diff options
Diffstat (limited to 'tests/shell/testcases/sets/dumps')
150 files changed, 9593 insertions, 41 deletions
diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft new file mode 100644 index 00000000..b9c66a21 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft @@ -0,0 +1,261 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + "10.0.0.0", + "11.0.0.0" + ] + }, + { + "prefix": { + "addr": "172.16.0.0", + "len": 16 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s2", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 64 + } + }, + { + "range": [ + "fe11::", + "fe22::" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s3", + "table": "t", + "type": "inet_proto", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 10, + 20 + ] + }, + { + "range": [ + 50, + 60 + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s4", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 0, + 1024 + ] + }, + { + "range": [ + 8080, + 8082 + ] + }, + { + "range": [ + 10000, + 40000 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@s2" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "@s3" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + }, + "right": "@s3" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": "@s4" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft new file mode 100644 index 00000000..4c0be670 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft @@ -0,0 +1,44 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft new file mode 100644 index 00000000..b6173e9f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft new file mode 100644 index 00000000..c55858fa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 64 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft new file mode 100644 index 00000000..a75681f3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 48 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft new file mode 100644 index 00000000..b6173e9f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft new file mode 100644 index 00000000..f5a9ac19 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft new file mode 100644 index 00000000..c6f5aa68 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft new file mode 100644 index 00000000..fa5dcb25 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft @@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "postrouting", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sourcemap", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "100.123.10.2", + { + "jump": { + "target": "c" + } + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@sourcemap" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft new file mode 100644 index 00000000..2418b39a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "timeout" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.json-nft b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft new file mode 100644 index 00000000..7ea3c602 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "::1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft new file mode 100644 index 00000000..6268e216 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "blacklist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft new file mode 100644 index 00000000..96b9714a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft new file mode 100644 index 00000000..96b9714a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft new file mode 100644 index 00000000..d226811c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1", + "1.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft new file mode 100644 index 00000000..8cd37076 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1, 1.1.1.2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft new file mode 100644 index 00000000..d226811c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1", + "1.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.json-nft b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft new file mode 100644 index 00000000..401a8f23 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "elem": [ + { + "elem": { + "val": 22, + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft new file mode 100644 index 00000000..5ed089dc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft @@ -0,0 +1,69 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "2.2.2.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "3.3.3.0", + "len": 24 + } + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft new file mode 100644 index 00000000..c6171392 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft @@ -0,0 +1,101 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service" + } + }, + { + "set": { + "family": "ip", + "name": "f", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 1024, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@f", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft index 5a6e3261..38987ded 100644 --- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft @@ -7,7 +7,13 @@ table ip t { type ipv4_addr : inet_service } + set f { + type ipv4_addr + size 1024 + flags dynamic + } + chain c { - tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second } + tcp dport 80 add @f { ip saddr limit rate 10/second burst 5 packets } } } diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft new file mode 100644 index 00000000..b4521333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft @@ -0,0 +1,165 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "quota", + "elem": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@test" + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft deleted file mode 100644 index 2ffa4f2f..00000000 --- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft +++ /dev/null @@ -1,32 +0,0 @@ -table inet x { - counter user123 { - packets 12 bytes 1433 - } - - counter user321 { - packets 0 bytes 0 - } - - quota user123 { - over 2000 bytes - } - - quota user124 { - over 2000 bytes - } - - set y { - type ipv4_addr - } - - map test { - type ipv4_addr : quota - elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } - } - - chain y { - type filter hook input priority filter; policy accept; - counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" } - quota name ip saddr map @test drop - } -} diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft new file mode 100644 index 00000000..0af61333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft @@ -0,0 +1,131 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "synproxy": { + "family": "inet", + "name": "https-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 7, + "flags": [ + "timestamp", + "sack-perm" + ] + } + }, + { + "synproxy": { + "family": "inet", + "name": "other-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 5 + } + }, + { + "map": { + "family": "inet", + "name": "test2", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "synproxy", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "synproxy": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft new file mode 100644 index 00000000..e0ee86db --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft @@ -0,0 +1,23 @@ +table inet x { + synproxy https-synproxy { + mss 1460 + wscale 7 + timestamp sack-perm + } + + synproxy other-synproxy { + mss 1460 + wscale 5 + } + + map test2 { + type ipv4_addr : synproxy + flags interval + elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } + + chain y { + type filter hook input priority filter; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft new file mode 100644 index 00000000..9d56d025 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.0.1", + "192.168.0.2", + "192.168.0.3" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "doesntexist" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 23 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft new file mode 100644 index 00000000..5d21f26c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "limit": { + "family": "ip", + "name": "http-traffic", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "burst": 5 + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + "http-traffic" + ], + [ + 443, + "http-traffic" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft new file mode 100644 index 00000000..b9251ffa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "::ffff:0.0.0.0", + "len": 96 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft new file mode 100644 index 00000000..5968b2e0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft @@ -0,0 +1,168 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": "inet_proto", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "s3", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 1024, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "set": "@s1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@s2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@s3" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft new file mode 100644 index 00000000..0c604927 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft @@ -0,0 +1,26 @@ +table ip t { + set s1 { + type inet_proto + size 65535 + flags dynamic + } + + set s2 { + type ipv4_addr + size 65535 + flags dynamic + } + + set s3 { + type ipv4_addr + size 1024 + flags dynamic + } + + chain c { + type filter hook input priority filter; policy accept; + iifname "foobar" add @s1 { ip protocol } + iifname "foobar" add @s2 { ip daddr } + iifname "foobar" add @s3 { ip daddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft new file mode 100644 index 00000000..96314141 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "x", + "table": "test-ip", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "test-ip", + "type": "inet_service", + "handle": 0, + "flags": [ + "timeout" + ], + "timeout": 10845 + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "test-ip", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "constant", + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft new file mode 100644 index 00000000..0f25c763 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft @@ -0,0 +1,15 @@ +table ip test-ip { + set x { + type ipv4_addr + } + + set y { + type inet_service + timeout 3h45s + } + + set z { + type ipv4_addr + flags constant,interval + } +} diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft index 23ff89bb..55cd4f26 100644 --- a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft +++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft @@ -1,17 +1,57 @@ table inet t { set s { type ifname - elements = { "eth0" } + elements = { "eth0", + "eth1", + "eth2", + "eth3", + "veth1" } } set sc { type inet_service . ifname - elements = { 22 . "eth0" } + elements = { 22 . "eth0", + 80 . "eth0", + 81 . "eth0", + 80 . "eth1" } + } + + set nv { + type ifname . mark + elements = { "eth0" . 