diff options
Diffstat (limited to 'tests/shell/testcases/sets')
202 files changed, 11647 insertions, 208 deletions
diff --git a/tests/shell/testcases/sets/0011add_many_elements_0 b/tests/shell/testcases/sets/0011add_many_elements_0 index ba23f90f..c37b2f0d 100755 --- a/tests/shell/testcases/sets/0011add_many_elements_0 +++ b/tests/shell/testcases/sets/0011add_many_elements_0 @@ -3,6 +3,14 @@ # test adding many sets elements HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi + tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -30,3 +38,10 @@ add element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0 index 7e7beebd..64451604 100755 --- a/tests/shell/testcases/sets/0012add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0 @@ -3,6 +3,13 @@ # test adding and deleting many sets elements HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -31,3 +38,10 @@ delete element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0 index 5774317b..c0925dd5 100755 --- a/tests/shell/testcases/sets/0013add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0 @@ -3,6 +3,13 @@ # test adding and deleting many sets elements in two nft -f runs. HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -32,3 +39,10 @@ add element x y $(generate)" > $tmpfile $NFT -f $tmpfile echo "delete element x y $(generate)" > $tmpfile $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0020comments_0 b/tests/shell/testcases/sets/0020comments_0 index 44d451a8..1df38326 100755 --- a/tests/shell/testcases/sets/0020comments_0 +++ b/tests/shell/testcases/sets/0020comments_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + # Test that comments are added to set elements in standard sets. # Explicitly test bitmap backend set implementation. diff --git a/tests/shell/testcases/sets/0022type_selective_flush_0 b/tests/shell/testcases/sets/0022type_selective_flush_0 index 6062913b..48f6875b 100755 --- a/tests/shell/testcases/sets/0022type_selective_flush_0 +++ b/tests/shell/testcases/sets/0022type_selective_flush_0 @@ -16,7 +16,7 @@ $NFT -f - <<< "$RULESET" # Commands that should be invalid declare -a cmds=( - "flush set t m" "flush set t f" + "flush set t m" "flush map t s" "flush map t f" "flush meter t s" "flush meter t m" ) diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/sets/0024named_objects_0 deleted file mode 100755 index 6d21e388..00000000 --- a/tests/shell/testcases/sets/0024named_objects_0 +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash - -# This is the testscase: -# * creating valid named objects -# * referencing them from a valid rule - -RULESET=" -table inet x { - counter user123 { - packets 12 bytes 1433 - } - counter user321 { - packets 12 bytes 1433 - } - quota user123 { - over 2000 bytes - } - quota user124 { - over 2000 bytes - } - synproxy https-synproxy { - mss 1460 - wscale 7 - timestamp sack-perm - } - synproxy other-synproxy { - mss 1460 - wscale 5 - } - set y { - type ipv4_addr - } - map test { - type ipv4_addr : quota - elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"} - } - map test2 { - type ipv4_addr : synproxy - flags interval - elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } - } - chain y { - type filter hook input priority 0; policy accept; - counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"} - synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } - quota name ip saddr map @test drop - } -}" - -set -e -$NFT -f - <<< "$RULESET" - -EXPECTED="table inet x { - counter user321 { - packets 12 bytes 1433 - } -}" - -GET="$($NFT reset counter inet x user321)" -if [ "$EXPECTED" != "$GET" ] ; then - $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/sets/0024synproxy_0 b/tests/shell/testcases/sets/0024synproxy_0 new file mode 100755 index 00000000..0c7da572 --- /dev/null +++ b/tests/shell/testcases/sets/0024synproxy_0 @@ -0,0 +1,31 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_synproxy) + +# * creating valid named objects +# * referencing them from a valid rule + +RULESET=" +table inet x { + synproxy https-synproxy { + mss 1460 + wscale 7 + timestamp sack-perm + } + synproxy other-synproxy { + mss 1460 + wscale 5 + } + map test2 { + type ipv4_addr : synproxy + flags interval + elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } + chain y { + type filter hook input priority 0; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } +}" + +set -e +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/sets/0029named_ifname_dtype_0 b/tests/shell/testcases/sets/0029named_ifname_dtype_0 index 2dbcd22b..ea581406 100755 --- a/tests/shell/testcases/sets/0029named_ifname_dtype_0 +++ b/tests/shell/testcases/sets/0029named_ifname_dtype_0 @@ -40,6 +40,7 @@ EXPECTED="table inet t { chain c { iifname @s accept oifname @s accept + fib saddr oifname @s accept tcp dport . meta iifname @sc accept meta iifname . meta mark @nv accept } diff --git a/tests/shell/testcases/sets/0030add_many_elements_interval_0 b/tests/shell/testcases/sets/0030add_many_elements_interval_0 index 059ade9a..32a705bf 100755 --- a/tests/shell/testcases/sets/0030add_many_elements_interval_0 +++ b/tests/shell/testcases/sets/0030add_many_elements_interval_0 @@ -1,6 +1,13 @@ #!/bin/bash HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -28,3 +35,10 @@ add element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0 index 3343529b..32375b9f 100755 --- a/tests/shell/testcases/sets/0034get_element_0 +++ b/tests/shell/testcases/sets/0034get_element_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + RC=0 check() { # (set, elems, expected) diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0 index 3097d077..d961ffd4 100755 --- a/tests/shell/testcases/sets/0036add_set_element_expiration_0 +++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0 @@ -1,15 +1,25 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_setelem_expiration) + set -e +drop_seconds() { + sed -E 's/m[0-9]*s([0-9]*ms)?/m/g' +} + RULESET="add table ip x +add set ip x y { type ipv4_addr; flags dynamic,timeout; } +add element ip x y { 1.1.1.1 timeout 30m expires 15m59s }" + +EXPECTED="add table ip x add set ip x y { type ipv4_addr; flags dynamic,timeout; } -add element ip x y { 1.1.1.1 timeout 30s expires 15s }" +add element ip x y { 1.1.1.1 timeout 30m expires 15m }" -test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation') +test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation' | drop_seconds) -if [ "$test_output" != "$RULESET" ] ; then - $DIFF -u <(echo "$test_output") <(echo "$RULESET") +if [ "$test_output" != "$EXPECTED" ] ; then + $DIFF -u <(echo "$test_output") <(echo "$EXPECTED") exit 1 fi diff --git a/tests/shell/testcases/sets/0038meter_list_0 b/tests/shell/testcases/sets/0038meter_list_0 index e9e0f6fb..7c37c1d8 100755 --- a/tests/shell/testcases/sets/0038meter_list_0 +++ b/tests/shell/testcases/sets/0038meter_list_0 @@ -14,7 +14,12 @@ RULESET=" " expected_output="table ip t { - meter m { + set s { + type ipv4_addr + size 256 + flags dynamic,timeout + } + set m { type ipv4_addr size 128 flags dynamic diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_0 b/tests/shell/testcases/sets/0043concatenated_ranges_0 index 11767373..a3dbf5bf 100755 --- a/tests/shell/testcases/sets/0043concatenated_ranges_0 +++ b/tests/shell/testcases/sets/0043concatenated_ranges_0 @@ -1,4 +1,7 @@ -#!/bin/sh -e +#!/bin/bash -e +# +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) # # 0043concatenated_ranges_0 - Add, get, list, timeout for concatenated ranges # @@ -14,12 +17,7 @@ # - delete them # - make sure they can't be deleted again -if [ "$(ps -o comm= $PPID)" = "run-tests.sh" ]; then - # Skip some permutations on a full test suite run to keep it quick - TYPES="ipv4_addr ipv6_addr ether_addr inet_service" -else - TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark" -fi +TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark" RULESPEC_ipv4_addr="ip saddr" ELEMS_ipv4_addr="192.0.2.1 198.51.100.0/25 203.0.113.0-203.0.113.129" @@ -147,7 +145,7 @@ for ta in ${TYPES}; do eval add_b=\$ADD_${tb} eval add_c=\$ADD_${tc} ${NFT} add element inet filter test \ - "{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}" + "{ ${add_a} . ${add_b} . ${add_c} timeout 2m${mapv}}" [ $(${NFT} list ${setmap} inet filter test | \ grep -c "${add_a} . ${add_b} . ${add_c}") -eq 1 ] @@ -180,6 +178,10 @@ for ta in ${TYPES}; do continue fi + ${NFT} delete element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} ${mapv}}" + ${NFT} add element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}" sleep 1 [ $(${NFT} list ${setmap} inet filter test | \ grep -c "${add_a} . ${add_b} . ${add_c} ${mapv}") -eq 0 ] diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_1 b/tests/shell/testcases/sets/0043concatenated_ranges_1 index bab189c5..bb3bf6b2 100755 --- a/tests/shell/testcases/sets/0043concatenated_ranges_1 +++ b/tests/shell/testcases/sets/0043concatenated_ranges_1 @@ -1,7 +1,9 @@ -#!/bin/sh -e +#!/bin/bash -e # # 0043concatenated_ranges_1 - Insert and list subnets of different sizes +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + check() { $NFT add element "${1}" t s "{ ${2} . ${3} }" [ "$( $NFT list set "${1}" t s | grep -c "${2} . ${3}" )" = 1 ] diff --git a/tests/shell/testcases/sets/0044interval_overlap_0 b/tests/shell/testcases/sets/0044interval_overlap_0 index face90f2..b0f51cc8 100755 --- a/tests/shell/testcases/sets/0044interval_overlap_0 +++ b/tests/shell/testcases/sets/0044interval_overlap_0 @@ -1,4 +1,6 @@ -#!/bin/sh -e +#!/bin/bash -e +# +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) # # 0044interval_overlap_0 - Add overlapping and non-overlapping intervals # @@ -115,7 +117,11 @@ add_elements() { IFS=' ' for t in ${intervals_simple} switch ${intervals_concat}; do +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then [ "${t}" = "switch" ] && set="c" && continue +else + break +fi [ -z "${pass}" ] && pass="${t}" && continue [ -z "${interval}" ] && interval="${t}" && continue unset IFS @@ -146,7 +152,9 @@ add_elements() { $NFT add table t $NFT add set t s '{ type inet_service ; flags interval ; }' -$NFT add set t c '{ type inet_service . inet_service ; flags interval ; }' +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then + $NFT add set t c '{ type inet_service . inet_service ; flags interval ; }' +fi add_elements $NFT flush ruleset @@ -155,7 +163,9 @@ estimate_timeout $NFT flush ruleset $NFT add table t $NFT add set t s "{ type inet_service ; flags interval,timeout; timeout ${timeout}s; gc-interval ${timeout}s; }" -$NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }" +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then + $NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }" +fi add_elements sleep $((timeout * 3 / 2)) diff --git a/tests/shell/testcases/sets/0044interval_overlap_1 b/tests/shell/testcases/sets/0044interval_overlap_1 index eeea1943..cdd0c844 100755 --- a/tests/shell/testcases/sets/0044interval_overlap_1 +++ b/tests/shell/testcases/sets/0044interval_overlap_1 @@ -1,4 +1,6 @@ -#!/bin/sh -e +#!/bin/bash -e +# +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) # # 0044interval_overlap_1 - Single-sized intervals can never overlap partially # diff --git a/tests/shell/testcases/sets/0046netmap_0 b/tests/shell/testcases/sets/0046netmap_0 index 60bda401..7533623e 100755 --- a/tests/shell/testcases/sets/0046netmap_0 +++ b/tests/shell/testcases/sets/0046netmap_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netmap) + EXPECTED="table ip x { chain y { type nat hook postrouting priority srcnat; policy accept; diff --git a/tests/shell/testcases/sets/0047nat_0 b/tests/shell/testcases/sets/0047nat_0 index cb1d4d68..757605ee 100755 --- a/tests/shell/testcases/sets/0047nat_0 +++ b/tests/shell/testcases/sets/0047nat_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + EXPECTED="table ip x { map y { type ipv4_addr : interval ipv4_addr @@ -8,6 +10,12 @@ EXPECTED="table ip x { 10.141.11.0/24 : 192.168.4.2-192.168.4.3 } } + chain x { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + chain y { type nat hook postrouting priority srcnat; policy accept; snat to ip saddr map @y @@ -18,3 +26,17 @@ EXPECTED="table ip x { set -e $NFT -f - <<< $EXPECTED $NFT add element x y { 10.141.12.0/24 : 192.168.5.10-192.168.5.20 } + +EXPECTED="table inet x { + chain x { + type nat hook prerouting priority dstnat; policy accept; + dnat to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 } + } + + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2-192.168.4.3 } + } +}" + +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/0048set_counters_0 b/tests/shell/testcases/sets/0048set_counters_0 index e62d25df..95babdc9 100755 --- a/tests/shell/testcases/sets/0048set_counters_0 +++ b/tests/shell/testcases/sets/0048set_counters_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + set -e EXPECTED="table ip x { diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0 index 1d512f7b..756afdc1 100755 --- a/tests/shell/testcases/sets/0049set_define_0 +++ b/tests/shell/testcases/sets/0049set_define_0 @@ -14,3 +14,15 @@ table inet filter { " $NFT -f - <<< "$EXPECTED" + +EXPECTED="define ip-block-4 = { 1.1.1.1 } + + create set inet filter ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = \$ip-block-4 + } +" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0051set_interval_counter_0 b/tests/shell/testcases/sets/0051set_interval_counter_0 index ea90e264..6e67a43c 100755 --- a/tests/shell/testcases/sets/0051set_interval_counter_0 +++ b/tests/shell/testcases/sets/0051set_interval_counter_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + set -e EXPECTED="table ip x { diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0 index 107bfb87..2aeba2c5 100755 --- a/tests/shell/testcases/sets/0059set_update_multistmt_0 +++ b/tests/shell/testcases/sets/0059set_update_multistmt_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + RULESET="table x { set y { type ipv4_addr diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0 index 6bd147c3..8e17444e 100755 --- a/tests/shell/testcases/sets/0060set_multistmt_0 +++ b/tests/shell/testcases/sets/0060set_multistmt_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + RULESET="table x { set y { type ipv4_addr diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1 new file mode 100755 index 00000000..04ef047c --- /dev/null +++ b/tests/shell/testcases/sets/0060set_multistmt_1 @@ -0,0 +1,40 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + +RULESET="table x { + set y { + type ipv4_addr + size 65535 + flags dynamic + counter quota 500 bytes + elements = { 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes } + } + chain y { + type filter hook output priority filter; policy accept; + update @y { ip daddr } + } +}" + +$NFT -f - <<< $RULESET +# should work +if [ $? -ne 0 ] +then + exit 1 +fi + +# should work +$NFT add element x y { 1.1.1.1 } +if [ $? -ne 0 ] +then + exit 1 +fi + +# should work +$NFT add element x y { 2.2.2.2 counter quota 1000 bytes } +if [ $? -ne 0 ] +then + exit 1 +fi + +exit 0 diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0 index 48d589fe..48aa6fce 100755 --- a/tests/shell/testcases/sets/0062set_connlimit_0 +++ b/tests/shell/testcases/sets/0062set_connlimit_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + set -e RULESET="table ip x { @@ -24,3 +26,6 @@ RULESET="table ip x { }" $NFT -f - <<< $RULESET + +$NFT flush set ip x est-connlimit +$NFT flush set ip x new-connlimit diff --git a/tests/shell/testcases/sets/0063set_catchall_0 b/tests/shell/testcases/sets/0063set_catchall_0 index faca56a1..edd015d0 100755 --- a/tests/shell/testcases/sets/0063set_catchall_0 +++ b/tests/shell/testcases/sets/0063set_catchall_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + set -e RULESET="table ip x { diff --git a/tests/shell/testcases/sets/0064map_catchall_0 b/tests/shell/testcases/sets/0064map_catchall_0 index 43685160..fd289372 100755 --- a/tests/shell/testcases/sets/0064map_catchall_0 +++ b/tests/shell/testcases/sets/0064map_catchall_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + set -e RULESET="table ip x { diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0 index 530771b0..81621957 100755 --- a/tests/shell/testcases/sets/0067nat_concat_interval_0 +++ b/tests/shell/testcases/sets/0067nat_concat_interval_0 @@ -1,21 +1,8 @@ #!