diff options
author | Laura Garcia Liebana <nevola@gmail.com> | 2018-03-07 22:51:10 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-09 12:45:16 +0100 |
commit | 7d93e2c2fbc77f05fd7acb63a2acf9874c9ad58f (patch) | |
tree | 6773a61dcd261a25d525457bf8b6049787345424 /tests/shell/testcases | |
parent | 1870165e0241bd06f96da43edbee0e0e82bfa09d (diff) |
tests: shell: autogenerate dump verification
Complete the automated shell tests with the verification of
the test file dump, only for positive tests and if the test
execution was successful.
It's able to generate the dump file with the -g option.
Example:
# ./run-tests.sh -g testcases/chains/0001jumps_0
The dump files are generated in the same path in the folder named
dumps/ with .nft extension.
It has been avoided the dump verification code in every test
file.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
123 files changed, 668 insertions, 557 deletions
diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft new file mode 100644 index 00000000..f6dd6541 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft @@ -0,0 +1,12 @@ +table inet test { + set test { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain test { + ip daddr { 2.2.2.2 } counter packets 0 bytes 0 accept + ip saddr @test counter packets 0 bytes 0 accept + ip daddr { 2.2.2.2 } counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/cache/dumps/0002_interval_0.nft b/tests/shell/testcases/cache/dumps/0002_interval_0.nft new file mode 100644 index 00000000..6a081320 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0002_interval_0.nft @@ -0,0 +1,7 @@ +table inet t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.0.0/24 } + } +} diff --git a/tests/shell/testcases/chains/0016delete_handle_0 b/tests/shell/testcases/chains/0016delete_handle_0 index cf11da8a..677fba37 100755 --- a/tests/shell/testcases/chains/0016delete_handle_0 +++ b/tests/shell/testcases/chains/0016delete_handle_0 @@ -11,26 +11,3 @@ $NFT add chain ip6 test-ip6 y # should have handle 2 $NFT add chain ip6 test-ip6 z # should have handle 3 $NFT delete chain test-ip handle 2 $NFT delete chain ip6 test-ip6 handle 3 - -EXPECTED="table ip test-ip { - chain x { - } - - chain z { - } -} -table ip6 test-ip6 { - chain x { - } - - chain y { - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/chains/dumps/0001jumps_0.nft b/tests/shell/testcases/chains/dumps/0001jumps_0.nft new file mode 100644 index 00000000..7054cde4 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0001jumps_0.nft @@ -0,0 +1,64 @@ +table ip t { + chain c1 { + jump c2 + } + + chain c2 { + jump c3 + } + + chain c3 { + jump c4 + } + + chain c4 { + jump c5 + } + + chain c5 { + jump c6 + } + + chain c6 { + jump c7 + } + + chain c7 { + jump c8 + } + + chain c8 { + jump c9 + } + + chain c9 { + jump c10 + } + + chain c10 { + jump c11 + } + + chain c11 { + jump c12 + } + + chain c12 { + jump c13 + } + + chain c13 { + jump c14 + } + + chain c14 { + jump c15 + } + + chain c15 { + jump c16 + } + + chain c16 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0006masquerade_0.nft b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft new file mode 100644 index 00000000..e4b9872b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft @@ -0,0 +1,6 @@ +table ip t { + chain c1 { + type nat hook postrouting priority 0; policy accept; + masquerade + } +} diff --git a/tests/shell/testcases/chains/dumps/0013rename_0.nft b/tests/shell/testcases/chains/dumps/0013rename_0.nft new file mode 100644 index 00000000..e4e0171c --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0013rename_0.nft @@ -0,0 +1,4 @@ +table ip t { + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft b/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft new file mode 100644 index 00000000..de6ee9c0 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft @@ -0,0 +1,20 @@ +table ip test-ip { + chain x { + } + + chain y { + } + + chain z { + } +} +table ip6 test-ip6 { + chain x { + } + + chain y { + } + + chain z { + } +} diff --git a/tests/shell/testcases/flowtable/0001flowtable_0 b/tests/shell/testcases/flowtable/0001flowtable_0 index 307f06f6..6d08e254 100755 --- a/tests/shell/testcases/flowtable/0001flowtable_0 +++ b/tests/shell/testcases/flowtable/0001flowtable_0 @@ -23,11 +23,3 @@ EXPECTED='table inet t { echo "$EXPECTED" > $tmpfile set -e $NFT -f $tmpfile - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft new file mode 100755 index 00000000..5188b207 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft @@ -0,0 +1,10 @@ +table inet t { + flowtable f { + hook ingress priority 10 + devices = { eth0, wlan0 } + } + + chain c { + flow offload @f + } +} diff --git a/tests/shell/testcases/import/vm_json_import_0 b/tests/shell/testcases/import/vm_json_import_0 index dc367f64..e5ecbcc4 100755 --- a/tests/shell/testcases/import/vm_json_import_0 +++ b/tests/shell/testcases/import/vm_json_import_0 @@ -61,11 +61,3 @@ $NFT -f $tmpfile $NFT export vm json > $tmpfile $NFT flush ruleset cat $tmpfile | $NFT import vm json - -RESULT="$($NFT list ruleset)" - - -if [ "$RULESET" != "$RESULT" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$RESULT") -fi diff --git a/tests/shell/testcases/include/dumps/0001absolute_0.nft b/tests/shell/testcases/include/dumps/0001absolute_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/include/dumps/0001absolute_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0002relative_0.nft b/tests/shell/testcases/include/dumps/0002relative_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/include/dumps/0002relative_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0003includepath_0.nft b/tests/shell/testcases/include/dumps/0003includepath_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/include/dumps/0003includepath_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0006glob_single_0.nft b/tests/shell/testcases/include/dumps/0006glob_single_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/include/dumps/0006glob_single_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0007glob_double_0.nft b/tests/shell/testcases/include/dumps/0007glob_double_0.nft new file mode 100644 index 00000000..f9cb080f --- /dev/null +++ b/tests/shell/testcases/include/dumps/0007glob_double_0.nft @@ -0,0 +1,4 @@ +table ip y { +} +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft b/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft new file mode 100644 index 00000000..8e818d2d --- /dev/null +++ b/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft new file mode 100644 index 00000000..8e818d2d --- /dev/null +++ b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/listing/0001ruleset_0 b/tests/shell/testcases/listing/0001ruleset_0 index 1a3a73b1..19cb3b04 100755 --- a/tests/shell/testcases/listing/0001ruleset_0 +++ b/tests/shell/testcases/listing/0001ruleset_0 @@ -2,17 +2,6 @@ # list ruleset shows a table -EXPECTED="table ip test { -}" - set -e $NFT add table test -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/listing/0002ruleset_0 b/tests/shell/testcases/listing/0002ruleset_0 index 45121fb7..b4a535c4 100755 --- a/tests/shell/testcases/listing/0002ruleset_0 +++ b/tests/shell/testcases/listing/0002ruleset_0 @@ -5,12 +5,3 @@ EXPECTED="" set -e - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/listing/dumps/0001ruleset_0.nft b/tests/shell/testcases/listing/dumps/0001ruleset_0.nft new file mode 100644 index 00000000..1c9f40c5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0001ruleset_0.nft @@ -0,0 +1,2 @@ +table ip test { +} diff --git a/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 index 55f90555..0714963d 100755 --- a/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 +++ b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 @@ -56,18 +56,3 @@ n=$HOWMANY echo "add element x y { 10.${n}.${n}.0/24 : 10.0.${n}.${n} }" > $tmpfile $NFT -f $tmpfile - -EXPECTED="table ip x { - map y { - type ipv4_addr : ipv4_addr - flags interval - elements = { "$(generate_test)" } - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/maps/0006interval_map_overlap_0 b/tests/shell/testcases/maps/0006interval_map_overlap_0 index 8597639e..682ac65b 100755 --- a/tests/shell/testcases/maps/0006interval_map_overlap_0 +++ b/tests/shell/testcases/maps/0006interval_map_overlap_0 @@ -25,17 +25,3 @@ echo "add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }" > $tmpfile $NFT -f $tmpfile -EXPECTED="table ip x { - map y { - type ipv4_addr : ipv4_addr - flags interval - elements = { 10.0.1.0/24 : 10.0.0.1, 10.0.2.0/24 : 10.0.0.2 } - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/maps/0007named_ifname_dtype_0 b/tests/shell/testcases/maps/0007named_ifname_dtype_0 index dcbcf2f0..5e51a605 100755 --- a/tests/shell/testcases/maps/0007named_ifname_dtype_0 +++ b/tests/shell/testcases/maps/0007named_ifname_dtype_0 @@ -26,10 +26,3 @@ set -e echo "$EXPECTED" > $tmpfile $NFT -f $tmpfile -GET="$($NFT list ruleset)" -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft new file mode 100644 index 00000000..ab992c4a --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft @@ -0,0 +1,8 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.1.1.0/24 : 10.0.1.1, 10.1.2.0/24 : 10.0.1.2, + 10.2.1.0/24 : 10.0.2.1, 10.2.2.0/24 : 10.0.2.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft new file mode 100644 index 00000000..1f5343f4 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft @@ -0,0 +1,7 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.0.1.0/24 : 10.0.0.1, 10.0.2.0/24 : 10.0.0.