0x00000001, + "eth0" . 0x00000002 } + } + + set z { + typeof ct zone + elements = { 1, 2, 3, 4, 5, + 6 } + } + + set m { + typeof meta mark + elements = { 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, + 0x00000006 } + } + + map cz { + typeof iifname : ct zone + elements = { "eth0" : 1, + "eth1" : 2, + "veth4" : 1 } + } + + map cm { + typeof iifname : ct mark + elements = { "eth0" : 0x00000001, + "eth1" : 0x00000002, + "veth4" : 0x00000001 } } chain c { iifname @s accept oifname @s accept tcp dport . iifname @sc accept + iifname . meta mark @nv accept } } diff --git a/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft new file mode 100644 index 00000000..4d194bff --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "setA", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + }, + { + "set": { + "family": "ip", + "name": "setB", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft new file mode 100644 index 00000000..16684438 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "setA", + "table": "x", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + }, + { + "set": { + "family": "ip", + "name": "setB", + "table": "x", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft new file mode 100644 index 00000000..d6174c51 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft @@ -0,0 +1,11 @@ +table ip x { + set setA { + type ipv4_addr . inet_service . ipv4_addr + flags timeout + } + + set setB { + type ipv4_addr . inet_service + flags timeout + } +} diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft new file mode 100644 index 00000000..bfc0e4a0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft @@ -0,0 +1,140 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + 10, + { + "range": [ + 20, + 30 + ] + }, + 40, + { + "range": [ + 50, + 60 + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "ips", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "10.0.0.1", + { + "range": [ + "10.0.0.5", + "10.0.0.8" + ] + }, + { + "prefix": { + "addr": "10.0.0.128", + "len": 25 + } + }, + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + { + "range": [ + "10.0.2.3", + "10.0.2.12" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "cs", + "table": "t", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.0.0.1", + 22 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.1.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 1024 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "10.2.0.1", + "10.2.0.8" + ] + }, + { + "range": [ + 1024, + 65535 + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.nft b/tests/shell/testcases/sets/dumps/0034get_element_0.nft new file mode 100644 index 00000000..1c1dd977 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0034get_element_0.nft @@ -0,0 +1,23 @@ +table ip t { + set s { + type inet_service + flags interval + elements = { 10, 20-30, 40, 50-60 } + } + + set ips { + type ipv4_addr + flags interval + elements = { 10.0.0.1, 10.0.0.5-10.0.0.8, + 10.0.0.128/25, 10.0.1.0/24, + 10.0.2.3-10.0.2.12 } + } + + set cs { + type ipv4_addr . inet_service + flags interval + elements = { 10.0.0.1 . 22, + 10.1.0.0/16 . 1-1024, + 10.2.0.1-10.2.0.8 . 1024-65535 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft new file mode 100644 index 00000000..e4c77147 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft new file mode 100644 index 00000000..ca69cee2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft @@ -0,0 +1,6 @@ +table ip x { + set y { + type ipv4_addr + flags interval + } +} diff --git a/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft new file mode 100644 index 00000000..1c3b559d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft @@ -0,0 +1,159 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, + { + "set": { + "family": "inet", + "name": "myset", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "192.168.0.113", + "tcp", + 22 + ] + }, + { + "concat": [ + "192.168.0.12", + "tcp", + 53 + ] + }, + { + "concat": [ + "192.168.0.12", + "udp", + 53 + ] + }, + { + "concat": [ + "192.168.0.12", + "tcp", + 80 + ] + }, + { + "concat": [ + "192.168.0.13", + "tcp", + 80 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "forward", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "forward", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": "@myset" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft new file mode 100644 index 00000000..5b13f59a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft @@ -0,0 +1,96 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 256, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 128, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@m", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft new file mode 100644 index 00000000..8037dfa5 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft @@ -0,0 +1,17 @@ +table ip t { + set s { + type ipv4_addr + size 256 + flags dynamic,timeout + } + + set m { + type ipv4_addr + size 128 + flags dynamic + } + + chain c { + tcp dport 80 add @m { ip saddr limit rate 10/second burst 5 packets } + } +} diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft new file mode 100644 index 00000000..d6e46aad --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + "192.168.1.0", + "192.168.1.254" + ] + }, + "192.168.1.255" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft new file mode 100644 index 00000000..1fc76572 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft new file mode 100644 index 00000000..4b6cf03c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "mark", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 35, + 66 + ] + }, + 4919 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft new file mode 100644 index 00000000..f580c381 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type mark + flags interval + elements = { 0x00000023-0x00000042, 0x00001337 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.json-nft b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft new file mode 100644 index 00000000..14a39330 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft @@ -0,0 +1,33 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "192.168.2.196" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.nft b/tests/shell/testcases/sets/dumps/0041interval_0.nft new file mode 100644 index 00000000..222d4d74 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0041interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.2.196 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft new file mode 100644 index 00000000..bc1d4cc2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft @@ -0,0 +1,87 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "set1", + "table": "t", + "type": "ether_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "set2", + "table": "t", + "type": "ether_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + "right": "@set1" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + "set": "@set2", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.nft b/tests/shell/testcases/sets/dumps/0042update_set_0.nft new file mode 100644 index 00000000..56cc875e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.nft @@ -0,0 +1,15 @@ +table ip t { + set set1 { + type ether_addr + } + + set set2 { + type ether_addr + size 65535 + flags dynamic + } + + chain c { + ether daddr @set1 add @set2 { ether daddr counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft new file mode 100644 index 00000000..ffb76e2f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft @@ -0,0 +1,98 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "filter", + "type": [ + "mark", + "inet_service", + "inet_proto" + ], + "handle": 0, + "map": "mark", + "flags": [ + "interval", + "timeout" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "output", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "mark" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "data": "@test" + } + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft new file mode 100644 index 00000000..f2077b91 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft @@ -0,0 +1,11 @@ +table inet filter { + map test { + type mark . inet_service . inet_proto : mark + flags interval,timeout + } + + chain output { + type filter hook output priority filter; policy accept; + meta mark set meta mark . tcp dport . meta l4proto map @test counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft new file mode 100644 index 00000000..92b59c86 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft @@ -0,0 +1,1723 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "s", + "table": "t", + "type": [ + "ipv6_addr", + "ipv6_addr" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 32 + } + }, + { + "range": [ + "2001:db8:20::", + "2001:db8:20::20:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 33 + } + }, + { + "range": [ + "2001:db8:21::", + "2001:db8:21::21:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 34 + } + }, + { + "range": [ + "2001:db8:22::", + "2001:db8:22::22:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 35 + } + }, + { + "range": [ + "2001:db8:23::", + "2001:db8:23::23:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 36 + } + }, + { + "range": [ + "2001:db8:24::", + "2001:db8:24::24:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 37 + } + }, + { + "range": [ + "2001:db8:25::", + "2001:db8:25::25:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 38 + } + }, + { + "range": [ + "2001:db8:26::", + "2001:db8:26::26:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 39 + } + }, + { + "range": [ + "2001:db8:27::", + "2001:db8:27::27:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 40 + } + }, + { + "range": [ + "2001:db8:28::", + "2001:db8:28::28:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 41 + } + }, + { + "range": [ + "2001:db8:29::", + "2001:db8:29::29:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 42 + } + }, + { + "range": [ + "2001:db8:2a::", + "2001:db8:2a::2a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 43 + } + }, + { + "range": [ + "2001:db8:2b::", + "2001:db8:2b::2b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 44 + } + }, + { + "range": [ + "2001:db8:2c::", + "2001:db8:2c::2c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 45 + } + }, + { + "range": [ + "2001:db8:2d::", + "2001:db8:2d::2d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 46 + } + }, + { + "range": [ + "2001:db8:2e::", + "2001:db8:2e::2e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 47 + } + }, + { + "range": [ + "2001:db8:2f::", + "2001:db8:2f::2f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 48 + } + }, + { + "range": [ + "2001:db8:30::", + "2001:db8:30::30:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 49 + } + }, + { + "range": [ + "2001:db8:31::", + "2001:db8:31::31:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 50 + } + }, + { + "range": [ + "2001:db8:32::", + "2001:db8:32::32:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 51 + } + }, + { + "range": [ + "2001:db8:33::", + "2001:db8:33::33:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 52 + } + }, + { + "range": [ + "2001:db8:34::", + "2001:db8:34::34:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 53 + } + }, + { + "range": [ + "2001:db8:35::", + "2001:db8:35::35:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 54 + } + }, + { + "range": [ + "2001:db8:36::", + "2001:db8:36::36:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 55 + } + }, + { + "range": [ + "2001:db8:37::", + "2001:db8:37::37:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 56 + } + }, + { + "range": [ + "2001:db8:38::", + "2001:db8:38::38:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 57 + } + }, + { + "range": [ + "2001:db8:39::", + "2001:db8:39::39:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 58 + } + }, + { + "range": [ + "2001:db8:3a::", + "2001:db8:3a::3a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 59 + } + }, + { + "range": [ + "2001:db8:3b::", + "2001:db8:3b::3b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 60 + } + }, + { + "range": [ + "2001:db8:3c::", + "2001:db8:3c::3c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 61 + } + }, + { + "range": [ + "2001:db8:3d::", + "2001:db8:3d::3d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 62 + } + }, + { + "range": [ + "2001:db8:3e::", + "2001:db8:3e::3e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 63 + } + }, + { + "range": [ + "2001:db8:3f::", + "2001:db8:3f::3f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 64 + } + }, + { + "range": [ + "2001:db8:40::", + "2001:db8:40::40:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 65 + } + }, + { + "range": [ + "2001:db8:41::", + "2001:db8:41::41:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 66 + } + }, + { + "range": [ + "2001:db8:42::", + "2001:db8:42::42:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 67 + } + }, + { + "range": [ + "2001:db8:43::", + "2001:db8:43::43:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 68 + } + }, + { + "range": [ + "2001:db8:44::", + "2001:db8:44::44:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 69 + } + }, + { + "range": [ + "2001:db8:45::", + "2001:db8:45::45:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 70 + } + }, + { + "range": [ + "2001:db8:46::", + "2001:db8:46::46:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 71 + } + }, + { + "range": [ + "2001:db8:47::", + "2001:db8:47::47:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 72 + } + }, + { + "range": [ + "2001:db8:48::", + "2001:db8:48::48:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 73 + } + }, + { + "range": [ + "2001:db8:49::", + "2001:db8:49::49:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 74 + } + }, + { + "range": [ + "2001:db8:4a::", + "2001:db8:4a::4a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 75 + } + }, + { + "range": [ + "2001:db8:4b::", + "2001:db8:4b::4b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 76 + } + }, + { + "range": [ + "2001:db8:4c::", + "2001:db8:4c::4c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 77 + } + }, + { + "range": [ + "2001:db8:4d::", + "2001:db8:4d::4d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 78 + } + }, + { + "range": [ + "2001:db8:4e::", + "2001:db8:4e::4e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 79 + } + }, + { + "range": [ + "2001:db8:4f::", + "2001:db8:4f::4f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 80 + } + }, + { + "range": [ + "2001:db8:50::", + "2001:db8:50::50:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 81 + } + }, + { + "range": [ + "2001:db8:51::", + "2001:db8:51::51:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 82 + } + }, + { + "range": [ + "2001:db8:52::", + "2001:db8:52::52:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 83 + } + }, + { + "range": [ + "2001:db8:53::", + "2001:db8:53::53:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 84 + } + }, + { + "range": [ + "2001:db8:54::", + "2001:db8:54::54:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 85 + } + }, + { + "range": [ + "2001:db8:55::", + "2001:db8:55::55:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 86 + } + }, + { + "range": [ + "2001:db8:56::", + "2001:db8:56::56:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 87 + } + }, + { + "range": [ + "2001:db8:57::", + "2001:db8:57::57:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 88 + } + }, + { + "range": [ + "2001:db8:58::", + "2001:db8:58::58:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 89 + } + }, + { + "range": [ + "2001:db8:59::", + "2001:db8:59::59:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 90 + } + }, + { + "range": [ + "2001:db8:5a::", + "2001:db8:5a::5a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 91 + } + }, + { + "range": [ + "2001:db8:5b::", + "2001:db8:5b::5b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 92 + } + }, + { + "range": [ + "2001:db8:5c::", + "2001:db8:5c::5c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 93 + } + }, + { + "range": [ + "2001:db8:5d::", + "2001:db8:5d::5d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 94 + } + }, + { + "range": [ + "2001:db8:5e::", + "2001:db8:5e::5e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 95 + } + }, + { + "range": [ + "2001:db8:5f::", + "2001:db8:5f::5f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 96 + } + }, + { + "range": [ + "2001:db8:60::", + "2001:db8:60::60:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 97 + } + }, + { + "range": [ + "2001:db8:61::", + "2001:db8:61::61:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 98 + } + }, + { + "range": [ + "2001:db8:62::", + "2001:db8:62::62:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 99 + } + }, + { + "range": [ + "2001:db8:63::", + "2001:db8:63::63:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 100 + } + }, + { + "range": [ + "2001:db8:64::", + "2001:db8:64::64:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 101 + } + }, + { + "range": [ + "2001:db8:65::", + "2001:db8:65::65:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 102 + } + }, + { + "range": [ + "2001:db8:66::", + "2001:db8:66::66:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 103 + } + }, + { + "range": [ + "2001:db8:67::", + "2001:db8:67::67:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 104 + } + }, + { + "range": [ + "2001:db8:68::", + "2001:db8:68::68:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 105 + } + }, + { + "range": [ + "2001:db8:69::", + "2001:db8:69::69:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 106 + } + }, + { + "range": [ + "2001:db8:6a::", + "2001:db8:6a::6a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 107 + } + }, + { + "range": [ + "2001:db8:6b::", + "2001:db8:6b::6b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 108 + } + }, + { + "range": [ + "2001:db8:6c::", + "2001:db8:6c::6c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 109 + } + }, + { + "range": [ + "2001:db8:6d::", + "2001:db8:6d::6d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 110 + } + }, + { + "range": [ + "2001:db8:6e::", + "2001:db8:6e::6e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 111 + } + }, + { + "range": [ + "2001:db8:6f::", + "2001:db8:6f::6f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 112 + } + }, + { + "range": [ + "2001:db8:70::", + "2001:db8:70::70:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 113 + } + }, + { + "range": [ + "2001:db8:71::", + "2001:db8:71::71:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 114 + } + }, + { + "range": [ + "2001:db8:72::", + "2001:db8:72::72:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 115 + } + }, + { + "range": [ + "2001:db8:73::", + "2001:db8:73::73:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 116 + } + }, + { + "range": [ + "2001:db8:74::", + "2001:db8:74::74:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 117 + } + }, + { + "range": [ + "2001:db8:75::", + "2001:db8:75::75:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 118 + } + }, + { + "range": [ + "2001:db8:76::", + "2001:db8:76::76:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 119 + } + }, + { + "range": [ + "2001:db8:77::", + "2001:db8:77::77:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 120 + } + }, + { + "range": [ + "2001:db8:78::", + "2001:db8:78::78:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 121 + } + }, + { + "range": [ + "2001:db8:79::", + "2001:db8:79::79:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 122 + } + }, + { + "range": [ + "2001:db8:7a::", + "2001:db8:7a::7a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 123 + } + }, + { + "range": [ + "2001:db8:7b::", + "2001:db8:7b::7b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 124 + } + }, + { + "range": [ + "2001:db8:7c::", + "2001:db8:7c::7c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 125 + } + }, + { + "range": [ + "2001:db8:7d::", + "2001:db8:7d::7d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 126 + } + }, + { + "range": [ + "2001:db8:7e::", + "2001:db8:7e::7e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 127 + } + }, + { + "range": [ + "2001:db8:7f::", + "2001:db8:7f::7f:1" + ] + } + ] + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 24 + } + }, + { + "range": [ + "192.0.2.72", + "192.0.2.74" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 25 + } + }, + { + "range": [ + "192.0.2.75", + "192.0.2.77" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 26 + } + }, + { + "range": [ + "192.0.2.78", + "192.0.2.80" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 27 + } + }, + { + "range": [ + "192.0.2.81", + "192.0.2.83" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 28 + } + }, + { + "range": [ + "192.0.2.84", + "192.0.2.86" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 29 + } + }, + { + "range": [ + "192.0.2.87", + "192.0.2.89" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 30 + } + }, + { + "range": [ + "192.0.2.90", + "192.0.2.92" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 31 + } + }, + { + "range": [ + "192.0.2.93", + "192.0.2.95" + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft new file mode 100644 index 00000000..19d08d3d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft @@ -0,0 +1,116 @@ +table ip6 t { + set s { + type ipv6_addr . ipv6_addr + flags interval + elements = { 2001:db8::/32 . 