diff options
Diffstat (limited to 'tests')
1295 files changed, 76765 insertions, 9334 deletions
diff --git a/tests/build/run-tests.sh b/tests/build/run-tests.sh index ccb62af3..916df2e2 100755 --- a/tests/build/run-tests.sh +++ b/tests/build/run-tests.sh @@ -1,32 +1,36 @@ #!/bin/bash -log_file="`pwd`/tests.log" +log_file="$(pwd)/tests.log" dir=../.. -argument=( --without-cli --with-cli=linenoise --enable-debug --with-mini-gmp +argument=( --without-cli --with-cli=linenoise --with-cli=editline --enable-debug --with-mini-gmp --enable-man-doc --with-xtables --with-json) ok=0 failed=0 -[ -f $log_file ] && rm -rf $log_file +[ -f "$log_file" ] && rm -rf "$log_file" tmpdir=$(mktemp -d) -if [ ! -w $tmpdir ] ; then +if [ ! -w "$tmpdir" ] ; then echo "Failed to create tmp file" >&2 exit 0 fi -git clone $dir $tmpdir >/dev/null 2>>$log_file -cd $tmpdir +git clone "$dir" "$tmpdir" &>>"$log_file" +cd "$tmpdir" || exit -autoreconf -fi >/dev/null 2>>$log_file -./configure >/dev/null 2>>$log_file +if ! autoreconf -fi &>>"$log_file" ; then + echo "Something went wrong. Check the log '${log_file}' for details." + exit 1 +fi -echo "Testing build with distcheck" -make distcheck >/dev/null 2>>$log_file -rt=$? +if ! ./configure &>>"$log_file" ; then + echo "Something went wrong. Check the log '${log_file}' for details." + exit 1 +fi -if [ $rt != 0 ] ; then - echo "Something went wrong. Check the log for details." +echo "Testing build with distcheck" +if ! make distcheck &>>"$log_file" ; then + echo "Something went wrong. Check the log '${log_file}' for details." exit 1 fi @@ -35,8 +39,8 @@ echo "Build works. Now, testing compile options" for var in "${argument[@]}" ; do echo "[EXECUTING] Testing compile option $var" - ./configure $var >/dev/null 2>>$log_file - make -j 8 >/dev/null 2>>$log_file + ./configure "$var" &>>"$log_file" + make -j 8 &>>"$log_file" rt=$? echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line @@ -49,7 +53,7 @@ for var in "${argument[@]}" ; do fi done -rm -rf $tmpdir +rm -rf "$tmpdir" echo "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))" -exit $failed +[ "$failed" -eq 0 ] diff --git a/tests/json_echo/run-test.py b/tests/json_echo/run-test.py index a636d5f2..a6bdfc61 100755 --- a/tests/json_echo/run-test.py +++ b/tests/json_echo/run-test.py @@ -4,6 +4,7 @@ from __future__ import print_function import sys import os import json +import argparse TESTS_PATH = os.path.dirname(os.path.abspath(__file__)) sys.path.insert(0, os.path.join(TESTS_PATH, '../../py/')) @@ -13,12 +14,26 @@ from nftables import Nftables # Change working directory to repository root os.chdir(TESTS_PATH + "/../..") -if not os.path.exists('src/.libs/libnftables.so'): - print("The nftables library does not exist. " - "You need to build the project.") +parser = argparse.ArgumentParser(description='Run JSON echo tests') +parser.add_argument('-H', '--host', action='store_true', + help='Run tests against installed libnftables.so.1') +parser.add_argument('-l', '--library', default=None, + help='Path to libntables.so, overrides --host') +args = parser.parse_args() + +check_lib_path = True +if args.library is None: + if args.host: + args.library = 'libnftables.so.1' + check_lib_path = False + else: + args.library = 'src/.libs/libnftables.so.1' + +if check_lib_path and not os.path.exists(args.library): + print("Library not found at '%s'." % args.library) sys.exit(1) -nftables = Nftables(sofile = 'src/.libs/libnftables.so') +nftables = Nftables(sofile = args.library) nftables.set_echo_output(True) # various commands to work with @@ -80,25 +95,25 @@ add_quota = { "add": { # helper functions def exit_err(msg): - print("Error: %s" %msg) + print("Error: %s" %msg, file=sys.stderr) sys.exit(1) def exit_dump(e, obj): - print("FAIL: {}".format(e)) - print("Output was:") - json.dumps(out, sort_keys = True, indent = 4, separators = (',', ': ')) - sys.exit(1) + msg = "{}\n".format(e) + msg += "Output was:\n" + msg += json.dumps(obj, sort_keys = True, indent = 4, separators = (',', ': ')) + exit_err(msg) def do_flush(): rc, out, err = nftables.json_cmd({ "nftables": [flush_ruleset] }) - if not rc is 0: + if rc != 0: exit_err("flush ruleset failed: {}".format(err)) def do_command(cmd): if not type(cmd) is list: cmd = [cmd] rc, out, err = nftables.json_cmd({ "nftables": cmd }) - if not rc is 0: + if rc != 0: exit_err("command failed: {}".format(err)) return out @@ -119,7 +134,7 @@ def get_handle(output, search): else: data = item - k = search.keys()[0] + k = list(search.keys())[0] if not k in data: continue diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh index efacdaaa..f1ac790a 100755 --- a/tests/monitor/run-tests.sh +++ b/tests/monitor/run-tests.sh @@ -1,7 +1,7 @@ #!/bin/bash cd $(dirname $0) -nft=../../src/nft +nft=${NFT:-../../src/nft} debug=false test_json=false @@ -9,17 +9,24 @@ mydiff() { diff -w -I '^# ' "$@" } -if [ "$(id -u)" != "0" ] ; then - echo "this requires root!" +err() { + echo "$*" >&2 +} + +die() { + err "$*" exit 1 +} + +if [ "$(id -u)" != "0" ] ; then + die "this requires root!" fi testdir=$(mktemp -d) if [ ! -d $testdir ]; then - echo "Failed to create test directory" >&2 - exit 1 + die "Failed to create test directory" fi -trap "rm -rf $testdir; $nft flush ruleset" EXIT +trap 'rm -rf $testdir; $nft flush ruleset' EXIT command_file=$(mktemp -p $testdir) output_file=$(mktemp -p $testdir) @@ -56,6 +63,7 @@ monitor_run_test() { monitor_output=$(mktemp -p $testdir) monitor_args="" $test_json && monitor_args="vm json" + local rc=0 $nft -nn monitor $monitor_args >$monitor_output & monitor_pid=$! @@ -66,46 +74,50 @@ monitor_run_test() { echo "command file:" cat $command_file } - $nft -f $command_file || { - echo "nft command failed!" - kill $monitor_pid - wait >/dev/null 2>&1 - exit 1 + $nft -f - <$command_file || { + err "nft command failed!" + rc=1 } sleep 0.5 kill $monitor_pid wait >/dev/null 2>&1 $test_json && json_output_filter $monitor_output - if ! mydiff -q $monitor_output $output_file >/dev/null 2>&1; then - echo "monitor output differs!" - mydiff -u $output_file $monitor_output - exit 1 + mydiff -q $monitor_output $output_file >/dev/null 2>&1 + if [[ $rc == 0 && $? != 0 ]]; then + err "monitor output differs!" + mydiff -u $output_file $monitor_output >&2 + rc=1 fi rm $command_file rm $output_file touch $command_file touch $output_file + return $rc } echo_run_test() { echo_output=$(mktemp -p $testdir) + local rc=0 + $debug && { echo "command file:" cat $command_file } - $nft -nn -e -f $command_file >$echo_output || { - echo "nft command failed!" - exit 1 + $nft -nn -e -f - <$command_file >$echo_output || { + err "nft command failed!" + rc=1 } - if ! mydiff -q $echo_output $output_file >/dev/null 2>&1; then - echo "echo output differs!" - mydiff -u $output_file $echo_output - exit 1 + mydiff -q $echo_output $output_file >/dev/null 2>&1 + if [[ $rc == 0 && $? != 0 ]]; then + err "echo output differs!" + mydiff -u $output_file $echo_output >&2 + rc=1 fi rm $command_file rm $output_file touch $command_file touch $output_file + return $rc } testcases="" @@ -119,6 +131,10 @@ while [ -n "$1" ]; do test_json=true shift ;; + -H|--host) + nft=nft + shift + ;; testcases/*.t) testcases+=" $1" shift @@ -139,12 +155,16 @@ else variants="monitor echo" fi +rc=0 for variant in $variants; do run_test=${variant}_run_test output_append=${variant}_output_append for testcase in ${testcases:-testcases/*.t}; do - echo "$variant: running tests from file $(basename $testcase)" + filename=$(basename $testcase) + echo "$variant: running tests from file $filename" + rc_start=$rc + # files are like this: # # I add table ip t @@ -158,7 +178,10 @@ for variant in $variants; do while read dir line; do case $dir in I) - $input_complete && $run_test + $input_complete && { + $run_test + let "rc += $?" + } input_complete=false cmd_append "$line" ;; @@ -175,6 +198,14 @@ for variant in $variants; do ;; esac done <$testcase - $input_complete && $run_test + $input_complete && { + $run_test + let "rc += $?" + } + + let "rc_diff = rc - rc_start" + [[ $rc_diff -ne 0 ]] && \ + echo "$variant: $rc_diff tests from file $filename failed" done done +exit $rc diff --git a/tests/monitor/testcases/map-expr.t b/tests/monitor/testcases/map-expr.t new file mode 100644 index 00000000..8729c0b4 --- /dev/null +++ b/tests/monitor/testcases/map-expr.t @@ -0,0 +1,6 @@ +# first the setup +I add table ip t +I add map ip t m { typeof meta day . meta hour : verdict; flags interval; counter; } +O - +J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}} +J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": ["day", "hour"], "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}} diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t index 2afe33c8..53a9f8c5 100644 --- a/tests/monitor/testcases/object.t +++ b/tests/monitor/testcases/object.t @@ -37,7 +37,7 @@ I delete ct helper ip t cth O - J {"delete": {"ct helper": {"family": "ip", "name": "cth", "table": "t", "handle": 0, "type": "sip", "protocol": "tcp", "l3proto": "ip"}}} -I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15, replied : 12 }; } +I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15s, replied : 12s }; } O - J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}} diff --git a/tests/monitor/testcases/set-concat-interval.t b/tests/monitor/testcases/set-concat-interval.t new file mode 100644 index 00000000..763dc319 --- /dev/null +++ b/tests/monitor/testcases/set-concat-interval.t @@ -0,0 +1,12 @@ +# setup first +I add table ip t +I add chain ip t c +O - +J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}} +J {"add": {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}} + +# add set with elements, monitor output expectedly differs +I add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }; } +O add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; } +O add element ip t s { 20-80 . 0x14 : accept } +O add element ip t s { 1-10 . 0xa : drop } diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t index 1fbcfe22..5053c596 100644 --- a/tests/monitor/testcases/set-interval.t +++ b/tests/monitor/testcases/set-interval.t @@ -23,3 +23,8 @@ J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "ex I add rule ip t c tcp dport { 20, 30-40 } O - J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}} + +# ... and anon concat range +I add rule ip t c ether saddr . ip saddr { 08:00:27:40:f7:09 . 192.168.56.10-192.168.56.12 } +O - +J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "ether", "field": "saddr"}}, {"payload": {"protocol": "ip", "field": "saddr"}}]}, "right": {"set": [{"concat": ["08:00:27:40:f7:09", {"range": ["192.168.56.10", "192.168.56.12"]}]}]}}}]}}} diff --git a/tests/monitor/testcases/simple.t b/tests/monitor/testcases/simple.t index 78fd6616..67be5c85 100644 --- a/tests/monitor/testcases/simple.t +++ b/tests/monitor/testcases/simple.t @@ -14,14 +14,14 @@ O - J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [22, 80, 443]}}}, {"accept": null}]}}} I insert rule ip t c counter accept -O add rule ip t c counter packets 0 bytes 0 accept -J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"counter": {"packets": 0, "bytes": 0}}, {"accept": null}]}}} +O insert rule ip t c counter packets 0 bytes 0 accept +J {"insert": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"counter": {"packets": 0, "bytes": 0}}, {"accept": null}]}}} I replace rule ip t c handle 2 accept comment "foo bar" -O add rule ip t c accept comment "foo bar" O delete rule ip t c handle 2 -J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "comment": "foo bar", "expr": [{"accept": null}]}}} +O add rule ip t c handle 5 accept comment "foo bar" J {"delete": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"accept": null}]}}} +J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "comment": "foo bar", "expr": [{"accept": null}]}}} I add counter ip t cnt O add counter ip t cnt { packets 0 bytes 0 } diff --git a/tests/py/README b/tests/py/README index ed5dc58b..864a966e 100644 --- a/tests/py/README +++ b/tests/py/README @@ -163,4 +163,35 @@ G) Acknowledgements Thanks to the Outreach Program for Women (OPW) for sponsoring this test infrastructure and my mentor Pablo Neira. +H) JSON (-j) Mode + +This mode is supposed to repeat the same tests using JSON syntax. For each test +file example.t, there is supposed to be a file example.t.json holding the JSON +equivalents of each rule in example.t. The file's syntax is similar to payload +files: An initial comment identifies the rule belonging to the following JSON +equivalent. Pairs of comment and JSON are separated by a single blank line. + +If the example.t.json file does not exist, the test script will warn and create +(or append to) example.t.json.got. The JSON equivalent written is generated by +applying the rule in standard syntax and listing the ruleset in JSON format. +After thorough review, it may be renamed to example.t.json. + +One common case for editing the content in example.t.json.got is expected +differences between input and output. The generated content will match the +output while it is supposed to match the input. + +If a rule is expected to differ in output, the expected output must be recorded +in example.t.json.output. Its syntax is identical to example.t.json, i.e. pairs +of comment identifying the rule (in standard syntax) and JSON (output) format +separated by blank lines. Note: the comment states the rule as in input, not +output. + +If the example.t.json.output file does not exist and output differs from input, +the file example.t.json.output.got is created with the actual output recorded. + +JSON mode will also check the payload created for the rule in JSON syntax by +comparing it to the recorded one in example.t.payload. Should it differ, it +will be recorded in example.t.json.payload.got. This is always a bug: A rule's +JSON equivalent must turn into the same bytecode as the rule itself. + -EOF- diff --git a/tests/py/any/counter.t b/tests/py/any/counter.t new file mode 100644 index 00000000..1c72742c --- /dev/null +++ b/tests/py/any/counter.t @@ -0,0 +1,14 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*arp;test-arp;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress + +counter;ok +counter packets 0 bytes 0;ok;counter +counter packets 2 bytes 1;ok;counter +counter bytes 1024 packets 1;ok;counter diff --git a/tests/py/any/counter.t.json b/tests/py/any/counter.t.json new file mode 100644 index 00000000..2d1eaa99 --- /dev/null +++ b/tests/py/any/counter.t.json @@ -0,0 +1,39 @@ +# counter +[ + { + "counter": { + "bytes": 0, + "packets": 0 + } + } +] + +# counter packets 0 bytes 0 +[ + { + "counter": { + "bytes": 0, + "packets": 0 + } + } +] + +# counter packets 2 bytes 1 +[ + { + "counter": { + "bytes": 1, + "packets": 2 + } + } +] + +# counter bytes 1024 packets 1 +[ + { + "counter": { + "bytes": 1024, + "packets": 1 + } + } +] diff --git a/tests/py/any/counter.t.json.output b/tests/py/any/counter.t.json.output new file mode 100644 index 00000000..6a62ffb0 --- /dev/null +++ b/tests/py/any/counter.t.json.output @@ -0,0 +1,28 @@ +# counter +[ + { + "counter": null + } +] + +# counter packets 0 bytes 0 +[ + { + "counter": null + } +] + +# counter packets 2 bytes 1 +[ + { + "counter": null + } +] + +# counter bytes 1024 packets 1 +[ + { + "counter": null + } +] + diff --git a/tests/py/any/counter.t.payload b/tests/py/any/counter.t.payload new file mode 100644 index 00000000..23e96bae --- /dev/null +++ b/tests/py/any/counter.t.payload @@ -0,0 +1,15 @@ +# counter +ip + [ counter pkts 0 bytes 0 ] + +# counter packets 0 bytes 0 +ip + [ counter pkts 0 bytes 0 ] + +# counter packets 2 bytes 1 +ip + [ counter pkts 2 bytes 1 ] + +# counter bytes 1024 packets 1 +ip + [ counter pkts 1 bytes 1024 ] diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t index ebc08644..f73fa4e7 100644 --- a/tests/py/any/ct.t +++ b/tests/py/any/ct.t @@ -26,9 +26,11 @@ ct status != expected;ok ct status seen-reply;ok ct status != seen-reply;ok ct status {expected, seen-reply, assured, confirmed, dying};ok +ct status != {expected, seen-reply, assured, confirmed, dying};ok ct status expected,seen-reply,assured,confirmed,snat,dnat,dying;ok ct status snat;ok ct status dnat;ok +ct status ! dnat;ok ct status xxx;fail ct mark 0;ok;ct mark 0x00000000 @@ -57,6 +59,7 @@ ct mark set 0x11333 and 0x11;ok;ct mark set 0x00000011 ct mark set 0x12 or 0x11;ok;ct mark set 0x00000013 ct mark set 0x11;ok;ct mark set 0x00000011 ct mark set mark;ok;ct mark set meta mark +ct mark set (meta mark | 0x10) << 8;ok;ct mark set (meta mark | 0x00000010) << 8 ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 };ok;ct mark set meta mark map { 0x00000003 : 0x0000001e, 0x00000002 : 0x00000014, 0x00000001 : 0x0000000a} ct mark set {0x11333, 0x11};fail @@ -66,7 +69,7 @@ ct event set {new, related, destroy, label};fail ct expiration 30s;ok ct expiration 30000ms;ok;ct expiration 30s -ct expiration 1m-1h;ok +ct expiration 1m-1h;ok;ct expiration 60s-3600s ct expiration 1d-1h;fail ct expiration > 4d23h59m59s;ok ct expiration != 233;ok;ct expiration != 3m53s @@ -74,8 +77,8 @@ ct expiration 33-45;ok;ct expiration 33s-45s ct expiration != 33-45;ok;ct expiration != 33s-45s ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s} ct expiration != {33, 55, 67, 88};ok;ct expiration != { 1m7s, 33s, 55s, 1m28s} -ct expiration {33-55, 66-88};ok;ct expiration { 33s-55s, 1m6s-1m28s} -ct expiration != {33-55, 66-88};ok;ct expiration != { 33s-55s, 1m6s-1m28s} +ct expiration {33-55, 66-88};ok;ct expiration { 33s-55s, 66s-88s} +ct expiration != {33-55, 66-88};ok;ct expiration != { 33s-55s, 66s-88s} ct helper "ftp";ok ct helper "12345678901234567";fail @@ -127,6 +130,8 @@ ct both zone 1;fail ct original zone 1;ok ct reply zone 1;ok +ct id 12345;ok + ct zone set 1;ok ct original zone set 1;ok ct reply zone set 1;ok @@ -139,3 +144,6 @@ ct set invalid original 42;fail ct set invalid 42;fail notrack;ok + +ct count 3;ok +ct count over 3;ok diff --git a/tests/py/any/ct.t.json b/tests/py/any/ct.t.json index 7c16f9df..a2a06025 100644 --- a/tests/py/any/ct.t.json +++ b/tests/py/any/ct.t.json @@ -311,6 +311,29 @@ } ] +# ct status != {expected, seen-reply, assured, confirmed, dying} +[ + { + "match": { + "left": { + "ct": { + "key": "status" + } + }, + "op": "!=", + "right": { + "set": [ + "expected", + "seen-reply", + "assured", + "confirmed", + "dying" + ] + } + } + } +] + # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying [ { @@ -364,6 +387,21 @@ } ] +# ct status ! dnat +[ + { + "match": { + "left": { + "ct": { + "key": "status" + } + }, + "op": "!", + "right": "dnat" + } + } +] + # ct mark 0 [ { @@ -499,6 +537,29 @@ } ] +# ct mark set ct mark or 0x00000001 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "ct": { + "key": "mark" + } + }, + 1 + ] + } + } + } +] + # ct mark 0x00000032 [ { @@ -701,6 +762,34 @@ } ] +# ct mark set (meta mark | 0x10) << 8 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "<<": [ + { + "|": [ + { + "meta": { + "key": "mark" + } + }, + 16 + ] + }, + 8 + ] + } + } + } +] + # ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 } [ { @@ -938,39 +1027,6 @@ } ] -# ct state . ct mark { new . 0x12345678} -[ - { - "match": { - "left": { - "concat": [ - { - "ct": { - "key": "state" - } - }, - { - "ct": { - "key": "mark" - } - } - ] - }, - "op": "==", - "right": { - "set": [ - { - "concat": [ - "new", - "0x12345678" - ] - } - ] - } - } - } -] - # ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634} [ { @@ -1398,6 +1454,21 @@ } ] +# ct id 12345 +[ + { + "match": { + "left": { + "ct": { + "key": "id" + } + }, + "op": "==", + "right": 12345 + } + } +] + # ct zone set mark map { 1 : 1, 2 : 2 } [ { @@ -1431,3 +1502,22 @@ } ] +# ct count 3 +[ + { + "ct count": { + "val": 3 + } + } +] + +# ct count over 3 +[ + { + "ct count": { + "inv": true, + "val": 3 + } + } +] + diff --git a/tests/py/any/ct.t.json.output b/tests/py/any/ct.t.json.output index aced3817..70ade7e3 100644 --- a/tests/py/any/ct.t.json.output +++ b/tests/py/any/ct.t.json.output @@ -527,14 +527,14 @@ "set": [ { "concat": [ - "established", - 309876276 + "new", + 305419896 ] }, { "concat": [ - "new", - 305419896 + "established", + 309876276 ] }, { @@ -611,23 +611,23 @@ [ { "concat": [ - "established", - 2271560481 + "new", + 305419896 ] }, { - "accept": null + "drop": null } ], [ { "concat": [ - "new", - 305419896 + "established", + 2271560481 ] }, { - "drop": null + "accept": null } ] ] diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload index bdc6a70e..ed868e53 100644 --- a/tests/py/any/ct.t.payload +++ b/tests/py/any/ct.t.payload @@ -1,7 +1,7 @@ # ct state new,established, related, untracked ip test-ip4 output [ ct load state => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000004e ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct state != related @@ -28,21 +28,21 @@ ip test-ip4 output # ct state invalid drop ip test-ip4 output [ ct load state => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] [ immediate reg 0 drop ] # ct state established accept ip test-ip4 output [ ct load state => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000002 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] [ immediate reg 0 accept ] # ct state 8 ip test-ip4 output [ ct load state => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000008 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct direction original @@ -84,7 +84,7 @@ ip test-ip4 output # ct status expected ip test-ip4 output [ ct load status => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct status != expected @@ -95,7 +95,7 @@ ip test-ip4 output # ct status seen-reply ip test-ip4 output [ ct load status => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000002 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct status != seen-reply @@ -127,25 +127,25 @@ ip test-ip4 output # ct mark or 0x23 == 0x11 ip test-ip4 output [ ct load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xffffffdc ) ^ 0x00000023 ] + [ bitwise reg 1 = ( reg 1 & 0xffffffdc ) ^ 0x00000023 ] [ cmp eq reg 1 0x00000011 ] # ct mark or 0x3 != 0x1 ip test-ip4 output [ ct load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xfffffffc ) ^ 0x00000003 ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000003 ] [ cmp neq reg 1 0x00000001 ] # ct mark and 0x23 == 0x11 ip test-ip4 output [ ct load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000023 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000023 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000011 ] # ct mark and 0x3 != 0x1 ip test-ip4 output [ ct load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000001 ] # ct mark xor 0x23 == 0x11 @@ -306,15 +306,6 @@ ip test-ip4 output [ ct load helper => reg 1 ] [ cmp eq reg 1 0x00707466 0x00000000 0x00000000 0x00000000 ] -# ct state . ct mark { new . 0x12345678} -__set%d test 3 -__set%d test 0 - element 00000008 12345678 : 0 [end] -ip test-ip4 output - [ ct load state => reg 1 ] - [ ct load mark => reg 9 ] - [ lookup reg 1 set __set%d ] - # ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634} __set%d test-ip4 3 __set%d test-ip4 0 @@ -329,6 +320,13 @@ ip test-ip4 output [ meta load mark => reg 1 ] [ ct set mark with reg 1 ] +# ct mark set (meta mark | 0x10) << 8 +inet test-inet output + [ meta load mark => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ bitwise reg 1 = ( reg 1 << 0x00000008 ) ] + [ ct set mark with reg 1 ] + # ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 } __map%d test-ip4 b __map%d test-ip4 0 @@ -371,19 +369,19 @@ ip test-ip4 output # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying ip test-ip4 output [ ct load status => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000023f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000023f ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct status snat ip test-ip4 output [ ct load status => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct status dnat ip test-ip4 output [ ct load status => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000020 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct event set new @@ -419,7 +417,7 @@ ip test-ip4 output # ct label 127 ip test-ip4 output [ ct load label => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000000 0x00000000 0x00000000 0x80000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000000 0x00000000 0x00000000 0x80000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] [ cmp neq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ] # ct label set 127 @@ -487,7 +485,7 @@ ip test-ip4 output # ct state . ct mark vmap { new . 0x12345678 : drop, established . 0x87654321 : accept} __map%d test-ip4 b size 2 __map%d test-ip4 0 - element 00000008 12345678 : 0 [end] element 00000002 87654321 : 0 [end] + element 00000008 12345678 : drop 0 [end] element 00000002 87654321 : accept 0 [end] ip test-ip4 output [ ct load state => reg 1 ] [ ct load mark => reg 9 ] @@ -496,6 +494,25 @@ ip test-ip4 output # ct mark set ct mark or 0x00000001 ip test-ip4 output [ ct load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xfffffffe ) ^ 0x00000001 ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffe ) ^ 0x00000001 ] [ ct set mark with reg 1 ] +# ct id 12345 +ip test-ip4 output + [ ct load unknown => reg 1 ] + [ cmp eq reg 1 0x39300000 ] + +# ct status ! dnat +ip6 + [ ct load status => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# ct count 3 +ip test-ip4 output + [ connlimit count 3 flags 0 ] + +# ct count over 3 +ip test-ip4 output + [ connlimit count 3 flags 1 ] + diff --git a/tests/py/any/icmpX.t.netdev b/tests/py/any/icmpX.t.netdev index a327ce6a..cf402428 100644 --- a/tests/py/any/icmpX.t.netdev +++ b/tests/py/any/icmpX.t.netdev @@ -1,6 +1,7 @@ :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress ip protocol icmp icmp type echo-request;ok;icmp type echo-request icmp type echo-request;ok diff --git a/tests/py/any/last.t b/tests/py/any/last.t new file mode 100644 index 00000000..5c530461 --- /dev/null +++ b/tests/py/any/last.t @@ -0,0 +1,13 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*arp;test-arp;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress + +last;ok +last used 300s;ok;last +last used foo;fail diff --git a/tests/py/any/last.t.json b/tests/py/any/last.t.json new file mode 100644 index 00000000..2a2b9e72 --- /dev/null +++ b/tests/py/any/last.t.json @@ -0,0 +1,16 @@ +# last +[ + { + "last": null + } +] + +# last used 300s +[ + { + "last": { + "used": 300000 + } + } +] + diff --git a/tests/py/any/last.t.json.output b/tests/py/any/last.t.json.output new file mode 100644 index 00000000..e8ec4f47 --- /dev/null +++ b/tests/py/any/last.t.json.output @@ -0,0 +1,7 @@ +# last used 300s +[ + { + "last": null + } +] + diff --git a/tests/py/any/last.t.payload b/tests/py/any/last.t.payload new file mode 100644 index 00000000..ed47d0f3 --- /dev/null +++ b/tests/py/any/last.t.payload @@ -0,0 +1,8 @@ +# last +ip + [ last never ] + +# last used 300s +ip + [ last 300000 ] + diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t index ef7f9313..2a84e3f5 100644 --- a/tests/py/any/limit.t +++ b/tests/py/any/limit.t @@ -1,18 +1,19 @@ :output;type filter hook output priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;output *ip6;test-ip6;output *inet;test-inet;output *arp;test-arp;output *bridge;test-bridge;output -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress -limit rate 400/minute;ok -limit rate 20/second;ok -limit rate 400/hour;ok -limit rate 40/day;ok -limit rate 400/week;ok +limit rate 400/minute;ok;limit rate 400/minute burst 5 packets +limit rate 20/second;ok;limit rate 20/second burst 5 packets +limit rate 400/hour;ok;limit rate 400/hour burst 5 packets +limit rate 40/day;ok;limit rate 40/day burst 5 packets +limit rate 400/week;ok;limit rate 400/week burst 5 packets limit rate 1023/second burst 10 packets;ok limit rate 1023/second burst 10 bytes;fail @@ -21,19 +22,22 @@ limit rate 2 kbytes/second;ok limit rate 1025 kbytes/second;ok limit rate 1023 mbytes/second;ok limit rate 10230 mbytes/second;ok -limit rate 1023000 mbytes/second;ok limit rate 512 kbytes/second burst 5 packets;fail +limit rate 1 bytes / second;ok;limit rate 1 bytes/second +limit rate 1 kbytes / second;ok;limit rate 1 kbytes/second +limit rate 1 mbytes / second;ok;limit rate 1 mbytes/second +limit rate 1 gbytes / second;fail + limit rate 1025 bytes/second burst 512 bytes;ok limit rate 1025 kbytes/second burst 1023 kbytes;ok limit rate 1025 mbytes/second burst 1025 kbytes;ok -limit rate 1025000 mbytes/second burst 1023 mbytes;ok -limit rate over 400/minute;ok -limit rate over 20/second;ok -limit rate over 400/hour;ok -limit rate over 40/day;ok -limit rate over 400/week;ok +limit rate over 400/minute;ok;limit rate over 400/minute burst 5 packets +limit rate over 20/second;ok;limit rate over 20/second burst 5 packets +limit rate over 400/hour;ok;limit rate over 400/hour burst 5 packets +limit rate over 40/day;ok;limit rate over 40/day burst 5 packets +limit rate over 400/week;ok;limit rate over 400/week burst 5 packets limit rate over 1023/second burst 10 packets;ok limit rate over 1 kbytes/second;ok @@ -41,9 +45,7 @@ limit rate over 2 kbytes/second;ok limit rate over 1025 kbytes/second;ok limit rate over 1023 mbytes/second;ok limit rate over 10230 mbytes/second;ok -limit rate over 1023000 mbytes/second;ok limit rate over 1025 bytes/second burst 512 bytes;ok limit rate over 1025 kbytes/second burst 1023 kbytes;ok limit rate over 1025 mbytes/second burst 1025 kbytes;ok -limit rate over 1025000 mbytes/second burst 1023 mbytes;ok diff --git a/tests/py/any/limit.t.json b/tests/py/any/limit.t.json index 8bab7e3d..73160b27 100644 --- a/tests/py/any/limit.t.json +++ b/tests/py/any/limit.t.json @@ -114,12 +114,40 @@ } ] -# limit rate 1023000 mbytes/second +# limit rate 1 bytes / second [ { "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 1, + "rate_unit": "bytes" + } + } +] + +# limit rate 1 kbytes / second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 1, + "rate_unit": "kbytes" + } + } +] + +# limit rate 1 mbytes / second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", "per": "second", - "rate": 1023000, + "rate": 1, "rate_unit": "mbytes" } } @@ -164,19 +192,6 @@ } ] -# limit rate 1025000 mbytes/second burst 1023 mbytes -[ - { - "limit": { - "burst": 1023, - "burst_unit": "mbytes", - "per": "second", - "rate": 1025000, - "rate_unit": "mbytes" - } - } -] - # limit rate over 400/minute [ { @@ -304,18 +319,6 @@ } ] -# limit rate over 1023000 mbytes/second -[ - { - "limit": { - "inv": true, - "per": "second", - "rate": 1023000, - "rate_unit": "mbytes" - } - } -] - # limit rate over 1025 bytes/second burst 512 bytes [ { @@ -357,18 +360,3 @@ } } ] - -# limit rate over 1025000 mbytes/second burst 1023 mbytes -[ - { - "limit": { - "burst": 1023, - "burst_unit": "mbytes", - "inv": true, - "per": "second", - "rate": 1025000, - "rate_unit": "mbytes" - } - } -] - diff --git a/tests/py/any/limit.t.json.output b/tests/py/any/limit.t.json.output new file mode 100644 index 00000000..2c94d2de --- /dev/null +++ b/tests/py/any/limit.t.json.output @@ -0,0 +1,249 @@ +# limit rate 400/minute +[ + { + "limit": { + "burst": 5, + "per": "minute", + "rate": 400 + } + } +] + +# limit rate 20/second +[ + { + "limit": { + "burst": 5, + "per": "second", + "rate": 20 + } + } +] + +# limit rate 400/hour +[ + { + "limit": { + "burst": 5, + "per": "hour", + "rate": 400 + } + } +] + +# limit rate 40/day +[ + { + "limit": { + "burst": 5, + "per": "day", + "rate": 40 + } + } +] + +# limit rate 400/week +[ + { + "limit": { + "burst": 5, + "per": "week", + "rate": 400 + } + } +] + +# limit rate 1 kbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 1, + "rate_unit": "kbytes" + } + } +] + +# limit rate 2 kbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 2, + "rate_unit": "kbytes" + } + } +] + +# limit rate 1025 kbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 1025, + "rate_unit": "kbytes" + } + } +] + +# limit rate 1023 mbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 1023, + "rate_unit": "mbytes" + } + } +] + +# limit rate 10230 mbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 10230, + "rate_unit": "mbytes" + } + } +] + +# limit rate over 400/minute +[ + { + "limit": { + "burst": 5, + "inv": true, + "per": "minute", + "rate": 400 + } + } +] + +# limit rate over 20/second +[ + { + "limit": { + "burst": 5, + "inv": true, + "per": "second", + "rate": 20 + } + } +] + +# limit rate over 400/hour +[ + { + "limit": { + "burst": 5, + "inv": true, + "per": "hour", + "rate": 400 + } + } +] + +# limit rate over 40/day +[ + { + "limit": { + "burst": 5, + "inv": true, + "per": "day", + "rate": 40 + } + } +] + +# limit rate over 400/week +[ + { + "limit": { + "burst": 5, + "inv": true, + "per": "week", + "rate": 400 + } + } +] + +# limit rate over 1 kbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "inv": true, + "per": "second", + "rate": 1, + "rate_unit": "kbytes" + } + } +] + +# limit rate over 2 kbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "inv": true, + "per": "second", + "rate": 2, + "rate_unit": "kbytes" + } + } +] + +# limit rate over 1025 kbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "inv": true, + "per": "second", + "rate": 1025, + "rate_unit": "kbytes" + } + } +] + +# limit rate over 1023 mbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "inv": true, + "per": "second", + "rate": 1023, + "rate_unit": "mbytes" + } + } +] + +# limit rate over 10230 mbytes/second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "inv": true, + "per": "second", + "rate": 10230, + "rate_unit": "mbytes" + } + } +] diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload index b0cc84b4..dc6701b3 100644 --- a/tests/py/any/limit.t.payload +++ b/tests/py/any/limit.t.payload @@ -1,22 +1,22 @@ # limit rate 400/minute ip test-ip4 output - [ limit rate 400/minute burst 0 type packets flags 0x0 ] + [ limit rate 400/minute burst 5 type packets flags 0x0 ] # limit rate 20/second ip test-ip4 output - [ limit rate 20/second burst 0 type packets flags 0x0 ] + [ limit rate 20/second burst 5 type packets flags 0x0 ] # limit rate 400/hour ip test-ip4 output - [ limit rate 400/hour burst 0 type packets flags 0x0 ] + [ limit rate 400/hour burst 5 type packets flags 0x0 ] # limit rate 400/week ip test-ip4 output - [ limit rate 400/week burst 0 type packets flags 0x0 ] + [ limit rate 400/week burst 5 type packets flags 0x0 ] # limit rate 40/day ip test-ip4 output - [ limit rate 40/day burst 0 type packets flags 0x0 ] + [ limit rate 40/day burst 5 type packets flags 0x0 ] # limit rate 1023/second burst 10 packets ip test-ip4 output @@ -42,9 +42,18 @@ ip test-ip4 output ip test-ip4 output [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ] -# limit rate 1023000 mbytes/second -ip test-ip4 output - [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ] +# limit rate 1 bytes / second +ip + [ limit rate 1/second burst 0 type bytes flags 0x0 ] + +# limit rate 1 kbytes / second +ip + [ limit rate 1024/second burst 0 type bytes flags 0x0 ] + +# limit rate 1 mbytes / second +ip + [ limit rate 1048576/second burst 0 type bytes flags 0x0 ] + # limit rate 1025 bytes/second burst 512 bytes ip test-ip4 output @@ -58,29 +67,25 @@ ip test-ip4 output ip test-ip4 output [ limit rate 1074790400/second burst 1049600 type bytes flags 0x0 ] -# limit rate 1025000 mbytes/second burst 1023 mbytes -ip test-ip4 output - [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x0 ] - # limit rate over 400/minute ip test-ip4 output - [ limit rate 400/minute burst 0 type packets flags 0x1 ] + [ limit rate 400/minute burst 5 type packets flags 0x1 ] # limit rate over 20/second ip test-ip4 output - [ limit rate 20/second burst 0 type packets flags 0x1 ] + [ limit rate 20/second burst 5 type packets flags 0x1 ] # limit rate over 400/hour ip test-ip4 output - [ limit rate 400/hour burst 0 type packets flags 0x1 ] + [ limit rate 400/hour burst 5 type packets flags 0x1 ] # limit rate over 400/week ip test-ip4 output - [ limit rate 400/week burst 0 type packets flags 0x1 ] + [ limit rate 400/week burst 5 type packets flags 0x1 ] # limit rate over 40/day ip test-ip4 output - [ limit rate 40/day burst 0 type packets flags 0x1 ] + [ limit rate 40/day burst 5 type packets flags 0x1 ] # limit rate over 1023/second burst 10 packets ip test-ip4 output @@ -106,10 +111,6 @@ ip test-ip4 output ip test-ip4 output [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ] -# limit rate over 1023000 mbytes/second -ip test-ip4 output - [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ] - # limit rate over 1025 bytes/second burst 512 bytes ip test-ip4 output [ limit rate 1025/second burst 512 type bytes flags 0x1 ] @@ -121,8 +122,3 @@ ip test-ip4 output # limit rate over 1025 mbytes/second burst 1025 kbytes ip test-ip4 output [ limit rate 1074790400/second burst 1049600 type bytes flags 0x1 ] - -# limit rate over 1025000 mbytes/second burst 1023 mbytes -ip test-ip4 output - [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x1 ] - diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t index 327f973f..bd10c56d 100644 --- a/tests/py/any/meta.t +++ b/tests/py/any/meta.t @@ -1,12 +1,13 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input *arp;test-arp;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress meta length 1000;ok meta length 22;ok @@ -20,8 +21,8 @@ meta length != { 33, 55, 67, 88};ok meta length { 33-55, 66-88};ok meta length != { 33-55, 66-88};ok -meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, vlan, arp} -meta protocol != {ip, arp, ip6, vlan};ok +meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, 8021q, arp} +meta protocol != {ip, arp, ip6, 8021q};ok meta protocol ip;ok meta protocol != ip;ok @@ -29,7 +30,7 @@ meta l4proto 22;ok meta l4proto != 233;ok meta l4proto 33-45;ok meta l4proto != 33-45;ok -meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88} +meta l4proto { 33, 55, 67, 88};ok meta l4proto != { 33, 55, 67, 88};ok meta l4proto { 33-55, 66-88};ok meta l4proto != { 33-55, 66-88};ok @@ -55,6 +56,7 @@ meta mark and 0x03 == 0x01;ok;meta mark & 0x00000003 == 0x00000001 meta mark and 0x03 != 0x01;ok;meta mark & 0x00000003 != 0x00000001 meta mark 0x10;ok;meta mark 0x00000010 meta mark != 0x10;ok;meta mark != 0x00000010 +meta mark 0xffffff00/24;ok;meta mark & 0xffffff00 == 0xffffff00 meta mark or 0x03 == 0x01;ok;meta mark | 0x00000003 == 0x00000001 meta mark or 0x03 != 0x01;ok;meta mark | 0x00000003 != 0x00000001 @@ -101,10 +103,10 @@ meta skuid != "root";ok;meta skuid != 0 meta skuid lt 3000 accept;ok;meta skuid < 3000 accept meta skuid gt 3000 accept;ok;meta skuid > 3000 accept meta skuid eq 3000 accept;ok;meta skuid 3000 accept -meta skuid 3001-3005 accept;ok;meta skuid 3001-3005 accept -meta skuid != 2001-2005 accept;ok;meta skuid != 2001-2005 accept -meta skuid { 2001-2005, 3001-3005} accept;ok;meta skuid { 2001-2005, 3001-3005} accept -meta skuid != { 2001-2005, 3001-3005} accept;ok;meta skuid != { 2001-2005, 3001-3005} accept +meta skuid 3001-3005 accept;ok +meta skuid != 2001-2005 accept;ok +meta skuid { 2001-2005, 3001-3005} accept;ok +meta skuid != { 2001-2005, 3001-3005} accept;ok meta skgid {"bin", "root", "daemon"} accept;ok;meta skgid { 0, 1, 2} accept meta skgid != {"bin", "root", "daemon"} accept;ok;meta skgid != { 1, 0, 2} accept @@ -113,10 +115,8 @@ meta skgid != "root";ok;meta skgid != 0 meta skgid lt 3000 accept;ok;meta skgid < 3000 accept meta skgid gt 3000 accept;ok;meta skgid > 3000 accept meta skgid eq 3000 accept;ok;meta skgid 3000 accept -meta skgid 2001-2005 accept;ok;meta skgid 2001-2005 accept -meta skgid != 2001-2005 accept;ok;meta skgid != 2001-2005 accept -meta skgid { 2001-2005} accept;ok;meta skgid { 2001-2005} accept -meta skgid != { 2001-2005} accept;ok;meta skgid != { 2001-2005} accept +meta skgid 2001-2005 accept;ok +meta skgid != 2001-2005 accept;ok # BUG: meta nftrace 2 and meta nftrace 1 # $ sudo nft add rule ip test input meta nftrace 2 @@ -188,14 +188,12 @@ meta oifgroup {11-33, 44-55};ok;oifgroup {11-33, 44-55} meta oifgroup != { 11,33};ok;oifgroup != { 11,33} meta oifgroup != {11-33, 44-55};ok;oifgroup != {11-33, 44-55} -meta cgroup 1048577;ok;meta cgroup 1048577 -meta cgroup != 1048577;ok;meta cgroup != 1048577 -meta cgroup { 1048577, 1048578 };ok;meta cgroup { 1048577, 1048578} -meta cgroup != { 1048577, 1048578};ok;meta cgroup != { 1048577, 1048578} -meta cgroup 1048577-1048578;ok;meta cgroup 1048577-1048578 -meta cgroup != 1048577-1048578;ok;meta cgroup != 1048577-1048578 -meta cgroup {1048577-1048578};ok;meta cgroup { 1048577-1048578} -meta cgroup != { 1048577-1048578};ok;meta cgroup != { 1048577-1048578} +meta cgroup 1048577;ok +meta cgroup != 1048577;ok +meta cgroup { 1048577, 1048578 };ok +meta cgroup != { 1048577, 1048578};ok +meta cgroup 1048577-1048578;ok +meta cgroup != 1048577-1048578;ok meta iif . meta oif { "lo" . "lo" };ok;iif . oif { "lo" . "lo" } meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a };ok;iif . oif . meta mark { "lo" . "lo" . 0x0000000a } @@ -210,6 +208,8 @@ meta time "2019-06-21 17:00:00" drop;ok meta time "2019-07-01 00:00:00" drop;ok meta time "2019-07-01 00:01:00" drop;ok meta time "2019-07-01 00:00:01" drop;ok +meta time < "2022-07-01 11:00:00" accept;ok +meta time > "2022-07-01 11:00:00" accept;ok meta day "Saturday" drop;ok meta day 6 drop;ok;meta day "Saturday" drop meta day "Satturday" drop;fail @@ -218,7 +218,13 @@ meta hour "17:00:00" drop;ok;meta hour "17:00" drop meta hour "17:00:01" drop;ok meta hour "00:00" drop;ok meta hour "00:01" drop;ok +time < "2022-07-01 11:00:00" accept;ok;meta time < "2022-07-01 11:00:00" accept +time > "2022-07-01 11:00:00" accept;ok;meta time > "2022-07-01 11:00:00" accept meta time "meh";fail meta hour "24:00" drop;fail meta day 7 drop;fail + +meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 };ok +!map1 typeof vlan id : meta mark;ok +meta mark set vlan id map @map1;ok diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json index 47dc0724..676affea 100644 --- a/tests/py/any/meta.t.json +++ b/tests/py/any/meta.t.json @@ -199,7 +199,7 @@ } ] -# meta protocol != {ip, arp, ip6, vlan} +# meta protocol != {ip, arp, ip6, 8021q} [ { "match": { @@ -212,7 +212,7 @@ "ip", "arp", "ip6", - "vlan" + "8021q" ] } } @@ -662,6 +662,26 @@ } ] +# meta mark 0xffffff00/24 +[ + { + "match": { + "left": { + "&": [ + { + "meta": { + "key": "mark" + } + }, + 4294967040 + ] + }, + "op": "==", + "right": 4294967040 + } + } +] + # meta mark or 0x03 == 0x01 [ { @@ -1476,46 +1496,6 @@ } ] -# meta skgid { 2001-2005} accept -[ - { - "match": { - "left": { - "meta": { "key": "skgid" } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 2001, 2005 ] } - ] - } - } - }, - { - "accept": null - } -] - -# meta skgid != { 2001-2005} accept -[ - { - "match": { - "left": { - "meta": { "key": "skgid" } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 2001, 2005 ] } - ] - } - } - }, - { - "accept": null - } -] - # meta mark set 0xffffffc8 xor 0x16 [ { @@ -2581,6 +2561,42 @@ } ] +# meta time < "2022-07-01 11:00:00" accept +[ + { + "match": { + "left": { + "meta": { + "key": "time" + } + }, + "op": "<", + "right": "2022-07-01 11:00:00" + } + }, + { + "accept": null + } +] + +# meta time > "2022-07-01 11:00:00" accept +[ + { + "match": { + "left": { + "meta": { + "key": "time" + } + }, + "op": ">", + "right": "2022-07-01 11:00:00" + } + }, + { + "accept": null + } +] + # meta day "Saturday" drop [ { @@ -2645,7 +2661,7 @@ } }, "op": "==", - "right": "17:00" + "right": "17:00:00" } }, { @@ -2706,3 +2722,99 @@ "drop": null } ] + +# time < "2022-07-01 11:00:00" accept +[ + { + "match": { + "left": { + "meta": { + "key": "time" + } + }, + "op": "<", + "right": "2022-07-01 11:00:00" + } + }, + { + "accept": null + } +] + +# time > "2022-07-01 11:00:00" accept +[ + { + "match": { + "left": { + "meta": { + "key": "time" + } + }, + "op": ">", + "right": "2022-07-01 11:00:00" + } + }, + { + "accept": null + } +] + +# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + 1, + 1 + ], + [ + 4095, + 16533 + ] + ] + }, + "key": { + "payload": { + "field": "id", + "protocol": "vlan" + } + } + } + } + } + } +] + +# meta mark set vlan id map @map1 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map1", + "key": { + "payload": { + "field": "id", + "protocol": "vlan" + } + } + } + } + } + } +] + diff --git a/tests/py/any/meta.t.json.output b/tests/py/any/meta.t.json.output index 037f6718..d46935de 100644 --- a/tests/py/any/meta.t.json.output +++ b/tests/py/any/meta.t.json.output @@ -10,7 +10,7 @@ "set": [ "ip", "arp", - "vlan", + "8021q", "ip6" ] } @@ -18,7 +18,7 @@ } ] -# meta protocol != {ip, arp, ip6, vlan} +# meta protocol != {ip, arp, ip6, 8021q} [ { "match": { @@ -30,7 +30,7 @@ "set": [ "ip", "arp", - "vlan", + "8021q", "ip6" ] } @@ -592,24 +592,6 @@ } ] -# meta time "1970-05-23 21:07:14" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "1970-05-23 21:07:14" - } - }, - { - "drop": null - } -] - # meta time 12341234 drop [ { @@ -620,97 +602,7 @@ } }, "op": "==", - "right": "1970-05-23 21:07:14" - } - }, - { - "drop": null - } -] - -# meta time "2019-06-21 17:00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-06-21 17:00:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:00:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:01:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:01:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:00:01" - } - }, - { - "drop": null - } -] - -# meta day "Saturday" drop -[ - { - "match": { - "left": { - "meta": { - "key": "day" - } - }, - "op": "==", - "right": "Saturday" + "right": "1970-05-23 22:07:14" } }, { @@ -736,24 +628,6 @@ } ] -# meta hour "17:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "17:00" - } - }, - { - "drop": null - } -] - # meta hour "17:00:00" drop [ { @@ -772,57 +646,3 @@ } ] -# meta hour "17:00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "17:00:01" - } - }, - { - "drop": null - } -] - -# meta hour "00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "00:00" - } - }, - { - "drop": null - } -] - -# meta hour "00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "00:01" - } - }, - { - "drop": null - } -] - diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload index 486d7aa5..49dd729b 100644 --- a/tests/py/any/meta.t.payload +++ b/tests/py/any/meta.t.payload @@ -68,7 +68,7 @@ ip test-ip4 input [ meta load protocol => reg 1 ] [ lookup reg 1 set __set%d ] -# meta protocol != {ip, arp, ip6, vlan} +# meta protocol != {ip, arp, ip6, 8021q} __set%d test-ip4 3 __set%d test-ip4 0 element 00000008 : 0 [end] element 00000608 : 0 [end] element 0000dd86 : 0 [end] element 00000081 : 0 [end] @@ -99,14 +99,12 @@ ip test-ip4 input # meta l4proto 33-45 ip test-ip4 input [ meta load l4proto => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 2, 1) ] [ cmp gte reg 1 0x00000021 ] [ cmp lte reg 1 0x0000002d ] # meta l4proto != 33-45 ip test-ip4 input [ meta load l4proto => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 2, 1) ] [ range neq reg 1 0x00000021 0x0000002d ] # meta l4proto { 33, 55, 67, 88} @@ -138,13 +136,13 @@ ip test-ip4 input # meta mark and 0x03 == 0x01 ip test-ip4 input [ meta load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000001 ] # meta mark and 0x03 != 0x01 ip test-ip4 input [ meta load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000001 ] # meta mark 0x10 @@ -157,16 +155,22 @@ ip test-ip4 input [ meta load mark => reg 1 ] [ cmp neq reg 1 0x00000010 ] +# meta mark 0xffffff00/24 +ip test-ip4 input + [ meta load mark => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xffffff00 ) ^ 0x00000000 ] + [ cmp eq reg 1 0xffffff00 ] + # meta mark or 0x03 == 0x01 ip test-ip4 input [ meta load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xfffffffc ) ^ 0x00000003 ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000003 ] [ cmp eq reg 1 0x00000001 ] # meta mark or 0x03 != 0x01 ip test-ip4 input [ meta load mark => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xfffffffc ) ^ 0x00000003 ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000003 ] [ cmp neq reg 1 0x00000001 ] # meta mark xor 0x03 == 0x01 @@ -633,22 +637,6 @@ ip test-ip4 input [ meta load iifgroup => reg 1 ] [ cmp neq reg 1 0x00000000 ] -# meta iifgroup {"default"} -__set%d test-ip4 3 -__set%d test-ip4 0 - element 00000000 : 0 [end] -ip test-ip4 input - [ meta load iifgroup => reg 1 ] - [ lookup reg 1 set __set%d ] - -# meta iifgroup != {"default"} -__set%d test-ip4 3 -__set%d test-ip4 0 - element 00000000 : 0 [end] -ip test-ip4 input - [ meta load iifgroup => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # meta iifgroup { 11,33} __set%d test-ip4 3 __set%d test-ip4 0 @@ -746,7 +734,7 @@ ip test-ip4 output # meta iif . meta oif vmap { "lo" . "lo" : drop } __map%d test-ip4 b __map%d test-ip4 0 - element 00000001 00000001 : 0 [end] + element 00000001 00000001 : drop 0 [end] ip test-ip4 output [ meta load iif => reg 1 ] [ meta load oif => reg 9 ] @@ -865,7 +853,6 @@ __set%d test-ip4 0 element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] element 00000042 : 0 [end] element 00000059 : 1 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 2, 1) ] [ lookup reg 1 set __set%d ] # meta l4proto != { 33-55, 66-88} @@ -874,7 +861,6 @@ __set%d test-ip4 0 element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] element 00000042 : 0 [end] element 00000059 : 1 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 2, 1) ] [ lookup reg 1 set __set%d 0x1 ] # meta skuid { 2001-2005, 3001-3005} accept @@ -981,72 +967,6 @@ ip test-ip4 input [ meta load oifgroup => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# meta iif . meta oif { "lo" . "lo" , "dummy0" . "dummy0" } -__set%d test-ip4 3 size 2 -__set%d test-ip4 0 - element 00000001 00000001 : 0 [end] element 00000005 00000005 : 0 [end] -ip test-ip4 input - [ meta load iif => reg 1 ] - [ meta load oif => reg 9 ] - [ lookup reg 1 set __set%d ] - -# meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a, "dummy0" . "dummy0" . 0x0000000b } -__set%d test-ip4 3 size 2 -__set%d test-ip4 0 - element 00000001 00000001 0000000a : 0 [end] element 00000005 00000005 0000000b : 0 [end] -ip test-ip4 input - [ meta load iif => reg 1 ] - [ meta load oif => reg 9 ] - [ meta load mark => reg 10 ] - [ lookup reg 1 set __set%d ] - -# meta iif . meta oif vmap { "lo" . "lo" : drop, "dummy0" . "dummy0" : accept } -__map%d test-ip4 b size 2 -__map%d test-ip4 0 - element 00000001 00000001 : 0 [end] element 00000005 00000005 : 0 [end] -ip test-ip4 input - [ meta load iif => reg 1 ] - [ meta load oif => reg 9 ] - [ lookup reg 1 set __map%d dreg 0 ] - -# meta skgid { 2001-2005} accept -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end] -ip test-ip4 input - [ meta load skgid => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# meta skgid != { 2001-2005} accept -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end] -ip test-ip4 input - [ meta load skgid => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - -# meta cgroup {1048577-1048578} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 01001000 : 0 [end] element 03001000 : 1 [end] -ip test-ip4 input - [ meta load cgroup => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] - [ lookup reg 1 set __set%d ] - -# meta cgroup != { 1048577-1048578} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 01001000 : 0 [end] element 03001000 : 1 [end] -ip test-ip4 input - [ meta load cgroup => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] - [ lookup reg 1 set __set%d 0x1 ] - # meta time "1970-05-23 21:07:14" drop ip meta-test input [ meta load time => reg 1 ] @@ -1083,6 +1003,20 @@ ip meta-test input [ cmp eq reg 1 0x22eb8a00 0x15ad18e1 ] [ immediate reg 0 drop ] +# meta time < "2022-07-01 11:00:00" accept +ip test-ip4 input + [ meta load time => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp lt reg 1 0xf3a8fd16 0x00a07719 ] + [ immediate reg 0 accept ] + +# meta time > "2022-07-01 11:00:00" accept +ip test-ip4 input + [ meta load time => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp gt reg 1 0xf3a8fd16 0x00a07719 ] + [ immediate reg 0 accept ] + # meta day "Saturday" drop ip test-ip4 input [ meta load day => reg 1 ] @@ -1124,3 +1058,42 @@ ip meta-test input [ meta load hour => reg 1 ] [ cmp eq reg 1 0x0001359c ] [ immediate reg 0 drop ] + +# time < "2022-07-01 11:00:00" accept +ip test-ip4 input + [ meta load time => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp lt reg 1 0xf3a8fd16 0x00a07719 ] + [ immediate reg 0 accept ] + +# time > "2022-07-01 11:00:00" accept +ip test-ip4 input + [ meta load time => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp gt reg 1 0xf3a8fd16 0x00a07719 ] + [ immediate reg 0 accept ] + +# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 } +__map%d test-ip4 b size 2 +__map%d test-ip4 0 + element 00000100 : 00000001 0 [end] element 0000ff0f : 00004095 0 [end] +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set vlan id map @map1 +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/any/meta.t.payload.bridge b/tests/py/any/meta.t.payload.bridge new file mode 100644 index 00000000..5997ccc7 --- /dev/null +++ b/tests/py/any/meta.t.payload.bridge @@ -0,0 +1,20 @@ +# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 } +__map%d test-bridge b size 2 +__map%d test-bridge 0 + element 00000100 : 00000001 0 [end] element 0000ff0f : 00004095 0 [end] +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set vlan id map @map1 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/any/objects.t b/tests/py/any/objects.t index 89a9545f..7b51f918 100644 --- a/tests/py/any/objects.t +++ b/tests/py/any/objects.t @@ -1,12 +1,13 @@ :output;type filter hook output priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;output *ip6;test-ip6;output *inet;test-inet;output *arp;test-arp;output *bridge;test-bridge;output -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress %cnt1 type counter;ok %qt1 type quota 25 mbytes;ok diff --git a/tests/py/any/queue.t b/tests/py/any/queue.t index 75c071dd..2e511362 100644 --- a/tests/py/any/queue.t +++ b/tests/py/any/queue.t @@ -3,16 +3,31 @@ *ip;test-ip4;output *ip6;test-ip6;output *inet;test-inet;output -*arp;test-arp;output *bridge;test-bridge;output -queue;ok;queue num 0 -queue num 2;ok -queue num 65535;ok +queue;ok;queue to 0 +queue num 2;ok;queue to 2 +queue num 65535;ok;queue to 65535 queue num 65536;fail -queue num 2-3;ok -queue num 1-65535;ok -- queue num {3, 4, 6};ok -queue num 4-5 fanout bypass;ok;queue num 4-5 bypass,fanout -queue num 4-5 fanout;ok -queue num 4-5 bypass;ok +queue num 2-3;ok;queue to 2-3 +queue num 1-65535;ok;queue to 1-65535 +queue num 4-5 fanout bypass;ok;queue flags bypass,fanout to 4-5 +queue num 4-5 fanout;ok;queue flags fanout to 4-5 +queue num 4-5 bypass;ok;queue flags bypass to 4-5 + +queue to symhash mod 2 offset 65536;fail +queue num symhash mod 65536;fail +queue to symhash mod 65536;ok +queue flags fanout to symhash mod 65536;fail +queue flags bypass,fanout to symhash mod 65536;fail +queue flags bypass to numgen inc mod 65536;ok +queue to jhash oif . meta mark mod 32;ok +queue to 2;ok +queue to 65535;ok +queue flags bypass to 65535;ok +queue flags bypass to 1-65535;ok +queue flags bypass,fanout to 1-65535;ok +queue to 1-65535;ok +queue to oif;fail +queue num oif;fail +queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 };ok diff --git a/tests/py/any/queue.t.json b/tests/py/any/queue.t.json index 48e86727..5f7f9014 100644 --- a/tests/py/any/queue.t.json +++ b/tests/py/any/queue.t.json @@ -84,3 +84,168 @@ } ] +# queue to symhash mod 65536 +[ + { + "queue": { + "num": { + "symhash": { + "mod": 65536 + } + } + } + } +] + +# queue flags bypass to numgen inc mod 65536 +[ + { + "queue": { + "flags": "bypass", + "num": { + "numgen": { + "mod": 65536, + "mode": "inc", + "offset": 0 + } + } + } + } +] + +# queue to jhash oif . meta mark mod 32 +[ + { + "queue": { + "num": { + "jhash": { + "expr": { + "concat": [ + { + "meta": { + "key": "oif" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "mod": 32 + } + } + } + } +] + +# queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 } +[ + { + "queue": { + "flags": "bypass", + "num": { + "map": { + "data": { + "set": [ + [ + "eth0", + 0 + ], + [ + "ppp0", + 2 + ], + [ + "eth1", + 2 + ] + ] + }, + "key": { + "meta": { + "key": "oifname" + } + } + } + } + } + } +] + +# queue to 2 +[ + { + "queue": { + "num": 2 + } + } +] + +# queue to 65535 +[ + { + "queue": { + "num": 65535 + } + } +] + +# queue flags bypass to 65535 +[ + { + "queue": { + "flags": "bypass", + "num": 65535 + } + } +] + +# queue flags bypass to 1-65535 +[ + { + "queue": { + "flags": "bypass", + "num": { + "range": [ + 1, + 65535 + ] + } + } + } +] + +# queue flags bypass,fanout to 1-65535 +[ + { + "queue": { + "flags": [ + "bypass", + "fanout" + ], + "num": { + "range": [ + 1, + 65535 + ] + } + } + } +] + +# queue to 1-65535 +[ + { + "queue": { + "num": { + "range": [ + 1, + 65535 + ] + } + } + } +] + diff --git a/tests/py/any/queue.t.payload b/tests/py/any/queue.t.payload index 78d939c6..2f221930 100644 --- a/tests/py/any/queue.t.payload +++ b/tests/py/any/queue.t.payload @@ -30,3 +30,52 @@ ip test-ip4 output ip test-ip4 output [ queue num 4-5 bypass ] +# queue to symhash mod 65536 +ip + [ hash reg 1 = symhash() % mod 65536 ] + [ queue sreg_qnum 1 ] + +# queue to jhash oif . meta mark mod 32 +ip + [ meta load oif => reg 2 ] + [ meta load mark => reg 13 ] + [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 32 ] + [ queue sreg_qnum 1 ] + +# queue flags bypass to numgen inc mod 65536 +ip + [ numgen reg 1 = inc mod 65536 ] + [ queue sreg_qnum 1 bypass ] + +# queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 } +__map%d test-ip4 b size 3 +__map%d test-ip4 0 + element 30687465 00000000 00000000 00000000 : 00000000 0 [end] element 30707070 00000000 00000000 00000000 : 00000002 0 [end] element 31687465 00000000 00000000 00000000 : 00000002 0 [end] +ip + [ meta load oifname => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ queue sreg_qnum 1 bypass ] + +# queue to 2 +ip + [ queue num 2 ] + +# queue to 65535 +ip + [ queue num 65535 ] + +# queue flags bypass to 65535 +ip + [ queue num 65535 bypass ] + +# queue flags bypass to 1-65535 +ip + [ queue num 1-65535 bypass ] + +# queue flags bypass,fanout to 1-65535 +ip + [ queue num 1-65535 bypass fanout ] + +# queue to 1-65535 +ip + [ queue num 1-65535 ] diff --git a/tests/py/any/quota.t b/tests/py/any/quota.t index 9a8db114..79dd7654 100644 --- a/tests/py/any/quota.t +++ b/tests/py/any/quota.t @@ -1,12 +1,13 @@ :output;type filter hook output priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;output *ip6;test-ip6;output *inet;test-inet;output *arp;test-arp;output *bridge;test-bridge;output -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress quota 1025 bytes;ok quota 1 kbytes;ok diff --git a/tests/py/any/rawpayload.t b/tests/py/any/rawpayload.t index c3382a96..5bc9d35f 100644 --- a/tests/py/any/rawpayload.t +++ b/tests/py/any/rawpayload.t @@ -1,19 +1,24 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 };ok;meta l4proto { 6, 17, 132} th dport { 22, 23, 80} meta l4proto tcp @th,16,16 { 22, 23, 80};ok;tcp dport { 22, 23, 80} -@nh,8,8 255;ok -@nh,8,16 0;ok +@nh,8,8 0xff;ok +@nh,8,16 0x0;ok # out of range (0-1) @th,16,1 2;fail @ll,0,0 2;fail @ll,0,1;fail -@ll,0,1 1;ok;@ll,0,8 & 128 == 128 -@ll,0,8 and 0x80 eq 0x80;ok;@ll,0,8 & 128 == 128 -@ll,0,128 0xfedcba987654321001234567890abcde;ok;@ll,0,128 338770000845734292516042252062074518750 +@ll,0,1 1;ok;@ll,0,8 & 0x80 == 0x80 +@ll,0,8 & 0x80 == 0x80;ok +@ll,0,128 0xfedcba987654321001234567890abcde;ok + +meta l4proto 91 @th,400,16 0x0 accept;ok + +@ih,32,32 0x14000000;ok diff --git a/tests/py/any/rawpayload.t.json b/tests/py/any/rawpayload.t.json index 22028ad8..4cae4d49 100644 --- a/tests/py/any/rawpayload.t.json +++ b/tests/py/any/rawpayload.t.json @@ -66,7 +66,7 @@ } ] -# @nh,8,8 255 +# @nh,8,8 0xff [ { "match": { @@ -78,12 +78,12 @@ } }, "op": "==", - "right": 255 + "right": "0xff" } } ] -# @nh,8,16 0 +# @nh,8,16 0x0 [ { "match": { @@ -117,7 +117,7 @@ } ] -# @ll,0,8 and 0x80 eq 0x80 +# @ll,0,8 & 0x80 == 0x80 [ { "match": { @@ -156,3 +156,51 @@ } ] +# meta l4proto 91 @th,400,16 0x0 accept +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 91 + } + }, + { + "match": { + "left": { + "payload": { + "base": "th", + "len": 16, + "offset": 400 + } + }, + "op": "==", + "right": 0 + } + }, + { + "accept": null + } +] + +# @ih,32,32 0x14000000 +[ + { + "match": { + "left": { + "payload": { + "base": "ih", + "len": 32, + "offset": 32 + } + }, + "op": "==", + "right": 335544320 + } + } +] + diff --git a/tests/py/any/rawpayload.t.json.output b/tests/py/any/rawpayload.t.json.output index ccadbc57..291b237a 100644 --- a/tests/py/any/rawpayload.t.json.output +++ b/tests/py/any/rawpayload.t.json.output @@ -79,7 +79,7 @@ } ] -# @ll,0,8 and 0x80 eq 0x80 +# @ll,0,8 & 0x80 == 0x80 [ { "match": { @@ -101,3 +101,19 @@ } ] +# @nh,8,8 0xff +[ + { + "match": { + "left": { + "payload": { + "base": "nh", + "len": 8, + "offset": 8 + } + }, + "op": "==", + "right": 255 + } + } +] diff --git a/tests/py/any/rawpayload.t.payload b/tests/py/any/rawpayload.t.payload index a2cc6635..fe2377e6 100644 --- a/tests/py/any/rawpayload.t.payload +++ b/tests/py/any/rawpayload.t.payload @@ -21,12 +21,12 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d ] -# @nh,8,8 255 +# @nh,8,8 0xff inet test-inet input [ payload load 1b @ network header + 1 => reg 1 ] [ cmp eq reg 1 0x000000ff ] -# @nh,8,16 0 +# @nh,8,16 0x0 inet test-inet input [ payload load 2b @ network header + 1 => reg 1 ] [ cmp eq reg 1 0x00000000 ] @@ -34,16 +34,30 @@ inet test-inet input # @ll,0,1 1 inet test-inet input [ payload load 1b @ link header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000080 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000080 ] -# @ll,0,8 and 0x80 eq 0x80 +# @ll,0,8 & 0x80 == 0x80 inet test-inet input [ payload load 1b @ link header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000080 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000080 ] # @ll,0,128 0xfedcba987654321001234567890abcde inet test-inet input [ payload load 16b @ link header + 0 => reg 1 ] [ cmp eq reg 1 0x98badcfe 0x10325476 0x67452301 0xdebc0a89 ] + +# meta l4proto 91 @th,400,16 0x0 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000005b ] + [ payload load 2b @ transport header + 50 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ immediate reg 0 accept ] + +# @ih,32,32 0x14000000 +inet test-inet input + [ payload load 4b @ inner header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000014 ] + diff --git a/tests/py/inet/tcpopt.t b/tests/py/any/tcpopt.t index b457691f..177f01c4 100644 --- a/tests/py/inet/tcpopt.t +++ b/tests/py/any/tcpopt.t @@ -1,42 +1,62 @@ :input;type filter hook input priority 0 +*ip;test-ip4;input +*ip6;test-ip6;input *inet;test-inet;input -tcp option eol kind 1;ok -tcp option noop kind 1;ok -tcp option maxseg kind 1;ok +tcp option eol exists;ok +tcp option nop exists;ok +tcp option maxseg exists;ok tcp option maxseg length 1;ok tcp option maxseg size 1;ok -tcp option window kind 1;ok tcp option window length 1;ok tcp option window count 1;ok -tcp option sack-permitted kind 1;ok -tcp option sack-permitted length 1;ok -tcp option sack kind 1;ok +tcp option sack-perm exists;ok +tcp option sack-perm length 1;ok +tcp option sack exists;ok tcp option sack length 1;ok tcp option sack left 1;ok tcp option sack0 left 1;ok;tcp option sack left 1 tcp option sack1 left 1;ok tcp option sack2 left 1;ok tcp option sack3 left 1;ok +tcp option sack right 1;ok tcp option sack0 right 1;ok;tcp option sack right 1 tcp option sack1 right 1;ok tcp option sack2 right 1;ok tcp option sack3 right 1;ok -tcp option timestamp kind 1;ok +tcp option timestamp exists;ok tcp option timestamp length 1;ok tcp option timestamp tsval 1;ok tcp option timestamp tsecr 1;ok +tcp option 255 missing;ok +tcp option 6 exists;ok +tcp option @255,8,8 255;ok tcp option foobar;fail tcp option foo bar;fail tcp option eol left;fail tcp option eol left 1;fail -tcp option eol left 1;fail tcp option sack window;fail tcp option sack window 1;fail +tcp option 256 exists;fail +tcp option @255,8,8 256;fail tcp option window exists;ok tcp option window missing;ok tcp option maxseg size set 1360;ok + +tcp option md5sig exists;ok +tcp option fastopen exists;ok +tcp option mptcp exists;ok + +tcp option mptcp subtype 0;ok +tcp option mptcp subtype 1;ok +tcp option mptcp subtype { 0, 2};ok + +reset tcp option mptcp;ok +reset tcp option 2;ok;reset tcp option maxseg +reset tcp option 123;ok +reset tcp option meh;fail +reset tcp option 256;fail diff --git a/tests/py/inet/tcpopt.t.json b/tests/py/any/tcpopt.t.json index 45e9c293..87074b9d 100644 --- a/tests/py/inet/tcpopt.t.json +++ b/tests/py/any/tcpopt.t.json @@ -1,47 +1,44 @@ -# tcp option eol kind 1 +# tcp option eol exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "eol" } }, - "op": "==", - "right": 1 + "op": "==", + "right": true } } ] -# tcp option noop kind 1 +# tcp option nop exists [ { "match": { "left": { "tcp option": { - "field": "kind", - "name": "noop" + "name": "nop" } }, - "op": "==", - "right": 1 + "op": "==", + "right": true } } ] -# tcp option maxseg kind 1 +# tcp option maxseg exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "maxseg" } }, - "op": "==", - "right": 1 + "op": "==", + "right": true } } ] @@ -56,7 +53,7 @@ "name": "maxseg" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -72,23 +69,7 @@ "name": "maxseg" } }, - "op": "==", - "right": 1 - } - } -] - -# tcp option window kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "window" - } - }, - "op": "==", + "op": "==", "right": 1 } } @@ -104,7 +85,7 @@ "name": "window" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -120,56 +101,54 @@ "name": "window" } }, - "op": "==", + "op": "==", "right": 1 } } ] -# tcp option sack-permitted kind 1 +# tcp option sack-perm exists [ { "match": { "left": { "tcp option": { - "field": "kind", - "name": "sack-permitted" + "name": "sack-perm" } }, - "op": "==", - "right": 1 + "op": "==", + "right": true } } ] -# tcp option sack-permitted length 1 +# tcp option sack-perm length 1 [ { "match": { "left": { "tcp option": { "field": "length", - "name": "sack-permitted" + "name": "sack-perm" } }, - "op": "==", + "op": "==", "right": 1 } } ] -# tcp option sack kind 1 +# tcp option sack exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "sack" } }, - "op": "==", - "right": 1 + "op": "==", + "right": true } } ] @@ -184,7 +163,7 @@ "name": "sack" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -200,7 +179,7 @@ "name": "sack" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -216,7 +195,7 @@ "name": "sack0" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -232,7 +211,7 @@ "name": "sack1" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -248,7 +227,7 @@ "name": "sack2" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -264,7 +243,23 @@ "name": "sack3" } }, - "op": "==", + "op": "==", + "right": 1 + } + } +] + +# tcp option sack right 1 +[ + { + "match": { + "left": { + "tcp option": { + "field": "right", + "name": "sack" + } + }, + "op": "==", "right": 1 } } @@ -280,7 +275,7 @@ "name": "sack0" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -296,7 +291,7 @@ "name": "sack1" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -312,7 +307,7 @@ "name": "sack2" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -328,24 +323,23 @@ "name": "sack3" } }, - "op": "==", + "op": "==", "right": 1 } } ] -# tcp option timestamp kind 1 +# tcp option timestamp exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "timestamp" } }, - "op": "==", - "right": 1 + "op": "==", + "right": true } } ] @@ -360,7 +354,7 @@ "name": "timestamp" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -376,7 +370,7 @@ "name": "timestamp" } }, - "op": "==", + "op": "==", "right": 1 } } @@ -392,12 +386,63 @@ "name": "timestamp" } }, - "op": "==", + "op": "==", "right": 1 } } ] +# tcp option 255 missing +[ + { + "match": { + "left": { + "tcp option": { + "base": 255, + "len": 8, + "offset": 0 + } + }, + "op": "==", + "right": false + } + } +] + +# tcp option 6 exists +[ + { + "match": { + "left": { + "tcp option": { + "base": 6, + "len": 8, + "offset": 0 + } + }, + "op": "==", + "right": true + } + } +] + +# tcp option @255,8,8 255 +[ + { + "match": { + "left": { + "tcp option": { + "base": 255, + "len": 8, + "offset": 8 + } + }, + "op": "==", + "right": 255 + } + } +] + # tcp option window exists [ { @@ -407,7 +452,7 @@ "name": "window" } }, - "op": "==", + "op": "==", "right": true } } @@ -422,7 +467,7 @@ "name": "window" } }, - "op": "==", + "op": "==", "right": false } } @@ -443,3 +488,135 @@ } ] +# tcp option md5sig exists +[ + { + "match": { + "left": { + "tcp option": { + "name": "md5sig" + } + }, + "op": "==", + "right": true + } + } +] + +# tcp option fastopen exists +[ + { + "match": { + "left": { + "tcp option": { + "name": "fastopen" + } + }, + "op": "==", + "right": true + } + } +] + +# tcp option mptcp exists +[ + { + "match": { + "left": { + "tcp option": { + "name": "mptcp" + } + }, + "op": "==", + "right": true + } + } +] + +# tcp option mptcp subtype 0 +[ + { + "match": { + "left": { + "tcp option": { + "field": "subtype", + "name": "mptcp" + } + }, + "op": "==", + "right": 0 + } + } +] + +# tcp option mptcp subtype 1 +[ + { + "match": { + "left": { + "tcp option": { + "field": "subtype", + "name": "mptcp" + } + }, + "op": "==", + "right": 1 + } + } +] + +# tcp option mptcp subtype { 0, 2} +[ + { + "match": { + "left": { + "tcp option": { + "field": "subtype", + "name": "mptcp" + } + }, + "op": "==", + "right": { + "set": [ + 0, + 2 + ] + } + } + } +] + +# reset tcp option mptcp +[ + { + "reset": { + "tcp option": { + "name": "mptcp" + } + } + } +] + +# reset tcp option 2 +[ + { + "reset": { + "tcp option": { + "name": "maxseg" + } + } + } +] + +# reset tcp option 123 +[ + { + "reset": { + "tcp option": { + "base": 123, + "len": 0, + "offset": 0 + } + } + } +] diff --git a/tests/py/inet/tcpopt.t.json.output b/tests/py/any/tcpopt.t.json.output index ad0d25f4..ad0d25f4 100644 --- a/tests/py/inet/tcpopt.t.json.output +++ b/tests/py/any/tcpopt.t.json.output diff --git a/tests/py/any/tcpopt.t.payload b/tests/py/any/tcpopt.t.payload new file mode 100644 index 00000000..99b8985f --- /dev/null +++ b/tests/py/any/tcpopt.t.payload @@ -0,0 +1,202 @@ +# tcp option eol exists +inet + [ exthdr load tcpopt 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option nop exists +inet + [ exthdr load tcpopt 1b @ 1 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option maxseg exists +inet + [ exthdr load tcpopt 1b @ 2 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option maxseg length 1 +inet + [ exthdr load tcpopt 1b @ 2 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option maxseg size 1 +inet + [ exthdr load tcpopt 2b @ 2 + 2 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + +# tcp option window length 1 +inet + [ exthdr load tcpopt 1b @ 3 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option window count 1 +inet + [ exthdr load tcpopt 1b @ 3 + 2 => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option sack-perm exists +inet + [ exthdr load tcpopt 1b @ 4 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option sack-perm length 1 +inet + [ exthdr load tcpopt 1b @ 4 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option sack exists +inet + [ exthdr load tcpopt 1b @ 5 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option sack length 1 +inet + [ exthdr load tcpopt 1b @ 5 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option sack left 1 +inet + [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack0 left 1 +inet + [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack1 left 1 +inet + [ exthdr load tcpopt 4b @ 5 + 10 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack2 left 1 +inet + [ exthdr load tcpopt 4b @ 5 + 18 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack3 left 1 +inet + [ exthdr load tcpopt 4b @ 5 + 26 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack right 1 +inet + [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack0 right 1 +inet + [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack1 right 1 +inet + [ exthdr load tcpopt 4b @ 5 + 14 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack2 right 1 +inet + [ exthdr load tcpopt 4b @ 5 + 22 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option sack3 right 1 +inet + [ exthdr load tcpopt 4b @ 5 + 30 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option timestamp exists +inet + [ exthdr load tcpopt 1b @ 8 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option timestamp length 1 +inet + [ exthdr load tcpopt 1b @ 8 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option timestamp tsval 1 +inet + [ exthdr load tcpopt 4b @ 8 + 2 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option timestamp tsecr 1 +inet + [ exthdr load tcpopt 4b @ 8 + 6 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# tcp option 255 missing +inet + [ exthdr load tcpopt 1b @ 255 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp option 6 exists +inet + [ exthdr load tcpopt 1b @ 6 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option @255,8,8 255 +inet + [ exthdr load tcpopt 1b @ 255 + 1 => reg 1 ] + [ cmp eq reg 1 0x000000ff ] + +# tcp option window exists +inet + [ exthdr load tcpopt 1b @ 3 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option window missing +inet + [ exthdr load tcpopt 1b @ 3 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp option maxseg size set 1360 +inet + [ immediate reg 1 0x00005005 ] + [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ] + +# tcp option md5sig exists +inet + [ exthdr load tcpopt 1b @ 19 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option fastopen exists +inet + [ exthdr load tcpopt 1b @ 34 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option mptcp exists +inet + [ exthdr load tcpopt 1b @ 30 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option mptcp subtype 0 +inet + [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp option mptcp subtype 1 +inet + [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000010 ] + +# tcp option mptcp subtype { 0, 2} +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 00000000 : 0 [end] element 00000020 : 0 [end] +inet + [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# reset tcp option mptcp +ip test-ip4 input + [ exthdr reset tcpopt 30 ] + +# reset tcp option 2 +ip test-ip4 input + [ exthdr reset tcpopt 2 ] + +# reset tcp option 123 +ip test-ip4 input + [ exthdr reset tcpopt 123 ] diff --git a/tests/py/arp/arp.t b/tests/py/arp/arp.t index 2540c0a7..222b91cf 100644 --- a/tests/py/arp/arp.t +++ b/tests/py/arp/arp.t @@ -1,9 +1,10 @@ # filter chains available are: input, output, forward :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *arp;test-arp;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress arp htype 1;ok arp htype != 1;ok @@ -13,8 +14,6 @@ arp htype 33-45;ok arp htype != 33-45;ok arp htype { 33, 55, 67, 88};ok arp htype != { 33, 55, 67, 88};ok -arp htype { 33-55};ok -arp htype != { 33-55};ok arp ptype 0x0800;ok;arp ptype ip @@ -24,8 +23,6 @@ arp hlen 33-45;ok arp hlen != 33-45;ok arp hlen { 33, 55, 67, 88};ok arp hlen != { 33, 55, 67, 88};ok -arp hlen { 33-55};ok -arp hlen != { 33-55};ok arp plen 22;ok arp plen != 233;ok @@ -33,8 +30,6 @@ arp plen 33-45;ok arp plen != 33-45;ok arp plen { 33, 55, 67, 88};ok arp plen != { 33, 55, 67, 88};ok -arp plen { 33-55};ok -arp plen != {33-55};ok arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request};ok arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok @@ -46,7 +41,6 @@ arp operation rreply;ok arp operation inrequest;ok arp operation inreply;ok arp operation nak;ok -arp operation reply;ok arp operation != request;ok arp operation != reply;ok arp operation != rrequest;ok @@ -54,11 +48,13 @@ arp operation != rreply;ok arp operation != inrequest;ok arp operation != inreply;ok arp operation != nak;ok -arp operation != reply;ok arp saddr ip 1.2.3.4;ok arp daddr ip 4.3.2.1;ok arp saddr ether aa:bb:cc:aa:bb:cc;ok arp daddr ether aa:bb:cc:aa:bb:cc;ok +arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee;ok +arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1;ok;arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee + meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566;ok;iifname "invalid" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 arp daddr ip 192.168.143.16 arp daddr ether set 11:22:33:44:55:66 diff --git a/tests/py/arp/arp.t.json b/tests/py/arp/arp.t.json index 5f2f6cd8..7ce76095 100644 --- a/tests/py/arp/arp.t.json +++ b/tests/py/arp/arp.t.json @@ -144,46 +144,6 @@ } ] -# arp htype { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "htype", - "protocol": "arp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# arp htype != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "htype", - "protocol": "arp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # arp ptype 0x0800 [ { @@ -314,46 +274,6 @@ } ] -# arp hlen { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "hlen", - "protocol": "arp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# arp hlen != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "hlen", - "protocol": "arp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # arp plen 22 [ { @@ -468,46 +388,6 @@ } ] -# arp plen { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "plen", - "protocol": "arp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# arp plen != {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "plen", - "protocol": "arp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request} [ { @@ -693,22 +573,6 @@ } ] -# arp operation reply -[ - { - "match": { - "left": { - "payload": { - "field": "operation", - "protocol": "arp" - } - }, - "op": "==", - "right": "reply" - } - } -] - # arp operation != request [ { @@ -821,61 +685,61 @@ } ] -# arp operation != reply +# arp saddr ip 1.2.3.4 [ { "match": { "left": { "payload": { - "field": "operation", + "field": "saddr ip", "protocol": "arp" } }, - "op": "!=", - "right": "reply" + "op": "==", + "right": "1.2.3.4" } } ] -# arp saddr ip 1.2.3.4 +# arp daddr ip 4.3.2.1 [ { "match": { "left": { "payload": { - "field": "saddr ip", + "field": "daddr ip", "protocol": "arp" } }, "op": "==", - "right": "1.2.3.4" + "right": "4.3.2.1" } } ] -# arp daddr ip 4.3.2.1 +# arp saddr ether aa:bb:cc:aa:bb:cc [ { "match": { "left": { "payload": { - "field": "daddr ip", + "field": "saddr ether", "protocol": "arp" } }, "op": "==", - "right": "4.3.2.1" + "right": "aa:bb:cc:aa:bb:cc" } } ] -# arp saddr ether aa:bb:cc:aa:bb:cc +# arp daddr ether aa:bb:cc:aa:bb:cc [ { "match": { "left": { "payload": { - "field": "saddr ether", + "field": "daddr ether", "protocol": "arp" } }, @@ -885,18 +749,58 @@ } ] -# arp daddr ether aa:bb:cc:aa:bb:cc +# arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee [ { "match": { "left": { "payload": { + "field": "saddr ip", + "protocol": "arp" + } + }, + "op": "==", + "right": "192.168.1.1" + } + }, + { + "match": { + "left": { + "payload": { "field": "daddr ether", "protocol": "arp" } }, "op": "==", - "right": "aa:bb:cc:aa:bb:cc" + "right": "fe:ed:00:c0:ff:ee" + } + } +] + +# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr ether", + "protocol": "arp" + } + }, + "op": "==", + "right": "fe:ed:00:c0:ff:ee" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr ip", + "protocol": "arp" + } + }, + "op": "==", + "right": "192.168.1.1" } } ] diff --git a/tests/py/arp/arp.t.json.output b/tests/py/arp/arp.t.json.output index b8507bff..afa75b2e 100644 --- a/tests/py/arp/arp.t.json.output +++ b/tests/py/arp/arp.t.json.output @@ -66,6 +66,34 @@ } ] +# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr ip", + "protocol": "arp" + } + }, + "op": "==", + "right": "192.168.1.1" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr ether", + "protocol": "arp" + } + }, + "op": "==", + "right": "fe:ed:00:c0:ff:ee" + } + } +] + # meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 [ { diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload index 52c99329..d56927b5 100644 --- a/tests/py/arp/arp.t.payload +++ b/tests/py/arp/arp.t.payload @@ -45,22 +45,6 @@ arp test-arp input [ payload load 2b @ network header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp htype { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -arp test-arp input - [ payload load 2b @ network header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp htype != { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -arp test-arp input - [ payload load 2b @ network header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp ptype 0x0800 arp test-arp input [ payload load 2b @ network header + 2 => reg 1 ] @@ -103,22 +87,6 @@ arp test-arp input [ payload load 1b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp hlen { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -arp test-arp input - [ payload load 1b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp hlen != { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -arp test-arp input - [ payload load 1b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp plen 22 arp test-arp input [ payload load 1b @ network header + 5 => reg 1 ] @@ -156,22 +124,6 @@ arp test-arp input [ payload load 1b @ network header + 5 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp plen { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -arp test-arp input - [ payload load 1b @ network header + 5 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp plen != {33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -arp test-arp input - [ payload load 1b @ network header + 5 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request} __set%d test-arp 3 __set%d test-arp 0 @@ -229,11 +181,6 @@ arp test-arp input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp eq reg 1 0x00000a00 ] -# arp operation reply -arp test-arp input - [ payload load 2b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000200 ] - # arp operation != request arp test-arp input [ payload load 2b @ network header + 6 => reg 1 ] @@ -269,11 +216,6 @@ arp test-arp input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x00000a00 ] -# arp operation != reply -arp test-arp input - [ payload load 2b @ network header + 6 => reg 1 ] - [ cmp neq reg 1 0x00000200 ] - # meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 arp test-arp input [ meta load iifname => reg 1 ] @@ -307,3 +249,13 @@ arp test-arp input [ payload load 6b @ network header + 18 => reg 1 ] [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ] +# arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee +arp + [ payload load 10b @ network header + 14 => reg 1 ] + [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ] + +# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1 +arp + [ payload load 10b @ network header + 14 => reg 1 ] + [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ] + diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev index 667691ff..92df2400 100644 --- a/tests/py/arp/arp.t.payload.netdev +++ b/tests/py/arp/arp.t.payload.netdev @@ -61,26 +61,6 @@ netdev test-netdev ingress [ payload load 2b @ network header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp htype { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 2b @ network header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp htype != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 2b @ network header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp ptype 0x0800 netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -137,26 +117,6 @@ netdev test-netdev ingress [ payload load 1b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp hlen { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp hlen != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp plen 22 netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -206,26 +166,6 @@ netdev test-netdev ingress [ payload load 1b @ network header + 5 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp plen { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 5 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp plen != {33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 5 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request} __set%d test-netdev 3 __set%d test-netdev 0 @@ -303,13 +243,6 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ cmp eq reg 1 0x00000a00 ] -# arp operation reply -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 2b @ network header + 6 => reg 1 ] - [ cmp eq reg 1 0x00000200 ] - # arp operation != request netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -359,13 +292,6 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x00000a00 ] -# arp operation != reply -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 2b @ network header + 6 => reg 1 ] - [ cmp neq reg 1 0x00000200 ] - # meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 netdev test-netdev ingress [ meta load iifname => reg 1 ] @@ -409,3 +335,17 @@ netdev test-netdev ingress [ payload load 6b @ network header + 18 => reg 1 ] [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ] +# arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000608 ] + [ payload load 10b @ network header + 14 => reg 1 ] + [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ] + +# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1 +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000608 ] + [ payload load 10b @ network header + 14 => reg 1 ] + [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ] + diff --git a/tests/py/bridge/chains.t b/tests/py/bridge/chains.t index 85dde73e..e071d9a3 100644 --- a/tests/py/bridge/chains.t +++ b/tests/py/bridge/chains.t @@ -1,8 +1,8 @@ # filter chains available are: prerouting, input, output, forward, postrouting -:filter-pre;type filter hook input priority 0 +:filter-pre;type filter hook prerouting priority 0 :filter-output;type filter hook output priority 0 :filter-forward;type filter hook forward priority 0 :filter-input;type filter hook input priority 0 -:filter-post;type filter hook input priority 0 +:filter-post;type filter hook postrouting priority 0 *bridge;test-bridge;filter-pre,filter-output,filter-forward,filter-input,filter-post diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t index 94525f29..171aa610 100644 --- a/tests/py/bridge/meta.t +++ b/tests/py/bridge/meta.t @@ -4,5 +4,10 @@ meta obrname "br0";ok meta ibrname "br0";ok -meta ibrvproto vlan;ok +meta ibrvproto vlan;ok;meta ibrvproto 8021q meta ibrpvid 100;ok + +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok + +meta broute set 1;fail diff --git a/tests/py/bridge/meta.t.json b/tests/py/bridge/meta.t.json index a7a180c2..d7dc9d7b 100644 --- a/tests/py/bridge/meta.t.json +++ b/tests/py/bridge/meta.t.json @@ -32,7 +32,7 @@ "meta": { "key": "ibrvproto" } }, "op": "==", - "right": "vlan" + "right": "8021q" } } ] @@ -49,3 +49,57 @@ } } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] diff --git a/tests/py/bridge/meta.t.payload b/tests/py/bridge/meta.t.payload index aa8c994b..0a39842a 100644 --- a/tests/py/bridge/meta.t.payload +++ b/tests/py/bridge/meta.t.payload @@ -17,3 +17,21 @@ bridge test-bridge input bridge test-bridge input [ meta load bri_iifpvid => reg 1 ] [ cmp eq reg 1 0x00000064 ] + +# meta protocol ip udp dport 67 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] diff --git a/tests/py/bridge/redirect.t b/tests/py/bridge/redirect.t new file mode 100644 index 00000000..5181e799 --- /dev/null +++ b/tests/py/bridge/redirect.t @@ -0,0 +1,5 @@ +:prerouting;type filter hook prerouting priority 0 + +*bridge;test-bridge;prerouting + +meta broute set 1;ok diff --git a/tests/py/bridge/redirect.t.json b/tests/py/bridge/redirect.t.json new file mode 100644 index 00000000..7e32b329 --- /dev/null +++ b/tests/py/bridge/redirect.t.json @@ -0,0 +1,12 @@ +# meta broute set 1 +[ + { + "mangle": { + "key": { + "meta": { "key": "broute" } + }, + "value": 1 + } + } +] + diff --git a/tests/py/bridge/redirect.t.payload b/tests/py/bridge/redirect.t.payload new file mode 100644 index 00000000..1fcfa5f1 --- /dev/null +++ b/tests/py/bridge/redirect.t.payload @@ -0,0 +1,4 @@ +# meta broute set 1 +bridge test-bridge prerouting + [ immediate reg 1 0x00000001 ] + [ meta set broute with reg 1 ] diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t index ee7e93c8..336b51bb 100644 --- a/tests/py/bridge/reject.t +++ b/tests/py/bridge/reject.t @@ -3,42 +3,40 @@ *bridge;test-bridge;input # The output is specific for bridge family -reject with icmp type host-unreachable;ok -reject with icmp type net-unreachable;ok -reject with icmp type prot-unreachable;ok -reject with icmp type port-unreachable;ok -reject with icmp type net-prohibited;ok -reject with icmp type host-prohibited;ok -reject with icmp type admin-prohibited;ok - -reject with icmpv6 type no-route;ok -reject with icmpv6 type admin-prohibited;ok -reject with icmpv6 type addr-unreachable;ok -reject with icmpv6 type port-unreachable;ok +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset reject;ok -ether type ip reject;ok;reject with icmp type port-unreachable -ether type ip6 reject;ok;reject with icmpv6 type port-unreachable - -reject with icmpx type host-unreachable;ok -reject with icmpx type no-route;ok -reject with icmpx type admin-prohibited;ok -reject with icmpx type port-unreachable;ok;reject - -ether type ipv6 reject with icmp type host-unreachable;fail -ether type ip6 reject with icmp type host-unreachable;fail -ether type ip reject with icmpv6 type no-route;fail -ether type vlan reject;fail +ether type ip reject;ok;reject with icmp port-unreachable +ether type ip6 reject;ok;reject with icmpv6 port-unreachable + +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject + +ether type ipv6 reject with icmp host-unreachable;fail +ether type ip6 reject with icmp host-unreachable;fail +ether type ip reject with icmpv6 no-route;fail +ether type vlan reject;ok;ether type 8021q reject ether type arp reject;fail -ether type vlan reject;fail -ether type arp reject;fail -ether type vlan reject with tcp reset;fail +ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type 8021q reject with tcp reset ether type arp reject with tcp reset;fail ip protocol udp reject with tcp reset;fail -ether type ip reject with icmpx type admin-prohibited;ok -ether type ip6 reject with icmpx type admin-prohibited;ok -ether type vlan reject with icmpx type admin-prohibited;fail -ether type arp reject with icmpx type admin-prohibited;fail +ether type ip reject with icmpx admin-prohibited;ok +ether type ip6 reject with icmpx admin-prohibited;ok +ether type 8021q reject with icmpx admin-prohibited;ok +ether type arp reject with icmpx admin-prohibited;fail diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json index d20a1d8b..9f9e6c1e 100644 --- a/tests/py/bridge/reject.t.json +++ b/tests/py/bridge/reject.t.json @@ -1,4 +1,4 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -8,7 +8,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -18,7 +18,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -28,7 +28,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { @@ -38,7 +38,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -48,7 +48,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -58,7 +58,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -68,7 +68,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -78,7 +78,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { @@ -88,7 +88,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -98,7 +98,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -183,7 +183,7 @@ } ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable [ { "reject": { @@ -193,7 +193,7 @@ } ] -# reject with icmpx type no-route +# reject with icmpx no-route [ { "reject": { @@ -203,7 +203,7 @@ } ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited [ { "reject": { @@ -213,7 +213,7 @@ } ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable [ { "reject": { @@ -223,7 +223,7 @@ } ] -# ether type ip reject with icmpx type admin-prohibited +# ether type ip reject with icmpx admin-prohibited [ { "match": { @@ -245,7 +245,7 @@ } ] -# ether type ip6 reject with icmpx type admin-prohibited +# ether type ip6 reject with icmpx admin-prohibited [ { "match": { @@ -267,3 +267,75 @@ } ] +# ether type vlan reject with tcp reset +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + +# ether type vlan reject +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "vlan" + } + }, + { + "reject": null + } +] + +# ether type 8021q reject with icmpx admin-prohibited +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output index 4f83f803..b8a44f0e 100644 --- a/tests/py/bridge/reject.t.json.output +++ b/tests/py/bridge/reject.t.json.output @@ -1,103 +1,3 @@ -# reject with icmp type host-unreachable -[ - { - "reject": { - "expr": "host-unreachable", - "type": "icmp" - } - } -] - -# reject with icmp type net-unreachable -[ - { - "reject": { - "expr": "net-unreachable", - "type": "icmp" - } - } -] - -# reject with icmp type prot-unreachable -[ - { - "reject": { - "expr": "prot-unreachable", - "type": "icmp" - } - } -] - -# reject with icmp type net-prohibited -[ - { - "reject": { - "expr": "net-prohibited", - "type": "icmp" - } - } -] - -# reject with icmp type host-prohibited -[ - { - "reject": { - "expr": "host-prohibited", - "type": "icmp" - } - } -] - -# reject with icmp type admin-prohibited -[ - { - "reject": { - "expr": "admin-prohibited", - "type": "icmp" - } - } -] - -# reject with icmpv6 type no-route -[ - { - "reject": { - "expr": "no-route", - "type": "icmpv6" - } - } -] - -# reject with icmpv6 type admin-prohibited -[ - { - "reject": { - "expr": "admin-prohibited", - "type": "icmpv6" - } - } -] - -# reject with icmpv6 type addr-unreachable -[ - { - "reject": { - "expr": "addr-unreachable", - "type": "icmpv6" - } - } -] - -# reject with icmpv6 type port-unreachable -[ - { - "reject": { - "expr": "port-unreachable", - "type": "icmpv6" - } - } -] - # mark 12345 ip protocol tcp reject with tcp reset [ { @@ -130,10 +30,13 @@ } ] -# reject with icmpx type port-unreachable +# reject [ { - "reject": null + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } } ] @@ -156,3 +59,25 @@ } } ] + +# ether type vlan reject +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } + } +] diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload index 0d10547b..bad9adc0 100644 --- a/tests/py/bridge/reject.t.payload +++ b/tests/py/bridge/reject.t.payload @@ -1,64 +1,64 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 13 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -90,31 +90,51 @@ bridge test-bridge input [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 4 ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable bridge test-bridge input [ reject type 2 code 2 ] -# reject with icmpx type no-route +# reject with icmpx no-route bridge test-bridge input [ reject type 2 code 0 ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited bridge test-bridge input [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable bridge test-bridge input [ reject type 2 code 1 ] -# ether type ip reject with icmpx type admin-prohibited +# ether type ip reject with icmpx admin-prohibited bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 2 code 3 ] -# ether type ip6 reject with icmpx type admin-prohibited +# ether type ip6 reject with icmpx admin-prohibited bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 2 code 3 ] +# ether type vlan reject +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ reject type 2 code 1 ] + +# ether type vlan reject with tcp reset +bridge + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ reject type 1 code 0 ] + +# ether type 8021q reject with icmpx admin-prohibited +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ reject type 2 code 3 ] + diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t index 7a52a502..8fa90dac 100644 --- a/tests/py/bridge/vlan.t +++ b/tests/py/bridge/vlan.t @@ -1,27 +1,29 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress vlan id 4094;ok vlan id 0;ok # bad vlan id vlan id 4096;fail -vlan id 4094 vlan cfi 0;ok -vlan id 4094 vlan cfi != 1;ok -vlan id 4094 vlan cfi 1;ok -# bad cfi -vlan id 4094 vlan cfi 2;fail -vlan id 4094 vlan cfi 1 vlan pcp 8;fail -vlan id 4094 vlan cfi 1 vlan pcp 7;ok -vlan id 4094 vlan cfi 1 vlan pcp 3;ok +vlan id 4094 vlan dei 0;ok +vlan id 4094 vlan dei 1;ok +vlan id 4094 vlan dei != 1;ok +vlan id 4094 vlan cfi 1;ok;vlan id 4094 vlan dei 1 +# bad dei +vlan id 4094 vlan dei 2;fail +vlan id 4094 vlan dei 1 vlan pcp 8;fail +vlan id 4094 vlan dei 1 vlan pcp 7;ok +vlan id 4094 vlan dei 1 vlan pcp 3;ok ether type vlan vlan id 4094;ok;vlan id 4094 ether type vlan vlan id 0;ok;vlan id 0 -ether type vlan vlan id 4094 vlan cfi 0;ok;vlan id 4094 vlan cfi 0 -ether type vlan vlan id 4094 vlan cfi 1;ok;vlan id 4094 vlan cfi 1 -ether type vlan vlan id 4094 vlan cfi 2;fail +ether type vlan vlan id 4094 vlan dei 0;ok;vlan id 4094 vlan dei 0 +ether type vlan vlan id 4094 vlan dei 1;ok;vlan id 4094 vlan dei 1 +ether type vlan vlan id 4094 vlan dei 2;fail vlan id 4094 tcp dport 22;ok vlan id 1 ip saddr 10.0.0.1;ok @@ -32,8 +34,23 @@ ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53;ok;vlan id 1 ip sadd vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3;ok vlan id { 1, 2, 4, 100, 4096 };fail -ether type vlan ip protocol 1 accept;ok +ether type vlan ip protocol 1 accept;ok;ether type 8021q ip protocol 1 accept + +# IEEE 802.1AD +ether type 8021ad vlan id 1 ip protocol 6 accept;ok +ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter;ok +ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6;ok;ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 ip protocol 6 # illegal dependencies ether type ip vlan id 1;fail ether type ip vlan id 1 ip saddr 10.0.0.1;fail + +# mangling +vlan id 1 vlan id set 2;ok + +ether saddr 00:01:02:03:04:05 vlan id 1;ok +vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2 + +ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 };ok + +ether saddr 00:11:22:33:44:55 counter ether type 8021q;ok diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json index 3fb2e4f7..7dfcdb4b 100644 --- a/tests/py/bridge/vlan.t.json +++ b/tests/py/bridge/vlan.t.json @@ -30,7 +30,7 @@ } ] -# vlan id 4094 vlan cfi 0 +# vlan id 4094 vlan dei 0 [ { "match": { @@ -48,7 +48,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -58,7 +58,7 @@ } ] -# vlan id 4094 vlan cfi != 1 +# vlan id 4094 vlan dei 1 [ { "match": { @@ -76,7 +76,35 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# vlan id 4094 vlan dei != 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dei", "protocol": "vlan" } }, @@ -104,7 +132,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -114,7 +142,7 @@ } ] -# vlan id 4094 vlan cfi 1 vlan pcp 7 +# vlan id 4094 vlan dei 1 vlan pcp 7 [ { "match": { @@ -132,7 +160,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -154,7 +182,7 @@ } ] -# vlan id 4094 vlan cfi 1 vlan pcp 3 +# vlan id 4094 vlan dei 1 vlan pcp 3 [ { "match": { @@ -172,7 +200,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -226,7 +254,7 @@ } ] -# ether type vlan vlan id 4094 vlan cfi 0 +# ether type vlan vlan id 4094 vlan dei 0 [ { "match": { @@ -244,7 +272,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -254,7 +282,7 @@ } ] -# ether type vlan vlan id 4094 vlan cfi 1 +# ether type vlan vlan id 4094 vlan dei 1 [ { "match": { @@ -272,7 +300,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -530,3 +558,337 @@ } ] +# ether type 8021ad vlan id 1 ip protocol 6 accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "accept": null + } +] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "counter": { + "bytes": 0, + "packets": 0 + } + } +] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + } +] + +# vlan id 1 vlan id set 2 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "value": 2 + } + } +] + +# ether saddr 00:01:02:03:04:05 vlan id 1 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:01:02:03:04:05" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# vlan id 2 ether saddr 0:1:2:3:4:6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:01:02:03:04:06" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "payload": { + "field": "id", + "protocol": "vlan" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "0a:0b:0c:0d:0e:0f", + 42 + ] + }, + { + "concat": [ + "0a:0b:0c:0d:0e:0f", + 4095 + ] + } + ] + } + } + } +] + +# ether saddr 00:11:22:33:44:55 counter ether type 8021q +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:11:22:33:44:55" + } + }, + { + "counter": { + "bytes": 0, + "packets": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021q" + } + } +] diff --git a/tests/py/bridge/vlan.t.json.output b/tests/py/bridge/vlan.t.json.output index 8f27ec0e..eea2d411 100644 --- a/tests/py/bridge/vlan.t.json.output +++ b/tests/py/bridge/vlan.t.json.output @@ -9,7 +9,7 @@ } }, "op": "==", - "right": "vlan" + "right": "8021q" } }, { @@ -29,3 +29,207 @@ } ] +# ether type 8021ad vlan id 1 ip protocol 6 accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "accept": null + } +] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "counter": null + } +] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + } +] + +# ether saddr 00:11:22:33:44:55 counter ether type 8021q +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:11:22:33:44:55" + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021q" + } + } +] diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload index bb8925e3..2592bb96 100644 --- a/tests/py/bridge/vlan.t.payload +++ b/tests/py/bridge/vlan.t.payload @@ -3,7 +3,7 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] # vlan id 0 @@ -11,40 +11,51 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# vlan id 4094 vlan cfi 0 +# vlan id 4094 vlan cfi 1 +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000fe0f ] + [ payload load 1b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000010 ] + +# vlan id 4094 vlan dei 0 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# vlan id 4094 vlan cfi != 1 +# vlan id 4094 vlan dei != 1 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000010 ] -# vlan id 4094 vlan cfi 1 +# vlan id 4094 vlan dei 1 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000010 ] # ether type vlan vlan id 4094 @@ -52,7 +63,7 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] # ether type vlan vlan id 0 @@ -60,29 +71,29 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# ether type vlan vlan id 4094 vlan cfi 0 +# ether type vlan vlan id 4094 vlan dei 0 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# ether type vlan vlan id 4094 vlan cfi 1 +# ether type vlan vlan id 4094 vlan dei 1 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000010 ] # vlan id 4094 tcp dport 22 @@ -90,7 +101,7 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -102,7 +113,7 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000100 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -114,12 +125,12 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000100 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00feffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000a ] # vlan id 1 ip saddr 10.0.0.0/23 udp dport 53 @@ -127,12 +138,12 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000100 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00feffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000a ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] @@ -144,44 +155,44 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000100 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00feffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000a ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00003500 ] -# vlan id 4094 vlan cfi 1 vlan pcp 7 +# vlan id 4094 vlan dei 1 vlan pcp 7 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000010 ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000e0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] -# vlan id 4094 vlan cfi 1 vlan pcp 3 +# vlan id 4094 vlan dei 1 vlan pcp 3 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000010 ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000e0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000060 ] # vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3 @@ -192,10 +203,10 @@ bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000e0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ] [ cmp gte reg 1 0x00000020 ] [ cmp lte reg 1 0x00000060 ] @@ -209,3 +220,95 @@ bridge test-bridge input [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] +# ether type 8021ad vlan id 1 ip protocol 6 accept +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 0 accept ] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + [ payload load 2b @ link header + 20 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ counter pkts 0 bytes 0 ] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6 +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + [ payload load 2b @ link header + 20 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# vlan id 1 vlan id set 2 +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] + +# ether saddr 00:01:02:03:04:05 vlan id 1 +bridge test-bridge input + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x03020100 0x00810504 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# vlan id 2 ether saddr 0:1:2:3:4:6 +bridge test-bridge input + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x03020100 0x00810604 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + +# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } +__set%d test-bridge 3 size 2 +__set%d test-bridge 0 + element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end] +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ payload load 2b @ link header + 14 => reg 10 ] + [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# ether saddr 00:11:22:33:44:55 counter ether type 8021q +bridge test-bridge input + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x33221100 0x00005544 ] + [ counter pkts 0 bytes 0 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev index 0a3f90a5..f3341947 100644 --- a/tests/py/bridge/vlan.t.payload.netdev +++ b/tests/py/bridge/vlan.t.payload.netdev @@ -5,7 +5,7 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] # vlan id 0 @@ -15,46 +15,59 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# vlan id 4094 vlan cfi 0 +# vlan id 4094 vlan dei 0 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# vlan id 4094 vlan cfi != 1 +# vlan id 4094 vlan dei != 1 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000010 ] # vlan id 4094 vlan cfi 1 +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000fe0f ] + [ payload load 1b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000010 ] + +# vlan id 4094 vlan dei 1 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000010 ] # ether type vlan vlan id 4094 @@ -64,7 +77,7 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] # ether type vlan vlan id 0 @@ -74,33 +87,33 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# ether type vlan vlan id 4094 vlan cfi 0 +# ether type vlan vlan id 4094 vlan dei 0 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# ether type vlan vlan id 4094 vlan cfi 1 +# ether type vlan vlan id 4094 vlan dei 1 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000010 ] # vlan id 4094 tcp dport 22 @@ -110,7 +123,7 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -124,7 +137,7 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000100 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -138,12 +151,12 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000100 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00feffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000a ] # vlan id 1 ip saddr 10.0.0.0/23 udp dport 53 @@ -153,12 +166,12 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000100 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00feffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000a ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] @@ -172,48 +185,48 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000100 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00feffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000a ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00003500 ] -# vlan id 4094 vlan cfi 1 vlan pcp 7 +# vlan id 4094 vlan dei 1 vlan pcp 7 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000010 ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000e0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] -# vlan id 4094 vlan cfi 1 vlan pcp 3 +# vlan id 4094 vlan dei 1 vlan pcp 3 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000fe0f ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000010 ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000e0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000060 ] # vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3 @@ -226,10 +239,10 @@ netdev test-netdev ingress [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] [ payload load 1b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000e0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ] [ cmp gte reg 1 0x00000020 ] [ cmp lte reg 1 0x00000060 ] @@ -245,3 +258,111 @@ netdev test-netdev ingress [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] +# ether type 8021ad vlan id 1 ip protocol 6 accept +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 0 accept ] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + [ payload load 2b @ link header + 20 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ counter pkts 0 bytes 0 ] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6 +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + [ payload load 2b @ link header + 20 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# vlan id 1 vlan id set 2 +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] + +# vlan id 2 ether saddr 0:1:2:3:4:6 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x03020100 0x00810604 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + +# ether saddr 00:01:02:03:04:05 vlan id 1 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x03020100 0x00810504 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } +__set%d test-netdev 3 size 2 +__set%d test-netdev 0 + element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end] +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ payload load 2b @ link header + 14 => reg 10 ] + [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# ether saddr 00:11:22:33:44:55 counter ether type 8021q +bridge test-bridge input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x33221100 0x00005544 ] + [ counter pkts 0 bytes 0 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t index 8544d9dd..83b6202b 100644 --- a/tests/py/inet/ah.t +++ b/tests/py/inet/ah.t @@ -1,12 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress - -# nexthdr Bug to list table. +*netdev;test-netdev;ingress,egress - ah nexthdr esp;ok - ah nexthdr ah;ok @@ -22,8 +21,6 @@ ah hdrlength 11-23;ok ah hdrlength != 11-23;ok -ah hdrlength { 11-23};ok -ah hdrlength != { 11-23};ok ah hdrlength {11, 23, 44 };ok ah hdrlength != {11, 23, 44 };ok @@ -33,8 +30,6 @@ ah reserved 33-45;ok ah reserved != 33-45;ok ah reserved {23, 100};ok ah reserved != {23, 100};ok -ah reserved { 33-55};ok -ah reserved != { 33-55};ok ah spi 111;ok ah spi != 111;ok @@ -42,15 +37,11 @@ ah spi 111-222;ok ah spi != 111-222;ok ah spi {111, 122};ok ah spi != {111, 122};ok -ah spi { 111-122};ok -ah spi != { 111-122};ok # sequence ah sequence 123;ok ah sequence != 123;ok ah sequence {23, 25, 33};ok ah sequence != {23, 25, 33};ok -ah sequence { 23-33};ok -ah sequence != { 23-33};ok ah sequence 23-33;ok ah sequence != 23-33;ok diff --git a/tests/py/inet/ah.t.json b/tests/py/inet/ah.t.json index 4efdb0dd..217280b6 100644 --- a/tests/py/inet/ah.t.json +++ b/tests/py/inet/ah.t.json @@ -34,46 +34,6 @@ } ] -# ah hdrlength { 11-23} -[ - { - "match": { - "left": { - "payload": { - "field": "hdrlength", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 11, 23 ] } - ] - } - } - } -] - -# ah hdrlength != { 11-23} -[ - { - "match": { - "left": { - "payload": { - "field": "hdrlength", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 11, 23 ] } - ] - } - } - } -] - # ah hdrlength {11, 23, 44 } [ { @@ -228,46 +188,6 @@ } ] -# ah reserved { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "reserved", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ah reserved != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "reserved", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ah spi 111 [ { @@ -378,46 +298,6 @@ } ] -# ah spi { 111-122} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 111, 122 ] } - ] - } - } - } -] - -# ah spi != { 111-122} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 111, 122 ] } - ] - } - } - } -] - # ah sequence 123 [ { @@ -494,46 +374,6 @@ } ] -# ah sequence { 23-33} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 33 ] } - ] - } - } - } -] - -# ah sequence != { 23-33} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 33 ] } - ] - } - } - } -] - # ah sequence 23-33 [ { diff --git a/tests/py/inet/ah.t.payload b/tests/py/inet/ah.t.payload index 5ec5fba1..7ddd72d5 100644 --- a/tests/py/inet/ah.t.payload +++ b/tests/py/inet/ah.t.payload @@ -13,26 +13,6 @@ inet test-inet input [ payload load 1b @ transport header + 1 => reg 1 ] [ range neq reg 1 0x0000000b 0x00000017 ] -# ah hdrlength { 11-23} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah hdrlength != { 11-23} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah hdrlength {11, 23, 44 } __set%d test-inet 3 __set%d test-inet 0 @@ -102,26 +82,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah reserved { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah reserved != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah spi 111 inet test-inet input [ meta load l4proto => reg 1 ] @@ -171,26 +131,6 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah spi { 111-122} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah spi != { 111-122} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah sequence 123 inet test-inet input [ meta load l4proto => reg 1 ] @@ -225,26 +165,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah sequence { 23-33} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah sequence != { 23-33} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah sequence 23-33 inet test-inet input [ meta load l4proto => reg 1 ] diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t index 0df18139..2ef53820 100644 --- a/tests/py/inet/comp.t +++ b/tests/py/inet/comp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress # BUG: nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed. - comp nexthdr esp;ok;comp nexthdr 50 @@ -20,8 +21,6 @@ comp flags 0x33-0x45;ok comp flags != 0x33-0x45;ok comp flags {0x33, 0x55, 0x67, 0x88};ok comp flags != {0x33, 0x55, 0x67, 0x88};ok -comp flags { 0x33-0x55};ok -comp flags != { 0x33-0x55};ok comp cpi 22;ok comp cpi != 233;ok @@ -29,5 +28,3 @@ comp cpi 33-45;ok comp cpi != 33-45;ok comp cpi {33, 55, 67, 88};ok comp cpi != {33, 55, 67, 88};ok -comp cpi { 33-55};ok -comp cpi != { 33-55};ok diff --git a/tests/py/inet/comp.t.json b/tests/py/inet/comp.t.json index b9b24f98..c9f6fcac 100644 --- a/tests/py/inet/comp.t.json +++ b/tests/py/inet/comp.t.json @@ -128,46 +128,6 @@ } ] -# comp flags { 0x33-0x55} -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "comp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ "0x33", "0x55" ] } - ] - } - } - } -] - -# comp flags != { 0x33-0x55} -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "comp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ "0x33", "0x55" ] } - ] - } - } - } -] - # comp cpi 22 [ { @@ -282,43 +242,3 @@ } ] -# comp cpi { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "cpi", - "protocol": "comp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# comp cpi != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "cpi", - "protocol": "comp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/inet/comp.t.payload b/tests/py/inet/comp.t.payload index dec38aea..024e47cd 100644 --- a/tests/py/inet/comp.t.payload +++ b/tests/py/inet/comp.t.payload @@ -54,26 +54,6 @@ inet test-inet input [ payload load 1b @ transport header + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# comp flags { 0x33-0x55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# comp flags != { 0x33-0x55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # comp cpi 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -123,23 +103,3 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# comp cpi { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# comp cpi != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t index 3d0dffad..5312b328 100644 --- a/tests/py/inet/ct.t +++ b/tests/py/inet/ct.t @@ -6,7 +6,7 @@ meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4 ct original ip6 saddr ::1;ok -ct original ip daddr {1.2.3.4} accept;ok +ct original ip daddr 1.2.3.4 accept;ok # missing protocol context ct original saddr ::1;fail diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json index e7f928ca..223ac9e7 100644 --- a/tests/py/inet/ct.t.json +++ b/tests/py/inet/ct.t.json @@ -39,7 +39,7 @@ } ] -# ct original ip daddr {1.2.3.4} accept +# ct original ip daddr 1.2.3.4 accept [ { "match": { @@ -50,11 +50,7 @@ } }, "op": "==", - "right": { - "set": [ - "1.2.3.4" - ] - } + "right": "1.2.3.4" } }, { diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload index 3b274f8c..f7a2ef27 100644 --- a/tests/py/inet/ct.t.payload +++ b/tests/py/inet/ct.t.payload @@ -10,11 +10,8 @@ inet test-inet input [ ct load src_ip6 => reg 1 , dir original ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ] -# ct original ip daddr {1.2.3.4} accept -__set%d test-inet 3 size 1 -__set%d test-inet 0 - element 04030201 : 0 [end] +# ct original ip daddr 1.2.3.4 accept inet test-inet input [ ct load dst_ip => reg 1 , dir original ] - [ lookup reg 1 set __set%d ] + [ cmp eq reg 1 0x04030201 ] [ immediate reg 0 accept ] diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t index f0dd788b..99cddbe7 100644 --- a/tests/py/inet/dccp.t +++ b/tests/py/inet/dccp.t @@ -1,30 +1,30 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress dccp sport 21-35;ok dccp sport != 21-35;ok dccp sport {23, 24, 25};ok dccp sport != {23, 24, 25};ok -dccp sport { 20-50 };ok -dccp sport ftp-data - re-mail-ck;ok;dccp sport 20-50 dccp sport 20-50;ok -dccp sport { 20-50};ok -dccp sport != { 20-50};ok # dccp dport 21-35;ok # dccp dport != 21-35;ok dccp dport {23, 24, 25};ok dccp dport != {23, 24, 25};ok -dccp dport { 20-50};ok -dccp dport != { 20-50};ok dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok dccp type request;ok dccp type != request;ok + +dccp option 0 exists;ok +dccp option 43 missing;ok +dccp option 255 exists;ok +dccp option 256 exists;fail diff --git a/tests/py/inet/dccp.t.json b/tests/py/inet/dccp.t.json index 9260fbc5..9f47e97b 100644 --- a/tests/py/inet/dccp.t.json +++ b/tests/py/inet/dccp.t.json @@ -78,44 +78,6 @@ } ] -# dccp sport { 20-50 } -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - -# dccp sport ftp-data - re-mail-ck -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "range": [ "ftp-data", "re-mail-ck" ] - } - } - } -] - # dccp sport 20-50 [ { @@ -134,46 +96,6 @@ } ] -# dccp sport { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - -# dccp sport != { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - # dccp dport {23, 24, 25} [ { @@ -218,46 +140,6 @@ } ] -# dccp dport { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - -# dccp dport != { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "dccp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} [ { @@ -348,3 +230,47 @@ } ] +# dccp option 0 exists +[ + { + "match": { + "left": { + "dccp option": { + "type": 0 + } + }, + "op": "==", + "right": true + } + } +] + +# dccp option 43 missing +[ + { + "match": { + "left": { + "dccp option": { + "type": 43 + } + }, + "op": "==", + "right": false + } + } +] + +# dccp option 255 exists +[ + { + "match": { + "left": { + "dccp option": { + "type": 255 + } + }, + "op": "==", + "right": true + } + } +] diff --git a/tests/py/inet/dccp.t.payload b/tests/py/inet/dccp.t.payload index b5a48f40..c0b87be1 100644 --- a/tests/py/inet/dccp.t.payload +++ b/tests/py/inet/dccp.t.payload @@ -33,24 +33,6 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dccp sport { 20-50 } -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dccp sport ftp-data - re-mail-ck -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ cmp gte reg 1 0x00001400 ] - [ cmp lte reg 1 0x00003200 ] - # dccp sport 20-50 inet test-inet input [ meta load l4proto => reg 1 ] @@ -59,26 +41,6 @@ inet test-inet input [ cmp gte reg 1 0x00001400 ] [ cmp lte reg 1 0x00003200 ] -# dccp sport { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dccp sport != { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dccp dport {23, 24, 25} __set%d test-ip4 3 __set%d test-ip4 0 @@ -99,26 +61,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dccp dport { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dccp dport != { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} __set%d test-inet 3 __set%d test-inet 0 @@ -127,7 +69,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000021 ] [ payload load 1b @ transport header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} @@ -138,7 +80,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000021 ] [ payload load 1b @ transport header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] # dccp type request @@ -146,7 +88,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000021 ] [ payload load 1b @ transport header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # dccp type != request @@ -154,6 +96,20 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000021 ] [ payload load 1b @ transport header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] +# dccp option 0 exists +ip test-inet input + [ exthdr load 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# dccp option 43 missing +ip test-inet input + [ exthdr load 1b @ 43 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# dccp option 255 exists +ip test-inet input + [ exthdr load 1b @ 255 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t index fcdf9436..e4e169f2 100644 --- a/tests/py/inet/dnat.t +++ b/tests/py/inet/dnat.t @@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok +meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80 dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok @@ -14,3 +15,8 @@ dnat ip6 to 1.2.3.4;fail dnat to 1.2.3.4;fail dnat ip6 to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};fail ip6 daddr dead::beef dnat to 10.1.2.3;fail + +meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80;ok;meta l4proto { 6, 17} dnat ip to 1.1.1.1:80 +ip protocol { tcp, udp } dnat ip to 1.1.1.1:80;ok;ip protocol { 6, 17} dnat ip to 1.1.1.1:80 +meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail +ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json index ac6dac62..c341a045 100644 --- a/tests/py/inet/dnat.t.json +++ b/tests/py/inet/dnat.t.json @@ -164,3 +164,78 @@ } ] +# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "dnat": { + "addr": "1.1.1.1", + "family": "ip", + "port": 80 + } + } +] + +# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "dnat": { + "addr": "1.1.1.1", + "family": "ip", + "port": 80 + } + } +] + +# meta l4proto tcp dnat to :80 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "dnat": { + "port": 80 + } + } +] + diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload index b81caf7b..ce1601ab 100644 --- a/tests/py/inet/dnat.t.payload +++ b/tests/py/inet/dnat.t.payload @@ -7,7 +7,7 @@ inet test-inet prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005000 ] [ immediate reg 1 0x0000901f ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] # iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2 inet test-inet prerouting @@ -18,7 +18,7 @@ inet test-inet prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000bb01 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443 inet test-inet prerouting @@ -30,7 +30,7 @@ inet test-inet prerouting [ cmp eq reg 1 0x0000bb01 ] [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] [ immediate reg 2 0x00005b11 ] - [ nat dnat ip6 addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 ] + [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ] # dnat ip to ct mark map { 0x00000014 : 1.2.3.4} __map%d test-inet b size 1 @@ -39,7 +39,7 @@ __map%d test-inet 0 inet test-inet prerouting [ ct load mark => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} __map%d test-inet b size 1 @@ -51,4 +51,36 @@ inet test-inet prerouting [ ct load mark => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] + +# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80 +__set%d test-inet 3 +__set%d test-inet 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +inet + [ meta load l4proto => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 1 0x01010101 ] + [ immediate reg 2 0x00005000 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80 +__set%d test-inet 3 +__set%d test-inet 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 1 0x01010101 ] + [ immediate reg 2 0x00005000 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# meta l4proto tcp dnat to :80 +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00005000 ] + [ nat dnat inet proto_min reg 1 flags 0x2 ] + diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t index e79eeada..536260cf 100644 --- a/tests/py/inet/esp.t +++ b/tests/py/inet/esp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress esp spi 100;ok esp spi != 100;ok @@ -12,13 +13,9 @@ esp spi 111-222;ok esp spi != 111-222;ok esp spi { 100, 102};ok esp spi != { 100, 102};ok -esp spi { 100-102};ok -- esp spi {100-102};ok esp sequence 22;ok esp sequence 22-24;ok esp sequence != 22-24;ok esp sequence { 22, 24};ok esp sequence != { 22, 24};ok -esp sequence { 22-25};ok -esp sequence != { 22-25};ok diff --git a/tests/py/inet/esp.t.json b/tests/py/inet/esp.t.json index 84ea9eea..a9dedd6f 100644 --- a/tests/py/inet/esp.t.json +++ b/tests/py/inet/esp.t.json @@ -108,26 +108,6 @@ } ] -# esp spi { 100-102} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "esp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 100, 102 ] } - ] - } - } - } -] - # esp sequence 22 [ { @@ -222,43 +202,3 @@ } ] -# esp sequence { 22-25} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "esp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 22, 25 ] } - ] - } - } - } -] - -# esp sequence != { 22-25} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "esp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 22, 25 ] } - ] - } - } - } -] - diff --git a/tests/py/inet/esp.t.payload b/tests/py/inet/esp.t.payload index ad68530b..0353b056 100644 --- a/tests/py/inet/esp.t.payload +++ b/tests/py/inet/esp.t.payload @@ -47,26 +47,6 @@ inet test-inet input [ payload load 4b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# esp spi { 100-102} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# esp spi != { 100-102} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # esp sequence 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -109,23 +89,3 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# esp sequence { 22-25} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# esp sequence != { 22-25} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/inet/ether-ip.t b/tests/py/inet/ether-ip.t index 0c8c7f9d..759124de 100644 --- a/tests/py/inet/ether-ip.t +++ b/tests/py/inet/ether-ip.t @@ -1,8 +1,9 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok diff --git a/tests/py/inet/ether-ip.t.payload.netdev b/tests/py/inet/ether-ip.t.payload.netdev index 16b09212..b0fa6d84 100644 --- a/tests/py/inet/ether-ip.t.payload.netdev +++ b/tests/py/inet/ether-ip.t.payload.netdev @@ -13,21 +13,6 @@ netdev test-netdev ingress [ payload load 6b @ link header + 6 => reg 1 ] [ cmp eq reg 1 0x0c540f00 0x00000411 ] -# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 -netdev test-netdev ingress - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp eq reg 1 0x00001600 ] - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp eq reg 1 0x04030201 ] - [ meta load iiftype => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - # tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept netdev test-netdev ingress [ meta load l4proto => reg 1 ] diff --git a/tests/py/inet/ether.t b/tests/py/inet/ether.t index afdf8b89..8625f70b 100644 --- a/tests/py/inet/ether.t +++ b/tests/py/inet/ether.t @@ -1,13 +1,20 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept;ok ether saddr 00:0f:54:0c:11:04 accept;ok + +vlan id 1;ok +ether type vlan vlan id 2;ok;vlan id 2 + +# invalid dependency +ether type ip vlan id 1;fail diff --git a/tests/py/inet/ether.t.json b/tests/py/inet/ether.t.json index 84b184c7..c7a7f886 100644 --- a/tests/py/inet/ether.t.json +++ b/tests/py/inet/ether.t.json @@ -88,3 +88,35 @@ } ] +# vlan id 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# ether type vlan vlan id 2 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + } +] + diff --git a/tests/py/inet/ether.t.payload b/tests/py/inet/ether.t.payload index 53648413..8b74a781 100644 --- a/tests/py/inet/ether.t.payload +++ b/tests/py/inet/ether.t.payload @@ -30,3 +30,23 @@ inet test-inet input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] +# vlan id 1 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + diff --git a/tests/py/inet/ether.t.payload.bridge b/tests/py/inet/ether.t.payload.bridge index 4a6bccbe..0128d5f0 100644 --- a/tests/py/inet/ether.t.payload.bridge +++ b/tests/py/inet/ether.t.payload.bridge @@ -1,17 +1,3 @@ -# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 meta nfproto ipv4 accept -bridge test-bridge input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp eq reg 1 0x00001600 ] - [ meta load iiftype => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ immediate reg 0 accept ] - # tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept bridge test-bridge input [ meta load l4proto => reg 1 ] @@ -40,10 +26,19 @@ bridge test-bridge input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] -# ether saddr 00:0f:54:0c:11:04 meta nfproto ipv4 +# vlan id 1 bridge test-bridge input - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] diff --git a/tests/py/inet/ether.t.payload.ip b/tests/py/inet/ether.t.payload.ip index 196930fd..7c91f412 100644 --- a/tests/py/inet/ether.t.payload.ip +++ b/tests/py/inet/ether.t.payload.ip @@ -1,4 +1,4 @@ -# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 meta nfproto ipv4 accept +# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -8,11 +8,9 @@ ip test-ip4 input [ cmp eq reg 1 0x00000001 ] [ payload load 6b @ link header + 6 => reg 1 ] [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] [ immediate reg 0 accept ] -# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -24,32 +22,31 @@ ip test-ip4 input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] -# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept +# ether saddr 00:0f:54:0c:11:04 accept ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp eq reg 1 0x00001600 ] [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 6b @ link header + 6 => reg 1 ] [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] -# ether saddr 00:0f:54:0c:11:04 accept +# vlan id 1 ip test-ip4 input [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ immediate reg 0 accept ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] -# ether saddr 00:0f:54:0c:11:04 meta nfproto ipv4 +# ether type vlan vlan id 2 ip test-ip4 input [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload index 1d4c3d94..050857d9 100644 --- a/tests/py/inet/fib.t.payload +++ b/tests/py/inet/fib.t.payload @@ -16,7 +16,7 @@ ip test-ip prerouting # fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept } __map%d test-ip b __map%d test-ip 0 - element 00000006 : 0 [end] element 00000008 : 0 [end] element 00000001 : 0 [end] + element 00000006 : drop 0 [end] element 00000008 : drop 0 [end] element 00000001 : accept 0 [end] ip test-ip prerouting [ fib daddr . iif type => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] diff --git a/tests/py/inet/geneve.t b/tests/py/inet/geneve.t new file mode 100644 index 00000000..101f6dfc --- /dev/null +++ b/tests/py/inet/geneve.t @@ -0,0 +1,23 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +geneve vni 10;fail +udp dport 6081 geneve vni 10;ok +udp dport 6081 geneve ip saddr 10.141.11.2;ok +udp dport 6081 geneve ip saddr 10.141.11.0/24;ok +udp dport 6081 geneve ip protocol 1;ok +udp dport 6081 geneve udp sport 8888;ok +udp dport 6081 geneve icmp type echo-reply;ok +udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05;ok +udp dport 6081 geneve vlan id 10;ok +udp dport 6081 geneve ip dscp 0x02;ok +udp dport 6081 geneve ip dscp 0x02;ok +udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +udp dport 6081 geneve ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/geneve.t.json b/tests/py/inet/geneve.t.json new file mode 100644 index 00000000..a299fcd2 --- /dev/null +++ b/tests/py/inet/geneve.t.json @@ -0,0 +1,344 @@ +# udp dport 6081 geneve vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "geneve", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 6081 geneve ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 6081 geneve udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 6081 geneve icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 6081 geneve vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "geneve" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/geneve.t.payload b/tests/py/inet/geneve.t.payload new file mode 100644 index 00000000..1ce54de6 --- /dev/null +++ b/tests/py/inet/geneve.t.payload @@ -0,0 +1,114 @@ +# udp dport 6081 geneve vni 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ cmp eq reg 1 0x000a0000 ] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# udp dport 6081 geneve ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# udp dport 6081 geneve udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# udp dport 6081 geneve icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# udp dport 6081 geneve vlan id 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# udp dport 6081 geneve ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/gre.t b/tests/py/inet/gre.t new file mode 100644 index 00000000..a3e046a1 --- /dev/null +++ b/tests/py/inet/gre.t @@ -0,0 +1,22 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +gre version 0;ok +gre ip saddr 10.141.11.2;ok +gre ip saddr 10.141.11.0/24;ok +gre ip protocol 1;ok +gre udp sport 8888;ok +gre icmp type echo-reply;ok +gre ether saddr 62:87:4d:d6:19:05;fail +gre vlan id 10;fail +gre ip dscp 0x02;ok +gre ip dscp 0x02;ok +gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +gre ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/gre.t.json b/tests/py/inet/gre.t.json new file mode 100644 index 00000000..c4431764 --- /dev/null +++ b/tests/py/inet/gre.t.json @@ -0,0 +1,177 @@ +# gre version 0 +[ + { + "match": { + "left": { + "payload": { + "field": "version", + "protocol": "gre" + } + }, + "op": "==", + "right": 0 + } + } +] + +# gre ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gre ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gre ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gre udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gre" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gre icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gre" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gre" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/gre.t.payload b/tests/py/inet/gre.t.payload new file mode 100644 index 00000000..333133ed --- /dev/null +++ b/tests/py/inet/gre.t.payload @@ -0,0 +1,78 @@ +# gre version 0 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000007 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# gre ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# gre ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# gre ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# gre udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 3 hdrsize 4 flags c [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# gre icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# gre ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/gretap.t b/tests/py/inet/gretap.t new file mode 100644 index 00000000..cd7ee215 --- /dev/null +++ b/tests/py/inet/gretap.t @@ -0,0 +1,21 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +gretap ip saddr 10.141.11.2;ok +gretap ip saddr 10.141.11.0/24;ok +gretap ip protocol 1;ok +gretap udp sport 8888;ok +gretap icmp type echo-reply;ok +gretap ether saddr 62:87:4d:d6:19:05;ok +gretap vlan id 10;ok +gretap ip dscp 0x02;ok +gretap ip dscp 0x02;ok +gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +gretap ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/gretap.t.json b/tests/py/inet/gretap.t.json new file mode 100644 index 00000000..36fa9782 --- /dev/null +++ b/tests/py/inet/gretap.t.json @@ -0,0 +1,195 @@ +# gretap ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gretap ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gretap ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gretap udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gretap icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gretap ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# gretap vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 10 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gretap" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/gretap.t.payload b/tests/py/inet/gretap.t.payload new file mode 100644 index 00000000..654c71e4 --- /dev/null +++ b/tests/py/inet/gretap.t.payload @@ -0,0 +1,87 @@ +# gretap ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# gretap ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# gretap ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# gretap udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# gretap icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# gretap ether saddr 62:87:4d:d6:19:05 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# gretap vlan id 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# gretap ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/icmpX.t b/tests/py/inet/icmpX.t index 97ff96d0..9430b3d3 100644 --- a/tests/py/inet/icmpX.t +++ b/tests/py/inet/icmpX.t @@ -7,4 +7,4 @@ icmp type echo-request;ok ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;ip6 nexthdr 58 icmpv6 type echo-request icmpv6 type echo-request;ok # must not remove 'ip protocol' dependency, this explicitly matches icmpv6-in-ipv4. -ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 meta l4proto 58 icmpv6 type destination-unreachable +ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 icmpv6 type destination-unreachable diff --git a/tests/py/inet/icmpX.t.json.output b/tests/py/inet/icmpX.t.json.output index 9b0bf9f7..7765cd90 100644 --- a/tests/py/inet/icmpX.t.json.output +++ b/tests/py/inet/icmpX.t.json.output @@ -71,15 +71,6 @@ { "match": { "left": { - "meta": { "key": "l4proto" } - }, - "op": "==", - "right": 58 - } - }, - { - "match": { - "left": { "payload": { "field": "type", "protocol": "icmpv6" diff --git a/tests/py/inet/ip.t b/tests/py/inet/ip.t index 4eb69d73..bdb3330c 100644 --- a/tests/py/inet/ip.t +++ b/tests/py/inet/ip.t @@ -1,9 +1,12 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe };ok +ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop };fail +ip saddr vmap { 3.3.3.3-3.3.3.4 : accept, 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail diff --git a/tests/py/inet/ip.t.payload.bridge b/tests/py/inet/ip.t.payload.bridge index a422ed76..57dbc9eb 100644 --- a/tests/py/inet/ip.t.payload.bridge +++ b/tests/py/inet/ip.t.payload.bridge @@ -3,7 +3,7 @@ __set%d test-bridge 3 __set%d test-bridge 0 element 01010101 02020202 fecafeca 0000feca : 0 [end] bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t index f2a28ebd..03bafc09 100644 --- a/tests/py/inet/ip_tcp.t +++ b/tests/py/inet/ip_tcp.t @@ -1,15 +1,16 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress # must not remove ip dependency -- ONLY ipv4 packets should be matched ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22 -# can remove it here, ip protocol is implied via saddr. -ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip saddr 1.2.3.4 tcp dport 22 +# could in principle remove it here since ipv4 is implied via saddr. +ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 ip saddr 1.2.3.4 tcp dport 22 # but not here. ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 counter ip saddr 1.2.3.4 tcp dport 22 diff --git a/tests/py/inet/ip_tcp.t.json.output b/tests/py/inet/ip_tcp.t.json.output index 4a6a05d7..acad8b1f 100644 --- a/tests/py/inet/ip_tcp.t.json.output +++ b/tests/py/inet/ip_tcp.t.json.output @@ -32,6 +32,18 @@ "match": { "left": { "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { "field": "saddr", "protocol": "ip" } diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t index e924e9bc..b18df395 100644 --- a/tests/py/inet/ipsec.t +++ b/tests/py/inet/ipsec.t @@ -19,3 +19,5 @@ ipsec in ip6 daddr dead::beef;ok ipsec out ip6 saddr dead::feed;ok ipsec in spnum 256 reqid 1;fail + +counter ipsec out ip daddr 192.168.1.2;ok diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json index d7d3a03c..18a64f35 100644 --- a/tests/py/inet/ipsec.t.json +++ b/tests/py/inet/ipsec.t.json @@ -134,3 +134,24 @@ } } ] + +# counter ipsec out ip daddr 192.168.1.2 +[ + { + "counter": null + }, + { + "match": { + "left": { + "ipsec": { + "dir": "out", + "family": "ip", + "key": "daddr", + "spnum": 0 + } + }, + "op": "==", + "right": "192.168.1.2" + } + } +] diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload index c46a2263..9648255d 100644 --- a/tests/py/inet/ipsec.t.payload +++ b/tests/py/inet/ipsec.t.payload @@ -37,3 +37,9 @@ ip ipsec-ip4 ipsec-forw [ xfrm load out 0 saddr6 => reg 1 ] [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ] +# counter ipsec out ip daddr 192.168.1.2 +ip ipsec-ip4 ipsec-forw + [ counter pkts 0 bytes 0 ] + [ xfrm load out 0 daddr4 => reg 1 ] + [ cmp eq reg 1 0x0201a8c0 ] + diff --git a/tests/py/inet/map.t b/tests/py/inet/map.t index e83490a8..5a7161b7 100644 --- a/tests/py/inet/map.t +++ b/tests/py/inet/map.