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft new file mode 100644 index 00000000..878e7c06 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft @@ -0,0 +1,11 @@ +table inet t { + map m1 { + type ifname : ipv4_addr + elements = { "eth0" : 1.1.1.1 } + } + + chain c { + ip daddr set iifname map @m1 + ip daddr set oifname map @m1 + } +} diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft new file mode 100644 index 00000000..5009560c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft @@ -0,0 +1,5 @@ +table ip nat { + chain postrouting { + snat to ip saddr map { 1.1.1.1 : 2.2.2.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/map_with_flags_0.nft b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft new file mode 100644 index 00000000..c96b1ed2 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft @@ -0,0 +1,6 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags timeout + } +} diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft new file mode 100644 index 00000000..a7c57518 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft @@ -0,0 +1,10 @@ +table ip nat { + map m { + type ipv4_addr : ipv4_addr + elements = { 1.1.1.1 : 2.2.2.2 } + } + + chain postrouting { + snat to ip saddr map @m + } +} diff --git a/tests/shell/testcases/maps/map_with_flags_0 b/tests/shell/testcases/maps/map_with_flags_0 index 8774eb51..68bd80d2 100755 --- a/tests/shell/testcases/maps/map_with_flags_0 +++ b/tests/shell/testcases/maps/map_with_flags_0 @@ -4,18 +4,3 @@ set -e $NFT add table x $NFT add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; } - -EXPECTED="table ip x { - map y { - type ipv4_addr : ipv4_addr - flags timeout - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/nft-f/0002rollback_rule_0 b/tests/shell/testcases/nft-f/0002rollback_rule_0 index ddeb5423..19690544 100755 --- a/tests/shell/testcases/nft-f/0002rollback_rule_0 +++ b/tests/shell/testcases/nft-f/0002rollback_rule_0 @@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0003rollback_jump_0 b/tests/shell/testcases/nft-f/0003rollback_jump_0 index 6c43df9d..f53fd238 100755 --- a/tests/shell/testcases/nft-f/0003rollback_jump_0 +++ b/tests/shell/testcases/nft-f/0003rollback_jump_0 @@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0004rollback_set_0 b/tests/shell/testcases/nft-f/0004rollback_set_0 index 1dea85ec..7674106f 100755 --- a/tests/shell/testcases/nft-f/0004rollback_set_0 +++ b/tests/shell/testcases/nft-f/0004rollback_set_0 @@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0005rollback_map_0 b/tests/shell/testcases/nft-f/0005rollback_map_0 index 777cc717..ba1fcc59 100755 --- a/tests/shell/testcases/nft-f/0005rollback_map_0 +++ b/tests/shell/testcases/nft-f/0005rollback_map_0 @@ -51,13 +51,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0 index dd03545b..b244d14e 100755 --- a/tests/shell/testcases/nft-f/0008split_tables_0 +++ b/tests/shell/testcases/nft-f/0008split_tables_0 @@ -29,22 +29,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table inet filter { - chain ssh { - type filter hook input priority 0; policy accept; - tcp dport ssh accept - } - - chain input { - type filter hook input priority 1; policy accept; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft new file mode 100644 index 00000000..f6f26158 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft new file mode 100644 index 00000000..f6f26158 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft new file mode 100644 index 00000000..f6f26158 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft new file mode 100644 index 00000000..f6f26158 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft new file mode 100644 index 00000000..1211411f --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft @@ -0,0 +1,10 @@ +table inet filter { + chain ssh { + type filter hook input priority 0; policy accept; + tcp dport ssh accept + } + + chain input { + type filter hook input priority 1; policy accept; + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft new file mode 100644 index 00000000..a793751b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft @@ -0,0 +1,7 @@ +table inet forward { + set concat-set-variable { + type ipv4_addr . inet_service + elements = { 10.10.10.10 . smtp, + 10.10.10.10 . imap2 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0010variable_0.nft b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft new file mode 100644 index 00000000..1f3d05e8 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft @@ -0,0 +1,6 @@ +table inet filter { + set whitelist_v4 { + type ipv4_addr + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft new file mode 100644 index 00000000..e9eef4b1 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft @@ -0,0 +1,16 @@ +table inet t { + chain c { + iifname "whatever" oifname "whatever" iif "lo" oif "lo" + iifname { "whatever" } iif { "lo" } mark 0x0000007b + ct state established,related,new + ct state != established | related | new + ip saddr 10.0.0.0 ip saddr 10.0.0.0 ip daddr 10.0.0.2 + ip6 daddr fe0::1 ip6 saddr fe0::2 + ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept } + ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept } + ip6 saddr . ip6 nexthdr { fe0::1 . udp, fe0::2 . tcp } + ip daddr . iif vmap { 10.0.0.0 . "lo" : accept } + tcp dport 100-222 + udp dport vmap { 100-222 : accept } + } +} diff --git a/tests/shell/testcases/optionals/dumps/comments_0.nft b/tests/shell/testcases/optionals/dumps/comments_0.nft new file mode 100644 index 00000000..416a07e0 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_0.