2001:db8:20::-2001:db8:20::20:1, + 2001:db8::/33 . 2001:db8:21::-2001:db8:21::21:1, + 2001:db8::/34 . 2001:db8:22::-2001:db8:22::22:1, + 2001:db8::/35 . 2001:db8:23::-2001:db8:23::23:1, + 2001:db8::/36 . 2001:db8:24::-2001:db8:24::24:1, + 2001:db8::/37 . 2001:db8:25::-2001:db8:25::25:1, + 2001:db8::/38 . 2001:db8:26::-2001:db8:26::26:1, + 2001:db8::/39 . 2001:db8:27::-2001:db8:27::27:1, + 2001:db8::/40 . 2001:db8:28::-2001:db8:28::28:1, + 2001:db8::/41 . 2001:db8:29::-2001:db8:29::29:1, + 2001:db8::/42 . 2001:db8:2a::-2001:db8:2a::2a:1, + 2001:db8::/43 . 2001:db8:2b::-2001:db8:2b::2b:1, + 2001:db8::/44 . 2001:db8:2c::-2001:db8:2c::2c:1, + 2001:db8::/45 . 2001:db8:2d::-2001:db8:2d::2d:1, + 2001:db8::/46 . 2001:db8:2e::-2001:db8:2e::2e:1, + 2001:db8::/47 . 2001:db8:2f::-2001:db8:2f::2f:1, + 2001:db8::/48 . 2001:db8:30::-2001:db8:30::30:1, + 2001:db8::/49 . 2001:db8:31::-2001:db8:31::31:1, + 2001:db8::/50 . 2001:db8:32::-2001:db8:32::32:1, + 2001:db8::/51 . 2001:db8:33::-2001:db8:33::33:1, + 2001:db8::/52 . 2001:db8:34::-2001:db8:34::34:1, + 2001:db8::/53 . 2001:db8:35::-2001:db8:35::35:1, + 2001:db8::/54 . 2001:db8:36::-2001:db8:36::36:1, + 2001:db8::/55 . 2001:db8:37::-2001:db8:37::37:1, + 2001:db8::/56 . 2001:db8:38::-2001:db8:38::38:1, + 2001:db8::/57 . 2001:db8:39::-2001:db8:39::39:1, + 2001:db8::/58 . 2001:db8:3a::-2001:db8:3a::3a:1, + 2001:db8::/59 . 2001:db8:3b::-2001:db8:3b::3b:1, + 2001:db8::/60 . 2001:db8:3c::-2001:db8:3c::3c:1, + 2001:db8::/61 . 2001:db8:3d::-2001:db8:3d::3d:1, + 2001:db8::/62 . 2001:db8:3e::-2001:db8:3e::3e:1, + 2001:db8::/63 . 2001:db8:3f::-2001:db8:3f::3f:1, + 2001:db8::/64 . 2001:db8:40::-2001:db8:40::40:1, + 2001:db8::/65 . 2001:db8:41::-2001:db8:41::41:1, + 2001:db8::/66 . 2001:db8:42::-2001:db8:42::42:1, + 2001:db8::/67 . 2001:db8:43::-2001:db8:43::43:1, + 2001:db8::/68 . 2001:db8:44::-2001:db8:44::44:1, + 2001:db8::/69 . 2001:db8:45::-2001:db8:45::45:1, + 2001:db8::/70 . 2001:db8:46::-2001:db8:46::46:1, + 2001:db8::/71 . 2001:db8:47::-2001:db8:47::47:1, + 2001:db8::/72 . 2001:db8:48::-2001:db8:48::48:1, + 2001:db8::/73 . 2001:db8:49::-2001:db8:49::49:1, + 2001:db8::/74 . 2001:db8:4a::-2001:db8:4a::4a:1, + 2001:db8::/75 . 2001:db8:4b::-2001:db8:4b::4b:1, + 2001:db8::/76 . 2001:db8:4c::-2001:db8:4c::4c:1, + 2001:db8::/77 . 2001:db8:4d::-2001:db8:4d::4d:1, + 2001:db8::/78 . 2001:db8:4e::-2001:db8:4e::4e:1, + 2001:db8::/79 . 2001:db8:4f::-2001:db8:4f::4f:1, + 2001:db8::/80 . 2001:db8:50::-2001:db8:50::50:1, + 2001:db8::/81 . 2001:db8:51::-2001:db8:51::51:1, + 2001:db8::/82 . 2001:db8:52::-2001:db8:52::52:1, + 2001:db8::/83 . 2001:db8:53::-2001:db8:53::53:1, + 2001:db8::/84 . 2001:db8:54::-2001:db8:54::54:1, + 2001:db8::/85 . 2001:db8:55::-2001:db8:55::55:1, + 2001:db8::/86 . 2001:db8:56::-2001:db8:56::56:1, + 2001:db8::/87 . 2001:db8:57::-2001:db8:57::57:1, + 2001:db8::/88 . 2001:db8:58::-2001:db8:58::58:1, + 2001:db8::/89 . 2001:db8:59::-2001:db8:59::59:1, + 2001:db8::/90 . 2001:db8:5a::-2001:db8:5a::5a:1, + 2001:db8::/91 . 2001:db8:5b::-2001:db8:5b::5b:1, + 2001:db8::/92 . 2001:db8:5c::-2001:db8:5c::5c:1, + 2001:db8::/93 . 2001:db8:5d::-2001:db8:5d::5d:1, + 2001:db8::/94 . 2001:db8:5e::-2001:db8:5e::5e:1, + 2001:db8::/95 . 2001:db8:5f::-2001:db8:5f::5f:1, + 2001:db8::/96 . 2001:db8:60::-2001:db8:60::60:1, + 2001:db8::/97 . 2001:db8:61::-2001:db8:61::61:1, + 2001:db8::/98 . 2001:db8:62::-2001:db8:62::62:1, + 2001:db8::/99 . 2001:db8:63::-2001:db8:63::63:1, + 2001:db8::/100 . 2001:db8:64::-2001:db8:64::64:1, + 2001:db8::/101 . 2001:db8:65::-2001:db8:65::65:1, + 2001:db8::/102 . 2001:db8:66::-2001:db8:66::66:1, + 2001:db8::/103 . 2001:db8:67::-2001:db8:67::67:1, + 2001:db8::/104 . 2001:db8:68::-2001:db8:68::68:1, + 2001:db8::/105 . 2001:db8:69::-2001:db8:69::69:1, + 2001:db8::/106 . 2001:db8:6a::-2001:db8:6a::6a:1, + 2001:db8::/107 . 2001:db8:6b::-2001:db8:6b::6b:1, + 2001:db8::/108 . 2001:db8:6c::-2001:db8:6c::6c:1, + 2001:db8::/109 . 2001:db8:6d::-2001:db8:6d::6d:1, + 2001:db8::/110 . 2001:db8:6e::-2001:db8:6e::6e:1, + 2001:db8::/111 . 2001:db8:6f::-2001:db8:6f::6f:1, + 2001:db8::/112 . 2001:db8:70::-2001:db8:70::70:1, + 2001:db8::/113 . 2001:db8:71::-2001:db8:71::71:1, + 2001:db8::/114 . 2001:db8:72::-2001:db8:72::72:1, + 2001:db8::/115 . 2001:db8:73::-2001:db8:73::73:1, + 2001:db8::/116 . 2001:db8:74::-2001:db8:74::74:1, + 2001:db8::/117 . 2001:db8:75::-2001:db8:75::75:1, + 2001:db8::/118 . 2001:db8:76::-2001:db8:76::76:1, + 2001:db8::/119 . 2001:db8:77::-2001:db8:77::77:1, + 2001:db8::/120 . 2001:db8:78::-2001:db8:78::78:1, + 2001:db8::/121 . 2001:db8:79::-2001:db8:79::79:1, + 2001:db8::/122 . 2001:db8:7a::-2001:db8:7a::7a:1, + 2001:db8::/123 . 2001:db8:7b::-2001:db8:7b::7b:1, + 2001:db8::/124 . 2001:db8:7c::-2001:db8:7c::7c:1, + 2001:db8::/125 . 2001:db8:7d::-2001:db8:7d::7d:1, + 2001:db8::/126 . 2001:db8:7e::-2001:db8:7e::7e:1, + 2001:db8::/127 . 2001:db8:7f::-2001:db8:7f::7f:1 } + } +} +table ip t { + set s { + type ipv4_addr . ipv4_addr + flags interval + elements = { 192.0.2.0/24 . 192.0.2.72-192.0.2.74, + 192.0.2.0/25 . 192.0.2.75-192.0.2.77, + 192.0.2.0/26 . 192.0.2.78-192.0.2.80, + 192.0.2.0/27 . 192.0.2.81-192.0.2.83, + 192.0.2.0/28 . 192.0.2.84-192.0.2.86, + 192.0.2.0/29 . 192.0.2.87-192.0.2.89, + 192.0.2.0/30 . 192.0.2.90-192.0.2.92, + 192.0.2.0/31 . 192.0.2.93-192.0.2.95 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft new file mode 100644 index 00000000..f4aae383 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft @@ -0,0 +1,529 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + 25, + 30, + 82, + 119, + 349, + 745, + 748, + 1165, + 1233, + 1476, + 1550, + 1562, + 1743, + 1745, + 1882, + 2070, + 2194, + 2238, + 2450, + 2455, + 2642, + 2671, + 2906, + 3093, + 3203, + 3287, + 3348, + 3411, + 3540, + 3892, + 3943, + 4133, + 4205, + 4317, + 4733, + 5095, + 5156, + 5223, + 5230, + 5432, + 5826, + 5828, + 6044, + 6377, + 6388, + 6491, + 6952, + 6986, + 7012, + 7187, + 7300, + 7305, + 7549, + 7664, + 8111, + 8206, + 8396, + 8782, + 8920, + 8981, + 9067, + 9216, + 9245, + 9315, + 9432, + 9587, + 9689, + 9844, + 9991, + 10045, + 10252, + 10328, + 10670, + 10907, + 11021, + 11337, + 11427, + 11497, + 11502, + 11523, + 11552, + 11577, + 11721, + 11943, + 12474, + 12718, + 12764, + 12794, + 12922, + 13186, + 13232, + 13383, + 13431, + 13551, + 13676, + 13685, + 13747, + 13925, + 13935, + 14015, + 14090, + 14320, + 14392, + 14515, + 14647, + 14911, + 15096, + 15105, + 15154, + 15440, + 15583, + 15623, + 15677, + 15710, + 15926, + 15934, + 15960, + 16068, + 16166, + 16486, + 16489, + 16528, + 16646, + 16650, + 16770, + 16882, + 17052, + 17237, + 17387, + 17431, + 17886, + 17939, + 17999, + 18092, + 18123, + 18238, + 18562, + 18698, + 19004, + 19229, + 19237, + 19585, + 19879, + 19938, + 19950, + 19958, + 20031, + 20138, + 20157, + 20205, + 20368, + 20682, + 20687, + 20873, + 20910, + 20919, + 21019, + 21068, + 21115, + 21188, + 21236, + 21319, + 21563, + 21734, + 21806, + 21810, + 21959, + 21982, + 22078, + 22181, + 22308, + 22480, + 22643, + 22854, + 22879, + 22961, + 23397, + 23534, + 23845, + 23893, + 24130, + 24406, + 24794, + 24997, + 25019, + 25143, + 25179, + 25439, + 25603, + 25718, + 25859, + 25949, + 26006, + 26022, + 26047, + 26170, + 26193, + 26725, + 26747, + 26924, + 27023, + 27040, + 27233, + 27344, + 27478, + 27593, + 27600, + 27664, + 27678, + 27818, + 27822, + 28003, + 28038, + 28709, + 28808, + 29010, + 29057, + 29228, + 29485, + 30132, + 30160, + 30415, + 30469, + 30673, + 30736, + 30776, + 30780, + 31450, + 31537, + 31669, + 31839, + 31873, + 32019, + 32229, + 32685, + 32879, + 33318, + 33337, + 33404, + 33517, + 33906, + 34214, + 34346, + 34416, + 34727, + 34848, + 35325, + 35400, + 35451, + 35501, + 35637, + 35653, + 35710, + 35761, + 35767, + 36238, + 36258, + 36279, + 36464, + 36586, + 36603, + 36770, + 36774, + 36805, + 36851, + 37079, + 37189, + 37209, + 37565, + 37570, + 37585, + 37832, + 37931, + 37954, + 38006, + 38015, + 38045, + 38109, + 38114, + 38200, + 38209, + 38214, + 38277, + 38306, + 38402, + 38606, + 38697, + 38960, + 39004, + 39006, + 39197, + 39217, + 39265, + 39319, + 39460, + 39550, + 39615, + 39871, + 39886, + 40088, + 40135, + 40244, + 40323, + 40339, + 40355, + 40385, + 40428, + 40538, + 40791, + 40848, + 40959, + 41003, + 41131, + 41349, + 41643, + 41710, + 41826, + 41904, + 42027, + 42148, + 42235, + 42255, + 42498, + 42680, + 42973, + 43118, + 43135, + 43233, + 43349, + 43411, + 43487, + 43840, + 43843, + 43870, + 44040, + 44204, + 44817, + 44883, + 44894, + 44958, + 45201, + 45259, + 45283, + 45357, + 45423, + 45473, + 45498, + 45519, + 45561, + 45611, + 45627, + 45831, + 46043, + 46105, + 46116, + 46147, + 46169, + 46349, + 47147, + 47252, + 47314, + 47335, + 47360, + 47546, + 47617, + 47648, + 47772, + 47793, + 47846, + 47913, + 47952, + 48095, + 48325, + 48334, + 48412, + 48419, + 48540, + 48569, + 48628, + 48751, + 48944, + 48971, + 49008, + 49025, + 49503, + 49505, + 49613, + 49767, + 49839, + 49925, + 50022, + 