summaryrefslogtreecommitdiffstats
path: root/tests/shell/testcases/sets
diff options
context:
space:
mode:
Diffstat (limited to 'tests/shell/testcases/sets')
-rwxr-xr-xtests/shell/testcases/sets/0011add_many_elements_015
-rwxr-xr-xtests/shell/testcases/sets/0012add_delete_many_elements_014
-rwxr-xr-xtests/shell/testcases/sets/0013add_delete_many_elements_014
-rwxr-xr-xtests/shell/testcases/sets/0020comments_02
-rwxr-xr-xtests/shell/testcases/sets/0022type_selective_flush_02
-rwxr-xr-xtests/shell/testcases/sets/0024named_objects_063
-rwxr-xr-xtests/shell/testcases/sets/0024synproxy_031
-rwxr-xr-xtests/shell/testcases/sets/0030add_many_elements_interval_014
-rwxr-xr-xtests/shell/testcases/sets/0034get_element_02
-rwxr-xr-xtests/shell/testcases/sets/0036add_set_element_expiration_018
-rwxr-xr-xtests/shell/testcases/sets/0038meter_list_07
-rwxr-xr-xtests/shell/testcases/sets/0043concatenated_ranges_018
-rwxr-xr-xtests/shell/testcases/sets/0043concatenated_ranges_14
-rwxr-xr-xtests/shell/testcases/sets/0044interval_overlap_016
-rwxr-xr-xtests/shell/testcases/sets/0044interval_overlap_14
-rwxr-xr-xtests/shell/testcases/sets/0046netmap_08
-rwxr-xr-xtests/shell/testcases/sets/0047nat_022
-rwxr-xr-xtests/shell/testcases/sets/0048set_counters_02
-rwxr-xr-xtests/shell/testcases/sets/0049set_define_012
-rwxr-xr-xtests/shell/testcases/sets/0051set_interval_counter_02
-rwxr-xr-xtests/shell/testcases/sets/0059set_update_multistmt_02
-rwxr-xr-xtests/shell/testcases/sets/0060set_multistmt_02
-rwxr-xr-xtests/shell/testcases/sets/0060set_multistmt_140
-rwxr-xr-xtests/shell/testcases/sets/0062set_connlimit_05
-rwxr-xr-xtests/shell/testcases/sets/0063set_catchall_02
-rwxr-xr-xtests/shell/testcases/sets/0064map_catchall_02
-rwxr-xr-xtests/shell/testcases/sets/0067nat_concat_interval_044
-rwxr-xr-xtests/shell/testcases/sets/0067nat_interval_018
-rwxr-xr-xtests/shell/testcases/sets/0068interval_stack_overflow_018
-rwxr-xr-xtests/shell/testcases/sets/0070stacked_l2_headers6
-rwxr-xr-xtests/shell/testcases/sets/0071unclosed_prefix_interval_023
-rwxr-xr-xtests/shell/testcases/sets/0072destroy_012
-rwxr-xr-xtests/shell/testcases/sets/0073flat_interval_set11
-rwxr-xr-xtests/shell/testcases/sets/0074nested_interval_set6
-rwxr-xr-xtests/shell/testcases/sets/automerge_079
-rwxr-xr-xtests/shell/testcases/sets/collapse_elem_019
-rwxr-xr-xtests/shell/testcases/sets/concat_interval_026
-rw-r--r--tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft261
-rw-r--r--tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft44
-rw-r--r--tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft27
-rw-r--r--tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft38
-rw-r--r--tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft38
-rw-r--r--tests/shell/testcases/sets/dumps/0006create_set_0.json-nft27
-rw-r--r--tests/shell/testcases/sets/dumps/0007create_element_0.json-nft30
-rw-r--r--tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft38
-rw-r--r--tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft78
-rw-r--r--tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft38
-rw-r--r--tests/shell/testcases/sets/dumps/0010comments_0.json-nft35
-rw-r--r--tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft27
-rw-r--r--tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft27
-rw-r--r--tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft0
-rw-r--r--tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft53
-rw-r--r--tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft31
-rw-r--r--tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft31
-rw-r--r--tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft32
-rw-r--r--tests/shell/testcases/sets/dumps/0018set_check_size_1.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft32
-rw-r--r--tests/shell/testcases/sets/dumps/0020comments_0.json-nft35
-rw-r--r--tests/shell/testcases/sets/dumps/0021nesting_0.json-nft69
-rw-r--r--tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft101
-rw-r--r--tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft8
-rw-r--r--tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft18
-rw-r--r--tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft165
-rw-r--r--tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft131
-rw-r--r--tests/shell/testcases/sets/dumps/0024synproxy_0.nft (renamed from tests/shell/testcases/sets/dumps/0024named_objects_0.nft)27
-rw-r--r--tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft102
-rw-r--r--tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft75
-rw-r--r--tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft38
-rw-r--r--tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft168
-rw-r--r--tests/shell/testcases/sets/dumps/0028autoselect_0.nft26
-rw-r--r--tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft53
-rw-r--r--tests/shell/testcases/sets/dumps/0028delete_handle_0.nft15
-rw-r--r--tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft49
-rw-r--r--tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft49
-rw-r--r--tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0034get_element_0.json-nft140
-rw-r--r--tests/shell/testcases/sets/dumps/0034get_element_0.nft23
-rw-r--r--tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft30
-rw-r--r--tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft159
-rw-r--r--tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft96
-rw-r--r--tests/shell/testcases/sets/dumps/0038meter_list_0.nft17
-rw-r--r--tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft39
-rw-r--r--tests/shell/testcases/sets/dumps/0039delete_interval_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft39
-rw-r--r--tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0041interval_0.json-nft33
-rw-r--r--tests/shell/testcases/sets/dumps/0041interval_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0042update_set_0.json-nft87
-rw-r--r--tests/shell/testcases/sets/dumps/0042update_set_0.nft15
-rw-r--r--tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft98
-rw-r--r--tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft1723
-rw-r--r--tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft116
-rw-r--r--tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft529
-rw-r--r--tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft106
-rw-r--r--tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft95
-rw-r--r--tests/shell/testcases/sets/dumps/0046netmap_0.json-nft167
-rw-r--r--tests/shell/testcases/sets/dumps/0046netmap_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0047nat_0.nft17
-rw-r--r--tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft95
-rw-r--r--tests/shell/testcases/sets/dumps/0049set_define_0.json-nft94
-rw-r--r--tests/shell/testcases/sets/dumps/0049set_define_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0050set_define_1.json-nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0050set_define_1.nft0
-rw-r--r--tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft85
-rw-r--r--tests/shell/testcases/sets/dumps/0052overlap_0.json-nft35
-rw-r--r--tests/shell/testcases/sets/dumps/0053echo_0.json-nft101
-rw-r--r--tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft45
-rw-r--r--tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft138
-rw-r--r--tests/shell/testcases/sets/dumps/0055tcpflags_0.nft8
-rw-r--r--tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft0
-rw-r--r--tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft31
-rw-r--r--tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft7
-rw-r--r--tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft68
-rw-r--r--tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft79
-rw-r--r--tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft105
-rw-r--r--tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft105
-rw-r--r--tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft15
-rw-r--r--tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft57
-rw-r--r--tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft52
-rw-r--r--tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft14
-rw-r--r--tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft94
-rw-r--r--tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft220
-rw-r--r--tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft78
-rw-r--r--tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft6
-rw-r--r--tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft23
-rw-r--r--tests/shell/testcases/sets/dumps/0067nat_interval_0.nft12
-rw-r--r--tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft51
-rw-r--r--tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft28
-rw-r--r--tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft128
-rw-r--r--tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft19
-rw-r--r--tests/shell/testcases/sets/dumps/0072destroy_0.json-nft18
-rw-r--r--tests/shell/testcases/sets/dumps/0072destroy_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft52
-rw-r--r--tests/shell/testcases/sets/dumps/0073flat_interval_set.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft52
-rw-r--r--tests/shell/testcases/sets/dumps/0074nested_interval_set.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/automerge_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft50
-rw-r--r--tests/shell/testcases/sets/dumps/collapse_elem_0.nft12
-rw-r--r--tests/shell/testcases/sets/dumps/concat_interval_0.json-nft68
-rw-r--r--tests/shell/testcases/sets/dumps/concat_interval_0.nft14
-rw-r--r--tests/shell/testcases/sets/dumps/dynset_missing.json-nft83
-rw-r--r--tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/errors_0.json-nft11
-rw-r--r--tests/shell/testcases/sets/dumps/errors_0.nft0
-rw-r--r--tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft110
-rw-r--r--tests/shell/testcases/sets/dumps/exact_overlap_0.nft13
-rw-r--r--tests/shell/testcases/sets/dumps/inner_0.json-nft207
-rw-r--r--tests/shell/testcases/sets/dumps/inner_0.nft18
-rw-r--r--tests/shell/testcases/sets/dumps/meter_0.json-nft203
-rw-r--r--tests/shell/testcases/sets/dumps/meter_0.nft29
-rw-r--r--tests/shell/testcases/sets/dumps/reset_command_0.nodump0
-rw-r--r--tests/shell/testcases/sets/dumps/set_eval_0.json-nft85
-rw-r--r--tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft551
-rw-r--r--tests/shell/testcases/sets/dumps/sets_with_ifnames.nft11
-rw-r--r--tests/shell/testcases/sets/dumps/type_set_symbol.json-nft114
-rw-r--r--tests/shell/testcases/sets/dumps/type_set_symbol.nft16
-rw-r--r--tests/shell/testcases/sets/dumps/typeof_raw_0.nft4
-rw-r--r--tests/shell/testcases/sets/dumps/typeof_sets_0.nft18
-rw-r--r--tests/shell/testcases/sets/dumps/typeof_sets_1.nft15
-rw-r--r--tests/shell/testcases/sets/dumps/typeof_sets_concat.nft23
-rwxr-xr-xtests/shell/testcases/sets/elem_opts_compat_031
-rwxr-xr-xtests/shell/testcases/sets/errors_028
-rwxr-xr-xtests/shell/testcases/sets/inner_027
-rwxr-xr-xtests/shell/testcases/sets/meter_018
-rwxr-xr-xtests/shell/testcases/sets/reset_command_087
-rwxr-xr-xtests/shell/testcases/sets/sets_with_ifnames2
-rwxr-xr-xtests/shell/testcases/sets/type_set_symbol6
-rwxr-xr-xtests/shell/testcases/sets/typeof_raw_04
-rwxr-xr-xtests/shell/testcases/sets/typeof_sets_0202
-rwxr-xr-xtests/shell/testcases/sets/typeof_sets_122
-rwxr-xr-xtests/shell/testcases/sets/typeof_sets_concat8
184 files changed, 10090 insertions, 179 deletions
diff --git a/tests/shell/testcases/sets/0011add_many_elements_0 b/tests/shell/testcases/sets/0011add_many_elements_0
index ba23f90f..c37b2f0d 100755
--- a/tests/shell/testcases/sets/0011add_many_elements_0
+++ b/tests/shell/testcases/sets/0011add_many_elements_0
@@ -3,6 +3,14 @@
# test adding many sets elements
HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
+
tmpfile=$(mktemp)
if [ ! -w $tmpfile ] ; then
@@ -30,3 +38,10 @@ add element x y $(generate)" > $tmpfile
set -e
$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0
index 7e7beebd..64451604 100755
--- a/tests/shell/testcases/sets/0012add_delete_many_elements_0
+++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0
@@ -3,6 +3,13 @@
# test adding and deleting many sets elements
HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
tmpfile=$(mktemp)
if [ ! -w $tmpfile ] ; then
@@ -31,3 +38,10 @@ delete element x y $(generate)" > $tmpfile
set -e
$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0
index 5774317b..c0925dd5 100755
--- a/tests/shell/testcases/sets/0013add_delete_many_elements_0
+++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0
@@ -3,6 +3,13 @@
# test adding and deleting many sets elements in two nft -f runs.
HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
tmpfile=$(mktemp)
if [ ! -w $tmpfile ] ; then
@@ -32,3 +39,10 @@ add element x y $(generate)" > $tmpfile
$NFT -f $tmpfile
echo "delete element x y $(generate)" > $tmpfile
$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/0020comments_0 b/tests/shell/testcases/sets/0020comments_0
index 44d451a8..1df38326 100755
--- a/tests/shell/testcases/sets/0020comments_0
+++ b/tests/shell/testcases/sets/0020comments_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment)
