author | Arturo Borrero <arturo.borrero.glez@gmail.com> | 2016-04-25 12:20:57 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-04-27 12:31:58 +0200 |
commit | 7e20026fc7192c9a3fa764840d193c7f638cf274 (patch) | |
tree | 87186d81216d83246eef31243a0df35b08db5e5e /tests/shell/testcases | |
parent | 8d6628ce724e1d01f03b788f60455cce2a4f77aa (diff) |
tests: shell: add testcases for named sets with intervals
Let's add some testcases for named sets with intervals and ranges.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
5 files changed, 97 insertions, 0 deletions
diff --git a/tests/shell/testcases/sets/0001named_interval_0 b/tests/shell/testcases/sets/0001named_interval_0
new file mode 100755
index 00000000..8d08b755
--- /dev/null
+++ b/tests/shell/testcases/sets/0001named_interval_0
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# This is the most basic testscase:
+# * creating a valid interval set
+# * referencing it from a valid rule
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+echo "
+table inet t {
+ set s1 {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 }
+ }
+ set s2 {
+ type ipv6_addr
+ flags interval
+ elements = { fe00::/64, fe11::-fe22::}
+ }
+ set s3 {
+ type inet_proto
+ flags interval
+ elements = { 10-20, 50-60}
+ }
+ set s4 {
+ type inet_service
+ flags interval
+ elements = {8080-8082, 0-1024, 10000-40000}
+ }
+ chain c {
+ ip saddr @s1 accept
+ ip6 daddr @s2 accept
+ ip protocol @s3 accept
+ ip6 nexthdr @s3 accept
+ tcp dport @s4 accept
+ }
+}" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
diff --git a/tests/shell/testcases/sets/0002named_interval_automerging_0 b/tests/shell/testcases/sets/0002named_interval_automerging_0
new file mode 100755
index 00000000..b07e0b09
--- /dev/null
+++ b/tests/shell/testcases/sets/0002named_interval_automerging_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This testscase checks the automerging of adjacent intervals
+
+set -e
+
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; flags interval \; }
+$NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 }
+$NFT list ruleset | grep "192.168.0.0/23" >/dev/null && exit 0
+echo "E: automerging of adjavect intervals failed in named set" >&2
+exit 1
diff --git a/tests/shell/testcases/sets/0003named_interval_missing_flag_0 b/tests/shell/testcases/sets/0003named_interval_missing_flag_0
new file mode 100755
index 00000000..e0b7f74c
--- /dev/null
+++ b/tests/shell/testcases/sets/0003named_interval_missing_flag_0
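Review bot: The `exit 0` in the mktemp-failure branch of 0001named_interval_0 reports success although nothing was loaded or checked; if the runner treats a zero exit as a pass (the `_0` suffix suggests so, but the runner is not shown here), a broken environment would hide a regression in interval-set parsing. I would use `exit 1` there, or a dedicated skip code if the harness has one. `set -e` is also enabled only after the ruleset has been written, so a failed write to `$tmpfile` goes unnoticed before `$NFT -f` runs; moving `set -e` to the top and quoting the path (`[ ! -w "$tmpfile" ]`, `> "$tmpfile"`, `$NFT -f "$tmpfile"`) would tighten this.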
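Review bot: The pass condition in 0002named_interval_automerging_0 greps the whole ruleset with a regular expression, so the dots match any character and the match is not tied to set `s`. `$NFT list set t s | grep -qF "192.168.0.0/23" && exit 0` would check a literal string in the set under test. The error string has a typo, `adjavect` for `adjacent`, which makes the failure harder to find when searching logs. The header comment could also state the expected result, for example `# two adjacent /24 prefixes must be listed as a single /23`.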
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of flags in named intervals
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+if $NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 } 2>/dev/null ; then
+ echo "E: accepted interval in named set without proper flags" >&2
+ exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0004named_interval_shadow_0 b/tests/shell/testcases/sets/0004named_interval_shadow_0
new file mode 100755
index 00000000..827423d5
--- /dev/null
+++ b/tests/shell/testcases/sets/0004named_interval_shadow_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of shadowed elements
+
+set -e
+$NFT add table inet t
+$NFT add set inet t s { type ipv6_addr \; flags interval \; }
+$NFT add element inet t s { fe00::/64 }
+if $NFT add element inet t s { fe00::/48 } 2>/dev/null ; then
+ echo "E: accepted shadowed element in named set" >&2
+ exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0005named_interval_shadow_0 b/tests/shell/testcases/sets/0005named_interval_shadow_0
new file mode 100755
index 00000000..14fcbdca
--- /dev/null
+++ b/tests/shell/testcases/sets/0005named_interval_shadow_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of shadowed elements
+
+set -e
+$NFT add table inet t
+$NFT add set inet t s { type ipv6_addr \; flags interval \; }
+$NFT add element inet t s { fe00::/48 }
+if $NFT add element inet t s { fe00::/64 } 2>/dev/null ; then
+ echo "E: accepted shadowed element in named set" >&2
+ exit 1
+fi
+exit 0 |
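Review bot: The negative check in 0003named_interval_missing_flag_0 accepts any non-zero exit from `$NFT add element` as the expected rejection and discards stderr, so a crash or an unrelated failure would also be recorded as a pass. The same pattern is used in 0004named_interval_shadow_0 and 0005named_interval_shadow_0. I would capture the status with `rc=0; $NFT add element t s { ... } 2>/dev/null || rc=$?` and fail on `if [ "$rc" -eq 0 ] || [ "$rc" -ge 128 ] ; then`, so that an exit caused by a signal is not mistaken for a clean refusal. A follow-up `$NFT list ruleset` check that the rejected element is absent would also confirm the set was left unchanged.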
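Review bot: 0004named_interval_shadow_0 and 0005named_interval_shadow_0 carry the same header comment although they cover opposite orders: in 0004 the wider `fe00::/48` is added over an existing `fe00::/64`, in 0005 the narrower `fe00::/64` is added inside an existing `fe00::/48`. A comment per file naming its case, such as `# new element fe00::/48 contains the existing fe00::/64` and `# new element fe00::/64 is contained in the existing fe00::/48`, would make a failure easier to attribute. The `E:` message is identical in both files as well, so the log alone does not show which direction was wrongly accepted.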