50028, + 50238, + 51057, + 51477, + 51617, + 51910, + 52044, + 52482, + 52550, + 52643, + 52832, + 53382, + 53690, + 53809, + 53858, + 54001, + 54198, + 54280, + 54327, + 54376, + 54609, + 54776, + 54983, + 54984, + 55019, + 55038, + 55094, + 55368, + 55737, + 55793, + 55904, + 55941, + 55960, + 55978, + 56063, + 56121, + 56314, + 56505, + 56548, + 56568, + 56696, + 56798, + 56855, + 57102, + 57236, + 57333, + 57334, + 57441, + 57574, + 57659, + 57987, + 58325, + 58404, + 58509, + 58782, + 58876, + 59116, + 59544, + 59685, + 59700, + 59750, + 59799, + 59866, + 59870, + 59894, + 59984, + 60343, + 60481, + 60564, + 60731, + 61075, + 61087, + 61148, + 61174, + 61655, + 61679, + 61691, + 61723, + 61730, + 61758, + 61824, + 62035, + 62056, + 62661, + 62768, + 62946, + 63059, + 63116, + 63338, + 63387, + 63672, + 63719, + 63881, + 63995, + 64197, + 64374, + 64377, + 64472, + 64606, + 64662, + 64777, + 64795, + 64906, + 65049, + 65122, + 65318 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft new file mode 100644 index 00000000..5b249a3e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft @@ -0,0 +1,106 @@ +table ip t { + set s { + type inet_service + flags interval + elements = { 25, 30, 82, 119, 349, + 745, 748, 1165, 1233, 1476, + 1550, 1562, 1743, 1745, 1882, + 2070, 2194, 2238, 2450, 2455, + 2642, 2671, 2906, 3093, 3203, + 3287, 3348, 3411, 3540, 3892, + 3943, 4133, 4205, 4317, 4733, + 5095, 5156, 5223, 5230, 5432, + 5826, 5828, 6044, 6377, 6388, + 6491, 6952, 6986, 7012, 7187, + 7300, 7305, 7549, 7664, 8111, + 8206, 8396, 8782, 8920, 8981, + 9067, 9216, 9245, 9315, 9432, + 9587, 9689, 9844, 9991, 10045, + 10252, 10328, 10670, 10907, 11021, + 11337, 11427, 11497, 11502, 11523, + 11552, 11577, 11721, 11943, 12474, + 12718, 12764, 12794, 12922, 13186, + 13232, 13383, 13431, 13551, 13676, + 13685, 13747, 13925, 13935, 14015, + 14090, 14320, 14392, 14515, 14647, + 14911, 15096, 15105, 15154, 15440, + 15583, 15623, 15677, 15710, 15926, + 15934, 15960, 16068, 16166, 16486, + 16489, 16528, 16646, 16650, 16770, + 16882, 17052, 17237, 17387, 17431, + 17886, 17939, 17999, 18092, 18123, + 18238, 18562, 18698, 19004, 19229, + 19237, 19585, 19879, 19938, 19950, + 19958, 20031, 20138, 20157, 20205, + 20368, 20682, 20687, 20873, 20910, + 20919, 21019, 21068, 21115, 21188, + 21236, 21319, 21563, 21734, 21806, + 21810, 21959, 21982, 22078, 22181, + 22308, 22480, 22643, 22854, 22879, + 22961, 23397, 23534, 23845, 23893, + 24130, 24406, 24794, 24997, 25019, + 25143, 25179, 25439, 25603, 25718, + 25859, 25949, 26006, 26022, 26047, + 26170, 26193, 26725, 26747, 26924, + 27023, 27040, 27233, 27344, 27478, + 27593, 27600, 27664, 27678, 27818, + 27822, 28003, 28038, 28709, 28808, + 29010, 29057, 29228, 29485, 30132, + 30160, 30415, 30469, 30673, 30736, + 30776, 30780, 31450, 31537, 31669, + 31839, 31873, 32019, 32229, 32685, + 32879, 33318, 33337, 33404, 33517, + 33906, 34214, 34346, 34416, 34727, + 34848, 35325, 35400, 35451, 35501, + 35637, 35653, 35710, 35761, 35767, + 36238, 36258, 36279, 36464, 36586, + 36603, 36770, 36774, 36805, 36851, + 37079, 37189, 37209, 37565, 37570, + 37585, 37832, 37931, 37954, 38006, + 38015, 38045, 38109, 38114, 38200, + 38209, 38214, 38277, 38306, 38402, + 38606, 38697, 38960, 39004, 39006, + 39197, 39217, 39265, 39319, 39460, + 39550, 39615, 39871, 39886, 40088, + 40135, 40244, 40323, 40339, 40355, + 40385, 40428, 40538, 40791, 40848, + 40959, 41003, 41131, 41349, 41643, + 41710, 41826, 41904, 42027, 42148, + 42235, 42255, 42498, 42680, 42973, + 43118, 43135, 43233, 43349, 43411, + 43487, 43840, 43843, 43870, 44040, + 44204, 44817, 44883, 44894, 44958, + 45201, 45259, 45283, 45357, 45423, + 45473, 45498, 45519, 45561, 45611, + 45627, 45831, 46043, 46105, 46116, + 46147, 46169, 46349, 47147, 47252, + 47314, 47335, 47360, 47546, 47617, + 47648, 47772, 47793, 47846, 47913, + 47952, 48095, 48325, 48334, 48412, + 48419, 48540, 48569, 48628, 48751, + 48944, 48971, 49008, 49025, 49503, + 49505, 49613, 49767, 49839, 49925, + 50022, 50028, 50238, 51057, 51477, + 51617, 51910, 52044, 52482, 52550, + 52643, 52832, 53382, 53690, 53809, + 53858, 54001, 54198, 54280, 54327, + 54376, 54609, 54776, 54983, 54984, + 55019, 55038, 55094, 55368, 55737, + 55793, 55904, 55941, 55960, 55978, + 56063, 56121, 56314, 56505, 56548, + 56568, 56696, 56798, 56855, 57102, + 57236, 57333, 57334, 57441, 57574, + 57659, 57987, 58325, 58404, 58509, + 58782, 58876, 59116, 59544, 59685, + 59700, 59750, 59799, 59866, 59870, + 59894, 59984, 60343, 60481, 60564, + 60731, 61075, 61087, 61148, 61174, + 61655, 61679, 61691, 61723, 61730, + 61758, 61824, 62035, 62056, 62661, + 62768, 62946, 63059, 63116, 63338, + 63387, 63672, 63719, 63881, 63995, + 64197, 64374, 64377, 64472, 64606, + 64662, 64777, 64795, 64906, 65049, + 65122, 65318 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft new file mode 100644 index 00000000..8473c333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft @@ -0,0 +1,95 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65536, + "flags": [ + "timeout", + "dynamic" + ], + "elem": [ + { + "concat": [ + "192.168.7.1", + 22 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 21 + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 22 + ] + }, + "timeout": 60 + } + }, + "set": "@s" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft new file mode 100644 index 00000000..e548a17a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft @@ -0,0 +1,12 @@ +table inet t { + set s { + type ipv4_addr . inet_service + size 65536 + flags dynamic,timeout + elements = { 192.168.7.1 . 22 } + } + + chain c { + tcp dport 21 add @s { ip saddr . 22 timeout 1m } + } +} diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft new file mode 100644 index 00000000..55f1a2ad --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft @@ -0,0 +1,167 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ], + [ + { + "prefix": { + "addr": "10.141.12.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.3.0", + "len": 24 + } + } + ], + [ + { + "prefix": { + "addr": "10.141.13.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.4.0", + "len": 24 + } + } + ] + ] + } + } + }, + "flags": "netmap", + "type_flags": "prefix" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "2001:db8:1111::", + "len": 64 + } + }, + { + "prefix": { + "addr": "2001:db8:2222::", + "len": 64 + } + } + ] + ] + } + } + }, + "flags": "netmap", + "type_flags": "prefix" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.nft b/tests/shell/testcases/sets/dumps/0046netmap_0.nft index e14c3395..5ac6b346 100644 --- a/tests/shell/testcases/sets/dumps/0046netmap_0.nft +++ b/tests/shell/testcases/sets/dumps/0046netmap_0.nft @@ -4,3 +4,9 @@ table ip x { snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.0/24 : 192.168.3.0/24, 10.141.13.0/24 : 192.168.4.0/24 } } } +table ip6 x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft index 70730ef3..9fa9fc74 100644 --- a/tests/shell/testcases/sets/dumps/0047nat_0.nft +++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft @@ -6,8 +6,25 @@ table ip x { 10.141.12.0/24 : 192.168.5.10-192.168.5.20 } } + chain x { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip to ip saddr map @y + } +} +table inet x { + chain x { + type nat hook prerouting priority dstnat; policy accept; + dnat ip to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 } + } + chain y { type nat hook postrouting priority srcnat; policy accept; - snat ip interval to ip saddr map @y + snat ip to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31 } } } diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft new file mode 100644 index 00000000..62a6a177 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft @@ -0,0 +1,95 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "192.168.10.35", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "192.168.10.101", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "192.168.10.135", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft new file mode 100644 index 00000000..f8495bab --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft @@ -0,0 +1,94 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "set": { + "family": "inet", + "name": "ip-block-4-test", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 80, + 443 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft index 998b387a..d654420c 100644 --- a/tests/shell/testcases/sets/dumps/0049set_define_0.nft +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft @@ -1,4 +1,11 @@ table inet filter { + set ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = { 1.1.1.1 } + } + chain input { type filter hook input priority filter; policy drop; tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.nft b/tests/shell/testcases/sets/dumps/0050set_define_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0050set_define_1.nft diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft new file mode 100644 index 00000000..b468b5f9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft @@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@s" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft new file mode 100644 index 00000000..96d5fbcc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "w_all", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + "10.10.10.10", + "10.10.10.253" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.json-nft b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft new file mode 100644 index 00000000..12a5c4b4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft @@ -0,0 +1,101 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "192.168.100.62" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 2001 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft index 6a816636..bb7c5513 100644 --- a/tests/shell/testcases/sets/dumps/0053echo_0.nft +++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft @@ -1,6 +1,6 @@ table inet filter { chain input { type filter hook input priority filter; policy drop; - iifname { "lo" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter packets 0 bytes 0 accept + iifname "lo" ip saddr 10.0.0.0/8 ip daddr 192.168.100.62 tcp dport 2001 counter packets 0 bytes 0 accept } } diff --git a/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft new file mode 100644 index 