diff options
Diffstat (limited to 'tests/shell')
22 files changed, 393 insertions, 19 deletions
diff --git a/tests/shell/README b/tests/shell/README index e0279bbd..3af17a9e 100644 --- a/tests/shell/README +++ b/tests/shell/README @@ -1,16 +1,20 @@ -This test-suite is intended to perform tests of higher level than -the other regression test-suite. +This test suite is intended to perform tests on a higher level +than the other regression test suites. -It can run arbitrary executables which can perform any test apart of testing -the nft syntax or netlink code (which is what the regression tests does). +It can run arbitrary executables which can perform any test, not +limited to testing the nft syntax or netlink code (which is what +the regression tests do). To run the test suite (as root): $ cd tests/shell # ./run-tests.sh -Test files are executables files with the pattern <<name_N>>, where N is the -expected return code of the executable. Since they are located with `find', -test-files can be spread in any sub-directories. +Test files are executable files matching the pattern <<name_N>>, +where N should be 0 in all new tests. All tests should return 0 on +success. + +Since they are located with `find', test files can be put in any +subdirectory. You can turn on a verbose execution by calling: # ./run-tests.sh -v @@ -18,11 +22,14 @@ You can turn on a verbose execution by calling: And generate missing dump files with: # ./run-tests.sh -g <TESTFILE> -Before each call to the test-files, `nft flush ruleset' will be called. -Also, test-files will receive the environment variable $NFT which contains the -path to the nftables binary being tested. +Before each test file invocation, `nft flush ruleset' will be called. +Also, test file process environment will include the variable $NFT +which contains the nft command being tested. You can pass an arbitrary $NFT value as well: # NFT=/usr/local/sbin/nft ./run-tests.sh -By default the tests are run with the nft binary at '../../src/nft' +Note that, to support usage such as NFT='valgrind nft', tests must +invoke $NFT unquoted. + +By default, the tests are run with the nft binary at '../../src/nft' diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 349ec6cb..f77d850e 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -160,4 +160,4 @@ echo "" msg_info "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))" kernel_cleanup -exit $failed +[ "$failed" -eq 0 ] diff --git a/tests/shell/testcases/chains/0021prio_0 b/tests/shell/testcases/chains/0021prio_0 index e7612974..d450dc0b 100755 --- a/tests/shell/testcases/chains/0021prio_0 +++ b/tests/shell/testcases/chains/0021prio_0 @@ -69,6 +69,7 @@ done family=netdev echo "add table $family x" gen_chains $family ingress filter lo +gen_chains $family egress filter lo family=bridge echo "add table $family x" diff --git a/tests/shell/testcases/chains/0026prio_netdev_1 b/tests/shell/testcases/chains/0026prio_netdev_1 index aa902e9b..b6fa3db5 100755 --- a/tests/shell/testcases/chains/0026prio_netdev_1 +++ b/tests/shell/testcases/chains/0026prio_netdev_1 @@ -1,7 +1,8 @@ #!/bin/bash family=netdev - hook=ingress + for hook in ingress egress + do for prioname in raw mangle dstnat security srcnat do $NFT add table $family x || exit 1 @@ -12,4 +13,5 @@ family=netdev exit 1 fi done + done exit 0 diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0 index 86dc075d..bff46468 100755 --- a/tests/shell/testcases/chains/0043chain_ingress_0 +++ b/tests/shell/testcases/chains/0043chain_ingress_0 @@ -14,5 +14,11 @@ RULESET="table inet filter { } }" +# Test auto-removal of chain hook on netns removal +unshare -n bash -c "ip link add br0 type bridge; \ + $NFT add table netdev test; \ + $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \ +" || exit 1 + $NFT -f - <<< "$RULESET" && exit 