diff options
Diffstat (limited to 'tests/shell')
40 files changed, 5699 insertions, 0 deletions
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.json-nft new file mode 100644 index 00000000..aa718441 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.json-nft @@ -0,0 +1,73 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "&": [ + { + "ct": { + "key": "mark" + } + }, + 4294901760 + ] + }, + { + "&": [ + { + "meta": { + "key": "mark" + } + }, + 65535 + ] + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.json-nft new file mode 100644 index 00000000..73abbd4a --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.json-nft @@ -0,0 +1,73 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "&": [ + { + "ct": { + "key": "mark" + } + }, + 4294901760 + ] + }, + { + "&": [ + { + "meta": { + "key": "mark" + } + }, + 65535 + ] + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.json-nft new file mode 100644 index 00000000..26ac7a59 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.json-nft @@ -0,0 +1,73 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "&": [ + { + "ct": { + "key": "mark" + } + }, + 4294901760 + ] + }, + { + "&": [ + { + "meta": { + "key": "mark" + } + }, + 65535 + ] + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.json-nft new file mode 100644 index 00000000..7b386ebe --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.json-nft @@ -0,0 +1,73 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "&": [ + { + "ct": { + "key": "mark" + } + }, + 4294901760 + ] + }, + { + "&": [ + { + "meta": { + "key": "mark" + } + }, + 65535 + ] + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.json-nft b/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.json-nft new file mode 100644 index 00000000..d1a9a0a7 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.json-nft @@ -0,0 +1,71 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "ct": { + "key": "mark" + } + }, + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 512 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.json-nft b/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.json-nft new file mode 100644 index 00000000..ee379637 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.json-nft @@ -0,0 +1,71 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "ct": { + "key": "mark" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 512 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bogons/nat_map_and_protocol_assert b/tests/shell/testcases/bogons/nft-f/nat_map_and_protocol_assert index 67f2ae87..67f2ae87 100644 --- a/tests/shell/testcases/bogons/nat_map_and_protocol_assert +++ b/tests/shell/testcases/bogons/nft-f/nat_map_and_protocol_assert diff --git a/tests/shell/testcases/bogons/objref_double_free_crash b/tests/shell/testcases/bogons/nft-f/objref_double_free_crash index 52b0435b..52b0435b 100644 --- a/tests/shell/testcases/bogons/objref_double_free_crash +++ b/tests/shell/testcases/bogons/nft-f/objref_double_free_crash diff --git a/tests/shell/testcases/chains/dumps/netdev_move_device.nodump b/tests/shell/testcases/chains/dumps/netdev_move_device.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_move_device.nodump diff --git a/tests/shell/testcases/include/dumps/glob_duplicated_include.json-nft b/tests/shell/testcases/include/dumps/glob_duplicated_include.json-nft new file mode 100644 index 00000000..3489e2b8 --- /dev/null +++ b/tests/shell/testcases/include/dumps/glob_duplicated_include.json-nft @@ -0,0 +1,76 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 25 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/single_flag.json-nft b/tests/shell/testcases/json/dumps/single_flag.json-nft new file mode 100644 index 00000000..512888b8 --- /dev/null +++ b/tests/shell/testcases/json/dumps/single_flag.json-nft @@ -0,0 +1,50 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "queue": { + "num": { + "range": [ + 1, + 10 + ] + }, + "flags": [ + "bypass", + "fanout" + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/single_flag.nft b/tests/shell/testcases/json/dumps/single_flag.nft new file mode 100644 index 00000000..437e6983 --- /dev/null +++ b/tests/shell/testcases/json/dumps/single_flag.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + queue flags bypass,fanout to 1-10 + } +} diff --git a/tests/shell/testcases/listing/dumps/reset_objects.nodump b/tests/shell/testcases/listing/dumps/reset_objects.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/listing/dumps/reset_objects.nodump diff --git a/tests/shell/testcases/maps/dumps/delete_element.json-nft b/tests/shell/testcases/maps/dumps/delete_element.json-nft new file mode 100644 index 00000000..69a0d3a2 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/delete_element.json-nft @@ -0,0 +1,87 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "x", + "type": { + "typeof": { + "ct": { + "key": "bytes" + } + } + }, + "handle": 0, + "map": "classid", + "flags": "interval", + "elem": [ + [ + { + "range": [ + 2048001, + 4000000 + ] + }, + "1:2" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "priority" + } + }, + "value": { + "map": { + "key": { + "ct": { + "key": "bytes" + } + }, + "data": "@m" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/delete_element_catchall.json-nft b/tests/shell/testcases/maps/dumps/delete_element_catchall.json-nft new file mode 100644 index 00000000..65053f2c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/delete_element_catchall.json-nft @@ -0,0 +1,82 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "x", + "type": { + "typeof": { + "ct": { + "key": "bytes" + } + } + }, + "handle": 0, + "map": "classid", + "flags": "interval", + "elem": [ + [ + "*", + "1:3" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "priority" + } + }, + "value": { + "map": { + "key": { + "ct": { + "key": "bytes" + } + }, + "data": "@m" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/named_ct_objects.json-nft b/tests/shell/testcases/maps/dumps/named_ct_objects.json-nft new file mode 100644 index 00000000..5258d87c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_ct_objects.json-nft @@ -0,0 +1,587 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "y", + "handle": 0 + } + }, + { + "ct expectation": { + "family": "inet", + "name": "exp1", + "table": "t", + "handle": 0, + "protocol": "tcp", + "dport": 9876, + "timeout": 60000, + "size": 12, + "l3proto": "ip" + } + }, + { + "ct expectation": { + "family": "inet", + "name": "exp2", + "table": "t", + "handle": 0, + "protocol": "tcp", + "dport": 9876, + "timeout": 3000, + "size": 13, + "l3proto": "ip6" + } + }, + { + "ct helper": { + "family": "inet", + "name": "myftp", + "table": "t", + "handle": 0, + "type": "ftp", + "protocol": "tcp", + "l3proto": "inet" + } + }, + { + "ct timeout": { + "family": "inet", + "name": "dns", + "table": "t", + "handle": 0, + "protocol": "tcp", + "l3proto": "ip", + "policy": { + "established": 3, + "close": 1 + } + } + }, + { + "map": { + "family": "inet", + "name": "exp", + "table": "t", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "map": "ct expectation", + "elem": [ + [ + "192.168.2.2", + "exp1" + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "exp6", + "table": "t", + "type": { + "typeof": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + }, + "handle": 0, + "map": "ct expectation", + "flags": "interval", + "elem": [ + [ + { + "prefix": { + "addr": "dead:beef::", + "len": 64 + } + }, + "exp2" + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "helpobj", + "table": "t", + "type": { + "typeof": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + }, + "handle": 0, + "map": "ct helper", + "flags": "interval", + "elem": [ + [ + { + "prefix": { + "addr": "dead:beef::", + "len": 64 + } + }, + "myftp" + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "timeoutmap", + "table": "t", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + }, + "handle": 0, + "map": "ct timeout", + "elem": [ + [ + "192.168.0.1", + "dns" + ] + ] + } + }, + { + "set": { + "family": "inet", + "name": "helpname", + "table": "t", + "type": { + "typeof": { + "ct": { + "key": "helper" + } + } + }, + "handle": 0, + "elem": [ + "sip", + "ftp" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct expectation": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@exp" + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct expectation": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "dead::beef", + "exp2" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct expectation": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "dead::beef", + "exp2" + ], + [ + "feed::17", + "exp2" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct expectation": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "feed::17", + 512 + ] + }, + "exp2" + ], + [ + { + "concat": [ + "dead::beef", + 123 + ] + }, + "exp2" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct helper": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1c3::c01d", + "myftp" + ], + [ + "dead::beef", + "myftp" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct helper": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": "@helpobj" + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct timeout": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": "@timeoutmap" + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct timeout": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "1.2.3.4", + "dns" + ], + [ + "5.6.7.8", + "dns" + ], + [ + { + "prefix": { + "addr": "192.168.8.0", + "len": 24 + } + }, + "dns" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct timeout": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + { + "range": [ + "1.2.3.4", + "1.2.3.8" + ] + }, + "dns" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "ct timeout": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "1ce::", + "len": 64 + } + }, + "dns" + ], + [ + "dead::beef", + "dns" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "@helpname" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "192.168.1.1" + } + }, + { + "ct timeout": "dns" + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/nat_addr_port.json-nft b/tests/shell/testcases/maps/dumps/nat_addr_port.json-nft new file mode 100644 index 00000000..38b01e69 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/nat_addr_port.json-nft @@ -0,0 +1,1419 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "ipfoo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "ipfoo", + "name": "c", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "t1", + "table": "ipfoo", + "type": { + "typeof": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + } + }, + "handle": 0, + "map": "ipv4_addr" + } + }, + { + "map": { + "family": "ip", + "name": "t2", + "table": "ipfoo", + "type": { + "typeof": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + } + }, + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ] + } + }, + { + "map": { + "family": "ip", + "name": "x", + "table": "ipfoo", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr" + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "ipfoo", + "type": "ipv4_addr", + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ], + "elem": [ + [ + "192.168.7.2", + { + "concat": [ + "10.1.1.1", + 4242 + ] + } + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "ipfoo", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ], + "elem": [ + [ + { + "concat": [ + "192.168.7.2", + 42 + ] + }, + { + "concat": [ + "10.1.1.1", + 4242 + ] + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "ipfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "ipfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": "@x" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "ipfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "10.1.1.1" + } + }, + { + "dnat": { + "addr": "10.2.3.4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "ipfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "10.1.1.2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 42 + } + }, + { + "dnat": { + "addr": "10.2.3.4", + "port": 4242 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "ipfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@y" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "ipfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@z" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "ipfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "addr": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + }, + "data": "@t1" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "ipfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + }, + "data": "@t2" + } + } + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "ip6foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "ip6foo", + "name": "c", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "map": { + "family": "ip6", + "name": "t1", + "table": "ip6foo", + "type": { + "typeof": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + } + }, + "handle": 0, + "map": "ipv6_addr" + } + }, + { + "map": { + "family": "ip6", + "name": "t2", + "table": "ip6foo", + "type": { + "typeof": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + } + }, + "handle": 0, + "map": [ + "ipv6_addr", + "inet_service" + ] + } + }, + { + "map": { + "family": "ip6", + "name": "x", + "table": "ip6foo", + "type": "ipv6_addr", + "handle": 0, + "map": "ipv6_addr" + } + }, + { + "map": { + "family": "ip6", + "name": "y", + "table": "ip6foo", + "type": "ipv6_addr", + "handle": 0, + "map": [ + "ipv6_addr", + "inet_service" + ] + } + }, + { + "map": { + "family": "ip6", + "name": "z", + "table": "ip6foo", + "type": [ + "ipv6_addr", + "inet_service" + ], + "handle": 0, + "map": [ + "ipv6_addr", + "inet_service" + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "ip6foo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "ip6foo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "data": "@x" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "ip6foo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "dead::1" + } + }, + { + "dnat": { + "addr": "feed::1" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "ip6foo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "dead::2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 42 + } + }, + { + "dnat": { + "addr": "c0::1a", + "port": 4242 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "ip6foo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "dnat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": "@y" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "ip6foo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@z" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "ip6foo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "addr": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + }, + "data": "@t1" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "ip6foo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "dnat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + }, + "data": "@t2" + } + } + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "inetfoo", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "inetfoo", + "name": "c", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "t1v4", + "table": "inetfoo", + "type": { + "typeof": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + } + }, + "handle": 0, + "map": "ipv4_addr" + } + }, + { + "map": { + "family": "inet", + "name": "t2v4", + "table": "inetfoo", + "type": { + "typeof": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + } + }, + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ] + } + }, + { + "map": { + "family": "inet", + "name": "t1v6", + "table": "inetfoo", + "type": { + "typeof": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + } + }, + "handle": 0, + "map": "ipv6_addr" + } + }, + { + "map": { + "family": "inet", + "name": "t2v6", + "table": "inetfoo", + "type": { + "typeof": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + } + }, + "handle": 0, + "map": [ + "ipv6_addr", + "inet_service" + ] + } + }, + { + "map": { + "family": "inet", + "name": "x4", + "table": "inetfoo", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr" + } + }, + { + "map": { + "family": "inet", + "name": "y4", + "table": "inetfoo", + "type": "ipv4_addr", + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ] + } + }, + { + "map": { + "family": "inet", + "name": "z4", + "table": "inetfoo", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ], + "elem": [ + [ + { + "concat": [ + "192.168.7.2", + 42 + ] + }, + { + "concat": [ + "10.1.1.1", + 4242 + ] + } + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "x6", + "table": "inetfoo", + "type": "ipv6_addr", + "handle": 0, + "map": "ipv6_addr" + } + }, + { + "map": { + "family": "inet", + "name": "y6", + "table": "inetfoo", + "type": "ipv6_addr", + "handle": 0, + "map": [ + "ipv6_addr", + "inet_service" + ] + } + }, + { + "map": { + "family": "inet", + "name": "z6", + "table": "inetfoo", + "type": [ + "ipv6_addr", + "inet_service" + ], + "handle": 0, + "map": [ + "ipv6_addr", + "inet_service" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": "@x4" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "10.1.1.1" + } + }, + { + "dnat": { + "family": "ip", + "addr": "10.2.3.4" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "10.1.1.2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 42 + } + }, + { + "dnat": { + "family": "ip", + "addr": "10.2.3.4", + "port": 4242 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@y4" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@z4" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + }, + "data": "@t1v4" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + }, + "data": "@t2v4" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "data": "@x6" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "dead::1" + } + }, + { + "dnat": { + "family": "ip6", + "addr": "feed::1" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "dead::2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 42 + } + }, + { + "dnat": { + "family": "ip6", + "addr": "c0::1a", + "port": 4242 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "dnat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": "@y6" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@z6" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + }, + "data": "@t1v6" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "inetfoo", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "dnat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 2, + "offset": 0 + } + }, + "data": "@t2v6" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/typeof_integer_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_integer_0.json-nft new file mode 100644 index 00000000..8dea5c17 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_integer_0.json-nft @@ -0,0 +1,256 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "m1", + "table": "t", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "ih", + "offset": 32, + "len": 32 + } + } + ] + } + }, + "handle": 0, + "map": "verdict", + "flags": "interval", + "elem": [ + [ + { + "concat": [ + { + "range": [ + 20, + 80 + ] + }, + 20 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + { + "range": [ + 1, + 10 + ] + }, + 10 + ] + }, + { + "drop": null + } + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "m2", + "table": "t", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "ih", + "offset": 32, + "len": 32 + } + } + ] + } + }, + "handle": 0, + "map": "verdict", + "elem": [ + [ + { + "concat": [ + 30, + 30 + ] + }, + { + "drop": null + } + ], + [ + { + "concat": [ + 20, + 36 + ] + }, + { + "accept": null + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "nh", + "offset": 32, + "len": 32 + } + } + ] + }, + "data": "@m1" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "nh", + "offset": 32, + "len": 32 + } + } + ] + }, + "data": "@m2" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "th", + "offset": 160, + "len": 128 + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat.json-nft new file mode 100644 index 00000000..c9b27a72 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat.json-nft @@ -0,0 +1,112 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "netdev", + "name": "m", + "table": "t", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ether", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "vlan", + "field": "id" + } + } + ] + } + }, + "handle": 0, + "map": "mark", + "size": 1234, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "8021q" + } + }, + { + "map": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + 123 + ] + }, + "timeout": 60 + } + }, + "data": 42, + "map": "@m" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "return": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.json-nft new file mode 100644 index 00000000..a21ff184 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.json-nft @@ -0,0 +1,168 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "pr", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "pinned", + "table": "foo", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "ct": { + "key": "proto-dst", + "dir": "original" + } + } + ] + } + }, + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ], + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 360 + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "pr", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "ct": { + "key": "proto-dst", + "dir": "original" + } + } + ] + }, + "timeout": 90 + } + }, + "data": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "map": "@pinned" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "pr", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "ct": { + "key": "proto-dst", + "dir": "original" + } + } + ] + }, + "timeout": 90 + } + }, + "data": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "map": "@pinned" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/typeof_raw_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_raw_0.json-nft new file mode 100644 index 00000000..273f6759 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_raw_0.json-nft @@ -0,0 +1,178 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "base": "ih", + "offset": 32, + "len": 32 + } + } + ] + } + }, + "handle": 0, + "map": "verdict", + "elem": [ + [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "7.7.7.7", + 134 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "7.7.7.8", + 151 + ] + }, + { + "drop": null + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "base": "nh", + "offset": 32, + "len": 32 + } + } + ] + }, + "data": "@y" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "base": "nh", + "offset": 32, + "len": 32 + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "4.4.4.4", + 52 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "5.5.5.5", + 69 + ] + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_unary.json-nft