diff options
author | Phil Sutter <phil@nwl.cc> | 2019-06-07 19:21:21 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-07 23:54:51 +0200 |
commit | e5382c0d08e3c6d8246afa95b7380f0d6b8c1826 (patch) | |
tree | e7a6973c6354a9bfee9383476dbc7041fc2e27c9 /tests | |
parent | eecfd96ea3ca8207a1fc28cd1e845c177be59d85 (diff) |
src: Support intra-transaction rule references
A rule may be added before or after another one using index keyword. To
support for the other rule being added within the same batch, one has to
make use of NFTNL_RULE_ID and NFTNL_RULE_POSITION_ID attributes. This
patch does just that among a few more crucial things:
* If cache is complete enough to contain rules, update cache when
evaluating rule commands so later index references resolve correctly.
* Reduce rule_translate_index() to its core code which is the actual
linking of rules and consequently rename the function. The removed
bits are pulled into the calling rule_evaluate() to reduce code
duplication in between cache updates with and without rule reference.
* Pass the current command op to rule_evaluate() as indicator whether to
insert before or after a referenced rule or at beginning or end of
chain in cache. Exploit this from chain_evaluate() to avoid adding
the chain's rules a second time.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
5 files changed, 59 insertions, 0 deletions
diff --git a/tests/shell/testcases/cache/0003_cache_update_0 b/tests/shell/testcases/cache/0003_cache_update_0 index fa9b5df3..05edc9c7 100755 --- a/tests/shell/testcases/cache/0003_cache_update_0 +++ b/tests/shell/testcases/cache/0003_cache_update_0 @@ -34,6 +34,9 @@ EOF # add rule ip t4 c meta l4proto icmp accept -> rule to reference in next step # add rule ip t4 c index 0 drop -> index 0 is not found due to rule cache not # being updated +# add rule ip t4 c index 2 drop -> index 2 is not found due to igmp rule being +# in same transaction and therefore not having +# an allocated handle $NFT -i >/dev/null <<EOF add table ip t4; add chain ip t4 c add rule ip t4 c meta l4proto icmp accept @@ -41,3 +44,7 @@ EOF $NFT -f - >/dev/null <<EOF add rule ip t4 c index 0 drop EOF +$NFT -f - >/dev/null <<EOF +add rule ip t4 c meta l4proto igmp accept +add rule ip t4 c index 2 drop +EOF diff --git a/tests/shell/testcases/transactions/0024rule_0 b/tests/shell/testcases/transactions/0024rule_0 new file mode 100755 index 00000000..4c1ac41d --- /dev/null +++ b/tests/shell/testcases/transactions/0024rule_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +RULESET="flush ruleset +add table x +add chain x y +add rule x y accept comment rule1 +add rule x y accept comment rule4 +add rule x y index 0 accept comment rule2 +insert rule x y index 2 accept comment rule3" + +$NFT -f - <<< "$RULESET" && \ + $NFT -f - <<< "$RULESET" && \ + echo "$RULESET" | tr '\n' ';' | $NFT -i >/dev/null && \ + exit 0 +echo "E: intra-transaction rule reference failed" +exit 1 + diff --git a/tests/shell/testcases/transactions/0025rule_0 b/tests/shell/testcases/transactions/0025rule_0 new file mode 100755 index 00000000..d72d5cfc --- /dev/null +++ b/tests/shell/testcases/transactions/0025rule_0 @@ -0,0 +1,21 @@ +#!/bin/bash + +# make sure stored delete/replace rule commands are correctly applied + +set -e + +$NFT -f - <<EOF +flush ruleset +table x { + chain y { + accept + log + } +} +EOF + +$NFT -f - <<EOF +replace rule x y handle 2 log +delete rule x y handle 3 +add rule x y index 0 drop +EOF diff --git a/tests/shell/testcases/transactions/dumps/0024rule_0.nft b/tests/shell/testcases/transactions/dumps/0024rule_0.nft new file mode 100644 index 00000000..7860ff65 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0024rule_0.nft @@ -0,0 +1,8 @@ +table ip x { + chain y { + accept comment "rule1" + accept comment "rule2" + accept comment "rule3" + accept comment "rule4" + } +} diff --git a/tests/shell/testcases/transactions/dumps/0025rule_0.nft b/tests/shell/testcases/transactions/dumps/0025rule_0.nft new file mode 100644 index 00000000..dcb61ae6 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0025rule_0.nft @@ -0,0 +1,6 @@ +table ip x { + chain y { + log + drop + } +} |