diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-17 17:20:26 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-23 19:00:02 +0200 |
commit | 3ac932e90b23402b3b18952123fbed97d8d50920 (patch) | |
tree | bb1daf2cd9ad892ccbd0a43129d8eb016175b0d3 /tests/shell/testcases/optimizations | |
parent | 64ebb03a8c87af4f664f8b7e190dee4cbbefb962 (diff) |
optimize: do not merge rules with set reference in rhs
Otherwise set reference ends up included in an anonymous set, as an
element, which is not supported.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases/optimizations')
-rw-r--r-- | tests/shell/testcases/optimizations/dumps/skip_merge.nft | 23 | ||||
-rwxr-xr-x | tests/shell/testcases/optimizations/skip_merge | 34 |
2 files changed, 57 insertions, 0 deletions
diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.nft b/tests/shell/testcases/optimizations/dumps/skip_merge.nft new file mode 100644 index 00000000..9c10b74b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_merge.nft @@ -0,0 +1,23 @@ +table inet filter { + set udp_accepted { + type inet_service + elements = { 500, 4500 } + } + + set tcp_accepted { + type inet_service + elements = { 80, 443 } + } + + chain udp_input { + udp dport 1-128 accept + udp dport @udp_accepted accept + udp dport 53 accept + } + + chain tcp_input { + tcp dport { 1-128, 8888-9999 } accept + tcp dport @tcp_accepted accept + tcp dport 1024-65535 accept + } +} diff --git a/tests/shell/testcases/optimizations/skip_merge b/tests/shell/testcases/optimizations/skip_merge new file mode 100755 index 00000000..8af976ca --- /dev/null +++ b/tests/shell/testcases/optimizations/skip_merge @@ -0,0 +1,34 @@ +#!/bin/bash + +set -e + +RULESET="table inet filter { + set udp_accepted { + type inet_service; + elements = { + isakmp, ipsec-nat-t + } + } + + set tcp_accepted { + type inet_service; + elements = { + http, https + } + } + + chain udp_input { + udp dport 1-128 accept + udp dport @udp_accepted accept + udp dport domain accept + } + + chain tcp_input { + tcp dport 1-128 accept + tcp dport 8888-9999 accept + tcp dport @tcp_accepted accept + tcp dport 1024-65535 accept + } +}" + +$NFT -o -f - <<< $RULESET |