Diffstat (limited to 'tests/shell/testcases/rule_management')
-rwxr-xr-xtests/shell/testcases/rule_management/0004replace_08
-rwxr-xr-xtests/shell/testcases/rule_management/0011reset_061
-rw-r--r--tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft47
-rw-r--r--tests/shell/testcases/rule_management/dumps/0004replace_0.nft11
-rw-r--r--tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft4
-rw-r--r--tests/shell/testcases/rule_management/dumps/0011reset_0.nft2
6 files changed, 106 insertions, 27 deletions
diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0
index c3329af5..18dc4a9f 100755
--- a/tests/shell/testcases/rule_management/0004replace_0
+++ b/tests/shell/testcases/rule_management/0004replace_0
@@ -6,5 +6,9 @@
set -e
$NFT add table t
$NFT add chain t c
-$NFT add rule t c accept # should have handle 2
-$NFT replace rule t c handle 2 drop
+$NFT 'add set t s1 { type ipv4_addr; }'
+$NFT 'add set t s2 { type ipv4_addr; flags interval; }'
+$NFT add rule t c accept # should have handle 4
+$NFT replace rule t c handle 4 drop
+$NFT replace rule t c handle 4 ip saddr { 1.1.1.1, 2.2.2.2 }
+$NFT replace rule t c handle 4 ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 }
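Review bot: The three `replace rule` calls depend on the literal handle 4, which only holds while exactly one chain and two sets are created before the rule; adding one more object earlier in the script would make `replace` fail under `set -e` with an error unrelated to what is being tested. The sibling test 0011reset_0 already looks the handle up, and the same approach works here: `handle=$($NFT -a list chain t c | sed -n 's/.*accept # handle \([0-9]*\)$/\1/p')` followed by `$NFT replace rule t c handle "$handle" drop`. Only the final ruleset is compared against the dump, so the intermediate replace with the anonymous set `{ 1.1.1.1, 2.2.2.2 }` is checked for success but not for its content.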
diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0
index 33eadd9e..5e65ced9 100755
--- a/tests/shell/testcases/rule_management/0011reset_0
+++ b/tests/shell/testcases/rule_management/0011reset_0
@@ -4,6 +4,33 @@
set -e
+if [ $NFT_TEST_HAVE_setcount = y ]; then
+ size="size 65535 # count 1"
+else
+ size="size 65535"
+fi
+
+echo "loading ruleset with anonymous set"
+$NFT -f - <<EOF
+table t {
+ chain dns-nat-pre {
+ type nat hook prerouting priority filter; policy accept;
+ meta l4proto { tcp, udp } th dport 53 ip saddr 10.24.0.0/24 ip daddr != 10.25.0.1 counter packets 1000 bytes 1000 dnat to 10.25.0.1
+ }
+}
+EOF
+
+echo "resetting ruleset with anonymous set"
+$NFT reset rules
+EXPECT='table ip t {
+ chain dns-nat-pre {
+ type nat hook prerouting priority filter; policy accept;
+ meta l4proto { tcp, udp } th dport 53 ip saddr 10.24.0.0/24 ip daddr != 10.25.0.1 counter packets 0 bytes 0 dnat to 10.25.0.1
+ }
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT list ruleset)
+$NFT flush ruleset
+
echo "loading ruleset"
$NFT -f - <<EOF
table ip t {
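Review bot: The feature test `[ $NFT_TEST_HAVE_setcount = y ]` expands the variable unquoted, so when the script runs outside the harness with the variable unset, `[` sees `= y` alone, prints an operator error to stderr and falls through to the `else` branch by accident rather than by design. Quoting makes the fallback explicit: `if [ "$NFT_TEST_HAVE_setcount" = y ]; then`. A one-line comment above the block, for example `# kernels with set element counting list "# count N" after the set size`, would also explain why `$size` is later interpolated into the expected output. The here-document that starts on the last lines of this hunk continues outside it.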
@@ -39,10 +66,10 @@ EOF
echo "resetting specific rule"
handle=$($NFT -a list chain t c | sed -n 's/.*accept # handle \([0-9]*\)$/\1/p')
$NFT reset rule t c handle $handle
-EXPECT='table ip t {
+EXPECT="table ip t {
set s {
type ipv4_addr
- size 65535
+ $size
flags dynamic
counter
elements = { 1.1.1.1 counter packets 1 bytes 11 }
@@ -69,18 +96,11 @@ table ip t2 {
counter packets 7 bytes 17 accept
counter packets 8 bytes 18 drop
}
-}'
+}"
$DIFF -u <(echo "$EXPECT") <($NFT list ruleset)
echo "resetting specific chain"
EXPECT='table ip t {
- set s {
- type ipv4_addr
- size 65535
- flags dynamic
- counter
- }
-
chain c2 {
counter packets 3 bytes 13 accept
counter packets 4 bytes 14 drop
@@ -89,12 +109,13 @@ EXPECT='table ip t {
$DIFF -u <(echo "$EXPECT") <($NFT reset rules chain t c2)
echo "resetting specific table"
-EXPECT='table ip t {
+EXPECT="table ip t {
set s {
type ipv4_addr
- size 65535
+ $size
flags dynamic
counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
}
chain c {
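Review bot: The expected output for `reset rules table t` now contains `elements = { 1.1.1.1 counter packets 1 bytes 11 }`, a non-zero element counter next to rule counters that are expected to read zero, and nothing in the script says this difference is intentional. A short comment above the `EXPECT=` assignment, such as `# reset rules zeroes rule counters only; set element counters are listed unchanged`, would keep a later reader from "fixing" the expectation; this reading is inferred from the expected text and should be confirmed against the intended behaviour. The same applies to the added `elements` lines in the "resetting specific family" and "resetting whole ruleset" hunks. The `EXPECT` string opened here is closed outside this hunk.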
@@ -106,16 +127,17 @@ EXPECT='table ip t {
counter packets 0 bytes 0 accept
counter packets 0 bytes 0 drop
}
-}'
+}"
$DIFF -u <(echo "$EXPECT") <($NFT reset rules table t)
echo "resetting specific family"
-EXPECT='table ip t {
+EXPECT="table ip t {
set s {
type ipv4_addr
- size 65535
+ $size
flags dynamic
counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
}
chain c {
@@ -133,16 +155,17 @@ table ip t2 {
counter packets 7 bytes 17 accept
counter packets 8 bytes 18 drop
}
-}'
+}"
$DIFF -u <(echo "$EXPECT") <($NFT reset rules ip)
echo "resetting whole ruleset"
-EXPECT='table ip t {
+EXPECT="table ip t {
set s {
type ipv4_addr
- size 65535
+ $size
flags dynamic
counter
+ elements = { 1.1.1.1 counter packets 1 bytes 11 }
}
chain c {
@@ -166,5 +189,5 @@ table ip t2 {
counter packets 0 bytes 0 accept
counter packets 0 bytes 0 drop
}
-}'
+}"
$DIFF -u <(echo "$EXPECT") <($NFT reset rules)
diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft
index 5d0b7d06..811cb738 100644
--- a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft
+++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft
@@ -23,6 +23,25 @@
}
},
{
+ "set": {
+ "family": "ip",
+ "name": "s1",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s2",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": "interval"
+ }
+ },
+ {
"rule": {
"family": "ip",
"table": "t",
@@ -30,7 +49,33 @@
"handle": 0,
"expr": [
{
- "drop": null
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@s2"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": {
+ "set": [
+ "3.3.3.3",
+ "4.4.4.4"
+ ]
+ }
+ }
}
]
}
diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
index e20952ef..803c0deb 100644
--- a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
+++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
@@ -1,5 +1,14 @@
table ip t {
+ set s1 {
+ type ipv4_addr
+ }
+
+ set s2 {
+ type ipv4_addr
+ flags interval
+ }
+
chain c {
- drop
+ ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 }
}
}
diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft
index bc242467..e57dee79 100644
--- a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft
+++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft
@@ -38,9 +38,7 @@
"type": "ipv4_addr",
"handle": 0,
"size": 65535,
- "flags": [
- "dynamic"
- ],
+ "flags": "dynamic",
"elem": [
{
"elem": {
diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
index 3b4f5a11..3c29b582 100644
--- a/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
+++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
@@ -1,7 +1,7 @@
table ip t {
set s {
type ipv4_addr
- size 65535
+ size 65535 # count 1
flags dynamic
counter
elements = { 1.1.1.1 counter packets 1 bytes 11 }