/bin/bash -set -e - -EXPECTED="table ip nat { - map ipportmap { - type ipv4_addr : interval ipv4_addr . inet_service - flags interval - elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 } - } - chain prerouting { - type nat hook prerouting priority dstnat; policy accept; - ip protocol tcp dnat ip to ip saddr map @ipportmap - } -}" +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) -$NFT -f - <<< $EXPECTED -$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } +set -e EXPECTED="table ip nat { map ipportmap2 { @@ -42,3 +29,30 @@ EXPECTED="table ip nat { $NFT -f - <<< $EXPECTED $NFT add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th + +EXPECTED="table ip nat { + map ipportmap4 { + typeof iifname . ip saddr : interval ip daddr + flags interval + elements = { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + dnat to iifname . ip saddr map @ipportmap4 + } +}" + +$NFT -f - <<< $EXPECTED +EXPECTED="table ip nat { + map ipportmap5 { + typeof iifname . ip saddr : interval ip daddr . tcp dport + flags interval + elements = { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5 + } +}" + +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/0067nat_interval_0 b/tests/shell/testcases/sets/0067nat_interval_0 new file mode 100755 index 00000000..c90203d0 --- /dev/null +++ b/tests/shell/testcases/sets/0067nat_interval_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +set -e + +EXPECTED="table ip nat { + map ipportmap { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 } + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr map @ipportmap + } +}" + +$NFT -f - <<< $EXPECTED +$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0 index 2cbc9868..e61010c7 100755 --- a/tests/shell/testcases/sets/0068interval_stack_overflow_0 +++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0 @@ -6,9 +6,18 @@ ruleset_file=$(mktemp) trap 'rm -f "$ruleset_file"' EXIT +HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi + { echo 'define big_set = {' - for ((i = 1; i < 255; i++)); do + for ((i = 1; i < $HOWMANY; i++)); do for ((j = 1; j < 255; j++)); do echo "10.0.$i.$j," done @@ -27,3 +36,10 @@ table inet test68_table { EOF ( ulimit -s 400 && $NFT -f "$ruleset_file" ) + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 new file mode 100755 index 00000000..79e3ca7d --- /dev/null +++ b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 @@ -0,0 +1,23 @@ +#!/bin/bash + +set -e + +RULESET=" +table inet t { + set s1 { + type ipv4_addr + flags interval + elements = { 192.0.0.0/2, 10.0.0.0/8 } + } + set s2 { + type ipv6_addr + flags interval + elements = { ff00::/8, fe80::/10 } + } + chain c { + ip saddr @s1 accept + ip6 daddr @s2 accept + } +}" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/sets/0072destroy_0 b/tests/shell/testcases/sets/0072destroy_0 new file mode 100755 index 00000000..9886a9b0 --- /dev/null +++ b/tests/shell/testcases/sets/0072destroy_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table x + +# pass for non-existent set +$NFT destroy set x s + +# successfully delete existing set +$NFT add set x s '{type ipv4_addr; size 2;}' +$NFT destroy set x s diff --git a/tests/shell/testcases/sets/0073flat_interval_set b/tests/shell/testcases/sets/0073flat_interval_set new file mode 100755 index 00000000..0630595f --- /dev/null +++ b/tests/shell/testcases/sets/0073flat_interval_set @@ -0,0 +1,11 @@ +#!/bin/bash + +set -e + +EXPECTED="flush ruleset +add table inet filter +add map inet filter testmap { type ipv4_addr : counter; flags interval;} +add counter inet filter TEST +add element inet filter testmap { 192.168.0.0/24 : \"TEST\" }" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0074nested_interval_set b/tests/shell/testcases/sets/0074nested_interval_set new file mode 100755 index 00000000..e7f65fc5 --- /dev/null +++ b/tests/shell/testcases/sets/0074nested_interval_set @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0 index c9fb6095..1dbac0b7 100755 --- a/tests/shell/testcases/sets/automerge_0 +++ b/tests/shell/testcases/sets/automerge_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + set -e RULESET="table inet x { @@ -10,14 +12,23 @@ RULESET="table inet x { } }" +HOWMANY=65535 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=5000 +fi + $NFT -f - <<< $RULESET tmpfile=$(mktemp) echo -n "add element inet x y { " > $tmpfile -for ((i=0;i<65535;i+=2)) +for ((i=0;i<$HOWMANY;i+=2)) do echo -n "$i, " >> $tmpfile - if [ $i -eq 65534 ] + if [ $i -eq $((HOWMANY-1)) ] then echo -n "$i" >> $tmpfile fi @@ -27,23 +38,28 @@ echo "}" >> $tmpfile $NFT -f $tmpfile tmpfile2=$(mktemp) -for ((i=1;i<65535;i+=2)) +for ((i=1;i<$HOWMANY;i+=2)) do echo "$i" >> $tmpfile2 done tmpfile3=$(mktemp) -shuf $tmpfile2 > $tmpfile3 +shuf "$tmpfile2" --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "automerge-shuf-tmpfile2" "$NFT_TEST_RANDOM_SEED") > "$tmpfile3" i=0 cat $tmpfile3 | while read line && [ $i -lt 10 ] do $NFT add element inet x y { $line } + if [ $? -ne 0 ] + then + echo "failed to add $line" + exit 1 + fi i=$((i+1)) done for ((i=0;i<10;i++)) do - from=$(($RANDOM%65535)) + from=$(($RANDOM%$HOWMANY)) to=$(($from+100)) $NFT add element inet x y { $from-$to } if [ $? -ne 0 ] @@ -51,14 +67,65 @@ do echo "failed to add $from-$to" exit 1 fi - $NFT get element inet x y { $from-$to } + + $NFT get element inet x y { $from-$to } 1>/dev/null if [ $? -ne 0 ] then echo "failed to get $from-$to" exit 1 fi + + # partial removals in the previous random range + from2=$(($from+10)) + to2=$(($to-10)) + $NFT delete element inet x y { $from, $to, $from2-$to2 } + if [ $? -ne 0 ] + then + echo "failed to delete $from, $to, $from2-$to2" + exit 1 + fi + + # check deletions are correct + from=$(($from+1)) + $NFT get element inet x y { $from } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $from" + exit 1 + fi + + to=$(($to-1)) + $NFT get element inet x y { $to } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $to" + exit 1 + fi + + from2=$(($from2-1)) + $NFT get element inet x y { $from2 } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $from2" + exit 1 + fi + to2=$(($to2+1)) + + $NFT get element inet x y { $to2 } 1>/dev/null + if [ $? -ne 0 ] + then + echo "failed to get $to2" + exit 1 + fi done rm -f $tmpfile rm -f $tmpfile2 rm -f $tmpfile3 + +if [ "$HOWMANY" != 65535 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0 new file mode 100755 index 00000000..52a42c2f --- /dev/null +++ b/tests/shell/testcases/sets/collapse_elem_0 @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +RULESET="table ip a { + set x { + type inet_service; + } +} +table ip6 a { + set x { + type inet_service; + } +} +add element ip a x { 1 } +add element ip a x { 2 } +add element ip6 a x { 2 }" + +$NFT -f - <<< $RULESET + +RULESET="define m = { 3, 4 } +add element ip a x \$m +add element ip a x { 5 }" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/concat_interval_0 b/tests/shell/testcases/sets/concat_interval_0 new file mode 100755 index 00000000..36138ae0 --- /dev/null +++ b/tests/shell/testcases/sets/concat_interval_0 @@ -0,0 +1,26 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET="table ip t { + set s { + type ipv4_addr . inet_proto . inet_service + flags interval + counter + elements = { 1.0.0.1 . udp . 53 } + } + set s2 { + type ipv4_addr . mark + flags interval + elements = { 10.10.10.10 . 0x00000100, + 20.20.20.20 . 0x00000200 } + } +}" + +$NFT -f - <<< $RULESET + +$NFT delete element t s { 1.0.0.1 . udp . 53} + +exit 0 diff --git a/tests/shell/testcases/sets/concat_nlmsg_overrun b/tests/shell/testcases/sets/concat_nlmsg_overrun new file mode 100755 index 00000000..69cefe90 --- /dev/null +++ b/tests/shell/testcases/sets/concat_nlmsg_overrun @@ -0,0 +1,734 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET='flush ruleset + +table ip filter { + set test_set { + type iface_index . ether_addr . ipv4_addr + flags interval + elements = { + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3, + "lo" . 00:11:22:33:44:55 . 10.1.2.3, + "lo" . 00:11:22:33:44:55 . 10.1.2.3, + } + } +}' + +$NFT -f - <<< $RULESET + +exit 0 diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft new file mode 100644 index 00000000..b9c66a21 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft @@ -0,0 +1,261 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + "10.0.0.0", + "11.0.0.0" + ] + }, + { + "prefix": { + "addr": "172.16.0.0", + "len": 16 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s2", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 64 + } + }, + { + "range": [ + "fe11::", + "fe22::" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s3", + "table": "t", + "type": "inet_proto", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 10, + 20 + ] + }, + { + "range": [ + 50, + 60 + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s4", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 0, + 1024 + ] + }, + { + "range": [ + 8080, + 8082 + ] + }, + { + "range": [ + 10000, + 40000 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@s2" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "@s3" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + }, + "right": "@s3" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": "@s4" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft new file mode 100644 index 00000000..4c0be670 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft @@ -0,0 +1,44 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft new file mode 100644 index 00000000..b6173e9f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft new file mode 100644 index 00000000..c55858fa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 64 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft new file mode 100644 index 00000000..a75681f3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 48 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft new file mode 100644 index 00000000..b6173e9f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft new file mode 100644 index 00000000..f5a9ac19 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft new file mode 100644 index 00000000..c6f5aa68 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft new file mode 100644 index 00000000..fa5dcb25 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft @@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "postrouting", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sourcemap", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "100.123.10.2", + { + "jump": { + "target": "c" + } + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@sourcemap" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft new file mode 100644 index 00000000..2418b39a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "timeout" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.json-nft b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft new file mode 100644 index 00000000..7ea3c602 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "::1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft new file mode 100644 index 00000000..6268e216 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "blacklist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft new file mode 100644 index 00000000..96b9714a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft new file mode 100644 index 00000000..96b9714a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft new file mode 100644 index 00000000..d226811c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1", + "1.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft new file mode 100644 index 00000000..8cd37076 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1, 1.1.1.2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft new file mode 100644 index 00000000..d226811c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1", + "1.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.json-nft b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft new file mode 100644 index 00000000..401a8f23 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "elem": [ + { + "elem": { + "val": 22, + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft new file mode 100644 index 00000000..5ed089dc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft @@ -0,0 +1,69 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "2.2.2.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "3.3.3.0", + "len": 24 + } + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft new file mode 100644 index 00000000..c6171392 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft @@ -0,0 +1,101 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service" + } + }, + { + "set": { + "family": "ip", + "name": "f", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 1024, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@f", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft index 5a6e3261..38987ded 100644 --- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft @@ -7,7 +7,13 @@ table ip t { type ipv4_addr : inet_service } + set f { + type ipv4_addr + size 1024 + flags dynamic + } + chain c { - tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second } + tcp dport 80 add @f { ip saddr limit rate 10/second burst 5 packets } } } diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft new file mode 100644 index 00000000..b4521333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft @@ -0,0 +1,165 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "quota", + "elem": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@test" + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft deleted file mode 100644 index 52d1bf64..00000000 --- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft +++ /dev/null @@ -1,50 +0,0 @@ -table inet x { - counter user123 { - packets 12 bytes 1433 - } - - counter user321 { - packets 0 bytes 0 - } - - quota user123 { - over 2000 bytes - } - - quota user124 { - over 2000 bytes - } - - synproxy https-synproxy { - mss 1460 - wscale 7 - timestamp sack-perm - } - - synproxy other-synproxy { - mss 1460 - wscale 5 - } - - set y { - type ipv4_addr - } - - map test { - type ipv4_addr : quota - elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } - } - - map test2 { - type ipv4_addr : synproxy - flags interval - elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } - } - - chain y { - type filter hook input priority filter; policy accept; - counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" } - synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } - quota name ip saddr map @test drop - } -} diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft new file mode 100644 index 00000000..0af61333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft @@ -0,0 +1,131 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "synproxy": { + "family": "inet", + "name": "https-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 7, + "flags": [ + "timestamp", + "sack-perm" + ] + } + }, + { + "synproxy": { + "family": "inet", + "name": "other-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 5 + } + }, + { + "map": { + "family": "inet", + "name": "test2", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "synproxy", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "synproxy": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft new file mode 100644 index 00000000..dd9a112a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft @@ -0,0 +1,24 @@ +table inet x { + synproxy https-synproxy { + mss 1460 + wscale 7 + timestamp sack-perm + } + + synproxy other-synproxy { + mss 1460 + wscale 5 + } + + map test2 { + type ipv4_addr : synproxy + flags interval + elements = { 192.168.1.0/24 : "https-synproxy", + 192.168.2.0/24 : "other-synproxy" } + } + + chain y { + type filter hook input priority filter; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft new file mode 100644 index 00000000..9d56d025 