diff options
Diffstat (limited to 'tests/shell/testcases/rule_management')
23 files changed, 732 insertions, 11 deletions
diff --git a/tests/shell/testcases/rule_management/0010replace_0 b/tests/shell/testcases/rule_management/0010replace_0 index 251cebb2..cd69a89d 100755 --- a/tests/shell/testcases/rule_management/0010replace_0 +++ b/tests/shell/testcases/rule_management/0010replace_0 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # test for kernel commit ca08987885a147643817d02bf260bc4756ce8cd4 # ("netfilter: nf_tables: deactivate expressions in rule replecement routine") diff --git a/tests/shell/testcases/rule_management/0011destroy_0 b/tests/shell/testcases/rule_management/0011destroy_0 deleted file mode 100755 index 895c24a4..00000000 --- a/tests/shell/testcases/rule_management/0011destroy_0 +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -set -e -$NFT add table t -$NFT add chain t c -$NFT insert rule t c accept # should have handle 2 - -$NFT destroy rule t c handle 2 diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0 index 8d230796..33eadd9e 100755 --- a/tests/shell/testcases/rule_management/0011reset_0 +++ b/tests/shell/testcases/rule_management/0011reset_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_rule) + set -e echo "loading ruleset" diff --git a/tests/shell/testcases/rule_management/0012destroy_0 b/tests/shell/testcases/rule_management/0012destroy_0 index 1b61155e..a058150f 100755 --- a/tests/shell/testcases/rule_management/0012destroy_0 +++ b/tests/shell/testcases/rule_management/0012destroy_0 @@ -1,7 +1,14 @@ -#!/bin/bash +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) -set -e $NFT add table t $NFT add chain t c +# pass for non-existent rule $NFT destroy rule t c handle 3333 + +# successfully delete existing rule +handle=$($NFT -a -e insert rule t c accept | \ + sed -n 's/.*handle \([0-9]*\)$/\1/p') +$NFT destroy rule t c handle "$handle" diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft new file mode 100644 index 00000000..83dfee0d --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft new file mode 100644 index 00000000..527d79d6 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + drop + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft new file mode 100644 index 00000000..b3808ce2 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft new file mode 100644 index 00000000..b76cd930 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft new file mode 100644 index 00000000..9216cabf --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": { + "set": [ + { + "range": [ + 3478, + 3497 + ] + }, + { + "range": [ + 16384, + 16387 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft new file mode 100644 index 00000000..5d0b7d06 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0011destroy_0.nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft index 1e0d1d60..1e0d1d60 100644 --- a/tests/shell/testcases/rule_management/dumps/0011destroy_0.nft +++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft new file mode 100644 index 00000000..5d0b7d06 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft new file mode 100644 index 00000000..bc242467 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft @@ -0,0 +1,257 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 1, + "bytes": 11 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@s" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t2", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t2", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t2", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} |