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;meta mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a} mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;meta mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017} diff --git a/tests/py/inet/map.t.payload b/tests/py/inet/map.t.payload index 16225cbd..50344ada 100644 --- a/tests/py/inet/map.t.payload +++ b/tests/py/inet/map.t.payload @@ -17,7 +17,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] diff --git a/tests/py/inet/map.t.payload.ip b/tests/py/inet/map.t.payload.ip index 59575749..3e456675 100644 --- a/tests/py/inet/map.t.payload.ip +++ b/tests/py/inet/map.t.payload.ip @@ -13,7 +13,7 @@ __map%d test-ip4 0 element 00000005 : 00000017 0 [end] element 00000004 : 00000001 0 [end] ip test-ip4 input [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] diff --git a/tests/py/inet/map.t.payload.netdev b/tests/py/inet/map.t.payload.netdev index 501fb8ee..2e60f09d 100644 --- a/tests/py/inet/map.t.payload.netdev +++ b/tests/py/inet/map.t.payload.netdev @@ -17,7 +17,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t index df32332f..7d2515c9 100644 --- a/tests/py/inet/meta.t +++ b/tests/py/inet/meta.t @@ -12,7 +12,22 @@ meta nfproto ipv4 tcp dport 22;ok meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4 meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6 meta nfproto ipv4 counter ip saddr 1.2.3.4;ok + +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok + meta ipsec exists;ok meta secpath missing;ok;meta ipsec missing meta ibrname "br0";fail meta obrname "br0";fail +meta mark set ct mark >> 8;ok + +meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok +ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 };ok + +meta mark set ip dscp;ok +meta mark set ip dscp | 0x40;ok +meta mark set ip6 dscp;ok +meta mark set ip6 dscp | 0x40;ok diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json index 5501f0be..0fee165f 100644 --- a/tests/py/inet/meta.t.json +++ b/tests/py/inet/meta.t.json @@ -213,3 +213,357 @@ } ] +# meta mark set ct mark >> 8 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + ">>": [ + { + "ct": { + "key": "mark" + } + }, + 8 + ] + } + } + } +] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } +[ + { + "match": { + "left": { + "concat": [ + { + "meta": { + "key": "mark" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + { + "range": [ + 10, + 20 + ] + }, + { + "range": [ + 80, + 90 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + 1048576, + 1048867 + ] + }, + { + "range": [ + 100, + 120 + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + 256 + ] + }, + { + "concat": [ + { + "range": [ + "1.2.3.6", + "1.2.3.8" + ] + }, + { + "range": [ + 512, + 768 + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + 256 + ] + }, + { + "concat": [ + "5.6.7.8", + 512 + ] + } + ] + } + } + } +] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 64 + ] + } + } + } +] + +# meta mark set ip6 dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } +] + +# meta mark set ip6 dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 64 + ] + } + } + } +] + +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "aa:bb:cc:dd:ee:ff", + "tcp" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.json.output b/tests/py/inet/meta.t.json.output index 3e7dd214..8697d5a2 100644 --- a/tests/py/inet/meta.t.json.output +++ b/tests/py/inet/meta.t.json.output @@ -51,3 +51,44 @@ } ] +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "aa:bb:cc:dd:ee:ff", + 6 + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload index d7ff7e2d..7184fa0c 100644 --- a/tests/py/inet/meta.t.payload +++ b/tests/py/inet/meta.t.payload @@ -73,3 +73,117 @@ inet test-inet input inet test-inet input [ meta load secpath => reg 1 ] [ cmp eq reg 1 0x00000000 ] + +# meta mark set ct mark >> 8 +inet test-inet input + [ ct load mark => reg 1 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ] + [ meta set mark with reg 1 ] + +# meta protocol ip udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } +__set%d test-inet 87 size 1 +__set%d test-inet 0 + element 0a000000 00005000 - 14000000 00005a00 : 0 [end] element 00001000 00006400 - 23011000 00007800 : 0 [end] +ip test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load mark => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } +__set%d test-inet 87 size 2 +__set%d test-inet 0 + element 04030201 00010000 - 04030201 00010000 : 0 [end] element 06030201 00020000 - 08030201 00030000 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ meta load mark => reg 9 ] + [ byteorder reg 9 = hton(reg 9, 4, 4) ] + [ lookup reg 1 set __set%d ] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 } +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 04030201 00000100 : 0 [end] element 08070605 00000200 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ meta load mark => reg 9 ] + [ lookup reg 1 set __set%d ] + +# meta mark set ip dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +__set%d test-inet 3 size 1 +__set%d test-inet 0 + element 04030201 ddccbbaa 0000ffee 00000006 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 6b @ link header + 6 => reg 9 ] + [ meta load l4proto => reg 11 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/osf.t.payload b/tests/py/inet/osf.t.payload index 6f5fba34..6ddab976 100644 --- a/tests/py/inet/osf.t.payload +++ b/tests/py/inet/osf.t.payload @@ -1,80 +1,24 @@ # osf name "Linux" -ip osfip osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf name "Linux" -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf name "Linux" inet osfinet osfchain [ osf dreg 1 ] [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] # osf ttl loose name "Linux" -ip osfip osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf ttl loose name "Linux" -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf ttl loose name "Linux" inet osfinet osfchain [ osf dreg 1 ] [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] # osf ttl skip name "Linux" -ip osfip osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf ttl skip name "Linux" -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf ttl skip name "Linux" inet osfinet osfchain [ osf dreg 1 ] [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] # osf ttl skip version "Linux:3.0" -ip osfip osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ] - -# osf ttl skip version "Linux:3.0" -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ] - -# osf ttl skip version "Linux:3.0" inet osfinet osfchain [ osf dreg 1 ] [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ] # osf name { "Windows", "MacOs" } -__set%d osfip 3 size 2 -__set%d osfip 0 - element 646e6957 0073776f 00000000 00000000 : 0 [end] element 4f63614d 00000073 00000000 00000000 : 0 [end] -ip osfip osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __set%d ] - -# osf name { "Windows", "MacOs" } -__set%d osfip6 3 size 2 -__set%d osfip6 0 - element 646e6957 0073776f 00000000 00000000 : 0 [end] element 4f63614d 00000073 00000000 00000000 : 0 [end] -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __set%d ] - -# osf name { "Windows", "MacOs" } __set%d osfinet 3 size 2 __set%d osfinet 0 element 646e6957 0073776f 00000000 00000000 : 0 [end] element 4f63614d 00000073 00000000 00000000 : 0 [end] @@ -83,22 +27,6 @@ inet osfinet osfchain [ lookup reg 1 set __set%d ] # osf version { "Windows:XP", "MacOs:Sierra" } -__set%d osfip 3 size 2 -__set%d osfip 0 - element 646e6957 3a73776f 00005058 00000000 : 0 [end] element 4f63614d 69533a73 61727265 00000000 : 0 [end] -ip osfip osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __set%d ] - -# osf version { "Windows:XP", "MacOs:Sierra" } -__set%d osfip6 3 size 2 -__set%d osfip6 0 - element 646e6957 3a73776f 00005058 00000000 : 0 [end] element 4f63614d 69533a73 61727265 00000000 : 0 [end] -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __set%d ] - -# osf version { "Windows:XP", "MacOs:Sierra" } __set%d osfinet 3 size 2 __set%d osfinet 0 element 646e6957 3a73776f 00005058 00000000 : 0 [end] element 4f63614d 69533a73 61727265 00000000 : 0 [end] @@ -107,24 +35,6 @@ inet osfinet osfchain [ lookup reg 1 set __set%d ] # ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 } -__map%d osfip b size 2 -__map%d osfip 0 - element 646e6957 0073776f 00000000 00000000 : 00000001 0 [end] element 4f63614d 00000073 00000000 00000000 : 00000002 0 [end] -ip osfip osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __map%d dreg 1 ] - [ ct set mark with reg 1 ] - -# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 } -__map%d osfip6 b size 2 -__map%d osfip6 0 - element 646e6957 0073776f 00000000 00000000 : 00000001 0 [end] element 4f63614d 00000073 00000000 00000000 : 00000002 0 [end] -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __map%d dreg 1 ] - [ ct set mark with reg 1 ] - -# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 } __map%d osfinet b size 2 __map%d osfinet 0 element 646e6957 0073776f 00000000 00000000 : 00000001 0 [end] element 4f63614d 00000073 00000000 00000000 : 00000002 0 [end] @@ -134,24 +44,6 @@ inet osfinet osfchain [ ct set mark with reg 1 ] # ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 } -__map%d osfip b size 2 -__map%d osfip 0 - element 646e6957 3a73776f 00005058 00000000 : 00000003 0 [end] element 4f63614d 69533a73 61727265 00000000 : 00000004 0 [end] -ip osfip osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __map%d dreg 1 ] - [ ct set mark with reg 1 ] - -# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 } -__map%d osfip6 b size 2 -__map%d osfip6 0 - element 646e6957 3a73776f 00005058 00000000 : 00000003 0 [end] element 4f63614d 69533a73 61727265 00000000 : 00000004 0 [end] -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __map%d dreg 1 ] - [ ct set mark with reg 1 ] - -# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 } __map%d osfinet b size 2 __map%d osfinet 0 element 646e6957 3a73776f 00005058 00000000 : 00000003 0 [end] element 4f63614d 69533a73 61727265 00000000 : 00000004 0 [end] diff --git a/tests/py/inet/payloadmerge.t b/tests/py/inet/payloadmerge.t new file mode 100644 index 00000000..04ba1ce6 --- /dev/null +++ b/tests/py/inet/payloadmerge.t @@ -0,0 +1,14 @@ +:input;type filter hook input priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input + +tcp sport 1 tcp dport 2;ok +tcp sport != 1 tcp dport != 2;ok +tcp sport 1 tcp dport != 2;ok +tcp sport != 1 tcp dport 2;ok +meta l4proto != 6 th dport 2;ok +meta l4proto 6 tcp dport 22;ok;tcp dport 22 +tcp sport > 1 tcp dport > 2;ok +tcp sport 1 tcp dport > 2;ok diff --git a/tests/py/inet/payloadmerge.t.json b/tests/py/inet/payloadmerge.t.json new file mode 100644 index 00000000..e5b66cf9 --- /dev/null +++ b/tests/py/inet/payloadmerge.t.json @@ -0,0 +1,211 @@ +# tcp sport 1 tcp dport 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# tcp sport != 1 tcp dport != 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 2 + } + } +] + +# tcp sport 1 tcp dport != 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 2 + } + } +] + +# tcp sport != 1 tcp dport 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# meta l4proto != 6 th dport 2 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "!=", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "th" + } + }, + "op": "==", + "right": 2 + } + } +] + +# meta l4proto 6 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sport > 1 tcp dport > 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 2 + } + } +] + +# tcp sport 1 tcp dport > 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 2 + } + } +] + diff --git a/tests/py/inet/payloadmerge.t.payload b/tests/py/inet/payloadmerge.t.payload new file mode 100644 index 00000000..a0465cdd --- /dev/null +++ b/tests/py/inet/payloadmerge.t.payload @@ -0,0 +1,66 @@ +# tcp sport 1 tcp dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x02000100 ] + +# tcp sport != 1 tcp dport != 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00000200 ] + +# tcp sport 1 tcp dport != 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00000200 ] + +# tcp sport != 1 tcp dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000200 ] + +# meta l4proto != 6 th dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000200 ] + +# meta l4proto 6 tcp dport 22 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp sport > 1 tcp dport > 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gt reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gt reg 1 0x00000200 ] + +# tcp sport 1 tcp dport > 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gt reg 1 0x00000200 ] + diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t index 0e8966c9..61a6d556 100644 --- a/tests/py/inet/reject.t +++ b/tests/py/inet/reject.t @@ -2,38 +2,40 @@ *inet;test-inet;input -# The output is specific for inet family -reject with icmp type host-unreachable;ok;meta nfproto ipv4 reject with icmp type host-unreachable -reject with icmp type net-unreachable;ok;meta nfproto ipv4 reject with icmp type net-unreachable -reject with icmp type prot-unreachable;ok;meta nfproto ipv4 reject with icmp type prot-unreachable -reject with icmp type port-unreachable;ok;meta nfproto ipv4 reject -reject with icmp type net-prohibited;ok;meta nfproto ipv4 reject with icmp type net-prohibited -reject with icmp type host-prohibited;ok;meta nfproto ipv4 reject with icmp type host-prohibited -reject with icmp type admin-prohibited;ok;meta nfproto ipv4 reject with icmp type admin-prohibited - -reject with icmpv6 type no-route;ok;meta nfproto ipv6 reject with icmpv6 type no-route -reject with icmpv6 type admin-prohibited;ok;meta nfproto ipv6 reject with icmpv6 type admin-prohibited -reject with icmpv6 type addr-unreachable;ok;meta nfproto ipv6 reject with icmpv6 type addr-unreachable -reject with icmpv6 type port-unreachable;ok;meta nfproto ipv6 reject +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset reject;ok -meta nfproto ipv4 reject;ok -meta nfproto ipv6 reject;ok +meta nfproto ipv4 reject;ok;reject with icmp port-unreachable +meta nfproto ipv6 reject;ok;reject with icmpv6 port-unreachable -reject with icmpx type host-unreachable;ok -reject with icmpx type no-route;ok -reject with icmpx type admin-prohibited;ok -reject with icmpx type port-unreachable;ok;reject +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject +reject with icmpx 3;ok;reject with icmpx admin-prohibited -meta nfproto ipv4 reject with icmp type host-unreachable;ok -meta nfproto ipv6 reject with icmpv6 type no-route;ok +meta nfproto ipv4 reject with icmp host-unreachable;ok;reject with icmp host-unreachable +meta nfproto ipv6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route -meta nfproto ipv6 reject with icmp type host-unreachable;fail -meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail -meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail +meta nfproto ipv6 reject with icmp host-unreachable;fail +meta nfproto ipv4 ip protocol icmp reject with icmpv6 no-route;fail +meta nfproto ipv6 ip protocol icmp reject with icmp host-unreachable;fail meta l4proto udp reject with tcp reset;fail -meta nfproto ipv4 reject with icmpx type admin-prohibited;ok -meta nfproto ipv6 reject with icmpx type admin-prohibited;ok +meta nfproto ipv4 reject with icmpx admin-prohibited;ok +meta nfproto ipv6 reject with icmpx admin-prohibited;ok + +ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject;ok;ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject with icmp port-unreachable diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json index bfa94f84..02ac9007 100644 --- a/tests/py/inet/reject.t.json +++ b/tests/py/inet/reject.t.json @@ -1,4 +1,4 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -8,7 +8,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -18,7 +18,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -28,7 +28,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { @@ -38,7 +38,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -48,7 +48,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -58,7 +58,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -68,7 +68,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -78,7 +78,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { @@ -88,7 +88,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -98,7 +98,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -165,7 +165,7 @@ } ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable [ { "reject": { @@ -175,7 +175,7 @@ } ] -# reject with icmpx type no-route +# reject with icmpx no-route [ { "reject": { @@ -185,7 +185,7 @@ } ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited [ { "reject": { @@ -195,7 +195,7 @@ } ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable [ { "reject": { @@ -205,7 +205,17 @@ } ] -# meta nfproto ipv4 reject with icmp type host-unreachable +# reject with icmpx 3 +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# meta nfproto ipv4 reject with icmp host-unreachable [ { "match": { @@ -224,7 +234,7 @@ } ] -# meta nfproto ipv6 reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route [ { "match": { @@ -243,7 +253,7 @@ } ] -# meta nfproto ipv4 reject with icmpx type admin-prohibited +# meta nfproto ipv4 reject with icmpx admin-prohibited [ { "match": { @@ -264,7 +274,7 @@ } ] -# meta nfproto ipv6 reject with icmpx type admin-prohibited +# meta nfproto ipv6 reject with icmpx admin-prohibited [ { "match": { @@ -285,3 +295,37 @@ } ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "aa:bb:cc:dd:ee:ff" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + diff --git a/tests/py/inet/reject.t.json.output b/tests/py/inet/reject.t.json.output index 73846fb0..496ce557 100644 --- a/tests/py/inet/reject.t.json.output +++ b/tests/py/inet/reject.t.json.output @@ -1,145 +1,73 @@ -# reject with icmp type host-unreachable +# mark 12345 reject with tcp reset [ { "match": { "left": { - "meta": { "key": "nfproto" } + "meta": { "key": "l4proto" } }, "op": "==", - "right": "ipv4" + "right": 6 } }, { - "reject": { - "expr": "host-unreachable", - "type": "icmp" - } - } -] - -# reject with icmp type net-unreachable -[ - { "match": { "left": { - "meta": { "key": "nfproto" } + "meta": { "key": "mark" } }, "op": "==", - "right": "ipv4" + "right": 12345 } }, { "reject": { - "expr": "net-unreachable", - "type": "icmp" + "type": "tcp reset" } } ] -# reject with icmp type prot-unreachable +# reject [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" - } - }, - { "reject": { - "expr": "prot-unreachable", - "type": "icmp" - } - } -] - -# reject with icmp type port-unreachable -[ - { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" + "expr": "port-unreachable", + "type": "icmpx" } - }, - { - "reject": null } ] -# reject with icmp type net-prohibited +# meta nfproto ipv4 reject [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" - } - }, - { "reject": { - "expr": "net-prohibited", + "expr": "port-unreachable", "type": "icmp" } } ] -# reject with icmp type host-prohibited +# meta nfproto ipv6 reject [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" - } - }, - { "reject": { - "expr": "host-prohibited", - "type": "icmp" + "expr": "port-unreachable", + "type": "icmpv6" } } ] -# reject with icmp type admin-prohibited +# meta nfproto ipv4 reject with icmp host-unreachable [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" - } - }, - { "reject": { - "expr": "admin-prohibited", + "expr": "host-unreachable", "type": "icmp" } } ] -# reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv6" - } - }, - { "reject": { "expr": "no-route", "type": "icmpv6" @@ -147,91 +75,3 @@ } ] -# reject with icmpv6 type admin-prohibited -[ - { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv6" - } - }, - { - "reject": { - "expr": "admin-prohibited", - "type": "icmpv6" - } - } -] - -# reject with icmpv6 type addr-unreachable -[ - { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv6" - } - }, - { - "reject": { - "expr": "addr-unreachable", - "type": "icmpv6" - } - } -] - -# reject with icmpv6 type port-unreachable -[ - { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv6" - } - }, - { - "reject": null - } -] - -# mark 12345 reject with tcp reset -[ - { - "match": { - "left": { - "meta": { "key": "l4proto" } - }, - "op": "==", - "right": 6 - } - }, - { - "match": { - "left": { - "meta": { "key": "mark" } - }, - "op": "==", - "right": 12345 - } - }, - { - "reject": { - "type": "tcp reset" - } - } -] - -# reject with icmpx type port-unreachable -[ - { - "reject": null - } -] - diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet index ee1aae02..828cb839 100644 --- a/tests/py/inet/reject.t.payload.inet +++ b/tests/py/inet/reject.t.payload.inet @@ -1,64 +1,64 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 13 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -88,147 +88,57 @@ inet test-inet input [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 4 ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable inet test-inet input [ reject type 2 code 2 ] -# reject with icmpx type no-route +# reject with icmpx no-route inet test-inet input [ reject type 2 code 0 ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited inet test-inet input [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable inet test-inet input [ reject type 2 code 1 ] -# meta nfproto ipv4 reject with icmp type host-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 1 ] - -# meta nfproto ipv6 reject with icmpv6 type no-route -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 0 ] - -# reject with icmp type prot-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 2 ] - -# reject with icmp type port-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 3 ] - -# reject with icmp type net-prohibited -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 9 ] - -# reject with icmp type host-prohibited -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 10 ] - -# reject with icmp type admin-prohibited -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 13 ] - -# reject with icmpv6 type no-route -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 0 ] - -# reject with icmpv6 type admin-prohibited -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 1 ] - -# reject with icmpv6 type addr-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 3 ] - -# reject with icmpv6 type port-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 4 ] - -# reject with tcp reset -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ reject type 1 code 0 ] - -# reject -inet test-inet input - [ reject type 2 code 1 ] - -# meta nfproto ipv4 reject -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 3 ] - -# meta nfproto ipv6 reject -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 4 ] - -# reject with icmpx type host-unreachable -inet test-inet input - [ reject type 2 code 2 ] - -# reject with icmpx type no-route -inet test-inet input - [ reject type 2 code 0 ] - -# reject with icmpx type admin-prohibited +# reject with icmpx 3 inet test-inet input [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable -inet test-inet input - [ reject type 2 code 1 ] - -# meta nfproto ipv4 reject with icmp type host-unreachable +# meta nfproto ipv4 reject with icmp host-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 1 ] -# meta nfproto ipv6 reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 0 ] -# meta nfproto ipv4 reject with icmpx type admin-prohibited +# meta nfproto ipv4 reject with icmpx admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 2 code 3 ] -# meta nfproto ipv6 reject with icmpx type admin-prohibited +# meta nfproto ipv6 reject with icmpx admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 2 code 3 ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +inet test-inet input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0xddccbbaa 0x0008ffee ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ reject type 0 code 3 ] + diff --git a/tests/py/inet/rt.t b/tests/py/inet/rt.t index 23608ab2..a0e0d003 100644 --- a/tests/py/inet/rt.t +++ b/tests/py/inet/rt.t @@ -2,14 +2,13 @@ *inet;test-inet;output -rt nexthop 192.168.0.1;fail -rt nexthop fd00::1;fail - meta nfproto ipv4 rt nexthop 192.168.0.1;ok;meta nfproto ipv4 rt ip nexthop 192.168.0.1 rt ip6 nexthop fd00::1;ok # missing context +rt nexthop 192.168.0.1;fail rt nexthop fd00::1;fail + # wrong context rt ip nexthop fd00::1;fail diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t index 5188b57e..016173b9 100644 --- a/tests/py/inet/sctp.t +++ b/tests/py/inet/sctp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress sctp sport 23;ok sctp sport != 23;ok @@ -12,8 +13,6 @@ sctp sport 23-44;ok sctp sport != 23-44;ok sctp sport { 23, 24, 25};ok sctp sport != { 23, 24, 25};ok -sctp sport { 23-44};ok -sctp sport != { 23-44};ok sctp dport 23;ok sctp dport != 23;ok @@ -21,8 +20,6 @@ sctp dport 23-44;ok sctp dport != 23-44;ok sctp dport { 23, 24, 25};ok sctp dport != { 23, 24, 25};ok -sctp dport { 23-44};ok -sctp dport != { 23-44};ok sctp checksum 1111;ok sctp checksum != 11;ok @@ -30,8 +27,6 @@ sctp checksum 21-333;ok sctp checksum != 32-111;ok sctp checksum { 22, 33, 44};ok sctp checksum != { 22, 33, 44};ok -sctp checksum { 22-44};ok -sctp checksum != { 22-44};ok sctp vtag 22;ok sctp vtag != 233;ok @@ -39,5 +34,40 @@ sctp vtag 33-45;ok sctp vtag != 33-45;ok sctp vtag {33, 55, 67, 88};ok sctp vtag != {33, 55, 67, 88};ok -sctp vtag { 33-55};ok -sctp vtag != { 33-55};ok + +# assert all chunk types are recognized +sctp chunk data exists;ok +sctp chunk init exists;ok +sctp chunk init-ack exists;ok +sctp chunk sack exists;ok +sctp chunk heartbeat exists;ok +sctp chunk heartbeat-ack exists;ok +sctp chunk abort exists;ok +sctp chunk shutdown exists;ok +sctp chunk shutdown-ack exists;ok +sctp chunk error exists;ok +sctp chunk cookie-echo exists;ok +sctp chunk cookie-ack exists;ok +sctp chunk ecne exists;ok +sctp chunk cwr exists;ok +sctp chunk shutdown-complete exists;ok +sctp chunk asconf-ack exists;ok +sctp chunk forward-tsn exists;ok +sctp chunk asconf exists;ok + +# test common header fields in random chunk types +sctp chunk data type 0;ok +sctp chunk init flags 23;ok +sctp chunk init-ack length 42;ok + +# test one custom field in every applicable chunk type +sctp chunk data stream 1337;ok +sctp chunk init initial-tsn 5;ok +sctp chunk init-ack num-outbound-streams 3;ok +sctp chunk sack a-rwnd 1;ok +sctp chunk shutdown cum-tsn-ack 65535;ok +sctp chunk ecne lowest-tsn 5;ok +sctp chunk cwr lowest-tsn 8;ok +sctp chunk asconf-ack seqno 12345;ok +sctp chunk forward-tsn new-cum-tsn 31337;ok +sctp chunk asconf seqno 12345;ok diff --git a/tests/py/inet/sctp.t.json b/tests/py/inet/sctp.t.json index 2684b034..75a9b01c 100644 --- a/tests/py/inet/sctp.t.json +++ b/tests/py/inet/sctp.t.json @@ -110,46 +110,6 @@ } ] -# sctp sport { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - -# sctp sport != { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - # sctp dport 23 [ { @@ -262,46 +222,6 @@ } ] -# sctp dport { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - -# sctp dport != { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - # sctp checksum 1111 [ { @@ -414,46 +334,6 @@ } ] -# sctp checksum { 22-44} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 22, 44 ] } - ] - } - } - } -] - -# sctp checksum != { 22-44} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 22, 44 ] } - ] - } - } - } -] - # sctp vtag 22 [ { @@ -568,42 +448,480 @@ } ] -# sctp vtag { 33-55} +# sctp chunk data exists [ { "match": { "left": { - "payload": { - "field": "vtag", - "protocol": "sctp" + "sctp chunk": { + "name": "data" } }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "==", + "right": true } } ] -# sctp vtag != { 33-55} +# sctp chunk init exists [ { "match": { "left": { - "payload": { - "field": "vtag", - "protocol": "sctp" + "sctp chunk": { + "name": "init" } }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "==", + "right": true + } + } +] + +# sctp chunk init-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "init-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk sack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "sack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk heartbeat exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "heartbeat" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk heartbeat-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "heartbeat-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk abort exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "abort" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk error exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "error" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cookie-echo exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cookie-echo" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cookie-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cookie-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk ecne exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "ecne" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cwr exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cwr" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown-complete exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown-complete" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk asconf-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "asconf-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk forward-tsn exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "forward-tsn" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk asconf exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "asconf" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk data type 0 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "type", + "name": "data" + } + }, + "op": "==", + "right": 0 + } + } +] + +# sctp chunk init flags 23 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "flags", + "name": "init" + } + }, + "op": "==", + "right": 23 + } + } +] + +# sctp chunk init-ack length 42 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "length", + "name": "init-ack" + } + }, + "op": "==", + "right": 42 + } + } +] + +# sctp chunk data stream 1337 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "stream", + "name": "data" + } + }, + "op": "==", + "right": 1337 + } + } +] + +# sctp chunk init initial-tsn 5 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "initial-tsn", + "name": "init" + } + }, + "op": "==", + "right": 5 + } + } +] + +# sctp chunk init-ack num-outbound-streams 3 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "num-outbound-streams", + "name": "init-ack" + } + }, + "op": "==", + "right": 3 + } + } +] + +# sctp chunk sack a-rwnd 1 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "a-rwnd", + "name": "sack" + } + }, + "op": "==", + "right": 1 + } + } +] + +# sctp chunk shutdown cum-tsn-ack 65535 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "cum-tsn-ack", + "name": "shutdown" + } + }, + "op": "==", + "right": 65535 + } + } +] + +# sctp chunk ecne lowest-tsn 5 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "lowest-tsn", + "name": "ecne" + } + }, + "op": "==", + "right": 5 + } + } +] + +# sctp chunk cwr lowest-tsn 8 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "lowest-tsn", + "name": "cwr" + } + }, + "op": "==", + "right": 8 + } + } +] + +# sctp chunk asconf-ack seqno 12345 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "seqno", + "name": "asconf-ack" + } + }, + "op": "==", + "right": 12345 + } + } +] + +# sctp chunk forward-tsn new-cum-tsn 31337 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "new-cum-tsn", + "name": "forward-tsn" + } + }, + "op": "==", + "right": 31337 + } + } +] + +# sctp chunk asconf seqno 12345 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "seqno", + "name": "asconf" + } + }, + "op": "==", + "right": 12345 } } ] diff --git a/tests/py/inet/sctp.t.payload b/tests/py/inet/sctp.t.payload index ecfcc725..7337e2ea 100644 --- a/tests/py/inet/sctp.t.payload +++ b/tests/py/inet/sctp.t.payload @@ -47,26 +47,6 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp sport { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp sport != { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp dport 23 inet test-inet input [ meta load l4proto => reg 1 ] @@ -116,26 +96,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp dport { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp dport != { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp checksum 1111 inet test-inet input [ meta load l4proto => reg 1 ] @@ -185,26 +145,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp checksum { 22-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp checksum != { 22-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp vtag 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -254,23 +194,158 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp vtag { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp vtag != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] +# sctp chunk data exists +ip + [ exthdr load 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk init exists +ip + [ exthdr load 1b @ 1 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk init-ack exists +ip + [ exthdr load 1b @ 2 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk sack exists +ip + [ exthdr load 1b @ 3 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk heartbeat exists +ip + [ exthdr load 1b @ 4 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk heartbeat-ack exists +ip + [ exthdr load 1b @ 5 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk abort exists +ip + [ exthdr load 1b @ 6 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown exists +ip + [ exthdr load 1b @ 7 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown-ack exists +ip + [ exthdr load 1b @ 8 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk error exists +ip + [ exthdr load 1b @ 9 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cookie-echo exists +ip + [ exthdr load 1b @ 10 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cookie-ack exists +ip + [ exthdr load 1b @ 11 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk ecne exists +ip + [ exthdr load 1b @ 12 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cwr exists +ip + [ exthdr load 1b @ 13 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown-complete exists +ip + [ exthdr load 1b @ 14 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk asconf-ack exists +ip + [ exthdr load 1b @ 128 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk forward-tsn exists +ip + [ exthdr load 1b @ 192 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk asconf exists +ip + [ exthdr load 1b @ 193 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk data type 0 +ip + [ exthdr load 1b @ 0 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# sctp chunk init flags 23 +ip + [ exthdr load 1b @ 1 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000017 ] + +# sctp chunk init-ack length 42 +ip + [ exthdr load 2b @ 2 + 2 => reg 1 ] + [ cmp eq reg 1 0x00002a00 ] + +# sctp chunk data stream 1337 +ip + [ exthdr load 2b @ 0 + 8 => reg 1 ] + [ cmp eq reg 1 0x00003905 ] + +# sctp chunk init initial-tsn 5 +ip + [ exthdr load 4b @ 1 + 16 => reg 1 ] + [ cmp eq reg 1 0x05000000 ] + +# sctp chunk init-ack num-outbound-streams 3 +ip + [ exthdr load 2b @ 2 + 12 => reg 1 ] + [ cmp eq reg 1 0x00000300 ] + +# sctp chunk sack a-rwnd 1 +ip + [ exthdr load 4b @ 3 + 8 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# sctp chunk shutdown cum-tsn-ack 65535 +ip + [ exthdr load 4b @ 7 + 4 => reg 1 ] + [ cmp eq reg 1 0xffff0000 ] + +# sctp chunk ecne lowest-tsn 5 +ip + [ exthdr load 4b @ 12 + 4 => reg 1 ] + [ cmp eq reg 1 0x05000000 ] + +# sctp chunk cwr lowest-tsn 8 +ip + [ exthdr load 4b @ 13 + 4 => reg 1 ] + [ cmp eq reg 1 0x08000000 ] + +# sctp chunk asconf-ack seqno 12345 +ip + [ exthdr load 4b @ 128 + 4 => reg 1 ] + [ cmp eq reg 1 0x39300000 ] + +# sctp chunk forward-tsn new-cum-tsn 31337 +ip + [ exthdr load 4b @ 192 + 4 => reg 1 ] + [ cmp eq reg 1 0x697a0000 ] + +# sctp chunk asconf seqno 12345 +ip + [ exthdr load 4b @ 193 + 4 => reg 1 ] + [ cmp eq reg 1 0x39300000 ] diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t index daf8f2d6..5b22e1fe 100644 --- a/tests/py/inet/sets.t +++ b/tests/py/inet/sets.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input *bridge;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress !set1 type ipv4_addr timeout 60s;ok ?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok @@ -16,3 +17,9 @@ ip saddr != @set2 drop;fail ip6 daddr != @set2 accept;ok ip6 daddr @set1 drop;fail + +!set3 type ipv4_addr . ipv4_addr . inet_service flags interval;ok +?set3 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535;ok + +ip saddr . ip daddr . tcp dport @set3 accept;ok +ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json index bcb638f2..b44ffc20 100644 --- a/tests/py/inet/sets.t.json +++ b/tests/py/inet/sets.t.json @@ -36,3 +36,101 @@ } ] +# ip saddr . ip daddr . tcp dport @set3 accept +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": "@set3" + } + }, + { + "accept": null + } +] + +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + }, + { + "range": [ + 10, + 23 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "192.168.1.1", + "192.168.3.8" + ] + }, + { + "range": [ + 80, + 443 + ] + } + ] + } + ] + } + } + }, + { + "accept": null + } +] diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge index f5aaab1d..3dd9d57b 100644 --- a/tests/py/inet/sets.t.payload.bridge +++ b/tests/py/inet/sets.t.payload.bridge @@ -13,3 +13,30 @@ bridge test-inet input [ payload load 16b @ network header + 24 => reg 1 ] [ lookup reg 1 set set2 0x1 ] [ immediate reg 0 accept ] + +# ip saddr . ip daddr . tcp dport @set3 accept +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ lookup reg 1 set set3 ] + [ immediate reg 0 accept ] + +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-inet 87 +__set%d test-inet 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet index 1584fc07..53c6b182 100644 --- a/tests/py/inet/sets.t.payload.inet +++ b/tests/py/inet/sets.t.payload.inet @@ -14,4 +14,28 @@ inet test-inet input [ lookup reg 1 set set2 0x1 ] [ immediate reg 0 accept ] +# ip saddr . ip daddr . tcp dport @set3 accept +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ lookup reg 1 set set3 ] + [ immediate reg 0 accept ] +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-inet 87 +__set%d test-inet 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev index 9c94e384..e31aeb92 100644 --- a/tests/py/inet/sets.t.payload.netdev +++ b/tests/py/inet/sets.t.payload.netdev @@ -14,3 +14,28 @@ netdev test-netdev ingress [ lookup reg 1 set set2 0x1 ] [ immediate reg 0 accept ] +# ip saddr . ip daddr . tcp dport @set3 accept +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ lookup reg 1 set set3 ] + [ immediate reg 0 accept ] + +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-netdev 87 +__set%d test-netdev 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] diff --git a/tests/py/inet/snat.t.payload b/tests/py/inet/snat.t.payload index 00bb937f..50519c6b 100644 --- a/tests/py/inet/snat.t.payload +++ b/tests/py/inet/snat.t.payload @@ -7,7 +7,7 @@ inet test-inet postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005100 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2 inet test-inet postrouting @@ -22,7 +22,7 @@ inet test-inet postrouting [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0101010a ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport 81 snat ip6 to dead::beef inet test-inet postrouting @@ -33,7 +33,7 @@ inet test-inet postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005100 ] [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] - [ nat snat ip6 addr_min reg 1 addr_max reg 0 ] + [ nat snat ip6 addr_min reg 1 ] # iifname "foo" masquerade random inet test-inet postrouting diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t index 91846e8e..05e9ebb4 100644 --- a/tests/py/inet/socket.t +++ b/tests/py/inet/socket.t @@ -9,3 +9,7 @@ socket transparent 1;ok socket transparent 2;fail socket mark 0x00000005;ok + +socket wildcard 0;ok +socket wildcard 1;ok +socket wildcard 2;fail diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json index 99d6e248..fa48e79d 100644 --- a/tests/py/inet/socket.t.json +++ b/tests/py/inet/socket.t.json @@ -43,3 +43,32 @@ } ] +# socket wildcard 0 +[ + { + "match": { + "left": { + "socket": { + "key": "wildcard" + } + }, + "op": "==", + "right": 0 + } + } +] + +# socket wildcard 1 +[ + { + "match": { + "left": { + "socket": { + "key": "wildcard" + } + }, + "op": "==", + "right": 1 + } + } +] diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload index 687b7a45..e66ccbf7 100644 --- a/tests/py/inet/socket.t.payload +++ b/tests/py/inet/socket.t.payload @@ -1,45 +1,24 @@ # socket transparent 0 -ip sockip4 sockchain - [ socket load transparent => reg 1 ] - [ cmp eq reg 1 0x00000000 ] - -# socket transparent 0 -ip6 sockip6 sockchain - [ socket load transparent => reg 1 ] - [ cmp eq reg 1 0x00000000 ] - -# socket transparent 0 inet sockin sockchain [ socket load transparent => reg 1 ] [ cmp eq reg 1 0x00000000 ] # socket transparent 1 -ip sockip4 sockchain - [ socket load transparent => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# socket transparent 1 -ip6 sockip6 sockchain - [ socket load transparent => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# socket transparent 1 inet sockin sockchain [ socket load transparent => reg 1 ] [ cmp eq reg 1 0x00000001 ] # socket mark 0x00000005 -ip sockip4 sockchain - [ socket load mark => reg 1 ] - [ cmp eq reg 1 0x00000005 ] - -# socket mark 0x00000005 -ip6 sockip6 sockchain - [ socket load mark => reg 1 ] - [ cmp eq reg 1 0x00000005 ] - -# socket mark 0x00000005 inet sockin sockchain [ socket load mark => reg 1 ] [ cmp eq reg 1 0x00000005 ] +# socket wildcard 0 +inet sockin sockchain + [ socket load wildcard => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# socket wildcard 1 +inet sockin sockchain + [ socket load wildcard => reg 1 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/inet/synproxy.t.json b/tests/py/inet/synproxy.t.json index 92c69d75..1dd85a61 100644 --- a/tests/py/inet/synproxy.t.json +++ b/tests/py/inet/synproxy.t.json @@ -5,24 +5,6 @@ } ] -# synproxy mss 1460 -[ - { - "synproxy": { - "mss": 1460 - } - } -] - -# synproxy wscale 7 -[ - { - "synproxy": { - "wscale": 7 - } - } -] - # synproxy mss 1460 wscale 7 [ { @@ -56,20 +38,6 @@ } ] -# synproxy mss 1460 wscale 7 timestamp sack-perm -[ - { - "synproxy": { - "mss": 1460, - "wscale": 7, - "flags": [ - "timestamp", - "sack-perm" - ] - } - } -] - # synproxy mss 1460 wscale 5 timestamp sack-perm [ { diff --git a/tests/py/inet/synproxy.t.payload b/tests/py/inet/synproxy.t.payload index 2e6feaaf..dd318b9a 100644 --- a/tests/py/inet/synproxy.t.payload +++ b/tests/py/inet/synproxy.t.payload @@ -1,72 +1,24 @@ # synproxy -ip synproxyip synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy -ip6 synproxyip6 synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy inet synproxyinet synproxychain [ synproxy mss 0 wscale 0 ] # synproxy mss 1460 wscale 7 -ip synproxyip synproxychain - [ synproxy mss 1460 wscale 7 ] - -# synproxy mss 1460 wscale 7 -ip6 synproxyip6 synproxychain - [ synproxy mss 1460 wscale 7 ] - -# synproxy mss 1460 wscale 7 inet synproxyinet synproxychain [ synproxy mss 1460 wscale 7 ] # synproxy mss 1460 wscale 5 timestamp sack-perm -ip synproxyip synproxychain - [ synproxy mss 1460 wscale 5 ] - -# synproxy mss 1460 wscale 5 timestamp sack-perm -ip6 synproxyip6 synproxychain - [ synproxy mss 1460 wscale 5 ] - -# synproxy mss 1460 wscale 5 timestamp sack-perm inet synproxyinet synproxychain [ synproxy mss 1460 wscale 5 ] # synproxy timestamp sack-perm -ip synproxyip synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy timestamp sack-perm -ip6 synproxyip6 synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy timestamp sack-perm inet synproxyinet synproxychain [ synproxy mss 0 wscale 0 ] # synproxy timestamp -ip synproxyip synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy timestamp -ip6 synproxyip6 synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy timestamp inet synproxyinet synproxychain [ synproxy mss 0 wscale 0 ] # synproxy sack-perm -ip synproxyip synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy sack-perm -ip6 synproxyip6 synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy sack-perm inet synproxyinet synproxychain [ synproxy mss 0 wscale 0 ] diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t index e0a83e2b..f4bdac17 100644 --- a/tests/py/inet/tcp.t +++ b/tests/py/inet/tcp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport set {1, 2, 3};fail @@ -14,8 +15,6 @@ tcp dport 33-45;ok tcp dport != 33-45;ok tcp dport { 33, 55, 67, 88};ok tcp dport != { 33, 55, 67, 88};ok -tcp dport { 33-55};ok -tcp dport != { 33-55};ok tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept tcp dport vmap { 22 : accept, 23 : drop };ok tcp dport vmap { 25:accept, 28:drop };ok @@ -30,8 +29,6 @@ tcp sport 33-45;ok tcp sport != 33-45;ok tcp sport { 33, 55, 67, 88};ok tcp sport != { 33, 55, 67, 88};ok -tcp sport { 33-55};ok -tcp sport != { 33-55};ok tcp sport vmap { 25:accept, 28:drop };ok tcp sport 8080 drop;ok @@ -47,8 +44,6 @@ tcp sequence 33-45;ok tcp sequence != 33-45;ok tcp sequence { 33, 55, 67, 88};ok tcp sequence != { 33, 55, 67, 88};ok -tcp sequence { 33-55};ok -tcp sequence != { 33-55};ok tcp ackseq 42949672 drop;ok tcp ackseq 22;ok @@ -57,8 +52,6 @@ tcp ackseq 33-45;ok tcp ackseq != 33-45;ok tcp ackseq { 33, 55, 67, 88};ok tcp ackseq != { 33, 55, 67, 88};ok -tcp ackseq { 33-55};ok -tcp ackseq != { 33-55};ok - tcp doff 22;ok - tcp doff != 233;ok @@ -66,8 +59,6 @@ tcp ackseq != { 33-55};ok - tcp doff != 33-45;ok - tcp doff { 33, 55, 67, 88};ok - tcp doff != { 33, 55, 67, 88};ok -- tcp doff { 33-55};ok -- tcp doff != { 33-55};ok # BUG reserved # BUG: It is accepted but it is not shown then. tcp reserver @@ -77,8 +68,26 @@ tcp flags != { fin, urg, ecn, cwr} drop;ok tcp flags cwr;ok tcp flags != cwr;ok tcp flags == syn;ok -tcp flags & (syn|fin) == (syn|fin);ok;tcp flags & (fin | syn) == fin | syn +tcp flags fin,syn / fin,syn;ok;tcp flags & (fin | syn) == fin | syn +tcp flags != syn / fin,syn;ok;tcp flags & (fin | syn) != syn +tcp flags & syn != 0;ok;tcp flags syn +tcp flags & syn == 0;ok;tcp flags ! syn +tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack +tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack +# it should be possible to transform this to: tcp flags syn +tcp flags & syn == syn;ok +tcp flags & syn != syn;ok +tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags & (fin | syn | rst | ack) == syn +tcp flags & (fin | syn | rst | ack) == syn;ok +tcp flags & (fin | syn | rst | ack) != syn;ok +tcp flags & (fin | syn | rst | ack) == syn | ack;ok +tcp flags & (fin | syn | rst | ack) != syn | ack;ok +tcp flags & (syn | ack) == syn | ack;ok tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff +tcp flags { syn, syn | ack };ok +tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok +tcp flags ! fin,rst;ok +tcp flags & (fin | syn | rst | ack) ! syn;fail tcp window 22222;ok tcp window 22;ok @@ -87,8 +96,6 @@ tcp window 33-45;ok tcp window != 33-45;ok tcp window { 33, 55, 67, 88};ok tcp window != { 33, 55, 67, 88};ok -tcp window { 33-55};ok -tcp window != { 33-55};ok tcp checksum 22;ok tcp checksum != 233;ok @@ -96,8 +103,6 @@ tcp checksum 33-45;ok tcp checksum != 33-45;ok tcp checksum { 33, 55, 67, 88};ok tcp checksum != { 33, 55, 67, 88};ok -tcp checksum { 33-55};ok -tcp checksum != { 33-55};ok tcp urgptr 1234 accept;ok tcp urgptr 22;ok @@ -106,7 +111,5 @@ tcp urgptr 33-45;ok tcp urgptr != 33-45;ok tcp urgptr { 33, 55, 67, 88};ok tcp urgptr != { 33, 55, 67, 88};ok -tcp urgptr { 33-55};ok -tcp urgptr != { 33-55};ok tcp doff 8;ok diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json index babe5920..28dd4341 100644 --- a/tests/py/inet/tcp.t.json +++ b/tests/py/inet/tcp.t.json @@ -112,46 +112,6 @@ } ] -# tcp dport { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp dport != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp dport {telnet, http, https} accept [ { @@ -397,46 +357,6 @@ } ] -# tcp sport { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp sport != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp sport vmap { 25:accept, 28:drop } [ { @@ -753,46 +673,6 @@ } ] -# tcp sequence { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp sequence != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp ackseq 42949672 drop [ { @@ -926,46 +806,6 @@ } ] -# tcp ackseq { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ackseq", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp ackseq != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ackseq", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop [ { @@ -1114,12 +954,12 @@ } }, { - "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] + "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } ] }, "op": "==", - "right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] } + "right": { "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } } } ] @@ -1254,46 +1094,6 @@ } ] -# tcp window { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "window", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp window != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "window", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp checksum 22 [ { @@ -1408,46 +1208,6 @@ } ] -# tcp checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp urgptr 1234 accept [ { @@ -1581,58 +1341,435 @@ } ] -# tcp urgptr { 33-55} +# tcp doff 8 [ { "match": { "left": { "payload": { - "field": "urgptr", + "field": "doff", "protocol": "tcp" } }, "op": "==", + "right": 8 + } + } +] + +# tcp flags { syn, syn | ack } +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "syn", + { + "|": [ + "syn", + "ack" + ] + } ] } } } ] -# tcp urgptr != { 33-55} +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } [ { "match": { "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { "|": [ "fin", "syn", "rst", "psh", "ack", "urg" ] } + ] + }, + "op": "==", + "right": { + "set": [ + "fin", + "ack", + { "|": [ "psh", "ack" ] }, + { "|": [ "fin", "psh", "ack" ] } + ] + } + } + } +] + +# tcp flags ! fin,rst +[ + { + "match": { + "op": "!", + "left": { "payload": { - "field": "urgptr", - "protocol": "tcp" + "protocol": "tcp", + "field": "flags" } }, - "op": "!=", + "right": [ + "fin", + "rst" + ] + } + } +] + +# tcp flags fin,syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "==", "right": { - "set": [ - { "range": [ 33, 55 ] } + "|": [ + "fin", + "syn" ] } } } ] -# tcp doff 8 +# tcp flags != syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & syn == 0 [ { "match": { "left": { "payload": { - "field": "doff", + "field": "flags", "protocol": "tcp" } }, - "op": "==", - "right": 8 + "op": "!", + "right": "syn" + } + } +] + +# tcp flags & syn != 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "in", + "right": "syn" + } + } +] + +# tcp flags & (syn | ack) != 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "in", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & (syn | ack) == 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "!", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & syn == syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "syn" + ] + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & syn != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "syn" + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "==", + "right": "syn" + } + } +] + + +# tcp flags & (fin | syn | rst | ack) != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + +# tcp flags & (syn | ack) == syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "syn", + "ack" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + +# tcp flags & (fin | syn | rst | ack) != syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { "|": [ "fin", "syn", "rst", "ack" ] } + ] + }, + "op": "!=", + "right": { + "|": [ + "syn", + "ack" + ] + } } } ] diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output index 0f7a593b..d487a8f1 100644 --- a/tests/py/inet/tcp.t.json.output +++ b/tests/py/inet/tcp.t.json.output @@ -115,3 +115,50 @@ } ] +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "psh", + "ack", + "urg" + ] + } + ] + }, + "op": "==", + "right": { + "set": [ + "fin", + { + "|": [ + "fin", + "psh", + "ack" + ] + }, + { + "|": [ + "psh", + "ack" + ] + }, + "ack" + ] + } + } + } +] diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload index 55f1bc2e..bc6bb989 100644 --- a/tests/py/inet/tcp.t.payload +++ b/tests/py/inet/tcp.t.payload @@ -47,26 +47,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp dport { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp dport != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp dport {telnet, http, https} accept __set%d test-inet 3 __set%d test-inet 0 @@ -81,7 +61,7 @@ inet test-inet input # tcp dport vmap { 22 : accept, 23 : drop } __map%d test-inet b __map%d test-inet 0 - element 00001600 : 0 [end] element 00001700 : 0 [end] + element 00001600 : accept 0 [end] element 00001700 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -91,7 +71,7 @@ inet test-inet input # tcp dport vmap { 25:accept, 28:drop } __map%d test-inet b __map%d test-inet 0 - element 00001900 : 0 [end] element 00001c00 : 0 [end] + element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -167,30 +147,10 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp sport { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp sport != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp sport vmap { 25:accept, 28:drop } __map%d test-inet b __map%d test-inet 0 - element 00001900 : 0 [end] element 00001c00 : 0 [end] + element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -293,26 +253,6 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp sequence { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp sequence != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp ackseq 42949672 drop inet test-inet input [ meta load l4proto => reg 1 ] @@ -370,26 +310,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp ackseq { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp ackseq != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop __set%d test-inet 3 __set%d test-inet 0 @@ -417,7 +337,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000080 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # tcp flags != cwr @@ -434,20 +354,124 @@ inet test-inet input [ payload load 1b @ transport header + 13 => reg 1 ] [ cmp eq reg 1 0x00000002 ] -# tcp flags & (syn|fin) == (syn|fin) +# tcp flags fin,syn / fin,syn inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000003 ] +# tcp flags != syn / fin,syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & syn != 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags & syn == 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp flags & (syn | ack) != 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags & (syn | ack) == 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp flags & syn == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & syn != syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) != syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) == syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000012 ] + +# tcp flags & (fin | syn | rst | ack) != syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000012 ] + +# tcp flags & (syn | ack) == syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000012 ] + # tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000ff ] # tcp window 22222 @@ -506,26 +530,6 @@ inet test-inet input [ payload load 2b @ transport header + 14 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp window { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp window != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp checksum 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -575,26 +579,6 @@ inet test-inet input [ payload load 2b @ transport header + 16 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp urgptr 1234 accept inet test-inet input [ meta load l4proto => reg 1 ] @@ -652,31 +636,39 @@ inet test-inet input [ payload load 2b @ transport header + 18 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp urgptr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# tcp doff 8 inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ payload load 1b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000080 ] -# tcp urgptr != { 33-55} -__set%d test-inet 7 +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } +__set%d test-inet 3 __set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input + element 00000001 : 0 [end] element 00000010 : 0 [end] element 00000018 : 0 [end] element 00000019 : 0 [end] +ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] -# tcp doff 8 -inet test-inet input +# tcp flags { syn, syn | ack } +__set%d test-inet 3 +__set%d test-inet 0 + element 00000002 : 0 [end] element 00000012 : 0 [end] +inet [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] - [ payload load 1b @ transport header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000080 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ lookup reg 1 set __set%d ] +# tcp flags ! fin,rst +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000005 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] diff --git a/tests/py/inet/tcpopt.t.payload b/tests/py/inet/tcpopt.t.payload deleted file mode 100644 index 7e254ed3..00000000 --- a/tests/py/inet/tcpopt.t.payload +++ /dev/null @@ -1,200 +0,0 @@ -# tcp option eol kind 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 0 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option noop kind 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 1 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg kind 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 2 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg length 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 2 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg size 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 2b @ 2 + 2 => reg 1 ] - [ cmp eq reg 1 0x00000100 ] - -# tcp option window kind 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option window length 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option window count 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 2 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack-permitted kind 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 4 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack-permitted length 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 4 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack kind 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 5 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack length 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 5 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack left 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack0 left 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack1 left 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 10 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack2 left 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 18 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack3 left 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 26 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack right 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack0 right 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack1 right 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 14 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack2 right 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 22 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack3 right 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 30 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option timestamp kind 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 8 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option timestamp length 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 8 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option timestamp tsval 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 8 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option timestamp tsecr 1 -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 8 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option window exists -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 0 present => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option window missing -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 0 present => reg 1 ] - [ cmp eq reg 1 0x00000000 ] - -# tcp option maxseg size set 1360 -inet test-inet input - [ immediate reg 1 0x00005005 ] - [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ] diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t index d23bbcb5..9901df75 100644 --- a/tests/py/inet/tproxy.t +++ b/tests/py/inet/tproxy.t @@ -19,3 +19,5 @@ meta l4proto 17 tproxy ip to :50080;ok meta l4proto 17 tproxy ip6 to :50080;ok meta l4proto 17 tproxy to :50080;ok ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok + +meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 };ok diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json index 7b3b11c4..71b6fd2f 100644 --- a/tests/py/inet/tproxy.t.json +++ b/tests/py/inet/tproxy.t.json @@ -183,3 +183,38 @@ } } ] + +# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "127.0.0.1", + "family": "ip", + "port": { + "map": { + "data": { + "set": [ + [ 0, 23 ], + [ 1, 42 ] + ] + }, + "key": { + "symhash": { "mod": 2 } + } + } + } + } + } +] + diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload index 82ff928d..2f419042 100644 --- a/tests/py/inet/tproxy.t.payload +++ b/tests/py/inet/tproxy.t.payload @@ -54,10 +54,22 @@ inet x y [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000000 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x0000d007 ] [ tproxy ip port reg 1 ] +# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 } +__map%d x b size 2 +__map%d x 0 + element 00000000 : 00001700 0 [end] element 00000001 : 00002a00 0 [end] +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x0100007f ] + [ hash reg 2 = symhash() % mod 2 ] + [ lookup reg 2 set __map%d dreg 2 ] + [ tproxy ip addr reg 1 port reg 2 ] + diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t index 4e3eaa51..7f21c8ed 100644 --- a/tests/py/inet/udp.t +++ b/tests/py/inet/udp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress udp sport 80 accept;ok udp sport != 60 accept;ok @@ -12,8 +13,6 @@ udp sport 50-70 accept;ok udp sport != 50-60 accept;ok udp sport { 49, 50} drop;ok udp sport != { 50, 60} accept;ok -udp sport { 12-40};ok -udp sport != { 13-24};ok udp dport set {1, 2, 3};fail @@ -23,8 +22,6 @@ udp dport 70-75 accept;ok udp dport != 50-60 accept;ok udp dport { 49, 50} drop;ok udp dport != { 50, 60} accept;ok -udp dport { 70-75} accept;ok -udp dport != { 50-60} accept;ok udp length 6666;ok udp length != 6666;ok @@ -32,8 +29,6 @@ udp length 50-65 accept;ok udp length != 50-65 accept;ok udp length { 50, 65} accept;ok udp length != { 50, 65} accept;ok -udp length { 35-50};ok -udp length != { 35-50};ok udp checksum 6666 drop;ok udp checksum != { 444, 555} accept;ok @@ -44,8 +39,6 @@ udp checksum 33-45;ok udp checksum != 33-45;ok udp checksum { 33, 55, 67, 88};ok udp checksum != { 33, 55, 67, 88};ok -udp checksum { 33-55};ok -udp checksum != { 33-55};ok # limit impact to lo iif "lo" udp checksum set 0;ok diff --git a/tests/py/inet/udp.t.json b/tests/py/inet/udp.t.json index f8826640..665998ec 100644 --- a/tests/py/inet/udp.t.json +++ b/tests/py/inet/udp.t.json @@ -126,46 +126,6 @@ } ] -# udp sport { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - -# udp sport != { 13-24} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 13, 24 ] } - ] - } - } - } -] - # udp dport 80 accept [ { @@ -294,52 +254,6 @@ } ] -# udp dport { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - -# udp dport != { 50-60} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 50, 60 ] } - ] - } - } - }, - { - "accept": null - } -] - # udp length 6666 [ { @@ -462,46 +376,6 @@ } ] -# udp length { 35-50} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 35, 50 ] } - ] - } - } - } -] - -# udp length != { 35-50} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 35, 50 ] } - ] - } - } - } -] - # udp checksum 6666 drop [ { @@ -659,46 +533,6 @@ } ] -# udp checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# udp checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # iif "lo" udp checksum set 0 [ { diff --git a/tests/py/inet/udp.t.payload b/tests/py/inet/udp.t.payload index d91eb784..e6beda7f 100644 --- a/tests/py/inet/udp.t.payload +++ b/tests/py/inet/udp.t.payload @@ -53,26 +53,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp sport { 12-40} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp sport != { 13-24} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000d00 : 0 [end] element 00001900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udp dport 80 accept inet test-inet input [ meta load l4proto => reg 1 ] @@ -128,28 +108,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp dport { 70-75} accept -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# udp dport != { 50-60} accept -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00003200 : 0 [end] element 00003d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - # udp length 6666 inet test-inet input [ meta load l4proto => reg 1 ] @@ -203,26 +161,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp length { 35-50} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp length != { 35-50} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udp checksum 6666 drop inet test-inet input [ meta load l4proto => reg 1 ] @@ -291,26 +229,6 @@ inet test-inet input [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# udp checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # iif "lo" udp checksum set 0 inet test-inet input [ meta load iif => reg 1 ] diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t index 7c22acb9..6a54709c 100644 --- a/tests/py/inet/udplite.t +++ b/tests/py/inet/udplite.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress udplite sport 80 accept;ok udplite sport != 60 accept;ok @@ -12,8 +13,6 @@ udplite sport 50-70 accept;ok udplite sport != 50-60 accept;ok udplite sport { 49, 50} drop;ok udplite sport != { 49, 50} accept;ok -udplite sport { 12-40};ok -udplite sport != { 12-40};ok udplite dport 80 accept;ok udplite dport != 60 accept;ok @@ -21,8 +20,6 @@ udplite dport 70-75 accept;ok udplite dport != 50-60 accept;ok udplite dport { 49, 50} drop;ok udplite dport != { 49, 50} accept;ok -udplite dport { 70-75} accept;ok -udplite dport != { 70-75} accept;ok - udplite csumcov 6666;ok - udplite csumcov != 6666;ok @@ -30,8 +27,6 @@ udplite dport != { 70-75} accept;ok - udplite csumcov != 50-65 accept;ok - udplite csumcov { 50, 65} accept;ok - udplite csumcov != { 50, 65} accept;ok -- udplite csumcov { 35-50};ok -- udplite csumcov != { 35-50};ok udplite checksum 6666 drop;ok udplite checksum != { 444, 555} accept;ok @@ -41,5 +36,3 @@ udplite checksum 33-45;ok udplite checksum != 33-45;ok udplite checksum { 33, 55, 67, 88};ok udplite checksum != { 33, 55, 67, 88};ok -udplite checksum { 33-55};ok -udplite checksum != { 33-55};ok diff --git a/tests/py/inet/udplite.t.json b/tests/py/inet/udplite.t.json index f56bee47..713a534f 100644 --- a/tests/py/inet/udplite.t.json +++ b/tests/py/inet/udplite.t.json @@ -126,46 +126,6 @@ } ] -# udplite sport { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - -# udplite sport != { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - # udplite dport 80 accept [ { @@ -294,52 +254,6 @@ } ] -# udplite dport { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - -# udplite dport != { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - # udplite checksum 6666 drop [ { @@ -497,43 +411,3 @@ } ] -# udplite checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# udplite checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/inet/udplite.t.payload b/tests/py/inet/udplite.t.payload index eb3dc075..de9d09ed 100644 --- a/tests/py/inet/udplite.t.payload +++ b/tests/py/inet/udplite.t.payload @@ -53,26 +53,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udplite sport { 12-40} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udplite sport != { 12-40} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udplite dport 80 accept inet test-inet input [ meta load l4proto => reg 1 ] @@ -128,28 +108,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udplite dport { 70-75} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# udplite dport != { 70-75} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - # udplite checksum 6666 drop inet test-inet input [ meta load l4proto => reg 1 ] @@ -218,23 +176,3 @@ inet test-inet input [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# udplite checksum { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udplite checksum != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/inet/vmap.t b/tests/py/inet/vmap.t new file mode 100644 index 00000000..0ac6e561 --- /dev/null +++ b/tests/py/inet/vmap.t @@ -0,0 +1,10 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop };ok;iifname . ip protocol . th dport vmap { "eth0" . 6 . 22 : accept, "eth1" . 17 . 67 : drop } +ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e };ok +udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept };ok diff --git a/tests/py/inet/vmap.t.json b/tests/py/inet/vmap.t.json new file mode 100644 index 00000000..37472cc6 --- /dev/null +++ b/tests/py/inet/vmap.t.json @@ -0,0 +1,144 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + "eth0", + 6, + 22 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "eth1", + 17, + 67 + ] + }, + { + "drop": null + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + } +] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "base": "ih", + "len": 32, + "offset": 32 + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + } + } + } +] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "accept": null + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + { + "payload": { + "base": "th", + "len": 128, + "offset": 160 + } + } + ] + } + } + } +] + diff --git a/tests/py/inet/vmap.t.payload b/tests/py/inet/vmap.t.payload new file mode 100644 index 00000000..29ec846d --- /dev/null +++ b/tests/py/inet/vmap.t.payload @@ -0,0 +1,34 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +__map%d test-inet b size 2 +__map%d test-inet 0 + element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load iifname => reg 1 ] + [ payload load 1b @ network header + 9 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 13 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ inner header + 4 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +__map%d x 8f size 1 +__map%d x 0 + element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end] +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 16b @ transport header + 20 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + diff --git a/tests/py/inet/vmap.t.payload.netdev b/tests/py/inet/vmap.t.payload.netdev new file mode 100644 index 00000000..3f51bb33 --- /dev/null +++ b/tests/py/inet/vmap.t.payload.netdev @@ -0,0 +1,34 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +__map%d test-netdev b size 2 +__map%d test-netdev 0 + element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load iifname => reg 1 ] + [ payload load 1b @ network header + 9 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 13 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +__set%d test-netdev 3 size 2 +__set%d test-netdev 0 + element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ inner header + 4 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +__map%d test-netdev 8f size 1 +__map%d test-netdev 0 + element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end] +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 16b @ transport header + 20 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + diff --git a/tests/py/inet/vxlan.t b/tests/py/inet/vxlan.t new file mode 100644 index 00000000..10cdb7a4 --- /dev/null +++ b/tests/py/inet/vxlan.t @@ -0,0 +1,23 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +vxlan vni 10;fail +udp dport 4789 vxlan vni 10;ok +udp dport 4789 vxlan ip saddr 10.141.11.2;ok +udp dport 4789 vxlan ip saddr 10.141.11.0/24;ok +udp dport 4789 vxlan ip protocol 1;ok +udp dport 4789 vxlan udp sport 8888;ok +udp dport 4789 vxlan icmp type echo-reply;ok +udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05;ok +udp dport 4789 vxlan vlan id 10;ok +udp dport 4789 vxlan ip dscp 0x02;ok +udp dport 4789 vxlan ip dscp 0x02;ok +udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +udp dport 4789 vxlan ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/vxlan.t.json b/tests/py/inet/vxlan.t.json new file mode 100644 index 00000000..91b3d294 --- /dev/null +++ b/tests/py/inet/vxlan.t.json @@ -0,0 +1,344 @@ +# udp dport 4789 vxlan vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "vxlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 4789 vxlan ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 4789 vxlan udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 4789 vxlan icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 4789 vxlan vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "vxlan" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/vxlan.t.payload b/tests/py/inet/vxlan.t.payload new file mode 100644 index 00000000..cde8e56f --- /dev/null +++ b/tests/py/inet/vxlan.t.payload @@ -0,0 +1,114 @@ +# udp dport 4789 vxlan vni 10 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ cmp eq reg 1 0x000a0000 ] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# udp dport 4789 vxlan ip protocol 1 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# udp dport 4789 vxlan udp sport 8888 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# udp dport 4789 vxlan icmp type echo-reply +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# udp dport 4789 vxlan vlan id 10 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# udp dport 4789 vxlan ip dscp 0x02 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-netdev 3 size 1 +__set%d test-netdev 0 + element 04030201 01020304 : 0 [end] +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t index d3247f79..a0a22289 100644 --- a/tests/py/ip/ct.t +++ b/tests/py/ip/ct.t @@ -21,3 +21,16 @@ ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-s # wrong address family ct reply ip daddr dead::beef;fail + +meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail +meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok +meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };fail +meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok +ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail +ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok +ct mark set ip dscp << 2 | 0x10;ok +ct mark set ip dscp << 26 | 0x10;ok +ct mark set ip dscp & 0x0f << 1;ok;ct mark set ip dscp & af33 +ct mark set ip dscp & 0x0f << 2;ok;ct mark set ip dscp & 0x3c +ct mark set ip dscp | 0x04;ok +ct mark set ip dscp | 1 << 20;ok;ct mark set ip dscp | 0x100000 diff --git a/tests/py/ip/ct.t.json b/tests/py/ip/ct.t.json index 881cd4c9..915632ae 100644 --- a/tests/py/ip/ct.t.json +++ b/tests/py/ip/ct.t.json @@ -216,3 +216,266 @@ } ] +# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + "1.1.1.1", + 17 + ] + ] + }, + "key": { + "ct": { + "dir": "original", + "key": "ip daddr" + } + } + } + } + } + } +] + +# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + 30 + ] + ] + }, + "key": { + "concat": [ + { + "ct": { + "dir": "original", + "key": "ip saddr" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + } + } + } + } + } +] + +# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 } +[ + { + "match": { + "left": { + "concat": [ + { + "ct": { + "dir": "original", + "key": "ip saddr" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + 20 + ] + } + ] + } + } + } +] + +# ct mark set ip dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip dscp & 0x0f << 1 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "af33" + ] + } + } + } +] + +# ct mark set ip dscp & 0x0f << 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 60 + ] + } + } + } +] + +# ct mark set ip dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip dscp | 1 << 20 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 1048576 + ] + } + } + } +] diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload index d5faed4c..692011d0 100644 --- a/tests/py/ip/ct.t.payload +++ b/tests/py/ip/ct.t.payload @@ -21,25 +21,21 @@ ip test-ip4 output # ct original ip saddr 192.168.1.0/24 ip test-ip4 output [ ct load src_ip => reg 1 , dir original ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0001a8c0 ] # ct reply ip saddr 192.168.1.0/24 ip test-ip4 output [ ct load src_ip => reg 1 , dir reply ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0001a8c0 ] # ct original ip daddr 192.168.1.0/24 ip test-ip4 output [ ct load dst_ip => reg 1 , dir original ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0001a8c0 ] # ct reply ip daddr 192.168.1.0/24 ip test-ip4 output [ ct load dst_ip => reg 1 , dir reply ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0001a8c0 ] # ct l3proto ipv4 @@ -60,3 +56,81 @@ ip test-ip4 output [ cmp eq reg 1 0x00000011 ] [ ct load proto_src => reg 1 , dir reply ] [ cmp eq reg 1 0x00003500 ] + +# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 : 00000011 0 [end] +ip + [ ct load dst_ip => reg 1 , dir original ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 00000014 : 0000001e 0 [end] +ip + [ ct load src_ip => reg 1 , dir original ] + [ meta load mark => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 } +__set%d test-ip4 3 +__set%d test-ip4 0 + element 01010101 00000014 : 0 [end] +ip + [ ct load src_ip => reg 1 , dir original ] + [ meta load mark => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ct mark set ip dscp << 2 | 0x10 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp << 26 | 0x10 +ip + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp & 0x0f << 1 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp & 0x0f << 2 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp | 0x04 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp | 1 << 20 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffefffff ) ^ 0x00100000 ] + [ ct set mark with reg 1 ] diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t index 089017c8..881571db 100644 --- a/tests/py/ip/dnat.t +++ b/tests/py/ip/dnat.t @@ -8,6 +8,16 @@ iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2;ok iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2;ok iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999;ok dnat to ct mark map { 0x00000014 : 1.2.3.4};ok dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok + +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 };ok +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 };ok +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 };ok +ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 };ok +meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 };ok +dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 };ok diff --git a/tests/py/ip/dnat.t.json b/tests/py/ip/dnat.t.json index 0481a368..fe15d072 100644 --- a/tests/py/ip/dnat.t.json +++ b/tests/py/ip/dnat.t.json @@ -262,3 +262,482 @@ } ] +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": "192.168.3.2", + "port": { + "range": [ + 8080, + 8999 + ] + } + } + } +] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": { + "range": [ + "192.168.3.2", + "192.168.3.4" + ] + }, + "port": { + "range": [ + 8080, + 8999 + ] + } + } + } +] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": { + "range": [ + "192.168.3.2", + "192.168.3.4" + ] + }, + "port": 8080 + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + "10.141.10.2", + { + "range": [ + 8888, + 8999 + ] + } + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.141.10.0", + "len": 24 + } + }, + { + "range": [ + 8888, + 8999 + ] + } + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.141.10.0", + "len": 24 + } + }, + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + 80, + { + "concat": [ + "10.141.10.4", + 8080 + ] + } + ], + [ + 443, + { + "concat": [ + "10.141.10.4", + 8443 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "10.1.1.136" + ] + }, + { + "concat": [ + "1.1.2.69", + 22 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + { + "range": [ + "10.1.1.1", + "10.1.1.135" + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "1.1.2.66", + "1.84.236.78" + ] + }, + 22 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "10.1.1.136" + ] + }, + { + "prefix": { + "addr": "1.1.2.69", + "len": 32 + } + } + ], + [ + { + "concat": [ + "enp2s0", + { + "range": [ + "10.1.1.1", + "10.1.1.135" + ] + } + ] + }, + { + "range": [ + "1.1.2.66", + "1.84.236.78" + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip index 1b869d0a..439c6abe 100644 --- a/tests/py/ip/dnat.t.payload.ip +++ b/tests/py/ip/dnat.t.payload.ip @@ -8,7 +8,7 @@ ip test-ip4 prerouting [ cmp gte reg 1 0x00005000 ] [ cmp lte reg 1 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2 ip test-ip4 prerouting @@ -19,7 +19,7 @@ ip test-ip4 prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2 __set%d test-ip4 3 @@ -33,7 +33,7 @@ ip test-ip4 prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2 __set%d test-ip4 3 @@ -47,7 +47,7 @@ ip test-ip4 prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2 ip test-ip4 prerouting @@ -58,7 +58,7 @@ ip test-ip4 prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00001700 0x00002200 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080 ip test-ip4 prerouting @@ -70,7 +70,7 @@ ip test-ip4 prerouting [ cmp eq reg 1 0x00005100 ] [ immediate reg 1 0x0203a8c0 ] [ immediate reg 2 0x0000901f ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] # dnat to ct mark map { 0x00000014 : 1.2.3.4} __map%d test-ip4 b @@ -79,7 +79,7 @@ __map%d test-ip4 0 ip test-ip4 prerouting [ ct load mark => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} __map%d test-ip4 b @@ -89,5 +89,116 @@ ip test-ip4 output [ ct load mark => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 000a8d0a 0000b822 ff0a8d0a 00002723 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 000a8d0a 00005000 ff0a8d0a 00005000 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 020a8d0a 0000b822 020a8d0a 00002723 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0000901f ] + [ immediate reg 3 0x00002723 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 proto_max reg 3 flags 0x2 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0403a8c0 ] + [ immediate reg 3 0x0000901f ] + [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0403a8c0 ] + [ immediate reg 3 0x0000901f ] + [ immediate reg 4 0x00002723 ] + [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ] + +# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +__map%d test-ip4 b size 2 +__map%d test-ip4 0 + element 0000bb01 : 040a8d0a 0000fb20 0 [end] element 00005000 : 040a8d0a 0000901f 0 [end] +ip + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 proto_min reg 9 ] + +# meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } +__map%d test-ip4 8f size 2 +__map%d test-ip4 0 + element 32706e65 00003073 00000000 00000000 8801010a - 32706e65 00003073 00000000 00000000 8801010a : 45020101 00001600 45020101 00001600 0 [end] element 32706e65 00003073 00000000 00000000 0101010a - 32706e65 00003073 00000000 00000000 8701010a : 42020101 00001600 4eec5401 00001600 0 [end] +ip test-ip4 prerouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load iifname => reg 1 ] + [ payload load 4b @ network header + 12 => reg 2 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } +__map%d test-ip4 8f size 2 +__map%d test-ip4 0 + element 32706e65 00003073 00000000 00000000 8801010a - 32706e65 00003073 00000000 00000000 8801010a : 45020101 45020101 0 [end] element 32706e65 00003073 00000000 00000000 0101010a - 32706e65 00003073 00000000 00000000 8701010a : 42020101 4eec5401 0 [end] +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ payload load 4b @ network header + 12 => reg 2 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 9 ] diff --git a/tests/py/ip/flowtable.t b/tests/py/ip/flowtable.t deleted file mode 100644 index 086c6cf6..00000000 --- a/tests/py/ip/flowtable.t +++ /dev/null @@ -1,5 +0,0 @@ -:input;type filter hook input priority 0 - -*ip;test-ip;input - -meter xyz size 8192 { ip saddr timeout 30s counter};ok diff --git a/tests/py/ip/flowtable.t.json b/tests/py/ip/flowtable.t.json deleted file mode 100644 index a03cc9d7..00000000 --- a/tests/py/ip/flowtable.t.json +++ /dev/null @@ -1,24 +0,0 @@ -# meter xyz size 8192 { ip saddr timeout 30s counter} -[ - { - "meter": { - "key": { - "elem": { - "timeout": 30, - "val": { - "payload": { - "field": "saddr", - "protocol": "ip" - } - } - } - }, - "name": "xyz", - "size": 8192, - "stmt": { - "counter": null - } - } - } -] - diff --git a/tests/py/ip/flowtable.t.payload b/tests/py/ip/flowtable.t.payload deleted file mode 100644 index c0aad39e..00000000 --- a/tests/py/ip/flowtable.t.payload +++ /dev/null @@ -1,7 +0,0 @@ -# meter xyz size 8192 { ip saddr timeout 30s counter} -xyz test-ip 31 -xyz test-ip 0 -ip test-ip input - [ payload load 4b @ network header + 12 => reg 1 ] - [ dynset update reg_key 1 set xyz timeout 30000ms expr [ counter pkts 0 bytes 0 ] ] - diff --git a/tests/py/ip/hash.t.payload b/tests/py/ip/hash.t.payload index 71ab0652..fefe492d 100644 --- a/tests/py/ip/hash.t.payload +++ b/tests/py/ip/hash.t.payload @@ -41,7 +41,7 @@ ip test-ip4 pre [ payload load 4b @ network header + 12 => reg 2 ] [ hash reg 1 = jhash(reg 2, 4, 0xdeadbeef) % mod 2 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # ct mark set symhash mod 2 offset 100 ip test-ip4 pre diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t index 6c05fb9d..226c339b 100644 --- a/tests/py/ip/icmp.t +++ b/tests/py/ip/icmp.t @@ -26,51 +26,43 @@ icmp code 111 accept;ok icmp code != 111 accept;ok icmp code 33-55;ok icmp code != 33-55;ok -icmp code { 33-55};ok -icmp code != { 33-55};ok -icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, 4, 33, 54, 56} -icmp code != { prot-unreachable, 4, 33, 54, 56};ok +icmp code { 2, 4, 54, 33, 56};ok +icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok;icmp code != { 2, 4, 33, 54, 56} icmp checksum 12343 accept;ok icmp checksum != 12343 accept;ok icmp checksum 11-343 accept;ok icmp checksum != 11-343 accept;ok -icmp checksum { 11-343} accept;ok -icmp checksum != { 11-343} accept;ok icmp checksum { 1111, 222, 343} accept;ok icmp checksum != { 1111, 222, 343} accept;ok -icmp id 1245 log;ok -icmp id 22;ok -icmp id != 233;ok -icmp id 33-45;ok -icmp id != 33-45;ok -icmp id { 33-55};ok -icmp id != { 33-55};ok -icmp id { 22, 34, 333};ok -icmp id != { 22, 34, 333};ok +icmp id 1245 log;ok;icmp type { echo-reply, echo-request} icmp id 1245 log +icmp id 22;ok;icmp type { echo-reply, echo-request} icmp id 22 +icmp id != 233;ok;icmp type { echo-reply, echo-request} icmp id != 233 +icmp id 33-45;ok;icmp type { echo-reply, echo-request} icmp id 33-45 +icmp id != 33-45;ok;icmp type { echo-reply, echo-request} icmp id != 33-45 -icmp sequence 22;ok -icmp sequence != 233;ok -icmp sequence 33-45;ok -icmp sequence != 33-45;ok -icmp sequence { 33, 55, 67, 88};ok -icmp sequence != { 33, 55, 67, 88};ok -icmp sequence { 33-55};ok -icmp sequence != { 33-55};ok +icmp id { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id { 22, 34, 333} +icmp id != { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id != { 22, 34, 333} + +icmp sequence 22;ok;icmp type { echo-reply, echo-request} icmp sequence 22 +icmp sequence != 233;ok;icmp type { echo-reply, echo-request} icmp sequence != 233 +icmp sequence 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence 33-45 +icmp sequence != 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence != 33-45 +icmp sequence { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence { 33, 55, 67, 88} +icmp sequence != { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33, 55, 67, 88} +icmp id 1 icmp sequence 2;ok;icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 +icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2;ok +icmp type echo-reply icmp id 1;ok icmp mtu 33;ok icmp mtu 22-33;ok -icmp mtu { 22-33};ok -icmp mtu != { 22-33};ok icmp mtu 22;ok icmp mtu != 233;ok icmp mtu 33-45;ok icmp mtu != 33-45;ok icmp mtu { 33, 55, 67, 88};ok icmp mtu != { 33, 55, 67, 88};ok -icmp mtu { 33-55};ok -icmp mtu != { 33-55};ok icmp gateway 22;ok icmp gateway != 233;ok @@ -78,7 +70,8 @@ icmp gateway 33-45;ok icmp gateway != 33-45;ok icmp gateway { 33, 55, 67, 88};ok icmp gateway != { 33, 55, 67, 88};ok -icmp gateway { 33-55};ok -icmp gateway != { 33-55};ok icmp gateway != 34;ok icmp gateway != { 333, 334};ok + +icmp code 1 icmp type 2;ok;icmp type 2 icmp code 1 +icmp code != 1 icmp type 2 icmp mtu 5;fail diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json index 4e172745..45e04c78 100644 --- a/tests/py/ip/icmp.t.json +++ b/tests/py/ip/icmp.t.json @@ -8,7 +8,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "echo-reply" } }, @@ -27,7 +27,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "destination-unreachable" } }, @@ -46,7 +46,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "source-quench" } }, @@ -65,7 +65,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "redirect" } }, @@ -84,7 +84,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "echo-request" } }, @@ -103,7 +103,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "time-exceeded" } }, @@ -122,7 +122,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "parameter-problem" } }, @@ -141,7 +141,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "timestamp-request" } }, @@ -160,7 +160,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "timestamp-reply" } }, @@ -179,7 +179,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "info-request" } }, @@ -198,7 +198,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "info-reply" } }, @@ -217,7 +217,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "address-mask-request" } }, @@ -236,7 +236,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "address-mask-reply" } }, @@ -255,7 +255,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "router-advertisement" } }, @@ -274,7 +274,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": "router-solicitation" } }, @@ -293,7 +293,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ "echo-reply", @@ -301,6 +301,8 @@ "source-quench", "redirect", "echo-request", + "router-advertisement", + "router-solicitation", "time-exceeded", "parameter-problem", "timestamp-request", @@ -308,9 +310,7 @@ "info-request", "info-reply", "address-mask-request", - "address-mask-reply", - "router-advertisement", - "router-solicitation" + "address-mask-reply" ] } } @@ -352,7 +352,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": 111 } }, @@ -390,53 +390,18 @@ "protocol": "icmp" } }, - "op": "==", - "right": { - "range": [ 33, 55 ] - } - } - } -] - -# icmp code != 33-55 -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmp" - } - }, - "op": "!=", - "right": { - "range": [ 33, 55 ] - } - } - } -] - -# icmp code { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmp" - } - }, - "op": "==", + "op": "==", "right": { - "set": [ - { "range": [ 33, 55 ] } + "range": [ + 33, + 55 ] } } } ] -# icmp code != { 33-55} +# icmp code != 33-55 [ { "match": { @@ -448,8 +413,9 @@ }, "op": "!=", "right": { - "set": [ - { "range": [ 33, 55 ] } + "range": [ + 33, + 55 ] } } @@ -466,7 +432,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ 2, @@ -480,7 +446,7 @@ } ] -# icmp code != { prot-unreachable, 4, 33, 54, 56} +# icmp code != { prot-unreachable, frag-needed, 33, 54, 56} [ { "match": { @@ -493,7 +459,7 @@ "op": "!=", "right": { "set": [ - "prot-unreachable", + 2, 4, 33, 54, @@ -514,7 +480,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": 12343 } }, @@ -552,52 +518,11 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { - "range": [ 11, 343 ] - } - } - }, - { - "accept": null - } -] - -# icmp checksum != 11-343 accept -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "icmp" - } - }, - "op": "!=", - "right": { - "range": [ 11, 343 ] - } - } - }, - { - "accept": null - } -] - -# icmp checksum { 11-343} accept -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 11, 343 ] } + "range": [ + 11, + 343 ] } } @@ -607,7 +532,7 @@ } ] -# icmp checksum != { 11-343} accept +# icmp checksum != 11-343 accept [ { "match": { @@ -619,8 +544,9 @@ }, "op": "!=", "right": { - "set": [ - { "range": [ 11, 343 ] } + "range": [ + 11, + 343 ] } } @@ -640,12 +566,12 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ - 1111, 222, - 343 + 343, + 1111 ] } } @@ -668,9 +594,9 @@ "op": "!=", "right": { "set": [ - 1111, 222, - 343 + 343, + 1111 ] } } @@ -690,7 +616,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": 1245 } }, @@ -709,7 +635,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": 22 } } @@ -737,20 +663,19 @@ "match": { "left": { "payload": { - "field": "id", + "field": "type", "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { - "range": [ 33, 45 ] + "set": [ + "echo-reply", + "echo-request" + ] } } - } -] - -# icmp id != 33-45 -[ + }, { "match": { "left": { @@ -759,36 +684,36 @@ "protocol": "icmp" } }, - "op": "!=", + "op": "==", "right": { - "range": [ 33, 45 ] + "range": [ + 33, + 45 + ] } } } ] -# icmp id { 33-55} +# icmp id != 33-45 [ { "match": { "left": { "payload": { - "field": "id", + "field": "type", "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "echo-reply", + "echo-request" ] } } - } -] - -# icmp id != { 33-55} -[ + }, { "match": { "left": { @@ -799,8 +724,9 @@ }, "op": "!=", "right": { - "set": [ - { "range": [ 33, 55 ] } + "range": [ + 33, + 45 ] } } @@ -813,11 +739,28 @@ "match": { "left": { "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { "field": "id", "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ 22, @@ -835,6 +778,23 @@ "match": { "left": { "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { "field": "id", "protocol": "icmp" } @@ -857,11 +817,28 @@ "match": { "left": { "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { "field": "sequence", "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": 22 } } @@ -873,6 +850,23 @@ "match": { "left": { "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { "field": "sequence", "protocol": "icmp" } @@ -889,13 +883,33 @@ "match": { "left": { "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { "field": "sequence", "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { - "range": [ 33, 45 ] + "range": [ + 33, + 45 + ] } } } @@ -907,13 +921,33 @@ "match": { "left": { "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { "field": "sequence", "protocol": "icmp" } }, "op": "!=", "right": { - "range": [ 33, 45 ] + "range": [ + 33, + 45 + ] } } } @@ -925,11 +959,28 @@ "match": { "left": { "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { "field": "sequence", "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ 33, @@ -948,6 +999,23 @@ "match": { "left": { "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { "field": "sequence", "protocol": "icmp" } @@ -965,121 +1033,125 @@ } ] -# icmp sequence { 33-55} +# icmp id 1 icmp sequence 2 [ { "match": { "left": { "payload": { - "field": "sequence", + "field": "type", "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "echo-reply", + "echo-request" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "==", + "right": 2 + } } ] -# icmp sequence != { 33-55} +# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 [ { "match": { "left": { "payload": { - "field": "sequence", + "field": "type", "protocol": "icmp" } }, - "op": "!=", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "echo-reply", + "echo-request" ] } } - } -] - -# icmp mtu 33 -[ + }, { "match": { "left": { "payload": { - "field": "mtu", + "field": "id", "protocol": "icmp" } }, - "op": "==", - "right": 33 + "op": "==", + "right": 1 } - } -] - -# icmp mtu 22-33 -[ + }, { "match": { "left": { "payload": { - "field": "mtu", + "field": "sequence", "protocol": "icmp" } }, - "op": "==", - "right": { - "range": [ 22, 33 ] - } + "op": "==", + "right": 2 } } ] -# icmp mtu { 22-33} +# icmp type echo-reply icmp id 1 [ { "match": { "left": { "payload": { - "field": "mtu", + "field": "type", "protocol": "icmp" } }, - "op": "==", - "right": { - "set": [ - { "range": [ 22, 33 ] } - ] - } + "op": "==", + "right": "echo-reply" } - } -] - -# icmp mtu != { 22-33} -[ + }, { "match": { "left": { "payload": { - "field": "mtu", + "field": "id", "protocol": "icmp" } }, - "op": "!=", - "right": { - "set": [ - { "range": [ 22, 33 ] } - ] - } + "op": "==", + "right": 1 } } ] -# icmp mtu 22 +# icmp mtu 33 [ { "match": { @@ -1089,13 +1161,13 @@ "protocol": "icmp" } }, - "op": "==", - "right": 22 + "op": "==", + "right": 33 } } ] -# icmp mtu != 233 +# icmp mtu 22-33 [ { "match": { @@ -1105,13 +1177,18 @@ "protocol": "icmp" } }, - "op": "!=", - "right": 233 + "op": "==", + "right": { + "range": [ + 22, + 33 + ] + } } } ] -# icmp mtu 33-45 +# icmp mtu 22 [ { "match": { @@ -1121,15 +1198,13 @@ "protocol": "icmp" } }, - "op": "==", - "right": { - "range": [ 33, 45 ] - } + "op": "==", + "right": 22 } } ] -# icmp mtu != 33-45 +# icmp mtu != 233 [ { "match": { @@ -1140,14 +1215,12 @@ } }, "op": "!=", - "right": { - "range": [ 33, 45 ] - } + "right": 233 } } ] -# icmp mtu { 33, 55, 67, 88} +# icmp mtu 33-45 [ { "match": { @@ -1157,20 +1230,18 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { - "set": [ + "range": [ 33, - 55, - 67, - 88 + 45 ] } } } ] -# icmp mtu != { 33, 55, 67, 88} +# icmp mtu != 33-45 [ { "match": { @@ -1182,18 +1253,16 @@ }, "op": "!=", "right": { - "set": [ + "range": [ 33, - 55, - 67, - 88 + 45 ] } } } ] -# icmp mtu { 33-55} +# icmp mtu { 33, 55, 67, 88} [ { "match": { @@ -1203,17 +1272,20 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + 33, + 55, + 67, + 88 ] } } } ] -# icmp mtu != { 33-55} +# icmp mtu != { 33, 55, 67, 88} [ { "match": { @@ -1226,7 +1298,10 @@ "op": "!=", "right": { "set": [ - { "range": [ 33, 55 ] } + 33, + 55, + 67, + 88 ] } } @@ -1243,7 +1318,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": 22 } } @@ -1275,9 +1350,12 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { - "range": [ 33, 45 ] + "range": [ + 33, + 45 + ] } } } @@ -1295,7 +1373,10 @@ }, "op": "!=", "right": { - "range": [ 33, 45 ] + "range": [ + 33, + 45 + ] } } } @@ -1311,7 +1392,7 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ 33, @@ -1347,7 +1428,7 @@ } ] -# icmp gateway { 33-55} +# icmp gateway != 34 [ { "match": { @@ -1357,17 +1438,13 @@ "protocol": "icmp" } }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "!=", + "right": 34 } } ] -# icmp gateway != { 33-55} +# icmp gateway != { 333, 334} [ { "match": { @@ -1380,47 +1457,38 @@ "op": "!=", "right": { "set": [ - { "range": [ 33, 55 ] } + 333, + 334 ] } } } ] -# icmp gateway != 34 +# icmp code 1 icmp type 2 [ { "match": { "left": { "payload": { - "field": "gateway", + "field": "type", "protocol": "icmp" } }, - "op": "!=", - "right": 34 + "op": "==", + "right": 2 } - } -] - -# icmp gateway != { 333, 334} -[ + }, { "match": { "left": { "payload": { - "field": "gateway", + "field": "code", "protocol": "icmp" } }, - "op": "!=", - "right": { - "set": [ - 333, - 334 - ] - } + "op": "==", + "right": 1 } } ] - diff --git a/tests/py/ip/icmp.t.json.output b/tests/py/ip/icmp.t.json.output index e8045bb8..52fd6016 100644 --- a/tests/py/ip/icmp.t.json.output +++ b/tests/py/ip/icmp.t.json.output @@ -1,4 +1,28 @@ -# icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation} accept +# icmp code { 2, 4, 54, 33, 56} +[ + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + 2, + 4, + 33, + 54, + 56 + ] + } + } + } +] + +# icmp id 1245 log [ { "match": { @@ -8,104 +32,138 @@ "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ "echo-reply", - "destination-unreachable", - "source-quench", - "redirect", - "echo-request", - "router-advertisement", - "router-solicitation", - "time-exceeded", - "parameter-problem", - "timestamp-request", - "timestamp-reply", - "info-request", - "info-reply", - "address-mask-request", - "address-mask-reply" + "echo-request" ] } } }, { - "accept": null + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 1245 + } + }, + { + "log": null } ] -# icmp code { 2, 4, 54, 33, 56} +# icmp id 22 [ { "match": { "left": { "payload": { - "field": "code", + "field": "type", "protocol": "icmp" } }, "op": "==", "right": { "set": [ - "prot-unreachable", - 4, - 33, - 54, - 56 + "echo-reply", + "echo-request" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 22 + } } ] -# icmp checksum { 1111, 222, 343} accept +# icmp id != 233 [ { "match": { "left": { "payload": { - "field": "checksum", + "field": "type", "protocol": "icmp" } }, - "op": "==", + "op": "==", "right": { "set": [ - 222, - 343, - 1111 + "echo-reply", + "echo-request" ] } } }, { - "accept": null + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 233 + } } ] -# icmp checksum != { 1111, 222, 343} accept +# icmp id { 33-55} [ { "match": { "left": { "payload": { - "field": "checksum", + "field": "type", "protocol": "icmp" } }, - "op": "!=", + "op": "==", "right": { "set": [ - 222, - 343, - 1111 + "echo-reply", + "echo-request" ] } } }, { - "accept": null + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + { + "range": [ + 33, + 55 + ] + } + ] + } + } } ] + diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip index 27f22207..3bc6de3c 100644 --- a/tests/py/ip/icmp.t.payload.ip +++ b/tests/py/ip/icmp.t.payload.ip @@ -102,17 +102,6 @@ ip test-ip4 input [ cmp eq reg 1 0x00000012 ] [ immediate reg 0 accept ] -# icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply} accept -__set%d test-ip4 3 -__set%d test-ip4 0 - element 00000000 : 0 [end] element 00000003 : 0 [end] element 00000004 : 0 [end] element 00000005 : 0 [end] element 00000008 : 0 [end] element 0000000b : 0 [end] element 0000000c : 0 [end] element 0000000d : 0 [end] element 0000000e : 0 [end] element 0000000f : 0 [end] element 00000010 : 0 [end] element 00000011 : 0 [end] element 00000012 : 0 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - # icmp type != {echo-reply, destination-unreachable, source-quench} __set%d test-ip4 3 __set%d test-ip4 0 @@ -154,26 +143,6 @@ ip test-ip4 input [ payload load 1b @ transport header + 1 => reg 1 ] [ range neq reg 1 0x00000021 0x00000037 ] -# icmp code { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp code != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmp code { 2, 4, 54, 33, 56} __set%d test-ip4 3 __set%d test-ip4 0 @@ -184,7 +153,7 @@ ip test-ip4 input [ payload load 1b @ transport header + 1 => reg 1 ] [ lookup reg 1 set __set%d ] -# icmp code != { prot-unreachable, 4, 33, 54, 56} +# icmp code != { prot-unreachable, frag-needed, 33, 54, 56} __set%d test-ip4 3 __set%d test-ip4 0 element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000036 : 0 [end] element 00000021 : 0 [end] element 00000038 : 0 [end] @@ -227,28 +196,6 @@ ip test-ip4 input [ range neq reg 1 0x00000b00 0x00005701 ] [ immediate reg 0 accept ] -# icmp checksum { 11-343} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# icmp checksum != { 11-343} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - # icmp checksum { 1111, 222, 343} accept __set%d test-ip4 3 __set%d test-ip4 0 @@ -272,155 +219,215 @@ ip test-ip4 input [ immediate reg 0 accept ] # icmp id 1245 log +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ cmp eq reg 1 0x0000dd04 ] [ log ] # icmp id 22 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ cmp eq reg 1 0x00001600 ] # icmp id != 233 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] # icmp id 33-45 +__set%d test-ip4 3 +__set%d test-ip4 input + element 00000008 : 0 [end] element 00000000 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] # icmp id != 33-45 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ range neq reg 1 0x00002100 0x00002d00 ] - -# icmp id { 33-55} -__set%d test-ip4 7 +__set%d test-ip4 3 __set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] + element 00000008 : 0 [end] element 00000000 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] - -# icmp id != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] # icmp id { 22, 34, 333} __set%d test-ip4 3 __set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +__set%d test-ip4 3 +__set%d test-ip4 0 element 00001600 : 0 [end] element 00002200 : 0 [end] element 00004d01 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d ] # icmp id != { 22, 34, 333} __set%d test-ip4 3 __set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +__set%d test-ip4 3 +__set%d test-ip4 0 element 00001600 : 0 [end] element 00002200 : 0 [end] element 00004d01 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # icmp sequence 22 -ip test-ip4 input +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp eq reg 1 0x00001600 ] # icmp sequence != 233 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] # icmp sequence 33-45 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] # icmp sequence != 33-45 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] # icmp sequence { 33, 55, 67, 88} __set%d test-ip4 3 __set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +__set%d test-ip4 3 +__set%d test-ip4 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] # icmp sequence != { 33, 55, 67, 88} __set%d test-ip4 3 __set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +__set%d test-ip4 3 +__set%d test-ip4 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmp sequence { 33-55} -__set%d test-ip4 7 +# icmp id 1 icmp sequence 2 +__set%d test-ip4 3 __set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 6 => reg 1 ] + [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x02000100 ] -# icmp sequence != { 33-55} -__set%d test-ip4 7 +# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 +__set%d test-ip4 3 __set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input + element 00000000 : 0 [end] element 00000008 : 0 [end] +ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x02000100 ] + +# icmp type echo-reply icmp id 1 +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] # icmp mtu 33 ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp eq reg 1 0x00002100 ] @@ -428,34 +435,18 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp gte reg 1 0x00001600 ] [ cmp lte reg 1 0x00002100 ] -# icmp mtu { 22-33} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp mtu != { 22-33} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmp mtu 22 ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp eq reg 1 0x00001600 ] @@ -463,6 +454,8 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] @@ -470,6 +463,8 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] @@ -478,6 +473,8 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] @@ -488,6 +485,8 @@ __set%d test-ip4 0 ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] @@ -498,26 +497,8 @@ __set%d test-ip4 0 ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# icmp mtu { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp mtu != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] @@ -525,6 +506,8 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ cmp eq reg 1 0x16000000 ] @@ -532,6 +515,8 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ cmp neq reg 1 0xe9000000 ] @@ -539,6 +524,8 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ cmp gte reg 1 0x21000000 ] [ cmp lte reg 1 0x2d000000 ] @@ -547,6 +534,8 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ range neq reg 1 0x21000000 0x2d000000 ] @@ -557,6 +546,8 @@ __set%d test-ip4 0 ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d ] @@ -567,26 +558,8 @@ __set%d test-ip4 0 ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# icmp gateway { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp gateway != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] @@ -594,6 +567,8 @@ ip test-ip4 input ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ cmp neq reg 1 0x22000000 ] @@ -604,6 +579,8 @@ __set%d test-ip4 0 ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] @@ -634,3 +611,9 @@ ip test-ip4 input [ lookup reg 1 set __set%d ] [ immediate reg 0 accept ] +# icmp code 1 icmp type 2 +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000102 ] diff --git a/tests/py/ip/igmp.t b/tests/py/ip/igmp.t index 939dcc32..a556e475 100644 --- a/tests/py/ip/igmp.t +++ b/tests/py/ip/igmp.t @@ -16,8 +16,6 @@ igmp checksum 12343;ok igmp checksum != 12343;ok igmp checksum 11-343;ok igmp checksum != 11-343;ok -igmp checksum { 11-343};ok -igmp checksum != { 11-343};ok igmp checksum { 1111, 222, 343};ok igmp checksum != { 1111, 222, 343};ok diff --git a/tests/py/ip/igmp.t.json b/tests/py/ip/igmp.t.json index 66dd3bb7..0e2a43f3 100644 --- a/tests/py/ip/igmp.t.json +++ b/tests/py/ip/igmp.t.json @@ -196,56 +196,6 @@ } ] -# igmp checksum { 11-343} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "igmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 11, - 343 - ] - } - ] - } - } - } -] - -# igmp checksum != { 11-343} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "igmp" - } - }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 11, - 343 - ] - } - ] - } - } - } -] - # igmp checksum { 1111, 222, 343} [ { diff --git a/tests/py/ip/igmp.t.payload b/tests/py/ip/igmp.t.payload index 1319c324..940fe2cd 100644 --- a/tests/py/ip/igmp.t.payload +++ b/tests/py/ip/igmp.t.payload @@ -62,150 +62,6 @@ ip test-ip4 input [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00000b00 0x00005701 ] -# igmp checksum { 11-343} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# igmp checksum != { 11-343} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# igmp checksum { 1111, 222, 343} -__set%d test-ip4 3 size 3 -__set%d test-ip4 0 - element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# igmp checksum != { 1111, 222, 343} -__set%d test-ip4 3 size 3 -__set%d test-ip4 0 - element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# igmp type membership-query -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - -# igmp type membership-report-v1 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000012 ] - -# igmp type membership-report-v2 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000016 ] - -# igmp type membership-report-v3 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000022 ] - -# igmp type leave-group -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000017 ] - -# igmp type { membership-report-v1, membership-report-v2, membership-report-v3} -__set%d test-ip4 3 size 3 -__set%d test-ip4 0 - element 00000012 : 0 [end] element 00000016 : 0 [end] element 00000022 : 0 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# igmp type != { membership-report-v1, membership-report-v2, membership-report-v3} -__set%d test-ip4 3 size 3 -__set%d test-ip4 0 - element 00000012 : 0 [end] element 00000016 : 0 [end] element 00000022 : 0 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# igmp checksum 12343 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp eq reg 1 0x00003730 ] - -# igmp checksum != 12343 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp neq reg 1 0x00003730 ] - -# igmp checksum 11-343 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00000b00 ] - [ cmp lte reg 1 0x00005701 ] - -# igmp checksum != 11-343 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ range neq reg 1 0x00000b00 0x00005701 ] - -# igmp checksum { 11-343} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# igmp checksum != { 11-343} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # igmp checksum { 1111, 222, 343} __set%d test-ip4 3 size 3 __set%d test-ip4 0 @@ -226,41 +82,6 @@ ip test-ip4 input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# igmp type membership-query -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - -# igmp type membership-report-v1 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000012 ] - -# igmp type membership-report-v2 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000016 ] - -# igmp type membership-report-v3 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000022 ] - -# igmp type leave-group -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000017 ] - # igmp type { membership-report-v1, membership-report-v2, membership-report-v3} __set%d test-ip4 3 size 3 __set%d test-ip4 0 @@ -281,75 +102,6 @@ ip test-ip4 input [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# igmp checksum 12343 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp eq reg 1 0x00003730 ] - -# igmp checksum != 12343 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp neq reg 1 0x00003730 ] - -# igmp checksum 11-343 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00000b00 ] - [ cmp lte reg 1 0x00005701 ] - -# igmp checksum != 11-343 -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ range neq reg 1 0x00000b00 0x00005701 ] - -# igmp checksum { 11-343} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# igmp checksum != { 11-343} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# igmp checksum { 1111, 222, 343} -__set%d test-ip4 3 size 3 -__set%d test-ip4 0 - element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# igmp checksum != { 1111, 222, 343} -__set%d test-ip4 3 size 3 -__set%d test-ip4 0 - element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # igmp mrt 10 ip test-ip4 input [ meta load l4proto => reg 1 ] diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t index 0421d01b..e6999c29 100644 --- a/tests/py/ip/ip.t +++ b/tests/py/ip/ip.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress - ip version 2;ok @@ -39,8 +40,6 @@ ip length 333-435;ok ip length != 333-453;ok ip length { 333, 553, 673, 838};ok ip length != { 333, 553, 673, 838};ok -ip length { 333-535};ok -ip length != { 333-535};ok ip id 22;ok ip id != 233;ok @@ -48,17 +47,16 @@ ip id 33-45;ok ip id != 33-45;ok ip id { 33, 55, 67, 88};ok ip id != { 33, 55, 67, 88};ok -ip id { 33-55};ok -ip id != { 33-55};ok - -ip frag-off 222 accept;ok -ip frag-off != 233;ok -ip frag-off 33-45;ok -ip frag-off != 33-45;ok -ip frag-off { 33, 55, 67, 88};ok -ip frag-off != { 33, 55, 67, 88};ok -ip frag-off { 33-55};ok -ip frag-off != { 33-55};ok + +ip frag-off 0xde accept;ok +ip frag-off != 0xe9;ok +ip frag-off 0x21-0x2d;ok +ip frag-off != 0x21-0x2d;ok +ip frag-off { 0x21, 0x37, 0x43, 0x58};ok +ip frag-off != { 0x21, 0x37, 0x43, 0x58};ok +ip frag-off & 0x1fff != 0x0;ok +ip frag-off & 0x2000 != 0x0;ok +ip frag-off & 0x4000 != 0x0;ok ip ttl 0 drop;ok ip ttl 233;ok @@ -66,8 +64,6 @@ ip ttl 33-55;ok ip ttl != 45-50;ok ip ttl {43, 53, 45 };ok ip ttl != {43, 53, 45 };ok -ip ttl { 33-55};ok -ip ttl != { 33-55};ok ip protocol tcp;ok;ip protocol 6 ip protocol != tcp;ok;ip protocol != 6 @@ -84,23 +80,19 @@ ip checksum 33-45;ok ip checksum != 33-45;ok ip checksum { 33, 55, 67, 88};ok ip checksum != { 33, 55, 67, 88};ok -ip checksum { 33-55};ok -ip checksum != { 33-55};ok ip saddr set {192.19.1.2, 191.1.22.1};fail ip saddr 192.168.2.0/24;ok ip saddr != 192.168.2.0/24;ok ip saddr 192.168.3.1 ip daddr 192.168.3.100;ok -ip saddr != 1.1.1.1;ok;ip saddr != 1.1.1.1 -ip saddr 1.1.1.1;ok;ip saddr 1.1.1.1 +ip saddr != 1.1.1.1;ok +ip saddr 1.1.1.1;ok ip daddr 192.168.0.1-192.168.0.250;ok ip daddr 10.0.0.0-10.255.255.255;ok ip daddr 172.16.0.0-172.31.255.255;ok ip daddr 192.168.3.1-192.168.4.250;ok ip daddr != 192.168.0.1-192.168.0.250;ok -ip daddr { 192.168.0.1-192.168.0.250};ok -ip daddr != { 192.168.0.1-192.168.0.250};ok ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok @@ -135,3 +127,11 @@ iif "lo" ip protocol set 1;ok iif "lo" ip dscp set af23;ok iif "lo" ip dscp set cs0;ok + +ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 };ok +ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept };ok + +ip saddr 1.2.3.4 ip daddr 3.4.5.6;ok +ip saddr 1.2.3.4 counter ip daddr 3.4.5.6;ok + +ip dscp 1/6;ok;ip dscp & 0x3f == lephb diff --git a/tests/py/ip/ip.t.json b/tests/py/ip/ip.t.json index 3131ab79..a170e5c1 100644 --- a/tests/py/ip/ip.t.json +++ b/tests/py/ip/ip.t.json @@ -270,46 +270,6 @@ } ] -# ip length { 333-535} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 333, 535 ] } - ] - } - } - } -] - -# ip length != { 333-535} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 333, 535 ] } - ] - } - } - } -] - # ip id 22 [ { @@ -424,47 +384,7 @@ } ] -# ip id { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "id", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip id != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "id", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip frag-off 222 accept +# ip frag-off 0xde accept [ { "match": { @@ -483,7 +403,7 @@ } ] -# ip frag-off != 233 +# ip frag-off != 0xe9 [ { "match": { @@ -499,7 +419,7 @@ } ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d [ { "match": { @@ -517,7 +437,7 @@ } ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d [ { "match": { @@ -535,7 +455,7 @@ } ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} [ { "match": { @@ -558,7 +478,7 @@ } ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} [ { "match": { @@ -581,42 +501,65 @@ } ] -# ip frag-off { 33-55} +# ip frag-off & 0x1fff != 0x0 [ { "match": { "left": { - "payload": { - "field": "frag-off", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8191 ] - } + }, + "op": "!=", + "right": 0 } } ] -# ip frag-off != { 33-55} +# ip frag-off & 0x2000 != 0x0 [ { "match": { "left": { - "payload": { - "field": "frag-off", - "protocol": "ip" - } + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8192 + ] }, "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } + "right": 0 + } + } +] + +# ip frag-off & 0x4000 != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 16384 ] - } + }, + "op": "!=", + "right": 0 } } ] @@ -736,46 +679,6 @@ } ] -# ip ttl { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ttl", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip ttl != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ttl", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ip protocol tcp [ { @@ -1019,46 +922,6 @@ } ] -# ip checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ip saddr 192.168.2.0/24 [ { @@ -1251,46 +1114,6 @@ } ] -# ip daddr { 192.168.0.1-192.168.0.250} -[ - { - "match": { - "left": { - "payload": { - "field": "daddr", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ "192.168.0.1", "192.168.0.250" ] } - ] - } - } - } -] - -# ip daddr != { 192.168.0.1-192.168.0.250} -[ - { - "match": { - "left": { - "payload": { - "field": "daddr", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ "192.168.0.1", "192.168.0.250" ] } - ] - } - } - } -] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept [ { @@ -1836,3 +1659,174 @@ } ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "192.0.2.1", + { + "range": [ + "10.0.0.1", + "10.0.0.2" + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + "192.168.5.1", + "192.168.5.128" + ] + }, + { + "range": [ + "192.168.6.1", + "192.168.6.128" + ] + } + ] + }, + { + "accept": null + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + } + } + } +] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "counter": { + "bytes": 0, + "packets": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + +# ip dscp 1/6 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 63 + ] + }, + "op": "==", + "right": "lephb" + } + } +] diff --git a/tests/py/ip/ip.t.json.output b/tests/py/ip/ip.t.json.output index b201cdaa..351ae935 100644 --- a/tests/py/ip/ip.t.json.output +++ b/tests/py/ip/ip.t.json.output @@ -230,3 +230,34 @@ } ] +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload index d627b22f..d7ddf7be 100644 --- a/tests/py/ip/ip.t.payload +++ b/tests/py/ip/ip.t.payload @@ -1,25 +1,25 @@ # ip dscp cs1 ip test-ip4 input [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000020 ] # ip dscp != cs1 ip test-ip4 input [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000020 ] # ip dscp 0x38 ip test-ip4 input [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] # ip dscp != 0x20 ip test-ip4 input [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] # ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} @@ -28,7 +28,7 @@ __set%d test-ip4 0 element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000000 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end] ip test-ip4 input [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip dscp != {cs0, cs3} @@ -37,16 +37,16 @@ __set%d test-ip4 0 element 00000000 : 0 [end] element 00000060 : 0 [end] ip test-ip4 input [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] # ip dscp vmap { cs1 : continue , cs4 : accept } counter __map%d test-ip4 b size 2 __map%d test-ip4 0 - element 00000020 : 0 [end] element 00000080 : 0 [end] + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] ip test-ip4 input [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] @@ -87,22 +87,6 @@ ip test-ip4 input [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip length { 333-535} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip length != { 333-535} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip id 22 ip test-ip4 input [ payload load 2b @ network header + 4 => reg 1 ] @@ -140,45 +124,29 @@ ip test-ip4 input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip id { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip id != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip frag-off 222 accept +# ip frag-off 0xde accept ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-ip4 3 __set%d test-ip4 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -186,7 +154,7 @@ ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-ip4 3 __set%d test-ip4 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -194,21 +162,23 @@ ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x1fff != 0x0 ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] -# ip frag-off != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x2000 != 0x0 ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] # ip ttl 0 drop ip test-ip4 input @@ -248,22 +218,6 @@ ip test-ip4 input [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip ttl { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip test-ip4 input - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip ttl != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip test-ip4 input - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip protocol tcp ip test-ip4 input [ payload load 1b @ network header + 9 => reg 1 ] @@ -340,32 +294,14 @@ ip test-ip4 input [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip checksum { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip checksum != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip saddr 192.168.2.0/24 ip test-ip4 input - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ payload load 3b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0002a8c0 ] # ip saddr != 192.168.2.0/24 ip test-ip4 input - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ payload load 3b @ network header + 12 => reg 1 ] [ cmp neq reg 1 0x0002a8c0 ] # ip saddr 192.168.3.1 ip daddr 192.168.3.100 @@ -414,22 +350,6 @@ ip test-ip4 input [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] -# ip daddr { 192.168.0.1-192.168.0.250} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -ip test-ip4 input - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip daddr != { 192.168.0.1-192.168.0.250} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -ip test-ip4 input - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-ip4 3 __set%d test-ip4 0 @@ -489,59 +409,49 @@ ip test-ip4 input # ip saddr & 0xff == 1 ip test-ip4 input [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] [ cmp eq reg 1 0x01000000 ] # ip saddr & 0.0.0.255 < 0.0.0.127 ip test-ip4 input [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] [ cmp lt reg 1 0x7f000000 ] # ip saddr & 0xffff0000 == 0xffff0000 ip test-ip4 input [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000ffff ] -# ip saddr . ip daddr . ip protocol { 1.1.1.1 . 2.2.2.2 . tcp, 1.1.1.1 . 3.3.3.3 . udp} -__set%d test-ip 3 -__set%d test-ip 0 - element 01010101 02020202 00000006 : 0 [end] element 01010101 03030303 00000011 : 0 [end] -ip test-ip input - [ payload load 4b @ network header + 12 => reg 1 ] - [ payload load 4b @ network header + 16 => reg 9 ] - [ payload load 1b @ network header + 9 => reg 10 ] - [ lookup reg 1 set __set%d ] - # ip version 4 ip hdrlength 5 ip test-ip4 input [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000040 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000005 ] # ip hdrlength 0 ip test-ip4 input [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # ip hdrlength 15 ip test-ip4 input [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000f ] # ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter __map%d test-ip4 f size 4 __map%d test-ip4 0 - element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end] + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] ip test-ip4 input [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] @@ -571,7 +481,7 @@ ip test-ip4 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000100 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ecn set ce @@ -579,7 +489,7 @@ ip test-ip4 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000300 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set af23 @@ -587,7 +497,7 @@ ip test-ip4 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00005800 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set cs0 @@ -595,7 +505,7 @@ ip test-ip4 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ttl set 23 @@ -603,7 +513,7 @@ ip test-ip4 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff00 ) ^ 0x00000017 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip protocol set 1 @@ -611,6 +521,46 @@ ip test-ip4 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000100 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-ip4 87 size 1 +__set%d test-ip4 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-ip4 8f size 1 +__map%d test-ip4 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge index 91a4fde3..53f881d3 100644 --- a/tests/py/ip/ip.t.payload.bridge +++ b/tests/py/ip/ip.t.payload.bridge @@ -3,7 +3,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000020 ] # ip dscp != cs1 @@ -11,7 +11,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000020 ] # ip dscp 0x38 @@ -19,7 +19,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] # ip dscp != 0x20 @@ -27,7 +27,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] # ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} @@ -38,7 +38,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip dscp != {cs0, cs3} @@ -49,18 +49,18 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] # ip dscp vmap { cs1 : continue , cs4 : accept } counter __map%d test-bridge b size 2 __map%d test-bridge 0 - element 00000020 : 0 [end] element 00000080 : 0 [end] + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] @@ -113,26 +113,6 @@ bridge test-bridge input [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip length { 333-535} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip length != { 333-535} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip id 22 bridge test-bridge input [ meta load protocol => reg 1 ] @@ -182,27 +162,7 @@ bridge test-bridge input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip id { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip id != { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip frag-off 222 accept +# ip frag-off 0xde accept bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -210,14 +170,14 @@ bridge test-bridge input [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -225,14 +185,14 @@ bridge test-bridge input [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-bridge 3 size 4 __set%d test-bridge 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -242,7 +202,7 @@ bridge test-bridge input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-bridge 3 size 4 __set%d test-bridge 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -252,25 +212,29 @@ bridge test-bridge input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x1fff != 0x0 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] -# ip frag-off != { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x2000 != 0x0 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] # ip ttl 0 drop bridge test-bridge input @@ -322,26 +286,6 @@ bridge test-bridge input [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip ttl { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip ttl != { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip protocol tcp bridge test-bridge input [ meta load protocol => reg 1 ] @@ -442,40 +386,18 @@ bridge test-bridge input [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip checksum { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip checksum != { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip saddr 192.168.2.0/24 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ payload load 3b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0002a8c0 ] # ip saddr != 192.168.2.0/24 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ payload load 3b @ network header + 12 => reg 1 ] [ cmp neq reg 1 0x0002a8c0 ] # ip saddr 192.168.3.1 ip daddr 192.168.3.100 @@ -540,26 +462,6 @@ bridge test-bridge input [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] -# ip daddr { 192.168.0.1-192.168.0.250} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip daddr != { 192.168.0.1-192.168.0.250} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-bridge 3 size 3 __set%d test-bridge 0 @@ -639,7 +541,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] [ cmp eq reg 1 0x01000000 ] # ip saddr & 0.0.0.255 < 0.0.0.127 @@ -647,7 +549,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] [ cmp lt reg 1 0x7f000000 ] # ip saddr & 0xffff0000 == 0xffff0000 @@ -655,7 +557,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000ffff ] # ip version 4 ip hdrlength 5 @@ -663,10 +565,10 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000040 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000005 ] # ip hdrlength 0 @@ -674,7 +576,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # ip hdrlength 15 @@ -682,18 +584,18 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000f ] # ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter __map%d test-bridge f size 4 __map%d test-bridge 0 - element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end] + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] @@ -731,7 +633,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000100 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ecn set ce @@ -741,7 +643,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000300 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ttl set 23 @@ -751,7 +653,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff00 ) ^ 0x00000017 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip protocol set 1 @@ -761,7 +663,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000100 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] # iif "lo" ip dscp set af23 @@ -771,7 +673,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00005800 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set cs0 @@ -781,6 +683,56 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-bridge 87 size 1 +__set%d test-bridge 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-bridge 8f size 1 +__map%d test-bridge 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet index b9cb28a2..08674c98 100644 --- a/tests/py/ip/ip.t.payload.inet +++ b/tests/py/ip/ip.t.payload.inet @@ -3,7 +3,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000020 ] # ip dscp != cs1 @@ -11,7 +11,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000020 ] # ip dscp 0x38 @@ -19,7 +19,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] # ip dscp != 0x20 @@ -27,7 +27,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] # ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} @@ -38,7 +38,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip dscp != {cs0, cs3} @@ -49,18 +49,18 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] # ip dscp vmap { cs1 : continue , cs4 : accept } counter __map%d test-inet b size 2 __map%d test-inet 0 - element 00000020 : 0 [end] element 00000080 : 0 [end] + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] @@ -113,26 +113,6 @@ inet test-inet input [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip length { 333-535} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip length != { 333-535} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip id 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -182,27 +162,7 @@ inet test-inet input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip id { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip id != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip frag-off 222 accept +# ip frag-off 0xde accept inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] @@ -210,14 +170,14 @@ inet test-inet input [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] @@ -225,14 +185,14 @@ inet test-inet input [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -242,7 +202,7 @@ inet test-inet input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -252,25 +212,29 @@ inet test-inet input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x1fff != 0x0 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] -# ip frag-off != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x2000 != 0x0 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] # ip ttl 0 drop inet test-inet input @@ -322,26 +286,6 @@ inet test-inet input [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip ttl { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip ttl != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip protocol tcp inet test-inet input [ meta load nfproto => reg 1 ] @@ -442,40 +386,18 @@ inet test-inet input [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip saddr 192.168.2.0/24 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ payload load 3b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0002a8c0 ] # ip saddr != 192.168.2.0/24 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ payload load 3b @ network header + 12 => reg 1 ] [ cmp neq reg 1 0x0002a8c0 ] # ip saddr 192.168.3.1 ip daddr 192.168.3.100 @@ -540,26 +462,6 @@ inet test-inet input [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] -# ip daddr { 192.168.0.1-192.168.0.250} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip daddr != { 192.168.0.1-192.168.0.250} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-inet 3 __set%d test-inet 0 @@ -639,7 +541,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] [ cmp eq reg 1 0x01000000 ] # ip saddr & 0.0.0.255 < 0.0.0.127 @@ -647,7 +549,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] [ cmp lt reg 1 0x7f000000 ] # ip saddr & 0xffff0000 == 0xffff0000 @@ -655,30 +557,18 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000ffff ] -# ip saddr . ip daddr . ip protocol { 1.1.1.1 . 2.2.2.2 . tcp, 1.1.1.1 . 3.3.3.3 . udp} -__set%d test-ip 3 -__set%d test-ip 0 - element 01010101 02020202 00000006 : 0 [end] element 01010101 03030303 00000011 : 0 [end] -inet test-ip input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ payload load 4b @ network header + 16 => reg 9 ] - [ payload load 1b @ network header + 9 => reg 10 ] - [ lookup reg 1 set __set%d ] - # ip version 4 ip hdrlength 5 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000040 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000005 ] # ip hdrlength 0 @@ -686,7 +576,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # ip hdrlength 15 @@ -694,18 +584,18 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000f ] # ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter __map%d test-inet f size 4 __map%d test-inet 0 - element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end] + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] @@ -743,7 +633,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000100 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ecn set ce @@ -753,7 +643,7 @@ inet test-netdev ingress [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000300 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set af23 @@ -763,7 +653,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00005800 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set cs0 @@ -773,7 +663,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ttl set 23 @@ -783,7 +673,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff00 ) ^ 0x00000017 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip protocol set 1 @@ -793,6 +683,56 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000100 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-inet 87 size 1 +__set%d test-inet 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-inet 8f size 1 +__map%d test-inet 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev index 588e5ca2..8220b05d 100644 --- a/tests/py/ip/ip.t.payload.netdev +++ b/tests/py/ip/ip.t.payload.netdev @@ -47,26 +47,6 @@ netdev test-netdev ingress [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip length { 333-535} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip length != { 333-535} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip id 22 netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -116,27 +96,7 @@ netdev test-netdev ingress [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip id { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip id != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip frag-off 222 accept +# ip frag-off 0xde accept netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -144,14 +104,14 @@ netdev test-netdev ingress [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -159,14 +119,14 @@ netdev test-netdev ingress [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-netdev 3 __set%d test-netdev 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -176,7 +136,7 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-netdev 3 __set%d test-netdev 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -186,25 +146,29 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress +# ip frag-off & 0x1fff != 0x0 +netdev x y [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] -# ip frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress +# ip frag-off & 0x2000 != 0x0 +netdev x y [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +netdev x y + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] # ip ttl 0 drop netdev test-netdev ingress @@ -249,26 +213,6 @@ netdev test-netdev ingress [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip ttl { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip ttl != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept __set%d test-netdev 3 __set%d test-netdev 0 @@ -355,40 +299,18 @@ netdev test-netdev ingress [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip checksum { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip checksum != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip saddr 192.168.2.0/24 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ payload load 3b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0002a8c0 ] # ip saddr != 192.168.2.0/24 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ payload load 3b @ network header + 12 => reg 1 ] [ cmp neq reg 1 0x0002a8c0 ] # ip saddr 192.168.3.1 ip daddr 192.168.3.100 @@ -446,26 +368,6 @@ netdev test-netdev ingress [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] -# ip daddr { 192.168.0.1-192.168.0.250} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip daddr != { 192.168.0.1-192.168.0.250} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-netdev 3 __set%d test-netdev 0 @@ -538,7 +440,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] [ cmp eq reg 1 0x01000000 ] # ip saddr & 0.0.0.255 < 0.0.0.127 @@ -546,7 +448,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] [ cmp lt reg 1 0x7f000000 ] # ip saddr & 0xffff0000 == 0xffff0000 @@ -554,7 +456,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000ffff ] # ip version 4 ip hdrlength 5 @@ -562,10 +464,10 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000040 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000005 ] # ip hdrlength 0 @@ -573,7 +475,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # ip hdrlength 15 @@ -581,18 +483,18 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000f ] # ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter __map%d test-netdev f size 4 __map%d test-netdev 0 - element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end] + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] @@ -631,124 +533,12 @@ netdev test-netdev ingress [ payload load 4b @ network header + 16 => reg 1 ] [ cmp eq reg 1 0x0200a8c0 ] -# ip ttl 233 -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ cmp eq reg 1 0x000000e9 ] - -# ip protocol tcp -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - -# ip protocol != tcp -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp neq reg 1 0x00000006 ] - -# ip saddr != 1.1.1.1 -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ cmp neq reg 1 0x01010101 ] - -# ip daddr 192.168.0.2 -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp eq reg 1 0x0200a8c0 ] - -# ip ttl 233 -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ cmp eq reg 1 0x000000e9 ] - -# ip protocol tcp -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - -# ip protocol != tcp -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp neq reg 1 0x00000006 ] - -# ip saddr != 1.1.1.1 -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 12 => reg 1 ] - [ cmp neq reg 1 0x01010101 ] - -# ip daddr 192.168.0.2 -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp eq reg 1 0x0200a8c0 ] - -# ip ttl 233 -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ cmp eq reg 1 0x000000e9 ] - -# ip protocol tcp -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - -# ip protocol != tcp -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp neq reg 1 0x00000006 ] - -# ip ttl 233 -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ cmp eq reg 1 0x000000e9 ] - -# ip protocol tcp -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - -# ip protocol != tcp -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp neq reg 1 0x00000006 ] - # ip dscp cs1 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000020 ] # ip dscp != cs1 @@ -756,7 +546,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000020 ] # ip dscp 0x38 @@ -764,7 +554,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] # ip dscp != 0x20 @@ -772,7 +562,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] # ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} @@ -783,7 +573,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip dscp != {cs0, cs3} @@ -794,18 +584,18 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] # ip dscp vmap { cs1 : continue , cs4 : accept } counter __map%d test-netdev b size 2 __map%d test-netdev 0 - element 00000020 : 0 [end] element 00000080 : 0 [end] + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] @@ -843,7 +633,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000100 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ecn set ce @@ -853,7 +643,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000300 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set af23 @@ -863,7 +653,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00005800 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set cs0 @@ -873,7 +663,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ttl set 23 @@ -883,7 +673,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000ff00 ) ^ 0x00000017 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip protocol set 1 @@ -893,6 +683,56 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000100 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-netdev 87 size 1 +__set%d test-netdev 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-netdev 8f size 1 +__map%d test-netdev 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip/ip_tcp.t b/tests/py/ip/ip_tcp.t index 467da3ef..ff398aa6 100644 --- a/tests/py/ip/ip_tcp.t +++ b/tests/py/ip/ip_tcp.t @@ -1,5 +1,4 @@ :input;type filter hook input priority 0 -:ingress;type filter hook ingress device lo priority 0 *ip;test-ip;input diff --git a/tests/py/ip/masquerade.t.payload b/tests/py/ip/masquerade.t.payload index 83351526..79e52856 100644 --- a/tests/py/ip/masquerade.t.payload +++ b/tests/py/ip/masquerade.t.payload @@ -112,12 +112,12 @@ ip test-ip4 postrouting # iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade __map%d test-ip4 b __map%d test-ip4 0 - element 00001600 : 0 [end] element 0000de00 : 0 [end] + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] ip test-ip4 postrouting [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] [ ct load state => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000a ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -130,7 +130,7 @@ ip test-ip4 postrouting [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00000004 ] - [ masq proto_min reg 1 proto_max reg 0 ] + [ masq proto_min reg 1 flags 0x2 ] # ip protocol 6 masquerade to :1024-2048 ip test-ip4 postrouting @@ -138,5 +138,5 @@ ip test-ip4 postrouting [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00000004 ] [ immediate reg 2 0x00000008 ] - [ masq proto_min reg 1 proto_max reg 2 ] + [ masq proto_min reg 1 proto_max reg 2 flags 0x2 ] diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t index f733d22d..a88a6145 100644 --- a/tests/py/ip/meta.t +++ b/tests/py/ip/meta.t @@ -8,8 +8,15 @@ meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-adv meta l4proto 58 icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert icmpv6 type nd-router-advert;ok +meta protocol ip udp dport 67;ok;udp dport 67 + meta ibrname "br0";fail meta obrname "br0";fail meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok + +meta mark set ip dscp;ok + +meta mark set ip dscp << 2 | 0x10;ok +meta mark set ip dscp << 26 | 0x10;ok diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json index f873aa88..25936dba 100644 --- a/tests/py/ip/meta.t.json +++ b/tests/py/ip/meta.t.json @@ -105,3 +105,132 @@ } ] +# meta sdif "lo" accept +[ + { + "match": { + "left": { + "meta": { + "key": "sdif" + } + }, + "op": "==", + "right": "lo" + } + }, + { + "accept": null + } +] + +# meta sdifname != "vrf1" accept +[ + { + "match": { + "left": { + "meta": { + "key": "sdifname" + } + }, + "op": "!=", + "right": "vrf1" + } + }, + { + "accept": null + } +] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + + +# meta mark set ip dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload index 7bc69a29..880ac5d6 100644 --- a/tests/py/ip/meta.t.payload +++ b/tests/py/ip/meta.t.payload @@ -44,3 +44,35 @@ ip6 test-ip4 input [ meta load sdifname => reg 1 ] [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ] [ immediate reg 0 accept ] + +# meta protocol ip udp dport 67 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip dscp +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp << 2 | 0x10 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp << 26 | 0x10 +ip + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip/numgen.t b/tests/py/ip/numgen.t index 29a6a105..2a881460 100644 --- a/tests/py/ip/numgen.t +++ b/tests/py/ip/numgen.t @@ -5,3 +5,5 @@ ct mark set numgen inc mod 2;ok ct mark set numgen inc mod 2 offset 100;ok dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 };ok dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200};ok +dnat to numgen inc mod 7 offset 167772161;ok +dnat to numgen inc mod 255 offset 167772161;ok diff --git a/tests/py/ip/numgen.t.json b/tests/py/ip/numgen.t.json index 9902c2cf..6cf66041 100644 --- a/tests/py/ip/numgen.t.json +++ b/tests/py/ip/numgen.t.json @@ -97,3 +97,33 @@ } ] +# dnat to numgen inc mod 7 offset 167772161 +[ + { + "dnat": { + "addr": { + "numgen": { + "mod": 7, + "mode": "inc", + "offset": 167772161 + } + } + } + } +] + +# dnat to numgen inc mod 255 offset 167772161 +[ + { + "dnat": { + "addr": { + "numgen": { + "mod": 255, + "mode": "inc", + "offset": 167772161 + } + } + } + } +] + diff --git a/tests/py/ip/numgen.t.payload b/tests/py/ip/numgen.t.payload index 04088b75..b4eadf85 100644 --- a/tests/py/ip/numgen.t.payload +++ b/tests/py/ip/numgen.t.payload @@ -10,7 +10,7 @@ __map%d x 0 ip test-ip4 pre [ numgen reg 1 = inc mod 2 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200} __map%d test-ip4 f @@ -20,10 +20,21 @@ ip test-ip4 pre [ numgen reg 1 = inc mod 10 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # ct mark set numgen inc mod 2 offset 100 ip test-ip4 pre [ numgen reg 1 = inc mod 2 offset 100 ] [ ct set mark with reg 1 ] +# dnat to numgen inc mod 7 offset 167772161 +ip test-ip4 pre + [ numgen reg 1 = inc mod 7 offset 167772161 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ nat dnat ip addr_min reg 1 ] + +# dnat to numgen inc mod 255 offset 167772161 +ip test-ip4 pre + [ numgen reg 1 = inc mod 255 offset 167772161 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ nat dnat ip addr_min reg 1 ] diff --git a/tests/py/ip/redirect.t b/tests/py/ip/redirect.t index d2991ce2..8c2b52f0 100644 --- a/tests/py/ip/redirect.t +++ b/tests/py/ip/redirect.t @@ -47,5 +47,5 @@ ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect;ok iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok # redirect with maps -ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok +redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok diff --git a/tests/py/ip/redirect.t.json b/tests/py/ip/redirect.t.json index 3544e7f1..2afdf9b1 100644 --- a/tests/py/ip/redirect.t.json +++ b/tests/py/ip/redirect.t.json @@ -593,21 +593,9 @@ } ] -# ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} [ { - "match": { - "left": { - "payload": { - "field": "protocol", - "protocol": "ip" - } - }, - "op": "==", - "right": 6 - } - }, - { "redirect": { "port": { "map": { diff --git a/tests/py/ip/redirect.t.payload b/tests/py/ip/redirect.t.payload index f208aacb..4bed47c1 100644 --- a/tests/py/ip/redirect.t.payload +++ b/tests/py/ip/redirect.t.payload @@ -93,7 +93,7 @@ ip test-ip4 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00001600 ] [ immediate reg 1 0x00001600 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] # udp dport 1234 redirect to :4321 ip test-ip4 output @@ -102,7 +102,7 @@ ip test-ip4 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000d204 ] [ immediate reg 1 0x0000e110 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] # ip daddr 172.16.0.1 udp dport 9998 redirect to :6515 ip test-ip4 output @@ -113,7 +113,7 @@ ip test-ip4 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00000e27 ] [ immediate reg 1 0x00007319 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] # tcp dport 39128 redirect to :993 ip test-ip4 output @@ -122,7 +122,7 @@ ip test-ip4 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000d898 ] [ immediate reg 1 0x0000e103 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] # ip protocol tcp redirect to :100-200 ip test-ip4 output @@ -130,7 +130,7 @@ ip test-ip4 output [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00006400 ] [ immediate reg 2 0x0000c800 ] - [ redir proto_min reg 1 proto_max reg 2 ] + [ redir proto_min reg 1 proto_max reg 2 flags 0x2 ] # tcp dport 9128 redirect to :993 random ip test-ip4 output @@ -139,7 +139,7 @@ ip test-ip4 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000a823 ] [ immediate reg 1 0x0000e103 ] - [ redir proto_min reg 1 flags 0x4 ] + [ redir proto_min reg 1 flags 0x6 ] # tcp dport 9128 redirect to :993 fully-random ip test-ip4 output @@ -148,7 +148,7 @@ ip test-ip4 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000a823 ] [ immediate reg 1 0x0000e103 ] - [ redir proto_min reg 1 flags 0x10 ] + [ redir proto_min reg 1 flags 0x12 ] # tcp dport 9128 redirect to :123 persistent ip test-ip4 output @@ -157,7 +157,7 @@ ip test-ip4 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000a823 ] [ immediate reg 1 0x00007b00 ] - [ redir proto_min reg 1 flags 0x8 ] + [ redir proto_min reg 1 flags 0xa ] # tcp dport 9128 redirect to :123 random,persistent ip test-ip4 output @@ -166,7 +166,7 @@ ip test-ip4 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000a823 ] [ immediate reg 1 0x00007b00 ] - [ redir proto_min reg 1 flags 0xc ] + [ redir proto_min reg 1 flags 0xe ] # tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect __set%d test-ip4 3 @@ -194,12 +194,12 @@ ip test-ip4 output # iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect __map%d test-ip4 b __map%d test-ip4 0 - element 00001600 : 0 [end] element 0000de00 : 0 [end] + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] ip test-ip4 output [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] [ ct load state => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000a ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -207,14 +207,14 @@ ip test-ip4 output [ lookup reg 1 set __map%d dreg 0 ] [ redir ] -# ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} __map%d test-ip4 b __map%d test-ip4 0 element 00001600 : 0000401f 0 [end] element 00005000 : 0000901f 0 [end] ip test-ip4 output - [ payload load 1b @ network header + 9 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] diff --git a/tests/py/ip/reject.t b/tests/py/ip/reject.t index cc5561a0..ad009944 100644 --- a/tests/py/ip/reject.t +++ b/tests/py/ip/reject.t @@ -3,14 +3,15 @@ *ip;test-ip4;output reject;ok -reject with icmp type host-unreachable;ok -reject with icmp type net-unreachable;ok -reject with icmp type prot-unreachable;ok -reject with icmp type port-unreachable;ok;reject -reject with icmp type net-prohibited;ok -reject with icmp type host-prohibited;ok -reject with icmp type admin-prohibited;ok +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok;reject +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok +reject with icmp 3;ok;reject mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset -reject with icmp type no-route;fail -reject with icmpv6 type no-route;fail +reject with icmp no-route;fail +reject with icmpv6 no-route;fail diff --git a/tests/py/ip/reject.t.json b/tests/py/ip/reject.t.json index d120b9f1..3e1d28de 100644 --- a/tests/py/ip/reject.t.json +++ b/tests/py/ip/reject.t.json @@ -5,7 +5,7 @@ } ] -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -15,7 +15,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -25,7 +25,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -35,7 +35,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { @@ -45,7 +45,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -55,7 +55,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -65,7 +65,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -75,6 +75,16 @@ } ] +# reject with icmp 3 +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + # mark 0x80000000 reject with tcp reset [ { diff --git a/tests/py/ip/reject.t.json.output b/tests/py/ip/reject.t.json.output index b2529dd7..3917413d 100644 --- a/tests/py/ip/reject.t.json.output +++ b/tests/py/ip/reject.t.json.output @@ -1,7 +1,10 @@ -# reject with icmp type port-unreachable +# reject [ { - "reject": null + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } } ] diff --git a/tests/py/ip/reject.t.payload b/tests/py/ip/reject.t.payload index 07e4cc8d..5829065a 100644 --- a/tests/py/ip/reject.t.payload +++ b/tests/py/ip/reject.t.payload @@ -2,34 +2,38 @@ ip test-ip4 output [ reject type 0 code 3 ] -# reject with icmp type host-unreachable +# reject with icmp host-unreachable ip test-ip4 output [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable ip test-ip4 output [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable ip test-ip4 output [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable ip test-ip4 output [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited ip test-ip4 output [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited ip test-ip4 output [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited ip test-ip4 output [ reject type 0 code 13 ] +# reject with icmp 3 +ip test-ip4 output + [ reject type 0 code 3 ] + # mark 0x80000000 reject with tcp reset ip test-ip4 output [ meta load l4proto => reg 1 ] diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t index 7b7e0722..46d9686b 100644 --- a/tests/py/ip/sets.t +++ b/tests/py/ip/sets.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress !w type ipv4_addr;ok !x type inet_proto;ok @@ -51,6 +52,17 @@ ip saddr != @set33 drop;fail ip saddr . ip daddr @set5 drop;ok add @set5 { ip saddr . ip daddr };ok +!map1 type ipv4_addr . ipv4_addr : mark;ok +add @map1 { ip saddr . ip daddr : meta mark };ok + # test nested anonymous sets ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 };ok;ip saddr { 1.1.1.0, 2.2.2.0, 3.3.3.0 } ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 };ok;ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } + +!set6 type ipv4_addr;ok +?set6 192.168.3.5, *;ok +ip saddr @set6 drop;ok + +ip saddr vmap { 1.1.1.1 : drop, * : accept };ok +meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 };ok + diff --git a/tests/py/ip/sets.t.json b/tests/py/ip/sets.t.json index 65d2df87..44ca1528 100644 --- a/tests/py/ip/sets.t.json +++ b/tests/py/ip/sets.t.json @@ -188,3 +188,118 @@ } ] +# ip saddr @set6 drop +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "@set6" + } + }, + { + "drop": null + } +] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + "1.1.1.1", + { + "drop": null + } + ], + [ + "*", + { + "accept": null + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + "1.1.1.1", + 1 + ], + [ + "*", + 2 + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + } + } + } +] + +# add @map1 { ip saddr . ip daddr : meta mark } +[ + { + "map": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + diff --git a/tests/py/ip/sets.t.payload.inet b/tests/py/ip/sets.t.payload.inet index fa956c0c..fd6517a5 100644 --- a/tests/py/ip/sets.t.payload.inet +++ b/tests/py/ip/sets.t.payload.inet @@ -66,3 +66,41 @@ inet test-inet input [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# add @map1 { ip saddr . ip daddr : meta mark } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-inet b +__map%d test-inet 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-inet b +__map%d test-inet 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip/sets.t.payload.ip b/tests/py/ip/sets.t.payload.ip index ca3b5ade..d9cc32b6 100644 --- a/tests/py/ip/sets.t.payload.ip +++ b/tests/py/ip/sets.t.payload.ip @@ -50,3 +50,34 @@ __set%d test-ip4 0 ip test-ip4 input [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/sets.t.payload.netdev b/tests/py/ip/sets.t.payload.netdev index 9772d756..d41b9e8b 100644 --- a/tests/py/ip/sets.t.payload.netdev +++ b/tests/py/ip/sets.t.payload.netdev @@ -66,3 +66,42 @@ netdev test-netdev ingress [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-netdev b +__map%d test-netdev 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-netdev b +__map%d test-netdev 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/snat.t b/tests/py/ip/snat.t index 7281bf5f..d4b0d2cb 100644 --- a/tests/py/ip/snat.t +++ b/tests/py/ip/snat.t @@ -6,5 +6,16 @@ iifname "eth0" tcp dport 80-90 snat to 192.168.3.2;ok iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2;ok iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2;ok iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok +iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255;ok;iifname "eth0" tcp dport 80-90 snat to 192.168.3.0/24 +iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240;ok iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2;ok + +meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };ok +snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 };ok +snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 };ok +snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 };ok + +meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80};ok +snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };fail +snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80 };fail diff --git a/tests/py/ip/snat.t.json b/tests/py/ip/snat.t.json index e87b524e..967560e6 100644 --- a/tests/py/ip/snat.t.json +++ b/tests/py/ip/snat.t.json @@ -166,3 +166,365 @@ } ] +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 80, + 90 + ] + } + } + }, + { + "snat": { + "addr": { + "prefix": { + "addr": "192.168.3.0", + "len": 24 + } + } + } + } +] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 80, + 90 + ] + } + } + }, + { + "snat": { + "addr": { + "range": [ + "192.168.3.15", + "192.168.3.240" + ] + } + } + } +] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "type_flags": "concat" + } + } +] + +# snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "range": [ + "192.168.2.2", + "192.168.2.4" + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "type_flags": "interval" + } + } +] + +# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "flags": "netmap", + "type_flags": [ + "interval", + "prefix" + ] + } + } +] + +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": "udp" + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "range": [ + "192.168.2.2", + "192.168.2.4" + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.12.14", + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + "tcp", + "udp" + ] + } + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "10.141.11.4", + 20 + ] + }, + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + diff --git a/tests/py/ip/snat.t.json.output b/tests/py/ip/snat.t.json.output index 1365316c..2a997801 100644 --- a/tests/py/ip/snat.t.json.output +++ b/tests/py/ip/snat.t.json.output @@ -70,3 +70,180 @@ } ] +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "10.141.11.4", + 20 + ] + }, + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "flags": "netmap", + "type_flags": "prefix" + } + } +] + diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload index 789933ff..71a5e2f1 100644 --- a/tests/py/ip/snat.t.payload +++ b/tests/py/ip/snat.t.payload @@ -8,7 +8,7 @@ ip test-ip4 postrouting [ cmp gte reg 1 0x00005000 ] [ cmp lte reg 1 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2 ip test-ip4 postrouting @@ -19,7 +19,7 @@ ip test-ip4 postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2 __set%d test-ip4 3 @@ -33,7 +33,7 @@ ip test-ip4 postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2 __set%d test-ip4 3 @@ -47,7 +47,7 @@ ip test-ip4 postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2 ip test-ip4 postrouting @@ -58,5 +58,97 @@ ip test-ip4 postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00001700 0x00002200 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005000 ] + [ cmp lte reg 1 0x00005a00 ] + [ immediate reg 1 0x0003a8c0 ] + [ immediate reg 2 0xff03a8c0 ] + [ nat snat ip addr_min reg 1 addr_max reg 2 ] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005000 ] + [ cmp lte reg 1 0x00005a00 ] + [ immediate reg 1 0x0f03a8c0 ] + [ immediate reg 2 0xf003a8c0 ] + [ nat snat ip addr_min reg 1 addr_max reg 2 ] + +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 040b8d0a : 0302a8c0 00005000 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 proto_min reg 9 ] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 040b8d0a : 0202a8c0 0402a8c0 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 addr_max reg 9 ] + +# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } +__map%d test-ip4 f size 3 +__map%d test-ip4 0 + element 00000000 : 1 [end] element 000b8d0a : 0002a8c0 ff02a8c0 0 [end] element 000c8d0a : 1 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 addr_max reg 9 flags 0x40 ] + +# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0e0c8d0a : 0002a8c0 ff02a8c0 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 addr_max reg 9 ] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +__set%d test-ip4 3 size 2 +__set%d test-ip4 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 040b8d0a 00001400 : 0302a8c0 00005000 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 proto_min reg 9 ] + +# ip daddr 192.168.0.1 dnat to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +__map%d x b size 2 +__map%d x 0 + element 0000bb01 : 040a8d0a 0000fb20 0 [end] element 00005000 : 040a8d0a 0000901f 0 [end] +ip + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 proto_min reg 9 ] diff --git a/tests/py/ip/tcpopt.t b/tests/py/ip/tcpopt.t deleted file mode 100644 index 7ee50a89..00000000 --- a/tests/py/ip/tcpopt.t +++ /dev/null @@ -1,38 +0,0 @@ -:input;type filter hook input priority 0 - -*ip;test-ip;input - -tcp option eol kind 1;ok -tcp option noop kind 1;ok -tcp option maxseg kind 1;ok -tcp option maxseg length 1;ok -tcp option maxseg size 1;ok -tcp option window kind 1;ok -tcp option window length 1;ok -tcp option window count 1;ok -tcp option sack-permitted kind 1;ok -tcp option sack-permitted length 1;ok -tcp option sack kind 1;ok -tcp option sack length 1;ok -tcp option sack left 1;ok -tcp option sack0 left 1;ok;tcp option sack left 1 -tcp option sack1 left 1;ok -tcp option sack2 left 1;ok -tcp option sack3 left 1;ok -tcp option sack right 1;ok -tcp option sack0 right 1;ok;tcp option sack right 1 -tcp option sack1 right 1;ok -tcp option sack2 right 1;ok -tcp option sack3 right 1;ok -tcp option timestamp kind 1;ok -tcp option timestamp length 1;ok -tcp option timestamp tsval 1;ok -tcp option timestamp tsecr 1;ok - -tcp option foobar;fail -tcp option foo bar;fail -tcp option eol left;fail -tcp option eol left 1;fail -tcp option eol left 1;fail -tcp option sack window;fail -tcp option sack window 1;fail diff --git a/tests/py/ip/tcpopt.t.json b/tests/py/ip/tcpopt.t.json deleted file mode 100644 index d573dd1c..00000000 --- a/tests/py/ip/tcpopt.t.json +++ /dev/null @@ -1,416 +0,0 @@ -# tcp option eol kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "eol" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option noop kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "noop" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option maxseg kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "maxseg" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option maxseg length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "maxseg" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option maxseg size 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "size", - "name": "maxseg" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option window kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "window" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option window length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "window" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option window count 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "count", - "name": "window" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack-permitted kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "sack-permitted" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack-permitted length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "sack-permitted" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack0 left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack1 left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack1" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack2 left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack2" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack3 left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack3" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack0 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack0" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack1 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack1" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack2 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack2" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack3 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack3" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option timestamp kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "timestamp" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option timestamp length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "timestamp" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option timestamp tsval 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "tsval", - "name": "timestamp" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option timestamp tsecr 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "tsecr", - "name": "timestamp" - } - }, - "op": "==", - "right": 1 - } - } -] - diff --git a/tests/py/ip/tcpopt.t.json.output b/tests/py/ip/tcpopt.t.json.output deleted file mode 100644 index 81dd8ad8..00000000 --- a/tests/py/ip/tcpopt.t.json.output +++ /dev/null @@ -1,16 +0,0 @@ -# tcp option sack0 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - diff --git a/tests/py/ip/tcpopt.t.payload b/tests/py/ip/tcpopt.t.payload deleted file mode 100644 index b2e5bdb2..00000000 --- a/tests/py/ip/tcpopt.t.payload +++ /dev/null @@ -1,181 +0,0 @@ -# tcp option eol kind 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 0 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option noop kind 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 1 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg kind 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 2 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg length 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 2 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg size 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 2b @ 2 + 2 => reg 1 ] - [ cmp eq reg 1 0x00000100 ] - -# tcp option window kind 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option window length 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option window count 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 2 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack-permitted kind 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 4 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack-permitted length 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 4 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack kind 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 5 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack length 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 5 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack left 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack0 left 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack1 left 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 10 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack2 left 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 18 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack3 left 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 26 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack right 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack0 right 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack1 right 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 14 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack2 right 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 22 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack3 right 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 30 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option timestamp kind 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 8 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option timestamp length 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 8 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option timestamp tsval 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 8 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option timestamp tsecr 1 -ip test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 8 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] diff --git a/tests/py/ip6/ct.t b/tests/py/ip6/ct.t new file mode 100644 index 00000000..c06fd6a0 --- /dev/null +++ b/tests/py/ip6/ct.t @@ -0,0 +1,9 @@ +:output;type filter hook output priority 0 + +*ip6;test-ip6;output + +ct mark set ip6 dscp << 2 | 0x10;ok +ct mark set ip6 dscp << 26 | 0x10;ok +ct mark set ip6 dscp | 0x04;ok +ct mark set ip6 dscp | 0xff000000;ok +ct mark set ip6 dscp & 0x0f << 2;ok;ct mark set ip6 dscp & 0x3c diff --git a/tests/py/ip6/ct.t.json b/tests/py/ip6/ct.t.json new file mode 100644 index 00000000..7d8c88bb --- /dev/null +++ b/tests/py/ip6/ct.t.json @@ -0,0 +1,293 @@ +# ct mark set ip6 dscp lshift 2 or 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp lshift 26 or 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0xff000000 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4278190080 + ] + } + } + } +] + +# ct mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0xff000000 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4278190080 + ] + } + } + } +] + +# ct mark set ip6 dscp & 0x0f << 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 60 + ] + } + } + } +] diff --git a/tests/py/ip6/ct.t.payload b/tests/py/ip6/ct.t.payload new file mode 100644 index 00000000..944208f2 --- /dev/null +++ b/tests/py/ip6/ct.t.payload @@ -0,0 +1,46 @@ +# ct mark set ip6 dscp << 2 | 0x10 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp << 26 | 0x10 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp | 0x04 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp | 0xff000000 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0x00ffffff ) ^ 0xff000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp & 0x0f << 2 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] diff --git a/tests/py/ip6/dnat.t b/tests/py/ip6/dnat.t index db5fde58..89d5a5f9 100644 --- a/tests/py/ip6/dnat.t +++ b/tests/py/ip6/dnat.t @@ -3,7 +3,7 @@ *ip6;test-ip6;prerouting tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok -tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok;tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100 +tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok tcp dport 80-90 dnat to [2001:838:35f:1::]:80;ok -dnat to [2001:838:35f:1::]/64;ok;dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff -dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff;ok +dnat to [2001:838:35f:1::]/64;ok;dnat to 2001:838:35f:1::/64 +dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff;ok;dnat to 2001:838:35f:1::/64 diff --git a/tests/py/ip6/dnat.t.json b/tests/py/ip6/dnat.t.json index 3419b60f..cbfdb68b 100644 --- a/tests/py/ip6/dnat.t.json +++ b/tests/py/ip6/dnat.t.json @@ -81,10 +81,10 @@ { "dnat": { "addr": { - "range": [ - "2001:838:35f:1::", - "2001:838:35f:1:ffff:ffff:ffff:ffff" - ] + "prefix": { + "addr": "2001:838:35f:1::", + "len": 64 + } } } } @@ -95,11 +95,12 @@ { "dnat": { "addr": { - "range": [ - "2001:838:35f:1::", - "2001:838:35f:1:ffff:ffff:ffff:ffff" - ] + "prefix": { + "addr": "2001:838:35f:1::", + "len": 64 + } } } } ] + diff --git a/tests/py/ip6/dnat.t.payload.ip6 b/tests/py/ip6/dnat.t.payload.ip6 index 985159e2..004ffdeb 100644 --- a/tests/py/ip6/dnat.t.payload.ip6 +++ b/tests/py/ip6/dnat.t.payload.ip6 @@ -9,7 +9,7 @@ ip6 test-ip6 prerouting [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00005000 ] [ immediate reg 4 0x00006400 ] - [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 ] + [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ] # tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100 ip6 test-ip6 prerouting @@ -21,7 +21,7 @@ ip6 test-ip6 prerouting [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00006400 ] - [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 0 ] + [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ] # tcp dport 80-90 dnat to [2001:838:35f:1::]:80 ip6 test-ip6 prerouting @@ -32,7 +32,7 @@ ip6 test-ip6 prerouting [ cmp lte reg 1 0x00005a00 ] [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x00005000 ] - [ nat dnat ip6 addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 ] + [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ] # dnat to [2001:838:35f:1::]/64 ip6 test-ip6 prerouting diff --git a/tests/py/ip6/dst.t b/tests/py/ip6/dst.t index 9e7c554f..cd1fd3b2 100644 --- a/tests/py/ip6/dst.t +++ b/tests/py/ip6/dst.t @@ -9,8 +9,6 @@ dst nexthdr 33-45;ok dst nexthdr != 33-45;ok dst nexthdr { 33, 55, 67, 88};ok dst nexthdr != { 33, 55, 67, 88};ok -dst nexthdr { 33-55};ok -dst nexthdr != { 33-55};ok dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr { 51, 50, 17, 136, 58, 6, 33, 132, 108} dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr != { 51, 50, 17, 136, 58, 6, 33, 132, 108} dst nexthdr icmp;ok;dst nexthdr 1 @@ -21,6 +19,3 @@ dst hdrlength != 233;ok dst hdrlength 33-45;ok dst hdrlength != 33-45;ok dst hdrlength { 33, 55, 67, 88};ok -dst hdrlength != { 33, 55, 67, 88};ok -dst hdrlength { 33-55};ok -dst hdrlength != { 33-55};ok diff --git a/tests/py/ip6/dst.t.json b/tests/py/ip6/dst.t.json index 1373e177..e947a76f 100644 --- a/tests/py/ip6/dst.t.json +++ b/tests/py/ip6/dst.t.json @@ -112,46 +112,6 @@ } ] -# dst nexthdr { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "dst" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# dst nexthdr != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "dst" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp} [ { @@ -353,44 +313,3 @@ } } ] - -# dst hdrlength { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "dst" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# dst hdrlength != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "dst" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/ip6/dst.t.payload.inet b/tests/py/ip6/dst.t.payload.inet index ff22237e..90d6bda1 100644 --- a/tests/py/ip6/dst.t.payload.inet +++ b/tests/py/ip6/dst.t.payload.inet @@ -47,26 +47,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dst nexthdr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dst nexthdr != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp} __set%d test-inet 3 __set%d test-inet 0 @@ -149,24 +129,3 @@ ip6 test-ip6 input [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] - -# dst hdrlength { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dst hdrlength != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/dst.t.payload.ip6 b/tests/py/ip6/dst.t.payload.ip6 index 9bf564cb..941140d0 100644 --- a/tests/py/ip6/dst.t.payload.ip6 +++ b/tests/py/ip6/dst.t.payload.ip6 @@ -35,22 +35,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dst nexthdr { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dst nexthdr != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp} __set%d test-ip6 3 __set%d test-ip6 0 @@ -113,21 +97,3 @@ __set%d test-ip6 0 ip6 test-ip6 input [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] - -# dst hdrlength { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dst hdrlength != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - - diff --git a/tests/py/ip6/ether.t b/tests/py/ip6/ether.t index d94a0d21..49d7d063 100644 --- a/tests/py/ip6/ether.t +++ b/tests/py/ip6/ether.t @@ -3,6 +3,6 @@ *ip6;test-ip6;input tcp dport 22 iiftype ether ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept -tcp dport 22 ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04;ok;tcp dport 22 ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 +tcp dport 22 ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04;ok tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip6 daddr 1::2;ok ether saddr 00:0f:54:0c:11:04 ip6 daddr 1::2 accept;ok diff --git a/tests/py/ip6/exthdr.t.json.output b/tests/py/ip6/exthdr.t.json.output index c9f5b49b..813402a2 100644 --- a/tests/py/ip6/exthdr.t.json.output +++ b/tests/py/ip6/exthdr.t.json.output @@ -1,33 +1,3 @@ -# exthdr hbh == exists -[ - { - "match": { - "left": { - "exthdr": { - "name": "hbh" - } - }, - "op": "==", - "right": true - } - } -] - -# exthdr hbh == missing -[ - { - "match": { - "left": { - "exthdr": { - "name": "hbh" - } - }, - "op": "==", - "right": false - } - } -] - # exthdr hbh 1 [ { diff --git a/tests/py/ip6/flowtable.t b/tests/py/ip6/flowtable.t deleted file mode 100644 index e58d51bb..00000000 --- a/tests/py/ip6/flowtable.t +++ /dev/null @@ -1,6 +0,0 @@ -:input;type filter hook input priority 0 - -*ip6;test-ip6;input - -meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter };ok;meter acct_out size 4096 { iif . ip6 saddr timeout 10m counter } -meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter };ok;meter acct_out size 12345 { ip6 saddr . iif timeout 10m counter } diff --git a/tests/py/ip6/flowtable.t.json b/tests/py/ip6/flowtable.t.json deleted file mode 100644 index d0b3a957..00000000 --- a/tests/py/ip6/flowtable.t.json +++ /dev/null @@ -1,62 +0,0 @@ -# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "meta": { "key": "iif" } - }, - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - } - ] - } - } - }, - "name": "acct_out", - "size": 4096, - "stmt": { - "counter": null - } - } - } -] - -# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - }, - { - "meta": { "key": "iif" } - } - ] - } - } - }, - "name": "acct_out", - "size": 12345, - "stmt": { - "counter": null - } - } - } -] - diff --git a/tests/py/ip6/flowtable.t.json.output b/tests/py/ip6/flowtable.t.json.output deleted file mode 100644 index d0b3a957..00000000 --- a/tests/py/ip6/flowtable.t.json.output +++ /dev/null @@ -1,62 +0,0 @@ -# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "meta": { "key": "iif" } - }, - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - } - ] - } - } - }, - "name": "acct_out", - "size": 4096, - "stmt": { - "counter": null - } - } - } -] - -# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - }, - { - "meta": { "key": "iif" } - } - ] - } - } - }, - "name": "acct_out", - "size": 12345, - "stmt": { - "counter": null - } - } - } -] - diff --git a/tests/py/ip6/flowtable.t.payload b/tests/py/ip6/flowtable.t.payload deleted file mode 100644 index 559475f6..00000000 --- a/tests/py/ip6/flowtable.t.payload +++ /dev/null @@ -1,16 +0,0 @@ -# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } -acct_out test-ip6 31 -acct_out test-ip6 0 -ip6 test-ip6 input - [ meta load iif => reg 1 ] - [ payload load 16b @ network header + 8 => reg 9 ] - [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ] - -# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter } -acct_out test-ip6 31 -acct_out test-ip6 0 -ip6 test-ip6 input - [ payload load 16b @ network header + 8 => reg 1 ] - [ meta load iif => reg 2 ] - [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ] - diff --git a/tests/py/ip6/frag.t b/tests/py/ip6/frag.t index e16529ad..6bbd6ac0 100644 --- a/tests/py/ip6/frag.t +++ b/tests/py/ip6/frag.t @@ -1,8 +1,10 @@ :output;type filter hook output priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip6;test-ip6;output *inet;test-inet;output +*netdev;test-netdev;ingress,egress frag nexthdr tcp;ok;frag nexthdr 6 frag nexthdr != icmp;ok;frag nexthdr != 1 @@ -17,8 +19,6 @@ frag reserved 33-45;ok frag reserved != 33-45;ok frag reserved { 33, 55, 67, 88};ok frag reserved != { 33, 55, 67, 88};ok -frag reserved { 33-55};ok -frag reserved != { 33-55};ok frag frag-off 22;ok frag frag-off != 233;ok @@ -26,8 +26,6 @@ frag frag-off 33-45;ok frag frag-off != 33-45;ok frag frag-off { 33, 55, 67, 88};ok frag frag-off != { 33, 55, 67, 88};ok -frag frag-off { 33-55};ok -frag frag-off != { 33-55};ok frag reserved2 1;ok frag more-fragments 0;ok @@ -40,5 +38,3 @@ frag id 33-45;ok frag id != 33-45;ok frag id { 33, 55, 67, 88};ok frag id != { 33, 55, 67, 88};ok -frag id { 33-55};ok -frag id != { 33-55};ok diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet index ef44f1ae..20334f44 100644 --- a/tests/py/ip6/frag.t.payload.inet +++ b/tests/py/ip6/frag.t.payload.inet @@ -95,32 +95,12 @@ inet test-inet output [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# frag reserved { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag frag-off 22 inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000b000 ] # frag frag-off != 233 @@ -128,7 +108,7 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ cmp neq reg 1 0x00004807 ] # frag frag-off 33-45 @@ -136,7 +116,7 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ cmp gte reg 1 0x00000801 ] [ cmp lte reg 1 0x00006801 ] @@ -145,7 +125,7 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ range neq reg 1 0x00000801 0x00006801 ] # frag frag-off { 33, 55, 67, 88} @@ -156,7 +136,7 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # frag frag-off != { 33, 55, 67, 88} @@ -167,39 +147,9 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# frag frag-off { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag more-fragments 1 -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - # frag id 1 inet test-inet output [ meta load nfproto => reg 1 ] @@ -256,32 +206,12 @@ inet test-inet output [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# frag id { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag reserved2 1 inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000006 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000002 ] # frag more-fragments 0 @@ -289,7 +219,7 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # frag more-fragments 1 @@ -297,6 +227,6 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6 index 940fb9f0..7c3e7a4e 100644 --- a/tests/py/ip6/frag.t.payload.ip6 +++ b/tests/py/ip6/frag.t.payload.ip6 @@ -71,45 +71,29 @@ ip6 test-ip6 output [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# frag reserved { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag frag-off 22 ip6 test-ip6 output [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000b000 ] # frag frag-off != 233 ip6 test-ip6 output [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ cmp neq reg 1 0x00004807 ] # frag frag-off 33-45 ip6 test-ip6 output [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ cmp gte reg 1 0x00000801 ] [ cmp lte reg 1 0x00006801 ] # frag frag-off != 33-45 ip6 test-ip6 output [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ range neq reg 1 0x00000801 0x00006801 ] # frag frag-off { 33, 55, 67, 88} @@ -118,7 +102,7 @@ __set%d test-ip6 0 element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] ip6 test-ip6 output [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # frag frag-off != { 33, 55, 67, 88} @@ -127,33 +111,9 @@ __set%d test-ip6 0 element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] ip6 test-ip6 output [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# frag frag-off { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag more-fragments 1 -ip6 test-ip6 output - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - # frag id 1 ip6 test-ip6 output [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] @@ -196,37 +156,21 @@ ip6 test-ip6 output [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# frag id { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag reserved2 1 ip6 test-ip6 output [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000006 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000002 ] # frag more-fragments 0 ip6 test-ip6 output [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # frag more-fragments 1 ip6 test-ip6 output [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip6/frag.t.payload.netdev b/tests/py/ip6/frag.t.payload.netdev new file mode 100644 index 00000000..05620754 --- /dev/null +++ b/tests/py/ip6/frag.t.payload.netdev @@ -0,0 +1,232 @@ +# frag nexthdr tcp +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# frag nexthdr != icmp +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ cmp neq reg 1 0x00000001 ] + +# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp} +__set%d test-netdev 3 size 8 +__set%d test-netdev 0 + element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp} +__set%d test-netdev 3 size 8 +__set%d test-netdev 0 + element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# frag nexthdr esp +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + +# frag nexthdr ah +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + +# frag reserved 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000016 ] + +# frag reserved != 233 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ cmp neq reg 1 0x000000e9 ] + +# frag reserved 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ cmp gte reg 1 0x00000021 ] + [ cmp lte reg 1 0x0000002d ] + +# frag reserved != 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ range neq reg 1 0x00000021 0x0000002d ] + +# frag reserved { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# frag reserved != { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# frag frag-off 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000b000 ] + +# frag frag-off != 233 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00004807 ] + +# frag frag-off 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ cmp gte reg 1 0x00000801 ] + [ cmp lte reg 1 0x00006801 ] + +# frag frag-off != 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ range neq reg 1 0x00000801 0x00006801 ] + +# frag frag-off { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# frag frag-off != { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d 0x1 ] + +# frag reserved2 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# frag more-fragments 0 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# frag more-fragments 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] + +# frag id 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# frag id 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ cmp eq reg 1 0x16000000 ] + +# frag id != 33 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ cmp neq reg 1 0x21000000 ] + +# frag id 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ cmp gte reg 1 0x21000000 ] + [ cmp lte reg 1 0x2d000000 ] + +# frag id != 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ range neq reg 1 0x21000000 0x2d000000 ] + +# frag id { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# frag id != { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + diff --git a/tests/py/ip6/hbh.t b/tests/py/ip6/hbh.t index f367a384..fce5feae 100644 --- a/tests/py/ip6/hbh.t +++ b/tests/py/ip6/hbh.t @@ -9,8 +9,6 @@ hbh hdrlength 33-45;ok hbh hdrlength != 33-45;ok hbh hdrlength {33, 55, 67, 88};ok hbh hdrlength != {33, 55, 67, 88};ok -hbh hdrlength { 33-55};ok -hbh hdrlength != { 33-55};ok hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr { 58, 136, 51, 50, 6, 17, 132, 33, 108} hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr != { 58, 136, 51, 50, 6, 17, 132, 33, 108} @@ -20,7 +18,5 @@ hbh nexthdr 33-45;ok hbh nexthdr != 33-45;ok hbh nexthdr {33, 55, 67, 88};ok hbh nexthdr != {33, 55, 67, 88};ok -hbh nexthdr { 33-55};ok -hbh nexthdr != { 33-55};ok hbh nexthdr ip;ok;hbh nexthdr 0 hbh nexthdr != ip;ok;hbh nexthdr != 0 diff --git a/tests/py/ip6/hbh.t.json b/tests/py/ip6/hbh.t.json index 441d3bfe..68670a3b 100644 --- a/tests/py/ip6/hbh.t.json +++ b/tests/py/ip6/hbh.t.json @@ -112,46 +112,6 @@ } ] -# hbh hdrlength { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "hbh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# hbh hdrlength != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "hbh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6} [ { @@ -322,46 +282,6 @@ } ] -# hbh nexthdr { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "hbh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# hbh nexthdr != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "hbh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # hbh nexthdr ip [ { diff --git a/tests/py/ip6/hbh.t.payload.inet b/tests/py/ip6/hbh.t.payload.inet index e358351d..63afd832 100644 --- a/tests/py/ip6/hbh.t.payload.inet +++ b/tests/py/ip6/hbh.t.payload.inet @@ -47,26 +47,6 @@ inet test-inet filter-input [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# hbh hdrlength { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# hbh hdrlength != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6} __set%d test-inet 3 __set%d test-inet 0 @@ -136,26 +116,6 @@ inet test-inet filter-input [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# hbh nexthdr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# hbh nexthdr != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # hbh nexthdr ip inet test-inet filter-input [ meta load nfproto => reg 1 ] diff --git a/tests/py/ip6/hbh.t.payload.ip6 b/tests/py/ip6/hbh.t.payload.ip6 index a4b131a5..913505a5 100644 --- a/tests/py/ip6/hbh.t.payload.ip6 +++ b/tests/py/ip6/hbh.t.payload.ip6 @@ -35,22 +35,6 @@ ip6 test-ip6 filter-input [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# hbh hdrlength { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 filter-input - [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# hbh hdrlength != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 filter-input - [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6} __set%d test-ip6 3 __set%d test-ip6 0 @@ -104,22 +88,6 @@ ip6 test-ip6 filter-input [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# hbh nexthdr { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 filter-input - [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# hbh nexthdr != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 filter-input - [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # hbh nexthdr ip ip6 test-ip6 filter-input [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t index 8d794115..7632bfd8 100644 --- a/tests/py/ip6/icmpv6.t +++ b/tests/py/ip6/icmpv6.t @@ -28,25 +28,20 @@ icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-sol icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok -icmpv6 code 4;ok;icmpv6 code port-unreachable +icmpv6 code 4;ok icmpv6 code 3-66;ok -icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept -icmpv6 code != {policy-fail, reject-route, 7} accept;ok -icmpv6 code { 3-66};ok -icmpv6 code != { 3-66};ok +icmpv6 code {5, 6, 7} accept;ok +icmpv6 code != {policy-fail, reject-route, 7} accept;ok;icmpv6 code != {5, 6, 7} accept icmpv6 checksum 2222 log;ok icmpv6 checksum != 2222 log;ok icmpv6 checksum 222-226;ok -icmpv6 checksum != 2222 log;ok +icmpv6 checksum != 222-226;ok icmpv6 checksum { 222, 226};ok icmpv6 checksum != { 222, 226};ok -icmpv6 checksum { 222-226};ok -icmpv6 checksum != { 222-226};ok -# BUG: icmpv6 parameter-problem, pptr, mtu, packet-too-big +# BUG: icmpv6 parameter-problem, pptr # [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr), -# [ICMP6HDR_MTU] = ICMP6HDR_FIELD("packet-too-big", icmp6_mtu), # $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem 35 # <cmdline>:1:53-53: Error: syntax error, unexpected end of file # add rule ip6 test6 input icmpv6 parameter-problem 35 @@ -59,44 +54,46 @@ icmpv6 checksum != { 222-226};ok # <cmdline>:1:54-54: Error: syntax error, unexpected end of file # add rule ip6 test6 input icmpv6 parameter-problem 2-4 -# BUG: packet-too-big -# $ sudo nft add rule ip6 test6 input icmpv6 packet-too-big 34 -# <cmdline>:1:50-50: Error: syntax error, unexpected end of file -# add rule ip6 test6 input icmpv6 packet-too-big 34 - icmpv6 mtu 22;ok icmpv6 mtu != 233;ok icmpv6 mtu 33-45;ok icmpv6 mtu != 33-45;ok icmpv6 mtu {33, 55, 67, 88};ok icmpv6 mtu != {33, 55, 67, 88};ok -icmpv6 mtu {33-55};ok -icmpv6 mtu != {33-55};ok - -- icmpv6 id 2;ok -- icmpv6 id != 233;ok -icmpv6 id 33-45;ok -icmpv6 id != 33-45;ok -icmpv6 id {33, 55, 67, 88};ok -icmpv6 id != {33, 55, 67, 88};ok -icmpv6 id {33-55};ok -icmpv6 id != {33-55};ok - -icmpv6 sequence 2;ok -icmpv6 sequence {3, 4, 5, 6, 7} accept;ok - -icmpv6 sequence {2, 4};ok -icmpv6 sequence != {2, 4};ok -icmpv6 sequence 2-4;ok -icmpv6 sequence != 2-4;ok -icmpv6 sequence { 2-4};ok -icmpv6 sequence != { 2-4};ok - -- icmpv6 max-delay 22;ok -- icmpv6 max-delay != 233;ok +icmpv6 type packet-too-big icmpv6 mtu 1280;ok;icmpv6 mtu 1280 + +icmpv6 id 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 33-45 +icmpv6 id != 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != 33-45 +icmpv6 id {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id { 33, 55, 67, 88} +icmpv6 id != {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != { 33, 55, 67, 88} + +icmpv6 id 1;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 1 +icmpv6 type echo-reply icmpv6 id 65534;ok + +icmpv6 sequence 2;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2 +icmpv6 sequence {3, 4, 5, 6, 7} accept;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 3, 4, 5, 6, 7} accept + + +icmpv6 sequence {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 2, 4} +icmpv6 sequence != {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != { 2, 4} +icmpv6 sequence 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2-4 +icmpv6 sequence != 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != 2-4 + icmpv6 max-delay 33-45;ok icmpv6 max-delay != 33-45;ok icmpv6 max-delay {33, 55, 67, 88};ok icmpv6 max-delay != {33, 55, 67, 88};ok -icmpv6 max-delay {33-55};ok -icmpv6 max-delay != {33-55};ok + +icmpv6 type parameter-problem icmpv6 code 0;ok + +icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133;ok +icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133;ok +icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133;ok +icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 + +icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 + +icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133;ok +icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133;ok +icmpv6 daddr 2001:db8::133;ok +icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133;ok;icmpv6 daddr 2001:db8::133 diff --git a/tests/py/ip6/icmpv6.t.json b/tests/py/ip6/icmpv6.t.json index f6cfbf17..9df886dd 100644 --- a/tests/py/ip6/icmpv6.t.json +++ b/tests/py/ip6/icmpv6.t.json @@ -532,8 +532,8 @@ "op": "!=", "right": { "set": [ - "policy-fail", - "reject-route", + 5, + 6, 7 ] } @@ -544,46 +544,6 @@ } ] -# icmpv6 code { 3-66} -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 3, 66 ] } - ] - } - } - } -] - -# icmpv6 code != { 3-66} -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmpv6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 3, 66 ] } - ] - } - } - } -] - # icmpv6 checksum 2222 log [ { @@ -640,7 +600,7 @@ } ] -# icmpv6 checksum != 2222 log +# icmpv6 checksum != 222-226 [ { "match": { @@ -650,12 +610,11 @@ "protocol": "icmpv6" } }, - "op": "!=", - "right": 2222 + "op": "!=", + "right": { + "range": [ 222, 226 ] + } } - }, - { - "log": null } ] @@ -701,46 +660,6 @@ } ] -# icmpv6 checksum { 222-226} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 222, 226 ] } - ] - } - } - } -] - -# icmpv6 checksum != { 222-226} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "icmpv6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 222, 226 ] } - ] - } - } - } -] - # icmpv6 mtu 22 [ { @@ -855,46 +774,6 @@ } ] -# icmpv6 mtu {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "mtu", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# icmpv6 mtu != {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "mtu", - "protocol": "icmpv6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # icmpv6 id 33-45 [ { @@ -977,42 +856,63 @@ } ] -# icmpv6 id {33-55} +# icmpv6 id 1 [ { "match": { "left": { "payload": { - "field": "id", + "field": "type", "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "echo-request", + "echo-reply" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": 1 + } } ] -# icmpv6 id != {33-55} +# icmpv6 type echo-reply icmpv6 id 65534 [ { "match": { "left": { "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-reply" + } + }, + { + "match": { + "left": { + "payload": { "field": "id", "protocol": "icmpv6" } }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "==", + "right": 65534 } } ] @@ -1138,165 +1038,388 @@ } ] -# icmpv6 sequence { 2-4} +# icmpv6 max-delay 33-45 [ { "match": { "left": { "payload": { - "field": "sequence", + "field": "max-delay", "protocol": "icmpv6" } }, "op": "==", "right": { - "set": [ - { "range": [ 2, 4 ] } - ] + "range": [ 33, 45 ] } } } ] -# icmpv6 sequence != { 2-4} +# icmpv6 max-delay != 33-45 [ { "match": { "left": { "payload": { - "field": "sequence", + "field": "max-delay", "protocol": "icmpv6" } }, "op": "!=", "right": { - "set": [ - { "range": [ 2, 4 ] } - ] + "range": [ 33, 45 ] } } } ] -# icmpv6 max-delay 33-45 +# icmpv6 max-delay {33, 55, 67, 88} [ { "match": { "left": { "payload": { "field": "max-delay", - "name": "icmpv6" + "protocol": "icmpv6" } }, "op": "==", "right": { - "range": [ 33, 45 ] + "set": [ + 33, + 55, + 67, + 88 + ] } } } ] -# icmpv6 max-delay != 33-45 +# icmpv6 max-delay != {33, 55, 67, 88} [ { "match": { "left": { "payload": { "field": "max-delay", - "name": "icmpv6" + "protocol": "icmpv6" } }, "op": "!=", "right": { - "range": [ 33, 45 ] + "set": [ + 33, + 55, + 67, + 88 + ] } } } ] -# icmpv6 max-delay {33, 55, 67, 88} +# icmpv6 type packet-too-big icmpv6 mtu 1280 [ { "match": { "left": { "payload": { - "field": "max-delay", - "name": "icmpv6" + "field": "mtu", + "protocol": "icmpv6" } }, - "op": "==", + "op": "==", + "right": 1280 + } + } +] + +# icmpv6 type parameter-problem icmpv6 code 0 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "parameter-problem" + } + }, + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": 0 + } + } +] + +# icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "mld-listener-query" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-neighbor-solicit" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-neighbor-advert" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", "right": { "set": [ - 33, - 55, - 67, - 88 + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } } ] -# icmpv6 max-delay != {33, 55, 67, 88} +# icmpv6 taddr 2001:db8::133 [ { "match": { "left": { "payload": { - "field": "max-delay", - "name": "icmpv6" + "field": "type", + "protocol": "icmpv6" } }, - "op": "!=", + "op": "==", "right": { "set": [ - 33, - 55, - 67, - 88 + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } } ] -# icmpv6 max-delay {33-55} +# icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 [ { "match": { "left": { "payload": { - "field": "max-delay", - "name": "icmpv6" + "field": "type", + "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } } ] -# icmpv6 max-delay != {33-55} +# icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133 [ { "match": { "left": { "payload": { - "field": "max-delay", - "name": "icmpv6" + "field": "type", + "protocol": "icmpv6" } }, - "op": "!=", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "nd-neighbor-solicit", + "nd-neighbor-advert" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } } ] +# icmpv6 daddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] diff --git a/tests/py/ip6/icmpv6.t.json.output b/tests/py/ip6/icmpv6.t.json.output index 3a106621..f29b346c 100644 --- a/tests/py/ip6/icmpv6.t.json.output +++ b/tests/py/ip6/icmpv6.t.json.output @@ -8,7 +8,7 @@ "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": "mld-listener-done" } }, @@ -27,7 +27,7 @@ "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { "set": [ "time-exceeded", @@ -53,7 +53,7 @@ "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { "set": [ "time-exceeded", @@ -103,8 +103,8 @@ "protocol": "icmpv6" } }, - "op": "==", - "right": "port-unreachable" + "op": "==", + "right": 4 } } ] @@ -119,9 +119,12 @@ "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { - "range": [ "addr-unreachable", 66 ] + "range": [ + 3, + 66 + ] } } } @@ -137,11 +140,11 @@ "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { "set": [ - "policy-fail", - "reject-route", + 5, + 6, 7 ] } @@ -162,10 +165,15 @@ "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { "set": [ - { "range": [ "addr-unreachable", 66 ] } + { + "range": [ + "addr-unreachable", + 66 + ] + } ] } } @@ -185,7 +193,565 @@ "op": "!=", "right": { "set": [ - { "range": [ "addr-unreachable", 66 ] } + { + "range": [ + "addr-unreachable", + 66 + ] + } + ] + } + } + } +] + +# icmpv6 id 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmpv6 id != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmpv6" + } + }, + "op": "!=", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmpv6 id {33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# icmpv6 id != {33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmpv6" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# icmpv6 id {33-55} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + { + "range": [ + 33, + 55 + ] + } + ] + } + } + } +] + +# icmpv6 id != {33-55} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmpv6" + } + }, + "op": "!=", + "right": { + "set": [ + { + "range": [ + 33, + 55 + ] + } + ] + } + } + } +] + +# icmpv6 sequence 2 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": 2 + } + } +] + +# icmpv6 sequence {3, 4, 5, 6, 7} accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + 3, + 4, + 5, + 6, + 7 + ] + } + } + }, + { + "accept": null + } +] + +# icmpv6 sequence {2, 4} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + 2, + 4 + ] + } + } + } +] + +# icmpv6 sequence != {2, 4} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmpv6" + } + }, + "op": "!=", + "right": { + "set": [ + 2, + 4 + ] + } + } + } +] + +# icmpv6 sequence 2-4 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "range": [ + 2, + 4 + ] + } + } + } +] + +# icmpv6 sequence != 2-4 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmpv6" + } + }, + "op": "!=", + "right": { + "range": [ + 2, + 4 + ] + } + } + } +] + +# icmpv6 sequence { 2-4} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + { + "range": [ + 2, + 4 + ] + } + ] + } + } + } +] + +# icmpv6 sequence != { 2-4} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "echo-request", + "echo-reply" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmpv6" + } + }, + "op": "!=", + "right": { + "set": [ + { + "range": [ + 2, + 4 + ] + } ] } } diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 index 51d71f41..5b6035d1 100644 --- a/tests/py/ip6/icmpv6.t.payload.ip6 +++ b/tests/py/ip6/icmpv6.t.payload.ip6 @@ -231,26 +231,6 @@ ip6 test-ip6 input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# icmpv6 code { 3-66} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000003 : 0 [end] element 00000043 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmpv6 code != { 3-66} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000003 : 0 [end] element 00000043 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmpv6 checksum 2222 log ip6 test-ip6 input [ meta load l4proto => reg 1 ] @@ -275,13 +255,12 @@ ip6 test-ip6 input [ cmp gte reg 1 0x0000de00 ] [ cmp lte reg 1 0x0000e200 ] -# icmpv6 checksum != 2222 log -ip6 test-ip6 input +# icmpv6 checksum != 222-226 +ip6 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp neq reg 1 0x0000ae08 ] - [ log ] + [ range neq reg 1 0x0000de00 0x0000e200 ] # icmpv6 checksum { 222, 226} __set%d test-ip6 3 @@ -303,30 +282,12 @@ ip6 test-ip6 input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 checksum { 222-226} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 0000de00 : 0 [end] element 0000e300 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmpv6 checksum != { 222-226} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 0000de00 : 0 [end] element 0000e300 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmpv6 mtu 22 ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ cmp eq reg 1 0x16000000 ] @@ -334,6 +295,8 @@ ip6 test-ip6 input ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ cmp neq reg 1 0xe9000000 ] @@ -341,6 +304,8 @@ ip6 test-ip6 input ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ cmp gte reg 1 0x21000000 ] [ cmp lte reg 1 0x2d000000 ] @@ -349,6 +314,8 @@ ip6 test-ip6 input ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ range neq reg 1 0x21000000 0x2d000000 ] @@ -359,6 +326,8 @@ __set%d test-ip6 0 ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d ] @@ -369,172 +338,185 @@ __set%d test-ip6 0 ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 mtu {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmpv6 mtu != {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip6 test-ip6 input +# icmpv6 type packet-too-big icmpv6 mtu 1280 +ip6 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ cmp eq reg 1 0x00050000 ] # icmpv6 id 33-45 +__set%d test-ip6 3 +__set%d test-ip6 0 + element 00000080 : 0 [end] element 00000081 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] # icmpv6 id != 33-45 +__set%d test-ip6 3 +__set%d test-ip6 0 + element 00000080 : 0 [end] element 00000081 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] # icmpv6 id {33, 55, 67, 88} __set%d test-ip6 3 __set%d test-ip6 0 + element 00000080 : 0 [end] element 00000081 : 0 [end] +__set%d test-ip6 3 +__set%d test-ip6 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d ] # icmpv6 id != {33, 55, 67, 88} __set%d test-ip6 3 __set%d test-ip6 0 + element 00000080 : 0 [end] element 00000081 : 0 [end] +__set%d test-ip6 3 +__set%d test-ip6 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 id {33-55} -__set%d test-ip6 7 +# icmpv6 id 1 +__set%d test-ip6 3 size 2 __set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input + element 00000080 : 0 [end] element 00000081 : 0 [end] +ip6 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] -# icmpv6 id != {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input +# icmpv6 type echo-reply icmpv6 id 65534 +ip6 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ cmp eq reg 1 0x0000feff ] # icmpv6 sequence 2 +__set%d test-ip6 3 +__set%d test-ip6 0 + element 00000080 : 0 [end] element 00000081 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp eq reg 1 0x00000200 ] # icmpv6 sequence {3, 4, 5, 6, 7} accept __set%d test-ip6 3 __set%d test-ip6 0 - element 00000300 : 0 [end] element 00000400 : 0 [end] element 00000500 : 0 [end] element 00000600 : 0 [end] element 00000700 : 0 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# icmpv6 sequence != {3, 4, 5, 6, 7} accept + element 00000080 : 0 [end] element 00000081 : 0 [end] __set%d test-ip6 3 __set%d test-ip6 0 element 00000300 : 0 [end] element 00000400 : 0 [end] element 00000500 : 0 [end] element 00000600 : 0 [end] element 00000700 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ lookup reg 1 set __set%d ] [ immediate reg 0 accept ] # icmpv6 sequence {2, 4} __set%d test-ip6 3 __set%d test-ip6 0 + element 00000080 : 0 [end] element 00000081 : 0 [end] +__set%d test-ip6 3 +__set%d test-ip6 0 element 00000200 : 0 [end] element 00000400 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] # icmpv6 sequence != {2, 4} __set%d test-ip6 3 __set%d test-ip6 0 + element 00000080 : 0 [end] element 00000081 : 0 [end] +__set%d test-ip6 3 +__set%d test-ip6 0 element 00000200 : 0 [end] element 00000400 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # icmpv6 sequence 2-4 +__set%d test-ip6 3 +__set%d test-ip6 0 + element 00000080 : 0 [end] element 00000081 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] [ cmp gte reg 1 0x00000200 ] [ cmp lte reg 1 0x00000400 ] # icmpv6 sequence != 2-4 -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ range neq reg 1 0x00000200 0x00000400 ] - -# icmpv6 sequence { 2-4} -__set%d test-ip6 7 +__set%d test-ip6 3 __set%d test-ip6 0 - element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end] + element 00000080 : 0 [end] element 00000081 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 6 => reg 1 ] + [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] - -# icmpv6 sequence != { 2-4} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ range neq reg 1 0x00000200 0x00000400 ] # icmpv6 max-delay 33-45 ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000082 ] [ payload load 2b @ transport header + 4 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] @@ -543,6 +525,8 @@ ip6 test-ip6 input ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000082 ] [ payload load 2b @ transport header + 4 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] @@ -553,6 +537,8 @@ __set%d test-ip6 0 ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000082 ] [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d ] @@ -563,26 +549,95 @@ __set%d test-ip6 0 ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000082 ] [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 max-delay {33-55} -__set%d test-ip6 7 +# icmpv6 type parameter-problem icmpv6 code 0 +ip6 + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + +# icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000082 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000087 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 6 __set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] + element 00000082 : 0 [end] element 00000083 : 0 [end] element 00000084 : 0 [end] element 00000087 : 0 [end] element 00000088 : 0 [end] element 00000089 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] -# icmpv6 max-delay != {33-55} -__set%d test-ip6 7 +# icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 6 __set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] + element 00000082 : 0 [end] element 00000083 : 0 [end] element 00000084 : 0 [end] element 00000087 : 0 [end] element 00000088 : 0 [end] element 00000089 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 2 +__set%d test-ip6 0 + element 00000087 : 0 [end] element 00000088 : 0 [end] +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] +# icmpv6 daddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000089 ] + [ payload load 16b @ transport header + 24 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000089 ] + [ payload load 16b @ transport header + 24 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] diff --git a/tests/py/ip6/ip6.t b/tests/py/ip6/ip6.t index 8210d22b..430dd571 100644 --- a/tests/py/ip6/ip6.t +++ b/tests/py/ip6/ip6.t @@ -17,6 +17,15 @@ ip6 dscp != 0x20;ok;ip6 dscp != cs4 ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter;ok +!map1 type dscp : mark;ok +meta mark set ip6 dscp map @map1;ok +!map2 type dscp . ipv6_addr : mark;ok +meta mark set ip6 dscp . ip6 daddr map @map2;ok +!map3 type dscp : mark;ok +ip6 dscp @map3;ok +!map4 type dscp . ipv6_addr : mark;ok +ip6 dscp . ip6 daddr @map4;ok + ip6 flowlabel 22;ok ip6 flowlabel != 233;ok - ip6 flowlabel 33-45;ok @@ -24,9 +33,7 @@ ip6 flowlabel != 233;ok ip6 flowlabel { 33, 55, 67, 88};ok # BUG ip6 flowlabel { 5046528, 2883584, 13522432 } ip6 flowlabel != { 33, 55, 67, 88};ok -ip6 flowlabel { 33-55};ok -ip6 flowlabel != { 33-55};ok -ip6 flowlabel vmap { 0 : accept, 2 : continue } ;ok +ip6 flowlabel vmap { 0 : accept, 2 : continue };ok ip6 length 22;ok ip6 length != 233;ok @@ -34,16 +41,12 @@ ip6 length 33-45;ok ip6 length != 33-45;ok ip6 length { 33, 55, 67, 88};ok ip6 length != {33, 55, 67, 88};ok -ip6 length { 33-55};ok -ip6 length != { 33-55};ok ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp};ok;ip6 nexthdr { 132, 51, 108, 136, 17, 33, 6} ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr { 6, 136, 108, 33, 50, 17, 132, 58, 51} ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr != { 6, 136, 108, 33, 50, 17, 132, 58, 51} ip6 nexthdr esp;ok;ip6 nexthdr 50 ip6 nexthdr != esp;ok;ip6 nexthdr != 50 -ip6 nexthdr { 33-44};ok -ip6 nexthdr != { 33-44};ok ip6 nexthdr 33-44;ok ip6 nexthdr != 33-44;ok @@ -53,8 +56,6 @@ ip6 hoplimit 33-45;ok ip6 hoplimit != 33-45;ok ip6 hoplimit {33, 55, 67, 88};ok ip6 hoplimit != {33, 55, 67, 88};ok -ip6 hoplimit {33-55};ok -ip6 hoplimit != {33-55};ok # from src/scanner.l # v680 (({hex4}:){7}{hex4}) diff --git a/tests/py/ip6/ip6.t.json b/tests/py/ip6/ip6.t.json index f898240f..49e5a2dd 100644 --- a/tests/py/ip6/ip6.t.json +++ b/tests/py/ip6/ip6.t.json @@ -135,39 +135,107 @@ } ] -# ip6 flowlabel 22 +# meta mark set ip6 dscp map @map1 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map1", + "key": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } + } + } +] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map2", + "key": { + "concat": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] + } + } + } + } + } +] + +# ip6 dscp @map3 [ { "match": { "left": { "payload": { - "field": "flowlabel", + "field": "dscp", "protocol": "ip6" } }, - "op": "==", - "right": 22 + "op": "==", + "right": "@map3" } } ] -# ip6 flowlabel != 233 +# ip6 dscp . ip6 daddr @map4 [ { "match": { "left": { - "payload": { - "field": "flowlabel", - "protocol": "ip6" - } + "concat": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] }, - "op": "!=", - "right": 233 + "op": "==", + "right": "@map4" } } ] -# ip6 flowlabel { 33, 55, 67, 88} +# ip6 flowlabel 22 [ { "match": { @@ -178,19 +246,12 @@ } }, "op": "==", - "right": { - "set": [ - 33, - 55, - 67, - 88 - ] - } + "right": 22 } } ] -# ip6 flowlabel != { 33, 55, 67, 88} +# ip6 flowlabel != 233 [ { "match": { @@ -201,19 +262,12 @@ } }, "op": "!=", - "right": { - "set": [ - 33, - 55, - 67, - 88 - ] - } + "right": 233 } } ] -# ip6 flowlabel { 33-55} +# ip6 flowlabel { 33, 55, 67, 88} [ { "match": { @@ -226,14 +280,17 @@ "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + 33, + 55, + 67, + 88 ] } } } ] -# ip6 flowlabel != { 33-55} +# ip6 flowlabel != { 33, 55, 67, 88} [ { "match": { @@ -246,7 +303,10 @@ "op": "!=", "right": { "set": [ - { "range": [ 33, 55 ] } + 33, + 55, + 67, + 88 ] } } @@ -397,48 +457,6 @@ } ] -# ip6 length { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "ip6" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ 33, 55 ] - } - ] - } - } - } -] - -# ip6 length != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "ip6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp} [ { @@ -743,46 +761,6 @@ } ] -# ip6 hoplimit {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "hoplimit", - "protocol": "ip6" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip6 hoplimit != {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "hoplimit", - "protocol": "ip6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234 [ { diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet index d015c8ef..dbb430af 100644 --- a/tests/py/ip6/ip6.t.payload.inet +++ b/tests/py/ip6/ip6.t.payload.inet @@ -3,7 +3,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000002 ] # ip6 dscp != cs1 @@ -11,7 +11,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000002 ] # ip6 dscp 0x38 @@ -19,7 +19,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000e ] # ip6 dscp != 0x20 @@ -27,7 +27,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000008 ] # ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} @@ -38,27 +38,71 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter __map%d test-inet b size 2 __map%d test-inet 0 - element 00000001 : 0 [end] element 0000c00f : 0 [end] + element 00000001 : accept 0 [end] element 0000c00f : continue 0 [end] ip6 test-ip6 input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] +# meta mark set ip6 dscp map @map1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map2 dreg 1 ] + [ meta set mark with reg 1 ] + +# ip6 dscp @map3 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map3 ] + +# ip6 dscp . ip6 daddr @map4 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map4 ] + # ip6 flowlabel 22 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00160000 ] # ip6 flowlabel != 233 @@ -66,7 +110,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ cmp neq reg 1 0x00e90000 ] # ip6 flowlabel { 33, 55, 67, 88} @@ -77,7 +121,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip6 flowlabel != { 33, 55, 67, 88} @@ -88,40 +132,18 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 flowlabel { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# ip6 flowlabel != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip6 flowlabel vmap { 0 : accept, 2 : continue } +# ip6 flowlabel vmap { 0 : accept, 2 : continue } __map%d test-inet b size 2 __map%d test-inet 0 - element 00000000 : 0 [end] element 00020000 : 0 [end] + element 00000000 : accept 0 [end] element 00020000 : continue 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] # ip6 length 22 @@ -173,26 +195,6 @@ inet test-inet input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 length { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 length != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp} __set%d test-inet 3 __set%d test-inet 0 @@ -237,26 +239,6 @@ inet test-inet input [ payload load 1b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x00000032 ] -# ip6 nexthdr { 33-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 nexthdr != { 33-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 nexthdr 33-44 inet test-inet input [ meta load nfproto => reg 1 ] @@ -321,26 +303,6 @@ inet test-inet input [ payload load 1b @ network header + 7 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 hoplimit {33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 7 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 hoplimit != {33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 7 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234 inet test-inet input [ meta load nfproto => reg 1 ] @@ -604,9 +566,8 @@ inet test-inet input inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] - [ payload load 16b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] - [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ] + [ payload load 8b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x00000000 0x00000000 ] # ip6 saddr ::1 ip6 daddr ::2 inet test-inet input @@ -659,7 +620,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00003ff0 ) ^ 0x00000009 ] + [ bitwise reg 1 = ( reg 1 & 0x00003ff0 ) ^ 0x00000009 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 dscp set 63 @@ -669,7 +630,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00003ff0 ) ^ 0x0000c00f ] + [ bitwise reg 1 = ( reg 1 & 0x00003ff0 ) ^ 0x0000c00f ] [ payload write reg 1 => 2b @ network header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 ecn set ect0 @@ -679,7 +640,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000cf ) ^ 0x00000020 ] + [ bitwise reg 1 = ( reg 1 & 0x000000cf ) ^ 0x00000020 ] [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 ecn set ce @@ -689,7 +650,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000cf ) ^ 0x00000030 ] + [ bitwise reg 1 = ( reg 1 & 0x000000cf ) ^ 0x00000030 ] [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 flowlabel set 0 @@ -699,7 +660,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 flowlabel set 12345 @@ -709,7 +670,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00393000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00393000 ] [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 flowlabel set 0xfffff @@ -719,6 +680,6 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00ffff0f ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00ffff0f ] [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6 index b2e8363c..b1289232 100644 --- a/tests/py/ip6/ip6.t.payload.ip6 +++ b/tests/py/ip6/ip6.t.payload.ip6 @@ -1,25 +1,25 @@ # ip6 dscp cs1 ip6 test-ip6 input [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000002 ] # ip6 dscp != cs1 ip6 test-ip6 input [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000002 ] # ip6 dscp 0x38 ip6 test-ip6 input [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000e ] # ip6 dscp != 0x20 ip6 test-ip6 input [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000008 ] # ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} @@ -28,29 +28,65 @@ __set%d test-ip6 0 element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00000000 : 0 [end] element 00008002 : 0 [end] element 00000003 : 0 [end] element 00008003 : 0 [end] element 00008004 : 0 [end] element 00000005 : 0 [end] element 00008005 : 0 [end] element 00008006 : 0 [end] element 00000007 : 0 [end] element 00008007 : 0 [end] element 00008008 : 0 [end] element 00000009 : 0 [end] element 00008009 : 0 [end] element 0000800b : 0 [end] ip6 test-ip6 input [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter __map%d test-ip6 b size 2 __map%d test-ip6 0 - element 00000001 : 0 [end] element 0000c00f : 0 [end] + element 00000001 : accept 0 [end] element 0000c00f : continue 0 [end] ip6 test-ip6 input [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] +# meta mark set ip6 dscp map @map1 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map2 dreg 1 ] + [ meta set mark with reg 1 ] + +# ip6 dscp @map3 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map3 ] + +# ip6 dscp . ip6 daddr @map4 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map4 ] + # ip6 flowlabel 22 ip6 test-ip6 input [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00160000 ] # ip6 flowlabel != 233 ip6 test-ip6 input [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ cmp neq reg 1 0x00e90000 ] # ip6 flowlabel { 33, 55, 67, 88} @@ -59,7 +95,7 @@ __set%d test-ip6 0 element 00210000 : 0 [end] element 00370000 : 0 [end] element 00430000 : 0 [end] element 00580000 : 0 [end] ip6 test-ip6 input [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip6 flowlabel != { 33, 55, 67, 88} @@ -68,34 +104,16 @@ __set%d test-ip6 0 element 00210000 : 0 [end] element 00370000 : 0 [end] element 00430000 : 0 [end] element 00580000 : 0 [end] ip6 test-ip6 input [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 flowlabel { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end] -ip6 test-ip6 input - [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# ip6 flowlabel != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end] -ip6 test-ip6 input - [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip6 flowlabel vmap { 0 : accept, 2 : continue } +# ip6 flowlabel vmap { 0 : accept, 2 : continue } __map%d test-ip6 b size 2 __map%d test-ip6 0 - element 00000000 : 0 [end] element 00020000 : 0 [end] + element 00000000 : accept 0 [end] element 00020000 : continue 0 [end] ip6 test-ip6 input [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] # ip6 length 22 @@ -135,22 +153,6 @@ ip6 test-ip6 input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 length { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 length != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp} __set%d test-ip6 3 __set%d test-ip6 0 @@ -185,22 +187,6 @@ ip6 test-ip6 input [ payload load 1b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x00000032 ] -# ip6 nexthdr { 33-44} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end] -ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 nexthdr != { 33-44} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end] -ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 nexthdr 33-44 ip6 test-ip6 input [ payload load 1b @ network header + 6 => reg 1 ] @@ -249,22 +235,6 @@ ip6 test-ip6 input [ payload load 1b @ network header + 7 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 hoplimit {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ payload load 1b @ network header + 7 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 hoplimit != {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ payload load 1b @ network header + 7 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234 ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] @@ -452,9 +422,8 @@ ip6 test-ip6 input # ip6 saddr ::/64 ip6 test-ip6 input - [ payload load 16b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] - [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ] + [ payload load 8b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x00000000 0x00000000 ] # ip6 saddr ::1 ip6 daddr ::2 ip6 test-ip6 input @@ -495,7 +464,7 @@ ip6 test-ip6 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00003ff0 ) ^ 0x00000009 ] + [ bitwise reg 1 = ( reg 1 & 0x00003ff0 ) ^ 0x00000009 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 dscp set 63 @@ -503,7 +472,7 @@ ip6 test-ip6 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00003ff0 ) ^ 0x0000c00f ] + [ bitwise reg 1 = ( reg 1 & 0x00003ff0 ) ^ 0x0000c00f ] [ payload write reg 1 => 2b @ network header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 ecn set ect0 @@ -511,7 +480,7 @@ ip6 test-ip6 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000cf ) ^ 0x00000020 ] + [ bitwise reg 1 = ( reg 1 & 0x000000cf ) ^ 0x00000020 ] [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 ecn set ce @@ -519,7 +488,7 @@ ip6 test-ip6 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 1b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000cf ) ^ 0x00000030 ] + [ bitwise reg 1 = ( reg 1 & 0x000000cf ) ^ 0x00000030 ] [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 flowlabel set 0 @@ -527,7 +496,7 @@ ip6 test-ip6 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 flowlabel set 12345 @@ -535,7 +504,7 @@ ip6 test-ip6 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00393000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00393000 ] [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] # iif "lo" ip6 flowlabel set 0xfffff @@ -543,6 +512,6 @@ ip6 test-ip6 input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00ffff0f ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00ffff0f ] [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ] diff --git a/tests/py/ip6/map.t.payload b/tests/py/ip6/map.t.payload index 9b393a60..8e900c18 100644 --- a/tests/py/ip6/map.t.payload +++ b/tests/py/ip6/map.t.payload @@ -4,7 +4,7 @@ __map%d test-ip6 0 element 00000000 00000000 00000000 02000000 : 0000002a 0 [end] element 00000000 00000000 00000000 ffff0000 : 00000017 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000000 0x00000000 0x00000000 0xffff0000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000000 0x00000000 0x00000000 0xffff0000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] diff --git a/tests/py/ip6/masquerade.t.payload.ip6 b/tests/py/ip6/masquerade.t.payload.ip6 index 98657551..43ae2ae4 100644 --- a/tests/py/ip6/masquerade.t.payload.ip6 +++ b/tests/py/ip6/masquerade.t.payload.ip6 @@ -112,12 +112,12 @@ ip6 test-ip6 postrouting # iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade __map%d test-ip6 b __map%d test-ip6 0 - element 00001600 : 0 [end] element 0000de00 : 0 [end] + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] ip6 test-ip6 postrouting [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] [ ct load state => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000a ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -130,7 +130,7 @@ ip6 test-ip6 postrouting [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00000004 ] - [ masq proto_min reg 1 proto_max reg 0 ] + [ masq proto_min reg 1 flags 0x2 ] # meta l4proto 6 masquerade to :1024-2048 ip6 test-ip6 postrouting @@ -138,5 +138,5 @@ ip6 test-ip6 postrouting [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00000004 ] [ immediate reg 2 0x00000008 ] - [ masq proto_min reg 1 proto_max reg 2 ] + [ masq proto_min reg 1 proto_max reg 2 flags 0x2 ] diff --git a/tests/py/ip6/meta.t b/tests/py/ip6/meta.t index dce97f5b..c177b081 100644 --- a/tests/py/ip6/meta.t +++ b/tests/py/ip6/meta.t @@ -9,5 +9,11 @@ meta l4proto icmp icmp type echo-request;ok;icmp type echo-request meta l4proto 1 icmp type echo-request;ok;icmp type echo-request icmp type echo-request;ok +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok;udp dport 67 + meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok + +meta mark set ip6 dscp << 2 | 0x10;ok +meta mark set ip6 dscp << 26 | 0x10;ok diff --git a/tests/py/ip6/meta.t.json b/tests/py/ip6/meta.t.json index 29cf9fd2..1a2394d8 100644 --- a/tests/py/ip6/meta.t.json +++ b/tests/py/ip6/meta.t.json @@ -105,3 +105,209 @@ } ] +# meta sdif "lo" accept +[ + { + "match": { + "left": { + "meta": { + "key": "sdif" + } + }, + "op": "==", + "right": "lo" + } + }, + { + "accept": null + } +] + +# meta sdifname != "vrf1" accept +[ + { + "match": { + "left": { + "meta": { + "key": "sdifname" + } + }, + "op": "!=", + "right": "vrf1" + } + }, + { + "accept": null + } +] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark set ip6 dscp lshift 2 or 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp lshift 26 or 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + diff --git a/tests/py/ip6/meta.t.json.output b/tests/py/ip6/meta.t.json.output index dede9b16..61adf184 100644 --- a/tests/py/ip6/meta.t.json.output +++ b/tests/py/ip6/meta.t.json.output @@ -46,3 +46,19 @@ } ] +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + diff --git a/tests/py/ip6/meta.t.payload b/tests/py/ip6/meta.t.payload index be04816e..6a37f1de 100644 --- a/tests/py/ip6/meta.t.payload +++ b/tests/py/ip6/meta.t.payload @@ -44,3 +44,39 @@ ip6 test-ip6 input [ meta load sdifname => reg 1 ] [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ] [ immediate reg 0 accept ] + +# meta protocol ip udp dport 67 +ip6 test-ip6 input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip6 dscp << 2 | 0x10 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp << 26 | 0x10 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip6/mh.t b/tests/py/ip6/mh.t index 2f90372e..46f4ba05 100644 --- a/tests/py/ip6/mh.t +++ b/tests/py/ip6/mh.t @@ -15,8 +15,6 @@ mh nexthdr 33-45;ok mh nexthdr != 33-45;ok mh nexthdr { 33, 55, 67, 88 };ok mh nexthdr != { 33, 55, 67, 88 };ok -mh nexthdr { 33-55 };ok -mh nexthdr != { 33-55 };ok mh hdrlength 22;ok mh hdrlength != 233;ok @@ -24,8 +22,6 @@ mh hdrlength 33-45;ok mh hdrlength != 33-45;ok mh hdrlength { 33, 55, 67, 88 };ok mh hdrlength != { 33, 55, 67, 88 };ok -mh hdrlength { 33-55 };ok -mh hdrlength != { 33-55 };ok mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message};ok mh type home-agent-switch-message;ok @@ -37,8 +33,6 @@ mh reserved 33-45;ok mh reserved != 33-45;ok mh reserved { 33, 55, 67, 88};ok mh reserved != { 33, 55, 67, 88};ok -mh reserved { 33-55};ok -mh reserved != { 33-55};ok mh checksum 22;ok mh checksum != 233;ok @@ -46,5 +40,3 @@ mh checksum 33-45;ok mh checksum != 33-45;ok mh checksum { 33, 55, 67, 88};ok mh checksum != { 33, 55, 67, 88};ok -mh checksum { 33-55};ok -mh checksum != { 33-55};ok diff --git a/tests/py/ip6/mh.t.json b/tests/py/ip6/mh.t.json index 211477d3..3159b14b 100644 --- a/tests/py/ip6/mh.t.json +++ b/tests/py/ip6/mh.t.json @@ -232,48 +232,6 @@ } ] -# mh nexthdr { 33-55 } -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "mh" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ 33, 55 ] - } - ] - } - } - } -] - -# mh nexthdr != { 33-55 } -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "mh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # mh hdrlength 22 [ { @@ -388,46 +346,6 @@ } ] -# mh hdrlength { 33-55 } -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "mh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# mh hdrlength != { 33-55 } -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "mh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message} [ { @@ -606,46 +524,6 @@ } ] -# mh reserved { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "reserved", - "name": "mh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# mh reserved != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "reserved", - "name": "mh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # mh checksum 22 [ { @@ -760,43 +638,3 @@ } ] -# mh checksum { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "checksum", - "name": "mh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# mh checksum != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "checksum", - "name": "mh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/ip6/mh.t.payload.inet b/tests/py/ip6/mh.t.payload.inet index 2c473fbd..54eaa70e 100644 --- a/tests/py/ip6/mh.t.payload.inet +++ b/tests/py/ip6/mh.t.payload.inet @@ -95,26 +95,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh nexthdr { 33-55 } -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh nexthdr != { 33-55 } -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh hdrlength 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -164,26 +144,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh hdrlength { 33-55 } -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh hdrlength != { 33-55 } -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message} __set%d test-inet 3 __set%d test-inet 0 @@ -257,26 +217,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh reserved { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh reserved != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh checksum 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -325,24 +265,3 @@ inet test-inet input [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] - -# mh checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/mh.t.payload.ip6 b/tests/py/ip6/mh.t.payload.ip6 index 93744dac..73bd4226 100644 --- a/tests/py/ip6/mh.t.payload.ip6 +++ b/tests/py/ip6/mh.t.payload.ip6 @@ -71,22 +71,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh nexthdr { 33-55 } -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh nexthdr != { 33-55 } -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh hdrlength 22 ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] @@ -124,22 +108,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh hdrlength { 33-55 } -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh hdrlength != { 33-55 } -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message} __set%d test-ip6 3 __set%d test-ip6 0 @@ -195,22 +163,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh reserved { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh reserved != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh checksum 22 ip6 test-ip6 input [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] @@ -247,20 +199,3 @@ __set%d test-ip6 0 ip6 test-ip6 input [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] - -# mh checksum { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh checksum != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/redirect.t b/tests/py/ip6/redirect.t index 778d53f3..70ef7f9f 100644 --- a/tests/py/ip6/redirect.t +++ b/tests/py/ip6/redirect.t @@ -46,4 +46,4 @@ ip6 daddr fe00::1-fe00::200 udp dport 53 counter redirect;ok iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok # redirect with maps -ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok +redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok diff --git a/tests/py/ip6/redirect.t.json b/tests/py/ip6/redirect.t.json index 0059c7ac..c18223fa 100644 --- a/tests/py/ip6/redirect.t.json +++ b/tests/py/ip6/redirect.t.json @@ -557,21 +557,9 @@ } ] -# ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} [ { - "match": { - "left": { - "payload": { - "field": "nexthdr", - "protocol": "ip6" - } - }, - "op": "==", - "right": 6 - } - }, - { "redirect": { "port": { "map": { diff --git a/tests/py/ip6/redirect.t.payload.ip6 b/tests/py/ip6/redirect.t.payload.ip6 index 8f85a570..cfc29013 100644 --- a/tests/py/ip6/redirect.t.payload.ip6 +++ b/tests/py/ip6/redirect.t.payload.ip6 @@ -104,7 +104,7 @@ ip6 test-ip6 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000d204 ] [ immediate reg 1 0x0000d204 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] # ip6 daddr fe00::cafe udp dport 9998 redirect to :6515 ip6 test-ip6 output @@ -115,7 +115,7 @@ ip6 test-ip6 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00000e27 ] [ immediate reg 1 0x00007319 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] # ip6 nexthdr tcp redirect to :100-200 ip6 test-ip6 output @@ -123,7 +123,7 @@ ip6 test-ip6 output [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00006400 ] [ immediate reg 2 0x0000c800 ] - [ redir proto_min reg 1 proto_max reg 2 ] + [ redir proto_min reg 1 proto_max reg 2 flags 0x2 ] # tcp dport 39128 redirect to :993 ip6 test-ip6 output @@ -132,7 +132,7 @@ ip6 test-ip6 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000d898 ] [ immediate reg 1 0x0000e103 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] # tcp dport 9128 redirect to :993 random ip6 test-ip6 output @@ -141,7 +141,7 @@ ip6 test-ip6 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000a823 ] [ immediate reg 1 0x0000e103 ] - [ redir proto_min reg 1 flags 0x4 ] + [ redir proto_min reg 1 flags 0x6 ] # tcp dport 9128 redirect to :993 fully-random,persistent ip6 test-ip6 output @@ -150,7 +150,7 @@ ip6 test-ip6 output [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000a823 ] [ immediate reg 1 0x0000e103 ] - [ redir proto_min reg 1 flags 0x18 ] + [ redir proto_min reg 1 flags 0x1a ] # tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect __set%d test-ip6 3 @@ -178,12 +178,12 @@ ip6 test-ip6 output # iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect __map%d test-ip6 b __map%d test-ip6 0 - element 00001600 : 0 [end] element 0000de00 : 0 [end] + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] ip6 test-ip6 output [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] [ ct load state => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000a ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -191,14 +191,14 @@ ip6 test-ip6 output [ lookup reg 1 set __map%d dreg 0 ] [ redir ] -# ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} __map%d test-ip6 b __map%d test-ip6 0 element 00001600 : 0000401f 0 [end] element 00005000 : 0000901f 0 [end] ip6 test-ip6 output - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] - [ redir proto_min reg 1 ] + [ redir proto_min reg 1 flags 0x2 ] diff --git a/tests/py/ip6/reject.t b/tests/py/ip6/reject.t index 7fa04eec..bfdd094e 100644 --- a/tests/py/ip6/reject.t +++ b/tests/py/ip6/reject.t @@ -3,13 +3,14 @@ *ip6;test-ip6;output reject;ok -reject with icmpv6 type no-route;ok -reject with icmpv6 type admin-prohibited;ok -reject with icmpv6 type addr-unreachable;ok -reject with icmpv6 type port-unreachable;ok;reject -reject with icmpv6 type policy-fail;ok -reject with icmpv6 type reject-route;ok +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok;reject +reject with icmpv6 policy-fail;ok +reject with icmpv6 reject-route;ok +reject with icmpv6 3;ok;reject with icmpv6 addr-unreachable mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset -reject with icmpv6 type host-unreachable;fail -reject with icmp type host-unreachable;fail +reject with icmpv6 host-unreachable;fail +reject with icmp host-unreachable;fail diff --git a/tests/py/ip6/reject.t.json b/tests/py/ip6/reject.t.json index ae57c333..312a7dab 100644 --- a/tests/py/ip6/reject.t.json +++ b/tests/py/ip6/reject.t.json @@ -5,7 +5,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -15,7 +15,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { @@ -25,7 +25,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -35,7 +35,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -45,7 +45,7 @@ } ] -# reject with icmpv6 type policy-fail +# reject with icmpv6 policy-fail [ { "reject": { @@ -55,7 +55,7 @@ } ] -# reject with icmpv6 type reject-route +# reject with icmpv6 reject-route [ { "reject": { @@ -65,6 +65,16 @@ } ] +# reject with icmpv6 3 +[ + { + "reject": { + "expr": "addr-unreachable", + "type": "icmpv6" + } + } +] + # mark 0x80000000 reject with tcp reset [ { diff --git a/tests/py/ip6/reject.t.json.output b/tests/py/ip6/reject.t.json.output index 4e2058fe..04f12f56 100644 --- a/tests/py/ip6/reject.t.json.output +++ b/tests/py/ip6/reject.t.json.output @@ -1,7 +1,10 @@ -# reject with icmpv6 type port-unreachable +# reject [ { - "reject": null + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } } ] diff --git a/tests/py/ip6/reject.t.payload.ip6 b/tests/py/ip6/reject.t.payload.ip6 index dd4491ae..3d4321b0 100644 --- a/tests/py/ip6/reject.t.payload.ip6 +++ b/tests/py/ip6/reject.t.payload.ip6 @@ -2,30 +2,34 @@ ip6 test-ip6 output [ reject type 0 code 4 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route ip6 test-ip6 output [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited ip6 test-ip6 output [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable ip6 test-ip6 output [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable ip6 test-ip6 output [ reject type 0 code 4 ] -# reject with icmpv6 type policy-fail +# reject with icmpv6 policy-fail ip6 test-ip6 output [ reject type 0 code 5 ] -# reject with icmpv6 type reject-route +# reject with icmpv6 reject-route ip6 test-ip6 output [ reject type 0 code 6 ] +# reject with icmpv6 3 +ip6 test-ip6 output + [ reject type 0 code 3 ] + # mark 0x80000000 reject with tcp reset ip6 test-ip6 output [ meta load l4proto => reg 1 ] diff --git a/tests/py/ip6/rt.t b/tests/py/ip6/rt.t index c3feaabe..c33d38a5 100644 --- a/tests/py/ip6/rt.t +++ b/tests/py/ip6/rt.t @@ -15,8 +15,6 @@ rt nexthdr 33-45;ok rt nexthdr != 33-45;ok rt nexthdr { 33, 55, 67, 88};ok rt nexthdr != { 33, 55, 67, 88};ok -rt nexthdr { 33-55};ok -rt nexthdr != { 33-55};ok rt hdrlength 22;ok rt hdrlength != 233;ok @@ -24,8 +22,6 @@ rt hdrlength 33-45;ok rt hdrlength != 33-45;ok rt hdrlength { 33, 55, 67, 88};ok rt hdrlength != { 33, 55, 67, 88};ok -rt hdrlength { 33-55};ok -rt hdrlength != { 33-55};ok rt type 22;ok rt type != 233;ok @@ -33,8 +29,6 @@ rt type 33-45;ok rt type != 33-45;ok rt type { 33, 55, 67, 88};ok rt type != { 33, 55, 67, 88};ok -rt type { 33-55};ok -rt type != { 33-55};ok rt seg-left 22;ok rt seg-left != 233;ok @@ -42,5 +36,3 @@ rt seg-left 33-45;ok rt seg-left != 33-45;ok rt seg-left { 33, 55, 67, 88};ok rt seg-left != { 33, 55, 67, 88};ok -rt seg-left { 33-55};ok -rt seg-left != { 33-55};ok diff --git a/tests/py/ip6/rt.t.json b/tests/py/ip6/rt.t.json index 86a46402..b12873d6 100644 --- a/tests/py/ip6/rt.t.json +++ b/tests/py/ip6/rt.t.json @@ -232,46 +232,6 @@ } ] -# rt nexthdr { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "rt" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# rt nexthdr != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "rt" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # rt hdrlength 22 [ { @@ -386,46 +346,6 @@ } ] -# rt hdrlength { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "rt" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# rt hdrlength != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "rt" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # rt type 22 [ { @@ -540,46 +460,6 @@ } ] -# rt type { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "type", - "name": "rt" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# rt type != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "type", - "name": "rt" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # rt seg-left 22 [ { @@ -694,43 +574,3 @@ } ] -# rt seg-left { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "seg-left", - "name": "rt" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# rt seg-left != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "seg-left", - "name": "rt" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/ip6/rt.t.payload.inet b/tests/py/ip6/rt.t.payload.inet index eafb4a00..864d3114 100644 --- a/tests/py/ip6/rt.t.payload.inet +++ b/tests/py/ip6/rt.t.payload.inet @@ -95,26 +95,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt nexthdr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt nexthdr != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt hdrlength 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -164,26 +144,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt hdrlength { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt hdrlength != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt type 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -233,26 +193,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt type { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt type != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt seg-left 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -302,23 +242,3 @@ inet test-inet input [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt seg-left { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt seg-left != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/rt.t.payload.ip6 b/tests/py/ip6/rt.t.payload.ip6 index 929cf9e1..c7b52f82 100644 --- a/tests/py/ip6/rt.t.payload.ip6 +++ b/tests/py/ip6/rt.t.payload.ip6 @@ -71,22 +71,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt nexthdr { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt nexthdr != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt hdrlength 22 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] @@ -124,22 +108,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt hdrlength { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt hdrlength != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt type 22 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] @@ -177,22 +145,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt type { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt type != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt seg-left 22 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] @@ -230,19 +182,3 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt seg-left { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt seg-left != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t index add82eb8..17fd62f5 100644 --- a/tests/py/ip6/sets.t +++ b/tests/py/ip6/sets.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress !w type ipv6_addr;ok !x type inet_proto;ok @@ -40,4 +41,8 @@ ip6 saddr != @set33 drop;fail !set5 type ipv6_addr . ipv6_addr;ok ip6 saddr . ip6 daddr @set5 drop;ok add @set5 { ip6 saddr . ip6 daddr };ok + +!map1 type ipv6_addr . ipv6_addr : mark;ok +add @map1 { ip6 saddr . ip6 daddr : meta mark };ok + delete @set5 { ip6 saddr . ip6 daddr };ok diff --git a/tests/py/ip6/sets.t.json b/tests/py/ip6/sets.t.json index 948c1f16..2029d2b5 100644 --- a/tests/py/ip6/sets.t.json +++ b/tests/py/ip6/sets.t.json @@ -116,3 +116,35 @@ } } ] + +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +[ + { + "map": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + diff --git a/tests/py/ip6/sets.t.payload.inet b/tests/py/ip6/sets.t.payload.inet index 47ad86a2..2bbd5573 100644 --- a/tests/py/ip6/sets.t.payload.inet +++ b/tests/py/ip6/sets.t.payload.inet @@ -31,6 +31,15 @@ inet test-inet input [ payload load 16b @ network header + 24 => reg 2 ] [ dynset add reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + # delete @set5 { ip6 saddr . ip6 daddr } inet test-inet input [ meta load nfproto => reg 1 ] diff --git a/tests/py/ip6/sets.t.payload.ip6 b/tests/py/ip6/sets.t.payload.ip6 index a5febb9f..c59f7b5c 100644 --- a/tests/py/ip6/sets.t.payload.ip6 +++ b/tests/py/ip6/sets.t.payload.ip6 @@ -29,3 +29,10 @@ ip6 test-ip6 input [ payload load 16b @ network header + 24 => reg 2 ] [ dynset delete reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +ip6 test-ip6 input + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + diff --git a/tests/py/ip6/sets.t.payload.netdev b/tests/py/ip6/sets.t.payload.netdev index dab74159..1866d26b 100644 --- a/tests/py/ip6/sets.t.payload.netdev +++ b/tests/py/ip6/sets.t.payload.netdev @@ -39,3 +39,12 @@ netdev test-netdev ingress [ payload load 16b @ network header + 24 => reg 2 ] [ dynset delete reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + diff --git a/tests/py/ip6/snat.t b/tests/py/ip6/snat.t index c259f934..564f0894 100644 --- a/tests/py/ip6/snat.t +++ b/tests/py/ip6/snat.t @@ -2,5 +2,5 @@ *ip6;test-ip6;postrouting -tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok;tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100 +tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok diff --git a/tests/py/ip6/snat.t.payload.ip6 b/tests/py/ip6/snat.t.payload.ip6 index 537e6682..66a29672 100644 --- a/tests/py/ip6/snat.t.payload.ip6 +++ b/tests/py/ip6/snat.t.payload.ip6 @@ -9,7 +9,7 @@ ip6 test-ip6 postrouting [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00005000 ] [ immediate reg 4 0x00006400 ] - [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 ] + [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ] # tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100 ip6 test-ip6 postrouting @@ -21,5 +21,5 @@ ip6 test-ip6 postrouting [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00006400 ] - [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 0 ] + [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ] diff --git a/tests/py/ip6/srh.t.payload b/tests/py/ip6/srh.t.payload index b6247456..364940a9 100644 --- a/tests/py/ip6/srh.t.payload +++ b/tests/py/ip6/srh.t.payload @@ -11,7 +11,7 @@ ip6 test-ip6 input # srh last-entry { 0, 4-127, 255 } __set%d test-ip6 7 size 5 __set%d test-ip6 0 - element 00000000 : 0 [end] element 00000001 : 1 [end] element 00000004 : 0 [end] element 00000080 : 1 [end] element 000000ff : 0 [end] userdata = { + element 00000000 : 0 [end] element 00000001 : 1 [end] element 00000004 : 0 [end] element 00000080 : 1 [end] element 000000ff : 0 [end] userdata = { \x01\x04\x01\x00\x00\x00 } ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 4 => reg 1 ] [ lookup reg 1 set __set%d ] @@ -29,7 +29,7 @@ ip6 test-ip6 input # srh flags { 0, 4-127, 255 } __set%d test-ip6 7 size 5 __set%d test-ip6 0 - element 00000000 : 0 [end] element 00000001 : 1 [end] element 00000004 : 0 [end] element 00000080 : 1 [end] element 000000ff : 0 [end] userdata = { + element 00000000 : 0 [end] element 00000001 : 1 [end] element 00000004 : 0 [end] element 00000080 : 1 [end] element 000000ff : 0 [end] userdata = { \x01\x04\x01\x00\x00\x00 } ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 5 => reg 1 ] [ lookup reg 1 set __set%d ] @@ -47,7 +47,7 @@ ip6 test-ip6 input # srh tag { 0, 4-127, 0xffff } __set%d test-ip6 7 size 5 __set%d test-ip6 0 - element 00000000 : 0 [end] element 00000100 : 1 [end] element 00000400 : 0 [end] element 00008000 : 1 [end] element 0000ffff : 0 [end] userdata = { + element 00000000 : 0 [end] element 00000100 : 1 [end] element 00000400 : 0 [end] element 00008000 : 1 [end] element 0000ffff : 0 [end] userdata = { \x01\x04\x01\x00\x00\x00 } ip6 test-ip6 input [ exthdr load ipv6 2b @ 43 + 6 => reg 1 ] [ lookup reg 1 set __set%d ] diff --git a/tests/py/ip6/tcpopt.t b/tests/py/ip6/tcpopt.t deleted file mode 100644 index 497f69fc..00000000 --- a/tests/py/ip6/tcpopt.t +++ /dev/null @@ -1,37 +0,0 @@ -:input;type filter hook input priority 0 -*ip6;test-ip6;input - -tcp option eol kind 1;ok -tcp option noop kind 1;ok -tcp option maxseg kind 1;ok -tcp option maxseg length 1;ok -tcp option maxseg size 1;ok -tcp option window kind 1;ok -tcp option window length 1;ok -tcp option window count 1;ok -tcp option sack-permitted kind 1;ok -tcp option sack-permitted length 1;ok -tcp option sack kind 1;ok -tcp option sack length 1;ok -tcp option sack left 1;ok -tcp option sack0 left 1;ok;tcp option sack left 1 -tcp option sack1 left 1;ok -tcp option sack2 left 1;ok -tcp option sack3 left 1;ok -tcp option sack right 1;ok -tcp option sack0 right 1;ok;tcp option sack right 1 -tcp option sack1 right 1;ok -tcp option sack2 right 1;ok -tcp option sack3 right 1;ok -tcp option timestamp kind 1;ok -tcp option timestamp length 1;ok -tcp option timestamp tsval 1;ok -tcp option timestamp tsecr 1;ok - -tcp option foobar;fail -tcp option foo bar;fail -tcp option eol left;fail -tcp option eol left 1;fail -tcp option eol left 1;fail -tcp option sack window;fail -tcp option sack window 1;fail diff --git a/tests/py/ip6/tcpopt.t.json b/tests/py/ip6/tcpopt.t.json deleted file mode 100644 index d573dd1c..00000000 --- a/tests/py/ip6/tcpopt.t.json +++ /dev/null @@ -1,416 +0,0 @@ -# tcp option eol kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "eol" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option noop kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "noop" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option maxseg kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "maxseg" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option maxseg length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "maxseg" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option maxseg size 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "size", - "name": "maxseg" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option window kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "window" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option window length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "window" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option window count 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "count", - "name": "window" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack-permitted kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "sack-permitted" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack-permitted length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "sack-permitted" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack0 left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack1 left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack1" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack2 left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack2" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack3 left 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "left", - "name": "sack3" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack0 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack0" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack1 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack1" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack2 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack2" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option sack3 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack3" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option timestamp kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "timestamp" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option timestamp length 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "length", - "name": "timestamp" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option timestamp tsval 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "tsval", - "name": "timestamp" - } - }, - "op": "==", - "right": 1 - } - } -] - -# tcp option timestamp tsecr 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "tsecr", - "name": "timestamp" - } - }, - "op": "==", - "right": 1 - } - } -] - diff --git a/tests/py/ip6/tcpopt.t.json.output b/tests/py/ip6/tcpopt.t.json.output deleted file mode 100644 index 81dd8ad8..00000000 --- a/tests/py/ip6/tcpopt.t.json.output +++ /dev/null @@ -1,16 +0,0 @@ -# tcp option sack0 right 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "right", - "name": "sack" - } - }, - "op": "==", - "right": 1 - } - } -] - diff --git a/tests/py/ip6/tcpopt.t.payload b/tests/py/ip6/tcpopt.t.payload deleted file mode 100644 index 4b189197..00000000 --- a/tests/py/ip6/tcpopt.t.payload +++ /dev/null @@ -1,181 +0,0 @@ -# tcp option eol kind 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 0 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option noop kind 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 1 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg kind 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 2 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg length 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 2 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option maxseg size 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 2b @ 2 + 2 => reg 1 ] - [ cmp eq reg 1 0x00000100 ] - -# tcp option window kind 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option window length 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option window count 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 3 + 2 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack-permitted kind 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 4 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack-permitted length 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 4 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack kind 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 5 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack length 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 5 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option sack left 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack0 left 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack1 left 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 10 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack2 left 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 18 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack3 left 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 26 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack right 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack0 right 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack1 right 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 14 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack2 right 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 22 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option sack3 right 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 5 + 30 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option timestamp kind 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 8 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option timestamp length 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 1b @ 8 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# tcp option timestamp tsval 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 8 + 2 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# tcp option timestamp tsecr 1 -ip6 test-ip input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ exthdr load tcpopt 4b @ 8 + 6 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] diff --git a/tests/py/ip6/vmap.t b/tests/py/ip6/vmap.t index 434f5d92..2d54b822 100644 --- a/tests/py/ip6/vmap.t +++ b/tests/py/ip6/vmap.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress ip6 saddr vmap { abcd::3 : accept };ok ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234:1234;fail diff --git a/tests/py/ip6/vmap.t.payload.inet b/tests/py/ip6/vmap.t.payload.inet index 53f19eb9..931cc6bd 100644 --- a/tests/py/ip6/vmap.t.payload.inet +++ b/tests/py/ip6/vmap.t.payload.inet @@ -1,7 +1,7 @@ # ip6 saddr vmap { abcd::3 : accept } __map%d test-inet b __map%d test-inet 0 - element 0000cdab 00000000 00000000 03000000 : 0 [end] + element 0000cdab 00000000 00000000 03000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -11,7 +11,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 34123412 : 0 [end] + element 34123412 34123412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -21,7 +21,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34120000 34123412 34123412 34123412 : 0 [end] + element 34120000 34123412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -31,7 +31,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 34123412 34123412 34123412 : 0 [end] + element 00003412 34123412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -41,7 +41,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34120000 34123412 34123412 : 0 [end] + element 34123412 34120000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -51,7 +51,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 34123412 34123412 : 0 [end] + element 34123412 00003412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -61,7 +61,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34120000 34123412 : 0 [end] + element 34123412 34123412 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -71,7 +71,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00003412 34123412 : 0 [end] + element 34123412 34123412 00003412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -81,7 +81,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 34120000 : 0 [end] + element 34123412 34123412 34123412 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -91,7 +91,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 00003412 : 0 [end] + element 34123412 34123412 34123412 00003412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -101,7 +101,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 34123412 34123412 34123412 : 0 [end] + element 00000000 34123412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -111,7 +111,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 34120000 34123412 34123412 : 0 [end] + element 00003412 34120000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -121,7 +121,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 34123412 34123412 : 0 [end] + element 34123412 00000000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -131,7 +131,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 34120000 34123412 : 0 [end] + element 34123412 00003412 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -141,7 +141,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00000000 34123412 : 0 [end] + element 34123412 34123412 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -151,7 +151,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00003412 34120000 : 0 [end] + element 34123412 34123412 00003412 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -161,7 +161,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 00000000 : 0 [end] + element 34123412 34123412 34123412 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -171,7 +171,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 34120000 34123412 34123412 : 0 [end] + element 00000000 34120000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -181,7 +181,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 34123412 34123412 : 0 [end] + element 00003412 00000000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -191,7 +191,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 34120000 34123412 : 0 [end] + element 34123412 00000000 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -201,7 +201,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 00000000 34123412 : 0 [end] + element 34123412 00003412 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -211,7 +211,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00000000 34120000 : 0 [end] + element 34123412 34123412 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -221,7 +221,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00003412 00000000 : 0 [end] + element 34123412 34123412 00003412 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -231,7 +231,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 00000000 34123412 34123412 : 0 [end] + element 00000000 00000000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -241,7 +241,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 34120000 34123412 : 0 [end] + element 00003412 00000000 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -251,7 +251,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 00000000 34123412 : 0 [end] + element 34123412 00000000 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -261,7 +261,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 00000000 34120000 : 0 [end] + element 34123412 00003412 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -271,7 +271,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00000000 00000000 : 0 [end] + element 34123412 34123412 00000000 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -281,7 +281,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 00000000 34120000 34123412 : 0 [end] + element 00000000 00000000 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -291,7 +291,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 00000000 34123412 : 0 [end] + element 00003412 00000000 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -301,7 +301,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 00000000 34120000 : 0 [end] + element 34123412 00000000 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -311,7 +311,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 00000000 00000000 : 0 [end] + element 34123412 00003412 00000000 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -321,7 +321,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 00000000 00000000 34123412 : 0 [end] + element 00000000 00000000 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -331,7 +331,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 00000000 34120000 : 0 [end] + element 00003412 00000000 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -341,7 +341,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 00000000 00000000 : 0 [end] + element 34123412 00000000 00000000 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -351,7 +351,7 @@ inet test-inet input # ip6 saddr vmap { ::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 00000000 00000000 34120000 : 0 [end] + element 00000000 00000000 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -361,7 +361,7 @@ inet test-inet input # ip6 saddr vmap { 1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 00000000 00000000 : 0 [end] + element 00003412 00000000 00000000 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -371,7 +371,7 @@ inet test-inet input # ip6 saddr vmap { ::/64 : accept} __map%d test-inet f __map%d test-inet 0 - element 00000000 00000000 00000000 00000000 : 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] + element 00000000 00000000 00000000 00000000 : accept 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -381,7 +381,7 @@ inet test-inet input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 aaaa0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 aaaa0000 : drop 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -391,7 +391,7 @@ inet test-inet input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 bbbb0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 bbbb0000 : drop 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -401,7 +401,7 @@ inet test-inet input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 cccc0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 cccc0000 : drop 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -411,7 +411,7 @@ inet test-inet input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 dddd0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 dddd0000 : drop 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] diff --git a/tests/py/ip6/vmap.t.payload.ip6 b/tests/py/ip6/vmap.t.payload.ip6 index 620979f0..6e077b27 100644 --- a/tests/py/ip6/vmap.t.payload.ip6 +++ b/tests/py/ip6/vmap.t.payload.ip6 @@ -1,7 +1,7 @@ # ip6 saddr vmap { abcd::3 : accept } __map%d test-ip6 b __map%d test-ip6 0 - element 0000cdab 00000000 00000000 03000000 : 0 [end] + element 0000cdab 00000000 00000000 03000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -9,7 +9,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 34123412 : 0 [end] + element 34123412 34123412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -17,7 +17,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34120000 34123412 34123412 34123412 : 0 [end] + element 34120000 34123412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -25,7 +25,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 34123412 34123412 34123412 : 0 [end] + element 00003412 34123412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -33,7 +33,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34120000 34123412 34123412 : 0 [end] + element 34123412 34120000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -41,7 +41,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 34123412 34123412 : 0 [end] + element 34123412 00003412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -49,7 +49,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34120000 34123412 : 0 [end] + element 34123412 34123412 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -57,7 +57,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00003412 34123412 : 0 [end] + element 34123412 34123412 00003412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -65,7 +65,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 34120000 : 0 [end] + element 34123412 34123412 34123412 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -73,7 +73,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 00003412 : 0 [end] + element 34123412 34123412 34123412 00003412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -81,7 +81,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 34123412 34123412 34123412 : 0 [end] + element 00000000 34123412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -89,7 +89,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 34120000 34123412 34123412 : 0 [end] + element 00003412 34120000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -97,7 +97,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 34123412 34123412 : 0 [end] + element 34123412 00000000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -105,7 +105,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 34120000 34123412 : 0 [end] + element 34123412 00003412 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -113,7 +113,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00000000 34123412 : 0 [end] + element 34123412 34123412 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -121,7 +121,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00003412 34120000 : 0 [end] + element 34123412 34123412 00003412 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -129,7 +129,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 00000000 : 0 [end] + element 34123412 34123412 34123412 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -137,7 +137,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 34120000 34123412 34123412 : 0 [end] + element 00000000 34120000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -145,7 +145,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 34123412 34123412 : 0 [end] + element 00003412 00000000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -153,7 +153,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 34120000 34123412 : 0 [end] + element 34123412 00000000 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -161,7 +161,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 00000000 34123412 : 0 [end] + element 34123412 00003412 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -169,7 +169,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00000000 34120000 : 0 [end] + element 34123412 34123412 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -177,7 +177,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00003412 00000000 : 0 [end] + element 34123412 34123412 00003412 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -185,7 +185,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 00000000 34123412 34123412 : 0 [end] + element 00000000 00000000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -193,7 +193,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 34120000 34123412 : 0 [end] + element 00003412 00000000 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -201,7 +201,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 00000000 34123412 : 0 [end] + element 34123412 00000000 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -209,7 +209,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 00000000 34120000 : 0 [end] + element 34123412 00003412 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -217,7 +217,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00000000 00000000 : 0 [end] + element 34123412 34123412 00000000 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -225,7 +225,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 00000000 34120000 34123412 : 0 [end] + element 00000000 00000000 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -233,7 +233,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 00000000 34123412 : 0 [end] + element 00003412 00000000 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -241,7 +241,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 00000000 34120000 : 0 [end] + element 34123412 00000000 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -249,7 +249,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 00000000 00000000 : 0 [end] + element 34123412 00003412 00000000 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -257,7 +257,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 00000000 00000000 34123412 : 0 [end] + element 00000000 00000000 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -265,7 +265,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 00000000 34120000 : 0 [end] + element 00003412 00000000 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -273,7 +273,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 00000000 00000000 : 0 [end] + element 34123412 00000000 00000000 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -281,7 +281,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 00000000 00000000 34120000 : 0 [end] + element 00000000 00000000 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -289,7 +289,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 00000000 00000000 : 0 [end] + element 00003412 00000000 00000000 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -297,7 +297,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::/64 : accept} __map%d test-ip6 f __map%d test-ip6 0 - element 00000000 00000000 00000000 00000000 : 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] + element 00000000 00000000 00000000 00000000 : accept 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -305,7 +305,7 @@ ip6 test-ip6 input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 aaaa0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 aaaa0000 : drop 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -313,7 +313,7 @@ ip6 test-ip6 input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 bbbb0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 bbbb0000 : drop 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -321,7 +321,7 @@ ip6 test-ip6 input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 cccc0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 cccc0000 : drop 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -329,7 +329,7 @@ ip6 test-ip6 input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 dddd0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 dddd0000 : drop 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] diff --git a/tests/py/ip6/vmap.t.payload.netdev b/tests/py/ip6/vmap.t.payload.netdev index 0ae5d5b0..45f2c0b0 100644 --- a/tests/py/ip6/vmap.t.payload.netdev +++ b/tests/py/ip6/vmap.t.payload.netdev @@ -1,7 +1,7 @@ # ip6 saddr vmap { abcd::3 : accept } __map%d test-netdev b __map%d test-netdev 0 - element 0000cdab 00000000 00000000 03000000 : 0 [end] + element 0000cdab 00000000 00000000 03000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -11,7 +11,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 34123412 : 0 [end] + element 34123412 34123412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -21,7 +21,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34120000 34123412 34123412 34123412 : 0 [end] + element 34120000 34123412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -31,7 +31,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 34123412 34123412 34123412 : 0 [end] + element 00003412 34123412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -41,7 +41,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34120000 34123412 34123412 : 0 [end] + element 34123412 34120000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -51,7 +51,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 34123412 34123412 : 0 [end] + element 34123412 00003412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -61,7 +61,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34120000 34123412 : 0 [end] + element 34123412 34123412 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -71,7 +71,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00003412 34123412 : 0 [end] + element 34123412 34123412 00003412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -81,7 +81,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 34120000 : 0 [end] + element 34123412 34123412 34123412 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -91,7 +91,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 00003412 : 0 [end] + element 34123412 34123412 34123412 00003412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -101,7 +101,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 34123412 34123412 34123412 : 0 [end] + element 00000000 34123412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -111,7 +111,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 34120000 34123412 34123412 : 0 [end] + element 00003412 34120000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -121,7 +121,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 34123412 34123412 : 0 [end] + element 34123412 00000000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -131,7 +131,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 34120000 34123412 : 0 [end] + element 34123412 00003412 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -141,7 +141,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00000000 34123412 : 0 [end] + element 34123412 34123412 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -151,7 +151,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00003412 34120000 : 0 [end] + element 34123412 34123412 00003412 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -161,7 +161,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 00000000 : 0 [end] + element 34123412 34123412 34123412 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -171,7 +171,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 34120000 34123412 34123412 : 0 [end] + element 00000000 34120000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -181,7 +181,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 34123412 34123412 : 0 [end] + element 00003412 00000000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -191,7 +191,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 34120000 34123412 : 0 [end] + element 34123412 00000000 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -201,7 +201,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 00000000 34123412 : 0 [end] + element 34123412 00003412 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -211,7 +211,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00000000 34120000 : 0 [end] + element 34123412 34123412 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -221,7 +221,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00003412 00000000 : 0 [end] + element 34123412 34123412 00003412 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -231,7 +231,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 00000000 34123412 34123412 : 0 [end] + element 00000000 00000000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -241,7 +241,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 34120000 34123412 : 0 [end] + element 00003412 00000000 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -251,7 +251,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 00000000 34123412 : 0 [end] + element 34123412 00000000 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -261,7 +261,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 00000000 34120000 : 0 [end] + element 34123412 00003412 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -271,7 +271,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00000000 00000000 : 0 [end] + element 34123412 34123412 00000000 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -281,7 +281,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 00000000 34120000 34123412 : 0 [end] + element 00000000 00000000 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -291,7 +291,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 00000000 34123412 : 0 [end] + element 00003412 00000000 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -301,7 +301,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 00000000 34120000 : 0 [end] + element 34123412 00000000 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -311,7 +311,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 00000000 00000000 : 0 [end] + element 34123412 00003412 00000000 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -321,7 +321,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 00000000 00000000 34123412 : 0 [end] + element 00000000 00000000 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -331,7 +331,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 00000000 34120000 : 0 [end] + element 00003412 00000000 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -341,7 +341,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 00000000 00000000 : 0 [end] + element 34123412 00000000 00000000 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -351,7 +351,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 00000000 00000000 34120000 : 0 [end] + element 00000000 00000000 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -361,7 +361,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 00000000 00000000 : 0 [end] + element 00003412 00000000 00000000 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -371,7 +371,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::/64 : accept} __map%d test-netdev f __map%d test-netdev 0 - element 00000000 00000000 00000000 00000000 : 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] + element 00000000 00000000 00000000 00000000 : accept 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -381,7 +381,7 @@ netdev test-netdev ingress # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 aaaa0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 aaaa0000 : drop 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -391,7 +391,7 @@ netdev test-netdev ingress # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 bbbb0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 bbbb0000 : drop 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -401,7 +401,7 @@ netdev test-netdev ingress # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 cccc0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 cccc0000 : drop 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -411,7 +411,7 @@ netdev test-netdev ingress # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 dddd0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 dddd0000 : drop 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] diff --git a/tests/py/any/dup.t b/tests/py/netdev/dup.t index 181b4195..56328022 100644 --- a/tests/py/any/dup.t +++ b/tests/py/netdev/dup.t @@ -1,6 +1,7 @@ :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress dup to "lo";ok dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok diff --git a/tests/py/any/dup.t.json b/tests/py/netdev/dup.t.json index dc56f649..dc56f649 100644 --- a/tests/py/any/dup.t.json +++ b/tests/py/netdev/dup.t.json diff --git a/tests/py/any/dup.t.payload b/tests/py/netdev/dup.t.payload index 51ff782c..51ff782c 100644 --- a/tests/py/any/dup.t.payload +++ b/tests/py/netdev/dup.t.payload diff --git a/tests/py/any/fwd.t b/tests/py/netdev/fwd.t index 2e34d55a..6051560a 100644 --- a/tests/py/any/fwd.t +++ b/tests/py/netdev/fwd.t @@ -1,6 +1,7 @@ :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress fwd to "lo";ok fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok diff --git a/tests/py/any/fwd.t.json b/tests/py/netdev/fwd.t.json index 583606c0..583606c0 100644 --- a/tests/py/any/fwd.t.json +++ b/tests/py/netdev/fwd.t.json diff --git a/tests/py/any/fwd.t.json.output b/tests/py/netdev/fwd.t.json.output index 8433e492..8433e492 100644 --- a/tests/py/any/fwd.t.json.output +++ b/tests/py/netdev/fwd.t.json.output diff --git a/tests/py/any/fwd.t.payload b/tests/py/netdev/fwd.t.payload index f03077a6..f03077a6 100644 --- a/tests/py/any/fwd.t.payload +++ b/tests/py/netdev/fwd.t.payload diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t new file mode 100644 index 00000000..c66e649c --- /dev/null +++ b/tests/py/netdev/reject.t @@ -0,0 +1,40 @@ +:ingress;type filter hook ingress device lo priority 0 + +*netdev;test-netdev;ingress + +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok +reject with icmpv6 policy-fail;ok +reject with icmpv6 reject-route;ok + +mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset + +reject;ok +meta protocol ip reject;ok;reject with icmp port-unreachable +meta protocol ip6 reject;ok;reject with icmpv6 port-unreachable + +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject + +meta protocol ip reject with icmp host-unreachable;ok;reject with icmp host-unreachable +meta protocol ip6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route + +meta protocol ip6 reject with icmp host-unreachable;fail +meta protocol ip ip protocol icmp reject with icmpv6 no-route;fail +meta protocol ip6 ip protocol icmp reject with icmp host-unreachable;fail +meta l4proto udp reject with tcp reset;fail + +meta protocol ip reject with icmpx admin-prohibited;ok +meta protocol ip6 reject with icmpx admin-prohibited;ok diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json new file mode 100644 index 00000000..9968aaf8 --- /dev/null +++ b/tests/py/netdev/reject.t.json @@ -0,0 +1,293 @@ +# reject with icmp host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp net-unreachable +[ + { + "reject": { + "expr": "net-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp prot-unreachable +[ + { + "reject": { + "expr": "prot-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp net-prohibited +[ + { + "reject": { + "expr": "net-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp host-prohibited +[ + { + "reject": { + "expr": "host-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmp" + } + } +] + +# reject with icmpv6 no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 addr-unreachable +[ + { + "reject": { + "expr": "addr-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 policy-fail +[ + { + "reject": { + "expr": "policy-fail", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 reject-route +[ + { + "reject": { + "expr": "reject-route", + "type": "icmpv6" + } + } +] + +# mark 12345 reject with tcp reset +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "meta": { + "key": "mark" + } + }, + "op": "==", + "right": 12345 + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + +# reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } + } +] + +# meta protocol ip reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# meta protocol ip6 reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpx host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmpx" + } + } +] + +# reject with icmpx no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpx" + } + } +] + +# reject with icmpx admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# reject with icmpx port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } + } +] + +# meta protocol ip reject with icmp host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# meta protocol ip6 reject with icmpv6 no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + +# meta protocol ip reject with icmpx admin-prohibited +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# meta protocol ip6 reject with icmpx admin-prohibited +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload new file mode 100644 index 00000000..d014adab --- /dev/null +++ b/tests/py/netdev/reject.t.payload @@ -0,0 +1,142 @@ +# reject with icmp host-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 1 ] + +# reject with icmp net-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 0 ] + +# reject with icmp prot-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 2 ] + +# reject with icmp port-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 3 ] + +# reject with icmp net-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 9 ] + +# reject with icmp host-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 10 ] + +# reject with icmp admin-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 13 ] + +# reject with icmpv6 no-route +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 0 ] + +# reject with icmpv6 admin-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 1 ] + +# reject with icmpv6 addr-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 3 ] + +# reject with icmpv6 port-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 4 ] + +# reject with icmpv6 policy-fail +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 5 ] + +# reject with icmpv6 reject-route +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 6 ] + +# mark 12345 reject with tcp reset +netdev + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load mark => reg 1 ] + [ cmp eq reg 1 0x00003039 ] + [ reject type 1 code 0 ] + +# reject +netdev + [ reject type 2 code 1 ] + +# meta protocol ip reject +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 3 ] + +# meta protocol ip6 reject +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 4 ] + +# reject with icmpx host-unreachable +netdev + [ reject type 2 code 2 ] + +# reject with icmpx no-route +netdev + [ reject type 2 code 0 ] + +# reject with icmpx admin-prohibited +netdev + [ reject type 2 code 3 ] + +# reject with icmpx port-unreachable +netdev + [ reject type 2 code 1 ] + +# meta protocol ip reject with icmp host-unreachable +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 0 code 1 ] + +# meta protocol ip6 reject with icmpv6 no-route +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 0 code 0 ] + +# meta protocol ip reject with icmpx admin-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ reject type 2 code 3 ] + +# meta protocol ip6 reject with icmpx admin-prohibited +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ reject type 2 code 3 ] + diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index 6edca3c6..1bc89558 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -28,7 +28,7 @@ os.environ['TZ'] = 'UTC-2' from nftables import Nftables -TESTS_DIRECTORY = ["any", "arp", "bridge", "inet", "ip", "ip6"] +TESTS_DIRECTORY = ["any", "arp", "bridge", "inet", "ip", "ip6", "netdev"] LOGFILE = "/tmp/nftables-test.log" log_file = None table_list = [] @@ -39,7 +39,7 @@ signal_received = 0 class Colors: - if sys.stdout.isatty(): + if sys.stdout.isatty() and sys.stderr.isatty(): HEADER = '\033[95m' GREEN = '\033[92m' YELLOW = '\033[93m' @@ -86,11 +86,12 @@ class Table: class Set: """Class that represents a set""" - def __init__(self, family, table, name, type, timeout, flags): + def __init__(self, family, table, name, type, data, timeout, flags): self.family = family self.table = table self.name = name self.type = type + self.data = data self.timeout = timeout self.flags = flags @@ -366,7 +367,11 @@ def set_add(s, test_result, filename, lineno): if flags != "": flags = "flags %s; " % flags - cmd = "add set %s %s { type %s;%s %s}" % (table, s.name, s.type, s.timeout, flags) + if s.data == "": + cmd = "add set %s %s { %s;%s %s}" % (table, s.name, s.type, s.timeout, flags) + else: + cmd = "add map %s %s { %s : %s;%s %s}" % (table, s.name, s.type, s.data, s.timeout, flags) + ret = execute_cmd(cmd, filename, lineno) if (ret == 0 and test_result == "fail") or \ @@ -384,6 +389,44 @@ def set_add(s, test_result, filename, lineno): return 0 +def map_add(s, test_result, filename, lineno): + ''' + Adds a map + ''' + if not table_list: + reason = "Missing table to add rule" + print_error(reason, filename, lineno) + return -1 + + for table in table_list: + s.table = table.name + s.family = table.family + if _map_exist(s, filename, lineno): + reason = "Map %s already exists in %s" % (s.name, table) + print_error(reason, filename, lineno) + return -1 + + flags = s.flags + if flags != "": + flags = "flags %s; " % flags + + cmd = "add map %s %s { %s : %s;%s %s}" % (table, s.name, s.type, s.data, s.timeout, flags) + + ret = execute_cmd(cmd, filename, lineno) + + if (ret == 0 and test_result == "fail") or \ + (ret != 0 and test_result == "ok"): + reason = "%s: I cannot add the set %s" % (cmd, s.name) + print_error(reason, filename, lineno) + return -1 + + if not _map_exist(s, filename, lineno): + reason = "I have just added the set %s to " \ + "the table %s but it does not exist" % (s.name, table) + print_error(reason, filename, lineno) + return -1 + + def set_add_elements(set_element, set_name, state, filename, lineno): ''' Adds elements to the set. @@ -407,7 +450,11 @@ def set_add_elements(set_element, set_name, state, filename, lineno): ret = execute_cmd(cmd, filename, lineno) if (state == "fail" and ret == 0) or (state == "ok" and ret != 0): - test_state = "This rule should have failed." + if state == "fail": + test_state = "This rule should have failed." + else: + test_state = "This rule should not have failed." + reason = cmd + ": " + test_state print_error(reason, filename, lineno) return -1 @@ -486,6 +533,16 @@ def _set_exist(s, filename, lineno): return True if (ret == 0) else False +def _map_exist(s, filename, lineno): + ''' + Check if the map exists. + ''' + cmd = "list map %s %s %s" % (s.family, s.table, s.name) + ret = execute_cmd(cmd, filename, lineno) + + return True if (ret == 0) else False + + def set_check_element(rule1, rule2): ''' Check if element exists in anonymous sets. @@ -712,8 +769,10 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): if rule[1].strip() == "ok": payload_expected = None + payload_path = None try: payload_log = open("%s.payload" % filename_path) + payload_path = payload_log.name payload_expected = payload_find_expected(payload_log, rule[0]) except: payload_log = None @@ -750,12 +809,15 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): reason = "Invalid JSON syntax in expected output: %s" % json_expected print_error(reason) return [-1, warning, error, unit_tests] + if json_expected == json_input: + print_warning("Recorded JSON output matches input for: %s" % rule[0]) for table in table_list: if rule[1].strip() == "ok": table_payload_expected = None try: payload_log = open("%s.payload.