b/tests/shell/testcases/maps/dumps/vmap_unary.json-nft new file mode 100644 index 00000000..08583f9b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_unary.json-nft @@ -0,0 +1,89 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "INPUT", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "map": { + "family": "ip", + "name": "ipsec_in", + "table": "filter", + "type": { + "typeof": { + "concat": [ + { + "ipsec": { + "key": "reqid", + "dir": "in", + "spnum": 0 + } + }, + { + "meta": { + "key": "iif" + } + } + ] + } + }, + "handle": 0, + "map": "verdict", + "flags": "interval" + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "INPUT", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "ipsec": { + "key": "reqid", + "dir": "in", + "spnum": 0 + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "data": "@ipsec_in" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-i/dumps/index_0.json-nft b/tests/shell/testcases/nft-i/dumps/index_0.json-nft new file mode 100644 index 00000000..31820fdc --- /dev/null +++ b/tests/shell/testcases/nft-i/dumps/index_0.json-nft @@ -0,0 +1,69 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "foo", + "name": "bar", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-i/dumps/set_0.json-nft b/tests/shell/testcases/nft-i/dumps/set_0.json-nft new file mode 100644 index 00000000..61e4b99e --- /dev/null +++ b/tests/shell/testcases/nft-i/dumps/set_0.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "foo", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "bar", + "table": "foo", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + "10.1.1.1", + "10.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/bitmask.json-nft b/tests/shell/testcases/optimizations/dumps/bitmask.json-nft new file mode 100644 index 00000000..45ca199d --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/bitmask.json-nft @@ -0,0 +1,242 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "ack_chain", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "urg_chain", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "&": [ + { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + { + "|": [ + "syn", + "rst", + "ack", + "urg" + ] + } + ] + }, + "right": { + "|": [ + "ack", + "urg" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "&": [ + { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack", + "urg" + ] + } + ] + }, + "right": { + "set": [ + { + "|": [ + "fin", + "ack", + "urg" + ] + }, + { + "|": [ + "fin", + "ack" + ] + }, + "fin", + { + "|": [ + "syn", + "ack" + ] + }, + "syn", + { + "|": [ + "rst", + "ack" + ] + }, + "rst", + { + "|": [ + "ack", + "urg" + ] + }, + "ack" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "&": [ + { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + { + "|": [ + "rst", + "ack", + "urg" + ] + } + ] + }, + "right": { + "|": [ + "rst", + "ack" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "&": [ + { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + { + "|": [ + "ack", + "urg" + ] + } + ] + }, + "data": { + "set": [ + [ + "ack", + { + "jump": { + "target": "ack_chain" + } + } + ], + [ + "urg", + { + "jump": { + "target": "urg_chain" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_counter.json-nft b/tests/shell/testcases/optimizations/dumps/merge_counter.json-nft new file mode 100644 index 00000000..3fdb0581 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_counter.json-nft @@ -0,0 +1,203 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "ct": { + "key": "state" + } + }, + "data": { + "set": [ + [ + { + "elem": { + "val": "invalid", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ], + [ + { + "elem": { + "val": "established", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ], + [ + { + "elem": { + "val": "related", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 80, + 123 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "elem": { + "val": { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ], + [ + { + "elem": { + "val": { + "concat": [ + "1.1.1.2", + "3.3.3.3" + ] + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.json-nft b/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.json-nft new file mode 100644 index 00000000..aacdd00d --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.json-nft @@ -0,0 +1,84 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "sl", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "base": "th", + "offset": 160, + "len": 32 + } + }, + "right": 41118720 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "pizzaseo.com", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "base": "th", + "offset": 160, + "len": 112 + } + }, + "right": "0x870697a7a6173656f03636f6d00" + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.nft b/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.nft new file mode 100644 index 00000000..e68a4889 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.nft @@ -0,0 +1,7 @@ +table ip x { + chain y { + type filter hook prerouting priority raw; policy accept; + @th,160,32 0x2736c00 drop comment "sl" + @th,160,112 0x870697a7a6173656f03636f6d00 drop comment "pizzaseo.com" + } +} diff --git a/tests/shell/testcases/optimizations/dumps/nomerge_vmap.nodump b/tests/shell/testcases/optimizations/dumps/nomerge_vmap.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/nomerge_vmap.nodump diff --git a/tests/shell/testcases/packetpath/dumps/match_l4proto.nodump b/tests/shell/testcases/packetpath/dumps/match_l4proto.