diff options
Diffstat (limited to 'tests')
9 files changed, 174 insertions, 0 deletions
diff --git a/tests/shell/testcases/rule_management/0001addposition_0 b/tests/shell/testcases/rule_management/0001addposition_0 new file mode 100755 index 00000000..e66bfff3 --- /dev/null +++ b/tests/shell/testcases/rule_management/0001addposition_0 @@ -0,0 +1,27 @@ +#!/bin/bash + +# tests for Netfilter bug #965 and the related fix +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +$NFT add rule t c accept # should have handle 2 +$NFT add rule t c accept # should have handle 3 +$NFT add rule t c position 2 drop + +EXPECTED="table ip t { + chain c { + accept + drop + accept + } +}" + +GET="$($NFT list ruleset)" + +if [ "$EXPECTED" != "$GET" ] ; then + DIFF="$(which diff)" + [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/rule_management/0002insertposition_0 b/tests/shell/testcases/rule_management/0002insertposition_0 new file mode 100755 index 00000000..cf8a568d --- /dev/null +++ b/tests/shell/testcases/rule_management/0002insertposition_0 @@ -0,0 +1,27 @@ +#!/bin/bash + +# tests for Netfilter bug #965 and the related fix +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +$NFT add rule t c accept # should have handle 2 +$NFT add rule t c accept # should have handle 3 +$NFT insert rule t c position 2 drop + +EXPECTED="table ip t { + chain c { + drop + accept + accept + } +}" + +GET="$($NFT list ruleset)" + +if [ "$EXPECTED" != "$GET" ] ; then + DIFF="$(which diff)" + [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0 new file mode 100755 index 00000000..6691c166 --- /dev/null +++ b/tests/shell/testcases/rule_management/0003insert_0 @@ -0,0 +1,27 @@ +#!/bin/bash + +# tests for Netfilter bug #965 +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +$NFT insert rule t c accept +$NFT insert rule t c drop +$NFT insert rule t c masquerade + +EXPECTED="table ip t { + chain c { + masquerade + drop + accept + } +}" + +GET="$($NFT list ruleset)" + +if [ "$EXPECTED" != "$GET" ] ; then + DIFF="$(which diff)" + [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0 new file mode 100755 index 00000000..6a4b9495 --- /dev/null +++ b/tests/shell/testcases/rule_management/0004replace_0 @@ -0,0 +1,24 @@ +#!/bin/bash + +# tests for Netfilter bug #965 and the related fix +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +$NFT add rule t c accept # should have handle 2 +$NFT replace rule t c handle 2 drop + +EXPECTED="table ip t { + chain c { + drop + } +}" + +GET="$($NFT list ruleset)" + +if [ "$EXPECTED" != "$GET" ] ; then + DIFF="$(which diff)" + [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/rule_management/0005replace_1 b/tests/shell/testcases/rule_management/0005replace_1 new file mode 100755 index 00000000..e82995a5 --- /dev/null +++ b/tests/shell/testcases/rule_management/0005replace_1 @@ -0,0 +1,11 @@ +#!/bin/bash + +# tests for Netfilter bug #965 and the related fix +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +# kernel should return ENOENT +$NFT replace rule t c handle 2 drop 2>/dev/null +echo "E: missing kernel ENOENT" >&2 diff --git a/tests/shell/testcases/rule_management/0006replace_1 b/tests/shell/testcases/rule_management/0006replace_1 new file mode 100755 index 00000000..5dfcba02 --- /dev/null +++ b/tests/shell/testcases/rule_management/0006replace_1 @@ -0,0 +1,11 @@ +#!/bin/bash + +# tests for Netfilter bug #965 and the related fix +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +# position keyword with replace action is not allowed, this should fail +$NFT replace rule t c position 2 drop 2>/dev/null +echo "E: allowed replace with position specification" >&2 diff --git a/tests/shell/testcases/rule_management/0007delete_0 b/tests/shell/testcases/rule_management/0007delete_0 new file mode 100755 index 00000000..126fe5dd --- /dev/null +++ b/tests/shell/testcases/rule_management/0007delete_0 @@ -0,0 +1,25 @@ +#!/bin/bash + +# tests for Netfilter bug #965 and the related fix +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +$NFT add rule t c accept # should have handle 2 +$NFT add rule t c drop # should have handle 3 +$NFT delete rule t c handle 2 + +EXPECTED="table ip t { + chain c { + drop + } +}" + +GET="$($NFT list ruleset)" + +if [ "$EXPECTED" != "$GET" ] ; then + DIFF="$(which diff)" + [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/rule_management/0008delete_1 b/tests/shell/testcases/rule_management/0008delete_1 new file mode 100755 index 00000000..3dce2191 --- /dev/null +++ b/tests/shell/testcases/rule_management/0008delete_1 @@ -0,0 +1,11 @@ +#!/bin/bash + +# tests for Netfilter bug #965 and the related fix +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +# this should fail, we don't allow delete with position +$NFT delete rule t c position 2 drop 2>/dev/null +echo "E: allowed position spec with delete action" >&2 diff --git a/tests/shell/testcases/rule_management/0009delete_1 b/tests/shell/testcases/rule_management/0009delete_1 new file mode 100755 index 00000000..87fec605 --- /dev/null +++ b/tests/shell/testcases/rule_management/0009delete_1 @@ -0,0 +1,11 @@ +#!/bin/bash + +# tests for Netfilter bug #965 and the related fix +# (regarding rule management with a given position/handle spec) + +set -e +$NFT add table t +$NFT add chain t c +# kernel ENOENT +$NFT delete rule t c handle 3333 2>/dev/null +echo "E: missing kernel ENOENT" >&2 |