Diffstat (limited to 'tests/shell/testcases/optimizations/dumps')
38 files changed, 4769 insertions, 0 deletions
diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft
new file mode 100644
index 00000000..712182e9
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft
@@ -0,0 +1,776 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": 
"foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, 
+ "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "netdev", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + 
"right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + 
{ + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft new file mode 100644 index 00000000..1781f7be --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft @@ -0,0 +1,42 @@ +table bridge foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip foo { + chain bar { + udp dport 67 + meta protocol ip6 udp dport 67 + udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip6 foo { + chain bar { + meta protocol ip udp dport 67 + udp dport 67 + ether type ip udp dport 67 + udp dport 67 + } +} +table netdev foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table inet foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + meta nfproto ipv4 udp dport 67 + meta nfproto ipv6 udp dport 67 + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft new file mode 100644 index 00000000..a6cf1bfc --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft 
@@ -0,0 +1,379 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test1", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test1", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test1", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "4.4.4.4", + "1.1.1.1" + ], + [ + "5.5.5.5", + "2.2.2.2" + ] + ] + } + } + } + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test2", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + { + "concat": [ + "1.1.1.1", + 8001 + ] + } + ], + [ + 81, + { + "concat": [ + "2.2.2.2", + 9001 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + 
} + }, + { + "prefix": { + "addr": "10.141.13.0", + "len": 24 + } + } + ] + } + } + }, + { + "masquerade": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test4", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + 80 + ] + }, + { + "concat": [ + "4.4.4.4", + 8000 + ] + } + ], + [ + { + "concat": [ + "2.2.2.2", + 81 + ] + }, + { + "concat": [ + "3.3.3.3", + 9000 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "redirect": { + "port": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 83, + 8083 + ], + [ + 84, + 8084 + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 85 + } + }, + { + "redirect": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft new file mode 100644 index 00000000..f6c119ec --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft 
@@ -0,0 +1,21 @@ +table ip test1 { + chain y { + oif "lo" accept + dnat to ip saddr map { 4.4.4.4 : 1.1.1.1, 5.5.5.5 : 2.2.2.2 } + } +} +table ip test2 { + chain y { + oif "lo" accept + dnat ip to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 } + ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade + } +} +table ip test4 { + chain y { + oif "lo" accept + dnat ip to ip daddr . tcp dport map { 1.1.1.1 . 80 : 4.4.4.4 . 8000, 2.2.2.2 . 81 : 3.3.3.3 . 9000 } + redirect to :tcp dport map { 83 : 8083, 84 : 8084 } + tcp dport 85 redirect + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft new file mode 100644 index 00000000..dc67feec --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft 
@@ -0,0 +1,200 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test3", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "sport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "3.3.3.3" + ], + [ + { + "concat": [ + "2.2.2.2", + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "4.4.4.4" + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp2s0" + } + }, + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.1.1.0", + "len": 24 + } + }, + { + "range": [ + "72.2.3.66", + "72.2.3.78" + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 8888, + 9999 + ] + } + } + }, + { + "redirect": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft
new file mode 100644
index 00000000..0faddfd1
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft
@@ -0,0 +1,8 @@
+table ip test3 {
+ chain y {
+ oif "lo" accept
+ snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 }
+ oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ tcp dport { 8888, 9999 } redirect
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft
new file mode 100644
index 00000000..99930f11
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft
@@ -0,0 +1,208 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "nat", + "name": "prerouting", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "72.2.3.70", + 80 + ] + }, + { + "concat": [ + "10.1.1.52", + 80 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + "72.2.3.66", + 53122 + ] + }, + { + "concat": [ + "10.1.1.10", + 22 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + "72.2.3.66", + 443 + ] + }, + { + "concat": [ + "10.1.1.52", + 443 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "72.2.3.66", + 
"10.2.2.2" + ], + [ + "72.2.3.67", + "10.2.3.3" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft new file mode 100644 index 00000000..a1a11354 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft @@ -0,0 +1,11 @@ +table inet nat { + chain prerouting { + oif "lo" accept + dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 } + } + + chain postrouting { + oif "lo" accept + snat ip to ip daddr map { 72.2.3.66 : 10.2.2.2, 72.2.3.67 : 10.2.3.3 } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft b/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft new file mode 100644 index 00000000..46ed0677 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft 
@@ -0,0 +1,320 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "172.30.33.70" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + "172.30.238.117", + 8080 + ] + }, + { + "concat": [ + "tcp", + "172.30.33.71", + 3306 + ] + }, + { + "concat": [ + "tcp", + "172.30.254.251", + 3306 + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "icmp", + "expr": "port-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "172.30.254.252" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "table": { + "family": 
"ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + "aaaa::3", + 8080 + ] + }, + { + "concat": [ + "tcp", + "aaaa::2", + 3306 + ] + }, + { + "concat": [ + "tcp", + "aaaa::4", + 3306 + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "icmpv6", + "expr": "port-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "aaaa::5" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.nft b/tests/shell/testcases/optimizations/dumps/merge_reject.nft new file mode 100644 index 00000000..c29ad6d5 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_reject.nft 
@@ -0,0 +1,13 @@ +table ip x { + chain y { + ip daddr 172.30.33.70 tcp dport 3306 counter packets 0 bytes 0 drop + meta l4proto . ip daddr . tcp dport { tcp . 172.30.238.117 . 8080, tcp . 172.30.33.71 . 3306, tcp . 172.30.254.251 . 3306 } counter packets 0 bytes 0 reject + ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset + } +} +table ip6 x { + chain y { + meta l4proto . ip6 daddr . tcp dport { tcp . aaaa::3 . 8080, tcp . aaaa::2 . 3306, tcp . aaaa::4 . 3306 } counter packets 0 bytes 0 reject + ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft new file mode 100644 index 00000000..c392b76a --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft @@ -0,0 +1,63 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.0.1", + "192.168.0.2", + "192.168.0.3" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts.nft new file mode 100644 index 00000000..b56ea3ed --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept + } +} 
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft
new file mode 100644
index 00000000..267d84ef
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft
@@ -0,0 +1,374 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c3", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "eth1", + "1.1.1.1", + "2.2.2.3" + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + "2.2.2.4" + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + { + "prefix": { + "addr": "2.2.3.0", + "len": 24 + } + } + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + { + "range": [ + "2.2.4.0", + "2.2.4.10" + ] + } + ] + }, + { + "concat": [ + "eth2", + "1.1.1.3", + "2.2.2.5" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + 22 + ] + }, + { + "concat": [ + "udp", + 67 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c1", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + 
"protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 100, + "foo" + ] + }, + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c3", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 100, + "foo" + ] + }, + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + }, + { + "concat": [ + 100, + "test" + ] + }, + { + "concat": [ + 51820, + "test" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft new file mode 100644 index 00000000..f56cea1c --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft 
@@ -0,0 +1,18 @@ +table ip x { + chain y { + iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept + ip protocol . th dport { tcp . 22, udp . 67 } + } + + chain c1 { + udp dport . iifname { 51820 . "foo", 514 . "bar", 67 . "bar" } accept + } + + chain c2 { + udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar" } accept + } + + chain c3 { + udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar", 100 . "test", 51820 . "test" } accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft new file mode 100644 index 00000000..5dfa40a8 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft 
@@ -0,0 +1,167 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "x", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "meta": { + "key": "pkttype" + } + }, + { + "payload": { + "protocol": "udp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "broadcast", + 547 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "broadcast", + 67 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "multicast", + 1900 + ] + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "2.2.2.2", + "3.3.3.3" + ] + }, + { + "drop": null + } + ], + [ + { + "concat": [ + "4.4.4.4", + "5.5.5.5" + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft new file mode 100644 index 00000000..780aa09a --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft 
@@ -0,0 +1,9 @@ +table ip x { + chain x { + meta pkttype . udp dport vmap { broadcast . 547 : accept, broadcast . 67 : accept, multicast . 1900 : drop } + } + + chain y { + ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop, 4.4.4.4 . 5.5.5.5 : accept } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft new file mode 100644 index 00000000..17d57b8f --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft 
@@ -0,0 +1,182 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "w", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "ct": { + "key": "state" + } + }, + "data": { + "set": [ + [ + "invalid", + { + "drop": null + } + ], + [ + "established", + { + "accept": null + } + ], + [ + "related", + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 1, + { + "accept": null + } + ], + [ + { + "range": [ + 2, + 3 + ] + }, + { + "drop": null + } + ], + [ + 4, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "w", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ], + [ + { + "elem": { + "val": "1.1.1.2", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft new file mode 100644 index 00000000..8ecbd927 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft 
@@ -0,0 +1,13 @@ +table ip x { + chain y { + ct state vmap { invalid : drop, established : accept, related : accept } + } + + chain z { + tcp dport vmap { 1 : accept, 2-3 : drop, 4 : accept } + } + + chain w { + ip saddr vmap { 1.1.1.1 counter packets 0 bytes 0 : accept, 1.1.1.2 counter packets 0 bytes 0 : drop } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft new file mode 100644 index 00000000..b8ad126c --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft 
