Diffstat (limited to 'tests/shell/testcases/cache')
23 files changed, 840 insertions, 1 deletions
diff --git a/tests/shell/testcases/cache/0001_cache_handling_0 b/tests/shell/testcases/cache/0001_cache_handling_0
index 431aada5..0a684404 100755
--- a/tests/shell/testcases/cache/0001_cache_handling_0
+++ b/tests/shell/testcases/cache/0001_cache_handling_0
@@ -20,7 +20,7 @@ TMP=$(mktemp)
 echo "$RULESET" >> "$TMP"
 $NFT "flush ruleset;include \"$TMP\""
 rm -f "$TMP"
-rule_handle=$($NFT list ruleset -a | awk '/saddr/{print $NF}')
+rule_handle=$($NFT -a list ruleset | awk '/saddr/{print $NF}')
 $NFT delete rule inet test test handle $rule_handle
 $NFT delete set inet test test
 $NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/cache/0008_delete_by_handle_0 b/tests/shell/testcases/cache/0008_delete_by_handle_0
new file mode 100755
index 00000000..0db4c693
--- /dev/null
+++ b/tests/shell/testcases/cache/0008_delete_by_handle_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+HANDLE=`$NFT -a list ruleset | grep "table.*handle" | cut -d' ' -f7`
+$NFT delete table handle $HANDLE
+
+$NFT add table t
+
+$NFT add chain t c
+HANDLE=`$NFT -a list ruleset | grep "chain.*handle" | cut -d' ' -f6`
+$NFT delete chain t handle $HANDLE
+
+$NFT add set t s { type ipv4_addr\; }
+HANDLE=`$NFT -a list ruleset | grep "set.*handle" | cut -d' ' -f6`
+$NFT delete set t handle $HANDLE
+
+$NFT add flowtable t f { hook ingress priority 0\; devices = { lo } \; }
+HANDLE=`$NFT -a list ruleset | grep "flowtable.*handle" | cut -d' ' -f6`
+$NFT delete flowtable t handle $HANDLE
+
+$NFT add counter t x
+HANDLE=`$NFT -a list ruleset | grep "counter.*handle" | cut -d' ' -f6`
+$NFT delete counter t handle $HANDLE
diff --git a/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0 b/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0
new file mode 100755
index 00000000..f0bb02a6
--- /dev/null
+++ b/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0
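Review bot: The five `HANDLE=` extractions in 0008_delete_by_handle_0 pick the handle by fixed field position (`cut -d' ' -f7` for the table, `-f6` for the others), so a change in the listing's spacing, or more than one matching line, yields an empty or multi-line value that is then passed unquoted to `$NFT delete ... handle $HANDLE`. The assignment's status is that of `cut`, so `set -e` does not stop at the extraction and the problem only surfaces as a less obvious delete error. Taking the last field, as 0001_cache_handling_0 does with awk, and checking the result would point at the real cause: `HANDLE=$($NFT -a list ruleset | awk '/table.*handle/{print $NF}')` followed by `[ -n "$HANDLE" ] || exit 1`.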
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+$NFT delete table handle 4000 && exit 1
+$NFT delete chain t handle 4000 && exit 1
+$NFT delete set t handle 4000 && exit 1
+$NFT delete flowtable t handle 4000 && exit 1
+$NFT delete counter t handle 4000 && exit 1
+exit 0
diff --git a/tests/shell/testcases/cache/0010_implicit_chain_0 b/tests/shell/testcases/cache/0010_implicit_chain_0
new file mode 100755
index 00000000..834dc6e4
--- /dev/null
+++ b/tests/shell/testcases/cache/0010_implicit_chain_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+
+set -e
+
+EXPECTED="table ip f {
+ chain c {
+ jump {
+ accept
+ }
+ }
+}"
+
+$NFT 'table ip f { chain c { jump { accept; }; }; }'
+GET="$($NFT list chain ip f c)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/cache/0011_index_0 b/tests/shell/testcases/cache/0011_index_0
new file mode 100755
index 00000000..76f2615d
--- /dev/null
+++ b/tests/shell/testcases/cache/0011_index_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_position_id)
+
+set -e
+
+RULESET="flush ruleset
+add table inet t
+add chain inet t c { type filter hook input priority 0 ; }
+add rule inet t c tcp dport 1234 accept
+add rule inet t c accept
+insert rule inet t c index 1 udp dport 4321 accept"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft
new file mode 100644
index 00000000..7a2eacdd
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft
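Review bot: In 0009_delete_by_handle_incorrect_0 table `t` is never created, so the chain, set, flowtable and counter deletions most likely fail on the missing table rather than on handle 4000; only the first command exercises a wrong handle as such. Each `&& exit 1` also accepts any non-zero status, so an unset `$NFT` or an unrelated error lets the test pass. If the intent is to cover a bad handle inside an existing table, add `$NFT add table t` after the first deletion (the expected dumps would then need to list that table). Otherwise a short comment stating that only the failure status is asserted would make the limitation explicit.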
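Review bot: 0011_index_0 carries no comment saying what it checks; the script only loads the ruleset and appears to rely on the dump comparison for its verdict. A one-line comment before `RULESET=` would help the next reader, for example `# insert by index must resolve against rules added earlier in the same batch` (wording inferred from the ruleset, please confirm the intent).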
@@ -0,0 +1,142 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "test", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "3.3.3.3" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "2.2.2.2", + "4.4.4.4" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@test" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "2.2.2.2", + "4.4.4.4" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft b/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft new file mode 100644 index 00000000..fa15d658 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft 
@@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft b/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft new file mode 100644 index 00000000..e09a694c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft 
@@ -0,0 +1,137 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t2", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t3", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t4", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "icmp" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "igmp" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft new file mode 100644 index 00000000..43898d33 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft @@ -0,0 +1,18 @@ +table ip t { + chain c { + } +} +table ip t2 { + chain c { + } +} +table ip t3 { +} +table ip t4 { + chain c { + meta l4proto icmp accept + drop + meta l4proto igmp accept + drop + } +} 
diff --git a/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft b/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft new file mode 100644 index 00000000..d1864f00 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft @@ -0,0 +1,42 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "testfilter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testfilter", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "testfilter", + "chain": "test", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft new file mode 100644 index 00000000..4f5761bc --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft @@ -0,0 +1,5 @@ +table inet testfilter { + chain test { + counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft new file mode 100644 index 00000000..1c47d3ef --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft 
@@ -0,0 +1,77 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "mapping", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service", + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "map": "@mapping" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft new file mode 100644 index 00000000..8ab55a2c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft @@ -0,0 +1,14 @@ +table ip x { + map mapping { + type ipv4_addr : inet_service + size 65535 + flags dynamic,timeout + } + + chain y { + update @mapping { ip saddr : tcp sport } + } + + chain z { + } +} diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft new file mode 100644 index 00000000..1c47d3ef --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft 
@@ -0,0 +1,77 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "mapping", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service", + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "map": "@mapping" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft new file mode 100644 index 00000000..8ab55a2c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft @@ -0,0 +1,14 @@ +table ip x { + map mapping { + type ipv4_addr : inet_service + size 65535 + flags dynamic,timeout + } + + chain y { + update @mapping { ip saddr : tcp sport } + } + + chain z { + } +} diff --git a/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft new file mode 100644 index 00000000..0968d8a4 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft 
@@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "first", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "second", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "third", + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft 
@@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft diff --git a/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft new file mode 100644 index 00000000..aba92c0e --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft @@ -0,0 +1,7 @@ +table ip f { + chain c { + jump { + accept + } + } +} diff --git a/tests/shell/testcases/cache/dumps/0011_index_0.json-nft b/tests/shell/testcases/cache/dumps/0011_index_0.json-nft new file mode 100644 index 00000000..46b2909f --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0011_index_0.json-nft 
@@ -0,0 +1,93 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1234 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4321 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0011_index_0.nft b/tests/shell/testcases/cache/dumps/0011_index_0.nft new file mode 100644 index 00000000..7e855eb1 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0011_index_0.nft @@ -0,0 +1,8 @@ +table inet t { + chain c { + type filter hook input priority filter; policy accept; + tcp dport 1234 accept + udp dport 4321 accept + accept + } +} |