00000000..3fd6d37e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft @@ -0,0 +1,45 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "comment": "test", + "flags": [ + "interval" + ] + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "comment": "another test", + "map": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft new file mode 100644 index 00000000..e37139f3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft @@ -0,0 +1,138 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "tcp_good_flags", + "table": "test", + "type": "tcp_flag", + "handle": 0, + "flags": [ + "constant" + ], + "elem": [ + { + "|": [ + "fin", + "ack" + ] + }, + { + "|": [ + "fin", + "ack", + "urg" + ] + }, + { + "|": [ + "fin", + "psh", + "ack" + ] + }, + { + "|": [ + "fin", + "psh", + "ack", + "urg" + ] + }, + "syn", + { + "|": [ + "syn", + "ack" + ] + }, + { + "|": [ + "syn", + "ack", + "urg" + ] + }, + { + "|": [ + "syn", + "psh", + "ack" + ] + }, + { + "|": [ + "syn", + "psh", + "ack", + "urg" + ] + }, + "rst", + { + "|": [ + "rst", + "ack" + ] + }, + { + "|": [ + "rst", + "ack", + "urg" + ] + }, + { + "|": [ + "rst", + "psh", + "ack" + ] + }, + { + "|": [ + "rst", + "psh", + "ack", + "urg" + ] + }, + { + "|": [ + "psh", + "ack" + ] + }, + { + "|": [ + "psh", + "ack", + "urg" + ] + }, + "ack", + { + "|": [ + "ack", + "urg" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft index ffed5426..22bf5c46 100644 --- a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft @@ -2,9 +2,9 @@ table ip test { set tcp_good_flags { type tcp_flag flags constant - elements = { fin | psh | ack | urg, fin | psh | ack, fin | ack | urg, fin | ack, syn | psh | ack | urg, - syn | psh | ack, syn | ack | urg, syn | ack, syn, rst | psh | ack | urg, - rst | psh | ack, rst | ack | urg, rst | ack, rst, psh | ack | urg, - psh | ack, ack | urg, ack } + elements = { fin | ack, fin | ack | urg, fin | psh | ack, fin | psh | ack | urg, syn, + syn | ack, syn | ack | urg, syn | psh | ack, syn | psh | ack | urg, rst, + rst | ack, rst | ack | urg, rst | psh | ack, rst | psh | ack | urg, psh | ack, + psh | ack | urg, ack, ack | urg } } } diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft new file mode 100644 index 00000000..79d7257e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "test", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft new file mode 100644 index 00000000..de43d565 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft @@ -0,0 +1,7 @@ +table inet filter { + set test { + type ipv4_addr + size 65535 + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft new file mode 100644 index 00000000..ac8d8bef --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft @@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "ssh_meter", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 2592000 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 2592000 + } + }, + "set": "@ssh_meter" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft new file mode 100644 index 00000000..873adc63 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft @@ -0,0 +1,12 @@ +table inet filter { + set ssh_meter { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 30d + } + + chain test { + add @ssh_meter { ip saddr timeout 30d } + } +} diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft new file mode 100644 index 00000000..16ecdb2a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft @@ -0,0 +1,79 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 3600 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@y", + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + }, + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft new file mode 100644 index 00000000..c1cc3b51 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft @@ -0,0 +1,13 @@ +table ip x { + set y { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 1h + } + + chain z { + type filter hook output priority filter; policy accept; + update @y { ip daddr limit rate 1/second burst 5 packets counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft new file mode 100644 index 00000000..1aede147 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft @@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "4.4.4.4", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "5.5.5.5", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + } + ], + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + }, + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft new file mode 100644 index 00000000..df68fcdf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft @@ -0,0 +1,13 @@ +table ip x { + set y { + type ipv4_addr + limit rate 1/second burst 5 packets counter + elements = { 1.1.1.1 limit rate 1/second burst 5 packets counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second burst 5 packets counter packets 0 bytes 0, + 5.5.5.5 limit rate 1/second burst 5 packets counter packets 0 bytes 0 } + } + + chain y { + type filter hook output priority filter; policy accept; + ip daddr @y + } +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft new file mode 100644 index 00000000..6098dc56 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft @@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "1.2.3.4", + "counter": { + "packets": 9, + "bytes": 756 + } + } + }, + { + "elem": { + "val": "2.2.2.2", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + }, + { + "quota": { + "val": 500, + "val_unit": "bytes" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft new file mode 100644 index 00000000..ac1bd26b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft @@ -0,0 +1,15 @@ +table ip x { + set y { + type ipv4_addr + size 65535 + flags dynamic + counter quota 500 bytes + elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes, + 2.2.2.2 counter packets 0 bytes 0 quota 1000 bytes } + } + + chain y { + type filter hook output priority filter; policy accept; + update @y { ip daddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft new file mode 100644 index 00000000..c5591505 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "range": [ + "1.1.1.1", + "1.1.1.2" + ] + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft new file mode 100644 index 00000000..04361f4c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip saddr { 1.1.1.1-1.1.1.2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft new file mode 100644 index 00000000..c5e60e36 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "est-connlimit", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "new-connlimit", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "stmt": [ + { + "ct count": { + "val": 20, + "inv": true + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft new file mode 100644 index 00000000..13bbb953 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft @@ -0,0 +1,14 @@ +table ip x { + set est-connlimit { + type ipv4_addr + size 65535 + flags dynamic + } + + set new-connlimit { + type ipv4_addr + size 65535 + flags dynamic + ct count over 20 + } +} diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft new file mode 100644 index 00000000..3006f75a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft @@ -0,0 +1,94 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft new file mode 100644 index 00000000..f0d42cc2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft @@ -0,0 +1,14 @@ +table ip x { + set y { + type ipv4_addr + counter + elements = { 1.1.1.1 counter packets 0 bytes 0, * counter packets 0 bytes 0 } + } + + set z { + type ipv4_addr + flags interval + counter + elements = { 1.1.1.0/24 counter packets 0 bytes 0, * counter packets 0 bytes 0 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft new file mode 100644 index 00000000..64dd2667 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft @@ -0,0 +1,220 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "10.141.0.1", + "192.168.0.2" + ], + [ + "*", + "192.168.0.4" + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + "192.168.0.2" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@z" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + "192.168.0.2" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + } + ] + }, + "192.168.0.2" + ], + [ + { + "concat": [ + { + "prefix": { + "addr": "192.168.9.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.10.0", + "len": 24 + } + } + ] + }, + "192.168.0.4" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft new file mode 100644 index 00000000..890ed2aa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft @@ -0,0 +1,18 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.4 } + } + + map z { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 } + } + + chain y { + snat to ip saddr map @z + snat to ip saddr map { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 } + snat to ip saddr . ip daddr map { 10.141.0.0/24 . 10.0.0.0/8 : 192.168.0.2, 192.168.9.0/24 . 192.168.10.0/24 : 192.168.0.4, * : 192.168.0.3 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft new file mode 100644 index 00000000..f470adf3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft @@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "foo", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "id" + } + }, + "right": 42 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft new file mode 100644 index 00000000..461c7a73 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft @@ -0,0 +1,6 @@ +table ip x { + chain foo { + accept + icmp type { echo-reply, echo-request } icmp id 42 + } +} diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft new file mode 100644 index 00000000..9ac3774a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft @@ -0,0 +1,35 @@ +table ip nat { + map ipportmap2 { + type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.0/8 . 