Diffstat (limited to 'tests/files')
-rw-r--r--tests/files/chain-rename.17
-rw-r--r--tests/files/chain-rename.24
-rw-r--r--tests/files/chain-rename.35
-rw-r--r--tests/files/dictionary52
-rw-r--r--tests/files/error.19
-rw-r--r--tests/files/error.218
-rw-r--r--tests/files/expr-concat19
-rw-r--r--tests/files/expr-ct26
-rw-r--r--tests/files/expr-meta40
-rw-r--r--tests/files/family-bridge13
-rw-r--r--tests/files/family-ipv414
-rw-r--r--tests/files/family-ipv613
-rw-r--r--tests/files/feat-adjancent-load-merging13
-rw-r--r--tests/files/loop-detect.18
-rw-r--r--tests/files/loop-detect.27
-rw-r--r--tests/files/loop-detect.37
-rw-r--r--tests/files/loop-detect.47
-rw-r--r--tests/files/obj-chain22
-rw-r--r--tests/files/obj-table9
-rw-r--r--tests/files/payload-ll15
-rw-r--r--tests/files/prefix5
-rw-r--r--tests/files/set14
-rw-r--r--tests/files/stmt-log6
-rw-r--r--tests/files/symbolic-define.17
-rw-r--r--tests/files/symbolic-define.27
-rw-r--r--tests/files/symbolic-define.36
-rw-r--r--tests/files/verdict-maps20
27 files changed, 373 insertions, 0 deletions
diff --git a/tests/files/chain-rename.1 b/tests/files/chain-rename.1
new file mode 100644
index 00000000..870416ca
--- /dev/null
+++ b/tests/files/chain-rename.1
@@ -0,0 +1,7 @@
+#! nft -f
+
+# Create table and empty chains for rename test
+add table filter
+
+add chain filter chain1
+add chain filter chain2
diff --git a/tests/files/chain-rename.2 b/tests/files/chain-rename.2
new file mode 100644
index 00000000..1250dab0
--- /dev/null
+++ b/tests/files/chain-rename.2
@@ -0,0 +1,4 @@
+#! nft -f
+
+# must fail: already exists
+rename chain filter chain1 chain2
diff --git a/tests/files/chain-rename.3 b/tests/files/chain-rename.3
new file mode 100644
index 00000000..796c1a13
--- /dev/null
+++ b/tests/files/chain-rename.3
@@ -0,0 +1,5 @@
+#! nft -f
+
+# must succeed
+rename chain filter chain1 chain3
+delete chain filter chain3
diff --git a/tests/files/dictionary b/tests/files/dictionary
new file mode 100644
index 00000000..b4e6c521
--- /dev/null
+++ b/tests/files/dictionary
@@ -0,0 +1,52 @@
+#! nft -f
+#
+add table ip filter
+add chain ip filter output { type filter hook output priority 0 ; }
+
+add chain ip filter chain1
+add rule ip filter chain1 counter
+
+add chain ip filter chain2
+add rule ip filter chain2 counter
+
+# must succeed: expr { expr, ... }
+add rule ip filter OUTPUT tcp dport { \
+ 22, \
+ 23, \
+}
+
+# must fail: expr { type1, type2, ... }
+add rule ip filter OUTPUT tcp dport { \
+ 22, \
+ 192.168.0.1, \
+}
+
+# must succeed: expr { expr : verdict, ... }
+add rule ip filter OUTPUT tcp dport vmap { \
+ 22 : jump chain1, \
+ 23 : jump chain2, \
+}
+
+# must fail: expr { expr : verdict, expr : expr, ... }
+add rule ip filter OUTPUT tcp dport vmap { \
+ 22 : jump chain1, \
+ 23 : 0x100, \
+}
+
+# must fail: expr { expr : expr, ...}
+add rule ip filter OUTPUT tcp dport vmap { \
+ 22 : 0x100, \
+ 23 : 0x200, \
+}
+
+# must succeed: expr MAP { expr : expr, ... } expr
+add rule ip filter OUTPUT meta mark set tcp dport map { \
+ 22 : 1, \
+ 23 : 2, \
+}
+
+# must fail: expr MAP { expr : type1, expr : type2, .. } expr
+add rule ip filter OUTPUT meta mark set tcp dport map { \
+ 22 : 1, \
+ 23 : 192.168.0.1, \
+}
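Review bot: Every rule in this file targets a chain named `OUTPUT`, but the only base chain the file creates (line 4 of the hunk) is `output`; chain names are case-sensitive, so even the "must succeed" cases would be rejected for a reason unrelated to what they test. Changing the rules to `add rule ip filter output tcp dport { \` (and the same for the vmap/map rules) keeps the test on the set/map typing it is meant to exercise. The bare `#` on the second line also looks like a leftover that could carry a one-line description of the file, e.g. `# set, verdict-map and map typing checks`.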
diff --git a/tests/files/error.1 b/tests/files/error.1
new file mode 100644
index 00000000..bc3bf16a
--- /dev/null
+++ b/tests/files/error.1
@@ -0,0 +1,9 @@
+#! nft -f
+
+# mixed syntactical and non-syntactical errors
+filter {
+filter input
+filter input tcp
+filter input tcp dport
+filter input tcp dport tcp
+filter input tcp dport tcp dport
diff --git a/tests/files/error.2 b/tests/files/error.2
new file mode 100644
index 00000000..744a63d5
--- /dev/null
+++ b/tests/files/error.2
@@ -0,0 +1,18 @@
+#! nft -f
+
+# mixed syntactical and non-syntactical errors in blocks
+table filter {
+ # missing identifier
+ chain
+
+ # missing chain block
+ chain output
+
+ chain output {
+ tcp
+ tcp dport
+ tcp dport tcp
+ tcp dport tcp dport
+ tcp dport ssh
+ }
+}
diff --git a/tests/files/expr-concat b/tests/files/expr-concat
new file mode 100644
index 00000000..bb284cce
--- /dev/null
+++ b/tests/files/expr-concat
@@ -0,0 +1,19 @@
+#! nft -f
+
+# Concat element mismatch
+add rule ip filter output ip daddr . tcp sport . tcp dport { \
+ 192.168.0.1 . 22, \
+ 192.168.0.1 . 80, \
+}
+
+# Concat type mismatch
+add rule ip filter output ip daddr . tcp dport { \
+ 192.168.0.1 . 192.168.0.2, \
+ 192.168.0.1 . 192.168.0.3, \
+}
+
+# Concat expression
+add rule ip filter output ip daddr . tcp dport { \
+ 192.168.0.1 . 22, \
+ 192.168.0.1 . 80, \
+}
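Review bot: Unlike the dictionary test, this file does not say which of its three rules are expected to fail, so a runner cannot tell an intended rejection from a regression. The first two cases look like negative tests (three concatenated keys against two-element entries, and an address where a port is expected), so the comments should state it: `# must fail: concat element count mismatch (3 keys, 2 values)`, `# must fail: concat type mismatch (port expected)`, `# must succeed: concat expression`. The file also creates no table or chain, so it presumably depends on state left by an earlier test; if so, that should be noted at the top.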
diff --git a/tests/files/expr-ct b/tests/files/expr-ct
new file mode 100644
index 00000000..1dfc7ac6
--- /dev/null
+++ b/tests/files/expr-ct
@@ -0,0 +1,26 @@
+#! nft -f
+
+add table ip filter
+add chain ip filter output { type filter hook output priority 0 ; }
+
+# ct: state
+add rule ip filter output ct state new,established counter
+
+# ct: direction original/reply
+add rule ip filter output ct direction original counter
+add rule ip filter output ct direction reply counter
+
+# ct: status
+add rule ip filter output ct status expected counter
+
+# ct: mark
+add rule ip filter output ct mark 0 counter
+
+# ct: secmark
+add rule ip filter output ct secmark 0 counter
+
+# ct: expiration
+add rule ip filter output ct expiration 30 counter
+
+# ct: helper ftp
+add rule ip filter output ct helper "ftp" counter
diff --git a/tests/files/expr-meta b/tests/files/expr-meta
new file mode 100644
index 00000000..360caa7d
--- /dev/null
+++ b/tests/files/expr-meta
@@ -0,0 +1,40 @@
+#! nft -f
+
+add table ip filter
+add chain ip filter output { type filter hook output priority 0 ; }
+
+# meta: skb len
+add rule ip filter output meta length 1000 counter
+
+# meta: skb protocol
+add rule ip filter output meta protocol 0x0800 counter
+
+# meta: skb mark
+add rule ip filter output meta mark 0 counter
+
+# meta: skb iif
+add rule ip filter output meta iif lo counter
+
+# meta: skb iifname
+add rule ip filter output meta iifname "eth0" counter
+
+# meta: skb oif
+add rule ip filter output meta oif lo counter
+
+# meta: skb oifname
+add rule ip filter output meta oifname "eth0" counter
+
+# meta: skb sk uid
+add rule ip filter output meta skuid 1000 counter
+
+# meta: skb sk gid
+add rule ip filter output meta skgid 1000 counter
+
+# meta: nftrace
+add rule ip filter output meta nftrace 1 counter
+
+# meta: rtclassid (see /etc/iproute2/rt_realms)
+add rule ip filter output meta rtclassid cosmos counter
+
+# meta: secmark
+add rule ip filter output meta secmark 0 counter
diff --git a/tests/files/family-bridge b/tests/files/family-bridge
new file mode 100644
index 00000000..c87c8320
--- /dev/null
+++ b/tests/files/family-bridge
@@ -0,0 +1,13 @@
+#! nft -f
+
+add table bridge filter
+add chain bridge filter output { type filter hook output priority 0 ; }
+
+# LL protocol
+add rule bridge filter output eth type 0x0800 counter
+
+# IP address
+add rule bridge filter output eth type 0x0800 ip daddr 20.0.0.2 counter
+
+# IPv6 address
+add rule bridge filter output eth type 0x86DD ip6 daddr 2001:6f8:974:3::2 counter
diff --git a/tests/files/family-ipv4 b/tests/files/family-ipv4
new file mode 100644
index 00000000..0700e16d
--- /dev/null
+++ b/tests/files/family-ipv4
@@ -0,0 +1,14 @@
+#! nft -f
+
+flush chain ip filter output
+delete chain ip filter output
+delete table filter
+
+add table ip filter
+add chain ip filter output { type filter hook input priority 0; }
+
+# IP address
+add rule ip filter output ip daddr 192.168.0.1 counter
+
+# TCP ports
+add rule ip filter output tcp dport 22 counter
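Review bot: The base chain named `output` is registered on `hook input` (eighth line of the hunk), whereas the family-ipv6 and family-bridge files use `hook output` for the same chain; this looks like a typo and should be `add chain ip filter output { type filter hook output priority 0; }`. The preceding `delete table filter` also omits the `ip` family that every other statement in the file spells out, which is worth making consistent. The leading flush/delete sequence assumes the chain already exists, so a comment such as `# clean up state from earlier tests` would explain why the file starts with deletions.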
diff --git a/tests/files/family-ipv6 b/tests/files/family-ipv6
new file mode 100644
index 00000000..cfc740c1
--- /dev/null
+++ b/tests/files/family-ipv6
@@ -0,0 +1,13 @@
+#! nft -f
+
+add table ip6 filter
+add chain ip6 filter output { type filter hook output priority 0 ; }
+
+# IP address
+add rule ip6 filter output ip6 daddr 2001:6f8:974::1 counter
+
+# Next protocol
+add rule ip6 filter output ip6 nexthdr tcp
+
+# TCP ports
+add rule ip6 filter output tcp dport 22 counter
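Review bot: The `ip6 nexthdr tcp` rule is the only rule in this file without a trailing `counter`, while every other rule in this and the sibling family files ends with one. If the omission is deliberate the comment should say so; otherwise `add rule ip6 filter output ip6 nexthdr tcp counter` keeps the file uniform.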
diff --git a/tests/files/feat-adjancent-load-merging b/tests/files/feat-adjancent-load-merging
new file mode 100644
index 00000000..11771746
--- /dev/null
+++ b/tests/files/feat-adjancent-load-merging
@@ -0,0 +1,13 @@
+#! nft -f
+
+# adjacent payload expressions: 4 bytes in order
+add rule filter output tcp sport 1024 tcp dport 22 counter
+
+# adjacent payload expressions: 8 bytes in order
+add rule filter output ip saddr 192.168.0.1 ip daddr 192.168.0.100 counter
+
+# adjacent payload expressions: 8 bytes in order
+add rule filter output tcp sequence 0 tcp sport 1024 tcp dport 22
+
+# adjacent payload expressions: 8 bytes in reverse order
+add rule filter output tcp sport 1024 tcp dport 22 tcp sequence 0
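Review bot: The two "8 bytes" comments appear to be swapped: with the TCP header layout (sport at offset 0, dport at 2, sequence at 4) the rule `tcp sequence 0 tcp sport 1024 tcp dport 22` lists its loads in reverse order, while `tcp sport 1024 tcp dport 22 tcp sequence 0` lists them in order. Swapping the two comment texts, or rewording them as `# adjacent payload expressions: 8 bytes, sequence first (reverse order)` and `# adjacent payload expressions: 8 bytes in header order`, makes the intent match the rules. The file name also misspells "adjacent" as "adjancent", which is worth fixing before other tests reference it, and like expr-concat it creates no table or chain of its own.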
diff --git a/tests/files/loop-detect.1 b/tests/files/loop-detect.1
new file mode 100644
index 00000000..e55864c8
--- /dev/null
+++ b/tests/files/loop-detect.1
@@ -0,0 +1,8 @@
+#! nft -f
+
+# Create table and empty chains for loop detection tests
+add table filter
+
+add chain filter chain1
+add chain filter chain2
+add chain filter chain3
diff --git a/tests/files/loop-detect.2 b/tests/files/loop-detect.2
new file mode 100644
index 00000000..88a95e0b
--- /dev/null
+++ b/tests/files/loop-detect.2
@@ -0,0 +1,7 @@
+#! nft -f
+
+# Circular regular jumps: chain1 -> chain2 -> chain3 -> chain1
+flush table filter
+add filter chain1 jump chain2
+add filter chain2 jump chain3
+add filter chain3 jump chain1
diff --git a/tests/files/loop-detect.3 b/tests/files/loop-detect.3
new file mode 100644
index 00000000..80f7fc5a
--- /dev/null
+++ b/tests/files/loop-detect.3
@@ -0,0 +1,7 @@
+#! nft -f
+
+# Circular jump when creating an anonymous verdict map: chain1 -> chain2 -> chain3 -> chain1
+flush table filter
+add filter chain1 jump chain2
+add filter chain2 jump chain3
+add filter chain3 ip daddr vmap { 10.0.0.1 : continue, 192.168.0.1 : jump chain1 }
diff --git a/tests/files/loop-detect.4 b/tests/files/loop-detect.4
new file mode 100644
index 00000000..acd9a342
--- /dev/null
+++ b/tests/files/loop-detect.4
@@ -0,0 +1,7 @@
+#! nft -f
+
+# Circular jump with an intermediate anonymous verdict map: chain1 -> chain2 -> chain3 -> chain1
+flush table filter
+add filter chain1 jump chain2
+add filter chain2 ip daddr vmap { 10.0.0.1 : continue, 192.168.0.1 : jump chain3 }
+add filter chain3 jump chain1
diff --git a/tests/files/obj-chain b/tests/files/obj-chain
new file mode 100644
index 00000000..2bce0268
--- /dev/null
+++ b/tests/files/obj-chain
@@ -0,0 +1,22 @@
+#! nft -f
+
+add table filter
+
+# chains: add and delete chain
+add chain filter testchain
+delete chain filter testchain
+
+# chains: add and delete base chain
+add chain filter input { type filter hook input priority 0 ; }
+delete chain filter input
+
+# chains: can not delete chain while referenced
+add chain filter testchain
+add chain filter testchain2
+
+add rule filter testchain handle 1 jump testchain2
+delete chain filter testchain2
+delete rule filter testchain handle 1
+
+delete chain filter testchain2
+delete chain filter testchain
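Review bot: The first `delete chain filter testchain2` after the jump rule is the statement that is supposed to fail, but nothing marks it as such, so it reads like an ordinary step rather than the check the section title promises. A comment directly above it, `# must fail: testchain2 is still referenced by the jump rule`, and `# must succeed once the reference is gone` above the second delete would make the expected outcomes explicit, matching the "must fail"/"must succeed" convention used in the dictionary and chain-rename files.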
diff --git a/tests/files/obj-table b/tests/files/obj-table
new file mode 100644
index 00000000..8b264cf5
--- /dev/null
+++ b/tests/files/obj-table
@@ -0,0 +1,9 @@
+#! nft -f
+
+# table: add and delete table
+add table filter
+table delete filter
+
+# table: deleting table with chain must fail
+add chain filter output
+table delete filter
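Review bot: `table delete filter` inverts the verb/object order used everywhere else in this series (`delete chain filter chain3` in chain-rename.3, `delete table filter` in family-ipv4), so unless the parser accepts both forms this test will fail at the first delete rather than at the intended "must fail" case. Both occurrences should read `delete table filter`. The second case would also benefit from stating the expected outcome inline, e.g. `# must fail: table still holds chain output`.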
diff --git a/tests/files/payload-ll b/tests/files/payload-ll
new file mode 100644
index 00000000..7f5660b1
--- /dev/null
+++ b/tests/files/payload-ll
@@ -0,0 +1,15 @@
+#! nft -f
+
+add table ip filter
+add chain ip filter input { type filter hook input priority 0; }
+
+# mac source
+add rule ip filter input @ll,48,48 00:15:e9:f0:10:f8 counter
+
+# mac dest
+add rule ip filter input @ll,0,48 00:1b:21:02:6f:ad counter
+
+# mac source and mac dest
+add rule ip filter input @ll,0,48 00:1b:21:02:6f:ad \
+ @ll,48,48 00:15:e9:f0:10:f8 \
+ counter
diff --git a/tests/files/prefix b/tests/files/prefix
new file mode 100644
index 00000000..bada8503
--- /dev/null
+++ b/tests/files/prefix
@@ -0,0 +1,5 @@
+add rule filter OUTPUT meta mark 123/0x000000ff
+add rule filter OUTPUT ip daddr 192.168.0.0/24
+add rule filter OUTPUT ip daddr 192.168.0.0/255.255.255.0
+add rule filter OUTPUT ip saddr . ip daddr 192.168.0.0/24 . 192.168.0.0/24
+add rule filter OUTPUT ip daddr { 192.168.0.0/24, 192.168.1.0/24}
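Review bot: This is the only file in the series without the `#! nft -f` header, and it has no comments describing what each of the five prefix forms is meant to check. Adding the header and one comment per case (`# mark with mask`, `# CIDR prefix`, `# dotted-decimal netmask`, `# prefixes inside a concatenation`, `# prefixes inside a set`) would bring it in line with the other test files. The rules also reference a chain `OUTPUT` that no statement in the file creates, so the file presumably depends on state from an earlier test.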
diff --git a/tests/files/set b/tests/files/set
new file mode 100644
index 00000000..3c040b0a
--- /dev/null
+++ b/tests/files/set
@@ -0,0 +1,14 @@
+#! nft -f
+
+add table filter
+add chain filter output { type filter hook output priority 0 ; }
+
+# set: IP addresses
+add rule filter output ip daddr { \
+ 192.168.0.1, \
+ 192.168.0.2, \
+ 192.168.0.3, \
+}
+
+# set: tcp ports
+add rule filter output tcp dport { 22, 23 } counter
diff --git a/tests/files/stmt-log b/tests/files/stmt-log
new file mode 100644
index 00000000..2ae7aae6
--- /dev/null
+++ b/tests/files/stmt-log
@@ -0,0 +1,6 @@
+#! nft -f
+
+add table ip filter
+add chain ip filter output { type filter hook output priority 0; }
+
+add rule ip filter output log saddr "prefix" group 0 counter
diff --git a/tests/files/symbolic-define.1 b/tests/files/symbolic-define.1
new file mode 100644
index 00000000..712ef715
--- /dev/null
+++ b/tests/files/symbolic-define.1
@@ -0,0 +1,7 @@
+#! nft -f
+
+# error: variable use before definition
+define var2 = $var1
+define var1 = eth0
+
+filter input iif $var2
diff --git a/tests/files/symbolic-define.2 b/tests/files/symbolic-define.2
new file mode 100644
index 00000000..cd3c23c3
--- /dev/null
+++ b/tests/files/symbolic-define.2
@@ -0,0 +1,7 @@
+#! nft -f
+
+# error: redefinition of an existing variable
+define var1 = eth0
+define var1 = eth0
+
+filter input iif $var1
diff --git a/tests/files/symbolic-define.3 b/tests/files/symbolic-define.3
new file mode 100644
index 00000000..ba224df7
--- /dev/null
+++ b/tests/files/symbolic-define.3
@@ -0,0 +1,6 @@
+#! nft -f
+
+# error: recursive definition of a variable
+define var1 = $var1
+
+filter input iif $var1
diff --git a/tests/files/verdict-maps b/tests/files/verdict-maps
new file mode 100644
index 00000000..c1630ce3
--- /dev/null
+++ b/tests/files/verdict-maps
@@ -0,0 +1,20 @@
+#! nft -f
+#
+
+add table ip filter
+add chain ip filter input { type filter hook input priority 0; }
+
+add chain ip filter chain1
+add filter chain1 counter
+
+add chain ip filter chain2
+add filter chain2 counter
+
+add chain ip filter chain3
+add filter chain3 counter
+
+add filter input ip saddr vmap { \
+ 10.0.0.0/24 : jump chain1, \
+ 10.0.0.0/8 : jump chain2, \
+ 8.8.8.8 : jump chain3 \
+}
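Review bot: The verdict map holds two overlapping prefixes, `10.0.0.0/24` and `10.0.0.0/8`, but the file does not say which element a source address in 10.0.0.0/24 is expected to select, so a reader cannot tell whether the overlap is the point of the test or an oversight. If the intent is to check longest-prefix precedence, a comment above the map such as `# overlapping prefixes: 10.0.0.0/24 must take precedence over 10.0.0.0/8` would document it. The bare `#` on the second line of the file could hold that description instead of being left empty.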