diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-12-18 11:13:57 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-12-18 12:38:49 +0100 |
| commit | 38a110874c006cc42b1a1e97f3cb082a33169c35 (patch) | |
| tree | 3c8ba5b5e9d50fcee4dcf60378fa21f43bdec2eb /tests/shell/testcases | |
| parent | 285baccfea46aa61e4ed4777da23105ccf19218b (diff) | |
tests: shell: set element multi-statement support
This patch adds two tests to add multistatement support:
- Dynamic set updates from packet path.
- Set that is updated from the control plane.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
4 files changed, 93 insertions, 0 deletions
diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0 new file mode 100755 index 00000000..107bfb87 --- /dev/null +++ b/tests/shell/testcases/sets/0059set_update_multistmt_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +RULESET="table x { + set y { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 1h + } + chain z { + type filter hook output priority 0; + update @y { ip daddr limit rate 1/second counter } + } +}" + +set -e +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0 new file mode 100755 index 00000000..6bd147c3 --- /dev/null +++ b/tests/shell/testcases/sets/0060set_multistmt_0 @@ -0,0 +1,50 @@ +#!/bin/bash + +RULESET="table x { + set y { + type ipv4_addr + limit rate 1/second counter + elements = { 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 } + } + chain y { + type filter hook output priority filter; policy accept; + ip daddr @y + } +}" + +$NFT -f - <<< $RULESET +# should work +if [ $? -ne 0 ] +then + exit 1 +fi + +# should work +$NFT add element x y { 1.1.1.1 limit rate 1/second counter } +if [ $? -ne 0 ] +then + exit 1 +fi + +# should fail +$NFT add element x y { 2.2.2.2 limit rate 1/second } +if [ $? -eq 0 ] +then + exit 1 +fi + +# should fail +$NFT add element x y { 3.3.3.3 counter limit rate 1/second } +if [ $? -eq 0 ] +then + exit 1 +fi + +# should work +$NFT add element x y { 4.4.4.4 } +if [ $? -ne 0 ] +then + exit 1 +fi + +exit 0 diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft new file mode 100644 index 00000000..1b0ffae4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft @@ -0,0 +1,13 @@ +table ip x { + set y { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 1h + } + + chain z { + type filter hook output priority filter; policy accept; + update @y { ip daddr limit rate 1/second counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft new file mode 100644 index 00000000..f23db534 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft @@ -0,0 +1,13 @@ +table ip x { + set y { + type ipv4_addr + limit rate 1/second counter + elements = { 1.1.1.1 limit rate 1/second counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second counter packets 0 bytes 0, + 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 } + } + + chain y { + type filter hook output priority filter; policy accept; + ip daddr @y + } +} |