From 1b25bfa4b2f6b14dbee569ff467ea4d495abcc81 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 22 Jun 2016 13:18:56 +0200 Subject: tests: shell: cover transactions via nft -f using flat syntax This patch covers transactions using the flat syntax representation, eg. add table x add chain x y { type filter hook forward priority 0; } add chain x y { policy drop; } This also covers things like: add element x whitelist { 1.1.1.1 } delete element x whitelist { 1.1.1.1 } The one above may look silly from a human behaviour point of view, but silly robots may very well behave like this. These tests require several kernel patches though in order to pass successfully. 
Signed-off-by: Pablo Neira Ayuso Acked-by: Arturo Borrero Gonzalez --- tests/shell/testcases/transactions/0001table_0 | 36 +++++++++++++++++++++ tests/shell/testcases/transactions/0002table_0 | 35 +++++++++++++++++++++ tests/shell/testcases/transactions/0003table_0 | 32 +++++++++++++++++++ tests/shell/testcases/transactions/0010chain_0 | 37 ++++++++++++++++++++++ tests/shell/testcases/transactions/0011chain_0 | 38 +++++++++++++++++++++++ tests/shell/testcases/transactions/0012chain_0 | 42 +++++++++++++++++++++++++ tests/shell/testcases/transactions/0013chain_0 | 43 ++++++++++++++++++++++++++ tests/shell/testcases/transactions/0014chain_1 | 20 ++++++++++++ tests/shell/testcases/transactions/0020rule_0 | 33 ++++++++++++++++++++ tests/shell/testcases/transactions/0021rule_0 | 40 ++++++++++++++++++++++++ tests/shell/testcases/transactions/0022rule_1 | 21 +++++++++++++ tests/shell/testcases/transactions/0023rule_1 | 20 ++++++++++++ tests/shell/testcases/transactions/0030set_0 | 34 ++++++++++++++++++++ tests/shell/testcases/transactions/0031set_0 | 37 ++++++++++++++++++++++ tests/shell/testcases/transactions/0032set_0 | 38 +++++++++++++++++++++++ tests/shell/testcases/transactions/0033set_0 | 33 ++++++++++++++++++++ tests/shell/testcases/transactions/0034set_0 | 37 ++++++++++++++++++++++ tests/shell/testcases/transactions/0035set_0 | 40 ++++++++++++++++++++++++ tests/shell/testcases/transactions/0036set_1 | 22 +++++++++++++ tests/shell/testcases/transactions/0037set_0 | 38 +++++++++++++++++++++++ tests/shell/testcases/transactions/0038set_0 | 41 ++++++++++++++++++++++++ tests/shell/testcases/transactions/0039set_0 | 41 ++++++++++++++++++++++++ 22 files changed, 758 insertions(+) create mode 100755 tests/shell/testcases/transactions/0001table_0 create mode 100755 tests/shell/testcases/transactions/0002table_0 create mode 100755 tests/shell/testcases/transactions/0003table_0 create mode 100755 tests/shell/testcases/transactions/0010chain_0 create mode 100755 
tests/shell/testcases/transactions/0011chain_0 create mode 100755 tests/shell/testcases/transactions/0012chain_0 create mode 100755 tests/shell/testcases/transactions/0013chain_0 create mode 100755 tests/shell/testcases/transactions/0014chain_1 create mode 100755 tests/shell/testcases/transactions/0020rule_0 create mode 100755 tests/shell/testcases/transactions/0021rule_0 create mode 100755 tests/shell/testcases/transactions/0022rule_1 create mode 100755 tests/shell/testcases/transactions/0023rule_1 create mode 100755 tests/shell/testcases/transactions/0030set_0 create mode 100755 tests/shell/testcases/transactions/0031set_0 create mode 100755 tests/shell/testcases/transactions/0032set_0 create mode 100755 tests/shell/testcases/transactions/0033set_0 create mode 100755 tests/shell/testcases/transactions/0034set_0 create mode 100755 tests/shell/testcases/transactions/0035set_0 create mode 100755 tests/shell/testcases/transactions/0036set_1 create mode 100755 tests/shell/testcases/transactions/0037set_0 create mode 100755 tests/shell/testcases/transactions/0038set_0 create mode 100755 tests/shell/testcases/transactions/0039set_0
diff --git a/tests/shell/testcases/transactions/0001table_0 b/tests/shell/testcases/transactions/0001table_0
new file mode 100755
index 00000000..0bde1018
--- /dev/null
+++ b/tests/shell/testcases/transactions/0001table_0
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+delete table x
+add table x
+add table y"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+}
+table ip y {
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
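Review bot: With `set -e` at the top of 0001table_0, a failing `$NFT -f $tmpfile` ends the script on that line, so the `if [ $? -ne 0 ]` branch after it never runs and "E: unable to load good ruleset" is never printed; `if ! $NFT -f "$tmpfile"; then` keeps the diagnostic. The `[ ! -w $tmpfile ]` guard is unreachable for the same reason (a failed `mktemp` already aborts the script), and if it did fire, its `exit 0` would end the script with success although nothing was loaded. `trap "rm -rf $tmpfile" EXIT` expands the unquoted path at the moment the trap is set; `trap 'rm -f -- "$tmpfile"' EXIT` does not depend on the path being free of spaces or glob characters. The same preamble and load check are repeated in every other file this patch adds.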
diff --git a/tests/shell/testcases/transactions/0002table_0 b/tests/shell/testcases/transactions/0002table_0
new file mode 100755
index 00000000..c5f319e4
--- /dev/null
+++ b/tests/shell/testcases/transactions/0002table_0
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+delete table x
+add table x
+add table x { flags dormant; }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ flags dormant
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0003table_0 b/tests/shell/testcases/transactions/0003table_0
new file mode 100755
index 00000000..f17285e5
--- /dev/null
+++ b/tests/shell/testcases/transactions/0003table_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add table y
+flush ruleset"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED=""
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0010chain_0 b/tests/shell/testcases/transactions/0010chain_0
new file mode 100755
index 00000000..f4c1fbd1
--- /dev/null
+++ b/tests/shell/testcases/transactions/0010chain_0
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+flush ruleset
+add table w
+add chain w y"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip w {
+ chain y {
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0011chain_0 b/tests/shell/testcases/transactions/0011chain_0
new file mode 100755
index 00000000..71afa6ed
--- /dev/null
+++ b/tests/shell/testcases/transactions/0011chain_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+delete chain x y
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ chain y {
+ type filter hook input priority 0; policy drop;
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0012chain_0 b/tests/shell/testcases/transactions/0012chain_0
new file mode 100755
index 00000000..757bc750
--- /dev/null
+++ b/tests/shell/testcases/transactions/0012chain_0
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+flush ruleset
+add table x
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }
+flush ruleset
+add table w
+add chain w y { type filter hook output priority 0; }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip w {
+ chain y {
+ type filter hook output priority 0; policy accept;
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0013chain_0 b/tests/shell/testcases/transactions/0013chain_0
new file mode 100755
index 00000000..2c75bd4f
--- /dev/null
+++ b/tests/shell/testcases/transactions/0013chain_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+delete chain x y
+delete table x
+add table x
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }
+flush ruleset
+add table w
+add chain w y { type filter hook output priority 0; }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip w {
+ chain y {
+ type filter hook output priority 0; policy accept;
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0014chain_1 b/tests/shell/testcases/transactions/0014chain_1
new file mode 100755
index 00000000..a03ef126
--- /dev/null
+++ b/tests/shell/testcases/transactions/0014chain_1
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+delete chain x y
+delete chain x y"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+echo "E: allowing double-removal of chain" >&2
diff --git a/tests/shell/testcases/transactions/0020rule_0 b/tests/shell/testcases/transactions/0020rule_0
new file mode 100755
index 00000000..1ad43625
--- /dev/null
+++ b/tests/shell/testcases/transactions/0020rule_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+add rule x y ip saddr 1.1.1.1 counter
+flush ruleset"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED=""
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0021rule_0 b/tests/shell/testcases/transactions/0021rule_0
new file mode 100755
index 00000000..2467124f
--- /dev/null
+++ b/tests/shell/testcases/transactions/0021rule_0
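Review bot: 0014chain_1 accepts any non-zero exit of `$NFT -f $tmpfile` as the expected rejection, because `set -e` ends the script on that line with whatever status nft returned; a parse error or a missing privilege would satisfy it as well as the double `delete chain`. It also never checks that the rejected batch left nothing applied, which is presumably the property a transaction test is for: after the failure `$NFT list ruleset` should print nothing, assuming each case starts from an empty ruleset as the exact-match comparisons in the `_0` cases suggest. 0022rule_1, 0023rule_1 and 0036set_1 have the same shape and in addition send nft's stderr to /dev/null, so the ENOENT or ELOOP named in their comments is never observed. The tail below is one way to add the check, keeping what appears to be the convention that a `_1` suffix means exit status 1 is the expected result.

```shell
echo "$RULESET" > $tmpfile
if $NFT -f $tmpfile; then
	echo "E: allowing double-removal of chain" >&2
	exit 0
fi

# a rejected batch must not leave part of itself applied
if [ -n "$($NFT list ruleset)" ]; then
	echo "E: rejected transaction left state behind" >&2
	exit 0
fi
exit 1
```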
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+add rule x y ip saddr 1.1.1.1 counter
+flush ruleset
+add table x
+add chain x y
+add rule x y ip saddr 2.2.2.2 counter"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ chain y {
+ ip saddr 2.2.2.2 counter packets 0 bytes 0
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0022rule_1 b/tests/shell/testcases/transactions/0022rule_1
new file mode 100755
index 00000000..5b937acd
--- /dev/null
+++ b/tests/shell/testcases/transactions/0022rule_1
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+delete chain x y
+add rule x y jump y"
+
+echo "$RULESET" > $tmpfile
+# kernel must return ENOENT
+$NFT -f $tmpfile 2>/dev/null
+echo "E: allowing jump loop to unexisting chain"
diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
new file mode 100755
index 00000000..4c4e24cd
--- /dev/null
+++ b/tests/shell/testcases/transactions/0023rule_1
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add chain x y
+add rule x y jump y"
+
+echo "$RULESET" > $tmpfile
+# kernel must return ELOOP
+$NFT -f $tmpfile 2>/dev/null
+echo "E: allowing jump to chain loop"
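Review bot: In 0022rule_1 the last command, `add rule x y jump y`, names the deleted chain `y` both as the chain the rule is added to and as the jump target, so the batch is rejected whichever of the two lookups fails and the case does not isolate a jump to a missing chain. Keeping a second chain alive to hold the rule would separate them, e.g. `add chain x z` in the ruleset and `add rule x z jump y` as the final command. The failure message also says "jump loop" although the comment expects ENOENT rather than ELOOP, and both this file and 0023rule_1 print their "E:" line to stdout where 0014chain_1 uses `>&2`.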
diff --git a/tests/shell/testcases/transactions/0030set_0 b/tests/shell/testcases/transactions/0030set_0
new file mode 100755
index 00000000..1fefb944
--- /dev/null
+++ b/tests/shell/testcases/transactions/0030set_0
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+flush ruleset
+add table x"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0031set_0 b/tests/shell/testcases/transactions/0031set_0
new file mode 100755
index 00000000..87848b4b
--- /dev/null
+++ b/tests/shell/testcases/transactions/0031set_0
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+delete set x y
+add set x y { type ipv4_addr; }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ set y {
+ type ipv4_addr
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0032set_0 b/tests/shell/testcases/transactions/0032set_0
new file mode 100755
index 00000000..d4d7e7ed
--- /dev/null
+++ b/tests/shell/testcases/transactions/0032set_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+flush ruleset
+add table w
+add set w y { type ipv4_addr; }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip w {
+ set y {
+ type ipv4_addr
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0033set_0 b/tests/shell/testcases/transactions/0033set_0
new file mode 100755
index 00000000..b73b6fc8
--- /dev/null
+++ b/tests/shell/testcases/transactions/0033set_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+delete set x y"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0034set_0 b/tests/shell/testcases/transactions/0034set_0
new file mode 100755
index 00000000..25e65007
--- /dev/null
+++ b/tests/shell/testcases/transactions/0034set_0
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1 }
+delete element x y { 1.1.1.1 }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ set y {
+ type ipv4_addr
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0035set_0 b/tests/shell/testcases/transactions/0035set_0
new file mode 100755
index 00000000..a014a69e
--- /dev/null
+++ b/tests/shell/testcases/transactions/0035set_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1, 2.2.2.2 }
+delete element x y { 1.1.1.1 }
+delete element x y { 2.2.2.2 }
+add element x y { 3.3.3.3 }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ set y {
+ type ipv4_addr
+ elements = { 3.3.3.3}
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0036set_1 b/tests/shell/testcases/transactions/0036set_1
new file mode 100755
index 00000000..46f94573
--- /dev/null
+++ b/tests/shell/testcases/transactions/0036set_1
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1, 2.2.2.2 }
+delete element x y { 1.1.1.1 }
+delete element x y { 1.1.1.1 }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile 2> /dev/null
+# Kernel must return ENOENT
+echo "E: allowing double-removal of element"
diff --git a/tests/shell/testcases/transactions/0037set_0 b/tests/shell/testcases/transactions/0037set_0
new file mode 100755
index 00000000..3e48c801
--- /dev/null
+++ b/tests/shell/testcases/transactions/0037set_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 1.1.1.0/24 }
+delete element x y { 1.1.1.0/24 }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0038set_0 b/tests/shell/testcases/transactions/0038set_0
new file mode 100755
index 00000000..2e36fa31
--- /dev/null
+++ b/tests/shell/testcases/transactions/0038set_0
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 192.168.0.0/24, 192.168.2.0/24 }
+delete element x y { 192.168.0.0/24 }
+delete element x y { 192.168.2.0/24 }
+add element x y { 192.168.4.0/24 }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.4.0/24}
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0039set_0 b/tests/shell/testcases/transactions/0039set_0
new file mode 100755
index 00000000..2e36fa31
--- /dev/null
+++ b/tests/shell/testcases/transactions/0039set_0
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 192.168.0.0/24, 192.168.2.0/24 }
+delete element x y { 192.168.0.0/24 }
+delete element x y { 192.168.2.0/24 }
+add element x y { 192.168.4.0/24 }"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
+
+EXPECTED="table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.4.0/24}
+ }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
-- cgit v1.2.3
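Review bot: 0039set_0 is the same script as 0038set_0: both file headers show `index 00000000..2e36fa31`, and the RULESET and EXPECTED blocks are identical line for line, so the second file adds no coverage. If a different interval case was intended (the visible lines do not say which), its RULESET and EXPECTED need to differ from 0038set_0; otherwise the file can be dropped.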