+
# Test that comments are added to set elements in standard sets.
# Explicitly test bitmap backend set implementation.
diff --git a/tests/shell/testcases/sets/0022type_selective_flush_0 b/tests/shell/testcases/sets/0022type_selective_flush_0
index 6062913b..48f6875b 100755
--- a/tests/shell/testcases/sets/0022type_selective_flush_0
+++ b/tests/shell/testcases/sets/0022type_selective_flush_0
@@ -16,7 +16,7 @@ $NFT -f - <<< "$RULESET"
# Commands that should be invalid
declare -a cmds=(
- "flush set t m" "flush set t f"
+ "flush set t m"
"flush map t s" "flush map t f"
"flush meter t s" "flush meter t m"
)
diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/sets/0024named_objects_0
deleted file mode 100755
index 6d21e388..00000000
--- a/tests/shell/testcases/sets/0024named_objects_0
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/bash
-
-# This is the testscase:
-# * creating valid named objects
-# * referencing them from a valid rule
-
-RULESET="
-table inet x {
- counter user123 {
- packets 12 bytes 1433
- }
- counter user321 {
- packets 12 bytes 1433
- }
- quota user123 {
- over 2000 bytes
- }
- quota user124 {
- over 2000 bytes
- }
- synproxy https-synproxy {
- mss 1460
- wscale 7
- timestamp sack-perm
- }
- synproxy other-synproxy {
- mss 1460
- wscale 5
- }
- set y {
- type ipv4_addr
- }
- map test {
- type ipv4_addr : quota
- elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"}
- }
- map test2 {
- type ipv4_addr : synproxy
- flags interval
- elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
- }
- chain y {
- type filter hook input priority 0; policy accept;
- counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"}
- synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
- quota name ip saddr map @test drop
- }
-}"
-
-set -e
-$NFT -f - <<< "$RULESET"
-
-EXPECTED="table inet x {
- counter user321 {
- packets 12 bytes 1433
- }
-}"
-
-GET="$($NFT reset counter inet x user321)"
-if [ "$EXPECTED" != "$GET" ] ; then
- $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
- exit 1
-fi
diff --git a/tests/shell/testcases/sets/0024synproxy_0 b/tests/shell/testcases/sets/0024synproxy_0
new file mode 100755
index 00000000..0c7da572
--- /dev/null
+++ b/tests/shell/testcases/sets/0024synproxy_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_synproxy)
+
+# * creating valid named objects
+# * referencing them from a valid rule
+
+RULESET="
+table inet x {
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+ synproxy other-synproxy {
+ mss 1460
+ wscale 5
+ }
+ map test2 {
+ type ipv4_addr : synproxy
+ flags interval
+ elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ }
+ chain y {
+ type filter hook input priority 0; policy accept;
+ synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+ }
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0030add_many_elements_interval_0 b/tests/shell/testcases/sets/0030add_many_elements_interval_0
index 059ade9a..32a705bf 100755
--- a/tests/shell/testcases/sets/0030add_many_elements_interval_0
+++ b/tests/shell/testcases/sets/0030add_many_elements_interval_0
@@ -1,6 +1,13 @@
#!/bin/bash
HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
tmpfile=$(mktemp)
if [ ! -w $tmpfile ] ; then
@@ -28,3 +35,10 @@ add element x y $(generate)" > $tmpfile
set -e
$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0
index 3343529b..32375b9f 100755
--- a/tests/shell/testcases/sets/0034get_element_0
+++ b/tests/shell/testcases/sets/0034get_element_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
RC=0
check() { # (set, elems, expected)
diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0
index 3097d077..d961ffd4 100755
--- a/tests/shell/testcases/sets/0036add_set_element_expiration_0
+++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0
@@ -1,15 +1,25 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_setelem_expiration)
+
set -e
+drop_seconds() {
+ sed -E 's/m[0-9]*s([0-9]*ms)?/m/g'
+}
+
RULESET="add table ip x
+add set ip x y { type ipv4_addr; flags dynamic,timeout; }
+add element ip x y { 1.1.1.1 timeout 30m expires 15m59s }"
+
+EXPECTED="add table ip x
add set ip x y { type ipv4_addr; flags dynamic,timeout; }
-add element ip x y { 1.1.1.1 timeout 30s expires 15s }"
+add element ip x y { 1.1.1.1 timeout 30m expires 15m }"
-test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation')
+test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation' | drop_seconds)
-if [ "$test_output" != "$RULESET" ] ; then
- $DIFF -u <(echo "$test_output") <(echo "$RULESET")
+if [ "$test_output" != "$EXPECTED" ] ; then
+ $DIFF -u <(echo "$test_output") <(echo "$EXPECTED")
exit 1
fi
diff --git a/tests/shell/testcases/sets/0038meter_list_0 b/tests/shell/testcases/sets/0038meter_list_0
index e9e0f6fb..7c37c1d8 100755
--- a/tests/shell/testcases/sets/0038meter_list_0
+++ b/tests/shell/testcases/sets/0038meter_list_0
@@ -14,7 +14,12 @@ RULESET="
"
expected_output="table ip t {
- meter m {
+ set s {
+ type ipv4_addr
+ size 256
+ flags dynamic,timeout
+ }
+ set m {
type ipv4_addr
size 128
flags dynamic
diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_0 b/tests/shell/testcases/sets/0043concatenated_ranges_0
index 11767373..a3dbf5bf 100755
--- a/tests/shell/testcases/sets/0043concatenated_ranges_0
+++ b/tests/shell/testcases/sets/0043concatenated_ranges_0
@@ -1,4 +1,7 @@
-#!/bin/sh -e
+#!/bin/bash -e
+#
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
#
# 0043concatenated_ranges_0 - Add, get, list, timeout for concatenated ranges
#
@@ -14,12 +17,7 @@
# - delete them
# - make sure they can't be deleted again
-if [ "$(ps -o comm= $PPID)" = "run-tests.sh" ]; then
- # Skip some permutations on a full test suite run to keep it quick
- TYPES="ipv4_addr ipv6_addr ether_addr inet_service"
-else
- TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark"
-fi
+TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark"
RULESPEC_ipv4_addr="ip saddr"
ELEMS_ipv4_addr="192.0.2.1 198.51.100.0/25 203.0.113.0-203.0.113.129"
@@ -147,7 +145,7 @@ for ta in ${TYPES}; do
eval add_b=\$ADD_${tb}
eval add_c=\$ADD_${tc}
${NFT} add element inet filter test \
- "{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}"
+ "{ ${add_a} . ${add_b} . ${add_c} timeout 2m${mapv}}"
[ $(${NFT} list ${setmap} inet filter test | \
grep -c "${add_a} . ${add_b} . ${add_c}") -eq 1 ]
@@ -180,6 +178,10 @@ for ta in ${TYPES}; do
continue
fi
+ ${NFT} delete element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} ${mapv}}"
+ ${NFT} add element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}"
sleep 1
[ $(${NFT} list ${setmap} inet filter test | \
grep -c "${add_a} . ${add_b} . ${add_c} ${mapv}") -eq 0 ]
diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_1 b/tests/shell/testcases/sets/0043concatenated_ranges_1
index bab189c5..bb3bf6b2 100755
--- a/tests/shell/testcases/sets/0043concatenated_ranges_1
+++ b/tests/shell/testcases/sets/0043concatenated_ranges_1
@@ -1,7 +1,9 @@
-#!/bin/sh -e
+#!/bin/bash -e
#
# 0043concatenated_ranges_1 - Insert and list subnets of different sizes
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
check() {
$NFT add element "${1}" t s "{ ${2} . ${3} }"
[ "$( $NFT list set "${1}" t s | grep -c "${2} . ${3}" )" = 1 ]
diff --git a/tests/shell/testcases/sets/0044interval_overlap_0 b/tests/shell/testcases/sets/0044interval_overlap_0
index face90f2..b0f51cc8 100755
--- a/tests/shell/testcases/sets/0044interval_overlap_0
+++ b/tests/shell/testcases/sets/0044interval_overlap_0
@@ -1,4 +1,6 @@
-#!/bin/sh -e
+#!/bin/bash -e
+#
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
#
# 0044interval_overlap_0 - Add overlapping and non-overlapping intervals
#
@@ -115,7 +117,11 @@ add_elements() {
IFS='
'
for t in ${intervals_simple} switch ${intervals_concat}; do
+if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then
[ "${t}" = "switch" ] && set="c" && continue
+else
+ break
+fi
[ -z "${pass}" ] && pass="${t}" && continue
[ -z "${interval}" ] && interval="${t}" && continue
unset IFS
@@ -146,7 +152,9 @@ add_elements() {
$NFT add table t
$NFT add set t s '{ type inet_service ; flags interval ; }'
-$NFT add set t c '{ type inet_service . inet_service ; flags interval ; }'
+if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then
+ $NFT add set t c '{ type inet_service . inet_service ; flags interval ; }'
+fi
add_elements
$NFT flush ruleset
@@ -155,7 +163,9 @@ estimate_timeout
$NFT flush ruleset
$NFT add table t
$NFT add set t s "{ type inet_service ; flags interval,timeout; timeout ${timeout}s; gc-interval ${timeout}s; }"
-$NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }"
+if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then
+ $NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }"
+fi
add_elements
sleep $((timeout * 3 / 2))
diff --git a/tests/shell/testcases/sets/0044interval_overlap_1 b/tests/shell/testcases/sets/0044interval_overlap_1
index eeea1943..cdd0c844 100755
--- a/tests/shell/testcases/sets/0044interval_overlap_1
+++ b/tests/shell/testcases/sets/0044interval_overlap_1
@@ -1,4 +1,6 @@
-#!/bin/sh -e
+#!/bin/bash -e
+#
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
#
# 0044interval_overlap_1 - Single-sized intervals can never overlap partially
#
diff --git a/tests/shell/testcases/sets/0046netmap_0 b/tests/shell/testcases/sets/0046netmap_0
index 2804a4a2..7533623e 100755
--- a/tests/shell/testcases/sets/0046netmap_0
+++ b/tests/shell/testcases/sets/0046netmap_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netmap)
+
EXPECTED="table ip x {
chain y {
type nat hook postrouting priority srcnat; policy accept;
@@ -8,6 +10,12 @@ EXPECTED="table ip x {
10.141.13.0/24 : 192.168.4.0/24 }
}
}
+ table ip6 x {
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 }
+ }
+ }
"
set -e
diff --git a/tests/shell/testcases/sets/0047nat_0 b/tests/shell/testcases/sets/0047nat_0
index cb1d4d68..757605ee 100755
--- a/tests/shell/testcases/sets/0047nat_0
+++ b/tests/shell/testcases/sets/0047nat_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
EXPECTED="table ip x {
map y {
type ipv4_addr : interval ipv4_addr
@@ -8,6 +10,12 @@ EXPECTED="table ip x {
10.141.11.0/24 : 192.168.4.2-192.168.4.3 }
}
+ chain x {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+
chain y {
type nat hook postrouting priority srcnat; policy accept;
snat to ip saddr map @y
@@ -18,3 +26,17 @@ EXPECTED="table ip x {
set -e
$NFT -f - <<< $EXPECTED
$NFT add element x y { 10.141.12.0/24 : 192.168.5.10-192.168.5.20 }
+
+EXPECTED="table inet x {
+ chain x {
+ type nat hook prerouting priority dstnat; policy accept;
+ dnat to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 }
+ }
+
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2-192.168.4.3 }
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0048set_counters_0 b/tests/shell/testcases/sets/0048set_counters_0
index e62d25df..95babdc9 100755
--- a/tests/shell/testcases/sets/0048set_counters_0
+++ b/tests/shell/testcases/sets/0048set_counters_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
set -e
EXPECTED="table ip x {
diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0
index 1d512f7b..756afdc1 100755
--- a/tests/shell/testcases/sets/0049set_define_0
+++ b/tests/shell/testcases/sets/0049set_define_0
@@ -14,3 +14,15 @@ table inet filter {
"
$NFT -f - <<< "$EXPECTED"
+
+EXPECTED="define ip-block-4 = { 1.1.1.1 }
+
+ create set inet filter ip-block-4-test {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ elements = \$ip-block-4
+ }
+"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0051set_interval_counter_0 b/tests/shell/testcases/sets/0051set_interval_counter_0
index ea90e264..6e67a43c 100755
--- a/tests/shell/testcases/sets/0051set_interval_counter_0
+++ b/tests/shell/testcases/sets/0051set_interval_counter_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
set -e
EXPECTED="table ip x {
diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0
index 107bfb87..2aeba2c5 100755
--- a/tests/shell/testcases/sets/0059set_update_multistmt_0
+++ b/tests/shell/testcases/sets/0059set_update_multistmt_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
RULESET="table x {
set y {
type ipv4_addr
diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0
index 6bd147c3..8e17444e 100755
--- a/tests/shell/testcases/sets/0060set_multistmt_0
+++ b/tests/shell/testcases/sets/0060set_multistmt_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
RULESET="table x {
set y {
type ipv4_addr
diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1
new file mode 100755
index 00000000..04ef047c
--- /dev/null
+++ b/tests/shell/testcases/sets/0060set_multistmt_1
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
+RULESET="table x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter quota 500 bytes
+ elements = { 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes }
+ }
+ chain y {
+ type filter hook output priority filter; policy accept;
+ update @y { ip daddr }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+# should work
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+# should work
+$NFT add element x y { 1.1.1.1 }
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+# should work
+$NFT add element x y { 2.2.2.2 counter quota 1000 bytes }
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0
index 48d589fe..48aa6fce 100755
--- a/tests/shell/testcases/sets/0062set_connlimit_0
+++ b/tests/shell/testcases/sets/0062set_connlimit_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
set -e
RULESET="table ip x {
@@ -24,3 +26,6 @@ RULESET="table ip x {
}"
$NFT -f - <<< $RULESET
+
+$NFT flush set ip x est-connlimit
+$NFT flush set ip x new-connlimit
diff --git a/tests/shell/testcases/sets/0063set_catchall_0 b/tests/shell/testcases/sets/0063set_catchall_0
index faca56a1..edd015d0 100755
--- a/tests/shell/testcases/sets/0063set_catchall_0
+++ b/tests/shell/testcases/sets/0063set_catchall_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
set -e
RULESET="table ip x {
diff --git a/tests/shell/testcases/sets/0064map_catchall_0 b/tests/shell/testcases/sets/0064map_catchall_0
index 43685160..fd289372 100755
--- a/tests/shell/testcases/sets/0064map_catchall_0
+++ b/tests/shell/testcases/sets/0064map_catchall_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
set -e
RULESET="table ip x {
diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0
index 530771b0..81621957 100755
--- a/tests/shell/testcases/sets/0067nat_concat_interval_0
+++ b/tests/shell/testcases/sets/0067nat_concat_interval_0
@@ -1,21 +1,8 @@
#!/bin/bash
-set -e
-
-EXPECTED="table ip nat {
- map ipportmap {
- type ipv4_addr : interval ipv4_addr . inet_service
- flags interval
- elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 }
- }
- chain prerouting {
- type nat hook prerouting priority dstnat; policy accept;
- ip protocol tcp dnat ip to ip saddr map @ipportmap
- }
-}"
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
-$NFT -f - <<< $EXPECTED
-$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+set -e
EXPECTED="table ip nat {
map ipportmap2 {
@@ -42,3 +29,30 @@ EXPECTED="table ip nat {
$NFT -f - <<< $EXPECTED
$NFT add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th
+
+EXPECTED="table ip nat {
+ map ipportmap4 {
+ typeof iifname . ip saddr : interval ip daddr
+ flags interval
+ elements = { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ dnat to iifname . ip saddr map @ipportmap4
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+EXPECTED="table ip nat {
+ map ipportmap5 {
+ typeof iifname . ip saddr : interval ip daddr . tcp dport
+ flags interval
+ elements = { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0067nat_interval_0 b/tests/shell/testcases/sets/0067nat_interval_0
new file mode 100755
index 00000000..c90203d0
--- /dev/null
+++ b/tests/shell/testcases/sets/0067nat_interval_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip nat {
+ map ipportmap {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr map @ipportmap
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
index 2cbc9868..e61010c7 100755
--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -6,9 +6,18 @@ ruleset_file=$(mktemp)
trap 'rm -f "$ruleset_file"' EXIT
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=30
+fi
+
{
echo 'define big_set = {'
- for ((i = 1; i < 255; i++)); do
+ for ((i = 1; i < $HOWMANY; i++)); do
for ((j = 1; j < 255; j++)); do
echo "10.0.$i.$j,"
done
@@ -27,3 +36,10 @@ table inet test68_table {
EOF
( ulimit -s 400 && $NFT -f "$ruleset_file" )
+
+if [ "$HOWMANY" != 255 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/0070stacked_l2_headers b/tests/shell/testcases/sets/0070stacked_l2_headers
new file mode 100755
index 00000000..07820b7c
--- /dev/null
+++ b/tests/shell/testcases/sets/0070stacked_l2_headers
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0
new file mode 100755
index 00000000..79e3ca7d
--- /dev/null
+++ b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+table inet t {
+ set s1 {
+ type ipv4_addr
+ flags interval
+ elements = { 192.0.0.0/2, 10.0.0.0/8 }
+ }
+ set s2 {
+ type ipv6_addr
+ flags interval
+ elements = { ff00::/8, fe80::/10 }
+ }
+ chain c {
+ ip saddr @s1 accept
+ ip6 daddr @s2 accept
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0072destroy_0 b/tests/shell/testcases/sets/0072destroy_0
new file mode 100755
index 00000000..9886a9b0
--- /dev/null
+++ b/tests/shell/testcases/sets/0072destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table x
+
+# pass for non-existent set
+$NFT destroy set x s
+
+# successfully delete existing set
+$NFT add set x s '{type ipv4_addr; size 2;}'
+$NFT destroy set x s
diff --git a/tests/shell/testcases/sets/0073flat_interval_set b/tests/shell/testcases/sets/0073flat_interval_set
new file mode 100755
index 00000000..0630595f
--- /dev/null
+++ b/tests/shell/testcases/sets/0073flat_interval_set
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="flush ruleset
+add table inet filter
+add map inet filter testmap { type ipv4_addr : counter; flags interval;}
+add counter inet filter TEST
+add element inet filter testmap { 192.168.0.0/24 : \"TEST\" }"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0074nested_interval_set b/tests/shell/testcases/sets/0074nested_interval_set
new file mode 100755
index 00000000..e7f65fc5
--- /dev/null
+++ b/tests/shell/testcases/sets/0074nested_interval_set
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0
index c9fb6095..1dbac0b7 100755
--- a/tests/shell/testcases/sets/automerge_0
+++ b/tests/shell/testcases/sets/automerge_0
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
set -e
RULESET="table inet x {
@@ -10,14 +12,23 @@ RULESET="table inet x {
}
}"
+HOWMANY=65535
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+ # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+ # the test.
+ #
+ # Run only a subset of the test and mark as skipped at the end.