@@ -0,0 +1,438 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_dnstc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_this_5301", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5301", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5302", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5303", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_acme", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_dnstc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "redirect": { + "port": 5300 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_dnstc", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_this_5301", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "redirect": { + "port": 5301 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_this_5301", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5301", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" 
+ } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5301 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5301", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5302", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5302 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5302", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5303", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5303 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5303", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_acme", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "th", + "offset": 160, + "len": 128 + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "goto": { + "target": "nat_dns_dnstc" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + 
"0xe31393032383939353831343037320e" + ] + }, + { + "goto": { + "target": "nat_dns_this_5301" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe31363436323733373931323934300e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5301" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe32393535373539353636383732310e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5302" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe38353439353637323038363633390e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5303" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_acme", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft new file mode 100644 index 00000000..18847116 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft @@ -0,0 +1,31 @@ +table inet x { + chain nat_dns_dnstc { + meta l4proto udp redirect to :5300 + drop + } + + chain nat_dns_this_5301 { + meta l4proto udp redirect to :5301 + drop + } + + chain nat_dns_saturn_5301 { + meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5301 + drop + } + + chain nat_dns_saturn_5302 { + meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5302 + drop + } + + chain nat_dns_saturn_5303 { + meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5303 + drop + } + + chain nat_dns_acme { + udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0xe31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0xe31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0xe32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0xe38353439353637323038363633390e : goto nat_dns_saturn_5303 } + drop + } +} 
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft
new file mode 100644
index 00000000..e87f1c4c
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft
@@ -0,0 +1,205 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "filter_in_tcp", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "filter_in_udp", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@s", + "stmt": [ + { + "limit": { + "rate": 12, + "burst": 30, + "per": "minute" + } + } + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + { + "accept": null + } + ], + [ + 81, + { + "accept": null + } + ], + [ + 443, + { + "accept": null + } + ], + [ + { + "range": [ + 8000, + 8100 + ] + }, + { + "accept": null + } + ], + [ + { + "range": [ + 24000, + 25000 + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "l4proto" + } + }, + "data": { + "set": [ + [ + "tcp", + { + "goto": { + "target": "filter_in_tcp" + } + } + ], + [ + "udp", + { + "goto": { + "target": "filter_in_udp" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "log": null + } + 
] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft new file mode 100644 index 00000000..c981acf0 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft @@ -0,0 +1,20 @@ +table ip x { + set s { + type ipv4_addr + size 65535 + flags dynamic + } + + chain filter_in_tcp { + } + + chain filter_in_udp { + } + + chain y { + update @s { ip saddr limit rate 12/minute burst 30 packets } accept + tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept } + meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp } + log + } +} diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft new file mode 100644 index 00000000..8e64ba1e --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft 
@@ -0,0 +1,140 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "t1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "t2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "version" + } + }, + "data": { + "set": [ + [ + 4, + { + "jump": { + "target": "t3" + } + } + ], + [ + 6, + { + "jump": { + "target": "t4" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft new file mode 100644 index 00000000..02b89207 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft @@ -0,0 +1,19 @@ +table ip x { + chain t1 { + } + + chain t2 { + } + + chain t3 { + } + + chain t4 { + } + + chain y { + counter packets 0 bytes 0 jump t1 + counter packets 0 bytes 0 jump t2 + ip version vmap { 4 : jump t3, 6 : jump t4 } + } +} 
diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.json-nft b/tests/shell/testcases/optimizations/dumps/ruleset.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/ruleset.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.nft b/tests/shell/testcases/optimizations/dumps/ruleset.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/ruleset.nft diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft new file mode 100644 index 00000000..26634134 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft 
@@ -0,0 +1,360 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "127.0.0.0", + "len": 8 + } + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "range": [ + "127.0.0.1", + "192.168.7.3" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": { + "range": [ + 1, + 1023 + ] + } + } + 
}, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.7.1", + "192.168.7.5" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 80, + 443 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "192.168.0.1", + 22 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "192.168.0.1", + 1 + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "established", + "related" + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft new file mode 100644 index 00000000..35e3f36e --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft 
