summaryrefslogtreecommitdiffstats
path: root/tests/shell
diff options
context:
space:
mode:
Diffstat (limited to 'tests/shell')
-rwxr-xr-xtests/shell/testcases/maps/0010concat_map_019
-rwxr-xr-xtests/shell/testcases/maps/0011vmap_025
-rwxr-xr-xtests/shell/testcases/maps/0012map_017
-rwxr-xr-xtests/shell/testcases/maps/0013map_014
-rw-r--r--tests/shell/testcases/maps/dumps/0010concat_map_0.nft11
-rw-r--r--tests/shell/testcases/maps/dumps/0011vmap_0.nft19
-rw-r--r--tests/shell/testcases/maps/dumps/0012map_0.nft12
-rw-r--r--tests/shell/testcases/maps/dumps/0013map_0.nft13
-rw-r--r--tests/shell/testcases/maps/dumps/nat_addr_port.nft24
-rwxr-xr-xtests/shell/testcases/nft-f/0012different_defines_07
-rwxr-xr-xtests/shell/testcases/nft-f/0027split_chains_017
-rwxr-xr-xtests/shell/testcases/nft-f/0028variable_cmdline_017
-rw-r--r--tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft5
-rw-r--r--tests/shell/testcases/nft-f/dumps/0022priority_variable_0.nft5
-rw-r--r--tests/shell/testcases/nft-f/dumps/0022variables_0.nft14
-rw-r--r--tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft9
-rw-r--r--tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft8
-rwxr-xr-xtests/shell/testcases/optimizations/dependency_kill48
-rw-r--r--tests/shell/testcases/optimizations/dumps/dependency_kill.nft42
-rwxr-xr-xtests/shell/testcases/sets/0031set_timeout_size_04
-rwxr-xr-xtests/shell/testcases/sets/0047nat_02
-rwxr-xr-xtests/shell/testcases/sets/0065_icmp_postprocessing13
-rwxr-xr-xtests/shell/testcases/sets/0067nat_concat_interval_033
-rw-r--r--tests/shell/testcases/sets/dumps/0047nat_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft19
25 files changed, 378 insertions, 21 deletions
diff --git a/tests/shell/testcases/maps/0010concat_map_0 b/tests/shell/testcases/maps/0010concat_map_0
new file mode 100755
index 00000000..4848d972
--- /dev/null
+++ b/tests/shell/testcases/maps/0010concat_map_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet x {
+ map z {
+ type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
+ elements = {
+ 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30
+ }
+ }
+
+ chain y {
+ type nat hook prerouting priority dstnat;
+ dnat ip addr . port to ip saddr . ip protocol . tcp dport map @z
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0011vmap_0 b/tests/shell/testcases/maps/0011vmap_0
new file mode 100755
index 00000000..83704d48
--- /dev/null
+++ b/tests/shell/testcases/maps/0011vmap_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet filter {
+ map portmap {
+ type inet_service : verdict
+ counter
+ }
+
+ chain ssh_input {
+ }
+
+ chain wan_input {
+ tcp dport vmap @portmap
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept;
+ iif vmap { "lo" : jump wan_input }
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
+$NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }'
diff --git a/tests/shell/testcases/maps/0012map_0 b/tests/shell/testcases/maps/0012map_0
new file mode 100755
index 00000000..dd93c482
--- /dev/null
+++ b/tests/shell/testcases/maps/0012map_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define interfaces = { eth0, eth1 }
+
+table ip x {
+ map z {
+ type ifname : verdict
+ elements = { \$interfaces : drop, lo : accept }
+ }
+ chain y {
+ iifname vmap { lo : accept, \$interfaces : drop }
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0
new file mode 100755
index 00000000..70d7fd3b
--- /dev/null
+++ b/tests/shell/testcases/maps/0013map_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+flush ruleset
+
+add table ip filter
+add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
+add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; }
+add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol . th dport vmap @forwport counter
+add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft
new file mode 100644
index 00000000..b6bc338c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft
@@ -0,0 +1,11 @@
+table inet x {
+ map z {
+ type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
+ elements = { 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30 }
+ }
+
