diff options
Diffstat (limited to 'tests/shell/testcases/maps/named_ct_objects')
-rwxr-xr-x | tests/shell/testcases/maps/named_ct_objects | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/tests/shell/testcases/maps/named_ct_objects b/tests/shell/testcases/maps/named_ct_objects new file mode 100755 index 00000000..518140b0 --- /dev/null +++ b/tests/shell/testcases/maps/named_ct_objects @@ -0,0 +1,95 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ctexpect) + +$NFT -f /dev/stdin <<EOF || exit 1 +table inet t { + ct expectation exp1 { + protocol tcp + dport 9876 + timeout 1m + size 12 + l3proto ip + } + + ct expectation exp2 { + protocol tcp + dport 9876 + timeout 3s + size 13 + l3proto ip6 + } + + ct helper myftp { + type "ftp" protocol tcp + } + + ct timeout dns { + protocol tcp + l3proto ip + policy = { established : 3, close : 1 } + } + + map exp { + typeof ip saddr : ct expectation + elements = { 192.168.2.2 : "exp1" } + } + + map exp6 { + typeof ip6 saddr : ct expectation + flags interval + elements = { dead:beef::/64 : "exp2" } + } + + map helpobj { + typeof ip6 saddr : ct helper + flags interval + elements = { dead:beef::/64 : "myftp" } + } + + map timeoutmap { + typeof ip daddr : ct timeout + elements = { 192.168.0.1 : "dns" } + } + + set helpname { + typeof ct helper + elements = { "ftp", "sip" } + } + + chain y { + ct expectation set ip saddr map @exp + ct expectation set ip6 saddr map { dead::beef : "exp2" } + ct expectation set ip6 daddr map { dead::beef : "exp2", feed::17 : "exp2" } + ct expectation set ip6 daddr . tcp dport map { dead::beef . 123 : "exp2", feed::17 . 512 : "exp2" } + ct helper set ip6 saddr map { dead::beef : "myftp", 1c3::c01d : "myftp" } + ct helper set ip6 saddr map @helpobj + ct timeout set ip daddr map @timeoutmap + ct timeout set ip daddr map { 1.2.3.4 : "dns", 5.6.7.8 : "dns", 192.168.8.0/24 : "dns" } + ct timeout set ip daddr map { 1.2.3.4-1.2.3.8 : "dns" } + ct timeout set ip6 daddr map { dead::beef : "dns", 1ce::/64 : "dns" } + ct helper @helpname accept + } +} +EOF + +must_fail() +{ + echo "Command should have failed: $1" + exit 111 +} + + +must_work() +{ + echo "Command should have succeeded: $1" + exit 111 +} + +$NFT 'add rule inet t y ip saddr 192.168.1.1 ct timeout set "dns"' || must_work "dns timeout" + +$NFT 'add rule inet t y ct helper set ip saddr map @helpobj' && must_fail "helper assignment, map key is ipv6_addr" +$NFT 'add rule inet t y ct helper set ip6 saddr map @helpname' && must_fail "helper assignment, not a map with objects" + +exit 0 |