%s" % (filename_path, table.family)) + payload_path = payload_log.name table_payload_expected = payload_find_expected(payload_log, rule[0]) except: if not payload_log: @@ -802,17 +864,26 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): if state == "ok" and not payload_check(table_payload_expected, payload_log, cmd): error += 1 - gotf = open("%s.payload.got" % filename_path, 'a') + + try: + gotf = open("%s.got" % payload_path) + gotf_payload_expected = payload_find_expected(gotf, rule[0]) + gotf.close() + except: + gotf_payload_expected = None payload_log.seek(0, 0) - gotf.write("# %s\n" % rule[0]) - while True: - line = payload_log.readline() - if line == "": - break - gotf.write(line) - gotf.close() - print_warning("Wrote payload for rule %s" % rule[0], - gotf.name, 1) + if not payload_check(gotf_payload_expected, payload_log, cmd): + gotf = open("%s.got" % payload_path, 'a') + payload_log.seek(0, 0) + gotf.write("# %s\n" % rule[0]) + while True: + line = payload_log.readline() + if line == "": + break + gotf.write(line) + gotf.close() + print_warning("Wrote payload for rule %s" % rule[0], + gotf.name, 1) # Check for matching ruleset listing numeric_proto_old = nftables.set_numeric_proto_output(True) @@ -1022,6 +1093,8 @@ def execute_cmd(cmd, filename, lineno, stdout_log=False, debug=False): if debug_option: print(cmd) + log_file.flush() + if debug: debug_old = nftables.get_debug() nftables.set_debug(debug) @@ -1073,14 +1146,28 @@ def set_process(set_line, filename, lineno): tokens = set_line[0].split(" ") set_name = tokens[0] - set_type = tokens[2] + parse_typeof = tokens[1] == "typeof" + set_type = tokens[1] + " " + tokens[2] + set_data = "" set_flags = "" i = 3 + if parse_typeof and tokens[i] == "id": + set_type += " " + tokens[i] + i += 1; + while len(tokens) > i and tokens[i] == ".": set_type += " . " + tokens[i+1] i += 2 + while len(tokens) > i and tokens[i] == ":": + set_data = tokens[i+1] + i += 2 + + if parse_typeof and tokens[i] == "mark": + set_data += " " + tokens[i] + i += 1; + if len(tokens) == i+2 and tokens[i] == "timeout": timeout = "timeout " + tokens[i+1] + ";" i += 2 @@ -1090,9 +1177,13 @@ def set_process(set_line, filename, lineno): elif len(tokens) != i: print_error(set_name + " bad flag: " + tokens[i], filename, lineno) - s = Set("", "", set_name, set_type, timeout, set_flags) + s = Set("", "", set_name, set_type, set_data, timeout, set_flags) + + if set_data == "": + ret = set_add(s, test_result, filename, lineno) + else: + ret = map_add(s, test_result, filename, lineno) - ret = set_add(s, test_result, filename, lineno) if ret == 0: all_set[set_name] = set() @@ -1340,6 +1431,33 @@ def run_test_file(filename, force_all_family_option, specific_file): return [tests, passed, total_warning, total_error, total_unit_run] +def spawn_netns(): + # prefer unshare module + try: + import unshare + unshare.unshare(unshare.CLONE_NEWNET) + return True + except: + pass + + # sledgehammer style: + # - call ourselves prefixed by 'unshare -n' if found + # - pass extra --no-netns parameter to avoid another recursion + try: + import shutil + + unshare = shutil.which("unshare") + if unshare is None: + return False + + sys.argv.append("--no-netns") + if debug_option: + print("calling: ", [unshare, "-n", sys.executable] + sys.argv) + os.execv(unshare, [unshare, "-n", sys.executable] + sys.argv) + except: + pass + + return False def main(): parser = argparse.ArgumentParser(description='Run nft tests') @@ -1357,10 +1475,20 @@ def main(): dest='force_all_family', help='keep testing all families on error') + parser.add_argument('-H', '--host', action='store_true', + help='run tests against installed libnftables.so.1') + parser.add_argument('-j', '--enable-json', action='store_true', dest='enable_json', help='test JSON functionality as well') + parser.add_argument('-l', '--library', default=None, + help='path to libntables.so.1, overrides --host') + + parser.add_argument('-N', '--no-netns', action='store_true', + dest='no_netns', + help='Do not run in own network namespace') + parser.add_argument('-s', '--schema', action='store_true', dest='enable_schema', help='verify json input/output against schema') @@ -1385,12 +1513,23 @@ def main(): print("You need to be root to run this, sorry") return + if not args.no_netns and not spawn_netns(): + print_warning("cannot run in own namespace, connectivity might break") + # Change working directory to repository root os.chdir(TESTS_PATH + "/../..") - if not os.path.exists('src/.libs/libnftables.so'): - print("The nftables library does not exist. " - "You need to build the project.") + check_lib_path = True + if args.library is None: + if args.host: + args.library = 'libnftables.so.1' + check_lib_path = False + else: + args.library = 'src/.libs/libnftables.so.1' + + if check_lib_path and not os.path.exists(args.library): + print("The nftables library at '%s' does not exist. " + "You need to build the project." % args.library) return if args.enable_schema and not args.enable_json: @@ -1398,7 +1537,7 @@ def main(): return global nftables - nftables = Nftables(sofile = 'src/.libs/libnftables.so') + nftables = Nftables(sofile = args.library) test_files = files_ok = run_total = 0 tests = passed = warnings = errors = 0 diff --git a/tests/py/tools/test-sanitizer.sh b/tests/py/tools/test-sanitizer.sh new file mode 100755 index 00000000..92354d2b --- /dev/null +++ b/tests/py/tools/test-sanitizer.sh @@ -0,0 +1,78 @@ +#!/bin/bash + +# Do some simple sanity checks on tests: +# - Report tests where reply matches command +# - Report tests with non-ok exit but reply +# - Check for duplicate test commands in *.t files +# - Check for duplicate or stale payload records in *.t.payload* files +# - Check for duplicate or stale json equivalents in *.t.json files + +cd $(dirname $0)/../ + +[[ $1 ]] && tests="$@" || tests="*/*.t" + +reportfile="" +report() { # (file, msg) + [[ "$reportfile" == "$1" ]] || { + reportfile="$1" + echo "" + echo "In $reportfile:" + } + shift + echo "$@" +} + +for t in $tests; do + [[ -f $t ]] || continue + + readarray -t cmdlines <<< $(grep -v -e '^ *[:*#-?]' -e '^ *$' $t) + + cmds="" + for cmdline in "${cmdlines[@]}"; do + readarray -t -d ';' cmdparts <<< "$cmdline" + cmd="${cmdparts[0]}" + rc="${cmdparts[1]}" + out="${cmdparts[2]}" + + [[ -n $cmd ]] || continue + + #echo "cmdline: $cmdline" + #echo "cmd: $cmd" + #echo "rc: $rc" + #echo "out: $out" + + [[ "$cmd" != "$out" ]] || \ + report $t "reply matches cmd: $cmd" + [[ "$rc" != "ok" && "$out" ]] && \ + report $t "output record with non-ok exit: $cmd" + + cmds+="${cmd}\n" + done + + readarray -t dups <<< $(echo -e "$cmds" | sort | uniq -d) + for dup in "${dups[@]}"; do + [[ -n $dup ]] || continue + report $t "duplicate command: $dup" + done + + for p in $t.payload* $t.json; do + [[ -f $p ]] || continue + [[ $p == *.got ]] && continue + [[ $p == *.json ]] && t="json" || t="payload" + + pcmds=$(grep '^#' $p) + readarray -t dups <<< $(echo "$pcmds" | sort | uniq -d) + readarray -t stales <<< $(echo "$pcmds" | while read hash pcmd; do + echo -e "$cmds" | grep -qxF "${pcmd}" || echo "# ${pcmd}" + done) + + for stale in "${stales[@]}"; do + [[ -n $stale ]] || continue + report $p "stale $t record: $stale" + done + for dup in "${dups[@]}"; do + [[ -n $dup ]] || continue + report $p "duplicate $t record: $dup" + done + done +done diff --git a/tests/shell/README b/tests/shell/README index e0279bbd..3af17a9e 100644 --- a/tests/shell/README +++ b/tests/shell/README @@ -1,16 +1,20 @@ -This test-suite is intended to perform tests of higher level than -the other regression test-suite. +This test suite is intended to perform tests on a higher level +than the other regression test suites. -It can run arbitrary executables which can perform any test apart of testing -the nft syntax or netlink code (which is what the regression tests does). +It can run arbitrary executables which can perform any test, not +limited to testing the nft syntax or netlink code (which is what +the regression tests do). To run the test suite (as root): $ cd tests/shell # ./run-tests.sh -Test files are executables files with the pattern <<name_N>>, where N is the -expected return code of the executable. Since they are located with `find', -test-files can be spread in any sub-directories. +Test files are executable files matching the pattern <<name_N>>, +where N should be 0 in all new tests. All tests should return 0 on +success. + +Since they are located with `find', test files can be put in any +subdirectory. You can turn on a verbose execution by calling: # ./run-tests.sh -v @@ -18,11 +22,14 @@ You can turn on a verbose execution by calling: And generate missing dump files with: # ./run-tests.sh -g <TESTFILE> -Before each call to the test-files, `nft flush ruleset' will be called. -Also, test-files will receive the environment variable $NFT which contains the -path to the nftables binary being tested. +Before each test file invocation, `nft flush ruleset' will be called. +Also, test file process environment will include the variable $NFT +which contains the nft command being tested. You can pass an arbitrary $NFT value as well: # NFT=/usr/local/sbin/nft ./run-tests.sh -By default the tests are run with the nft binary at '../../src/nft' +Note that, to support usage such as NFT='valgrind nft', tests must +invoke $NFT unquoted. + +By default, the tests are run with the nft binary at '../../src/nft' diff --git a/tests/shell/features/bitshift.nft b/tests/shell/features/bitshift.nft new file mode 100644 index 00000000..7f9ccb64 --- /dev/null +++ b/tests/shell/features/bitshift.nft @@ -0,0 +1,7 @@ +# 567d746b55bc ("netfilter: bitwise: add support for shifts.") +# v5.6-rc1~151^2~73^2 +table ip t { + chain c { + meta mark set meta mark << 2 + } +} diff --git a/tests/shell/features/catchall_element.nft b/tests/shell/features/catchall_element.nft new file mode 100644 index 00000000..1a02fd61 --- /dev/null +++ b/tests/shell/features/catchall_element.nft @@ -0,0 +1,8 @@ +# aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") +# v5.13-rc1~94^2~10^2~2 +table t { + map m { + type inet_service : inet_service + elements = { * : 42 } + } +} diff --git a/tests/shell/features/chain_binding.nft b/tests/shell/features/chain_binding.nft new file mode 100644 index 00000000..b381ec54 --- /dev/null +++ b/tests/shell/features/chain_binding.nft @@ -0,0 +1,7 @@ +# d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +# v5.9-rc1~133^2~302^2~1 +table ip t { + chain c { + jump { counter; } + } +} diff --git a/tests/shell/features/comment.sh b/tests/shell/features/comment.sh new file mode 100755 index 00000000..0ad24d04 --- /dev/null +++ b/tests/shell/features/comment.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# 002f21765320 ("netfilter: nf_tables: add userdata attributes to nft_chain") +# v5.10-rc1~107^2~60^2~5 + +EXPECTED="table ip x { + chain y { + comment \"test\" + } +}" + +$NFT -f - <<< $EXPECTED + +diff -u <($NFT list ruleset) - <<<"$EXPECTED" diff --git a/tests/shell/features/ctexpect.nft b/tests/shell/features/ctexpect.nft new file mode 100644 index 00000000..02c3dfd7 --- /dev/null +++ b/tests/shell/features/ctexpect.nft @@ -0,0 +1,10 @@ +# 857b46027d6f ("netfilter: nft_ct: add ct expectations support") +# v5.3-rc1~140^2~153^2~19 +table t { + ct expectation ctexpect { + protocol tcp + dport 5432 + timeout 1h + size 12; + } +} diff --git a/tests/shell/features/cttimeout.nft b/tests/shell/features/cttimeout.nft new file mode 100644 index 00000000..4be58cd3 --- /dev/null +++ b/tests/shell/features/cttimeout.nft @@ -0,0 +1,8 @@ +# 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +# v4.19-rc1~140^2~64^2~3 +table t { + ct timeout cttime { + protocol tcp; + policy = {established: 120 } + } +} diff --git a/tests/shell/features/destroy.nft b/tests/shell/features/destroy.nft new file mode 100644 index 00000000..b97242e4 --- /dev/null +++ b/tests/shell/features/destroy.nft @@ -0,0 +1,3 @@ +# f80a612dd77c ("netfilter: nf_tables: add support to destroy operation") +# v6.3-rc1~162^2~264^2 +destroy table t diff --git a/tests/shell/features/dynset_op_delete.nft b/tests/shell/features/dynset_op_delete.nft new file mode 100644 index 00000000..125b4526 --- /dev/null +++ b/tests/shell/features/dynset_op_delete.nft @@ -0,0 +1,12 @@ +# d0a8d877da97 ("netfilter: nft_dynset: support for element deletion") +# v5.4-rc1~131^2~59^2~4 +table ip x { + set s { + flags dynamic; + type inet_service; + } + + chain y { + delete @s { tcp dport } + } +} diff --git a/tests/shell/features/flowtable_counter.sh b/tests/shell/features/flowtable_counter.sh new file mode 100755 index 00000000..a4c4c621 --- /dev/null +++ b/tests/shell/features/flowtable_counter.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +# 53c2b2899af7 ("netfilter: flowtable: add counter support") +# v5.7-rc1~146^2~12^2~16 + +EXPECTED="table ip filter2 { + flowtable main_ft2 { + hook ingress priority filter + devices = { lo } + counter + } +}" + +$NFT -f - <<< $EXPECTED + +diff -u <($NFT list ruleset) - <<<"$EXPECTED" diff --git a/tests/shell/features/flowtable_no_devices.nft b/tests/shell/features/flowtable_no_devices.nft new file mode 100755 index 00000000..30dd3db8 --- /dev/null +++ b/tests/shell/features/flowtable_no_devices.nft @@ -0,0 +1,8 @@ +# 05abe4456fa3 ("netfilter: nf_tables: allow to register flowtable with no devices") +# v5.8-rc1~165^2~27^2~1 +table ip filter2 { + flowtable main_ft2 { + hook ingress priority filter + counter + } +} diff --git a/tests/shell/features/inet_ingress.nft b/tests/shell/features/inet_ingress.nft new file mode 100644 index 00000000..944a5c77 --- /dev/null +++ b/tests/shell/features/inet_ingress.nft @@ -0,0 +1,7 @@ +# d3519cb89f6d ("netfilter: nf_tables: add inet ingress support") +# v5.10-rc1~107^2~17^2~1 +table inet t { + chain c { + type filter hook ingress device "lo" priority filter; policy accept; + } +} diff --git a/tests/shell/features/inet_nat.nft b/tests/shell/features/inet_nat.nft new file mode 100644 index 00000000..189ea1d0 --- /dev/null +++ b/tests/shell/features/inet_nat.nft @@ -0,0 +1,7 @@ +# v5.2-rc1~133^2~174^2~15 +# d164385ec572 ("netfilter: nat: add inet family nat support") +table inet x { + chain y { + type nat hook prerouting priority dstnat; + } +} diff --git a/tests/shell/features/inner_matching.nft b/tests/shell/features/inner_matching.nft new file mode 100644 index 00000000..6c86fd35 --- /dev/null +++ b/tests/shell/features/inner_matching.nft @@ -0,0 +1,7 @@ +# 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching") +# v6.2-rc1~99^2~350^2~4 +table ip t { + chain c { + udp dport 4789 vxlan ip saddr 1.2.3.4 + } +} diff --git a/tests/shell/features/json.sh b/tests/shell/features/json.sh new file mode 100755 index 00000000..d8115702 --- /dev/null +++ b/tests/shell/features/json.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +# Detect JSON support. Note that $NFT may not be the binary from our build +# tree, hence we detect it by running the binary (instead of asking the build +# configuration). +$NFT -j list ruleset diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft new file mode 100644 index 00000000..06c4c9d9 --- /dev/null +++ b/tests/shell/features/map_lookup.nft @@ -0,0 +1,11 @@ +# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks") +# v6.5-rc1~163^2~256^2~8 +table ip t { + map m { + typeof ip daddr : meta mark + } + + chain c { + ip saddr @m + } +} diff --git a/tests/shell/features/meta_time.nft b/tests/shell/features/meta_time.nft new file mode 100644 index 00000000..34550de4 --- /dev/null +++ b/tests/shell/features/meta_time.nft @@ -0,0 +1,7 @@ +# 63d10e12b00d ("netfilter: nft_meta: support for time matching") +# v5.4-rc1~131^2~59^2~6 +table ip t { + chain c { + meta time "1970-05-23 21:07:14" + } +} diff --git a/tests/shell/features/netdev_chain_multidevice.sh b/tests/shell/features/netdev_chain_multidevice.sh new file mode 100755 index 00000000..d2a56d6d --- /dev/null +++ b/tests/shell/features/netdev_chain_multidevice.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# d54725cd11a5 ("netfilter: nf_tables: support for multiple devices per netdev hook") +# v5.5-rc1~174^2~312^2~4 + +trap "ip link del d0; ip link del d1" EXIT + +ip link add d0 type dummy +ip link add d1 type dummy + +EXPECTED="table netdev filter2 { + chain Main_Ingress2 { + type filter hook ingress devices = { \"d0\", \"d1\" } priority -500; policy accept; + } +}" + +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/features/netdev_chain_without_device.nft b/tests/shell/features/netdev_chain_without_device.nft new file mode 100644 index 00000000..25eb200f --- /dev/null +++ b/tests/shell/features/netdev_chain_without_device.nft @@ -0,0 +1,7 @@ +# 207296f1a03b ("netfilter: nf_tables: allow to create netdev chain without device") +# v6.4-rc1~132^2~14^2 +table netdev t { + chain c { + type filter hook ingress priority 0; policy accept; + } +} diff --git a/tests/shell/features/netdev_egress.nft b/tests/shell/features/netdev_egress.nft new file mode 100644 index 00000000..67d706d8 --- /dev/null +++ b/tests/shell/features/netdev_egress.nft @@ -0,0 +1,7 @@ +# 42df6e1d221d ("netfilter: Introduce egress hook") +# v5.16-rc1~159^2~167^2~10 +table netdev t { + chain c { + type filter hook egress devices = { lo } priority 0; policy accept; + } +} diff --git a/tests/shell/features/netmap.nft b/tests/shell/features/netmap.nft new file mode 100644 index 00000000..2580a8dc --- /dev/null +++ b/tests/shell/features/netmap.nft @@ -0,0 +1,8 @@ +# 3ff7ddb1353d ("netfilter: nft_nat: add netmap support") +# v5.8-rc1~165^2~393^2 +table ip x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } + } +} diff --git a/tests/shell/features/osf.nft b/tests/shell/features/osf.nft new file mode 100644 index 00000000..dbb6b4c3 --- /dev/null +++ b/tests/shell/features/osf.nft @@ -0,0 +1,7 @@ +# b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") +# v4.19-rc1~140^2~135^2~15 +table t { + chain c { + osf name "Linux" + } +} diff --git a/tests/shell/features/pipapo.nft b/tests/shell/features/pipapo.nft new file mode 100644 index 00000000..3557721e --- /dev/null +++ b/tests/shell/features/pipapo.nft @@ -0,0 +1,9 @@ +# 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +# v5.6-rc1~151^2~28^2~1 +table t { + set s { + type ipv4_addr . inet_service + flags interval + elements = { 1.1.1.1-2.2.2.2 . 80-90 } + } +} diff --git a/tests/shell/features/prerouting_reject.nft b/tests/shell/features/prerouting_reject.nft new file mode 100644 index 00000000..3dcfb40e --- /dev/null +++ b/tests/shell/features/prerouting_reject.nft @@ -0,0 +1,8 @@ +# f53b9b0bdc59 netfilter: introduce support for reject at prerouting stage +# v5.9-rc1~133^2~302^2~11 +table inet t { + chain nat_filter { + type filter hook prerouting priority 0; policy accept; + reject with icmpx type host-unreachable + } +} diff --git a/tests/shell/features/reset_rule.sh b/tests/shell/features/reset_rule.sh new file mode 100755 index 00000000..567ee2f1 --- /dev/null +++ b/tests/shell/features/reset_rule.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# 8daa8fde3fc3 ("netfilter: nf_tables: Introduce NFT_MSG_GETRULE_RESET") +# v6.2-rc1~99^2~210^2~2 + +unshare -n bash -c "$NFT \"add table t; add chain t c ; add rule t c counter packets 1 bytes 42\"; \ +$NFT reset rules chain t c ; \ +$NFT reset rules chain t c |grep counter\ packets\ 0\ bytes\ 0" diff --git a/tests/shell/features/reset_set.sh b/tests/shell/features/reset_set.sh new file mode 100755 index 00000000..3d034175 --- /dev/null +++ b/tests/shell/features/reset_set.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +# 079cd633219d ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET") +# v6.5-rc1~163^2~9^2~1 + +unshare -n bash -c "$NFT add table t; \ + $NFT add set t s { type ipv4_addr\; counter\; elements = { 127.0.0.1 counter packets 1 bytes 2 } } ; \ + $NFT reset set t s ; \ + $NFT reset set t s | grep counter\ packets\ 0\ bytes\ 0 +" diff --git a/tests/shell/features/reset_tcp_options.nft b/tests/shell/features/reset_tcp_options.nft new file mode 100644 index 00000000..47d1c7b8 --- /dev/null +++ b/tests/shell/features/reset_tcp_options.nft @@ -0,0 +1,5 @@ +table inet t { + chain c { + reset tcp option fastopen + } +} diff --git a/tests/shell/features/sctp_chunks.nft b/tests/shell/features/sctp_chunks.nft new file mode 100644 index 00000000..520afd64 --- /dev/null +++ b/tests/shell/features/sctp_chunks.nft @@ -0,0 +1,7 @@ +# 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks") +# v5.14-rc1~119^2~373^2~15 +table ip t { + chain c { + sctp chunk init 0 + } +} diff --git a/tests/shell/features/secmark.nft b/tests/shell/features/secmark.nft new file mode 100644 index 00000000..ccbb572f --- /dev/null +++ b/tests/shell/features/secmark.nft @@ -0,0 +1,7 @@ +# fb961945457f ("netfilter: nf_tables: add SECMARK support") +# v4.20-rc1~14^2~125^2~5 +table inet x { + secmark ssh_server { + "system_u:object_r:ssh_server_packet_t:s0" + } +} diff --git a/tests/shell/features/set_expr.sh b/tests/shell/features/set_expr.sh new file mode 100755 index 00000000..fbdfc228 --- /dev/null +++ b/tests/shell/features/set_expr.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +# 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition") +# v5.7-rc1~146^2~12^2~25 + +# NFT_SET_EXPR to detect kernel feature only available since +# b4e70d8dd9ea ("netfilter: nftables: add set expression flags") +# v5.11-rc3~39^2^2 + +EXPECTED="table ip x { + set y { + typeof ip saddr + counter + } +}" + +$NFT -f - <<< $EXPECTED + +diff -u <($NFT list ruleset) - <<<"$EXPECTED" diff --git a/tests/shell/features/set_with_two_expressions.nft b/tests/shell/features/set_with_two_expressions.nft new file mode 100644 index 00000000..97632a7a --- /dev/null +++ b/tests/shell/features/set_with_two_expressions.nft @@ -0,0 +1,9 @@ +# 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions") +# v5.11-rc1~169^2~25^2 +table x { + set y { + type ipv4_addr + size 65535 + counter quota 500 bytes + } +} diff --git a/tests/shell/features/setelem_expiration.sh b/tests/shell/features/setelem_expiration.sh new file mode 100755 index 00000000..c539ceba --- /dev/null +++ b/tests/shell/features/setelem_expiration.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +# v5.3-rc1~140^2~153^2~8 +# 79ebb5bb4e38 ("netfilter: nf_tables: enable set expiration time for set elements") + +RULESET="table ip x { + set y { + type ipv4_addr + flags dynamic + timeout 1h + } +}" + +$NFT -f - <<< $RULESET + +$NFT add element ip x y { 1.1.1.1 timeout 1h expires 15m59s } + +$NFT list ruleset | grep "expires 15m" diff --git a/tests/shell/features/stateful_object_update.sh b/tests/shell/features/stateful_object_update.sh new file mode 100755 index 00000000..62fbf7e3 --- /dev/null +++ b/tests/shell/features/stateful_object_update.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +# d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object update operation") +# v5.4-rc1~131^2~59^2~2 + +set -e +$NFT add table test-ip +$NFT add quota test-ip traffic-quota 25 mbytes +$NFT add quota test-ip traffic-quota 50 mbytes + +EXPECTED="table ip test-ip { + quota traffic-quota { + 50 mbytes + } +}" + +GET="$($NFT list ruleset)" +if [ "$EXPECTED" != "$GET" ] ; then + diff -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/features/synproxy.nft b/tests/shell/features/synproxy.nft new file mode 100644 index 00000000..bea4f920 --- /dev/null +++ b/tests/shell/features/synproxy.nft @@ -0,0 +1,9 @@ +# v5.3-rc1~140^2~44^2~10 +# ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support") +table inet x { + synproxy https-synproxy { + mss 1460 + wscale 7 + timestamp sack-perm + } +} diff --git a/tests/shell/features/table_flag_owner.nft b/tests/shell/features/table_flag_owner.nft new file mode 100644 index 00000000..aef122a0 --- /dev/null +++ b/tests/shell/features/table_flag_owner.nft @@ -0,0 +1,5 @@ +# 6001a930ce03 ("netfilter: nftables: introduce table ownership") +# v5.12-rc1~200^2~6^2 +table t { + flags owner; +} diff --git a/tests/shell/features/table_flag_persist.nft b/tests/shell/features/table_flag_persist.nft new file mode 100644 index 00000000..0da3e6d4 --- /dev/null +++ b/tests/shell/features/table_flag_persist.nft @@ -0,0 +1,3 @@ +table t { + flags persist; +} diff --git a/tests/shell/helpers/json-diff-pretty.sh b/tests/shell/helpers/json-diff-pretty.sh new file mode 100755 index 00000000..bebb7e8e --- /dev/null +++ b/tests/shell/helpers/json-diff-pretty.sh @@ -0,0 +1,17 @@ +#!/bin/bash -e + +BASEDIR="$(dirname "$0")" + +[ $# -eq 2 ] || (echo "$0: expects two JSON files as arguments" ; exit 1) + +FILE1="$1" +FILE2="$2" + +pretty() +{ + "$BASEDIR/json-pretty.sh" < "$1" 2>&1 || : +} + +echo "Cmd: \"$0\" \"$FILE1\" \"$FILE2\"" +diff -u "$FILE1" "$FILE2" 2>&1 || : +diff -u <(pretty "$FILE1") <(pretty "$FILE2") 2>&1 || : diff --git a/tests/shell/helpers/json-pretty.sh b/tests/shell/helpers/json-pretty.sh new file mode 100755 index 00000000..5407a842 --- /dev/null +++ b/tests/shell/helpers/json-pretty.sh @@ -0,0 +1,30 @@ +#!/bin/bash -e + +exec_pretty() { + # The output of this command must be stable (and `jq` and python + # fallback must generate the same output. + + if command -v jq &>/dev/null ; then + # If we have, use `jq` + exec jq + fi + + # Fallback to python. + exec python -c ' +import json +import sys + +parsed = json.load(sys.stdin) +print(json.dumps(parsed, indent=2)) +' +} + +[ "$#" -le 1 ] || { echo "At most one argument supported" ; exit 1 ; } + +if [ "$#" -eq 1 ] ; then + # One argument passed. This must be a JSON file. + [ -f "$1" ] || { echo "File \"$1\" does not exist" ; exit 1 ; } + exec_pretty < "$1" +fi + +exec_pretty diff --git a/tests/shell/helpers/json-sanitize-ruleset.sh b/tests/shell/helpers/json-sanitize-ruleset.sh new file mode 100755 index 00000000..31b85cbd --- /dev/null +++ b/tests/shell/helpers/json-sanitize-ruleset.sh @@ -0,0 +1,30 @@ +#!/bin/bash -e + +die() { + printf "%s\n" "$*" + exit 1 +} + +do_sed() { + # Normalize the "version"/"release_name", otherwise we have to + # regenerate the JSON output upon new release. + # + # Also, "handle" are not stable. Normalize them 0. + sed \ + -e '1s/^\({"nftables": \[{"metainfo": {"version": "\)[0-9.]\+\(", "release_name": "\)[^"]\+\(", "\)/\1VERSION\2RELEASE_NAME\3/' \ + -e '1s/"handle": [0-9]\+\>/"handle": 0/g' \ + "$@" +} + +if [ "$#" = 0 ] ; then + do_sed + exit $? +fi + +for f ; do + test -f "$f" || die "$0: file \"$f\" does not exist" +done + +for f ; do + do_sed -i "$f" || die "$0: \`sed -i\` failed for \"$f\"" +done diff --git a/tests/shell/helpers/nft-valgrind-wrapper.sh b/tests/shell/helpers/nft-valgrind-wrapper.sh new file mode 100755 index 00000000..98bbdf43 --- /dev/null +++ b/tests/shell/helpers/nft-valgrind-wrapper.sh @@ -0,0 +1,31 @@ +#!/bin/bash -e + +SUFFIX="$(date "+%H%M%S.%6N").$$" + +rc=0 +libtool \ + --mode=execute \ + valgrind \ + --log-file="$NFT_TEST_TESTTMPDIR/valgrind.$SUFFIX.%p.log" \ + --trace-children=yes \ + --leak-check=full \ + --show-leak-kinds=all \ + --num-callers=100 \ + --error-exitcode=122 \ + --vgdb-prefix="$_NFT_TEST_VALGRIND_VGDB_PREFIX-$SUFFIX" \ + $NFT_TEST_VALGRIND_OPTS \ + "$NFT_REAL" \ + "$@" \ + || rc=$? + +if [ "$rc" -eq 122 ] ; then + shopt -s nullglob + FILES=( "$NFT_TEST_TESTTMPDIR/valgrind.$SUFFIX."*".log" ) + shopt -u nullglob + ( + printf '%s\n' "args: $*" + printf '%s\n' "${FILES[*]}" + ) >> "$NFT_TEST_TESTTMPDIR/rc-failed-valgrind" +fi + +exit $rc diff --git a/tests/shell/helpers/random-source.sh b/tests/shell/helpers/random-source.sh new file mode 100755 index 00000000..91a8248b --- /dev/null +++ b/tests/shell/helpers/random-source.sh @@ -0,0 +1,40 @@ +#!/bin/bash + +# Commands like `sort` and `shuf` have a "--random-source" argument, for +# generating a stable, reproducible output. However, they require an input +# that provides sufficiently many bytes (depending on the input). +# +# This script generates a stream that can be used like +# +# shuf --random-source=<($0 "$seed") + +seed="" +for a; do + seed="$seed${#a}:$a\n" +done + +if command -v openssl &>/dev/null ; then + # We have openssl. Use it. + # https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html#Random-sources + # + # Note that we don't care that different installations/architectures generate the + # same output. + openssl enc -aes-256-ctr -pass "pass:$seed" -nosalt </dev/zero 2>/dev/null +else + # Hack something. It's much slower. + idx=0 + while : ; do + idx="$((idx++))" + seed="$(sha256sum <<<"$idx.$seed")" + echo ">>>$seed" >> a + seed="${seed%% *}" + LANG=C awk -v s="$seed" 'BEGIN{ + for (i=1; i <= length(s); i+=2) { + xchar = substr(s, i, 2); + decnum = strtonum("0x"xchar); + printf("%c", decnum); + } + }' || break + done +fi +exit 0 diff --git a/tests/shell/helpers/test-wrapper.sh b/tests/shell/helpers/test-wrapper.sh new file mode 100755 index 00000000..c016e0ce --- /dev/null +++ b/tests/shell/helpers/test-wrapper.sh @@ -0,0 +1,328 @@ +#!/bin/bash -e + +# This wrapper wraps the invocation of the test. It is called by run-tests.sh, +# and already in the unshared namespace. +# +# For some printf debugging, you can also patch this file. + +array_contains() { + local needle="$1" + local a + shift + for a; do + [ "$a" = "$needle" ] && return 0 + done + return 1 +} + +show_file() { + local filename="$1" + shift + local msg="$*" + + printf '%s\n>>>>\n' "$msg" + cat "$filename" + printf "<<<<\n" +} + +json_pretty() { + "$NFT_TEST_BASEDIR/helpers/json-pretty.sh" "$@" 2>&1 || : +} + +TEST="$1" +TESTBASE="$(basename "$TEST")" +TESTDIR="$(dirname "$TEST")" + +START_TIME="$(cut -d ' ' -f1 /proc/uptime)" + +export TMPDIR="$NFT_TEST_TESTTMPDIR" + +CLEANUP_UMOUNT_VAR_RUN=n + +cleanup() { + if [ "$CLEANUP_UMOUNT_VAR_RUN" = y ] ; then + umount "/var/run" &>/dev/null || : + fi +} + +trap cleanup EXIT + +printf '%s\n' "$TEST" > "$NFT_TEST_TESTTMPDIR/name" + +read tainted_before < /proc/sys/kernel/tainted + +if [ "$NFT_TEST_HAS_UNSHARED_MOUNT" = y ] ; then + # We have a private mount namespace. We will mount /var/run/ as a tmpfs. + # + # The main purpose is so that we can create /var/run/netns, which is + # required for `ip netns add` to work. When running as rootless, this + # is necessary to get such tests to pass. When running rootful, it's + # still useful to not touch the "real" /var/run/netns of the system. + # + # Note that this also hides everything that might reside in /var/run. + # That is desirable, as tests should not depend on content there (or if + # they do, we need to explicitly handle it as appropriate). + if mount -t tmpfs --make-private tmpfs "/var/run" ; then + CLEANUP_UMOUNT_VAR_RUN=y + fi + mkdir -p /var/run/netns +fi + +TEST_TAGS_PARSED=0 +ensure_TEST_TAGS() { + if [ "$TEST_TAGS_PARSED" = 0 ] ; then + TEST_TAGS_PARSED=1 + TEST_TAGS=( $(sed -n '1,10 { s/^.*\<\(NFT_TEST_REQUIRES\|NFT_TEST_SKIP\)\>\s*(\s*\(NFT_TEST_SKIP_[a-zA-Z0-9_]\+\|NFT_TEST_HAVE_[a-zA-Z0-9_]\+\)\s*).*$/\1(\2)/p }' "$1" 2>/dev/null || : ) ) + fi +} + +rc_test=0 + +if [ "$rc_test" -eq 0 ] ; then + for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_') ; do + if [ "${!KEY}" != n ]; then + continue + fi + ensure_TEST_TAGS "$TEST" + if array_contains "NFT_TEST_REQUIRES($KEY)" "${TEST_TAGS[@]}" ; then + echo "Test skipped due to $KEY=n (test has \"NFT_TEST_REQUIRES($KEY)\" tag)" >> "$NFT_TEST_TESTTMPDIR/testout.log" + rc_test=77 + break + fi + done +fi + +if [ "$rc_test" -eq 0 ] ; then + for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_') ; do + if [ "${!KEY}" != y ]; then + continue + fi + ensure_TEST_TAGS "$TEST" + if array_contains "NFT_TEST_SKIP($KEY)" "${TEST_TAGS[@]}" ; then + echo "Test skipped due to $KEY=y (test has \"NFT_TEST_SKIP($KEY)\" tag)" >> "$NFT_TEST_TESTTMPDIR/testout.log" + rc_test=77 + break + fi + done +fi + +if [ "$rc_test" -eq 0 ] ; then + CMD=( "$TEST" ) + if [ "$NFT_TEST_VERBOSE_TEST" = y ] ; then + X="$(sed -n '1 s/^#!\(\/bin\/bash\>.*$\)/\1/p' "$TEST" 2>/dev/null)" + if [ -n "$X" ] ; then + # Note that kernel parses the shebang differently and does not + # word splitting for the arguments. We do split the arguments here + # which would matter if there are spaces. For our tests, there + # are either no arguments or only one argument without space. So + # this is good enough. + CMD=( $X -x "$TEST" ) + fi + fi + printf "Command: $(printf '%q ' "${CMD[@]}")\n" &>> "$NFT_TEST_TESTTMPDIR/testout.log" + "${CMD[@]}" &>> "$NFT_TEST_TESTTMPDIR/testout.log" || rc_test=$? +fi + +rc_chkdump=0 +rc=0 +$NFT list ruleset > "$NFT_TEST_TESTTMPDIR/ruleset-after" 2> "$NFT_TEST_TESTTMPDIR/chkdump" || rc=$? +if [ "$rc" -ne 0 -o -s "$NFT_TEST_TESTTMPDIR/chkdump" ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT list ruleset\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 +fi +if [ "$NFT_TEST_HAVE_json" != n ] ; then + rc=0 + $NFT -j list ruleset > "$NFT_TEST_TESTTMPDIR/ruleset-after.json" 2> "$NFT_TEST_TESTTMPDIR/chkdump" || rc=$? + + # Workaround known bug in stmt_print_json(), due to + # "chain_stmt_ops.json" being NULL. This spams stderr. + sed -i '/^warning: stmt ops chain have no json callback$/d' "$NFT_TEST_TESTTMPDIR/chkdump" + + if [ "$rc" -ne 0 -o -s "$NFT_TEST_TESTTMPDIR/chkdump" ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT -j list ruleset\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 + fi + # JSON output needs normalization/sanitization, otherwise it's not stable. + "$NFT_TEST_BASEDIR/helpers/json-sanitize-ruleset.sh" "$NFT_TEST_TESTTMPDIR/ruleset-after.json" + json_pretty "$NFT_TEST_TESTTMPDIR/ruleset-after.json" > "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" +fi + +read tainted_after < /proc/sys/kernel/tainted + +DUMPPATH="$TESTDIR/dumps" +DUMPFILE="$DUMPPATH/$TESTBASE.nft" +JDUMPFILE="$DUMPPATH/$TESTBASE.json-nft" +NODUMPFILE="$DUMPPATH/$TESTBASE.nodump" + +# The caller can request a re-geneating of the .nft, .nodump, .json-nft dump files +# by setting DUMPGEN=y. In that case, only the existing files will be regenerated +# (unless all three files are missing, in which case all of them are generated). +# +# By setting DUMPGEN=all, all 3 files are always regenerated. +dump_written=n +if [ "$rc_test" -eq 0 -a '(' "$DUMPGEN" = all -o "$DUMPGEN" = y ')' ] ; then + dump_written=y + if [ ! -d "$DUMPPATH" ] ; then + mkdir "$DUMPPATH" + fi + if [ "$DUMPGEN" = all ] ; then + gen_nodumpfile=y + gen_dumpfile=y + gen_jdumpfile=y + else + # by default, only regenerate the files that we already have on disk. + gen_nodumpfile=n + gen_dumpfile=n + gen_jdumpfile=n + test -f "$DUMPFILE" && gen_dumpfile=y + test -f "$JDUMPFILE" && gen_jdumpfile=y + test -f "$NODUMPFILE" && gen_nodumpfile=y + if [ "$gen_dumpfile" != y -a "$gen_jdumpfile" != y -a "$gen_nodumpfile" != y ] ; then + # Except, if no files exist. Them generate all files. + gen_dumpfile=y + gen_jdumpfile=y + gen_nodumpfile=y + fi + fi + if [ "$gen_nodumpfile" = y ] ; then + : > "$NODUMPFILE" + fi + if [ "$gen_dumpfile" = y ] ; then + cat "$NFT_TEST_TESTTMPDIR/ruleset-after" > "$DUMPFILE" + fi + if [ "$NFT_TEST_HAVE_json" != n -a "$gen_jdumpfile" = y ] ; then + cat "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" > "$JDUMPFILE" + fi +fi + +rc_dump=0 +if [ "$rc_test" -ne 77 -a "$dump_written" != y ] ; then + if [ -f "$DUMPFILE" ] ; then + if ! $DIFF -u "$DUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after" &> "$NFT_TEST_TESTTMPDIR/ruleset-diff" ; then + show_file "$NFT_TEST_TESTTMPDIR/ruleset-diff" "Failed \`$DIFF -u \"$DUMPFILE\" \"$NFT_TEST_TESTTMPDIR/ruleset-after\"\`" >> "$NFT_TEST_TESTTMPDIR/rc-failed-dump" + rc_dump=1 + else + rm -f "$NFT_TEST_TESTTMPDIR/ruleset-diff" + fi + fi + if [ "$NFT_TEST_HAVE_json" != n -a -f "$JDUMPFILE" ] ; then + if ! $DIFF -u "$JDUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" &> "$NFT_TEST_TESTTMPDIR/ruleset-diff.json" ; then + show_file "$NFT_TEST_TESTTMPDIR/ruleset-diff.json" "Failed \`$DIFF -u \"$JDUMPFILE\" \"$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty\"\`" >> "$NFT_TEST_TESTTMPDIR/rc-failed-dump" + rc_dump=1 + else + rm -f "$NFT_TEST_TESTTMPDIR/ruleset-diff.json" + fi + fi +fi + +# check that a flush after the test succeeds. We anyway need a clean ruleset +# for the `nft --check` next. +rc=0 +$NFT flush ruleset &> "$NFT_TEST_TESTTMPDIR/chkdump" || rc=1 +if [ "$rc" = 1 -o -s "$NFT_TEST_TESTTMPDIR/chkdump" ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT flush ruleset\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 +fi +# Check that `nft [-j] list ruleset | nft [-j] --check -f -` works. +fail=n +$NFT --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after" &> "$NFT_TEST_TESTTMPDIR/chkdump" || fail=y +test -s "$NFT_TEST_TESTTMPDIR/chkdump" && fail=y +if [ "$fail" = y ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT --check -f \"$NFT_TEST_TESTTMPDIR/ruleset-after\"\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 +fi +if [ -f "$DUMPFILE" ] && ! cmp "$DUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after" &>/dev/null ; then + # Also check the $DUMPFILE to hit possibly new code paths. This + # is useful to see crashes and with ASAN/valgrind. + $NFT --check -f "$DUMPFILE" &>/dev/null || : +fi +if [ "$NFT_TEST_HAVE_json" != n ] ; then + if [ ! -f "$JDUMPFILE" ] ; then + # Optimally, `nft -j list ruleset | nft -j --check -f -` never + # fails. However, there are known issues where this doesn't + # work, and we cannot assert hard against that. It's those + # tests that don't have a .json-nft file. + # + # This should be fixed, every test should have a .json-nft + # file, and this workaround removed. + $NFT -j --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after.json" &>/dev/null || : + $NFT -j --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" &>/dev/null || : + else + fail=n + $NFT -j --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after.json" &> "$NFT_TEST_TESTTMPDIR/chkdump" || fail=y + test -s "$NFT_TEST_TESTTMPDIR/chkdump" && fail=y + if [ "$fail" = y ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT -j --check -f \"$NFT_TEST_TESTTMPDIR/ruleset-after.json\"\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 + fi + fail=n + $NFT -j --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" &> "$NFT_TEST_TESTTMPDIR/chkdump" || fail=y + test -s "$NFT_TEST_TESTTMPDIR/chkdump" && fail=y + if [ "$fail" = y ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT -j --check -f \"$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty\"\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 + fi + fi + if [ -f "$JDUMPFILE" ] \ + && ! cmp "$JDUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after.json" &>/dev/null \ + && ! cmp "$JDUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" &>/dev/null ; \ + then + $NFT -j --check -f "$JDUMPFILE" &>/dev/null || : + fi +fi +rm -f "$NFT_TEST_TESTTMPDIR/chkdump" + +rc_valgrind=0 +[ -f "$NFT_TEST_TESTTMPDIR/rc-failed-valgrind" ] && rc_valgrind=1 + +rc_tainted=0 +if [ "$tainted_before" != "$tainted_after" ] ; then + echo "$tainted_after" > "$NFT_TEST_TESTTMPDIR/rc-failed-tainted" + rc_tainted=1 +fi + +if [ "$rc_valgrind" -ne 0 ] ; then + rc_exit=122 +elif [ "$rc_tainted" -ne 0 ] ; then + rc_exit=123 +elif [ "$rc_test" -ge 118 -a "$rc_test" -le 124 ] ; then + # Special exit codes are reserved. Coerce them. + rc_exit=125 +elif [ "$rc_test" -ne 0 ] ; then + rc_exit="$rc_test" +elif [ "$rc_dump" -ne 0 ] ; then + rc_exit=124 +elif [ "$rc_chkdump" -ne 0 ] ; then + rc_exit=121 +else + rc_exit=0 +fi + + +# We always write the real exit code of the test ($rc_test) to one of the files +# rc-{ok,skipped,failed}, depending on which it is. +# +# Note that there might be other rc-failed-{dump,tainted,valgrind} files with +# additional errors. Note that if such files exist, the overall state will +# always be failed too (and an "rc-failed" file exists). +# +# On failure, we also write the combined "$rc_exit" code from "test-wrapper.sh" +# to "rc-failed-exit" file. +# +# This means, failed tests will have a "rc-failed" file, and additional +# "rc-failed-*" files exist for further information. +if [ "$rc_exit" -eq 0 ] ; then + RC_FILENAME="rc-ok" +elif [ "$rc_exit" -eq 77 ] ; then + RC_FILENAME="rc-skipped" +else + RC_FILENAME="rc-failed" + echo "$rc_exit" > "$NFT_TEST_TESTTMPDIR/rc-failed-exit" +fi +echo "$rc_test" > "$NFT_TEST_TESTTMPDIR/$RC_FILENAME" + +END_TIME="$(cut -d ' ' -f1 /proc/uptime)" +WALL_TIME="$(awk -v start="$START_TIME" -v end="$END_TIME" "BEGIN { print(end - start) }")" +printf "%s\n" "$WALL_TIME" "$START_TIME" "$END_TIME" > "$NFT_TEST_TESTTMPDIR/times" + +exit "$rc_exit" diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 2c415489..6a9b518c 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -1,46 +1,617 @@ #!/bin/bash -# Configuration -TESTDIR="./$(dirname $0)/testcases" -SRC_NFT="$(dirname $0)/../../src/nft" -DIFF=$(which diff) +unset LANGUAGE +export LANG=C +export LC_ALL=C + +GREEN="" +YELLOW="" +RED="" +RESET="" +if [ -z "$NO_COLOR" ] ; then + if [ -n "$CLICOLOR_FORCE" ] || [[ -t 1 ]] ; then + # See https://bixense.com/clicolors/ . We only check isatty() on + # file descriptor 1, to decide whether colorizing happens (although, + # we might also colorize on other places/FDs). + GREEN=$'\e[32m' + YELLOW=$'\e[33m' + RED=$'\e[31m' + RESET=$'\e[0m' + fi +fi + +array_contains() { + local needle="$1" + local a + shift + for a; do + [ "$a" = "$needle" ] && return 0 + done + return 1 +} + +array_remove_first() { + local _varname="$1" + local _needle="$2" + local _result=() + local _a + + eval "local _input=( \"\${$_varname[@]}\" )" + for _a in "${_input[@]}" ; do + if [ -n "${_needle+x}" -a "$_needle" = "$_a" ] ; then + unset _needle + else + _result+=("$_a") + fi + done + eval "$_varname="'( "${_result[@]}" )' +} + +colorize_keywords() { + local out_variable="$1" + local color="$2" + local val="$3" + local val2 + shift 3 + + printf -v val2 '%q' "$val" + array_contains "$val" "$@" && val2="$color$val2$RESET" + printf -v "$out_variable" '%s' "$val2" +} + +strtonum() { + local s="$1" + local n + local n2 + + re='^[[:space:]]*([0-9]+)[[:space:]]*$' + if [[ "$s" =~ $re ]] ; then + n="${BASH_REMATCH[1]}" + if [ "$(( n + 0 ))" = "$n" ] ; then + echo "$n" + return 0 + fi + fi + re='^[[:space:]]*0x([0-9a-fA-F]+)[[:space:]]*$' + if [[ "$s" =~ $re ]] ; then + n="${BASH_REMATCH[1]}" + n2="$(( 16#$n + 0 ))" + if [ "$n2" = "$(printf '%d' "0x$n" 2>/dev/null)" ] ; then + echo "$n2" + return 0 + fi + fi + return 1 +} + +_msg() { + local level="$1" + shift + + if [ "$level" = E ] ; then + printf '%s\n' "$RED$level$RESET: $*" + elif [ "$level" = W ] ; then + printf '%s\n' "$YELLOW$level$RESET: $*" + else + printf '%s\n' "$level: $*" + fi + if [ "$level" = E ] ; then + exit 1 + fi +} msg_error() { - echo "E: $1 ..." >&2 - exit 1 + _msg E "$@" } msg_warn() { - echo "W: $1" >&2 + _msg W "$@" } msg_info() { - echo "I: $1" + _msg I "$@" +} + +align_text() { + local _OUT_VARNAME="$1" + local _LEFT_OR_RIGHT="$2" + local _INDENT="$3" + shift 3 + local _text="$*" + local _text_plain + local _text_align + local _text_result + local _i + + # This function is needed, because "$text" might contain color escape + # sequences. A plain `printf '%12s' "$text"` will not align properly. + + # strip escape sequences + _text_plain="${_text//$'\e['[0-9]m/}" + _text_plain="${_text_plain//$'\e['[0-9][0-9]m/}" + + _text_align="" + for (( _i = "${#_text_plain}" ; "$_i" < "$_INDENT" ; _i++ )) ; do + _text_align="$_text_align " + done + + if [ "$_LEFT_OR_RIGHT" = left ] ; then + _text_result="$(printf "%s$_text_align-" "$_text")" + else + _text_result="$(printf "$_text_align%s-" "$_text")" + fi + _text_result="${_text_result%-}" + + eval "$_OUT_VARNAME=\"\$_text_result\"" +} + +bool_n() { + case "$1" in + n|N|no|No|NO|0|false|False|FALSE) + printf n + ;; + *) + printf y + ;; + esac +} + +bool_y() { + case "$1" in + y|Y|yes|Yes|YES|1|true|True|TRUE) + printf y + ;; + *) + printf n + ;; + esac +} + +usage() { + echo " $0 [OPTIONS] [TESTS...]" + echo + echo "OPTIONS:" + echo " -h|--help : Print usage." + echo " -L|--list-tests : List test names and quit." + echo " -v : Sets VERBOSE=y." + echo " -g : Sets DUMPGEN=y." + echo " -V : Sets VALGRIND=y." + echo " -K : Sets KMEMLEAK=y." + echo " -R|--without-realroot : Sets NFT_TEST_HAS_REALROOT=n." + echo " -U|--no-unshare : Sets NFT_TEST_UNSHARE_CMD=\"\"." + echo " -k|--keep-logs : Sets NFT_TEST_KEEP_LOGS=y." + echo " -x : Sets NFT_TEST_VERBOSE_TEST=y." + echo " -s|--sequential : Sets NFT_TEST_JOBS=0, which also enables global cleanups." + echo " Also sets NFT_TEST_SHUFFLE_TESTS=n if left unspecified." + echo " -Q|--quick : Sets NFT_TEST_SKIP_slow=y." + echo " -S|--setup-host : Modify the host to run as rootless. Otherwise, some tests will be" + echo " skipped. Basically, this bumps /proc/sys/net/core/{wmem_max,rmem_max}." + echo " Must run as root and this option must be specified alone." + echo " -- : Separate options from tests." + echo " [TESTS...] : Other options are treated as test names," + echo " that is, executables that are run by the runner." + echo + echo "ENVIRONMENT VARIABLES:" + echo " NFT=<CMD> : Path to nft executable. Will be called as \`\$NFT [...]\` so" + echo " it can be a command with parameters. Note that in this mode quoting" + echo " does not work, so the usage is limited and the command cannot contain" + echo " spaces." + echo " NFT_REAL=<CMD> : Real nft comand. Usually this is just the same as \$NFT," + echo " however, you may set NFT='valgrind nft' and NFT_REAL to the real command." + echo " VERBOSE=*|y : Enable verbose output." + echo " NFT_TEST_VERBOSE_TEST=*|y: if true, enable verbose output for tests. For bash scripts, this means" + echo " to pass \"-x\" to the interpreter." + echo " DUMPGEN=*|y|all : Regenerate dump files \".{nft,json-nft,nodump}\". \"DUMPGEN=y\" only regenerates existing" + echo " files, unless the test has no files (then all three files are generated, and you need to" + echo " choose which to keep). With \"DUMPGEN=all\" all 3 files are regenerated, regardless" + echo " whether they already exist." + echo " VALGRIND=*|y : Run \$NFT in valgrind." + echo " KMEMLEAK=*|y : Check for kernel memleaks." + echo " NFT_TEST_HAS_REALROOT=*|y : To indicate whether the test has real root permissions." + echo " Usually, you don't need this and it gets autodetected." + echo " You might want to set it, if you know better than the" + echo " \`id -u\` check, whether the user is root in the main namespace." + echo " Note that without real root, certain tests may not work," + echo " e.g. due to limited /proc/sys/net/core/{wmem_max,rmem_max}." + echo " Checks that cannot pass in such environment should check for" + echo " [ \"\$NFT_TEST_HAS_REALROOT\" != y ] and skip gracefully." + echo " NFT_TEST_HAS_SOCKET_LIMITS=*|n : some tests will fail if /proc/sys/net/core/{wmem_max,rmem_max} is" + echo " too small. When running as real root, then test can override those limits. However," + echo " with rootless the test would fail. Tests will check for [ "\$NFT_TEST_HAS_SOCKET_LIMITS" = y ]" + echo " and skip. You may set NFT_TEST_HAS_SOCKET_LIMITS=n if you ensure those limits are" + echo " suitable to run the test rootless. Otherwise will be autodetected." + echo " Set /proc/sys/net/core/{wmem_max,rmem_max} to at least 4MB to get them to pass automatically." + echo " NFT_TEST_UNSHARE_CMD=cmd : when set, this is the command line for an unshare" + echo " command, which is used to sandbox each test invocation. By" + echo " setting it to empty, no unsharing is done." + echo " By default it is unset, in which case it's autodetected as" + echo " \`unshare -f -p\` (for root) or as \`unshare -f -p --mount-proc -U --map-root-user -n\`" + echo " for non-root." + echo " When setting this, you may also want to set NFT_TEST_HAS_UNSHARED=," + echo " NFT_TEST_HAS_REALROOT= and NFT_TEST_HAS_UNSHARED_MOUNT= accordingly." + echo " NFT_TEST_HAS_UNSHARED=*|y : To indicate to the test whether the test run will be unshared." + echo " Test may consider this." + echo " This is only honored when \$NFT_TEST_UNSHARE_CMD= is set. Otherwise it's detected." + echo " NFT_TEST_HAS_UNSHARED_MOUNT=*|y : To indicate to the test whether the test run will have a private" + echo " mount namespace." + echo " This is only honored when \$NFT_TEST_UNSHARE_CMD= is set. Otherwise it's detected." + echo " NFT_TEST_KEEP_LOGS=*|y: Keep the temp directory. On success, it will be deleted by default." + echo " NFT_TEST_JOBS=<NUM}>: number of jobs for parallel execution. Defaults to \"\$(nproc)*1.5\" for parallel run." + echo " Setting this to \"0\" or \"1\", means to run jobs sequentially." + echo " Setting this to \"0\" means also to perform global cleanups between tests (remove" + echo " kernel modules)." + echo " Parallel jobs requires unshare and are disabled with NFT_TEST_UNSHARE_CMD=\"\"." + echo " NFT_TEST_FAIL_ON_SKIP=*|y: if any jobs are skipped, exit with error." + echo " NFT_TEST_RANDOM_SEED=<SEED>: The test runner will export the environment variable NFT_TEST_RANDOM_SEED" + echo " set to a random number. This can be used as a stable seed for tests to randomize behavior." + echo " Set this to a fixed value to get reproducible behavior." + echo " NFT_TEST_SHUFFLE_TESTS=*|n|y: control whether to randomly shuffle the order of tests. By default, if" + echo " tests are specified explicitly, they are not shuffled while they are shuffled when" + echo " all tests are run. The shuffling is based on NFT_TEST_RANDOM_SEED." + echo " TMPDIR=<PATH> : select a different base directory for the result data." + echo + echo " NFT_TEST_HAVE_<FEATURE>=*|y: Some tests requires certain features or will be skipped." + echo " The features are autodetected, but you can force it by setting the variable." + echo " Supported <FEATURE>s are: ${_HAVE_OPTS[@]}." + echo " NFT_TEST_SKIP_<OPTION>=*|y: if set, certain tests are skipped." + echo " Supported <OPTION>s are: ${_SKIP_OPTS[@]}." +} + +NFT_TEST_BASEDIR="$(dirname "$0")" + +# Export the base directory. It may be used by tests. +export NFT_TEST_BASEDIR + +_HAVE_OPTS=() +shopt -s nullglob +F=( "$NFT_TEST_BASEDIR/features/"*.nft "$NFT_TEST_BASEDIR/features/"*.sh ) +shopt -u nullglob +for file in "${F[@]}"; do + feat="${file##*/}" + feat="${feat%.*}" + re="^[a-z_0-9]+$" + if [[ "$feat" =~ $re ]] && ! array_contains "$feat" "${_HAVE_OPTS[@]}" && [[ "$file" != *.sh || -x "$file" ]] ; then + _HAVE_OPTS+=( "$feat" ) + else + msg_warn "Ignore feature file \"$file\"" + fi +done +_HAVE_OPTS=( $(printf '%s\n' "${_HAVE_OPTS[@]}" | sort) ) + +for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_' | sort) ; do + if ! array_contains "${KEY#NFT_TEST_HAVE_}" "${_HAVE_OPTS[@]}" ; then + unset "$KEY" + fi +done + +_SKIP_OPTS=( slow ) +for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_' | sort) ; do + if ! array_contains "${KEY#NFT_TEST_SKIP_}" "${_SKIP_OPTS[@]}" ; then + unset "$KEY" + fi +done + +_NFT_TEST_JOBS_DEFAULT="$(nproc)" +[ "$_NFT_TEST_JOBS_DEFAULT" -gt 0 ] 2>/dev/null || _NFT_TEST_JOBS_DEFAULT=1 +_NFT_TEST_JOBS_DEFAULT="$(( _NFT_TEST_JOBS_DEFAULT + (_NFT_TEST_JOBS_DEFAULT + 1) / 2 ))" + +VERBOSE="$(bool_y "$VERBOSE")" +NFT_TEST_VERBOSE_TEST="$(bool_y "$NFT_TEST_VERBOSE_TEST")" +if [ "$DUMPGEN" != "all" ] ; then + DUMPGEN="$(bool_y "$DUMPGEN")" +fi +VALGRIND="$(bool_y "$VALGRIND")" +KMEMLEAK="$(bool_y "$KMEMLEAK")" +NFT_TEST_KEEP_LOGS="$(bool_y "$NFT_TEST_KEEP_LOGS")" +NFT_TEST_HAS_REALROOT="$NFT_TEST_HAS_REALROOT" +NFT_TEST_JOBS="${NFT_TEST_JOBS:-$_NFT_TEST_JOBS_DEFAULT}" +NFT_TEST_FAIL_ON_SKIP="$(bool_y "$NFT_TEST_FAIL_ON_SKIP")" +NFT_TEST_RANDOM_SEED="$NFT_TEST_RANDOM_SEED" +NFT_TEST_SHUFFLE_TESTS="$NFT_TEST_SHUFFLE_TESTS" +NFT_TEST_SKIP_slow="$(bool_y "$NFT_TEST_SKIP_slow")" +DO_LIST_TESTS= + +if [ -z "$NFT_TEST_RANDOM_SEED" ] ; then + # Choose a random value. + n="$SRANDOM" + [ -z "$n" ] && n="$RANDOM" +else + # Parse as number. + n="$(strtonum "$NFT_TEST_RANDOM_SEED")" + if [ -z "$n" ] ; then + # If not a number, pick a hash based on the SHA-sum of the seed. + n="$(printf "%d" "0x$(sha256sum <<<"NFT_TEST_RANDOM_SEED:$NFT_TEST_RANDOM_SEED" | sed -n '1 { s/^\(........\).*/\1/p }')")" + fi +fi +# Limit a 31 bit decimal so tests can rely on this being in a certain +# restricted form. +NFT_TEST_RANDOM_SEED="$(( $n % 0x80000000 ))" +export NFT_TEST_RANDOM_SEED + +TESTS=() + +SETUP_HOST= +SETUP_HOST_OTHER= + +ARGV_ORIG=( "$@" ) + +while [ $# -gt 0 ] ; do + A="$1" + shift + case "$A" in + -S|--setup-host) + ;; + *) + SETUP_HOST_OTHER=y + ;; + esac + case "$A" in + -S|--setup-host) + SETUP_HOST="$A" + ;; + -v) + VERBOSE=y + ;; + -x) + NFT_TEST_VERBOSE_TEST=y + ;; + -g) + DUMPGEN=y + ;; + -V) + VALGRIND=y + ;; + -K) + KMEMLEAK=y + ;; + -h|--help) + usage + exit 0 + ;; + -k|--keep-logs) + NFT_TEST_KEEP_LOGS=y + ;; + -L|--list-tests) + DO_LIST_TESTS=y + ;; + -R|--without-realroot) + NFT_TEST_HAS_REALROOT=n + ;; + -U|--no-unshare) + NFT_TEST_UNSHARE_CMD= + ;; + -s|--sequential) + NFT_TEST_JOBS=0 + if [ -z "$NFT_TEST_SHUFFLE_TESTS" ] ; then + NFT_TEST_SHUFFLE_TESTS=n + fi + ;; + -Q|--quick) + NFT_TEST_SKIP_slow=y + ;; + --) + TESTS+=( "$@" ) + shift $# + ;; + *) + TESTS+=( "$A" ) + ;; + esac +done + +sysctl_bump() { + local sysctl="$1" + local val="$2" + local cur; + + cur="$(cat "$sysctl" 2>/dev/null)" || : + if [ -n "$cur" -a "$cur" -ge "$val" ] ; then + echo "# Skip: echo $val > $sysctl (current value $cur)" + return 0 + fi + echo " echo $val > $sysctl (previous value $cur)" + echo "$val" > "$sysctl" +} + +setup_host() { + echo "Setting up host for running as rootless (requires root)." + sysctl_bump /proc/sys/net/core/rmem_max $((4000*1024)) || return $? + sysctl_bump /proc/sys/net/core/wmem_max $((4000*1024)) || return $? +} + +if [ -n "$SETUP_HOST" ] ; then + if [ "$SETUP_HOST_OTHER" = y ] ; then + msg_error "The $SETUP_HOST option must be specified alone." + fi + setup_host + exit $? +fi + +find_tests() { + find "$1" -type f -executable | sort } -if [ "$(id -u)" != "0" ] ; then - msg_error "this requires root!" +if [ "${#TESTS[@]}" -eq 0 ] ; then + d="$NFT_TEST_BASEDIR/testcases/" + d="${d#./}" + TESTS=( $(find_tests "$d") ) + test "${#TESTS[@]}" -gt 0 || msg_error "Could not find tests" + if [ -z "$NFT_TEST_SHUFFLE_TESTS" ] ; then + NFT_TEST_SHUFFLE_TESTS=y + fi +fi + +TESTSOLD=( "${TESTS[@]}" ) +TESTS=() +for t in "${TESTSOLD[@]}" ; do + if [ -f "$t" -a -x "$t" ] ; then + TESTS+=( "$t" ) + elif [ -d "$t" ] ; then + TESTS+=( $(find_tests "$t") ) + else + msg_error "Unknown test \"$t\"" + fi +done + +NFT_TEST_SHUFFLE_TESTS="$(bool_y "$NFT_TEST_SHUFFLE_TESTS")" + +if [ "$DO_LIST_TESTS" = y ] ; then + printf '%s\n' "${TESTS[@]}" + exit 0 fi -[ -z "$NFT" ] && NFT=$SRC_NFT -if [ ! -x "$NFT" ] ; then - msg_error "no nft binary!" +START_TIME="$(cut -d ' ' -f1 /proc/uptime)" + +_TMPDIR="${TMPDIR:-/tmp}" + +# Export the orignal TMPDIR for the tests. "test-wrapper.sh" sets TMPDIR to +# NFT_TEST_TESTTMPDIR, so that temporary files are placed along side the +# test data. In some cases, we may want to know the original TMPDIR. +export NFT_TEST_TMPDIR_ORIG="$_TMPDIR" + +if [ "$NFT_TEST_HAS_REALROOT" = "" ] ; then + # The caller didn't set NFT_TEST_HAS_REALROOT and didn't specify + # -R/--without-root option. Autodetect it based on `id -u`. + export NFT_TEST_HAS_REALROOT="$(test "$(id -u)" = "0" && echo y || echo n)" else - msg_info "using nft binary $NFT" + NFT_TEST_HAS_REALROOT="$(bool_y "$NFT_TEST_HAS_REALROOT")" +fi +export NFT_TEST_HAS_REALROOT + +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = "" ] ; then + if [ "$NFT_TEST_HAS_REALROOT" = y ] ; then + NFT_TEST_HAS_SOCKET_LIMITS=n + elif [ "$(cat /proc/sys/net/core/wmem_max 2>/dev/null)" -ge $((4000*1024)) ] 2>/dev/null && \ + [ "$(cat /proc/sys/net/core/rmem_max 2>/dev/null)" -ge $((4000*1024)) ] 2>/dev/null ; then + NFT_TEST_HAS_SOCKET_LIMITS=n + else + NFT_TEST_HAS_SOCKET_LIMITS=y + fi +else + NFT_TEST_HAS_SOCKET_LIMITS="$(bool_n "$NFT_TEST_HAS_SOCKET_LIMITS")" +fi +export NFT_TEST_HAS_SOCKET_LIMITS + +detect_unshare() { + if ! $1 true &>/dev/null ; then + return 1 + fi + NFT_TEST_UNSHARE_CMD="$1" + return 0 +} + +if [ -n "${NFT_TEST_UNSHARE_CMD+x}" ] ; then + # User overrides the unshare command. + if ! detect_unshare "$NFT_TEST_UNSHARE_CMD" ; then + msg_error "Cannot unshare via NFT_TEST_UNSHARE_CMD=$(printf '%q' "$NFT_TEST_UNSHARE_CMD")" + fi + if [ -z "${NFT_TEST_HAS_UNSHARED+x}" ] ; then + # Autodetect NFT_TEST_HAS_UNSHARED based one whether + # $NFT_TEST_UNSHARE_CMD is set. + if [ -n "$NFT_TEST_UNSHARE_CMD" ] ; then + NFT_TEST_HAS_UNSHARED="y" + else + NFT_TEST_HAS_UNSHARED="n" + fi + else + NFT_TEST_HAS_UNSHARED="$(bool_y "$NFT_TEST_HAS_UNSHARED")" + fi + if [ -z "${NFT_TEST_HAS_UNSHARED_MOUNT+x}" ] ; then + NFT_TEST_HAS_UNSHARED_MOUNT=n + if [ "$NFT_TEST_HAS_UNSHARED" == y ] ; then + case "$NFT_TEST_UNSHARE_CMD" in + unshare*-m*|unshare*--mount-proc*) + NFT_TEST_HAS_UNSHARED_MOUNT=y + ;; + esac + fi + else + NFT_TEST_HAS_UNSHARED_MOUNT="$(bool_y "$NFT_TEST_HAS_UNSHARED_MOUNT")" + fi +else + NFT_TEST_HAS_UNSHARED_MOUNT=n + if [ "$NFT_TEST_HAS_REALROOT" = y ] ; then + # We appear to have real root. So try to unshare + # without a separate USERNS. CLONE_NEWUSER will break + # tests that are limited by + # /proc/sys/net/core/{wmem_max,rmem_max}. With real + # root, we want to test that. + if detect_unshare "unshare -f -n -m" ; then + NFT_TEST_HAS_UNSHARED_MOUNT=y + else + detect_unshare "unshare -f -n" || + detect_unshare "unshare -f -p -m --mount-proc -U --map-root-user -n" || + detect_unshare "unshare -f -U --map-root-user -n" + fi + else + if detect_unshare "unshare -f -p -m --mount-proc -U --map-root-user -n" ; then + NFT_TEST_HAS_UNSHARED_MOUNT=y + else + detect_unshare "unshare -f -U --map-root-user -n" + fi + fi + if [ -z "$NFT_TEST_UNSHARE_CMD" ] ; then + msg_error "Unshare does not work. Run as root with -U/--no-unshare or set NFT_TEST_UNSHARE_CMD" + fi + NFT_TEST_HAS_UNSHARED=y fi +# If tests wish, they can know whether they are unshared via this variable. +export NFT_TEST_HAS_UNSHARED +export NFT_TEST_HAS_UNSHARED_MOUNT -if [ ! -d "$TESTDIR" ] ; then - msg_error "missing testdir $TESTDIR" +# normalize the jobs number to be an integer. +case "$NFT_TEST_JOBS" in + ''|*[!0-9]*) NFT_TEST_JOBS=_NFT_TEST_JOBS_DEFAULT ;; +esac +if [ -z "$NFT_TEST_UNSHARE_CMD" -a "$NFT_TEST_JOBS" -gt 1 ] ; then + NFT_TEST_JOBS=1 fi -FIND="$(which find)" -if [ ! -x "$FIND" ] ; then - msg_error "no find binary found" +[ -z "$NFT" ] && NFT="$NFT_TEST_BASEDIR/../../src/nft" +${NFT} > /dev/null 2>&1 +ret=$? +if [ ${ret} -eq 126 ] || [ ${ret} -eq 127 ]; then + msg_error "cannot execute nft command: $NFT" fi -MODPROBE="$(which modprobe)" -if [ ! -x "$MODPROBE" ] ; then - msg_error "no modprobe binary found" +NFT_REAL="${NFT_REAL-$NFT}" + +feature_probe() +{ + local with_path="$NFT_TEST_BASEDIR/features/$1" + + if [ -r "$with_path.nft" ] ; then + $NFT_TEST_UNSHARE_CMD "$NFT_REAL" --check -f "$with_path.nft" &>/dev/null + return $? + fi + + if [ -x "$with_path.sh" ] ; then + NFT="$NFT_REAL" $NFT_TEST_UNSHARE_CMD "$with_path.sh" &>/dev/null + return $? + fi + + return 1 +} + +for feat in "${_HAVE_OPTS[@]}" ; do + var="NFT_TEST_HAVE_$feat" + if [ -z "${!var+x}" ] ; then + val='y' + feature_probe "$feat" || val='n' + else + val="$(bool_n "${!var}")" + fi + eval "export $var=$val" + if [ "$NFT_TEST_HAS_UNSHARED" != y ] ; then + $NFT flush ruleset + fi +done + +if [ "$NFT_TEST_JOBS" -eq 0 ] ; then + MODPROBE="$(which modprobe)" + if [ ! -x "$MODPROBE" ] ; then + msg_error "no modprobe binary found" + fi fi DIFF="$(which diff)" @@ -48,23 +619,102 @@ if [ ! -x "$DIFF" ] ; then DIFF=true fi -if [ "$1" == "-v" ] ; then - VERBOSE=y - shift -fi +JOBS_PIDLIST_ARR=() +declare -A JOBS_PIDLIST -if [ "$1" == "-g" ] ; then - DUMPGEN=y - shift -fi +_NFT_TEST_VALGRIND_VGDB_PREFIX= + +cleanup_on_exit() { + pids_search='' + for pid in "${JOBS_PIDLIST_ARR[@]}" ; do + kill -- "-$pid" &>/dev/null + pids_search="$pids_search\\|\\<$pid\\>" + done + if [ -n "$pids_search" ] ; then + pids_search="${pids_search:2}" + for i in {1..100}; do + ps xh -o pgrp | grep -q "$pids_search" || break + sleep 0.01 + done + fi + if [ "$NFT_TEST_KEEP_LOGS" != y -a -n "$NFT_TEST_TMPDIR" ] ; then + rm -rf "$NFT_TEST_TMPDIR" + fi + if [ -n "$_NFT_TEST_VALGRIND_VGDB_PREFIX" ] ; then + rm -rf "$_NFT_TEST_VALGRIND_VGDB_PREFIX"* &>/dev/null + fi +} + +trap 'exit 130' SIGINT +trap 'exit 143' SIGTERM +trap 'rc=$?; cleanup_on_exit; exit $rc' EXIT + +TIMESTAMP=$(date '+%Y%m%d-%H%M%S.%3N') +NFT_TEST_TMPDIR="$(mktemp --tmpdir="$_TMPDIR" -d "nft-test.$TIMESTAMP$NFT_TEST_TMPDIR_TAG.XXXXXX")" || + msg_error "Failure to create temp directory in \"$_TMPDIR\"" +chmod 755 "$NFT_TEST_TMPDIR" + +exec &> >(tee "$NFT_TEST_TMPDIR/test.log") -for arg in "$@"; do - SINGLE+=" $arg" - VERBOSE=y +msg_info "conf: NFT=$(printf '%q' "$NFT")" +msg_info "conf: NFT_REAL=$(printf '%q' "$NFT_REAL")" +msg_info "conf: VERBOSE=$(printf '%q' "$VERBOSE")" +msg_info "conf: NFT_TEST_VERBOSE_TEST=$(printf '%q' "$NFT_TEST_VERBOSE_TEST")" +msg_info "conf: DUMPGEN=$(printf '%q' "$DUMPGEN")" +msg_info "conf: VALGRIND=$(printf '%q' "$VALGRIND")" +msg_info "conf: KMEMLEAK=$(printf '%q' "$KMEMLEAK")" +msg_info "conf: NFT_TEST_HAS_REALROOT=$(printf '%q' "$NFT_TEST_HAS_REALROOT")" +colorize_keywords value "$YELLOW" "$NFT_TEST_HAS_SOCKET_LIMITS" y +msg_info "conf: NFT_TEST_HAS_SOCKET_LIMITS=$value" +msg_info "conf: NFT_TEST_UNSHARE_CMD=$(printf '%q' "$NFT_TEST_UNSHARE_CMD")" +msg_info "conf: NFT_TEST_HAS_UNSHARED=$(printf '%q' "$NFT_TEST_HAS_UNSHARED")" +msg_info "conf: NFT_TEST_HAS_UNSHARED_MOUNT=$(printf '%q' "$NFT_TEST_HAS_UNSHARED_MOUNT")" +msg_info "conf: NFT_TEST_KEEP_LOGS=$(printf '%q' "$NFT_TEST_KEEP_LOGS")" +msg_info "conf: NFT_TEST_JOBS=$NFT_TEST_JOBS" +msg_info "conf: NFT_TEST_FAIL_ON_SKIP=$NFT_TEST_FAIL_ON_SKIP" +msg_info "conf: NFT_TEST_RANDOM_SEED=$NFT_TEST_RANDOM_SEED" +msg_info "conf: NFT_TEST_SHUFFLE_TESTS=$NFT_TEST_SHUFFLE_TESTS" +msg_info "conf: TMPDIR=$(printf '%q' "$_TMPDIR")" +echo +for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_' | sort) ; do + colorize_keywords value "$YELLOW" "${!KEY}" y + msg_info "conf: $KEY=$value" + export "$KEY" done +for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_' | sort) ; do + colorize_keywords value "$YELLOW" "${!KEY}" n + msg_info "conf: $KEY=$value" + export "$KEY" +done + +NFT_TEST_LATEST="$_TMPDIR/nft-test.latest.$USER" + +ln -snf "$NFT_TEST_TMPDIR" "$NFT_TEST_LATEST" + +# export the tmp directory for tests. They may use it, but create distinct +# files! On success, it will be deleted on EXIT. See also "--keep-logs" +export NFT_TEST_TMPDIR + +echo +msg_info "info: NFT_TEST_BASEDIR=$(printf '%q' "$NFT_TEST_BASEDIR")" +msg_info "info: NFT_TEST_TMPDIR=$(printf '%q' "$NFT_TEST_TMPDIR")" + +if [ "$VALGRIND" == "y" ]; then + NFT="$NFT_TEST_BASEDIR/helpers/nft-valgrind-wrapper.sh" + msg_info "info: NFT=$(printf '%q' "$NFT")" + _NFT_TEST_VALGRIND_VGDB_PREFIX="$NFT_TEST_TMPDIR_ORIG/vgdb-pipe-nft-test-$TIMESTAMP.$$.$RANDOM" + export _NFT_TEST_VALGRIND_VGDB_PREFIX +fi kernel_cleanup() { - $NFT flush ruleset + if [ "$NFT_TEST_JOBS" -ne 0 ] ; then + # When we run jobs in parallel (even with only one "parallel" + # job via `NFT_TEST_JOBS=1`), we skip such global cleanups. + return + fi + if [ "$NFT_TEST_HAS_UNSHARED" != y ] ; then + $NFT flush ruleset + fi $MODPROBE -raq \ nft_reject_ipv4 nft_reject_bridge nft_reject_ipv6 nft_reject \ nft_redir_ipv4 nft_redir_ipv6 nft_redir \ @@ -76,76 +726,273 @@ kernel_cleanup() { nft_fib nft_fib_ipv4 nft_fib_ipv6 nft_fib_inet \ nft_hash nft_ct nft_compat nft_rt nft_objref \ nft_set_hash nft_set_rbtree nft_set_bitmap \ + nft_synproxy nft_connlimit \ nft_chain_nat \ nft_chain_route_ipv4 nft_chain_route_ipv6 \ nft_dup_netdev nft_fwd_netdev \ - nft_reject nft_reject_inet \ + nft_reject nft_reject_inet nft_reject_netdev \ nf_tables_set nf_tables \ nf_flow_table nf_flow_table_ipv4 nf_flow_tables_ipv6 \ - nf_flow_table_inet nft_flow_offload + nf_flow_table_inet nft_flow_offload \ + nft_xfrm } -find_tests() { - if [ ! -z "$SINGLE" ] ; then - echo $SINGLE +echo "" +ok=0 +skipped=0 +failed=0 + +kmem_runs=0 +kmemleak_found=0 + +check_kmemleak_force() +{ + test -f /sys/kernel/debug/kmemleak || return 0 + + echo scan > /sys/kernel/debug/kmemleak + + lines=$(grep "unreferenced object" /sys/kernel/debug/kmemleak | wc -l) + if [ $lines -ne $kmemleak_found ];then + msg_warn "[FAILED] kmemleak detected $lines memory leaks" + kmemleak_found=$lines + fi + + if [ $lines -ne 0 ];then + return 1 + fi + + return 0 +} + +check_kmemleak() +{ + test -f /sys/kernel/debug/kmemleak || return + + if [ "$KMEMLEAK" == "y" ] ; then + check_kmemleak_force return fi - ${FIND} ${TESTDIR} -type f -executable | sort + + kmem_runs=$((kmem_runs + 1)) + if [ $((kmem_runs % 30)) -eq 0 ]; then + # scan slows tests down quite a bit, hence + # do this only for every 30th test file by + # default. + check_kmemleak_force + fi } -echo "" -ok=0 -failed=0 -for testfile in $(find_tests) -do - kernel_cleanup +read kernel_tainted < /proc/sys/kernel/tainted +if [ "$kernel_tainted" -ne 0 ] ; then + msg_warn "kernel is tainted" + echo +fi + +print_test_header() { + local msglevel="$1" + local testfile="$2" + local testidx_completed="$3" + local status="$4" + local text + local s_idx + + s_idx="${#TESTS[@]}" + align_text text right "${#s_idx}" "$testidx_completed" + s_idx="$text/${#TESTS[@]}" + + align_text text left 12 "[$status]" + _msg "$msglevel" "$text $s_idx $testfile" +} + +print_test_result() { + local NFT_TEST_TESTTMPDIR="$1" + local testfile="$2" + local rc_got="$3" - msg_info "[EXECUTING] $testfile" - test_output=$(NFT=$NFT DIFF=$DIFF ${testfile} 2>&1) - rc_got=$? - echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line + local result_msg_level="I" + local result_msg_files=( "$NFT_TEST_TESTTMPDIR/testout.log" "$NFT_TEST_TESTTMPDIR/ruleset-diff" ) + local result_msg_status if [ "$rc_got" -eq 0 ] ; then - # check nft dump only for positive tests - dumppath="$(dirname ${testfile})/dumps" - dumpfile="${dumppath}/$(basename ${testfile}).nft" - rc_spec=0 - if [ "$rc_got" -eq 0 ] && [ -f ${dumpfile} ]; then - test_output=$(${DIFF} -u ${dumpfile} <($NFT list ruleset) 2>&1) - rc_spec=$? + ((ok++)) + result_msg_status="${GREEN}OK$RESET" + elif [ "$rc_got" -eq 77 ] ; then + ((skipped++)) + result_msg_status="${YELLOW}SKIPPED$RESET" + else + ((failed++)) + result_msg_level="W" + if [ "$rc_got" -eq 121 ] ; then + result_msg_status="CHK DUMP" + elif [ "$rc_got" -eq 122 ] ; then + result_msg_status="VALGRIND" + elif [ "$rc_got" -eq 123 ] ; then + result_msg_status="TAINTED" + elif [ "$rc_got" -eq 124 ] ; then + result_msg_status="DUMP FAIL" + else + result_msg_status="FAILED" fi + result_msg_status="$RED$result_msg_status$RESET" + result_msg_files=( "$NFT_TEST_TESTTMPDIR/testout.log" ) + fi - if [ "$rc_spec" -eq 0 ]; then - msg_info "[OK] $testfile" - [ "$VERBOSE" == "y" ] && [ ! -z "$test_output" ] && echo "$test_output" - ((ok++)) + print_test_header "$result_msg_level" "$testfile" "$((ok + skipped + failed))" "$result_msg_status" - if [ "$DUMPGEN" == "y" ] && [ "$rc_got" == 0 ] && [ ! -f "${dumpfile}" ]; then - mkdir -p "${dumppath}" - nft list ruleset > "${dumpfile}" - fi - else - ((failed++)) - if [ "$VERBOSE" == "y" ] ; then - msg_warn "[DUMP FAIL] $testfile: dump diff detected" - [ ! -z "$test_output" ] && echo "$test_output" - else - msg_warn "[DUMP FAIL] $testfile" + if [ "$VERBOSE" = "y" ] ; then + local f + + for f in "${result_msg_files[@]}"; do + if [ -s "$f" ] ; then + cat "$f" fi + done + + if [ "$rc_got" -ne 0 ] ; then + msg_info "check \"$NFT_TEST_TESTTMPDIR\"" fi - else - ((failed++)) - if [ "$VERBOSE" == "y" ] ; then - msg_warn "[FAILED] $testfile: got $rc_got" - [ ! -z "$test_output" ] && echo "$test_output" + fi +} + +declare -A JOBS_TEMPDIR + +job_start() { + local testfile="$1" + local testidx="$2" + + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then + print_test_header I "$testfile" "$testidx" "EXECUTING" + fi + + NFT_TEST_TESTTMPDIR="${JOBS_TEMPDIR["$testfile"]}" \ + NFT="$NFT" \ + NFT_REAL="$NFT_REAL" \ + DIFF="$DIFF" \ + DUMPGEN="$DUMPGEN" \ + NFT_TEST_VERBOSE_TEST="$NFT_TEST_VERBOSE_TEST" \ + $NFT_TEST_UNSHARE_CMD "$NFT_TEST_BASEDIR/helpers/test-wrapper.sh" "$testfile" + local rc_got=$? + + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then + echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line + fi + + return "$rc_got" +} + +# `wait -p` is only supported since bash 5.1 +WAIT_SUPPORTS_P=1 +[ "${BASH_VERSINFO[0]}" -le 4 -o \( "${BASH_VERSINFO[0]}" -eq 5 -a "${BASH_VERSINFO[1]}" -eq 0 \) ] && WAIT_SUPPORTS_P=0 + +job_wait() +{ + local num_jobs="$1" + local JOBCOMPLETED + local rc_got + + while [ "${#JOBS_PIDLIST_ARR[@]}" -gt 0 -a "${#JOBS_PIDLIST_ARR[@]}" -ge "$num_jobs" ] ; do + if [ "$WAIT_SUPPORTS_P" = 1 ] ; then + wait -n -p JOBCOMPLETED + rc_got="$?" + array_remove_first JOBS_PIDLIST_ARR "$JOBCOMPLETED" else - msg_warn "[FAILED] $testfile" + # Without `wait -p` support, we need to explicitly wait + # for a PID. That reduces parallelism. + JOBCOMPLETED="${JOBS_PIDLIST_ARR[0]}" + JOBS_PIDLIST_ARR=( "${JOBS_PIDLIST_ARR[@]:1}" ) + wait -n "$JOBCOMPLETED" + rc_got="$?" fi - fi + + local testfile2="${JOBS_PIDLIST[$JOBCOMPLETED]}" + unset JOBS_PIDLIST[$JOBCOMPLETED] + print_test_result "${JOBS_TEMPDIR["$testfile2"]}" "$testfile2" "$rc_got" + check_kmemleak + done +} + +if [ "$NFT_TEST_SHUFFLE_TESTS" = y ] ; then + TESTS=( $(printf '%s\n' "${TESTS[@]}" | shuf --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "nft-test-shuffle-tests" "$NFT_TEST_RANDOM_SEED") ) ) +fi + +TESTIDX=0 +for testfile in "${TESTS[@]}" ; do + job_wait "$NFT_TEST_JOBS" + + kernel_cleanup + + ((TESTIDX++)) + + NFT_TEST_TESTTMPDIR="$NFT_TEST_TMPDIR/test-${testfile//\//-}.$TESTIDX" + mkdir "$NFT_TEST_TESTTMPDIR" + chmod 755 "$NFT_TEST_TESTTMPDIR" + JOBS_TEMPDIR["$testfile"]="$NFT_TEST_TESTTMPDIR" + + [[ -o monitor ]] && set_old_state='set -m' || set_old_state='set +m' + set -m + ( job_start "$testfile" "$TESTIDX" ) & + pid=$! + eval "$set_old_state" + JOBS_PIDLIST[$pid]="$testfile" + JOBS_PIDLIST_ARR+=( "$pid" ) done +job_wait 0 + echo "" -msg_info "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))" + +# kmemleak may report suspected leaks +# that get free'd after all, so always do +# a check after all test cases +# have completed and reset the counter +# so another warning gets emitted. +kmemleak_found=0 +check_kmemleak_force + +failed_total="$failed" +if [ "$NFT_TEST_FAIL_ON_SKIP" = y ] ; then + failed_total="$((failed_total + skipped))" +fi + +if [ "$failed_total" -gt 0 ] ; then + RR="$RED" +elif [ "$skipped" -gt 0 ] ; then + RR="$YELLOW" +else + RR="$GREEN" +fi +msg_info "${RR}results$RESET: [OK] $GREEN$ok$RESET [SKIPPED] $YELLOW$skipped$RESET [FAILED] $RED$failed$RESET [TOTAL] $((ok+skipped+failed))" kernel_cleanup -exit $failed + +# ( \ +# for d in /tmp/nft-test.latest.*/test-*/ ; do \ +# printf '%10.2f %s\n' \ +# "$(sed '1!d' "$d/times")" \ +# "$(cat "$d/name")" ; \ +# done \ +# | sort -n \ +# | awk '{print $0; s+=$1} END{printf("%10.2f\n", s)}' ; \ +# printf '%10.2f wall time\n' "$(sed '1!d' /tmp/nft-test.latest.*/times)" \ +# ) +END_TIME="$(cut -d ' ' -f1 /proc/uptime)" +WALL_TIME="$(awk -v start="$START_TIME" -v end="$END_TIME" "BEGIN { print(end - start) }")" +printf "%s\n" "$WALL_TIME" "$START_TIME" "$END_TIME" > "$NFT_TEST_TMPDIR/times" + +if [ "$failed_total" -gt 0 -o "$NFT_TEST_KEEP_LOGS" = y ] ; then + msg_info "check the temp directory \"$NFT_TEST_TMPDIR\" (\"$NFT_TEST_LATEST\")" + msg_info " ls -lad \"$NFT_TEST_LATEST\"/*/*" + msg_info " grep -R ^ \"$NFT_TEST_LATEST\"/" + NFT_TEST_TMPDIR= +fi + +if [ "$failed" -gt 0 ] ; then + exit 1 +elif [ "$NFT_TEST_FAIL_ON_SKIP" = y -a "$skipped" -gt 0 ] ; then + msg_info "some tests were skipped. Fail due to NFT_TEST_FAIL_ON_SKIP=y" + exit 1 +elif [ "$ok" -eq 0 -a "$skipped" -gt 0 ] ; then + exit 77 +else + exit 0 +fi diff --git a/tests/shell/testcases/bitwise/0040mark_binop_0 b/tests/shell/testcases/bitwise/0040mark_binop_0 new file mode 100755 index 00000000..4ecc9d3d --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_0 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook output priority filter; } + add rule t c oif lo ct mark set (meta mark | 0x10) << 8 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_1 b/tests/shell/testcases/bitwise/0040mark_binop_1 new file mode 100755 index 00000000..bd9e028d --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_1 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook input priority filter; } + add rule t c iif lo ct mark & 0xff 0x10 meta mark set ct mark >> 8 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_2 b/tests/shell/testcases/bitwise/0040mark_binop_2 new file mode 100755 index 00000000..5e66a27a --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_2 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook output priority filter; } + add rule t c ct mark set ip dscp lshift 2 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_3 b/tests/shell/testcases/bitwise/0040mark_binop_3 new file mode 100755 index 00000000..21dda670 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_3 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook input priority filter; } + add rule t c meta mark set ip dscp lshift 2 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_4 b/tests/shell/testcases/bitwise/0040mark_binop_4 new file mode 100755 index 00000000..e5c8a42a --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_4 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook output priority filter; } + add rule t c ct mark set ip dscp lshift 26 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_5 b/tests/shell/testcases/bitwise/0040mark_binop_5 new file mode 100755 index 00000000..184fbed0 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_5 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook input priority filter; } + add rule t c meta mark set ip dscp lshift 26 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_6 b/tests/shell/testcases/bitwise/0040mark_binop_6 new file mode 100755 index 00000000..129dd5c0 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_6 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook output priority filter; } + add rule ip6 t c ct mark set ip6 dscp lshift 2 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_7 b/tests/shell/testcases/bitwise/0040mark_binop_7 new file mode 100755 index 00000000..791a7943 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_7 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook input priority filter; } + add rule ip6 t c meta mark set ip6 dscp lshift 2 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_8 b/tests/shell/testcases/bitwise/0040mark_binop_8 new file mode 100755 index 00000000..5e7bd28d --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_8 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook output priority filter; } + add rule ip6 t c ct mark set ip6 dscp lshift 26 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_9 b/tests/shell/testcases/bitwise/0040mark_binop_9 new file mode 100755 index 00000000..a7b60fb8 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_9 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook input priority filter; } + add rule ip6 t c meta mark set ip6 dscp lshift 26 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.json-nft new file mode 100644 index 00000000..8973de85 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "<<": [ + { + "|": [ + { + "meta": { + "key": "mark" + } + }, + 16 + ] + }, + 8 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft new file mode 100644 index 00000000..fc0a600a --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook output priority filter; policy accept; + oif "lo" ct mark set (meta mark | 0x00000010) << 8 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.json-nft new file mode 100644 index 00000000..ed8e1a0d --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.json-nft @@ -0,0 +1,86 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "lo" + } + }, + { + "match": { + "op": "==", + "left": { + "&": [ + { + "ct": { + "key": "mark" + } + }, + 255 + ] + }, + "right": 16 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + ">>": [ + { + "ct": { + "key": "mark" + } + }, + 8 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft new file mode 100644 index 00000000..dbaacefb --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook input priority filter; policy accept; + iif "lo" ct mark & 0x000000ff == 0x00000010 meta mark set ct mark >> 8 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.json-nft new file mode 100644 index 00000000..3cd9a831 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 2 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft new file mode 100644 index 00000000..2b9be36e --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ip dscp << 2 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.json-nft new file mode 100644 index 00000000..00c5b78a --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 2 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft new file mode 100644 index 00000000..8206fec0 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ip dscp << 2 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.json-nft new file mode 100644 index 00000000..3aa81605 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 26 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft new file mode 100644 index 00000000..91d9f566 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ip dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.json-nft new file mode 100644 index 00000000..a3214973 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 26 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft new file mode 100644 index 00000000..f2b51eb8 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ip dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.json-nft new file mode 100644 index 00000000..2de0323d --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 2 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft new file mode 100644 index 00000000..cf7be90c --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ip6 dscp << 2 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.json-nft new file mode 100644 index 00000000..72aee701 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 2 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft new file mode 100644 index 00000000..a9663e62 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ip6 dscp << 2 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.json-nft new file mode 100644 index 00000000..1cf84be5 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 26 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft new file mode 100644 index 00000000..04b866ad --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ip6 dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.json-nft new file mode 100644 index 00000000..6f4494b1 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 26 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft new file mode 100644 index 00000000..d4745ea4 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ip6 dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bogons/assert_failures b/tests/shell/testcases/bogons/assert_failures new file mode 100755 index 00000000..79099427 --- /dev/null +++ b/tests/shell/testcases/bogons/assert_failures @@ -0,0 +1,12 @@ +#!/bin/bash + +dir=$(dirname $0)/nft-f/ + +for f in $dir/*; do + $NFT --check -f "$f" + + if [ $? -ne 1 ]; then + echo "Bogus input file $f did not cause expected error code" 1>&2 + exit 111 + fi +done diff --git a/tests/shell/testcases/bogons/dumps/assert_failures.json-nft b/tests/shell/testcases/bogons/dumps/assert_failures.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/bogons/dumps/assert_failures.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/bogons/dumps/assert_failures.nft b/tests/shell/testcases/bogons/dumps/assert_failures.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/bogons/dumps/assert_failures.nft diff --git a/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash new file mode 100644 index 00000000..80a01b45 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash @@ -0,0 +1,11 @@ +table t { + set candidates_ipv4 { + type ipv4_addr . inet_service + size 65535 + flags dynamic,timeout + } + + chain input { + tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10 :0004 timeout 1s } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert new file mode 100644 index 00000000..e8436008 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert @@ -0,0 +1,5 @@ +table ip t { + chain c { + oifname set ip9dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert b/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert new file mode 100644 index 00000000..0e75e6f1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert @@ -0,0 +1,5 @@ +table inet t { + chain c { + udp length . @th,160,138 vmap { 47-63 . 0xe37313536313033&131303735353203 : accept } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow new file mode 100644 index 00000000..01640528 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow @@ -0,0 +1,6 @@ +table inet x { + chain nat_dns_acme { + udp length . @th,260,118 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, } + drop + } +} diff --git a/tests/shell/testcases/bogons/nft-f/counter_objref_crash b/tests/shell/testcases/bogons/nft-f/counter_objref_crash new file mode 100644 index 00000000..3a4b981b --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/counter_objref_crash @@ -0,0 +1,5 @@ +table inet x { + chain y { + counter name ip saddr bytes 1.1.1. 1024 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow b/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow new file mode 100644 index 00000000..18eb25eb --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow @@ -0,0 +1,14 @@ +table inet filter { + ct helper sip-5060u { + type "sip" protocol udp + l3proto ip + }5060t { + type "sip" protocol tcp + l3pownerip + } + + chain input { + type filtol/dev/stdinok input priority f)lser; policy accept; + ct helper set ip protocol . th dport map { udp . 1-20000 : "si60u", tcp . 10000-20000 : "sip-5060t" } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak new file mode 100644 index 00000000..014525a3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak @@ -0,0 +1,7 @@ +table ip filter { + ct timeout cttime { + protocol tcp + l3proto ip + policy = { estabQisheestablished : 2m3s, cd : 2m3s, } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree new file mode 100644 index 00000000..28b1a211 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree @@ -0,0 +1,5 @@ +table ip filter { + ct timeout cttime { + protocol tcp + l3proto ip + policy = { close : 12s } diff --git a/tests/shell/testcases/bogons/nft-f/define_policy_assert b/tests/shell/testcases/bogons/nft-f/define_policy_assert new file mode 100644 index 00000000..f1e58b55 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/define_policy_assert @@ -0,0 +1,3 @@ +chain y x { priority filter +define p = foo +policy $p diff --git a/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert b/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert new file mode 100644 index 00000000..b7a9a1cc --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert @@ -0,0 +1,6 @@ +table inet t { + chain c { + udp length . @th,160,118 vmap { 47-63 . 0xe3731353631303331313037353532/3 : accept } + jump noexist # only here so this fails to load after patch. + } +} diff --git a/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges b/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges new file mode 100644 index 00000000..efaff9e5 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges @@ -0,0 +1,14 @@ +define dev = "1"-"2" + +table netdev t { + chain c { + fwd to 1-2 + dup to 1-2 + } +} + +table ip t { + chain c { + dup to 1-2 device $dev + } +} diff --git a/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix new file mode 100644 index 00000000..23c2dc31 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport set ip daddr map { 192.168.0.1 : 0x000/0001 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert b/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert new file mode 100644 index 00000000..43d72c4d --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert @@ -0,0 +1,5 @@ +table ip6 t { + chain c { + ip6 nexthdr comp udp dport 4789 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug b/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug new file mode 100644 index 00000000..e307e7cc --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug @@ -0,0 +1 @@ +add rule t c ip option ra set 0-1 diff --git a/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash b/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash new file mode 100644 index 00000000..8d1da726 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash @@ -0,0 +1,5 @@ +table t { + chain c { + meta oifname^a^b^c^d^e^f^g^h^i^j^k^l^m^n^o^p^q^r^s^t^u^v^w^x^y^z^A^B^C^D^E^F^G^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z^0^1^2^3^4^5^6^7^8^9 bar + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert b/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert new file mode 100644 index 00000000..161f867d --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert @@ -0,0 +1,5 @@ +table inet x { + chain c { + udp length vmap { 1 : goto rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert b/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert new file mode 100644 index 00000000..3c2c0d3e --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert @@ -0,0 +1,7 @@ +define huge = rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr + +table t { + chain d { + jump $huge + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_prio b/tests/shell/testcases/bogons/nft-f/huge_chain_prio new file mode 100644 index 00000000..41f8061a --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_prio @@ -0,0 +1,5 @@ +table t { + chain c { + type filter hook input priority srcnDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD#DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD; policy accept; + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_shift_assert b/tests/shell/testcases/bogons/nft-f/huge_shift_assert new file mode 100644 index 00000000..7599f850 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_shift_assert @@ -0,0 +1,5 @@ +table ip t { + chain c { + counter name meta mark >> 88888888888888888888 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert b/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert new file mode 100644 index 00000000..1fc85b29 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert @@ -0,0 +1 @@ +rule t c reject with icmp 512 diff --git a/tests/shell/testcases/bogons/nft-f/include-device b/tests/shell/testcases/bogons/nft-f/include-device new file mode 100644 index 00000000..1eb79773 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/include-device @@ -0,0 +1 @@ +include "/dev/null" diff --git a/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert new file mode 100644 index 00000000..7205ff4f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert @@ -0,0 +1 @@ +xy mame ip saddr map h& p p diff --git a/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop b/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop new file mode 100644 index 00000000..514d6ffe --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop @@ -0,0 +1,12 @@ +table ip x { + map z { + type ipv4_addr : ipv4_addr + elements = { 1&.141.0.1 - 192.168.0.2} + } + + map z { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.141.0.0, * : 192.168.0.4 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/map_without_key b/tests/shell/testcases/bogons/nft-f/map_without_key new file mode 100644 index 00000000..78f16b23 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/map_without_key @@ -0,0 +1,5 @@ +table t { + map m { + elements = { 0x00000023 : 0x00001337 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash b/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash new file mode 100644 index 00000000..9f7084c8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash @@ -0,0 +1 @@ +bla to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 } bla diff --git a/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error b/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error new file mode 100644 index 00000000..6f52658f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error @@ -0,0 +1,21 @@ +table ip filter { + ct expectation ctexpect { + protocol tcp + size 12 + l3proto ip + } . inet_proto : mark + flags interval,timeout + } + + chain output { + type gilter hook output priori + + chain c { + cttable inet filter { + map test { + type mark . inet_service . inet_proto : mark + flags interval,timeout + } + + chain output { + type gilter hook output priority filuer; policy
\ No newline at end of file diff --git a/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath b/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath new file mode 100644 index 00000000..917e8bf8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath @@ -0,0 +1,5 @@ +table filter { + chain y { + meta seccark set ct secmark + } +} diff --git a/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert new file mode 100644 index 00000000..18c7edd1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert @@ -0,0 +1,7 @@ +table ip x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.1 } + } +} + diff --git a/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map b/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map new file mode 100644 index 00000000..b1302278 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map @@ -0,0 +1,10 @@ +table inet x { + set y { + type ipv4_addr + elements = { 2.2.2.2, 3.3.3.3 } + } + + chain y { + snat ip to ip saddr map @y + } +} diff --git a/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert b/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert new file mode 100644 index 00000000..547b937f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert @@ -0,0 +1,6 @@ +table ip x { + map sctm_o1 { + type mark : counter + counter name meta mark + } +} diff --git a/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash new file mode 100644 index 00000000..16d3e41f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash @@ -0,0 +1 @@ +cPoR et ip dscp << 2>0 ,xl rt ipsec c0tt in tabl rt ipsec cl diff --git a/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert b/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert new file mode 100644 index 00000000..d880a377 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert @@ -0,0 +1,6 @@ +table t { + chain y { + type filter hook input priority filter; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "x*" } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert b/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert new file mode 100644 index 00000000..64bd596a --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert @@ -0,0 +1 @@ +x x comp nexthdr comp diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store b/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store new file mode 100644 index 00000000..c1358df4 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store @@ -0,0 +1 @@ +add rule f i @th,1,128 set 1 diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert b/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert new file mode 100644 index 00000000..f85a04e7 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert @@ -0,0 +1 @@ +add rule t c @th,0,0 0 diff --git a/tests/shell/testcases/bogons/nft-f/scope_underflow_assert b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert new file mode 100644 index 00000000..aee1dcbf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert @@ -0,0 +1,6 @@ +table t { + chain c { + jump{ + jump { + jump + diff --git a/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert b/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert new file mode 100644 index 00000000..59ef1ab3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert @@ -0,0 +1,12 @@ +table inet testifsets { + map map_wild { elements = { "abcdex*", + "othername", + "ppp0" } + } + map map_wild { + type ifname : verdict + flags interval + elements = { "abcdez*" : jump do_nothing, + "eth0" : jump do_nothing } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/set_without_key b/tests/shell/testcases/bogons/nft-f/set_without_key new file mode 100644 index 00000000..f194afbf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/set_without_key @@ -0,0 +1,5 @@ +table ip t { + set s { + elements = { 0x00000023-0x00000142, 0x00001337 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr new file mode 100644 index 00000000..8b0d2744 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr @@ -0,0 +1,5 @@ +table t { + chain c { + udp length . @th,0,512 . @th,512,512 { 47-63 . 0xe373135363130 . 0x33131303735353203 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr new file mode 100644 index 00000000..66bd6bf8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr @@ -0,0 +1,5 @@ +table t { + chain c { + @th,160,1272 gt 0 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow b/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow new file mode 100644 index 00000000..ea7186bf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow @@ -0,0 +1,6 @@ +table t { +map m { + type ipv4_addr : classid + elements = { 1.1.26.3 : ::a } +} +} diff --git a/tests/shell/testcases/bogons/nft-f/tcp_option_without_template b/tests/shell/testcases/bogons/nft-f/tcp_option_without_template new file mode 100644 index 00000000..fd732fd3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tcp_option_without_template @@ -0,0 +1 @@ +add rule f i tcp option nop length . @ih,32,3 1 diff --git a/tests/shell/testcases/bogons/nft-f/tproxy_ranges b/tests/shell/testcases/bogons/nft-f/tproxy_ranges new file mode 100644 index 00000000..1230860e --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tproxy_ranges @@ -0,0 +1,8 @@ +define range = 42-80 + +table t { + chain c { + tcp dport 42 tproxy to 192.168.0.1:$range + tcp dport 42 tproxy to 192.168.0.0/16 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert new file mode 100644 index 00000000..35eecf60 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip protocol . th dport { tcp / 22, udp . 67 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map new file mode 100644 index 00000000..3da16ce1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map @@ -0,0 +1,5 @@ +table ip x { + chain y { + meta mark set ip protocol . th dport map { tcp / 22 : 1234, udp . 67 : 1234 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap new file mode 100644 index 00000000..f4dc273f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip protocol . th dport vmap { tcp / 22 : accept, udp . 67 : drop } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert b/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert new file mode 100644 index 00000000..e6206736 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert @@ -0,0 +1,7 @@ +table ip x { + chain k { + meta mark set 0x001-3434 + ct mark set 0x001-3434 + tcp dport set 1-3 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal b/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal new file mode 100644 index 00000000..bb9632b0 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal @@ -0,0 +1,5 @@ +delete chain d iUi { +}} +delete chain d hUi { +delete chain o +c b icmpv6 id$i diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert new file mode 100644 index 00000000..fe416f85 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert @@ -0,0 +1,5 @@ +table netdev x { + chain Main_Ingress1 { + type filter hook ingress device "" priority -1 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert new file mode 100644 index 00000000..84f33073 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert @@ -0,0 +1,5 @@ +table ip x { + chain Main_Ingress1 { + type filter hook ingress device""lo" priority -1 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert new file mode 100644 index 00000000..2c3e6c3f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert @@ -0,0 +1,5 @@ +table t { + flowtable f { + devices = { """"lo } + } +} diff --git a/tests/shell/testcases/cache/0008_delete_by_handle_0 b/tests/shell/testcases/cache/0008_delete_by_handle_0 new file mode 100755 index 00000000..0db4c693 --- /dev/null +++ b/tests/shell/testcases/cache/0008_delete_by_handle_0 @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +$NFT add table t +HANDLE=`$NFT -a list ruleset | grep "table.*handle" | cut -d' ' -f7` +$NFT delete table handle $HANDLE + +$NFT add table t + +$NFT add chain t c +HANDLE=`$NFT -a list ruleset | grep "chain.*handle" | cut -d' ' -f6` +$NFT delete chain t handle $HANDLE + +$NFT add set t s { type ipv4_addr\; } +HANDLE=`$NFT -a list ruleset | grep "set.*handle" | cut -d' ' -f6` +$NFT delete set t handle $HANDLE + +$NFT add flowtable t f { hook ingress priority 0\; devices = { lo } \; } +HANDLE=`$NFT -a list ruleset | grep "flowtable.*handle" | cut -d' ' -f6` +$NFT delete flowtable t handle $HANDLE + +$NFT add counter t x +HANDLE=`$NFT -a list ruleset | grep "counter.*handle" | cut -d' ' -f6` +$NFT delete counter t handle $HANDLE diff --git a/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0 b/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0 new file mode 100755 index 00000000..f0bb02a6 --- /dev/null +++ b/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0 @@ -0,0 +1,8 @@ +#!/bin/bash + +$NFT delete table handle 4000 && exit 1 +$NFT delete chain t handle 4000 && exit 1 +$NFT delete set t handle 4000 && exit 1 +$NFT delete flowtable t handle 4000 && exit 1 +$NFT delete counter t handle 4000 && exit 1 +exit 0 diff --git a/tests/shell/testcases/cache/0010_implicit_chain_0 b/tests/shell/testcases/cache/0010_implicit_chain_0 new file mode 100755 index 00000000..834dc6e4 --- /dev/null +++ b/tests/shell/testcases/cache/0010_implicit_chain_0 @@ -0,0 +1,21 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding) + +set -e + +EXPECTED="table ip f { + chain c { + jump { + accept + } + } +}" + +$NFT 'table ip f { chain c { jump { accept; }; }; }' +GET="$($NFT list chain ip f c)" + +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/cache/0011_index_0 b/tests/shell/testcases/cache/0011_index_0 new file mode 100755 index 00000000..c9eb8683 --- /dev/null +++ b/tests/shell/testcases/cache/0011_index_0 @@ -0,0 +1,12 @@ +#!/bin/bash + +set -e + +RULESET="flush ruleset +add table inet t +add chain inet t c { type filter hook input priority 0 ; } +add rule inet t c tcp dport 1234 accept +add rule inet t c accept +insert rule inet t c index 1 udp dport 4321 accept" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft new file mode 100644 index 00000000..7a2eacdd --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft @@ -0,0 +1,142 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "test", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "3.3.3.3" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "2.2.2.2", + "4.4.4.4" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@test" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "2.2.2.2", + "4.4.4.4" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft b/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft new file mode 100644 index 00000000..fa15d658 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft b/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft new file mode 100644 index 00000000..e09a694c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft @@ -0,0 +1,137 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t2", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t3", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t4", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "icmp" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "igmp" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft new file mode 100644 index 00000000..43898d33 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft @@ -0,0 +1,18 @@ +table ip t { + chain c { + } +} +table ip t2 { + chain c { + } +} +table ip t3 { +} +table ip t4 { + chain c { + meta l4proto icmp accept + drop + meta l4proto igmp accept + drop + } +} diff --git a/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft b/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft new file mode 100644 index 00000000..d1864f00 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft @@ -0,0 +1,42 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "testfilter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testfilter", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "testfilter", + "chain": "test", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft new file mode 100644 index 00000000..4f5761bc --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft @@ -0,0 +1,5 @@ +table inet testfilter { + chain test { + counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft new file mode 100644 index 00000000..1c47d3ef --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft @@ -0,0 +1,77 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "mapping", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service", + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "map": "@mapping" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft new file mode 100644 index 00000000..8ab55a2c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft @@ -0,0 +1,14 @@ +table ip x { + map mapping { + type ipv4_addr : inet_service + size 65535 + flags dynamic,timeout + } + + chain y { + update @mapping { ip saddr : tcp sport } + } + + chain z { + } +} diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft new file mode 100644 index 00000000..1c47d3ef --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft @@ -0,0 +1,77 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "mapping", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service", + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "map": "@mapping" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft new file mode 100644 index 00000000..8ab55a2c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft @@ -0,0 +1,14 @@ +table ip x { + map mapping { + type ipv4_addr : inet_service + size 65535 + flags dynamic,timeout + } + + chain y { + update @mapping { ip saddr : tcp sport } + } + + chain z { + } +} diff --git a/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft new file mode 100644 index 00000000..0968d8a4 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft @@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "first", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "second", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "third", + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft diff --git a/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft new file mode 100644 index 00000000..aba92c0e --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft @@ -0,0 +1,7 @@ +table ip f { + chain c { + jump { + accept + } + } +} diff --git a/tests/shell/testcases/cache/dumps/0011_index_0.json-nft b/tests/shell/testcases/cache/dumps/0011_index_0.json-nft new file mode 100644 index 00000000..46b2909f --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0011_index_0.json-nft @@ -0,0 +1,93 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1234 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4321 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0011_index_0.nft b/tests/shell/testcases/cache/dumps/0011_index_0.nft new file mode 100644 index 00000000..7e855eb1 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0011_index_0.nft @@ -0,0 +1,8 @@ +table inet t { + chain c { + type filter hook input priority filter; policy accept; + tcp dport 1234 accept + udp dport 4321 accept + accept + } +} diff --git a/tests/shell/testcases/chains/0012reject_in_prerouting_1 b/tests/shell/testcases/chains/0012reject_in_prerouting_1 deleted file mode 100755 index 0ee86c11..00000000 --- a/tests/shell/testcases/chains/0012reject_in_prerouting_1 +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -set -e - -$NFT add table t -$NFT add chain t prerouting {type filter hook prerouting priority 0 \; } - -# wrong hook prerouting, only input/forward/output is valid -$NFT add rule t prerouting reject 2>/dev/null || exit 0 -echo "E: accepted reject in prerouting hook" >&2 -exit 1 diff --git a/tests/shell/testcases/chains/0014rename_0 b/tests/shell/testcases/chains/0014rename_0 index bebe48d6..bd84e957 100755 --- a/tests/shell/testcases/chains/0014rename_0 +++ b/tests/shell/testcases/chains/0014rename_0 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash $NFT add table t || exit 1 $NFT add chain t c1 || exit 1 diff --git a/tests/shell/testcases/chains/0021prio_0 b/tests/shell/testcases/chains/0021prio_0 index e7612974..ceda1558 100755 --- a/tests/shell/testcases/chains/0021prio_0 +++ b/tests/shell/testcases/chains/0021prio_0 @@ -69,6 +69,7 @@ done family=netdev echo "add table $family x" gen_chains $family ingress filter lo +[ "$NFT_TEST_HAVE_netdev_egress" != n ] && gen_chains $family egress filter lo family=bridge echo "add table $family x" @@ -82,3 +83,8 @@ gen_chains $family postrouting srcnat ) >$tmpfile $NFT -f $tmpfile + +if [ "$NFT_TEST_HAVE_netdev_egress" = n ]; then + echo "Ran a modified version of the test due to NFT_TEST_HAVE_netdev_egress=n" + exit 77 +fi diff --git a/tests/shell/testcases/chains/0023prio_inet_srcnat_1 b/tests/shell/testcases/chains/0023prio_inet_srcnat_1 index d2b1fa43..e4a668e1 100755 --- a/tests/shell/testcases/chains/0023prio_inet_srcnat_1 +++ b/tests/shell/testcases/chains/0023prio_inet_srcnat_1 @@ -2,7 +2,7 @@ for family in ip ip6 inet do - for hook in prerouting input forward output + for hook in prerouting forward output do $NFT add table $family x $NFT add chain $family x y "{ type filter hook $hook priority srcnat; }" &> /dev/null diff --git a/tests/shell/testcases/chains/0024prio_inet_dstnat_1 b/tests/shell/testcases/chains/0024prio_inet_dstnat_1 index d112f2c9..f1b802a0 100755 --- a/tests/shell/testcases/chains/0024prio_inet_dstnat_1 +++ b/tests/shell/testcases/chains/0024prio_inet_dstnat_1 @@ -2,7 +2,7 @@ for family in ip ip6 inet do - for hook in input forward output postrouting + for hook in input forward postrouting do $NFT add table $family x $NFT add chain $family x y "{ type filter hook $hook priority dstnat; }" &> /dev/null diff --git a/tests/shell/testcases/chains/0026prio_netdev_1 b/tests/shell/testcases/chains/0026prio_netdev_1 index aa902e9b..b6fa3db5 100755 --- a/tests/shell/testcases/chains/0026prio_netdev_1 +++ b/tests/shell/testcases/chains/0026prio_netdev_1 @@ -1,7 +1,8 @@ #!/bin/bash family=netdev - hook=ingress + for hook in ingress egress + do for prioname in raw mangle dstnat security srcnat do $NFT add table $family x || exit 1 @@ -12,4 +13,5 @@ family=netdev exit 1 fi done + done exit 0 diff --git a/tests/shell/testcases/chains/0030create_0 b/tests/shell/testcases/chains/0030create_0 index 0b457f91..0b457f91 100644..100755 --- a/tests/shell/testcases/chains/0030create_0 +++ b/tests/shell/testcases/chains/0030create_0 diff --git a/tests/shell/testcases/chains/0032priority_variable_0 b/tests/shell/testcases/chains/0032priority_variable_0 index 51bc5eb1..8f2e57b9 100755 --- a/tests/shell/testcases/chains/0032priority_variable_0 +++ b/tests/shell/testcases/chains/0032priority_variable_0 @@ -6,12 +6,22 @@ set -e RULESET=" define pri = 10 +define post = -10 +define for = \"filter - 100\" table inet global { chain prerouting { type filter hook prerouting priority \$pri policy accept } + chain forward { + type filter hook prerouting priority \$for + policy accept + } + chain postrouting { + type filter hook postrouting priority \$post + policy accept + } }" $NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/chains/0041chain_binding_0 b/tests/shell/testcases/chains/0041chain_binding_0 new file mode 100755 index 00000000..141a4b6d --- /dev/null +++ b/tests/shell/testcases/chains/0041chain_binding_0 @@ -0,0 +1,29 @@ +#!/bin/bash + +# no table x, caused segfault in earlier nft releases +$NFT insert rule inet x y handle 107 'goto { log prefix "MOO! "; }' +if [ $? -ne 1 ]; then + exit 1 +fi + +if [ $NFT_TEST_HAVE_chain_binding = "n" ] ; then + echo "Test partially skipped due to NFT_TEST_HAVE_chain_binding=n" + exit 77 +fi + +set -e + +EXPECTED="table inet x { + chain y { + type filter hook input priority 0; + meta l4proto { tcp, udp } th dport 53 jump { + ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter accept + ip6 saddr ::1/128 counter accept + } + } +}" + +$NFT -f - <<< $EXPECTED +$NFT add rule inet x y meta l4proto icmpv6 jump { counter accept\; } +$NFT add rule inet x y meta l4proto sctp jump { drop\; } +$NFT delete rule inet x y handle 13 diff --git a/tests/shell/testcases/chains/0042chain_variable_0 b/tests/shell/testcases/chains/0042chain_variable_0 new file mode 100755 index 00000000..c5de495e --- /dev/null +++ b/tests/shell/testcases/chains/0042chain_variable_0 @@ -0,0 +1,71 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_multidevice) + +set -e + +ip link add name d23456789012345 type dummy + + +EXPECTED="define if_main = \"lo\" + +table netdev filter1 { + chain Main_Ingress1 { + type filter hook ingress device \$if_main priority -500; policy accept; + } +}" + +$NFT -f - <<< $EXPECTED + + +EXPECTED="define if_main = \"lo\" + +table netdev filter2 { + chain Main_Ingress2 { + type filter hook ingress devices = { \$if_main, d23456789012345x } priority -500; policy accept; + } +}" + +rc=0 +$NFT -f - <<< $EXPECTED || rc=$? +test "$rc" = 1 +cat <<EOF | $DIFF -u <($NFT list ruleset) - +table netdev filter1 { + chain Main_Ingress1 { + type filter hook ingress device "lo" priority -500; policy accept; + } +} +EOF + + +EXPECTED="define if_main = \"lo\" + +table netdev filter2 { + chain Main_Ingress2 { + type filter hook ingress devices = { \$if_main, d23456789012345 } priority -500; policy accept; + } +}" + +$NFT -f - <<< $EXPECTED + + +if [ "$NFT_TEST_HAVE_netdev_egress" = n ] ; then + echo "Skip parts of the test due to NFT_TEST_HAVE_netdev_egress=n" + exit 77 +fi + + +EXPECTED="define if_main = { lo, d23456789012345 } +define lan_interfaces = { lo } + +table netdev filter3 { + chain Main_Ingress3 { + type filter hook ingress devices = \$if_main priority -500; policy accept; + } + chain Main_Egress3 { + type filter hook egress devices = \$lan_interfaces priority -500; policy accept; + } +}" + +$NFT -f - <<< $EXPECTED + diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0 new file mode 100755 index 00000000..a6973b99 --- /dev/null +++ b/tests/shell/testcases/chains/0043chain_ingress_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress) + +set -e +RULESET="table inet filter { + chain ingress { + type filter hook ingress device \"lo\" priority filter; policy accept; + } + chain input { + type filter hook input priority filter; policy accept; + } + chain forward { + type filter hook forward priority filter; policy accept; + } +}" + +$NFT -f - <<< "$RULESET" && exit 0 +exit 1 diff --git a/tests/shell/testcases/chains/0044chain_destroy_0 b/tests/shell/testcases/chains/0044chain_destroy_0 new file mode 100755 index 00000000..5c5a10a7 --- /dev/null +++ b/tests/shell/testcases/chains/0044chain_destroy_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table t + +# pass for non-existent chain +$NFT destroy chain t c + +# successfully delete existing chain +$NFT add chain t c +$NFT destroy chain t c diff --git a/tests/shell/testcases/chains/dumps/0001jumps_0.json-nft b/tests/shell/testcases/chains/dumps/0001jumps_0.json-nft new file mode 100644 index 00000000..ceef3224 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0001jumps_0.json-nft @@ -0,0 +1,371 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c5", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c7", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c11", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c12", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c13", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c14", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c15", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c16", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c3" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c3", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c4", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c5" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c5", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c6" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c6", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c7" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c7", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c8" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c10" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c10", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c11" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c11", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c12" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c12", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c13" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c13", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c14" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c14", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c15" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c15", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c16" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0002jumps_1.json-nft b/tests/shell/testcases/chains/dumps/0002jumps_1.json-nft new file mode 100644 index 00000000..66f921a0 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0002jumps_1.json-nft @@ -0,0 +1,383 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c5", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c7", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c11", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c12", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c13", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c14", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c15", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c16", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c17", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c3" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c3", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c4", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c5" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c5", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c6" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c6", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c7" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c7", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c8" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c10" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c10", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c11" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c11", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c12" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c12", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c13" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c13", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c14" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c14", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c15" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c15", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c16" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0002jumps_1.nft b/tests/shell/testcases/chains/dumps/0002jumps_1.nft new file mode 100644 index 00000000..ed37ad0e --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0002jumps_1.nft @@ -0,0 +1,68 @@ +table ip t { + chain c1 { + type filter hook input priority filter; policy accept; + jump c2 + } + + chain c2 { + jump c3 + } + + chain c3 { + jump c4 + } + + chain c4 { + jump c5 + } + + chain c5 { + jump c6 + } + + chain c6 { + jump c7 + } + + chain c7 { + jump c8 + } + + chain c8 { + jump c9 + } + + chain c9 { + jump c10 + } + + chain c10 { + jump c11 + } + + chain c11 { + jump c12 + } + + chain c12 { + jump c13 + } + + chain c13 { + jump c14 + } + + chain c14 { + jump c15 + } + + chain c15 { + jump c16 + } + + chain c16 { + } + + chain c17 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft new file mode 100644 index 00000000..ceef3224 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft @@ -0,0 +1,371 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c5", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c7", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c11", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c12", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c13", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c14", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c15", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c16", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c3" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c3", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c4", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c5" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c5", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c6" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c6", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c7" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c7", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c8" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c10" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c10", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c11" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c11", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c12" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c12", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c13" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c13", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c14" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c14", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c15" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c15", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c16" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft new file mode 100644 index 00000000..7054cde4 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft @@ -0,0 +1,64 @@ +table ip t { + chain c1 { + jump c2 + } + + chain c2 { + jump c3 + } + + chain c3 { + jump c4 + } + + chain c4 { + jump c5 + } + + chain c5 { + jump c6 + } + + chain c6 { + jump c7 + } + + chain c7 { + jump c8 + } + + chain c8 { + jump c9 + } + + chain c9 { + jump c10 + } + + chain c10 { + jump c11 + } + + chain c11 { + jump c12 + } + + chain c12 { + jump c13 + } + + chain c13 { + jump c14 + } + + chain c14 { + jump c15 + } + + chain c15 { + jump c16 + } + + chain c16 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0004busy_1.json-nft b/tests/shell/testcases/chains/dumps/0004busy_1.json-nft new file mode 100644 index 00000000..314245ff --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0004busy_1.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0004busy_1.nft b/tests/shell/testcases/chains/dumps/0004busy_1.nft new file mode 100644 index 00000000..429dd494 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0004busy_1.nft @@ -0,0 +1,8 @@ +table ip t { + chain c1 { + jump c2 + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0005busy_map_1.json-nft b/tests/shell/testcases/chains/dumps/0005busy_map_1.json-nft new file mode 100644 index 00000000..ce776822 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0005busy_map_1.json-nft @@ -0,0 +1,66 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 1, + { + "jump": { + "target": "c2" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0005busy_map_1.nft b/tests/shell/testcases/chains/dumps/0005busy_map_1.nft new file mode 100644 index 00000000..acf23183 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0005busy_map_1.nft @@ -0,0 +1,8 @@ +table ip t { + chain c1 { + tcp dport vmap { 1 : jump c2 } + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0006masquerade_0.json-nft b/tests/shell/testcases/chains/dumps/0006masquerade_0.json-nft new file mode 100644 index 00000000..b6fc221f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0006masquerade_0.json-nft @@ -0,0 +1,43 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0007masquerade_1.json-nft b/tests/shell/testcases/chains/dumps/0007masquerade_1.json-nft new file mode 100644 index 00000000..98b51044 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0007masquerade_1.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0007masquerade_1.nft b/tests/shell/testcases/chains/dumps/0007masquerade_1.nft new file mode 100644 index 00000000..b25355f7 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0007masquerade_1.nft @@ -0,0 +1,5 @@ +table ip t { + chain c1 { + type filter hook output priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.json-nft b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.json-nft new file mode 100644 index 00000000..3215496f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "output", + "handle": 0, + "type": "nat", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft new file mode 100644 index 00000000..49910711 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft @@ -0,0 +1,9 @@ +table ip t { + chain output { + type nat hook output priority filter; policy accept; + } + + chain c1 { + masquerade + } +} diff --git a/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.json-nft b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.json-nft new file mode 100644 index 00000000..3215496f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "output", + "handle": 0, + "type": "nat", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft new file mode 100644 index 00000000..49910711 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft @@ -0,0 +1,9 @@ +table ip t { + chain output { + type nat hook output priority filter; policy accept; + } + + chain c1 { + masquerade + } +} diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft new file mode 100644 index 00000000..e1a2262f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "elem": [ + [ + 2, + { + "jump": { + "target": "c2" + } + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@m" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft new file mode 100644 index 00000000..ca0a7378 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft @@ -0,0 +1,13 @@ +table ip t { + map m { + type inet_service : verdict + elements = { 2 : jump c2 } + } + + chain c1 { + tcp dport vmap @m + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0013rename_0.json-nft b/tests/shell/testcases/chains/dumps/0013rename_0.json-nft new file mode 100644 index 00000000..f89c455a --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0013rename_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0014rename_0.json-nft b/tests/shell/testcases/chains/dumps/0014rename_0.json-nft new file mode 100644 index 00000000..f4c6855e --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0014rename_0.json-nft @@ -0,0 +1,34 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0014rename_0.nft b/tests/shell/testcases/chains/dumps/0014rename_0.nft new file mode 100644 index 00000000..574c4863 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0014rename_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c1 { + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.json-nft new file mode 100644 index 00000000..314245ff --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft new file mode 100644 index 00000000..429dd494 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft @@ -0,0 +1,8 @@ +table ip t { + chain c1 { + jump c2 + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0016delete_handle_0.json-nft b/tests/shell/testcases/chains/dumps/0016delete_handle_0.json-nft new file mode 100644 index 00000000..ca1311db --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0016delete_handle_0.