+ chain y {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta nfproto ipv4 dnat ip to ip saddr . ip protocol . tcp dport map @z
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.nft b/tests/shell/testcases/maps/dumps/0011vmap_0.nft
new file mode 100644
index 00000000..4a72b5e7
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0011vmap_0.nft
@@ -0,0 +1,19 @@
+table inet filter {
+ map portmap {
+ type inet_service : verdict
+ counter
+ elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
+ }
+
+ chain ssh_input {
+ }
+
+ chain wan_input {
+ tcp dport vmap @portmap
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority raw; policy accept;
+ iif vmap { "lo" : jump wan_input }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0012map_0.nft b/tests/shell/testcases/maps/dumps/0012map_0.nft
new file mode 100644
index 00000000..e734fc1c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0012map_0.nft
@@ -0,0 +1,12 @@
+table ip x {
+ map z {
+ type ifname : verdict
+ elements = { "lo" : accept,
+ "eth0" : drop,
+ "eth1" : drop }
+ }
+
+ chain y {
+ iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft
new file mode 100644
index 00000000..1455877d
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0013map_0.nft
@@ -0,0 +1,13 @@
+table ip filter {
+ map forwport {
+ type ipv4_addr . inet_proto . inet_service : verdict
+ flags interval
+ counter
+ elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy drop;
+ iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/nat_addr_port.nft b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
index 89c3bd14..cf6b957f 100644
--- a/tests/shell/testcases/maps/dumps/nat_addr_port.nft
+++ b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
@@ -27,10 +27,10 @@ table ip ipfoo {
dnat to ip daddr map @x
ip saddr 10.1.1.1 dnat to 10.2.3.4
ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
- meta l4proto tcp dnat ip addr . port to ip saddr map @y
- dnat ip addr . port to ip saddr . tcp dport map @z
+ meta l4proto tcp dnat ip to ip saddr map @y
+ dnat ip to ip saddr . tcp dport map @z
dnat to numgen inc mod 2 map @t1
- meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2
+ meta l4proto tcp dnat ip to numgen inc mod 2 map @t2
}
}
table ip6 ip6foo {
@@ -60,10 +60,10 @@ table ip6 ip6foo {
dnat to ip6 daddr map @x
ip6 saddr dead::1 dnat to feed::1
ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
- meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y
- dnat ip6 addr . port to ip6 saddr . tcp dport map @z
+ meta l4proto tcp dnat ip6 to ip6 saddr map @y
+ dnat ip6 to ip6 saddr . tcp dport map @z
dnat to numgen inc mod 2 map @t1
- meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2
+ meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2
}
}
table inet inetfoo {
@@ -114,16 +114,16 @@ table inet inetfoo {
dnat ip to ip daddr map @x4
ip saddr 10.1.1.1 dnat ip to 10.2.3.4
ip saddr 10.1.1.2 tcp dport 42 dnat ip to 10.2.3.4:4242
- meta l4proto tcp meta nfproto ipv4 dnat ip addr . port to ip saddr map @y4
- meta nfproto ipv4 dnat ip addr . port to ip saddr . tcp dport map @z4
+ meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map @y4
+ meta nfproto ipv4 dnat ip to ip saddr . tcp dport map @z4
dnat ip to numgen inc mod 2 map @t1v4
- meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4
+ meta l4proto tcp dnat ip to numgen inc mod 2 map @t2v4
dnat ip6 to ip6 daddr map @x6
ip6 saddr dead::1 dnat ip6 to feed::1
ip6 saddr dead::2 tcp dport 42 dnat ip6 to [c0::1a]:4242
- meta l4proto tcp meta nfproto ipv6 dnat ip6 addr . port to ip6 saddr map @y6
- meta nfproto ipv6 dnat ip6 addr . port to ip6 saddr . tcp dport map @z6
+ meta l4proto tcp meta nfproto ipv6 dnat ip6 to ip6 saddr map @y6
+ meta nfproto ipv6 dnat ip6 to ip6 saddr . tcp dport map @z6
dnat ip6 to numgen inc mod 2 map @t1v6
- meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6
+ meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2v6
}
}
diff --git a/tests/shell/testcases/nft-f/0012different_defines_0 b/tests/shell/testcases/nft-f/0012different_defines_0
index 0bdbd1b5..fe228587 100755
--- a/tests/shell/testcases/nft-f/0012different_defines_0
+++ b/tests/shell/testcases/nft-f/0012different_defines_0
