Diffstat (limited to 'tests/shell/testcases/rule_management')
24 files changed, 474 insertions, 0 deletions
diff --git a/tests/shell/testcases/rule_management/0001addinsertposition_0 b/tests/shell/testcases/rule_management/0001addinsertposition_0
new file mode 100755
index 0000000..237e9e3
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0001addinsertposition_0
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+
+RULESET="flush ruleset
+table ip t {
+ chain c {
+ accept
+ accept
+ }
+}"
+
+EXPECTED="table ip t {
+ chain c {
+ accept
+ drop
+ accept
+ }
+}"
+
+for arg in "position 2" "handle 2" "index 0"; do
+ $NFT -f - <<< "$RULESET"
+ $NFT add rule t c $arg drop || {
+ $NFT list ruleset
+ exit 1
+ }
+
+ GET="$($NFT list ruleset)"
+ if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+ fi
+done
+
+for arg in "position 3" "handle 3" "index 1"; do
+ $NFT -f - <<< "$RULESET"
+ $NFT insert rule t c $arg drop
+
+ GET="$($NFT list ruleset)"
+ if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+ fi
+done
+
+EXPECTED="table ip t {
+ chain c {
+ accept
+ accept
+ drop
+ }
+}"
+
+for arg in "position 3" "handle 3" "index 1"; do
+ $NFT -f - <<< "$RULESET"
+ $NFT add rule t c $arg drop
+
+ GET="$($NFT list ruleset)"
+ if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+ fi
+done
+
+EXPECTED="table ip t {
+ chain c {
+ drop
+ accept
+ accept
+ }
+}"
+
+for arg in "position 2" "handle 2" "index 0"; do
+ $NFT -f - <<< "$RULESET"
+ $NFT insert rule t c $arg drop
+
+ GET="$($NFT list ruleset)"
+ if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+ fi
+done
diff --git a/tests/shell/testcases/rule_management/0002addinsertlocation_1 b/tests/shell/testcases/rule_management/0002addinsertlocation_1
new file mode 100755
index 0000000..920032f
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0002addinsertlocation_1
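Review bot: The `handle 2` and `handle 3` arguments in the four loops assume the kernel gives the first accept rule handle 2 and the second handle 3, which depends on handle allocation order inside table `t` rather than on anything the test controls; 0004replace_0, 0007delete_0 and 0010replace_0 in this series hard-code handles the same way. 0012destroy_0 shows the robust form, reading the handle back with `$NFT -a -e ... | sed`, and the same could replace the literals here. Separately, `$arg` on the add/insert lines is deliberately unquoted so that `"position 2"` splits into keyword and value; a `# shellcheck disable=SC2086 -- $arg is intentionally word-split into keyword and value` comment above the first loop would stop that reading as a quoting bug.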
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# test rule adding with invalid position/handle/index value
+
+RULESET="flush ruleset
+table ip t {
+ chain c {
+ accept
+ accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+for cmd in add insert; do
+ for keyword in position handle index; do
+ $NFT $cmd rule t c $keyword 5 drop 2>/dev/null || continue
+
+ echo "E: invalid $keyword value allowed in $cmd command" >&2
+ exit 1
+ done
+done
+exit 0
diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0
new file mode 100755
index 0000000..c343d57
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0003insert_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT insert rule t c accept
+$NFT insert rule t c drop
+$NFT insert rule t c masquerade
+
+# check 'evaluate: un-break rule insert with intervals'
+
+$NFT insert rule t c tcp sport { 3478-3497, 16384-16387 }
diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0
new file mode 100755
index 0000000..c3329af
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0004replace_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT add rule t c accept # should have handle 2
+$NFT replace rule t c handle 2 drop
diff --git a/tests/shell/testcases/rule_management/0005replace_1 b/tests/shell/testcases/rule_management/0005replace_1
new file mode 100755
index 0000000..d8d6447
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0005replace_1
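Review bot: The `$NFT -f - <<< "$RULESET"` load in 0002addinsertlocation_1 is unchecked and the script has no `set -e`, so if the load fails every `$NFT $cmd rule t c $keyword 5 drop` attempt fails for the unrelated reason that table `t` does not exist, `|| continue` swallows it, and the test reports success without ever exercising the invalid-position path. A one-line guard, `$NFT -f - <<< "$RULESET" || exit 1`, makes that failure visible. The harness presumably compares the final ruleset against dumps/0002addinsertlocation_1.nft, which would likely catch a missing ruleset too, but the script should not depend on that.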
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+# kernel should return ENOENT
+
+$NFT replace rule t c handle 2 drop 2>/dev/null || exit 0
+echo "E: missing kernel ENOENT" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0006replace_1 b/tests/shell/testcases/rule_management/0006replace_1
new file mode 100755
index 0000000..b728310
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0006replace_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# position keyword with replace action is not allowed, this should fail
+$NFT replace rule t c position 2 drop 2>/dev/null || exit 0
+echo "E: allowed replace with position specification" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0007delete_0 b/tests/shell/testcases/rule_management/0007delete_0
new file mode 100755
index 0000000..11376cc
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0007delete_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT add rule t c accept # should have handle 2
+$NFT add rule t c drop # should have handle 3
+$NFT delete rule t c handle 2
diff --git a/tests/shell/testcases/rule_management/0008delete_1 b/tests/shell/testcases/rule_management/0008delete_1
new file mode 100755
index 0000000..d1900d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0008delete_1
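Review bot: `$NFT replace rule t c handle 2 drop 2>/dev/null || exit 0` in 0005replace_1 treats any non-zero exit as the expected kernel ENOENT, so a parse error, a missing `$NFT` binary or a netlink transport failure also passes, and the discarded stderr leaves nothing to tell those cases apart; 0009delete_1 has the same shape. Capturing stderr into a variable and checking it for the ENOENT wording before `exit 0` would pin the test to the failure it is named for. 0006replace_1 and 0008delete_1 discard stderr the same way, though there the rejection is meant to come from nft's own evaluation rather than the kernel, so the distinction matters less.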
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# this should fail, we don't allow delete with position
+$NFT delete rule t c position 2 drop 2>/dev/null || exit 0
+echo "E: allowed position spec with delete action" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0009delete_1 b/tests/shell/testcases/rule_management/0009delete_1
new file mode 100755
index 0000000..8751fec
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0009delete_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# kernel ENOENT
+$NFT delete rule t c handle 3333 2>/dev/null || exit 0
+echo "E: missing kernel ENOENT" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0010replace_0 b/tests/shell/testcases/rule_management/0010replace_0
new file mode 100755
index 0000000..cd69a89
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0010replace_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# test for kernel commit ca08987885a147643817d02bf260bc4756ce8cd4
+# ("netfilter: nf_tables: deactivate expressions in rule replecement routine")
+
+set -e
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add rule ip t c1 jump c2
+$NFT replace rule ip t c1 handle 3 accept
+$NFT flush ruleset
diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0
new file mode 100755
index 0000000..33eadd9
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0011reset_0
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_rule)
+
+set -e
+
+echo "loading ruleset"
+$NFT -f - <<EOF
+table ip t {
+ set s {
+ type ipv4_addr
+ counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
+ }
+ chain c {
+ counter packets 1 bytes 11 update @s { ip saddr } accept
+ counter packets 2 bytes 12 drop
+ }
+
+ chain c2 {
+ counter packets 3 bytes 13 accept
+ counter packets 4 bytes 14 drop
+ }
+}
+table inet t {
+ chain c {
+ counter packets 5 bytes 15 accept
+ counter packets 6 bytes 16 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 7 bytes 17 accept
+ counter packets 8 bytes 18 drop
+ }
+}
+EOF
+
+echo "resetting specific rule"
+handle=$($NFT -a list chain t c | sed -n 's/.*accept # handle \([0-9]*\)$/\1/p')
+$NFT reset rule t c handle $handle
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 2 bytes 12 drop
+ }
+
+ chain c2 {
+ counter packets 3 bytes 13 accept
+ counter packets 4 bytes 14 drop
+ }
+}
+table inet t {
+ chain c {
+ counter packets 5 bytes 15 accept
+ counter packets 6 bytes 16 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 7 bytes 17 accept
+ counter packets 8 bytes 18 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT list ruleset)
+
+echo "resetting specific chain"
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ }
+
+ chain c2 {
+ counter packets 3 bytes 13 accept
+ counter packets 4 bytes 14 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules chain t c2)
+
+echo "resetting specific table"
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 2 bytes 12 drop
+ }
+
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules table t)
+
+echo "resetting specific family"
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 0 bytes 0 drop
+ }
+
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 7 bytes 17 accept
+ counter packets 8 bytes 18 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules ip)
+
+echo "resetting whole ruleset"
+EXPECT='table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 0 bytes 0 drop
+ }
+
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
+table inet t {
+ chain c {
+ counter packets 5 bytes 15 accept
+ counter packets 6 bytes 16 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules)
diff --git a/tests/shell/testcases/rule_management/0012destroy_0 b/tests/shell/testcases/rule_management/0012destroy_0
new file mode 100755
index 0000000..a058150
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0012destroy_0
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table t
+$NFT add chain t c
+
+# pass for non-existent rule
+$NFT destroy rule t c handle 3333
+
+# successfully delete existing rule
+handle=$($NFT -a -e insert rule t c accept | \
+ sed -n 's/.*handle \([0-9]*\)$/\1/p')
+$NFT destroy rule t c handle "$handle"
diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft
new file mode 100644
index 0000000..527d79d
--- /dev/null
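Review bot: In 0011reset_0, `$NFT reset rule t c handle $handle` passes the handle extracted by `sed` unquoted and without checking that the extraction matched anything; if the `-a list chain` output ever differs from what the `accept # handle N` pattern expects, `handle` is empty and the failure surfaces as an nft syntax error on the reset line rather than as a message about the missing handle. Adding `[ -n "$handle" ] || { echo "E: could not determine rule handle" >&2; exit 1; }` after the assignment, and writing `handle "$handle"` on the reset line as 0012destroy_0 already does, would make that clearer and consistent across the series.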
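Review bot: `#!/bin/bash -e` in 0012destroy_0 puts the errexit option in the shebang, where it is lost whenever the harness runs the script as `bash <file>` instead of executing it directly; every other script in this series uses `set -e` in the body. Replacing the shebang with `#!/bin/bash` followed by `set -e` keeps the behaviour regardless of how the file is invoked. Note also that the `handle=$(... | sed ...)` pipeline runs without `pipefail`, so a failed `insert` only surfaces indirectly when the following `destroy` is given an empty handle.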
+++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ chain c {
+ drop
+ accept
+ accept
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft
new file mode 100644
index 0000000..b76cd93
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ accept
+ accept
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft
new file mode 100644
index 0000000..b1875ab
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft
@@ -0,0 +1,8 @@
+table ip t {
+ chain c {
+ tcp sport { 3478-3497, 16384-16387 }
+ masquerade
+ drop
+ accept
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
new file mode 100644
index 0000000..e20952e
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ chain c {
+ drop
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft
new file mode 100644
index 0000000..e20952e
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ chain c {
+ drop
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft
diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
new file mode 100644
index 0000000..3b4f5a1
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
@@ -0,0 +1,31 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
+ }
+
+ chain c {
+ counter packets 0 bytes 0 update @s { ip saddr } accept
+ counter packets 0 bytes 0 drop
+ }
+
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
+table inet t {
+ chain c {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
+table ip t2 {
+ chain c2 {
+ counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 drop
+ }
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft
@@ -0,0 +1,4 @@
+table ip t {
+ chain c {
+ }
+} |