Diffstat (limited to 'tests/shell/testcases/json')
21 files changed, 578 insertions, 0 deletions
diff --git a/tests/shell/testcases/json/0001set_statements_0 b/tests/shell/testcases/json/0001set_statements_0
new file mode 100755
index 00000000..fc4941f4
--- /dev/null
+++ b/tests/shell/testcases/json/0001set_statements_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "testt", "handle": 3}}, {"set": {"family": "ip", "name": "ssh_meter", "table": "testt", "type": "ipv4_addr", "handle": 2, "size": 65535}}, {"chain": {"family": "ip", "table": "testt", "name": "testc", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}}, {"rule": {"family": "ip", "table": "testt", "chain": "testc", "handle": 3, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"set": {"op": "add", "elem": {"payload": {"protocol": "ip", "field": "saddr"}}, "stmt": [{"limit": {"rate": 10, "burst": 5, "per": "second"}}], "set": "@ssh_meter"}}, {"accept": null}]}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0002table_map_0 b/tests/shell/testcases/json/0002table_map_0
new file mode 100755
index 00000000..a1e9f263
--- /dev/null
+++ b/tests/shell/testcases/json/0002table_map_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "t", "handle": 4}}, {"map": {"family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [{"counter": {"packets": 0, "bytes": 0}}]}}]}'
+
+$NFT -j -f - <<< $RULESET
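Review bot: `$RULESET` is expanded unquoted in the here-string on the last line of 0001set_statements_0, and the same line appears in 0002table_map_0, 0003json_schema_version_0, 0004json_schema_version_1, 0005secmark_objref_0, 0006obj_comment_0 and the netdev script. Current bash does not word-split a here-string, but older releases split and re-joined the value, so `$NFT -j -f - <<< "$RULESET"` keeps the JSON byte-for-byte on every bash the suite may run under. `$NFT` looks deliberately unquoted, presumably so it can carry a wrapper command, and can stay as it is.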
diff --git a/tests/shell/testcases/json/0003json_schema_version_0 b/tests/shell/testcases/json/0003json_schema_version_0
new file mode 100755
index 00000000..43f387a1
--- /dev/null
+++ b/tests/shell/testcases/json/0003json_schema_version_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0004json_schema_version_1 b/tests/shell/testcases/json/0004json_schema_version_1
new file mode 100755
index 00000000..0f8d586f
--- /dev/null
+++ b/tests/shell/testcases/json/0004json_schema_version_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 999}}]}'
+
+$NFT -j -f - <<< $RULESET && exit 1
+
+exit 0
diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0
new file mode 100755
index 00000000..5c44f093
--- /dev/null
+++ b/tests/shell/testcases/json/0005secmark_objref_0
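Review bot: In 0004json_schema_version_1, `$NFT -j -f - <<< $RULESET && exit 1` accepts any non-zero status as the expected rejection of `json_schema_version` 999, so an nft process that dies on the input (killed by a signal, status above 128) passes the same as a clean parse error. Capturing the status and requiring the ordinary failure code would pin the behaviour: `rc=0; $NFT -j -f - <<< "$RULESET" || rc=$?` followed by `[ "$rc" -eq 1 ] || exit 1`, assuming nft reports a rejected ruleset with status 1. A one-line comment such as `# an unsupported json_schema_version must be refused and leave the ruleset empty` would also help, since the script does not say what it checks.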
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_secmark)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 4}}, {"secmark": {"family": "inet", "name": "ssh_server", "table": "x", "handle": 1, "context": "system_u:object_r:ssh_server_packet_t:s0"}}, {"chain": {"family": "inet", "table": "x", "name": "y", "handle": 2, "type": "filter", "hook": "input", "prio": -225, "policy": "accept"}}, {"chain": {"family": "inet", "table": "x", "name": "z", "handle": 3, "type": "filter", "hook": "output", "prio": 225, "policy": "accept"}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 4, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 2222}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"secmark": "ssh_server"}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 5, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 6, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 7, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 8, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": 
"secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0006obj_comment_0 b/tests/shell/testcases/json/0006obj_comment_0
new file mode 100755
index 00000000..7ce859d2
--- /dev/null
+++ b/tests/shell/testcases/json/0006obj_comment_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "t", "handle": 9}}, {"counter": {"family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft
new file mode 100644
index 00000000..91db43e2
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft
@@ -0,0 +1,100 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "testt",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "testt",
+ "name": "testc",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "ssh_meter",
+ "table": "testt",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "testt",
+ "chain": "testc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": "new"
+ }
+ },
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "set": "@ssh_meter",
+ "stmt": [
+ {
+ "limit": {
+ "rate": 10,
+ "burst": 5,
+ "per": "second"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.nft b/tests/shell/testcases/json/dumps/0001set_statements_0.nft
new file mode 100644
index 00000000..d80a4321
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0001set_statements_0.nft
@@ -0,0 +1,12 @@
+table ip testt {
+ set ssh_meter {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain testc {
+ type filter hook input priority filter; policy accept;
+ tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate 10/second burst 5 packets } accept
+ }
+}
diff --git a/tests/shell/testcases/json/dumps/0002table_map_0.json-nft b/tests/shell/testcases/json/dumps/0002table_map_0.json-nft
new file mode 100644
index 00000000..78e3c8ad
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0002table_map_0.json-nft
@@ -0,0 +1,33 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "m",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "mark",
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/json/dumps/0002table_map_0.nft b/tests/shell/testcases/json/dumps/0002table_map_0.nft
new file mode 100644
index 00000000..357e92cc
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0002table_map_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+ map m {
+ type ipv4_addr : mark
+ counter
+ }
+}
diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft
diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft
diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft
new file mode 100644
index 00000000..3783c6b7
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft
@@ -0,0 +1,233 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": -225,
+ "policy": "accept"
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "z",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 225,
+ "policy": "accept"
+ }
+ },
+ {
+ "secmark": {
+ "family": "inet",
+ "name": "ssh_server",
+ "table": "x",
+ "handle": 0,
+ "context": "system_u:object_r:ssh_server_packet_t:s0"
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 2222
+ }
+ },
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": "new"
+ }
+ },
+ {
+ "secmark": "ssh_server"
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": "new"
+ }
+ },
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "secmark"
+ }
+ },
+ "value": {
+ "meta": {
+ "key": "secmark"
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "established",
+ "related"
+ ]
+ }
+ },
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "secmark"
+ }
+ },
+ "value": {
+ "ct": {
+ "key": "secmark"
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "z",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": "new"
+ }
+ },
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "secmark"
+ }
+ },
+ "value": {
+ "meta": {
+ "key": "secmark"
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "z",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "established",
+ "related"
+ ]
+ }
+ },
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "secmark"
+ }
+ },
+ "value": {
+ "ct": {
+ "key": "secmark"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft
new file mode 100644
index 00000000..4c218e93
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft
@@ -0,0 +1,18 @@
+table inet x {
+ secmark ssh_server {
+ "system_u:object_r:ssh_server_packet_t:s0"
+ }
+
+ chain y {
+ type filter hook input priority -225; policy accept;
+ tcp dport 2222 ct state new meta secmark set "ssh_server"
+ ct state new ct secmark set meta secmark
+ ct state established,related meta secmark set ct secmark
+ }
+
+ chain z {
+ type filter hook output priority 225; policy accept;
+ ct state new ct secmark set meta secmark
+ ct state established,related meta secmark set ct secmark
+ }
+}
diff --git a/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft b/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft
new file mode 100644
index 00000000..208e13ad
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft
@@ -0,0 +1,29 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "mycounter",
+ "table": "t",
+ "handle": 0,
+ "comment": "my comment in counter",
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/json/dumps/0006obj_comment_0.nft b/tests/shell/testcases/json/dumps/0006obj_comment_0.nft
new file mode 100644
index 00000000..e52b21b4
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0006obj_comment_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+ counter mycounter {
+ comment "my comment in counter"
+ packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/json/dumps/netdev.json-nft b/tests/shell/testcases/json/dumps/netdev.json-nft
new file mode 100644
index 00000000..e0d2bfb4
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/netdev.json-nft
@@ -0,0 +1,18 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "netdev",
+ "name": "test_table",
+ "handle": 0
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/json/dumps/netdev.nft b/tests/shell/testcases/json/dumps/netdev.nft
new file mode 100644
index 00000000..3c568ed3
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/netdev.nft
@@ -0,0 +1,2 @@
+table netdev test_table {
+}
diff --git a/tests/shell/testcases/json/netdev b/tests/shell/testcases/json/netdev
new file mode 100755
index 00000000..8c16cf42
--- /dev/null
+++ b/tests/shell/testcases/json/netdev
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+iface_cleanup() {
+ ip link del d0 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add d0 type dummy
+
+$NFT flush ruleset
+$NFT add table inet test
+$NFT add chain inet test c
+
+$NFT flush ruleset
+
+RULESET='{"nftables":[{"flush":{"ruleset":null}},{"add":{"table":{"family":"netdev","name":"test_table"}}},{"add":{"chain":{"family":"netdev","table":"test_table","name":"test_chain","type":"filter","hook":"ingress","prio":0,"dev":"d0","policy":"accept"}}}]}'
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+ $NFT -j -f - <<< $RULESET
+fi
+
+if [ "$NFT_TEST_HAVE_json" = n ]; then
+ echo "Test partially skipped due to missing JSON support."
+ exit 77
+fi |
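Review bot: In the netdev script, `iface_cleanup` runs `ip link del d0` before the dummy link is created and again on EXIT, so it removes whatever link named d0 already exists in the namespace the test runs in, and `$NFT flush ruleset` likewise clears that namespace's ruleset. Presumably the runner gives each test a private network namespace, but nothing in the script states that assumption. A comment above the function would record it, for example `# d0 is a throwaway dummy link; assumes the runner isolates the test in its own netns`. The two `if [ "$NFT_TEST_HAVE_json" ... ]` blocks at the end test the same variable with opposite conditions and would read more clearly as one `if`/`else`.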