@@ -14,6 +14,8 @@ define d_ipv4_2 = 10.0.0.2
define d_ipv6 = fe0::1
define d_ipv6_2 = fe0::2
define d_ports = 100-222
+define d_qnum = 0
+define d_qnumr = 1-42
table inet t {
chain c {
@@ -29,6 +31,11 @@ table inet t {
ip daddr . meta iif vmap { \$d_ipv4 . \$d_iif : accept }
tcp dport \$d_ports
udp dport vmap { \$d_ports : accept }
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnum bypass
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnumr
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass,fanout num \$d_qnumr
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue to symhash mod 2
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass to jhash tcp dport . tcp sport mod 4
}
}"
diff --git a/tests/shell/testcases/nft-f/0027split_chains_0 b/tests/shell/testcases/nft-f/0027split_chains_0
new file mode 100755
index 00000000..de1e5a00
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0027split_chains_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+ chain x {
+ }
+}
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump x
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 0
+exit 1
diff --git a/tests/shell/testcases/nft-f/0028variable_cmdline_0 b/tests/shell/testcases/nft-f/0028variable_cmdline_0
new file mode 100755
index 00000000..a2bbd5da
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0028variable_cmdline_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+
+RULESET="table inet filter {
+ set whitelist_v4 { type ipv4_addr; }
+}
+add element inet filter whitelist_v4 \$whitelist_v4
+"
+
+# this is intentional: exercise error path
+$NFT --define whitelist_v4="{ wrong }" -f - <<< "$RULESET"
+$NFT --define whitelist_v4="{ 1.1.1.1, \$wrong }" -f - <<< "$RULESET"
+
+set -e
+
+$NFT --define whitelist_v4="{ 1.1.1.1, 2.2.2.2 }" -f - <<< "$RULESET"
+$NFT --define x={5.5.5.5} --define whitelist_v4="{ 3.3.3.3, 4.4.4.4, \$x }" -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
index 28094387..4734b2fd 100644
--- a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
+++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
@@ -12,5 +12,10 @@ table inet t {
ip daddr . iif vmap { 10.0.0.0 . "lo" : accept }
tcp dport 100-222
udp dport vmap { 100-222 : accept }
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to 0
+ tcp sport 1 tcp dport 1 oifname "foobar" queue to 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass,fanout to 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue to symhash mod 2
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to jhash tcp dport . tcp sport mod 4
}
}
diff --git a/tests/shell/testcases/nft-f/dumps/0022priority_variable_0.nft b/tests/shell/testcases/nft-f/dumps/0022priority_variable_0.nft
deleted file mode 100644
index 2e944599..00000000
--- a/tests/shell/testcases/nft-f/dumps/0022priority_variable_0.nft
+++ /dev/null
@@ -1,5 +0,0 @@
-table inet global {
- chain prerouting {
- type filter hook prerouting priority filter + 10; policy accept;
- }
-}
diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft
new file mode 100644
index 00000000..d30f4d53
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft
@@ -0,0 +1,14 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain z {
+ type filter hook input priority filter; policy accept;
+ add @y { ip saddr }
+ update @y { ip saddr timeout 30s }
+ ip saddr @y
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
new file mode 100644
index 00000000..39198be1
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
@@ -0,0 +1,9 @@
+table inet filter {
+ chain x {
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump x
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
new file mode 100644
index 00000000..aa081122
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
@@ -0,0 +1,8 @@
+table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr
+ elements = { 1.1.1.1, 2.2.2.2,
+ 3.3.3.3, 4.4.4.4,
+ 5.5.5.5 }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dependency_kill b/tests/shell/testcases/optimizations/dependency_kill
new file mode 100755
index 00000000..904eecf8
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dependency_kill