+ HOWMANY=5000
+fi
+
$NFT -f - <<< $RULESET
tmpfile=$(mktemp)
echo -n "add element inet x y { " > $tmpfile
-for ((i=0;i<65535;i+=2))
+for ((i=0;i<$HOWMANY;i+=2))
do
echo -n "$i, " >> $tmpfile
- if [ $i -eq 65534 ]
+ if [ $i -eq $((HOWMANY-1)) ]
then
echo -n "$i" >> $tmpfile
fi
@@ -27,23 +38,28 @@ echo "}" >> $tmpfile
$NFT -f $tmpfile
tmpfile2=$(mktemp)
-for ((i=1;i<65535;i+=2))
+for ((i=1;i<$HOWMANY;i+=2))
do
echo "$i" >> $tmpfile2
done
tmpfile3=$(mktemp)
-shuf $tmpfile2 > $tmpfile3
+shuf "$tmpfile2" --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "automerge-shuf-tmpfile2" "$NFT_TEST_RANDOM_SEED") > "$tmpfile3"
i=0
cat $tmpfile3 | while read line && [ $i -lt 10 ]
do
$NFT add element inet x y { $line }
+ if [ $? -ne 0 ]
+ then
+ echo "failed to add $line"
+ exit 1
+ fi
i=$((i+1))
done
for ((i=0;i<10;i++))
do
- from=$(($RANDOM%65535))
+ from=$(($RANDOM%$HOWMANY))
to=$(($from+100))
$NFT add element inet x y { $from-$to }
if [ $? -ne 0 ]
@@ -51,14 +67,65 @@ do
echo "failed to add $from-$to"
exit 1
fi
- $NFT get element inet x y { $from-$to }
+
+ $NFT get element inet x y { $from-$to } 1>/dev/null
if [ $? -ne 0 ]
then
echo "failed to get $from-$to"
exit 1
fi
+
+ # partial removals in the previous random range
+ from2=$(($from+10))
+ to2=$(($to-10))
+ $NFT delete element inet x y { $from, $to, $from2-$to2 }
+ if [ $? -ne 0 ]
+ then
+ echo "failed to delete $from, $to, $from2-$to2"
+ exit 1
+ fi
+
+ # check deletions are correct
+ from=$(($from+1))
+ $NFT get element inet x y { $from } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $from"
+ exit 1
+ fi
+
+ to=$(($to-1))
+ $NFT get element inet x y { $to } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $to"
+ exit 1
+ fi
+
+ from2=$(($from2-1))
+ $NFT get element inet x y { $from2 } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $from2"
+ exit 1
+ fi
+ to2=$(($to2+1))
+
+ $NFT get element inet x y { $to2 } 1>/dev/null
+ if [ $? -ne 0 ]
+ then
+ echo "failed to get $to2"
+ exit 1
+ fi
done
rm -f $tmpfile
rm -f $tmpfile2
rm -f $tmpfile3
+
+if [ "$HOWMANY" != 65535 ] ; then
+ echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+ echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+ echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0
new file mode 100755
index 00000000..7699e9da
--- /dev/null
+++ b/tests/shell/testcases/sets/collapse_elem_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip a {
+ set x {
+ type inet_service;
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service;
+ }
+}
+add element ip a x { 1 }
+add element ip a x { 2 }
+add element ip6 a x { 2 }"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/concat_interval_0 b/tests/shell/testcases/sets/concat_interval_0
new file mode 100755
index 00000000..36138ae0
--- /dev/null
+++ b/tests/shell/testcases/sets/concat_interval_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
+set -e
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr . inet_proto . inet_service
+ flags interval
+ counter
+ elements = { 1.0.0.1 . udp . 53 }
+ }
+ set s2 {
+ type ipv4_addr . mark
+ flags interval
+ elements = { 10.10.10.10 . 0x00000100,
+ 20.20.20.20 . 0x00000200 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT delete element t s { 1.0.0.1 . udp . 53}
+
+exit 0
diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft
new file mode 100644
index 00000000..b9c66a21
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft
@@ -0,0 +1,261 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s1",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "range": [
+ "10.0.0.0",
+ "11.0.0.0"
+ ]
+ },
+ {
+ "prefix": {
+ "addr": "172.16.0.0",
+ "len": 16
+ }
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s2",
+ "table": "t",
+ "type": "ipv6_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fe00::",
+ "len": 64
+ }
+ },
+ {
+ "range": [
+ "fe11::",
+ "fe22::"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s3",
+ "table": "t",
+ "type": "inet_proto",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "range": [
+ 10,
+ 20
+ ]
+ },
+ {
+ "range": [
+ 50,
+ 60
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s4",
+ "table": "t",
+ "type": "inet_service",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "range": [
+ 0,
+ 1024
+ ]
+ },
+ {
+ "range": [
+ 8080,
+ 8082
+ ]
+ },
+ {
+ "range": [
+ 10000,
+ 40000
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@s1"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "daddr"
+ }
+ },
+ "right": "@s2"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "protocol"
+ }
+ },
+ "right": "@s3"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "nexthdr"
+ }
+ },
+ "right": "@s3"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": "@s4"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft
new file mode 100644
index 00000000..4c0be670
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft
@@ -0,0 +1,44 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "192.168.0.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "192.168.1.0",
+ "len": 24
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft
new file mode 100644
index 00000000..b6173e9f
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft
@@ -0,0 +1,27 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft
new file mode 100644
index 00000000..c55858fa
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft
@@ -0,0 +1,38 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s",
+ "table": "t",
+ "type": "ipv6_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fe00::",
+ "len": 64
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft
new file mode 100644
index 00000000..a75681f3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft
@@ -0,0 +1,38 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s",
+ "table": "t",
+ "type": "ipv6_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fe00::",
+ "len": 48
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft
new file mode 100644
index 00000000..b6173e9f
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft
@@ -0,0 +1,27 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft
new file mode 100644
index 00000000..f5a9ac19
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft
@@ -0,0 +1,30 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ "1.1.1.1"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft
new file mode 100644
index 00000000..c6f5aa68
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft
@@ -0,0 +1,38 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "elem": {
+ "val": "1.1.1.1",
+ "comment": "test"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft
new file mode 100644
index 00000000..fa5dcb25
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft
@@ -0,0 +1,78 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "postrouting",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "sourcemap",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "verdict",
+ "elem": [
+ [
+ "100.123.10.2",
+ {
+ "jump": {
+ "target": "c"
+ }
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "postrouting",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": "@sourcemap"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft
new file mode 100644
index 00000000..2418b39a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft
@@ -0,0 +1,38 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "timeout"
+ ],
+ "elem": [
+ {
+ "elem": {
+ "val": "1.1.1.1",
+ "comment": "test"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.json-nft b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft
new file mode 100644
index 00000000..7ea3c602
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft
@@ -0,0 +1,35 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s",
+ "table": "t",
+ "type": "ipv6_addr",
+ "handle": 0,
+ "elem": [
+ {
+ "elem": {
+ "val": "::1",
+ "comment": "test"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft
new file mode 100644
index 00000000..c1b7639d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft
@@ -0,0 +1,27 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft
new file mode 100644
index 00000000..c1b7639d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft
@@ -0,0 +1,27 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft
diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft
new file mode 100644
index 00000000..6268e216
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft
@@ -0,0 +1,53 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "blacklist_v4",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "192.168.0.0",
+ "len": 24
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft
new file mode 100644
index 00000000..96b9714a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft
@@ -0,0 +1,31 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 2,
+ "elem": [
+ "1.1.1.1"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft
new file mode 100644
index 00000000..96b9714a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft
@@ -0,0 +1,31 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 2,
+ "elem": [
+ "1.1.1.1"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft
new file mode 100644
index 00000000..d226811c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft
@@ -0,0 +1,32 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 2,
+ "elem": [
+ "1.1.1.1",
+ "1.1.1.2"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft
new file mode 100644
index 00000000..8cd37076
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 2
+ elements = { 1.1.1.1, 1.1.1.2 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft
new file mode 100644
index 00000000..d226811c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft
@@ -0,0 +1,32 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 2,
+ "elem": [
+ "1.1.1.1",
+ "1.1.1.2"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.json-nft b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft
new file mode 100644
index 00000000..401a8f23
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft
@@ -0,0 +1,35 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s",
+ "table": "t",
+ "type": "inet_service",
+ "handle": 0,
+ "elem": [
+ {
+ "elem": {
+ "val": 22,
+ "comment": "test"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft
new file mode 100644
index 00000000..5ed089dc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft
@@ -0,0 +1,69 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "set": [
+ {
+ "prefix": {
+ "addr": "1.1.1.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "2.2.2.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "3.3.3.0",
+ "len": 24
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft
new file mode 100644
index 00000000..c6171392
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft
@@ -0,0 +1,101 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "m",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "inet_service"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "f",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 1024,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 80
+ }
+ },
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "set": "@f",
+ "stmt": [
+ {
+ "limit": {
+ "rate": 10,
+ "burst": 5,
+ "per": "second"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
index 5a6e3261..38987ded 100644
--- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
@@ -7,7 +7,13 @@ table ip t {
type ipv4_addr : inet_service
}
+ set f {
+ type ipv4_addr
+ size 1024
+ flags dynamic
+ }
+
chain c {
- tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second }
+ tcp dport 80 add @f { ip saddr limit rate 10/second burst 5 packets }
}
}
diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft
new file mode 100644
index 00000000..e0e56fec
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft
@@ -0,0 +1,18 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft
new file mode 100644
index 00000000..b4521333
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft
@@ -0,0 +1,165 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "packets": 12,
+ "bytes": 1433
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user321",
+ "table": "x",
+ "handle": 0,
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user124",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "test",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "quota",
+ "elem": [
+ [
+ "192.168.2.2",
+ "user124"
+ ],
+ [
+ "192.168.2.3",
+ "user124"
+ ]
+ ]
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "counter": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ "user123"
+ ],
+ [
+ "2.2.2.2",
+ "user123"
+ ],
+ [
+ "192.168.2.2",
+ "user123"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "quota": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": "@test"
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft
new file mode 100644
index 00000000..0af61333
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft
@@ -0,0 +1,131 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "synproxy": {
+ "family": "inet",
+ "name": "https-synproxy",
+ "table": "x",
+ "handle": 0,
+ "mss": 1460,
+ "wscale": 7,
+ "flags": [
+ "timestamp",
+ "sack-perm"
+ ]
+ }
+ },
+ {
+ "synproxy": {
+ "family": "inet",
+ "name": "other-synproxy",
+ "table": "x",
+ "handle": 0,
+ "mss": 1460,
+ "wscale": 5
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "test2",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "synproxy",
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ [
+ {
+ "prefix": {
+ "addr": "192.168.1.0",
+ "len": 24
+ }
+ },
+ "https-synproxy"
+ ],
+ [
+ {
+ "prefix": {
+ "addr": "192.168.2.0",
+ "len": 24
+ }
+ },
+ "other-synproxy"
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "synproxy": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ {
+ "prefix": {
+ "addr": "192.168.1.0",
+ "len": 24
+ }
+ },
+ "https-synproxy"
+ ],
+ [
+ {
+ "prefix": {
+ "addr": "192.168.2.0",
+ "len": 24
+ }
+ },
+ "other-synproxy"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft
index 52d1bf64..e0ee86db 100644
--- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
+++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft
@@ -1,20 +1,4 @@
table inet x {
- counter user123 {
- packets 12 bytes 1433
- }
-
- counter user321 {
- packets 0 bytes 0
- }
-
- quota user123 {
- over 2000 bytes
- }
-
- quota user124 {
- over 2000 bytes
- }
-
synproxy https-synproxy {
mss 1460
wscale 7
@@ -26,15 +10,6 @@ table inet x {
wscale 5
}
- set y {
- type ipv4_addr
- }
-
- map test {
- type ipv4_addr : quota
- elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
- }
-
map test2 {
type ipv4_addr : synproxy
flags interval
@@ -43,8 +18,6 @@ table inet x {
chain y {
type filter hook input priority filter; policy accept;
- counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
- quota name ip saddr map @test drop
}
}
diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft
new file mode 100644
index 00000000..9d56d025
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft
@@ -0,0 +1,102 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": {
+ "set": [
+ "192.168.0.1",
+ "192.168.0.2",
+ "192.168.0.3"
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "oifname"
+ }
+ },
+ "right": "doesntexist"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": {
+ "set": [
+ 22,
+ 23
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft
new file mode 100644
index 00000000..5d21f26c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft
@@ -0,0 +1,75 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "limit": {
+ "family": "ip",
+ "name": "http-traffic",
+ "table": "filter",
+ "handle": 0,
+ "rate": 1,
+ "per": "second",
+ "burst": 5
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "limit": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ 80,
+ "http-traffic"
+ ],
+ [
+ 443,
+ "http-traffic"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft
new file mode 100644
index 00000000..b9251ffa
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft
@@ -0,0 +1,38 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s",
+ "table": "t",
+ "type": "ipv6_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "::ffff:0.0.0.0",
+ "len": 96
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft
new file mode 100644
index 00000000..5968b2e0
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft
@@ -0,0 +1,168 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s1",
+ "table": "t",
+ "type": "inet_proto",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s2",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s3",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 1024,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "foobar"
+ }
+ },
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "protocol"
+ }
+ },
+ "set": "@s1"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "foobar"
+ }
+ },
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "set": "@s2"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "foobar"
+ }
+ },
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "set": "@s3"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft
new file mode 100644
index 00000000..0c604927
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft
@@ -0,0 +1,26 @@
+table ip t {
+ set s1 {
+ type inet_proto
+ size 65535
+ flags dynamic
+ }
+
+ set s2 {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ set s3 {
+ type ipv4_addr
+ size 1024
+ flags dynamic
+ }
+
+ chain c {
+ type filter hook input priority filter; policy accept;
+ iifname "foobar" add @s1 { ip protocol }
+ iifname "foobar" add @s2 { ip daddr }
+ iifname "foobar" add @s3 { ip daddr }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft
new file mode 100644
index 00000000..96314141
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft
@@ -0,0 +1,53 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "test-ip",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "x",
+ "table": "test-ip",
+ "type": "ipv4_addr",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "test-ip",
+ "type": "inet_service",
+ "handle": 0,
+ "flags": [
+ "timeout"
+ ],
+ "timeout": 10845
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "z",
