Diffstat (limited to 'tests')
-rw-r--r-- | tests/shell/features/table_flag_persist.nft | 3 | ||||
-rwxr-xr-x | tests/shell/run-tests.sh | 4 | ||||
-rwxr-xr-x | tests/shell/testcases/chains/netdev_chain_dormant_autoremove | 9 | ||||
-rw-r--r-- | tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft | 2 | ||||
-rw-r--r-- | tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft | 2 | ||||
-rwxr-xr-x | tests/shell/testcases/maps/typeof_maps_add_delete | 4 | ||||
-rwxr-xr-x | tests/shell/testcases/owner/0002-persist | 36 | ||||
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/policy.json-nft | 121 | ||||
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/policy.nft | 11 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/policy | 42 |
10 files changed, 228 insertions, 6 deletions
diff --git a/tests/shell/features/table_flag_persist.nft b/tests/shell/features/table_flag_persist.nft new file mode 100644 index 00000000..0da3e6d4 --- /dev/null +++ b/tests/shell/features/table_flag_persist.nft @@ -0,0 +1,3 @@ +table t { + flags persist; +} diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 86c83126..6a9b518c 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -860,7 +860,7 @@ job_start() { local testfile="$1" local testidx="$2" - if [ "$NFT_TEST_JOBS" -le 1 ] ; then + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then print_test_header I "$testfile" "$testidx" "EXECUTING" fi @@ -873,7 +873,7 @@ job_start() { $NFT_TEST_UNSHARE_CMD "$NFT_TEST_BASEDIR/helpers/test-wrapper.sh" "$testfile" local rc_got=$? - if [ "$NFT_TEST_JOBS" -le 1 ] ; then + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line fi diff --git a/tests/shell/testcases/chains/netdev_chain_dormant_autoremove b/tests/shell/testcases/chains/netdev_chain_dormant_autoremove new file mode 100755 index 00000000..0a684e56 --- /dev/null +++ b/tests/shell/testcases/chains/netdev_chain_dormant_autoremove @@ -0,0 +1,9 @@ +#!/bin/bash + +set -e + +ip link add dummy0 type dummy +ip link add dummy1 type dummy +$NFT add table netdev test { flags dormant\; } +$NFT add chain netdev test ingress { type filter hook ingress devices = { "dummy0", "dummy1" } priority 0\; policy drop\; } +ip link del dummy0 diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft index 8130c46c..b3204a28 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft @@ -231,7 +231,7 @@ "elem": { "elem": { "val": "10.2.3.4", - "timeout": 1 + "timeout": 2 } }, "data": 2, 
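Review bot: The new guard in both job_start hunks of run-tests.sh mixes a `[ ... ]` test with a bash `[[ -t 1 ]]` in one condition, and the same compound test is now written twice. A single `[[ "$NFT_TEST_JOBS" -le 1 && -t 1 ]]` reads more uniformly. The second test exists only to erase the line the first one printed, so the two conditions must stay identical; a comment at the first one, such as `# only draw (and later erase) the [EXECUTING] line when stdout is a terminal`, would make that coupling visible. job_start's body starts and ends outside both hunks.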
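Review bot: Nothing in netdev_chain_dormant_autoremove states what outcome it guards. With `set -e` the only assertion is that every command exits 0, so a reader cannot tell that the final `ip link del dummy0` is the step under test. A header comment would record the intent, for example `# delete one device of a multi-device netdev chain while the table is dormant; removal must succeed` (wording inferred from the file name, to be confirmed by the author). `dummy1` is left in place, which is presumably fine if each test runs in its own network namespace.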
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft index 9134673c..e80366b8 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft @@ -16,7 +16,7 @@ table ip dynset { chain input { type filter hook input priority filter; policy accept; - add @dynmark { 10.2.3.4 timeout 1s : 0x00000002 } comment "also check timeout-gc" + add @dynmark { 10.2.3.4 timeout 2s : 0x00000002 } comment "also check timeout-gc" meta l4proto icmp ip daddr 127.0.0.42 jump test_ping } } diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete index d2ac9f1c..2d718c5f 100755 --- a/tests/shell/testcases/maps/typeof_maps_add_delete +++ b/tests/shell/testcases/maps/typeof_maps_add_delete @@ -30,7 +30,7 @@ EXPECTED="table ip dynset { chain input { type filter hook input priority 0; policy accept; - add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\" + add @dynmark { 10.2.3.4 timeout 2s : 0x2 } comment \"also check timeout-gc\" meta l4proto icmp ip daddr 127.0.0.42 jump test_ping } }" @@ -45,7 +45,7 @@ ping -c 1 127.0.0.42 $NFT get element ip dynset dynmark { 10.2.3.4 } # wait so that 10.2.3.4 times out. -sleep 2 +sleep 3 set +e $NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1 diff --git a/tests/shell/testcases/owner/0002-persist b/tests/shell/testcases/owner/0002-persist new file mode 100755 index 00000000..cf4b8f13 --- /dev/null +++ b/tests/shell/testcases/owner/0002-persist 
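Review bot: In tests/shell/testcases/maps/typeof_maps_add_delete the comment above `sleep 3` still says only that the element should time out, while the wait now depends on the `timeout 2s` written into EXPECTED in the earlier hunk. The two numbers have to move together, and nothing on the page says so. Suggest rewording the comment to `# wait longer than the 2s element timeout so that 10.2.3.4 expires.` The script continues outside both hunks.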
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist)
+
+die() {
+ echo "$@"
+ exit 1
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "table add failed"
+}
+
+$NFT list ruleset | grep -q 'table ip t' || {
+ die "table does not persist"
+}
+$NFT list ruleset | grep -q 'flags persist$' || {
+ die "unexpected flags in orphaned table"
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "retake ownership failed"
+}
+
+exit 0
diff --git a/tests/shell/testcases/packetpath/dumps/policy.json-nft b/tests/shell/testcases/packetpath/dumps/policy.json-nft
new file mode 100644
index 00000000..26e8a052
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/policy.json-nft
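Review bot: Both `grep` checks in owner/0002-persist run against the whole ruleset rather than the table created here. `grep -q 'table ip t'` also matches a table whose name merely starts with `t`, and `'flags persist$'` matches the flags line of any table. Scoping the listing, `$NFT list table ip t | grep -q 'flags persist$'`, ties the assertion (orphaned table kept `persist` and dropped `owner`) to table `t` itself. `die` also prints to stdout; `echo "$@" >&2` would keep the failure message with the other diagnostics.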
@@ -0,0 +1,121 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "underflow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-reply" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.2" + } + }, + { + "counter": { + "packets": 3, + "bytes": 252 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "underflow" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/policy.nft b/tests/shell/testcases/packetpath/dumps/policy.nft new file mode 100644 index 00000000..e625ea6c --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/policy.nft @@ -0,0 +1,11 @@ +table inet filter { + chain underflow { + } + + chain input { + type filter hook input priority filter; policy drop; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter packets 3 bytes 252 accept + goto underflow + } +} 
diff --git a/tests/shell/testcases/packetpath/policy b/tests/shell/testcases/packetpath/policy
new file mode 100755
index 00000000..0bb42a54
--- /dev/null
+++ b/tests/shell/testcases/packetpath/policy
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+ip link set lo up
+
+$NFT -f - <<EOF
+table inet filter {
+ chain underflow { }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ icmp type echo-reply accept
+ ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter accept
+ goto underflow
+ }
+}
+EOF
+[ $? -ne 0 ] && exit 1
+
+ping -q -c 1 127.0.0.2 >/dev/null || exit 2
+
+# should work, polict is accept.
+ping -q -c 1 127.0.0.1 >/dev/null || exit 1
+
+$NFT -f - <<EOF
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ }
+}
+EOF
+[ $? -ne 0 ] && exit 1
+
+$NFT list ruleset
+
+ping -W 1 -q -c 1 127.0.0.2
+
+ping -q -c 1 127.0.0.2 >/dev/null || exit 2
+
+# should fail, policy is set to drop
+ping -W 1 -q -c 1 127.0.0.1 >/dev/null 2>&1 && exit 1
+
+exit 0 |
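Review bot: The unredirected `ping -W 1 -q -c 1 127.0.0.2` after `$NFT list ruleset` has its exit status ignored, yet dumps/policy.nft expects `counter packets 3 bytes 252`, which appears to rely on all three pings to 127.0.0.2 being counted. Either check it like the line that follows (`ping -W 1 -q -c 1 127.0.0.2 >/dev/null || exit 2`) or mark it with a comment such as `# third packet, accounted for in the dump counter`. The script also never states what it verifies; a header line like `# base chain policy must still apply after a goto into an empty chain` would help (inferred from the ruleset, to be confirmed). "polict" in the first comment is a typo for "policy".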