From 77906e68f3c22de8ae74106ed59552a236970d83 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Fri, 1 Mar 2024 13:59:38 +0100 Subject: tests: add test case for named ct objects Add a dedicated test for named conntrack objects: timeouts, helpers and expectations. A json dump file is not added because the json input code does not support "typeof" declarations for sets/maps. Signed-off-by: Florian Westphal --- .../testcases/maps/dumps/named_ct_objects.nft | 71 ++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 tests/shell/testcases/maps/dumps/named_ct_objects.nft (limited to 'tests/shell/testcases/maps/dumps/named_ct_objects.nft') diff --git a/tests/shell/testcases/maps/dumps/named_ct_objects.nft b/tests/shell/testcases/maps/dumps/named_ct_objects.nft new file mode 100644 index 00000000..59f18932 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_ct_objects.nft @@ -0,0 +1,71 @@ +table inet t { + ct expectation exp1 { + protocol tcp + dport 9876 + timeout 1m + size 12 + l3proto ip + } + + ct expectation exp2 { + protocol tcp + dport 9876 + timeout 3s + size 13 + l3proto ip6 + } + + ct helper myftp { + type "ftp" protocol tcp + l3proto inet + } + + ct timeout dns { + protocol tcp + l3proto ip + policy = { established : 3s, close : 1s } + } + + map exp { + typeof ip saddr : ct expectation + elements = { 192.168.2.2 : "exp1" } + } + + map exp6 { + typeof ip6 saddr : ct expectation + flags interval + elements = { dead:beef::/64 : "exp2" } + } + + map helpobj { + typeof ip6 saddr : ct helper + flags interval + elements = { dead:beef::/64 : "myftp" } + } + + map timeoutmap { + typeof ip daddr : ct timeout + elements = { 192.168.0.1 : "dns" } + } + + set helpname { + typeof ct helper + elements = { "sip", + "ftp" } + } + + chain y { + ct expectation set ip saddr map @exp + ct expectation set ip6 saddr map { dead::beef : "exp2" } + ct expectation set ip6 daddr map { dead::beef : "exp2", feed::17 : "exp2" } + ct expectation set ip6 daddr . tcp dport map { feed::17 . 512 : "exp2", dead::beef . 123 : "exp2" } + ct helper set ip6 saddr map { 1c3::c01d : "myftp", dead::beef : "myftp" } + ct helper set ip6 saddr map @helpobj + ct timeout set ip daddr map @timeoutmap + ct timeout set ip daddr map { 1.2.3.4 : "dns", 5.6.7.8 : "dns", 192.168.8.0/24 : "dns" } + ct timeout set ip daddr map { 1.2.3.4-1.2.3.8 : "dns" } + ct timeout set ip6 daddr map { 1ce::/64 : "dns", dead::beef : "dns" } + ct helper @helpname accept + ip saddr 192.168.1.1 ct timeout set "dns" + } +} -- cgit v1.2.3