Diffstat (limited to 'tests/files')
-rw-r--r-- | tests/files/chain-rename.1 | 7 | ||||
-rw-r--r-- | tests/files/chain-rename.2 | 4 | ||||
-rw-r--r-- | tests/files/chain-rename.3 | 5 | ||||
-rw-r--r-- | tests/files/dictionary | 52 | ||||
-rw-r--r-- | tests/files/error.1 | 9 | ||||
-rw-r--r-- | tests/files/error.2 | 18 | ||||
-rw-r--r-- | tests/files/expr-concat | 19 | ||||
-rw-r--r-- | tests/files/expr-ct | 26 | ||||
-rw-r--r-- | tests/files/expr-meta | 40 | ||||
-rw-r--r-- | tests/files/family-bridge | 13 | ||||
-rw-r--r-- | tests/files/family-ipv4 | 14 | ||||
-rw-r--r-- | tests/files/family-ipv6 | 13 | ||||
-rw-r--r-- | tests/files/feat-adjancent-load-merging | 13 | ||||
-rw-r--r-- | tests/files/loop-detect.1 | 8 | ||||
-rw-r--r-- | tests/files/loop-detect.2 | 7 | ||||
-rw-r--r-- | tests/files/loop-detect.3 | 7 | ||||
-rw-r--r-- | tests/files/loop-detect.4 | 7 | ||||
-rw-r--r-- | tests/files/obj-chain | 22 | ||||
-rw-r--r-- | tests/files/obj-table | 9 | ||||
-rw-r--r-- | tests/files/payload-ll | 15 | ||||
-rw-r--r-- | tests/files/prefix | 5 | ||||
-rw-r--r-- | tests/files/set | 14 | ||||
-rw-r--r-- | tests/files/stmt-log | 6 | ||||
-rw-r--r-- | tests/files/symbolic-define.1 | 7 | ||||
-rw-r--r-- | tests/files/symbolic-define.2 | 7 | ||||
-rw-r--r-- | tests/files/symbolic-define.3 | 6 | ||||
-rw-r--r-- | tests/files/verdict-maps | 20 |
27 files changed, 373 insertions, 0 deletions
diff --git a/tests/files/chain-rename.1 b/tests/files/chain-rename.1
new file mode 100644
index 00000000..870416ca
--- /dev/null
+++ b/tests/files/chain-rename.1
@@ -0,0 +1,7 @@
+#! nft -f
+
+# Create table and empty chains for rename test
+add table filter
+
+add chain filter chain1
+add chain filter chain2
diff --git a/tests/files/chain-rename.2 b/tests/files/chain-rename.2
new file mode 100644
index 00000000..1250dab0
--- /dev/null
+++ b/tests/files/chain-rename.2
@@ -0,0 +1,4 @@
+#! nft -f
+
+# must fail: already exists
+rename chain filter chain1 chain2
diff --git a/tests/files/chain-rename.3 b/tests/files/chain-rename.3
new file mode 100644
index 00000000..796c1a13
--- /dev/null
+++ b/tests/files/chain-rename.3
@@ -0,0 +1,5 @@
+#! nft -f
+
+# must succeed
+rename chain filter chain1 chain3
+delete chain filter chain3
diff --git a/tests/files/dictionary b/tests/files/dictionary
new file mode 100644
index 00000000..b4e6c521
--- /dev/null
+++ b/tests/files/dictionary
@@ -0,0 +1,52 @@
+#! nft -f
+#
+add table ip filter
+add chain ip filter output { type filter hook output priority 0 ; }
+
+add chain ip filter chain1
+add rule ip filter chain1 counter
+
+add chain ip filter chain2
+add rule ip filter chain2 counter
+
+# must succeed: expr { expr, ... }
+add rule ip filter OUTPUT tcp dport { \
+ 22, \
+ 23, \
+}
+
+# must fail: expr { type1, type2, ... }
+add rule ip filter OUTPUT tcp dport { \
+ 22, \
+ 192.168.0.1, \
+}
+
+# must succeed: expr { expr : verdict, ... }
+add rule ip filter OUTPUT tcp dport vmap { \
+ 22 : jump chain1, \
+ 23 : jump chain2, \
+}
+
+# must fail: expr { expr : verdict, expr : expr, ... }
+add rule ip filter OUTPUT tcp dport vmap { \
+ 22 : jump chain1, \
+ 23 : 0x100, \
+}
+
+# must fail: expr { expr : expr, ...}
+add rule ip filter OUTPUT tcp dport vmap { \
+ 22 : 0x100, \
+ 23 : 0x200, \
+}
+
+# must succeed: expr MAP { expr : expr, ... } expr
+add rule ip filter OUTPUT meta mark set tcp dport map { \
+ 22 : 1, \
+ 23 : 2, \
+}
+
+# must fail: expr MAP { expr : type1, expr : type2, .. } expr
+add rule ip filter OUTPUT meta mark set tcp dport map { \
+ 22 : 1, \
+ 23 : 192.168.0.1, \
+}
diff --git a/tests/files/error.1 b/tests/files/error.1
new file mode 100644
index 00000000..bc3bf16a
--- /dev/null
+++ b/tests/files/error.1
@@ -0,0 +1,9 @@
+#! nft -f
+
+# mixed syntactical and non-syntactical errors
+filter {
+filter input
+filter input tcp
+filter input tcp dport
+filter input tcp dport tcp
+filter input tcp dport tcp dport
diff --git a/tests/files/error.2 b/tests/files/error.2
new file mode 100644
index 00000000..744a63d5
--- /dev/null
+++ b/tests/files/error.2
@@ -0,0 +1,18 @@
+#! nft -f
+
+# mixed syntactical and non-syntactical errors in blocks
+table filter {
+ # missing identifier
+ chain
+
+ # missing chain block
+ chain output
+
+ chain output {
+ tcp
+ tcp dport
+ tcp dport tcp
+ tcp dport tcp dport
+ tcp dport ssh
+ }
+}
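Review bot: Every rule in tests/files/dictionary targets chain `OUTPUT`, but the only hooked chain the file creates is `output` (`add chain ip filter output { type filter hook output priority 0 ; }`); if chain names are matched case-sensitively, the "must succeed" cases are rejected for an unknown chain rather than exercising set and map element typing, and the "must fail" cases fail for the wrong reason. Using one spelling on both sides, e.g. `add rule ip filter output tcp dport { \`, keeps each case meaningful. The bare `#` line after the shebang looks like a leftover and could carry a one-line description of what the file checks instead. Since must-succeed and must-fail rules are interleaved, a comment stating whether the driver is expected to continue past the first error would tell a reader whether the later cases are actually reached.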
diff --git a/tests/files/expr-concat b/tests/files/expr-concat
new file mode 100644
index 00000000..bb284cce
--- /dev/null
+++ b/tests/files/expr-concat
@@ -0,0 +1,19 @@
+#! nft -f
+
+# Concat element mismatch
+add rule ip filter output ip daddr . tcp sport . tcp dport { \
+ 192.168.0.1 . 22, \
+ 192.168.0.1 . 80, \
+}
+
+# Concat type mismatch
+add rule ip filter output ip daddr . tcp dport { \
+ 192.168.0.1 . 192.168.0.2, \
+ 192.168.0.1 . 192.168.0.3, \
+}
+
+# Concat expression
+add rule ip filter output ip daddr . tcp dport { \
+ 192.168.0.1 . 22, \
+ 192.168.0.1 . 80, \
+}
diff --git a/tests/files/expr-ct b/tests/files/expr-ct
new file mode 100644
index 00000000..1dfc7ac6
--- /dev/null
+++ b/tests/files/expr-ct
@@ -0,0 +1,26 @@
+#! nft -f
+
+add table ip filter
+add chain ip filter output { type filter hook output priority 0 ; }
+
+# ct: state
+add rule ip filter output ct state new,established counter
+
+# ct: direction original/reply
+add rule ip filter output ct direction original counter
+add rule ip filter output ct direction reply counter
+
+# ct: status
+add rule ip filter output ct status expected counter
+
+# ct: mark
+add rule ip filter output ct mark 0 counter
+
+# ct: secmark
+add rule ip filter output ct secmark 0 counter
+
+# ct: expiration
+add rule ip filter output ct expiration 30 counter
+
+# ct: helper ftp
+add rule ip filter output ct helper "ftp" counter
diff --git a/tests/files/expr-meta b/tests/files/expr-meta
new file mode 100644
index 00000000..360caa7d
--- /dev/null
+++ b/tests/files/expr-meta
@@ -0,0 +1,40 @@
+#! nft -f
+
+add table ip filter
+add chain ip filter output { type filter hook output priority 0 ; }
+
+# meta: skb len
+add rule ip filter output meta length 1000 counter
+
+# meta: skb protocol
+add rule ip filter output meta protocol 0x0800 counter
+
+# meta: skb mark
+add rule ip filter output meta mark 0 counter
+
+# meta: skb iif
+add rule ip filter output meta iif lo counter
+
+# meta: skb iifname
+add rule ip filter output meta iifname "eth0" counter
+
+# meta: skb oif
+add rule ip filter output meta oif lo counter
+
+# meta: skb oifname
+add rule ip filter output meta oifname "eth0" counter
+
+# meta: skb sk uid
+add rule ip filter output meta skuid 1000 counter
+
+# meta: skb sk gid
+add rule ip filter output meta skgid 1000 counter
+
+# meta: nftrace
+add rule ip filter output meta nftrace 1 counter
+
+# meta: rtclassid (see /etc/iproute2/rt_realms)
+add rule ip filter output meta rtclassid cosmos counter
+
+# meta: secmark
+add rule ip filter output meta secmark 0 counter
diff --git a/tests/files/family-bridge b/tests/files/family-bridge
new file mode 100644
index 00000000..c87c8320
--- /dev/null
+++ b/tests/files/family-bridge
@@ -0,0 +1,13 @@
+#! nft -f
+
+add table bridge filter
+add chain bridge filter output { type filter hook output priority 0 ; }
+
+# LL protocol
+add rule bridge filter output eth type 0x0800 counter
+
+# IP address
+add rule bridge filter output eth type 0x0800 ip daddr 20.0.0.2 counter
+
+# IPv6 address
+add rule bridge filter output eth type 0x86DD ip6 daddr 2001:6f8:974:3::2 counter
diff --git a/tests/files/family-ipv4 b/tests/files/family-ipv4
new file mode 100644
index 00000000..0700e16d
--- /dev/null
+++ b/tests/files/family-ipv4
@@ -0,0 +1,14 @@
+#! nft -f
+
+flush chain ip filter output
+delete chain ip filter output
+delete table filter
+
+add table ip filter
+add chain ip filter output { type filter hook input priority 0; }
+
+# IP address
+add rule ip filter output ip daddr 192.168.0.1 counter
+
+# TCP ports
+add rule ip filter output tcp dport 22 counter
diff --git a/tests/files/family-ipv6 b/tests/files/family-ipv6
new file mode 100644
index 00000000..cfc740c1
--- /dev/null
+++ b/tests/files/family-ipv6
@@ -0,0 +1,13 @@
+#! nft -f
+
+add table ip6 filter
+add chain ip6 filter output { type filter hook output priority 0 ; }
+
+# IP address
+add rule ip6 filter output ip6 daddr 2001:6f8:974::1 counter
+
+# Next protocol
+add rule ip6 filter output ip6 nexthdr tcp
+
+# TCP ports
+add rule ip6 filter output tcp dport 22 counter
diff --git a/tests/files/feat-adjancent-load-merging b/tests/files/feat-adjancent-load-merging
new file mode 100644
index 00000000..11771746
--- /dev/null
+++ b/tests/files/feat-adjancent-load-merging
@@ -0,0 +1,13 @@
+#! nft -f
+
+# adjacent payload expressions: 4 bytes in order
+add rule filter output tcp sport 1024 tcp dport 22 counter
+
+# adjacent payload expressions: 8 bytes in order
+add rule filter output ip saddr 192.168.0.1 ip daddr 192.168.0.100 counter
+
+# adjacent payload expressions: 8 bytes in order
+add rule filter output tcp sequence 0 tcp sport 1024 tcp dport 22
+
+# adjacent payload expressions: 8 bytes in reverse order
+add rule filter output tcp sport 1024 tcp dport 22 tcp sequence 0
diff --git a/tests/files/loop-detect.1 b/tests/files/loop-detect.1
new file mode 100644
index 00000000..e55864c8
--- /dev/null
+++ b/tests/files/loop-detect.1
@@ -0,0 +1,8 @@
+#! nft -f
+
+# Create table and empty chains for loop detection tests
+add table filter
+
+add chain filter chain1
+add chain filter chain2
+add chain filter chain3
diff --git a/tests/files/loop-detect.2 b/tests/files/loop-detect.2
new file mode 100644
index 00000000..88a95e0b
--- /dev/null
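Review bot: In tests/files/family-ipv4 the chain named `output` is attached to the input hook, `add chain ip filter output { type filter hook input priority 0; }`, which disagrees with the chain's name and with the sibling files (family-ipv6 and family-bridge both use `hook output` for their `output` chain); unless the mismatch is the point of the test it should read `add chain ip filter output { type filter hook output priority 0; }`. The leading `flush chain` / `delete chain` / `delete table` lines only succeed if an earlier file left that table and chain behind, so this file's result depends on run order — a comment naming that precondition would save the next person a confusing failure. `delete table filter` also drops the `ip` family that every other line in the file spells out, which is inconsistent even if the parser accepts both forms.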
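Review bot: The new file name `tests/files/feat-adjancent-load-merging` misspells "adjacent", and since its own comments spell the word correctly the name is presumably a typo rather than deliberate; renaming it before other references accumulate is the cheap fix. Its four rules address `filter output` without creating the table or base chain, unlike expr-ct or family-ipv6 which set up their own, so the file only works after another test has created them — a one-line comment stating which file it depends on (or its own `add table` / `add chain` lines) would make that explicit. The third and fourth comments both say "8 bytes" but the rules compare sequence, sport and dport; if the intent is to distinguish the ordered and reversed cases, the comments could state the expected merged load rather than repeating the byte count.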
+++ b/tests/files/loop-detect.2
@@ -0,0 +1,7 @@
+#! nft -f
+
+# Circular regular jumps: chain1 -> chain2 -> chain3 -> chain1
+flush table filter
+add filter chain1 jump chain2
+add filter chain2 jump chain3
+add filter chain3 jump chain1
diff --git a/tests/files/loop-detect.3 b/tests/files/loop-detect.3
new file mode 100644
index 00000000..80f7fc5a
--- /dev/null
+++ b/tests/files/loop-detect.3
@@ -0,0 +1,7 @@
+#! nft -f
+
+# Circular jump when creating an anonymous verdict map: chain1 -> chain2 -> chain3 -> chain1
+flush table filter
+add filter chain1 jump chain2
+add filter chain2 jump chain3
+add filter chain3 ip daddr vmap { 10.0.0.1 : continue, 192.168.0.1 : jump chain1 }
diff --git a/tests/files/loop-detect.4 b/tests/files/loop-detect.4
new file mode 100644
index 00000000..acd9a342
--- /dev/null
+++ b/tests/files/loop-detect.4
@@ -0,0 +1,7 @@
+#! nft -f
+
+# Circular jump with an intermediate anonymous verdict map: chain1 -> chain2 -> chain3 -> chain1
+flush table filter
+add filter chain1 jump chain2
+add filter chain2 ip daddr vmap { 10.0.0.1 : continue, 192.168.0.1 : jump chain3 }
+add filter chain3 jump chain1
diff --git a/tests/files/obj-chain b/tests/files/obj-chain
new file mode 100644
index 00000000..2bce0268
--- /dev/null
+++ b/tests/files/obj-chain
@@ -0,0 +1,22 @@
+#! nft -f
+
+add table filter
+
+# chains: add and delete chain
+add chain filter testchain
+delete chain filter testchain
+
+# chains: add and delete base chain
+add chain filter input { type filter hook input priority 0 ; }
+delete chain filter input
+
+# chains: can not delete chain while referenced
+add chain filter testchain
+add chain filter testchain2
+
+add rule filter testchain handle 1 jump testchain2
+delete chain filter testchain2
+delete rule filter testchain handle 1
+
+delete chain filter testchain2
+delete chain filter testchain
diff --git a/tests/files/obj-table b/tests/files/obj-table
new file mode 100644
index 00000000..8b264cf5
--- /dev/null
+++ b/tests/files/obj-table
@@ -0,0 +1,9 @@
+#! nft -f
+
+# table: add and delete table
+add table filter
+table delete filter
+
+# table: deleting table with chain must fail
+add chain filter output
+table delete filter
diff --git a/tests/files/payload-ll b/tests/files/payload-ll
new file mode 100644
index 00000000..7f5660b1
--- /dev/null
+++ b/tests/files/payload-ll
@@ -0,0 +1,15 @@
+#! nft -f
+
+add table ip filter
+add chain ip filter input { type filter hook input priority 0; }
+
+# mac source
+add rule ip filter input @ll,48,48 00:15:e9:f0:10:f8 counter
+
+# mac dest
+add rule ip filter input @ll,0,48 00:1b:21:02:6f:ad counter
+
+# mac source and mac dest
+add rule ip filter input @ll,0,48 00:1b:21:02:6f:ad \
+ @ll,48,48 00:15:e9:f0:10:f8 \
+ counter
diff --git a/tests/files/prefix b/tests/files/prefix
new file mode 100644
index 00000000..bada8503
--- /dev/null
+++ b/tests/files/prefix
@@ -0,0 +1,5 @@
+add rule filter OUTPUT meta mark 123/0x000000ff
+add rule filter OUTPUT ip daddr 192.168.0.0/24
+add rule filter OUTPUT ip daddr 192.168.0.0/255.255.255.0
+add rule filter OUTPUT ip saddr . ip daddr 192.168.0.0/24 . 192.168.0.0/24
+add rule filter OUTPUT ip daddr { 192.168.0.0/24, 192.168.1.0/24}
diff --git a/tests/files/set b/tests/files/set
new file mode 100644
index 00000000..3c040b0a
--- /dev/null
+++ b/tests/files/set
@@ -0,0 +1,14 @@
+#! nft -f
+
+add table filter
+add chain filter output { type filter hook output priority 0 ; }
+
+# set: IP addresses
+add rule filter output ip daddr { \
+ 192.168.0.1, \
+ 192.168.0.2, \
+ 192.168.0.3, \
+}
+
+# set: tcp ports
+add rule filter output tcp dport { 22, 23 } counter
diff --git a/tests/files/stmt-log b/tests/files/stmt-log
new file mode 100644
index 00000000..2ae7aae6
--- /dev/null
+++ b/tests/files/stmt-log
@@ -0,0 +1,6 @@
+#! nft -f
+
+add table ip filter
+add chain ip filter output { type filter hook output priority 0; }
+
+add rule ip filter output log saddr "prefix" group 0 counter
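Review bot: Both deletion lines in tests/files/obj-table are written verb-last, `table delete filter`, while every other file in this series puts the verb first (`delete chain filter testchain` in obj-chain, `delete table filter` in family-ipv4). If the grammar only accepts the verb-first form, the first `table delete filter` is a parse error and the "must fail" case below it then fails for the wrong reason — a syntax error instead of a table that still holds a chain — so the test would pass without checking anything. Either change both lines to `delete table filter`, or add a comment stating that the reversed spelling is itself under test.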
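Review bot: tests/files/prefix is the only file in this series without the `#! nft -f` header, and it neither creates table `filter` and chain `OUTPUT` nor says which earlier file is expected to have done so, so it cannot be read or run on its own. Adding the header and a one-line comment naming the precondition (or the usual `add table filter` / `add chain filter OUTPUT ...` lines) would make it self-describing like set or expr-ct. The last line's set literal ends in `192.168.1.0/24}` without the space before `}` that the other set literals here use; harmless if the grammar tolerates it, but inconsistent.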
diff --git a/tests/files/symbolic-define.1 b/tests/files/symbolic-define.1
new file mode 100644
index 00000000..712ef715
--- /dev/null
+++ b/tests/files/symbolic-define.1
@@ -0,0 +1,7 @@
+#! nft -f
+
+# error: variable use before definition
+define var2 = $var1
+define var1 = eth0
+
+filter input iif $var2
diff --git a/tests/files/symbolic-define.2 b/tests/files/symbolic-define.2
new file mode 100644
index 00000000..cd3c23c3
--- /dev/null
+++ b/tests/files/symbolic-define.2
@@ -0,0 +1,7 @@
+#! nft -f
+
+# error: redefinition of an existing variable
+define var1 = eth0
+define var1 = eth0
+
+filter input iif $var1
diff --git a/tests/files/symbolic-define.3 b/tests/files/symbolic-define.3
new file mode 100644
index 00000000..ba224df7
--- /dev/null
+++ b/tests/files/symbolic-define.3
@@ -0,0 +1,6 @@
+#! nft -f
+
+# error: recursive definition of a variable
+define var1 = $var1
+
+filter input iif $var1
diff --git a/tests/files/verdict-maps b/tests/files/verdict-maps
new file mode 100644
index 00000000..c1630ce3
--- /dev/null
+++ b/tests/files/verdict-maps
@@ -0,0 +1,20 @@
+#! nft -f
+#
+
+add table ip filter
+add chain ip filter input { type filter hook input priority 0; }
+
+add chain ip filter chain1
+add filter chain1 counter
+
+add chain ip filter chain2
+add filter chain2 counter
+
+add chain ip filter chain3
+add filter chain3 counter
+
+add filter input ip saddr vmap { \
+ 10.0.0.0/24 : jump chain1, \
+ 10.0.0.0/8 : jump chain2, \
+ 8.8.8.8 : jump chain3 \
+}
|