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment" + } +} diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft new file mode 100644 index 00000000..416a07e0 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment" + } +} diff --git a/tests/shell/testcases/optionals/dumps/handles_0.nft b/tests/shell/testcases/optionals/dumps/handles_0.nft new file mode 100644 index 00000000..eb0af811 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/handles_0.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport ssh counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/rule_management/0001addposition_0 b/tests/shell/testcases/rule_management/0001addposition_0 index e66bfff3..ee90d923 100755 --- a/tests/shell/testcases/rule_management/0001addposition_0 +++ b/tests/shell/testcases/rule_management/0001addposition_0 @@ -9,19 +9,3 @@ $NFT add chain t c $NFT add rule t c accept # should have handle 2 $NFT add rule t c accept # should have handle 3 $NFT add rule t c position 2 drop - -EXPECTED="table ip t { - chain c { - accept - drop - accept - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/0002insertposition_0 b/tests/shell/testcases/rule_management/0002insertposition_0 index cf8a568d..e9f886fb 100755 --- a/tests/shell/testcases/rule_management/0002insertposition_0 +++ b/tests/shell/testcases/rule_management/0002insertposition_0 @@ -9,19 +9,3 @@ $NFT add chain t c $NFT add rule t c accept # should have handle 2 $NFT add rule t c accept # should have handle 3 $NFT insert rule t c position 2 drop - -EXPECTED="table ip t { - chain c { - drop - accept - accept - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0 index 6691c166..329ccc20 100755 --- a/tests/shell/testcases/rule_management/0003insert_0 +++ b/tests/shell/testcases/rule_management/0003insert_0 @@ -9,19 +9,3 @@ $NFT add chain t c $NFT insert rule t c accept $NFT insert rule t c drop $NFT insert rule t c masquerade - -EXPECTED="table ip t { - chain c { - masquerade - drop - accept - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0 index 6a4b9495..c3329af5 100755 --- a/tests/shell/testcases/rule_management/0004replace_0 +++ b/tests/shell/testcases/rule_management/0004replace_0 @@ -8,17 +8,3 @@ $NFT add table t $NFT add chain t c $NFT add rule t c accept # should have handle 2 $NFT replace rule t c handle 2 drop - -EXPECTED="table ip t { - chain c { - drop - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/0007delete_0 b/tests/shell/testcases/rule_management/0007delete_0 index 126fe5dd..11376cc3 100755 --- a/tests/shell/testcases/rule_management/0007delete_0 +++ b/tests/shell/testcases/rule_management/0007delete_0 @@ -9,17 +9,3 @@ $NFT add chain t c $NFT add rule t c accept # should have handle 2 $NFT add rule t c drop # should have handle 3 $NFT delete rule t c handle 2 - -EXPECTED="table ip t { - chain c { - drop - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/dumps/0001addposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addposition_0.nft new file mode 100644 index 00000000..e282e13b --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addposition_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + accept + drop + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0002insertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0002insertposition_0.nft new file mode 100644 index 00000000..527d79d6 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002insertposition_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + drop + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft new file mode 100644 index 00000000..9421f4ae --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + masquerade + drop + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft new file mode 100644 index 00000000..e20952ef --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + drop + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft new file mode 100644 index 00000000..e20952ef --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + drop + } +} diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0 index 7a5f8c69..7e7beebd 100755 --- a/tests/shell/testcases/sets/0012add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0 @@ -31,16 +31,3 @@ delete element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0 index 265a5540..5774317b 100755 --- a/tests/shell/testcases/sets/0013add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0 @@ -32,17 +32,3 @@ add element x y $(generate)" > $tmpfile $NFT -f $tmpfile echo "delete element x