0 exit 1 diff --git a/tests/shell/testcases/chains/dumps/0021prio_0.nft b/tests/shell/testcases/chains/dumps/0021prio_0.nft index ca94d441..4297d246 100644 --- a/tests/shell/testcases/chains/dumps/0021prio_0.nft +++ b/tests/shell/testcases/chains/dumps/0021prio_0.nft @@ -1382,6 +1382,26 @@ table netdev x { chain ingressfilterp11 { type filter hook ingress device "lo" priority 11; policy accept; } + + chain egressfilterm11 { + type filter hook egress device "lo" priority -11; policy accept; + } + + chain egressfilterm10 { + type filter hook egress device "lo" priority filter - 10; policy accept; + } + + chain egressfilter { + type filter hook egress device "lo" priority filter; policy accept; + } + + chain egressfilterp10 { + type filter hook egress device "lo" priority filter + 10; policy accept; + } + + chain egressfilterp11 { + type filter hook egress device "lo" priority 11; policy accept; + } } table bridge x { chain preroutingfilterm11 { diff --git a/tests/shell/testcases/listing/0020flowtable_0 b/tests/shell/testcases/listing/0020flowtable_0 index 2f0a98d1..47488d8e 100755 --- a/tests/shell/testcases/listing/0020flowtable_0 +++ b/tests/shell/testcases/listing/0020flowtable_0 @@ -2,19 +2,60 @@ # list only the flowtable asked for with table +FLOWTABLES="flowtable f { + hook ingress priority filter + devices = { lo } +} +flowtable f2 { + hook ingress priority filter + devices = { d0 } +}" + +RULESET="table inet filter { + $FLOWTABLES +} +table ip filter { + $FLOWTABLES +}" + EXPECTED="table inet filter { flowtable f { hook ingress priority filter devices = { lo } } }" +EXPECTED2="table ip filter { + flowtable f2 { + hook ingress priority filter + devices = { d0 } + } +}" +EXPECTED3="table ip filter { + flowtable f { + hook ingress priority filter + devices = { lo } + } + flowtable f2 { + hook ingress priority filter + devices = { d0 } + } +}" + +ip link add d0 type dummy || { + echo "Skipping, no dummy interface available" + exit 0 +} +trap "ip link del d0" EXIT set -e -$NFT -f - <<< "$EXPECTED" +$NFT -f - <<< "$RULESET" GET="$($NFT list flowtable inet filter f)" -if [ "$EXPECTED" != "$GET" ] ; then - $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi +$DIFF -u <(echo "$EXPECTED") <(echo "$GET") + +GET="$($NFT list flowtable ip filter f2)" +$DIFF -u <(echo "$EXPECTED2") <(echo "$GET") + +GET="$($NFT list flowtables ip)" +$DIFF -u <(echo "$EXPECTED3") <(echo "$GET") diff --git a/tests/shell/testcases/listing/0022terse_0 b/tests/shell/testcases/listing/0022terse_0 new file mode 100755 index 00000000..4841771c --- /dev/null +++ b/tests/shell/testcases/listing/0022terse_0 @@ -0,0 +1,69 @@ +#!/bin/bash + +RULESET="table inet filter { + set example { + type ipv4_addr + flags interval + elements = { 10.10.10.10, 10.10.11.11 } + } + + chain input { + type filter hook prerouting priority filter; policy accept; + ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop + } +}" + +set -e + +$NFT -f - <<< "$RULESET" + +GET="$($NFT list ruleset)" +if [ "$RULESET" != "$GET" ] ; then + $DIFF -u <(echo "$RULESET") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + } + + chain input { + type filter hook prerouting priority filter; policy accept; + ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop + } +}" + +GET="$($NFT -t list ruleset)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + elements = { 10.10.10.10, 10.10.11.11 } + } +}" + +GET="$($NFT list set inet filter example)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi + +EXPECTED="table inet filter { + set example { + type ipv4_addr + flags interval + } +}" + +GET="$($NFT -t list set inet filter example)" +if [ "$EXPECTED" != "$GET" ] ; then + $DIFF -u <(echo "$EXPECTED") <(echo "$GET") + exit 1 +fi diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0 new file mode 100755 index 00000000..70d7fd3b --- /dev/null +++ b/tests/shell/testcases/maps/0013map_0 @@ -0,0 +1,14 @@ +#!