Diffstat (limited to 'tests')
25 files changed, 554 insertions, 2 deletions
diff --git a/tests/shell/features/ip_options.nft b/tests/shell/features/ip_options.nft new file mode 100644 index 00000000..0b8cb09c --- /dev/null +++ b/tests/shell/features/ip_options.nft @@ -0,0 +1,8 @@ +# dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") +# v5.3-rc1~140^2~153^2~1 + +table ip x { + chain y { + ip option ra value 255 + } +} diff --git a/tests/shell/features/ipsec.nft b/tests/shell/features/ipsec.nft new file mode 100644 index 00000000..e7252271 --- /dev/null +++ b/tests/shell/features/ipsec.nft @@ -0,0 +1,7 @@ +# 6c47260250fc ("netfilter: nf_tables: add xfrm expression") +# v4.20-rc1~14^2~125^2~25 +table ip x { + chain y { + ipsec in reqid 23 + } +} diff --git a/tests/shell/features/position_id.sh b/tests/shell/features/position_id.sh new file mode 100755 index 00000000..43ac97ac --- /dev/null +++ b/tests/shell/features/position_id.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +# 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule") +# v5.1-rc1~178^2~405^2~27 + +EXPECTED="table inet t { + chain c { + tcp dport 1234 accept + udp dport 4321 accept + accept + } +}" + +RULESET="add table inet t +add chain inet t c +add rule inet t c tcp dport 1234 accept +add rule inet t c accept +insert rule inet t c index 1 udp dport 4321 accept +" + +$NFT -f - <<< $RULESET + +diff -u <($NFT list ruleset) - <<<"$EXPECTED" diff --git a/tests/shell/testcases/cache/0011_index_0 b/tests/shell/testcases/cache/0011_index_0 index c9eb8683..76f2615d 100755 --- a/tests/shell/testcases/cache/0011_index_0 +++ b/tests/shell/testcases/cache/0011_index_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_position_id) + set -e RULESET="flush ruleset diff --git a/tests/shell/testcases/chains/netdev_chain_dormant_autoremove b/tests/shell/testcases/chains/netdev_chain_dormant_autoremove new file mode 100755 index 00000000..3093ce25 --- /dev/null +++ b/tests/shell/testcases/chains/netdev_chain_dormant_autoremove 
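Review bot: In position_id.sh the exit status of `$NFT -f - <<< $RULESET` is discarded, so a failed load is only detected indirectly through the following `diff -u` against the listing, which makes the probe's meaning harder to read than it needs to be. Making the failure explicit, `$NFT -f - <<< "$RULESET" || exit 1`, also quotes the here-string the way the other new tests in this commit do (`<<< "$RULESET"`). Whether the feature runner treats any non-zero exit as "feature absent" is not visible in this diff.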
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_multidevice)
+
+set -e
+
+ip link add dummy0 type dummy
+ip link add dummy1 type dummy
+$NFT add table netdev test { flags dormant\; }
+$NFT add chain netdev test ingress { type filter hook ingress devices = { "dummy0", "dummy1" } priority 0\; policy drop\; }
+ip link del dummy0
diff --git a/tests/shell/testcases/maps/0024named_objects_1 b/tests/shell/testcases/maps/0024named_objects_1
new file mode 100755
index 00000000..a861e9e2
--- /dev/null
+++ b/tests/shell/testcases/maps/0024named_objects_1
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# This is the test-case:
+# * creating valid named objects and using map variables in statements
+
+RULESET='
+define counter_map = { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123" }
+define quota_map = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
+
+table inet x {
+ counter user123 {
+ packets 12 bytes 1433
+ }
+ counter user321 {
+ packets 12 bytes 1433
+ }
+ quota user123 {
+ over 2000 bytes
+ }
+ quota user124 {
+ over 2000 bytes
+ }
+ chain y {
+ type filter hook input priority 0; policy accept;
+ counter name ip saddr map $counter_map
+ quota name ip saddr map $quota_map drop
+ }
+}'
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/maps/0024named_objects_2 b/tests/shell/testcases/maps/0024named_objects_2
new file mode 100755
index 00000000..584b5100
--- /dev/null
+++ b/tests/shell/testcases/maps/0024named_objects_2
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+#
+# Test some error conditions for using variables to define maps
+#
+
+set -e
+
+for m in "192.168.2.2" "{ 192.168.2.2, 1.1.1.1, 2.2.2.2 }"; do
+
+ RULESET="
+define m = $m"'
+table inet x {
+ chain y {
+ type filter hook input priority 0; policy accept;
+ counter name ip saddr map $m
+ }
+}'
+
+ $NFT -f - <<< "$RULESET" || rc=$?
+ test $rc = 1
+
+done
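Review bot: netdev_chain_dormant_autoremove creates `dummy0` and `dummy1` under `set -e` without any trap, so a failure at the `add table`/`add chain` step leaves both devices on the host, and even a successful run leaves `dummy1` behind because only `dummy0` is deleted at the end. Register the cleanup before the first `ip link add`, e.g. `trap 'ip link del dummy0 2>/dev/null || true; ip link del dummy1 2>/dev/null || true' EXIT`, with the `|| true` so that an already-removed device does not trip `set -e` inside the trap. Fixed device names are also fragile: a pre-existing `dummy0` on the host makes `ip link add` fail, whereas vlan_mangling derives its namespace names from `mktemp -u`. The table `test` is left in place too; whether the runner flushes the ruleset between tests is not visible here.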
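Review bot: `rc` is never reset between iterations in 0024named_objects_2, so on the second iteration `test $rc = 1` still sees the value left by the first one and a regression where `$NFT -f -` unexpectedly accepts the second ruleset would go unnoticed; on the first iteration an unexpected success leaves `rc` unset and the test fails only because `test` rejects the malformed expression. Initialise it per iteration, e.g. `rc=0` on the line before `$NFT -f - <<< "$RULESET" || rc=$?`. anonymous_snat_map_2 has the same loop and the same defect.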
diff --git a/tests/shell/testcases/maps/anonymous_snat_map_1 b/tests/shell/testcases/maps/anonymous_snat_map_1
new file mode 100755
index 00000000..031de0c1
--- /dev/null
+++ b/tests/shell/testcases/maps/anonymous_snat_map_1
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Variable containing anonymous map can be added to a snat rule
+
+set -e
+
+RULESET='
+define m = {1.1.1.1 : 2.2.2.2}
+table nat {
+ chain postrouting {
+ snat ip saddr map $m
+ }
+}
+'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/maps/anonymous_snat_map_2 b/tests/shell/testcases/maps/anonymous_snat_map_2
new file mode 100755
index 00000000..90e02038
--- /dev/null
+++ b/tests/shell/testcases/maps/anonymous_snat_map_2
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+#
+# Test some error conditions for using variables to define maps
+#
+
+set -e
+
+for m in "1.1.1.1" "{1.1.1.1}"; do
+
+ RULESET="
+define m = $m"'
+table nat {
+ chain postrouting {
+ snat ip saddr map $m
+ }
+}
+'
+
+ $NFT -f - <<< "$RULESET" || rc=$?
+ test $rc = 1
+
+done
diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft b/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft
new file mode 100644
index 00000000..e3fab16d
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft
@@ -0,0 +1,147 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "packets": 12,
+ "bytes": 1433
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user321",
+ "table": "x",
+ "handle": 0,
+ "packets": 12,
+ "bytes": 1433
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user124",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "counter": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ "user123"
+ ],
+ [
+ "2.2.2.2",
+ "user123"
+ ],
+ [
+ "192.168.2.2",
+ "user123"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "quota": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "192.168.2.2",
+ "user124"
+ ],
+ [
+ "192.168.2.3",
+ "user124"
+ ]
+ ]
+ }
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_1.nft b/tests/shell/testcases/maps/dumps/0024named_objects_1.nft
new file mode 100644
index 00000000..a8e99a3c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0024named_objects_1.nft
@@ -0,0 +1,23 @@
+table inet x {
+ counter user123 {
+ packets 12 bytes 1433
+ }
+
+ counter user321 {
+ packets 12 bytes 1433
+ }
+
+ quota user123 {
+ over 2000 bytes
+ }
+
+ quota user124 {
+ over 2000 bytes
+ }
+
+ chain y {
+ type filter hook input priority filter; policy accept;
+ counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
+ quota name ip saddr map { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } drop
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.json-nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.json-nft
new file mode 100644
index 00000000..f4c55706
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.json-nft
@@ -0,0 +1,58 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "nat",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "nat",
+ "name": "postrouting",
+ "handle": 0
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "nat",
+ "chain": "postrouting",
+ "handle": 0,
+ "expr": [
+ {
+ "snat": {
+ "addr": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.nft
new file mode 100644
index 00000000..5009560c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.nft
@@ -0,0 +1,5 @@
+table ip nat {
+ chain postrouting {
+ snat to ip saddr map { 1.1.1.1 : 2.2.2.2 }
+ }
+}
diff --git a/tests/shell/testcases/maps/named_ct_objects b/tests/shell/testcases/maps/named_ct_objects
index 61b87c1a..518140b0 100755
--- a/tests/shell/testcases/maps/named_ct_objects
+++ b/tests/shell/testcases/maps/named_ct_objects
@@ -1,6 +1,7 @@ #!/bin/bash # NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ctexpect) $NFT -f /dev/stdin <<EOF || exit 1 table inet t { diff --git a/tests/shell/testcases/maps/nat_addr_port b/tests/shell/testcases/maps/nat_addr_port index 2804d48c..703a2ad9 100755 --- a/tests/shell/testcases/maps/nat_addr_port +++ b/tests/shell/testcases/maps/nat_addr_port @@ -84,6 +84,11 @@ $NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1 # should fail: rule has no test for l4 protocol, but map has inet_service $NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1 +if [ "$NFT_TEST_HAVE_inet_nat" = n ]; then + echo "Test partially skipped due to NFT_TEST_HAVE_inet_nat=n" + exit 77 +fi + # skeleton inet $NFT -f /dev/stdin <<EOF || exit 1 table inet inetfoo { diff --git a/tests/shell/testcases/maps/typeof_maps_0 b/tests/shell/testcases/maps/typeof_maps_0 index 98517fd5..764206d2 100755 --- a/tests/shell/testcases/maps/typeof_maps_0 +++ b/tests/shell/testcases/maps/typeof_maps_0 @@ -4,6 +4,8 @@ # without typeof, this is 'type string' and 'type integer', # but neither could be used because it lacks size information. +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ipsec) + set -e die() { diff --git a/tests/shell/testcases/optimizations/ruleset b/tests/shell/testcases/optimizations/ruleset index 2b2d80ff..f7c3b747 100755 --- a/tests/shell/testcases/optimizations/ruleset +++ b/tests/shell/testcases/optimizations/ruleset @@ -1,6 +1,7 @@ #!/bin/bash # NFT_TEST_REQUIRES(NFT_TEST_HAVE_prerouting_reject) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_nat) RULESET="table inet uni { chain gtfo { diff --git a/tests/shell/testcases/packetpath/vlan_mangling b/tests/shell/testcases/packetpath/vlan_mangling new file mode 100755 index 00000000..b3f87c66 --- /dev/null +++ b/tests/shell/testcases/packetpath/vlan_mangling 
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+
+ip -net "$ns1" link add vlan123 link veth0 type vlan id 123
+ip -net "$ns2" link add vlan321 link veth0 type vlan id 321
+
+
+for dev in veth0 ; do
+ ip -net "$ns1" link set $dev up
+ ip -net "$ns2" link set $dev up
+done
+ip -net "$ns1" link set vlan123 up
+ip -net "$ns2" link set vlan321 up
+
+ip -net "$ns1" addr add 10.1.1.1/24 dev vlan123
+ip -net "$ns2" addr add 10.1.1.2/24 dev vlan321
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table netdev t {
+ chain in_update_vlan {
+ vlan type arp vlan id set 321 counter
+ ip saddr 10.1.1.1 icmp type echo-request vlan id set 321 counter
+ }
+
+ chain in {
+ type filter hook ingress device veth0 priority filter;
+ ether saddr da:d3:00:01:02:03 vlan id 123 jump in_update_vlan
+ }
+
+ chain out_update_vlan {
+ vlan type arp vlan id set 123 counter
+ ip daddr 10.1.1.1 icmp type echo-reply vlan id set 123 counter
+ }
+
+ chain out {
+ type filter hook egress device veth0 priority filter;
+ ether daddr da:d3:00:01:02:03 vlan id 321 jump out_update_vlan
+ }
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.2
+
+set +e
+
+ip netns exec "$ns2" $NFT list ruleset
+ip netns exec "$ns2" $NFT list table netdev t | grep 'counter packets' | grep 'counter packets 0 bytes 0'
+if [ $? -eq 1 ]
+then
+ exit 0
+fi
+
+exit 1
diff --git a/tests/shell/testcases/packetpath/vlan_qinq b/tests/shell/testcases/packetpath/vlan_qinq
new file mode 100755
index 00000000..28655766
--- /dev/null
+++ b/tests/shell/testcases/packetpath/vlan_qinq
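Review bot: The final check in vlan_mangling passes whenever the last `grep` matches nothing, which includes the case where `$NFT list table netdev t` fails or prints no counters at all: after `set +e` the pipeline's status is that of the final `grep`, and an empty input yields 1, so a missing table or a broken listing is reported as success. Require a non-empty counter listing first, e.g. `out=$(ip netns exec "$ns2" $NFT list table netdev t | grep 'counter packets') || exit 1`, then `grep -q 'counter packets 0 bytes 0' <<<"$out" && exit 1` and `exit 0`. The three `grep ... ; [[ $? -eq 0 ]] && exit 1` checks in vlan_qinq have the same blind spot, since a failed `list chain` also gives `grep` empty input.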
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+
+ip -net "$ns1" link add link veth0 name vlan10 type vlan proto 802.1ad id 10
+ip -net "$ns1" link add link vlan10 name vlan10.100 type vlan proto 802.1q id 100
+
+ip -net "$ns2" link add link veth0 name vlan10 type vlan proto 802.1ad id 10
+ip -net "$ns2" link add link vlan10 name vlan10.100 type vlan proto 802.1q id 100
+
+for dev in veth0 vlan10 vlan10.100; do
+ ip -net "$ns1" link set $dev up
+ ip -net "$ns2" link set $dev up
+done
+
+ip -net "$ns1" addr add 10.1.1.1/24 dev vlan10.100
+ip -net "$ns2" addr add 10.1.1.2/24 dev vlan10.100
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table netdev t {
+ chain c1 {
+ type filter hook ingress device veth0 priority filter;
+ ether type 8021ad vlan id 10 vlan type 8021q vlan id 100 vlan type ip counter
+ }
+
+ chain c2 {
+ type filter hook ingress device vlan10 priority filter;
+ vlan id 100 ip daddr 10.1.1.2 counter
+ }
+
+ chain c3 {
+ type filter hook ingress device vlan10.100 priority filter;
+ ip daddr 10.1.1.2 counter
+ }
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.2
+ip netns exec "$ns2" $NFT list ruleset
+
+set +e
+
+ip netns exec "$ns2" $NFT list chain netdev t c1 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+ip netns exec "$ns2" $NFT list chain netdev t c2 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+ip netns exec "$ns2" $NFT list chain netdev t c3 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+exit 0
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0 index 7699e9da..52a42c2f 100755 --- a/tests/shell/testcases/sets/collapse_elem_0 +++ b/tests/shell/testcases/sets/collapse_elem_0 @@ -17,3 +17,9 @@ add element ip a x { 2 } add element ip6 a x { 2 }" $NFT -f - <<< $RULESET + +RULESET="define m = { 3, 4 } +add element ip a x \$m +add element ip a x { 5 }" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft index c713828d..c8ff4347 100644 --- a/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft @@ -23,7 +23,10 @@ "handle": 0, "elem": [ 1, - 2 + 2, + 3, + 4, + 5 ] } }, diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft index a3244fc6..775f0ab1 100644 --- a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft @@ -1,7 +1,7 @@ table ip a { set x { type inet_service - elements = { 1, 2 } + elements = { 1, 2, 3, 4, 5 } } } table ip6 a { diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0 index 016227da..a105acff 100755 --- a/tests/shell/testcases/sets/typeof_sets_0 +++ b/tests/shell/testcases/sets/typeof_sets_0 @@ -4,6 +4,8 @@ # s1 and s2 are identical, they just use different # ways for declaration. +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ip_options) + set -e die() { diff --git a/tests/shell/testcases/transactions/0024rule_0 b/tests/shell/testcases/transactions/0024rule_0 index 4c1ac41d..645319e2 100755 --- a/tests/shell/testcases/transactions/0024rule_0 +++ b/tests/shell/testcases/transactions/0024rule_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_position_id) + RULESET="flush ruleset add table x add chain x y 
diff --git a/tests/shell/testcases/transactions/0049huge_0 b/tests/shell/testcases/transactions/0049huge_0 index f66953c2..698716b2 100755 --- a/tests/shell/testcases/transactions/0049huge_0 +++ b/tests/shell/testcases/transactions/0049huge_0 @@ -42,6 +42,11 @@ if [ "$NFT_TEST_HAVE_json" != n ]; then test $($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\)/\n\1/g' |grep '"handle"' |wc -l) -eq ${RULE_COUNT} || exit 1 fi +if [ "$NFT_TEST_HAVE_inet_nat" = n ]; then + echo "Test partially skipped due to missing inet nat support." + exit 77 +fi + # Now an example from firewalld's testsuite # $NFT flush ruleset |