y $(generate)" > $tmpfile $NFT -f $tmpfile - - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/sets/0021nesting_0 b/tests/shell/testcases/sets/0021nesting_0 index 763d9ae1..4779f264 100755 --- a/tests/shell/testcases/sets/0021nesting_0 +++ b/tests/shell/testcases/sets/0021nesting_0 @@ -30,17 +30,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - chain y { - ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/sets/0029named_ifname_dtype_0 b/tests/shell/testcases/sets/0029named_ifname_dtype_0 index 8b7ab982..92f4a4ad 100755 --- a/tests/shell/testcases/sets/0029named_ifname_dtype_0 +++ b/tests/shell/testcases/sets/0029named_ifname_dtype_0 @@ -25,11 +25,3 @@ EXPECTED="table inet t { set -e echo "$EXPECTED" > $tmpfile $NFT -f $tmpfile - -GET="$($NFT list ruleset)" -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft new file mode 100644 index 00000000..3049aa84 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft @@ -0,0 +1,34 @@ +table inet t { + set s1 { + type ipv4_addr + flags interval + elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 } + } + + set s2 { + type ipv6_addr + flags interval + elements = { fe00::/64, + fe11::-fe22:: } + } + + set s3 { + type inet_proto + flags interval + elements = { 10-20, 50-60 } + } + + set s4 { + type inet_service + flags interval + elements = { 0-1024, 8080-8082, 10000-40000 } + } + + chain c { + ip saddr @s1 accept + ip6 daddr @s2 accept + ip protocol @s3 accept + ip6 nexthdr @s3 accept + tcp dport @s4 accept + } +} diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft new file mode 100644 index 00000000..452ee23e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.0.0/24, 192.168.1.0/24 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft new file mode 100644 index 00000000..70c32a85 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft @@ -0,0 +1,5 @@ +table ip t { + set s { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft new file mode 100644 index 00000000..940030a1 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft @@ -0,0 +1,7 @@ +table inet t { + set s { + type ipv6_addr + flags interval + elements = { fe00::/64 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft new file mode 100644 index 00000000..4224d9da --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft @@ -0,0 +1,7 @@ +table inet t { + set s { + type ipv6_addr + flags interval + elements = { fe00::/48 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.nft b/tests/shell/testcases/sets/dumps/0006create_set_0.nft new file mode 100644 index 00000000..70c32a85 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0006create_set_0.nft @@ -0,0 +1,5 @@ +table ip t { + set s { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.nft b/tests/shell/testcases/sets/dumps/0007create_element_0.nft new file mode 100644 index 00000000..169be117 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0007create_element_0.nft @@ -0,0 +1,6 @@ +table ip t { + set s { + type ipv4_addr + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft new file mode 100644 index 00000000..5e7a7680 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 1.1.1.1 comment "test" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft new file mode 100644 index 00000000..ab0fe80d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft @@ -0,0 +1,13 @@ +table ip t { + map sourcemap { + type ipv4_addr : verdict + elements = { 100.123.10.2 : jump c } + } + + chain postrouting { + ip saddr vmap @sourcemap accept + } + + chain c { + } +} diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft new file mode 100644 index 00000000..455ebe3e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags timeout + elements = { 1.1.1.1 comment "test" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.nft b/tests/shell/testcases/sets/dumps/0010comments_0.nft new file mode 100644 index 00000000..6e42ec4b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0010comments_0.nft @@ -0,0 +1,6 @@ +table inet t { + set s { + type ipv6_addr + elements = { ::1 comment "test" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft new file mode 100644 index 00000000..e3d4aee6 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft @@ -0,0 +1,5 @@ +table ip x { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft new file mode 100644 index 00000000..e3d4aee6 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft @@ -0,0 +1,5 @@ +table ip x { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft new file mode 100644 index 00000000..f6eddbf8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft @@ -0,0 +1,11 @@ +table ip t { + chain c { + } +} +table inet filter { + set blacklist_v4 { + type ipv4_addr + flags interval + elements = { 192.168.0.0/24 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft new file mode 100644 index 00000000..9d2b0afe --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft new file mode 