author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-03-28 17:53:39 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-03-29 10:33:40 +0200 |
commit | 64bb3f43bb96bb43a478f695f5aea5f4ab50fd4b (patch) | |
tree | 3da0c0f453a9842bbd74adca383637773f0efca6 /tests/shell | |
parent | ff0f30e35db56da4282a477df0f334ce636915ba (diff) |
src: allow to use typeof of raw expressions in set declaration
Use the dynamic datatype to allocate an instance of TYPE_INTEGER and set
length and byteorder. Add missing information to the set userdata area
for raw payload expressions which allows to rebuild the set typeof from
the listing path.
A few examples:
- With anonymous sets:
nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
- With named sets:
table x {
set y {
typeof ip saddr . @ih,32,32
elements = { 1.1.1.1 . 0x14 }
}
}
Incremental updates are also supported, eg.
nft add element x y { 3.3.3.3 . 0x28 }
expr_evaluate_concat() is used to evaluate both set key definitions
and set key values; using two different functions might help to simplify
this code in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell')
-rw-r--r-- | tests/shell/testcases/maps/dumps/typeof_raw_0.nft | 13 | ||||
-rwxr-xr-x | tests/shell/testcases/maps/typeof_raw_0 | 18 | ||||
-rw-r--r-- | tests/shell/testcases/sets/dumps/typeof_raw_0.nft | 12 | ||||
-rwxr-xr-x | tests/shell/testcases/sets/typeof_raw_0 | 17 |
4 files changed, 60 insertions, 0 deletions
diff --git a/tests/shell/testcases/maps/dumps/typeof_raw_0.nft b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft
new file mode 100644
index 00000000..e876425b
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+ map y {
+ typeof ip saddr . @ih,32,32 : verdict
+ elements = { 1.1.1.1 . 0x14 : accept,
+ 7.7.7.7 . 0x86 : accept,
+ 7.7.7.8 . 0x97 : drop }
+ }
+
+ chain y {
+ ip saddr . @ih,32,32 vmap @y
+ ip saddr . @ih,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop }
+ }
+}
diff --git a/tests/shell/testcases/maps/typeof_raw_0 b/tests/shell/testcases/maps/typeof_raw_0
new file mode 100755
index 00000000..e3da7825
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_raw_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table ip x {
+ map y {
+ typeof ip saddr . @ih,32,32: verdict
+ elements = { 1.1.1.1 . 0x14 : accept, 2.2.2.2 . 0x1e : drop }
+ }
+
+ chain y {
+ ip saddr . @ih,32,32 vmap @y
+ ip saddr . @ih,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop}
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+$NFT add element ip x y { 7.7.7.7 . 0x86 : accept, 7.7.7.8 . 0x97 : drop }
+$NFT delete element ip x y { 2.2.2.2 . 0x1e : drop }
diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
new file mode 100644
index 00000000..499ff167
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
@@ -0,0 +1,12 @@
+table inet t {
+ set y {
+ typeof ip daddr . @ih,32,32
+ elements = { 1.1.1.1 . 0x14,
+ 2.2.2.2 . 0x20 }
+ }
+
+ chain y {
+ ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+ ip daddr . @ih,32,32 @y
+ }
+}
diff --git a/tests/shell/testcases/sets/typeof_raw_0 b/tests/shell/testcases/sets/typeof_raw_0
new file mode 100755
index 00000000..36396b5c
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_raw_0
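Review bot: In tests/shell/testcases/maps/typeof_raw_0 the here-string passes `$EXPECTED` unquoted, and the same line appears in tests/shell/testcases/sets/typeof_raw_0. Older bash releases are reported to word-split an unquoted here-string word and re-join it with spaces, which would flatten the multi-line ruleset and make the load fail for a reason unrelated to typeof handling; `$NFT -f - <<< "$EXPECTED"` avoids depending on the shell version. A one-line comment above the add/delete pair, e.g. `# exercise incremental add and delete on a raw-payload key`, would also say what the last two commands are there to check.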
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+EXPECTED="table inet t {
+ set y {
+ typeof ip daddr . @ih,32,32
+ elements = { 1.1.1.1 . 0x14, 2.2.2.2 . 0x20}
+ }
+
+ chain y {
+ ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+ ip daddr . @ih,32,32 @y
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+
|
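Review bot: The set test stops after loading the ruleset, so the incremental path the commit message calls out (`nft add element x y { 3.3.3.3 . 0x28 }`) is covered for maps but not for named sets. Adding `$NFT add element inet t y { 3.3.3.3 . 0x28 }` after the load, with the matching element in sets/dumps/typeof_raw_0.nft, would close that gap. Both tests also use only `@ih,32,32`; since the change sets length and byteorder on the integer type, a second key with a different width would presumably catch a length that is not round-tripped through the set userdata.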