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.0.1", + "192.168.0.2", + "192.168.0.3" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "doesntexist" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 23 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft new file mode 100644 index 00000000..5d21f26c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "limit": { + "family": "ip", + "name": "http-traffic", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "burst": 5 + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + "http-traffic" + ], + [ + 443, + "http-traffic" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft new file mode 100644 index 00000000..b9251ffa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "::ffff:0.0.0.0", + "len": 96 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft new file mode 100644 index 00000000..5968b2e0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft @@ -0,0 +1,168 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": "inet_proto", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "s3", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 1024, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "set": "@s1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@s2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@s3" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft new file mode 100644 index 00000000..0c604927 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft @@ -0,0 +1,26 @@ +table ip t { + set s1 { + type inet_proto + size 65535 + flags dynamic + } + + set s2 { + type ipv4_addr + size 65535 + flags dynamic + } + + set s3 { + type ipv4_addr + size 1024 + flags dynamic + } + + chain c { + type filter hook input priority filter; policy accept; + iifname "foobar" add @s1 { ip protocol } + iifname "foobar" add @s2 { ip daddr } + iifname "foobar" add @s3 { ip daddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft new file mode 100644 index 00000000..96314141 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "x", + "table": "test-ip", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "test-ip", + "type": "inet_service", + "handle": 0, + "flags": [ + "timeout" + ], + "timeout": 10845 + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "test-ip", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "constant", + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft new file mode 100644 index 00000000..0f25c763 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft @@ -0,0 +1,15 @@ +table ip test-ip { + set x { + type ipv4_addr + } + + set y { + type inet_service + timeout 3h45s + } + + set z { + type ipv4_addr + flags constant,interval + } +} diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft index 55cd4f26..6f9832a9 100644 --- a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft +++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft @@ -51,6 +51,7 @@ table inet t { chain c { iifname @s accept oifname @s accept + fib saddr oifname @s accept tcp dport . iifname @sc accept iifname . meta mark @nv accept } diff --git a/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft new file mode 100644 index 00000000..4d194bff --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "setA", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + }, + { + "set": { + "family": "ip", + "name": "setB", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft new file mode 100644 index 00000000..16684438 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "setA", + "table": "x", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + }, + { + "set": { + "family": "ip", + "name": "setB", + "table": "x", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "timeout" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft new file mode 100644 index 00000000..d6174c51 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft @@ -0,0 +1,11 @@ +table ip x { + set setA { + type ipv4_addr . inet_service . ipv4_addr + flags timeout + } + + set setB { + type ipv4_addr . inet_service + flags timeout + } +} diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft new file mode 100644 index 00000000..bfc0e4a0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft @@ -0,0 +1,140 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + 10, + { + "range": [ + 20, + 30 + ] + }, + 40, + { + "range": [ + 50, + 60 + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "ips", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "10.0.0.1", + { + "range": [ + "10.0.0.5", + "10.0.0.8" + ] + }, + { + "prefix": { + "addr": "10.0.0.128", + "len": 25 + } + }, + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + { + "range": [ + "10.0.2.3", + "10.0.2.12" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "cs", + "table": "t", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.0.0.1", + 22 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.1.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 1024 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "10.2.0.1", + "10.2.0.8" + ] + }, + { + "range": [ + 1024, + 65535 + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.nft b/tests/shell/testcases/sets/dumps/0034get_element_0.nft new file mode 100644 index 00000000..1c1dd977 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0034get_element_0.nft @@ -0,0 +1,23 @@ +table ip t { + set s { + type inet_service + flags interval + elements = { 10, 20-30, 40, 50-60 } + } + + set ips { + type ipv4_addr + flags interval + elements = { 10.0.0.1, 10.0.0.5-10.0.0.8, + 10.0.0.128/25, 10.0.1.0/24, + 10.0.2.3-10.0.2.12 } + } + + set cs { + type ipv4_addr . inet_service + flags interval + elements = { 10.0.0.1 . 22, + 10.1.0.0/16 . 1-1024, + 10.2.0.1-10.2.0.8 . 1024-65535 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft new file mode 100644 index 00000000..e4c77147 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft new file mode 100644 index 00000000..ca69cee2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft @@ -0,0 +1,6 @@ +table ip x { + set y { + type ipv4_addr + flags interval + } +} diff --git a/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft new file mode 100644 index 00000000..1c3b559d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft @@ -0,0 +1,159 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, + { + "set": { + "family": "inet", + "name": "myset", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "192.168.0.113", + "tcp", + 22 + ] + }, + { + "concat": [ + "192.168.0.12", + "tcp", + 53 + ] + }, + { + "concat": [ + "192.168.0.12", + "udp", + 53 + ] + }, + { + "concat": [ + "192.168.0.12", + "tcp", + 80 + ] + }, + { + "concat": [ + "192.168.0.13", + "tcp", + 80 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "forward", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "forward", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": "@myset" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft new file mode 100644 index 00000000..5b13f59a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft @@ -0,0 +1,96 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 256, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 128, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@m", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft new file mode 100644 index 00000000..8037dfa5 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft @@ -0,0 +1,17 @@ +table ip t { + set s { + type ipv4_addr + size 256 + flags dynamic,timeout + } + + set m { + type ipv4_addr + size 128 + flags dynamic + } + + chain c { + tcp dport 80 add @m { ip saddr limit rate 10/second burst 5 packets } + } +} diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft new file mode 100644 index 00000000..d6e46aad --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + "192.168.1.0", + "192.168.1.254" + ] + }, + "192.168.1.255" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft new file mode 100644 index 00000000..1fc76572 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft new file mode 100644 index 00000000..4b6cf03c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "mark", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "range": [ + 35, + 66 + ] + }, + 4919 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft new file mode 100644 index 00000000..f580c381 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type mark + flags interval + elements = { 0x00000023-0x00000042, 0x00001337 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.json-nft b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft new file mode 100644 index 00000000..14a39330 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft @@ -0,0 +1,33 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "192.168.2.196" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.nft b/tests/shell/testcases/sets/dumps/0041interval_0.nft new file mode 100644 index 00000000..222d4d74 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0041interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.2.196 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft new file mode 100644 index 00000000..bc1d4cc2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft @@ -0,0 +1,87 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "set1", + "table": "t", + "type": "ether_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "set2", + "table": "t", + "type": "ether_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + "right": "@set1" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + "set": "@set2", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.nft b/tests/shell/testcases/sets/dumps/0042update_set_0.nft new file mode 100644 index 00000000..56cc875e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.nft @@ -0,0 +1,15 @@ +table ip t { + set set1 { + type ether_addr + } + + set set2 { + type ether_addr + size 65535 + flags dynamic + } + + chain c { + ether daddr @set1 add @set2 { ether daddr counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft new file mode 100644 index 00000000..ffb76e2f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft @@ -0,0 +1,98 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "filter", + "type": [ + "mark", + "inet_service", + "inet_proto" + ], + "handle": 0, + "map": "mark", + "flags": [ + "interval", + "timeout" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "output", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "mark" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "data": "@test" + } + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft new file mode 100644 index 00000000..f2077b91 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft @@ -0,0 +1,11 @@ +table inet filter { + map test { + type mark . inet_service . inet_proto : mark + flags interval,timeout + } + + chain output { + type filter hook output priority filter; policy accept; + meta mark set meta mark . tcp dport . meta l4proto map @test counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft new file mode 100644 index 00000000..92b59c86 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft @@ -0,0 +1,1723 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "s", + "table": "t", + "type": [ + "ipv6_addr", + "ipv6_addr" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 32 + } + }, + { + "range": [ + "2001:db8:20::", + "2001:db8:20::20:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 33 + } + }, + { + "range": [ + "2001:db8:21::", + "2001:db8:21::21:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 34 + } + }, + { + "range": [ + "2001:db8:22::", + "2001:db8:22::22:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 35 + } + }, + { + "range": [ + "2001:db8:23::", + "2001:db8:23::23:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 36 + } + }, + { + "range": [ + "2001:db8:24::", + "2001:db8:24::24:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 37 + } + }, + { + "range": [ + "2001:db8:25::", + "2001:db8:25::25:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 38 + } + }, + { + "range": [ + "2001:db8:26::", + "2001:db8:26::26:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 39 + } + }, + { + "range": [ + "2001:db8:27::", + "2001:db8:27::27:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 40 + } + }, + { + "range": [ + "2001:db8:28::", + "2001:db8:28::28:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 41 + } + }, + { + "range": [ + "2001:db8:29::", + "2001:db8:29::29:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 42 + } + }, + { + "range": [ + "2001:db8:2a::", + "2001:db8:2a::2a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 43 + } + }, + { + "range": [ + "2001:db8:2b::", + "2001:db8:2b::2b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 44 + } + }, + { + "range": [ + "2001:db8:2c::", + "2001:db8:2c::2c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 45 + } + }, + { + "range": [ + "2001:db8:2d::", + "2001:db8:2d::2d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 46 + } + }, + { + "range": [ + "2001:db8:2e::", + "2001:db8:2e::2e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 47 + } + }, + { + "range": [ + "2001:db8:2f::", + "2001:db8:2f::2f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 48 + } + }, + { + "range": [ + "2001:db8:30::", + "2001:db8:30::30:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 49 + } + }, + { + "range": [ + "2001:db8:31::", + "2001:db8:31::31:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 50 + } + }, + { + "range": [ + "2001:db8:32::", + "2001:db8:32::32:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 51 + } + }, + { + "range": [ + "2001:db8:33::", + "2001:db8:33::33:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 52 + } + }, + { + "range": [ + "2001:db8:34::", + "2001:db8:34::34:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 53 + } + }, + { + "range": [ + "2001:db8:35::", + "2001:db8:35::35:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 54 + } + }, + { + "range": [ + "2001:db8:36::", + "2001:db8:36::36:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 55 + } + }, + { + "range": [ + "2001:db8:37::", + "2001:db8:37::37:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 56 + } + }, + { + "range": [ + "2001:db8:38::", + "2001:db8:38::38:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 57 + } + }, + { + "range": [ + "2001:db8:39::", + "2001:db8:39::39:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 58 + } + }, + { + "range": [ + "2001:db8:3a::", + "2001:db8:3a::3a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 59 + } + }, + { + "range": [ + "2001:db8:3b::", + "2001:db8:3b::3b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 60 + } + }, + { + "range": [ + "2001:db8:3c::", + "2001:db8:3c::3c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 61 + } + }, + { + "range": [ + "2001:db8:3d::", + "2001:db8:3d::3d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 62 + } + }, + { + "range": [ + "2001:db8:3e::", + "2001:db8:3e::3e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 63 + } + }, + { + "range": [ + "2001:db8:3f::", + "2001:db8:3f::3f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 64 + } + }, + { + "range": [ + "2001:db8:40::", + "2001:db8:40::40:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 65 + } + }, + { + "range": [ + "2001:db8:41::", + "2001:db8:41::41:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 66 + } + }, + { + "range": [ + "2001:db8:42::", + "2001:db8:42::42:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 67 + } + }, + { + "range": [ + "2001:db8:43::", + "2001:db8:43::43:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 68 + } + }, + { + "range": [ + "2001:db8:44::", + "2001:db8:44::44:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 69 + } + }, + { + "range": [ + "2001:db8:45::", + "2001:db8:45::45:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 70 + } + }, + { + "range": [ + "2001:db8:46::", + "2001:db8:46::46:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 71 + } + }, + { + "range": [ + "2001:db8:47::", + "2001:db8:47::47:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 72 + } + }, + { + "range": [ + "2001:db8:48::", + "2001:db8:48::48:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 73 + } + }, + { + "range": [ + "2001:db8:49::", + "2001:db8:49::49:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 74 + } + }, + { + "range": [ + "2001:db8:4a::", + "2001:db8:4a::4a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 75 + } + }, + { + "range": [ + "2001:db8:4b::", + "2001:db8:4b::4b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 76 + } + }, + { + "range": [ + "2001:db8:4c::", + "2001:db8:4c::4c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 77 + } + }, + { + "range": [ + "2001:db8:4d::", + "2001:db8:4d::4d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 78 + } + }, + { + "range": [ + "2001:db8:4e::", + "2001:db8:4e::4e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 79 + } + }, + { + "range": [ + "2001:db8:4f::", + "2001:db8:4f::4f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 80 + } + }, + { + "range": [ + "2001:db8:50::", + "2001:db8:50::50:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 81 + } + }, + { + "range": [ + "2001:db8:51::", + "2001:db8:51::51:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 82 + } + }, + { + "range": [ + "2001:db8:52::", + "2001:db8:52::52:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 83 + } + }, + { + "range": [ + "2001:db8:53::", + "2001:db8:53::53:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 84 + } + }, + { + "range": [ + "2001:db8:54::", + "2001:db8:54::54:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 85 + } + }, + { + "range": [ + "2001:db8:55::", + "2001:db8:55::55:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 86 + } + }, + { + "range": [ + "2001:db8:56::", + "2001:db8:56::56:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 87 + } + }, + { + "range": [ + "2001:db8:57::", + "2001:db8:57::57:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 88 + } + }, + { + "range": [ + "2001:db8:58::", + "2001:db8:58::58:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 89 + } + }, + { + "range": [ + "2001:db8:59::", + "2001:db8:59::59:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 90 + } + }, + { + "range": [ + "2001:db8:5a::", + "2001:db8:5a::5a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 91 + } + }, + { + "range": [ + "2001:db8:5b::", + "2001:db8:5b::5b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 92 + } + }, + { + "range": [ + "2001:db8:5c::", + "2001:db8:5c::5c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 93 + } + }, + { + "range": [ + "2001:db8:5d::", + "2001:db8:5d::5d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 94 + } + }, + { + "range": [ + "2001:db8:5e::", + "2001:db8:5e::5e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 95 + } + }, + { + "range": [ + "2001:db8:5f::", + "2001:db8:5f::5f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 96 + } + }, + { + "range": [ + "2001:db8:60::", + "2001:db8:60::60:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 97 + } + }, + { + "range": [ + "2001:db8:61::", + "2001:db8:61::61:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 98 + } + }, + { + "range": [ + "2001:db8:62::", + "2001:db8:62::62:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 99 + } + }, + { + "range": [ + "2001:db8:63::", + "2001:db8:63::63:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 100 + } + }, + { + "range": [ + "2001:db8:64::", + "2001:db8:64::64:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 101 + } + }, + { + "range": [ + "2001:db8:65::", + "2001:db8:65::65:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 102 + } + }, + { + "range": [ + "2001:db8:66::", + "2001:db8:66::66:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 103 + } + }, + { + "range": [ + "2001:db8:67::", + "2001:db8:67::67:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 104 + } + }, + { + "range": [ + "2001:db8:68::", + "2001:db8:68::68:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 105 + } + }, + { + "range": [ + "2001:db8:69::", + "2001:db8:69::69:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 106 + } + }, + { + "range": [ + "2001:db8:6a::", + "2001:db8:6a::6a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 107 + } + }, + { + "range": [ + "2001:db8:6b::", + "2001:db8:6b::6b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 108 + } + }, + { + "range": [ + "2001:db8:6c::", + "2001:db8:6c::6c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 109 + } + }, + { + "range": [ + "2001:db8:6d::", + "2001:db8:6d::6d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 110 + } + }, + { + "range": [ + "2001:db8:6e::", + "2001:db8:6e::6e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 111 + } + }, + { + "range": [ + "2001:db8:6f::", + "2001:db8:6f::6f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 112 + } + }, + { + "range": [ + "2001:db8:70::", + "2001:db8:70::70:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 113 + } + }, + { + "range": [ + "2001:db8:71::", + "2001:db8:71::71:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 114 + } + }, + { + "range": [ + "2001:db8:72::", + "2001:db8:72::72:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 115 + } + }, + { + "range": [ + "2001:db8:73::", + "2001:db8:73::73:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 116 + } + }, + { + "range": [ + "2001:db8:74::", + "2001:db8:74::74:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 117 + } + }, + { + "range": [ + "2001:db8:75::", + "2001:db8:75::75:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 118 + } + }, + { + "range": [ + "2001:db8:76::", + "2001:db8:76::76:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 119 + } + }, + { + "range": [ + "2001:db8:77::", + "2001:db8:77::77:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 120 + } + }, + { + "range": [ + "2001:db8:78::", + "2001:db8:78::78:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 121 + } + }, + { + "range": [ + "2001:db8:79::", + "2001:db8:79::79:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 122 + } + }, + { + "range": [ + "2001:db8:7a::", + "2001:db8:7a::7a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 123 + } + }, + { + "range": [ + "2001:db8:7b::", + "2001:db8:7b::7b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 124 + } + }, + { + "range": [ + "2001:db8:7c::", + "2001:db8:7c::7c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 125 + } + }, + { + "range": [ + "2001:db8:7d::", + "2001:db8:7d::7d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 126 + } + }, + { + "range": [ + "2001:db8:7e::", + "2001:db8:7e::7e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 127 + } + }, + { + "range": [ + "2001:db8:7f::", + "2001:db8:7f::7f:1" + ] + } + ] + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 24 + } + }, + { + "range": [ + "192.0.2.72", + "192.0.2.74" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 25 + } + }, + { + "range": [ + "192.0.2.75", + "192.0.2.77" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 26 + } + }, + { + "range": [ + "192.0.2.78", + "192.0.2.80" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 27 + } + }, + { + "range": [ + "192.0.2.81", + "192.0.2.83" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 28 + } + }, + { + "range": [ + "192.0.2.84", + "192.0.2.86" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 29 + } + }, + { + "range": [ + "192.0.2.87", + "192.0.2.89" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 30 + } + }, + { + "range": [ + "192.0.2.90", + "192.0.2.92" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 31 + } + }, + { + "range": [ + "192.0.2.93", + "192.0.2.95" + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft new file mode 100644 index 00000000..19d08d3d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft @@ -0,0 +1,116 @@ +table ip6 t { + set s { + type ipv6_addr . ipv6_addr + flags interval + elements = { 2001:db8::/32 . 2001:db8:20::-2001:db8:20::20:1, + 2001:db8::/33 . 2001:db8:21::-2001:db8:21::21:1, + 2001:db8::/34 . 2001:db8:22::-2001:db8:22::22:1, + 2001:db8::/35 . 2001:db8:23::-2001:db8:23::23:1, + 2001:db8::/36 . 2001:db8:24::-2001:db8:24::24:1, + 2001:db8::/37 . 2001:db8:25::-2001:db8:25::25:1, + 2001:db8::/38 . 2001:db8:26::-2001:db8:26::26:1, + 2001:db8::/39 . 2001:db8:27::-2001:db8:27::27:1, + 2001:db8::/40 . 2001:db8:28::-2001:db8:28::28:1, + 2001:db8::/41 . 2001:db8:29::-2001:db8:29::29:1, + 2001:db8::/42 . 2001:db8:2a::-2001:db8:2a::2a:1, + 2001:db8::/43 . 2001:db8:2b::-2001:db8:2b::2b:1, + 2001:db8::/44 . 2001:db8:2c::-2001:db8:2c::2c:1, + 2001:db8::/45 . 2001:db8:2d::-2001:db8:2d::2d:1, + 2001:db8::/46 . 2001:db8:2e::-2001:db8:2e::2e:1, + 2001:db8::/47 . 2001:db8:2f::-2001:db8:2f::2f:1, + 2001:db8::/48 . 2001:db8:30::-2001:db8:30::30:1, + 2001:db8::/49 . 2001:db8:31::-2001:db8:31::31:1, + 2001:db8::/50 . 2001:db8:32::-2001:db8:32::32:1, + 2001:db8::/51 . 2001:db8:33::-2001:db8:33::33:1, + 2001:db8::/52 . 2001:db8:34::-2001:db8:34::34:1, + 2001:db8::/53 . 2001:db8:35::-2001:db8:35::35:1, + 2001:db8::/54 . 2001:db8:36::-2001:db8:36::36:1, + 2001:db8::/55 . 2001:db8:37::-2001:db8:37::37:1, + 2001:db8::/56 . 2001:db8:38::-2001:db8:38::38:1, + 2001:db8::/57 . 2001:db8:39::-2001:db8:39::39:1, + 2001:db8::/58 . 2001:db8:3a::-2001:db8:3a::3a:1, + 2001:db8::/59 . 2001:db8:3b::-2001:db8:3b::3b:1, + 2001:db8::/60 . 2001:db8:3c::-2001:db8:3c::3c:1, + 2001:db8::/61 . 2001:db8:3d::-2001:db8:3d::3d:1, + 2001:db8::/62 . 2001:db8:3e::-2001:db8:3e::3e:1, + 2001:db8::/63 . 2001:db8:3f::-2001:db8:3f::3f:1, + 2001:db8::/64 . 2001:db8:40::-2001:db8:40::40:1, + 2001:db8::/65 . 2001:db8:41::-2001:db8:41::41:1, + 2001:db8::/66 . 2001:db8:42::-2001:db8:42::42:1, + 2001:db8::/67 . 2001:db8:43::-2001:db8:43::43:1, + 2001:db8::/68 . 2001:db8:44::-2001:db8:44::44:1, + 2001:db8::/69 . 2001:db8:45::-2001:db8:45::45:1, + 2001:db8::/70 . 2001:db8:46::-2001:db8:46::46:1, + 2001:db8::/71 . 2001:db8:47::-2001:db8:47::47:1, + 2001:db8::/72 . 2001:db8:48::-2001:db8:48::48:1, + 2001:db8::/73 . 2001:db8:49::-2001:db8:49::49:1, + 2001:db8::/74 . 2001:db8:4a::-2001:db8:4a::4a:1, + 2001:db8::/75 . 2001:db8:4b::-2001:db8:4b::4b:1, + 2001:db8::/76 . 2001:db8:4c::-2001:db8:4c::4c:1, + 2001:db8::/77 . 2001:db8:4d::-2001:db8:4d::4d:1, + 2001:db8::/78 . 2001:db8:4e::-2001:db8:4e::4e:1, + 2001:db8::/79 . 2001:db8:4f::-2001:db8:4f::4f:1, + 2001:db8::/80 . 2001:db8:50::-2001:db8:50::50:1, + 2001:db8::/81 . 2001:db8:51::-2001:db8:51::51:1, + 2001:db8::/82 . 2001:db8:52::-2001:db8:52::52:1, + 2001:db8::/83 . 2001:db8:53::-2001:db8:53::53:1, + 2001:db8::/84 . 2001:db8:54::-2001:db8:54::54:1, + 2001:db8::/85 . 2001:db8:55::-2001:db8:55::55:1, + 2001:db8::/86 . 2001:db8:56::-2001:db8:56::56:1, + 2001:db8::/87 . 2001:db8:57::-2001:db8:57::57:1, + 2001:db8::/88 . 2001:db8:58::-2001:db8:58::58:1, + 2001:db8::/89 . 2001:db8:59::-2001:db8:59::59:1, + 2001:db8::/90 . 2001:db8:5a::-2001:db8:5a::5a:1, + 2001:db8::/91 . 2001:db8:5b::-2001:db8:5b::5b:1, + 2001:db8::/92 . 2001:db8:5c::-2001:db8:5c::5c:1, + 2001:db8::/93 . 2001:db8:5d::-2001:db8:5d::5d:1, + 2001:db8::/94 . 2001:db8:5e::-2001:db8:5e::5e:1, + 2001:db8::/95 . 2001:db8:5f::-2001:db8:5f::5f:1, + 2001:db8::/96 . 2001:db8:60::-2001:db8:60::60:1, + 2001:db8::/97 . 2001:db8:61::-2001:db8:61::61:1, + 2001:db8::/98 . 2001:db8:62::-2001:db8:62::62:1, + 2001:db8::/99 . 2001:db8:63::-2001:db8:63::63:1, + 2001:db8::/100 . 2001:db8:64::-2001:db8:64::64:1, + 2001:db8::/101 . 2001:db8:65::-2001:db8:65::65:1, + 2001:db8::/102 . 2001:db8:66::-2001:db8:66::66:1, + 2001:db8::/103 . 2001:db8:67::-2001:db8:67::67:1, + 2001:db8::/104 . 2001:db8:68::-2001:db8:68::68:1, + 2001:db8::/105 . 2001:db8:69::-2001:db8:69::69:1, + 2001:db8::/106 . 2001:db8:6a::-2001:db8:6a::6a:1, + 2001:db8::/107 . 2001:db8:6b::-2001:db8:6b::6b:1, + 2001:db8::/108 . 2001:db8:6c::-2001:db8:6c::6c:1, + 2001:db8::/109 . 2001:db8:6d::-2001:db8:6d::6d:1, + 2001:db8::/110 . 2001:db8:6e::-2001:db8:6e::6e:1, + 2001:db8::/111 . 2001:db8:6f::-2001:db8:6f::6f:1, + 2001:db8::/112 . 2001:db8:70::-2001:db8:70::70:1, + 2001:db8::/113 . 2001:db8:71::-2001:db8:71::71:1, + 2001:db8::/114 . 2001:db8:72::-2001:db8:72::72:1, + 2001:db8::/115 . 2001:db8:73::-2001:db8:73::73:1, + 2001:db8::/116 . 2001:db8:74::-2001:db8:74::74:1, + 2001:db8::/117 . 2001:db8:75::-2001:db8:75::75:1, + 2001:db8::/118 . 2001:db8:76::-2001:db8:76::76:1, + 2001:db8::/119 . 2001:db8:77::-2001:db8:77::77:1, + 2001:db8::/120 . 2001:db8:78::-2001:db8:78::78:1, + 2001:db8::/121 . 2001:db8:79::-2001:db8:79::79:1, + 2001:db8::/122 . 2001:db8:7a::-2001:db8:7a::7a:1, + 2001:db8::/123 . 2001:db8:7b::-2001:db8:7b::7b:1, + 2001:db8::/124 . 2001:db8:7c::-2001:db8:7c::7c:1, + 2001:db8::/125 . 2001:db8:7d::-2001:db8:7d::7d:1, + 2001:db8::/126 . 2001:db8:7e::-2001:db8:7e::7e:1, + 2001:db8::/127 . 2001:db8:7f::-2001:db8:7f::7f:1 } + } +} +table ip t { + set s { + type ipv4_addr . ipv4_addr + flags interval + elements = { 192.0.2.0/24 . 192.0.2.72-192.0.2.74, + 192.0.2.0/25 . 192.0.2.75-192.0.2.77, + 192.0.2.0/26 . 192.0.2.78-192.0.2.80, + 192.0.2.0/27 . 192.0.2.81-192.0.2.83, + 192.0.2.0/28 . 192.0.2.84-192.0.2.86, + 192.0.2.0/29 . 192.0.2.87-192.0.2.89, + 192.0.2.0/30 . 192.0.2.90-192.0.2.92, + 192.0.2.0/31 . 192.0.2.93-192.0.2.95 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft new file mode 100644 index 00000000..f4aae383 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft @@ -0,0 +1,529 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + 25, + 30, + 82, + 119, + 349, + 745, + 748, + 1165, + 1233, + 1476, + 1550, + 1562, + 1743, + 1745, + 1882, + 2070, + 2194, + 2238, + 2450, + 2455, + 2642, + 2671, + 2906, + 3093, + 3203, + 3287, + 3348, + 3411, + 3540, + 3892, + 3943, + 4133, + 4205, + 4317, + 4733, + 5095, + 5156, + 5223, + 5230, + 5432, + 5826, + 5828, + 6044, + 6377, + 6388, + 6491, + 6952, + 6986, + 7012, + 7187, + 7300, + 7305, + 7549, + 7664, + 8111, + 8206, + 8396, + 8782, + 8920, + 8981, + 9067, + 9216, + 9245, + 9315, + 9432, + 9587, + 9689, + 9844, + 9991, + 10045, + 10252, + 10328, + 10670, + 10907, + 11021, + 11337, + 11427, + 11497, + 11502, + 11523, + 11552, + 11577, + 11721, + 11943, + 12474, + 12718, + 12764, + 12794, + 12922, + 13186, + 13232, + 13383, + 13431, + 13551, + 13676, + 13685, + 13747, + 13925, + 13935, + 14015, + 14090, + 14320, + 14392, + 14515, + 14647, + 14911, + 15096, + 15105, + 15154, + 15440, + 15583, + 15623, + 15677, + 15710, + 15926, + 15934, + 15960, + 16068, + 16166, + 16486, + 16489, + 16528, + 16646, + 16650, + 16770, + 16882, + 17052, + 17237, + 17387, + 17431, + 17886, + 17939, + 17999, + 18092, + 18123, + 18238, + 18562, + 18698, + 19004, + 19229, + 19237, + 19585, + 19879, + 19938, + 19950, + 19958, + 20031, + 20138, + 20157, + 20205, + 20368, + 20682, + 20687, + 20873, + 20910, + 20919, + 21019, + 21068, + 21115, + 21188, + 21236, + 21319, + 21563, + 21734, + 21806, + 21810, + 21959, + 21982, + 22078, + 22181, + 22308, + 22480, + 22643, + 22854, + 22879, + 22961, + 23397, + 23534, + 23845, + 23893, + 24130, + 24406, + 24794, + 24997, + 25019, + 25143, + 25179, + 25439, + 25603, + 25718, + 25859, + 25949, + 26006, + 26022, + 26047, + 26170, + 26193, + 26725, + 26747, + 26924, + 27023, + 27040, + 27233, + 27344, + 27478, + 27593, + 27600, + 27664, + 27678, + 27818, + 27822, + 28003, + 28038, + 28709, + 28808, + 29010, + 29057, + 29228, + 29485, + 30132, + 30160, + 30415, + 30469, + 30673, + 30736, + 30776, + 30780, + 31450, + 31537, + 31669, + 31839, + 31873, + 32019, + 32229, + 32685, + 32879, + 33318, + 33337, + 33404, + 33517, + 33906, + 34214, + 34346, + 34416, + 34727, + 34848, + 35325, + 35400, + 35451, + 35501, + 35637, + 35653, + 35710, + 35761, + 35767, + 36238, + 36258, + 36279, + 36464, + 36586, + 36603, + 36770, + 36774, + 36805, + 36851, + 37079, + 37189, + 37209, + 37565, + 37570, + 37585, + 37832, + 37931, + 37954, + 38006, + 38015, + 38045, + 38109, + 38114, + 38200, + 38209, + 38214, + 38277, + 38306, + 38402, + 38606, + 38697, + 38960, + 39004, + 39006, + 39197, + 39217, + 39265, + 39319, + 39460, + 39550, + 39615, + 39871, + 39886, + 40088, + 40135, + 40244, + 40323, + 40339, + 40355, + 40385, + 40428, + 40538, + 40791, + 40848, + 40959, + 41003, + 41131, + 41349, + 41643, + 41710, + 41826, + 41904, + 42027, + 42148, + 42235, + 42255, + 42498, + 42680, + 42973, + 43118, + 43135, + 