/bin/bash + +set -e + +RULESET=" +flush ruleset + +add table ip filter +add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; } +add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; } +add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol . th dport vmap @forwport counter +add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft new file mode 100644 index 00000000..1455877d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0013map_0.nft @@ -0,0 +1,13 @@ +table ip filter { + map forwport { + type ipv4_addr . inet_proto . inet_service : verdict + flags interval + counter + elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept } + } + + chain FORWARD { + type filter hook forward priority filter; policy drop; + iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/nft-f/0029split_file_0 b/tests/shell/testcases/nft-f/0029split_file_0 new file mode 100755 index 00000000..0cc547ab --- /dev/null +++ b/tests/shell/testcases/nft-f/0029split_file_0 @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +RULESET="table inet filter { + set whitelist_v4 { + type ipv4_addr; + } + + chain prerouting { + type filter hook prerouting priority filter; + } +} +" + +$NFT -f - <<< "$RULESET" + +RULESET="table inet filter { + chain prerouting { + ip daddr @whitelist_v4 + } +} +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/0030variable_reuse_0 b/tests/shell/testcases/nft-f/0030variable_reuse_0 new file mode 100755 index 00000000..8afc54aa --- /dev/null +++ b/tests/shell/testcases/nft-f/0030variable_reuse_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +RULESET="define test = { 1.1.1.1 } + +table ip x { + set y { + type ipv4_addr + elements = { 2.2.2.2, \$test } + } + + set z { + type ipv4_addr + elements = { 3.3.3.3, \$test } + } +}" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft new file mode 100644 index 00000000..635901f4 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft @@ -0,0 +1,11 @@ +table ip x { + set y { + type ipv4_addr + elements = { 1.1.1.1, 2.2.2.2 } + } + + set z { + type ipv4_addr + elements = { 1.1.1.1, 3.3.3.3 } + } +} diff --git a/tests/shell/testcases/parsing/describe b/tests/shell/testcases/parsing/describe new file mode 100755 index 00000000..2ee072e8 --- /dev/null +++ b/tests/shell/testcases/parsing/describe @@ -0,0 +1,7 @@ +#!/bin/bash + +errmsg='Error: unknown ip option type/field' + +str=$($NFT describe ip option rr value 2>&1 | head -n 1) + +[ "$str" = "$errmsg" ] && exit 0 diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 b/tests/shell/testcases/sets/0031set_timeout_size_0 index 796640d6..9a4a27f6 100755 --- a/tests/shell/testcases/sets/0031set_timeout_size_0 +++ b/tests/shell/testcases/sets/0031set_timeout_size_0 @@ -8,5 +8,5 @@ add rule x test set update ip daddr timeout 100ms @y" set -e $NFT -f - <<< "$RULESET" -$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s10ms }' +$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s\(10\|8\)ms }' $NFT list chain x test | grep -q 'update @y { ip daddr timeout 100ms }' diff --git a/tests/shell/testcases/sets/0045concat_ipv4_service b/tests/shell/testcases/sets/0045concat_ipv4_service new file mode 100755 index 00000000..5b40f973 --- /dev/null +++ b/tests/shell/testcases/sets/0045concat_ipv4_service @@ -0,0 +1,16 @@ +#!/bin/bash + +$NFT -f - <<EOF +table inet t { + set s { + type ipv4_addr . inet_service + size 65536 + flags dynamic,timeout + elements = { 192.168.7.1 . 22 } + } + + chain c { + tcp dport 21 add @s { ip saddr . 