Diffstat (limited to 'tests')
45 files changed, 489 insertions, 857 deletions
diff --git a/tests/py/any/last.t.json.output b/tests/py/any/last.t.json.output index b8a977ed..e8ec4f47 100644 --- a/tests/py/any/last.t.json.output +++ b/tests/py/any/last.t.json.output @@ -1,10 +1,3 @@ -# last -[ - { - "last": null - } -] - # last used 300s [ { diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t index 718c7ad9..bd10c56d 100644 --- a/tests/py/any/meta.t +++ b/tests/py/any/meta.t @@ -56,7 +56,7 @@ meta mark and 0x03 == 0x01;ok;meta mark & 0x00000003 == 0x00000001 meta mark and 0x03 != 0x01;ok;meta mark & 0x00000003 != 0x00000001 meta mark 0x10;ok;meta mark 0x00000010 meta mark != 0x10;ok;meta mark != 0x00000010 -meta mark 0xffffff00/24;ok +meta mark 0xffffff00/24;ok;meta mark & 0xffffff00 == 0xffffff00 meta mark or 0x03 == 0x01;ok;meta mark | 0x00000003 == 0x00000001 meta mark or 0x03 != 0x01;ok;meta mark | 0x00000003 != 0x00000001 diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json index d50272de..676affea 100644 --- a/tests/py/any/meta.t.json +++ b/tests/py/any/meta.t.json @@ -667,17 +667,17 @@ { "match": { "left": { - "meta": { - "key": "mark" - } + "&": [ + { + "meta": { + "key": "mark" + } + }, + 4294967040 + ] }, "op": "==", - "right": { - "prefix": { - "addr": 4294967040, - "len": 24 - } - } + "right": 4294967040 } } ] @@ -2661,7 +2661,7 @@ } }, "op": "==", - "right": "17:00" + "right": "17:00:00" } }, { diff --git a/tests/py/any/meta.t.json.output b/tests/py/any/meta.t.json.output index 4e9e669f..d46935de 100644 --- a/tests/py/any/meta.t.json.output +++ b/tests/py/any/meta.t.json.output @@ -592,24 +592,6 @@ } ] -# meta time "1970-05-23 21:07:14" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "1970-05-23 21:07:14" - } - }, - { - "drop": null - } -] - # meta time 12341234 drop [ { 
@@ -628,96 +610,6 @@ } ] -# meta time "2019-06-21 17:00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-06-21 17:00:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:00:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:01:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:01:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:00:01" - } - }, - { - "drop": null - } -] - -# meta day "Saturday" drop -[ - { - "match": { - "left": { - "meta": { - "key": "day" - } - }, - "op": "==", - "right": "Saturday" - } - }, - { - "drop": null - } -] - # meta day 6 drop [ { @@ -736,24 +628,6 @@ } ] -# meta hour "17:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "17:00" - } - }, - { - "drop": null - } -] - # meta hour "17:00:00" drop [ { @@ -772,57 +646,3 @@ } ] -# meta hour "17:00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "17:00:01" - } - }, - { - "drop": null - } -] - -# meta hour "00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "00:00" - } - }, - { - "drop": null - } -] - -# meta hour "00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "00:01" - } - }, - { - "drop": null - } -] - diff --git a/tests/py/any/tcpopt.t.json b/tests/py/any/tcpopt.t.json index 4466f14f..87074b9d 100644 --- a/tests/py/any/tcpopt.t.json +++ b/tests/py/any/tcpopt.t.json 
@@ -192,7 +192,7 @@ "left": { "tcp option": { "field": "left", - "name": "sack" + "name": "sack0" } }, "op": "==", @@ -272,7 +272,7 @@ "left": { "tcp option": { "field": "right", - "name": "sack" + "name": "sack0" } }, "op": "==", diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json index d3a846cf..28dd4341 100644 --- a/tests/py/inet/tcp.t.json +++ b/tests/py/inet/tcp.t.json @@ -954,12 +954,12 @@ } }, { - "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] + "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } ] }, "op": "==", - "right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] } + "right": { "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } } } ] @@ -1370,13 +1370,13 @@ "op": "==", "right": { "set": [ + "syn", { "|": [ "syn", "ack" ] - }, - "syn" + } ] } } @@ -1395,56 +1395,16 @@ "protocol": "tcp" } }, - { - "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "psh" - ] - }, - "ack" - ] - }, - "urg" - ] - } + { "|": [ "fin", "syn", "rst", "psh", "ack", "urg" ] } ] }, "op": "==", "right": { "set": [ - { - "|": [ - { - "|": [ - "fin", - "psh" - ] - }, - "ack" - ] - }, "fin", - { - "|": [ - "psh", - "ack" - ] - }, - "ack" + "ack", + { "|": [ "psh", "ack" ] }, + { "|": [ "fin", "psh", "ack" ] } ] } } @@ -1482,17 +1442,21 @@ "protocol": "tcp" } }, - [ - "fin", - "syn" - ] + { + "|": [ + "fin", + "syn" + ] + } ] }, "op": "==", - "right": [ - "fin", - "syn" - ] + "right": { + "|": [ + "fin", + "syn" + ] + } } } ] @@ -1509,10 +1473,12 @@ "protocol": "tcp" } }, - [ - "fin", - "syn" - ] + { + "|": [ + "fin", + "syn" + ] + } ] }, "op": "!=", 
@@ -1645,12 +1611,14 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } ] }, "op": "==", @@ -1671,12 +1639,14 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } ] }, "op": "==", @@ -1698,12 +1668,14 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } ] }, "op": "!=", @@ -1724,19 +1696,23 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } ] }, "op": "==", - "right": [ - "syn", - "ack" - ] + "right": { + "|": [ + "syn", + "ack" + ] + } } } ] @@ -1753,17 +1729,21 @@ "protocol": "tcp" } }, - [ - "syn", - "ack" - ] + { + "|": [ + "syn", + "ack" + ] + } ] }, "op": "==", - "right": [ - "syn", - "ack" - ] + "right": { + "|": [ + "syn", + "ack" + ] + } } } ] @@ -1780,22 +1760,7 @@ "protocol": "tcp" } }, - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "ack" - ] - } + { "|": [ "fin", "syn", "rst", "ack" ] } ] }, "op": "!=", diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output index e186e127..d487a8f1 100644 --- a/tests/py/inet/tcp.t.json.output +++ b/tests/py/inet/tcp.t.json.output @@ -115,32 +115,6 @@ } ] -# tcp flags { syn, syn | ack } -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - "syn", - { - "|": [ - "syn", - "ack" - ] - } - ] - } - } - } -] - # tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } [ { @@ -155,27 +129,11 @@ }, { "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "psh" - ] - }, - "ack" - ] - }, + "fin", + "syn", + "rst", + "psh", + "ack", "urg" ] } 
@@ -187,303 +145,20 @@ "fin", { "|": [ - { - "|": [ - "fin", - "psh" - ] - }, - "ack" - ] - }, - { - "|": [ - "psh", - "ack" - ] - }, - "ack" - ] - } - } - } -] - -# tcp flags fin,syn / fin,syn -[ - { - "match": { - "left": { - "&": [ - { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - { - "|": [ - "fin", - "syn" - ] - } - ] - }, - "op": "==", - "right": { - "|": [ - "fin", - "syn" - ] - } - } - } -] - -# tcp flags != syn / fin,syn -[ - { - "match": { - "left": { - "&": [ - { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - { - "|": [ "fin", - "syn" - ] - } - ] - }, - "op": "!=", - "right": "syn" - } - } -] - -# tcp flags & (fin | syn | rst | ack) syn -[ - { - "match": { - "left": { - "&": [ - { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "ack" - ] - } - ] - }, - "op": "==", - "right": "syn" - } - } -] - -# tcp flags & (fin | syn | rst | ack) == syn -[ - { - "match": { - "left": { - "&": [ - { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "ack" - ] - } - ] - }, - "op": "==", - "right": "syn" - } - } -] - -# tcp flags & (fin | syn | rst | ack) != syn -[ - { - "match": { - "left": { - "&": [ - { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, + "psh", "ack" ] - } - ] - }, - "op": "!=", - "right": "syn" - } - } -] - -# tcp flags & (fin | syn | rst | ack) == syn | ack -[ - { - "match": { - "left": { - "&": [ - { - "payload": { - "field": "flags", - "protocol": "tcp" - } }, { "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "ack" - ] - } - ] - }, - "op": "==", - "right": { - "|": [ - "syn", - "ack" - ] - } - } - } -] - -# tcp flags & (fin | syn | rst | ack) != syn | ack -[ - { - "match": { - "left": { - "&": 
[ - { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, + "psh", "ack" ] - } - ] - }, - "op": "!=", - "right": { - "|": [ - "syn", - "ack" - ] - } - } - } -] - -# tcp flags & (syn | ack) == syn | ack -[ - { - "match": { - "left": { - "&": [ - { - "payload": { - "field": "flags", - "protocol": "tcp" - } }, - { - "|": [ - "syn", - "ack" - ] - } - ] - }, - "op": "==", - "right": { - "|": [ - "syn", "ack" ] } } } ] - diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t index 7ddf8b38..226c339b 100644 --- a/tests/py/ip/icmp.t +++ b/tests/py/ip/icmp.t @@ -26,8 +26,8 @@ icmp code 111 accept;ok icmp code != 111 accept;ok icmp code 33-55;ok icmp code != 33-55;ok -icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56} -icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok +icmp code { 2, 4, 54, 33, 56};ok +icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok;icmp code != { 2, 4, 33, 54, 56} icmp checksum 12343 accept;ok icmp checksum != 12343 accept;ok @@ -73,5 +73,5 @@ icmp gateway != { 33, 55, 67, 88};ok icmp gateway != 34;ok icmp gateway != { 333, 334};ok -icmp code 1 icmp type 2;ok;icmp type 2 icmp code host-unreachable +icmp code 1 icmp type 2;ok;icmp type 2 icmp code 1 icmp code != 1 icmp type 2 icmp mtu 5;fail diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json index 4f052509..45e04c78 100644 --- a/tests/py/ip/icmp.t.json +++ b/tests/py/ip/icmp.t.json @@ -459,8 +459,8 @@ "op": "!=", "right": { "set": [ - "prot-unreachable", - "frag-needed", + 2, + 4, 33, 54, 56 @@ -1488,7 +1488,7 @@ } }, "op": "==", - "right": "host-unreachable" + "right": 1 } } ] diff --git a/tests/py/ip/icmp.t.json.output b/tests/py/ip/icmp.t.json.output index 5a075858..52fd6016 100644 --- a/tests/py/ip/icmp.t.json.output +++ b/tests/py/ip/icmp.t.json.output 
@@ -11,8 +11,8 @@ "op": "==", "right": { "set": [ - "prot-unreachable", - "frag-needed", + 2, + 4, 33, 54, 56 diff --git a/tests/py/ip/numgen.t.json.output b/tests/py/ip/numgen.t.json.output index 06ad1ecc..b54121ca 100644 --- a/tests/py/ip/numgen.t.json.output +++ b/tests/py/ip/numgen.t.json.output @@ -80,33 +80,3 @@ } ] -# dnat to numgen inc mod 7 offset 167772161 -[ - { - "dnat": { - "addr": { - "numgen": { - "mod": 7, - "mode": "inc", - "offset": 167772161 - } - } - } - } -] - -# dnat to numgen inc mod 255 offset 167772161 -[ - { - "dnat": { - "addr": { - "numgen": { - "mod": 255, - "mode": "inc", - "offset": 167772161 - } - } - } - } -] - diff --git a/tests/py/ip6/exthdr.t.json.output b/tests/py/ip6/exthdr.t.json.output index c9f5b49b..813402a2 100644 --- a/tests/py/ip6/exthdr.t.json.output +++ b/tests/py/ip6/exthdr.t.json.output @@ -1,33 +1,3 @@ -# exthdr hbh == exists -[ - { - "match": { - "left": { - "exthdr": { - "name": "hbh" - } - }, - "op": "==", - "right": true - } - } -] - -# exthdr hbh == missing -[ - { - "match": { - "left": { - "exthdr": { - "name": "hbh" - } - }, - "op": "==", - "right": false - } - } -] - # exthdr hbh 1 [ { diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t index 35dad2be..7632bfd8 100644 --- a/tests/py/ip6/icmpv6.t +++ b/tests/py/ip6/icmpv6.t @@ -28,10 +28,10 @@ icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-sol icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok -icmpv6 code 4;ok;icmpv6 code port-unreachable +icmpv6 code 4;ok icmpv6 code 3-66;ok -icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept -icmpv6 code != {policy-fail, reject-route, 7} accept;ok +icmpv6 code {5, 6, 7} accept;ok +icmpv6 code != {policy-fail, reject-route, 7} accept;ok;icmpv6 code != {5, 6, 7} accept icmpv6 checksum 2222 log;ok icmpv6 checksum != 2222 log;ok 
@@ -84,7 +84,7 @@ icmpv6 max-delay != 33-45;ok icmpv6 max-delay {33, 55, 67, 88};ok icmpv6 max-delay != {33, 55, 67, 88};ok -icmpv6 type parameter-problem icmpv6 code no-route;ok +icmpv6 type parameter-problem icmpv6 code 0;ok icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133;ok icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133;ok diff --git a/tests/py/ip6/icmpv6.t.json b/tests/py/ip6/icmpv6.t.json index 224a8e81..9df886dd 100644 --- a/tests/py/ip6/icmpv6.t.json +++ b/tests/py/ip6/icmpv6.t.json @@ -532,8 +532,8 @@ "op": "!=", "right": { "set": [ - "policy-fail", - "reject-route", + 5, + 6, 7 ] } @@ -1136,7 +1136,7 @@ } ] -# icmpv6 type parameter-problem icmpv6 code no-route +# icmpv6 type parameter-problem icmpv6 code 0 [ { "match": { @@ -1159,7 +1159,7 @@ } }, "op": "==", - "right": "no-route" + "right": 0 } } ] diff --git a/tests/py/ip6/icmpv6.t.json.output b/tests/py/ip6/icmpv6.t.json.output index 7b8f5c19..f29b346c 100644 --- a/tests/py/ip6/icmpv6.t.json.output +++ b/tests/py/ip6/icmpv6.t.json.output @@ -104,7 +104,7 @@ } }, "op": "==", - "right": "port-unreachable" + "right": 4 } } ] @@ -122,7 +122,7 @@ "op": "==", "right": { "range": [ - "addr-unreachable", + 3, 66 ] } @@ -143,8 +143,8 @@ "op": "==", "right": { "set": [ - "policy-fail", - "reject-route", + 5, + 6, 7 ] } diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 index fcaf4812..5b6035d1 100644 --- a/tests/py/ip6/icmpv6.t.payload.ip6 +++ b/tests/py/ip6/icmpv6.t.payload.ip6 @@ -554,7 +554,7 @@ ip6 test-ip6 input [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 type parameter-problem icmpv6 code no-route +# icmpv6 type parameter-problem icmpv6 code 0 ip6 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index a7d27c25..1bc89558 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py 
@@ -809,6 +809,8 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): reason = "Invalid JSON syntax in expected output: %s" % json_expected print_error(reason) return [-1, warning, error, unit_tests] + if json_expected == json_input: + print_warning("Recorded JSON output matches input for: %s" % rule[0]) for table in table_list: if rule[1].strip() == "ok": diff --git a/tests/shell/features/reset_tcp_options.nft b/tests/shell/features/reset_tcp_options.nft new file mode 100644 index 00000000..47d1c7b8 --- /dev/null +++ b/tests/shell/features/reset_tcp_options.nft @@ -0,0 +1,5 @@ +table inet t { + chain c { + reset tcp option fastopen + } +} diff --git a/tests/shell/features/table_flag_persist.nft b/tests/shell/features/table_flag_persist.nft new file mode 100644 index 00000000..0da3e6d4 --- /dev/null +++ b/tests/shell/features/table_flag_persist.nft @@ -0,0 +1,3 @@ +table t { + flags persist; +} diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 86c83126..6a9b518c 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -860,7 +860,7 @@ job_start() { local testfile="$1" local testidx="$2" - if [ "$NFT_TEST_JOBS" -le 1 ] ; then + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then print_test_header I "$testfile" "$testidx" "EXECUTING" fi @@ -873,7 +873,7 @@ job_start() { $NFT_TEST_UNSHARE_CMD "$NFT_TEST_BASEDIR/helpers/test-wrapper.sh" "$testfile" local rc_got=$? - if [ "$NFT_TEST_JOBS" -le 1 ] ; then + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line fi diff --git a/tests/shell/testcases/chains/netdev_chain_dev_gone b/tests/shell/testcases/chains/netdev_chain_dev_gone index 77f828d5..99933a31 100755 --- a/tests/shell/testcases/chains/netdev_chain_dev_gone +++ b/tests/shell/testcases/chains/netdev_chain_dev_gone @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress) + set -e iface_cleanup() { 
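Review bot: The warning added in rule_add names only `rule[0]`, so a redundant recorded output cannot be located without searching every `.t.json.output` file. `filename` and `lineno` are already parameters of the function (visible in the hunk header) and could be put into the message, for example `print_warning("%s:%s: Recorded JSON output matches input for: %s" % (filename, lineno, rule[0]))`. Whether `json_expected` and `json_input` are compared as strings or as parsed objects is decided outside the hunk; a one-line comment above the `if` saying which would help, since formatting differences hide duplicates in a string comparison.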
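Review bot: The changed condition in job_start mixes the `[` test with the bash `[[` test, and the same expression is repeated in the second hunk at -873 around the test-wrapper call. Writing it once as `[[ "$NFT_TEST_JOBS" -le 1 && -t 1 ]]` and storing the result in a local would keep printing the EXECUTING header and erasing it with `\033[1A\033[K` tied to a single decision. A short comment such as `# cursor-up/erase only makes sense when stdout is a terminal` would record why `-t 1` was added. job_start's body continues outside both hunks.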
diff --git a/tests/shell/testcases/chains/netdev_netns_gone b/tests/shell/testcases/chains/netdev_netns_gone index e6b65996..3a92c99e 100755 --- a/tests/shell/testcases/chains/netdev_netns_gone +++ b/tests/shell/testcases/chains/netdev_netns_gone @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress) + set -e rnd=$(mktemp -u XXXXXXXX) diff --git a/tests/shell/testcases/listing/dumps/meta_time.nft b/tests/shell/testcases/listing/dumps/meta_time.nft deleted file mode 100644 index 9121aef5..00000000 --- a/tests/shell/testcases/listing/dumps/meta_time.nft +++ /dev/null @@ -1,32 +0,0 @@ -table ip t { - chain c { - meta hour "01:00"-"01:59" - meta hour "02:00"-"02:59" - meta hour "03:00"-"03:59" - meta hour "04:00"-"04:59" - meta hour "05:00"-"05:59" - meta hour "06:00"-"06:59" - meta hour "07:00"-"07:59" - meta hour "08:00"-"08:59" - meta hour "09:00"-"09:59" - meta hour "10:00"-"10:59" - meta hour "11:00"-"11:59" - meta hour "12:00"-"12:59" - meta hour "13:00"-"13:59" - meta hour "14:00"-"14:59" - meta hour "15:00"-"15:59" - meta hour "16:00"-"16:59" - meta hour "17:00"-"17:59" - meta hour "18:00"-"18:59" - meta hour "19:00"-"19:59" - meta hour "20:00"-"20:59" - meta hour "21:00"-"21:59" - meta hour "22:00"-"22:59" - meta hour "23:00"-"23:59" - meta hour "00:00"-"00:59" - meta hour "04:00"-"15:00" - meta hour "05:00"-"16:00" - meta hour "06:00"-"17:00" - meta hour "07:00"-"18:00" - } -} diff --git a/tests/shell/testcases/listing/dumps/meta_time.nodump b/tests/shell/testcases/listing/dumps/meta_time.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/listing/dumps/meta_time.nodump diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time index 39fa4387..96a9d557 100755 --- a/tests/shell/testcases/listing/meta_time +++ b/tests/shell/testcases/listing/meta_time 
@@ -53,7 +53,15 @@ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 0 59 >> "$TMP1" check_decode UTC-1 +$NFT flush chain t c TZ=EADT $NFT add rule t c meta hour "03:00"-"14:00" TZ=EADT $NFT add rule t c meta hour "04:00"-"15:00" TZ=EADT $NFT add rule t c meta hour "05:00"-"16:00" TZ=EADT $NFT add rule t c meta hour "06:00"-"17:00" + +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 3 0 14 0 > "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 4 0 15 0 >> "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 5 0 16 0 >> "$TMP1" +printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 6 0 17 0 >> "$TMP1" + +check_decode EADT diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft index 8130c46c..b3204a28 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft @@ -231,7 +231,7 @@ "elem": { "elem": { "val": "10.2.3.4", - "timeout": 1 + "timeout": 2 } }, "data": 2, diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft index 9134673c..e80366b8 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft @@ -16,7 +16,7 @@ table ip dynset { chain input { type filter hook input priority filter; policy accept; - add @dynmark { 10.2.3.4 timeout 1s : 0x00000002 } comment "also check timeout-gc" + add @dynmark { 10.2.3.4 timeout 2s : 0x00000002 } comment "also check timeout-gc" meta l4proto icmp ip daddr 127.0.0.42 jump test_ping } } diff --git a/tests/shell/testcases/maps/named_limits b/tests/shell/testcases/maps/named_limits index 5604f6ca..ac8e434c 100755 --- a/tests/shell/testcases/maps/named_limits +++ b/tests/shell/testcases/maps/named_limits 
@@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + dumpfile=$(dirname $0)/dumps/$(basename $0).nft $NFT -f "$dumpfile" || exit 1 diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete index d2ac9f1c..2d718c5f 100755 --- a/tests/shell/testcases/maps/typeof_maps_add_delete +++ b/tests/shell/testcases/maps/typeof_maps_add_delete @@ -30,7 +30,7 @@ EXPECTED="table ip dynset { chain input { type filter hook input priority 0; policy accept; - add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\" + add @dynmark { 10.2.3.4 timeout 2s : 0x2 } comment \"also check timeout-gc\" meta l4proto icmp ip daddr 127.0.0.42 jump test_ping } }" @@ -45,7 +45,7 @@ ping -c 1 127.0.0.42 $NFT get element ip dynset dynmark { 10.2.3.4 } # wait so that 10.2.3.4 times out. -sleep 2 +sleep 3 set +e $NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1 diff --git a/tests/shell/testcases/maps/vmap_unary b/tests/shell/testcases/maps/vmap_unary index 4038d1c1..f4e1f012 100755 --- a/tests/shell/testcases/maps/vmap_unary +++ b/tests/shell/testcases/maps/vmap_unary @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e RULESET="table ip filter { diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft index 8f3f3a81..1b2e3420 100644 --- a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft @@ -169,12 +169,8 @@ }, "right": { "|": [ - { - "|": [ - "established", - "related" - ] - }, + "established", + "related", "new" ] } diff --git a/tests/shell/testcases/owner/0002-persist b/tests/shell/testcases/owner/0002-persist new file mode 100755 index 00000000..cf4b8f13 --- /dev/null +++ b/tests/shell/testcases/owner/0002-persist 
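Review bot: The typeof_maps_add_delete test still depends on wall-clock margins after this change: the first `$NFT get element ip dynset dynmark { 10.2.3.4 }` has to run within the 2s element timeout that starts at the ping, and `sleep 3` leaves one second for the expiry to become visible. The timeout value now lives in three places (the script's EXPECTED string and both dump files), so a comment next to the sleep, for example `# must exceed the 2s element timeout set in EXPECTED`, would keep them from drifting apart. The script body continues outside the two hunks.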
@@ -0,0 +1,36 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist) + +die() { + echo "$@" + exit 1 +} + +$NFT -f - <<EOF +table ip t { + flags owner, persist +} +EOF +[[ $? -eq 0 ]] || { + die "table add failed" +} + +$NFT list ruleset | grep -q 'table ip t' || { + die "table does not persist" +} +$NFT list ruleset | grep -q 'flags persist$' || { + die "unexpected flags in orphaned table" +} + +$NFT -f - <<EOF +table ip t { + flags owner, persist +} +EOF +[[ $? -eq 0 ]] || { + die "retake ownership failed" +} + +exit 0 diff --git a/tests/shell/testcases/packetpath/dumps/policy.json-nft b/tests/shell/testcases/packetpath/dumps/policy.json-nft new file mode 100644 index 00000000..26e8a052 --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/policy.json-nft 
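Review bot: The assertion `$NFT list ruleset | grep -q 'flags persist$'` in owner/0002-persist is not scoped to table `t`, so it passes whenever any table in the listing carries only the persist flag. Listing just the table under test, `$NFT list table ip t | grep -q 'flags persist$'`, ties the check to the table whose owner has exited. `die` prints with `echo "$@"` on stdout; `echo "$@" >&2` keeps failure text separate from command output. A header comment stating the expected sequence (owner exits, table remains with the owner flag dropped, a second load takes it over) would make the intent of the two identical heredocs clear.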
@@ -0,0 +1,121 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "underflow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-reply" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.2" + } + }, + { + "counter": { + "packets": 3, + "bytes": 252 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "underflow" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/policy.nft b/tests/shell/testcases/packetpath/dumps/policy.nft new file mode 100644 index 00000000..e625ea6c --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/policy.nft @@ -0,0 +1,11 @@ +table inet filter { + chain underflow { + } + + chain input { + type filter hook input priority filter; policy drop; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter packets 3 bytes 252 accept + goto underflow + } +} 
diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables index 18a57a9b..ec7dfeb7 100755 --- a/tests/shell/testcases/packetpath/flowtables +++ b/tests/shell/testcases/packetpath/flowtables @@ -77,7 +77,7 @@ ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86 } # A trick to control the timing to send a packet -ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof & +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/pipefile-$rnd,ignoreeof & sleep 1 ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' & sleep 1 diff --git a/tests/shell/testcases/packetpath/payload b/tests/shell/testcases/packetpath/payload index 9f4587d2..4c5c42da 100755 --- a/tests/shell/testcases/packetpath/payload +++ b/tests/shell/testcases/packetpath/payload @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress) + rnd=$(mktemp -u XXXXXXXX) ns1="nft1payload-$rnd" ns2="nft2payload-$rnd" diff --git a/tests/shell/testcases/packetpath/policy b/tests/shell/testcases/packetpath/policy new file mode 100755 index 00000000..0bb42a54 --- /dev/null +++ b/tests/shell/testcases/packetpath/policy 
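Review bot: The listener in packetpath/flowtables now opens `/tmp/pipefile-$rnd`, a name in a world-writable directory that socat's GOPEN will open or create with the privileges of the test run. The assignment of `rnd` is outside this hunk; if it comes from `mktemp -u`, as in the sibling scripts shown in this diff (`rnd=$(mktemp -u XXXXXXXX)`), the name is generated but never reserved, so an already existing file or symlink at that path would be used as is. Creating a private directory with `mktemp -d` and placing the pipe file inside it, removed in the script's cleanup, closes that gap for both the listener and the `PIPE:` side.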
@@ -0,0 +1,42 @@ +#!/bin/bash + +ip link set lo up + +$NFT -f - <<EOF +table inet filter { + chain underflow { } + + chain input { + type filter hook input priority filter; policy accept; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter accept + goto underflow + } +} +EOF +[ $? -ne 0 ] && exit 1 + +ping -q -c 1 127.0.0.2 >/dev/null || exit 2 + +# should work, polict is accept. +ping -q -c 1 127.0.0.1 >/dev/null || exit 1 + +$NFT -f - <<EOF +table inet filter { + chain input { + type filter hook input priority filter; policy drop; + } +} +EOF +[ $? -ne 0 ] && exit 1 + +$NFT list ruleset + +ping -W 1 -q -c 1 127.0.0.2 + +ping -q -c 1 127.0.0.2 >/dev/null || exit 2 + +# should fail, policy is set to drop +ping -W 1 -q -c 1 127.0.0.1 >/dev/null 2>&1 && exit 1 + +exit 0 diff --git a/tests/shell/testcases/packetpath/set_lookups b/tests/shell/testcases/packetpath/set_lookups index 84a0000a..85159858 100755 --- a/tests/shell/testcases/packetpath/set_lookups +++ b/tests/shell/testcases/packetpath/set_lookups @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e $NFT -f /dev/stdin <<"EOF" diff --git a/tests/shell/testcases/packetpath/tcp_options b/tests/shell/testcases/packetpath/tcp_options index 88552226..57e228c5 100755 --- a/tests/shell/testcases/packetpath/tcp_options +++ b/tests/shell/testcases/packetpath/tcp_options @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_tcp_options) + have_socat="no" socat -h > /dev/null && have_socat="yes" diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft index cd39f090..e37139f3 100644 --- a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft 
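Review bot: The unchecked `ping -W 1 -q -c 1 127.0.0.2` after `$NFT list ruleset` in packetpath/policy reads like leftover debugging, yet the dump added in this commit records `counter packets 3 bytes 252`, which appears to depend on exactly three echo requests to 127.0.0.2 reaching the counter rule. A comment such as `# third ping to 127.0.0.2: dumps/policy.nft expects counter packets 3` would stop a later cleanup from breaking the dump comparison. The comment `# should work, polict is accept.` has a typo ("policy"). The two `[ $? -ne 0 ] && exit 1` checks can be attached to the command itself as `$NFT -f - <<EOF || exit 1`, which avoids relying on `$?` surviving to the next line.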
@@ -27,146 +27,87 @@ "elem": [ { "|": [ - { - "|": [ - { - "|": [ - "fin", - "psh" - ] - }, - "ack" - ] - }, - "urg" - ] - }, - { - "|": [ - { - "|": [ - "fin", - "psh" - ] - }, + "fin", "ack" ] }, { "|": [ - { - "|": [ - "fin", - "ack" - ] - }, + "fin", + "ack", "urg" ] }, { "|": [ "fin", + "psh", "ack" ] }, { "|": [ - { - "|": [ - { - "|": [ - "syn", - "psh" - ] - }, - "ack" - ] - }, + "fin", + "psh", + "ack", "urg" ] }, + "syn", { "|": [ - { - "|": [ - "syn", - "psh" - ] - }, + "syn", "ack" ] }, { "|": [ - { - "|": [ - "syn", - "ack" - ] - }, + "syn", + "ack", "urg" ] }, { "|": [ "syn", + "psh", "ack" ] }, - "syn", { "|": [ - { - "|": [ - { - "|": [ - "rst", - "psh" - ] - }, - "ack" - ] - }, + "syn", + "psh", + "ack", "urg" ] }, + "rst", { "|": [ - { - "|": [ - "rst", - "psh" - ] - }, + "rst", "ack" ] }, { "|": [ - { - "|": [ - "rst", - "ack" - ] - }, + "rst", + "ack", "urg" ] }, { "|": [ "rst", + "psh", "ack" ] }, - "rst", { "|": [ - { - "|": [ - "psh", - "ack" - ] - }, + "rst", + "psh", + "ack", "urg" ] }, @@ -178,11 +119,18 @@ }, { "|": [ + "psh", "ack", "urg" ] }, - "ack" + "ack", + { + "|": [ + "ack", + "urg" + ] + } ] } } diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft index ffed5426..22bf5c46 100644 --- a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft 
@@ -2,9 +2,9 @@ table ip test { set tcp_good_flags { type tcp_flag flags constant - elements = { fin | psh | ack | urg, fin | psh | ack, fin | ack | urg, fin | ack, syn | psh | ack | urg, - syn | psh | ack, syn | ack | urg, syn | ack, syn, rst | psh | ack | urg, - rst | psh | ack, rst | ack | urg, rst | ack, rst, psh | ack | urg, - psh | ack, ack | urg, ack } + elements = { fin | ack, fin | ack | urg, fin | psh | ack, fin | psh | ack | urg, syn, + syn | ack, syn | ack | urg, syn | psh | ack, syn | psh | ack | urg, rst, + rst | ack, rst | ack | urg, rst | psh | ack, rst | psh | ack | urg, psh | ack, + psh | ack | urg, ack, ack | urg } } } diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat index 07820b7c..34465f1d 100755 --- a/tests/shell/testcases/sets/typeof_sets_concat +++ b/tests/shell/testcases/sets/typeof_sets_concat @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e dumpfile=$(dirname $0)/dumps/$(basename $0).nft diff --git a/tests/shell/testcases/transactions/concat_range_abort b/tests/shell/testcases/transactions/concat_range_abort new file mode 100755 index 00000000..b2bbe37b --- /dev/null +++ b/tests/shell/testcases/transactions/concat_range_abort @@ -0,0 +1,28 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +$NFT -f /dev/stdin <<EOF +table ip x { + map m { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { + 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : jump foo, + } + } + + chain foo { + accept + } +} +EOF + +$NFT -f /dev/stdin <<EOF +add chain ip x bar +add element ip x m { 1.2.3.4 . 42 : jump bar } +delete set ip x m +EOF diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft new file mode 100644 index 00000000..8db71894 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft 
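Review bot: The new transactions/concat_range_abort script carries no comment saying what it guards against, and the name ("abort") does not match what the visible dump shows, namely a second batch that leaves chains `foo` and `bar` and no map. A header comment along the lines of `# add an element to an interval concat map and delete the map in the same batch; only chains foo and bar must remain` would record the scenario. The second batch uses `delete set ip x m` on an object declared as `map m`; if that is deliberate it deserves a remark in the same comment, otherwise `delete map` states the intent directly.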
@@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft new file mode 100644 index 00000000..06adca7a --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft @@ -0,0 +1,8 @@ +table ip x { + chain foo { + accept + } + + chain bar { + } +} |