diff options
Diffstat (limited to 'tests/shell/testcases/bogons')
54 files changed, 312 insertions, 0 deletions
diff --git a/tests/shell/testcases/bogons/assert_failures b/tests/shell/testcases/bogons/assert_failures new file mode 100755 index 00000000..79099427 --- /dev/null +++ b/tests/shell/testcases/bogons/assert_failures @@ -0,0 +1,12 @@ +#!/bin/bash + +dir=$(dirname $0)/nft-f/ + +for f in $dir/*; do + $NFT --check -f "$f" + + if [ $? -ne 1 ]; then + echo "Bogus input file $f did not cause expected error code" 1>&2 + exit 111 + fi +done diff --git a/tests/shell/testcases/bogons/dumps/assert_failures.json-nft b/tests/shell/testcases/bogons/dumps/assert_failures.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/bogons/dumps/assert_failures.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/bogons/dumps/assert_failures.nft b/tests/shell/testcases/bogons/dumps/assert_failures.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/bogons/dumps/assert_failures.nft diff --git a/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash new file mode 100644 index 00000000..80a01b45 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash @@ -0,0 +1,11 @@ +table t { + set candidates_ipv4 { + type ipv4_addr . inet_service + size 65535 + flags dynamic,timeout + } + + chain input { + tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10 :0004 timeout 1s } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert new file mode 100644 index 00000000..e8436008 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert @@ -0,0 +1,5 @@ +table ip t { + chain c { + oifname set ip9dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert b/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert new file mode 100644 index 00000000..0e75e6f1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert @@ -0,0 +1,5 @@ +table inet t { + chain c { + udp length . @th,160,138 vmap { 47-63 . 0xe37313536313033&131303735353203 : accept } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow new file mode 100644 index 00000000..01640528 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow @@ -0,0 +1,6 @@ +table inet x { + chain nat_dns_acme { + udp length . @th,260,118 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, } + drop + } +} diff --git a/tests/shell/testcases/bogons/nft-f/counter_objref_crash b/tests/shell/testcases/bogons/nft-f/counter_objref_crash new file mode 100644 index 00000000..3a4b981b --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/counter_objref_crash @@ -0,0 +1,5 @@ +table inet x { + chain y { + counter name ip saddr bytes 1.1.1. 1024 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow b/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow new file mode 100644 index 00000000..18eb25eb --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow @@ -0,0 +1,14 @@ +table inet filter { + ct helper sip-5060u { + type "sip" protocol udp + l3proto ip + }5060t { + type "sip" protocol tcp + l3pownerip + } + + chain input { + type filtol/dev/stdinok input priority f)lser; policy accept; + ct helper set ip protocol . th dport map { udp . 1-20000 : "si60u", tcp . 10000-20000 : "sip-5060t" } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak new file mode 100644 index 00000000..014525a3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak @@ -0,0 +1,7 @@ +table ip filter { + ct timeout cttime { + protocol tcp + l3proto ip + policy = { estabQisheestablished : 2m3s, cd : 2m3s, } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree new file mode 100644 index 00000000..28b1a211 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree @@ -0,0 +1,5 @@ +table ip filter { + ct timeout cttime { + protocol tcp + l3proto ip + policy = { close : 12s } diff --git a/tests/shell/testcases/bogons/nft-f/define_policy_assert b/tests/shell/testcases/bogons/nft-f/define_policy_assert new file mode 100644 index 00000000..f1e58b55 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/define_policy_assert @@ -0,0 +1,3 @@ +chain y x { priority filter +define p = foo +policy $p diff --git a/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert b/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert new file mode 100644 index 00000000..b7a9a1cc --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert @@ -0,0 +1,6 @@ +table inet t { + chain c { + udp length . @th,160,118 vmap { 47-63 . 0xe3731353631303331313037353532/3 : accept } + jump noexist # only here so this fails to load after patch. + } +} diff --git a/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges b/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges new file mode 100644 index 00000000..efaff9e5 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges @@ -0,0 +1,14 @@ +define dev = "1"-"2" + +table netdev t { + chain c { + fwd to 1-2 + dup to 1-2 + } +} + +table ip t { + chain c { + dup to 1-2 device $dev + } +} diff --git a/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix new file mode 100644 index 00000000..23c2dc31 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport set ip daddr map { 192.168.0.1 : 0x000/0001 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert b/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert new file mode 100644 index 00000000..43d72c4d --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert @@ -0,0 +1,5 @@ +table ip6 t { + chain c { + ip6 nexthdr comp udp dport 4789 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug b/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug new file mode 100644 index 00000000..e307e7cc --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug @@ -0,0 +1 @@ +add rule t c ip option ra set 0-1 diff --git a/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash b/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash new file