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table bridge foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table ip foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table ip6 foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table netdev foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table inet foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ meta nfproto ipv4 udp dport 67
+ meta nfproto ipv6 udp dport 67
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft
new file mode 100644
index 00000000..1781f7be
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft
@@ -0,0 +1,42 @@
+table bridge foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table ip foo {
+ chain bar {
+ udp dport 67
+ meta protocol ip6 udp dport 67
+ udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table ip6 foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ udp dport 67
+ ether type ip udp dport 67
+ udp dport 67
+ }
+}
+table netdev foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ }
+}
+table inet foo {
+ chain bar {
+ meta protocol ip udp dport 67
+ meta protocol ip6 udp dport 67
+ ether type ip udp dport 67
+ ether type ip6 udp dport 67
+ meta nfproto ipv4 udp dport 67
+ meta nfproto ipv6 udp dport 67
+ }
+}
diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 b/tests/shell/testcases/sets/0031set_timeout_size_0
index 9edd5f6f..796640d6 100755
--- a/tests/shell/testcases/sets/0031set_timeout_size_0
+++ b/tests/shell/testcases/sets/0031set_timeout_size_0
@@ -3,10 +3,10 @@
RULESET="add table x
add set x y { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
add chain x test
-add rule x test set update ip saddr timeout 1d2h3m4s8ms @y
+add rule x test set update ip saddr timeout 1d2h3m4s10ms @y
add rule x test set update ip daddr timeout 100ms @y"
set -e
$NFT -f - <<< "$RULESET"
-$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s8ms }'
+$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s10ms }'
$NFT list chain x test | grep -q 'update @y { ip daddr timeout 100ms }'
diff --git a/tests/shell/testcases/sets/0047nat_0 b/tests/shell/testcases/sets/0047nat_0
index 746a6b6d..cb1d4d68 100755
--- a/tests/shell/testcases/sets/0047nat_0
+++ b/tests/shell/testcases/sets/0047nat_0
@@ -10,7 +10,7 @@ EXPECTED="table ip x {
chain y {
type nat hook postrouting priority srcnat; policy accept;
- snat ip interval to ip saddr map @y
+ snat to ip saddr map @y
}
}
"
diff --git a/tests/shell/testcases/sets/0065_icmp_postprocessing b/tests/shell/testcases/sets/0065_icmp_postprocessing
new file mode 100755
index 00000000..f838c3ef
--- /dev/null
+++ b/tests/shell/testcases/sets/0065_icmp_postprocessing
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain foo {
+ icmp id 42
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT insert rule ip x foo index 0 accept
diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0
new file mode 100755
index 00000000..3d1b62d6
--- /dev/null
+++ b/tests/shell/testcases/sets/0067nat_concat_interval_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip nat {
+ map ipportmap {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr map @ipportmap
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+
+EXPECTED="table ip nat {
+ map ipportmap2 {
+ type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.1/8 . 42 - 43 }
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft
index 70730ef3..e7968054 100644
--- a/tests/shell/testcases/sets/dumps/0047nat_0.nft
+++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft
@@ -8,6 +8,6 @@ table ip x {
chain y {
type nat hook postrouting priority srcnat; policy accept;
- snat ip interval to ip saddr map @y
+ snat ip to ip saddr map @y
}
}
diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
new file mode 100644
index 00000000..c565d21f
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
@@ -0,0 +1,19 @@
+table ip nat {
+ map ipportmap {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+ }
+
+ map ipportmap2 {
+ type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.0/8 . 42-43 }
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr map @ipportmap
+ ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+ }
+}