43233, + 43349, + 43411, + 43487, + 43840, + 43843, + 43870, + 44040, + 44204, + 44817, + 44883, + 44894, + 44958, + 45201, + 45259, + 45283, + 45357, + 45423, + 45473, + 45498, + 45519, + 45561, + 45611, + 45627, + 45831, + 46043, + 46105, + 46116, + 46147, + 46169, + 46349, + 47147, + 47252, + 47314, + 47335, + 47360, + 47546, + 47617, + 47648, + 47772, + 47793, + 47846, + 47913, + 47952, + 48095, + 48325, + 48334, + 48412, + 48419, + 48540, + 48569, + 48628, + 48751, + 48944, + 48971, + 49008, + 49025, + 49503, + 49505, + 49613, + 49767, + 49839, + 49925, + 50022, + 50028, + 50238, + 51057, + 51477, + 51617, + 51910, + 52044, + 52482, + 52550, + 52643, + 52832, + 53382, + 53690, + 53809, + 53858, + 54001, + 54198, + 54280, + 54327, + 54376, + 54609, + 54776, + 54983, + 54984, + 55019, + 55038, + 55094, + 55368, + 55737, + 55793, + 55904, + 55941, + 55960, + 55978, + 56063, + 56121, + 56314, + 56505, + 56548, + 56568, + 56696, + 56798, + 56855, + 57102, + 57236, + 57333, + 57334, + 57441, + 57574, + 57659, + 57987, + 58325, + 58404, + 58509, + 58782, + 58876, + 59116, + 59544, + 59685, + 59700, + 59750, + 59799, + 59866, + 59870, + 59894, + 59984, + 60343, + 60481, + 60564, + 60731, + 61075, + 61087, + 61148, + 61174, + 61655, + 61679, + 61691, + 61723, + 61730, + 61758, + 61824, + 62035, + 62056, + 62661, + 62768, + 62946, + 63059, + 63116, + 63338, + 63387, + 63672, + 63719, + 63881, + 63995, + 64197, + 64374, + 64377, + 64472, + 64606, + 64662, + 64777, + 64795, + 64906, + 65049, + 65122, + 65318 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft new file mode 100644 index 00000000..5b249a3e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft @@ -0,0 +1,106 @@ +table ip t { + set s { + type inet_service + flags interval + elements = { 25, 30, 82, 119, 349, + 745, 748, 1165, 1233, 1476, + 1550, 1562, 1743, 1745, 1882, + 2070, 2194, 2238, 2450, 2455, + 2642, 2671, 2906, 3093, 3203, + 3287, 3348, 3411, 3540, 3892, + 3943, 4133, 4205, 4317, 4733, + 5095, 5156, 5223, 5230, 5432, + 5826, 5828, 6044, 6377, 6388, + 6491, 6952, 6986, 7012, 7187, + 7300, 7305, 7549, 7664, 8111, + 8206, 8396, 8782, 8920, 8981, + 9067, 9216, 9245, 9315, 9432, + 9587, 9689, 9844, 9991, 10045, + 10252, 10328, 10670, 10907, 11021, + 11337, 11427, 11497, 11502, 11523, + 11552, 11577, 11721, 11943, 12474, + 12718, 12764, 12794, 12922, 13186, + 13232, 13383, 13431, 13551, 13676, + 13685, 13747, 13925, 13935, 14015, + 14090, 14320, 14392, 14515, 14647, + 14911, 15096, 15105, 15154, 15440, + 15583, 15623, 15677, 15710, 15926, + 15934, 15960, 16068, 16166, 16486, + 16489, 16528, 16646, 16650, 16770, + 16882, 17052, 17237, 17387, 17431, + 17886, 17939, 17999, 18092, 18123, + 18238, 18562, 18698, 19004, 19229, + 19237, 19585, 19879, 19938, 19950, + 19958, 20031, 20138, 20157, 20205, + 20368, 20682, 20687, 20873, 20910, + 20919, 21019, 21068, 21115, 21188, + 21236, 21319, 21563, 21734, 21806, + 21810, 21959, 21982, 22078, 22181, + 22308, 22480, 22643, 22854, 22879, + 22961, 23397, 23534, 23845, 23893, + 24130, 24406, 24794, 24997, 25019, + 25143, 25179, 25439, 25603, 25718, + 25859, 25949, 26006, 26022, 26047, + 26170, 26193, 26725, 26747, 26924, + 27023, 27040, 27233, 27344, 27478, + 27593, 27600, 27664, 27678, 27818, + 27822, 28003, 28038, 28709, 28808, + 29010, 29057, 29228, 29485, 30132, + 30160, 30415, 30469, 30673, 30736, + 30776, 30780, 31450, 31537, 31669, + 31839, 31873, 32019, 32229, 32685, + 32879, 33318, 33337, 33404, 33517, + 33906, 34214, 34346, 34416, 34727, + 34848, 35325, 35400, 35451, 35501, + 35637, 35653, 35710, 35761, 35767, + 36238, 36258, 36279, 36464, 36586, + 36603, 36770, 36774, 36805, 36851, + 37079, 37189, 37209, 37565, 37570, + 37585, 37832, 37931, 37954, 38006, + 38015, 38045, 38109, 38114, 38200, + 38209, 38214, 38277, 38306, 38402, + 38606, 38697, 38960, 39004, 39006, + 39197, 39217, 39265, 39319, 39460, + 39550, 39615, 39871, 39886, 40088, + 40135, 40244, 40323, 40339, 40355, + 40385, 40428, 40538, 40791, 40848, + 40959, 41003, 41131, 41349, 41643, + 41710, 41826, 41904, 42027, 42148, + 42235, 42255, 42498, 42680, 42973, + 43118, 43135, 43233, 43349, 43411, + 43487, 43840, 43843, 43870, 44040, + 44204, 44817, 44883, 44894, 44958, + 45201, 45259, 45283, 45357, 45423, + 45473, 45498, 45519, 45561, 45611, + 45627, 45831, 46043, 46105, 46116, + 46147, 46169, 46349, 47147, 47252, + 47314, 47335, 47360, 47546, 47617, + 47648, 47772, 47793, 47846, 47913, + 47952, 48095, 48325, 48334, 48412, + 48419, 48540, 48569, 48628, 48751, + 48944, 48971, 49008, 49025, 49503, + 49505, 49613, 49767, 49839, 49925, + 50022, 50028, 50238, 51057, 51477, + 51617, 51910, 52044, 52482, 52550, + 52643, 52832, 53382, 53690, 53809, + 53858, 54001, 54198, 54280, 54327, + 54376, 54609, 54776, 54983, 54984, + 55019, 55038, 55094, 55368, 55737, + 55793, 55904, 55941, 55960, 55978, + 56063, 56121, 56314, 56505, 56548, + 56568, 56696, 56798, 56855, 57102, + 57236, 57333, 57334, 57441, 57574, + 57659, 57987, 58325, 58404, 58509, + 58782, 58876, 59116, 59544, 59685, + 59700, 59750, 59799, 59866, 59870, + 59894, 59984, 60343, 60481, 60564, + 60731, 61075, 61087, 61148, 61174, + 61655, 61679, 61691, 61723, 61730, + 61758, 61824, 62035, 62056, 62661, + 62768, 62946, 63059, 63116, 63338, + 63387, 63672, 63719, 63881, 63995, + 64197, 64374, 64377, 64472, 64606, + 64662, 64777, 64795, 64906, 65049, + 65122, 65318 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft new file mode 100644 index 00000000..8473c333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft @@ -0,0 +1,95 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65536, + "flags": [ + "timeout", + "dynamic" + ], + "elem": [ + { + "concat": [ + "192.168.7.1", + 22 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 21 + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 22 + ] + }, + "timeout": 60 + } + }, + "set": "@s" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft new file mode 100644 index 00000000..55f1a2ad --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft @@ -0,0 +1,167 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ], + [ + { + "prefix": { + "addr": "10.141.12.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.3.0", + "len": 24 + } + } + ], + [ + { + "prefix": { + "addr": "10.141.13.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.4.0", + "len": 24 + } + } + ] + ] + } + } + }, + "flags": "netmap", + "type_flags": "prefix" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "2001:db8:1111::", + "len": 64 + } + }, + { + "prefix": { + "addr": "2001:db8:2222::", + "len": 64 + } + } + ] + ] + } + } + }, + "flags": "netmap", + "type_flags": "prefix" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft index e7968054..86dbb708 100644 --- a/tests/shell/testcases/sets/dumps/0047nat_0.nft +++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft @@ -2,12 +2,30 @@ table ip x { map y { type ipv4_addr : interval ipv4_addr flags interval - elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31, + elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, + 10.141.11.0/24 : 192.168.4.2/31, 10.141.12.0/24 : 192.168.5.10-192.168.5.20 } } + chain x { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + chain y { type nat hook postrouting priority srcnat; policy accept; snat ip to ip saddr map @y } } +table inet x { + chain x { + type nat hook prerouting priority dstnat; policy accept; + dnat ip to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 } + } + + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft new file mode 100644 index 00000000..4be4112b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "elem": [ + { + "elem": { + "val": "192.168.10.35", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "192.168.10.101", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "192.168.10.135", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft index 2145f6b1..d6247868 100644 --- a/tests/shell/testcases/sets/dumps/0048set_counters_0.nft +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft @@ -2,7 +2,8 @@ table ip x { set y { typeof ip saddr counter - elements = { 192.168.10.35 counter packets 0 bytes 0, 192.168.10.101 counter packets 0 bytes 0, + elements = { 192.168.10.35 counter packets 0 bytes 0, + 192.168.10.101 counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 } } diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft new file mode 100644 index 00000000..f8495bab --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft @@ -0,0 +1,94 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "set": { + "family": "inet", + "name": "ip-block-4-test", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 80, + 443 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft index 998b387a..d654420c 100644 --- a/tests/shell/testcases/sets/dumps/0049set_define_0.nft +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft @@ -1,4 +1,11 @@ table inet filter { + set ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = { 1.1.1.1 } + } + chain input { type filter hook input priority filter; policy drop; tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.nft b/tests/shell/testcases/sets/dumps/0050set_define_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0050set_define_1.nft diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft new file mode 100644 index 00000000..b468b5f9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft @@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@s" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft new file mode 100644 index 00000000..96d5fbcc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "w_all", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + "10.10.10.10", + "10.10.10.253" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.json-nft b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft new file mode 100644 index 00000000..12a5c4b4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft @@ -0,0 +1,101 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "192.168.100.62" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 2001 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft new file mode 100644 index 00000000..3fd6d37e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft @@ -0,0 +1,45 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "comment": "test", + "flags": [ + "interval" + ] + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "comment": "another test", + "map": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft new file mode 100644 index 00000000..e37139f3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft @@ -0,0 +1,138 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "tcp_good_flags", + "table": "test", + "type": "tcp_flag", + "handle": 0, + "flags": [ + "constant" + ], + "elem": [ + { + "|": [ + "fin", + "ack" + ] + }, + { + "|": [ + "fin", + "ack", + "urg" + ] + }, + { + "|": [ + "fin", + "psh", + "ack" + ] + }, + { + "|": [ + "fin", + "psh", + "ack", + "urg" + ] + }, + "syn", + { + "|": [ + "syn", + "ack" + ] + }, + { + "|": [ + "syn", + "ack", + "urg" + ] + }, + { + "|": [ + "syn", + "psh", + "ack" + ] + }, + { + "|": [ + "syn", + "psh", + "ack", + "urg" + ] + }, + "rst", + { + "|": [ + "rst", + "ack" + ] + }, + { + "|": [ + "rst", + "ack", + "urg" + ] + }, + { + "|": [ + "rst", + "psh", + "ack" + ] + }, + { + "|": [ + "rst", + "psh", + "ack", + "urg" + ] + }, + { + "|": [ + "psh", + "ack" + ] + }, + { + "|": [ + "psh", + "ack", + "urg" + ] + }, + "ack", + { + "|": [ + "ack", + "urg" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft index ffed5426..22bf5c46 100644 --- a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft @@ -2,9 +2,9 @@ table ip test { set tcp_good_flags { type tcp_flag flags constant - elements = { fin | psh | ack | urg, fin | psh | ack, fin | ack | urg, fin | ack, syn | psh | ack | urg, - syn | psh | ack, syn | ack | urg, syn | ack, syn, rst | psh | ack | urg, - rst | psh | ack, rst | ack | urg, rst | ack, rst, psh | ack | urg, - psh | ack, ack | urg, ack } + elements = { fin | ack, fin | ack | urg, fin | psh | ack, fin | psh | ack | urg, syn, + syn | ack, syn | ack | urg, syn | psh | ack, syn | psh | ack | urg, rst, + rst | ack, rst | ack | urg, rst | psh | ack, rst | psh | ack | urg, psh | ack, + psh | ack | urg, ack, ack | urg } } } diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft new file mode 100644 index 00000000..79d7257e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "test", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft new file mode 100644 index 00000000..de43d565 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft @@ -0,0 +1,7 @@ +table inet filter { + set test { + type ipv4_addr + size 65535 + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft new file mode 100644 index 00000000..ac8d8bef --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft @@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "ssh_meter", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 2592000 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 2592000 + } + }, + "set": "@ssh_meter" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft new file mode 100644 index 00000000..16ecdb2a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft @@ -0,0 +1,79 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 3600 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@y", + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + }, + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft index 1b0ffae4..c1cc3b51 100644 --- a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft @@ -8,6 +8,6 @@ table ip x { chain z { type filter hook output priority filter; policy accept; - update @y { ip daddr limit rate 1/second counter } + update @y { ip daddr limit rate 1/second burst 5 packets counter } } } diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft new file mode 100644 index 00000000..1aede147 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft @@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "4.4.4.4", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "5.5.5.5", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + } + ], + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + }, + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft index f23db534..8521e3f7 100644 --- a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft @@ -1,9 +1,10 @@ table ip x { set y { type ipv4_addr - limit rate 1/second counter - elements = { 1.1.1.1 limit rate 1/second counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second counter packets 0 bytes 0, - 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 } + limit rate 1/second burst 5 packets counter + elements = { 1.1.1.1 limit rate 1/second burst 5 packets counter packets 0 bytes 0, + 4.4.4.4 limit rate 1/second burst 5 packets counter packets 0 bytes 0, + 5.5.5.5 limit rate 1/second burst 5 packets counter packets 0 bytes 0 } } chain y { diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft new file mode 100644 index 00000000..6098dc56 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft @@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "1.2.3.4", + "counter": { + "packets": 9, + "bytes": 756 + } + } + }, + { + "elem": { + "val": "2.2.2.2", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + }, + { + "quota": { + "val": 500, + "val_unit": "bytes" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft new file mode 100644 index 00000000..befc2f75 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft @@ -0,0 +1,16 @@ +table ip x { + set y { + type ipv4_addr + size 65535 + flags dynamic + counter quota 500 bytes + elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, + 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes, + 2.2.2.2 counter packets 0 bytes 0 quota 1000 bytes } + } + + chain y { + type filter hook output priority filter; policy accept; + update @y { ip daddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft new file mode 100644 index 00000000..c5591505 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "range": [ + "1.1.1.1", + "1.1.1.2" + ] + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft new file mode 100644 index 00000000..c5e60e36 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "est-connlimit", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "new-connlimit", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ], + "stmt": [ + { + "ct count": { + "val": 20, + "inv": true + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft new file mode 100644 index 00000000..13bbb953 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft @@ -0,0 +1,14 @@ +table ip x { + set est-connlimit { + type ipv4_addr + size 65535 + flags dynamic + } + + set new-connlimit { + type ipv4_addr + size 65535 + flags dynamic + ct count over 20 + } +} diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft new file mode 100644 index 00000000..3006f75a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft @@ -0,0 +1,94 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "elem": { + "val": { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft index f0d42cc2..faa984bd 100644 --- a/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft +++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft @@ -2,13 +2,15 @@ table ip x { set y { type ipv4_addr counter - elements = { 1.1.1.1 counter packets 0 bytes 0, * counter packets 0 bytes 0 } + elements = { 1.1.1.1 counter packets 0 bytes 0, + * counter packets 0 bytes 0 } } set z { type ipv4_addr flags interval counter - elements = { 1.1.1.0/24 counter packets 0 bytes 0, * counter packets 0 bytes 0 } + elements = { 1.1.1.0/24 counter packets 0 bytes 0, + * counter packets 0 bytes 0 } } } diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft new file mode 100644 index 00000000..64dd2667 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft @@ -0,0 +1,220 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "10.141.0.1", + "192.168.0.2" + ], + [ + "*", + "192.168.0.4" + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + "192.168.0.2" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@z" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + "192.168.0.2" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + } + ] + }, + "192.168.0.2" + ], + [ + { + "concat": [ + { + "prefix": { + "addr": "192.168.9.