100644 index 00000000..9d2b0afe --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft new file mode 100644 index 00000000..8cd37076 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1, 1.1.1.2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.nft b/tests/shell/testcases/sets/dumps/0020comments_0.nft new file mode 100644 index 00000000..d5330848 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0020comments_0.nft @@ -0,0 +1,6 @@ +table inet t { + set s { + type inet_service + elements = { ssh comment "test" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.nft b/tests/shell/testcases/sets/dumps/0021nesting_0.nft new file mode 100644 index 00000000..6fd2a441 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0021nesting_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft new file mode 100644 index 00000000..3dd97602 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft @@ -0,0 +1,13 @@ +table ip t { + set s { + type ipv4_addr + } + + map m { + type ipv4_addr : inet_service + } + + chain c { + tcp dport http meter f { ip saddr limit rate 10/second} + } +} diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft new file mode 100644 index 00000000..929c5d93 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft @@ -0,0 +1,28 @@ +table inet x { + counter user123 { + packets 12 bytes 1433 + } + + quota user123 { + over 2000 bytes + } + + quota user124 { + over 2000 bytes + } + + set y { + type ipv4_addr + } + + map test { + type ipv4_addr : quota + elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } + } + + chain y { + type filter hook input priority 0; policy accept; + counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" } + quota name ip saddr map @test drop + } +} diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft new file mode 100644 index 00000000..c823ae9d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + type filter hook output priority 0; policy accept; + ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } + tcp dport { ssh, telnet } counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft new file mode 100644 index 00000000..0d1f1254 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft @@ -0,0 +1,10 @@ +table ip filter { + limit http-traffic { + rate 1/second + } + + chain input { + type filter hook input priority 0; policy accept; + limit name tcp dport map { http : "http-traffic", https : "http-traffic" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft new file mode 100644 index 00000000..c49eefae --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft @@ -0,0 +1,7 @@ +table inet t { + set s { + type ipv6_addr + flags interval + elements = { ::ffff:0.0.0.0/96 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft new file mode 100644 index 00000000..2c82e57d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft @@ -0,0 +1,11 @@ +table inet t { + set s { + type ifname + elements = { "eth0" } + } + + chain c { + iifname @s accept + oifname @s accept + } +} diff --git a/tests/shell/testcases/transactions/0001table_0 b/tests/shell/testcases/transactions/0001table_0 index 0bde1018..83f9fd0d 100755 --- a/tests/shell/testcases/transactions/0001table_0 +++ b/tests/shell/testcases/transactions/0001table_0 @@ -21,16 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { -} -table ip y { -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0002table_0 b/tests/shell/testcases/transactions/0002table_0 index c5f319e4..dbd2f4ab 100755 --- a/tests/shell/testcases/transactions/0002table_0 +++ b/tests/shell/testcases/transactions/0002table_0 @@ -21,15 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - flags dormant -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0003table_0 b/tests/shell/testcases/transactions/0003table_0 index f17285e5..004ce513 100755 --- a/tests/shell/testcases/transactions/0003table_0 +++ b/tests/shell/testcases/transactions/0003table_0 @@ -20,13 +20,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0010chain_0 b/tests/shell/testcases/transactions/0010chain_0 index f4c1fbd1..d1918680 100755 --- a/tests/shell/testcases/transactions/0010chain_0 +++ b/tests/shell/testcases/transactions/0010chain_0 @@ -22,16 +22,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip w { - chain y { - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0011chain_0 b/tests/shell/testcases/transactions/0011chain_0 index 71afa6ed..aac33d56 100755 --- a/tests/shell/testcases/transactions/0011chain_0 +++ b/tests/shell/testcases/transactions/0011chain_0 @@ -22,17 +22,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - chain y { - type filter hook input priority 0; policy drop; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0012chain_0 b/tests/shell/testcases/transactions/0012chain_0 index 757bc750..c3bfe130 100755 --- a/tests/shell/testcases/transactions/0012chain_0 +++ b/tests/shell/testcases/transactions/0012chain_0 @@ -26,17 +26,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip w { - chain y { - type filter hook output priority 0; policy accept; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0013chain_0 b/tests/shell/testcases/transactions/0013chain_0 index 2c75bd4f..67c31c8a 100755 --- a/tests/shell/testcases/transactions/0013chain_0 +++ b/tests/shell/testcases/transactions/0013chain_0 @@ -27,17 +27,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip w { - chain y { - type filter hook output priority 0; policy accept; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0020rule_0 b/tests/shell/testcases/transactions/0020rule_0 index 1ad43625..e38634d3 100755 --- a/tests/shell/testcases/transactions/0020rule_0 +++ b/tests/shell/testcases/transactions/0020rule_0 @@ -21,13 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0021rule_0 b/tests/shell/testcases/transactions/0021rule_0 index 2467124f..284a9e71 100755 --- a/tests/shell/testcases/transactions/0021rule_0 +++ b/tests/shell/testcases/transactions/0021rule_0 @@ -24,17 +24,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - chain y { - ip saddr 2.2.2.2 counter packets 0 bytes 0 - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0030set_0 b/tests/shell/testcases/transactions/0030set_0 index 1fefb944..ad08b7e5 100755 --- a/tests/shell/testcases/transactions/0030set_0 +++ b/tests/shell/testcases/transactions/0030set_0 @@ -21,14 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0031set_0 b/tests/shell/testcases/transactions/0031set_0 index 87848b4b..6c5757cc 100755 --- a/tests/shell/testcases/transactions/0031set_0 +++ b/tests/shell/testcases/transactions/0031set_0 @@ -21,17 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0032set_0 b/tests/shell/testcases/transactions/0032set_0 index d4d7e7ed..1b41cf09 100755 --- a/tests/shell/testcases/transactions/0032set_0 +++ b/tests/shell/testcases/transactions/0032set_0 @@ -22,17 +22,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip w { - set y { - type ipv4_addr - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0033set_0 b/tests/shell/testcases/transactions/0033set_0 index b73b6fc8..19543b3c 100755 --- a/tests/shell/testcases/transactions/0033set_0 +++ b/tests/shell/testcases/transactions/0033set_0 @@ -20,14 +20,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0034set_0 b/tests/shell/testcases/transactions/0034set_0 index 25e65007..4cddb94d 100755 --- a/tests/shell/testcases/transactions/0034set_0 +++ b/tests/shell/testcases/transactions/0034set_0 @@ -21,17 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0035set_0 b/tests/shell/testcases/transactions/0035set_0 index 0788e2fe..9b20746b 100755 --- a/tests/shell/testcases/transactions/0035set_0 +++ b/tests/shell/testcases/transactions/0035set_0 @@ -23,18 +23,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - elements = { 3.3.3.3 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0037set_0 b/tests/shell/testcases/transactions/0037set_0 index 3e48c801..75b1d453 100755 --- a/tests/shell/testcases/transactions/0037set_0 +++ b/tests/shell/testcases/transactions/0037set_0 @@ -21,18 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - flags interval - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0038set_0 b/tests/shell/testcases/transactions/0038set_0 index 76550755..3120e916 100755 --- a/tests/shell/testcases/transactions/0038set_0 +++ b/tests/shell/testcases/transactions/0038set_0 @@ -23,19 +23,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - flags interval - elements = { 192.168.4.0/24 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0039set_0 b/tests/shell/testcases/transactions/0039set_0 index 76550755..3120e916 100755 --- a/tests/shell/testcases/transactions/0039set_0 +++ b/tests/shell/testcases/transactions/0039set_0 @@ -23,19 +23,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - flags interval - elements = { 192.168.4.0/24 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0040set_0 b/tests/shell/testcases/transactions/0040set_0 index 241703d9..0ffc4416 100755 --- a/tests/shell/testcases/transactions/0040set_0 +++ b/tests/shell/testcases/transactions/0040set_0 @@ -51,26 +51,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -GET="$($NFT list ruleset)" - -EXPECTED="table ip filter { - map client_to_any { - type ipv4_addr : verdict - } - - chain FORWARD { - type filter hook forward priority 0; policy accept; - goto client_to_any - } - - chain client_to_any { - ip saddr vmap @client_to_any - } -}" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/dumps/0001table_0.nft b/tests/shell/testcases/transactions/dumps/0001table_0.nft new file mode 100644 index 00000000..e4e5f9b1 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0001table_0.nft @@ -0,0 +1,4 @@ +table ip x { +} +table ip y { +} diff --git a/tests/shell/testcases/transactions/dumps/0002table_0.nft b/tests/shell/testcases/transactions/dumps/0002table_0.nft