22 timeout 60s } + } +} +EOF diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0 index 3d1b62d6..530771b0 100755 --- a/tests/shell/testcases/sets/0067nat_concat_interval_0 +++ b/tests/shell/testcases/sets/0067nat_concat_interval_0 @@ -31,3 +31,14 @@ EXPECTED="table ip nat { }" $NFT -f - <<< $EXPECTED + +EXPECTED="table ip nat { + map fwdtoip_th { + type ipv4_addr . inet_service : interval ipv4_addr . inet_service + flags interval + elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 } + } +}" + +$NFT -f - <<< $EXPECTED +$NFT add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0 new file mode 100755 index 00000000..2cbc9868 --- /dev/null +++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0 @@ -0,0 +1,29 @@ +#!/bin/bash + +set -e + +ruleset_file=$(mktemp) + +trap 'rm -f "$ruleset_file"' EXIT + +{ + echo 'define big_set = {' + for ((i = 1; i < 255; i++)); do + for ((j = 1; j < 255; j++)); do + echo "10.0.$i.$j," + done + done + echo '10.1.0.0/24 }' +} >"$ruleset_file" + +cat >>"$ruleset_file" <<\EOF +table inet test68_table { + set test68_set { + type ipv4_addr + flags interval + elements = { $big_set } + } +} +EOF + +( ulimit -s 400 && $NFT -f "$ruleset_file" ) diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft new file mode 100644 index 00000000..e548a17a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft @@ -0,0 +1,12 @@ +table inet t { + set s { + type ipv4_addr . inet_service + size 65536 + flags dynamic,timeout + elements = { 192.168.7.1 . 22 } + } + + chain c { + tcp dport 21 add @s { ip saddr . 22 timeout 1m } + } +} diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft index c565d21f..3226da15 100644 --- a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft +++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft @@ -11,9 +11,16 @@ table ip nat { elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.0/8 . 42-43 } } + map fwdtoip_th { + type ipv4_addr . inet_service : interval ipv4_addr . inet_service + flags interval + elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 } + } + chain prerouting { type nat hook prerouting priority dstnat; policy accept; ip protocol tcp dnat ip to ip saddr map @ipportmap ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2 + meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th } } diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft index 565369fb..8f11b110 100644 --- a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft +++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft @@ -14,6 +14,26 @@ table inet t { elements = { 2, 3, 103 } } + set s4 { + typeof frag frag-off + elements = { 1, 1024 } + } + + set s5 { + typeof ip option ra value + elements = { 1, 1024 } + } + + set s6 { + typeof tcp option maxseg size + elements = { 1, 1024 } + } + + set s7 { + typeof sctp chunk init num-inbound-streams + elements = { 1, 4 } + } + chain c1 { osf name @s1 accept } @@ -21,4 +41,16 @@ table inet t { chain c2 { vlan id @s2 accept } + + chain c5 { + ip option ra value @s5 accept + } + + chain c6 { + tcp option maxseg size @s6 accept + } + + chain c7 { + sctp chunk init num-inbound-streams @s7 accept + } } diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0 index 9b2712e5..1e99e298 100755 --- a/tests/shell/testcases/sets/typeof_sets_0 +++ b/tests/shell/testcases/sets/typeof_sets_0 @@ -20,6 +20,26 @@ EXPECTED="table inet t { elements = { 2, 3, 103 } } + set s4 { + typeof frag frag-off + elements = { 1, 1024 } + } + + set s5 { + typeof ip option ra value + elements = { 1, 1024 } + } + + set s6 { + typeof tcp option maxseg size + elements = { 1, 1024 } + } + + set s7 { + typeof sctp chunk init num-inbound-streams + elements = { 1, 4 } + } + chain c1 { osf name @s1 accept } @@ -27,6 +47,18 @@ EXPECTED="table inet t { chain c2 { ether type vlan vlan id @s2 accept } + + chain c5 { + ip option ra value @s5 accept + } + + chain c6 { + tcp option maxseg size @s6 accept + } + + chain c7 { + sctp chunk init num-inbound-streams @s7 accept + } }" set -e |