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test-ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test-ip", + "name": "z", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test-ip6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test-ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test-ip6", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.json-nft b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.json-nft new file mode 100644 index 00000000..b368c23a --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 4, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "input", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft new file mode 100644 index 00000000..636e8440 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft @@ -0,0 +1,9 @@ +table ip t { + chain input { + type filter hook input priority filter + 4; policy accept; + jump c1 + } + + chain c1 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft new file mode 100644 index 00000000..7294c841 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "ap1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "ap2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "ap1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "ap2" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft new file mode 100644 index 00000000..437900bc --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft @@ -0,0 +1,8 @@ +table ip filter { + chain ap1 { + jump ap2 + } + + chain ap2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.json-nft b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.json-nft new file mode 100644 index 00000000..c164ffb8 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.json-nft @@ -0,0 +1,70 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 4, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + { + "jump": { + "target": "c1" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft new file mode 100644 index 00000000..81cf9cc7 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft @@ -0,0 +1,9 @@ +table ip t { + chain input { + type filter hook input priority filter + 4; policy accept; + ip saddr vmap { 1.1.1.1 : jump c1 } + } + + chain c1 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0020depth_1.json-nft b/tests/shell/testcases/chains/dumps/0020depth_1.json-nft new file mode 100644 index 00000000..31bc2b13 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0020depth_1.json-nft @@ -0,0 +1,475 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a0", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a5", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a7", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a11", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a12", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a13", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a14", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a15", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a16", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a17", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a18", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a19", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a0", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a2", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a3" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a3", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a4", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a5" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a5", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a6" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a6", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a7" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a7", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a8" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a10" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a11", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a12" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a12", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a13" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a13", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a14" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a14", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a15" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a15", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a16" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a16", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a17" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a17", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a18" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a18", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a19" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0020depth_1.nft b/tests/shell/testcases/chains/dumps/0020depth_1.nft new file mode 100644 index 00000000..422c3952 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0020depth_1.nft @@ -0,0 +1,84 @@ +table ip filter { + chain input { + type filter hook input priority filter; policy accept; + jump a1 + } + + chain a0 { + jump a1 + } + + chain a1 { + jump a2 + } + + chain a2 { + jump a3 + } + + chain a3 { + jump a4 + } + + chain a4 { + jump a5 + } + + chain a5 { + jump a6 + } + + chain a6 { + jump a7 + } + + chain a7 { + jump a8 + } + + chain a8 { + jump a9 + } + + chain a9 { + jump a10 + } + + chain a10 { + } + + chain a11 { + jump a12 + } + + chain a12 { + jump a13 + } + + chain a13 { + jump a14 + } + + chain a14 { + jump a15 + } + + chain a15 { + jump a16 + } + + chain a16 { + jump a17 + } + + chain a17 { + jump a18 + } + + chain a18 { + jump a19 + } + + chain a19 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0021prio_0.json-nft b/tests/shell/testcases/chains/dumps/0021prio_0.json-nft new file mode 100644 index 00000000..1a3e1161 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0021prio_0.json-nft @@ -0,0 +1,4743 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingraw", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmangle", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilter", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputrawm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputrawm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputraw", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputrawp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputrawp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmanglem11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmanglem10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmangle", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmanglep10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmanglep11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecurity", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardrawm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardrawm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardraw", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardrawp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardrawp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmanglem11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmanglem10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmangle", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmanglep10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmanglep11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilterm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilterm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilter", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilterp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilterp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecuritym11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecuritym10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecurity", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecurityp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecurityp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputrawm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputrawm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputraw", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputrawp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputrawp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmanglem11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmanglem10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmangle", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmanglep10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmanglep11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecurity", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingraw", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmangle", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilter", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnatm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -111, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnatm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnat", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnatp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnatp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -89, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnatm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 89, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnatm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnat", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnatp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnatp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 111, + "policy": "accept" + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingraw", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmangle", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilter", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputrawm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputrawm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputraw", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputrawp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputrawp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmanglem11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmanglem10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmangle", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmanglep10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmanglep11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecurity", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardrawm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardrawm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardraw", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardrawp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardrawp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmanglem11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmanglem10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmangle", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmanglep10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmanglep11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilterm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilterm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilter", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilterp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilterp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecuritym11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecuritym10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecurity", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecurityp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecurityp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputrawm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputrawm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputraw", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputrawp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputrawp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmanglem11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmanglem10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmangle", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmanglep10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmanglep11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecurity", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingraw", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmangle", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilter", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnatm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -111, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnatm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnat", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnatp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnatp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -89, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnatm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 89, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnatm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnat", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnatp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnatp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 111, + "policy": "accept" + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingraw", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmangle", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilter", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputrawm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputrawm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputraw", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputrawp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputrawp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmanglem11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmanglem10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmangle", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmanglep10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmanglep11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecurity", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardrawm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardrawm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardraw", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardrawp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardrawp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmanglem11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmanglem10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmangle", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmanglep10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmanglep11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilterm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilterm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilter", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilterp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilterp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecuritym11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecuritym10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecurity", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecurityp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecurityp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputrawm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputrawm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputraw", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputrawp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputrawp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmanglem11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmanglem10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmangle", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmanglep10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmanglep11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecurity", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingraw", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmangle", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilter", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnatm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -111, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnatm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -110, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnat", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnatp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnatp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -89, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnatm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 89, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnatm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 90, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnat", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnatp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnatp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 111, + "policy": "accept" + } + }, + { + "table": { + "family": "arp", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 11, + "policy": "accept" + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilterm11", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilterm10", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilter", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilterp10", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilterp11", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilterm11", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilterm10", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilter", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilterp10", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilterp11", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": 11, + "policy": "accept" + } + }, + { + "table": { + "family": "bridge", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilter", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilterm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilterm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilter", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilterp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilterp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilter", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnatm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnatm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnat", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnatp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnatp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputoutm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 89, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputoutm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 90, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputout", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 100, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputoutp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputoutp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 111, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnatm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 289, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnatm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 290, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnat", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 300, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnatp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 310, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnatp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 311, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0021prio_0.nft b/tests/shell/testcases/chains/dumps/0021prio_0.nft index ca94d441..4297d246 100644 --- a/tests/shell/testcases/chains/dumps/0021prio_0.nft +++ b/tests/shell/testcases/chains/dumps/0021prio_0.nft @@ -1382,6 +1382,26 @@ table netdev x { chain ingressfilterp11 { type filter hook ingress device "lo" priority 11; policy accept; } + + chain egressfilterm11 { + type filter hook egress device "lo" priority -11; policy accept; + } + + chain egressfilterm10 { + type filter hook egress device "lo" priority filter - 10; policy accept; + } + + chain egressfilter { + type filter hook egress device "lo" priority filter; policy accept; + } + + chain egressfilterp10 { + type filter hook egress device "lo" priority filter + 10; policy accept; + } + + chain egressfilterp11 { + type filter hook egress device "lo" priority 11; policy accept; + } } table bridge x { chain preroutingfilterm11 { diff --git a/tests/shell/testcases/chains/dumps/0022prio_dummy_1.json-nft b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.json-nft b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.json-nft new file mode 100644 index 00000000..72e0d438 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft new file mode 100644 index 00000000..46912eaa --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft @@ -0,0 +1,6 @@ +table ip x { +} +table ip6 x { +} +table inet x { +} diff --git a/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.json-nft b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.json-nft new file mode 100644 index 00000000..72e0d438 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft new file mode 100644 index 00000000..46912eaa --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft @@ -0,0 +1,6 @@ +table ip x { +} +table ip6 x { +} +table inet x { +} diff --git a/tests/shell/testcases/chains/dumps/0025prio_arp_1.json-nft b/tests/shell/testcases/chains/dumps/0025prio_arp_1.json-nft new file mode 100644 index 00000000..17410e32 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0025prio_arp_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "arp", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft b/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft new file mode 100644 index 00000000..7483cdaa --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft @@ -0,0 +1,2 @@ +table arp x { +} diff --git a/tests/shell/testcases/chains/dumps/0026prio_netdev_1.json-nft b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.json-nft new file mode 100644 index 00000000..7d78bd67 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft new file mode 100644 index 00000000..aa571e00 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft @@ -0,0 +1,2 @@ +table netdev x { +} diff --git a/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.json-nft b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.json-nft new file mode 100644 index 00000000..af6ff0a4 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft new file mode 100644 index 00000000..d17be818 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft @@ -0,0 +1,2 @@ +table bridge x { +} diff --git a/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.json-nft b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.json-nft new file mode 100644 index 00000000..af6ff0a4 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft new file mode 100644 index 00000000..d17be818 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft @@ -0,0 +1,2 @@ +table bridge x { +} diff --git a/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.json-nft b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.json-nft new file mode 100644 index 00000000..af6ff0a4 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft new file mode 100644 index 00000000..d17be818 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft @@ -0,0 +1,2 @@ +table bridge x { +} diff --git a/tests/shell/testcases/chains/dumps/0030create_0.json-nft b/tests/shell/testcases/chains/dumps/0030create_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0030create_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0031priority_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0031priority_variable_0.json-nft new file mode 100644 index 00000000..9572eda3 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0031priority_variable_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "global", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0021priority_variable_0.nft b/tests/shell/testcases/chains/dumps/0031priority_variable_0.nft index f4093097..f4093097 100644 --- a/tests/shell/testcases/nft-f/dumps/0021priority_variable_0.nft +++ b/tests/shell/testcases/chains/dumps/0031priority_variable_0.nft diff --git a/tests/shell/testcases/chains/dumps/0032priority_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0032priority_variable_0.json-nft new file mode 100644 index 00000000..3044a668 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0032priority_variable_0.json-nft @@ -0,0 +1,54 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "global", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "postrouting", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -10, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft b/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft new file mode 100644 index 00000000..1a1b0794 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft @@ -0,0 +1,13 @@ +table inet global { + chain prerouting { + type filter hook prerouting priority filter + 10; policy accept; + } + + chain forward { + type filter hook prerouting priority dstnat; policy accept; + } + + chain postrouting { + type filter hook postrouting priority filter - 10; policy accept; + } +} diff --git a/tests/shell/testcases/chains/dumps/0033priority_variable_1.json-nft b/tests/shell/testcases/chains/dumps/0033priority_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0033priority_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft b/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft diff --git a/tests/shell/testcases/chains/dumps/0034priority_variable_1.json-nft b/tests/shell/testcases/chains/dumps/0034priority_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0034priority_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft b/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft diff --git a/tests/shell/testcases/chains/dumps/0035policy_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0035policy_variable_0.json-nft new file mode 100644 index 00000000..9572eda3 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0035policy_variable_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "global", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0025policy_variable_0.nft b/tests/shell/testcases/chains/dumps/0035policy_variable_0.nft index f4093097..f4093097 100644 --- a/tests/shell/testcases/nft-f/dumps/0025policy_variable_0.nft +++ b/tests/shell/testcases/chains/dumps/0035policy_variable_0.nft diff --git a/tests/shell/testcases/chains/dumps/0036policy_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0036policy_variable_0.json-nft new file mode 100644 index 00000000..fc688463 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0036policy_variable_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "global", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "drop" + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0026policy_variable_0.nft b/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft index d729e1ea..d729e1ea 100644 --- a/tests/shell/testcases/nft-f/dumps/0026policy_variable_0.nft +++ b/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft diff --git a/tests/shell/testcases/chains/dumps/0037policy_variable_1.json-nft b/tests/shell/testcases/chains/dumps/0037policy_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0037policy_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft b/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft diff --git a/tests/shell/testcases/chains/dumps/0038policy_variable_1.json-nft b/tests/shell/testcases/chains/dumps/0038policy_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0038policy_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft b/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft diff --git a/tests/shell/testcases/chains/dumps/0039negative_priority_0.json-nft b/tests/shell/testcases/chains/dumps/0039negative_priority_0.json-nft new file mode 100644 index 00000000..94218a8d --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0039negative_priority_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -30, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft b/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft new file mode 100644 index 00000000..20f8272a --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + type filter hook input priority -30; policy accept; + } +} diff --git a/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft new file mode 100644 index 00000000..520203d8 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft @@ -0,0 +1,12 @@ +table inet x { + chain y { + type filter hook input priority filter; policy accept; + meta l4proto { tcp, udp } th dport 53 jump { + ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter packets 0 bytes 0 accept + ip6 saddr ::1 counter packets 0 bytes 0 accept + } + meta l4proto ipv6-icmp jump { + counter packets 0 bytes 0 accept + } + } +} diff --git a/tests/shell/testcases/chains/dumps/0042chain_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0042chain_variable_0.json-nft new file mode 100644 index 00000000..4059e85b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0042chain_variable_0.json-nft @@ -0,0 +1,90 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "filter1", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "filter1", + "name": "Main_Ingress1", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": -500, + "policy": "accept" + } + }, + { + "table": { + "family": "netdev", + "name": "filter2", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "filter2", + "name": "Main_Ingress2", + "handle": 0, + "dev": [ + "d23456789012345", + "lo" + ], + "type": "filter", + "hook": "ingress", + "prio": -500, + "policy": "accept" + } + }, + { + "table": { + "family": "netdev", + "name": "filter3", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "filter3", + "name": "Main_Ingress3", + "handle": 0, + "dev": [ + "d23456789012345", + "lo" + ], + "type": "filter", + "hook": "ingress", + "prio": -500, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "filter3", + "name": "Main_Egress3", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": -500, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft new file mode 100644 index 00000000..84a908d3 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft @@ -0,0 +1,19 @@ +table netdev filter1 { + chain Main_Ingress1 { + type filter hook ingress device "lo" priority -500; policy accept; + } +} +table netdev filter2 { + chain Main_Ingress2 { + type filter hook ingress devices = { d23456789012345, lo } priority -500; policy accept; + } +} +table netdev filter3 { + chain Main_Ingress3 { + type filter hook ingress devices = { d23456789012345, lo } priority -500; policy accept; + } + + chain Main_Egress3 { + type filter hook egress device "lo" priority -500; policy accept; + } +} diff --git a/tests/shell/testcases/chains/dumps/0043chain_ingress_0.json-nft b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.json-nft new file mode 100644 index 00000000..6753658e --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.json-nft @@ -0,0 +1,55 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ingress", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft new file mode 100644 index 00000000..8483b265 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft @@ -0,0 +1,13 @@ +table inet filter { + chain ingress { + type filter hook ingress device "lo" priority filter; policy accept; + } + + chain input { + type filter hook input priority filter; policy accept; + } + + chain forward { + type filter hook forward priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/chains/dumps/0044chain_destroy_0.json-nft b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft new file mode 100644 index 00000000..7d78bd67 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft new file mode 100644 index 00000000..aa571e00 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft @@ -0,0 +1,2 @@ +table netdev x { +} diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.json-nft b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_dev_gone.nodump b/tests/shell/testcases/chains/dumps/netdev_chain_dev_gone.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_dev_gone.nodump diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_multidev_gone.nodump b/tests/shell/testcases/chains/dumps/netdev_chain_multidev_gone.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_multidev_gone.nodump diff --git a/tests/shell/testcases/chains/dumps/netdev_multidev_netns_gone.nodump b/tests/shell/testcases/chains/dumps/netdev_multidev_netns_gone.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_multidev_netns_gone.nodump diff --git a/tests/shell/testcases/chains/dumps/netdev_netns_gone.nodump b/tests/shell/testcases/chains/dumps/netdev_netns_gone.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_netns_gone.nodump diff --git a/tests/shell/testcases/chains/netdev_chain_0 b/tests/shell/testcases/chains/netdev_chain_0 new file mode 100755 index 00000000..a323e6ec --- /dev/null +++ b/tests/shell/testcases/chains/netdev_chain_0 @@ -0,0 +1,29 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_without_device) + +set -e + +iface_cleanup() { + ip link del d0 &>/dev/null || : + ip link del d1 &>/dev/null || : + ip link del d2 &>/dev/null || : +} +trap 'iface_cleanup' EXIT +iface_cleanup + +ip link add d0 type dummy +ip link add d1 type dummy +ip link add d2 type dummy + +RULESET="table netdev x { + chain y { + type filter hook ingress priority 0; policy accept; + } +}" + +$NFT -f - <<< "$RULESET" + +$NFT add chain netdev x y '{ devices = { d0 }; }' +$NFT add chain netdev x y '{ devices = { d1, d2, lo }; }' +$NFT delete chain netdev x y '{ devices = { lo }; }' diff --git a/tests/shell/testcases/chains/netdev_chain_autoremove b/tests/shell/testcases/chains/netdev_chain_autoremove new file mode 100755 index 00000000..21f3ad29 --- /dev/null +++ b/tests/shell/testcases/chains/netdev_chain_autoremove @@ -0,0 +1,9 @@ +#!/bin/bash + +set -e + +# Test auto-removal of chain hook on netns removal +unshare -n bash -e -c "ip link add br0 type bridge; \ + $NFT add table netdev test; \ + $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \ +" diff --git a/tests/shell/testcases/chains/netdev_chain_dev_gone b/tests/shell/testcases/chains/netdev_chain_dev_gone new file mode 100755 index 00000000..99933a31 --- /dev/null +++ b/tests/shell/testcases/chains/netdev_chain_dev_gone @@ -0,0 +1,34 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress) + +set -e + +iface_cleanup() { + ip link del d0 &>/dev/null || : +} +trap 'iface_cleanup' EXIT + +ip link add d0 type dummy + +load_ruleset() { + family=$1 + + # Test auto-removal of chain hook on device removal + RULESET="table $family x { + chain x {} + chain w { + ip daddr 8.7.6.0/24 jump x + } + chain y { + type filter hook ingress device \"d0\" priority 0; + ip saddr { 1.2.3.4, 2.3.4.5 } counter + ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x } + } +}" + $NFT -c -f - <<< $RULESET + $NFT -f - <<< $RULESET +} + +load_ruleset "inet" +load_ruleset "netdev" diff --git a/tests/shell/testcases/chains/netdev_chain_multidev_gone b/tests/shell/testcases/chains/netdev_chain_multidev_gone new file mode 100755 index 00000000..e82698a7 --- /dev/null +++ b/tests/shell/testcases/chains/netdev_chain_multidev_gone @@ -0,0 +1,41 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_multidevice) + +set -e + +iface_cleanup() { + ip link del d0 &>/dev/null || : + ip link del d1 &>/dev/null || : + ip link del d2 &>/dev/null || : +} +trap 'iface_cleanup' EXIT + +ip link add d0 type dummy +ip link add d1 type dummy +ip link add d2 type dummy + +load_ruleset() { + family=$1 + + # Test auto-removal of chain hook on device removal + RULESET="table $family x { + chain x {} + chain w { + ip daddr 8.7.6.0/24 jump { + ip daddr vmap { 8.7.6.3 : jump x, 8.7.6.4 : jump x } + } + } + chain y { + type filter hook ingress devices = { d0, d1, d2 } priority 0; + ip saddr { 1.2.3.4, 2.3.4.5 } counter + ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x } + } +}" + $NFT -c -f - <<< $RULESET + $NFT -f - <<< $RULESET +} + +load_ruleset "inet" +load_ruleset "netdev" diff --git a/tests/shell/testcases/chains/netdev_multidev_netns_gone b/tests/shell/testcases/chains/netdev_multidev_netns_gone new file mode 100755 index 00000000..31ab29bd --- /dev/null +++ b/tests/shell/testcases/chains/netdev_multidev_netns_gone @@ -0,0 +1,43 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_multidevice) + +set -e + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1ns-$rnd" + +iface_cleanup() { + ip netns del $ns1 &>/dev/null || : +} +trap 'iface_cleanup' EXIT + +load_ruleset() { + family=$1 + + ip netns add $ns1 + ip -net $ns1 link add d0 type dummy + ip -net $ns1 link add d1 type dummy + ip -net $ns1 link add d2 type dummy + + # Test auto-removal of chain hook on device removal + RULESET="table $family x { + chain x {} + chain w { + ip daddr 8.7.6.0/24 jump { + ip daddr vmap { 8.7.6.3 : jump x, 8.7.6.4 : jump x } + } + } + chain y { + type filter hook ingress devices = { d0, d1, d2 } priority 0; + ip saddr { 1.2.3.4, 2.3.4.5 } counter + ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x } + } +}" + ip netns exec $ns1 $NFT -f - <<< $RULESET + ip netns del $ns1 +} + +load_ruleset "inet" +load_ruleset "netdev" diff --git a/tests/shell/testcases/chains/netdev_netns_gone b/tests/shell/testcases/chains/netdev_netns_gone new file mode 100755 index 00000000..3a92c99e --- /dev/null +++ b/tests/shell/testcases/chains/netdev_netns_gone @@ -0,0 +1,37 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress) + +set -e + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1ns-$rnd" + +iface_cleanup() { + ip netns del $ns1 &>/dev/null || : +} +trap 'iface_cleanup' EXIT + +load_ruleset() { + family=$1 + + ip netns add $ns1 + ip -net $ns1 link add d0 type dummy + + RULESET="table $family x { + chain x {} + chain w { + ip daddr 8.7.6.0/24 jump x + } + chain y { + type filter hook ingress device \"d0\" priority 0; + ip saddr { 1.2.3.4, 2.3.4.5 } counter + ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x } + } +}" + ip netns exec $ns1 $NFT -f - <<< $RULESET + ip netns del $ns1 +} + +load_ruleset "inet" +load_ruleset "netdev" diff --git a/tests/shell/testcases/comments/comments_0 b/tests/shell/testcases/comments/comments_0 new file mode 100755 index 00000000..a50387d6 --- /dev/null +++ b/tests/shell/testcases/comments/comments_0 @@ -0,0 +1,44 @@ +#!/bin/bash + +RULESET="table inet x { # comment + # comment 1 + # comment 2 + set y { # comment here + type ipv4_addr # comment + elements = { + # 1.1.1.1 + 2.2.2.2, # comment + # more comments + 3.3.3.3, # comment +# comment + } + # comment + } + + # comments are allowed here + chain y { + # comments are allowed here + icmpv6 type { + 1, # comments are allowed here + 2, + } accept + + icmp type { +# comment + 1, + # comments also allowed here + 2, + } accept + + tcp dport { + # normal FTP + 21, + # patched FTP + 2121 + } counter accept + } +} +" + +$NFT -f - <<< "$RULESET" + diff --git a/tests/shell/testcases/comments/dumps/comments_0.json-nft b/tests/shell/testcases/comments/dumps/comments_0.json-nft new file mode 100644 index 00000000..201abd6f --- /dev/null +++ b/tests/shell/testcases/comments/dumps/comments_0.json-nft @@ -0,0 +1,135 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "2.2.2.2", + "3.3.3.3" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": { + "set": [ + "destination-unreachable", + "packet-too-big" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": { + "set": [ + 1, + 2 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 21, + 2121 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/comments/dumps/comments_0.nft b/tests/shell/testcases/comments/dumps/comments_0.nft new file mode 100644 index 00000000..82ae510b --- /dev/null +++ b/tests/shell/testcases/comments/dumps/comments_0.nft @@ -0,0 +1,12 @@ +table inet x { + set y { + type ipv4_addr + elements = { 2.2.2.2, 3.3.3.3 } + } + + chain y { + icmpv6 type { destination-unreachable, packet-too-big } accept + icmp type { 1, 2 } accept + tcp dport { 21, 2121 } counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0 index de590b77..fb7c52fe 100755 --- a/tests/shell/testcases/flowtable/0006segfault_0 +++ b/tests/shell/testcases/flowtable/0006segfault_0 @@ -9,6 +9,3 @@ $NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } } $NFT add flowtable ip t f { hook ingress\; priority 10\; } [[ $? -eq 1 ]] || exit 1 - -$NFT add flowtable ip t f { hook ingress priority 10\; } -[[ $? -eq 1 ]] || exit 1 diff --git a/tests/shell/testcases/flowtable/0012flowtable_variable_0 b/tests/shell/testcases/flowtable/0012flowtable_variable_0 new file mode 100755 index 00000000..9c03820f --- /dev/null +++ b/tests/shell/testcases/flowtable/0012flowtable_variable_0 @@ -0,0 +1,37 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_counter) + +set -e + +iface_cleanup() { + ip link del dummy1 &>/dev/null || : +} +trap 'iface_cleanup' EXIT +iface_cleanup + +ip link add name dummy1 type dummy + +EXPECTED="define if_main = { lo, dummy1 } + +table filter1 { + flowtable Main_ft1 { + hook ingress priority filter + counter + devices = \$if_main + } +}" + +$NFT -f - <<< $EXPECTED + +EXPECTED="define if_main = \"lo\" + +table filter2 { + flowtable Main_ft2 { + hook ingress priority filter + counter + devices = { \$if_main, dummy1 } + } +}" + +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/flowtable/0013addafterdelete_0 b/tests/shell/testcases/flowtable/0013addafterdelete_0 new file mode 100755 index 00000000..56c9834f --- /dev/null +++ b/tests/shell/testcases/flowtable/0013addafterdelete_0 @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +RULESET='table inet filter { + + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + } +}' + +$NFT -f - <<< "$RULESET" + +RULESET='delete flowtable inet filter f + +table inet filter { + + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + } +}' + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/flowtable/0014addafterdelete_0 b/tests/shell/testcases/flowtable/0014addafterdelete_0 new file mode 100755 index 00000000..1ac65104 --- /dev/null +++ b/tests/shell/testcases/flowtable/0014addafterdelete_0 @@ -0,0 +1,38 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_counter) + +set -e + +RULESET='table inet filter { + + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + } + + chain y { + type filter hook forward priority 0; + flow add @f counter + } +}' + +$NFT -f - <<< "$RULESET" + +RULESET='delete rule inet filter y handle 3 +delete flowtable inet filter f + +table inet filter { + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + counter + } + + chain y { + type filter hook forward priority 0; + flow add @f counter + } +}' + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/flowtable/0015destroy_0 b/tests/shell/testcases/flowtable/0015destroy_0 new file mode 100755 index 00000000..cea33524 --- /dev/null +++ b/tests/shell/testcases/flowtable/0015destroy_0 @@ -0,0 +1,20 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +trap "ip link del dummy1" EXIT + +ip link add dummy1 type dummy +ip link set dummy1 up + +$NFT add table t + +# pass for non-existent flowtable +$NFT destroy flowtable t f + +# successfully delete existing flowtable +$NFT add flowtable t f '{ hook ingress priority 10; devices = { lo }; }' + +$NFT 'add flowtable t f { devices = { dummy1 } ; }' + +$NFT destroy flowtable t f diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft new file mode 100644 index 00000000..4d15fe3a --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "t", + "handle": 0, + "hook": "ingress", + "prio": 10, + "dev": "lo" + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "flow": { + "op": "add", + "flowtable": "@f" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.json-nft new file mode 100644 index 00000000..0013512b --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "f", + "table": "t", + "handle": 0, + "hook": "ingress", + "prio": 10, + "dev": "lo" + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft new file mode 100644 index 00000000..aecfb2ab --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft @@ -0,0 +1,6 @@ +table ip t { + flowtable f { + hook ingress priority filter + 10 + devices = { lo } + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.json-nft b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.json-nft new file mode 100644 index 00000000..04057f1f --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "y", + "table": "x", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft new file mode 100644 index 00000000..dd904f44 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft @@ -0,0 +1,6 @@ +table ip x { + flowtable y { + hook ingress priority filter + devices = { lo } + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.json-nft b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft new file mode 100644 index 00000000..302502dc --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "x", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "y", + "table": "x", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "x", + "handle": 0, + "expr": [ + { + "flow": { + "op": "add", + "flowtable": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft new file mode 100644 index 00000000..c1d79e7b --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft @@ -0,0 +1,10 @@ +table ip x { + flowtable y { + hook ingress priority filter + devices = { lo } + } + + chain x { + flow add @y + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0006segfault_0.json-nft b/tests/shell/testcases/flowtable/dumps/0006segfault_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0006segfault_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0007prio_0.json-nft b/tests/shell/testcases/flowtable/dumps/0007prio_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0007prio_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0007prio_0.nft b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0008prio_1.json-nft b/tests/shell/testcases/flowtable/dumps/0008prio_1.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0008prio_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0008prio_1.nft b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.json-nft b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft new file mode 100644 index 00000000..8e818d2d --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.json-nft b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.json-nft new file mode 100644 index 00000000..10372b0e --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft new file mode 100644 index 00000000..17838bdf --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft @@ -0,0 +1,2 @@ +table inet t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.json-nft b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft new file mode 100644 index 00000000..8e818d2d --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft new file mode 100644 index 00000000..10f1df98 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft @@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter1", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "Main_ft1", + "table": "filter1", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "table": { + "family": "ip", + "name": "filter2", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "Main_ft2", + "table": "filter2", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft new file mode 100644 index 00000000..df1c51a2 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft @@ -0,0 +1,14 @@ +table ip filter1 { + flowtable Main_ft1 { + hook ingress priority filter + devices = { lo } + counter + } +} +table ip filter2 { + flowtable Main_ft2 { + hook ingress priority filter + devices = { lo } + counter + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.json-nft b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.json-nft new file mode 100644 index 00000000..85c7b327 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": -1, + "dev": "lo" + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft new file mode 100644 index 00000000..67db7d02 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft @@ -0,0 +1,6 @@ +table inet filter { + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft new file mode 100644 index 00000000..471ba5be --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft @@ -0,0 +1,63 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": -1, + "dev": "lo" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "y", + "handle": 0, + "expr": [ + { + "flow": { + "op": "add", + "flowtable": "@f" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft new file mode 100644 index 00000000..145aa081 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft @@ -0,0 +1,12 @@ +table inet filter { + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + counter + } + + chain y { + type filter hook forward priority filter; policy accept; + flow add @f counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0015destroy_0.json-nft b/tests/shell/testcases/flowtable/dumps/0015destroy_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0015destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/include/0003includepath_0 b/tests/shell/testcases/include/0003includepath_0 index ba722068..20037a8f 100755 --- a/tests/shell/testcases/include/0003includepath_0 +++ b/tests/shell/testcases/include/0003includepath_0 @@ -8,7 +8,7 @@ if [ ! -w $tmpfile1 ] ; then exit 0 fi -tmpfile3=$(echo "$tmpfile1" | cut -d'/' -f 3) +tmpfile3="$(basename "$tmpfile1")" tmpfile2=$(mktemp) if [ ! -w $tmpfile2 ] ; then @@ -24,7 +24,7 @@ RULESET2="include \"$tmpfile3\"" echo "$RULESET1" > $tmpfile1 echo "$RULESET2" > $tmpfile2 -$NFT -I /tmp -f $tmpfile2 +$NFT -I "$(dirname "$tmpfile1")" -f $tmpfile2 if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 diff --git a/tests/shell/testcases/include/0017glob_more_than_maxdepth_1 b/tests/shell/testcases/include/0017glob_more_than_maxdepth_1 new file mode 100755 index 00000000..6499bcc8 --- /dev/null +++ b/tests/shell/testcases/include/0017glob_more_than_maxdepth_1 @@ -0,0 +1,39 @@ +#!/bin/bash + +set -e + +tmpfile=$(mktemp) +if [ ! -w $tmpfile ] ; then + echo "Failed to create tmp file" >&2 + exit 0 +fi + +tmpdir1=$(mktemp -d) +if [ ! -d $tmpdir1 ] ; then + echo "Failed to create tmp directory" >&2 + exit 0 +fi + +tmpfiles="" +for i in `seq -w 1 32`; do + tmpfile2=$(mktemp -p $tmpdir1) + if [ ! -w $tmpfile2 ] ; then + echo "Failed to create tmp file" >&2 + exit 0 + fi + tmpfiles="$tmpfiles $tmpfile2" +done + +trap "rm -rf $tmpfile $tmpfiles && rmdir $tmpdir1" EXIT # cleanup if aborted + +RULESET=" \ +include \"$tmpdir1/*\" +" + +echo "$RULESET" > $tmpfile + +$NFT -f $tmpfile +if [ $? -ne 0 ] ; then + echo "E: unable to load good ruleset" >&2 + exit 1 +fi diff --git a/tests/shell/testcases/include/0018include_error_0 b/tests/shell/testcases/include/0018include_error_0 new file mode 100755 index 00000000..ae2dba3c --- /dev/null +++ b/tests/shell/testcases/include/0018include_error_0 @@ -0,0 +1,34 @@ +#!/bin/bash + +tmpfile1=$(mktemp) +if [ ! -w $tmpfile1 ] ; then + echo "Failed to create tmp file" >&2 + exit 1 +fi + +touch $tmpfile1 + +RULESET="include \"$tmpfile1\" +) +" + +tmpfile2=$(mktemp) +if [ ! -w $tmpfile2 ] ; then + echo "Failed to create tmp file" >&2 + exit 1 +fi + +tmpfile3=$(mktemp) +if [ ! -w $tmpfile3 ] ; then + echo "Failed to create tmp file" >&2 + exit 1 +fi + +echo "/dev/stdin:2:1-1: Error: syntax error, unexpected ')' +) +^" > $tmpfile3 + +$NFT -I/tmp/ -f - <<< "$RULESET" 2> $tmpfile2 +$DIFF -u $tmpfile2 $tmpfile3 + +rm $tmpfile1 $tmpfile2 $tmpfile3 diff --git a/tests/shell/testcases/include/0019include_error_0 b/tests/shell/testcases/include/0019include_error_0 new file mode 100755 index 00000000..4b84a578 --- /dev/null +++ b/tests/shell/testcases/include/0019include_error_0 @@ -0,0 +1,63 @@ +#!/bin/bash + +tmpfile1=$(mktemp) +if [ ! -w $tmpfile1 ] ; then + echo "Failed to create tmp file" >&2 + exit 1 +fi + +tmpfile2=$(mktemp) +if [ ! -w $tmpfile2 ] ; then + echo "Failed to create tmp file" >&2 + exit 1 +fi + +echo "(" >> $tmpfile2 + +tmpdir=$(mktemp -d) + +echo "include \"$tmpfile2\" +include \"$tmpdir/*.nft\" +x" > $tmpfile1 + +echo "=" > $tmpdir/1.nft +echo ")" > $tmpdir/2.nft +echo "-" > $tmpdir/3.nft + +tmpfile3=$(mktemp) +if [ ! -w $tmpfile3 ] ; then + echo "Failed to create tmp file" >&2 + exit 1 +fi + +echo "In file included from $tmpfile1:1:1-30: +$tmpfile2:1:1-1: Error: syntax error, unexpected '(' +( +^ +In file included from $tmpfile1:2:1-36: +$tmpdir/1.nft:1:1-1: Error: syntax error, unexpected '=' += +^ +In file included from $tmpfile1:2:1-36: +$tmpdir/2.nft:1:1-1: Error: syntax error, unexpected ')' +) +^ +In file included from $tmpfile1:2:1-36: +$tmpdir/3.nft:1:1-1: Error: syntax error, unexpected - +- +^ +$tmpfile1:3:2-2: Error: syntax error, unexpected newline, expecting string +x + ^" > $tmpfile3 + +tmpfile4=$(mktemp) +if [ ! -w $tmpfile4 ] ; then + echo "Failed to create tmp file" >&2 + exit 1 +fi + +$NFT -I/tmp/ -f $tmpfile1 2> $tmpfile4 +$DIFF -u $tmpfile3 $tmpfile4 + +rm $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4 +rm -r $tmpdir diff --git a/tests/shell/testcases/include/0020include_chain_0 b/tests/shell/testcases/include/0020include_chain_0 new file mode 100755 index 00000000..49b6f76c --- /dev/null +++ b/tests/shell/testcases/include/0020include_chain_0 @@ -0,0 +1,30 @@ +#!/bin/bash + +set -e + +tmpfile1=$(mktemp -p .) +if [ ! -w $tmpfile1 ] ; then + echo "Failed to create tmp file" >&2 + exit 0 +fi + +trap "rm -rf $tmpfile1" EXIT # cleanup if aborted + +RULESET="table inet filter { } +include \"$tmpfile1\"" + +RULESET2="chain inet filter input2 { + type filter hook input priority filter; policy accept; + ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop +}" + +echo "$RULESET2" > $tmpfile1 + +RULESET3="create chain inet filter output2 { + type filter hook output priority filter; policy accept; + ip daddr 1.2.3.4 tcp dport { 22, 443, 123 } drop +}" + +echo "$RULESET3" >> $tmpfile1 + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/include/dumps/0001absolute_0.json-nft b/tests/shell/testcases/include/dumps/0001absolute_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0001absolute_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0002relative_0.json-nft b/tests/shell/testcases/include/dumps/0002relative_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0002relative_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0003includepath_0.json-nft b/tests/shell/testcases/include/dumps/0003includepath_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0003includepath_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0004endlessloop_1.json-nft b/tests/shell/testcases/include/dumps/0004endlessloop_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0004endlessloop_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0004endlessloop_1.nft b/tests/shell/testcases/include/dumps/0004endlessloop_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0004endlessloop_1.nft diff --git a/tests/shell/testcases/include/dumps/0005glob_empty_0.json-nft b/tests/shell/testcases/include/dumps/0005glob_empty_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0005glob_empty_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0005glob_empty_0.nft b/tests/shell/testcases/include/dumps/0005glob_empty_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0005glob_empty_0.nft diff --git a/tests/shell/testcases/include/dumps/0006glob_single_0.json-nft b/tests/shell/testcases/include/dumps/0006glob_single_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0006glob_single_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0007glob_double_0.json-nft b/tests/shell/testcases/include/dumps/0007glob_double_0.json-nft new file mode 100644 index 00000000..ea75b43f --- /dev/null +++ b/tests/shell/testcases/include/dumps/0007glob_double_0.json-nft @@ -0,0 +1,25 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.json-nft b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft diff --git a/tests/shell/testcases/include/dumps/0009glob_nofile_1.json-nft b/tests/shell/testcases/include/dumps/0009glob_nofile_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0009glob_nofile_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft b/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft diff --git a/tests/shell/testcases/include/dumps/0010glob_broken_file_1.json-nft b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft diff --git a/tests/shell/testcases/include/dumps/0011glob_dependency_0.json-nft b/tests/shell/testcases/include/dumps/0011glob_dependency_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0011glob_dependency_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0012glob_dependency_1.json-nft b/tests/shell/testcases/include/dumps/0012glob_dependency_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0012glob_dependency_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft b/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft diff --git a/tests/shell/testcases/include/dumps/0013glob_dotfile_0.json-nft b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.json-nft b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft diff --git a/tests/shell/testcases/include/dumps/0014glob_directory_0.json-nft b/tests/shell/testcases/include/dumps/0014glob_directory_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0014glob_directory_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0014glob_directory_0.nft b/tests/shell/testcases/include/dumps/0014glob_directory_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0014glob_directory_0.nft diff --git a/tests/shell/testcases/include/dumps/0015doubleincludepath_0.json-nft b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0016maxdepth_0.json-nft b/tests/shell/testcases/include/dumps/0016maxdepth_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0016maxdepth_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0016maxdepth_0.nft b/tests/shell/testcases/include/dumps/0016maxdepth_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0016maxdepth_0.nft diff --git a/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.json-nft b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft diff --git a/tests/shell/testcases/include/dumps/0018include_error_0.json-nft b/tests/shell/testcases/include/dumps/0018include_error_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0018include_error_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0018include_error_0.nft b/tests/shell/testcases/include/dumps/0018include_error_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0018include_error_0.nft diff --git a/tests/shell/testcases/include/dumps/0019include_error_0.json-nft b/tests/shell/testcases/include/dumps/0019include_error_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0019include_error_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0019include_error_0.nft b/tests/shell/testcases/include/dumps/0019include_error_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0019include_error_0.nft diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.json-nft b/tests/shell/testcases/include/dumps/0020include_chain_0.json-nft new file mode 100644 index 00000000..e893ccf1 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0020include_chain_0.json-nft @@ -0,0 +1,128 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input2", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output2", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 123, + 443 + ] + } + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "output2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 123, + 443 + ] + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.nft b/tests/shell/testcases/include/dumps/0020include_chain_0.nft new file mode 100644 index 00000000..bf596ffb --- /dev/null +++ b/tests/shell/testcases/include/dumps/0020include_chain_0.nft @@ -0,0 +1,11 @@ +table inet filter { + chain input2 { + type filter hook input priority filter; policy accept; + ip saddr 1.2.3.4 tcp dport { 22, 123, 443 } drop + } + + chain output2 { + type filter hook output priority filter; policy accept; + ip daddr 1.2.3.4 tcp dport { 22, 123, 443 } drop + } +} diff --git a/tests/shell/testcases/json/0001set_statements_0 b/tests/shell/testcases/json/0001set_statements_0 new file mode 100755 index 00000000..fc4941f4 --- /dev/null +++ b/tests/shell/testcases/json/0001set_statements_0 @@ -0,0 +1,11 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) + +set -e + +$NFT flush ruleset + +RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "testt", "handle": 3}}, {"set": {"family": "ip", "name": "ssh_meter", "table": "testt", "type": "ipv4_addr", "handle": 2, "size": 65535}}, {"chain": {"family": "ip", "table": "testt", "name": "testc", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}}, {"rule": {"family": "ip", "table": "testt", "chain": "testc", "handle": 3, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"set": {"op": "add", "elem": {"payload": {"protocol": "ip", "field": "saddr"}}, "stmt": [{"limit": {"rate": 10, "burst": 5, "per": "second"}}], "set": "@ssh_meter"}}, {"accept": null}]}}]}' + +$NFT -j -f - <<< $RULESET diff --git a/tests/shell/testcases/json/0002table_map_0 b/tests/shell/testcases/json/0002table_map_0 new file mode 100755 index 00000000..a1e9f263 --- /dev/null +++ b/tests/shell/testcases/json/0002table_map_0 @@ -0,0 +1,12 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +set -e + +$NFT flush ruleset + +RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "t", "handle": 4}}, {"map": {"family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [{"counter": {"packets": 0, "bytes": 0}}]}}]}' + +$NFT -j -f - <<< $RULESET diff --git a/tests/shell/testcases/json/0003json_schema_version_0 b/tests/shell/testcases/json/0003json_schema_version_0 new file mode 100755 index 00000000..43f387a1 --- /dev/null +++ b/tests/shell/testcases/json/0003json_schema_version_0 @@ -0,0 +1,11 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) + +set -e + +$NFT flush ruleset + +RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}]}' + +$NFT -j -f - <<< $RULESET diff --git a/tests/shell/testcases/json/0004json_schema_version_1 b/tests/shell/testcases/json/0004json_schema_version_1 new file mode 100755 index 00000000..0f8d586f --- /dev/null +++ b/tests/shell/testcases/json/0004json_schema_version_1 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) + +set -e + +$NFT flush ruleset + +RULESET='{"nftables": [{"metainfo": {"json_schema_version": 999}}]}' + +$NFT -j -f - <<< $RULESET && exit 1 + +exit 0 diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0 new file mode 100755 index 00000000..5c44f093 --- /dev/null +++ b/tests/shell/testcases/json/0005secmark_objref_0 @@ -0,0 +1,12 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_secmark) + +set -e + +$NFT flush ruleset + +RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 4}}, {"secmark": {"family": "inet", "name": "ssh_server", "table": "x", "handle": 1, "context": "system_u:object_r:ssh_server_packet_t:s0"}}, {"chain": {"family": "inet", "table": "x", "name": "y", "handle": 2, "type": "filter", "hook": "input", "prio": -225, "policy": "accept"}}, {"chain": {"family": "inet", "table": "x", "name": "z", "handle": 3, "type": "filter", "hook": "output", "prio": 225, "policy": "accept"}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 4, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 2222}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"secmark": "ssh_server"}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 5, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 6, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 7, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 8, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}]}' + +$NFT -j -f - <<< $RULESET diff --git a/tests/shell/testcases/json/0006obj_comment_0 b/tests/shell/testcases/json/0006obj_comment_0 new file mode 100755 index 00000000..7ce859d2 --- /dev/null +++ b/tests/shell/testcases/json/0006obj_comment_0 @@ -0,0 +1,12 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + +set -e + +$NFT flush ruleset + +RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "t", "handle": 9}}, {"counter": {"family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0}}]}' + +$NFT -j -f - <<< $RULESET diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft new file mode 100644 index 00000000..91db43e2 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft @@ -0,0 +1,100 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "testt", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "testt", + "name": "testc", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "ssh_meter", + "table": "testt", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "testt", + "chain": "testc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@ssh_meter", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.nft b/tests/shell/testcases/json/dumps/0001set_statements_0.nft new file mode 100644 index 00000000..d80a4321 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0001set_statements_0.nft @@ -0,0 +1,12 @@ +table ip testt { + set ssh_meter { + type ipv4_addr + size 65535 + flags dynamic + } + + chain testc { + type filter hook input priority filter; policy accept; + tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate 10/second burst 5 packets } accept + } +} diff --git a/tests/shell/testcases/json/dumps/0002table_map_0.json-nft b/tests/shell/testcases/json/dumps/0002table_map_0.json-nft new file mode 100644 index 00000000..78e3c8ad --- /dev/null +++ b/tests/shell/testcases/json/dumps/0002table_map_0.json-nft @@ -0,0 +1,33 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "stmt": [ + { + "counter": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0002table_map_0.nft b/tests/shell/testcases/json/dumps/0002table_map_0.nft new file mode 100644 index 00000000..357e92cc --- /dev/null +++ b/tests/shell/testcases/json/dumps/0002table_map_0.nft @@ -0,0 +1,6 @@ +table ip t { + map m { + type ipv4_addr : mark + counter + } +} diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft new file mode 100644 index 00000000..3783c6b7 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft @@ -0,0 +1,233 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -225, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 225, + "policy": "accept" + } + }, + { + "secmark": { + "family": "inet", + "name": "ssh_server", + "table": "x", + "handle": 0, + "context": "system_u:object_r:ssh_server_packet_t:s0" + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 2222 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "secmark": "ssh_server" + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "mangle": { + "key": { + "ct": { + "key": "secmark" + } + }, + "value": { + "meta": { + "key": "secmark" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "secmark" + } + }, + "value": { + "ct": { + "key": "secmark" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "mangle": { + "key": { + "ct": { + "key": "secmark" + } + }, + "value": { + "meta": { + "key": "secmark" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "secmark" + } + }, + "value": { + "ct": { + "key": "secmark" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft new file mode 100644 index 00000000..4c218e93 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft @@ -0,0 +1,18 @@ +table inet x { + secmark ssh_server { + "system_u:object_r:ssh_server_packet_t:s0" + } + + chain y { + type filter hook input priority -225; policy accept; + tcp dport 2222 ct state new meta secmark set "ssh_server" + ct state new ct secmark set meta secmark + ct state established,related meta secmark set ct secmark + } + + chain z { + type filter hook output priority 225; policy accept; + ct state new ct secmark set meta secmark + ct state established,related meta secmark set ct secmark + } +} diff --git a/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft b/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft new file mode 100644 index 00000000..208e13ad --- /dev/null +++ b/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "mycounter", + "table": "t", + "handle": 0, + "comment": "my comment in counter", + "packets": 0, + "bytes": 0 + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0006obj_comment_0.nft b/tests/shell/testcases/json/dumps/0006obj_comment_0.nft new file mode 100644 index 00000000..e52b21b4 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0006obj_comment_0.nft @@ -0,0 +1,6 @@ +table inet t { + counter mycounter { + comment "my comment in counter" + packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/json/dumps/netdev.json-nft b/tests/shell/testcases/json/dumps/netdev.json-nft new file mode 100644 index 00000000..e0d2bfb4 --- /dev/null +++ b/tests/shell/testcases/json/dumps/netdev.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "test_table", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/netdev.nft b/tests/shell/testcases/json/dumps/netdev.nft new file mode 100644 index 00000000..3c568ed3 --- /dev/null +++ b/tests/shell/testcases/json/dumps/netdev.nft @@ -0,0 +1,2 @@ +table netdev test_table { +} diff --git a/tests/shell/testcases/json/netdev b/tests/shell/testcases/json/netdev new file mode 100755 index 00000000..8c16cf42 --- /dev/null +++ b/tests/shell/testcases/json/netdev @@ -0,0 +1,28 @@ +#!/bin/bash + +set -e + +iface_cleanup() { + ip link del d0 &>/dev/null || : +} +trap 'iface_cleanup' EXIT +iface_cleanup + +ip link add d0 type dummy + +$NFT flush ruleset +$NFT add table inet test +$NFT add chain inet test c + +$NFT flush ruleset + +RULESET='{"nftables":[{"flush":{"ruleset":null}},{"add":{"table":{"family":"netdev","name":"test_table"}}},{"add":{"chain":{"family":"netdev","table":"test_table","name":"test_chain","type":"filter","hook":"ingress","prio":0,"dev":"d0","policy":"accept"}}}]}' + +if [ "$NFT_TEST_HAVE_json" != n ]; then + $NFT -j -f - <<< $RULESET +fi + +if [ "$NFT_TEST_HAVE_json" = n ]; then + echo "Test partially skipped due to missing JSON support." + exit 77 +fi diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0 index 4d39143d..c78ada94 100755 --- a/tests/shell/testcases/listing/0013objects_0 +++ b/tests/shell/testcases/listing/0013objects_0 @@ -1,47 +1,23 @@ #!/bin/bash -# list table with all objects and chains - -EXPECTED="table ip test { - quota https-quota { - 25 mbytes - } - - ct helper cthelp { - type \"sip\" protocol tcp - l3proto ip - } - - ct timeout cttime { - protocol udp - l3proto ip - policy = { unreplied : 15, replied : 12 } - } - - ct expectation ctexpect { - protocol tcp - dport 5432 - timeout 1h - size 12 - l3proto ip - } - - chain input { - } -}" - set -e $NFT add table test $NFT add chain test input $NFT add quota test https-quota 25 mbytes $NFT add ct helper test cthelp { type \"sip\" protocol tcp \; } -$NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; } -$NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; } -$NFT add table test-ip +if [ "$NFT_TEST_HAVE_cttimeout" != n ] ; then + $NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; } +fi +if [ "$NFT_TEST_HAVE_ctexpect" != n ] ; then + $NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; } +fi -GET="$($NFT list table test)" -if [ "$EXPECTED" != "$GET" ] ; then - $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 +if [ "$NFT_TEST_HAVE_cttimeout" = n ] ; then + echo "Ran partial test due to NFT_TEST_HAVE_cttimeout=n (skipped)" + exit 77 +fi +if [ "$NFT_TEST_HAVE_ctexpect" = n ] ; then + echo "Ran partial test due to NFT_TEST_HAVE_ctexpect=n (skipped)" + exit 77 fi diff --git a/tests/shell/testcases/listing/0020flowtable_0 b/tests/shell/testcases/listing/0020flowtable_0 index 2f0a98d1..0e89f5dd 100755 --- a/tests/shell/testcases/listing/0020flowtable_0 +++ b/tests/shell/testcases/listing/0020flowtable_0 @@ -1,20 +1,65 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_no_devices) + # list only the flowtable asked for with table +set -e + +FLOWTABLES="flowtable f { + hook ingress priority filter + devices = { lo } +} +flowtable f2 { + hook ingress priority filter + devices = { d0 } +}" + +RULESET="table inet filter { + $FLOWTABLES +} +table ip filter { + $FLOWTABLES +}" + EXPECTED="table inet filter { flowtable f { hook ingress priority filter devices = { lo } } }" +EXPECTED2="table ip filter { + flowtable f2 { + hook ingress priority filter + devices = { d0 } + } +}" +EXPECTED3="table ip filter { + flowtable f { + hook ingress priority filter + devices = { lo } + } + flowtable f2 { + hook ingress priority filter + devices = { d0 } + } +}" -set -e +iface_cleanup() { + ip link del d0 &>/dev/null || : +} +trap 'iface_cleanup' EXIT +iface_cleanup + +ip link add d0 type dummy -$NFT -f - <<< "$EXPECTED" +$NFT -f - <<< "$RULESET" GET="$($NFT list flowtable inet filter f)" -if [ "$EXPECTED" != "$GET" ] ; then - $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi +$DIFF -u <(echo "$EXPECTED") <(echo "$GET") + +GET="$($NFT list flowtable ip filter f2)" +$DIFF -u <(echo "$EXPECTED2") <(echo "$GET") + +GET="$($NFT list flowtables ip)" +$DIFF -u <(echo "$EXPECTED3") <(echo "$GET") diff --git a/tests/shell/testcases/listing/0021ruleset_json_terse_0 b/tests/shell/testcases/listing/0021ruleset_json_terse_0 new file mode 100755 index 00000000..98a7ce8a --- /dev/null +++ b/tests/shell/testcases/listing/0021ruleset_json_terse_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +$NFT flush ruleset +$NFT add table ip test +$NFT add chain ip test c +$NFT add set ip test s { type ipv4_addr\; } +$NFT add element ip test s { 192.168.3.4, 192.168.3.5 } + +if [ "$NFT_TEST_HAVE_json" != n ]; then + if $NFT -j -t list ruleset | grep '192\.168' + then + exit 1 + fi +fi + +if [ "$NFT_TEST_HAVE_json" = n ]; then + echo "Test partially skipped due to missing JSON support." + exit 77 +fi diff --git a/tests/shell/testcases/listing/0022terse_0 b/tests/shell/testcases/listing/0022terse_0 new file mode 100755 index 00000000..4841771c --- /dev/null +++ b/tests/shell/testcases/listing/0022terse_0 @@ -0,0 +1,69 @@ +#!/bin/bash + +RULESET="table inet filter { + set example { + type ipv4_addr + flags interval + elements = { 10.10.10.10, 10.10.11.11 } + } + + chain input { + type filter hook prerouting priority filter; policy accept; + ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop + } +}" + +set -e + +$NFT -f - <<< "$RULESET" + +GET="$($NFT list ruleset)" +if [ "$RULESET" != "$GET" ] ; then + $DIFF -u <(echo "$RULESET") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + } + + chain input { + type filter hook prerouting priority filter; policy accept; + ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop + } +}" + +GET="$($NFT -t list ruleset)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + elements = { 10.10.10.10, 10.10.11.11 } + } +}" + +GET="$($NFT list set inet filter example)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + } +}" + +GET="$($NFT -t list set inet filter example)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft b/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft new file mode 100644 index 00000000..1bb0e1b8 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft b/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0002ruleset_0.nft b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft diff --git a/tests/shell/testcases/listing/dumps/0003table_0.json-nft b/tests/shell/testcases/listing/dumps/0003table_0.json-nft new file mode 100644 index 00000000..1bb0e1b8 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0003table_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0003table_0.nft b/tests/shell/testcases/listing/dumps/0003table_0.nft new file mode 100644 index 00000000..1c9f40c5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0003table_0.nft @@ -0,0 +1,2 @@ +table ip test { +} diff --git a/tests/shell/testcases/listing/dumps/0004table_0.json-nft b/tests/shell/testcases/listing/dumps/0004table_0.json-nft new file mode 100644 index 00000000..85e9b287 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0004table_0.json-nft @@ -0,0 +1,25 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "test2", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0004table_0.nft b/tests/shell/testcases/listing/dumps/0004table_0.nft new file mode 100644 index 00000000..56d035d1 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0004table_0.nft @@ -0,0 +1,4 @@ +table ip test { +} +table ip test2 { +} diff --git a/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0010sets_0.json-nft b/tests/shell/testcases/listing/dumps/0010sets_0.json-nft new file mode 100644 index 00000000..efca892e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0010sets_0.json-nft @@ -0,0 +1,124 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "ssh", + "table": "nat", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "testset", + "table": "test", + "type": "ipv6_addr", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp00", + "table": "test_arp", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp01", + "table": "test_arp", + "type": "inet_service", + "handle": 0, + "flags": [ + "constant" + ] + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "set": { + "family": "bridge", + "name": "test_set_bridge", + "table": "test_bridge", + "type": "inet_service", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set0", + "table": "filter", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set1", + "table": "filter", + "type": "inet_service", + "handle": 0, + "flags": [ + "constant" + ] + } + }, + { + "set": { + "family": "inet", + "name": "set2", + "table": "filter", + "type": "icmpv6_type", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0010sets_0.nft b/tests/shell/testcases/listing/dumps/0010sets_0.nft new file mode 100644 index 00000000..7303c403 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0010sets_0.nft @@ -0,0 +1,39 @@ +table ip nat { + set ssh { + type ipv4_addr + } +} +table ip6 test { + set testset { + type ipv6_addr + } +} +table arp test_arp { + set test_set_arp00 { + type inet_service + } + + set test_set_arp01 { + type inet_service + flags constant + } +} +table bridge test_bridge { + set test_set_bridge { + type inet_service + } +} +table inet filter { + set set0 { + type inet_service + } + + set set1 { + type inet_service + flags constant + } + + set set2 { + type icmpv6_type + } +} diff --git a/tests/shell/testcases/listing/dumps/0011sets_0.json-nft b/tests/shell/testcases/listing/dumps/0011sets_0.json-nft new file mode 100644 index 00000000..a742fa45 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0011sets_0.json-nft @@ -0,0 +1,220 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "sport" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "chain": { + "family": "arp", + "table": "test_arp", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "arp", + "table": "test_arp", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "test_bridge", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "bridge", + "table": "test_bridge", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "1.1.1.1", + "2.2.2.2" + ] + } + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 80, + 443 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0011sets_0.nft b/tests/shell/testcases/listing/dumps/0011sets_0.nft new file mode 100644 index 00000000..4d0aeaf3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0011sets_0.nft @@ -0,0 +1,25 @@ +table ip nat { + chain test { + tcp dport { 123, 321 } + } +} +table ip6 test { + chain test { + udp sport { 123, 321 } + } +} +table arp test_arp { + chain test { + meta mark { 0x0000007b, 0x00000141 } + } +} +table bridge test_bridge { + chain test { + ip daddr { 1.1.1.1, 2.2.2.2 } + } +} +table inet filter { + chain test { + tcp dport { 80, 443 } + } +} diff --git a/tests/shell/testcases/listing/dumps/0012sets_0.json-nft b/tests/shell/testcases/listing/dumps/0012sets_0.json-nft new file mode 100644 index 00000000..efca892e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0012sets_0.json-nft @@ -0,0 +1,124 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "ssh", + "table": "nat", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "testset", + "table": "test", + "type": "ipv6_addr", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp00", + "table": "test_arp", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp01", + "table": "test_arp", + "type": "inet_service", + "handle": 0, + "flags": [ + "constant" + ] + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "set": { + "family": "bridge", + "name": "test_set_bridge", + "table": "test_bridge", + "type": "inet_service", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set0", + "table": "filter", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set1", + "table": "filter", + "type": "inet_service", + "handle": 0, + "flags": [ + "constant" + ] + } + }, + { + "set": { + "family": "inet", + "name": "set2", + "table": "filter", + "type": "icmpv6_type", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0012sets_0.nft b/tests/shell/testcases/listing/dumps/0012sets_0.nft new file mode 100644 index 00000000..7303c403 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0012sets_0.nft @@ -0,0 +1,39 @@ +table ip nat { + set ssh { + type ipv4_addr + } +} +table ip6 test { + set testset { + type ipv6_addr + } +} +table arp test_arp { + set test_set_arp00 { + type inet_service + } + + set test_set_arp01 { + type inet_service + flags constant + } +} +table bridge test_bridge { + set test_set_bridge { + type inet_service + } +} +table inet filter { + set set0 { + type inet_service + } + + set set1 { + type inet_service + flags constant + } + + set set2 { + type icmpv6_type + } +} diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.json-nft b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft new file mode 100644 index 00000000..830aad85 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "input", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "https-quota", + "table": "test", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": false + } + }, + { + "ct helper": { + "family": "ip", + "name": "cthelp", + "table": "test", + "handle": 0, + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "ct timeout": { + "family": "ip", + "name": "cttime", + "table": "test", + "handle": 0, + "protocol": "udp", + "l3proto": "ip", + "policy": { + "unreplied": 15, + "replied": 12 + } + } + }, + { + "ct expectation": { + "family": "ip", + "name": "ctexpect", + "table": "test", + "handle": 0, + "protocol": "tcp", + "dport": 5432, + "timeout": 3600000, + "size": 12, + "l3proto": "ip" + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.nft b/tests/shell/testcases/listing/dumps/0013objects_0.nft new file mode 100644 index 00000000..427db268 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0013objects_0.nft @@ -0,0 +1,27 @@ +table ip test { + quota https-quota { + 25 mbytes + } + + ct helper cthelp { + type "sip" protocol tcp + l3proto ip + } + + ct timeout cttime { + protocol udp + l3proto ip + policy = { unreplied : 15s, replied : 12s } + } + + ct expectation ctexpect { + protocol tcp + dport 5432 + timeout 1h + size 12 + l3proto ip + } + + chain input { + } +} diff --git a/tests/shell/testcases/listing/dumps/0014objects_0.json-nft b/tests/shell/testcases/listing/dumps/0014objects_0.json-nft new file mode 100644 index 00000000..83f72d40 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0014objects_0.json-nft @@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "https-quota", + "table": "test", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": false + } + }, + { + "ct helper": { + "family": "ip", + "name": "cthelp", + "table": "test", + "handle": 0, + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0014objects_0.nft b/tests/shell/testcases/listing/dumps/0014objects_0.nft new file mode 100644 index 00000000..9281a1a0 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0014objects_0.nft @@ -0,0 +1,12 @@ +table ip test { + quota https-quota { + 25 mbytes + } + + ct helper cthelp { + type "sip" protocol tcp + l3proto ip + } +} +table ip test-ip { +} diff --git a/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft b/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft new file mode 100644 index 00000000..a94a1b04 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "test_set", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr", + "inet_service", + "inet_proto" + ], + "handle": 0, + "size": 100000, + "flags": [ + "timeout", + "dynamic" + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0015dynamic_0.nft b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft new file mode 100644 index 00000000..0f4244bf --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft @@ -0,0 +1,7 @@ +table ip filter { + set test_set { + type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto + size 100000 + flags dynamic,timeout + } +} diff --git a/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft b/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft new file mode 100644 index 00000000..e47ccb8e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft @@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.1.1.1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + 2 + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0016anonymous_0.nft b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft new file mode 100644 index 00000000..cb089337 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft @@ -0,0 +1,6 @@ +table ip x { + chain y { + ip saddr 1.1.1.1 + meta mark set ip saddr map { 1.1.1.1 : 0x00000002 } + } +} diff --git a/tests/shell/testcases/listing/dumps/0017objects_0.json-nft b/tests/shell/testcases/listing/dumps/0017objects_0.json-nft new file mode 100644 index 00000000..d735f7a1 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0017objects_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "countermap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter" + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0017objects_0.nft b/tests/shell/testcases/listing/dumps/0017objects_0.nft new file mode 100644 index 00000000..e60e3afa --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0017objects_0.nft @@ -0,0 +1,5 @@ +table inet filter { + map countermap { + type ipv4_addr : counter + } +} diff --git a/tests/shell/testcases/listing/dumps/0018data_0.json-nft b/tests/shell/testcases/listing/dumps/0018data_0.json-nft new file mode 100644 index 00000000..211dcd30 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0018data_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "ipmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr" + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0018data_0.nft b/tests/shell/testcases/listing/dumps/0018data_0.nft new file mode 100644 index 00000000..5d318550 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0018data_0.nft @@ -0,0 +1,5 @@ +table inet filter { + map ipmap { + type ipv4_addr : ipv4_addr + } +} diff --git a/tests/shell/testcases/listing/dumps/0019set_0.json-nft b/tests/shell/testcases/listing/dumps/0019set_0.json-nft new file mode 100644 index 00000000..3bb7cb8a --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0019set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "ipset", + "table": "filter", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0019set_0.nft b/tests/shell/testcases/listing/dumps/0019set_0.nft new file mode 100644 index 00000000..915922ca --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0019set_0.nft @@ -0,0 +1,5 @@ +table inet filter { + set ipset { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft new file mode 100644 index 00000000..d511739a --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft @@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "flowtable": { + "family": "inet", + "name": "f2", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "flowtable": { + "family": "ip", + "name": "f2", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft new file mode 100644 index 00000000..4a64e531 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft @@ -0,0 +1,20 @@ +table inet filter { + flowtable f { + hook ingress priority filter + devices = { lo } + } + + flowtable f2 { + hook ingress priority filter + } +} +table ip filter { + flowtable f { + hook ingress priority filter + devices = { lo } + } + + flowtable f2 { + hook ingress priority filter + } +} diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft new file mode 100644 index 00000000..d1131bb4 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "192.168.3.4", + "192.168.3.5" + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft new file mode 100644 index 00000000..13c8ac63 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft @@ -0,0 +1,9 @@ +table ip test { + set s { + type ipv4_addr + elements = { 192.168.3.4, 192.168.3.5 } + } + + chain c { + } +} diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.json-nft b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft new file mode 100644 index 00000000..bd6383da --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft @@ -0,0 +1,88 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "inet", + "name": "example", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "10.10.10.10", + "10.10.11.11" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + "10.10.10.100", + "10.10.10.111" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@example" + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.nft b/tests/shell/testcases/listing/dumps/0022terse_0.nft new file mode 100644 index 00000000..40665cb7 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0022terse_0.nft @@ -0,0 +1,12 @@ +table inet filter { + set example { + type ipv4_addr + flags interval + elements = { 10.10.10.10, 10.10.11.11 } + } + + chain input { + type filter hook prerouting priority filter; policy accept; + ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop + } +} diff --git a/tests/shell/testcases/listing/dumps/meta_time.nodump b/tests/shell/testcases/listing/dumps/meta_time.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/listing/dumps/meta_time.nodump diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time new file mode 100755 index 00000000..96a9d557 --- /dev/null +++ b/tests/shell/testcases/listing/meta_time @@ -0,0 +1,67 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_meta_time) + +set -e + +TMP1=$(mktemp) +TMP2=$(mktemp) + +cleanup() +{ + rm -f "$TMP1" + rm -f "$TMP2" +} + +check_decode() +{ + TZ=$1 $NFT list chain t c | grep meta > "$TMP2" + diff -u "$TMP1" "$TMP2" +} + +trap cleanup EXIT + +$NFT -f - <<EOF +table t { + chain c { + } +} +EOF + +for i in $(seq -w 0 23); do + TZ=UTC $NFT add rule t c meta hour "$i:00"-"$i:59" +done + +# Check decoding in UTC, this mirrors 1:1 what should have been added. +for i in $(seq 0 23); do + printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1" +done + +check_decode UTC + +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 23 0 23 59 > "$TMP1" +for i in $(seq 0 22); do + printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1" +done +check_decode UTC+1 + +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 1 0 1 59 > "$TMP1" +for i in $(seq 2 23); do + printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1" +done +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 0 59 >> "$TMP1" + +check_decode UTC-1 + +$NFT flush chain t c +TZ=EADT $NFT add rule t c meta hour "03:00"-"14:00" +TZ=EADT $NFT add rule t c meta hour "04:00"-"15:00" +TZ=EADT $NFT add rule t c meta hour "05:00"-"16:00" +TZ=EADT $NFT add rule t c meta hour "06:00"-"17:00" + +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 3 0 14 0 > "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 4 0 15 0 >> "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 5 0 16 0 >> "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 6 0 17 0 >> "$TMP1" + +check_decode EADT diff --git a/tests/shell/testcases/maps/0004interval_map_create_once_0 b/tests/shell/testcases/maps/0004interval_map_create_once_0 index 3de0c9de..64f434ad 100755 --- a/tests/shell/testcases/maps/0004interval_map_create_once_0 +++ b/tests/shell/testcases/maps/0004interval_map_create_once_0 @@ -5,6 +5,10 @@ HOWMANY=63 +if [ "$NFT_TEST_SKIP_slow" = y ] ; then + HOWMANY=5 +fi + tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then echo "Failed to create tmp file" >&2 @@ -64,3 +68,7 @@ if [ "$EXPECTED" != "$GET" ] ; then exit 1 fi +if [ "$HOWMANY" != 63 ] ; then + echo "Run a partial test due to NFT_TEST_SKIP_slow=y. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0 new file mode 100755 index 00000000..4e133b72 --- /dev/null +++ b/tests/shell/testcases/maps/0009vmap_0 @@ -0,0 +1,21 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +set -e + +EXPECTED="table inet filter { + chain ssh_input { + } + + chain wan_input { + tcp dport vmap { 22 : jump ssh_input } + } + + chain prerouting { + type filter hook prerouting priority -300; policy accept; + iif vmap { "lo" counter : jump wan_input } + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0010concat_map_0 b/tests/shell/testcases/maps/0010concat_map_0 new file mode 100755 index 00000000..859bbfcf --- /dev/null +++ b/tests/shell/testcases/maps/0010concat_map_0 @@ -0,0 +1,21 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_nat) + +set -e + +EXPECTED="table inet x { + map z { + type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service + elements = { + 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30 + } + } + + chain y { + type nat hook prerouting priority dstnat; + dnat ip addr . port to ip saddr . ip protocol . tcp dport map @z + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0011vmap_0 b/tests/shell/testcases/maps/0011vmap_0 new file mode 100755 index 00000000..3e6fa78d --- /dev/null +++ b/tests/shell/testcases/maps/0011vmap_0 @@ -0,0 +1,33 @@ +#!/bin/bash + +set -e + +EXPECTED="table inet filter { + map portmap { + type inet_service : verdict + counter + } + + chain ssh_input { + } + + chain wan_input { + tcp dport vmap @portmap + } + + chain prerouting { + type filter hook prerouting priority -300; policy accept; + iif vmap { "lo" : jump wan_input } + } +}" + +$NFT -f - <<< "$EXPECTED" + +if [ "$NFT_TEST_HAVE_catchall_element" != n ]; then + $NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }' +fi + +if [ "$NFT_TEST_HAVE_catchall_element" = n ]; then + echo "Ran partial tests due to NFT_TEST_HAVE_catchall_element=n (skipped)" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0012map_0 b/tests/shell/testcases/maps/0012map_0 new file mode 100755 index 00000000..dd93c482 --- /dev/null +++ b/tests/shell/testcases/maps/0012map_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +set -e + +EXPECTED="define interfaces = { eth0, eth1 } + +table ip x { + map z { + type ifname : verdict + elements = { \$interfaces : drop, lo : accept } + } + chain y { + iifname vmap { lo : accept, \$interfaces : drop } + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0012map_concat_0 b/tests/shell/testcases/maps/0012map_concat_0 new file mode 100755 index 00000000..d18c7a73 --- /dev/null +++ b/tests/shell/testcases/maps/0012map_concat_0 @@ -0,0 +1,24 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +EXPECTED="table ip x { + map w { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { + 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept, + } + } + + chain k { + type filter hook input priority filter + 1; policy accept; + meta mark set 0x123434 + ip saddr . meta mark vmap @w + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0 new file mode 100755 index 00000000..c8d20cee --- /dev/null +++ b/tests/shell/testcases/maps/0013map_0 @@ -0,0 +1,16 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET=" +flush ruleset + +add table ip filter +add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; } +add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; } +add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol . th dport vmap @forwport counter +add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/maps/0014destroy_0 b/tests/shell/testcases/maps/0014destroy_0 new file mode 100755 index 00000000..ee81e3cd --- /dev/null +++ b/tests/shell/testcases/maps/0014destroy_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table x + +# pass for non-existent map +$NFT destroy map x y + +# successfully delete existing map +$NFT add map x y '{ type ipv4_addr : ipv4_addr; }' +$NFT destroy map x y diff --git a/tests/shell/testcases/maps/0016map_leak_0 b/tests/shell/testcases/maps/0016map_leak_0 new file mode 100755 index 00000000..e110ee4b --- /dev/null +++ b/tests/shell/testcases/maps/0016map_leak_0 @@ -0,0 +1,38 @@ +#!/bin/bash + +set -e + +RULESET="table ip t { + map sourcemap { + type ipv4_addr : verdict + elements = { 100.123.10.2 : jump c } + } + + chain c { + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak +$NFT flush ruleset + +# +# again with stateful objects +# + +RULESET="table ip t { + counter c {} + + map sourcemap { + type ipv4_addr : counter + elements = { 100.123.10.2 : \"c\" } + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak +$NFT flush ruleset diff --git a/tests/shell/testcases/maps/0017_map_variable_0 b/tests/shell/testcases/maps/0017_map_variable_0 new file mode 100755 index 00000000..e01adb4c --- /dev/null +++ b/tests/shell/testcases/maps/0017_map_variable_0 @@ -0,0 +1,32 @@ +#!/bin/bash + +set -e + +if [ "$NFT_TEST_HAVE_catchall_element" != n ] ; then + CATCHALL="* : 3," +else + CATCHALL="," +fi + +RULESET="define x = { + 1.1.1.1 : 2, + $CATCHALL +} + +table ip x { + map y { + typeof ip saddr : mark + elements = \$x + } + map z { + typeof ip saddr : mark + elements = \$x + } +}" + +$NFT -f - <<< "$RULESET" + +if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then + echo "Ran modified version of test due to NFT_TEST_HAVE_catchall_element=n (skipped)" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0018map_leak_timeout_0 b/tests/shell/testcases/maps/0018map_leak_timeout_0 new file mode 100755 index 00000000..09db315a --- /dev/null +++ b/tests/shell/testcases/maps/0018map_leak_timeout_0 @@ -0,0 +1,50 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +set -e + +RULESET="table ip t { + map sourcemap { + type ipv4_addr : verdict + timeout 3s + elements = { 100.123.10.2 : jump c } + } + + chain c { + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" + +# wait for elements to expire +sleep 5 + +# flush it to check for refcount leak +$NFT flush ruleset + +# +# again with stateful objects +# + +RULESET="table ip t { + counter c {} + + map sourcemap { + type ipv4_addr : counter + timeout 3s + elements = { 100.123.10.2 : \"c\" } + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak + +# wait for elements to expire +sleep 5 + +$NFT flush ruleset diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/maps/0024named_objects_0 index 21200c3c..21200c3c 100755 --- a/tests/shell/testcases/sets/0024named_objects_0 +++ b/tests/shell/testcases/maps/0024named_objects_0 diff --git a/tests/shell/testcases/maps/anon_objmap_concat b/tests/shell/testcases/maps/anon_objmap_concat new file mode 100755 index 00000000..34465f1d --- /dev/null +++ b/tests/shell/testcases/maps/anon_objmap_concat @@ -0,0 +1,8 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.json-nft b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.json-nft new file mode 100644 index 00000000..1b5c2a23 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.json-nft @@ -0,0 +1,3874 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "10.0.1.1", + "10.0.1.1" + ], + [ + "10.0.1.2", + "10.0.1.2" + ], + [ + "10.0.1.3", + "10.0.1.3" + ], + [ + "10.0.1.4", + "10.0.1.4" + ], + [ + "10.0.1.5", + "10.0.1.5" + ], + [ + "10.0.1.6", + "10.0.1.6" + ], + [ + "10.0.1.7", + "10.0.1.7" + ], + [ + "10.0.1.8", + "10.0.1.8" + ], + [ + "10.0.1.9", + "10.0.1.9" + ], + [ + "10.0.1.10", + "10.0.1.10" + ], + [ + "10.0.1.11", + "10.0.1.11" + ], + [ + "10.0.1.12", + "10.0.1.12" + ], + [ + "10.0.1.13", + "10.0.1.13" + ], + [ + "10.0.1.14", + "10.0.1.14" + ], + [ + "10.0.1.15", + "10.0.1.15" + ], + [ + "10.0.1.16", + "10.0.1.16" + ], + [ + "10.0.1.17", + "10.0.1.17" + ], + [ + "10.0.1.18", + "10.0.1.18" + ], + [ + "10.0.1.19", + "10.0.1.19" + ], + [ + "10.0.1.20", + "10.0.1.20" + ], + [ + "10.0.1.21", + "10.0.1.21" + ], + [ + "10.0.1.22", + "10.0.1.22" + ], + [ + "10.0.1.23", + "10.0.1.23" + ], + [ + "10.0.1.24", + "10.0.1.24" + ], + [ + "10.0.1.25", + "10.0.1.25" + ], + [ + "10.0.1.26", + "10.0.1.26" + ], + [ + "10.0.1.27", + "10.0.1.27" + ], + [ + "10.0.1.28", + "10.0.1.28" + ], + [ + "10.0.1.29", + "10.0.1.29" + ], + [ + "10.0.1.30", + "10.0.1.30" + ], + [ + "10.0.1.31", + "10.0.1.31" + ], + [ + "10.0.2.1", + "10.0.2.1" + ], + [ + "10.0.2.2", + "10.0.2.2" + ], + [ + "10.0.2.3", + "10.0.2.3" + ], + [ + "10.0.2.4", + "10.0.2.4" + ], + [ + "10.0.2.5", + "10.0.2.5" + ], + [ + "10.0.2.6", + "10.0.2.6" + ], + [ + "10.0.2.7", + "10.0.2.7" + ], + [ + "10.0.2.8", + "10.0.2.8" + ], + [ + "10.0.2.9", + "10.0.2.9" + ], + [ + "10.0.2.10", + "10.0.2.10" + ], + [ + "10.0.2.11", + "10.0.2.11" + ], + [ + "10.0.2.12", + "10.0.2.12" + ], + [ + "10.0.2.13", + "10.0.2.13" + ], + [ + "10.0.2.14", + "10.0.2.14" + ], + [ + "10.0.2.15", + "10.0.2.15" + ], + [ + "10.0.2.16", + "10.0.2.16" + ], + [ + "10.0.2.17", + "10.0.2.17" + ], + [ + "10.0.2.18", + "10.0.2.18" + ], + [ + "10.0.2.19", + "10.0.2.19" + ], + [ + "10.0.2.20", + "10.0.2.20" + ], + [ + "10.0.2.21", + "10.0.2.21" + ], + [ + "10.0.2.22", + "10.0.2.22" + ], + [ + "10.0.2.23", + "10.0.2.23" + ], + [ + "10.0.2.24", + "10.0.2.24" + ], + [ + "10.0.2.25", + "10.0.2.25" + ], + [ + "10.0.2.26", + "10.0.2.26" + ], + [ + "10.0.2.27", + "10.0.2.27" + ], + [ + "10.0.2.28", + "10.0.2.28" + ], + [ + "10.0.2.29", + "10.0.2.29" + ], + [ + "10.0.2.30", + "10.0.2.30" + ], + [ + "10.0.2.31", + "10.0.2.31" + ], + [ + "10.0.3.1", + "10.0.3.1" + ], + [ + "10.0.3.2", + "10.0.3.2" + ], + [ + "10.0.3.3", + "10.0.3.3" + ], + [ + "10.0.3.4", + "10.0.3.4" + ], + [ + "10.0.3.5", + "10.0.3.5" + ], + [ + "10.0.3.6", + "10.0.3.6" + ], + [ + "10.0.3.7", + "10.0.3.7" + ], + [ + "10.0.3.8", + "10.0.3.8" + ], + [ + "10.0.3.9", + "10.0.3.9" + ], + [ + "10.0.3.10", + "10.0.3.10" + ], + [ + "10.0.3.11", + "10.0.3.11" + ], + [ + "10.0.3.12", + "10.0.3.12" + ], + [ + "10.0.3.13", + "10.0.3.13" + ], + [ + "10.0.3.14", + "10.0.3.14" + ], + [ + "10.0.3.15", + "10.0.3.15" + ], + [ + "10.0.3.16", + "10.0.3.16" + ], + [ + "10.0.3.17", + "10.0.3.17" + ], + [ + "10.0.3.18", + "10.0.3.18" + ], + [ + "10.0.3.19", + "10.0.3.19" + ], + [ + "10.0.3.20", + "10.0.3.20" + ], + [ + "10.0.3.21", + "10.0.3.21" + ], + [ + "10.0.3.22", + "10.0.3.22" + ], + [ + "10.0.3.23", + "10.0.3.23" + ], + [ + "10.0.3.24", + "10.0.3.24" + ], + [ + "10.0.3.25", + "10.0.3.25" + ], + [ + "10.0.3.26", + "10.0.3.26" + ], + [ + "10.0.3.27", + "10.0.3.27" + ], + [ + "10.0.3.28", + "10.0.3.28" + ], + [ + "10.0.3.29", + "10.0.3.29" + ], + [ + "10.0.3.30", + "10.0.3.30" + ], + [ + "10.0.3.31", + "10.0.3.31" + ], + [ + "10.0.4.1", + "10.0.4.1" + ], + [ + "10.0.4.2", + "10.0.4.2" + ], + [ + "10.0.4.3", + "10.0.4.3" + ], + [ + "10.0.4.4", + "10.0.4.4" + ], + [ + "10.0.4.5", + "10.0.4.5" + ], + [ + "10.0.4.6", + "10.0.4.6" + ], + [ + "10.0.4.7", + "10.0.4.7" + ], + [ + "10.0.4.8", + "10.0.4.8" + ], + [ + "10.0.4.9", + "10.0.4.9" + ], + [ + "10.0.4.10", + "10.0.4.10" + ], + [ + "10.0.4.11", + "10.0.4.11" + ], + [ + "10.0.4.12", + "10.0.4.12" + ], + [ + "10.0.4.13", + "10.0.4.13" + ], + [ + "10.0.4.14", + "10.0.4.14" + ], + [ + "10.0.4.15", + "10.0.4.15" + ], + [ + "10.0.4.16", + "10.0.4.16" + ], + [ + "10.0.4.17", + "10.0.4.17" + ], + [ + "10.0.4.18", + "10.0.4.18" + ], + [ + "10.0.4.19", + "10.0.4.19" + ], + [ + "10.0.4.20", + "10.0.4.20" + ], + [ + "10.0.4.21", + "10.0.4.21" + ], + [ + "10.0.4.22", + "10.0.4.22" + ], + [ + "10.0.4.23", + "10.0.4.23" + ], + [ + "10.0.4.24", + "10.0.4.24" + ], + [ + "10.0.4.25", + "10.0.4.25" + ], + [ + "10.0.4.26", + "10.0.4.26" + ], + [ + "10.0.4.27", + "10.0.4.27" + ], + [ + "10.0.4.28", + "10.0.4.28" + ], + [ + "10.0.4.29", + "10.0.4.29" + ], + [ + "10.0.4.30", + "10.0.4.30" + ], + [ + "10.0.4.31", + "10.0.4.31" + ], + [ + "10.0.5.1", + "10.0.5.1" + ], + [ + "10.0.5.2", + "10.0.5.2" + ], + [ + "10.0.5.3", + "10.0.5.3" + ], + [ + "10.0.5.4", + "10.0.5.4" + ], + [ + "10.0.5.5", + "10.0.5.5" + ], + [ + "10.0.5.6", + "10.0.5.6" + ], + [ + "10.0.5.7", + "10.0.5.7" + ], + [ + "10.0.5.8", + "10.0.5.8" + ], + [ + "10.0.5.9", + "10.0.5.9" + ], + [ + "10.0.5.10", + "10.0.5.10" + ], + [ + "10.0.5.11", + "10.0.5.11" + ], + [ + "10.0.5.12", + "10.0.5.12" + ], + [ + "10.0.5.13", + "10.0.5.13" + ], + [ + "10.0.5.14", + "10.0.5.14" + ], + [ + "10.0.5.15", + "10.0.5.15" + ], + [ + "10.0.5.16", + "10.0.5.16" + ], + [ + "10.0.5.17", + "10.0.5.17" + ], + [ + "10.0.5.18", + "10.0.5.18" + ], + [ + "10.0.5.19", + "10.0.5.19" + ], + [ + "10.0.5.20", + "10.0.5.20" + ], + [ + "10.0.5.21", + "10.0.5.21" + ], + [ + "10.0.5.22", + "10.0.5.22" + ], + [ + "10.0.5.23", + "10.0.5.23" + ], + [ + "10.0.5.24", + "10.0.5.24" + ], + [ + "10.0.5.25", + "10.0.5.25" + ], + [ + "10.0.5.26", + "10.0.5.26" + ], + [ + "10.0.5.27", + "10.0.5.27" + ], + [ + "10.0.5.28", + "10.0.5.28" + ], + [ + "10.0.5.29", + "10.0.5.29" + ], + [ + "10.0.5.30", + "10.0.5.30" + ], + [ + "10.0.5.31", + "10.0.5.31" + ], + [ + "10.0.6.1", + "10.0.6.1" + ], + [ + "10.0.6.2", + "10.0.6.2" + ], + [ + "10.0.6.3", + "10.0.6.3" + ], + [ + "10.0.6.4", + "10.0.6.4" + ], + [ + "10.0.6.5", + "10.0.6.5" + ], + [ + "10.0.6.6", + "10.0.6.6" + ], + [ + "10.0.6.7", + "10.0.6.7" + ], + [ + "10.0.6.8", + "10.0.6.8" + ], + [ + "10.0.6.9", + "10.0.6.9" + ], + [ + "10.0.6.10", + "10.0.6.10" + ], + [ + "10.0.6.11", + "10.0.6.11" + ], + [ + "10.0.6.12", + "10.0.6.12" + ], + [ + "10.0.6.13", + "10.0.6.13" + ], + [ + "10.0.6.14", + "10.0.6.14" + ], + [ + "10.0.6.15", + "10.0.6.15" + ], + [ + "10.0.6.16", + "10.0.6.16" + ], + [ + "10.0.6.17", + "10.0.6.17" + ], + [ + "10.0.6.18", + "10.0.6.18" + ], + [ + "10.0.6.19", + "10.0.6.19" + ], + [ + "10.0.6.20", + "10.0.6.20" + ], + [ + "10.0.6.21", + "10.0.6.21" + ], + [ + "10.0.6.22", + "10.0.6.22" + ], + [ + "10.0.6.23", + "10.0.6.23" + ], + [ + "10.0.6.24", + "10.0.6.24" + ], + [ + "10.0.6.25", + "10.0.6.25" + ], + [ + "10.0.6.26", + "10.0.6.26" + ], + [ + "10.0.6.27", + "10.0.6.27" + ], + [ + "10.0.6.28", + "10.0.6.28" + ], + [ + "10.0.6.29", + "10.0.6.29" + ], + [ + "10.0.6.30", + "10.0.6.30" + ], + [ + "10.0.6.31", + "10.0.6.31" + ], + [ + "10.0.7.1", + "10.0.7.1" + ], + [ + "10.0.7.2", + "10.0.7.2" + ], + [ + "10.0.7.3", + "10.0.7.3" + ], + [ + "10.0.7.4", + "10.0.7.4" + ], + [ + "10.0.7.5", + "10.0.7.5" + ], + [ + "10.0.7.6", + "10.0.7.6" + ], + [ + "10.0.7.7", + "10.0.7.7" + ], + [ + "10.0.7.8", + "10.0.7.8" + ], + [ + "10.0.7.9", + "10.0.7.9" + ], + [ + "10.0.7.10", + "10.0.7.10" + ], + [ + "10.0.7.11", + "10.0.7.11" + ], + [ + "10.0.7.12", + "10.0.7.12" + ], + [ + "10.0.7.13", + "10.0.7.13" + ], + [ + "10.0.7.14", + "10.0.7.14" + ], + [ + "10.0.7.15", + "10.0.7.15" + ], + [ + "10.0.7.16", + "10.0.7.16" + ], + [ + "10.0.7.17", + "10.0.7.17" + ], + [ + "10.0.7.18", + "10.0.7.18" + ], + [ + "10.0.7.19", + "10.0.7.19" + ], + [ + "10.0.7.20", + "10.0.7.20" + ], + [ + "10.0.7.21", + "10.0.7.21" + ], + [ + "10.0.7.22", + "10.0.7.22" + ], + [ + "10.0.7.23", + "10.0.7.23" + ], + [ + "10.0.7.24", + "10.0.7.24" + ], + [ + "10.0.7.25", + "10.0.7.25" + ], + [ + "10.0.7.26", + "10.0.7.26" + ], + [ + "10.0.7.27", + "10.0.7.27" + ], + [ + "10.0.7.28", + "10.0.7.28" + ], + [ + "10.0.7.29", + "10.0.7.29" + ], + [ + "10.0.7.30", + "10.0.7.30" + ], + [ + "10.0.7.31", + "10.0.7.31" + ], + [ + "10.0.8.1", + "10.0.8.1" + ], + [ + "10.0.8.2", + "10.0.8.2" + ], + [ + "10.0.8.3", + "10.0.8.3" + ], + [ + "10.0.8.4", + "10.0.8.4" + ], + [ + "10.0.8.5", + "10.0.8.5" + ], + [ + "10.0.8.6", + "10.0.8.6" + ], + [ + "10.0.8.7", + "10.0.8.7" + ], + [ + "10.0.8.8", + "10.0.8.8" + ], + [ + "10.0.8.9", + "10.0.8.9" + ], + [ + "10.0.8.10", + "10.0.8.10" + ], + [ + "10.0.8.11", + "10.0.8.11" + ], + [ + "10.0.8.12", + "10.0.8.12" + ], + [ + "10.0.8.13", + "10.0.8.13" + ], + [ + "10.0.8.14", + "10.0.8.14" + ], + [ + "10.0.8.15", + "10.0.8.15" + ], + [ + "10.0.8.16", + "10.0.8.16" + ], + [ + "10.0.8.17", + "10.0.8.17" + ], + [ + "10.0.8.18", + "10.0.8.18" + ], + [ + "10.0.8.19", + "10.0.8.19" + ], + [ + "10.0.8.20", + "10.0.8.20" + ], + [ + "10.0.8.21", + "10.0.8.21" + ], + [ + "10.0.8.22", + "10.0.8.22" + ], + [ + "10.0.8.23", + "10.0.8.23" + ], + [ + "10.0.8.24", + "10.0.8.24" + ], + [ + "10.0.8.25", + "10.0.8.25" + ], + [ + "10.0.8.26", + "10.0.8.26" + ], + [ + "10.0.8.27", + "10.0.8.27" + ], + [ + "10.0.8.28", + "10.0.8.28" + ], + [ + "10.0.8.29", + "10.0.8.29" + ], + [ + "10.0.8.30", + "10.0.8.30" + ], + [ + "10.0.8.31", + "10.0.8.31" + ], + [ + "10.0.9.1", + "10.0.9.1" + ], + [ + "10.0.9.2", + "10.0.9.2" + ], + [ + "10.0.9.3", + "10.0.9.3" + ], + [ + "10.0.9.4", + "10.0.9.4" + ], + [ + "10.0.9.5", + "10.0.9.5" + ], + [ + "10.0.9.6", + "10.0.9.6" + ], + [ + "10.0.9.7", + "10.0.9.7" + ], + [ + "10.0.9.8", + "10.0.9.8" + ], + [ + "10.0.9.9", + "10.0.9.9" + ], + [ + "10.0.9.10", + "10.0.9.10" + ], + [ + "10.0.9.11", + "10.0.9.11" + ], + [ + "10.0.9.12", + "10.0.9.12" + ], + [ + "10.0.9.13", + "10.0.9.13" + ], + [ + "10.0.9.14", + "10.0.9.14" + ], + [ + "10.0.9.15", + "10.0.9.15" + ], + [ + "10.0.9.16", + "10.0.9.16" + ], + [ + "10.0.9.17", + "10.0.9.17" + ], + [ + "10.0.9.18", + "10.0.9.18" + ], + [ + "10.0.9.19", + "10.0.9.19" + ], + [ + "10.0.9.20", + "10.0.9.20" + ], + [ + "10.0.9.21", + "10.0.9.21" + ], + [ + "10.0.9.22", + "10.0.9.22" + ], + [ + "10.0.9.23", + "10.0.9.23" + ], + [ + "10.0.9.24", + "10.0.9.24" + ], + [ + "10.0.9.25", + "10.0.9.25" + ], + [ + "10.0.9.26", + "10.0.9.26" + ], + [ + "10.0.9.27", + "10.0.9.27" + ], + [ + "10.0.9.28", + "10.0.9.28" + ], + [ + "10.0.9.29", + "10.0.9.29" + ], + [ + "10.0.9.30", + "10.0.9.30" + ], + [ + "10.0.9.31", + "10.0.9.31" + ], + [ + "10.0.10.1", + "10.0.10.1" + ], + [ + "10.0.10.2", + "10.0.10.2" + ], + [ + "10.0.10.3", + "10.0.10.3" + ], + [ + "10.0.10.4", + "10.0.10.4" + ], + [ + "10.0.10.5", + "10.0.10.5" + ], + [ + "10.0.10.6", + "10.0.10.6" + ], + [ + "10.0.10.7", + "10.0.10.7" + ], + [ + "10.0.10.8", + "10.0.10.8" + ], + [ + "10.0.10.9", + "10.0.10.9" + ], + [ + "10.0.10.10", + "10.0.10.10" + ], + [ + "10.0.10.11", + "10.0.10.11" + ], + [ + "10.0.10.12", + "10.0.10.12" + ], + [ + "10.0.10.13", + "10.0.10.13" + ], + [ + "10.0.10.14", + "10.0.10.14" + ], + [ + "10.0.10.15", + "10.0.10.15" + ], + [ + "10.0.10.16", + "10.0.10.16" + ], + [ + "10.0.10.17", + "10.0.10.17" + ], + [ + "10.0.10.18", + "10.0.10.18" + ], + [ + "10.0.10.19", + "10.0.10.19" + ], + [ + "10.0.10.20", + "10.0.10.20" + ], + [ + "10.0.10.21", + "10.0.10.21" + ], + [ + "10.0.10.22", + "10.0.10.22" + ], + [ + "10.0.10.23", + "10.0.10.23" + ], + [ + "10.0.10.24", + "10.0.10.24" + ], + [ + "10.0.10.25", + "10.0.10.25" + ], + [ + "10.0.10.26", + "10.0.10.26" + ], + [ + "10.0.10.27", + "10.0.10.27" + ], + [ + "10.0.10.28", + "10.0.10.28" + ], + [ + "10.0.10.29", + "10.0.10.29" + ], + [ + "10.0.10.30", + "10.0.10.30" + ], + [ + "10.0.10.31", + "10.0.10.31" + ], + [ + "10.0.11.1", + "10.0.11.1" + ], + [ + "10.0.11.2", + "10.0.11.2" + ], + [ + "10.0.11.3", + "10.0.11.3" + ], + [ + "10.0.11.4", + "10.0.11.4" + ], + [ + "10.0.11.5", + "10.0.11.5" + ], + [ + "10.0.11.6", + "10.0.11.6" + ], + [ + "10.0.11.7", + "10.0.11.7" + ], + [ + "10.0.11.8", + "10.0.11.8" + ], + [ + "10.0.11.9", + "10.0.11.9" + ], + [ + "10.0.11.10", + "10.0.11.10" + ], + [ + "10.0.11.11", + "10.0.11.11" + ], + [ + "10.0.11.12", + "10.0.11.12" + ], + [ + "10.0.11.13", + "10.0.11.13" + ], + [ + "10.0.11.14", + "10.0.11.14" + ], + [ + "10.0.11.15", + "10.0.11.15" + ], + [ + "10.0.11.16", + "10.0.11.16" + ], + [ + "10.0.11.17", + "10.0.11.17" + ], + [ + "10.0.11.18", + "10.0.11.18" + ], + [ + "10.0.11.19", + "10.0.11.19" + ], + [ + "10.0.11.20", + "10.0.11.20" + ], + [ + "10.0.11.21", + "10.0.11.21" + ], + [ + "10.0.11.22", + "10.0.11.22" + ], + [ + "10.0.11.23", + "10.0.11.23" + ], + [ + "10.0.11.24", + "10.0.11.24" + ], + [ + "10.0.11.25", + "10.0.11.25" + ], + [ + "10.0.11.26", + "10.0.11.26" + ], + [ + "10.0.11.27", + "10.0.11.27" + ], + [ + "10.0.11.28", + "10.0.11.28" + ], + [ + "10.0.11.29", + "10.0.11.29" + ], + [ + "10.0.11.30", + "10.0.11.30" + ], + [ + "10.0.11.31", + "10.0.11.31" + ], + [ + "10.0.12.1", + "10.0.12.1" + ], + [ + "10.0.12.2", + "10.0.12.2" + ], + [ + "10.0.12.3", + "10.0.12.3" + ], + [ + "10.0.12.4", + "10.0.12.4" + ], + [ + "10.0.12.5", + "10.0.12.5" + ], + [ + "10.0.12.6", + "10.0.12.6" + ], + [ + "10.0.12.7", + "10.0.12.7" + ], + [ + "10.0.12.8", + "10.0.12.8" + ], + [ + "10.0.12.9", + "10.0.12.9" + ], + [ + "10.0.12.10", + "10.0.12.10" + ], + [ + "10.0.12.11", + "10.0.12.11" + ], + [ + "10.0.12.12", + "10.0.12.12" + ], + [ + "10.0.12.13", + "10.0.12.13" + ], + [ + "10.0.12.14", + "10.0.12.14" + ], + [ + "10.0.12.15", + "10.0.12.15" + ], + [ + "10.0.12.16", + "10.0.12.16" + ], + [ + "10.0.12.17", + "10.0.12.17" + ], + [ + "10.0.12.18", + "10.0.12.18" + ], + [ + "10.0.12.19", + "10.0.12.19" + ], + [ + "10.0.12.20", + "10.0.12.20" + ], + [ + "10.0.12.21", + "10.0.12.21" + ], + [ + "10.0.12.22", + "10.0.12.22" + ], + [ + "10.0.12.23", + "10.0.12.23" + ], + [ + "10.0.12.24", + "10.0.12.24" + ], + [ + "10.0.12.25", + "10.0.12.25" + ], + [ + "10.0.12.26", + "10.0.12.26" + ], + [ + "10.0.12.27", + "10.0.12.27" + ], + [ + "10.0.12.28", + "10.0.12.28" + ], + [ + "10.0.12.29", + "10.0.12.29" + ], + [ + "10.0.12.30", + "10.0.12.30" + ], + [ + "10.0.12.31", + "10.0.12.31" + ], + [ + "10.0.13.1", + "10.0.13.1" + ], + [ + "10.0.13.2", + "10.0.13.2" + ], + [ + "10.0.13.3", + "10.0.13.3" + ], + [ + "10.0.13.4", + "10.0.13.4" + ], + [ + "10.0.13.5", + "10.0.13.5" + ], + [ + "10.0.13.6", + "10.0.13.6" + ], + [ + "10.0.13.7", + "10.0.13.7" + ], + [ + "10.0.13.8", + "10.0.13.8" + ], + [ + "10.0.13.9", + "10.0.13.9" + ], + [ + "10.0.13.10", + "10.0.13.10" + ], + [ + "10.0.13.11", + "10.0.13.11" + ], + [ + "10.0.13.12", + "10.0.13.12" + ], + [ + "10.0.13.13", + "10.0.13.13" + ], + [ + "10.0.13.14", + "10.0.13.14" + ], + [ + "10.0.13.15", + "10.0.13.15" + ], + [ + "10.0.13.16", + "10.0.13.16" + ], + [ + "10.0.13.17", + "10.0.13.17" + ], + [ + "10.0.13.18", + "10.0.13.18" + ], + [ + "10.0.13.19", + "10.0.13.19" + ], + [ + "10.0.13.20", + "10.0.13.20" + ], + [ + "10.0.13.21", + "10.0.13.21" + ], + [ + "10.0.13.22", + "10.0.13.22" + ], + [ + "10.0.13.23", + "10.0.13.23" + ], + [ + "10.0.13.24", + "10.0.13.24" + ], + [ + "10.0.13.25", + "10.0.13.25" + ], + [ + "10.0.13.26", + "10.0.13.26" + ], + [ + "10.0.13.27", + "10.0.13.27" + ], + [ + "10.0.13.28", + "10.0.13.28" + ], + [ + "10.0.13.29", + "10.0.13.29" + ], + [ + "10.0.13.30", + "10.0.13.30" + ], + [ + "10.0.13.31", + "10.0.13.31" + ], + [ + "10.0.14.1", + "10.0.14.1" + ], + [ + "10.0.14.2", + "10.0.14.2" + ], + [ + "10.0.14.3", + "10.0.14.3" + ], + [ + "10.0.14.4", + "10.0.14.4" + ], + [ + "10.0.14.5", + "10.0.14.5" + ], + [ + "10.0.14.6", + "10.0.14.6" + ], + [ + "10.0.14.7", + "10.0.14.7" + ], + [ + "10.0.14.8", + "10.0.14.8" + ], + [ + "10.0.14.9", + "10.0.14.9" + ], + [ + "10.0.14.10", + "10.0.14.10" + ], + [ + "10.0.14.11", + "10.0.14.11" + ], + [ + "10.0.14.12", + "10.0.14.12" + ], + [ + "10.0.14.13", + "10.0.14.13" + ], + [ + "10.0.14.14", + "10.0.14.14" + ], + [ + "10.0.14.15", + "10.0.14.15" + ], + [ + "10.0.14.16", + "10.0.14.16" + ], + [ + "10.0.14.17", + "10.0.14.17" + ], + [ + "10.0.14.18", + "10.0.14.18" + ], + [ + "10.0.14.19", + "10.0.14.19" + ], + [ + "10.0.14.20", + "10.0.14.20" + ], + [ + "10.0.14.21", + "10.0.14.21" + ], + [ + "10.0.14.22", + "10.0.14.22" + ], + [ + "10.0.14.23", + "10.0.14.23" + ], + [ + "10.0.14.24", + "10.0.14.24" + ], + [ + "10.0.14.25", + "10.0.14.25" + ], + [ + "10.0.14.26", + "10.0.14.26" + ], + [ + "10.0.14.27", + "10.0.14.27" + ], + [ + "10.0.14.28", + "10.0.14.28" + ], + [ + "10.0.14.29", + "10.0.14.29" + ], + [ + "10.0.14.30", + "10.0.14.30" + ], + [ + "10.0.14.31", + "10.0.14.31" + ], + [ + "10.0.15.1", + "10.0.15.1" + ], + [ + "10.0.15.2", + "10.0.15.2" + ], + [ + "10.0.15.3", + "10.0.15.3" + ], + [ + "10.0.15.4", + "10.0.15.4" + ], + [ + "10.0.15.5", + "10.0.15.5" + ], + [ + "10.0.15.6", + "10.0.15.6" + ], + [ + "10.0.15.7", + "10.0.15.7" + ], + [ + "10.0.15.8", + "10.0.15.8" + ], + [ + "10.0.15.9", + "10.0.15.9" + ], + [ + "10.0.15.10", + "10.0.15.10" + ], + [ + "10.0.15.11", + "10.0.15.11" + ], + [ + "10.0.15.12", + "10.0.15.12" + ], + [ + "10.0.15.13", + "10.0.15.13" + ], + [ + "10.0.15.14", + "10.0.15.14" + ], + [ + "10.0.15.15", + "10.0.15.15" + ], + [ + "10.0.15.16", + "10.0.15.16" + ], + [ + "10.0.15.17", + "10.0.15.17" + ], + [ + "10.0.15.18", + "10.0.15.18" + ], + [ + "10.0.15.19", + "10.0.15.19" + ], + [ + "10.0.15.20", + "10.0.15.20" + ], + [ + "10.0.15.21", + "10.0.15.21" + ], + [ + "10.0.15.22", + "10.0.15.22" + ], + [ + "10.0.15.23", + "10.0.15.23" + ], + [ + "10.0.15.24", + "10.0.15.24" + ], + [ + "10.0.15.25", + "10.0.15.25" + ], + [ + "10.0.15.26", + "10.0.15.26" + ], + [ + "10.0.15.27", + "10.0.15.27" + ], + [ + "10.0.15.28", + "10.0.15.28" + ], + [ + "10.0.15.29", + "10.0.15.29" + ], + [ + "10.0.15.30", + "10.0.15.30" + ], + [ + "10.0.15.31", + "10.0.15.31" + ], + [ + "10.0.16.1", + "10.0.16.1" + ], + [ + "10.0.16.2", + "10.0.16.2" + ], + [ + "10.0.16.3", + "10.0.16.3" + ], + [ + "10.0.16.4", + "10.0.16.4" + ], + [ + "10.0.16.5", + "10.0.16.5" + ], + [ + "10.0.16.6", + "10.0.16.6" + ], + [ + "10.0.16.7", + "10.0.16.7" + ], + [ + "10.0.16.8", + "10.0.16.8" + ], + [ + "10.0.16.9", + "10.0.16.9" + ], + [ + "10.0.16.10", + "10.0.16.10" + ], + [ + "10.0.16.11", + "10.0.16.11" + ], + [ + "10.0.16.12", + "10.0.16.12" + ], + [ + "10.0.16.13", + "10.0.16.13" + ], + [ + "10.0.16.14", + "10.0.16.14" + ], + [ + "10.0.16.15", + "10.0.16.15" + ], + [ + "10.0.16.16", + "10.0.16.16" + ], + [ + "10.0.16.17", + "10.0.16.17" + ], + [ + "10.0.16.18", + "10.0.16.18" + ], + [ + "10.0.16.19", + "10.0.16.19" + ], + [ + "10.0.16.20", + "10.0.16.20" + ], + [ + "10.0.16.21", + "10.0.16.21" + ], + [ + "10.0.16.22", + "10.0.16.22" + ], + [ + "10.0.16.23", + "10.0.16.23" + ], + [ + "10.0.16.24", + "10.0.16.24" + ], + [ + "10.0.16.25", + "10.0.16.25" + ], + [ + "10.0.16.26", + "10.0.16.26" + ], + [ + "10.0.16.27", + "10.0.16.27" + ], + [ + "10.0.16.28", + "10.0.16.28" + ], + [ + "10.0.16.29", + "10.0.16.29" + ], + [ + "10.0.16.30", + "10.0.16.30" + ], + [ + "10.0.16.31", + "10.0.16.31" + ], + [ + "10.0.17.1", + "10.0.17.1" + ], + [ + "10.0.17.2", + "10.0.17.2" + ], + [ + "10.0.17.3", + "10.0.17.3" + ], + [ + "10.0.17.4", + "10.0.17.4" + ], + [ + "10.0.17.5", + "10.0.17.5" + ], + [ + "10.0.17.6", + "10.0.17.6" + ], + [ + "10.0.17.7", + "10.0.17.7" + ], + [ + "10.0.17.8", + "10.0.17.8" + ], + [ + "10.0.17.9", + "10.0.17.9" + ], + [ + "10.0.17.10", + "10.0.17.10" + ], + [ + "10.0.17.11", + "10.0.17.11" + ], + [ + "10.0.17.12", + "10.0.17.12" + ], + [ + "10.0.17.13", + "10.0.17.13" + ], + [ + "10.0.17.14", + "10.0.17.14" + ], + [ + "10.0.17.15", + "10.0.17.15" + ], + [ + "10.0.17.16", + "10.0.17.16" + ], + [ + "10.0.17.17", + "10.0.17.17" + ], + [ + "10.0.17.18", + "10.0.17.18" + ], + [ + "10.0.17.19", + "10.0.17.19" + ], + [ + "10.0.17.20", + "10.0.17.20" + ], + [ + "10.0.17.21", + "10.0.17.21" + ], + [ + "10.0.17.22", + "10.0.17.22" + ], + [ + "10.0.17.23", + "10.0.17.23" + ], + [ + "10.0.17.24", + "10.0.17.24" + ], + [ + "10.0.17.25", + "10.0.17.25" + ], + [ + "10.0.17.26", + "10.0.17.26" + ], + [ + "10.0.17.27", + "10.0.17.27" + ], + [ + "10.0.17.28", + "10.0.17.28" + ], + [ + "10.0.17.29", + "10.0.17.29" + ], + [ + "10.0.17.30", + "10.0.17.30" + ], + [ + "10.0.17.31", + "10.0.17.31" + ], + [ + "10.0.18.1", + "10.0.18.1" + ], + [ + "10.0.18.2", + "10.0.18.2" + ], + [ + "10.0.18.3", + "10.0.18.3" + ], + [ + "10.0.18.4", + "10.0.18.4" + ], + [ + "10.0.18.5", + "10.0.18.5" + ], + [ + "10.0.18.6", + "10.0.18.6" + ], + [ + "10.0.18.7", + "10.0.18.7" + ], + [ + "10.0.18.8", + "10.0.18.8" + ], + [ + "10.0.18.9", + "10.0.18.9" + ], + [ + "10.0.18.10", + "10.0.18.10" + ], + [ + "10.0.18.11", + "10.0.18.11" + ], + [ + "10.0.18.12", + "10.0.18.12" + ], + [ + "10.0.18.13", + "10.0.18.13" + ], + [ + "10.0.18.14", + "10.0.18.14" + ], + [ + "10.0.18.15", + "10.0.18.15" + ], + [ + "10.0.18.16", + "10.0.18.16" + ], + [ + "10.0.18.17", + "10.0.18.17" + ], + [ + "10.0.18.18", + "10.0.18.18" + ], + [ + "10.0.18.19", + "10.0.18.19" + ], + [ + "10.0.18.20", + "10.0.18.20" + ], + [ + "10.0.18.21", + "10.0.18.21" + ], + [ + "10.0.18.22", + "10.0.18.22" + ], + [ + "10.0.18.23", + "10.0.18.23" + ], + [ + "10.0.18.24", + "10.0.18.24" + ], + [ + "10.0.18.25", + "10.0.18.25" + ], + [ + "10.0.18.26", + "10.0.18.26" + ], + [ + "10.0.18.27", + "10.0.18.27" + ], + [ + "10.0.18.28", + "10.0.18.28" + ], + [ + "10.0.18.29", + "10.0.18.29" + ], + [ + "10.0.18.30", + "10.0.18.30" + ], + [ + "10.0.18.31", + "10.0.18.31" + ], + [ + "10.0.19.1", + "10.0.19.1" + ], + [ + "10.0.19.2", + "10.0.19.2" + ], + [ + "10.0.19.3", + "10.0.19.3" + ], + [ + "10.0.19.4", + "10.0.19.4" + ], + [ + "10.0.19.5", + "10.0.19.5" + ], + [ + "10.0.19.6", + "10.0.19.6" + ], + [ + "10.0.19.7", + "10.0.19.7" + ], + [ + "10.0.19.8", + "10.0.19.8" + ], + [ + "10.0.19.9", + "10.0.19.9" + ], + [ + "10.0.19.10", + "10.0.19.10" + ], + [ + "10.0.19.11", + "10.0.19.11" + ], + [ + "10.0.19.12", + "10.0.19.12" + ], + [ + "10.0.19.13", + "10.0.19.13" + ], + [ + "10.0.19.14", + "10.0.19.14" + ], + [ + "10.0.19.15", + "10.0.19.15" + ], + [ + "10.0.19.16", + "10.0.19.16" + ], + [ + "10.0.19.17", + "10.0.19.17" + ], + [ + "10.0.19.18", + "10.0.19.18" + ], + [ + "10.0.19.19", + "10.0.19.19" + ], + [ + "10.0.19.20", + "10.0.19.20" + ], + [ + "10.0.19.21", + "10.0.19.21" + ], + [ + "10.0.19.22", + "10.0.19.22" + ], + [ + "10.0.19.23", + "10.0.19.23" + ], + [ + "10.0.19.24", + "10.0.19.24" + ], + [ + "10.0.19.25", + "10.0.19.25" + ], + [ + "10.0.19.26", + "10.0.19.26" + ], + [ + "10.0.19.27", + "10.0.19.27" + ], + [ + "10.0.19.28", + "10.0.19.28" + ], + [ + "10.0.19.29", + "10.0.19.29" + ], + [ + "10.0.19.30", + "10.0.19.30" + ], + [ + "10.0.19.31", + "10.0.19.31" + ], + [ + "10.0.20.1", + "10.0.20.1" + ], + [ + "10.0.20.2", + "10.0.20.2" + ], + [ + "10.0.20.3", + "10.0.20.3" + ], + [ + "10.0.20.4", + "10.0.20.4" + ], + [ + "10.0.20.5", + "10.0.20.5" + ], + [ + "10.0.20.6", + "10.0.20.6" + ], + [ + "10.0.20.7", + "10.0.20.7" + ], + [ + "10.0.20.8", + "10.0.20.8" + ], + [ + "10.0.20.9", + "10.0.20.9" + ], + [ + "10.0.20.10", + "10.0.20.10" + ], + [ + "10.0.20.11", + "10.0.20.11" + ], + [ + "10.0.20.12", + "10.0.20.12" + ], + [ + "10.0.20.13", + "10.0.20.13" + ], + [ + "10.0.20.14", + "10.0.20.14" + ], + [ + "10.0.20.15", + "10.0.20.15" + ], + [ + "10.0.20.16", + "10.0.20.16" + ], + [ + "10.0.20.17", + "10.0.20.17" + ], + [ + "10.0.20.18", + "10.0.20.18" + ], + [ + "10.0.20.19", + "10.0.20.19" + ], + [ + "10.0.20.20", + "10.0.20.20" + ], + [ + "10.0.20.21", + "10.0.20.21" + ], + [ + "10.0.20.22", + "10.0.20.22" + ], + [ + "10.0.20.23", + "10.0.20.23" + ], + [ + "10.0.20.24", + "10.0.20.24" + ], + [ + "10.0.20.25", + "10.0.20.25" + ], + [ + "10.0.20.26", + "10.0.20.26" + ], + [ + "10.0.20.27", + "10.0.20.27" + ], + [ + "10.0.20.28", + "10.0.20.28" + ], + [ + "10.0.20.29", + "10.0.20.29" + ], + [ + "10.0.20.30", + "10.0.20.30" + ], + [ + "10.0.20.31", + "10.0.20.31" + ], + [ + "10.0.21.1", + "10.0.21.1" + ], + [ + "10.0.21.2", + "10.0.21.2" + ], + [ + "10.0.21.3", + "10.0.21.3" + ], + [ + "10.0.21.4", + "10.0.21.4" + ], + [ + "10.0.21.5", + "10.0.21.5" + ], + [ + "10.0.21.6", + "10.0.21.6" + ], + [ + "10.0.21.7", + "10.0.21.7" + ], + [ + "10.0.21.8", + "10.0.21.8" + ], + [ + "10.0.21.9", + "10.0.21.9" + ], + [ + "10.0.21.10", + "10.0.21.10" + ], + [ + "10.0.21.11", + "10.0.21.11" + ], + [ + "10.0.21.12", + "10.0.21.12" + ], + [ + "10.0.21.13", + "10.0.21.13" + ], + [ + "10.0.21.14", + "10.0.21.14" + ], + [ + "10.0.21.15", + "10.0.21.15" + ], + [ + "10.0.21.16", + "10.0.21.16" + ], + [ + "10.0.21.17", + "10.0.21.17" + ], + [ + "10.0.21.18", + "10.0.21.18" + ], + [ + "10.0.21.19", + "10.0.21.19" + ], + [ + "10.0.21.20", + "10.0.21.20" + ], + [ + "10.0.21.21", + "10.0.21.21" + ], + [ + "10.0.21.22", + "10.0.21.22" + ], + [ + "10.0.21.23", + "10.0.21.23" + ], + [ + "10.0.21.24", + "10.0.21.24" + ], + [ + "10.0.21.25", + "10.0.21.25" + ], + [ + "10.0.21.26", + "10.0.21.26" + ], + [ + "10.0.21.27", + "10.0.21.27" + ], + [ + "10.0.21.28", + "10.0.21.28" + ], + [ + "10.0.21.29", + "10.0.21.29" + ], + [ + "10.0.21.30", + "10.0.21.30" + ], + [ + "10.0.21.31", + "10.0.21.31" + ], + [ + "10.0.22.1", + "10.0.22.1" + ], + [ + "10.0.22.2", + "10.0.22.2" + ], + [ + "10.0.22.3", + "10.0.22.3" + ], + [ + "10.0.22.4", + "10.0.22.4" + ], + [ + "10.0.22.5", + "10.0.22.5" + ], + [ + "10.0.22.6", + "10.0.22.6" + ], + [ + "10.0.22.7", + "10.0.22.7" + ], + [ + "10.0.22.8", + "10.0.22.8" + ], + [ + "10.0.22.9", + "10.0.22.9" + ], + [ + "10.0.22.10", + "10.0.22.10" + ], + [ + "10.0.22.11", + "10.0.22.11" + ], + [ + "10.0.22.12", + "10.0.22.12" + ], + [ + "10.0.22.13", + "10.0.22.13" + ], + [ + "10.0.22.14", + "10.0.22.14" + ], + [ + "10.0.22.15", + "10.0.22.15" + ], + [ + "10.0.22.16", + "10.0.22.16" + ], + [ + "10.0.22.17", + "10.0.22.17" + ], + [ + "10.0.22.18", + "10.0.22.18" + ], + [ + "10.0.22.19", + "10.0.22.19" + ], + [ + "10.0.22.20", + "10.0.22.20" + ], + [ + "10.0.22.21", + "10.0.22.21" + ], + [ + "10.0.22.22", + "10.0.22.22" + ], + [ + "10.0.22.23", + "10.0.22.23" + ], + [ + "10.0.22.24", + "10.0.22.24" + ], + [ + "10.0.22.25", + "10.0.22.25" + ], + [ + "10.0.22.26", + "10.0.22.26" + ], + [ + "10.0.22.27", + "10.0.22.27" + ], + [ + "10.0.22.28", + "10.0.22.28" + ], + [ + "10.0.22.29", + "10.0.22.29" + ], + [ + "10.0.22.30", + "10.0.22.30" + ], + [ + "10.0.22.31", + "10.0.22.31" + ], + [ + "10.0.23.1", + "10.0.23.1" + ], + [ + "10.0.23.2", + "10.0.23.2" + ], + [ + "10.0.23.3", + "10.0.23.3" + ], + [ + "10.0.23.4", + "10.0.23.4" + ], + [ + "10.0.23.5", + "10.0.23.5" + ], + [ + "10.0.23.6", + "10.0.23.6" + ], + [ + "10.0.23.7", + "10.0.23.7" + ], + [ + "10.0.23.8", + "10.0.23.8" + ], + [ + "10.0.23.9", + "10.0.23.9" + ], + [ + "10.0.23.10", + "10.0.23.10" + ], + [ + "10.0.23.11", + "10.0.23.11" + ], + [ + "10.0.23.12", + "10.0.23.12" + ], + [ + "10.0.23.13", + "10.0.23.13" + ], + [ + "10.0.23.14", + "10.0.23.14" + ], + [ + "10.0.23.15", + "10.0.23.15" + ], + [ + "10.0.23.16", + "10.0.23.16" + ], + [ + "10.0.23.17", + "10.0.23.17" + ], + [ + "10.0.23.18", + "10.0.23.18" + ], + [ + "10.0.23.19", + "10.0.23.19" + ], + [ + "10.0.23.20", + "10.0.23.20" + ], + [ + "10.0.23.21", + "10.0.23.21" + ], + [ + "10.0.23.22", + "10.0.23.22" + ], + [ + "10.0.23.23", + "10.0.23.23" + ], + [ + "10.0.23.24", + "10.0.23.24" + ], + [ + "10.0.23.25", + "10.0.23.25" + ], + [ + "10.0.23.26", + "10.0.23.26" + ], + [ + "10.0.23.27", + "10.0.23.27" + ], + [ + "10.0.23.28", + "10.0.23.28" + ], + [ + "10.0.23.29", + "10.0.23.29" + ], + [ + "10.0.23.30", + "10.0.23.30" + ], + [ + "10.0.23.31", + "10.0.23.31" + ], + [ + "10.0.24.1", + "10.0.24.1" + ], + [ + "10.0.24.2", + "10.0.24.2" + ], + [ + "10.0.24.3", + "10.0.24.3" + ], + [ + "10.0.24.4", + "10.0.24.4" + ], + [ + "10.0.24.5", + "10.0.24.5" + ], + [ + "10.0.24.6", + "10.0.24.6" + ], + [ + "10.0.24.7", + "10.0.24.7" + ], + [ + "10.0.24.8", + "10.0.24.8" + ], + [ + "10.0.24.9", + "10.0.24.9" + ], + [ + "10.0.24.10", + "10.0.24.10" + ], + [ + "10.0.24.11", + "10.0.24.11" + ], + [ + "10.0.24.12", + "10.0.24.12" + ], + [ + "10.0.24.13", + "10.0.24.13" + ], + [ + "10.0.24.14", + "10.0.24.14" + ], + [ + "10.0.24.15", + "10.0.24.15" + ], + [ + "10.0.24.16", + "10.0.24.16" + ], + [ + "10.0.24.17", + "10.0.24.17" + ], + [ + "10.0.24.18", + "10.0.24.18" + ], + [ + "10.0.24.19", + "10.0.24.19" + ], + [ + "10.0.24.20", + "10.0.24.20" + ], + [ + "10.0.24.21", + "10.0.24.21" + ], + [ + "10.0.24.22", + "10.0.24.22" + ], + [ + "10.0.24.23", + "10.0.24.23" + ], + [ + "10.0.24.24", + "10.0.24.24" + ], + [ + "10.0.24.25", + "10.0.24.25" + ], + [ + "10.0.24.26", + "10.0.24.26" + ], + [ + "10.0.24.27", + "10.0.24.27" + ], + [ + "10.0.24.28", + "10.0.24.28" + ], + [ + "10.0.24.29", + "10.0.24.29" + ], + [ + "10.0.24.30", + "10.0.24.30" + ], + [ + "10.0.24.31", + "10.0.24.31" + ], + [ + "10.0.25.1", + "10.0.25.1" + ], + [ + "10.0.25.2", + "10.0.25.2" + ], + [ + "10.0.25.3", + "10.0.25.3" + ], + [ + "10.0.25.4", + "10.0.25.4" + ], + [ + "10.0.25.5", + "10.0.25.5" + ], + [ + "10.0.25.6", + "10.0.25.6" + ], + [ + "10.0.25.7", + "10.0.25.7" + ], + [ + "10.0.25.8", + "10.0.25.8" + ], + [ + "10.0.25.9", + "10.0.25.9" + ], + [ + "10.0.25.10", + "10.0.25.10" + ], + [ + "10.0.25.11", + "10.0.25.11" + ], + [ + "10.0.25.12", + "10.0.25.12" + ], + [ + "10.0.25.13", + "10.0.25.13" + ], + [ + "10.0.25.14", + "10.0.25.14" + ], + [ + "10.0.25.15", + "10.0.25.15" + ], + [ + "10.0.25.16", + "10.0.25.16" + ], + [ + "10.0.25.17", + "10.0.25.17" + ], + [ + "10.0.25.18", + "10.0.25.18" + ], + [ + "10.0.25.19", + "10.0.25.19" + ], + [ + "10.0.25.20", + "10.0.25.20" + ], + [ + "10.0.25.21", + "10.0.25.21" + ], + [ + "10.0.25.22", + "10.0.25.22" + ], + [ + "10.0.25.23", + "10.0.25.23" + ], + [ + "10.0.25.24", + "10.0.25.24" + ], + [ + "10.0.25.25", + "10.0.25.25" + ], + [ + "10.0.25.26", + "10.0.25.26" + ], + [ + "10.0.25.27", + "10.0.25.27" + ], + [ + "10.0.25.28", + "10.0.25.28" + ], + [ + "10.0.25.29", + "10.0.25.29" + ], + [ + "10.0.25.30", + "10.0.25.30" + ], + [ + "10.0.25.31", + "10.0.25.31" + ], + [ + "10.0.26.1", + "10.0.26.1" + ], + [ + "10.0.26.2", + "10.0.26.2" + ], + [ + "10.0.26.3", + "10.0.26.3" + ], + [ + "10.0.26.4", + "10.0.26.4" + ], + [ + "10.0.26.5", + "10.0.26.5" + ], + [ + "10.0.26.6", + "10.0.26.6" + ], + [ + "10.0.26.7", + "10.0.26.7" + ], + [ + "10.0.26.8", + "10.0.26.8" + ], + [ + "10.0.26.9", + "10.0.26.9" + ], + [ + "10.0.26.10", + "10.0.26.10" + ], + [ + "10.0.26.11", + "10.0.26.11" + ], + [ + "10.0.26.12", + "10.0.26.12" + ], + [ + "10.0.26.13", + "10.0.26.13" + ], + [ + "10.0.26.14", + "10.0.26.14" + ], + [ + "10.0.26.15", + "10.0.26.15" + ], + [ + "10.0.26.16", + "10.0.26.16" + ], + [ + "10.0.26.17", + "10.0.26.17" + ], + [ + "10.0.26.18", + "10.0.26.18" + ], + [ + "10.0.26.19", + "10.0.26.19" + ], + [ + "10.0.26.20", + "10.0.26.20" + ], + [ + "10.0.26.21", + "10.0.26.21" + ], + [ + "10.0.26.22", + "10.0.26.22" + ], + [ + "10.0.26.23", + "10.0.26.23" + ], + [ + "10.0.26.24", + "10.0.26.24" + ], + [ + "10.0.26.25", + "10.0.26.25" + ], + [ + "10.0.26.26", + "10.0.26.26" + ], + [ + "10.0.26.27", + "10.0.26.27" + ], + [ + "10.0.26.28", + "10.0.26.28" + ], + [ + "10.0.26.29", + "10.0.26.29" + ], + [ + "10.0.26.30", + "10.0.26.30" + ], + [ + "10.0.26.31", + "10.0.26.31" + ], + [ + "10.0.27.1", + "10.0.27.1" + ], + [ + "10.0.27.2", + "10.0.27.2" + ], + [ + "10.0.27.3", + "10.0.27.3" + ], + [ + "10.0.27.4", + "10.0.27.4" + ], + [ + "10.0.27.5", + "10.0.27.5" + ], + [ + "10.0.27.6", + "10.0.27.6" + ], + [ + "10.0.27.7", + "10.0.27.7" + ], + [ + "10.0.27.8", + "10.0.27.8" + ], + [ + "10.0.27.9", + "10.0.27.9" + ], + [ + "10.0.27.10", + "10.0.27.10" + ], + [ + "10.0.27.11", + "10.0.27.11" + ], + [ + "10.0.27.12", + "10.0.27.12" + ], + [ + "10.0.27.13", + "10.0.27.13" + ], + [ + "10.0.27.14", + "10.0.27.14" + ], + [ + "10.0.27.15", + "10.0.27.15" + ], + [ + "10.0.27.16", + "10.0.27.16" + ], + [ + "10.0.27.17", + "10.0.27.17" + ], + [ + "10.0.27.18", + "10.0.27.18" + ], + [ + "10.0.27.19", + "10.0.27.19" + ], + [ + "10.0.27.20", + "10.0.27.20" + ], + [ + "10.0.27.21", + "10.0.27.21" + ], + [ + "10.0.27.22", + "10.0.27.22" + ], + [ + "10.0.27.23", + "10.0.27.23" + ], + [ + "10.0.27.24", + "10.0.27.24" + ], + [ + "10.0.27.25", + "10.0.27.25" + ], + [ + "10.0.27.26", + "10.0.27.26" + ], + [ + "10.0.27.27", + "10.0.27.27" + ], + [ + "10.0.27.28", + "10.0.27.28" + ], + [ + "10.0.27.29", + "10.0.27.29" + ], + [ + "10.0.27.30", + "10.0.27.30" + ], + [ + "10.0.27.31", + "10.0.27.31" + ], + [ + "10.0.28.1", + "10.0.28.1" + ], + [ + "10.0.28.2", + "10.0.28.2" + ], + [ + "10.0.28.3", + "10.0.28.3" + ], + [ + "10.0.28.4", + "10.0.28.4" + ], + [ + "10.0.28.5", + "10.0.28.5" + ], + [ + "10.0.28.6", + "10.0.28.6" + ], + [ + "10.0.28.7", + "10.0.28.7" + ], + [ + "10.0.28.8", + "10.0.28.8" + ], + [ + "10.0.28.9", + "10.0.28.9" + ], + [ + "10.0.28.10", + "10.0.28.10" + ], + [ + "10.0.28.11", + "10.0.28.11" + ], + [ + "10.0.28.12", + "10.0.28.12" + ], + [ + "10.0.28.13", + "10.0.28.13" + ], + [ + "10.0.28.14", + "10.0.28.14" + ], + [ + "10.0.28.15", + "10.0.28.15" + ], + [ + "10.0.28.16", + "10.0.28.16" + ], + [ + "10.0.28.17", + "10.0.28.17" + ], + [ + "10.0.28.18", + "10.0.28.18" + ], + [ + "10.0.28.19", + "10.0.28.19" + ], + [ + "10.0.28.20", + "10.0.28.20" + ], + [ + "10.0.28.21", + "10.0.28.21" + ], + [ + "10.0.28.22", + "10.0.28.22" + ], + [ + "10.0.28.23", + "10.0.28.23" + ], + [ + "10.0.28.24", + "10.0.28.24" + ], + [ + "10.0.28.25", + "10.0.28.25" + ], + [ + "10.0.28.26", + "10.0.28.26" + ], + [ + "10.0.28.27", + "10.0.28.27" + ], + [ + "10.0.28.28", + "10.0.28.28" + ], + [ + "10.0.28.29", + "10.0.28.29" + ], + [ + "10.0.28.30", + "10.0.28.30" + ], + [ + "10.0.28.31", + "10.0.28.31" + ], + [ + "10.0.29.1", + "10.0.29.1" + ], + [ + "10.0.29.2", + "10.0.29.2" + ], + [ + "10.0.29.3", + "10.0.29.3" + ], + [ + "10.0.29.4", + "10.0.29.4" + ], + [ + "10.0.29.5", + "10.0.29.5" + ], + [ + "10.0.29.6", + "10.0.29.6" + ], + [ + "10.0.29.7", + "10.0.29.7" + ], + [ + "10.0.29.8", + "10.0.29.8" + ], + [ + "10.0.29.9", + "10.0.29.9" + ], + [ + "10.0.29.10", + "10.0.29.10" + ], + [ + "10.0.29.11", + "10.0.29.11" + ], + [ + "10.0.29.12", + "10.0.29.12" + ], + [ + "10.0.29.13", + "10.0.29.13" + ], + [ + "10.0.29.14", + "10.0.29.14" + ], + [ + "10.0.29.15", + "10.0.29.15" + ], + [ + "10.0.29.16", + "10.0.29.16" + ], + [ + "10.0.29.17", + "10.0.29.17" + ], + [ + "10.0.29.18", + "10.0.29.18" + ], + [ + "10.0.29.19", + "10.0.29.19" + ], + [ + "10.0.29.20", + "10.0.29.20" + ], + [ + "10.0.29.21", + "10.0.29.21" + ], + [ + "10.0.29.22", + "10.0.29.22" + ], + [ + "10.0.29.23", + "10.0.29.23" + ], + [ + "10.0.29.24", + "10.0.29.24" + ], + [ + "10.0.29.25", + "10.0.29.25" + ], + [ + "10.0.29.26", + "10.0.29.26" + ], + [ + "10.0.29.27", + "10.0.29.27" + ], + [ + "10.0.29.28", + "10.0.29.28" + ], + [ + "10.0.29.29", + "10.0.29.29" + ], + [ + "10.0.29.30", + "10.0.29.30" + ], + [ + "10.0.29.31", + "10.0.29.31" + ], + [ + "10.0.30.1", + "10.0.30.1" + ], + [ + "10.0.30.2", + "10.0.30.2" + ], + [ + "10.0.30.3", + "10.0.30.3" + ], + [ + "10.0.30.4", + "10.0.30.4" + ], + [ + "10.0.30.5", + "10.0.30.5" + ], + [ + "10.0.30.6", + "10.0.30.6" + ], + [ + "10.0.30.7", + "10.0.30.7" + ], + [ + "10.0.30.8", + "10.0.30.8" + ], + [ + "10.0.30.9", + "10.0.30.9" + ], + [ + "10.0.30.10", + "10.0.30.10" + ], + [ + "10.0.30.11", + "10.0.30.11" + ], + [ + "10.0.30.12", + "10.0.30.12" + ], + [ + "10.0.30.13", + "10.0.30.13" + ], + [ + "10.0.30.14", + "10.0.30.14" + ], + [ + "10.0.30.15", + "10.0.30.15" + ], + [ + "10.0.30.16", + "10.0.30.16" + ], + [ + "10.0.30.17", + "10.0.30.17" + ], + [ + "10.0.30.18", + "10.0.30.18" + ], + [ + "10.0.30.19", + "10.0.30.19" + ], + [ + "10.0.30.20", + "10.0.30.20" + ], + [ + "10.0.30.21", + "10.0.30.21" + ], + [ + "10.0.30.22", + "10.0.30.22" + ], + [ + "10.0.30.23", + "10.0.30.23" + ], + [ + "10.0.30.24", + "10.0.30.24" + ], + [ + "10.0.30.25", + "10.0.30.25" + ], + [ + "10.0.30.26", + "10.0.30.26" + ], + [ + "10.0.30.27", + "10.0.30.27" + ], + [ + "10.0.30.28", + "10.0.30.28" + ], + [ + "10.0.30.29", + "10.0.30.29" + ], + [ + "10.0.30.30", + "10.0.30.30" + ], + [ + "10.0.30.31", + "10.0.30.31" + ], + [ + "10.0.31.1", + "10.0.31.1" + ], + [ + "10.0.31.2", + "10.0.31.2" + ], + [ + "10.0.31.3", + "10.0.31.3" + ], + [ + "10.0.31.4", + "10.0.31.4" + ], + [ + "10.0.31.5", + "10.0.31.5" + ], + [ + "10.0.31.6", + "10.0.31.6" + ], + [ + "10.0.31.7", + "10.0.31.7" + ], + [ + "10.0.31.8", + "10.0.31.8" + ], + [ + "10.0.31.9", + "10.0.31.9" + ], + [ + "10.0.31.10", + "10.0.31.10" + ], + [ + "10.0.31.11", + "10.0.31.11" + ], + [ + "10.0.31.12", + "10.0.31.12" + ], + [ + "10.0.31.13", + "10.0.31.13" + ], + [ + "10.0.31.14", + "10.0.31.14" + ], + [ + "10.0.31.15", + "10.0.31.15" + ], + [ + "10.0.31.16", + "10.0.31.16" + ], + [ + "10.0.31.17", + "10.0.31.17" + ], + [ + "10.0.31.18", + "10.0.31.18" + ], + [ + "10.0.31.19", + "10.0.31.19" + ], + [ + "10.0.31.20", + "10.0.31.20" + ], + [ + "10.0.31.21", + "10.0.31.21" + ], + [ + "10.0.31.22", + "10.0.31.22" + ], + [ + "10.0.31.23", + "10.0.31.23" + ], + [ + "10.0.31.24", + "10.0.31.24" + ], + [ + "10.0.31.25", + "10.0.31.25" + ], + [ + "10.0.31.26", + "10.0.31.26" + ], + [ + "10.0.31.27", + "10.0.31.27" + ], + [ + "10.0.31.28", + "10.0.31.28" + ], + [ + "10.0.31.29", + "10.0.31.29" + ], + [ + "10.0.31.30", + "10.0.31.30" + ], + [ + "10.0.31.31", + "10.0.31.31" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft new file mode 100644 index 00000000..c651af06 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft @@ -0,0 +1,486 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { 10.0.1.1 : 10.0.1.1, 10.0.1.2 : 10.0.1.2, + 10.0.1.3 : 10.0.1.3, 10.0.1.4 : 10.0.1.4, + 10.0.1.5 : 10.0.1.5, 10.0.1.6 : 10.0.1.6, + 10.0.1.7 : 10.0.1.7, 10.0.1.8 : 10.0.1.8, + 10.0.1.9 : 10.0.1.9, 10.0.1.10 : 10.0.1.10, + 10.0.1.11 : 10.0.1.11, 10.0.1.12 : 10.0.1.12, + 10.0.1.13 : 10.0.1.13, 10.0.1.14 : 10.0.1.14, + 10.0.1.15 : 10.0.1.15, 10.0.1.16 : 10.0.1.16, + 10.0.1.17 : 10.0.1.17, 10.0.1.18 : 10.0.1.18, + 10.0.1.19 : 10.0.1.19, 10.0.1.20 : 10.0.1.20, + 10.0.1.21 : 10.0.1.21, 10.0.1.22 : 10.0.1.22, + 10.0.1.23 : 10.0.1.23, 10.0.1.24 : 10.0.1.24, + 10.0.1.25 : 10.0.1.25, 10.0.1.26 : 10.0.1.26, + 10.0.1.27 : 10.0.1.27, 10.0.1.28 : 10.0.1.28, + 10.0.1.29 : 10.0.1.29, 10.0.1.30 : 10.0.1.30, + 10.0.1.31 : 10.0.1.31, 10.0.2.1 : 10.0.2.1, + 10.0.2.2 : 10.0.2.2, 10.0.2.3 : 10.0.2.3, + 10.0.2.4 : 10.0.2.4, 10.0.2.5 : 10.0.2.5, + 10.0.2.6 : 10.0.2.6, 10.0.2.7 : 10.0.2.7, + 10.0.2.8 : 10.0.2.8, 10.0.2.9 : 10.0.2.9, + 10.0.2.10 : 10.0.2.10, 10.0.2.11 : 10.0.2.11, + 10.0.2.12 : 10.0.2.12, 10.0.2.13 : 10.0.2.13, + 10.0.2.14 : 10.0.2.14, 10.0.2.15 : 10.0.2.15, + 10.0.2.16 : 10.0.2.16, 10.0.2.17 : 10.0.2.17, + 10.0.2.18 : 10.0.2.18, 10.0.2.19 : 10.0.2.19, + 10.0.2.20 : 10.0.2.20, 10.0.2.21 : 10.0.2.21, + 10.0.2.22 : 10.0.2.22, 10.0.2.23 : 10.0.2.23, + 10.0.2.24 : 10.0.2.24, 10.0.2.25 : 10.0.2.25, + 10.0.2.26 : 10.0.2.26, 10.0.2.27 : 10.0.2.27, + 10.0.2.28 : 10.0.2.28, 10.0.2.29 : 10.0.2.29, + 10.0.2.30 : 10.0.2.30, 10.0.2.31 : 10.0.2.31, + 10.0.3.1 : 10.0.3.1, 10.0.3.2 : 10.0.3.2, + 10.0.3.3 : 10.0.3.3, 10.0.3.4 : 10.0.3.4, + 10.0.3.5 : 10.0.3.5, 10.0.3.6 : 10.0.3.6, + 10.0.3.7 : 10.0.3.7, 10.0.3.8 : 10.0.3.8, + 10.0.3.9 : 10.0.3.9, 10.0.3.10 : 10.0.3.10, + 10.0.3.11 : 10.0.3.11, 10.0.3.12 : 10.0.3.12, + 10.0.3.13 : 10.0.3.13, 10.0.3.14 : 10.0.3.14, + 10.0.3.15 : 10.0.3.15, 10.0.3.16 : 10.0.3.16, + 10.0.3.17 : 10.0.3.17, 10.0.3.18 : 10.0.3.18, + 10.0.3.19 : 10.0.3.19, 10.0.3.20 : 10.0.3.20, + 10.0.3.21 : 10.0.3.21, 10.0.3.22 : 10.0.3.22, + 10.0.3.23 : 10.0.3.23, 10.0.3.24 : 10.0.3.24, + 10.0.3.25 : 10.0.3.25, 10.0.3.26 : 10.0.3.26, + 10.0.3.27 : 10.0.3.27, 10.0.3.28 : 10.0.3.28, + 10.0.3.29 : 10.0.3.29, 10.0.3.30 : 10.0.3.30, + 10.0.3.31 : 10.0.3.31, 10.0.4.1 : 10.0.4.1, + 10.0.4.2 : 10.0.4.2, 10.0.4.3 : 10.0.4.3, + 10.0.4.4 : 10.0.4.4, 10.0.4.5 : 10.0.4.5, + 10.0.4.6 : 10.0.4.6, 10.0.4.7 : 10.0.4.7, + 10.0.4.8 : 10.0.4.8, 10.0.4.9 : 10.0.4.9, + 10.0.4.10 : 10.0.4.10, 10.0.4.11 : 10.0.4.11, + 10.0.4.12 : 10.0.4.12, 10.0.4.13 : 10.0.4.13, + 10.0.4.14 : 10.0.4.14, 10.0.4.15 : 10.0.4.15, + 10.0.4.16 : 10.0.4.16, 10.0.4.17 : 10.0.4.17, + 10.0.4.18 : 10.0.4.18, 10.0.4.19 : 10.0.4.19, + 10.0.4.20 : 10.0.4.20, 10.0.4.21 : 10.0.4.21, + 10.0.4.22 : 10.0.4.22, 10.0.4.23 : 10.0.4.23, + 10.0.4.24 : 10.0.4.24, 10.0.4.25 : 10.0.4.25, + 10.0.4.26 : 10.0.4.26, 10.0.4.27 : 10.0.4.27, + 10.0.4.28 : 10.0.4.28, 10.0.4.29 : 10.0.4.29, + 10.0.4.30 : 10.0.4.30, 10.0.4.31 : 10.0.4.31, + 10.0.5.1 : 10.0.5.1, 10.0.5.2 : 10.0.5.2, + 10.0.5.3 : 10.0.5.3, 10.0.5.4 : 10.0.5.4, + 10.0.5.5 : 10.0.5.5, 10.0.5.6 : 10.0.5.6, + 10.0.5.7 : 10.0.5.7, 10.0.5.8 : 10.0.5.8, + 10.0.5.9 : 10.0.5.9, 10.0.5.10 : 10.0.5.10, + 10.0.5.11 : 10.0.5.11, 10.0.5.12 : 10.0.5.12, + 10.0.5.13 : 10.0.5.13, 10.0.5.14 : 10.0.5.14, + 10.0.5.15 : 10.0.5.15, 10.0.5.16 : 10.0.5.16, + 10.0.5.17 : 10.0.5.17, 10.0.5.18 : 10.0.5.18, + 10.0.5.19 : 10.0.5.19, 10.0.5.20 : 10.0.5.20, + 10.0.5.21 : 10.0.5.21, 10.0.5.22 : 10.0.5.22, + 10.0.5.23 : 10.0.5.23, 10.0.5.24 : 10.0.5.24, + 10.0.5.25 : 10.0.5.25, 10.0.5.26 : 10.0.5.26, + 10.0.5.27 : 10.0.5.27, 10.0.5.28 : 10.0.5.28, + 10.0.5.29 : 10.0.5.29, 10.0.5.30 : 10.0.5.30, + 10.0.5.31 : 10.0.5.31, 10.0.6.1 : 10.0.6.1, + 10.0.6.2 : 10.0.6.2, 10.0.6.3 : 10.0.6.3, + 10.0.6.4 : 10.0.6.4, 10.0.6.5 : 10.0.6.5, + 10.0.6.6 : 10.0.6.6, 10.0.6.7 : 10.0.6.7, + 10.0.6.8 : 10.0.6.8, 10.0.6.9 : 10.0.6.9, + 10.0.6.10 : 10.0.6.10, 10.0.6.11 : 10.0.6.11, + 10.0.6.12 : 10.0.6.12, 10.0.6.13 : 10.0.6.13, + 10.0.6.14 : 10.0.6.14, 10.0.6.15 : 10.0.6.15, + 10.0.6.16 : 10.0.6.16, 10.0.6.17 : 10.0.6.17, + 10.0.6.18 : 10.0.6.18, 10.0.6.19 : 10.0.6.19, + 10.0.6.20 : 10.0.6.20, 10.0.6.21 : 10.0.6.21, + 10.0.6.22 : 10.0.6.22, 10.0.6.23 : 10.0.6.23, + 10.0.6.24 : 10.0.6.24, 10.0.6.25 : 10.0.6.25, + 10.0.6.26 : 10.0.6.26, 10.0.6.27 : 10.0.6.27, + 10.0.6.28 : 10.0.6.28, 10.0.6.29 : 10.0.6.29, + 10.0.6.30 : 10.0.6.30, 10.0.6.31 : 10.0.6.31, + 10.0.7.1 : 10.0.7.1, 10.0.7.2 : 10.0.7.2, + 10.0.7.3 : 10.0.7.3, 10.0.7.4 : 10.0.7.4, + 10.0.7.5 : 10.0.7.5, 10.0.7.6 : 10.0.7.6, + 10.0.7.7 : 10.0.7.7, 10.0.7.8 : 10.0.7.8, + 10.0.7.9 : 10.0.7.9, 10.0.7.10 : 10.0.7.10, + 10.0.7.11 : 10.0.7.11, 10.0.7.12 : 10.0.7.12, + 10.0.7.13 : 10.0.7.13, 10.0.7.14 : 10.0.7.14, + 10.0.7.15 : 10.0.7.15, 10.0.7.16 : 10.0.7.16, + 10.0.7.17 : 10.0.7.17, 10.0.7.18 : 10.0.7.18, + 10.0.7.19 : 10.0.7.19, 10.0.7.20 : 10.0.7.20, + 10.0.7.21 : 10.0.7.21, 10.0.7.22 : 10.0.7.22, + 10.0.7.23 : 10.0.7.23, 10.0.7.24 : 10.0.7.24, + 10.0.7.25 : 10.0.7.25, 10.0.7.26 : 10.0.7.26, + 10.0.7.27 : 10.0.7.27, 10.0.7.28 : 10.0.7.28, + 10.0.7.29 : 10.0.7.29, 10.0.7.30 : 10.0.7.30, + 10.0.7.31 : 10.0.7.31, 10.0.8.1 : 10.0.8.1, + 10.0.8.2 : 10.0.8.2, 10.0.8.3 : 10.0.8.3, + 10.0.8.4 : 10.0.8.4, 10.0.8.5 : 10.0.8.5, + 10.0.8.6 : 10.0.8.6, 10.0.8.7 : 10.0.8.7, + 10.0.8.8 : 10.0.8.8, 10.0.8.9 : 10.0.8.9, + 10.0.8.10 : 10.0.8.10, 10.0.8.11 : 10.0.8.11, + 10.0.8.12 : 10.0.8.12, 10.0.8.13 : 10.0.8.13, + 10.0.8.14 : 10.0.8.14, 10.0.8.15 : 10.0.8.15, + 10.0.8.16 : 10.0.8.16, 10.0.8.17 : 10.0.8.17, + 10.0.8.18 : 10.0.8.18, 10.0.8.19 : 10.0.8.19, + 10.0.8.20 : 10.0.8.20, 10.0.8.21 : 10.0.8.21, + 10.0.8.22 : 10.0.8.22, 10.0.8.23 : 10.0.8.23, + 10.0.8.24 : 10.0.8.24, 10.0.8.25 : 10.0.8.25, + 10.0.8.26 : 10.0.8.26, 10.0.8.27 : 10.0.8.27, + 10.0.8.28 : 10.0.8.28, 10.0.8.29 : 10.0.8.29, + 10.0.8.30 : 10.0.8.30, 10.0.8.31 : 10.0.8.31, + 10.0.9.1 : 10.0.9.1, 10.0.9.2 : 10.0.9.2, + 10.0.9.3 : 10.0.9.3, 10.0.9.4 : 10.0.9.4, + 10.0.9.5 : 10.0.9.5, 10.0.9.6 : 10.0.9.6, + 10.0.9.7 : 10.0.9.7, 10.0.9.8 : 10.0.9.8, + 10.0.9.9 : 10.0.9.9, 10.0.9.10 : 10.0.9.10, + 10.0.9.11 : 10.0.9.11, 10.0.9.12 : 10.0.9.12, + 10.0.9.13 : 10.0.9.13, 10.0.9.14 : 10.0.9.14, + 10.0.9.15 : 10.0.9.15, 10.0.9.16 : 10.0.9.16, + 10.0.9.17 : 10.0.9.17, 10.0.9.18 : 10.0.9.18, + 10.0.9.19 : 10.0.9.19, 10.0.9.20 : 10.0.9.20, + 10.0.9.21 : 10.0.9.21, 10.0.9.22 : 10.0.9.22, + 10.0.9.23 : 10.0.9.23, 10.0.9.24 : 10.0.9.24, + 10.0.9.25 : 10.0.9.25, 10.0.9.26 : 10.0.9.26, + 10.0.9.27 : 10.0.9.27, 10.0.9.28 : 10.0.9.28, + 10.0.9.29 : 10.0.9.29, 10.0.9.30 : 10.0.9.30, + 10.0.9.31 : 10.0.9.31, 10.0.10.1 : 10.0.10.1, + 10.0.10.2 : 10.0.10.2, 10.0.10.3 : 10.0.10.3, + 10.0.10.4 : 10.0.10.4, 10.0.10.5 : 10.0.10.5, + 10.0.10.6 : 10.0.10.6, 10.0.10.7 : 10.0.10.7, + 10.0.10.8 : 10.0.10.8, 10.0.10.9 : 10.0.10.9, + 10.0.10.10 : 10.0.10.10, 10.0.10.11 : 10.0.10.11, + 10.0.10.12 : 10.0.10.12, 10.0.10.13 : 10.0.10.13, + 10.0.10.14 : 10.0.10.14, 10.0.10.15 : 10.0.10.15, + 10.0.10.16 : 10.0.10.16, 10.0.10.17 : 10.0.10.17, + 10.0.10.18 : 10.0.10.18, 10.0.10.19 : 10.0.10.19, + 10.0.10.20 : 10.0.10.20, 10.0.10.21 : 10.0.10.21, + 10.0.10.22 : 10.0.10.22, 10.0.10.23 : 10.0.10.23, + 10.0.10.24 : 10.0.10.24, 10.0.10.25 : 10.0.10.25, + 10.0.10.26 : 10.0.10.26, 10.0.10.27 : 10.0.10.27, + 10.0.10.28 : 10.0.10.28, 10.0.10.29 : 10.0.10.29, + 10.0.10.30 : 10.0.10.30, 10.0.10.31 : 10.0.10.31, + 10.0.11.1 : 10.0.11.1, 10.0.11.2 : 10.0.11.2, + 10.0.11.3 : 10.0.11.3, 10.0.11.4 : 10.0.11.4, + 10.0.11.5 : 10.0.11.5, 10.0.11.6 : 10.0.11.6, + 10.0.11.7 : 10.0.11.7, 10.0.11.8 : 10.0.11.8, + 10.0.11.9 : 10.0.11.9, 10.0.11.10 : 10.0.11.10, + 10.0.11.11 : 10.0.11.11, 10.0.11.12 : 10.0.11.12, + 10.0.11.13 : 10.0.11.13, 10.0.11.14 : 10.0.11.14, + 10.0.11.15 : 10.0.11.15, 10.0.11.16 : 10.0.11.16, + 10.0.11.17 : 10.0.11.17, 10.0.11.18 : 10.0.11.18, + 10.0.11.19 : 10.0.11.19, 10.0.11.20 : 10.0.11.20, + 10.0.11.21 : 10.0.11.21, 10.0.11.22 : 10.0.11.22, + 10.0.11.23 : 10.0.11.23, 10.0.11.24 : 10.0.11.24, + 10.0.11.25 : 10.0.11.25, 10.0.11.26 : 10.0.11.26, + 10.0.11.27 : 10.0.11.27, 10.0.11.28 : 10.0.11.28, + 10.0.11.29 : 10.0.11.29, 10.0.11.30 : 10.0.11.30, + 10.0.11.31 : 10.0.11.31, 10.0.12.1 : 10.0.12.1, + 10.0.12.2 : 10.0.12.2, 10.0.12.3 : 10.0.12.3, + 10.0.12.4 : 10.0.12.4, 10.0.12.5 : 10.0.12.5, + 10.0.12.6 : 10.0.12.6, 10.0.12.7 : 10.0.12.7, + 10.0.12.8 : 10.0.12.8, 10.0.12.9 : 10.0.12.9, + 10.0.12.10 : 10.0.12.10, 10.0.12.11 : 10.0.12.11, + 10.0.12.12 : 10.0.12.12, 10.0.12.13 : 10.0.12.13, + 10.0.12.14 : 10.0.12.14, 10.0.12.15 : 10.0.12.15, + 10.0.12.16 : 10.0.12.16, 10.0.12.17 : 10.0.12.17, + 10.0.12.18 : 10.0.12.18, 10.0.12.19 : 10.0.12.19, + 10.0.12.20 : 10.0.12.20, 10.0.12.21 : 10.0.12.21, + 10.0.12.22 : 10.0.12.22, 10.0.12.23 : 10.0.12.23, + 10.0.12.24 : 10.0.12.24, 10.0.12.25 : 10.0.12.25, + 10.0.12.26 : 10.0.12.26, 10.0.12.27 : 10.0.12.27, + 10.0.12.28 : 10.0.12.28, 10.0.12.29 : 10.0.12.29, + 10.0.12.30 : 10.0.12.30, 10.0.12.31 : 10.0.12.31, + 10.0.13.1 : 10.0.13.1, 10.0.13.2 : 10.0.13.2, + 10.0.13.3 : 10.0.13.3, 10.0.13.4 : 10.0.13.4, + 10.0.13.5 : 10.0.13.5, 10.0.13.6 : 10.0.13.6, + 10.0.13.7 : 10.0.13.7, 10.0.13.8 : 10.0.13.8, + 10.0.13.9 : 10.0.13.9, 10.0.13.10 : 10.0.13.10, + 10.0.13.11 : 10.0.13.11, 10.0.13.12 : 10.0.13.12, + 10.0.13.13 : 10.0.13.13, 10.0.13.14 : 10.0.13.14, + 10.0.13.15 : 10.0.13.15, 10.0.13.16 : 10.0.13.16, + 10.0.13.17 : 10.0.13.17, 10.0.13.18 : 10.0.13.18, + 10.0.13.19 : 10.0.13.19, 10.0.13.20 : 10.0.13.20, + 10.0.13.21 : 10.0.13.21, 10.0.13.22 : 10.0.13.22, + 10.0.13.23 : 10.0.13.23, 10.0.13.24 : 10.0.13.24, + 10.0.13.25 : 10.0.13.25, 10.0.13.26 : 10.0.13.26, + 10.0.13.27 : 10.0.13.27, 10.0.13.28 : 10.0.13.28, + 10.0.13.29 : 10.0.13.29, 10.0.13.30 : 10.0.13.30, + 10.0.13.31 : 10.0.13.31, 10.0.14.1 : 10.0.14.1, + 10.0.14.2 : 10.0.14.2, 10.0.14.3 : 10.0.14.3, + 10.0.14.4 : 10.0.14.4, 10.0.14.5 : 10.0.14.5, + 10.0.14.6 : 10.0.14.6, 10.0.14.7 : 10.0.14.7, + 10.0.14.8 : 10.0.14.8, 10.0.14.9 : 10.0.14.9, + 10.0.14.10 : 10.0.14.10, 10.0.14.11 : 10.0.14.11, + 10.0.14.12 : 10.0.14.12, 10.0.14.13 : 10.0.14.13, + 10.0.14.14 : 10.0.14.14, 10.0.14.15 : 10.0.14.15, + 10.0.14.16 : 10.0.14.16, 10.0.14.17 : 10.0.14.17, + 10.0.14.18 : 10.0.14.18, 10.0.14.19 : 10.0.14.19, + 10.0.14.20 : 10.0.14.20, 10.0.14.21 : 10.0.14.21, + 10.0.14.22 : 10.0.14.22, 10.0.14.23 : 10.0.14.23, + 10.0.14.24 : 10.0.14.24, 10.0.14.25 : 10.0.14.25, + 10.0.14.26 : 10.0.14.26, 10.0.14.27 : 10.0.14.27, + 10.0.14.28 : 10.0.14.28, 10.0.14.29 : 10.0.14.29, + 10.0.14.30 : 10.0.14.30, 10.0.14.31 : 10.0.14.31, + 10.0.15.1 : 10.0.15.1, 10.0.15.2 : 10.0.15.2, + 10.0.15.3 : 10.0.15.3, 10.0.15.4 : 10.0.15.4, + 10.0.15.5 : 10.0.15.5, 10.0.15.6 : 10.0.15.6, + 10.0.15.7 : 10.0.15.7, 10.0.15.8 : 10.0.15.8, + 10.0.15.9 : 10.0.15.9, 10.0.15.10 : 10.0.15.10, + 10.0.15.11 : 10.0.15.11, 10.0.15.12 : 10.0.15.12, + 10.0.15.13 : 10.0.15.13, 10.0.15.14 : 10.0.15.14, + 10.0.15.15 : 10.0.15.15, 10.0.15.16 : 10.0.15.16, + 10.0.15.17 : 10.0.15.17, 10.0.15.18 : 10.0.15.18, + 10.0.15.19 : 10.0.15.19, 10.0.15.20 : 10.0.15.20, + 10.0.15.21 : 10.0.15.21, 10.0.15.22 : 10.0.15.22, + 10.0.15.23 : 10.0.15.23, 10.0.15.24 : 10.0.15.24, + 10.0.15.25 : 10.0.15.25, 10.0.15.26 : 10.0.15.26, + 10.0.15.27 : 10.0.15.27, 10.0.15.28 : 10.0.15.28, + 10.0.15.29 : 10.0.15.29, 10.0.15.30 : 10.0.15.30, + 10.0.15.31 : 10.0.15.31, 10.0.16.1 : 10.0.16.1, + 10.0.16.2 : 10.0.16.2, 10.0.16.3 : 10.0.16.3, + 10.0.16.4 : 10.0.16.4, 10.0.16.5 : 10.0.16.5, + 10.0.16.6 : 10.0.16.6, 10.0.16.7 : 10.0.16.7, + 10.0.16.8 : 10.0.16.8, 10.0.16.9 : 10.0.16.9, + 10.0.16.10 : 10.0.16.10, 10.0.16.11 : 10.0.16.11, + 10.0.16.12 : 10.0.16.12, 10.0.16.13 : 10.0.16.13, + 10.0.16.14 : 10.0.16.14, 10.0.16.15 : 10.0.16.15, + 10.0.16.16 : 10.0.16.16, 10.0.16.17 : 10.0.16.17, + 10.0.16.18 : 10.0.16.18, 10.0.16.19 : 10.0.16.19, + 10.0.16.20 : 10.0.16.20, 10.0.16.21 : 10.0.16.21, + 10.0.16.22 : 10.0.16.22, 10.0.16.23 : 10.0.16.23, + 10.0.16.24 : 10.0.16.24, 10.0.16.25 : 10.0.16.25, + 10.0.16.26 : 10.0.16.26, 10.0.16.27 : 10.0.16.27, + 10.0.16.28 : 10.0.16.28, 10.0.16.29 : 10.0.16.29, + 10.0.16.30 : 10.0.16.30, 10.0.16.31 : 10.0.16.31, + 10.0.17.1 : 10.0.17.1, 10.0.17.2 : 10.0.17.2, + 10.0.17.3 : 10.0.17.3, 10.0.17.4 : 10.0.17.4, + 10.0.17.5 : 10.0.17.5, 10.0.17.6 : 10.0.17.6, + 10.0.17.7 : 10.0.17.7, 10.0.17.8 : 10.0.17.8, + 10.0.17.9 : 10.0.17.9, 10.0.17.10 : 10.0.17.10, + 10.0.17.11 : 10.0.17.11, 10.0.17.12 : 10.0.17.12, + 10.0.17.13 : 10.0.17.13, 10.0.17.14 : 10.0.17.14, + 10.0.17.15 : 10.0.17.15, 10.0.17.16 : 10.0.17.16, + 10.0.17.17 : 10.0.17.17, 10.0.17.18 : 10.0.17.18, + 10.0.17.19 : 10.0.17.19, 10.0.17.20 : 10.0.17.20, + 10.0.17.21 : 10.0.17.21, 10.0.17.22 : 10.0.17.22, + 10.0.17.23 : 10.0.17.23, 10.0.17.24 : 10.0.17.24, + 10.0.17.25 : 10.0.17.25, 10.0.17.26 : 10.0.17.26, + 10.0.17.27 : 10.0.17.27, 10.0.17.28 : 10.0.17.28, + 10.0.17.29 : 10.0.17.29, 10.0.17.30 : 10.0.17.30, + 10.0.17.31 : 10.0.17.31, 10.0.18.1 : 10.0.18.1, + 10.0.18.2 : 10.0.18.2, 10.0.18.3 : 10.0.18.3, + 10.0.18.4 : 10.0.18.4, 10.0.18.5 : 10.0.18.5, + 10.0.18.6 : 10.0.18.6, 10.0.18.7 : 10.0.18.7, + 10.0.18.8 : 10.0.18.8, 10.0.18.9 : 10.0.18.9, + 10.0.18.10 : 10.0.18.10, 10.0.18.11 : 10.0.18.11, + 10.0.18.12 : 10.0.18.12, 10.0.18.13 : 10.0.18.13, + 10.0.18.14 : 10.0.18.14, 10.0.18.15 : 10.0.18.15, + 10.0.18.16 : 10.0.18.16, 10.0.18.17 : 10.0.18.17, + 10.0.18.18 : 10.0.18.18, 10.0.18.19 : 10.0.18.19, + 10.0.18.20 : 10.0.18.20, 10.0.18.21 : 10.0.18.21, + 10.0.18.22 : 10.0.18.22, 10.0.18.23 : 10.0.18.23, + 10.0.18.24 : 10.0.18.24, 10.0.18.25 : 10.0.18.25, + 10.0.18.26 : 10.0.18.26, 10.0.18.27 : 10.0.18.27, + 10.0.18.28 : 10.0.18.28, 10.0.18.29 : 10.0.18.29, + 10.0.18.30 : 10.0.18.30, 10.0.18.31 : 10.0.18.31, + 10.0.19.1 : 10.0.19.1, 10.0.19.2 : 10.0.19.2, + 10.0.19.3 : 10.0.19.3, 10.0.19.4 : 10.0.19.4, + 10.0.19.5 : 10.0.19.5, 10.0.19.6 : 10.0.19.6, + 10.0.19.7 : 10.0.19.7, 10.0.19.8 : 10.0.19.8, + 10.0.19.9 : 10.0.19.9, 10.0.19.10 : 10.0.19.10, + 10.0.19.11 : 10.0.19.11, 10.0.19.12 : 10.0.19.12, + 10.0.19.13 : 10.0.19.13, 10.0.19.14 : 10.0.19.14, + 10.0.19.15 : 10.0.19.15, 10.0.19.16 : 10.0.19.16, + 10.0.19.17 : 10.0.19.17, 10.0.19.18 : 10.0.19.18, + 10.0.19.19 : 10.0.19.19, 10.0.19.20 : 10.0.19.20, + 10.0.19.21 : 10.0.19.21, 10.0.19.22 : 10.0.19.22, + 10.0.19.23 : 10.0.19.23, 10.0.19.24 : 10.0.19.24, + 10.0.19.25 : 10.0.19.25, 10.0.19.26 : 10.0.19.26, + 10.0.19.27 : 10.0.19.27, 10.0.19.28 : 10.0.19.28, + 10.0.19.29 : 10.0.19.29, 10.0.19.30 : 10.0.19.30, + 10.0.19.31 : 10.0.19.31, 10.0.20.1 : 10.0.20.1, + 10.0.20.2 : 10.0.20.2, 10.0.20.3 : 10.0.20.3, + 10.0.20.4 : 10.0.20.4, 10.0.20.5 : 10.0.20.5, + 10.0.20.6 : 10.0.20.6, 10.0.20.7 : 10.0.20.7, + 10.0.20.8 : 10.0.20.8, 10.0.20.9 : 10.0.20.9, + 10.0.20.10 : 10.0.20.10, 10.0.20.11 : 10.0.20.11, + 10.0.20.12 : 10.0.20.12, 10.0.20.13 : 10.0.20.13, + 10.0.20.14 : 10.0.20.14, 10.0.20.15 : 10.0.20.15, + 10.0.20.16 : 10.0.20.16, 10.0.20.17 : 10.0.20.17, + 10.0.20.18 : 10.0.20.18, 10.0.20.19 : 10.0.20.19, + 10.0.20.20 : 10.0.20.20, 10.0.20.21 : 10.0.20.21, + 10.0.20.22 : 10.0.20.22, 10.0.20.23 : 10.0.20.23, + 10.0.20.24 : 10.0.20.24, 10.0.20.25 : 10.0.20.25, + 10.0.20.26 : 10.0.20.26, 10.0.20.27 : 10.0.20.27, + 10.0.20.28 : 10.0.20.28, 10.0.20.29 : 10.0.20.29, + 10.0.20.30 : 10.0.20.30, 10.0.20.31 : 10.0.20.31, + 10.0.21.1 : 10.0.21.1, 10.0.21.2 : 10.0.21.2, + 10.0.21.3 : 10.0.21.3, 10.0.21.4 : 10.0.21.4, + 10.0.21.5 : 10.0.21.5, 10.0.21.6 : 10.0.21.6, + 10.0.21.7 : 10.0.21.7, 10.0.21.8 : 10.0.21.8, + 10.0.21.9 : 10.0.21.9, 10.0.21.10 : 10.0.21.10, + 10.0.21.11 : 10.0.21.11, 10.0.21.12 : 10.0.21.12, + 10.0.21.13 : 10.0.21.13, 10.0.21.14 : 10.0.21.14, + 10.0.21.15 : 10.0.21.15, 10.0.21.16 : 10.0.21.16, + 10.0.21.17 : 10.0.21.17, 10.0.21.18 : 10.0.21.18, + 10.0.21.19 : 10.0.21.19, 10.0.21.20 : 10.0.21.20, + 10.0.21.21 : 10.0.21.21, 10.0.21.22 : 10.0.21.22, + 10.0.21.23 : 10.0.21.23, 10.0.21.24 : 10.0.21.24, + 10.0.21.25 : 10.0.21.25, 10.0.21.26 : 10.0.21.26, + 10.0.21.27 : 10.0.21.27, 10.0.21.28 : 10.0.21.28, + 10.0.21.29 : 10.0.21.29, 10.0.21.30 : 10.0.21.30, + 10.0.21.31 : 10.0.21.31, 10.0.22.1 : 10.0.22.1, + 10.0.22.2 : 10.0.22.2, 10.0.22.3 : 10.0.22.3, + 10.0.22.4 : 10.0.22.4, 10.0.22.5 : 10.0.22.5, + 10.0.22.6 : 10.0.22.6, 10.0.22.7 : 10.0.22.7, + 10.0.22.8 : 10.0.22.8, 10.0.22.9 : 10.0.22.9, + 10.0.22.10 : 10.0.22.10, 10.0.22.11 : 10.0.22.11, + 10.0.22.12 : 10.0.22.12, 10.0.22.13 : 10.0.22.13, + 10.0.22.14 : 10.0.22.14, 10.0.22.15 : 10.0.22.15, + 10.0.22.16 : 10.0.22.16, 10.0.22.17 : 10.0.22.17, + 10.0.22.18 : 10.0.22.18, 10.0.22.19 : 10.0.22.19, + 10.0.22.20 : 10.0.22.20, 10.0.22.21 : 10.0.22.21, + 10.0.22.22 : 10.0.22.22, 10.0.22.23 : 10.0.22.23, + 10.0.22.24 : 10.0.22.24, 10.0.22.25 : 10.0.22.25, + 10.0.22.26 : 10.0.22.26, 10.0.22.27 : 10.0.22.27, + 10.0.22.28 : 10.0.22.28, 10.0.22.29 : 10.0.22.29, + 10.0.22.30 : 10.0.22.30, 10.0.22.31 : 10.0.22.31, + 10.0.23.1 : 10.0.23.1, 10.0.23.2 : 10.0.23.2, + 10.0.23.3 : 10.0.23.3, 10.0.23.4 : 10.0.23.4, + 10.0.23.5 : 10.0.23.5, 10.0.23.6 : 10.0.23.6, + 10.0.23.7 : 10.0.23.7, 10.0.23.8 : 10.0.23.8, + 10.0.23.9 : 10.0.23.9, 10.0.23.10 : 10.0.23.10, + 10.0.23.11 : 10.0.23.11, 10.0.23.12 : 10.0.23.12, + 10.0.23.13 : 10.0.23.13, 10.0.23.14 : 10.0.23.14, + 10.0.23.15 : 10.0.23.15, 10.0.23.16 : 10.0.23.16, + 10.0.23.17 : 10.0.23.17, 10.0.23.18 : 10.0.23.18, + 10.0.23.19 : 10.0.23.19, 10.0.23.20 : 10.0.23.20, + 10.0.23.21 : 10.0.23.21, 10.0.23.22 : 10.0.23.22, + 10.0.23.23 : 10.0.23.23, 10.0.23.24 : 10.0.23.24, + 10.0.23.25 : 10.0.23.25, 10.0.23.26 : 10.0.23.26, + 10.0.23.27 : 10.0.23.27, 10.0.23.28 : 10.0.23.28, + 10.0.23.29 : 10.0.23.29, 10.0.23.30 : 10.0.23.30, + 10.0.23.31 : 10.0.23.31, 10.0.24.1 : 10.0.24.1, + 10.0.24.2 : 10.0.24.2, 10.0.24.3 : 10.0.24.3, + 10.0.24.4 : 10.0.24.4, 10.0.24.5 : 10.0.24.5, + 10.0.24.6 : 10.0.24.6, 10.0.24.7 : 10.0.24.7, + 10.0.24.8 : 10.0.24.8, 10.0.24.9 : 10.0.24.9, + 10.0.24.10 : 10.0.24.10, 10.0.24.11 : 10.0.24.11, + 10.0.24.12 : 10.0.24.12, 10.0.24.13 : 10.0.24.13, + 10.0.24.14 : 10.0.24.14, 10.0.24.15 : 10.0.24.15, + 10.0.24.16 : 10.0.24.16, 10.0.24.17 : 10.0.24.17, + 10.0.24.18 : 10.0.24.18, 10.0.24.19 : 10.0.24.19, + 10.0.24.20 : 10.0.24.20, 10.0.24.21 : 10.0.24.21, + 10.0.24.22 : 10.0.24.22, 10.0.24.23 : 10.0.24.23, + 10.0.24.24 : 10.0.24.24, 10.0.24.25 : 10.0.24.25, + 10.0.24.26 : 10.0.24.26, 10.0.24.27 : 10.0.24.27, + 10.0.24.28 : 10.0.24.28, 10.0.24.29 : 10.0.24.29, + 10.0.24.30 : 10.0.24.30, 10.0.24.31 : 10.0.24.31, + 10.0.25.1 : 10.0.25.1, 10.0.25.2 : 10.0.25.2, + 10.0.25.3 : 10.0.25.3, 10.0.25.4 : 10.0.25.4, + 10.0.25.5 : 10.0.25.5, 10.0.25.6 : 10.0.25.6, + 10.0.25.7 : 10.0.25.7, 10.0.25.8 : 10.0.25.8, + 10.0.25.9 : 10.0.25.9, 10.0.25.10 : 10.0.25.10, + 10.0.25.11 : 10.0.25.11, 10.0.25.12 : 10.0.25.12, + 10.0.25.13 : 10.0.25.13, 10.0.25.14 : 10.0.25.14, + 10.0.25.15 : 10.0.25.15, 10.0.25.16 : 10.0.25.16, + 10.0.25.17 : 10.0.25.17, 10.0.25.18 : 10.0.25.18, + 10.0.25.19 : 10.0.25.19, 10.0.25.20 : 10.0.25.20, + 10.0.25.21 : 10.0.25.21, 10.0.25.22 : 10.0.25.22, + 10.0.25.23 : 10.0.25.23, 10.0.25.24 : 10.0.25.24, + 10.0.25.25 : 10.0.25.25, 10.0.25.26 : 10.0.25.26, + 10.0.25.27 : 10.0.25.27, 10.0.25.28 : 10.0.25.28, + 10.0.25.29 : 10.0.25.29, 10.0.25.30 : 10.0.25.30, + 10.0.25.31 : 10.0.25.31, 10.0.26.1 : 10.0.26.1, + 10.0.26.2 : 10.0.26.2, 10.0.26.3 : 10.0.26.3, + 10.0.26.4 : 10.0.26.4, 10.0.26.5 : 10.0.26.5, + 10.0.26.6 : 10.0.26.6, 10.0.26.7 : 10.0.26.7, + 10.0.26.8 : 10.0.26.8, 10.0.26.9 : 10.0.26.9, + 10.0.26.10 : 10.0.26.10, 10.0.26.11 : 10.0.26.11, + 10.0.26.12 : 10.0.26.12, 10.0.26.13 : 10.0.26.13, + 10.0.26.14 : 10.0.26.14, 10.0.26.15 : 10.0.26.15, + 10.0.26.16 : 10.0.26.16, 10.0.26.17 : 10.0.26.17, + 10.0.26.18 : 10.0.26.18, 10.0.26.19 : 10.0.26.19, + 10.0.26.20 : 10.0.26.20, 10.0.26.21 : 10.0.26.21, + 10.0.26.22 : 10.0.26.22, 10.0.26.23 : 10.0.26.23, + 10.0.26.24 : 10.0.26.24, 10.0.26.25 : 10.0.26.25, + 10.0.26.26 : 10.0.26.26, 10.0.26.27 : 10.0.26.27, + 10.0.26.28 : 10.0.26.28, 10.0.26.29 : 10.0.26.29, + 10.0.26.30 : 10.0.26.30, 10.0.26.31 : 10.0.26.31, + 10.0.27.1 : 10.0.27.1, 10.0.27.2 : 10.0.27.2, + 10.0.27.3 : 10.0.27.3, 10.0.27.4 : 10.0.27.4, + 10.0.27.5 : 10.0.27.5, 10.0.27.6 : 10.0.27.6, + 10.0.27.7 : 10.0.27.7, 10.0.27.8 : 10.0.27.8, + 10.0.27.9 : 10.0.27.9, 10.0.27.10 : 10.0.27.10, + 10.0.27.11 : 10.0.27.11, 10.0.27.12 : 10.0.27.12, + 10.0.27.13 : 10.0.27.13, 10.0.27.14 : 10.0.27.14, + 10.0.27.15 : 10.0.27.15, 10.0.27.16 : 10.0.27.16, + 10.0.27.17 : 10.0.27.17, 10.0.27.18 : 10.0.27.18, + 10.0.27.19 : 10.0.27.19, 10.0.27.20 : 10.0.27.20, + 10.0.27.21 : 10.0.27.21, 10.0.27.22 : 10.0.27.22, + 10.0.27.23 : 10.0.27.23, 10.0.27.24 : 10.0.27.24, + 10.0.27.25 : 10.0.27.25, 10.0.27.26 : 10.0.27.26, + 10.0.27.27 : 10.0.27.27, 10.0.27.28 : 10.0.27.28, + 10.0.27.29 : 10.0.27.29, 10.0.27.30 : 10.0.27.30, + 10.0.27.31 : 10.0.27.31, 10.0.28.1 : 10.0.28.1, + 10.0.28.2 : 10.0.28.2, 10.0.28.3 : 10.0.28.3, + 10.0.28.4 : 10.0.28.4, 10.0.28.5 : 10.0.28.5, + 10.0.28.6 : 10.0.28.6, 10.0.28.7 : 10.0.28.7, + 10.0.28.8 : 10.0.28.8, 10.0.28.9 : 10.0.28.9, + 10.0.28.10 : 10.0.28.10, 10.0.28.11 : 10.0.28.11, + 10.0.28.12 : 10.0.28.12, 10.0.28.13 : 10.0.28.13, + 10.0.28.14 : 10.0.28.14, 10.0.28.15 : 10.0.28.15, + 10.0.28.16 : 10.0.28.16, 10.0.28.17 : 10.0.28.17, + 10.0.28.18 : 10.0.28.18, 10.0.28.19 : 10.0.28.19, + 10.0.28.20 : 10.0.28.20, 10.0.28.21 : 10.0.28.21, + 10.0.28.22 : 10.0.28.22, 10.0.28.23 : 10.0.28.23, + 10.0.28.24 : 10.0.28.24, 10.0.28.25 : 10.0.28.25, + 10.0.28.26 : 10.0.28.26, 10.0.28.27 : 10.0.28.27, + 10.0.28.28 : 10.0.28.28, 10.0.28.29 : 10.0.28.29, + 10.0.28.30 : 10.0.28.30, 10.0.28.31 : 10.0.28.31, + 10.0.29.1 : 10.0.29.1, 10.0.29.2 : 10.0.29.2, + 10.0.29.3 : 10.0.29.3, 10.0.29.4 : 10.0.29.4, + 10.0.29.5 : 10.0.29.5, 10.0.29.6 : 10.0.29.6, + 10.0.29.7 : 10.0.29.7, 10.0.29.8 : 10.0.29.8, + 10.0.29.9 : 10.0.29.9, 10.0.29.10 : 10.0.29.10, + 10.0.29.11 : 10.0.29.11, 10.0.29.12 : 10.0.29.12, + 10.0.29.13 : 10.0.29.13, 10.0.29.14 : 10.0.29.14, + 10.0.29.15 : 10.0.29.15, 10.0.29.16 : 10.0.29.16, + 10.0.29.17 : 10.0.29.17, 10.0.29.18 : 10.0.29.18, + 10.0.29.19 : 10.0.29.19, 10.0.29.20 : 10.0.29.20, + 10.0.29.21 : 10.0.29.21, 10.0.29.22 : 10.0.29.22, + 10.0.29.23 : 10.0.29.23, 10.0.29.24 : 10.0.29.24, + 10.0.29.25 : 10.0.29.25, 10.0.29.26 : 10.0.29.26, + 10.0.29.27 : 10.0.29.27, 10.0.29.28 : 10.0.29.28, + 10.0.29.29 : 10.0.29.29, 10.0.29.30 : 10.0.29.30, + 10.0.29.31 : 10.0.29.31, 10.0.30.1 : 10.0.30.1, + 10.0.30.2 : 10.0.30.2, 10.0.30.3 : 10.0.30.3, + 10.0.30.4 : 10.0.30.4, 10.0.30.5 : 10.0.30.5, + 10.0.30.6 : 10.0.30.6, 10.0.30.7 : 10.0.30.7, + 10.0.30.8 : 10.0.30.8, 10.0.30.9 : 10.0.30.9, + 10.0.30.10 : 10.0.30.10, 10.0.30.11 : 10.0.30.11, + 10.0.30.12 : 10.0.30.12, 10.0.30.13 : 10.0.30.13, + 10.0.30.14 : 10.0.30.14, 10.0.30.15 : 10.0.30.15, + 10.0.30.16 : 10.0.30.16, 10.0.30.17 : 10.0.30.17, + 10.0.30.18 : 10.0.30.18, 10.0.30.19 : 10.0.30.19, + 10.0.30.20 : 10.0.30.20, 10.0.30.21 : 10.0.30.21, + 10.0.30.22 : 10.0.30.22, 10.0.30.23 : 10.0.30.23, + 10.0.30.24 : 10.0.30.24, 10.0.30.25 : 10.0.30.25, + 10.0.30.26 : 10.0.30.26, 10.0.30.27 : 10.0.30.27, + 10.0.30.28 : 10.0.30.28, 10.0.30.29 : 10.0.30.29, + 10.0.30.30 : 10.0.30.30, 10.0.30.31 : 10.0.30.31, + 10.0.31.1 : 10.0.31.1, 10.0.31.2 : 10.0.31.2, + 10.0.31.3 : 10.0.31.3, 10.0.31.4 : 10.0.31.4, + 10.0.31.5 : 10.0.31.5, 10.0.31.6 : 10.0.31.6, + 10.0.31.7 : 10.0.31.7, 10.0.31.8 : 10.0.31.8, + 10.0.31.9 : 10.0.31.9, 10.0.31.10 : 10.0.31.10, + 10.0.31.11 : 10.0.31.11, 10.0.31.12 : 10.0.31.12, + 10.0.31.13 : 10.0.31.13, 10.0.31.14 : 10.0.31.14, + 10.0.31.15 : 10.0.31.15, 10.0.31.16 : 10.0.31.16, + 10.0.31.17 : 10.0.31.17, 10.0.31.18 : 10.0.31.18, + 10.0.31.19 : 10.0.31.19, 10.0.31.20 : 10.0.31.20, + 10.0.31.21 : 10.0.31.21, 10.0.31.22 : 10.0.31.22, + 10.0.31.23 : 10.0.31.23, 10.0.31.24 : 10.0.31.24, + 10.0.31.25 : 10.0.31.25, 10.0.31.26 : 10.0.31.26, + 10.0.31.27 : 10.0.31.27, 10.0.31.28 : 10.0.31.28, + 10.0.31.29 : 10.0.31.29, 10.0.31.30 : 10.0.31.30, + 10.0.31.31 : 10.0.31.31 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump diff --git a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.json-nft b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.json-nft new file mode 100644 index 00000000..d1a46295 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.json-nft @@ -0,0 +1,69 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "10.1.1.0", + "len": 24 + } + }, + "10.0.1.1" + ], + [ + { + "prefix": { + "addr": "10.1.2.0", + "len": 24 + } + }, + "10.0.1.2" + ], + [ + { + "prefix": { + "addr": "10.2.1.0", + "len": 24 + } + }, + "10.0.2.1" + ], + [ + { + "prefix": { + "addr": "10.2.2.0", + "len": 24 + } + }, + "10.0.2.2" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.json-nft b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.json-nft new file mode 100644 index 00000000..1e983219 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + "10.0.0.1" + ], + [ + { + "prefix": { + "addr": "10.0.2.0", + "len": 24 + } + }, + "10.0.0.2" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft new file mode 100644 index 00000000..ef57a749 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "m1", + "table": "t", + "type": "ifname", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "eth0", + "1.1.1.1" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "value": { + "map": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": "@m1" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "value": { + "map": { + "key": { + "meta": { + "key": "oifname" + } + }, + "data": "@m1" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft new file mode 100644 index 00000000..bd3c6cc7 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft @@ -0,0 +1,159 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "flags": [ + "interval" + ], + "elem": [ + [ + "127.0.0.2", + 2 + ], + [ + "127.0.0.3", + 3 + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": "@m" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": 2 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": 3 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft new file mode 100644 index 00000000..a470a340 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft @@ -0,0 +1,15 @@ +table ip filter { + map m { + type ipv4_addr : mark + flags interval + elements = { 127.0.0.2 : 0x00000002, 127.0.0.3 : 0x00000003 } + } + + chain input { + type filter hook input priority filter; policy accept; + meta mark set ip daddr map @m + meta mark 0x00000002 counter packets 0 bytes 0 accept + meta mark 0x00000003 counter packets 0 bytes 0 accept + counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.json-nft b/tests/shell/testcases/maps/dumps/0009vmap_0.json-nft new file mode 100644 index 00000000..345a2c74 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0009vmap_0.json-nft @@ -0,0 +1,117 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 22, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + { + "elem": { + "val": "lo", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.nft b/tests/shell/testcases/maps/dumps/0009vmap_0.nft new file mode 100644 index 00000000..c37574ad --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0009vmap_0.nft @@ -0,0 +1,13 @@ +table inet filter { + chain ssh_input { + } + + chain wan_input { + tcp dport vmap { 22 : jump ssh_input } + } + + chain prerouting { + type filter hook prerouting priority raw; policy accept; + iif vmap { "lo" counter packets 0 bytes 0 : jump wan_input } + } +} diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft new file mode 100644 index 00000000..fcc23bb8 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft @@ -0,0 +1,106 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "z", + "table": "x", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ], + "elem": [ + [ + { + "concat": [ + "1.1.1.1", + "tcp", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@z" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft new file mode 100644 index 00000000..2f796b51 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft @@ -0,0 +1,11 @@ +table inet x { + map z { + type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service + elements = { 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30 } + } + + chain y { + type nat hook prerouting priority dstnat; policy accept; + dnat ip to ip saddr . ip protocol . tcp dport map @z + } +} diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft new file mode 100644 index 00000000..8f07378a --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft @@ -0,0 +1,145 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "portmap", + "table": "filter", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "elem": [ + [ + { + "elem": { + "val": 22, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "jump": { + "target": "ssh_input" + } + } + ], + [ + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@portmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + "lo", + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.nft b/tests/shell/testcases/maps/dumps/0011vmap_0.nft new file mode 100644 index 00000000..4a72b5e7 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0011vmap_0.nft @@ -0,0 +1,19 @@ +table inet filter { + map portmap { + type inet_service : verdict + counter + elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop } + } + + chain ssh_input { + } + + chain wan_input { + tcp dport vmap @portmap + } + + chain prerouting { + type filter hook prerouting priority raw; policy accept; + iif vmap { "lo" : jump wan_input } + } +} diff --git a/tests/shell/testcases/maps/dumps/0012map_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_0.json-nft new file mode 100644 index 00000000..2892e11d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0012map_0.json-nft @@ -0,0 +1,97 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ifname", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "lo", + { + "accept": null + } + ], + [ + "eth0", + { + "drop": null + } + ], + [ + "eth1", + { + "drop": null + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": { + "set": [ + [ + "lo", + { + "accept": null + } + ], + [ + "eth0", + { + "drop": null + } + ], + [ + "eth1", + { + "drop": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0012map_0.nft b/tests/shell/testcases/maps/dumps/0012map_0.nft new file mode 100644 index 00000000..e734fc1c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0012map_0.nft @@ -0,0 +1,12 @@ +table ip x { + map z { + type ifname : verdict + elements = { "lo" : accept, + "eth0" : drop, + "eth1" : drop } + } + + chain y { + iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop } + } +} diff --git a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft new file mode 100644 index 00000000..00052236 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft @@ -0,0 +1,132 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "k", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 1, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "w", + "table": "x", + "type": [ + "ipv4_addr", + "mark" + ], + "handle": 0, + "map": "verdict", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "elem": { + "val": { + "concat": [ + { + "range": [ + "127.0.0.1", + "127.0.0.4" + ] + }, + { + "range": [ + 1193012, + 11534626 + ] + } + ] + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ] + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "k", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 1193012 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "k", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "data": "@w" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0012map_concat_0.nft b/tests/shell/testcases/maps/dumps/0012map_concat_0.nft new file mode 100644 index 00000000..6649d034 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0012map_concat_0.nft @@ -0,0 +1,14 @@ +table ip x { + map w { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { 127.0.0.1-127.0.0.4 . 0x00123434-0x00b00122 counter packets 0 bytes 0 : accept } + } + + chain k { + type filter hook input priority filter + 1; policy accept; + meta mark set 0x00123434 + ip saddr . meta mark vmap @w + } +} diff --git a/tests/shell/testcases/maps/dumps/0013map_0.json-nft b/tests/shell/testcases/maps/dumps/0013map_0.json-nft new file mode 100644 index 00000000..e91a269d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0013map_0.json-nft @@ -0,0 +1,128 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, + { + "map": { + "family": "ip", + "name": "forwport", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "map": "verdict", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "elem": { + "val": { + "concat": [ + "10.133.89.138", + "tcp", + 8081 + ] + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ] + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s8" + } + }, + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "data": "@forwport" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft new file mode 100644 index 00000000..1455877d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0013map_0.nft @@ -0,0 +1,13 @@ +table ip filter { + map forwport { + type ipv4_addr . inet_proto . inet_service : verdict + flags interval + counter + elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept } + } + + chain FORWARD { + type filter hook forward priority filter; policy drop; + iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/maps/dumps/0014destroy_0.json-nft b/tests/shell/testcases/maps/dumps/0014destroy_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0014destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0014destroy_0.nft b/tests/shell/testcases/maps/dumps/0014destroy_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0014destroy_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/maps/dumps/0016map_leak_0.json-nft b/tests/shell/testcases/maps/dumps/0016map_leak_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0016map_leak_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0016map_leak_0.nft b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft new file mode 100644 index 00000000..725498cd --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft @@ -0,0 +1,58 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "elem": [ + [ + "1.1.1.1", + 2 + ], + [ + "*", + 3 + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "elem": [ + [ + "1.1.1.1", + 2 + ], + [ + "*", + 3 + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft new file mode 100644 index 00000000..796dd729 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft @@ -0,0 +1,11 @@ +table ip x { + map y { + typeof ip saddr : meta mark + elements = { 1.1.1.1 : 0x00000002, * : 0x00000003 } + } + + map z { + typeof ip saddr : meta mark + elements = { 1.1.1.1 : 0x00000002, * : 0x00000003 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.json-nft b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft new file mode 100644 index 00000000..aa2f6f8c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft @@ -0,0 +1,165 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "quota", + "elem": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@test" + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/maps/dumps/0024named_objects_0.nft index 2ffa4f2f..2ffa4f2f 100644 --- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft +++ b/tests/shell/testcases/maps/dumps/0024named_objects_0.nft diff --git a/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft b/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft new file mode 100644 index 00000000..64209842 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft @@ -0,0 +1,116 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "ct helper": { + "family": "inet", + "name": "sip-5060u", + "table": "filter", + "handle": 0, + "type": "sip", + "protocol": "udp", + "l3proto": "ip" + } + }, + { + "ct helper": { + "family": "inet", + "name": "sip-5060t", + "table": "filter", + "handle": 0, + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "ct helper": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "udp", + { + "range": [ + 10000, + 20000 + ] + } + ] + }, + "sip-5060u" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + 10000, + 20000 + ] + } + ] + }, + "sip-5060t" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft b/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft new file mode 100644 index 00000000..23aca0a2 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft @@ -0,0 +1,16 @@ +table inet filter { + ct helper sip-5060u { + type "sip" protocol udp + l3proto ip + } + + ct helper sip-5060t { + type "sip" protocol tcp + l3proto ip + } + + chain input { + type filter hook input priority filter; policy accept; + ct helper set ip protocol . th dport map { udp . 10000-20000 : "sip-5060u", tcp . 10000-20000 : "sip-5060t" } + } +} diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.json-nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.json-nft new file mode 100644 index 00000000..f4c55706 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.json-nft @@ -0,0 +1,58 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "2.2.2.2" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/different_map_types_1.json-nft b/tests/shell/testcases/maps/dumps/different_map_types_1.json-nft new file mode 100644 index 00000000..ed0ce0ed --- /dev/null +++ b/tests/shell/testcases/maps/dumps/different_map_types_1.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/different_map_types_1.nft b/tests/shell/testcases/maps/dumps/different_map_types_1.nft new file mode 100644 index 00000000..3c18b5c7 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/different_map_types_1.nft @@ -0,0 +1,5 @@ +table ip filter { + chain output { + type filter hook output priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.json-nft b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.json-nft new file mode 100644 index 00000000..49b8bb29 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "testchain", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft new file mode 100644 index 00000000..37c48bf3 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft @@ -0,0 +1,4 @@ +table ip test { + chain testchain { + } +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free.nodump b/tests/shell/testcases/maps/dumps/map_catchall_double_free.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free.nodump diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft new file mode 100644 index 00000000..a9d4c8e9 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "testchain", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "testmap", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "*", + { + "jump": { + "target": "testchain" + } + } + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.nft b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.nft new file mode 100644 index 00000000..68958c40 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.nft @@ -0,0 +1,9 @@ +table ip test { + map testmap { + type ipv4_addr : verdict + elements = { * : jump testchain } + } + + chain testchain { + } +} diff --git a/tests/shell/testcases/maps/dumps/map_with_flags_0.json-nft b/tests/shell/testcases/maps/dumps/map_with_flags_0.json-nft new file mode 100644 index 00000000..97b7e94e --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_with_flags_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": [ + "timeout" + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/named_ct_objects.nft b/tests/shell/testcases/maps/dumps/named_ct_objects.nft new file mode 100644 index 00000000..59f18932 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_ct_objects.nft @@ -0,0 +1,71 @@ +table inet t { + ct expectation exp1 { + protocol tcp + dport 9876 + timeout 1m + size 12 + l3proto ip + } + + ct expectation exp2 { + protocol tcp + dport 9876 + timeout 3s + size 13 + l3proto ip6 + } + + ct helper myftp { + type "ftp" protocol tcp + l3proto inet + } + + ct timeout dns { + protocol tcp + l3proto ip + policy = { established : 3s, close : 1s } + } + + map exp { + typeof ip saddr : ct expectation + elements = { 192.168.2.2 : "exp1" } + } + + map exp6 { + typeof ip6 saddr : ct expectation + flags interval + elements = { dead:beef::/64 : "exp2" } + } + + map helpobj { + typeof ip6 saddr : ct helper + flags interval + elements = { dead:beef::/64 : "myftp" } + } + + map timeoutmap { + typeof ip daddr : ct timeout + elements = { 192.168.0.1 : "dns" } + } + + set helpname { + typeof ct helper + elements = { "sip", + "ftp" } + } + + chain y { + ct expectation set ip saddr map @exp + ct expectation set ip6 saddr map { dead::beef : "exp2" } + ct expectation set ip6 daddr map { dead::beef : "exp2", feed::17 : "exp2" } + ct expectation set ip6 daddr . tcp dport map { feed::17 . 512 : "exp2", dead::beef . 123 : "exp2" } + ct helper set ip6 saddr map { 1c3::c01d : "myftp", dead::beef : "myftp" } + ct helper set ip6 saddr map @helpobj + ct timeout set ip daddr map @timeoutmap + ct timeout set ip daddr map { 1.2.3.4 : "dns", 5.6.7.8 : "dns", 192.168.8.0/24 : "dns" } + ct timeout set ip daddr map { 1.2.3.4-1.2.3.8 : "dns" } + ct timeout set ip6 daddr map { 1ce::/64 : "dns", dead::beef : "dns" } + ct helper @helpname accept + ip saddr 192.168.1.1 ct timeout set "dns" + } +} diff --git a/tests/shell/testcases/maps/dumps/named_limits.json-nft b/tests/shell/testcases/maps/dumps/named_limits.json-nft new file mode 100644 index 00000000..7fa12981 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_limits.json-nft @@ -0,0 +1,328 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "limit": { + "family": "inet", + "name": "tarpit-pps", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "burst": 5 + } + }, + { + "limit": { + "family": "inet", + "name": "tarpit-bps", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "rate_unit": "kbytes" + } + }, + { + "limit": { + "family": "inet", + "name": "http-bulk-rl-1m", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "rate_unit": "mbytes" + } + }, + { + "limit": { + "family": "inet", + "name": "http-bulk-rl-10m", + "table": "filter", + "handle": 0, + "rate": 10, + "per": "second", + "rate_unit": "mbytes" + } + }, + { + "set": { + "family": "inet", + "name": "tarpit4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 10000, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 60 + } + }, + { + "set": { + "family": "inet", + "name": "tarpit6", + "table": "filter", + "type": "ipv6_addr", + "handle": 0, + "size": 10000, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 60 + } + }, + { + "map": { + "family": "inet", + "name": "addr4limit", + "table": "filter", + "type": [ + "inet_proto", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "map": "limit", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "concat": [ + "tcp", + { + "prefix": { + "addr": "192.168.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 65535 + ] + } + ] + }, + "tarpit-bps" + ], + [ + { + "concat": [ + "udp", + { + "prefix": { + "addr": "192.168.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 65535 + ] + } + ] + }, + "tarpit-pps" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "127.0.0.1", + "127.1.2.3" + ] + }, + { + "range": [ + 1, + 1024 + ] + } + ] + }, + "tarpit-pps" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "10.0.0.1", + "10.0.0.255" + ] + }, + 80 + ] + }, + "http-bulk-rl-1m" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "10.0.0.1", + "10.0.0.255" + ] + }, + 443 + ] + }, + "http-bulk-rl-1m" + ], + [ + { + "concat": [ + "tcp", + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "http-bulk-rl-10m" + ], + [ + { + "concat": [ + "tcp", + "10.0.2.1", + 22 + ] + }, + "http-bulk-rl-10m" + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "saddr6limit", + "table": "filter", + "type": "ipv6_addr", + "handle": 0, + "map": "limit", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "range": [ + "dead::beef", + "dead::1:aced" + ] + }, + "tarpit-pps" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "th", + "field": "sport" + } + } + ] + }, + "data": "@addr4limit" + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": "@saddr6limit" + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/named_limits.nft b/tests/shell/testcases/maps/dumps/named_limits.nft new file mode 100644 index 00000000..214df204 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_limits.nft @@ -0,0 +1,55 @@ +table inet filter { + limit tarpit-pps { + rate 1/second + } + + limit tarpit-bps { + rate 1 kbytes/second + } + + limit http-bulk-rl-1m { + rate 1 mbytes/second + } + + limit http-bulk-rl-10m { + rate 10 mbytes/second + } + + set tarpit4 { + typeof ip saddr + size 10000 + flags dynamic,timeout + timeout 1m + } + + set tarpit6 { + typeof ip6 saddr + size 10000 + flags dynamic,timeout + timeout 1m + } + + map addr4limit { + typeof meta l4proto . ip saddr . tcp sport : limit + flags interval + elements = { tcp . 192.168.0.0/16 . 1-65535 : "tarpit-bps", + udp . 192.168.0.0/16 . 1-65535 : "tarpit-pps", + tcp . 127.0.0.1-127.1.2.3 . 1-1024 : "tarpit-pps", + tcp . 10.0.0.1-10.0.0.255 . 80 : "http-bulk-rl-1m", + tcp . 10.0.0.1-10.0.0.255 . 443 : "http-bulk-rl-1m", + tcp . 10.0.1.0/24 . 1024-65535 : "http-bulk-rl-10m", + tcp . 10.0.2.1 . 22 : "http-bulk-rl-10m" } + } + + map saddr6limit { + typeof ip6 saddr : limit + flags interval + elements = { dead::beef-dead::1:aced : "tarpit-pps" } + } + + chain input { + type filter hook input priority filter; policy accept; + limit name meta l4proto . ip saddr . th sport map @addr4limit + limit name ip6 saddr map @saddr6limit + } +} diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft new file mode 100644 index 00000000..ad9eb36e --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft @@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "nat", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "1.1.1.1", + "2.2.2.2" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@m" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/nat_addr_port.nft b/tests/shell/testcases/maps/dumps/nat_addr_port.nft new file mode 100644 index 00000000..c8493b3a --- /dev/null +++ b/tests/shell/testcases/maps/dumps/nat_addr_port.nft @@ -0,0 +1,129 @@ +table ip ipfoo { + map t1 { + typeof numgen inc mod 2 : ip daddr + } + + map t2 { + typeof numgen inc mod 2 : ip daddr . tcp dport + } + + map x { + type ipv4_addr : ipv4_addr + } + + map y { + type ipv4_addr : ipv4_addr . inet_service + elements = { 192.168.7.2 : 10.1.1.1 . 4242 } + } + + map z { + type ipv4_addr . inet_service : ipv4_addr . inet_service + elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 } + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + iifname != "foobar" accept + dnat to ip daddr map @x + ip saddr 10.1.1.1 dnat to 10.2.3.4 + ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242 + meta l4proto tcp dnat ip to ip saddr map @y + dnat ip to ip saddr . tcp dport map @z + dnat to numgen inc mod 2 map @t1 + meta l4proto tcp dnat ip to numgen inc mod 2 map @t2 + } +} +table ip6 ip6foo { + map t1 { + typeof numgen inc mod 2 : ip6 daddr + } + + map t2 { + typeof numgen inc mod 2 : ip6 daddr . tcp dport + } + + map x { + type ipv6_addr : ipv6_addr + } + + map y { + type ipv6_addr : ipv6_addr . inet_service + } + + map z { + type ipv6_addr . inet_service : ipv6_addr . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + iifname != "foobar" accept + dnat to ip6 daddr map @x + ip6 saddr dead::1 dnat to feed::1 + ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242 + meta l4proto tcp dnat ip6 to ip6 saddr map @y + dnat ip6 to ip6 saddr . tcp dport map @z + dnat to numgen inc mod 2 map @t1 + meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2 + } +} +table inet inetfoo { + map t1v4 { + typeof numgen inc mod 2 : ip daddr + } + + map t2v4 { + typeof numgen inc mod 2 : ip daddr . tcp dport + } + + map t1v6 { + typeof numgen inc mod 2 : ip6 daddr + } + + map t2v6 { + typeof numgen inc mod 2 : ip6 daddr . tcp dport + } + + map x4 { + type ipv4_addr : ipv4_addr + } + + map y4 { + type ipv4_addr : ipv4_addr . inet_service + } + + map z4 { + type ipv4_addr . inet_service : ipv4_addr . inet_service + elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 } + } + + map x6 { + type ipv6_addr : ipv6_addr + } + + map y6 { + type ipv6_addr : ipv6_addr . inet_service + } + + map z6 { + type ipv6_addr . inet_service : ipv6_addr . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + iifname != "foobar" accept + dnat ip to ip daddr map @x4 + ip saddr 10.1.1.1 dnat ip to 10.2.3.4 + ip saddr 10.1.1.2 tcp dport 42 dnat ip to 10.2.3.4:4242 + meta l4proto tcp dnat ip to ip saddr map @y4 + dnat ip to ip saddr . tcp dport map @z4 + dnat ip to numgen inc mod 2 map @t1v4 + meta l4proto tcp dnat ip to numgen inc mod 2 map @t2v4 + dnat ip6 to ip6 daddr map @x6 + ip6 saddr dead::1 dnat ip6 to feed::1 + ip6 saddr dead::2 tcp dport 42 dnat ip6 to [c0::1a]:4242 + meta l4proto tcp dnat ip6 to ip6 saddr map @y6 + dnat ip6 to ip6 saddr . tcp dport map @z6 + dnat ip6 to numgen inc mod 2 map @t1v6 + meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2v6 + } +} diff --git a/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft b/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft new file mode 100644 index 00000000..ef8c3930 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft @@ -0,0 +1,42 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "m", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr" + ], + "handle": 0, + "map": "verdict", + "flags": [ + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/pipapo_double_flush.nft b/tests/shell/testcases/maps/dumps/pipapo_double_flush.nft new file mode 100644 index 00000000..cca569ea --- /dev/null +++ b/tests/shell/testcases/maps/dumps/pipapo_double_flush.nft @@ -0,0 +1,9 @@ +table inet t { + map m { + type ipv4_addr . ipv4_addr : verdict + flags interval + } + + chain c { + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_integer_0.nft b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft new file mode 100644 index 00000000..19c24feb --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft @@ -0,0 +1,20 @@ +table inet t { + map m1 { + typeof udp length . @ih,32,32 : verdict + flags interval + elements = { 20-80 . 0x14 : accept, + 1-10 . 0xa : drop } + } + + map m2 { + typeof udp length . @ih,32,32 : verdict + elements = { 30 . 0x1e : drop, + 20 . 0x24 : accept } + } + + chain c { + udp length . @nh,32,32 vmap @m1 + udp length . @nh,32,32 vmap @m2 + udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft index 4361ca3d..a5c0a609 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_0.nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft @@ -9,8 +9,28 @@ table inet t { elements = { 1 : 0x00000001, 4095 : 0x00004095 } } + map m3 { + typeof ip saddr . ip daddr : meta mark + elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001, + 2.3.4.5 . 6.7.8.9 : 0x00000002 } + } + + map m4 { + typeof iifname . ip protocol . th dport : verdict + elements = { "eth0" . tcp . 22 : accept } + } + + map m5 { + typeof ipsec in reqid . iifname : verdict + elements = { 23 . "eth0" : accept } + } + chain c { ct mark set osf name map @m1 meta mark set vlan id map @m2 + meta mark set ip saddr . ip daddr map @m3 + iifname . ip protocol . th dport vmap @m4 + iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } + ipsec in reqid . iifname vmap @m5 } } diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft new file mode 100644 index 00000000..8130c46c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft @@ -0,0 +1,283 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "dynset", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "dynset", + "name": "test_ping", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "dynset", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "dynmark", + "table": "dynset", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "size": 64, + "flags": [ + "timeout" + ], + "timeout": 300, + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "comment": "should not increment", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "map": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": 1, + "map": "@dynmark" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "comment": "should increment", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "map": { + "op": "delete", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": 1, + "map": "@dynmark" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "comment": "delete should be instant but might fail under memory pressure", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "input", + "handle": 0, + "comment": "also check timeout-gc", + "expr": [ + { + "map": { + "op": "add", + "elem": { + "elem": { + "val": "10.2.3.4", + "timeout": 1 + } + }, + "data": 2, + "map": "@dynmark" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "icmp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.42" + } + }, + { + "jump": { + "target": "test_ping" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft new file mode 100644 index 00000000..9134673c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft @@ -0,0 +1,22 @@ +table ip dynset { + map dynmark { + typeof ip daddr : meta mark + size 64 + counter + timeout 5m + } + + chain test_ping { + ip saddr @dynmark counter packets 0 bytes 0 comment "should not increment" + ip saddr != @dynmark add @dynmark { ip saddr : 0x00000001 } counter packets 1 bytes 84 + ip saddr @dynmark counter packets 1 bytes 84 comment "should increment" + ip saddr @dynmark delete @dynmark { ip saddr : 0x00000001 } + ip saddr @dynmark counter packets 0 bytes 0 comment "delete should be instant but might fail under memory pressure" + } + + chain input { + type filter hook input priority filter; policy accept; + add @dynmark { 10.2.3.4 timeout 1s : 0x00000002 } comment "also check timeout-gc" + meta l4proto icmp ip daddr 127.0.0.42 jump test_ping + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft new file mode 100644 index 00000000..1ca98d81 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft @@ -0,0 +1,11 @@ +table netdev t { + map m { + typeof ether saddr . vlan id : meta mark + size 1234 + flags dynamic,timeout + } + + chain c { + ether type != 8021q update @m { ether daddr . 123 timeout 1m : 0x0000002a } counter packets 0 bytes 0 return + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft new file mode 100644 index 00000000..f8b574f4 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft @@ -0,0 +1,13 @@ +table ip foo { + map pinned { + typeof ip saddr . ct original proto-dst : ip daddr . tcp dport + size 65535 + flags dynamic,timeout + timeout 6m + } + + chain pr { + update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } + update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft new file mode 100644 index 00000000..1d50477d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft @@ -0,0 +1,110 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "kube-nfproxy-v4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "kube-nfproxy-v4", + "name": "k8s-nfproxy-sep-TMVEFT7EX55F4T62", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "kube-nfproxy-v4", + "name": "k8s-nfproxy-sep-GMVEFT7EX55F4T62", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sticky-set-svc-M53CN2XYVUHRQ7UB", + "table": "kube-nfproxy-v4", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "size": 65535, + "flags": [ + "timeout" + ], + "timeout": 360 + } + }, + { + "map": { + "family": "ip", + "name": "sticky-set-svc-153CN2XYVUHRQ7UB", + "table": "kube-nfproxy-v4", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "size": 65535, + "flags": [ + "timeout" + ], + "timeout": 60 + } + }, + { + "rule": { + "family": "ip", + "table": "kube-nfproxy-v4", + "chain": "k8s-nfproxy-sep-TMVEFT7EX55F4T62", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": 2, + "map": "@sticky-set-svc-M53CN2XYVUHRQ7UB" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "kube-nfproxy-v4", + "chain": "k8s-nfproxy-sep-GMVEFT7EX55F4T62", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": 3, + "map": "@sticky-set-svc-153CN2XYVUHRQ7UB" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft new file mode 100644 index 00000000..698219cb --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft @@ -0,0 +1,21 @@ +table ip kube-nfproxy-v4 { + map sticky-set-svc-M53CN2XYVUHRQ7UB { + type ipv4_addr : mark + size 65535 + timeout 6m + } + + map sticky-set-svc-153CN2XYVUHRQ7UB { + typeof ip daddr : meta mark + size 65535 + timeout 1m + } + + chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 { + update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 } + } + + chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 { + update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x00000003 } + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_raw_0.nft b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft new file mode 100644 index 00000000..476169f2 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft @@ -0,0 +1,13 @@ +table ip x { + map y { + typeof ip saddr . @ih,32,32 : verdict + elements = { 1.1.1.1 . 0x14 : accept, + 7.7.7.7 . 0x86 : accept, + 7.7.7.8 . 0x97 : drop } + } + + chain y { + ip saddr . @nh,32,32 vmap @y + ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop } + } +} diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft new file mode 100644 index 00000000..df156411 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft @@ -0,0 +1,158 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "sctm_o0_0", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "sctm_o0_1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "SET_ctmark_RPLYroute", + "handle": 0 + } + }, + { + "counter": { + "family": "ip", + "name": "c_o0_0", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sctm_o0", + "table": "x", + "type": "mark", + "handle": 0, + "map": "verdict", + "elem": [ + [ + 0, + { + "jump": { + "target": "sctm_o0_0" + } + } + ], + [ + 1, + { + "jump": { + "target": "sctm_o0_1" + } + } + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "sctm_o1", + "table": "x", + "type": "mark", + "handle": 0, + "map": "counter", + "elem": [ + [ + 0, + "c_o0_0" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "SET_ctmark_RPLYroute", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "&": [ + { + ">>": [ + { + "meta": { + "key": "mark" + } + }, + 8 + ] + }, + 15 + ] + }, + "data": "@sctm_o0" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "SET_ctmark_RPLYroute", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "&": [ + { + ">>": [ + { + "meta": { + "key": "mark" + } + }, + 8 + ] + }, + 15 + ] + }, + "data": "@sctm_o1" + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft new file mode 100644 index 00000000..beb5ffb0 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft @@ -0,0 +1,26 @@ +table ip x { + counter c_o0_0 { + packets 0 bytes 0 + } + + map sctm_o0 { + type mark : verdict + elements = { 0x00000000 : jump sctm_o0_0, 0x00000001 : jump sctm_o0_1 } + } + + map sctm_o1 { + type mark : counter + elements = { 0x00000000 : "c_o0_0" } + } + + chain sctm_o0_0 { + } + + chain sctm_o0_1 { + } + + chain SET_ctmark_RPLYroute { + meta mark >> 8 & 0xf vmap @sctm_o0 + counter name meta mark >> 8 & 0xf map @sctm_o1 + } +} diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft new file mode 100644 index 00000000..1c3aa590 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft @@ -0,0 +1,229 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "log_and_drop", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "other_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "portmap", + "table": "filter", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "flags": [ + "timeout" + ], + "gc-interval": 10, + "elem": [ + [ + 22, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "portaddrmap", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "map": "verdict", + "flags": [ + "timeout" + ], + "gc-interval": 10, + "elem": [ + [ + { + "concat": [ + "1.2.3.4", + 22 + ] + }, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "log_and_drop", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "other_input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "log_and_drop" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@portaddrmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@portmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + "lo", + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.nft b/tests/shell/testcases/maps/dumps/vmap_timeout.nft new file mode 100644 index 00000000..095f894d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_timeout.nft @@ -0,0 +1,36 @@ +table inet filter { + map portmap { + type inet_service : verdict + flags timeout + gc-interval 10s + elements = { 22 : jump ssh_input } + } + + map portaddrmap { + typeof ip daddr . th dport : verdict + flags timeout + gc-interval 10s + elements = { 1.2.3.4 . 22 : jump ssh_input } + } + + chain ssh_input { + } + + chain log_and_drop { + drop + } + + chain other_input { + goto log_and_drop + } + + chain wan_input { + ip daddr . tcp dport vmap @portaddrmap + tcp dport vmap @portmap + } + + chain prerouting { + type filter hook prerouting priority raw; policy accept; + iif vmap { "lo" : jump wan_input } + } +} diff --git a/tests/shell/testcases/maps/dumps/vmap_unary.nft b/tests/shell/testcases/maps/dumps/vmap_unary.nft new file mode 100644 index 00000000..46c538b7 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_unary.nft @@ -0,0 +1,11 @@ +table ip filter { + map ipsec_in { + typeof ipsec in reqid . iif : verdict + flags interval + } + + chain INPUT { + type filter hook input priority filter; policy drop; + ipsec in reqid . iif vmap @ipsec_in + } +} diff --git a/tests/shell/testcases/maps/map_catchall_double_deactivate b/tests/shell/testcases/maps/map_catchall_double_deactivate new file mode 100755 index 00000000..651c08a1 --- /dev/null +++ b/tests/shell/testcases/maps/map_catchall_double_deactivate @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + +$NFT "add table ip test ; + add map ip test testmap { type ipv4_addr : verdict; }; + add chain ip test testchain; + add element ip test testmap { * : jump testchain }" || exit 1 + +$NFT "flush map ip test testmap; delete map ip test testmap; delete map ip test testmap" 2>/dev/null && exit 1 +$NFT "flush map ip test testmap; delete map ip test testmap; delete element ip test testmap { * : jump testchain }" 2>/dev/null && exit 1 + +$NFT "flush map ip test testmap; delete map ip test testmap" || exit 1 diff --git a/tests/shell/testcases/maps/map_catchall_double_free b/tests/shell/testcases/maps/map_catchall_double_free new file mode 100755 index 00000000..d101256c --- /dev/null +++ b/tests/shell/testcases/maps/map_catchall_double_free @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + +$NFT "add table ip test ; + add map ip test testmap { type ipv4_addr . ipv4_addr: verdict; flags interval,timeout; timeout 1s;}; + add chain ip test testchain; + add element ip test testmap { * : jump testchain }" || exit 1 + +sleep 2 +$NFT "add element ip test testmap { 1.2.3.4 . 5.6.7.8: jump testchain }" || exit 1 +sleep 2 +$NFT "add element ip test testmap { 2.3.4.5 . 6.7.8.9 timeout 1m: jump testchain }" || exit 1 diff --git a/tests/shell/testcases/maps/map_catchall_double_free_2 b/tests/shell/testcases/maps/map_catchall_double_free_2 new file mode 100755 index 00000000..5842fcb5 --- /dev/null +++ b/tests/shell/testcases/maps/map_catchall_double_free_2 @@ -0,0 +1,27 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + +$NFT -f /dev/stdin <<EOF +table ip test { + map testmap { + type ipv4_addr : verdict + elements = { * : jump testchain } + } + + chain testchain { } +} +EOF + +# second attempt to delete the catchall element +# musts trigger transaction abort +$NFT -f /dev/stdin <<EOF +delete element ip test testmap { * } +delete element ip test testmap { * } +EOF + +if [ $? -eq 1 ]; then + exit 0 +fi + +exit 1 diff --git a/tests/shell/testcases/maps/named_ct_objects b/tests/shell/testcases/maps/named_ct_objects new file mode 100755 index 00000000..61b87c1a --- /dev/null +++ b/tests/shell/testcases/maps/named_ct_objects @@ -0,0 +1,94 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout) + +$NFT -f /dev/stdin <<EOF || exit 1 +table inet t { + ct expectation exp1 { + protocol tcp + dport 9876 + timeout 1m + size 12 + l3proto ip + } + + ct expectation exp2 { + protocol tcp + dport 9876 + timeout 3s + size 13 + l3proto ip6 + } + + ct helper myftp { + type "ftp" protocol tcp + } + + ct timeout dns { + protocol tcp + l3proto ip + policy = { established : 3, close : 1 } + } + + map exp { + typeof ip saddr : ct expectation + elements = { 192.168.2.2 : "exp1" } + } + + map exp6 { + typeof ip6 saddr : ct expectation + flags interval + elements = { dead:beef::/64 : "exp2" } + } + + map helpobj { + typeof ip6 saddr : ct helper + flags interval + elements = { dead:beef::/64 : "myftp" } + } + + map timeoutmap { + typeof ip daddr : ct timeout + elements = { 192.168.0.1 : "dns" } + } + + set helpname { + typeof ct helper + elements = { "ftp", "sip" } + } + + chain y { + ct expectation set ip saddr map @exp + ct expectation set ip6 saddr map { dead::beef : "exp2" } + ct expectation set ip6 daddr map { dead::beef : "exp2", feed::17 : "exp2" } + ct expectation set ip6 daddr . tcp dport map { dead::beef . 123 : "exp2", feed::17 . 512 : "exp2" } + ct helper set ip6 saddr map { dead::beef : "myftp", 1c3::c01d : "myftp" } + ct helper set ip6 saddr map @helpobj + ct timeout set ip daddr map @timeoutmap + ct timeout set ip daddr map { 1.2.3.4 : "dns", 5.6.7.8 : "dns", 192.168.8.0/24 : "dns" } + ct timeout set ip daddr map { 1.2.3.4-1.2.3.8 : "dns" } + ct timeout set ip6 daddr map { dead::beef : "dns", 1ce::/64 : "dns" } + ct helper @helpname accept + } +} +EOF + +must_fail() +{ + echo "Command should have failed: $1" + exit 111 +} + + +must_work() +{ + echo "Command should have succeeded: $1" + exit 111 +} + +$NFT 'add rule inet t y ip saddr 192.168.1.1 ct timeout set "dns"' || must_work "dns timeout" + +$NFT 'add rule inet t y ct helper set ip saddr map @helpobj' && must_fail "helper assignment, map key is ipv6_addr" +$NFT 'add rule inet t y ct helper set ip6 saddr map @helpname' && must_fail "helper assignment, not a map with objects" + +exit 0 diff --git a/tests/shell/testcases/maps/named_limits b/tests/shell/testcases/maps/named_limits new file mode 100755 index 00000000..ac8e434c --- /dev/null +++ b/tests/shell/testcases/maps/named_limits @@ -0,0 +1,61 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" || exit 1 + +add_add_then_create() +{ + cmd="$@" + + $NFT "add element inet filter $cmd" || exit 2 + + # again, kernel should suppress -EEXIST + $NFT "add element inet filter $cmd" || exit 3 + + # AGAIN, kernel should report -EEXIST + $NFT "create element inet filter $cmd" && echo "$cmd worked" 1>&2 && exit 4 +} + +add_create_dupe() +{ + cmd="$@" + + $NFT "add element inet filter $cmd" && echo "$cmd worked" 1>&2 && exit 10 + $NFT "create element inet filter $cmd" && echo "$cmd worked" 1>&2 && exit 11 +} + +delete() +{ + cmd="$@" + + $NFT "delete element inet filter $cmd" || exit 30 + $NFT "delete element inet filter $cmd" && echo "$cmd worked" 1>&2 && exit 31 + + # destroy should NOT report an error +# $NFT "destroy element inet filter $cmd" || exit 40 +} + +add_add_then_create 'saddr6limit { fee1::dead : "tarpit-pps" }' +add_add_then_create 'saddr6limit { c01a::/64 : "tarpit-bps" }' + +# test same with a diffent set type (concat + interval) +add_add_then_create 'addr4limit { udp . 1.2.3.4 . 42 : "tarpit-pps", tcp . 1.2.3.4 . 42 : "tarpit-pps" }' + +# now test duplicate key with *DIFFERENT* limiter, should fail +add_create_dupe 'saddr6limit { fee1::dead : "tarpit-bps" }' + +add_create_dupe 'addr4limit { udp . 1.2.3.4 . 42 : "tarpit-pps", tcp . 1.2.3.4 . 42 : "http-bulk-rl-10m" }' +add_create_dupe 'addr4limit { udp . 1.2.3.4 . 43 : "tarpit-pps", tcp . 1.2.3.4 . 42 : "http-bulk-rl-10m" }' +add_create_dupe 'addr4limit { udp . 1.2.3.5 . 42 : "tarpit-pps", tcp . 1.2.3.4 . 42 : "http-bulk-rl-10m" }' +add_create_dupe 'addr4limit { udp . 1.2.3.4 . 42 : "tarpit-bps", tcp . 1.2.3.4 . 42 : "tarpit-pps" }' + +# delete keys again +delete 'addr4limit { udp . 1.2.3.4 . 42 : "tarpit-pps", tcp . 1.2.3.4 . 42 :"tarpit-pps" }' + +delete 'saddr6limit { fee1::dead : "tarpit-pps" }' +delete 'saddr6limit { c01a::/64 : "tarpit-bps" }' + +exit 0 diff --git a/tests/shell/testcases/maps/nat_addr_port b/tests/shell/testcases/maps/nat_addr_port new file mode 100755 index 00000000..2804d48c --- /dev/null +++ b/tests/shell/testcases/maps/nat_addr_port @@ -0,0 +1,207 @@ +#!/bin/bash + +# skeleton +$NFT -f /dev/stdin <<EOF || exit 1 +table ip ipfoo { + map t1 { + typeof numgen inc mod 2 : ip daddr; + } + + map t2 { + typeof numgen inc mod 2 : ip daddr . tcp dport + } + + map x { + type ipv4_addr : ipv4_addr + } + map y { + type ipv4_addr : ipv4_addr . inet_service + elements = { 192.168.7.2 : 10.1.1.1 . 4242 } + } + map z { + type ipv4_addr . inet_service : ipv4_addr . inet_service + elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 } + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta iifname != "foobar" accept + dnat to ip daddr map @x + ip saddr 10.1.1.1 dnat to 10.2.3.4 + ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242 + meta l4proto tcp dnat ip addr . port to ip saddr map @y + meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z + dnat ip to numgen inc mod 2 map @t1 + meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2 + } +} +EOF + +# should fail: rule has no test for l4 protocol +$NFT add rule 'ip ipfoo c ip saddr 10.1.1.2 dnat to 10.2.3.4:4242' && exit 1 + +# should fail: rule has no test for l4 protocol, but map has inet_service +$NFT add rule 'ip ipfoo c dnat to ip daddr map @y' && exit 1 + +# skeleton 6 +$NFT -f /dev/stdin <<EOF || exit 1 +table ip6 ip6foo { + map t1 { + typeof numgen inc mod 2 : ip6 daddr; + } + + map t2 { + typeof numgen inc mod 2 : ip6 daddr . tcp dport + } + + map x { + type ipv6_addr : ipv6_addr + } + map y { + type ipv6_addr : ipv6_addr . inet_service + } + map z { + type ipv6_addr . inet_service : ipv6_addr . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta iifname != "foobar" accept + dnat to ip6 daddr map @x + ip6 saddr dead::1 dnat to feed::1 + ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242 + meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y + meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z + dnat ip6 to numgen inc mod 2 map @t1 + meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2 + } +} +EOF + +# should fail: rule has no test for l4 protocol +$NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1 + +# should fail: rule has no test for l4 protocol, but map has inet_service +$NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1 + +# skeleton inet +$NFT -f /dev/stdin <<EOF || exit 1 +table inet inetfoo { + map t1v4 { + typeof numgen inc mod 2 : ip daddr + } + + map t2v4 { + typeof numgen inc mod 2 : ip daddr . tcp dport; + } + + map t1v6 { + typeof numgen inc mod 2 : ip6 daddr; + } + + map t2v6 { + typeof numgen inc mod 2 : ip6 daddr . tcp dport + } + + map x4 { + type ipv4_addr : ipv4_addr + } + map y4 { + type ipv4_addr : ipv4_addr . inet_service + } + map z4 { + type ipv4_addr . inet_service : ipv4_addr . inet_service + elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 } + } + map x6 { + type ipv6_addr : ipv6_addr + } + map y6 { + type ipv6_addr : ipv6_addr . inet_service + } + map z6 { + type ipv6_addr . inet_service : ipv6_addr . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta iifname != "foobar" accept + dnat ip to ip daddr map @x4 + ip saddr 10.1.1.1 dnat to 10.2.3.4 + ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242 + meta l4proto tcp dnat ip addr . port to ip saddr map @y4 + meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z4 + dnat ip to numgen inc mod 2 map @t1v4 + meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4 + dnat ip6 to ip6 daddr map @x6 + ip6 saddr dead::1 dnat to feed::1 + ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242 + meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y6 + meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z6 + dnat ip6 to numgen inc mod 2 map @t1v6 + meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6 + } +} +EOF + +# should fail: map has wrong family: 4->6 +$NFT add rule 'inet inetfoo c dnat to ip daddr map @x6' && exit 1 + +# should fail: map has wrong family: 6->4 +$NFT add rule 'inet inetfoo c dnat to ip6 daddr map @x4' && exit 1 + +# should fail: rule has no test for l4 protocol +$NFT add rule 'inet inetfoo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1 + +# should fail: rule has no test for l4 protocol, but map has inet_service +$NFT add rule 'inet inetfoo c dnat to ip daddr map @y4' && exit 1 + +# should fail: rule has test for l4 protocol, but map has wrong family: 4->6 +$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip daddr map @y6' && exit 1 + +# should fail: rule has test for l4 protocol, but map has wrong family: 6->4 +$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip6 daddr map @y4' && exit 1 + +# fail: inet_service, but expect ipv4_addr +$NFT -f /dev/stdin <<EOF && exit 1 +table inet inetfoo { + map a { + type ipv4_addr : inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to ip saddr map @a + } +} +EOF + +# fail: maps to inet_service . inet_service, not addr . service +$NFT -f /dev/stdin <<EOF && exit 1 +table inet inetfoo { + map b { + type ipv4_addr : inet_service . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to ip saddr map @a + } +} +EOF + +# fail: only accept exactly two sub-expressions: 'addr . service' +$NFT -f /dev/stdin <<EOF && exit 1 +table inet inetfoo { + map b { + type ipv4_addr : inet_addr . inet_service . inet_service + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to ip saddr map @a + } +} +EOF + +exit 0 diff --git a/tests/shell/testcases/maps/pipapo_double_flush b/tests/shell/testcases/maps/pipapo_double_flush new file mode 100755 index 00000000..35ad0966 --- /dev/null +++ b/tests/shell/testcases/maps/pipapo_double_flush @@ -0,0 +1,25 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +$NFT add table inet t +$NFT add chain inet t c +$NFT 'add map inet t m { type ipv4_addr . ipv4_addr : verdict; flags interval;}' + +for i in $(seq 1 10); do + $NFT "add element inet t m { 10.0.0.1 . 1.2.$i.1 - 1.2.$i.10 : jump c }" +done + +$NFT -f /dev/stdin <<EOF +add element inet t m { 10.1.1.1 . 1.1.1.4 : accept } +add element inet t m { 10.1.1.6 . 1.1.1.4 : drop } +add element inet t m { 10.1.1.7 . 1.1.1.4 : jump c } +flush map inet t m +add element inet t m { 10.1.1.1 . 1.1.1.4 : accept } +add element inet t m { 10.1.1.6 . 1.1.1.4 : drop } +add element inet t m { 10.1.1.7 . 1.1.1.4 : jump c } +flush map inet t m +flush map inet t m +EOF diff --git a/tests/shell/testcases/maps/typeof_integer_0 b/tests/shell/testcases/maps/typeof_integer_0 new file mode 100755 index 00000000..e93604e8 --- /dev/null +++ b/tests/shell/testcases/maps/typeof_integer_0 @@ -0,0 +1,29 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +EXPECTED="table inet t { + map m1 { + typeof udp length . @ih,32,32 : verdict + flags interval + elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop } + } + + map m2 { + typeof udp length . @ih,32,32 : verdict + elements = { 20 . 0x24 : accept, 30 . 0x1e : drop } + } + + chain c { + udp length . @nh,32,32 vmap @m1 + udp length . @nh,32,32 vmap @m2 + udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } + } +}" + +$NFT add element inet t m1 { 90-100 . 40 : drop } +$NFT delete element inet t m2 { 20 . 20 : accept } + +set -e +$NFT -f - <<< $EXPECTED + diff --git a/tests/shell/testcases/maps/typeof_maps_0 b/tests/shell/testcases/maps/typeof_maps_0 index 950bbf1c..98517fd5 100755 --- a/tests/shell/testcases/maps/typeof_maps_0 +++ b/tests/shell/testcases/maps/typeof_maps_0 @@ -4,10 +4,23 @@ # without typeof, this is 'type string' and 'type integer', # but neither could be used because it lacks size information. -EXPECTED="table inet t { +set -e + +die() { + printf '%s\n' "$*" + exit 1 +} + +INPUT_OSF_CT=" + ct mark set osf name map @m1" +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + INPUT_OSF_CT= +fi + +INPUT="table inet t { map m1 { typeof osf name : ct mark - elements = { "Linux" : 0x00000001 } + elements = { Linux : 0x00000001 } } map m2 { @@ -16,12 +29,73 @@ EXPECTED="table inet t { 4095 : 0x4095 } } - chain c { - ct mark set osf name map @m1 + map m3 { + typeof ip saddr . ip daddr : meta mark + elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001, + 2.3.4.5 . 6.7.8.9 : 0x00000002 } + } + + map m4 { + typeof iifname . ip protocol . th dport : verdict + elements = { eth0 . tcp . 22 : accept } + } + + map m5 { + typeof ipsec in reqid . meta iifname : verdict + elements = { 23 . eth0 : accept } + } + + chain c {$INPUT_OSF_CT ether type vlan meta mark set vlan id map @m2 + meta mark set ip saddr . ip daddr map @m3 + iifname . ip protocol . th dport vmap @m4 + iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop } + ipsec in reqid . meta iifname vmap @m5 } }" -set -e -$NFT -f - <<< $EXPECTED +EXPECTED="table inet t { + map m1 { + typeof osf name : ct mark + elements = { \"Linux\" : 0x00000001 } + } + + map m2 { + typeof vlan id : meta mark + elements = { 1 : 0x00000001, 4095 : 0x00004095 } + } + + map m3 { + typeof ip saddr . ip daddr : meta mark + elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001, + 2.3.4.5 . 6.7.8.9 : 0x00000002 } + } + + map m4 { + typeof iifname . ip protocol . th dport : verdict + elements = { \"eth0\" . tcp . 22 : accept } + } + + map m5 { + typeof ipsec in reqid . iifname : verdict + elements = { 23 . \"eth0\" : accept } + } + + chain c {$INPUT_OSF_CT + meta mark set vlan id map @m2 + meta mark set ip saddr . ip daddr map @m3 + iifname . ip protocol . th dport vmap @m4 + iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop } + ipsec in reqid . iifname vmap @m5 + } +}" + +$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<" + +$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<" + +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete new file mode 100755 index 00000000..d2ac9f1c --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_add_delete @@ -0,0 +1,56 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_dynset_op_delete) + +CONDMATCH="ip saddr @dynmark" +NCONDMATCH="ip saddr != @dynmark" + +# use reduced feature set +if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then + CONDMATCH="" + NCONDMATCH="" +fi + +EXPECTED="table ip dynset { + map dynmark { + typeof ip daddr : meta mark + counter + size 64 + timeout 5m + } + + chain test_ping { + $CONDMATCH counter comment \"should not increment\" + $NCONDMATCH add @dynmark { ip saddr : 0x1 } counter + $CONDMATCH counter comment \"should increment\" + $CONDMATCH delete @dynmark { ip saddr : 0x1 } + $CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\" + } + + chain input { + type filter hook input priority 0; policy accept; + + add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\" + meta l4proto icmp ip daddr 127.0.0.42 jump test_ping + } +}" + +set -e +$NFT -f - <<< $EXPECTED +$NFT list ruleset + +ip link set lo up +ping -c 1 127.0.0.42 + +$NFT get element ip dynset dynmark { 10.2.3.4 } + +# wait so that 10.2.3.4 times out. +sleep 2 + +set +e +$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1 + +if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then + echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped." + exit 77 +fi diff --git a/tests/shell/testcases/maps/typeof_maps_concat b/tests/shell/testcases/maps/typeof_maps_concat new file mode 100755 index 00000000..07820b7c --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_concat @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0 new file mode 100755 index 00000000..2a52ea0e --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +# check update statement does print both concatentations (key and data). + +EXPECTED="table ip foo { + map pinned { + typeof ip saddr . ct original proto-dst : ip daddr . tcp dport + size 65535 + flags dynamic,timeout + timeout 6m + } + chain pr { + update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } + meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } + } +}" + +set -e +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/maps/typeof_maps_update_0 b/tests/shell/testcases/maps/typeof_maps_update_0 new file mode 100755 index 00000000..c233b13f --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_update_0 @@ -0,0 +1,28 @@ +#!/bin/bash + +# check update statement doesn't print "invalid dtype" on the data element. + +EXPECTED="table ip kube-nfproxy-v4 { + map sticky-set-svc-M53CN2XYVUHRQ7UB { + type ipv4_addr : mark + size 65535 + timeout 6m + } + + map sticky-set-svc-153CN2XYVUHRQ7UB { + typeof ip daddr : meta mark + size 65535 + timeout 1m + } + + chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 { + update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2 } + } + chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 { + update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x3 } + } +}" + +set -e +$NFT -f - <<< $EXPECTED + diff --git a/tests/shell/testcases/maps/typeof_raw_0 b/tests/shell/testcases/maps/typeof_raw_0 new file mode 100755 index 00000000..bcd2c6d8 --- /dev/null +++ b/tests/shell/testcases/maps/typeof_raw_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +EXPECTED="table ip x { + map y { + typeof ip saddr . @ih,32,32: verdict + elements = { 1.1.1.1 . 0x14 : accept, 2.2.2.2 . 0x1e : drop } + } + + chain y { + ip saddr . @nh,32,32 vmap @y + ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop} + } +}" + +set -e +$NFT -f - <<< $EXPECTED +$NFT add element ip x y { 7.7.7.7 . 0x86 : accept, 7.7.7.8 . 0x97 : drop } +$NFT delete element ip x y { 2.2.2.2 . 0x1e : drop } diff --git a/tests/shell/testcases/maps/vmap_mark_bitwise_0 b/tests/shell/testcases/maps/vmap_mark_bitwise_0 new file mode 100755 index 00000000..2f305b27 --- /dev/null +++ b/tests/shell/testcases/maps/vmap_mark_bitwise_0 @@ -0,0 +1,40 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET="table ip x { + chain sctm_o0_0 { + } + + chain sctm_o0_1 { + } + + map sctm_o0 { + type mark : verdict + elements = { + 0x0 : jump sctm_o0_0, + 0x1 : jump sctm_o0_1, + } + } + + counter c_o0_0 {} + + map sctm_o1 { + type mark : counter + elements = { + 0x0 : \"c_o0_0\", + } + } + + chain SET_ctmark_RPLYroute { + meta mark >> 8 & 0xf vmap @sctm_o0 + } + + chain SET_ctmark_RPLYroute { + counter name meta mark >> 8 & 0xf map @sctm_o1 + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/maps/vmap_timeout b/tests/shell/testcases/maps/vmap_timeout new file mode 100755 index 00000000..0cd965f7 --- /dev/null +++ b/tests/shell/testcases/maps/vmap_timeout @@ -0,0 +1,53 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +set -e + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft +$NFT -f $dumpfile + +port=23 +for i in $(seq 1 100) ; do + timeout=$((RANDOM%5)) + timeout=$((timeout+1)) + j=1 + + batched="{ $port timeout 3s : jump other_input " + batched_addr="{ 10.0.$((i%256)).$j . $port timeout ${timeout}s : jump other_input " + port=$((port + 1)) + for j in $(seq 2 400); do + timeout=$((RANDOM%5)) + timeout=$((timeout+1)) + + batched="$batched, $port timeout ${timeout}s : jump other_input " + batched_addr="$batched_addr, 10.0.$((i%256)).$((j%256)) . $port timeout ${timeout}s : jump other_input " + port=$((port + 1)) + done + + fail_addr="$batched_addr, 1.2.3.4 . 23 timeout 5m : jump other_input, + 1.2.3.4 . 23 timeout 3m : jump other_input }" + fail="$batched, 23 timeout 1m : jump other_input, 23 : jump other_input }" + + batched="$batched }" + batched_addr="$batched_addr }" + + if [ $i -gt 90 ]; then + # must fail, we create and $fail/$fail_addr contain one element twice. + $NFT create element inet filter portmap "$fail" && exit 111 + $NFT create element inet filter portaddrmap "$fail_addr" && exit 112 + fi + + $NFT add element inet filter portmap "$batched" + $NFT add element inet filter portaddrmap "$batched_addr" +done + +if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_catchall_element=n." +else + $NFT add element inet filter portaddrmap { "* timeout 2s : drop" } + $NFT add element inet filter portmap { "* timeout 3s : drop" } +fi + +# wait for elements to time out +sleep 5 diff --git a/tests/shell/testcases/maps/vmap_unary b/tests/shell/testcases/maps/vmap_unary new file mode 100755 index 00000000..f4e1f012 --- /dev/null +++ b/tests/shell/testcases/maps/vmap_unary @@ -0,0 +1,19 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET="table ip filter { + map ipsec_in { + typeof ipsec in reqid . iif : verdict + flags interval + } + + chain INPUT { + type filter hook input priority 0; policy drop + ipsec in reqid . iif vmap @ipsec_in + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/netns/dumps/0001nft-f_0.json-nft b/tests/shell/testcases/netns/dumps/0001nft-f_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0001nft-f_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/netns/dumps/0001nft-f_0.nft b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft diff --git a/tests/shell/testcases/netns/dumps/0002loosecommands_0.json-nft b/tests/shell/testcases/netns/dumps/0002loosecommands_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0002loosecommands_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft diff --git a/tests/shell/testcases/netns/dumps/0003many_0.json-nft b/tests/shell/testcases/netns/dumps/0003many_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0003many_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/netns/dumps/0003many_0.nft b/tests/shell/testcases/netns/dumps/0003many_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0003many_0.nft diff --git a/tests/shell/testcases/nft-f/0011manydefines_0 b/tests/shell/testcases/nft-f/0011manydefines_0 index 84664f46..aac06706 100755 --- a/tests/shell/testcases/nft-f/0011manydefines_0 +++ b/tests/shell/testcases/nft-f/0011manydefines_0 @@ -4,6 +4,15 @@ HOWMANY=20000 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=2000 +fi + + tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then echo "Failed to create tmp file" >&2 @@ -35,3 +44,10 @@ table t { set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 20000 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/nft-f/0012different_defines_0 b/tests/shell/testcases/nft-f/0012different_defines_0 index 0bdbd1b5..fe228587 100755 --- a/tests/shell/testcases/nft-f/0012different_defines_0 +++ b/tests/shell/testcases/nft-f/0012different_defines_0 @@ -14,6 +14,8 @@ define d_ipv4_2 = 10.0.0.2 define d_ipv6 = fe0::1 define d_ipv6_2 = fe0::2 define d_ports = 100-222 +define d_qnum = 0 +define d_qnumr = 1-42 table inet t { chain c { @@ -29,6 +31,11 @@ table inet t { ip daddr . meta iif vmap { \$d_ipv4 . \$d_iif : accept } tcp dport \$d_ports udp dport vmap { \$d_ports : accept } + tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnum bypass + tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnumr + tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass,fanout num \$d_qnumr + tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue to symhash mod 2 + tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass to jhash tcp dport . tcp sport mod 4 } }" diff --git a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 index 4f407793..cfb78950 100755 --- a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 +++ b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout) + EXPECTED='table ip filter { ct timeout cttime{ protocol tcp diff --git a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 index 4f9872f6..b288457c 100755 --- a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 +++ b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ctexpect) + EXPECTED='table ip filter { ct expectation ctexpect{ protocol tcp diff --git a/tests/shell/testcases/nft-f/0023check_1 b/tests/shell/testcases/nft-f/0023check_1 new file mode 100755 index 00000000..42793b6e --- /dev/null +++ b/tests/shell/testcases/nft-f/0023check_1 @@ -0,0 +1,12 @@ +#!/bin/bash + +RULESET="table ip foo { + chain bar { + type filter hook prerouting priority 0; + } +}" + +$NFT -f - <<< "$RULESET" + +$NFT -c add rule foo bar fib saddr . oif type local && exit 1 +exit 0 diff --git a/tests/shell/testcases/nft-f/0024priority_0 b/tests/shell/testcases/nft-f/0024priority_0 new file mode 100755 index 00000000..586f5c3f --- /dev/null +++ b/tests/shell/testcases/nft-f/0024priority_0 @@ -0,0 +1,14 @@ +#!/bin/bash + +RULESET=" +table inet statelessnat { + chain prerouting { + type filter hook prerouting priority -100; + ip daddr set numgen inc mod 16 map { 0-7 : 10.0.1.1, 8- 15 : 10.0.1.2 } + } + chain postrouting { + type filter hook postrouting priority 100 + } +}" + +exec $NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/0025empty_dynset_0 b/tests/shell/testcases/nft-f/0025empty_dynset_0 new file mode 100755 index 00000000..fbdb5793 --- /dev/null +++ b/tests/shell/testcases/nft-f/0025empty_dynset_0 @@ -0,0 +1,30 @@ +#!/bin/bash + +set -e + +RULESET="table ip foo { + set inflows { + type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service + flags dynamic + elements = { 10.1.0.3 . 39466 . \"veth1\" . 10.3.0.99 . 5201 counter packets 0 bytes 0 } + } + + set inflows6 { + type ipv6_addr . inet_service . ifname . ipv6_addr . inet_service + flags dynamic + } + + set inflows_ratelimit { + type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service + flags dynamic + elements = { 10.1.0.3 . 39466 . \"veth1\" . 10.3.0.99 . 5201 limit rate 1/second counter packets 0 bytes 0 } + } +}" + +$NFT -f - <<< "$RULESET" + +# inflows_ratelimit will be dumped without 'limit rate .. counter' on old kernels. +if [ "$NFT_TEST_HAVE_set_with_two_expressions" = n ]; then + echo "Partial test due to NFT_TEST_HAVE_set_with_two_expressions=n." + exit 77 +fi diff --git a/tests/shell/testcases/nft-f/0026listing_0 b/tests/shell/testcases/nft-f/0026listing_0 new file mode 100755 index 00000000..0f2f27c6 --- /dev/null +++ b/tests/shell/testcases/nft-f/0026listing_0 @@ -0,0 +1,14 @@ +#!/bin/bash + +# This is like "flush ruleset" except only flushes THIS ruleset, not ALL rulesets. +# In particular, it leaves the dynamic sshguard/fail2ban deny lists untouched. +RULESET="add table A +delete table A +table A { + chain B { + tcp dport {1,2} accept + } +} +list ruleset" + +exec $NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/0027split_chains_0 b/tests/shell/testcases/nft-f/0027split_chains_0 new file mode 100755 index 00000000..de1e5a00 --- /dev/null +++ b/tests/shell/testcases/nft-f/0027split_chains_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +set -e + +RULESET="table inet filter { + chain x { + } +} +table inet filter { + chain input { + type filter hook input priority filter; policy accept; + jump x + } +}" + +$NFT -f - <<< "$RULESET" && exit 0 +exit 1 diff --git a/tests/shell/testcases/nft-f/0028variable_cmdline_0 b/tests/shell/testcases/nft-f/0028variable_cmdline_0 new file mode 100755 index 00000000..a2bbd5da --- /dev/null +++ b/tests/shell/testcases/nft-f/0028variable_cmdline_0 @@ -0,0 +1,17 @@ +#!/bin/bash + + +RULESET="table inet filter { + set whitelist_v4 { type ipv4_addr; } +} +add element inet filter whitelist_v4 \$whitelist_v4 +" + +# this is intentional: exercise error path +$NFT --define whitelist_v4="{ wrong }" -f - <<< "$RULESET" +$NFT --define whitelist_v4="{ 1.1.1.1, \$wrong }" -f - <<< "$RULESET" + +set -e + +$NFT --define whitelist_v4="{ 1.1.1.1, 2.2.2.2 }" -f - <<< "$RULESET" +$NFT --define x={5.5.5.5} --define whitelist_v4="{ 3.3.3.3, 4.4.4.4, \$x }" -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/0029split_file_0 b/tests/shell/testcases/nft-f/0029split_file_0 new file mode 100755 index 00000000..0cc547ab --- /dev/null +++ b/tests/shell/testcases/nft-f/0029split_file_0 @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +RULESET="table inet filter { + set whitelist_v4 { + type ipv4_addr; + } + + chain prerouting { + type filter hook prerouting priority filter; + } +} +" + +$NFT -f - <<< "$RULESET" + +RULESET="table inet filter { + chain prerouting { + ip daddr @whitelist_v4 + } +} +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/0030variable_reuse_0 b/tests/shell/testcases/nft-f/0030variable_reuse_0 new file mode 100755 index 00000000..8afc54aa --- /dev/null +++ b/tests/shell/testcases/nft-f/0030variable_reuse_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +RULESET="define test = { 1.1.1.1 } + +table ip x { + set y { + type ipv4_addr + elements = { 2.2.2.2, \$test } + } + + set z { + type ipv4_addr + elements = { 3.3.3.3, \$test } + } +}" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/0031vmap_string_0 b/tests/shell/testcases/nft-f/0031vmap_string_0 new file mode 100755 index 00000000..2af846a4 --- /dev/null +++ b/tests/shell/testcases/nft-f/0031vmap_string_0 @@ -0,0 +1,21 @@ +#!/bin/bash + +# Tests parse of corrupted verdicts + +set -e + +RULESET=" +table ip foo { + map bar { + type ipv4_addr : verdict + elements = { + 192.168.0.1 : ber + } + } + + chain ber { + } +}" + +$NFT -f - <<< "$RULESET" && exit 1 +exit 0 diff --git a/tests/shell/testcases/nft-f/0032pknock_0 b/tests/shell/testcases/nft-f/0032pknock_0 new file mode 100755 index 00000000..94fc8407 --- /dev/null +++ b/tests/shell/testcases/nft-f/0032pknock_0 @@ -0,0 +1,34 @@ +#!/bin/bash + +set -e + +RULESET="define guarded_ports = {ssh} + +table inet portknock { + set clients_ipv4 { + type ipv4_addr + flags timeout + } + + set candidates_ipv4 { + type ipv4_addr . inet_service + flags timeout + } + + chain input { + type filter hook input priority -10; policy accept; + + tcp dport 10001 add @candidates_ipv4 {ip saddr . 10002 timeout 1s} + tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10003 timeout 1s} + tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10004 timeout 1s} + tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10005 timeout 1s} + tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 600s} log prefix \"Successful portknock: \" + + tcp dport \$guarded_ports ip saddr @clients_ipv4 counter accept + tcp dport \$guarded_ports ct state established,related counter accept + + tcp dport \$guarded_ports reject with tcp reset + } +}" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/dumps/0001define_slash_0.json-nft b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft new file mode 100644 index 00000000..99b0b28d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft @@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "other", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "t", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22222, + 33333 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@t" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "jump": { + "target": "other" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft new file mode 100644 index 00000000..99b0b28d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft @@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "other", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "t", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22222, + 33333 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@t" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "jump": { + "target": "other" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft new file mode 100644 index 00000000..99b0b28d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft @@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "other", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "t", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22222, + 33333 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@t" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "jump": { + "target": "other" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft new file mode 100644 index 00000000..99b0b28d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft @@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "other", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "t", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22222, + 33333 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@t" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "jump": { + "target": "other" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0006action_object_0.json-nft b/tests/shell/testcases/nft-f/dumps/0006action_object_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0006action_object_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft diff --git a/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.json-nft b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.json-nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.json-nft new file mode 100644 index 00000000..05ebed5a --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.json-nft @@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 1, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "ssh", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.json-nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.json-nft new file mode 100644 index 00000000..41236dbe --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.json-nft @@ -0,0 +1,44 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "forward", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "concat-set-variable", + "table": "forward", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "10.10.10.10", + 25 + ] + }, + { + "concat": [ + "10.10.10.10", + 143 + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0010variable_0.json-nft b/tests/shell/testcases/nft-f/dumps/0010variable_0.json-nft new file mode 100644 index 00000000..4b4ec4fb --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0010variable_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "whitelist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft new file mode 100644 index 00000000..1b2e3420 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft @@ -0,0 +1,778 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "whatever" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "whatever" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "lo" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "whatever" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": { + "set": [ + "lo" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": 123 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related", + "new" + ] + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "|": [ + "established", + "related", + "new" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "10.0.0.0" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "10.0.0.2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "10.0.0.0" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "fe0::1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "fe0::2" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "10.0.0.0", + { + "drop": null + } + ], + [ + "10.0.0.2", + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "fe0::1", + { + "drop": null + } + ], + [ + "fe0::2", + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "fe0::2", + "tcp" + ] + }, + { + "concat": [ + "fe0::1", + "udp" + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "10.0.0.0", + "lo" + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 100, + 222 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + { + "range": [ + 100, + 222 + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": 0, + "flags": "bypass" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": { + "range": [ + 1, + 42 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": { + "range": [ + 1, + 42 + ] + }, + "flags": [ + "bypass", + "fanout" + ] + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": { + "symhash": { + "mod": 2 + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": { + "jhash": { + "mod": 4, + "expr": { + "concat": [ + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "sport" + } + } + ] + } + } + }, + "flags": "bypass" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft index 7abced86..4734b2fd 100644 --- a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft @@ -8,9 +8,14 @@ table inet t { ip6 daddr fe0::1 ip6 saddr fe0::2 ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept } ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept } - ip6 saddr . ip6 nexthdr { fe0::1 . udp, fe0::2 . tcp } + ip6 saddr . ip6 nexthdr { fe0::2 . tcp, fe0::1 . udp } ip daddr . iif vmap { 10.0.0.0 . "lo" : accept } tcp dport 100-222 udp dport vmap { 100-222 : accept } + tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to 0 + tcp sport 1 tcp dport 1 oifname "foobar" queue to 1-42 + tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass,fanout to 1-42 + tcp sport 1 tcp dport 1 oifname "foobar" queue to symhash mod 2 + tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to jhash tcp dport . tcp sport mod 4 } } diff --git a/tests/shell/testcases/nft-f/dumps/0013defines_1.json-nft b/tests/shell/testcases/nft-f/dumps/0013defines_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0013defines_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0013defines_1.nft b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0014defines_1.json-nft b/tests/shell/testcases/nft-f/dumps/0014defines_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0014defines_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0014defines_1.nft b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0015defines_1.json-nft b/tests/shell/testcases/nft-f/dumps/0015defines_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0015defines_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0015defines_1.nft b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0016redefines_1.json-nft b/tests/shell/testcases/nft-f/dumps/0016redefines_1.json-nft new file mode 100644 index 00000000..40cdb000 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0016redefines_1.json-nft @@ -0,0 +1,80 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + "1.1.1.1", + "2.2.2.2" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + "3.3.3.3", + "4.4.4.4" + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft new file mode 100644 index 00000000..65b7f491 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft @@ -0,0 +1,6 @@ +table ip x { + chain y { + ip saddr { 1.1.1.1, 2.2.2.2 } + ip saddr { 3.3.3.3, 4.4.4.4 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft new file mode 100644 index 00000000..b56240ea --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "c", + "handle": 0 + } + }, + { + "ct timeout": { + "family": "ip", + "name": "cttime", + "table": "filter", + "handle": 0, + "protocol": "tcp", + "l3proto": "ip", + "policy": { + "established": 123, + "close": 12 + } + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "c", + "handle": 0, + "expr": [ + { + "ct timeout": "cttime" + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft index 7cff1ed5..c5d9649e 100644 --- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft +++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft @@ -2,7 +2,7 @@ table ip filter { ct timeout cttime { protocol tcp l3proto ip - policy = { established : 123, close : 12 } + policy = { established : 2m3s, close : 12s } } chain c { diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft new file mode 100644 index 00000000..21c97970 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "c", + "handle": 0 + } + }, + { + "ct expectation": { + "family": "ip", + "name": "ctexpect", + "table": "filter", + "handle": 0, + "protocol": "tcp", + "dport": 9876, + "timeout": 60000, + "size": 12, + "l3proto": "ip" + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "c", + "handle": 0, + "expr": [ + { + "ct expectation": "ctexpect" + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft new file mode 100644 index 00000000..396185eb --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft @@ -0,0 +1,13 @@ +table ip filter { + ct expectation ctexpect { + protocol tcp + dport 9876 + timeout 1m + size 12 + l3proto ip + } + + chain c { + ct expectation set "ctexpect" + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.json-nft b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.json-nft new file mode 100644 index 00000000..f62b48a3 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "ber", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "jump": { + "target": "ber" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.json-nft b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.json-nft b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.json-nft b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.json-nft new file mode 100644 index 00000000..f41b1b04 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -50, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0022priority_variable_0.nft b/tests/shell/testcases/nft-f/dumps/0022priority_variable_0.nft deleted file mode 100644 index 2e944599..00000000 --- a/tests/shell/testcases/nft-f/dumps/0022priority_variable_0.nft +++ /dev/null @@ -1,5 +0,0 @@ -table inet global { - chain prerouting { - type filter hook prerouting priority filter + 10; policy accept; - } -} diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft new file mode 100644 index 00000000..09a4c1e3 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft @@ -0,0 +1,115 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@y" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 30 + } + }, + "set": "@y" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft new file mode 100644 index 00000000..d30f4d53 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft @@ -0,0 +1,14 @@ +table ip x { + set y { + type ipv4_addr + size 65535 + flags dynamic,timeout + } + + chain z { + type filter hook input priority filter; policy accept; + add @y { ip saddr } + update @y { ip saddr timeout 30s } + ip saddr @y + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0023check_1.json-nft b/tests/shell/testcases/nft-f/dumps/0023check_1.json-nft new file mode 100644 index 00000000..ddb2a057 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0023check_1.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "bar", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0023check_1.nft b/tests/shell/testcases/nft-f/dumps/0023check_1.nft new file mode 100644 index 00000000..04b9e70f --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0023check_1.nft @@ -0,0 +1,5 @@ +table ip foo { + chain bar { + type filter hook prerouting priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0024priority_0.json-nft b/tests/shell/testcases/nft-f/dumps/0024priority_0.json-nft new file mode 100644 index 00000000..cdc4b9d9 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0024priority_0.json-nft @@ -0,0 +1,95 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "statelessnat", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "statelessnat", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "statelessnat", + "name": "postrouting", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "statelessnat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "value": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 16, + "offset": 0 + } + }, + "data": { + "set": [ + [ + { + "range": [ + 0, + 7 + ] + }, + "10.0.1.1" + ], + [ + { + "range": [ + 8, + 15 + ] + }, + "10.0.1.2" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0024priority_0.nft b/tests/shell/testcases/nft-f/dumps/0024priority_0.nft new file mode 100644 index 00000000..cd7fc504 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0024priority_0.nft @@ -0,0 +1,10 @@ +table inet statelessnat { + chain prerouting { + type filter hook prerouting priority dstnat; policy accept; + ip daddr set numgen inc mod 16 map { 0-7 : 10.0.1.1, 8-15 : 10.0.1.2 } + } + + chain postrouting { + type filter hook postrouting priority srcnat; policy accept; + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.json-nft b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.json-nft new file mode 100644 index 00000000..0cde23b0 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.json-nft @@ -0,0 +1,111 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "inflows", + "table": "foo", + "type": [ + "ipv4_addr", + "inet_service", + "ifname", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "dynamic" + ], + "elem": [ + { + "elem": { + "val": { + "concat": [ + "10.1.0.3", + 39466, + "veth1", + "10.3.0.99", + 5201 + ] + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "inflows6", + "table": "foo", + "type": [ + "ipv6_addr", + "inet_service", + "ifname", + "ipv6_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "inflows_ratelimit", + "table": "foo", + "type": [ + "ipv4_addr", + "inet_service", + "ifname", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "dynamic" + ], + "elem": [ + { + "elem": { + "val": { + "concat": [ + "10.1.0.3", + 39466, + "veth1", + "10.3.0.99", + 5201 + ] + }, + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft new file mode 100644 index 00000000..33b9e4ff --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft @@ -0,0 +1,18 @@ +table ip foo { + set inflows { + type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service + flags dynamic + elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 counter packets 0 bytes 0 } + } + + set inflows6 { + type ipv6_addr . inet_service . ifname . ipv6_addr . inet_service + flags dynamic + } + + set inflows_ratelimit { + type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service + flags dynamic + elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 limit rate 1/second burst 5 packets counter packets 0 bytes 0 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0026listing_0.json-nft b/tests/shell/testcases/nft-f/dumps/0026listing_0.json-nft new file mode 100644 index 00000000..8acdcdf4 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0026listing_0.json-nft @@ -0,0 +1,56 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "A", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "A", + "name": "B", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "A", + "chain": "B", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 1, + 2 + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0026listing_0.nft b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft new file mode 100644 index 00000000..fd0bb686 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft @@ -0,0 +1,5 @@ +table ip A { + chain B { + tcp dport { 1, 2 } accept + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0027split_chains_0.json-nft b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.json-nft new file mode 100644 index 00000000..bda8bfc9 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "jump": { + "target": "x" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft new file mode 100644 index 00000000..39198be1 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft @@ -0,0 +1,9 @@ +table inet filter { + chain x { + } + + chain input { + type filter hook input priority filter; policy accept; + jump x + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.json-nft b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.json-nft new file mode 100644 index 00000000..69d826df --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.json-nft @@ -0,0 +1,34 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "whitelist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "2.2.2.2", + "3.3.3.3", + "4.4.4.4", + "5.5.5.5" + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft new file mode 100644 index 00000000..aa081122 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft @@ -0,0 +1,8 @@ +table inet filter { + set whitelist_v4 { + type ipv4_addr + elements = { 1.1.1.1, 2.2.2.2, + 3.3.3.3, 4.4.4.4, + 5.5.5.5 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft new file mode 100644 index 00000000..ab680af8 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft @@ -0,0 +1,61 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "inet", + "name": "whitelist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@whitelist_v4" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft new file mode 100644 index 00000000..32d5c0e9 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft @@ -0,0 +1,10 @@ +table inet filter { + set whitelist_v4 { + type ipv4_addr + } + + chain prerouting { + type filter hook prerouting priority filter; policy accept; + ip daddr @whitelist_v4 + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.json-nft b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.json-nft new file mode 100644 index 00000000..e0704b7d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.json-nft @@ -0,0 +1,44 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "2.2.2.2" + ] + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "3.3.3.3" + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft new file mode 100644 index 00000000..635901f4 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft @@ -0,0 +1,11 @@ +table ip x { + set y { + type ipv4_addr + elements = { 1.1.1.1, 2.2.2.2 } + } + + set z { + type ipv4_addr + elements = { 1.1.1.1, 3.3.3.3 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.json-nft b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft new file mode 100644 index 00000000..4c7d2bbe --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft @@ -0,0 +1,484 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "portknock", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "portknock", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "set": { + "family": "inet", + "name": "clients_ipv4", + "table": "portknock", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "inet", + "name": "candidates_ipv4", + "table": "portknock", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10001 + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 10002 + ] + }, + "timeout": 1 + } + }, + "set": "@candidates_ipv4" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10002 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": "@candidates_ipv4" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 10003 + ] + }, + "timeout": 1 + } + }, + "set": "@candidates_ipv4" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10003 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": "@candidates_ipv4" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 10004 + ] + }, + "timeout": 1 + } + }, + "set": "@candidates_ipv4" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10004 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": "@candidates_ipv4" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 10005 + ] + }, + "timeout": 1 + } + }, + "set": "@candidates_ipv4" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10005 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": "@candidates_ipv4" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 600 + } + }, + "set": "@clients_ipv4" + } + }, + { + "log": { + "prefix": "Successful portknock: " + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@clients_ipv4" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft new file mode 100644 index 00000000..f29dfb28 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft @@ -0,0 +1,25 @@ +table inet portknock { + set clients_ipv4 { + type ipv4_addr + size 65535 + flags dynamic,timeout + } + + set candidates_ipv4 { + type ipv4_addr . inet_service + size 65535 + flags dynamic,timeout + } + + chain input { + type filter hook input priority filter - 10; policy accept; + tcp dport 10001 add @candidates_ipv4 { ip saddr . 10002 timeout 1s } + tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10003 timeout 1s } + tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10004 timeout 1s } + tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10005 timeout 1s } + tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 10m } log prefix "Successful portknock: " + tcp dport 22 ip saddr @clients_ipv4 counter packets 0 bytes 0 accept + tcp dport 22 ct state established,related counter packets 0 bytes 0 accept + tcp dport 22 reject with tcp reset + } +} diff --git a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft new file mode 100644 index 00000000..1a9f4e7a --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft @@ -0,0 +1,239 @@ +table inet filter { + map if_input { + type ifname : verdict + elements = { "eth0" : jump public_input, + "eth1" : jump home_input, + "eth2.10" : jump home_input, + "eth2.20" : jump home_input } + } + + map if_forward { + type ifname : verdict + elements = { "eth0" : jump public_forward, + "eth1" : jump trusted_forward, + "eth2.10" : jump voip_forward, + "eth2.20" : jump guest_forward } + } + + map if_output { + type ifname : verdict + elements = { "eth0" : jump public_output, + "eth1" : jump home_output, + "eth2.10" : jump home_output, + "eth2.20" : jump home_output } + } + + set ipv4_blacklist { + type ipv4_addr + flags interval + auto-merge + } + + set ipv6_blacklist { + type ipv6_addr + flags interval + auto-merge + } + + set limit_src_ip { + type ipv4_addr + size 1024 + flags dynamic,timeout + } + + set limit_src_ip6 { + type ipv6_addr + size 1024 + flags dynamic,timeout + } + + chain PREROUTING_RAW { + type filter hook prerouting priority raw; policy accept; + meta l4proto != { icmp, tcp, udp, ipv6-icmp } counter packets 0 bytes 0 drop + tcp flags syn jump { + tcp option maxseg size 1-500 counter packets 0 bytes 0 drop + tcp sport 0 counter packets 0 bytes 0 drop + } + rt type 0 counter packets 0 bytes 0 drop + } + + chain PREROUTING_MANGLE { + type filter hook prerouting priority mangle; policy accept; + ct state vmap { invalid : jump ct_invalid_pre, related : jump rpfilter, new : jump ct_new_pre, untracked : jump ct_untracked_pre } + } + + chain ct_invalid_pre { + counter packets 0 bytes 0 drop + } + + chain ct_untracked_pre { + icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return + counter packets 0 bytes 0 drop + } + + chain ct_new_pre { + jump rpfilter + tcp flags & (fin | syn | rst | ack) != syn counter packets 0 bytes 0 drop + iifname "eth0" meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 } + } + + chain rpfilter { + ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 return + ip6 saddr :: ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return + fib saddr . iif oif 0 counter packets 0 bytes 0 drop + } + + chain blacklist_input_ipv4 { + ip saddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } counter packets 0 bytes 0 drop + ip saddr @ipv4_blacklist counter packets 0 bytes 0 drop + } + + chain blacklist_input_ipv6 { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return + udp sport 547 ip6 saddr fe80::/64 return + ip6 saddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } counter packets 0 bytes 0 drop + ip6 saddr @ipv6_blacklist counter packets 0 bytes 0 drop + } + + chain INPUT { + type filter hook input priority filter; policy drop; + iif "lo" accept + ct state established,related accept + iifname vmap @if_input + log prefix "NFT REJECT IN " flags ip options flags ether limit rate 5/second burst 10 packets reject + } + + chain public_input { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept + udp sport 547 udp dport 546 ip6 saddr fe80::/64 accept + fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop + counter packets 0 bytes 0 drop + } + + chain home_input { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + udp sport 68 udp dport 67 accept + udp sport 546 udp dport 547 iifname { "eth1", "eth2.10", "eth2.20" } accept + fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop + icmp type echo-request accept + icmpv6 type echo-request accept + tcp dport 22 iifname "eth1" accept + meta l4proto { tcp, udp } th dport 53 jump { + ip6 saddr != { fd00::/8, fe80::/64 } counter packets 0 bytes 0 reject with icmpv6 port-unreachable + accept + } + udp dport 123 accept + tcp dport 8443 accept + } + + chain FORWARD_MANGLE { + type filter hook forward priority mangle; policy accept; + oifname "eth0" jump { + ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 } + tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu + } + } + + chain blacklist_output_ipv4 { + ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } goto log_blacklist + ip daddr @ipv4_blacklist goto log_blacklist + } + + chain blacklist_output_ipv6 { + icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . ff02::16 } return + udp dport 547 ip6 daddr ff02::1:2 return + ip6 daddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } goto log_blacklist + ip6 daddr @ipv6_blacklist goto log_blacklist + } + + chain log_blacklist { + log prefix "NFT BLACKLIST " flags ip options flags ether limit rate 5/minute burst 10 packets drop + counter packets 0 bytes 0 drop + } + + chain FORWARD { + type filter hook forward priority filter; policy drop; + ct state established,related accept + fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop + iifname vmap @if_forward + log prefix "NFT REJECT FWD " flags ip options flags ether limit rate 5/second burst 10 packets reject + } + + chain public_forward { + udp dport { 5060, 7078-7097 } oifname "eth2.10" jump { + ip6 saddr { 2001:db8::1-2001:db8::2 } accept + meta nfproto ipv6 log prefix "NFT DROP SIP " flags ip options flags ether limit rate 5/second burst 10 packets drop + } + counter packets 0 bytes 0 drop + } + + chain trusted_forward { + oifname "eth0" accept + icmp type echo-request accept + icmpv6 type echo-request accept + ip daddr { 192.168.3.30, 192.168.4.40 } tcp dport vmap { 22 : accept, 80 : drop, 443 : accept } + ip daddr 192.168.2.20 jump { + tcp dport { 80, 443, 515, 631, 9100 } accept + udp dport 161 accept + } + } + + chain voip_forward { + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname "eth0" accept + ip6 daddr { 2001:db8::1-2001:db8::2 } jump { + udp dport { 3478, 5060 } accept + udp sport 7078-7097 accept + tcp dport 5061 accept + } + tcp dport 587 ip daddr 10.0.0.1 accept + tcp dport 80 oifname "eth0" counter packets 0 bytes 0 reject + } + + chain guest_forward { + oifname "eth0" accept + } + + chain OUTPUT { + type filter hook output priority filter; policy drop; + oif "lo" accept + ct state vmap { invalid : jump ct_invalid_out, established : accept, related : accept, untracked : jump ct_untracked_out } + oifname vmap @if_output + log prefix "NFT REJECT OUT " flags ip options flags ether limit rate 5/second burst 10 packets reject + } + + chain ct_invalid_out { + counter packets 0 bytes 0 drop + } + + chain ct_untracked_out { + icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return + counter packets 0 bytes 0 drop + } + + chain public_output { + ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 } + icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + udp dport 547 ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept + udp dport { 53, 123 } accept + tcp dport { 443, 587, 853 } accept + } + + chain home_output { + icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + udp sport 547 udp dport 546 ip6 saddr fe80::/64 oifname { "eth1", "eth2.10", "eth2.20" } accept + udp sport 67 udp dport 68 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept + tcp dport 22 ip daddr 192.168.1.10 accept + } + + chain POSTROUTING_SRCNAT { + type nat hook postrouting priority srcnat; policy accept; + ip saddr { 192.168.1.0-192.168.4.255 } oifname "eth0" masquerade + } +} diff --git a/tests/shell/testcases/nft-f/sample-ruleset b/tests/shell/testcases/nft-f/sample-ruleset new file mode 100755 index 00000000..763e41a1 --- /dev/null +++ b/tests/shell/testcases/nft-f/sample-ruleset @@ -0,0 +1,262 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding) + +$NFT -f /dev/stdin <<"EOF" +define public_if = eth0 +define trusted_if = eth1 +define voip_if = eth2.10 +define guest_if = eth2.20 +define home_if = { $trusted_if, $voip_if, $guest_if } +define home_ipv6_if = { $trusted_if, $voip_if, $guest_if } + +define masq_ip = { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 } +define masq_if = $public_if + +define host1_ip = 192.168.1.10 +define host2_ip = 192.168.2.20 +define host3_ip = 192.168.3.30 +define host4_ip = 192.168.4.40 + +define proxy_port = 8443 + +define private_ip = { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } +define private_ip6 = { fe80::/64, fd00::/8 } +define bogons_ip = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } +define bogons_ip6 = { ::/3, 2001:0002::/48, 2001:0003::/32, 2001:10::/28, 2001:20::/28, 2001::/32, 2001:db8::/32, 2002::/16, 3000::/4, 4000::/2, 8000::/1 } + +define sip_whitelist_ip6 = { 2001:db8::1/128, 2001:db8::2/128 } +define smtps_whitelist_ip = 10.0.0.1 +define protocol_whitelist = { tcp, udp, icmp, ipv6-icmp } + +table inet filter { + map if_input { + type ifname : verdict; + elements = { $public_if : jump public_input, $trusted_if : jump home_input, $voip_if : jump home_input, $guest_if : jump home_input } + } + map if_forward { + type ifname : verdict; + elements = { $public_if : jump public_forward, $trusted_if : jump trusted_forward, $voip_if : jump voip_forward, $guest_if : jump guest_forward } + } + map if_output { + type ifname : verdict; + elements = { $public_if : jump public_output, $trusted_if : jump home_output, $voip_if : jump home_output, $guest_if : jump home_output } + } + + set ipv4_blacklist { type ipv4_addr; flags interval; auto-merge; } + set ipv6_blacklist { type ipv6_addr; flags interval; auto-merge; } + set limit_src_ip { type ipv4_addr; flags dynamic, timeout; size 1024; } + set limit_src_ip6 { type ipv6_addr; flags dynamic, timeout; size 1024; } + + chain PREROUTING_RAW { + type filter hook prerouting priority raw; + + meta l4proto != $protocol_whitelist counter drop + tcp flags syn jump { + tcp option maxseg size 1-500 counter drop + tcp sport 0 counter drop + } + rt type 0 counter drop + } + + chain PREROUTING_MANGLE { + type filter hook prerouting priority mangle; + + ct state vmap { invalid : jump ct_invalid_pre, untracked : jump ct_untracked_pre, new : jump ct_new_pre, related : jump rpfilter } + } + chain ct_invalid_pre { + counter drop + } + chain ct_untracked_pre { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return + counter drop + } + chain ct_new_pre { + jump rpfilter + + tcp flags & (fin|syn|rst|ack) != syn counter drop + + iifname $public_if meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 } + } + chain rpfilter { + ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport bootpc udp dport bootps return + ip6 saddr ::/128 ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return + + fib saddr . iif oif eq 0 counter drop + } + chain blacklist_input_ipv4{ + ip saddr $bogons_ip counter drop + ip saddr @ipv4_blacklist counter drop + } + chain blacklist_input_ipv6{ + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return + udp sport dhcpv6-server ip6 saddr fe80::/64 return + + ip6 saddr $bogons_ip6 counter drop + ip6 saddr @ipv6_blacklist counter drop + } + + chain INPUT { + type filter hook input priority filter; policy drop; + + iif lo accept + + ct state established,related accept + + iifname vmap @if_input + + log prefix "NFT REJECT IN " flags ether flags ip options limit rate 5/second burst 10 packets reject + } + chain public_input { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept + + udp sport dhcpv6-server udp dport dhcpv6-client ip6 saddr fe80::/64 accept + fib daddr type { broadcast, multicast, anycast } counter drop + + counter drop + } + chain home_input { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + + udp sport bootpc udp dport bootps accept + udp sport dhcpv6-client udp dport dhcpv6-server iifname $home_ipv6_if accept + + fib daddr type { broadcast, multicast, anycast } counter drop + + icmp type echo-request accept + icmpv6 type echo-request accept + + tcp dport ssh iifname $trusted_if accept + + meta l4proto { tcp, udp } th dport domain jump { + ip6 saddr != $private_ip6 counter reject + accept + } + + udp dport ntp accept + + tcp dport $proxy_port accept + } + + chain FORWARD_MANGLE { + type filter hook forward priority mangle; + + oifname $public_if jump { + ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 } + tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu + } + } + chain blacklist_output_ipv4 { + ip daddr $bogons_ip goto log_blacklist + ip daddr @ipv4_blacklist goto log_blacklist + } + chain blacklist_output_ipv6 { + icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2/128, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1/128, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . ff02::16/128 } return + udp dport dhcpv6-server ip6 daddr ff02::1:2 return + + ip6 daddr $bogons_ip6 goto log_blacklist + ip6 daddr @ipv6_blacklist goto log_blacklist + } + chain log_blacklist { + log prefix "NFT BLACKLIST " flags ether flags ip options limit rate 5/minute burst 10 packets drop + counter drop + } + + chain FORWARD { + type filter hook forward priority filter; policy drop; + + ct state established,related accept + + fib daddr type { broadcast, multicast, anycast } counter drop + + iifname vmap @if_forward + + log prefix "NFT REJECT FWD " flags ether flags ip options limit rate 5/second burst 10 packets reject + } + chain public_forward { + udp dport { 5060, 7078-7097 } oifname $voip_if jump { + ip6 saddr $sip_whitelist_ip6 accept + meta nfproto ipv6 log prefix "NFT DROP SIP " flags ether flags ip options limit rate 5/second burst 10 packets drop + } + + counter drop + } + chain trusted_forward { + oifname $public_if accept + + icmp type echo-request accept + icmpv6 type echo-request accept + + ip daddr { $host3_ip, $host4_ip } tcp dport vmap { ssh : accept, https : accept, http : drop } + + ip daddr $host2_ip jump { + tcp dport { http, https, printer, ipp, 9100 } accept + udp dport snmp accept + } + } + chain voip_forward { + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname $public_if accept + + ip6 daddr $sip_whitelist_ip6 jump { + udp dport { 3478, 5060 } accept + udp sport { 7078-7097 } accept + tcp dport 5061 accept + } + + tcp dport 587 ip daddr $smtps_whitelist_ip accept + tcp dport http oifname $public_if counter reject + } + chain guest_forward { + oifname $public_if accept + } + + chain OUTPUT { + type filter hook output priority filter; policy drop; + + oif lo accept + + ct state vmap { established : accept, related : accept, invalid : jump ct_invalid_out, untracked : jump ct_untracked_out } + + oifname vmap @if_output + + log prefix "NFT REJECT OUT " flags ether flags ip options limit rate 5/second burst 10 packets reject + } + chain ct_invalid_out { + counter drop + } + chain ct_untracked_out { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return + counter drop + } + chain public_output { + ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 } + + icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + + udp dport dhcpv6-server ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept + + udp dport { domain, ntp } accept + tcp dport { https, 587, domain-s } accept + } + chain home_output { + icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + + udp sport dhcpv6-server udp dport dhcpv6-client ip6 saddr fe80::/64 oifname $home_ipv6_if accept + udp sport bootps udp dport bootpc ip saddr $private_ip accept + tcp dport ssh ip daddr $host1_ip accept + } + + chain POSTROUTING_SRCNAT { + type nat hook postrouting priority srcnat; + + meta nfproto ipv4 ip saddr $masq_ip oifname $masq_if masquerade + } +} +EOF diff --git a/tests/shell/testcases/nft-i/dumps/0001define_0.json-nft b/tests/shell/testcases/nft-i/dumps/0001define_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-i/dumps/0001define_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-i/dumps/0001define_0.nft b/tests/shell/testcases/nft-i/dumps/0001define_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-i/dumps/0001define_0.nft diff --git a/tests/shell/testcases/optimizations/dependency_kill b/tests/shell/testcases/optimizations/dependency_kill new file mode 100755 index 00000000..904eecf8 --- /dev/null +++ b/tests/shell/testcases/optimizations/dependency_kill @@ -0,0 +1,48 @@ +#!/bin/bash + +set -e + +RULESET="table bridge foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip6 foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table netdev foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table inet foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + meta nfproto ipv4 udp dport 67 + meta nfproto ipv6 udp dport 67 + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft new file mode 100644 index 00000000..712182e9 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft @@ -0,0 +1,776 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "netdev", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft new file mode 100644 index 00000000..1781f7be --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft @@ -0,0 +1,42 @@ +table bridge foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip foo { + chain bar { + udp dport 67 + meta protocol ip6 udp dport 67 + udp dport 67 + ether type ip6 udp dport 67 + } +} +table ip6 foo { + chain bar { + meta protocol ip udp dport 67 + udp dport 67 + ether type ip udp dport 67 + udp dport 67 + } +} +table netdev foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + } +} +table inet foo { + chain bar { + meta protocol ip udp dport 67 + meta protocol ip6 udp dport 67 + ether type ip udp dport 67 + ether type ip6 udp dport 67 + meta nfproto ipv4 udp dport 67 + meta nfproto ipv6 udp dport 67 + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft new file mode 100644 index 00000000..a6cf1bfc --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft @@ -0,0 +1,379 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test1", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test1", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test1", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "4.4.4.4", + "1.1.1.1" + ], + [ + "5.5.5.5", + "2.2.2.2" + ] + ] + } + } + } + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test2", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + { + "concat": [ + "1.1.1.1", + 8001 + ] + } + ], + [ + 81, + { + "concat": [ + "2.2.2.2", + 9001 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "10.141.13.0", + "len": 24 + } + } + ] + } + } + }, + { + "masquerade": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test4", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + 80 + ] + }, + { + "concat": [ + "4.4.4.4", + 8000 + ] + } + ], + [ + { + "concat": [ + "2.2.2.2", + 81 + ] + }, + { + "concat": [ + "3.3.3.3", + 9000 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "redirect": { + "port": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 83, + 8083 + ], + [ + 84, + 8084 + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 85 + } + }, + { + "redirect": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft new file mode 100644 index 00000000..f6c119ec --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft @@ -0,0 +1,21 @@ +table ip test1 { + chain y { + oif "lo" accept + dnat to ip saddr map { 4.4.4.4 : 1.1.1.1, 5.5.5.5 : 2.2.2.2 } + } +} +table ip test2 { + chain y { + oif "lo" accept + dnat ip to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 } + ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade + } +} +table ip test4 { + chain y { + oif "lo" accept + dnat ip to ip daddr . tcp dport map { 1.1.1.1 . 80 : 4.4.4.4 . 8000, 2.2.2.2 . 81 : 3.3.3.3 . 9000 } + redirect to :tcp dport map { 83 : 8083, 84 : 8084 } + tcp dport 85 redirect + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft new file mode 100644 index 00000000..dc67feec --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft @@ -0,0 +1,200 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test3", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "sport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "3.3.3.3" + ], + [ + { + "concat": [ + "2.2.2.2", + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "4.4.4.4" + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp2s0" + } + }, + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.1.1.0", + "len": 24 + } + }, + { + "range": [ + "72.2.3.66", + "72.2.3.78" + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 8888, + 9999 + ] + } + } + }, + { + "redirect": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft new file mode 100644 index 00000000..0faddfd1 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft @@ -0,0 +1,8 @@ +table ip test3 { + chain y { + oif "lo" accept + snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 } + oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 } + tcp dport { 8888, 9999 } redirect + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft new file mode 100644 index 00000000..99930f11 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft @@ -0,0 +1,208 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "nat", + "name": "prerouting", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "72.2.3.70", + 80 + ] + }, + { + "concat": [ + "10.1.1.52", + 80 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + "72.2.3.66", + 53122 + ] + }, + { + "concat": [ + "10.1.1.10", + 22 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + "72.2.3.66", + 443 + ] + }, + { + "concat": [ + "10.1.1.52", + 443 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "72.2.3.66", + "10.2.2.2" + ], + [ + "72.2.3.67", + "10.2.3.3" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft new file mode 100644 index 00000000..a1a11354 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft @@ -0,0 +1,11 @@ +table inet nat { + chain prerouting { + oif "lo" accept + dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 } + } + + chain postrouting { + oif "lo" accept + snat ip to ip daddr map { 72.2.3.66 : 10.2.2.2, 72.2.3.67 : 10.2.3.3 } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft b/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft new file mode 100644 index 00000000..46ed0677 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft @@ -0,0 +1,320 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "172.30.33.70" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + "172.30.238.117", + 8080 + ] + }, + { + "concat": [ + "tcp", + "172.30.33.71", + 3306 + ] + }, + { + "concat": [ + "tcp", + "172.30.254.251", + 3306 + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "icmp", + "expr": "port-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "172.30.254.252" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + "aaaa::3", + 8080 + ] + }, + { + "concat": [ + "tcp", + "aaaa::2", + 3306 + ] + }, + { + "concat": [ + "tcp", + "aaaa::4", + 3306 + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "icmpv6", + "expr": "port-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "aaaa::5" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.nft b/tests/shell/testcases/optimizations/dumps/merge_reject.nft new file mode 100644 index 00000000..c29ad6d5 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_reject.nft @@ -0,0 +1,13 @@ +table ip x { + chain y { + ip daddr 172.30.33.70 tcp dport 3306 counter packets 0 bytes 0 drop + meta l4proto . ip daddr . tcp dport { tcp . 172.30.238.117 . 8080, tcp . 172.30.33.71 . 3306, tcp . 172.30.254.251 . 3306 } counter packets 0 bytes 0 reject + ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset + } +} +table ip6 x { + chain y { + meta l4proto . ip6 daddr . tcp dport { tcp . aaaa::3 . 8080, tcp . aaaa::2 . 3306, tcp . aaaa::4 . 3306 } counter packets 0 bytes 0 reject + ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft new file mode 100644 index 00000000..c392b76a --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft @@ -0,0 +1,63 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.0.1", + "192.168.0.2", + "192.168.0.3" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts.nft new file mode 100644 index 00000000..b56ea3ed --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft new file mode 100644 index 00000000..267d84ef --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft @@ -0,0 +1,374 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c3", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "eth1", + "1.1.1.1", + "2.2.2.3" + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + "2.2.2.4" + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + { + "prefix": { + "addr": "2.2.3.0", + "len": 24 + } + } + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + { + "range": [ + "2.2.4.0", + "2.2.4.10" + ] + } + ] + }, + { + "concat": [ + "eth2", + "1.1.1.3", + "2.2.2.5" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + 22 + ] + }, + { + "concat": [ + "udp", + 67 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c1", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 100, + "foo" + ] + }, + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c3", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 100, + "foo" + ] + }, + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + }, + { + "concat": [ + 100, + "test" + ] + }, + { + "concat": [ + 51820, + "test" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft new file mode 100644 index 00000000..f56cea1c --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft @@ -0,0 +1,18 @@ +table ip x { + chain y { + iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept + ip protocol . th dport { tcp . 22, udp . 67 } + } + + chain c1 { + udp dport . iifname { 51820 . "foo", 514 . "bar", 67 . "bar" } accept + } + + chain c2 { + udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar" } accept + } + + chain c3 { + udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar", 100 . "test", 51820 . "test" } accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft new file mode 100644 index 00000000..5dfa40a8 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft @@ -0,0 +1,167 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "x", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "meta": { + "key": "pkttype" + } + }, + { + "payload": { + "protocol": "udp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "broadcast", + 547 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "broadcast", + 67 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "multicast", + 1900 + ] + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "2.2.2.2", + "3.3.3.3" + ] + }, + { + "drop": null + } + ], + [ + { + "concat": [ + "4.4.4.4", + "5.5.5.5" + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft new file mode 100644 index 00000000..780aa09a --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft @@ -0,0 +1,9 @@ +table ip x { + chain x { + meta pkttype . udp dport vmap { broadcast . 547 : accept, broadcast . 67 : accept, multicast . 1900 : drop } + } + + chain y { + ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop, 4.4.4.4 . 5.5.5.5 : accept } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft new file mode 100644 index 00000000..17d57b8f --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft @@ -0,0 +1,182 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "w", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "ct": { + "key": "state" + } + }, + "data": { + "set": [ + [ + "invalid", + { + "drop": null + } + ], + [ + "established", + { + "accept": null + } + ], + [ + "related", + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 1, + { + "accept": null + } + ], + [ + { + "range": [ + 2, + 3 + ] + }, + { + "drop": null + } + ], + [ + 4, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "w", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ], + [ + { + "elem": { + "val": "1.1.1.2", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft new file mode 100644 index 00000000..8ecbd927 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft @@ -0,0 +1,13 @@ +table ip x { + chain y { + ct state vmap { invalid : drop, established : accept, related : accept } + } + + chain z { + tcp dport vmap { 1 : accept, 2-3 : drop, 4 : accept } + } + + chain w { + ip saddr vmap { 1.1.1.1 counter packets 0 bytes 0 : accept, 1.1.1.2 counter packets 0 bytes 0 : drop } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft new file mode 100644 index 00000000..b8ad126c --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft @@ -0,0 +1,438 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_dnstc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_this_5301", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5301", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5302", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5303", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_acme", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_dnstc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "redirect": { + "port": 5300 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_dnstc", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_this_5301", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "redirect": { + "port": 5301 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_this_5301", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5301", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5301 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5301", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5302", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5302 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5302", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5303", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5303 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5303", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_acme", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "th", + "offset": 160, + "len": 128 + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "goto": { + "target": "nat_dns_dnstc" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe31393032383939353831343037320e" + ] + }, + { + "goto": { + "target": "nat_dns_this_5301" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe31363436323733373931323934300e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5301" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe32393535373539353636383732310e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5302" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe38353439353637323038363633390e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5303" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_acme", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft new file mode 100644 index 00000000..18847116 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft @@ -0,0 +1,31 @@ +table inet x { + chain nat_dns_dnstc { + meta l4proto udp redirect to :5300 + drop + } + + chain nat_dns_this_5301 { + meta l4proto udp redirect to :5301 + drop + } + + chain nat_dns_saturn_5301 { + meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5301 + drop + } + + chain nat_dns_saturn_5302 { + meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5302 + drop + } + + chain nat_dns_saturn_5303 { + meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5303 + drop + } + + chain nat_dns_acme { + udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0xe31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0xe31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0xe32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0xe38353439353637323038363633390e : goto nat_dns_saturn_5303 } + drop + } +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft new file mode 100644 index 00000000..e87f1c4c --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft @@ -0,0 +1,205 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "filter_in_tcp", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "filter_in_udp", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@s", + "stmt": [ + { + "limit": { + "rate": 12, + "burst": 30, + "per": "minute" + } + } + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + { + "accept": null + } + ], + [ + 81, + { + "accept": null + } + ], + [ + 443, + { + "accept": null + } + ], + [ + { + "range": [ + 8000, + 8100 + ] + }, + { + "accept": null + } + ], + [ + { + "range": [ + 24000, + 25000 + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "l4proto" + } + }, + "data": { + "set": [ + [ + "tcp", + { + "goto": { + "target": "filter_in_tcp" + } + } + ], + [ + "udp", + { + "goto": { + "target": "filter_in_udp" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "log": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft new file mode 100644 index 00000000..c981acf0 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft @@ -0,0 +1,20 @@ +table ip x { + set s { + type ipv4_addr + size 65535 + flags dynamic + } + + chain filter_in_tcp { + } + + chain filter_in_udp { + } + + chain y { + update @s { ip saddr limit rate 12/minute burst 30 packets } accept + tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept } + meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp } + log + } +} diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft new file mode 100644 index 00000000..8e64ba1e --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft @@ -0,0 +1,140 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "t1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "t2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "version" + } + }, + "data": { + "set": [ + [ + 4, + { + "jump": { + "target": "t3" + } + } + ], + [ + 6, + { + "jump": { + "target": "t4" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft new file mode 100644 index 00000000..02b89207 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft @@ -0,0 +1,19 @@ +table ip x { + chain t1 { + } + + chain t2 { + } + + chain t3 { + } + + chain t4 { + } + + chain y { + counter packets 0 bytes 0 jump t1 + counter packets 0 bytes 0 jump t2 + ip version vmap { 4 : jump t3, 6 : jump t4 } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.json-nft b/tests/shell/testcases/optimizations/dumps/ruleset.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/ruleset.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.nft b/tests/shell/testcases/optimizations/dumps/ruleset.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/ruleset.nft diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft new file mode 100644 index 00000000..26634134 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft @@ -0,0 +1,360 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "127.0.0.0", + "len": 8 + } + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "range": [ + "127.0.0.1", + "192.168.7.3" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": { + "range": [ + 1, + 1023 + ] + } + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.7.1", + "192.168.7.5" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 80, + 443 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "192.168.0.1", + 22 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "192.168.0.1", + 1 + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "established", + "related" + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft new file mode 100644 index 00000000..35e3f36e --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft @@ -0,0 +1,15 @@ +table ip test { + chain test { + ip saddr 127.0.0.1 accept + iif "lo" accept + tcp dport != 22 drop + ip saddr 127.0.0.0/8 accept + ip saddr 127.0.0.1-192.168.7.3 accept + tcp sport 1-1023 drop + ip daddr { 192.168.7.1, 192.168.7.5 } accept + tcp dport { 80, 443 } accept + ip daddr . tcp dport { 192.168.0.1 . 