diff options
Diffstat (limited to 'tests/shell/testcases/rule_management')
4 files changed, 88 insertions, 11 deletions
diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0 index c3329af5..18dc4a9f 100755 --- a/tests/shell/testcases/rule_management/0004replace_0 +++ b/tests/shell/testcases/rule_management/0004replace_0 @@ -6,5 +6,9 @@ set -e $NFT add table t $NFT add chain t c -$NFT add rule t c accept # should have handle 2 -$NFT replace rule t c handle 2 drop +$NFT 'add set t s1 { type ipv4_addr; }' +$NFT 'add set t s2 { type ipv4_addr; flags interval; }' +$NFT add rule t c accept # should have handle 4 +$NFT replace rule t c handle 4 drop +$NFT replace rule t c handle 4 ip saddr { 1.1.1.1, 2.2.2.2 } +$NFT replace rule t c handle 4 ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 } diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0 index 33eadd9e..2004b17d 100755 --- a/tests/shell/testcases/rule_management/0011reset_0 +++ b/tests/shell/testcases/rule_management/0011reset_0 @@ -4,6 +4,27 @@ set -e +echo "loading ruleset with anonymous set" +$NFT -f - <<EOF +table t { + chain dns-nat-pre { + type nat hook prerouting priority filter; policy accept; + meta l4proto { tcp, udp } th dport 53 ip saddr 10.24.0.0/24 ip daddr != 10.25.0.1 counter packets 1000 bytes 1000 dnat to 10.25.0.1 + } +} +EOF + +echo "resetting ruleset with anonymous set" +$NFT reset rules +EXPECT='table ip t { + chain dns-nat-pre { + type nat hook prerouting priority filter; policy accept; + meta l4proto { tcp, udp } th dport 53 ip saddr 10.24.0.0/24 ip daddr != 10.25.0.1 counter packets 0 bytes 0 dnat to 10.25.0.1 + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT list ruleset) +$NFT flush ruleset + echo "loading ruleset" $NFT -f - <<EOF table ip t { @@ -74,13 +95,6 @@ $DIFF -u <(echo "$EXPECT") <($NFT list ruleset) echo "resetting specific chain" EXPECT='table ip t { - set s { - type ipv4_addr - size 65535 - flags dynamic - counter - } - chain c2 { counter packets 3 bytes 13 accept counter packets 4 bytes 14 drop @@ -95,6 +109,7 @@ EXPECT='table ip t { size 65535 flags dynamic counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } } chain c { @@ -116,6 +131,7 @@ EXPECT='table ip t { size 65535 flags dynamic counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } } chain c { @@ -143,6 +159,7 @@ EXPECT='table ip t { size 65535 flags dynamic counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } } chain c { diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft index 5d0b7d06..767e80f1 100644 --- a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft @@ -23,6 +23,27 @@ } }, { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + }, + { "rule": { "family": "ip", "table": "t", @@ -30,7 +51,33 @@ "handle": 0, "expr": [ { - "drop": null + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "3.3.3.3", + "4.4.4.4" + ] + } + } } ] } diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft index e20952ef..803c0deb 100644 --- a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft @@ -1,5 +1,14 @@ table ip t { + set s1 { + type ipv4_addr + } + + set s2 { + type ipv4_addr + flags interval + } + chain c { - drop + ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 } } } |