Diffstat (limited to 'tests/shell/features')
35 files changed, 322 insertions, 0 deletions
diff --git a/tests/shell/features/bitshift.nft b/tests/shell/features/bitshift.nft
new file mode 100644
index 00000000..7f9ccb64
--- /dev/null
+++ b/tests/shell/features/bitshift.nft
@@ -0,0 +1,7 @@
+# 567d746b55bc ("netfilter: bitwise: add support for shifts.")
+# v5.6-rc1~151^2~73^2
+table ip t {
+ chain c {
+ meta mark set meta mark << 2
+ }
+}
diff --git a/tests/shell/features/catchall_element.nft b/tests/shell/features/catchall_element.nft
new file mode 100644
index 00000000..1a02fd61
--- /dev/null
+++ b/tests/shell/features/catchall_element.nft
@@ -0,0 +1,8 @@
+# aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
+# v5.13-rc1~94^2~10^2~2
+table t {
+ map m {
+ type inet_service : inet_service
+ elements = { * : 42 }
+ }
+}
diff --git a/tests/shell/features/chain_binding.nft b/tests/shell/features/chain_binding.nft
new file mode 100644
index 00000000..b381ec54
--- /dev/null
+++ b/tests/shell/features/chain_binding.nft
@@ -0,0 +1,7 @@
+# d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+# v5.9-rc1~133^2~302^2~1
+table ip t {
+ chain c {
+ jump { counter; }
+ }
+}
diff --git a/tests/shell/features/comment.sh b/tests/shell/features/comment.sh
new file mode 100755
index 00000000..0ad24d04
--- /dev/null
+++ b/tests/shell/features/comment.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# 002f21765320 ("netfilter: nf_tables: add userdata attributes to nft_chain")
+# v5.10-rc1~107^2~60^2~5
+
+EXPECTED="table ip x {
+ chain y {
+ comment \"test\"
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+diff -u <($NFT list ruleset) - <<<"$EXPECTED"
diff --git a/tests/shell/features/ctexpect.nft b/tests/shell/features/ctexpect.nft
new file mode 100644
index 00000000..02c3dfd7
--- /dev/null
+++ b/tests/shell/features/ctexpect.nft
@@ -0,0 +1,10 @@
+# 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+# v5.3-rc1~140^2~153^2~19
+table t {
+ ct expectation ctexpect {
+ protocol tcp
+ dport 5432
+ timeout 1h
+ size 12;
+ }
+}
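Review bot: comment.sh's closing `diff -u <($NFT list ruleset) - <<<"$EXPECTED"` compares the entire ruleset against the three-line table it just loaded, so the probe can only pass when it starts from an empty ruleset, yet unlike reset_rule.sh and reset_set.sh in the same series it does not isolate itself with `unshare -n`. Presumably the feature runner already executes each probe inside a fresh network namespace; if so, a one-line comment above the diff such as `# The runner starts us in a private netns, so the ruleset is empty apart from what we load above.` would record the assumption that flowtable_counter.sh and set_expr.sh share, and if not the script should create its own namespace the way reset_rule.sh does. The same note applies to the other two `diff -u` probes.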
diff --git a/tests/shell/features/cttimeout.nft b/tests/shell/features/cttimeout.nft
new file mode 100644
index 00000000..4be58cd3
--- /dev/null
+++ b/tests/shell/features/cttimeout.nft
@@ -0,0 +1,8 @@
+# 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+# v4.19-rc1~140^2~64^2~3
+table t {
+ ct timeout cttime {
+ protocol tcp;
+ policy = {established: 120 }
+ }
+}
diff --git a/tests/shell/features/destroy.nft b/tests/shell/features/destroy.nft
new file mode 100644
index 00000000..b97242e4
--- /dev/null
+++ b/tests/shell/features/destroy.nft
@@ -0,0 +1,3 @@
+# f80a612dd77c ("netfilter: nf_tables: add support to destroy operation")
+# v6.3-rc1~162^2~264^2
+destroy table t
diff --git a/tests/shell/features/dynset_op_delete.nft b/tests/shell/features/dynset_op_delete.nft
new file mode 100644
index 00000000..125b4526
--- /dev/null
+++ b/tests/shell/features/dynset_op_delete.nft
@@ -0,0 +1,12 @@
+# d0a8d877da97 ("netfilter: nft_dynset: support for element deletion")
+# v5.4-rc1~131^2~59^2~4
+table ip x {
+ set s {
+ flags dynamic;
+ type inet_service;
+ }
+
+ chain y {
+ delete @s { tcp dport }
+ }
+}
diff --git a/tests/shell/features/flowtable_counter.sh b/tests/shell/features/flowtable_counter.sh
new file mode 100755
index 00000000..a4c4c621
--- /dev/null
+++ b/tests/shell/features/flowtable_counter.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# 53c2b2899af7 ("netfilter: flowtable: add counter support")
+# v5.7-rc1~146^2~12^2~16
+
+EXPECTED="table ip filter2 {
+ flowtable main_ft2 {
+ hook ingress priority filter
+ devices = { lo }
+ counter
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+diff -u <($NFT list ruleset) - <<<"$EXPECTED"
diff --git a/tests/shell/features/flowtable_no_devices.nft b/tests/shell/features/flowtable_no_devices.nft
new file mode 100755
index 00000000..30dd3db8
--- /dev/null
+++ b/tests/shell/features/flowtable_no_devices.nft
@@ -0,0 +1,8 @@
+# 05abe4456fa3 ("netfilter: nf_tables: allow to register flowtable with no devices")
+# v5.8-rc1~165^2~27^2~1
+table ip filter2 {
+ flowtable main_ft2 {
+ hook ingress priority filter
+ counter
+ }
+}
diff --git a/tests/shell/features/inet_ingress.nft b/tests/shell/features/inet_ingress.nft
new file mode 100644
index 00000000..944a5c77
--- /dev/null
+++ b/tests/shell/features/inet_ingress.nft
@@ -0,0 +1,7 @@
+# d3519cb89f6d ("netfilter: nf_tables: add inet ingress support")
+# v5.10-rc1~107^2~17^2~1
+table inet t {
+ chain c {
+ type filter hook ingress device "lo" priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/features/inet_nat.nft b/tests/shell/features/inet_nat.nft
new file mode 100644
index 00000000..189ea1d0
--- /dev/null
+++ b/tests/shell/features/inet_nat.nft
@@ -0,0 +1,7 @@
+# v5.2-rc1~133^2~174^2~15
+# d164385ec572 ("netfilter: nat: add inet family nat support")
+table inet x {
+ chain y {
+ type nat hook prerouting priority dstnat;
+ }
+}
diff --git a/tests/shell/features/inner_matching.nft b/tests/shell/features/inner_matching.nft
new file mode 100644
index 00000000..6c86fd35
--- /dev/null
+++ b/tests/shell/features/inner_matching.nft
@@ -0,0 +1,7 @@
+# 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
+# v6.2-rc1~99^2~350^2~4
+table ip t {
+ chain c {
+ udp dport 4789 vxlan ip saddr 1.2.3.4
+ }
+}
diff --git a/tests/shell/features/json.sh b/tests/shell/features/json.sh
new file mode 100755
index 00000000..d8115702
--- /dev/null
+++ b/tests/shell/features/json.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Detect JSON support. Note that $NFT may not be the binary from our build
+# tree, hence we detect it by running the binary (instead of asking the build
+# configuration).
+$NFT -j list ruleset
diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft
new file mode 100644
index 00000000..06c4c9d9
--- /dev/null
+++ b/tests/shell/features/map_lookup.nft
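Review bot: flowtable_no_devices.nft is added with `new file mode 100755`, while every other .nft probe in this series is 100644; the file is nft input to be fed through `-f`, not a program, and its first line is a `#` comment rather than a shebang, so the executable bit looks accidental. If the feature runner dispatches on the executable bit instead of the suffix, this probe would be exec'd as a script and fail for the wrong reason. Suggest clearing the bit (`chmod 644 tests/shell/features/flowtable_no_devices.nft`) so the mode line reads `new file mode 100644` like its siblings.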
@@ -0,0 +1,11 @@
+# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks")
+# v6.5-rc1~163^2~256^2~8
+table ip t {
+ map m {
+ typeof ip daddr : meta mark
+ }
+
+ chain c {
+ ip saddr @m
+ }
+}
diff --git a/tests/shell/features/meta_time.nft b/tests/shell/features/meta_time.nft
new file mode 100644
index 00000000..34550de4
--- /dev/null
+++ b/tests/shell/features/meta_time.nft
@@ -0,0 +1,7 @@
+# 63d10e12b00d ("netfilter: nft_meta: support for time matching")
+# v5.4-rc1~131^2~59^2~6
+table ip t {
+ chain c {
+ meta time "1970-05-23 21:07:14"
+ }
+}
diff --git a/tests/shell/features/netdev_chain_multidevice.sh b/tests/shell/features/netdev_chain_multidevice.sh
new file mode 100755
index 00000000..d2a56d6d
--- /dev/null
+++ b/tests/shell/features/netdev_chain_multidevice.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# d54725cd11a5 ("netfilter: nf_tables: support for multiple devices per netdev hook")
+# v5.5-rc1~174^2~312^2~4
+
+trap "ip link del d0; ip link del d1" EXIT
+
+ip link add d0 type dummy
+ip link add d1 type dummy
+
+EXPECTED="table netdev filter2 {
+ chain Main_Ingress2 {
+ type filter hook ingress devices = { \"d0\", \"d1\" } priority -500; policy accept;
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/features/netdev_chain_without_device.nft b/tests/shell/features/netdev_chain_without_device.nft
new file mode 100644
index 00000000..25eb200f
--- /dev/null
+++ b/tests/shell/features/netdev_chain_without_device.nft
@@ -0,0 +1,7 @@
+# 207296f1a03b ("netfilter: nf_tables: allow to create netdev chain without device")
+# v6.4-rc1~132^2~14^2
+table netdev t {
+ chain c {
+ type filter hook ingress priority 0; policy accept;
+ }
+}
diff --git a/tests/shell/features/netdev_egress.nft b/tests/shell/features/netdev_egress.nft
new file mode 100644
index 00000000..67d706d8
--- /dev/null
+++ b/tests/shell/features/netdev_egress.nft
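Review bot: netdev_chain_multidevice.sh registers `trap "ip link del d0; ip link del d1" EXIT` before either `ip link add` runs and never checks their status, so if `d0` or `d1` already exists (a leftover from an aborted run, or a real interface when the probe is not run inside a private netns) the add fails silently, the script goes on to load the chain against the pre-existing device, and the EXIT trap then deletes an interface this script did not create. The fix is to fail fast on the add and only arm cleanup for links that were actually created; the names are also fixed, so the probe cannot run twice concurrently, which is probably acceptable for a feature probe but worth a comment. Whether the runner already provides a fresh netns is not visible here, so the safer ordering costs nothing either way.
```shell
# … unchanged: shebang and commit reference …

# Arm cleanup only for links this script created, so a pre-existing
# d0/d1 (leftover or host interface) is never deleted on exit.
ip link add d0 type dummy || exit 1
trap "ip link del d0" EXIT
ip link add d1 type dummy || exit 1
trap "ip link del d0; ip link del d1" EXIT

# … unchanged: EXPECTED and the $NFT -f invocation …
```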
@@ -0,0 +1,7 @@
+# 42df6e1d221d ("netfilter: Introduce egress hook")
+# v5.16-rc1~159^2~167^2~10
+table netdev t {
+ chain c {
+ type filter hook egress devices = { lo } priority 0; policy accept;
+ }
+}
diff --git a/tests/shell/features/netmap.nft b/tests/shell/features/netmap.nft
new file mode 100644
index 00000000..2580a8dc
--- /dev/null
+++ b/tests/shell/features/netmap.nft
@@ -0,0 +1,8 @@
+# 3ff7ddb1353d ("netfilter: nft_nat: add netmap support")
+# v5.8-rc1~165^2~393^2
+table ip x {
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }
+ }
+}
diff --git a/tests/shell/features/osf.nft b/tests/shell/features/osf.nft
new file mode 100644
index 00000000..dbb6b4c3
--- /dev/null
+++ b/tests/shell/features/osf.nft
@@ -0,0 +1,7 @@
+# b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
+# v4.19-rc1~140^2~135^2~15
+table t {
+ chain c {
+ osf name "Linux"
+ }
+}
diff --git a/tests/shell/features/pipapo.nft b/tests/shell/features/pipapo.nft
new file mode 100644
index 00000000..3557721e
--- /dev/null
+++ b/tests/shell/features/pipapo.nft
@@ -0,0 +1,9 @@
+# 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+# v5.6-rc1~151^2~28^2~1
+table t {
+ set s {
+ type ipv4_addr . inet_service
+ flags interval
+ elements = { 1.1.1.1-2.2.2.2 . 80-90 }
+ }
+}
diff --git a/tests/shell/features/prerouting_reject.nft b/tests/shell/features/prerouting_reject.nft
new file mode 100644
index 00000000..3dcfb40e
--- /dev/null
+++ b/tests/shell/features/prerouting_reject.nft
@@ -0,0 +1,8 @@
+# f53b9b0bdc59 netfilter: introduce support for reject at prerouting stage
+# v5.9-rc1~133^2~302^2~11
+table inet t {
+ chain nat_filter {
+ type filter hook prerouting priority 0; policy accept;
+ reject with icmpx type host-unreachable
+ }
+}
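Review bot: prerouting_reject.nft's first line breaks the header convention every other probe in this series follows: the kernel commit subject is written bare, `# f53b9b0bdc59 netfilter: introduce support for reject at prerouting stage`, instead of quoted and parenthesised as in `# 3ff7ddb1353d ("netfilter: nft_nat: add netmap support")`. Anyone grepping these headers for the `("…")` form to map probes to kernel commits will miss this one; suggest `# f53b9b0bdc59 ("netfilter: introduce support for reject at prerouting stage")`. The chain is also named `nat_filter` although it is a plain `type filter` chain with no NAT, so a name like `prerouting_filter` would describe it more accurately.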
diff --git a/tests/shell/features/reset_rule.sh b/tests/shell/features/reset_rule.sh
new file mode 100755
index 00000000..567ee2f1
--- /dev/null
+++ b/tests/shell/features/reset_rule.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# 8daa8fde3fc3 ("netfilter: nf_tables: Introduce NFT_MSG_GETRULE_RESET")
+# v6.2-rc1~99^2~210^2~2
+
+unshare -n bash -c "$NFT \"add table t; add chain t c ; add rule t c counter packets 1 bytes 42\"; \
+$NFT reset rules chain t c ; \
+$NFT reset rules chain t c |grep counter\ packets\ 0\ bytes\ 0"
diff --git a/tests/shell/features/reset_set.sh b/tests/shell/features/reset_set.sh
new file mode 100755
index 00000000..3d034175
--- /dev/null
+++ b/tests/shell/features/reset_set.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# 079cd633219d ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET")
+# v6.5-rc1~163^2~9^2~1
+
+unshare -n bash -c "$NFT add table t; \
+ $NFT add set t s { type ipv4_addr\; counter\; elements = { 127.0.0.1 counter packets 1 bytes 2 } } ; \
+ $NFT reset set t s ; \
+ $NFT reset set t s | grep counter\ packets\ 0\ bytes\ 0
+"
diff --git a/tests/shell/features/reset_tcp_options.nft b/tests/shell/features/reset_tcp_options.nft
new file mode 100644
index 00000000..47d1c7b8
--- /dev/null
+++ b/tests/shell/features/reset_tcp_options.nft
@@ -0,0 +1,5 @@
+table inet t {
+ chain c {
+ reset tcp option fastopen
+ }
+}
diff --git a/tests/shell/features/sctp_chunks.nft b/tests/shell/features/sctp_chunks.nft
new file mode 100644
index 00000000..520afd64
--- /dev/null
+++ b/tests/shell/features/sctp_chunks.nft
@@ -0,0 +1,7 @@
+# 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
+# v5.14-rc1~119^2~373^2~15
+table ip t {
+ chain c {
+ sctp chunk init 0
+ }
+}
diff --git a/tests/shell/features/secmark.nft b/tests/shell/features/secmark.nft
new file mode 100644
index 00000000..ccbb572f
--- /dev/null
+++ b/tests/shell/features/secmark.nft
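Review bot: reset_rule.sh expands `$NFT` in the outer shell and splices its value verbatim into the double-quoted script handed to `unshare -n bash -c "…"`, so the value is parsed a second time by the inner bash; a `$NFT` that holds anything with shell metacharacters (a wrapper such as `valgrind … nft`, or a path containing spaces or quotes) is re-tokenised differently from how every other probe in this series runs it, and the embedded `\"…\"` quoting only works because the current value happens to be a single bare word. Passing the value through the environment and single-quoting the inner script removes the double evaluation while keeping the same word-splitting the rest of the suite gets: `NFT="$NFT" unshare -n bash -c '$NFT "add table t; add chain t c; add rule t c counter packets 1 bytes 42"; $NFT reset rules chain t c; $NFT reset rules chain t c | grep "counter packets 0 bytes 0"'`. reset_set.sh has the identical pattern and should get the same treatment; a short comment on why these two probes create their own netns when the others do not would also help the next reader.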
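Review bot: reset_tcp_options.nft is the only probe in this hunk without the two-line header (`# <commit> ("subject")` followed by `# v<tag>`) that every other .nft file carries, so nothing records which kernel first accepted `reset tcp option fastopen` or why a failure of this probe means the feature is absent rather than misconfigured. Please add the same header naming the netfilter commit that introduced TCP option reset support, in the same format as the sibling files, so the kernel-version mapping stays greppable across the directory.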
@@ -0,0 +1,7 @@
+# fb961945457f ("netfilter: nf_tables: add SECMARK support")
+# v4.20-rc1~14^2~125^2~5
+table inet x {
+ secmark ssh_server {
+ "system_u:object_r:ssh_server_packet_t:s0"
+ }
+}
diff --git a/tests/shell/features/set_expr.sh b/tests/shell/features/set_expr.sh
new file mode 100755
index 00000000..fbdfc228
--- /dev/null
+++ b/tests/shell/features/set_expr.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition")
+# v5.7-rc1~146^2~12^2~25
+
+# NFT_SET_EXPR to detect kernel feature only available since
+# b4e70d8dd9ea ("netfilter: nftables: add set expression flags")
+# v5.11-rc3~39^2^2
+
+EXPECTED="table ip x {
+ set y {
+ typeof ip saddr
+ counter
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+diff -u <($NFT list ruleset) - <<<"$EXPECTED"
diff --git a/tests/shell/features/set_with_two_expressions.nft b/tests/shell/features/set_with_two_expressions.nft
new file mode 100644
index 00000000..97632a7a
--- /dev/null
+++ b/tests/shell/features/set_with_two_expressions.nft
@@ -0,0 +1,9 @@
+# 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions")
+# v5.11-rc1~169^2~25^2
+table x {
+ set y {
+ type ipv4_addr
+ size 65535
+ counter quota 500 bytes
+ }
+}
diff --git a/tests/shell/features/setelem_expiration.sh b/tests/shell/features/setelem_expiration.sh
new file mode 100755
index 00000000..c539ceba
--- /dev/null
+++ b/tests/shell/features/setelem_expiration.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# v5.3-rc1~140^2~153^2~8
+# 79ebb5bb4e38 ("netfilter: nf_tables: enable set expiration time for set elements")
+
+RULESET="table ip x {
+ set y {
+ type ipv4_addr
+ flags dynamic
+ timeout 1h
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT add element ip x y { 1.1.1.1 timeout 1h expires 15m59s }
+
+$NFT list ruleset | grep "expires 15m"
diff --git a/tests/shell/features/stateful_object_update.sh b/tests/shell/features/stateful_object_update.sh
new file mode 100755
index 00000000..62fbf7e3
--- /dev/null
+++ b/tests/shell/features/stateful_object_update.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object update operation")
+# v5.4-rc1~131^2~59^2~2
+
+set -e
+$NFT add table test-ip
+$NFT add quota test-ip traffic-quota 25 mbytes
+$NFT add quota test-ip traffic-quota 50 mbytes
+
+EXPECTED="table ip test-ip {
+ quota traffic-quota {
+ 50 mbytes
+ }
+}"
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ diff -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/features/synproxy.nft b/tests/shell/features/synproxy.nft
new file mode 100644
index 00000000..bea4f920
--- /dev/null
+++ b/tests/shell/features/synproxy.nft
@@ -0,0 +1,9 @@
+# v5.3-rc1~140^2~44^2~10
+# ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
+table inet x {
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+}
diff --git a/tests/shell/features/table_flag_owner.nft b/tests/shell/features/table_flag_owner.nft
new file mode 100644
index 00000000..aef122a0
--- /dev/null
+++ b/tests/shell/features/table_flag_owner.nft
@@ -0,0 +1,5 @@
+# 6001a930ce03 ("netfilter: nftables: introduce table ownership")
+# v5.12-rc1~200^2~6^2
+table t {
+ flags owner;
+}
diff --git a/tests/shell/features/table_flag_persist.nft b/tests/shell/features/table_flag_persist.nft
new file mode 100644
index 00000000..0da3e6d4
--- /dev/null
+++ b/tests/shell/features/table_flag_persist.nft
@@ -0,0 +1,3 @@
+table t {
+ flags persist;
+}
|
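Review bot: table_flag_persist.nft lacks the kernel-commit header (`# <commit> ("subject")` plus `# v<tag>`) that table_flag_owner.nft right above it and every other probe in the series carry, so there is no record of which kernel introduced `flags persist` or of the minimum version a failing probe implies. Please add the header in the same format, naming the nf_tables commit that added the persist table flag, so this file stays consistent with its siblings and greppable alongside them.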