ }
+
+ chain nat_POST_home_log {
+ }
+
+ chain nat_POST_home_deny {
+ }
+
+ chain nat_POST_home_allow {
+ }
+
+ chain nat_PRE_work {
+ jump nat_PRE_work_log
+ jump nat_PRE_work_deny
+ jump nat_PRE_work_allow
+ }
+
+ chain nat_PRE_work_log {
+ }
+
+ chain nat_PRE_work_deny {
+ }
+
+ chain nat_PRE_work_allow {
+ }
+
+ chain nat_POST_work {
+ jump nat_POST_work_log
+ jump nat_POST_work_deny
+ jump nat_POST_work_allow
+ }
+
+ chain nat_POST_work_log {
+ }
+
+ chain nat_POST_work_deny {
+ }
+
+ chain nat_POST_work_allow {
+ }
+}
+table inet firewalld {
+ chain raw_PREROUTING {
+ type filter hook prerouting priority raw + 10; policy accept;
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing drop
+ jump raw_PREROUTING_ZONES_SOURCE
+ jump raw_PREROUTING_ZONES
+ }
+
+ chain raw_PREROUTING_ZONES_SOURCE {
+ }
+
+ chain raw_PREROUTING_ZONES {
+ iifname "enp0s25" goto raw_PRE_home
+ goto raw_PRE_public
+ }
+
+ chain mangle_PREROUTING {
+ type filter hook prerouting priority mangle + 10; policy accept;
+ jump mangle_PREROUTING_ZONES_SOURCE
+ jump mangle_PREROUTING_ZONES
+ }
+
+ chain mangle_PREROUTING_ZONES_SOURCE {
+ }
+
+ chain mangle_PREROUTING_ZONES {
+ iifname "enp0s25" goto mangle_PRE_home
+ goto mangle_PRE_public
+ }
+
+ chain filter_INPUT {
+ type filter hook input priority filter + 10; policy accept;
+ ct state established,related accept
+ iifname "lo" accept
+ jump filter_INPUT_ZONES_SOURCE
+ jump filter_INPUT_ZONES
+ ct state invalid drop
+ reject with icmpx admin-prohibited
+ }
+
+ chain filter_FORWARD {
+ type filter hook forward priority filter + 10; policy accept;
+ ct state established,related accept
+ iifname "lo" accept
+ jump filter_FORWARD_IN_ZONES_SOURCE
+ jump filter_FORWARD_IN_ZONES
+ jump filter_FORWARD_OUT_ZONES_SOURCE
+ jump filter_FORWARD_OUT_ZONES
+ ct state invalid drop
+ reject with icmpx admin-prohibited
+ }
+
+ chain filter_INPUT_ZONES_SOURCE {
+ }
+
+ chain filter_INPUT_ZONES {
+ iifname "enp0s25" goto filter_IN_home
+ goto filter_IN_public
+ }
+
+ chain filter_FORWARD_IN_ZONES_SOURCE {
+ }
+
+ chain filter_FORWARD_IN_ZONES {
+ iifname "enp0s25" goto filter_FWDI_home
+ goto filter_FWDI_public
+ }
+
+ chain filter_FORWARD_OUT_ZONES_SOURCE {
+ }
+
+ chain filter_FORWARD_OUT_ZONES {
+ oifname "enp0s25" goto filter_FWDO_home
+ goto filter_FWDO_public
+ }
+
+ chain raw_PRE_public {
+ jump raw_PRE_public_log
+ jump raw_PRE_public_deny
+ jump raw_PRE_public_allow
+ }
+
+ chain raw_PRE_public_log {
+ }
+
+ chain raw_PRE_public_deny {
+ }
+
+ chain raw_PRE_public_allow {
+ }
+
+ chain filter_IN_public {
+ jump filter_IN_public_log
+ jump filter_IN_public_deny
+ jump filter_IN_public_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_IN_public_log {
+ }
+
+ chain filter_IN_public_deny {
+ }
+
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ }
+
+ chain filter_FWDI_public {
+ jump filter_FWDI_public_log
+ jump filter_FWDI_public_deny
+ jump filter_FWDI_public_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_FWDI_public_log {
+ }
+
+ chain filter_FWDI_public_deny {
+ }
+
+ chain filter_FWDI_public_allow {
+ }
+
+ chain mangle_PRE_public {
+ jump mangle_PRE_public_log
+ jump mangle_PRE_public_deny
+ jump mangle_PRE_public_allow
+ }
+
+ chain mangle_PRE_public_log {
+ }
+
+ chain mangle_PRE_public_deny {
+ }
+
+ chain mangle_PRE_public_allow {
+ }
+
+ chain filter_FWDO_public {
+ jump filter_FWDO_public_log
+ jump filter_FWDO_public_deny
+ jump filter_FWDO_public_allow
+ }
+
+ chain filter_FWDO_public_log {
+ }
+
+ chain filter_FWDO_public_deny {
+ }
+
+ chain filter_FWDO_public_allow {
+ }
+
+ chain raw_PRE_home {
+ jump raw_PRE_home_log
+ jump raw_PRE_home_deny
+ jump raw_PRE_home_allow
+ }
+
+ chain raw_PRE_home_log {
+ }
+
+ chain raw_PRE_home_deny {
+ }
+
+ chain raw_PRE_home_allow {
+ udp dport 137 ct helper "netbios-ns"
+ }
+
+ chain filter_IN_home {
+ jump filter_IN_home_log
+ jump filter_IN_home_deny
+ jump filter_IN_home_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_IN_home_log {
+ }
+
+ chain filter_IN_home_deny {
+ }
+
+ chain filter_IN_home_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 1714-1764 ct state new,untracked accept
+ tcp dport 1714-1764 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ tcp dport 139 ct state new,untracked accept
+ tcp dport 445 ct state new,untracked accept
+ }
+
+ chain filter_FWDI_home {
+ jump filter_FWDI_home_log
+ jump filter_FWDI_home_deny
+ jump filter_FWDI_home_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_FWDI_home_log {
+ }
+
+ chain filter_FWDI_home_deny {
+ }
+
+ chain filter_FWDI_home_allow {
+ }
+
+ chain mangle_PRE_home {
+ jump mangle_PRE_home_log
+ jump mangle_PRE_home_deny
+ jump mangle_PRE_home_allow
+ }
+
+ chain mangle_PRE_home_log {
+ }
+
+ chain mangle_PRE_home_deny {
+ }
+
+ chain mangle_PRE_home_allow {
+ }
+
+ chain filter_FWDO_home {
+ jump filter_FWDO_home_log
+ jump filter_FWDO_home_deny
+ jump filter_FWDO_home_allow
+ }
+
+ chain filter_FWDO_home_log {
+ }
+
+ chain filter_FWDO_home_deny {
+ }
+
+ chain filter_FWDO_home_allow {
+ }
+
+ chain raw_PRE_work {
+ jump raw_PRE_work_log
+ jump raw_PRE_work_deny
+ jump raw_PRE_work_allow
+ }
+
+ chain raw_PRE_work_log {
+ }
+
+ chain raw_PRE_work_deny {
+ }
+
+ chain raw_PRE_work_allow {
+ }
+
+ chain filter_IN_work {
+ jump filter_IN_work_log
+ jump filter_IN_work_deny
+ jump filter_IN_work_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_IN_work_log {
+ }
+
+ chain filter_IN_work_deny {
+ }
+
+ chain filter_IN_work_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ }
+
+ chain filter_FWDI_work {
+ jump filter_FWDI_work_log
+ jump filter_FWDI_work_deny
+ jump filter_FWDI_work_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_FWDI_work_log {
+ }
+
+ chain filter_FWDI_work_deny {
+ }
+
+ chain filter_FWDI_work_allow {
+ }
+
+ chain mangle_PRE_work {
+ jump mangle_PRE_work_log
+ jump mangle_PRE_work_deny
+ jump mangle_PRE_work_allow
+ }
+
+ chain mangle_PRE_work_log {
+ }
+
+ chain mangle_PRE_work_deny {
+ }
+
+ chain mangle_PRE_work_allow {
+ }
+
+ chain filter_FWDO_work {
+ jump filter_FWDO_work_log
+ jump filter_FWDO_work_deny
+ jump filter_FWDO_work_allow
+ }
+
+ chain filter_FWDO_work_log {
+ }
+
+ chain filter_FWDO_work_deny {
+ }
+
+ chain filter_FWDO_work_allow {
+ }
+}
diff --git a/tests/shell/testcases/parsing/dumps/log.nft b/tests/shell/testcases/parsing/dumps/log.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/log.nft
diff --git a/tests/shell/testcases/parsing/dumps/octal.nft b/tests/shell/testcases/parsing/dumps/octal.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/octal.nft
diff --git a/tests/shell/testcases/parsing/large_rule_pipe b/tests/shell/testcases/parsing/large_rule_pipe
new file mode 100755
index 0000000..fac0afa
--- /dev/null
+++ b/tests/shell/testcases/parsing/large_rule_pipe
@@ -0,0 +1,571 @@
+#!/bin/bash
+
+set -e
+
+RULESET="#!/sbin/nft -f
+flush ruleset;
+table ip firewalld {
+ chain nat_PREROUTING {
+ type nat hook prerouting priority -90; policy accept;
+ jump nat_PREROUTING_ZONES_SOURCE
+ jump nat_PREROUTING_ZONES
+ }
+
+ chain nat_PREROUTING_ZONES_SOURCE {
+ }
+
+ chain nat_PREROUTING_ZONES {
+ iifname "enp0s25" goto nat_PRE_home
+ goto nat_PRE_public
+ }
+
+ chain nat_POSTROUTING {
+ type nat hook postrouting priority 110; policy accept;
+ jump nat_POSTROUTING_ZONES_SOURCE
+ jump nat_POSTROUTING_ZONES
+ }
+
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ }
+
+ chain nat_POSTROUTING_ZONES {
+ oifname "enp0s25" goto nat_POST_home
+ goto nat_POST_public
+ }
+
+ chain nat_PRE_public {
+ jump nat_PRE_public_log
+ jump nat_PRE_public_deny
+ jump nat_PRE_public_allow
+ }
+
+ chain nat_PRE_public_log {
+ }
+
+ chain nat_PRE_public_deny {
+ }
+
+ chain nat_PRE_public_allow {
+ }
+
+ chain nat_POST_public {
+ jump nat_POST_public_log
+ jump nat_POST_public_deny
+ jump nat_POST_public_allow
+ }
+
+ chain nat_POST_public_log {
+ }
+
+ chain nat_POST_public_deny {
+ }
+
+ chain nat_POST_public_allow {
+ }
+
+ chain nat_PRE_home {
+ jump nat_PRE_home_log
+ jump nat_PRE_home_deny
+ jump nat_PRE_home_allow
+ }
+
+ chain nat_PRE_home_log {
+ }
+
+ chain nat_PRE_home_deny {
+ }
+
+ chain nat_PRE_home_allow {
+ }
+
+ chain nat_POST_home {
+ jump nat_POST_home_log
+ jump nat_POST_home_deny
+ jump nat_POST_home_allow
+ }
+
+ chain nat_POST_home_log {
+ }
+
+ chain nat_POST_home_deny {
+ }
+
+ chain nat_POST_home_allow {
+ }
+
+ chain nat_PRE_work {
+ jump nat_PRE_work_log
+ jump nat_PRE_work_deny
+ jump nat_PRE_work_allow
+ }
+
+ chain nat_PRE_work_log {
+ }
+
+ chain nat_PRE_work_deny {
+ }
+
+ chain nat_PRE_work_allow {
+ }
+
+ chain nat_POST_work {
+ jump nat_POST_work_log
+ jump nat_POST_work_deny
+ jump nat_POST_work_allow
+ }
+
+ chain nat_POST_work_log {
+ }
+
+ chain nat_POST_work_deny {
+ }
+
+ chain nat_POST_work_allow {
+ }
+}
+table ip6 firewalld {
+ chain nat_PREROUTING {
+ type nat hook prerouting priority -90; policy accept;
+ jump nat_PREROUTING_ZONES_SOURCE
+ jump nat_PREROUTING_ZONES
+ }
+
+ chain nat_PREROUTING_ZONES_SOURCE {
+ }
+
+ chain nat_PREROUTING_ZONES {
+ iifname "enp0s25" goto nat_PRE_home
+ goto nat_PRE_public
+ }
+
+ chain nat_POSTROUTING {
+ type nat hook postrouting priority 110; policy accept;
+ jump nat_POSTROUTING_ZONES_SOURCE
+ jump nat_POSTROUTING_ZONES
+ }
+
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ }
+
+ chain nat_POSTROUTING_ZONES {
+ oifname "enp0s25" goto nat_POST_home
+ goto nat_POST_public
+ }
+
+ chain nat_PRE_public {
+ jump nat_PRE_public_log
+ jump nat_PRE_public_deny
+ jump nat_PRE_public_allow
+ }
+
+ chain nat_PRE_public_log {
+ }
+
+ chain nat_PRE_public_deny {
+ }
+
+ chain nat_PRE_public_allow {
+ }
+
+ chain nat_POST_public {
+ jump nat_POST_public_log
+ jump nat_POST_public_deny
+ jump nat_POST_public_allow
+ }
+
+ chain nat_POST_public_log {
+ }
+
+ chain nat_POST_public_deny {
+ }
+
+ chain nat_POST_public_allow {
+ }
+
+ chain nat_PRE_home {
+ jump nat_PRE_home_log
+ jump nat_PRE_home_deny
+ jump nat_PRE_home_allow
+ }
+
+ chain nat_PRE_home_log {
+ }
+
+ chain nat_PRE_home_deny {
+ }
+
+ chain nat_PRE_home_allow {
+ }
+
+ chain nat_POST_home {
+ jump nat_POST_home_log
+ jump nat_POST_home_deny
+ jump nat_POST_home_allow
+ }
+
+ chain nat_POST_home_log {
+ }
+
+ chain nat_POST_home_deny {
+ }
+
+ chain nat_POST_home_allow {
+ }
+
+ chain nat_PRE_work {
+ jump nat_PRE_work_log
+ jump nat_PRE_work_deny
+ jump nat_PRE_work_allow
+ }
+
+ chain nat_PRE_work_log {
+ }
+
+ chain nat_PRE_work_deny {
+ }
+
+ chain nat_PRE_work_allow {
+ }
+
+ chain nat_POST_work {
+ jump nat_POST_work_log
+ jump nat_POST_work_deny
+ jump nat_POST_work_allow
+ }
+
+ chain nat_POST_work_log {
+ }
+
+ chain nat_POST_work_deny {
+ }
+
+ chain nat_POST_work_allow {
+ }
+}
+table inet firewalld {
+ chain raw_PREROUTING {
+ type filter hook prerouting priority -290; policy accept;
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing drop
+ jump raw_PREROUTING_ZONES_SOURCE
+ jump raw_PREROUTING_ZONES
+ }
+
+ chain raw_PREROUTING_ZONES_SOURCE {
+ }
+
+ chain raw_PREROUTING_ZONES {
+ iifname "enp0s25" goto raw_PRE_home
+ goto raw_PRE_public
+ }
+
+ chain mangle_PREROUTING {
+ type filter hook prerouting priority -140; policy accept;
+ jump mangle_PREROUTING_ZONES_SOURCE
+ jump mangle_PREROUTING_ZONES
+ }
+
+ chain mangle_PREROUTING_ZONES_SOURCE {
+ }
+
+ chain mangle_PREROUTING_ZONES {
+ iifname "enp0s25" goto mangle_PRE_home
+ goto mangle_PRE_public
+ }
+
+ chain filter_INPUT {
+ type filter hook input priority 10; policy accept;
+ ct state established,related accept
+ iifname "lo" accept
+ jump filter_INPUT_ZONES_SOURCE
+ jump filter_INPUT_ZONES
+ ct state invalid drop
+ reject with icmpx type admin-prohibited
+ }
+
+ chain filter_FORWARD {
+ type filter hook forward priority 10; policy accept;
+ ct state established,related accept
+ iifname "lo" accept
+ jump filter_FORWARD_IN_ZONES_SOURCE
+ jump filter_FORWARD_IN_ZONES
+ jump filter_FORWARD_OUT_ZONES_SOURCE
+ jump filter_FORWARD_OUT_ZONES
+ ct state invalid drop
+ reject with icmpx type admin-prohibited
+ }
+
+ chain filter_INPUT_ZONES_SOURCE {
+ }
+
+ chain filter_INPUT_ZONES {
+ iifname "enp0s25" goto filter_IN_home
+ goto filter_IN_public
+ }
+
+ chain filter_FORWARD_IN_ZONES_SOURCE {
+ }
+
+ chain filter_FORWARD_IN_ZONES {
+ iifname "enp0s25" goto filter_FWDI_home
+ goto filter_FWDI_public
+ }
+
+ chain filter_FORWARD_OUT_ZONES_SOURCE {
+ }
+
+ chain filter_FORWARD_OUT_ZONES {
+ oifname "enp0s25" goto filter_FWDO_home
+ goto filter_FWDO_public
+ }
+
+ chain raw_PRE_public {
+ jump raw_PRE_public_log
+ jump raw_PRE_public_deny
+ jump raw_PRE_public_allow
+ }
+
+ chain raw_PRE_public_log {
+ }
+
+ chain raw_PRE_public_deny {
+ }
+
+ chain raw_PRE_public_allow {
+ }
+
+ chain filter_IN_public {
+ jump filter_IN_public_log
+ jump filter_IN_public_deny
+ jump filter_IN_public_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_IN_public_log {
+ }
+
+ chain filter_IN_public_deny {
+ }
+
+ chain filter_IN_public_allow {
+ tcp dport ssh ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
+ }
+
+ chain filter_FWDI_public {
+ jump filter_FWDI_public_log
+ jump filter_FWDI_public_deny
+ jump filter_FWDI_public_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_FWDI_public_log {
+ }
+
+ chain filter_FWDI_public_deny {
+ }
+
+ chain filter_FWDI_public_allow {
+ }
+
+ chain mangle_PRE_public {
+ jump mangle_PRE_public_log
+ jump mangle_PRE_public_deny
+ jump mangle_PRE_public_allow
+ }
+
+ chain mangle_PRE_public_log {
+ }
+
+ chain mangle_PRE_public_deny {
+ }
+
+ chain mangle_PRE_public_allow {
+ }
+
+ chain filter_FWDO_public {
+ jump filter_FWDO_public_log
+ jump filter_FWDO_public_deny
+ jump filter_FWDO_public_allow
+ }
+
+ chain filter_FWDO_public_log {
+ }
+
+ chain filter_FWDO_public_deny {
+ }
+
+ chain filter_FWDO_public_allow {
+ }
+
+ chain raw_PRE_home {
+ jump raw_PRE_home_log
+ jump raw_PRE_home_deny
+ jump raw_PRE_home_allow
+ }
+
+ chain raw_PRE_home_log {
+ }
+
+ chain raw_PRE_home_deny {
+ }
+
+ chain raw_PRE_home_allow {
+ udp dport netbios-ns ct helper "netbios-ns"
+ }
+
+ chain filter_IN_home {
+ jump filter_IN_home_log
+ jump filter_IN_home_deny
+ jump filter_IN_home_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_IN_home_log {
+ }
+
+ chain filter_IN_home_deny {
+ }
+
+ chain filter_IN_home_allow {
+ tcp dport ssh ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept
+ udp dport 1714-1764 ct state new,untracked accept
+ tcp dport 1714-1764 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
+ udp dport netbios-ns ct state new,untracked accept
+ udp dport netbios-dgm ct state new,untracked accept
+ tcp dport netbios-ssn ct state new,untracked accept
+ tcp dport microsoft-ds ct state new,untracked accept
+ }
+
+ chain filter_FWDI_home {
+ jump filter_FWDI_home_log
+ jump filter_FWDI_home_deny
+ jump filter_FWDI_home_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_FWDI_home_log {
+ }
+
+ chain filter_FWDI_home_deny {
+ }
+
+ chain filter_FWDI_home_allow {
+ }
+
+ chain mangle_PRE_home {
+ jump mangle_PRE_home_log
+ jump mangle_PRE_home_deny
+ jump mangle_PRE_home_allow
+ }
+
+ chain mangle_PRE_home_log {
+ }
+
+ chain mangle_PRE_home_deny {
+ }
+
+ chain mangle_PRE_home_allow {
+ }
+
+ chain filter_FWDO_home {
+ jump filter_FWDO_home_log
+ jump filter_FWDO_home_deny
+ jump filter_FWDO_home_allow
+ }
+
+ chain filter_FWDO_home_log {
+ }
+
+ chain filter_FWDO_home_deny {
+ }
+
+ chain filter_FWDO_home_allow {
+ }
+
+ chain raw_PRE_work {
+ jump raw_PRE_work_log
+ jump raw_PRE_work_deny
+ jump raw_PRE_work_allow
+ }
+
+ chain raw_PRE_work_log {
+ }
+
+ chain raw_PRE_work_deny {
+ }
+
+ chain raw_PRE_work_allow {
+ }
+
+ chain filter_IN_work {
+ jump filter_IN_work_log
+ jump filter_IN_work_deny
+ jump filter_IN_work_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_IN_work_log {
+ }
+
+ chain filter_IN_work_deny {
+ }
+
+ chain filter_IN_work_allow {
+ tcp dport ssh ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
+ }
+
+ chain filter_FWDI_work {
+ jump filter_FWDI_work_log
+ jump filter_FWDI_work_deny
+ jump filter_FWDI_work_allow
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_FWDI_work_log {
+ }
+
+ chain filter_FWDI_work_deny {
+ }
+
+ chain filter_FWDI_work_allow {
+ }
+
+ chain mangle_PRE_work {
+ jump mangle_PRE_work_log
+ jump mangle_PRE_work_deny
+ jump mangle_PRE_work_allow
+ }
+
+ chain mangle_PRE_work_log {
+ }
+
+ chain mangle_PRE_work_deny {
+ }
+
+ chain mangle_PRE_work_allow {
+ }
+
+ chain filter_FWDO_work {
+ jump filter_FWDO_work_log
+ jump filter_FWDO_work_deny
+ jump filter_FWDO_work_allow
+ }
+
+ chain filter_FWDO_work_log {
+ }
+
+ chain filter_FWDO_work_deny {
+ }
+
+ chain filter_FWDO_work_allow {
+ }
+}"
+
+( echo "flush ruleset;"; echo "${RULESET}" ) | nft -f -
+
+exit 0
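Review bot: The final pipeline calls `nft -f -` instead of `$NFT -f -`, so this test exercises whatever nft is first in PATH rather than the binary under test that the other testcases in this commit use. It should read `( echo "flush ruleset;"; echo "${RULESET}" ) | $NFT -f -`. Two smaller points in the same hunk: RULESET already begins with `flush ruleset;`, so the extra echo is redundant. Because RULESET is a double-quoted shell string, the inner quotes around `enp0s25` and `netbios-ns` close and reopen it, so nft receives those names without quotes.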
diff --git a/tests/shell/testcases/parsing/log b/tests/shell/testcases/parsing/log
new file mode 100755
index 0000000..0b89d58
--- /dev/null
+++ b/tests/shell/testcases/parsing/log
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+$NFT add table t || exit 1
+$NFT add chain t c || exit 1
+$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop' || exit 1
+$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all level debug drop' || exit 1
+$NFT delete table t || exit 1
+
+exit 0
+
diff --git a/tests/shell/testcases/parsing/octal b/tests/shell/testcases/parsing/octal
new file mode 100755
index 0000000..09ac26e
--- /dev/null
+++ b/tests/shell/testcases/parsing/octal
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+$NFT add table t || exit 1
+$NFT add chain t c || exit 1
+$NFT add rule t c 'ip saddr 01 continue comment "0.0.0.1"' || exit 1
+$NFT add rule t c 'ip saddr 08 continue comment "error"' && {
+ echo "'"ip saddr 08"'" not rejected 1>&2
+ exit 1
+}
+$NFT delete table t || exit 1
+
+exit 0
+
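Review bot: The error message is assembled from four adjacent quoted fragments (`"'"ip saddr 08"'"`), which is hard to read for what it prints. `echo "'ip saddr 08' not rejected" >&2` produces the same text.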
diff --git a/tests/shell/testcases/rule_management/0001addinsertposition_0 b/tests/shell/testcases/rule_management/0001addinsertposition_0
new file mode 100755
index 0000000..237e9e3
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0001addinsertposition_0
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+
+RULESET="flush ruleset
+table ip t {
+ chain c {
+ accept
+ accept
+ }
+}"
+
+EXPECTED="table ip t {
+ chain c {
+ accept
+ drop
+ accept
+ }
+}"
+
+for arg in "position 2" "handle 2" "index 0"; do
+ $NFT -f - <<< "$RULESET"
+ $NFT add rule t c $arg drop || {
+ $NFT list ruleset
+ exit 1
+ }
+
+ GET="$($NFT list ruleset)"
+ if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+ fi
+done
+
+for arg in "position 3" "handle 3" "index 1"; do
+ $NFT -f - <<< "$RULESET"
+ $NFT insert rule t c $arg drop
+
+ GET="$($NFT list ruleset)"
+ if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+ fi
+done
+
+EXPECTED="table ip t {
+ chain c {
+ accept
+ accept
+ drop
+ }
+}"
+
+for arg in "position 3" "handle 3" "index 1"; do
+ $NFT -f - <<< "$RULESET"
+ $NFT add rule t c $arg drop
+
+ GET="$($NFT list ruleset)"
+ if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+ fi
+done
+
+EXPECTED="table ip t {
+ chain c {
+ drop
+ accept
+ accept
+ }
+}"
+
+for arg in "position 2" "handle 2" "index 0"; do
+ $NFT -f - <<< "$RULESET"
+ $NFT insert rule t c $arg drop
+
+ GET="$($NFT list ruleset)"
+ if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+ fi
+done
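Review bot: `$NFT add rule t c $arg drop` and the three later `insert`/`add` calls depend on `$arg` being unquoted so that, for example, "position 2" splits into two words, which reads like a quoting slip to the next maintainer. A one-line comment above the first loop would document it, e.g. `# $arg is left unquoted on purpose: "position 2" must reach nft as two words`. The compare-and-diff block is also repeated four times and only the first loop lists the ruleset on failure; a small helper function would keep the four cases consistent.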
diff --git a/tests/shell/testcases/rule_management/0002addinsertlocation_1 b/tests/shell/testcases/rule_management/0002addinsertlocation_1
new file mode 100755
index 0000000..920032f
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0002addinsertlocation_1
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# test rule adding with invalid position/handle/index value
+
+RULESET="flush ruleset
+table ip t {
+ chain c {
+ accept
+ accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+for cmd in add insert; do
+ for keyword in position handle index; do
+ $NFT $cmd rule t c $keyword 5 drop 2>/dev/null || continue
+
+ echo "E: invalid $keyword value allowed in $cmd command" >&2
+ exit 1
+ done
+done
+exit 0
diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0
new file mode 100755
index 0000000..c343d57
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0003insert_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT insert rule t c accept
+$NFT insert rule t c drop
+$NFT insert rule t c masquerade
+
+# check 'evaluate: un-break rule insert with intervals'
+
+$NFT insert rule t c tcp sport { 3478-3497, 16384-16387 }
diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0
new file mode 100755
index 0000000..c3329af
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0004replace_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT add rule t c accept # should have handle 2
+$NFT replace rule t c handle 2 drop
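Review bot: The rule handle is assumed rather than read back: `$NFT replace rule t c handle 2 drop` depends on the `# should have handle 2` comment holding for whatever order handles are allocated in. rule_management/0012destroy_0 in this commit reads the handle from `-a -e` output instead; doing the same here, e.g. `handle=$($NFT -a -e add rule t c accept | sed -n 's/.*handle \([0-9]*\)$/\1/p')` followed by `$NFT replace rule t c handle "$handle" drop`, keeps the test valid if the numbering changes. 0007delete_0 (`handle 2`) and 0010replace_0 (`handle 3`, with no comment explaining the number) make the same assumption.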
diff --git a/tests/shell/testcases/rule_management/0005replace_1 b/tests/shell/testcases/rule_management/0005replace_1
new file mode 100755
index 0000000..d8d6447
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0005replace_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+# kernel should return ENOENT
+
+$NFT replace rule t c handle 2 drop 2>/dev/null || exit 0
+echo "E: missing kernel ENOENT" >&2
+exit 1
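Review bot: `$NFT replace rule t c handle 2 drop 2>/dev/null || exit 0` treats every non-zero exit as the expected ENOENT, so a parser error, a crash or a failure for an unrelated reason passes the test, and the discarded stderr leaves nothing to diagnose. Capture the output and check it, e.g. `err=$($NFT replace rule t c handle 2 drop 2>&1) && { echo "E: missing kernel ENOENT" >&2; exit 1; }` then `grep -q "No such file or directory" <<< "$err"`. 0006replace_1, 0008delete_1 and 0009delete_1 use the same `2>/dev/null || exit 0` pattern; in 0008delete_1 the trailing `drop` may by itself make the command invalid, which would hide whether `position` is what was rejected.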
diff --git a/tests/shell/testcases/rule_management/0006replace_1 b/tests/shell/testcases/rule_management/0006replace_1
new file mode 100755
index 0000000..b728310
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0006replace_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# position keyword with replace action is not allowed, this should fail
+$NFT replace rule t c position 2 drop 2>/dev/null || exit 0
+echo "E: allowed replace with position specification" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0007delete_0 b/tests/shell/testcases/rule_management/0007delete_0
new file mode 100755
index 0000000..11376cc
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0007delete_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT add rule t c accept # should have handle 2
+$NFT add rule t c drop # should have handle 3
+$NFT delete rule t c handle 2
diff --git a/tests/shell/testcases/rule_management/0008delete_1 b/tests/shell/testcases/rule_management/0008delete_1
new file mode 100755
index 0000000..d1900d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0008delete_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# this should fail, we don't allow delete with position
+$NFT delete rule t c position 2 drop 2>/dev/null || exit 0
+echo "E: allowed position spec with delete action" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0009delete_1 b/tests/shell/testcases/rule_management/0009delete_1
new file mode 100755
index 0000000..8751fec
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0009delete_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# kernel ENOENT
+$NFT delete rule t c handle 3333 2>/dev/null || exit 0
+echo "E: missing kernel ENOENT" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0010replace_0 b/tests/shell/testcases/rule_management/0010replace_0
new file mode 100755
index 0000000..cd69a89
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0010replace_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# test for kernel commit ca08987885a147643817d02bf260bc4756ce8cd4
+# ("netfilter: nf_tables: deactivate expressions in rule replecement routine")
+
+set -e
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add rule ip t c1 jump c2
+$NFT replace rule ip t c1 handle 3 accept
+$NFT flush ruleset
diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0
new file mode 100755
index 0000000..33eadd9
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0011reset_0
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_rule)
+
+set -e
+
+echo "loading ruleset"
+$NFT -f - <<EOF
+table ip t {
+ set s {
+ type ipv4_addr
+ counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
+ }
+ chain c {
+ counter packets 1 bytes 11 update @s { ip saddr } accept
+ counter packets 2 bytes 12 drop
+ }
+
+ chain c2 {
+ counter packets 3 bytes 13 accept
+ counter packets 4 bytes 14 drop
+ }
+}
+table inet t {
+ chain c {
+ counter packets 5 bytes 15 accept
+ counter packets 6 bytes 16 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 7 bytes 17 accept
+ counter packets 8 bytes 18 drop
+ }
+}
+EOF
+
+echo "resetting specific rule"
+handle=$($NFT -a list chain t c | sed -n 's/.*accept # handle \([0-9]*\)$/\1/p')
+$NFT reset rule t c handle $handle
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 2 bytes 12 drop
+ }
+
+ chain c2 {
+ counter packets 3 bytes 13 accept
+ counter packets 4 bytes 14 drop
+ }
+}
+table inet t {
+ chain c {
+ counter packets 5 bytes 15 accept
+ counter packets 6 bytes 16 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 7 bytes 17 accept
+ counter packets 8 bytes 18 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT list ruleset)
+
+echo "resetting specific chain"
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ }
+
+ chain c2 {
+ counter packets 3 bytes 13 accept
+ counter packets 4 bytes 14 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules chain t c2)
+
+echo "resetting specific table"
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 2 bytes 12 drop
+ }
+
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules table t)
+
+echo "resetting specific family"
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 0 bytes 0 drop
+ }
+
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 7 bytes 17 accept
+ counter packets 8 bytes 18 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules ip)
+
+echo "resetting whole ruleset"
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 0 bytes 0 drop
+ }
+
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
+table inet t {
+ chain c {
+ counter packets 5 bytes 15 accept
+ counter packets 6 bytes 16 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules)
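Review bot: `handle` is used unquoted and unvalidated in `$NFT reset rule t c handle $handle`; when the sed expression matches nothing, or more than one line, the reset fails with a parse error that says nothing about the failed lookup. Add `[ -n "$handle" ] || { echo "E: no handle for the accept rule in t c" >&2; exit 1; }` and pass `"$handle"` quoted. Separately, a failing `$NFT` inside `<(...)` is not seen by `set -e` and only shows up as a diff against empty output.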
diff --git a/tests/shell/testcases/rule_management/0012destroy_0 b/tests/shell/testcases/rule_management/0012destroy_0
new file mode 100755
index 0000000..a058150
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0012destroy_0
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table t
+$NFT add chain t c
+
+# pass for non-existent rule
+$NFT destroy rule t c handle 3333
+
+# successfully delete existing rule
+handle=$($NFT -a -e insert rule t c accept | \
+ sed -n 's/.*handle \([0-9]*\)$/\1/p')
+$NFT destroy rule t c handle "$handle"
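Review bot: Error handling depends on `-e` in the shebang line `#!/bin/bash -e`, which is dropped whenever the file is started as `bash 0012destroy_0`; the sibling tests use `#!/bin/bash` plus `set -e` in the body, and this one should too. The handle pipeline also hides an nft failure, because without `pipefail` its status is that of sed; `set -o pipefail` or a `[ -n "$handle" ]` check before the final `destroy` would make a failed insert visible as such.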
diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft
new file mode 100644
index 0000000..527d79d
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ chain c {
+ drop
+ accept
+ accept
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft
new file mode 100644
index 0000000..b76cd93
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ accept
+ accept
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft
new file mode 100644
index 0000000..b1875ab
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft
@@ -0,0 +1,8 @@
+table ip t {
+ chain c {
+ tcp sport { 3478-3497, 16384-16387 }
+ masquerade
+ drop
+ accept
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
new file mode 100644
index 0000000..e20952e
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ chain c {
+ drop
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft
new file mode 100644
index 0000000..e20952e
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ chain c {
+ drop
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft
diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
new file mode 100644
index 0000000..3b4f5a1
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
@@ -0,0 +1,31 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 0 bytes 0 drop
+ }
+
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
+table inet t {
+ chain c {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/sets/0001named_interval_0 b/tests/shell/testcases/sets/0001named_interval_0
new file mode 100755
index 0000000..612eee0
--- /dev/null
+++ b/tests/shell/testcases/sets/0001named_interval_0
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# This is the most basic testscase:
+# * creating a valid interval set
+# * referencing it from a valid rule
+
+RULESET="
+table inet t {
+ set s1 {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 }
+ }
+ set s2 {
+ type ipv6_addr
+ flags interval
+ elements = { fe00::/64, fe11::-fe22::}
+ }
+ set s3 {
+ type inet_proto
+ flags interval
+ elements = { 10-20, 50-60}
+ }
+ set s4 {
+ type inet_service
+ flags interval
+ elements = {8080-8082, 0-1024, 10000-40000}
+ }
+ chain c {
+ ip saddr @s1 accept
+ ip6 daddr @s2 accept
+ ip protocol @s3 accept
+ ip6 nexthdr @s3 accept
+ tcp dport @s4 accept
+ }
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0002named_interval_automerging_0 b/tests/shell/testcases/sets/0002named_interval_automerging_0
new file mode 100755
index 0000000..6889863
--- /dev/null
+++ b/tests/shell/testcases/sets/0002named_interval_automerging_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This testscase checks the automerging of adjacent intervals
+
+set -e
+
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; flags interval \; }
+$NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 }
+$NFT list ruleset | grep "192.168.0.0/23" >/dev/null || exit 0
+echo "E: automerging of adjacent intervals happened unexpectedly." >&2
+exit 1
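Review bot: The negative check `$NFT list ruleset | grep "192.168.0.0/23" >/dev/null || exit 0` also passes when `list ruleset` prints nothing or fails, since grep then finds no match and `set -e` without `pipefail` ignores the left side of the pipe. Assert first that the added prefixes are listed, e.g. `$NFT list ruleset | grep -qF "192.168.0.0/24"`, and use `grep -qF` for the /23 check so the dots are matched literally.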
diff --git a/tests/shell/testcases/sets/0003named_interval_missing_flag_0 b/tests/shell/testcases/sets/0003named_interval_missing_flag_0
new file mode 100755
index 0000000..e0b7f74
--- /dev/null
+++ b/tests/shell/testcases/sets/0003named_interval_missing_flag_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of flags in named intervals
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+if $NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 } 2>/dev/null ; then
+ echo "E: accepted interval in named set without proper flags" >&2
+ exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0004named_interval_shadow_0 b/tests/shell/testcases/sets/0004named_interval_shadow_0
new file mode 100755
index 0000000..827423d
--- /dev/null
+++ b/tests/shell/testcases/sets/0004named_interval_shadow_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of shadowed elements
+
+set -e
+$NFT add table inet t
+$NFT add set inet t s { type ipv6_addr \; flags interval \; }
+$NFT add element inet t s { fe00::/64 }
+if $NFT add element inet t s { fe00::/48 } 2>/dev/null ; then
+ echo "E: accepted shadowed element in named set" >&2
+ exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0005named_interval_shadow_0 b/tests/shell/testcases/sets/0005named_interval_shadow_0
new file mode 100755
index 0000000..14fcbdc
--- /dev/null
+++ b/tests/shell/testcases/sets/0005named_interval_shadow_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of shadowed elements
+
+set -e
+$NFT add table inet t
+$NFT add set inet t s { type ipv6_addr \; flags interval \; }
+$NFT add element inet t s { fe00::/48 }
+if $NFT add element inet t s { fe00::/64 } 2>/dev/null ; then
+ echo "E: accepted shadowed element in named set" >&2
+ exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0006create_set_0 b/tests/shell/testcases/sets/0006create_set_0
new file mode 100755
index 0000000..ca36cf7
--- /dev/null
+++ b/tests/shell/testcases/sets/0006create_set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# This testscase checks for add and create set commands.
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+if $NFT create set t s { type ipv4_addr \; } 2>/dev/null ; then
+ echo "E: accepted set creation that already exists" >&2
+ exit 1
+fi
+$NFT add set t s { type ipv4_addr \; }
+
+exit 0
diff --git a/tests/shell/testcases/sets/0007create_element_0 b/tests/shell/testcases/sets/0007create_element_0
new file mode 100755
index 0000000..47b3559
--- /dev/null
+++ b/tests/shell/testcases/sets/0007create_element_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# This testcase checks for add and create element commands.
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+$NFT add element t s { 1.1.1.1 }
+if $NFT create element t s { 1.1.1.1 } 2>/dev/null ; then
+ echo "E: accepted element creation that already exists" >&2
+ exit 1
+fi
+$NFT add element t s { 1.1.1.1 }
+
+exit 0
diff --git a/tests/shell/testcases/sets/0008comments_interval_0 b/tests/shell/testcases/sets/0008comments_interval_0
new file mode 100755
index 0000000..98c709c
--- /dev/null
+++ b/tests/shell/testcases/sets/0008comments_interval_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This test netfilter bug #1090
+# https://bugzilla.netfilter.org/show_bug.cgi?id=1090
+
+$NFT add table t
+$NFT add set t s {type ipv4_addr \; flags interval \;}
+$NFT add element t s { 1.1.1.1 comment "test" }
+if ! $NFT list ruleset | grep test >/dev/null ; then
+ echo "E: missing comment in set element" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/sets/0008create_verdict_map_0 b/tests/shell/testcases/sets/0008create_verdict_map_0
new file mode 100755
index 0000000..e501049
--- /dev/null
+++ b/tests/shell/testcases/sets/0008create_verdict_map_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+RULESET="
+table ip t {
+ map sourcemap {
+ type ipv4_addr : verdict;
+ }
+ chain postrouting {
+ ip saddr vmap @sourcemap accept
+ }
+}
+add chain t c
+add element t sourcemap { 100.123.10.2 : jump c }
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0009comments_timeout_0 b/tests/shell/testcases/sets/0009comments_timeout_0
new file mode 100755
index 0000000..4e3f80c
--- /dev/null
+++ b/tests/shell/testcases/sets/0009comments_timeout_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Test that comments are added to set elements in timemout sets.
+
+$NFT flush ruleset
+$NFT add table t
+$NFT add set t s {type ipv4_addr \; flags timeout \;}
+$NFT add element t s { 1.1.1.1 comment "test" }
+if ! $NFT list ruleset | grep test >/dev/null ; then
+ echo "E: missing comment in set element" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/sets/0010comments_0 b/tests/shell/testcases/sets/0010comments_0
new file mode 100755
index 0000000..4467a3b
--- /dev/null
+++ b/tests/shell/testcases/sets/0010comments_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Test that comments are added to set elements in standard sets.
+
+$NFT add table inet t
+$NFT add set inet t s {type ipv6_addr \; }
+$NFT add element inet t s { ::1 comment "test" }
+if ! $NFT list ruleset | grep test >/dev/null ; then
+ echo "E: missing comment in set element" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/sets/0011add_many_elements_0 b/tests/shell/testcases/sets/0011add_many_elements_0
new file mode 100755
index 0000000..c37b2f0
--- /dev/null
+++ b/tests/shell/testcases/sets/0011add_many_elements_0
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# test adding many sets elements
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
+
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate() {
+ echo -n "{"
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ echo -n "10.0.${i}.${j}"
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ echo -n ", "
+ done
+ done
+ echo -n "}"
+}
+
+echo "add table x
+add set x y { type ipv4_addr; }
+add element x y $(generate)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
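Review bot: The temp-file guard `[ ! -w $tmpfile ]` does not fire when `mktemp` fails: with `tmpfile` empty the unquoted test collapses to `[ ! -w ]`, which is false, and the script carries on to `> $tmpfile`. Use `tmpfile=$(mktemp) || exit 1`, quote the test as `[ ! -w "$tmpfile" ]`, and install the cleanup as `trap 'rm -f -- "$tmpfile"' EXIT` so the path is expanded, quoted, at exit time. The existing branch also reports the failure with `exit 0`, which counts as a pass. sets/0012add_delete_many_elements_0 and sets/0013add_delete_many_elements_0 repeat the same block.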
diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0
new file mode 100755
index 0000000..6445160
--- /dev/null
+++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# test adding and deleting many sets elements
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate() {
+ echo -n "{"
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ echo -n "10.0.${i}.${j}"
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ echo -n ", "
+ done
+ done
+ echo -n "}"
+}
+
+echo "add table x
+add set x y { type ipv4_addr; }
+add element x y $(generate)
+delete element x y $(generate)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0
new file mode 100755
index 0000000..c0925dd
--- /dev/null
+++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# test adding and deleting many sets elements in two nft -f runs.
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate() {
+ echo -n "{"
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ echo -n "10.0.${i}.${j}"
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ echo -n ", "
+ done
+ done
+ echo -n "}"
+}
+
+set -e
+
+echo "add table x
+add set x y { type ipv4_addr; }
+add element x y $(generate)" > $tmpfile
+$NFT -f $tmpfile
+echo "delete element x y $(generate)" > $tmpfile
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/0014malformed_set_is_not_defined_0 b/tests/shell/testcases/sets/0014malformed_set_is_not_defined_0
new file mode 100755
index 0000000..b34d71f
--- /dev/null
+++ b/tests/shell/testcases/sets/0014malformed_set_is_not_defined_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# This tests for the bug corrected in commit 5afa5a164ff1c066af1ec56d875b91562882bd50.
+# Sets were added to the table before checking for errors, and not removed from
+# the table on error, leading to an uninitialized set in the table, causing a
+# segfault for rules that tried to use it.
+# In this case, nft should error out because the set doesn't exist instead of
+# segfaulting
+
+RULESET="
+add table t
+add chain t c
+add set t s {type ipv4_addr\;}
+add rule t c ip saddr @s
+"
+
+$NFT -f - <<< "$RULESET"
+ret=$?
+
+trap - EXIT
+if [[ $ret -eq 1 ]]; then
+ exit 0
+else
+ exit 1
+fi
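Review bot: The `\;` inside the double-quoted `RULESET` and the `trap - EXIT` line are both undocumented, and both look like mistakes to a later reader. The backslash reaches nft literally, which appears to be the deliberate malformation the header describes; a comment such as `# '\;' is intentional: it makes the set definition malformed` above `RULESET=` would stop it being "fixed". `trap - EXIT` clears an EXIT trap that this script never installs, so either remove it or add a comment saying which trap it is meant to clear.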
diff --git a/tests/shell/testcases/sets/0015rulesetflush_0 b/tests/shell/testcases/sets/0015rulesetflush_0
new file mode 100755
index 0000000..855d289
--- /dev/null
+++ b/tests/shell/testcases/sets/0015rulesetflush_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+RULESET="flush ruleset
+add table t
+add chain t c
+
+table inet filter {
+ set blacklist_v4 { type ipv4_addr; flags interval; }
+}
+
+add element inet filter blacklist_v4 {
+192.168.0.1/24,
+}"
+
+$NFT -f - <<< "$RULESET"
+
+# make sure flush ruleset works right
+$NFT -f - <<< "$RULESET"
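Review bot: Only the second `$NFT -f - <<< "$RULESET"` decides the result, since the script has no `set -e` and the status of the first load is discarded. A first load that fails followed by a second that succeeds would pass, although the case under test is that `flush ruleset` works on top of an already loaded ruleset. Add `set -e` before the first load, as the neighbouring tests do.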
diff --git a/tests/shell/testcases/sets/0016element_leak_0 b/tests/shell/testcases/sets/0016element_leak_0
new file mode 100755
index 0000000..5675db3
--- /dev/null
+++ b/tests/shell/testcases/sets/0016element_leak_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# This tests for a bug where a repeated element is added and the set
+# elements counter is incorrectly increased.
+
+set -e
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.1}
diff --git a/tests/shell/testcases/sets/0017add_after_flush_0 b/tests/shell/testcases/sets/0017add_after_flush_0
new file mode 100755
index 0000000..0390b03
--- /dev/null
+++ b/tests/shell/testcases/sets/0017add_after_flush_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This tests for a bug where elements can't be added after flushing a
+# full set with the flag NFTNL_SET_DESC_SIZE set
+
+set -e
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.2}
+$NFT flush set x s
+$NFT add element x s {1.1.1.1}
diff --git a/tests/shell/testcases/sets/0018set_check_size_1 b/tests/shell/testcases/sets/0018set_check_size_1
new file mode 100755
index 0000000..bc70560
--- /dev/null
+++ b/tests/shell/testcases/sets/0018set_check_size_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.2}
+
+$NFT add element x s {1.1.1.3} || exit 0
+echo "E: Accepted 3rd element in a table with max size of 2" 1>&2
+exit 1
diff --git a/tests/shell/testcases/sets/0019set_check_size_0 b/tests/shell/testcases/sets/0019set_check_size_0
new file mode 100755
index 0000000..c209708
--- /dev/null
+++ b/tests/shell/testcases/sets/0019set_check_size_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.2}
+
+$NFT add element x s { 1.1.1.3 } 2>/dev/null
+if [ $? -eq 0 ]; then
+ echo "E: set is full, but element was added" >&2
+ exit 1
+fi
+#
+# Try again, this helps us catch incorrect set->nelems decrement from abort path
+#
+$NFT add element x s { 1.1.1.3 } 2>/dev/null
+if [ $? -eq 0 ]; then
+ echo "E: set is full, but element was added" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/sets/0020comments_0 b/tests/shell/testcases/sets/0020comments_0
new file mode 100755
index 0000000..44d451a
--- /dev/null
+++ b/tests/shell/testcases/sets/0020comments_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Test that comments are added to set elements in standard sets.
+# Explicitly test bitmap backend set implementation.
+
+$NFT add table inet t
+$NFT add set inet t s {type inet_service \; }
+$NFT add element inet t s { 22 comment "test" }
+if ! $NFT list ruleset | grep test >/dev/null ; then
+ echo "E: missing comment in set element" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/sets/0021nesting_0 b/tests/shell/testcases/sets/0021nesting_0
new file mode 100755
index 0000000..0b90dc7
--- /dev/null
+++ b/tests/shell/testcases/sets/0021nesting_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+RULESET='
+define set1 = {
+ 2.2.2.0/24,
+ 3.3.3.0/24,
+}
+define set2 = {
+ $set1,
+ 1.1.1.0/24
+}
+table ip x {
+ chain y {
+ ip saddr { 3.3.3.0/24, $set2 }
+ }
+}'
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset" >&2
+ exit 1
+fi
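Review bot: The `if [ $? -ne 0 ]` block after `$NFT -f - <<< "$RULESET"` is unreachable, because `set -e` at the top ends the script as soon as the load fails and `E: unable to load ruleset` is never printed. Fold the command into the condition, `if ! $NFT -f - <<< "$RULESET" ; then`, which `set -e` does not interrupt, or drop the block.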
diff --git a/tests/shell/testcases/sets/0022type_selective_flush_0 b/tests/shell/testcases/sets/0022type_selective_flush_0
new file mode 100755
index 0000000..6062913
--- /dev/null
+++ b/tests/shell/testcases/sets/0022type_selective_flush_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# This tests the selectiveness of flush command on structures that use the
+# generic set infrastructure (sets, maps and meters).
+
+RULESET="
+add table t
+add chain t c
+add set t s {type ipv4_addr;}
+add map t m {type ipv4_addr : inet_service;}
+add rule t c tcp dport 80 meter f size 1024 {ip saddr limit rate 10/second}
+"
+
+$NFT -f - <<< "$RULESET"
+
+# Commands that should be invalid
+
+declare -a cmds=(
+ "flush set t m" "flush set t f"
+ "flush map t s" "flush map t f"
+ "flush meter t s" "flush meter t m"
+ )
+
+for i in "${cmds[@]}"
+do
+ $NFT "$i" &>/dev/null
+ ret=$?
+
+ if [ $ret -eq 0 ]; then
+ exit 1
+ fi
+done
diff --git a/tests/shell/testcases/sets/0023incomplete_add_set_command_0 b/tests/shell/testcases/sets/0023incomplete_add_set_command_0
new file mode 100755
index 0000000..b7535f7
--- /dev/null
+++ b/tests/shell/testcases/sets/0023incomplete_add_set_command_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# This testscase checks bug identified and fixed in the commit Id "c6cd7c22548a"
+# Before the commit c6cd7c22548a, nft returns 139 (i.e, segmentation fault) which
+# indicates the bug but after the commit it returns 1.
+
+$NFT add table t
+$NFT add set t c
+
+ret=$?
+if [ $ret -ne 1 ] ;
+then
+ echo "E: returned $ret instead of 1" >&2
+ exit 1
+fi
+
diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/sets/0024named_objects_0
new file mode 100755
index 0000000..6d21e38
--- /dev/null
+++ b/tests/shell/testcases/sets/0024named_objects_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# This is the testscase:
+# * creating valid named objects
+# * referencing them from a valid rule
+
+RULESET="
+table inet x {
+ counter user123 {
+ packets 12 bytes 1433
+ }
+ counter user321 {
+ packets 12 bytes 1433
+ }
+ quota user123 {
+ over 2000 bytes
+ }
+ quota user124 {
+ over 2000 bytes
+ }
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+ synproxy other-synproxy {
+ mss 1460
+ wscale 5
+ }
+ set y {
+ type ipv4_addr
+ }
+ map test {
+ type ipv4_addr : quota
+ elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"}
+ }
+ map test2 {
+ type ipv4_addr : synproxy
+ flags interval
+ elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ }
+ chain y {
+ type filter hook input priority 0; policy accept;
+ counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"}
+ synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ quota name ip saddr map @test drop
+ }
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+EXPECTED="table inet x {
+ counter user321 {
+ packets 12 bytes 1433
+ }
+}"
+
+GET="$($NFT reset counter inet x user321)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
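Review bot: The inner double quotes in the double-quoted `RULESET` (`"user124"`, `"user123"`, `"https-synproxy"`, `"other-synproxy"`) are consumed by the shell, so nft receives the object names unquoted and the quoted-string form is never parsed. If quoted names are what the test means to cover, escape them (`\"user124\"`) or put the ruleset in a single-quoted string or a `<<'EOF'` here-document. sets/0026named_limit_0 has the same construct with `"http-traffic"`.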
diff --git a/tests/shell/testcases/sets/0025anonymous_set_0 b/tests/shell/testcases/sets/0025anonymous_set_0
new file mode 100755
index 0000000..74777d8
--- /dev/null
+++ b/tests/shell/testcases/sets/0025anonymous_set_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Adding anonymous sets
+
+set -e
+
+$NFT add table t
+$NFT add chain t c { type filter hook output priority 0 \; }
+# set: IP addresses
+$NFT add rule t c ip daddr { \
+ 192.168.0.1, \
+ 192.168.0.2, \
+ 192.168.0.3, \
+}
+
+#set : tcp ports
+$NFT add rule t c meta oifname \"doesntexist\" tcp dport { 22, 23 } counter
diff --git a/tests/shell/testcases/sets/0026named_limit_0 b/tests/shell/testcases/sets/0026named_limit_0
new file mode 100755
index 0000000..11f1f5d
--- /dev/null
+++ b/tests/shell/testcases/sets/0026named_limit_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# This is the testscase:
+# * creating valid named limits
+# * referencing them from a valid rule
+
+RULESET="
+table ip filter {
+ limit http-traffic {
+ rate 1/second
+ }
+ chain input {
+ type filter hook input priority 0; policy accept;
+ limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
+ }
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0027ipv6_maps_ipv4_0 b/tests/shell/testcases/sets/0027ipv6_maps_ipv4_0
new file mode 100755
index 0000000..87603c5
--- /dev/null
+++ b/tests/shell/testcases/sets/0027ipv6_maps_ipv4_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests IPv4 Mapped IPv6 addresses.
+
+set -e
+
+RULESET="
+table inet t {
+ set s {
+ type ipv6_addr
+ flags interval
+ elements = { ::ffff:0.0.0.0/96 }
+ }
+}
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0028autoselect_0 b/tests/shell/testcases/sets/0028autoselect_0
new file mode 100755
index 0000000..23f43a2
--- /dev/null
+++ b/tests/shell/testcases/sets/0028autoselect_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# This testscase checks kernel picks a suitable set backends.
+# Ruleset attempts to update from packet path, so set backend
+# needs an ->update() implementation.
+
+set -e
+
+$NFT add table t
+$NFT add set t s1 { type inet_proto \; flags dynamic \; }
+$NFT add set t s2 { type ipv4_addr \; flags dynamic \; }
+$NFT add set t s3 { type ipv4_addr \; size 1024\; flags dynamic \; }
+$NFT add chain t c {type filter hook input priority 0 \; }
+
+$NFT add rule t c meta iifname foobar add @s1 { ip protocol }
+$NFT add rule t c meta iifname foobar add @s2 { ip daddr }
+$NFT add rule t c meta iifname foobar add @s3 { ip daddr }
diff --git a/tests/shell/testcases/sets/0028delete_handle_0 b/tests/shell/testcases/sets/0028delete_handle_0
new file mode 100755
index 0000000..c6d1253
--- /dev/null
+++ b/tests/shell/testcases/sets/0028delete_handle_0
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add set test-ip x { type ipv4_addr\; }
+$NFT add set test-ip y { type inet_service \; timeout 3h45s \;}
+$NFT add set test-ip z { type ipv4_addr\; flags constant , interval\;}
+$NFT add set test-ip c {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
+
+set_handle=$($NFT -a list ruleset | awk '/set c/{print $NF}')
+$NFT delete set test-ip handle $set_handle
+
+EXPECTED="table ip test-ip {
+ set x {
+ type ipv4_addr
+ }
+
+ set y {
+ type inet_service
+ timeout 3h45s
+ }
+
+ set z {
+ type ipv4_addr
+ flags constant,interval
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
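Review bot: `set_handle` is used unquoted and unchecked in `$NFT delete set test-ip handle $set_handle`. Because `set -e` without `pipefail` ignores a failing `$NFT -a list ruleset` on the left of the pipe, an empty result surfaces only as an nft syntax error on the delete. I would add `[ -n "$set_handle" ] || { echo "E: no handle found for set c" >&2; exit 1; }` after the assignment and quote the variable in the delete command.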
diff --git a/tests/shell/testcases/sets/0029named_ifname_dtype_0 b/tests/shell/testcases/sets/0029named_ifname_dtype_0
new file mode 100755
index 0000000..2dbcd22
--- /dev/null
+++ b/tests/shell/testcases/sets/0029named_ifname_dtype_0
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# support for ifname in named sets
+
+EXPECTED="table inet t {
+ set s {
+ type ifname
+ elements = { \"eth0\" }
+ }
+
+ set sc {
+ type inet_service . ifname
+ elements = { \"ssh\" . \"eth0\" }
+ }
+
+ set nv {
+ type ifname . mark
+ }
+
+ set z {
+ typeof ct zone
+ elements = { 1 }
+ }
+
+ set m {
+ typeof meta mark
+ elements = { 1 }
+ }
+
+ map cz {
+ typeof meta iifname : ct zone
+ elements = { \"veth4\" : 1 }
+ }
+
+ map cm {
+ typeof meta iifname : ct mark
+ elements = { \"veth4\" : 1 }
+ }
+
+ chain c {
+ iifname @s accept
+ oifname @s accept
+ tcp dport . meta iifname @sc accept
+ meta iifname . meta mark @nv accept
+ }
+}"
+
+set -e
+$NFT -f - <<< "$EXPECTED"
+$NFT add element inet t s '{ "eth1" }'
+$NFT add element inet t s '{ "eth2", "eth3", "veth1" }'
+
+$NFT add element inet t sc '{ 80 . "eth0" }'
+$NFT add element inet t sc '{ 80 . "eth0" }' || true
+$NFT add element inet t sc '{ 80 . "eth1" }'
+$NFT add element inet t sc '{ 81 . "eth0" }'
+
+$NFT add element inet t nv '{ "eth0" . 1 }'
+$NFT add element inet t nv '{ "eth0" . 2 }'
+
+$NFT add element inet t z '{ 2, 3, 4, 5, 6 }'
+$NFT add element inet t cz '{ "eth0" : 1, "eth1" : 2 }'
+
+$NFT add element inet t m '{ 2, 3, 4, 5, 6 }'
+$NFT add element inet t cm '{ "eth0" : 1, "eth1" : 2 }'
diff --git a/tests/shell/testcases/sets/0030add_many_elements_interval_0 b/tests/shell/testcases/sets/0030add_many_elements_interval_0
new file mode 100755
index 0000000..32a705b
--- /dev/null
+++ b/tests/shell/testcases/sets/0030add_many_elements_interval_0
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate() {
+ echo -n "{"
+ for ((i=1; i<=HOWMANY; i++)) ; do
+ for ((j=1; j<=HOWMANY; j++)) ; do
+ echo -n "10.${i}.${j}.0/24"
+ [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+ echo -n ", "
+ done
+ done
+ echo -n "}"
+}
+
+echo "add table x
+add set x y { type ipv4_addr; flags interval; }
+add element x y $(generate)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
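Review bot: The guard `if [ ! -w $tmpfile ]` does not catch a failed `mktemp`: with `tmpfile` empty the unquoted test collapses to `[ ! -w ]`, which evaluates to false, so the script carries on and breaks later at `> $tmpfile`. When the branch is taken it ends in `exit 0`, which reports a test that never ran as a pass. Quote the operand, `if [ ! -w "$tmpfile" ] ; then`, and leave with a non-zero status there (the script already uses `exit 77` for a skip). The trap is better written as `trap 'rm -f -- "$tmpfile"' EXIT` so the path is expanded, quoted, at exit time.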
diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 b/tests/shell/testcases/sets/0031set_timeout_size_0
new file mode 100755
index 0000000..9a4a27f
--- /dev/null
+++ b/tests/shell/testcases/sets/0031set_timeout_size_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+RULESET="add table x
+add set x y { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
+add chain x test
+add rule x test set update ip saddr timeout 1d2h3m4s10ms @y
+add rule x test set update ip daddr timeout 100ms @y"
+
+set -e
+$NFT -f - <<< "$RULESET"
+$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s\(10\|8\)ms }'
+$NFT list chain x test | grep -q 'update @y { ip daddr timeout 100ms }'
diff --git a/tests/shell/testcases/sets/0032restore_set_simple_0 b/tests/shell/testcases/sets/0032restore_set_simple_0
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/0032restore_set_simple_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
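Review bot: `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` leaves `$0` unquoted, so a checkout path containing whitespace or glob characters is split before `dirname` and `basename` see it. `dumpfile="$(dirname "$0")/dumps/$(basename "$0").nft"` avoids that. 0037_set_with_inet_service_0 carries the identical line.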
diff --git a/tests/shell/testcases/sets/0033add_set_simple_flat_0 b/tests/shell/testcases/sets/0033add_set_simple_flat_0
new file mode 100755
index 0000000..86be0c9
--- /dev/null
+++ b/tests/shell/testcases/sets/0033add_set_simple_flat_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+RULESET="add table ip x
+add set x setA {type ipv4_addr . inet_service . ipv4_addr; flags timeout;}
+add set x setB {type ipv4_addr . inet_service; flags timeout;}
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0
new file mode 100755
index 0000000..3343529
--- /dev/null
+++ b/tests/shell/testcases/sets/0034get_element_0
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+RC=0
+
+check() { # (set, elems, expected)
+ out=$($NFT get element ip t $1 "{ $2 }")
+ out=$(grep "elements =" <<< "$out")
+ out="${out#* \{ }"
+ out="${out% \}}"
+ [[ "$out" == "$3" ]] && return
+ echo "ERROR: asked for '$2' in set $1, expecting '$3' but got '$out'"
+ ((RC++))
+}
+
+RULESET="add table ip t
+add set ip t s { type inet_service; flags interval; }
+add element ip t s { 10, 20-30, 40, 50-60 }
+add set ip t ips { type ipv4_addr; flags interval; }
+add element ip t ips { 10.0.0.1, 10.0.0.5-10.0.0.8 }
+add element ip t ips { 10.0.0.128/25, 10.0.1.0/24, 10.0.2.3-10.0.2.12 }
+add set ip t cs { type ipv4_addr . inet_service; flags interval; }
+add element ip t cs { 10.0.0.1 . 22, 10.1.0.0/16 . 1-1024 }
+add element ip t cs { 10.2.0.1-10.2.0.8 . 1024-65535 }
+"
+
+$NFT -f - <<< "$RULESET"
+
+# simple cases, (non-)existing values and ranges
+check s 10 10
+check s 11 ""
+check s 20-30 20-30
+check s 15-18 ""
+
+# multiple single elements, ranges smaller than present
+check s "10, 40" "10, 40"
+check s "22-24, 26-28" "20-30, 20-30"
+check s 21-29 20-30
+
+# mixed single elements and ranges
+check s "10, 20" "10, 20-30"
+check s "10, 22" "10, 20-30"
+check s "10, 22-24" "10, 20-30"
+
+# non-existing ranges matching elements
+check s 10-40 ""
+check s 10-20 ""
+check s 10-25 ""
+check s 25-55 ""
+
+# playing with IPs, ranges and prefixes
+check ips 10.0.0.1 10.0.0.1
+check ips 10.0.0.2 ""
+check ips 10.0.1.0/24 10.0.1.0/24
+check ips 10.0.1.2/31 10.0.1.0/24
+check ips 10.0.1.0 10.0.1.0/24
+check ips 10.0.1.3 10.0.1.0/24
+check ips 10.0.1.255 10.0.1.0/24
+check ips 10.0.2.3-10.0.2.12 10.0.2.3-10.0.2.12
+check ips 10.0.2.10 10.0.2.3-10.0.2.12
+check ips 10.0.2.12 10.0.2.3-10.0.2.12
+
+# test concatenated ranges, i.e. Pi, Pa and Po
+check cs "10.0.0.1 . 22" "10.0.0.1 . 22"
+check cs "10.0.0.1 . 23" ""
+check cs "10.0.0.2 . 22" ""
+check cs "10.1.0.1 . 42" "10.1.0.0/16 . 1-1024"
+check cs "10.1.1.0/24 . 10-20" "10.1.0.0/16 . 1-1024"
+check cs "10.2.0.3 . 20000" "10.2.0.1-10.2.0.8 . 1024-65535"
+
+exit $RC
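Review bot: The ruleset load `$NFT -f - <<< "$RULESET"` is unchecked and the script runs without `set -e`, so a failed load shows up only as a series of `ERROR: asked for …` lines from `check` instead of one clear failure. Appending `|| { echo "E: can't load ruleset" >&2; exit 1; }` to that line makes the cause obvious. Inside `check`, `out` is a global and the error message goes to stdout; `local out` and `>&2` on the `echo` would keep diagnostics separate from test output.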
diff --git a/tests/shell/testcases/sets/0035add_set_elements_flat_0 b/tests/shell/testcases/sets/0035add_set_elements_flat_0
new file mode 100755
index 0000000..d914ba9
--- /dev/null
+++ b/tests/shell/testcases/sets/0035add_set_elements_flat_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET="add table ip x
+add set x y {type ipv4_addr; flags interval;}
+add element x y { 10.0.24.0/24 }
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
+$NFT delete element x y { 10.0.24.0/24 }
diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0
new file mode 100755
index 0000000..0fd016e
--- /dev/null
+++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+drop_seconds() {
+ sed -E 's/m[0-9]*s([0-9]*ms)?/m/g'
+}
+
+RULESET="add table ip x
+add set ip x y { type ipv4_addr; flags dynamic,timeout; }
+add element ip x y { 1.1.1.1 timeout 30m expires 15m59s }"
+
+EXPECTED="add table ip x
+add set ip x y { type ipv4_addr; flags dynamic,timeout; }
+add element ip x y { 1.1.1.1 timeout 30m expires 15m }"
+
+test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation' | drop_seconds)
+
+if [ "$test_output" != "$EXPECTED" ] ; then
+ $DIFF -u <(echo "$test_output") <(echo "$EXPECTED")
+ exit 1
+fi
+
+$NFT "add chain ip x c; add rule ip x c ip saddr @y"
diff --git a/tests/shell/testcases/sets/0037_set_with_inet_service_0 b/tests/shell/testcases/sets/0037_set_with_inet_service_0
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/0037_set_with_inet_service_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/0038meter_list_0 b/tests/shell/testcases/sets/0038meter_list_0
new file mode 100755
index 0000000..e9e0f6f
--- /dev/null
+++ b/tests/shell/testcases/sets/0038meter_list_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+#
+# Listing meters should not include dynamic sets in the output
+#
+
+set -e
+
+RULESET="
+ add table t
+ add set t s { type ipv4_addr; size 256; flags dynamic,timeout; }
+ add chain t c
+ add rule t c tcp dport 80 meter m size 128 { ip saddr limit rate 10/second }
+"
+
+expected_output="table ip t {
+ meter m {
+ type ipv4_addr
+ size 128
+ flags dynamic
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+test_output=$($NFT list meters)
+
+test "$test_output" = "$expected_output"
+
diff --git a/tests/shell/testcases/sets/0039delete_interval_0 b/tests/shell/testcases/sets/0039delete_interval_0
new file mode 100755
index 0000000..19df16e
--- /dev/null
+++ b/tests/shell/testcases/sets/0039delete_interval_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Make sure nft allows to delete existing ranges only
+
+RULESET="
+table t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 }
+ }
+}"
+
+$NFT -f - <<< "$RULESET" || { echo "E: Can't load basic ruleset" 1>&2; exit 1; }
+
+$NFT delete element t s '{ 192.168.1.0/24 }' 2>/dev/null || exit 0
+echo "E: Deletion of non-existing range allowed" 1>&2
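Review bot: The script ends on `echo "E: Deletion of non-existing range allowed" 1>&2` with no `exit 1` after it, so when the delete of `192.168.1.0/24` wrongly succeeds the exit status is that of `echo` and the test still passes. Add `exit 1` as the last line, as 0050set_define_1 does after its error message.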
diff --git a/tests/shell/testcases/sets/0040get_host_endian_elements_0 b/tests/shell/testcases/sets/0040get_host_endian_elements_0
new file mode 100755
index 0000000..caf6a4a
--- /dev/null
+++ b/tests/shell/testcases/sets/0040get_host_endian_elements_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+RULESET="table ip t {
+ set s {
+ type mark
+ flags interval
+ elements = {
+ 0x23-0x42, 0x1337
+ }
+ }
+}"
+
+$NFT -f - <<< "$RULESET" || { echo "can't apply basic ruleset"; exit 1; }
+
+$NFT get element ip t s '{ 0x23-0x42 }' || {
+ echo "can't find existing range 0x23-0x42"
+ exit 1
+}
+
+$NFT get element ip t s '{ 0x26-0x28 }' || {
+ echo "can't find existing sub-range 0x26-0x28"
+ exit 1
+}
+
+$NFT get element ip t s '{ 0x26-0x99 }' && {
+ echo "found non-existing range 0x26-0x99"
+ exit 1
+}
+
+$NFT get element ip t s '{ 0x55-0x99 }' && {
+ echo "found non-existing range 0x55-0x99"
+ exit 1
+}
+
+$NFT get element ip t s '{ 0x55 }' && {
+ echo "found non-existing element 0x55"
+ exit 1
+}
+
+$NFT get element ip t s '{ 0x1337 }' || {
+ echo "can't find existing element 0x1337"
+ exit 1
+}
diff --git a/tests/shell/testcases/sets/0041interval_0 b/tests/shell/testcases/sets/0041interval_0
new file mode 100755
index 0000000..42fc6cc
--- /dev/null
+++ b/tests/shell/testcases/sets/0041interval_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.2.195, 192.168.2.196,
+ 192.168.2.197, 192.168.2.198 }
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+$NFT 'delete element t s { 192.168.2.195, 192.168.2.196 }; add element t s { 192.168.2.196 }' 2>/dev/null
+$NFT get element t s { 192.168.2.196, 192.168.2.197, 192.168.2.198 } 1>/dev/null
+$NFT 'delete element t s { 192.168.2.196, 192.168.2.197 }; add element t s { 192.168.2.197 }' 2>/dev/null
+$NFT get element t s { 192.168.2.197, 192.168.2.198 } 1>/dev/null
+$NFT 'delete element t s { 192.168.2.198, 192.168.2.197 }; add element t s { 192.168.2.196, 192.168.2.197, 192.168.2.195 }' 1>/dev/null
+$NFT get element t s { 192.168.2.196, 192.168.2.197, 192.168.2.195 } 1>/dev/null
+$NFT delete element t s { 192.168.2.196, 192.168.2.197, 192.168.2.195 } 2>/dev/null
+$NFT create element t s { 192.168.2.196} 2>/dev/null
+$NFT get element t s { 192.168.2.196 } 1>/dev/null
diff --git a/tests/shell/testcases/sets/0042update_set_0 b/tests/shell/testcases/sets/0042update_set_0
new file mode 100755
index 0000000..a8e9e05
--- /dev/null
+++ b/tests/shell/testcases/sets/0042update_set_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip t {
+ set set1 {
+ type ether_addr
+ }
+
+ set set2 {
+ type ether_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain c {
+ ether daddr @set1 add @set2 { ether daddr counter }
+ }
+}"
+
+$NFT -f - <<< "$RULESET" || { echo "can't apply basic ruleset"; exit 1; }
diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_0 b/tests/shell/testcases/sets/0043concatenated_ranges_0
new file mode 100755
index 0000000..83d7435
--- /dev/null
+++ b/tests/shell/testcases/sets/0043concatenated_ranges_0
@@ -0,0 +1,194 @@
+#!/bin/bash -e
+#
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+#
+# 0043concatenated_ranges_0 - Add, get, list, timeout for concatenated ranges
+#
+# Cycle over supported data types, forming concatenations of three fields, for
+# all possible permutations, and:
+# - add entries to set
+# - list them
+# - get entries by specifying a value matching ranges for all fields
+# - delete them
+# - check that they can't be deleted again
+# - add them with 1s timeout
+# - check that they are not listed after 1s, just once, for the first entry
+# - delete them
+# - make sure they can't be deleted again
+
+TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark"
+
+RULESPEC_ipv4_addr="ip saddr"
+ELEMS_ipv4_addr="192.0.2.1 198.51.100.0/25 203.0.113.0-203.0.113.129"
+ADD_ipv4_addr="192.0.2.252/31"
+GET_ipv4_addr="198.51.100.127 198.51.100.0/25"
+
+RULESPEC_ipv6_addr="ip6 daddr"
+ELEMS_ipv6_addr="2001:db8:c0c:c0de::1-2001:db8:cacc::a 2001:db8::1 2001:db8:dada:da::/64"
+ADD_ipv6_addr="2001:db8::d1ca:d1ca"
+GET_ipv6_addr="2001:db8::1 2001:db8::1"
+
+RULESPEC_ether_addr="ether saddr"
+ELEMS_ether_addr="00:0a:c1:d1:f1:ed-00:0a:c1:dd:ec:af 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00 f0:ca:cc:1a:b0:1a"
+ADD_ether_addr="00:be:1d:ed:ab:e1"
+GET_ether_addr="ac:c1:ac:c0:ce:c0 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00"
+
+RULESPEC_inet_proto="meta l4proto"
+ELEMS_inet_proto="tcp udp icmp"
+ADD_inet_proto="sctp"
+GET_inet_proto="udp udp"
+
+RULESPEC_inet_service="tcp dport"
+ELEMS_inet_service="22-23 1024-32768 31337"
+ADD_inet_service="32769-65535"
+GET_inet_service="32768 1024-32768"
+
+RULESPEC_mark="mark"
+ELEMS_mark="0x00000064-0x000000c8 0x0000006f 0x0000fffd-0x0000ffff"
+ADD_mark="0x0000002a"
+GET_mark="0x0000006f 0x0000006f"
+
+tmp="$(mktemp)"
+trap "rm -f ${tmp}" EXIT
+
+render() {
+ eval "echo \"$(cat ${1})\""
+}
+
+cat <<'EOF' > "${tmp}"
+flush ruleset
+
+table inet filter {
+ ${setmap} test {
+ type ${ta} . ${tb} . ${tc} ${mapt}
+ flags interval,timeout
+ elements = { ${a1} . ${b1} . ${c1} ${mapv},
+ ${a2} . ${b2} . ${c2} ${mapv},
+ ${a3} . ${b3} . ${c3} ${mapv}, }
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ ${rule} @test counter
+ }
+}
+EOF
+
+timeout_tested=0
+run_test()
+{
+setmap="$1"
+for ta in ${TYPES}; do
+ eval a=\$ELEMS_${ta}
+ a1=${a%% *}; a2=$(expr "$a" : ".* \(.*\) .*"); a3=${a##* }
+ eval sa=\$RULESPEC_${ta}
+
+ mark=0
+ for tb in ${TYPES}; do
+ [ "${tb}" = "${ta}" ] && continue
+ if [ "${tb}" = "ipv6_addr" ]; then
+ [ "${ta}" = "ipv4_addr" ] && continue
+ elif [ "${tb}" = "ipv4_addr" ]; then
+ [ "${ta}" = "ipv6_addr" ] && continue
+ fi
+
+ eval b=\$ELEMS_${tb}
+ b1=${b%% *}; b2=$(expr "$b" : ".* \(.*\) .*"); b3=${b##* }
+ eval sb=\$RULESPEC_${tb}
+
+ for tc in ${TYPES}; do
+ [ "${tc}" = "${ta}" ] && continue
+ [ "${tc}" = "${tb}" ] && continue
+ if [ "${tc}" = "ipv6_addr" ]; then
+ [ "${ta}" = "ipv4_addr" ] && continue
+ [ "${tb}" = "ipv4_addr" ] && continue
+ elif [ "${tc}" = "ipv4_addr" ]; then
+ [ "${ta}" = "ipv6_addr" ] && continue
+ [ "${tb}" = "ipv6_addr" ] && continue
+ fi
+
+ echo "$setmap TYPE: ${ta} ${tb} ${tc}"
+
+ eval c=\$ELEMS_${tc}
+ c1=${c%% *}; c2=$(expr "$c" : ".* \(.*\) .*"); c3=${c##* }
+ eval sc=\$RULESPEC_${tc}
+
+ case "${setmap}" in
+ "set")
+ mapt=""
+ mapv=""
+ rule="${sa} . ${sb} . ${sc}"
+ ;;
+ "map")
+ mapt=": mark"
+ mark=42
+ mapv=$(printf " : 0x%08x" ${mark})
+ rule="meta mark set ${sa} . ${sb} . ${sc} map"
+ ;;
+ esac
+
+ render ${tmp} | ${NFT} -f -
+
+ [ $(${NFT} list ${setmap} inet filter test | \
+ grep -c -e "${a1} . ${b1} . ${c1}${mapv}" \
+ -e "${a2} . ${b2} . ${c2}${mapv}" \
+ -e "${a3} . ${b3} . ${c3}${mapv}") -eq 3 ]
+
+ ${NFT} delete element inet filter test \
+ "{ ${a1} . ${b1} . ${c1}${mapv} }"
+ ${NFT} delete element inet filter test \
+ "{ ${a1} . ${b1} . ${c1}${mapv} }" \
+ 2>/dev/null && exit 1
+
+ eval add_a=\$ADD_${ta}
+ eval add_b=\$ADD_${tb}
+ eval add_c=\$ADD_${tc}
+ ${NFT} add element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} timeout 2m${mapv}}"
+ [ $(${NFT} list ${setmap} inet filter test | \
+ grep -c "${add_a} . ${add_b} . ${add_c}") -eq 1 ]
+
+ eval get_a=\$GET_${ta}
+ eval get_b=\$GET_${tb}
+ eval get_c=\$GET_${tc}
+ exp_a=${get_a##* }; get_a=${get_a%% *}
+ exp_b=${get_b##* }; get_b=${get_b%% *}
+ exp_c=${get_c##* }; get_c=${get_c%% *}
+ [ $(${NFT} get element inet filter test \
+ "{ ${get_a} . ${get_b} . ${get_c}${mapv} }" | \
+ grep -c "${exp_a} . ${exp_b} . ${exp_c}") -eq 1 ]
+
+ ${NFT} "delete element inet filter test \
+ { ${a2} . ${b2} . ${c2}${mapv} };
+ delete element inet filter test \
+ { ${a3} . ${b3} . ${c3}${mapv} }"
+ ${NFT} "delete element inet filter test \
+ { ${a2} . ${b2} . ${c2}${mapv} };
+ delete element inet filter test \
+ { ${a3} . ${b3} . ${c3} ${mapv} }" \
+ 2>/dev/null && exit 1
+
+ if [ ${timeout_tested} -eq 1 ]; then
+ ${NFT} delete element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} ${mapv} }"
+ ${NFT} delete element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} ${mapv} }" \
+ 2>/dev/null && exit 1
+ continue
+ fi
+
+ ${NFT} delete element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} ${mapv}}"
+ ${NFT} add element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}"
+ sleep 1
+ [ $(${NFT} list ${setmap} inet filter test | \
+ grep -c "${add_a} . ${add_b} . ${add_c} ${mapv}") -eq 0 ]
+ timeout_tested=1
+ done
+ done
+done
+}
+
+run_test "set"
+run_test "map"
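Review bot: The bare assertions in `run_test`, such as `[ $(${NFT} list ${setmap} inet filter test | grep -c …) -eq 3 ]`, fail the test only through errexit, and errexit is enabled solely by `#!/bin/bash -e`, which is dropped when the file is started as `bash FILE`. A `set -e` line in the body keeps them effective however the runner starts the script. 0043concatenated_ranges_1, 0044interval_overlap_0 and 0044interval_overlap_1 use the same shebang. `render` passes the template through `eval`, which is acceptable only because the script writes that file itself from a quoted here-document into a `mktemp` path; a comment such as `# template is written by this script; never render external input` would keep it from being reused on other input.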
diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_1 b/tests/shell/testcases/sets/0043concatenated_ranges_1
new file mode 100755
index 0000000..1be2889
--- /dev/null
+++ b/tests/shell/testcases/sets/0043concatenated_ranges_1
@@ -0,0 +1,23 @@
+#!/bin/bash -e
+#
+# 0043concatenated_ranges_1 - Insert and list subnets of different sizes
+
+check() {
+ $NFT add element "${1}" t s "{ ${2} . ${3} }"
+ [ "$( $NFT list set "${1}" t s | grep -c "${2} . ${3}" )" = 1 ]
+}
+
+$NFT add table ip6 t
+$NFT add table ip t
+
+$NFT add set ip6 t s '{ type ipv6_addr . ipv6_addr ; flags interval ; }'
+$NFT add set ip t s '{ type ipv4_addr . ipv4_addr ; flags interval ; }'
+
+for n in $(seq 32 127); do
+ h="$(printf %x "${n}")"
+ check ip6 "2001:db8::/${n}" "2001:db8:${h}::-2001:db8:${h}::${h}:1"
+done
+
+for n in $(seq 24 31); do
+ check ip "192.0.2.0/${n}" "192.0.2.$((n * 3))-192.0.2.$((n * 3 + 2))"
+done
diff --git a/tests/shell/testcases/sets/0044interval_overlap_0 b/tests/shell/testcases/sets/0044interval_overlap_0
new file mode 100755
index 0000000..71bf334
--- /dev/null
+++ b/tests/shell/testcases/sets/0044interval_overlap_0
@@ -0,0 +1,166 @@
+#!/bin/bash -e
+#
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+#
+# 0044interval_overlap_0 - Add overlapping and non-overlapping intervals
+#
+# Check that adding overlapping intervals to a set returns an error, unless:
+# - the inserted element overlaps entirely, that is, it's identical to an
+# existing one
+# - for concatenated ranges, the new element is less specific than any existing
+# overlapping element, as elements are evaluated in order of insertion
+#
+# Then, repeat the test with a set configured with a timeout, checking that:
+# - we can insert all the elements as described above
+# - once the timeout has expired, we can insert all the elements again, and old
+# elements are not present
+# - before the timeout expires again, we can re-add elements that are not
+# expected to fail, but old elements might be present
+#
+# If $NFT points to a libtool wrapper, and we're running on a slow machine or
+# kernel (e.g. KASan enabled), it might not be possible to execute hundreds of
+# commands within an otherwise reasonable 1 second timeout. Estimate a usable
+# timeout first, by counting commands and measuring against one nft rule timeout
+# itself, so that we can keep this fast for a binary $NFT on a reasonably fast
+# kernel.
+
+# Accept Interval List
+intervals_simple="
+ y 0 - 2 0-2
+ y 0 - 2 0-2
+ n 0 - 1 0-2
+ n 0 - 3 0-2
+ y 3 - 10 0-2, 3-10
+ n 3 - 9 0-2, 3-10
+ n 4 - 10 0-2, 3-10
+ n 4 - 9 0-2, 3-10
+ y 20 - 30 0-2, 3-10, 20-30
+ y 11 - 12 0-2, 3-10, 11-12, 20-30
+ y 13 - 19 0-2, 3-10, 11-12, 13-19, 20-30
+ n 25 - 40 0-2, 3-10, 11-12, 13-19, 20-30
+ y 50 - 60 0-2, 3-10, 11-12, 13-19, 20-30, 50-60
+ y 31 - 49 0-2, 3-10, 11-12, 13-19, 20-30, 31-49, 50-60
+ n 59 - 60 0-2, 3-10, 11-12, 13-19, 20-30, 31-49, 50-60
+"
+
+intervals_concat="
+ y 0-2 . 0-3 0-2 . 0-3
+ y 0-2 . 0-3 0-2 . 0-3
+ n 0-1 . 0-2 0-2 . 0-3
+ y 10-20 . 30-40 0-2 . 0-3, 10-20 . 30-40
+ y 15-20 . 50-60 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60
+ y 3-9 . 4-29 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+ y 3-9 . 4-29 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+ n 11-19 . 30-40 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+ y 15-20 . 49-61 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29, 15-20 . 49-61
+"
+
+count_elements() {
+ pass=
+ interval=
+ elements=0
+ for t in ${intervals_simple} ${intervals_concat}; do
+ [ -z "${pass}" ] && pass="${t}" && continue
+ [ -z "${interval}" ] && interval="${t}" && continue
+ unset IFS
+
+ elements=$((elements + 1))
+
+ IFS='
+'
+ done
+ unset IFS
+}
+
+match_elements() {
+ skip=0
+ n=0
+ out=
+ for a in $($NFT list set t ${1})}; do
+ [ ${n} -eq 0 ] && { [ "${a}" = "elements" ] && n=1; continue; }
+ [ ${n} -eq 1 ] && { [ "${a}" = "=" ] && n=2; continue; }
+ [ ${n} -eq 2 ] && { [ "${a}" = "{" ] && n=3; continue; }
+
+ [ "${a}" = "}" ] && break
+
+ [ ${skip} -eq 1 ] && skip=0 && out="${out}," && continue
+ [ "${a}" = "expires" ] && skip=1 && continue
+
+ [ -n "${out}" ] && out="${out} ${a}" || out="${a}"
+
+ done
+
+ if [ "${out%,}" != "${2}" ]; then
+ echo "Expected: ${2}, got: ${out%,}"
+ return 1
+ fi
+}
+
+estimate_timeout() {
+ count_elements
+
+ $NFT add table t
+ $NFT add set t s '{ type inet_service ; flags timeout; timeout 1s; gc-interval 1s; }'
+ execs_1s=1
+ $NFT add element t s "{ 0 }"
+ while match_elements s "0" >/dev/null; do
+ execs_1s=$((execs_1s + 1))
+ done
+
+ timeout="$((elements / execs_1s * 3 / 2 + 1))"
+}
+
+add_elements() {
+ set="s"
+ pass=
+ interval=
+ IFS='
+'
+ for t in ${intervals_simple} switch ${intervals_concat}; do
+ [ "${t}" = "switch" ] && set="c" && continue
+ [ -z "${pass}" ] && pass="${t}" && continue
+ [ -z "${interval}" ] && interval="${t}" && continue
+ unset IFS
+
+ if [ "${pass}" = "y" ]; then
+ if ! $NFT add element t ${set} "{ ${interval} }"; then
+ echo "Failed to insert ${interval} given:"
+ $NFT list ruleset
+ exit 1
+ fi
+ else
+ if $NFT add element t ${set} "{ ${interval} }" 2>/dev/null; then
+ echo "Could insert ${interval} given:"
+ $NFT list ruleset
+ exit 1
+ fi
+ fi
+
+ [ "${1}" != "nomatch" ] && match_elements "${set}" "${t}"
+
+ pass=
+ interval=
+ IFS='
+'
+ done
+ unset IFS
+}
+
+$NFT add table t
+$NFT add set t s '{ type inet_service ; flags interval ; }'
+$NFT add set t c '{ type inet_service . inet_service ; flags interval ; }'
+add_elements
+
+$NFT flush ruleset
+estimate_timeout
+
+$NFT flush ruleset
+$NFT add table t
+$NFT add set t s "{ type inet_service ; flags interval,timeout; timeout ${timeout}s; gc-interval ${timeout}s; }"
+$NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }"
+add_elements
+
+sleep $((timeout * 3 / 2))
+add_elements
+
+add_elements nomatch
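Review bot: `count_elements` never clears `pass` and `interval` after counting, so once the first two words are consumed every further word increments `elements`, and `estimate_timeout` derives its timeout from a count far larger than the number of rows. As far as the visible code shows this only lengthens the test. Resetting them after the increment (`pass=; interval=`) and setting `IFS` before the loop, as `add_elements` does, would give one count per row. Separately, the loop header in `match_elements`, `for a in $($NFT list set t ${1})}; do`, has a stray `}` after the command substitution. It is harmless today because the loop breaks at the first `}` token, but it should read `for a in $($NFT list set t ${1}); do`.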
diff --git a/tests/shell/testcases/sets/0044interval_overlap_1 b/tests/shell/testcases/sets/0044interval_overlap_1
new file mode 100755
index 0000000..cdd0c84
--- /dev/null
+++ b/tests/shell/testcases/sets/0044interval_overlap_1
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+#
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+#
+# 0044interval_overlap_1 - Single-sized intervals can never overlap partially
+#
+# Check that inserting, deleting, and inserting single-sized intervals again
+# never leads to a partial overlap. Specifically trigger rbtree rebalancing in
+# the process, to ensure different tree shapes of equivalent sets don't lead to
+# false positives, by deleting every second inserted item.
+
+xorshift() {
+ # Adaptation of Xorshift algorithm from:
+ # Marsaglia, G. (2003). Xorshift RNGs.
+ # Journal of Statistical Software, 8(14), 1 - 6.
+ # doi:http://dx.doi.org/10.18637/jss.v008.i14
+ # with triplet (5, 3, 1), suitable for 16-bit ranges.
+
+ : $((port ^= port << 5))
+ : $((port ^= port >> 3))
+ : $((port ^= port << 1))
+}
+
+$NFT add table t
+$NFT add set t s '{ type inet_service ; flags interval ; }'
+
+for op in add delete add; do
+ port=1
+ skip=0
+ for i in $(seq 1 500); do
+ xorshift
+ if [ "${op}" = "delete" ]; then
+ [ ${skip} -eq 0 ] && skip=1 && continue
+ skip=0
+ fi
+ $NFT ${op} element t s "{ { $((port % 32768 + 32768)) } }"
+ done
+done
diff --git a/tests/shell/testcases/sets/0045concat_ipv4_service b/tests/shell/testcases/sets/0045concat_ipv4_service
new file mode 100755
index 0000000..5b40f97
--- /dev/null
+++ b/tests/shell/testcases/sets/0045concat_ipv4_service
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+$NFT -f - <<EOF
+table inet t {
+ set s {
+ type ipv4_addr . inet_service
+ size 65536
+ flags dynamic,timeout
+ elements = { 192.168.7.1 . 22 }
+ }
+
+ chain c {
+ tcp dport 21 add @s { ip saddr . 22 timeout 60s }
+ }
+}
+EOF
diff --git a/tests/shell/testcases/sets/0046netmap_0 b/tests/shell/testcases/sets/0046netmap_0
new file mode 100755
index 0000000..60bda40
--- /dev/null
+++ b/tests/shell/testcases/sets/0046netmap_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+EXPECTED="table ip x {
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24,
+ 10.141.12.0/24 : 192.168.3.0/24,
+ 10.141.13.0/24 : 192.168.4.0/24 }
+ }
+ }
+ table ip6 x {
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 }
+ }
+ }
+"
+
+set -e
+$NFT -f - <<< $EXPECTED
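Review bot: `$NFT -f - <<< $EXPECTED` expands the ruleset unquoted, unlike the `<<< "$RULESET"` form used by the neighbouring tests. To my knowledge bash releases before 4.4 word-split an unquoted here-string and rejoin the pieces with single spaces, which would fold this multi-line ruleset onto one line. Quote it as `$NFT -f - <<< "$EXPECTED"`; 0047nat_0 has the same construct twice.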
diff --git a/tests/shell/testcases/sets/0047nat_0 b/tests/shell/testcases/sets/0047nat_0
new file mode 100755
index 0000000..4e53b7b
--- /dev/null
+++ b/tests/shell/testcases/sets/0047nat_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+EXPECTED="table ip x {
+ map y {
+ type ipv4_addr : interval ipv4_addr
+ flags interval
+ elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4,
+ 10.141.11.0/24 : 192.168.4.2-192.168.4.3 }
+ }
+
+ chain x {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat to ip saddr map @y
+ }
+ }
+"
+
+set -e
+$NFT -f - <<< $EXPECTED
+$NFT add element x y { 10.141.12.0/24 : 192.168.5.10-192.168.5.20 }
+
+EXPECTED="table inet x {
+ chain x {
+ type nat hook prerouting priority dstnat; policy accept;
+ dnat to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 }
+ }
+
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2-192.168.4.3 }
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0048set_counters_0 b/tests/shell/testcases/sets/0048set_counters_0
new file mode 100755
index 0000000..e62d25d
--- /dev/null
+++ b/tests/shell/testcases/sets/0048set_counters_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip x {
+ set y {
+ typeof ip saddr
+ counter
+ elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
+ }
+
+ chain z {
+ type filter hook output priority filter; policy accept;
+ ip daddr @y
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0
new file mode 100755
index 0000000..1d512f7
--- /dev/null
+++ b/tests/shell/testcases/sets/0049set_define_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
+define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ tcp dport {\$BASE_ALLOWED_INCOMING_TCP_PORTS, \$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
+ }
+}
+"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0050set_define_1 b/tests/shell/testcases/sets/0050set_define_1
new file mode 100755
index 0000000..c12de17
--- /dev/null
+++ b/tests/shell/testcases/sets/0050set_define_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define BASE_ALLOWED_INCOMING_TCP_PORTS = {}
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ tcp dport {\$BASE_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
+ }
+}
+"
+
+$NFT -f - <<< "$EXPECTED" &> /dev/null || exit 0
+echo "E: Accepted empty set" 1>&2
+exit 1
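Review bot: The expected-failure check `$NFT -f - <<< "$EXPECTED" &> /dev/null || exit 0` counts every non-zero status as the wanted rejection and discards the error text. A crash in nft or an unrelated load error would therefore be reported as "empty set rejected". Assuming nft signals ordinary errors with status 1 (to be confirmed), the check can be narrowed with `rc=0; $NFT -f - <<< "$EXPECTED" &> /dev/null || rc=$?` followed by `[ "$rc" -eq 1 ] && exit 0`. The "should fail" checks in 0060set_multistmt_0 (`if [ $? -eq 0 ]`) have the same weakness.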
diff --git a/tests/shell/testcases/sets/0051set_interval_counter_0 b/tests/shell/testcases/sets/0051set_interval_counter_0
new file mode 100755
index 0000000..ea90e26
--- /dev/null
+++ b/tests/shell/testcases/sets/0051set_interval_counter_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip x {
+ set s {
+ type ipv4_addr
+ flags interval
+ counter
+ elements = { 192.168.2.0/24 }
+ }
+
+ chain y {
+ type filter hook output priority filter; policy accept;
+ ip daddr @s
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0052overlap_0 b/tests/shell/testcases/sets/0052overlap_0
new file mode 100755
index 0000000..c296094
--- /dev/null
+++ b/tests/shell/testcases/sets/0052overlap_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="add table ip filter
+add set ip filter w_all {type ipv4_addr; flags interval; auto-merge}
+add element ip filter w_all {10.10.10.10, 10.10.10.11}
+"
+
+$NFT -f - <<< "$EXPECTED"
+
+EXPECTED="flush set ip filter w_all
+add element ip filter w_all {10.10.10.10, 10.10.10.253}
+"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0053echo_0 b/tests/shell/testcases/sets/0053echo_0
new file mode 100755
index 0000000..6bb03c2
--- /dev/null
+++ b/tests/shell/testcases/sets/0053echo_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="add table inet filter
+delete table inet filter
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname { lo } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter accept
+ }
+}
+"
+
+$NFT -ef - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0054comments_set_0 b/tests/shell/testcases/sets/0054comments_set_0
new file mode 100755
index 0000000..9c8f787
--- /dev/null
+++ b/tests/shell/testcases/sets/0054comments_set_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# Test that comments are added to sets
+
+$NFT add table t
+$NFT add set t s {type ipv4_addr \; flags interval \; comment "test" \;}
+$NFT add map t m {type ipv4_addr : ipv4_addr \; flags interval \; comment \"another test\" \;}
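Review bot: The `add set` line writes `comment "test"` with plain shell quotes, so the shell strips them and nft receives the bare word test, whereas the `add map` line escapes them as `\"another test\"`. If the set case is meant to cover a quoted comment string as well, it should read `comment \"test\"`. If the bare-word form is deliberate, a one-line comment such as `# unquoted on purpose: nft sees a bare word` would make that clear.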
diff --git a/tests/shell/testcases/sets/0055tcpflags_0 b/tests/shell/testcases/sets/0055tcpflags_0
new file mode 100755
index 0000000..a2b24eb
--- /dev/null
+++ b/tests/shell/testcases/sets/0055tcpflags_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+EXPECTED="add table ip test
+
+add set ip test tcp_good_flags { type tcp_flag ; flags constant ; elements = {
+ ( 0 | 0 | 0 |ack| 0 | 0 ), \
+ ( 0 | 0 | 0 |ack| 0 |urg), \
+ ( 0 | 0 | 0 |ack|psh| 0 ), \
+ ( 0 | 0 | 0 |ack|psh|urg), \
+ ( 0 | 0 |rst| 0 | 0 | 0 ), \
+ ( 0 | 0 |rst|ack| 0 | 0 ), \
+ ( 0 | 0 |rst|ack| 0 |urg), \
+ ( 0 | 0 |rst|ack|psh| 0 ), \
+ ( 0 | 0 |rst|ack|psh|urg), \
+ ( 0 |syn| 0 | 0 | 0 | 0 ), \
+ ( 0 |syn| 0 |ack| 0 | 0 ), \
+ ( 0 |syn| 0 |ack| 0 |urg), \
+ ( 0 |syn| 0 |ack|psh| 0 ), \
+ ( 0 |syn| 0 |ack|psh|urg), \
+ (fin| 0 | 0 |ack| 0 | 0 ), \
+ (fin| 0 | 0 |ack| 0 |urg), \
+ (fin| 0 | 0 |ack|psh| 0 ), \
+ (fin| 0 | 0 |ack|psh|urg) \
+} ; }"
+
+set -e
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0056dynamic_limit_0 b/tests/shell/testcases/sets/0056dynamic_limit_0
new file mode 100755
index 0000000..21fa0bf
--- /dev/null
+++ b/tests/shell/testcases/sets/0056dynamic_limit_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+ set ssh_meter {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ timeout 1m
+ elements = { 127.0.0.1 expires 52s44ms limit rate over 1/minute }
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
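Review bot: The last line feeds `$EXPECTED` to nft, but this script only ever assigns `RULESET`, so the here-string is empty. As a result the ssh_meter set and its `limit rate over 1/minute` element are never loaded. The script then exits 0 without exercising dynamic limits at all, unless a dump comparison outside this hunk happens to catch it. The line should read `$NFT -f - <<< "$RULESET"`.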
diff --git a/tests/shell/testcases/sets/0057set_create_fails_0 b/tests/shell/testcases/sets/0057set_create_fails_0
new file mode 100755
index 0000000..5f0149a
--- /dev/null
+++ b/tests/shell/testcases/sets/0057set_create_fails_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+ set test {
+ type ipv4_addr
+ size 65535
+ elements = { 1.1.1.1 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+CMD="create element inet filter test { 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10, 1.1.1.11, 1.1.1.12, 1.1.1.13, 1.1.1.14, 1.1.1.15, 1.1.1.16, 1.1.1.17, 1.1.1.18, 1.1.1.19, 1.1.1.20, 1.1.1.21, 1.1.1.22, 1.1.1.23, 1.1.1.24, 1.1.1.25, 1.1.1.26, 1.1.1.27, 1.1.1.28, 1.1.1.29, 1.1.1.30, 1.1.1.31, 1.1.1.32, 1.1.1.33, 1.1.1.34, 1.1.1.35, 1.1.1.36, 1.1.1.37, 1.1.1.38, 1.1.1.39, 1.1.1.40, 1.1.1.41, 1.1.1.42, 1.1.1.43, 1.1.1.44, 1.1.1.45, 1.1.1.46, 1.1.1.47, 1.1.1.48, 1.1.1.49, 1.1.1.50, 1.1.1.51, 1.1.1.52, 1.1.1.53, 1.1.1.54, 1.1.1.55, 1.1.1.56, 1.1.1.57, 1.1.1.58, 1.1.1.59, 1.1.1.60, 1.1.1.61, 1.1.1.62, 1.1.1.63, 1.1.1.64, 1.1.1.65, 1.1.1.66, 1.1.1.67, 1.1.1.68, 1.1.1.69, 1.1.1.70, 1.1.1.71, 1.1.1.72, 1.1.1.73, 1.1.1.74, 1.1.1.75, 1.1.1.76, 1.1.1.77, 1.1.1.78, 1.1.1.79, 1.1.1.80, 1.1.1.81, 1.1.1.82, 1.1.1.83, 1.1.1.84, 1.1.1.85, 1.1.1.86, 1.1.1.87, 1.1.1.88, 1.1.1.89, 1.1.1.90, 1.1.1.91, 1.1.1.92, 1.1.1.93, 1.1.1.94, 1.1.1.95, 1.1.1.96, 1.1.1.97, 1.1.1.98, 1.1.1.99, 1.1.1.100, 1.1.1.101, 1.1.1.102, 1.1.1.103, 1.1.1.104, 1.1.1.105, 1.1.1.106, 1.1.1.107, 1.1.1.108, 1.1.1.109, 1.1.1.110, 1.1.1.111, 1.1.1.112, 1.1.1.113, 1.1.1.114, 1.1.1.115, 1.1.1.116, 1.1.1.117, 1.1.1.118, 1.1.1.119, 1.1.1.120, 1.1.1.121, 1.1.1.122, 1.1.1.123, 1.1.1.124, 1.1.1.125, 1.1.1.126, 1.1.1.127, 1.1.1.128, 1.1.1.129, 1.1.1.130, 1.1.1.131, 1.1.1.132, 1.1.1.133, 1.1.1.134, 1.1.1.135, 1.1.1.136, 1.1.1.137, 1.1.1.138, 1.1.1.139, 1.1.1.140, 1.1.1.141, 1.1.1.142, 1.1.1.143, 1.1.1.144, 1.1.1.145, 1.1.1.146, 1.1.1.147, 1.1.1.148, 1.1.1.149, 1.1.1.150, 1.1.1.151, 1.1.1.152, 1.1.1.153, 1.1.1.154, 1.1.1.155, 1.1.1.156, 1.1.1.157, 1.1.1.158, 1.1.1.159, 1.1.1.160, 1.1.1.161, 1.1.1.162, 1.1.1.163, 1.1.1.164, 1.1.1.165, 1.1.1.166, 1.1.1.167, 1.1.1.168, 1.1.1.169, 1.1.1.170, 1.1.1.171, 1.1.1.172, 1.1.1.173, 1.1.1.174, 1.1.1.175, 1.1.1.176, 1.1.1.177, 1.1.1.178, 1.1.1.179, 1.1.1.180, 1.1.1.181, 1.1.1.182, 1.1.1.183, 1.1.1.184, 1.1.1.185, 1.1.1.186, 1.1.1.187, 1.1.1.188, 
1.1.1.189, 1.1.1.190, 1.1.1.191, 1.1.1.192, 1.1.1.193, 1.1.1.194, 1.1.1.195, 1.1.1.196, 1.1.1.197, 1.1.1.198, 1.1.1.199, 1.1.1.200, 1.1.1.201, 1.1.1.202, 1.1.1.203, 1.1.1.204, 1.1.1.205, 1.1.1.206, 1.1.1.207, 1.1.1.208, 1.1.1.209, 1.1.1.210, 1.1.1.211, 1.1.1.212, 1.1.1.213, 1.1.1.214, 1.1.1.215, 1.1.1.216, 1.1.1.217, 1.1.1.218, 1.1.1.219, 1.1.1.220, 1.1.1.221, 1.1.1.222, 1.1.1.223, 1.1.1.224, 1.1.1.225, 1.1.1.226, 1.1.1.227, 1.1.1.228, 1.1.1.229, 1.1.1.230, 1.1.1.231, 1.1.1.232, 1.1.1.233, 1.1.1.234, 1.1.1.235, 1.1.1.236, 1.1.1.237, 1.1.1.238, 1.1.1.239, 1.1.1.240, 1.1.1.241, 1.1.1.242, 1.1.1.243, 1.1.1.244, 1.1.1.245, 1.1.1.246, 1.1.1.247, 1.1.1.248, 1.1.1.249, 1.1.1.250, 1.1.1.251, 1.1.1.252, 1.1.1.253 }"
+
+# If this returns ENOSPC, then nft is sending a netlink message that is larger
+# than NFT_MNL_ACK_MAXSIZE. Make sure this returns EEXIST.
+$NFT -f - <<< $CMD 2>&1 >/dev/null | grep "File exists"
+[ "$?" -eq 0 ] && exit 0
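Review bot: The failure path of the final check is implicit: `[ "$?" -eq 0 ] && exit 0` fails the test only because the unsuccessful `[` happens to be the last command in the file. Letting the pipeline decide directly is easier to read, for example ending the script with `$NFT -f - <<< "$CMD" 2>&1 >/dev/null | grep -q "File exists"`. The initial `$NFT -f - <<< $RULESET` load is also unchecked, so a broken setup surfaces only as a missing "File exists" match; `|| exit 1` on that line would report it where it happens.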
diff --git a/tests/shell/testcases/sets/0058_setupdate_timeout_0 b/tests/shell/testcases/sets/0058_setupdate_timeout_0
new file mode 100755
index 0000000..52a658e
--- /dev/null
+++ b/tests/shell/testcases/sets/0058_setupdate_timeout_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+ set ssh_meter {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ timeout 30d
+ }
+
+ chain test {
+ add @ssh_meter { ip saddr timeout 30d }
+ }
+}"
+
+set -e
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0
new file mode 100755
index 0000000..2aeba2c
--- /dev/null
+++ b/tests/shell/testcases/sets/0059set_update_multistmt_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
+RULESET="table x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ timeout 1h
+ }
+ chain z {
+ type filter hook output priority 0;
+ update @y { ip daddr limit rate 1/second counter }
+ }
+}"
+
+set -e
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0
new file mode 100755
index 0000000..8e17444
--- /dev/null
+++ b/tests/shell/testcases/sets/0060set_multistmt_0
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
+RULESET="table x {
+ set y {
+ type ipv4_addr
+ limit rate 1/second counter
+ elements = { 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 }
+ }
+ chain y {
+ type filter hook output priority filter; policy accept;
+ ip daddr @y
+ }
+}"
+
+$NFT -f - <<< $RULESET
+# should work
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+# should work
+$NFT add element x y { 1.1.1.1 limit rate 1/second counter }
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+# should fail
+$NFT add element x y { 2.2.2.2 limit rate 1/second }
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+# should fail
+$NFT add element x y { 3.3.3.3 counter limit rate 1/second }
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+# should work
+$NFT add element x y { 4.4.4.4 }
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1
new file mode 100755
index 0000000..04ef047
--- /dev/null
+++ b/tests/shell/testcases/sets/0060set_multistmt_1
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
+RULESET="table x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter quota 500 bytes
+ elements = { 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes }
+ }
+ chain y {
+ type filter hook output priority filter; policy accept;
+ update @y { ip daddr }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+# should work
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+# should work
+$NFT add element x y { 1.1.1.1 }
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+# should work
+$NFT add element x y { 2.2.2.2 counter quota 1000 bytes }
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/sets/0061anonymous_automerge_0 b/tests/shell/testcases/sets/0061anonymous_automerge_0
new file mode 100755
index 0000000..2dfb800
--- /dev/null
+++ b/tests/shell/testcases/sets/0061anonymous_automerge_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0
new file mode 100755
index 0000000..48d589f
--- /dev/null
+++ b/tests/shell/testcases/sets/0062set_connlimit_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ set est-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ elements = { 84.245.120.167 ct count over 20 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+RULESET="table ip x {
+ set new-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ ct count over 20
+ elements = { 84.245.120.167 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0063set_catchall_0 b/tests/shell/testcases/sets/0063set_catchall_0
new file mode 100755
index 0000000..edd015d
--- /dev/null
+++ b/tests/shell/testcases/sets/0063set_catchall_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+set -e
+
+RULESET="table ip x {
+ set y {
+ type ipv4_addr
+ counter
+ elements = { 1.1.1.1, * }
+ }
+ set z {
+ type ipv4_addr
+ flags interval
+ counter
+ elements = { 1.1.1.0/24 , * }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+$NFT delete element x y { \* }
+$NFT add element x y { \* }
diff --git a/tests/shell/testcases/sets/0064map_catchall_0 b/tests/shell/testcases/sets/0064map_catchall_0
new file mode 100755
index 0000000..fd28937
--- /dev/null
+++ b/tests/shell/testcases/sets/0064map_catchall_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+set -e
+
+RULESET="table ip x {
+ map y {
+ type ipv4_addr : ipv4_addr
+ elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.3 }
+ }
+ map z {
+ type ipv4_addr : ipv4_addr
+ flags interval
+ elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+$NFT delete element x y { \* : 192.168.0.3 }
+$NFT add element x y { \* : 192.168.0.4 }
+
+$NFT add chain x y
+$NFT add rule x y snat to ip saddr map @z
+$NFT 'add rule x y snat to ip saddr map { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }'
+$NFT 'add rule x y snat to ip saddr . ip daddr map { 10.141.0.0/24 . 10.0.0.0/8 : 192.168.0.2, 192.168.9.0/24 . 192.168.10.0/24 : 192.168.0.4, * : 192.168.0.3 }'
diff --git a/tests/shell/testcases/sets/0065_icmp_postprocessing b/tests/shell/testcases/sets/0065_icmp_postprocessing
new file mode 100755
index 0000000..f838c3e
--- /dev/null
+++ b/tests/shell/testcases/sets/0065_icmp_postprocessing
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain foo {
+ icmp id 42
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT insert rule ip x foo index 0 accept
diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0
new file mode 100755
index 0000000..55cc0d4
--- /dev/null
+++ b/tests/shell/testcases/sets/0067nat_concat_interval_0
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip nat {
+ map ipportmap {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr map @ipportmap
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+
+EXPECTED="table ip nat {
+ map ipportmap2 {
+ type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.1/8 . 42 - 43 }
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+EXPECTED="table ip nat {
+ map fwdtoip_th {
+ type ipv4_addr . inet_service : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th
+
+EXPECTED="table ip nat {
+ map ipportmap4 {
+ typeof iifname . ip saddr : interval ip daddr
+ flags interval
+ elements = { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ dnat to iifname . ip saddr map @ipportmap4
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+EXPECTED="table ip nat {
+ map ipportmap5 {
+ typeof iifname . ip saddr : interval ip daddr . tcp dport
+ flags interval
+ elements = { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
new file mode 100755
index 0000000..e61010c
--- /dev/null
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+ruleset_file=$(mktemp)
+
+trap 'rm -f "$ruleset_file"' EXIT
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
+
+{
+ echo 'define big_set = {'
+ for ((i = 1; i < $HOWMANY; i++)); do
+ for ((j = 1; j < 255; j++)); do
+ echo "10.0.$i.$j,"
+ done
+ done
+ echo '10.1.0.0/24 }'
+} >"$ruleset_file"
+
+cat >>"$ruleset_file" <<\EOF
+table inet test68_table {
+ set test68_set {
+ type ipv4_addr
+ flags interval
+ elements = { $big_set }
+ }
+}
+EOF
+
+( ulimit -s 400 && $NFT -f "$ruleset_file" )
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/0069interval_merge_0 b/tests/shell/testcases/sets/0069interval_merge_0
new file mode 100755
index 0000000..edb6422
--- /dev/null
+++ b/tests/shell/testcases/sets/0069interval_merge_0
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+RULESET="table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ elements = { 1.2.4.0, 3.3.3.6, 4.4.4.0/24 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.5, 4.4.4.1 }
+$NFT add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.5, 4.4.5.0 }
diff --git a/tests/shell/testcases/sets/0070stacked_l2_headers b/tests/shell/testcases/sets/0070stacked_l2_headers
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/0070stacked_l2_headers
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
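Review bot: The `dumpfile=` assignment passes `$0` unquoted to `dirname` and `basename`, so a checkout path containing spaces or glob characters yields the wrong dump path. Quoting the inner expansions fixes it: `dumpfile="$(dirname "$0")/dumps/$(basename "$0").nft"`. 0074nested_interval_set uses the identical line and needs the same change.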
diff --git a/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0
new file mode 100755
index 0000000..79e3ca7
--- /dev/null
+++ b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+table inet t {
+ set s1 {
+ type ipv4_addr
+ flags interval
+ elements = { 192.0.0.0/2, 10.0.0.0/8 }
+ }
+ set s2 {
+ type ipv6_addr
+ flags interval
+ elements = { ff00::/8, fe80::/10 }
+ }
+ chain c {
+ ip saddr @s1 accept
+ ip6 daddr @s2 accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0072destroy_0 b/tests/shell/testcases/sets/0072destroy_0
new file mode 100755
index 0000000..9886a9b
--- /dev/null
+++ b/tests/shell/testcases/sets/0072destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table x
+
+# pass for non-existent set
+$NFT destroy set x s
+
+# successfully delete existing set
+$NFT add set x s '{type ipv4_addr; size 2;}'
+$NFT destroy set x s
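Review bot: The `-e` on the `#!/bin/bash -e` line takes effect only when the script is executed directly; run as `bash 0072destroy_0`, the option is dropped and a failing `$NFT` call no longer aborts the test. The other scripts in this directory use a separate `set -e` line, which works under either invocation. Using `#!/bin/bash` followed by `set -e` here would match them.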
diff --git a/tests/shell/testcases/sets/0073flat_interval_set b/tests/shell/testcases/sets/0073flat_interval_set
new file mode 100755
index 0000000..0630595
--- /dev/null
+++ b/tests/shell/testcases/sets/0073flat_interval_set
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="flush ruleset
+add table inet filter
+add map inet filter testmap { type ipv4_addr : counter; flags interval;}
+add counter inet filter TEST
+add element inet filter testmap { 192.168.0.0/24 : \"TEST\" }"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0074nested_interval_set b/tests/shell/testcases/sets/0074nested_interval_set
new file mode 100755
index 0000000..e7f65fc
--- /dev/null
+++ b/tests/shell/testcases/sets/0074nested_interval_set
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0
new file mode 100755
index 0000000..1dbac0b
--- /dev/null
+++ b/tests/shell/testcases/sets/automerge_0
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+set -e
+
+RULESET="table inet x {
+ set y {
+ type inet_service
+ flags interval
+ auto-merge
+ }
+}"
+
+HOWMANY=65535
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=5000
+fi
+
+$NFT -f - <<< $RULESET
+
+tmpfile=$(mktemp)
+echo -n "add element inet x y { " > $tmpfile
+for ((i=0;i<$HOWMANY;i+=2))
+do
+ echo -n "$i, " >> $tmpfile
+ if [ $i -eq $((HOWMANY-1)) ]
+ then
+ echo -n "$i" >> $tmpfile
+ fi
+done
+echo "}" >> $tmpfile
+
+$NFT -f $tmpfile
+
+tmpfile2=$(mktemp)
+for ((i=1;i<$HOWMANY;i+=2))
+do
+ echo "$i" >> $tmpfile2
+done
+
+tmpfile3=$(mktemp)
+shuf "$tmpfile2" --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "automerge-shuf-tmpfile2" "$NFT_TEST_RANDOM_SEED") > "$tmpfile3"
+i=0
+cat $tmpfile3 | while read line && [ $i -lt 10 ]
+do
+ $NFT add element inet x y { $line }
+ if [ $? -ne 0 ]
+ then
+ echo "failed to add $line"
+ exit 1
+ fi
+ i=$((i+1))
+done
+
+for ((i=0;i<10;i++))
+do
+ from=$(($RANDOM%$HOWMANY))
+ to=$(($from+100))
+ $NFT add element inet x y { $from-$to }
+ if [ $? -ne 0 ]
+ then
+ echo "failed to add $from-$to"
+ exit 1
+ fi
+
+ $NFT get element inet x y { $from-$to } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $from-$to"
+ exit 1
+ fi
+
+ # partial removals in the previous random range
+ from2=$(($from+10))
+ to2=$(($to-10))
+ $NFT delete element inet x y { $from, $to, $from2-$to2 }
+ if [ $? -ne 0 ]
+ then
+ echo "failed to delete $from, $to, $from2-$to2"
+ exit 1
+ fi
+
+ # check deletions are correct
+ from=$(($from+1))
+ $NFT get element inet x y { $from } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $from"
+ exit 1
+ fi
+
+ to=$(($to-1))
+ $NFT get element inet x y { $to } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $to"
+ exit 1
+ fi
+
+ from2=$(($from2-1))
+ $NFT get element inet x y { $from2 } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $from2"
+ exit 1
+ fi
+ to2=$(($to2+1))
+
+ $NFT get element inet x y { $to2 } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $to2"
+ exit 1
+ fi
+done
+
+rm -f $tmpfile
+rm -f $tmpfile2
+rm -f $tmpfile3
+
+if [ "$HOWMANY" != 65535 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
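Review bot: The three `mktemp` files are removed only by the `rm -f` lines at the end, which are never reached on failure because `set -e` exits at the first failing `$NFT` call. For the same reason the `if [ $? -ne 0 ]` blocks and their "failed to ..." messages are unreachable. A `trap 'rm -f "$tmpfile" "$tmpfile2" "$tmpfile3"' EXIT`, as 0068interval_stack_overflow_0 does for its ruleset file, would clean up on every path. The messages would work again if each call took the form `$NFT add element ... || { echo "failed to add $line"; exit 1; }`. Separately, the ranges come from `$RANDOM`, which is not derived from `NFT_TEST_RANDOM_SEED` the way the `shuf` input is, so echoing `$from-$to` before each add would let a failing run be replayed.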
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0
new file mode 100755
index 0000000..7699e9d
--- /dev/null
+++ b/tests/shell/testcases/sets/collapse_elem_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip a {
+ set x {
+ type inet_service;
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service;
+ }
+}
+add element ip a x { 1 }
+add element ip a x { 2 }
+add element ip6 a x { 2 }"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/concat_interval_0 b/tests/shell/testcases/sets/concat_interval_0
new file mode 100755
index 0000000..4d90af9
--- /dev/null
+++ b/tests/shell/testcases/sets/concat_interval_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr . inet_proto . inet_service
+ flags interval
+ counter
+ elements = { 1.0.0.1 . udp . 53 }
+ }
+ set s2 {
+ type ipv4_addr . mark
+ flags interval
+ elements = { 10.10.10.10 . 0x00000100,
+ 20.20.20.20 . 0x00000200 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT delete element t s { 1.0.0.1 . udp . 53}
+
+exit 0
diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft
new file mode 100644
index 0000000..3049aa8
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft
@@ -0,0 +1,34 @@
+table inet t {
+ set s1 {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 }
+ }
+
+ set s2 {
+ type ipv6_addr
+ flags interval
+ elements = { fe00::/64,
+ fe11::-fe22:: }
+ }
+
+ set s3 {
+ type inet_proto
+ flags interval
+ elements = { 10-20, 50-60 }
+ }
+
+ set s4 {
+ type inet_service
+ flags interval
+ elements = { 0-1024, 8080-8082, 10000-40000 }
+ }
+
+ chain c {
+ ip saddr @s1 accept
+ ip6 daddr @s2 accept
+ ip protocol @s3 accept
+ ip6 nexthdr @s3 accept
+ tcp dport @s4 accept
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft
new file mode 100644
index 0000000..452ee23
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.0.0/24, 192.168.1.0/24 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft
new file mode 100644
index 0000000..70c32a8
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft
new file mode 100644
index 0000000..940030a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+ set s {
+ type ipv6_addr
+ flags interval
+ elements = { fe00::/64 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft
new file mode 100644
index 0000000..4224d9d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+ set s {
+ type ipv6_addr
+ flags interval
+ elements = { fe00::/48 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.nft b/tests/shell/testcases/sets/dumps/0006create_set_0.nft
new file mode 100644
index 0000000..70c32a8
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0006create_set_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.nft b/tests/shell/testcases/sets/dumps/0007create_element_0.nft
new file mode 100644
index 0000000..169be11
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0007create_element_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft
new file mode 100644
index 0000000..5e7a768
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 1.1.1.1 comment "test" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft
new file mode 100644
index 0000000..ab0fe80
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+ map sourcemap {
+ type ipv4_addr : verdict
+ elements = { 100.123.10.2 : jump c }
+ }
+
+ chain postrouting {
+ ip saddr vmap @sourcemap accept
+ }
+
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft
new file mode 100644
index 0000000..455ebe3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags timeout
+ elements = { 1.1.1.1 comment "test" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.nft b/tests/shell/testcases/sets/dumps/0010comments_0.nft
new file mode 100644
index 0000000..6e42ec4
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0010comments_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { ::1 comment "test" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft
new file mode 100644
index 0000000..e3d4aee
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft
new file mode 100644
index 0000000..e3d4aee
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft
diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft
new file mode 100644
index 0000000..f6eddbf
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft
@@ -0,0 +1,11 @@
+table ip t {
+ chain c {
+ }
+}
+table inet filter {
+ set blacklist_v4 {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.0.0/24 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft
new file mode 100644
index 0000000..9d2b0af
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 2
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft
new file mode 100644
index 0000000..9d2b0af
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 2
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft
new file mode 100644
index 0000000..8cd3707
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 2
+ elements = { 1.1.1.1, 1.1.1.2 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft
new file mode 100644
index 0000000..8cd3707
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 2
+ elements = { 1.1.1.1, 1.1.1.2 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.nft b/tests/shell/testcases/sets/dumps/0020comments_0.nft
new file mode 100644
index 0000000..8b7d60a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0020comments_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+ set s {
+ type inet_service
+ elements = { 22 comment "test" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.nft b/tests/shell/testcases/sets/dumps/0021nesting_0.nft
new file mode 100644
index 0000000..6fd2a44
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0021nesting_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ chain y {
+ ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
new file mode 100644
index 0000000..0a4cb0a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ }
+
+ map m {
+ type ipv4_addr : inet_service
+ }
+
+ chain c {
+ tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second burst 5 packets }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
new file mode 100644
index 0000000..52d1bf6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
@@ -0,0 +1,50 @@
+table inet x {
+ counter user123 {
+ packets 12 bytes 1433
+ }
+
+ counter user321 {
+ packets 0 bytes 0
+ }
+
+ quota user123 {
+ over 2000 bytes
+ }
+
+ quota user124 {
+ over 2000 bytes
+ }
+
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+
+ synproxy other-synproxy {
+ mss 1460
+ wscale 5
+ }
+
+ set y {
+ type ipv4_addr
+ }
+
+ map test {
+ type ipv4_addr : quota
+ elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
+ }
+
+ map test2 {
+ type ipv4_addr : synproxy
+ flags interval
+ elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ }
+
+ chain y {
+ type filter hook input priority filter; policy accept;
+ counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
+ synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ quota name ip saddr map @test drop
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
new file mode 100644
index 0000000..5963699
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 }
+ oifname "doesntexist" tcp dport { 22, 23 } counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
new file mode 100644
index 0000000..e4daa28
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
@@ -0,0 +1,10 @@
+table ip filter {
+ limit http-traffic {
+ rate 1/second
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft
new file mode 100644
index 0000000..c49eefa
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+ set s {
+ type ipv6_addr
+ flags interval
+ elements = { ::ffff:0.0.0.0/96 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft
new file mode 100644
index 0000000..0c60492
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft
@@ -0,0 +1,26 @@
+table ip t {
+ set s1 {
+ type inet_proto
+ size 65535
+ flags dynamic
+ }
+
+ set s2 {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ set s3 {
+ type ipv4_addr
+ size 1024
+ flags dynamic
+ }
+
+ chain c {
+ type filter hook input priority filter; policy accept;
+ iifname "foobar" add @s1 { ip protocol }
+ iifname "foobar" add @s2 { ip daddr }
+ iifname "foobar" add @s3 { ip daddr }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft
new file mode 100644
index 0000000..0f25c76
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft
@@ -0,0 +1,15 @@
+table ip test-ip {
+ set x {
+ type ipv4_addr
+ }
+
+ set y {
+ type inet_service
+ timeout 3h45s
+ }
+
+ set z {
+ type ipv4_addr
+ flags constant,interval
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft
new file mode 100644
index 0000000..55cd4f2
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft
@@ -0,0 +1,57 @@
+table inet t {
+ set s {
+ type ifname
+ elements = { "eth0",
+ "eth1",
+ "eth2",
+ "eth3",
+ "veth1" }
+ }
+
+ set sc {
+ type inet_service . ifname
+ elements = { 22 . "eth0",
+ 80 . "eth0",
+ 81 . "eth0",
+ 80 . "eth1" }
+ }
+
+ set nv {
+ type ifname . mark
+ elements = { "eth0" . 0x00000001,
+ "eth0" . 0x00000002 }
+ }
+
+ set z {
+ typeof ct zone
+ elements = { 1, 2, 3, 4, 5,
+ 6 }
+ }
+
+ set m {
+ typeof meta mark
+ elements = { 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005,
+ 0x00000006 }
+ }
+
+ map cz {
+ typeof iifname : ct zone
+ elements = { "eth0" : 1,
+ "eth1" : 2,
+ "veth4" : 1 }
+ }
+
+ map cm {
+ typeof iifname : ct mark
+ elements = { "eth0" : 0x00000001,
+ "eth1" : 0x00000002,
+ "veth4" : 0x00000001 }
+ }
+
+ chain c {
+ iifname @s accept
+ oifname @s accept
+ tcp dport . iifname @sc accept
+ iifname . meta mark @nv accept
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft
new file mode 100644
index 0000000..86c5549
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft
@@ -0,0 +1,11 @@
+table ip filter {
+ set setA {
+ type ipv4_addr . inet_service . ipv4_addr
+ flags timeout
+ }
+
+ set setB {
+ type ipv4_addr . inet_service
+ flags timeout
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft
new file mode 100644
index 0000000..d6174c5
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft
@@ -0,0 +1,11 @@
+table ip x {
+ set setA {
+ type ipv4_addr . inet_service . ipv4_addr
+ flags timeout
+ }
+
+ set setB {
+ type ipv4_addr . inet_service
+ flags timeout
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.nft b/tests/shell/testcases/sets/dumps/0034get_element_0.nft
new file mode 100644
index 0000000..1c1dd97
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0034get_element_0.nft
@@ -0,0 +1,23 @@
+table ip t {
+ set s {
+ type inet_service
+ flags interval
+ elements = { 10, 20-30, 40, 50-60 }
+ }
+
+ set ips {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.1, 10.0.0.5-10.0.0.8,
+ 10.0.0.128/25, 10.0.1.0/24,
+ 10.0.2.3-10.0.2.12 }
+ }
+
+ set cs {
+ type ipv4_addr . inet_service
+ flags interval
+ elements = { 10.0.0.1 . 22,
+ 10.1.0.0/16 . 1-1024,
+ 10.2.0.1-10.2.0.8 . 1024-65535 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft
new file mode 100644
index 0000000..ca69cee
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft
new file mode 100644
index 0000000..68b1f7b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft
@@ -0,0 +1,16 @@
+table inet filter {
+ set myset {
+ type ipv4_addr . inet_proto . inet_service
+ elements = { 192.168.0.113 . tcp . 22,
+ 192.168.0.12 . tcp . 53,
+ 192.168.0.12 . udp . 53,
+ 192.168.0.12 . tcp . 80,
+ 192.168.0.13 . tcp . 80 }
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ct state established,related accept
+ ct state new ip daddr . ip protocol . th dport @myset accept
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
new file mode 100644
index 0000000..f274086
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
@@ -0,0 +1,11 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ size 256
+ flags dynamic,timeout
+ }
+
+ chain c {
+ tcp dport 80 meter m size 128 { ip saddr limit rate 10/second burst 5 packets }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft
new file mode 100644
index 0000000..1fc7657
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft
new file mode 100644
index 0000000..f580c38
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type mark
+ flags interval
+ elements = { 0x00000023-0x00000042, 0x00001337 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.nft b/tests/shell/testcases/sets/dumps/0041interval_0.nft
new file mode 100644
index 0000000..222d4d7
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0041interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.2.196 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.nft b/tests/shell/testcases/sets/dumps/0042update_set_0.nft
new file mode 100644
index 0000000..56cc875
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0042update_set_0.nft
@@ -0,0 +1,15 @@
+table ip t {
+ set set1 {
+ type ether_addr
+ }
+
+ set set2 {
+ type ether_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain c {
+ ether daddr @set1 add @set2 { ether daddr counter }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft
new file mode 100644
index 0000000..f2077b9
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft
@@ -0,0 +1,11 @@
+table inet filter {
+ map test {
+ type mark . inet_service . inet_proto : mark
+ flags interval,timeout
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ meta mark set meta mark . tcp dport . meta l4proto map @test counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft
new file mode 100644
index 0000000..19d08d3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft
@@ -0,0 +1,116 @@
+table ip6 t {
+ set s {
+ type ipv6_addr . ipv6_addr
+ flags interval
+ elements = { 2001:db8::/32 . 2001:db8:20::-2001:db8:20::20:1,
+ 2001:db8::/33 . 2001:db8:21::-2001:db8:21::21:1,
+ 2001:db8::/34 . 2001:db8:22::-2001:db8:22::22:1,
+ 2001:db8::/35 . 2001:db8:23::-2001:db8:23::23:1,
+ 2001:db8::/36 . 2001:db8:24::-2001:db8:24::24:1,
+ 2001:db8::/37 . 2001:db8:25::-2001:db8:25::25:1,
+ 2001:db8::/38 . 2001:db8:26::-2001:db8:26::26:1,
+ 2001:db8::/39 . 2001:db8:27::-2001:db8:27::27:1,
+ 2001:db8::/40 . 2001:db8:28::-2001:db8:28::28:1,
+ 2001:db8::/41 . 2001:db8:29::-2001:db8:29::29:1,
+ 2001:db8::/42 . 2001:db8:2a::-2001:db8:2a::2a:1,
+ 2001:db8::/43 . 2001:db8:2b::-2001:db8:2b::2b:1,
+ 2001:db8::/44 . 2001:db8:2c::-2001:db8:2c::2c:1,
+ 2001:db8::/45 . 2001:db8:2d::-2001:db8:2d::2d:1,
+ 2001:db8::/46 . 2001:db8:2e::-2001:db8:2e::2e:1,
+ 2001:db8::/47 . 2001:db8:2f::-2001:db8:2f::2f:1,
+ 2001:db8::/48 . 2001:db8:30::-2001:db8:30::30:1,
+ 2001:db8::/49 . 2001:db8:31::-2001:db8:31::31:1,
+ 2001:db8::/50 . 2001:db8:32::-2001:db8:32::32:1,
+ 2001:db8::/51 . 2001:db8:33::-2001:db8:33::33:1,
+ 2001:db8::/52 . 2001:db8:34::-2001:db8:34::34:1,
+ 2001:db8::/53 . 2001:db8:35::-2001:db8:35::35:1,
+ 2001:db8::/54 . 2001:db8:36::-2001:db8:36::36:1,
+ 2001:db8::/55 . 2001:db8:37::-2001:db8:37::37:1,
+ 2001:db8::/56 . 2001:db8:38::-2001:db8:38::38:1,
+ 2001:db8::/57 . 2001:db8:39::-2001:db8:39::39:1,
+ 2001:db8::/58 . 2001:db8:3a::-2001:db8:3a::3a:1,
+ 2001:db8::/59 . 2001:db8:3b::-2001:db8:3b::3b:1,
+ 2001:db8::/60 . 2001:db8:3c::-2001:db8:3c::3c:1,
+ 2001:db8::/61 . 2001:db8:3d::-2001:db8:3d::3d:1,
+ 2001:db8::/62 . 2001:db8:3e::-2001:db8:3e::3e:1,
+ 2001:db8::/63 . 2001:db8:3f::-2001:db8:3f::3f:1,
+ 2001:db8::/64 . 2001:db8:40::-2001:db8:40::40:1,
+ 2001:db8::/65 . 2001:db8:41::-2001:db8:41::41:1,
+ 2001:db8::/66 . 2001:db8:42::-2001:db8:42::42:1,
+ 2001:db8::/67 . 2001:db8:43::-2001:db8:43::43:1,
+ 2001:db8::/68 . 2001:db8:44::-2001:db8:44::44:1,
+ 2001:db8::/69 . 2001:db8:45::-2001:db8:45::45:1,
+ 2001:db8::/70 . 2001:db8:46::-2001:db8:46::46:1,
+ 2001:db8::/71 . 2001:db8:47::-2001:db8:47::47:1,
+ 2001:db8::/72 . 2001:db8:48::-2001:db8:48::48:1,
+ 2001:db8::/73 . 2001:db8:49::-2001:db8:49::49:1,
+ 2001:db8::/74 . 2001:db8:4a::-2001:db8:4a::4a:1,
+ 2001:db8::/75 . 2001:db8:4b::-2001:db8:4b::4b:1,
+ 2001:db8::/76 . 2001:db8:4c::-2001:db8:4c::4c:1,
+ 2001:db8::/77 . 2001:db8:4d::-2001:db8:4d::4d:1,
+ 2001:db8::/78 . 2001:db8:4e::-2001:db8:4e::4e:1,
+ 2001:db8::/79 . 2001:db8:4f::-2001:db8:4f::4f:1,
+ 2001:db8::/80 . 2001:db8:50::-2001:db8:50::50:1,
+ 2001:db8::/81 . 2001:db8:51::-2001:db8:51::51:1,
+ 2001:db8::/82 . 2001:db8:52::-2001:db8:52::52:1,
+ 2001:db8::/83 . 2001:db8:53::-2001:db8:53::53:1,
+ 2001:db8::/84 . 2001:db8:54::-2001:db8:54::54:1,
+ 2001:db8::/85 . 2001:db8:55::-2001:db8:55::55:1,
+ 2001:db8::/86 . 2001:db8:56::-2001:db8:56::56:1,
+ 2001:db8::/87 . 2001:db8:57::-2001:db8:57::57:1,
+ 2001:db8::/88 . 2001:db8:58::-2001:db8:58::58:1,
+ 2001:db8::/89 . 2001:db8:59::-2001:db8:59::59:1,
+ 2001:db8::/90 . 2001:db8:5a::-2001:db8:5a::5a:1,
+ 2001:db8::/91 . 2001:db8:5b::-2001:db8:5b::5b:1,
+ 2001:db8::/92 . 2001:db8:5c::-2001:db8:5c::5c:1,
+ 2001:db8::/93 . 2001:db8:5d::-2001:db8:5d::5d:1,
+ 2001:db8::/94 . 2001:db8:5e::-2001:db8:5e::5e:1,
+ 2001:db8::/95 . 2001:db8:5f::-2001:db8:5f::5f:1,
+ 2001:db8::/96 . 2001:db8:60::-2001:db8:60::60:1,
+ 2001:db8::/97 . 2001:db8:61::-2001:db8:61::61:1,
+ 2001:db8::/98 . 2001:db8:62::-2001:db8:62::62:1,
+ 2001:db8::/99 . 2001:db8:63::-2001:db8:63::63:1,
+ 2001:db8::/100 . 2001:db8:64::-2001:db8:64::64:1,
+ 2001:db8::/101 . 2001:db8:65::-2001:db8:65::65:1,
+ 2001:db8::/102 . 2001:db8:66::-2001:db8:66::66:1,
+ 2001:db8::/103 . 2001:db8:67::-2001:db8:67::67:1,
+ 2001:db8::/104 . 2001:db8:68::-2001:db8:68::68:1,
+ 2001:db8::/105 . 2001:db8:69::-2001:db8:69::69:1,
+ 2001:db8::/106 . 2001:db8:6a::-2001:db8:6a::6a:1,
+ 2001:db8::/107 . 2001:db8:6b::-2001:db8:6b::6b:1,
+ 2001:db8::/108 . 2001:db8:6c::-2001:db8:6c::6c:1,
+ 2001:db8::/109 . 2001:db8:6d::-2001:db8:6d::6d:1,
+ 2001:db8::/110 . 2001:db8:6e::-2001:db8:6e::6e:1,
+ 2001:db8::/111 . 2001:db8:6f::-2001:db8:6f::6f:1,
+ 2001:db8::/112 . 2001:db8:70::-2001:db8:70::70:1,
+ 2001:db8::/113 . 2001:db8:71::-2001:db8:71::71:1,
+ 2001:db8::/114 . 2001:db8:72::-2001:db8:72::72:1,
+ 2001:db8::/115 . 2001:db8:73::-2001:db8:73::73:1,
+ 2001:db8::/116 . 2001:db8:74::-2001:db8:74::74:1,
+ 2001:db8::/117 . 2001:db8:75::-2001:db8:75::75:1,
+ 2001:db8::/118 . 2001:db8:76::-2001:db8:76::76:1,
+ 2001:db8::/119 . 2001:db8:77::-2001:db8:77::77:1,
+ 2001:db8::/120 . 2001:db8:78::-2001:db8:78::78:1,
+ 2001:db8::/121 . 2001:db8:79::-2001:db8:79::79:1,
+ 2001:db8::/122 . 2001:db8:7a::-2001:db8:7a::7a:1,
+ 2001:db8::/123 . 2001:db8:7b::-2001:db8:7b::7b:1,
+ 2001:db8::/124 . 2001:db8:7c::-2001:db8:7c::7c:1,
+ 2001:db8::/125 . 2001:db8:7d::-2001:db8:7d::7d:1,
+ 2001:db8::/126 . 2001:db8:7e::-2001:db8:7e::7e:1,
+ 2001:db8::/127 . 2001:db8:7f::-2001:db8:7f::7f:1 }
+ }
+}
+table ip t {
+ set s {
+ type ipv4_addr . ipv4_addr
+ flags interval
+ elements = { 192.0.2.0/24 . 192.0.2.72-192.0.2.74,
+ 192.0.2.0/25 . 192.0.2.75-192.0.2.77,
+ 192.0.2.0/26 . 192.0.2.78-192.0.2.80,
+ 192.0.2.0/27 . 192.0.2.81-192.0.2.83,
+ 192.0.2.0/28 . 192.0.2.84-192.0.2.86,
+ 192.0.2.0/29 . 192.0.2.87-192.0.2.89,
+ 192.0.2.0/30 . 192.0.2.90-192.0.2.92,
+ 192.0.2.0/31 . 192.0.2.93-192.0.2.95 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft
new file mode 100644
index 0000000..5b249a3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft
@@ -0,0 +1,106 @@
+table ip t {
+ set s {
+ type inet_service
+ flags interval
+ elements = { 25, 30, 82, 119, 349,
+ 745, 748, 1165, 1233, 1476,
+ 1550, 1562, 1743, 1745, 1882,
+ 2070, 2194, 2238, 2450, 2455,
+ 2642, 2671, 2906, 3093, 3203,
+ 3287, 3348, 3411, 3540, 3892,
+ 3943, 4133, 4205, 4317, 4733,
+ 5095, 5156, 5223, 5230, 5432,
+ 5826, 5828, 6044, 6377, 6388,
+ 6491, 6952, 6986, 7012, 7187,
+ 7300, 7305, 7549, 7664, 8111,
+ 8206, 8396, 8782, 8920, 8981,
+ 9067, 9216, 9245, 9315, 9432,
+ 9587, 9689, 9844, 9991, 10045,
+ 10252, 10328, 10670, 10907, 11021,
+ 11337, 11427, 11497, 11502, 11523,
+ 11552, 11577, 11721, 11943, 12474,
+ 12718, 12764, 12794, 12922, 13186,
+ 13232, 13383, 13431, 13551, 13676,
+ 13685, 13747, 13925, 13935, 14015,
+ 14090, 14320, 14392, 14515, 14647,
+ 14911, 15096, 15105, 15154, 15440,
+ 15583, 15623, 15677, 15710, 15926,
+ 15934, 15960, 16068, 16166, 16486,
+ 16489, 16528, 16646, 16650, 16770,
+ 16882, 17052, 17237, 17387, 17431,
+ 17886, 17939, 17999, 18092, 18123,
+ 18238, 18562, 18698, 19004, 19229,
+ 19237, 19585, 19879, 19938, 19950,
+ 19958, 20031, 20138, 20157, 20205,
+ 20368, 20682, 20687, 20873, 20910,
+ 20919, 21019, 21068, 21115, 21188,
+ 21236, 21319, 21563, 21734, 21806,
+ 21810, 21959, 21982, 22078, 22181,
+ 22308, 22480, 22643, 22854, 22879,
+ 22961, 23397, 23534, 23845, 23893,
+ 24130, 24406, 24794, 24997, 25019,
+ 25143, 25179, 25439, 25603, 25718,
+ 25859, 25949, 26006, 26022, 26047,
+ 26170, 26193, 26725, 26747, 26924,
+ 27023, 27040, 27233, 27344, 27478,
+ 27593, 27600, 27664, 27678, 27818,
+ 27822, 28003, 28038, 28709, 28808,
+ 29010, 29057, 29228, 29485, 30132,
+ 30160, 30415, 30469, 30673, 30736,
+ 30776, 30780, 31450, 31537, 31669,
+ 31839, 31873, 32019, 32229, 32685,
+ 32879, 33318, 33337, 33404, 33517,
+ 33906, 34214, 34346, 34416, 34727,
+ 34848, 35325, 35400, 35451, 35501,
+ 35637, 35653, 35710, 35761, 35767,
+ 36238, 36258, 36279, 36464, 36586,
+ 36603, 36770, 36774, 36805, 36851,
+ 37079, 37189, 37209, 37565, 37570,
+ 37585, 37832, 37931, 37954, 38006,
+ 38015, 38045, 38109, 38114, 38200,
+ 38209, 38214, 38277, 38306, 38402,
+ 38606, 38697, 38960, 39004, 39006,
+ 39197, 39217, 39265, 39319, 39460,
+ 39550, 39615, 39871, 39886, 40088,
+ 40135, 40244, 40323, 40339, 40355,
+ 40385, 40428, 40538, 40791, 40848,
+ 40959, 41003, 41131, 41349, 41643,
+ 41710, 41826, 41904, 42027, 42148,
+ 42235, 42255, 42498, 42680, 42973,
+ 43118, 43135, 43233, 43349, 43411,
+ 43487, 43840, 43843, 43870, 44040,
+ 44204, 44817, 44883, 44894, 44958,
+ 45201, 45259, 45283, 45357, 45423,
+ 45473, 45498, 45519, 45561, 45611,
+ 45627, 45831, 46043, 46105, 46116,
+ 46147, 46169, 46349, 47147, 47252,
+ 47314, 47335, 47360, 47546, 47617,
+ 47648, 47772, 47793, 47846, 47913,
+ 47952, 48095, 48325, 48334, 48412,
+ 48419, 48540, 48569, 48628, 48751,
+ 48944, 48971, 49008, 49025, 49503,
+ 49505, 49613, 49767, 49839, 49925,
+ 50022, 50028, 50238, 51057, 51477,
+ 51617, 51910, 52044, 52482, 52550,
+ 52643, 52832, 53382, 53690, 53809,
+ 53858, 54001, 54198, 54280, 54327,
+ 54376, 54609, 54776, 54983, 54984,
+ 55019, 55038, 55094, 55368, 55737,
+ 55793, 55904, 55941, 55960, 55978,
+ 56063, 56121, 56314, 56505, 56548,
+ 56568, 56696, 56798, 56855, 57102,
+ 57236, 57333, 57334, 57441, 57574,
+ 57659, 57987, 58325, 58404, 58509,
+ 58782, 58876, 59116, 59544, 59685,
+ 59700, 59750, 59799, 59866, 59870,
+ 59894, 59984, 60343, 60481, 60564,
+ 60731, 61075, 61087, 61148, 61174,
+ 61655, 61679, 61691, 61723, 61730,
+ 61758, 61824, 62035, 62056, 62661,
+ 62768, 62946, 63059, 63116, 63338,
+ 63387, 63672, 63719, 63881, 63995,
+ 64197, 64374, 64377, 64472, 64606,
+ 64662, 64777, 64795, 64906, 65049,
+ 65122, 65318 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft
new file mode 100644
index 0000000..e548a17
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft
@@ -0,0 +1,12 @@
+table inet t {
+ set s {
+ type ipv4_addr . inet_service
+ size 65536
+ flags dynamic,timeout
+ elements = { 192.168.7.1 . 22 }
+ }
+
+ chain c {
+ tcp dport 21 add @s { ip saddr . 22 timeout 1m }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.nft b/tests/shell/testcases/sets/dumps/0046netmap_0.nft
new file mode 100644
index 0000000..5ac6b34
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0046netmap_0.nft
@@ -0,0 +1,12 @@
+table ip x {
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.0/24 : 192.168.3.0/24, 10.141.13.0/24 : 192.168.4.0/24 }
+ }
+}
+table ip6 x {
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft
new file mode 100644
index 0000000..9fa9fc7
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft
@@ -0,0 +1,30 @@
+table ip x {
+ map y {
+ type ipv4_addr : interval ipv4_addr
+ flags interval
+ elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31,
+ 10.141.12.0/24 : 192.168.5.10-192.168.5.20 }
+ }
+
+ chain x {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip to ip saddr map @y
+ }
+}
+table inet x {
+ chain x {
+ type nat hook prerouting priority dstnat; policy accept;
+ dnat ip to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 }
+ }
+
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft
new file mode 100644
index 0000000..2145f6b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+ set y {
+ typeof ip saddr
+ counter
+ elements = { 192.168.10.35 counter packets 0 bytes 0, 192.168.10.101 counter packets 0 bytes 0,
+ 192.168.10.135 counter packets 0 bytes 0 }
+ }
+
+ chain z {
+ type filter hook output priority filter; policy accept;
+ ip daddr @y
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
new file mode 100644
index 0000000..998b387
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.nft b/tests/shell/testcases/sets/dumps/0050set_define_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0050set_define_1.nft
diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft
new file mode 100644
index 0000000..fd488a7
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ flags interval
+ counter
+ elements = { 192.168.2.0/24 counter packets 0 bytes 0 }
+ }
+
+ chain y {
+ type filter hook output priority filter; policy accept;
+ ip daddr @s
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0052overlap_0.nft b/tests/shell/testcases/sets/dumps/0052overlap_0.nft
new file mode 100644
index 0000000..1cc02ad
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0052overlap_0.nft
@@ -0,0 +1,8 @@
+table ip filter {
+ set w_all {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ elements = { 10.10.10.10, 10.10.10.253 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft
new file mode 100644
index 0000000..bb7c551
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname "lo" ip saddr 10.0.0.0/8 ip daddr 192.168.100.62 tcp dport 2001 counter packets 0 bytes 0 accept
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0054comments_set_0.nft b/tests/shell/testcases/sets/dumps/0054comments_set_0.nft
new file mode 100644
index 0000000..7929924
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0054comments_set_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ comment "test"
+ }
+
+ map m {
+ type ipv4_addr : ipv4_addr
+ flags interval
+ comment "another test"
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft
new file mode 100644
index 0000000..ffed542
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+ set tcp_good_flags {
+ type tcp_flag
+ flags constant
+ elements = { fin | psh | ack | urg, fin | psh | ack, fin | ack | urg, fin | ack, syn | psh | ack | urg,
+ syn | psh | ack, syn | ack | urg, syn | ack, syn, rst | psh | ack | urg,
+ rst | psh | ack, rst | ack | urg, rst | ack, rst, psh | ack | urg,
+ psh | ack, ack | urg, ack }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft
diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft
new file mode 100644
index 0000000..de43d56
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft
@@ -0,0 +1,7 @@
+table inet filter {
+ set test {
+ type ipv4_addr
+ size 65535
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft
new file mode 100644
index 0000000..873adc6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft
@@ -0,0 +1,12 @@
+table inet filter {
+ set ssh_meter {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ timeout 30d
+ }
+
+ chain test {
+ add @ssh_meter { ip saddr timeout 30d }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
new file mode 100644
index 0000000..c1cc3b5
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ timeout 1h
+ }
+
+ chain z {
+ type filter hook output priority filter; policy accept;
+ update @y { ip daddr limit rate 1/second burst 5 packets counter }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
new file mode 100644
index 0000000..df68fcd
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ limit rate 1/second burst 5 packets counter
+ elements = { 1.1.1.1 limit rate 1/second burst 5 packets counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second burst 5 packets counter packets 0 bytes 0,
+ 5.5.5.5 limit rate 1/second burst 5 packets counter packets 0 bytes 0 }
+ }
+
+ chain y {
+ type filter hook output priority filter; policy accept;
+ ip daddr @y
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft
new file mode 100644
index 0000000..ac1bd26
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft
@@ -0,0 +1,15 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter quota 500 bytes
+ elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes,
+ 2.2.2.2 counter packets 0 bytes 0 quota 1000 bytes }
+ }
+
+ chain y {
+ type filter hook output priority filter; policy accept;
+ update @y { ip daddr }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft
new file mode 100644
index 0000000..04361f4
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ chain y {
+ ip saddr { 1.1.1.1-1.1.1.2 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft
new file mode 100644
index 0000000..080d675
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft
@@ -0,0 +1,16 @@
+table ip x {
+ set est-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ elements = { 84.245.120.167 ct count over 20 }
+ }
+
+ set new-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ ct count over 20
+ elements = { 84.245.120.167 ct count over 20 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft
new file mode 100644
index 0000000..f0d42cc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft
@@ -0,0 +1,14 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ counter
+ elements = { 1.1.1.1 counter packets 0 bytes 0, * counter packets 0 bytes 0 }
+ }
+
+ set z {
+ type ipv4_addr
+ flags interval
+ counter
+ elements = { 1.1.1.0/24 counter packets 0 bytes 0, * counter packets 0 bytes 0 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft
new file mode 100644
index 0000000..890ed2a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft
@@ -0,0 +1,18 @@
+table ip x {
+ map y {
+ type ipv4_addr : ipv4_addr
+ elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.4 }
+ }
+
+ map z {
+ type ipv4_addr : ipv4_addr
+ flags interval
+ elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }
+ }
+
+ chain y {
+ snat to ip saddr map @z
+ snat to ip saddr map { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }
+ snat to ip saddr . ip daddr map { 10.141.0.0/24 . 10.0.0.0/8 : 192.168.0.2, 192.168.9.0/24 . 192.168.10.0/24 : 192.168.0.4, * : 192.168.0.3 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft
new file mode 100644
index 0000000..461c7a7
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft
@@ -0,0 +1,6 @@
+table ip x {
+ chain foo {
+ accept
+ icmp type { echo-reply, echo-request } icmp id 42
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
new file mode 100644
index 0000000..0215691
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
@@ -0,0 +1,42 @@
+table ip nat {
+ map ipportmap {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+ }
+
+ map ipportmap2 {
+ type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.0/8 . 42-43 }
+ }
+
+ map fwdtoip_th {
+ type ipv4_addr . inet_service : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
+ }
+
+ map ipportmap4 {
+ typeof iifname . ip saddr : interval ip daddr
+ flags interval
+ elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69/32,
+ "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+
+ map ipportmap5 {
+ typeof iifname . ip saddr : interval ip daddr . tcp dport
+ flags interval
+ elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22,
+ "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr map @ipportmap
+ ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+ meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th
+ dnat ip to iifname . ip saddr map @ipportmap4
+ meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft
new file mode 100644
index 0000000..2d4e170
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft
@@ -0,0 +1,9 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6,
+ 4.4.4.0-4.4.5.0 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
new file mode 100644
index 0000000..0057e9c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
@@ -0,0 +1,28 @@
+table netdev nt {
+ set vlanidset {
+ typeof vlan id
+ size 1024
+ flags dynamic,timeout
+ }
+
+ set macset {
+ typeof ether saddr . vlan id
+ size 1024
+ flags dynamic,timeout
+ }
+
+ set ipset {
+ typeof vlan id . ip saddr
+ size 1024
+ flags dynamic,timeout
+ }
+
+ chain nc {
+ update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0
+ ether saddr . vlan id @macset
+ vlan pcp 1
+ ether saddr 0a:0b:0c:0d:0e:0f vlan id 42
+ update @vlanidset { vlan id timeout 5s } counter packets 0 bytes 0
+ update @ipset { vlan id . ip saddr timeout 5s } counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft
new file mode 100644
index 0000000..4eed94c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft
@@ -0,0 +1,19 @@
+table inet t {
+ set s1 {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.0/8, 192.0.0.0/2 }
+ }
+
+ set s2 {
+ type ipv6_addr
+ flags interval
+ elements = { fe80::/10,
+ ff00::/8 }
+ }
+
+ chain c {
+ ip saddr @s1 accept
+ ip6 daddr @s2 accept
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.nft b/tests/shell/testcases/sets/dumps/0072destroy_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0072destroy_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft
new file mode 100644
index 0000000..20f5374
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft
@@ -0,0 +1,11 @@
+table inet filter {
+ counter TEST {
+ packets 0 bytes 0
+ }
+
+ map testmap {
+ type ipv4_addr : counter
+ flags interval
+ elements = { 192.168.0.0/24 : "TEST" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft
new file mode 100644
index 0000000..20f5374
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft
@@ -0,0 +1,11 @@
+table inet filter {
+ counter TEST {
+ packets 0 bytes 0
+ }
+
+ map testmap {
+ type ipv4_addr : counter
+ flags interval
+ elements = { 192.168.0.0/24 : "TEST" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/automerge_0.nodump b/tests/shell/testcases/sets/dumps/automerge_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/automerge_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
new file mode 100644
index 0000000..a3244fc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
@@ -0,0 +1,12 @@
+table ip a {
+ set x {
+ type inet_service
+ elements = { 1, 2 }
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service
+ elements = { 2 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.nft b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
new file mode 100644
index 0000000..61547c5
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
@@ -0,0 +1,14 @@
+table ip t {
+ set s {
+ type ipv4_addr . inet_proto . inet_service
+ flags interval
+ counter
+ }
+
+ set s2 {
+ type ipv4_addr . mark
+ flags interval
+ elements = { 10.10.10.10 . 0x00000100,
+ 20.20.20.20 . 0x00000200 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.nft b/tests/shell/testcases/sets/dumps/dynset_missing.nft
new file mode 100644
index 0000000..6c8ed32
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/dynset_missing.nft
@@ -0,0 +1,12 @@
+table ip test {
+ set dlist {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ udp dport 1234 update @dlist { ip daddr } counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/errors_0.nft b/tests/shell/testcases/sets/dumps/errors_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/errors_0.nft
diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft
new file mode 100644
index 0000000..c903e3f
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 1.0.1.0/24, 1.0.2.0/23,
+ 1.0.8.0/21, 1.0.32.0/19,
+ 1.1.0.0/24, 1.1.2.0/23,
+ 1.1.4.0/22, 1.1.8.0/24,
+ 1.1.9.0/24, 1.1.10.0/23,
+ 1.1.12.0/22, 1.1.16.0/20,
+ 1.1.32.0/19 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/inner_0.nft b/tests/shell/testcases/sets/dumps/inner_0.nft
new file mode 100644
index 0000000..925ca77
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/inner_0.nft
@@ -0,0 +1,18 @@
+table netdev x {
+ set x {
+ typeof vxlan ip saddr . vxlan ip daddr
+ elements = { 3.3.3.3 . 4.4.4.4 }
+ }
+
+ set y {
+ typeof vxlan ip saddr
+ size 65535
+ flags dynamic
+ }
+
+ chain y {
+ udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter packets 0 bytes 0
+ udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter packets 0 bytes 0
+ udp dport 4789 update @y { vxlan ip saddr }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/reset_command_0.nodump b/tests/shell/testcases/sets/dumps/reset_command_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/reset_command_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.nft b/tests/shell/testcases/sets/dumps/set_eval_0.nft
new file mode 100644
index 0000000..a45462b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/set_eval_0.nft
@@ -0,0 +1,11 @@
+table ip nat {
+ set set_with_interval {
+ type ipv4_addr
+ flags interval
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft
new file mode 100644
index 0000000..77a8baf
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft
@@ -0,0 +1,62 @@
+table inet testifsets {
+ set simple {
+ type ifname
+ elements = { "abcdef0",
+ "abcdef1",
+ "othername" }
+ }
+
+ set simple_wild {
+ type ifname
+ flags interval
+ elements = { "abcdef*",
+ "othername",
+ "ppp0" }
+ }
+
+ set concat {
+ type ipv4_addr . ifname
+ elements = { 10.1.2.2 . "abcdef0",
+ 10.1.2.2 . "abcdef1" }
+ }
+
+ set concat_wild {
+ type ipv4_addr . ifname
+ flags interval
+ elements = { 10.1.2.2 . "abcdef*",
+ 10.1.2.1 . "bar",
+ 1.1.2.0/24 . "abcdef0",
+ 12.2.2.0/24 . "abcdef*" }
+ }
+
+ map map_wild {
+ type ifname : verdict
+ flags interval
+ elements = { "abcdef*" : jump do_nothing,
+ "eth0" : jump do_nothing }
+ }
+
+ chain v4icmp {
+ iifname @simple counter packets 0 bytes 0
+ iifname @simple_wild counter packets 0 bytes 0
+ iifname { "eth0", "abcdef0" } counter packets 0 bytes 0
+ iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
+ iifname vmap @map_wild
+ }
+
+ chain v4icmpc {
+ ip saddr . iifname @concat counter packets 0 bytes 0
+ ip saddr . iifname @concat_wild counter packets 0 bytes 0
+ ip saddr . iifname { 10.1.2.2 . "abcdef0" } counter packets 0 bytes 0
+ ip saddr . iifname { 10.1.2.2 . "abcdef*" } counter packets 0 bytes 0
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ ip protocol icmp jump v4icmp
+ ip protocol icmp goto v4icmpc
+ }
+
+ chain do_nothing {
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.nft b/tests/shell/testcases/sets/dumps/type_set_symbol.nft
new file mode 100644
index 0000000..21209f6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/type_set_symbol.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set s1 {
+ type ipv4_addr . ipv4_addr . inet_service
+ size 65535
+ flags dynamic,timeout
+ timeout 3h
+ }
+
+ chain c1 {
+ update @s1 { ip saddr . 10.180.0.4 . 80 }
+ }
+
+ chain c2 {
+ ip saddr . 1.2.3.4 . 80 @s1 goto c1
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
new file mode 100644
index 0000000..4d6abaa
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
@@ -0,0 +1,12 @@
+table inet t {
+ set y {
+ typeof ip daddr . @ih,32,32
+ elements = { 1.1.1.1 . 0x14,
+ 2.2.2.2 . 0x20 }
+ }
+
+ chain y {
+ ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+ ip daddr . @nh,32,32 @y
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
new file mode 100644
index 0000000..6f5b83a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
@@ -0,0 +1,97 @@
+table inet t {
+ set s1 {
+ typeof osf name
+ elements = { "Linux" }
+ }
+
+ set s2 {
+ typeof vlan id
+ elements = { 2, 3, 103 }
+ }
+
+ set s3 {
+ typeof meta ibrpvid
+ elements = { 2, 3, 103 }
+ }
+
+ set s4 {
+ typeof frag frag-off
+ elements = { 1, 1024 }
+ }
+
+ set s5 {
+ typeof ip option ra value
+ elements = { 1, 1024 }
+ }
+
+ set s6 {
+ typeof tcp option maxseg size
+ elements = { 1, 1024 }
+ }
+
+ set s7 {
+ typeof sctp chunk init num-inbound-streams
+ elements = { 1, 4 }
+ }
+
+ set s8 {
+ typeof ip version
+ elements = { 4, 6 }
+ }
+
+ set s9 {
+ typeof ip hdrlength
+ elements = { 0, 1, 2, 3, 4,
+ 15 }
+ }
+
+ set s10 {
+ typeof iifname . ip saddr . ipsec in reqid
+ elements = { "eth0" . 10.1.1.2 . 42 }
+ }
+
+ set s11 {
+ typeof vlan id . ip saddr
+ elements = { 3567 . 1.2.3.4 }
+ }
+
+ chain c1 {
+ osf name @s1 accept
+ }
+
+ chain c2 {
+ vlan id @s2 accept
+ }
+
+ chain c4 {
+ frag frag-off @s4 accept
+ }
+
+ chain c5 {
+ ip option ra value @s5 accept
+ }
+
+ chain c6 {
+ tcp option maxseg size @s6 accept
+ }
+
+ chain c7 {
+ sctp chunk init num-inbound-streams @s7 accept
+ }
+
+ chain c8 {
+ ip version @s8 accept
+ }
+
+ chain c9 {
+ ip hdrlength @s9 accept
+ }
+
+ chain c10 {
+ iifname . ip saddr . ipsec in reqid @s10 accept
+ }
+
+ chain c11 {
+ vlan id . ip saddr @s11 accept
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft
new file mode 100644
index 0000000..89cbc83
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft
@@ -0,0 +1,15 @@
+table bridge t {
+ set nodhcpvlan {
+ typeof vlan id
+ elements = { 1 }
+ }
+
+ chain c1 {
+ vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2
+ vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2
+ vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2
+ }
+
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
new file mode 100644
index 0000000..dbaf7cd
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
@@ -0,0 +1,12 @@
+table netdev t {
+ set s {
+ typeof ether saddr . vlan id
+ size 2048
+ flags dynamic,timeout
+ }
+
+ chain c {
+ ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return
+ ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return
+ }
+}
diff --git a/tests/shell/testcases/sets/dynset_missing b/tests/shell/testcases/sets/dynset_missing
new file mode 100755
index 0000000..fdf5f49
--- /dev/null
+++ b/tests/shell/testcases/sets/dynset_missing
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f /dev/stdin <<EOF
+table ip test {
+ chain output { type filter hook output priority 0;
+ }
+}
+EOF
+
+# misses 'flags dynamic'
+$NFT 'add set ip test dlist {type ipv4_addr; }'
+
+# picks rhash backend because 'size' was also missing.
+$NFT 'add rule ip test output udp dport 1234 update @dlist { ip daddr } counter'
+
+tmpfile=$(mktemp)
+
+trap "rm -rf $tmpfile" EXIT
+
+# kernel has forced an 64k upper size, i.e. this restore file
+# has 'size 65536' but no 'flags dynamic'.
+$NFT list ruleset > $tmpfile
+
+# this restore works, because set is still the rhash backend.
+$NFT -f $tmpfile # success
+$NFT flush ruleset
+
+# fails without commit 'attempt to set_eval flag if dynamic updates requested',
+# because set in $tmpfile has 'size x' but no 'flags dynamic'.
+$NFT -f $tmpfile
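Review bot: The cleanup trap and the uses of the temp file expand `$tmpfile` unquoted, and the trap string is expanded when the trap is set, so a `TMPDIR` containing whitespace or glob characters would make `rm -rf` act on split words. I would write `trap 'rm -f -- "$tmpfile"' EXIT`, and quote the path in `$NFT list ruleset > "$tmpfile"` and both `$NFT -f "$tmpfile"` calls. Separately, the comment says the restore file has 'size 65536', while the recorded dump for this test shows `size 65535`; the comment should probably be aligned with the value the kernel reports.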
diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
new file mode 100755
index 0000000..27f65df
--- /dev/null
+++ b/tests/shell/testcases/sets/errors_0
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+RULESET="table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ }
+}
+
+delete element ip x y { 2.3.4.5 }"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+RULESET="table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ }
+}
+
+add element x y { 1.1.1.1/24 }
+delete element x y { 1.1.1.1/24 }
+add element x y { 1.1.1.1/24 }
+delete element x y { 2.2.2.2/24 }"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+RULESET="flush ruleset
+create table inet filter
+set inet filter foo {}
+add element inet filter foo { foobar }"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+RULESET="table ip x {
+ map x {
+ type ifname . ipv4_addr : verdict
+ elements = { if2 . 10.0.0.2 : jump chain2,
+ if2 . 192.168.0.0/24 : jump chain2 }
+ }
+
+ chain chain2 {}
+}"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+RULESET="add set inet filter myset { type ipv4_addr; flags interval; auto-merge }
+add element inet filter myset { 192.168.0.0/24 }
+add element inet filter myset { 192.168.0.2 }
+add element inet filter myset { 192.168.1.0/24 }
+add element inet filter myset { 192.168.1.100 }"
+
+$NFT -f - <<< $RULESET || exit 0
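Review bot: The final case, `$NFT -f - <<< $RULESET || exit 0`, cannot fail the script: a failing nft exits 0 explicitly, and a succeeding nft leaves 0 as the script's last status. If the ruleset is expected to be rejected like the four cases above it, use the same form, `$NFT -f - <<< "$RULESET" && exit 1`, followed by `exit 0`. If the intent is only that nft must not crash, a comment saying so would help, e.g. `# either outcome is fine, nft must not crash`. The here-strings in this file also pass `$RULESET` unquoted; quoting it as `"$RULESET"` keeps the newlines intact on older bash versions.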
diff --git a/tests/shell/testcases/sets/exact_overlap_0 b/tests/shell/testcases/sets/exact_overlap_0
new file mode 100755
index 0000000..1ce9304
--- /dev/null
+++ b/tests/shell/testcases/sets/exact_overlap_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+RULESET="add table t
+add set t s { type ipv4_addr; flags interval; }
+add element t s { 1.0.1.0/24 }
+add element t s { 1.0.2.0/23 }
+add element t s { 1.0.8.0/21 }
+add element t s { 1.0.32.0/19 }
+add element t s { 1.1.0.0/24 }
+add element t s { 1.1.2.0/23 }
+add element t s { 1.1.4.0/22 }
+add element t s { 1.1.8.0/24 }
+add element t s { 1.1.9.0/24 }
+add element t s { 1.1.10.0/23 }
+add element t s { 1.1.12.0/22 }
+add element t s { 1.1.16.0/20 }
+add element t s { 1.1.32.0/19 }
+add element t s { 1.0.1.0/24 }"
+
+$NFT -f - <<< $RULESET || exit 1
+
+$NFT add element t s { 1.0.1.0/24 }
diff --git a/tests/shell/testcases/sets/inner_0 b/tests/shell/testcases/sets/inner_0
new file mode 100755
index 0000000..39d91bd
--- /dev/null
+++ b/tests/shell/testcases/sets/inner_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inner_matching)
+
+set -e
+
+RULESET="table netdev x {
+ set x {
+ typeof vxlan ip saddr . vxlan ip daddr
+ elements = {
+ 3.3.3.3 . 4.4.4.4,
+ }
+ }
+
+ set y {
+ typeof vxlan ip saddr
+ flags dynamic
+ }
+
+ chain y {
+ udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter
+ udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter
+ udp dport 4789 update @y { vxlan ip saddr }
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0
new file mode 100755
index 0000000..e663dac
--- /dev/null
+++ b/tests/shell/testcases/sets/reset_command_0
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_set)
+
+set -e
+
+trap '[[ $? -eq 0 ]] || echo FAIL' EXIT
+
+RULESET="table t {
+ set s {
+ type ipv4_addr . inet_proto . inet_service
+ flags interval, timeout
+ counter
+ timeout 30m
+ elements = {
+ 1.0.0.1 . udp . 53 counter packets 5 bytes 30 expires 20m,
+ 2.0.0.2 . tcp . 22 counter packets 10 bytes 100 timeout 15m expires 10m
+ }
+ }
+ map m {
+ type ipv4_addr : ipv4_addr
+ quota 50 bytes
+ elements = {
+ 1.2.3.4 quota 50 bytes used 10 bytes : 10.2.3.4,
+ 5.6.7.8 quota 100 bytes used 50 bytes : 50.6.7.8
+ }
+ }
+}"
+
+echo -n "applying test ruleset: "
+$NFT -f - <<< "$RULESET"
+echo OK
+
+drop_seconds() {
+ sed 's/[0-9]\+m\?s//g'
+}
+expires_minutes() {
+ sed -n 's/.*expires \([0-9]*\)m.*/\1/p'
+}
+
+echo -n "get set elem matches reset set elem: "
+elem='element t s { 1.0.0.1 . udp . 53 }'
+[[ $($NFT "get $elem ; reset $elem" | \
+ grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]]
+echo OK
+
+echo -n "counters and expiry are reset: "
+NEW=$($NFT "get $elem")
+grep -q 'counter packets 0 bytes 0' <<< "$NEW"
+[[ $(expires_minutes <<< "$NEW") -gt 20 ]]
+echo OK
+
+echo -n "get map elem matches reset map elem: "
+elem='element t m { 1.2.3.4 }'
+[[ $($NFT "get $elem ; reset $elem" | \
+ grep 'elements = ' | uniq | wc -l) == 1 ]]
+echo OK
+
+echo -n "quota value is reset: "
+$NFT get element t m '{ 1.2.3.4 }' | grep -q 'quota 50 bytes : 10.2.3.4'
+echo OK
+
+echo -n "other elements remain the same: "
+OUT=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }')
+grep -q 'counter packets 10 bytes 100 timeout 15m' <<< "$OUT"
+VAL=$(expires_minutes <<< "$OUT")
+[[ $val -lt 10 ]]
+$NFT get element t m '{ 5.6.7.8 }' | grep -q 'quota 100 bytes used 50 bytes'
+echo OK
+
+echo -n "list set matches reset set: "
+EXP=$($NFT list set t s | drop_seconds)
+OUT=$($NFT reset set t s | drop_seconds)
+$DIFF -u <(echo "$EXP") <(echo "$OUT")
+echo OK
+
+echo -n "list map matches reset map: "
+EXP=$($NFT list map t m)
+OUT=$($NFT reset map t m)
+$DIFF -u <(echo "$EXP") <(echo "$OUT")
+echo OK
+
+echo -n "reset command respects per-element timeout: "
+VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes)
+[[ $VAL -lt 15 ]] # custom timeout applies
+[[ $VAL -gt 10 ]] # expires was reset
+echo OK
+
+echo -n "remaining elements are reset: "
+OUT=$($NFT list ruleset)
+grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT"
+grep -q '5.6.7.8 quota 100 bytes : 50.6.7.8' <<< "$OUT"
+echo OK
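Review bot: In the "other elements remain the same" step the expiry is stored in `VAL`, but the next line tests `$val`, which is never assigned. Inside `[[ ]]` an empty operand to `-lt` evaluates as 0, so `[[ $val -lt 10 ]]` is always true and the expiry of the untouched element is never checked. The line should read `[[ $VAL -lt 10 ]]`. Since every assertion in this script relies on `set -e`, a vacuous test like this one passes silently.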
diff --git a/tests/shell/testcases/sets/set_eval_0 b/tests/shell/testcases/sets/set_eval_0
new file mode 100755
index 0000000..82b6d3b
--- /dev/null
+++ b/tests/shell/testcases/sets/set_eval_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip nat {
+ set set_with_interval {
+ type ipv4_addr
+ flags interval
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/sets_with_ifnames b/tests/shell/testcases/sets/sets_with_ifnames
new file mode 100755
index 0000000..9531c85
--- /dev/null
+++ b/tests/shell/testcases/sets/sets_with_ifnames
@@ -0,0 +1,150 @@
+#!/bin/bash
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+[ -z "$NFT" ] && exit 111
+
+$NFT -f "$dumpfile" || exit 1
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+# check a given element is (not) present in the set.
+lookup_elem()
+{
+ local setname=$1
+ local value=$2
+ local fail=$3
+ local expect_result=$4
+ local msg=$5
+
+ result=$(ip netns exec "$ns1" $NFT get element inet testifsets $setname { "$value" } 2>/dev/null | grep "$expect_result" )
+
+ if [ -z "$result" ] && [ $fail -ne 1 ] ; then
+ echo "empty result, expected $expect_result $msg"
+ ip netns exec "$ns1" $NFT get element inet testifsets $setname { "$value" }
+ exit 1
+ fi
+}
+
+check_elem_get()
+{
+ local setname=$1
+ local value=$2
+ local fail=$3
+ local expect_result=$4
+
+ # when query is 'abcde', and set has 'abc*', result is
+ # 'abc*', not 'abcde', so returned element can be different.
+ if [ -z "$expect_result" ]; then
+ expect_result=$ifname
+ fi
+
+ lookup_elem "$setname" "$value" "$fail" "$expect_result" ""
+}
+
+# same, but also delete and re-add the element.
+check_elem()
+{
+ local setname=$1
+ local value=$2
+
+ lookup_elem "$setname" "$value" "0" "$value" "initial check"
+
+ ip netns exec "$ns1" $NFT delete element inet testifsets $setname { "$value" }
+ if [ $? -ne 0 ]; then
+ ip netns exec "$ns1" $NFT list ruleset
+ echo "delete element $setname { $value } failed"
+ exit 1
+ fi
+
+ ip netns exec "$ns1" $NFT add element inet testifsets $setname { "$value" }
+
+ lookup_elem "$setname" "$value" "0" "$value" "check after add/del"
+}
+
+# send pings, check all rules with sets that contain abcdef1 match.
+# there are 4 rules in this chain, 4 should match.
+check_matching_icmp_ppp()
+{
+ pkt=$((RANDOM%10))
+ pkt=$((pkt+1))
+ ip netns exec "$ns1" ping -f -c $pkt 10.1.2.2
+
+ # replies should arrive via 'abcdeg', so, should NOT increment any counters.
+ ip netns exec "$ns1" ping -f -c 100 10.2.2.2
+
+ matches=$(ip netns exec "$ns1" $NFT list chain inet testifsets v4icmp | grep "counter packets $pkt " | wc -l)
+ want=3
+
+ if [ "$matches" -ne $want ] ;then
+ ip netns exec "$ns1" $NFT list ruleset
+ echo "Expected $want matching rules, got $matches, packets $pkt in v4icmp"
+ exit 1
+ fi
+
+ # same, for concat set type.
+
+ matches=$(ip netns exec "$ns1" $NFT list chain inet testifsets v4icmpc | grep "counter packets $pkt " | wc -l)
+
+ if [ "$matches" -ne $want ] ;then
+ ip netns exec "$ns1" $NFT list ruleset
+ echo "Expected $want matching rules, got $matches, packets $pkt in v4icmpc"
+ exit 1
+ fi
+}
+
+ip netns add "$ns1" || exit 111
+ip netns add "$ns2" || exit 111
+ip netns exec "$ns1" $NFT -f "$dumpfile" || exit 3
+
+for n in abcdef0 abcdef1 othername;do
+ check_elem simple $n
+done
+
+check_elem_get simple foo 1
+
+for n in ppp0 othername;do
+ check_elem simple_wild $n
+done
+
+check_elem_get simple_wild enoent 1
+check_elem simple_wild ppp0
+check_elem_get simple_wild abcdefghijk 0 'abcdef\*'
+
+check_elem_get concat '1.2.3.4 . "enoent"' 1
+check_elem_get concat '10.1.2.2 . "abcdef"' 1
+check_elem_get concat '10.1.2.1 . "abcdef1"' 1
+
+check_elem concat '10.1.2.2 . "abcdef0"'
+check_elem concat '10.1.2.2 . "abcdef1"'
+
+set -e
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+ip netns exec "$ns1" ping -f -c 10 127.0.0.1
+
+ip link add abcdef1 netns $ns1 type veth peer name veth0 netns $ns2
+ip link add abcdeg netns $ns1 type veth peer name veth1 netns $ns2
+
+ip -net "$ns1" link set abcdef1 up
+ip -net "$ns2" link set veth0 up
+ip -net "$ns1" link set abcdeg up
+ip -net "$ns2" link set veth1 up
+
+ip -net "$ns1" addr add 10.1.2.1/24 dev abcdef1
+ip -net "$ns1" addr add 10.2.2.1/24 dev abcdeg
+
+ip -net "$ns2" addr add 10.1.2.2/24 dev veth0
+ip -net "$ns2" addr add 10.2.2.2/24 dev veth1
+
+check_matching_icmp_ppp
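Review bot: The negative lookups (`check_elem_get simple foo 1` and the other calls with `fail` set to 1) assert nothing, because `lookup_elem` only exits when the result is empty and `fail` is not 1. An element that is wrongly present is therefore never reported. `check_elem_get` also defaults `expect_result` to `$ifname`, which is never assigned in this script; `$value` was presumably meant, and with the empty default `grep ""` matches any output line. I would add the inverse branch shown below, to be confirmed against a test run. The comment above `check_matching_icmp_ppp` also says 4 rules should match while the code uses `want=3`.

```shell
lookup_elem()
{
	# … unchanged: locals and the "get element | grep" lookup …

	if [ -n "$result" ] && [ "$fail" -eq 1 ] ; then
		echo "unexpected result for $value in $setname, expected no match $msg"
		exit 1
	fi
	# … unchanged: existing empty-result check …
}
```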
diff --git a/tests/shell/testcases/sets/type_set_symbol b/tests/shell/testcases/sets/type_set_symbol
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/type_set_symbol
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/typeof_raw_0 b/tests/shell/testcases/sets/typeof_raw_0
new file mode 100755
index 0000000..66042eb
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_raw_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+EXPECTED="table inet t {
+ set y {
+ typeof ip daddr . @ih,32,32
+ elements = { 1.1.1.1 . 0x14, 2.2.2.2 . 0x20}
+ }
+
+ chain y {
+ ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+ ip daddr . @nh,32,32 @y
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+
diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0
new file mode 100755
index 0000000..35c572c
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_0
@@ -0,0 +1,226 @@
+#!/bin/bash
+
+# support for strings/typeof in named sets.
+# s1 and s2 are identical, they just use different
+# ways for declaration.
+
+set -e
+
+die() {
+ printf '%s\n' "$*"
+ exit 1
+}
+
+INPUT_OSF_SET="
+ set s1 {
+ typeof osf name
+ elements = { \"Linux\" }
+ }
+"
+INPUT_OSF_CHAIN="
+ chain c1 {
+ osf name @s1 accept
+ }
+"
+
+INPUT_SCTP_CHAIN="
+ chain c7 {
+ sctp chunk init num-inbound-streams @s7 accept
+ }
+"
+
+if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then
+ INPUT_SCTP_CHAIN=
+fi
+
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+ if [ "$((RANDOM % 2))" -eq 1 ] ; then
+ # Regardless of $NFT_TEST_HAVE_osf, we can define the set.
+ # Randomly do so.
+ INPUT_OSF_SET=
+ fi
+ INPUT_OSF_CHAIN=
+fi
+
+INPUT="table inet t {$INPUT_OSF_SET
+ set s2 {
+ typeof vlan id
+ elements = { 2, 3, 103 }
+ }
+
+ set s3 {
+ typeof meta ibrpvid
+ elements = { 2, 3, 103 }
+ }
+
+ set s4 {
+ typeof frag frag-off
+ elements = { 1, 1024 }
+ }
+
+ set s5 {
+ typeof ip option ra value
+ elements = { 1, 1024 }
+ }
+
+ set s6 {
+ typeof tcp option maxseg size
+ elements = { 1, 1024 }
+ }
+
+ set s7 {
+ typeof sctp chunk init num-inbound-streams
+ elements = { 1, 4 }
+ }
+
+ set s8 {
+ typeof ip version
+ elements = { 4, 6 }
+ }
+
+ set s9 {
+ typeof ip hdrlength
+ elements = { 0, 1, 2, 3, 4, 15 }
+ }
+
+ set s10 {
+ typeof meta iifname . ip saddr . ipsec in reqid
+ elements = { \"eth0\" . 10.1.1.2 . 42 }
+ }
+
+ set s11 {
+ typeof vlan id . ip saddr
+ elements = { 3567 . 1.2.3.4 }
+ }
+$INPUT_OSF_CHAIN
+ chain c2 {
+ ether type vlan vlan id @s2 accept
+ }
+
+ chain c4 {
+ frag frag-off @s4 accept
+ }
+
+ chain c5 {
+ ip option ra value @s5 accept
+ }
+
+ chain c6 {
+ tcp option maxseg size @s6 accept
+ }
+$INPUT_SCTP_CHAIN
+ chain c8 {
+ ip version @s8 accept
+ }
+
+ chain c9 {
+ ip hdrlength @s9 accept
+ }
+
+ chain c10 {
+ meta iifname . ip saddr . ipsec in reqid @s10 accept
+ }
+
+ chain c11 {
+ ether type vlan vlan id . ip saddr @s11 accept
+ }
+}"
+
+EXPECTED="table inet t {$INPUT_OSF_SET
+ set s2 {
+ typeof vlan id
+ elements = { 2, 3, 103 }
+ }
+
+ set s3 {
+ typeof meta ibrpvid
+ elements = { 2, 3, 103 }
+ }
+
+ set s4 {
+ typeof frag frag-off
+ elements = { 1, 1024 }
+ }
+
+ set s5 {
+ typeof ip option ra value
+ elements = { 1, 1024 }
+ }
+
+ set s6 {
+ typeof tcp option maxseg size
+ elements = { 1, 1024 }
+ }
+
+ set s7 {
+ typeof sctp chunk init num-inbound-streams
+ elements = { 1, 4 }
+ }
+
+ set s8 {
+ typeof ip version
+ elements = { 4, 6 }
+ }
+
+ set s9 {
+ typeof ip hdrlength
+ elements = { 0, 1, 2, 3, 4,
+ 15 }
+ }
+
+ set s10 {
+ typeof iifname . ip saddr . ipsec in reqid
+ elements = { \"eth0\" . 10.1.1.2 . 42 }
+ }
+
+ set s11 {
+ typeof vlan id . ip saddr
+ elements = { 3567 . 1.2.3.4 }
+ }
+$INPUT_OSF_CHAIN
+ chain c2 {
+ vlan id @s2 accept
+ }
+
+ chain c4 {
+ frag frag-off @s4 accept
+ }
+
+ chain c5 {
+ ip option ra value @s5 accept
+ }
+
+ chain c6 {
+ tcp option maxseg size @s6 accept
+ }
+$INPUT_SCTP_CHAIN
+ chain c8 {
+ ip version @s8 accept
+ }
+
+ chain c9 {
+ ip hdrlength @s9 accept
+ }
+
+ chain c10 {
+ iifname . ip saddr . ipsec in reqid @s10 accept
+ }
+
+ chain c11 {
+ vlan id . ip saddr @s11 accept
+ }
+}"
+
+
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
+
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+ echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+ exit 77
+fi
+if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then
+ echo "Partial test due to NFT_TEST_HAVE_sctp_chunks=n. Skip"
+ exit 77
+fi
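Review bot: The header comment says "s1 and s2 are identical, they just use different ways for declaration", but in this file s1 is `typeof osf name` and s2 is `typeof vlan id`, so the comment is stale. Something like `# typeof-declared named sets covering string, integer and concatenated key types` matches what the script defines. When `NFT_TEST_HAVE_osf=n`, the `$((RANDOM % 2))` branch decides whether set s1 is loaded, and nothing records which variant ran; an `echo` naming the chosen branch would make a failure reproducible. `die` prints to stdout; `printf '%s\n' "$*" >&2` keeps diagnostics apart from any captured output.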
diff --git a/tests/shell/testcases/sets/typeof_sets_1 b/tests/shell/testcases/sets/typeof_sets_1
new file mode 100755
index 0000000..e520270
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_1
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# regression test for corner case in netlink_delinearize
+
+EXPECTED="table bridge t {
+ set nodhcpvlan {
+ typeof vlan id
+ elements = { 1 }
+ }
+
+ chain c1 {
+ vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2
+ vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2
+ vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2
+ }
+
+ chain c2 {
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
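Review bot: `$EXPECTED` is expanded unquoted in the here-string on the last line, while the neighbouring tests pass their ruleset quoted (`<<< "$INPUT"`, `<<< "$RULESET"`). Older bash releases word-split an unquoted here-string and rejoin it with single spaces, which would collapse the newlines that separate the three rules in chain `c1` and change what nft parses. Write it as `$NFT -f - <<< "$EXPECTED"` so the input is byte-for-byte the ruleset defined above, regardless of bash version.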
diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_concat
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
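Review bot: `$0` is unquoted inside both command substitutions on the `dumpfile=` line, so a checkout path containing whitespace or glob characters splits into several arguments for `dirname`/`basename` and yields a wrong dump path. Quote the inner expansions and the result: `dumpfile="$(dirname "$0")/dumps/$(basename "$0").nft"`. The later `$NFT -f "$dumpfile"` is already quoted, so this is the only place that needs it.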
diff --git a/tests/shell/testcases/transactions/0001table_0 b/tests/shell/testcases/transactions/0001table_0
new file mode 100755
index 0000000..9929824
--- /dev/null
+++ b/tests/shell/testcases/transactions/0001table_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+delete table x
+add table x
+add table y"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
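Review bot: The body of `if [ $? -ne 0 ]` after `$NFT -f - <<< "$RULESET"` is unreachable, because `set -e` at the top ends the script as soon as that command returns non-zero, so the "E: unable to load good ruleset" diagnostic is never printed. Test the command itself instead, which `set -e` does not interrupt: `if ! $NFT -f - <<< "$RULESET" ; then`. The same dead check follows every load in 0002table_0, 0003table_0, 0010chain_0 through 0013chain_0, 0015chain_0, 0020rule_0, 0021rule_0, 0030set_0 through 0035set_0, 0037set_0 through 0040set_0 and 0044rule_0.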
diff --git a/tests/shell/testcases/transactions/0002table_0 b/tests/shell/testcases/transactions/0002table_0
new file mode 100755
index 0000000..c5f31a6
--- /dev/null
+++ b/tests/shell/testcases/transactions/0002table_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+delete table x
+add table x
+add chain x y { type nat hook prerouting priority 0; policy accept; }
+add table x { flags dormant; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0003table_0 b/tests/shell/testcases/transactions/0003table_0
new file mode 100755
index 0000000..91186de
--- /dev/null
+++ b/tests/shell/testcases/transactions/0003table_0
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add table y
+flush ruleset"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+KERNEL_RULESET="$($NFT list ruleset)"
+if [ "" != "$KERNEL_RULESET" ] ; then
+ echo "Got a ruleset, but expected empty: "
+ echo "$KERNEL_RULESET"
+ exit 1
+fi
+
+RULESET="table ip x {
+}
+table ip y {
+}"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+RULESETFAIL="flush ruleset
+create table ip nat
+create table inet filter
+create chain ip nat testchain
+delete table ip testtable"
+
+# testtable doesn't exist, batch expected to fail
+$NFT -f - <<< "$RULESETFAIL" && exit 2
+
+KERNEL_RULESET="$($NFT list ruleset)"
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0010chain_0 b/tests/shell/testcases/transactions/0010chain_0
new file mode 100755
index 0000000..ce66bd6
--- /dev/null
+++ b/tests/shell/testcases/transactions/0010chain_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+flush ruleset
+add table w
+add chain w y"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0011chain_0 b/tests/shell/testcases/transactions/0011chain_0
new file mode 100755
index 0000000..3bed16d
--- /dev/null
+++ b/tests/shell/testcases/transactions/0011chain_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+delete chain x y
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0012chain_0 b/tests/shell/testcases/transactions/0012chain_0
new file mode 100755
index 0000000..0d80ef4
--- /dev/null
+++ b/tests/shell/testcases/transactions/0012chain_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+flush ruleset
+add table x
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }
+flush ruleset
+add table w
+add chain w y { type filter hook output priority 0; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0013chain_0 b/tests/shell/testcases/transactions/0013chain_0
new file mode 100755
index 0000000..2756dd6
--- /dev/null
+++ b/tests/shell/testcases/transactions/0013chain_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+delete chain x y
+delete table x
+add table x
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }
+flush ruleset
+add table w
+add chain w y { type filter hook output priority 0; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0014chain_1 b/tests/shell/testcases/transactions/0014chain_1
new file mode 100755
index 0000000..cddc8a2
--- /dev/null
+++ b/tests/shell/testcases/transactions/0014chain_1
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET="add table x
+add chain x y
+delete chain x y
+delete chain x y"
+
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
+echo "E: allowing double-removal of chain" >&2
+exit 1
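Review bot: `$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0` treats every non-zero exit as the expected rejection, so the test also passes when `$NFT` is unset, the binary cannot run, or the batch fails for an unrelated reason, and discarding stderr hides which of these happened. Capture the output and check for the expected error before passing, for example `out=$($NFT -f - <<< "$RULESET" 2>&1) && { echo "E: allowing double-removal of chain" >&2; exit 1; }` followed by `grep -q "No such file or directory" <<< "$out"` (assuming nft prints the kernel errno text; confirm the exact wording). The same any-failure-passes pattern is used in 0022rule_1, 0023rule_1, 0036set_1 and 0043set_1, whose comments name a specific errno (ENOENT or ELOOP) that the script never verifies.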
diff --git a/tests/shell/testcases/transactions/0015chain_0 b/tests/shell/testcases/transactions/0015chain_0
new file mode 100755
index 0000000..42950b3
--- /dev/null
+++ b/tests/shell/testcases/transactions/0015chain_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+add chain x z
+add rule x z jump y"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+RULESET="delete rule x z handle 3
+delete chain x z
+delete chain x y
+delete table x"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
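Review bot: `delete rule x z handle 3` in the second batch depends on a handle number that nothing in the script explains or verifies. It presumably holds because chains `y` and `z` take the first two handles in a freshly created table `x` and the jump rule takes the third, but that only works if `x` did not exist before the test, and the script does not flush the ruleset first. Add a comment above the second `RULESET=` such as `# handle 3: chains y and z take handles 1 and 2 in the new table, the jump rule is next (assumes table x is new)`. The same undocumented handle assumption appears in 0025rule_0 (`handle 2`, `handle 3`) and 0044rule_0 (`handle 2`).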
diff --git a/tests/shell/testcases/transactions/0020rule_0 b/tests/shell/testcases/transactions/0020rule_0
new file mode 100755
index 0000000..f8d2d37
--- /dev/null
+++ b/tests/shell/testcases/transactions/0020rule_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+add rule x y ip saddr 1.1.1.1 counter
+flush ruleset"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0021rule_0 b/tests/shell/testcases/transactions/0021rule_0
new file mode 100755
index 0000000..ee265ab
--- /dev/null
+++ b/tests/shell/testcases/transactions/0021rule_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+add rule x y ip saddr 1.1.1.1 counter
+flush ruleset
+add table x
+add chain x y
+add rule x y ip saddr 2.2.2.2 counter"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0022rule_1 b/tests/shell/testcases/transactions/0022rule_1
new file mode 100755
index 0000000..07be53f
--- /dev/null
+++ b/tests/shell/testcases/transactions/0022rule_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+RULESET="add table x
+add chain x y
+delete chain x y
+add rule x y jump y"
+
+# kernel must return ENOENT
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
+echo "E: allowing jump loop to unexisting chain"
+exit 1
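Review bot: The failure message on the `echo "E: allowing jump loop to unexisting chain"` line goes to stdout, whereas 0014chain_1 and the "unable to load good ruleset" messages elsewhere in this directory use `>&2`, so a harness that collects only stderr would miss it. Append the redirect: `echo "E: allowing jump loop to unexisting chain" >&2`. The wording also mentions a "jump loop" although the comment above expects ENOENT for a rule added to a deleted chain, so something like "E: allowing rule in deleted chain" would match what is tested. The missing `>&2` also applies to 0023rule_1, 0024rule_0, 0036set_1 and 0043set_1.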
diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
new file mode 100755
index 0000000..e58c088
--- /dev/null
+++ b/tests/shell/testcases/transactions/0023rule_1
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET="add table x
+add chain x y
+add rule x y jump y"
+
+# kernel must return ELOOP
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
+echo "E: allowing jump to chain loop"
+exit 1
diff --git a/tests/shell/testcases/transactions/0024rule_0 b/tests/shell/testcases/transactions/0024rule_0
new file mode 100755
index 0000000..4c1ac41
--- /dev/null
+++ b/tests/shell/testcases/transactions/0024rule_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+RULESET="flush ruleset
+add table x
+add chain x y
+add rule x y accept comment rule1
+add rule x y accept comment rule4
+add rule x y index 0 accept comment rule2
+insert rule x y index 2 accept comment rule3"
+
+$NFT -f - <<< "$RULESET" && \
+ $NFT -f - <<< "$RULESET" && \
+ echo "$RULESET" | tr '\n' ';' | $NFT -i >/dev/null && \
+ exit 0
+echo "E: intra-transaction rule reference failed"
+exit 1
+
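Review bot: The single `echo "E: intra-transaction rule reference failed"` covers three different `$NFT` invocations chained with `&&`, so a failure report cannot tell whether the first load, the repeated load or the `$NFT -i` run broke. Whether `$NFT -i` reading from a pipe returns non-zero when a command is rejected is not visible from this hunk. If it does not, the third step can never fail the test, which is worth confirming. Give each step its own guard, for example `$NFT -f - <<< "$RULESET" || { echo "E: first load failed" >&2; exit 1; }`, and repeat that for the second load and the interactive run.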
diff --git a/tests/shell/testcases/transactions/0025rule_0 b/tests/shell/testcases/transactions/0025rule_0
new file mode 100755
index 0000000..d72d5cf
--- /dev/null
+++ b/tests/shell/testcases/transactions/0025rule_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# make sure stored delete/replace rule commands are correctly applied
+
+set -e
+
+$NFT -f - <<EOF
+flush ruleset
+table x {
+ chain y {
+ accept
+ log
+ }
+}
+EOF
+
+$NFT -f - <<EOF
+replace rule x y handle 2 log
+delete rule x y handle 3
+add rule x y index 0 drop
+EOF
diff --git a/tests/shell/testcases/transactions/0030set_0 b/tests/shell/testcases/transactions/0030set_0
new file mode 100755
index 0000000..e17b42f
--- /dev/null
+++ b/tests/shell/testcases/transactions/0030set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+flush ruleset
+add table x"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0031set_0 b/tests/shell/testcases/transactions/0031set_0
new file mode 100755
index 0000000..b2133cf
--- /dev/null
+++ b/tests/shell/testcases/transactions/0031set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+delete set x y
+add set x y { type ipv4_addr; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0032set_0 b/tests/shell/testcases/transactions/0032set_0
new file mode 100755
index 0000000..5882518
--- /dev/null
+++ b/tests/shell/testcases/transactions/0032set_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+flush ruleset
+add table w
+add set w y { type ipv4_addr; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0033set_0 b/tests/shell/testcases/transactions/0033set_0
new file mode 100755
index 0000000..6bd5893
--- /dev/null
+++ b/tests/shell/testcases/transactions/0033set_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+delete set x y"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0034set_0 b/tests/shell/testcases/transactions/0034set_0
new file mode 100755
index 0000000..1580c32
--- /dev/null
+++ b/tests/shell/testcases/transactions/0034set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1 }
+delete element x y { 1.1.1.1 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0035set_0 b/tests/shell/testcases/transactions/0035set_0
new file mode 100755
index 0000000..0967fd4
--- /dev/null
+++ b/tests/shell/testcases/transactions/0035set_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1, 2.2.2.2 }
+delete element x y { 1.1.1.1 }
+delete element x y { 2.2.2.2 }
+add element x y { 3.3.3.3 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0036set_1 b/tests/shell/testcases/transactions/0036set_1
new file mode 100755
index 0000000..45d922e
--- /dev/null
+++ b/tests/shell/testcases/transactions/0036set_1
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1, 2.2.2.2 }
+delete element x y { 1.1.1.1 }
+delete element x y { 1.1.1.1 }"
+
+$NFT -f - <<< "$RULESET" 2> /dev/null || exit 0
+# Kernel must return ENOENT
+echo "E: allowing double-removal of element"
+exit 1
diff --git a/tests/shell/testcases/transactions/0037set_0 b/tests/shell/testcases/transactions/0037set_0
new file mode 100755
index 0000000..2882863
--- /dev/null
+++ b/tests/shell/testcases/transactions/0037set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 1.1.1.0/24 }
+delete element x y { 1.1.1.0/24 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0038set_0 b/tests/shell/testcases/transactions/0038set_0
new file mode 100755
index 0000000..d7c2ba3
--- /dev/null
+++ b/tests/shell/testcases/transactions/0038set_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 192.168.0.0/24, 192.168.2.0/24 }
+delete element x y { 192.168.0.0/24 }
+delete element x y { 192.168.2.0/24 }
+add element x y { 192.168.4.0/24 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0039set_0 b/tests/shell/testcases/transactions/0039set_0
new file mode 100755
index 0000000..d7c2ba3
--- /dev/null
+++ b/tests/shell/testcases/transactions/0039set_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 192.168.0.0/24, 192.168.2.0/24 }
+delete element x y { 192.168.0.0/24 }
+delete element x y { 192.168.2.0/24 }
+add element x y { 192.168.4.0/24 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
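Review bot: This file is byte-identical to 0038set_0: both `index` lines show the same blob id `d7c2ba3`, and the ruleset, the elements and the check are the same. As added, it runs the same transaction a second time and gives no additional coverage. If a different interval case was intended (for instance overlapping or adjacent prefixes), the `RULESET` needs to differ; otherwise add a leading comment saying why the duplicate is kept.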
diff --git a/tests/shell/testcases/transactions/0040set_0 b/tests/shell/testcases/transactions/0040set_0
new file mode 100755
index 0000000..468816b
--- /dev/null
+++ b/tests/shell/testcases/transactions/0040set_0
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip filter {
+ map client_to_any {
+ type ipv4_addr : verdict
+ elements = { 1.2.3.4 : goto CIn_1 }
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ goto client_to_any
+ }
+
+ chain client_to_any {
+ ip saddr vmap @client_to_any
+ }
+
+ chain CIn_1 {
+ }
+}"
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+GET="$($NFT list ruleset)"
+
+if [ "$RULESET" != "$GET" ] ; then
+ $DIFF -u <(echo "$RULESET") <(echo "$GET")
+ exit 1
+fi
+
+RULESET="delete element ip filter client_to_any { 1.2.3.4 : goto CIn_1 }
+delete chain ip filter CIn_1"
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0041nat_restore_0 b/tests/shell/testcases/transactions/0041nat_restore_0
new file mode 100755
index 0000000..9e1d6c9
--- /dev/null
+++ b/tests/shell/testcases/transactions/0041nat_restore_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+add table ip t
+add chain ip t c { type nat hook postrouting priority 0; }
+"
+
+$NFT -f - <<< "$RULESET"
+
+RULESET="
+flush ruleset
+$RULESET
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0042_stateful_expr_0 b/tests/shell/testcases/transactions/0042_stateful_expr_0
new file mode 100755
index 0000000..918e721
--- /dev/null
+++ b/tests/shell/testcases/transactions/0042_stateful_expr_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+add table ip filter
+add counter ip filter c1
+add map ip filter m1 { type ipv4_addr : counter ;}
+add element ip filter m1 { 1 : c1 }
+add element ip filter m1 { 1 : c1 }
+delete element ip filter m1 { 1 }
+delete counter ip filter c1"
+
+$NFT -f - <<< "$RULESET"
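Review bot: `add element ip filter m1 { 1 : c1 }` appears twice in a row in `RULESET` with no comment, which reads like a copy-paste slip even though the repeated add within one transaction is probably the case under test. Document the intent with a comment above `RULESET=`, such as `# the element is added twice on purpose: the duplicate add must not leave an extra reference on counter c1, or the final delete counter fails`. That rationale is inferred from the batch ending in `delete counter ip filter c1`, so adjust it to the actual regression being covered.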
diff --git a/tests/shell/testcases/transactions/0043set_1 b/tests/shell/testcases/transactions/0043set_1
new file mode 100755
index 0000000..a9135c1
--- /dev/null
+++ b/tests/shell/testcases/transactions/0043set_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+RULESET="add table ip test
+add set ip test foo { type ipv4_addr; }
+add chain ip test tc
+add element ip test foo { 1.2.3.4 }
+add rule ip test tc ip saddr { 1.2.3.4, 5.6.7.8 } accept
+delete table ip test
+add element ip test foo { 1.2.3.6 }"
+
+# kernel must return ENOENT
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
+echo "E: allowing element insertion on unexisting set"
+exit 1
diff --git a/tests/shell/testcases/transactions/0044rule_0 b/tests/shell/testcases/transactions/0044rule_0
new file mode 100755
index 0000000..a4da480
--- /dev/null
+++ b/tests/shell/testcases/transactions/0044rule_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table ip test
+add chain ip test tc
+add rule ip test tc counter"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+RULESET="delete rule ip test tc handle 2
+flush ruleset"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0045anon-unbind_0 b/tests/shell/testcases/transactions/0045anon-unbind_0
new file mode 100755
index 0000000..1e16af1
--- /dev/null
+++ b/tests/shell/testcases/transactions/0045anon-unbind_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET='table inet filter {
+ chain antileak {
+ udp dport { 137, 138 } drop comment "NetBT"
+ }
+}'
+
+set -e
+$NFT -c -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0046set_0 b/tests/shell/testcases/transactions/0046set_0
new file mode 100755
index 0000000..172e24d
--- /dev/null
+++ b/tests/shell/testcases/transactions/0046set_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+RULESET='add table ip filter
+add chain ip filter group_7933
+add map ip filter group_7933 { type ipv4_addr : classid; flags interval; }
+add rule ip filter group_7933 meta priority 0 meta priority set ip saddr map @group_7933 counter
+add element ip filter group_7933 { 10.4.22.0/24 : "1:0xc7cb" }
+'
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+RULESET='delete element ip filter group_7933 { 10.4.22.0/24 }
+flush chain ip filter group_7933
+delete chain ip filter group_7933
+delete map ip filter group_7933'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0047set_0 b/tests/shell/testcases/transactions/0047set_0
new file mode 100755
index 0000000..0a27231
--- /dev/null
+++ b/tests/shell/testcases/transactions/0047set_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+RULESET='add table ip filter
+add map ip filter group_10060 { type ipv4_addr : classid; flags interval; }
+add element ip filter group_10060 { 10.1.26.2/32 : "1:0xbbf8" }
+add element ip filter group_10060 { 10.1.26.3/32 : "1:0xc1ad" }
+add element ip filter group_10060 { 10.1.26.4/32 : "1:0xb2d7" }
+add element ip filter group_10060 { 10.1.26.5/32 : "1:0xf705" }
+add element ip filter group_10060 { 10.1.26.6/32 : "1:0xb895" }
+add element ip filter group_10060 { 10.1.26.7/32 : "1:0xec4c" }
+add element ip filter group_10060 { 10.1.26.8/32 : "1:0xde78" }
+add element ip filter group_10060 { 10.1.26.9/32 : "1:0xb4f3" }
+add element ip filter group_10060 { 10.1.26.10/32 : "1:0xdec6" }
+add element ip filter group_10060 { 10.1.26.11/32 : "1:0xb4c0" }
+add element ip filter group_10060 { 10.1.26.12/32 : "1:0xb4a2" }
+add element ip filter group_10060 { 10.1.26.13/32 : "1:0xa8ab" }
+add element ip filter group_10060 { 10.1.26.14/32 : "1:0xb3c1" }'
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+RULESET='delete element ip filter group_10060 { 10.1.26.13/32 }
+delete element ip filter group_10060 { 10.1.26.14/32 }
+delete element ip filter group_10060 { 10.1.26.12/32 }'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0048helpers_0 b/tests/shell/testcases/transactions/0048helpers_0
new file mode 100755
index 0000000..675a977
--- /dev/null
+++ b/tests/shell/testcases/transactions/0048helpers_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+RULESET='add table ip filter
+add chain ip filter filter { type filter hook prerouting priority mangle; policy accept; }
+add ct helper ip filter ftp { type "ftp" protocol tcp; };
+add rule ip filter filter tcp dport 33 ct helper set "ftp"'
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+RULESET='flush chain ip filter filter
+delete chain filter filter
+delete ct helper ip filter ftp'
+
+$NFT -f - <<< "$RULESET"
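Review bot: `delete chain filter filter` in the second `RULESET` omits the family, while every other command in this test spells out `ip`; it works only because nft defaults to the `ip` family. If the omission is not deliberate, make it `delete chain ip filter filter` so the teardown matches the setup. If exercising the default family is the point, add a comment saying so. The trailing `;` after the `add ct helper ... }` line in the first batch is similarly unexplained.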
diff --git a/tests/shell/testcases/transactions/0049huge_0 b/tests/shell/testcases/transactions/0049huge_0
new file mode 100755
index 0000000..f66953c
--- /dev/null
+++ b/tests/shell/testcases/transactions/0049huge_0
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# let's try to exceed transaction buffer space
+
+$NFT flush ruleset
+$NFT add table inet test
+$NFT add chain inet test c
+
+RULE_COUNT=3000
+
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/rmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ RULE_COUNT=500
+fi
+
+RULESET=$(
+for ((i = 0; i < ${RULE_COUNT}; i++)); do
+ echo "add rule inet test c accept comment rule$i"
+done
+)
+test $($NFT -e -a -f - <<< "$RULESET" |grep "#[ ]\+handle[ ]\+[0-9]\+" |wc -l) -eq ${RULE_COUNT} || exit 1
+
+# same thing, but with JSON rules
+#
+$NFT flush ruleset
+$NFT add table inet test
+$NFT add chain inet test c
+
+RULESET=$(
+echo '{"nftables": ['
+for ((i = 0; i < $((${RULE_COUNT} - 1)); i++)); do
+ echo '{"add": {"rule": {"family": "inet", "table": "test", "chain": "c", "expr": [{"accept": null}], "comment": "rule'$i'"}}},'
+done
+ echo '{"add": {"rule": {"family": "inet", "table": "test", "chain": "c", "expr": [{"accept": null}], "comment": "rule'$((${RULE_COUNT} - 1))'"}}}'
+echo ']}'
+)
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+ test $($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\)/\n\1/g' |grep '"handle"' |wc -l) -eq ${RULE_COUNT} || exit 1
+fi
+
+# Now an example from firewalld's testsuite
+#
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "ip", "name": "firewalld"}}}, {"add": {"table": {"family": "ip6", "name": "firewalld"}}},
+{"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING", "type": "filter", "hook": "prerouting", "prio": -290}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"jump": {"target": "raw_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PREROUTING", "type": "filter", "hook": "prerouting", "prio": -140}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING", "expr": [{"jump": {"target": "mangle_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING", "expr": [{"jump": {"target": "nat_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POSTROUTING", "type": "nat", "hook": "postrouting", "prio": 110}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POSTROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING", "expr": [{"jump": {"target": "nat_POSTROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING", "expr": [{"jump": {"target": "nat_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POSTROUTING", "type": "nat", "hook": 
"postrouting", "prio": 110}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POSTROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING", "expr": [{"jump": {"target": "nat_POSTROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT", "type": "filter", "hook": "input", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD", "type": "filter", "hook": "forward", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_OUTPUT", "type": "filter", "hook": "output", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "status"}}, "op": "in", "right": "dnat"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"jump": {"target": "filter_INPUT_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["invalid"]}}}, {"drop": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD_IN_ZONES"}}}, {"add": {"chain": {"family": "inet", 
"table": "firewalld", "name": "filter_FORWARD_OUT_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "status"}}, "op": "in", "right": "dnat"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"jump": {"target": "filter_FORWARD_IN_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"jump": {"target": "filter_FORWARD_OUT_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["invalid"]}}}, {"drop": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_OUTPUT", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"match": {"left": {"meta": {"key": "nfproto"}}, "op": "==", "right": "ipv6"}}, {"match": {"left": {"fib": {"flags": ["saddr", "iif"], "result": "oif"}}, "op": "==", "right": false}}, {"drop": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"match": {"left": {"payload": {"protocol": "icmpv6", "field": "type"}}, "op": 
"==", "right": {"set": ["nd-router-advert", "nd-neighbor-solicit"]}}}, {"accept": null}]}}},
+{"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_OUTPUT", "index": 0, "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"set": [{"prefix": {"addr": "::0.0.0.0", "len": 96}}, {"prefix": {"addr": "::ffff:0.0.0.0", "len": 96}}, {"prefix": {"addr": "2002:0000::", "len": 24}}, {"prefix": {"addr": "2002:0a00::", "len": 24}}, {"prefix": {"addr": "2002:7f00::", "len": 24}}, {"prefix": {"addr": "2002:ac10::", "len": 28}}, {"prefix": {"addr": "2002:c0a8::", "len": 32}}, {"prefix": {"addr": "2002:a9fe::", "len": 32}}, {"prefix": {"addr": "2002:e000::", "len": 19}}]}}}, {"reject": {"type": "icmpv6", "expr": "addr-unreachable"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "index": 2, "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"set": [{"prefix": {"addr": "::0.0.0.0", "len": 96}}, {"prefix": {"addr": "::ffff:0.0.0.0", "len": 96}}, {"prefix": {"addr": "2002:0000::", "len": 24}}, {"prefix": {"addr": "2002:0a00::", "len": 24}}, {"prefix": {"addr": "2002:7f00::", "len": 24}}, {"prefix": {"addr": "2002:ac10::", "len": 28}}, {"prefix": {"addr": "2002:c0a8::", "len": 32}}, {"prefix": {"addr": "2002:a9fe::", "len": 32}}, {"prefix": {"addr": "2002:e000::", "len": 19}}]}}}, {"reject": {"type": "icmpv6", "expr": "addr-unreachable"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_post"}}}, {"add": {"rule": {"family": 
"inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_post"}}]}}}, {"add": 
{"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": 
"firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"goto": {"target": "raw_PRE_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": 
"mangle_PRE_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"goto": {"target": "mangle_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": 
"ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", 
"chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"goto": {"target": "nat_POST_public"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"goto": {"target": "nat_POST_public"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"goto": {"target": "filter_IN_public"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", 
"chain": "filter_FORWARD_IN_ZONES", "expr": [{"goto": {"target": "filter_FWDI_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"goto": {"target": "filter_FWDO_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": 
"firewalld", "name": "raw_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "raw_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_log"}}]}}}, {"add": {"rule": 
{"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "mangle_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", 
"name": "nat_PRE_trusted"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_PRE_trusted"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_log"}}}, {"add": {"chain": {"family": "ip", "table": 
"firewalld", "name": "nat_POST_trusted_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": 
"firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_POST_trusted"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_POST_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": 
{"target": "filter_IN_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_IN_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": 
{"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_FWDI_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_FWDO_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_pre"}}}, 
{"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": 
{"target": "filter_IN_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "raw_PRE_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": 
{"target": "mangle_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "mangle_PRE_work"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": 
"nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_PRE_work"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_PRE_work"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": 
"nat_POST_work_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": 
"firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_POST_work"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_POST_work"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_IN_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", 
"chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_FWDI_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": 
"filter_FWDO_work"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}]}'
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+ test -z "$($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\|{"insert":\)/\n\1/g' |grep '\({"add":\|{"insert":\)' | grep -v '"handle"')"
+fi
+
+if [ "$NFT_TEST_HAVE_json" = n ]; then
+ echo "Test partially skipped due to missing JSON support."
+ exit 77
+fi
+
+if [ "$RULE_COUNT" != 3000 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/rmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/transactions/0050rule_1 b/tests/shell/testcases/transactions/0050rule_1
new file mode 100755
index 0000000..89e5f42
--- /dev/null
+++ b/tests/shell/testcases/transactions/0050rule_1
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+ flowtable ftable {
+ hook ingress priority 0; devices = { eno1, eno0, x };
+ }
+
+chain forward {
+ type filter hook forward priority 0; policy drop;
+
+ ip protocol { tcp, udp } ct mark and 1 == 1 counter flow add @ftable
+ ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter flow add @ftable
+ ct mark and 30 == 30 ct state established,related log prefix \"nftables accept: \" level info accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
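Review bot: The final line, `$NFT -f - <<< "$RULESET" >/dev/null || exit 0`, makes the script exit 0 whether the load succeeds, is rejected, or nft is killed by a signal, so the test's own status can never report a problem. If the intent is only to drive the transaction abort path (the flowtable device `x` presumably does not exist), a comment saying so would help, e.g. `# load is expected to fail; only a crash counts as a regression`. Unless the harness detects an nft crash separately, the status could be kept with `rc=0; $NFT -f - <<< "$RULESET" >/dev/null || rc=$?` followed by `[ "$rc" -lt 128 ] || exit 1`. The anon_chain_loop and bad_expression hunks further down have a related gap: they treat any non-zero status (other than 124 in bad_expression) as the expected rejection, which includes death by signal.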
diff --git a/tests/shell/testcases/transactions/0051map_0 b/tests/shell/testcases/transactions/0051map_0
new file mode 100755
index 0000000..9ea5cd4
--- /dev/null
+++ b/tests/shell/testcases/transactions/0051map_0
@@ -0,0 +1,122 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1trans-$rnd"
+
+#
+# dependency tracking for implicit set
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ chain y {
+ ip saddr vmap { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="flush chain ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# dependency tracking for map in implicit chain
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ chain y {
+ meta iifname \"eno1\" jump {
+ ip saddr vmap { 1.1.1.1 : jump w, 3.3.3.3 : goto m }
+ }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="flush chain ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# dependency tracking for explicit map
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ map y {
+ type ipv4_addr : verdict
+ elements = { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="delete set ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# error path for implicit set
+#
+RULESET="table inet filter {
+ chain w {
+ jump z
+ }
+ chain z {
+ jump w
+ }
+
+ chain test {
+ ip protocol { tcp, udp } ip saddr vmap { 1.1.1.1 : jump z } counter flow add @nonexisting
+ ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# error path for implicit set
+#
+RULESET="table inet filter {
+ chain w {
+ jump z
+ }
+ chain z {
+ jump w
+ }
+
+ chain test {
+ ip protocol { tcp, udp } jump {
+ ip saddr vmap { 1.1.1.1 : jump z }
+ }
+ ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT flush table inet filter || exit 0
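Review bot: The namespace created by `ip netns add $ns1` is leaked whenever the following `ip netns exec $ns1 $NFT -f - ... || exit 0` takes its exit branch, because `ip netns del $ns1` is then never reached; this applies to all three add/exec/del sequences. A `trap 'ip netns del "$ns1" 2>/dev/null' EXIT` placed right after `ns1=` is assigned would cover every exit path, and `$ns1` should be quoted at each use. Separately, the last two sections both carry the comment `error path for implicit set`, while the second one loads an anonymous chain (`jump { ... }`); `# error path for implicit chain` would describe it.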
diff --git a/tests/shell/testcases/transactions/30s-stress b/tests/shell/testcases/transactions/30s-stress
new file mode 100755
index 0000000..4c3c6a2
--- /dev/null
+++ b/tests/shell/testcases/transactions/30s-stress
@@ -0,0 +1,637 @@
+#!/bin/bash
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+runtime=30
+
+# allow stand-alone execution as well, e.g. '$0 3600'
+if [ x"$1" != "x" ] ;then
+ if [ $1 -ge 0 ]; then
+ runtime="$1"
+ else
+ echo "Invalid runtime $1"
+ exit 1
+ fi
+fi
+
+if [ x = x"$NFT" ] ; then
+ NFT=nft
+fi
+
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Skip it. You may ensure that the limits are suitable and rerun
+ # with NFT_TEST_HAS_SOCKET_LIMITS=n.
+ exit 77
+fi
+
+if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ] ; then
+ NFT_TEST_HAVE_chain_binding=n
+ mydir="$(dirname "$0")"
+ $NFT --check -f "$mydir/../../features/chain_binding.nft"
+ if [ $? -eq 0 ];then
+ NFT_TEST_HAVE_chain_binding=y
+ else
+ echo "Assuming anonymous chains are not supported"
+ fi
+fi
+
+testns=testns-$(mktemp -u "XXXXXXXX")
+tmp=""
+
+faultname="/proc/self/make-it-fail"
+tables="foo bar"
+
+failslab_defaults() {
+ test -w $faultname || return
+
+ # Disable fault injection unless process has 'make-it-fail' set
+ echo Y > /sys/kernel/debug/failslab/task-filter
+
+ # allow all slabs to fail (if process is tagged).
+ find /sys/kernel/slab/ -wholename '*/kmalloc-[0-9]*/failslab' -type f -exec sh -c 'echo 1 > {}' \;
+
+ # no limit on the number of failures, or clause works around old kernels that reject negative integer.
+ echo -1 > /sys/kernel/debug/failslab/times 2>/dev/null || printf '%#x -1' > /sys/kernel/debug/failslab/times
+
+ # Set to 2 for full dmesg traces for each injected error
+ echo 0 > /sys/kernel/debug/failslab/verbose
+}
+
+failslab_random()
+{
+ r=$((RANDOM%2))
+
+ if [ $r -eq 0 ]; then
+ echo Y > /sys/kernel/debug/failslab/ignore-gfp-wait
+ else
+ echo N > /sys/kernel/debug/failslab/ignore-gfp-wait
+ fi
+
+ r=$((RANDOM%5))
+ echo $r > /sys/kernel/debug/failslab/probability
+ r=$((RANDOM%100))
+ echo $r > /sys/kernel/debug/failslab/interval
+
+ # allow a small initial 'success budget'.
+ # failures only appear after this many allocated bytes.
+ r=$((RANDOM%16384))
+ echo $r > /sys/kernel/debug/$FAILTYPE/space
+}
+
+netns_del() {
+ ip netns pids "$testns" | xargs kill 2>/dev/null
+ ip netns del "$testns"
+}
+
+netns_add()
+{
+ ip netns add "$testns"
+ ip -netns "$testns" link set lo up
+}
+
+cleanup() {
+ [ "$tmp" = "" ] || rm -f "$tmp"
+ netns_del
+}
+
+nft_with_fault_inject()
+{
+ file="$1"
+
+ if [ -w "$faultname" ]; then
+ failslab_random
+
+ ip netns exec "$testns" bash -c "echo 1 > $faultname ; exec $NFT -f $file"
+ fi
+
+ ip netns exec "$testns" $NFT -f "$file"
+}
+
+trap cleanup EXIT
+tmp=$(mktemp)
+
+jump_or_goto()
+{
+ if [ $((RANDOM & 1)) -eq 0 ] ;then
+ echo -n "jump"
+ else
+ echo -n "goto"
+ fi
+}
+
+random_verdict()
+{
+ max="$1"
+
+ if [ $max -eq 0 ]; then
+ max=1
+ fi
+
+ rnd=$((RANDOM%max))
+
+ if [ $rnd -gt 0 ];then
+ jump_or_goto
+ printf " chain%03u" "$((rnd+1))"
+ return
+ fi
+
+ if [ $((RANDOM & 1)) -eq 0 ] ;then
+ echo "accept"
+ else
+ echo "drop"
+ fi
+}
+
+randsleep()
+{
+ local s=$((RANDOM%1))
+ local ms=$((RANDOM%1000))
+ sleep $s.$ms
+}
+
+randlist()
+{
+ while [ -r $tmp ]; do
+ randsleep
+ ip netns exec $testns $NFT list ruleset > /dev/null
+ done
+}
+
+randflush()
+{
+ while [ -r $tmp ]; do
+ randsleep
+ ip netns exec $testns $NFT flush ruleset > /dev/null
+ done
+}
+
+randdeltable()
+{
+ while [ -r $tmp ]; do
+ randsleep
+ for t in $tables; do
+ r=$((RANDOM%10))
+
+ if [ $r -eq 1 ] ;then
+ ip netns exec $testns $NFT delete table inet $t
+ randsleep
+ fi
+ done
+ done
+}
+
+randdelset()
+{
+ while [ -r $tmp ]; do
+ randsleep
+ for t in $tables; do
+ r=$((RANDOM%10))
+ s=$((RANDOM%10))
+
+ case $r in
+ 0)
+ setname=set_$s
+ ;;
+ 1)
+ setname=sett${s}
+ ;;
+ 2)
+ setname=dmap_${s}
+ ;;
+ 3)
+ setname=dmapt${s}
+ ;;
+ 4)
+ setname=vmap_${s}
+ ;;
+ 5)
+ setname=vmapt${s}
+ ;;
+ *)
+ continue
+ ;;
+ esac
+
+ if [ $r -eq 1 ] ;then
+ ip netns exec $testns $NFT delete set inet $t $setname
+ fi
+ done
+ done
+}
+
+randdelchain()
+{
+ while [ -r $tmp ]; do
+ for t in $tables; do
+ local c=$((RANDOM%100))
+ randsleep
+ chain=$(printf "chain%03u" "$c")
+
+ local r=$((RANDOM%10))
+ if [ $r -eq 1 ];then
+ # chain can be invalid/unknown.
+ ip netns exec $testns $NFT delete chain inet $t $chain
+ fi
+ done
+ done
+}
+
+randdisable()
+{
+ while [ -r $tmp ]; do
+ for t in $tables; do
+ randsleep
+ local r=$((RANDOM%10))
+ if [ $r -eq 1 ];then
+ ip netns exec $testns $NFT add table inet $t '{flags dormant; }'
+ randsleep
+ ip netns exec $testns $NFT add table inet $t '{ }'
+ fi
+ done
+ done
+}
+
+randdelns()
+{
+ while [ -r $tmp ]; do
+ randsleep
+ netns_del
+ netns_add
+ randsleep
+ done
+}
+
+random_element_string=""
+
+# create a random element. Could cause any of the following:
+# 1. Invalid set/map
+# 2. Element already exists in set/map w. create
+# 3. Element is new but wants to jump to unknown chain
+# 4. Element already exsists in set/map w. add, but verdict (map data) differs
+# 5. Element is created/added/deleted from 'flags constant' set.
+random_elem()
+{
+ tr=$((RANDOM%2))
+ t=0
+
+ for table in $tables; do
+ if [ $t -ne $tr ]; then
+ t=$((t+1))
+ continue
+ fi
+
+ kr=$((RANDOM%2))
+ k=0
+ cnt=0
+ for key in "single" "concat"; do
+ if [ $k -ne $kr ] ;then
+ cnt=$((cnt+2))
+ k=$((k+1))
+ continue
+ fi
+
+ fr=$((RANDOM%2))
+ f=0
+ for flags in "" "interval" ; do
+ cnt=$((cnt+1))
+ if [ $f -ne fkr ] ;then
+ f=$((f+1))
+ continue
+ fi
+
+ want="${key}${flags}"
+
+ e=$((RANDOM%256))
+ case "$want" in
+ "single") element="10.1.1.$e"
+ ;;
+ "concat") element="10.1.2.$e . $((RANDOM%65536))"
+ ;;
+ "singleinterval") element="10.1.$e.0-10.1.$e.$e"
+ ;;
+ "concatinterval") element="10.1.$e.0-10.1.$e.$e . $((RANDOM%65536))"
+ ;;
+ *) echo "bogus key $want"
+ exit 111
+ ;;
+ esac
+
+ # This may result in invalid jump, but thats what we want.
+ count=$(($RANDOM%100))
+
+ r=$((RANDOM%7))
+ case "$r" in
+ 0)
+ random_element_string=" inet $table set_${cnt} { $element }"
+ ;;
+ 1) random_element_string="inet $table sett${cnt} { $element timeout $((RANDOM%60))s }"
+ ;;
+ 2) random_element_string="inet $table dmap_${cnt} { $element : $RANDOM }"
+ ;;
+ 3) random_element_string="inet $table dmapt${cnt} { $element timeout $((RANDOM%60))s : $RANDOM }"
+ ;;
+ 4) random_element_string="inet $table vmap_${cnt} { $element : `random_verdict $count` }"
+ ;;
+ 5) random_element_string="inet $table vmapt${cnt} { $element timeout $((RANDOM%60))s : `random_verdict $count` }"
+ ;;
+ 6) random_element_string="inet $table setc${cnt} { $element }"
+ ;;
+ esac
+
+ return
+ done
+ done
+ done
+}
+
+randload()
+{
+ while [ -r $tmp ]; do
+ random_element_string=""
+ r=$((RANDOM%10))
+
+ what=""
+ case $r in
+ 1)
+ (echo "flush ruleset"; cat "$tmp"
+ echo "insert rule inet foo INPUT meta nftrace set 1"
+ echo "insert rule inet foo OUTPUT meta nftrace set 1"
+ ) | nft_with_fault_inject "/dev/stdin"
+ ;;
+ 2) what="add"
+ ;;
+ 3) what="create"
+ ;;
+ 4) what="delete"
+ ;;
+ 5) what="destroy"
+ ;;
+ 6) what="get"
+ ;;
+ *)
+ randsleep
+ ;;
+ esac
+
+ if [ x"$what" = "x" ]; then
+ nft_with_fault_inject "$tmp"
+ else
+ # This can trigger abort path, for various reasons:
+ # invalid set name
+ # key mismatches set specification (concat vs. single value)
+ # attempt to delete non-existent key
+ # attempt to create dupliacte key
+ # attempt to add duplicate key with non-matching value (data)
+ # attempt to add new uniqeue key with a jump to an unknown chain
+ random_elem
+ ( cat "$tmp"; echo "$what element $random_element_string") | nft_with_fault_inject "/dev/stdin"
+ fi
+ done
+}
+
+randmonitor()
+{
+ while [ -r $tmp ]; do
+ randsleep
+ timeout=$((RANDOM%16))
+ timeout $((timeout+1)) $NFT monitor > /dev/null
+ done
+}
+
+floodping() {
+ cpunum=$(grep -c processor /proc/cpuinfo)
+ cpunum=$((cpunum+1))
+
+ while [ -r $tmp ]; do
+ spawn=$((RANDOM%$cpunum))
+
+ # spawn at most $cpunum processes. Or maybe none at all.
+ i=0
+ while [ $i -lt $spawn ]; do
+ mask=$(printf 0x%x $((1<<$i)))
+ timeout 3 ip netns exec "$testns" taskset $mask ping -4 -fq 127.0.0.1 > /dev/null &
+ timeout 3 ip netns exec "$testns" taskset $mask ping -6 -fq ::1 > /dev/null &
+ i=$((i+1))
+ done
+
+ wait
+ randsleep
+ done
+}
+
+stress_all()
+{
+ # if fault injection is enabled, first a quick test to trigger
+ # abort paths without any parallel deletes/flushes.
+ if [ -w $faultname ] ;then
+ for i in $(seq 1 10);do
+ nft_with_fault_inject "$tmp"
+ done
+ fi
+
+ randlist &
+ randflush &
+ randdeltable &
+ randdisable &
+ randdelchain &
+ randdelset &
+ randdelns &
+ randload &
+ randmonitor &
+}
+
+gen_anon_chain_jump()
+{
+ echo -n "insert rule inet $@ "
+ jump_or_goto
+
+ if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then
+ echo " defaultchain"
+ return
+ fi
+
+ echo -n " { "
+ jump_or_goto
+ echo " defaultchain; counter; }"
+}
+
+gen_ruleset() {
+echo > "$tmp"
+for table in $tables; do
+ count=$((RANDOM % 100))
+ if [ $count -lt 1 ];then
+ count=1
+ fi
+
+ echo add table inet "$table" >> "$tmp"
+ echo flush table inet "$table" >> "$tmp"
+
+ echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
+ echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
+ for c in $(seq 1 $count); do
+ chain=$(printf "chain%03u" "$c")
+ echo "add chain inet $table $chain" >> "$tmp"
+ done
+
+ echo "add chain inet $table defaultchain" >> "$tmp"
+
+ for c in $(seq 1 $count); do
+ chain=$(printf "chain%03u" "$c")
+ for BASE in INPUT OUTPUT; do
+ echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
+ done
+ if [ $((RANDOM%10)) -eq 1 ];then
+ echo "add rule inet $table $chain counter jump defaultchain" >> "$tmp"
+ else
+ echo "add rule inet $table $chain counter return" >> "$tmp"
+ fi
+ done
+
+ cnt=0
+
+ # add a few anonymous sets. rhashtable is convered by named sets below.
+ c=$((RANDOM%$count))
+ chain=$(printf "chain%03u" "$((c+1))")
+ echo "insert rule inet $table $chain tcp dport 22-26 ip saddr { 1.2.3.4, 5.6.7.8 } counter comment hash_fast" >> "$tmp"
+ echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp"
+ echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp"
+ # bitmap 1byte, with anon chain jump
+ gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp"
+
+ # bitmap 2byte
+ echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp"
+ echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp"
+ # pipapo (concat + set), with goto anonymous chain.
+ gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp"
+
+ # add a few anonymous sets. rhashtable is convered by named sets below.
+ c=$((RANDOM%$count))
+ chain=$(printf "chain%03u" "$((c+1))")
+ echo "insert rule inet $table $chain tcp dport 22-26 ip saddr { 1.2.3.4, 5.6.7.8 } counter comment hash_fast" >> "$tmp"
+ echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp"
+ echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp"
+ # bitmap 1byte, with anon chain jump
+ gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp"
+ # bitmap 2byte
+ echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp"
+ echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp"
+ # pipapo (concat + set), with goto anonymous chain.
+ gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp"
+
+ # add constant/immutable sets
+ size=$((RANDOM%5120000))
+ size=$((size+2))
+ echo "add set inet $table setc1 { typeof tcp dport; size $size; flags constant; elements = { 22, 44 } }" >> "$tmp"
+ echo "add set inet $table setc2 { typeof ip saddr; size $size; flags constant; elements = { 1.2.3.4, 5.6.7.8 } }" >> "$tmp"
+ echo "add set inet $table setc3 { typeof ip6 daddr; size $size; flags constant; elements = { ::1, dead::1 } }" >> "$tmp"
+ echo "add set inet $table setc4 { typeof tcp dport; size $size; flags interval,constant; elements = { 22-44, 55-66 } }" >> "$tmp"
+ echo "add set inet $table setc5 { typeof ip saddr; size $size; flags interval,constant; elements = { 1.2.3.4-5.6.7.8, 10.1.1.1 } }" >> "$tmp"
+ echo "add set inet $table setc6 { typeof ip6 daddr; size $size; flags interval,constant; elements = { ::1, dead::1-dead::3 } }" >> "$tmp"
+
+ # add named sets with various combinations (plain value, range, concatenated values, concatenated ranges, with timeouts, with data ...)
+ for key in "ip saddr" "ip saddr . tcp dport"; do
+ for flags in "" "flags interval;" ; do
+ timeout=$((RANDOM%10))
+ timeout=$((timeout+1))
+ timeout="timeout ${timeout}s"
+
+ cnt=$((cnt+1))
+ echo "add set inet $table set_${cnt} { typeof ${key} ; ${flags} }" >> "$tmp"
+ echo "add set inet $table sett${cnt} { typeof ${key} ; $timeout; ${flags} }" >> "$tmp"
+ echo "add map inet $table dmap_${cnt} { typeof ${key} : meta mark ; ${flags} }" >> "$tmp"
+ echo "add map inet $table dmapt${cnt} { typeof ${key} : meta mark ; $timeout ; ${flags} }" >> "$tmp"
+ echo "add map inet $table vmap_${cnt} { typeof ${key} : verdict ; ${flags} }" >> "$tmp"
+ echo "add map inet $table vmapt${cnt} { typeof ${key} : verdict; $timeout ; ${flags} }" >> "$tmp"
+ done
+ done
+
+ cnt=0
+ for key in "single" "concat"; do
+ for flags in "" "interval" ; do
+ want="${key}${flags}"
+ cnt=$((cnt+1))
+ maxip=$((RANDOM%256))
+
+ if [ $maxip -eq 0 ];then
+ maxip=1
+ fi
+
+ for e in $(seq 1 $maxip);do
+ case "$want" in
+ "single") element="10.1.1.$e"
+ ;;
+ "concat")
+ element="10.1.2.$e . $((RANDOM%65536))"
+ ;;
+ "singleinterval")
+ element="10.1.$e.0-10.1.$e.$e"
+ ;;
+ "concatinterval")
+ element="10.1.$e.0-10.1.$e.$e . $((RANDOM%65536))"
+ ;;
+ *)
+ echo "bogus key $want"
+ exit 111
+ ;;
+ esac
+
+ echo "add element inet $table set_${cnt} { $element }" >> "$tmp"
+ echo "add element inet $table sett${cnt} { $element timeout $((RANDOM%60))s }" >> "$tmp"
+ echo "add element inet $table dmap_${cnt} { $element : $RANDOM }" >> "$tmp"
+ echo "add element inet $table dmapt${cnt} { $element timeout $((RANDOM%60))s : $RANDOM }" >> "$tmp"
+ echo "add element inet $table vmap_${cnt} { $element : `random_verdict $count` }" >> "$tmp"
+ echo "add element inet $table vmapt${cnt} { $element timeout $((RANDOM%60))s : `random_verdict $count` }" >> "$tmp"
+ done
+ done
+ done
+done
+}
+
+run_test()
+{
+ local time_now=$(date +%s)
+ local time_stop=$((time_now + $runtime))
+ local regen=30
+
+ while [ $time_now -lt $time_stop ]; do
+ if [ $regen -gt 0 ];then
+ sleep 1
+ time_now=$(date +%s)
+ regen=$((regen-1))
+ continue
+ fi
+
+ # This clobbers the previously generated ruleset, this is intentional.
+ gen_ruleset
+ regen=$((RANDOM%60))
+ regen=$((regen+2))
+ time_now=$(date +%s)
+ done
+}
+
+netns_add
+
+gen_ruleset
+ip netns exec "$testns" $NFT -f "$tmp" || exit 1
+
+failslab_defaults
+
+stress_all 2>/dev/null &
+
+randsleep
+
+floodping 2> /dev/null &
+
+run_test
+
+# this stops stress_all
+rm -f "$tmp"
+tmp=""
+sleep 4
+
+if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then
+ echo "Ran a modified version of the test due to NFT_TEST_HAVE_chain_binding=n"
+fi
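Review bot: In random_elem the test `if [ $f -ne fkr ] ;then` compares against the literal word `fkr` instead of the `fr` drawn a few lines above; `[` reports an integer-expression error and returns non-zero, so the skip branch is never taken and, as far as I can tell, only the non-interval variant is ever produced. It should read `if [ $f -ne $fr ] ;then`. The same kind of slip is in failslab_random, where `echo $r > /sys/kernel/debug/$FAILTYPE/space` uses a variable this script never assigns; the neighbouring writes suggest `/sys/kernel/debug/failslab/space`. Both errors stay invisible at run time because `stress_all` is started with `2>/dev/null`.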
diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop
new file mode 100755
index 0000000..2fd6181
--- /dev/null
+++ b/tests/shell/testcases/transactions/anon_chain_loop
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# anon chains with c1 -> c2 recursive jump, expect failure
+$NFT -f - <<EOF
+table ip t {
+ chain c2 { }
+ chain c1 { }
+}
+
+add t c1 ip saddr 127.0.0.1 jump { jump c2; }
+add t c2 ip saddr 127.0.0.1 jump { jump c1; }
+EOF
+
+if [ $? -eq 0 ] ; then
+ echo "E: able to load bad ruleset" >&2
+ exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/transactions/bad_expression b/tests/shell/testcases/transactions/bad_expression
new file mode 100755
index 0000000..794b625
--- /dev/null
+++ b/tests/shell/testcases/transactions/bad_expression
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# table with invalid expression (masquerade called from filter table).
+# nft must return an error. Also catch nfnetlink retry loops that
+# cause nft or kernel to spin.
+timeout 3 $NFT -f - <<EOF
+table ip t0 {
+ chain c { }
+ chain input {
+ type filter hook input priority 0;
+ jump c
+ }
+}
+
+table ip t1 {
+ chain a {
+ masquerade
+ }
+ chain input {
+ type filter hook input priority 1;
+ jump a
+ }
+}
+EOF
+
+rc=$?
+if [ $rc -eq 0 ]; then
+ echo "Ruleset should have failed" 1>&2
+ exit 111
+fi
+
+# 124 means 'command timed out', fail if this
+# happens. Else, pass, failure is wanted here.
+if [ $rc -ne 124 ]; then
+ exit 0
+fi
+
+exit $rc
diff --git a/tests/shell/testcases/transactions/dumps/0001table_0.nft b/tests/shell/testcases/transactions/dumps/0001table_0.nft
new file mode 100644
index 0000000..e4e5f9b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0001table_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+}
+table ip y {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0002table_0.nft b/tests/shell/testcases/transactions/dumps/0002table_0.nft
new file mode 100644
index 0000000..429cbc3
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0002table_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ flags dormant
+
+ chain y {
+ type nat hook prerouting priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0003table_0.nft b/tests/shell/testcases/transactions/dumps/0003table_0.nft
new file mode 100644
index 0000000..e4e5f9b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0003table_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+}
+table ip y {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0010chain_0.nft b/tests/shell/testcases/transactions/dumps/0010chain_0.nft
new file mode 100644
index 0000000..aa4a521
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0010chain_0.nft
@@ -0,0 +1,4 @@
+table ip w {
+ chain y {
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0011chain_0.nft b/tests/shell/testcases/transactions/dumps/0011chain_0.nft
new file mode 100644
index 0000000..df88ad4
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0011chain_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ chain y {
+ type filter hook input priority filter; policy drop;
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0012chain_0.nft b/tests/shell/testcases/transactions/dumps/0012chain_0.nft
new file mode 100644
index 0000000..b9f5e43
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0012chain_0.nft
@@ -0,0 +1,5 @@
+table ip w {
+ chain y {
+ type filter hook output priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0013chain_0.nft b/tests/shell/testcases/transactions/dumps/0013chain_0.nft
new file mode 100644
index 0000000..b9f5e43
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0013chain_0.nft
@@ -0,0 +1,5 @@
+table ip w {
+ chain y {
+ type filter hook output priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0014chain_1.nft b/tests/shell/testcases/transactions/dumps/0014chain_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0014chain_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0015chain_0.nft b/tests/shell/testcases/transactions/dumps/0015chain_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0015chain_0.nft
diff --git a/tests/shell/testcases/transactions/dumps/0020rule_0.nft b/tests/shell/testcases/transactions/dumps/0020rule_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0020rule_0.nft
diff --git a/tests/shell/testcases/transactions/dumps/0021rule_0.nft b/tests/shell/testcases/transactions/dumps/0021rule_0.nft
new file mode 100644
index 0000000..a6c4130
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0021rule_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ chain y {
+ ip saddr 2.2.2.2 counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0022rule_1.nft b/tests/shell/testcases/transactions/dumps/0022rule_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0022rule_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0023rule_1.nft b/tests/shell/testcases/transactions/dumps/0023rule_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0023rule_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0024rule_0.nft b/tests/shell/testcases/transactions/dumps/0024rule_0.nft
new file mode 100644
index 0000000..7860ff6
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0024rule_0.nft
@@ -0,0 +1,8 @@
+table ip x {
+ chain y {
+ accept comment "rule1"
+ accept comment "rule2"
+ accept comment "rule3"
+ accept comment "rule4"
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0025rule_0.nft b/tests/shell/testcases/transactions/dumps/0025rule_0.nft
new file mode 100644
index 0000000..dcb61ae
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0025rule_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+ chain y {
+ log
+ drop
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0030set_0.nft b/tests/shell/testcases/transactions/dumps/0030set_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0030set_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0031set_0.nft b/tests/shell/testcases/transactions/dumps/0031set_0.nft
new file mode 100644
index 0000000..e3d4aee
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0031set_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0032set_0.nft b/tests/shell/testcases/transactions/dumps/0032set_0.nft
new file mode 100644
index 0000000..7d11892
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0032set_0.nft
@@ -0,0 +1,5 @@
+table ip w {
+ set y {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0033set_0.nft b/tests/shell/testcases/transactions/dumps/0033set_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0033set_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0034set_0.nft b/tests/shell/testcases/transactions/dumps/0034set_0.nft
new file mode 100644
index 0000000..e3d4aee
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0034set_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0035set_0.nft b/tests/shell/testcases/transactions/dumps/0035set_0.nft
new file mode 100644
index 0000000..e111494
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0035set_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ elements = { 3.3.3.3 }
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0036set_1.nft b/tests/shell/testcases/transactions/dumps/0036set_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0036set_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0037set_0.nft b/tests/shell/testcases/transactions/dumps/0037set_0.nft
new file mode 100644
index 0000000..ca69cee
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0037set_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0038set_0.nft b/tests/shell/testcases/transactions/dumps/0038set_0.nft
new file mode 100644
index 0000000..651a11b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0038set_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.4.0/24 }
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0039set_0.nft b/tests/shell/testcases/transactions/dumps/0039set_0.nft
new file mode 100644
index 0000000..651a11b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0039set_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.4.0/24 }
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.nft b/tests/shell/testcases/transactions/dumps/0040set_0.nft
new file mode 100644
index 0000000..a29232b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0040set_0.nft
@@ -0,0 +1,14 @@
+table ip filter {
+ map client_to_any {
+ type ipv4_addr : verdict
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ goto client_to_any
+ }
+
+ chain client_to_any {
+ ip saddr vmap @client_to_any
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft
new file mode 100644
index 0000000..b718001
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ chain c {
+ type nat hook postrouting priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft
new file mode 100644
index 0000000..e5cc63f
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft
@@ -0,0 +1,5 @@
+table ip filter {
+ map m1 {
+ type ipv4_addr : counter
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0043set_1.nft b/tests/shell/testcases/transactions/dumps/0043set_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0043set_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0044rule_0.nft b/tests/shell/testcases/transactions/dumps/0044rule_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0044rule_0.nft
diff --git a/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft
diff --git a/tests/shell/testcases/transactions/dumps/0046set_0.nft b/tests/shell/testcases/transactions/dumps/0046set_0.nft
new file mode 100644
index 0000000..eb39c44
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0046set_0.nft
@@ -0,0 +1,2 @@
+table ip filter {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0047set_0.nft b/tests/shell/testcases/transactions/dumps/0047set_0.nft
new file mode 100644
index 0000000..4da397b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0047set_0.nft
@@ -0,0 +1,11 @@
+table ip filter {
+ map group_10060 {
+ type ipv4_addr : classid
+ flags interval
+ elements = { 10.1.26.2 : 1:bbf8, 10.1.26.3 : 1:c1ad,
+ 10.1.26.4 : 1:b2d7, 10.1.26.5 : 1:f705,
+ 10.1.26.6 : 1:b895, 10.1.26.7 : 1:ec4c,
+ 10.1.26.8 : 1:de78, 10.1.26.9 : 1:b4f3,
+ 10.1.26.10 : 1:dec6, 10.1.26.11 : 1:b4c0 }
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0048helpers_0.nft b/tests/shell/testcases/transactions/dumps/0048helpers_0.nft
new file mode 100644
index 0000000..eb39c44
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0048helpers_0.nft
@@ -0,0 +1,2 @@
+table ip filter {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0049huge_0.nft b/tests/shell/testcases/transactions/dumps/0049huge_0.nft
new file mode 100644
index 0000000..96f5a38
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0049huge_0.nft
@@ -0,0 +1,749 @@
+table inet firewalld {
+ chain raw_PREROUTING {
+ type filter hook prerouting priority raw + 10; policy accept;
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing drop
+ jump raw_PREROUTING_ZONES
+ }
+
+ chain raw_PREROUTING_ZONES {
+ iifname "perm_dummy" goto raw_PRE_work
+ iifname "perm_dummy2" goto raw_PRE_trusted
+ goto raw_PRE_public
+ }
+
+ chain mangle_PREROUTING {
+ type filter hook prerouting priority mangle + 10; policy accept;
+ jump mangle_PREROUTING_ZONES
+ }
+
+ chain mangle_PREROUTING_ZONES {
+ iifname "perm_dummy" goto mangle_PRE_work
+ iifname "perm_dummy2" goto mangle_PRE_trusted
+ goto mangle_PRE_public
+ }
+
+ chain filter_INPUT {
+ type filter hook input priority filter + 10; policy accept;
+ ct state { established, related } accept
+ ct status dnat accept
+ iifname "lo" accept
+ jump filter_INPUT_ZONES
+ ct state invalid drop
+ reject with icmpx admin-prohibited
+ }
+
+ chain filter_FORWARD {
+ type filter hook forward priority filter + 10; policy accept;
+ ct state { established, related } accept
+ ct status dnat accept
+ iifname "lo" accept
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+ jump filter_FORWARD_IN_ZONES
+ jump filter_FORWARD_OUT_ZONES
+ ct state invalid drop
+ reject with icmpx admin-prohibited
+ }
+
+ chain filter_OUTPUT {
+ type filter hook output priority filter + 10; policy accept;
+ oifname "lo" accept
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+ }
+
+ chain filter_INPUT_ZONES {
+ iifname "perm_dummy" goto filter_IN_work
+ iifname "perm_dummy2" goto filter_IN_trusted
+ goto filter_IN_public
+ }
+
+ chain filter_FORWARD_IN_ZONES {
+ iifname "perm_dummy" goto filter_FWDI_work
+ iifname "perm_dummy2" goto filter_FWDI_trusted
+ goto filter_FWDI_public
+ }
+
+ chain filter_FORWARD_OUT_ZONES {
+ oifname "perm_dummy" goto filter_FWDO_work
+ oifname "perm_dummy2" goto filter_FWDO_trusted
+ goto filter_FWDO_public
+ }
+
+ chain raw_PRE_public {
+ jump raw_PRE_public_pre
+ jump raw_PRE_public_log
+ jump raw_PRE_public_deny
+ jump raw_PRE_public_allow
+ jump raw_PRE_public_post
+ }
+
+ chain raw_PRE_public_pre {
+ }
+
+ chain raw_PRE_public_log {
+ }
+
+ chain raw_PRE_public_deny {
+ }
+
+ chain raw_PRE_public_allow {
+ }
+
+ chain raw_PRE_public_post {
+ }
+
+ chain filter_IN_public {
+ jump filter_IN_public_pre
+ jump filter_IN_public_log
+ jump filter_IN_public_deny
+ jump filter_IN_public_allow
+ jump filter_IN_public_post
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_IN_public_pre {
+ }
+
+ chain filter_IN_public_log {
+ }
+
+ chain filter_IN_public_deny {
+ }
+
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state { new, untracked } accept
+ ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
+ }
+
+ chain filter_IN_public_post {
+ }
+
+ chain filter_FWDI_public {
+ jump filter_FWDI_public_pre
+ jump filter_FWDI_public_log
+ jump filter_FWDI_public_deny
+ jump filter_FWDI_public_allow
+ jump filter_FWDI_public_post
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_FWDI_public_pre {
+ }
+
+ chain filter_FWDI_public_log {
+ }
+
+ chain filter_FWDI_public_deny {
+ }
+
+ chain filter_FWDI_public_allow {
+ }
+
+ chain filter_FWDI_public_post {
+ }
+
+ chain mangle_PRE_public {
+ jump mangle_PRE_public_pre
+ jump mangle_PRE_public_log
+ jump mangle_PRE_public_deny
+ jump mangle_PRE_public_allow
+ jump mangle_PRE_public_post
+ }
+
+ chain mangle_PRE_public_pre {
+ }
+
+ chain mangle_PRE_public_log {
+ }
+
+ chain mangle_PRE_public_deny {
+ }
+
+ chain mangle_PRE_public_allow {
+ }
+
+ chain mangle_PRE_public_post {
+ }
+
+ chain filter_FWDO_public {
+ jump filter_FWDO_public_pre
+ jump filter_FWDO_public_log
+ jump filter_FWDO_public_deny
+ jump filter_FWDO_public_allow
+ jump filter_FWDO_public_post
+ }
+
+ chain filter_FWDO_public_pre {
+ }
+
+ chain filter_FWDO_public_log {
+ }
+
+ chain filter_FWDO_public_deny {
+ }
+
+ chain filter_FWDO_public_allow {
+ }
+
+ chain filter_FWDO_public_post {
+ }
+
+ chain raw_PRE_trusted {
+ jump raw_PRE_trusted_pre
+ jump raw_PRE_trusted_log
+ jump raw_PRE_trusted_deny
+ jump raw_PRE_trusted_allow
+ jump raw_PRE_trusted_post
+ }
+
+ chain raw_PRE_trusted_pre {
+ }
+
+ chain raw_PRE_trusted_log {
+ }
+
+ chain raw_PRE_trusted_deny {
+ }
+
+ chain raw_PRE_trusted_allow {
+ }
+
+ chain raw_PRE_trusted_post {
+ }
+
+ chain mangle_PRE_trusted {
+ jump mangle_PRE_trusted_pre
+ jump mangle_PRE_trusted_log
+ jump mangle_PRE_trusted_deny
+ jump mangle_PRE_trusted_allow
+ jump mangle_PRE_trusted_post
+ }
+
+ chain mangle_PRE_trusted_pre {
+ }
+
+ chain mangle_PRE_trusted_log {
+ }
+
+ chain mangle_PRE_trusted_deny {
+ }
+
+ chain mangle_PRE_trusted_allow {
+ }
+
+ chain mangle_PRE_trusted_post {
+ }
+
+ chain filter_IN_trusted {
+ jump filter_IN_trusted_pre
+ jump filter_IN_trusted_log
+ jump filter_IN_trusted_deny
+ jump filter_IN_trusted_allow
+ jump filter_IN_trusted_post
+ accept
+ }
+
+ chain filter_IN_trusted_pre {
+ }
+
+ chain filter_IN_trusted_log {
+ }
+
+ chain filter_IN_trusted_deny {
+ }
+
+ chain filter_IN_trusted_allow {
+ }
+
+ chain filter_IN_trusted_post {
+ }
+
+ chain filter_FWDI_trusted {
+ jump filter_FWDI_trusted_pre
+ jump filter_FWDI_trusted_log
+ jump filter_FWDI_trusted_deny
+ jump filter_FWDI_trusted_allow
+ jump filter_FWDI_trusted_post
+ accept
+ }
+
+ chain filter_FWDI_trusted_pre {
+ }
+
+ chain filter_FWDI_trusted_log {
+ }
+
+ chain filter_FWDI_trusted_deny {
+ }
+
+ chain filter_FWDI_trusted_allow {
+ }
+
+ chain filter_FWDI_trusted_post {
+ }
+
+ chain filter_FWDO_trusted {
+ jump filter_FWDO_trusted_pre
+ jump filter_FWDO_trusted_log
+ jump filter_FWDO_trusted_deny
+ jump filter_FWDO_trusted_allow
+ jump filter_FWDO_trusted_post
+ accept
+ }
+
+ chain filter_FWDO_trusted_pre {
+ }
+
+ chain filter_FWDO_trusted_log {
+ }
+
+ chain filter_FWDO_trusted_deny {
+ }
+
+ chain filter_FWDO_trusted_allow {
+ }
+
+ chain filter_FWDO_trusted_post {
+ }
+
+ chain raw_PRE_work {
+ jump raw_PRE_work_pre
+ jump raw_PRE_work_log
+ jump raw_PRE_work_deny
+ jump raw_PRE_work_allow
+ jump raw_PRE_work_post
+ }
+
+ chain raw_PRE_work_pre {
+ }
+
+ chain raw_PRE_work_log {
+ }
+
+ chain raw_PRE_work_deny {
+ }
+
+ chain raw_PRE_work_allow {
+ }
+
+ chain raw_PRE_work_post {
+ }
+
+ chain filter_IN_work {
+ jump filter_IN_work_pre
+ jump filter_IN_work_log
+ jump filter_IN_work_deny
+ jump filter_IN_work_allow
+ jump filter_IN_work_post
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_IN_work_pre {
+ }
+
+ chain filter_IN_work_log {
+ }
+
+ chain filter_IN_work_deny {
+ }
+
+ chain filter_IN_work_allow {
+ tcp dport 22 ct state { new, untracked } accept
+ ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
+ }
+
+ chain filter_IN_work_post {
+ }
+
+ chain mangle_PRE_work {
+ jump mangle_PRE_work_pre
+ jump mangle_PRE_work_log
+ jump mangle_PRE_work_deny
+ jump mangle_PRE_work_allow
+ jump mangle_PRE_work_post
+ }
+
+ chain mangle_PRE_work_pre {
+ }
+
+ chain mangle_PRE_work_log {
+ }
+
+ chain mangle_PRE_work_deny {
+ }
+
+ chain mangle_PRE_work_allow {
+ }
+
+ chain mangle_PRE_work_post {
+ }
+
+ chain filter_FWDI_work {
+ jump filter_FWDI_work_pre
+ jump filter_FWDI_work_log
+ jump filter_FWDI_work_deny
+ jump filter_FWDI_work_allow
+ jump filter_FWDI_work_post
+ meta l4proto { icmp, ipv6-icmp } accept
+ }
+
+ chain filter_FWDI_work_pre {
+ }
+
+ chain filter_FWDI_work_log {
+ }
+
+ chain filter_FWDI_work_deny {
+ }
+
+ chain filter_FWDI_work_allow {
+ }
+
+ chain filter_FWDI_work_post {
+ }
+
+ chain filter_FWDO_work {
+ jump filter_FWDO_work_pre
+ jump filter_FWDO_work_log
+ jump filter_FWDO_work_deny
+ jump filter_FWDO_work_allow
+ jump filter_FWDO_work_post
+ }
+
+ chain filter_FWDO_work_pre {
+ }
+
+ chain filter_FWDO_work_log {
+ }
+
+ chain filter_FWDO_work_deny {
+ }
+
+ chain filter_FWDO_work_allow {
+ }
+
+ chain filter_FWDO_work_post {
+ }
+}
+table ip firewalld {
+ chain nat_PREROUTING {
+ type nat hook prerouting priority dstnat + 10; policy accept;
+ jump nat_PREROUTING_ZONES
+ }
+
+ chain nat_PREROUTING_ZONES {
+ iifname "perm_dummy" goto nat_PRE_work
+ iifname "perm_dummy2" goto nat_PRE_trusted
+ goto nat_PRE_public
+ }
+
+ chain nat_POSTROUTING {
+ type nat hook postrouting priority srcnat + 10; policy accept;
+ jump nat_POSTROUTING_ZONES
+ }
+
+ chain nat_POSTROUTING_ZONES {
+ oifname "perm_dummy" goto nat_POST_work
+ oifname "perm_dummy2" goto nat_POST_trusted
+ goto nat_POST_public
+ }
+
+ chain nat_PRE_public {
+ jump nat_PRE_public_pre
+ jump nat_PRE_public_log
+ jump nat_PRE_public_deny
+ jump nat_PRE_public_allow
+ jump nat_PRE_public_post
+ }
+
+ chain nat_PRE_public_pre {
+ }
+
+ chain nat_PRE_public_log {
+ }
+
+ chain nat_PRE_public_deny {
+ }
+
+ chain nat_PRE_public_allow {
+ }
+
+ chain nat_PRE_public_post {
+ }
+
+ chain nat_POST_public {
+ jump nat_POST_public_pre
+ jump nat_POST_public_log
+ jump nat_POST_public_deny
+ jump nat_POST_public_allow
+ jump nat_POST_public_post
+ }
+
+ chain nat_POST_public_pre {
+ }
+
+ chain nat_POST_public_log {
+ }
+
+ chain nat_POST_public_deny {
+ }
+
+ chain nat_POST_public_allow {
+ }
+
+ chain nat_POST_public_post {
+ }
+
+ chain nat_PRE_trusted {
+ jump nat_PRE_trusted_pre
+ jump nat_PRE_trusted_log
+ jump nat_PRE_trusted_deny
+ jump nat_PRE_trusted_allow
+ jump nat_PRE_trusted_post
+ }
+
+ chain nat_PRE_trusted_pre {
+ }
+
+ chain nat_PRE_trusted_log {
+ }
+
+ chain nat_PRE_trusted_deny {
+ }
+
+ chain nat_PRE_trusted_allow {
+ }
+
+ chain nat_PRE_trusted_post {
+ }
+
+ chain nat_POST_trusted {
+ jump nat_POST_trusted_pre
+ jump nat_POST_trusted_log
+ jump nat_POST_trusted_deny
+ jump nat_POST_trusted_allow
+ jump nat_POST_trusted_post
+ }
+
+ chain nat_POST_trusted_pre {
+ }
+
+ chain nat_POST_trusted_log {
+ }
+
+ chain nat_POST_trusted_deny {
+ }
+
+ chain nat_POST_trusted_allow {
+ }
+
+ chain nat_POST_trusted_post {
+ }
+
+ chain nat_PRE_work {
+ jump nat_PRE_work_pre
+ jump nat_PRE_work_log
+ jump nat_PRE_work_deny
+ jump nat_PRE_work_allow
+ jump nat_PRE_work_post
+ }
+
+ chain nat_PRE_work_pre {
+ }
+
+ chain nat_PRE_work_log {
+ }
+
+ chain nat_PRE_work_deny {
+ }
+
+ chain nat_PRE_work_allow {
+ }
+
+ chain nat_PRE_work_post {
+ }
+
+ chain nat_POST_work {
+ jump nat_POST_work_pre
+ jump nat_POST_work_log
+ jump nat_POST_work_deny
+ jump nat_POST_work_allow
+ jump nat_POST_work_post
+ }
+
+ chain nat_POST_work_pre {
+ }
+
+ chain nat_POST_work_log {
+ }
+
+ chain nat_POST_work_deny {
+ }
+
+ chain nat_POST_work_allow {
+ }
+
+ chain nat_POST_work_post {
+ }
+}
+table ip6 firewalld {
+ chain nat_PREROUTING {
+ type nat hook prerouting priority dstnat + 10; policy accept;
+ jump nat_PREROUTING_ZONES
+ }
+
+ chain nat_PREROUTING_ZONES {
+ iifname "perm_dummy" goto nat_PRE_work
+ iifname "perm_dummy2" goto nat_PRE_trusted
+ goto nat_PRE_public
+ }
+
+ chain nat_POSTROUTING {
+ type nat hook postrouting priority srcnat + 10; policy accept;
+ jump nat_POSTROUTING_ZONES
+ }
+
+ chain nat_POSTROUTING_ZONES {
+ oifname "perm_dummy" goto nat_POST_work
+ oifname "perm_dummy2" goto nat_POST_trusted
+ goto nat_POST_public
+ }
+
+ chain nat_PRE_public {
+ jump nat_PRE_public_pre
+ jump nat_PRE_public_log
+ jump nat_PRE_public_deny
+ jump nat_PRE_public_allow
+ jump nat_PRE_public_post
+ }
+
+ chain nat_PRE_public_pre {
+ }
+
+ chain nat_PRE_public_log {
+ }
+
+ chain nat_PRE_public_deny {
+ }
+
+ chain nat_PRE_public_allow {
+ }
+
+ chain nat_PRE_public_post {
+ }
+
+ chain nat_POST_public {
+ jump nat_POST_public_pre
+ jump nat_POST_public_log
+ jump nat_POST_public_deny
+ jump nat_POST_public_allow
+ jump nat_POST_public_post
+ }
+
+ chain nat_POST_public_pre {
+ }
+
+ chain nat_POST_public_log {
+ }
+
+ chain nat_POST_public_deny {
+ }
+
+ chain nat_POST_public_allow {
+ }
+
+ chain nat_POST_public_post {
+ }
+
+ chain nat_PRE_trusted {
+ jump nat_PRE_trusted_pre
+ jump nat_PRE_trusted_log
+ jump nat_PRE_trusted_deny
+ jump nat_PRE_trusted_allow
+ jump nat_PRE_trusted_post
+ }
+
+ chain nat_PRE_trusted_pre {
+ }
+
+ chain nat_PRE_trusted_log {
+ }
+
+ chain nat_PRE_trusted_deny {
+ }
+
+ chain nat_PRE_trusted_allow {
+ }
+
+ chain nat_PRE_trusted_post {
+ }
+
+ chain nat_POST_trusted {
+ jump nat_POST_trusted_pre
+ jump nat_POST_trusted_log
+ jump nat_POST_trusted_deny
+ jump nat_POST_trusted_allow
+ jump nat_POST_trusted_post
+ }
+
+ chain nat_POST_trusted_pre {
+ }
+
+ chain nat_POST_trusted_log {
+ }
+
+ chain nat_POST_trusted_deny {
+ }
+
+ chain nat_POST_trusted_allow {
+ }
+
+ chain nat_POST_trusted_post {
+ }
+
+ chain nat_PRE_work {
+ jump nat_PRE_work_pre
+ jump nat_PRE_work_log
+ jump nat_PRE_work_deny
+ jump nat_PRE_work_allow
+ jump nat_PRE_work_post
+ }
+
+ chain nat_PRE_work_pre {
+ }
+
+ chain nat_PRE_work_log {
+ }
+
+ chain nat_PRE_work_deny {
+ }
+
+ chain nat_PRE_work_allow {
+ }
+
+ chain nat_PRE_work_post {
+ }
+
+ chain nat_POST_work {
+ jump nat_POST_work_pre
+ jump nat_POST_work_log
+ jump nat_POST_work_deny
+ jump nat_POST_work_allow
+ jump nat_POST_work_post
+ }
+
+ chain nat_POST_work_pre {
+ }
+
+ chain nat_POST_work_log {
+ }
+
+ chain nat_POST_work_deny {
+ }
+
+ chain nat_POST_work_allow {
+ }
+
+ chain nat_POST_work_post {
+ }
+}
diff --git a/tests/shell/testcases/transactions/dumps/0050rule_1.nft b/tests/shell/testcases/transactions/dumps/0050rule_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0050rule_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0051map_0.nodump b/tests/shell/testcases/transactions/dumps/0051map_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0051map_0.nodump
diff --git a/tests/shell/testcases/transactions/dumps/30s-stress.nft b/tests/shell/testcases/transactions/dumps/30s-stress.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/30s-stress.nft
diff --git a/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft b/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft
diff --git a/tests/shell/testcases/transactions/dumps/bad_expression.nft b/tests/shell/testcases/transactions/dumps/bad_expression.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/bad_expression.nft
diff --git a/tests/shell/testcases/transactions/dumps/table_onoff.nft b/tests/shell/testcases/transactions/dumps/table_onoff.nft
new file mode 100644
index 0000000..038be1c
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/table_onoff.nft
@@ -0,0 +1,8 @@
+table ip t {
+ flags dormant
+
+ chain c {
+ type filter hook input priority filter; policy accept;
+ ip daddr 127.0.0.42 counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/transactions/table_onoff b/tests/shell/testcases/transactions/table_onoff
new file mode 100755
index 0000000..831d461
--- /dev/null
+++ b/tests/shell/testcases/transactions/table_onoff
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# attempt to re-awaken a table that is flagged dormant within
+# same transaction
+$NFT -f - <<EOF
+add table ip t
+add table ip t { flags dormant; }
+add chain ip t c { type filter hook input priority 0; }
+add table ip t
+delete table ip t
+EOF
+
+if [ $? -eq 0 ]; then
+ exit 1
+fi
+
+set -e
+
+ip link set lo up
+
+# add a dormant table, then wake it up in same
+# transaction.
+$NFT -f - <<EOF
+add table ip t { flags dormant; }
+add chain ip t c { type filter hook input priority 0; }
+add rule ip t c ip daddr 127.0.0.42 counter
+add table ip t
+EOF
+
+# check table is indeed active.
+ping -c 1 127.0.0.42
+$NFT list chain ip t c | grep "counter packets 1"
+$NFT delete table ip t
+
+# allow to flag table dormant.
+$NFT -f - <<EOF
+add table ip t
+add chain ip t c { type filter hook input priority 0; }
+add rule ip t c ip daddr 127.0.0.42 counter
+add table ip t { flags dormant; }
+EOF
+
+ping -c 1 127.0.0.42
+# expect run-tests.sh to complain if counter isn't 0.
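Review bot: The activity check `$NFT list chain ip t c | grep "counter packets 1"` is a prefix match, so a counter of 10 or 100 would also pass. The dump in this commit prints the form `counter packets 0 bytes 0`, so `grep -q "counter packets 1 bytes"` would pin the count to exactly one packet. The opening negative case only tests `$?`, so any nft failure counts as success, including one unrelated to the dormant flag, and nothing confirms that the rejected batch left no table behind. Adding `$NFT list table ip t 2>/dev/null && exit 1` after the first `fi`, before `set -e`, would cover the rollback part. A one-line comment above `ip link set lo up` stating that the script expects an isolated network namespace (presumably provided by run-tests.sh) would make that dependency explicit.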