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.10.0", + "len": 24 + } + } + ] + }, + "192.168.0.4" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft index 890ed2aa..a1bba842 100644 --- a/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft @@ -1,13 +1,15 @@ table ip x { map y { type ipv4_addr : ipv4_addr - elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.4 } + elements = { 10.141.0.1 : 192.168.0.2, + * : 192.168.0.4 } } map z { type ipv4_addr : ipv4_addr flags interval - elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 } + elements = { 10.141.0.0/24 : 192.168.0.2, + * : 192.168.0.3 } } chain y { diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft new file mode 100644 index 00000000..f470adf3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft @@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "foo", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "id" + } + }, + "right": 42 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft new file mode 100644 index 00000000..461c7a73 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft @@ -0,0 +1,6 @@ +table ip x { + chain foo { + accept + icmp type { echo-reply, echo-request } icmp id 42 + } +} diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft index 3226da15..9ac3774a 100644 --- a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft +++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft @@ -1,10 +1,4 @@ table ip nat { - map ipportmap { - type ipv4_addr : interval ipv4_addr . inet_service - flags interval - elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } - } - map ipportmap2 { type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service flags interval @@ -17,10 +11,25 @@ table ip nat { elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 } } + map ipportmap4 { + typeof iifname . ip saddr : interval ip daddr + flags interval + elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, + "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } + } + + map ipportmap5 { + typeof iifname . ip saddr : interval ip daddr . tcp dport + flags interval + elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, + "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } + } + chain prerouting { type nat hook prerouting priority dstnat; policy accept; - ip protocol tcp dnat ip to ip saddr map @ipportmap ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2 meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th + dnat ip to iifname . ip saddr map @ipportmap4 + meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5 } } diff --git a/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft new file mode 100644 index 00000000..3e1584a8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft @@ -0,0 +1,13 @@ +table ip nat { + map ipportmap { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, + 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr map @ipportmap + } +} diff --git a/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft new file mode 100644 index 00000000..d7b32f8c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "auto-merge": true, + "elem": [ + { + "range": [ + "1.2.3.0", + "1.2.4.255" + ] + }, + { + "range": [ + "3.3.3.3", + "3.3.3.6" + ] + }, + { + "range": [ + "4.4.4.0", + "4.4.5.0" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft new file mode 100644 index 00000000..6b579a2e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft @@ -0,0 +1,128 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + }, + { + "prefix": { + "addr": "192.0.0.0", + "len": 2 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s2", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "fe80::", + "len": 10 + } + }, + { + "prefix": { + "addr": "ff00::", + "len": 8 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@s2" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft new file mode 100644 index 00000000..4eed94c2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft @@ -0,0 +1,19 @@ +table inet t { + set s1 { + type ipv4_addr + flags interval + elements = { 10.0.0.0/8, 192.0.0.0/2 } + } + + set s2 { + type ipv6_addr + flags interval + elements = { fe80::/10, + ff00::/8 } + } + + chain c { + ip saddr @s1 accept + ip6 daddr @s2 accept + } +} diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.nft b/tests/shell/testcases/sets/dumps/0072destroy_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0072destroy_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft new file mode 100644 index 00000000..e2fb6214 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "TEST", + "table": "filter", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "inet", + "name": "testmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + "TEST" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft new file mode 100644 index 00000000..e2fb6214 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "TEST", + "table": "filter", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "inet", + "name": "testmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + "TEST" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/automerge_0.nodump b/tests/shell/testcases/sets/dumps/automerge_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/automerge_0.nodump diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft new file mode 100644 index 00000000..c8ff4347 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "a", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "x", + "table": "a", + "type": "inet_service", + "handle": 0, + "elem": [ + 1, + 2, + 3, + 4, + 5 + ] + } + }, + { + "table": { + "family": "ip6", + "name": "a", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "x", + "table": "a", + "type": "inet_service", + "handle": 0, + "elem": [ + 2 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft new file mode 100644 index 00000000..775f0ab1 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft @@ -0,0 +1,12 @@ +table ip a { + set x { + type inet_service + elements = { 1, 2, 3, 4, 5 } + } +} +table ip6 a { + set x { + type inet_service + elements = { 2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft new file mode 100644 index 00000000..d65065e4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft @@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "flags": [ + "interval" + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": [ + "ipv4_addr", + "mark" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.10.10.10", + 256 + ] + }, + { + "concat": [ + "20.20.20.20", + 512 + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.nft b/tests/shell/testcases/sets/dumps/concat_interval_0.nft new file mode 100644 index 00000000..61547c5e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_interval_0.nft @@ -0,0 +1,14 @@ +table ip t { + set s { + type ipv4_addr . inet_proto . inet_service + flags interval + counter + } + + set s2 { + type ipv4_addr . mark + flags interval + elements = { 10.10.10.10 . 0x00000100, + 20.20.20.20 . 0x00000200 } + } +} diff --git a/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.nft b/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.nft new file mode 100644 index 00000000..01d76b90 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.nft @@ -0,0 +1,7 @@ +table ip filter { + set test_set { + type iface_index . ether_addr . ipv4_addr + flags interval + elements = { "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890" } + } +} diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft new file mode 100644 index 00000000..ad8a7cc0 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft @@ -0,0 +1,83 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "dlist", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "output", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 1234 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@dlist" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/elem_limit_0.nft b/tests/shell/testcases/sets/dumps/elem_limit_0.nft new file mode 100644 index 00000000..ca5b2b54 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/elem_limit_0.nft @@ -0,0 +1,7 @@ +table netdev filter { + set test123 { + typeof ip saddr + limit rate over 1 mbytes/second + elements = { 1.2.3.4 limit rate over 1 mbytes/second } + } +} diff --git a/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump diff --git a/tests/shell/testcases/sets/dumps/errors_0.json-nft b/tests/shell/testcases/sets/dumps/errors_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/errors_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/errors_0.nft b/tests/shell/testcases/sets/dumps/errors_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/errors_0.nft diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft new file mode 100644 index 00000000..958d1e5c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft @@ -0,0 +1,110 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "1.0.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.0.2.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.0.8.0", + "len": 21 + } + }, + { + "prefix": { + "addr": "1.0.32.0", + "len": 19 + } + }, + { + "prefix": { + "addr": "1.1.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.2.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.1.4.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "1.1.8.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.9.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.10.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.1.12.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "1.1.16.0", + "len": 20 + } + }, + { + "prefix": { + "addr": "1.1.32.0", + "len": 19 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft new file mode 100644 index 00000000..c903e3fc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft @@ -0,0 +1,13 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 1.0.1.0/24, 1.0.2.0/23, + 1.0.8.0/21, 1.0.32.0/19, + 1.1.0.0/24, 1.1.2.0/23, + 1.1.4.0/22, 1.1.8.0/24, + 1.1.9.0/24, 1.1.10.0/23, + 1.1.12.0/22, 1.1.16.0/20, + 1.1.32.0/19 } + } +} diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft new file mode 100644 index 00000000..e5dc198f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft @@ -0,0 +1,231 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "netdev", + "name": "x", + "table": "x", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + } + }, + "handle": 0, + "elem": [ + { + "concat": [ + "3.3.3.3", + "4.4.4.4" + ] + } + ] + } + }, + { + "set": { + "family": "netdev", + "name": "y", + "table": "x", + "type": { + "typeof": { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": "@x" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/inner_0.nft b/tests/shell/testcases/sets/dumps/inner_0.nft new file mode 100644 index 00000000..925ca777 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/inner_0.nft @@ -0,0 +1,18 @@ +table netdev x { + set x { + typeof vxlan ip saddr . vxlan ip daddr + elements = { 3.3.3.3 . 4.4.4.4 } + } + + set y { + typeof vxlan ip saddr + size 65535 + flags dynamic + } + + chain y { + udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter packets 0 bytes 0 + udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter packets 0 bytes 0 + udp dport 4789 update @y { vxlan ip saddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/meter_0.json-nft b/tests/shell/testcases/sets/dumps/meter_0.json-nft new file mode 100644 index 00000000..c318e4f2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_0.json-nft @@ -0,0 +1,203 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "acct_out", + "table": "test", + "type": [ + "iface_index", + "ipv6_addr" + ], + "handle": 0, + "size": 4096, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "ip6", + "name": "acct_out2", + "table": "test", + "type": [ + "ipv6_addr", + "iface_index" + ], + "handle": 0, + "size": 12345, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "meta": { + "key": "iif" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + ] + }, + "timeout": 600 + } + }, + "set": "@acct_out", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "timeout": 600 + } + }, + "set": "@acct_out2", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "xyz", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "size": 8192, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 30 + } + }, + "set": "@xyz", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/meter_0.nft b/tests/shell/testcases/sets/dumps/meter_0.nft new file mode 100644 index 00000000..3843f9a9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_0.nft @@ -0,0 +1,29 @@ +table ip6 test { + set acct_out { + type iface_index . ipv6_addr + size 4096 + flags dynamic,timeout + } + + set acct_out2 { + type ipv6_addr . iface_index + size 12345 + flags dynamic,timeout + } + + chain test { + update @acct_out { iif . ip6 saddr timeout 10m counter } + update @acct_out2 { ip6 saddr . iif timeout 10m counter } + } +} +table ip test { + set xyz { + type ipv4_addr + size 8192 + flags dynamic,timeout + } + + chain test { + update @xyz { ip saddr timeout 30s counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft b/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft new file mode 100644 index 00000000..ab4ac061 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft @@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "http1", + "table": "filter", + "type": [ + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "concat": [ + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + ] + }, + "set": "@http1", + "stmt": [ + { + "limit": { + "rate": 200, + "burst": 5, + "per": "second", + "inv": true + } + } + ] + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/meter_set_reuse.nft b/tests/shell/testcases/sets/dumps/meter_set_reuse.nft new file mode 100644 index 00000000..f911acaf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_set_reuse.nft @@ -0,0 +1,11 @@ +table ip filter { + set http1 { + type inet_service . ipv4_addr + size 65535 + flags dynamic + } + + chain input { + tcp dport 80 add @http1 { tcp dport . ip saddr