+ "table": "test-ip",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "constant",
+ "interval"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft
new file mode 100644
index 00000000..0f25c763
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft
@@ -0,0 +1,15 @@
+table ip test-ip {
+ set x {
+ type ipv4_addr
+ }
+
+ set y {
+ type inet_service
+ timeout 3h45s
+ }
+
+ set z {
+ type ipv4_addr
+ flags constant,interval
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft
new file mode 100644
index 00000000..4d194bff
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft
@@ -0,0 +1,49 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "setA",
+ "table": "filter",
+ "type": [
+ "ipv4_addr",
+ "inet_service",
+ "ipv4_addr"
+ ],
+ "handle": 0,
+ "flags": [
+ "timeout"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "setB",
+ "table": "filter",
+ "type": [
+ "ipv4_addr",
+ "inet_service"
+ ],
+ "handle": 0,
+ "flags": [
+ "timeout"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft
new file mode 100644
index 00000000..16684438
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft
@@ -0,0 +1,49 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "setA",
+ "table": "x",
+ "type": [
+ "ipv4_addr",
+ "inet_service",
+ "ipv4_addr"
+ ],
+ "handle": 0,
+ "flags": [
+ "timeout"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "setB",
+ "table": "x",
+ "type": [
+ "ipv4_addr",
+ "inet_service"
+ ],
+ "handle": 0,
+ "flags": [
+ "timeout"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft
new file mode 100644
index 00000000..d6174c51
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft
@@ -0,0 +1,11 @@
+table ip x {
+ set setA {
+ type ipv4_addr . inet_service . ipv4_addr
+ flags timeout
+ }
+
+ set setB {
+ type ipv4_addr . inet_service
+ flags timeout
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft
new file mode 100644
index 00000000..bfc0e4a0
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft
@@ -0,0 +1,140 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "inet_service",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ 10,
+ {
+ "range": [
+ 20,
+ 30
+ ]
+ },
+ 40,
+ {
+ "range": [
+ 50,
+ 60
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "ips",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ "10.0.0.1",
+ {
+ "range": [
+ "10.0.0.5",
+ "10.0.0.8"
+ ]
+ },
+ {
+ "prefix": {
+ "addr": "10.0.0.128",
+ "len": 25
+ }
+ },
+ {
+ "prefix": {
+ "addr": "10.0.1.0",
+ "len": 24
+ }
+ },
+ {
+ "range": [
+ "10.0.2.3",
+ "10.0.2.12"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "cs",
+ "table": "t",
+ "type": [
+ "ipv4_addr",
+ "inet_service"
+ ],
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "concat": [
+ "10.0.0.1",
+ 22
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "10.1.0.0",
+ "len": 16
+ }
+ },
+ {
+ "range": [
+ 1,
+ 1024
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "range": [
+ "10.2.0.1",
+ "10.2.0.8"
+ ]
+ },
+ {
+ "range": [
+ 1024,
+ 65535
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.nft b/tests/shell/testcases/sets/dumps/0034get_element_0.nft
new file mode 100644
index 00000000..1c1dd977
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0034get_element_0.nft
@@ -0,0 +1,23 @@
+table ip t {
+ set s {
+ type inet_service
+ flags interval
+ elements = { 10, 20-30, 40, 50-60 }
+ }
+
+ set ips {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.1, 10.0.0.5-10.0.0.8,
+ 10.0.0.128/25, 10.0.1.0/24,
+ 10.0.2.3-10.0.2.12 }
+ }
+
+ set cs {
+ type ipv4_addr . inet_service
+ flags interval
+ elements = { 10.0.0.1 . 22,
+ 10.1.0.0/16 . 1-1024,
+ 10.2.0.1-10.2.0.8 . 1024-65535 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft
new file mode 100644
index 00000000..e4c77147
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft
@@ -0,0 +1,30 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft
new file mode 100644
index 00000000..ca69cee2
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ flags interval
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft
new file mode 100644
index 00000000..1c3b559d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft
@@ -0,0 +1,159 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "forward",
+ "handle": 0,
+ "type": "filter",
+ "hook": "forward",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "myset",
+ "table": "filter",
+ "type": [
+ "ipv4_addr",
+ "inet_proto",
+ "inet_service"
+ ],
+ "handle": 0,
+ "elem": [
+ {
+ "concat": [
+ "192.168.0.113",
+ "tcp",
+ 22
+ ]
+ },
+ {
+ "concat": [
+ "192.168.0.12",
+ "tcp",
+ 53
+ ]
+ },
+ {
+ "concat": [
+ "192.168.0.12",
+ "udp",
+ 53
+ ]
+ },
+ {
+ "concat": [
+ "192.168.0.12",
+ "tcp",
+ 80
+ ]
+ },
+ {
+ "concat": [
+ "192.168.0.13",
+ "tcp",
+ 80
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "forward",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "established",
+ "related"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "forward",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": "new"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "protocol"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ }
+ ]
+ },
+ "right": "@myset"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft
new file mode 100644
index 00000000..5b13f59a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft
@@ -0,0 +1,96 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 256,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "m",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 128,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 80
+ }
+ },
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "set": "@m",
+ "stmt": [
+ {
+ "limit": {
+ "rate": 10,
+ "burst": 5,
+ "per": "second"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
new file mode 100644
index 00000000..8037dfa5
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
@@ -0,0 +1,17 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ size 256
+ flags dynamic,timeout
+ }
+
+ set m {
+ type ipv4_addr
+ size 128
+ flags dynamic
+ }
+
+ chain c {
+ tcp dport 80 add @m { ip saddr limit rate 10/second burst 5 packets }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft
new file mode 100644
index 00000000..d6e46aad
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft
@@ -0,0 +1,39 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "range": [
+ "192.168.1.0",
+ "192.168.1.254"
+ ]
+ },
+ "192.168.1.255"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft
new file mode 100644
index 00000000..1fc76572
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft
new file mode 100644
index 00000000..4b6cf03c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft
@@ -0,0 +1,39 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "mark",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "range": [
+ 35,
+ 66
+ ]
+ },
+ 4919
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft
new file mode 100644
index 00000000..f580c381
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type mark
+ flags interval
+ elements = { 0x00000023-0x00000042, 0x00001337 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.json-nft b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft
new file mode 100644
index 00000000..14a39330
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft
@@ -0,0 +1,33 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ "192.168.2.196"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.nft b/tests/shell/testcases/sets/dumps/0041interval_0.nft
new file mode 100644
index 00000000..222d4d74
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0041interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.2.196 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft
new file mode 100644
index 00000000..bc1d4cc2
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft
@@ -0,0 +1,87 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "set1",
+ "table": "t",
+ "type": "ether_addr",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "set2",
+ "table": "t",
+ "type": "ether_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ether",
+ "field": "daddr"
+ }
+ },
+ "right": "@set1"
+ }
+ },
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "payload": {
+ "protocol": "ether",
+ "field": "daddr"
+ }
+ },
+ "set": "@set2",
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.nft b/tests/shell/testcases/sets/dumps/0042update_set_0.nft
new file mode 100644
index 00000000..56cc875e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0042update_set_0.nft
@@ -0,0 +1,15 @@
+table ip t {
+ set set1 {
+ type ether_addr
+ }
+
+ set set2 {
+ type ether_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain c {
+ ether daddr @set1 add @set2 { ether daddr counter }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft
new file mode 100644
index 00000000..ffb76e2f
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft
@@ -0,0 +1,98 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "output",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "test",
+ "table": "filter",
+ "type": [
+ "mark",
+ "inet_service",
+ "inet_proto"
+ ],
+ "handle": 0,
+ "map": "mark",
+ "flags": [
+ "interval",
+ "timeout"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "output",
+ "handle": 0,
+ "expr": [
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "map": {
+ "key": {
+ "concat": [
+ {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ {
+ "meta": {
+ "key": "l4proto"
+ }
+ }
+ ]
+ },
+ "data": "@test"
+ }
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft
new file mode 100644
index 00000000..f2077b91
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft
@@ -0,0 +1,11 @@
+table inet filter {
+ map test {
+ type mark . inet_service . inet_proto : mark
+ flags interval,timeout
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ meta mark set meta mark . tcp dport . meta l4proto map @test counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft
new file mode 100644
index 00000000..92b59c86
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft
@@ -0,0 +1,1723 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip6",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip6",
+ "name": "s",
+ "table": "t",
+ "type": [
+ "ipv6_addr",
+ "ipv6_addr"
+ ],
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 32
+ }
+ },
+ {
+ "range": [
+ "2001:db8:20::",
+ "2001:db8:20::20:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 33
+ }
+ },
+ {
+ "range": [
+ "2001:db8:21::",
+ "2001:db8:21::21:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 34
+ }
+ },
+ {
+ "range": [
+ "2001:db8:22::",
+ "2001:db8:22::22:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 35
+ }
+ },
+ {
+ "range": [
+ "2001:db8:23::",
+ "2001:db8:23::23:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 36
+ }
+ },
+ {
+ "range": [
+ "2001:db8:24::",
+ "2001:db8:24::24:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 37
+ }
+ },
+ {
+ "range": [
+ "2001:db8:25::",
+ "2001:db8:25::25:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 38
+ }
+ },
+ {
+ "range": [
+ "2001:db8:26::",
+ "2001:db8:26::26:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 39
+ }
+ },
+ {
+ "range": [
+ "2001:db8:27::",
+ "2001:db8:27::27:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 40
+ }
+ },
+ {
+ "range": [
+ "2001:db8:28::",
+ "2001:db8:28::28:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 41
+ }
+ },
+ {
+ "range": [
+ "2001:db8:29::",
+ "2001:db8:29::29:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 42
+ }
+ },
+ {
+ "range": [
+ "2001:db8:2a::",
+ "2001:db8:2a::2a:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 43
+ }
+ },
+ {
+ "range": [
+ "2001:db8:2b::",
+ "2001:db8:2b::2b:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 44
+ }
+ },
+ {
+ "range": [
+ "2001:db8:2c::",
+ "2001:db8:2c::2c:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 45
+ }
+ },
+ {
+ "range": [
+ "2001:db8:2d::",
+ "2001:db8:2d::2d:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 46
+ }
+ },
+ {
+ "range": [
+ "2001:db8:2e::",
+ "2001:db8:2e::2e:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 47
+ }
+ },
+ {
+ "range": [
+ "2001:db8:2f::",
+ "2001:db8:2f::2f:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 48
+ }
+ },
+ {
+ "range": [
+ "2001:db8:30::",
+ "2001:db8:30::30:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 49
+ }
+ },
+ {
+ "range": [
+ "2001:db8:31::",
+ "2001:db8:31::31:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 50
+ }
+ },
+ {
+ "range": [
+ "2001:db8:32::",
+ "2001:db8:32::32:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 51
+ }
+ },
+ {
+ "range": [
+ "2001:db8:33::",
+ "2001:db8:33::33:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 52
+ }
+ },
+ {
+ "range": [
+ "2001:db8:34::",
+ "2001:db8:34::34:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 53
+ }
+ },
+ {
+ "range": [
+ "2001:db8:35::",
+ "2001:db8:35::35:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 54
+ }
+ },
+ {
+ "range": [
+ "2001:db8:36::",
+ "2001:db8:36::36:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 55
+ }
+ },
+ {
+ "range": [
+ "2001:db8:37::",
+ "2001:db8:37::37:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 56
+ }
+ },
+ {
+ "range": [
+ "2001:db8:38::",
+ "2001:db8:38::38:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 57
+ }
+ },
+ {
+ "range": [
+ "2001:db8:39::",
+ "2001:db8:39::39:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 58
+ }
+ },
+ {
+ "range": [
+ "2001:db8:3a::",
+ "2001:db8:3a::3a:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 59
+ }
+ },
+ {
+ "range": [
+ "2001:db8:3b::",
+ "2001:db8:3b::3b:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 60
+ }
+ },
+ {
+ "range": [
+ "2001:db8:3c::",
+ "2001:db8:3c::3c:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 61
+ }
+ },
+ {
+ "range": [
+ "2001:db8:3d::",
+ "2001:db8:3d::3d:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 62
+ }
+ },
+ {
+ "range": [
+ "2001:db8:3e::",
+ "2001:db8:3e::3e:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 63
+ }
+ },
+ {
+ "range": [
+ "2001:db8:3f::",
+ "2001:db8:3f::3f:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 64
+ }
+ },
+ {
+ "range": [
+ "2001:db8:40::",
+ "2001:db8:40::40:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 65
+ }
+ },
+ {
+ "range": [
+ "2001:db8:41::",
+ "2001:db8:41::41:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 66
+ }
+ },
+ {
+ "range": [
+ "2001:db8:42::",
+ "2001:db8:42::42:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 67
+ }
+ },
+ {
+ "range": [
+ "2001:db8:43::",
+ "2001:db8:43::43:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 68
+ }
+ },
+ {
+ "range": [
+ "2001:db8:44::",
+ "2001:db8:44::44:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 69
+ }
+ },
+ {
+ "range": [
+ "2001:db8:45::",
+ "2001:db8:45::45:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 70
+ }
+ },
+ {
+ "range": [
+ "2001:db8:46::",
+ "2001:db8:46::46:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 71
+ }
+ },
+ {
+ "range": [
+ "2001:db8:47::",
+ "2001:db8:47::47:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 72
+ }
+ },
+ {
+ "range": [
+ "2001:db8:48::",
+ "2001:db8:48::48:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 73
+ }
+ },
+ {
+ "range": [
+ "2001:db8:49::",
+ "2001:db8:49::49:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 74
+ }
+ },
+ {
+ "range": [
+ "2001:db8:4a::",
+ "2001:db8:4a::4a:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 75
+ }
+ },
+ {
+ "range": [
+ "2001:db8:4b::",
+ "2001:db8:4b::4b:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 76
+ }
+ },
+ {
+ "range": [
+ "2001:db8:4c::",
+ "2001:db8:4c::4c:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 77
+ }
+ },
+ {
+ "range": [
+ "2001:db8:4d::",
+ "2001:db8:4d::4d:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 78
+ }
+ },
+ {
+ "range": [
+ "2001:db8:4e::",
+ "2001:db8:4e::4e:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 79
+ }
+ },
+ {
+ "range": [
+ "2001:db8:4f::",
+ "2001:db8:4f::4f:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 80
+ }
+ },
+ {
+ "range": [
+ "2001:db8:50::",
+ "2001:db8:50::50:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 81
+ }
+ },
+ {
+ "range": [
+ "2001:db8:51::",
+ "2001:db8:51::51:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 82
+ }
+ },
+ {
+ "range": [
+ "2001:db8:52::",
+ "2001:db8:52::52:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 83
+ }
+ },
+ {
+ "range": [
+ "2001:db8:53::",
+ "2001:db8:53::53:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 84
+ }
+ },
+ {
+ "range": [
+ "2001:db8:54::",
+ "2001:db8:54::54:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 85
+ }
+ },
+ {
+ "range": [
+ "2001:db8:55::",
+ "2001:db8:55::55:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 86
+ }
+ },
+ {
+ "range": [
+ "2001:db8:56::",
+ "2001:db8:56::56:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 87
+ }
+ },
+ {
+ "range": [
+ "2001:db8:57::",
+ "2001:db8:57::57:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 88
+ }
+ },
+ {
+ "range": [
+ "2001:db8:58::",
+ "2001:db8:58::58:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 89
+ }
+ },
+ {
+ "range": [
+ "2001:db8:59::",
+ "2001:db8:59::59:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 90
+ }
+ },
+ {
+ "range": [
+ "2001:db8:5a::",
+ "2001:db8:5a::5a:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 91
+ }
+ },
+ {
+ "range": [
+ "2001:db8:5b::",
+ "2001:db8:5b::5b:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 92
+ }
+ },
+ {
+ "range": [
+ "2001:db8:5c::",
+ "2001:db8:5c::5c:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 93
+ }
+ },
+ {
+ "range": [
+ "2001:db8:5d::",
+ "2001:db8:5d::5d:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 94
+ }
+ },
+ {
+ "range": [
+ "2001:db8:5e::",
+ "2001:db8:5e::5e:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 95
+ }
+ },
+ {
+ "range": [
+ "2001:db8:5f::",
+ "2001:db8:5f::5f:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 96
+ }
+ },
+ {
+ "range": [
+ "2001:db8:60::",
+ "2001:db8:60::60:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 97