42-43 } + } + + map fwdtoip_th { + type ipv4_addr . inet_service : interval ipv4_addr . inet_service + flags interval + elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 } + } + + map ipportmap4 { + typeof iifname . ip saddr : interval ip daddr + flags interval + elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, + "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + + map ipportmap5 { + typeof iifname . ip saddr : interval ip daddr . tcp dport + flags interval + elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, + "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2 + meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th + dnat ip to iifname . ip saddr map @ipportmap4 + meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5 + } +} diff --git a/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft new file mode 100644 index 00000000..b6d07fcd --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft @@ -0,0 +1,12 @@ +table ip nat { + map ipportmap { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr map @ipportmap + } +} diff --git a/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft new file mode 100644 index 00000000..d7b32f8c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + { + "range": [ + "1.2.3.0", + "1.2.4.255" + ] + }, + { + "range": [ + "3.3.3.3", + "3.3.3.6" + ] + }, + { + "range": [ + "4.4.4.0", + "4.4.5.0" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft new file mode 100644 index 00000000..2d4e1706 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft @@ -0,0 +1,9 @@ +table ip x { + set y { + type ipv4_addr + flags interval + auto-merge + elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, + 4.4.4.0-4.4.5.0 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft new file mode 100644 index 00000000..0057e9c6 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft @@ -0,0 +1,28 @@ +table netdev nt { + set vlanidset { + typeof vlan id + size 1024 + flags dynamic,timeout + } + + set macset { + typeof ether saddr . vlan id + size 1024 + flags dynamic,timeout + } + + set ipset { + typeof vlan id . ip saddr + size 1024 + flags dynamic,timeout + } + + chain nc { + update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 + ether saddr . vlan id @macset + vlan pcp 1 + ether saddr 0a:0b:0c:0d:0e:0f vlan id 42 + update @vlanidset { vlan id timeout 5s } counter packets 0 bytes 0 + update @ipset { vlan id . ip saddr timeout 5s } counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft new file mode 100644 index 00000000..6b579a2e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft @@ -0,0 +1,128 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + }, + { + "prefix": { + "addr": "192.0.0.0", + "len": 2 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s2", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe80::", + "len": 10 + } + }, + { + "prefix": { + "addr": "ff00::", + "len": 8 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@s2" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft new file mode 100644 index 00000000..4eed94c2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft @@ -0,0 +1,19 @@ +table inet t { + set s1 { + type ipv4_addr + flags interval + elements = { 10.0.0.0/8, 192.0.0.0/2 } + } + + set s2 { + type ipv6_addr + flags interval + elements = { fe80::/10, + ff00::/8 } + } + + chain c { + ip saddr @s1 accept + ip6 daddr @s2 accept + } +} diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.nft b/tests/shell/testcases/sets/dumps/0072destroy_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0072destroy_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft new file mode 100644 index 00000000..e2fb6214 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "TEST", + "table": "filter", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "inet", + "name": "testmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + "TEST" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft new file mode 100644 index 00000000..e2fb6214 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "TEST", + "table": "filter", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "inet", + "name": "testmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + "TEST" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/automerge_0.nodump b/tests/shell/testcases/sets/dumps/automerge_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/automerge_0.nodump diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft new file mode 100644 index 00000000..c8ff4347 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "a", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "x", + "table": "a", + "type": "inet_service", + "handle": 0, + "elem": [ + 1, + 2, + 3, + 4, + 5 + ] + } + }, + { + "table": { + "family": "ip6", + "name": "a", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "x", + "table": "a", + "type": "inet_service", + "handle": 0, + "elem": [ + 2 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft new file mode 100644 index 00000000..775f0ab1 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft @@ -0,0 +1,12 @@ +table ip a { + set x { + type inet_service + elements = { 1, 2, 3, 4, 5 } + } +} +table ip6 a { + set x { + type inet_service + elements = { 2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft new file mode 100644 index 00000000..d65065e4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft @@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "flags": [ + "interval" + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": [ + "ipv4_addr", + "mark" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.10.10.10", + 256 + ] + }, + { + "concat": [ + "20.20.20.20", + 512 + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.nft b/tests/shell/testcases/sets/dumps/concat_interval_0.nft new file mode 100644 index 00000000..61547c5e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_interval_0.nft @@ -0,0 +1,14 @@ +table ip t { + set s { + type ipv4_addr . inet_proto . inet_service + flags interval + counter + } + + set s2 { + type ipv4_addr . mark + flags interval + elements = { 10.10.10.10 . 0x00000100, + 20.20.20.20 . 0x00000200 } + } +} diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft new file mode 100644 index 00000000..ad8a7cc0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft @@ -0,0 +1,83 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "dlist", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "output", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 1234 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@dlist" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.nft b/tests/shell/testcases/sets/dumps/dynset_missing.nft new file mode 100644 index 00000000..6c8ed323 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/dynset_missing.nft @@ -0,0 +1,12 @@ +table ip test { + set dlist { + type ipv4_addr + size 65535 + flags dynamic + } + + chain output { + type filter hook output priority filter; policy accept; + udp dport 1234 update @dlist { ip daddr } counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/elem_limit_0.nft b/tests/shell/testcases/sets/dumps/elem_limit_0.nft new file mode 100644 index 00000000..ca5b2b54 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/elem_limit_0.nft @@ -0,0 +1,7 @@ +table netdev filter { + set test123 { + typeof ip saddr + limit rate over 1 mbytes/second + elements = { 1.2.3.4 limit rate over 1 mbytes/second } + } +} diff --git a/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump diff --git a/tests/shell/testcases/sets/dumps/errors_0.json-nft b/tests/shell/testcases/sets/dumps/errors_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/errors_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/errors_0.nft b/tests/shell/testcases/sets/dumps/errors_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/errors_0.nft diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft new file mode 100644 index 00000000..958d1e5c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft @@ -0,0 +1,110 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "1.0.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.0.2.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.0.8.0", + "len": 21 + } + }, + { + "prefix": { + "addr": "1.0.32.0", + "len": 19 + } + }, + { + "prefix": { + "addr": "1.1.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.2.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.1.4.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "1.1.8.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.9.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.10.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.1.12.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "1.1.16.0", + "len": 20 + } + }, + { + "prefix": { + "addr": "1.1.32.0", + "len": 19 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft new file mode 100644 index 00000000..c903e3fc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft @@ -0,0 +1,13 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 1.0.1.0/24, 1.0.2.0/23, + 1.0.8.0/21, 1.0.32.0/19, + 1.1.0.0/24, 1.1.2.0/23, + 1.1.4.0/22, 1.1.8.0/24, + 1.1.9.0/24, 1.1.10.0/23, + 1.1.12.0/22, 1.1.16.0/20, + 1.1.32.0/19 } + } +} diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft new file mode 100644 index 00000000..8d84e1cc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft @@ -0,0 +1,207 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "netdev", + "name": "x", + "table": "x", + "type": [ + "ipv4_addr", + "ipv4_addr" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "3.3.3.3", + "4.4.4.4" + ] + } + ] + } + }, + { + "set": { + "family": "netdev", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": "@x" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/inner_0.nft b/tests/shell/testcases/sets/dumps/inner_0.nft new file mode 100644 index 00000000..925ca777 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/inner_0.nft @@ -0,0 +1,18 @@ +table netdev x { + set x { + typeof vxlan ip saddr . vxlan ip daddr + elements = { 3.3.3.3 . 