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/match_l4proto.nodump diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.json-nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.json-nft new file mode 100644 index 00000000..422186ac --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.json-nft @@ -0,0 +1,316 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "nt", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "nt", + "name": "nc", + "handle": 0 + } + }, + { + "set": { + "family": "netdev", + "name": "vlanidset", + "table": "nt", + "type": { + "typeof": { + "payload": { + "protocol": "vlan", + "field": "id" + } + } + }, + "handle": 0, + "size": 1024, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "netdev", + "name": "macset", + "table": "nt", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ether", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "vlan", + "field": "id" + } + } + ] + } + }, + "handle": 0, + "size": 1024, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "netdev", + "name": "ipset", + "table": "nt", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "vlan", + "field": "id" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + ] + } + }, + "handle": 0, + "size": 1024, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "nt", + "chain": "nc", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ether", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "vlan", + "field": "id" + } + } + ] + }, + "timeout": 5 + } + }, + "set": "@macset" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "nt", + "chain": "nc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ether", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "vlan", + "field": "id" + } + } + ] + }, + "right": "@macset" + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "nt", + "chain": "nc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "vlan", + "field": "pcp" + } + }, + "right": 1 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "nt", + "chain": "nc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "saddr" + } + }, + "right": "0a:0b:0c:0d:0e:0f" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "vlan", + "field": "id" + } + }, + "right": 42 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "nt", + "chain": "nc", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "vlan", + "field": "id" + } + }, + "timeout": 5 + } + }, + "set": "@vlanidset" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "nt", + "chain": "nc", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "vlan", + "field": "id" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + ] + }, + "timeout": 5 + } + }, + "set": "@ipset" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.json-nft b/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.json-nft new file mode 100644 index 00000000..2a8d233e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "test_set", + "table": "filter", + "type": [ + "iface_index", + "ether_addr", + "ipv4_addr" + ], + "handle": 0, + "flags": "interval", + "elem": [ + { + "elem": { + "val": { + "concat": [ + "lo", + "00:11:22:33:44:55", + "10.1.2.3" + ] + }, + "comment": "123456789012345678901234567890" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/elem_limit_0.json-nft b/tests/shell/testcases/sets/dumps/elem_limit_0.json-nft new file mode 100644 index 00000000..20e3ea01 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/elem_limit_0.json-nft @@ -0,0 +1,61 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "netdev", + "name": "test123", + "table": "filter", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.2.3.4", + "limit": { + "rate": 1, + "burst": 0, + "per": "second", + "inv": true, + "rate_unit": "mbytes", + "burst_unit": "bytes" + } + } + } + ], + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 0, + "per": "second", + "inv": true, + "rate_unit": "mbytes", + "burst_unit": "bytes" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/interval_size.json-nft b/tests/shell/testcases/sets/dumps/interval_size.json-nft new file mode 100644 index 00000000..96fc54fc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/interval_size.json-nft @@ -0,0 +1,66 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "x", + "table": "x", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "size": 1, + "flags": "interval", + "auto-merge": true, + "elem": [ + { + "prefix": { + "addr": "255.255.255.0", + "len": 24 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "size": 1, + "flags": "interval", + "elem": [ + "0.0.0.0" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/interval_size.nft b/tests/shell/testcases/sets/dumps/interval_size.nft new file mode 100644 index 00000000..bd7fd73f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/interval_size.nft @@ -0,0 +1,16 @@ +table inet x { + set x { + typeof ip saddr + size 1 # count 1 + flags interval + auto-merge + elements = { 255.255.255.0/24 } + } + + set y { + typeof ip saddr + size 1 # count 1 + flags interval + elements = { 0.0.0.0 } + } +} diff --git a/tests/shell/testcases/sets/dumps/interval_size_random.nodump b/tests/shell/testcases/sets/dumps/interval_size_random.