Diffstat (limited to 'tests/shell')
28 files changed, 369 insertions, 132 deletions
diff --git a/tests/shell/features/reset_tcp_options.nft b/tests/shell/features/reset_tcp_options.nft new file mode 100644 index 00000000..47d1c7b8 --- /dev/null +++ b/tests/shell/features/reset_tcp_options.nft @@ -0,0 +1,5 @@ +table inet t { + chain c { + reset tcp option fastopen + } +} diff --git a/tests/shell/features/table_flag_persist.nft b/tests/shell/features/table_flag_persist.nft new file mode 100644 index 00000000..0da3e6d4 --- /dev/null +++ b/tests/shell/features/table_flag_persist.nft @@ -0,0 +1,3 @@ +table t { + flags persist; +} diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 86c83126..6a9b518c 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -860,7 +860,7 @@ job_start() { local testfile="$1" local testidx="$2" - if [ "$NFT_TEST_JOBS" -le 1 ] ; then + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then print_test_header I "$testfile" "$testidx" "EXECUTING" fi @@ -873,7 +873,7 @@ job_start() { $NFT_TEST_UNSHARE_CMD "$NFT_TEST_BASEDIR/helpers/test-wrapper.sh" "$testfile" local rc_got=$? - if [ "$NFT_TEST_JOBS" -le 1 ] ; then + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line fi diff --git a/tests/shell/testcases/chains/netdev_chain_dev_gone b/tests/shell/testcases/chains/netdev_chain_dev_gone index 77f828d5..99933a31 100755 --- a/tests/shell/testcases/chains/netdev_chain_dev_gone +++ b/tests/shell/testcases/chains/netdev_chain_dev_gone @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress) + set -e iface_cleanup() { diff --git a/tests/shell/testcases/chains/netdev_netns_gone b/tests/shell/testcases/chains/netdev_netns_gone index e6b65996..3a92c99e 100755 --- a/tests/shell/testcases/chains/netdev_netns_gone +++ b/tests/shell/testcases/chains/netdev_netns_gone @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress) + set -e rnd=$(mktemp -u XXXXXXXX) 
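Review bot: The guard `[ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]` is now spelled out twice in job_start and mixes `[` with `[[`. The second copy erases the line the first one printed, so the two conditions must never drift apart. Evaluating it once, e.g. `local show_progress=n; [[ "$NFT_TEST_JOBS" -le 1 && -t 1 ]] && show_progress=y`, and testing `$show_progress` at both sites would keep them in step. A one-line comment saying that `-t 1` keeps cursor-control escapes out of redirected logs would also help. job_start's body extends beyond both hunks.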
diff --git a/tests/shell/testcases/listing/dumps/meta_time.nft b/tests/shell/testcases/listing/dumps/meta_time.nft deleted file mode 100644 index 9121aef5..00000000 --- a/tests/shell/testcases/listing/dumps/meta_time.nft +++ /dev/null @@ -1,32 +0,0 @@ -table ip t { - chain c { - meta hour "01:00"-"01:59" - meta hour "02:00"-"02:59" - meta hour "03:00"-"03:59" - meta hour "04:00"-"04:59" - meta hour "05:00"-"05:59" - meta hour "06:00"-"06:59" - meta hour "07:00"-"07:59" - meta hour "08:00"-"08:59" - meta hour "09:00"-"09:59" - meta hour "10:00"-"10:59" - meta hour "11:00"-"11:59" - meta hour "12:00"-"12:59" - meta hour "13:00"-"13:59" - meta hour "14:00"-"14:59" - meta hour "15:00"-"15:59" - meta hour "16:00"-"16:59" - meta hour "17:00"-"17:59" - meta hour "18:00"-"18:59" - meta hour "19:00"-"19:59" - meta hour "20:00"-"20:59" - meta hour "21:00"-"21:59" - meta hour "22:00"-"22:59" - meta hour "23:00"-"23:59" - meta hour "00:00"-"00:59" - meta hour "04:00"-"15:00" - meta hour "05:00"-"16:00" - meta hour "06:00"-"17:00" - meta hour "07:00"-"18:00" - } -} diff --git a/tests/shell/testcases/listing/dumps/meta_time.nodump b/tests/shell/testcases/listing/dumps/meta_time.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/listing/dumps/meta_time.nodump diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time index 39fa4387..96a9d557 100755 --- a/tests/shell/testcases/listing/meta_time +++ b/tests/shell/testcases/listing/meta_time 
@@ -53,7 +53,15 @@ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 0 59 >> "$TMP1" check_decode UTC-1 +$NFT flush chain t c TZ=EADT $NFT add rule t c meta hour "03:00"-"14:00" TZ=EADT $NFT add rule t c meta hour "04:00"-"15:00" TZ=EADT $NFT add rule t c meta hour "05:00"-"16:00" TZ=EADT $NFT add rule t c meta hour "06:00"-"17:00" + +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 3 0 14 0 > "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 4 0 15 0 >> "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 5 0 16 0 >> "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 6 0 17 0 >> "$TMP1" + +check_decode EADT diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft index 8130c46c..b3204a28 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft @@ -231,7 +231,7 @@ "elem": { "elem": { "val": "10.2.3.4", - "timeout": 1 + "timeout": 2 } }, "data": 2, diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft index 9134673c..e80366b8 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft @@ -16,7 +16,7 @@ table ip dynset { chain input { type filter hook input priority filter; policy accept; - add @dynmark { 10.2.3.4 timeout 1s : 0x00000002 } comment "also check timeout-gc" + add @dynmark { 10.2.3.4 timeout 2s : 0x00000002 } comment "also check timeout-gc" meta l4proto icmp ip daddr 127.0.0.42 jump test_ping } } diff --git a/tests/shell/testcases/maps/named_limits b/tests/shell/testcases/maps/named_limits index 5604f6ca..ac8e434c 100755 --- a/tests/shell/testcases/maps/named_limits +++ b/tests/shell/testcases/maps/named_limits 
@@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + dumpfile=$(dirname $0)/dumps/$(basename $0).nft $NFT -f "$dumpfile" || exit 1 diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete index d2ac9f1c..2d718c5f 100755 --- a/tests/shell/testcases/maps/typeof_maps_add_delete +++ b/tests/shell/testcases/maps/typeof_maps_add_delete @@ -30,7 +30,7 @@ EXPECTED="table ip dynset { chain input { type filter hook input priority 0; policy accept; - add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\" + add @dynmark { 10.2.3.4 timeout 2s : 0x2 } comment \"also check timeout-gc\" meta l4proto icmp ip daddr 127.0.0.42 jump test_ping } }" @@ -45,7 +45,7 @@ ping -c 1 127.0.0.42 $NFT get element ip dynset dynmark { 10.2.3.4 } # wait so that 10.2.3.4 times out. -sleep 2 +sleep 3 set +e $NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1 diff --git a/tests/shell/testcases/maps/vmap_unary b/tests/shell/testcases/maps/vmap_unary index 4038d1c1..f4e1f012 100755 --- a/tests/shell/testcases/maps/vmap_unary +++ b/tests/shell/testcases/maps/vmap_unary @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e RULESET="table ip filter { diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft index 8f3f3a81..1b2e3420 100644 --- a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft @@ -169,12 +169,8 @@ }, "right": { "|": [ - { - "|": [ - "established", - "related" - ] - }, + "established", + "related", "new" ] } diff --git a/tests/shell/testcases/owner/0002-persist b/tests/shell/testcases/owner/0002-persist new file mode 100755 index 00000000..cf4b8f13 --- /dev/null +++ b/tests/shell/testcases/owner/0002-persist 
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist)
+
+die() {
+ echo "$@"
+ exit 1
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "table add failed"
+}
+
+$NFT list ruleset | grep -q 'table ip t' || {
+ die "table does not persist"
+}
+$NFT list ruleset | grep -q 'flags persist$' || {
+ die "unexpected flags in orphaned table"
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "retake ownership failed"
+}
+
+exit 0
diff --git a/tests/shell/testcases/packetpath/dumps/policy.json-nft b/tests/shell/testcases/packetpath/dumps/policy.json-nft
new file mode 100644
index 00000000..26e8a052
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/policy.json-nft
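Review bot: `die()` prints its message with `echo "$@"` on stdout, so failure text ends up in the same stream as the `$NFT` output; `printf '%s\n' "$*" >&2` would keep diagnostics separate. The two `[[ $? -eq 0 ]] || { … }` checks that follow the here-documents would read more directly as `|| die "…"` attached to the `$NFT -f - <<EOF` command line itself. The script also lacks a header comment stating the expectation that the "orphaned table" message implies: after the first `$NFT` process exits the table should remain and list only `flags persist`. Stating that up front would make the `flags persist$` grep self-explanatory.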
@@ -0,0 +1,121 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "underflow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-reply" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.2" + } + }, + { + "counter": { + "packets": 3, + "bytes": 252 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "underflow" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/policy.nft b/tests/shell/testcases/packetpath/dumps/policy.nft new file mode 100644 index 00000000..e625ea6c --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/policy.nft @@ -0,0 +1,11 @@ +table inet filter { + chain underflow { + } + + chain input { + type filter hook input priority filter; policy drop; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter packets 3 bytes 252 accept + goto underflow + } +} 
diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables index 18a57a9b..ec7dfeb7 100755 --- a/tests/shell/testcases/packetpath/flowtables +++ b/tests/shell/testcases/packetpath/flowtables @@ -77,7 +77,7 @@ ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86 } # A trick to control the timing to send a packet -ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof & +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/pipefile-$rnd,ignoreeof & sleep 1 ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' & sleep 1 diff --git a/tests/shell/testcases/packetpath/payload b/tests/shell/testcases/packetpath/payload index 9f4587d2..4c5c42da 100755 --- a/tests/shell/testcases/packetpath/payload +++ b/tests/shell/testcases/packetpath/payload @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress) + rnd=$(mktemp -u XXXXXXXX) ns1="nft1payload-$rnd" ns2="nft2payload-$rnd" diff --git a/tests/shell/testcases/packetpath/policy b/tests/shell/testcases/packetpath/policy new file mode 100755 index 00000000..0bb42a54 --- /dev/null +++ b/tests/shell/testcases/packetpath/policy 
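Review bot: The listener now opens `/tmp/pipefile-$rnd` through GOPEN, which is a pattern-named path in a world-writable directory, in a test that uses `ip netns exec` and so presumably runs with root privileges. The assignment of `rnd` is outside this hunk; if it comes from `mktemp -u`, as in other tests of this suite, the name is only generated and never reserved, so the path could already exist (for example as a symlink left by another local user) when socat opens or creates it. A private directory closes that gap: `tmpdir=$(mktemp -d)` with `"$tmpdir/pipefile"` on both socat lines and removal in an exit trap. Quoting the expansion on both lines would be worthwhile as well.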
@@ -0,0 +1,42 @@ +#!/bin/bash + +ip link set lo up + +$NFT -f - <<EOF +table inet filter { + chain underflow { } + + chain input { + type filter hook input priority filter; policy accept; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter accept + goto underflow + } +} +EOF +[ $? -ne 0 ] && exit 1 + +ping -q -c 1 127.0.0.2 >/dev/null || exit 2 + +# should work, polict is accept. +ping -q -c 1 127.0.0.1 >/dev/null || exit 1 + +$NFT -f - <<EOF +table inet filter { + chain input { + type filter hook input priority filter; policy drop; + } +} +EOF +[ $? -ne 0 ] && exit 1 + +$NFT list ruleset + +ping -W 1 -q -c 1 127.0.0.2 + +ping -q -c 1 127.0.0.2 >/dev/null || exit 2 + +# should fail, policy is set to drop +ping -W 1 -q -c 1 127.0.0.1 >/dev/null 2>&1 && exit 1 + +exit 0 diff --git a/tests/shell/testcases/packetpath/set_lookups b/tests/shell/testcases/packetpath/set_lookups index 84a0000a..85159858 100755 --- a/tests/shell/testcases/packetpath/set_lookups +++ b/tests/shell/testcases/packetpath/set_lookups @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e $NFT -f /dev/stdin <<"EOF" diff --git a/tests/shell/testcases/packetpath/tcp_options b/tests/shell/testcases/packetpath/tcp_options index 88552226..57e228c5 100755 --- a/tests/shell/testcases/packetpath/tcp_options +++ b/tests/shell/testcases/packetpath/tcp_options @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_tcp_options) + have_socat="no" socat -h > /dev/null && have_socat="yes" diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft index cd39f090..e37139f3 100644 --- a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft 
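Review bot: The bare `ping -W 1 -q -c 1 127.0.0.2` after `$NFT list ruleset` is neither checked nor redirected, yet dumps/policy.nft expects `counter packets 3 bytes 252`, so this ping appears to be load-bearing rather than leftover debugging. Either give it the same `>/dev/null || exit 2` handling as its neighbours or add a comment such as `# counted: the dump expects 3 packets to 127.0.0.2`, so nobody removes it and breaks the dump comparison. The comment `# should work, polict is accept.` has a typo (`policy`). The two pings before the policy change also have no `-W` timeout, unlike the later ones.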
@@ -27,146 +27,87 @@ "elem": [ { "|": [ - { - "|": [ - { - "|": [ - "fin", - "psh" - ] - }, - "ack" - ] - }, - "urg" - ] - }, - { - "|": [ - { - "|": [ - "fin", - "psh" - ] - }, + "fin", "ack" ] }, { "|": [ - { - "|": [ - "fin", - "ack" - ] - }, + "fin", + "ack", "urg" ] }, { "|": [ "fin", + "psh", "ack" ] }, { "|": [ - { - "|": [ - { - "|": [ - "syn", - "psh" - ] - }, - "ack" - ] - }, + "fin", + "psh", + "ack", "urg" ] }, + "syn", { "|": [ - { - "|": [ - "syn", - "psh" - ] - }, + "syn", "ack" ] }, { "|": [ - { - "|": [ - "syn", - "ack" - ] - }, + "syn", + "ack", "urg" ] }, { "|": [ "syn", + "psh", "ack" ] }, - "syn", { "|": [ - { - "|": [ - { - "|": [ - "rst", - "psh" - ] - }, - "ack" - ] - }, + "syn", + "psh", + "ack", "urg" ] }, + "rst", { "|": [ - { - "|": [ - "rst", - "psh" - ] - }, + "rst", "ack" ] }, { "|": [ - { - "|": [ - "rst", - "ack" - ] - }, + "rst", + "ack", "urg" ] }, { "|": [ "rst", + "psh", "ack" ] }, - "rst", { "|": [ - { - "|": [ - "psh", - "ack" - ] - }, + "rst", + "psh", + "ack", "urg" ] }, @@ -178,11 +119,18 @@ }, { "|": [ + "psh", "ack", "urg" ] }, - "ack" + "ack", + { + "|": [ + "ack", + "urg" + ] + } ] } } diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft index ffed5426..22bf5c46 100644 --- a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft 
@@ -2,9 +2,9 @@ table ip test { set tcp_good_flags { type tcp_flag flags constant - elements = { fin | psh | ack | urg, fin | psh | ack, fin | ack | urg, fin | ack, syn | psh | ack | urg, - syn | psh | ack, syn | ack | urg, syn | ack, syn, rst | psh | ack | urg, - rst | psh | ack, rst | ack | urg, rst | ack, rst, psh | ack | urg, - psh | ack, ack | urg, ack } + elements = { fin | ack, fin | ack | urg, fin | psh | ack, fin | psh | ack | urg, syn, + syn | ack, syn | ack | urg, syn | psh | ack, syn | psh | ack | urg, rst, + rst | ack, rst | ack | urg, rst | psh | ack, rst | psh | ack | urg, psh | ack, + psh | ack | urg, ack, ack | urg } } } diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat index 07820b7c..34465f1d 100755 --- a/tests/shell/testcases/sets/typeof_sets_concat +++ b/tests/shell/testcases/sets/typeof_sets_concat @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e dumpfile=$(dirname $0)/dumps/$(basename $0).nft diff --git a/tests/shell/testcases/transactions/concat_range_abort b/tests/shell/testcases/transactions/concat_range_abort new file mode 100755 index 00000000..b2bbe37b --- /dev/null +++ b/tests/shell/testcases/transactions/concat_range_abort @@ -0,0 +1,28 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +$NFT -f /dev/stdin <<EOF +table ip x { + map m { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { + 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : jump foo, + } + } + + chain foo { + accept + } +} +EOF + +$NFT -f /dev/stdin <<EOF +add chain ip x bar +add element ip x m { 1.2.3.4 . 42 : jump bar } +delete set ip x m +EOF diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft new file mode 100644 index 00000000..8db71894 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft 
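Review bot: The new concat_range_abort script carries no comment saying what it guards against, and its name does not match what the visible lines check. Under `set -e` it passes only if the second batch is accepted, and the dump then expects chains `foo` and `bar` with map `m` gone, so as far as the dump shows the transaction commits rather than aborts. A header comment such as `# add an element to a concatenated-range map and delete that map in the same batch; the batch must succeed` would record the intent. If an abort path is what is really being exercised, the comment should say where it happens.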
@@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft new file mode 100644 index 00000000..06adca7a --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft @@ -0,0 +1,8 @@ +table ip x { + chain foo { + accept + } + + chain bar { + } +} |