summaryrefslogtreecommitdiffstats
path: root/tests/shell/testcases
diff options
context:
space:
mode:
Diffstat (limited to 'tests/shell/testcases')
-rwxr-xr-xtests/shell/testcases/chains/netdev_chain_dormant_autoremove9
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft2
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft2
-rwxr-xr-xtests/shell/testcases/maps/typeof_maps_add_delete4
-rwxr-xr-xtests/shell/testcases/owner/0002-persist36
-rw-r--r--tests/shell/testcases/packetpath/dumps/policy.json-nft121
-rw-r--r--tests/shell/testcases/packetpath/dumps/policy.nft11
-rwxr-xr-xtests/shell/testcases/packetpath/policy42
8 files changed, 223 insertions, 4 deletions
diff --git a/tests/shell/testcases/chains/netdev_chain_dormant_autoremove b/tests/shell/testcases/chains/netdev_chain_dormant_autoremove
new file mode 100755
index 00000000..0a684e56
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_dormant_autoremove
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+ip link add dummy0 type dummy
+ip link add dummy1 type dummy
+$NFT add table netdev test { flags dormant\; }
+$NFT add chain netdev test ingress { type filter hook ingress devices = { "dummy0", "dummy1" } priority 0\; policy drop\; }
+ip link del dummy0
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft
index 8130c46c..b3204a28 100644
--- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft
@@ -231,7 +231,7 @@
"elem": {
"elem": {
"val": "10.2.3.4",
- "timeout": 1
+ "timeout": 2
}
},
"data": 2,
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft
index 9134673c..e80366b8 100644
--- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft
@@ -16,7 +16,7 @@ table ip dynset {
chain input {
type filter hook input priority filter; policy accept;
- add @dynmark { 10.2.3.4 timeout 1s : 0x00000002 } comment "also check timeout-gc"
+ add @dynmark { 10.2.3.4 timeout 2s : 0x00000002 } comment "also check timeout-gc"
meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
}
}
diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete
index d2ac9f1c..2d718c5f 100755
--- a/tests/shell/testcases/maps/typeof_maps_add_delete
+++ b/tests/shell/testcases/maps/typeof_maps_add_delete
@@ -30,7 +30,7 @@ EXPECTED="table ip dynset {
chain input {
type filter hook input priority 0; policy accept;
- add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
+ add @dynmark { 10.2.3.4 timeout 2s : 0x2 } comment \"also check timeout-gc\"
meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
}
}"
@@ -45,7 +45,7 @@ ping -c 1 127.0.0.42
$NFT get element ip dynset dynmark { 10.2.3.4 }
# wait so that 10.2.3.4 times out.
-sleep 2
+sleep 3
set +e
$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
diff --git a/tests/shell/testcases/owner/0002-persist b/tests/shell/testcases/owner/0002-persist
new file mode 100755
index 00000000..cf4b8f13
--- /dev/null
+++ b/tests/shell/testcases/owner/0002-persist
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist)
+
+die() {
+ echo "$@"
+ exit 1
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "table add failed"
+}
+
+$NFT list ruleset | grep -q 'table ip t' || {
+ die "table does not persist"
+}
+$NFT list ruleset | grep -q 'flags persist$' || {
+ die "unexpected flags in orphaned table"
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "retake ownership failed"
+}
+
+exit 0
diff --git a/tests/shell/testcases/packetpath/dumps/policy.json-nft b/tests/shell/testcases/packetpath/dumps/policy.json-nft
new file mode 100644
index 00000000..26e8a052
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/policy.json-nft
@@ -0,0 +1,121 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "underflow",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "icmp",
+ "field": "type"
+ }
+ },
+ "right": "echo-reply"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "127.0.0.1"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "127.0.0.2"
+ }
+ },
+ {
+ "counter": {
+ "packets": 3,
+ "bytes": 252
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "goto": {
+ "target": "underflow"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/packetpath/dumps/policy.nft b/tests/shell/testcases/packetpath/dumps/policy.nft
new file mode 100644
index 00000000..e625ea6c
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/policy.nft
@@ -0,0 +1,11 @@
+table inet filter {
+ chain underflow {
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ icmp type echo-reply accept
+ ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter packets 3 bytes 252 accept
+ goto underflow
+ }
+}
diff --git a/tests/shell/testcases/packetpath/policy b/tests/shell/testcases/packetpath/policy
new file mode 100755
index 00000000..0bb42a54
--- /dev/null
+++ b/tests/shell/testcases/packetpath/policy
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+ip link set lo up
+
+$NFT -f - <<EOF
+table inet filter {
+ chain underflow { }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ icmp type echo-reply accept
+ ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter accept
+ goto underflow
+ }
+}
+EOF
+[ $? -ne 0 ] && exit 1
+
+ping -q -c 1 127.0.0.2 >/dev/null || exit 2
+
+# should work, polict is accept.
+ping -q -c 1 127.0.0.1 >/dev/null || exit 1
+
+$NFT -f - <<EOF
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ }
+}
+EOF
+[ $? -ne 0 ] && exit 1
+
+$NFT list ruleset
+
+ping -W 1 -q -c 1 127.0.0.2
+
+ping -q -c 1 127.0.0.2 >/dev/null || exit 2
+
+# should fail, policy is set to drop
+ping -W 1 -q -c 1 127.0.0.1 >/dev/null 2>&1 && exit 1
+
+exit 0