Diffstat (limited to 'tests/shell/testcases/chains')
23 files changed, 65 insertions, 32 deletions
diff --git a/tests/shell/testcases/chains/0002jumps_1 b/tests/shell/testcases/chains/0002jumps_1
index 4d163b05..aa70037f 100755
--- a/tests/shell/testcases/chains/0002jumps_1
+++ b/tests/shell/testcases/chains/0002jumps_1
@@ -20,5 +20,7 @@ done
 # this last jump should fail: too many links
 $NFT add chain t c$((MAX_JUMPS + 1))
-$NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null
+
+$NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null || exit 0
 echo "E: max jumps ignored?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
index f74361f2..80e243f0 100755
--- a/tests/shell/testcases/chains/0003jump_loop_1
+++ b/tests/shell/testcases/chains/0003jump_loop_1
@@ -17,5 +17,6 @@ do
 done
 # this last jump should fail: loop
-$NFT add rule t c${MAX_JUMPS} jump c1 2>/dev/null
+$NFT add rule t c${MAX_JUMPS} jump c1 2>/dev/null || exit 0
 echo "E: loop of jumps ignored?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0004busy_1 b/tests/shell/testcases/chains/0004busy_1
index cc9a0dad..e68d1baa 100755
--- a/tests/shell/testcases/chains/0004busy_1
+++ b/tests/shell/testcases/chains/0004busy_1
@@ -6,6 +6,8 @@ $NFT add table t
 $NFT add chain t c1
 $NFT add chain t c2
 $NFT add rule t c1 jump c2
+
 # kernel should return EBUSY
-$NFT delete chain t c2 2>/dev/null
+$NFT delete chain t c2 2>/dev/null || exit 0
 echo "E: deleted a busy chain?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0005busy_map_1 b/tests/shell/testcases/chains/0005busy_map_1
index 93eca827..c800f193 100755
--- a/tests/shell/testcases/chains/0005busy_map_1
+++ b/tests/shell/testcases/chains/0005busy_map_1
@@ -6,6 +6,8 @@ $NFT add table t
 $NFT add chain t c1
 $NFT add chain t c2
 $NFT add rule t c1 tcp dport vmap { 1 : jump c2 }
+
 # kernel should return EBUSY
-$NFT delete chain t c2 2>/dev/null
+$NFT delete chain t c2 2>/dev/null || exit 0
 echo "E: deleted a busy chain?" >&2
+exit 1
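Review bot: The `|| exit 0` added after the expected-to-fail command in 0002jumps_1 accepts any non-zero status, so a crash of nft, a parse error or a missing kernel feature passes the test just like the kernel rejection the comment describes, and with stderr sent to /dev/null nothing remains to tell them apart. The same construct is added in 0003jump_loop_1, 0004busy_1, 0005busy_map_1, 0007–0012, 0015, 0017–0020 and 0022. These cases guard ruleset validation (jump loops, jump depth, masquerade or reject in the wrong hook), so a false pass hides the regression they exist to catch. Consider recording the status, `rc=0; $NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null || rc=$?`, and passing only when `rc` is non-zero and below 128 (not killed by a signal); matching the expected error text would be stricter if the wording is stable.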
diff --git a/tests/shell/testcases/chains/0007masquerade_1 b/tests/shell/testcases/chains/0007masquerade_1
index 4e98d106..4434c898 100755
--- a/tests/shell/testcases/chains/0007masquerade_1
+++ b/tests/shell/testcases/chains/0007masquerade_1
@@ -4,6 +4,8 @@ set -e
 $NFT add table t
 $NFT add chain t c1 {type filter hook output priority 0 \; }
+
 # wrong hook output, only postrouting is valid
-$NFT add rule t c1 masquerade 2>/dev/null
+$NFT add rule t c1 masquerade 2>/dev/null || exit 0
 echo "E: accepted masquerade in output hook" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0008masquerade_jump_1 b/tests/shell/testcases/chains/0008masquerade_jump_1
index 7754ed03..aee1475f 100755
--- a/tests/shell/testcases/chains/0008masquerade_jump_1
+++ b/tests/shell/testcases/chains/0008masquerade_jump_1
@@ -6,6 +6,8 @@ $NFT add table t
 $NFT add chain t output {type nat hook output priority 0 \; }
 $NFT add chain t c1
 $NFT add rule t c1 masquerade
+
 # kernel should return EOPNOTSUPP
-$NFT add rule t output jump c1 2>/dev/null
+$NFT add rule t output jump c1 2>/dev/null || exit 0
 echo "E: accepted masquerade in output hook" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0009masquerade_jump_1 b/tests/shell/testcases/chains/0009masquerade_jump_1
index 684d4417..2b931eeb 100755
--- a/tests/shell/testcases/chains/0009masquerade_jump_1
+++ b/tests/shell/testcases/chains/0009masquerade_jump_1
@@ -6,6 +6,8 @@ $NFT add table t
 $NFT add chain t output {type nat hook output priority 0 \; }
 $NFT add chain t c1
 $NFT add rule t c1 masquerade
+
 # kernel should return EOPNOTSUPP
-$NFT add rule t output tcp dport vmap {1 :jump c1 } 2>/dev/null
+$NFT add rule t output tcp dport vmap {1 :jump c1 } 2>/dev/null || exit 0
 echo "E: accepted masquerade in output hook in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
index dba70e14..5d3ef239 100755
--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
@@ -4,6 +4,8 @@ set -e
 $NFT add table t
 $NFT add chain t c
+
 # kernel should return ELOOP
-$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null
+$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
 echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
index adbff8d4..d75932d7 100755
--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
@@ -10,5 +10,6 @@ $NFT add element t m {2 : jump c2}
 $NFT add rule t c1 tcp dport vmap @m
 # kernel should return ELOOP
-$NFT add element t m {1 : jump c1} 2>/dev/null
+$NFT add element t m {1 : jump c1} 2>/dev/null || exit 0
 echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0012reject_in_prerouting_1 b/tests/shell/testcases/chains/0012reject_in_prerouting_1
index 81cda0c4..0ee86c11 100755
--- a/tests/shell/testcases/chains/0012reject_in_prerouting_1
+++ b/tests/shell/testcases/chains/0012reject_in_prerouting_1
@@ -4,6 +4,8 @@ set -e
 $NFT add table t
 $NFT add chain t prerouting {type filter hook prerouting priority 0 \; }
+
 # wrong hook prerouting, only input/forward/output is valid
-$NFT add rule t prerouting reject 2>/dev/null
+$NFT add rule t prerouting reject 2>/dev/null || exit 0
 echo "E: accepted reject in prerouting hook" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0015check_jump_loop_1 b/tests/shell/testcases/chains/0015check_jump_loop_1
index ba40ddb9..a59bb3bf 100755
--- a/tests/shell/testcases/chains/0015check_jump_loop_1
+++ b/tests/shell/testcases/chains/0015check_jump_loop_1
@@ -7,5 +7,7 @@ $NFT add chain t c1
 $NFT add chain t c2
 $NFT add t c1 jump c2
 # kernel should return ENOENT
-$NFT add t c2 ip daddr vmap { 1 : jump c3 }
+
+$NFT add t c2 ip daddr vmap { 1 : jump c3 } || exit 0
 echo "E: Jumped to non existing chain" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0017masquerade_jump_1 b/tests/shell/testcases/chains/0017masquerade_jump_1
index a57675f5..209e6d48 100755
--- a/tests/shell/testcases/chains/0017masquerade_jump_1
+++ b/tests/shell/testcases/chains/0017masquerade_jump_1
@@ -6,5 +6,9 @@ $NFT add table t
 $NFT add chain t input {type filter hook input priority 4 \; }
 $NFT add chain t c1
 $NFT add rule t input jump c1
+
 # kernel should return EOPNOTSUPP
-$NFT add rule t c1 masquerade 2>/dev/null >&2
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+
+echo "E: Accepted masquerade rule in non-nat type base chain" 1>&2
+exit 1
diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
index d1443dab..b87520f2 100755
--- a/tests/shell/testcases/chains/0018check_jump_loop_1
+++ b/tests/shell/testcases/chains/0018check_jump_loop_1
@@ -6,5 +6,8 @@ $NFT add table ip filter
 $NFT add chain ip filter ap1
 $NFT add chain ip filter ap2
 $NFT add rule ip filter ap1 jump ap2
+
 # kernel should return EOPNOTSUPP
-$NFT add rule ip filter ap1 jump ap1 2>/dev/null >&2
+$NFT add rule ip filter ap1 jump ap1 2>/dev/null >&2 || exit 0
+echo "E: Accepted jump-to-self"
+exit 1
diff --git a/tests/shell/testcases/chains/0019masquerade_jump_1 b/tests/shell/testcases/chains/0019masquerade_jump_1
index 4fe68c84..0ff1ac3f 100755
--- a/tests/shell/testcases/chains/0019masquerade_jump_1
+++ b/tests/shell/testcases/chains/0019masquerade_jump_1
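Review bot: The added `echo "E: Accepted jump-to-self"` in 0018check_jump_loop_1 writes to stdout, while every other failure message in this commit goes to stderr; `echo "E: Accepted jump-to-self" >&2` keeps the diagnostic on the same stream as the sibling tests. The context comment above the command names EOPNOTSUPP, whereas the other loop cases in this commit expect ELOOP, so the comment may be stale for a jump-to-self; worth confirming while the test is being touched.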
@@ -6,5 +6,8 @@ $NFT add table t
 $NFT add chain t input {type filter hook input priority 4 \; }
 $NFT add chain t c1
 $NFT add rule t input ip saddr vmap { 1.1.1.1 : jump c1 }
+
 # kernel should return EOPNOTSUPP
-$NFT add rule t c1 masquerade 2>/dev/null >&2
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+echo "E: accepted masquerade in chain from non-nat type basechain" 1>&2
+exit 1
diff --git a/tests/shell/testcases/chains/0020depth_1 b/tests/shell/testcases/chains/0020depth_1
index fa539c8f..23e1f826 100755
--- a/tests/shell/testcases/chains/0020depth_1
+++ b/tests/shell/testcases/chains/0020depth_1
@@ -1,7 +1,6 @@
 #!/bin/bash
 set -e
-
 $NFT add table ip filter
 $NFT add chain ip filter input { type filter hook input priority 0\; }
@@ -19,4 +18,6 @@ for ((i=11;i<19;i++)); do
 $NFT add rule ip filter a$i jump a$((i+1))
 done
-$NFT add rule ip filter a10 jump a11
+$NFT add rule ip filter a10 jump a11 || exit 0
+echo "E: Expected 20th jump to fail due to jump stack exhaustion" 1>&2
+exit 1
diff --git a/tests/shell/testcases/chains/0022prio_dummy_1 b/tests/shell/testcases/chains/0022prio_dummy_1
index ecdd9456..66c44074 100755
--- a/tests/shell/testcases/chains/0022prio_dummy_1
+++ b/tests/shell/testcases/chains/0022prio_dummy_1
@@ -3,5 +3,7 @@ set -e
 $NFT add table ip x
-$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> /dev/null
+
+$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> /dev/null || exit 0
 echo "E: dummy should not be a valid priority." >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0023prio_inet_srcnat_1 b/tests/shell/testcases/chains/0023prio_inet_srcnat_1
index fa53f7a7..d2b1fa43 100755
--- a/tests/shell/testcases/chains/0023prio_inet_srcnat_1
+++ b/tests/shell/testcases/chains/0023prio_inet_srcnat_1
@@ -9,8 +9,8 @@ do
 if (($? == 0))
 then
 echo "E: srcnat should not be a valid priority name in $family $hook chains." >&2
- exit 0
+ exit 1
 fi
 done
 done
-exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0024prio_inet_dstnat_1 b/tests/shell/testcases/chains/0024prio_inet_dstnat_1
index a9a7264a..d112f2c9 100755
--- a/tests/shell/testcases/chains/0024prio_inet_dstnat_1
+++ b/tests/shell/testcases/chains/0024prio_inet_dstnat_1
@@ -9,8 +9,8 @@ do
 if (($? == 0))
 then
 echo "E: dstnat should not be a valid priority name in $family $hook chains." >&2
- exit 0
+ exit 1
 fi
 done
 done
-exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0025prio_arp_1 b/tests/shell/testcases/chains/0025prio_arp_1
index 8c671d55..1a172629 100755
--- a/tests/shell/testcases/chains/0025prio_arp_1
+++ b/tests/shell/testcases/chains/0025prio_arp_1
@@ -10,8 +10,8 @@ family=arp
 if (($? == 0))
 then
 echo "E: $prioname should not be a valid priority name for arp family chains." >&2
- exit 0
+ exit 1
 fi
 done
 done
-exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0026prio_netdev_1 b/tests/shell/testcases/chains/0026prio_netdev_1
index ae022830..aa902e9b 100755
--- a/tests/shell/testcases/chains/0026prio_netdev_1
+++ b/tests/shell/testcases/chains/0026prio_netdev_1
@@ -4,12 +4,12 @@ family=netdev
 hook=ingress
 for prioname in raw mangle dstnat security srcnat
 do
- $NFT add table $family x
+ $NFT add table $family x || exit 1
 $NFT add chain $family x y "{ type filter hook $hook device lo priority $prioname; }" &> /dev/null
 if (($? == 0))
 then
 echo "E: $prioname should not be a valid priority name for netdev family chains." >&2
- exit 0
+ exit 1
 fi
 done
-exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0027prio_bridge_dstnat_1 b/tests/shell/testcases/chains/0027prio_bridge_dstnat_1
index df0b6950..52c73e65 100755
--- a/tests/shell/testcases/chains/0027prio_bridge_dstnat_1
+++ b/tests/shell/testcases/chains/0027prio_bridge_dstnat_1
@@ -9,7 +9,7 @@ family=bridge
 if (($? == 0))
 then
 echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
 fi
 done
-exit 1
+exit 0
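Review bot: The `|| exit 1` guard on `$NFT add table $family x` is added only in 0026prio_netdev_1; the sibling priority tests (0023–0025 and 0027–0029) get the exit-code swap but no visible check on their setup. If those scripts run without `set -e`, a failed table creation makes the following `add chain` fail as well, and with the new `exit 0` at the end the test then passes without the priority name ever being evaluated. Giving each of them the same guard, `$NFT add table $family x || exit 1`, keeps a pass meaning "the priority name was rejected". The setup lines of those files lie outside the hunks shown, so this needs confirming against the full scripts.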
diff --git a/tests/shell/testcases/chains/0028prio_bridge_out_1 b/tests/shell/testcases/chains/0028prio_bridge_out_1
index 06fdbebb..63aa296c 100755
--- a/tests/shell/testcases/chains/0028prio_bridge_out_1
+++ b/tests/shell/testcases/chains/0028prio_bridge_out_1
@@ -9,7 +9,7 @@ family=bridge
 if (($? == 0))
 then
 echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
 fi
 done
-exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0029prio_bridge_srcnat_1 b/tests/shell/testcases/chains/0029prio_bridge_srcnat_1
index 8896a7cf..38917119 100755
--- a/tests/shell/testcases/chains/0029prio_bridge_srcnat_1
+++ b/tests/shell/testcases/chains/0029prio_bridge_srcnat_1
@@ -9,7 +9,7 @@ family=bridge
 if (($? == 0))
 then
 echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
 fi
 done
-exit 1
+exit 0 |