+ }
+ },
+ {
+ "range": [
+ "2001:db8:61::",
+ "2001:db8:61::61:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 98
+ }
+ },
+ {
+ "range": [
+ "2001:db8:62::",
+ "2001:db8:62::62:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 99
+ }
+ },
+ {
+ "range": [
+ "2001:db8:63::",
+ "2001:db8:63::63:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 100
+ }
+ },
+ {
+ "range": [
+ "2001:db8:64::",
+ "2001:db8:64::64:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 101
+ }
+ },
+ {
+ "range": [
+ "2001:db8:65::",
+ "2001:db8:65::65:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 102
+ }
+ },
+ {
+ "range": [
+ "2001:db8:66::",
+ "2001:db8:66::66:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 103
+ }
+ },
+ {
+ "range": [
+ "2001:db8:67::",
+ "2001:db8:67::67:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 104
+ }
+ },
+ {
+ "range": [
+ "2001:db8:68::",
+ "2001:db8:68::68:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 105
+ }
+ },
+ {
+ "range": [
+ "2001:db8:69::",
+ "2001:db8:69::69:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 106
+ }
+ },
+ {
+ "range": [
+ "2001:db8:6a::",
+ "2001:db8:6a::6a:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 107
+ }
+ },
+ {
+ "range": [
+ "2001:db8:6b::",
+ "2001:db8:6b::6b:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 108
+ }
+ },
+ {
+ "range": [
+ "2001:db8:6c::",
+ "2001:db8:6c::6c:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 109
+ }
+ },
+ {
+ "range": [
+ "2001:db8:6d::",
+ "2001:db8:6d::6d:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 110
+ }
+ },
+ {
+ "range": [
+ "2001:db8:6e::",
+ "2001:db8:6e::6e:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 111
+ }
+ },
+ {
+ "range": [
+ "2001:db8:6f::",
+ "2001:db8:6f::6f:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 112
+ }
+ },
+ {
+ "range": [
+ "2001:db8:70::",
+ "2001:db8:70::70:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 113
+ }
+ },
+ {
+ "range": [
+ "2001:db8:71::",
+ "2001:db8:71::71:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 114
+ }
+ },
+ {
+ "range": [
+ "2001:db8:72::",
+ "2001:db8:72::72:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 115
+ }
+ },
+ {
+ "range": [
+ "2001:db8:73::",
+ "2001:db8:73::73:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 116
+ }
+ },
+ {
+ "range": [
+ "2001:db8:74::",
+ "2001:db8:74::74:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 117
+ }
+ },
+ {
+ "range": [
+ "2001:db8:75::",
+ "2001:db8:75::75:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 118
+ }
+ },
+ {
+ "range": [
+ "2001:db8:76::",
+ "2001:db8:76::76:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 119
+ }
+ },
+ {
+ "range": [
+ "2001:db8:77::",
+ "2001:db8:77::77:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 120
+ }
+ },
+ {
+ "range": [
+ "2001:db8:78::",
+ "2001:db8:78::78:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 121
+ }
+ },
+ {
+ "range": [
+ "2001:db8:79::",
+ "2001:db8:79::79:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 122
+ }
+ },
+ {
+ "range": [
+ "2001:db8:7a::",
+ "2001:db8:7a::7a:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 123
+ }
+ },
+ {
+ "range": [
+ "2001:db8:7b::",
+ "2001:db8:7b::7b:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 124
+ }
+ },
+ {
+ "range": [
+ "2001:db8:7c::",
+ "2001:db8:7c::7c:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 125
+ }
+ },
+ {
+ "range": [
+ "2001:db8:7d::",
+ "2001:db8:7d::7d:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 126
+ }
+ },
+ {
+ "range": [
+ "2001:db8:7e::",
+ "2001:db8:7e::7e:1"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "2001:db8::",
+ "len": 127
+ }
+ },
+ {
+ "range": [
+ "2001:db8:7f::",
+ "2001:db8:7f::7f:1"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": [
+ "ipv4_addr",
+ "ipv4_addr"
+ ],
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.0.2.0",
+ "len": 24
+ }
+ },
+ {
+ "range": [
+ "192.0.2.72",
+ "192.0.2.74"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.0.2.0",
+ "len": 25
+ }
+ },
+ {
+ "range": [
+ "192.0.2.75",
+ "192.0.2.77"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.0.2.0",
+ "len": 26
+ }
+ },
+ {
+ "range": [
+ "192.0.2.78",
+ "192.0.2.80"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.0.2.0",
+ "len": 27
+ }
+ },
+ {
+ "range": [
+ "192.0.2.81",
+ "192.0.2.83"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.0.2.0",
+ "len": 28
+ }
+ },
+ {
+ "range": [
+ "192.0.2.84",
+ "192.0.2.86"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.0.2.0",
+ "len": 29
+ }
+ },
+ {
+ "range": [
+ "192.0.2.87",
+ "192.0.2.89"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.0.2.0",
+ "len": 30
+ }
+ },
+ {
+ "range": [
+ "192.0.2.90",
+ "192.0.2.92"
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.0.2.0",
+ "len": 31
+ }
+ },
+ {
+ "range": [
+ "192.0.2.93",
+ "192.0.2.95"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft
new file mode 100644
index 00000000..19d08d3d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft
@@ -0,0 +1,116 @@
+table ip6 t {
+ set s {
+ type ipv6_addr . ipv6_addr
+ flags interval
+ elements = { 2001:db8::/32 . 2001:db8:20::-2001:db8:20::20:1,
+ 2001:db8::/33 . 2001:db8:21::-2001:db8:21::21:1,
+ 2001:db8::/34 . 2001:db8:22::-2001:db8:22::22:1,
+ 2001:db8::/35 . 2001:db8:23::-2001:db8:23::23:1,
+ 2001:db8::/36 . 2001:db8:24::-2001:db8:24::24:1,
+ 2001:db8::/37 . 2001:db8:25::-2001:db8:25::25:1,
+ 2001:db8::/38 . 2001:db8:26::-2001:db8:26::26:1,
+ 2001:db8::/39 . 2001:db8:27::-2001:db8:27::27:1,
+ 2001:db8::/40 . 2001:db8:28::-2001:db8:28::28:1,
+ 2001:db8::/41 . 2001:db8:29::-2001:db8:29::29:1,
+ 2001:db8::/42 . 2001:db8:2a::-2001:db8:2a::2a:1,
+ 2001:db8::/43 . 2001:db8:2b::-2001:db8:2b::2b:1,
+ 2001:db8::/44 . 2001:db8:2c::-2001:db8:2c::2c:1,
+ 2001:db8::/45 . 2001:db8:2d::-2001:db8:2d::2d:1,
+ 2001:db8::/46 . 2001:db8:2e::-2001:db8:2e::2e:1,
+ 2001:db8::/47 . 2001:db8:2f::-2001:db8:2f::2f:1,
+ 2001:db8::/48 . 2001:db8:30::-2001:db8:30::30:1,
+ 2001:db8::/49 . 2001:db8:31::-2001:db8:31::31:1,
+ 2001:db8::/50 . 2001:db8:32::-2001:db8:32::32:1,
+ 2001:db8::/51 . 2001:db8:33::-2001:db8:33::33:1,
+ 2001:db8::/52 . 2001:db8:34::-2001:db8:34::34:1,
+ 2001:db8::/53 . 2001:db8:35::-2001:db8:35::35:1,
+ 2001:db8::/54 . 2001:db8:36::-2001:db8:36::36:1,
+ 2001:db8::/55 . 2001:db8:37::-2001:db8:37::37:1,
+ 2001:db8::/56 . 2001:db8:38::-2001:db8:38::38:1,
+ 2001:db8::/57 . 2001:db8:39::-2001:db8:39::39:1,
+ 2001:db8::/58 . 2001:db8:3a::-2001:db8:3a::3a:1,
+ 2001:db8::/59 . 2001:db8:3b::-2001:db8:3b::3b:1,
+ 2001:db8::/60 . 2001:db8:3c::-2001:db8:3c::3c:1,
+ 2001:db8::/61 . 2001:db8:3d::-2001:db8:3d::3d:1,
+ 2001:db8::/62 . 2001:db8:3e::-2001:db8:3e::3e:1,
+ 2001:db8::/63 . 2001:db8:3f::-2001:db8:3f::3f:1,
+ 2001:db8::/64 . 2001:db8:40::-2001:db8:40::40:1,
+ 2001:db8::/65 . 2001:db8:41::-2001:db8:41::41:1,
+ 2001:db8::/66 . 2001:db8:42::-2001:db8:42::42:1,
+ 2001:db8::/67 . 2001:db8:43::-2001:db8:43::43:1,
+ 2001:db8::/68 . 2001:db8:44::-2001:db8:44::44:1,
+ 2001:db8::/69 . 2001:db8:45::-2001:db8:45::45:1,
+ 2001:db8::/70 . 2001:db8:46::-2001:db8:46::46:1,
+ 2001:db8::/71 . 2001:db8:47::-2001:db8:47::47:1,
+ 2001:db8::/72 . 2001:db8:48::-2001:db8:48::48:1,
+ 2001:db8::/73 . 2001:db8:49::-2001:db8:49::49:1,
+ 2001:db8::/74 . 2001:db8:4a::-2001:db8:4a::4a:1,
+ 2001:db8::/75 . 2001:db8:4b::-2001:db8:4b::4b:1,
+ 2001:db8::/76 . 2001:db8:4c::-2001:db8:4c::4c:1,
+ 2001:db8::/77 . 2001:db8:4d::-2001:db8:4d::4d:1,
+ 2001:db8::/78 . 2001:db8:4e::-2001:db8:4e::4e:1,
+ 2001:db8::/79 . 2001:db8:4f::-2001:db8:4f::4f:1,
+ 2001:db8::/80 . 2001:db8:50::-2001:db8:50::50:1,
+ 2001:db8::/81 . 2001:db8:51::-2001:db8:51::51:1,
+ 2001:db8::/82 . 2001:db8:52::-2001:db8:52::52:1,
+ 2001:db8::/83 . 2001:db8:53::-2001:db8:53::53:1,
+ 2001:db8::/84 . 2001:db8:54::-2001:db8:54::54:1,
+ 2001:db8::/85 . 2001:db8:55::-2001:db8:55::55:1,
+ 2001:db8::/86 . 2001:db8:56::-2001:db8:56::56:1,
+ 2001:db8::/87 . 2001:db8:57::-2001:db8:57::57:1,
+ 2001:db8::/88 . 2001:db8:58::-2001:db8:58::58:1,
+ 2001:db8::/89 . 2001:db8:59::-2001:db8:59::59:1,
+ 2001:db8::/90 . 2001:db8:5a::-2001:db8:5a::5a:1,
+ 2001:db8::/91 . 2001:db8:5b::-2001:db8:5b::5b:1,
+ 2001:db8::/92 . 2001:db8:5c::-2001:db8:5c::5c:1,
+ 2001:db8::/93 . 2001:db8:5d::-2001:db8:5d::5d:1,
+ 2001:db8::/94 . 2001:db8:5e::-2001:db8:5e::5e:1,
+ 2001:db8::/95 . 2001:db8:5f::-2001:db8:5f::5f:1,
+ 2001:db8::/96 . 2001:db8:60::-2001:db8:60::60:1,
+ 2001:db8::/97 . 2001:db8:61::-2001:db8:61::61:1,
+ 2001:db8::/98 . 2001:db8:62::-2001:db8:62::62:1,
+ 2001:db8::/99 . 2001:db8:63::-2001:db8:63::63:1,
+ 2001:db8::/100 . 2001:db8:64::-2001:db8:64::64:1,
+ 2001:db8::/101 . 2001:db8:65::-2001:db8:65::65:1,
+ 2001:db8::/102 . 2001:db8:66::-2001:db8:66::66:1,
+ 2001:db8::/103 . 2001:db8:67::-2001:db8:67::67:1,
+ 2001:db8::/104 . 2001:db8:68::-2001:db8:68::68:1,
+ 2001:db8::/105 . 2001:db8:69::-2001:db8:69::69:1,
+ 2001:db8::/106 . 2001:db8:6a::-2001:db8:6a::6a:1,
+ 2001:db8::/107 . 2001:db8:6b::-2001:db8:6b::6b:1,
+ 2001:db8::/108 . 2001:db8:6c::-2001:db8:6c::6c:1,
+ 2001:db8::/109 . 2001:db8:6d::-2001:db8:6d::6d:1,
+ 2001:db8::/110 . 2001:db8:6e::-2001:db8:6e::6e:1,
+ 2001:db8::/111 . 2001:db8:6f::-2001:db8:6f::6f:1,
+ 2001:db8::/112 . 2001:db8:70::-2001:db8:70::70:1,
+ 2001:db8::/113 . 2001:db8:71::-2001:db8:71::71:1,
+ 2001:db8::/114 . 2001:db8:72::-2001:db8:72::72:1,
+ 2001:db8::/115 . 2001:db8:73::-2001:db8:73::73:1,
+ 2001:db8::/116 . 2001:db8:74::-2001:db8:74::74:1,
+ 2001:db8::/117 . 2001:db8:75::-2001:db8:75::75:1,
+ 2001:db8::/118 . 2001:db8:76::-2001:db8:76::76:1,
+ 2001:db8::/119 . 2001:db8:77::-2001:db8:77::77:1,
+ 2001:db8::/120 . 2001:db8:78::-2001:db8:78::78:1,
+ 2001:db8::/121 . 2001:db8:79::-2001:db8:79::79:1,
+ 2001:db8::/122 . 2001:db8:7a::-2001:db8:7a::7a:1,
+ 2001:db8::/123 . 2001:db8:7b::-2001:db8:7b::7b:1,
+ 2001:db8::/124 . 2001:db8:7c::-2001:db8:7c::7c:1,
+ 2001:db8::/125 . 2001:db8:7d::-2001:db8:7d::7d:1,
+ 2001:db8::/126 . 2001:db8:7e::-2001:db8:7e::7e:1,
+ 2001:db8::/127 . 2001:db8:7f::-2001:db8:7f::7f:1 }
+ }
+}
+table ip t {
+ set s {
+ type ipv4_addr . ipv4_addr
+ flags interval
+ elements = { 192.0.2.0/24 . 192.0.2.72-192.0.2.74,
+ 192.0.2.0/25 . 192.0.2.75-192.0.2.77,
+ 192.0.2.0/26 . 192.0.2.78-192.0.2.80,
+ 192.0.2.0/27 . 192.0.2.81-192.0.2.83,
+ 192.0.2.0/28 . 192.0.2.84-192.0.2.86,
+ 192.0.2.0/29 . 192.0.2.87-192.0.2.89,
+ 192.0.2.0/30 . 192.0.2.90-192.0.2.92,
+ 192.0.2.0/31 . 192.0.2.93-192.0.2.95 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft
new file mode 100644
index 00000000..f4aae383
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft
@@ -0,0 +1,529 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "inet_service",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ 25,
+ 30,
+ 82,
+ 119,
+ 349,
+ 745,
+ 748,
+ 1165,
+ 1233,
+ 1476,
+ 1550,
+ 1562,
+ 1743,
+ 1745,
+ 1882,
+ 2070,
+ 2194,
+ 2238,
+ 2450,
+ 2455,
+ 2642,
+ 2671,
+ 2906,
+ 3093,
+ 3203,
+ 3287,
+ 3348,
+ 3411,
+ 3540,
+ 3892,
+ 3943,
+ 4133,
+ 4205,
+ 4317,
+ 4733,
+ 5095,
+ 5156,
+ 5223,
+ 5230,
+ 5432,
+ 5826,
+ 5828,
+ 6044,
+ 6377,
+ 6388,
+ 6491,
+ 6952,
+ 6986,
+ 7012,
+ 7187,
+ 7300,
+ 7305,
+ 7549,
+ 7664,
+ 8111,
+ 8206,
+ 8396,
+ 8782,
+ 8920,
+ 8981,
+ 9067,
+ 9216,
+ 9245,
+ 9315,
+ 9432,
+ 9587,
+ 9689,
+ 9844,
+ 9991,
+ 10045,
+ 10252,
+ 10328,
+ 10670,
+ 10907,
+ 11021,
+ 11337,
+ 11427,
+ 11497,
+ 11502,
+ 11523,
+ 11552,
+ 11577,
+ 11721,
+ 11943,
+ 12474,
+ 12718,
+ 12764,
+ 12794,
+ 12922,
+ 13186,
+ 13232,
+ 13383,
+ 13431,
+ 13551,
+ 13676,
+ 13685,
+ 13747,
+ 13925,
+ 13935,
+ 14015,
+ 14090,
+ 14320,
+ 14392,
+ 14515,
+ 14647,
+ 14911,
+ 15096,
+ 15105,
+ 15154,
+ 15440,
+ 15583,
+ 15623,
+ 15677,
+ 15710,
+ 15926,
+ 15934,
+ 15960,
+ 16068,
+ 16166,
+ 16486,
+ 16489,
+ 16528,
+ 16646,
+ 16650,
+ 16770,
+ 16882,
+ 17052,
+ 17237,
+ 17387,
+ 17431,
+ 17886,
+ 17939,
+ 17999,
+ 18092,
+ 18123,
+ 18238,
+ 18562,
+ 18698,
+ 19004,
+ 19229,
+ 19237,
+ 19585,
+ 19879,
+ 19938,
+ 19950,
+ 19958,
+ 20031,
+ 20138,
+ 20157,
+ 20205,
+ 20368,
+ 20682,
+ 20687,
+ 20873,
+ 20910,
+ 20919,
+ 21019,
+ 21068,
+ 21115,
+ 21188,
+ 21236,
+ 21319,
+ 21563,
+ 21734,
+ 21806,
+ 21810,
+ 21959,
+ 21982,
+ 22078,
+ 22181,
+ 22308,
+ 22480,
+ 22643,
+ 22854,
+ 22879,
+ 22961,
+ 23397,
+ 23534,
+ 23845,
+ 23893,
+ 24130,
+ 24406,
+ 24794,
+ 24997,
+ 25019,
+ 25143,
+ 25179,
+ 25439,
+ 25603,
+ 25718,
+ 25859,
+ 25949,
+ 26006,
+ 26022,
+ 26047,
+ 26170,
+ 26193,
+ 26725,
+ 26747,
+ 26924,
+ 27023,
+ 27040,
+ 27233,
+ 27344,
+ 27478,
+ 27593,
+ 27600,
+ 27664,
+ 27678,
+ 27818,
+ 27822,
+ 28003,
+ 28038,
+ 28709,
+ 28808,
+ 29010,
+ 29057,
+ 29228,
+ 29485,
+ 30132,
+ 30160,
+ 30415,
+ 30469,
+ 30673,
+ 30736,
+ 30776,
+ 30780,
+ 31450,
+ 31537,
+ 31669,
+ 31839,
+ 31873,
+ 32019,
+ 32229,
+ 32685,
+ 32879,
+ 33318,
+ 33337,
+ 33404,
+ 33517,
+ 33906,
+ 34214,
+ 34346,
+ 34416,
+ 34727,
+ 34848,
+ 35325,
+ 35400,
+ 35451,
+ 35501,
+ 35637,
+ 35653,
+ 35710,
+ 35761,
+ 35767,
+ 36238,
+ 36258,
+ 36279,
+ 36464,
+ 36586,
+ 36603,
+ 36770,
+ 36774,
+ 36805,
+ 36851,
+ 37079,
+ 37189,
+ 37209,
+ 37565,
+ 37570,
+ 37585,
+ 37832,
+ 37931,
+ 37954,
+ 38006,
+ 38015,
+ 38045,
+ 38109,
+ 38114,
+ 38200,
+ 38209,
+ 38214,
+ 38277,
+ 38306,
+ 38402,
+ 38606,
+ 38697,
+ 38960,
+ 39004,
+ 39006,
+ 39197,
+ 39217,
+ 39265,
+ 39319,
+ 39460,
+ 39550,
+ 39615,
+ 39871,
+ 39886,
+ 40088,
+ 40135,
+ 40244,
+ 40323,
+ 40339,
+ 40355,
+ 40385,
+ 40428,
+ 40538,
+ 40791,
+ 40848,
+ 40959,
+ 41003,
+ 41131,
+ 41349,
+ 41643,
+ 41710,
+ 41826,
+ 41904,
+ 42027,
+ 42148,
+ 42235,
+ 42255,
+ 42498,
+ 42680,
+ 42973,
+ 43118,
+ 43135,
+ 43233,
+ 43349,
+ 43411,
+ 43487,
+ 43840,
+ 43843,
+ 43870,
+ 44040,
+ 44204,
+ 44817,
+ 44883,
+ 44894,
+ 44958,
+ 45201,
+ 45259,
+ 45283,
+ 45357,
+ 45423,
+ 45473,
+ 45498,
+ 45519,
+ 45561,
+ 45611,
+ 45627,
+ 45831,
+ 46043,
+ 46105,
+ 46116,
+ 46147,
+ 46169,
+ 46349,
+ 47147,
+ 47252,
+ 47314,
+ 47335,
+ 47360,
+ 47546,
+ 47617,
+ 47648,
+ 47772,
+ 47793,
+ 47846,
+ 47913,
+ 47952,
+ 48095,
+ 48325,
+ 48334,
+ 48412,
+ 48419,
+ 48540,
+ 48569,
+ 48628,
+ 48751,
+ 48944,
+ 48971,
+ 49008,
+ 49025,
+ 49503,
+ 49505,
+ 49613,
+ 49767,
+ 49839,
+ 49925,
+ 50022,
+ 50028,
+ 50238,
+ 51057,
+ 51477,
+ 51617,
+ 51910,
+ 52044,
+ 52482,
+ 52550,
+ 52643,
+ 52832,
+ 53382,
+ 53690,
+ 53809,
+ 53858,
+ 54001,
+ 54198,
+ 54280,
+ 54327,
+ 54376,
+ 54609,
+ 54776,
+ 54983,
+ 54984,
+ 55019,
+ 55038,
+ 55094,
+ 55368,
+ 55737,
+ 55793,
+ 55904,
+ 55941,
+ 55960,
+ 55978,
+ 56063,
+ 56121,
+ 56314,
+ 56505,
+ 56548,
+ 56568,
+ 56696,
+ 56798,
+ 56855,
+ 57102,
+ 57236,
+ 57333,
+ 57334,
+ 57441,
+ 57574,
+ 57659,
+ 57987,
+ 58325,
+ 58404,
+ 58509,
+ 58782,
+ 58876,
+ 59116,
+ 59544,
+ 59685,
+ 59700,
+ 59750,
+ 59799,
+ 59866,
+ 59870,
+ 59894,
+ 59984,
+ 60343,
+ 60481,
+ 60564,
+ 60731,
+ 61075,
+ 61087,
+ 61148,
+ 61174,
+ 61655,
+ 61679,
+ 61691,
+ 61723,
+ 61730,
+ 61758,
+ 61824,
+ 62035,
+ 62056,
+ 62661,
+ 62768,
+ 62946,
+ 63059,
+ 63116,
+ 63338,
+ 63387,
+ 63672,
+ 63719,
+ 63881,
+ 63995,
+ 64197,
+ 64374,
+ 64377,
+ 64472,
+ 64606,
+ 64662,
+ 64777,
+ 64795,
+ 64906,
+ 65049,
+ 65122,
+ 65318
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft
new file mode 100644
index 00000000..5b249a3e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft
@@ -0,0 +1,106 @@
+table ip t {
+ set s {
+ type inet_service
+ flags interval
+ elements = { 25, 30, 82, 119, 349,
+ 745, 748, 1165, 1233, 1476,
+ 1550, 1562, 1743, 1745, 1882,
+ 2070, 2194, 2238, 2450, 2455,
+ 2642, 2671, 2906, 3093, 3203,
+ 3287, 3348, 3411, 3540, 3892,
+ 3943, 4133, 4205, 4317, 4733,
+ 5095, 5156, 5223, 5230, 5432,
+ 5826, 5828, 6044, 6377, 6388,
+ 6491, 6952, 6986, 7012, 7187,
+ 7300, 7305, 7549, 7664, 8111,
+ 8206, 8396, 8782, 8920, 8981,
+ 9067, 9216, 9245, 9315, 9432,
+ 9587, 9689, 9844, 9991, 10045,
+ 10252, 10328, 10670, 10907, 11021,
+ 11337, 11427, 11497, 11502, 11523,
+ 11552, 11577, 11721, 11943, 12474,
+ 12718, 12764, 12794, 12922, 13186,
+ 13232, 13383, 13431, 13551, 13676,
+ 13685, 13747, 13925, 13935, 14015,
+ 14090, 14320, 14392, 14515, 14647,
+ 14911, 15096, 15105, 15154, 15440,
+ 15583, 15623, 15677, 15710, 15926,
+ 15934, 15960, 16068, 16166, 16486,
+ 16489, 16528, 16646, 16650, 16770,
+ 16882, 17052, 17237, 17387, 17431,
+ 17886, 17939, 17999, 18092, 18123,
+ 18238, 18562, 18698, 19004, 19229,
+ 19237, 19585, 19879, 19938, 19950,
+ 19958, 20031, 20138, 20157, 20205,
+ 20368, 20682, 20687, 20873, 20910,
+ 20919, 21019, 21068, 21115, 21188,
+ 21236, 21319, 21563, 21734, 21806,
+ 21810, 21959, 21982, 22078, 22181,
+ 22308, 22480, 22643, 22854, 22879,
+ 22961, 23397, 23534, 23845, 23893,
+ 24130, 24406, 24794, 24997, 25019,
+ 25143, 25179, 25439, 25603, 25718,
+ 25859, 25949, 26006, 26022, 26047,
+ 26170, 26193, 26725, 26747, 26924,
+ 27023, 27040, 27233, 27344, 27478,
+ 27593, 27600, 27664, 27678, 27818,
+ 27822, 28003, 28038, 28709, 28808,
+ 29010, 29057, 29228, 29485, 30132,
+ 30160, 30415, 30469, 30673, 30736,
+ 30776, 30780, 31450, 31537, 31669,
+ 31839, 31873, 32019, 32229, 32685,
+ 32879, 33318, 33337, 33404, 33517,
+ 33906, 34214, 34346, 34416, 34727,
+ 34848, 35325, 35400, 35451, 35501,
+ 35637, 35653, 35710, 35761, 35767,
+ 36238, 36258, 36279, 36464, 36586,
+ 36603, 36770, 36774, 36805, 36851,
+ 37079, 37189, 37209, 37565, 37570,
+ 37585, 37832, 37931, 37954, 38006,
+ 38015, 38045, 38109, 38114, 38200,
+ 38209, 38214, 38277, 38306, 38402,
+ 38606, 38697, 38960, 39004, 39006,
+ 39197, 39217, 39265, 39319, 39460,
+ 39550, 39615, 39871, 39886, 40088,
+ 40135, 40244, 40323, 40339, 40355,
+ 40385, 40428, 40538, 40791, 40848,
+ 40959, 41003, 41131, 41349, 41643,
+ 41710, 41826, 41904, 42027, 42148,
+ 42235, 42255, 42498, 42680, 42973,
+ 43118, 43135, 43233, 43349, 43411,
+ 43487, 43840, 43843, 43870, 44040,
+ 44204, 44817, 44883, 44894, 44958,
+ 45201, 45259, 45283, 45357, 45423,
+ 45473, 45498, 45519, 45561, 45611,
+ 45627, 45831, 46043, 46105, 46116,
+ 46147, 46169, 46349, 47147, 47252,
+ 47314, 47335, 47360, 47546, 47617,
+ 47648, 47772, 47793, 47846, 47913,
+ 47952, 48095, 48325, 48334, 48412,
+ 48419, 48540, 48569, 48628, 48751,
