Diffstat (limited to 'tests/shell/testcases/netns')
-rwxr-xr-x | tests/shell/testcases/netns/0001nft-f_0 | 99 | ||||
-rwxr-xr-x | tests/shell/testcases/netns/0002loosecommands_0 | 61 | ||||
-rwxr-xr-x | tests/shell/testcases/netns/0003many_0 | 113 | ||||
-rw-r--r-- | tests/shell/testcases/netns/dumps/0001nft-f_0.nft | 0 | ||||
-rw-r--r-- | tests/shell/testcases/netns/dumps/0002loosecommands_0.nft | 0 | ||||
-rw-r--r-- | tests/shell/testcases/netns/dumps/0003many_0.nft | 0 |
6 files changed, 273 insertions, 0 deletions
diff --git a/tests/shell/testcases/netns/0001nft-f_0 b/tests/shell/testcases/netns/0001nft-f_0
new file mode 100755
index 0000000..a591f2c
--- /dev/null
+++ b/tests/shell/testcases/netns/0001nft-f_0
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table ip6 t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table bridge t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}
+table arp t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}"
+
+# netns
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+fi
+
+$IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset in netns" >&2
+ $IP netns del $NETNS_NAME
+ exit 1
+fi
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/netns/0002loosecommands_0 b/tests/shell/testcases/netns/0002loosecommands_0
new file mode 100755
index 0000000..231f1fb
--- /dev/null
+++ b/tests/shell/testcases/netns/0002loosecommands_0
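Review bot: `$NFT` and `$DIFF` are used without any guard at the `$IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"` and `$DIFF -u` lines, while only the `ip` binary is checked; if the harness does not export them, `ip netns exec` receives `-f -` as the command to run and the failure is reported as "unable to load ruleset", which misleads whoever debugs it. A guard next to the `ip` check makes the precondition explicit: `: "${NFT:?E: NFT not set}" "${DIFF:?E: DIFF not set}"`. The script also has no exit trap, so a run killed between `netns add` and `netns del` leaves a namespace named after the script behind and every later run then fails at `netns add`; `trap '$IP netns del "$NETNS_NAME" 2>/dev/null' EXIT` right after the successful add would cover that, and the explicit `del` calls could then go. Minor: `which ip` is better written `command -v ip`, and `$NETNS_NAME` should be quoted in the `ip` calls. The same points apply to the hunks for 0002loosecommands_0 and 0003many_0.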
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+function netns_exec()
+{
+ # $1: netns_name $2: command
+ $IP netns exec $1 $2
+ if [ $? -ne 0 ] ; then
+ echo "E: failed to execute command in netns $1: $2" >&2
+ $IP netns del $1
+ exit 1
+ fi
+}
+
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+fi
+
+netns_exec $NETNS_NAME "$NFT add table ip t"
+netns_exec $NETNS_NAME "$NFT add chain ip t c"
+netns_exec $NETNS_NAME "$NFT add chain ip t other"
+netns_exec $NETNS_NAME "$NFT add set ip t s { type ipv4_addr; }"
+netns_exec $NETNS_NAME "$NFT add element ip t s {1.1.0.0 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ct state new"
+netns_exec $NETNS_NAME "$NFT add rule ip t c udp dport { 12345, 54321 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ip saddr @s drop"
+netns_exec $NETNS_NAME "$NFT add rule ip t c jump other"
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}"
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/netns/0003many_0 b/tests/shell/testcases/netns/0003many_0
new file mode 100755
index 0000000..afe9117
--- /dev/null
+++ b/tests/shell/testcases/netns/0003many_0
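Review bot: `netns_exec` depends on the unquoted `$2` in `$IP netns exec $1 $2` being word-split back into an argument vector; that is the only reason `"$NFT add set ip t s { type ipv4_addr; }"` works (the `;` survives because expansion results are not re-parsed), and it will silently break for any future command that contains a glob character or needs an argument with embedded spaces. If the design is kept it should be documented where the next reader will trip over it, e.g. replace the `# $1: netns_name $2: command` comment with `# $1: netns name; $2: command line, intentionally unquoted so it is word-split into argv (no globs or quoted args allowed)`. Unlike 0001nft-f_0 the script ends without `exit 0`, so its status is that of the final `if`, which happens to be 0 when the comparison passes; an explicit `exit 0` after `fi` would make the intent clear and keep the three tests consistent.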
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# test using many netns
+
+# arbitry value of 'many'
+HOWMANY=20
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table ip6 t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1 }
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345, 54321 }
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table bridge t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}
+table arp t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}"
+
+function test_netns()
+{
+ local NETNS_NAME=$1
+ $IP netns add $NETNS_NAME
+ if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+ fi
+
+ $IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"
+ if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset in netns" >&2
+ $IP netns del $NETNS_NAME
+ exit 1
+ fi
+
+ KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+ if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ echo "E: ruleset in netns $NETNS_NAME differs from the loaded" >&2
+ $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ $IP netns del $NETNS_NAME
+ exit 1
+ fi
+
+ $IP netns del $NETNS_NAME
+}
+
+for i in $(seq 1 $HOWMANY) ; do
+ NETNS_NAME="$netns${i}_$(basename "$0")"
+ test_netns $NETNS_NAME
+done
+
+exit 0
diff --git a/tests/shell/testcases/netns/dumps/0001nft-f_0.nft b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft
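Review bot: `NETNS_NAME="$netns${i}_$(basename "$0")"` in the loop at the bottom references a variable `netns` that is never set, so the name expands to `1_0003many_0`, `2_0003many_0`, … rather than the `netns1_…` prefix the expression appears to intend; the literal was presumably meant, `NETNS_NAME="netns${i}_$(basename "$0")"`. Under `set -u` this would have aborted on the first iteration, which is an argument for enabling it in these scripts. Inside `test_netns`, `KERNEL_RULESET` is assigned without `local` although `NETNS_NAME` is, so it leaks into the caller's scope across iterations; `local KERNEL_RULESET` keeps the function self-contained. `for i in $(seq 1 $HOWMANY)` can be the builtin `for ((i = 1; i <= HOWMANY; i++))`, and "arbitry" in the comment is a typo for "arbitrary".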
diff --git a/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft
diff --git a/tests/shell/testcases/netns/dumps/0003many_0.nft b/tests/shell/testcases/netns/dumps/0003many_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0003many_0.nft
|