limit rate over 200/second burst 5 packets } counter packets 0 bytes 0 drop + } +} diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft new file mode 100644 index 00000000..c4682475 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "X", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + 10, + 30, + 35 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft new file mode 100644 index 00000000..78979e9e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft @@ -0,0 +1,7 @@ +table ip t { + set X { + type inet_service + flags interval + elements = { 10, 30, 35 } + } +} diff --git a/tests/shell/testcases/sets/dumps/reset_command_0.nodump b/tests/shell/testcases/sets/dumps/reset_command_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/reset_command_0.nodump diff --git a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft new file mode 100644 index 00000000..d92d8d7a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft @@ -0,0 +1,50 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "base", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "flags": [ + "timeout" + ], + "timeout": 60 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft new file mode 100644 index 00000000..1edd2ec7 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft @@ -0,0 +1,10 @@ +table ip t { + set s { + typeof ip saddr + timeout 1m + } + + chain base { + type filter hook input priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft new file mode 100644 index 00000000..6f692381 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft @@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "prerouting", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "set_with_interval", + "table": "nat", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "tcp", + "udp" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 443 + } + }, + { + "dnat": { + "addr": "10.0.0.1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/set_stmt.nft b/tests/shell/testcases/sets/dumps/set_stmt.nft new file mode 100644 index 00000000..71ba7996 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_stmt.nft @@ -0,0 +1,66 @@ +table ip x { + set y0 { + type ipv4_addr + counter + elements = { 2.2.2.0 counter packets 3 bytes 4, + 3.3.3.0 counter packets 1 bytes 2, + 5.5.5.0 counter packets 1 bytes 2, + 6.6.6.0 counter packets 3 bytes 4 } + } + + set y1 { + type ipv4_addr + limit rate 1/second burst 5 packets + elements = { 2.2.2.1 limit rate 5/second burst 5 packets, + 3.3.3.1 limit rate 1/second burst 5 packets, + 5.5.5.1 limit rate 1/second burst 5 packets, + 6.6.6.1 limit rate 5/second burst 5 packets } + } + + set y2 { + type ipv4_addr + ct count over 2 + elements = { 2.2.2.2 ct count over 5, + 3.3.3.2 ct count over 2, + 5.5.5.2 ct count over 2, + 6.6.6.2 ct count over 5 } + } + + set y3 { + type ipv4_addr + last + elements = { 2.2.2.3 last used never, + 3.3.3.3 last used never, + 5.5.5.3 last used never, + 6.6.6.3 last used never } + } + + set y4 { + type ipv4_addr + quota over 1000 bytes + elements = { 2.2.2.4 quota over 30000 bytes used 1000 bytes, + 3.3.3.4 quota over 1000 bytes, + 5.5.5.4 quota over 1000 bytes, + 6.6.6.4 quota over 30000 bytes used 1000 bytes } + } + + chain y0 { + ip daddr @y0 + } + + chain y1 { + ip daddr @y1 + } + + chain y2 { + ip daddr @y2 + } + + chain y3 { + ip daddr @y3 + } + + chain y4 { + ip daddr @y4 + } +} diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft new file mode 100644 index 00000000..ac428429 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft @@ -0,0 +1,551 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "testifsets", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmp", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmpc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "do_nothing", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "simple", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "elem": [ + "abcdef0", + "abcdef1", + "othername" + ] + } + }, + { + "set": { + "family": "inet", + "name": "simple_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "abcdef*", + "othername", + "ppp0" + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + }, + { + "concat": [ + "10.1.2.2", + "abcdef1" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat_wild", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + }, + { + "concat": [ + "10.1.2.1", + "bar" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "1.1.2.0", + "len": 24 + } + }, + "abcdef0" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "12.2.2.0", + "len": 24 + } + }, + "abcdef*" + ] + } + ] + } + }, + { + "map": { + "family": "inet", + "name": "map_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "map": "verdict", + "flags": [ + "interval" + ], + "elem": [ + [ + "abcdef*", + { + "jump": { + "target": "do_nothing" + } + } + ], + [ + "eth0", + { + "jump": { + "target": "do_nothing" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "eth0", + "abcdef0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "abcdef*", + "eth0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": "@map_wild" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "jump": { + "target": "v4icmp" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "goto": { + "target": "v4icmpc" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft new file mode 100644 index 00000000..e22213ea --- /dev/null +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft @@ -0,0 +1,114 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 10800 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "10.180.0.4", + 80 + ] + }, + "set": "@s1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "1.2.3.4", + 80 + ] + }, + "right": "@s1" + } + }, + { + "goto": { + "target": "c1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.nft b/tests/shell/testcases/sets/dumps/type_set_symbol.nft new file mode 100644 index 00000000..21209f6d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.nft @@ -0,0 +1,16 @@ +table ip t { + set s1 { + type ipv4_addr . ipv4_addr . inet_service + size 65535 + flags dynamic,timeout + timeout 3h + } + + chain c1 { + update @s1 { ip saddr . 10.180.0.4 . 80 } + } + + chain c2 { + ip saddr . 1.2.3.4 . 80 @s1 goto c1 + } +} diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft index 499ff167..4d6abaaa 100644 --- a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft +++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft @@ -6,7 +6,7 @@ table inet t { } chain y { - ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } - ip daddr . @ih,32,32 @y + ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } + ip daddr . @nh,32,32 @y } } diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft index 6f5b83af..34aaab60 100644 --- a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft +++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft @@ -55,6 +55,22 @@ table inet t { elements = { 3567 . 1.2.3.4 } } + set s12 { + typeof iifname . ip saddr . meta ipsec + elements = { "eth0" . 10.1.1.2 . exists } + } + + set s13 { + typeof tcp option mptcp subtype + elements = { mp-join, dss } + } + + set s14 { + typeof tcp option mptcp subtype . ip daddr + elements = { remove-addr . 10.1.1.1, + mp-join . 10.1.1.2 } + } + chain c1 { osf name @s1 accept } @@ -94,4 +110,16 @@ table inet t { chain c11 { vlan id . ip saddr @s11 accept } + + chain c12 { + iifname . ip saddr . meta ipsec @s12 accept + } + + chain c13 { + tcp option mptcp subtype @s13 accept + } + + chain c14 { + tcp option mptcp subtype . ip saddr @s14 accept + } } diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft new file mode 100644 index 00000000..89cbc835 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft @@ -0,0 +1,15 @@ +table bridge t { + set nodhcpvlan { + typeof vlan id + elements = { 1 } + } + + chain c1 { + vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2 + vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2 + vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2 + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft new file mode 100644 index 00000000..348b5848 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft @@ -0,0 +1,23 @@ +table netdev t { + set s { + typeof ether saddr . vlan id + size 2048 + flags dynamic,timeout + } + + chain c { + ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return + ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return + } +} +table ip t { + set s { + typeof ipsec in reqid . iif + size 16 + flags interval + } + + chain c2 { + ipsec in reqid . "lo" @s + } +} diff --git a/tests/shell/testcases/sets/elem_limit_0 b/tests/shell/testcases/sets/elem_limit_0 new file mode 100755 index 00000000..b57f9274 --- /dev/null +++ b/tests/shell/testcases/sets/elem_limit_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +## requires EXPR + +set -e + +RULESET="table netdev filter { + set test123 { + typeof ip saddr + limit rate over 1024 kbytes/second + elements = { 1.2.3.4 limit rate over 1024 kbytes/second } + } +}" + +$NFT -f - <<< $RULESET + +(echo "flush ruleset netdev"; $NFT --stateless list ruleset netdev) | $NFT -f - diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0 new file mode 100755 index 00000000..7563773e --- /dev/null +++ b/tests/shell/testcases/sets/elem_opts_compat_0 @@ -0,0 +1,31 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + +# ordering of element options and expressions has changed, make sure parser +# accepts both ways + +set -e + +$NFT -f - <<EOF +table t { + set s { + type inet_service + counter; + timeout 30s; + } +} +EOF + +check() { + out=$($NFT list ruleset) + secs=$(sed -n 's/.*expires \([0-9]\+\)s.*/\1/p' <<< "$out") + [[ $secs -lt 11 ]] + grep -q 'counter packets 10 bytes 20' <<< "$out" +} + +$NFT add element t s '{ 23 counter packets 10 bytes 20 expires 10s }' +check +$NFT flush set t s +$NFT add element t s '{ 42 expires 10s counter packets 10 bytes 20 }' +check diff --git a/tests/shell/testcases/sets/inner_0 b/tests/shell/testcases/sets/inner_0 new file mode 100755 index 00000000..39d91bd9 --- /dev/null +++ b/tests/shell/testcases/sets/inner_0 @@ -0,0 +1,27 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inner_matching) + +set -e + +RULESET="table netdev x { + set x { + typeof vxlan ip saddr . vxlan ip daddr + elements = { + 3.3.3.3 . 4.4.4.4, + } + } + + set y { + typeof vxlan ip saddr + flags dynamic + } + + chain y { + udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter + udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter + udp dport 4789 update @y { vxlan ip saddr } + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/interval_size b/tests/shell/testcases/sets/interval_size new file mode 100755 index 00000000..55a6cd49 --- /dev/null +++ b/tests/shell/testcases/sets/interval_size @@ -0,0 +1,44 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_rbtree_size_limit) + +RULESET="table inet x { + set x { + typeof ip saddr + flags interval + auto-merge + size 1 + } + + set y { + typeof ip saddr + flags interval + size 1 + } +}" + +$NFT -f - <<< $RULESET + +$NFT add element inet x x '{ 0.0.0.0, 255.255.255.255 }' && exit 1 +$NFT add element inet x x '{ 0.0.0.0 }' || exit 1 +$NFT add element inet x x '{ 255.255.255.0/24 }' && exit 1 +$NFT delete element inet x x '{ 0.0.0.0 }' || exit 1 +$NFT add element inet x x '{ 255.255.255.0/24 }' || exit 1 +$NFT add element inet x x '{ 0.0.0.0 }' && exit 1 +$NFT add element inet x x '{ 0.0.0.0-255.255.255.0 }' || exit 1 +$NFT delete element inet x x '{ 1.1.1.1 }' && exit 1 +$NFT delete element inet x x '{ 0.0.0.0/0 }' || exit 1 +$NFT add element inet x x '{ 255.255.255.0/24 }' || exit 1 +$NFT add element inet x x '{ 0.0.0.0 }' && exit 1 + +$NFT add element inet x y '{ 0.0.0.0, 255.255.255.255 }' && exit 1 +$NFT add element inet x y '{ 0.0.0.0 }' || exit 1 +$NFT add element inet x y '{ 255.255.255.0/24 }' && exit 1 +$NFT delete element inet x y '{ 0.0.0.0 }' || exit 1 +$NFT add element inet x y '{ 255.255.255.0/24 }' || exit 1 +$NFT add element inet x y '{ 0.0.0.0 }' && exit 1 +$NFT add element inet x y '{ 0.0.0.0-255.255.255.0 }' && exit 1 +$NFT delete element inet x y '{ 255.255.255.0/24 }' || exit 1 +$NFT add element inet x y '{ 0.0.0.0 }' || exit 1 +$NFT add element inet x y '{ 255.255.255.255 }' && exit 1 +exit 0 diff --git a/tests/shell/testcases/sets/interval_size_random b/tests/shell/testcases/sets/interval_size_random new file mode 100755 index 00000000..3320b512 --- /dev/null +++ b/tests/shell/testcases/sets/interval_size_random @@ -0,0 +1,115 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_rbtree_size_limit) + +generate_ip() { + local first=($1) + echo -n "$first.$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256))" +} + +ip_to_int() { + local IFS='.' + local ip=($1) + printf '%d' "$((${ip[0]}<<24 | ${ip[1]}<<16 | ${ip[2]}<<8 | ${ip[3]}))" +} + +compare_ips() { + local ip1=$(ip_to_int $1) + local ip2=$(ip_to_int $2) + if [ "$ip1" -lt "$ip2" ]; then + echo "$1" + elif [ "$ip1" -gt "$ip2" ]; then + echo "$2" + else + echo "$1" + fi +} + +generate_range() { + start=$(generate_ip $1) + end=$(generate_ip $1) + result=$(compare_ips $start $end) + if [[ "$result" != "$start" ]] + then + temp=$start + start=$end + end=$temp + fi + echo -n "$start-$end" +} + +generate_prefix() { + prefix=$(generate_ip $1 | cut -d. -f1-3) + echo -n "$prefix.0/24" +} + +generate_intervals() { + echo "define x = {" + # not so random, first octet in IP address is $i, this cannot go over 255 + iter=$((RANDOM % 255 + 1)) + + [ $(($RANDOM % 2)) -eq 0 ] && echo "0.0.0.0," + + for ((i=0; i<iter; i++)); do + case $((RANDOM % 3)) in + 0) generate_ip $i;; + 1) generate_range $i;; + 2) generate_prefix $i;; + esac + echo "," + done + + [ $(($RANDOM % 2)) -eq 0 ] && echo "255.255.255.255," + + echo "}" +} + +run_test() { + local count=($1) + local elems=($2) + local ruleset=($3) + echo "table inet x { + set y { + include \"$elems\" + typeof ip saddr + flags interval + size $count + elements = { \$x } + } + }" > $ruleset +} + +count_elems() { + local elems=($2) + count=$(wc -l $elems_file | cut -f1 -d' ') + # subtract enclosing define lines + count=$(($count-2)) + echo $count +} + +elems_file=$(mktemp /tmp/elems-XXXXX.nft) +ruleset_file=$(mktemp /tmp/ruleset-XXXXX.nft) + +if [ ! -w "$elems_file" ] ; then + # cwd might be readonly, mark as skip. + echo "Failed to create tmp file" >&2 + exit 77 +fi + +trap "rm -rf $elems_file $ruleset_file" EXIT + +generate_intervals > $elems_file +count=$(count_elems $elems_file) + +run_test $count $elems_file $ruleset_file +$NFT -f $ruleset_file || exit 1 + +$NFT flush ruleset + +# subtract 1 to size, too small, it should fail +count=$(($count-1)) + +run_test $count $elems_file $ruleset_file +$NFT -f $ruleset_file && exit 1 + +exit 0 diff --git a/tests/shell/testcases/sets/meter_0 b/tests/shell/testcases/sets/meter_0 new file mode 100755 index 00000000..82e6f20a --- /dev/null +++ b/tests/shell/testcases/sets/meter_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +set -e + +RULESET="table ip6 test { + chain test { + meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } + meter acct_out2 size 12345 { ip6 saddr . meta iif timeout 600s counter } + } +} + +table ip test { + chain test { + meter xyz size 8192 { ip saddr timeout 30s counter} + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/meter_set_reuse b/tests/shell/testcases/sets/meter_set_reuse new file mode 100755 index 00000000..94eccc1a --- /dev/null +++ b/tests/shell/testcases/sets/meter_set_reuse @@ -0,0 +1,20 @@ +#!/bin/bash + +set -e + +addrule() +{ + $NFT add rule ip filter input tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop +} + +$NFT add table filter +$NFT add chain filter input +addrule + +$NFT list meters + +# This used to remove the anon set, but not anymore +$NFT flush chain filter input + +# This re-add should work. +addrule diff --git a/tests/shell/testcases/sets/range_with_same_start_end b/tests/shell/testcases/sets/range_with_same_start_end new file mode 100755 index 00000000..127f0921 --- /dev/null +++ b/tests/shell/testcases/sets/range_with_same_start_end @@ -0,0 +1,13 @@ +#!