Diffstat (limited to 'tests/shell/testcases/listing')
49 files changed, 1769 insertions, 46 deletions
diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0 index 4d39143d..c78ada94 100755 --- a/tests/shell/testcases/listing/0013objects_0 +++ b/tests/shell/testcases/listing/0013objects_0 @@ -1,47 +1,23 @@ #!/bin/bash -# list table with all objects and chains - -EXPECTED="table ip test { - quota https-quota { - 25 mbytes - } - - ct helper cthelp { - type \"sip\" protocol tcp - l3proto ip - } - - ct timeout cttime { - protocol udp - l3proto ip - policy = { unreplied : 15, replied : 12 } - } - - ct expectation ctexpect { - protocol tcp - dport 5432 - timeout 1h - size 12 - l3proto ip - } - - chain input { - } -}" - set -e $NFT add table test $NFT add chain test input $NFT add quota test https-quota 25 mbytes $NFT add ct helper test cthelp { type \"sip\" protocol tcp \; } -$NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; } -$NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; } -$NFT add table test-ip +if [ "$NFT_TEST_HAVE_cttimeout" != n ] ; then + $NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; } +fi +if [ "$NFT_TEST_HAVE_ctexpect" != n ] ; then + $NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; } +fi -GET="$($NFT list table test)" -if [ "$EXPECTED" != "$GET" ] ; then - $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 +if [ "$NFT_TEST_HAVE_cttimeout" = n ] ; then + echo "Ran partial test due to NFT_TEST_HAVE_cttimeout=n (skipped)" + exit 77 +fi +if [ "$NFT_TEST_HAVE_ctexpect" = n ] ; then + echo "Ran partial test due to NFT_TEST_HAVE_ctexpect=n (skipped)" + exit 77 fi diff --git a/tests/shell/testcases/listing/0020flowtable_0 b/tests/shell/testcases/listing/0020flowtable_0 index 2f0a98d1..0e89f5dd 100755 --- a/tests/shell/testcases/listing/0020flowtable_0 +++ b/tests/shell/testcases/listing/0020flowtable_0 
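Review bot: With the in-script comparison removed, nothing in the new 0013objects_0 runs `$NFT list table test` any more, so the per-table listing path named in the removed comment is only covered if the dump check happens to use the same command, which is not visible here. Keeping one line such as `$NFT list table test >/dev/null` after the object setup would at least keep that command exercised under `set -e`. The two trailing skip blocks also stop at the first missing feature, so with both `NFT_TEST_HAVE_cttimeout=n` and `NFT_TEST_HAVE_ctexpect=n` only the first reason is printed before `exit 77`.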
@@ -1,20 +1,65 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_no_devices) + # list only the flowtable asked for with table +set -e + +FLOWTABLES="flowtable f { + hook ingress priority filter + devices = { lo } +} +flowtable f2 { + hook ingress priority filter + devices = { d0 } +}" + +RULESET="table inet filter { + $FLOWTABLES +} +table ip filter { + $FLOWTABLES +}" + EXPECTED="table inet filter { flowtable f { hook ingress priority filter devices = { lo } } }" +EXPECTED2="table ip filter { + flowtable f2 { + hook ingress priority filter + devices = { d0 } + } +}" +EXPECTED3="table ip filter { + flowtable f { + hook ingress priority filter + devices = { lo } + } + flowtable f2 { + hook ingress priority filter + devices = { d0 } + } +}" -set -e +iface_cleanup() { + ip link del d0 &>/dev/null || : +} +trap 'iface_cleanup' EXIT +iface_cleanup + +ip link add d0 type dummy -$NFT -f - <<< "$EXPECTED" +$NFT -f - <<< "$RULESET" GET="$($NFT list flowtable inet filter f)" -if [ "$EXPECTED" != "$GET" ] ; then - $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi +$DIFF -u <(echo "$EXPECTED") <(echo "$GET") + +GET="$($NFT list flowtable ip filter f2)" +$DIFF -u <(echo "$EXPECTED2") <(echo "$GET") + +GET="$($NFT list flowtables ip)" +$DIFF -u <(echo "$EXPECTED3") <(echo "$GET") diff --git a/tests/shell/testcases/listing/0021ruleset_json_terse_0 b/tests/shell/testcases/listing/0021ruleset_json_terse_0 index c739ac3f..98a7ce8a 100755 --- a/tests/shell/testcases/listing/0021ruleset_json_terse_0 +++ b/tests/shell/testcases/listing/0021ruleset_json_terse_0 
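Review bot: `iface_cleanup` is called once before `ip link add d0 type dummy`, so it deletes any existing link named `d0` whether or not this test created it, and `&>/dev/null || :` hides the outcome. That is only safe if the harness runs each test in its own network namespace, which this hunk does not show; a comment above the function such as `# d0 is private to this test; relies on the harness running it in a separate netns` would record the assumption. The bare `$DIFF -u ...` lines now depend on `set -e` to fail the test, which holds here because `set -e` was moved to the top of the script.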
@@ -6,7 +6,14 @@ $NFT add chain ip test c $NFT add set ip test s { type ipv4_addr\; } $NFT add element ip test s { 192.168.3.4, 192.168.3.5 } -if $NFT -j -t list ruleset | grep '192' -then - exit 1 +if [ "$NFT_TEST_HAVE_json" != n ]; then + if $NFT -j -t list ruleset | grep '192\.168' + then + exit 1 + fi +fi + +if [ "$NFT_TEST_HAVE_json" = n ]; then + echo "Test partially skipped due to missing JSON support." + exit 77 fi diff --git a/tests/shell/testcases/listing/0022terse_0 b/tests/shell/testcases/listing/0022terse_0 new file mode 100755 index 00000000..4841771c --- /dev/null +++ b/tests/shell/testcases/listing/0022terse_0 @@ -0,0 +1,69 @@ +#!/bin/bash + +RULESET="table inet filter { + set example { + type ipv4_addr + flags interval + elements = { 10.10.10.10, 10.10.11.11 } + } + + chain input { + type filter hook prerouting priority filter; policy accept; + ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop + } +}" + +set -e + +$NFT -f - <<< "$RULESET" + +GET="$($NFT list ruleset)" +if [ "$RULESET" != "$GET" ] ; then + $DIFF -u <(echo "$RULESET") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + } + + chain input { + type filter hook prerouting priority filter; policy accept; + ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop + } +}" + +GET="$($NFT -t list ruleset)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + elements = { 10.10.10.10, 10.10.11.11 } + } +}" + +GET="$($NFT list set inet filter example)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + } +}" + +GET="$($NFT -t list set inet filter example)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi 
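Review bot: In `if $NFT -j -t list ruleset | grep '192\.168'` the status of the pipeline is grep's, so if `$NFT -j -t list ruleset` fails and prints nothing the test passes without having checked any terse output. `set -e` does not apply inside an `if` condition, and no `pipefail` is visible in this hunk (the script starts before it). Capturing the listing first makes an nft failure fatal: `out=$($NFT -j -t list ruleset) || exit 1` followed by `if grep '192\.168' <<< "$out"`.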
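Review bot: The same five-line compare-and-exit block is repeated four times in the new 0022terse_0, and the file has no comment saying what it checks. A small helper taking the expected text and the listing command would keep each case to one call, and a header such as `# -t must omit named-set elements from 'list ruleset' and 'list set'; anonymous sets in rules stay` would state the intent. Declaring `got` separately from its assignment in the helper keeps a failing `$NFT` visible to `set -e`.

```shell
check_listing() {
	local expected="$1"
	shift
	local got
	got="$("$@")"
	if [ "$expected" != "$got" ] ; then
		$DIFF -u <(echo "$expected") <(echo "$got")
		exit 1
	fi
}

# … unchanged: RULESET definition, set -e, $NFT -f - <<< "$RULESET" …
check_listing "$RULESET" $NFT list ruleset
# … unchanged: EXPECTED definitions; each remaining compare block becomes one check_listing call …
```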
diff --git a/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft b/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft new file mode 100644 index 00000000..1bb0e1b8 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft b/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0002ruleset_0.nft b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft diff --git a/tests/shell/testcases/listing/dumps/0003table_0.json-nft b/tests/shell/testcases/listing/dumps/0003table_0.json-nft new file mode 100644 index 00000000..1bb0e1b8 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0003table_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0003table_0.nft b/tests/shell/testcases/listing/dumps/0003table_0.nft new file mode 100644 index 00000000..1c9f40c5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0003table_0.nft @@ -0,0 +1,2 @@ +table ip test { +} 
diff --git a/tests/shell/testcases/listing/dumps/0004table_0.json-nft b/tests/shell/testcases/listing/dumps/0004table_0.json-nft new file mode 100644 index 00000000..85e9b287 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0004table_0.json-nft @@ -0,0 +1,25 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "test2", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0004table_0.nft b/tests/shell/testcases/listing/dumps/0004table_0.nft new file mode 100644 index 00000000..56d035d1 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0004table_0.nft @@ -0,0 +1,4 @@ +table ip test { +} +table ip test2 { +} diff --git a/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft 
@@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft 
@@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft 
@@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0010sets_0.json-nft b/tests/shell/testcases/listing/dumps/0010sets_0.json-nft new file mode 100644 index 00000000..efca892e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0010sets_0.json-nft 
@@ -0,0 +1,124 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "ssh", + "table": "nat", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "testset", + "table": "test", + "type": "ipv6_addr", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp00", + "table": "test_arp", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp01", + "table": "test_arp", + "type": "inet_service", + "handle": 0, + "flags": [ + "constant" + ] + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "set": { + "family": "bridge", + "name": "test_set_bridge", + "table": "test_bridge", + "type": "inet_service", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set0", + "table": "filter", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set1", + "table": "filter", + "type": "inet_service", + "handle": 0, + "flags": [ + "constant" + ] + } + }, + { + "set": { + "family": "inet", + "name": "set2", + "table": "filter", + "type": "icmpv6_type", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0010sets_0.nft b/tests/shell/testcases/listing/dumps/0010sets_0.nft new file mode 100644 index 00000000..7303c403 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0010sets_0.nft 
@@ -0,0 +1,39 @@ +table ip nat { + set ssh { + type ipv4_addr + } +} +table ip6 test { + set testset { + type ipv6_addr + } +} +table arp test_arp { + set test_set_arp00 { + type inet_service + } + + set test_set_arp01 { + type inet_service + flags constant + } +} +table bridge test_bridge { + set test_set_bridge { + type inet_service + } +} +table inet filter { + set set0 { + type inet_service + } + + set set1 { + type inet_service + flags constant + } + + set set2 { + type icmpv6_type + } +} diff --git a/tests/shell/testcases/listing/dumps/0011sets_0.json-nft b/tests/shell/testcases/listing/dumps/0011sets_0.json-nft new file mode 100644 index 00000000..a742fa45 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0011sets_0.json-nft 
@@ -0,0 +1,220 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "sport" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "chain": { + "family": "arp", + "table": "test_arp", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "arp", + "table": "test_arp", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "test_bridge", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "bridge", + "table": "test_bridge", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "1.1.1.1", + "2.2.2.2" + ] + } + } + } + ] + } + }, + { + "table": { + "family": "inet", + 
"name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 80, + 443 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0011sets_0.nft b/tests/shell/testcases/listing/dumps/0011sets_0.nft new file mode 100644 index 00000000..4d0aeaf3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0011sets_0.nft @@ -0,0 +1,25 @@ +table ip nat { + chain test { + tcp dport { 123, 321 } + } +} +table ip6 test { + chain test { + udp sport { 123, 321 } + } +} +table arp test_arp { + chain test { + meta mark { 0x0000007b, 0x00000141 } + } +} +table bridge test_bridge { + chain test { + ip daddr { 1.1.1.1, 2.2.2.2 } + } +} +table inet filter { + chain test { + tcp dport { 80, 443 } + } +} diff --git a/tests/shell/testcases/listing/dumps/0012sets_0.json-nft b/tests/shell/testcases/listing/dumps/0012sets_0.json-nft new file mode 100644 index 00000000..efca892e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0012sets_0.json-nft 
@@ -0,0 +1,124 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "ssh", + "table": "nat", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "testset", + "table": "test", + "type": "ipv6_addr", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp00", + "table": "test_arp", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp01", + "table": "test_arp", + "type": "inet_service", + "handle": 0, + "flags": [ + "constant" + ] + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "set": { + "family": "bridge", + "name": "test_set_bridge", + "table": "test_bridge", + "type": "inet_service", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set0", + "table": "filter", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set1", + "table": "filter", + "type": "inet_service", + "handle": 0, + "flags": [ + "constant" + ] + } + }, + { + "set": { + "family": "inet", + "name": "set2", + "table": "filter", + "type": "icmpv6_type", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0012sets_0.nft b/tests/shell/testcases/listing/dumps/0012sets_0.nft new file mode 100644 index 00000000..7303c403 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0012sets_0.nft 
@@ -0,0 +1,39 @@ +table ip nat { + set ssh { + type ipv4_addr + } +} +table ip6 test { + set testset { + type ipv6_addr + } +} +table arp test_arp { + set test_set_arp00 { + type inet_service + } + + set test_set_arp01 { + type inet_service + flags constant + } +} +table bridge test_bridge { + set test_set_bridge { + type inet_service + } +} +table inet filter { + set set0 { + type inet_service + } + + set set1 { + type inet_service + flags constant + } + + set set2 { + type icmpv6_type + } +} diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.json-nft b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft new file mode 100644 index 00000000..830aad85 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "input", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "https-quota", + "table": "test", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": false + } + }, + { + "ct helper": { + "family": "ip", + "name": "cthelp", + "table": "test", + "handle": 0, + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "ct timeout": { + "family": "ip", + "name": "cttime", + "table": "test", + "handle": 0, + "protocol": "udp", + "l3proto": "ip", + "policy": { + "unreplied": 15, + "replied": 12 + } + } + }, + { + "ct expectation": { + "family": "ip", + "name": "ctexpect", + "table": "test", + "handle": 0, + "protocol": "tcp", + "dport": 5432, + "timeout": 3600000, + "size": 12, + "l3proto": "ip" + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.nft b/tests/shell/testcases/listing/dumps/0013objects_0.nft new file mode 100644 index 00000000..427db268 --- /dev/null 
+++ b/tests/shell/testcases/listing/dumps/0013objects_0.nft @@ -0,0 +1,27 @@ +table ip test { + quota https-quota { + 25 mbytes + } + + ct helper cthelp { + type "sip" protocol tcp + l3proto ip + } + + ct timeout cttime { + protocol udp + l3proto ip + policy = { unreplied : 15s, replied : 12s } + } + + ct expectation ctexpect { + protocol tcp + dport 5432 + timeout 1h + size 12 + l3proto ip + } + + chain input { + } +} diff --git a/tests/shell/testcases/listing/dumps/0014objects_0.json-nft b/tests/shell/testcases/listing/dumps/0014objects_0.json-nft new file mode 100644 index 00000000..83f72d40 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0014objects_0.json-nft @@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "https-quota", + "table": "test", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": false + } + }, + { + "ct helper": { + "family": "ip", + "name": "cthelp", + "table": "test", + "handle": 0, + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0014objects_0.nft b/tests/shell/testcases/listing/dumps/0014objects_0.nft new file mode 100644 index 00000000..9281a1a0 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0014objects_0.nft @@ -0,0 +1,12 @@ +table ip test { + quota https-quota { + 25 mbytes + } + + ct helper cthelp { + type "sip" protocol tcp + l3proto ip + } +} +table ip test-ip { +} diff --git a/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft b/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft new file mode 100644 index 00000000..a94a1b04 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft 
@@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "test_set", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr", + "inet_service", + "inet_proto" + ], + "handle": 0, + "size": 100000, + "flags": [ + "timeout", + "dynamic" + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0015dynamic_0.nft b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft new file mode 100644 index 00000000..0f4244bf --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft @@ -0,0 +1,7 @@ +table ip filter { + set test_set { + type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto + size 100000 + flags dynamic,timeout + } +} diff --git a/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft b/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft new file mode 100644 index 00000000..e47ccb8e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft 
@@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.1.1.1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + 2 + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0016anonymous_0.nft b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft new file mode 100644 index 00000000..cb089337 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft @@ -0,0 +1,6 @@ +table ip x { + chain y { + ip saddr 1.1.1.1 + meta mark set ip saddr map { 1.1.1.1 : 0x00000002 } + } +} diff --git a/tests/shell/testcases/listing/dumps/0017objects_0.json-nft b/tests/shell/testcases/listing/dumps/0017objects_0.json-nft new file mode 100644 index 00000000..d735f7a1 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0017objects_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "countermap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter" + } + } + ] +} 
diff --git a/tests/shell/testcases/listing/dumps/0017objects_0.nft b/tests/shell/testcases/listing/dumps/0017objects_0.nft new file mode 100644 index 00000000..e60e3afa --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0017objects_0.nft @@ -0,0 +1,5 @@ +table inet filter { + map countermap { + type ipv4_addr : counter + } +} diff --git a/tests/shell/testcases/listing/dumps/0018data_0.json-nft b/tests/shell/testcases/listing/dumps/0018data_0.json-nft new file mode 100644 index 00000000..211dcd30 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0018data_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "ipmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr" + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0018data_0.nft b/tests/shell/testcases/listing/dumps/0018data_0.nft new file mode 100644 index 00000000..5d318550 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0018data_0.nft @@ -0,0 +1,5 @@ +table inet filter { + map ipmap { + type ipv4_addr : ipv4_addr + } +} diff --git a/tests/shell/testcases/listing/dumps/0019set_0.json-nft b/tests/shell/testcases/listing/dumps/0019set_0.json-nft new file mode 100644 index 00000000..3bb7cb8a --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0019set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "ipset", + "table": "filter", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/listing/dumps/0019set_0.nft b/tests/shell/testcases/listing/dumps/0019set_0.nft new file mode 100644 index 00000000..915922ca --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0019set_0.nft @@ -0,0 +1,5 @@ +table inet filter { + set ipset { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft new file mode 100644 index 00000000..d511739a --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft @@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "flowtable": { + "family": "inet", + "name": "f2", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "flowtable": { + "family": "ip", + "name": "f2", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft new file mode 100644 index 00000000..4a64e531 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft 
@@ -0,0 +1,20 @@
+table inet filter {
+ flowtable f {
+ hook ingress priority filter
+ devices = { lo }
+ }
+
+ flowtable f2 {
+ hook ingress priority filter
+ }
+}
+table ip filter {
+ flowtable f {
+ hook ingress priority filter
+ devices = { lo }
+ }
+
+ flowtable f2 {
+ hook ingress priority filter
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft
new file mode 100644
index 00000000..d1131bb4
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft
@@ -0,0 +1,39 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "test",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ "192.168.3.4",
+ "192.168.3.5"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft
new file mode 100644
index 00000000..13c8ac63
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft
@@ -0,0 +1,9 @@
+table ip test {
+ set s {
+ type ipv4_addr
+ elements = { 192.168.3.4, 192.168.3.5 }
+ }
+
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.json-nft b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft
new file mode 100644
index 00000000..bd6383da
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft
@@ -0,0 +1,88 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "prerouting",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "example",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ "10.10.10.10",
+ "10.10.11.11"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "set": [
+ "10.10.10.100",
+ "10.10.10.111"
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@example"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.nft b/tests/shell/testcases/listing/dumps/0022terse_0.nft
new file mode 100644
index 00000000..40665cb7
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0022terse_0.nft
@@ -0,0 +1,12 @@
+table inet filter {
+ set example {
+ type ipv4_addr
+ flags interval
+ elements = { 10.10.10.10, 10.10.11.11 }
+ }
+
+ chain input {
+ type filter hook prerouting priority filter; policy accept;
+ ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+ }
+}
diff --git a/tests/shell/testcases/listing/dumps/meta_time.nodump b/tests/shell/testcases/listing/dumps/meta_time.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/meta_time.nodump
diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time
new file mode 100755
index 00000000..96a9d557
--- /dev/null
+++ b/tests/shell/testcases/listing/meta_time
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_meta_time)
+
+set -e
+
+TMP1=$(mktemp)
+TMP2=$(mktemp)
+
+cleanup()
+{
+ rm -f "$TMP1"
+ rm -f "$TMP2"
+}
+
+check_decode()
+{
+ TZ=$1 $NFT list chain t c | grep meta > "$TMP2"
+ diff -u "$TMP1" "$TMP2"
+}
+
+trap cleanup EXIT
+
+$NFT -f - <<EOF
+table t {
+ chain c {
+ }
+}
+EOF
+
+for i in $(seq -w 0 23); do
+ TZ=UTC $NFT add rule t c meta hour "$i:00"-"$i:59"
+done
+
+# Check decoding in UTC, this mirrors 1:1 what should have been added.
+for i in $(seq 0 23); do
+ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+
+check_decode UTC
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 23 0 23 59 > "$TMP1"
+for i in $(seq 0 22); do
+ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+check_decode UTC+1
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 1 0 1 59 > "$TMP1"
+for i in $(seq 2 23); do
+ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 0 59 >> "$TMP1"
+
+check_decode UTC-1
+
+$NFT flush chain t c
+TZ=EADT $NFT add rule t c meta hour "03:00"-"14:00"
+TZ=EADT $NFT add rule t c meta hour "04:00"-"15:00"
+TZ=EADT $NFT add rule t c meta hour "05:00"-"16:00"
+TZ=EADT $NFT add rule t c meta hour "06:00"-"17:00"
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 3 0 14 0 > "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 4 0 15 0 >> "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 5 0 16 0 >> "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 6 0 17 0 >> "$TMP1"
+
+check_decode EADT |
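Review bot: In check_decode the exit status of `$NFT list chain t c` is discarded, because it is the left side of a pipe into grep and the script sets only `set -e`; a listing that prints the expected `meta` lines and then exits non-zero would still pass the diff. Adding `set -o pipefail` next to `set -e` would make an nft failure abort the test. Separately, the last block depends on the host resolving `TZ=EADT`; where that abbreviation is not in the timezone data the C library may fall back to UTC (not verifiable from this hunk), in which case the block would add and decode the rules without any offset. A comment stating the offset the author intends there, e.g. `# EADT: expected to resolve to a non-UTC zone, otherwise this block only repeats the UTC check`, would make that dependency visible.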