mode 100644 index 00000000..8d1da726 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash @@ -0,0 +1,5 @@ +table t { + chain c { + meta oifname^a^b^c^d^e^f^g^h^i^j^k^l^m^n^o^p^q^r^s^t^u^v^w^x^y^z^A^B^C^D^E^F^G^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z^0^1^2^3^4^5^6^7^8^9 bar + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert b/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert new file mode 100644 index 00000000..161f867d --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert @@ -0,0 +1,5 @@ +table inet x { + chain c { + udp length vmap { 1 : goto rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert b/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert new file mode 100644 index 00000000..3c2c0d3e --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert @@ -0,0 +1,7 @@ +define huge = rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr + +table t { + chain d { + jump $huge + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_prio b/tests/shell/testcases/bogons/nft-f/huge_chain_prio new file mode 100644 index 00000000..41f8061a --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_prio @@ -0,0 +1,5 @@ +table t { + chain c { + type filter hook input priority srcnDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD#DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD; policy accept; + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_shift_assert b/tests/shell/testcases/bogons/nft-f/huge_shift_assert new file mode 100644 index 00000000..7599f850 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_shift_assert @@ -0,0 +1,5 @@ +table ip t { + chain c { + counter name meta mark >> 88888888888888888888 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert b/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert new file mode 100644 index 00000000..1fc85b29 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert @@ -0,0 +1 @@ +rule t c reject with icmp 512 diff --git a/tests/shell/testcases/bogons/nft-f/include-device b/tests/shell/testcases/bogons/nft-f/include-device new file mode 100644 index 00000000..1eb79773 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/include-device @@ -0,0 +1 @@ +include "/dev/null" diff --git a/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert new file mode 100644 index 00000000..7205ff4f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert @@ -0,0 +1 @@ +xy mame ip saddr map h& p p diff --git a/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop b/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop new file mode 100644 index 00000000..514d6ffe --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop @@ -0,0 +1,12 @@ +table ip x { + map z { + type ipv4_addr : ipv4_addr + elements = { 1&.141.0.1 - 192.168.0.2} + } + + map z { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.141.0.0, * : 192.168.0.4 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/map_without_key b/tests/shell/testcases/bogons/nft-f/map_without_key new file mode 100644 index 00000000..78f16b23 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/map_without_key @@ -0,0 +1,5 @@ +table t { + map m { + elements = { 0x00000023 : 0x00001337 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash b/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash new file mode 100644 index 00000000..9f7084c8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash @@ -0,0 +1 @@ +bla to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 } bla diff --git a/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error b/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error new file mode 100644 index 00000000..6f52658f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error @@ -0,0 +1,21 @@ +table ip filter { + ct expectation ctexpect { + protocol tcp + size 12 + l3proto ip + } . inet_proto : mark + flags interval,timeout + } + + chain output { + type gilter hook output priori + + chain c { + cttable inet filter { + map test { + type mark . inet_service . inet_proto : mark + flags interval,timeout + } + + chain output { + type gilter hook output priority filuer; policy
\ No newline at end of file diff --git a/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath b/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath new file mode 100644 index 00000000..917e8bf8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath @@ -0,0 +1,5 @@ +table filter { + chain y { + meta seccark set ct secmark + } +} diff --git a/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert new file mode 100644 index 00000000..18c7edd1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert @@ -0,0 +1,7 @@ +table ip x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.1 } + } +} + diff --git a/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map b/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map new file mode 100644 index 00000000..b1302278 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map @@ -0,0 +1,10 @@ +table inet x { + set y { + type ipv4_addr + elements = { 2.2.2.2, 3.3.3.3 } + } + + chain y { + snat ip to ip saddr map @y + } +} diff --git a/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert b/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert new file mode 100644 index 00000000..547b937f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert @@ -0,0 +1,6 @@ +table ip x { + map sctm_o1 { + type mark : counter + counter name meta mark + } +} diff --git a/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash new file mode 100644 index 00000000..16d3e41f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash @@ -0,0 +1 @@ +cPoR et ip dscp << 2>0 ,xl rt ipsec c0tt in tabl rt ipsec cl diff --git a/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert b/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert new file mode 100644 index 00000000..d880a377 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert @@ -0,0 +1,6 @@ +table t { + chain y { + type filter hook input priority filter; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "x*" } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert b/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert new file mode 100644 index 00000000..64bd596a --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert @@ -0,0 +1 @@ +x x comp nexthdr comp diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store b/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store new file mode 100644 index 00000000..c1358df4 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store @@ -0,0 +1 @@ +add rule f i @th,1,128 set 1 diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert b/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert new file mode 100644 index 00000000..f85a04e7 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert @@ -0,0 +1 @@ +add rule t c @th,0,0 0 diff --git a/tests/shell/testcases/bogons/nft-f/scope_underflow_assert b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert new file mode 100644 index 00000000..aee1dcbf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert @@ -0,0 +1,6 @@ +table t { + chain c { + jump{ + jump { + jump + diff --git a/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert b/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert new file mode 100644 index 00000000..59ef1ab3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert @@ -0,0 +1,12 @@ +table inet testifsets { + map map_wild { elements = { "abcdex*", + "othername", + "ppp0" } + } + map map_wild { + type ifname : verdict + flags interval + elements = { "abcdez*" : jump do_nothing, + "eth0" : jump do_nothing } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/set_without_key b/tests/shell/testcases/bogons/nft-f/set_without_key new file mode 100644 index 00000000..f194afbf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/set_without_key @@ -0,0 +1,5 @@ +table ip t { + set s { + elements = { 0x00000023-0x00000142, 0x00001337 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr new file mode 100644 index 00000000..8b0d2744 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr @@ -0,0 +1,5 @@ +table t { + chain c { + udp length . @th,0,512 . @th,512,512 { 47-63 . 0xe373135363130 . 0x33131303735353203 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr new file mode 100644 index 00000000..66bd6bf8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr @@ -0,0 +1,5 @@ +table t { + chain c { + @th,160,1272 gt 0 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow b/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow new file mode 100644 index 00000000..ea7186bf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow @@ -0,0 +1,6 @@ +table t { +map m { + type ipv4_addr : classid + elements = { 1.1.26.3 : ::a } +} +} diff --git a/tests/shell/testcases/bogons/nft-f/tcp_option_without_template b/tests/shell/testcases/bogons/nft-f/tcp_option_without_template new file mode 100644 index 00000000..fd732fd3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tcp_option_without_template @@ -0,0 +1 @@ +add rule f i tcp option nop length . @ih,32,3 1 diff --git a/tests/shell/testcases/bogons/nft-f/tproxy_ranges b/tests/shell/testcases/bogons/nft-f/tproxy_ranges new file mode 100644 index 00000000..1230860e --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tproxy_ranges @@ -0,0 +1,8 @@ +define range = 42-80 + +table t { + chain c { + tcp dport 42 tproxy to 192.168.0.1:$range + tcp dport 42 tproxy to 192.168.0.0/16 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert new file mode 100644 index 00000000..35eecf60 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip protocol . th dport { tcp / 22, udp . 67 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map new file mode 100644 index 00000000..3da16ce1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map @@ -0,0 +1,5 @@ +table ip x { + chain y { + meta mark set ip protocol . th dport map { tcp / 22 : 1234, udp . 67 : 1234 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap new file mode 100644 index 00000000..f4dc273f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip protocol . th dport vmap { tcp / 22 : accept, udp . 67 : drop } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert b/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert new file mode 100644 index 00000000..e6206736 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert @@ -0,0 +1,7 @@ +table ip x { + chain k { + meta mark set 0x001-3434 + ct mark set 0x001-3434 + tcp dport set 1-3 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal b/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal new file mode 100644 index 00000000..bb9632b0 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal @@ -0,0 +1,5 @@ +delete chain d iUi { +}} +delete chain d hUi { +delete chain o +c b icmpv6 id$i diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert new file mode 100644 index 00000000..fe416f85 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert @@ -0,0 +1,5 @@ +table netdev x { + chain Main_Ingress1 { + type filter hook ingress device "" priority -1 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert new file mode 100644 index 00000000..84f33073 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert @@ -0,0 +1,5 @@ +table ip x { + chain Main_Ingress1 { + type filter hook ingress device""lo" priority -1 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert new file mode 100644 index 00000000..2c3e6c3f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert @@ -0,0 +1,5 @@ +table t { + flowtable f { + devices = { """"lo } + } +} |