path: root/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
#!/bin/bash
#
# Adds one rule twice through the nft variant of iptables and compares the
# -vv debug dump of each run against a fixed expectation:
#   1. default mode, where the matches and the TRACE target appear as native
#      nftables expressions (limit, range, meta, ...);
#   2. --compat mode, where the same rule appears as "match name ..." and
#      "target name ..." expressions with explicit bitwise masks.
# The iptables-style rule line printed first is identical in both runs.
#
# Environment: XT_MULTI - the xtables multi-call binary under test.

# Only meaningful for the nft variant; anything else is reported as a skip.
if [[ $XT_MULTI != *xtables-nft-multi ]]; then
  echo "skip $XT_MULTI"
  exit 0
fi

set -e

#######################################
# Run "iptables [extra options] -vv <rule>" and diff its output against the
# expected text.
# Globals:   XT_MULTI (read), rule_args (read)
# Arguments: $1   - expected output; one newline is appended when printed
#            $2.. - options inserted before -vv (none, or --compat)
# Returns:   diff's exit status; with `set -e` active a mismatch ends the
#            script with that status.
#######################################
check_dump() {
  local want=$1
  shift
  # $XT_MULTI stays unquoted exactly as before, so a multi-word value would
  # still be split. NOTE(review): confirm whether the harness relies on that.
  diff -u -Z <(printf '%s\n' "$want") \
    <($XT_MULTI iptables "$@" -vv "${rule_args[@]}")
}

# reduce noise in debug output
# (presumably so the table and chain already exist before the dumps below)
$XT_MULTI iptables -t raw -A OUTPUT
$XT_MULTI iptables -t raw -F

# add all the things which were "optimized" here
rule_args=(-t raw -A OUTPUT)

# prefix matches on class (actually: byte) boundaries no longer need a bitwise
rule_args+=(-s 10.0.0.0/8 -d 192.168.0.0/16)

# these were turned into native matches meanwhile
# (plus -m tcp, but it conflicts with -m udp)
rule_args+=(-m limit --limit 1/min)
rule_args+=(-p udp -m udp --sport 1024:65535)
rule_args+=(-m mark --mark 0xfeedcafe/0xfeedcafe)
rule_args+=(-j TRACE)

# Rule line and table/chain line that both dumps start with.
rule_header='TRACE  udp opt -- in * out *  10.0.0.0/8  -> 192.168.0.0/16   limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
ip raw OUTPUT'

# Default mode. Offsets 12, 16 and 9 in the network header are the IPv4
# source address, destination address and protocol field; 0x11 is UDP.
# The /8 and /16 prefixes are loaded as 1 and 2 bytes with no mask.
# NOTE(review): the multi-byte constants (0x0000a8c0, 0x00000004) look like
# a little-endian host's print of network-order data - confirm on big-endian.
want_native="$rule_header
  [ payload load 1b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 2b @ network header + 16 => reg 1 ]
  [ cmp eq reg 1 0x0000a8c0 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000011 ]
  [ limit rate 1/minute burst 5 type packets flags 0x0 ]
  [ payload load 2b @ transport header + 0 => reg 1 ]
  [ range eq reg 1 0x00000004 0x0000ffff ]
  [ meta load mark => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
  [ cmp eq reg 1 0xfeedcafe ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 9 0x00000001 ]
  [ meta set nftrace with reg 9 ]
"

check_dump "$want_native"

# --compat mode. Addresses are loaded as full 4-byte words and masked with a
# bitwise expression; limit, udp, mark and TRACE show up as extension
# match/target expressions instead of native ones.
want_compat="$rule_header
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 4b @ network header + 16 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x0000a8c0 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000011 ]
  [ match name limit rev 0 ]
  [ match name udp rev 0 ]
  [ match name mark rev 1 ]
  [ counter pkts 0 bytes 0 ]
  [ target name TRACE rev 0 ]
"

check_dump "$want_compat" --compat