22 } accept + meta mark set ip daddr map { 192.168.0.1 : 0x00000001 } + ct state { established, related } accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft new file mode 100644 index 00000000..c8adddb1 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft @@ -0,0 +1,59 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": { + "set": [ + { + "elem": { + "val": 10, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft new file mode 100644 index 00000000..54880b92 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + meta mark { 0x0000000a counter packets 0 bytes 0 } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft new file mode 100644 index 00000000..7bb6c656 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft @@ -0,0 +1,235 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "udp_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "tcp_input", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "udp_accepted", + "table": "filter", + "type": "inet_service", + "handle": 0, + "elem": [ + 500, + 4500 + ] + } + }, + { + "set": { + "family": "inet", + "name": "tcp_accepted", + "table": "filter", + "type": "inet_service", + "handle": 0, + "elem": [ + 80, + 443 + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": { + "range": [ + 1, + 128 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": "@udp_accepted" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 53 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + { + "range": [ + 1, + 128 + ] + }, + { + "range": [ + 8888, + 9999 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": "@tcp_accepted" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 1024, + 65535 + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.nft b/tests/shell/testcases/optimizations/dumps/skip_merge.nft new file mode 100644 index 00000000..9c10b74b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_merge.nft @@ -0,0 +1,23 @@ +table inet filter { + set udp_accepted { + type inet_service + elements = { 500, 4500 } + } + + set tcp_accepted { + type inet_service + elements = { 80, 443 } + } + + chain udp_input { + udp dport 1-128 accept + udp dport @udp_accepted accept + udp dport 53 accept + } + + chain tcp_input { + tcp dport { 1-128, 8888-9999 } accept + tcp dport @tcp_accepted accept + tcp dport 1024-65535 accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft b/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft new file mode 100644 index 00000000..19296d02 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft @@ -0,0 +1,108 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "eth0" + } + }, + { + "match": { + "op": "!=", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "eth0" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "eth0" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "eth0" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft b/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft new file mode 100644 index 00000000..6df38655 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft @@ -0,0 +1,6 @@ +table inet x { + chain y { + iifname "eth0" oifname != "eth0" counter packets 0 bytes 0 accept + iifname "eth0" oifname "eth0" counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft new file mode 100644 index 00000000..d6347b1e --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft @@ -0,0 +1,256 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "GEOIP_CC_wan-lan_120", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "1.32.128.0", + "len": 18 + } + }, + { + "range": [ + "1.32.200.0", + "1.32.204.128" + ] + }, + { + "prefix": { + "addr": "1.32.207.0", + "len": 24 + } + }, + { + "range": [ + "1.32.216.118", + "1.32.216.255" + ] + }, + { + "range": [ + "1.32.219.0", + "1.32.222.255" + ] + }, + { + "prefix": { + "addr": "1.32.226.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.32.231.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.32.233.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.32.238.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.32.240.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "223.223.220.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "223.255.254.0", + "len": 24 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 10 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 81 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 11 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.2.3.5", + 81 + ] + }, + { + "concat": [ + "1.2.3.5", + 82 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft new file mode 100644 index 00000000..f24855e7 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft @@ -0,0 +1,18 @@ +table inet x { + set GEOIP_CC_wan-lan_120 { + type ipv4_addr + flags interval + elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128, + 1.32.207.0/24, 1.32.216.118-1.32.216.255, + 1.32.219.0-1.32.222.255, 1.32.226.0/23, + 1.32.231.0/24, 1.32.233.0/24, + 1.32.238.0/23, 1.32.240.0/24, + 223.223.220.0/22, 223.255.254.0/24 } + } + + chain y { + ip saddr 1.2.3.4 tcp dport 80 meta mark set 0x0000000a accept + ip saddr 1.2.3.4 tcp dport 81 meta mark set 0x0000000b accept + ip saddr . tcp dport { 1.2.3.5 . 81, 1.2.3.5 . 82 } accept + } +} diff --git a/tests/shell/testcases/optimizations/dumps/variables.json-nft b/tests/shell/testcases/optimizations/dumps/variables.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/variables.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/variables.nft b/tests/shell/testcases/optimizations/dumps/variables.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/variables.nft diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat new file mode 100755 index 00000000..3ffcbd57 --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_nat @@ -0,0 +1,38 @@ +#!/bin/bash + +set -e + +RULESET="table ip test1 { + chain y { + oif lo accept + ip saddr 4.4.4.4 dnat to 1.1.1.1 + ip saddr 5.5.5.5 dnat to 2.2.2.2 + } +}" + +$NFT -o -f - <<< $RULESET + +RULESET="table ip test2 { + chain y { + oif lo accept + tcp dport 80 dnat to 1.1.1.1:8001 + tcp dport 81 dnat to 2.2.2.2:9001 + ip saddr 10.141.11.0/24 masquerade + ip saddr 10.141.13.0/24 masquerade + } +}" + +$NFT -o -f - <<< $RULESET + +RULESET="table ip test4 { + chain y { + oif lo accept + ip daddr 1.1.1.1 tcp dport 80 dnat to 4.4.4.4:8000 + ip daddr 2.2.2.2 tcp dport 81 dnat to 3.3.3.3:9000 + tcp dport 83 redirect to :8083 + tcp dport 84 redirect to :8084 + tcp dport 85 redirect + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_nat_concat b/tests/shell/testcases/optimizations/merge_nat_concat new file mode 100755 index 00000000..2e0a91a3 --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_nat_concat @@ -0,0 +1,18 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET="table ip test3 { + chain y { + oif lo accept + ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3 + ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4 + oifname enp2s0 snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 } + tcp dport 8888 redirect + tcp dport 9999 redirect + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_nat_inet b/tests/shell/testcases/optimizations/merge_nat_inet new file mode 100755 index 00000000..ff1916d3 --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_nat_inet @@ -0,0 +1,21 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_nat) + +set -e + +RULESET="table inet nat { + chain prerouting { + oif lo accept + iifname enp2s0 ip daddr 72.2.3.66 tcp dport 53122 dnat to 10.1.1.10:22 + iifname enp2s0 ip daddr 72.2.3.66 tcp dport 443 dnat to 10.1.1.52:443 + iifname enp2s0 ip daddr 72.2.3.70 tcp dport 80 dnat to 10.1.1.52:80 + } + chain postrouting { + oif lo accept + ip daddr 72.2.3.66 snat to 10.2.2.2 + ip daddr 72.2.3.67 snat to 10.2.3.3 + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_reject b/tests/shell/testcases/optimizations/merge_reject new file mode 100755 index 00000000..c0ef9cac --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_reject @@ -0,0 +1,26 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain y { + meta l4proto tcp ip daddr 172.30.33.70 tcp dport 3306 counter packets 0 bytes 0 drop + meta l4proto tcp ip daddr 172.30.33.71 tcp dport 3306 counter packets 0 bytes 0 reject + meta l4proto tcp ip daddr 172.30.238.117 tcp dport 8080 counter packets 0 bytes 0 reject + meta l4proto tcp ip daddr 172.30.254.251 tcp dport 3306 counter packets 0 bytes 0 reject + meta l4proto tcp ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset + } +}" + +$NFT -o -f - <<< $RULESET + +RULESET="table ip6 x { + chain y { + meta l4proto tcp ip6 daddr aaaa::2 tcp dport 3306 counter packets 0 bytes 0 reject + meta l4proto tcp ip6 daddr aaaa::3 tcp dport 8080 counter packets 0 bytes 0 reject + meta l4proto tcp ip6 daddr aaaa::4 tcp dport 3306 counter packets 0 bytes 0 reject + meta l4proto tcp ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_stmts b/tests/shell/testcases/optimizations/merge_stmts new file mode 100755 index 00000000..ec7a9dd6 --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_stmts @@ -0,0 +1,13 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain y { + ip daddr 192.168.0.1 counter accept comment "test1" + ip daddr 192.168.0.2 counter accept comment "test2" + ip daddr 192.168.0.3 counter accept comment "test3" + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat b/tests/shell/testcases/optimizations/merge_stmts_concat new file mode 100755 index 00000000..4db4a6f9 --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_stmts_concat @@ -0,0 +1,37 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET="table ip x { + chain y { + meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept + meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept + meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept + meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept + meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept + ip protocol . th dport { tcp . 22, udp . 67 } + } +}" + +$NFT -o -f - <<< $RULESET + +RULESET="table ip x { + chain c1 { + udp dport 51820 iifname "foo" accept + udp dport { 67, 514 } iifname "bar" accept + } + + chain c2 { + udp dport { 51820, 100 } iifname "foo" accept + udp dport { 67, 514 } iifname "bar" accept + } + + chain c3 { + udp dport { 51820, 100 } iifname { "foo", "test" } accept + udp dport { 67, 514 } iifname "bar" accept + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap new file mode 100755 index 00000000..657d0aea --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap @@ -0,0 +1,17 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain x { + meta pkttype broadcast udp dport { 67, 547 } accept + meta pkttype multicast udp dport 1900 drop + } + chain y { + ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept + ip saddr 4.4.4.4 ip daddr 5.5.5.5 accept + ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_stmts_vmap b/tests/shell/testcases/optimizations/merge_stmts_vmap new file mode 100755 index 00000000..e5357c0f --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_stmts_vmap @@ -0,0 +1,23 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +set -e + +RULESET="table ip x { + chain y { + ct state invalid drop + ct state established,related accept + } + chain z { + tcp dport { 1 } accept + tcp dport 2-3 drop + tcp dport 4 accept + } + chain w { + ip saddr 1.1.1.1 counter accept + ip saddr 1.1.1.2 counter drop + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_vmap_raw b/tests/shell/testcases/optimizations/merge_vmap_raw new file mode 100755 index 00000000..eb04bec3 --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_vmap_raw @@ -0,0 +1,34 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET="table inet x { + chain nat_dns_dnstc { meta l4proto udp redirect to :5300 ; drop ; } + chain nat_dns_this_5301 { meta l4proto udp redirect to :5301 ; drop ; } + chain nat_dns_saturn_5301 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5301 ; drop ; } + chain nat_dns_saturn_5302 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5302 ; drop ; } + chain nat_dns_saturn_5303 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5303 ; drop ; } + + chain nat_dns_acme { + udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 \ + goto nat_dns_dnstc + + udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e \ + goto nat_dns_this_5301 + + udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e \ + goto nat_dns_saturn_5301 + + udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e \ + goto nat_dns_saturn_5302 + + udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e \ + goto nat_dns_saturn_5303 + + drop + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/merge_vmaps b/tests/shell/testcases/optimizations/merge_vmaps new file mode 100755 index 00000000..e2e4be15 --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_vmaps @@ -0,0 +1,31 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + set s { + type ipv4_addr + flags dynamic + } + chain filter_in_tcp { + } + chain filter_in_udp { + } + chain y { + update @s { ip saddr limit rate 12/minute burst 30 packets } accept + tcp dport vmap { + 80 : accept, + 81 : accept, + 443 : accept, + } + tcp dport vmap { + 8000-8100 : accept, + 24000-25000 : accept, + } + meta l4proto tcp goto filter_in_tcp + meta l4proto udp goto filter_in_udp + log + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/not_mergeable b/tests/shell/testcases/optimizations/not_mergeable new file mode 100755 index 00000000..ddb2f0fd --- /dev/null +++ b/tests/shell/testcases/optimizations/not_mergeable @@ -0,0 +1,22 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain t1 { + } + chain t2 { + } + chain t3 { + } + chain t4 { + } + chain y { + counter jump t1 + counter jump t2 + ip version 4 jump t3 + ip version 6 jump t4 + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/ruleset b/tests/shell/testcases/optimizations/ruleset new file mode 100755 index 00000000..2b2d80ff --- /dev/null +++ b/tests/shell/testcases/optimizations/ruleset @@ -0,0 +1,170 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_prerouting_reject) + +RULESET="table inet uni { + chain gtfo { + reject with icmpx type host-unreachable + drop + } + + chain filter_in_tcp { + tcp dport vmap { + 80 : accept, + 81 : accept, + 443 : accept, + 931 : accept, + 5001 : accept, + 5201 : accept, + } + tcp dport vmap { + 6800-6999 : accept, + 33434-33499 : accept, + } + + drop + } + + chain filter_in_udp { + udp dport vmap { + 53 : accept, + 123 : accept, + 846 : accept, + 849 : accept, + 5001 : accept, + 5201 : accept, + } + udp dport vmap { + 5300-5399 : accept, + 6800-6999 : accept, + 33434-33499 : accept, + } + + drop + } + + chain filter_in { + type filter hook input priority 0; policy drop; + + ct state vmap { + invalid : drop, + established : accept, + related : accept, + untracked : accept, + } + + ct status vmap { + dnat : accept, + snat : accept, + } + + iif lo accept + + meta iifgroup {100-199} accept + + meta l4proto tcp goto filter_in_tcp + meta l4proto udp goto filter_in_udp + + icmp type vmap { + echo-request : accept, + } + ip6 nexthdr icmpv6 icmpv6 type vmap { + echo-request : accept, + } + } + + chain filter_fwd_ifgroup { + meta iifgroup . oifgroup vmap { + 100 . 10 : accept, + 100 . 100 : accept, + 100 . 101 : accept, + 101 . 101 : accept, + } + goto gtfo + } + + chain filter_fwd { + type filter hook forward priority 0; policy drop; + + fib daddr type broadcast drop + + ct state vmap { + invalid : drop, + established : accept, + related : accept, + untracked : accept, + } + + ct status vmap { + dnat : accept, + snat : accept, + } + + meta iifgroup {100-199} goto filter_fwd_ifgroup + } + + chain nat_fwd_tun { + meta l4proto tcp redirect to :15 + udp dport 53 redirect to :13 + goto gtfo + } + + chain nat_dns_dnstc { meta l4proto udp redirect to :5300 ; drop ; } + chain nat_dns_this_5301 { meta l4proto udp redirect to :5301 ; drop ; } + chain nat_dns_moon_5301 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5301 ; drop ; } + chain nat_dns_moon_5302 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5302 ; drop ; } + chain nat_dns_moon_5303 { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5303 ; drop ; } + + chain nat_dns_acme { + udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 \ + goto nat_dns_dnstc + + udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e \ + goto nat_dns_this_5301 + + udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e \ + goto nat_dns_moon_5301 + + udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e \ + goto nat_dns_moon_5302 + + udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e \ + goto nat_dns_moon_5303 + + drop + } + + chain nat_prerouting { + type nat hook prerouting priority -100; policy accept; + + iifgroup 10 udp dport 53 goto nat_dns_acme + iifgroup 10 accept + + ip daddr 198.19.0.0/16 goto nat_fwd_tun + ip6 daddr fc00::/8 goto nat_fwd_tun + + tcp dport 53 redirect to :25302 + udp dport 53 redirect to :25302 + } + + chain nat_output { + type nat hook output priority -100; policy accept; + + ip daddr 198.19.0.0/16 goto nat_fwd_tun + ip6 daddr fc00::/8 goto nat_fwd_tun + } + + chain nat_postrouting { + type nat hook postrouting priority 100; policy accept; + + oif != lo masquerade + } + + chain mangle_forward { + type filter hook forward priority -150; policy accept; + + tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu + } +}" + +$NFT -o -c -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/single_anon_set b/tests/shell/testcases/optimizations/single_anon_set new file mode 100755 index 00000000..632e965f --- /dev/null +++ b/tests/shell/testcases/optimizations/single_anon_set @@ -0,0 +1,53 @@ +#!/bin/bash + +set -e + +test -d "$NFT_TEST_TESTTMPDIR" + +# Input file contains rules with anon sets that contain +# one element, plus extra rule with two elements (that should be +# left alone). + +# Dump file has the simplified rules where anon sets have been +# replaced by equality tests where possible. +file_input1="$NFT_TEST_TESTTMPDIR/input1.nft" + +cat <<EOF > "$file_input1" +table ip test { + chain test { + # Test cases where anon set can be removed: + ip saddr { 127.0.0.1 } accept + iif { "lo" } accept + + # negation, can change to != 22. + tcp dport != { 22 } drop + + # single prefix, can remove anon set. + ip saddr { 127.0.0.0/8 } accept + + # range, can remove anon set. + ip saddr { 127.0.0.1-192.168.7.3 } accept + tcp sport { 1-1023 } drop + + # Test cases where anon set must be kept. + + # 2 elements, cannot remove the anon set. + ip daddr { 192.168.7.1, 192.168.7.5 } accept + tcp dport { 80, 443 } accept + + # single element, but concatenation which is not + # supported outside of set/map context at this time. + ip daddr . tcp dport { 192.168.0.1 . 22 } accept + + # single element, but a map. + meta mark set ip daddr map { 192.168.0.1 : 1 } + + # 2 elements. This could be converted because + # ct state cannot be both established and related + # at the same time, but this needs extra work. + ct state { established, related } accept + } +} +EOF + +$NFT -f "$file_input1" diff --git a/tests/shell/testcases/optimizations/single_anon_set_expr b/tests/shell/testcases/optimizations/single_anon_set_expr new file mode 100755 index 00000000..81b7ceba --- /dev/null +++ b/tests/shell/testcases/optimizations/single_anon_set_expr @@ -0,0 +1,26 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +set -e + +test -d "$NFT_TEST_TESTTMPDIR" + +# Input file contains rules with anon sets that contain +# one element, plus extra rule with two elements (that should be +# left alone). + +# Dump file has the simplified rules where anon sets have been +# replaced by equality tests where possible. +file_input1="$NFT_TEST_TESTTMPDIR/input1.nft" + +cat <<EOF > "$file_input1" +table ip test { + chain test { + # with stateful statement + meta mark { 0x0000000a counter } + } +} +EOF + +$NFT -f "$file_input1" diff --git a/tests/shell/testcases/optimizations/skip_merge b/tests/shell/testcases/optimizations/skip_merge new file mode 100755 index 00000000..8af976ca --- /dev/null +++ b/tests/shell/testcases/optimizations/skip_merge @@ -0,0 +1,34 @@ +#!/bin/bash + +set -e + +RULESET="table inet filter { + set udp_accepted { + type inet_service; + elements = { + isakmp, ipsec-nat-t + } + } + + set tcp_accepted { + type inet_service; + elements = { + http, https + } + } + + chain udp_input { + udp dport 1-128 accept + udp dport @udp_accepted accept + udp dport domain accept + } + + chain tcp_input { + tcp dport 1-128 accept + tcp dport 8888-9999 accept + tcp dport @tcp_accepted accept + tcp dport 1024-65535 accept + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/skip_non_eq b/tests/shell/testcases/optimizations/skip_non_eq new file mode 100755 index 00000000..431ed0ad --- /dev/null +++ b/tests/shell/testcases/optimizations/skip_non_eq @@ -0,0 +1,12 @@ +#!/bin/bash + +set -e + +RULESET="table inet x { + chain y { + iifname "eth0" oifname != "eth0" counter packets 0 bytes 0 accept + iifname "eth0" oifname "eth0" counter packets 0 bytes 0 accept + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/skip_unsupported b/tests/shell/testcases/optimizations/skip_unsupported new file mode 100755 index 00000000..6baa8280 --- /dev/null +++ b/tests/shell/testcases/optimizations/skip_unsupported @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +RULESET="table inet x { + set GEOIP_CC_wan-lan_120 { + type ipv4_addr + flags interval + elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128, + 1.32.207.0/24, 1.32.216.118-1.32.216.255, + 1.32.219.0-1.32.222.255, 1.32.226.0/23, + 1.32.231.0/24, 1.32.233.0/24, + 1.32.238.0/23, 1.32.240.0/24, + 223.223.220.0/22, 223.255.254.0/24 } + } + + chain y { + ip saddr 1.2.3.4 tcp dport 80 meta mark set 10 accept + ip saddr 1.2.3.4 tcp dport 81 meta mark set 11 accept + ip saddr 1.2.3.5 tcp dport 81 accept comment \"test\" + ip saddr 1.2.3.5 tcp dport 82 accept + } +}" + +$NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optimizations/variables b/tests/shell/testcases/optimizations/variables new file mode 100755 index 00000000..fa986065 --- /dev/null +++ b/tests/shell/testcases/optimizations/variables @@ -0,0 +1,15 @@ +#!/bin/bash + +set -e + +RULESET="define addrv4_vpnnet = 10.1.0.0/16 + +table ip nat { + chain postrouting { + type nat hook postrouting priority 0; policy accept; + + ip saddr \$addrv4_vpnnet counter masquerade fully-random comment \"masquerade ipv4\" + } +}" + +$NFT -c -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optionals/comments_chain_0 b/tests/shell/testcases/optionals/comments_chain_0 new file mode 100755 index 00000000..1a84cfa6 --- /dev/null +++ b/tests/shell/testcases/optionals/comments_chain_0 @@ -0,0 +1,14 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + +EXPECTED='table ip test_table { + chain test_chain { + comment "test" + } +} +' + +set -e + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/optionals/comments_objects_0 b/tests/shell/testcases/optionals/comments_objects_0 new file mode 100755 index 00000000..28041ebd --- /dev/null +++ b/tests/shell/testcases/optionals/comments_objects_0 @@ -0,0 +1,58 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + +set -e + +COMMENT128="12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678" + +# test for pass with comment that is 128 bytes long. +rc=0 +$NFT add table ip filter \{ quota foo1 \{ comment "\"${COMMENT128}\"" \}\; \}\; || rc="$?" +test "$rc" = 0 + +# test for failure with comment that is 128+1 bytes long. +rc=0 +$NFT add table ip filter \{ quota foo2 \{ comment "\"${COMMENT128}x\"" \}\; \}\; || rc="$?" +test "$rc" = 1 + +RULESET='table ip filter { + quota q { + over 1200 bytes + comment "'"$COMMENT128"'" + } + + counter c { + packets 0 bytes 0 + comment "test2" + } + + ct helper h { + type "sip" protocol tcp + l3proto ip + comment "test3" + } + + ct expectation e { + protocol tcp + dport 666 + timeout 100ms + size 96 + l3proto ip + comment "test4" + } + + limit l { + rate 400/hour + comment "test5" + } + + synproxy s { + mss 1460 + wscale 2 + comment "test6" + } +} +' + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/optionals/comments_objects_dup_0 b/tests/shell/testcases/optionals/comments_objects_dup_0 new file mode 100755 index 00000000..79d975a2 --- /dev/null +++ b/tests/shell/testcases/optionals/comments_objects_dup_0 @@ -0,0 +1,97 @@ +#!/bin/bash + +EXPECTED='table ip filter { + quota q { + over 1200 bytes + comment "test1" + comment "test1" + } +} +' + +$NFT -f - <<< "$EXPECTED" +if [ $? -eq 0 ] +then + exit 1 +fi + +EXPECTED='table ip filter { + counter c { + packets 0 bytes 0 + comment "test2" + comment "test2" + } +} +' + +$NFT -f - <<< "$EXPECTED" +if [ $? -eq 0 ] +then + exit 1 +fi + +EXPECTED='table ip filter { + ct helper h { + type "sip" protocol tcp + l3proto ip + comment "test3" + comment "test3" + } +} +' + +$NFT -f - <<< "$EXPECTED" +if [ $? -eq 0 ] +then + exit 1 +fi + +EXPECTED='table ip filter { + ct expectation e { + protocol tcp + dport 666 + timeout 100ms + size 96 + l3proto ip + comment "test4" + comment "test4" + } +} +' + +$NFT -f - <<< "$EXPECTED" +if [ $? -eq 0 ] +then + exit 1 +fi + +EXPECTED='table ip filter { + limit l { + rate 400/hour + comment "test5" + comment "test5" + } +} +' + +$NFT -f - <<< "$EXPECTED" +if [ $? -eq 0 ] +then + exit 1 +fi + +EXPECTED='table ip filter { + synproxy s { + mss 1460 + wscale 2 + comment "test6" + comment "test6" + } +} +' + +$NFT -f - <<< "$EXPECTED" +if [ $? -eq 0 ] +then + exit 1 +fi diff --git a/tests/shell/testcases/optionals/comments_table_0 b/tests/shell/testcases/optionals/comments_table_0 new file mode 100755 index 00000000..56bb206b --- /dev/null +++ b/tests/shell/testcases/optionals/comments_table_0 @@ -0,0 +1,7 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + +# comments are shown + +$NFT add table test { comment \"test_comment\"\; } diff --git a/tests/shell/testcases/optionals/dumps/comments_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_0.json-nft new file mode 100644 index 00000000..aef4b3e4 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_0.json-nft @@ -0,0 +1,58 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "comment": "test_comment", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_chain_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_chain_0.json-nft new file mode 100644 index 00000000..4c752e80 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_chain_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test_table", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test_table", + "name": "test_chain", + "handle": 0, + "comment": "test" + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_chain_0.nft b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft new file mode 100644 index 00000000..be3d8f33 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft @@ -0,0 +1,5 @@ +table ip test_table { + chain test_chain { + comment "test" + } +} diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.json-nft new file mode 100644 index 00000000..aef4b3e4 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.json-nft @@ -0,0 +1,58 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "comment": "test_comment", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft new file mode 100644 index 00000000..b5359d8b --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "foo1", + "table": "filter", + "handle": 0, + "comment": "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678", + "bytes": 0, + "used": 0, + "inv": false + } + }, + { + "quota": { + "family": "ip", + "name": "q", + "table": "filter", + "handle": 0, + "comment": "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678", + "bytes": 1200, + "used": 0, + "inv": true + } + }, + { + "counter": { + "family": "ip", + "name": "c", + "table": "filter", + "handle": 0, + "comment": "test2", + "packets": 0, + "bytes": 0 + } + }, + { + "ct helper": { + "family": "ip", + "name": "h", + "table": "filter", + "handle": 0, + "comment": "test3", + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "ct expectation": { + "family": "ip", + "name": "e", + "table": "filter", + "handle": 0, + "comment": "test4", + "protocol": "tcp", + "dport": 666, + "timeout": 100, + "size": 96, + "l3proto": "ip" + } + }, + { + "limit": { + "family": "ip", + "name": "l", + "table": "filter", + "handle": 0, + "comment": "test5", + "rate": 400, + "per": "hour", + "burst": 5 + } + }, + { + "synproxy": { + "family": "ip", + "name": "s", + "table": "filter", + "handle": 0, + "comment": "test6", + "mss": 1460, + "wscale": 2 + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft new file mode 100644 index 00000000..13822209 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft @@ -0,0 +1,42 @@ +table ip filter { + quota foo1 { + comment "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678" + 0 bytes + } + + quota q { + comment "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678" + over 1200 bytes + } + + counter c { + comment "test2" + packets 0 bytes 0 + } + + ct helper h { + comment "test3" + type "sip" protocol tcp + l3proto ip + } + + ct expectation e { + comment "test4" + protocol tcp + dport 666 + timeout 100ms + size 96 + l3proto ip + } + + limit l { + comment "test5" + rate 400/hour + } + + synproxy s { + comment "test6" + mss 1460 + wscale 2 + } +} diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft diff --git a/tests/shell/testcases/optionals/dumps/comments_table_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_table_0.json-nft new file mode 100644 index 00000000..8512c7de --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_table_0.json-nft @@ -0,0 +1,19 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0, + "comment": "test_comment" + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_table_0.nft b/tests/shell/testcases/optionals/dumps/comments_table_0.nft new file mode 100644 index 00000000..32ae3c2d --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_table_0.nft @@ -0,0 +1,3 @@ +table ip test { + comment "test_comment" +} diff --git a/tests/shell/testcases/optionals/dumps/delete_object_handles_0.json-nft b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.json-nft new file mode 100644 index 00000000..583ce528 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.json-nft @@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "https-quota", + "table": "test-ip", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": false + } + }, + { + "map": { + "family": "ip", + "name": "ports", + "table": "test-ip", + "type": "inet_service", + "handle": 0, + "map": "quota" + } + }, + { + "table": { + "family": "ip6", + "name": "test-ip6", + "handle": 0 + } + }, + { + "quota": { + "family": "ip6", + "name": "http-quota", + "table": "test-ip6", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": true + } + }, + { + "counter": { + "family": "ip6", + "name": "http-traffic", + "table": "test-ip6", + "handle": 0, + "packets": 0, + "bytes": 0 + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft new file mode 100644 index 00000000..aac03cc5 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft @@ -0,0 +1,18 @@ +table ip test-ip { + quota https-quota { + 25 mbytes + } + + map ports { + type inet_service : quota + } +} +table ip6 test-ip6 { + quota http-quota { + over 25 mbytes + } + + counter http-traffic { + packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/optionals/dumps/handles_0.json-nft b/tests/shell/testcases/optionals/dumps/handles_0.json-nft new file mode 100644 index 00000000..ff06af30 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/handles_0.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/handles_1.json-nft b/tests/shell/testcases/optionals/dumps/handles_1.json-nft new file mode 100644 index 00000000..ff06af30 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/handles_1.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/handles_1.nft b/tests/shell/testcases/optionals/dumps/handles_1.nft new file mode 100644 index 00000000..085c6cf1 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/handles_1.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport 22 counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/optionals/dumps/log_prefix_0.json-nft b/tests/shell/testcases/optionals/dumps/log_prefix_0.json-nft new file mode 100644 index 00000000..161a58d4 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/log_prefix_0.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "log": { + "prefix": "invalid state match, logging:" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/log_prefix_0.nft b/tests/shell/testcases/optionals/dumps/log_prefix_0.nft new file mode 100644 index 00000000..8c11d697 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/log_prefix_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ct state invalid log prefix "invalid state match, logging:" + } +} diff --git a/tests/shell/testcases/optionals/dumps/update_object_handles_0.json-nft b/tests/shell/testcases/optionals/dumps/update_object_handles_0.json-nft new file mode 100644 index 00000000..ba78f8d7 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/update_object_handles_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "counter": { + "family": "ip", + "name": "traffic-counter", + "table": "test-ip", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "traffic-quota", + "table": "test-ip", + "handle": 0, + "bytes": 52428800, + "used": 0, + "inv": false + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft new file mode 100644 index 00000000..f391b631 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft @@ -0,0 +1,9 @@ +table ip test-ip { + counter traffic-counter { + packets 0 bytes 0 + } + + quota traffic-quota { + 50 mbytes + } +} diff --git a/tests/shell/testcases/optionals/log_prefix_0 b/tests/shell/testcases/optionals/log_prefix_0 new file mode 100755 index 00000000..513a9e74 --- /dev/null +++ b/tests/shell/testcases/optionals/log_prefix_0 @@ -0,0 +1,16 @@ +#!/bin/bash + +set -e + +TMP=$(mktemp) + +RULESET='define test = "state" +define foo = "match, logging" + +table x { + chain y { + ct state invalid log prefix "invalid $test $foo:" + } +}' + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0 index 8b12b8c5..ccd96779 100755 --- a/tests/shell/testcases/optionals/update_object_handles_0 +++ b/tests/shell/testcases/optionals/update_object_handles_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_stateful_object_update) + set -e $NFT add table test-ip $NFT add counter test-ip traffic-counter diff --git a/tests/shell/testcases/owner/0001-flowtable-uaf b/tests/shell/testcases/owner/0001-flowtable-uaf new file mode 100755 index 00000000..c07e8d6a --- /dev/null +++ b/tests/shell/testcases/owner/0001-flowtable-uaf @@ -0,0 +1,26 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner) + +set -e + +$NFT -f - <<EOF +table t { + flags owner + flowtable f { + hook ingress priority 0 + devices = { lo } + } +} +EOF + +# trigger uaf. +$NFT -f - <<EOF +table t { + flags owner + flowtable f { + hook ingress priority 0 + devices = { lo } + } +} +EOF diff --git a/tests/shell/testcases/owner/0002-persist b/tests/shell/testcases/owner/0002-persist new file mode 100755 index 00000000..cf4b8f13 --- /dev/null +++ b/tests/shell/testcases/owner/0002-persist @@ -0,0 +1,36 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist) + +die() { + echo "$@" + exit 1 +} + +$NFT -f - <<EOF +table ip t { + flags owner, persist +} +EOF +[[ $? -eq 0 ]] || { + die "table add failed" +} + +$NFT list ruleset | grep -q 'table ip t' || { + die "table does not persist" +} +$NFT list ruleset | grep -q 'flags persist$' || { + die "unexpected flags in orphaned table" +} + +$NFT -f - <<EOF +table ip t { + flags owner, persist +} +EOF +[[ $? -eq 0 ]] || { + die "retake ownership failed" +} + +exit 0 diff --git a/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.json-nft b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft diff --git a/tests/shell/testcases/owner/dumps/0002-persist.json-nft b/tests/shell/testcases/owner/dumps/0002-persist.json-nft new file mode 100644 index 00000000..f0c336a8 --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0002-persist.json-nft @@ -0,0 +1,19 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0, + "flags": "persist" + } + } + ] +} diff --git a/tests/shell/testcases/owner/dumps/0002-persist.nft b/tests/shell/testcases/owner/dumps/0002-persist.nft new file mode 100644 index 00000000..b47027d3 --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0002-persist.nft @@ -0,0 +1,3 @@ +table ip t { + flags persist +} diff --git a/tests/shell/testcases/packetpath/dumps/payload.nodump b/tests/shell/testcases/packetpath/dumps/payload.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/payload.nodump diff --git a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft new file mode 100644 index 00000000..24363f90 --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft @@ -0,0 +1,674 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "iface_index" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "127.0.0.1", + "lo" + ] + }, + { + "concat": [ + "127.0.0.2", + "lo" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": [ + "ipv4_addr", + "iface_index" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "127.0.0.1", + "lo" + ] + }, + { + "concat": [ + "127.0.0.2", + "lo" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "s3", + "table": "t", + "type": "iface_index", + "handle": 0, + "elem": [ + "lo" + ] + } + }, + { + "set": { + "family": "ip", + "name": "s4", + "table": "t", + "type": "iface_index", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "lo" + ] + } + }, + { + "set": { + "family": "ip", + "name": "nomatch", + "table": "t", + "type": [ + "ipv4_addr", + "iface_index" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "127.0.0.3", + "lo" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "nomatch2", + "table": "t", + "type": [ + "ipv4_addr", + "iface_index" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "127.0.0.2", + "90000" + ] + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "right": "@s" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "lo" + ] + }, + "right": "@s" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "lo" + ] + }, + "right": "@s" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "right": "@s2" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "lo" + ] + }, + "right": "@s2" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "lo" + ] + }, + "right": "@s2" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "lo" + ] + }, + "right": "@s" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "lo" + ] + }, + "right": "@s2" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "@s3" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "@s4" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "lo" + ] + }, + "right": "@nomatch" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "right": "@nomatch2" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/set_lookups.nft b/tests/shell/testcases/packetpath/dumps/set_lookups.nft new file mode 100644 index 00000000..7566f557 --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/set_lookups.nft @@ -0,0 +1,51 @@ +table ip t { + set s { + type ipv4_addr . iface_index + flags interval + elements = { 127.0.0.1 . "lo", + 127.0.0.2 . "lo" } + } + + set s2 { + typeof ip saddr . iif + elements = { 127.0.0.1 . "lo", + 127.0.0.2 . "lo" } + } + + set s3 { + type iface_index + elements = { "lo" } + } + + set s4 { + type iface_index + flags interval + elements = { "lo" } + } + + set nomatch { + typeof ip saddr . iif + elements = { 127.0.0.3 . "lo" } + } + + set nomatch2 { + type ipv4_addr . iface_index + elements = { 127.0.0.2 . 90000 } + } + + chain c { + type filter hook input priority filter; policy accept; + icmp type echo-request ip saddr . iif @s counter packets 1 bytes 84 + icmp type echo-request ip saddr . "lo" @s counter packets 1 bytes 84 + icmp type echo-request ip saddr . "lo" @s counter packets 1 bytes 84 + icmp type echo-request ip saddr . iif @s2 counter packets 1 bytes 84 + icmp type echo-request ip saddr . "lo" @s2 counter packets 1 bytes 84 + icmp type echo-request ip saddr . "lo" @s2 counter packets 1 bytes 84 + icmp type echo-request ip daddr . "lo" @s counter packets 1 bytes 84 + icmp type echo-request ip daddr . "lo" @s2 counter packets 1 bytes 84 + icmp type echo-request iif @s3 counter packets 1 bytes 84 + icmp type echo-request iif @s4 counter packets 1 bytes 84 + ip daddr . "lo" @nomatch counter packets 0 bytes 0 drop + ip daddr . iif @nomatch2 counter packets 0 bytes 0 drop + } +} diff --git a/tests/shell/testcases/packetpath/dumps/tcp_options.nodump b/tests/shell/testcases/packetpath/dumps/tcp_options.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/tcp_options.nodump diff --git a/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump b/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables new file mode 100755 index 00000000..ec7dfeb7 --- /dev/null +++ b/tests/shell/testcases/packetpath/flowtables @@ -0,0 +1,96 @@ +#! /bin/bash -x + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +rnd=$(mktemp -u XXXXXXXX) +R="flowtable-router-$rnd" +C="flowtable-client-$rnd" +S="flowtbale-server-$rnd" + +cleanup() +{ + for i in $R $C $S;do + kill $(ip netns pid $i) 2>/dev/null + ip netns del $i + done +} + +trap cleanup EXIT + +ip netns add $R +ip netns add $S +ip netns add $C + +ip link add s_r netns $S type veth peer name r_s netns $R +ip netns exec $S ip link set s_r up +ip netns exec $R ip link set r_s up +ip link add c_r netns $C type veth peer name r_c netns $R +ip netns exec $R ip link set r_c up +ip netns exec $C ip link set c_r up + +ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r +ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r +ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s +ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c +ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1 +ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r +ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r +ip netns exec $S ethtool -K s_r tso off +ip netns exec $C ethtool -K c_r tso off + +sleep 3 +ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1 + +ip netns exec $R nft -f - <<EOF +table ip6 filter { + flowtable f1 { + hook ingress priority -100 + devices = { r_c, r_s } + } + + chain forward { + type filter hook forward priority filter; policy accept; + ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 0 bytes 0 + ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop + tcp flags fin,rst counter packets 0 bytes 0 accept + meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept + ip6 nexthdr tcp counter packets 0 bytes 0 log drop + } +} +EOF + +if [ ! -r /proc/net/nf_conntrack ] +then + echo "E: nf_conntrack unreadable, skipping" >&2 + exit 77 +fi + +ip netns exec $R nft list ruleset +ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || { + echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2 + exit 77 +} +ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || { + echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2 + exit 77 + +} + +# A trick to control the timing to send a packet +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/pipefile-$rnd,ignoreeof & +sleep 1 +ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' & +sleep 1 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; } +ip netns exec $R cat /proc/net/nf_conntrack +sleep 6 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; } +ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; } +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; } +ip netns exec $C sleep 3 +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd +ip netns exec $C sleep 3 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; } + +exit 0 diff --git a/tests/shell/testcases/packetpath/payload b/tests/shell/testcases/packetpath/payload new file mode 100755 index 00000000..4c5c42da --- /dev/null +++ b/tests/shell/testcases/packetpath/payload @@ -0,0 +1,182 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress) + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1payload-$rnd" +ns2="nft2payload-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +run_test() +{ + ns1_addr=$2 + ns2_addr=$3 + cidr=$4 + + # socat needs square brackets, ie. [abcd::2] + if [ $1 -eq 6 ]; then + nsx1_addr="["$ns1_addr"]" + nsx2_addr="["$ns2_addr"]" + else + nsx1_addr="$ns1_addr" + nsx2_addr="$ns2_addr" + fi + + ip netns add "$ns1" || exit 111 + ip netns add "$ns2" || exit 111 + + ip -net "$ns1" link set lo up + ip -net "$ns2" link set lo up + + ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2 + + ip -net "$ns1" link set veth0 up + ip -net "$ns2" link set veth0 up + ip -net "$ns1" addr add $ns1_addr/$cidr dev veth0 + ip -net "$ns2" addr add $ns2_addr/$cidr dev veth0 + +RULESET="table netdev payload_netdev { + counter ingress {} + counter egress {} + counter mangle_ingress {} + counter mangle_egress {} + counter mangle_ingress_match {} + counter mangle_egress_match {} + + chain ingress { + type filter hook ingress device veth0 priority 0; + tcp dport 7777 counter name ingress + tcp dport 7778 tcp dport set 7779 counter name mangle_ingress + tcp dport 7779 counter name mangle_ingress_match + } + + chain egress { + type filter hook egress device veth0 priority 0; + tcp dport 8887 counter name egress + tcp dport 8888 tcp dport set 8889 counter name mangle_egress + tcp dport 8889 counter name mangle_egress_match + } +} + +table inet payload_inet { + counter input {} + counter output {} + counter mangle_input {} + counter mangle_output {} + counter mangle_input_match {} + counter mangle_output_match {} + + chain in { + type filter hook input priority 0; + tcp dport 7770 counter name input + tcp dport 7771 tcp dport set 7772 counter name mangle_input + tcp dport 7772 counter name mangle_input_match + } + + chain out { + type filter hook output priority 0; + tcp dport 8880 counter name output + tcp dport 8881 tcp dport set 8882 counter name mangle_output + tcp dport 8882 counter name mangle_output_match + } +}" + + ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 + + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8887,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8888,connect-timeout=2 < /dev/null > /dev/null + + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8880,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8881,connect-timeout=2 < /dev/null > /dev/null + + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7777,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7778,connect-timeout=2 < /dev/null > /dev/null + + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7770,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7771,connect-timeout=2 < /dev/null > /dev/null + + ip netns exec "$ns1" $NFT list ruleset + + ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_ingress | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_ingress_match | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_egress | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_egress_match | grep -v "packets 0" > /dev/null || exit 1 + + ip netns exec "$ns1" $NFT list counter inet payload_inet input | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_input | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_input_match | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet output | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_output | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_output_match | grep -v "packets 0" > /dev/null || exit 1 + + # + # ... next stage + # + + ip netns exec "$ns1" $NFT flush ruleset + + # + # bridge + # + + ip -net "$ns1" addr del $ns1_addr/$cidr dev veth0 + + ip -net "$ns1" link add name br0 type bridge + ip -net "$ns1" link set veth0 master br0 + ip -net "$ns1" addr add $ns1_addr/$cidr dev br0 + ip -net "$ns1" link set up dev br0 + +RULESET="table bridge payload_bridge { + counter input {} + counter output {} + counter mangle_input {} + counter mangle_output {} + counter mangle_input_match {} + counter mangle_output_match {} + + chain in { + type filter hook input priority 0; + tcp dport 7770 counter name input + tcp dport 7771 tcp dport set 7772 counter name mangle_input + tcp dport 7772 counter name mangle_input_match + } + + chain out { + type filter hook output priority 0; + tcp dport 8880 counter name output + tcp dport 8881 tcp dport set 8882 counter name mangle_output + tcp dport 8882 counter name mangle_output_match + } +}" + + ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 + + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8880,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8881,connect-timeout=2 < /dev/null > /dev/null + + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7770,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7771,connect-timeout=2 < /dev/null > /dev/null + + ip netns exec "$ns1" $NFT list ruleset + + ip netns exec "$ns1" $NFT list counter bridge payload_bridge input | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_input | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_input_match | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge output | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_output | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_output_match | grep -v "packets 0" > /dev/null || exit 1 +} + +run_test "4" "10.141.10.2" "10.141.10.3" "24" +cleanup +run_test 6 "abcd::2" "abcd::3" "64" +# trap calls cleanup diff --git a/tests/shell/testcases/packetpath/set_lookups b/tests/shell/testcases/packetpath/set_lookups new file mode 100755 index 00000000..85159858 --- /dev/null +++ b/tests/shell/testcases/packetpath/set_lookups @@ -0,0 +1,66 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +$NFT -f /dev/stdin <<"EOF" +table ip t { + set s { + type ipv4_addr . iface_index + flags interval + elements = { 127.0.0.1 . 1 } + } + + set s2 { + typeof ip saddr . meta iif + elements = { 127.0.0.1 . 1 } + } + + set s3 { + type iface_index + elements = { "lo" } + } + + set s4 { + type iface_index + flags interval + elements = { "lo" } + } + + set nomatch { + typeof ip saddr . meta iif + elements = { 127.0.0.3 . 1 } + } + + set nomatch2 { + type ipv4_addr . iface_index + elements = { 127.0.0.2 . 90000 } + } + + chain c { + type filter hook input priority filter; + icmp type echo-request ip saddr . meta iif @s counter + icmp type echo-request ip saddr . 1 @s counter + icmp type echo-request ip saddr . "lo" @s counter + icmp type echo-request ip saddr . meta iif @s2 counter + icmp type echo-request ip saddr . 1 @s2 counter + icmp type echo-request ip saddr . "lo" @s2 counter + + icmp type echo-request ip daddr . "lo" @s counter + icmp type echo-request ip daddr . "lo" @s2 counter + + icmp type echo-request meta iif @s3 counter + icmp type echo-request meta iif @s4 counter + + ip daddr . 1 @nomatch counter drop + ip daddr . meta iif @nomatch2 counter drop + } +} +EOF + +$NFT add element t s { 127.0.0.2 . 1 } +$NFT add element t s2 { 127.0.0.2 . "lo" } + +ip link set lo up +ping -q -c 1 127.0.0.2 > /dev/null diff --git a/tests/shell/testcases/packetpath/tcp_options b/tests/shell/testcases/packetpath/tcp_options new file mode 100755 index 00000000..57e228c5 --- /dev/null +++ b/tests/shell/testcases/packetpath/tcp_options @@ -0,0 +1,57 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_tcp_options) + +have_socat="no" +socat -h > /dev/null && have_socat="yes" + +ip link set lo up + +$NFT -f /dev/stdin <<EOF +table inet t { + counter nomatchc {} + counter sackpermc {} + counter maxsegc {} + counter nopc {} + + chain c { + type filter hook output priority 0; + tcp dport != 22345 accept + tcp flags & (fin | syn | rst | ack ) == syn tcp option 254 length ge 4 counter name nomatchc drop + tcp flags & (fin | syn | rst | ack ) == syn tcp option fastopen length ge 2 reset tcp option fastopen counter name nomatchc + tcp flags & (fin | syn | rst | ack ) == syn tcp option sack-perm missing counter name nomatchc + tcp flags & (fin | syn | rst | ack) == syn tcp option sack-perm exists counter name sackpermc + tcp flags & (fin | syn | rst | ack) == syn tcp option maxseg size gt 1400 counter name maxsegc + tcp flags & (fin | syn | rst | ack) == syn tcp option nop missing counter name nomatchc + tcp flags & (fin | syn | rst | ack) == syn tcp option nop exists counter name nopc + tcp flags & (fin | syn | rst | ack) == syn drop + } +} +EOF + +if [ $? -ne 0 ]; then + exit 1 +fi + +if [ $have_socat != "yes" ]; then + echo "Ran partial test, socat not available (skipped)" + exit 77 +fi + +# This will fail (drop in output -> connect fails with eperm) +socat -u STDIN TCP:127.0.0.1:22345,connect-timeout=1 < /dev/null > /dev/null + +# can't validate via dump file, syn rexmit can cause counters to be > 1 in rare cases. + +$NFT list counter inet t nomatchc + +# nomatchc must be 0. +$NFT list counter inet t nomatchc | grep -q "packets 0" || exit 1 + +# these counters must not be 0. +for nz in sackpermc maxsegc nopc; do + $NFT list counter inet t $nz + $NFT list counter inet t $nz | grep -q "packets 0" && exit 1 +done + +exit 0 diff --git a/tests/shell/testcases/packetpath/vlan_8021ad_tag b/tests/shell/testcases/packetpath/vlan_8021ad_tag new file mode 100755 index 00000000..379a5710 --- /dev/null +++ b/tests/shell/testcases/packetpath/vlan_8021ad_tag @@ -0,0 +1,50 @@ +#!/bin/bash + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1ifname-$rnd" +ns2="nft2ifname-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +set -e + +ip netns add "$ns1" +ip netns add "$ns2" +ip -net "$ns1" link set lo up +ip -net "$ns2" link set lo up + +ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2 + +ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03 + +ip -net "$ns1" link add vlan123 link veth0 type vlan id 123 proto 802.1ad +ip -net "$ns2" link add vlan123 link veth0 type vlan id 123 proto 802.1ad + + +for dev in veth0 vlan123; do + ip -net "$ns1" link set $dev up + ip -net "$ns2" link set $dev up +done + +ip -net "$ns1" addr add 10.1.1.1/24 dev vlan123 +ip -net "$ns2" addr add 10.1.1.2/24 dev vlan123 + +ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF" +table netdev t { + chain c { + type filter hook ingress device veth0 priority filter; + ether saddr da:d3:00:01:02:03 ether type 8021ad vlan id 123 ip daddr 10.1.1.2 icmp type echo-request counter + } +} +EOF + +ip netns exec "$ns1" ping -c 1 10.1.1.2 + +ip netns exec "$ns2" $NFT list ruleset +ip netns exec "$ns2" $NFT list chain netdev t c | grep 'counter packets 1 bytes 84' diff --git a/tests/shell/testcases/parsing/describe b/tests/shell/testcases/parsing/describe new file mode 100755 index 00000000..2ee072e8 --- /dev/null +++ b/tests/shell/testcases/parsing/describe @@ -0,0 +1,7 @@ +#!/bin/bash + +errmsg='Error: unknown ip option type/field' + +str=$($NFT describe ip option rr value 2>&1 | head -n 1) + +[ "$str" = "$errmsg" ] && exit 0 diff --git a/tests/shell/testcases/parsing/dumps/describe.json-nft b/tests/shell/testcases/parsing/dumps/describe.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/describe.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/describe.nft b/tests/shell/testcases/parsing/dumps/describe.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/describe.nft diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft new file mode 100644 index 00000000..bf5dc65f --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft @@ -0,0 +1,4079 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_POST_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_POST_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_IN_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_IN_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_OUT_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_OUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": { + "set": [ + "nd-router-advert", + "nd-neighbor-solicit" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv6" + } + }, + { + "match": { + "op": "==", + "left": { + "fib": { + "result": "oif", + "flags": [ + "saddr", + "iif" + ] + } + }, + "right": false + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "raw_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "raw_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "mangle_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "mangle_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_INPUT_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_INPUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_IN_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_IN_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_OUT_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_OUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_IN_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_IN_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_FWDI_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDI_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_FWDO_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDO_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 137 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "netbios-ns" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "224.0.0.251" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 5353 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "ff02::fb" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 5353 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": { + "range": [ + 1714, + 1764 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 1714, + 1764 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 137 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 138 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 139 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 445 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_allow" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft new file mode 100644 index 00000000..15832752 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft @@ -0,0 +1,561 @@ +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table ip6 firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority raw + 10; policy accept; + icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES_SOURCE { + } + + chain raw_PREROUTING_ZONES { + iifname "enp0s25" goto raw_PRE_home + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority mangle + 10; policy accept; + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES_SOURCE { + } + + chain mangle_PREROUTING_ZONES { + iifname "enp0s25" goto mangle_PRE_home + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority filter + 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority filter + 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_INPUT_ZONES_SOURCE { + } + + chain filter_INPUT_ZONES { + iifname "enp0s25" goto filter_IN_home + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES_SOURCE { + } + + chain filter_FORWARD_IN_ZONES { + iifname "enp0s25" goto filter_FWDI_home + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES_SOURCE { + } + + chain filter_FORWARD_OUT_ZONES { + oifname "enp0s25" goto filter_FWDO_home + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain filter_IN_public { + jump filter_IN_public_log + jump filter_IN_public_deny + jump filter_IN_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + } + + chain filter_FWDI_public { + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain raw_PRE_home { + jump raw_PRE_home_log + jump raw_PRE_home_deny + jump raw_PRE_home_allow + } + + chain raw_PRE_home_log { + } + + chain raw_PRE_home_deny { + } + + chain raw_PRE_home_allow { + udp dport 137 ct helper "netbios-ns" + } + + chain filter_IN_home { + jump filter_IN_home_log + jump filter_IN_home_deny + jump filter_IN_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_home_log { + } + + chain filter_IN_home_deny { + } + + chain filter_IN_home_allow { + tcp dport 22 ct state new,untracked accept + ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept + ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept + udp dport 1714-1764 ct state new,untracked accept + tcp dport 1714-1764 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept + tcp dport 139 ct state new,untracked accept + tcp dport 445 ct state new,untracked accept + } + + chain filter_FWDI_home { + jump filter_FWDI_home_log + jump filter_FWDI_home_deny + jump filter_FWDI_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_home_log { + } + + chain filter_FWDI_home_deny { + } + + chain filter_FWDI_home_allow { + } + + chain mangle_PRE_home { + jump mangle_PRE_home_log + jump mangle_PRE_home_deny + jump mangle_PRE_home_allow + } + + chain mangle_PRE_home_log { + } + + chain mangle_PRE_home_deny { + } + + chain mangle_PRE_home_allow { + } + + chain filter_FWDO_home { + jump filter_FWDO_home_log + jump filter_FWDO_home_deny + jump filter_FWDO_home_allow + } + + chain filter_FWDO_home_log { + } + + chain filter_FWDO_home_deny { + } + + chain filter_FWDO_home_allow { + } + + chain raw_PRE_work { + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain filter_IN_work { + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + } + + chain filter_FWDI_work { + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } + + chain mangle_PRE_work_allow { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_log + jump filter_FWDO_work_deny + jump filter_FWDO_work_allow + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } +} diff --git a/tests/shell/testcases/parsing/dumps/log.json-nft b/tests/shell/testcases/parsing/dumps/log.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/log.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/log.nft b/tests/shell/testcases/parsing/dumps/log.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/log.nft diff --git a/tests/shell/testcases/parsing/dumps/octal.json-nft b/tests/shell/testcases/parsing/dumps/octal.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/octal.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/octal.nft b/tests/shell/testcases/parsing/dumps/octal.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/octal.nft diff --git a/tests/shell/testcases/parsing/large_rule_pipe b/tests/shell/testcases/parsing/large_rule_pipe new file mode 100755 index 00000000..b6760c01 --- /dev/null +++ b/tests/shell/testcases/parsing/large_rule_pipe @@ -0,0 +1,571 @@ +#!/bin/bash + +set -e + +RULESET="#!/sbin/nft -f +flush ruleset; +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority -90; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority 110; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table ip6 firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority -90; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority 110; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority -290; policy accept; + icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES_SOURCE { + } + + chain raw_PREROUTING_ZONES { + iifname "enp0s25" goto raw_PRE_home + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority -140; policy accept; + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES_SOURCE { + } + + chain mangle_PREROUTING_ZONES { + iifname "enp0s25" goto mangle_PRE_home + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + + chain filter_INPUT_ZONES_SOURCE { + } + + chain filter_INPUT_ZONES { + iifname "enp0s25" goto filter_IN_home + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES_SOURCE { + } + + chain filter_FORWARD_IN_ZONES { + iifname "enp0s25" goto filter_FWDI_home + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES_SOURCE { + } + + chain filter_FORWARD_OUT_ZONES { + oifname "enp0s25" goto filter_FWDO_home + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain filter_IN_public { + jump filter_IN_public_log + jump filter_IN_public_deny + jump filter_IN_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport ssh ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + } + + chain filter_FWDI_public { + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain raw_PRE_home { + jump raw_PRE_home_log + jump raw_PRE_home_deny + jump raw_PRE_home_allow + } + + chain raw_PRE_home_log { + } + + chain raw_PRE_home_deny { + } + + chain raw_PRE_home_allow { + udp dport netbios-ns ct helper "netbios-ns" + } + + chain filter_IN_home { + jump filter_IN_home_log + jump filter_IN_home_deny + jump filter_IN_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_home_log { + } + + chain filter_IN_home_deny { + } + + chain filter_IN_home_allow { + tcp dport ssh ct state new,untracked accept + ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept + ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept + udp dport 1714-1764 ct state new,untracked accept + tcp dport 1714-1764 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + udp dport netbios-ns ct state new,untracked accept + udp dport netbios-dgm ct state new,untracked accept + tcp dport netbios-ssn ct state new,untracked accept + tcp dport microsoft-ds ct state new,untracked accept + } + + chain filter_FWDI_home { + jump filter_FWDI_home_log + jump filter_FWDI_home_deny + jump filter_FWDI_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_home_log { + } + + chain filter_FWDI_home_deny { + } + + chain filter_FWDI_home_allow { + } + + chain mangle_PRE_home { + jump mangle_PRE_home_log + jump mangle_PRE_home_deny + jump mangle_PRE_home_allow + } + + chain mangle_PRE_home_log { + } + + chain mangle_PRE_home_deny { + } + + chain mangle_PRE_home_allow { + } + + chain filter_FWDO_home { + jump filter_FWDO_home_log + jump filter_FWDO_home_deny + jump filter_FWDO_home_allow + } + + chain filter_FWDO_home_log { + } + + chain filter_FWDO_home_deny { + } + + chain filter_FWDO_home_allow { + } + + chain raw_PRE_work { + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain filter_IN_work { + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport ssh ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + } + + chain filter_FWDI_work { + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } + + chain mangle_PRE_work_allow { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_log + jump filter_FWDO_work_deny + jump filter_FWDO_work_allow + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } +}" + +( echo "flush ruleset;"; echo "${RULESET}" ) | $NFT -f - + +exit 0 diff --git a/tests/shell/testcases/parsing/log b/tests/shell/testcases/parsing/log new file mode 100755 index 00000000..0b89d589 --- /dev/null +++ b/tests/shell/testcases/parsing/log @@ -0,0 +1,10 @@ +#!/bin/bash + +$NFT add table t || exit 1 +$NFT add chain t c || exit 1 +$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop' || exit 1 +$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all level debug drop' || exit 1 +$NFT delete table t || exit 1 + +exit 0 + diff --git a/tests/shell/testcases/parsing/octal b/tests/shell/testcases/parsing/octal new file mode 100755 index 00000000..09ac26e7 --- /dev/null +++ b/tests/shell/testcases/parsing/octal @@ -0,0 +1,13 @@ +#!/bin/bash + +$NFT add table t || exit 1 +$NFT add chain t c || exit 1 +$NFT add rule t c 'ip saddr 01 continue comment "0.0.0.1"' || exit 1 +$NFT add rule t c 'ip saddr 08 continue comment "error"' && { + echo "'"ip saddr 08"'" not rejected 1>&2 + exit 1 +} +$NFT delete table t || exit 1 + +exit 0 + diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0 index 329ccc20..c343d579 100755 --- a/tests/shell/testcases/rule_management/0003insert_0 +++ b/tests/shell/testcases/rule_management/0003insert_0 @@ -9,3 +9,7 @@ $NFT add chain t c $NFT insert rule t c accept $NFT insert rule t c drop $NFT insert rule t c masquerade + +# check 'evaluate: un-break rule insert with intervals' + +$NFT insert rule t c tcp sport { 3478-3497, 16384-16387 } diff --git a/tests/shell/testcases/rule_management/0010replace_0 b/tests/shell/testcases/rule_management/0010replace_0 index 251cebb2..cd69a89d 100755 --- a/tests/shell/testcases/rule_management/0010replace_0 +++ b/tests/shell/testcases/rule_management/0010replace_0 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # test for kernel commit ca08987885a147643817d02bf260bc4756ce8cd4 # ("netfilter: nf_tables: deactivate expressions in rule replecement routine") diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0 new file mode 100755 index 00000000..33eadd9e --- /dev/null +++ b/tests/shell/testcases/rule_management/0011reset_0 @@ -0,0 +1,170 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_rule) + +set -e + +echo "loading ruleset" +$NFT -f - <<EOF +table ip t { + set s { + type ipv4_addr + counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } + } + chain c { + counter packets 1 bytes 11 update @s { ip saddr } accept + counter packets 2 bytes 12 drop + } + + chain c2 { + counter packets 3 bytes 13 accept + counter packets 4 bytes 14 drop + } +} +table inet t { + chain c { + counter packets 5 bytes 15 accept + counter packets 6 bytes 16 drop + } +} +table ip t2 { + chain c2 { + counter packets 7 bytes 17 accept + counter packets 8 bytes 18 drop + } +} +EOF + +echo "resetting specific rule" +handle=$($NFT -a list chain t c | sed -n 's/.*accept # handle \([0-9]*\)$/\1/p') +$NFT reset rule t c handle $handle +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 2 bytes 12 drop + } + + chain c2 { + counter packets 3 bytes 13 accept + counter packets 4 bytes 14 drop + } +} +table inet t { + chain c { + counter packets 5 bytes 15 accept + counter packets 6 bytes 16 drop + } +} +table ip t2 { + chain c2 { + counter packets 7 bytes 17 accept + counter packets 8 bytes 18 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT list ruleset) + +echo "resetting specific chain" +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + } + + chain c2 { + counter packets 3 bytes 13 accept + counter packets 4 bytes 14 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT reset rules chain t c2) + +echo "resetting specific table" +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 2 bytes 12 drop + } + + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT reset rules table t) + +echo "resetting specific family" +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 0 bytes 0 drop + } + + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} +table ip t2 { + chain c2 { + counter packets 7 bytes 17 accept + counter packets 8 bytes 18 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT reset rules ip) + +echo "resetting whole ruleset" +EXPECT='table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 0 bytes 0 drop + } + + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} +table inet t { + chain c { + counter packets 5 bytes 15 accept + counter packets 6 bytes 16 drop + } +} +table ip t2 { + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT reset rules) diff --git a/tests/shell/testcases/rule_management/0012destroy_0 b/tests/shell/testcases/rule_management/0012destroy_0 new file mode 100755 index 00000000..a058150f --- /dev/null +++ b/tests/shell/testcases/rule_management/0012destroy_0 @@ -0,0 +1,14 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table t +$NFT add chain t c + +# pass for non-existent rule +$NFT destroy rule t c handle 3333 + +# successfully delete existing rule +handle=$($NFT -a -e insert rule t c accept | \ + sed -n 's/.*handle \([0-9]*\)$/\1/p') +$NFT destroy rule t c handle "$handle" diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft new file mode 100644 index 00000000..83dfee0d --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft new file mode 100644 index 00000000..527d79d6 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + drop + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft new file mode 100644 index 00000000..b3808ce2 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft new file mode 100644 index 00000000..b76cd930 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft new file mode 100644 index 00000000..9216cabf --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": { + "set": [ + { + "range": [ + 3478, + 3497 + ] + }, + { + "range": [ + 16384, + 16387 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft index 9421f4ae..b1875aba 100644 --- a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft +++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft @@ -1,5 +1,6 @@ table ip t { chain c { + tcp sport { 3478-3497, 16384-16387 } masquerade drop accept diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft new file mode 100644 index 00000000..5d0b7d06 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft new file mode 100644 index 00000000..5d0b7d06 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft new file mode 100644 index 00000000..bc242467 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft @@ -0,0 +1,257 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 1, + "bytes": 11 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@s" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t2", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t2", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t2", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft new file mode 100644 index 00000000..3b4f5a11 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft @@ -0,0 +1,31 @@ +table ip t { + set s { + type ipv4_addr + size 65535 + flags dynamic + counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } + } + + chain c { + counter packets 0 bytes 0 update @s { ip saddr } accept + counter packets 0 bytes 0 drop + } + + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} +table inet t { + chain c { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} +table ip t2 { + chain c2 { + counter packets 0 bytes 0 accept + counter packets 0 bytes 0 drop + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/sets/0011add_many_elements_0 b/tests/shell/testcases/sets/0011add_many_elements_0 index ba23f90f..c37b2f0d 100755 --- a/tests/shell/testcases/sets/0011add_many_elements_0 +++ b/tests/shell/testcases/sets/0011add_many_elements_0 @@ -3,6 +3,14 @@ # test adding many sets elements HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi + tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -30,3 +38,10 @@ add element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0 index 7e7beebd..64451604 100755 --- a/tests/shell/testcases/sets/0012add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0 @@ -3,6 +3,13 @@ # test adding and deleting many sets elements HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -31,3 +38,10 @@ delete element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0 index 5774317b..c0925dd5 100755 --- a/tests/shell/testcases/sets/0013add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0 @@ -3,6 +3,13 @@ # test adding and deleting many sets elements in two nft -f runs. HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -32,3 +39,10 @@ add element x y $(generate)" > $tmpfile $NFT -f $tmpfile echo "delete element x y $(generate)" > $tmpfile $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0020comments_0 b/tests/shell/testcases/sets/0020comments_0 index 44d451a8..1df38326 100755 --- a/tests/shell/testcases/sets/0020comments_0 +++ b/tests/shell/testcases/sets/0020comments_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + # Test that comments are added to set elements in standard sets. # Explicitly test bitmap backend set implementation. diff --git a/tests/shell/testcases/sets/0022type_selective_flush_0 b/tests/shell/testcases/sets/0022type_selective_flush_0 index 6062913b..48f6875b 100755 --- a/tests/shell/testcases/sets/0022type_selective_flush_0 +++ b/tests/shell/testcases/sets/0022type_selective_flush_0 @@ -16,7 +16,7 @@ $NFT -f - <<< "$RULESET" # Commands that should be invalid declare -a cmds=( - "flush set t m" "flush set t f" + "flush set t m" "flush map t s" "flush map t f" "flush meter t s" "flush meter t m" ) diff --git a/tests/shell/testcases/sets/0024synproxy_0 b/tests/shell/testcases/sets/0024synproxy_0 new file mode 100755 index 00000000..0c7da572 --- /dev/null +++ b/tests/shell/testcases/sets/0024synproxy_0 @@ -0,0 +1,31 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_synproxy) + +# * creating valid named objects +# * referencing them from a valid rule + +RULESET=" +table inet x { + synproxy https-synproxy { + mss 1460 + wscale 7 + timestamp sack-perm + } + synproxy other-synproxy { + mss 1460 + wscale 5 + } + map test2 { + type ipv4_addr : synproxy + flags interval + elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } + chain y { + type filter hook input priority 0; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } +}" + +set -e +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/sets/0025anonymous_set_0 b/tests/shell/testcases/sets/0025anonymous_set_0 index 93a7c022..74777d8e 100755 --- a/tests/shell/testcases/sets/0025anonymous_set_0 +++ b/tests/shell/testcases/sets/0025anonymous_set_0 @@ -14,4 +14,4 @@ $NFT add rule t c ip daddr { \ } #set : tcp ports -$NFT add rule t c tcp dport { 22, 23 } counter +$NFT add rule t c meta oifname \"doesntexist\" tcp dport { 22, 23 } counter diff --git a/tests/shell/testcases/sets/0029named_ifname_dtype_0 b/tests/shell/testcases/sets/0029named_ifname_dtype_0 index 39b3c90c..2dbcd22b 100755 --- a/tests/shell/testcases/sets/0029named_ifname_dtype_0 +++ b/tests/shell/testcases/sets/0029named_ifname_dtype_0 @@ -13,12 +13,53 @@ EXPECTED="table inet t { elements = { \"ssh\" . \"eth0\" } } + set nv { + type ifname . mark + } + + set z { + typeof ct zone + elements = { 1 } + } + + set m { + typeof meta mark + elements = { 1 } + } + + map cz { + typeof meta iifname : ct zone + elements = { \"veth4\" : 1 } + } + + map cm { + typeof meta iifname : ct mark + elements = { \"veth4\" : 1 } + } + chain c { iifname @s accept oifname @s accept tcp dport . meta iifname @sc accept + meta iifname . meta mark @nv accept } }" set -e $NFT -f - <<< "$EXPECTED" +$NFT add element inet t s '{ "eth1" }' +$NFT add element inet t s '{ "eth2", "eth3", "veth1" }' + +$NFT add element inet t sc '{ 80 . "eth0" }' +$NFT add element inet t sc '{ 80 . "eth0" }' || true +$NFT add element inet t sc '{ 80 . "eth1" }' +$NFT add element inet t sc '{ 81 . "eth0" }' + +$NFT add element inet t nv '{ "eth0" . 1 }' +$NFT add element inet t nv '{ "eth0" . 2 }' + +$NFT add element inet t z '{ 2, 3, 4, 5, 6 }' +$NFT add element inet t cz '{ "eth0" : 1, "eth1" : 2 }' + +$NFT add element inet t m '{ 2, 3, 4, 5, 6 }' +$NFT add element inet t cm '{ "eth0" : 1, "eth1" : 2 }' diff --git a/tests/shell/testcases/sets/0030add_many_elements_interval_0 b/tests/shell/testcases/sets/0030add_many_elements_interval_0 index 059ade9a..32a705bf 100755 --- a/tests/shell/testcases/sets/0030add_many_elements_interval_0 +++ b/tests/shell/testcases/sets/0030add_many_elements_interval_0 @@ -1,6 +1,13 @@ #!/bin/bash HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -28,3 +35,10 @@ add element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 b/tests/shell/testcases/sets/0031set_timeout_size_0 index 9edd5f6f..9a4a27f6 100755 --- a/tests/shell/testcases/sets/0031set_timeout_size_0 +++ b/tests/shell/testcases/sets/0031set_timeout_size_0 @@ -3,10 +3,10 @@ RULESET="add table x add set x y { type ipv4_addr; size 128; timeout 30s; flags dynamic; } add chain x test -add rule x test set update ip saddr timeout 1d2h3m4s8ms @y +add rule x test set update ip saddr timeout 1d2h3m4s10ms @y add rule x test set update ip daddr timeout 100ms @y" set -e $NFT -f - <<< "$RULESET" -$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s8ms }' +$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s\(10\|8\)ms }' $NFT list chain x test | grep -q 'update @y { ip daddr timeout 100ms }' diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0 index c7e7298a..32375b9f 100755 --- a/tests/shell/testcases/sets/0034get_element_0 +++ b/tests/shell/testcases/sets/0034get_element_0 @@ -1,44 +1,72 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + RC=0 -check() { # (elems, expected) - out=$($NFT get element ip t s "{ $1 }" 2>/dev/null) +check() { # (set, elems, expected) + out=$($NFT get element ip t $1 "{ $2 }") out=$(grep "elements =" <<< "$out") out="${out#* \{ }" out="${out% \}}" - [[ "$out" == "$2" ]] && return - echo "ERROR: asked for '$1', expecting '$2' but got '$out'" + [[ "$out" == "$3" ]] && return + echo "ERROR: asked for '$2' in set $1, expecting '$3' but got '$out'" ((RC++)) } RULESET="add table ip t add set ip t s { type inet_service; flags interval; } add element ip t s { 10, 20-30, 40, 50-60 } +add set ip t ips { type ipv4_addr; flags interval; } +add element ip t ips { 10.0.0.1, 10.0.0.5-10.0.0.8 } +add element ip t ips { 10.0.0.128/25, 10.0.1.0/24, 10.0.2.3-10.0.2.12 } +add set ip t cs { type ipv4_addr . inet_service; flags interval; } +add element ip t cs { 10.0.0.1 . 22, 10.1.0.0/16 . 1-1024 } +add element ip t cs { 10.2.0.1-10.2.0.8 . 1024-65535 } " $NFT -f - <<< "$RULESET" # simple cases, (non-)existing values and ranges -check 10 10 -check 11 "" -check 20-30 20-30 -check 15-18 "" +check s 10 10 +check s 11 "" +check s 20-30 20-30 +check s 15-18 "" # multiple single elements, ranges smaller than present -check "10, 40" "10, 40" -check "22-24, 26-28" "20-30, 20-30" -check 21-29 20-30 +check s "10, 40" "10, 40" +check s "22-24, 26-28" "20-30, 20-30" +check s 21-29 20-30 # mixed single elements and ranges -check "10, 20" "10, 20-30" -check "10, 22" "10, 20-30" -check "10, 22-24" "10, 20-30" +check s "10, 20" "10, 20-30" +check s "10, 22" "10, 20-30" +check s "10, 22-24" "10, 20-30" # non-existing ranges matching elements -check 10-40 "" -check 10-20 "" -check 10-25 "" -check 25-55 "" +check s 10-40 "" +check s 10-20 "" +check s 10-25 "" +check s 25-55 "" + +# playing with IPs, ranges and prefixes +check ips 10.0.0.1 10.0.0.1 +check ips 10.0.0.2 "" +check ips 10.0.1.0/24 10.0.1.0/24 +check ips 10.0.1.2/31 10.0.1.0/24 +check ips 10.0.1.0 10.0.1.0/24 +check ips 10.0.1.3 10.0.1.0/24 +check ips 10.0.1.255 10.0.1.0/24 +check ips 10.0.2.3-10.0.2.12 10.0.2.3-10.0.2.12 +check ips 10.0.2.10 10.0.2.3-10.0.2.12 +check ips 10.0.2.12 10.0.2.3-10.0.2.12 + +# test concatenated ranges, i.e. Pi, Pa and Po +check cs "10.0.0.1 . 22" "10.0.0.1 . 22" +check cs "10.0.0.1 . 23" "" +check cs "10.0.0.2 . 22" "" +check cs "10.1.0.1 . 42" "10.1.0.0/16 . 1-1024" +check cs "10.1.1.0/24 . 10-20" "10.1.0.0/16 . 1-1024" +check cs "10.2.0.3 . 20000" "10.2.0.1-10.2.0.8 . 1024-65535" exit $RC diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0 index 51ed0f2c..d961ffd4 100755 --- a/tests/shell/testcases/sets/0036add_set_element_expiration_0 +++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0 @@ -1,15 +1,25 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_setelem_expiration) + set -e +drop_seconds() { + sed -E 's/m[0-9]*s([0-9]*ms)?/m/g' +} + RULESET="add table ip x +add set ip x y { type ipv4_addr; flags dynamic,timeout; } +add element ip x y { 1.1.1.1 timeout 30m expires 15m59s }" + +EXPECTED="add table ip x add set ip x y { type ipv4_addr; flags dynamic,timeout; } -add element ip x y { 1.1.1.1 timeout 30s expires 15s }" +add element ip x y { 1.1.1.1 timeout 30m expires 15m }" -test_output=$($NFT -e -f - <<< "$RULESET" 2>&1) +test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation' | drop_seconds) -if [ "$test_output" != "$RULESET" ] ; then - $DIFF -u <(echo "$test_output") <(echo "$RULESET") +if [ "$test_output" != "$EXPECTED" ] ; then + $DIFF -u <(echo "$test_output") <(echo "$EXPECTED") exit 1 fi diff --git a/tests/shell/testcases/sets/0038meter_list_0 b/tests/shell/testcases/sets/0038meter_list_0 index e9e0f6fb..7c37c1d8 100755 --- a/tests/shell/testcases/sets/0038meter_list_0 +++ b/tests/shell/testcases/sets/0038meter_list_0 @@ -14,7 +14,12 @@ RULESET=" " expected_output="table ip t { - meter m { + set s { + type ipv4_addr + size 256 + flags dynamic,timeout + } + set m { type ipv4_addr size 128 flags dynamic diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_0 b/tests/shell/testcases/sets/0043concatenated_ranges_0 new file mode 100755 index 00000000..a3dbf5bf --- /dev/null +++ b/tests/shell/testcases/sets/0043concatenated_ranges_0 @@ -0,0 +1,195 @@ +#!/bin/bash -e +# +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) +# +# 0043concatenated_ranges_0 - Add, get, list, timeout for concatenated ranges +# +# Cycle over supported data types, forming concatenations of three fields, for +# all possible permutations, and: +# - add entries to set +# - list them +# - get entries by specifying a value matching ranges for all fields +# - delete them +# - check that they can't be deleted again +# - add them with 1s timeout +# - check that they are not listed after 1s, just once, for the first entry +# - delete them +# - make sure they can't be deleted again + +TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark" + +RULESPEC_ipv4_addr="ip saddr" +ELEMS_ipv4_addr="192.0.2.1 198.51.100.0/25 203.0.113.0-203.0.113.129" +ADD_ipv4_addr="192.0.2.252/31" +GET_ipv4_addr="198.51.100.127 198.51.100.0/25" + +RULESPEC_ipv6_addr="ip6 daddr" +ELEMS_ipv6_addr="2001:db8:c0c:c0de::1-2001:db8:cacc::a 2001:db8::1 2001:db8:dada:da::/64" +ADD_ipv6_addr="2001:db8::d1ca:d1ca" +GET_ipv6_addr="2001:db8::1 2001:db8::1" + +RULESPEC_ether_addr="ether saddr" +ELEMS_ether_addr="00:0a:c1:d1:f1:ed-00:0a:c1:dd:ec:af 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00 f0:ca:cc:1a:b0:1a" +ADD_ether_addr="00:be:1d:ed:ab:e1" +GET_ether_addr="ac:c1:ac:c0:ce:c0 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00" + +RULESPEC_inet_proto="meta l4proto" +ELEMS_inet_proto="tcp udp icmp" +ADD_inet_proto="sctp" +GET_inet_proto="udp udp" + +RULESPEC_inet_service="tcp dport" +ELEMS_inet_service="22-23 1024-32768 31337" +ADD_inet_service="32769-65535" +GET_inet_service="32768 1024-32768" + +RULESPEC_mark="mark" +ELEMS_mark="0x00000064-0x000000c8 0x0000006f 0x0000fffd-0x0000ffff" +ADD_mark="0x0000002a" +GET_mark="0x0000006f 0x0000006f" + +tmp="$(mktemp)" +trap "rm -f ${tmp}" EXIT + +render() { + eval "echo \"$(cat ${1})\"" +} + +cat <<'EOF' > "${tmp}" +flush ruleset + +table inet filter { + ${setmap} test { + type ${ta} . ${tb} . ${tc} ${mapt} + flags interval,timeout + elements = { ${a1} . ${b1} . ${c1} ${mapv}, + ${a2} . ${b2} . ${c2} ${mapv}, + ${a3} . ${b3} . ${c3} ${mapv}, } + } + + chain output { + type filter hook output priority 0; policy accept; + ${rule} @test counter + } +} +EOF + +timeout_tested=0 +run_test() +{ +setmap="$1" +for ta in ${TYPES}; do + eval a=\$ELEMS_${ta} + a1=${a%% *}; a2=$(expr "$a" : ".* \(.*\) .*"); a3=${a##* } + eval sa=\$RULESPEC_${ta} + + mark=0 + for tb in ${TYPES}; do + [ "${tb}" = "${ta}" ] && continue + if [ "${tb}" = "ipv6_addr" ]; then + [ "${ta}" = "ipv4_addr" ] && continue + elif [ "${tb}" = "ipv4_addr" ]; then + [ "${ta}" = "ipv6_addr" ] && continue + fi + + eval b=\$ELEMS_${tb} + b1=${b%% *}; b2=$(expr "$b" : ".* \(.*\) .*"); b3=${b##* } + eval sb=\$RULESPEC_${tb} + + for tc in ${TYPES}; do + [ "${tc}" = "${ta}" ] && continue + [ "${tc}" = "${tb}" ] && continue + if [ "${tc}" = "ipv6_addr" ]; then + [ "${ta}" = "ipv4_addr" ] && continue + [ "${tb}" = "ipv4_addr" ] && continue + elif [ "${tc}" = "ipv4_addr" ]; then + [ "${ta}" = "ipv6_addr" ] && continue + [ "${tb}" = "ipv6_addr" ] && continue + fi + + echo "$setmap TYPE: ${ta} ${tb} ${tc}" + + eval c=\$ELEMS_${tc} + c1=${c%% *}; c2=$(expr "$c" : ".* \(.*\) .*"); c3=${c##* } + eval sc=\$RULESPEC_${tc} + + case "${setmap}" in + "set") + mapt="" + mapv="" + rule="${sa} . ${sb} . ${sc}" + ;; + "map") + mapt=": mark" + mark=42 + mapv=$(printf " : 0x%08x" ${mark}) + rule="meta mark set ${sa} . ${sb} . ${sc} map" + ;; + esac + + render ${tmp} | ${NFT} -f - + + [ $(${NFT} list ${setmap} inet filter test | \ + grep -c -e "${a1} . ${b1} . ${c1}${mapv}" \ + -e "${a2} . ${b2} . ${c2}${mapv}" \ + -e "${a3} . ${b3} . ${c3}${mapv}") -eq 3 ] + + ${NFT} delete element inet filter test \ + "{ ${a1} . ${b1} . ${c1}${mapv} }" + ${NFT} delete element inet filter test \ + "{ ${a1} . ${b1} . ${c1}${mapv} }" \ + 2>/dev/null && exit 1 + + eval add_a=\$ADD_${ta} + eval add_b=\$ADD_${tb} + eval add_c=\$ADD_${tc} + ${NFT} add element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} timeout 2m${mapv}}" + [ $(${NFT} list ${setmap} inet filter test | \ + grep -c "${add_a} . ${add_b} . ${add_c}") -eq 1 ] + + eval get_a=\$GET_${ta} + eval get_b=\$GET_${tb} + eval get_c=\$GET_${tc} + exp_a=${get_a##* }; get_a=${get_a%% *} + exp_b=${get_b##* }; get_b=${get_b%% *} + exp_c=${get_c##* }; get_c=${get_c%% *} + [ $(${NFT} get element inet filter test \ + "{ ${get_a} . ${get_b} . ${get_c}${mapv} }" | \ + grep -c "${exp_a} . ${exp_b} . ${exp_c}") -eq 1 ] + + ${NFT} "delete element inet filter test \ + { ${a2} . ${b2} . ${c2}${mapv} }; + delete element inet filter test \ + { ${a3} . ${b3} . ${c3}${mapv} }" + ${NFT} "delete element inet filter test \ + { ${a2} . ${b2} . ${c2}${mapv} }; + delete element inet filter test \ + { ${a3} . ${b3} . ${c3} ${mapv} }" \ + 2>/dev/null && exit 1 + + if [ ${timeout_tested} -eq 1 ]; then + ${NFT} delete element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} ${mapv} }" + ${NFT} delete element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} ${mapv} }" \ + 2>/dev/null && exit 1 + continue + fi + + ${NFT} delete element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} ${mapv}}" + ${NFT} add element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}" + sleep 1 + [ $(${NFT} list ${setmap} inet filter test | \ + grep -c "${add_a} . ${add_b} . ${add_c} ${mapv}") -eq 0 ] + timeout_tested=1 + done + done +done +} + +run_test "set" +run_test "map" diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_1 b/tests/shell/testcases/sets/0043concatenated_ranges_1 new file mode 100755 index 00000000..bb3bf6b2 --- /dev/null +++ b/tests/shell/testcases/sets/0043concatenated_ranges_1 @@ -0,0 +1,25 @@ +#!/bin/bash -e +# +# 0043concatenated_ranges_1 - Insert and list subnets of different sizes + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +check() { + $NFT add element "${1}" t s "{ ${2} . ${3} }" + [ "$( $NFT list set "${1}" t s | grep -c "${2} . ${3}" )" = 1 ] +} + +$NFT add table ip6 t +$NFT add table ip t + +$NFT add set ip6 t s '{ type ipv6_addr . ipv6_addr ; flags interval ; }' +$NFT add set ip t s '{ type ipv4_addr . ipv4_addr ; flags interval ; }' + +for n in $(seq 32 127); do + h="$(printf %x "${n}")" + check ip6 "2001:db8::/${n}" "2001:db8:${h}::-2001:db8:${h}::${h}:1" +done + +for n in $(seq 24 31); do + check ip "192.0.2.0/${n}" "192.0.2.$((n * 3))-192.0.2.$((n * 3 + 2))" +done diff --git a/tests/shell/testcases/sets/0044interval_overlap_0 b/tests/shell/testcases/sets/0044interval_overlap_0 new file mode 100755 index 00000000..b0f51cc8 --- /dev/null +++ b/tests/shell/testcases/sets/0044interval_overlap_0 @@ -0,0 +1,174 @@ +#!/bin/bash -e +# +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) +# +# 0044interval_overlap_0 - Add overlapping and non-overlapping intervals +# +# Check that adding overlapping intervals to a set returns an error, unless: +# - the inserted element overlaps entirely, that is, it's identical to an +# existing one +# - for concatenated ranges, the new element is less specific than any existing +# overlapping element, as elements are evaluated in order of insertion +# +# Then, repeat the test with a set configured with a timeout, checking that: +# - we can insert all the elements as described above +# - once the timeout has expired, we can insert all the elements again, and old +# elements are not present +# - before the timeout expires again, we can re-add elements that are not +# expected to fail, but old elements might be present +# +# If $NFT points to a libtool wrapper, and we're running on a slow machine or +# kernel (e.g. KASan enabled), it might not be possible to execute hundreds of +# commands within an otherwise reasonable 1 second timeout. Estimate a usable +# timeout first, by counting commands and measuring against one nft rule timeout +# itself, so that we can keep this fast for a binary $NFT on a reasonably fast +# kernel. + +# Accept Interval List +intervals_simple=" + y 0 - 2 0-2 + y 0 - 2 0-2 + n 0 - 1 0-2 + n 0 - 3 0-2 + y 3 - 10 0-2, 3-10 + n 3 - 9 0-2, 3-10 + n 4 - 10 0-2, 3-10 + n 4 - 9 0-2, 3-10 + y 20 - 30 0-2, 3-10, 20-30 + y 11 - 12 0-2, 3-10, 11-12, 20-30 + y 13 - 19 0-2, 3-10, 11-12, 13-19, 20-30 + n 25 - 40 0-2, 3-10, 11-12, 13-19, 20-30 + y 50 - 60 0-2, 3-10, 11-12, 13-19, 20-30, 50-60 + y 31 - 49 0-2, 3-10, 11-12, 13-19, 20-30, 31-49, 50-60 + n 59 - 60 0-2, 3-10, 11-12, 13-19, 20-30, 31-49, 50-60 +" + +intervals_concat=" + y 0-2 . 0-3 0-2 . 0-3 + y 0-2 . 0-3 0-2 . 0-3 + n 0-1 . 0-2 0-2 . 0-3 + y 10-20 . 30-40 0-2 . 0-3, 10-20 . 30-40 + y 15-20 . 50-60 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60 + y 3-9 . 4-29 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29 + y 3-9 . 4-29 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29 + n 11-19 . 30-40 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29 + y 15-20 . 49-61 0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29, 15-20 . 49-61 +" + +count_elements() { + pass= + interval= + elements=0 + for t in ${intervals_simple} ${intervals_concat}; do + [ -z "${pass}" ] && pass="${t}" && continue + [ -z "${interval}" ] && interval="${t}" && continue + unset IFS + + elements=$((elements + 1)) + + IFS=' +' + done + unset IFS +} + +match_elements() { + skip=0 + n=0 + out= + for a in $($NFT list set t ${1})}; do + [ ${n} -eq 0 ] && { [ "${a}" = "elements" ] && n=1; continue; } + [ ${n} -eq 1 ] && { [ "${a}" = "=" ] && n=2; continue; } + [ ${n} -eq 2 ] && { [ "${a}" = "{" ] && n=3; continue; } + + [ "${a}" = "}" ] && break + + [ ${skip} -eq 1 ] && skip=0 && out="${out}," && continue + [ "${a}" = "expires" ] && skip=1 && continue + + [ -n "${out}" ] && out="${out} ${a}" || out="${a}" + + done + + if [ "${out%,}" != "${2}" ]; then + echo "Expected: ${2}, got: ${out%,}" + return 1 + fi +} + +estimate_timeout() { + count_elements + + $NFT add table t + $NFT add set t s '{ type inet_service ; flags timeout; timeout 1s; gc-interval 1s; }' + execs_1s=1 + $NFT add element t s "{ 0 }" + while match_elements s "0" >/dev/null; do + execs_1s=$((execs_1s + 1)) + done + + timeout="$((elements / execs_1s * 3 / 2 + 1))" +} + +add_elements() { + set="s" + pass= + interval= + IFS=' +' + for t in ${intervals_simple} switch ${intervals_concat}; do +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then + [ "${t}" = "switch" ] && set="c" && continue +else + break +fi + [ -z "${pass}" ] && pass="${t}" && continue + [ -z "${interval}" ] && interval="${t}" && continue + unset IFS + + if [ "${pass}" = "y" ]; then + if ! $NFT add element t ${set} "{ ${interval} }"; then + echo "Failed to insert ${interval} given:" + $NFT list ruleset + exit 1 + fi + else + if $NFT add element t ${set} "{ ${interval} }" 2>/dev/null; then + echo "Could insert ${interval} given:" + $NFT list ruleset + exit 1 + fi + fi + + [ "${1}" != "nomatch" ] && match_elements "${set}" "${t}" + + pass= + interval= + IFS=' +' + done + unset IFS +} + +$NFT add table t +$NFT add set t s '{ type inet_service ; flags interval ; }' +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then + $NFT add set t c '{ type inet_service . inet_service ; flags interval ; }' +fi +add_elements + +$NFT flush ruleset +estimate_timeout + +$NFT flush ruleset +$NFT add table t +$NFT add set t s "{ type inet_service ; flags interval,timeout; timeout ${timeout}s; gc-interval ${timeout}s; }" +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then + $NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }" +fi +add_elements + +sleep $((timeout * 3 / 2)) +add_elements + +add_elements nomatch diff --git a/tests/shell/testcases/sets/0044interval_overlap_1 b/tests/shell/testcases/sets/0044interval_overlap_1 new file mode 100755 index 00000000..cdd0c844 --- /dev/null +++ b/tests/shell/testcases/sets/0044interval_overlap_1 @@ -0,0 +1,38 @@ +#!/bin/bash -e +# +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) +# +# 0044interval_overlap_1 - Single-sized intervals can never overlap partially +# +# Check that inserting, deleting, and inserting single-sized intervals again +# never leads to a partial overlap. Specifically trigger rbtree rebalancing in +# the process, to ensure different tree shapes of equivalent sets don't lead to +# false positives, by deleting every second inserted item. + +xorshift() { + # Adaptation of Xorshift algorithm from: + # Marsaglia, G. (2003). Xorshift RNGs. + # Journal of Statistical Software, 8(14), 1 - 6. + # doi:http://dx.doi.org/10.18637/jss.v008.i14 + # with triplet (5, 3, 1), suitable for 16-bit ranges. + + : $((port ^= port << 5)) + : $((port ^= port >> 3)) + : $((port ^= port << 1)) +} + +$NFT add table t +$NFT add set t s '{ type inet_service ; flags interval ; }' + +for op in add delete add; do + port=1 + skip=0 + for i in $(seq 1 500); do + xorshift + if [ "${op}" = "delete" ]; then + [ ${skip} -eq 0 ] && skip=1 && continue + skip=0 + fi + $NFT ${op} element t s "{ { $((port % 32768 + 32768)) } }" + done +done diff --git a/tests/shell/testcases/sets/0045concat_ipv4_service b/tests/shell/testcases/sets/0045concat_ipv4_service new file mode 100755 index 00000000..5b40f973 --- /dev/null +++ b/tests/shell/testcases/sets/0045concat_ipv4_service @@ -0,0 +1,16 @@ +#!/bin/bash + +$NFT -f - <<EOF +table inet t { + set s { + type ipv4_addr . inet_service + size 65536 + flags dynamic,timeout + elements = { 192.168.7.1 . 22 } + } + + chain c { + tcp dport 21 add @s { ip saddr . 22 timeout 60s } + } +} +EOF diff --git a/tests/shell/testcases/sets/0046netmap_0 b/tests/shell/testcases/sets/0046netmap_0 new file mode 100755 index 00000000..7533623e --- /dev/null +++ b/tests/shell/testcases/sets/0046netmap_0 @@ -0,0 +1,22 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netmap) + +EXPECTED="table ip x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, + 10.141.12.0/24 : 192.168.3.0/24, + 10.141.13.0/24 : 192.168.4.0/24 } + } + } + table ip6 x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 } + } + } +" + +set -e +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/0047nat_0 b/tests/shell/testcases/sets/0047nat_0 new file mode 100755 index 00000000..757605ee --- /dev/null +++ b/tests/shell/testcases/sets/0047nat_0 @@ -0,0 +1,42 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +EXPECTED="table ip x { + map y { + type ipv4_addr : interval ipv4_addr + flags interval + elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, + 10.141.11.0/24 : 192.168.4.2-192.168.4.3 } + } + + chain x { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat to ip saddr map @y + } + } +" + +set -e +$NFT -f - <<< $EXPECTED +$NFT add element x y { 10.141.12.0/24 : 192.168.5.10-192.168.5.20 } + +EXPECTED="table inet x { + chain x { + type nat hook prerouting priority dstnat; policy accept; + dnat to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 } + } + + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2-192.168.4.3 } + } +}" + +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/0048set_counters_0 b/tests/shell/testcases/sets/0048set_counters_0 new file mode 100755 index 00000000..95babdc9 --- /dev/null +++ b/tests/shell/testcases/sets/0048set_counters_0 @@ -0,0 +1,20 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +set -e + +EXPECTED="table ip x { + set y { + typeof ip saddr + counter + elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 } + } + + chain z { + type filter hook output priority filter; policy accept; + ip daddr @y + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0 new file mode 100755 index 00000000..756afdc1 --- /dev/null +++ b/tests/shell/testcases/sets/0049set_define_0 @@ -0,0 +1,28 @@ +#!/bin/bash + +set -e + +EXPECTED="define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443} +define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} + +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + tcp dport {\$BASE_ALLOWED_INCOMING_TCP_PORTS, \$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept + } +} +" + +$NFT -f - <<< "$EXPECTED" + +EXPECTED="define ip-block-4 = { 1.1.1.1 } + + create set inet filter ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = \$ip-block-4 + } +" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0050set_define_1 b/tests/shell/testcases/sets/0050set_define_1 new file mode 100755 index 00000000..c12de177 --- /dev/null +++ b/tests/shell/testcases/sets/0050set_define_1 @@ -0,0 +1,17 @@ +#!/bin/bash + +set -e + +EXPECTED="define BASE_ALLOWED_INCOMING_TCP_PORTS = {} + +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + tcp dport {\$BASE_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept + } +} +" + +$NFT -f - <<< "$EXPECTED" &> /dev/null || exit 0 +echo "E: Accepted empty set" 1>&2 +exit 1 diff --git a/tests/shell/testcases/sets/0051set_interval_counter_0 b/tests/shell/testcases/sets/0051set_interval_counter_0 new file mode 100755 index 00000000..6e67a43c --- /dev/null +++ b/tests/shell/testcases/sets/0051set_interval_counter_0 @@ -0,0 +1,21 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +set -e + +EXPECTED="table ip x { + set s { + type ipv4_addr + flags interval + counter + elements = { 192.168.2.0/24 } + } + + chain y { + type filter hook output priority filter; policy accept; + ip daddr @s + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0052overlap_0 b/tests/shell/testcases/sets/0052overlap_0 new file mode 100755 index 00000000..c2960945 --- /dev/null +++ b/tests/shell/testcases/sets/0052overlap_0 @@ -0,0 +1,16 @@ +#!/bin/bash + +set -e + +EXPECTED="add table ip filter +add set ip filter w_all {type ipv4_addr; flags interval; auto-merge} +add element ip filter w_all {10.10.10.10, 10.10.10.11} +" + +$NFT -f - <<< "$EXPECTED" + +EXPECTED="flush set ip filter w_all +add element ip filter w_all {10.10.10.10, 10.10.10.253} +" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0053echo_0 b/tests/shell/testcases/sets/0053echo_0 new file mode 100755 index 00000000..6bb03c28 --- /dev/null +++ b/tests/shell/testcases/sets/0053echo_0 @@ -0,0 +1,16 @@ +#!/bin/bash + +set -e + +EXPECTED="add table inet filter +delete table inet filter + +table inet filter { + chain input { + type filter hook input priority filter; policy drop; + iifname { lo } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter accept + } +} +" + +$NFT -ef - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0054comments_set_0 b/tests/shell/testcases/sets/0054comments_set_0 new file mode 100755 index 00000000..9c8f7875 --- /dev/null +++ b/tests/shell/testcases/sets/0054comments_set_0 @@ -0,0 +1,9 @@ +#!/bin/bash + +set -e + +# Test that comments are added to sets + +$NFT add table t +$NFT add set t s {type ipv4_addr \; flags interval \; comment "test" \;} +$NFT add map t m {type ipv4_addr : ipv4_addr \; flags interval \; comment \"another test\" \;} diff --git a/tests/shell/testcases/sets/0055tcpflags_0 b/tests/shell/testcases/sets/0055tcpflags_0 new file mode 100755 index 00000000..a2b24eb2 --- /dev/null +++ b/tests/shell/testcases/sets/0055tcpflags_0 @@ -0,0 +1,27 @@ +#!/bin/bash + +EXPECTED="add table ip test + +add set ip test tcp_good_flags { type tcp_flag ; flags constant ; elements = { + ( 0 | 0 | 0 |ack| 0 | 0 ), \ + ( 0 | 0 | 0 |ack| 0 |urg), \ + ( 0 | 0 | 0 |ack|psh| 0 ), \ + ( 0 | 0 | 0 |ack|psh|urg), \ + ( 0 | 0 |rst| 0 | 0 | 0 ), \ + ( 0 | 0 |rst|ack| 0 | 0 ), \ + ( 0 | 0 |rst|ack| 0 |urg), \ + ( 0 | 0 |rst|ack|psh| 0 ), \ + ( 0 | 0 |rst|ack|psh|urg), \ + ( 0 |syn| 0 | 0 | 0 | 0 ), \ + ( 0 |syn| 0 |ack| 0 | 0 ), \ + ( 0 |syn| 0 |ack| 0 |urg), \ + ( 0 |syn| 0 |ack|psh| 0 ), \ + ( 0 |syn| 0 |ack|psh|urg), \ + (fin| 0 | 0 |ack| 0 | 0 ), \ + (fin| 0 | 0 |ack| 0 |urg), \ + (fin| 0 | 0 |ack|psh| 0 ), \ + (fin| 0 | 0 |ack|psh|urg) \ +} ; }" + +set -e +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/0056dynamic_limit_0 b/tests/shell/testcases/sets/0056dynamic_limit_0 new file mode 100755 index 00000000..21fa0bff --- /dev/null +++ b/tests/shell/testcases/sets/0056dynamic_limit_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +RULESET="table inet filter { + set ssh_meter { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 1m + elements = { 127.0.0.1 expires 52s44ms limit rate over 1/minute } + } + + chain output { + type filter hook output priority filter; policy accept; + ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute } + } +}" + +set -e +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/0057set_create_fails_0 b/tests/shell/testcases/sets/0057set_create_fails_0 new file mode 100755 index 00000000..5f0149a3 --- /dev/null +++ b/tests/shell/testcases/sets/0057set_create_fails_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +RULESET="table inet filter { + set test { + type ipv4_addr + size 65535 + elements = { 1.1.1.1 } + } +}" + +$NFT -f - <<< $RULESET + +CMD="create element inet filter test { 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10, 1.1.1.11, 1.1.1.12, 1.1.1.13, 1.1.1.14, 1.1.1.15, 1.1.1.16, 1.1.1.17, 1.1.1.18, 1.1.1.19, 1.1.1.20, 1.1.1.21, 1.1.1.22, 1.1.1.23, 1.1.1.24, 1.1.1.25, 1.1.1.26, 1.1.1.27, 1.1.1.28, 1.1.1.29, 1.1.1.30, 1.1.1.31, 1.1.1.32, 1.1.1.33, 1.1.1.34, 1.1.1.35, 1.1.1.36, 1.1.1.37, 1.1.1.38, 1.1.1.39, 1.1.1.40, 1.1.1.41, 1.1.1.42, 1.1.1.43, 1.1.1.44, 1.1.1.45, 1.1.1.46, 1.1.1.47, 1.1.1.48, 1.1.1.49, 1.1.1.50, 1.1.1.51, 1.1.1.52, 1.1.1.53, 1.1.1.54, 1.1.1.55, 1.1.1.56, 1.1.1.57, 1.1.1.58, 1.1.1.59, 1.1.1.60, 1.1.1.61, 1.1.1.62, 1.1.1.63, 1.1.1.64, 1.1.1.65, 1.1.1.66, 1.1.1.67, 1.1.1.68, 1.1.1.69, 1.1.1.70, 1.1.1.71, 1.1.1.72, 1.1.1.73, 1.1.1.74, 1.1.1.75, 1.1.1.76, 1.1.1.77, 1.1.1.78, 1.1.1.79, 1.1.1.80, 1.1.1.81, 1.1.1.82, 1.1.1.83, 1.1.1.84, 1.1.1.85, 1.1.1.86, 1.1.1.87, 1.1.1.88, 1.1.1.89, 1.1.1.90, 1.1.1.91, 1.1.1.92, 1.1.1.93, 1.1.1.94, 1.1.1.95, 1.1.1.96, 1.1.1.97, 1.1.1.98, 1.1.1.99, 1.1.1.100, 1.1.1.101, 1.1.1.102, 1.1.1.103, 1.1.1.104, 1.1.1.105, 1.1.1.106, 1.1.1.107, 1.1.1.108, 1.1.1.109, 1.1.1.110, 1.1.1.111, 1.1.1.112, 1.1.1.113, 1.1.1.114, 1.1.1.115, 1.1.1.116, 1.1.1.117, 1.1.1.118, 1.1.1.119, 1.1.1.120, 1.1.1.121, 1.1.1.122, 1.1.1.123, 1.1.1.124, 1.1.1.125, 1.1.1.126, 1.1.1.127, 1.1.1.128, 1.1.1.129, 1.1.1.130, 1.1.1.131, 1.1.1.132, 1.1.1.133, 1.1.1.134, 1.1.1.135, 1.1.1.136, 1.1.1.137, 1.1.1.138, 1.1.1.139, 1.1.1.140, 1.1.1.141, 1.1.1.142, 1.1.1.143, 1.1.1.144, 1.1.1.145, 1.1.1.146, 1.1.1.147, 1.1.1.148, 1.1.1.149, 1.1.1.150, 1.1.1.151, 1.1.1.152, 1.1.1.153, 1.1.1.154, 1.1.1.155, 1.1.1.156, 1.1.1.157, 1.1.1.158, 1.1.1.159, 1.1.1.160, 1.1.1.161, 1.1.1.162, 1.1.1.163, 1.1.1.164, 1.1.1.165, 1.1.1.166, 1.1.1.167, 1.1.1.168, 1.1.1.169, 1.1.1.170, 1.1.1.171, 1.1.1.172, 1.1.1.173, 1.1.1.174, 1.1.1.175, 1.1.1.176, 1.1.1.177, 1.1.1.178, 1.1.1.179, 1.1.1.180, 1.1.1.181, 1.1.1.182, 1.1.1.183, 1.1.1.184, 1.1.1.185, 1.1.1.186, 1.1.1.187, 1.1.1.188, 1.1.1.189, 1.1.1.190, 1.1.1.191, 1.1.1.192, 1.1.1.193, 1.1.1.194, 1.1.1.195, 1.1.1.196, 1.1.1.197, 1.1.1.198, 1.1.1.199, 1.1.1.200, 1.1.1.201, 1.1.1.202, 1.1.1.203, 1.1.1.204, 1.1.1.205, 1.1.1.206, 1.1.1.207, 1.1.1.208, 1.1.1.209, 1.1.1.210, 1.1.1.211, 1.1.1.212, 1.1.1.213, 1.1.1.214, 1.1.1.215, 1.1.1.216, 1.1.1.217, 1.1.1.218, 1.1.1.219, 1.1.1.220, 1.1.1.221, 1.1.1.222, 1.1.1.223, 1.1.1.224, 1.1.1.225, 1.1.1.226, 1.1.1.227, 1.1.1.228, 1.1.1.229, 1.1.1.230, 1.1.1.231, 1.1.1.232, 1.1.1.233, 1.1.1.234, 1.1.1.235, 1.1.1.236, 1.1.1.237, 1.1.1.238, 1.1.1.239, 1.1.1.240, 1.1.1.241, 1.1.1.242, 1.1.1.243, 1.1.1.244, 1.1.1.245, 1.1.1.246, 1.1.1.247, 1.1.1.248, 1.1.1.249, 1.1.1.250, 1.1.1.251, 1.1.1.252, 1.1.1.253 }" + +# If this returns ENOSPC, then nft is sending a netlink message that is larger +# than NFT_MNL_ACK_MAXSIZE. Make sure this returns EEXIST. +$NFT -f - <<< $CMD 2>&1 >/dev/null | grep "File exists" +[ "$?" -eq 0 ] && exit 0 diff --git a/tests/shell/testcases/sets/0058_setupdate_timeout_0 b/tests/shell/testcases/sets/0058_setupdate_timeout_0 new file mode 100755 index 00000000..52a658e1 --- /dev/null +++ b/tests/shell/testcases/sets/0058_setupdate_timeout_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +RULESET="table inet filter { + set ssh_meter { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 30d + } + + chain test { + add @ssh_meter { ip saddr timeout 30d } + } +}" + +set -e +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0 new file mode 100755 index 00000000..2aeba2c5 --- /dev/null +++ b/tests/shell/testcases/sets/0059set_update_multistmt_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + +RULESET="table x { + set y { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 1h + } + chain z { + type filter hook output priority 0; + update @y { ip daddr limit rate 1/second counter } + } +}" + +set -e +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0 new file mode 100755 index 00000000..8e17444e --- /dev/null +++ b/tests/shell/testcases/sets/0060set_multistmt_0 @@ -0,0 +1,52 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + +RULESET="table x { + set y { + type ipv4_addr + limit rate 1/second counter + elements = { 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 } + } + chain y { + type filter hook output priority filter; policy accept; + ip daddr @y + } +}" + +$NFT -f - <<< $RULESET +# should work +if [ $? -ne 0 ] +then + exit 1 +fi + +# should work +$NFT add element x y { 1.1.1.1 limit rate 1/second counter } +if [ $? -ne 0 ] +then + exit 1 +fi + +# should fail +$NFT add element x y { 2.2.2.2 limit rate 1/second } +if [ $? -eq 0 ] +then + exit 1 +fi + +# should fail +$NFT add element x y { 3.3.3.3 counter limit rate 1/second } +if [ $? -eq 0 ] +then + exit 1 +fi + +# should work +$NFT add element x y { 4.4.4.4 } +if [ $? -ne 0 ] +then + exit 1 +fi + +exit 0 diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1 new file mode 100755 index 00000000..04ef047c --- /dev/null +++ b/tests/shell/testcases/sets/0060set_multistmt_1 @@ -0,0 +1,40 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + +RULESET="table x { + set y { + type ipv4_addr + size 65535 + flags dynamic + counter quota 500 bytes + elements = { 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes } + } + chain y { + type filter hook output priority filter; policy accept; + update @y { ip daddr } + } +}" + +$NFT -f - <<< $RULESET +# should work +if [ $? -ne 0 ] +then + exit 1 +fi + +# should work +$NFT add element x y { 1.1.1.1 } +if [ $? -ne 0 ] +then + exit 1 +fi + +# should work +$NFT add element x y { 2.2.2.2 counter quota 1000 bytes } +if [ $? -ne 0 ] +then + exit 1 +fi + +exit 0 diff --git a/tests/shell/testcases/sets/0061anonymous_automerge_0 b/tests/shell/testcases/sets/0061anonymous_automerge_0 new file mode 100755 index 00000000..2dfb800e --- /dev/null +++ b/tests/shell/testcases/sets/0061anonymous_automerge_0 @@ -0,0 +1,11 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain y { + ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1 } + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0 new file mode 100755 index 00000000..48aa6fce --- /dev/null +++ b/tests/shell/testcases/sets/0062set_connlimit_0 @@ -0,0 +1,31 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +set -e + +RULESET="table ip x { + set est-connlimit { + type ipv4_addr + size 65535 + flags dynamic + elements = { 84.245.120.167 ct count over 20 } + } +}" + +$NFT -f - <<< $RULESET + +RULESET="table ip x { + set new-connlimit { + type ipv4_addr + size 65535 + flags dynamic + ct count over 20 + elements = { 84.245.120.167 } + } +}" + +$NFT -f - <<< $RULESET + +$NFT flush set ip x est-connlimit +$NFT flush set ip x new-connlimit diff --git a/tests/shell/testcases/sets/0063set_catchall_0 b/tests/shell/testcases/sets/0063set_catchall_0 new file mode 100755 index 00000000..edd015d0 --- /dev/null +++ b/tests/shell/testcases/sets/0063set_catchall_0 @@ -0,0 +1,23 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + +set -e + +RULESET="table ip x { + set y { + type ipv4_addr + counter + elements = { 1.1.1.1, * } + } + set z { + type ipv4_addr + flags interval + counter + elements = { 1.1.1.0/24 , * } + } +}" + +$NFT -f - <<< $RULESET +$NFT delete element x y { \* } +$NFT add element x y { \* } diff --git a/tests/shell/testcases/sets/0064map_catchall_0 b/tests/shell/testcases/sets/0064map_catchall_0 new file mode 100755 index 00000000..fd289372 --- /dev/null +++ b/tests/shell/testcases/sets/0064map_catchall_0 @@ -0,0 +1,26 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + +set -e + +RULESET="table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.3 } + } + map z { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 } + } +}" + +$NFT -f - <<< $RULESET +$NFT delete element x y { \* : 192.168.0.3 } +$NFT add element x y { \* : 192.168.0.4 } + +$NFT add chain x y +$NFT add rule x y snat to ip saddr map @z +$NFT 'add rule x y snat to ip saddr map { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }' +$NFT 'add rule x y snat to ip saddr . ip daddr map { 10.141.0.0/24 . 10.0.0.0/8 : 192.168.0.2, 192.168.9.0/24 . 192.168.10.0/24 : 192.168.0.4, * : 192.168.0.3 }' diff --git a/tests/shell/testcases/sets/0065_icmp_postprocessing b/tests/shell/testcases/sets/0065_icmp_postprocessing new file mode 100755 index 00000000..f838c3ef --- /dev/null +++ b/tests/shell/testcases/sets/0065_icmp_postprocessing @@ -0,0 +1,13 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain foo { + icmp id 42 + } +}" + +$NFT -f - <<< $RULESET + +$NFT insert rule ip x foo index 0 accept diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0 new file mode 100755 index 00000000..81621957 --- /dev/null +++ b/tests/shell/testcases/sets/0067nat_concat_interval_0 @@ -0,0 +1,58 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +EXPECTED="table ip nat { + map ipportmap2 { + type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.1/8 . 42 - 43 } + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2 + } +}" + +$NFT -f - <<< $EXPECTED + +EXPECTED="table ip nat { + map fwdtoip_th { + type ipv4_addr . inet_service : interval ipv4_addr . inet_service + flags interval + elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 } + } +}" + +$NFT -f - <<< $EXPECTED +$NFT add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th + +EXPECTED="table ip nat { + map ipportmap4 { + typeof iifname . ip saddr : interval ip daddr + flags interval + elements = { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + dnat to iifname . ip saddr map @ipportmap4 + } +}" + +$NFT -f - <<< $EXPECTED +EXPECTED="table ip nat { + map ipportmap5 { + typeof iifname . ip saddr : interval ip daddr . tcp dport + flags interval + elements = { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5 + } +}" + +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/0067nat_interval_0 b/tests/shell/testcases/sets/0067nat_interval_0 new file mode 100755 index 00000000..c90203d0 --- /dev/null +++ b/tests/shell/testcases/sets/0067nat_interval_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +set -e + +EXPECTED="table ip nat { + map ipportmap { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 } + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr map @ipportmap + } +}" + +$NFT -f - <<< $EXPECTED +$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0 new file mode 100755 index 00000000..e61010c7 --- /dev/null +++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0 @@ -0,0 +1,45 @@ +#!/bin/bash + +set -e + +ruleset_file=$(mktemp) + +trap 'rm -f "$ruleset_file"' EXIT + +HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi + +{ + echo 'define big_set = {' + for ((i = 1; i < $HOWMANY; i++)); do + for ((j = 1; j < 255; j++)); do + echo "10.0.$i.$j," + done + done + echo '10.1.0.0/24 }' +} >"$ruleset_file" + +cat >>"$ruleset_file" <<\EOF +table inet test68_table { + set test68_set { + type ipv4_addr + flags interval + elements = { $big_set } + } +} +EOF + +( ulimit -s 400 && $NFT -f "$ruleset_file" ) + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0069interval_merge_0 b/tests/shell/testcases/sets/0069interval_merge_0 new file mode 100755 index 00000000..edb6422a --- /dev/null +++ b/tests/shell/testcases/sets/0069interval_merge_0 @@ -0,0 +1,28 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + set y { + type ipv4_addr + flags interval + auto-merge + elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 } + } +}" + +$NFT -f - <<< $RULESET + +RULESET="table ip x { + set y { + type ipv4_addr + flags interval + auto-merge + elements = { 1.2.4.0, 3.3.3.6, 4.4.4.0/24 } + } +}" + +$NFT -f - <<< $RULESET + +$NFT add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.5, 4.4.4.1 } +$NFT add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.5, 4.4.5.0 } diff --git a/tests/shell/testcases/sets/0070stacked_l2_headers b/tests/shell/testcases/sets/0070stacked_l2_headers new file mode 100755 index 00000000..07820b7c --- /dev/null +++ b/tests/shell/testcases/sets/0070stacked_l2_headers @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 new file mode 100755 index 00000000..79e3ca7d --- /dev/null +++ b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 @@ -0,0 +1,23 @@ +#!/bin/bash + +set -e + +RULESET=" +table inet t { + set s1 { + type ipv4_addr + flags interval + elements = { 192.0.0.0/2, 10.0.0.0/8 } + } + set s2 { + type ipv6_addr + flags interval + elements = { ff00::/8, fe80::/10 } + } + chain c { + ip saddr @s1 accept + ip6 daddr @s2 accept + } +}" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/sets/0072destroy_0 b/tests/shell/testcases/sets/0072destroy_0 new file mode 100755 index 00000000..9886a9b0 --- /dev/null +++ b/tests/shell/testcases/sets/0072destroy_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table x + +# pass for non-existent set +$NFT destroy set x s + +# successfully delete existing set +$NFT add set x s '{type ipv4_addr; size 2;}' +$NFT destroy set x s diff --git a/tests/shell/testcases/sets/0073flat_interval_set b/tests/shell/testcases/sets/0073flat_interval_set new file mode 100755 index 00000000..0630595f --- /dev/null +++ b/tests/shell/testcases/sets/0073flat_interval_set @@ -0,0 +1,11 @@ +#!/bin/bash + +set -e + +EXPECTED="flush ruleset +add table inet filter +add map inet filter testmap { type ipv4_addr : counter; flags interval;} +add counter inet filter TEST +add element inet filter testmap { 192.168.0.0/24 : \"TEST\" }" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0074nested_interval_set b/tests/shell/testcases/sets/0074nested_interval_set new file mode 100755 index 00000000..e7f65fc5 --- /dev/null +++ b/tests/shell/testcases/sets/0074nested_interval_set @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0 new file mode 100755 index 00000000..1dbac0b7 --- /dev/null +++ b/tests/shell/testcases/sets/automerge_0 @@ -0,0 +1,131 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +set -e + +RULESET="table inet x { + set y { + type inet_service + flags interval + auto-merge + } +}" + +HOWMANY=65535 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=5000 +fi + +$NFT -f - <<< $RULESET + +tmpfile=$(mktemp) +echo -n "add element inet x y { " > $tmpfile +for ((i=0;i<$HOWMANY;i+=2)) +do + echo -n "$i, " >> $tmpfile + if [ $i -eq $((HOWMANY-1)) ] + then + echo -n "$i" >> $tmpfile + fi +done +echo "}" >> $tmpfile + +$NFT -f $tmpfile + +tmpfile2=$(mktemp) +for ((i=1;i<$HOWMANY;i+=2)) +do + echo "$i" >> $tmpfile2 +done + +tmpfile3=$(mktemp) +shuf "$tmpfile2" --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "automerge-shuf-tmpfile2" "$NFT_TEST_RANDOM_SEED") > "$tmpfile3" +i=0 +cat $tmpfile3 | while read line && [ $i -lt 10 ] +do + $NFT add element inet x y { $line } + if [ $? -ne 0 ] + then + echo "failed to add $line" + exit 1 + fi + i=$((i+1)) +done + +for ((i=0;i<10;i++)) +do + from=$(($RANDOM%$HOWMANY)) + to=$(($from+100)) + $NFT add element inet x y { $from-$to } + if [ $? -ne 0 ] + then + echo "failed to add $from-$to" + exit 1 + fi + + $NFT get element inet x y { $from-$to } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $from-$to" + exit 1 + fi + + # partial removals in the previous random range + from2=$(($from+10)) + to2=$(($to-10)) + $NFT delete element inet x y { $from, $to, $from2-$to2 } + if [ $? -ne 0 ] + then + echo "failed to delete $from, $to, $from2-$to2" + exit 1 + fi + + # check deletions are correct + from=$(($from+1)) + $NFT get element inet x y { $from } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $from" + exit 1 + fi + + to=$(($to-1)) + $NFT get element inet x y { $to } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $to" + exit 1 + fi + + from2=$(($from2-1)) + $NFT get element inet x y { $from2 } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $from2" + exit 1 + fi + to2=$(($to2+1)) + + $NFT get element inet x y { $to2 } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $to2" + exit 1 + fi +done + +rm -f $tmpfile +rm -f $tmpfile2 +rm -f $tmpfile3 + +if [ "$HOWMANY" != 65535 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0 new file mode 100755 index 00000000..7699e9da --- /dev/null +++ b/tests/shell/testcases/sets/collapse_elem_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +RULESET="table ip a { + set x { + type inet_service; + } +} +table ip6 a { + set x { + type inet_service; + } +} +add element ip a x { 1 } +add element ip a x { 2 } +add element ip6 a x { 2 }" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/concat_interval_0 b/tests/shell/testcases/sets/concat_interval_0 new file mode 100755 index 00000000..36138ae0 --- /dev/null +++ b/tests/shell/testcases/sets/concat_interval_0 @@ -0,0 +1,26 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET="table ip t { + set s { + type ipv4_addr . inet_proto . inet_service + flags interval + counter + elements = { 1.0.0.1 . udp . 53 } + } + set s2 { + type ipv4_addr . mark + flags interval + elements = { 10.10.10.10 . 0x00000100, + 20.20.20.20 . 0x00000200 } + } +}" + +$NFT -f - <<< $RULESET + +$NFT delete element t s { 1.0.0.1 . udp . 53} + +exit 0 diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft new file mode 100644 index 00000000..b9c66a21 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft @@ -0,0 +1,261 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + "10.0.0.0", + "11.0.0.0" + ] + }, + { + "prefix": { + "addr": "172.16.0.0", + "len": 16 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s2", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 64 + } + }, + { + "range": [ + "fe11::", + "fe22::" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s3", + "table": "t", + "type": "inet_proto", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 10, + 20 + ] + }, + { + "range": [ + 50, + 60 + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s4", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 0, + 1024 + ] + }, + { + "range": [ + 8080, + 8082 + ] + }, + { + "range": [ + 10000, + 40000 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@s2" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "@s3" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + }, + "right": "@s3" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": "@s4" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft new file mode 100644 index 00000000..4c0be670 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft @@ -0,0 +1,44 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft new file mode 100644 index 00000000..b6173e9f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft new file mode 100644 index 00000000..c55858fa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 64 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft new file mode 100644 index 00000000..a75681f3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 48 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft new file mode 100644 index 00000000..b6173e9f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft new file mode 100644 index 00000000..f5a9ac19 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft new file mode 100644 index 00000000..c6f5aa68 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft new file mode 100644 index 00000000..fa5dcb25 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft @@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "postrouting", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sourcemap", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "100.123.10.2", + { + "jump": { + "target": "c" + } + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@sourcemap" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft new file mode 100644 index 00000000..2418b39a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "timeout" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.json-nft b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft new file mode 100644 index 00000000..7ea3c602 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "::1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft new file mode 100644 index 00000000..6268e216 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "blacklist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft new file mode 100644 index 00000000..96b9714a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft new file mode 100644 index 00000000..96b9714a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft new file mode 100644 index 00000000..d226811c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1", + "1.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft new file mode 100644 index 00000000..8cd37076 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1, 1.1.1.2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft new file mode 100644 index 00000000..d226811c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1", + "1.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.json-nft b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft new file mode 100644 index 00000000..401a8f23 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "elem": [ + { + "elem": { + "val": 22, + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft new file mode 100644 index 00000000..5ed089dc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft @@ -0,0 +1,69 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "2.2.2.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "3.3.3.0", + "len": 24 + } + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft new file mode 100644 index 00000000..c6171392 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft @@ -0,0 +1,101 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service" + } + }, + { + "set": { + "family": "ip", + "name": "f", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 1024, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@f", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft index 5a6e3261..38987ded 100644 --- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft @@ -7,7 +7,13 @@ table ip t { type ipv4_addr : inet_service } + set f { + type ipv4_addr + size 1024 + flags dynamic + } + chain c { - tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second } + tcp dport 80 add @f { ip saddr limit rate 10/second burst 5 packets } } } diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft new file mode 100644 index 00000000..b4521333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft @@ -0,0 +1,165 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "quota", + "elem": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@test" + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft new file mode 100644 index 00000000..0af61333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft @@ -0,0 +1,131 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "synproxy": { + "family": "inet", + "name": "https-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 7, + "flags": [ + "timestamp", + "sack-perm" + ] + } + }, + { + "synproxy": { + "family": "inet", + "name": "other-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 5 + } + }, + { + "map": { + "family": "inet", + "name": "test2", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "synproxy", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "synproxy": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft new file mode 100644 index 00000000..e0ee86db --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft @@ -0,0 +1,23 @@ +table inet x { + synproxy https-synproxy { + mss 1460 + wscale 7 + timestamp sack-perm + } + + synproxy other-synproxy { + mss 1460 + wscale 5 + } + + map test2 { + type ipv4_addr : synproxy + flags interval + elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } + + chain y { + type filter hook input priority filter; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft new file mode 100644 index 00000000..9d56d025 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.0.1", + "192.168.0.2", + "192.168.0.3" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "doesntexist" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 23 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft index 6204b00c..59636994 100644 --- a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft +++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft @@ -2,6 +2,6 @@ table ip t { chain c { type filter hook output priority filter; policy accept; ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } - tcp dport { 22, 23 } counter packets 0 bytes 0 + oifname "doesntexist" tcp dport { 22, 23 } counter packets 0 bytes 0 } } diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft new file mode 100644 index 00000000..5d21f26c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "limit": { + "family": "ip", + "name": "http-traffic", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "burst": 5 + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + "http-traffic" + ], + [ + 443, + "http-traffic" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft new file mode 100644 index 00000000..b9251ffa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "::ffff:0.0.0.0", + "len": 96 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft new file mode 100644 index 00000000..5968b2e0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft @@ -0,0 +1,168 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": "inet_proto", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "s3", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 1024, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "set": "@s1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@s2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@s3" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft new file mode 100644 index 00000000..0c604927 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft @@ -0,0 +1,26 @@ +table ip t { + set s1 { + type inet_proto + size 65535 + flags dynamic + } + + set s2 { + type ipv4_addr + size 65535 + flags dynamic + } + + set s3 { + type ipv4_addr + size 1024 + flags dynamic + } + + chain c { + type filter hook input priority filter; policy accept; + iifname "foobar" add @s1 { ip protocol } + iifname "foobar" add @s2 { ip daddr } + iifname "foobar" add @s3 { ip daddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft new file mode 100644 index 00000000..96314141 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "x", + "table": "test-ip", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "test-ip", + "type": "inet_service", + "handle": 0, + "flags": [ + "timeout" + ], + "timeout": 10845 + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "test-ip", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "constant", + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft new file mode 100644 index 00000000..0f25c763 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft @@ -0,0 +1,15 @@ +table ip test-ip { + set x { + type ipv4_addr + } + + set y { + type inet_service + timeout 3h45s + } + + set z { + type ipv4_addr + flags constant,interval + } +} diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft index 23ff89bb..55cd4f26 100644 --- a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft +++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft @@ -1,17 +1,57 @@ table inet t { set s { type ifname - elements = { "eth0" } + elements = { "eth0", + "eth1", + "eth2", + "eth3", + "veth1" } } set sc { type inet_service . ifname - elements = { 22 . "eth0" } + elements = { 22 . "eth0", + 80 . "eth0", + 81 . "eth0", + 80 . "eth1" } + } + + set nv { + type ifname . mark + elements = { "eth0" . 0x00000001, + "eth0" . 0x00000002 } + } + + set z { + typeof ct zone + elements = { 1, 2, 3, 4, 5, + 6 } + } + + set m { + typeof meta mark + elements = { 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, + 0x00000006 } + } + + map cz { + typeof iifname : ct zone + elements = { "eth0" : 1, + "eth1" : 2, + "veth4" : 1 } + } + + map cm { + typeof iifname : ct mark + elements = { "eth0" : 0x00000001, + "eth1" : 0x00000002, + "veth4" : 0x00000001 } } chain c { iifname @s accept oifname @s accept tcp dport . iifname @sc accept + iifname . meta mark @nv accept } } diff --git a/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft new file mode 100644 index 00000000..4d194bff --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "setA", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + }, + { + "set": { + "family": "ip", + "name": "setB", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft new file mode 100644 index 00000000..16684438 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "setA", + "table": "x", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + }, + { + "set": { + "family": "ip", + "name": "setB", + "table": "x", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft new file mode 100644 index 00000000..d6174c51 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft @@ -0,0 +1,11 @@ +table ip x { + set setA { + type ipv4_addr . inet_service . ipv4_addr + flags timeout + } + + set setB { + type ipv4_addr . inet_service + flags timeout + } +} diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft new file mode 100644 index 00000000..bfc0e4a0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft @@ -0,0 +1,140 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + 10, + { + "range": [ + 20, + 30 + ] + }, + 40, + { + "range": [ + 50, + 60 + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "ips", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "10.0.0.1", + { + "range": [ + "10.0.0.5", + "10.0.0.8" + ] + }, + { + "prefix": { + "addr": "10.0.0.128", + "len": 25 + } + }, + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + { + "range": [ + "10.0.2.3", + "10.0.2.12" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "cs", + "table": "t", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.0.0.1", + 22 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.1.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 1024 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "10.2.0.1", + "10.2.0.8" + ] + }, + { + "range": [ + 1024, + 65535 + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.nft b/tests/shell/testcases/sets/dumps/0034get_element_0.nft new file mode 100644 index 00000000..1c1dd977 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0034get_element_0.nft @@ -0,0 +1,23 @@ +table ip t { + set s { + type inet_service + flags interval + elements = { 10, 20-30, 40, 50-60 } + } + + set ips { + type ipv4_addr + flags interval + elements = { 10.0.0.1, 10.0.0.5-10.0.0.8, + 10.0.0.128/25, 10.0.1.0/24, + 10.0.2.3-10.0.2.12 } + } + + set cs { + type ipv4_addr . inet_service + flags interval + elements = { 10.0.0.1 . 22, + 10.1.0.0/16 . 1-1024, + 10.2.0.1-10.2.0.8 . 1024-65535 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft new file mode 100644 index 00000000..e4c77147 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft new file mode 100644 index 00000000..ca69cee2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft @@ -0,0 +1,6 @@ +table ip x { + set y { + type ipv4_addr + flags interval + } +} diff --git a/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft new file mode 100644 index 00000000..1c3b559d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft @@ -0,0 +1,159 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, + { + "set": { + "family": "inet", + "name": "myset", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "192.168.0.113", + "tcp", + 22 + ] + }, + { + "concat": [ + "192.168.0.12", + "tcp", + 53 + ] + }, + { + "concat": [ + "192.168.0.12", + "udp", + 53 + ] + }, + { + "concat": [ + "192.168.0.12", + "tcp", + 80 + ] + }, + { + "concat": [ + "192.168.0.13", + "tcp", + 80 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "forward", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "forward", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": "@myset" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft index 0e85f7c2..68b1f7be 100644 --- a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft +++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft @@ -1,11 +1,11 @@ table inet filter { set myset { type ipv4_addr . inet_proto . inet_service - elements = { 192.168.0.12 . tcp . 53, - 192.168.0.12 . tcp . 80, + elements = { 192.168.0.113 . tcp . 22, + 192.168.0.12 . tcp . 53, 192.168.0.12 . udp . 53, - 192.168.0.13 . tcp . 80, - 192.168.0.113 . tcp . 22 } + 192.168.0.12 . tcp . 80, + 192.168.0.13 . tcp . 