+ 48944, 48971, 49008, 49025, 49503,
+ 49505, 49613, 49767, 49839, 49925,
+ 50022, 50028, 50238, 51057, 51477,
+ 51617, 51910, 52044, 52482, 52550,
+ 52643, 52832, 53382, 53690, 53809,
+ 53858, 54001, 54198, 54280, 54327,
+ 54376, 54609, 54776, 54983, 54984,
+ 55019, 55038, 55094, 55368, 55737,
+ 55793, 55904, 55941, 55960, 55978,
+ 56063, 56121, 56314, 56505, 56548,
+ 56568, 56696, 56798, 56855, 57102,
+ 57236, 57333, 57334, 57441, 57574,
+ 57659, 57987, 58325, 58404, 58509,
+ 58782, 58876, 59116, 59544, 59685,
+ 59700, 59750, 59799, 59866, 59870,
+ 59894, 59984, 60343, 60481, 60564,
+ 60731, 61075, 61087, 61148, 61174,
+ 61655, 61679, 61691, 61723, 61730,
+ 61758, 61824, 62035, 62056, 62661,
+ 62768, 62946, 63059, 63116, 63338,
+ 63387, 63672, 63719, 63881, 63995,
+ 64197, 64374, 64377, 64472, 64606,
+ 64662, 64777, 64795, 64906, 65049,
+ 65122, 65318 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft
new file mode 100644
index 00000000..8473c333
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft
@@ -0,0 +1,95 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s",
+ "table": "t",
+ "type": [
+ "ipv4_addr",
+ "inet_service"
+ ],
+ "handle": 0,
+ "size": 65536,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ],
+ "elem": [
+ {
+ "concat": [
+ "192.168.7.1",
+ 22
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 21
+ }
+ },
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "elem": {
+ "val": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ 22
+ ]
+ },
+ "timeout": 60
+ }
+ },
+ "set": "@s"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft
new file mode 100644
index 00000000..55f1a2ad
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft
@@ -0,0 +1,167 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "nat",
+ "hook": "postrouting",
+ "prio": 100,
+ "policy": "accept"
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "snat": {
+ "family": "ip",
+ "addr": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ {
+ "prefix": {
+ "addr": "10.141.11.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "192.168.2.0",
+ "len": 24
+ }
+ }
+ ],
+ [
+ {
+ "prefix": {
+ "addr": "10.141.12.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "192.168.3.0",
+ "len": 24
+ }
+ }
+ ],
+ [
+ {
+ "prefix": {
+ "addr": "10.141.13.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "192.168.4.0",
+ "len": 24
+ }
+ }
+ ]
+ ]
+ }
+ }
+ },
+ "flags": "netmap",
+ "type_flags": "prefix"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "table": {
+ "family": "ip6",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip6",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "nat",
+ "hook": "postrouting",
+ "prio": 100,
+ "policy": "accept"
+ }
+ },
+ {
+ "rule": {
+ "family": "ip6",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "snat": {
+ "family": "ip6",
+ "addr": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ {
+ "prefix": {
+ "addr": "2001:db8:1111::",
+ "len": 64
+ }
+ },
+ {
+ "prefix": {
+ "addr": "2001:db8:2222::",
+ "len": 64
+ }
+ }
+ ]
+ ]
+ }
+ }
+ },
+ "flags": "netmap",
+ "type_flags": "prefix"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.nft b/tests/shell/testcases/sets/dumps/0046netmap_0.nft
index e14c3395..5ac6b346 100644
--- a/tests/shell/testcases/sets/dumps/0046netmap_0.nft
+++ b/tests/shell/testcases/sets/dumps/0046netmap_0.nft
@@ -4,3 +4,9 @@ table ip x {
snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.0/24 : 192.168.3.0/24, 10.141.13.0/24 : 192.168.4.0/24 }
}
}
+table ip6 x {
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft
index e7968054..9fa9fc74 100644
--- a/tests/shell/testcases/sets/dumps/0047nat_0.nft
+++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft
@@ -6,8 +6,25 @@ table ip x {
10.141.12.0/24 : 192.168.5.10-192.168.5.20 }
}
+ chain x {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+
chain y {
type nat hook postrouting priority srcnat; policy accept;
snat ip to ip saddr map @y
}
}
+table inet x {
+ chain x {
+ type nat hook prerouting priority dstnat; policy accept;
+ dnat ip to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 }
+ }
+
+ chain y {
+ type nat hook postrouting priority srcnat; policy accept;
+ snat ip to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft
new file mode 100644
index 00000000..62a6a177
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft
@@ -0,0 +1,95 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "z",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ {
+ "elem": {
+ "val": "192.168.10.35",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "elem": {
+ "val": "192.168.10.101",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "elem": {
+ "val": "192.168.10.135",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ }
+ ],
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "z",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "@y"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft
new file mode 100644
index 00000000..f8495bab
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft
@@ -0,0 +1,94 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "ip-block-4-test",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "auto-merge": true,
+ "elem": [
+ "1.1.1.1"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": {
+ "set": [
+ 22,
+ 80,
+ 443
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "in",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": "new"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
index 998b387a..d654420c 100644
--- a/tests/shell/testcases/sets/dumps/0049set_define_0.nft
+++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
@@ -1,4 +1,11 @@
table inet filter {
+ set ip-block-4-test {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ elements = { 1.1.1.1 }
+ }
+
chain input {
type filter hook input priority filter; policy drop;
tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept
diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.nft b/tests/shell/testcases/sets/dumps/0050set_define_1.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0050set_define_1.nft
diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft
new file mode 100644
index 00000000..b468b5f9
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft
@@ -0,0 +1,85 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "elem": {
+ "val": {
+ "prefix": {
+ "addr": "192.168.2.0",
+ "len": 24
+ }
+ },
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ }
+ ],
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "@s"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft
new file mode 100644
index 00000000..96d5fbcc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft
@@ -0,0 +1,35 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "w_all",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "auto-merge": true,
+ "elem": [
+ "10.10.10.10",
+ "10.10.10.253"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.json-nft b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft
new file mode 100644
index 00000000..12a5c4b4
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft
@@ -0,0 +1,101 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "lo"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "10.0.0.0",
+ "len": 8
+ }
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "192.168.100.62"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 2001
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft
new file mode 100644
index 00000000..3fd6d37e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft
@@ -0,0 +1,45 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "comment": "test",
+ "flags": [
+ "interval"
+ ]
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "m",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "comment": "another test",
+ "map": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft
new file mode 100644
index 00000000..e37139f3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft
@@ -0,0 +1,138 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "tcp_good_flags",
+ "table": "test",
+ "type": "tcp_flag",
+ "handle": 0,
+ "flags": [
+ "constant"
+ ],
+ "elem": [
+ {
+ "|": [
+ "fin",
+ "ack"
+ ]
+ },
+ {
+ "|": [
+ "fin",
+ "ack",
+ "urg"
+ ]
+ },
+ {
+ "|": [
+ "fin",
+ "psh",
+ "ack"
+ ]
+ },
+ {
+ "|": [
+ "fin",
+ "psh",
+ "ack",
+ "urg"
+ ]
+ },
+ "syn",
+ {
+ "|": [
+ "syn",
+ "ack"
+ ]
+ },
+ {
+ "|": [
+ "syn",
+ "ack",
+ "urg"
+ ]
+ },
+ {
+ "|": [
+ "syn",
+ "psh",
+ "ack"
+ ]
+ },
+ {
+ "|": [
+ "syn",
+ "psh",
+ "ack",
+ "urg"
+ ]
+ },
+ "rst",
+ {
+ "|": [
+ "rst",
+ "ack"
+ ]
+ },
+ {
+ "|": [
+ "rst",
+ "ack",
+ "urg"
+ ]
+ },
+ {
+ "|": [
+ "rst",
+ "psh",
+ "ack"
+ ]
+ },
+ {
+ "|": [
+ "rst",
+ "psh",
+ "ack",
+ "urg"
+ ]
+ },
+ {
+ "|": [
+ "psh",
+ "ack"
+ ]
+ },
+ {
+ "|": [
+ "psh",
+ "ack",
+ "urg"
+ ]
+ },
+ "ack",
+ {
+ "|": [
+ "ack",
+ "urg"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft
index ffed5426..22bf5c46 100644
--- a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft
+++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft
@@ -2,9 +2,9 @@ table ip test {
set tcp_good_flags {
type tcp_flag
flags constant
- elements = { fin | psh | ack | urg, fin | psh | ack, fin | ack | urg, fin | ack, syn | psh | ack | urg,
- syn | psh | ack, syn | ack | urg, syn | ack, syn, rst | psh | ack | urg,
- rst | psh | ack, rst | ack | urg, rst | ack, rst, psh | ack | urg,
- psh | ack, ack | urg, ack }
+ elements = { fin | ack, fin | ack | urg, fin | psh | ack, fin | psh | ack | urg, syn,
+ syn | ack, syn | ack | urg, syn | psh | ack, syn | psh | ack | urg, rst,
+ rst | ack, rst | ack | urg, rst | psh | ack, rst | psh | ack | urg, psh | ack,
+ psh | ack | urg, ack, ack | urg }
}
}
diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft
diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft
new file mode 100644
index 00000000..79d7257e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft
@@ -0,0 +1,31 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "test",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "elem": [
+ "1.1.1.1"
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft
new file mode 100644
index 00000000..de43d565
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft
@@ -0,0 +1,7 @@
+table inet filter {
+ set test {
+ type ipv4_addr
+ size 65535
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft
new file mode 100644
index 00000000..ac8d8bef
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft
@@ -0,0 +1,68 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "ssh_meter",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ],
+ "timeout": 2592000
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "test",
+ "handle": 0,
+ "expr": [
+ {
+ "set": {
+ "op": "add",
+ "elem": {
+ "elem": {
+ "val": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "timeout": 2592000
+ }
+ },
+ "set": "@ssh_meter"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft
new file mode 100644
index 00000000..16ecdb2a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft
@@ -0,0 +1,79 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "z",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ],
+ "timeout": 3600
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "z",
+ "handle": 0,
+ "expr": [
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "set": "@y",
+ "stmt": [
+ {
+ "limit": {
+ "rate": 1,
+ "burst": 5,
+ "per": "second"
+ }
+ },
+ {
+ "counter": null
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
index 1b0ffae4..c1cc3b51 100644
--- a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
+++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
@@ -8,6 +8,6 @@ table ip x {
chain z {
type filter hook output priority filter; policy accept;
- update @y { ip daddr limit rate 1/second counter }
+ update @y { ip daddr limit rate 1/second burst 5 packets counter }
}
}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft
new file mode 100644
index 00000000..1aede147
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft
@@ -0,0 +1,105 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ {
+ "elem": {
+ "val": "1.1.1.1",
+ "limit": {
+ "rate": 1,
+ "burst": 5,
+ "per": "second"
+ }
+ }
+ },
+ {
+ "elem": {
+ "val": "4.4.4.4",
+ "limit": {
+ "rate": 1,
+ "burst": 5,
+ "per": "second"
+ }
+ }
+ },
+ {
+ "elem": {
+ "val": "5.5.5.5",
+ "limit": {
+ "rate": 1,
+ "burst": 5,
+ "per": "second"
+ }
+ }
+ }
+ ],
+ "stmt": [
+ {
+ "limit": {
+ "rate": 1,
+ "burst": 5,
+ "per": "second"
+ }
+ },
+ {
+ "counter": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "@y"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
index f23db534..df68fcdf 100644
--- a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
@@ -1,9 +1,9 @@
table ip x {
set y {
type ipv4_addr
- limit rate 1/second counter
- elements = { 1.1.1.1 limit rate 1/second counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second counter packets 0 bytes 0,
- 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 }
+ limit rate 1/second burst 5 packets counter
+ elements = { 1.1.1.1 limit rate 1/second burst 5 packets counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second burst 5 packets counter packets 0 bytes 0,
+ 5.5.5.5 limit rate 1/second burst 5 packets counter packets 0 bytes 0 }
}
chain y {
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft
new file mode 100644
index 00000000..6098dc56
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft
@@ -0,0 +1,105 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ],
+ "elem": [
+ {
+ "elem": {
+ "val": "1.1.1.1",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "elem": {
+ "val": "1.2.3.4",
+ "counter": {
+ "packets": 9,
+ "bytes": 756
+ }
+ }
+ },
+ {
+ "elem": {
+ "val": "2.2.2.2",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ }
+ ],
+ "stmt": [
+ {
+ "counter": null
+ },
+ {
+ "quota": {
+ "val": 500,
+ "val_unit": "bytes"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "set": "@y"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft
new file mode 100644
index 00000000..ac1bd26b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft
@@ -0,0 +1,15 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ counter quota 500 bytes
+ elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes,
+ 2.2.2.2 counter packets 0 bytes 0 quota 1000 bytes }
+ }
+
+ chain y {
+ type filter hook output priority filter; policy accept;
+ update @y { ip daddr }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft
new file mode 100644
index 00000000..c5591505
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft
@@ -0,0 +1,57 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "set": [
+ {
+ "range": [
+ "1.1.1.1",
+ "1.1.1.2"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft
new file mode 100644
index 00000000..c5e60e36
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft
@@ -0,0 +1,52 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "est-connlimit",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "new-connlimit",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ],
+ "stmt": [
+ {
+ "ct count": {
+ "val": 20,
+ "inv": true
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft
new file mode 100644
index 00000000..13bbb953
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft
@@ -0,0 +1,14 @@
+table ip x {
+ set est-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ set new-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ ct count over 20
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft
new file mode 100644
index 00000000..3006f75a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft
@@ -0,0 +1,94 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "elem": [
+ {
+ "elem": {
+ "val": "1.1.1.1",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "elem": {
+ "val": "*",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ }
+ ],
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "z",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "elem": {
+ "val": {
+ "prefix": {
+ "addr": "1.1.1.0",
+ "len": 24
+ }
+ },
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "elem": {
+ "val": "*",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ }
+ ],
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft
new file mode 100644
index 00000000..64dd2667
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft
@@ -0,0 +1,220 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "ipv4_addr",
+ "elem": [
+ [
+ "10.141.0.1",
+ "192.168.0.2"
+ ],
+ [
+ "*",
+ "192.168.0.4"
+ ]
+ ]
+ }
+ },
+ {
+ "map": {
+ "family": "ip",
+ "name": "z",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "ipv4_addr",
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ [
+ {
+ "prefix": {
+ "addr": "10.141.0.0",
+ "len": 24
+ }
+ },
+ "192.168.0.2"
+ ],
+ [
+ "*",
+ "192.168.0.3"
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "snat": {
+ "addr": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": "@z"
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "snat": {
+ "addr": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ {
+ "prefix": {
+ "addr": "10.141.0.0",
+ "len": 24
+ }
+ },
+ "192.168.0.2"
+ ],
+ [
+ "*",
+ "192.168.0.3"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "snat": {
+ "addr": {
+ "map": {
+ "key": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ }
+ ]
+ },
+ "data": {
+ "set": [
+ [
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "10.141.0.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "10.0.0.0",
+ "len": 8
+ }
+ }
+ ]
+ },
+ "192.168.0.2"
+ ],
+ [
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "192.168.9.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "192.168.10.0",
+ "len": 24
+ }
+ }
+ ]
+ },
+ "192.168.0.4"
+ ],
+ [
+ "*",
+ "192.168.0.3"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft
new file mode 100644
index 00000000..f470adf3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft
@@ -0,0 +1,78 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "foo",
+ "handle": 0
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "foo",
+ "handle": 0,
+ "expr": [
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "foo",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "icmp",