4.4.4.4 } + } + + set y { + typeof vxlan ip saddr + size 65535 + flags dynamic + } + + chain y { + udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter packets 0 bytes 0 + udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter packets 0 bytes 0 + udp dport 4789 update @y { vxlan ip saddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/meter_0.json-nft b/tests/shell/testcases/sets/dumps/meter_0.json-nft new file mode 100644 index 00000000..c318e4f2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_0.json-nft @@ -0,0 +1,203 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "acct_out", + "table": "test", + "type": [ + "iface_index", + "ipv6_addr" + ], + "handle": 0, + "size": 4096, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "ip6", + "name": "acct_out2", + "table": "test", + "type": [ + "ipv6_addr", + "iface_index" + ], + "handle": 0, + "size": 12345, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "meta": { + "key": "iif" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + ] + }, + "timeout": 600 + } + }, + "set": "@acct_out", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "timeout": 600 + } + }, + "set": "@acct_out2", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "xyz", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "size": 8192, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 30 + } + }, + "set": "@xyz", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/meter_0.nft b/tests/shell/testcases/sets/dumps/meter_0.nft new file mode 100644 index 00000000..3843f9a9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_0.nft @@ -0,0 +1,29 @@ +table ip6 test { + set acct_out { + type iface_index . ipv6_addr + size 4096 + flags dynamic,timeout + } + + set acct_out2 { + type ipv6_addr . iface_index + size 12345 + flags dynamic,timeout + } + + chain test { + update @acct_out { iif . ip6 saddr timeout 10m counter } + update @acct_out2 { ip6 saddr . iif timeout 10m counter } + } +} +table ip test { + set xyz { + type ipv4_addr + size 8192 + flags dynamic,timeout + } + + chain test { + update @xyz { ip saddr timeout 30s counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/reset_command_0.nodump b/tests/shell/testcases/sets/dumps/reset_command_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/reset_command_0.nodump diff --git a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft new file mode 100644 index 00000000..aa908297 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft @@ -0,0 +1,43 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "base", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "timeout" + ], + "timeout": 60 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft new file mode 100644 index 00000000..1edd2ec7 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft @@ -0,0 +1,10 @@ +table ip t { + set s { + typeof ip saddr + timeout 1m + } + + chain base { + type filter hook input priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft new file mode 100644 index 00000000..6f692381 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft @@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "prerouting", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "set_with_interval", + "table": "nat", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "tcp", + "udp" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 443 + } + }, + { + "dnat": { + "addr": "10.0.0.1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.nft b/tests/shell/testcases/sets/dumps/set_eval_0.nft new file mode 100644 index 00000000..a45462b8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_eval_0.nft @@ -0,0 +1,11 @@ +table ip nat { + set set_with_interval { + type ipv4_addr + flags interval + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 + } +} diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft new file mode 100644 index 00000000..ac428429 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft @@ -0,0 +1,551 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "testifsets", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmp", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmpc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "do_nothing", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "simple", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "elem": [ + "abcdef0", + "abcdef1", + "othername" + ] + } + }, + { + "set": { + "family": "inet", + "name": "simple_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "abcdef*", + "othername", + "ppp0" + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + }, + { + "concat": [ + "10.1.2.2", + "abcdef1" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat_wild", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + }, + { + "concat": [ + "10.1.2.1", + "bar" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "1.1.2.0", + "len": 24 + } + }, + "abcdef0" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "12.2.2.0", + "len": 24 + } + }, + "abcdef*" + ] + } + ] + } + }, + { + "map": { + "family": "inet", + "name": "map_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "map": "verdict", + "flags": [ + "interval" + ], + "elem": [ + [ + "abcdef*", + { + "jump": { + "target": "do_nothing" + } + } + ], + [ + "eth0", + { + "jump": { + "target": "do_nothing" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "eth0", + "abcdef0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "abcdef*", + "eth0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": "@map_wild" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "jump": { + "target": "v4icmp" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "goto": { + "target": "v4icmpc" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft new file mode 100644 index 00000000..77a8baf5 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft @@ -0,0 +1,62 @@ +table inet testifsets { + set simple { + type ifname + elements = { "abcdef0", + "abcdef1", + "othername" } + } + + set simple_wild { + type ifname + flags interval + elements = { "abcdef*", + "othername", + "ppp0" } + } + + set concat { + type ipv4_addr . ifname + elements = { 10.1.2.2 . "abcdef0", + 10.1.2.2 . "abcdef1" } + } + + set concat_wild { + type ipv4_addr . ifname + flags interval + elements = { 10.1.2.2 . "abcdef*", + 10.1.2.1 . "bar", + 1.1.2.0/24 . "abcdef0", + 12.2.2.0/24 . "abcdef*" } + } + + map map_wild { + type ifname : verdict + flags interval + elements = { "abcdef*" : jump do_nothing, + "eth0" : jump do_nothing } + } + + chain v4icmp { + iifname @simple counter packets 0 bytes 0 + iifname @simple_wild counter packets 0 bytes 0 + iifname { "eth0", "abcdef0" } counter packets 0 bytes 0 + iifname { "abcdef*", "eth0" } counter packets 0 bytes 0 + iifname vmap @map_wild + } + + chain v4icmpc { + ip saddr . iifname @concat counter packets 0 bytes 0 + ip saddr . iifname @concat_wild counter packets 0 bytes 0 + ip saddr . iifname { 10.1.2.2 . "abcdef0" } counter packets 0 bytes 0 + ip saddr . iifname { 10.1.2.2 . "abcdef*" } counter packets 0 bytes 0 + } + + chain input { + type filter hook input priority filter; policy accept; + ip protocol icmp jump v4icmp + ip protocol icmp goto v4icmpc + } + + chain do_nothing { + } +} diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft new file mode 100644 index 00000000..e22213ea --- /dev/null +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft @@ -0,0 +1,114 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 10800 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "10.180.0.4", + 80 + ] + }, + "set": "@s1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "1.2.3.4", + 80 + ] + }, + "right": "@s1" + } + }, + { + "goto": { + "target": "c1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.nft b/tests/shell/testcases/sets/dumps/type_set_symbol.nft new file mode 100644 index 00000000..21209f6d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.nft @@ -0,0 +1,16 @@ +table ip t { + set s1 { + type ipv4_addr . ipv4_addr . inet_service + size 65535 + flags dynamic,timeout + timeout 3h + } + + chain c1 { + update @s1 { ip saddr . 10.180.0.4 . 80 } + } + + chain c2 { + ip saddr . 1.2.3.4 . 80 @s1 goto c1 + } +} diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft new file mode 100644 index 00000000..4d6abaaa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft @@ -0,0 +1,12 @@ +table inet t { + set y { + typeof ip daddr . @ih,32,32 + elements = { 1.1.1.1 . 0x14, + 2.2.2.2 . 0x20 } + } + + chain y { + ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } + ip daddr . @nh,32,32 @y + } +} diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft index 565369fb..63fc5b14 100644 --- a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft +++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft @@ -14,6 +14,52 @@ table inet t { elements = { 2, 3, 103 } } + set s4 { + typeof frag frag-off + elements = { 1, 1024 } + } + + set s5 { + typeof ip option ra value + elements = { 1, 1024 } + } + + set s6 { + typeof tcp option maxseg size + elements = { 1, 1024 } + } + + set s7 { + typeof sctp chunk init num-inbound-streams + elements = { 1, 4 } + } + + set s8 { + typeof ip version + elements = { 4, 6 } + } + + set s9 { + typeof ip hdrlength + elements = { 0, 1, 2, 3, 4, + 15 } + } + + set s10 { + typeof iifname . ip saddr . ipsec in reqid + elements = { "eth0" . 10.1.1.2 . 42 } + } + + set s11 { + typeof vlan id . ip saddr + elements = { 3567 . 1.2.3.4 } + } + + set s12 { + typeof iifname . ip saddr . meta ipsec + elements = { "eth0" . 10.1.1.2 . exists } + } + chain c1 { osf name @s1 accept } @@ -21,4 +67,40 @@ table inet t { chain c2 { vlan id @s2 accept } + + chain c4 { + frag frag-off @s4 accept + } + + chain c5 { + ip option ra value @s5 accept + } + + chain c6 { + tcp option maxseg size @s6 accept + } + + chain c7 { + sctp chunk init num-inbound-streams @s7 accept + } + + chain c8 { + ip version @s8 accept + } + + chain c9 { + ip hdrlength @s9 accept + } + + chain c10 { + iifname . ip saddr . ipsec in reqid @s10 accept + } + + chain c11 { + vlan id . ip saddr @s11 accept + } + + chain c12 { + iifname . ip saddr . meta ipsec @s12 accept + } } diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft new file mode 100644 index 00000000..89cbc835 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft @@ -0,0 +1,15 @@ +table bridge t { + set nodhcpvlan { + typeof vlan id + elements = { 1 } + } + + chain c1 { + vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2 + vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2 + vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2 + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft new file mode 100644 index 00000000..348b5848 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft @@ -0,0 +1,23 @@ +table netdev t { + set s { + typeof ether saddr . vlan id + size 2048 + flags dynamic,timeout + } + + chain c { + ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return + ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return + } +} +table ip t { + set s { + typeof ipsec in reqid . iif + size 16 + flags interval + } + + chain c2 { + ipsec in reqid . "lo" @s + } +} |