diff options
| author | Laura Garcia Liebana <nevola@gmail.com> | 2018-03-07 22:51:10 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-09 12:45:16 +0100 |
| commit | 7d93e2c2fbc77f05fd7acb63a2acf9874c9ad58f (patch) | |
| tree | 6773a61dcd261a25d525457bf8b6049787345424 /tests/shell/testcases/nft-f | |
| parent | 1870165e0241bd06f96da43edbee0e0e82bfa09d (diff) | |
tests: shell: autogenerate dump verification
Complete the automated shell tests with the verification of
the test file dump, only for positive tests and if the test
execution was successful.
It's able to generate the dump file with the -g option.
Example:
# ./run-tests.sh -g testcases/chains/0001jumps_0
The dump files are generated in the same path in the folder named
dumps/ with .nft extension.
It has been avoided the dump verification code in every test
file.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases/nft-f')
13 files changed, 103 insertions, 59 deletions
diff --git a/tests/shell/testcases/nft-f/0002rollback_rule_0 b/tests/shell/testcases/nft-f/0002rollback_rule_0 index ddeb5423..19690544 100755 --- a/tests/shell/testcases/nft-f/0002rollback_rule_0 +++ b/tests/shell/testcases/nft-f/0002rollback_rule_0 @@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0003rollback_jump_0 b/tests/shell/testcases/nft-f/0003rollback_jump_0 index 6c43df9d..f53fd238 100755 --- a/tests/shell/testcases/nft-f/0003rollback_jump_0 +++ b/tests/shell/testcases/nft-f/0003rollback_jump_0 @@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0004rollback_set_0 b/tests/shell/testcases/nft-f/0004rollback_set_0 index 1dea85ec..7674106f 100755 --- a/tests/shell/testcases/nft-f/0004rollback_set_0 +++ b/tests/shell/testcases/nft-f/0004rollback_set_0 @@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0005rollback_map_0 b/tests/shell/testcases/nft-f/0005rollback_map_0 index 777cc717..ba1fcc59 100755 --- a/tests/shell/testcases/nft-f/0005rollback_map_0 +++ b/tests/shell/testcases/nft-f/0005rollback_map_0 @@ -51,13 +51,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0 index dd03545b..b244d14e 100755 --- a/tests/shell/testcases/nft-f/0008split_tables_0 +++ b/tests/shell/testcases/nft-f/0008split_tables_0 @@ -29,22 +29,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table inet filter { - chain ssh { - type filter hook input priority 0; policy accept; - tcp dport ssh accept - } - - chain input { - type filter hook input priority 1; policy accept; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft new file mode 100644 index 00000000..f6f26158 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft new file mode 100644 index 00000000..f6f26158 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft new file mode 100644 index 00000000..f6f26158 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft new file mode 100644 index 00000000..f6f26158 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft new file mode 100644 index 00000000..1211411f --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft @@ -0,0 +1,10 @@ +table inet filter { + chain ssh { + type filter hook input priority 0; policy accept; + tcp dport ssh accept + } + + chain input { + type filter hook input priority 1; policy accept; + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft new file mode 100644 index 00000000..a793751b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft @@ -0,0 +1,7 @@ +table inet forward { + set concat-set-variable { + type ipv4_addr . inet_service + elements = { 10.10.10.10 . smtp, + 10.10.10.10 . imap2 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0010variable_0.nft b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft new file mode 100644 index 00000000..1f3d05e8 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft @@ -0,0 +1,6 @@ +table inet filter { + set whitelist_v4 { + type ipv4_addr + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft new file mode 100644 index 00000000..e9eef4b1 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft @@ -0,0 +1,16 @@ +table inet t { + chain c { + iifname "whatever" oifname "whatever" iif "lo" oif "lo" + iifname { "whatever" } iif { "lo" } mark 0x0000007b + ct state established,related,new + ct state != established | related | new + ip saddr 10.0.0.0 ip saddr 10.0.0.0 ip daddr 10.0.0.2 + ip6 daddr fe0::1 ip6 saddr fe0::2 + ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept } + ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept } + ip6 saddr . ip6 nexthdr { fe0::1 . udp, fe0::2 . tcp } + ip daddr . iif vmap { 10.0.0.0 . "lo" : accept } + tcp dport 100-222 + udp dport vmap { 100-222 : accept } + } +} |