new file mode 100644 index 00000000..6eb70726 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0002table_0.nft @@ -0,0 +1,3 @@ +table ip x { + flags dormant +} diff --git a/tests/shell/testcases/transactions/dumps/0010chain_0.nft b/tests/shell/testcases/transactions/dumps/0010chain_0.nft new file mode 100644 index 00000000..aa4a521f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0010chain_0.nft @@ -0,0 +1,4 @@ +table ip w { + chain y { + } +} diff --git a/tests/shell/testcases/transactions/dumps/0011chain_0.nft b/tests/shell/testcases/transactions/dumps/0011chain_0.nft new file mode 100644 index 00000000..02cdb238 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0011chain_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + type filter hook input priority 0; policy drop; + } +} diff --git a/tests/shell/testcases/transactions/dumps/0012chain_0.nft b/tests/shell/testcases/transactions/dumps/0012chain_0.nft new file mode 100644 index 00000000..1fddecbb --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0012chain_0.nft @@ -0,0 +1,5 @@ +table ip w { + chain y { + type filter hook output priority 0; policy accept; + } +} diff --git a/tests/shell/testcases/transactions/dumps/0013chain_0.nft b/tests/shell/testcases/transactions/dumps/0013chain_0.nft new file mode 100644 index 00000000..1fddecbb --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0013chain_0.nft @@ -0,0 +1,5 @@ +table ip w { + chain y { + type filter hook output priority 0; policy accept; + } +} diff --git a/tests/shell/testcases/transactions/dumps/0021rule_0.nft b/tests/shell/testcases/transactions/dumps/0021rule_0.nft new file mode 100644 index 00000000..a6c41309 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0021rule_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip saddr 2.2.2.2 counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/transactions/dumps/0030set_0.nft b/tests/shell/testcases/transactions/dumps/0030set_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0030set_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/transactions/dumps/0031set_0.nft b/tests/shell/testcases/transactions/dumps/0031set_0.nft new file mode 100644 index 00000000..e3d4aee6 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0031set_0.nft @@ -0,0 +1,5 @@ +table ip x { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/transactions/dumps/0032set_0.nft b/tests/shell/testcases/transactions/dumps/0032set_0.nft new file mode 100644 index 00000000..7d11892a --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0032set_0.nft @@ -0,0 +1,5 @@ +table ip w { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/transactions/dumps/0033set_0.nft b/tests/shell/testcases/transactions/dumps/0033set_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0033set_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/transactions/dumps/0034set_0.nft b/tests/shell/testcases/transactions/dumps/0034set_0.nft new file mode 100644 index 00000000..e3d4aee6 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0034set_0.nft @@ -0,0 +1,5 @@ +table ip x { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/transactions/dumps/0035set_0.nft b/tests/shell/testcases/transactions/dumps/0035set_0.nft new file mode 100644 index 00000000..e1114947 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0035set_0.nft @@ -0,0 +1,6 @@ +table ip x { + set y { + type ipv4_addr + elements = { 3.3.3.3 } + } +} diff --git a/tests/shell/testcases/transactions/dumps/0037set_0.nft b/tests/shell/testcases/transactions/dumps/0037set_0.nft new file mode 100644 index 00000000..ca69cee2 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0037set_0.nft @@ -0,0 +1,6 @@ +table ip x { + set y { + type ipv4_addr + flags interval + } +} diff --git a/tests/shell/testcases/transactions/dumps/0038set_0.nft b/tests/shell/testcases/transactions/dumps/0038set_0.nft new file mode 100644 index 00000000..651a11bf --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0038set_0.nft @@ -0,0 +1,7 @@ +table ip x { + set y { + type ipv4_addr + flags interval + elements = { 192.168.4.0/24 } + } +} diff --git a/tests/shell/testcases/transactions/dumps/0039set_0.nft b/tests/shell/testcases/transactions/dumps/0039set_0.nft new file mode 100644 index 00000000..651a11bf --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0039set_0.nft @@ -0,0 +1,7 @@ +table ip x { + set y { + type ipv4_addr + flags interval + elements = { 192.168.4.0/24 } + } +} diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.nft b/tests/shell/testcases/transactions/dumps/0040set_0.nft new file mode 100644 index 00000000..fe864058 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0040set_0.nft @@ -0,0 +1,14 @@ +table ip filter { + map client_to_any { + type ipv4_addr : verdict + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + goto client_to_any + } + + chain client_to_any { + ip saddr vmap @client_to_any + } +} |