80 } } chain forward { diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft new file mode 100644 index 00000000..5b13f59a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft @@ -0,0 +1,96 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 256, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 128, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@m", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft new file mode 100644 index 00000000..8037dfa5 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft @@ -0,0 +1,17 @@ +table ip t { + set s { + type ipv4_addr + size 256 + flags dynamic,timeout + } + + set m { + type ipv4_addr + size 128 + flags dynamic + } + + chain c { + tcp dport 80 add @m { ip saddr limit rate 10/second burst 5 packets } + } +} diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft new file mode 100644 index 00000000..d6e46aad --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + "192.168.1.0", + "192.168.1.254" + ] + }, + "192.168.1.255" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft new file mode 100644 index 00000000..1fc76572 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft new file mode 100644 index 00000000..4b6cf03c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "mark", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 35, + 66 + ] + }, + 4919 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft new file mode 100644 index 00000000..f580c381 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type mark + flags interval + elements = { 0x00000023-0x00000042, 0x00001337 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.json-nft b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft new file mode 100644 index 00000000..14a39330 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft @@ -0,0 +1,33 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "192.168.2.196" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.nft b/tests/shell/testcases/sets/dumps/0041interval_0.nft new file mode 100644 index 00000000..222d4d74 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0041interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.2.196 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft new file mode 100644 index 00000000..bc1d4cc2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft @@ -0,0 +1,87 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "set1", + "table": "t", + "type": "ether_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "set2", + "table": "t", + "type": "ether_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + "right": "@set1" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + "set": "@set2", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.nft b/tests/shell/testcases/sets/dumps/0042update_set_0.nft new file mode 100644 index 00000000..56cc875e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.nft @@ -0,0 +1,15 @@ +table ip t { + set set1 { + type ether_addr + } + + set set2 { + type ether_addr + size 65535 + flags dynamic + } + + chain c { + ether daddr @set1 add @set2 { ether daddr counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft new file mode 100644 index 00000000..ffb76e2f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft @@ -0,0 +1,98 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "filter", + "type": [ + "mark", + "inet_service", + "inet_proto" + ], + "handle": 0, + "map": "mark", + "flags": [ + "interval", + "timeout" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "output", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "mark" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "data": "@test" + } + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft new file mode 100644 index 00000000..f2077b91 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft @@ -0,0 +1,11 @@ +table inet filter { + map test { + type mark . inet_service . inet_proto : mark + flags interval,timeout + } + + chain output { + type filter hook output priority filter; policy accept; + meta mark set meta mark . tcp dport . meta l4proto map @test counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft new file mode 100644 index 00000000..92b59c86 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft @@ -0,0 +1,1723 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "s", + "table": "t", + "type": [ + "ipv6_addr", + "ipv6_addr" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 32 + } + }, + { + "range": [ + "2001:db8:20::", + "2001:db8:20::20:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 33 + } + }, + { + "range": [ + "2001:db8:21::", + "2001:db8:21::21:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 34 + } + }, + { + "range": [ + "2001:db8:22::", + "2001:db8:22::22:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 35 + } + }, + { + "range": [ + "2001:db8:23::", + "2001:db8:23::23:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 36 + } + }, + { + "range": [ + "2001:db8:24::", + "2001:db8:24::24:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 37 + } + }, + { + "range": [ + "2001:db8:25::", + "2001:db8:25::25:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 38 + } + }, + { + "range": [ + "2001:db8:26::", + "2001:db8:26::26:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 39 + } + }, + { + "range": [ + "2001:db8:27::", + "2001:db8:27::27:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 40 + } + }, + { + "range": [ + "2001:db8:28::", + "2001:db8:28::28:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 41 + } + }, + { + "range": [ + "2001:db8:29::", + "2001:db8:29::29:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 42 + } + }, + { + "range": [ + "2001:db8:2a::", + "2001:db8:2a::2a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 43 + } + }, + { + "range": [ + "2001:db8:2b::", + "2001:db8:2b::2b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 44 + } + }, + { + "range": [ + "2001:db8:2c::", + "2001:db8:2c::2c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 45 + } + }, + { + "range": [ + "2001:db8:2d::", + "2001:db8:2d::2d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 46 + } + }, + { + "range": [ + "2001:db8:2e::", + "2001:db8:2e::2e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 47 + } + }, + { + "range": [ + "2001:db8:2f::", + "2001:db8:2f::2f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 48 + } + }, + { + "range": [ + "2001:db8:30::", + "2001:db8:30::30:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 49 + } + }, + { + "range": [ + "2001:db8:31::", + "2001:db8:31::31:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 50 + } + }, + { + "range": [ + "2001:db8:32::", + "2001:db8:32::32:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 51 + } + }, + { + "range": [ + "2001:db8:33::", + "2001:db8:33::33:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 52 + } + }, + { + "range": [ + "2001:db8:34::", + "2001:db8:34::34:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 53 + } + }, + { + "range": [ + "2001:db8:35::", + "2001:db8:35::35:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 54 + } + }, + { + "range": [ + "2001:db8:36::", + "2001:db8:36::36:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 55 + } + }, + { + "range": [ + "2001:db8:37::", + "2001:db8:37::37:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 56 + } + }, + { + "range": [ + "2001:db8:38::", + "2001:db8:38::38:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 57 + } + }, + { + "range": [ + "2001:db8:39::", + "2001:db8:39::39:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 58 + } + }, + { + "range": [ + "2001:db8:3a::", + "2001:db8:3a::3a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 59 + } + }, + { + "range": [ + "2001:db8:3b::", + "2001:db8:3b::3b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 60 + } + }, + { + "range": [ + "2001:db8:3c::", + "2001:db8:3c::3c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 61 + } + }, + { + "range": [ + "2001:db8:3d::", + "2001:db8:3d::3d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 62 + } + }, + { + "range": [ + "2001:db8:3e::", + "2001:db8:3e::3e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 63 + } + }, + { + "range": [ + "2001:db8:3f::", + "2001:db8:3f::3f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 64 + } + }, + { + "range": [ + "2001:db8:40::", + "2001:db8:40::40:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 65 + } + }, + { + "range": [ + "2001:db8:41::", + "2001:db8:41::41:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 66 + } + }, + { + "range": [ + "2001:db8:42::", + "2001:db8:42::42:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 67 + } + }, + { + "range": [ + "2001:db8:43::", + "2001:db8:43::43:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 68 + } + }, + { + "range": [ + "2001:db8:44::", + "2001:db8:44::44:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 69 + } + }, + { + "range": [ + "2001:db8:45::", + "2001:db8:45::45:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 70 + } + }, + { + "range": [ + "2001:db8:46::", + "2001:db8:46::46:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 71 + } + }, + { + "range": [ + "2001:db8:47::", + "2001:db8:47::47:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 72 + } + }, + { + "range": [ + "2001:db8:48::", + "2001:db8:48::48:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 73 + } + }, + { + "range": [ + "2001:db8:49::", + "2001:db8:49::49:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 74 + } + }, + { + "range": [ + "2001:db8:4a::", + "2001:db8:4a::4a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 75 + } + }, + { + "range": [ + "2001:db8:4b::", + "2001:db8:4b::4b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 76 + } + }, + { + "range": [ + "2001:db8:4c::", + "2001:db8:4c::4c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 77 + } + }, + { + "range": [ + "2001:db8:4d::", + "2001:db8:4d::4d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 78 + } + }, + { + "range": [ + "2001:db8:4e::", + "2001:db8:4e::4e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 79 + } + }, + { + "range": [ + "2001:db8:4f::", + "2001:db8:4f::4f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 80 + } + }, + { + "range": [ + "2001:db8:50::", + "2001:db8:50::50:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 81 + } + }, + { + "range": [ + "2001:db8:51::", + "2001:db8:51::51:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 82 + } + }, + { + "range": [ + "2001:db8:52::", + "2001:db8:52::52:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 83 + } + }, + { + "range": [ + "2001:db8:53::", + "2001:db8:53::53:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 84 + } + }, + { + "range": [ + "2001:db8:54::", + "2001:db8:54::54:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 85 + } + }, + { + "range": [ + "2001:db8:55::", + "2001:db8:55::55:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 86 + } + }, + { + "range": [ + "2001:db8:56::", + "2001:db8:56::56:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 87 + } + }, + { + "range": [ + "2001:db8:57::", + "2001:db8:57::57:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 88 + } + }, + { + "range": [ + "2001:db8:58::", + "2001:db8:58::58:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 89 + } + }, + { + "range": [ + "2001:db8:59::", + "2001:db8:59::59:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 90 + } + }, + { + "range": [ + "2001:db8:5a::", + "2001:db8:5a::5a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 91 + } + }, + { + "range": [ + "2001:db8:5b::", + "2001:db8:5b::5b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 92 + } + }, + { + "range": [ + "2001:db8:5c::", + "2001:db8:5c::5c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 93 + } + }, + { + "range": [ + "2001:db8:5d::", + "2001:db8:5d::5d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 94 + } + }, + { + "range": [ + "2001:db8:5e::", + "2001:db8:5e::5e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 95 + } + }, + { + "range": [ + "2001:db8:5f::", + "2001:db8:5f::5f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 96 + } + }, + { + "range": [ + "2001:db8:60::", + "2001:db8:60::60:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 97 + } + }, + { + "range": [ + "2001:db8:61::", + "2001:db8:61::61:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 98 + } + }, + { + "range": [ + "2001:db8:62::", + "2001:db8:62::62:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 99 + } + }, + { + "range": [ + "2001:db8:63::", + "2001:db8:63::63:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 100 + } + }, + { + "range": [ + "2001:db8:64::", + "2001:db8:64::64:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 101 + } + }, + { + "range": [ + "2001:db8:65::", + "2001:db8:65::65:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 102 + } + }, + { + "range": [ + "2001:db8:66::", + "2001:db8:66::66:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 103 + } + }, + { + "range": [ + "2001:db8:67::", + "2001:db8:67::67:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 104 + } + }, + { + "range": [ + "2001:db8:68::", + "2001:db8:68::68:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 105 + } + }, + { + "range": [ + "2001:db8:69::", + "2001:db8:69::69:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 106 + } + }, + { + "range": [ + "2001:db8:6a::", + "2001:db8:6a::6a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 107 + } + }, + { + "range": [ + "2001:db8:6b::", + "2001:db8:6b::6b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 108 + } + }, + { + "range": [ + "2001:db8:6c::", + "2001:db8:6c::6c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 109 + } + }, + { + "range": [ + "2001:db8:6d::", + "2001:db8:6d::6d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 110 + } + }, + { + "range": [ + "2001:db8:6e::", + "2001:db8:6e::6e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 111 + } + }, + { + "range": [ + "2001:db8:6f::", + "2001:db8:6f::6f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 112 + } + }, + { + "range": [ + "2001:db8:70::", + "2001:db8:70::70:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 113 + } + }, + { + "range": [ + "2001:db8:71::", + "2001:db8:71::71:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 114 + } + }, + { + "range": [ + "2001:db8:72::", + "2001:db8:72::72:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 115 + } + }, + { + "range": [ + "2001:db8:73::", + "2001:db8:73::73:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 116 + } + }, + { + "range": [ + "2001:db8:74::", + "2001:db8:74::74:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 117 + } + }, + { + "range": [ + "2001:db8:75::", + "2001:db8:75::75:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 118 + } + }, + { + "range": [ + "2001:db8:76::", + "2001:db8:76::76:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 119 + } + }, + { + "range": [ + "2001:db8:77::", + "2001:db8:77::77:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 120 + } + }, + { + "range": [ + "2001:db8:78::", + "2001:db8:78::78:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 121 + } + }, + { + "range": [ + "2001:db8:79::", + "2001:db8:79::79:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 122 + } + }, + { + "range": [ + "2001:db8:7a::", + "2001:db8:7a::7a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 123 + } + }, + { + "range": [ + "2001:db8:7b::", + "2001:db8:7b::7b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 124 + } + }, + { + "range": [ + "2001:db8:7c::", + "2001:db8:7c::7c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 125 + } + }, + { + "range": [ + "2001:db8:7d::", + "2001:db8:7d::7d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 126 + } + }, + { + "range": [ + "2001:db8:7e::", + "2001:db8:7e::7e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 127 + } + }, + { + "range": [ + "2001:db8:7f::", + "2001:db8:7f::7f:1" + ] + } + ] + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 24 + } + }, + { + "range": [ + "192.0.2.72", + "192.0.2.74" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 25 + } + }, + { + "range": [ + "192.0.2.75", + "192.0.2.77" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 26 + } + }, + { + "range": [ + "192.0.2.78", + "192.0.2.80" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 27 + } + }, + { + "range": [ + "192.0.2.81", + "192.0.2.83" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 28 + } + }, + { + "range": [ + "192.0.2.84", + "192.0.2.86" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 29 + } + }, + { + "range": [ + "192.0.2.87", + "192.0.2.89" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 30 + } + }, + { + "range": [ + "192.0.2.90", + "192.0.2.92" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 31 + } + }, + { + "range": [ + "192.0.2.93", + "192.0.2.95" + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft new file mode 100644 index 00000000..19d08d3d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft @@ -0,0 +1,116 @@ +table ip6 t { + set s { + type ipv6_addr . ipv6_addr + flags interval + elements = { 2001:db8::/32 . 2001:db8:20::-2001:db8:20::20:1, + 2001:db8::/33 . 2001:db8:21::-2001:db8:21::21:1, + 2001:db8::/34 . 2001:db8:22::-2001:db8:22::22:1, + 2001:db8::/35 . 2001:db8:23::-2001:db8:23::23:1, + 2001:db8::/36 . 2001:db8:24::-2001:db8:24::24:1, + 2001:db8::/37 . 2001:db8:25::-2001:db8:25::25:1, + 2001:db8::/38 . 2001:db8:26::-2001:db8:26::26:1, + 2001:db8::/39 . 2001:db8:27::-2001:db8:27::27:1, + 2001:db8::/40 . 2001:db8:28::-2001:db8:28::28:1, + 2001:db8::/41 . 2001:db8:29::-2001:db8:29::29:1, + 2001:db8::/42 . 2001:db8:2a::-2001:db8:2a::2a:1, + 2001:db8::/43 . 2001:db8:2b::-2001:db8:2b::2b:1, + 2001:db8::/44 . 2001:db8:2c::-2001:db8:2c::2c:1, + 2001:db8::/45 . 2001:db8:2d::-2001:db8:2d::2d:1, + 2001:db8::/46 . 2001:db8:2e::-2001:db8:2e::2e:1, + 2001:db8::/47 . 2001:db8:2f::-2001:db8:2f::2f:1, + 2001:db8::/48 . 2001:db8:30::-2001:db8:30::30:1, + 2001:db8::/49 . 2001:db8:31::-2001:db8:31::31:1, + 2001:db8::/50 . 2001:db8:32::-2001:db8:32::32:1, + 2001:db8::/51 . 2001:db8:33::-2001:db8:33::33:1, + 2001:db8::/52 . 2001:db8:34::-2001:db8:34::34:1, + 2001:db8::/53 . 2001:db8:35::-2001:db8:35::35:1, + 2001:db8::/54 . 2001:db8:36::-2001:db8:36::36:1, + 2001:db8::/55 . 2001:db8:37::-2001:db8:37::37:1, + 2001:db8::/56 . 2001:db8:38::-2001:db8:38::38:1, + 2001:db8::/57 . 2001:db8:39::-2001:db8:39::39:1, + 2001:db8::/58 . 2001:db8:3a::-2001:db8:3a::3a:1, + 2001:db8::/59 . 2001:db8:3b::-2001:db8:3b::3b:1, + 2001:db8::/60 . 2001:db8:3c::-2001:db8:3c::3c:1, + 2001:db8::/61 . 2001:db8:3d::-2001:db8:3d::3d:1, + 2001:db8::/62 . 2001:db8:3e::-2001:db8:3e::3e:1, + 2001:db8::/63 . 2001:db8:3f::-2001:db8:3f::3f:1, + 2001:db8::/64 . 2001:db8:40::-2001:db8:40::40:1, + 2001:db8::/65 . 2001:db8:41::-2001:db8:41::41:1, + 2001:db8::/66 . 2001:db8:42::-2001:db8:42::42:1, + 2001:db8::/67 . 2001:db8:43::-2001:db8:43::43:1, + 2001:db8::/68 . 2001:db8:44::-2001:db8:44::44:1, + 2001:db8::/69 . 2001:db8:45::-2001:db8:45::45:1, + 2001:db8::/70 . 2001:db8:46::-2001:db8:46::46:1, + 2001:db8::/71 . 2001:db8:47::-2001:db8:47::47:1, + 2001:db8::/72 . 2001:db8:48::-2001:db8:48::48:1, + 2001:db8::/73 . 2001:db8:49::-2001:db8:49::49:1, + 2001:db8::/74 . 2001:db8:4a::-2001:db8:4a::4a:1, + 2001:db8::/75 . 2001:db8:4b::-2001:db8:4b::4b:1, + 2001:db8::/76 . 2001:db8:4c::-2001:db8:4c::4c:1, + 2001:db8::/77 . 2001:db8:4d::-2001:db8:4d::4d:1, + 2001:db8::/78 . 2001:db8:4e::-2001:db8:4e::4e:1, + 2001:db8::/79 . 2001:db8:4f::-2001:db8:4f::4f:1, + 2001:db8::/80 . 2001:db8:50::-2001:db8:50::50:1, + 2001:db8::/81 . 2001:db8:51::-2001:db8:51::51:1, + 2001:db8::/82 . 2001:db8:52::-2001:db8:52::52:1, + 2001:db8::/83 . 2001:db8:53::-2001:db8:53::53:1, + 2001:db8::/84 . 2001:db8:54::-2001:db8:54::54:1, + 2001:db8::/85 . 2001:db8:55::-2001:db8:55::55:1, + 2001:db8::/86 . 2001:db8:56::-2001:db8:56::56:1, + 2001:db8::/87 . 2001:db8:57::-2001:db8:57::57:1, + 2001:db8::/88 . 2001:db8:58::-2001:db8:58::58:1, + 2001:db8::/89 . 2001:db8:59::-2001:db8:59::59:1, + 2001:db8::/90 . 2001:db8:5a::-2001:db8:5a::5a:1, + 2001:db8::/91 . 2001:db8:5b::-2001:db8:5b::5b:1, + 2001:db8::/92 . 2001:db8:5c::-2001:db8:5c::5c:1, + 2001:db8::/93 . 2001:db8:5d::-2001:db8:5d::5d:1, + 2001:db8::/94 . 2001:db8:5e::-2001:db8:5e::5e:1, + 2001:db8::/95 . 2001:db8:5f::-2001:db8:5f::5f:1, + 2001:db8::/96 . 2001:db8:60::-2001:db8:60::60:1, + 2001:db8::/97 . 2001:db8:61::-2001:db8:61::61:1, + 2001:db8::/98 . 2001:db8:62::-2001:db8:62::62:1, + 2001:db8::/99 . 2001:db8:63::-2001:db8:63::63:1, + 2001:db8::/100 . 2001:db8:64::-2001:db8:64::64:1, + 2001:db8::/101 . 2001:db8:65::-2001:db8:65::65:1, + 2001:db8::/102 . 2001:db8:66::-2001:db8:66::66:1, + 2001:db8::/103 . 2001:db8:67::-2001:db8:67::67:1, + 2001:db8::/104 . 2001:db8:68::-2001:db8:68::68:1, + 2001:db8::/105 . 2001:db8:69::-2001:db8:69::69:1, + 2001:db8::/106 . 2001:db8:6a::-2001:db8:6a::6a:1, + 2001:db8::/107 . 2001:db8:6b::-2001:db8:6b::6b:1, + 2001:db8::/108 . 2001:db8:6c::-2001:db8:6c::6c:1, + 2001:db8::/109 . 2001:db8:6d::-2001:db8:6d::6d:1, + 2001:db8::/110 . 2001:db8:6e::-2001:db8:6e::6e:1, + 2001:db8::/111 . 2001:db8:6f::-2001:db8:6f::6f:1, + 2001:db8::/112 . 2001:db8:70::-2001:db8:70::70:1, + 2001:db8::/113 . 2001:db8:71::-2001:db8:71::71:1, + 2001:db8::/114 . 2001:db8:72::-2001:db8:72::72:1, + 2001:db8::/115 . 2001:db8:73::-2001:db8:73::73:1, + 2001:db8::/116 . 2001:db8:74::-2001:db8:74::74:1, + 2001:db8::/117 . 2001:db8:75::-2001:db8:75::75:1, + 2001:db8::/118 . 2001:db8:76::-2001:db8:76::76:1, + 2001:db8::/119 . 2001:db8:77::-2001:db8:77::77:1, + 2001:db8::/120 . 2001:db8:78::-2001:db8:78::78:1, + 2001:db8::/121 . 2001:db8:79::-2001:db8:79::79:1, + 2001:db8::/122 . 2001:db8:7a::-2001:db8:7a::7a:1, + 2001:db8::/123 . 2001:db8:7b::-2001:db8:7b::7b:1, + 2001:db8::/124 . 2001:db8:7c::-2001:db8:7c::7c:1, + 2001:db8::/125 . 2001:db8:7d::-2001:db8:7d::7d:1, + 2001:db8::/126 . 2001:db8:7e::-2001:db8:7e::7e:1, + 2001:db8::/127 . 2001:db8:7f::-2001:db8:7f::7f:1 } + } +} +table ip t { + set s { + type ipv4_addr . ipv4_addr + flags interval + elements = { 192.0.2.0/24 . 192.0.2.72-192.0.2.74, + 192.0.2.0/25 . 192.0.2.75-192.0.2.77, + 192.0.2.0/26 . 192.0.2.78-192.0.2.80, + 192.0.2.0/27 . 192.0.2.81-192.0.2.83, + 192.0.2.0/28 . 192.0.2.84-192.0.2.86, + 192.0.2.0/29 . 192.0.2.87-192.0.2.89, + 192.0.2.0/30 . 192.0.2.90-192.0.2.92, + 192.0.2.0/31 . 192.0.2.93-192.0.2.95 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft new file mode 100644 index 00000000..f4aae383 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft @@ -0,0 +1,529 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + 25, + 30, + 82, + 119, + 349, + 745, + 748, + 1165, + 1233, + 1476, + 1550, + 1562, + 1743, + 1745, + 1882, + 2070, + 2194, + 2238, + 2450, + 2455, + 2642, + 2671, + 2906, + 3093, + 3203, + 3287, + 3348, + 3411, + 3540, + 3892, + 3943, + 4133, + 4205, + 4317, + 4733, + 5095, + 5156, + 5223, + 5230, + 5432, + 5826, + 5828, + 6044, + 6377, + 6388, + 6491, + 6952, + 6986, + 7012, + 7187, + 7300, + 7305, + 7549, + 7664, + 8111, + 8206, + 8396, + 8782, + 8920, + 8981, + 9067, + 9216, + 9245, + 9315, + 9432, + 9587, + 9689, + 9844, + 9991, + 10045, + 10252, + 10328, + 10670, + 10907, + 11021, + 11337, + 11427, + 11497, + 11502, + 11523, + 11552, + 11577, + 11721, + 11943, + 12474, + 12718, + 12764, + 12794, + 12922, + 13186, + 13232, + 13383, + 13431, + 13551, + 13676, + 13685, + 13747, + 13925, + 13935, + 14015, + 14090, + 14320, + 14392, + 14515, + 14647, + 14911, + 15096, + 15105, + 15154, + 15440, + 15583, + 15623, + 15677, + 15710, + 15926, + 15934, + 15960, + 16068, + 16166, + 16486, + 16489, + 16528, + 16646, + 16650, + 16770, + 16882, + 17052, + 17237, + 17387, + 17431, + 17886, + 17939, + 17999, + 18092, + 18123, + 18238, + 18562, + 18698, + 19004, + 19229, + 19237, + 19585, + 19879, + 19938, + 19950, + 19958, + 20031, + 20138, + 20157, + 20205, + 20368, + 20682, + 20687, + 20873, + 20910, + 20919, + 21019, + 21068, + 21115, + 21188, + 21236, + 21319, + 21563, + 21734, + 21806, + 21810, + 21959, + 21982, + 22078, + 22181, + 22308, + 22480, + 22643, + 22854, + 22879, + 22961, + 23397, + 23534, + 23845, + 23893, + 24130, + 24406, + 24794, + 24997, + 25019, + 25143, + 25179, + 25439, + 25603, + 25718, + 25859, + 25949, + 26006, + 26022, + 26047, + 26170, + 26193, + 26725, + 26747, + 26924, + 27023, + 27040, + 27233, + 27344, + 27478, + 27593, + 27600, + 27664, + 27678, + 27818, + 27822, + 28003, + 28038, + 28709, + 28808, + 29010, + 29057, + 29228, + 29485, + 30132, + 30160, + 30415, + 30469, + 30673, + 30736, + 30776, + 30780, + 31450, + 31537, + 31669, + 31839, + 31873, + 32019, + 32229, + 32685, + 32879, + 33318, + 33337, + 33404, + 33517, + 33906, + 34214, + 34346, + 34416, + 34727, + 34848, + 35325, + 35400, + 35451, + 35501, + 35637, + 35653, + 35710, + 35761, + 35767, + 36238, + 36258, + 36279, + 36464, + 36586, + 36603, + 36770, + 36774, + 36805, + 36851, + 37079, + 37189, + 37209, + 37565, + 37570, + 37585, + 37832, + 37931, + 37954, + 38006, + 38015, + 38045, + 38109, + 38114, + 38200, + 38209, + 38214, + 38277, + 38306, + 38402, + 38606, + 38697, + 38960, + 39004, + 39006, + 39197, + 39217, + 39265, + 39319, + 39460, + 39550, + 39615, + 39871, + 39886, + 40088, + 40135, + 40244, + 40323, + 40339, + 40355, + 40385, + 40428, + 40538, + 40791, + 40848, + 40959, + 41003, + 41131, + 41349, + 41643, + 41710, + 41826, + 41904, + 42027, + 42148, + 42235, + 42255, + 42498, + 42680, + 42973, + 43118, + 43135, + 43233, + 43349, + 43411, + 43487, + 43840, + 43843, + 43870, + 44040, + 44204, + 44817, + 44883, + 44894, + 44958, + 45201, + 45259, + 45283, + 45357, + 45423, + 45473, + 45498, + 45519, + 45561, + 45611, + 45627, + 45831, + 46043, + 46105, + 46116, + 46147, + 46169, + 46349, + 47147, + 47252, + 47314, + 47335, + 47360, + 47546, + 47617, + 47648, + 47772, + 47793, + 47846, + 47913, + 47952, + 48095, + 48325, + 48334, + 48412, + 48419, + 48540, + 48569, + 48628, + 48751, + 48944, + 48971, + 49008, + 49025, + 49503, + 49505, + 49613, + 49767, + 49839, + 49925, + 50022, + 50028, + 50238, + 51057, + 51477, + 51617, + 51910, + 52044, + 52482, + 52550, + 52643, + 52832, + 53382, + 53690, + 53809, + 53858, + 54001, + 54198, + 54280, + 54327, + 54376, + 54609, + 54776, + 54983, + 54984, + 55019, + 55038, + 55094, + 55368, + 55737, + 55793, + 55904, + 55941, + 55960, + 55978, + 56063, + 56121, + 56314, + 56505, + 56548, + 56568, + 56696, + 56798, + 56855, + 57102, + 57236, + 57333, + 57334, + 57441, + 57574, + 57659, + 57987, + 58325, + 58404, + 58509, + 58782, + 58876, + 59116, + 59544, + 59685, + 59700, + 59750, + 59799, + 59866, + 59870, + 59894, + 59984, + 60343, + 60481, + 60564, + 60731, + 61075, + 61087, + 61148, + 61174, + 61655, + 61679, + 61691, + 61723, + 61730, + 61758, + 61824, + 62035, + 62056, + 62661, + 62768, + 62946, + 63059, + 63116, + 63338, + 63387, + 63672, + 63719, + 63881, + 63995, + 64197, + 64374, + 64377, + 64472, + 64606, + 64662, + 64777, + 64795, + 64906, + 65049, + 65122, + 65318 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft new file mode 100644 index 00000000..5b249a3e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft @@ -0,0 +1,106 @@ +table ip t { + set s { + type inet_service + flags interval + elements = { 25, 30, 82, 119, 349, + 745, 748, 1165, 1233, 1476, + 1550, 1562, 1743, 1745, 1882, + 2070, 2194, 2238, 2450, 2455, + 2642, 2671, 2906, 3093, 3203, + 3287, 3348, 3411, 3540, 3892, + 3943, 4133, 4205, 4317, 4733, + 5095, 5156, 5223, 5230, 5432, + 5826, 5828, 6044, 6377, 6388, + 6491, 6952, 6986, 7012, 7187, + 7300, 7305, 7549, 7664, 8111, + 8206, 8396, 8782, 8920, 8981, + 9067, 9216, 9245, 9315, 9432, + 9587, 9689, 9844, 9991, 10045, + 10252, 10328, 10670, 10907, 11021, + 11337, 11427, 11497, 11502, 11523, + 11552, 11577, 11721, 11943, 12474, + 12718, 12764, 12794, 12922, 13186, + 13232, 13383, 13431, 13551, 13676, + 13685, 13747, 13925, 13935, 14015, + 14090, 14320, 14392, 14515, 14647, + 14911, 15096, 15105, 15154, 15440, + 15583, 15623, 15677, 15710, 15926, + 15934, 15960, 16068, 16166, 16486, + 16489, 16528, 16646, 16650, 16770, + 16882, 17052, 17237, 17387, 17431, + 17886, 17939, 17999, 18092, 18123, + 18238, 18562, 18698, 19004, 19229, + 19237, 19585, 19879, 19938, 19950, + 19958, 20031, 20138, 20157, 20205, + 20368, 20682, 20687, 20873, 20910, + 20919, 21019, 21068, 21115, 21188, + 21236, 21319, 21563, 21734, 21806, + 21810, 21959, 21982, 22078, 22181, + 22308, 22480, 22643, 22854, 22879, + 22961, 23397, 23534, 23845, 23893, + 24130, 24406, 24794, 24997, 25019, + 25143, 25179, 25439, 25603, 25718, + 25859, 25949, 26006, 26022, 26047, + 26170, 26193, 26725, 26747, 26924, + 27023, 27040, 27233, 27344, 27478, + 27593, 27600, 27664, 27678, 27818, + 27822, 28003, 28038, 28709, 28808, + 29010, 29057, 29228, 29485, 30132, + 30160, 30415, 30469, 30673, 30736, + 30776, 30780, 31450, 31537, 31669, + 31839, 31873, 32019, 32229, 32685, + 32879, 33318, 33337, 33404, 33517, + 33906, 34214, 34346, 34416, 34727, + 34848, 35325, 35400, 35451, 35501, + 35637, 35653, 35710, 35761, 35767, + 36238, 36258, 36279, 36464, 36586, + 36603, 36770, 36774, 36805, 36851, + 37079, 37189, 37209, 37565, 37570, + 37585, 37832, 37931, 37954, 38006, + 38015, 38045, 38109, 38114, 38200, + 38209, 38214, 38277, 38306, 38402, + 38606, 38697, 38960, 39004, 39006, + 39197, 39217, 39265, 39319, 39460, + 39550, 39615, 39871, 39886, 40088, + 40135, 40244, 40323, 40339, 40355, + 40385, 40428, 40538, 40791, 40848, + 40959, 41003, 41131, 41349, 41643, + 41710, 41826, 41904, 42027, 42148, + 42235, 42255, 42498, 42680, 42973, + 43118, 43135, 43233, 43349, 43411, + 43487, 43840, 43843, 43870, 44040, + 44204, 44817, 44883, 44894, 44958, + 45201, 45259, 45283, 45357, 45423, + 45473, 45498, 45519, 45561, 45611, + 45627, 45831, 46043, 46105, 46116, + 46147, 46169, 46349, 47147, 47252, + 47314, 47335, 47360, 47546, 47617, + 47648, 47772, 47793, 47846, 47913, + 47952, 48095, 48325, 48334, 48412, + 48419, 48540, 48569, 48628, 48751, + 48944, 48971, 49008, 49025, 49503, + 49505, 49613, 49767, 49839, 49925, + 50022, 50028, 50238, 51057, 51477, + 51617, 51910, 52044, 52482, 52550, + 52643, 52832, 53382, 53690, 53809, + 53858, 54001, 54198, 54280, 54327, + 54376, 54609, 54776, 54983, 54984, + 55019, 55038, 55094, 55368, 55737, + 55793, 55904, 55941, 55960, 55978, + 56063, 56121, 56314, 56505, 56548, + 56568, 56696, 56798, 56855, 57102, + 57236, 57333, 57334, 57441, 57574, + 57659, 57987, 58325, 58404, 58509, + 58782, 58876, 59116, 59544, 59685, + 59700, 59750, 59799, 59866, 59870, + 59894, 59984, 60343, 60481, 60564, + 60731, 61075, 61087, 61148, 61174, + 61655, 61679, 61691, 61723, 61730, + 61758, 61824, 62035, 62056, 62661, + 62768, 62946, 63059, 63116, 63338, + 63387, 63672, 63719, 63881, 63995, + 64197, 64374, 64377, 64472, 64606, + 64662, 64777, 64795, 64906, 65049, + 65122, 65318 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft new file mode 100644 index 00000000..8473c333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft @@ -0,0 +1,95 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65536, + "flags": [ + "timeout", + "dynamic" + ], + "elem": [ + { + "concat": [ + "192.168.7.1", + 22 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 21 + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 22 + ] + }, + "timeout": 60 + } + }, + "set": "@s" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft new file mode 100644 index 00000000..e548a17a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft @@ -0,0 +1,12 @@ +table inet t { + set s { + type ipv4_addr . inet_service + size 65536 + flags dynamic,timeout + elements = { 192.168.7.1 . 22 } + } + + chain c { + tcp dport 21 add @s { ip saddr . 22 timeout 1m } + } +} diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft new file mode 100644 index 00000000..55f1a2ad --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft @@ -0,0 +1,167 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ], + [ + { + "prefix": { + "addr": "10.141.12.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.3.0", + "len": 24 + } + } + ], + [ + { + "prefix": { + "addr": "10.141.13.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.4.0", + "len": 24 + } + } + ] + ] + } + } + }, + "flags": "netmap", + "type_flags": "prefix" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "2001:db8:1111::", + "len": 64 + } + }, + { + "prefix": { + "addr": "2001:db8:2222::", + "len": 64 + } + } + ] + ] + } + } + }, + "flags": "netmap", + "type_flags": "prefix" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.nft b/tests/shell/testcases/sets/dumps/0046netmap_0.nft new file mode 100644 index 00000000..5ac6b346 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0046netmap_0.nft @@ -0,0 +1,12 @@ +table ip x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.0/24 : 192.168.3.0/24, 10.141.13.0/24 : 192.168.4.0/24 } + } +} +table ip6 x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft new file mode 100644 index 00000000..9fa9fc74 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft @@ -0,0 +1,30 @@ +table ip x { + map y { + type ipv4_addr : interval ipv4_addr + flags interval + elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31, + 10.141.12.0/24 : 192.168.5.10-192.168.5.20 } + } + + chain x { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip to ip saddr map @y + } +} +table inet x { + chain x { + type nat hook prerouting priority dstnat; policy accept; + dnat ip to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 } + } + + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft new file mode 100644 index 00000000..62a6a177 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft @@ -0,0 +1,95 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "192.168.10.35", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "192.168.10.101", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "192.168.10.135", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft new file mode 100644 index 00000000..2145f6b1 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft @@ -0,0 +1,13 @@ +table ip x { + set y { + typeof ip saddr + counter + elements = { 192.168.10.35 counter packets 0 bytes 0, 192.168.10.101 counter packets 0 bytes 0, + 192.168.10.135 counter packets 0 bytes 0 } + } + + chain z { + type filter hook output priority filter; policy accept; + ip daddr @y + } +} diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft new file mode 100644 index 00000000..f8495bab --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft @@ -0,0 +1,94 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "set": { + "family": "inet", + "name": "ip-block-4-test", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 80, + 443 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft new file mode 100644 index 00000000..d654420c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft @@ -0,0 +1,13 @@ +table inet filter { + set ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = { 1.1.1.1 } + } + + chain input { + type filter hook input priority filter; policy drop; + tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.nft b/tests/shell/testcases/sets/dumps/0050set_define_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0050set_define_1.nft diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft new file mode 100644 index 00000000..b468b5f9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft @@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@s" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft new file mode 100644 index 00000000..fd488a76 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft @@ -0,0 +1,13 @@ +table ip x { + set s { + type ipv4_addr + flags interval + counter + elements = { 192.168.2.0/24 counter packets 0 bytes 0 } + } + + chain y { + type filter hook output priority filter; policy accept; + ip daddr @s + } +} diff --git a/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft new file mode 100644 index 00000000..96d5fbcc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "w_all", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + "10.10.10.10", + "10.10.10.253" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0052overlap_0.nft b/tests/shell/testcases/sets/dumps/0052overlap_0.nft new file mode 100644 index 00000000..1cc02ada --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0052overlap_0.nft @@ -0,0 +1,8 @@ +table ip filter { + set w_all { + type ipv4_addr + flags interval + auto-merge + elements = { 10.10.10.10, 10.10.10.253 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.json-nft b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft new file mode 100644 index 00000000..12a5c4b4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft @@ -0,0 +1,101 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "192.168.100.62" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 2001 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft new file mode 100644 index 00000000..bb7c5513 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft @@ -0,0 +1,6 @@ +table inet filter { + chain input { + type filter hook input priority filter; policy drop; + iifname "lo" ip saddr 10.0.0.0/8 ip daddr 192.168.100.62 tcp dport 2001 counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft new file mode 100644 index 00000000..3fd6d37e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft @@ -0,0 +1,45 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "comment": "test", + "flags": [ + "interval" + ] + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "comment": "another test", + "map": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0054comments_set_0.nft b/tests/shell/testcases/sets/dumps/0054comments_set_0.nft new file mode 100644 index 00000000..79299241 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0054comments_set_0.nft @@ -0,0 +1,13 @@ +table ip t { + set s { + type ipv4_addr + flags interval + comment "test" + } + + map m { + type ipv4_addr : ipv4_addr + flags interval + comment "another test" + } +} diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft new file mode 100644 index 00000000..e37139f3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft @@ -0,0 +1,138 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "tcp_good_flags", + "table": "test", + "type": "tcp_flag", + "handle": 0, + "flags": [ + "constant" + ], + "elem": [ + { + "|": [ + "fin", + "ack" + ] + }, + { + "|": [ + "fin", + "ack", + "urg" + ] + }, + { + "|": [ + "fin", + "psh", + "ack" + ] + }, + { + "|": [ + "fin", + "psh", + "ack", + "urg" + ] + }, + "syn", + { + "|": [ + "syn", + "ack" + ] + }, + { + "|": [ + "syn", + "ack", + "urg" + ] + }, + { + "|": [ + "syn", + "psh", + "ack" + ] + }, + { + "|": [ + "syn", + "psh", + "ack", + "urg" + ] + }, + "rst", + { + "|": [ + "rst", + "ack" + ] + }, + { + "|": [ + "rst", + "ack", + "urg" + ] + }, + { + "|": [ + "rst", + "psh", + "ack" + ] + }, + { + "|": [ + "rst", + "psh", + "ack", + "urg" + ] + }, + { + "|": [ + "psh", + "ack" + ] + }, + { + "|": [ + "psh", + "ack", + "urg" + ] + }, + "ack", + { + "|": [ + "ack", + "urg" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft new file mode 100644 index 00000000..22bf5c46 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft @@ -0,0 +1,10 @@ +table ip test { + set tcp_good_flags { + type tcp_flag + flags constant + elements = { fin | ack, fin | ack | urg, fin | psh | ack, fin | psh | ack | urg, syn, + syn | ack, syn | ack | urg, syn | psh | ack, syn | psh | ack | urg, rst, + rst | ack, rst | ack | urg, rst | psh | ack, rst | psh | ack | urg, psh | ack, + psh | ack | urg, ack, ack | urg } + } +} diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft new file mode 100644 index 00000000..79d7257e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "test", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft new file mode 100644 index 00000000..de43d565 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft @@ -0,0 +1,7 @@ +table inet filter { + set test { + type ipv4_addr + size 65535 + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft new file mode 100644 index 00000000..ac8d8bef --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft @@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "ssh_meter", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 2592000 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 2592000 + } + }, + "set": "@ssh_meter" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft new file mode 100644 index 00000000..873adc63 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft @@ -0,0 +1,12 @@ +table inet filter { + set ssh_meter { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 30d + } + + chain test { + add @ssh_meter { ip saddr timeout 30d } + } +} diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft new file mode 100644 index 00000000..16ecdb2a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft @@ -0,0 +1,79 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 3600 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@y", + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + }, + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft new file mode 100644 index 00000000..c1cc3b51 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft @@ -0,0 +1,13 @@ +table ip x { + set y { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 1h + } + + chain z { + type filter hook output priority filter; policy accept; + update @y { ip daddr limit rate 1/second burst 5 packets counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft new file mode 100644 index 00000000..1aede147 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft @@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "4.4.4.4", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "5.5.5.5", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + } + ], + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + }, + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft new file mode 100644 index 00000000..df68fcdf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft @@ -0,0 +1,13 @@ +table ip x { + set y { + type ipv4_addr + limit rate 1/second burst 5 packets counter + elements = { 1.1.1.1 limit rate 1/second burst 5 packets counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second burst 5 packets counter packets 0 bytes 0, + 5.5.5.5 limit rate 1/second burst 5 packets counter packets 0 bytes 0 } + } + + chain y { + type filter hook output priority filter; policy accept; + ip daddr @y + } +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft new file mode 100644 index 00000000..6098dc56 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft @@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "1.2.3.4", + "counter": { + "packets": 9, + "bytes": 756 + } + } + }, + { + "elem": { + "val": "2.2.2.2", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + }, + { + "quota": { + "val": 500, + "val_unit": "bytes" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft new file mode 100644 index 00000000..ac1bd26b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft @@ -0,0 +1,15 @@ +table ip x { + set y { + type ipv4_addr + size 65535 + flags dynamic + counter quota 500 bytes + elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes, + 2.2.2.2 counter packets 0 bytes 0 quota 1000 bytes } + } + + chain y { + type filter hook output priority filter; policy accept; + update @y { ip daddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft new file mode 100644 index 00000000..c5591505 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "range": [ + "1.1.1.1", + "1.1.1.2" + ] + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft new file mode 100644 index 00000000..04361f4c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip saddr { 1.1.1.1-1.1.1.2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft new file mode 100644 index 00000000..c5e60e36 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "est-connlimit", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "new-connlimit", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "stmt": [ + { + "ct count": { + "val": 20, + "inv": true + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft new file mode 100644 index 00000000..13bbb953 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft @@ -0,0 +1,14 @@ +table ip x { + set est-connlimit { + type ipv4_addr + size 65535 + flags dynamic + } + + set new-connlimit { + type ipv4_addr + size 65535 + flags dynamic + ct count over 20 + } +} diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft new file mode 100644 index 00000000..3006f75a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft @@ -0,0 +1,94 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft new file mode 100644 index 00000000..f0d42cc2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft @@ -0,0 +1,14 @@ +table ip x { + set y { + type ipv4_addr + counter + elements = { 1.1.1.1 counter packets 0 bytes 0, * counter packets 0 bytes 0 } + } + + set z { + type ipv4_addr + flags interval + counter + elements = { 1.1.1.0/24 counter packets 0 bytes 0, * counter packets 0 bytes 0 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft new file mode 100644 index 00000000..64dd2667 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft @@ -0,0 +1,220 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "10.141.0.1", + "192.168.0.2" + ], + [ + "*", + "192.168.0.4" + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + "192.168.0.2" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@z" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + "192.168.0.2" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + } + ] + }, + "192.168.0.2" + ], + [ + { + "concat": [ + { + "prefix": { + "addr": "192.168.9.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.10.0", + "len": 24 + } + } + ] + }, + "192.168.0.4" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft new file mode 100644 index 00000000..890ed2aa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft @@ -0,0 +1,18 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.4 } + } + + map z { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 } + } + + chain y { + snat to ip saddr map @z + snat to ip saddr map { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 } + snat to ip saddr . ip daddr map { 10.141.0.0/24 . 10.0.0.0/8 : 192.168.0.2, 192.168.9.0/24 . 192.168.10.0/24 : 192.168.0.4, * : 192.168.0.3 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft new file mode 100644 index 00000000..f470adf3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft @@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "foo", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "id" + } + }, + "right": 42 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft new file mode 100644 index 00000000..461c7a73 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft @@ -0,0 +1,6 @@ +table ip x { + chain foo { + accept + icmp type { echo-reply, echo-request } icmp id 42 + } +} diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft new file mode 100644 index 00000000..9ac3774a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft @@ -0,0 +1,35 @@ +table ip nat { + map ipportmap2 { + type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.0/8 . 42-43 } + } + + map fwdtoip_th { + type ipv4_addr . inet_service : interval ipv4_addr . inet_service + flags interval + elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 } + } + + map ipportmap4 { + typeof iifname . ip saddr : interval ip daddr + flags interval + elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, + "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + + map ipportmap5 { + typeof iifname . ip saddr : interval ip daddr . tcp dport + flags interval + elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, + "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2 + meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th + dnat ip to iifname . ip saddr map @ipportmap4 + meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5 + } +} diff --git a/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft new file mode 100644 index 00000000..b6d07fcd --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft @@ -0,0 +1,12 @@ +table ip nat { + map ipportmap { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr map @ipportmap + } +} diff --git a/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft new file mode 100644 index 00000000..d7b32f8c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + { + "range": [ + "1.2.3.0", + "1.2.4.255" + ] + }, + { + "range": [ + "3.3.3.3", + "3.3.3.6" + ] + }, + { + "range": [ + "4.4.4.0", + "4.4.5.0" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft new file mode 100644 index 00000000..2d4e1706 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft @@ -0,0 +1,9 @@ +table ip x { + set y { + type ipv4_addr + flags interval + auto-merge + elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, + 4.4.4.0-4.4.5.0 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft new file mode 100644 index 00000000..0057e9c6 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft @@ -0,0 +1,28 @@ +table netdev nt { + set vlanidset { + typeof vlan id + size 1024 + flags dynamic,timeout + } + + set macset { + typeof ether saddr . vlan id + size 1024 + flags dynamic,timeout + } + + set ipset { + typeof vlan id . ip saddr + size 1024 + flags dynamic,timeout + } + + chain nc { + update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 + ether saddr . vlan id @macset + vlan pcp 1 + ether saddr 0a:0b:0c:0d:0e:0f vlan id 42 + update @vlanidset { vlan id timeout 5s } counter packets 0 bytes 0 + update @ipset { vlan id . ip saddr timeout 5s } counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft new file mode 100644 index 00000000..6b579a2e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft @@ -0,0 +1,128 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + }, + { + "prefix": { + "addr": "192.0.0.0", + "len": 2 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s2", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe80::", + "len": 10 + } + }, + { + "prefix": { + "addr": "ff00::", + "len": 8 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@s2" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft new file mode 100644 index 00000000..4eed94c2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft @@ -0,0 +1,19 @@ +table inet t { + set s1 { + type ipv4_addr + flags interval + elements = { 10.0.0.0/8, 192.0.0.0/2 } + } + + set s2 { + type ipv6_addr + flags interval + elements = { fe80::/10, + ff00::/8 } + } + + chain c { + ip saddr @s1 accept + ip6 daddr @s2 accept + } +} diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.nft b/tests/shell/testcases/sets/dumps/0072destroy_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0072destroy_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft new file mode 100644 index 00000000..e2fb6214 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "TEST", + "table": "filter", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "inet", + "name": "testmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + "TEST" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft new file mode 100644 index 00000000..e2fb6214 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "TEST", + "table": "filter", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "inet", + "name": "testmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + "TEST" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/automerge_0.nodump b/tests/shell/testcases/sets/dumps/automerge_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/automerge_0.nodump diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft new file mode 100644 index 00000000..c713828d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft @@ -0,0 +1,50 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "a", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "x", + "table": "a", + "type": "inet_service", + "handle": 0, + "elem": [ + 1, + 2 + ] + } + }, + { + "table": { + "family": "ip6", + "name": "a", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "x", + "table": "a", + "type": "inet_service", + "handle": 0, + "elem": [ + 2 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft new file mode 100644 index 00000000..a3244fc6 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft @@ -0,0 +1,12 @@ +table ip a { + set x { + type inet_service + elements = { 1, 2 } + } +} +table ip6 a { + set x { + type inet_service + elements = { 2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft new file mode 100644 index 00000000..d65065e4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft @@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "flags": [ + "interval" + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": [ + "ipv4_addr", + "mark" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.10.10.10", + 256 + ] + }, + { + "concat": [ + "20.20.20.20", + 512 + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.nft b/tests/shell/testcases/sets/dumps/concat_interval_0.nft new file mode 100644 index 00000000..61547c5e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_interval_0.nft @@ -0,0 +1,14 @@ +table ip t { + set s { + type ipv4_addr . inet_proto . inet_service + flags interval + counter + } + + set s2 { + type ipv4_addr . mark + flags interval + elements = { 10.10.10.10 . 0x00000100, + 20.20.20.20 . 0x00000200 } + } +} diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft new file mode 100644 index 00000000..ad8a7cc0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft @@ -0,0 +1,83 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "dlist", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "output", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 1234 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@dlist" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.nft b/tests/shell/testcases/sets/dumps/dynset_missing.nft new file mode 100644 index 00000000..6c8ed323 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/dynset_missing.nft @@ -0,0 +1,12 @@ +table ip test { + set dlist { + type ipv4_addr + size 65535 + flags dynamic + } + + chain output { + type filter hook output priority filter; policy accept; + udp dport 1234 update @dlist { ip daddr } counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump diff --git a/tests/shell/testcases/sets/dumps/errors_0.json-nft b/tests/shell/testcases/sets/dumps/errors_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/errors_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/errors_0.nft b/tests/shell/testcases/sets/dumps/errors_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/errors_0.nft diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft new file mode 100644 index 00000000..958d1e5c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft @@ -0,0 +1,110 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "1.0.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.0.2.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.0.8.0", + "len": 21 + } + }, + { + "prefix": { + "addr": "1.0.32.0", + "len": 19 + } + }, + { + "prefix": { + "addr": "1.1.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.2.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.1.4.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "1.1.8.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.9.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.10.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.1.12.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "1.1.16.0", + "len": 20 + } + }, + { + "prefix": { + "addr": "1.1.32.0", + "len": 19 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft new file mode 100644 index 00000000..c903e3fc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft @@ -0,0 +1,13 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 1.0.1.0/24, 1.0.2.0/23, + 1.0.8.0/21, 1.0.32.0/19, + 1.1.0.0/24, 1.1.2.0/23, + 1.1.4.0/22, 1.1.8.0/24, + 1.1.9.0/24, 1.1.10.0/23, + 1.1.12.0/22, 1.1.16.0/20, + 1.1.32.0/19 } + } +} diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft new file mode 100644 index 00000000..8d84e1cc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft @@ -0,0 +1,207 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "netdev", + "name": "x", + "table": "x", + "type": [ + "ipv4_addr", + "ipv4_addr" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "3.3.3.3", + "4.4.4.4" + ] + } + ] + } + }, + { + "set": { + "family": "netdev", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": "@x" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/inner_0.nft b/tests/shell/testcases/sets/dumps/inner_0.nft new file mode 100644 index 00000000..925ca777 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/inner_0.nft @@ -0,0 +1,18 @@ +table netdev x { + set x { + typeof vxlan ip saddr . vxlan ip daddr + elements = { 3.3.3.3 . 4.4.4.4 } + } + + set y { + typeof vxlan ip saddr + size 65535 + flags dynamic + } + + chain y { + udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter packets 0 bytes 0 + udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter packets 0 bytes 0 + udp dport 4789 update @y { vxlan ip saddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/meter_0.json-nft b/tests/shell/testcases/sets/dumps/meter_0.json-nft new file mode 100644 index 00000000..c318e4f2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_0.json-nft @@ -0,0 +1,203 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "acct_out", + "table": "test", + "type": [ + "iface_index", + "ipv6_addr" + ], + "handle": 0, + "size": 4096, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "ip6", + "name": "acct_out2", + "table": "test", + "type": [ + "ipv6_addr", + "iface_index" + ], + "handle": 0, + "size": 12345, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "meta": { + "key": "iif" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + ] + }, + "timeout": 600 + } + }, + "set": "@acct_out", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "timeout": 600 + } + }, + "set": "@acct_out2", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "xyz", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "size": 8192, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 30 + } + }, + "set": "@xyz", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/meter_0.nft b/tests/shell/testcases/sets/dumps/meter_0.nft new file mode 100644 index 00000000..3843f9a9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_0.nft @@ -0,0 +1,29 @@ +table ip6 test { + set acct_out { + type iface_index . ipv6_addr + size 4096 + flags dynamic,timeout + } + + set acct_out2 { + type ipv6_addr . iface_index + size 12345 + flags dynamic,timeout + } + + chain test { + update @acct_out { iif . ip6 saddr timeout 10m counter } + update @acct_out2 { ip6 saddr . iif timeout 10m counter } + } +} +table ip test { + set xyz { + type ipv4_addr + size 8192 + flags dynamic,timeout + } + + chain test { + update @xyz { ip saddr timeout 30s counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/reset_command_0.nodump b/tests/shell/testcases/sets/dumps/reset_command_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/reset_command_0.nodump diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft new file mode 100644 index 00000000..6f692381 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft @@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "prerouting", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "set_with_interval", + "table": "nat", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "tcp", + "udp" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 443 + } + }, + { + "dnat": { + "addr": "10.0.0.1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.nft b/tests/shell/testcases/sets/dumps/set_eval_0.nft new file mode 100644 index 00000000..a45462b8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_eval_0.nft @@ -0,0 +1,11 @@ +table ip nat { + set set_with_interval { + type ipv4_addr + flags interval + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 + } +} diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft new file mode 100644 index 00000000..ac428429 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft @@ -0,0 +1,551 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "testifsets", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmp", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmpc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "do_nothing", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "simple", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "elem": [ + "abcdef0", + "abcdef1", + "othername" + ] + } + }, + { + "set": { + "family": "inet", + "name": "simple_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "abcdef*", + "othername", + "ppp0" + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + }, + { + "concat": [ + "10.1.2.2", + "abcdef1" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat_wild", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + }, + { + "concat": [ + "10.1.2.1", + "bar" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "1.1.2.0", + "len": 24 + } + }, + "abcdef0" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "12.2.2.0", + "len": 24 + } + }, + "abcdef*" + ] + } + ] + } + }, + { + "map": { + "family": "inet", + "name": "map_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "map": "verdict", + "flags": [ + "interval" + ], + "elem": [ + [ + "abcdef*", + { + "jump": { + "target": "do_nothing" + } + } + ], + [ + "eth0", + { + "jump": { + "target": "do_nothing" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "eth0", + "abcdef0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "abcdef*", + "eth0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": "@map_wild" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "jump": { + "target": "v4icmp" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "goto": { + "target": "v4icmpc" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft new file mode 100644 index 00000000..77a8baf5 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft @@ -0,0 +1,62 @@ +table inet testifsets { + set simple { + type ifname + elements = { "abcdef0", + "abcdef1", + "othername" } + } + + set simple_wild { + type ifname + flags interval + elements = { "abcdef*", + "othername", + "ppp0" } + } + + set concat { + type ipv4_addr . ifname + elements = { 10.1.2.2 . "abcdef0", + 10.1.2.2 . "abcdef1" } + } + + set concat_wild { + type ipv4_addr . ifname + flags interval + elements = { 10.1.2.2 . "abcdef*", + 10.1.2.1 . "bar", + 1.1.2.0/24 . "abcdef0", + 12.2.2.0/24 . "abcdef*" } + } + + map map_wild { + type ifname : verdict + flags interval + elements = { "abcdef*" : jump do_nothing, + "eth0" : jump do_nothing } + } + + chain v4icmp { + iifname @simple counter packets 0 bytes 0 + iifname @simple_wild counter packets 0 bytes 0 + iifname { "eth0", "abcdef0" } counter packets 0 bytes 0 + iifname { "abcdef*", "eth0" } counter packets 0 bytes 0 + iifname vmap @map_wild + } + + chain v4icmpc { + ip saddr . iifname @concat counter packets 0 bytes 0 + ip saddr . iifname @concat_wild counter packets 0 bytes 0 + ip saddr . iifname { 10.1.2.2 . "abcdef0" } counter packets 0 bytes 0 + ip saddr . iifname { 10.1.2.2 . "abcdef*" } counter packets 0 bytes 0 + } + + chain input { + type filter hook input priority filter; policy accept; + ip protocol icmp jump v4icmp + ip protocol icmp goto v4icmpc + } + + chain do_nothing { + } +} diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft new file mode 100644 index 00000000..e22213ea --- /dev/null +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft @@ -0,0 +1,114 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 10800 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "10.180.0.4", + 80 + ] + }, + "set": "@s1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "1.2.3.4", + 80 + ] + }, + "right": "@s1" + } + }, + { + "goto": { + "target": "c1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.nft b/tests/shell/testcases/sets/dumps/type_set_symbol.nft new file mode 100644 index 00000000..21209f6d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.nft @@ -0,0 +1,16 @@ +table ip t { + set s1 { + type ipv4_addr . ipv4_addr . inet_service + size 65535 + flags dynamic,timeout + timeout 3h + } + + chain c1 { + update @s1 { ip saddr . 10.180.0.4 . 80 } + } + + chain c2 { + ip saddr . 1.2.3.4 . 80 @s1 goto c1 + } +} diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft new file mode 100644 index 00000000..4d6abaaa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft @@ -0,0 +1,12 @@ +table inet t { + set y { + typeof ip daddr . @ih,32,32 + elements = { 1.1.1.1 . 0x14, + 2.2.2.2 . 0x20 } + } + + chain y { + ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } + ip daddr . @nh,32,32 @y + } +} diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft index 44e11202..63fc5b14 100644 --- a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft +++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft @@ -9,6 +9,57 @@ table inet t { elements = { 2, 3, 103 } } + set s3 { + typeof meta ibrpvid + elements = { 2, 3, 103 } + } + + set s4 { + typeof frag frag-off + elements = { 1, 1024 } + } + + set s5 { + typeof ip option ra value + elements = { 1, 1024 } + } + + set s6 { + typeof tcp option maxseg size + elements = { 1, 1024 } + } + + set s7 { + typeof sctp chunk init num-inbound-streams + elements = { 1, 4 } + } + + set s8 { + typeof ip version + elements = { 4, 6 } + } + + set s9 { + typeof ip hdrlength + elements = { 0, 1, 2, 3, 4, + 15 } + } + + set s10 { + typeof iifname . ip saddr . ipsec in reqid + elements = { "eth0" . 10.1.1.2 . 42 } + } + + set s11 { + typeof vlan id . ip saddr + elements = { 3567 . 1.2.3.4 } + } + + set s12 { + typeof iifname . ip saddr . meta ipsec + elements = { "eth0" . 10.1.1.2 . exists } + } + chain c1 { osf name @s1 accept } @@ -16,4 +67,40 @@ table inet t { chain c2 { vlan id @s2 accept } + + chain c4 { + frag frag-off @s4 accept + } + + chain c5 { + ip option ra value @s5 accept + } + + chain c6 { + tcp option maxseg size @s6 accept + } + + chain c7 { + sctp chunk init num-inbound-streams @s7 accept + } + + chain c8 { + ip version @s8 accept + } + + chain c9 { + ip hdrlength @s9 accept + } + + chain c10 { + iifname . ip saddr . ipsec in reqid @s10 accept + } + + chain c11 { + vlan id . ip saddr @s11 accept + } + + chain c12 { + iifname . ip saddr . meta ipsec @s12 accept + } } diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft new file mode 100644 index 00000000..89cbc835 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft @@ -0,0 +1,15 @@ +table bridge t { + set nodhcpvlan { + typeof vlan id + elements = { 1 } + } + + chain c1 { + vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2 + vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2 + vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2 + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft new file mode 100644 index 00000000..348b5848 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft @@ -0,0 +1,23 @@ +table netdev t { + set s { + typeof ether saddr . vlan id + size 2048 + flags dynamic,timeout + } + + chain c { + ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return + ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return + } +} +table ip t { + set s { + typeof ipsec in reqid . iif + size 16 + flags interval + } + + chain c2 { + ipsec in reqid . "lo" @s + } +} diff --git a/tests/shell/testcases/sets/dynset_missing b/tests/shell/testcases/sets/dynset_missing new file mode 100755 index 00000000..fdf5f49e --- /dev/null +++ b/tests/shell/testcases/sets/dynset_missing @@ -0,0 +1,32 @@ +#!/bin/bash + +set -e + +$NFT -f /dev/stdin <<EOF +table ip test { + chain output { type filter hook output priority 0; + } +} +EOF + +# misses 'flags dynamic' +$NFT 'add set ip test dlist {type ipv4_addr; }' + +# picks rhash backend because 'size' was also missing. +$NFT 'add rule ip test output udp dport 1234 update @dlist { ip daddr } counter' + +tmpfile=$(mktemp) + +trap "rm -rf $tmpfile" EXIT + +# kernel has forced an 64k upper size, i.e. this restore file +# has 'size 65536' but no 'flags dynamic'. +$NFT list ruleset > $tmpfile + +# this restore works, because set is still the rhash backend. +$NFT -f $tmpfile # success +$NFT flush ruleset + +# fails without commit 'attempt to set_eval flag if dynamic updates requested', +# because set in $tmpfile has 'size x' but no 'flags dynamic'. +$NFT -f $tmpfile diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0 new file mode 100755 index 00000000..7563773e --- /dev/null +++ b/tests/shell/testcases/sets/elem_opts_compat_0 @@ -0,0 +1,31 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +# ordering of element options and expressions has changed, make sure parser +# accepts both ways + +set -e + +$NFT -f - <<EOF +table t { + set s { + type inet_service + counter; + timeout 30s; + } +} +EOF + +check() { + out=$($NFT list ruleset) + secs=$(sed -n 's/.*expires \([0-9]\+\)s.*/\1/p' <<< "$out") + [[ $secs -lt 11 ]] + grep -q 'counter packets 10 bytes 20' <<< "$out" +} + +$NFT add element t s '{ 23 counter packets 10 bytes 20 expires 10s }' +check +$NFT flush set t s +$NFT add element t s '{ 42 expires 10s counter packets 10 bytes 20 }' +check diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0 new file mode 100755 index 00000000..27f65df3 --- /dev/null +++ b/tests/shell/testcases/sets/errors_0 @@ -0,0 +1,69 @@ +#!/bin/bash + +RULESET="table ip x { + set y { + type ipv4_addr + flags interval + } +} + +delete element ip x y { 2.3.4.5 }" + +$NFT -f - <<< $RULESET +if [ $? -eq 0 ] +then + exit 1 +fi + +RULESET="table ip x { + set y { + type ipv4_addr + flags interval + } +} + +add element x y { 1.1.1.1/24 } +delete element x y { 1.1.1.1/24 } +add element x y { 1.1.1.1/24 } +delete element x y { 2.2.2.2/24 }" + +$NFT -f - <<< $RULESET +if [ $? -eq 0 ] +then + exit 1 +fi + +RULESET="flush ruleset +create table inet filter +set inet filter foo {} +add element inet filter foo { foobar }" + +$NFT -f - <<< $RULESET +if [ $? -eq 0 ] +then + exit 1 +fi + +RULESET="table ip x { + map x { + type ifname . ipv4_addr : verdict + elements = { if2 . 10.0.0.2 : jump chain2, + if2 . 192.168.0.0/24 : jump chain2 } + } + + chain chain2 {} +}" + +$NFT -f - <<< $RULESET +if [ $? -eq 0 ] +then + exit 1 +fi + +RULESET="add set inet filter myset { type ipv4_addr; flags interval; auto-merge } +add element inet filter myset { 192.168.0.0/24 } +add element inet filter myset { 192.168.0.2 } +add element inet filter myset { 192.168.1.0/24 } +add element inet filter myset { 192.168.1.100 }" + +$NFT -f - <<< $RULESET || exit 0 diff --git a/tests/shell/testcases/sets/exact_overlap_0 b/tests/shell/testcases/sets/exact_overlap_0 new file mode 100755 index 00000000..1ce9304a --- /dev/null +++ b/tests/shell/testcases/sets/exact_overlap_0 @@ -0,0 +1,22 @@ +#!/bin/bash + +RULESET="add table t +add set t s { type ipv4_addr; flags interval; } +add element t s { 1.0.1.0/24 } +add element t s { 1.0.2.0/23 } +add element t s { 1.0.8.0/21 } +add element t s { 1.0.32.0/19 } +add element t s { 1.1.0.0/24 } +add element t s { 1.1.2.0/23 } +add element t s { 1.1.4.0/22 } +add element t s { 1.1.8.0/24 } +add element t s { 1.1.9.0/24 } +add element t s { 1.1.10.0/23 } +add element t s { 1.1.12.0/22 } +add element t s { 1.1.16.0/20 } +add element t s { 1.1.32.0/19 } +add element t s { 1.0.1.0/24 }" + +$NFT -f - <<< $RULESET || exit 1 + +$NFT add element t s { 1.0.1.0/24 } diff --git a/tests/shell/testcases/sets/inner_0 b/tests/shell/testcases/sets/inner_0 new file mode 100755 index 00000000..39d91bd9 --- /dev/null +++ b/tests/shell/testcases/sets/inner_0 @@ -0,0 +1,27 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inner_matching) + +set -e + +RULESET="table netdev x { + set x { + typeof vxlan ip saddr . vxlan ip daddr + elements = { + 3.3.3.3 . 4.4.4.4, + } + } + + set y { + typeof vxlan ip saddr + flags dynamic + } + + chain y { + udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter + udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter + udp dport 4789 update @y { vxlan ip saddr } + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/meter_0 b/tests/shell/testcases/sets/meter_0 new file mode 100755 index 00000000..82e6f20a --- /dev/null +++ b/tests/shell/testcases/sets/meter_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +set -e + +RULESET="table ip6 test { + chain test { + meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } + meter acct_out2 size 12345 { ip6 saddr . meta iif timeout 600s counter } + } +} + +table ip test { + chain test { + meter xyz size 8192 { ip saddr timeout 30s counter} + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0 new file mode 100755 index 00000000..d38ddb3f --- /dev/null +++ b/tests/shell/testcases/sets/reset_command_0 @@ -0,0 +1,87 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_set) + +set -e + +trap '[[ $? -eq 0 ]] || echo FAIL' EXIT + +RULESET="table t { + set s { + type ipv4_addr . inet_proto . inet_service + flags interval, timeout + counter + timeout 30m + elements = { + 1.0.0.1 . udp . 53 counter packets 5 bytes 30 expires 20m, + 2.0.0.2 . tcp . 22 counter packets 10 bytes 100 timeout 15m expires 10m + } + } + map m { + type ipv4_addr : ipv4_addr + quota 50 bytes + elements = { + 1.2.3.4 quota 50 bytes used 10 bytes : 10.2.3.4, + 5.6.7.8 quota 100 bytes used 50 bytes : 50.6.7.8 + } + } +}" + +echo -n "applying test ruleset: " +$NFT -f - <<< "$RULESET" +echo OK + +drop_seconds() { + sed 's/[0-9]\+m\?s//g' +} +expires_minutes() { + sed -n 's/.*expires \([0-9]*\)m.*/\1/p' +} + +echo -n "get set elem matches reset set elem: " +elem='element t s { 1.0.0.1 . udp . 53 }' +[[ $($NFT "get $elem ; reset $elem" | \ + grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]] +echo OK + +echo -n "counters are reset, expiry left alone: " +NEW=$($NFT "get $elem") +grep -q 'counter packets 0 bytes 0' <<< "$NEW" +[[ $(expires_minutes <<< "$NEW") -lt 20 ]] +echo OK + +echo -n "get map elem matches reset map elem: " +elem='element t m { 1.2.3.4 }' +[[ $($NFT "get $elem ; reset $elem" | \ + grep 'elements = ' | uniq | wc -l) == 1 ]] +echo OK + +echo -n "quota value is reset: " +$NFT get element t m '{ 1.2.3.4 }' | grep -q 'quota 50 bytes : 10.2.3.4' +echo OK + +echo -n "other elements remain the same: " +OUT=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }') +grep -q 'counter packets 10 bytes 100 timeout 15m' <<< "$OUT" +VAL=$(expires_minutes <<< "$OUT") +[[ $val -lt 10 ]] +$NFT get element t m '{ 5.6.7.8 }' | grep -q 'quota 100 bytes used 50 bytes' +echo OK + +echo -n "list set matches reset set: " +EXP=$($NFT list set t s | drop_seconds) +OUT=$($NFT reset set t s | drop_seconds) +$DIFF -u <(echo "$EXP") <(echo "$OUT") +echo OK + +echo -n "list map matches reset map: " +EXP=$($NFT list map t m) +OUT=$($NFT reset map t m) +$DIFF -u <(echo "$EXP") <(echo "$OUT") +echo OK + +echo -n "remaining elements are reset: " +OUT=$($NFT list ruleset) +grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT" +grep -q '5.6.7.8 quota 100 bytes : 50.6.7.8' <<< "$OUT" +echo OK diff --git a/tests/shell/testcases/sets/set_eval_0 b/tests/shell/testcases/sets/set_eval_0 new file mode 100755 index 00000000..82b6d3bc --- /dev/null +++ b/tests/shell/testcases/sets/set_eval_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +set -e + +RULESET="table ip nat { + set set_with_interval { + type ipv4_addr + flags interval + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/sets_with_ifnames b/tests/shell/testcases/sets/sets_with_ifnames new file mode 100755 index 00000000..a4bc5072 --- /dev/null +++ b/tests/shell/testcases/sets/sets_with_ifnames @@ -0,0 +1,152 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +[ -z "$NFT" ] && exit 111 + +$NFT -f "$dumpfile" || exit 1 + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1ifname-$rnd" +ns2="nft2ifname-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +# check a given element is (not) present in the set. +lookup_elem() +{ + local setname=$1 + local value=$2 + local fail=$3 + local expect_result=$4 + local msg=$5 + + result=$(ip netns exec "$ns1" $NFT get element inet testifsets $setname { "$value" } 2>/dev/null | grep "$expect_result" ) + + if [ -z "$result" ] && [ $fail -ne 1 ] ; then + echo "empty result, expected $expect_result $msg" + ip netns exec "$ns1" $NFT get element inet testifsets $setname { "$value" } + exit 1 + fi +} + +check_elem_get() +{ + local setname=$1 + local value=$2 + local fail=$3 + local expect_result=$4 + + # when query is 'abcde', and set has 'abc*', result is + # 'abc*', not 'abcde', so returned element can be different. + if [ -z "$expect_result" ]; then + expect_result=$ifname + fi + + lookup_elem "$setname" "$value" "$fail" "$expect_result" "" +} + +# same, but also delete and re-add the element. +check_elem() +{ + local setname=$1 + local value=$2 + + lookup_elem "$setname" "$value" "0" "$value" "initial check" + + ip netns exec "$ns1" $NFT delete element inet testifsets $setname { "$value" } + if [ $? -ne 0 ]; then + ip netns exec "$ns1" $NFT list ruleset + echo "delete element $setname { $value } failed" + exit 1 + fi + + ip netns exec "$ns1" $NFT add element inet testifsets $setname { "$value" } + + lookup_elem "$setname" "$value" "0" "$value" "check after add/del" +} + +# send pings, check all rules with sets that contain abcdef1 match. +# there are 4 rules in this chain, 4 should match. +check_matching_icmp_ppp() +{ + pkt=$((RANDOM%10)) + pkt=$((pkt+1)) + ip netns exec "$ns1" ping -f -c $pkt 10.1.2.2 + + # replies should arrive via 'abcdeg', so, should NOT increment any counters. + ip netns exec "$ns1" ping -f -c 100 10.2.2.2 + + matches=$(ip netns exec "$ns1" $NFT list chain inet testifsets v4icmp | grep "counter packets $pkt " | wc -l) + want=3 + + if [ "$matches" -ne $want ] ;then + ip netns exec "$ns1" $NFT list ruleset + echo "Expected $want matching rules, got $matches, packets $pkt in v4icmp" + exit 1 + fi + + # same, for concat set type. + + matches=$(ip netns exec "$ns1" $NFT list chain inet testifsets v4icmpc | grep "counter packets $pkt " | wc -l) + + if [ "$matches" -ne $want ] ;then + ip netns exec "$ns1" $NFT list ruleset + echo "Expected $want matching rules, got $matches, packets $pkt in v4icmpc" + exit 1 + fi +} + +ip netns add "$ns1" || exit 111 +ip netns add "$ns2" || exit 111 +ip netns exec "$ns1" $NFT -f "$dumpfile" || exit 3 + +for n in abcdef0 abcdef1 othername;do + check_elem simple $n +done + +check_elem_get simple foo 1 + +for n in ppp0 othername;do + check_elem simple_wild $n +done + +check_elem_get simple_wild enoent 1 +check_elem simple_wild ppp0 +check_elem_get simple_wild abcdefghijk 0 'abcdef\*' + +check_elem_get concat '1.2.3.4 . "enoent"' 1 +check_elem_get concat '10.1.2.2 . "abcdef"' 1 +check_elem_get concat '10.1.2.1 . "abcdef1"' 1 + +check_elem concat '10.1.2.2 . "abcdef0"' +check_elem concat '10.1.2.2 . "abcdef1"' + +set -e +ip -net "$ns1" link set lo up +ip -net "$ns2" link set lo up +ip netns exec "$ns1" ping -f -c 10 127.0.0.1 + +ip link add abcdef1 netns $ns1 type veth peer name veth0 netns $ns2 +ip link add abcdeg netns $ns1 type veth peer name veth1 netns $ns2 + +ip -net "$ns1" link set abcdef1 up +ip -net "$ns2" link set veth0 up +ip -net "$ns1" link set abcdeg up +ip -net "$ns2" link set veth1 up + +ip -net "$ns1" addr add 10.1.2.1/24 dev abcdef1 +ip -net "$ns1" addr add 10.2.2.1/24 dev abcdeg + +ip -net "$ns2" addr add 10.1.2.2/24 dev veth0 +ip -net "$ns2" addr add 10.2.2.2/24 dev veth1 + +check_matching_icmp_ppp diff --git a/tests/shell/testcases/sets/type_set_symbol b/tests/shell/testcases/sets/type_set_symbol new file mode 100755 index 00000000..07820b7c --- /dev/null +++ b/tests/shell/testcases/sets/type_set_symbol @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/typeof_raw_0 b/tests/shell/testcases/sets/typeof_raw_0 new file mode 100755 index 00000000..66042eb4 --- /dev/null +++ b/tests/shell/testcases/sets/typeof_raw_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +EXPECTED="table inet t { + set y { + typeof ip daddr . @ih,32,32 + elements = { 1.1.1.1 . 0x14, 2.2.2.2 . 0x20} + } + + chain y { + ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } + ip daddr . @nh,32,32 @y + } +}" + +set -e +$NFT -f - <<< $EXPECTED + diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0 index 2a8b21c7..016227da 100755 --- a/tests/shell/testcases/sets/typeof_sets_0 +++ b/tests/shell/testcases/sets/typeof_sets_0 @@ -4,26 +4,240 @@ # s1 and s2 are identical, they just use different # ways for declaration. -EXPECTED="table inet t { +set -e + +die() { + printf '%s\n' "$*" + exit 1 +} + +INPUT_OSF_SET=" set s1 { typeof osf name elements = { \"Linux\" } } +" + +INPUT_FRAG_SET=" + set s4 { + typeof frag frag-off + elements = { 1, 1024 } + } +" + +INPUT_VERSION_SET=" + set s8 { + typeof ip version + elements = { 4, 6 } + } +" + +INPUT_OSF_CHAIN=" + chain c1 { + osf name @s1 accept + } +" + +INPUT_FRAG_CHAIN=" + chain c4 { + frag frag-off @s4 accept + } +" + +INPUT_SCTP_CHAIN=" + chain c7 { + sctp chunk init num-inbound-streams @s7 accept + } +" +INPUT_VERSION_CHAIN=" + chain c8 { + ip version @s8 accept + } +" + +if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then + INPUT_SCTP_CHAIN= +fi + +if [ "$NFT_TEST_HAVE_bitshift" = n ] ; then + INPUT_FRAG_CHAIN= + INPUT_VERSION_CHAIN= +fi +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + if [ "$((RANDOM % 2))" -eq 1 ] ; then + # Regardless of $NFT_TEST_HAVE_osf, we can define the set. + # Randomly do so. + INPUT_OSF_SET= + fi + INPUT_OSF_CHAIN= +fi + +INPUT="table inet t {$INPUT_OSF_SET set s2 { typeof vlan id elements = { 2, 3, 103 } } - chain c1 { - osf name @s1 accept + set s3 { + typeof meta ibrpvid + elements = { 2, 3, 103 } + }$INPUT_FRAG_SET + + set s5 { + typeof ip option ra value + elements = { 1, 1024 } + } + + set s6 { + typeof tcp option maxseg size + elements = { 1, 1024 } + } + + set s7 { + typeof sctp chunk init num-inbound-streams + elements = { 1, 4 } + }$INPUT_VERSION_SET + + set s9 { + typeof ip hdrlength + elements = { 0, 1, 2, 3, 4, 15 } + } + + set s10 { + typeof meta iifname . ip saddr . ipsec in reqid + elements = { \"eth0\" . 10.1.1.2 . 42 } } + set s11 { + typeof vlan id . ip saddr + elements = { 3567 . 1.2.3.4 } + } + set s12 { + typeof meta iifname . ip saddr . meta ipsec + elements = { \"eth0\" . 10.1.1.2 . 1 } + } +$INPUT_OSF_CHAIN chain c2 { ether type vlan vlan id @s2 accept } +$INPUT_FRAG_CHAIN + chain c5 { + ip option ra value @s5 accept + } + + chain c6 { + tcp option maxseg size @s6 accept + } +$INPUT_SCTP_CHAIN +$INPUT_VERSION_CHAIN + chain c9 { + ip hdrlength @s9 accept + } + + chain c10 { + meta iifname . ip saddr . ipsec in reqid @s10 accept + } + + chain c11 { + ether type vlan vlan id . ip saddr @s11 accept + } + + chain c12 { + meta iifname . ip saddr . meta ipsec @s12 accept + } }" -set -e -$NFT -f - <<< $EXPECTED +EXPECTED="table inet t {$INPUT_OSF_SET + set s2 { + typeof vlan id + elements = { 2, 3, 103 } + } + + set s3 { + typeof meta ibrpvid + elements = { 2, 3, 103 } + } +$INPUT_FRAG_SET + set s5 { + typeof ip option ra value + elements = { 1, 1024 } + } + + set s6 { + typeof tcp option maxseg size + elements = { 1, 1024 } + } + + set s7 { + typeof sctp chunk init num-inbound-streams + elements = { 1, 4 } + } +$INPUT_VERSION_SET + set s9 { + typeof ip hdrlength + elements = { 0, 1, 2, 3, 4, + 15 } + } + + set s10 { + typeof iifname . ip saddr . ipsec in reqid + elements = { \"eth0\" . 10.1.1.2 . 42 } + } + + set s11 { + typeof vlan id . ip saddr + elements = { 3567 . 1.2.3.4 } + } + + set s12 { + typeof iifname . ip saddr . meta ipsec + elements = { \"eth0\" . 10.1.1.2 . exists } + } +$INPUT_OSF_CHAIN + chain c2 { + vlan id @s2 accept + } +$INPUT_FRAG_CHAIN + chain c5 { + ip option ra value @s5 accept + } + + chain c6 { + tcp option maxseg size @s6 accept + } +$INPUT_SCTP_CHAIN$INPUT_VERSION_CHAIN + chain c9 { + ip hdrlength @s9 accept + } + + chain c10 { + iifname . ip saddr . ipsec in reqid @s10 accept + } + + chain c11 { + vlan id . ip saddr @s11 accept + } + + chain c12 { + iifname . ip saddr . meta ipsec @s12 accept + } +}" + + +$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<" + +$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<" +if [ "$NFT_TEST_HAVE_bitshift" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_bitshift=n. Skip" + exit 77 +fi +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip" + exit 77 +fi +if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_sctp_chunks=n. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/sets/typeof_sets_1 b/tests/shell/testcases/sets/typeof_sets_1 new file mode 100755 index 00000000..e520270c --- /dev/null +++ b/tests/shell/testcases/sets/typeof_sets_1 @@ -0,0 +1,22 @@ +#!/bin/bash + +# regression test for corner case in netlink_delinearize + +EXPECTED="table bridge t { + set nodhcpvlan { + typeof vlan id + elements = { 1 } + } + + chain c1 { + vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2 + vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2 + vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2 + } + + chain c2 { + } +}" + +set -e +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat new file mode 100755 index 00000000..34465f1d --- /dev/null +++ b/tests/shell/testcases/sets/typeof_sets_concat @@ -0,0 +1,8 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/transactions/0002table_0 b/tests/shell/testcases/transactions/0002table_0 index 246b1092..c5f31a6f 100755 --- a/tests/shell/testcases/transactions/0002table_0 +++ b/tests/shell/testcases/transactions/0002table_0 @@ -5,6 +5,7 @@ set -e RULESET="add table x delete table x add table x +add chain x y { type nat hook prerouting priority 0; policy accept; } add table x { flags dormant; }" $NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/transactions/0049huge_0 b/tests/shell/testcases/transactions/0049huge_0 index 684d27a1..f66953c2 100755 --- a/tests/shell/testcases/transactions/0049huge_0 +++ b/tests/shell/testcases/transactions/0049huge_0 @@ -7,6 +7,15 @@ $NFT add table inet test $NFT add chain inet test c RULE_COUNT=3000 + +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/rmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + RULE_COUNT=500 +fi + RULESET=$( for ((i = 0; i < ${RULE_COUNT}; i++)); do echo "add rule inet test c accept comment rule$i" @@ -28,7 +37,10 @@ done echo '{"add": {"rule": {"family": "inet", "table": "test", "chain": "c", "expr": [{"accept": null}], "comment": "rule'$((${RULE_COUNT} - 1))'"}}}' echo ']}' ) -test $($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\)/\n\1/g' |grep '"handle"' |wc -l) -eq ${RULE_COUNT} || exit 1 + +if [ "$NFT_TEST_HAVE_json" != n ]; then + test $($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\)/\n\1/g' |grep '"handle"' |wc -l) -eq ${RULE_COUNT} || exit 1 +fi # Now an example from firewalld's testsuite # @@ -38,4 +50,18 @@ RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING", "type": "filter", "hook": "prerouting", "prio": -290}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"jump": {"target": "raw_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PREROUTING", "type": "filter", "hook": "prerouting", "prio": -140}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING", "expr": [{"jump": {"target": "mangle_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING", "expr": [{"jump": {"target": "nat_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POSTROUTING", "type": "nat", "hook": "postrouting", "prio": 110}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POSTROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING", "expr": [{"jump": {"target": "nat_POSTROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING", "expr": [{"jump": {"target": "nat_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POSTROUTING", "type": "nat", "hook": "postrouting", "prio": 110}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POSTROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING", "expr": [{"jump": {"target": "nat_POSTROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT", "type": "filter", "hook": "input", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD", "type": "filter", "hook": "forward", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_OUTPUT", "type": "filter", "hook": "output", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "status"}}, "op": "in", "right": "dnat"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"jump": {"target": "filter_INPUT_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["invalid"]}}}, {"drop": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD_IN_ZONES"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD_OUT_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "status"}}, "op": "in", "right": "dnat"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"jump": {"target": "filter_FORWARD_IN_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"jump": {"target": "filter_FORWARD_OUT_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["invalid"]}}}, {"drop": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_OUTPUT", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"match": {"left": {"meta": {"key": "nfproto"}}, "op": "==", "right": "ipv6"}}, {"match": {"left": {"fib": {"flags": ["saddr", "iif"], "result": "oif"}}, "op": "==", "right": false}}, {"drop": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"match": {"left": {"payload": {"protocol": "icmpv6", "field": "type"}}, "op": "==", "right": {"set": ["nd-router-advert", "nd-neighbor-solicit"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_OUTPUT", "index": 0, "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"set": [{"prefix": {"addr": "::0.0.0.0", "len": 96}}, {"prefix": {"addr": "::ffff:0.0.0.0", "len": 96}}, {"prefix": {"addr": "2002:0000::", "len": 24}}, {"prefix": {"addr": "2002:0a00::", "len": 24}}, {"prefix": {"addr": "2002:7f00::", "len": 24}}, {"prefix": {"addr": "2002:ac10::", "len": 28}}, {"prefix": {"addr": "2002:c0a8::", "len": 32}}, {"prefix": {"addr": "2002:a9fe::", "len": 32}}, {"prefix": {"addr": "2002:e000::", "len": 19}}]}}}, {"reject": {"type": "icmpv6", "expr": "addr-unreachable"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "index": 2, "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"set": [{"prefix": {"addr": "::0.0.0.0", "len": 96}}, {"prefix": {"addr": "::ffff:0.0.0.0", "len": 96}}, {"prefix": {"addr": "2002:0000::", "len": 24}}, {"prefix": {"addr": "2002:0a00::", "len": 24}}, {"prefix": {"addr": "2002:7f00::", "len": 24}}, {"prefix": {"addr": "2002:ac10::", "len": 28}}, {"prefix": {"addr": "2002:c0a8::", "len": 32}}, {"prefix": {"addr": "2002:a9fe::", "len": 32}}, {"prefix": {"addr": "2002:e000::", "len": 19}}]}}}, {"reject": {"type": "icmpv6", "expr": "addr-unreachable"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"goto": {"target": "raw_PRE_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"goto": {"target": "mangle_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"goto": {"target": "nat_POST_public"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"goto": {"target": "nat_POST_public"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"goto": {"target": "filter_IN_public"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"goto": {"target": "filter_FWDI_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"goto": {"target": "filter_FWDO_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "raw_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "mangle_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_PRE_trusted"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_POST_trusted"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_POST_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_IN_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_FWDI_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_FWDO_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "raw_PRE_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "mangle_PRE_work"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_PRE_work"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_PRE_work"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_POST_work"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_POST_work"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_IN_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_FWDI_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_FWDO_work"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}]}' -test -z "$($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\|{"insert":\)/\n\1/g' |grep '\({"add":\|{"insert":\)' | grep -v '"handle"')" +if [ "$NFT_TEST_HAVE_json" != n ]; then + test -z "$($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\|{"insert":\)/\n\1/g' |grep '\({"add":\|{"insert":\)' | grep -v '"handle"')" +fi + +if [ "$NFT_TEST_HAVE_json" = n ]; then + echo "Test partially skipped due to missing JSON support." + exit 77 +fi + +if [ "$RULE_COUNT" != 3000 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/rmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/transactions/0051map_0 b/tests/shell/testcases/transactions/0051map_0 new file mode 100755 index 00000000..9ea5cd4c --- /dev/null +++ b/tests/shell/testcases/transactions/0051map_0 @@ -0,0 +1,122 @@ +#!/bin/bash + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1trans-$rnd" + +# +# dependency tracking for implicit set +# +RULESET="table ip x { + chain w {} + chain m {} + + chain y { + ip saddr vmap { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m } + } +}" + +$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT -f - <<< "$RULESET" >/dev/null || exit 0 +ip netns add $ns1 +ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0 +ip netns del $ns1 + +RULESET="flush chain ip x y +delete chain ip x w" + +$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT -f - <<< "$RULESET" >/dev/null || exit 0 + +# +# dependency tracking for map in implicit chain +# +RULESET="table ip x { + chain w {} + chain m {} + + chain y { + meta iifname \"eno1\" jump { + ip saddr vmap { 1.1.1.1 : jump w, 3.3.3.3 : goto m } + } + } +}" + +$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT -f - <<< "$RULESET" >/dev/null || exit 0 +ip netns add $ns1 +ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0 +ip netns del $ns1 + +RULESET="flush chain ip x y +delete chain ip x w" + +$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT -f - <<< "$RULESET" >/dev/null || exit 0 + +# +# dependency tracking for explicit map +# +RULESET="table ip x { + chain w {} + chain m {} + + map y { + type ipv4_addr : verdict + elements = { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m } + } +}" + +$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT -f - <<< "$RULESET" >/dev/null || exit 0 +ip netns add $ns1 +ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0 +ip netns del $ns1 + +RULESET="delete set ip x y +delete chain ip x w" + +$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT -f - <<< "$RULESET" >/dev/null || exit 0 + +# +# error path for implicit set +# +RULESET="table inet filter { + chain w { + jump z + } + chain z { + jump w + } + + chain test { + ip protocol { tcp, udp } ip saddr vmap { 1.1.1.1 : jump z } counter flow add @nonexisting + ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter + } +}" + +$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT -f - <<< "$RULESET" >/dev/null || exit 0 + +# +# error path for implicit set +# +RULESET="table inet filter { + chain w { + jump z + } + chain z { + jump w + } + + chain test { + ip protocol { tcp, udp } jump { + ip saddr vmap { 1.1.1.1 : jump z } + } + ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter + } +}" + +$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT -f - <<< "$RULESET" >/dev/null || exit 0 +$NFT flush table inet filter || exit 0 diff --git a/tests/shell/testcases/transactions/30s-stress b/tests/shell/testcases/transactions/30s-stress new file mode 100755 index 00000000..e92b9226 --- /dev/null +++ b/tests/shell/testcases/transactions/30s-stress @@ -0,0 +1,683 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +runtime=30 + +# allow stand-alone execution as well, e.g. '$0 3600' +if [ x"$1" != "x" ] ;then + if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ]; then + NFT_TEST_HAVE_chain_binding=y + fi + if [ -z "${NFT_TEST_HAVE_pipapo+x}" ]; then + NFT_TEST_HAVE_pipapo=y + fi + echo "running standalone with:" + echo "NFT_TEST_HAVE_chain_binding="$NFT_TEST_HAVE_chain_binding + echo "NFT_TEST_HAVE_pipapo="$NFT_TEST_HAVE_pipapo + if [ $1 -ge 0 ]; then + runtime="$1" + else + echo "Invalid runtime $1" + exit 1 + fi +fi + +if [ x = x"$NFT" ] ; then + NFT=nft +fi + +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Skip it. You may ensure that the limits are suitable and rerun + # with NFT_TEST_HAS_SOCKET_LIMITS=n. + exit 77 +fi + +if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ] ; then + NFT_TEST_HAVE_chain_binding=n + mydir="$(dirname "$0")" + $NFT --check -f "$mydir/../../features/chain_binding.nft" + if [ $? -eq 0 ];then + NFT_TEST_HAVE_chain_binding=y + else + echo "Assuming anonymous chains are not supported" + fi +fi + +if [ "$NFT_TEST_HAVE_pipapo" != y ] ;then + echo "Skipping pipapo set backend, kernel does not support it" +fi + +testns=testns-$(mktemp -u "XXXXXXXX") +tmp="" + +faultname="/proc/self/make-it-fail" +tables="foo bar" + +failslab_defaults() { + test -w $faultname || return + + # Disable fault injection unless process has 'make-it-fail' set + echo Y > /sys/kernel/debug/failslab/task-filter + + # allow all slabs to fail (if process is tagged). + find /sys/kernel/slab/ -wholename '*/kmalloc-[0-9]*/failslab' -type f -exec sh -c 'echo 1 > {}' \; + + # no limit on the number of failures, or clause works around old kernels that reject negative integer. + echo -1 > /sys/kernel/debug/failslab/times 2>/dev/null || printf '%#x -1' > /sys/kernel/debug/failslab/times + + # Set to 2 for full dmesg traces for each injected error + echo 0 > /sys/kernel/debug/failslab/verbose +} + +failslab_random() +{ + r=$((RANDOM%2)) + + if [ $r -eq 0 ]; then + echo Y > /sys/kernel/debug/failslab/ignore-gfp-wait + else + echo N > /sys/kernel/debug/failslab/ignore-gfp-wait + fi + + r=$((RANDOM%5)) + echo $r > /sys/kernel/debug/failslab/probability + r=$((RANDOM%100)) + echo $r > /sys/kernel/debug/failslab/interval + + # allow a small initial 'success budget'. + # failures only appear after this many allocated bytes. + r=$((RANDOM%16384)) + echo $r > /sys/kernel/debug/$FAILTYPE/space +} + +netns_del() { + ip netns pids "$testns" | xargs kill 2>/dev/null + ip netns del "$testns" +} + +netns_add() +{ + ip netns add "$testns" + ip -netns "$testns" link set lo up +} + +cleanup() { + [ "$tmp" = "" ] || rm -f "$tmp" + netns_del +} + +nft_with_fault_inject() +{ + file="$1" + + if [ -w "$faultname" ]; then + failslab_random + + ip netns exec "$testns" bash -c "echo 1 > $faultname ; exec $NFT -f $file" + fi + + ip netns exec "$testns" $NFT -f "$file" +} + +trap cleanup EXIT +tmp=$(mktemp) + +jump_or_goto() +{ + if [ $((RANDOM & 1)) -eq 0 ] ;then + echo -n "jump" + else + echo -n "goto" + fi +} + +random_verdict() +{ + max="$1" + + if [ $max -eq 0 ]; then + max=1 + fi + + rnd=$((RANDOM%max)) + + if [ $rnd -gt 0 ];then + jump_or_goto + printf " chain%03u" "$((rnd+1))" + return + fi + + if [ $((RANDOM & 1)) -eq 0 ] ;then + echo "accept" + else + echo "drop" + fi +} + +randsleep() +{ + local s=$((RANDOM%1)) + local ms=$((RANDOM%1000)) + sleep $s.$ms +} + +randlist() +{ + while [ -r $tmp ]; do + randsleep + ip netns exec $testns $NFT list ruleset > /dev/null + done +} + +randflush() +{ + while [ -r $tmp ]; do + randsleep + ip netns exec $testns $NFT flush ruleset > /dev/null + done +} + +randdeltable() +{ + while [ -r $tmp ]; do + randsleep + for t in $tables; do + r=$((RANDOM%10)) + + if [ $r -eq 1 ] ;then + ip netns exec $testns $NFT delete table inet $t + randsleep + fi + done + done +} + +randdelset() +{ + while [ -r $tmp ]; do + randsleep + for t in $tables; do + r=$((RANDOM%10)) + s=$((RANDOM%10)) + + case $r in + 0) + setname=set_$s + ;; + 1) + setname=sett${s} + ;; + 2) + setname=dmap_${s} + ;; + 3) + setname=dmapt${s} + ;; + 4) + setname=vmap_${s} + ;; + 5) + setname=vmapt${s} + ;; + *) + continue + ;; + esac + + if [ $r -eq 1 ] ;then + ip netns exec $testns $NFT delete set inet $t $setname + fi + done + done +} + +randdelchain() +{ + while [ -r $tmp ]; do + for t in $tables; do + local c=$((RANDOM%100)) + randsleep + chain=$(printf "chain%03u" "$c") + + local r=$((RANDOM%10)) + if [ $r -eq 1 ];then + # chain can be invalid/unknown. + ip netns exec $testns $NFT delete chain inet $t $chain + fi + done + done +} + +randdisable() +{ + while [ -r $tmp ]; do + for t in $tables; do + randsleep + local r=$((RANDOM%10)) + if [ $r -eq 1 ];then + ip netns exec $testns $NFT add table inet $t '{flags dormant; }' + randsleep + ip netns exec $testns $NFT add table inet $t '{ }' + fi + done + done +} + +randdelns() +{ + while [ -r $tmp ]; do + randsleep + netns_del + netns_add + randsleep + done +} + +available_flags() +{ + local -n available_flags=$1 + selected_key=$2 + if [ "$selected_key" == "single" ] ;then + available_flags+=("interval") + elif [ "$selected_key" == "concat" ] ;then + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + available_flags+=("interval") + fi + fi +} + +random_element_string="" + +# create a random element. Could cause any of the following: +# 1. Invalid set/map +# 2. Element already exists in set/map w. create +# 3. Element is new but wants to jump to unknown chain +# 4. Element already exsists in set/map w. add, but verdict (map data) differs +# 5. Element is created/added/deleted from 'flags constant' set. +random_elem() +{ + tr=$((RANDOM%2)) + t=0 + + for table in $tables; do + if [ $t -ne $tr ]; then + t=$((t+1)) + continue + fi + + kr=$((RANDOM%2)) + k=0 + cnt=0 + for key in "single" "concat"; do + if [ $k -ne $kr ] ;then + cnt=$((cnt+2)) + k=$((k+1)) + continue + fi + + fr=$((RANDOM%2)) + f=0 + + FLAGS=("") + available_flags FLAGS $key + for flags in "${FLAGS[@]}" ; do + cnt=$((cnt+1)) + if [ $f -ne fkr ] ;then + f=$((f+1)) + continue + fi + + want="${key}${flags}" + + e=$((RANDOM%256)) + case "$want" in + "single") element="10.1.1.$e" + ;; + "concat") element="10.1.2.$e . $((RANDOM%65536))" + ;; + "singleinterval") element="10.1.$e.0-10.1.$e.$e" + ;; + "concatinterval") element="10.1.$e.0-10.1.$e.$e . $((RANDOM%65536))" + ;; + *) echo "bogus key $want" + exit 111 + ;; + esac + + # This may result in invalid jump, but thats what we want. + count=$(($RANDOM%100)) + + r=$((RANDOM%7)) + case "$r" in + 0) + random_element_string=" inet $table set_${cnt} { $element }" + ;; + 1) random_element_string="inet $table sett${cnt} { $element timeout $((RANDOM%60))s }" + ;; + 2) random_element_string="inet $table dmap_${cnt} { $element : $RANDOM }" + ;; + 3) random_element_string="inet $table dmapt${cnt} { $element timeout $((RANDOM%60))s : $RANDOM }" + ;; + 4) random_element_string="inet $table vmap_${cnt} { $element : `random_verdict $count` }" + ;; + 5) random_element_string="inet $table vmapt${cnt} { $element timeout $((RANDOM%60))s : `random_verdict $count` }" + ;; + 6) random_element_string="inet $table setc${cnt} { $element }" + ;; + esac + + return + done + done + done +} + +randload() +{ + while [ -r $tmp ]; do + random_element_string="" + r=$((RANDOM%10)) + + what="" + case $r in + 1) + (echo "flush ruleset"; cat "$tmp" + echo "insert rule inet foo INPUT meta nftrace set 1" + echo "insert rule inet foo OUTPUT meta nftrace set 1" + ) | nft_with_fault_inject "/dev/stdin" + ;; + 2) what="add" + ;; + 3) what="create" + ;; + 4) what="delete" + ;; + 5) what="destroy" + ;; + 6) what="get" + ;; + *) + randsleep + ;; + esac + + if [ x"$what" = "x" ]; then + nft_with_fault_inject "$tmp" + else + # This can trigger abort path, for various reasons: + # invalid set name + # key mismatches set specification (concat vs. single value) + # attempt to delete non-existent key + # attempt to create dupliacte key + # attempt to add duplicate key with non-matching value (data) + # attempt to add new uniqeue key with a jump to an unknown chain + random_elem + ( cat "$tmp"; echo "$what element $random_element_string") | nft_with_fault_inject "/dev/stdin" + fi + done +} + +randmonitor() +{ + while [ -r $tmp ]; do + randsleep + timeout=$((RANDOM%16)) + timeout $((timeout+1)) $NFT monitor > /dev/null + done +} + +floodping() { + cpunum=$(grep -c processor /proc/cpuinfo) + cpunum=$((cpunum+1)) + + while [ -r $tmp ]; do + spawn=$((RANDOM%$cpunum)) + + # spawn at most $cpunum processes. Or maybe none at all. + i=0 + while [ $i -lt $spawn ]; do + mask=$(printf 0x%x $((1<<$i))) + timeout 3 ip netns exec "$testns" taskset $mask ping -4 -fq 127.0.0.1 > /dev/null & + timeout 3 ip netns exec "$testns" taskset $mask ping -6 -fq ::1 > /dev/null & + i=$((i+1)) + done + + wait + randsleep + done +} + +stress_all() +{ + # if fault injection is enabled, first a quick test to trigger + # abort paths without any parallel deletes/flushes. + if [ -w $faultname ] ;then + for i in $(seq 1 10);do + nft_with_fault_inject "$tmp" + done + fi + + randlist & + randflush & + randdeltable & + randdisable & + randdelchain & + randdelset & + randdelns & + randload & + randmonitor & +} + +gen_anon_chain_jump() +{ + echo -n "insert rule inet $@ " + jump_or_goto + + if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then + echo " defaultchain" + return + fi + + echo -n " { " + jump_or_goto + echo " defaultchain; counter; }" +} + +gen_ruleset() { +echo > "$tmp" +for table in $tables; do + count=$((RANDOM % 100)) + if [ $count -lt 1 ];then + count=1 + fi + + echo add table inet "$table" >> "$tmp" + echo flush table inet "$table" >> "$tmp" + + echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp" + echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp" + for c in $(seq 1 $count); do + chain=$(printf "chain%03u" "$c") + echo "add chain inet $table $chain" >> "$tmp" + done + + echo "add chain inet $table defaultchain" >> "$tmp" + + for c in $(seq 1 $count); do + chain=$(printf "chain%03u" "$c") + for BASE in INPUT OUTPUT; do + echo "add rule inet $table $BASE counter jump $chain" >> "$tmp" + done + if [ $((RANDOM%10)) -eq 1 ];then + echo "add rule inet $table $chain counter jump defaultchain" >> "$tmp" + else + echo "add rule inet $table $chain counter return" >> "$tmp" + fi + done + + cnt=0 + + # add a few anonymous sets. rhashtable is convered by named sets below. + c=$((RANDOM%$count)) + chain=$(printf "chain%03u" "$((c+1))") + echo "insert rule inet $table $chain tcp dport 22-26 ip saddr { 1.2.3.4, 5.6.7.8 } counter comment hash_fast" >> "$tmp" + echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp" + echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp" + # bitmap 1byte, with anon chain jump + gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp" + + # bitmap 2byte + echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp" + echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp" + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + # pipapo (concat + set), with goto anonymous chain. + gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp" + fi + + # add a few anonymous sets. rhashtable is convered by named sets below. + c=$((RANDOM%$count)) + chain=$(printf "chain%03u" "$((c+1))") + echo "insert rule inet $table $chain tcp dport 22-26 ip saddr { 1.2.3.4, 5.6.7.8 } counter comment hash_fast" >> "$tmp" + echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp" + echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp" + # bitmap 1byte, with anon chain jump + gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp" + # bitmap 2byte + echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp" + echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp" + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + # pipapo (concat + set), with goto anonymous chain. + gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp" + fi + + # add constant/immutable sets + size=$((RANDOM%5120000)) + size=$((size+2)) + echo "add set inet $table setc1 { typeof tcp dport; size $size; flags constant; elements = { 22, 44 } }" >> "$tmp" + echo "add set inet $table setc2 { typeof ip saddr; size $size; flags constant; elements = { 1.2.3.4, 5.6.7.8 } }" >> "$tmp" + echo "add set inet $table setc3 { typeof ip6 daddr; size $size; flags constant; elements = { ::1, dead::1 } }" >> "$tmp" + echo "add set inet $table setc4 { typeof tcp dport; size $size; flags interval,constant; elements = { 22-44, 55-66 } }" >> "$tmp" + echo "add set inet $table setc5 { typeof ip saddr; size $size; flags interval,constant; elements = { 1.2.3.4-5.6.7.8, 10.1.1.1 } }" >> "$tmp" + echo "add set inet $table setc6 { typeof ip6 daddr; size $size; flags interval,constant; elements = { ::1, dead::1-dead::3 } }" >> "$tmp" + + # add named sets with various combinations (plain value, range, concatenated values, concatenated ranges, with timeouts, with data ...) + for key in "ip saddr" "ip saddr . tcp dport"; do + FLAGS=("") + if [ "$key" == "ip saddr" ] ;then + FLAGS+=("flags interval;") + elif [ "$key" == "ip saddr . tcp dport" ] ;then + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + FLAGS+=("flags interval;") + fi + fi + for ((i = 0; i < ${#FLAGS[@]}; i++)) ; do + timeout=$((RANDOM%10)) + timeout=$((timeout+1)) + timeout="timeout ${timeout}s" + + cnt=$((cnt+1)) + flags=${FLAGS[$i]} + echo "add set inet $table set_${cnt} { typeof ${key} ; ${flags} }" >> "$tmp" + echo "add set inet $table sett${cnt} { typeof ${key} ; $timeout; ${flags} }" >> "$tmp" + echo "add map inet $table dmap_${cnt} { typeof ${key} : meta mark ; ${flags} }" >> "$tmp" + echo "add map inet $table dmapt${cnt} { typeof ${key} : meta mark ; $timeout ; ${flags} }" >> "$tmp" + echo "add map inet $table vmap_${cnt} { typeof ${key} : verdict ; ${flags} }" >> "$tmp" + echo "add map inet $table vmapt${cnt} { typeof ${key} : verdict; $timeout ; ${flags} }" >> "$tmp" + done + done + + cnt=0 + for key in "single" "concat"; do + FLAGS=("") + available_flags FLAGS $key + + for ((i = 0; i < ${#FLAGS[@]}; i++)) ; do + flags=${FLAGS[$i]} + want="${key}${flags}" + cnt=$((cnt+1)) + maxip=$((RANDOM%256)) + + if [ $maxip -eq 0 ];then + maxip=1 + fi + + for e in $(seq 1 $maxip);do + case "$want" in + "single") element="10.1.1.$e" + ;; + "concat") + element="10.1.2.$e . $((RANDOM%65536))" + ;; + "singleinterval") + element="10.1.$e.0-10.1.$e.$e" + ;; + "concatinterval") + element="10.1.$e.0-10.1.$e.$e . $((RANDOM%65536))" + ;; + *) + echo "bogus key $want" + exit 111 + ;; + esac + + echo "add element inet $table set_${cnt} { $element }" >> "$tmp" + echo "add element inet $table sett${cnt} { $element timeout $((RANDOM%60))s }" >> "$tmp" + echo "add element inet $table dmap_${cnt} { $element : $RANDOM }" >> "$tmp" + echo "add element inet $table dmapt${cnt} { $element timeout $((RANDOM%60))s : $RANDOM }" >> "$tmp" + echo "add element inet $table vmap_${cnt} { $element : `random_verdict $count` }" >> "$tmp" + echo "add element inet $table vmapt${cnt} { $element timeout $((RANDOM%60))s : `random_verdict $count` }" >> "$tmp" + done + done + done +done +} + +run_test() +{ + local time_now=$(date +%s) + local time_stop=$((time_now + $runtime)) + local regen=30 + + while [ $time_now -lt $time_stop ]; do + if [ $regen -gt 0 ];then + sleep 1 + time_now=$(date +%s) + regen=$((regen-1)) + continue + fi + + # This clobbers the previously generated ruleset, this is intentional. + gen_ruleset + regen=$((RANDOM%60)) + regen=$((regen+2)) + time_now=$(date +%s) + done +} + +netns_add + +gen_ruleset +ip netns exec "$testns" $NFT -f "$tmp" || exit 1 + +failslab_defaults + +stress_all 2>/dev/null & + +randsleep + +floodping 2> /dev/null & + +run_test + +# this stops stress_all +rm -f "$tmp" +tmp="" +sleep 4 + +if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then + echo "Ran a modified version of the test due to NFT_TEST_HAVE_chain_binding=n" +fi diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop new file mode 100755 index 00000000..2fd61810 --- /dev/null +++ b/tests/shell/testcases/transactions/anon_chain_loop @@ -0,0 +1,19 @@ +#!/bin/bash + +# anon chains with c1 -> c2 recursive jump, expect failure +$NFT -f - <<EOF +table ip t { + chain c2 { } + chain c1 { } +} + +add t c1 ip saddr 127.0.0.1 jump { jump c2; } +add t c2 ip saddr 127.0.0.1 jump { jump c1; } +EOF + +if [ $? -eq 0 ] ; then + echo "E: able to load bad ruleset" >&2 + exit 1 +fi + +exit 0 diff --git a/tests/shell/testcases/transactions/bad_expression b/tests/shell/testcases/transactions/bad_expression new file mode 100755 index 00000000..794b6258 --- /dev/null +++ b/tests/shell/testcases/transactions/bad_expression @@ -0,0 +1,38 @@ +#!/bin/bash + +# table with invalid expression (masquerade called from filter table). +# nft must return an error. Also catch nfnetlink retry loops that +# cause nft or kernel to spin. +timeout 3 $NFT -f - <<EOF +table ip t0 { + chain c { } + chain input { + type filter hook input priority 0; + jump c + } +} + +table ip t1 { + chain a { + masquerade + } + chain input { + type filter hook input priority 1; + jump a + } +} +EOF + +rc=$? +if [ $rc -eq 0 ]; then + echo "Ruleset should have failed" 1>&2 + exit 111 +fi + +# 124 means 'command timed out', fail if this +# happens. Else, pass, failure is wanted here. +if [ $rc -ne 124 ]; then + exit 0 +fi + +exit $rc diff --git a/tests/shell/testcases/transactions/concat_range_abort b/tests/shell/testcases/transactions/concat_range_abort new file mode 100755 index 00000000..b2bbe37b --- /dev/null +++ b/tests/shell/testcases/transactions/concat_range_abort @@ -0,0 +1,28 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +$NFT -f /dev/stdin <<EOF +table ip x { + map m { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { + 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : jump foo, + } + } + + chain foo { + accept + } +} +EOF + +$NFT -f /dev/stdin <<EOF +add chain ip x bar +add element ip x m { 1.2.3.4 . 42 : jump bar } +delete set ip x m +EOF diff --git a/tests/shell/testcases/transactions/doubled-set b/tests/shell/testcases/transactions/doubled-set new file mode 100755 index 00000000..50b568eb --- /dev/null +++ b/tests/shell/testcases/transactions/doubled-set @@ -0,0 +1,22 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +$NFT -f /dev/stdin <<EOF +table t { + set s { + type ipv4_addr . ifname + flags interval + elements = { 1.2.3.4 . "foo" } + } + + set s { + type ipv4_addr . ifname + flags interval + elements = { 1.2.3.4 . "foo" } + + } +} +EOF + +# run-tests.sh will validate dumpfile. diff --git a/tests/shell/testcases/transactions/dumps/0001table_0.json-nft b/tests/shell/testcases/transactions/dumps/0001table_0.json-nft new file mode 100644 index 00000000..ea75b43f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0001table_0.json-nft @@ -0,0 +1,25 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0002table_0.json-nft b/tests/shell/testcases/transactions/dumps/0002table_0.json-nft new file mode 100644 index 00000000..b1fefc31 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0002table_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0, + "flags": "dormant" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0002table_0.nft b/tests/shell/testcases/transactions/dumps/0002table_0.nft index 6eb70726..429cbc34 100644 --- a/tests/shell/testcases/transactions/dumps/0002table_0.nft +++ b/tests/shell/testcases/transactions/dumps/0002table_0.nft @@ -1,3 +1,7 @@ table ip x { flags dormant + + chain y { + type nat hook prerouting priority filter; policy accept; + } } diff --git a/tests/shell/testcases/transactions/dumps/0003table_0.json-nft b/tests/shell/testcases/transactions/dumps/0003table_0.json-nft new file mode 100644 index 00000000..ea75b43f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0003table_0.json-nft @@ -0,0 +1,25 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0003table_0.nft b/tests/shell/testcases/transactions/dumps/0003table_0.nft new file mode 100644 index 00000000..e4e5f9b1 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0003table_0.nft @@ -0,0 +1,4 @@ +table ip x { +} +table ip y { +} diff --git a/tests/shell/testcases/transactions/dumps/0010chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0010chain_0.json-nft new file mode 100644 index 00000000..85947674 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0010chain_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "w", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "w", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0011chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0011chain_0.json-nft new file mode 100644 index 00000000..12cf0bbf --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0011chain_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0012chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0012chain_0.json-nft new file mode 100644 index 00000000..dc5eaa61 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0012chain_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "w", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "w", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0013chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0013chain_0.json-nft new file mode 100644 index 00000000..dc5eaa61 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0013chain_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "w", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "w", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0014chain_1.json-nft b/tests/shell/testcases/transactions/dumps/0014chain_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0014chain_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0014chain_1.nft b/tests/shell/testcases/transactions/dumps/0014chain_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0014chain_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0015chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0015chain_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0015chain_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0015chain_0.nft b/tests/shell/testcases/transactions/dumps/0015chain_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0015chain_0.nft diff --git a/tests/shell/testcases/transactions/dumps/0020rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0020rule_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0020rule_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0020rule_0.nft b/tests/shell/testcases/transactions/dumps/0020rule_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0020rule_0.nft diff --git a/tests/shell/testcases/transactions/dumps/0021rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0021rule_0.json-nft new file mode 100644 index 00000000..4c5500cc --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0021rule_0.json-nft @@ -0,0 +1,54 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "2.2.2.2" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0022rule_1.json-nft b/tests/shell/testcases/transactions/dumps/0022rule_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0022rule_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0022rule_1.nft b/tests/shell/testcases/transactions/dumps/0022rule_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0022rule_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0023rule_1.json-nft b/tests/shell/testcases/transactions/dumps/0023rule_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0023rule_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0023rule_1.nft b/tests/shell/testcases/transactions/dumps/0023rule_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0023rule_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0024rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0024rule_0.json-nft new file mode 100644 index 00000000..1e37f7d9 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0024rule_0.json-nft @@ -0,0 +1,82 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "rule1", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "rule2", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "rule3", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "rule4", + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0025rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0025rule_0.json-nft new file mode 100644 index 00000000..623d9765 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0025rule_0.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "log": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0030set_0.json-nft b/tests/shell/testcases/transactions/dumps/0030set_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0030set_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0031set_0.json-nft b/tests/shell/testcases/transactions/dumps/0031set_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0031set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0032set_0.json-nft b/tests/shell/testcases/transactions/dumps/0032set_0.json-nft new file mode 100644 index 00000000..66bbf0eb --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0032set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "w", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "w", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0033set_0.json-nft b/tests/shell/testcases/transactions/dumps/0033set_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0033set_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0034set_0.json-nft b/tests/shell/testcases/transactions/dumps/0034set_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0034set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0035set_0.json-nft b/tests/shell/testcases/transactions/dumps/0035set_0.json-nft new file mode 100644 index 00000000..6b8f671c --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0035set_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "3.3.3.3" + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0036set_1.json-nft b/tests/shell/testcases/transactions/dumps/0036set_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0036set_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0036set_1.nft b/tests/shell/testcases/transactions/dumps/0036set_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0036set_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0037set_0.json-nft b/tests/shell/testcases/transactions/dumps/0037set_0.json-nft new file mode 100644 index 00000000..e4c77147 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0037set_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0038set_0.json-nft b/tests/shell/testcases/transactions/dumps/0038set_0.json-nft new file mode 100644 index 00000000..0a36f4a8 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0038set_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.4.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0039set_0.json-nft b/tests/shell/testcases/transactions/dumps/0039set_0.json-nft new file mode 100644 index 00000000..0a36f4a8 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0039set_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.4.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.json-nft b/tests/shell/testcases/transactions/dumps/0040set_0.json-nft new file mode 100644 index 00000000..1718a5b9 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0040set_0.json-nft @@ -0,0 +1,84 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "client_to_any", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "client_to_any", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict" + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "FORWARD", + "handle": 0, + "expr": [ + { + "goto": { + "target": "client_to_any" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "client_to_any", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@client_to_any" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0041nat_restore_0.json-nft b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.json-nft new file mode 100644 index 00000000..32fce943 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft new file mode 100644 index 00000000..b7180012 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + type nat hook postrouting priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.json-nft b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.json-nft new file mode 100644 index 00000000..ea3b5d3c --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m1", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft new file mode 100644 index 00000000..e5cc63f2 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft @@ -0,0 +1,5 @@ +table ip filter { + map m1 { + type ipv4_addr : counter + } +} diff --git a/tests/shell/testcases/transactions/dumps/0043set_1.json-nft b/tests/shell/testcases/transactions/dumps/0043set_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0043set_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0043set_1.nft b/tests/shell/testcases/transactions/dumps/0043set_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0043set_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0044rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0044rule_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0044rule_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0044rule_0.nft b/tests/shell/testcases/transactions/dumps/0044rule_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0044rule_0.nft diff --git a/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.json-nft b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft diff --git a/tests/shell/testcases/transactions/dumps/0046set_0.json-nft b/tests/shell/testcases/transactions/dumps/0046set_0.json-nft new file mode 100644 index 00000000..f9b488e7 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0046set_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0046set_0.nft b/tests/shell/testcases/transactions/dumps/0046set_0.nft new file mode 100644 index 00000000..eb39c44f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0046set_0.nft @@ -0,0 +1,2 @@ +table ip filter { +} diff --git a/tests/shell/testcases/transactions/dumps/0047set_0.json-nft b/tests/shell/testcases/transactions/dumps/0047set_0.json-nft new file mode 100644 index 00000000..a7e677b2 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0047set_0.json-nft @@ -0,0 +1,73 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "group_10060", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "classid", + "flags": [ + "interval" + ], + "elem": [ + [ + "10.1.26.2", + "1:bbf8" + ], + [ + "10.1.26.3", + "1:c1ad" + ], + [ + "10.1.26.4", + "1:b2d7" + ], + [ + "10.1.26.5", + "1:f705" + ], + [ + "10.1.26.6", + "1:b895" + ], + [ + "10.1.26.7", + "1:ec4c" + ], + [ + "10.1.26.8", + "1:de78" + ], + [ + "10.1.26.9", + "1:b4f3" + ], + [ + "10.1.26.10", + "1:dec6" + ], + [ + "10.1.26.11", + "1:b4c0" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0047set_0.nft b/tests/shell/testcases/transactions/dumps/0047set_0.nft new file mode 100644 index 00000000..4da397b2 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0047set_0.nft @@ -0,0 +1,11 @@ +table ip filter { + map group_10060 { + type ipv4_addr : classid + flags interval + elements = { 10.1.26.2 : 1:bbf8, 10.1.26.3 : 1:c1ad, + 10.1.26.4 : 1:b2d7, 10.1.26.5 : 1:f705, + 10.1.26.6 : 1:b895, 10.1.26.7 : 1:ec4c, + 10.1.26.8 : 1:de78, 10.1.26.9 : 1:b4f3, + 10.1.26.10 : 1:dec6, 10.1.26.11 : 1:b4c0 } + } +} diff --git a/tests/shell/testcases/transactions/dumps/0048helpers_0.json-nft b/tests/shell/testcases/transactions/dumps/0048helpers_0.json-nft new file mode 100644 index 00000000..f9b488e7 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0048helpers_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0048helpers_0.nft b/tests/shell/testcases/transactions/dumps/0048helpers_0.nft new file mode 100644 index 00000000..eb39c44f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0048helpers_0.nft @@ -0,0 +1,2 @@ +table ip filter { +} diff --git a/tests/shell/testcases/transactions/dumps/0049huge_0.json-nft b/tests/shell/testcases/transactions/dumps/0049huge_0.json-nft new file mode 100644 index 00000000..456ada94 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0049huge_0.json-nft @@ -0,0 +1,5121 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_OUTPUT", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_IN_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_OUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_post", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": { + "set": [ + "nd-router-advert", + "nd-neighbor-solicit" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv6" + } + }, + { + "match": { + "op": "==", + "left": { + "fib": { + "result": "oif", + "flags": [ + "saddr", + "iif" + ] + } + }, + "right": false + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "raw_PRE_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "raw_PRE_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "raw_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "mangle_PRE_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "mangle_PRE_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "mangle_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "established", + "related" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "status" + } + }, + "right": "dnat" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_INPUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "established", + "related" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "status" + } + }, + "right": "dnat" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "::", + "len": 96 + } + }, + { + "prefix": { + "addr": "::ffff:0.0.0.0", + "len": 96 + } + }, + { + "prefix": { + "addr": "2002::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:a00::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:7f00::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:a9fe::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2002:ac10::", + "len": 28 + } + }, + { + "prefix": { + "addr": "2002:c0a8::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2002:e000::", + "len": 19 + } + } + ] + } + } + }, + { + "reject": { + "type": "icmpv6", + "expr": "addr-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_IN_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_OUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_OUTPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_OUTPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "::", + "len": 96 + } + }, + { + "prefix": { + "addr": "::ffff:0.0.0.0", + "len": 96 + } + }, + { + "prefix": { + "addr": "2002::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:a00::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:7f00::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:a9fe::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2002:ac10::", + "len": 28 + } + }, + { + "prefix": { + "addr": "2002:c0a8::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2002:e000::", + "len": 19 + } + } + ] + } + } + }, + { + "reject": { + "type": "icmpv6", + "expr": "addr-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "filter_IN_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "filter_IN_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_IN_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "filter_FWDI_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "filter_FWDI_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDI_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "filter_FWDO_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "filter_FWDO_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDO_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "new", + "untracked" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "new", + "untracked" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "new", + "untracked" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "new", + "untracked" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_post" + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_post", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "nat_PRE_work" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "nat_PRE_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "nat_POST_work" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "nat_POST_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_post" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_post", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "nat_PRE_work" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "nat_PRE_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "nat_POST_work" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "nat_POST_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_post" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0049huge_0.nft b/tests/shell/testcases/transactions/dumps/0049huge_0.nft new file mode 100644 index 00000000..96f5a387 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0049huge_0.nft @@ -0,0 +1,749 @@ +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority raw + 10; policy accept; + icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES { + iifname "perm_dummy" goto raw_PRE_work + iifname "perm_dummy2" goto raw_PRE_trusted + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority mangle + 10; policy accept; + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES { + iifname "perm_dummy" goto mangle_PRE_work + iifname "perm_dummy2" goto mangle_PRE_trusted + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority filter + 10; policy accept; + ct state { established, related } accept + ct status dnat accept + iifname "lo" accept + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority filter + 10; policy accept; + ct state { established, related } accept + ct status dnat accept + iifname "lo" accept + ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_OUTPUT { + type filter hook output priority filter + 10; policy accept; + oifname "lo" accept + ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable + } + + chain filter_INPUT_ZONES { + iifname "perm_dummy" goto filter_IN_work + iifname "perm_dummy2" goto filter_IN_trusted + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES { + iifname "perm_dummy" goto filter_FWDI_work + iifname "perm_dummy2" goto filter_FWDI_trusted + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES { + oifname "perm_dummy" goto filter_FWDO_work + oifname "perm_dummy2" goto filter_FWDO_trusted + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_pre + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + jump raw_PRE_public_post + } + + chain raw_PRE_public_pre { + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain raw_PRE_public_post { + } + + chain filter_IN_public { + jump filter_IN_public_pre + jump filter_IN_public_log + jump filter_IN_public_deny + jump filter_IN_public_allow + jump filter_IN_public_post + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_pre { + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport 22 ct state { new, untracked } accept + ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept + } + + chain filter_IN_public_post { + } + + chain filter_FWDI_public { + jump filter_FWDI_public_pre + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + jump filter_FWDI_public_post + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_pre { + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain filter_FWDI_public_post { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_pre + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + jump mangle_PRE_public_post + } + + chain mangle_PRE_public_pre { + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain mangle_PRE_public_post { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_pre + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + jump filter_FWDO_public_post + } + + chain filter_FWDO_public_pre { + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain filter_FWDO_public_post { + } + + chain raw_PRE_trusted { + jump raw_PRE_trusted_pre + jump raw_PRE_trusted_log + jump raw_PRE_trusted_deny + jump raw_PRE_trusted_allow + jump raw_PRE_trusted_post + } + + chain raw_PRE_trusted_pre { + } + + chain raw_PRE_trusted_log { + } + + chain raw_PRE_trusted_deny { + } + + chain raw_PRE_trusted_allow { + } + + chain raw_PRE_trusted_post { + } + + chain mangle_PRE_trusted { + jump mangle_PRE_trusted_pre + jump mangle_PRE_trusted_log + jump mangle_PRE_trusted_deny + jump mangle_PRE_trusted_allow + jump mangle_PRE_trusted_post + } + + chain mangle_PRE_trusted_pre { + } + + chain mangle_PRE_trusted_log { + } + + chain mangle_PRE_trusted_deny { + } + + chain mangle_PRE_trusted_allow { + } + + chain mangle_PRE_trusted_post { + } + + chain filter_IN_trusted { + jump filter_IN_trusted_pre + jump filter_IN_trusted_log + jump filter_IN_trusted_deny + jump filter_IN_trusted_allow + jump filter_IN_trusted_post + accept + } + + chain filter_IN_trusted_pre { + } + + chain filter_IN_trusted_log { + } + + chain filter_IN_trusted_deny { + } + + chain filter_IN_trusted_allow { + } + + chain filter_IN_trusted_post { + } + + chain filter_FWDI_trusted { + jump filter_FWDI_trusted_pre + jump filter_FWDI_trusted_log + jump filter_FWDI_trusted_deny + jump filter_FWDI_trusted_allow + jump filter_FWDI_trusted_post + accept + } + + chain filter_FWDI_trusted_pre { + } + + chain filter_FWDI_trusted_log { + } + + chain filter_FWDI_trusted_deny { + } + + chain filter_FWDI_trusted_allow { + } + + chain filter_FWDI_trusted_post { + } + + chain filter_FWDO_trusted { + jump filter_FWDO_trusted_pre + jump filter_FWDO_trusted_log + jump filter_FWDO_trusted_deny + jump filter_FWDO_trusted_allow + jump filter_FWDO_trusted_post + accept + } + + chain filter_FWDO_trusted_pre { + } + + chain filter_FWDO_trusted_log { + } + + chain filter_FWDO_trusted_deny { + } + + chain filter_FWDO_trusted_allow { + } + + chain filter_FWDO_trusted_post { + } + + chain raw_PRE_work { + jump raw_PRE_work_pre + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + jump raw_PRE_work_post + } + + chain raw_PRE_work_pre { + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain raw_PRE_work_post { + } + + chain filter_IN_work { + jump filter_IN_work_pre + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + jump filter_IN_work_post + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_pre { + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport 22 ct state { new, untracked } accept + ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept + } + + chain filter_IN_work_post { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_pre + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + jump mangle_PRE_work_post + } + + chain mangle_PRE_work_pre { + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } + + chain mangle_PRE_work_allow { + } + + chain mangle_PRE_work_post { + } + + chain filter_FWDI_work { + jump filter_FWDI_work_pre + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + jump filter_FWDI_work_post + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_pre { + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain filter_FWDI_work_post { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_pre + jump filter_FWDO_work_log + jump filter_FWDO_work_deny + jump filter_FWDO_work_allow + jump filter_FWDO_work_post + } + + chain filter_FWDO_work_pre { + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } + + chain filter_FWDO_work_post { + } +} +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES { + iifname "perm_dummy" goto nat_PRE_work + iifname "perm_dummy2" goto nat_PRE_trusted + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES { + oifname "perm_dummy" goto nat_POST_work + oifname "perm_dummy2" goto nat_POST_trusted + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_pre + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + jump nat_PRE_public_post + } + + chain nat_PRE_public_pre { + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_PRE_public_post { + } + + chain nat_POST_public { + jump nat_POST_public_pre + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + jump nat_POST_public_post + } + + chain nat_POST_public_pre { + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_POST_public_post { + } + + chain nat_PRE_trusted { + jump nat_PRE_trusted_pre + jump nat_PRE_trusted_log + jump nat_PRE_trusted_deny + jump nat_PRE_trusted_allow + jump nat_PRE_trusted_post + } + + chain nat_PRE_trusted_pre { + } + + chain nat_PRE_trusted_log { + } + + chain nat_PRE_trusted_deny { + } + + chain nat_PRE_trusted_allow { + } + + chain nat_PRE_trusted_post { + } + + chain nat_POST_trusted { + jump nat_POST_trusted_pre + jump nat_POST_trusted_log + jump nat_POST_trusted_deny + jump nat_POST_trusted_allow + jump nat_POST_trusted_post + } + + chain nat_POST_trusted_pre { + } + + chain nat_POST_trusted_log { + } + + chain nat_POST_trusted_deny { + } + + chain nat_POST_trusted_allow { + } + + chain nat_POST_trusted_post { + } + + chain nat_PRE_work { + jump nat_PRE_work_pre + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + jump nat_PRE_work_post + } + + chain nat_PRE_work_pre { + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_PRE_work_post { + } + + chain nat_POST_work { + jump nat_POST_work_pre + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + jump nat_POST_work_post + } + + chain nat_POST_work_pre { + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } + + chain nat_POST_work_post { + } +} +table ip6 firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES { + iifname "perm_dummy" goto nat_PRE_work + iifname "perm_dummy2" goto nat_PRE_trusted + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES { + oifname "perm_dummy" goto nat_POST_work + oifname "perm_dummy2" goto nat_POST_trusted + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_pre + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + jump nat_PRE_public_post + } + + chain nat_PRE_public_pre { + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_PRE_public_post { + } + + chain nat_POST_public { + jump nat_POST_public_pre + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + jump nat_POST_public_post + } + + chain nat_POST_public_pre { + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_POST_public_post { + } + + chain nat_PRE_trusted { + jump nat_PRE_trusted_pre + jump nat_PRE_trusted_log + jump nat_PRE_trusted_deny + jump nat_PRE_trusted_allow + jump nat_PRE_trusted_post + } + + chain nat_PRE_trusted_pre { + } + + chain nat_PRE_trusted_log { + } + + chain nat_PRE_trusted_deny { + } + + chain nat_PRE_trusted_allow { + } + + chain nat_PRE_trusted_post { + } + + chain nat_POST_trusted { + jump nat_POST_trusted_pre + jump nat_POST_trusted_log + jump nat_POST_trusted_deny + jump nat_POST_trusted_allow + jump nat_POST_trusted_post + } + + chain nat_POST_trusted_pre { + } + + chain nat_POST_trusted_log { + } + + chain nat_POST_trusted_deny { + } + + chain nat_POST_trusted_allow { + } + + chain nat_POST_trusted_post { + } + + chain nat_PRE_work { + jump nat_PRE_work_pre + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + jump nat_PRE_work_post + } + + chain nat_PRE_work_pre { + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_PRE_work_post { + } + + chain nat_POST_work { + jump nat_POST_work_pre + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + jump nat_POST_work_post + } + + chain nat_POST_work_pre { + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } + + chain nat_POST_work_post { + } +} diff --git a/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft b/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0050rule_1.nft b/tests/shell/testcases/transactions/dumps/0050rule_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0050rule_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0051map_0.nodump b/tests/shell/testcases/transactions/dumps/0051map_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0051map_0.nodump diff --git a/tests/shell/testcases/transactions/dumps/30s-stress.json-nft b/tests/shell/testcases/transactions/dumps/30s-stress.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/30s-stress.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/30s-stress.nft b/tests/shell/testcases/transactions/dumps/30s-stress.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/30s-stress.nft diff --git a/tests/shell/testcases/transactions/dumps/anon_chain_loop.json-nft b/tests/shell/testcases/transactions/dumps/anon_chain_loop.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/anon_chain_loop.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft b/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft diff --git a/tests/shell/testcases/transactions/dumps/bad_expression.json-nft b/tests/shell/testcases/transactions/dumps/bad_expression.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/bad_expression.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/bad_expression.nft b/tests/shell/testcases/transactions/dumps/bad_expression.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/bad_expression.nft diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft new file mode 100644 index 00000000..8db71894 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft @@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft new file mode 100644 index 00000000..06adca7a --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft @@ -0,0 +1,8 @@ +table ip x { + chain foo { + accept + } + + chain bar { + } +} diff --git a/tests/shell/testcases/transactions/dumps/doubled-set.json-nft b/tests/shell/testcases/transactions/dumps/doubled-set.json-nft new file mode 100644 index 00000000..2dced124 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/doubled-set.json-nft @@ -0,0 +1,41 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "1.2.3.4", + "foo" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/doubled-set.nft b/tests/shell/testcases/transactions/dumps/doubled-set.nft new file mode 100644 index 00000000..48a322eb --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/doubled-set.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr . ifname + flags interval + elements = { 1.2.3.4 . "foo" } + } +} diff --git a/tests/shell/testcases/transactions/dumps/table_onoff.json-nft b/tests/shell/testcases/transactions/dumps/table_onoff.json-nft new file mode 100644 index 00000000..a7583e8c --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/table_onoff.json-nft @@ -0,0 +1,59 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0, + "flags": "dormant" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.42" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/table_onoff.nft b/tests/shell/testcases/transactions/dumps/table_onoff.nft new file mode 100644 index 00000000..038be1c0 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/table_onoff.nft @@ -0,0 +1,8 @@ +table ip t { + flags dormant + + chain c { + type filter hook input priority filter; policy accept; + ip daddr 127.0.0.42 counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/transactions/table_onoff b/tests/shell/testcases/transactions/table_onoff new file mode 100755 index 00000000..831d4614 --- /dev/null +++ b/tests/shell/testcases/transactions/table_onoff @@ -0,0 +1,44 @@ +#!/bin/bash + +# attempt to re-awaken a table that is flagged dormant within +# same transaction +$NFT -f - <<EOF +add table ip t +add table ip t { flags dormant; } +add chain ip t c { type filter hook input priority 0; } +add table ip t +delete table ip t +EOF + +if [ $? -eq 0 ]; then + exit 1 +fi + +set -e + +ip link set lo up + +# add a dormant table, then wake it up in same +# transaction. +$NFT -f - <<EOF +add table ip t { flags dormant; } +add chain ip t c { type filter hook input priority 0; } +add rule ip t c ip daddr 127.0.0.42 counter +add table ip t +EOF + +# check table is indeed active. +ping -c 1 127.0.0.42 +$NFT list chain ip t c | grep "counter packets 1" +$NFT delete table ip t + +# allow to flag table dormant. +$NFT -f - <<EOF +add table ip t +add chain ip t c { type filter hook input priority 0; } +add rule ip t c ip daddr 127.0.0.42 counter +add table ip t { flags dormant; } +EOF + +ping -c 1 127.0.0.42 +# expect run-tests.sh to complain if counter isn't 0. |