diff options
Diffstat (limited to 'tests/shell/testcases/rule_management')
26 files changed, 949 insertions, 1 deletions
diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0 index 329ccc20..c343d579 100755 --- a/tests/shell/testcases/rule_management/0003insert_0 +++ b/tests/shell/testcases/rule_management/0003insert_0 @@ -9,3 +9,7 @@ $NFT add chain t c $NFT insert rule t c accept $NFT insert rule t c drop $NFT insert rule t c masquerade + +# check 'evaluate: un-break rule insert with intervals' + +$NFT insert rule t c tcp sport { 3478-3497, 16384-16387 } diff --git a/tests/shell/testcases/rule_management/0010replace_0 b/tests/shell/testcases/rule_management/0010replace_0 index 251cebb2..cd69a89d 100755 --- a/tests/shell/testcases/rule_management/0010replace_0 +++ b/tests/shell/testcases/rule_management/0010replace_0 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # test for kernel commit ca08987885a147643817d02bf260bc4756ce8cd4 # ("netfilter: nf_tables: deactivate expressions in rule replecement routine") diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0 new file mode 100755 index 00000000..33eadd9e --- /dev/null +++ b/tests/shell/testcases/rule_management/0011reset_0 @@ -0,0 +1,170 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_rule) + +set -e + +echo "loading ruleset" +$NFT -f - <<EOF +table ip t { + set s { + type ipv4_addr + counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } + } + chain c { + counter packets 1 bytes 11 update @s { ip saddr } accept + counter packets 2 bytes 12 drop + } + + chain c2 { + counter packets 3 bytes 13 accept + counter packets 4 bytes 14 drop + } +} +table inet t { + chain c { + counter packets 5 bytes 15 accept + counter packets 6 bytes 16 drop + } +} +table ip t2 { + chain c2 { + counter packets 7 bytes 17 accept + counter packets 8 bytes 18 drop + } +} +EOF + +echo "resetting specific rule" +handle=$($NFT -a list chain t c | sed -n 's/.*accept # handle \([0-9]*\)$/\1/p') +$NFT reset rule t c handle $handle +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 2 bytes 12 drop + } + + chain c2 { + counter packets 3 bytes 13 accept + counter packets 4 bytes 14 drop + } +} +table inet t { + chain c { + counter packets 5 bytes 15 accept + counter packets 6 bytes 16 drop + } +} +table ip t2 { + chain c2 { + counter packets 7 bytes 17 accept + counter packets 8 bytes 18 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT list ruleset) + +echo "resetting specific chain" +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + } + + chain c2 { + counter packets 3 bytes 13 accept + counter packets 4 bytes 14 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT reset rules chain t c2) + +echo "resetting specific table" +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 2 bytes 12 drop + } + + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT reset rules table t) + +echo "resetting specific family" +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 0 bytes 0 drop + } + + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} +table ip t2 { + chain c2 { + counter packets 7 bytes 17 accept + counter packets 8 bytes 18 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT reset rules ip) + +echo "resetting whole ruleset" +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 0 bytes 0 drop + } + + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} +table inet t { + chain c { + counter packets 5 bytes 15 accept + counter packets 6 bytes 16 drop + } +} +table ip t2 { + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT reset rules) diff --git a/tests/shell/testcases/rule_management/0012destroy_0 b/tests/shell/testcases/rule_management/0012destroy_0 new file mode 100755 index 00000000..a058150f --- /dev/null +++ b/tests/shell/testcases/rule_management/0012destroy_0 @@ -0,0 +1,14 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table t +$NFT add chain t c + +# pass for non-existent rule +$NFT destroy rule t c handle 3333 + +# successfully delete existing rule +handle=$($NFT -a -e insert rule t c accept | \ + sed -n 's/.*handle \([0-9]*\)$/\1/p') +$NFT destroy rule t c handle "$handle" diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft new file mode 100644 index 00000000..83dfee0d --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft new file mode 100644 index 00000000..527d79d6 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + drop + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft new file mode 100644 index 00000000..b3808ce2 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft new file mode 100644 index 00000000..b76cd930 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft new file mode 100644 index 00000000..9216cabf --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": { + "set": [ + { + "range": [ + 3478, + 3497 + ] + }, + { + "range": [ + 16384, + 16387 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft index 9421f4ae..b1875aba 100644 --- a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft +++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft @@ -1,5 +1,6 @@ table ip t { chain c { + tcp sport { 3478-3497, 16384-16387 } masquerade drop accept diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft new file mode 100644 index 00000000..5d0b7d06 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft new file mode 100644 index 00000000..5d0b7d06 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft new file mode 100644 index 00000000..bc242467 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft @@ -0,0 +1,257 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 1, + "bytes": 11 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@s" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t2", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t2", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t2", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft new file mode 100644 index 00000000..3b4f5a11 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft @@ -0,0 +1,31 @@ +table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 0 bytes 0 drop + } + + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} +table inet t { + chain c { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} +table ip t2 { + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} |