/bin/bash + +set -e + +$NFT -f - <<EOF +table ip t { + set X { + type inet_service + flags interval + elements = { 10, 30-30, 30, 35 } + } +} +EOF diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0 new file mode 100755 index 00000000..c59cc56d --- /dev/null +++ b/tests/shell/testcases/sets/reset_command_0 @@ -0,0 +1,137 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_set) + +set -e + +trap '[[ $? -eq 0 ]] || echo FAIL' EXIT + +RULESET="table t { + set s { + type ipv4_addr . inet_proto . inet_service + flags interval, timeout + counter + timeout 30m + elements = { + 1.0.0.1 . udp . 53 counter packets 5 bytes 30 expires 20m, + 2.0.0.2 . tcp . 22 counter packets 10 bytes 100 timeout 15m expires 10m + } + } + + set s2 { + type ipv4_addr + flags interval, timeout + counter + timeout 30m + elements = { + 1.0.0.1 counter packets 5 bytes 30 expires 20m, + 1.0.1.1-1.0.1.10 counter packets 5 bytes 30 expires 20m, + 2.0.0.2 counter packets 10 bytes 100 timeout 15m expires 10m + } + } + + map m { + type ipv4_addr : ipv4_addr + quota 50 bytes + elements = { + 1.2.3.4 quota 50 bytes used 10 bytes : 10.2.3.4, + 5.6.7.8 quota 100 bytes used 50 bytes : 50.6.7.8 + } + } + + map m1 { + type ipv4_addr : ipv4_addr + counter + timeout 30m + elements = { + 1.2.3.4 counter packets 5 bytes 30 expires 20m : 10.2.3.4, + 5.6.7.8 counter packets 10 bytes 100 timeout 15m expires 10m : 50.6.7.8 + } + } + + map m2 { + type ipv4_addr : ipv4_addr + flags interval, timeout + counter + timeout 30m + elements = { + 1.2.3.4-1.2.3.10 counter packets 5 bytes 30 expires 20m : 10.2.3.4, + 5.6.7.8-5.6.7.10 counter packets 10 bytes 100 timeout 15m expires 10m : 50.6.7.8 + } + } +}" + +echo -n "applying test ruleset: " +$NFT -f - <<< "$RULESET" +echo OK + +drop_seconds() { + sed 's/[0-9]\+m\?s//g' +} +expires_minutes() { + sed -n 's/.*expires \([0-9]*\)m.*/\1/p' +} + +get_and_reset() +{ + local setname="$1" + local key="$2" + + echo -n "get set elem matches reset set elem in set $setname: " + + elem="element t $setname { $key }" + echo $NFT get $elem + $NFT get $elem + [[ $($NFT "get $elem ; reset $elem" | \ + grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]] + echo OK + + echo -n "counters are reset, expiry left alone in set $setname: " + NEW=$($NFT "get $elem") + echo NEW $NEW + grep -q 'counter packets 0 bytes 0' <<< "$NEW" + [[ $(expires_minutes <<< "$NEW") -lt 20 ]] + echo OK +} + +get_and_reset "s" "1.0.0.1 . udp . 53" +get_and_reset "s2" "1.0.0.1" +get_and_reset "s2" "1.0.1.1-1.0.1.10" +get_and_reset "m1" "1.2.3.4" +get_and_reset "m2" "1.2.3.4-1.2.3.10" + +echo -n "get map elem matches reset map elem: " +elem='element t m { 1.2.3.4 }' +[[ $($NFT "get $elem ; reset $elem" | \ + grep 'elements = ' | uniq | wc -l) == 1 ]] +echo OK + +echo -n "quota value is reset: " +$NFT get element t m '{ 1.2.3.4 }' | grep -q 'quota 50 bytes : 10.2.3.4' +echo OK + +echo -n "other elements remain the same: " +OUT=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }') +grep -q 'counter packets 10 bytes 100 timeout 15m' <<< "$OUT" +VAL=$(expires_minutes <<< "$OUT") +[[ $val -lt 10 ]] +$NFT get element t m '{ 5.6.7.8 }' | grep -q 'quota 100 bytes used 50 bytes' +echo OK + +echo -n "list set matches reset set: " +EXP=$($NFT list set t s | drop_seconds) +OUT=$($NFT reset set t s | drop_seconds) +$DIFF -u <(echo "$EXP") <(echo "$OUT") +echo OK + +echo -n "list map matches reset map: " +EXP=$($NFT list map t m) +OUT=$($NFT reset map t m) +$DIFF -u <(echo "$EXP") <(echo "$OUT") +echo OK + +echo -n "remaining elements are reset: " +OUT=$($NFT list ruleset) +grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT" +grep -q '5.6.7.8 quota 100 bytes : 50.6.7.8' <<< "$OUT" +echo OK diff --git a/tests/shell/testcases/sets/set_element_timeout_updates b/tests/shell/testcases/sets/set_element_timeout_updates new file mode 100755 index 00000000..4bf6c7c3 --- /dev/null +++ b/tests/shell/testcases/sets/set_element_timeout_updates @@ -0,0 +1,120 @@ +#!/bin/bash +# +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_elem_timeout_update) +# + +assert_fail() +{ + ret=$1 + + if [ $ret -eq 0 ];then + echo "subtest should have failed: $2" + exit 111 + fi +} + +assert_ok() +{ + ret=$1 + + if [ $ret -ne 0 ];then + echo "subtest should have passed: $2" + exit 111 + fi +} + + +$NFT -f - <<EOF +table t { + set s { + typeof ip saddr + timeout 1m + elements = { 10.0.0.1, 10.0.0.2, 10.0.0.3 } + } + + chain base { + type filter hook input priority 0 + } +} +EOF + +for i in 1 2 3;do + $NFT get element t s "{ 10.0.0.$i }" + assert_ok $? "get element $i" +done + +# first, bogus updates to trigger abort path with updates. +$NFT -f - <<EOF +add element t s { 10.0.0.2 timeout 2m } +create element t s { 10.0.0.1 } +add element t s { 10.0.0.3 timeout 3m } +EOF +assert_fail $? "abort due to existing element" + +$NFT -f - <<EOF +add chain t a +add element t s { 10.0.0.1 timeout 1m } +add element t s { 10.0.0.2 timeout 2m } +add element t s { 10.0.0.3 timeout 3m } +add chain t b +add rule t a jump b +add rule t b jump a +add rule t base jump a +EOF +assert_fail $? "abort due to chainloop" + +$NFT -f - <<EOF +add element t s { 10.0.0.1 expires 2m } +EOF +assert_fail $? "expire larger than timeout" + +$NFT -f - <<EOF +add element t s { 10.0.0.1 timeout 1s } +add element t s { 10.0.0.2 timeout 1s } +add element t s { 10.0.0.3 timeout 1s } +add element t s { 10.0.0.4 expires 2m } +EOF +assert_fail $? "abort because expire too large" + +# check timeout update had no effect +sleep 1 +for i in 1 2 3;do + $NFT get element t s "{ 10.0.0.$i }" + assert_ok $? "get element $i after aborted update" +done + +# adjust timeouts upwards. +$NFT -f - <<EOF +add element t s { 10.0.0.1 timeout 1m } +add element t s { 10.0.0.2 timeout 2m } +add element t s { 10.0.0.3 timeout 3m } +EOF +assert_ok $? "upwards adjust" + +for i in 1 2 3;do + $NFT get element t s "{ 10.0.0.$i }" + assert_ok $? "get element $i" +done + +# insert 4th element with timeout larger than set default +$NFT -f - <<EOF +add element t s { 10.0.0.4 timeout 2m expires 2m } +EOF +$NFT get element t s "{ 10.0.0.4 }" +assert_ok $? "get element 4" + +# adjust timeouts downwards +$NFT -f - <<EOF +add element t s { 10.0.0.1 timeout 1s } +add element t s { 10.0.0.2 timeout 2s expires 1s } +add element t s { 10.0.0.3 expires 1s } +add element t s { 10.0.0.4 timeout 4m expires 1s } +EOF +assert_ok $? + +sleep 1 + +for i in 1 2 3;do + $NFT get element t s "{ 10.0.0.$i }" + assert_fail $? +done diff --git a/tests/shell/testcases/sets/set_stmt b/tests/shell/testcases/sets/set_stmt new file mode 100755 index 00000000..0433b676 --- /dev/null +++ b/tests/shell/testcases/sets/set_stmt @@ -0,0 +1,48 @@ +#!/bin/bash + +test_set_stmt() { + local i=$1 + local stmt1=$2 + local stmt2=$3 + + RULESET="table x { + set y$i { + type ipv4_addr + $stmt1 + elements = { 5.5.5.$i $stmt1, + 6.6.6.$i $stmt2 } + } + chain y$i { + ip daddr @y$i + } +}" + + $NFT -f - <<< $RULESET + # should work + if [ $? -ne 0 ] + then + exit 1 + fi + + # should work + $NFT add element x y$i { 2.2.2.$i $stmt2 } + if [ $? -ne 0 ] + then + exit 1 + fi + + # should work + $NFT add element x y$i { 3.3.3.$i } + if [ $? -ne 0 ] + then + exit 1 + fi +} + +test_set_stmt "0" "counter packets 1 bytes 2" "counter packets 3 bytes 4" +test_set_stmt "1" "limit rate 1/second" "limit rate 5/second" +test_set_stmt "2" "ct count over 2" "ct count over 5" +test_set_stmt "3" "last" "last" +test_set_stmt "4" "quota over 1000 bytes" "quota over 30000 bytes used 1000 bytes" + +exit 0 diff --git a/tests/shell/testcases/sets/sets_with_ifnames b/tests/shell/testcases/sets/sets_with_ifnames index 9531c856..c65499b7 100755 --- a/tests/shell/testcases/sets/sets_with_ifnames +++ b/tests/shell/testcases/sets/sets_with_ifnames @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + dumpfile=$(dirname $0)/dumps/$(basename $0).nft [ -z "$NFT" ] && exit 111 @@ -103,10 +105,67 @@ check_matching_icmp_ppp() fi } +check_add_del_ifnames() +{ + local what="$1" + local setname="$2" + local prefix="$3" + local data="$4" + local i=0 + + for i in $(seq 1 5);do + local cmd="element inet testifsets $setname { " + local to_batch=16 + + for j in $(seq 1 $to_batch);do + local name=$(printf '"%x-%d"' $i $j) + + [ -n "$prefix" ] && cmd="$cmd $prefix . " + + cmd="$cmd $name" + + [ -n "$data" ] && cmd="$cmd : $data" + + if [ $j -lt $to_batch ] ; then + cmd="$cmd, " + fi + done + + cmd="$cmd }" + + if ! $NFT "$what" "$cmd"; then + echo "$what $cmd failed." + $NFT list set inet testifsets $setname + exit 1 + fi + + if ! ip netns exec "$ns1" $NFT "$what" "$cmd"; then + echo "$ns1 $what $cmd failed." + ip netns exec "$ns1" $NFT list set inet testifsets $setname + exit 1 + fi + done +} + +check_add_ifnames() +{ + check_add_del_ifnames "add" "$1" "$2" "$3" +} + +check_del_ifnames() +{ + check_add_del_ifnames "delete" "$1" "$2" "$3" +} + ip netns add "$ns1" || exit 111 ip netns add "$ns2" || exit 111 ip netns exec "$ns1" $NFT -f "$dumpfile" || exit 3 +check_add_ifnames "simple" "" "" +check_add_ifnames "simple_wild" "" "" +check_add_ifnames "concat" "10.1.2.2" "" +check_add_ifnames "map_wild" "" "drop" + for n in abcdef0 abcdef1 othername;do check_elem simple $n done @@ -148,3 +207,8 @@ ip -net "$ns2" addr add 10.1.2.2/24 dev veth0 ip -net "$ns2" addr add 10.2.2.2/24 dev veth1 check_matching_icmp_ppp + +check_del_ifnames "simple" "" "" +check_del_ifnames "simple_wild" "" "" +check_del_ifnames "concat" "10.1.2.2" "" +check_del_ifnames "map_wild" "" "drop" diff --git a/tests/shell/testcases/sets/type_set_symbol b/tests/shell/testcases/sets/type_set_symbol new file mode 100755 index 00000000..07820b7c --- /dev/null +++ b/tests/shell/testcases/sets/type_set_symbol @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/typeof_raw_0 b/tests/shell/testcases/sets/typeof_raw_0 index 36396b5c..66042eb4 100755 --- a/tests/shell/testcases/sets/typeof_raw_0 +++ b/tests/shell/testcases/sets/typeof_raw_0 @@ -7,8 +7,8 @@ EXPECTED="table inet t { } chain y { - ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } - ip daddr . @ih,32,32 @y + ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } + ip daddr . @nh,32,32 @y } }" diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0 index 9f777a8c..ef2726db 100755 --- a/tests/shell/testcases/sets/typeof_sets_0 +++ b/tests/shell/testcases/sets/typeof_sets_0 @@ -4,12 +4,78 @@ # s1 and s2 are identical, they just use different # ways for declaration. -EXPECTED="table inet t { +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ip_options) + +set -e + +die() { + printf '%s\n' "$*" + exit 1 +} + +INPUT_OSF_SET=" set s1 { typeof osf name elements = { \"Linux\" } } +" + +INPUT_FRAG_SET=" + set s4 { + typeof frag frag-off + elements = { 1, 1024 } + } +" +INPUT_VERSION_SET=" + set s8 { + typeof ip version + elements = { 4, 6 } + } +" + +INPUT_OSF_CHAIN=" + chain c1 { + osf name @s1 accept + } +" + +INPUT_FRAG_CHAIN=" + chain c4 { + frag frag-off @s4 accept + } +" + +INPUT_SCTP_CHAIN=" + chain c7 { + sctp chunk init num-inbound-streams @s7 accept + } +" +INPUT_VERSION_CHAIN=" + chain c8 { + ip version @s8 accept + } +" + +if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then + INPUT_SCTP_CHAIN= +fi + +if [ "$NFT_TEST_HAVE_bitshift" = n ] ; then + INPUT_FRAG_CHAIN= + INPUT_VERSION_CHAIN= +fi + +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + if [ "$((RANDOM % 2))" -eq 1 ] ; then + # Regardless of $NFT_TEST_HAVE_osf, we can define the set. + # Randomly do so. + INPUT_OSF_SET= + fi + INPUT_OSF_CHAIN= +fi + +INPUT="table inet t {$INPUT_OSF_SET set s2 { typeof vlan id elements = { 2, 3, 103 } @@ -18,12 +84,7 @@ EXPECTED="table inet t { set s3 { typeof meta ibrpvid elements = { 2, 3, 103 } - } - - set s4 { - typeof frag frag-off - elements = { 1, 1024 } - } + }$INPUT_FRAG_SET set s5 { typeof ip option ra value @@ -38,12 +99,7 @@ EXPECTED="table inet t { set s7 { typeof sctp chunk init num-inbound-streams elements = { 1, 4 } - } - - set s8 { - typeof ip version - elements = { 4, 6 } - } + }$INPUT_VERSION_SET set s9 { typeof ip hdrlength @@ -59,19 +115,25 @@ EXPECTED="table inet t { typeof vlan id . ip saddr elements = { 3567 . 1.2.3.4 } } + set s12 { + typeof meta iifname . ip saddr . meta ipsec + elements = { \"eth0\" . 10.1.1.2 . 1 } + } - chain c1 { - osf name @s1 accept + set s13 { + typeof tcp option mptcp subtype + elements = { mp-join, dss } } + set s14 { + typeof tcp option mptcp subtype . ip daddr + elements = { remove-addr . 10.1.1.1, mp-join . 10.1.1.2 } + } +$INPUT_OSF_CHAIN chain c2 { ether type vlan vlan id @s2 accept } - - chain c4 { - frag frag-off @s4 accept - } - +$INPUT_FRAG_CHAIN chain c5 { ip option ra value @s5 accept } @@ -79,28 +141,142 @@ EXPECTED="table inet t { chain c6 { tcp option maxseg size @s6 accept } +$INPUT_SCTP_CHAIN +$INPUT_VERSION_CHAIN + chain c9 { + ip hdrlength @s9 accept + } - chain c7 { - sctp chunk init num-inbound-streams @s7 accept + chain c10 { + meta iifname . ip saddr . ipsec in reqid @s10 accept } - chain c8 { - ip version @s8 accept + chain c11 { + ether type vlan vlan id . ip saddr @s11 accept + } + + chain c12 { + meta iifname . ip saddr . meta ipsec @s12 accept } + chain c13 { + tcp option mptcp subtype @s13 accept + } + + chain c14 { + tcp option mptcp subtype . ip saddr @s14 accept + } +}" + +EXPECTED="table inet t {$INPUT_OSF_SET + set s2 { + typeof vlan id + elements = { 2, 3, 103 } + } + + set s3 { + typeof meta ibrpvid + elements = { 2, 3, 103 } + } +$INPUT_FRAG_SET + set s5 { + typeof ip option ra value + elements = { 1, 1024 } + } + + set s6 { + typeof tcp option maxseg size + elements = { 1, 1024 } + } + + set s7 { + typeof sctp chunk init num-inbound-streams + elements = { 1, 4 } + } +$INPUT_VERSION_SET + set s9 { + typeof ip hdrlength + elements = { 0, 1, 2, 3, 4, + 15 } + } + + set s10 { + typeof iifname . ip saddr . ipsec in reqid + elements = { \"eth0\" . 10.1.1.2 . 42 } + } + + set s11 { + typeof vlan id . ip saddr + elements = { 3567 . 1.2.3.4 } + } + + set s12 { + typeof iifname . ip saddr . meta ipsec + elements = { \"eth0\" . 10.1.1.2 . exists } + } + + set s13 { + typeof tcp option mptcp subtype + elements = { mp-join, dss } + } + + set s14 { + typeof tcp option mptcp subtype . ip daddr + elements = { remove-addr . 10.1.1.1, + mp-join . 10.1.1.2 } + } +$INPUT_OSF_CHAIN + chain c2 { + vlan id @s2 accept + } +$INPUT_FRAG_CHAIN + chain c5 { + ip option ra value @s5 accept + } + + chain c6 { + tcp option maxseg size @s6 accept + } +$INPUT_SCTP_CHAIN$INPUT_VERSION_CHAIN chain c9 { ip hdrlength @s9 accept } chain c10 { - meta iifname . ip saddr . ipsec in reqid @s10 accept + iifname . ip saddr . ipsec in reqid @s10 accept } chain c11 { - ether type vlan vlan id . ip saddr @s11 accept + vlan id . ip saddr @s11 accept + } + + chain c12 { + iifname . ip saddr . meta ipsec @s12 accept + } + + chain c13 { + tcp option mptcp subtype @s13 accept + } + + chain c14 { + tcp option mptcp subtype . ip saddr @s14 accept } }" -set -e -$NFT -f - <<< $EXPECTED +$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<" + +$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<" + +if [ "$NFT_TEST_HAVE_bitshift" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_bitshift=n. Skip" + exit 77 +fi +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip" + exit 77 +fi +if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_sctp_chunks=n. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/sets/typeof_sets_1 b/tests/shell/testcases/sets/typeof_sets_1 new file mode 100755 index 00000000..e520270c --- /dev/null +++ b/tests/shell/testcases/sets/typeof_sets_1 @@ -0,0 +1,22 @@ +#!/bin/bash + +# regression test for corner case in netlink_delinearize + +EXPECTED="table bridge t { + set nodhcpvlan { + typeof vlan id + elements = { 1 } + } + + chain c1 { + vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2 + vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2 + vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2 + } + + chain c2 { + } +}" + +set -e +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat new file mode 100755 index 00000000..34465f1d --- /dev/null +++ b/tests/shell/testcases/sets/typeof_sets_concat @@ -0,0 +1,8 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" |