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/interval_size_random.nodump diff --git a/tests/shell/testcases/sets/dumps/set_stmt.json-nft b/tests/shell/testcases/sets/dumps/set_stmt.json-nft new file mode 100644 index 00000000..644413bd --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_stmt.json-nft @@ -0,0 +1,439 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y0", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y4", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y0", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "2.2.2.0", + "counter": { + "packets": 3, + "bytes": 4 + } + } + }, + { + "elem": { + "val": "3.3.3.0", + "counter": { + "packets": 1, + "bytes": 2 + } + } + }, + { + "elem": { + "val": "5.5.5.0", + "counter": { + "packets": 1, + "bytes": 2 + } + } + }, + { + "elem": { + "val": "6.6.6.0", + "counter": { + "packets": 3, + "bytes": 4 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "y1", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "2.2.2.1", + "limit": { + "rate": 5, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "3.3.3.1", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "5.5.5.1", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "6.6.6.1", + "limit": { + "rate": 5, + "burst": 5, + "per": "second" + } + } + } + ], + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "y2", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "2.2.2.2", + "ct count": { + "val": 5, + "inv": true + } + } + }, + { + "elem": { + "val": "3.3.3.2", + "ct count": { + "val": 2, + "inv": true + } + } + }, + { + "elem": { + "val": "5.5.5.2", + "ct count": { + "val": 2, + "inv": true + } + } + }, + { + "elem": { + "val": "6.6.6.2", + "ct count": { + "val": 5, + "inv": true + } + } + } + ], + "stmt": [ + { + "ct count": { + "val": 2, + "inv": true + } + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "y3", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "2.2.2.3", + "last": null + } + }, + { + "elem": { + "val": "3.3.3.3", + "last": null + } + }, + { + "elem": { + "val": "5.5.5.3", + "last": null + } + }, + { + "elem": { + "val": "6.6.6.3", + "last": null + } + } + ], + "stmt": [ + { + "last": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "y4", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "2.2.2.4", + "quota": { + "val": 30000, + "val_unit": "bytes", + "inv": true, + "used": 1000, + "used_unit": "bytes" + } + } + }, + { + "elem": { + "val": "3.3.3.4", + "quota": { + "val": 1000, + "val_unit": "bytes", + "inv": true + } + } + }, + { + "elem": { + "val": "5.5.5.4", + "quota": { + "val": 1000, + "val_unit": "bytes", + "inv": true + } + } + }, + { + "elem": { + "val": "6.6.6.4", + "quota": { + "val": 30000, + "val_unit": "bytes", + "inv": true, + "used": 1000, + "used_unit": "bytes" + } + } + } + ], + "stmt": [ + { + "quota": { + "val": 1000, + "val_unit": "bytes", + "inv": true + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y0", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y0" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y1", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y3", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y3" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y4", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y4" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.json-nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.json-nft new file mode 100644 index 00000000..12cdad1f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.json-nft @@ -0,0 +1,148 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "t", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "base": "ih", + "offset": 32, + "len": 32 + } + } + ] + } + }, + "handle": 0, + "elem": [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 32 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "base": "nh", + "offset": 32, + "len": 32 + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "base": "nh", + "offset": 32, + "len": 32 + } + } + ] + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.json-nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.json-nft new file mode 100644 index 00000000..3dbb1797 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.json-nft @@ -0,0 +1,193 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "bridge", + "name": "nodhcpvlan", + "table": "t", + "type": { + "typeof": { + "payload": { + "protocol": "vlan", + "field": "id" + } + } + }, + "handle": 0, + "elem": [ + 1 + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "vlan", + "field": "id" + } + }, + "right": "@nodhcpvlan" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "vlan", + "field": "type" + } + }, + "right": "arp" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "vlan", + "field": "id" + } + }, + "right": "@nodhcpvlan" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "vlan", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "vlan", + "field": "id" + } + }, + "right": { + "set": [ + 1, + 2 + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "vlan", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "c2" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.json-nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.json-nft new file mode 100644 index 00000000..ffb97f77 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.json-nft @@ -0,0 +1,234 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "netdev", + "name": "s", + "table": "t", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ether", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "vlan", + "field": "id" + } + } + ] + } + }, + "handle": 0, + "size": 2048, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "8021q" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ether", + "field": "saddr" + } + }, + 0 + ] + }, + "timeout": 5 + } + }, + "set": "@s" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "return": null + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "8021q" + } + }, + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + 123 + ] + }, + "timeout": 60 + } + }, + "set": "@s" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "return": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": { + "typeof": { + "concat": [ + { + "ipsec": { + "key": "reqid", + "dir": "in", + "spnum": 0 + } + }, + { + "meta": { + "key": "iif" + } + } + ] + } + }, + "handle": 0, + "size": 16, + "flags": "interval" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "ipsec": { + "key": "reqid", + "dir": "in", + "spnum": 0 + } + }, + "lo" + ] + }, + "right": "@s" + } + } + ] + } + } + ] +} |