From fac10ea799fe9b6158d74f66d6ad46536d38a545 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Wed, 18 Mar 2009 04:55:00 +0100
Subject: Initial commit
---
 tests/dictionary | 52 +++++++++++++++++++++++++++++++++++++++
 tests/expr-concat | 19 ++++++++++++++
 tests/expr-ct | 26 ++++++++++++++++++++
 tests/expr-meta | 40 ++++++++++++++++++++++++++++++
 tests/family-bridge | 13 ++++++++++
 tests/family-ipv4 | 10 ++++++++
 tests/family-ipv6 | 10 ++++++++
 tests/feat-adjancent-load-merging | 13 ++++++++++
 tests/obj-chain | 22 +++++++++++++++++
 tests/obj-table | 11 +++++++++
 tests/payload-ll | 15 +++++++++++
 tests/prefix | 5 ++++
 tests/set | 14 +++++++++++
 tests/stmt-log | 6 +++++
 14 files changed, 256 insertions(+)
 create mode 100755 tests/dictionary
 create mode 100755 tests/expr-concat
 create mode 100755 tests/expr-ct
 create mode 100755 tests/expr-meta
 create mode 100755 tests/family-bridge
 create mode 100755 tests/family-ipv4
 create mode 100755 tests/family-ipv6
 create mode 100755 tests/feat-adjancent-load-merging
 create mode 100755 tests/obj-chain
 create mode 100755 tests/obj-table
 create mode 100755 tests/payload-ll
 create mode 100755 tests/prefix
 create mode 100755 tests/set
 create mode 100755 tests/stmt-log
(limited to 'tests')
diff --git a/tests/dictionary b/tests/dictionary
new file mode 100755
index 00000000..20d53570
--- /dev/null
+++ b/tests/dictionary
@@ -0,0 +1,52 @@
+#! nft -f
+#
+table add ip filter
+chain add ip filter OUTPUT NF_INET_LOCAL_OUT 0
+
+chain add ip filter chain1
+rule add ip filter chain1 handle 1 counter
+
+chain add ip filter chain2
+rule add ip filter chain2 handle 1 counter
+
+# must succeed: expr { expr, ... }
+rule add ip filter OUTPUT ip protocol 6 tcp dport { \
+ 22, \
+ 23, \
+}
+
+# must fail: expr { type1, type2, ... }
+rule add ip filter OUTPUT ip protocol 6 tcp dport { \
+ 22, \
+ 192.168.0.1, \
+}
+
+# must succeed: expr { expr => verdict, ... }
+rule add ip filter OUTPUT ip protocol 6 tcp dport { \
+ 22 => jump chain1, \
+ 23 => jump chain2, \
+}
+
+# must fail: expr { expr => verdict, expr => expr, ... }
+rule add ip filter OUTPUT ip protocol 6 tcp dport { \
+ 22 => jump chain1, \
+ 23 => 0x100, \
+}
+
+# must fail: expr { expr => expr, ...}
+rule add ip filter OUTPUT ip protocol 6 tcp dport { \
+ 22 => 0x100, \
+ 23 => 0x200, \
+}
+
+# must succeed: expr MAP { expr => expr, ... } expr
+rule add ip filter OUTPUT ip protocol 6 map tcp dport { \
+ 22 => 1, \
+ 23 => 2, \
+} 2
+
+# must fail: expr MAP { expr => type1, expr => type2, .. } expr
+rule add ip filter OUTPUT ip protocol 6 map tcp dport { \
+ 22 => 1, \
+ 23 => 192.168.0.1, \
+} 2
diff --git a/tests/expr-concat b/tests/expr-concat
new file mode 100755
index 00000000..d9c553b6
--- /dev/null
+++ b/tests/expr-concat
@@ -0,0 +1,19 @@
+#! nft -f
+
+# Concat element mismatch
+rule add ip filter output ip daddr . tcp sport . tcp dport { \
+ 192.168.0.1 . 22, \
+ 192.168.0.1 . 80, \
+}
+
+# Concat type mismatch
+rule add ip filter output ip daddr . tcp dport { \
+ 192.168.0.1 . 192.168.0.2, \
+ 192.168.0.1 . 192.168.0.3, \
+}
+
+# Concat expression
+rule add ip filter output ip daddr . tcp dport { \
+ 192.168.0.1 . 22, \
+ 192.168.0.1 . 80, \
+}
diff --git a/tests/expr-ct b/tests/expr-ct
new file mode 100755
index 00000000..8391c3ec
--- /dev/null
+++ b/tests/expr-ct
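Review bot: The expected outcome of each case lives only in the `# must succeed` / `# must fail` comments, so a harness running `nft -f tests/dictionary` cannot distinguish an expected rejection from a regression, and if the loader stops at the first error the blocks after the first `must fail` case never execute. Either split the negative cases into their own fixtures or document the convention at the top, e.g. replace the bare `#` on line 2 with `# 'must fail' blocks are expected to be rejected; run each block separately`. The base chain is named `OUTPUT` here (and in tests/prefix) but `output` in every other fixture, which makes the scripts awkward to combine.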
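Review bot: This fixture references `ip filter output` without creating the table or chain first, unlike tests/expr-ct and tests/expr-meta which begin with `table add ip filter` / `chain add ip filter output NF_INET_LOCAL_OUT 0`, so it only loads on top of state left behind by another script; tests/feat-adjancent-load-merging and tests/prefix have the same gap. The first two blocks are negative cases, but nothing marks them as such the way tests/dictionary does; `# Concat element mismatch (must fail)` and `# Concat type mismatch (must fail)` would make the intent explicit.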
@@ -0,0 +1,26 @@
+#! nft -f
+
+table add ip filter
+chain add ip filter output NF_INET_LOCAL_OUT 0
+
+# ct: state
+rule add ip filter output ct state 0 counter
+
+# ct: direction original/reply
+rule add ip filter output ct direction 0 counter
+rule add ip filter output ct direction 1 counter
+
+# ct: status
+rule add ip filter output ct status 0 counter
+
+# ct: mark
+rule add ip filter output ct mark 0 counter
+
+# ct: secmark
+rule add ip filter output ct secmark 0 counter
+
+# ct: expiration
+rule add ip filter output ct expiration 30 counter
+
+# ct: helper ftp
+rule add ip filter output ct helper "ftp" counter
diff --git a/tests/expr-meta b/tests/expr-meta
new file mode 100755
index 00000000..122d2895
--- /dev/null
+++ b/tests/expr-meta
@@ -0,0 +1,40 @@
+#! nft -f
+
+table add ip filter
+chain add ip filter output NF_INET_LOCAL_OUT 0
+
+# meta: skb len
+rule add ip filter output meta length 1000 counter
+
+# meta: skb protocol
+rule add ip filter output meta protocol 0x0800 counter
+
+# meta: skb mark
+rule add ip filter output meta mark 0 counter
+
+# meta: skb iif
+rule add ip filter output meta iif 1 counter
+
+# meta: skb iifname
+rule add ip filter output meta iifname "eth0" counter
+
+# meta: skb oif
+rule add ip filter output meta oif 1 counter
+
+# meta: skb oifname
+rule add ip filter output meta oifname "eth0" counter
+
+# meta: skb sk uid
+rule add ip filter output meta skuid 1000 counter
+
+# meta: skb sk gid
+rule add ip filter output meta skgid 1000 counter
+
+# meta: nftrace - broken, probably should be removed to avoid abuse
+#rule add ip filter output meta nftrace 0 counter
+
+# meta: rtclassid
+rule add ip filter output meta rtclassid 1 counter
+
+# meta: secmark
+rule add ip filter output meta secmark 0 counter
diff --git a/tests/family-bridge b/tests/family-bridge
new file mode 100755
index 00000000..633211fb
--- /dev/null
+++ b/tests/family-bridge
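Review bot: The `ct direction` rules use bare 0 and 1 with only `original/reply` in the heading, and `ct expiration 30` carries no unit, so a reader cannot check the values against the comments. Suggest `# ct: direction (0 = original, 1 = reply)` and a unit on the expiration heading — presumably seconds, confirm against the ct expression parser. The `ct helper "ftp"` case looks like it depends on the ftp conntrack helper being present on the host that runs the fixture; a one-line note of that prerequisite would save a confusing failure later.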
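Review bot: The disabled nftrace case is annotated `broken, probably should be removed to avoid abuse`, which mixes a bug report with a design decision and leaves the next reader unsure whether to re-enable the rule once the bug is fixed. Record which it is, e.g. `# meta: nftrace - disabled: matching is broken, and whether rules should be able to touch the trace flag at all is still undecided` with a pointer to wherever that decision is tracked. `meta iif 1` / `meta oif 1` and the `"eth0"` names are host-specific; since the fixture only exercises parsing, a note that the interface need not exist would pre-empt the obvious question.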
@@ -0,0 +1,13 @@
+#! nft -f
+
+table add bridge filter
+chain add bridge filter output NF_INET_LOCAL_OUT 0
+
+# LL protocol
+rule add bridge filter output eth type 0x0800 counter
+
+# IP address
+rule add bridge filter output eth type 0x0800 ip daddr 20.0.0.2 counter
+
+# IPv6 address
+rule add bridge filter output eth type 0x86DD ip6 daddr 2001:6f8:974:3::2 counter
diff --git a/tests/family-ipv4 b/tests/family-ipv4
new file mode 100755
index 00000000..7c28bb43
--- /dev/null
+++ b/tests/family-ipv4
@@ -0,0 +1,10 @@
+#! nft -f
+
+table add ip filter
+chain add ip filter output NF_INET_LOCAL_OUT 0
+
+# IP address
+rule add ip filter output ip daddr 192.168.0.1 counter
+
+# TCP ports
+rule add ip filter output ip protocol 6 tcp dport 22 counter
diff --git a/tests/family-ipv6 b/tests/family-ipv6
new file mode 100755
index 00000000..7cf54d6f
--- /dev/null
+++ b/tests/family-ipv6
@@ -0,0 +1,10 @@
+#! nft -f
+
+table add ip6 filter
+chain add ip6 filter output NF_INET_LOCAL_OUT 0
+
+# IP address
+rule add ip6 filter output ip6 daddr 2001:6f8:974::1 counter
+
+# TCP ports
+rule add ip6 filter output ip6 nexthdr 6 tcp dport 22 counter
diff --git a/tests/feat-adjancent-load-merging b/tests/feat-adjancent-load-merging
new file mode 100755
index 00000000..9c41f509
--- /dev/null
+++ b/tests/feat-adjancent-load-merging
@@ -0,0 +1,13 @@
+#! nft -f
+
+# adjacent payload expressions: 4 bytes in order
+rule add filter output ip protocol 6 tcp sport 1024 tcp dport 22 counter
+
+# adjacent payload expressions: 8 bytes in order
+rule add filter output ip saddr 192.168.0.1 ip daddr 192.168.0.100 counter
+
+# adjacent payload expressions: 8 bytes in order
+rule add filter output tcp sequence 0 tcp sport 1024 tcp dport 22
+
+# adjacent payload expressions: 8 bytes in reverse order
+rule add filter output tcp sport 1024 tcp dport 22 tcp sequence 0
diff --git a/tests/obj-chain b/tests/obj-chain
new file mode 100755
index 00000000..8422f3a3
--- /dev/null
+++ b/tests/obj-chain
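Review bot: The bridge base chain is registered with `NF_INET_LOCAL_OUT`, the hook name copied from the ip fixtures; if the bridge family has its own hook names, this registers the right hook only by coincidence of value rather than by name. Confirm which hook identifiers the parser accepts for `bridge` and, if a bridge-specific one exists, use it on the `chain add bridge filter output` line so the fixture also exercises that lookup.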
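Review bot: The third and fourth comments appear swapped: `tcp sequence 0 tcp sport 1024 tcp dport 22` lists the 4-byte sequence field (header offset 4) before sport (offset 0) and dport (offset 2), so it is the reverse-order case, while `tcp sport 1024 tcp dport 22 tcp sequence 0` follows header order; either swap the two comment lines or state that "in order" means something other than header offset. The filename `feat-adjancent-load-merging` misspells "adjacent" although the comments inside spell it correctly; renaming it now, before other tooling refers to it, is cheap. The rules also omit the family and the table/chain setup the other fixtures provide, and the last two rules carry no statement while the first two end in `counter`, so a reader cannot tell whether that difference is deliberate.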
@@ -0,0 +1,22 @@
+#! nft -f
+
+table add filter
+
+# chains: add and delete chain
+chain add filter testchain
+chain delete filter testchain
+
+# chains: add and delete base chain
+chain add filter input NF_INET_LOCAL_OUT 0
+chain delete filter input NF_INET_LOCAL_OUT 0
+
+# chains: can not delete chain while referenced
+chain add filter testchain
+chain add filter testchain2
+
+rule add filter testchain handle 1 jump testchain2
+chain delete filter testchain2
+rule delete filter testchain handle 1
+
+chain delete filter testchain2
+chain delete filter testchain
diff --git a/tests/obj-table b/tests/obj-table
new file mode 100755
index 00000000..3c3e222a
--- /dev/null
+++ b/tests/obj-table
@@ -0,0 +1,11 @@
+#! nft -f
+
+# table: add and delete table
+table add filter
+table delete filter
+
+# table: deleting table with chain must fail
+# FIXME: not implemented
+# table add filter
+# chain add filter output
+# table delete filter
diff --git a/tests/payload-ll b/tests/payload-ll
new file mode 100755
index 00000000..8d2480ac
--- /dev/null
+++ b/tests/payload-ll
@@ -0,0 +1,15 @@
+#! nft -f
+
+table add ip filter
+chain add ip filter input NF_INET_LOCAL_IN 0
+
+# mac source
+rule add ip filter input @ll,48,48 00:15:e9:f0:10:f8 counter
+
+# mac dest
+rule add ip filter input @ll,0,48 00:1b:21:02:6f:ad counter
+
+# mac source and mac dest
+rule add ip filter input @ll,0,48 00:1b:21:02:6f:ad \
+ @ll,48,48 00:15:e9:f0:10:f8 \
+ counter
diff --git a/tests/prefix b/tests/prefix
new file mode 100755
index 00000000..139f13cc
--- /dev/null
+++ b/tests/prefix
@@ -0,0 +1,5 @@
+rule add filter OUTPUT meta mark 123/0x000000ff
+rule add filter OUTPUT ip daddr 192.168.0.0/24
+rule add filter OUTPUT ip daddr 192.168.0.0/255.255.255.0
+rule add filter OUTPUT ip saddr . ip daddr 192.168.0.0/24 . 192.168.0.0/24
+rule add filter OUTPUT ip daddr { 192.168.0.0/24, 192.168.1.0/24}
diff --git a/tests/set b/tests/set
new file mode 100755
index 00000000..17fb2183
--- /dev/null
+++ b/tests/set
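Review bot: The base-chain case names the chain `input` but registers it on `NF_INET_LOCAL_OUT`; tests/payload-ll pairs `input` with `NF_INET_LOCAL_IN`, so this looks copied from an output fixture and should probably read `chain add filter input NF_INET_LOCAL_IN 0` together with the matching `chain delete` line. The referenced-chain case relies on `chain delete filter testchain2` being rejected while the jump rule exists, but nothing marks that line as an expected failure; `# must fail: testchain2 is referenced by the jump rule above` would state the contract in the convention tests/dictionary already uses.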
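Review bot: The raw payload selectors `@ll,0,48` and `@ll,48,48` are magic numbers with nothing explaining the `@base,offset,length` form or its unit, and the headings only say "mac source" / "mac dest". A header comment such as `# raw link-layer loads: @ll,<offset>,<length>, both in bits (dest MAC at 0, source MAC at 48)` would let a reader verify the offsets against the Ethernet header; the values are consistent with that layout if bits is the unit — confirm against the payload expression parser.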
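Review bot: This file lacks the `#! nft -f` interpreter line every other fixture starts with, yet it is created with mode 100755, so running it directly will not work; add `#! nft -f` as the first line. It also has no table or chain setup and no address family, so like tests/expr-concat it only loads on top of state left by another script. The closing brace in `{ 192.168.0.0/24, 192.168.1.0/24}` is spaced differently from `{ 22, 23 }` in tests/set; harmless unless the parser is whitespace-sensitive, but worth normalising.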
@@ -0,0 +1,14 @@
+#! nft -f
+
+table add filter
+chain add filter output NF_INET_LOCAL_OUT 0
+
+# set: IP addresses
+rule add filter output ip daddr { \
+ 192.168.0.1, \
+ 192.168.0.2, \
+ 192.168.0.3, \
+}
+
+# set: tcp ports
+rule add filter output ip protocol 6 tcp dport { 22, 23 } counter
diff --git a/tests/stmt-log b/tests/stmt-log
new file mode 100755
index 00000000..c2d0f868
--- /dev/null
+++ b/tests/stmt-log
@@ -0,0 +1,6 @@
+#! nft -f
+
+table add ip filter
+chain add ip filter output NF_INET_LOCAL_OUT 0
+
+rule add ip filter output log saddr "prefix" group 0 counter
-- 
cgit v1.2.3
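Review bot: The two rules are inconsistent: the IP-address set rule ends without a statement while the port rule ends in `counter`, so a reader cannot tell whether the first is checking that a match-only rule is accepted or simply dropped the statement; either append `counter` or note the omission in the `# set: IP addresses` heading. `table add filter` and both rules omit the address family that tests/family-ipv4 and tests/expr-ct spell out; tests/obj-chain, tests/obj-table and tests/feat-adjancent-load-merging do the same, so presumably a default family applies — a comment naming it would help.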
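Review bot: The single log rule has no heading, and `log saddr "prefix" group 0` is not self-explanatory: it is unclear whether `saddr` is a log option or a leftover placeholder, and what `group 0` selects. A heading such as `# log: prefix and group arguments` — worded to match what the parser actually accepts — would bring this file in line with the expr fixtures, which give every rule a `# …` heading.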