+ "field": "type"
+ }
+ },
+ "right": {
+ "set": [
+ "echo-reply",
+ "echo-request"
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "icmp",
+ "field": "id"
+ }
+ },
+ "right": 42
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft
new file mode 100644
index 00000000..461c7a73
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft
@@ -0,0 +1,6 @@
+table ip x {
+ chain foo {
+ accept
+ icmp type { echo-reply, echo-request } icmp id 42
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
index 3226da15..9ac3774a 100644
--- a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
+++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
@@ -1,10 +1,4 @@
table ip nat {
- map ipportmap {
- type ipv4_addr : interval ipv4_addr . inet_service
- flags interval
- elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
- }
-
map ipportmap2 {
type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
flags interval
@@ -17,10 +11,25 @@ table ip nat {
elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
}
+ map ipportmap4 {
+ typeof iifname . ip saddr : interval ip daddr
+ flags interval
+ elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69/32,
+ "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+
+ map ipportmap5 {
+ typeof iifname . ip saddr : interval ip daddr . tcp dport
+ flags interval
+ elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22,
+ "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ }
+
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
- ip protocol tcp dnat ip to ip saddr map @ipportmap
ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th
+ dnat ip to iifname . ip saddr map @ipportmap4
+ meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5
}
}
diff --git a/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft
new file mode 100644
index 00000000..b6d07fcd
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft
@@ -0,0 +1,12 @@
+table ip nat {
+ map ipportmap {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr map @ipportmap
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft
new file mode 100644
index 00000000..d7b32f8c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft
@@ -0,0 +1,51 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "auto-merge": true,
+ "elem": [
+ {
+ "range": [
+ "1.2.3.0",
+ "1.2.4.255"
+ ]
+ },
+ {
+ "range": [
+ "3.3.3.3",
+ "3.3.3.6"
+ ]
+ },
+ {
+ "range": [
+ "4.4.4.0",
+ "4.4.5.0"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
new file mode 100644
index 00000000..0057e9c6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
@@ -0,0 +1,28 @@
+table netdev nt {
+ set vlanidset {
+ typeof vlan id
+ size 1024
+ flags dynamic,timeout
+ }
+
+ set macset {
+ typeof ether saddr . vlan id
+ size 1024
+ flags dynamic,timeout
+ }
+
+ set ipset {
+ typeof vlan id . ip saddr
+ size 1024
+ flags dynamic,timeout
+ }
+
+ chain nc {
+ update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0
+ ether saddr . vlan id @macset
+ vlan pcp 1
+ ether saddr 0a:0b:0c:0d:0e:0f vlan id 42
+ update @vlanidset { vlan id timeout 5s } counter packets 0 bytes 0
+ update @ipset { vlan id . ip saddr timeout 5s } counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft
new file mode 100644
index 00000000..6b579a2e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft
@@ -0,0 +1,128 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s1",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.0.0.0",
+ "len": 8
+ }
+ },
+ {
+ "prefix": {
+ "addr": "192.0.0.0",
+ "len": 2
+ }
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "s2",
+ "table": "t",
+ "type": "ipv6_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fe80::",
+ "len": 10
+ }
+ },
+ {
+ "prefix": {
+ "addr": "ff00::",
+ "len": 8
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@s1"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "daddr"
+ }
+ },
+ "right": "@s2"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft
new file mode 100644
index 00000000..4eed94c2
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft
@@ -0,0 +1,19 @@
+table inet t {
+ set s1 {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.0/8, 192.0.0.0/2 }
+ }
+
+ set s2 {
+ type ipv6_addr
+ flags interval
+ elements = { fe80::/10,
+ ff00::/8 }
+ }
+
+ chain c {
+ ip saddr @s1 accept
+ ip6 daddr @s2 accept
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft
new file mode 100644
index 00000000..15ec0aac
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft
@@ -0,0 +1,18 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.nft b/tests/shell/testcases/sets/dumps/0072destroy_0.nft
new file mode 100644
index 00000000..5d4d2caf
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0072destroy_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft
new file mode 100644
index 00000000..e2fb6214
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft
@@ -0,0 +1,52 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "TEST",
+ "table": "filter",
+ "handle": 0,
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "testmap",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "counter",
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ [
+ {
+ "prefix": {
+ "addr": "192.168.0.0",
+ "len": 24
+ }
+ },
+ "TEST"
+ ]
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft
new file mode 100644
index 00000000..20f53741
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft
@@ -0,0 +1,11 @@
+table inet filter {
+ counter TEST {
+ packets 0 bytes 0
+ }
+
+ map testmap {
+ type ipv4_addr : counter
+ flags interval
+ elements = { 192.168.0.0/24 : "TEST" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft
new file mode 100644
index 00000000..e2fb6214
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft
@@ -0,0 +1,52 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "TEST",
+ "table": "filter",
+ "handle": 0,
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "testmap",
+ "table": "filter",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "map": "counter",
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ [
+ {
+ "prefix": {
+ "addr": "192.168.0.0",
+ "len": 24
+ }
+ },
+ "TEST"
+ ]
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft
new file mode 100644
index 00000000..20f53741
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft
@@ -0,0 +1,11 @@
+table inet filter {
+ counter TEST {
+ packets 0 bytes 0
+ }
+
+ map testmap {
+ type ipv4_addr : counter
+ flags interval
+ elements = { 192.168.0.0/24 : "TEST" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/automerge_0.nodump b/tests/shell/testcases/sets/dumps/automerge_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/automerge_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft
new file mode 100644
index 00000000..c713828d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft
@@ -0,0 +1,50 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "a",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "x",
+ "table": "a",
+ "type": "inet_service",
+ "handle": 0,
+ "elem": [
+ 1,
+ 2
+ ]
+ }
+ },
+ {
+ "table": {
+ "family": "ip6",
+ "name": "a",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip6",
+ "name": "x",
+ "table": "a",
+ "type": "inet_service",
+ "handle": 0,
+ "elem": [
+ 2
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
new file mode 100644
index 00000000..a3244fc6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
@@ -0,0 +1,12 @@
+table ip a {
+ set x {
+ type inet_service
+ elements = { 1, 2 }
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service
+ elements = { 2 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft
new file mode 100644
index 00000000..d65065e4
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft
@@ -0,0 +1,68 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": [
+ "ipv4_addr",
+ "inet_proto",
+ "inet_service"
+ ],
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s2",
+ "table": "t",
+ "type": [
+ "ipv4_addr",
+ "mark"
+ ],
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "concat": [
+ "10.10.10.10",
+ 256
+ ]
+ },
+ {
+ "concat": [
+ "20.20.20.20",
+ 512
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.nft b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
new file mode 100644
index 00000000..61547c5e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
@@ -0,0 +1,14 @@
+table ip t {
+ set s {
+ type ipv4_addr . inet_proto . inet_service
+ flags interval
+ counter
+ }
+
+ set s2 {
+ type ipv4_addr . mark
+ flags interval
+ elements = { 10.10.10.10 . 0x00000100,
+ 20.20.20.20 . 0x00000200 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft
new file mode 100644
index 00000000..ad8a7cc0
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft
@@ -0,0 +1,83 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "output",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "dlist",
+ "table": "test",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "test",
+ "chain": "output",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "udp",
+ "field": "dport"
+ }
+ },
+ "right": 1234
+ }
+ },
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "set": "@dlist"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/errors_0.json-nft b/tests/shell/testcases/sets/dumps/errors_0.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/errors_0.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/errors_0.nft b/tests/shell/testcases/sets/dumps/errors_0.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/errors_0.nft
diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft
new file mode 100644
index 00000000..958d1e5c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft
@@ -0,0 +1,110 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "t",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "prefix": {
+ "addr": "1.0.1.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.0.2.0",
+ "len": 23
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.0.8.0",
+ "len": 21
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.0.32.0",
+ "len": 19
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.0.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.2.0",
+ "len": 23
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.4.0",
+ "len": 22
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.8.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.9.0",
+ "len": 24
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.10.0",
+ "len": 23
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.12.0",
+ "len": 22
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.16.0",
+ "len": 20
+ }
+ },
+ {
+ "prefix": {
+ "addr": "1.1.32.0",
+ "len": 19
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft
new file mode 100644
index 00000000..c903e3fc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 1.0.1.0/24, 1.0.2.0/23,
+ 1.0.8.0/21, 1.0.32.0/19,
+ 1.1.0.0/24, 1.1.2.0/23,
+ 1.1.4.0/22, 1.1.8.0/24,
+ 1.1.9.0/24, 1.1.10.0/23,
+ 1.1.12.0/22, 1.1.16.0/20,
+ 1.1.32.0/19 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft
new file mode 100644
index 00000000..8d84e1cc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft
@@ -0,0 +1,207 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "netdev",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "netdev",
+ "table": "x",
+ "name": "y",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "netdev",
+ "name": "x",
+ "table": "x",
+ "type": [
+ "ipv4_addr",
+ "ipv4_addr"
+ ],
+ "handle": 0,
+ "elem": [
+ {
+ "concat": [
+ "3.3.3.3",
+ "4.4.4.4"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "netdev",
+ "name": "y",
+ "table": "x",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "netdev",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "udp",
+ "field": "dport"
+ }
+ },
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "tunnel": "vxlan",
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "payload": {
+ "tunnel": "vxlan",
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ }
+ ]
+ },
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "netdev",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "udp",
+ "field": "dport"
+ }
+ },
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "tunnel": "vxlan",
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "payload": {
+ "tunnel": "vxlan",
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ }
+ ]
+ },
+ "right": "@x"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "netdev",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "udp",
+ "field": "dport"
+ }
+ },
+ "right": 4789
+ }
+ },
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "payload": {
+ "tunnel": "vxlan",
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "set": "@y"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/inner_0.nft b/tests/shell/testcases/sets/dumps/inner_0.nft
new file mode 100644
index 00000000..925ca777
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/inner_0.nft
@@ -0,0 +1,18 @@
+table netdev x {
+ set x {
+ typeof vxlan ip saddr . vxlan ip daddr
+ elements = { 3.3.3.3 . 4.4.4.4 }
+ }
+
+ set y {
+ typeof vxlan ip saddr
+ size 65535
+ flags dynamic
+ }
+
+ chain y {
+ udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter packets 0 bytes 0
+ udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter packets 0 bytes 0
+ udp dport 4789 update @y { vxlan ip saddr }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/meter_0.json-nft b/tests/shell/testcases/sets/dumps/meter_0.json-nft
new file mode 100644
index 00000000..c318e4f2
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/meter_0.json-nft
@@ -0,0 +1,203 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip6",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip6",
+ "table": "test",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip6",
+ "name": "acct_out",
+ "table": "test",
+ "type": [
+ "iface_index",
+ "ipv6_addr"
+ ],
+ "handle": 0,
+ "size": 4096,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "ip6",
+ "name": "acct_out2",
+ "table": "test",
+ "type": [
+ "ipv6_addr",
+ "iface_index"
+ ],
+ "handle": 0,
+ "size": 12345,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip6",
+ "table": "test",
+ "chain": "test",
+ "handle": 0,
+ "expr": [
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "elem": {
+ "val": {
+ "concat": [
+ {
+ "meta": {
+ "key": "iif"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ }
+ ]
+ },
+ "timeout": 600
+ }
+ },
+ "set": "@acct_out",
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip6",
+ "table": "test",
+ "chain": "test",
+ "handle": 0,
+ "expr": [
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "elem": {
+ "val": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iif"
+ }
+ }
+ ]
+ },
+ "timeout": 600
+ }
+ },
+ "set": "@acct_out2",
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "xyz",
+ "table": "test",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "size": 8192,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "test",
+ "chain": "test",
+ "handle": 0,
+ "expr": [
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "elem": {
+ "val": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "timeout": 30
+ }
+ },
+ "set": "@xyz",
+ "stmt": [
+ {
+ "counter": null
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/meter_0.nft b/tests/shell/testcases/sets/dumps/meter_0.nft
new file mode 100644
index 00000000..3843f9a9
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/meter_0.nft
@@ -0,0 +1,29 @@
+table ip6 test {
+ set acct_out {
+ type iface_index . ipv6_addr
+ size 4096
+ flags dynamic,timeout
+ }
+
+ set acct_out2 {
+ type ipv6_addr . iface_index
+ size 12345
+ flags dynamic,timeout
+ }
+
+ chain test {
+ update @acct_out { iif . ip6 saddr timeout 10m counter }
+ update @acct_out2 { ip6 saddr . iif timeout 10m counter }
+ }
+}
+table ip test {
+ set xyz {
+ type ipv4_addr
+ size 8192
+ flags dynamic,timeout
+ }
+
+ chain test {
+ update @xyz { ip saddr timeout 30s counter }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/reset_command_0.nodump b/tests/shell/testcases/sets/dumps/reset_command_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/reset_command_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft
new file mode 100644
index 00000000..6f692381
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft
@@ -0,0 +1,85 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "nat",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "nat",
+ "name": "prerouting",
+ "handle": 0,
+ "type": "nat",
+ "hook": "prerouting",
+ "prio": -100,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "set_with_interval",
+ "table": "nat",
+ "type": "ipv4_addr",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "nat",
+ "chain": "prerouting",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": {
+ "set": [
+ "tcp",
+ "udp"
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 443
+ }
+ },
+ {
+ "dnat": {
+ "addr": "10.0.0.1"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft
new file mode 100644
index 00000000..ac428429
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft
@@ -0,0 +1,551 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "testifsets",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "testifsets",
+ "name": "v4icmp",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "testifsets",
+ "name": "v4icmpc",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "testifsets",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "testifsets",
+ "name": "do_nothing",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "simple",
+ "table": "testifsets",
+ "type": "ifname",
+ "handle": 0,
+ "elem": [
+ "abcdef0",
+ "abcdef1",
+ "othername"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "simple_wild",
+ "table": "testifsets",
+ "type": "ifname",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ "abcdef*",
+ "othername",
+ "ppp0"
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "concat",
+ "table": "testifsets",
+ "type": [
+ "ipv4_addr",
+ "ifname"
+ ],
+ "handle": 0,
+ "elem": [
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef0"
+ ]
+ },
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef1"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "concat_wild",
