-rw-r--r--Makefile.am2
-rw-r--r--configure.ac2
-rw-r--r--examples/rule.xml85
-rwxr-xr-xtest/nft-chain-xml-add.sh123
-rwxr-xr-xtest/nft-rule-xml-add.sh125
-rwxr-xr-xtest/nft-table-xml-add.sh75
-rw-r--r--tests/Makefile.am6
-rw-r--r--tests/nft-parsing-test.c111
-rw-r--r--tests/xmlfiles/01-table.xml (renamed from examples/table.xml)2
-rw-r--r--tests/xmlfiles/02-table.xml6
-rw-r--r--tests/xmlfiles/10-chain.xml11
-rw-r--r--tests/xmlfiles/11-chain.xml (renamed from examples/chain.xml)10
-rw-r--r--tests/xmlfiles/12-chain.xml11
-rw-r--r--tests/xmlfiles/20-rule-bitwise.xml25
-rw-r--r--tests/xmlfiles/21-rule-byteorder.xml12
-rw-r--r--tests/xmlfiles/22-rule-cmp.xml13
-rw-r--r--tests/xmlfiles/23-rule-counter.xml8
-rw-r--r--tests/xmlfiles/24-rule-ct.xml10
-rw-r--r--tests/xmlfiles/25-rule-exthdr.xml9
-rw-r--r--tests/xmlfiles/26-rule-immediate.xml12
-rw-r--r--tests/xmlfiles/26-rule-limit.xml7
-rw-r--r--tests/xmlfiles/28-rule-log.xml9
-rw-r--r--tests/xmlfiles/29-rule-lookup.xml8
-rw-r--r--tests/xmlfiles/30-rule-match.xml6
-rw-r--r--tests/xmlfiles/31-rule-meta.xml7
-rw-r--r--tests/xmlfiles/32-rule-nat6.xml11
-rw-r--r--tests/xmlfiles/33-rule-nat4.xml11
-rw-r--r--tests/xmlfiles/34-rule-payload.xml9
-rw-r--r--tests/xmlfiles/35-rule-target.xml6
29 files changed, 316 insertions, 416 deletions
diff --git a/Makefile.am b/Makefile.am
index 6999f51..d5f6e40 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@ include $(top_srcdir)/Make_global.am
ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = src include examples
+SUBDIRS = src include examples tests
DIST_SUBDIRS = src include examples
pkgconfigdir = $(libdir)/pkgconfig
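Review bot: `tests` is added to SUBDIRS, but the explicit `DIST_SUBDIRS = src include examples` on the next line is left unchanged. Because automake uses an explicit DIST_SUBDIRS for `make dist`, the new directory would presumably be left out of the release tarball while the build still recurses into it. Extending the line to `DIST_SUBDIRS = src include examples tests` keeps the two lists in step. The rest of Makefile.am is outside this hunk, so confirm nothing else distributes the directory.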
diff --git a/configure.ac b/configure.ac
index 0eec5bd..c8075e9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,5 +38,5 @@ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
-Wformat=2 -pipe"
AC_SUBST([regular_CPPFLAGS])
AC_SUBST([regular_CFLAGS])
-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/libnftables/Makefile include/linux/Makefile include/linux/netfilter/Makefile examples/Makefile libnftables.pc doxygen.cfg])
+AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/libnftables/Makefile include/linux/Makefile include/linux/netfilter/Makefile examples/Makefile tests/Makefile libnftables.pc doxygen.cfg])
AC_OUTPUT
diff --git a/examples/rule.xml b/examples/rule.xml
deleted file mode 100644
index b1de25a..0000000
--- a/examples/rule.xml
+++ /dev/null
@@ -1,85 +0,0 @@
-<?xml version="1.0"?>
-<rule family="2" table="filter" chain="INPUT" handle="100" version="0">
- <rule_flags>0</rule_flags>
- <flags>127</flags>
- <compat_flags>0</compat_flags>
- <compat_proto>0</compat_proto>
- <expr type="meta">
- <dreg>1</dreg>
- <key>4</key>
- </expr>
- <expr type="cmp">
- <sreg>1</sreg>
- <op>eq</op>
- <cmpdata>
- <data_reg type="value">
- <len>1</len>
- <data0>0x04000000</data0>
- </data_reg>
- </cmpdata>
- </expr>
- <expr type="payload">
- <dreg>1</dreg>
- <base>1</base>
- <offset>12</offset>
- <len>4</len>
- </expr>
- <expr type="cmp">
- <sreg>1</sreg>
- <op>eq</op>
- <cmpdata>
- <data_reg type="value">
- <len>1</len>
- <data0>0x96d60496</data0>
- </data_reg>
- </cmpdata>
- </expr>
- <expr type="payload">
- <dreg>1</dreg>
- <base>1</base>
- <offset>16</offset>
- <len>4</len>
- </expr>
- <expr type="cmp">
- <sreg>1</sreg>
- <op>eq</op>
- <cmpdata>
- <data_reg type="value">
- <len>1</len>
- <data0>0x96d60329</data0>
- </data_reg>
- </cmpdata>
- </expr>
- <expr type="payload">
- <dreg>1</dreg>
- <base>1</base>
- <offset>9</offset>
- <len>1</len>
- </expr>
- <expr type="cmp">
- <sreg>1</sreg>
- <op>eq</op>
- <cmpdata>
- <data_reg type="value">
- <len>1</len>
- <data0>0x06000000</data0>
- </data_reg>
- </cmpdata>
- </expr>
- <expr type="match">
- <name>state</name>
- <rev>0</rev>
- <info>
- </info>
- </expr>
- <expr type="counter">
- <pkts>123123</pkts>
- <bytes>321321</bytes>
- </expr>
- <expr type="target">
- <name>LOG</name>
- <rev>0</rev>
- <info>
- </info>
- </expr>
-</rule>
diff --git a/test/nft-chain-xml-add.sh b/test/nft-chain-xml-add.sh
deleted file mode 100755
index ed39d54..0000000
--- a/test/nft-chain-xml-add.sh
+++ /dev/null
@@ -1,123 +0,0 @@
-#!/bin/bash
-
-#
-# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-
-# This is a small testbench for adding nftables chains to kernel
-# in XML format.
-
-BINARY="../examples/nft-chain-xml-add"
-NFT=$( which nft )
-MKTEMP=$( which mktemp)
-TMPFILE=$( $MKTEMP )
-
-if [ ! -x "$BINARY" ] ; then
- echo "E: Binary not found $BINARY"
- exit 1
-fi
-
-if [ ! -x "$MKTEMP" ] ; then
- echo "E: mktemp not found and is neccesary"
- exit 1
-fi
-
-if [ ! -w "$TMPFILE" ] ; then
- echo "E: Unable to create temp file via mktemp"
- exit 1
-fi
-
-[ ! -x "$NFT" ] && echo "W: nftables main binary not found but continuing anyway $NFT"
-
-XML="<chain name=\"test1\" handle=\"100\" bytes=\"123\" packets=\"321\" version=\"0\">
- <properties>
- <type>filter</type>
- <table>filter</table>
- <prio>0</prio>
- <use>0</use>
- <hooknum>NF_INET_LOCAL_IN</hooknum>
- <policy>accept</policy>
- <family>ip</family>
- </properties>
-</chain>"
-
-$NFT delete chain ip filter test1 2>/dev/null >&2
-echo $XML > $TMPFILE
-if ! $BINARY "$TMPFILE" ; then
- echo "E: Unable to add XML:"
- echo "$XML"
- exit 1
-fi
-
-# This is valid (as long as the table exist)
-XML="<chain name=\"test2\" handle=\"101\" bytes=\"59\" packets=\"1\" version=\"0\">
- <properties>
- <type>filter</type>
- <table>filter</table>
- <prio>1</prio>
- <use>0</use>
- <hooknum>NF_INET_POST_ROUTING</hooknum>
- <policy>accept</policy>
- <family>ip6</family>
- </properties>
-</chain>"
-
-$NFT delete chain ip6 filter test2 2>/dev/null >&2
-echo $XML > $TMPFILE
-if ! $BINARY "$TMPFILE" ; then
- echo "E: Unable to add XML:"
- echo "$XML"
- rm -rf $TMPFILE 2>/dev/null
- exit 1
-fi
-
-# This is valid (as long as the table exist)
-XML="<chain name=\"test3\" handle=\"102\" bytes=\"51231239\" packets=\"1123123123\" version=\"0\">
- <properties>
- <type>filter</type>
- <table>filter</table>
- <prio>0</prio>
- <use>0</use>
- <hooknum>NF_INET_FORWARD</hooknum>
- <policy>drop</policy>
- <family>ip</family>
- </properties>
-</chain>"
-
-$NFT delete chain ip6 filter test3 2>/dev/null >&2
-echo $XML > $TMPFILE
-if ! $BINARY "$TMPFILE" ; then
- echo "E: Unable to add XML:"
- echo "$XML"
- rm -rf $TMPFILE 2>/dev/null
- exit 1
-fi
-
-# This is invalid
-XML="<chain name=\"XXXX\" handle=\"XXXX\" bytes=\"XXXXXXX\" packets=\"XXXXXXX\" >
- <properties>
- <flags>asdasd</flags>
- <type>filter</type>
- <table>filter</table>
- <prio>asdasd</prio>
- <use>asdasd</use>
- <hooknum>asdasd</hooknum>
- <policy>asdasd</policy>
- <family>asdasd</family>
- </properties>
- </chain>"
-
-if $BINARY "$XML" 2>/dev/null; then
- echo "E: Accepted invalid XML:"
- echo "$XML"
- rm -rf $TMPFILE 2>/dev/null
- exit 1
-fi
-
-rm -rf $TMPFILE 2>/dev/null
-echo "I: Test OK"
diff --git a/test/nft-rule-xml-add.sh b/test/nft-rule-xml-add.sh
deleted file mode 100755
index 2a052b2..0000000
--- a/test/nft-rule-xml-add.sh
+++ /dev/null
@@ -1,125 +0,0 @@
-#!/bin/bash
-
-#
-# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-
-# This is a small testbench for adding nftables rules to kernel
-# in XML format.
-
-BINARY="../examples/nft-rule-xml-add"
-NFT="$( which nft )"
-MKTEMP="$( which mktemp )"
-TMPFILE="$( $MKTEMP )"
-
-if [ ! -x "$BINARY" ] ; then
- echo "E: Binary not found $BINARY"
- exit 1
-fi
-
-if [ ! -x "$MKTEMP" ] ; then
- echo "E: mktemp not found. Is mandatory."
- exit 1
-fi
-
-if [ ! -w "$TMPFILE" ] ; then
- echo "E: Unable to create tempfile with mktemp"
- exit 1
-fi
-
-[ ! -x "$NFT" ] && echo "W: nftables main binary not found but continuing anyway $NFT"
-
-XML="<rule family=\"ip\" table=\"filter\" chain=\"INPUT\" handle=\"100\" version=\"0\">
- <rule_flags>0</rule_flags>
- <compat_flags>0</compat_flags>
- <compat_proto>0</compat_proto>
- <expr type=\"meta\">
- <dreg>1</dreg>
- <key>iif</key>
- </expr>
- <expr type=\"cmp\">
- <sreg>1</sreg>
- <op>eq</op>
- <cmpdata>
- <data_reg type=\"value\">
- <len>4</len>
- <data0>0x04000000</data0>
- </data_reg>
- </cmpdata>
- </expr>
- <expr type=\"payload\">
- <dreg>1</dreg>
- <base>transport</base>
- <offset>12</offset>
- <len>4</len>
- </expr>
- <expr type=\"cmp\">
- <sreg>1</sreg>
- <op>eq</op>
- <cmpdata>
- <data_reg type=\"value\">
- <len>4</len>
- <data0>0x96d60496</data0>
- </data_reg>
- </cmpdata>
- </expr>
- <expr type=\"payload\">
- <dreg>1</dreg>
- <base>link</base>
- <offset>16</offset>
- <len>4</len>
- </expr>
- <expr type=\"cmp\">
- <sreg>1</sreg>
- <op>eq</op>
- <cmpdata>
- <data_reg type=\"value\">
- <len>4</len>
- <data0>0x96d60329</data0>
- </data_reg>
- </cmpdata>
- </expr>
- <expr type=\"payload\">
- <dreg>1</dreg>
- <base>network</base>
- <offset>9</offset>
- <len>1</len>
- </expr>
- <expr type=\"cmp\">
- <sreg>1</sreg>
- <op>eq</op>
- <cmpdata>
- <data_reg type=\"value\">
- <len>4</len>
- <data0>0x06000000</data0>
- </data_reg>
- </cmpdata>
- </expr>
- <expr type=\"match\">
- <name>state</name>
- </expr>
- <expr type=\"counter\">
- <pkts>123123</pkts>
- <bytes>321321</bytes>
- </expr>
- <expr type=\"target\">
- <name>LOG</name>
- </expr>
-</rule>"
-
-$NFT add table filter 2>/dev/null >&2
-$NFT add chain filter INPUT 2>/dev/null >&2
-
-echo $XML > $TMPFILE
-if ! $BINARY "$TMPFILE" ; then
- echo "E: Unable to add XML."
- rm -rf $TMPFILE 2>/dev/null
- exit 1
-fi
-
-rm -rf $TMPFILE 2>/dev/null
-echo "I: Test OK"
diff --git a/test/nft-table-xml-add.sh b/test/nft-table-xml-add.sh
deleted file mode 100755
index 30b65e1..0000000
--- a/test/nft-table-xml-add.sh
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/bin/bash
-
-#
-# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-
-# This is a small testbench for adding nftables tables to kernel
-# in XML format.
-
-BINARY="../examples/nft-table-xml-add"
-NFT="$( which nft )"
-MKTEMP="$( which mktemp)"
-TMPFILE="$( $MKTEMP )"
-
-if [ ! -x "$BINARY" ] ; then
- echo "E: Binary not found $BINARY"
- exit 1
-fi
-
-if [ ! -x "$MKTEMP" ] ; then
- echo "E: mktemp not found and is neccesary"
- exit 1
-fi
-
-if [ ! -w "$TMPFILE" ] ; then
- echo "E: Unable to create temp file via mktemp"
- exit 1
-fi
-
-
-if [ ! -x "$NFT" ] ; then
- echo "W: nftables main binary not found but continuing anyway $NFT"
-fi
-
-# This is valid
-XML="<table name=\"filter_test\" version=\"0\">
- <properties>
- <family>ip</family>
- <table_flags>0</table_flags>
- </properties>
-</table>"
-
-$NFT delete table filter_test 2>/dev/null >&2
-echo $XML > $TMPFILE
-if ! $BINARY "$TMPFILE" ; then
- echo "E: Unable to add XML:"
- echo "$XML"
- rm -rf $TMPFILE 2>/dev/null
- exit 1
-fi
-
-# This is valid
-XML="<table name=\"filter6_test\" version=\"0\">
- <properties>
- <family>ip6</family>
- <table_flags>0</table_flags>
- </properties>
-</table>"
-
-$NFT delete table filter6_test 2>/dev/null >&2
-echo $XML > $TMPFILE
-if ! $BINARY "$TMPFILE" ; then
- echo "E: Unable to add XML:"
- echo "$XML"
- rm -rf $TMPFILE 2>/dev/null
- exit 1
-fi
-
-rm -rf $TMPFILE 2>/dev/null
-echo "I: Test OK"
diff --git a/tests/Makefile.am b/tests/Makefile.am
new file mode 100644
index 0000000..6941c3c
--- /dev/null
+++ b/tests/Makefile.am
@@ -0,0 +1,6 @@
+include $(top_srcdir)/Make_global.am
+
+check_PROGRAMS = nft-parsing-test
+
+nft_parsing_test_SOURCES = nft-parsing-test.c
+nft_parsing_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS}
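Review bot: `check_PROGRAMS` makes `make check` build nft-parsing-test, but no `TESTS` is set, so the parser test is compiled and never run. The program takes the fixture directory as argv[1], so listing it in `TESTS` needs either a small wrapper script or a default path in the program. The fixtures are not listed for distribution either; `EXTRA_DIST = xmlfiles` would ship them with the tarball. It is also worth confirming that `${LIBXML_LIBS}` is the variable configure.ac substitutes for the Mini-XML library that nft-parsing-test.c pulls in through `<mxml.h>`.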
diff --git a/tests/nft-parsing-test.c b/tests/nft-parsing-test.c
new file mode 100644
index 0000000..55bb9ec
--- /dev/null
+++ b/tests/nft-parsing-test.c
@@ -0,0 +1,111 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dirent.h>
+#include <limits.h>
+#include <errno.h>
+
+#include <libmnl/libmnl.h> /*nlmsghdr*/
+#include <libnftables/table.h>
+#include <libnftables/chain.h>
+#include <libnftables/rule.h>
+
+#ifdef XML_PARSING
+#include <mxml.h>
+#endif
+
+static int test_xml(const char *filename)
+{
+#ifdef XML_PARSING
+ int ret = -1;
+ struct nft_table *t = NULL;
+ struct nft_chain *c = NULL;
+ struct nft_rule *r = NULL;
+ FILE *fp;
+ mxml_node_t *tree = NULL;;
+ char *xml = NULL;
+
+ fp = fopen(filename, "r");
+ tree = mxmlLoadFile(NULL, fp, MXML_NO_CALLBACK);
+ fclose(fp);
+
+ if (tree == NULL)
+ return -1;
+
+ xml = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
+ if (xml == NULL)
+ return -1;
+
+ /* Check what parsing should be done */
+ if (strcmp(tree->value.opaque, "table") == 0) {
+ t = nft_table_alloc();
+ if (t != NULL) {
+ if (nft_table_parse(t, NFT_TABLE_PARSE_XML, xml) == 0)
+ ret = 0;
+
+ nft_table_free(t);
+ }
+ } else if (strcmp(tree->value.opaque, "chain") == 0) {
+ c = nft_chain_alloc();
+ if (c != NULL) {
+ if (nft_chain_parse(c, NFT_CHAIN_PARSE_XML, xml) == 0)
+ ret = 0;
+
+ nft_chain_free(c);
+ }
+ } else if (strcmp(tree->value.opaque, "rule") == 0) {
+ r = nft_rule_alloc();
+ if (r != NULL) {
+ if (nft_rule_parse(r, NFT_RULE_PARSE_XML, xml) == 0)
+ ret = 0;
+
+ nft_rule_free(r);
+ }
+ }
+
+ return ret;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+int main(int argc, char *argv[])
+{
+ DIR *d;
+ struct dirent *dent;
+ char path[PATH_MAX];
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s <directory>\n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+
+ d = opendir(argv[1]);
+ if (d == NULL) {
+ perror("opendir");
+ exit(EXIT_FAILURE);
+ }
+
+ while ((dent = readdir(d)) != NULL) {
+ int len = strlen(dent->d_name);
+
+ if (strcmp(dent->d_name, ".") == 0 ||
+ strcmp(dent->d_name, "..") == 0)
+ continue;
+
+ snprintf(path, sizeof(path), "%s/%s", argv[1], dent->d_name);
+
+ if (strcmp(&dent->d_name[len-4], ".xml") == 0) {
+ printf("parsing %s: ", path);
+ if (test_xml(path) < 0)
+ printf("\033[31mFAILED\033[37m (%s)\n",
+ strerror(errno));
+ else
+ printf("\033[32mOK\033[37m \n");
+ }
+ }
+
+ closedir(d);
+ return 0;
+}
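Review bot: In main(), `&dent->d_name[len-4]` points before the start of d_name for any directory entry shorter than four characters, so the suffix check reads out of bounds and needs a `len >= 4` guard. In test_xml(), the fopen() result goes to mxmlLoadFile() and fclose() unchecked, and neither `tree` nor `xml` is released on any return path. main() also returns 0 when a file fails to parse, so a calling harness cannot see the failure. The "FAILED" line prints strerror(errno) although several failure paths in test_xml() do not set errno, so the reported reason can be stale.

```c
	fp = fopen(filename, "r");
	if (fp == NULL)
		return -1;

	tree = mxmlLoadFile(NULL, fp, MXML_NO_CALLBACK);
	fclose(fp);
	if (tree == NULL)
		return -1;

	xml = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
	if (xml == NULL) {
		mxmlDelete(tree);
		return -1;
	}

	/* … unchanged: table / chain / rule dispatch setting ret … */

	free(xml);
	mxmlDelete(tree);
	return ret;

	/* in main(): */
	int failed = 0;

	while ((dent = readdir(d)) != NULL) {
		size_t len = strlen(dent->d_name);

		/* … unchanged: "." and ".." skip, snprintf into path … */

		if (len >= 4 && strcmp(&dent->d_name[len - 4], ".xml") == 0) {
			printf("parsing %s: ", path);
			if (test_xml(path) < 0) {
				failed = 1;
				/* … unchanged: FAILED message … */
			} else {
				/* … unchanged: OK message … */
			}
		}
	}

	closedir(d);
	return failed ? EXIT_FAILURE : EXIT_SUCCESS;
```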
diff --git a/examples/table.xml b/tests/xmlfiles/01-table.xml
index a397d52..d1f4692 100644
--- a/examples/table.xml
+++ b/tests/xmlfiles/01-table.xml
@@ -1,6 +1,6 @@
<table name="filter" version="0">
<properties>
- <family>2</family>
+ <family>ip</family>
<table_flags>0</table_flags>
</properties>
</table>
diff --git a/tests/xmlfiles/02-table.xml b/tests/xmlfiles/02-table.xml
new file mode 100644
index 0000000..55e5c2d
--- /dev/null
+++ b/tests/xmlfiles/02-table.xml
@@ -0,0 +1,6 @@
+<table name="nat" version="0">
+ <properties>
+ <family>ip6</family>
+ <table_flags>0</table_flags>
+ </properties>
+</table>
diff --git a/tests/xmlfiles/10-chain.xml b/tests/xmlfiles/10-chain.xml
new file mode 100644
index 0000000..04b050d
--- /dev/null
+++ b/tests/xmlfiles/10-chain.xml
@@ -0,0 +1,11 @@
+<chain name="test" handle="0" bytes="0" packets="0" version="0">
+ <properties>
+ <type>filter</type>
+ <table>filter</table>
+ <prio>0</prio>
+ <use>1</use>
+ <hooknum>NF_INET_LOCAL_IN</hooknum>
+ <policy>accept</policy>
+ <family>ip</family>
+ </properties>
+</chain>
diff --git a/examples/chain.xml b/tests/xmlfiles/11-chain.xml
index 01ccb85..7baa88f 100644
--- a/examples/chain.xml
+++ b/tests/xmlfiles/11-chain.xml
@@ -2,10 +2,10 @@
<properties>
<type>filter</type>
<table>filter</table>
- <prio>1</prio>
- <use>0</use>
- <hooknum>4</hooknum>
- <policy>1</policy>
- <family>10</family>
+ <prio>0</prio>
+ <use>1</use>
+ <hooknum>NF_INET_FORWARD</hooknum>
+ <policy>drop</policy>
+ <family>ip6</family>
</properties>
</chain>
diff --git a/tests/xmlfiles/12-chain.xml b/tests/xmlfiles/12-chain.xml
new file mode 100644
index 0000000..1480659
--- /dev/null
+++ b/tests/xmlfiles/12-chain.xml
@@ -0,0 +1,11 @@
+<chain name="foo" handle="100" bytes="59264154979" packets="2548796325" version="0">
+ <properties>
+ <type>nat</type>
+ <table>nat</table>
+ <prio>0</prio>
+ <use>1</use>
+ <hooknum>NF_INET_POST_ROUTING</hooknum>
+ <policy>accept</policy>
+ <family>ip</family>
+ </properties>
+</chain>
diff --git a/tests/xmlfiles/20-rule-bitwise.xml b/tests/xmlfiles/20-rule-bitwise.xml
new file mode 100644
index 0000000..411e28f
--- /dev/null
+++ b/tests/xmlfiles/20-rule-bitwise.xml
@@ -0,0 +1,25 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="bitwise">
+ <sreg>2</sreg>
+ <dreg>2</dreg>
+ <mask>
+ <data_reg type="value">
+ <len>16</len>
+ <data0>0xffffffff</data0>
+ <data1>0xffffffff</data1>
+ <data2>0xffffffff</data2>
+ <data3>0x000000ff</data3>
+ </data_reg>
+ </mask>
+ <xor>
+ <data_reg type="value">
+ <len>16</len>
+ <data0>0xfaceb00c</data0>
+ <data1>0xc1cac1ca</data1>
+ <data2>0xcafecafe</data2>
+ <data3>0xdeadbeef</data3>
+ </data_reg>
+ </xor>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/21-rule-byteorder.xml b/tests/xmlfiles/21-rule-byteorder.xml
new file mode 100644
index 0000000..44f9b78
--- /dev/null
+++ b/tests/xmlfiles/21-rule-byteorder.xml
@@ -0,0 +1,12 @@
+<rule family="ip" table="test" chain="test" handle="1000" version="0">
+ <rule_flags>123</rule_flags>
+ <compat_flags>123</compat_flags>
+ <compat_proto>123</compat_proto>
+ <expr type="byteorder">
+ <sreg>3</sreg>
+ <dreg>4</dreg>
+ <op>hton</op>
+ <len>4</len>
+ <size>4</size>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/22-rule-cmp.xml b/tests/xmlfiles/22-rule-cmp.xml
new file mode 100644
index 0000000..c135bcd
--- /dev/null
+++ b/tests/xmlfiles/22-rule-cmp.xml
@@ -0,0 +1,13 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="cmp">
+ <sreg>1</sreg>
+ <op>eq</op>
+ <cmpdata>
+ <data_reg type="value">
+ <len>4</len>
+ <data0>0x01010101</data0>
+ </data_reg>
+ </cmpdata>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/23-rule-counter.xml b/tests/xmlfiles/23-rule-counter.xml
new file mode 100644
index 0000000..e6ff78a
--- /dev/null
+++ b/tests/xmlfiles/23-rule-counter.xml
@@ -0,0 +1,8 @@
+<rule family="ip6" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <flags>127</flags>
+ <expr type="counter">
+ <pkts>123123</pkts>
+ <bytes>321321</bytes>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/24-rule-ct.xml b/tests/xmlfiles/24-rule-ct.xml
new file mode 100644
index 0000000..8fff41a
--- /dev/null
+++ b/tests/xmlfiles/24-rule-ct.xml
@@ -0,0 +1,10 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <compat_flags>0</compat_flags>
+ <compat_proto>0</compat_proto>
+ <expr type="ct">
+ <dreg>4</dreg>
+ <dir>1</dir>
+ <key>state</key>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/25-rule-exthdr.xml b/tests/xmlfiles/25-rule-exthdr.xml
new file mode 100644
index 0000000..48abd57
--- /dev/null
+++ b/tests/xmlfiles/25-rule-exthdr.xml
@@ -0,0 +1,9 @@
+<rule family="ip6" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="exthdr">
+ <dreg>1</dreg>
+ <exthdr_type>mh</exthdr_type>
+ <offset>2</offset>
+ <len>16</len>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/26-rule-immediate.xml b/tests/xmlfiles/26-rule-immediate.xml
new file mode 100644
index 0000000..d58a13d
--- /dev/null
+++ b/tests/xmlfiles/26-rule-immediate.xml
@@ -0,0 +1,12 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="immediate">
+ <dreg>1</dreg>
+ <immdata>
+ <data_reg type="value">
+ <len>4</len>
+ <data0>0xaabbccdd</data0>
+ </data_reg>
+ </immdata>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/26-rule-limit.xml b/tests/xmlfiles/26-rule-limit.xml
new file mode 100644
index 0000000..92a2bd9
--- /dev/null
+++ b/tests/xmlfiles/26-rule-limit.xml
@@ -0,0 +1,7 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="limit">
+ <rate>123123</rate>
+ <depth>321321</depth>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/28-rule-log.xml b/tests/xmlfiles/28-rule-log.xml
new file mode 100644
index 0000000..e33ff25
--- /dev/null
+++ b/tests/xmlfiles/28-rule-log.xml
@@ -0,0 +1,9 @@
+<rule family="ip6" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="log">
+ <group>10</group>
+ <snaplen>4000000</snaplen>
+ <qthreshold>1222222</qthreshold>
+ <prefix>prefixtest</prefix>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/29-rule-lookup.xml b/tests/xmlfiles/29-rule-lookup.xml
new file mode 100644
index 0000000..f67ecb9
--- /dev/null
+++ b/tests/xmlfiles/29-rule-lookup.xml
@@ -0,0 +1,8 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="lookup">
+ <sreg>2</sreg>
+ <dreg>1</dreg>
+ <set>set_name_test</set>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/30-rule-match.xml b/tests/xmlfiles/30-rule-match.xml
new file mode 100644
index 0000000..1738aa1
--- /dev/null
+++ b/tests/xmlfiles/30-rule-match.xml
@@ -0,0 +1,6 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="match">
+ <name>state</name>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/31-rule-meta.xml b/tests/xmlfiles/31-rule-meta.xml
new file mode 100644
index 0000000..7e2f57a
--- /dev/null
+++ b/tests/xmlfiles/31-rule-meta.xml
@@ -0,0 +1,7 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="meta">
+ <dreg>1</dreg>
+ <key>oifname</key>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/32-rule-nat6.xml b/tests/xmlfiles/32-rule-nat6.xml
new file mode 100644
index 0000000..e84bf1c
--- /dev/null
+++ b/tests/xmlfiles/32-rule-nat6.xml
@@ -0,0 +1,11 @@
+<rule family="ip6" table="nat" chain="OUTPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="nat">
+ <family>ip6</family>
+ <nat_type>snat</nat_type>
+ <sreg_addr_min>1</sreg_addr_min>
+ <sreg_addr_max>2</sreg_addr_max>
+ <sreg_proto_min>3</sreg_proto_min>
+ <sreg_proto_max>4</sreg_proto_max>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/33-rule-nat4.xml b/tests/xmlfiles/33-rule-nat4.xml
new file mode 100644
index 0000000..0dc213e
--- /dev/null
+++ b/tests/xmlfiles/33-rule-nat4.xml
@@ -0,0 +1,11 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="nat">
+ <sreg_addr_min>1</sreg_addr_min>
+ <sreg_addr_max>2</sreg_addr_max>
+ <sreg_proto_min>3</sreg_proto_min>
+ <sreg_proto_max>4</sreg_proto_max>
+ <family>ip</family>
+ <nat_type>dnat</nat_type>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/34-rule-payload.xml b/tests/xmlfiles/34-rule-payload.xml
new file mode 100644
index 0000000..a7846d6
--- /dev/null
+++ b/tests/xmlfiles/34-rule-payload.xml
@@ -0,0 +1,9 @@
+<rule family="ip6" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="payload">
+ <dreg>1</dreg>
+ <base>transport</base>
+ <offset>12</offset>
+ <len>4</len>
+ </expr>
+</rule>
diff --git a/tests/xmlfiles/35-rule-target.xml b/tests/xmlfiles/35-rule-target.xml
new file mode 100644
index 0000000..2a4f5e9
--- /dev/null
+++ b/tests/xmlfiles/35-rule-target.xml
@@ -0,0 +1,6 @@
+<rule family="ip" table="filter" chain="INPUT" handle="100" version="0">
+ <rule_flags>0</rule_flags>
+ <expr type="target">
+ <name>LOG</name>
+ </expr>
+</rule>