From 531a630f9666c495c0a2588609a8f4912a4880b9 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Sat, 9 Mar 2024 00:26:07 +0100 Subject: tests: shell: Add missing json-nft dumps Given that a bunch of issues got fixed, add some more dumps. Also add tests/shell/testcases/owner/dumps/0002-persist.nft while at it, even though it's really small. Signed-off-by: Phil Sutter --- .../testcases/maps/dumps/0010concat_map_0.json-nft | 106 ++++++++++ .../shell/testcases/maps/dumps/0011vmap_0.json-nft | 145 +++++++++++++ .../maps/dumps/0024named_objects_0.json-nft | 165 +++++++++++++++ .../maps/dumps/map_catchall_double_free_2.json-nft | 46 +++++ .../maps/dumps/vmap_mark_bitwise_0.json-nft | 158 ++++++++++++++ .../testcases/maps/dumps/vmap_timeout.json-nft | 229 +++++++++++++++++++++ 6 files changed, 849 insertions(+) create mode 100644 tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft create mode 100644 tests/shell/testcases/maps/dumps/0011vmap_0.json-nft create mode 100644 tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft create mode 100644 tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft create mode 100644 tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft create mode 100644 tests/shell/testcases/maps/dumps/vmap_timeout.json-nft (limited to 'tests/shell/testcases/maps') diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft new file mode 100644 index 00000000..fcc23bb8 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft @@ -0,0 +1,106 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "z", + "table": "x", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ], + "elem": [ + [ + { + "concat": [ + "1.1.1.1", + "tcp", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@z" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft new file mode 100644 index 00000000..8f07378a --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft @@ -0,0 +1,145 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "portmap", + "table": "filter", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "elem": [ + [ + { + "elem": { + "val": 22, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "jump": { + "target": "ssh_input" + } + } + ], + [ + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@portmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + "lo", + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft new file mode 100644 index 00000000..aa2f6f8c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft @@ -0,0 +1,165 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "quota", + "elem": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@test" + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft new file mode 100644 index 00000000..a9d4c8e9 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "testchain", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "testmap", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "*", + { + "jump": { + "target": "testchain" + } + } + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft new file mode 100644 index 00000000..df156411 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft @@ -0,0 +1,158 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "sctm_o0_0", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "sctm_o0_1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "SET_ctmark_RPLYroute", + "handle": 0 + } + }, + { + "counter": { + "family": "ip", + "name": "c_o0_0", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sctm_o0", + "table": "x", + "type": "mark", + "handle": 0, + "map": "verdict", + "elem": [ + [ + 0, + { + "jump": { + "target": "sctm_o0_0" + } + } + ], + [ + 1, + { + "jump": { + "target": "sctm_o0_1" + } + } + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "sctm_o1", + "table": "x", + "type": "mark", + "handle": 0, + "map": "counter", + "elem": [ + [ + 0, + "c_o0_0" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "SET_ctmark_RPLYroute", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "&": [ + { + ">>": [ + { + "meta": { + "key": "mark" + } + }, + 8 + ] + }, + 15 + ] + }, + "data": "@sctm_o0" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "SET_ctmark_RPLYroute", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "&": [ + { + ">>": [ + { + "meta": { + "key": "mark" + } + }, + 8 + ] + }, + 15 + ] + }, + "data": "@sctm_o1" + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft new file mode 100644 index 00000000..1c3aa590 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft @@ -0,0 +1,229 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "log_and_drop", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "other_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "portmap", + "table": "filter", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "flags": [ + "timeout" + ], + "gc-interval": 10, + "elem": [ + [ + 22, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "portaddrmap", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "map": "verdict", + "flags": [ + "timeout" + ], + "gc-interval": 10, + "elem": [ + [ + { + "concat": [ + "1.2.3.4", + 22 + ] + }, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "log_and_drop", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "other_input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "log_and_drop" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@portaddrmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@portmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + "lo", + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} -- cgit v1.2.3