+ "table": "testifsets",
+ "type": [
+ "ipv4_addr",
+ "ifname"
+ ],
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef*"
+ ]
+ },
+ {
+ "concat": [
+ "10.1.2.1",
+ "bar"
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "1.1.2.0",
+ "len": 24
+ }
+ },
+ "abcdef0"
+ ]
+ },
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "12.2.2.0",
+ "len": 24
+ }
+ },
+ "abcdef*"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "map": {
+ "family": "inet",
+ "name": "map_wild",
+ "table": "testifsets",
+ "type": "ifname",
+ "handle": 0,
+ "map": "verdict",
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ [
+ "abcdef*",
+ {
+ "jump": {
+ "target": "do_nothing"
+ }
+ }
+ ],
+ [
+ "eth0",
+ {
+ "jump": {
+ "target": "do_nothing"
+ }
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "@simple"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "@simple_wild"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": {
+ "set": [
+ "eth0",
+ "abcdef0"
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": {
+ "set": [
+ "abcdef*",
+ "eth0"
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmp",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "data": "@map_wild"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmpc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ }
+ ]
+ },
+ "right": "@concat"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmpc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ }
+ ]
+ },
+ "right": "@concat_wild"
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmpc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ }
+ ]
+ },
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef0"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "v4icmpc",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ }
+ ]
+ },
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "10.1.2.2",
+ "abcdef*"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "protocol"
+ }
+ },
+ "right": "icmp"
+ }
+ },
+ {
+ "jump": {
+ "target": "v4icmp"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "testifsets",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "protocol"
+ }
+ },
+ "right": "icmp"
+ }
+ },
+ {
+ "goto": {
+ "target": "v4icmpc"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft
index 6b073ae2..77a8baf5 100644
--- a/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft
+++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft
@@ -29,11 +29,19 @@ table inet testifsets {
12.2.2.0/24 . "abcdef*" }
}
+ map map_wild {
+ type ifname : verdict
+ flags interval
+ elements = { "abcdef*" : jump do_nothing,
+ "eth0" : jump do_nothing }
+ }
+
chain v4icmp {
iifname @simple counter packets 0 bytes 0
iifname @simple_wild counter packets 0 bytes 0
iifname { "eth0", "abcdef0" } counter packets 0 bytes 0
iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
+ iifname vmap @map_wild
}
chain v4icmpc {
@@ -48,4 +56,7 @@ table inet testifsets {
ip protocol icmp jump v4icmp
ip protocol icmp goto v4icmpc
}
+
+ chain do_nothing {
+ }
}
diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft
new file mode 100644
index 00000000..e22213ea
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft
@@ -0,0 +1,114 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c1",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "t",
+ "name": "c2",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s1",
+ "table": "t",
+ "type": [
+ "ipv4_addr",
+ "ipv4_addr",
+ "inet_service"
+ ],
+ "handle": 0,
+ "size": 65535,
+ "flags": [
+ "timeout",
+ "dynamic"
+ ],
+ "timeout": 10800
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c1",
+ "handle": 0,
+ "expr": [
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "10.180.0.4",
+ 80
+ ]
+ },
+ "set": "@s1"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "t",
+ "chain": "c2",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "1.2.3.4",
+ 80
+ ]
+ },
+ "right": "@s1"
+ }
+ },
+ {
+ "goto": {
+ "target": "c1"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.nft b/tests/shell/testcases/sets/dumps/type_set_symbol.nft
new file mode 100644
index 00000000..21209f6d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/type_set_symbol.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set s1 {
+ type ipv4_addr . ipv4_addr . inet_service
+ size 65535
+ flags dynamic,timeout
+ timeout 3h
+ }
+
+ chain c1 {
+ update @s1 { ip saddr . 10.180.0.4 . 80 }
+ }
+
+ chain c2 {
+ ip saddr . 1.2.3.4 . 80 @s1 goto c1
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
index 499ff167..4d6abaaa 100644
--- a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
+++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
@@ -6,7 +6,7 @@ table inet t {
}
chain y {
- ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
- ip daddr . @ih,32,32 @y
+ ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+ ip daddr . @nh,32,32 @y
}
}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
index 68b4dcc5..63fc5b14 100644
--- a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
@@ -50,6 +50,16 @@ table inet t {
elements = { "eth0" . 10.1.1.2 . 42 }
}
+ set s11 {
+ typeof vlan id . ip saddr
+ elements = { 3567 . 1.2.3.4 }
+ }
+
+ set s12 {
+ typeof iifname . ip saddr . meta ipsec
+ elements = { "eth0" . 10.1.1.2 . exists }
+ }
+
chain c1 {
osf name @s1 accept
}
@@ -85,4 +95,12 @@ table inet t {
chain c10 {
iifname . ip saddr . ipsec in reqid @s10 accept
}
+
+ chain c11 {
+ vlan id . ip saddr @s11 accept
+ }
+
+ chain c12 {
+ iifname . ip saddr . meta ipsec @s12 accept
+ }
}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft
new file mode 100644
index 00000000..89cbc835
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft
@@ -0,0 +1,15 @@
+table bridge t {
+ set nodhcpvlan {
+ typeof vlan id
+ elements = { 1 }
+ }
+
+ chain c1 {
+ vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2
+ vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2
+ vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2
+ }
+
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
new file mode 100644
index 00000000..348b5848
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
@@ -0,0 +1,23 @@
+table netdev t {
+ set s {
+ typeof ether saddr . vlan id
+ size 2048
+ flags dynamic,timeout
+ }
+
+ chain c {
+ ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return
+ ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return
+ }
+}
+table ip t {
+ set s {
+ typeof ipsec in reqid . iif
+ size 16
+ flags interval
+ }
+
+ chain c2 {
+ ipsec in reqid . "lo" @s
+ }
+}
diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0
new file mode 100755
index 00000000..7563773e
--- /dev/null
+++ b/tests/shell/testcases/sets/elem_opts_compat_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
+# ordering of element options and expressions has changed, make sure parser
+# accepts both ways
+
+set -e
+
+$NFT -f - <<EOF
+table t {
+ set s {
+ type inet_service
+ counter;
+ timeout 30s;
+ }
+}
+EOF
+
+check() {
+ out=$($NFT list ruleset)
+ secs=$(sed -n 's/.*expires \([0-9]\+\)s.*/\1/p' <<< "$out")
+ [[ $secs -lt 11 ]]
+ grep -q 'counter packets 10 bytes 20' <<< "$out"
+}
+
+$NFT add element t s '{ 23 counter packets 10 bytes 20 expires 10s }'
+check
+$NFT flush set t s
+$NFT add element t s '{ 42 expires 10s counter packets 10 bytes 20 }'
+check
diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
index 569f4ab8..27f65df3 100755
--- a/tests/shell/testcases/sets/errors_0
+++ b/tests/shell/testcases/sets/errors_0
@@ -38,4 +38,32 @@ create table inet filter
set inet filter foo {}
add element inet filter foo { foobar }"
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+RULESET="table ip x {
+ map x {
+ type ifname . ipv4_addr : verdict
+ elements = { if2 . 10.0.0.2 : jump chain2,
+ if2 . 192.168.0.0/24 : jump chain2 }
+ }
+
+ chain chain2 {}
+}"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+RULESET="add set inet filter myset { type ipv4_addr; flags interval; auto-merge }
+add element inet filter myset { 192.168.0.0/24 }
+add element inet filter myset { 192.168.0.2 }
+add element inet filter myset { 192.168.1.0/24 }
+add element inet filter myset { 192.168.1.100 }"
+
$NFT -f - <<< $RULESET || exit 0
diff --git a/tests/shell/testcases/sets/inner_0 b/tests/shell/testcases/sets/inner_0
new file mode 100755
index 00000000..39d91bd9
--- /dev/null
+++ b/tests/shell/testcases/sets/inner_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inner_matching)
+
+set -e
+
+RULESET="table netdev x {
+ set x {
+ typeof vxlan ip saddr . vxlan ip daddr
+ elements = {
+ 3.3.3.3 . 4.4.4.4,
+ }
+ }
+
+ set y {
+ typeof vxlan ip saddr
+ flags dynamic
+ }
+
+ chain y {
+ udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter
+ udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter
+ udp dport 4789 update @y { vxlan ip saddr }
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/meter_0 b/tests/shell/testcases/sets/meter_0
new file mode 100755
index 00000000..82e6f20a
--- /dev/null
+++ b/tests/shell/testcases/sets/meter_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip6 test {
+ chain test {
+ meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter }
+ meter acct_out2 size 12345 { ip6 saddr . meta iif timeout 600s counter }
+ }
+}
+
+table ip test {
+ chain test {
+ meter xyz size 8192 { ip saddr timeout 30s counter}
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0
new file mode 100755
index 00000000..d38ddb3f
--- /dev/null
+++ b/tests/shell/testcases/sets/reset_command_0
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_set)
+
+set -e
+
+trap '[[ $? -eq 0 ]] || echo FAIL' EXIT
+
+RULESET="table t {
+ set s {
+ type ipv4_addr . inet_proto . inet_service
+ flags interval, timeout
+ counter
+ timeout 30m
+ elements = {
+ 1.0.0.1 . udp . 53 counter packets 5 bytes 30 expires 20m,
+ 2.0.0.2 . tcp . 22 counter packets 10 bytes 100 timeout 15m expires 10m
+ }
+ }
+ map m {
+ type ipv4_addr : ipv4_addr
+ quota 50 bytes
+ elements = {
+ 1.2.3.4 quota 50 bytes used 10 bytes : 10.2.3.4,
+ 5.6.7.8 quota 100 bytes used 50 bytes : 50.6.7.8
+ }
+ }
+}"
+
+echo -n "applying test ruleset: "
+$NFT -f - <<< "$RULESET"
+echo OK
+
+drop_seconds() {
+ sed 's/[0-9]\+m\?s//g'
+}
+expires_minutes() {
+ sed -n 's/.*expires \([0-9]*\)m.*/\1/p'
+}
+
+echo -n "get set elem matches reset set elem: "
+elem='element t s { 1.0.0.1 . udp . 53 }'
+[[ $($NFT "get $elem ; reset $elem" | \
+ grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]]
+echo OK
+
+echo -n "counters are reset, expiry left alone: "
+NEW=$($NFT "get $elem")
+grep -q 'counter packets 0 bytes 0' <<< "$NEW"
+[[ $(expires_minutes <<< "$NEW") -lt 20 ]]
+echo OK
+
+echo -n "get map elem matches reset map elem: "
+elem='element t m { 1.2.3.4 }'
+[[ $($NFT "get $elem ; reset $elem" | \
+ grep 'elements = ' | uniq | wc -l) == 1 ]]
+echo OK
+
+echo -n "quota value is reset: "
+$NFT get element t m '{ 1.2.3.4 }' | grep -q 'quota 50 bytes : 10.2.3.4'
+echo OK
+
+echo -n "other elements remain the same: "
+OUT=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }')
+grep -q 'counter packets 10 bytes 100 timeout 15m' <<< "$OUT"
+VAL=$(expires_minutes <<< "$OUT")
+[[ $val -lt 10 ]]
+$NFT get element t m '{ 5.6.7.8 }' | grep -q 'quota 100 bytes used 50 bytes'
+echo OK
+
+echo -n "list set matches reset set: "
+EXP=$($NFT list set t s | drop_seconds)
+OUT=$($NFT reset set t s | drop_seconds)
+$DIFF -u <(echo "$EXP") <(echo "$OUT")
+echo OK
+
+echo -n "list map matches reset map: "
+EXP=$($NFT list map t m)
+OUT=$($NFT reset map t m)
+$DIFF -u <(echo "$EXP") <(echo "$OUT")
+echo OK
+
+echo -n "remaining elements are reset: "
+OUT=$($NFT list ruleset)
+grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT"
+grep -q '5.6.7.8 quota 100 bytes : 50.6.7.8' <<< "$OUT"
+echo OK
diff --git a/tests/shell/testcases/sets/sets_with_ifnames b/tests/shell/testcases/sets/sets_with_ifnames
index 9531c856..a4bc5072 100755
--- a/tests/shell/testcases/sets/sets_with_ifnames
+++ b/tests/shell/testcases/sets/sets_with_ifnames
@@ -1,5 +1,7 @@
#!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
dumpfile=$(dirname $0)/dumps/$(basename $0).nft
[ -z "$NFT" ] && exit 111
diff --git a/tests/shell/testcases/sets/type_set_symbol b/tests/shell/testcases/sets/type_set_symbol
new file mode 100755
index 00000000..07820b7c
--- /dev/null
+++ b/tests/shell/testcases/sets/type_set_symbol
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/typeof_raw_0 b/tests/shell/testcases/sets/typeof_raw_0
index 36396b5c..66042eb4 100755
--- a/tests/shell/testcases/sets/typeof_raw_0
+++ b/tests/shell/testcases/sets/typeof_raw_0
@@ -7,8 +7,8 @@ EXPECTED="table inet t {
}
chain y {
- ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
- ip daddr . @ih,32,32 @y
+ ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+ ip daddr . @nh,32,32 @y
}
}"
diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0
index 5fc6a121..016227da 100755
--- a/tests/shell/testcases/sets/typeof_sets_0
+++ b/tests/shell/testcases/sets/typeof_sets_0
@@ -4,12 +4,76 @@
# s1 and s2 are identical, they just use different
# ways for declaration.
-EXPECTED="table inet t {
+set -e
+
+die() {
+ printf '%s\n' "$*"
+ exit 1
+}
+
+INPUT_OSF_SET="
set s1 {
typeof osf name
elements = { \"Linux\" }
}
+"
+
+INPUT_FRAG_SET="
+ set s4 {
+ typeof frag frag-off
+ elements = { 1, 1024 }
+ }
+"
+
+INPUT_VERSION_SET="
+ set s8 {
+ typeof ip version
+ elements = { 4, 6 }
+ }
+"
+
+INPUT_OSF_CHAIN="
+ chain c1 {
+ osf name @s1 accept
+ }
+"
+
+INPUT_FRAG_CHAIN="
+ chain c4 {
+ frag frag-off @s4 accept
+ }
+"
+
+INPUT_SCTP_CHAIN="
+ chain c7 {
+ sctp chunk init num-inbound-streams @s7 accept
+ }
+"
+INPUT_VERSION_CHAIN="
+ chain c8 {
+ ip version @s8 accept
+ }
+"
+
+if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then
+ INPUT_SCTP_CHAIN=
+fi
+if [ "$NFT_TEST_HAVE_bitshift" = n ] ; then
+ INPUT_FRAG_CHAIN=
+ INPUT_VERSION_CHAIN=
+fi
+
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+ if [ "$((RANDOM % 2))" -eq 1 ] ; then
+ # Regardless of $NFT_TEST_HAVE_osf, we can define the set.
+ # Randomly do so.
+ INPUT_OSF_SET=
+ fi
+ INPUT_OSF_CHAIN=
+fi
+
+INPUT="table inet t {$INPUT_OSF_SET
set s2 {
typeof vlan id
elements = { 2, 3, 103 }
@@ -18,12 +82,7 @@ EXPECTED="table inet t {
set s3 {
typeof meta ibrpvid
elements = { 2, 3, 103 }
- }
-
- set s4 {
- typeof frag frag-off
- elements = { 1, 1024 }
- }
+ }$INPUT_FRAG_SET
set s5 {
typeof ip option ra value
@@ -38,12 +97,7 @@ EXPECTED="table inet t {
set s7 {
typeof sctp chunk init num-inbound-streams
elements = { 1, 4 }
- }
-
- set s8 {
- typeof ip version
- elements = { 4, 6 }
- }
+ }$INPUT_VERSION_SET
set s9 {
typeof ip hdrlength
@@ -55,18 +109,19 @@ EXPECTED="table inet t {
elements = { \"eth0\" . 10.1.1.2 . 42 }
}
- chain c1 {
- osf name @s1 accept
+ set s11 {
+ typeof vlan id . ip saddr
+ elements = { 3567 . 1.2.3.4 }
}
-
+ set s12 {
+ typeof meta iifname . ip saddr . meta ipsec
+ elements = { \"eth0\" . 10.1.1.2 . 1 }
+ }
+$INPUT_OSF_CHAIN
chain c2 {
ether type vlan vlan id @s2 accept
}
-
- chain c4 {
- frag frag-off @s4 accept
- }
-
+$INPUT_FRAG_CHAIN
chain c5 {
ip option ra value @s5 accept
}
@@ -74,24 +129,115 @@ EXPECTED="table inet t {
chain c6 {
tcp option maxseg size @s6 accept
}
+$INPUT_SCTP_CHAIN
+$INPUT_VERSION_CHAIN
+ chain c9 {
+ ip hdrlength @s9 accept
+ }
- chain c7 {
- sctp chunk init num-inbound-streams @s7 accept
+ chain c10 {
+ meta iifname . ip saddr . ipsec in reqid @s10 accept
}
- chain c8 {
- ip version @s8 accept
+ chain c11 {
+ ether type vlan vlan id . ip saddr @s11 accept
+ }
+
+ chain c12 {
+ meta iifname . ip saddr . meta ipsec @s12 accept
}
+}"
+EXPECTED="table inet t {$INPUT_OSF_SET
+ set s2 {
+ typeof vlan id
+ elements = { 2, 3, 103 }
+ }
+
+ set s3 {
+ typeof meta ibrpvid
+ elements = { 2, 3, 103 }
+ }
+$INPUT_FRAG_SET
+ set s5 {
+ typeof ip option ra value
+ elements = { 1, 1024 }
+ }
+
+ set s6 {
+ typeof tcp option maxseg size
+ elements = { 1, 1024 }
+ }
+
+ set s7 {
+ typeof sctp chunk init num-inbound-streams
+ elements = { 1, 4 }
+ }
+$INPUT_VERSION_SET
+ set s9 {
+ typeof ip hdrlength
+ elements = { 0, 1, 2, 3, 4,
+ 15 }
+ }
+
+ set s10 {
+ typeof iifname . ip saddr . ipsec in reqid
+ elements = { \"eth0\" . 10.1.1.2 . 42 }
+ }
+
+ set s11 {
+ typeof vlan id . ip saddr
+ elements = { 3567 . 1.2.3.4 }
+ }
+
+ set s12 {
+ typeof iifname . ip saddr . meta ipsec
+ elements = { \"eth0\" . 10.1.1.2 . exists }
+ }
+$INPUT_OSF_CHAIN
+ chain c2 {
+ vlan id @s2 accept
+ }
+$INPUT_FRAG_CHAIN
+ chain c5 {
+ ip option ra value @s5 accept
+ }
+
+ chain c6 {
+ tcp option maxseg size @s6 accept
+ }
+$INPUT_SCTP_CHAIN$INPUT_VERSION_CHAIN
chain c9 {
ip hdrlength @s9 accept
}
chain c10 {
- meta iifname . ip saddr . ipsec in reqid @s10 accept
+ iifname . ip saddr . ipsec in reqid @s10 accept
+ }
+
+ chain c11 {
+ vlan id . ip saddr @s11 accept
+ }
+
+ chain c12 {
+ iifname . ip saddr . meta ipsec @s12 accept
}
}"
-set -e
-$NFT -f - <<< $EXPECTED
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
+
+if [ "$NFT_TEST_HAVE_bitshift" = n ] ; then
+ echo "Partial test due to NFT_TEST_HAVE_bitshift=n. Skip"
+ exit 77
+fi
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+ echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+ exit 77
+fi
+if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then
+ echo "Partial test due to NFT_TEST_HAVE_sctp_chunks=n. Skip"
+ exit 77
+fi
diff --git a/tests/shell/testcases/sets/typeof_sets_1 b/tests/shell/testcases/sets/typeof_sets_1
new file mode 100755
index 00000000..e520270c
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_1
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# regression test for corner case in netlink_delinearize
+
+EXPECTED="table bridge t {
+ set nodhcpvlan {
+ typeof vlan id
+ elements = { 1 }
+ }
+
+ chain c1 {
+ vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2
+ vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2
+ vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2
+ }
+
+ chain c2 {
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat
new file mode 100755
index 00000000..34465f1d
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_concat
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"