@@ -0,0 +1,15 @@ +table ip test { + chain test { + ip saddr 127.0.0.1 accept + iif "lo" accept + tcp dport != 22 drop + ip saddr 127.0.0.0/8 accept + ip saddr 127.0.0.1-192.168.7.3 accept + tcp sport 1-1023 drop + ip daddr { 192.168.7.1, 192.168.7.5 } accept + tcp dport { 80, 443 } accept + ip daddr . tcp dport { 192.168.0.1 . 22 } accept + meta mark set ip daddr map { 192.168.0.1 : 0x00000001 } + ct state { established, related } accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft new file mode 100644 index 00000000..c8adddb1 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft @@ -0,0 +1,59 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": { + "set": [ + { + "elem": { + "val": 10, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft new file mode 100644 index 00000000..54880b92 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + meta mark { 0x0000000a counter packets 0 bytes 0 } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft new file mode 100644 index 00000000..7bb6c656 --- /dev/null 
+++ b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft 
@@ -0,0 +1,235 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "udp_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "tcp_input", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "udp_accepted", + "table": "filter", + "type": "inet_service", + "handle": 0, + "elem": [ + 500, + 4500 + ] + } + }, + { + "set": { + "family": "inet", + "name": "tcp_accepted", + "table": "filter", + "type": "inet_service", + "handle": 0, + "elem": [ + 80, + 443 + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": { + "range": [ + 1, + 128 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": "@udp_accepted" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 53 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + { + "range": [ + 1, + 128 + ] + }, + { + "range": [ + 8888, + 9999 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } 
+ }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": "@tcp_accepted" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 1024, + 65535 + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.nft b/tests/shell/testcases/optimizations/dumps/skip_merge.nft new file mode 100644 index 00000000..9c10b74b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_merge.nft @@ -0,0 +1,23 @@ +table inet filter { + set udp_accepted { + type inet_service + elements = { 500, 4500 } + } + + set tcp_accepted { + type inet_service + elements = { 80, 443 } + } + + chain udp_input { + udp dport 1-128 accept + udp dport @udp_accepted accept + udp dport 53 accept + } + + chain tcp_input { + tcp dport { 1-128, 8888-9999 } accept + tcp dport @tcp_accepted accept + tcp dport 1024-65535 accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft b/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft new file mode 100644 index 00000000..19296d02 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft 
@@ -0,0 +1,108 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "eth0" + } + }, + { + "match": { + "op": "!=", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "eth0" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "eth0" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "eth0" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft b/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft new file mode 100644 index 00000000..6df38655 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft @@ -0,0 +1,6 @@ +table inet x { + chain y { + iifname "eth0" oifname != "eth0" counter packets 0 bytes 0 accept + iifname "eth0" oifname "eth0" counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft new file mode 100644 index 00000000..d6347b1e --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft 
@@ -0,0 +1,256 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "GEOIP_CC_wan-lan_120", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "1.32.128.0", + "len": 18 + } + }, + { + "range": [ + "1.32.200.0", + "1.32.204.128" + ] + }, + { + "prefix": { + "addr": "1.32.207.0", + "len": 24 + } + }, + { + "range": [ + "1.32.216.118", + "1.32.216.255" + ] + }, + { + "range": [ + "1.32.219.0", + "1.32.222.255" + ] + }, + { + "prefix": { + "addr": "1.32.226.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.32.231.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.32.233.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.32.238.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.32.240.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "223.223.220.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "223.255.254.0", + "len": 24 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 10 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + 
"left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 81 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 11 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.2.3.5", + 81 + ] + }, + { + "concat": [ + "1.2.3.5", + 82 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft new file mode 100644 index 00000000..f24855e7 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft @@ -0,0 +1,18 @@ +table inet x { + set GEOIP_CC_wan-lan_120 { + type ipv4_addr + flags interval + elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128, + 1.32.207.0/24, 1.32.216.118-1.32.216.255, + 1.32.219.0-1.32.222.255, 1.32.226.0/23, + 1.32.231.0/24, 1.32.233.0/24, + 1.32.238.0/23, 1.32.240.0/24, + 223.223.220.0/22, 223.255.254.0/24 } + } + + chain y { + ip saddr 1.2.3.4 tcp dport 80 meta mark set 0x0000000a accept + ip saddr 1.2.3.4 tcp dport 81 meta mark set 0x0000000b accept + ip saddr . tcp dport { 1.2.3.5 . 81, 1.2.3.5 . 82 } accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/variables.json-nft b/tests/shell/testcases/optimizations/dumps/variables.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/variables.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} 
diff --git a/tests/shell/testcases/optimizations/dumps/variables.nft b/tests/shell/testcases/optimizations/dumps/variables.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/variables.nft |