Diffstat (limited to 'tests')
1168 files changed, 69336 insertions, 3758 deletions
diff --git a/tests/build/run-tests.sh b/tests/build/run-tests.sh
index f78cc901..916df2e2 100755
--- a/tests/build/run-tests.sh
+++ b/tests/build/run-tests.sh
@@ -1,32 +1,36 @@
 #!/bin/bash
-log_file="`pwd`/tests.log"
+log_file="$(pwd)/tests.log"
 dir=../..
 argument=( --without-cli --with-cli=linenoise --with-cli=editline --enable-debug --with-mini-gmp --enable-man-doc --with-xtables --with-json)
 ok=0
 failed=0
-[ -f $log_file ] && rm -rf $log_file
+[ -f "$log_file" ] && rm -rf "$log_file"
 tmpdir=$(mktemp -d)
-if [ ! -w $tmpdir ] ; then
+if [ ! -w "$tmpdir" ] ; then
 echo "Failed to create tmp file" >&2
 exit 0
 fi
-git clone $dir $tmpdir >/dev/null 2>>$log_file
-cd $tmpdir
+git clone "$dir" "$tmpdir" &>>"$log_file"
+cd "$tmpdir" || exit
-autoreconf -fi >/dev/null 2>>$log_file
-./configure >/dev/null 2>>$log_file
+if ! autoreconf -fi &>>"$log_file" ; then
+ echo "Something went wrong. Check the log '${log_file}' for details."
+ exit 1
+fi
-echo "Testing build with distcheck"
-make distcheck >/dev/null 2>>$log_file
-rt=$?
+if ! ./configure &>>"$log_file" ; then
+ echo "Something went wrong. Check the log '${log_file}' for details."
+ exit 1
+fi
-if [ $rt != 0 ] ; then
- echo "Something went wrong. Check the log for details."
+echo "Testing build with distcheck"
+if ! make distcheck &>>"$log_file" ; then
+ echo "Something went wrong. Check the log '${log_file}' for details."
 exit 1
 fi
@@ -35,8 +39,8 @@ echo "Build works. Now, testing compile options"
 for var in "${argument[@]}" ; do
 echo "[EXECUTING] Testing compile option $var"
- ./configure $var >/dev/null 2>>$log_file
- make -j 8 >/dev/null 2>>$log_file
+ ./configure "$var" &>>"$log_file"
+ make -j 8 &>>"$log_file"
 rt=$?
 echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line
@@ -49,7 +53,7 @@ for var in "${argument[@]}" ; do
 fi
 done
-rm -rf $tmpdir
+rm -rf "$tmpdir"
 echo "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))"
 [ "$failed" -eq 0 ]
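Review bot: The three new `exit 1` paths in the first hunk (after autoreconf, ./configure and make distcheck) leave the script while the current directory is `$tmpdir` and never reach the `rm -rf "$tmpdir"` in the last hunk, so every failed run leaves a complete clone behind under the mktemp directory. Registering the cleanup right after `tmpdir=$(mktemp -d)` covers all exit paths at once: `trap 'rm -rf -- "$tmpdir"' EXIT`. In the same hunk `git clone "$dir" "$tmpdir" &>>"$log_file"` is now the only build step whose status is not checked; a failed clone is only reported later as an autoreconf failure, so it should get the same guard as the others, `git clone "$dir" "$tmpdir" &>>"$log_file" || { echo "Failed to clone $dir, see '${log_file}'." >&2; exit 1; }`. The pre-existing `exit 0` after "Failed to create tmp file" is untouched by the change and is now the one failure path that still reports success to the caller.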
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
index b5ca47d9..67d3e618 100755
--- a/tests/monitor/run-tests.sh
+++ b/tests/monitor/run-tests.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
-cd $(dirname $0)
-nft=${NFT:-../../src/nft}
+nft=${NFT:-$(dirname $0)/../../src/nft}
 debug=false
 test_json=false
@@ -120,6 +119,14 @@ echo_run_test() {
 return $rc
 }
+netns=true
+for arg in "$@"; do
+ [[ "$arg" == "--no-netns" ]] && netns=false
+done
+if $netns; then
+ exec unshare -n $0 --no-netns "$@"
+fi
+
 testcases=""
 while [ -n "$1" ]; do
 case "$1" in
@@ -131,11 +138,14 @@ while [ -n "$1" ]; do
 test_json=true
 shift
 ;;
+ --no-netns)
+ shift
+ ;;
 -H|--host)
 nft=nft
 shift
 ;;
- testcases/*.t)
+ *.t)
 testcases+=" $1"
 shift
 ;;
@@ -161,7 +171,10 @@ for variant in $variants; do
 output_append=${variant}_output_append
 for testcase in ${testcases:-testcases/*.t}; do
- echo "$variant: running tests from file $(basename $testcase)"
+ filename=$(basename $testcase)
+ echo "$variant: running tests from file $filename"
+ rc_start=$rc
+
 # files are like this:
 #
 # I add table ip t
@@ -199,6 +212,10 @@ for variant in $variants; do
 $run_test
 let "rc += $?"
 }
+
+ let "rc_diff = rc - rc_start"
+ [[ $rc_diff -ne 0 ]] && \
+ echo "$variant: $rc_diff tests from file $filename failed"
 done
 done
 exit $rc
diff --git a/tests/monitor/testcases/flowtable-simple.t b/tests/monitor/testcases/flowtable-simple.t
new file mode 100644
index 00000000..df8eccbd
--- /dev/null
+++ b/tests/monitor/testcases/flowtable-simple.t
@@ -0,0 +1,10 @@
+# setup first
+I add table ip t
+I add flowtable ip t ft { hook ingress priority 0; devices = { lo }; }
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "lo"}}}
+
+I delete flowtable ip t ft
+O -
+J {"delete": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "lo"}}}
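Review bot: `$0` is expanded unquoted in the new default `nft=${NFT:-$(dirname $0)/../../src/nft}` in the first hunk and again in `exec unshare -n $0 --no-netns "$@"` in the second, so a checkout path containing whitespace or glob characters is word-split before nft or the re-exec sees it; quote both, `nft=${NFT:-$(dirname "$0")/../../src/nft}` and `exec unshare -n "$0" --no-netns "$@"`. Dropping `cd $(dirname $0)` also changes what the default `${testcases:-testcases/*.t}` in the fourth hunk's loop refers to: it now resolves against the caller's working directory rather than tests/monitor, so either the script must document that it has to be run from that directory or the default should be prefixed with the script directory as the nft path now is. The re-exec happens before `--no-netns` is parsed, and if `unshare -n` cannot create a namespace the `exec` fails and the script terminates with bash's exec error instead of a test result; a `command -v unshare >/dev/null` check, or falling back to `netns=false` with a warning on stderr, would make that outcome explicit.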
diff --git a/tests/monitor/testcases/map-expr.t b/tests/monitor/testcases/map-expr.t
index 8729c0b4..d11ad0eb 100644
--- a/tests/monitor/testcases/map-expr.t
+++ b/tests/monitor/testcases/map-expr.t
@@ -3,4 +3,4 @@ I add table ip t
 I add map ip t m { typeof meta day . meta hour : verdict; flags interval; counter; }
 O -
 J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
-J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": ["day", "hour"], "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}}
+J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": {"typeof": {"concat": [{"meta": {"key": "day"}}, {"meta": {"key": "hour"}}]}}, "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}}
diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t
index 2afe33c8..53a9f8c5 100644
--- a/tests/monitor/testcases/object.t
+++ b/tests/monitor/testcases/object.t
@@ -37,7 +37,7 @@ I delete ct helper ip t cth
 O -
 J {"delete": {"ct helper": {"family": "ip", "name": "cth", "table": "t", "handle": 0, "type": "sip", "protocol": "tcp", "l3proto": "ip"}}}
-I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15, replied : 12 }; }
+I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15s, replied : 12s }; }
 O -
 J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
diff --git a/tests/monitor/testcases/set-concat-interval.t b/tests/monitor/testcases/set-concat-interval.t
new file mode 100644
index 00000000..3542b822
--- /dev/null
+++ b/tests/monitor/testcases/set-concat-interval.t
@@ -0,0 +1,15 @@
+# setup first
+I add table ip t
+I add chain ip t c
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}}
+
+# add set with elements, monitor output expectedly differs
+I add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }; }
+O add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; }
+O add element ip t s { 20-80 . 0x14 : accept }
+O add element ip t s { 1-10 . 0xa : drop }
+J {"add": {"map": {"family": "ip", "name": "s", "table": "t", "type": {"typeof": {"concat": [{"payload": {"protocol": "udp", "field": "length"}}, {"payload": {"base": "ih", "offset": 32, "len": 32}}]}}, "handle": 0, "map": "verdict", "flags": ["interval"]}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [[{"concat": [{"range": [20, 80]}, 20]}, {"accept": null}]]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [[{"concat": [{"range": [1, 10]}, 10]}, {"drop": null}]]}}}}
diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
index b0649cdf..5053c596 100644
--- a/tests/monitor/testcases/set-interval.t
+++ b/tests/monitor/testcases/set-interval.t
@@ -27,4 +27,4 @@ J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "ex
 # ... and anon concat range
 I add rule ip t c ether saddr . ip saddr { 08:00:27:40:f7:09 . 192.168.56.10-192.168.56.12 }
 O -
-{"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "ether", "field": "saddr"}}, {"payload": {"protocol": "ip", "field": "saddr"}}]}, "right": {"set": [{"concat": ["08:00:27:40:f7:09", {"range": ["192.168.56.10", "192.168.56.12"]}]}]}}}]}}}
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "ether", "field": "saddr"}}, {"payload": {"protocol": "ip", "field": "saddr"}}]}, "right": {"set": [{"concat": ["08:00:27:40:f7:09", {"range": ["192.168.56.10", "192.168.56.12"]}]}]}}}]}}}
diff --git a/tests/monitor/testcases/set-simple.t b/tests/monitor/testcases/set-simple.t
index 8ca4f324..6853a0eb 100644
--- a/tests/monitor/testcases/set-simple.t
+++ b/tests/monitor/testcases/set-simple.t
@@ -37,9 +37,10 @@ J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem"
 # make sure half open before other element works
 I add element ip t portrange { 1024-65535 }
 I add element ip t portrange { 100-200 }
-O -
-J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+O add element ip t portrange { 100-200 }
+O add element ip t portrange { 1024-65535 }
 J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [100, 200]}]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
 # make sure deletion of elements works
 I delete element ip t portrange { 0-10 }
diff --git a/tests/monitor/testcases/simple.t b/tests/monitor/testcases/simple.t
index 2d9c92de..67be5c85 100644
--- a/tests/monitor/testcases/simple.t
+++ b/tests/monitor/testcases/simple.t
@@ -15,13 +15,13 @@ J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "ex
 I insert rule ip t c counter accept
 O insert rule ip t c counter packets 0 bytes 0 accept
-J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"counter": {"packets": 0, "bytes": 0}}, {"accept": null}]}}}
+J {"insert": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"counter": {"packets": 0, "bytes": 0}}, {"accept": null}]}}}
 I replace rule ip t c handle 2 accept comment "foo bar"
 O delete rule ip t c handle 2
 O add rule ip t c handle 5 accept comment "foo bar"
-J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "comment": "foo bar", "expr": [{"accept": null}]}}}
 J {"delete": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"accept": null}]}}}
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "comment": "foo bar", "expr": [{"accept": null}]}}}
 I add counter ip t cnt
 O add counter ip t cnt { packets 0 bytes 0 }
diff --git a/tests/py/README b/tests/py/README
index ed5dc58b..864a966e 100644
--- a/tests/py/README
+++ b/tests/py/README
@@ -163,4 +163,35 @@ G) Acknowledgements
 Thanks to the Outreach Program for Women (OPW) for sponsoring this test
 infrastructure and my mentor Pablo Neira.
+H) JSON (-j) Mode
+
+This mode is supposed to repeat the same tests using JSON syntax. For each test
+file example.t, there is supposed to be a file example.t.json holding the JSON
+equivalents of each rule in example.t. The file's syntax is similar to payload
+files: An initial comment identifies the rule belonging to the following JSON
+equivalent. Pairs of comment and JSON are separated by a single blank line.
+
+If the example.t.json file does not exist, the test script will warn and create
+(or append to) example.t.json.got. The JSON equivalent written is generated by
+applying the rule in standard syntax and listing the ruleset in JSON format.
+After thorough review, it may be renamed to example.t.json.
+
+One common case for editing the content in example.t.json.got is expected
+differences between input and output. The generated content will match the
+output while it is supposed to match the input.
+
+If a rule is expected to differ in output, the expected output must be recorded
+in example.t.json.output. Its syntax is identical to example.t.json, i.e. pairs
+of comment identifying the rule (in standard syntax) and JSON (output) format
+separated by blank lines. Note: the comment states the rule as in input, not
+output.
+
+If the example.t.json.output file does not exist and output differs from input,
+the file example.t.json.output.got is created with the actual output recorded.
+
+JSON mode will also check the payload created for the rule in JSON syntax by
+comparing it to the recorded one in example.t.payload. Should it differ, it
+will be recorded in example.t.json.payload.got. This is always a bug: A rule's
+JSON equivalent must turn into the same bytecode as the rule itself.
+
 -EOF-
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index f73fa4e7..0059e49c 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t @@ -40,7 +40,9 @@ ct mark and 0x23 == 0x11;ok;ct mark & 0x00000023 == 0x00000011 ct mark and 0x3 != 0x1;ok;ct mark & 0x00000003 != 0x00000001 ct mark xor 0x23 == 0x11;ok;ct mark 0x00000032 ct mark xor 0x3 != 0x1;ok;ct mark != 0x00000002 + ct mark set ct mark or 0x00000001;ok;ct mark set ct mark | 0x00000001 +ct mark set 0x00000001 or ct mark;ok;ct mark set ct mark | 0x00000001 ct mark 0x00000032;ok ct mark != 0x00000032;ok @@ -61,6 +63,7 @@ ct mark set 0x11;ok;ct mark set 0x00000011 ct mark set mark;ok;ct mark set meta mark ct mark set (meta mark | 0x10) << 8;ok;ct mark set (meta mark | 0x00000010) << 8 ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 };ok;ct mark set meta mark map { 0x00000003 : 0x0000001e, 0x00000002 : 0x00000014, 0x00000001 : 0x0000000a} +ct mark set ct mark and 0xffff0000 or meta mark and 0xffff;ok;ct mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff ct mark set {0x11333, 0x11};fail ct zone set {123, 127};fail diff --git a/tests/py/any/ct.t.json b/tests/py/any/ct.t.json index a2a06025..ef350000 100644 --- a/tests/py/any/ct.t.json +++ b/tests/py/any/ct.t.json @@ -560,6 +560,29 @@ } ] +# ct mark set 0x00000001 or ct mark +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "ct": { + "key": "mark" + } + }, + 1 + ] + } + } + } +] + # ct mark 0x00000032 [ { @@ -817,6 +840,43 @@ } ] +# ct mark set ct mark and 0xffff0000 or meta mark and 0xffff +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "&": [ + { + "ct": { + "key": "mark" + } + }, + 4294901760 + ] + }, + { + "&": [ + { + "meta": { + "key": "mark" + } + }, + 65535 + ] + } + ] + } + } + } +] + # ct expiration 30s [ { diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload index ed868e53..64504134 100644 --- a/tests/py/any/ct.t.payload +++ b/tests/py/any/ct.t.payload 
@@ -172,8 +172,7 @@ ip test-ip4 output
 ip test-ip4 output
 [ ct load mark => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0x32000000 ]
- [ cmp lte reg 1 0x45000000 ]
+ [ range eq reg 1 0x32000000 0x45000000 ]
 # ct mark != 0x00000032-0x00000045
 ip test-ip4 output
@@ -240,8 +239,7 @@ ip test-ip4 output
 ip test-ip4 output
 [ ct load expiration => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0x60ea0000 ]
- [ cmp lte reg 1 0x80ee3600 ]
+ [ range eq reg 1 0x60ea0000 0x80ee3600 ]
 # ct expiration > 4d23h59m59s
 ip test-ip4 output
@@ -258,8 +256,7 @@ ip test-ip4 output
 ip test-ip4 output
 [ ct load expiration => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0xe8800000 ]
- [ cmp lte reg 1 0xc8af0000 ]
+ [ range eq reg 1 0xe8800000 0xc8af0000 ]
 # ct expiration != 33-45
 ip test-ip4 output
@@ -336,6 +333,15 @@ ip test-ip4 output
 [ lookup reg 1 set __map%d dreg 1 ]
 [ ct set mark with reg 1 ]
+# ct mark set ct mark and 0xffff0000 or meta mark and 0xffff
+ip
+ [ ct load mark => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0xffff0000 ) ^ 0x00000000 ]
+ [ meta load mark => reg 2 ]
+ [ bitwise reg 2 = ( reg 2 & 0x0000ffff ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 | reg 2 ) ]
+ [ ct set mark with reg 1 ]
+
 # ct original bytes > 100000
 ip test-ip4 output
 [ ct load bytes => reg 1 , dir original ]
@@ -497,9 +503,15 @@ ip test-ip4 output
 [ bitwise reg 1 = ( reg 1 & 0xfffffffe ) ^ 0x00000001 ]
 [ ct set mark with reg 1 ]
+# ct mark set 0x00000001 or ct mark
+ip test-ip4 output
+ [ ct load mark => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0xfffffffe ) ^ 0x00000001 ]
+ [ ct set mark with reg 1 ]
+
 # ct id 12345
 ip test-ip4 output
- [ ct load unknown => reg 1 ]
+ [ ct load id => reg 1 ]
 [ cmp eq reg 1 0x39300000 ]
 # ct status ! dnat
diff --git a/tests/py/any/last.t.json b/tests/py/any/last.t.json
new file mode 100644
index 00000000..2a2b9e72
--- /dev/null
+++ b/tests/py/any/last.t.json
@@ -0,0 +1,16 @@ +# last +[ + { + "last": null + } +] + +# last used 300s +[ + { + "last": { + "used": 300000 + } + } +] + diff --git a/tests/py/any/last.t.json.output b/tests/py/any/last.t.json.output new file mode 100644 index 00000000..e8ec4f47 --- /dev/null +++ b/tests/py/any/last.t.json.output @@ -0,0 +1,7 @@ +# last used 300s +[ + { + "last": null + } +] + diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t index 86e8d430..2a84e3f5 100644 --- a/tests/py/any/limit.t +++ b/tests/py/any/limit.t @@ -9,11 +9,11 @@ *bridge;test-bridge;output *netdev;test-netdev;ingress,egress -limit rate 400/minute;ok -limit rate 20/second;ok -limit rate 400/hour;ok -limit rate 40/day;ok -limit rate 400/week;ok +limit rate 400/minute;ok;limit rate 400/minute burst 5 packets +limit rate 20/second;ok;limit rate 20/second burst 5 packets +limit rate 400/hour;ok;limit rate 400/hour burst 5 packets +limit rate 40/day;ok;limit rate 40/day burst 5 packets +limit rate 400/week;ok;limit rate 400/week burst 5 packets limit rate 1023/second burst 10 packets;ok limit rate 1023/second burst 10 bytes;fail @@ -22,7 +22,6 @@ limit rate 2 kbytes/second;ok limit rate 1025 kbytes/second;ok limit rate 1023 mbytes/second;ok limit rate 10230 mbytes/second;ok -limit rate 1023000 mbytes/second;ok limit rate 512 kbytes/second burst 5 packets;fail limit rate 1 bytes / second;ok;limit rate 1 bytes/second 
@@ -33,13 +32,12 @@ limit rate 1 gbytes / second;fail limit rate 1025 bytes/second burst 512 bytes;ok limit rate 1025 kbytes/second burst 1023 kbytes;ok limit rate 1025 mbytes/second burst 1025 kbytes;ok -limit rate 1025000 mbytes/second burst 1023 mbytes;ok -limit rate over 400/minute;ok -limit rate over 20/second;ok -limit rate over 400/hour;ok -limit rate over 40/day;ok -limit rate over 400/week;ok +limit rate over 400/minute;ok;limit rate over 400/minute burst 5 packets +limit rate over 20/second;ok;limit rate over 20/second burst 5 packets +limit rate over 400/hour;ok;limit rate over 400/hour burst 5 packets +limit rate over 40/day;ok;limit rate over 40/day burst 5 packets +limit rate over 400/week;ok;limit rate over 400/week burst 5 packets limit rate over 1023/second burst 10 packets;ok limit rate over 1 kbytes/second;ok @@ -47,9 +45,7 @@ limit rate over 2 kbytes/second;ok limit rate over 1025 kbytes/second;ok limit rate over 1023 mbytes/second;ok limit rate over 10230 mbytes/second;ok -limit rate over 1023000 mbytes/second;ok limit rate over 1025 bytes/second burst 512 bytes;ok limit rate over 1025 kbytes/second burst 1023 kbytes;ok limit rate over 1025 mbytes/second burst 1025 kbytes;ok -limit rate over 1025000 mbytes/second burst 1023 mbytes;ok diff --git a/tests/py/any/limit.t.json b/tests/py/any/limit.t.json index e001ba0f..73160b27 100644 --- a/tests/py/any/limit.t.json +++ b/tests/py/any/limit.t.json @@ -114,17 +114,6 @@ } ] -# limit rate 1023000 mbytes/second -[ - { - "limit": { - "per": "second", - "rate": 1023000, - "rate_unit": "mbytes" - } - } -] - # limit rate 1 bytes / second [ { @@ -203,19 +192,6 @@ } ] -# limit rate 1025000 mbytes/second burst 1023 mbytes -[ - { - "limit": { - "burst": 1023, - "burst_unit": "mbytes", - "per": "second", - "rate": 1025000, - "rate_unit": "mbytes" - } - } -] - # limit rate over 400/minute [ { 
@@ -343,18 +319,6 @@ } ] -# limit rate over 1023000 mbytes/second -[ - { - "limit": { - "inv": true, - "per": "second", - "rate": 1023000, - "rate_unit": "mbytes" - } - } -] - # limit rate over 1025 bytes/second burst 512 bytes [ { @@ -396,18 +360,3 @@ } } ] - -# limit rate over 1025000 mbytes/second burst 1023 mbytes -[ - { - "limit": { - "burst": 1023, - "burst_unit": "mbytes", - "inv": true, - "per": "second", - "rate": 1025000, - "rate_unit": "mbytes" - } - } -] - diff --git a/tests/py/any/limit.t.json.output b/tests/py/any/limit.t.json.output index 5a95f5e1..2c94d2de 100644 --- a/tests/py/any/limit.t.json.output +++ b/tests/py/any/limit.t.json.output @@ -118,19 +118,6 @@ } ] -# limit rate 1023000 mbytes/second -[ - { - "limit": { - "burst": 0, - "burst_unit": "bytes", - "per": "second", - "rate": 1023000, - "rate_unit": "mbytes" - } - } -] - # limit rate over 400/minute [ { @@ -260,18 +247,3 @@ } } ] - -# limit rate over 1023000 mbytes/second -[ - { - "limit": { - "burst": 0, - "burst_unit": "bytes", - "inv": true, - "per": "second", - "rate": 1023000, - "rate_unit": "mbytes" - } - } -] - diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload index 0c7ee942..dc6701b3 100644 --- a/tests/py/any/limit.t.payload +++ b/tests/py/any/limit.t.payload @@ -42,10 +42,6 @@ ip test-ip4 output ip test-ip4 output [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ] -# limit rate 1023000 mbytes/second -ip test-ip4 output - [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ] - # limit rate 1 bytes / second ip [ limit rate 1/second burst 0 type bytes flags 0x0 ] @@ -71,10 +67,6 @@ ip test-ip4 output ip test-ip4 output [ limit rate 1074790400/second burst 1049600 type bytes flags 0x0 ] -# limit rate 1025000 mbytes/second burst 1023 mbytes -ip test-ip4 output - [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x0 ] - # limit rate over 400/minute ip test-ip4 output [ limit rate 400/minute burst 5 type packets flags 0x1 ] 
@@ -119,10 +111,6 @@ ip test-ip4 output ip test-ip4 output [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ] -# limit rate over 1023000 mbytes/second -ip test-ip4 output - [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ] - # limit rate over 1025 bytes/second burst 512 bytes ip test-ip4 output [ limit rate 1025/second burst 512 type bytes flags 0x1 ] @@ -134,8 +122,3 @@ ip test-ip4 output # limit rate over 1025 mbytes/second burst 1025 kbytes ip test-ip4 output [ limit rate 1074790400/second burst 1049600 type bytes flags 0x1 ] - -# limit rate over 1025000 mbytes/second burst 1023 mbytes -ip test-ip4 output - [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x1 ] - diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t index 12fabb79..3f0ef121 100644 --- a/tests/py/any/meta.t +++ b/tests/py/any/meta.t @@ -56,7 +56,7 @@ meta mark and 0x03 == 0x01;ok;meta mark & 0x00000003 == 0x00000001 meta mark and 0x03 != 0x01;ok;meta mark & 0x00000003 != 0x00000001 meta mark 0x10;ok;meta mark 0x00000010 meta mark != 0x10;ok;meta mark != 0x00000010 -meta mark 0xffffff00/24;ok +meta mark 0xffffff00/24;ok;meta mark & 0xffffff00 == 0xffffff00 meta mark or 0x03 == 0x01;ok;meta mark | 0x00000003 == 0x00000001 meta mark or 0x03 != 0x01;ok;meta mark | 0x00000003 != 0x00000001 @@ -224,3 +224,9 @@ time > "2022-07-01 11:00:00" accept;ok;meta time > "2022-07-01 11:00:00" accept meta time "meh";fail meta hour "24:00" drop;fail meta day 7 drop;fail + +meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 };ok +!map1 typeof vlan id : meta mark;ok +meta mark set vlan id map @map1;ok + +meta mark set meta mark | iif | meta cpu;ok diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json index 4734bbf9..65590388 100644 --- a/tests/py/any/meta.t.json +++ b/tests/py/any/meta.t.json 
@@ -667,17 +667,17 @@ { "match": { "left": { - "meta": { - "key": "mark" - } + "&": [ + { + "meta": { + "key": "mark" + } + }, + 4294967040 + ] }, "op": "==", - "right": { - "prefix": { - "addr": 4294967040, - "len": 24 - } - } + "right": 4294967040 } } ] @@ -2661,7 +2661,7 @@ } }, "op": "==", - "right": "17:00" + "right": "17:00:00" } }, { @@ -2758,3 +2758,95 @@ "accept": null } ] + +# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + 1, + 1 + ], + [ + 4095, + 16533 + ] + ] + }, + "key": { + "payload": { + "field": "id", + "protocol": "vlan" + } + } + } + } + } + } +] + +# meta mark set vlan id map @map1 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map1", + "key": { + "payload": { + "field": "id", + "protocol": "vlan" + } + } + } + } + } + } +] + +# meta mark set meta mark | iif | meta cpu +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "meta": { + "key": "mark" + } + }, + { + "meta": { + "key": "iif" + } + }, + { + "meta": { + "key": "cpu" + } + } + ] + } + } + } +] + diff --git a/tests/py/any/meta.t.json.output b/tests/py/any/meta.t.json.output index 4e9e669f..d46935de 100644 --- a/tests/py/any/meta.t.json.output +++ b/tests/py/any/meta.t.json.output @@ -592,24 +592,6 @@ } ] -# meta time "1970-05-23 21:07:14" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "1970-05-23 21:07:14" - } - }, - { - "drop": null - } -] - # meta time 12341234 drop [ { 
@@ -628,96 +610,6 @@ } ] -# meta time "2019-06-21 17:00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-06-21 17:00:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:00:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:01:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:01:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:00:01" - } - }, - { - "drop": null - } -] - -# meta day "Saturday" drop -[ - { - "match": { - "left": { - "meta": { - "key": "day" - } - }, - "op": "==", - "right": "Saturday" - } - }, - { - "drop": null - } -] - # meta day 6 drop [ { @@ -736,24 +628,6 @@ } ] -# meta hour "17:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "17:00" - } - }, - { - "drop": null - } -] - # meta hour "17:00:00" drop [ { @@ -772,57 +646,3 @@ } ] -# meta hour "17:00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "17:00:01" - } - }, - { - "drop": null - } -] - -# meta hour "00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "00:00" - } - }, - { - "drop": null - } -] - -# meta hour "00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "00:01" - } - }, - { - "drop": null - } -] - diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload index 16dc1211..52c3efa8 100644 --- a/tests/py/any/meta.t.payload +++ b/tests/py/any/meta.t.payload 
@@ -17,8 +17,7 @@ ip test-ip4 input
 ip test-ip4 input
 [ meta load len => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0x21000000 ]
- [ cmp lte reg 1 0x2d000000 ]
+ [ range eq reg 1 0x21000000 0x2d000000 ]
 # meta length != 33-45
 ip test-ip4 input
@@ -99,8 +98,7 @@ ip test-ip4 input
 # meta l4proto 33-45
 ip test-ip4 input
 [ meta load l4proto => reg 1 ]
- [ cmp gte reg 1 0x00000021 ]
- [ cmp lte reg 1 0x0000002d ]
+ [ range eq reg 1 0x00000021 0x0000002d ]
 # meta l4proto != 33-45
 ip test-ip4 input
@@ -385,8 +383,7 @@ ip test-ip4 input
 ip test-ip4 input
 [ meta load skuid => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0xb90b0000 ]
- [ cmp lte reg 1 0xbd0b0000 ]
+ [ range eq reg 1 0xb90b0000 0xbd0b0000 ]
 [ immediate reg 0 accept ]
 # meta skuid != 2001-2005 accept
@@ -448,8 +445,7 @@ ip test-ip4 input
 ip test-ip4 input
 [ meta load skgid => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0xd1070000 ]
- [ cmp lte reg 1 0xd5070000 ]
+ [ range eq reg 1 0xd1070000 0xd5070000 ]
 [ immediate reg 0 accept ]
 # meta skgid != 2001-2005 accept
@@ -583,8 +579,7 @@ ip test-ip4 input
 ip test-ip4 input
 [ meta load cpu => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0x01000000 ]
- [ cmp lte reg 1 0x03000000 ]
+ [ range eq reg 1 0x01000000 0x03000000 ]
 # meta cpu != 1-2
 ip test-ip4 input
@@ -703,8 +698,7 @@ ip test-ip4 input
 ip test-ip4 input
 [ meta load cgroup => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0x01001000 ]
- [ cmp lte reg 1 0x02001000 ]
+ [ range eq reg 1 0x01001000 0x02001000 ]
 # meta cgroup != 1048577-1048578
 ip test-ip4 input
@@ -789,8 +783,7 @@ ip test-ip4 input
 ip test-ip4 input
 [ meta load priority => reg 1 ]
 [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ cmp gte reg 1 0xdadaadbc ]
- [ cmp lte reg 1 0xdcdaadbc ]
+ [ range eq reg 1 0xdadaadbc 0xdcdaadbc ]
 # meta priority != bcad:dada-bcad:dadc
 ip test-ip4 input
@@ -1072,3 +1065,37 @@ ip test-ip4 input
 [ byteorder reg 1 = hton(reg 1, 8, 8) ]
 [ cmp gt reg 1 0xf3a8fd16 0x00a07719 ]
 [ immediate reg 0 accept ]
+
+# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 }
+__map%d test-ip4 b size 2
+__map%d test-ip4 0
+ element 00000100 : 00000001 0 [end] element 0000ff0f : 00004095 0 [end]
+ip test-ip4 input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set vlan id map @map1
+ip test-ip4 input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ lookup reg 1 set map1 dreg 1 ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set meta mark | iif | meta cpu
+ip test-ip4 input
+ [ meta load mark => reg 1 ]
+ [ meta load iif => reg 2 ]
+ [ bitwise reg 1 = ( reg 1 | reg 2 ) ]
+ [ meta load cpu => reg 2 ]
+ [ bitwise reg 1 = ( reg 1 | reg 2 ) ]
+ [ meta set mark with reg 1 ]
diff --git a/tests/py/any/meta.t.payload.bridge b/tests/py/any/meta.t.payload.bridge
new file mode 100644
index 00000000..5997ccc7
--- /dev/null
+++ b/tests/py/any/meta.t.payload.bridge
@@ -0,0 +1,20 @@
+# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 }
+__map%d test-bridge b size 2
+__map%d test-bridge 0
+ element 00000100 : 00000001 0 [end] element 0000ff0f : 00004095 0 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set vlan id map @map1
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ lookup reg 1 set map1 dreg 1 ]
+ [ meta set mark with reg 1 ]
diff --git a/tests/py/any/rawpayload.t b/tests/py/any/rawpayload.t
index 5bc9d35f..118f58fd 100644
--- a/tests/py/any/rawpayload.t
+++ b/tests/py/any/rawpayload.t
@@ -15,10 +15,18 @@ meta l4proto tcp @th,16,16 { 22, 23, 80};ok;tcp dport { 22, 23, 80}
 @ll,0,0 2;fail
 @ll,0,1;fail
+@ll,1,0 1;fail
 @ll,0,1 1;ok;@ll,0,8 & 0x80 == 0x80
 @ll,0,8 & 0x80 == 0x80;ok
 @ll,0,128 0xfedcba987654321001234567890abcde;ok
 meta l4proto 91 @th,400,16 0x0 accept;ok
+meta l4proto 91 @th,0,16 0x0 accept;ok
 @ih,32,32 0x14000000;ok
+@ih,58,6 set 0 @ih,86,6 set 0 @ih,170,22 set 0;ok;@ih,58,6 set 0x0 @ih,86,6 set 0x0 @ih,170,22 set 0x0
+@ih,58,6 set 0x1 @ih,86,6 set 0x2 @ih,170,22 set 0x3;ok
+@ih,58,6 0x0 @ih,86,6 0x0 @ih,170,22 0x0;ok
+@ih,1,1 0x2;fail
+@ih,1,2 0x2;ok
+@ih,35,3 0x2;ok
diff --git a/tests/py/any/rawpayload.t.json b/tests/py/any/rawpayload.t.json
index 4cae4d49..04ed0acf 100644
--- a/tests/py/any/rawpayload.t.json
+++ b/tests/py/any/rawpayload.t.json
@@ -187,6 +187,37 @@ } ] +# meta l4proto 91 @th,0,16 0x0 accept +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 91 + } + }, + { + "match": { + "left": { + "payload": { + "base": "th", + "len": 16, + "offset": 0 + } + }, + "op": "==", + "right": 0 + } + }, + { + "accept": null + } +] + # @ih,32,32 0x14000000 [ { @@ -204,3 +235,160 @@ } ] +# @ih,58,6 set 0 @ih,86,6 set 0 @ih,170,22 set 0 +[ + { + "mangle": { + "key": { + "payload": { + "base": "ih", + "len": 6, + "offset": 58 + } + }, + "value": 0 + } + }, + { + "mangle": { + "key": { + "payload": { + "base": "ih", + "len": 6, + "offset": 86 + } + }, + "value": 0 + } + }, + { + "mangle": { + "key": { + "payload": { + "base": "ih", + "len": 22, + "offset": 170 + } + }, + "value": 0 + } + } +] + +# @ih,58,6 set 0x1 @ih,86,6 set 0x2 @ih,170,22 set 0x3 +[ + { + "mangle": { + "key": { + "payload": { + "base": "ih", + "len": 6, + "offset": 58 + } + }, + "value": 1 + } + }, + { + "mangle": { + "key": { + "payload": { + "base": "ih", + "len": 6, + "offset": 86 + } + }, + "value": 2 + } + }, + { + "mangle": { + "key": { + "payload": { + "base": "ih", + "len": 22, + "offset": 170 + } + }, + "value": 3 + } + } +] + +# @ih,58,6 0x0 @ih,86,6 0x0 @ih,170,22 0x0 +[ + { + "match": { + "left": { + "payload": { + "base": "ih", + "len": 6, + "offset": 58 + } + }, + "op": "==", + "right": 0 + } + }, + { + "match": { + "left": { + "payload": { + "base": "ih", + "len": 6, + "offset": 86 + } + }, + "op": "==", + "right": 0 + } + }, + { + "match": { + "left": { + "payload": { + "base": "ih", + "len": 22, + "offset": 170 + } + }, + "op": "==", + "right": 0 + } + } +] + +# @ih,1,2 0x2 +[ + { + "match": { + "left": { + "payload": { + "base": "ih", + "len": 2, + "offset": 1 + } + }, + "op": "==", + "right": 2 + } + } +] + +# @ih,35,3 0x2 +[ + { + "match": { + "left": { + "payload": { + "base": "ih", + "len": 3, + "offset": 35 + } + }, + "op": "==", + "right": 2 + } + } +] + 
diff --git a/tests/py/any/rawpayload.t.payload b/tests/py/any/rawpayload.t.payload
index fe2377e6..c093d5d8 100644
--- a/tests/py/any/rawpayload.t.payload
+++ b/tests/py/any/rawpayload.t.payload
@@ -56,8 +56,69 @@ inet test-inet input
 [ cmp eq reg 1 0x00000000 ]
 [ immediate reg 0 accept ]
+# meta l4proto 91 @th,0,16 0x0 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000005b ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ immediate reg 0 accept ]
+
 # @ih,32,32 0x14000000
 inet test-inet input
 [ payload load 4b @ inner header + 4 => reg 1 ]
 [ cmp eq reg 1 0x00000014 ]
+# @ih,58,6 set 0 @ih,86,6 set 0 @ih,170,22 set 0
+inet test-inet input
+ [ payload load 2b @ inner header + 6 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c0ff ) ^ 0x00000000 ]
+ [ payload write reg 1 => 2b @ inner header + 6 csum_type 0 csum_off 0 csum_flags 0x1 ]
+ [ payload load 2b @ inner header + 10 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000ffc ) ^ 0x00000000 ]
+ [ payload write reg 1 => 2b @ inner header + 10 csum_type 0 csum_off 0 csum_flags 0x1 ]
+ [ payload load 4b @ inner header + 20 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c0ff ) ^ 0x00000000 ]
+ [ payload write reg 1 => 4b @ inner header + 20 csum_type 0 csum_off 0 csum_flags 0x1 ]
+
+# @ih,58,6 set 0x1 @ih,86,6 set 0x2 @ih,170,22 set 0x3
+inet test-inet input
+ [ payload load 2b @ inner header + 6 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c0ff ) ^ 0x00000100 ]
+ [ payload write reg 1 => 2b @ inner header + 6 csum_type 0 csum_off 0 csum_flags 0x1 ]
+ [ payload load 2b @ inner header + 10 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000ffc ) ^ 0x00002000 ]
+ [ payload write reg 1 => 2b @ inner header + 10 csum_type 0 csum_off 0 csum_flags 0x1 ]
+ [ payload load 4b @ inner header + 20 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c0ff ) ^ 0x03000000 ]
+ [ payload write reg 1 => 4b @ inner header + 20 csum_type 0 csum_off 0 csum_flags 0x1 ]
+
+# @ih,58,6 0x0 @ih,86,6 0x0 @ih,170,22 0x0
+inet test-inet input
+ [ payload load 1b @ inner header + 7 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ payload load 2b @ inner header + 10 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000f003 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ payload load 3b @ inner header + 21 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00ffff3f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# @ih,1,2 0x2
+inet test-inet input
+ [ payload load 1b @ inner header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000060 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000040 ]
+
+# @ih,2,1 0x1
+inet test-inet input
+ [ payload load 1b @ inner header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000020 ]
+
+# @ih,35,3 0x2
+inet test-inet input
+ [ payload load 1b @ inner header + 4 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000001c ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000008 ]
diff --git a/tests/py/any/tcpopt.t b/tests/py/any/tcpopt.t
index 177f01c4..3d46c0ef 100644
--- a/tests/py/any/tcpopt.t
+++ b/tests/py/any/tcpopt.t
@@ -51,9 +51,10 @@ tcp option md5sig exists;ok
 tcp option fastopen exists;ok
 tcp option mptcp exists;ok
-tcp option mptcp subtype 0;ok
-tcp option mptcp subtype 1;ok
-tcp option mptcp subtype { 0, 2};ok
+tcp option mptcp subtype mp-capable;ok
+tcp option mptcp subtype 1;ok;tcp option mptcp subtype mp-join
+tcp option mptcp subtype { mp-capable, mp-join, remove-addr, mp-prio, mp-fail, mp-fastclose, mp-tcprst };ok
+tcp option mptcp subtype . tcp dport { mp-capable . 10, mp-join . 100, add-addr . 200, remove-addr . 300, mp-prio . 400, mp-fail . 500, mp-fastclose . 600, mp-tcprst . 700 };ok
 reset tcp option mptcp;ok
 reset tcp option 2;ok;reset tcp option maxseg
diff --git a/tests/py/any/tcpopt.t.json b/tests/py/any/tcpopt.t.json
index 4466f14f..e712a5e0 100644
--- a/tests/py/any/tcpopt.t.json
+++ b/tests/py/any/tcpopt.t.json
@@ -192,7 +192,7 @@
 "left": {
 "tcp option": {
 "field": "left",
- "name": "sack"
+ "name": "sack0"
 }
 },
 "op": "==",
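Review bot: The `# @ih,2,1 0x1` block near the end of this hunk has no matching rule in the additions to rawpayload.t (which adds `@ih,1,1 0x2;fail`, `@ih,1,2 0x2;ok` and `@ih,35,3 0x2;ok`) and no block in rawpayload.t.json, so it is an expectation nothing exercises. Either add `@ih,2,1 0x1;ok` to rawpayload.t together with the corresponding JSON block, or drop the orphan payload block, so the three fixture files stay in step. The encoding itself is consistent with its neighbours: bit 2 of byte 0 gives mask `0x00000020` and a set bit compares as `0x00000020`.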
@@ -272,7 +272,7 @@ "left": { "tcp option": { "field": "right", - "name": "sack" + "name": "sack0" } }, "op": "==", @@ -533,7 +533,7 @@ } ] -# tcp option mptcp subtype 0 +# tcp option mptcp subtype mp-capable [ { "match": { @@ -544,7 +544,7 @@ } }, "op": "==", - "right": 0 + "right": "mp-capable" } } ] @@ -560,12 +560,12 @@ } }, "op": "==", - "right": 1 + "right": "mp-join" } } ] -# tcp option mptcp subtype { 0, 2} +# tcp option mptcp subtype { mp-capable, mp-join, remove-addr, mp-prio, mp-fail, mp-fastclose, mp-tcprst } [ { "match": { @@ -578,14 +578,96 @@ "op": "==", "right": { "set": [ - 0, - 2 + "mp-capable", + "mp-join", + "remove-addr", + "mp-prio", + "mp-fail", + "mp-fastclose", + "mp-tcprst" ] } } } ] +# tcp option mptcp subtype . tcp dport { mp-capable . 10, mp-join . 100, add-addr . 200, remove-addr . 300, mp-prio . 400, mp-fail . 500, mp-fastclose . 600, mp-tcprst . 700 } +[ + { + "match": { + "left": { + "concat": [ + { + "tcp option": { + "field": "subtype", + "name": "mptcp" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "mp-capable", + 10 + ] + }, + { + "concat": [ + "remove-addr", + 300 + ] + }, + { + "concat": [ + "mp-fastclose", + 600 + ] + }, + { + "concat": [ + "mp-join", + 100 + ] + }, + { + "concat": [ + "mp-prio", + 400 + ] + }, + { + "concat": [ + "mp-tcprst", + 700 + ] + }, + { + "concat": [ + "add-addr", + 200 + ] + }, + { + "concat": [ + "mp-fail", + 500 + ] + } + ] + } + } + } +] + # reset tcp option mptcp [ { diff --git a/tests/py/any/tcpopt.t.payload b/tests/py/any/tcpopt.t.payload index 99b8985f..437e073a 100644 --- a/tests/py/any/tcpopt.t.payload +++ b/tests/py/any/tcpopt.t.payload 
@@ -168,7 +168,7 @@ inet
 [ exthdr load tcpopt 1b @ 30 + 0 present => reg 1 ]
 [ cmp eq reg 1 0x00000001 ]
-# tcp option mptcp subtype 0
+# tcp option mptcp subtype mp-capable
 inet
 [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ]
 [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
@@ -180,13 +180,26 @@ inet
 [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
 [ cmp eq reg 1 0x00000010 ]
-# tcp option mptcp subtype { 0, 2}
-__set%d test-inet 3 size 2
-__set%d test-inet 0
- element 00000000 : 0 [end] element 00000020 : 0 [end]
-inet
+# tcp option mptcp subtype { mp-capable, mp-join, remove-addr, mp-prio, mp-fail, mp-fastclose, mp-tcprst }
+__set%d test-ip4 3 size 7
+__set%d test-ip4 0
+ element 00000000 : 0 [end] element 00000010 : 0 [end] element 00000040 : 0 [end] element 00000050 : 0 [end] element 00000060 : 0 [end] element 00000070 : 0 [end] element 00000080 : 0 [end]
+ip test-ip4 input
+ [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp option mptcp subtype . tcp dport { mp-capable . 10, mp-join . 100, add-addr . 200, remove-addr . 300, mp-prio . 400, mp-fail . 500, mp-fastclose . 600, mp-tcprst . 700 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000000 00000a00 : 0 [end] element 00000001 00006400 : 0 [end] element 00000003 0000c800 : 0 [end] element 00000004 00002c01 : 0 [end] element 00000005 00009001 : 0 [end] element 00000006 0000f401 : 0 [end] element 00000007 00005802 : 0 [end] element 00000008 0000bc02 : 0 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
 [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ]
 [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000004 ) ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
 [ lookup reg 1 set __set%d ]
 # reset tcp option mptcp
diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload
index d56927b5..0182bb1b 100644
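Review bot: The two new blocks in the second hunk head their expected output with `ip test-ip4 input`, while the rest of this payload file (and the `-inet` line they replace) is written for the inet family. The same mismatch recurs in dccp.t.payload, where the new `dccp option` blocks say `ip test-inet input` (ip family on an inet-named table), and in vlan.t.payload.netdev, where the new block says `bridge test-bridge input` inside a netdev fixture. The harness appears to tolerate this line being inexact, since the old block got by with a bare `inet`, but anyone grepping these fixtures by family will be misled; writing the family the file actually tests, e.g. `inet test-inet input` here, keeps the three files self-consistent.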
--- a/tests/py/arp/arp.t.payload
+++ b/tests/py/arp/arp.t.payload
@@ -21,8 +21,7 @@ arp test-arp input
 # arp htype 33-45
 arp test-arp input
 [ payload load 2b @ network header + 0 => reg 1 ]
- [ cmp gte reg 1 0x00002100 ]
- [ cmp lte reg 1 0x00002d00 ]
+ [ range eq reg 1 0x00002100 0x00002d00 ]
 # arp htype != 33-45
 arp test-arp input
@@ -63,8 +62,7 @@ arp test-arp input
 # arp hlen 33-45
 arp test-arp input
 [ payload load 1b @ network header + 4 => reg 1 ]
- [ cmp gte reg 1 0x00000021 ]
- [ cmp lte reg 1 0x0000002d ]
+ [ range eq reg 1 0x00000021 0x0000002d ]
 # arp hlen != 33-45
 arp test-arp input
@@ -100,8 +98,7 @@ arp test-arp input
 # arp plen 33-45
 arp test-arp input
 [ payload load 1b @ network header + 5 => reg 1 ]
- [ cmp gte reg 1 0x00000021 ]
- [ cmp lte reg 1 0x0000002d ]
+ [ range eq reg 1 0x00000021 0x0000002d ]
 # arp plen != 33-45
 arp test-arp input
@@ -143,8 +140,7 @@ arp test-arp input
 # arp operation 1-2
 arp test-arp input
 [ payload load 2b @ network header + 6 => reg 1 ]
- [ cmp gte reg 1 0x00000100 ]
- [ cmp lte reg 1 0x00000200 ]
+ [ range eq reg 1 0x00000100 0x00000200 ]
 # arp operation request
 arp test-arp input
diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev
index 92df2400..d1188112 100644
--- a/tests/py/arp/arp.t.payload.netdev
+++ b/tests/py/arp/arp.t.payload.netdev
@@ -31,8 +31,7 @@ netdev test-netdev ingress
 [ meta load protocol => reg 1 ]
 [ cmp eq reg 1 0x00000608 ]
 [ payload load 2b @ network header + 0 => reg 1 ]
- [ cmp gte reg 1 0x00002100 ]
- [ cmp lte reg 1 0x00002d00 ]
+ [ range eq reg 1 0x00002100 0x00002d00 ]
 # arp htype != 33-45
 netdev test-netdev ingress
@@ -87,8 +86,7 @@ netdev test-netdev ingress
 [ meta load protocol => reg 1 ]
 [ cmp eq reg 1 0x00000608 ]
 [ payload load 1b @ network header + 4 => reg 1 ]
- [ cmp gte reg 1 0x00000021 ]
- [ cmp lte reg 1 0x0000002d ]
+ [ range eq reg 1 0x00000021 0x0000002d ]
 # arp hlen != 33-45
 netdev test-netdev ingress
@@ -136,8 +134,7 @@ netdev test-netdev ingress
 [ meta load protocol => reg 1 ]
 [ cmp eq reg 1 0x00000608 ]
 [ payload load 1b @ network header + 5 => reg 1 ]
- [ cmp gte reg 1 0x00000021 ]
- [ cmp lte reg 1 0x0000002d ]
+ [ range eq reg 1 0x00000021 0x0000002d ]
 # arp plen != 33-45
 netdev test-netdev ingress
@@ -191,8 +188,7 @@ netdev test-netdev ingress
 [ meta load protocol => reg 1 ]
 [ cmp eq reg 1 0x00000608 ]
 [ payload load 2b @ network header + 6 => reg 1 ]
- [ cmp gte reg 1 0x00000100 ]
- [ cmp lte reg 1 0x00000200 ]
+ [ range eq reg 1 0x00000100 0x00000200 ]
 # arp operation request
 netdev test-netdev ingress
diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t
index d77ebd89..171aa610 100644
--- a/tests/py/bridge/meta.t
+++ b/tests/py/bridge/meta.t
@@ -9,3 +9,5 @@ meta ibrpvid 100;ok
 meta protocol ip udp dport 67;ok
 meta protocol ip6 udp dport 67;ok
+
+meta broute set 1;fail
diff --git a/tests/py/bridge/redirect.t b/tests/py/bridge/redirect.t
new file mode 100644
index 00000000..5181e799
--- /dev/null
+++ b/tests/py/bridge/redirect.t
@@ -0,0 +1,5 @@
+:prerouting;type filter hook prerouting priority 0
+
+*bridge;test-bridge;prerouting
+
+meta broute set 1;ok
diff --git a/tests/py/bridge/redirect.t.json b/tests/py/bridge/redirect.t.json
new file mode 100644
index 00000000..7e32b329
--- /dev/null
+++ b/tests/py/bridge/redirect.t.json
@@ -0,0 +1,12 @@
+# meta broute set 1
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": { "key": "broute" }
+ },
+ "value": 1
+ }
+ }
+]
+
diff --git a/tests/py/bridge/redirect.t.payload b/tests/py/bridge/redirect.t.payload
new file mode 100644
index 00000000..1fcfa5f1
--- /dev/null
+++ b/tests/py/bridge/redirect.t.payload
@@ -0,0 +1,4 @@
+# meta broute set 1
+bridge test-bridge prerouting
+ [ immediate reg 1 0x00000001 ]
+ [ meta set broute with reg 1 ]
diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
index 95bdff4f..8fa90dac 100644
--- a/tests/py/bridge/vlan.t
+++ b/tests/py/bridge/vlan.t
@@ -52,3 +52,5 @@ ether saddr 00:01:02:03:04:05 vlan id 1;ok
 vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2
 ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 };ok
+
+ether saddr 00:11:22:33:44:55 counter ether type 8021q;ok
diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json
index f77756f5..7dfcdb4b 100644
--- a/tests/py/bridge/vlan.t.json
+++ b/tests/py/bridge/vlan.t.json
@@ -858,3 +858,37 @@
 }
 }
 ]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:11:22:33:44:55"
+ }
+ },
+ {
+ "counter": {
+ "bytes": 0,
+ "packets": 0
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "8021q"
+ }
+ }
+]
diff --git a/tests/py/bridge/vlan.t.json.output b/tests/py/bridge/vlan.t.json.output
index 2f90c8ff..eea2d411 100644
--- a/tests/py/bridge/vlan.t.json.output
+++ b/tests/py/bridge/vlan.t.json.output
@@ -202,3 +202,34 @@
 }
 }
 ]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:11:22:33:44:55"
+ }
+ },
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "8021q"
+ }
+ }
+]
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
index 62e4b89b..0144a9a5 100644
--- a/tests/py/bridge/vlan.t.payload
+++ b/tests/py/bridge/vlan.t.payload
@@ -207,8 +207,7 @@ bridge test-bridge input
 [ lookup reg 1 set __set%d ]
 [ payload load 1b @ link header + 14 => reg 1 ]
 [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
- [ cmp gte reg 1 0x00000020 ]
- [ cmp lte reg 1 0x00000060 ]
+ [ range eq reg 1 0x00000020 0x00000060 ]
 # ether type vlan ip protocol 1 accept
 bridge test-bridge input
@@ -304,3 +303,11 @@ bridge test-bridge input
 [ payload load 2b @ link header + 14 => reg 10 ]
 [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ]
 [ lookup reg 1 set __set%d ]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+bridge test-bridge input
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x33221100 0x00005544 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
index 1018d4c6..330fb4a3 100644
--- a/tests/py/bridge/vlan.t.payload.netdev
+++ b/tests/py/bridge/vlan.t.payload.netdev
@@ -243,8 +243,7 @@ netdev test-netdev ingress
 [ lookup reg 1 set __set%d ]
 [ payload load 1b @ link header + 14 => reg 1 ]
 [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
- [ cmp gte reg 1 0x00000020 ]
- [ cmp lte reg 1 0x00000060 ]
+ [ range eq reg 1 0x00000020 0x00000060 ]
 # ether type vlan ip protocol 1 accept
 netdev test-netdev ingress
@@ -356,3 +355,13 @@ netdev test-netdev ingress
 [ payload load 2b @ link header + 14 => reg 10 ]
 [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ]
 [ lookup reg 1 set __set%d ]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+bridge test-bridge input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x33221100 0x00005544 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/inet/ah.t.payload b/tests/py/inet/ah.t.payload
index 7ddd72d5..e0cd2002 100644
--- a/tests/py/inet/ah.t.payload
+++ b/tests/py/inet/ah.t.payload
@@ -3,8 +3,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000033 ]
 [ payload load 1b @ transport header + 1 => reg 1 ]
- [ cmp gte reg 1 0x0000000b ]
- [ cmp lte reg 1 0x00000017 ]
+ [ range eq reg 1 0x0000000b 0x00000017 ]
 # ah hdrlength != 11-23
 inet test-inet input
@@ -52,8 +51,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000033 ]
 [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp gte reg 1 0x00002100 ]
- [ cmp lte reg 1 0x00002d00 ]
+ [ range eq reg 1 0x00002100 0x00002d00 ]
 # ah reserved != 33-45
 inet test-inet input
@@ -101,8 +99,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000033 ]
 [ payload load 4b @ transport header + 4 => reg 1 ]
- [ cmp gte reg 1 0x6f000000 ]
- [ cmp lte reg 1 0xde000000 ]
+ [ range eq reg 1 0x6f000000 0xde000000 ]
 # ah spi != 111-222
 inet test-inet input
@@ -170,8 +167,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000033 ]
 [ payload load 4b @ transport header + 8 => reg 1 ]
- [ cmp gte reg 1 0x17000000 ]
- [ cmp lte reg 1 0x21000000 ]
+ [ range eq reg 1 0x17000000 0x21000000 ]
 # ah sequence != 23-33
 inet test-inet input
diff --git a/tests/py/inet/comp.t.payload b/tests/py/inet/comp.t.payload
index 024e47cd..2ffe3b31 100644
--- a/tests/py/inet/comp.t.payload
+++ b/tests/py/inet/comp.t.payload
@@ -24,8 +24,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x0000006c ]
 [ payload load 1b @ transport header + 1 => reg 1 ]
- [ cmp gte reg 1 0x00000033 ]
- [ cmp lte reg 1 0x00000045 ]
+ [ range eq reg 1 0x00000033 0x00000045 ]
 # comp flags != 0x33-0x45
 inet test-inet input
@@ -73,8 +72,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x0000006c ]
 [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp gte reg 1 0x00002100 ]
- [ cmp lte reg 1 0x00002d00 ]
+ [ range eq reg 1 0x00002100 0x00002d00 ]
 # comp cpi != 33-45
 inet test-inet input
diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t
index 5312b328..8a7b1555 100644
--- a/tests/py/inet/ct.t
+++ b/tests/py/inet/ct.t
@@ -3,11 +3,16 @@ *inet;test-inet;input
+# dependency should be removed
 meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4
 ct original ip6 saddr ::1;ok
 ct original ip daddr 1.2.3.4 accept;ok
+# dependency must not be removed
+meta nfproto ipv4 ct mark 0x00000001;ok
+meta nfproto ipv6 ct protocol 6;ok
+
 # missing protocol context
 ct original saddr ::1;fail
diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json
index 223ac9e7..155eecc5 100644
--- a/tests/py/inet/ct.t.json
+++ b/tests/py/inet/ct.t.json
@@ -58,3 +58,54 @@
 }
 ]
+# meta nfproto ipv4 ct mark 0x00000001
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "nfproto"
+ }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# meta nfproto ipv6 ct protocol 6
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "nfproto"
+ }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "ct": {
+ "key": "protocol"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ }
+]
diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload
index f7a2ef27..216dad2b 100644
--- a/tests/py/inet/ct.t.payload
+++ b/tests/py/inet/ct.t.payload
@@ -15,3 +15,17 @@ inet test-inet input
 [ ct load dst_ip => reg 1 , dir original ]
 [ cmp eq reg 1 0x04030201 ]
 [ immediate reg 0 accept ]
+
+# meta nfproto ipv4 ct mark 0x00000001
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ ct load mark => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# meta nfproto ipv6 ct protocol 6
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ ct load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t
index 90142f53..99cddbe7 100644
--- a/tests/py/inet/dccp.t
+++ b/tests/py/inet/dccp.t
@@ -23,3 +23,8 @@ dccp type {request, response, data, ack, dataack, closereq, close, reset, sync,
 dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
 dccp type request;ok
 dccp type != request;ok
+
+dccp option 0 exists;ok
+dccp option 43 missing;ok
+dccp option 255 exists;ok
+dccp option 256 exists;fail
diff --git a/tests/py/inet/dccp.t.json b/tests/py/inet/dccp.t.json
index 806ef5ee..9f47e97b 100644
--- a/tests/py/inet/dccp.t.json
+++ b/tests/py/inet/dccp.t.json
@@ -230,3 +230,47 @@
 }
 ]
+# dccp option 0 exists
+[
+ {
+ "match": {
+ "left": {
+ "dccp option": {
+ "type": 0
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# dccp option 43 missing
+[
+ {
+ "match": {
+ "left": {
+ "dccp option": {
+ "type": 43
+ }
+ },
+ "op": "==",
+ "right": false
+ }
+ }
+]
+
+# dccp option 255 exists
+[
+ {
+ "match": {
+ "left": {
+ "dccp option": {
+ "type": 255
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
diff --git a/tests/py/inet/dccp.t.payload b/tests/py/inet/dccp.t.payload
index fbe9dc5b..7cb9721c 100644
--- a/tests/py/inet/dccp.t.payload
+++ b/tests/py/inet/dccp.t.payload
@@ -3,8 +3,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000021 ]
 [ payload load 2b @ transport header + 0 => reg 1 ]
- [ cmp gte reg 1 0x00001500 ]
- [ cmp lte reg 1 0x00002300 ]
+ [ range eq reg 1 0x00001500 0x00002300 ]
 # dccp sport != 21-35
 inet test-inet input
@@ -38,8 +37,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000021 ]
 [ payload load 2b @ transport header + 0 => reg 1 ]
- [ cmp gte reg 1 0x00001400 ]
- [ cmp lte reg 1 0x00003200 ]
+ [ range eq reg 1 0x00001400 0x00003200 ]
 # dccp dport {23, 24, 25}
 __set%d test-ip4 3
@@ -99,3 +97,17 @@ inet test-inet input
 [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
 [ cmp neq reg 1 0x00000000 ]
+# dccp option 0 exists
+ip test-inet input
+ [ exthdr load 1b @ 0 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# dccp option 43 missing
+ip test-inet input
+ [ exthdr load 1b @ 43 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# dccp option 255 exists
+ip test-inet input
+ [ exthdr load 1b @ 255 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
diff --git a/tests/py/inet/esp.t.payload b/tests/py/inet/esp.t.payload
index 0353b056..bb67aad6 100644
--- a/tests/py/inet/esp.t.payload
+++ b/tests/py/inet/esp.t.payload
@@ -17,8 +17,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000032 ]
 [ payload load 4b @ transport header + 0 => reg 1 ]
- [ cmp gte reg 1 0x6f000000 ]
- [ cmp lte reg 1 0xde000000 ]
+ [ range eq reg 1 0x6f000000 0xde000000 ]
 # esp spi != 111-222
 inet test-inet input
@@ -59,8 +58,7 @@ inet test-inet input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000032 ]
 [ payload load 4b @ transport header + 4 => reg 1 ]
- [ cmp gte reg 1 0x16000000 ]
- [ cmp lte reg 1 0x18000000 ]
+ [ range eq reg 1 0x16000000 0x18000000 ]
 # esp sequence != 22-24
 inet test-inet input
diff --git a/tests/py/inet/geneve.t.json b/tests/py/inet/geneve.t.json
new file mode 100644
index 00000000..a299fcd2
--- /dev/null
+++ b/tests/py/inet/geneve.t.json 
@@ -0,0 +1,344 @@ +# udp dport 6081 geneve vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "geneve", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 6081 geneve ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 6081 geneve udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 6081 geneve icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + 
"protocol": "icmp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 6081 geneve vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "geneve" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + 
diff --git a/tests/py/inet/geneve.t.payload b/tests/py/inet/geneve.t.payload
index 1ce54de6..59778738 100644
--- a/tests/py/inet/geneve.t.payload
+++ b/tests/py/inet/geneve.t.payload
@@ -4,7 +4,7 @@ ip test-ip4 input
 [ cmp eq reg 1 0x00000011 ]
 [ payload load 2b @ transport header + 2 => reg 1 ]
 [ cmp eq reg 1 0x0000c117 ]
- [ inner type 2 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 3b @ tunnel header + 4 => reg 1 ] ]
 [ cmp eq reg 1 0x000a0000 ]
 # udp dport 6081 geneve ip saddr 10.141.11.2
diff --git a/tests/py/inet/gre.t.json b/tests/py/inet/gre.t.json
new file mode 100644
index 00000000..c4431764
--- /dev/null
+++ b/tests/py/inet/gre.t.json
@@ -0,0 +1,177 @@ +# gre version 0 +[ + { + "match": { + "left": { + "payload": { + "field": "version", + "protocol": "gre" + } + }, + "op": "==", + "right": 0 + } + } +] + +# gre ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gre ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gre ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gre udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gre" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gre icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gre" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gre" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + 
diff --git a/tests/py/inet/gretap.t.json b/tests/py/inet/gretap.t.json
new file mode 100644
index 00000000..36fa9782
--- /dev/null
+++ b/tests/py/inet/gretap.t.json
@@ -0,0 +1,195 @@ +# gretap ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gretap ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gretap ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gretap udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gretap icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gretap ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# gretap vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 10 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 
4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gretap" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload index 9648255d..f8ecd9d1 100644 --- a/tests/py/inet/ipsec.t.payload +++ b/tests/py/inet/ipsec.t.payload @@ -16,8 +16,7 @@ ip ipsec-ip4 ipsec-input # ipsec out spi 1-561 inet ipsec-inet ipsec-post [ xfrm load out 0 spi => reg 1 ] - [ cmp gte reg 1 0x01000000 ] - [ cmp lte reg 1 0x31020000 ] + [ range eq reg 1 0x01000000 0x31020000 ] # ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 } __set%d ipsec-ip4 7 size 5 diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t index 374738a7..5c5c11d4 100644 --- a/tests/py/inet/meta.t +++ b/tests/py/inet/meta.t @@ -25,3 +25,11 @@ meta mark set ct mark >> 8;ok meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok +ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 };ok + +meta mark set ip dscp;ok +meta mark set ip dscp | 0x40;ok +meta mark set ip6 dscp;ok +meta mark set ip6 dscp | 0x40;ok + +meta mark set ct mark and 0xffff0000 or meta mark and 0xffff;ok;meta mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json index 92a1f9bf..4352b963 100644 --- a/tests/py/inet/meta.t.json +++ b/tests/py/inet/meta.t.json 
@@ -236,6 +236,43 @@ } ] +# meta mark set ct mark and 0xffff0000 or meta mark and 0xffff +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "&": [ + { + "ct": { + "key": "mark" + } + }, + 4294901760 + ] + }, + { + "&": [ + { + "meta": { + "key": "mark" + } + }, + 65535 + ] + } + ] + } + } + } +] + # meta protocol ip udp dport 67 [ { @@ -440,3 +477,130 @@ } ] +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 64 + ] + } + } + } +] + +# meta mark set ip6 dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } +] + +# meta mark set ip6 dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 64 + ] + } + } + } +] + +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "aa:bb:cc:dd:ee:ff", + "tcp" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.json.output b/tests/py/inet/meta.t.json.output index 3e7dd214..8697d5a2 100644 --- a/tests/py/inet/meta.t.json.output +++ b/tests/py/inet/meta.t.json.output 
@@ -51,3 +51,44 @@ } ] +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "aa:bb:cc:dd:ee:ff", + 6 + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload index ea540907..04dfbd8f 100644 --- a/tests/py/inet/meta.t.payload +++ b/tests/py/inet/meta.t.payload @@ -80,6 +80,15 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ] [ meta set mark with reg 1 ] +# meta mark set ct mark and 0xffff0000 or meta mark and 0xffff +inet test-inet input + [ ct load mark => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xffff0000 ) ^ 0x00000000 ] + [ meta load mark => reg 2 ] + [ bitwise reg 2 = ( reg 2 & 0x0000ffff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 | reg 2 ) ] + [ meta set mark with reg 1 ] + # meta protocol ip udp dport 67 inet test-inet input [ meta load protocol => reg 1 ] 
@@ -133,3 +142,57 @@ inet test-inet input [ meta load mark => reg 9 ] [ lookup reg 1 set __set%d ] +# meta mark set ip dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 
6 } +__set%d test-inet 3 size 1 +__set%d test-inet 0 + element 04030201 ddccbbaa 0000ffee 00000006 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 6b @ link header + 6 => reg 9 ] + [ meta load l4proto => reg 11 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/payloadmerge.t b/tests/py/inet/payloadmerge.t new file mode 100644 index 00000000..04ba1ce6 --- /dev/null +++ b/tests/py/inet/payloadmerge.t @@ -0,0 +1,14 @@ +:input;type filter hook input priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input + +tcp sport 1 tcp dport 2;ok +tcp sport != 1 tcp dport != 2;ok +tcp sport 1 tcp dport != 2;ok +tcp sport != 1 tcp dport 2;ok +meta l4proto != 6 th dport 2;ok +meta l4proto 6 tcp dport 22;ok;tcp dport 22 +tcp sport > 1 tcp dport > 2;ok +tcp sport 1 tcp dport > 2;ok diff --git a/tests/py/inet/payloadmerge.t.json b/tests/py/inet/payloadmerge.t.json new file mode 100644 index 00000000..e5b66cf9 --- /dev/null +++ b/tests/py/inet/payloadmerge.t.json 
@@ -0,0 +1,211 @@ +# tcp sport 1 tcp dport 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# tcp sport != 1 tcp dport != 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 2 + } + } +] + +# tcp sport 1 tcp dport != 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 2 + } + } +] + +# tcp sport != 1 tcp dport 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# meta l4proto != 6 th dport 2 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "!=", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "th" + } + }, + "op": "==", + "right": 2 + } + } +] + +# meta l4proto 6 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sport > 1 tcp dport > 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 2 + } + } +] + +# tcp sport 1 tcp dport > 2 +[ + { + "match": { + "left": { + 
"payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 2 + } + } +] + diff --git a/tests/py/inet/payloadmerge.t.payload b/tests/py/inet/payloadmerge.t.payload new file mode 100644 index 00000000..a0465cdd --- /dev/null +++ b/tests/py/inet/payloadmerge.t.payload 
@@ -0,0 +1,66 @@ +# tcp sport 1 tcp dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x02000100 ] + +# tcp sport != 1 tcp dport != 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00000200 ] + +# tcp sport 1 tcp dport != 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00000200 ] + +# tcp sport != 1 tcp dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000200 ] + +# meta l4proto != 6 th dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000200 ] + +# meta l4proto 6 tcp dport 22 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp sport > 1 tcp dport > 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gt reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gt reg 1 0x00000200 ] + +# tcp sport 1 tcp dport > 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + 
[ cmp gt reg 1 0x00000200 ] + diff --git a/tests/py/inet/sctp.t.payload b/tests/py/inet/sctp.t.payload index 7337e2ea..0f6b3a8b 100644 --- a/tests/py/inet/sctp.t.payload +++ b/tests/py/inet/sctp.t.payload @@ -17,8 +17,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000084 ] [ payload load 2b @ transport header + 0 => reg 1 ] - [ cmp gte reg 1 0x00001700 ] - [ cmp lte reg 1 0x00002c00 ] + [ range eq reg 1 0x00001700 0x00002c00 ] # sctp sport != 23-44 inet test-inet input @@ -66,8 +65,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000084 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00001700 ] - [ cmp lte reg 1 0x00002c00 ] + [ range eq reg 1 0x00001700 0x00002c00 ] # sctp dport != 23-44 inet test-inet input @@ -115,8 +113,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000084 ] [ payload load 4b @ transport header + 8 => reg 1 ] - [ cmp gte reg 1 0x15000000 ] - [ cmp lte reg 1 0x4d010000 ] + [ range eq reg 1 0x15000000 0x4d010000 ] # sctp checksum != 32-111 inet test-inet input @@ -164,8 +161,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000084 ] [ payload load 4b @ transport header + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] + [ range eq reg 1 0x21000000 0x2d000000 ] # sctp vtag != 33-45 inet test-inet input diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t index f51ebd36..f4bdac17 100644 --- a/tests/py/inet/tcp.t +++ b/tests/py/inet/tcp.t @@ -68,8 +68,8 @@ tcp flags != { fin, urg, ecn, cwr} drop;ok tcp flags cwr;ok tcp flags != cwr;ok tcp flags == syn;ok -tcp flags fin,syn / fin,syn;ok -tcp flags != syn / fin,syn;ok +tcp flags fin,syn / fin,syn;ok;tcp flags & (fin | syn) == fin | syn +tcp flags != syn / fin,syn;ok;tcp flags & (fin | syn) != syn tcp flags & syn != 0;ok;tcp flags syn tcp flags & syn == 0;ok;tcp flags ! syn tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack 
@@ -77,12 +77,12 @@ tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack # it should be possible to transform this to: tcp flags syn tcp flags & syn == syn;ok tcp flags & syn != syn;ok -tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack -tcp flags & (fin | syn | rst | ack) == syn;ok;tcp flags syn / fin,syn,rst,ack -tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack -tcp flags & (fin | syn | rst | ack) == (syn | ack);ok;tcp flags syn,ack / fin,syn,rst,ack -tcp flags & (fin | syn | rst | ack) != (syn | ack);ok;tcp flags != syn,ack / fin,syn,rst,ack -tcp flags & (syn | ack) == (syn | ack);ok;tcp flags syn,ack / syn,ack +tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags & (fin | syn | rst | ack) == syn +tcp flags & (fin | syn | rst | ack) == syn;ok +tcp flags & (fin | syn | rst | ack) != syn;ok +tcp flags & (fin | syn | rst | ack) == syn | ack;ok +tcp flags & (fin | syn | rst | ack) != syn | ack;ok +tcp flags & (syn | ack) == syn | ack;ok tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff tcp flags { syn, syn | ack };ok tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json index 8439c2b5..28dd4341 100644 --- a/tests/py/inet/tcp.t.json +++ b/tests/py/inet/tcp.t.json @@ -954,12 +954,12 @@ } }, { - "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] + "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } ] }, "op": "==", - "right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] } + "right": { "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } } } ] 
@@ -1370,13 +1370,13 @@ "op": "==", "right": { "set": [ + "syn", { "|": [ "syn", "ack" ] - }, - "syn" + } ] } } @@ -1395,56 +1395,16 @@ "protocol": "tcp" } }, - { - "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "psh" - ] - }, - "ack" - ] - }, - "urg" - ] - } + { "|": [ "fin", "syn", "rst", "psh", "ack", "urg" ] } ] }, "op": "==", "right": { "set": [ - { - "|": [ - { - "|": [ - "fin", - "psh" - ] - }, - "ack" - ] - }, "fin", - { - "|": [ - "psh", - "ack" - ] - }, - "ack" + "ack", + { "|": [ "psh", "ack" ] }, + { "|": [ "fin", "psh", "ack" ] } ] } } @@ -1482,17 +1442,21 @@ "protocol": "tcp" } }, - [ - "fin", - "syn" - ] + { + "|": [ + "fin", + "syn" + ] + } ] }, "op": "==", - "right": [ - "fin", - "syn" - ] + "right": { + "|": [ + "fin", + "syn" + ] + } } } ] @@ -1509,10 +1473,12 @@ "protocol": "tcp" } }, - [ - "fin", - "syn" - ] + { + "|": [ + "fin", + "syn" + ] + } ] }, "op": "!=", @@ -1645,12 +1611,14 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } ] }, "op": "==", @@ -1671,12 +1639,14 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } ] }, "op": "==", @@ -1698,12 +1668,14 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } ] }, "op": "!=", @@ -1712,7 +1684,7 @@ } ] -# tcp flags & (fin | syn | rst | ack) == (syn | ack) +# tcp flags & (fin | syn | rst | ack) == syn | ack [ { "match": { @@ -1724,24 +1696,28 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } ] }, "op": "==", - "right": [ - "syn", - "ack" - ] + "right": { + "|": [ + "syn", + "ack" + ] + } } } ] -# tcp flags & (fin | syn | rst | ack) != (syn | ack) +# tcp flags & (syn | ack) == syn | ack [ { "match": { 
@@ -1753,24 +1729,26 @@ "protocol": "tcp" } }, - [ - "fin", - "syn", - "rst", - "ack" - ] + { + "|": [ + "syn", + "ack" + ] + } ] }, - "op": "!=", - "right": [ - "syn", - "ack" - ] + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } } } ] -# tcp flags & (syn | ack) == (syn | ack) +# tcp flags & (fin | syn | rst | ack) != syn | ack [ { "match": { @@ -1782,17 +1760,16 @@ "protocol": "tcp" } }, - [ - "syn", - "ack" - ] + { "|": [ "fin", "syn", "rst", "ack" ] } ] }, - "op": "==", - "right": [ - "syn", - "ack" - ] + "op": "!=", + "right": { + "|": [ + "syn", + "ack" + ] + } } } ] diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output index c471e8d8..d487a8f1 100644 --- a/tests/py/inet/tcp.t.json.output +++ b/tests/py/inet/tcp.t.json.output @@ -115,32 +115,6 @@ } ] -# tcp flags { syn, syn | ack } -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - "syn", - { - "|": [ - "syn", - "ack" - ] - } - ] - } - } - } -] - # tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } [ { @@ -155,27 +129,11 @@ }, { "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "psh" - ] - }, - "ack" - ] - }, + "fin", + "syn", + "rst", + "psh", + "ack", "urg" ] } @@ -187,12 +145,8 @@ "fin", { "|": [ - { - "|": [ - "fin", - "psh" - ] - }, + "fin", + "psh", "ack" ] }, diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload index 1cfe500b..5c36ad3e 100644 --- a/tests/py/inet/tcp.t.payload +++ b/tests/py/inet/tcp.t.payload @@ -17,8 +17,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # tcp dport != 33-45 inet test-inet input 
@@ -117,8 +116,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 0 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # tcp sport != 33-45 inet test-inet input @@ -223,8 +221,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 4b @ transport header + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] + [ range eq reg 1 0x21000000 0x2d000000 ] # tcp sequence != 33-45 inet test-inet input @@ -280,8 +277,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 4b @ transport header + 8 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] + [ range eq reg 1 0x21000000 0x2d000000 ] # tcp ackseq != 33-45 inet test-inet input @@ -442,7 +438,7 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000002 ] -# tcp flags & (fin | syn | rst | ack) == (syn | ack) +# tcp flags & (fin | syn | rst | ack) == syn | ack inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -450,7 +446,7 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000012 ] -# tcp flags & (fin | syn | rst | ack) != (syn | ack) +# tcp flags & (fin | syn | rst | ack) != syn | ack inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -458,7 +454,7 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000012 ] -# tcp flags & (syn | ack) == (syn | ack) +# tcp flags & (syn | ack) == syn | ack inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] 
@@ -500,8 +496,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 14 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # tcp window != 33-45 inet test-inet input @@ -549,8 +544,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 16 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # tcp checksum != 33-45 inet test-inet input @@ -606,8 +600,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 18 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # tcp urgptr != 33-45 inet test-inet input diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t index d23bbcb5..9901df75 100644 --- a/tests/py/inet/tproxy.t +++ b/tests/py/inet/tproxy.t @@ -19,3 +19,5 @@ meta l4proto 17 tproxy ip to :50080;ok meta l4proto 17 tproxy ip6 to :50080;ok meta l4proto 17 tproxy to :50080;ok ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok + +meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 };ok diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json index 7b3b11c4..71b6fd2f 100644 --- a/tests/py/inet/tproxy.t.json +++ b/tests/py/inet/tproxy.t.json @@ -183,3 +183,38 @@ } } ] + +# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "127.0.0.1", + "family": "ip", + "port": { + "map": { + "data": { + "set": [ + [ 0, 23 ], + [ 1, 42 ] + ] + }, + "key": { + "symhash": { "mod": 2 } + } + } + } + } + } +] + 
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload index 24bf8f60..2f419042 100644 --- a/tests/py/inet/tproxy.t.payload +++ b/tests/py/inet/tproxy.t.payload @@ -61,3 +61,15 @@ inet x y [ immediate reg 1 0x0000d007 ] [ tproxy ip port reg 1 ] +# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 } +__map%d x b size 2 +__map%d x 0 + element 00000000 : 00001700 0 [end] element 00000001 : 00002a00 0 [end] +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x0100007f ] + [ hash reg 2 = symhash() % mod 2 ] + [ lookup reg 2 set __map%d dreg 2 ] + [ tproxy ip addr reg 1 port reg 2 ] + diff --git a/tests/py/inet/udp.t.payload b/tests/py/inet/udp.t.payload index e6beda7f..d2c62d92 100644 --- a/tests/py/inet/udp.t.payload +++ b/tests/py/inet/udp.t.payload @@ -19,8 +19,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 0 => reg 1 ] - [ cmp gte reg 1 0x00003200 ] - [ cmp lte reg 1 0x00004600 ] + [ range eq reg 1 0x00003200 0x00004600 ] [ immediate reg 0 accept ] # udp sport != 50-60 accept @@ -74,8 +73,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00004600 ] - [ cmp lte reg 1 0x00004b00 ] + [ range eq reg 1 0x00004600 0x00004b00 ] [ immediate reg 0 accept ] # udp dport != 50-60 accept @@ -127,8 +125,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 4 => reg 1 ] - [ cmp gte reg 1 0x00003200 ] - [ cmp lte reg 1 0x00004100 ] + [ range eq reg 1 0x00003200 0x00004100 ] [ immediate reg 0 accept ] # udp length != 50-65 accept 
@@ -199,8 +196,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 6 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # udp checksum != 33-45 inet test-inet input @@ -236,7 +232,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ immediate reg 1 0x00000000 ] - [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 csum_flags 0x0 ] + [ payload write reg 1 => 2b @ transport header + 6 csum_type 0 csum_off 0 csum_flags 0x1 ] # iif "lo" udp dport set 65535 inet test-inet input @@ -245,4 +241,4 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ immediate reg 1 0x0000ffff ] - [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 csum_flags 0x0 ] + [ payload write reg 1 => 2b @ transport header + 2 csum_type 0 csum_off 0 csum_flags 0x1 ] diff --git a/tests/py/inet/udplite.t.payload b/tests/py/inet/udplite.t.payload index de9d09ed..dbaeaa78 100644 --- a/tests/py/inet/udplite.t.payload +++ b/tests/py/inet/udplite.t.payload @@ -19,8 +19,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000088 ] [ payload load 2b @ transport header + 0 => reg 1 ] - [ cmp gte reg 1 0x00003200 ] - [ cmp lte reg 1 0x00004600 ] + [ range eq reg 1 0x00003200 0x00004600 ] [ immediate reg 0 accept ] # udplite sport != 50-60 accept @@ -74,8 +73,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000088 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00004600 ] - [ cmp lte reg 1 0x00004b00 ] + [ range eq reg 1 0x00004600 0x00004b00 ] [ immediate reg 0 accept ] # udplite dport != 50-60 accept 
@@ -146,8 +144,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000088 ] [ payload load 2b @ transport header + 6 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # udplite checksum != 33-45 inet test-inet input diff --git a/tests/py/inet/vxlan.t.json b/tests/py/inet/vxlan.t.json new file mode 100644 index 00000000..91b3d294 --- /dev/null +++ b/tests/py/inet/vxlan.t.json 
@@ -0,0 +1,344 @@ +# udp dport 4789 vxlan vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "vxlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 4789 vxlan ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 4789 vxlan udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 4789 vxlan icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": 
"icmp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 4789 vxlan vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "vxlan" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + 
diff --git a/tests/py/inet/vxlan.t.payload b/tests/py/inet/vxlan.t.payload index cde8e56f..b9e4ca2c 100644 --- a/tests/py/inet/vxlan.t.payload +++ b/tests/py/inet/vxlan.t.payload @@ -4,7 +4,7 @@ netdev test-netdev ingress [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000b512 ] - [ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ tunnel header + 4 => reg 1 ] ] [ cmp eq reg 1 0x000a0000 ] # udp dport 4789 vxlan ip saddr 10.141.11.2 diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t index a387863e..523d0244 100644 --- a/tests/py/ip/ct.t +++ b/tests/py/ip/ct.t @@ -28,3 +28,11 @@ meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x00000 meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok + +ct mark set ip dscp << 2 | 0x10;ok +ct mark set ip dscp << 26 | 0x10;ok +ct mark set ip dscp & 0x0f << 1;ok;ct mark set ip dscp & af33 +ct mark set ip dscp & 0x0f << 2;ok;ct mark set ip dscp & 0x3c +ct mark set ip dscp | 0x04;ok +ct mark set ip dscp | 1 << 20;ok;ct mark set ip dscp | 0x100000 +ct mark set ct mark | ip dscp | 0x200 counter;ok;ct mark set ct mark | ip dscp | 0x00000200 counter diff --git a/tests/py/ip/ct.t.json b/tests/py/ip/ct.t.json index 3288413f..9e60f7e2 100644 --- a/tests/py/ip/ct.t.json +++ b/tests/py/ip/ct.t.json 
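Review bot: The expected canonical form on the line `ct mark set ip dscp & 0x0f << 1;ok;ct mark set ip dscp & af33` is non-obvious to a reader: the constant folds to 0x1e (the payload fixture shows `reg 1 & 0x0000001e`), and 30 happens to be the DSCP code point af33, so the symbolic printer renders a bit mask as a traffic-class name. A comment above the line, `# 0x0f << 1 folds to 0x1e, which the dscp symbol table prints as af33`, would keep the next maintainer from reading the expected output as a typo. The sibling line with `0x0f << 2` stays numeric (`0x3c`), presumably because 60 has no entry in that table, which is worth stating in the same comment.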
@@ -325,3 +325,189 @@ } } ] + +# ct mark set ip dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip dscp & 0x0f << 1 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "af33" + ] + } + } + } +] + +# ct mark set ip dscp & 0x0f << 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 60 + ] + } + } + } +] + +# ct mark set ip dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip dscp | 1 << 20 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 1048576 + ] + } + } + } +] + +# ct mark set ct mark | ip dscp | 0x200 counter +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "ct": { + "key": "mark" + } + }, + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 512 + ] + } + } + }, + { + "counter": null + } +] diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload index 49f06a84..823de597 100644 --- a/tests/py/ip/ct.t.payload +++ b/tests/py/ip/ct.t.payload 
@@ -84,3 +84,64 @@ ip
 [ ct load src_ip => reg 1 , dir original ]
 [ meta load mark => reg 9 ]
 [ lookup reg 1 set __set%d ]
+
+# ct mark set ip dscp << 2 | 0x10
+ip test-ip4 output
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp << 26 | 0x10
+ip
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp & 0x0f << 1
+ip test-ip4 output
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp & 0x0f << 2
+ip test-ip4 output
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp | 0x04
+ip test-ip4 output
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp | 1 << 20
+ip test-ip4 output
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffefffff ) ^ 0x00100000 ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set ct mark | ip dscp | 0x200 counter
+ip test-ip4 output
+ [ ct load mark => reg 1 ]
+ [ payload load 1b @ network header + 1 => reg 2 ]
+ [ bitwise reg 2 = ( reg 2 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 2 = ( reg 2 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 | reg 2 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xfffffdff ) ^ 0x00000200 ]
+ [ ct set mark with reg 1 ]
+ [ counter pkts 0 bytes 0 ]
diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip
index 439c6abe..72b52546 100644
--- a/tests/py/ip/dnat.t.payload.ip
+++ b/tests/py/ip/dnat.t.payload.ip
@@ -5,8 +5,7 @@ ip test-ip4 prerouting
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000006 ]
 [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp gte reg 1 0x00005000 ]
- [ cmp lte reg 1 0x00005a00 ]
+ [ range eq reg 1 0x00005000 0x00005a00 ]
 [ immediate reg 1 0x0203a8c0 ]
 [ nat dnat ip addr_min reg 1 ]
 
diff --git a/tests/py/ip/flowtable.t b/tests/py/ip/flowtable.t
deleted file mode 100644
index 086c6cf6..00000000
--- a/tests/py/ip/flowtable.t
+++ /dev/null
@@ -1,5 +0,0 @@
-:input;type filter hook input priority 0
-
-*ip;test-ip;input
-
-meter xyz size 8192 { ip saddr timeout 30s counter};ok
diff --git a/tests/py/ip/flowtable.t.json b/tests/py/ip/flowtable.t.json
deleted file mode 100644
index a03cc9d7..00000000
--- a/tests/py/ip/flowtable.t.json
+++ /dev/null
@@ -1,24 +0,0 @@
-# meter xyz size 8192 { ip saddr timeout 30s counter}
-[
- {
- "meter": {
- "key": {
- "elem": {
- "timeout": 30,
- "val": {
- "payload": {
- "field": "saddr",
- "protocol": "ip"
- }
- }
- }
- },
- "name": "xyz",
- "size": 8192,
- "stmt": {
- "counter": null
- }
- }
- }
-]
-
diff --git a/tests/py/ip/flowtable.t.payload b/tests/py/ip/flowtable.t.payload
deleted file mode 100644
index c0aad39e..00000000
--- a/tests/py/ip/flowtable.t.payload
+++ /dev/null
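Review bot: The second added entry, `# ct mark set ip dscp << 26 | 0x10`, carries a bare `ip` chain line where every sibling entry in this hunk reads `ip test-ip4 output`. The `@@ … @@ ip` funcname context on the later ip.t.payload hunk suggests bare family lines already exist in these fixtures, so this is probably a style slip rather than a failing fixture, but the inconsistent header makes it harder to see which chain the bytecode belongs to when a fixture diverges. Change that line to `ip test-ip4 output` so all seven entries are headed the same way.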
@@ -1,7 +0,0 @@ -# meter xyz size 8192 { ip saddr timeout 30s counter} -xyz test-ip 31 -xyz test-ip 0 -ip test-ip input - [ payload load 4b @ network header + 12 => reg 1 ] - [ dynset update reg_key 1 set xyz timeout 30000ms expr [ counter pkts 0 bytes 0 ] ] - diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t index 7ddf8b38..226c339b 100644 --- a/tests/py/ip/icmp.t +++ b/tests/py/ip/icmp.t @@ -26,8 +26,8 @@ icmp code 111 accept;ok icmp code != 111 accept;ok icmp code 33-55;ok icmp code != 33-55;ok -icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56} -icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok +icmp code { 2, 4, 54, 33, 56};ok +icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok;icmp code != { 2, 4, 33, 54, 56} icmp checksum 12343 accept;ok icmp checksum != 12343 accept;ok @@ -73,5 +73,5 @@ icmp gateway != { 33, 55, 67, 88};ok icmp gateway != 34;ok icmp gateway != { 333, 334};ok -icmp code 1 icmp type 2;ok;icmp type 2 icmp code host-unreachable +icmp code 1 icmp type 2;ok;icmp type 2 icmp code 1 icmp code != 1 icmp type 2 icmp mtu 5;fail diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json index 4f052509..45e04c78 100644 --- a/tests/py/ip/icmp.t.json +++ b/tests/py/ip/icmp.t.json @@ -459,8 +459,8 @@ "op": "!=", "right": { "set": [ - "prot-unreachable", - "frag-needed", + 2, + 4, 33, 54, 56 @@ -1488,7 +1488,7 @@ } }, "op": "==", - "right": "host-unreachable" + "right": 1 } } ] diff --git a/tests/py/ip/icmp.t.json.output b/tests/py/ip/icmp.t.json.output index 5a075858..d79e72b5 100644 --- a/tests/py/ip/icmp.t.json.output +++ b/tests/py/ip/icmp.t.json.output @@ -1,27 +1,3 @@ -# icmp code { 2, 4, 54, 33, 56} -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - "prot-unreachable", - "frag-needed", - 33, - 54, - 56 - ] - } - } - } -] - # icmp id 1245 log [ { 
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip index 3bc6de3c..04a53cff 100644 --- a/tests/py/ip/icmp.t.payload.ip +++ b/tests/py/ip/icmp.t.payload.ip @@ -133,8 +133,7 @@ ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 1b @ transport header + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x00000037 ] + [ range eq reg 1 0x00000021 0x00000037 ] # icmp code != 33-55 ip test-ip4 input @@ -184,8 +183,7 @@ ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00000b00 ] - [ cmp lte reg 1 0x00005701 ] + [ range eq reg 1 0x00000b00 0x00005701 ] [ immediate reg 0 accept ] # icmp checksum != 11-343 accept @@ -265,8 +263,7 @@ ip test-ip4 input [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # icmp id != 33-45 __set%d test-ip4 3 @@ -344,8 +341,7 @@ ip test-ip4 input [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # icmp sequence != 33-45 __set%d test-ip4 3 @@ -438,8 +434,7 @@ ip test-ip4 input [ payload load 1b @ transport header + 0 => reg 1 ] [ cmp eq reg 1 0x00000003 ] [ payload load 2b @ transport header + 6 => reg 1 ] - [ cmp gte reg 1 0x00001600 ] - [ cmp lte reg 1 0x00002100 ] + [ range eq reg 1 0x00001600 0x00002100 ] # icmp mtu 22 ip test-ip4 input 
@@ -466,8 +461,7 @@ ip test-ip4 input
 [ payload load 1b @ transport header + 0 => reg 1 ]
 [ cmp eq reg 1 0x00000003 ]
 [ payload load 2b @ transport header + 6 => reg 1 ]
- [ cmp gte reg 1 0x00002100 ]
- [ cmp lte reg 1 0x00002d00 ]
+ [ range eq reg 1 0x00002100 0x00002d00 ]
 
 # icmp mtu != 33-45
 ip test-ip4 input
@@ -527,8 +521,7 @@ ip test-ip4 input
 [ payload load 1b @ transport header + 0 => reg 1 ]
 [ cmp eq reg 1 0x00000005 ]
 [ payload load 4b @ transport header + 4 => reg 1 ]
- [ cmp gte reg 1 0x21000000 ]
- [ cmp lte reg 1 0x2d000000 ]
+ [ range eq reg 1 0x21000000 0x2d000000 ]
 
 # icmp gateway != 33-45
 ip test-ip4 input
diff --git a/tests/py/ip/igmp.t.payload b/tests/py/ip/igmp.t.payload
index 940fe2cd..872fc3af 100644
--- a/tests/py/ip/igmp.t.payload
+++ b/tests/py/ip/igmp.t.payload
@@ -52,8 +52,7 @@ ip test-ip4 input
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000002 ]
 [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp gte reg 1 0x00000b00 ]
- [ cmp lte reg 1 0x00005701 ]
+ [ range eq reg 1 0x00000b00 0x00005701 ]
 
 # igmp checksum != 11-343
 ip test-ip4 input
diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t
index d5a4d8a5..47262d9a 100644
--- a/tests/py/ip/ip.t
+++ b/tests/py/ip/ip.t
@@ -48,12 +48,15 @@ ip id != 33-45;ok
 ip id { 33, 55, 67, 88};ok
 ip id != { 33, 55, 67, 88};ok
 
-ip frag-off 222 accept;ok
-ip frag-off != 233;ok
-ip frag-off 33-45;ok
-ip frag-off != 33-45;ok
-ip frag-off { 33, 55, 67, 88};ok
-ip frag-off != { 33, 55, 67, 88};ok
+ip frag-off 0xde accept;ok
+ip frag-off != 0xe9;ok
+ip frag-off 0x21-0x2d;ok
+ip frag-off != 0x21-0x2d;ok
+ip frag-off { 0x21, 0x37, 0x43, 0x58};ok
+ip frag-off != { 0x21, 0x37, 0x43, 0x58};ok
+ip frag-off & 0x1fff != 0x0;ok
+ip frag-off & 0x2000 != 0x0;ok
+ip frag-off & 0x4000 != 0x0;ok
 
 ip ttl 0 drop;ok
 ip ttl 233;ok
@@ -127,3 +130,25 @@ iif "lo" ip dscp set cs0;ok ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 };ok ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept };ok + +ip saddr 1.2.3.4 ip daddr 3.4.5.6;ok +ip saddr 1.2.3.4 counter ip daddr 3.4.5.6;ok + +ip dscp 1/6;ok;ip dscp & 0x3f == lephb + +ip ecn set ip ecn | ect0;ok +ip ecn set ip ecn | ect1;ok +ip ecn set ip ecn & ect0;ok +ip ecn set ip ecn & ect1;ok +tcp flags set tcp flags & (fin | syn | rst | psh | ack | urg);ok +tcp flags set tcp flags | ecn | cwr;ok +ip dscp set ip dscp | lephb;ok +ip dscp set ip dscp & lephb;ok +ip dscp set ip dscp & 0x1f;ok +ip dscp set ip dscp & 0x4f;fail +ip version set ip version | 1;ok +ip version set ip version & 1;ok +ip version set ip version | 0x1f;fail +ip hdrlength set ip hdrlength | 1;ok +ip hdrlength set ip hdrlength & 1;ok +ip hdrlength set ip hdrlength | 0x1f;fail diff --git a/tests/py/ip/ip.t.json b/tests/py/ip/ip.t.json index b1085035..3c3a12d7 100644 --- a/tests/py/ip/ip.t.json +++ b/tests/py/ip/ip.t.json @@ -384,7 +384,7 @@ } ] -# ip frag-off 222 accept +# ip frag-off 0xde accept [ { "match": { @@ -403,7 +403,7 @@ } ] -# ip frag-off != 233 +# ip frag-off != 0xe9 [ { "match": { @@ -419,7 +419,7 @@ } ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d [ { "match": { @@ -437,7 +437,7 @@ } ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d [ { "match": { @@ -455,7 +455,7 @@ } ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} [ { "match": { @@ -478,7 +478,7 @@ } ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} [ { "match": { 
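Review bot: The rejection cases at the end of this hunk (`ip dscp set ip dscp & 0x4f;fail`, `ip version set ip version | 0x1f;fail`, `ip hdrlength set ip hdrlength | 0x1f;fail`) pin the field-width check for three of the mangled header fields, but the four `ip ecn set …` cases and the two `tcp flags set …` cases above them have no out-of-range counterpart. If the same width check applies to the 2-bit ecn field, a line such as `ip ecn set ip ecn | 0x4;fail` beside the ecn cases would keep that path covered as well. The payload fixtures in this commit only show the accepted masks, so the rejecting behaviour is otherwise documented by these three `;fail` lines alone.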
@@ -501,6 +501,69 @@ } ] +# ip frag-off & 0x1fff != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8191 + ] + }, + "op": "!=", + "right": 0 + } + } +] + +# ip frag-off & 0x2000 != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8192 + ] + }, + "op": "!=", + "right": 0 + } + } +] + +# ip frag-off & 0x4000 != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 16384 + ] + }, + "op": "!=", + "right": 0 + } + } +] + # ip ttl 0 drop [ { 
@@ -1685,3 +1748,421 @@ } ] +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "counter": { + "bytes": 0, + "packets": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + +# ip dscp 1/6 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 63 + ] + }, + "op": "==", + "right": "lephb" + } + } +] + +# ip ecn set ip ecn | ect0 +[ + { + "mangle": { + "key": { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "ect0" + ] + } + } + } +] + +# ip ecn set ip ecn | ect1 +[ + { + "mangle": { + "key": { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "ect1" + ] + } + } + } +] + +# ip ecn set ip ecn & ect0 +[ + { + "mangle": { + "key": { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "ect0" + ] + } + } + } +] + +# ip ecn set ip ecn & ect1 +[ + { + "mangle": { + "key": { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "ect1" + ] + } + } + } +] + +# tcp flags set tcp flags & (fin | syn | rst | psh | ack | urg) +[ + { + "mangle": { + "key": { + "payload": { + "field": "flags", + 
"protocol": "tcp" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "psh", + "ack", + "urg" + ] + } + ] + } + } + } +] + +# tcp flags set tcp flags | ecn | cwr +[ + { + "mangle": { + "key": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "ecn", + "cwr" + ] + } + } + } +] + +# ip dscp set ip dscp | lephb +[ + { + "mangle": { + "key": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "lephb" + ] + } + } + } +] + +# ip dscp set ip dscp & lephb +[ + { + "mangle": { + "key": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "lephb" + ] + } + } + } +] + +# ip dscp set ip dscp & 0x1f +[ + { + "mangle": { + "key": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 31 + ] + } + } + } +] + +# ip version set ip version | 1 +[ + { + "mangle": { + "key": { + "payload": { + "field": "version", + "protocol": "ip" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "version", + "protocol": "ip" + } + }, + 1 + ] + } + } + } +] + +# ip version set ip version & 1 +[ + { + "mangle": { + "key": { + "payload": { + "field": "version", + "protocol": "ip" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "version", + "protocol": "ip" + } + }, + 1 + ] + } + } + } +] + +# ip hdrlength set ip hdrlength | 1 +[ + { + "mangle": { + "key": { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + 1 + ] + } + } + } +] + +# ip hdrlength set ip hdrlength & 1 +[ + { + 
"mangle": { + "key": { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + 1 + ] + } + } + } +] + diff --git a/tests/py/ip/ip.t.json.output b/tests/py/ip/ip.t.json.output index b201cdaa..351ae935 100644 --- a/tests/py/ip/ip.t.json.output +++ b/tests/py/ip/ip.t.json.output @@ -230,3 +230,34 @@ } ] +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload index b9fcb515..0e993627 100644 --- a/tests/py/ip/ip.t.payload +++ b/tests/py/ip/ip.t.payload @@ -63,8 +63,7 @@ ip test-ip4 input # ip length 333-435 ip test-ip4 input [ payload load 2b @ network header + 2 => reg 1 ] - [ cmp gte reg 1 0x00004d01 ] - [ cmp lte reg 1 0x0000b301 ] + [ range eq reg 1 0x00004d01 0x0000b301 ] # ip length != 333-453 ip test-ip4 input @@ -100,8 +99,7 @@ ip test-ip4 input # ip id 33-45 ip test-ip4 input [ payload load 2b @ network header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip id != 33-45 ip test-ip4 input 
@@ -124,29 +122,28 @@ ip test-ip4 input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off 222 accept +# ip frag-off 0xde accept ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-ip4 3 __set%d test-ip4 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -154,7 +151,7 @@ ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-ip4 3 __set%d test-ip4 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] 
@@ -162,6 +159,24 @@ ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] +# ip frag-off & 0x1fff != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + # ip ttl 0 drop ip test-ip4 input [ payload load 1b @ network header + 8 => reg 1 ] @@ -176,8 +191,7 @@ ip test-ip4 input # ip ttl 33-55 ip test-ip4 input [ payload load 1b @ network header + 8 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x00000037 ] + [ range eq reg 1 0x00000021 0x00000037 ] # ip ttl != 45-50 ip test-ip4 input @@ -252,8 +266,7 @@ ip test-ip4 input # ip checksum 33-45 ip test-ip4 input [ payload load 2b @ network header + 10 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip checksum != 33-45 ip test-ip4 input 
@@ -306,26 +319,22 @@ ip test-ip4 input # ip daddr 192.168.0.1-192.168.0.250 ip test-ip4 input [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0100a8c0 ] - [ cmp lte reg 1 0xfa00a8c0 ] + [ range eq reg 1 0x0100a8c0 0xfa00a8c0 ] # ip daddr 10.0.0.0-10.255.255.255 ip test-ip4 input [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0000000a ] - [ cmp lte reg 1 0xffffff0a ] + [ range eq reg 1 0x0000000a 0xffffff0a ] # ip daddr 172.16.0.0-172.31.255.255 ip test-ip4 input [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x000010ac ] - [ cmp lte reg 1 0xffff1fac ] + [ range eq reg 1 0x000010ac 0xffff1fac ] # ip daddr 192.168.3.1-192.168.4.250 ip test-ip4 input [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0103a8c0 ] - [ cmp lte reg 1 0xfa04a8c0 ] + [ range eq reg 1 0x0103a8c0 0xfa04a8c0 ] # ip daddr != 192.168.0.1-192.168.0.250 ip test-ip4 input @@ -353,8 +362,7 @@ ip test-ip4 input # ip daddr 192.168.1.2-192.168.1.55 ip test-ip4 input [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0201a8c0 ] - [ cmp lte reg 1 0x3701a8c0 ] + [ range eq reg 1 0x0201a8c0 0x3701a8c0 ] # ip daddr != 192.168.1.2-192.168.1.55 ip test-ip4 input @@ -364,8 +372,7 @@ ip test-ip4 input # ip saddr 192.168.1.3-192.168.33.55 ip test-ip4 input [ payload load 4b @ network header + 12 => reg 1 ] - [ cmp gte reg 1 0x0301a8c0 ] - [ cmp lte reg 1 0x3721a8c0 ] + [ range eq reg 1 0x0301a8c0 0x3721a8c0 ] # ip saddr != 192.168.1.3-192.168.33.55 ip test-ip4 input 
@@ -523,3 +530,108 @@ ip [ payload load 4b @ network header + 12 => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] + +# ip ecn set ip ecn | ect0 +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# tcp flags set tcp flags & (fin | syn | rst | psh | ack | urg) 
+ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00003fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ transport header + 12 csum_type 1 csum_off 16 csum_flags 0x0 ] + +# tcp flags set tcp flags | ecn | cwr +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00003fff ) ^ 0x0000c000 ] + [ payload write reg 1 => 2b @ transport header + 12 csum_type 1 csum_off 16 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & lephb +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version | 1 +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 
1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +ip test-ip4 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge index c6f8d4e5..94da3e90 100644 --- a/tests/py/ip/ip.t.payload.bridge +++ b/tests/py/ip/ip.t.payload.bridge @@ -83,8 +83,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 2 => reg 1 ] - [ cmp gte reg 1 0x00004d01 ] - [ cmp lte reg 1 0x0000b301 ] + [ range eq reg 1 0x00004d01 0x0000b301 ] # ip length != 333-453 bridge test-bridge input @@ -132,8 +131,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip id != 33-45 bridge test-bridge input @@ -162,7 +160,7 @@ bridge test-bridge input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off 222 accept +# ip frag-off 0xde accept bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] 
@@ -170,29 +168,28 @@ bridge test-bridge input [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-bridge 3 size 4 __set%d test-bridge 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -202,7 +199,7 @@ bridge test-bridge input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-bridge 3 size 4 __set%d test-bridge 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] 
@@ -212,6 +209,30 @@ bridge test-bridge input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] +# ip frag-off & 0x1fff != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + # ip ttl 0 drop bridge test-bridge input [ meta load protocol => reg 1 ] @@ -232,8 +253,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 8 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x00000037 ] + [ range eq reg 1 0x00000021 0x00000037 ] # ip ttl != 45-50 bridge test-bridge input @@ -332,8 +352,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 10 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip checksum != 33-45 bridge test-bridge input 
@@ -404,32 +423,28 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0100a8c0 ] - [ cmp lte reg 1 0xfa00a8c0 ] + [ range eq reg 1 0x0100a8c0 0xfa00a8c0 ] # ip daddr 10.0.0.0-10.255.255.255 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0000000a ] - [ cmp lte reg 1 0xffffff0a ] + [ range eq reg 1 0x0000000a 0xffffff0a ] # ip daddr 172.16.0.0-172.31.255.255 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x000010ac ] - [ cmp lte reg 1 0xffff1fac ] + [ range eq reg 1 0x000010ac 0xffff1fac ] # ip daddr 192.168.3.1-192.168.4.250 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0103a8c0 ] - [ cmp lte reg 1 0xfa04a8c0 ] + [ range eq reg 1 0x0103a8c0 0xfa04a8c0 ] # ip daddr != 192.168.0.1-192.168.0.250 bridge test-bridge input @@ -465,8 +480,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0201a8c0 ] - [ cmp lte reg 1 0x3701a8c0 ] + [ range eq reg 1 0x0201a8c0 0x3701a8c0 ] # ip daddr != 192.168.1.2-192.168.1.55 bridge test-bridge input @@ -480,8 +494,7 @@ bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ cmp gte reg 1 0x0301a8c0 ] - [ cmp lte reg 1 0x3721a8c0 ] + [ range eq reg 1 0x0301a8c0 0x3721a8c0 ] # ip saddr != 192.168.1.3-192.168.33.55 bridge test-bridge input 
@@ -684,3 +697,396 @@ bridge [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 0 ] +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] + +# ip ecn set ip ecn | ect0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ 
network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# tcp flags set tcp flags & (fin | syn | rst | psh | ack | urg) +bridge test-bridge input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00003fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ transport header + 12 csum_type 1 csum_off 16 csum_flags 0x0 ] + +# tcp flags set tcp flags | ecn | cwr +bridge test-bridge input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00003fff ) ^ 0x0000c000 ] + [ payload write reg 1 => 2b @ transport header + 12 csum_type 1 csum_off 16 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & lephb +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ 
network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version | 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 
10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] +# ip dscp set ip dscp & lephb +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version | 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 
+bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +bridge test-bridge input + [ meta load protocol 
=> reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] +# ip dscp set ip dscp & lephb +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version | 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + 
[ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ 
bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] +# ip dscp set ip dscp & lephb +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version | 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 
) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet index e26d0dac..2004a3eb 100644 --- a/tests/py/ip/ip.t.payload.inet +++ b/tests/py/ip/ip.t.payload.inet @@ -83,8 +83,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] - [ cmp gte reg 1 0x00004d01 ] - [ cmp lte reg 1 0x0000b301 ] + [ range eq reg 1 0x00004d01 0x0000b301 ] # ip length != 333-453 inet test-inet input @@ -132,8 +131,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip id != 33-45 inet test-inet input @@ -162,7 +160,7 @@ inet test-inet input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off 222 accept +# ip frag-off 0xde accept inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] 
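Review bot: The run from `# ip ecn set ip ecn | ect0` through `# ip hdrlength set ip hdrlength & 1` is pasted four times in this hunk, and in the second, third and fourth copies the blank separator before `# ip dscp set ip dscp & lephb` is missing, so the `ip dscp set ip dscp | lephb` expectation runs straight into the next rule's key line. Only the first copy carries the blank line; if the runner reads an expectation up to the first empty line, the later copies would describe a longer payload than nft emits, and they look like a copy-paste artifact rather than intentional. I'd drop the three repeated copies so the file holds exactly one expectation per rule and restore the blank line if any copy is kept. The hunk `@@ -684,3 +697,396 @@` lies entirely within this view; the inet expectation file in the same commit repeats the block three times.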
@@ -170,29 +168,28 @@ inet test-inet input [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -202,7 +199,7 @@ inet test-inet input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] 
@@ -212,6 +209,30 @@ inet test-inet input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] +# ip frag-off & 0x1fff != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + # ip ttl 0 drop inet test-inet input [ meta load nfproto => reg 1 ] @@ -232,8 +253,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x00000037 ] + [ range eq reg 1 0x00000021 0x00000037 ] # ip ttl != 45-50 inet test-inet input @@ -332,8 +352,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip checksum != 33-45 inet test-inet input 
@@ -404,32 +423,28 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0100a8c0 ] - [ cmp lte reg 1 0xfa00a8c0 ] + [ range eq reg 1 0x0100a8c0 0xfa00a8c0 ] # ip daddr 10.0.0.0-10.255.255.255 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0000000a ] - [ cmp lte reg 1 0xffffff0a ] + [ range eq reg 1 0x0000000a 0xffffff0a ] # ip daddr 172.16.0.0-172.31.255.255 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x000010ac ] - [ cmp lte reg 1 0xffff1fac ] + [ range eq reg 1 0x000010ac 0xffff1fac ] # ip daddr 192.168.3.1-192.168.4.250 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0103a8c0 ] - [ cmp lte reg 1 0xfa04a8c0 ] + [ range eq reg 1 0x0103a8c0 0xfa04a8c0 ] # ip daddr != 192.168.0.1-192.168.0.250 inet test-inet input @@ -465,8 +480,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0201a8c0 ] - [ cmp lte reg 1 0x3701a8c0 ] + [ range eq reg 1 0x0201a8c0 0x3701a8c0 ] # ip daddr != 192.168.1.2-192.168.1.55 inet test-inet input @@ -480,8 +494,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ cmp gte reg 1 0x0301a8c0 ] - [ cmp lte reg 1 0x3721a8c0 ] + [ range eq reg 1 0x0301a8c0 0x3721a8c0 ] # ip saddr != 192.168.1.3-192.168.33.55 inet test-inet input 
@@ -684,3 +697,311 @@ inet [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 0 ] +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] + +# ip ecn set ip ecn | ect0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 
csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# tcp flags set tcp flags & (fin | syn | rst | psh | ack | urg) +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00003fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ transport header + 12 csum_type 1 csum_off 16 csum_flags 0x0 ] + +# tcp flags set tcp flags | ecn | cwr +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00003fff ) ^ 0x0000c000 ] + [ payload write reg 1 => 2b @ transport header + 12 csum_type 1 csum_off 16 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & lephb +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] 
+ +# ip version set ip version | 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +inet test-inet input + [ meta load 
nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & lephb +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version | 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network 
header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] 
+ [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & lephb +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version | 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 
csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev index de990f5b..bd349532 100644 --- a/tests/py/ip/ip.t.payload.netdev +++ b/tests/py/ip/ip.t.payload.netdev @@ -17,8 +17,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 2 => reg 1 ] - [ cmp gte reg 1 0x00004d01 ] - [ cmp lte reg 1 0x0000b301 ] + [ range eq reg 1 0x00004d01 0x0000b301 ] # ip length != 333-453 netdev test-netdev ingress @@ -66,8 +65,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip id != 33-45 netdev test-netdev ingress @@ -96,7 +94,7 @@ netdev test-netdev ingress [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off 222 accept +# ip frag-off 0xde accept netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] 
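Review bot: The expectations from `# ip ecn set ip ecn | ect0` through `# ip hdrlength set ip hdrlength & 1` appear three times in this hunk with identical content, which adds roughly 170 redundant lines and makes it unclear which copy the runner will match if one is later edited. Keeping a single copy of each rule's expectation (the first one) would leave the test coverage unchanged and keep the file diff-reviewable. The hunk `@@ -684,3 +697,311 @@` is fully visible here; the bridge expectation file in the same commit has the same block four times.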
@@ -104,29 +102,28 @@ netdev test-netdev ingress [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-netdev 3 __set%d test-netdev 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -136,7 +133,7 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-netdev 3 __set%d test-netdev 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] 
@@ -146,6 +143,30 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] +# ip frag-off & 0x1fff != 0x0 +netdev x y + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +netdev x y + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +netdev x y + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + # ip ttl 0 drop netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -159,8 +180,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 8 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x00000037 ] + [ range eq reg 1 0x00000021 0x00000037 ] # ip ttl != 45-50 netdev test-netdev ingress @@ -245,8 +265,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 10 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip checksum != 33-45 netdev test-netdev ingress 
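Review bot: The three `ip frag-off & …` entries added in this hunk carry the chain header `netdev x y`, while every other entry in the file, including the `ip ttl 0 drop` one immediately after them, uses `netdev test-netdev ingress`. If the harness compares that header line the way it compares the bracketed instruction lines, these three entries will not match the `--debug=netlink` output for the file's `test-netdev`/`ingress` setup; either way it reads as a leftover from a hand-edited dump, so I would change the three lines to `netdev test-netdev ingress`. The `meta mark set ip dscp << 26 | 0x10` entry added to tests/py/ip/meta.t.payload has the same issue with a bare `ip` header where its two siblings use `ip test-ip4 input`.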
@@ -310,32 +329,28 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0100a8c0 ] - [ cmp lte reg 1 0xfa00a8c0 ] + [ range eq reg 1 0x0100a8c0 0xfa00a8c0 ] # ip daddr 10.0.0.0-10.255.255.255 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0000000a ] - [ cmp lte reg 1 0xffffff0a ] + [ range eq reg 1 0x0000000a 0xffffff0a ] # ip daddr 172.16.0.0-172.31.255.255 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x000010ac ] - [ cmp lte reg 1 0xffff1fac ] + [ range eq reg 1 0x000010ac 0xffff1fac ] # ip daddr 192.168.3.1-192.168.4.250 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0103a8c0 ] - [ cmp lte reg 1 0xfa04a8c0 ] + [ range eq reg 1 0x0103a8c0 0xfa04a8c0 ] # ip daddr != 192.168.0.1-192.168.0.250 netdev test-netdev ingress @@ -371,8 +386,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0201a8c0 ] - [ cmp lte reg 1 0x3701a8c0 ] + [ range eq reg 1 0x0201a8c0 0x3701a8c0 ] # ip daddr != 192.168.1.2-192.168.1.55 netdev test-netdev ingress @@ -386,8 +400,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] - [ cmp gte reg 1 0x0301a8c0 ] - [ cmp lte reg 1 0x3721a8c0 ] + [ range eq reg 1 0x0301a8c0 0x3721a8c0 ] # ip saddr != 192.168.1.3-192.168.33.55 netdev test-netdev ingress 
@@ -684,3 +697,119 @@ netdev [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 0 ] +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] + +# ip ecn set ip ecn | ect0 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn | ect1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect0 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000feff ) ^ 0x00000000 ] + [ payload write reg 
1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip ecn set ip ecn & ect1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fdff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp | lephb +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & lephb +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000007ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip dscp set ip dscp & 0x1f +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00007fff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version | 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffef ) ^ 0x00000010 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip version set ip version & 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 
csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength | 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fffe ) ^ 0x00000001 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip hdrlength set ip hdrlength & 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fff1 ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] diff --git a/tests/py/ip/masquerade.t.payload b/tests/py/ip/masquerade.t.payload index 79e52856..c4957fd7 100644 --- a/tests/py/ip/masquerade.t.payload +++ b/tests/py/ip/masquerade.t.payload @@ -100,8 +100,7 @@ ip test-ip4 postrouting # ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter masquerade ip test-ip4 postrouting [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp gte reg 1 0x0000000a ] - [ cmp lte reg 1 0x0403020a ] + [ range eq reg 1 0x0000000a 0x0403020a ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t index 5a05923a..a88a6145 100644 --- a/tests/py/ip/meta.t +++ b/tests/py/ip/meta.t @@ -15,3 +15,8 @@ meta obrname "br0";fail meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok + +meta mark set ip dscp;ok + +meta mark set ip dscp << 2 | 0x10;ok +meta mark set ip dscp << 26 | 0x10;ok diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json index 3df31ce3..25936dba 100644 --- a/tests/py/ip/meta.t.json +++ b/tests/py/ip/meta.t.json 
@@ -156,3 +156,81 @@ } } ] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + + +# meta mark set ip dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload index afde5cc1..880ac5d6 100644 --- a/tests/py/ip/meta.t.payload +++ b/tests/py/ip/meta.t.payload @@ -51,3 +51,28 @@ ip test-ip4 input [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip dscp +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp << 2 | 0x10 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp << 26 | 0x10 +ip + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] 
diff --git a/tests/py/ip/numgen.t b/tests/py/ip/numgen.t
index 29a6a105..2a881460 100644
--- a/tests/py/ip/numgen.t
+++ b/tests/py/ip/numgen.t
@@ -5,3 +5,5 @@ ct mark set numgen inc mod 2;ok
 ct mark set numgen inc mod 2 offset 100;ok
 dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 };ok
 dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200};ok
+dnat to numgen inc mod 7 offset 167772161;ok
+dnat to numgen inc mod 255 offset 167772161;ok
diff --git a/tests/py/ip/numgen.t.json b/tests/py/ip/numgen.t.json
index 9902c2cf..6cf66041 100644
--- a/tests/py/ip/numgen.t.json
+++ b/tests/py/ip/numgen.t.json
@@ -97,3 +97,33 @@
 }
 ]
+# dnat to numgen inc mod 7 offset 167772161
+[
+ {
+ "dnat": {
+ "addr": {
+ "numgen": {
+ "mod": 7,
+ "mode": "inc",
+ "offset": 167772161
+ }
+ }
+ }
+ }
+]
+
+# dnat to numgen inc mod 255 offset 167772161
+[
+ {
+ "dnat": {
+ "addr": {
+ "numgen": {
+ "mod": 255,
+ "mode": "inc",
+ "offset": 167772161
+ }
+ }
+ }
+ }
+]
+
diff --git a/tests/py/ip/numgen.t.payload b/tests/py/ip/numgen.t.payload
index 3349c68b..b4eadf85 100644
--- a/tests/py/ip/numgen.t.payload
+++ b/tests/py/ip/numgen.t.payload
@@ -27,3 +27,14 @@ ip test-ip4 pre
 [ numgen reg 1 = inc mod 2 offset 100 ]
 [ ct set mark with reg 1 ]
+# dnat to numgen inc mod 7 offset 167772161
+ip test-ip4 pre
+ [ numgen reg 1 = inc mod 7 offset 167772161 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ nat dnat ip addr_min reg 1 ]
+
+# dnat to numgen inc mod 255 offset 167772161
+ip test-ip4 pre
+ [ numgen reg 1 = inc mod 255 offset 167772161 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ nat dnat ip addr_min reg 1 ]
diff --git a/tests/py/ip/redirect.t b/tests/py/ip/redirect.t
index d2991ce2..8c2b52f0 100644
--- a/tests/py/ip/redirect.t
+++ b/tests/py/ip/redirect.t
@@ -47,5 +47,5 @@ ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect;ok
 iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok
 # redirect with maps
-ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok
+redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok
diff --git a/tests/py/ip/redirect.t.json b/tests/py/ip/redirect.t.json
index 3544e7f1..2afdf9b1 100644
--- a/tests/py/ip/redirect.t.json
+++ b/tests/py/ip/redirect.t.json
@@ -593,21 +593,9 @@
 }
 ]
-# ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080}
+# redirect to :tcp dport map { 22 : 8000, 80 : 8080}
 [
 {
- "match": {
- "left": {
- "payload": {
- "field": "protocol",
- "protocol": "ip"
- }
- },
- "op": "==",
- "right": 6
- }
- },
- {
 "redirect": {
 "port": {
 "map": {
diff --git a/tests/py/ip/redirect.t.payload b/tests/py/ip/redirect.t.payload
index 424ad7b4..8a543057 100644
--- a/tests/py/ip/redirect.t.payload
+++ b/tests/py/ip/redirect.t.payload
@@ -182,8 +182,7 @@ ip test-ip4 output
 # ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect
 ip test-ip4 output
 [ payload load 4b @ network header + 16 => reg 1 ]
- [ cmp gte reg 1 0x0000000a ]
- [ cmp lte reg 1 0x0403020a ]
+ [ range eq reg 1 0x0000000a 0x0403020a ]
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000011 ]
 [ payload load 2b @ transport header + 2 => reg 1 ]
@@ -207,12 +206,12 @@ ip test-ip4 output
 [ lookup reg 1 set __map%d dreg 0 ]
 [ redir ]
-# ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080}
+# redirect to :tcp dport map { 22 : 8000, 80 : 8080}
 __map%d test-ip4 b
 __map%d test-ip4 0
 element 00001600 : 0000401f 0 [end] element 00005000 : 0000901f 0 [end]
 ip test-ip4 output
- [ payload load 1b @ network header + 9 => reg 1 ]
+ [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000006 ]
 [ payload load 2b @ transport header + 2 => reg 1 ]
 [ lookup reg 1 set __map%d dreg 1 ]
diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
index a224d0fe..ad2c8316 100644
--- a/tests/py/ip/sets.t +++ b/tests/py/ip/sets.t @@ -52,6 +52,9 @@ ip saddr != @set33 drop;fail ip saddr . ip daddr @set5 drop;ok add @set5 { ip saddr . ip daddr };ok +!map1 type ipv4_addr . ipv4_addr : mark;ok +add @map1 { ip saddr . ip daddr : meta mark };ok + # test nested anonymous sets ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 };ok;ip saddr { 1.1.1.0, 2.2.2.0, 3.3.3.0 } ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 };ok;ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } @@ -63,3 +66,5 @@ ip saddr @set6 drop;ok ip saddr vmap { 1.1.1.1 : drop, * : accept };ok meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 };ok +!map2 type ipv4_addr . ipv4_addr . inet_service : ipv4_addr . inet_service;ok +add @map2 { ip saddr . ip daddr . th dport : 10.0.0.1 . 80 };ok diff --git a/tests/py/ip/sets.t.json b/tests/py/ip/sets.t.json index d24b3918..f2637d93 100644 --- a/tests/py/ip/sets.t.json +++ b/tests/py/ip/sets.t.json @@ -272,3 +272,71 @@ } ] +# add @map1 { ip saddr . ip daddr : meta mark } +[ + { + "map": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + +# add @map2 { ip saddr . ip daddr . th dport : 10.0.0.1 . 80 } +[ + { + "map": { + "data": { + "concat": [ + "10.0.0.1", + 80 + ] + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + }, + "map": "@map2", + "op": "add" + } + } +] diff --git a/tests/py/ip/sets.t.payload.inet b/tests/py/ip/sets.t.payload.inet index d7d70b0c..cc04b43d 100644 --- a/tests/py/ip/sets.t.payload.inet +++ b/tests/py/ip/sets.t.payload.inet 
@@ -75,6 +75,15 @@ inet [ lookup reg 1 set set6 ] [ immediate reg 0 drop ] +# add @map1 { ip saddr . ip daddr : meta mark } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + # ip saddr vmap { 1.1.1.1 : drop, * : accept } __map%d test-inet b __map%d test-inet 0 @@ -95,3 +104,14 @@ inet [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] + +# add @map2 { ip saddr . ip daddr . th dport : 10.0.0.1 . 80 } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ immediate reg 11 0x0100000a ] + [ immediate reg 2 0x00005000 ] + [ dynset add reg_key 1 set map2 sreg_data 11 ] diff --git a/tests/py/ip/sets.t.payload.ip b/tests/py/ip/sets.t.payload.ip index 97a96693..f9ee1f98 100644 --- a/tests/py/ip/sets.t.payload.ip +++ b/tests/py/ip/sets.t.payload.ip @@ -73,3 +73,19 @@ ip [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map2 { ip saddr . ip daddr . th dport : 10.0.0.1 . 80 } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ immediate reg 11 0x0100000a ] + [ immediate reg 2 0x00005000 ] + [ dynset add reg_key 1 set map2 sreg_data 11 ] 
diff --git a/tests/py/ip/sets.t.payload.netdev b/tests/py/ip/sets.t.payload.netdev index d4317d29..3d0dc79a 100644 --- a/tests/py/ip/sets.t.payload.netdev +++ b/tests/py/ip/sets.t.payload.netdev @@ -95,3 +95,23 @@ netdev [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map2 { ip saddr . ip daddr . th dport : 10.0.0.1 . 80 } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ immediate reg 11 0x0100000a ] + [ immediate reg 2 0x00005000 ] + [ dynset add reg_key 1 set map2 sreg_data 11 ] diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload index 71a5e2f1..7044d7b0 100644 --- a/tests/py/ip/snat.t.payload +++ b/tests/py/ip/snat.t.payload @@ -5,8 +5,7 @@ ip test-ip4 postrouting [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00005000 ] - [ cmp lte reg 1 0x00005a00 ] + [ range eq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] [ nat snat ip addr_min reg 1 ] @@ -67,8 +66,7 @@ ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00005000 ] - [ cmp lte reg 1 0x00005a00 ] + [ range eq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x0003a8c0 ] [ immediate reg 2 0xff03a8c0 ] [ nat snat ip addr_min reg 1 addr_max reg 2 ] 
@@ -80,8 +78,7 @@ ip
 [ meta load l4proto => reg 1 ]
 [ cmp eq reg 1 0x00000006 ]
 [ payload load 2b @ transport header + 2 => reg 1 ]
- [ cmp gte reg 1 0x00005000 ]
- [ cmp lte reg 1 0x00005a00 ]
+ [ range eq reg 1 0x00005000 0x00005a00 ]
 [ immediate reg 1 0x0f03a8c0 ]
 [ immediate reg 2 0xf003a8c0 ]
 [ nat snat ip addr_min reg 1 addr_max reg 2 ]
diff --git a/tests/py/ip6/ct.t b/tests/py/ip6/ct.t
new file mode 100644
index 00000000..1617c68b
--- /dev/null
+++ b/tests/py/ip6/ct.t
@@ -0,0 +1,10 @@
+:output;type filter hook output priority 0
+
+*ip6;test-ip6;output
+
+ct mark set ip6 dscp << 2 | 0x10;ok
+ct mark set ip6 dscp << 26 | 0x10;ok
+ct mark set ip6 dscp | 0x04;ok
+ct mark set ip6 dscp | 0xff000000;ok
+ct mark set ip6 dscp & 0x0f << 2;ok;ct mark set ip6 dscp & 0x3c
+ct mark set ct mark | ip6 dscp | 0x200 counter;ok;ct mark set ct mark | ip6 dscp | 0x00000200 counter
diff --git a/tests/py/ip6/ct.t.json b/tests/py/ip6/ct.t.json
new file mode 100644
index 00000000..2633c2b9
--- /dev/null
+++ b/tests/py/ip6/ct.t.json
@@ -0,0 +1,325 @@ +# ct mark set ip6 dscp lshift 2 or 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp lshift 26 or 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0xff000000 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4278190080 + ] + } + } + } +] + +# ct mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0x04 +[ + { + "mangle": { + 
"key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0xff000000 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4278190080 + ] + } + } + } +] + +# ct mark set ip6 dscp & 0x0f << 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 60 + ] + } + } + } +] + +# ct mark set ct mark | ip6 dscp | 0x200 counter +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "ct": { + "key": "mark" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 512 + ] + } + } + }, + { + "counter": null + } +] diff --git a/tests/py/ip6/ct.t.payload b/tests/py/ip6/ct.t.payload new file mode 100644 index 00000000..a7a56d4b --- /dev/null +++ b/tests/py/ip6/ct.t.payload 
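Review bot: The new tests/py/ip6/ct.t.json holds more expectation blocks than the six rules in tests/py/ip6/ct.t: the `ct mark set ip6 dscp << 2 | 0x10` and `<< 26 | 0x10` blocks each appear three times (once under the comment spelling `lshift 2 or 0x10` / `lshift 26 or 0x10`, which matches no rule line in ct.t), and the `| 0x04` and `| 0xff000000` blocks appear twice. The JSON bodies are identical across the copies, so this only stays harmless as long as the harness keys blocks by their comment and quietly takes the last one; I would cut the file down to one block per rule, with each comment matching the ct.t rule text exactly. The last block also orders its payload object as `"protocol"` then `"field"` where every other block in the file writes `"field"` first; aligning it keeps the file greppable.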
@@ -0,0 +1,58 @@ +# ct mark set ip6 dscp << 2 | 0x10 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp << 26 | 0x10 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp | 0x04 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp | 0xff000000 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0x00ffffff ) ^ 0xff000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp & 0x0f << 2 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ct mark | ip6 dscp | 0x200 counter +ip6 test-ip6 output + [ ct load mark => reg 1 ] + [ payload load 2b @ network header + 0 => reg 2 ] + [ bitwise reg 2 = ( 
reg 2 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 2 = ntoh(reg 2, 2, 2) ] + [ bitwise reg 2 = ( reg 2 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 | reg 2 ) ] + [ bitwise reg 1 = ( reg 1 & 0xfffffdff ) ^ 0x00000200 ] + [ ct set mark with reg 1 ] + [ counter pkts 0 bytes 0 ] diff --git a/tests/py/ip6/dnat.t.payload.ip6 b/tests/py/ip6/dnat.t.payload.ip6 index 004ffdeb..fe6e0422 100644 --- a/tests/py/ip6/dnat.t.payload.ip6 +++ b/tests/py/ip6/dnat.t.payload.ip6 @@ -3,8 +3,7 @@ ip6 test-ip6 prerouting [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00005000 ] - [ cmp lte reg 1 0x00005a00 ] + [ range eq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00005000 ] @@ -16,8 +15,7 @@ ip6 test-ip6 prerouting [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00005000 ] - [ cmp lte reg 1 0x00005a00 ] + [ range eq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00006400 ] @@ -28,8 +26,7 @@ ip6 test-ip6 prerouting [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00005000 ] - [ cmp lte reg 1 0x00005a00 ] + [ range eq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x00005000 ] [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ] diff --git a/tests/py/ip6/dst.t.payload.inet b/tests/py/ip6/dst.t.payload.inet index 90d6bda1..476fdbcd 100644 --- a/tests/py/ip6/dst.t.payload.inet +++ b/tests/py/ip6/dst.t.payload.inet 
@@ -17,8 +17,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # dst nexthdr != 33-45 inet test-inet input @@ -100,8 +99,7 @@ ip6 test-ip6 input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # dst hdrlength != 33-45 ip6 test-ip6 input diff --git a/tests/py/ip6/dst.t.payload.ip6 b/tests/py/ip6/dst.t.payload.ip6 index 941140d0..af3bab9b 100644 --- a/tests/py/ip6/dst.t.payload.ip6 +++ b/tests/py/ip6/dst.t.payload.ip6 @@ -11,8 +11,7 @@ ip6 test-ip6 input # dst nexthdr 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # dst nexthdr != 33-45 ip6 test-ip6 input @@ -74,8 +73,7 @@ ip6 test-ip6 input # dst hdrlength 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # dst hdrlength != 33-45 ip6 test-ip6 input diff --git a/tests/py/ip6/exthdr.t.json.output b/tests/py/ip6/exthdr.t.json.output index c9f5b49b..813402a2 100644 --- a/tests/py/ip6/exthdr.t.json.output +++ b/tests/py/ip6/exthdr.t.json.output @@ -1,33 +1,3 @@ -# exthdr hbh == exists -[ - { - "match": { - "left": { - "exthdr": { - "name": "hbh" - } - }, - "op": "==", - "right": true - } - } -] - -# exthdr hbh == missing -[ - { - "match": { - "left": { - "exthdr": { - "name": "hbh" - } - }, - "op": "==", - "right": false - } - } -] - # exthdr hbh 1 [ { diff --git a/tests/py/ip6/flowtable.t b/tests/py/ip6/flowtable.t deleted file mode 100644 index e58d51bb..00000000 --- a/tests/py/ip6/flowtable.t +++ /dev/null 
@@ -1,6 +0,0 @@
-:input;type filter hook input priority 0
-
-*ip6;test-ip6;input
-
-meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter };ok;meter acct_out size 4096 { iif . ip6 saddr timeout 10m counter }
-meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter };ok;meter acct_out size 12345 { ip6 saddr . iif timeout 10m counter }
diff --git a/tests/py/ip6/flowtable.t.json b/tests/py/ip6/flowtable.t.json
deleted file mode 100644
index d0b3a957..00000000
--- a/tests/py/ip6/flowtable.t.json
+++ /dev/null
@@ -1,62 +0,0 @@
-# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter }
-[
- {
- "meter": {
- "key": {
- "elem": {
- "timeout": 600,
- "val": {
- "concat": [
- {
- "meta": { "key": "iif" }
- },
- {
- "payload": {
- "field": "saddr",
- "protocol": "ip6"
- }
- }
- ]
- }
- }
- },
- "name": "acct_out",
- "size": 4096,
- "stmt": {
- "counter": null
- }
- }
- }
-]
-
-# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter }
-[
- {
- "meter": {
- "key": {
- "elem": {
- "timeout": 600,
- "val": {
- "concat": [
- {
- "payload": {
- "field": "saddr",
- "protocol": "ip6"
- }
- },
- {
- "meta": { "key": "iif" }
- }
- ]
- }
- }
- },
- "name": "acct_out",
- "size": 12345,
- "stmt": {
- "counter": null
- }
- }
- }
-]
-
diff --git a/tests/py/ip6/flowtable.t.json.output b/tests/py/ip6/flowtable.t.json.output
deleted file mode 100644
index d0b3a957..00000000
--- a/tests/py/ip6/flowtable.t.json.output
+++ /dev/null
@@ -1,62 +0,0 @@ -# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "meta": { "key": "iif" } - }, - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - } - ] - } - } - }, - "name": "acct_out", - "size": 4096, - "stmt": { - "counter": null - } - } - } -] - -# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - }, - { - "meta": { "key": "iif" } - } - ] - } - } - }, - "name": "acct_out", - "size": 12345, - "stmt": { - "counter": null - } - } - } -] - diff --git a/tests/py/ip6/flowtable.t.payload b/tests/py/ip6/flowtable.t.payload deleted file mode 100644 index 559475f6..00000000 --- a/tests/py/ip6/flowtable.t.payload +++ /dev/null @@ -1,16 +0,0 @@ -# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } -acct_out test-ip6 31 -acct_out test-ip6 0 -ip6 test-ip6 input - [ meta load iif => reg 1 ] - [ payload load 16b @ network header + 8 => reg 9 ] - [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ] - -# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter } -acct_out test-ip6 31 -acct_out test-ip6 0 -ip6 test-ip6 input - [ payload load 16b @ network header + 8 => reg 1 ] - [ meta load iif => reg 2 ] - [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ] - diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet index 20334f44..1100896e 100644 --- a/tests/py/ip6/frag.t.payload.inet +++ b/tests/py/ip6/frag.t.payload.inet 
@@ -65,8 +65,7 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # frag reserved != 33-45 inet test-inet output @@ -117,8 +116,7 @@ inet test-inet output [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] + [ range eq reg 1 0x00000801 0x00006801 ] # frag frag-off != 33-45 inet test-inet output @@ -176,8 +174,7 @@ inet test-inet output [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] + [ range eq reg 1 0x21000000 0x2d000000 ] # frag id != 33-45 inet test-inet output diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6 index 7c3e7a4e..0556395a 100644 --- a/tests/py/ip6/frag.t.payload.ip6 +++ b/tests/py/ip6/frag.t.payload.ip6 @@ -47,8 +47,7 @@ ip6 test-ip6 output # frag reserved 33-45 ip6 test-ip6 output [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # frag reserved != 33-45 ip6 test-ip6 output @@ -87,8 +86,7 @@ ip6 test-ip6 output ip6 test-ip6 output [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] + [ range eq reg 1 0x00000801 0x00006801 ] # frag frag-off != 33-45 ip6 test-ip6 output @@ -132,8 +130,7 @@ ip6 test-ip6 output # frag id 33-45 ip6 test-ip6 output [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] + [ range eq reg 1 0x21000000 0x2d000000 ] # frag id != 33-45 ip6 test-ip6 output 
diff --git a/tests/py/ip6/frag.t.payload.netdev b/tests/py/ip6/frag.t.payload.netdev
index 821d5679..68257f5b 100644
--- a/tests/py/ip6/frag.t.payload.netdev
+++ b/tests/py/ip6/frag.t.payload.netdev
@@ -1,1457 +1,109 @@ -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off { 33, 55, 67, 88} -__set%d 
test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - 
element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => 
reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 
= ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d 
test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - 
[ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off 33-45 -netdev - [ meta 
load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - 
element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 
0x00000002 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag nexthdr tcp -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - -# frag nexthdr tcp -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - -# frag nexthdr != icmp -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp neq reg 1 0x00000001 ] - -# frag nexthdr != icmp -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp neq reg 1 0x00000001 ] - -# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000032 : 0 [end] element 
00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag nexthdr esp -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - -# frag nexthdr esp -netdev - [ meta load protocol => reg 1 
] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - -# frag nexthdr ah -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - -# frag nexthdr ah -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - -# frag reserved 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000016 ] - -# frag reserved 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000016 ] - -# frag reserved != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp neq reg 1 0x000000e9 ] - -# frag reserved != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp neq reg 1 0x000000e9 ] - -# frag reserved 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] - -# frag reserved 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] - -# frag reserved != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ range neq reg 1 0x00000021 0x0000002d ] - -# frag reserved != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ range neq reg 1 0x00000021 0x0000002d ] - -# frag reserved { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 
00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] 
element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta 
load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 
0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag 
more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag id 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# frag id 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# frag id 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp eq reg 1 0x16000000 ] - -# frag id 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp eq reg 1 0x16000000 ] - -# frag id != 33 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp neq reg 1 0x21000000 ] - -# frag id != 33 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp neq reg 1 0x21000000 ] - -# frag id 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load 
ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] - -# frag id 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] - -# frag id != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ range neq reg 1 0x21000000 0x2d000000 ] - -# frag id != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ range neq reg 1 0x21000000 0x2d000000 ] - -# frag id { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag id != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 
] - -# frag id { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag id != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag nexthdr tcp -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - -# frag nexthdr tcp -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] [ cmp eq reg 1 0x00000006 ] # frag nexthdr != icmp -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp neq reg 1 0x00000001 ] - -# frag nexthdr != icmp -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] [ cmp neq reg 1 0x00000001 ] # frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp} -__set%d 
test-netdev 3 +__set%d test-netdev 3 size 8 __set%d test-netdev 0 element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] [ lookup reg 1 set __set%d ] -# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp} -__set%d test-netdev 3 +__set%d test-netdev 3 size 8 __set%d test-netdev 0 element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # frag nexthdr esp -netdev +netdev test-netdev ingress [ meta 
load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] [ cmp eq reg 1 0x00000032 ] -# frag nexthdr esp -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - -# frag nexthdr ah -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - # frag nexthdr ah -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] [ cmp eq reg 1 0x00000033 ] # frag reserved 22 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ cmp eq reg 1 0x00000016 ] -# frag reserved 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp eq reg 1 0x00000016 ] - -# frag reserved != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp neq reg 1 0x000000e9 ] - # frag reserved != 233 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ cmp neq reg 1 0x000000e9 ] # frag reserved 33-45 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] - -# frag reserved 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] - -# frag reserved != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ range neq reg 1 0x00000021 0x0000002d ] + [ range eq reg 1 
0x00000021 0x0000002d ] # frag reserved != 33-45 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ range neq reg 1 0x00000021 0x0000002d ] # frag reserved { 33, 55, 67, 88} -__set%d test-netdev 3 +__set%d test-netdev 3 size 4 __set%d test-netdev 0 element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ lookup reg 1 set __set%d ] -# frag reserved { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag reserved != { 33, 55, 67, 88} -__set%d test-netdev 3 +__set%d test-netdev 3 size 4 __set%d test-netdev 0 element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved { 
33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # frag frag-off 22 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000b000 ] -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - # frag frag-off != 233 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] 
@@ -1459,55 +111,26 @@ netdev [ cmp neq reg 1 0x00004807 ] # frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off 33-45 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] + [ range eq reg 1 0x00000801 0x00006801 ] # frag frag-off != 33-45 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ range neq reg 1 0x00000801 0x00006801 ] -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - # frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 +__set%d test-netdev 3 size 4 __set%d test-netdev 0 element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] 
@@ -1515,81 +138,18 @@ netdev [ lookup reg 1 set __set%d ] # frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 +__set%d test-netdev 3 size 4 __set%d test-netdev 0 element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 
] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - # frag reserved2 1 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] @@ -1597,15 +157,7 @@ netdev [ cmp eq reg 1 0x00000002 ] # frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 0 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] @@ -1613,15 +165,7 @@ netdev [ cmp eq reg 1 0x00000000 ] # frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag more-fragments 1 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] 
@@ -1629,558 +173,57 @@ netdev [ cmp eq reg 1 0x00000001 ] # frag id 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp eq reg 1 0x01000000 ] - -# frag id 1 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ cmp eq reg 1 0x01000000 ] # frag id 22 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ cmp eq reg 1 0x16000000 ] -# frag id 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp eq reg 1 0x16000000 ] - -# frag id != 33 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp neq reg 1 0x21000000 ] - # frag id != 33 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ cmp neq reg 1 0x21000000 ] # frag id 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] - -# frag id 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] - -# frag id != 33-45 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ range neq reg 1 0x21000000 0x2d000000 ] + [ range eq reg 1 0x21000000 0x2d000000 ] # frag id != 33-45 -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ range neq reg 1 0x21000000 0x2d000000 ] # frag id { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 
- element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id { 33, 55, 67, 88} -__set%d test-netdev 3 +__set%d test-netdev 3 size 4 __set%d test-netdev 0 element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ lookup reg 1 set __set%d ] # frag id != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag id != { 33, 55, 67, 88} -__set%d test-netdev 3 +__set%d test-netdev 3 size 4 __set%d test-netdev 0 element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag id { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -netdev +netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id != { 33-55} -__set%d 
test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag id != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 
0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 
44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ 
cmp eq reg 1 0x00000002 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off 22 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000b000 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off != 233 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp neq reg 1 0x00004807 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => 
reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ cmp gte reg 1 0x00000801 ] - [ cmp lte reg 1 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off != 33-45 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ range neq reg 1 0x00000801 0x00006801 ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ 
bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off != { 33, 55, 67, 88} -__set%d test-netdev 3 -__set%d test-netdev 0 - element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# frag frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - -# frag reserved2 1 -netdev - [ meta load 
protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag reserved2 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000002 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 0 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000000 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - -# frag more-fragments 1 -netdev - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x0000dd86 ] - [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000001 ] - diff --git a/tests/py/ip6/hbh.t.payload.inet b/tests/py/ip6/hbh.t.payload.inet index 63afd832..10f010aa 100644 --- a/tests/py/ip6/hbh.t.payload.inet +++ b/tests/py/ip6/hbh.t.payload.inet @@ -17,8 +17,7 @@ inet test-inet filter-input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # hbh hdrlength != 33-45 inet test-inet filter-input 
@@ -86,8 +85,7 @@ inet test-inet filter-input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # hbh nexthdr != 33-45 inet test-inet filter-input diff --git a/tests/py/ip6/hbh.t.payload.ip6 b/tests/py/ip6/hbh.t.payload.ip6 index 913505a5..a6bc7ae6 100644 --- a/tests/py/ip6/hbh.t.payload.ip6 +++ b/tests/py/ip6/hbh.t.payload.ip6 @@ -11,8 +11,7 @@ ip6 test-ip6 filter-input # hbh hdrlength 33-45 ip6 test-ip6 filter-input [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # hbh hdrlength != 33-45 ip6 test-ip6 filter-input @@ -64,8 +63,7 @@ ip6 test-ip6 filter-input # hbh nexthdr 33-45 ip6 test-ip6 filter-input [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # hbh nexthdr != 33-45 ip6 test-ip6 filter-input diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t index 4de6ee23..7632bfd8 100644 --- a/tests/py/ip6/icmpv6.t +++ b/tests/py/ip6/icmpv6.t @@ -28,10 +28,10 @@ icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-sol icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok -icmpv6 code 4;ok;icmpv6 code port-unreachable +icmpv6 code 4;ok icmpv6 code 3-66;ok -icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept -icmpv6 code != {policy-fail, reject-route, 7} accept;ok +icmpv6 code {5, 6, 7} accept;ok +icmpv6 code != {policy-fail, reject-route, 7} accept;ok;icmpv6 code != {5, 6, 7} accept icmpv6 checksum 2222 log;ok icmpv6 checksum != 2222 log;ok 
@@ -84,4 +84,16 @@ icmpv6 max-delay != 33-45;ok icmpv6 max-delay {33, 55, 67, 88};ok icmpv6 max-delay != {33, 55, 67, 88};ok -icmpv6 type parameter-problem icmpv6 code no-route;ok +icmpv6 type parameter-problem icmpv6 code 0;ok + +icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133;ok +icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133;ok +icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133;ok +icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 + +icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 + +icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133;ok +icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133;ok +icmpv6 daddr 2001:db8::133;ok +icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133;ok;icmpv6 daddr 2001:db8::133 diff --git a/tests/py/ip6/icmpv6.t.json b/tests/py/ip6/icmpv6.t.json index 2251be82..9df886dd 100644 --- a/tests/py/ip6/icmpv6.t.json +++ b/tests/py/ip6/icmpv6.t.json @@ -532,8 +532,8 @@ "op": "!=", "right": { "set": [ - "policy-fail", - "reject-route", + 5, + 6, 7 ] } @@ -1136,7 +1136,7 @@ } ] -# icmpv6 type parameter-problem icmpv6 code no-route +# icmpv6 type parameter-problem icmpv6 code 0 [ { "match": { 
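Review bot: The line `icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133` is added twice in this hunk, separated only by a blank line, and the corresponding `# icmpv6 taddr 2001:db8::133` block is duplicated the same way in the icmpv6.t.json hunk at `@@ -1159,7 +1159,267 @@`; the second copy adds no coverage and should be dropped from both files. The expected output on that line is the interesting part of the test: a bare `icmpv6 taddr` match gets an implicit type dependency expanded to the six ICMPv6 types that carry a target address, which the three single-type variants above it do not exercise, so a short comment such as `# bare taddr match must generate the implicit type set dependency` next to it would make the intent explicit. If the duplicate is deliberate (e.g. a regression check for the same rule appearing twice in one ruleset), say so in a comment so it is not cleaned up later.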
@@ -1159,7 +1159,267 @@ } }, "op": "==", - "right": "no-route" + "right": 0 + } + } +] + +# icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "mld-listener-query" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-neighbor-solicit" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-neighbor-advert" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" + ] + } + } + }, + { + "match": { + "left": 
{ + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": { + "set": [ + "nd-neighbor-solicit", + "nd-neighbor-advert" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 daddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" } } ] diff --git a/tests/py/ip6/icmpv6.t.json.output b/tests/py/ip6/icmpv6.t.json.output index 7b8f5c19..5d33780e 100644 --- a/tests/py/ip6/icmpv6.t.json.output +++ b/tests/py/ip6/icmpv6.t.json.output 
@@ -93,68 +93,6 @@ } ] -# icmpv6 code 4 -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": "port-unreachable" - } - } -] - -# icmpv6 code 3-66 -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": { - "range": [ - "addr-unreachable", - 66 - ] - } - } - } -] - -# icmpv6 code {5, 6, 7} accept -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": { - "set": [ - "policy-fail", - "reject-route", - 7 - ] - } - } - }, - { - "accept": null - } -] - # icmpv6 code { 3-66} [ { diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 index 0e96be2d..8a637afa 100644 --- a/tests/py/ip6/icmpv6.t.payload.ip6 +++ b/tests/py/ip6/icmpv6.t.payload.ip6 @@ -206,8 +206,7 @@ ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] [ payload load 1b @ transport header + 1 => reg 1 ] - [ cmp gte reg 1 0x00000003 ] - [ cmp lte reg 1 0x00000042 ] + [ range eq reg 1 0x00000003 0x00000042 ] # icmpv6 code {5, 6, 7} accept __set%d test-ip6 3 @@ -252,8 +251,7 @@ ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x0000de00 ] - [ cmp lte reg 1 0x0000e200 ] + [ range eq reg 1 0x0000de00 0x0000e200 ] # icmpv6 checksum != 222-226 ip6 @@ -307,8 +305,7 @@ ip6 test-ip6 input [ payload load 1b @ transport header + 0 => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ transport header + 4 => reg 1 ] - [ cmp gte reg 1 0x21000000 ] - [ cmp lte reg 1 0x2d000000 ] + [ range eq reg 1 0x21000000 0x2d000000 ] # icmpv6 mtu != 33-45 ip6 test-ip6 input 
@@ -362,8 +359,7 @@ ip6 test-ip6 input [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # icmpv6 id != 33-45 __set%d test-ip6 3 @@ -496,8 +492,7 @@ ip6 test-ip6 input [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 6 => reg 1 ] - [ cmp gte reg 1 0x00000200 ] - [ cmp lte reg 1 0x00000400 ] + [ range eq reg 1 0x00000200 0x00000400 ] # icmpv6 sequence != 2-4 __set%d test-ip6 3 @@ -518,8 +513,7 @@ ip6 test-ip6 input [ payload load 1b @ transport header + 0 => reg 1 ] [ cmp eq reg 1 0x00000082 ] [ payload load 2b @ transport header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # icmpv6 max-delay != 33-45 ip6 test-ip6 input 
@@ -554,10 +548,90 @@ ip6 test-ip6 input [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 type parameter-problem icmpv6 code no-route +# icmpv6 type parameter-problem icmpv6 code 0 ip6 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] [ payload load 2b @ transport header + 0 => reg 1 ] [ cmp eq reg 1 0x00000004 ] +# icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000082 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000087 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 6 +__set%d test-ip6 0 + element 00000082 : 0 [end] element 00000083 : 0 [end] element 00000084 : 0 [end] element 00000087 : 0 [end] element 00000088 : 0 [end] element 00000089 : 0 [end] +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type { mld-listener-query, 
mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 6 +__set%d test-ip6 0 + element 00000082 : 0 [end] element 00000083 : 0 [end] element 00000084 : 0 [end] element 00000087 : 0 [end] element 00000088 : 0 [end] element 00000089 : 0 [end] +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 2 +__set%d test-ip6 0 + element 00000087 : 0 [end] element 00000088 : 0 [end] +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 daddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000089 ] + [ payload load 16b @ transport header + 24 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000089 ] + [ payload load 16b @ transport header + 24 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] diff --git a/tests/py/ip6/ip6.t b/tests/py/ip6/ip6.t index 2ffe318e..430dd571 100644 --- a/tests/py/ip6/ip6.t +++ b/tests/py/ip6/ip6.t 
@@ -17,6 +17,15 @@ ip6 dscp != 0x20;ok;ip6 dscp != cs4 ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter;ok +!map1 type dscp : mark;ok +meta mark set ip6 dscp map @map1;ok +!map2 type dscp . ipv6_addr : mark;ok +meta mark set ip6 dscp . ip6 daddr map @map2;ok +!map3 type dscp : mark;ok +ip6 dscp @map3;ok +!map4 type dscp . ipv6_addr : mark;ok +ip6 dscp . ip6 daddr @map4;ok + ip6 flowlabel 22;ok ip6 flowlabel != 233;ok - ip6 flowlabel 33-45;ok diff --git a/tests/py/ip6/ip6.t.json b/tests/py/ip6/ip6.t.json index cf802175..49e5a2dd 100644 --- a/tests/py/ip6/ip6.t.json +++ b/tests/py/ip6/ip6.t.json @@ -135,6 +135,106 @@ } ] +# meta mark set ip6 dscp map @map1 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map1", + "key": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } + } + } +] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map2", + "key": { + "concat": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] + } + } + } + } + } +] + +# ip6 dscp @map3 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + "op": "==", + "right": "@map3" + } + } +] + +# ip6 dscp . ip6 daddr @map4 +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] + }, + "op": "==", + "right": "@map4" + } + } +] + # ip6 flowlabel 22 [ { diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet index 20dfe549..f0c1843d 100644 --- a/tests/py/ip6/ip6.t.payload.inet +++ b/tests/py/ip6/ip6.t.payload.inet 
@@ -53,6 +53,50 @@ ip6 test-ip6 input [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] +# meta mark set ip6 dscp map @map1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map2 dreg 1 ] + [ meta set mark with reg 1 ] + +# ip6 dscp @map3 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map3 ] + +# ip6 dscp . ip6 daddr @map4 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map4 ] + # ip6 flowlabel 22 inet test-inet input [ meta load nfproto => reg 1 ] 
@@ -121,8 +165,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 2b @ network header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip6 length != 33-45 inet test-inet input @@ -200,8 +243,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002c ] + [ range eq reg 1 0x00000021 0x0000002c ] # ip6 nexthdr != 33-44 inet test-inet input @@ -229,8 +271,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ payload load 1b @ network header + 7 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # ip6 hoplimit != 33-45 inet test-inet input diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6 index f8e3ca3c..5118d4f2 100644 --- a/tests/py/ip6/ip6.t.payload.ip6 +++ b/tests/py/ip6/ip6.t.payload.ip6 
@@ -41,6 +41,42 @@ ip6 test-ip6 input [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] +# meta mark set ip6 dscp map @map1 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map2 dreg 1 ] + [ meta set mark with reg 1 ] + +# ip6 dscp @map3 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map3 ] + +# ip6 dscp . ip6 daddr @map4 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map4 ] + # ip6 flowlabel 22 ip6 test-ip6 input [ payload load 3b @ network header + 1 => reg 1 ] @@ -93,8 +129,7 @@ ip6 test-ip6 input # ip6 length 33-45 ip6 test-ip6 input [ payload load 2b @ network header + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # ip6 length != 33-45 ip6 test-ip6 input 
@@ -154,8 +189,7 @@ ip6 test-ip6 input # ip6 nexthdr 33-44 ip6 test-ip6 input [ payload load 1b @ network header + 6 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002c ] + [ range eq reg 1 0x00000021 0x0000002c ] # ip6 nexthdr != 33-44 ip6 test-ip6 input @@ -175,8 +209,7 @@ ip6 test-ip6 input # ip6 hoplimit 33-45 ip6 test-ip6 input [ payload load 1b @ network header + 7 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # ip6 hoplimit != 33-45 ip6 test-ip6 input diff --git a/tests/py/ip6/masquerade.t.payload.ip6 b/tests/py/ip6/masquerade.t.payload.ip6 index 43ae2ae4..086a6dda 100644 --- a/tests/py/ip6/masquerade.t.payload.ip6 +++ b/tests/py/ip6/masquerade.t.payload.ip6 @@ -100,8 +100,7 @@ ip6 test-ip6 postrouting # ip6 daddr fe00::1-fe00::200 udp dport 53 counter masquerade ip6 test-ip6 postrouting [ payload load 16b @ network header + 24 => reg 1 ] - [ cmp gte reg 1 0x000000fe 0x00000000 0x00000000 0x01000000 ] - [ cmp lte reg 1 0x000000fe 0x00000000 0x00000000 0x00020000 ] + [ range eq reg 1 0x000000fe 0x00000000 0x00000000 0x01000000 0x000000fe 0x00000000 0x00000000 0x00020000 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] diff --git a/tests/py/ip6/meta.t b/tests/py/ip6/meta.t index 471e1481..c177b081 100644 --- a/tests/py/ip6/meta.t +++ b/tests/py/ip6/meta.t @@ -14,3 +14,6 @@ meta protocol ip6 udp dport 67;ok;udp dport 67 meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok + +meta mark set ip6 dscp << 2 | 0x10;ok +meta mark set ip6 dscp << 26 | 0x10;ok diff --git a/tests/py/ip6/meta.t.json b/tests/py/ip6/meta.t.json index 351320d7..1a2394d8 100644 --- a/tests/py/ip6/meta.t.json +++ b/tests/py/ip6/meta.t.json 
@@ -194,3 +194,120 @@ } } ] + +# meta mark set ip6 dscp lshift 2 or 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp lshift 26 or 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + diff --git a/tests/py/ip6/meta.t.payload b/tests/py/ip6/meta.t.payload index 0e3db6ba..6a37f1de 100644 --- a/tests/py/ip6/meta.t.payload +++ b/tests/py/ip6/meta.t.payload 
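Review bot: Two of the four expectation blocks added here, `# meta mark set ip6 dscp lshift 2 or 0x10` and `# meta mark set ip6 dscp lshift 26 or 0x10`, have no matching rule in meta.t, whose hunk (`@@ -14,3 +14,6 @@`) only adds the `<<` / `|` spellings, and their JSON content is byte-identical to the `# meta mark set ip6 dscp << 2 | 0x10` and `# meta mark set ip6 dscp << 26 | 0x10` blocks that follow. If the harness keys JSON expectations on the comment line, as the other blocks in this file suggest, the two `lshift`/`or` blocks are dead entries and should be removed, or the alternative spelling should be added to meta.t if it is meant to be parsed. The hunk also ends with an added empty line after the final `]`, leaving a trailing blank line at end of file that looks unintentional.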
@@ -60,3 +60,23 @@ ip6 test-ip6 input [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip6 dscp << 2 | 0x10 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp << 26 | 0x10 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip6/mh.t.payload.inet b/tests/py/ip6/mh.t.payload.inet index 54eaa70e..7ab9b75c 100644 --- a/tests/py/ip6/mh.t.payload.inet +++ b/tests/py/ip6/mh.t.payload.inet @@ -65,8 +65,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # mh nexthdr != 33-45 inet test-inet input @@ -114,8 +113,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # mh hdrlength != 33-45 inet test-inet input @@ -187,8 +185,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # mh reserved != 33-45 inet test-inet input 
@@ -236,8 +233,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # mh checksum != 33-45 inet test-inet input diff --git a/tests/py/ip6/mh.t.payload.ip6 b/tests/py/ip6/mh.t.payload.ip6 index 73bd4226..7edde6e8 100644 --- a/tests/py/ip6/mh.t.payload.ip6 +++ b/tests/py/ip6/mh.t.payload.ip6 @@ -47,8 +47,7 @@ ip6 test-ip6 input # mh nexthdr 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # mh nexthdr != 33-45 ip6 test-ip6 input @@ -84,8 +83,7 @@ ip6 test-ip6 input # mh hdrlength 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # mh hdrlength != 33-45 ip6 test-ip6 input @@ -139,8 +137,7 @@ ip6 test-ip6 input # mh reserved 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # mh reserved != 33-45 ip6 test-ip6 input @@ -176,8 +173,7 @@ ip6 test-ip6 input # mh checksum 33-45 ip6 test-ip6 input [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ cmp gte reg 1 0x00002100 ] - [ cmp lte reg 1 0x00002d00 ] + [ range eq reg 1 0x00002100 0x00002d00 ] # mh checksum != 33-45 ip6 test-ip6 input diff --git a/tests/py/ip6/redirect.t b/tests/py/ip6/redirect.t index 778d53f3..70ef7f9f 100644 --- a/tests/py/ip6/redirect.t +++ b/tests/py/ip6/redirect.t 
@@ -46,4 +46,4 @@ ip6 daddr fe00::1-fe00::200 udp dport 53 counter redirect;ok iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok # redirect with maps -ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok +redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok diff --git a/tests/py/ip6/redirect.t.json b/tests/py/ip6/redirect.t.json index 0059c7ac..c18223fa 100644 --- a/tests/py/ip6/redirect.t.json +++ b/tests/py/ip6/redirect.t.json @@ -557,21 +557,9 @@ } ] -# ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} [ { - "match": { - "left": { - "payload": { - "field": "nexthdr", - "protocol": "ip6" - } - }, - "op": "==", - "right": 6 - } - }, - { "redirect": { "port": { "map": { diff --git a/tests/py/ip6/redirect.t.payload.ip6 b/tests/py/ip6/redirect.t.payload.ip6 index e9a20316..832c51da 100644 --- a/tests/py/ip6/redirect.t.payload.ip6 +++ b/tests/py/ip6/redirect.t.payload.ip6 @@ -166,8 +166,7 @@ ip6 test-ip6 output # ip6 daddr fe00::1-fe00::200 udp dport 53 counter redirect ip6 test-ip6 output [ payload load 16b @ network header + 24 => reg 1 ] - [ cmp gte reg 1 0x000000fe 0x00000000 0x00000000 0x01000000 ] - [ cmp lte reg 1 0x000000fe 0x00000000 0x00000000 0x00020000 ] + [ range eq reg 1 0x000000fe 0x00000000 0x00000000 0x01000000 0x000000fe 0x00000000 0x00000000 0x00020000 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] 
@@ -191,12 +190,12 @@ ip6 test-ip6 output [ lookup reg 1 set __map%d dreg 0 ] [ redir ] -# ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} __map%d test-ip6 b __map%d test-ip6 0 element 00001600 : 0000401f 0 [end] element 00005000 : 0000901f 0 [end] ip6 test-ip6 output - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] diff --git a/tests/py/ip6/rt.t.payload.inet b/tests/py/ip6/rt.t.payload.inet index 864d3114..6549ab78 100644 --- a/tests/py/ip6/rt.t.payload.inet +++ b/tests/py/ip6/rt.t.payload.inet @@ -65,8 +65,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # rt nexthdr != 33-45 inet test-inet input @@ -114,8 +113,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # rt hdrlength != 33-45 inet test-inet input @@ -163,8 +161,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # rt type != 33-45 inet test-inet input @@ -212,8 +209,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # rt seg-left != 33-45 inet test-inet input diff --git a/tests/py/ip6/rt.t.payload.ip6 b/tests/py/ip6/rt.t.payload.ip6 index c7b52f82..2b40159b 100644 
--- a/tests/py/ip6/rt.t.payload.ip6 +++ b/tests/py/ip6/rt.t.payload.ip6 @@ -47,8 +47,7 @@ ip6 test-ip6 input # rt nexthdr 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # rt nexthdr != 33-45 ip6 test-ip6 input @@ -84,8 +83,7 @@ ip6 test-ip6 input # rt hdrlength 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # rt hdrlength != 33-45 ip6 test-ip6 input @@ -121,8 +119,7 @@ ip6 test-ip6 input # rt type 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # rt type != 33-45 ip6 test-ip6 input @@ -158,8 +155,7 @@ ip6 test-ip6 input # rt seg-left 33-45 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ cmp gte reg 1 0x00000021 ] - [ cmp lte reg 1 0x0000002d ] + [ range eq reg 1 0x00000021 0x0000002d ] # rt seg-left != 33-45 ip6 test-ip6 input diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t index 3b99d661..cc26bd22 100644 --- a/tests/py/ip6/sets.t +++ b/tests/py/ip6/sets.t @@ -41,4 +41,11 @@ ip6 saddr != @set33 drop;fail !set5 type ipv6_addr . ipv6_addr;ok ip6 saddr . ip6 daddr @set5 drop;ok add @set5 { ip6 saddr . ip6 daddr };ok + +!map1 type ipv6_addr . ipv6_addr : mark;ok +add @map1 { ip6 saddr . ip6 daddr : meta mark };ok + delete @set5 { ip6 saddr . ip6 daddr };ok + +!map2 type ipv6_addr . ipv6_addr . inet_service : ipv6_addr . inet_service;ok +add @map2 { ip6 saddr . ip6 daddr . th dport : 1234::1 . 80 };ok
\ No newline at end of file diff --git a/tests/py/ip6/sets.t.json b/tests/py/ip6/sets.t.json index 948c1f16..99236099 100644 --- a/tests/py/ip6/sets.t.json +++ b/tests/py/ip6/sets.t.json @@ -116,3 +116,72 @@ } } ] + +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +[ + { + "map": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + +# add @map2 { ip6 saddr . ip6 daddr . th dport : 1234::1 . 80 } +[ + { + "map": { + "data": { + "concat": [ + "1234::1", + 80 + ] + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + }, + "map": "@map2", + "op": "add" + } + } +] diff --git a/tests/py/ip6/sets.t.payload.inet b/tests/py/ip6/sets.t.payload.inet index 47ad86a2..2dbb818a 100644 --- a/tests/py/ip6/sets.t.payload.inet +++ b/tests/py/ip6/sets.t.payload.inet @@ -31,6 +31,15 @@ inet test-inet input [ payload load 16b @ network header + 24 => reg 2 ] [ dynset add reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + # delete @set5 { ip6 saddr . ip6 daddr } inet test-inet input [ meta load nfproto => reg 1 ] 
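Review bot: The last added line of tests/py/ip6/sets.t, `add @map2 { ... : 1234::1 . 80 };ok`, leaves the file without a trailing newline (the `\ No newline at end of file` marker), which the other .t files in this diff do not do and which makes the next append to this file show up as a modification of this line. Ending the file with a newline keeps future diffs to one line per added test.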
@@ -38,3 +47,14 @@ inet test-inet input [ payload load 16b @ network header + 8 => reg 1 ] [ payload load 16b @ network header + 24 => reg 2 ] [ dynset delete reg_key 1 set set5 ] + +# add @map2 { ip6 saddr . ip6 daddr . th dport : 1234::1 . 80 } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 3 ] + [ immediate reg 17 0x00003412 0x00000000 0x00000000 0x01000000 ] + [ immediate reg 21 0x00005000 ] + [ dynset add reg_key 1 set map2 sreg_data 17 ] diff --git a/tests/py/ip6/sets.t.payload.ip6 b/tests/py/ip6/sets.t.payload.ip6 index a5febb9f..7234b989 100644 --- a/tests/py/ip6/sets.t.payload.ip6 +++ b/tests/py/ip6/sets.t.payload.ip6 @@ -29,3 +29,18 @@ ip6 test-ip6 input [ payload load 16b @ network header + 24 => reg 2 ] [ dynset delete reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +ip6 test-ip6 input + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + +# add @map2 { ip6 saddr . ip6 daddr . th dport : 1234::1 . 80 } +ip6 test-ip6 input + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 3 ] + [ immediate reg 17 0x00003412 0x00000000 0x00000000 0x01000000 ] + [ immediate reg 21 0x00005000 ] + [ dynset add reg_key 1 set map2 sreg_data 17 ] diff --git a/tests/py/ip6/sets.t.payload.netdev b/tests/py/ip6/sets.t.payload.netdev index dab74159..2ad0f434 100644 --- a/tests/py/ip6/sets.t.payload.netdev +++ b/tests/py/ip6/sets.t.payload.netdev 
@@ -39,3 +39,22 @@ netdev test-netdev ingress [ payload load 16b @ network header + 24 => reg 2 ] [ dynset delete reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + +# add @map2 { ip6 saddr . ip6 daddr . th dport : 1234::1 . 80 } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 3 ] + [ immediate reg 17 0x00003412 0x00000000 0x00000000 0x01000000 ] + [ immediate reg 21 0x00005000 ] + [ dynset add reg_key 1 set map2 sreg_data 17 ] diff --git a/tests/py/ip6/snat.t.payload.ip6 b/tests/py/ip6/snat.t.payload.ip6 index 66a29672..96a9ba0a 100644 --- a/tests/py/ip6/snat.t.payload.ip6 +++ b/tests/py/ip6/snat.t.payload.ip6 @@ -3,8 +3,7 @@ ip6 test-ip6 postrouting [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00005000 ] - [ cmp lte reg 1 0x00005a00 ] + [ range eq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00005000 ] @@ -16,8 +15,7 @@ ip6 test-ip6 postrouting [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp gte reg 1 0x00005000 ] - [ cmp lte reg 1 0x00005a00 ] + [ range eq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00006400 ] 
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index b66a33c2..7acdb77f 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -86,11 +86,12 @@ class Table: class Set: """Class that represents a set""" - def __init__(self, family, table, name, type, timeout, flags): + def __init__(self, family, table, name, type, data, timeout, flags): self.family = family self.table = table self.name = name self.type = type + self.data = data self.timeout = timeout self.flags = flags @@ -366,7 +367,11 @@ def set_add(s, test_result, filename, lineno): if flags != "": flags = "flags %s; " % flags - cmd = "add set %s %s { type %s;%s %s}" % (table, s.name, s.type, s.timeout, flags) + if s.data == "": + cmd = "add set %s %s { %s;%s %s}" % (table, s.name, s.type, s.timeout, flags) + else: + cmd = "add map %s %s { %s : %s;%s %s}" % (table, s.name, s.type, s.data, s.timeout, flags) + ret = execute_cmd(cmd, filename, lineno) if (ret == 0 and test_result == "fail") or \ 
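Review bot: `data` is added to `Set.__init__` as a required positional parameter in the middle of the signature, so any `Set(...)` call not updated in this commit would now silently shift `timeout` into `data` rather than fail loudly; the one visible caller in set_process is updated, but I cannot see whether others exist. A keyword default (for instance `data=""`, placed after the existing parameters) would keep older call sites working and make the optional nature of map data explicit. The attribute also deserves a one-line comment such as `# data: map value type; empty string for a plain set`, since `""` is what set_add and set_process compare against.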
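Review bot: The new `else` branch in set_add that builds `add map ...` duplicates the command construction in map_add, and as far as the visible set_process hunk shows, a Set with non-empty `data` is routed to map_add, so this branch looks unreachable; either drop it or drop map_add and let set_process always call set_add. Separately, the format string now omits the `type` keyword because set_process stores `tokens[1] + " " + tokens[2]` (i.e. `type X` or `typeof X`) in `s.type`; that coupling is easy to miss and is worth a comment, e.g. `# s.type already carries the leading "type"/"typeof" keyword (see set_process)`. set_add continues outside the hunk.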
@@ -384,6 +389,44 @@ def set_add(s, test_result, filename, lineno): return 0 +def map_add(s, test_result, filename, lineno): + ''' + Adds a map + ''' + if not table_list: + reason = "Missing table to add rule" + print_error(reason, filename, lineno) + return -1 + + for table in table_list: + s.table = table.name + s.family = table.family + if _map_exist(s, filename, lineno): + reason = "Map %s already exists in %s" % (s.name, table) + print_error(reason, filename, lineno) + return -1 + + flags = s.flags + if flags != "": + flags = "flags %s; " % flags + + cmd = "add map %s %s { %s : %s;%s %s}" % (table, s.name, s.type, s.data, s.timeout, flags) + + ret = execute_cmd(cmd, filename, lineno) + + if (ret == 0 and test_result == "fail") or \ + (ret != 0 and test_result == "ok"): + reason = "%s: I cannot add the set %s" % (cmd, s.name) + print_error(reason, filename, lineno) + return -1 + + if not _map_exist(s, filename, lineno): + reason = "I have just added the set %s to " \ + "the table %s but it does not exist" % (s.name, table) + print_error(reason, filename, lineno) + return -1 + + def set_add_elements(set_element, set_name, state, filename, lineno): ''' Adds elements to the set. @@ -490,6 +533,16 @@ def _set_exist(s, filename, lineno): return True if (ret == 0) else False +def _map_exist(s, filename, lineno): + ''' + Check if the map exists. + ''' + cmd = "list map %s %s %s" % (s.family, s.table, s.name) + ret = execute_cmd(cmd, filename, lineno) + + return True if (ret == 0) else False + + def set_check_element(rule1, rule2): ''' Check if element exists in anonymous sets. 
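Review bot: map_add never returns a value on the success path (set_add, whose tail `return 0` is the hunk's first context line, does), so it yields `None`, and the dispatching code in set_process (`ret = map_add(...)` followed by `if ret == 0: all_set[set_name] = set()`) will never register a map in `all_set`. Add `return 0` after the `for table in table_list:` loop, mirroring set_add. The two error strings are also copy-pasted from set_add and still say "set": `reason = "%s: I cannot add the map %s" % (cmd, s.name)` and `"I have just added the map %s to the table %s but it does not exist"` would match `_map_exist` and the "Map %s already exists" message above them.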
@@ -716,10 +769,9 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): if rule[1].strip() == "ok": payload_expected = None - payload_path = None + payload_path = "%s.payload" % filename_path try: - payload_log = open("%s.payload" % filename_path) - payload_path = payload_log.name + payload_log = open(payload_path) payload_expected = payload_find_expected(payload_log, rule[0]) except: payload_log = None @@ -756,6 +808,8 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): reason = "Invalid JSON syntax in expected output: %s" % json_expected print_error(reason) return [-1, warning, error, unit_tests] + if json_expected == json_input: + print_warning("Recorded JSON output matches input for: %s" % rule[0]) for table in table_list: if rule[1].strip() == "ok": @@ -1091,14 +1145,32 @@ def set_process(set_line, filename, lineno): tokens = set_line[0].split(" ") set_name = tokens[0] - set_type = tokens[2] + parse_typeof = tokens[1] == "typeof" + set_type = tokens[1] + " " + tokens[2] + set_data = "" set_flags = "" i = 3 + if parse_typeof and tokens[i] == "id": + set_type += " " + tokens[i] + i += 1; + while len(tokens) > i and tokens[i] == ".": set_type += " . " + tokens[i+1] i += 2 + while len(tokens) > i and tokens[i] == ":": + set_data = tokens[i+1] + i += 2 + + while len(tokens) > i and tokens[i] == ".": + set_data += " . " + tokens[i+1] + i += 2 + + if parse_typeof and tokens[i] == "mark": + set_data += " " + tokens[i] + i += 1; + if len(tokens) == i+2 and tokens[i] == "timeout": timeout = "timeout " + tokens[i+1] + ";" i += 2 
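Review bot: `payload_path` is now assigned before the `open()`, so it is a non-None string even when the .payload file does not exist, whereas before it stayed `None` in that case; if anything later in rule_add (outside this hunk) uses `payload_path is None` as the "no payload file" signal, it must now test `payload_log is None` instead. A short comment next to the assignment, e.g. `# always set, even if the file is missing, so errors can name the expected path`, would record that this is intentional. The bare `except:` is pre-existing and not part of this change.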
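Review bot: In the set_process hunk, `if parse_typeof and tokens[i] == "mark":` (and the earlier `tokens[i] == "id"` check) index `tokens[i]` without the `len(tokens) > i` guard that the surrounding `while` loops use, so a `typeof` line whose last token has already been consumed by the `:`/`.` loops would raise IndexError instead of reaching the "bad flag" diagnostic below; `if parse_typeof and len(tokens) > i and tokens[i] == "mark":` (and likewise for `"id"`) closes that. The two `i += 1;` lines carry stray semicolons, unlike the `i += 2` lines next to them. set_process continues outside the hunk.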
@@ -1108,9 +1180,13 @@ def set_process(set_line, filename, lineno): elif len(tokens) != i: print_error(set_name + " bad flag: " + tokens[i], filename, lineno) - s = Set("", "", set_name, set_type, timeout, set_flags) + s = Set("", "", set_name, set_type, set_data, timeout, set_flags) + + if set_data == "": + ret = set_add(s, test_result, filename, lineno) + else: + ret = map_add(s, test_result, filename, lineno) - ret = set_add(s, test_result, filename, lineno) if ret == 0: all_set[set_name] = set() diff --git a/tests/shell/features/bitshift.nft b/tests/shell/features/bitshift.nft new file mode 100644 index 00000000..7f9ccb64 --- /dev/null +++ b/tests/shell/features/bitshift.nft @@ -0,0 +1,7 @@ +# 567d746b55bc ("netfilter: bitwise: add support for shifts.") +# v5.6-rc1~151^2~73^2 +table ip t { + chain c { + meta mark set meta mark << 2 + } +} diff --git a/tests/shell/features/bitwise_multireg.nft b/tests/shell/features/bitwise_multireg.nft new file mode 100644 index 00000000..cfce5a39 --- /dev/null +++ b/tests/shell/features/bitwise_multireg.nft @@ -0,0 +1,5 @@ +table inet test { + chain y { + ct mark set ct mark | meta mark + } +} diff --git a/tests/shell/features/catchall_element.nft b/tests/shell/features/catchall_element.nft new file mode 100644 index 00000000..1a02fd61 --- /dev/null +++ b/tests/shell/features/catchall_element.nft @@ -0,0 +1,8 @@ +# aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") +# v5.13-rc1~94^2~10^2~2 +table t { + map m { + type inet_service : inet_service + elements = { * : 42 } + } +} diff --git a/tests/shell/features/chain_binding.nft b/tests/shell/features/chain_binding.nft new file mode 100644 index 00000000..b381ec54 --- /dev/null +++ b/tests/shell/features/chain_binding.nft @@ -0,0 +1,7 @@ +# d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +# v5.9-rc1~133^2~302^2~1 +table ip t { + chain c { + jump { counter; } + } +} 
diff --git a/tests/shell/features/comment.sh b/tests/shell/features/comment.sh
new file mode 100755
index 00000000..0ad24d04
--- /dev/null
+++ b/tests/shell/features/comment.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# 002f21765320 ("netfilter: nf_tables: add userdata attributes to nft_chain")
+# v5.10-rc1~107^2~60^2~5
+
+EXPECTED="table ip x {
+ chain y {
+ comment \"test\"
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+diff -u <($NFT list ruleset) - <<<"$EXPECTED"
diff --git a/tests/shell/features/ctexpect.nft b/tests/shell/features/ctexpect.nft
new file mode 100644
index 00000000..02c3dfd7
--- /dev/null
+++ b/tests/shell/features/ctexpect.nft
@@ -0,0 +1,10 @@
+# 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+# v5.3-rc1~140^2~153^2~19
+table t {
+ ct expectation ctexpect {
+ protocol tcp
+ dport 5432
+ timeout 1h
+ size 12;
+ }
+}
diff --git a/tests/shell/features/cttimeout.nft b/tests/shell/features/cttimeout.nft
new file mode 100644
index 00000000..4be58cd3
--- /dev/null
+++ b/tests/shell/features/cttimeout.nft
@@ -0,0 +1,8 @@
+# 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+# v4.19-rc1~140^2~64^2~3
+table t {
+ ct timeout cttime {
+ protocol tcp;
+ policy = {established: 120 }
+ }
+}
diff --git a/tests/shell/features/destroy.nft b/tests/shell/features/destroy.nft
new file mode 100644
index 00000000..b97242e4
--- /dev/null
+++ b/tests/shell/features/destroy.nft
@@ -0,0 +1,3 @@
+# f80a612dd77c ("netfilter: nf_tables: add support to destroy operation")
+# v6.3-rc1~162^2~264^2
+destroy table t
diff --git a/tests/shell/features/dynset_op_delete.nft b/tests/shell/features/dynset_op_delete.nft
new file mode 100644
index 00000000..125b4526
--- /dev/null
+++ b/tests/shell/features/dynset_op_delete.nft
@@ -0,0 +1,12 @@
+# d0a8d877da97 ("netfilter: nft_dynset: support for element deletion")
+# v5.4-rc1~131^2~59^2~4
+table ip x {
+ set s {
+ flags dynamic;
+ type inet_service;
+ }
+
+ chain y {
+ delete @s { tcp dport }
+ }
+}
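Review bot: comment.sh feeds the ruleset with `$NFT -f - <<< $EXPECTED` but compares with `<<<"$EXPECTED"` two lines later; the unquoted form relies on bash not word-splitting here-string words, which has differed between bash versions, so quoting both the same way, `$NFT -f - <<<"$EXPECTED"`, removes the doubt and the inconsistency. The same unquoted here-string appears in flowtable_counter.sh, netdev_chain_multidevice.sh, position_id.sh and set_expr.sh later in this diff. ShellCheck will also flag the unquoted `$NFT`; if splitting it is intentional (a wrapper command with arguments), a one-line comment saying so in each probe would keep that from being "fixed".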
diff --git a/tests/shell/features/elem_timeout_update.sh b/tests/shell/features/elem_timeout_update.sh new file mode 100755 index 00000000..6243170a --- /dev/null +++ b/tests/shell/features/elem_timeout_update.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +# 4201f3938914 ("netfilter: nf_tables: set element timeout update support") + +$NFT -f - <<EOF +table ip t { + set s { + typeof ip saddr + timeout 1m + elements = { 1.2.3.4 } + } +} +EOF + +$NFT add element t s { 1.2.3.4 expires 1ms } + +sleep 0.001 +$NFT get element t s { 1.2.3.4 } + +[ $? -eq 0 ] && exit 111 + +exit 0 diff --git a/tests/shell/features/flowtable_counter.sh b/tests/shell/features/flowtable_counter.sh new file mode 100755 index 00000000..a4c4c621 --- /dev/null +++ b/tests/shell/features/flowtable_counter.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +# 53c2b2899af7 ("netfilter: flowtable: add counter support") +# v5.7-rc1~146^2~12^2~16 + +EXPECTED="table ip filter2 { + flowtable main_ft2 { + hook ingress priority filter + devices = { lo } + counter + } +}" + +$NFT -f - <<< $EXPECTED + +diff -u <($NFT list ruleset) - <<<"$EXPECTED" diff --git a/tests/shell/features/flowtable_no_devices.nft b/tests/shell/features/flowtable_no_devices.nft new file mode 100755 index 00000000..30dd3db8 --- /dev/null +++ b/tests/shell/features/flowtable_no_devices.nft @@ -0,0 +1,8 @@ +# 05abe4456fa3 ("netfilter: nf_tables: allow to register flowtable with no devices") +# v5.8-rc1~165^2~27^2~1 +table ip filter2 { + flowtable main_ft2 { + hook ingress priority filter + counter + } +} diff --git a/tests/shell/features/inet_ingress.nft b/tests/shell/features/inet_ingress.nft new file mode 100644 index 00000000..944a5c77 --- /dev/null +++ b/tests/shell/features/inet_ingress.nft @@ -0,0 +1,7 @@ +# d3519cb89f6d ("netfilter: nf_tables: add inet ingress support") +# v5.10-rc1~107^2~17^2~1 +table inet t { + chain c { + type filter hook ingress device "lo" priority filter; policy accept; + } +} 
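Review bot: elem_timeout_update.sh decides "unsupported" from `[ $? -eq 0 ] && exit 111` on the line after `$NFT get element`, which is fragile if another command is ever inserted between them; `if $NFT get element t s { 1.2.3.4 }; then exit 111; fi` ties the test to the command it checks. The probe also assumes that an element given `expires 1ms` is gone from `get element` right after `sleep 0.001`; if expired elements are only reaped lazily this could report the feature as missing, so a comment stating that assumption, e.g. `# assumes an expired element is no longer returned by get element`, would help whoever debugs a flaky result.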
diff --git a/tests/shell/features/inet_nat.nft b/tests/shell/features/inet_nat.nft new file mode 100644 index 00000000..189ea1d0 --- /dev/null +++ b/tests/shell/features/inet_nat.nft @@ -0,0 +1,7 @@ +# v5.2-rc1~133^2~174^2~15 +# d164385ec572 ("netfilter: nat: add inet family nat support") +table inet x { + chain y { + type nat hook prerouting priority dstnat; + } +} diff --git a/tests/shell/features/inner_matching.nft b/tests/shell/features/inner_matching.nft new file mode 100644 index 00000000..6c86fd35 --- /dev/null +++ b/tests/shell/features/inner_matching.nft @@ -0,0 +1,7 @@ +# 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching") +# v6.2-rc1~99^2~350^2~4 +table ip t { + chain c { + udp dport 4789 vxlan ip saddr 1.2.3.4 + } +} diff --git a/tests/shell/features/ip_options.nft b/tests/shell/features/ip_options.nft new file mode 100644 index 00000000..0b8cb09c --- /dev/null +++ b/tests/shell/features/ip_options.nft @@ -0,0 +1,8 @@ +# dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") +# v5.3-rc1~140^2~153^2~1 + +table ip x { + chain y { + ip option ra value 255 + } +} diff --git a/tests/shell/features/ipsec.nft b/tests/shell/features/ipsec.nft new file mode 100644 index 00000000..e7252271 --- /dev/null +++ b/tests/shell/features/ipsec.nft @@ -0,0 +1,7 @@ +# 6c47260250fc ("netfilter: nf_tables: add xfrm expression") +# v4.20-rc1~14^2~125^2~25 +table ip x { + chain y { + ipsec in reqid 23 + } +} diff --git a/tests/shell/features/json.sh b/tests/shell/features/json.sh new file mode 100755 index 00000000..d8115702 --- /dev/null +++ b/tests/shell/features/json.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +# Detect JSON support. Note that $NFT may not be the binary from our build +# tree, hence we detect it by running the binary (instead of asking the build +# configuration). +$NFT -j list ruleset diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft new file mode 100644 index 00000000..06c4c9d9 
--- /dev/null +++ b/tests/shell/features/map_lookup.nft @@ -0,0 +1,11 @@ +# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks") +# v6.5-rc1~163^2~256^2~8 +table ip t { + map m { + typeof ip daddr : meta mark + } + + chain c { + ip saddr @m + } +} diff --git a/tests/shell/features/meta_time.nft b/tests/shell/features/meta_time.nft new file mode 100644 index 00000000..34550de4 --- /dev/null +++ b/tests/shell/features/meta_time.nft @@ -0,0 +1,7 @@ +# 63d10e12b00d ("netfilter: nft_meta: support for time matching") +# v5.4-rc1~131^2~59^2~6 +table ip t { + chain c { + meta time "1970-05-23 21:07:14" + } +} diff --git a/tests/shell/features/netdev_chain_multidevice.sh b/tests/shell/features/netdev_chain_multidevice.sh new file mode 100755 index 00000000..d2a56d6d --- /dev/null +++ b/tests/shell/features/netdev_chain_multidevice.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# d54725cd11a5 ("netfilter: nf_tables: support for multiple devices per netdev hook") +# v5.5-rc1~174^2~312^2~4 + +trap "ip link del d0; ip link del d1" EXIT + +ip link add d0 type dummy +ip link add d1 type dummy + +EXPECTED="table netdev filter2 { + chain Main_Ingress2 { + type filter hook ingress devices = { \"d0\", \"d1\" } priority -500; policy accept; + } +}" + +$NFT -f - <<< $EXPECTED diff --git a/tests/shell/features/netdev_chain_without_device.nft b/tests/shell/features/netdev_chain_without_device.nft new file mode 100644 index 00000000..25eb200f --- /dev/null +++ b/tests/shell/features/netdev_chain_without_device.nft @@ -0,0 +1,7 @@ +# 207296f1a03b ("netfilter: nf_tables: allow to create netdev chain without device") +# v6.4-rc1~132^2~14^2 +table netdev t { + chain c { + type filter hook ingress priority 0; policy accept; + } +} diff --git a/tests/shell/features/netdev_egress.nft b/tests/shell/features/netdev_egress.nft new file mode 100644 index 00000000..67d706d8 --- /dev/null +++ b/tests/shell/features/netdev_egress.nft 
@@ -0,0 +1,7 @@ +# 42df6e1d221d ("netfilter: Introduce egress hook") +# v5.16-rc1~159^2~167^2~10 +table netdev t { + chain c { + type filter hook egress devices = { lo } priority 0; policy accept; + } +} diff --git a/tests/shell/features/netmap.nft b/tests/shell/features/netmap.nft new file mode 100644 index 00000000..2580a8dc --- /dev/null +++ b/tests/shell/features/netmap.nft @@ -0,0 +1,8 @@ +# 3ff7ddb1353d ("netfilter: nft_nat: add netmap support") +# v5.8-rc1~165^2~393^2 +table ip x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } + } +} diff --git a/tests/shell/features/osf.nft b/tests/shell/features/osf.nft new file mode 100644 index 00000000..dbb6b4c3 --- /dev/null +++ b/tests/shell/features/osf.nft @@ -0,0 +1,7 @@ +# b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") +# v4.19-rc1~140^2~135^2~15 +table t { + chain c { + osf name "Linux" + } +} diff --git a/tests/shell/features/pipapo.nft b/tests/shell/features/pipapo.nft new file mode 100644 index 00000000..3557721e --- /dev/null +++ b/tests/shell/features/pipapo.nft @@ -0,0 +1,9 @@ +# 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +# v5.6-rc1~151^2~28^2~1 +table t { + set s { + type ipv4_addr . inet_service + flags interval + elements = { 1.1.1.1-2.2.2.2 . 80-90 } + } +} diff --git a/tests/shell/features/position_id.sh b/tests/shell/features/position_id.sh new file mode 100755 index 00000000..43ac97ac --- /dev/null +++ b/tests/shell/features/position_id.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash + +# 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule") +# v5.1-rc1~178^2~405^2~27 + +EXPECTED="table inet t { + chain c { + tcp dport 1234 accept + udp dport 4321 accept + accept + } +}" + +RULESET="add table inet t +add chain inet t c +add rule inet t c tcp dport 1234 accept +add rule inet t c accept +insert rule inet t c index 1 udp dport 4321 accept +" + +$NFT -f - <<< $RULESET + +diff -u <($NFT list ruleset) - <<<"$EXPECTED" diff --git a/tests/shell/features/prerouting_reject.nft b/tests/shell/features/prerouting_reject.nft new file mode 100644 index 00000000..3dcfb40e --- /dev/null +++ b/tests/shell/features/prerouting_reject.nft @@ -0,0 +1,8 @@ +# f53b9b0bdc59 netfilter: introduce support for reject at prerouting stage +# v5.9-rc1~133^2~302^2~11 +table inet t { + chain nat_filter { + type filter hook prerouting priority 0; policy accept; + reject with icmpx type host-unreachable + } +} diff --git a/tests/shell/features/rbtree_size_limit.nft b/tests/shell/features/rbtree_size_limit.nft new file mode 100644 index 00000000..7eb44fac --- /dev/null +++ b/tests/shell/features/rbtree_size_limit.nft @@ -0,0 +1,10 @@ +# 8d738c1869f6 ("netfilter: nf_tables: fix set size with rbtree backend") +# v6.14-rc1~162^2~7^2~13 +table inet x { + set y { + typeof ip saddr + flags interval + size 1 + elements = { 10.1.1.0/24 } + } +} diff --git a/tests/shell/features/reset_rule.sh b/tests/shell/features/reset_rule.sh new file mode 100755 index 00000000..567ee2f1 --- /dev/null +++ b/tests/shell/features/reset_rule.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# 8daa8fde3fc3 ("netfilter: nf_tables: Introduce NFT_MSG_GETRULE_RESET") +# v6.2-rc1~99^2~210^2~2 + +unshare -n bash -c "$NFT \"add table t; add chain t c ; add rule t c counter packets 1 bytes 42\"; \ +$NFT reset rules chain t c ; \ +$NFT reset rules chain t c |grep counter\ packets\ 0\ bytes\ 0" 
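Review bot: reset_rule.sh matches the reset output with `grep counter\ packets\ 0\ bytes\ 0` inside an already double-quoted `bash -c` string, so the reader has to work out two levels of quoting to see the pattern; `grep -F 'counter packets 0 bytes 0'` inside the string is equivalent and readable. The outer `$NFT` is expanded by the parent shell and re-parsed by the inner bash, which works as long as the value has no quoting of its own — worth a one-line comment. reset_set.sh in the next hunk uses the same construction.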
diff --git a/tests/shell/features/reset_set.sh b/tests/shell/features/reset_set.sh new file mode 100755 index 00000000..3d034175 --- /dev/null +++ b/tests/shell/features/reset_set.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +# 079cd633219d ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET") +# v6.5-rc1~163^2~9^2~1 + +unshare -n bash -c "$NFT add table t; \ + $NFT add set t s { type ipv4_addr\; counter\; elements = { 127.0.0.1 counter packets 1 bytes 2 } } ; \ + $NFT reset set t s ; \ + $NFT reset set t s | grep counter\ packets\ 0\ bytes\ 0 +" diff --git a/tests/shell/features/reset_tcp_options.nft b/tests/shell/features/reset_tcp_options.nft new file mode 100644 index 00000000..47d1c7b8 --- /dev/null +++ b/tests/shell/features/reset_tcp_options.nft @@ -0,0 +1,5 @@ +table inet t { + chain c { + reset tcp option fastopen + } +} diff --git a/tests/shell/features/sctp_chunks.nft b/tests/shell/features/sctp_chunks.nft new file mode 100644 index 00000000..520afd64 --- /dev/null +++ b/tests/shell/features/sctp_chunks.nft @@ -0,0 +1,7 @@ +# 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks") +# v5.14-rc1~119^2~373^2~15 +table ip t { + chain c { + sctp chunk init 0 + } +} diff --git a/tests/shell/features/secmark.nft b/tests/shell/features/secmark.nft new file mode 100644 index 00000000..ccbb572f --- /dev/null +++ b/tests/shell/features/secmark.nft @@ -0,0 +1,7 @@ +# fb961945457f ("netfilter: nf_tables: add SECMARK support") +# v4.20-rc1~14^2~125^2~5 +table inet x { + secmark ssh_server { + "system_u:object_r:ssh_server_packet_t:s0" + } +} diff --git a/tests/shell/features/set_expr.sh b/tests/shell/features/set_expr.sh new file mode 100755 index 00000000..fbdfc228 --- /dev/null +++ b/tests/shell/features/set_expr.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash + +# 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition") +# v5.7-rc1~146^2~12^2~25 + +# NFT_SET_EXPR to detect kernel feature only available since +# b4e70d8dd9ea ("netfilter: nftables: add set expression flags") +# v5.11-rc3~39^2^2 + +EXPECTED="table ip x { + set y { + typeof ip saddr + counter + } +}" + +$NFT -f - <<< $EXPECTED + +diff -u <($NFT list ruleset) - <<<"$EXPECTED" diff --git a/tests/shell/features/set_with_two_expressions.nft b/tests/shell/features/set_with_two_expressions.nft new file mode 100644 index 00000000..97632a7a --- /dev/null +++ b/tests/shell/features/set_with_two_expressions.nft @@ -0,0 +1,9 @@ +# 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions") +# v5.11-rc1~169^2~25^2 +table x { + set y { + type ipv4_addr + size 65535 + counter quota 500 bytes + } +} diff --git a/tests/shell/features/setelem_expiration.sh b/tests/shell/features/setelem_expiration.sh new file mode 100755 index 00000000..c539ceba --- /dev/null +++ b/tests/shell/features/setelem_expiration.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +# v5.3-rc1~140^2~153^2~8 +# 79ebb5bb4e38 ("netfilter: nf_tables: enable set expiration time for set elements") + +RULESET="table ip x { + set y { + type ipv4_addr + flags dynamic + timeout 1h + } +}" + +$NFT -f - <<< $RULESET + +$NFT add element ip x y { 1.1.1.1 timeout 1h expires 15m59s } + +$NFT list ruleset | grep "expires 15m" diff --git a/tests/shell/features/socat.sh b/tests/shell/features/socat.sh new file mode 100755 index 00000000..93cad6f2 --- /dev/null +++ b/tests/shell/features/socat.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +# check whether socat is installed +socat -h >/dev/null 2>&1 diff --git a/tests/shell/features/stateful_object_update.sh b/tests/shell/features/stateful_object_update.sh new file mode 100755 index 00000000..62fbf7e3 --- /dev/null +++ b/tests/shell/features/stateful_object_update.sh 
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object update operation")
+# v5.4-rc1~131^2~59^2~2
+
+set -e
+$NFT add table test-ip
+$NFT add quota test-ip traffic-quota 25 mbytes
+$NFT add quota test-ip traffic-quota 50 mbytes
+
+EXPECTED="table ip test-ip {
+ quota traffic-quota {
+ 50 mbytes
+ }
+}"
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ diff -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
diff --git a/tests/shell/features/synproxy.nft b/tests/shell/features/synproxy.nft
new file mode 100644
index 00000000..bea4f920
--- /dev/null
+++ b/tests/shell/features/synproxy.nft
@@ -0,0 +1,9 @@
+# v5.3-rc1~140^2~44^2~10
+# ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
+table inet x {
+ synproxy https-synproxy {
+ mss 1460
+ wscale 7
+ timestamp sack-perm
+ }
+}
diff --git a/tests/shell/features/table_flag_owner.nft b/tests/shell/features/table_flag_owner.nft
new file mode 100644
index 00000000..aef122a0
--- /dev/null
+++ b/tests/shell/features/table_flag_owner.nft
@@ -0,0 +1,5 @@
+# 6001a930ce03 ("netfilter: nftables: introduce table ownership")
+# v5.12-rc1~200^2~6^2
+table t {
+ flags owner;
+}
diff --git a/tests/shell/features/table_flag_persist.nft b/tests/shell/features/table_flag_persist.nft
new file mode 100644
index 00000000..0da3e6d4
--- /dev/null
+++ b/tests/shell/features/table_flag_persist.nft
@@ -0,0 +1,3 @@
+table t {
+ flags persist;
+}
diff --git a/tests/shell/helpers/json-diff-pretty.sh b/tests/shell/helpers/json-diff-pretty.sh
new file mode 100755
index 00000000..bebb7e8e
--- /dev/null
+++ b/tests/shell/helpers/json-diff-pretty.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+BASEDIR="$(dirname "$0")"
+
+[ $# -eq 2 ] || (echo "$0: expects two JSON files as arguments" ; exit 1)
+
+FILE1="$1"
+FILE2="$2"
+
+pretty()
+{
+ "$BASEDIR/json-pretty.sh" < "$1" 2>&1 || :
+}
+
+echo "Cmd: \"$0\" \"$FILE1\" \"$FILE2\""
+diff -u "$FILE1" "$FILE2" 2>&1 || :
+diff -u <(pretty "$FILE1") <(pretty "$FILE2") 2>&1 || :
diff --git a/tests/shell/helpers/json-pretty.sh b/tests/shell/helpers/json-pretty.sh
new file mode 100755
index 00000000..5407a842
--- /dev/null
+++ b/tests/shell/helpers/json-pretty.sh
@@ -0,0 +1,30 @@
+#!/bin/bash -e
+
+exec_pretty() {
+ # The output of this command must be stable (and `jq` and python
+ # fallback must generate the same output.
+
+ if command -v jq &>/dev/null ; then
+ # If we have, use `jq`
+ exec jq
+ fi
+
+ # Fallback to python.
+ exec python -c '
+import json
+import sys
+
+parsed = json.load(sys.stdin)
+print(json.dumps(parsed, indent=2))
+'
+}
+
+[ "$#" -le 1 ] || { echo "At most one argument supported" ; exit 1 ; }
+
+if [ "$#" -eq 1 ] ; then
+ # One argument passed. This must be a JSON file.
+ [ -f "$1" ] || { echo "File \"$1\" does not exist" ; exit 1 ; }
+ exec_pretty < "$1"
+fi
+
+exec_pretty
diff --git a/tests/shell/helpers/json-sanitize-ruleset.sh b/tests/shell/helpers/json-sanitize-ruleset.sh
new file mode 100755
index 00000000..31b85cbd
--- /dev/null
+++ b/tests/shell/helpers/json-sanitize-ruleset.sh
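Review bot: In json-diff-pretty.sh the argument check `[ $# -eq 2 ] || (echo "$0: expects two JSON files as arguments" ; exit 1)` exits only the subshell; the script then continues into the `diff` lines with an empty `FILE2` unless `-e` is in effect, and `-e` comes solely from the `#!/bin/bash -e` shebang, which is not applied when the helper is started as `bash json-diff-pretty.sh`. A brace group exits the script itself regardless of `-e`, and the diagnostic belongs on stderr: `[ $# -eq 2 ] || { echo "$0: expects two JSON files as arguments" >&2 ; exit 1 ; }`. The same brace-group form is already used for the checks in json-pretty.sh in this chunk.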
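Review bot: The comment at the top of exec_pretty() in json-pretty.sh requires the jq and python paths to produce identical output, but `json.dumps(parsed, indent=2)` escapes every non-ASCII character (its `ensure_ascii` parameter defaults to True) whereas jq emits them as UTF-8, so a ruleset that contains a non-ASCII string pretty-prints differently depending on which tool happens to be installed, and a dump comparison built on this output could fail only on hosts without jq. Passing `ensure_ascii=False` removes that difference: `print(json.dumps(parsed, indent=2, ensure_ascii=False))`. The fallback also execs `python`, which many current distributions no longer provide under that name; trying `python3` first, and only then `python`, would make the fallback reachable where it is needed most. The unclosed parenthesis in that comment ("(and `jq` and python fallback must generate the same output.") should be closed while you are there.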
@@ -0,0 +1,30 @@
+#!/bin/bash -e
+
+die() {
+ printf "%s\n" "$*"
+ exit 1
+}
+
+do_sed() {
+ # Normalize the "version"/"release_name", otherwise we have to
+ # regenerate the JSON output upon new release.
+ #
+ # Also, "handle" are not stable. Normalize them 0.
+ sed \
+ -e '1s/^\({"nftables": \[{"metainfo": {"version": "\)[0-9.]\+\(", "release_name": "\)[^"]\+\(", "\)/\1VERSION\2RELEASE_NAME\3/' \
+ -e '1s/"handle": [0-9]\+\>/"handle": 0/g' \
+ "$@"
+}
+
+if [ "$#" = 0 ] ; then
+ do_sed
+ exit $?
+fi
+
+for f ; do
+ test -f "$f" || die "$0: file \"$f\" does not exist"
+done
+
+for f ; do
+ do_sed -i "$f" || die "$0: \`sed -i\` failed for \"$f\""
+done
diff --git a/tests/shell/helpers/nft-valgrind-wrapper.sh b/tests/shell/helpers/nft-valgrind-wrapper.sh
new file mode 100755
index 00000000..98bbdf43
--- /dev/null
+++ b/tests/shell/helpers/nft-valgrind-wrapper.sh
@@ -0,0 +1,31 @@
+#!/bin/bash -e
+
+SUFFIX="$(date "+%H%M%S.%6N").$$"
+
+rc=0
+libtool \
+ --mode=execute \
+ valgrind \
+ --log-file="$NFT_TEST_TESTTMPDIR/valgrind.$SUFFIX.%p.log" \
+ --trace-children=yes \
+ --leak-check=full \
+ --show-leak-kinds=all \
+ --num-callers=100 \
+ --error-exitcode=122 \
+ --vgdb-prefix="$_NFT_TEST_VALGRIND_VGDB_PREFIX-$SUFFIX" \
+ $NFT_TEST_VALGRIND_OPTS \
+ "$NFT_REAL" \
+ "$@" \
+ || rc=$?
+
+if [ "$rc" -eq 122 ] ; then
+ shopt -s nullglob
+ FILES=( "$NFT_TEST_TESTTMPDIR/valgrind.$SUFFIX."*".log" )
+ shopt -u nullglob
+ (
+ printf '%s\n' "args: $*"
+ printf '%s\n' "${FILES[*]}"
+ ) >> "$NFT_TEST_TESTTMPDIR/rc-failed-valgrind"
+fi
+
+exit $rc
diff --git a/tests/shell/helpers/random-source.sh b/tests/shell/helpers/random-source.sh
new file mode 100755
index 00000000..91a8248b
--- /dev/null
+++ b/tests/shell/helpers/random-source.sh
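Review bot: `die()` in json-sanitize-ruleset.sh writes its diagnostic to stdout, so in the in-place mode (`do_sed -i "$f"`) a "file does not exist" or "sed -i failed" message lands wherever the caller sends normal output rather than on stderr; `printf "%s\n" "$*" >&2` fixes that. Both sed expressions are anchored to line 1 (`1s/.../`), which only normalizes "handle" values on single-line JSON as produced by `nft -j`; if pretty-printed JSON is ever fed through this helper, handles on later lines survive unchanged, so a comment such as `# Input must be the single-line output of nft -j; both substitutions only touch line 1.` above the `sed` call would document that assumption.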
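Review bot: In nft-valgrind-wrapper.sh, `$NFT_TEST_VALGRIND_OPTS` is deliberately left unquoted so that it splits into several valgrind arguments; that is the intended behaviour, but it is the one unquoted expansion in the command and ShellCheck will flag it (SC2086), so mark the intent on the line above it: `# shellcheck disable=SC2086 -- intentionally word-split into separate valgrind options`. The `[ "$rc" -eq 122 ]` check then treats any 122 status as a valgrind finding, which is correct as long as the wrapped command never exits with 122 itself; if it can, the log glob `valgrind.$SUFFIX.*.log` being empty (`FILES` has zero entries after `nullglob`) would be the signal to distinguish the two cases, and is worth a comment.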
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Commands like `sort` and `shuf` have a "--random-source" argument, for
+# generating a stable, reproducible output. However, they require an input
+# that provides sufficiently many bytes (depending on the input).
+#
+# This script generates a stream that can be used like
+#
+# shuf --random-source=<($0 "$seed")
+
+seed=""
+for a; do
+ seed="$seed${#a}:$a\n"
+done
+
+if command -v openssl &>/dev/null ; then
+ # We have openssl. Use it.
+ # https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html#Random-sources
+ #
+ # Note that we don't care that different installations/architectures generate the
+ # same output.
+ openssl enc -aes-256-ctr -pass "pass:$seed" -nosalt </dev/zero 2>/dev/null
+else
+ # Hack something. It's much slower.
+ idx=0
+ while : ; do
+ idx="$((idx++))"
+ seed="$(sha256sum <<<"$idx.$seed")"
+ echo ">>>$seed" >> a
+ seed="${seed%% *}"
+ LANG=C awk -v s="$seed" 'BEGIN{
+ for (i=1; i <= length(s); i+=2) {
+ xchar = substr(s, i, 2);
+ decnum = strtonum("0x"xchar);
+ printf("%c", decnum);
+ }
+ }' || break
+ done
+fi
+exit 0
diff --git a/tests/shell/helpers/test-wrapper.sh b/tests/shell/helpers/test-wrapper.sh
new file mode 100755
index 00000000..c016e0ce
--- /dev/null
+++ b/tests/shell/helpers/test-wrapper.sh
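Review bot: The non-openssl fallback loop in random-source.sh contains a debugging leftover: `echo ">>>$seed" >> a` appends every iteration's digest to a file literally named `a` in the caller's current directory, and since the loop only ends when the consumer closes the pipe and awk fails, that file grows for as long as the reader keeps reading and is never removed. It should simply be deleted. Two lines above it, `idx="$((idx++))"` assigns the pre-increment value back, so `idx` stays 0 forever; the stream still changes each round because `seed` is replaced by the previous digest, but the counter is then dead weight and should either go or be written as `idx=$((idx + 1))`. `strtonum()` is a gawk extension, so the fallback presumably assumes gawk; a one-line comment saying so would save the next reader a surprise on a non-GNU awk.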
@@ -0,0 +1,328 @@ +#!/bin/bash -e + +# This wrapper wraps the invocation of the test. It is called by run-tests.sh, +# and already in the unshared namespace. +# +# For some printf debugging, you can also patch this file. + +array_contains() { + local needle="$1" + local a + shift + for a; do + [ "$a" = "$needle" ] && return 0 + done + return 1 +} + +show_file() { + local filename="$1" + shift + local msg="$*" + + printf '%s\n>>>>\n' "$msg" + cat "$filename" + printf "<<<<\n" +} + +json_pretty() { + "$NFT_TEST_BASEDIR/helpers/json-pretty.sh" "$@" 2>&1 || : +} + +TEST="$1" +TESTBASE="$(basename "$TEST")" +TESTDIR="$(dirname "$TEST")" + +START_TIME="$(cut -d ' ' -f1 /proc/uptime)" + +export TMPDIR="$NFT_TEST_TESTTMPDIR" + +CLEANUP_UMOUNT_VAR_RUN=n + +cleanup() { + if [ "$CLEANUP_UMOUNT_VAR_RUN" = y ] ; then + umount "/var/run" &>/dev/null || : + fi +} + +trap cleanup EXIT + +printf '%s\n' "$TEST" > "$NFT_TEST_TESTTMPDIR/name" + +read tainted_before < /proc/sys/kernel/tainted + +if [ "$NFT_TEST_HAS_UNSHARED_MOUNT" = y ] ; then + # We have a private mount namespace. We will mount /var/run/ as a tmpfs. + # + # The main purpose is so that we can create /var/run/netns, which is + # required for `ip netns add` to work. When running as rootless, this + # is necessary to get such tests to pass. When running rootful, it's + # still useful to not touch the "real" /var/run/netns of the system. + # + # Note that this also hides everything that might reside in /var/run. + # That is desirable, as tests should not depend on content there (or if + # they do, we need to explicitly handle it as appropriate). 
+ if mount -t tmpfs --make-private tmpfs "/var/run" ; then + CLEANUP_UMOUNT_VAR_RUN=y + fi + mkdir -p /var/run/netns +fi + +TEST_TAGS_PARSED=0 +ensure_TEST_TAGS() { + if [ "$TEST_TAGS_PARSED" = 0 ] ; then + TEST_TAGS_PARSED=1 + TEST_TAGS=( $(sed -n '1,10 { s/^.*\<\(NFT_TEST_REQUIRES\|NFT_TEST_SKIP\)\>\s*(\s*\(NFT_TEST_SKIP_[a-zA-Z0-9_]\+\|NFT_TEST_HAVE_[a-zA-Z0-9_]\+\)\s*).*$/\1(\2)/p }' "$1" 2>/dev/null || : ) ) + fi +} + +rc_test=0 + +if [ "$rc_test" -eq 0 ] ; then + for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_') ; do + if [ "${!KEY}" != n ]; then + continue + fi + ensure_TEST_TAGS "$TEST" + if array_contains "NFT_TEST_REQUIRES($KEY)" "${TEST_TAGS[@]}" ; then + echo "Test skipped due to $KEY=n (test has \"NFT_TEST_REQUIRES($KEY)\" tag)" >> "$NFT_TEST_TESTTMPDIR/testout.log" + rc_test=77 + break + fi + done +fi + +if [ "$rc_test" -eq 0 ] ; then + for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_') ; do + if [ "${!KEY}" != y ]; then + continue + fi + ensure_TEST_TAGS "$TEST" + if array_contains "NFT_TEST_SKIP($KEY)" "${TEST_TAGS[@]}" ; then + echo "Test skipped due to $KEY=y (test has \"NFT_TEST_SKIP($KEY)\" tag)" >> "$NFT_TEST_TESTTMPDIR/testout.log" + rc_test=77 + break + fi + done +fi + +if [ "$rc_test" -eq 0 ] ; then + CMD=( "$TEST" ) + if [ "$NFT_TEST_VERBOSE_TEST" = y ] ; then + X="$(sed -n '1 s/^#!\(\/bin\/bash\>.*$\)/\1/p' "$TEST" 2>/dev/null)" + if [ -n "$X" ] ; then + # Note that kernel parses the shebang differently and does not + # word splitting for the arguments. We do split the arguments here + # which would matter if there are spaces. For our tests, there + # are either no arguments or only one argument without space. So + # this is good enough. + CMD=( $X -x "$TEST" ) + fi + fi + printf "Command: $(printf '%q ' "${CMD[@]}")\n" &>> "$NFT_TEST_TESTTMPDIR/testout.log" + "${CMD[@]}" &>> "$NFT_TEST_TESTTMPDIR/testout.log" || rc_test=$? 
+fi + +rc_chkdump=0 +rc=0 +$NFT list ruleset > "$NFT_TEST_TESTTMPDIR/ruleset-after" 2> "$NFT_TEST_TESTTMPDIR/chkdump" || rc=$? +if [ "$rc" -ne 0 -o -s "$NFT_TEST_TESTTMPDIR/chkdump" ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT list ruleset\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 +fi +if [ "$NFT_TEST_HAVE_json" != n ] ; then + rc=0 + $NFT -j list ruleset > "$NFT_TEST_TESTTMPDIR/ruleset-after.json" 2> "$NFT_TEST_TESTTMPDIR/chkdump" || rc=$? + + # Workaround known bug in stmt_print_json(), due to + # "chain_stmt_ops.json" being NULL. This spams stderr. + sed -i '/^warning: stmt ops chain have no json callback$/d' "$NFT_TEST_TESTTMPDIR/chkdump" + + if [ "$rc" -ne 0 -o -s "$NFT_TEST_TESTTMPDIR/chkdump" ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT -j list ruleset\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 + fi + # JSON output needs normalization/sanitization, otherwise it's not stable. + "$NFT_TEST_BASEDIR/helpers/json-sanitize-ruleset.sh" "$NFT_TEST_TESTTMPDIR/ruleset-after.json" + json_pretty "$NFT_TEST_TESTTMPDIR/ruleset-after.json" > "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" +fi + +read tainted_after < /proc/sys/kernel/tainted + +DUMPPATH="$TESTDIR/dumps" +DUMPFILE="$DUMPPATH/$TESTBASE.nft" +JDUMPFILE="$DUMPPATH/$TESTBASE.json-nft" +NODUMPFILE="$DUMPPATH/$TESTBASE.nodump" + +# The caller can request a re-geneating of the .nft, .nodump, .json-nft dump files +# by setting DUMPGEN=y. In that case, only the existing files will be regenerated +# (unless all three files are missing, in which case all of them are generated). +# +# By setting DUMPGEN=all, all 3 files are always regenerated. +dump_written=n +if [ "$rc_test" -eq 0 -a '(' "$DUMPGEN" = all -o "$DUMPGEN" = y ')' ] ; then + dump_written=y + if [ ! 
-d "$DUMPPATH" ] ; then + mkdir "$DUMPPATH" + fi + if [ "$DUMPGEN" = all ] ; then + gen_nodumpfile=y + gen_dumpfile=y + gen_jdumpfile=y + else + # by default, only regenerate the files that we already have on disk. + gen_nodumpfile=n + gen_dumpfile=n + gen_jdumpfile=n + test -f "$DUMPFILE" && gen_dumpfile=y + test -f "$JDUMPFILE" && gen_jdumpfile=y + test -f "$NODUMPFILE" && gen_nodumpfile=y + if [ "$gen_dumpfile" != y -a "$gen_jdumpfile" != y -a "$gen_nodumpfile" != y ] ; then + # Except, if no files exist. Them generate all files. + gen_dumpfile=y + gen_jdumpfile=y + gen_nodumpfile=y + fi + fi + if [ "$gen_nodumpfile" = y ] ; then + : > "$NODUMPFILE" + fi + if [ "$gen_dumpfile" = y ] ; then + cat "$NFT_TEST_TESTTMPDIR/ruleset-after" > "$DUMPFILE" + fi + if [ "$NFT_TEST_HAVE_json" != n -a "$gen_jdumpfile" = y ] ; then + cat "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" > "$JDUMPFILE" + fi +fi + +rc_dump=0 +if [ "$rc_test" -ne 77 -a "$dump_written" != y ] ; then + if [ -f "$DUMPFILE" ] ; then + if ! $DIFF -u "$DUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after" &> "$NFT_TEST_TESTTMPDIR/ruleset-diff" ; then + show_file "$NFT_TEST_TESTTMPDIR/ruleset-diff" "Failed \`$DIFF -u \"$DUMPFILE\" \"$NFT_TEST_TESTTMPDIR/ruleset-after\"\`" >> "$NFT_TEST_TESTTMPDIR/rc-failed-dump" + rc_dump=1 + else + rm -f "$NFT_TEST_TESTTMPDIR/ruleset-diff" + fi + fi + if [ "$NFT_TEST_HAVE_json" != n -a -f "$JDUMPFILE" ] ; then + if ! $DIFF -u "$JDUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" &> "$NFT_TEST_TESTTMPDIR/ruleset-diff.json" ; then + show_file "$NFT_TEST_TESTTMPDIR/ruleset-diff.json" "Failed \`$DIFF -u \"$JDUMPFILE\" \"$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty\"\`" >> "$NFT_TEST_TESTTMPDIR/rc-failed-dump" + rc_dump=1 + else + rm -f "$NFT_TEST_TESTTMPDIR/ruleset-diff.json" + fi + fi +fi + +# check that a flush after the test succeeds. We anyway need a clean ruleset +# for the `nft --check` next. 
+rc=0 +$NFT flush ruleset &> "$NFT_TEST_TESTTMPDIR/chkdump" || rc=1 +if [ "$rc" = 1 -o -s "$NFT_TEST_TESTTMPDIR/chkdump" ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT flush ruleset\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 +fi +# Check that `nft [-j] list ruleset | nft [-j] --check -f -` works. +fail=n +$NFT --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after" &> "$NFT_TEST_TESTTMPDIR/chkdump" || fail=y +test -s "$NFT_TEST_TESTTMPDIR/chkdump" && fail=y +if [ "$fail" = y ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT --check -f \"$NFT_TEST_TESTTMPDIR/ruleset-after\"\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 +fi +if [ -f "$DUMPFILE" ] && ! cmp "$DUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after" &>/dev/null ; then + # Also check the $DUMPFILE to hit possibly new code paths. This + # is useful to see crashes and with ASAN/valgrind. + $NFT --check -f "$DUMPFILE" &>/dev/null || : +fi +if [ "$NFT_TEST_HAVE_json" != n ] ; then + if [ ! -f "$JDUMPFILE" ] ; then + # Optimally, `nft -j list ruleset | nft -j --check -f -` never + # fails. However, there are known issues where this doesn't + # work, and we cannot assert hard against that. It's those + # tests that don't have a .json-nft file. + # + # This should be fixed, every test should have a .json-nft + # file, and this workaround removed. 
+ $NFT -j --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after.json" &>/dev/null || : + $NFT -j --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" &>/dev/null || : + else + fail=n + $NFT -j --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after.json" &> "$NFT_TEST_TESTTMPDIR/chkdump" || fail=y + test -s "$NFT_TEST_TESTTMPDIR/chkdump" && fail=y + if [ "$fail" = y ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT -j --check -f \"$NFT_TEST_TESTTMPDIR/ruleset-after.json\"\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 + fi + fail=n + $NFT -j --check -f "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" &> "$NFT_TEST_TESTTMPDIR/chkdump" || fail=y + test -s "$NFT_TEST_TESTTMPDIR/chkdump" && fail=y + if [ "$fail" = y ] ; then + show_file "$NFT_TEST_TESTTMPDIR/chkdump" "Command \`$NFT -j --check -f \"$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty\"\` failed" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" + rc_chkdump=1 + fi + fi + if [ -f "$JDUMPFILE" ] \ + && ! cmp "$JDUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after.json" &>/dev/null \ + && ! cmp "$JDUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after.json-pretty" &>/dev/null ; \ + then + $NFT -j --check -f "$JDUMPFILE" &>/dev/null || : + fi +fi +rm -f "$NFT_TEST_TESTTMPDIR/chkdump" + +rc_valgrind=0 +[ -f "$NFT_TEST_TESTTMPDIR/rc-failed-valgrind" ] && rc_valgrind=1 + +rc_tainted=0 +if [ "$tainted_before" != "$tainted_after" ] ; then + echo "$tainted_after" > "$NFT_TEST_TESTTMPDIR/rc-failed-tainted" + rc_tainted=1 +fi + +if [ "$rc_valgrind" -ne 0 ] ; then + rc_exit=122 +elif [ "$rc_tainted" -ne 0 ] ; then + rc_exit=123 +elif [ "$rc_test" -ge 118 -a "$rc_test" -le 124 ] ; then + # Special exit codes are reserved. Coerce them. 
+ rc_exit=125 +elif [ "$rc_test" -ne 0 ] ; then + rc_exit="$rc_test" +elif [ "$rc_dump" -ne 0 ] ; then + rc_exit=124 +elif [ "$rc_chkdump" -ne 0 ] ; then + rc_exit=121 +else + rc_exit=0 +fi + + +# We always write the real exit code of the test ($rc_test) to one of the files +# rc-{ok,skipped,failed}, depending on which it is. +# +# Note that there might be other rc-failed-{dump,tainted,valgrind} files with +# additional errors. Note that if such files exist, the overall state will +# always be failed too (and an "rc-failed" file exists). +# +# On failure, we also write the combined "$rc_exit" code from "test-wrapper.sh" +# to "rc-failed-exit" file. +# +# This means, failed tests will have a "rc-failed" file, and additional +# "rc-failed-*" files exist for further information. +if [ "$rc_exit" -eq 0 ] ; then + RC_FILENAME="rc-ok" +elif [ "$rc_exit" -eq 77 ] ; then + RC_FILENAME="rc-skipped" +else + RC_FILENAME="rc-failed" + echo "$rc_exit" > "$NFT_TEST_TESTTMPDIR/rc-failed-exit" +fi +echo "$rc_test" > "$NFT_TEST_TESTTMPDIR/$RC_FILENAME" + +END_TIME="$(cut -d ' ' -f1 /proc/uptime)" +WALL_TIME="$(awk -v start="$START_TIME" -v end="$END_TIME" "BEGIN { print(end - start) }")" +printf "%s\n" "$WALL_TIME" "$START_TIME" "$END_TIME" > "$NFT_TEST_TESTTMPDIR/times" + +exit "$rc_exit" diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 931bba96..6a9b518c 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh 
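Review bot: In the test-execution block of test-wrapper.sh (the `if [ "$rc_test" -eq 0 ]` branch that builds `CMD`), `printf "Command: $(printf '%q ' "${CMD[@]}")\n"` uses the test's command line as the printf format string; `%q` quotes shell metacharacters but leaves `%` untouched, so a test path containing `%` (a file such as `foo%s.sh`) would be interpreted as a conversion and garble or abort the log line. Keep the data out of the format: `printf 'Command: %s\n' "$(printf '%q ' "${CMD[@]}")" &>> "$NFT_TEST_TESTTMPDIR/testout.log"`. Separately, `read tainted_before < /proc/sys/kernel/tainted` and its `tainted_after` counterpart lack `-r`; harmless for this numeric file, but ShellCheck flags it and `read -r` is the house style elsewhere in this series.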
@@ -1,57 +1,617 @@ #!/bin/bash -# Configuration -TESTDIR="./$(dirname $0)/testcases" -SRC_NFT="$(dirname $0)/../../src/nft" -DIFF=$(which diff) +unset LANGUAGE +export LANG=C +export LC_ALL=C + +GREEN="" +YELLOW="" +RED="" +RESET="" +if [ -z "$NO_COLOR" ] ; then + if [ -n "$CLICOLOR_FORCE" ] || [[ -t 1 ]] ; then + # See https://bixense.com/clicolors/ . We only check isatty() on + # file descriptor 1, to decide whether colorizing happens (although, + # we might also colorize on other places/FDs). + GREEN=$'\e[32m' + YELLOW=$'\e[33m' + RED=$'\e[31m' + RESET=$'\e[0m' + fi +fi + +array_contains() { + local needle="$1" + local a + shift + for a; do + [ "$a" = "$needle" ] && return 0 + done + return 1 +} + +array_remove_first() { + local _varname="$1" + local _needle="$2" + local _result=() + local _a + + eval "local _input=( \"\${$_varname[@]}\" )" + for _a in "${_input[@]}" ; do + if [ -n "${_needle+x}" -a "$_needle" = "$_a" ] ; then + unset _needle + else + _result+=("$_a") + fi + done + eval "$_varname="'( "${_result[@]}" )' +} + +colorize_keywords() { + local out_variable="$1" + local color="$2" + local val="$3" + local val2 + shift 3 + + printf -v val2 '%q' "$val" + array_contains "$val" "$@" && val2="$color$val2$RESET" + printf -v "$out_variable" '%s' "$val2" +} + +strtonum() { + local s="$1" + local n + local n2 + + re='^[[:space:]]*([0-9]+)[[:space:]]*$' + if [[ "$s" =~ $re ]] ; then + n="${BASH_REMATCH[1]}" + if [ "$(( n + 0 ))" = "$n" ] ; then + echo "$n" + return 0 + fi + fi + re='^[[:space:]]*0x([0-9a-fA-F]+)[[:space:]]*$' + if [[ "$s" =~ $re ]] ; then + n="${BASH_REMATCH[1]}" + n2="$(( 16#$n + 0 ))" + if [ "$n2" = "$(printf '%d' "0x$n" 2>/dev/null)" ] ; then + echo "$n2" + return 0 + fi + fi + return 1 +} + +_msg() { + local level="$1" + shift + + if [ "$level" = E ] ; then + printf '%s\n' "$RED$level$RESET: $*" + elif [ "$level" = W ] ; then + printf '%s\n' "$YELLOW$level$RESET: $*" + else + printf '%s\n' "$level: $*" + fi + if [ "$level" = E ] ; then + 
exit 1 + fi +} msg_error() { - echo "E: $1 ..." >&2 - exit 1 + _msg E "$@" } msg_warn() { - echo "W: $1" >&2 + _msg W "$@" } msg_info() { - echo "I: $1" + _msg I "$@" } -if [ "$(id -u)" != "0" ] ; then - msg_error "this requires root!" +align_text() { + local _OUT_VARNAME="$1" + local _LEFT_OR_RIGHT="$2" + local _INDENT="$3" + shift 3 + local _text="$*" + local _text_plain + local _text_align + local _text_result + local _i + + # This function is needed, because "$text" might contain color escape + # sequences. A plain `printf '%12s' "$text"` will not align properly. + + # strip escape sequences + _text_plain="${_text//$'\e['[0-9]m/}" + _text_plain="${_text_plain//$'\e['[0-9][0-9]m/}" + + _text_align="" + for (( _i = "${#_text_plain}" ; "$_i" < "$_INDENT" ; _i++ )) ; do + _text_align="$_text_align " + done + + if [ "$_LEFT_OR_RIGHT" = left ] ; then + _text_result="$(printf "%s$_text_align-" "$_text")" + else + _text_result="$(printf "$_text_align%s-" "$_text")" + fi + _text_result="${_text_result%-}" + + eval "$_OUT_VARNAME=\"\$_text_result\"" +} + +bool_n() { + case "$1" in + n|N|no|No|NO|0|false|False|FALSE) + printf n + ;; + *) + printf y + ;; + esac +} + +bool_y() { + case "$1" in + y|Y|yes|Yes|YES|1|true|True|TRUE) + printf y + ;; + *) + printf n + ;; + esac +} + +usage() { + echo " $0 [OPTIONS] [TESTS...]" + echo + echo "OPTIONS:" + echo " -h|--help : Print usage." + echo " -L|--list-tests : List test names and quit." + echo " -v : Sets VERBOSE=y." + echo " -g : Sets DUMPGEN=y." + echo " -V : Sets VALGRIND=y." + echo " -K : Sets KMEMLEAK=y." + echo " -R|--without-realroot : Sets NFT_TEST_HAS_REALROOT=n." + echo " -U|--no-unshare : Sets NFT_TEST_UNSHARE_CMD=\"\"." + echo " -k|--keep-logs : Sets NFT_TEST_KEEP_LOGS=y." + echo " -x : Sets NFT_TEST_VERBOSE_TEST=y." + echo " -s|--sequential : Sets NFT_TEST_JOBS=0, which also enables global cleanups." + echo " Also sets NFT_TEST_SHUFFLE_TESTS=n if left unspecified." + echo " -Q|--quick : Sets NFT_TEST_SKIP_slow=y." 
+ echo " -S|--setup-host : Modify the host to run as rootless. Otherwise, some tests will be" + echo " skipped. Basically, this bumps /proc/sys/net/core/{wmem_max,rmem_max}." + echo " Must run as root and this option must be specified alone." + echo " -- : Separate options from tests." + echo " [TESTS...] : Other options are treated as test names," + echo " that is, executables that are run by the runner." + echo + echo "ENVIRONMENT VARIABLES:" + echo " NFT=<CMD> : Path to nft executable. Will be called as \`\$NFT [...]\` so" + echo " it can be a command with parameters. Note that in this mode quoting" + echo " does not work, so the usage is limited and the command cannot contain" + echo " spaces." + echo " NFT_REAL=<CMD> : Real nft comand. Usually this is just the same as \$NFT," + echo " however, you may set NFT='valgrind nft' and NFT_REAL to the real command." + echo " VERBOSE=*|y : Enable verbose output." + echo " NFT_TEST_VERBOSE_TEST=*|y: if true, enable verbose output for tests. For bash scripts, this means" + echo " to pass \"-x\" to the interpreter." + echo " DUMPGEN=*|y|all : Regenerate dump files \".{nft,json-nft,nodump}\". \"DUMPGEN=y\" only regenerates existing" + echo " files, unless the test has no files (then all three files are generated, and you need to" + echo " choose which to keep). With \"DUMPGEN=all\" all 3 files are regenerated, regardless" + echo " whether they already exist." + echo " VALGRIND=*|y : Run \$NFT in valgrind." + echo " KMEMLEAK=*|y : Check for kernel memleaks." + echo " NFT_TEST_HAS_REALROOT=*|y : To indicate whether the test has real root permissions." + echo " Usually, you don't need this and it gets autodetected." + echo " You might want to set it, if you know better than the" + echo " \`id -u\` check, whether the user is root in the main namespace." + echo " Note that without real root, certain tests may not work," + echo " e.g. due to limited /proc/sys/net/core/{wmem_max,rmem_max}." 
+ echo " Checks that cannot pass in such environment should check for" + echo " [ \"\$NFT_TEST_HAS_REALROOT\" != y ] and skip gracefully." + echo " NFT_TEST_HAS_SOCKET_LIMITS=*|n : some tests will fail if /proc/sys/net/core/{wmem_max,rmem_max} is" + echo " too small. When running as real root, then test can override those limits. However," + echo " with rootless the test would fail. Tests will check for [ "\$NFT_TEST_HAS_SOCKET_LIMITS" = y ]" + echo " and skip. You may set NFT_TEST_HAS_SOCKET_LIMITS=n if you ensure those limits are" + echo " suitable to run the test rootless. Otherwise will be autodetected." + echo " Set /proc/sys/net/core/{wmem_max,rmem_max} to at least 4MB to get them to pass automatically." + echo " NFT_TEST_UNSHARE_CMD=cmd : when set, this is the command line for an unshare" + echo " command, which is used to sandbox each test invocation. By" + echo " setting it to empty, no unsharing is done." + echo " By default it is unset, in which case it's autodetected as" + echo " \`unshare -f -p\` (for root) or as \`unshare -f -p --mount-proc -U --map-root-user -n\`" + echo " for non-root." + echo " When setting this, you may also want to set NFT_TEST_HAS_UNSHARED=," + echo " NFT_TEST_HAS_REALROOT= and NFT_TEST_HAS_UNSHARED_MOUNT= accordingly." + echo " NFT_TEST_HAS_UNSHARED=*|y : To indicate to the test whether the test run will be unshared." + echo " Test may consider this." + echo " This is only honored when \$NFT_TEST_UNSHARE_CMD= is set. Otherwise it's detected." + echo " NFT_TEST_HAS_UNSHARED_MOUNT=*|y : To indicate to the test whether the test run will have a private" + echo " mount namespace." + echo " This is only honored when \$NFT_TEST_UNSHARE_CMD= is set. Otherwise it's detected." + echo " NFT_TEST_KEEP_LOGS=*|y: Keep the temp directory. On success, it will be deleted by default." + echo " NFT_TEST_JOBS=<NUM}>: number of jobs for parallel execution. Defaults to \"\$(nproc)*1.5\" for parallel run." 
+ echo " Setting this to \"0\" or \"1\", means to run jobs sequentially." + echo " Setting this to \"0\" means also to perform global cleanups between tests (remove" + echo " kernel modules)." + echo " Parallel jobs requires unshare and are disabled with NFT_TEST_UNSHARE_CMD=\"\"." + echo " NFT_TEST_FAIL_ON_SKIP=*|y: if any jobs are skipped, exit with error." + echo " NFT_TEST_RANDOM_SEED=<SEED>: The test runner will export the environment variable NFT_TEST_RANDOM_SEED" + echo " set to a random number. This can be used as a stable seed for tests to randomize behavior." + echo " Set this to a fixed value to get reproducible behavior." + echo " NFT_TEST_SHUFFLE_TESTS=*|n|y: control whether to randomly shuffle the order of tests. By default, if" + echo " tests are specified explicitly, they are not shuffled while they are shuffled when" + echo " all tests are run. The shuffling is based on NFT_TEST_RANDOM_SEED." + echo " TMPDIR=<PATH> : select a different base directory for the result data." + echo + echo " NFT_TEST_HAVE_<FEATURE>=*|y: Some tests requires certain features or will be skipped." + echo " The features are autodetected, but you can force it by setting the variable." + echo " Supported <FEATURE>s are: ${_HAVE_OPTS[@]}." + echo " NFT_TEST_SKIP_<OPTION>=*|y: if set, certain tests are skipped." + echo " Supported <OPTION>s are: ${_SKIP_OPTS[@]}." +} + +NFT_TEST_BASEDIR="$(dirname "$0")" + +# Export the base directory. It may be used by tests. +export NFT_TEST_BASEDIR + +_HAVE_OPTS=() +shopt -s nullglob +F=( "$NFT_TEST_BASEDIR/features/"*.nft "$NFT_TEST_BASEDIR/features/"*.sh ) +shopt -u nullglob +for file in "${F[@]}"; do + feat="${file##*/}" + feat="${feat%.*}" + re="^[a-z_0-9]+$" + if [[ "$feat" =~ $re ]] && ! 
array_contains "$feat" "${_HAVE_OPTS[@]}" && [[ "$file" != *.sh || -x "$file" ]] ; then + _HAVE_OPTS+=( "$feat" ) + else + msg_warn "Ignore feature file \"$file\"" + fi +done +_HAVE_OPTS=( $(printf '%s\n' "${_HAVE_OPTS[@]}" | sort) ) + +for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_' | sort) ; do + if ! array_contains "${KEY#NFT_TEST_HAVE_}" "${_HAVE_OPTS[@]}" ; then + unset "$KEY" + fi +done + +_SKIP_OPTS=( slow ) +for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_' | sort) ; do + if ! array_contains "${KEY#NFT_TEST_SKIP_}" "${_SKIP_OPTS[@]}" ; then + unset "$KEY" + fi +done + +_NFT_TEST_JOBS_DEFAULT="$(nproc)" +[ "$_NFT_TEST_JOBS_DEFAULT" -gt 0 ] 2>/dev/null || _NFT_TEST_JOBS_DEFAULT=1 +_NFT_TEST_JOBS_DEFAULT="$(( _NFT_TEST_JOBS_DEFAULT + (_NFT_TEST_JOBS_DEFAULT + 1) / 2 ))" + +VERBOSE="$(bool_y "$VERBOSE")" +NFT_TEST_VERBOSE_TEST="$(bool_y "$NFT_TEST_VERBOSE_TEST")" +if [ "$DUMPGEN" != "all" ] ; then + DUMPGEN="$(bool_y "$DUMPGEN")" fi +VALGRIND="$(bool_y "$VALGRIND")" +KMEMLEAK="$(bool_y "$KMEMLEAK")" +NFT_TEST_KEEP_LOGS="$(bool_y "$NFT_TEST_KEEP_LOGS")" +NFT_TEST_HAS_REALROOT="$NFT_TEST_HAS_REALROOT" +NFT_TEST_JOBS="${NFT_TEST_JOBS:-$_NFT_TEST_JOBS_DEFAULT}" +NFT_TEST_FAIL_ON_SKIP="$(bool_y "$NFT_TEST_FAIL_ON_SKIP")" +NFT_TEST_RANDOM_SEED="$NFT_TEST_RANDOM_SEED" +NFT_TEST_SHUFFLE_TESTS="$NFT_TEST_SHUFFLE_TESTS" +NFT_TEST_SKIP_slow="$(bool_y "$NFT_TEST_SKIP_slow")" +DO_LIST_TESTS= -if [ "${1}" != "run" ]; then - if unshare -f -n true; then - unshare -n "${0}" run $@ - exit $? +if [ -z "$NFT_TEST_RANDOM_SEED" ] ; then + # Choose a random value. + n="$SRANDOM" + [ -z "$n" ] && n="$RANDOM" +else + # Parse as number. + n="$(strtonum "$NFT_TEST_RANDOM_SEED")" + if [ -z "$n" ] ; then + # If not a number, pick a hash based on the SHA-sum of the seed. 
+ n="$(printf "%d" "0x$(sha256sum <<<"NFT_TEST_RANDOM_SEED:$NFT_TEST_RANDOM_SEED" | sed -n '1 { s/^\(........\).*/\1/p }')")" fi - msg_warn "cannot run in own namespace, connectivity might break" fi -shift +# Limit a 31 bit decimal so tests can rely on this being in a certain +# restricted form. +NFT_TEST_RANDOM_SEED="$(( $n % 0x80000000 ))" +export NFT_TEST_RANDOM_SEED -[ -z "$NFT" ] && NFT=$SRC_NFT -${NFT} > /dev/null 2>&1 -ret=$? -if [ ${ret} -eq 126 ] || [ ${ret} -eq 127 ]; then - msg_error "cannot execute nft command: ${NFT}" +TESTS=() + +SETUP_HOST= +SETUP_HOST_OTHER= + +ARGV_ORIG=( "$@" ) + +while [ $# -gt 0 ] ; do + A="$1" + shift + case "$A" in + -S|--setup-host) + ;; + *) + SETUP_HOST_OTHER=y + ;; + esac + case "$A" in + -S|--setup-host) + SETUP_HOST="$A" + ;; + -v) + VERBOSE=y + ;; + -x) + NFT_TEST_VERBOSE_TEST=y + ;; + -g) + DUMPGEN=y + ;; + -V) + VALGRIND=y + ;; + -K) + KMEMLEAK=y + ;; + -h|--help) + usage + exit 0 + ;; + -k|--keep-logs) + NFT_TEST_KEEP_LOGS=y + ;; + -L|--list-tests) + DO_LIST_TESTS=y + ;; + -R|--without-realroot) + NFT_TEST_HAS_REALROOT=n + ;; + -U|--no-unshare) + NFT_TEST_UNSHARE_CMD= + ;; + -s|--sequential) + NFT_TEST_JOBS=0 + if [ -z "$NFT_TEST_SHUFFLE_TESTS" ] ; then + NFT_TEST_SHUFFLE_TESTS=n + fi + ;; + -Q|--quick) + NFT_TEST_SKIP_slow=y + ;; + --) + TESTS+=( "$@" ) + shift $# + ;; + *) + TESTS+=( "$A" ) + ;; + esac +done + +sysctl_bump() { + local sysctl="$1" + local val="$2" + local cur; + + cur="$(cat "$sysctl" 2>/dev/null)" || : + if [ -n "$cur" -a "$cur" -ge "$val" ] ; then + echo "# Skip: echo $val > $sysctl (current value $cur)" + return 0 + fi + echo " echo $val > $sysctl (previous value $cur)" + echo "$val" > "$sysctl" +} + +setup_host() { + echo "Setting up host for running as rootless (requires root)." + sysctl_bump /proc/sys/net/core/rmem_max $((4000*1024)) || return $? + sysctl_bump /proc/sys/net/core/wmem_max $((4000*1024)) || return $? 
+} + +if [ -n "$SETUP_HOST" ] ; then + if [ "$SETUP_HOST_OTHER" = y ] ; then + msg_error "The $SETUP_HOST option must be specified alone." + fi + setup_host + exit $? +fi + +find_tests() { + find "$1" -type f -executable | sort +} + +if [ "${#TESTS[@]}" -eq 0 ] ; then + d="$NFT_TEST_BASEDIR/testcases/" + d="${d#./}" + TESTS=( $(find_tests "$d") ) + test "${#TESTS[@]}" -gt 0 || msg_error "Could not find tests" + if [ -z "$NFT_TEST_SHUFFLE_TESTS" ] ; then + NFT_TEST_SHUFFLE_TESTS=y + fi +fi + +TESTSOLD=( "${TESTS[@]}" ) +TESTS=() +for t in "${TESTSOLD[@]}" ; do + if [ -f "$t" -a -x "$t" ] ; then + TESTS+=( "$t" ) + elif [ -d "$t" ] ; then + TESTS+=( $(find_tests "$t") ) + else + msg_error "Unknown test \"$t\"" + fi +done + +NFT_TEST_SHUFFLE_TESTS="$(bool_y "$NFT_TEST_SHUFFLE_TESTS")" + +if [ "$DO_LIST_TESTS" = y ] ; then + printf '%s\n' "${TESTS[@]}" + exit 0 +fi + +START_TIME="$(cut -d ' ' -f1 /proc/uptime)" + +_TMPDIR="${TMPDIR:-/tmp}" + +# Export the orignal TMPDIR for the tests. "test-wrapper.sh" sets TMPDIR to +# NFT_TEST_TESTTMPDIR, so that temporary files are placed along side the +# test data. In some cases, we may want to know the original TMPDIR. +export NFT_TEST_TMPDIR_ORIG="$_TMPDIR" + +if [ "$NFT_TEST_HAS_REALROOT" = "" ] ; then + # The caller didn't set NFT_TEST_HAS_REALROOT and didn't specify + # -R/--without-root option. Autodetect it based on `id -u`. + export NFT_TEST_HAS_REALROOT="$(test "$(id -u)" = "0" && echo y || echo n)" else - msg_info "using nft command: ${NFT}" + NFT_TEST_HAS_REALROOT="$(bool_y "$NFT_TEST_HAS_REALROOT")" fi +export NFT_TEST_HAS_REALROOT -if [ ! 
-d "$TESTDIR" ] ; then - msg_error "missing testdir $TESTDIR" +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = "" ] ; then + if [ "$NFT_TEST_HAS_REALROOT" = y ] ; then + NFT_TEST_HAS_SOCKET_LIMITS=n + elif [ "$(cat /proc/sys/net/core/wmem_max 2>/dev/null)" -ge $((4000*1024)) ] 2>/dev/null && \ + [ "$(cat /proc/sys/net/core/rmem_max 2>/dev/null)" -ge $((4000*1024)) ] 2>/dev/null ; then + NFT_TEST_HAS_SOCKET_LIMITS=n + else + NFT_TEST_HAS_SOCKET_LIMITS=y + fi +else + NFT_TEST_HAS_SOCKET_LIMITS="$(bool_n "$NFT_TEST_HAS_SOCKET_LIMITS")" fi +export NFT_TEST_HAS_SOCKET_LIMITS -FIND="$(which find)" -if [ ! -x "$FIND" ] ; then - msg_error "no find binary found" +detect_unshare() { + if ! $1 true &>/dev/null ; then + return 1 + fi + NFT_TEST_UNSHARE_CMD="$1" + return 0 +} + +if [ -n "${NFT_TEST_UNSHARE_CMD+x}" ] ; then + # User overrides the unshare command. + if ! detect_unshare "$NFT_TEST_UNSHARE_CMD" ; then + msg_error "Cannot unshare via NFT_TEST_UNSHARE_CMD=$(printf '%q' "$NFT_TEST_UNSHARE_CMD")" + fi + if [ -z "${NFT_TEST_HAS_UNSHARED+x}" ] ; then + # Autodetect NFT_TEST_HAS_UNSHARED based one whether + # $NFT_TEST_UNSHARE_CMD is set. + if [ -n "$NFT_TEST_UNSHARE_CMD" ] ; then + NFT_TEST_HAS_UNSHARED="y" + else + NFT_TEST_HAS_UNSHARED="n" + fi + else + NFT_TEST_HAS_UNSHARED="$(bool_y "$NFT_TEST_HAS_UNSHARED")" + fi + if [ -z "${NFT_TEST_HAS_UNSHARED_MOUNT+x}" ] ; then + NFT_TEST_HAS_UNSHARED_MOUNT=n + if [ "$NFT_TEST_HAS_UNSHARED" == y ] ; then + case "$NFT_TEST_UNSHARE_CMD" in + unshare*-m*|unshare*--mount-proc*) + NFT_TEST_HAS_UNSHARED_MOUNT=y + ;; + esac + fi + else + NFT_TEST_HAS_UNSHARED_MOUNT="$(bool_y "$NFT_TEST_HAS_UNSHARED_MOUNT")" + fi +else + NFT_TEST_HAS_UNSHARED_MOUNT=n + if [ "$NFT_TEST_HAS_REALROOT" = y ] ; then + # We appear to have real root. So try to unshare + # without a separate USERNS. CLONE_NEWUSER will break + # tests that are limited by + # /proc/sys/net/core/{wmem_max,rmem_max}. With real + # root, we want to test that. 
+ if detect_unshare "unshare -f -n -m" ; then + NFT_TEST_HAS_UNSHARED_MOUNT=y + else + detect_unshare "unshare -f -n" || + detect_unshare "unshare -f -p -m --mount-proc -U --map-root-user -n" || + detect_unshare "unshare -f -U --map-root-user -n" + fi + else + if detect_unshare "unshare -f -p -m --mount-proc -U --map-root-user -n" ; then + NFT_TEST_HAS_UNSHARED_MOUNT=y + else + detect_unshare "unshare -f -U --map-root-user -n" + fi + fi + if [ -z "$NFT_TEST_UNSHARE_CMD" ] ; then + msg_error "Unshare does not work. Run as root with -U/--no-unshare or set NFT_TEST_UNSHARE_CMD" + fi + NFT_TEST_HAS_UNSHARED=y fi +# If tests wish, they can know whether they are unshared via this variable. +export NFT_TEST_HAS_UNSHARED +export NFT_TEST_HAS_UNSHARED_MOUNT -MODPROBE="$(which modprobe)" -if [ ! -x "$MODPROBE" ] ; then - msg_error "no modprobe binary found" +# normalize the jobs number to be an integer. +case "$NFT_TEST_JOBS" in + ''|*[!0-9]*) NFT_TEST_JOBS=_NFT_TEST_JOBS_DEFAULT ;; +esac +if [ -z "$NFT_TEST_UNSHARE_CMD" -a "$NFT_TEST_JOBS" -gt 1 ] ; then + NFT_TEST_JOBS=1 +fi + +[ -z "$NFT" ] && NFT="$NFT_TEST_BASEDIR/../../src/nft" +${NFT} > /dev/null 2>&1 +ret=$? +if [ ${ret} -eq 126 ] || [ ${ret} -eq 127 ]; then + msg_error "cannot execute nft command: $NFT" +fi + +NFT_REAL="${NFT_REAL-$NFT}" + +feature_probe() +{ + local with_path="$NFT_TEST_BASEDIR/features/$1" + + if [ -r "$with_path.nft" ] ; then + $NFT_TEST_UNSHARE_CMD "$NFT_REAL" --check -f "$with_path.nft" &>/dev/null + return $? + fi + + if [ -x "$with_path.sh" ] ; then + NFT="$NFT_REAL" $NFT_TEST_UNSHARE_CMD "$with_path.sh" &>/dev/null + return $? 
+ fi + + return 1 +} + +for feat in "${_HAVE_OPTS[@]}" ; do + var="NFT_TEST_HAVE_$feat" + if [ -z "${!var+x}" ] ; then + val='y' + feature_probe "$feat" || val='n' + else + val="$(bool_n "${!var}")" + fi + eval "export $var=$val" + if [ "$NFT_TEST_HAS_UNSHARED" != y ] ; then + $NFT flush ruleset + fi +done + +if [ "$NFT_TEST_JOBS" -eq 0 ] ; then + MODPROBE="$(which modprobe)" + if [ ! -x "$MODPROBE" ] ; then + msg_error "no modprobe binary found" + fi fi DIFF="$(which diff)" 
@@ -59,23 +619,102 @@ if [ ! -x "$DIFF" ] ; then DIFF=true fi -if [ "$1" == "-v" ] ; then - VERBOSE=y - shift -fi +JOBS_PIDLIST_ARR=() +declare -A JOBS_PIDLIST -if [ "$1" == "-g" ] ; then - DUMPGEN=y - shift -fi +_NFT_TEST_VALGRIND_VGDB_PREFIX= + +cleanup_on_exit() { + pids_search='' + for pid in "${JOBS_PIDLIST_ARR[@]}" ; do + kill -- "-$pid" &>/dev/null + pids_search="$pids_search\\|\\<$pid\\>" + done + if [ -n "$pids_search" ] ; then + pids_search="${pids_search:2}" + for i in {1..100}; do + ps xh -o pgrp | grep -q "$pids_search" || break + sleep 0.01 + done + fi + if [ "$NFT_TEST_KEEP_LOGS" != y -a -n "$NFT_TEST_TMPDIR" ] ; then + rm -rf "$NFT_TEST_TMPDIR" + fi + if [ -n "$_NFT_TEST_VALGRIND_VGDB_PREFIX" ] ; then + rm -rf "$_NFT_TEST_VALGRIND_VGDB_PREFIX"* &>/dev/null + fi +} + +trap 'exit 130' SIGINT +trap 'exit 143' SIGTERM +trap 'rc=$?; cleanup_on_exit; exit $rc' EXIT + +TIMESTAMP=$(date '+%Y%m%d-%H%M%S.%3N') +NFT_TEST_TMPDIR="$(mktemp --tmpdir="$_TMPDIR" -d "nft-test.$TIMESTAMP$NFT_TEST_TMPDIR_TAG.XXXXXX")" || + msg_error "Failure to create temp directory in \"$_TMPDIR\"" +chmod 755 "$NFT_TEST_TMPDIR" -for arg in "$@"; do - SINGLE+=" $arg" - VERBOSE=y +exec &> >(tee "$NFT_TEST_TMPDIR/test.log") + +msg_info "conf: NFT=$(printf '%q' "$NFT")" +msg_info "conf: NFT_REAL=$(printf '%q' "$NFT_REAL")" +msg_info "conf: VERBOSE=$(printf '%q' "$VERBOSE")" +msg_info "conf: NFT_TEST_VERBOSE_TEST=$(printf '%q' "$NFT_TEST_VERBOSE_TEST")" +msg_info "conf: DUMPGEN=$(printf '%q' "$DUMPGEN")" +msg_info "conf: VALGRIND=$(printf '%q' "$VALGRIND")" +msg_info "conf: KMEMLEAK=$(printf '%q' "$KMEMLEAK")" +msg_info "conf: NFT_TEST_HAS_REALROOT=$(printf '%q' "$NFT_TEST_HAS_REALROOT")" +colorize_keywords value "$YELLOW" "$NFT_TEST_HAS_SOCKET_LIMITS" y +msg_info "conf: NFT_TEST_HAS_SOCKET_LIMITS=$value" +msg_info "conf: NFT_TEST_UNSHARE_CMD=$(printf '%q' "$NFT_TEST_UNSHARE_CMD")" +msg_info "conf: NFT_TEST_HAS_UNSHARED=$(printf '%q' "$NFT_TEST_HAS_UNSHARED")" +msg_info "conf: 
NFT_TEST_HAS_UNSHARED_MOUNT=$(printf '%q' "$NFT_TEST_HAS_UNSHARED_MOUNT")" +msg_info "conf: NFT_TEST_KEEP_LOGS=$(printf '%q' "$NFT_TEST_KEEP_LOGS")" +msg_info "conf: NFT_TEST_JOBS=$NFT_TEST_JOBS" +msg_info "conf: NFT_TEST_FAIL_ON_SKIP=$NFT_TEST_FAIL_ON_SKIP" +msg_info "conf: NFT_TEST_RANDOM_SEED=$NFT_TEST_RANDOM_SEED" +msg_info "conf: NFT_TEST_SHUFFLE_TESTS=$NFT_TEST_SHUFFLE_TESTS" +msg_info "conf: TMPDIR=$(printf '%q' "$_TMPDIR")" +echo +for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_' | sort) ; do + colorize_keywords value "$YELLOW" "${!KEY}" y + msg_info "conf: $KEY=$value" + export "$KEY" +done +for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_' | sort) ; do + colorize_keywords value "$YELLOW" "${!KEY}" n + msg_info "conf: $KEY=$value" + export "$KEY" done +NFT_TEST_LATEST="$_TMPDIR/nft-test.latest.$USER" + +ln -snf "$NFT_TEST_TMPDIR" "$NFT_TEST_LATEST" + +# export the tmp directory for tests. They may use it, but create distinct +# files! On success, it will be deleted on EXIT. See also "--keep-logs" +export NFT_TEST_TMPDIR + +echo +msg_info "info: NFT_TEST_BASEDIR=$(printf '%q' "$NFT_TEST_BASEDIR")" +msg_info "info: NFT_TEST_TMPDIR=$(printf '%q' "$NFT_TEST_TMPDIR")" + +if [ "$VALGRIND" == "y" ]; then + NFT="$NFT_TEST_BASEDIR/helpers/nft-valgrind-wrapper.sh" + msg_info "info: NFT=$(printf '%q' "$NFT")" + _NFT_TEST_VALGRIND_VGDB_PREFIX="$NFT_TEST_TMPDIR_ORIG/vgdb-pipe-nft-test-$TIMESTAMP.$$.$RANDOM" + export _NFT_TEST_VALGRIND_VGDB_PREFIX +fi + kernel_cleanup() { - $NFT flush ruleset + if [ "$NFT_TEST_JOBS" -ne 0 ] ; then + # When we run jobs in parallel (even with only one "parallel" + # job via `NFT_TEST_JOBS=1`), we skip such global cleanups. + return + fi + if [ "$NFT_TEST_HAS_UNSHARED" != y ] ; then + $NFT flush ruleset + fi $MODPROBE -raq \ nft_reject_ipv4 nft_reject_bridge nft_reject_ipv6 nft_reject \ nft_redir_ipv4 nft_redir_ipv6 nft_redir \ 
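Review bot: `ln -snf "$NFT_TEST_TMPDIR" "$NFT_TEST_LATEST"` writes to a predictable name in the shared TMPDIR (`$_TMPDIR/nft-test.latest.$USER`), and `ln -snf` does not refuse a pre-existing real directory at that path — it creates the link inside it, so another local user who pre-creates that directory controls where the "check the temp directory" hints printed at the end of the run point. `$USER` is also unset in many non-login contexts (cron, containers), which collapses every run onto `nft-test.latest.`. I would derive the name with `NFT_TEST_LATEST="$_TMPDIR/nft-test.latest.${USER:-$(id -un)}"`, guard it with `[ ! -e "$NFT_TEST_LATEST" ] || [ -L "$NFT_TEST_LATEST" ] || msg_error "refusing to replace non-symlink \"$NFT_TEST_LATEST\""`, and then `ln -snf -- "$NFT_TEST_TMPDIR" "$NFT_TEST_LATEST"`. Separately, `chmod 755 "$NFT_TEST_TMPDIR"` widens the 0700 mode `mktemp -d` chose, making every test log and ruleset dump readable by all local users; if that is needed for the unshared/rootless path, a one-line comment saying so would stop a later reader from "fixing" it.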
@@ -98,83 +737,262 @@ kernel_cleanup() { nft_xfrm } -find_tests() { - if [ ! -z "$SINGLE" ] ; then - echo $SINGLE - return - fi - ${FIND} ${TESTDIR} -type f -executable | sort -} - echo "" ok=0 +skipped=0 failed=0 -taint=0 -check_taint() +kmem_runs=0 +kmemleak_found=0 + +check_kmemleak_force() { - read taint_now < /proc/sys/kernel/tainted - if [ $taint -ne $taint_now ] ; then - msg_warn "[FAILED] kernel is tainted: $taint -> $taint_now" - ((failed++)) + test -f /sys/kernel/debug/kmemleak || return 0 + + echo scan > /sys/kernel/debug/kmemleak + + lines=$(grep "unreferenced object" /sys/kernel/debug/kmemleak | wc -l) + if [ $lines -ne $kmemleak_found ];then + msg_warn "[FAILED] kmemleak detected $lines memory leaks" + kmemleak_found=$lines + fi + + if [ $lines -ne 0 ];then + return 1 fi + + return 0 } -check_taint +check_kmemleak() +{ + test -f /sys/kernel/debug/kmemleak || return -for testfile in $(find_tests) -do - read taint < /proc/sys/kernel/tainted - kernel_cleanup + if [ "$KMEMLEAK" == "y" ] ; then + check_kmemleak_force + return + fi - msg_info "[EXECUTING] $testfile" - test_output=$(NFT="$NFT" DIFF=$DIFF ${testfile} 2>&1) - rc_got=$? - echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line + kmem_runs=$((kmem_runs + 1)) + if [ $((kmem_runs % 30)) -eq 0 ]; then + # scan slows tests down quite a bit, hence + # do this only for every 30th test file by + # default. 
+ check_kmemleak_force + fi +} + +read kernel_tainted < /proc/sys/kernel/tainted +if [ "$kernel_tainted" -ne 0 ] ; then + msg_warn "kernel is tainted" + echo +fi + +print_test_header() { + local msglevel="$1" + local testfile="$2" + local testidx_completed="$3" + local status="$4" + local text + local s_idx + + s_idx="${#TESTS[@]}" + align_text text right "${#s_idx}" "$testidx_completed" + s_idx="$text/${#TESTS[@]}" + + align_text text left 12 "[$status]" + _msg "$msglevel" "$text $s_idx $testfile" +} + +print_test_result() { + local NFT_TEST_TESTTMPDIR="$1" + local testfile="$2" + local rc_got="$3" + + local result_msg_level="I" + local result_msg_files=( "$NFT_TEST_TESTTMPDIR/testout.log" "$NFT_TEST_TESTTMPDIR/ruleset-diff" ) + local result_msg_status if [ "$rc_got" -eq 0 ] ; then - # check nft dump only for positive tests - dumppath="$(dirname ${testfile})/dumps" - dumpfile="${dumppath}/$(basename ${testfile}).nft" - rc_spec=0 - if [ "$rc_got" -eq 0 ] && [ -f ${dumpfile} ]; then - test_output=$(${DIFF} -u ${dumpfile} <($NFT list ruleset) 2>&1) - rc_spec=$? + ((ok++)) + result_msg_status="${GREEN}OK$RESET" + elif [ "$rc_got" -eq 77 ] ; then + ((skipped++)) + result_msg_status="${YELLOW}SKIPPED$RESET" + else + ((failed++)) + result_msg_level="W" + if [ "$rc_got" -eq 121 ] ; then + result_msg_status="CHK DUMP" + elif [ "$rc_got" -eq 122 ] ; then + result_msg_status="VALGRIND" + elif [ "$rc_got" -eq 123 ] ; then + result_msg_status="TAINTED" + elif [ "$rc_got" -eq 124 ] ; then + result_msg_status="DUMP FAIL" + else + result_msg_status="FAILED" fi + result_msg_status="$RED$result_msg_status$RESET" + result_msg_files=( "$NFT_TEST_TESTTMPDIR/testout.log" ) + fi - if [ "$rc_spec" -eq 0 ]; then - msg_info "[OK] $testfile" - [ "$VERBOSE" == "y" ] && [ ! -z "$test_output" ] && echo "$test_output" - ((ok++)) + print_test_header "$result_msg_level" "$testfile" "$((ok + skipped + failed))" "$result_msg_status" - if [ "$DUMPGEN" == "y" ] && [ "$rc_got" == 0 ] && [ ! 
-f "${dumpfile}" ]; then - mkdir -p "${dumppath}" - $NFT list ruleset > "${dumpfile}" - fi - else - ((failed++)) - if [ "$VERBOSE" == "y" ] ; then - msg_warn "[DUMP FAIL] $testfile: dump diff detected" - [ ! -z "$test_output" ] && echo "$test_output" - else - msg_warn "[DUMP FAIL] $testfile" + if [ "$VERBOSE" = "y" ] ; then + local f + + for f in "${result_msg_files[@]}"; do + if [ -s "$f" ] ; then + cat "$f" fi + done + + if [ "$rc_got" -ne 0 ] ; then + msg_info "check \"$NFT_TEST_TESTTMPDIR\"" fi - else - ((failed++)) - if [ "$VERBOSE" == "y" ] ; then - msg_warn "[FAILED] $testfile: got $rc_got" - [ ! -z "$test_output" ] && echo "$test_output" + fi +} + +declare -A JOBS_TEMPDIR + +job_start() { + local testfile="$1" + local testidx="$2" + + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then + print_test_header I "$testfile" "$testidx" "EXECUTING" + fi + + NFT_TEST_TESTTMPDIR="${JOBS_TEMPDIR["$testfile"]}" \ + NFT="$NFT" \ + NFT_REAL="$NFT_REAL" \ + DIFF="$DIFF" \ + DUMPGEN="$DUMPGEN" \ + NFT_TEST_VERBOSE_TEST="$NFT_TEST_VERBOSE_TEST" \ + $NFT_TEST_UNSHARE_CMD "$NFT_TEST_BASEDIR/helpers/test-wrapper.sh" "$testfile" + local rc_got=$? + + if [ "$NFT_TEST_JOBS" -le 1 ] && [[ -t 1 ]]; then + echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line + fi + + return "$rc_got" +} + +# `wait -p` is only supported since bash 5.1 +WAIT_SUPPORTS_P=1 +[ "${BASH_VERSINFO[0]}" -le 4 -o \( "${BASH_VERSINFO[0]}" -eq 5 -a "${BASH_VERSINFO[1]}" -eq 0 \) ] && WAIT_SUPPORTS_P=0 + +job_wait() +{ + local num_jobs="$1" + local JOBCOMPLETED + local rc_got + + while [ "${#JOBS_PIDLIST_ARR[@]}" -gt 0 -a "${#JOBS_PIDLIST_ARR[@]}" -ge "$num_jobs" ] ; do + if [ "$WAIT_SUPPORTS_P" = 1 ] ; then + wait -n -p JOBCOMPLETED + rc_got="$?" + array_remove_first JOBS_PIDLIST_ARR "$JOBCOMPLETED" else - msg_warn "[FAILED] $testfile" + # Without `wait -p` support, we need to explicitly wait + # for a PID. That reduces parallelism. 
+ JOBCOMPLETED="${JOBS_PIDLIST_ARR[0]}" + JOBS_PIDLIST_ARR=( "${JOBS_PIDLIST_ARR[@]:1}" ) + wait -n "$JOBCOMPLETED" + rc_got="$?" fi - fi - check_taint + local testfile2="${JOBS_PIDLIST[$JOBCOMPLETED]}" + unset JOBS_PIDLIST[$JOBCOMPLETED] + print_test_result "${JOBS_TEMPDIR["$testfile2"]}" "$testfile2" "$rc_got" + check_kmemleak + done +} + +if [ "$NFT_TEST_SHUFFLE_TESTS" = y ] ; then + TESTS=( $(printf '%s\n' "${TESTS[@]}" | shuf --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "nft-test-shuffle-tests" "$NFT_TEST_RANDOM_SEED") ) ) +fi + +TESTIDX=0 +for testfile in "${TESTS[@]}" ; do + job_wait "$NFT_TEST_JOBS" + + kernel_cleanup + + ((TESTIDX++)) + + NFT_TEST_TESTTMPDIR="$NFT_TEST_TMPDIR/test-${testfile//\//-}.$TESTIDX" + mkdir "$NFT_TEST_TESTTMPDIR" + chmod 755 "$NFT_TEST_TESTTMPDIR" + JOBS_TEMPDIR["$testfile"]="$NFT_TEST_TESTTMPDIR" + + [[ -o monitor ]] && set_old_state='set -m' || set_old_state='set +m' + set -m + ( job_start "$testfile" "$TESTIDX" ) & + pid=$! + eval "$set_old_state" + JOBS_PIDLIST[$pid]="$testfile" + JOBS_PIDLIST_ARR+=( "$pid" ) done +job_wait 0 + echo "" -msg_info "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))" + +# kmemleak may report suspected leaks +# that get free'd after all, so always do +# a check after all test cases +# have completed and reset the counter +# so another warning gets emitted. 
+kmemleak_found=0 +check_kmemleak_force + +failed_total="$failed" +if [ "$NFT_TEST_FAIL_ON_SKIP" = y ] ; then + failed_total="$((failed_total + skipped))" +fi + +if [ "$failed_total" -gt 0 ] ; then + RR="$RED" +elif [ "$skipped" -gt 0 ] ; then + RR="$YELLOW" +else + RR="$GREEN" +fi +msg_info "${RR}results$RESET: [OK] $GREEN$ok$RESET [SKIPPED] $YELLOW$skipped$RESET [FAILED] $RED$failed$RESET [TOTAL] $((ok+skipped+failed))" kernel_cleanup -[ "$failed" -eq 0 ] + +# ( \ +# for d in /tmp/nft-test.latest.*/test-*/ ; do \ +# printf '%10.2f %s\n' \ +# "$(sed '1!d' "$d/times")" \ +# "$(cat "$d/name")" ; \ +# done \ +# | sort -n \ +# | awk '{print $0; s+=$1} END{printf("%10.2f\n", s)}' ; \ +# printf '%10.2f wall time\n' "$(sed '1!d' /tmp/nft-test.latest.*/times)" \ +# ) +END_TIME="$(cut -d ' ' -f1 /proc/uptime)" +WALL_TIME="$(awk -v start="$START_TIME" -v end="$END_TIME" "BEGIN { print(end - start) }")" +printf "%s\n" "$WALL_TIME" "$START_TIME" "$END_TIME" > "$NFT_TEST_TMPDIR/times" + +if [ "$failed_total" -gt 0 -o "$NFT_TEST_KEEP_LOGS" = y ] ; then + msg_info "check the temp directory \"$NFT_TEST_TMPDIR\" (\"$NFT_TEST_LATEST\")" + msg_info " ls -lad \"$NFT_TEST_LATEST\"/*/*" + msg_info " grep -R ^ \"$NFT_TEST_LATEST\"/" + NFT_TEST_TMPDIR= +fi + +if [ "$failed" -gt 0 ] ; then + exit 1 +elif [ "$NFT_TEST_FAIL_ON_SKIP" = y -a "$skipped" -gt 0 ] ; then + msg_info "some tests were skipped. Fail due to NFT_TEST_FAIL_ON_SKIP=y" + exit 1 +elif [ "$ok" -eq 0 -a "$skipped" -gt 0 ] ; then + exit 77 +else + exit 0 +fi diff --git a/tests/shell/testcases/chains/0040mark_shift_0 b/tests/shell/testcases/bitwise/0040mark_binop_0 index ef3dccfa..4ecc9d3d 100755 --- a/tests/shell/testcases/chains/0040mark_shift_0 +++ b/tests/shell/testcases/bitwise/0040mark_binop_0 
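Review bot: `TESTS=( $(printf '%s\n' "${TESTS[@]}" | shuf --random-source=<(...)) )` re-splits the shuffled test paths on IFS and runs each through pathname expansion, so a test file or directory name containing whitespace or glob characters is mangled after shuffling even though it was carried intact in the array up to that point; `mapfile -t TESTS < <(printf '%s\n' "${TESTS[@]}" | shuf --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "nft-test-shuffle-tests" "$NFT_TEST_RANDOM_SEED"))` keeps one element per line. Relatedly, `check_kmemleak_force` prints `[FAILED] kmemleak detected $lines memory leaks` and returns 1, but every caller (`check_kmemleak`, the post-loop call) discards that status, so a kmemleak report never reaches `failed` or the exit code; either count it (`check_kmemleak_force || ((failed++))`) or relabel the message as a warning so the "[FAILED]" tag is not misleading. The `grep ... | wc -l` there can also be `grep -c "unreferenced object" /sys/kernel/debug/kmemleak`.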
@@ -1,10 +1,12 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + set -e RULESET=" add table t - add chain t c { type filter hook output priority mangle; } + add chain t c { type filter hook output priority filter; } add rule t c oif lo ct mark set (meta mark | 0x10) << 8 " diff --git a/tests/shell/testcases/chains/0040mark_shift_1 b/tests/shell/testcases/bitwise/0040mark_binop_1 index b609f5ef..bd9e028d 100755 --- a/tests/shell/testcases/chains/0040mark_shift_1 +++ b/tests/shell/testcases/bitwise/0040mark_binop_1 @@ -1,10 +1,12 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + set -e RULESET=" add table t - add chain t c { type filter hook input priority mangle; } + add chain t c { type filter hook input priority filter; } add rule t c iif lo ct mark & 0xff 0x10 meta mark set ct mark >> 8 " diff --git a/tests/shell/testcases/bitwise/0040mark_binop_10 b/tests/shell/testcases/bitwise/0040mark_binop_10 new file mode 100755 index 00000000..f523bd73 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_10 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook output priority filter; } + add rule t c ct mark set ct mark and 0xffff0000 or meta mark and 0xffff +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_11 b/tests/shell/testcases/bitwise/0040mark_binop_11 new file mode 100755 index 00000000..d6dfb3b8 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_11 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook input priority filter; } + add rule t c meta mark set ct mark and 0xffff0000 or meta mark and 0xffff +" + +$NFT -f - <<< "$RULESET" 
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_12 b/tests/shell/testcases/bitwise/0040mark_binop_12 new file mode 100755 index 00000000..bbddb55b --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_12 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook output priority filter; } + add rule ip6 t c ct mark set ct mark and 0xffff0000 or meta mark and 0xffff +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_13 b/tests/shell/testcases/bitwise/0040mark_binop_13 new file mode 100755 index 00000000..769acb63 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_13 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook input priority filter; } + add rule ip6 t c meta mark set ct mark and 0xffff0000 or meta mark and 0xffff +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_2 b/tests/shell/testcases/bitwise/0040mark_binop_2 new file mode 100755 index 00000000..5e66a27a --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_2 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook output priority filter; } + add rule t c ct mark set ip dscp lshift 2 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_3 b/tests/shell/testcases/bitwise/0040mark_binop_3 new file mode 100755 index 00000000..21dda670 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_3 
@@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook input priority filter; } + add rule t c meta mark set ip dscp lshift 2 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_4 b/tests/shell/testcases/bitwise/0040mark_binop_4 new file mode 100755 index 00000000..e5c8a42a --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_4 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook output priority filter; } + add rule t c ct mark set ip dscp lshift 26 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_5 b/tests/shell/testcases/bitwise/0040mark_binop_5 new file mode 100755 index 00000000..184fbed0 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_5 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook input priority filter; } + add rule t c meta mark set ip dscp lshift 26 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_6 b/tests/shell/testcases/bitwise/0040mark_binop_6 new file mode 100755 index 00000000..129dd5c0 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_6 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook output priority filter; } + add rule ip6 t c ct mark set ip6 dscp lshift 2 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_7 b/tests/shell/testcases/bitwise/0040mark_binop_7 new file mode 100755 index 00000000..791a7943 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_7 
@@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook input priority filter; } + add rule ip6 t c meta mark set ip6 dscp lshift 2 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_8 b/tests/shell/testcases/bitwise/0040mark_binop_8 new file mode 100755 index 00000000..5e7bd28d --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_8 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook output priority filter; } + add rule ip6 t c ct mark set ip6 dscp lshift 26 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0040mark_binop_9 b/tests/shell/testcases/bitwise/0040mark_binop_9 new file mode 100755 index 00000000..a7b60fb8 --- /dev/null +++ b/tests/shell/testcases/bitwise/0040mark_binop_9 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook input priority filter; } + add rule ip6 t c meta mark set ip6 dscp lshift 26 or 0x10 +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0044payload_binop_2 b/tests/shell/testcases/bitwise/0044payload_binop_2 new file mode 100755 index 00000000..13c4acef --- /dev/null +++ b/tests/shell/testcases/bitwise/0044payload_binop_2 @@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg) + +set -e + +RULESET=" + add table t + add chain t c { type filter hook output priority filter; } + add rule t c ct mark set ct mark | ip dscp | 0x200 counter +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/0044payload_binop_5 b/tests/shell/testcases/bitwise/0044payload_binop_5 new file mode 100755 index 00000000..7e8095c8 --- /dev/null +++ b/tests/shell/testcases/bitwise/0044payload_binop_5 
@@ -0,0 +1,13 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg) + +set -e + +RULESET=" + add table ip6 t + add chain ip6 t c { type filter hook output priority filter; } + add rule ip6 t c ct mark set ct mark | ip6 dscp | 0x200 counter +" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.json-nft new file mode 100644 index 00000000..8973de85 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "<<": [ + { + "|": [ + { + "meta": { + "key": "mark" + } + }, + 16 + ] + }, + 8 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0040mark_shift_0.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft index 52d59d2c..fc0a600a 100644 --- a/tests/shell/testcases/chains/dumps/0040mark_shift_0.nft +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft @@ -1,6 +1,6 @@ table ip t { chain c { - type filter hook output priority mangle; policy accept; + type filter hook output priority filter; policy accept; oif "lo" ct mark set (meta mark | 0x00000010) << 8 } } 
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.json-nft new file mode 100644 index 00000000..ed8e1a0d --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.json-nft @@ -0,0 +1,86 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "lo" + } + }, + { + "match": { + "op": "==", + "left": { + "&": [ + { + "ct": { + "key": "mark" + } + }, + 255 + ] + }, + "right": 16 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + ">>": [ + { + "ct": { + "key": "mark" + } + }, + 8 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0040mark_shift_1.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft index 56ec8dc7..dbaacefb 100644 --- a/tests/shell/testcases/chains/dumps/0040mark_shift_1.nft +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft @@ -1,6 +1,6 @@ table ip t { chain c { - type filter hook input priority mangle; policy accept; + type filter hook input priority filter; policy accept; iif "lo" ct mark & 0x000000ff == 0x00000010 meta mark set ct mark >> 8 } } diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.nft new file mode 100644 index 00000000..5566f729 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.nft 
@@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.nft new file mode 100644 index 00000000..719980d5 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.nft new file mode 100644 index 00000000..bd589fe5 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.nft new file mode 100644 index 00000000..2b046b12 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.json-nft new file mode 100644 index 00000000..3cd9a831 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.json-nft 
@@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 2 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft new file mode 100644 index 00000000..2b9be36e --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ip dscp << 2 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.json-nft new file mode 100644 index 00000000..00c5b78a --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.json-nft 
@@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 2 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft new file mode 100644 index 00000000..8206fec0 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ip dscp << 2 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.json-nft new file mode 100644 index 00000000..3aa81605 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.json-nft 
@@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 26 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft new file mode 100644 index 00000000..91d9f566 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ip dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.json-nft new file mode 100644 index 00000000..a3214973 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.json-nft 
@@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip", + "field": "dscp" + } + }, + 26 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft new file mode 100644 index 00000000..f2b51eb8 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ip dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.json-nft new file mode 100644 index 00000000..2de0323d --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.json-nft 
@@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 2 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft new file mode 100644 index 00000000..cf7be90c --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ip6 dscp << 2 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.json-nft new file mode 100644 index 00000000..72aee701 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.json-nft 
@@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 2 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft new file mode 100644 index 00000000..a9663e62 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ip6 dscp << 2 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.json-nft new file mode 100644 index 00000000..1cf84be5 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.json-nft 
@@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 26 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft new file mode 100644 index 00000000..04b866ad --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ip6 dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.json-nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.json-nft new file mode 100644 index 00000000..6f4494b1 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.json-nft 
@@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "protocol": "ip6", + "field": "dscp" + } + }, + 26 + ] + }, + 16 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft new file mode 100644 index 00000000..d4745ea4 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook input priority filter; policy accept; + meta mark set ip6 dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.nft b/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.nft new file mode 100644 index 00000000..ed347bb2 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ct mark | ip dscp | 0x00000200 counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.nft b/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.nft new file mode 100644 index 00000000..ccdb93d7 --- /dev/null +++ b/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.nft @@ -0,0 +1,6 @@ +table ip6 t { + chain c { + type filter hook output priority filter; policy accept; + ct mark set ct mark | ip6 dscp | 0x00000200 counter packets 0 bytes 0 + } +} 
diff --git a/tests/shell/testcases/bogons/assert_failures b/tests/shell/testcases/bogons/assert_failures
new file mode 100755
index 00000000..74e162ad
--- /dev/null
+++ b/tests/shell/testcases/bogons/assert_failures
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+dir=$(dirname $0)/nft-f/
+jsondir=$(dirname $0)/nft-j-f/
+
+tmpfile=$(mktemp)
+
+cleanup()
+{
+ rm -f "$tmpfile"
+}
+
+trap cleanup EXIT
+
+die_on_error()
+{
+ local rv="$1"
+ local fname="$2"
+
+ if [ $rv -ne 1 ]; then
+ echo "Bogus input file $fname did not cause expected error code" 1>&2
+ exit 111
+ fi
+
+ if grep AddressSanitizer "$tmpfile"; then
+ echo "Address sanitizer splat for $fname" 1>&2
+ cat "$tmpfile"
+ exit 111
+ fi
+}
+
+for f in $dir/*; do
+ echo "Check $f"
+ $NFT --check -f "$f" 2> "$tmpfile"
+
+ die_on_error $? "$f"
+done
+
+if [ "$NFT_TEST_HAVE_json" = "n" ];then
+ # Intentionally do not skip if we lack json input,
+ # we ran all the tests that we could.
+ exit 0
+fi
+
+for f in $jsondir/*; do
+ echo "Check json input $f"
+ $NFT --check -j -f "$f" 2> "$tmpfile"
+
+ die_on_error $?
+done
diff --git a/tests/shell/testcases/bogons/dumps/assert_failures.json-nft b/tests/shell/testcases/bogons/dumps/assert_failures.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/bogons/dumps/assert_failures.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/bogons/dumps/assert_failures.nft b/tests/shell/testcases/bogons/dumps/assert_failures.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/bogons/dumps/assert_failures.nft
diff --git a/tests/shell/testcases/bogons/nat_map_and_protocol_assert b/tests/shell/testcases/bogons/nat_map_and_protocol_assert
new file mode 100644
index 00000000..67f2ae87
--- /dev/null
+++ b/tests/shell/testcases/bogons/nat_map_and_protocol_assert
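Review bot: The JSON loop at the end of the assert_failures hunk calls `die_on_error $?` without the filename, so the "Bogus input file ... did not cause expected error code" and "Address sanitizer splat for ..." diagnostics print an empty name for json inputs; the first loop passes it, so this line should read `die_on_error $? "$f"`. The `dirname $0` expansions on the `dir=` and `jsondir=` lines are also unquoted and word-split if the testcase path contains whitespace; `dir=$(dirname "$0")/nft-f/` avoids that. `grep AddressSanitizer "$tmpfile"` prints the matching lines and the following `cat "$tmpfile"` prints them again, so `grep -q` would avoid the duplicated output; the substance of the check (exit status must be exactly 1, no sanitizer report on stderr) is the right contract for a test whose point is that malformed input is rejected cleanly rather than crashing the parser.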
@@ -0,0 +1,5 @@ +table t { + chain y { + snat to ip saddr . tcp sport map { 1.1.1.1 . 1 : 1.1.1.2 . 1 } : 6 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash new file mode 100644 index 00000000..80a01b45 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash @@ -0,0 +1,11 @@ +table t { + set candidates_ipv4 { + type ipv4_addr . inet_service + size 65535 + flags dynamic,timeout + } + + chain input { + tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10 :0004 timeout 1s } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/asan_stack_buffer_overrun_in_netlink_gen_range b/tests/shell/testcases/bogons/nft-f/asan_stack_buffer_overrun_in_netlink_gen_range new file mode 100644 index 00000000..2f7872e4 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/asan_stack_buffer_overrun_in_netlink_gen_range @@ -0,0 +1,6 @@ +table ip test { + chain y { + redirect to :tcp dport map { 83 : 80/3, 84 :4 } + } +} + diff --git a/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert new file mode 100644 index 00000000..e8436008 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert @@ -0,0 +1,5 @@ +table ip t { + chain c { + oifname set ip9dscp << 26 | 0x10 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert b/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert new file mode 100644 index 00000000..0e75e6f1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/bitwise_masklen_assert @@ -0,0 +1,5 @@ +table inet t { + chain c { + udp length . @th,160,138 vmap { 47-63 . 0xe37313536313033&131303735353203 : accept } + } +} 
diff --git a/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow new file mode 100644 index 00000000..01640528 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow @@ -0,0 +1,6 @@ +table inet x { + chain nat_dns_acme { + udp length . @th,260,118 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, } + drop + } +} diff --git a/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free new file mode 100644 index 00000000..6a42aa90 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free @@ -0,0 +1,20 @@ +nt rootepep test- { +* : 1:3 } + element root tesip { +* : 1:3 } + elent rootsel s1 { + typ� elements < { "Linux" } + } +tatlet e t { + thataepep test- { +* : 1:3 } + element root tesip { +* : 1:3 }� table Cridgents < t { +list set y p + type i , { + sel s1 { + typ� elements < { "Linux" } + } +tatlet e t { + thatable Cridgents < t { +lis diff --git a/tests/shell/testcases/bogons/nft-f/counter_objref_crash b/tests/shell/testcases/bogons/nft-f/counter_objref_crash new file mode 100644 index 00000000..3a4b981b --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/counter_objref_crash @@ -0,0 +1,5 @@ +table inet x { + chain y { + counter name ip saddr bytes 1.1.1. 1024 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow b/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow new file mode 100644 index 00000000..18eb25eb --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow 
@@ -0,0 +1,14 @@ +table inet filter { + ct helper sip-5060u { + type "sip" protocol udp + l3proto ip + }5060t { + type "sip" protocol tcp + l3pownerip + } + + chain input { + type filtol/dev/stdinok input priority f)lser; policy accept; + ct helper set ip protocol . th dport map { udp . 1-20000 : "si60u", tcp . 10000-20000 : "sip-5060t" } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak new file mode 100644 index 00000000..014525a3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak @@ -0,0 +1,7 @@ +table ip filter { + ct timeout cttime { + protocol tcp + l3proto ip + policy = { estabQisheestablished : 2m3s, cd : 2m3s, } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree new file mode 100644 index 00000000..28b1a211 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_timeout_memleak_objfree @@ -0,0 +1,5 @@ +table ip filter { + ct timeout cttime { + protocol tcp + l3proto ip + policy = { close : 12s } diff --git a/tests/shell/testcases/bogons/nft-f/define_policy_assert b/tests/shell/testcases/bogons/nft-f/define_policy_assert new file mode 100644 index 00000000..f1e58b55 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/define_policy_assert @@ -0,0 +1,3 @@ +chain y x { priority filter +define p = foo +policy $p diff --git a/tests/shell/testcases/bogons/nft-f/delete_nonexistant_object_crash b/tests/shell/testcases/bogons/nft-f/delete_nonexistant_object_crash new file mode 100644 index 00000000..c369dec8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/delete_nonexistant_object_crash @@ -0,0 +1 @@ +delete quota a b diff --git a/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert b/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert new file mode 100644 index 00000000..b7a9a1cc --- /dev/null 
+++ b/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert @@ -0,0 +1,6 @@ +table inet t { + chain c { + udp length . @th,160,118 vmap { 47-63 . 0xe3731353631303331313037353532/3 : accept } + jump noexist # only here so this fails to load after patch. + } +} diff --git a/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges b/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges new file mode 100644 index 00000000..efaff9e5 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/dup_fwd_ranges @@ -0,0 +1,14 @@ +define dev = "1"-"2" + +table netdev t { + chain c { + fwd to 1-2 + dup to 1-2 + } +} + +table ip t { + chain c { + dup to 1-2 device $dev + } +} diff --git a/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix new file mode 100644 index 00000000..23c2dc31 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport set ip daddr map { 192.168.0.1 : 0x000/0001 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert b/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert new file mode 100644 index 00000000..43d72c4d --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/evaluate_conflict_resolution_gen_dependency_base_ll_hdr_assert @@ -0,0 +1,5 @@ +table ip6 t { + chain c { + ip6 nexthdr comp udp dport 4789 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug b/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug new file mode 100644 index 00000000..e307e7cc --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/exthdr_with_range_bug @@ -0,0 +1 @@ +add rule t c ip option ra set 0-1 
diff --git a/tests/shell/testcases/bogons/nft-f/flowtable-no-priority-crash b/tests/shell/testcases/bogons/nft-f/flowtable-no-priority-crash new file mode 100644 index 00000000..627e66d6 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/flowtable-no-priority-crash @@ -0,0 +1,5 @@ +table inet filter { + flowtable f { + devices = { lo } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash b/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash new file mode 100644 index 00000000..8d1da726 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash @@ -0,0 +1,5 @@ +table t { + chain c { + meta oifname^a^b^c^d^e^f^g^h^i^j^k^l^m^n^o^p^q^r^s^t^u^v^w^x^y^z^A^B^C^D^E^F^G^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z^0^1^2^3^4^5^6^7^8^9 bar + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert b/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert new file mode 100644 index 00000000..161f867d --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_name_assert @@ -0,0 +1,5 @@ +table inet x { + chain c { + udp length vmap { 1 : goto rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert b/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert new file mode 100644 index 00000000..3c2c0d3e --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_name_define_assert 
@@ -0,0 +1,7 @@ +define huge = rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr + +table t { + chain d { + jump $huge + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_prio b/tests/shell/testcases/bogons/nft-f/huge_chain_prio new file mode 100644 index 00000000..41f8061a --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_chain_prio @@ -0,0 +1,5 @@ +table t { + chain c { + type filter hook input priority srcnDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD#DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD; policy accept; + } +} diff --git a/tests/shell/testcases/bogons/nft-f/huge_shift_assert b/tests/shell/testcases/bogons/nft-f/huge_shift_assert new file mode 100644 index 00000000..7599f850 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/huge_shift_assert @@ -0,0 +1,5 @@ +table ip t { + chain c { + counter name meta mark >> 88888888888888888888 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert b/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert new file mode 100644 index 00000000..1fc85b29 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/icmp_reject_type_uint8_assert @@ -0,0 +1 @@ +rule t c reject with icmp 512 diff --git a/tests/shell/testcases/bogons/nft-f/include-device b/tests/shell/testcases/bogons/nft-f/include-device new file mode 100644 index 00000000..1eb79773 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/include-device 
@@ -0,0 +1 @@ +include "/dev/null" diff --git a/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert new file mode 100644 index 00000000..56f541a6 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert @@ -0,0 +1,13 @@ +table inet t { + map m2 { + typeof udp length . @ih,32,32 : verdict + elements = { + 1-10 . 0xa : drop } + } + + map m2 { + typeof udp length . @ih,32,32 : verdict + flags interval + elements = { 20-80 . 0x14 : accept } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert new file mode 100644 index 00000000..4637a4f9 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert @@ -0,0 +1,12 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { 1.168.0.4 } + } + + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.141.3.0/24 : 192.8.0.3 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert new file mode 100644 index 00000000..7205ff4f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert @@ -0,0 +1 @@ +xy mame ip saddr map h& p p diff --git a/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop b/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop new file mode 100644 index 00000000..514d6ffe --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop @@ -0,0 +1,12 @@ +table ip x { + map z { + type ipv4_addr : ipv4_addr + elements = { 1&.141.0.1 - 192.168.0.2} + } + + map z { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.141.0.0, * : 192.168.0.4 } + } +} 
diff --git a/tests/shell/testcases/bogons/nft-f/invalid_set_key_stmt_evaluate_nat_map_assert b/tests/shell/testcases/bogons/nft-f/invalid_set_key_stmt_evaluate_nat_map_assert new file mode 100644 index 00000000..d73dce8e --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_set_key_stmt_evaluate_nat_map_assert @@ -0,0 +1,10 @@ +table ip t { + map t2 { + typeof numgen inc mod 2 : ip daddr . 0 + } + + chain c { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto tcp dnat ip to numgen inc mod 2 map @t2 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/list_a_deleted_table_crash b/tests/shell/testcases/bogons/nft-f/list_a_deleted_table_crash new file mode 100644 index 00000000..b802430b --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/list_a_deleted_table_crash @@ -0,0 +1,3 @@ +table inet p +list table inet p +delete table inet p diff --git a/tests/shell/testcases/bogons/nft-f/malformed_map_expr_evaluate_mapping_assert b/tests/shell/testcases/bogons/nft-f/malformed_map_expr_evaluate_mapping_assert new file mode 100644 index 00000000..c77a9c33 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/malformed_map_expr_evaluate_mapping_assert @@ -0,0 +1,6 @@ +table ip x { + map m { + typeof ct saddr :ct expectation + elements = { * : none} + } +} diff --git a/tests/shell/testcases/bogons/nft-f/map_without_key b/tests/shell/testcases/bogons/nft-f/map_without_key new file mode 100644 index 00000000..78f16b23 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/map_without_key @@ -0,0 +1,5 @@ +table t { + map m { + elements = { 0x00000023 : 0x00001337 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash b/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash new file mode 100644 index 00000000..9f7084c8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash @@ -0,0 +1 @@ +bla to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 } bla 
diff --git a/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error b/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error new file mode 100644 index 00000000..6f52658f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/memleak_on_hookspec_error @@ -0,0 +1,21 @@ +table ip filter { + ct expectation ctexpect { + protocol tcp + size 12 + l3proto ip + } . inet_proto : mark + flags interval,timeout + } + + chain output { + type gilter hook output priori + + chain c { + cttable inet filter { + map test { + type mark . inet_service . inet_proto : mark + flags interval,timeout + } + + chain output { + type gilter hook output priority filuer; policy
\ No newline at end of file diff --git a/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath b/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath new file mode 100644 index 00000000..917e8bf8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/memleak_on_meta_set_errpath @@ -0,0 +1,5 @@ +table filter { + chain y { + meta seccark set ct secmark + } +} diff --git a/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert new file mode 100644 index 00000000..18c7edd1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert @@ -0,0 +1,7 @@ +table ip x { + chain y { + type nat hook postrouting priority srcnat; policy accept; + snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.1 } + } +} + diff --git a/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map b/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map new file mode 100644 index 00000000..b1302278 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/nat_stmt_with_set_instead_of_map @@ -0,0 +1,10 @@ +table inet x { + set y { + type ipv4_addr + elements = { 2.2.2.2, 3.3.3.3 } + } + + chain y { + snat ip to ip saddr map @y + } +} diff --git a/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert b/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert new file mode 100644 index 00000000..547b937f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert @@ -0,0 +1,6 @@ +table ip x { + map sctm_o1 { + type mark : counter + counter name meta mark + } +} diff --git a/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash new file mode 100644 index 00000000..16d3e41f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash 
@@ -0,0 +1 @@ +cPoR et ip dscp << 2>0 ,xl rt ipsec c0tt in tabl rt ipsec cl diff --git a/tests/shell/testcases/bogons/nft-f/null_deref_on_anon_chain_update_crash b/tests/shell/testcases/bogons/nft-f/null_deref_on_anon_chain_update_crash new file mode 100644 index 00000000..310486c5 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/null_deref_on_anon_chain_update_crash @@ -0,0 +1,8 @@ +table ip f { + chain c { + jump { + accept + } + } +} +a b index 1 10.1.26.a diff --git a/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert b/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert new file mode 100644 index 00000000..d880a377 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert @@ -0,0 +1,6 @@ +table t { + chain y { + type filter hook input priority filter; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "x*" } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert b/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert new file mode 100644 index 00000000..64bd596a --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert @@ -0,0 +1 @@ +x x comp nexthdr comp diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store b/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store new file mode 100644 index 00000000..c1358df4 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store @@ -0,0 +1 @@ +add rule f i @th,1,128 set 1 diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert b/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert new file mode 100644 index 00000000..f85a04e7 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_with_0_length_assert @@ -0,0 +1 @@ +add rule t c @th,0,0 0 
diff --git a/tests/shell/testcases/bogons/nft-f/range_expression_corruption b/tests/shell/testcases/bogons/nft-f/range_expression_corruption new file mode 100644 index 00000000..b77221bd --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/range_expression_corruption @@ -0,0 +1,2 @@ +aal tht@nh,32,3 set ctag| oi to ip + p sept ct l3proto map q -u dscp | ma
\ No newline at end of file diff --git a/tests/shell/testcases/bogons/nft-f/scope_underflow_assert b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert new file mode 100644 index 00000000..aee1dcbf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert @@ -0,0 +1,6 @@ +table t { + chain c { + jump{ + jump { + jump + diff --git a/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert b/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert new file mode 100644 index 00000000..59ef1ab3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert @@ -0,0 +1,12 @@ +table inet testifsets { + map map_wild { elements = { "abcdex*", + "othername", + "ppp0" } + } + map map_wild { + type ifname : verdict + flags interval + elements = { "abcdez*" : jump do_nothing, + "eth0" : jump do_nothing } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/set_without_key b/tests/shell/testcases/bogons/nft-f/set_without_key new file mode 100644 index 00000000..f194afbf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/set_without_key @@ -0,0 +1,5 @@ +table ip t { + set s { + elements = { 0x00000023-0x00000142, 0x00001337 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr new file mode 100644 index 00000000..8b0d2744 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr @@ -0,0 +1,5 @@ +table t { + chain c { + udp length . @th,0,512 . @th,512,512 { 47-63 . 0xe373135363130 . 0x33131303735353203 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr new file mode 100644 index 00000000..66bd6bf8 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr 
@@ -0,0 +1,5 @@ +table t { + chain c { + @th,160,1272 gt 0 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow b/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow new file mode 100644 index 00000000..ea7186bf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow @@ -0,0 +1,6 @@ +table t { +map m { + type ipv4_addr : classid + elements = { 1.1.26.3 : ::a } +} +} diff --git a/tests/shell/testcases/bogons/nft-f/tcp_option_without_template b/tests/shell/testcases/bogons/nft-f/tcp_option_without_template new file mode 100644 index 00000000..fd732fd3 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tcp_option_without_template @@ -0,0 +1 @@ +add rule f i tcp option nop length . @ih,32,3 1 diff --git a/tests/shell/testcases/bogons/nft-f/tproxy_ranges b/tests/shell/testcases/bogons/nft-f/tproxy_ranges new file mode 100644 index 00000000..1230860e --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tproxy_ranges @@ -0,0 +1,8 @@ +define range = 42-80 + +table t { + chain c { + tcp dport 42 tproxy to 192.168.0.1:$range + tcp dport 42 tproxy to 192.168.0.0/16 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/typeof_map_with_plain_integer_assert b/tests/shell/testcases/bogons/nft-f/typeof_map_with_plain_integer_assert new file mode 100644 index 00000000..f1dc12f6 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/typeof_map_with_plain_integer_assert @@ -0,0 +1,7 @@ +table ip t { + map m { + typeof ip saddr . meta mark . 0: verdict + flags interval + elements = { 127.0.0.1-127.0.0.4 . 0x00123434-0x00b00122 : accept } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert new file mode 100644 index 00000000..35eecf60 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert 
@@ -0,0 +1,5 @@ +table ip x { + chain y { + ip protocol . th dport { tcp / 22, udp . 67 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map new file mode 100644 index 00000000..3da16ce1 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_map @@ -0,0 +1,5 @@ +table ip x { + chain y { + meta mark set ip protocol . th dport map { tcp / 22 : 1234, udp . 67 : 1234 } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap new file mode 100644 index 00000000..f4dc273f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unhandled_key_type_13_assert_vmap @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip protocol . th dport vmap { tcp / 22 : accept, udp . 67 : drop } + } +} diff --git a/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert b/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert new file mode 100644 index 00000000..e6206736 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert @@ -0,0 +1,7 @@ +table ip x { + chain k { + meta mark set 0x001-3434 + ct mark set 0x001-3434 + tcp dport set 1-3 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal b/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal new file mode 100644 index 00000000..bb9632b0 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/use_after_free_on_chain_removal @@ -0,0 +1,5 @@ +delete chain d iUi { +}} +delete chain d hUi { +delete chain o +c b icmpv6 id$i diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert new file mode 100644 index 00000000..fe416f85 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename2_assert 
@@ -0,0 +1,5 @@ +table netdev x { + chain Main_Ingress1 { + type filter hook ingress device "" priority -1 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert new file mode 100644 index 00000000..84f33073 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert @@ -0,0 +1,5 @@ +table ip x { + chain Main_Ingress1 { + type filter hook ingress device""lo" priority -1 + } +} diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert new file mode 100644 index 00000000..2c3e6c3f --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert @@ -0,0 +1,5 @@ +table t { + flowtable f { + devices = { """"lo } + } +} diff --git a/tests/shell/testcases/bogons/nft-j-f/binop_rhs_decode_error_crash b/tests/shell/testcases/bogons/nft-j-f/binop_rhs_decode_error_crash new file mode 100644 index 00000000..8b5b7290 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/binop_rhs_decode_error_crash @@ -0,0 +1,76 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "<<": [ + { + "|": [ + { + "meta": { + "key": "mark" + } + }, + 16 + ] + }, + { }, + 8 + ] + } + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/bogons/nft-j-f/constant_expr_alloc_assert b/tests/shell/testcases/bogons/nft-j-f/constant_expr_alloc_assert new file mode 100644 index 00000000..9c400302 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/constant_expr_alloc_assert @@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "testchain", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "testmap", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + { + "jump": { + "target": "" + } + } + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/bogons/nft-j-f/ct_timeout_null_crash b/tests/shell/testcases/bogons/nft-j-f/ct_timeout_null_crash new file mode 100644 index 00000000..c8c662e9 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/ct_timeout_null_crash @@ -0,0 +1,54 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "c", + "handle": 0 + } + }, + { + "ct timeout": { + "family": "ip", + "name": "cttime", + "table": "filter", + "handle": 0, + "protocol": "Xcp", + "l3proto": "ip", + "policy": { + "established": 123, + "close": 12 + } + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "c", + "handle": 0, + "expr": [ + { + "ct timeout": "cttime" + } + ] + } + } + ] +} + diff --git a/tests/shell/testcases/bogons/nft-j-f/expr_evaluate_concat_empty_concat_key_assert b/tests/shell/testcases/bogons/nft-j-f/expr_evaluate_concat_empty_concat_key_assert new file mode 100644 index 00000000..956ecdc9 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/expr_evaluate_concat_empty_concat_key_assert 
@@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "table": { "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + ], + "elem": [ + { + "concat": [ + "foo", "bar" + ] + } + ] + } + } + ] +} + diff --git a/tests/shell/testcases/bogons/nft-j-f/list_a_destroyed_table_crash b/tests/shell/testcases/bogons/nft-j-f/list_a_destroyed_table_crash new file mode 100644 index 00000000..f06145c7 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/list_a_destroyed_table_crash @@ -0,0 +1,3 @@ +table t +list table t +destroy table t diff --git a/tests/shell/testcases/bogons/nft-j-f/reject_stmt_with_no_expression_crash b/tests/shell/testcases/bogons/nft-j-f/reject_stmt_with_no_expression_crash new file mode 100644 index 00000000..04c01aa7 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/reject_stmt_with_no_expression_crash @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "table": { "family": "ip", "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c", + "expr": [ + { + "reject": { + "type": "icmpv6", + "exprlimit": "port-unreachable" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/bogons/nft-j-f/set_with_single_value_concat_assert b/tests/shell/testcases/bogons/nft-j-f/set_with_single_value_concat_assert new file mode 100644 index 00000000..c99a2668 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/set_with_single_value_concat_assert @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "nftables", "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ "ifname" ], + "flags": [ "interval" ], + "elem": [ [] ] + } + } + ] +} 
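Review bot: `bogons/nft-j-f/list_a_destroyed_table_crash` is placed in the JSON bogons directory, but its three lines (`table t`, `list table t`, `destroy table t`) are native nft syntax rather than a `{"nftables": [...]}` document. If that directory is fed to nft with `-j -f`, as its name suggests, the run stops at the JSON parser and never reaches the list-then-destroy path the file name describes, so the reproducer would not exercise the crash it was added for. Either move the file to `bogons/nft-f/` or express the same `add`/`list`/`destroy` sequence as JSON commands. This is inferred from the directory naming; the runner that consumes these files is not visible here.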
diff --git a/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert b/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert new file mode 100644 index 00000000..e8a0f768 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert @@ -0,0 +1,34 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "stmt": [ + { + "notrack": null + } + ] + } + } + ] +} + diff --git a/tests/shell/testcases/cache/0008_delete_by_handle_0 b/tests/shell/testcases/cache/0008_delete_by_handle_0 index 529d6b85..0db4c693 100755 --- a/tests/shell/testcases/cache/0008_delete_by_handle_0 +++ b/tests/shell/testcases/cache/0008_delete_by_handle_0 @@ -16,7 +16,7 @@ $NFT add set t s { type ipv4_addr\; } HANDLE=`$NFT -a list ruleset | grep "set.*handle" | cut -d' ' -f6` $NFT delete set t handle $HANDLE -$NFT add flowtable t f { hook ingress priority 0\; } +$NFT add flowtable t f { hook ingress priority 0\; devices = { lo } \; } HANDLE=`$NFT -a list ruleset | grep "flowtable.*handle" | cut -d' ' -f6` $NFT delete flowtable t handle $HANDLE diff --git a/tests/shell/testcases/cache/0010_implicit_chain_0 b/tests/shell/testcases/cache/0010_implicit_chain_0 index 0ab0db95..834dc6e4 100755 --- a/tests/shell/testcases/cache/0010_implicit_chain_0 +++ b/tests/shell/testcases/cache/0010_implicit_chain_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding) + set -e EXPECTED="table ip f { diff --git a/tests/shell/testcases/cache/0011_index_0 b/tests/shell/testcases/cache/0011_index_0 index c9eb8683..76f2615d 100755 --- a/tests/shell/testcases/cache/0011_index_0 +++ b/tests/shell/testcases/cache/0011_index_0 
@@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_position_id) + set -e RULESET="flush ruleset diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft new file mode 100644 index 00000000..7a2eacdd --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft @@ -0,0 +1,142 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "test", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "3.3.3.3" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "2.2.2.2", + "4.4.4.4" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@test" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "2.2.2.2", + "4.4.4.4" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft b/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft new file mode 100644 index 00000000..5e2b9b42 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0002_interval_0.json-nft @@ -0,0 +1,36 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft b/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft new file mode 100644 index 00000000..e09a694c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0003_cache_update_0.json-nft 
@@ -0,0 +1,137 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t2", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t3", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "t4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t4", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "icmp" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "igmp" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t4", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft new file mode 100644 index 00000000..43898d33 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft @@ -0,0 +1,18 @@ +table ip t { + chain c { + } +} +table ip t2 { + chain c { + } +} +table ip t3 { +} +table ip t4 { + chain c { + meta l4proto icmp accept + drop + meta l4proto igmp accept + drop + } +} 
diff --git a/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft b/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft new file mode 100644 index 00000000..d1864f00 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0004_cache_update_0.json-nft @@ -0,0 +1,42 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "testfilter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testfilter", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "testfilter", + "chain": "test", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft new file mode 100644 index 00000000..4f5761bc --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft @@ -0,0 +1,5 @@ +table inet testfilter { + chain test { + counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft new file mode 100644 index 00000000..1c47d3ef --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft 
@@ -0,0 +1,77 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "mapping", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service", + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "map": "@mapping" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft new file mode 100644 index 00000000..8ab55a2c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft @@ -0,0 +1,14 @@ +table ip x { + map mapping { + type ipv4_addr : inet_service + size 65535 + flags dynamic,timeout + } + + chain y { + update @mapping { ip saddr : tcp sport } + } + + chain z { + } +} diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft new file mode 100644 index 00000000..1c47d3ef --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft 
@@ -0,0 +1,77 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "mapping", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service", + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "map": "@mapping" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft new file mode 100644 index 00000000..8ab55a2c --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft @@ -0,0 +1,14 @@ +table ip x { + map mapping { + type ipv4_addr : inet_service + size 65535 + flags dynamic,timeout + } + + chain y { + update @mapping { ip saddr : tcp sport } + } + + chain z { + } +} diff --git a/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft new file mode 100644 index 00000000..0968d8a4 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.json-nft 
@@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "first", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "second", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "comment": "third", + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.json-nft 
@@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft diff --git a/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft new file mode 100644 index 00000000..aba92c0e --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft @@ -0,0 +1,7 @@ +table ip f { + chain c { + jump { + accept + } + } +} diff --git a/tests/shell/testcases/cache/dumps/0011_index_0.json-nft b/tests/shell/testcases/cache/dumps/0011_index_0.json-nft new file mode 100644 index 00000000..46b2909f --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0011_index_0.json-nft 
@@ -0,0 +1,93 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1234 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4321 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1 index 80e243f0..1a8eaf68 100755 --- a/tests/shell/testcases/chains/0003jump_loop_1 +++ b/tests/shell/testcases/chains/0003jump_loop_1 @@ -5,8 +5,9 @@ set -e MAX_JUMPS=16 $NFT add table t +$NFT "add chain t c1 { type filter hook prerouting priority 0; }" -for i in $(seq 1 $MAX_JUMPS) +for i in $(seq 2 $MAX_JUMPS) do $NFT add chain t c${i} done diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1 index 5d3ef239..6000e5d7 100755 --- a/tests/shell/testcases/chains/0010endless_jump_loop_1 +++ b/tests/shell/testcases/chains/0010endless_jump_loop_1 @@ -3,7 +3,7 @@ set -e $NFT add table t -$NFT add chain t c +$NFT add chain "t c { type filter hook input priority 0; }" # kernel should return ELOOP $NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0 
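Review bot: The rewritten loop header `for i in $(seq 2 $MAX_JUMPS)` in 0003jump_loop_1 forks `seq` and leaves `$MAX_JUMPS` unquoted; since the file is `#!/bin/bash`, the arithmetic form `for ((i = 2; i <= MAX_JUMPS; i++)); do` does the same without a subprocess and without an unquoted expansion. The added `$NFT "add chain t c1 { type filter hook prerouting priority 0; }"` wraps the whole command in one argv word, whereas 0018check_jump_loop_1 in this same series quotes only the `"{ type filter hook input priority 0; }"` part; picking one of the two forms across the series would make the base-chain setup lines easier to grep for. The rest of 0003jump_loop_1 is outside the hunk.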
diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1 index d75932d7..66abf8d0 100755 --- a/tests/shell/testcases/chains/0011endless_jump_loop_1 +++ b/tests/shell/testcases/chains/0011endless_jump_loop_1 @@ -3,7 +3,7 @@ set -e $NFT add table t -$NFT add chain t c1 +$NFT add chain "t c1 { type filter hook forward priority 0; }" $NFT add chain t c2 $NFT add map t m {type inet_service : verdict \;} $NFT add element t m {2 : jump c2} diff --git a/tests/shell/testcases/chains/0014rename_0 b/tests/shell/testcases/chains/0014rename_0 index bebe48d6..bd84e957 100755 --- a/tests/shell/testcases/chains/0014rename_0 +++ b/tests/shell/testcases/chains/0014rename_0 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash $NFT add table t || exit 1 $NFT add chain t c1 || exit 1 diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1 index b87520f2..1e674d3d 100755 --- a/tests/shell/testcases/chains/0018check_jump_loop_1 +++ b/tests/shell/testcases/chains/0018check_jump_loop_1 @@ -3,7 +3,7 @@ set -e $NFT add table ip filter -$NFT add chain ip filter ap1 +$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }" $NFT add chain ip filter ap2 $NFT add rule ip filter ap1 jump ap2 diff --git a/tests/shell/testcases/chains/0021prio_0 b/tests/shell/testcases/chains/0021prio_0 index d450dc0b..ceda1558 100755 --- a/tests/shell/testcases/chains/0021prio_0 +++ b/tests/shell/testcases/chains/0021prio_0 @@ -69,7 +69,7 @@ done family=netdev echo "add table $family x" gen_chains $family ingress filter lo -gen_chains $family egress filter lo +[ "$NFT_TEST_HAVE_netdev_egress" != n ] && gen_chains $family egress filter lo family=bridge echo "add table $family x" 
@@ -83,3 +83,8 @@ gen_chains $family postrouting srcnat ) >$tmpfile $NFT -f $tmpfile + +if [ "$NFT_TEST_HAVE_netdev_egress" = n ]; then + echo "Ran a modified version of the test due to NFT_TEST_HAVE_netdev_egress=n" + exit 77 +fi diff --git a/tests/shell/testcases/chains/0023prio_inet_srcnat_1 b/tests/shell/testcases/chains/0023prio_inet_srcnat_1 index d2b1fa43..e4a668e1 100755 --- a/tests/shell/testcases/chains/0023prio_inet_srcnat_1 +++ b/tests/shell/testcases/chains/0023prio_inet_srcnat_1 @@ -2,7 +2,7 @@ for family in ip ip6 inet do - for hook in prerouting input forward output + for hook in prerouting forward output do $NFT add table $family x $NFT add chain $family x y "{ type filter hook $hook priority srcnat; }" &> /dev/null diff --git a/tests/shell/testcases/chains/0024prio_inet_dstnat_1 b/tests/shell/testcases/chains/0024prio_inet_dstnat_1 index d112f2c9..f1b802a0 100755 --- a/tests/shell/testcases/chains/0024prio_inet_dstnat_1 +++ b/tests/shell/testcases/chains/0024prio_inet_dstnat_1 @@ -2,7 +2,7 @@ for family in ip ip6 inet do - for hook in input forward output postrouting + for hook in input forward postrouting do $NFT add table $family x $NFT add chain $family x y "{ type filter hook $hook priority dstnat; }" &> /dev/null diff --git a/tests/shell/testcases/chains/0041chain_binding_0 b/tests/shell/testcases/chains/0041chain_binding_0 index 4b541bb5..141a4b6d 100755 --- a/tests/shell/testcases/chains/0041chain_binding_0 +++ b/tests/shell/testcases/chains/0041chain_binding_0 @@ -6,6 +6,11 @@ if [ $? -ne 1 ]; then exit 1 fi +if [ $NFT_TEST_HAVE_chain_binding = "n" ] ; then + echo "Test partially skipped due to NFT_TEST_HAVE_chain_binding=n" + exit 77 +fi + set -e EXPECTED="table inet x { diff --git a/tests/shell/testcases/chains/0042chain_variable_0 b/tests/shell/testcases/chains/0042chain_variable_0 index 58535f76..c5de495e 100755 --- a/tests/shell/testcases/chains/0042chain_variable_0 +++ b/tests/shell/testcases/chains/0042chain_variable_0 
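Review bot: The new guard in 0041chain_binding_0, `if [ $NFT_TEST_HAVE_chain_binding = "n" ] ; then`, leaves the variable unquoted, so when NFT_TEST_HAVE_chain_binding is unset or empty the test degenerates to `[ = n ]` and bash aborts with "unary operator expected" before the `set -e` section is ever reached. Quote it, `if [ "$NFT_TEST_HAVE_chain_binding" = n ]; then`, which is also the form the 0021prio_0 hunk in this same series uses for NFT_TEST_HAVE_netdev_egress. The surrounding file is outside the hunk.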
@@ -1,8 +1,11 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_multidevice) + set -e -ip link add name dummy0 type dummy +ip link add name d23456789012345 type dummy + EXPECTED="define if_main = \"lo\" @@ -14,24 +17,55 @@ table netdev filter1 { $NFT -f - <<< $EXPECTED + +EXPECTED="define if_main = \"lo\" + +table netdev filter2 { + chain Main_Ingress2 { + type filter hook ingress devices = { \$if_main, d23456789012345x } priority -500; policy accept; + } +}" + +rc=0 +$NFT -f - <<< $EXPECTED || rc=$? +test "$rc" = 1 +cat <<EOF | $DIFF -u <($NFT list ruleset) - +table netdev filter1 { + chain Main_Ingress1 { + type filter hook ingress device "lo" priority -500; policy accept; + } +} +EOF + + EXPECTED="define if_main = \"lo\" table netdev filter2 { chain Main_Ingress2 { - type filter hook ingress devices = { \$if_main, dummy0 } priority -500; policy accept; + type filter hook ingress devices = { \$if_main, d23456789012345 } priority -500; policy accept; } }" $NFT -f - <<< $EXPECTED -EXPECTED="define if_main = { lo, dummy0 } + +if [ "$NFT_TEST_HAVE_netdev_egress" = n ] ; then + echo "Skip parts of the test due to NFT_TEST_HAVE_netdev_egress=n" + exit 77 +fi + + +EXPECTED="define if_main = { lo, d23456789012345 } +define lan_interfaces = { lo } table netdev filter3 { chain Main_Ingress3 { type filter hook ingress devices = \$if_main priority -500; policy accept; } + chain Main_Egress3 { + type filter hook egress devices = \$lan_interfaces priority -500; policy accept; + } }" $NFT -f - <<< $EXPECTED - diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0 index bff46468..a6973b99 100755 --- a/tests/shell/testcases/chains/0043chain_ingress_0 +++ b/tests/shell/testcases/chains/0043chain_ingress_0 @@ -1,7 +1,8 @@ #!/bin/bash -set -e +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress) +set -e RULESET="table inet filter { chain ingress { type filter hook ingress device \"lo\" priority filter; policy accept; 
@@ -14,11 +15,5 @@ RULESET="table inet filter {
 }
 }"
 
-# Test auto-removal of chain hook on netns removal
-unshare -n bash -c "ip link add br0 type bridge; \
- $NFT add table netdev test; \
- $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \
-" || exit 1
-
 $NFT -f - <<< "$RULESET" && exit 0
 exit 1
diff --git a/tests/shell/testcases/chains/0044chain_destroy_0 b/tests/shell/testcases/chains/0044chain_destroy_0
new file mode 100755
index 00000000..5c5a10a7
--- /dev/null
+++ b/tests/shell/testcases/chains/0044chain_destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table t
+
+# pass for non-existent chain
+$NFT destroy chain t c
+
+# successfully delete existing chain
+$NFT add chain t c
+$NFT destroy chain t c
diff --git a/tests/shell/testcases/chains/dumps/0001jumps_0.json-nft b/tests/shell/testcases/chains/dumps/0001jumps_0.json-nft
new file mode 100644
index 00000000..ceef3224
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0001jumps_0.json-nft
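Review bot: `#!/bin/bash -e` in the new 0044chain_destroy_0 puts errexit in the shebang, where it is silently dropped whenever the harness runs the file as `bash 0044chain_destroy_0` instead of executing it directly; in that case a failing `$NFT destroy chain t c` on the non-existent chain would not fail the test, which is exactly the behaviour the comment says it checks. The sibling tests touched in this series (0010_implicit_chain_0, 0011_index_0, 0043chain_ingress_0) all use a plain `#!/bin/bash` followed by `set -e`; use the same two lines here, `#!/bin/bash` then `set -e` after the NFT_TEST_REQUIRES marker, so the expected-success checks are enforced either way.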
@@ -0,0 +1,371 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c5", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c7", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c11", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c12", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c13", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c14", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c15", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c16", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c3" + } + } + ] + } + }, + { + "rule": { + "family": 
"ip", + "table": "t", + "chain": "c3", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c4", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c5" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c5", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c6" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c6", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c7" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c7", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c8" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c10" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c10", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c11" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c11", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c12" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c12", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c13" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c13", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c14" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c14", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c15" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c15", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c16" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/chains/dumps/0002jumps_1.json-nft b/tests/shell/testcases/chains/dumps/0002jumps_1.json-nft new file mode 100644 index 00000000..66f921a0 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0002jumps_1.json-nft 
@@ -0,0 +1,383 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c5", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c7", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c11", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c12", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c13", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c14", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c15", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c16", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c17", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { 
+ "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c3" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c3", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c4", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c5" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c5", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c6" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c6", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c7" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c7", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c8" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c10" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c10", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c11" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c11", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c12" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c12", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c13" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c13", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c14" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c14", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c15" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c15", + "handle": 
0, + "expr": [ + { + "jump": { + "target": "c16" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0002jumps_1.nft b/tests/shell/testcases/chains/dumps/0002jumps_1.nft new file mode 100644 index 00000000..ed37ad0e --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0002jumps_1.nft @@ -0,0 +1,68 @@ +table ip t { + chain c1 { + type filter hook input priority filter; policy accept; + jump c2 + } + + chain c2 { + jump c3 + } + + chain c3 { + jump c4 + } + + chain c4 { + jump c5 + } + + chain c5 { + jump c6 + } + + chain c6 { + jump c7 + } + + chain c7 { + jump c8 + } + + chain c8 { + jump c9 + } + + chain c9 { + jump c10 + } + + chain c10 { + jump c11 + } + + chain c11 { + jump c12 + } + + chain c12 { + jump c13 + } + + chain c13 { + jump c14 + } + + chain c14 { + jump c15 + } + + chain c15 { + jump c16 + } + + chain c16 { + } + + chain c17 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft new file mode 100644 index 00000000..d197e123 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft 
@@ -0,0 +1,375 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c5", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c7", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c11", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c12", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c13", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c14", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c15", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c16", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + 
"jump": { + "target": "c3" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c3", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c4", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c5" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c5", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c6" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c6", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c7" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c7", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c8" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c10" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c10", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c11" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c11", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c12" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c12", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c13" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c13", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c14" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c14", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c15" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c15", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c16" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft new file mode 100644 index 00000000..8d89bc40 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft @@ -0,0 +1,65 @@ +table ip t { + chain c1 { + type filter hook prerouting priority filter; policy accept; + jump c2 + } + + chain c2 { + jump c3 + } + + chain c3 { + jump c4 + } + + chain c4 { + jump c5 + } + + chain c5 { + jump c6 + } + + chain c6 { + jump c7 + } + + chain c7 { + jump c8 + } + + chain c8 { + jump c9 + } + + chain c9 { + jump c10 + } + + chain c10 { + jump c11 + } + + chain c11 { + jump c12 + } + + chain c12 { + jump c13 + } + + chain c13 { + jump c14 + } + + chain c14 { + jump c15 + } + + chain c15 { + jump c16 + } + + chain c16 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0004busy_1.json-nft b/tests/shell/testcases/chains/dumps/0004busy_1.json-nft new file mode 100644 index 00000000..314245ff --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0004busy_1.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0004busy_1.nft b/tests/shell/testcases/chains/dumps/0004busy_1.nft new file mode 100644 index 00000000..429dd494 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0004busy_1.nft @@ -0,0 +1,8 @@ +table ip t { + chain c1 { + jump c2 + } + + chain c2 { + } +} 
diff --git a/tests/shell/testcases/chains/dumps/0005busy_map_1.json-nft b/tests/shell/testcases/chains/dumps/0005busy_map_1.json-nft new file mode 100644 index 00000000..ce776822 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0005busy_map_1.json-nft @@ -0,0 +1,66 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 1, + { + "jump": { + "target": "c2" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0005busy_map_1.nft b/tests/shell/testcases/chains/dumps/0005busy_map_1.nft new file mode 100644 index 00000000..acf23183 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0005busy_map_1.nft @@ -0,0 +1,8 @@ +table ip t { + chain c1 { + tcp dport vmap { 1 : jump c2 } + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0006masquerade_0.json-nft b/tests/shell/testcases/chains/dumps/0006masquerade_0.json-nft new file mode 100644 index 00000000..b6fc221f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0006masquerade_0.json-nft 
@@ -0,0 +1,43 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0007masquerade_1.json-nft b/tests/shell/testcases/chains/dumps/0007masquerade_1.json-nft new file mode 100644 index 00000000..98b51044 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0007masquerade_1.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0007masquerade_1.nft b/tests/shell/testcases/chains/dumps/0007masquerade_1.nft new file mode 100644 index 00000000..b25355f7 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0007masquerade_1.nft @@ -0,0 +1,5 @@ +table ip t { + chain c1 { + type filter hook output priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.json-nft b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.json-nft new file mode 100644 index 00000000..3215496f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.json-nft 
@@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "output", + "handle": 0, + "type": "nat", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft new file mode 100644 index 00000000..49910711 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft @@ -0,0 +1,9 @@ +table ip t { + chain output { + type nat hook output priority filter; policy accept; + } + + chain c1 { + masquerade + } +} diff --git a/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.json-nft b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.json-nft new file mode 100644 index 00000000..3215496f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "output", + "handle": 0, + "type": "nat", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft new file mode 100644 index 00000000..49910711 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft @@ -0,0 +1,9 @@ +table ip t { + chain output { + type nat hook output priority filter; policy accept; + } + + chain c1 { + masquerade + } +} diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft new file mode 100644 index 00000000..af99873d --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft new file mode 100644 index 00000000..62fefaff --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + type filter hook input priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft new file mode 100644 index 00000000..75a4d895 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft 
@@ -0,0 +1,79 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "elem": [ + [ + 2, + { + "jump": { + "target": "c2" + } + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@m" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft new file mode 100644 index 00000000..d35736e8 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft @@ -0,0 +1,14 @@ +table ip t { + map m { + type inet_service : verdict + elements = { 2 : jump c2 } + } + + chain c1 { + type filter hook forward priority filter; policy accept; + tcp dport vmap @m + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0013rename_0.json-nft b/tests/shell/testcases/chains/dumps/0013rename_0.json-nft new file mode 100644 index 00000000..f89c455a --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0013rename_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/chains/dumps/0014rename_0.json-nft b/tests/shell/testcases/chains/dumps/0014rename_0.json-nft new file mode 100644 index 00000000..f4c6855e --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0014rename_0.json-nft @@ -0,0 +1,34 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0014rename_0.nft b/tests/shell/testcases/chains/dumps/0014rename_0.nft new file mode 100644 index 00000000..574c4863 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0014rename_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c1 { + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.json-nft new file mode 100644 index 00000000..314245ff --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft new file mode 100644 index 00000000..429dd494 --- /dev/null 
+++ b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft @@ -0,0 +1,8 @@ +table ip t { + chain c1 { + jump c2 + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0016delete_handle_0.json-nft b/tests/shell/testcases/chains/dumps/0016delete_handle_0.json-nft new file mode 100644 index 00000000..ca1311db --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0016delete_handle_0.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test-ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test-ip", + "name": "z", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test-ip6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test-ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test-ip6", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.json-nft b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.json-nft new file mode 100644 index 00000000..b368c23a --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.json-nft 
@@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 4, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "input", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft new file mode 100644 index 00000000..636e8440 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft @@ -0,0 +1,9 @@ +table ip t { + chain input { + type filter hook input priority filter + 4; policy accept; + jump c1 + } + + chain c1 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft new file mode 100644 index 00000000..ac7e1199 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "ap1", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "ap2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "ap1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "ap2" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft new file mode 100644 index 00000000..bdd0ead7 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft @@ -0,0 +1,9 @@ +table ip filter { + chain ap1 { + type filter hook input priority filter; policy accept; + jump ap2 + } + + chain ap2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.json-nft b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.json-nft new file mode 100644 index 00000000..c164ffb8 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.json-nft @@ -0,0 +1,70 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 4, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + { + "jump": { + "target": "c1" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft new file mode 100644 index 00000000..81cf9cc7 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft @@ -0,0 +1,9 @@ +table ip t { + chain input { + type filter hook input priority filter + 4; policy accept; + ip saddr vmap { 1.1.1.1 : jump c1 } + } + + chain c1 { + } +} 
diff --git a/tests/shell/testcases/chains/dumps/0020depth_1.json-nft b/tests/shell/testcases/chains/dumps/0020depth_1.json-nft new file mode 100644 index 00000000..31bc2b13 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0020depth_1.json-nft 
@@ -0,0 +1,475 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a0", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a5", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a6", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a7", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a11", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a12", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a13", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a14", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a15", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a16", 
+ "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a17", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a18", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "a19", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a0", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a2", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a3" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a3", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a4" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a4", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a5" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a5", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a6" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a6", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a7" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a7", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a8" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a10" + } + } + ] + } + }, + 
{ + "rule": { + "family": "ip", + "table": "filter", + "chain": "a11", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a12" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a12", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a13" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a13", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a14" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a14", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a15" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a15", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a16" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a16", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a17" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a17", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a18" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "a18", + "handle": 0, + "expr": [ + { + "jump": { + "target": "a19" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0020depth_1.nft b/tests/shell/testcases/chains/dumps/0020depth_1.nft new file mode 100644 index 00000000..422c3952 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0020depth_1.nft 
@@ -0,0 +1,84 @@
+table ip filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump a1
+ }
+
+ chain a0 {
+ jump a1
+ }
+
+ chain a1 {
+ jump a2
+ }
+
+ chain a2 {
+ jump a3
+ }
+
+ chain a3 {
+ jump a4
+ }
+
+ chain a4 {
+ jump a5
+ }
+
+ chain a5 {
+ jump a6
+ }
+
+ chain a6 {
+ jump a7
+ }
+
+ chain a7 {
+ jump a8
+ }
+
+ chain a8 {
+ jump a9
+ }
+
+ chain a9 {
+ jump a10
+ }
+
+ chain a10 {
+ }
+
+ chain a11 {
+ jump a12
+ }
+
+ chain a12 {
+ jump a13
+ }
+
+ chain a13 {
+ jump a14
+ }
+
+ chain a14 {
+ jump a15
+ }
+
+ chain a15 {
+ jump a16
+ }
+
+ chain a16 {
+ jump a17
+ }
+
+ chain a17 {
+ jump a18
+ }
+
+ chain a18 {
+ jump a19
+ }
+
+ chain a19 {
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0021prio_0.json-nft b/tests/shell/testcases/chains/dumps/0021prio_0.json-nft
new file mode 100644
index 00000000..1a3e1161
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0021prio_0.json-nft
@@ -0,0 +1,4743 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingraw", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmangle", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingmanglep11", + 
"handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilter", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + 
"family": "ip", + "table": "x", + "name": "inputrawm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputrawm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputraw", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputrawp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputrawp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmanglem11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmanglem10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmangle", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmanglep10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputmanglep11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": 
"inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecurity", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "inputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardrawm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardrawm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardraw", + "handle": 0, + "type": 
"filter", + "hook": "forward", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardrawp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardrawp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmanglem11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmanglem10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmangle", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmanglep10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardmanglep11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilterm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilterm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilter", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilterp10", + "handle": 0, + "type": 
"filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardfilterp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecuritym11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecuritym10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecurity", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecurityp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "forwardsecurityp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputrawm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputrawm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputraw", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputrawp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputrawp11", + "handle": 0, + "type": "filter", + "hook": 
"output", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmanglem11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmanglem10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmangle", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmanglep10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputmanglep11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 
39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecurity", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "outputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingraw", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmanglem10", + "handle": 0, + "type": 
"filter", + "hook": "postrouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmangle", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilter", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + 
"family": "ip", + "table": "x", + "name": "postroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnatm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -111, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnatm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnat", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnatp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "preroutingdstnatp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -89, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnatm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 89, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnatm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnat", + "handle": 0, + "type": "filter", + "hook": 
"postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnatp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "postroutingsrcnatp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 111, + "policy": "accept" + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingraw", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmangle", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -150, + "policy": 
"accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilter", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecurityp10", + 
"handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputrawm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputrawm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputraw", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputrawp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputrawp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmanglem11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmanglem10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmangle", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmanglep10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputmanglep11", + "handle": 0, + "type": 
"filter", + "hook": "input", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecurity", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "inputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardrawm11", + "handle": 0, + "type": "filter", + "hook": "forward", + 
"prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardrawm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardraw", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardrawp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardrawp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmanglem11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmanglem10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmangle", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmanglep10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardmanglep11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilterm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilterm10", + "handle": 0, + "type": "filter", + "hook": 
"forward", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilter", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilterp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardfilterp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecuritym11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecuritym10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecurity", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecurityp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "forwardsecurityp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputrawm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputrawm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputraw", + "handle": 0, + "type": "filter", + "hook": 
"output", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputrawp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputrawp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmanglem11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmanglem10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmangle", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmanglep10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputmanglep11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + 
"prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecurity", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "outputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingraw", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingrawp11", + "handle": 0, + "type": "filter", 
+ "hook": "postrouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmangle", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilter", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + 
"family": "ip6", + "table": "x", + "name": "postroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnatm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -111, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnatm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnat", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnatp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "preroutingdstnatp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -89, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnatm11", + "handle": 0, + "type": 
"filter", + "hook": "postrouting", + "prio": 89, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnatm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnat", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnatp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "postroutingsrcnatp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 111, + "policy": "accept" + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingraw", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + 
"prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmangle", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilter", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + 
"name": "preroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputrawm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputrawm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputraw", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputrawp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputrawp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmanglem11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmanglem10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + 
"table": "x", + "name": "inputmangle", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmanglep10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputmanglep11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecurity", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": 
"inputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "inputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardrawm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardrawm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardraw", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardrawp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardrawp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmanglem11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmanglem10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmangle", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardmanglep10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + 
"name": "forwardmanglep11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilterm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilterm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilter", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilterp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardfilterp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecuritym11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecuritym10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecurity", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecurityp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "forwardsecurityp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": 
"inet", + "table": "x", + "name": "outputrawm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputrawm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputraw", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputrawp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputrawp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmanglem11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmanglem10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmangle", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmanglep10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputmanglep11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", 
+ "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecuritym11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecuritym10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecurity", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecurityp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "outputsecurityp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingrawm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingrawm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + 
"family": "inet", + "table": "x", + "name": "postroutingraw", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingrawp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingrawp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmanglem11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -161, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmanglem10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -160, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmangle", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -150, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmanglep10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingmanglep11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -139, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilter", + "handle": 0, + 
"type": "filter", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecuritym11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 39, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecuritym10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 40, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecurity", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 50, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecurityp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 60, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsecurityp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 61, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnatm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -111, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnatm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -110, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnat", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, 
+ { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnatp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "preroutingdstnatp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -89, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnatm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 89, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnatm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 90, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnat", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnatp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "postroutingsrcnatp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 111, + "policy": "accept" + } + }, + { + "table": { + "family": "arp", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + 
"name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "arp", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 11, + "policy": "accept" + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilterm11", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilterm10", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilter", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilterp10", + "handle": 0, + "dev": "lo", + "type": 
"filter", + "hook": "ingress", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "ingressfilterp11", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": 11, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilterm11", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": -11, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilterm10", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": -10, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilter", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilterp10", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "egressfilterp11", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": 11, + "policy": "accept" + } + }, + { + "table": { + "family": "bridge", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilter", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": 
"preroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingfilterp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilterm11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilterm10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilter", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilterp10", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "inputfilterp11", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilterm11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilterm10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilter", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "forwardfilterp10", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + 
"family": "bridge", + "table": "x", + "name": "forwardfilterp11", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilterm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilterm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilter", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilterp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputfilterp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilterm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -211, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilterm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -210, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilter", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -200, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilterp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -190, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingfilterp11", + "handle": 0, + "type": "filter", + 
"hook": "postrouting", + "prio": -189, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnatm11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -311, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnatm10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -310, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnat", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnatp10", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "preroutingdstnatp11", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -289, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputoutm11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 89, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputoutm10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 90, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputout", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 100, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputoutp10", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "outputoutp11", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 111, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": 
"postroutingsrcnatm11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 289, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnatm10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 290, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnat", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 300, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnatp10", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 310, + "policy": "accept" + } + }, + { + "chain": { + "family": "bridge", + "table": "x", + "name": "postroutingsrcnatp11", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 311, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0022prio_dummy_1.json-nft b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.json-nft b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.json-nft new file mode 100644 index 00000000..72e0d438 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.json-nft 
@@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft new file mode 100644 index 00000000..46912eaa --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft @@ -0,0 +1,6 @@ +table ip x { +} +table ip6 x { +} +table inet x { +} diff --git a/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.json-nft b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.json-nft new file mode 100644 index 00000000..72e0d438 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft new file mode 100644 index 00000000..46912eaa --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft @@ -0,0 +1,6 @@ +table ip x { +} +table ip6 x { +} +table inet x { +} diff --git a/tests/shell/testcases/chains/dumps/0025prio_arp_1.json-nft b/tests/shell/testcases/chains/dumps/0025prio_arp_1.json-nft new file mode 100644 index 00000000..17410e32 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0025prio_arp_1.json-nft 
@@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "arp", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft b/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft new file mode 100644 index 00000000..7483cdaa --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft @@ -0,0 +1,2 @@ +table arp x { +} diff --git a/tests/shell/testcases/chains/dumps/0026prio_netdev_1.json-nft b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.json-nft new file mode 100644 index 00000000..7d78bd67 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft new file mode 100644 index 00000000..aa571e00 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft @@ -0,0 +1,2 @@ +table netdev x { +} diff --git a/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.json-nft b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.json-nft new file mode 100644 index 00000000..af6ff0a4 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "x", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft new file mode 100644 index 00000000..d17be818 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft @@ -0,0 +1,2 @@ +table bridge x { +} diff --git a/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.json-nft b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.json-nft new file mode 100644 index 00000000..af6ff0a4 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft new file mode 100644 index 00000000..d17be818 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft @@ -0,0 +1,2 @@ +table bridge x { +} diff --git a/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.json-nft b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.json-nft new file mode 100644 index 00000000..af6ff0a4 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft new file mode 100644 index 00000000..d17be818 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft @@ -0,0 +1,2 @@ +table bridge x { +} 
diff --git a/tests/shell/testcases/chains/dumps/0030create_0.json-nft b/tests/shell/testcases/chains/dumps/0030create_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0030create_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0031priority_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0031priority_variable_0.json-nft new file mode 100644 index 00000000..9572eda3 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0031priority_variable_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "global", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0032priority_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0032priority_variable_0.json-nft new file mode 100644 index 00000000..3044a668 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0032priority_variable_0.json-nft 
@@ -0,0 +1,54 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "global", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "postrouting", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": -10, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0033priority_variable_1.json-nft b/tests/shell/testcases/chains/dumps/0033priority_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0033priority_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft b/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft diff --git a/tests/shell/testcases/chains/dumps/0034priority_variable_1.json-nft b/tests/shell/testcases/chains/dumps/0034priority_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0034priority_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} 
diff --git a/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft b/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft diff --git a/tests/shell/testcases/chains/dumps/0035policy_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0035policy_variable_0.json-nft new file mode 100644 index 00000000..9572eda3 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0035policy_variable_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "global", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0036policy_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0036policy_variable_0.json-nft new file mode 100644 index 00000000..fc688463 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0036policy_variable_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "global", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "global", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "drop" + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0026policy_variable_0.nft b/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft index d729e1ea..d729e1ea 100644 --- a/tests/shell/testcases/nft-f/dumps/0026policy_variable_0.nft +++ b/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft 
diff --git a/tests/shell/testcases/chains/dumps/0037policy_variable_1.json-nft b/tests/shell/testcases/chains/dumps/0037policy_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0037policy_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft b/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft diff --git a/tests/shell/testcases/chains/dumps/0038policy_variable_1.json-nft b/tests/shell/testcases/chains/dumps/0038policy_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0038policy_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft b/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft diff --git a/tests/shell/testcases/chains/dumps/0039negative_priority_0.json-nft b/tests/shell/testcases/chains/dumps/0039negative_priority_0.json-nft new file mode 100644 index 00000000..94218a8d --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0039negative_priority_0.json-nft 
@@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -30, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft b/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft new file mode 100644 index 00000000..20f8272a --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + type filter hook input priority -30; policy accept; + } +} diff --git a/tests/shell/testcases/chains/dumps/0042chain_variable_0.json-nft b/tests/shell/testcases/chains/dumps/0042chain_variable_0.json-nft new file mode 100644 index 00000000..4059e85b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0042chain_variable_0.json-nft 
@@ -0,0 +1,90 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "filter1", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "filter1", + "name": "Main_Ingress1", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": -500, + "policy": "accept" + } + }, + { + "table": { + "family": "netdev", + "name": "filter2", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "filter2", + "name": "Main_Ingress2", + "handle": 0, + "dev": [ + "d23456789012345", + "lo" + ], + "type": "filter", + "hook": "ingress", + "prio": -500, + "policy": "accept" + } + }, + { + "table": { + "family": "netdev", + "name": "filter3", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "filter3", + "name": "Main_Ingress3", + "handle": 0, + "dev": [ + "d23456789012345", + "lo" + ], + "type": "filter", + "hook": "ingress", + "prio": -500, + "policy": "accept" + } + }, + { + "chain": { + "family": "netdev", + "table": "filter3", + "name": "Main_Egress3", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "egress", + "prio": -500, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft index 12931aad..84a908d3 100644 --- a/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft +++ b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft 
@@ -5,11 +5,15 @@ table netdev filter1 { } table netdev filter2 { chain Main_Ingress2 { - type filter hook ingress devices = { dummy0, lo } priority -500; policy accept; + type filter hook ingress devices = { d23456789012345, lo } priority -500; policy accept; } } table netdev filter3 { chain Main_Ingress3 { - type filter hook ingress devices = { dummy0, lo } priority -500; policy accept; + type filter hook ingress devices = { d23456789012345, lo } priority -500; policy accept; + } + + chain Main_Egress3 { + type filter hook egress device "lo" priority -500; policy accept; } } diff --git a/tests/shell/testcases/chains/dumps/0043chain_ingress_0.json-nft b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.json-nft new file mode 100644 index 00000000..6753658e --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.json-nft @@ -0,0 +1,55 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ingress", + "handle": 0, + "dev": "lo", + "type": "filter", + "hook": "ingress", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0043chain_ingress.nft b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft index 74670423..8483b265 100644 --- a/tests/shell/testcases/chains/dumps/0043chain_ingress.nft +++ b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft 
@@ -1,10 +1,12 @@ table inet filter { chain ingress { - type filter hook ingress device \"lo\" priority filter; policy accept; + type filter hook ingress device "lo" priority filter; policy accept; } + chain input { type filter hook input priority filter; policy accept; } + chain forward { type filter hook forward priority filter; policy accept; } diff --git a/tests/shell/testcases/chains/dumps/0044chain_destroy_0.json-nft b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/chains/dumps/jump_to_base_chain.nodump b/tests/shell/testcases/chains/dumps/jump_to_base_chain.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/jump_to_base_chain.nodump diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft new file mode 100644 index 00000000..7d78bd67 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft new file mode 100644 index 00000000..aa571e00 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft @@ -0,0 +1,2 @@ +table netdev x { +} diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.json-nft b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_dev_addremove.nodump b/tests/shell/testcases/chains/dumps/netdev_chain_dev_addremove.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_dev_addremove.nodump diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_dev_gone.nodump b/tests/shell/testcases/chains/dumps/netdev_chain_dev_gone.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_dev_gone.nodump diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.json-nft b/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.json-nft new file mode 100644 index 00000000..9151d42f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.json-nft 
@@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "test", + "handle": 0, + "flags": "dormant" + } + }, + { + "chain": { + "family": "netdev", + "table": "test", + "name": "ingress", + "handle": 0, + "dev": "dummy1", + "type": "filter", + "hook": "ingress", + "prio": 0, + "policy": "drop" + } + } + ] +} diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.nft b/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.nft new file mode 100644 index 00000000..aad7cb63 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_dormant_autoremove.nft @@ -0,0 +1,7 @@ +table netdev test { + flags dormant + + chain ingress { + type filter hook ingress device "dummy1" priority filter; policy drop; + } +} diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_multidev_gone.nodump b/tests/shell/testcases/chains/dumps/netdev_chain_multidev_gone.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_multidev_gone.nodump diff --git a/tests/shell/testcases/chains/dumps/netdev_multidev_netns_gone.nodump b/tests/shell/testcases/chains/dumps/netdev_multidev_netns_gone.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_multidev_netns_gone.nodump diff --git a/tests/shell/testcases/chains/dumps/netdev_netns_gone.nodump b/tests/shell/testcases/chains/dumps/netdev_netns_gone.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_netns_gone.nodump diff --git a/tests/shell/testcases/chains/jump_to_base_chain b/tests/shell/testcases/chains/jump_to_base_chain new file mode 100755 index 00000000..d71da4cf --- /dev/null +++ b/tests/shell/testcases/chains/jump_to_base_chain 
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+$NFT -f - <<EOF
+table t {
+ chain i {
+ type filter hook input priority 0
+ }
+
+ chain o {
+ type filter hook output priority 0
+ jump c
+ }
+
+ chain c {
+ jump i
+ }
+}
+EOF
+
+if [ $? -eq 0 ];then
+ echo "E: Accepted jump to a base chain"
+ exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/chains/netdev_chain_0 b/tests/shell/testcases/chains/netdev_chain_0
new file mode 100755
index 00000000..f2eae6a1
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_0
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_without_device)
+
+set -e
+
+iface_cleanup() {
+ ip link del d0 &>/dev/null || :
+ ip link del d1 &>/dev/null || :
+ ip link del d2 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add d0 type dummy
+ip link add d1 type dummy
+ip link add d2 type dummy
+
+RULESET="table netdev x {
+ chain y {
+ type filter hook ingress priority 0; policy accept;
+ }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+$NFT add chain netdev x y '{ devices = { d0 }; }'
+$NFT add chain netdev x y '{ devices = { d1, d2, lo }; }'
+$NFT delete chain netdev x y '{ devices = { lo }; }'
+$NFT delete chain netdev x y
diff --git a/tests/shell/testcases/chains/netdev_chain_autoremove b/tests/shell/testcases/chains/netdev_chain_autoremove
new file mode 100755
index 00000000..21f3ad29
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_autoremove
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# Test auto-removal of chain hook on netns removal
+unshare -n bash -e -c "ip link add br0 type bridge; \
+ $NFT add table netdev test; \
+ $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \
+"
diff --git a/tests/shell/testcases/chains/netdev_chain_dev_addremove b/tests/shell/testcases/chains/netdev_chain_dev_addremove
new file mode 100755
index 00000000..6103e82b
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_dev_addremove
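Review bot: netdev_chain_autoremove expands `$NFT` inside the double-quoted string handed to `bash -e -c`, so the inner shell re-parses whatever the harness put in NFT; that is fine for a plain path or a space-separated wrapper command, but it would break on a value containing quotes or other shell metacharacters. If the runner exports NFT, a single-quoted command string (`'ip link add br0 type bridge; $NFT add table netdev test; ...'`) lets the inner bash expand it as a variable and also removes the need for the `\"br0\"` escaping, since `device d0` is accepted unquoted elsewhere in this series (netdev_move_device). A one-line comment explaining why `unshare -n` is the whole test (the hook must disappear with the namespace, and the expected dump is an empty ruleset) would make the intent clearer to the next reader.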
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress)
+
+set -e
+
+read taint < /proc/sys/kernel/tainted
+if [ "$taint" -ne 0 ]; then
+ echo "Kernel already tainted up front."
+ exit 77
+fi
+
+iface_cleanup() {
+ ip link del d0 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+
+load_rules()
+{
+$NFT -f - <<EOF
+add table netdev nm-mlag-dummy0
+add set netdev nm-mlag-dummy0 macset-tagged { typeof ether saddr . vlan id; size 65535; flags dynamic,timeout; }
+add set netdev nm-mlag-dummy0 macset-untagged { typeof ether saddr; size 65535; flags dynamic,timeout; }
+add chain netdev nm-mlag-dummy0 tx-snoop-source-mac { type filter hook egress devices = { dummy0 } priority filter; policy accept; }
+add rule netdev nm-mlag-dummy0 tx-snoop-source-mac update @macset-tagged { ether saddr . vlan id timeout 5s } return
+add rule netdev nm-mlag-dummy0 tx-snoop-source-mac update @macset-untagged { ether saddr timeout 5s }
+add chain netdev nm-mlag-dummy0 rx-drop-looped-packets { type filter hook ingress devices = { dummy0 } priority filter; policy accept; }
+add rule netdev nm-mlag-dummy0 rx-drop-looped-packets ether saddr . vlan id @macset-tagged drop
+add rule netdev nm-mlag-dummy0 rx-drop-looped-packets ether type 8021q return
+add rule netdev nm-mlag-dummy0 rx-drop-looped-packets ether saddr @macset-untagged drop
+EOF
+}
+
+for i in $(seq 1 500);do
+ ip link add dummy0 type dummy
+ load_rules
+
+ # zap ruleset and down device at same time
+ $NFT flush ruleset &
+ ip link del dummy0 &
+ wait
+
+ read taint < /proc/sys/kernel/tainted
+ if [ "$taint" -ne 0 ]; then
+ exit 1
+ fi
+done
+
+exit 0
diff --git a/tests/shell/testcases/chains/netdev_chain_dev_gone b/tests/shell/testcases/chains/netdev_chain_dev_gone
new file mode 100755
index 00000000..99933a31
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_dev_gone
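Review bot: iface_cleanup() deletes `d0`, but this script creates and tears down `dummy0`, so on the `exit 1` taint path inside the loop (or any `set -e` failure between `ip link add dummy0` and `ip link del dummy0`) the dummy device is left behind; the trap body should be `ip link del dummy0 &>/dev/null || :`. The two `read taint` lines would be safer as `read -r taint`, and `for i in $(seq 1 500);do` can be written `for ((i = 1; i <= 500; i++)); do` without a fork. Note that a bare `wait` never propagates the exit status of the two backgrounded commands; that looks intentional since the taint flag is the real oracle here, but a short comment saying so would stop a later reader from "fixing" it.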
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress)
+
+set -e
+
+iface_cleanup() {
+ ip link del d0 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+
+ip link add d0 type dummy
+
+load_ruleset() {
+ family=$1
+
+ # Test auto-removal of chain hook on device removal
+ RULESET="table $family x {
+ chain x {}
+ chain w {
+ ip daddr 8.7.6.0/24 jump x
+ }
+ chain y {
+ type filter hook ingress device \"d0\" priority 0;
+ ip saddr { 1.2.3.4, 2.3.4.5 } counter
+ ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x }
+ }
+}"
+ $NFT -c -f - <<< $RULESET
+ $NFT -f - <<< $RULESET
+}
+
+load_ruleset "inet"
+load_ruleset "netdev"
diff --git a/tests/shell/testcases/chains/netdev_chain_dormant_autoremove b/tests/shell/testcases/chains/netdev_chain_dormant_autoremove
new file mode 100755
index 00000000..3093ce25
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_dormant_autoremove
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_multidevice)
+
+set -e
+
+ip link add dummy0 type dummy
+ip link add dummy1 type dummy
+$NFT add table netdev test { flags dormant\; }
+$NFT add chain netdev test ingress { type filter hook ingress devices = { "dummy0", "dummy1" } priority 0\; policy drop\; }
+ip link del dummy0
diff --git a/tests/shell/testcases/chains/netdev_chain_multidev_gone b/tests/shell/testcases/chains/netdev_chain_multidev_gone
new file mode 100755
index 00000000..e82698a7
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_multidev_gone
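Review bot: load_ruleset() in netdev_chain_dev_gone assigns `family` and `RULESET` without `local`, so both leak into the script's global scope; `local family=$1` and `local RULESET` keep them function-scoped. Bash does not word-split a here-string, so `<<< $RULESET` behaves, but `<<< "$RULESET"` is clearer and matches netdev_chain_0 in this same series. The identical load_ruleset() pattern appears in netdev_chain_multidev_gone, netdev_multidev_netns_gone and netdev_netns_gone, so the same change applies there.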
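Review bot: netdev_chain_dormant_autoremove creates `dummy0` and `dummy1` but installs no EXIT trap, unlike every other new script in this series, so `dummy1` is always left behind and `dummy0` as well whenever any line before the last one fails. The expected dump keeps `"dev": "dummy1"`, and 0012flowtable_variable_0's dump appears to have lost `dummy1` in this same series once its cleanup trap was added, so a trap that deletes dummy1 would presumably change this dump too; either add the trap and update the dump together, or add a comment such as `# dummy1 is left in place on purpose: the dump must still show it on the dormant chain` so the omission reads as deliberate.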
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_multidevice)
+
+set -e
+
+iface_cleanup() {
+ ip link del d0 &>/dev/null || :
+ ip link del d1 &>/dev/null || :
+ ip link del d2 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+
+ip link add d0 type dummy
+ip link add d1 type dummy
+ip link add d2 type dummy
+
+load_ruleset() {
+ family=$1
+
+ # Test auto-removal of chain hook on device removal
+ RULESET="table $family x {
+ chain x {}
+ chain w {
+ ip daddr 8.7.6.0/24 jump {
+ ip daddr vmap { 8.7.6.3 : jump x, 8.7.6.4 : jump x }
+ }
+ }
+ chain y {
+ type filter hook ingress devices = { d0, d1, d2 } priority 0;
+ ip saddr { 1.2.3.4, 2.3.4.5 } counter
+ ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x }
+ }
+}"
+ $NFT -c -f - <<< $RULESET
+ $NFT -f - <<< $RULESET
+}
+
+load_ruleset "inet"
+load_ruleset "netdev"
diff --git a/tests/shell/testcases/chains/netdev_move_device b/tests/shell/testcases/chains/netdev_move_device
new file mode 100755
index 00000000..762ca598
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_move_device
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1-$rnd"
+
+cleanup() {
+ ip netns del "$ns1"
+ ip link del d0 &>/dev/null || :
+}
+trap 'cleanup' EXIT
+
+RULESET="table netdev x {
+ chain x {}
+ chain w {
+ ip daddr 8.7.6.0/24 counter
+ }
+ chain y {
+ type filter hook ingress device d0 priority 0;
+ ip saddr { 1.2.3.4, 2.3.4.5 } counter
+ ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x }
+ }
+}"
+
+ip link add d0 type dummy
+$NFT -f - <<< $RULESET
+
+ip netns add $ns1
+# move device to $ns1 triggers UNREGISTER event
+ip link set d0 netns $ns1
+
+cleanup
+$NFT delete table netdev x
+
+# a simple test that also triggers UNREGISTER event
+ip netns add $ns1
+ip -netns $ns1 link add d0 type dummy
+ip netns exec $ns1 $NFT -f - <<< $RULESET
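Review bot: In netdev_move_device, cleanup() runs `ip netns del "$ns1"` with no failure tolerance, and because the same function is the EXIT trap under `set -e`, a failure before the first `ip netns add $ns1` (for instance `ip link add d0` or the ruleset load failing) aborts the handler on that line and `ip link del d0` never runs, leaving the device behind. `ip netns del "$ns1" &>/dev/null || :` mirrors iface_cleanup() in netdev_multidev_netns_gone and still works for the explicit mid-script `cleanup` call. The four `ip netns ... $ns1` / `ip -netns $ns1` lines should also quote `"$ns1"` as cleanup() already does.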
diff --git a/tests/shell/testcases/chains/netdev_multidev_netns_gone b/tests/shell/testcases/chains/netdev_multidev_netns_gone
new file mode 100755
index 00000000..31ab29bd
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_multidev_netns_gone
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_multidevice)
+
+set -e
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ns-$rnd"
+
+iface_cleanup() {
+ ip netns del $ns1 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+
+load_ruleset() {
+ family=$1
+
+ ip netns add $ns1
+ ip -net $ns1 link add d0 type dummy
+ ip -net $ns1 link add d1 type dummy
+ ip -net $ns1 link add d2 type dummy
+
+ # Test auto-removal of chain hook on device removal
+ RULESET="table $family x {
+ chain x {}
+ chain w {
+ ip daddr 8.7.6.0/24 jump {
+ ip daddr vmap { 8.7.6.3 : jump x, 8.7.6.4 : jump x }
+ }
+ }
+ chain y {
+ type filter hook ingress devices = { d0, d1, d2 } priority 0;
+ ip saddr { 1.2.3.4, 2.3.4.5 } counter
+ ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x }
+ }
+}"
+ ip netns exec $ns1 $NFT -f - <<< $RULESET
+ ip netns del $ns1
+}
+
+load_ruleset "inet"
+load_ruleset "netdev"
diff --git a/tests/shell/testcases/chains/netdev_netns_gone b/tests/shell/testcases/chains/netdev_netns_gone
new file mode 100755
index 00000000..3a92c99e
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_netns_gone
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress)
+
+set -e
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ns-$rnd"
+
+iface_cleanup() {
+ ip netns del $ns1 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+
+load_ruleset() {
+ family=$1
+
+ ip netns add $ns1
+ ip -net $ns1 link add d0 type dummy
+
+ RULESET="table $family x {
+ chain x {}
+ chain w {
+ ip daddr 8.7.6.0/24 jump x
+ }
+ chain y {
+ type filter hook ingress device \"d0\" priority 0;
+ ip saddr { 1.2.3.4, 2.3.4.5 } counter
+ ip daddr vmap { 5.4.3.0/24 : jump w, 8.9.0.0/24 : jump x }
+ }
+}"
+ ip netns exec $ns1 $NFT -f - <<< $RULESET
+ ip netns del $ns1
+}
+
+load_ruleset "inet"
+load_ruleset "netdev"
diff --git a/tests/shell/testcases/comments/dumps/comments_0.json-nft b/tests/shell/testcases/comments/dumps/comments_0.json-nft
new file mode 100644
index 00000000..201abd6f
--- /dev/null
+++ b/tests/shell/testcases/comments/dumps/comments_0.json-nft
@@ -0,0 +1,135 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "2.2.2.2", + "3.3.3.3" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": { + "set": [ + "destination-unreachable", + "packet-too-big" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": { + "set": [ + 1, + 2 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 21, + 2121 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/0012flowtable_variable_0 b/tests/shell/testcases/flowtable/0012flowtable_variable_0 index 8e334224..9c03820f 100755 --- a/tests/shell/testcases/flowtable/0012flowtable_variable_0 +++ b/tests/shell/testcases/flowtable/0012flowtable_variable_0 
@@ -1,7 +1,15 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_counter) + set -e +iface_cleanup() { + ip link del dummy1 &>/dev/null || : +} +trap 'iface_cleanup' EXIT +iface_cleanup + ip link add name dummy1 type dummy EXPECTED="define if_main = { lo, dummy1 } diff --git a/tests/shell/testcases/flowtable/0013addafterdelete_0 b/tests/shell/testcases/flowtable/0013addafterdelete_0 index b23ab978..56c9834f 100755 --- a/tests/shell/testcases/flowtable/0013addafterdelete_0 +++ b/tests/shell/testcases/flowtable/0013addafterdelete_0 @@ -7,7 +7,6 @@ RULESET='table inet filter { flowtable f { hook ingress priority filter - 1 devices = { lo } - counter } }' @@ -20,7 +19,6 @@ table inet filter { flowtable f { hook ingress priority filter - 1 devices = { lo } - counter } }' diff --git a/tests/shell/testcases/flowtable/0014addafterdelete_0 b/tests/shell/testcases/flowtable/0014addafterdelete_0 index 6a24c4b9..1ac65104 100755 --- a/tests/shell/testcases/flowtable/0014addafterdelete_0 +++ b/tests/shell/testcases/flowtable/0014addafterdelete_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_counter) + set -e RULESET='table inet filter { diff --git a/tests/shell/testcases/flowtable/0015destroy_0 b/tests/shell/testcases/flowtable/0015destroy_0 new file mode 100755 index 00000000..cea33524 --- /dev/null +++ b/tests/shell/testcases/flowtable/0015destroy_0 @@ -0,0 +1,20 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +trap "ip link del dummy1" EXIT + +ip link add dummy1 type dummy +ip link set dummy1 up + +$NFT add table t + +# pass for non-existent flowtable +$NFT destroy flowtable t f + +# successfully delete existing flowtable +$NFT add flowtable t f '{ hook ingress priority 10; devices = { lo }; }' + +$NFT 'add flowtable t f { devices = { dummy1 } ; }' + +$NFT destroy flowtable t f 
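Review bot: 0015destroy_0 puts `-e` in the shebang (`#!/bin/bash -e`) while the other scripts touched in this series use `set -e` in the body; shebang options are dropped when a file is run as `bash <script>`, so `#!/bin/bash` followed by `set -e` is the robust form. The `trap "ip link del dummy1" EXIT` is installed before `ip link add dummy1`, so if the add fails the trap produces a second, unrelated error on stderr; `trap 'ip link del dummy1 &>/dev/null || :' EXIT` matches the iface_cleanup() helpers used by the chains tests. The two `$NFT destroy flowtable t f` calls would also benefit from a short comment on why the first must succeed on a non-existent object, which is the property the new `destroy` command is being tested for.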
diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft new file mode 100644 index 00000000..4d15fe3a --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "t", + "handle": 0, + "hook": "ingress", + "prio": 10, + "dev": "lo" + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "flow": { + "op": "add", + "flowtable": "@f" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.json-nft new file mode 100644 index 00000000..0013512b --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "f", + "table": "t", + "handle": 0, + "hook": "ingress", + "prio": 10, + "dev": "lo" + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft new file mode 100644 index 00000000..aecfb2ab --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft @@ -0,0 +1,6 @@ +table ip t { + flowtable f { + hook ingress priority filter + 10 + devices = { lo } + } +} 
diff --git a/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.json-nft b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.json-nft new file mode 100644 index 00000000..04057f1f --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "y", + "table": "x", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft new file mode 100644 index 00000000..dd904f44 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft @@ -0,0 +1,6 @@ +table ip x { + flowtable y { + hook ingress priority filter + devices = { lo } + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.json-nft b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft @@ -0,0 +1,2 @@ +table ip x { +} 
diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft new file mode 100644 index 00000000..302502dc --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft @@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "x", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "y", + "table": "x", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "x", + "handle": 0, + "expr": [ + { + "flow": { + "op": "add", + "flowtable": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft new file mode 100644 index 00000000..c1d79e7b --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft @@ -0,0 +1,10 @@ +table ip x { + flowtable y { + hook ingress priority filter + devices = { lo } + } + + chain x { + flow add @y + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0006segfault_0.json-nft b/tests/shell/testcases/flowtable/dumps/0006segfault_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0006segfault_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null 
+++ b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0007prio_0.json-nft b/tests/shell/testcases/flowtable/dumps/0007prio_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0007prio_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0007prio_0.nft b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0008prio_1.json-nft b/tests/shell/testcases/flowtable/dumps/0008prio_1.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0008prio_1.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0008prio_1.nft b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft new file mode 100644 index 00000000..985768ba --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.json-nft b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.json-nft 
@@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft new file mode 100644 index 00000000..8e818d2d --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.json-nft b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.json-nft new file mode 100644 index 00000000..10372b0e --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft new file mode 100644 index 00000000..17838bdf --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft @@ -0,0 +1,2 @@ +table inet t { +} diff --git a/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.json-nft b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.json-nft 
@@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft new file mode 100644 index 00000000..8e818d2d --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft new file mode 100644 index 00000000..10f1df98 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft @@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter1", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "Main_ft1", + "table": "filter1", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "table": { + "family": "ip", + "name": "filter2", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "Main_ft2", + "table": "filter2", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft index 1cbb2f11..df1c51a2 100644 --- a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft 
@@ -1,14 +1,14 @@ table ip filter1 { flowtable Main_ft1 { hook ingress priority filter - devices = { dummy1, lo } + devices = { lo } counter } } table ip filter2 { flowtable Main_ft2 { hook ingress priority filter - devices = { dummy1, lo } + devices = { lo } counter } } diff --git a/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.json-nft b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.json-nft new file mode 100644 index 00000000..85c7b327 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": -1, + "dev": "lo" + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft new file mode 100644 index 00000000..67db7d02 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft @@ -0,0 +1,6 @@ +table inet filter { + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft new file mode 100644 index 00000000..471ba5be --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft 
@@ -0,0 +1,63 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": -1, + "dev": "lo" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "y", + "handle": 0, + "expr": [ + { + "flow": { + "op": "add", + "flowtable": "@f" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft new file mode 100644 index 00000000..145aa081 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft @@ -0,0 +1,12 @@ +table inet filter { + flowtable f { + hook ingress priority filter - 1 + devices = { lo } + counter + } + + chain y { + type filter hook forward priority filter; policy accept; + flow add @f counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/flowtable/dumps/0015destroy_0.json-nft b/tests/shell/testcases/flowtable/dumps/0015destroy_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0015destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft new file mode 100644 index 00000000..985768ba --- /dev/null 
+++ b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/include/0002relative_0 b/tests/shell/testcases/include/0002relative_0 index a91cd8f0..ac835547 100755 --- a/tests/shell/testcases/include/0002relative_0 +++ b/tests/shell/testcases/include/0002relative_0 @@ -1,20 +1,21 @@ #!/bin/bash -set -e - tmpfile1=$(mktemp -p .) -if [ ! -w $tmpfile1 ] ; then - echo "Failed to create tmp file" >&2 - exit 0 +if [ ! -w "$tmpfile1" ] ; then + # cwd might be readonly, mark as skip. + echo "Failed to create tmp file" >&2 + exit 77 fi -tmpfile2=$(mktemp -p .) -if [ ! -w $tmpfile2 ] ; then - echo "Failed to create tmp file" >&2 - exit 0 -fi +cleanup() +{ + rm -f "$tmpfile1" "$tmpfile2" +} -trap "rm -rf $tmpfile1 $tmpfile2" EXIT # cleanup if aborted +trap cleanup EXIT + +set -e +tmpfile2=$(mktemp -p .) RULESET1="add table x" RULESET2="include \"$tmpfile1\"" diff --git a/tests/shell/testcases/include/0003includepath_0 b/tests/shell/testcases/include/0003includepath_0 index ba722068..20037a8f 100755 --- a/tests/shell/testcases/include/0003includepath_0 +++ b/tests/shell/testcases/include/0003includepath_0 @@ -8,7 +8,7 @@ if [ ! -w $tmpfile1 ] ; then exit 0 fi -tmpfile3=$(echo "$tmpfile1" | cut -d'/' -f 3) +tmpfile3="$(basename "$tmpfile1")" tmpfile2=$(mktemp) if [ ! -w $tmpfile2 ] ; then @@ -24,7 +24,7 @@ RULESET2="include \"$tmpfile3\"" echo "$RULESET1" > $tmpfile1 echo "$RULESET2" > $tmpfile2 -$NFT -I /tmp -f $tmpfile2 +$NFT -I "$(dirname "$tmpfile1")" -f $tmpfile2 if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 diff --git a/tests/shell/testcases/include/0013input_descriptors_included_files_0 b/tests/shell/testcases/include/0013input_descriptors_included_files_0 index 03de50b3..af374d66 100755 --- a/tests/shell/testcases/include/0013input_descriptors_included_files_0 +++ b/tests/shell/testcases/include/0013input_descriptors_included_files_0 
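Review bot: The skip branch after `tmpfile1=$(mktemp -p .)` treats every mktemp failure as "cwd might be readonly" and exits 77, so an unrelated failure (mktemp unavailable, disk full) is also reported as a skip instead of an error, and since `set -e` is only enabled further down nothing else catches it. Testing the directory rather than the result keeps the skip narrow: `[ -w . ] || { echo "cwd not writable, skipping" >&2; exit 77; }` before the mktemp call, with `set -e` moved above it so a real mktemp failure becomes a test failure. The script continues past `RULESET2=` outside the hunk.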
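Review bot: In the second hunk of 0003includepath_0 the new `-I "$(dirname "$tmpfile1")"` argument is quoted but `-f $tmpfile2` on the same line is not, and the `if [ ! -w $tmpfile1 ]` context line in the first hunk is likewise unquoted; a temp path containing whitespace (e.g. an unusual TMPDIR) would split the command line. Quote the remaining expansions for consistency with the new code: `$NFT -I "$(dirname "$tmpfile1")" -f "$tmpfile2"` and `if [ ! -w "$tmpfile1" ] ; then`. The surrounding script, including the `exit 1` error handling, continues outside both hunks.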
@@ -7,32 +7,32 @@ # instead of return value of nft. -tmpfile1=$(mktemp -p .) -if [ ! -w $tmpfile1 ] ; then +tmpfile1=$(mktemp) +if [ ! -w "$tmpfile1" ] ; then echo "Failed to create tmp file" >&2 - exit 0 + exit 1 fi -tmpfile2=$(mktemp -p .) -if [ ! -w $tmpfile2 ] ; then +trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4" EXIT # cleanup if aborted + +tmpfile2=$(mktemp) +if [ ! -w "$tmpfile2" ] ; then echo "Failed to create tmp file" >&2 - exit 0 + exit 1 fi -tmpfile3=$(mktemp -p .) -if [ ! -w $tmpfile3 ] ; then +tmpfile3=$(mktemp) +if [ ! -w "$tmpfile3" ] ; then echo "Failed to create tmp file" >&2 - exit 0 + exit 1 fi -tmpfile4=$(mktemp -p .) -if [ ! -w $tmpfile4 ]; then +tmpfile4=$(mktemp) +if [ ! -w "$tmpfile4" ]; then echo "Failed to create tmp file" >&2 - exit 0 + exit 1 fi -trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4" EXIT # cleanup if aborted - RULESET1="include \"$tmpfile2\"" RULESET2="include \"$tmpfile3\"" RULESET3="add rule x y anything everything" # wrong nft syntax @@ -44,7 +44,7 @@ echo "$RULESET3" > $tmpfile2 $NFT -f $tmpfile1 2> $tmpfile4 -var=$(awk -F: '$4==" Error"{print $1;exit;}' $tmpfile4) +var=$(awk -F: '$4==" Error"{print $1;exit;}' "$tmpfile4") if [ $var == "$tmpfile3" ]; then echo "E: Test failed" >&2 diff --git a/tests/shell/testcases/include/0020include_chain_0 b/tests/shell/testcases/include/0020include_chain_0 index 8f78e8c6..1501d719 100755 --- a/tests/shell/testcases/include/0020include_chain_0 +++ b/tests/shell/testcases/include/0020include_chain_0 @@ -2,11 +2,7 @@ set -e -tmpfile1=$(mktemp -p .) -if [ ! -w $tmpfile1 ] ; then - echo "Failed to create tmp file" >&2 - exit 0 -fi +tmpfile1=$(mktemp) trap "rm -rf $tmpfile1" EXIT # cleanup if aborted 
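Review bot: The `trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4" EXIT` line is now installed right after `tmpfile1` is created, but its double-quoted string is expanded when the trap is defined, so `$tmpfile2`, `$tmpfile3` and `$tmpfile4` are still empty at that point and only the first file is ever removed — the other three leak in the temp directory on every run (the removed line shows the trap used to be set after all four assignments). Single-quote the string so it is expanded at exit time, and `-f` is sufficient for regular files: `trap 'rm -f "$tmpfile1" "$tmpfile2" "$tmpfile3" "$tmpfile4"' EXIT`. The unquoted `$tmpfile1` and `$tmpfile4` on the `$NFT -f $tmpfile1 2> $tmpfile4` context line in the second hunk could get the same quoting the commit applies to the awk argument.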
@@ -20,4 +16,11 @@ RULESET2="chain inet filter input2 { echo "$RULESET2" > $tmpfile1 +RULESET3="create chain inet filter output2 { + type filter hook output priority filter; policy accept; + ip daddr 1.2.3.4 tcp dport { 22, 443, 123 } drop +}" + +echo "$RULESET3" >> $tmpfile1 + $NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/include/dumps/0001absolute_0.json-nft b/tests/shell/testcases/include/dumps/0001absolute_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0001absolute_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0002relative_0.json-nft b/tests/shell/testcases/include/dumps/0002relative_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0002relative_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0003includepath_0.json-nft b/tests/shell/testcases/include/dumps/0003includepath_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0003includepath_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0004endlessloop_1.json-nft b/tests/shell/testcases/include/dumps/0004endlessloop_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null 
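Review bot: `echo "$RULESET3" >> $tmpfile1` leaves the redirection target unquoted although the value comes from `mktemp` in the first hunk of this file; `>> "$tmpfile1"` matches the quoting the commit applies elsewhere. The appended fragment also uses `create chain` while the `RULESET2="chain inet filter input2 {` context uses the bare `chain` keyword — if exercising both forms through an include is deliberate, a one-line comment such as `# RULESET3 uses 'create chain' so the include path covers that form too` would make the intent clear.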
+++ b/tests/shell/testcases/include/dumps/0004endlessloop_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0004endlessloop_1.nft b/tests/shell/testcases/include/dumps/0004endlessloop_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0004endlessloop_1.nft diff --git a/tests/shell/testcases/include/dumps/0005glob_empty_0.json-nft b/tests/shell/testcases/include/dumps/0005glob_empty_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0005glob_empty_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0005glob_empty_0.nft b/tests/shell/testcases/include/dumps/0005glob_empty_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0005glob_empty_0.nft diff --git a/tests/shell/testcases/include/dumps/0006glob_single_0.json-nft b/tests/shell/testcases/include/dumps/0006glob_single_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/include/dumps/0006glob_single_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0007glob_double_0.json-nft b/tests/shell/testcases/include/dumps/0007glob_double_0.json-nft new file mode 100644 index 00000000..ea75b43f --- /dev/null +++ b/tests/shell/testcases/include/dumps/0007glob_double_0.json-nft 
@@ -0,0 +1,25 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.json-nft b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft diff --git a/tests/shell/testcases/include/dumps/0009glob_nofile_1.json-nft b/tests/shell/testcases/include/dumps/0009glob_nofile_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0009glob_nofile_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft b/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft diff --git a/tests/shell/testcases/include/dumps/0010glob_broken_file_1.json-nft b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null 
+++ b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft diff --git a/tests/shell/testcases/include/dumps/0011glob_dependency_0.json-nft b/tests/shell/testcases/include/dumps/0011glob_dependency_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0011glob_dependency_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0012glob_dependency_1.json-nft b/tests/shell/testcases/include/dumps/0012glob_dependency_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0012glob_dependency_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft b/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft diff --git a/tests/shell/testcases/include/dumps/0013glob_dotfile_0.json-nft b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.json-nft new file mode 100644 index 00000000..15ec0aac 
--- /dev/null +++ b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.json-nft b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft diff --git a/tests/shell/testcases/include/dumps/0014glob_directory_0.json-nft b/tests/shell/testcases/include/dumps/0014glob_directory_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0014glob_directory_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0014glob_directory_0.nft b/tests/shell/testcases/include/dumps/0014glob_directory_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0014glob_directory_0.nft 
diff --git a/tests/shell/testcases/include/dumps/0015doubleincludepath_0.json-nft b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.json-nft new file mode 100644 index 00000000..b6088c80 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0016maxdepth_0.json-nft b/tests/shell/testcases/include/dumps/0016maxdepth_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0016maxdepth_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0016maxdepth_0.nft b/tests/shell/testcases/include/dumps/0016maxdepth_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0016maxdepth_0.nft diff --git a/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.json-nft b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null 
+++ b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft diff --git a/tests/shell/testcases/include/dumps/0018include_error_0.json-nft b/tests/shell/testcases/include/dumps/0018include_error_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0018include_error_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0018include_error_0.nft b/tests/shell/testcases/include/dumps/0018include_error_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0018include_error_0.nft diff --git a/tests/shell/testcases/include/dumps/0019include_error_0.json-nft b/tests/shell/testcases/include/dumps/0019include_error_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0019include_error_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0019include_error_0.nft b/tests/shell/testcases/include/dumps/0019include_error_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/include/dumps/0019include_error_0.nft diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.json-nft b/tests/shell/testcases/include/dumps/0020include_chain_0.json-nft new file mode 100644 index 00000000..e893ccf1 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0020include_chain_0.json-nft 
@@ -0,0 +1,128 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input2", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output2", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 123, + 443 + ] + } + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "output2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 123, + 443 + ] + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.nft b/tests/shell/testcases/include/dumps/0020include_chain_0.nft index 3ad6db14..bf596ffb 100644 --- a/tests/shell/testcases/include/dumps/0020include_chain_0.nft +++ b/tests/shell/testcases/include/dumps/0020include_chain_0.nft 
@@ -3,4 +3,9 @@ table inet filter { type filter hook input priority filter; policy accept; ip saddr 1.2.3.4 tcp dport { 22, 123, 443 } drop } + + chain output2 { + type filter hook output priority filter; policy accept; + ip daddr 1.2.3.4 tcp dport { 22, 123, 443 } drop + } } diff --git a/tests/shell/testcases/include/dumps/glob_duplicated_include.nft b/tests/shell/testcases/include/dumps/glob_duplicated_include.nft new file mode 100644 index 00000000..8e316e9d --- /dev/null +++ b/tests/shell/testcases/include/dumps/glob_duplicated_include.nft @@ -0,0 +1,6 @@ +table inet test { + chain test { + tcp dport 22 accept + tcp dport 25 accept + } +} diff --git a/tests/shell/testcases/include/glob_duplicated_include b/tests/shell/testcases/include/glob_duplicated_include new file mode 100755 index 00000000..4507f5d9 --- /dev/null +++ b/tests/shell/testcases/include/glob_duplicated_include @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +trap "rm -rf $tmpdir" EXIT + +tmpdir=$(mktemp -d) +mkdir -p $tmpdir/test/include +cat > $tmpdir/test/main << EOF +table inet test { + chain test { + include "include/*"; + } +} +EOF +echo "tcp dport 22 accept;" > $tmpdir/test/include/one +echo "tcp dport 25 accept;" > $tmpdir/test/include/two + +$NFT -I $tmpdir/test/ -f $tmpdir/test/main diff --git a/tests/shell/testcases/json/0001set_statements_0 b/tests/shell/testcases/json/0001set_statements_0 index 1c72d35b..fc4941f4 100755 --- a/tests/shell/testcases/json/0001set_statements_0 +++ b/tests/shell/testcases/json/0001set_statements_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) + set -e $NFT flush ruleset diff --git a/tests/shell/testcases/json/0002table_map_0 b/tests/shell/testcases/json/0002table_map_0 index 4b54527b..a1e9f263 100755 --- a/tests/shell/testcases/json/0002table_map_0 +++ b/tests/shell/testcases/json/0002table_map_0 @@ -1,5 +1,8 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + set -e $NFT flush ruleset 
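Review bot: In glob_duplicated_include, `trap "rm -rf $tmpdir" EXIT` is installed before `tmpdir=$(mktemp -d)` assigns the variable, and the double quotes expand `$tmpdir` when the trap is defined, so the trap body is just `rm -rf ` and the directory created on the next line is never removed. Either move the trap below the `mktemp -d` line or single-quote it so expansion happens at exit: `trap 'rm -rf -- "${tmpdir:?}"' EXIT` (the `:?` guard also keeps `rm -rf` from running on an empty path). The `$tmpdir` uses in `mkdir -p`, the `cat` redirection, both `echo` redirections and the final `$NFT -I $tmpdir/test/ -f $tmpdir/test/main` are unquoted as well; quoting them makes the script safe if TMPDIR contains whitespace.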
diff --git a/tests/shell/testcases/json/0003json_schema_version_0 b/tests/shell/testcases/json/0003json_schema_version_0 index 0ccf94c8..43f387a1 100755 --- a/tests/shell/testcases/json/0003json_schema_version_0 +++ b/tests/shell/testcases/json/0003json_schema_version_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) + set -e $NFT flush ruleset diff --git a/tests/shell/testcases/json/0004json_schema_version_1 b/tests/shell/testcases/json/0004json_schema_version_1 index bc451ae7..0f8d586f 100755 --- a/tests/shell/testcases/json/0004json_schema_version_1 +++ b/tests/shell/testcases/json/0004json_schema_version_1 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) + set -e $NFT flush ruleset diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0 index ae967435..5c44f093 100755 --- a/tests/shell/testcases/json/0005secmark_objref_0 +++ b/tests/shell/testcases/json/0005secmark_objref_0 @@ -1,5 +1,8 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_secmark) + set -e $NFT flush ruleset diff --git a/tests/shell/testcases/json/0006obj_comment_0 b/tests/shell/testcases/json/0006obj_comment_0 index 76d8fe16..7ce859d2 100755 --- a/tests/shell/testcases/json/0006obj_comment_0 +++ b/tests/shell/testcases/json/0006obj_comment_0 @@ -1,5 +1,8 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + set -e $NFT flush ruleset diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft new file mode 100644 index 00000000..ecc7eade --- /dev/null +++ b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft 
@@ -0,0 +1,98 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "testt", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "testt", + "name": "testc", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "ssh_meter", + "table": "testt", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "ip", + "table": "testt", + "chain": "testc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@ssh_meter", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.nft b/tests/shell/testcases/json/dumps/0001set_statements_0.nft index ee4a8670..d80a4321 100644 --- a/tests/shell/testcases/json/dumps/0001set_statements_0.nft +++ b/tests/shell/testcases/json/dumps/0001set_statements_0.nft @@ -7,6 +7,6 @@ table ip testt { chain testc { type filter hook input priority filter; policy accept; - tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate 10/second } accept + tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate 10/second burst 5 packets } accept } } diff --git a/tests/shell/testcases/json/dumps/0002table_map_0.json-nft b/tests/shell/testcases/json/dumps/0002table_map_0.json-nft new file mode 100644 index 00000000..78e3c8ad --- /dev/null +++ b/tests/shell/testcases/json/dumps/0002table_map_0.json-nft 
@@ -0,0 +1,33 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "stmt": [ + { + "counter": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0003json_schema_version_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0004json_schema_version_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft new file mode 100644 index 00000000..3783c6b7 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft 
@@ -0,0 +1,233 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -225, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 225, + "policy": "accept" + } + }, + { + "secmark": { + "family": "inet", + "name": "ssh_server", + "table": "x", + "handle": 0, + "context": "system_u:object_r:ssh_server_packet_t:s0" + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 2222 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "secmark": "ssh_server" + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "mangle": { + "key": { + "ct": { + "key": "secmark" + } + }, + "value": { + "meta": { + "key": "secmark" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "secmark" + } + }, + "value": { + "ct": { + "key": "secmark" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" 
+ } + }, + { + "mangle": { + "key": { + "ct": { + "key": "secmark" + } + }, + "value": { + "meta": { + "key": "secmark" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "secmark" + } + }, + "value": { + "ct": { + "key": "secmark" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft b/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft new file mode 100644 index 00000000..208e13ad --- /dev/null +++ b/tests/shell/testcases/json/dumps/0006obj_comment_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "mycounter", + "table": "t", + "handle": 0, + "comment": "my comment in counter", + "packets": 0, + "bytes": 0 + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/netdev.json-nft b/tests/shell/testcases/json/dumps/netdev.json-nft new file mode 100644 index 00000000..e0d2bfb4 --- /dev/null +++ b/tests/shell/testcases/json/dumps/netdev.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "test_table", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/json/dumps/netdev.nft b/tests/shell/testcases/json/dumps/netdev.nft new file mode 100644 index 00000000..3c568ed3 --- /dev/null +++ b/tests/shell/testcases/json/dumps/netdev.nft @@ -0,0 +1,2 @@ +table netdev test_table { +} 
diff --git a/tests/shell/testcases/json/netdev b/tests/shell/testcases/json/netdev index a16a4f5e..23776c35 100755 --- a/tests/shell/testcases/json/netdev +++ b/tests/shell/testcases/json/netdev @@ -1,12 +1,14 @@ #!/bin/bash -ip link add d0 type dummy || { - echo "Skipping, no dummy interface available" - exit 0 +set -e + +iface_cleanup() { + ip link del d0 &>/dev/null || : } -trap "ip link del d0" EXIT +trap 'iface_cleanup' EXIT +iface_cleanup -set -e +ip link add d0 type dummy $NFT flush ruleset $NFT add table inet test @@ -16,4 +18,13 @@ $NFT flush ruleset RULESET='{"nftables":[{"flush":{"ruleset":null}},{"add":{"table":{"family":"netdev","name":"test_table"}}},{"add":{"chain":{"family":"netdev","table":"test_table","name":"test_chain","type":"filter","hook":"ingress","prio":0,"dev":"d0","policy":"accept"}}}]}' -$NFT -j -f - <<< $RULESET +if [ "$NFT_TEST_HAVE_json" != n ]; then + $NFT -j -f - <<< $RULESET +fi + +if [ "$NFT_TEST_HAVE_json" = n ]; then + echo "Test partially skipped due to missing JSON support." + exit 77 +fi + +$NFT delete chain netdev test_table test_chain diff --git a/tests/shell/testcases/json/single_flag b/tests/shell/testcases/json/single_flag new file mode 100755 index 00000000..41fab63b --- /dev/null +++ b/tests/shell/testcases/json/single_flag 
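Review bot: With `set -e` now above `ip link add d0 type dummy`, a host without the dummy module fails the test, where the removed lines skipped it with "Skipping, no dummy interface available"; the new `iface_cleanup` only handles a leftover `d0`, not a missing module. If that environment is still expected, keep a skip path using the exit code this commit introduces for skips in the second hunk: `ip link add d0 type dummy || { echo "Skipping, no dummy interface available" >&2; exit 77; }`. Calling `iface_cleanup` before the add also deletes any pre-existing `d0`, which is harmless in an isolated test namespace but would be surprising on a shared host — presumably the runner provides that isolation.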
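Review bot: The two `if` statements on `$NFT_TEST_HAVE_json` test complementary conditions (`!= n` then `= n`) back to back, so the JSON load and the skip are really one if/else; written as two blocks the reader has to verify that neither branch falls through to the other. Put the skip check first and run the load unconditionally after it: drop the `!= n` block and follow the `exit 77` block with `$NFT -j -f - <<< "$RULESET"` (quoting the here-string while touching the line). The final `$NFT delete chain netdev test_table test_chain` then still runs only when the chain was actually created.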
@@ -0,0 +1,189 @@
+#!/bin/bash
+#
+# Test various "flags" properties in JSON syntax:
+# - single item arrays are abbreviated as non-array in output
+# - both non-array and single item array accepted in input
+# - single and multiple item values are correctly printed in output and
+# recognized in input (checked against standard syntax input/output)
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+json_sanitize() {
+ sed -e 's/{"metainfo": {[^}]*}}, //' \
+ -e 's/\("handle":\) [0-9]*/\1 0/g'
+}
+back_n_forth() { # (std, json)
+ $NFT flush ruleset
+ $NFT -f - <<< "$1"
+ diff --label "line ${BASH_LINENO[0]}: JSON output" \
+ --label "line ${BASH_LINENO[0]}: JSON expect" \
+ -u <($NFT -j list ruleset | json_sanitize) <(echo "$2")
+
+ $NFT flush ruleset
+ $NFT -j -f - <<< "$2"
+ diff --label "line ${BASH_LINENO[0]}: std output" \
+ --label "line ${BASH_LINENO[0]}: std expect" \
+ -u <($NFT list ruleset) <(echo "$1")
+}
+json_equiv() { # (json_in, json_out)
+ $NFT flush ruleset
+ $NFT -j -f - <<< "$1"
+ diff --label "line ${BASH_LINENO[0]}: JSON equiv output" \
+ --label "line ${BASH_LINENO[0]}: JSON equiv expect" \
+ -u <($NFT -j list ruleset | json_sanitize) <(echo "$2")
+}
+
+#
+# test table flags
+#
+
+STD_TABLE_1="table ip t {
+ flags dormant
+}"
+JSON_TABLE_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0, "flags": "dormant"}}]}'
+JSON_TABLE_1_EQUIV=$(sed 's/\("flags":\) \([^}]*\)/\1 [\2]/' <<< "$JSON_TABLE_1")
+
+STD_TABLE_2=$(sed 's/\(flags dormant\)/\1,persist/' <<< "$STD_TABLE_1")
+JSON_TABLE_2=$(sed 's/\("flags":\) \("dormant"\)/\1 [\2, "persist"]/' <<< "$JSON_TABLE_1")
+
+back_n_forth "$STD_TABLE_1" "$JSON_TABLE_1"
+json_equiv "$JSON_TABLE_1_EQUIV" "$JSON_TABLE_1"
+back_n_forth "$STD_TABLE_2" "$JSON_TABLE_2"
+
+#
+# test set flags
+#
+
+STD_SET_1="table ip t {
+ set s {
+ type inet_proto
+ flags interval
+ }
+}"
+JSON_SET_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"set": {"family": "ip", "name": "s", "table": "t", "type": "inet_proto", "handle": 0, "flags": "interval"}}]}'
+JSON_SET_1_EQUIV=$(sed 's/\("flags":\) \([^}]*\)/\1 [\2]/' <<< "$JSON_SET_1")
+
+STD_SET_2=$(sed 's/\(flags interval\)/\1,timeout/' <<< "$STD_SET_1")
+JSON_SET_2=$(sed 's/\("flags":\) \("interval"\)/\1 [\2, "timeout"]/' <<< "$JSON_SET_1")
+
+back_n_forth "$STD_SET_1" "$JSON_SET_1"
+json_equiv "$JSON_SET_1_EQUIV" "$JSON_SET_1"
+back_n_forth "$STD_SET_2" "$JSON_SET_2"
+
+#
+# test fib expression flags
+#
+
+STD_FIB_1="table ip t {
+ chain c {
+ fib saddr oif exists
+ }
+}"
+JSON_FIB_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"fib": {"result": "oif", "flags": "saddr"}}, "right": true}}]}}]}'
+JSON_FIB_1_EQUIV=$(sed 's/\("flags":\) \([^}]*\)/\1 [\2]/' <<< "$JSON_FIB_1")
+
+STD_FIB_2=$(sed 's/\(fib saddr\)/\1 . iif/' <<< "$STD_FIB_1")
+JSON_FIB_2=$(sed 's/\("flags":\) \("saddr"\)/\1 [\2, "iif"]/' <<< "$JSON_FIB_1")
+
+back_n_forth "$STD_FIB_1" "$JSON_FIB_1"
+json_equiv "$JSON_FIB_1_EQUIV" "$JSON_FIB_1"
+back_n_forth "$STD_FIB_2" "$JSON_FIB_2"
+
+#
+# test nat statement flags
+#
+
+STD_NAT_1="table ip t {
+ chain c {
+ dnat to 192.168.0.0/24 persistent
+ }
+}"
+JSON_NAT_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"dnat": {"addr": {"prefix": {"addr": "192.168.0.0", "len": 24}}, "flags": "persistent"}}]}}]}'
+JSON_NAT_1_EQUIV=$(sed 's/\("flags":\) \([^}]*\)/\1 [\2]/' <<< "$JSON_NAT_1")
+
+STD_NAT_2=$(sed 's/\(persistent\)/random,\1/' <<< "$STD_NAT_1")
+JSON_NAT_2=$(sed 's/\("flags":\) \("persistent"\)/\1 ["random", \2]/' <<< "$JSON_NAT_1")
+
+back_n_forth "$STD_NAT_1" "$JSON_NAT_1"
+json_equiv "$JSON_NAT_1_EQUIV" "$JSON_NAT_1"
+back_n_forth "$STD_NAT_2" "$JSON_NAT_2"
+
+#
+# test log statement flags
+#
+
+STD_LOG_1="table ip t {
+ chain c {
+ log flags tcp sequence
+ }
+}"
+JSON_LOG_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"log": {"flags": "tcp sequence"}}]}}]}'
+JSON_LOG_1_EQUIV=$(sed 's/\("flags":\) \([^}]*\)/\1 [\2]/' <<< "$JSON_LOG_1")
+
+STD_LOG_2=$(sed 's/\(tcp sequence\)/\1,options/' <<< "$STD_LOG_1")
+JSON_LOG_2=$(sed 's/\("flags":\) \("tcp sequence"\)/\1 [\2, "tcp options"]/' <<< "$JSON_LOG_1")
+
+back_n_forth "$STD_LOG_1" "$JSON_LOG_1"
+json_equiv "$JSON_LOG_1_EQUIV" "$JSON_LOG_1"
+back_n_forth "$STD_LOG_2" "$JSON_LOG_2"
+
+#
+# test synproxy statement flags
+#
+
+STD_SYNPROXY_1="table ip t {
+ chain c {
+ synproxy sack-perm
+ }
+}"
+JSON_SYNPROXY_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"synproxy": {"flags": "sack-perm"}}]}}]}'
+JSON_SYNPROXY_1_EQUIV=$(sed 's/\("flags":\) \([^}]*\)/\1 [\2]/' <<< "$JSON_SYNPROXY_1")
+
+STD_SYNPROXY_2=$(sed 's/\(sack-perm\)/timestamp \1/' <<< "$STD_SYNPROXY_1")
+JSON_SYNPROXY_2=$(sed 's/\("flags":\) \("sack-perm"\)/\1 ["timestamp", \2]/' <<< "$JSON_SYNPROXY_1")
+
+back_n_forth "$STD_SYNPROXY_1" "$JSON_SYNPROXY_1"
+json_equiv "$JSON_SYNPROXY_1_EQUIV" "$JSON_SYNPROXY_1"
+back_n_forth "$STD_SYNPROXY_2" "$JSON_SYNPROXY_2"
+
+#
+# test synproxy object flags
+#
+
+STD_SYNPROXY_OBJ_1="table ip t {
+ synproxy s {
+ mss 1280
+ wscale 64
+ sack-perm
+ }
+}"
+JSON_SYNPROXY_OBJ_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"synproxy": {"family": "ip", "name": "s", "table": "t", "handle": 0, "mss": 1280, "wscale": 64, "flags": "sack-perm"}}]}'
+JSON_SYNPROXY_OBJ_1_EQUIV=$(sed 's/\("flags":\) \([^}]*\)/\1 [\2]/' <<< "$JSON_SYNPROXY_OBJ_1")
+
+STD_SYNPROXY_OBJ_2=$(sed 's/ \(sack-perm\)/timestamp \1/' <<< "$STD_SYNPROXY_OBJ_1")
+JSON_SYNPROXY_OBJ_2=$(sed 's/\("flags":\) \("sack-perm"\)/\1 ["timestamp", \2]/' <<< "$JSON_SYNPROXY_OBJ_1")
+
+back_n_forth "$STD_SYNPROXY_OBJ_1" "$JSON_SYNPROXY_OBJ_1"
+json_equiv "$JSON_SYNPROXY_OBJ_1_EQUIV" "$JSON_SYNPROXY_OBJ_1"
+back_n_forth "$STD_SYNPROXY_OBJ_2" "$JSON_SYNPROXY_OBJ_2"
+
+#
+# test queue statement flags
+#
+
+STD_QUEUE_1="table ip t {
+ chain c {
+ queue flags bypass to 1-10
+ }
+}"
+JSON_QUEUE_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"queue": {"num": {"range": [1, 10]}, "flags": "bypass"}}]}}]}'
+JSON_QUEUE_1_EQUIV=$(sed 's/\("flags":\) \([^}]*\)/\1 [\2]/' <<< "$JSON_QUEUE_1")
+
+STD_QUEUE_2=$(sed 's/\(bypass\)/\1,fanout/' <<< "$STD_QUEUE_1")
+JSON_QUEUE_2=$(sed 's/\("flags":\) \("bypass"\)/\1 [\2, "fanout"]/' <<< "$JSON_QUEUE_1")
+
+back_n_forth "$STD_QUEUE_1" "$JSON_QUEUE_1"
+json_equiv "$JSON_QUEUE_1_EQUIV" "$JSON_QUEUE_1"
+back_n_forth "$STD_QUEUE_2" "$JSON_QUEUE_2"
diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0
index 4d39143d..c78ada94 100755
--- a/tests/shell/testcases/listing/0013objects_0
+++ b/tests/shell/testcases/listing/0013objects_0
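Review bot: Every `_2` fixture is produced from its `_1` counterpart by an unchecked `sed` substitution, for example `STD_TABLE_2=$(sed 's/\(flags dormant\)/\1,persist/' <<< "$STD_TABLE_1")`, so a pattern that does not match leaves the variant byte-identical to the original; if that happens on both the std and the JSON side of a pair, the multi-flag `back_n_forth` silently degrades into a repeat of the single-flag case and still passes, and if it happens on one side only the failure surfaces as a puzzling listing diff far from the bad pattern. The `STD_SYNPROXY_OBJ_2` expression `'s/ \(sack-perm\)/timestamp \1/'` is the one I would check first, since unlike the statement variant it carries a leading space and therefore matches only for one specific indentation of the fixture, which this collapsed diff does not let me confirm. A small `derive` helper that fails when the substitution changed nothing turns both situations into an immediate error at the right line; under the file's `set -e` the failing assignment then aborts the script.

```shell
# Derive a fixture variant via sed and fail loudly if the pattern did not
# match, instead of silently re-running the single-flag case.
derive() { # (sed-expr, input)
	local out
	out=$(sed "$1" <<< "$2")
	if [ "$out" = "$2" ]; then
		echo "line ${BASH_LINENO[0]}: pattern '$1' did not change its input" >&2
		return 1
	fi
	printf '%s\n' "$out"
}

# … unchanged: json_sanitize, back_n_forth, json_equiv …

STD_TABLE_2=$(derive 's/\(flags dormant\)/\1,persist/' "$STD_TABLE_1")
JSON_TABLE_2=$(derive 's/\("flags":\) \("dormant"\)/\1 [\2, "persist"]/' "$JSON_TABLE_1")
# … unchanged: remaining fixtures, converted the same way …
```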
@@ -1,47 +1,23 @@ #!/bin/bash -# list table with all objects and chains - -EXPECTED="table ip test { - quota https-quota { - 25 mbytes - } - - ct helper cthelp { - type \"sip\" protocol tcp - l3proto ip - } - - ct timeout cttime { - protocol udp - l3proto ip - policy = { unreplied : 15, replied : 12 } - } - - ct expectation ctexpect { - protocol tcp - dport 5432 - timeout 1h - size 12 - l3proto ip - } - - chain input { - } -}" - set -e $NFT add table test $NFT add chain test input $NFT add quota test https-quota 25 mbytes $NFT add ct helper test cthelp { type \"sip\" protocol tcp \; } -$NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; } -$NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; } -$NFT add table test-ip +if [ "$NFT_TEST_HAVE_cttimeout" != n ] ; then + $NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; } +fi +if [ "$NFT_TEST_HAVE_ctexpect" != n ] ; then + $NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; } +fi -GET="$($NFT list table test)" -if [ "$EXPECTED" != "$GET" ] ; then - $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 +if [ "$NFT_TEST_HAVE_cttimeout" = n ] ; then + echo "Ran partial test due to NFT_TEST_HAVE_cttimeout=n (skipped)" + exit 77 +fi +if [ "$NFT_TEST_HAVE_ctexpect" = n ] ; then + echo "Ran partial test due to NFT_TEST_HAVE_ctexpect=n (skipped)" + exit 77 fi diff --git a/tests/shell/testcases/listing/0020flowtable_0 b/tests/shell/testcases/listing/0020flowtable_0 index 47488d8e..0e89f5dd 100755 --- a/tests/shell/testcases/listing/0020flowtable_0 +++ b/tests/shell/testcases/listing/0020flowtable_0 @@ -1,7 +1,11 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_no_devices) + # list only the flowtable asked for with table +set -e + FLOWTABLES="flowtable f { hook ingress priority filter devices = { lo } 
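Review bot: Removing the `EXPECTED`/`$DIFF` comparison also removes the script's only description, `# list table with all objects and chains`, so the file no longer says anywhere what it is testing; I would keep that comment under the shebang. The listing check presumably moves to `dumps/0013objects_0.nft`, added elsewhere in this diff with both `cttime` and `ctexpect` present, which means the partial runs that `exit 77` when `NFT_TEST_HAVE_cttimeout` or `NFT_TEST_HAVE_ctexpect` is `n` produce a ruleset that cannot match that dump; worth confirming the harness does not compare dumps after a 77 exit. The two trailing skip blocks could also be one check with one message, but that is cosmetic.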
@@ -41,13 +45,13 @@ EXPECTED3="table ip filter { } }" -ip link add d0 type dummy || { - echo "Skipping, no dummy interface available" - exit 0 +iface_cleanup() { + ip link del d0 &>/dev/null || : } -trap "ip link del d0" EXIT +trap 'iface_cleanup' EXIT +iface_cleanup -set -e +ip link add d0 type dummy $NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/listing/0021ruleset_json_terse_0 b/tests/shell/testcases/listing/0021ruleset_json_terse_0 index c739ac3f..98a7ce8a 100755 --- a/tests/shell/testcases/listing/0021ruleset_json_terse_0 +++ b/tests/shell/testcases/listing/0021ruleset_json_terse_0 @@ -6,7 +6,14 @@ $NFT add chain ip test c $NFT add set ip test s { type ipv4_addr\; } $NFT add element ip test s { 192.168.3.4, 192.168.3.5 } -if $NFT -j -t list ruleset | grep '192' -then - exit 1 +if [ "$NFT_TEST_HAVE_json" != n ]; then + if $NFT -j -t list ruleset | grep '192\.168' + then + exit 1 + fi +fi + +if [ "$NFT_TEST_HAVE_json" = n ]; then + echo "Test partially skipped due to missing JSON support." + exit 77 fi diff --git a/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft b/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft new file mode 100644 index 00000000..1bb0e1b8 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0001ruleset_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft b/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0002ruleset_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} 
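Review bot: With `set -e` now active (it is enabled by the earlier hunk of this file, outside this one), a failing `ip link add d0 type dummy` aborts the test, whereas the replaced code printed "Skipping, no dummy interface available" and exited 0; if the dummy module is still optional in some environments a skip is the honest outcome, `ip link add d0 type dummy || { echo "Skipping, no dummy interface available"; exit 77; }`. If instead the harness now guarantees dummy support, stating that next to the existing `# NFT_TEST_REQUIRES(...)` line would explain why the skip went away. The `iface_cleanup` function, trap and pre-run cleanup are the same lines added to tests/shell/testcases/json/netdev in this diff, so a shared helper in the test library would avoid the per-script copies drifting apart.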
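Review bot: The condition `if $NFT -j -t list ruleset | grep '192\.168'` only tests grep's exit status, so when `nft` itself fails (for instance if JSON output is unavailable at run time despite `NFT_TEST_HAVE_json`), grep sees no input, the condition is false and the test passes vacuously. Whether `set -e` or `pipefail` is in force is decided in the script head outside this hunk, and neither would help a pipeline used as an `if` condition anyway. I would capture the listing first and fail on the nft error separately: `out=$($NFT -j -t list ruleset) || exit 1` followed by `if grep -q '192\.168' <<< "$out"; then exit 1; fi`.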
diff --git a/tests/shell/testcases/listing/dumps/0002ruleset_0.nft b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft diff --git a/tests/shell/testcases/listing/dumps/0003table_0.json-nft b/tests/shell/testcases/listing/dumps/0003table_0.json-nft new file mode 100644 index 00000000..1bb0e1b8 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0003table_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0003table_0.nft b/tests/shell/testcases/listing/dumps/0003table_0.nft new file mode 100644 index 00000000..1c9f40c5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0003table_0.nft @@ -0,0 +1,2 @@ +table ip test { +} diff --git a/tests/shell/testcases/listing/dumps/0004table_0.json-nft b/tests/shell/testcases/listing/dumps/0004table_0.json-nft new file mode 100644 index 00000000..85e9b287 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0004table_0.json-nft @@ -0,0 +1,25 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "test2", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0004table_0.nft b/tests/shell/testcases/listing/dumps/0004table_0.nft new file mode 100644 index 00000000..56d035d1 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0004table_0.nft @@ -0,0 +1,4 @@ +table ip test { +} +table ip test2 { +} 
diff --git a/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.json-nft 
@@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft 
@@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft new file mode 100644 index 00000000..ffd657e5 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.json-nft 
@@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test", + "handle": 0 + } + }, + { + "table": { + "family": "bridge", + "name": "test", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft new file mode 100644 index 00000000..c37261b3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft @@ -0,0 +1,10 @@ +table ip test { +} +table ip6 test { +} +table inet test { +} +table arp test { +} +table bridge test { +} diff --git a/tests/shell/testcases/listing/dumps/0010sets_0.json-nft b/tests/shell/testcases/listing/dumps/0010sets_0.json-nft new file mode 100644 index 00000000..6aa99b4e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0010sets_0.json-nft 
@@ -0,0 +1,120 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "ssh", + "table": "nat", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "testset", + "table": "test", + "type": "ipv6_addr", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp00", + "table": "test_arp", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp01", + "table": "test_arp", + "type": "inet_service", + "handle": 0, + "flags": "constant" + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "set": { + "family": "bridge", + "name": "test_set_bridge", + "table": "test_bridge", + "type": "inet_service", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set0", + "table": "filter", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set1", + "table": "filter", + "type": "inet_service", + "handle": 0, + "flags": "constant" + } + }, + { + "set": { + "family": "inet", + "name": "set2", + "table": "filter", + "type": "icmpv6_type", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0010sets_0.nft b/tests/shell/testcases/listing/dumps/0010sets_0.nft new file mode 100644 index 00000000..7303c403 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0010sets_0.nft 
@@ -0,0 +1,39 @@ +table ip nat { + set ssh { + type ipv4_addr + } +} +table ip6 test { + set testset { + type ipv6_addr + } +} +table arp test_arp { + set test_set_arp00 { + type inet_service + } + + set test_set_arp01 { + type inet_service + flags constant + } +} +table bridge test_bridge { + set test_set_bridge { + type inet_service + } +} +table inet filter { + set set0 { + type inet_service + } + + set set1 { + type inet_service + flags constant + } + + set set2 { + type icmpv6_type + } +} diff --git a/tests/shell/testcases/listing/dumps/0011sets_0.json-nft b/tests/shell/testcases/listing/dumps/0011sets_0.json-nft new file mode 100644 index 00000000..a742fa45 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0011sets_0.json-nft 
@@ -0,0 +1,220 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "sport" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "chain": { + "family": "arp", + "table": "test_arp", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "arp", + "table": "test_arp", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": { + "set": [ + 123, + 321 + ] + } + } + } + ] + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "test_bridge", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "bridge", + "table": "test_bridge", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "1.1.1.1", + "2.2.2.2" + ] + } + } + } + ] + } + }, + { + "table": { + "family": "inet", + 
"name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 80, + 443 + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0011sets_0.nft b/tests/shell/testcases/listing/dumps/0011sets_0.nft new file mode 100644 index 00000000..4d0aeaf3 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0011sets_0.nft @@ -0,0 +1,25 @@ +table ip nat { + chain test { + tcp dport { 123, 321 } + } +} +table ip6 test { + chain test { + udp sport { 123, 321 } + } +} +table arp test_arp { + chain test { + meta mark { 0x0000007b, 0x00000141 } + } +} +table bridge test_bridge { + chain test { + ip daddr { 1.1.1.1, 2.2.2.2 } + } +} +table inet filter { + chain test { + tcp dport { 80, 443 } + } +} diff --git a/tests/shell/testcases/listing/dumps/0012sets_0.json-nft b/tests/shell/testcases/listing/dumps/0012sets_0.json-nft new file mode 100644 index 00000000..6aa99b4e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0012sets_0.json-nft 
@@ -0,0 +1,120 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "ssh", + "table": "nat", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "testset", + "table": "test", + "type": "ipv6_addr", + "handle": 0 + } + }, + { + "table": { + "family": "arp", + "name": "test_arp", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp00", + "table": "test_arp", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "arp", + "name": "test_set_arp01", + "table": "test_arp", + "type": "inet_service", + "handle": 0, + "flags": "constant" + } + }, + { + "table": { + "family": "bridge", + "name": "test_bridge", + "handle": 0 + } + }, + { + "set": { + "family": "bridge", + "name": "test_set_bridge", + "table": "test_bridge", + "type": "inet_service", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set0", + "table": "filter", + "type": "inet_service", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "set1", + "table": "filter", + "type": "inet_service", + "handle": 0, + "flags": "constant" + } + }, + { + "set": { + "family": "inet", + "name": "set2", + "table": "filter", + "type": "icmpv6_type", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0012sets_0.nft b/tests/shell/testcases/listing/dumps/0012sets_0.nft new file mode 100644 index 00000000..7303c403 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0012sets_0.nft 
@@ -0,0 +1,39 @@ +table ip nat { + set ssh { + type ipv4_addr + } +} +table ip6 test { + set testset { + type ipv6_addr + } +} +table arp test_arp { + set test_set_arp00 { + type inet_service + } + + set test_set_arp01 { + type inet_service + flags constant + } +} +table bridge test_bridge { + set test_set_bridge { + type inet_service + } +} +table inet filter { + set set0 { + type inet_service + } + + set set1 { + type inet_service + flags constant + } + + set set2 { + type icmpv6_type + } +} diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.json-nft b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft new file mode 100644 index 00000000..830aad85 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "input", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "https-quota", + "table": "test", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": false + } + }, + { + "ct helper": { + "family": "ip", + "name": "cthelp", + "table": "test", + "handle": 0, + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "ct timeout": { + "family": "ip", + "name": "cttime", + "table": "test", + "handle": 0, + "protocol": "udp", + "l3proto": "ip", + "policy": { + "unreplied": 15, + "replied": 12 + } + } + }, + { + "ct expectation": { + "family": "ip", + "name": "ctexpect", + "table": "test", + "handle": 0, + "protocol": "tcp", + "dport": 5432, + "timeout": 3600000, + "size": 12, + "l3proto": "ip" + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.nft b/tests/shell/testcases/listing/dumps/0013objects_0.nft new file mode 100644 index 00000000..427db268 --- /dev/null 
+++ b/tests/shell/testcases/listing/dumps/0013objects_0.nft @@ -0,0 +1,27 @@ +table ip test { + quota https-quota { + 25 mbytes + } + + ct helper cthelp { + type "sip" protocol tcp + l3proto ip + } + + ct timeout cttime { + protocol udp + l3proto ip + policy = { unreplied : 15s, replied : 12s } + } + + ct expectation ctexpect { + protocol tcp + dport 5432 + timeout 1h + size 12 + l3proto ip + } + + chain input { + } +} diff --git a/tests/shell/testcases/listing/dumps/0014objects_0.json-nft b/tests/shell/testcases/listing/dumps/0014objects_0.json-nft new file mode 100644 index 00000000..83f72d40 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0014objects_0.json-nft @@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "https-quota", + "table": "test", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": false + } + }, + { + "ct helper": { + "family": "ip", + "name": "cthelp", + "table": "test", + "handle": 0, + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0014objects_0.nft b/tests/shell/testcases/listing/dumps/0014objects_0.nft new file mode 100644 index 00000000..9281a1a0 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0014objects_0.nft @@ -0,0 +1,12 @@ +table ip test { + quota https-quota { + 25 mbytes + } + + ct helper cthelp { + type "sip" protocol tcp + l3proto ip + } +} +table ip test-ip { +} diff --git a/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft b/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft new file mode 100644 index 00000000..a94a1b04 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0015dynamic_0.json-nft 
@@ -0,0 +1,38 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "test_set", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr", + "inet_service", + "inet_proto" + ], + "handle": 0, + "size": 100000, + "flags": [ + "timeout", + "dynamic" + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0015dynamic_0.nft b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft new file mode 100644 index 00000000..0f4244bf --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft @@ -0,0 +1,7 @@ +table ip filter { + set test_set { + type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto + size 100000 + flags dynamic,timeout + } +} diff --git a/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft b/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft new file mode 100644 index 00000000..e47ccb8e --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0016anonymous_0.json-nft 
@@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.1.1.1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + 2 + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0016anonymous_0.nft b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft new file mode 100644 index 00000000..cb089337 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft @@ -0,0 +1,6 @@ +table ip x { + chain y { + ip saddr 1.1.1.1 + meta mark set ip saddr map { 1.1.1.1 : 0x00000002 } + } +} diff --git a/tests/shell/testcases/listing/dumps/0017objects_0.json-nft b/tests/shell/testcases/listing/dumps/0017objects_0.json-nft new file mode 100644 index 00000000..d735f7a1 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0017objects_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "countermap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter" + } + } + ] +} 
diff --git a/tests/shell/testcases/listing/dumps/0017objects_0.nft b/tests/shell/testcases/listing/dumps/0017objects_0.nft new file mode 100644 index 00000000..e60e3afa --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0017objects_0.nft @@ -0,0 +1,5 @@ +table inet filter { + map countermap { + type ipv4_addr : counter + } +} diff --git a/tests/shell/testcases/listing/dumps/0018data_0.json-nft b/tests/shell/testcases/listing/dumps/0018data_0.json-nft new file mode 100644 index 00000000..211dcd30 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0018data_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "ipmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr" + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0018data_0.nft b/tests/shell/testcases/listing/dumps/0018data_0.nft new file mode 100644 index 00000000..5d318550 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0018data_0.nft @@ -0,0 +1,5 @@ +table inet filter { + map ipmap { + type ipv4_addr : ipv4_addr + } +} diff --git a/tests/shell/testcases/listing/dumps/0019set_0.json-nft b/tests/shell/testcases/listing/dumps/0019set_0.json-nft new file mode 100644 index 00000000..3bb7cb8a --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0019set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "ipset", + "table": "filter", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/listing/dumps/0019set_0.nft b/tests/shell/testcases/listing/dumps/0019set_0.nft new file mode 100644 index 00000000..915922ca --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0019set_0.nft @@ -0,0 +1,5 @@ +table inet filter { + set ipset { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft new file mode 100644 index 00000000..d511739a --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.json-nft @@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "flowtable": { + "family": "inet", + "name": "f2", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "flowtable": { + "family": "ip", + "name": "f2", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": 0 + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft new file mode 100644 index 00000000..4a64e531 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft 
@@ -0,0 +1,20 @@ +table inet filter { + flowtable f { + hook ingress priority filter + devices = { lo } + } + + flowtable f2 { + hook ingress priority filter + } +} +table ip filter { + flowtable f { + hook ingress priority filter + devices = { lo } + } + + flowtable f2 { + hook ingress priority filter + } +} diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft new file mode 100644 index 00000000..d1131bb4 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "192.168.3.4", + "192.168.3.5" + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft new file mode 100644 index 00000000..13c8ac63 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft @@ -0,0 +1,9 @@ +table ip test { + set s { + type ipv4_addr + elements = { 192.168.3.4, 192.168.3.5 } + } + + chain c { + } +} diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.json-nft b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft new file mode 100644 index 00000000..1a33d688 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft 
@@ -0,0 +1,86 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "inet", + "name": "example", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + "10.10.10.10", + "10.10.11.11" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + "10.10.10.100", + "10.10.10.111" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@example" + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.nft b/tests/shell/testcases/listing/dumps/0022terse_0.nft new file mode 100644 index 00000000..40665cb7 --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0022terse_0.nft @@ -0,0 +1,12 @@ +table inet filter { + set example { + type ipv4_addr + flags interval + elements = { 10.10.10.10, 10.10.11.11 } + } + + chain input { + type filter hook prerouting priority filter; policy accept; + ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop + } +} diff --git a/tests/shell/testcases/listing/dumps/meta_time.nodump b/tests/shell/testcases/listing/dumps/meta_time.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/listing/dumps/meta_time.nodump diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time new file mode 100755 index 00000000..96a9d557 --- /dev/null 
+++ b/tests/shell/testcases/listing/meta_time
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_meta_time)
+
+set -e
+
+TMP1=$(mktemp)
+TMP2=$(mktemp)
+
+cleanup()
+{
+ rm -f "$TMP1"
+ rm -f "$TMP2"
+}
+
+check_decode()
+{
+ TZ=$1 $NFT list chain t c | grep meta > "$TMP2"
+ diff -u "$TMP1" "$TMP2"
+}
+
+trap cleanup EXIT
+
+$NFT -f - <<EOF
+table t {
+ chain c {
+ }
+}
+EOF
+
+for i in $(seq -w 0 23); do
+ TZ=UTC $NFT add rule t c meta hour "$i:00"-"$i:59"
+done
+
+# Check decoding in UTC, this mirrors 1:1 what should have been added.
+for i in $(seq 0 23); do
+ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+
+check_decode UTC
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 23 0 23 59 > "$TMP1"
+for i in $(seq 0 22); do
+ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+check_decode UTC+1
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 1 0 1 59 > "$TMP1"
+for i in $(seq 2 23); do
+ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 0 59 >> "$TMP1"
+
+check_decode UTC-1
+
+$NFT flush chain t c
+TZ=EADT $NFT add rule t c meta hour "03:00"-"14:00"
+TZ=EADT $NFT add rule t c meta hour "04:00"-"15:00"
+TZ=EADT $NFT add rule t c meta hour "05:00"-"16:00"
+TZ=EADT $NFT add rule t c meta hour "06:00"-"17:00"
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 3 0 14 0 > "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 4 0 15 0 >> "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 5 0 16 0 >> "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 6 0 17 0 >> "$TMP1"
+
+check_decode EADT
diff --git a/tests/shell/testcases/listing/reset_objects b/tests/shell/testcases/listing/reset_objects
new file mode 100755
index 00000000..0b6720b6
--- /dev/null
+++ b/tests/shell/testcases/listing/reset_objects
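Review bot: `trap cleanup EXIT` is installed only after both `mktemp` calls, so if `TMP2=$(mktemp)` fails under `set -e` the file already created for `TMP1` is never removed; registering the trap before the first `mktemp` closes that window (`rm -f` on a still-empty variable is a no-op, or guard it with `[ -n "$TMP1" ]` if you prefer not to rely on that). The zone names passed to `check_decode` deserve a comment, because POSIX `TZ=UTC+1` denotes a zone one hour west of UTC, which is why the UTC+1 expectation starts at 23:00 rather than 01:00 — e.g. `# POSIX TZ offsets are inverted: UTC+1 is one hour *behind* UTC`. `check_decode` pipes `$NFT list chain t c` into `grep` without `pipefail`, so a failing nft invocation is only reported indirectly through the resulting diff mismatch, which is acceptable here but worth stating in the function's comment.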
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+set -e
+
+load_ruleset()
+{
+ $NFT -f - <<EOF
+table ip test {
+ quota https-quota {
+ 25 mbytes used 10 mbytes
+ }
+ counter https-counter {
+ packets 10 bytes 4096
+ }
+}
+EOF
+}
+
+check_list_quota()
+{
+ EXPECT="table ip test {
+ quota https-quota {
+ 25 mbytes
+ }
+}"
+ $DIFF -u <(echo "$EXPECT") <($NFT list quotas)
+}
+
+check_list_counter()
+{
+ EXPECT="table ip test {
+ counter https-counter {
+ packets 0 bytes 0
+ }
+}"
+ $DIFF -u <(echo "$EXPECT") <($NFT list counters)
+}
+
+load_ruleset
+
+EXPECT="table ip test {
+ quota https-quota {
+ 25 mbytes used 10 mbytes
+ }
+}"
+$DIFF -u <(echo "$EXPECT") <($NFT reset quotas)
+
+check_list_quota
+$NFT flush ruleset
+load_ruleset
+
+EXPECT="table ip test {
+ quota https-quota {
+ 25 mbytes used 10 mbytes
+ }
+}"
+$DIFF -u <(echo "$EXPECT") <($NFT reset quotas ip)
+
+check_list_quota
+$NFT flush ruleset
+load_ruleset
+
+EXPECT="table ip test {
+ quota https-quota {
+ 25 mbytes used 10 mbytes
+ }
+}"
+$DIFF -u <(echo "$EXPECT") <($NFT reset quota ip test https-quota)
+
+check_list_quota
+$NFT flush ruleset
+load_ruleset
+
+EXPECT="table ip test {
+ counter https-counter {
+ packets 10 bytes 4096
+ }
+}"
+$DIFF -u <(echo "$EXPECT") <($NFT reset counters)
+
+check_list_counter
+$NFT flush ruleset
+load_ruleset
+
+EXPECT="table ip test {
+ counter https-counter {
+ packets 10 bytes 4096
+ }
+}"
+$DIFF -u <(echo "$EXPECT") <($NFT reset counters ip)
+
+check_list_counter
+$NFT flush ruleset
+load_ruleset
+
+EXPECT="table ip test {
+ counter https-counter {
+ packets 10 bytes 4096
+ }
+}"
+$DIFF -u <(echo "$EXPECT") <($NFT reset counter ip test https-counter)
+
+check_list_counter
+$NFT flush ruleset
diff --git a/tests/shell/testcases/maps/0003map_add_many_elements_0 b/tests/shell/testcases/maps/0003map_add_many_elements_0
index 2b254c51..427d94df 100755
--- a/tests/shell/testcases/maps/0003map_add_many_elements_0
+++ b/tests/shell/testcases/maps/0003map_add_many_elements_0
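Review bot: `EXPECT` inside `check_list_quota` and `check_list_counter` is assigned without `local`, so each call clobbers the script-level `EXPECT` that the surrounding blocks also use; it only works because every block reassigns `EXPECT` before reading it, and `local EXPECT` in both helpers removes that coupling. The three quota blocks and the three counter blocks repeat the same five-line `EXPECT` literal verbatim; a small helper such as `check_reset() { $DIFF -u <(echo "$1") <($NFT "${@:2}"); }` called with the literal once per variant would let the six reset forms under test stand out. `set -e` does not see a failing `$NFT reset …` inside the process substitution — the failure only surfaces as a diff mismatch — which is fine here but worth a one-line comment at the first `$DIFF` call.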
@@ -24,19 +24,12 @@ generate_add() { } generate_test() { - count=0 elements="" for ((i=1; i<=HOWMANY; i++)) ; do for ((j=1; j<=HOWMANY; j++)) ; do - ((count++)) elements="${elements}10.0.${i}.${j} : 10.0.${i}.${j}" [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break - if [ "$count" == "2" ] ; then - count=0 - elements="${elements},\\n\\t\\t\\t " - else - elements="${elements}, " - fi + elements="${elements},\\n\\t\\t\\t " done done echo -e "$elements" diff --git a/tests/shell/testcases/maps/0004interval_map_create_once_0 b/tests/shell/testcases/maps/0004interval_map_create_once_0 index 3de0c9de..7d382559 100755 --- a/tests/shell/testcases/maps/0004interval_map_create_once_0 +++ b/tests/shell/testcases/maps/0004interval_map_create_once_0 @@ -5,6 +5,10 @@ HOWMANY=63 +if [ "$NFT_TEST_SKIP_slow" = y ] ; then + HOWMANY=5 +fi + tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then echo "Failed to create tmp file" >&2 @@ -26,19 +30,12 @@ generate_add() { } generate_test() { - count=0 elements="" for ((i=1; i<=HOWMANY; i++)) ; do for ((j=1; j<=HOWMANY; j++)) ; do - ((count++)) elements="${elements}10.${i}.${j}.0/24 : 10.0.${i}.${j}" [ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break - if [ "$count" == "2" ] ; then - count=0 - elements="${elements},\\n\\t\\t\\t " - else - elements="${elements}, " - fi + elements="${elements},\\n\\t\\t\\t " done done echo -e "$elements" @@ -64,3 +61,7 @@ if [ "$EXPECTED" != "$GET" ] ; then exit 1 fi +if [ "$HOWMANY" != 63 ] ; then + echo "Run a partial test due to NFT_TEST_SKIP_slow=y. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0008interval_map_delete_0 b/tests/shell/testcases/maps/0008interval_map_delete_0 index 39ea3127..86e54b68 100755 --- a/tests/shell/testcases/maps/0008interval_map_delete_0 +++ b/tests/shell/testcases/maps/0008interval_map_delete_0 
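Review bot: The new separator `elements="${elements},\\n\\t\\t\\t "` stores doubled backslashes that only turn into a newline and tabs when the context line `echo -e "$elements"` reinterprets them, so the string is built with escape text and decoded later by a different command; if nothing else consumes `elements` with escape interpretation, a `$'…'` literal, `elements+=$',\n\t\t\t '`, puts the real characters in the string and lets the last line become `printf '%s\n' "$elements"`. The same change is made in the `generate_test` hunk of 0004interval_map_create_once_0 in this commit and the suggestion applies there too. `generate_test` continues past the end of this hunk.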
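Review bot: The skip guard added at the end of 0004interval_map_create_once_0, `if [ "$HOWMANY" != 63 ] ; then`, re-encodes the full element count as a magic literal that must be kept in sync with `HOWMANY=63` at the top of the file; testing the same condition the top uses, `if [ "$NFT_TEST_SKIP_slow" = y ] ; then`, or introducing `HOWMANY_FULL=63` and comparing against that, keeps the two in step. Its message also says "Run a partial test" where the sibling tests in this commit print "Ran partial tests … (skipped)"; aligning the wording helps when filtering the runner's output for skips.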
@@ -6,7 +6,8 @@ EXPECTED="table ip filter { map m { type ipv4_addr : mark flags interval - elements = { 127.0.0.2 : 0x00000002, 127.0.0.3 : 0x00000003 } + elements = { 127.0.0.2 : 0x00000002, + 127.0.0.3 : 0x00000003 } } chain input { diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0 index 7627c81d..4e133b72 100755 --- a/tests/shell/testcases/maps/0009vmap_0 +++ b/tests/shell/testcases/maps/0009vmap_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + set -e EXPECTED="table inet filter { @@ -12,7 +14,7 @@ EXPECTED="table inet filter { chain prerouting { type filter hook prerouting priority -300; policy accept; - iif vmap { "lo" : jump wan_input } + iif vmap { "lo" counter : jump wan_input } } }" diff --git a/tests/shell/testcases/maps/0010concat_map_0 b/tests/shell/testcases/maps/0010concat_map_0 index 4848d972..859bbfcf 100755 --- a/tests/shell/testcases/maps/0010concat_map_0 +++ b/tests/shell/testcases/maps/0010concat_map_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_nat) + set -e EXPECTED="table inet x { diff --git a/tests/shell/testcases/maps/0011vmap_0 b/tests/shell/testcases/maps/0011vmap_0 index 83704d48..3e6fa78d 100755 --- a/tests/shell/testcases/maps/0011vmap_0 +++ b/tests/shell/testcases/maps/0011vmap_0 @@ -22,4 +22,12 @@ EXPECTED="table inet filter { }" $NFT -f - <<< "$EXPECTED" -$NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }' + +if [ "$NFT_TEST_HAVE_catchall_element" != n ]; then + $NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }' +fi + +if [ "$NFT_TEST_HAVE_catchall_element" = n ]; then + echo "Ran partial tests due to NFT_TEST_HAVE_catchall_element=n (skipped)" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0012map_0 b/tests/shell/testcases/maps/0012map_0 index 49e51b75..dd93c482 100755 --- a/tests/shell/testcases/maps/0012map_0 +++ b/tests/shell/testcases/maps/0012map_0 
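Review bot: The two consecutive tests of `$NFT_TEST_HAVE_catchall_element` added to 0011vmap_0 (`!= n` followed by `= n`) are mutually exclusive, so a single `if … else … fi` around the element add and the `exit 77` branch expresses the intent without making a reader check whether a value could satisfy both. Because the skip is reached only when the variable equals `n`, any other unexpected value silently runs the catch-all add; if the variable is meant to be strictly `y`/`n`, a comment saying so would make the `!= n` test deliberate rather than accidental.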
@@ -15,22 +15,3 @@ table ip x { }" $NFT -f - <<< "$EXPECTED" - -EXPECTED="table ip x { - map w { - typeof ip saddr . meta mark : verdict - flags interval - counter - elements = { - 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept, - } - } - - chain k { - type filter hook input priority filter + 1; policy accept; - meta mark set 0x123434 - ip saddr . meta mark vmap @w - } -}" - -$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0012map_concat_0 b/tests/shell/testcases/maps/0012map_concat_0 new file mode 100755 index 00000000..d18c7a73 --- /dev/null +++ b/tests/shell/testcases/maps/0012map_concat_0 @@ -0,0 +1,24 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +EXPECTED="table ip x { + map w { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { + 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept, + } + } + + chain k { + type filter hook input priority filter + 1; policy accept; + meta mark set 0x123434 + ip saddr . meta mark vmap @w + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0 index 70d7fd3b..c8d20cee 100755 --- a/tests/shell/testcases/maps/0013map_0 +++ b/tests/shell/testcases/maps/0013map_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e RULESET=" diff --git a/tests/shell/testcases/maps/0014destroy_0 b/tests/shell/testcases/maps/0014destroy_0 new file mode 100755 index 00000000..ee81e3cd --- /dev/null +++ b/tests/shell/testcases/maps/0014destroy_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table x + +# pass for non-existent map +$NFT destroy map x y + +# successfully delete existing map +$NFT add map x y '{ type ipv4_addr : ipv4_addr; }' +$NFT destroy map x y diff --git a/tests/shell/testcases/maps/0016map_leak_0 b/tests/shell/testcases/maps/0016map_leak_0 new file mode 100755 index 00000000..e110ee4b --- /dev/null 
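Review bot: `#!/bin/bash -e` on the first line of 0014destroy_0 is the only place in this commit where the error flag lives in the shebang; that flag is lost if the runner ever invokes the test as `bash <path>` instead of executing it directly, and the neighbouring new tests (0012map_concat_0, 0016map_leak_0) all use `set -e` on its own line. Replacing it with `#!/bin/bash` followed by `set -e` after the `NFT_TEST_REQUIRES` comment keeps the failure behaviour independent of how the script is launched. The hunk is the whole file.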
+++ b/tests/shell/testcases/maps/0016map_leak_0 @@ -0,0 +1,38 @@ +#!/bin/bash + +set -e + +RULESET="table ip t { + map sourcemap { + type ipv4_addr : verdict + elements = { 100.123.10.2 : jump c } + } + + chain c { + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak +$NFT flush ruleset + +# +# again with stateful objects +# + +RULESET="table ip t { + counter c {} + + map sourcemap { + type ipv4_addr : counter + elements = { 100.123.10.2 : \"c\" } + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak +$NFT flush ruleset diff --git a/tests/shell/testcases/maps/0017_map_variable_0 b/tests/shell/testcases/maps/0017_map_variable_0 new file mode 100755 index 00000000..e01adb4c --- /dev/null +++ b/tests/shell/testcases/maps/0017_map_variable_0 @@ -0,0 +1,32 @@ +#!/bin/bash + +set -e + +if [ "$NFT_TEST_HAVE_catchall_element" != n ] ; then + CATCHALL="* : 3," +else + CATCHALL="," +fi + +RULESET="define x = { + 1.1.1.1 : 2, + $CATCHALL +} + +table ip x { + map y { + typeof ip saddr : mark + elements = \$x + } + map z { + typeof ip saddr : mark + elements = \$x + } +}" + +$NFT -f - <<< "$RULESET" + +if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then + echo "Ran modified version of test due to NFT_TEST_HAVE_catchall_element=n (skipped)" + exit 77 +fi diff --git a/tests/shell/testcases/maps/0018map_leak_timeout_0 b/tests/shell/testcases/maps/0018map_leak_timeout_0 new file mode 100755 index 00000000..09db315a --- /dev/null +++ b/tests/shell/testcases/maps/0018map_leak_timeout_0 
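Review bot: The fallback `CATCHALL=","` in 0017_map_variable_0 expands the `define x` body to `1.1.1.1 : 2,` followed by a lone `,`, so the test depends on the parser tolerating a doubled comma; `CATCHALL=""` expresses "no catch-all element" directly and leaves the first element's trailing comma as the only one. If the doubled comma is itself intended as coverage, a comment such as `# empty fallback: relies on the parser accepting ", ,"` would make that explicit. The hunk is the whole file.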
@@ -0,0 +1,50 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +set -e + +RULESET="table ip t { + map sourcemap { + type ipv4_addr : verdict + timeout 3s + elements = { 100.123.10.2 : jump c } + } + + chain c { + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" + +# wait for elements to expire +sleep 5 + +# flush it to check for refcount leak +$NFT flush ruleset + +# +# again with stateful objects +# + +RULESET="table ip t { + counter c {} + + map sourcemap { + type ipv4_addr : counter + timeout 3s + elements = { 100.123.10.2 : \"c\" } + } +}" + +$NFT -f - <<< "$RULESET" +# again, since it is addition, not creation, it is successful +$NFT -f - <<< "$RULESET" +# flush it to check for refcount leak + +# wait for elements to expire +sleep 5 + +$NFT flush ruleset diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/maps/0024named_objects_0 index 6d21e388..21200c3c 100755 --- a/tests/shell/testcases/sets/0024named_objects_0 +++ b/tests/shell/testcases/maps/0024named_objects_0 @@ -18,15 +18,6 @@ table inet x { quota user124 { over 2000 bytes } - synproxy https-synproxy { - mss 1460 - wscale 7 - timestamp sack-perm - } - synproxy other-synproxy { - mss 1460 - wscale 5 - } set y { type ipv4_addr } @@ -34,15 +25,9 @@ table inet x { type ipv4_addr : quota elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"} } - map test2 { - type ipv4_addr : synproxy - flags interval - elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } - } chain y { type filter hook input priority 0; policy accept; counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"} - synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } quota name ip saddr map @test drop } }" 
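Review bot: In the second half of 0018map_leak_timeout_0 the comment `# flush it to check for refcount leak` is separated from the `$NFT flush ruleset` it describes by the `sleep 5` and its own comment, so it reads as if the flush happened before the wait; move it directly above the final `$NFT flush ruleset`, mirroring the first half. The `sleep 5` / `timeout 3s` pairing is a hard-coded margin that appears twice; a `TIMEOUT=3` variable used as `timeout ${TIMEOUT}s` in both rulesets and `sleep $((TIMEOUT + 2))` would document why the sleep is longer than the timeout. The hunk is the whole file.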
diff --git a/tests/shell/testcases/maps/0024named_objects_1 b/tests/shell/testcases/maps/0024named_objects_1 new file mode 100755 index 00000000..a861e9e2 --- /dev/null +++ b/tests/shell/testcases/maps/0024named_objects_1 @@ -0,0 +1,31 @@ +#!/bin/bash + +# This is the test-case: +# * creating valid named objects and using map variables in statements + +RULESET=' +define counter_map = { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123" } +define quota_map = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } + +table inet x { + counter user123 { + packets 12 bytes 1433 + } + counter user321 { + packets 12 bytes 1433 + } + quota user123 { + over 2000 bytes + } + quota user124 { + over 2000 bytes + } + chain y { + type filter hook input priority 0; policy accept; + counter name ip saddr map $counter_map + quota name ip saddr map $quota_map drop + } +}' + +set -e +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/maps/0024named_objects_2 b/tests/shell/testcases/maps/0024named_objects_2 new file mode 100755 index 00000000..584b5100 --- /dev/null +++ b/tests/shell/testcases/maps/0024named_objects_2 @@ -0,0 +1,23 @@ +#!/bin/bash + +# +# Test some error conditions for using variables to define maps +# + +set -e + +for m in "192.168.2.2" "{ 192.168.2.2, 1.1.1.1, 2.2.2.2 }"; do + + RULESET=" +define m = $m"' +table inet x { + chain y { + type filter hook input priority 0; policy accept; + counter name ip saddr map $m + } +}' + + $NFT -f - <<< "$RULESET" || rc=$? + test $rc = 1 + +done diff --git a/tests/shell/testcases/maps/anon_objmap_concat b/tests/shell/testcases/maps/anon_objmap_concat index 07820b7c..34465f1d 100755 --- a/tests/shell/testcases/maps/anon_objmap_concat +++ b/tests/shell/testcases/maps/anon_objmap_concat @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e dumpfile=$(dirname $0)/dumps/$(basename $0).nft 
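Review bot: `rc` in the loop of 0024named_objects_2 is never reset, so if `$NFT -f -` unexpectedly succeeds on the second iteration, `test $rc = 1` still sees the `1` left by the first and the test passes; on a first-iteration success it is unset and `test = 1` fails for the wrong reason. Initialise it per iteration with `rc=0` just before `$NFT -f - <<< "$RULESET" || rc=$?`, and quote it, `test "$rc" = 1`. The same pattern is in anonymous_snat_map_2 in this commit.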
diff --git a/tests/shell/testcases/maps/anonymous_snat_map_1 b/tests/shell/testcases/maps/anonymous_snat_map_1 new file mode 100755 index 00000000..031de0c1 --- /dev/null +++ b/tests/shell/testcases/maps/anonymous_snat_map_1 @@ -0,0 +1,16 @@ +#!/bin/bash + +# Variable containing anonymous map can be added to a snat rule + +set -e + +RULESET=' +define m = {1.1.1.1 : 2.2.2.2} +table nat { + chain postrouting { + snat ip saddr map $m + } +} +' + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/maps/anonymous_snat_map_2 b/tests/shell/testcases/maps/anonymous_snat_map_2 new file mode 100755 index 00000000..90e02038 --- /dev/null +++ b/tests/shell/testcases/maps/anonymous_snat_map_2 @@ -0,0 +1,23 @@ +#!/bin/bash + +# +# Test some error conditions for using variables to define maps +# + +set -e + +for m in "1.1.1.1" "{1.1.1.1}"; do + + RULESET=" +define m = $m"' +table nat { + chain postrouting { + snat ip saddr map $m + } +} +' + + $NFT -f - <<< "$RULESET" || rc=$? + test $rc = 1 + +done diff --git a/tests/shell/testcases/maps/delete_element b/tests/shell/testcases/maps/delete_element new file mode 100755 index 00000000..75272f44 --- /dev/null +++ b/tests/shell/testcases/maps/delete_element @@ -0,0 +1,28 @@ +#!/bin/bash + +set -e + +RULESET="flush ruleset + +table ip x { + map m { + typeof ct bytes : meta priority + flags interval + elements = { + 0-2048000 : 1:0001, + 2048001-4000000 : 1:0002, + } + } + + chain y { + type filter hook output priority 0; policy accept; + + meta priority set ct bytes map @m + } +}" + +$NFT -f - <<< $RULESET + +$NFT delete element ip x m { 0-2048000 } +$NFT add element ip x m { 0-2048000 : 1:0002 } +$NFT delete element ip x m { 0-2048000 : 1:0002 } diff --git a/tests/shell/testcases/maps/delete_element_catchall b/tests/shell/testcases/maps/delete_element_catchall new file mode 100755 index 00000000..a6a0fc6f --- /dev/null +++ b/tests/shell/testcases/maps/delete_element_catchall 
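Review bot: `$NFT -f - <<< $RULESET` in delete_element leaves the here-string operand unquoted, unlike every other `<<< "$RULESET"` in this commit; bash does not word-split or pathname-expand a here-string operand, so it happens to work, but the inconsistency invites a future copy into a context (an `echo $RULESET |` pipe, say) where the `*` catch-all element used by the sibling file would glob. Quote it, `$NFT -f - <<< "$RULESET"`, here and in delete_element_catchall. The hunk is the whole file.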
@@ -0,0 +1,35 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + +set -e + +RULESET="flush ruleset + +table ip x { + map m { + typeof ct bytes : meta priority + flags interval + elements = { + 0-2048000 : 1:0001, + * : 1:0002, + } + } + + chain y { + type filter hook output priority 0; policy accept; + + meta priority set ct bytes map @m + } +}" + +$NFT -f - <<< $RULESET + +$NFT delete element ip x m { 0-2048000 } +$NFT add element ip x m { 0-2048000 : 1:0002 } +$NFT delete element ip x m { 0-2048000 : 1:0002 } + +$NFT 'delete element ip x m { * }' +$NFT 'add element ip x m { * : 1:0003 }' +$NFT 'delete element ip x m { * : 1:0003 }' +$NFT 'add element ip x m { * : 1:0003 }' diff --git a/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.json-nft b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.json-nft new file mode 100644 index 00000000..1b5c2a23 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.json-nft 
@@ -0,0 +1,3874 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "10.0.1.1", + "10.0.1.1" + ], + [ + "10.0.1.2", + "10.0.1.2" + ], + [ + "10.0.1.3", + "10.0.1.3" + ], + [ + "10.0.1.4", + "10.0.1.4" + ], + [ + "10.0.1.5", + "10.0.1.5" + ], + [ + "10.0.1.6", + "10.0.1.6" + ], + [ + "10.0.1.7", + "10.0.1.7" + ], + [ + "10.0.1.8", + "10.0.1.8" + ], + [ + "10.0.1.9", + "10.0.1.9" + ], + [ + "10.0.1.10", + "10.0.1.10" + ], + [ + "10.0.1.11", + "10.0.1.11" + ], + [ + "10.0.1.12", + "10.0.1.12" + ], + [ + "10.0.1.13", + "10.0.1.13" + ], + [ + "10.0.1.14", + "10.0.1.14" + ], + [ + "10.0.1.15", + "10.0.1.15" + ], + [ + "10.0.1.16", + "10.0.1.16" + ], + [ + "10.0.1.17", + "10.0.1.17" + ], + [ + "10.0.1.18", + "10.0.1.18" + ], + [ + "10.0.1.19", + "10.0.1.19" + ], + [ + "10.0.1.20", + "10.0.1.20" + ], + [ + "10.0.1.21", + "10.0.1.21" + ], + [ + "10.0.1.22", + "10.0.1.22" + ], + [ + "10.0.1.23", + "10.0.1.23" + ], + [ + "10.0.1.24", + "10.0.1.24" + ], + [ + "10.0.1.25", + "10.0.1.25" + ], + [ + "10.0.1.26", + "10.0.1.26" + ], + [ + "10.0.1.27", + "10.0.1.27" + ], + [ + "10.0.1.28", + "10.0.1.28" + ], + [ + "10.0.1.29", + "10.0.1.29" + ], + [ + "10.0.1.30", + "10.0.1.30" + ], + [ + "10.0.1.31", + "10.0.1.31" + ], + [ + "10.0.2.1", + "10.0.2.1" + ], + [ + "10.0.2.2", + "10.0.2.2" + ], + [ + "10.0.2.3", + "10.0.2.3" + ], + [ + "10.0.2.4", + "10.0.2.4" + ], + [ + "10.0.2.5", + "10.0.2.5" + ], + [ + "10.0.2.6", + "10.0.2.6" + ], + [ + "10.0.2.7", + "10.0.2.7" + ], + [ + "10.0.2.8", + "10.0.2.8" + ], + [ + "10.0.2.9", + "10.0.2.9" + ], + [ + "10.0.2.10", + "10.0.2.10" + ], + [ + "10.0.2.11", + "10.0.2.11" + ], + [ + "10.0.2.12", + "10.0.2.12" + ], + [ + "10.0.2.13", + "10.0.2.13" + ], + 
[ + "10.0.2.14", + "10.0.2.14" + ], + [ + "10.0.2.15", + "10.0.2.15" + ], + [ + "10.0.2.16", + "10.0.2.16" + ], + [ + "10.0.2.17", + "10.0.2.17" + ], + [ + "10.0.2.18", + "10.0.2.18" + ], + [ + "10.0.2.19", + "10.0.2.19" + ], + [ + "10.0.2.20", + "10.0.2.20" + ], + [ + "10.0.2.21", + "10.0.2.21" + ], + [ + "10.0.2.22", + "10.0.2.22" + ], + [ + "10.0.2.23", + "10.0.2.23" + ], + [ + "10.0.2.24", + "10.0.2.24" + ], + [ + "10.0.2.25", + "10.0.2.25" + ], + [ + "10.0.2.26", + "10.0.2.26" + ], + [ + "10.0.2.27", + "10.0.2.27" + ], + [ + "10.0.2.28", + "10.0.2.28" + ], + [ + "10.0.2.29", + "10.0.2.29" + ], + [ + "10.0.2.30", + "10.0.2.30" + ], + [ + "10.0.2.31", + "10.0.2.31" + ], + [ + "10.0.3.1", + "10.0.3.1" + ], + [ + "10.0.3.2", + "10.0.3.2" + ], + [ + "10.0.3.3", + "10.0.3.3" + ], + [ + "10.0.3.4", + "10.0.3.4" + ], + [ + "10.0.3.5", + "10.0.3.5" + ], + [ + "10.0.3.6", + "10.0.3.6" + ], + [ + "10.0.3.7", + "10.0.3.7" + ], + [ + "10.0.3.8", + "10.0.3.8" + ], + [ + "10.0.3.9", + "10.0.3.9" + ], + [ + "10.0.3.10", + "10.0.3.10" + ], + [ + "10.0.3.11", + "10.0.3.11" + ], + [ + "10.0.3.12", + "10.0.3.12" + ], + [ + "10.0.3.13", + "10.0.3.13" + ], + [ + "10.0.3.14", + "10.0.3.14" + ], + [ + "10.0.3.15", + "10.0.3.15" + ], + [ + "10.0.3.16", + "10.0.3.16" + ], + [ + "10.0.3.17", + "10.0.3.17" + ], + [ + "10.0.3.18", + "10.0.3.18" + ], + [ + "10.0.3.19", + "10.0.3.19" + ], + [ + "10.0.3.20", + "10.0.3.20" + ], + [ + "10.0.3.21", + "10.0.3.21" + ], + [ + "10.0.3.22", + "10.0.3.22" + ], + [ + "10.0.3.23", + "10.0.3.23" + ], + [ + "10.0.3.24", + "10.0.3.24" + ], + [ + "10.0.3.25", + "10.0.3.25" + ], + [ + "10.0.3.26", + "10.0.3.26" + ], + [ + "10.0.3.27", + "10.0.3.27" + ], + [ + "10.0.3.28", + "10.0.3.28" + ], + [ + "10.0.3.29", + "10.0.3.29" + ], + [ + "10.0.3.30", + "10.0.3.30" + ], + [ + "10.0.3.31", + "10.0.3.31" + ], + [ + "10.0.4.1", + "10.0.4.1" + ], + [ + "10.0.4.2", + "10.0.4.2" + ], + [ + "10.0.4.3", + "10.0.4.3" + ], + [ + "10.0.4.4", + "10.0.4.4" + ], + [ + 
"10.0.4.5", + "10.0.4.5" + ], + [ + "10.0.4.6", + "10.0.4.6" + ], + [ + "10.0.4.7", + "10.0.4.7" + ], + [ + "10.0.4.8", + "10.0.4.8" + ], + [ + "10.0.4.9", + "10.0.4.9" + ], + [ + "10.0.4.10", + "10.0.4.10" + ], + [ + "10.0.4.11", + "10.0.4.11" + ], + [ + "10.0.4.12", + "10.0.4.12" + ], + [ + "10.0.4.13", + "10.0.4.13" + ], + [ + "10.0.4.14", + "10.0.4.14" + ], + [ + "10.0.4.15", + "10.0.4.15" + ], + [ + "10.0.4.16", + "10.0.4.16" + ], + [ + "10.0.4.17", + "10.0.4.17" + ], + [ + "10.0.4.18", + "10.0.4.18" + ], + [ + "10.0.4.19", + "10.0.4.19" + ], + [ + "10.0.4.20", + "10.0.4.20" + ], + [ + "10.0.4.21", + "10.0.4.21" + ], + [ + "10.0.4.22", + "10.0.4.22" + ], + [ + "10.0.4.23", + "10.0.4.23" + ], + [ + "10.0.4.24", + "10.0.4.24" + ], + [ + "10.0.4.25", + "10.0.4.25" + ], + [ + "10.0.4.26", + "10.0.4.26" + ], + [ + "10.0.4.27", + "10.0.4.27" + ], + [ + "10.0.4.28", + "10.0.4.28" + ], + [ + "10.0.4.29", + "10.0.4.29" + ], + [ + "10.0.4.30", + "10.0.4.30" + ], + [ + "10.0.4.31", + "10.0.4.31" + ], + [ + "10.0.5.1", + "10.0.5.1" + ], + [ + "10.0.5.2", + "10.0.5.2" + ], + [ + "10.0.5.3", + "10.0.5.3" + ], + [ + "10.0.5.4", + "10.0.5.4" + ], + [ + "10.0.5.5", + "10.0.5.5" + ], + [ + "10.0.5.6", + "10.0.5.6" + ], + [ + "10.0.5.7", + "10.0.5.7" + ], + [ + "10.0.5.8", + "10.0.5.8" + ], + [ + "10.0.5.9", + "10.0.5.9" + ], + [ + "10.0.5.10", + "10.0.5.10" + ], + [ + "10.0.5.11", + "10.0.5.11" + ], + [ + "10.0.5.12", + "10.0.5.12" + ], + [ + "10.0.5.13", + "10.0.5.13" + ], + [ + "10.0.5.14", + "10.0.5.14" + ], + [ + "10.0.5.15", + "10.0.5.15" + ], + [ + "10.0.5.16", + "10.0.5.16" + ], + [ + "10.0.5.17", + "10.0.5.17" + ], + [ + "10.0.5.18", + "10.0.5.18" + ], + [ + "10.0.5.19", + "10.0.5.19" + ], + [ + "10.0.5.20", + "10.0.5.20" + ], + [ + "10.0.5.21", + "10.0.5.21" + ], + [ + "10.0.5.22", + "10.0.5.22" + ], + [ + "10.0.5.23", + "10.0.5.23" + ], + [ + "10.0.5.24", + "10.0.5.24" + ], + [ + "10.0.5.25", + "10.0.5.25" + ], + [ + "10.0.5.26", + "10.0.5.26" + ], + [ + "10.0.5.27", 
+ "10.0.5.27" + ], + [ + "10.0.5.28", + "10.0.5.28" + ], + [ + "10.0.5.29", + "10.0.5.29" + ], + [ + "10.0.5.30", + "10.0.5.30" + ], + [ + "10.0.5.31", + "10.0.5.31" + ], + [ + "10.0.6.1", + "10.0.6.1" + ], + [ + "10.0.6.2", + "10.0.6.2" + ], + [ + "10.0.6.3", + "10.0.6.3" + ], + [ + "10.0.6.4", + "10.0.6.4" + ], + [ + "10.0.6.5", + "10.0.6.5" + ], + [ + "10.0.6.6", + "10.0.6.6" + ], + [ + "10.0.6.7", + "10.0.6.7" + ], + [ + "10.0.6.8", + "10.0.6.8" + ], + [ + "10.0.6.9", + "10.0.6.9" + ], + [ + "10.0.6.10", + "10.0.6.10" + ], + [ + "10.0.6.11", + "10.0.6.11" + ], + [ + "10.0.6.12", + "10.0.6.12" + ], + [ + "10.0.6.13", + "10.0.6.13" + ], + [ + "10.0.6.14", + "10.0.6.14" + ], + [ + "10.0.6.15", + "10.0.6.15" + ], + [ + "10.0.6.16", + "10.0.6.16" + ], + [ + "10.0.6.17", + "10.0.6.17" + ], + [ + "10.0.6.18", + "10.0.6.18" + ], + [ + "10.0.6.19", + "10.0.6.19" + ], + [ + "10.0.6.20", + "10.0.6.20" + ], + [ + "10.0.6.21", + "10.0.6.21" + ], + [ + "10.0.6.22", + "10.0.6.22" + ], + [ + "10.0.6.23", + "10.0.6.23" + ], + [ + "10.0.6.24", + "10.0.6.24" + ], + [ + "10.0.6.25", + "10.0.6.25" + ], + [ + "10.0.6.26", + "10.0.6.26" + ], + [ + "10.0.6.27", + "10.0.6.27" + ], + [ + "10.0.6.28", + "10.0.6.28" + ], + [ + "10.0.6.29", + "10.0.6.29" + ], + [ + "10.0.6.30", + "10.0.6.30" + ], + [ + "10.0.6.31", + "10.0.6.31" + ], + [ + "10.0.7.1", + "10.0.7.1" + ], + [ + "10.0.7.2", + "10.0.7.2" + ], + [ + "10.0.7.3", + "10.0.7.3" + ], + [ + "10.0.7.4", + "10.0.7.4" + ], + [ + "10.0.7.5", + "10.0.7.5" + ], + [ + "10.0.7.6", + "10.0.7.6" + ], + [ + "10.0.7.7", + "10.0.7.7" + ], + [ + "10.0.7.8", + "10.0.7.8" + ], + [ + "10.0.7.9", + "10.0.7.9" + ], + [ + "10.0.7.10", + "10.0.7.10" + ], + [ + "10.0.7.11", + "10.0.7.11" + ], + [ + "10.0.7.12", + "10.0.7.12" + ], + [ + "10.0.7.13", + "10.0.7.13" + ], + [ + "10.0.7.14", + "10.0.7.14" + ], + [ + "10.0.7.15", + "10.0.7.15" + ], + [ + "10.0.7.16", + "10.0.7.16" + ], + [ + "10.0.7.17", + "10.0.7.17" + ], + [ + "10.0.7.18", + "10.0.7.18" + ], + 
[ + "10.0.7.19", + "10.0.7.19" + ], + [ + "10.0.7.20", + "10.0.7.20" + ], + [ + "10.0.7.21", + "10.0.7.21" + ], + [ + "10.0.7.22", + "10.0.7.22" + ], + [ + "10.0.7.23", + "10.0.7.23" + ], + [ + "10.0.7.24", + "10.0.7.24" + ], + [ + "10.0.7.25", + "10.0.7.25" + ], + [ + "10.0.7.26", + "10.0.7.26" + ], + [ + "10.0.7.27", + "10.0.7.27" + ], + [ + "10.0.7.28", + "10.0.7.28" + ], + [ + "10.0.7.29", + "10.0.7.29" + ], + [ + "10.0.7.30", + "10.0.7.30" + ], + [ + "10.0.7.31", + "10.0.7.31" + ], + [ + "10.0.8.1", + "10.0.8.1" + ], + [ + "10.0.8.2", + "10.0.8.2" + ], + [ + "10.0.8.3", + "10.0.8.3" + ], + [ + "10.0.8.4", + "10.0.8.4" + ], + [ + "10.0.8.5", + "10.0.8.5" + ], + [ + "10.0.8.6", + "10.0.8.6" + ], + [ + "10.0.8.7", + "10.0.8.7" + ], + [ + "10.0.8.8", + "10.0.8.8" + ], + [ + "10.0.8.9", + "10.0.8.9" + ], + [ + "10.0.8.10", + "10.0.8.10" + ], + [ + "10.0.8.11", + "10.0.8.11" + ], + [ + "10.0.8.12", + "10.0.8.12" + ], + [ + "10.0.8.13", + "10.0.8.13" + ], + [ + "10.0.8.14", + "10.0.8.14" + ], + [ + "10.0.8.15", + "10.0.8.15" + ], + [ + "10.0.8.16", + "10.0.8.16" + ], + [ + "10.0.8.17", + "10.0.8.17" + ], + [ + "10.0.8.18", + "10.0.8.18" + ], + [ + "10.0.8.19", + "10.0.8.19" + ], + [ + "10.0.8.20", + "10.0.8.20" + ], + [ + "10.0.8.21", + "10.0.8.21" + ], + [ + "10.0.8.22", + "10.0.8.22" + ], + [ + "10.0.8.23", + "10.0.8.23" + ], + [ + "10.0.8.24", + "10.0.8.24" + ], + [ + "10.0.8.25", + "10.0.8.25" + ], + [ + "10.0.8.26", + "10.0.8.26" + ], + [ + "10.0.8.27", + "10.0.8.27" + ], + [ + "10.0.8.28", + "10.0.8.28" + ], + [ + "10.0.8.29", + "10.0.8.29" + ], + [ + "10.0.8.30", + "10.0.8.30" + ], + [ + "10.0.8.31", + "10.0.8.31" + ], + [ + "10.0.9.1", + "10.0.9.1" + ], + [ + "10.0.9.2", + "10.0.9.2" + ], + [ + "10.0.9.3", + "10.0.9.3" + ], + [ + "10.0.9.4", + "10.0.9.4" + ], + [ + "10.0.9.5", + "10.0.9.5" + ], + [ + "10.0.9.6", + "10.0.9.6" + ], + [ + "10.0.9.7", + "10.0.9.7" + ], + [ + "10.0.9.8", + "10.0.9.8" + ], + [ + "10.0.9.9", + "10.0.9.9" + ], + [ + "10.0.9.10", + 
"10.0.9.10" + ], + [ + "10.0.9.11", + "10.0.9.11" + ], + [ + "10.0.9.12", + "10.0.9.12" + ], + [ + "10.0.9.13", + "10.0.9.13" + ], + [ + "10.0.9.14", + "10.0.9.14" + ], + [ + "10.0.9.15", + "10.0.9.15" + ], + [ + "10.0.9.16", + "10.0.9.16" + ], + [ + "10.0.9.17", + "10.0.9.17" + ], + [ + "10.0.9.18", + "10.0.9.18" + ], + [ + "10.0.9.19", + "10.0.9.19" + ], + [ + "10.0.9.20", + "10.0.9.20" + ], + [ + "10.0.9.21", + "10.0.9.21" + ], + [ + "10.0.9.22", + "10.0.9.22" + ], + [ + "10.0.9.23", + "10.0.9.23" + ], + [ + "10.0.9.24", + "10.0.9.24" + ], + [ + "10.0.9.25", + "10.0.9.25" + ], + [ + "10.0.9.26", + "10.0.9.26" + ], + [ + "10.0.9.27", + "10.0.9.27" + ], + [ + "10.0.9.28", + "10.0.9.28" + ], + [ + "10.0.9.29", + "10.0.9.29" + ], + [ + "10.0.9.30", + "10.0.9.30" + ], + [ + "10.0.9.31", + "10.0.9.31" + ], + [ + "10.0.10.1", + "10.0.10.1" + ], + [ + "10.0.10.2", + "10.0.10.2" + ], + [ + "10.0.10.3", + "10.0.10.3" + ], + [ + "10.0.10.4", + "10.0.10.4" + ], + [ + "10.0.10.5", + "10.0.10.5" + ], + [ + "10.0.10.6", + "10.0.10.6" + ], + [ + "10.0.10.7", + "10.0.10.7" + ], + [ + "10.0.10.8", + "10.0.10.8" + ], + [ + "10.0.10.9", + "10.0.10.9" + ], + [ + "10.0.10.10", + "10.0.10.10" + ], + [ + "10.0.10.11", + "10.0.10.11" + ], + [ + "10.0.10.12", + "10.0.10.12" + ], + [ + "10.0.10.13", + "10.0.10.13" + ], + [ + "10.0.10.14", + "10.0.10.14" + ], + [ + "10.0.10.15", + "10.0.10.15" + ], + [ + "10.0.10.16", + "10.0.10.16" + ], + [ + "10.0.10.17", + "10.0.10.17" + ], + [ + "10.0.10.18", + "10.0.10.18" + ], + [ + "10.0.10.19", + "10.0.10.19" + ], + [ + "10.0.10.20", + "10.0.10.20" + ], + [ + "10.0.10.21", + "10.0.10.21" + ], + [ + "10.0.10.22", + "10.0.10.22" + ], + [ + "10.0.10.23", + "10.0.10.23" + ], + [ + "10.0.10.24", + "10.0.10.24" + ], + [ + "10.0.10.25", + "10.0.10.25" + ], + [ + "10.0.10.26", + "10.0.10.26" + ], + [ + "10.0.10.27", + "10.0.10.27" + ], + [ + "10.0.10.28", + "10.0.10.28" + ], + [ + "10.0.10.29", + "10.0.10.29" + ], + [ + "10.0.10.30", + "10.0.10.30" + ], + 
[ + "10.0.10.31", + "10.0.10.31" + ], + [ + "10.0.11.1", + "10.0.11.1" + ], + [ + "10.0.11.2", + "10.0.11.2" + ], + [ + "10.0.11.3", + "10.0.11.3" + ], + [ + "10.0.11.4", + "10.0.11.4" + ], + [ + "10.0.11.5", + "10.0.11.5" + ], + [ + "10.0.11.6", + "10.0.11.6" + ], + [ + "10.0.11.7", + "10.0.11.7" + ], + [ + "10.0.11.8", + "10.0.11.8" + ], + [ + "10.0.11.9", + "10.0.11.9" + ], + [ + "10.0.11.10", + "10.0.11.10" + ], + [ + "10.0.11.11", + "10.0.11.11" + ], + [ + "10.0.11.12", + "10.0.11.12" + ], + [ + "10.0.11.13", + "10.0.11.13" + ], + [ + "10.0.11.14", + "10.0.11.14" + ], + [ + "10.0.11.15", + "10.0.11.15" + ], + [ + "10.0.11.16", + "10.0.11.16" + ], + [ + "10.0.11.17", + "10.0.11.17" + ], + [ + "10.0.11.18", + "10.0.11.18" + ], + [ + "10.0.11.19", + "10.0.11.19" + ], + [ + "10.0.11.20", + "10.0.11.20" + ], + [ + "10.0.11.21", + "10.0.11.21" + ], + [ + "10.0.11.22", + "10.0.11.22" + ], + [ + "10.0.11.23", + "10.0.11.23" + ], + [ + "10.0.11.24", + "10.0.11.24" + ], + [ + "10.0.11.25", + "10.0.11.25" + ], + [ + "10.0.11.26", + "10.0.11.26" + ], + [ + "10.0.11.27", + "10.0.11.27" + ], + [ + "10.0.11.28", + "10.0.11.28" + ], + [ + "10.0.11.29", + "10.0.11.29" + ], + [ + "10.0.11.30", + "10.0.11.30" + ], + [ + "10.0.11.31", + "10.0.11.31" + ], + [ + "10.0.12.1", + "10.0.12.1" + ], + [ + "10.0.12.2", + "10.0.12.2" + ], + [ + "10.0.12.3", + "10.0.12.3" + ], + [ + "10.0.12.4", + "10.0.12.4" + ], + [ + "10.0.12.5", + "10.0.12.5" + ], + [ + "10.0.12.6", + "10.0.12.6" + ], + [ + "10.0.12.7", + "10.0.12.7" + ], + [ + "10.0.12.8", + "10.0.12.8" + ], + [ + "10.0.12.9", + "10.0.12.9" + ], + [ + "10.0.12.10", + "10.0.12.10" + ], + [ + "10.0.12.11", + "10.0.12.11" + ], + [ + "10.0.12.12", + "10.0.12.12" + ], + [ + "10.0.12.13", + "10.0.12.13" + ], + [ + "10.0.12.14", + "10.0.12.14" + ], + [ + "10.0.12.15", + "10.0.12.15" + ], + [ + "10.0.12.16", + "10.0.12.16" + ], + [ + "10.0.12.17", + "10.0.12.17" + ], + [ + "10.0.12.18", + "10.0.12.18" + ], + [ + "10.0.12.19", + "10.0.12.19" + 
], + [ + "10.0.12.20", + "10.0.12.20" + ], + [ + "10.0.12.21", + "10.0.12.21" + ], + [ + "10.0.12.22", + "10.0.12.22" + ], + [ + "10.0.12.23", + "10.0.12.23" + ], + [ + "10.0.12.24", + "10.0.12.24" + ], + [ + "10.0.12.25", + "10.0.12.25" + ], + [ + "10.0.12.26", + "10.0.12.26" + ], + [ + "10.0.12.27", + "10.0.12.27" + ], + [ + "10.0.12.28", + "10.0.12.28" + ], + [ + "10.0.12.29", + "10.0.12.29" + ], + [ + "10.0.12.30", + "10.0.12.30" + ], + [ + "10.0.12.31", + "10.0.12.31" + ], + [ + "10.0.13.1", + "10.0.13.1" + ], + [ + "10.0.13.2", + "10.0.13.2" + ], + [ + "10.0.13.3", + "10.0.13.3" + ], + [ + "10.0.13.4", + "10.0.13.4" + ], + [ + "10.0.13.5", + "10.0.13.5" + ], + [ + "10.0.13.6", + "10.0.13.6" + ], + [ + "10.0.13.7", + "10.0.13.7" + ], + [ + "10.0.13.8", + "10.0.13.8" + ], + [ + "10.0.13.9", + "10.0.13.9" + ], + [ + "10.0.13.10", + "10.0.13.10" + ], + [ + "10.0.13.11", + "10.0.13.11" + ], + [ + "10.0.13.12", + "10.0.13.12" + ], + [ + "10.0.13.13", + "10.0.13.13" + ], + [ + "10.0.13.14", + "10.0.13.14" + ], + [ + "10.0.13.15", + "10.0.13.15" + ], + [ + "10.0.13.16", + "10.0.13.16" + ], + [ + "10.0.13.17", + "10.0.13.17" + ], + [ + "10.0.13.18", + "10.0.13.18" + ], + [ + "10.0.13.19", + "10.0.13.19" + ], + [ + "10.0.13.20", + "10.0.13.20" + ], + [ + "10.0.13.21", + "10.0.13.21" + ], + [ + "10.0.13.22", + "10.0.13.22" + ], + [ + "10.0.13.23", + "10.0.13.23" + ], + [ + "10.0.13.24", + "10.0.13.24" + ], + [ + "10.0.13.25", + "10.0.13.25" + ], + [ + "10.0.13.26", + "10.0.13.26" + ], + [ + "10.0.13.27", + "10.0.13.27" + ], + [ + "10.0.13.28", + "10.0.13.28" + ], + [ + "10.0.13.29", + "10.0.13.29" + ], + [ + "10.0.13.30", + "10.0.13.30" + ], + [ + "10.0.13.31", + "10.0.13.31" + ], + [ + "10.0.14.1", + "10.0.14.1" + ], + [ + "10.0.14.2", + "10.0.14.2" + ], + [ + "10.0.14.3", + "10.0.14.3" + ], + [ + "10.0.14.4", + "10.0.14.4" + ], + [ + "10.0.14.5", + "10.0.14.5" + ], + [ + "10.0.14.6", + "10.0.14.6" + ], + [ + "10.0.14.7", + "10.0.14.7" + ], + [ + "10.0.14.8", + 
"10.0.14.8" + ], + [ + "10.0.14.9", + "10.0.14.9" + ], + [ + "10.0.14.10", + "10.0.14.10" + ], + [ + "10.0.14.11", + "10.0.14.11" + ], + [ + "10.0.14.12", + "10.0.14.12" + ], + [ + "10.0.14.13", + "10.0.14.13" + ], + [ + "10.0.14.14", + "10.0.14.14" + ], + [ + "10.0.14.15", + "10.0.14.15" + ], + [ + "10.0.14.16", + "10.0.14.16" + ], + [ + "10.0.14.17", + "10.0.14.17" + ], + [ + "10.0.14.18", + "10.0.14.18" + ], + [ + "10.0.14.19", + "10.0.14.19" + ], + [ + "10.0.14.20", + "10.0.14.20" + ], + [ + "10.0.14.21", + "10.0.14.21" + ], + [ + "10.0.14.22", + "10.0.14.22" + ], + [ + "10.0.14.23", + "10.0.14.23" + ], + [ + "10.0.14.24", + "10.0.14.24" + ], + [ + "10.0.14.25", + "10.0.14.25" + ], + [ + "10.0.14.26", + "10.0.14.26" + ], + [ + "10.0.14.27", + "10.0.14.27" + ], + [ + "10.0.14.28", + "10.0.14.28" + ], + [ + "10.0.14.29", + "10.0.14.29" + ], + [ + "10.0.14.30", + "10.0.14.30" + ], + [ + "10.0.14.31", + "10.0.14.31" + ], + [ + "10.0.15.1", + "10.0.15.1" + ], + [ + "10.0.15.2", + "10.0.15.2" + ], + [ + "10.0.15.3", + "10.0.15.3" + ], + [ + "10.0.15.4", + "10.0.15.4" + ], + [ + "10.0.15.5", + "10.0.15.5" + ], + [ + "10.0.15.6", + "10.0.15.6" + ], + [ + "10.0.15.7", + "10.0.15.7" + ], + [ + "10.0.15.8", + "10.0.15.8" + ], + [ + "10.0.15.9", + "10.0.15.9" + ], + [ + "10.0.15.10", + "10.0.15.10" + ], + [ + "10.0.15.11", + "10.0.15.11" + ], + [ + "10.0.15.12", + "10.0.15.12" + ], + [ + "10.0.15.13", + "10.0.15.13" + ], + [ + "10.0.15.14", + "10.0.15.14" + ], + [ + "10.0.15.15", + "10.0.15.15" + ], + [ + "10.0.15.16", + "10.0.15.16" + ], + [ + "10.0.15.17", + "10.0.15.17" + ], + [ + "10.0.15.18", + "10.0.15.18" + ], + [ + "10.0.15.19", + "10.0.15.19" + ], + [ + "10.0.15.20", + "10.0.15.20" + ], + [ + "10.0.15.21", + "10.0.15.21" + ], + [ + "10.0.15.22", + "10.0.15.22" + ], + [ + "10.0.15.23", + "10.0.15.23" + ], + [ + "10.0.15.24", + "10.0.15.24" + ], + [ + "10.0.15.25", + "10.0.15.25" + ], + [ + "10.0.15.26", + "10.0.15.26" + ], + [ + "10.0.15.27", + "10.0.15.27" + ], + 
[ + "10.0.15.28", + "10.0.15.28" + ], + [ + "10.0.15.29", + "10.0.15.29" + ], + [ + "10.0.15.30", + "10.0.15.30" + ], + [ + "10.0.15.31", + "10.0.15.31" + ], + [ + "10.0.16.1", + "10.0.16.1" + ], + [ + "10.0.16.2", + "10.0.16.2" + ], + [ + "10.0.16.3", + "10.0.16.3" + ], + [ + "10.0.16.4", + "10.0.16.4" + ], + [ + "10.0.16.5", + "10.0.16.5" + ], + [ + "10.0.16.6", + "10.0.16.6" + ], + [ + "10.0.16.7", + "10.0.16.7" + ], + [ + "10.0.16.8", + "10.0.16.8" + ], + [ + "10.0.16.9", + "10.0.16.9" + ], + [ + "10.0.16.10", + "10.0.16.10" + ], + [ + "10.0.16.11", + "10.0.16.11" + ], + [ + "10.0.16.12", + "10.0.16.12" + ], + [ + "10.0.16.13", + "10.0.16.13" + ], + [ + "10.0.16.14", + "10.0.16.14" + ], + [ + "10.0.16.15", + "10.0.16.15" + ], + [ + "10.0.16.16", + "10.0.16.16" + ], + [ + "10.0.16.17", + "10.0.16.17" + ], + [ + "10.0.16.18", + "10.0.16.18" + ], + [ + "10.0.16.19", + "10.0.16.19" + ], + [ + "10.0.16.20", + "10.0.16.20" + ], + [ + "10.0.16.21", + "10.0.16.21" + ], + [ + "10.0.16.22", + "10.0.16.22" + ], + [ + "10.0.16.23", + "10.0.16.23" + ], + [ + "10.0.16.24", + "10.0.16.24" + ], + [ + "10.0.16.25", + "10.0.16.25" + ], + [ + "10.0.16.26", + "10.0.16.26" + ], + [ + "10.0.16.27", + "10.0.16.27" + ], + [ + "10.0.16.28", + "10.0.16.28" + ], + [ + "10.0.16.29", + "10.0.16.29" + ], + [ + "10.0.16.30", + "10.0.16.30" + ], + [ + "10.0.16.31", + "10.0.16.31" + ], + [ + "10.0.17.1", + "10.0.17.1" + ], + [ + "10.0.17.2", + "10.0.17.2" + ], + [ + "10.0.17.3", + "10.0.17.3" + ], + [ + "10.0.17.4", + "10.0.17.4" + ], + [ + "10.0.17.5", + "10.0.17.5" + ], + [ + "10.0.17.6", + "10.0.17.6" + ], + [ + "10.0.17.7", + "10.0.17.7" + ], + [ + "10.0.17.8", + "10.0.17.8" + ], + [ + "10.0.17.9", + "10.0.17.9" + ], + [ + "10.0.17.10", + "10.0.17.10" + ], + [ + "10.0.17.11", + "10.0.17.11" + ], + [ + "10.0.17.12", + "10.0.17.12" + ], + [ + "10.0.17.13", + "10.0.17.13" + ], + [ + "10.0.17.14", + "10.0.17.14" + ], + [ + "10.0.17.15", + "10.0.17.15" + ], + [ + "10.0.17.16", + "10.0.17.16" + 
], + [ + "10.0.17.17", + "10.0.17.17" + ], + [ + "10.0.17.18", + "10.0.17.18" + ], + [ + "10.0.17.19", + "10.0.17.19" + ], + [ + "10.0.17.20", + "10.0.17.20" + ], + [ + "10.0.17.21", + "10.0.17.21" + ], + [ + "10.0.17.22", + "10.0.17.22" + ], + [ + "10.0.17.23", + "10.0.17.23" + ], + [ + "10.0.17.24", + "10.0.17.24" + ], + [ + "10.0.17.25", + "10.0.17.25" + ], + [ + "10.0.17.26", + "10.0.17.26" + ], + [ + "10.0.17.27", + "10.0.17.27" + ], + [ + "10.0.17.28", + "10.0.17.28" + ], + [ + "10.0.17.29", + "10.0.17.29" + ], + [ + "10.0.17.30", + "10.0.17.30" + ], + [ + "10.0.17.31", + "10.0.17.31" + ], + [ + "10.0.18.1", + "10.0.18.1" + ], + [ + "10.0.18.2", + "10.0.18.2" + ], + [ + "10.0.18.3", + "10.0.18.3" + ], + [ + "10.0.18.4", + "10.0.18.4" + ], + [ + "10.0.18.5", + "10.0.18.5" + ], + [ + "10.0.18.6", + "10.0.18.6" + ], + [ + "10.0.18.7", + "10.0.18.7" + ], + [ + "10.0.18.8", + "10.0.18.8" + ], + [ + "10.0.18.9", + "10.0.18.9" + ], + [ + "10.0.18.10", + "10.0.18.10" + ], + [ + "10.0.18.11", + "10.0.18.11" + ], + [ + "10.0.18.12", + "10.0.18.12" + ], + [ + "10.0.18.13", + "10.0.18.13" + ], + [ + "10.0.18.14", + "10.0.18.14" + ], + [ + "10.0.18.15", + "10.0.18.15" + ], + [ + "10.0.18.16", + "10.0.18.16" + ], + [ + "10.0.18.17", + "10.0.18.17" + ], + [ + "10.0.18.18", + "10.0.18.18" + ], + [ + "10.0.18.19", + "10.0.18.19" + ], + [ + "10.0.18.20", + "10.0.18.20" + ], + [ + "10.0.18.21", + "10.0.18.21" + ], + [ + "10.0.18.22", + "10.0.18.22" + ], + [ + "10.0.18.23", + "10.0.18.23" + ], + [ + "10.0.18.24", + "10.0.18.24" + ], + [ + "10.0.18.25", + "10.0.18.25" + ], + [ + "10.0.18.26", + "10.0.18.26" + ], + [ + "10.0.18.27", + "10.0.18.27" + ], + [ + "10.0.18.28", + "10.0.18.28" + ], + [ + "10.0.18.29", + "10.0.18.29" + ], + [ + "10.0.18.30", + "10.0.18.30" + ], + [ + "10.0.18.31", + "10.0.18.31" + ], + [ + "10.0.19.1", + "10.0.19.1" + ], + [ + "10.0.19.2", + "10.0.19.2" + ], + [ + "10.0.19.3", + "10.0.19.3" + ], + [ + "10.0.19.4", + "10.0.19.4" + ], + [ + "10.0.19.5", + 
"10.0.19.5" + ], + [ + "10.0.19.6", + "10.0.19.6" + ], + [ + "10.0.19.7", + "10.0.19.7" + ], + [ + "10.0.19.8", + "10.0.19.8" + ], + [ + "10.0.19.9", + "10.0.19.9" + ], + [ + "10.0.19.10", + "10.0.19.10" + ], + [ + "10.0.19.11", + "10.0.19.11" + ], + [ + "10.0.19.12", + "10.0.19.12" + ], + [ + "10.0.19.13", + "10.0.19.13" + ], + [ + "10.0.19.14", + "10.0.19.14" + ], + [ + "10.0.19.15", + "10.0.19.15" + ], + [ + "10.0.19.16", + "10.0.19.16" + ], + [ + "10.0.19.17", + "10.0.19.17" + ], + [ + "10.0.19.18", + "10.0.19.18" + ], + [ + "10.0.19.19", + "10.0.19.19" + ], + [ + "10.0.19.20", + "10.0.19.20" + ], + [ + "10.0.19.21", + "10.0.19.21" + ], + [ + "10.0.19.22", + "10.0.19.22" + ], + [ + "10.0.19.23", + "10.0.19.23" + ], + [ + "10.0.19.24", + "10.0.19.24" + ], + [ + "10.0.19.25", + "10.0.19.25" + ], + [ + "10.0.19.26", + "10.0.19.26" + ], + [ + "10.0.19.27", + "10.0.19.27" + ], + [ + "10.0.19.28", + "10.0.19.28" + ], + [ + "10.0.19.29", + "10.0.19.29" + ], + [ + "10.0.19.30", + "10.0.19.30" + ], + [ + "10.0.19.31", + "10.0.19.31" + ], + [ + "10.0.20.1", + "10.0.20.1" + ], + [ + "10.0.20.2", + "10.0.20.2" + ], + [ + "10.0.20.3", + "10.0.20.3" + ], + [ + "10.0.20.4", + "10.0.20.4" + ], + [ + "10.0.20.5", + "10.0.20.5" + ], + [ + "10.0.20.6", + "10.0.20.6" + ], + [ + "10.0.20.7", + "10.0.20.7" + ], + [ + "10.0.20.8", + "10.0.20.8" + ], + [ + "10.0.20.9", + "10.0.20.9" + ], + [ + "10.0.20.10", + "10.0.20.10" + ], + [ + "10.0.20.11", + "10.0.20.11" + ], + [ + "10.0.20.12", + "10.0.20.12" + ], + [ + "10.0.20.13", + "10.0.20.13" + ], + [ + "10.0.20.14", + "10.0.20.14" + ], + [ + "10.0.20.15", + "10.0.20.15" + ], + [ + "10.0.20.16", + "10.0.20.16" + ], + [ + "10.0.20.17", + "10.0.20.17" + ], + [ + "10.0.20.18", + "10.0.20.18" + ], + [ + "10.0.20.19", + "10.0.20.19" + ], + [ + "10.0.20.20", + "10.0.20.20" + ], + [ + "10.0.20.21", + "10.0.20.21" + ], + [ + "10.0.20.22", + "10.0.20.22" + ], + [ + "10.0.20.23", + "10.0.20.23" + ], + [ + "10.0.20.24", + "10.0.20.24" + ], + [ + 
"10.0.20.25", + "10.0.20.25" + ], + [ + "10.0.20.26", + "10.0.20.26" + ], + [ + "10.0.20.27", + "10.0.20.27" + ], + [ + "10.0.20.28", + "10.0.20.28" + ], + [ + "10.0.20.29", + "10.0.20.29" + ], + [ + "10.0.20.30", + "10.0.20.30" + ], + [ + "10.0.20.31", + "10.0.20.31" + ], + [ + "10.0.21.1", + "10.0.21.1" + ], + [ + "10.0.21.2", + "10.0.21.2" + ], + [ + "10.0.21.3", + "10.0.21.3" + ], + [ + "10.0.21.4", + "10.0.21.4" + ], + [ + "10.0.21.5", + "10.0.21.5" + ], + [ + "10.0.21.6", + "10.0.21.6" + ], + [ + "10.0.21.7", + "10.0.21.7" + ], + [ + "10.0.21.8", + "10.0.21.8" + ], + [ + "10.0.21.9", + "10.0.21.9" + ], + [ + "10.0.21.10", + "10.0.21.10" + ], + [ + "10.0.21.11", + "10.0.21.11" + ], + [ + "10.0.21.12", + "10.0.21.12" + ], + [ + "10.0.21.13", + "10.0.21.13" + ], + [ + "10.0.21.14", + "10.0.21.14" + ], + [ + "10.0.21.15", + "10.0.21.15" + ], + [ + "10.0.21.16", + "10.0.21.16" + ], + [ + "10.0.21.17", + "10.0.21.17" + ], + [ + "10.0.21.18", + "10.0.21.18" + ], + [ + "10.0.21.19", + "10.0.21.19" + ], + [ + "10.0.21.20", + "10.0.21.20" + ], + [ + "10.0.21.21", + "10.0.21.21" + ], + [ + "10.0.21.22", + "10.0.21.22" + ], + [ + "10.0.21.23", + "10.0.21.23" + ], + [ + "10.0.21.24", + "10.0.21.24" + ], + [ + "10.0.21.25", + "10.0.21.25" + ], + [ + "10.0.21.26", + "10.0.21.26" + ], + [ + "10.0.21.27", + "10.0.21.27" + ], + [ + "10.0.21.28", + "10.0.21.28" + ], + [ + "10.0.21.29", + "10.0.21.29" + ], + [ + "10.0.21.30", + "10.0.21.30" + ], + [ + "10.0.21.31", + "10.0.21.31" + ], + [ + "10.0.22.1", + "10.0.22.1" + ], + [ + "10.0.22.2", + "10.0.22.2" + ], + [ + "10.0.22.3", + "10.0.22.3" + ], + [ + "10.0.22.4", + "10.0.22.4" + ], + [ + "10.0.22.5", + "10.0.22.5" + ], + [ + "10.0.22.6", + "10.0.22.6" + ], + [ + "10.0.22.7", + "10.0.22.7" + ], + [ + "10.0.22.8", + "10.0.22.8" + ], + [ + "10.0.22.9", + "10.0.22.9" + ], + [ + "10.0.22.10", + "10.0.22.10" + ], + [ + "10.0.22.11", + "10.0.22.11" + ], + [ + "10.0.22.12", + "10.0.22.12" + ], + [ + "10.0.22.13", + "10.0.22.13" + ], + 
[ + "10.0.22.14", + "10.0.22.14" + ], + [ + "10.0.22.15", + "10.0.22.15" + ], + [ + "10.0.22.16", + "10.0.22.16" + ], + [ + "10.0.22.17", + "10.0.22.17" + ], + [ + "10.0.22.18", + "10.0.22.18" + ], + [ + "10.0.22.19", + "10.0.22.19" + ], + [ + "10.0.22.20", + "10.0.22.20" + ], + [ + "10.0.22.21", + "10.0.22.21" + ], + [ + "10.0.22.22", + "10.0.22.22" + ], + [ + "10.0.22.23", + "10.0.22.23" + ], + [ + "10.0.22.24", + "10.0.22.24" + ], + [ + "10.0.22.25", + "10.0.22.25" + ], + [ + "10.0.22.26", + "10.0.22.26" + ], + [ + "10.0.22.27", + "10.0.22.27" + ], + [ + "10.0.22.28", + "10.0.22.28" + ], + [ + "10.0.22.29", + "10.0.22.29" + ], + [ + "10.0.22.30", + "10.0.22.30" + ], + [ + "10.0.22.31", + "10.0.22.31" + ], + [ + "10.0.23.1", + "10.0.23.1" + ], + [ + "10.0.23.2", + "10.0.23.2" + ], + [ + "10.0.23.3", + "10.0.23.3" + ], + [ + "10.0.23.4", + "10.0.23.4" + ], + [ + "10.0.23.5", + "10.0.23.5" + ], + [ + "10.0.23.6", + "10.0.23.6" + ], + [ + "10.0.23.7", + "10.0.23.7" + ], + [ + "10.0.23.8", + "10.0.23.8" + ], + [ + "10.0.23.9", + "10.0.23.9" + ], + [ + "10.0.23.10", + "10.0.23.10" + ], + [ + "10.0.23.11", + "10.0.23.11" + ], + [ + "10.0.23.12", + "10.0.23.12" + ], + [ + "10.0.23.13", + "10.0.23.13" + ], + [ + "10.0.23.14", + "10.0.23.14" + ], + [ + "10.0.23.15", + "10.0.23.15" + ], + [ + "10.0.23.16", + "10.0.23.16" + ], + [ + "10.0.23.17", + "10.0.23.17" + ], + [ + "10.0.23.18", + "10.0.23.18" + ], + [ + "10.0.23.19", + "10.0.23.19" + ], + [ + "10.0.23.20", + "10.0.23.20" + ], + [ + "10.0.23.21", + "10.0.23.21" + ], + [ + "10.0.23.22", + "10.0.23.22" + ], + [ + "10.0.23.23", + "10.0.23.23" + ], + [ + "10.0.23.24", + "10.0.23.24" + ], + [ + "10.0.23.25", + "10.0.23.25" + ], + [ + "10.0.23.26", + "10.0.23.26" + ], + [ + "10.0.23.27", + "10.0.23.27" + ], + [ + "10.0.23.28", + "10.0.23.28" + ], + [ + "10.0.23.29", + "10.0.23.29" + ], + [ + "10.0.23.30", + "10.0.23.30" + ], + [ + "10.0.23.31", + "10.0.23.31" + ], + [ + "10.0.24.1", + "10.0.24.1" + ], + [ + "10.0.24.2", + 
"10.0.24.2" + ], + [ + "10.0.24.3", + "10.0.24.3" + ], + [ + "10.0.24.4", + "10.0.24.4" + ], + [ + "10.0.24.5", + "10.0.24.5" + ], + [ + "10.0.24.6", + "10.0.24.6" + ], + [ + "10.0.24.7", + "10.0.24.7" + ], + [ + "10.0.24.8", + "10.0.24.8" + ], + [ + "10.0.24.9", + "10.0.24.9" + ], + [ + "10.0.24.10", + "10.0.24.10" + ], + [ + "10.0.24.11", + "10.0.24.11" + ], + [ + "10.0.24.12", + "10.0.24.12" + ], + [ + "10.0.24.13", + "10.0.24.13" + ], + [ + "10.0.24.14", + "10.0.24.14" + ], + [ + "10.0.24.15", + "10.0.24.15" + ], + [ + "10.0.24.16", + "10.0.24.16" + ], + [ + "10.0.24.17", + "10.0.24.17" + ], + [ + "10.0.24.18", + "10.0.24.18" + ], + [ + "10.0.24.19", + "10.0.24.19" + ], + [ + "10.0.24.20", + "10.0.24.20" + ], + [ + "10.0.24.21", + "10.0.24.21" + ], + [ + "10.0.24.22", + "10.0.24.22" + ], + [ + "10.0.24.23", + "10.0.24.23" + ], + [ + "10.0.24.24", + "10.0.24.24" + ], + [ + "10.0.24.25", + "10.0.24.25" + ], + [ + "10.0.24.26", + "10.0.24.26" + ], + [ + "10.0.24.27", + "10.0.24.27" + ], + [ + "10.0.24.28", + "10.0.24.28" + ], + [ + "10.0.24.29", + "10.0.24.29" + ], + [ + "10.0.24.30", + "10.0.24.30" + ], + [ + "10.0.24.31", + "10.0.24.31" + ], + [ + "10.0.25.1", + "10.0.25.1" + ], + [ + "10.0.25.2", + "10.0.25.2" + ], + [ + "10.0.25.3", + "10.0.25.3" + ], + [ + "10.0.25.4", + "10.0.25.4" + ], + [ + "10.0.25.5", + "10.0.25.5" + ], + [ + "10.0.25.6", + "10.0.25.6" + ], + [ + "10.0.25.7", + "10.0.25.7" + ], + [ + "10.0.25.8", + "10.0.25.8" + ], + [ + "10.0.25.9", + "10.0.25.9" + ], + [ + "10.0.25.10", + "10.0.25.10" + ], + [ + "10.0.25.11", + "10.0.25.11" + ], + [ + "10.0.25.12", + "10.0.25.12" + ], + [ + "10.0.25.13", + "10.0.25.13" + ], + [ + "10.0.25.14", + "10.0.25.14" + ], + [ + "10.0.25.15", + "10.0.25.15" + ], + [ + "10.0.25.16", + "10.0.25.16" + ], + [ + "10.0.25.17", + "10.0.25.17" + ], + [ + "10.0.25.18", + "10.0.25.18" + ], + [ + "10.0.25.19", + "10.0.25.19" + ], + [ + "10.0.25.20", + "10.0.25.20" + ], + [ + "10.0.25.21", + "10.0.25.21" + ], + [ + 
"10.0.25.22", + "10.0.25.22" + ], + [ + "10.0.25.23", + "10.0.25.23" + ], + [ + "10.0.25.24", + "10.0.25.24" + ], + [ + "10.0.25.25", + "10.0.25.25" + ], + [ + "10.0.25.26", + "10.0.25.26" + ], + [ + "10.0.25.27", + "10.0.25.27" + ], + [ + "10.0.25.28", + "10.0.25.28" + ], + [ + "10.0.25.29", + "10.0.25.29" + ], + [ + "10.0.25.30", + "10.0.25.30" + ], + [ + "10.0.25.31", + "10.0.25.31" + ], + [ + "10.0.26.1", + "10.0.26.1" + ], + [ + "10.0.26.2", + "10.0.26.2" + ], + [ + "10.0.26.3", + "10.0.26.3" + ], + [ + "10.0.26.4", + "10.0.26.4" + ], + [ + "10.0.26.5", + "10.0.26.5" + ], + [ + "10.0.26.6", + "10.0.26.6" + ], + [ + "10.0.26.7", + "10.0.26.7" + ], + [ + "10.0.26.8", + "10.0.26.8" + ], + [ + "10.0.26.9", + "10.0.26.9" + ], + [ + "10.0.26.10", + "10.0.26.10" + ], + [ + "10.0.26.11", + "10.0.26.11" + ], + [ + "10.0.26.12", + "10.0.26.12" + ], + [ + "10.0.26.13", + "10.0.26.13" + ], + [ + "10.0.26.14", + "10.0.26.14" + ], + [ + "10.0.26.15", + "10.0.26.15" + ], + [ + "10.0.26.16", + "10.0.26.16" + ], + [ + "10.0.26.17", + "10.0.26.17" + ], + [ + "10.0.26.18", + "10.0.26.18" + ], + [ + "10.0.26.19", + "10.0.26.19" + ], + [ + "10.0.26.20", + "10.0.26.20" + ], + [ + "10.0.26.21", + "10.0.26.21" + ], + [ + "10.0.26.22", + "10.0.26.22" + ], + [ + "10.0.26.23", + "10.0.26.23" + ], + [ + "10.0.26.24", + "10.0.26.24" + ], + [ + "10.0.26.25", + "10.0.26.25" + ], + [ + "10.0.26.26", + "10.0.26.26" + ], + [ + "10.0.26.27", + "10.0.26.27" + ], + [ + "10.0.26.28", + "10.0.26.28" + ], + [ + "10.0.26.29", + "10.0.26.29" + ], + [ + "10.0.26.30", + "10.0.26.30" + ], + [ + "10.0.26.31", + "10.0.26.31" + ], + [ + "10.0.27.1", + "10.0.27.1" + ], + [ + "10.0.27.2", + "10.0.27.2" + ], + [ + "10.0.27.3", + "10.0.27.3" + ], + [ + "10.0.27.4", + "10.0.27.4" + ], + [ + "10.0.27.5", + "10.0.27.5" + ], + [ + "10.0.27.6", + "10.0.27.6" + ], + [ + "10.0.27.7", + "10.0.27.7" + ], + [ + "10.0.27.8", + "10.0.27.8" + ], + [ + "10.0.27.9", + "10.0.27.9" + ], + [ + "10.0.27.10", + "10.0.27.10" + ], + 
[ + "10.0.27.11", + "10.0.27.11" + ], + [ + "10.0.27.12", + "10.0.27.12" + ], + [ + "10.0.27.13", + "10.0.27.13" + ], + [ + "10.0.27.14", + "10.0.27.14" + ], + [ + "10.0.27.15", + "10.0.27.15" + ], + [ + "10.0.27.16", + "10.0.27.16" + ], + [ + "10.0.27.17", + "10.0.27.17" + ], + [ + "10.0.27.18", + "10.0.27.18" + ], + [ + "10.0.27.19", + "10.0.27.19" + ], + [ + "10.0.27.20", + "10.0.27.20" + ], + [ + "10.0.27.21", + "10.0.27.21" + ], + [ + "10.0.27.22", + "10.0.27.22" + ], + [ + "10.0.27.23", + "10.0.27.23" + ], + [ + "10.0.27.24", + "10.0.27.24" + ], + [ + "10.0.27.25", + "10.0.27.25" + ], + [ + "10.0.27.26", + "10.0.27.26" + ], + [ + "10.0.27.27", + "10.0.27.27" + ], + [ + "10.0.27.28", + "10.0.27.28" + ], + [ + "10.0.27.29", + "10.0.27.29" + ], + [ + "10.0.27.30", + "10.0.27.30" + ], + [ + "10.0.27.31", + "10.0.27.31" + ], + [ + "10.0.28.1", + "10.0.28.1" + ], + [ + "10.0.28.2", + "10.0.28.2" + ], + [ + "10.0.28.3", + "10.0.28.3" + ], + [ + "10.0.28.4", + "10.0.28.4" + ], + [ + "10.0.28.5", + "10.0.28.5" + ], + [ + "10.0.28.6", + "10.0.28.6" + ], + [ + "10.0.28.7", + "10.0.28.7" + ], + [ + "10.0.28.8", + "10.0.28.8" + ], + [ + "10.0.28.9", + "10.0.28.9" + ], + [ + "10.0.28.10", + "10.0.28.10" + ], + [ + "10.0.28.11", + "10.0.28.11" + ], + [ + "10.0.28.12", + "10.0.28.12" + ], + [ + "10.0.28.13", + "10.0.28.13" + ], + [ + "10.0.28.14", + "10.0.28.14" + ], + [ + "10.0.28.15", + "10.0.28.15" + ], + [ + "10.0.28.16", + "10.0.28.16" + ], + [ + "10.0.28.17", + "10.0.28.17" + ], + [ + "10.0.28.18", + "10.0.28.18" + ], + [ + "10.0.28.19", + "10.0.28.19" + ], + [ + "10.0.28.20", + "10.0.28.20" + ], + [ + "10.0.28.21", + "10.0.28.21" + ], + [ + "10.0.28.22", + "10.0.28.22" + ], + [ + "10.0.28.23", + "10.0.28.23" + ], + [ + "10.0.28.24", + "10.0.28.24" + ], + [ + "10.0.28.25", + "10.0.28.25" + ], + [ + "10.0.28.26", + "10.0.28.26" + ], + [ + "10.0.28.27", + "10.0.28.27" + ], + [ + "10.0.28.28", + "10.0.28.28" + ], + [ + "10.0.28.29", + "10.0.28.29" + ], + [ + "10.0.28.30", 
+ "10.0.28.30" + ], + [ + "10.0.28.31", + "10.0.28.31" + ], + [ + "10.0.29.1", + "10.0.29.1" + ], + [ + "10.0.29.2", + "10.0.29.2" + ], + [ + "10.0.29.3", + "10.0.29.3" + ], + [ + "10.0.29.4", + "10.0.29.4" + ], + [ + "10.0.29.5", + "10.0.29.5" + ], + [ + "10.0.29.6", + "10.0.29.6" + ], + [ + "10.0.29.7", + "10.0.29.7" + ], + [ + "10.0.29.8", + "10.0.29.8" + ], + [ + "10.0.29.9", + "10.0.29.9" + ], + [ + "10.0.29.10", + "10.0.29.10" + ], + [ + "10.0.29.11", + "10.0.29.11" + ], + [ + "10.0.29.12", + "10.0.29.12" + ], + [ + "10.0.29.13", + "10.0.29.13" + ], + [ + "10.0.29.14", + "10.0.29.14" + ], + [ + "10.0.29.15", + "10.0.29.15" + ], + [ + "10.0.29.16", + "10.0.29.16" + ], + [ + "10.0.29.17", + "10.0.29.17" + ], + [ + "10.0.29.18", + "10.0.29.18" + ], + [ + "10.0.29.19", + "10.0.29.19" + ], + [ + "10.0.29.20", + "10.0.29.20" + ], + [ + "10.0.29.21", + "10.0.29.21" + ], + [ + "10.0.29.22", + "10.0.29.22" + ], + [ + "10.0.29.23", + "10.0.29.23" + ], + [ + "10.0.29.24", + "10.0.29.24" + ], + [ + "10.0.29.25", + "10.0.29.25" + ], + [ + "10.0.29.26", + "10.0.29.26" + ], + [ + "10.0.29.27", + "10.0.29.27" + ], + [ + "10.0.29.28", + "10.0.29.28" + ], + [ + "10.0.29.29", + "10.0.29.29" + ], + [ + "10.0.29.30", + "10.0.29.30" + ], + [ + "10.0.29.31", + "10.0.29.31" + ], + [ + "10.0.30.1", + "10.0.30.1" + ], + [ + "10.0.30.2", + "10.0.30.2" + ], + [ + "10.0.30.3", + "10.0.30.3" + ], + [ + "10.0.30.4", + "10.0.30.4" + ], + [ + "10.0.30.5", + "10.0.30.5" + ], + [ + "10.0.30.6", + "10.0.30.6" + ], + [ + "10.0.30.7", + "10.0.30.7" + ], + [ + "10.0.30.8", + "10.0.30.8" + ], + [ + "10.0.30.9", + "10.0.30.9" + ], + [ + "10.0.30.10", + "10.0.30.10" + ], + [ + "10.0.30.11", + "10.0.30.11" + ], + [ + "10.0.30.12", + "10.0.30.12" + ], + [ + "10.0.30.13", + "10.0.30.13" + ], + [ + "10.0.30.14", + "10.0.30.14" + ], + [ + "10.0.30.15", + "10.0.30.15" + ], + [ + "10.0.30.16", + "10.0.30.16" + ], + [ + "10.0.30.17", + "10.0.30.17" + ], + [ + "10.0.30.18", + "10.0.30.18" + ], + [ + 
"10.0.30.19", + "10.0.30.19" + ], + [ + "10.0.30.20", + "10.0.30.20" + ], + [ + "10.0.30.21", + "10.0.30.21" + ], + [ + "10.0.30.22", + "10.0.30.22" + ], + [ + "10.0.30.23", + "10.0.30.23" + ], + [ + "10.0.30.24", + "10.0.30.24" + ], + [ + "10.0.30.25", + "10.0.30.25" + ], + [ + "10.0.30.26", + "10.0.30.26" + ], + [ + "10.0.30.27", + "10.0.30.27" + ], + [ + "10.0.30.28", + "10.0.30.28" + ], + [ + "10.0.30.29", + "10.0.30.29" + ], + [ + "10.0.30.30", + "10.0.30.30" + ], + [ + "10.0.30.31", + "10.0.30.31" + ], + [ + "10.0.31.1", + "10.0.31.1" + ], + [ + "10.0.31.2", + "10.0.31.2" + ], + [ + "10.0.31.3", + "10.0.31.3" + ], + [ + "10.0.31.4", + "10.0.31.4" + ], + [ + "10.0.31.5", + "10.0.31.5" + ], + [ + "10.0.31.6", + "10.0.31.6" + ], + [ + "10.0.31.7", + "10.0.31.7" + ], + [ + "10.0.31.8", + "10.0.31.8" + ], + [ + "10.0.31.9", + "10.0.31.9" + ], + [ + "10.0.31.10", + "10.0.31.10" + ], + [ + "10.0.31.11", + "10.0.31.11" + ], + [ + "10.0.31.12", + "10.0.31.12" + ], + [ + "10.0.31.13", + "10.0.31.13" + ], + [ + "10.0.31.14", + "10.0.31.14" + ], + [ + "10.0.31.15", + "10.0.31.15" + ], + [ + "10.0.31.16", + "10.0.31.16" + ], + [ + "10.0.31.17", + "10.0.31.17" + ], + [ + "10.0.31.18", + "10.0.31.18" + ], + [ + "10.0.31.19", + "10.0.31.19" + ], + [ + "10.0.31.20", + "10.0.31.20" + ], + [ + "10.0.31.21", + "10.0.31.21" + ], + [ + "10.0.31.22", + "10.0.31.22" + ], + [ + "10.0.31.23", + "10.0.31.23" + ], + [ + "10.0.31.24", + "10.0.31.24" + ], + [ + "10.0.31.25", + "10.0.31.25" + ], + [ + "10.0.31.26", + "10.0.31.26" + ], + [ + "10.0.31.27", + "10.0.31.27" + ], + [ + "10.0.31.28", + "10.0.31.28" + ], + [ + "10.0.31.29", + "10.0.31.29" + ], + [ + "10.0.31.30", + "10.0.31.30" + ], + [ + "10.0.31.31", + "10.0.31.31" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft new file mode 100644 index 00000000..bd6e05df --- /dev/null 
+++ b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft 
@@ -0,0 +1,966 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { 10.0.1.1 : 10.0.1.1, + 10.0.1.2 : 10.0.1.2, + 10.0.1.3 : 10.0.1.3, + 10.0.1.4 : 10.0.1.4, + 10.0.1.5 : 10.0.1.5, + 10.0.1.6 : 10.0.1.6, + 10.0.1.7 : 10.0.1.7, + 10.0.1.8 : 10.0.1.8, + 10.0.1.9 : 10.0.1.9, + 10.0.1.10 : 10.0.1.10, + 10.0.1.11 : 10.0.1.11, + 10.0.1.12 : 10.0.1.12, + 10.0.1.13 : 10.0.1.13, + 10.0.1.14 : 10.0.1.14, + 10.0.1.15 : 10.0.1.15, + 10.0.1.16 : 10.0.1.16, + 10.0.1.17 : 10.0.1.17, + 10.0.1.18 : 10.0.1.18, + 10.0.1.19 : 10.0.1.19, + 10.0.1.20 : 10.0.1.20, + 10.0.1.21 : 10.0.1.21, + 10.0.1.22 : 10.0.1.22, + 10.0.1.23 : 10.0.1.23, + 10.0.1.24 : 10.0.1.24, + 10.0.1.25 : 10.0.1.25, + 10.0.1.26 : 10.0.1.26, + 10.0.1.27 : 10.0.1.27, + 10.0.1.28 : 10.0.1.28, + 10.0.1.29 : 10.0.1.29, + 10.0.1.30 : 10.0.1.30, + 10.0.1.31 : 10.0.1.31, + 10.0.2.1 : 10.0.2.1, + 10.0.2.2 : 10.0.2.2, + 10.0.2.3 : 10.0.2.3, + 10.0.2.4 : 10.0.2.4, + 10.0.2.5 : 10.0.2.5, + 10.0.2.6 : 10.0.2.6, + 10.0.2.7 : 10.0.2.7, + 10.0.2.8 : 10.0.2.8, + 10.0.2.9 : 10.0.2.9, + 10.0.2.10 : 10.0.2.10, + 10.0.2.11 : 10.0.2.11, + 10.0.2.12 : 10.0.2.12, + 10.0.2.13 : 10.0.2.13, + 10.0.2.14 : 10.0.2.14, + 10.0.2.15 : 10.0.2.15, + 10.0.2.16 : 10.0.2.16, + 10.0.2.17 : 10.0.2.17, + 10.0.2.18 : 10.0.2.18, + 10.0.2.19 : 10.0.2.19, + 10.0.2.20 : 10.0.2.20, + 10.0.2.21 : 10.0.2.21, + 10.0.2.22 : 10.0.2.22, + 10.0.2.23 : 10.0.2.23, + 10.0.2.24 : 10.0.2.24, + 10.0.2.25 : 10.0.2.25, + 10.0.2.26 : 10.0.2.26, + 10.0.2.27 : 10.0.2.27, + 10.0.2.28 : 10.0.2.28, + 10.0.2.29 : 10.0.2.29, + 10.0.2.30 : 10.0.2.30, + 10.0.2.31 : 10.0.2.31, + 10.0.3.1 : 10.0.3.1, + 10.0.3.2 : 10.0.3.2, + 10.0.3.3 : 10.0.3.3, + 10.0.3.4 : 10.0.3.4, + 10.0.3.5 : 10.0.3.5, + 10.0.3.6 : 10.0.3.6, + 10.0.3.7 : 10.0.3.7, + 10.0.3.8 : 10.0.3.8, + 10.0.3.9 : 10.0.3.9, + 10.0.3.10 : 10.0.3.10, + 10.0.3.11 : 10.0.3.11, + 10.0.3.12 : 10.0.3.12, + 10.0.3.13 : 10.0.3.13, + 10.0.3.14 : 10.0.3.14, + 10.0.3.15 : 10.0.3.15, + 10.0.3.16 : 10.0.3.16, + 10.0.3.17 : 
10.0.3.17, + 10.0.3.18 : 10.0.3.18, + 10.0.3.19 : 10.0.3.19, + 10.0.3.20 : 10.0.3.20, + 10.0.3.21 : 10.0.3.21, + 10.0.3.22 : 10.0.3.22, + 10.0.3.23 : 10.0.3.23, + 10.0.3.24 : 10.0.3.24, + 10.0.3.25 : 10.0.3.25, + 10.0.3.26 : 10.0.3.26, + 10.0.3.27 : 10.0.3.27, + 10.0.3.28 : 10.0.3.28, + 10.0.3.29 : 10.0.3.29, + 10.0.3.30 : 10.0.3.30, + 10.0.3.31 : 10.0.3.31, + 10.0.4.1 : 10.0.4.1, + 10.0.4.2 : 10.0.4.2, + 10.0.4.3 : 10.0.4.3, + 10.0.4.4 : 10.0.4.4, + 10.0.4.5 : 10.0.4.5, + 10.0.4.6 : 10.0.4.6, + 10.0.4.7 : 10.0.4.7, + 10.0.4.8 : 10.0.4.8, + 10.0.4.9 : 10.0.4.9, + 10.0.4.10 : 10.0.4.10, + 10.0.4.11 : 10.0.4.11, + 10.0.4.12 : 10.0.4.12, + 10.0.4.13 : 10.0.4.13, + 10.0.4.14 : 10.0.4.14, + 10.0.4.15 : 10.0.4.15, + 10.0.4.16 : 10.0.4.16, + 10.0.4.17 : 10.0.4.17, + 10.0.4.18 : 10.0.4.18, + 10.0.4.19 : 10.0.4.19, + 10.0.4.20 : 10.0.4.20, + 10.0.4.21 : 10.0.4.21, + 10.0.4.22 : 10.0.4.22, + 10.0.4.23 : 10.0.4.23, + 10.0.4.24 : 10.0.4.24, + 10.0.4.25 : 10.0.4.25, + 10.0.4.26 : 10.0.4.26, + 10.0.4.27 : 10.0.4.27, + 10.0.4.28 : 10.0.4.28, + 10.0.4.29 : 10.0.4.29, + 10.0.4.30 : 10.0.4.30, + 10.0.4.31 : 10.0.4.31, + 10.0.5.1 : 10.0.5.1, + 10.0.5.2 : 10.0.5.2, + 10.0.5.3 : 10.0.5.3, + 10.0.5.4 : 10.0.5.4, + 10.0.5.5 : 10.0.5.5, + 10.0.5.6 : 10.0.5.6, + 10.0.5.7 : 10.0.5.7, + 10.0.5.8 : 10.0.5.8, + 10.0.5.9 : 10.0.5.9, + 10.0.5.10 : 10.0.5.10, + 10.0.5.11 : 10.0.5.11, + 10.0.5.12 : 10.0.5.12, + 10.0.5.13 : 10.0.5.13, + 10.0.5.14 : 10.0.5.14, + 10.0.5.15 : 10.0.5.15, + 10.0.5.16 : 10.0.5.16, + 10.0.5.17 : 10.0.5.17, + 10.0.5.18 : 10.0.5.18, + 10.0.5.19 : 10.0.5.19, + 10.0.5.20 : 10.0.5.20, + 10.0.5.21 : 10.0.5.21, + 10.0.5.22 : 10.0.5.22, + 10.0.5.23 : 10.0.5.23, + 10.0.5.24 : 10.0.5.24, + 10.0.5.25 : 10.0.5.25, + 10.0.5.26 : 10.0.5.26, + 10.0.5.27 : 10.0.5.27, + 10.0.5.28 : 10.0.5.28, + 10.0.5.29 : 10.0.5.29, + 10.0.5.30 : 10.0.5.30, + 10.0.5.31 : 10.0.5.31, + 10.0.6.1 : 10.0.6.1, + 10.0.6.2 : 10.0.6.2, + 10.0.6.3 : 10.0.6.3, + 10.0.6.4 : 10.0.6.4, + 10.0.6.5 : 10.0.6.5, + 
10.0.6.6 : 10.0.6.6, + 10.0.6.7 : 10.0.6.7, + 10.0.6.8 : 10.0.6.8, + 10.0.6.9 : 10.0.6.9, + 10.0.6.10 : 10.0.6.10, + 10.0.6.11 : 10.0.6.11, + 10.0.6.12 : 10.0.6.12, + 10.0.6.13 : 10.0.6.13, + 10.0.6.14 : 10.0.6.14, + 10.0.6.15 : 10.0.6.15, + 10.0.6.16 : 10.0.6.16, + 10.0.6.17 : 10.0.6.17, + 10.0.6.18 : 10.0.6.18, + 10.0.6.19 : 10.0.6.19, + 10.0.6.20 : 10.0.6.20, + 10.0.6.21 : 10.0.6.21, + 10.0.6.22 : 10.0.6.22, + 10.0.6.23 : 10.0.6.23, + 10.0.6.24 : 10.0.6.24, + 10.0.6.25 : 10.0.6.25, + 10.0.6.26 : 10.0.6.26, + 10.0.6.27 : 10.0.6.27, + 10.0.6.28 : 10.0.6.28, + 10.0.6.29 : 10.0.6.29, + 10.0.6.30 : 10.0.6.30, + 10.0.6.31 : 10.0.6.31, + 10.0.7.1 : 10.0.7.1, + 10.0.7.2 : 10.0.7.2, + 10.0.7.3 : 10.0.7.3, + 10.0.7.4 : 10.0.7.4, + 10.0.7.5 : 10.0.7.5, + 10.0.7.6 : 10.0.7.6, + 10.0.7.7 : 10.0.7.7, + 10.0.7.8 : 10.0.7.8, + 10.0.7.9 : 10.0.7.9, + 10.0.7.10 : 10.0.7.10, + 10.0.7.11 : 10.0.7.11, + 10.0.7.12 : 10.0.7.12, + 10.0.7.13 : 10.0.7.13, + 10.0.7.14 : 10.0.7.14, + 10.0.7.15 : 10.0.7.15, + 10.0.7.16 : 10.0.7.16, + 10.0.7.17 : 10.0.7.17, + 10.0.7.18 : 10.0.7.18, + 10.0.7.19 : 10.0.7.19, + 10.0.7.20 : 10.0.7.20, + 10.0.7.21 : 10.0.7.21, + 10.0.7.22 : 10.0.7.22, + 10.0.7.23 : 10.0.7.23, + 10.0.7.24 : 10.0.7.24, + 10.0.7.25 : 10.0.7.25, + 10.0.7.26 : 10.0.7.26, + 10.0.7.27 : 10.0.7.27, + 10.0.7.28 : 10.0.7.28, + 10.0.7.29 : 10.0.7.29, + 10.0.7.30 : 10.0.7.30, + 10.0.7.31 : 10.0.7.31, + 10.0.8.1 : 10.0.8.1, + 10.0.8.2 : 10.0.8.2, + 10.0.8.3 : 10.0.8.3, + 10.0.8.4 : 10.0.8.4, + 10.0.8.5 : 10.0.8.5, + 10.0.8.6 : 10.0.8.6, + 10.0.8.7 : 10.0.8.7, + 10.0.8.8 : 10.0.8.8, + 10.0.8.9 : 10.0.8.9, + 10.0.8.10 : 10.0.8.10, + 10.0.8.11 : 10.0.8.11, + 10.0.8.12 : 10.0.8.12, + 10.0.8.13 : 10.0.8.13, + 10.0.8.14 : 10.0.8.14, + 10.0.8.15 : 10.0.8.15, + 10.0.8.16 : 10.0.8.16, + 10.0.8.17 : 10.0.8.17, + 10.0.8.18 : 10.0.8.18, + 10.0.8.19 : 10.0.8.19, + 10.0.8.20 : 10.0.8.20, + 10.0.8.21 : 10.0.8.21, + 10.0.8.22 : 10.0.8.22, + 10.0.8.23 : 10.0.8.23, + 10.0.8.24 : 10.0.8.24, + 10.0.8.25 : 
10.0.8.25, + 10.0.8.26 : 10.0.8.26, + 10.0.8.27 : 10.0.8.27, + 10.0.8.28 : 10.0.8.28, + 10.0.8.29 : 10.0.8.29, + 10.0.8.30 : 10.0.8.30, + 10.0.8.31 : 10.0.8.31, + 10.0.9.1 : 10.0.9.1, + 10.0.9.2 : 10.0.9.2, + 10.0.9.3 : 10.0.9.3, + 10.0.9.4 : 10.0.9.4, + 10.0.9.5 : 10.0.9.5, + 10.0.9.6 : 10.0.9.6, + 10.0.9.7 : 10.0.9.7, + 10.0.9.8 : 10.0.9.8, + 10.0.9.9 : 10.0.9.9, + 10.0.9.10 : 10.0.9.10, + 10.0.9.11 : 10.0.9.11, + 10.0.9.12 : 10.0.9.12, + 10.0.9.13 : 10.0.9.13, + 10.0.9.14 : 10.0.9.14, + 10.0.9.15 : 10.0.9.15, + 10.0.9.16 : 10.0.9.16, + 10.0.9.17 : 10.0.9.17, + 10.0.9.18 : 10.0.9.18, + 10.0.9.19 : 10.0.9.19, + 10.0.9.20 : 10.0.9.20, + 10.0.9.21 : 10.0.9.21, + 10.0.9.22 : 10.0.9.22, + 10.0.9.23 : 10.0.9.23, + 10.0.9.24 : 10.0.9.24, + 10.0.9.25 : 10.0.9.25, + 10.0.9.26 : 10.0.9.26, + 10.0.9.27 : 10.0.9.27, + 10.0.9.28 : 10.0.9.28, + 10.0.9.29 : 10.0.9.29, + 10.0.9.30 : 10.0.9.30, + 10.0.9.31 : 10.0.9.31, + 10.0.10.1 : 10.0.10.1, + 10.0.10.2 : 10.0.10.2, + 10.0.10.3 : 10.0.10.3, + 10.0.10.4 : 10.0.10.4, + 10.0.10.5 : 10.0.10.5, + 10.0.10.6 : 10.0.10.6, + 10.0.10.7 : 10.0.10.7, + 10.0.10.8 : 10.0.10.8, + 10.0.10.9 : 10.0.10.9, + 10.0.10.10 : 10.0.10.10, + 10.0.10.11 : 10.0.10.11, + 10.0.10.12 : 10.0.10.12, + 10.0.10.13 : 10.0.10.13, + 10.0.10.14 : 10.0.10.14, + 10.0.10.15 : 10.0.10.15, + 10.0.10.16 : 10.0.10.16, + 10.0.10.17 : 10.0.10.17, + 10.0.10.18 : 10.0.10.18, + 10.0.10.19 : 10.0.10.19, + 10.0.10.20 : 10.0.10.20, + 10.0.10.21 : 10.0.10.21, + 10.0.10.22 : 10.0.10.22, + 10.0.10.23 : 10.0.10.23, + 10.0.10.24 : 10.0.10.24, + 10.0.10.25 : 10.0.10.25, + 10.0.10.26 : 10.0.10.26, + 10.0.10.27 : 10.0.10.27, + 10.0.10.28 : 10.0.10.28, + 10.0.10.29 : 10.0.10.29, + 10.0.10.30 : 10.0.10.30, + 10.0.10.31 : 10.0.10.31, + 10.0.11.1 : 10.0.11.1, + 10.0.11.2 : 10.0.11.2, + 10.0.11.3 : 10.0.11.3, + 10.0.11.4 : 10.0.11.4, + 10.0.11.5 : 10.0.11.5, + 10.0.11.6 : 10.0.11.6, + 10.0.11.7 : 10.0.11.7, + 10.0.11.8 : 10.0.11.8, + 10.0.11.9 : 10.0.11.9, + 10.0.11.10 : 10.0.11.10, + 
10.0.11.11 : 10.0.11.11, + 10.0.11.12 : 10.0.11.12, + 10.0.11.13 : 10.0.11.13, + 10.0.11.14 : 10.0.11.14, + 10.0.11.15 : 10.0.11.15, + 10.0.11.16 : 10.0.11.16, + 10.0.11.17 : 10.0.11.17, + 10.0.11.18 : 10.0.11.18, + 10.0.11.19 : 10.0.11.19, + 10.0.11.20 : 10.0.11.20, + 10.0.11.21 : 10.0.11.21, + 10.0.11.22 : 10.0.11.22, + 10.0.11.23 : 10.0.11.23, + 10.0.11.24 : 10.0.11.24, + 10.0.11.25 : 10.0.11.25, + 10.0.11.26 : 10.0.11.26, + 10.0.11.27 : 10.0.11.27, + 10.0.11.28 : 10.0.11.28, + 10.0.11.29 : 10.0.11.29, + 10.0.11.30 : 10.0.11.30, + 10.0.11.31 : 10.0.11.31, + 10.0.12.1 : 10.0.12.1, + 10.0.12.2 : 10.0.12.2, + 10.0.12.3 : 10.0.12.3, + 10.0.12.4 : 10.0.12.4, + 10.0.12.5 : 10.0.12.5, + 10.0.12.6 : 10.0.12.6, + 10.0.12.7 : 10.0.12.7, + 10.0.12.8 : 10.0.12.8, + 10.0.12.9 : 10.0.12.9, + 10.0.12.10 : 10.0.12.10, + 10.0.12.11 : 10.0.12.11, + 10.0.12.12 : 10.0.12.12, + 10.0.12.13 : 10.0.12.13, + 10.0.12.14 : 10.0.12.14, + 10.0.12.15 : 10.0.12.15, + 10.0.12.16 : 10.0.12.16, + 10.0.12.17 : 10.0.12.17, + 10.0.12.18 : 10.0.12.18, + 10.0.12.19 : 10.0.12.19, + 10.0.12.20 : 10.0.12.20, + 10.0.12.21 : 10.0.12.21, + 10.0.12.22 : 10.0.12.22, + 10.0.12.23 : 10.0.12.23, + 10.0.12.24 : 10.0.12.24, + 10.0.12.25 : 10.0.12.25, + 10.0.12.26 : 10.0.12.26, + 10.0.12.27 : 10.0.12.27, + 10.0.12.28 : 10.0.12.28, + 10.0.12.29 : 10.0.12.29, + 10.0.12.30 : 10.0.12.30, + 10.0.12.31 : 10.0.12.31, + 10.0.13.1 : 10.0.13.1, + 10.0.13.2 : 10.0.13.2, + 10.0.13.3 : 10.0.13.3, + 10.0.13.4 : 10.0.13.4, + 10.0.13.5 : 10.0.13.5, + 10.0.13.6 : 10.0.13.6, + 10.0.13.7 : 10.0.13.7, + 10.0.13.8 : 10.0.13.8, + 10.0.13.9 : 10.0.13.9, + 10.0.13.10 : 10.0.13.10, + 10.0.13.11 : 10.0.13.11, + 10.0.13.12 : 10.0.13.12, + 10.0.13.13 : 10.0.13.13, + 10.0.13.14 : 10.0.13.14, + 10.0.13.15 : 10.0.13.15, + 10.0.13.16 : 10.0.13.16, + 10.0.13.17 : 10.0.13.17, + 10.0.13.18 : 10.0.13.18, + 10.0.13.19 : 10.0.13.19, + 10.0.13.20 : 10.0.13.20, + 10.0.13.21 : 10.0.13.21, + 10.0.13.22 : 10.0.13.22, + 10.0.13.23 : 10.0.13.23, + 10.0.13.24 
: 10.0.13.24, + 10.0.13.25 : 10.0.13.25, + 10.0.13.26 : 10.0.13.26, + 10.0.13.27 : 10.0.13.27, + 10.0.13.28 : 10.0.13.28, + 10.0.13.29 : 10.0.13.29, + 10.0.13.30 : 10.0.13.30, + 10.0.13.31 : 10.0.13.31, + 10.0.14.1 : 10.0.14.1, + 10.0.14.2 : 10.0.14.2, + 10.0.14.3 : 10.0.14.3, + 10.0.14.4 : 10.0.14.4, + 10.0.14.5 : 10.0.14.5, + 10.0.14.6 : 10.0.14.6, + 10.0.14.7 : 10.0.14.7, + 10.0.14.8 : 10.0.14.8, + 10.0.14.9 : 10.0.14.9, + 10.0.14.10 : 10.0.14.10, + 10.0.14.11 : 10.0.14.11, + 10.0.14.12 : 10.0.14.12, + 10.0.14.13 : 10.0.14.13, + 10.0.14.14 : 10.0.14.14, + 10.0.14.15 : 10.0.14.15, + 10.0.14.16 : 10.0.14.16, + 10.0.14.17 : 10.0.14.17, + 10.0.14.18 : 10.0.14.18, + 10.0.14.19 : 10.0.14.19, + 10.0.14.20 : 10.0.14.20, + 10.0.14.21 : 10.0.14.21, + 10.0.14.22 : 10.0.14.22, + 10.0.14.23 : 10.0.14.23, + 10.0.14.24 : 10.0.14.24, + 10.0.14.25 : 10.0.14.25, + 10.0.14.26 : 10.0.14.26, + 10.0.14.27 : 10.0.14.27, + 10.0.14.28 : 10.0.14.28, + 10.0.14.29 : 10.0.14.29, + 10.0.14.30 : 10.0.14.30, + 10.0.14.31 : 10.0.14.31, + 10.0.15.1 : 10.0.15.1, + 10.0.15.2 : 10.0.15.2, + 10.0.15.3 : 10.0.15.3, + 10.0.15.4 : 10.0.15.4, + 10.0.15.5 : 10.0.15.5, + 10.0.15.6 : 10.0.15.6, + 10.0.15.7 : 10.0.15.7, + 10.0.15.8 : 10.0.15.8, + 10.0.15.9 : 10.0.15.9, + 10.0.15.10 : 10.0.15.10, + 10.0.15.11 : 10.0.15.11, + 10.0.15.12 : 10.0.15.12, + 10.0.15.13 : 10.0.15.13, + 10.0.15.14 : 10.0.15.14, + 10.0.15.15 : 10.0.15.15, + 10.0.15.16 : 10.0.15.16, + 10.0.15.17 : 10.0.15.17, + 10.0.15.18 : 10.0.15.18, + 10.0.15.19 : 10.0.15.19, + 10.0.15.20 : 10.0.15.20, + 10.0.15.21 : 10.0.15.21, + 10.0.15.22 : 10.0.15.22, + 10.0.15.23 : 10.0.15.23, + 10.0.15.24 : 10.0.15.24, + 10.0.15.25 : 10.0.15.25, + 10.0.15.26 : 10.0.15.26, + 10.0.15.27 : 10.0.15.27, + 10.0.15.28 : 10.0.15.28, + 10.0.15.29 : 10.0.15.29, + 10.0.15.30 : 10.0.15.30, + 10.0.15.31 : 10.0.15.31, + 10.0.16.1 : 10.0.16.1, + 10.0.16.2 : 10.0.16.2, + 10.0.16.3 : 10.0.16.3, + 10.0.16.4 : 10.0.16.4, + 10.0.16.5 : 10.0.16.5, + 10.0.16.6 : 10.0.16.6, + 
10.0.16.7 : 10.0.16.7, + 10.0.16.8 : 10.0.16.8, + 10.0.16.9 : 10.0.16.9, + 10.0.16.10 : 10.0.16.10, + 10.0.16.11 : 10.0.16.11, + 10.0.16.12 : 10.0.16.12, + 10.0.16.13 : 10.0.16.13, + 10.0.16.14 : 10.0.16.14, + 10.0.16.15 : 10.0.16.15, + 10.0.16.16 : 10.0.16.16, + 10.0.16.17 : 10.0.16.17, + 10.0.16.18 : 10.0.16.18, + 10.0.16.19 : 10.0.16.19, + 10.0.16.20 : 10.0.16.20, + 10.0.16.21 : 10.0.16.21, + 10.0.16.22 : 10.0.16.22, + 10.0.16.23 : 10.0.16.23, + 10.0.16.24 : 10.0.16.24, + 10.0.16.25 : 10.0.16.25, + 10.0.16.26 : 10.0.16.26, + 10.0.16.27 : 10.0.16.27, + 10.0.16.28 : 10.0.16.28, + 10.0.16.29 : 10.0.16.29, + 10.0.16.30 : 10.0.16.30, + 10.0.16.31 : 10.0.16.31, + 10.0.17.1 : 10.0.17.1, + 10.0.17.2 : 10.0.17.2, + 10.0.17.3 : 10.0.17.3, + 10.0.17.4 : 10.0.17.4, + 10.0.17.5 : 10.0.17.5, + 10.0.17.6 : 10.0.17.6, + 10.0.17.7 : 10.0.17.7, + 10.0.17.8 : 10.0.17.8, + 10.0.17.9 : 10.0.17.9, + 10.0.17.10 : 10.0.17.10, + 10.0.17.11 : 10.0.17.11, + 10.0.17.12 : 10.0.17.12, + 10.0.17.13 : 10.0.17.13, + 10.0.17.14 : 10.0.17.14, + 10.0.17.15 : 10.0.17.15, + 10.0.17.16 : 10.0.17.16, + 10.0.17.17 : 10.0.17.17, + 10.0.17.18 : 10.0.17.18, + 10.0.17.19 : 10.0.17.19, + 10.0.17.20 : 10.0.17.20, + 10.0.17.21 : 10.0.17.21, + 10.0.17.22 : 10.0.17.22, + 10.0.17.23 : 10.0.17.23, + 10.0.17.24 : 10.0.17.24, + 10.0.17.25 : 10.0.17.25, + 10.0.17.26 : 10.0.17.26, + 10.0.17.27 : 10.0.17.27, + 10.0.17.28 : 10.0.17.28, + 10.0.17.29 : 10.0.17.29, + 10.0.17.30 : 10.0.17.30, + 10.0.17.31 : 10.0.17.31, + 10.0.18.1 : 10.0.18.1, + 10.0.18.2 : 10.0.18.2, + 10.0.18.3 : 10.0.18.3, + 10.0.18.4 : 10.0.18.4, + 10.0.18.5 : 10.0.18.5, + 10.0.18.6 : 10.0.18.6, + 10.0.18.7 : 10.0.18.7, + 10.0.18.8 : 10.0.18.8, + 10.0.18.9 : 10.0.18.9, + 10.0.18.10 : 10.0.18.10, + 10.0.18.11 : 10.0.18.11, + 10.0.18.12 : 10.0.18.12, + 10.0.18.13 : 10.0.18.13, + 10.0.18.14 : 10.0.18.14, + 10.0.18.15 : 10.0.18.15, + 10.0.18.16 : 10.0.18.16, + 10.0.18.17 : 10.0.18.17, + 10.0.18.18 : 10.0.18.18, + 10.0.18.19 : 10.0.18.19, + 10.0.18.20 : 
10.0.18.20, + 10.0.18.21 : 10.0.18.21, + 10.0.18.22 : 10.0.18.22, + 10.0.18.23 : 10.0.18.23, + 10.0.18.24 : 10.0.18.24, + 10.0.18.25 : 10.0.18.25, + 10.0.18.26 : 10.0.18.26, + 10.0.18.27 : 10.0.18.27, + 10.0.18.28 : 10.0.18.28, + 10.0.18.29 : 10.0.18.29, + 10.0.18.30 : 10.0.18.30, + 10.0.18.31 : 10.0.18.31, + 10.0.19.1 : 10.0.19.1, + 10.0.19.2 : 10.0.19.2, + 10.0.19.3 : 10.0.19.3, + 10.0.19.4 : 10.0.19.4, + 10.0.19.5 : 10.0.19.5, + 10.0.19.6 : 10.0.19.6, + 10.0.19.7 : 10.0.19.7, + 10.0.19.8 : 10.0.19.8, + 10.0.19.9 : 10.0.19.9, + 10.0.19.10 : 10.0.19.10, + 10.0.19.11 : 10.0.19.11, + 10.0.19.12 : 10.0.19.12, + 10.0.19.13 : 10.0.19.13, + 10.0.19.14 : 10.0.19.14, + 10.0.19.15 : 10.0.19.15, + 10.0.19.16 : 10.0.19.16, + 10.0.19.17 : 10.0.19.17, + 10.0.19.18 : 10.0.19.18, + 10.0.19.19 : 10.0.19.19, + 10.0.19.20 : 10.0.19.20, + 10.0.19.21 : 10.0.19.21, + 10.0.19.22 : 10.0.19.22, + 10.0.19.23 : 10.0.19.23, + 10.0.19.24 : 10.0.19.24, + 10.0.19.25 : 10.0.19.25, + 10.0.19.26 : 10.0.19.26, + 10.0.19.27 : 10.0.19.27, + 10.0.19.28 : 10.0.19.28, + 10.0.19.29 : 10.0.19.29, + 10.0.19.30 : 10.0.19.30, + 10.0.19.31 : 10.0.19.31, + 10.0.20.1 : 10.0.20.1, + 10.0.20.2 : 10.0.20.2, + 10.0.20.3 : 10.0.20.3, + 10.0.20.4 : 10.0.20.4, + 10.0.20.5 : 10.0.20.5, + 10.0.20.6 : 10.0.20.6, + 10.0.20.7 : 10.0.20.7, + 10.0.20.8 : 10.0.20.8, + 10.0.20.9 : 10.0.20.9, + 10.0.20.10 : 10.0.20.10, + 10.0.20.11 : 10.0.20.11, + 10.0.20.12 : 10.0.20.12, + 10.0.20.13 : 10.0.20.13, + 10.0.20.14 : 10.0.20.14, + 10.0.20.15 : 10.0.20.15, + 10.0.20.16 : 10.0.20.16, + 10.0.20.17 : 10.0.20.17, + 10.0.20.18 : 10.0.20.18, + 10.0.20.19 : 10.0.20.19, + 10.0.20.20 : 10.0.20.20, + 10.0.20.21 : 10.0.20.21, + 10.0.20.22 : 10.0.20.22, + 10.0.20.23 : 10.0.20.23, + 10.0.20.24 : 10.0.20.24, + 10.0.20.25 : 10.0.20.25, + 10.0.20.26 : 10.0.20.26, + 10.0.20.27 : 10.0.20.27, + 10.0.20.28 : 10.0.20.28, + 10.0.20.29 : 10.0.20.29, + 10.0.20.30 : 10.0.20.30, + 10.0.20.31 : 10.0.20.31, + 10.0.21.1 : 10.0.21.1, + 10.0.21.2 : 10.0.21.2, + 
10.0.21.3 : 10.0.21.3, + 10.0.21.4 : 10.0.21.4, + 10.0.21.5 : 10.0.21.5, + 10.0.21.6 : 10.0.21.6, + 10.0.21.7 : 10.0.21.7, + 10.0.21.8 : 10.0.21.8, + 10.0.21.9 : 10.0.21.9, + 10.0.21.10 : 10.0.21.10, + 10.0.21.11 : 10.0.21.11, + 10.0.21.12 : 10.0.21.12, + 10.0.21.13 : 10.0.21.13, + 10.0.21.14 : 10.0.21.14, + 10.0.21.15 : 10.0.21.15, + 10.0.21.16 : 10.0.21.16, + 10.0.21.17 : 10.0.21.17, + 10.0.21.18 : 10.0.21.18, + 10.0.21.19 : 10.0.21.19, + 10.0.21.20 : 10.0.21.20, + 10.0.21.21 : 10.0.21.21, + 10.0.21.22 : 10.0.21.22, + 10.0.21.23 : 10.0.21.23, + 10.0.21.24 : 10.0.21.24, + 10.0.21.25 : 10.0.21.25, + 10.0.21.26 : 10.0.21.26, + 10.0.21.27 : 10.0.21.27, + 10.0.21.28 : 10.0.21.28, + 10.0.21.29 : 10.0.21.29, + 10.0.21.30 : 10.0.21.30, + 10.0.21.31 : 10.0.21.31, + 10.0.22.1 : 10.0.22.1, + 10.0.22.2 : 10.0.22.2, + 10.0.22.3 : 10.0.22.3, + 10.0.22.4 : 10.0.22.4, + 10.0.22.5 : 10.0.22.5, + 10.0.22.6 : 10.0.22.6, + 10.0.22.7 : 10.0.22.7, + 10.0.22.8 : 10.0.22.8, + 10.0.22.9 : 10.0.22.9, + 10.0.22.10 : 10.0.22.10, + 10.0.22.11 : 10.0.22.11, + 10.0.22.12 : 10.0.22.12, + 10.0.22.13 : 10.0.22.13, + 10.0.22.14 : 10.0.22.14, + 10.0.22.15 : 10.0.22.15, + 10.0.22.16 : 10.0.22.16, + 10.0.22.17 : 10.0.22.17, + 10.0.22.18 : 10.0.22.18, + 10.0.22.19 : 10.0.22.19, + 10.0.22.20 : 10.0.22.20, + 10.0.22.21 : 10.0.22.21, + 10.0.22.22 : 10.0.22.22, + 10.0.22.23 : 10.0.22.23, + 10.0.22.24 : 10.0.22.24, + 10.0.22.25 : 10.0.22.25, + 10.0.22.26 : 10.0.22.26, + 10.0.22.27 : 10.0.22.27, + 10.0.22.28 : 10.0.22.28, + 10.0.22.29 : 10.0.22.29, + 10.0.22.30 : 10.0.22.30, + 10.0.22.31 : 10.0.22.31, + 10.0.23.1 : 10.0.23.1, + 10.0.23.2 : 10.0.23.2, + 10.0.23.3 : 10.0.23.3, + 10.0.23.4 : 10.0.23.4, + 10.0.23.5 : 10.0.23.5, + 10.0.23.6 : 10.0.23.6, + 10.0.23.7 : 10.0.23.7, + 10.0.23.8 : 10.0.23.8, + 10.0.23.9 : 10.0.23.9, + 10.0.23.10 : 10.0.23.10, + 10.0.23.11 : 10.0.23.11, + 10.0.23.12 : 10.0.23.12, + 10.0.23.13 : 10.0.23.13, + 10.0.23.14 : 10.0.23.14, + 10.0.23.15 : 10.0.23.15, + 10.0.23.16 : 10.0.23.16, 
+ 10.0.23.17 : 10.0.23.17, + 10.0.23.18 : 10.0.23.18, + 10.0.23.19 : 10.0.23.19, + 10.0.23.20 : 10.0.23.20, + 10.0.23.21 : 10.0.23.21, + 10.0.23.22 : 10.0.23.22, + 10.0.23.23 : 10.0.23.23, + 10.0.23.24 : 10.0.23.24, + 10.0.23.25 : 10.0.23.25, + 10.0.23.26 : 10.0.23.26, + 10.0.23.27 : 10.0.23.27, + 10.0.23.28 : 10.0.23.28, + 10.0.23.29 : 10.0.23.29, + 10.0.23.30 : 10.0.23.30, + 10.0.23.31 : 10.0.23.31, + 10.0.24.1 : 10.0.24.1, + 10.0.24.2 : 10.0.24.2, + 10.0.24.3 : 10.0.24.3, + 10.0.24.4 : 10.0.24.4, + 10.0.24.5 : 10.0.24.5, + 10.0.24.6 : 10.0.24.6, + 10.0.24.7 : 10.0.24.7, + 10.0.24.8 : 10.0.24.8, + 10.0.24.9 : 10.0.24.9, + 10.0.24.10 : 10.0.24.10, + 10.0.24.11 : 10.0.24.11, + 10.0.24.12 : 10.0.24.12, + 10.0.24.13 : 10.0.24.13, + 10.0.24.14 : 10.0.24.14, + 10.0.24.15 : 10.0.24.15, + 10.0.24.16 : 10.0.24.16, + 10.0.24.17 : 10.0.24.17, + 10.0.24.18 : 10.0.24.18, + 10.0.24.19 : 10.0.24.19, + 10.0.24.20 : 10.0.24.20, + 10.0.24.21 : 10.0.24.21, + 10.0.24.22 : 10.0.24.22, + 10.0.24.23 : 10.0.24.23, + 10.0.24.24 : 10.0.24.24, + 10.0.24.25 : 10.0.24.25, + 10.0.24.26 : 10.0.24.26, + 10.0.24.27 : 10.0.24.27, + 10.0.24.28 : 10.0.24.28, + 10.0.24.29 : 10.0.24.29, + 10.0.24.30 : 10.0.24.30, + 10.0.24.31 : 10.0.24.31, + 10.0.25.1 : 10.0.25.1, + 10.0.25.2 : 10.0.25.2, + 10.0.25.3 : 10.0.25.3, + 10.0.25.4 : 10.0.25.4, + 10.0.25.5 : 10.0.25.5, + 10.0.25.6 : 10.0.25.6, + 10.0.25.7 : 10.0.25.7, + 10.0.25.8 : 10.0.25.8, + 10.0.25.9 : 10.0.25.9, + 10.0.25.10 : 10.0.25.10, + 10.0.25.11 : 10.0.25.11, + 10.0.25.12 : 10.0.25.12, + 10.0.25.13 : 10.0.25.13, + 10.0.25.14 : 10.0.25.14, + 10.0.25.15 : 10.0.25.15, + 10.0.25.16 : 10.0.25.16, + 10.0.25.17 : 10.0.25.17, + 10.0.25.18 : 10.0.25.18, + 10.0.25.19 : 10.0.25.19, + 10.0.25.20 : 10.0.25.20, + 10.0.25.21 : 10.0.25.21, + 10.0.25.22 : 10.0.25.22, + 10.0.25.23 : 10.0.25.23, + 10.0.25.24 : 10.0.25.24, + 10.0.25.25 : 10.0.25.25, + 10.0.25.26 : 10.0.25.26, + 10.0.25.27 : 10.0.25.27, + 10.0.25.28 : 10.0.25.28, + 10.0.25.29 : 10.0.25.29, + 
10.0.25.30 : 10.0.25.30, + 10.0.25.31 : 10.0.25.31, + 10.0.26.1 : 10.0.26.1, + 10.0.26.2 : 10.0.26.2, + 10.0.26.3 : 10.0.26.3, + 10.0.26.4 : 10.0.26.4, + 10.0.26.5 : 10.0.26.5, + 10.0.26.6 : 10.0.26.6, + 10.0.26.7 : 10.0.26.7, + 10.0.26.8 : 10.0.26.8, + 10.0.26.9 : 10.0.26.9, + 10.0.26.10 : 10.0.26.10, + 10.0.26.11 : 10.0.26.11, + 10.0.26.12 : 10.0.26.12, + 10.0.26.13 : 10.0.26.13, + 10.0.26.14 : 10.0.26.14, + 10.0.26.15 : 10.0.26.15, + 10.0.26.16 : 10.0.26.16, + 10.0.26.17 : 10.0.26.17, + 10.0.26.18 : 10.0.26.18, + 10.0.26.19 : 10.0.26.19, + 10.0.26.20 : 10.0.26.20, + 10.0.26.21 : 10.0.26.21, + 10.0.26.22 : 10.0.26.22, + 10.0.26.23 : 10.0.26.23, + 10.0.26.24 : 10.0.26.24, + 10.0.26.25 : 10.0.26.25, + 10.0.26.26 : 10.0.26.26, + 10.0.26.27 : 10.0.26.27, + 10.0.26.28 : 10.0.26.28, + 10.0.26.29 : 10.0.26.29, + 10.0.26.30 : 10.0.26.30, + 10.0.26.31 : 10.0.26.31, + 10.0.27.1 : 10.0.27.1, + 10.0.27.2 : 10.0.27.2, + 10.0.27.3 : 10.0.27.3, + 10.0.27.4 : 10.0.27.4, + 10.0.27.5 : 10.0.27.5, + 10.0.27.6 : 10.0.27.6, + 10.0.27.7 : 10.0.27.7, + 10.0.27.8 : 10.0.27.8, + 10.0.27.9 : 10.0.27.9, + 10.0.27.10 : 10.0.27.10, + 10.0.27.11 : 10.0.27.11, + 10.0.27.12 : 10.0.27.12, + 10.0.27.13 : 10.0.27.13, + 10.0.27.14 : 10.0.27.14, + 10.0.27.15 : 10.0.27.15, + 10.0.27.16 : 10.0.27.16, + 10.0.27.17 : 10.0.27.17, + 10.0.27.18 : 10.0.27.18, + 10.0.27.19 : 10.0.27.19, + 10.0.27.20 : 10.0.27.20, + 10.0.27.21 : 10.0.27.21, + 10.0.27.22 : 10.0.27.22, + 10.0.27.23 : 10.0.27.23, + 10.0.27.24 : 10.0.27.24, + 10.0.27.25 : 10.0.27.25, + 10.0.27.26 : 10.0.27.26, + 10.0.27.27 : 10.0.27.27, + 10.0.27.28 : 10.0.27.28, + 10.0.27.29 : 10.0.27.29, + 10.0.27.30 : 10.0.27.30, + 10.0.27.31 : 10.0.27.31, + 10.0.28.1 : 10.0.28.1, + 10.0.28.2 : 10.0.28.2, + 10.0.28.3 : 10.0.28.3, + 10.0.28.4 : 10.0.28.4, + 10.0.28.5 : 10.0.28.5, + 10.0.28.6 : 10.0.28.6, + 10.0.28.7 : 10.0.28.7, + 10.0.28.8 : 10.0.28.8, + 10.0.28.9 : 10.0.28.9, + 10.0.28.10 : 10.0.28.10, + 10.0.28.11 : 10.0.28.11, + 10.0.28.12 : 10.0.28.12, + 
10.0.28.13 : 10.0.28.13, + 10.0.28.14 : 10.0.28.14, + 10.0.28.15 : 10.0.28.15, + 10.0.28.16 : 10.0.28.16, + 10.0.28.17 : 10.0.28.17, + 10.0.28.18 : 10.0.28.18, + 10.0.28.19 : 10.0.28.19, + 10.0.28.20 : 10.0.28.20, + 10.0.28.21 : 10.0.28.21, + 10.0.28.22 : 10.0.28.22, + 10.0.28.23 : 10.0.28.23, + 10.0.28.24 : 10.0.28.24, + 10.0.28.25 : 10.0.28.25, + 10.0.28.26 : 10.0.28.26, + 10.0.28.27 : 10.0.28.27, + 10.0.28.28 : 10.0.28.28, + 10.0.28.29 : 10.0.28.29, + 10.0.28.30 : 10.0.28.30, + 10.0.28.31 : 10.0.28.31, + 10.0.29.1 : 10.0.29.1, + 10.0.29.2 : 10.0.29.2, + 10.0.29.3 : 10.0.29.3, + 10.0.29.4 : 10.0.29.4, + 10.0.29.5 : 10.0.29.5, + 10.0.29.6 : 10.0.29.6, + 10.0.29.7 : 10.0.29.7, + 10.0.29.8 : 10.0.29.8, + 10.0.29.9 : 10.0.29.9, + 10.0.29.10 : 10.0.29.10, + 10.0.29.11 : 10.0.29.11, + 10.0.29.12 : 10.0.29.12, + 10.0.29.13 : 10.0.29.13, + 10.0.29.14 : 10.0.29.14, + 10.0.29.15 : 10.0.29.15, + 10.0.29.16 : 10.0.29.16, + 10.0.29.17 : 10.0.29.17, + 10.0.29.18 : 10.0.29.18, + 10.0.29.19 : 10.0.29.19, + 10.0.29.20 : 10.0.29.20, + 10.0.29.21 : 10.0.29.21, + 10.0.29.22 : 10.0.29.22, + 10.0.29.23 : 10.0.29.23, + 10.0.29.24 : 10.0.29.24, + 10.0.29.25 : 10.0.29.25, + 10.0.29.26 : 10.0.29.26, + 10.0.29.27 : 10.0.29.27, + 10.0.29.28 : 10.0.29.28, + 10.0.29.29 : 10.0.29.29, + 10.0.29.30 : 10.0.29.30, + 10.0.29.31 : 10.0.29.31, + 10.0.30.1 : 10.0.30.1, + 10.0.30.2 : 10.0.30.2, + 10.0.30.3 : 10.0.30.3, + 10.0.30.4 : 10.0.30.4, + 10.0.30.5 : 10.0.30.5, + 10.0.30.6 : 10.0.30.6, + 10.0.30.7 : 10.0.30.7, + 10.0.30.8 : 10.0.30.8, + 10.0.30.9 : 10.0.30.9, + 10.0.30.10 : 10.0.30.10, + 10.0.30.11 : 10.0.30.11, + 10.0.30.12 : 10.0.30.12, + 10.0.30.13 : 10.0.30.13, + 10.0.30.14 : 10.0.30.14, + 10.0.30.15 : 10.0.30.15, + 10.0.30.16 : 10.0.30.16, + 10.0.30.17 : 10.0.30.17, + 10.0.30.18 : 10.0.30.18, + 10.0.30.19 : 10.0.30.19, + 10.0.30.20 : 10.0.30.20, + 10.0.30.21 : 10.0.30.21, + 10.0.30.22 : 10.0.30.22, + 10.0.30.23 : 10.0.30.23, + 10.0.30.24 : 10.0.30.24, + 10.0.30.25 : 10.0.30.25, + 10.0.30.26 
: 10.0.30.26, + 10.0.30.27 : 10.0.30.27, + 10.0.30.28 : 10.0.30.28, + 10.0.30.29 : 10.0.30.29, + 10.0.30.30 : 10.0.30.30, + 10.0.30.31 : 10.0.30.31, + 10.0.31.1 : 10.0.31.1, + 10.0.31.2 : 10.0.31.2, + 10.0.31.3 : 10.0.31.3, + 10.0.31.4 : 10.0.31.4, + 10.0.31.5 : 10.0.31.5, + 10.0.31.6 : 10.0.31.6, + 10.0.31.7 : 10.0.31.7, + 10.0.31.8 : 10.0.31.8, + 10.0.31.9 : 10.0.31.9, + 10.0.31.10 : 10.0.31.10, + 10.0.31.11 : 10.0.31.11, + 10.0.31.12 : 10.0.31.12, + 10.0.31.13 : 10.0.31.13, + 10.0.31.14 : 10.0.31.14, + 10.0.31.15 : 10.0.31.15, + 10.0.31.16 : 10.0.31.16, + 10.0.31.17 : 10.0.31.17, + 10.0.31.18 : 10.0.31.18, + 10.0.31.19 : 10.0.31.19, + 10.0.31.20 : 10.0.31.20, + 10.0.31.21 : 10.0.31.21, + 10.0.31.22 : 10.0.31.22, + 10.0.31.23 : 10.0.31.23, + 10.0.31.24 : 10.0.31.24, + 10.0.31.25 : 10.0.31.25, + 10.0.31.26 : 10.0.31.26, + 10.0.31.27 : 10.0.31.27, + 10.0.31.28 : 10.0.31.28, + 10.0.31.29 : 10.0.31.29, + 10.0.31.30 : 10.0.31.30, + 10.0.31.31 : 10.0.31.31 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump diff --git a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.json-nft b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.json-nft new file mode 100644 index 00000000..f9ac5bce --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.json-nft 
@@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": "interval", + "elem": [ + [ + { + "prefix": { + "addr": "10.1.1.0", + "len": 24 + } + }, + "10.0.1.1" + ], + [ + { + "prefix": { + "addr": "10.1.2.0", + "len": 24 + } + }, + "10.0.1.2" + ], + [ + { + "prefix": { + "addr": "10.2.1.0", + "len": 24 + } + }, + "10.0.2.1" + ], + [ + { + "prefix": { + "addr": "10.2.2.0", + "len": 24 + } + }, + "10.0.2.2" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft index ab992c4a..b1e017bd 100644 --- a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft +++ b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft @@ -2,7 +2,9 @@ table ip x { map y { type ipv4_addr : ipv4_addr flags interval - elements = { 10.1.1.0/24 : 10.0.1.1, 10.1.2.0/24 : 10.0.1.2, - 10.2.1.0/24 : 10.0.2.1, 10.2.2.0/24 : 10.0.2.2 } + elements = { 10.1.1.0/24 : 10.0.1.1, + 10.1.2.0/24 : 10.0.1.2, + 10.2.1.0/24 : 10.0.2.1, + 10.2.2.0/24 : 10.0.2.2 } } } diff --git a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.json-nft b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.json-nft new file mode 100644 index 00000000..d6b32d0f --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.json-nft 
@@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": "interval", + "elem": [ + [ + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + "10.0.0.1" + ], + [ + { + "prefix": { + "addr": "10.0.2.0", + "len": 24 + } + }, + "10.0.0.2" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft index 1f5343f4..74380c29 100644 --- a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft +++ b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft @@ -2,6 +2,7 @@ table ip x { map y { type ipv4_addr : ipv4_addr flags interval - elements = { 10.0.1.0/24 : 10.0.0.1, 10.0.2.0/24 : 10.0.0.2 } + elements = { 10.0.1.0/24 : 10.0.0.1, + 10.0.2.0/24 : 10.0.0.2 } } } diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft new file mode 100644 index 00000000..ef57a749 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft 
@@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "m1", + "table": "t", + "type": "ifname", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "eth0", + "1.1.1.1" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "value": { + "map": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": "@m1" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "value": { + "map": { + "key": { + "meta": { + "key": "oifname" + } + }, + "data": "@m1" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft new file mode 100644 index 00000000..09cb6c85 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft 
@@ -0,0 +1,157 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "flags": "interval", + "elem": [ + [ + "127.0.0.2", + 2 + ], + [ + "127.0.0.3", + 3 + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": "@m" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": 2 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": 3 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft new file mode 100644 index 00000000..1b199ff2 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft 
@@ -0,0 +1,16 @@ +table ip filter { + map m { + type ipv4_addr : mark + flags interval + elements = { 127.0.0.2 : 0x00000002, + 127.0.0.3 : 0x00000003 } + } + + chain input { + type filter hook input priority filter; policy accept; + meta mark set ip daddr map @m + meta mark 0x00000002 counter packets 0 bytes 0 accept + meta mark 0x00000003 counter packets 0 bytes 0 accept + counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.json-nft b/tests/shell/testcases/maps/dumps/0009vmap_0.json-nft new file mode 100644 index 00000000..345a2c74 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0009vmap_0.json-nft @@ -0,0 +1,117 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 22, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + { + "elem": { + "val": "lo", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.nft b/tests/shell/testcases/maps/dumps/0009vmap_0.nft index c556fece..c37574ad 100644 --- a/tests/shell/testcases/maps/dumps/0009vmap_0.nft +++ b/tests/shell/testcases/maps/dumps/0009vmap_0.nft @@ -8,6 +8,6 @@ table inet filter { chain prerouting { type filter hook prerouting priority raw; policy accept; - iif vmap { "lo" : jump wan_input } + iif vmap { "lo" counter packets 0 bytes 0 : jump wan_input } } } diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft new file mode 100644 index 00000000..fcc23bb8 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft @@ -0,0 +1,106 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "z", + "table": "x", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ], + "elem": [ + [ + { + "concat": [ + "1.1.1.1", + "tcp", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@z" + } + } + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft new file mode 100644 index 00000000..8f07378a --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft @@ -0,0 +1,145 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "portmap", + "table": "filter", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "elem": [ + [ + { + "elem": { + "val": 22, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "jump": { + "target": "ssh_input" + } + } + ], + [ + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@portmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + "lo", + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.nft b/tests/shell/testcases/maps/dumps/0011vmap_0.nft index 4a72b5e7..94b85a61 100644 --- a/tests/shell/testcases/maps/dumps/0011vmap_0.nft +++ b/tests/shell/testcases/maps/dumps/0011vmap_0.nft @@ -2,7 +2,8 @@ table inet filter { map portmap { type inet_service : verdict counter - elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop } + elements = { 22 counter packets 0 bytes 0 : jump ssh_input, + * counter packets 0 bytes 0 : drop } } chain ssh_input { diff --git a/tests/shell/testcases/maps/dumps/0012map_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_0.json-nft new file mode 100644 index 00000000..2892e11d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0012map_0.json-nft @@ -0,0 +1,97 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ifname", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "lo", + { + "accept": null + } + ], + [ + "eth0", + { + "drop": null + } + ], + [ + "eth1", + { + "drop": null + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": { + "set": [ + [ + "lo", + { + "accept": null + } + ], + [ + "eth0", + { + "drop": null + } + ], + [ + "eth1", + { + "drop": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0012map_0.nft b/tests/shell/testcases/maps/dumps/0012map_0.nft index 895490cf..e734fc1c 100644 --- a/tests/shell/testcases/maps/dumps/0012map_0.nft +++ b/tests/shell/testcases/maps/dumps/0012map_0.nft 
@@ -6,20 +6,7 @@ table ip x { "eth1" : drop } } - map w { - typeof ip saddr . meta mark : verdict - flags interval - counter - elements = { 127.0.0.1-127.0.0.4 . 0x00123434-0x00b00122 counter packets 0 bytes 0 : accept } - } - chain y { iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop } } - - chain k { - type filter hook input priority filter + 1; policy accept; - meta mark set 0x00123434 - ip saddr . meta mark vmap @w - } } diff --git a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft new file mode 100644 index 00000000..85384c53 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft 
@@ -0,0 +1,143 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "k", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 1, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "w", + "table": "x", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + } + }, + "handle": 0, + "map": "verdict", + "flags": "interval", + "elem": [ + [ + { + "elem": { + "val": { + "concat": [ + { + "range": [ + "127.0.0.1", + "127.0.0.4" + ] + }, + { + "range": [ + 1193012, + 11534626 + ] + } + ] + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ] + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "k", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 1193012 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "k", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "data": "@w" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0012map_concat_0.nft b/tests/shell/testcases/maps/dumps/0012map_concat_0.nft new file mode 100644 index 00000000..6649d034 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0012map_concat_0.nft 
@@ -0,0 +1,14 @@ +table ip x { + map w { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { 127.0.0.1-127.0.0.4 . 0x00123434-0x00b00122 counter packets 0 bytes 0 : accept } + } + + chain k { + type filter hook input priority filter + 1; policy accept; + meta mark set 0x00123434 + ip saddr . meta mark vmap @w + } +} diff --git a/tests/shell/testcases/maps/dumps/0013map_0.json-nft b/tests/shell/testcases/maps/dumps/0013map_0.json-nft new file mode 100644 index 00000000..2c8d21b4 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0013map_0.json-nft 
@@ -0,0 +1,126 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, + { + "map": { + "family": "ip", + "name": "forwport", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "map": "verdict", + "flags": "interval", + "elem": [ + [ + { + "elem": { + "val": { + "concat": [ + "10.133.89.138", + "tcp", + 8081 + ] + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ] + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s8" + } + }, + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "data": "@forwport" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0014destroy_0.json-nft b/tests/shell/testcases/maps/dumps/0014destroy_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0014destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/maps/dumps/0014destroy_0.nft b/tests/shell/testcases/maps/dumps/0014destroy_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0014destroy_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/maps/dumps/0016map_leak_0.json-nft b/tests/shell/testcases/maps/dumps/0016map_leak_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0016map_leak_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0016map_leak_0.nft b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft new file mode 100644 index 00000000..8eacf612 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft @@ -0,0 +1,72 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "map": "mark", + "elem": [ + [ + "1.1.1.1", + 2 + ], + [ + "*", + 3 + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "x", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "map": "mark", + "elem": [ + [ + "1.1.1.1", + 2 + ], + [ + "*", + 3 + ] + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft new file mode 100644 index 00000000..f6d7f6a4 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft @@ -0,0 +1,13 @@ +table ip x { + map y { + typeof ip saddr : meta mark + elements = { 1.1.1.1 : 0x00000002, + * : 0x00000003 } + } + + map z { + typeof ip saddr : meta mark + elements = { 1.1.1.1 : 0x00000002, + * : 0x00000003 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.json-nft b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft new file mode 100644 index 00000000..aa2f6f8c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft 
@@ -0,0 +1,165 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "quota", + "elem": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@test" + } + } + }, + { + "drop": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/maps/dumps/0024named_objects_0.nft index 52d1bf64..3188ce2a 100644 --- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft +++ b/tests/shell/testcases/maps/dumps/0024named_objects_0.nft @@ -15,36 +15,19 @@ table inet x { over 2000 bytes } - synproxy https-synproxy { - mss 1460 - wscale 7 - timestamp sack-perm - } - - synproxy other-synproxy { - mss 1460 - wscale 5 - } - set y { type ipv4_addr } map test { type ipv4_addr : quota - elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } - } - - map test2 { - type ipv4_addr : synproxy - flags interval - elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + elements = { 192.168.2.2 : "user124", + 192.168.2.3 : "user124" } } chain y { type filter hook input priority filter; policy accept; counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" } - synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } quota name ip saddr map @test drop } } diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft b/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft new file mode 100644 index 00000000..e3fab16d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft 
@@ -0,0 +1,147 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_1.nft b/tests/shell/testcases/maps/dumps/0024named_objects_1.nft new file mode 100644 index 00000000..a8e99a3c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0024named_objects_1.nft 
@@ -0,0 +1,23 @@ +table inet x { + counter user123 { + packets 12 bytes 1433 + } + + counter user321 { + packets 12 bytes 1433 + } + + quota user123 { + over 2000 bytes + } + + quota user124 { + over 2000 bytes + } + + chain y { + type filter hook input priority filter; policy accept; + counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" } + quota name ip saddr map { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } drop + } +} diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_2.nodump b/tests/shell/testcases/maps/dumps/0024named_objects_2.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0024named_objects_2.nodump diff --git a/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft b/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft new file mode 100644 index 00000000..64209842 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft 
@@ -0,0 +1,116 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "ct helper": { + "family": "inet", + "name": "sip-5060u", + "table": "filter", + "handle": 0, + "type": "sip", + "protocol": "udp", + "l3proto": "ip" + } + }, + { + "ct helper": { + "family": "inet", + "name": "sip-5060t", + "table": "filter", + "handle": 0, + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "ct helper": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "udp", + { + "range": [ + 10000, + 20000 + ] + } + ] + }, + "sip-5060u" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + 10000, + 20000 + ] + } + ] + }, + "sip-5060t" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.json-nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.json-nft new file mode 100644 index 00000000..f4c55706 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.json-nft 
@@ -0,0 +1,58 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "2.2.2.2" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.json-nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.json-nft new file mode 100644 index 00000000..f4c55706 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.json-nft @@ -0,0 +1,58 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "2.2.2.2" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.nft new file mode 100644 index 00000000..5009560c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_1.nft @@ -0,0 +1,5 @@ +table ip nat { + chain postrouting { + snat to ip saddr map { 1.1.1.1 : 2.2.2.2 } + } +} 
diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_2.nodump b/tests/shell/testcases/maps/dumps/anonymous_snat_map_2.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_2.nodump diff --git a/tests/shell/testcases/maps/dumps/delete_element.nft b/tests/shell/testcases/maps/dumps/delete_element.nft new file mode 100644 index 00000000..5275b4dc --- /dev/null +++ b/tests/shell/testcases/maps/dumps/delete_element.nft @@ -0,0 +1,12 @@ +table ip x { + map m { + typeof ct bytes : meta priority + flags interval + elements = { 2048001-4000000 : 1:2 } + } + + chain y { + type filter hook output priority filter; policy accept; + meta priority set ct bytes map @m + } +} diff --git a/tests/shell/testcases/maps/dumps/delete_element_catchall.nft b/tests/shell/testcases/maps/dumps/delete_element_catchall.nft new file mode 100644 index 00000000..14054f4d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/delete_element_catchall.nft @@ -0,0 +1,12 @@ +table ip x { + map m { + typeof ct bytes : meta priority + flags interval + elements = { * : 1:3 } + } + + chain y { + type filter hook output priority filter; policy accept; + meta priority set ct bytes map @m + } +} diff --git a/tests/shell/testcases/maps/dumps/different_map_types_1.json-nft b/tests/shell/testcases/maps/dumps/different_map_types_1.json-nft new file mode 100644 index 00000000..ed0ce0ed --- /dev/null +++ b/tests/shell/testcases/maps/dumps/different_map_types_1.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + } + ] +} 
diff --git a/tests/shell/testcases/maps/dumps/different_map_types_1.nft b/tests/shell/testcases/maps/dumps/different_map_types_1.nft new file mode 100644 index 00000000..3c18b5c7 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/different_map_types_1.nft @@ -0,0 +1,5 @@ +table ip filter { + chain output { + type filter hook output priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.json-nft b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.json-nft new file mode 100644 index 00000000..49b8bb29 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "testchain", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft new file mode 100644 index 00000000..37c48bf3 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft @@ -0,0 +1,4 @@ +table ip test { + chain testchain { + } +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free.nodump b/tests/shell/testcases/maps/dumps/map_catchall_double_free.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free.nodump diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft new file mode 100644 index 00000000..a9d4c8e9 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft 
@@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "testchain", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "testmap", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "*", + { + "jump": { + "target": "testchain" + } + } + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.nft b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.nft new file mode 100644 index 00000000..68958c40 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.nft @@ -0,0 +1,9 @@ +table ip test { + map testmap { + type ipv4_addr : verdict + elements = { * : jump testchain } + } + + chain testchain { + } +} diff --git a/tests/shell/testcases/maps/dumps/map_with_flags_0.json-nft b/tests/shell/testcases/maps/dumps/map_with_flags_0.json-nft new file mode 100644 index 00000000..94ec5f75 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_with_flags_0.json-nft @@ -0,0 +1,29 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": "timeout" + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/named_ct_objects.nft b/tests/shell/testcases/maps/dumps/named_ct_objects.nft new file mode 100644 index 00000000..59f18932 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_ct_objects.nft 
@@ -0,0 +1,71 @@ +table inet t { + ct expectation exp1 { + protocol tcp + dport 9876 + timeout 1m + size 12 + l3proto ip + } + + ct expectation exp2 { + protocol tcp + dport 9876 + timeout 3s + size 13 + l3proto ip6 + } + + ct helper myftp { + type "ftp" protocol tcp + l3proto inet + } + + ct timeout dns { + protocol tcp + l3proto ip + policy = { established : 3s, close : 1s } + } + + map exp { + typeof ip saddr : ct expectation + elements = { 192.168.2.2 : "exp1" } + } + + map exp6 { + typeof ip6 saddr : ct expectation + flags interval + elements = { dead:beef::/64 : "exp2" } + } + + map helpobj { + typeof ip6 saddr : ct helper + flags interval + elements = { dead:beef::/64 : "myftp" } + } + + map timeoutmap { + typeof ip daddr : ct timeout + elements = { 192.168.0.1 : "dns" } + } + + set helpname { + typeof ct helper + elements = { "sip", + "ftp" } + } + + chain y { + ct expectation set ip saddr map @exp + ct expectation set ip6 saddr map { dead::beef : "exp2" } + ct expectation set ip6 daddr map { dead::beef : "exp2", feed::17 : "exp2" } + ct expectation set ip6 daddr . tcp dport map { feed::17 . 512 : "exp2", dead::beef . 123 : "exp2" } + ct helper set ip6 saddr map { 1c3::c01d : "myftp", dead::beef : "myftp" } + ct helper set ip6 saddr map @helpobj + ct timeout set ip daddr map @timeoutmap + ct timeout set ip daddr map { 1.2.3.4 : "dns", 5.6.7.8 : "dns", 192.168.8.0/24 : "dns" } + ct timeout set ip daddr map { 1.2.3.4-1.2.3.8 : "dns" } + ct timeout set ip6 daddr map { 1ce::/64 : "dns", dead::beef : "dns" } + ct helper @helpname accept + ip saddr 192.168.1.1 ct timeout set "dns" + } +} diff --git a/tests/shell/testcases/maps/dumps/named_limits.json-nft b/tests/shell/testcases/maps/dumps/named_limits.json-nft new file mode 100644 index 00000000..07e28929 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_limits.json-nft 
@@ -0,0 +1,363 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "limit": { + "family": "inet", + "name": "tarpit-pps", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "burst": 5 + } + }, + { + "limit": { + "family": "inet", + "name": "tarpit-bps", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "rate_unit": "kbytes" + } + }, + { + "limit": { + "family": "inet", + "name": "http-bulk-rl-1m", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "rate_unit": "mbytes" + } + }, + { + "limit": { + "family": "inet", + "name": "http-bulk-rl-10m", + "table": "filter", + "handle": 0, + "rate": 10, + "per": "second", + "rate_unit": "mbytes" + } + }, + { + "set": { + "family": "inet", + "name": "tarpit4", + "table": "filter", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "size": 10000, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 60 + } + }, + { + "set": { + "family": "inet", + "name": "tarpit6", + "table": "filter", + "type": { + "typeof": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + }, + "handle": 0, + "size": 10000, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 60 + } + }, + { + "map": { + "family": "inet", + "name": "addr4limit", + "table": "filter", + "type": { + "typeof": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "sport" + } + } + ] + } + }, + "handle": 0, + "map": "limit", + "flags": "interval", + "elem": [ + [ + { + "concat": [ + 
"tcp", + { + "prefix": { + "addr": "192.168.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 65535 + ] + } + ] + }, + "tarpit-bps" + ], + [ + { + "concat": [ + "udp", + { + "prefix": { + "addr": "192.168.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 65535 + ] + } + ] + }, + "tarpit-pps" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "127.0.0.1", + "127.1.2.3" + ] + }, + { + "range": [ + 1, + 1024 + ] + } + ] + }, + "tarpit-pps" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "10.0.0.1", + "10.0.0.255" + ] + }, + 80 + ] + }, + "http-bulk-rl-1m" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "10.0.0.1", + "10.0.0.255" + ] + }, + 443 + ] + }, + "http-bulk-rl-1m" + ], + [ + { + "concat": [ + "tcp", + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "http-bulk-rl-10m" + ], + [ + { + "concat": [ + "tcp", + "10.0.2.1", + 22 + ] + }, + "http-bulk-rl-10m" + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "saddr6limit", + "table": "filter", + "type": { + "typeof": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + }, + "handle": 0, + "map": "limit", + "flags": "interval", + "elem": [ + [ + { + "range": [ + "dead::beef", + "dead::1:aced" + ] + }, + "tarpit-pps" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "th", + "field": "sport" + } + } + ] + }, + "data": "@addr4limit" + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": "@saddr6limit" + } + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/maps/dumps/named_limits.nft b/tests/shell/testcases/maps/dumps/named_limits.nft new file mode 100644 index 00000000..214df204 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_limits.nft @@ -0,0 +1,55 @@ +table inet filter { + limit tarpit-pps { + rate 1/second + } + + limit tarpit-bps { + rate 1 kbytes/second + } + + limit http-bulk-rl-1m { + rate 1 mbytes/second + } + + limit http-bulk-rl-10m { + rate 10 mbytes/second + } + + set tarpit4 { + typeof ip saddr + size 10000 + flags dynamic,timeout + timeout 1m + } + + set tarpit6 { + typeof ip6 saddr + size 10000 + flags dynamic,timeout + timeout 1m + } + + map addr4limit { + typeof meta l4proto . ip saddr . tcp sport : limit + flags interval + elements = { tcp . 192.168.0.0/16 . 1-65535 : "tarpit-bps", + udp . 192.168.0.0/16 . 1-65535 : "tarpit-pps", + tcp . 127.0.0.1-127.1.2.3 . 1-1024 : "tarpit-pps", + tcp . 10.0.0.1-10.0.0.255 . 80 : "http-bulk-rl-1m", + tcp . 10.0.0.1-10.0.0.255 . 443 : "http-bulk-rl-1m", + tcp . 10.0.1.0/24 . 1024-65535 : "http-bulk-rl-10m", + tcp . 10.0.2.1 . 22 : "http-bulk-rl-10m" } + } + + map saddr6limit { + typeof ip6 saddr : limit + flags interval + elements = { dead::beef-dead::1:aced : "tarpit-pps" } + } + + chain input { + type filter hook input priority filter; policy accept; + limit name meta l4proto . ip saddr . th sport map @addr4limit + limit name ip6 saddr map @saddr6limit + } +} diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft new file mode 100644 index 00000000..ad9eb36e --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft 
@@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "nat", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "1.1.1.1", + "2.2.2.2" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@m" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft b/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft new file mode 100644 index 00000000..dc793a65 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft @@ -0,0 +1,40 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "m", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr" + ], + "handle": 0, + "map": "verdict", + "flags": "interval" + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/pipapo_double_flush.nft b/tests/shell/testcases/maps/dumps/pipapo_double_flush.nft new file mode 100644 index 00000000..cca569ea --- /dev/null +++ b/tests/shell/testcases/maps/dumps/pipapo_double_flush.nft @@ -0,0 +1,9 @@ +table inet t { + map m { + type ipv4_addr . ipv4_addr : verdict + flags interval + } + + chain c { + } +} 
diff --git a/tests/shell/testcases/maps/dumps/typeof_integer_0.nft b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft index 33041557..19c24feb 100644 --- a/tests/shell/testcases/maps/dumps/typeof_integer_0.nft +++ b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft @@ -13,8 +13,8 @@ table inet t { } chain c { - udp length . @ih,32,32 vmap @m1 - udp length . @ih,32,32 vmap @m2 + udp length . @nh,32,32 vmap @m1 + udp length . @nh,32,32 vmap @m2 udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } } } diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft index a5c0a609..e0efabab 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_0.nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft @@ -6,7 +6,8 @@ table inet t { map m2 { typeof vlan id : meta mark - elements = { 1 : 0x00000001, 4095 : 0x00004095 } + elements = { 1 : 0x00000001, + 4095 : 0x00004095 } } map m3 { diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft new file mode 100644 index 00000000..8b18a78d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft 
@@ -0,0 +1,288 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "dynset", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "dynset", + "name": "test_ping", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "dynset", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "dynmark", + "table": "dynset", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + }, + "handle": 0, + "map": "mark", + "size": 64, + "flags": "timeout", + "timeout": 300, + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "comment": "should not increment", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "map": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": 1, + "map": "@dynmark" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "comment": "should increment", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + 
"table": "dynset", + "chain": "test_ping", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "map": { + "op": "delete", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": 1, + "map": "@dynmark" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "test_ping", + "handle": 0, + "comment": "delete should be instant but might fail under memory pressure", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@dynmark" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "input", + "handle": 0, + "comment": "also check timeout-gc", + "expr": [ + { + "map": { + "op": "add", + "elem": { + "elem": { + "val": "10.2.3.4", + "timeout": 2 + } + }, + "data": 2, + "map": "@dynmark" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "dynset", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "icmp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.42" + } + }, + { + "jump": { + "target": "test_ping" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft new file mode 100644 index 00000000..e80366b8 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft 
@@ -0,0 +1,22 @@ +table ip dynset { + map dynmark { + typeof ip daddr : meta mark + size 64 + counter + timeout 5m + } + + chain test_ping { + ip saddr @dynmark counter packets 0 bytes 0 comment "should not increment" + ip saddr != @dynmark add @dynmark { ip saddr : 0x00000001 } counter packets 1 bytes 84 + ip saddr @dynmark counter packets 1 bytes 84 comment "should increment" + ip saddr @dynmark delete @dynmark { ip saddr : 0x00000001 } + ip saddr @dynmark counter packets 0 bytes 0 comment "delete should be instant but might fail under memory pressure" + } + + chain input { + type filter hook input priority filter; policy accept; + add @dynmark { 10.2.3.4 timeout 2s : 0x00000002 } comment "also check timeout-gc" + meta l4proto icmp ip daddr 127.0.0.42 jump test_ping + } +} diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft new file mode 100644 index 00000000..b79237d0 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft 
@@ -0,0 +1,113 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "kube-nfproxy-v4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "kube-nfproxy-v4", + "name": "k8s-nfproxy-sep-TMVEFT7EX55F4T62", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "kube-nfproxy-v4", + "name": "k8s-nfproxy-sep-GMVEFT7EX55F4T62", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sticky-set-svc-M53CN2XYVUHRQ7UB", + "table": "kube-nfproxy-v4", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "size": 65535, + "flags": "timeout", + "timeout": 360 + } + }, + { + "map": { + "family": "ip", + "name": "sticky-set-svc-153CN2XYVUHRQ7UB", + "table": "kube-nfproxy-v4", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + }, + "handle": 0, + "map": "mark", + "size": 65535, + "flags": "timeout", + "timeout": 60 + } + }, + { + "rule": { + "family": "ip", + "table": "kube-nfproxy-v4", + "chain": "k8s-nfproxy-sep-TMVEFT7EX55F4T62", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": 2, + "map": "@sticky-set-svc-M53CN2XYVUHRQ7UB" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "kube-nfproxy-v4", + "chain": "k8s-nfproxy-sep-GMVEFT7EX55F4T62", + "handle": 0, + "expr": [ + { + "map": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": 3, + "map": "@sticky-set-svc-153CN2XYVUHRQ7UB" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/typeof_raw_0.nft b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft index e876425b..476169f2 100644 --- a/tests/shell/testcases/maps/dumps/typeof_raw_0.nft +++ b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft 
@@ -7,7 +7,7 @@ table ip x { } chain y { - ip saddr . @ih,32,32 vmap @y - ip saddr . @ih,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop } + ip saddr . @nh,32,32 vmap @y + ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop } } } diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft new file mode 100644 index 00000000..df156411 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft 
@@ -0,0 +1,158 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "sctm_o0_0", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "sctm_o0_1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "SET_ctmark_RPLYroute", + "handle": 0 + } + }, + { + "counter": { + "family": "ip", + "name": "c_o0_0", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sctm_o0", + "table": "x", + "type": "mark", + "handle": 0, + "map": "verdict", + "elem": [ + [ + 0, + { + "jump": { + "target": "sctm_o0_0" + } + } + ], + [ + 1, + { + "jump": { + "target": "sctm_o0_1" + } + } + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "sctm_o1", + "table": "x", + "type": "mark", + "handle": 0, + "map": "counter", + "elem": [ + [ + 0, + "c_o0_0" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "SET_ctmark_RPLYroute", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "&": [ + { + ">>": [ + { + "meta": { + "key": "mark" + } + }, + 8 + ] + }, + 15 + ] + }, + "data": "@sctm_o0" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "SET_ctmark_RPLYroute", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "&": [ + { + ">>": [ + { + "meta": { + "key": "mark" + } + }, + 8 + ] + }, + 15 + ] + }, + "data": "@sctm_o1" + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft new file mode 100644 index 00000000..6891e861 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft 
@@ -0,0 +1,27 @@ +table ip x { + counter c_o0_0 { + packets 0 bytes 0 + } + + map sctm_o0 { + type mark : verdict + elements = { 0x00000000 : jump sctm_o0_0, + 0x00000001 : jump sctm_o0_1 } + } + + map sctm_o1 { + type mark : counter + elements = { 0x00000000 : "c_o0_0" } + } + + chain sctm_o0_0 { + } + + chain sctm_o0_1 { + } + + chain SET_ctmark_RPLYroute { + meta mark >> 8 & 0xf vmap @sctm_o0 + counter name meta mark >> 8 & 0xf map @sctm_o1 + } +} diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft new file mode 100644 index 00000000..2d7d8cc2 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft 
@@ -0,0 +1,239 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "log_and_drop", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "other_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "portmap", + "table": "filter", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "flags": "timeout", + "gc-interval": 10, + "elem": [ + [ + 22, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "portaddrmap", + "table": "filter", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + } + }, + "handle": 0, + "map": "verdict", + "flags": "timeout", + "gc-interval": 10, + "elem": [ + [ + { + "concat": [ + "1.2.3.4", + 22 + ] + }, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "log_and_drop", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "other_input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "log_and_drop" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + 
"expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@portaddrmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@portmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + "lo", + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.nft b/tests/shell/testcases/maps/dumps/vmap_timeout.nft new file mode 100644 index 00000000..095f894d --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_timeout.nft @@ -0,0 +1,36 @@ +table inet filter { + map portmap { + type inet_service : verdict + flags timeout + gc-interval 10s + elements = { 22 : jump ssh_input } + } + + map portaddrmap { + typeof ip daddr . th dport : verdict + flags timeout + gc-interval 10s + elements = { 1.2.3.4 . 22 : jump ssh_input } + } + + chain ssh_input { + } + + chain log_and_drop { + drop + } + + chain other_input { + goto log_and_drop + } + + chain wan_input { + ip daddr . tcp dport vmap @portaddrmap + tcp dport vmap @portmap + } + + chain prerouting { + type filter hook prerouting priority raw; policy accept; + iif vmap { "lo" : jump wan_input } + } +} diff --git a/tests/shell/testcases/maps/dumps/vmap_unary.nft b/tests/shell/testcases/maps/dumps/vmap_unary.nft new file mode 100644 index 00000000..46c538b7 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_unary.nft 
@@ -0,0 +1,11 @@
+table ip filter {
+ map ipsec_in {
+ typeof ipsec in reqid . iif : verdict
+ flags interval
+ }
+
+ chain INPUT {
+ type filter hook input priority filter; policy drop;
+ ipsec in reqid . iif vmap @ipsec_in
+ }
+}
diff --git a/tests/shell/testcases/maps/map_catchall_double_deactivate b/tests/shell/testcases/maps/map_catchall_double_deactivate
new file mode 100755
index 00000000..651c08a1
--- /dev/null
+++ b/tests/shell/testcases/maps/map_catchall_double_deactivate
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+$NFT "add table ip test ;
+ add map ip test testmap { type ipv4_addr : verdict; };
+ add chain ip test testchain;
+ add element ip test testmap { * : jump testchain }" || exit 1
+
+$NFT "flush map ip test testmap; delete map ip test testmap; delete map ip test testmap" 2>/dev/null && exit 1
+$NFT "flush map ip test testmap; delete map ip test testmap; delete element ip test testmap { * : jump testchain }" 2>/dev/null && exit 1
+
+$NFT "flush map ip test testmap; delete map ip test testmap" || exit 1
diff --git a/tests/shell/testcases/maps/map_catchall_double_free b/tests/shell/testcases/maps/map_catchall_double_free
new file mode 100755
index 00000000..d101256c
--- /dev/null
+++ b/tests/shell/testcases/maps/map_catchall_double_free
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+$NFT "add table ip test ;
+ add map ip test testmap { type ipv4_addr . ipv4_addr: verdict; flags interval,timeout; timeout 1s;};
+ add chain ip test testchain;
+ add element ip test testmap { * : jump testchain }" || exit 1
+
+sleep 2
+$NFT "add element ip test testmap { 1.2.3.4 . 5.6.7.8: jump testchain }" || exit 1
+sleep 2
+$NFT "add element ip test testmap { 2.3.4.5 . 6.7.8.9 timeout 1m: jump testchain }" || exit 1
diff --git a/tests/shell/testcases/maps/map_catchall_double_free_2 b/tests/shell/testcases/maps/map_catchall_double_free_2
new file mode 100755
index 00000000..5842fcb5
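Review bot: The two negative checks on the `$NFT "flush map ip test testmap; delete map ip test testmap; delete map ip test testmap" 2>/dev/null && exit 1` line and the `delete element` line after it treat any non-zero exit as the expected rejection, so a typo in the command string passes the test just as well as the intended failure, and the `2>/dev/null` discards the only evidence of which one it was. Capturing stderr and matching it against the expected diagnostic pins the reason, e.g. `out=$($NFT "flush map ip test testmap; delete map ip test testmap; delete map ip test testmap" 2>&1) && exit 1` followed by `grep -q '<EXPECTED_ERROR_TEXT>' <<<"$out" || exit 1`. The same reason-blind pattern is used by the `must_fail` calls in named_ct_objects and by `add_create_dupe` in named_limits.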
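Review bot: Nothing in map_catchall_double_free says what the two `sleep 2` lines wait for; the reader has to infer from the `timeout 1s` in the map definition that the catchall element is meant to expire before the next `add element` runs. A comment above the first `sleep 2`, such as `# let the 1s catchall element expire and be garbage-collected; the adds below must still succeed`, would make the expectation explicit and explain why the test deliberately spends four seconds sleeping.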
--- /dev/null
+++ b/tests/shell/testcases/maps/map_catchall_double_free_2
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+$NFT -f /dev/stdin <<EOF
+table ip test {
+ map testmap {
+ type ipv4_addr : verdict
+ elements = { * : jump testchain }
+ }
+
+ chain testchain { }
+}
+EOF
+
+# second attempt to delete the catchall element
+# musts trigger transaction abort
+$NFT -f /dev/stdin <<EOF
+delete element ip test testmap { * }
+delete element ip test testmap { * }
+EOF
+
+if [ $? -eq 1 ]; then
+ exit 0
+fi
+
+exit 1
diff --git a/tests/shell/testcases/maps/named_ct_objects b/tests/shell/testcases/maps/named_ct_objects
new file mode 100755
index 00000000..518140b0
--- /dev/null
+++ b/tests/shell/testcases/maps/named_ct_objects
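Review bot: The first `$NFT -f /dev/stdin <<EOF` that loads the table, map and catchall element is not checked, so if that load fails the later double `delete element` transaction also fails with status 1 and the test reports success without having exercised the double delete at all; `$NFT -f /dev/stdin <<EOF || exit 1` closes that gap. The comment before the second heredoc has a typo, `# musts trigger transaction abort` should read `# must trigger transaction abort`.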
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ctexpect)
+
+$NFT -f /dev/stdin <<EOF || exit 1
+table inet t {
+ ct expectation exp1 {
+ protocol tcp
+ dport 9876
+ timeout 1m
+ size 12
+ l3proto ip
+ }
+
+ ct expectation exp2 {
+ protocol tcp
+ dport 9876
+ timeout 3s
+ size 13
+ l3proto ip6
+ }
+
+ ct helper myftp {
+ type "ftp" protocol tcp
+ }
+
+ ct timeout dns {
+ protocol tcp
+ l3proto ip
+ policy = { established : 3, close : 1 }
+ }
+
+ map exp {
+ typeof ip saddr : ct expectation
+ elements = { 192.168.2.2 : "exp1" }
+ }
+
+ map exp6 {
+ typeof ip6 saddr : ct expectation
+ flags interval
+ elements = { dead:beef::/64 : "exp2" }
+ }
+
+ map helpobj {
+ typeof ip6 saddr : ct helper
+ flags interval
+ elements = { dead:beef::/64 : "myftp" }
+ }
+
+ map timeoutmap {
+ typeof ip daddr : ct timeout
+ elements = { 192.168.0.1 : "dns" }
+ }
+
+ set helpname {
+ typeof ct helper
+ elements = { "ftp", "sip" }
+ }
+
+ chain y {
+ ct expectation set ip saddr map @exp
+ ct expectation set ip6 saddr map { dead::beef : "exp2" }
+ ct expectation set ip6 daddr map { dead::beef : "exp2", feed::17 : "exp2" }
+ ct expectation set ip6 daddr . tcp dport map { dead::beef . 123 : "exp2", feed::17 . 512 : "exp2" }
+ ct helper set ip6 saddr map { dead::beef : "myftp", 1c3::c01d : "myftp" }
+ ct helper set ip6 saddr map @helpobj
+ ct timeout set ip daddr map @timeoutmap
+ ct timeout set ip daddr map { 1.2.3.4 : "dns", 5.6.7.8 : "dns", 192.168.8.0/24 : "dns" }
+ ct timeout set ip daddr map { 1.2.3.4-1.2.3.8 : "dns" }
+ ct timeout set ip6 daddr map { dead::beef : "dns", 1ce::/64 : "dns" }
+ ct helper @helpname accept
+ }
+}
+EOF
+
+must_fail()
+{
+ echo "Command should have failed: $1"
+ exit 111
+}
+
+
+must_work()
+{
+ echo "Command should have succeeded: $1"
+ exit 111
+}
+
+$NFT 'add rule inet t y ip saddr 192.168.1.1 ct timeout set "dns"' || must_work "dns timeout"
+
+$NFT 'add rule inet t y ct helper set ip saddr map @helpobj' && must_fail "helper assignment, map key is ipv6_addr"
+$NFT 'add rule inet t y ct helper set ip6 saddr map @helpname' && must_fail "helper assignment, not a map with objects"
+
+exit 0
diff --git a/tests/shell/testcases/maps/named_limits b/tests/shell/testcases/maps/named_limits
new file mode 100755
index 00000000..ac8e434c
--- /dev/null
+++ b/tests/shell/testcases/maps/named_limits
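Review bot: `must_fail` and `must_work` are the same function with a different message, and both print their diagnostic to stdout although it is an error report. One helper, `fail_test() { echo "$1" >&2; exit 111; }`, called as `|| fail_test "Command should have succeeded: dns timeout"` and `&& fail_test "Command should have failed: helper assignment, map key is ipv6_addr"`, keeps the wording and sends it to stderr, which is where named_limits in this same series already sends its `"$cmd worked" 1>&2` messages.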
@@ -0,0 +1,61 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" || exit 1 + +add_add_then_create() +{ + cmd="$@" + + $NFT "add element inet filter $cmd" || exit 2 + + # again, kernel should suppress -EEXIST + $NFT "add element inet filter $cmd" || exit 3 + + # AGAIN, kernel should report -EEXIST + $NFT "create element inet filter $cmd" && echo "$cmd worked" 1>&2 && exit 4 +} + +add_create_dupe() +{ + cmd="$@" + + $NFT "add element inet filter $cmd" && echo "$cmd worked" 1>&2 && exit 10 + $NFT "create element inet filter $cmd" && echo "$cmd worked" 1>&2 && exit 11 +} + +delete() +{ + cmd="$@" + + $NFT "delete element inet filter $cmd" || exit 30 + $NFT "delete element inet filter $cmd" && echo "$cmd worked" 1>&2 && exit 31 + + # destroy should NOT report an error +# $NFT "destroy element inet filter $cmd" || exit 40 +} + +add_add_then_create 'saddr6limit { fee1::dead : "tarpit-pps" }' +add_add_then_create 'saddr6limit { c01a::/64 : "tarpit-bps" }' + +# test same with a diffent set type (concat + interval) +add_add_then_create 'addr4limit { udp . 1.2.3.4 . 42 : "tarpit-pps", tcp . 1.2.3.4 . 42 : "tarpit-pps" }' + +# now test duplicate key with *DIFFERENT* limiter, should fail +add_create_dupe 'saddr6limit { fee1::dead : "tarpit-bps" }' + +add_create_dupe 'addr4limit { udp . 1.2.3.4 . 42 : "tarpit-pps", tcp . 1.2.3.4 . 42 : "http-bulk-rl-10m" }' +add_create_dupe 'addr4limit { udp . 1.2.3.4 . 43 : "tarpit-pps", tcp . 1.2.3.4 . 42 : "http-bulk-rl-10m" }' +add_create_dupe 'addr4limit { udp . 1.2.3.5 . 42 : "tarpit-pps", tcp . 1.2.3.4 . 42 : "http-bulk-rl-10m" }' +add_create_dupe 'addr4limit { udp . 1.2.3.4 . 42 : "tarpit-bps", tcp . 1.2.3.4 . 42 : "tarpit-pps" }' + +# delete keys again +delete 'addr4limit { udp . 1.2.3.4 . 42 : "tarpit-pps", tcp . 1.2.3.4 . 
42 :"tarpit-pps" }' + +delete 'saddr6limit { fee1::dead : "tarpit-pps" }' +delete 'saddr6limit { c01a::/64 : "tarpit-bps" }' + +exit 0 diff --git a/tests/shell/testcases/maps/nat_addr_port b/tests/shell/testcases/maps/nat_addr_port index 2804d48c..703a2ad9 100755 --- a/tests/shell/testcases/maps/nat_addr_port +++ b/tests/shell/testcases/maps/nat_addr_port @@ -84,6 +84,11 @@ $NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1 # should fail: rule has no test for l4 protocol, but map has inet_service $NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1 +if [ "$NFT_TEST_HAVE_inet_nat" = n ]; then + echo "Test partially skipped due to NFT_TEST_HAVE_inet_nat=n" + exit 77 +fi + # skeleton inet $NFT -f /dev/stdin <<EOF || exit 1 table inet inetfoo { diff --git a/tests/shell/testcases/maps/pipapo_double_flush b/tests/shell/testcases/maps/pipapo_double_flush new file mode 100755 index 00000000..35ad0966 --- /dev/null +++ b/tests/shell/testcases/maps/pipapo_double_flush @@ -0,0 +1,25 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +$NFT add table inet t +$NFT add chain inet t c +$NFT 'add map inet t m { type ipv4_addr . ipv4_addr : verdict; flags interval;}' + +for i in $(seq 1 10); do + $NFT "add element inet t m { 10.0.0.1 . 1.2.$i.1 - 1.2.$i.10 : jump c }" +done + +$NFT -f /dev/stdin <<EOF +add element inet t m { 10.1.1.1 . 1.1.1.4 : accept } +add element inet t m { 10.1.1.6 . 1.1.1.4 : drop } +add element inet t m { 10.1.1.7 . 1.1.1.4 : jump c } +flush map inet t m +add element inet t m { 10.1.1.1 . 1.1.1.4 : accept } +add element inet t m { 10.1.1.6 . 1.1.1.4 : drop } +add element inet t m { 10.1.1.7 . 1.1.1.4 : jump c } +flush map inet t m +flush map inet t m +EOF diff --git a/tests/shell/testcases/maps/typeof_integer_0 b/tests/shell/testcases/maps/typeof_integer_0 index d51510af..e93604e8 100755 --- a/tests/shell/testcases/maps/typeof_integer_0 +++ b/tests/shell/testcases/maps/typeof_integer_0 
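Review bot: `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` leaves `$0` unquoted, and each helper's `cmd="$@"` joins the positional parameters into a string via `"$@"` (ShellCheck SC2124); the intent is `cmd="$*"`. The dump path should read `dumpfile="$(dirname "$0")/dumps/$(basename "$0").nft"`. The commented-out `destroy element` line in `delete()` is left without a reason; a one-line comment saying why it is disabled (for example which kernel feature it waits on) would keep it from being mistaken for dead code.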
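Review bot: The new pipapo_double_flush script states nowhere what it checks; with `set -e` the whole test is "this transaction must be accepted", and a comment above the heredoc such as `# regression test: two 'flush map' on the same map in one transaction must be accepted` (presumably the point, given the file name) would document that. As a point of style, `for i in $(seq 1 10); do` can be the brace expansion `for i in {1..10}; do`.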
@@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + EXPECTED="table inet t { map m1 { typeof udp length . @ih,32,32 : verdict @@ -13,8 +15,8 @@ EXPECTED="table inet t { } chain c { - udp length . @ih,32,32 vmap @m1 - udp length . @ih,32,32 vmap @m2 + udp length . @nh,32,32 vmap @m1 + udp length . @nh,32,32 vmap @m2 udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } } }" diff --git a/tests/shell/testcases/maps/typeof_maps_0 b/tests/shell/testcases/maps/typeof_maps_0 index 5cf5ddde..8f629c5d 100755 --- a/tests/shell/testcases/maps/typeof_maps_0 +++ b/tests/shell/testcases/maps/typeof_maps_0 @@ -4,10 +4,25 @@ # without typeof, this is 'type string' and 'type integer', # but neither could be used because it lacks size information. -EXPECTED="table inet t { +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ipsec) + +set -e + +die() { + printf '%s\n' "$*" + exit 1 +} + +INPUT_OSF_CT=" + ct mark set osf name map @m1" +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + INPUT_OSF_CT= +fi + +INPUT="table inet t { map m1 { typeof osf name : ct mark - elements = { "Linux" : 0x00000001 } + elements = { Linux : 0x00000001 } } map m2 { @@ -32,8 +47,7 @@ EXPECTED="table inet t { elements = { 23 . eth0 : accept } } - chain c { - ct mark set osf name map @m1 + chain c {$INPUT_OSF_CT ether type vlan meta mark set vlan id map @m2 meta mark set ip saddr . ip daddr map @m3 iifname . ip protocol . th dport vmap @m4 
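Review bot: The new `die()` in typeof_maps_0 (hunk `@@ -4,10 +4,25 @@`) prints its message to stdout, so the failure text and the nft/diff output it is meant to explain end up on different streams; it should be `printf '%s\n' "$*" >&2`. The later `die $'nft command failed to process input:\n'">$INPUT<"` and the diff failure both route through this helper, so the one-line change fixes all callers.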
@@ -42,6 +56,49 @@ EXPECTED="table inet t { } }" -set -e -$NFT -f - <<< $EXPECTED +EXPECTED="table inet t { + map m1 { + typeof osf name : ct mark + elements = { \"Linux\" : 0x00000001 } + } + + map m2 { + typeof vlan id : meta mark + elements = { 1 : 0x00000001, + 4095 : 0x00004095 } + } + + map m3 { + typeof ip saddr . ip daddr : meta mark + elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001, + 2.3.4.5 . 6.7.8.9 : 0x00000002 } + } + + map m4 { + typeof iifname . ip protocol . th dport : verdict + elements = { \"eth0\" . tcp . 22 : accept } + } + + map m5 { + typeof ipsec in reqid . iifname : verdict + elements = { 23 . \"eth0\" : accept } + } + + chain c {$INPUT_OSF_CT + meta mark set vlan id map @m2 + meta mark set ip saddr . ip daddr map @m3 + iifname . ip protocol . th dport vmap @m4 + iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop } + ipsec in reqid . iifname vmap @m5 + } +}" + +$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<" + +$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<" + +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete new file mode 100755 index 00000000..2d718c5f --- /dev/null +++ b/tests/shell/testcases/maps/typeof_maps_add_delete 
@@ -0,0 +1,56 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_dynset_op_delete) + +CONDMATCH="ip saddr @dynmark" +NCONDMATCH="ip saddr != @dynmark" + +# use reduced feature set +if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then + CONDMATCH="" + NCONDMATCH="" +fi + +EXPECTED="table ip dynset { + map dynmark { + typeof ip daddr : meta mark + counter + size 64 + timeout 5m + } + + chain test_ping { + $CONDMATCH counter comment \"should not increment\" + $NCONDMATCH add @dynmark { ip saddr : 0x1 } counter + $CONDMATCH counter comment \"should increment\" + $CONDMATCH delete @dynmark { ip saddr : 0x1 } + $CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\" + } + + chain input { + type filter hook input priority 0; policy accept; + + add @dynmark { 10.2.3.4 timeout 2s : 0x2 } comment \"also check timeout-gc\" + meta l4proto icmp ip daddr 127.0.0.42 jump test_ping + } +}" + +set -e +$NFT -f - <<< $EXPECTED +$NFT list ruleset + +ip link set lo up +ping -c 1 127.0.0.42 + +$NFT get element ip dynset dynmark { 10.2.3.4 } + +# wait so that 10.2.3.4 times out. +sleep 3 + +set +e +$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1 + +if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then + echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped." + exit 77 +fi diff --git a/tests/shell/testcases/maps/typeof_raw_0 b/tests/shell/testcases/maps/typeof_raw_0 index e3da7825..bcd2c6d8 100755 --- a/tests/shell/testcases/maps/typeof_raw_0 +++ b/tests/shell/testcases/maps/typeof_raw_0 @@ -7,8 +7,8 @@ EXPECTED="table ip x { } chain y { - ip saddr . @ih,32,32 vmap @y - ip saddr . @ih,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop} + ip saddr . @nh,32,32 vmap @y + ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop} } }" diff --git a/tests/shell/testcases/maps/vmap_mark_bitwise_0 b/tests/shell/testcases/maps/vmap_mark_bitwise_0 new file mode 100755 index 00000000..2f305b27 --- /dev/null 
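Review bot: `$NFT -f - <<< $EXPECTED` passes the ruleset through an unquoted here-string, whereas typeof_maps_0 in this same commit quotes it (`<<< "$INPUT"`); the same unquoted form is used in vmap_mark_bitwise_0 and vmap_unary (`<<< $RULESET`). Quote it for consistency and for older bash versions: `$NFT -f - <<< "$EXPECTED"`. Separately, the element added with `timeout 2s` is checked after `sleep 3`, so the pass/fail depends on wall-clock scheduling; the in-ruleset comment already acknowledges memory-pressure flakiness, and a short comment above `sleep 3` saying the margin is deliberate would help the next person who sees it fail.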
+++ b/tests/shell/testcases/maps/vmap_mark_bitwise_0 @@ -0,0 +1,40 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift) + +set -e + +RULESET="table ip x { + chain sctm_o0_0 { + } + + chain sctm_o0_1 { + } + + map sctm_o0 { + type mark : verdict + elements = { + 0x0 : jump sctm_o0_0, + 0x1 : jump sctm_o0_1, + } + } + + counter c_o0_0 {} + + map sctm_o1 { + type mark : counter + elements = { + 0x0 : \"c_o0_0\", + } + } + + chain SET_ctmark_RPLYroute { + meta mark >> 8 & 0xf vmap @sctm_o0 + } + + chain SET_ctmark_RPLYroute { + counter name meta mark >> 8 & 0xf map @sctm_o1 + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/maps/vmap_timeout b/tests/shell/testcases/maps/vmap_timeout new file mode 100755 index 00000000..8ac7e8e7 --- /dev/null +++ b/tests/shell/testcases/maps/vmap_timeout 
@@ -0,0 +1,92 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +set -e + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft +$NFT -f $dumpfile + +port=23 +for i in $(seq 1 100) ; do + timeout=$((RANDOM % 5 + 1)) + expire=$((RANDOM%timeout)) + j=1 + + batched="{ $port timeout 3s : jump other_input " + ubatched="$batched" + + timeout_str="timeout ${timeout}s" + expire_str="" + if [ "$expire" -gt 0 ]; then + expire_str="expires ${expire}s" + fi + + batched_addr="{ 10.0.$((i%256)).$j . $port ${timeout_str} ${expire_str} : jump other_input " + ubatched_addr="$batched_addr" + + port=$((port + 1)) + for j in $(seq 2 400); do + timeout=$((RANDOM % 5 + 1)) + expire=$((RANDOM%timeout)) + utimeout=$((RANDOM % 5 + 1)) + + timeout_str="timeout ${timeout}s" + expire_str="" + if [ "$expire" -gt 0 ]; then + expire_str="expires ${expire}s" + fi + + batched="$batched, $port ${timeout_str} ${expire_str} : jump other_input " + batched_addr="$batched_addr, 10.0.$((i%256)).$((j%256)) . $port ${timeout_str} ${expire_str} : jump other_input " + port=$((port + 1)) + + timeout_str="timeout ${utimeout}s" + expire=$((RANDOM%utimeout)) + + expire_str="" + if [ "$expires" -gt 0 ]; then + expire_str="expires ${expire}s" + fi + + update=$((RANDOM%2)) + if [ "$update" -ne 0 ]; then + ubatched="$batched, $port ${timeout_str} ${expire_str} : jump other_input " + ubatched_addr="$batched_addr, 10.0.$((i%256)).$((j%256)) . $port ${timeout_str} ${expire_str} : jump other_input " + fi + done + + fail_addr="$batched_addr, 1.2.3.4 . 23 timeout 5m : jump other_input, + 1.2.3.4 . 23 timeout 3m : jump other_input }" + fail="$batched, 23 timeout 1m : jump other_input, 23 : jump other_input }" + + batched="$batched }" + batched_addr="$batched_addr }" + + if [ $i -gt 90 ]; then + # must fail, we create and $fail/$fail_addr contain one element twice. 
+ $NFT create element inet filter portmap "$fail" && exit 111 + $NFT create element inet filter portaddrmap "$fail_addr" && exit 112 + fi + + $NFT add element inet filter portmap "$batched" + $NFT add element inet filter portaddrmap "$batched_addr" + + update=$((RANDOM%2)) + if [ "$update" -ne 0 ]; then + ubatched="$ubatched }" + ubatched_addr="$ubatched_addr }" + $NFT add element inet filter portmap "$ubatched" + $NFT add element inet filter portaddrmap "$ubatched_addr" + fi +done + +if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_catchall_element=n." +else + $NFT add element inet filter portaddrmap { "* timeout 2s : drop" } + $NFT add element inet filter portmap { "* timeout 3s : drop" } +fi + +# wait for elements to time out +sleep 5 diff --git a/tests/shell/testcases/maps/vmap_unary b/tests/shell/testcases/maps/vmap_unary new file mode 100755 index 00000000..f4e1f012 --- /dev/null +++ b/tests/shell/testcases/maps/vmap_unary @@ -0,0 +1,19 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET="table ip filter { + map ipsec_in { + typeof ipsec in reqid . iif : verdict + flags interval + } + + chain INPUT { + type filter hook input priority 0; policy drop + ipsec in reqid . iif vmap @ipsec_in + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/netns/dumps/0001nft-f_0.json-nft b/tests/shell/testcases/netns/dumps/0001nft-f_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0001nft-f_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/netns/dumps/0001nft-f_0.nft b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft 
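Review bot: In the inner `for j` loop of vmap_timeout, `if [ "$expires" -gt 0 ]; then` reads `$expires`, which is never assigned; the value computed on the line above is `expire`. With `set -e` but no `set -u`, `[ "" -gt 0 ]` is a usage error that the `if` swallows, so `expire_str` is empty for every update batch (the `ubatched` entries are never tested with `expires`) and bash prints an "integer expression expected" error on each of the roughly 40,000 iterations. The fix is `if [ "$expire" -gt 0 ]; then`; adding `set -u` next to the existing `set -e` would have caught it. The earlier `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` and `$NFT -f $dumpfile` also leave `$0` and `$dumpfile` unquoted.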
diff --git a/tests/shell/testcases/netns/dumps/0002loosecommands_0.json-nft b/tests/shell/testcases/netns/dumps/0002loosecommands_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0002loosecommands_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft diff --git a/tests/shell/testcases/netns/dumps/0003many_0.json-nft b/tests/shell/testcases/netns/dumps/0003many_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0003many_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/netns/dumps/0003many_0.nft b/tests/shell/testcases/netns/dumps/0003many_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/netns/dumps/0003many_0.nft diff --git a/tests/shell/testcases/nft-f/0011manydefines_0 b/tests/shell/testcases/nft-f/0011manydefines_0 index 84664f46..aac06706 100755 --- a/tests/shell/testcases/nft-f/0011manydefines_0 +++ b/tests/shell/testcases/nft-f/0011manydefines_0 @@ -4,6 +4,15 @@ HOWMANY=20000 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=2000 +fi + + tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then echo "Failed to create tmp file" >&2 
@@ -35,3 +44,10 @@ table t { set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 20000 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 index 4f407793..cfb78950 100755 --- a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 +++ b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout) + EXPECTED='table ip filter { ct timeout cttime{ protocol tcp diff --git a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 index 4f9872f6..b288457c 100755 --- a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 +++ b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ctexpect) + EXPECTED='table ip filter { ct expectation ctexpect{ protocol tcp diff --git a/tests/shell/testcases/nft-f/0025empty_dynset_0 b/tests/shell/testcases/nft-f/0025empty_dynset_0 index b66c802f..fbdb5793 100755 --- a/tests/shell/testcases/nft-f/0025empty_dynset_0 +++ b/tests/shell/testcases/nft-f/0025empty_dynset_0 @@ -1,5 +1,7 @@ #!/bin/bash +set -e + RULESET="table ip foo { set inflows { type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service @@ -20,3 +22,9 @@ RULESET="table ip foo { }" $NFT -f - <<< "$RULESET" + +# inflows_ratelimit will be dumped without 'limit rate .. counter' on old kernels. +if [ "$NFT_TEST_HAVE_set_with_two_expressions" = n ]; then + echo "Partial test due to NFT_TEST_HAVE_set_with_two_expressions=n." + exit 77 +fi diff --git a/tests/shell/testcases/nft-f/0032pknock_0 b/tests/shell/testcases/nft-f/0032pknock_0 new file mode 100755 index 00000000..94fc8407 --- /dev/null 
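Review bot: The skip check `if [ "$HOWMANY" != 20000 ] ; then` re-derives the reduced-run condition from a literal that must stay in sync with `HOWMANY=20000` earlier in the file, and the message it prints names the socket-limit variable anyway. Testing the flag directly, `if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then`, matches the condition in hunk `@@ -4,6 +4,15 @@` and keeps the literal in one place.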
+++ b/tests/shell/testcases/nft-f/0032pknock_0 @@ -0,0 +1,34 @@ +#!/bin/bash + +set -e + +RULESET="define guarded_ports = {ssh} + +table inet portknock { + set clients_ipv4 { + type ipv4_addr + flags timeout + } + + set candidates_ipv4 { + type ipv4_addr . inet_service + flags timeout + } + + chain input { + type filter hook input priority -10; policy accept; + + tcp dport 10001 add @candidates_ipv4 {ip saddr . 10002 timeout 1s} + tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10003 timeout 1s} + tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10004 timeout 1s} + tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10005 timeout 1s} + tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 600s} log prefix \"Successful portknock: \" + + tcp dport \$guarded_ports ip saddr @clients_ipv4 counter accept + tcp dport \$guarded_ports ct state established,related counter accept + + tcp dport \$guarded_ports reject with tcp reset + } +}" + +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/dumps/0001define_slash_0.json-nft b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft new file mode 100644 index 00000000..99b0b28d --- /dev/null 
+++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft @@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "other", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "t", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22222, + 33333 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@t" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "jump": { + "target": "other" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft new file mode 100644 index 00000000..99b0b28d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft 
@@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "other", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "t", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22222, + 33333 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@t" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "jump": { + "target": "other" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft new file mode 100644 index 00000000..99b0b28d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft 
@@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "other", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "t", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22222, + 33333 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@t" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "jump": { + "target": "other" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft new file mode 100644 index 00000000..99b0b28d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft 
@@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "other", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "t", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22222, + 33333 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@t" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "jump": { + "target": "other" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0006action_object_0.json-nft b/tests/shell/testcases/nft-f/dumps/0006action_object_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0006action_object_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} 
diff --git a/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft diff --git a/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.json-nft b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.json-nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.json-nft new file mode 100644 index 00000000..05ebed5a --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.json-nft 
@@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 1, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "ssh", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.json-nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.json-nft new file mode 100644 index 00000000..41236dbe --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.json-nft @@ -0,0 +1,44 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "forward", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "concat-set-variable", + "table": "forward", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "10.10.10.10", + 25 + ] + }, + { + "concat": [ + "10.10.10.10", + 143 + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0010variable_0.json-nft b/tests/shell/testcases/nft-f/dumps/0010variable_0.json-nft new file mode 100644 index 00000000..4b4ec4fb --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0010variable_0.json-nft 
@@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "whitelist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft new file mode 100644 index 00000000..1b2e3420 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.json-nft 
@@ -0,0 +1,778 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "whatever" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "whatever" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "lo" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "whatever" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": { + "set": [ + "lo" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": 123 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related", + "new" + ] + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "|": [ + "established", + "related", + "new" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": 
{ + "protocol": "ip", + "field": "saddr" + } + }, + "right": "10.0.0.0" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "10.0.0.2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "10.0.0.0" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "fe0::1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "fe0::2" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "10.0.0.0", + { + "drop": null + } + ], + [ + "10.0.0.2", + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "fe0::1", + { + "drop": null + } + ], + [ + "fe0::2", + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "fe0::2", + "tcp" + ] + }, + { + "concat": [ + "fe0::1", + "udp" + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": 
{ + "protocol": "ip", + "field": "daddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "10.0.0.0", + "lo" + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 100, + 222 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + { + "range": [ + 100, + 222 + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": 0, + "flags": "bypass" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": { + "range": [ + 1, + 42 + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + 
"match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": { + "range": [ + 1, + 42 + ] + }, + "flags": [ + "bypass", + "fanout" + ] + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": { + "symhash": { + "mod": 2 + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 1 + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "foobar" + } + }, + { + "queue": { + "num": { + "jhash": { + "mod": 4, + "expr": { + "concat": [ + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "sport" + } + } + ] + } + } + }, + "flags": "bypass" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0013defines_1.json-nft b/tests/shell/testcases/nft-f/dumps/0013defines_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null 
+++ b/tests/shell/testcases/nft-f/dumps/0013defines_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0013defines_1.nft b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0014defines_1.json-nft b/tests/shell/testcases/nft-f/dumps/0014defines_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0014defines_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0014defines_1.nft b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0015defines_1.json-nft b/tests/shell/testcases/nft-f/dumps/0015defines_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0015defines_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0015defines_1.nft b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0016redefines_1.json-nft b/tests/shell/testcases/nft-f/dumps/0016redefines_1.json-nft new file mode 100644 index 00000000..40cdb000 --- /dev/null 
+++ b/tests/shell/testcases/nft-f/dumps/0016redefines_1.json-nft @@ -0,0 +1,80 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + "1.1.1.1", + "2.2.2.2" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + "3.3.3.3", + "4.4.4.4" + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft new file mode 100644 index 00000000..65b7f491 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft @@ -0,0 +1,6 @@ +table ip x { + chain y { + ip saddr { 1.1.1.1, 2.2.2.2 } + ip saddr { 3.3.3.3, 4.4.4.4 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft new file mode 100644 index 00000000..b56240ea --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft 
@@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "c", + "handle": 0 + } + }, + { + "ct timeout": { + "family": "ip", + "name": "cttime", + "table": "filter", + "handle": 0, + "protocol": "tcp", + "l3proto": "ip", + "policy": { + "established": 123, + "close": 12 + } + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "c", + "handle": 0, + "expr": [ + { + "ct timeout": "cttime" + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft index 7cff1ed5..c5d9649e 100644 --- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft +++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft @@ -2,7 +2,7 @@ table ip filter { ct timeout cttime { protocol tcp l3proto ip - policy = { established : 123, close : 12 } + policy = { established : 2m3s, close : 12s } } chain c { diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft new file mode 100644 index 00000000..21c97970 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft 
@@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "c", + "handle": 0 + } + }, + { + "ct expectation": { + "family": "ip", + "name": "ctexpect", + "table": "filter", + "handle": 0, + "protocol": "tcp", + "dport": 9876, + "timeout": 60000, + "size": 12, + "l3proto": "ip" + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "c", + "handle": 0, + "expr": [ + { + "ct expectation": "ctexpect" + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft new file mode 100644 index 00000000..396185eb --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft @@ -0,0 +1,13 @@ +table ip filter { + ct expectation ctexpect { + protocol tcp + dport 9876 + timeout 1m + size 12 + l3proto ip + } + + chain c { + ct expectation set "ctexpect" + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.json-nft b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.json-nft new file mode 100644 index 00000000..f62b48a3 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "ber", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "jump": { + "target": "ber" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.json-nft b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.json-nft b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft diff --git a/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.json-nft b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.json-nft new file mode 100644 index 00000000..f41b1b04 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.json-nft 
@@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -50, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft new file mode 100644 index 00000000..09a4c1e3 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft @@ -0,0 +1,115 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@y" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 30 + } + }, + "set": "@y" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/nft-f/dumps/0023check_1.json-nft b/tests/shell/testcases/nft-f/dumps/0023check_1.json-nft new file mode 100644 index 00000000..ddb2a057 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0023check_1.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "bar", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0023check_1.nft b/tests/shell/testcases/nft-f/dumps/0023check_1.nft new file mode 100644 index 00000000..04b9e70f --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0023check_1.nft @@ -0,0 +1,5 @@ +table ip foo { + chain bar { + type filter hook prerouting priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0024priority_0.json-nft b/tests/shell/testcases/nft-f/dumps/0024priority_0.json-nft new file mode 100644 index 00000000..cdc4b9d9 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0024priority_0.json-nft 
@@ -0,0 +1,95 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "statelessnat", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "statelessnat", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "statelessnat", + "name": "postrouting", + "handle": 0, + "type": "filter", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "statelessnat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "value": { + "map": { + "key": { + "numgen": { + "mode": "inc", + "mod": 16, + "offset": 0 + } + }, + "data": { + "set": [ + [ + { + "range": [ + 0, + 7 + ] + }, + "10.0.1.1" + ], + [ + { + "range": [ + 8, + 15 + ] + }, + "10.0.1.2" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.json-nft b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.json-nft new file mode 100644 index 00000000..63d67641 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.json-nft 
@@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "inflows", + "table": "foo", + "type": [ + "ipv4_addr", + "inet_service", + "ifname", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": "dynamic", + "elem": [ + { + "elem": { + "val": { + "concat": [ + "10.1.0.3", + 39466, + "veth1", + "10.3.0.99", + 5201 + ] + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "inflows6", + "table": "foo", + "type": [ + "ipv6_addr", + "inet_service", + "ifname", + "ipv6_addr", + "inet_service" + ], + "handle": 0, + "flags": "dynamic" + } + }, + { + "set": { + "family": "ip", + "name": "inflows_ratelimit", + "table": "foo", + "type": [ + "ipv4_addr", + "inet_service", + "ifname", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": "dynamic", + "elem": [ + { + "elem": { + "val": { + "concat": [ + "10.1.0.3", + 39466, + "veth1", + "10.3.0.99", + 5201 + ] + }, + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft index 2bb35592..33b9e4ff 100644 --- a/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft +++ b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft @@ -13,6 +13,6 @@ table ip foo { set inflows_ratelimit { type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service flags dynamic - elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 limit rate 1/second counter packets 0 bytes 0 } + elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 limit rate 1/second burst 5 packets counter packets 0 bytes 0 } } } 
diff --git a/tests/shell/testcases/nft-f/dumps/0026listing_0.json-nft b/tests/shell/testcases/nft-f/dumps/0026listing_0.json-nft new file mode 100644 index 00000000..8acdcdf4 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0026listing_0.json-nft @@ -0,0 +1,56 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "A", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "A", + "name": "B", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "A", + "chain": "B", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 1, + 2 + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0026listing_0.nft b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft new file mode 100644 index 00000000..fd0bb686 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft @@ -0,0 +1,5 @@ +table ip A { + chain B { + tcp dport { 1, 2 } accept + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0027split_chains_0.json-nft b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.json-nft new file mode 100644 index 00000000..bda8bfc9 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.json-nft 
@@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "jump": { + "target": "x" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.json-nft b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.json-nft new file mode 100644 index 00000000..69d826df --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.json-nft @@ -0,0 +1,34 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "whitelist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "2.2.2.2", + "3.3.3.3", + "4.4.4.4", + "5.5.5.5" + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft new file mode 100644 index 00000000..ab680af8 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft 
@@ -0,0 +1,61 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "inet", + "name": "whitelist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@whitelist_v4" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft new file mode 100644 index 00000000..32d5c0e9 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft @@ -0,0 +1,10 @@ +table inet filter { + set whitelist_v4 { + type ipv4_addr + } + + chain prerouting { + type filter hook prerouting priority filter; policy accept; + ip daddr @whitelist_v4 + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.json-nft b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.json-nft new file mode 100644 index 00000000..e0704b7d --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.json-nft 
@@ -0,0 +1,44 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "2.2.2.2" + ] + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1", + "3.3.3.3" + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.json-nft b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft new file mode 100644 index 00000000..4c7d2bbe --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft 
@@ -0,0 +1,484 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "portknock", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "portknock", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, + { + "set": { + "family": "inet", + "name": "clients_ipv4", + "table": "portknock", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "inet", + "name": "candidates_ipv4", + "table": "portknock", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10001 + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 10002 + ] + }, + "timeout": 1 + } + }, + "set": "@candidates_ipv4" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10002 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": "@candidates_ipv4" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 10003 + ] + }, + "timeout": 1 + } + }, + "set": "@candidates_ipv4" + } + 
} + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10003 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": "@candidates_ipv4" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 10004 + ] + }, + "timeout": 1 + } + }, + "set": "@candidates_ipv4" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10004 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": "@candidates_ipv4" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 10005 + ] + }, + "timeout": 1 + } + }, + "set": "@candidates_ipv4" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 10005 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": "@candidates_ipv4" + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + 
"payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 600 + } + }, + "set": "@clients_ipv4" + } + }, + { + "log": { + "prefix": "Successful portknock: " + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@clients_ipv4" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "portknock", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft new file mode 100644 index 00000000..f29dfb28 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft 
@@ -0,0 +1,25 @@
+table inet portknock {
+ set clients_ipv4 {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ }
+
+ set candidates_ipv4 {
+ type ipv4_addr . inet_service
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain input {
+ type filter hook input priority filter - 10; policy accept;
+ tcp dport 10001 add @candidates_ipv4 { ip saddr . 10002 timeout 1s }
+ tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10003 timeout 1s }
+ tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10004 timeout 1s }
+ tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10005 timeout 1s }
+ tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 10m } log prefix "Successful portknock: "
+ tcp dport 22 ip saddr @clients_ipv4 counter packets 0 bytes 0 accept
+ tcp dport 22 ct state established,related counter packets 0 bytes 0 accept
+ tcp dport 22 reject with tcp reset
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
new file mode 100644
index 00000000..4bc24aa3
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
@@ -0,0 +1,75 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "test",
+ "name": "prerouting",
+ "handle": 0,
+ "type": "filter",
+ "hook": "prerouting",
+ "prio": -150,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "protos",
+ "table": "test",
+ "type": {
+ "typeof": {
+ "meta": {
+ "key": "l4proto"
+ }
+ }
+ },
+ "handle": 0,
+ "elem": [
+ "tcp",
+ "udp"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "test",
+ "chain": "prerouting",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "@protos"
+ }
+ },
+ {
+ "tproxy": {
+ "port": 1088
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
new file mode 100644
index 00000000..2bc0c2ad
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
@@ -0,0 +1,11 @@
+table inet test {
+ set protos {
+ typeof meta l4proto
+ elements = { tcp, udp }
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority mangle; policy accept;
+ meta l4proto @protos tproxy to :1088
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/nfqueue.nft b/tests/shell/testcases/nft-f/dumps/nfqueue.nft
new file mode 100644
index 00000000..7fe3ca66
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/nfqueue.nft
@@ -0,0 +1,11 @@
+table inet t {
+ map get_queue_id {
+ typeof ip saddr . ip daddr . tcp dport : queue
+ elements = { 127.0.0.1 . 127.0.0.1 . 22 : 1,
+ 127.0.0.1 . 127.0.0.2 . 22 : 2 }
+ }
+
+ chain test {
+ queue flags bypass to ip saddr . ip daddr . tcp dport map @get_queue_id
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
new file mode 100644
index 00000000..1a9f4e7a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
@@ -0,0 +1,239 @@ +table inet filter { + map if_input { + type ifname : verdict + elements = { "eth0" : jump public_input, + "eth1" : jump home_input, + "eth2.10" : jump home_input, + "eth2.20" : jump home_input } + } + + map if_forward { + type ifname : verdict + elements = { "eth0" : jump public_forward, + "eth1" : jump trusted_forward, + "eth2.10" : jump voip_forward, + "eth2.20" : jump guest_forward } + } + + map if_output { + type ifname : verdict + elements = { "eth0" : jump public_output, + "eth1" : jump home_output, + "eth2.10" : jump home_output, + "eth2.20" : jump home_output } + } + + set ipv4_blacklist { + type ipv4_addr + flags interval + auto-merge + } + + set ipv6_blacklist { + type ipv6_addr + flags interval + auto-merge + } + + set limit_src_ip { + type ipv4_addr + size 1024 + flags dynamic,timeout + } + + set limit_src_ip6 { + type ipv6_addr + size 1024 + flags dynamic,timeout + } + + chain PREROUTING_RAW { + type filter hook prerouting priority raw; policy accept; + meta l4proto != { icmp, tcp, udp, ipv6-icmp } counter packets 0 bytes 0 drop + tcp flags syn jump { + tcp option maxseg size 1-500 counter packets 0 bytes 0 drop + tcp sport 0 counter packets 0 bytes 0 drop + } + rt type 0 counter packets 0 bytes 0 drop + } + + chain PREROUTING_MANGLE { + type filter hook prerouting priority mangle; policy accept; + ct state vmap { invalid : jump ct_invalid_pre, related : jump rpfilter, new : jump ct_new_pre, untracked : jump ct_untracked_pre } + } + + chain ct_invalid_pre { + counter packets 0 bytes 0 drop + } + + chain ct_untracked_pre { + icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return + counter packets 0 bytes 0 drop + } + + chain ct_new_pre { + jump rpfilter + tcp flags & (fin | syn | rst | ack) != syn counter packets 0 bytes 0 drop + iifname "eth0" meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 } + } + + chain 
rpfilter { + ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 return + ip6 saddr :: ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return + fib saddr . iif oif 0 counter packets 0 bytes 0 drop + } + + chain blacklist_input_ipv4 { + ip saddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } counter packets 0 bytes 0 drop + ip saddr @ipv4_blacklist counter packets 0 bytes 0 drop + } + + chain blacklist_input_ipv6 { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return + udp sport 547 ip6 saddr fe80::/64 return + ip6 saddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } counter packets 0 bytes 0 drop + ip6 saddr @ipv6_blacklist counter packets 0 bytes 0 drop + } + + chain INPUT { + type filter hook input priority filter; policy drop; + iif "lo" accept + ct state established,related accept + iifname vmap @if_input + log prefix "NFT REJECT IN " flags ip options flags ether limit rate 5/second burst 10 packets reject + } + + chain public_input { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept + udp sport 547 udp dport 546 ip6 saddr fe80::/64 accept + fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop + counter packets 0 bytes 0 drop + } + + chain home_input { + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + udp sport 68 udp dport 67 accept + udp sport 546 udp dport 547 iifname { "eth1", "eth2.10", "eth2.20" 
} accept + fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop + icmp type echo-request accept + icmpv6 type echo-request accept + tcp dport 22 iifname "eth1" accept + meta l4proto { tcp, udp } th dport 53 jump { + ip6 saddr != { fd00::/8, fe80::/64 } counter packets 0 bytes 0 reject with icmpv6 port-unreachable + accept + } + udp dport 123 accept + tcp dport 8443 accept + } + + chain FORWARD_MANGLE { + type filter hook forward priority mangle; policy accept; + oifname "eth0" jump { + ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 } + tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu + } + } + + chain blacklist_output_ipv4 { + ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } goto log_blacklist + ip daddr @ipv4_blacklist goto log_blacklist + } + + chain blacklist_output_ipv6 { + icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . 
ff02::16 } return + udp dport 547 ip6 daddr ff02::1:2 return + ip6 daddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } goto log_blacklist + ip6 daddr @ipv6_blacklist goto log_blacklist + } + + chain log_blacklist { + log prefix "NFT BLACKLIST " flags ip options flags ether limit rate 5/minute burst 10 packets drop + counter packets 0 bytes 0 drop + } + + chain FORWARD { + type filter hook forward priority filter; policy drop; + ct state established,related accept + fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop + iifname vmap @if_forward + log prefix "NFT REJECT FWD " flags ip options flags ether limit rate 5/second burst 10 packets reject + } + + chain public_forward { + udp dport { 5060, 7078-7097 } oifname "eth2.10" jump { + ip6 saddr { 2001:db8::1-2001:db8::2 } accept + meta nfproto ipv6 log prefix "NFT DROP SIP " flags ip options flags ether limit rate 5/second burst 10 packets drop + } + counter packets 0 bytes 0 drop + } + + chain trusted_forward { + oifname "eth0" accept + icmp type echo-request accept + icmpv6 type echo-request accept + ip daddr { 192.168.3.30, 192.168.4.40 } tcp dport vmap { 22 : accept, 80 : drop, 443 : accept } + ip daddr 192.168.2.20 jump { + tcp dport { 80, 443, 515, 631, 9100 } accept + udp dport 161 accept + } + } + + chain voip_forward { + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname "eth0" accept + ip6 daddr { 2001:db8::1-2001:db8::2 } jump { + udp dport { 3478, 5060 } accept + udp sport 7078-7097 accept + tcp dport 5061 accept + } + tcp dport 587 ip daddr 10.0.0.1 accept + tcp dport 80 oifname "eth0" counter packets 0 bytes 0 reject + } + + chain guest_forward { + oifname "eth0" accept + } + + chain OUTPUT { + type filter hook output priority filter; policy drop; + oif "lo" accept + ct state vmap { invalid : 
jump ct_invalid_out, established : accept, related : accept, untracked : jump ct_untracked_out } + oifname vmap @if_output + log prefix "NFT REJECT OUT " flags ip options flags ether limit rate 5/second burst 10 packets reject + } + + chain ct_invalid_out { + counter packets 0 bytes 0 drop + } + + chain ct_untracked_out { + icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return + counter packets 0 bytes 0 drop + } + + chain public_output { + ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 } + icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + udp dport 547 ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept + udp dport { 53, 123 } accept + tcp dport { 443, 587, 853 } accept + } + + chain home_output { + icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept + icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept + udp sport 547 udp dport 546 ip6 saddr fe80::/64 oifname { "eth1", "eth2.10", "eth2.20" } accept + udp sport 67 udp dport 68 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept + tcp dport 22 ip daddr 192.168.1.10 accept + } + + chain POSTROUTING_SRCNAT { + type nat hook postrouting priority srcnat; policy accept; + ip saddr { 192.168.1.0-192.168.4.255 } oifname "eth0" 
masquerade
+ }
+}
diff --git a/tests/shell/testcases/nft-f/named_set_as_protocol_dep b/tests/shell/testcases/nft-f/named_set_as_protocol_dep
new file mode 100755
index 00000000..5c516e42
--- /dev/null
+++ b/tests/shell/testcases/nft-f/named_set_as_protocol_dep
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile" || exit 1
diff --git a/tests/shell/testcases/nft-f/nfqueue b/tests/shell/testcases/nft-f/nfqueue
new file mode 100755
index 00000000..07820b7c
--- /dev/null
+++ b/tests/shell/testcases/nft-f/nfqueue
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/nft-f/sample-ruleset b/tests/shell/testcases/nft-f/sample-ruleset
new file mode 100755
index 00000000..763e41a1
--- /dev/null
+++ b/tests/shell/testcases/nft-f/sample-ruleset
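Review bot: `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` in named_set_as_protocol_dep leaves `$0` unquoted inside both command substitutions, so a checkout whose path contains whitespace or glob characters produces a wrong `dumpfile` and the test fails for an unrelated reason; the nfqueue test on the same line carries the identical assignment. Quote the expansions in both: `dumpfile=$(dirname "$0")/dumps/$(basename "$0").nft`. The two scripts also fail differently, `|| exit 1` in one and `set -e` in the other; either propagates nft's status, but a single convention for the directory would read more consistently.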
@@ -0,0 +1,262 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+
+$NFT -f /dev/stdin <<"EOF"
+define public_if = eth0
+define trusted_if = eth1
+define voip_if = eth2.10
+define guest_if = eth2.20
+define home_if = { $trusted_if, $voip_if, $guest_if }
+define home_ipv6_if = { $trusted_if, $voip_if, $guest_if }
+
+define masq_ip = { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 }
+define masq_if = $public_if
+
+define host1_ip = 192.168.1.10
+define host2_ip = 192.168.2.20
+define host3_ip = 192.168.3.30
+define host4_ip = 192.168.4.40
+
+define proxy_port = 8443
+
+define private_ip = { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
+define private_ip6 = { fe80::/64, fd00::/8 }
+define bogons_ip = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 }
+define bogons_ip6 = { ::/3, 2001:0002::/48, 2001:0003::/32, 2001:10::/28, 2001:20::/28, 2001::/32, 2001:db8::/32, 2002::/16, 3000::/4, 4000::/2, 8000::/1 }
+
+define sip_whitelist_ip6 = { 2001:db8::1/128, 2001:db8::2/128 }
+define smtps_whitelist_ip = 10.0.0.1
+define protocol_whitelist = { tcp, udp, icmp, ipv6-icmp }
+
+table inet filter {
+ map if_input {
+ type ifname : verdict;
+ elements = { $public_if : jump public_input, $trusted_if : jump home_input, $voip_if : jump home_input, $guest_if : jump home_input }
+ }
+ map if_forward {
+ type ifname : verdict;
+ elements = { $public_if : jump public_forward, $trusted_if : jump trusted_forward, $voip_if : jump voip_forward, $guest_if : jump guest_forward }
+ }
+ map if_output {
+ type ifname : verdict;
+ elements = { $public_if : jump public_output, $trusted_if : jump home_output, $voip_if : jump home_output, $guest_if : jump home_output }
+ }
+
+ set ipv4_blacklist { type ipv4_addr; flags interval; auto-merge; }
+ set ipv6_blacklist { type ipv6_addr; flags interval; auto-merge; }
+ set limit_src_ip { type ipv4_addr; flags dynamic, timeout; size 1024; }
+ set limit_src_ip6 { type ipv6_addr; flags dynamic, timeout; size 1024; }
+
+ chain PREROUTING_RAW {
+ type filter hook prerouting priority raw;
+
+ meta l4proto != $protocol_whitelist counter drop
+ tcp flags syn jump {
+ tcp option maxseg size 1-500 counter drop
+ tcp sport 0 counter drop
+ }
+ rt type 0 counter drop
+ }
+
+ chain PREROUTING_MANGLE {
+ type filter hook prerouting priority mangle;
+
+ ct state vmap { invalid : jump ct_invalid_pre, untracked : jump ct_untracked_pre, new : jump ct_new_pre, related : jump rpfilter }
+ }
+ chain ct_invalid_pre {
+ counter drop
+ }
+ chain ct_untracked_pre {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return
+ counter drop
+ }
+ chain ct_new_pre {
+ jump rpfilter
+
+ tcp flags & (fin|syn|rst|ack) != syn counter drop
+
+ iifname $public_if meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 }
+ }
+ chain rpfilter {
+ ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport bootpc udp dport bootps return
+ ip6 saddr ::/128 ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return
+
+ fib saddr . iif oif eq 0 counter drop
+ }
+ chain blacklist_input_ipv4{
+ ip saddr $bogons_ip counter drop
+ ip saddr @ipv4_blacklist counter drop
+ }
+ chain blacklist_input_ipv6{
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return
+ udp sport dhcpv6-server ip6 saddr fe80::/64 return
+
+ ip6 saddr $bogons_ip6 counter drop
+ ip6 saddr @ipv6_blacklist counter drop
+ }
+
+ chain INPUT {
+ type filter hook input priority filter; policy drop;
+
+ iif lo accept
+
+ ct state established,related accept
+
+ iifname vmap @if_input
+
+ log prefix "NFT REJECT IN " flags ether flags ip options limit rate 5/second burst 10 packets reject
+ }
+ chain public_input {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept
+
+ udp sport dhcpv6-server udp dport dhcpv6-client ip6 saddr fe80::/64 accept
+ fib daddr type { broadcast, multicast, anycast } counter drop
+
+ counter drop
+ }
+ chain home_input {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+ udp sport bootpc udp dport bootps accept
+ udp sport dhcpv6-client udp dport dhcpv6-server iifname $home_ipv6_if accept
+
+ fib daddr type { broadcast, multicast, anycast } counter drop
+
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+
+ tcp dport ssh iifname $trusted_if accept
+
+ meta l4proto { tcp, udp } th dport domain jump {
+ ip6 saddr != $private_ip6 counter reject
+ accept
+ }
+
+ udp dport ntp accept
+
+ tcp dport $proxy_port accept
+ }
+
+ chain FORWARD_MANGLE {
+ type filter hook forward priority mangle;
+
+ oifname $public_if jump {
+ ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+ tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu
+ }
+ }
+ chain blacklist_output_ipv4 {
+ ip daddr $bogons_ip goto log_blacklist
+ ip daddr @ipv4_blacklist goto log_blacklist
+ }
+ chain blacklist_output_ipv6 {
+ icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2/128, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1/128, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . ff02::16/128 } return
+ udp dport dhcpv6-server ip6 daddr ff02::1:2 return
+
+ ip6 daddr $bogons_ip6 goto log_blacklist
+ ip6 daddr @ipv6_blacklist goto log_blacklist
+ }
+ chain log_blacklist {
+ log prefix "NFT BLACKLIST " flags ether flags ip options limit rate 5/minute burst 10 packets drop
+ counter drop
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy drop;
+
+ ct state established,related accept
+
+ fib daddr type { broadcast, multicast, anycast } counter drop
+
+ iifname vmap @if_forward
+
+ log prefix "NFT REJECT FWD " flags ether flags ip options limit rate 5/second burst 10 packets reject
+ }
+ chain public_forward {
+ udp dport { 5060, 7078-7097 } oifname $voip_if jump {
+ ip6 saddr $sip_whitelist_ip6 accept
+ meta nfproto ipv6 log prefix "NFT DROP SIP " flags ether flags ip options limit rate 5/second burst 10 packets drop
+ }
+
+ counter drop
+ }
+ chain trusted_forward {
+ oifname $public_if accept
+
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+
+ ip daddr { $host3_ip, $host4_ip } tcp dport vmap { ssh : accept, https : accept, http : drop }
+
+ ip daddr $host2_ip jump {
+ tcp dport { http, https, printer, ipp, 9100 } accept
+ udp dport snmp accept
+ }
+ }
+ chain voip_forward {
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname $public_if accept
+
+ ip6 daddr $sip_whitelist_ip6 jump {
+ udp dport { 3478, 5060 } accept
+ udp sport { 7078-7097 } accept
+ tcp dport 5061 accept
+ }
+
+ tcp dport 587 ip daddr $smtps_whitelist_ip accept
+ tcp dport http oifname $public_if counter reject
+ }
+ chain guest_forward {
+ oifname $public_if accept
+ }
+
+ chain OUTPUT {
+ type filter hook output priority filter; policy drop;
+
+ oif lo accept
+
+ ct state vmap { established : accept, related : accept, invalid : jump ct_invalid_out, untracked : jump ct_untracked_out }
+
+ oifname vmap @if_output
+
+ log prefix "NFT REJECT OUT " flags ether flags ip options limit rate 5/second burst 10 packets reject
+ }
+ chain ct_invalid_out {
+ counter drop
+ }
+ chain ct_untracked_out {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return
+ counter drop
+ }
+ chain public_output {
+ ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+
+ icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+ udp dport dhcpv6-server ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept
+
+ udp dport { domain, ntp } accept
+ tcp dport { https, 587, domain-s } accept
+ }
+ chain home_output {
+ icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+ udp sport dhcpv6-server udp dport dhcpv6-client ip6 saddr fe80::/64 oifname $home_ipv6_if accept
+ udp sport bootps udp dport bootpc ip saddr $private_ip accept
+ tcp dport ssh ip daddr $host1_ip accept
+ }
+
+ chain POSTROUTING_SRCNAT {
+ type nat hook postrouting priority srcnat;
+
+ meta nfproto ipv4 ip saddr $masq_ip oifname $masq_if masquerade
+ }
+}
+EOF
diff --git a/tests/shell/testcases/nft-i/dumps/0001define_0.json-nft b/tests/shell/testcases/nft-i/dumps/0001define_0.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/nft-i/dumps/0001define_0.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/nft-i/dumps/0001define_0.nft b/tests/shell/testcases/nft-i/dumps/0001define_0.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/nft-i/dumps/0001define_0.nft
diff --git a/tests/shell/testcases/nft-i/dumps/index_0.nft b/tests/shell/testcases/nft-i/dumps/index_0.nft
new file mode 100644
index 00000000..abcd1b7c
--- /dev/null
+++ b/tests/shell/testcases/nft-i/dumps/index_0.nft
@@ -0,0 +1,8 @@
+table inet foo {
+ chain bar {
+ type filter hook input priority filter; policy accept;
+ accept
+ accept
+ accept
+ }
+}
diff --git a/tests/shell/testcases/nft-i/dumps/set_0.nft b/tests/shell/testcases/nft-i/dumps/set_0.nft
new file mode 100644
index 00000000..d3377d63
--- /dev/null
+++ b/tests/shell/testcases/nft-i/dumps/set_0.nft
@@ -0,0 +1,7 @@
+table inet foo {
+ set bar {
+ type ipv4_addr
+ flags interval
+ elements = { 10.1.1.1, 10.1.1.2 }
+ }
+}
diff --git a/tests/shell/testcases/nft-i/index_0 b/tests/shell/testcases/nft-i/index_0
new file mode 100755
index 00000000..f885fdeb
--- /dev/null
+++ b/tests/shell/testcases/nft-i/index_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table inet foo
+add chain inet foo bar { type filter hook input priority filter; }
+add rule inet foo bar accept
+insert rule inet foo bar index 0 accept
+add rule inet foo bar index 0 accept"
+
+$NFT -i <<< "$RULESET"
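Review bot: `$NFT -f /dev/stdin <<"EOF"` in the sample-ruleset test feeds the heredoc through a device path, while the bitmask test in this series uses nft's own stdin spelling, `-f -`; `$NFT -f - <<"EOF"` would avoid relying on /dev/stdin being available wherever the suite runs and keep the two tests consistent. The quoted `EOF` delimiter is what stops bash from expanding the `$public_if`-style nft defines in the body, and nothing says so; a one-line comment above the heredoc, `# quoted delimiter: the $names below are nft defines, not shell variables`, would keep a later cleanup from unquoting it.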
diff --git a/tests/shell/testcases/nft-i/set_0 b/tests/shell/testcases/nft-i/set_0
new file mode 100755
index 00000000..e87eef1d
--- /dev/null
+++ b/tests/shell/testcases/nft-i/set_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table inet foo
+add set inet foo bar { type ipv4_addr; flags interval; }; add element inet foo bar { 10.1.1.1/32 }
+add element inet foo bar { 10.1.1.2/32 }"
+
+$NFT -i <<< "$RULESET"
diff --git a/tests/shell/testcases/optimizations/bitmask b/tests/shell/testcases/optimizations/bitmask
new file mode 100755
index 00000000..064d9560
--- /dev/null
+++ b/tests/shell/testcases/optimizations/bitmask
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+RULESET='table inet t {
+ chain ack_chain {}
+ chain urg_chain {}
+
+ chain c {
+ tcp flags & (syn | rst | ack | urg) == ack | urg
+ tcp flags & (fin | syn | rst | ack | urg) == fin | ack | urg
+ tcp flags & (fin | syn | rst | ack | urg) == fin | ack
+ tcp flags & (fin | syn | rst | ack | urg) == fin
+ tcp flags & (fin | syn | rst | ack | urg) == syn | ack
+ tcp flags & (fin | syn | rst | ack | urg) == syn
+ tcp flags & (fin | syn | rst | ack | urg) == rst | ack
+ tcp flags & (fin | syn | rst | ack | urg) == rst
+ tcp flags & (fin | syn | rst | ack | urg) == ack | urg
+ tcp flags & (fin | syn | rst | ack | urg) == ack
+ tcp flags & (rst | ack | urg) == rst | ack
+ tcp flags & (ack | urg) == ack jump ack_chain
+ tcp flags & (ack | urg) == urg jump urg_chain
+ }
+}'
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/dumps/bitmask.nft b/tests/shell/testcases/optimizations/dumps/bitmask.nft
new file mode 100644
index 00000000..758b32a3
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/bitmask.nft
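Review bot: `$NFT -o -f - <<< $RULESET` in the bitmask test leaves the here-string operand unquoted, unlike `$NFT -i <<< "$RULESET"` in the set_0 hunk on the same line and in index_0. Bash does not word-split or glob the word of a here-string, so the multi-line ruleset still reaches nft intact, but the form looks like a quoting bug to a reader who does not remember that exception and will draw lint warnings; `$NFT -o -f - <<< "$RULESET"` matches the neighbouring tests and removes the doubt.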
@@ -0,0 +1,14 @@
+table inet t {
+ chain ack_chain {
+ }
+
+ chain urg_chain {
+ }
+
+ chain c {
+ tcp flags & (syn | rst | ack | urg) == ack | urg
+ tcp flags & (fin | syn | rst | ack | urg) == { fin | ack | urg, fin | ack, fin, syn | ack, syn, rst | ack, rst, ack | urg, ack }
+ tcp flags & (rst | ack | urg) == rst | ack
+ tcp flags & (ack | urg) vmap { ack : jump ack_chain, urg : jump urg_chain }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft
new file mode 100644
index 00000000..712182e9
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft
@@ -0,0 +1,776 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": 
"foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, 
+ "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "netdev", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + 
"right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + 
{
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "udp",
+ "field": "dport"
+ }
+ },
+ "right": 67
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "foo",
+ "chain": "bar",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "nfproto"
+ }
+ },
+ "right": "ipv6"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "udp",
+ "field": "dport"
+ }
+ },
+ "right": 67
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_counter.nft b/tests/shell/testcases/optimizations/dumps/merge_counter.nft
new file mode 100644
index 00000000..72eed5d0
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_counter.nft
@@ -0,0 +1,8 @@
+table ip x {
+ chain y {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { invalid counter packets 0 bytes 0 : drop, established counter packets 0 bytes 0 : accept, related counter packets 0 bytes 0 : accept }
+ tcp dport { 80, 123 } counter packets 0 bytes 0 accept
+ ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 counter packets 0 bytes 0 : accept, 1.1.1.2 . 3.3.3.3 counter packets 0 bytes 0 : drop }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft
new file mode 100644
index 00000000..a6cf1bfc
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft
@@ -0,0 +1,379 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test1", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test1", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test1", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "4.4.4.4", + "1.1.1.1" + ], + [ + "5.5.5.5", + "2.2.2.2" + ] + ] + } + } + } + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test2", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + { + "concat": [ + "1.1.1.1", + 8001 + ] + } + ], + [ + 81, + { + "concat": [ + "2.2.2.2", + 9001 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + 
} + }, + { + "prefix": { + "addr": "10.141.13.0", + "len": 24 + } + } + ] + } + } + }, + { + "masquerade": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test4", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + 80 + ] + }, + { + "concat": [ + "4.4.4.4", + 8000 + ] + } + ], + [ + { + "concat": [ + "2.2.2.2", + 81 + ] + }, + { + "concat": [ + "3.3.3.3", + 9000 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "redirect": { + "port": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 83, + 8083 + ], + [ + 84, + 8084 + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 85 + } + }, + { + "redirect": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft index dd17905d..f6c119ec 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_nat.nft +++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft 
@@ -8,29 +8,14 @@ table ip test2 {
 chain y {
 oif "lo" accept
 dnat ip to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 }
- }
-}
-table ip test3 {
- chain y {
- oif "lo" accept
- snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 }
- oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade
 }
 }
 table ip test4 {
 chain y {
 oif "lo" accept
 dnat ip to ip daddr . tcp dport map { 1.1.1.1 . 80 : 4.4.4.4 . 8000, 2.2.2.2 . 81 : 3.3.3.3 . 9000 }
- }
-}
-table inet nat {
- chain prerouting {
- oif "lo" accept
- dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 }
- }
-
- chain postrouting {
- oif "lo" accept
- snat ip to ip daddr map { 72.2.3.66 : 10.2.2.2, 72.2.3.67 : 10.2.3.3 }
+ redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
+ tcp dport 85 redirect
 }
 }
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft
new file mode 100644
index 00000000..dc67feec
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft
@@ -0,0 +1,200 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test3", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "sport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "3.3.3.3" + ], + [ + { + "concat": [ + "2.2.2.2", + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "4.4.4.4" + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp2s0" + } + }, + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.1.1.0", + "len": 24 + } + }, + { + "range": [ + "72.2.3.66", + "72.2.3.78" + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 8888, + 9999 + ] + } + } + }, + { + "redirect": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft
new file mode 100644
index 00000000..0faddfd1
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.nft
@@ -0,0 +1,8 @@
+table ip test3 {
+ chain y {
+ oif "lo" accept
+ snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 }
+ oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ tcp dport { 8888, 9999 } redirect
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft
new file mode 100644
index 00000000..99930f11
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.json-nft
@@ -0,0 +1,208 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "nat", + "name": "prerouting", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "72.2.3.70", + 80 + ] + }, + { + "concat": [ + "10.1.1.52", + 80 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + "72.2.3.66", + 53122 + ] + }, + { + "concat": [ + "10.1.1.10", + 22 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + "72.2.3.66", + 443 + ] + }, + { + "concat": [ + "10.1.1.52", + 443 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "nat", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "72.2.3.66", + 
"10.2.2.2"
+ ],
+ [
+ "72.2.3.67",
+ "10.2.3.3"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft
new file mode 100644
index 00000000..a1a11354
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft
@@ -0,0 +1,11 @@
+table inet nat {
+ chain prerouting {
+ oif "lo" accept
+ dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 }
+ }
+
+ chain postrouting {
+ oif "lo" accept
+ snat ip to ip daddr map { 72.2.3.66 : 10.2.2.2, 72.2.3.67 : 10.2.3.3 }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft b/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft
new file mode 100644
index 00000000..46ed0677
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft
@@ -0,0 +1,320 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "172.30.33.70" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + "172.30.238.117", + 8080 + ] + }, + { + "concat": [ + "tcp", + "172.30.33.71", + 3306 + ] + }, + { + "concat": [ + "tcp", + "172.30.254.251", + 3306 + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "icmp", + "expr": "port-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "172.30.254.252" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "table": { + "family": 
"ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + "aaaa::3", + 8080 + ] + }, + { + "concat": [ + "tcp", + "aaaa::2", + 3306 + ] + }, + { + "concat": [ + "tcp", + "aaaa::4", + 3306 + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "icmpv6", + "expr": "port-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "aaaa::5" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft new file mode 100644 index 00000000..c392b76a --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft 
@@ -0,0 +1,63 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.0.1", + "192.168.0.2", + "192.168.0.3" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft new file mode 100644 index 00000000..46e740a8 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft 
@@ -0,0 +1,435 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c3", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "eth1", + "1.1.1.1", + "2.2.2.3" + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + "2.2.2.4" + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + { + "prefix": { + "addr": "2.2.3.0", + "len": 24 + } + } + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + { + "range": [ + "2.2.4.0", + "2.2.4.10" + ] + } + ] + }, + { + "concat": [ + "eth2", + "1.1.1.3", + "2.2.2.5" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + 22 + ] + }, + { + "concat": [ + "udp", + 67 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + 
"protocol": "udp", + "field": "dport" + } + }, + { + "ct": { + "key": "state" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 137, + "new" + ] + }, + { + "concat": [ + 138, + "new" + ] + }, + { + "concat": [ + 137, + "untracked" + ] + }, + { + "concat": [ + 138, + "untracked" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c1", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 100, + "foo" + ] + }, + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c3", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 100, + "foo" + ] + }, + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + }, + { + "concat": [ + 100, + "test" + ] + }, + { + "concat": [ + 51820, + "test" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
index f56cea1c..d00ac417 100644
--- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
@@ -2,6 +2,7 @@ table ip x {
 chain y {
 iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept
 ip protocol . th dport { tcp . 22, udp . 67 }
+ udp dport . ct state { 137 . new, 138 . new, 137 . untracked, 138 . untracked } accept
 }
 
 chain c1 {
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft
new file mode 100644
index 00000000..5dfa40a8
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft
@@ -0,0 +1,167 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "x", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "meta": { + "key": "pkttype" + } + }, + { + "payload": { + "protocol": "udp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "broadcast", + 547 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "broadcast", + 67 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "multicast", + 1900 + ] + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "2.2.2.2", + "3.3.3.3" + ] + }, + { + "drop": null + } + ], + [ + { + "concat": [ + "4.4.4.4", + "5.5.5.5" + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft new file mode 100644 index 00000000..17d57b8f --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft 
@@ -0,0 +1,182 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "w", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "ct": { + "key": "state" + } + }, + "data": { + "set": [ + [ + "invalid", + { + "drop": null + } + ], + [ + "established", + { + "accept": null + } + ], + [ + "related", + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 1, + { + "accept": null + } + ], + [ + { + "range": [ + 2, + 3 + ] + }, + { + "drop": null + } + ], + [ + 4, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "w", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ], + [ + { + "elem": { + "val": "1.1.1.2", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft index 5a9b3006..8ecbd927 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft 
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft
@@ -6,4 +6,8 @@ table ip x {
 chain z {
 tcp dport vmap { 1 : accept, 2-3 : drop, 4 : accept }
 }
+
+ chain w {
+ ip saddr vmap { 1.1.1.1 counter packets 0 bytes 0 : accept, 1.1.1.2 counter packets 0 bytes 0 : drop }
+ }
 }
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft
new file mode 100644
index 00000000..b8ad126c
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft
@@ -0,0 +1,438 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_dnstc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_this_5301", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5301", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5302", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5303", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_acme", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_dnstc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "redirect": { + "port": 5300 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_dnstc", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_this_5301", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "redirect": { + "port": 5301 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_this_5301", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5301", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" 
+ } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5301 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5301", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5302", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5302 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5302", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5303", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5303 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5303", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_acme", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "th", + "offset": 160, + "len": 128 + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "goto": { + "target": "nat_dns_dnstc" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + 
"0xe31393032383939353831343037320e" + ] + }, + { + "goto": { + "target": "nat_dns_this_5301" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe31363436323733373931323934300e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5301" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe32393535373539353636383732310e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5302" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe38353439353637323038363633390e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5303" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_acme", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft new file mode 100644 index 00000000..f058d6f1 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft 
@@ -0,0 +1,203 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "filter_in_tcp", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "filter_in_udp", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@s", + "stmt": [ + { + "limit": { + "rate": 12, + "burst": 30, + "per": "minute" + } + } + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + { + "accept": null + } + ], + [ + 81, + { + "accept": null + } + ], + [ + 443, + { + "accept": null + } + ], + [ + { + "range": [ + 8000, + 8100 + ] + }, + { + "accept": null + } + ], + [ + { + "range": [ + 24000, + 25000 + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "l4proto" + } + }, + "data": { + "set": [ + [ + "tcp", + { + "goto": { + "target": "filter_in_tcp" + } + } + ], + [ + "udp", + { + "goto": { + "target": "filter_in_udp" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "log": null + } + ] + } + 
} + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft new file mode 100644 index 00000000..8e64ba1e --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft @@ -0,0 +1,140 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "t1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "t2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "version" + } + }, + "data": { + "set": [ + [ + 4, + { + "jump": { + "target": "t3" + } + } + ], + [ + 6, + { + "jump": { + "target": "t4" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.json-nft b/tests/shell/testcases/optimizations/dumps/ruleset.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/ruleset.json-nft 
@@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.nft b/tests/shell/testcases/optimizations/dumps/ruleset.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/ruleset.nft diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft new file mode 100644 index 00000000..26634134 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.json-nft 
@@ -0,0 +1,360 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "127.0.0.0", + "len": 8 + } + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "range": [ + "127.0.0.1", + "192.168.7.3" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": { + "range": [ + 1, + 1023 + ] + } + } + 
}, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.7.1", + "192.168.7.5" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 80, + 443 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "192.168.0.1", + 22 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "data": { + "set": [ + [ + "192.168.0.1", + 1 + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "established", + "related" + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input deleted file mode 100644 index 35b93832..00000000 
--- a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input +++ /dev/null @@ -1,35 +0,0 @@ -table ip test { - chain test { - # Test cases where anon set can be removed: - ip saddr { 127.0.0.1 } accept - iif { "lo" } accept - - # negation, can change to != 22. - tcp dport != { 22 } drop - - # single prefix, can remove anon set. - ip saddr { 127.0.0.0/8 } accept - - # range, can remove anon set. - ip saddr { 127.0.0.1-192.168.7.3 } accept - tcp sport { 1-1023 } drop - - # Test cases where anon set must be kept. - - # 2 elements, cannot remove the anon set. - ip daddr { 192.168.7.1, 192.168.7.5 } accept - tcp dport { 80, 443 } accept - - # single element, but concatenation which is not - # supported outside of set/map context at this time. - ip daddr . tcp dport { 192.168.0.1 . 22 } accept - - # single element, but a map. - meta mark set ip daddr map { 192.168.0.1 : 1 } - - # 2 elements. This could be converted because - # ct state cannot be both established and related - # at the same time, but this needs extra work. - ct state { established, related } accept - } -} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft new file mode 100644 index 00000000..c8adddb1 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft 
@@ -0,0 +1,59 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": { + "set": [ + { + "elem": { + "val": 10, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft new file mode 100644 index 00000000..54880b92 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + meta mark { 0x0000000a counter packets 0 bytes 0 } + } +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft new file mode 100644 index 00000000..7bb6c656 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft 
@@ -0,0 +1,235 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "udp_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "tcp_input", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "udp_accepted", + "table": "filter", + "type": "inet_service", + "handle": 0, + "elem": [ + 500, + 4500 + ] + } + }, + { + "set": { + "family": "inet", + "name": "tcp_accepted", + "table": "filter", + "type": "inet_service", + "handle": 0, + "elem": [ + 80, + 443 + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": { + "range": [ + 1, + 128 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": "@udp_accepted" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 53 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + { + "range": [ + 1, + 128 + ] + }, + { + "range": [ + 8888, + 9999 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } 
+ }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": "@tcp_accepted" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 1024, + 65535 + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft b/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft new file mode 100644 index 00000000..19296d02 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft 
@@ -0,0 +1,108 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "eth0" + } + }, + { + "match": { + "op": "!=", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "eth0" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "eth0" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "eth0" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft new file mode 100644 index 00000000..bf5a8cec --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft 
@@ -0,0 +1,254 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "GEOIP_CC_wan-lan_120", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "1.32.128.0", + "len": 18 + } + }, + { + "range": [ + "1.32.200.0", + "1.32.204.128" + ] + }, + { + "prefix": { + "addr": "1.32.207.0", + "len": 24 + } + }, + { + "range": [ + "1.32.216.118", + "1.32.216.255" + ] + }, + { + "range": [ + "1.32.219.0", + "1.32.222.255" + ] + }, + { + "prefix": { + "addr": "1.32.226.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.32.231.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.32.233.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.32.238.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.32.240.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "223.223.220.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "223.255.254.0", + "len": 24 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 10 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": 
{ + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 81 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 11 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.2.3.5", + 81 + ] + }, + { + "concat": [ + "1.2.3.5", + 82 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft index 43b6578d..f24855e7 100644 --- a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft +++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft @@ -1,4 +1,15 @@ table inet x { + set GEOIP_CC_wan-lan_120 { + type ipv4_addr + flags interval + elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128, + 1.32.207.0/24, 1.32.216.118-1.32.216.255, + 1.32.219.0-1.32.222.255, 1.32.226.0/23, + 1.32.231.0/24, 1.32.233.0/24, + 1.32.238.0/23, 1.32.240.0/24, + 223.223.220.0/22, 223.255.254.0/24 } + } + chain y { ip saddr 1.2.3.4 tcp dport 80 meta mark set 0x0000000a accept ip saddr 1.2.3.4 tcp dport 81 meta mark set 0x0000000b accept diff --git a/tests/shell/testcases/optimizations/dumps/variables.json-nft b/tests/shell/testcases/optimizations/dumps/variables.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/variables.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} 
diff --git a/tests/shell/testcases/optimizations/dumps/variables.nft b/tests/shell/testcases/optimizations/dumps/variables.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/variables.nft
diff --git a/tests/shell/testcases/optimizations/merge_counter b/tests/shell/testcases/optimizations/merge_counter
new file mode 100755
index 00000000..3b8bbadd
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_counter
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ type filter hook input priority 0; policy drop;
+
+ ct state invalid counter drop
+ ct state established,related counter accept
+ tcp dport 80 counter accept
+ tcp dport 123 counter accept
+ ip saddr 1.1.1.1 ip daddr 2.2.2.2 counter accept
+ ip saddr 1.1.1.2 ip daddr 3.3.3.3 counter drop
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat
index edf7f4c4..3ffcbd57 100755
--- a/tests/shell/testcases/optimizations/merge_nat
+++ b/tests/shell/testcases/optimizations/merge_nat
@@ -17,17 +17,8 @@ RULESET="table ip test2 {
 oif lo accept
 tcp dport 80 dnat to 1.1.1.1:8001
 tcp dport 81 dnat to 2.2.2.2:9001
- }
-}"
-
-$NFT -o -f - <<< $RULESET
-
-RULESET="table ip test3 {
- chain y {
- oif lo accept
- ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3
- ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4
- oifname enp2s0 snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ ip saddr 10.141.11.0/24 masquerade
+ ip saddr 10.141.13.0/24 masquerade
 }
 }"
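Review bot: The last line of the new merge_counter script, `$NFT -o -f - <<< $RULESET`, leaves the here-string expansion unquoted, whereas the nomerge_vmap script added by the same commit writes `$NFT -c -o -f - <<< "$RULESET"`. Bash does not word-split or glob the here-string word, so this is a consistency point rather than a functional bug, but quoting it, `$NFT -o -f - <<< "$RULESET"`, keeps the new scripts uniform and spares the reader from having to recall that exemption. The same unquoted form is used in the new merge_nat_concat, merge_nat_inet and nomerge_raw_payload scripts.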
@@ -38,23 +29,10 @@ RULESET="table ip test4 {
 oif lo accept
 ip daddr 1.1.1.1 tcp dport 80 dnat to 4.4.4.4:8000
 ip daddr 2.2.2.2 tcp dport 81 dnat to 3.3.3.3:9000
+ tcp dport 83 redirect to :8083
+ tcp dport 84 redirect to :8084
+ tcp dport 85 redirect
 }
 }"
 $NFT -o -f - <<< $RULESET
-
-RULESET="table inet nat {
- chain prerouting {
- oif lo accept
- iifname enp2s0 ip daddr 72.2.3.66 tcp dport 53122 dnat to 10.1.1.10:22
- iifname enp2s0 ip daddr 72.2.3.66 tcp dport 443 dnat to 10.1.1.52:443
- iifname enp2s0 ip daddr 72.2.3.70 tcp dport 80 dnat to 10.1.1.52:80
- }
- chain postrouting {
- oif lo accept
- ip daddr 72.2.3.66 snat to 10.2.2.2
- ip daddr 72.2.3.67 snat to 10.2.3.3
- }
-}"
-
-$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_nat_concat b/tests/shell/testcases/optimizations/merge_nat_concat
new file mode 100755
index 00000000..2e0a91a3
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_nat_concat
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
+set -e
+
+RULESET="table ip test3 {
+ chain y {
+ oif lo accept
+ ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3
+ ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4
+ oifname enp2s0 snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ tcp dport 8888 redirect
+ tcp dport 9999 redirect
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_nat_inet b/tests/shell/testcases/optimizations/merge_nat_inet
new file mode 100755
index 00000000..ff1916d3
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_nat_inet
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_nat)
+
+set -e
+
+RULESET="table inet nat {
+ chain prerouting {
+ oif lo accept
+ iifname enp2s0 ip daddr 72.2.3.66 tcp dport 53122 dnat to 10.1.1.10:22
+ iifname enp2s0 ip daddr 72.2.3.66 tcp dport 443 dnat to 10.1.1.52:443
+ iifname enp2s0 ip daddr 72.2.3.70 tcp dport 80 dnat to 10.1.1.52:80
+ }
+ chain postrouting {
+ oif lo accept
+ ip daddr 72.2.3.66 snat to 10.2.2.2
+ ip daddr 72.2.3.67 snat to 10.2.3.3
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat b/tests/shell/testcases/optimizations/merge_stmts_concat
index 9679d862..bae54e36 100755
--- a/tests/shell/testcases/optimizations/merge_stmts_concat
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat
@@ -1,5 +1,7 @@
 #!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
 set -e
 RULESET="table ip x {
@@ -10,6 +12,8 @@ RULESET="table ip x {
 meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
 meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
 ip protocol . th dport { tcp . 22, udp . 67 }
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
 }
 }"
diff --git a/tests/shell/testcases/optimizations/merge_stmts_vmap b/tests/shell/testcases/optimizations/merge_stmts_vmap
index 79350076..e5357c0f 100755
--- a/tests/shell/testcases/optimizations/merge_stmts_vmap
+++ b/tests/shell/testcases/optimizations/merge_stmts_vmap
@@ -1,5 +1,7 @@
 #!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
 set -e
 RULESET="table ip x {
@@ -12,6 +14,10 @@ RULESET="table ip x {
 tcp dport 2-3 drop
 tcp dport 4 accept
 }
+ chain w {
+ ip saddr 1.1.1.1 counter accept
+ ip saddr 1.1.1.2 counter drop
+ }
 }"
 $NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_vmap_raw b/tests/shell/testcases/optimizations/merge_vmap_raw
index f3dc0721..eb04bec3 100755
--- a/tests/shell/testcases/optimizations/merge_vmap_raw
+++ b/tests/shell/testcases/optimizations/merge_vmap_raw
@@ -1,5 +1,7 @@
 #!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
 set -e
 RULESET="table inet x {
diff --git a/tests/shell/testcases/optimizations/nomerge_raw_payload b/tests/shell/testcases/optimizations/nomerge_raw_payload
new file mode 100755
index 00000000..bb8678ac
--- /dev/null
+++ b/tests/shell/testcases/optimizations/nomerge_raw_payload
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ type filter hook prerouting priority raw; policy accept;
+ @th,160,32 0x02736c00 drop comment \"sl\"
+ @th,160,112 0x870697a7a6173656f03636f6d00 drop comment \"pizzaseo.com\"
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/nomerge_vmap b/tests/shell/testcases/optimizations/nomerge_vmap
new file mode 100755
index 00000000..36bdf281
--- /dev/null
+++ b/tests/shell/testcases/optimizations/nomerge_vmap
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+RULESET='table ip x {
+ chain NAME_lan-wg8 {}
+ chain NAME_mullvadgb-wg8 {}
+ chain NAME_mullvadus-wg8 {}
+ chain NAME_wan-wg8 {}
+ chain NAME_wg0-wg8 {}
+ chain NAME_wg1-wg8 {}
+ chain NAME_wg7-wg8 {}
+
+ chain VZONE_wg8 {
+ iifname "wg8" counter return
+ iifname "eth1" counter jump NAME_lan-wg8
+ iifname "eth1" counter return
+ iifname "eth3" counter jump NAME_mullvadgb-wg8
+ iifname "eth3" counter return
+ iifname "eth2" counter jump NAME_mullvadus-wg8
+ iifname "eth2" counter return
+ iifname "eth0" counter jump NAME_wan-wg8
+ iifname "eth0" counter return
+ iifname "wg0" counter jump NAME_wg0-wg8
+ iifname "wg0" counter return
+ iifname "wg1" counter jump NAME_wg1-wg8
+ iifname "wg1" counter return
+ iifname "wg7" counter jump NAME_wg7-wg8
+ iifname "wg7" counter return
+ counter drop comment "zone_wg8 default-action drop"
+ }
+
+ chain v4icmp {}
+ chain v4icmpc {}
+
+ chain y {
+ ip protocol icmp jump v4icmp
+ ip protocol icmp goto v4icmpc
+ }
+}'
+
+$NFT -c -o -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/optimizations/ruleset b/tests/shell/testcases/optimizations/ruleset
index ef2652db..f7c3b747 100755
--- a/tests/shell/testcases/optimizations/ruleset
+++ b/tests/shell/testcases/optimizations/ruleset
@@ -1,5 +1,8 @@
 #!/bin/bash
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_prerouting_reject)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_nat)
+
 RULESET="table inet uni {
 chain gtfo {
 reject with icmpx type host-unreachable
diff --git a/tests/shell/testcases/optimizations/single_anon_set b/tests/shell/testcases/optimizations/single_anon_set
index 7275e360..632e965f 100755
--- a/tests/shell/testcases/optimizations/single_anon_set
+++ b/tests/shell/testcases/optimizations/single_anon_set
@@ -2,12 +2,52 @@
 set -e
+test -d "$NFT_TEST_TESTTMPDIR"
+
 # Input file contains rules with anon sets that contain
 # one element, plus extra rule with two elements (that should be
 # left alone).
 # Dump file has the simplified rules where anon sets have been
 # replaced by equality tests where possible.
-dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+file_input1="$NFT_TEST_TESTTMPDIR/input1.nft"
+
+cat <<EOF > "$file_input1"
+table ip test {
+ chain test {
+ # Test cases where anon set can be removed:
+ ip saddr { 127.0.0.1 } accept
+ iif { "lo" } accept
+
+ # negation, can change to != 22.
+ tcp dport != { 22 } drop
+
+ # single prefix, can remove anon set.
+ ip saddr { 127.0.0.0/8 } accept
+
+ # range, can remove anon set.
+ ip saddr { 127.0.0.1-192.168.7.3 } accept
+ tcp sport { 1-1023 } drop
+
+ # Test cases where anon set must be kept.
+
+ # 2 elements, cannot remove the anon set.
+ ip daddr { 192.168.7.1, 192.168.7.5 } accept
+ tcp dport { 80, 443 } accept
+
+ # single element, but concatenation which is not
+ # supported outside of set/map context at this time.
+ ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+
+ # single element, but a map.
+ meta mark set ip daddr map { 192.168.0.1 : 1 }
+
+ # 2 elements. This could be converted because
+ # ct state cannot be both established and related
+ # at the same time, but this needs extra work.
+ ct state { established, related } accept
+ }
+}
+EOF
-$NFT -f "$dumpfile".input
+$NFT -f "$file_input1"
diff --git a/tests/shell/testcases/optimizations/single_anon_set_expr b/tests/shell/testcases/optimizations/single_anon_set_expr
new file mode 100755
index 00000000..81b7ceba
--- /dev/null
+++ b/tests/shell/testcases/optimizations/single_anon_set_expr
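Review bot: The here-document `cat <<EOF > "$file_input1"` uses an unquoted delimiter, so bash expands `$…`, backticks and backslash escapes inside the ruleset before nft ever reads the file; nothing in this particular input contains them, but the comments invite further cases, and an nft `define`/`$var` line added later would be silently rewritten by the shell. Quoting the delimiter, `cat <<'EOF' > "$file_input1"`, makes the ruleset literal with no other change to the script. The new single_anon_set_expr script in this commit writes its input with the same unquoted `<<EOF`.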
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
+set -e
+
+test -d "$NFT_TEST_TESTTMPDIR"
+
+# Input file contains rules with anon sets that contain
+# one element, plus extra rule with two elements (that should be
+# left alone).
+
+# Dump file has the simplified rules where anon sets have been
+# replaced by equality tests where possible.
+file_input1="$NFT_TEST_TESTTMPDIR/input1.nft"
+
+cat <<EOF > "$file_input1"
+table ip test {
+ chain test {
+ # with stateful statement
+ meta mark { 0x0000000a counter }
+ }
+}
+EOF
+
+$NFT -f "$file_input1"
diff --git a/tests/shell/testcases/optimizations/skip_unsupported b/tests/shell/testcases/optimizations/skip_unsupported
index 9313c302..6baa8280 100755
--- a/tests/shell/testcases/optimizations/skip_unsupported
+++ b/tests/shell/testcases/optimizations/skip_unsupported
@@ -3,6 +3,17 @@
 set -e
 RULESET="table inet x {
+ set GEOIP_CC_wan-lan_120 {
+ type ipv4_addr
+ flags interval
+ elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128,
+ 1.32.207.0/24, 1.32.216.118-1.32.216.255,
+ 1.32.219.0-1.32.222.255, 1.32.226.0/23,
+ 1.32.231.0/24, 1.32.233.0/24,
+ 1.32.238.0/23, 1.32.240.0/24,
+ 223.223.220.0/22, 223.255.254.0/24 }
+ }
+
 chain y {
 ip saddr 1.2.3.4 tcp dport 80 meta mark set 10 accept
 ip saddr 1.2.3.4 tcp dport 81 meta mark set 11 accept
diff --git a/tests/shell/testcases/optimizations/variables b/tests/shell/testcases/optimizations/variables
index fa986065..4cb322db 100755
--- a/tests/shell/testcases/optimizations/variables
+++ b/tests/shell/testcases/optimizations/variables
@@ -2,14 +2,52 @@ set -e -RULESET="define addrv4_vpnnet = 10.1.0.0/16 +RULESET='define addrv4_vpnnet = 10.1.0.0/16 +define wan = "eth0" +define lan = "eth1" +define vpn = "tun0" +define server = "10.10.10.1" -table ip nat { - chain postrouting { - type nat hook postrouting priority 0; policy accept; +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + } + chain forward { + type filter hook forward priority 1; policy drop; - ip saddr \$addrv4_vpnnet counter masquerade fully-random comment \"masquerade ipv4\" - } -}" + iifname $lan oifname $lan accept; + + iifname $lan oifname $wan ct state new accept + iifname $lan oifname $wan ct state {established, related} accept + + iifname $wan oifname $lan ct state {established, related} accept + + iifname $vpn oifname $wan accept + iifname $wan oifname $vpn accept + iifname $lan oifname $vpn accept + iifname $vpn oifname $lan accept + + iifname $lan oifname $server accept + iifname $server oifname $lan accept + iifname $server oifname $wan accept + iifname $wan oifname $server accept + } + chain output { + type filter hook output priority 0; policy drop; + } +} + +table nat { + chain prerouting { + type nat hook prerouting priority -100; policy accept; + iifname $wan tcp dport 10000 dnat to $server:10000; + } + chain postrouting { + type nat hook postrouting priority 100; policy accept; + ip saddr $addrv4_vpnnet counter masquerade fully-random comment "masquerade ipv4" + oifname $vpn masquerade + oifname $wan masquerade + } +}' $NFT -c -o -f - <<< $RULESET diff --git a/tests/shell/testcases/optionals/comments_chain_0 b/tests/shell/testcases/optionals/comments_chain_0 index fba961c7..1a84cfa6 100755 --- a/tests/shell/testcases/optionals/comments_chain_0 +++ b/tests/shell/testcases/optionals/comments_chain_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + EXPECTED='table ip test_table { chain test_chain { comment "test" 
diff --git a/tests/shell/testcases/optionals/comments_objects_0 b/tests/shell/testcases/optionals/comments_objects_0 index 7437c77b..28041ebd 100755 --- a/tests/shell/testcases/optionals/comments_objects_0 +++ b/tests/shell/testcases/optionals/comments_objects_0 @@ -1,9 +1,25 @@ #!/bin/bash -EXPECTED='table ip filter { +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + +set -e + +COMMENT128="12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678" + +# test for pass with comment that is 128 bytes long. +rc=0 +$NFT add table ip filter \{ quota foo1 \{ comment "\"${COMMENT128}\"" \}\; \}\; || rc="$?" +test "$rc" = 0 + +# test for failure with comment that is 128+1 bytes long. +rc=0 +$NFT add table ip filter \{ quota foo2 \{ comment "\"${COMMENT128}x\"" \}\; \}\; || rc="$?" +test "$rc" = 1 + +RULESET='table ip filter { quota q { over 1200 bytes - comment "test1" + comment "'"$COMMENT128"'" } counter c { @@ -39,6 +55,4 @@ EXPECTED='table ip filter { } ' -set -e - -$NFT -f - <<< "$EXPECTED" +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/optionals/comments_table_0 b/tests/shell/testcases/optionals/comments_table_0 index a0dfd749..56bb206b 100755 --- a/tests/shell/testcases/optionals/comments_table_0 +++ b/tests/shell/testcases/optionals/comments_table_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + # comments are shown $NFT add table test { comment \"test_comment\"\; } diff --git a/tests/shell/testcases/optionals/dumps/comments_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_0.json-nft new file mode 100644 index 00000000..aef4b3e4 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_0.json-nft 
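Review bot: Both exit-status assertions depend on `COMMENT128` really being 128 bytes long, but nothing verifies that; a stray character in the literal would make the first `test "$rc" = 0` fail without explanation, or silently turn the 128+1 case into 128+2. Adding `test "${#COMMENT128}" = 128` right after the assignment pins the constant the two comments rely on. The second assertion, `test "$rc" = 1`, also fixes nft's exact exit status rather than just non-zero; if that is intentional (a clean validation error, not a crash), a one-line comment saying so would make the expectation clear.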
@@ -0,0 +1,58 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "comment": "test_comment", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_chain_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_chain_0.json-nft new file mode 100644 index 00000000..4c752e80 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_chain_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test_table", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test_table", + "name": "test_chain", + "handle": 0, + "comment": "test" + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.json-nft new file mode 100644 index 00000000..aef4b3e4 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.json-nft 
@@ -0,0 +1,58 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "comment": "test_comment", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft new file mode 100644 index 00000000..b5359d8b --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft 
@@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "foo1", + "table": "filter", + "handle": 0, + "comment": "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678", + "bytes": 0, + "used": 0, + "inv": false + } + }, + { + "quota": { + "family": "ip", + "name": "q", + "table": "filter", + "handle": 0, + "comment": "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678", + "bytes": 1200, + "used": 0, + "inv": true + } + }, + { + "counter": { + "family": "ip", + "name": "c", + "table": "filter", + "handle": 0, + "comment": "test2", + "packets": 0, + "bytes": 0 + } + }, + { + "ct helper": { + "family": "ip", + "name": "h", + "table": "filter", + "handle": 0, + "comment": "test3", + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "ct expectation": { + "family": "ip", + "name": "e", + "table": "filter", + "handle": 0, + "comment": "test4", + "protocol": "tcp", + "dport": 666, + "timeout": 100, + "size": 96, + "l3proto": "ip" + } + }, + { + "limit": { + "family": "ip", + "name": "l", + "table": "filter", + "handle": 0, + "comment": "test5", + "rate": 400, + "per": "hour", + "burst": 5 + } + }, + { + "synproxy": { + "family": "ip", + "name": "s", + "table": "filter", + "handle": 0, + "comment": "test6", + "mss": 1460, + "wscale": 2 + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft index b760ced6..13822209 100644 --- a/tests/shell/testcases/optionals/dumps/comments_objects_0.nft +++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft 
@@ -1,6 +1,11 @@ table ip filter { + quota foo1 { + comment "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678" + 0 bytes + } + quota q { - comment "test1" + comment "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678" over 1200 bytes } diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft diff --git a/tests/shell/testcases/optionals/dumps/comments_table_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_table_0.json-nft new file mode 100644 index 00000000..8512c7de --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_table_0.json-nft @@ -0,0 +1,19 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0, + "comment": "test_comment" + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/delete_object_handles_0.json-nft b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.json-nft new file mode 100644 index 00000000..583ce528 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.json-nft 
@@ -0,0 +1,67 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "https-quota", + "table": "test-ip", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": false + } + }, + { + "map": { + "family": "ip", + "name": "ports", + "table": "test-ip", + "type": "inet_service", + "handle": 0, + "map": "quota" + } + }, + { + "table": { + "family": "ip6", + "name": "test-ip6", + "handle": 0 + } + }, + { + "quota": { + "family": "ip6", + "name": "http-quota", + "table": "test-ip6", + "handle": 0, + "bytes": 26214400, + "used": 0, + "inv": true + } + }, + { + "counter": { + "family": "ip6", + "name": "http-traffic", + "table": "test-ip6", + "handle": 0, + "packets": 0, + "bytes": 0 + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft new file mode 100644 index 00000000..aac03cc5 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft @@ -0,0 +1,18 @@ +table ip test-ip { + quota https-quota { + 25 mbytes + } + + map ports { + type inet_service : quota + } +} +table ip6 test-ip6 { + quota http-quota { + over 25 mbytes + } + + counter http-traffic { + packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/optionals/dumps/handles_0.json-nft b/tests/shell/testcases/optionals/dumps/handles_0.json-nft new file mode 100644 index 00000000..ff06af30 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/handles_0.json-nft 
@@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/handles_1.json-nft b/tests/shell/testcases/optionals/dumps/handles_1.json-nft new file mode 100644 index 00000000..ff06af30 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/handles_1.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/handles_1.nft b/tests/shell/testcases/optionals/dumps/handles_1.nft new file mode 100644 index 00000000..085c6cf1 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/handles_1.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport 22 counter packets 0 bytes 0 accept + } +} 
diff --git a/tests/shell/testcases/optionals/dumps/log_prefix_0.json-nft b/tests/shell/testcases/optionals/dumps/log_prefix_0.json-nft new file mode 100644 index 00000000..161a58d4 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/log_prefix_0.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "log": { + "prefix": "invalid state match, logging:" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/update_object_handles_0.json-nft b/tests/shell/testcases/optionals/dumps/update_object_handles_0.json-nft new file mode 100644 index 00000000..ba78f8d7 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/update_object_handles_0.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "counter": { + "family": "ip", + "name": "traffic-counter", + "table": "test-ip", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "traffic-quota", + "table": "test-ip", + "handle": 0, + "bytes": 52428800, + "used": 0, + "inv": false + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft new file mode 100644 index 00000000..f391b631 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft 
@@ -0,0 +1,9 @@ +table ip test-ip { + counter traffic-counter { + packets 0 bytes 0 + } + + quota traffic-quota { + 50 mbytes + } +} diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0 index 8b12b8c5..ccd96779 100755 --- a/tests/shell/testcases/optionals/update_object_handles_0 +++ b/tests/shell/testcases/optionals/update_object_handles_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_stateful_object_update) + set -e $NFT add table test-ip $NFT add counter test-ip traffic-counter diff --git a/tests/shell/testcases/owner/0001-flowtable-uaf b/tests/shell/testcases/owner/0001-flowtable-uaf index 4efbe75c..c07e8d6a 100755 --- a/tests/shell/testcases/owner/0001-flowtable-uaf +++ b/tests/shell/testcases/owner/0001-flowtable-uaf @@ -1,11 +1,14 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner) + set -e $NFT -f - <<EOF table t { flags owner flowtable f { + hook ingress priority 0 devices = { lo } } } @@ -16,6 +19,7 @@ $NFT -f - <<EOF table t { flags owner flowtable f { + hook ingress priority 0 devices = { lo } } } diff --git a/tests/shell/testcases/owner/0002-persist b/tests/shell/testcases/owner/0002-persist new file mode 100755 index 00000000..700f00ec --- /dev/null +++ b/tests/shell/testcases/owner/0002-persist 
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist)
+
+die() {
+ echo "$@"
+ exit 1
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "table add failed"
+}
+
+$NFT list ruleset | grep -q 'table ip t' || {
+ die "table does not persist"
+}
+$NFT list ruleset | grep -q 'flags persist$' || {
+ die "unexpected flags in orphaned table"
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "retake ownership failed"
+}
+
+EXPECT="table ip t {
+ flags persist
+}"
+diff -u <(echo "$EXPECT") <($NFT list ruleset) || {
+ die "unexpected ruleset before coproc setup"
+}
+
+coproc $NFT -i
+sleep 1
+
+cat >&"${COPROC[1]}" <<EOF
+add table ip t { flags owner, persist; }
+EOF
+
+COMM=$(</proc/${COPROC_PID}/comm)
+EXPECT="table ip t { # progname $COMM
+ flags owner,persist
+}"
+diff -u <(echo "$EXPECT") <($NFT list ruleset) || {
+ die "unexpected ruleset after coproc setup"
+}
+
+$NFT flush ruleset
+$NFT list ruleset | grep -q 'table ip t' || {
+ die "flushed owned table"
+}
+
+$NFT add table 'ip t { flags owner, persist; }' && {
+ die "stole owned table"
+}
+
+cat >&"${COPROC[1]}" <<EOF
+delete table ip t
+EOF
+
+[[ -z $($NFT list ruleset) ]] || {
+ die "owner should be able to delete the table"
+}
+
+eval "exec ${COPROC[1]}>&-"
+wait $COPROC_PID
+
+
+exit 0
diff --git a/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.json-nft b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
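Review bot: Nothing synchronises with the coprocess after the `add table` and `delete table` commands are written to `${COPROC[1]}`: the following `diff -u … <($NFT list ruleset)` and the final `[[ -z $($NFT list ruleset) ]]` run immediately, so whether they observe the coprocess's change depends on scheduling, and the only `sleep 1` sits before the first write rather than after it. A bounded poll on `$NFT list ruleset` is more robust than a fixed sleep; a small helper as sketched below, used after each write, would also make a lost command fail with a clear message instead of a confusing diff. Separately, `die` prints to stdout; `echo "$@" >&2` would keep diagnostics out of the captured ruleset output.
```shell
# Poll until "$@" succeeds, giving the interactive nft time to process the
# command just written to it. Bounded so a lost command still fails.
wait_until() {
	local i
	for ((i = 0; i < 50; i++)); do
		"$@" && return 0
		sleep 0.1
	done
	return 1
}
ruleset_has() { $NFT list ruleset | grep -q -- "$1"; }
ruleset_empty() { [[ -z $($NFT list ruleset) ]]; }

# … unchanged: add-table heredoc written to the coproc …
wait_until ruleset_has 'progname' || die "coproc did not add the table"
# … unchanged: COMM/EXPECT diff, flush and steal checks …
# … unchanged: delete-table heredoc written to the coproc …
wait_until ruleset_empty || die "owner should be able to delete the table"
```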
diff --git a/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft diff --git a/tests/shell/testcases/owner/dumps/0002-persist.json-nft b/tests/shell/testcases/owner/dumps/0002-persist.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0002-persist.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/owner/dumps/0002-persist.nft b/tests/shell/testcases/owner/dumps/0002-persist.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0002-persist.nft diff --git a/tests/shell/testcases/packetpath/cgroupv2 b/tests/shell/testcases/packetpath/cgroupv2 new file mode 100755 index 00000000..65916e9d --- /dev/null +++ b/tests/shell/testcases/packetpath/cgroupv2 
@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat)
+
+doit="$1"
+rc=0
+
+# Create hierarchy:
+# / -> nft-test1a/nft-test2a
+# | `nft-test2b
+# `--> nft-test1b/nft-test2a
+# test1b/nft-test2a will remain empty and
+# should never match, it only exists so we
+# can create cgroupv2 match rules.
+
+if [ ! -r /sys/fs/cgroup/cgroup.procs ] ;then
+ echo "cgroup filesystem not available"
+ exit 77
+fi
+
+cleanup()
+{
+ echo $$ > "/sys/fs/cgroup/cgroup.procs"
+
+ rmdir "/sys/fs/cgroup/nft-test1a/nft-test2a"
+ rmdir "/sys/fs/cgroup/nft-test1a/nft-test2b"
+ rmdir "/sys/fs/cgroup/nft-test1b/nft-test2a"
+ rmdir "/sys/fs/cgroup/nft-test1a"
+ rmdir "/sys/fs/cgroup/nft-test1b"
+
+ # nft list is broken after cgroupv2 removal, as nft
+ # can't find the human-readable names anymore.
+ $NFT delete table inet testcgrpv2
+}
+
+do_initial_setup()
+{
+ trap cleanup EXIT
+ ip link set lo up
+
+ mkdir -p "/sys/fs/cgroup/nft-test1a/nft-test2a" || exit 1
+ mkdir -p "/sys/fs/cgroup/nft-test1b/nft-test2a" || exit 1
+
+ mkdir "/sys/fs/cgroup/nft-test1a/nft-test2b" || exit 1
+
+ # After this, we can create cgroupv2 rules for the these cgroups.
+ # test1a and test2a should match while test1b/test2b should not:
+$NFT -f - <<EOF
+table inet testcgrpv2 {
+ counter nft-test1a {}
+ counter nft-test1a2a {}
+ counter nft-test1a2b {}
+ counter nft-test1b {}
+ counter nft-test1b2a {}
+
+ chain output {
+ type filter hook output priority 0;
+
+ socket cgroupv2 level 1 "nft-test1a" counter name "nft-test1a"
+ socket cgroupv2 level 2 "nft-test1a/nft-test2a" counter name "nft-test1a2a"
+
+ # Next must never match
+ socket cgroupv2 level 2 "nft-test1a/nft-test2b" counter name "nft-test1a2b"
+
+ # Must never match
+ socket cgroupv2 level 1 "nft-test1b" counter name "nft-test1b"
+ # Same, must not match.
+ socket cgroupv2 level 2 "nft-test1b/nft-test2a" counter name "nft-test1b2a"
+ }
+}
+EOF
+}
+
+test_counters()
+{
+ local subtest="$1"
+
+ local t1a="$2"
+ local t1a2a="$3"
+
+ $NFT list ruleset
+
+ $NFT reset counter inet testcgrpv2 nft-test1a | grep -q "packets $t1a" || rc=1
+ $NFT reset counter inet testcgrpv2 nft-test1a2a | grep -q "packets $t1a2a" || rc=2
+
+ # dummy cgroup counters, must not match.
+ $NFT reset counter inet testcgrpv2 nft-test1a2b | grep -q 'packets 0' || rc=3
+ $NFT reset counter inet testcgrpv2 nft-test1b | grep -q 'packets 0' || rc=4
+ $NFT reset counter inet testcgrpv2 nft-test1b2a | grep -q 'packets 0' || rc=5
+
+ if [ $rc -ne 0 ]; then
+ echo "Counters did not match expected values fur subtest $subtest, return $rc"
+ exit $rc
+ fi
+}
+
+run_test()
+{
+ echo $$ > "/sys/fs/cgroup/nft-test1a/nft-test2a/cgroup.procs" || exit 2
+ socat -u STDIN TCP:127.0.0.1:8880,connect-timeout=4 < /dev/null > /dev/null
+
+ test_counters "a1,a2" 1 1
+
+ echo $$ > "/sys/fs/cgroup/nft-test1a/cgroup.procs" || exit 2
+ socat -u STDIN TCP:127.0.0.1:8880,connect-timeout=4 < /dev/null > /dev/null
+ test_counters "a1 only" 1 0
+}
+
+
+if [ "$doit" != "setup-done" ];then
+ mkdir -p "/sys/fs/cgroup/nft-test1a" || exit 77
+
+ do_initial_setup
+ run_test
+
+ if [ $rc -ne 0 ]; then
+ exit $rc
+ fi
+
+ echo "Re-running test with changed cgroup root"
+ echo $$ > "/sys/fs/cgroup/nft-test1a/cgroup.procs" || exit 2
+ unshare --fork --pid --mount -n -C $0 "setup-done"
+ rc=$?
+else
+ want_inode=$(stat --printf=%i "/sys/fs/cgroup/nft-test1a/")
+ mount --bind /sys/fs/cgroup/nft-test1a/ /sys/fs/cgroup/
+
+ # /sys/fs/cgroup/ should now match "/sys/fs/cgroup/nft-test1a/cgroup.procs"
+ rootinode=$(stat --printf=%i "/sys/fs/cgroup/")
+
+ if [ $want_inode -ne $rootinode ] ;then
+ echo "Failed to remount cgroupv2 fs, wanted inode $want_inode as root node, but got $rootinode"
+ exit 77
+ fi
+
+ do_initial_setup
+ run_test
+
+ umount /sys/fs/group/
+fi
+
+exit $rc
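Review bot: `umount /sys/fs/group/` in the `else` branch is a typo for `umount /sys/fs/cgroup/`; the script has no `set -e` and ends with `exit $rc`, so the failing umount is never noticed — the bind mount presumably disappears with the unshared mount namespace anyway, but as written the line does nothing. In test_counters, `grep -q "packets $t1a"` also matches `packets 10`, `packets 11` and so on; anchoring on the next field, `grep -q "packets $t1a bytes"`, keeps the expected count exact (same for the `$t1a2a` line). The failure message in the same function reads `fur subtest` rather than `for subtest`.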
diff --git a/tests/shell/testcases/packetpath/dumps/cgroupv2.nodump b/tests/shell/testcases/packetpath/dumps/cgroupv2.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/cgroupv2.nodump diff --git a/tests/shell/testcases/packetpath/dumps/flowtables.nodump b/tests/shell/testcases/packetpath/dumps/flowtables.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/flowtables.nodump diff --git a/tests/shell/testcases/packetpath/dumps/payload.nodump b/tests/shell/testcases/packetpath/dumps/payload.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/payload.nodump diff --git a/tests/shell/testcases/packetpath/dumps/policy.json-nft b/tests/shell/testcases/packetpath/dumps/policy.json-nft new file mode 100644 index 00000000..26e8a052 --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/policy.json-nft 
@@ -0,0 +1,121 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "underflow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-reply" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.2" + } + }, + { + "counter": { + "packets": 3, + "bytes": 252 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "underflow" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/policy.nft b/tests/shell/testcases/packetpath/dumps/policy.nft new file mode 100644 index 00000000..e625ea6c --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/policy.nft @@ -0,0 +1,11 @@ +table inet filter { + chain underflow { + } + + chain input { + type filter hook input priority filter; policy drop; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter packets 3 bytes 252 accept + goto underflow + } +} 
diff --git a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft new file mode 100644 index 00000000..23f4b17f --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft 
@@ -0,0 +1,696 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "iface_index" + ], + "handle": 0, + "flags": "interval", + "elem": [ + { + "concat": [ + "127.0.0.1", + "lo" + ] + }, + { + "concat": [ + "127.0.0.2", + "lo" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + } + }, + "handle": 0, + "elem": [ + { + "concat": [ + "127.0.0.1", + "lo" + ] + }, + { + "concat": [ + "127.0.0.2", + "lo" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "s3", + "table": "t", + "type": "iface_index", + "handle": 0, + "elem": [ + "lo" + ] + } + }, + { + "set": { + "family": "ip", + "name": "s4", + "table": "t", + "type": "iface_index", + "handle": 0, + "flags": "interval", + "elem": [ + "lo" + ] + } + }, + { + "set": { + "family": "ip", + "name": "nomatch", + "table": "t", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + } + }, + "handle": 0, + "elem": [ + { + "concat": [ + "127.0.0.3", + "lo" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "nomatch2", + "table": "t", + "type": [ + "ipv4_addr", + "iface_index" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "127.0.0.2", + "90000" + ] + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + 
"protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "right": "@s" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "lo" + ] + }, + "right": "@s" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "lo" + ] + }, + "right": "@s" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "right": "@s2" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + 
"right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "lo" + ] + }, + "right": "@s2" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "lo" + ] + }, + "right": "@s2" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "lo" + ] + }, + "right": "@s" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "lo" + ] + }, + "right": "@s2" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + 
"right": "@s3" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "@s4" + } + }, + { + "counter": { + "packets": 1, + "bytes": 84 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "lo" + ] + }, + "right": "@nomatch" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "right": "@nomatch2" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/set_lookups.nft b/tests/shell/testcases/packetpath/dumps/set_lookups.nft new file mode 100644 index 00000000..7566f557 --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/set_lookups.nft 
@@ -0,0 +1,51 @@ +table ip t { + set s { + type ipv4_addr . iface_index + flags interval + elements = { 127.0.0.1 . "lo", + 127.0.0.2 . "lo" } + } + + set s2 { + typeof ip saddr . iif + elements = { 127.0.0.1 . "lo", + 127.0.0.2 . "lo" } + } + + set s3 { + type iface_index + elements = { "lo" } + } + + set s4 { + type iface_index + flags interval + elements = { "lo" } + } + + set nomatch { + typeof ip saddr . iif + elements = { 127.0.0.3 . "lo" } + } + + set nomatch2 { + type ipv4_addr . iface_index + elements = { 127.0.0.2 . 90000 } + } + + chain c { + type filter hook input priority filter; policy accept; + icmp type echo-request ip saddr . iif @s counter packets 1 bytes 84 + icmp type echo-request ip saddr . "lo" @s counter packets 1 bytes 84 + icmp type echo-request ip saddr . "lo" @s counter packets 1 bytes 84 + icmp type echo-request ip saddr . iif @s2 counter packets 1 bytes 84 + icmp type echo-request ip saddr . "lo" @s2 counter packets 1 bytes 84 + icmp type echo-request ip saddr . "lo" @s2 counter packets 1 bytes 84 + icmp type echo-request ip daddr . "lo" @s counter packets 1 bytes 84 + icmp type echo-request ip daddr . "lo" @s2 counter packets 1 bytes 84 + icmp type echo-request iif @s3 counter packets 1 bytes 84 + icmp type echo-request iif @s4 counter packets 1 bytes 84 + ip daddr . "lo" @nomatch counter packets 0 bytes 0 drop + ip daddr . iif @nomatch2 counter packets 0 bytes 0 drop + } +} diff --git a/tests/shell/testcases/packetpath/dumps/tcp_options.nodump b/tests/shell/testcases/packetpath/dumps/tcp_options.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/tcp_options.nodump diff --git a/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft b/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft new file mode 100644 index 00000000..e1367cc1 --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft 
@@ -0,0 +1,168 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "nftrace" + } + }, + "value": 1 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "::1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/packetpath/dumps/tcp_reset.nft b/tests/shell/testcases/packetpath/dumps/tcp_reset.nft new file mode 100644 index 00000000..fb3df1af --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/tcp_reset.nft @@ -0,0 +1,13 @@ +table inet filter { + chain input { + type filter hook input priority filter; policy accept; + meta nftrace set 1 + ip daddr 127.0.0.1 tcp dport 5555 reject with tcp reset + ip6 daddr ::1 tcp dport 5555 reject with tcp reset + tcp dport 5555 counter packets 0 bytes 0 + } + + chain output { + type filter hook output priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump b/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump diff --git a/tests/shell/testcases/packetpath/dumps/vlan_mangling.nodump b/tests/shell/testcases/packetpath/dumps/vlan_mangling.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/vlan_mangling.nodump diff --git a/tests/shell/testcases/packetpath/dumps/vlan_qinq.nodump b/tests/shell/testcases/packetpath/dumps/vlan_qinq.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/vlan_qinq.nodump diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables new file mode 100755 index 00000000..b68c5dd4 --- /dev/null +++ b/tests/shell/testcases/packetpath/flowtables 
@@ -0,0 +1,122 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat) +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +rnd=$(mktemp -u XXXXXXXX) +R="flowtable-router-$rnd" +C="flowtable-client-$rnd" +S="flowtbale-server-$rnd" + +cleanup() +{ + for i in $R $C $S;do + kill $(ip netns pid $i) 2>/dev/null + ip netns del $i + done +} +trap cleanup EXIT + +assert_pass() +{ + local ret=$? + if [ $ret != 0 ] + then + echo "FAIL: ${@}" + ip netns exec $R cat /proc/net/nf_conntrack + exit 1 + else + echo "PASS: ${@}" + fi +} +assert_fail() +{ + local ret=$? + if [ $ret == 0 ] + then + echo "FAIL: ${@}" + ip netns exec $R cat /proc/net/nf_conntrack + exit 1 + else + echo "PASS: ${@}" + fi +} + +ip netns add $R +ip netns add $S +ip netns add $C + +ip link add s_r netns $S type veth peer name r_s netns $R +ip netns exec $S ip link set s_r up +ip netns exec $R ip link set r_s up +ip link add c_r netns $C type veth peer name r_c netns $R +ip netns exec $R ip link set r_c up +ip netns exec $C ip link set c_r up + +ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r +ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r +ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s +ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c +ip netns exec $R sysctl -wq net.ipv6.conf.all.forwarding=1 +ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r +ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r +ip netns exec $S ethtool -K s_r tso off +ip netns exec $C ethtool -K c_r tso off +sleep 3 + +ip netns exec $C ping -q -6 2001:db8:ffff:22::1 -c1 +assert_pass "topo initialization" + +ip netns exec $R nft -f - <<EOF +table ip6 filter { + flowtable f1 { + hook ingress priority -100 + devices = { r_c, r_s } + } + + chain forward { + type filter hook forward priority filter; policy accept; + ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 
0 bytes 0 + ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop + tcp flags fin,rst counter packets 0 bytes 0 accept + meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept + ip6 nexthdr tcp counter packets 0 bytes 0 log drop + } +} +EOF +assert_pass "apply nft ruleset" + +if [ ! -r /proc/net/nf_conntrack ] +then + echo "E: nf_conntrack unreadable, skipping" >&2 + exit 77 +fi + +ip netns exec $R sysctl -wq net.netfilter.nf_flowtable_tcp_timeout=5 +assert_pass "set net.netfilter.nf_flowtable_tcp_timeout=5" + +ip netns exec $R sysctl -wq net.netfilter.nf_conntrack_tcp_timeout_established=86400 +assert_pass "set net.netfilter.nf_conntrack_tcp_timeout_established=86400" + +# A trick to control the timing to send a packet +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/socat-$rnd,ignoreeof & +sleep 1 +ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' & +sleep 1 +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ; assert_pass "send a packet" +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_pass "check [OFFLOAD] tag" +sleep 6 +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_fail "CT OFFLOAD timeout, back to the classical path" +ip netns exec $R grep -q '863[89][0-9]' /proc/net/nf_conntrack; assert_pass "check timeout adopt nf_conntrack_tcp_timeout_established" +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ; assert_pass "send a packet" +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_pass "packet detected, back to the OFFLOAD path" + +i=3; while ((i--)) +do + sleep 3 + ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd; assert_pass "send a packet" + sleep 3 + ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack + assert_pass "Traffic seen in 5s (nf_flowtable_tcp_timeout), should stay in OFFLOAD" +done +exit 0 
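Review bot: `cleanup()` kills the namespaces' processes and deletes the namespaces but never removes `/tmp/socat-$rnd` and `/tmp/pipefile-$rnd`, so every run leaves two files behind in the shared `/tmp`, and `mktemp -u` only generates a name without reserving it, so the `GOPEN:` side can collide with a pre-existing file of that name. Add `rm -f -- "/tmp/socat-$rnd" "/tmp/pipefile-$rnd"` after the loop in `cleanup`, or create both paths under a `mktemp -d` directory that the trap removes. Unrelated, the server namespace is named `flowtbale-server-$rnd` (typo for `flowtable`), harmless but confusing when listing namespaces during a failed run.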
diff --git a/tests/shell/testcases/packetpath/match_l4proto b/tests/shell/testcases/packetpath/match_l4proto new file mode 100755 index 00000000..e61524e9 --- /dev/null +++ b/tests/shell/testcases/packetpath/match_l4proto 
@@ -0,0 +1,150 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat) + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1payload-$rnd" +ns2="nft2payload-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +run_test() +{ + ns1_addr=$2 + ns2_addr=$3 + cidr=$4 + + # socat needs square brackets, ie. [abcd::2] + if [ $1 -eq 6 ]; then + nsx1_addr="["$ns1_addr"]" + nsx2_addr="["$ns2_addr"]" + else + nsx1_addr="$ns1_addr" + nsx2_addr="$ns2_addr" + fi + + ip netns add "$ns1" || exit 111 + ip netns add "$ns2" || exit 111 + + ip -net "$ns1" link set lo up + ip -net "$ns2" link set lo up + + ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2 + + ip -net "$ns1" link set veth0 up + ip -net "$ns2" link set veth0 up + ip -net "$ns1" addr add $ns1_addr/$cidr dev veth0 + ip -net "$ns2" addr add $ns2_addr/$cidr dev veth0 + + sleep 5 + +RULESET="table netdev payload_netdev { + counter ingress {} + counter ingress_2 {} + counter egress {} + counter egress_2 {} + + chain ingress { + type filter hook ingress device veth0 priority 0; + udp dport 7777 counter name ingress + meta l4proto udp counter name ingress_2 + } + + chain egress { + type filter hook egress device veth0 priority 0; + udp dport 7777 counter name egress + meta l4proto udp counter name egress_2 + } +}" + + ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 + + ip netns exec "$ns1" bash -c "echo 'A' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'A' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec 
"$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + + ip netns exec "$ns1" $NFT list ruleset + + ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress_2 | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress_2| grep "packets 5" > /dev/null || exit 1 + + # + # ... next stage + # + ip netns exec "$ns1" $NFT flush ruleset + + # + # bridge + # + + ip -net "$ns1" addr del $ns1_addr/$cidr dev veth0 + + ip -net "$ns1" link add name br0 type bridge + ip -net "$ns1" link set veth0 master br0 + ip -net "$ns1" addr add $ns1_addr/$cidr dev br0 + ip -net "$ns1" link set up dev br0 + + sleep 5 + +RULESET="table bridge payload_bridge { + counter input {} + counter output {} + counter input_2 {} + counter output_2 {} + + chain in { + type filter hook input priority 0; + udp dport 7777 counter name input + meta l4proto udp counter name input_2 + } + + chain out { + type filter hook output priority 0; + udp dport 7777 counter name output + meta l4proto udp counter name output_2 + } +}" + + ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 + + ip netns exec "$ns1" bash -c "echo 'A' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAAA' | socat -u STDIN 
UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'A' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + + ip netns exec "$ns1" $NFT list ruleset + + ip netns exec "$ns1" $NFT list counter bridge payload_bridge input | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge input_2 | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge output | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge output_2 | grep "packets 5" > /dev/null || exit 1 +} + +run_test "4" "10.141.10.2" "10.141.10.3" "24" +cleanup +run_test "6" "abcd::2" "abcd::3" "64" +# trap calls cleanup diff --git a/tests/shell/testcases/packetpath/payload b/tests/shell/testcases/packetpath/payload new file mode 100755 index 00000000..1e6b5a51 --- /dev/null +++ b/tests/shell/testcases/packetpath/payload 
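Review bot: `run_test` assigns `ns1_addr`, `ns2_addr`, `cidr`, `nsx1_addr`, `nsx2_addr` and `RULESET` as globals although it is called twice; `local ns1_addr=$2 ns2_addr=$3 cidr=$4` plus `local nsx1_addr nsx2_addr RULESET` keeps the IPv6 run from inheriting state from the IPv4 run and makes the function self-contained. The eight counter checks all end in a bare `|| exit 1`, so a failure does not say which family, hook or counter was wrong; e.g. `... | grep -q "packets 5" || { echo "FAIL: ingress counter (v$1)" >&2; exit 1; }`. Quoting is also inconsistent: `$ns1`/`$ns2` are quoted everywhere except in `ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2`, and `$ns1_addr/$cidr` is never quoted; the same pattern recurs in payload, vlan_8021ad_tag, vlan_mangling and vlan_qinq.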
@@ -0,0 +1,252 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat) + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1payload-$rnd" +ns2="nft2payload-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +run_test() +{ + ns1_addr=$2 + ns2_addr=$3 + cidr=$4 + mode=$5 + + case $mode in + "udp") + l4proto="udp" + udp_checksum="udp checksum != 0" + udp_zero_checksum="" + ;; + "udp-zero-checksum") + l4proto="udp" + udp_checksum="udp checksum 0" + udp_zero_checksum="udp checksum set 0" + ;; + "tcp") + l4proto="tcp" + udp_checksum="" + udp_zero_checksum="" + ;; + *) + echo "unexpected, incorrect mode" + exit 0 + esac + + # socat needs square brackets, ie. [abcd::2] + if [ $1 -eq 6 ]; then + nsx1_addr="["$ns1_addr"]" + nsx2_addr="["$ns2_addr"]" + else + nsx1_addr="$ns1_addr" + nsx2_addr="$ns2_addr" + fi + + ip netns add "$ns1" || exit 111 + ip netns add "$ns2" || exit 111 + + ip -net "$ns1" link set lo up + ip -net "$ns2" link set lo up + + ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2 + + ip -net "$ns1" link set veth0 up + ip -net "$ns2" link set veth0 up + ip -net "$ns1" addr add $ns1_addr/$cidr dev veth0 + ip -net "$ns2" addr add $ns2_addr/$cidr dev veth0 + + sleep 3 + +RULESET="table netdev payload_netdev { + counter ingress {} + counter egress {} + counter mangle_ingress {} + counter mangle_egress {} + counter mangle_ingress_match {} + counter mangle_egress_match {} + + chain ingress { + type filter hook ingress device veth0 priority 0; + $udp_zero_checksum + $l4proto dport 7777 counter name ingress + $l4proto dport 7778 $l4proto dport set 7779 $udp_checksum counter name mangle_ingress + $l4proto dport 7779 counter name mangle_ingress_match + } + + chain egress { + type filter hook egress device veth0 priority 0; + $udp_zero_checksum + $l4proto dport 8887 counter name egress + $l4proto dport 8888 $l4proto dport set 8889 $udp_checksum counter name mangle_egress + 
$l4proto dport 8889 counter name mangle_egress_match + } +} + +table inet payload_inet { + counter input {} + counter output {} + counter mangle_input {} + counter mangle_output {} + counter mangle_input_match {} + counter mangle_output_match {} + + chain in { + type filter hook input priority 0; + $udp_zero_checksum + $l4proto dport 7770 counter name input + $l4proto dport 7771 $l4proto dport set 7772 $udp_checksum counter name mangle_input + $l4proto dport 7772 counter name mangle_input_match + } + + chain out { + type filter hook output priority 0; + $udp_zero_checksum + $l4proto dport 8880 counter name output + $l4proto dport 8881 $l4proto dport set 8882 $udp_checksum counter name mangle_output + $l4proto dport 8882 counter name mangle_output_match + } +}" + + ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 + + case $l4proto in + "tcp") + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8887,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8888,connect-timeout=4 < /dev/null > /dev/null + + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8880,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8881,connect-timeout=4 < /dev/null > /dev/null + + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7777,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7778,connect-timeout=4 < /dev/null > /dev/null + + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7770,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7771,connect-timeout=4 < /dev/null > /dev/null + ;; + "udp") + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8887 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8888 > /dev/null" + + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8880 > /dev/null" + ip netns exec "$ns1" bash -c "echo 
'AA' | socat -u STDIN UDP:$nsx2_addr:8881 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7778 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7770 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7771 > /dev/null" + ;; + esac + + ip netns exec "$ns1" $NFT list ruleset + + ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_ingress | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_ingress_match | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_egress | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_egress_match | grep -q "packets 0" && exit 1 + + ip netns exec "$ns1" $NFT list counter inet payload_inet input | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_input | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_input_match | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet output | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_output | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_output_match | grep -q "packets 0" && exit 1 + + # + # ... 
next stage + # + + ip netns exec "$ns1" $NFT flush ruleset + + # + # bridge + # + + ip -net "$ns1" addr del $ns1_addr/$cidr dev veth0 + + ip -net "$ns1" link add name br0 type bridge + ip -net "$ns1" link set veth0 master br0 + ip -net "$ns1" addr add $ns1_addr/$cidr dev br0 + ip -net "$ns1" link set up dev br0 + + sleep 3 + +RULESET="table bridge payload_bridge { + counter input {} + counter output {} + counter mangle_input {} + counter mangle_output {} + counter mangle_input_match {} + counter mangle_output_match {} + + chain in { + type filter hook input priority 0; + $udp_zero_checksum + $l4proto dport 7770 counter name input + $l4proto dport 7771 $l4proto dport set 7772 $udp_checksum counter name mangle_input + $l4proto dport 7772 counter name mangle_input_match + } + + chain out { + type filter hook output priority 0; + $udp_zero_checksum + $l4proto dport 8880 counter name output + $l4proto dport 8881 $l4proto dport set 8882 $udp_checksum counter name mangle_output + $l4proto dport 8882 counter name mangle_output_match + } +}" + + ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 + + case $l4proto in + "tcp") + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8880,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8881,connect-timeout=4 < /dev/null > /dev/null + + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7770,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7771,connect-timeout=4 < /dev/null > /dev/null + ;; + "udp") + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8880 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8881 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7770 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7771 > /dev/null" + ;; + esac + + ip netns exec "$ns1" $NFT list ruleset + + ip netns exec 
"$ns1" $NFT list counter bridge payload_bridge input | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_input | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_input_match | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge output | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_output | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_output_match | grep -q "packets 0" && exit 1 +} + +run_test "4" "10.141.10.2" "10.141.10.3" "24" "tcp" +cleanup +run_test 6 "abcd::2" "abcd::3" "64" "tcp" +cleanup +run_test "4" "10.141.10.2" "10.141.10.3" "24" "udp" +cleanup +run_test 6 "abcd::2" "abcd::3" "64" "udp" +cleanup +run_test "4" "10.141.10.2" "10.141.10.3" "24" "udp-zero-checksum" +cleanup +run_test 6 "abcd::2" "abcd::3" "64" "udp-zero-checksum" +# trap calls cleanup +exit 0 diff --git a/tests/shell/testcases/packetpath/policy b/tests/shell/testcases/packetpath/policy new file mode 100755 index 00000000..0bb42a54 --- /dev/null +++ b/tests/shell/testcases/packetpath/policy 
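Review bot: Every positive check in `run_test` has the shape `ip netns exec "$ns1" $NFT list counter ... | grep -q "packets 0" && exit 1`, which only fails when the listing succeeds and shows zero; if `nft list counter` itself fails (wrong table or counter name, namespace gone), grep reads empty input, does not match, and the test passes vacuously. The same shape is used in tcp_options, vlan_mangling and vlan_qinq. Capture the listing first and fail on a non-zero status, for instance through the helper sketched below, used as `check_nonzero netdev payload_netdev ingress`. Separately, the `*)` arm of `case $mode` prints "unexpected, incorrect mode" and then `exit 0`, which reports a caller bug as a passed test; that should be `exit 1`.
```shell
check_nonzero() {
  # $@: family, table and counter name as accepted by 'nft list counter';
  # fails the test if the listing fails or the counter is still at zero.
  local out
  out=$(ip netns exec "$ns1" $NFT list counter "$@") || exit 1
  grep -q "packets 0" <<<"$out" && exit 1
  return 0
}
# … unchanged: run_test body, each 'list counter ... | grep -q "packets 0" && exit 1' replaced by a check_nonzero call …
```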
@@ -0,0 +1,42 @@ +#!/bin/bash + +ip link set lo up + +$NFT -f - <<EOF +table inet filter { + chain underflow { } + + chain input { + type filter hook input priority filter; policy accept; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter accept + goto underflow + } +} +EOF +[ $? -ne 0 ] && exit 1 + +ping -q -c 1 127.0.0.2 >/dev/null || exit 2 + +# should work, polict is accept. +ping -q -c 1 127.0.0.1 >/dev/null || exit 1 + +$NFT -f - <<EOF +table inet filter { + chain input { + type filter hook input priority filter; policy drop; + } +} +EOF +[ $? -ne 0 ] && exit 1 + +$NFT list ruleset + +ping -W 1 -q -c 1 127.0.0.2 + +ping -q -c 1 127.0.0.2 >/dev/null || exit 2 + +# should fail, policy is set to drop +ping -W 1 -q -c 1 127.0.0.1 >/dev/null 2>&1 && exit 1 + +exit 0 diff --git a/tests/shell/testcases/packetpath/set_lookups b/tests/shell/testcases/packetpath/set_lookups new file mode 100755 index 00000000..85159858 --- /dev/null +++ b/tests/shell/testcases/packetpath/set_lookups 
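Review bot: The line `ping -W 1 -q -c 1 127.0.0.2` after `$NFT list ruleset` runs unchecked with its output left on stdout, directly before the checked `ping -q -c 1 127.0.0.2 >/dev/null || exit 2`; it reads as a debugging leftover and either needs a comment explaining why a warm-up ping is required or should be removed. The comment `# should work, polict is accept.` has a typo, `policy`. The second `nft -f` re-declares `chain input` with `policy drop` and no rules, yet the test then expects the 127.0.0.2 ping to still succeed; that presumably relies on the reload only updating the chain policy while keeping the `accept` rules from the first load, which deserves a comment such as `# reload only flips the policy; the accept rules from the first load remain`. The distinct `exit 2` for the 127.0.0.2 pings versus `exit 1` elsewhere is likewise undocumented.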
@@ -0,0 +1,66 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +$NFT -f /dev/stdin <<"EOF" +table ip t { + set s { + type ipv4_addr . iface_index + flags interval + elements = { 127.0.0.1 . 1 } + } + + set s2 { + typeof ip saddr . meta iif + elements = { 127.0.0.1 . 1 } + } + + set s3 { + type iface_index + elements = { "lo" } + } + + set s4 { + type iface_index + flags interval + elements = { "lo" } + } + + set nomatch { + typeof ip saddr . meta iif + elements = { 127.0.0.3 . 1 } + } + + set nomatch2 { + type ipv4_addr . iface_index + elements = { 127.0.0.2 . 90000 } + } + + chain c { + type filter hook input priority filter; + icmp type echo-request ip saddr . meta iif @s counter + icmp type echo-request ip saddr . 1 @s counter + icmp type echo-request ip saddr . "lo" @s counter + icmp type echo-request ip saddr . meta iif @s2 counter + icmp type echo-request ip saddr . 1 @s2 counter + icmp type echo-request ip saddr . "lo" @s2 counter + + icmp type echo-request ip daddr . "lo" @s counter + icmp type echo-request ip daddr . "lo" @s2 counter + + icmp type echo-request meta iif @s3 counter + icmp type echo-request meta iif @s4 counter + + ip daddr . 1 @nomatch counter drop + ip daddr . meta iif @nomatch2 counter drop + } +} +EOF + +$NFT add element t s { 127.0.0.2 . 1 } +$NFT add element t s2 { 127.0.0.2 . "lo" } + +ip link set lo up +ping -q -c 1 127.0.0.2 > /dev/null diff --git a/tests/shell/testcases/packetpath/tcp_options b/tests/shell/testcases/packetpath/tcp_options new file mode 100755 index 00000000..88c095ff --- /dev/null +++ b/tests/shell/testcases/packetpath/tcp_options 
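Review bot: The script has no comment saying what is asserted: under `set -e` it only fails if a command fails, and the real check is the counter values recorded in `dumps/set_lookups.nft` (`packets 1 bytes 84` for each rule that should match, `packets 0` for the two `nomatch` rules) after the single `ping -q -c 1 127.0.0.2`. A header such as `# Lookups in concatenated ipv4_addr . iface_index sets, with and without 'flags interval'; the dump file carries the expected counters` would make that explicit. It is also worth noting in a comment that the elements and keys deliberately spell the loopback interface both as `1` and as `"lo"` (`127.0.0.1 . 1` in the set, `127.0.0.2 . "lo"` via `add element`, `ip saddr . 1 @s` next to `ip saddr . "lo" @s`), so both spellings are exercised; this presumably assumes lo has ifindex 1, which is not stated anywhere.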
@@ -0,0 +1,50 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_tcp_options) +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat) + +ip link set lo up + +$NFT -f /dev/stdin <<EOF +table inet t { + counter nomatchc {} + counter sackpermc {} + counter maxsegc {} + counter nopc {} + + chain c { + type filter hook output priority 0; + tcp dport != 22345 accept + tcp flags & (fin | syn | rst | ack ) == syn tcp option 254 length ge 4 counter name nomatchc drop + tcp flags & (fin | syn | rst | ack ) == syn tcp option fastopen length ge 2 reset tcp option fastopen counter name nomatchc + tcp flags & (fin | syn | rst | ack ) == syn tcp option sack-perm missing counter name nomatchc + tcp flags & (fin | syn | rst | ack) == syn tcp option sack-perm exists counter name sackpermc + tcp flags & (fin | syn | rst | ack) == syn tcp option maxseg size gt 1400 counter name maxsegc + tcp flags & (fin | syn | rst | ack) == syn tcp option nop missing counter name nomatchc + tcp flags & (fin | syn | rst | ack) == syn tcp option nop exists counter name nopc + tcp flags & (fin | syn | rst | ack) == syn drop + } +} +EOF + +if [ $? -ne 0 ]; then + exit 1 +fi + +# This will fail (drop in output -> connect fails with eperm) +socat -u STDIN TCP:127.0.0.1:22345,connect-timeout=1 < /dev/null > /dev/null + +# can't validate via dump file, syn rexmit can cause counters to be > 1 in rare cases. + +$NFT list counter inet t nomatchc + +# nomatchc must be 0. +$NFT list counter inet t nomatchc | grep -q "packets 0" || exit 1 + +# these counters must not be 0. +for nz in sackpermc maxsegc nopc; do + $NFT list counter inet t $nz + $NFT list counter inet t $nz | grep -q "packets 0" && exit 1 +done + +exit 0 diff --git a/tests/shell/testcases/packetpath/tcp_reset b/tests/shell/testcases/packetpath/tcp_reset new file mode 100755 index 00000000..559260a3 --- /dev/null +++ b/tests/shell/testcases/packetpath/tcp_reset 
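Review bot: The `for nz in sackpermc maxsegc nopc` loop runs `$NFT list counter inet t $nz` twice per counter, once for the log and once for the verdict, so the printed value and the checked value come from different reads; capture once with `out=$($NFT list counter inet t "$nz") || exit 1`, `printf '%s\n' "$out"`, `grep -q "packets 0" <<<"$out" && exit 1`. The three rules feeding `nomatchc` (option 254 with length ≥ 4, a present `fastopen` option, a missing `sack-perm` or `nop`) are expected never to hit a locally generated SYN, while `sackpermc`, `maxsegc` and `nopc` are expected to be non-zero, but the ruleset does not say why those are safe assumptions; a short comment before the heredoc stating which options the test assumes a default SYN carries and which it assumes are absent would help a maintainer who sees `nomatchc` become non-zero.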
@@ -0,0 +1,31 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat) + +# regression check for kernel commit +# netfilter: nf_reject: init skb->dev for reset packet + +ip link set lo up + +$NFT -f - <<EOF +table inet filter { + chain input { + type filter hook input priority filter; policy accept; + meta nftrace set 1 + ip daddr 127.0.0.1 tcp dport 5555 reject with tcp reset + ip6 daddr ::1 tcp dport 5555 reject with tcp reset + tcp dport 5555 counter + } + chain output { + type filter hook output priority filter; policy accept; + # empty chain, so nf_hook_slow is called from ip_local_out. + } +} +EOF +[ $? -ne 0 ] && exit 1 + +socat -u STDIN TCP:127.0.0.1:5555,connect-timeout=2 < /dev/null > /dev/null +socat -u STDIN TCP:[::1]:5555,connect-timeout=2 < /dev/null > /dev/null + +$NFT list ruleset |grep -q 'counter packets 0 bytes 0' || exit 1 +exit 0 diff --git a/tests/shell/testcases/packetpath/vlan_8021ad_tag b/tests/shell/testcases/packetpath/vlan_8021ad_tag new file mode 100755 index 00000000..379a5710 --- /dev/null +++ b/tests/shell/testcases/packetpath/vlan_8021ad_tag 
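Review bot: The only assertion is `$NFT list ruleset |grep -q 'counter packets 0 bytes 0' || exit 1`, i.e. that the `tcp dport 5555 counter` rule placed after the two `reject with tcp reset` rules never saw a packet; it does not verify that a reset was sent, and the regression named in the header (`nf_reject: init skb->dev for reset packet`) presumably shows up on the kernel side rather than in this counter. A comment stating what the observable failure is, and that `meta nftrace set 1` and the empty `output` chain exist to force the reset through `nf_hook_slow`, would tell the next reader why the test looks the way it does; the in-ruleset remark `# empty chain, so nf_hook_slow is called from ip_local_out.` could be promoted into the script header. `[ $? -ne 0 ] && exit 1` after the heredoc can be written as `... <<EOF || exit 1` on the `$NFT -f -` line.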
@@ -0,0 +1,50 @@ +#!/bin/bash + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1ifname-$rnd" +ns2="nft2ifname-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +set -e + +ip netns add "$ns1" +ip netns add "$ns2" +ip -net "$ns1" link set lo up +ip -net "$ns2" link set lo up + +ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2 + +ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03 + +ip -net "$ns1" link add vlan123 link veth0 type vlan id 123 proto 802.1ad +ip -net "$ns2" link add vlan123 link veth0 type vlan id 123 proto 802.1ad + + +for dev in veth0 vlan123; do + ip -net "$ns1" link set $dev up + ip -net "$ns2" link set $dev up +done + +ip -net "$ns1" addr add 10.1.1.1/24 dev vlan123 +ip -net "$ns2" addr add 10.1.1.2/24 dev vlan123 + +ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF" +table netdev t { + chain c { + type filter hook ingress device veth0 priority filter; + ether saddr da:d3:00:01:02:03 ether type 8021ad vlan id 123 ip daddr 10.1.1.2 icmp type echo-request counter + } +} +EOF + +ip netns exec "$ns1" ping -c 1 10.1.1.2 + +ip netns exec "$ns2" $NFT list ruleset +ip netns exec "$ns2" $NFT list chain netdev t c | grep 'counter packets 1 bytes 84' diff --git a/tests/shell/testcases/packetpath/vlan_mangling b/tests/shell/testcases/packetpath/vlan_mangling new file mode 100755 index 00000000..3fc2ebb2 --- /dev/null +++ b/tests/shell/testcases/packetpath/vlan_mangling 
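Review bot: The test lacks a header comment stating what it checks; the ruleset and the final grep show that a netdev ingress chain on `veth0` must match an 802.1ad-tagged echo-request via `ether type 8021ad vlan id 123` from ns1's MAC and count exactly one packet (`counter packets 1 bytes 84`), so `# 802.1ad outer tag: ingress chain on veth0 must match 'ether type 8021ad vlan id 123' for the one echo-request sent from ns1` before the `ip netns add` lines would do. Because `set -e` is on, a failed `ping` aborts the script with ping's status before the counter is read, so a connectivity failure and a counter mismatch are reported the same way; `ip netns exec "$ns1" ping -c 1 10.1.1.2 || { echo "ping failed" >&2; exit 1; }` separates the two. The `ip link add veth0 netns $ns1 ... netns $ns2` line is the only place where `$ns1`/`$ns2` are unquoted.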
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress)
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+
+ip -net "$ns1" link add vlan123 link veth0 type vlan id 123
+ip -net "$ns2" link add vlan321 link veth0 type vlan id 321
+
+
+for dev in veth0 ; do
+ ip -net "$ns1" link set $dev up
+ ip -net "$ns2" link set $dev up
+done
+ip -net "$ns1" link set vlan123 up
+ip -net "$ns2" link set vlan321 up
+
+ip -net "$ns1" addr add 10.1.1.1/24 dev vlan123
+ip -net "$ns2" addr add 10.1.1.2/24 dev vlan321
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table netdev t {
+ chain in_update_vlan {
+ vlan type arp vlan id set 321 counter
+ ip saddr 10.1.1.1 icmp type echo-request vlan id set 321 counter
+ }
+
+ chain in {
+ type filter hook ingress device veth0 priority filter;
+ vlan pcp 0 counter
+ ether saddr da:d3:00:01:02:03 vlan id 123 jump in_update_vlan
+ }
+
+ chain out_update_vlan {
+ vlan type arp vlan id set 123 counter
+ ip daddr 10.1.1.1 icmp type echo-reply vlan id set 123 counter
+ vlan pcp set 6 counter
+ }
+
+ chain out {
+ type filter hook egress device veth0 priority filter;
+ ether daddr da:d3:00:01:02:03 vlan id 321 jump out_update_vlan
+ }
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.2
+
+set +e
+
+ip netns exec "$ns2" $NFT list ruleset
+ip netns exec "$ns2" $NFT list table netdev t | grep 'counter packets' | grep 'counter packets 0 bytes 0'
+if [ $? -eq 1 ]
+then
+ exit 0
+fi
+
+exit 1
diff --git a/tests/shell/testcases/packetpath/vlan_qinq b/tests/shell/testcases/packetpath/vlan_qinq
new file mode 100755
index 00000000..28655766
--- /dev/null
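Review bot: The closing check passes vacuously when the listing itself fails: after `set +e`, if `ip netns exec "$ns2" $NFT list table netdev t` exits non-zero or prints no counters at all, both greps in the pipeline exit 1, `[ $? -eq 1 ]` holds and the script reports success without having verified a single counter. Keep the listing's own status and require that counters were present before asserting that none is zero: `out=$(ip netns exec "$ns2" $NFT list table netdev t) || exit 1`, then `grep -q 'counter packets' <<<"$out" || exit 1`, then `grep -q 'counter packets 0 bytes 0' <<<"$out" && exit 1`, followed by the existing `exit 0`. The leading `grep 'counter packets'` stage in the current pipeline is redundant with the second grep and only serves to hide the upstream status, so it can go.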
+++ b/tests/shell/testcases/packetpath/vlan_qinq
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+
+ip -net "$ns1" link add link veth0 name vlan10 type vlan proto 802.1ad id 10
+ip -net "$ns1" link add link vlan10 name vlan10.100 type vlan proto 802.1q id 100
+
+ip -net "$ns2" link add link veth0 name vlan10 type vlan proto 802.1ad id 10
+ip -net "$ns2" link add link vlan10 name vlan10.100 type vlan proto 802.1q id 100
+
+for dev in veth0 vlan10 vlan10.100; do
+ ip -net "$ns1" link set $dev up
+ ip -net "$ns2" link set $dev up
+done
+
+ip -net "$ns1" addr add 10.1.1.1/24 dev vlan10.100
+ip -net "$ns2" addr add 10.1.1.2/24 dev vlan10.100
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table netdev t {
+ chain c1 {
+ type filter hook ingress device veth0 priority filter;
+ ether type 8021ad vlan id 10 vlan type 8021q vlan id 100 vlan type ip counter
+ }
+
+ chain c2 {
+ type filter hook ingress device vlan10 priority filter;
+ vlan id 100 ip daddr 10.1.1.2 counter
+ }
+
+ chain c3 {
+ type filter hook ingress device vlan10.100 priority filter;
+ ip daddr 10.1.1.2 counter
+ }
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.2
+ip netns exec "$ns2" $NFT list ruleset
+
+set +e
+
+ip netns exec "$ns2" $NFT list chain netdev t c1 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+ip netns exec "$ns2" $NFT list chain netdev t c2 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+ip netns exec "$ns2" $NFT list chain netdev t c3 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+exit 0
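Review bot: Each per-chain check, `... list chain netdev t c1 | grep 'counter packets 0 bytes 0'` followed by `[[ $? -eq 0 ]] && exit 1`, only fails when a zero counter is actually printed; `$?` is grep's status, so if the `nft list chain` stage fails for any reason grep sees empty input, exits 1, and the check is silently skipped, which under `set +e` makes the test pass without inspecting any counter. A positive assertion covers both cases and is shorter: `ip netns exec "$ns2" $NFT list chain netdev t c1 | grep -q 'counter packets [1-9]' || exit 1`, repeated for c2 and c3, failing both when the listing breaks and when the counter is zero. The rest of the script runs under `set -e`, so an earlier failure of the `nft -f` load or the ping already aborts the test; it is only this tail that loses that protection.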
diff --git a/tests/shell/testcases/parsing/dumps/describe.json-nft b/tests/shell/testcases/parsing/dumps/describe.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/describe.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/describe.nft b/tests/shell/testcases/parsing/dumps/describe.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/describe.nft diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft new file mode 100644 index 00000000..bf5dc65f --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft 
@@ -0,0 +1,4079 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } 
+ }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + 
"rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_POST_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + 
"handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": 
"nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_log", + 
"handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + 
"table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": 
"enp0s25" + } + }, + { + "goto": { + "target": "nat_POST_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", 
+ "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + 
"chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_IN_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_IN_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_OUT_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_OUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_deny", + 
"handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": 
"filter_FWDO_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home", + 
"handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_log", + "handle": 0 + } + }, + 
{ + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": { + "set": [ + "nd-router-advert", + "nd-neighbor-solicit" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv6" + } + }, + { + "match": { + "op": "==", + "left": { + "fib": { + "result": "oif", + "flags": [ + "saddr", + "iif" + ] + } + }, + "right": false + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + 
"left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "raw_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "raw_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "mangle_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "mangle_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_INPUT_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", 
+ "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_INPUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_IN_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_IN_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_OUT_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_OUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + 
"chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_IN_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_IN_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_FWDI_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDI_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_FWDO_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDO_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + 
"expr": [ + { + "jump": { + "target": "raw_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + 
"prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": 
"filter_FWDO_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 137 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "netbios-ns" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": 
"filter_IN_home", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "224.0.0.251" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 5353 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "ff02::fb" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 5353 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + 
"right": { + "range": [ + 1714, + 1764 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 1714, + 1764 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 137 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 138 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": 
{ + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 139 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 445 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_log" + 
} + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + 
"expr": [ + { + "jump": { + "target": "filter_IN_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_allow" + } + } + ] + } + }, + { + "rule": { + 
"family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_allow" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft new file mode 100644 index 00000000..15832752 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft 
@@ -0,0 +1,561 @@ +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table ip6 firewalld { + chain nat_PREROUTING { + type nat hook 
prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority raw + 10; policy accept; + icmpv6 type { nd-router-advert, 
nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES_SOURCE { + } + + chain raw_PREROUTING_ZONES { + iifname "enp0s25" goto raw_PRE_home + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority mangle + 10; policy accept; + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES_SOURCE { + } + + chain mangle_PREROUTING_ZONES { + iifname "enp0s25" goto mangle_PRE_home + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority filter + 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority filter + 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_INPUT_ZONES_SOURCE { + } + + chain filter_INPUT_ZONES { + iifname "enp0s25" goto filter_IN_home + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES_SOURCE { + } + + chain filter_FORWARD_IN_ZONES { + iifname "enp0s25" goto filter_FWDI_home + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES_SOURCE { + } + + chain filter_FORWARD_OUT_ZONES { + oifname "enp0s25" goto filter_FWDO_home + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain filter_IN_public { + jump filter_IN_public_log + jump filter_IN_public_deny 
+ jump filter_IN_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + } + + chain filter_FWDI_public { + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain raw_PRE_home { + jump raw_PRE_home_log + jump raw_PRE_home_deny + jump raw_PRE_home_allow + } + + chain raw_PRE_home_log { + } + + chain raw_PRE_home_deny { + } + + chain raw_PRE_home_allow { + udp dport 137 ct helper "netbios-ns" + } + + chain filter_IN_home { + jump filter_IN_home_log + jump filter_IN_home_deny + jump filter_IN_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_home_log { + } + + chain filter_IN_home_deny { + } + + chain filter_IN_home_allow { + tcp dport 22 ct state new,untracked accept + ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept + ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept + udp dport 1714-1764 ct state new,untracked accept + tcp dport 1714-1764 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + udp dport 137 ct state new,untracked accept + udp dport 138 ct 
state new,untracked accept + tcp dport 139 ct state new,untracked accept + tcp dport 445 ct state new,untracked accept + } + + chain filter_FWDI_home { + jump filter_FWDI_home_log + jump filter_FWDI_home_deny + jump filter_FWDI_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_home_log { + } + + chain filter_FWDI_home_deny { + } + + chain filter_FWDI_home_allow { + } + + chain mangle_PRE_home { + jump mangle_PRE_home_log + jump mangle_PRE_home_deny + jump mangle_PRE_home_allow + } + + chain mangle_PRE_home_log { + } + + chain mangle_PRE_home_deny { + } + + chain mangle_PRE_home_allow { + } + + chain filter_FWDO_home { + jump filter_FWDO_home_log + jump filter_FWDO_home_deny + jump filter_FWDO_home_allow + } + + chain filter_FWDO_home_log { + } + + chain filter_FWDO_home_deny { + } + + chain filter_FWDO_home_allow { + } + + chain raw_PRE_work { + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain filter_IN_work { + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + } + + chain filter_FWDI_work { + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } + + chain mangle_PRE_work_allow { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_log 
+ jump filter_FWDO_work_deny
+ jump filter_FWDO_work_allow
+ }
+
+ chain filter_FWDO_work_log {
+ }
+
+ chain filter_FWDO_work_deny {
+ }
+
+ chain filter_FWDO_work_allow {
+ }
+}
diff --git a/tests/shell/testcases/parsing/dumps/log.json-nft b/tests/shell/testcases/parsing/dumps/log.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/log.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/parsing/dumps/log.nft b/tests/shell/testcases/parsing/dumps/log.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/log.nft
diff --git a/tests/shell/testcases/parsing/dumps/octal.json-nft b/tests/shell/testcases/parsing/dumps/octal.json-nft
new file mode 100644
index 00000000..546cc597
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/octal.json-nft
@@ -0,0 +1,11 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/parsing/dumps/octal.nft b/tests/shell/testcases/parsing/dumps/octal.nft
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/octal.nft
diff --git a/tests/shell/testcases/parsing/large_rule_pipe b/tests/shell/testcases/parsing/large_rule_pipe
new file mode 100755
index 00000000..b6760c01
--- /dev/null
+++ b/tests/shell/testcases/parsing/large_rule_pipe
@@ -0,0 +1,571 @@ +#!/bin/bash + +set -e + +RULESET="#!/sbin/nft -f +flush ruleset; +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority -90; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority 110; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table ip6 
firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority -90; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority 110; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority -290; policy accept; + 
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES_SOURCE { + } + + chain raw_PREROUTING_ZONES { + iifname "enp0s25" goto raw_PRE_home + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority -140; policy accept; + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES_SOURCE { + } + + chain mangle_PREROUTING_ZONES { + iifname "enp0s25" goto mangle_PRE_home + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + + chain filter_INPUT_ZONES_SOURCE { + } + + chain filter_INPUT_ZONES { + iifname "enp0s25" goto filter_IN_home + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES_SOURCE { + } + + chain filter_FORWARD_IN_ZONES { + iifname "enp0s25" goto filter_FWDI_home + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES_SOURCE { + } + + chain filter_FORWARD_OUT_ZONES { + oifname "enp0s25" goto filter_FWDO_home + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain filter_IN_public { + jump filter_IN_public_log + jump 
filter_IN_public_deny + jump filter_IN_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport ssh ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + } + + chain filter_FWDI_public { + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain raw_PRE_home { + jump raw_PRE_home_log + jump raw_PRE_home_deny + jump raw_PRE_home_allow + } + + chain raw_PRE_home_log { + } + + chain raw_PRE_home_deny { + } + + chain raw_PRE_home_allow { + udp dport netbios-ns ct helper "netbios-ns" + } + + chain filter_IN_home { + jump filter_IN_home_log + jump filter_IN_home_deny + jump filter_IN_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_home_log { + } + + chain filter_IN_home_deny { + } + + chain filter_IN_home_allow { + tcp dport ssh ct state new,untracked accept + ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept + ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept + udp dport 1714-1764 ct state new,untracked accept + tcp dport 1714-1764 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + udp dport 
netbios-ns ct state new,untracked accept + udp dport netbios-dgm ct state new,untracked accept + tcp dport netbios-ssn ct state new,untracked accept + tcp dport microsoft-ds ct state new,untracked accept + } + + chain filter_FWDI_home { + jump filter_FWDI_home_log + jump filter_FWDI_home_deny + jump filter_FWDI_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_home_log { + } + + chain filter_FWDI_home_deny { + } + + chain filter_FWDI_home_allow { + } + + chain mangle_PRE_home { + jump mangle_PRE_home_log + jump mangle_PRE_home_deny + jump mangle_PRE_home_allow + } + + chain mangle_PRE_home_log { + } + + chain mangle_PRE_home_deny { + } + + chain mangle_PRE_home_allow { + } + + chain filter_FWDO_home { + jump filter_FWDO_home_log + jump filter_FWDO_home_deny + jump filter_FWDO_home_allow + } + + chain filter_FWDO_home_log { + } + + chain filter_FWDO_home_deny { + } + + chain filter_FWDO_home_allow { + } + + chain raw_PRE_work { + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain filter_IN_work { + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport ssh ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + } + + chain filter_FWDI_work { + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } 
+ + chain mangle_PRE_work_allow { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_log + jump filter_FWDO_work_deny + jump filter_FWDO_work_allow + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } +}" + +( echo "flush ruleset;"; echo "${RULESET}" ) | $NFT -f - + +exit 0 diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0 index c3329af5..18dc4a9f 100755 --- a/tests/shell/testcases/rule_management/0004replace_0 +++ b/tests/shell/testcases/rule_management/0004replace_0 @@ -6,5 +6,9 @@ set -e $NFT add table t $NFT add chain t c -$NFT add rule t c accept # should have handle 2 -$NFT replace rule t c handle 2 drop +$NFT 'add set t s1 { type ipv4_addr; }' +$NFT 'add set t s2 { type ipv4_addr; flags interval; }' +$NFT add rule t c accept # should have handle 4 +$NFT replace rule t c handle 4 drop +$NFT replace rule t c handle 4 ip saddr { 1.1.1.1, 2.2.2.2 } +$NFT replace rule t c handle 4 ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 } diff --git a/tests/shell/testcases/rule_management/0010replace_0 b/tests/shell/testcases/rule_management/0010replace_0 index 251cebb2..cd69a89d 100755 --- a/tests/shell/testcases/rule_management/0010replace_0 +++ b/tests/shell/testcases/rule_management/0010replace_0 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # test for kernel commit ca08987885a147643817d02bf260bc4756ce8cd4 # ("netfilter: nf_tables: deactivate expressions in rule replecement routine") diff --git a/tests/shell/testcases/rule_management/0011destroy_0 b/tests/shell/testcases/rule_management/0011destroy_0 deleted file mode 100755 index 895c24a4..00000000 --- a/tests/shell/testcases/rule_management/0011destroy_0 +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -set -e -$NFT add table t -$NFT add chain t c -$NFT insert rule t c accept # should have handle 2 - -$NFT destroy rule t c handle 2 
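Review bot: The `echo "flush ruleset;"` prepended in the subshell before `$NFT -f -` duplicates the `flush ruleset;` that `RULESET` itself already carries on its second line, so the flush is sent twice; dropping the extra echo (`echo "${RULESET}" | $NFT -f -`) or removing the literal from the string keeps one source of truth. The pipeline's exit status is nft's, so `set -e` does abort on a load failure as intended, which makes the trailing `exit 0` superfluous but harmless. Leaving `$NFT` unquoted matches the other testcases in this diff, where it presumably may expand to more than one word.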
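Review bot: The rule handle is hard-coded in the four `handle 4` lines and the `# should have handle 4` comment, so the test depends on the table's handle counter landing on exactly that value after the two new sets; the 0012destroy_0 change in this same diff instead reads the handle back with `$NFT -a -e insert rule ... | sed -n 's/.*handle \([0-9]*\)$/\1/p'`. Using the same pattern here, `handle=$($NFT -a -e add rule t c accept | sed -n 's/.*handle \([0-9]*\)$/\1/p')` followed by `$NFT replace rule t c handle "$handle" ...`, keeps the test from breaking the next time an object is added or reordered above the rule.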
diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0 index 8d230796..2004b17d 100755 --- a/tests/shell/testcases/rule_management/0011reset_0 +++ b/tests/shell/testcases/rule_management/0011reset_0 @@ -1,7 +1,30 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_rule) + set -e +echo "loading ruleset with anonymous set" +$NFT -f - <<EOF +table t { + chain dns-nat-pre { + type nat hook prerouting priority filter; policy accept; + meta l4proto { tcp, udp } th dport 53 ip saddr 10.24.0.0/24 ip daddr != 10.25.0.1 counter packets 1000 bytes 1000 dnat to 10.25.0.1 + } +} +EOF + +echo "resetting ruleset with anonymous set" +$NFT reset rules +EXPECT='table ip t { + chain dns-nat-pre { + type nat hook prerouting priority filter; policy accept; + meta l4proto { tcp, udp } th dport 53 ip saddr 10.24.0.0/24 ip daddr != 10.25.0.1 counter packets 0 bytes 0 dnat to 10.25.0.1 + } +}' +$DIFF -u <(echo "$EXPECT") <($NFT list ruleset) +$NFT flush ruleset + echo "loading ruleset" $NFT -f - <<EOF table ip t { @@ -72,13 +95,6 @@ $DIFF -u <(echo "$EXPECT") <($NFT list ruleset) echo "resetting specific chain" EXPECT='table ip t { - set s { - type ipv4_addr - size 65535 - flags dynamic - counter - } - chain c2 { counter packets 3 bytes 13 accept counter packets 4 bytes 14 drop @@ -93,6 +109,7 @@ EXPECT='table ip t { size 65535 flags dynamic counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } } chain c { @@ -114,6 +131,7 @@ EXPECT='table ip t { size 65535 flags dynamic counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } } chain c { @@ -141,6 +159,7 @@ EXPECT='table ip t { size 65535 flags dynamic counter + elements = { 1.1.1.1 counter packets 1 bytes 11 } } chain c { diff --git a/tests/shell/testcases/rule_management/0012destroy_0 b/tests/shell/testcases/rule_management/0012destroy_0 index 1b61155e..a058150f 100755 --- a/tests/shell/testcases/rule_management/0012destroy_0 
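Review bot: The new here-document in the first hunk uses an unquoted `<<EOF` delimiter, so any `$` or backtick that later lands in the ruleset would be expanded by bash before nft parses it; since the body is meant literally, `$NFT -f - <<'EOF'` states that intent and matches the single-quoted `EXPECT='...'` string directly below it. The pre-existing `$NFT -f - <<EOF` visible as context further down has the same shape, so changing both keeps the file consistent.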
+++ b/tests/shell/testcases/rule_management/0012destroy_0 @@ -1,7 +1,14 @@ -#!/bin/bash +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) -set -e $NFT add table t $NFT add chain t c +# pass for non-existent rule $NFT destroy rule t c handle 3333 + +# successfully delete existing rule +handle=$($NFT -a -e insert rule t c accept | \ + sed -n 's/.*handle \([0-9]*\)$/\1/p') +$NFT destroy rule t c handle "$handle" diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft new file mode 100644 index 00000000..83dfee0d --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.json-nft @@ -0,0 +1,65 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft new file mode 100644 index 00000000..527d79d6 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + drop + accept + accept + } +} 
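Review bot: `handle=$($NFT -a -e insert rule t c accept | sed -n ...)` reports only sed's exit status, so if `$NFT insert` fails the assignment still succeeds under `-e`, `handle` is empty, and the script goes on to `destroy rule t c handle ""`, which then fails for the wrong reason; a guard such as `[ -n "$handle" ] || exit 1` after the assignment (or `set -o pipefail` near the top) pins the intended failure. Moving `-e` from a `set -e` line into the shebang also means it is lost if the test is ever invoked as `bash 0012destroy_0` rather than executed directly, so keeping `set -e` in the body is the more robust form.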
diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft new file mode 100644 index 00000000..b3808ce2 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft new file mode 100644 index 00000000..b76cd930 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft @@ -0,0 +1,6 @@ +table ip t { + chain c { + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft new file mode 100644 index 00000000..9216cabf --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.json-nft 
@@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "sport" + } + }, + "right": { + "set": [ + { + "range": [ + 3478, + 3497 + ] + }, + { + "range": [ + 16384, + 16387 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "masquerade": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft new file mode 100644 index 00000000..811cb738 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.json-nft 
@@ -0,0 +1,84 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s2" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "3.3.3.3", + "4.4.4.4" + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft index e20952ef..803c0deb 100644 --- a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft @@ -1,5 +1,14 @@ table ip t { + set s1 { + type ipv4_addr + } + + set s2 { + type ipv4_addr + flags interval + } + chain c { - drop + ip saddr @s2 ip daddr { 3.3.3.3, 4.4.4.4 } } } diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.json-nft 
@@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0011destroy_0.nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft index 1e0d1d60..1e0d1d60 100644 --- a/tests/shell/testcases/rule_management/dumps/0011destroy_0.nft +++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft new file mode 100644 index 00000000..5d0b7d06 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.json-nft 
@@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft new file mode 100644 index 00000000..1e0d1d60 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft @@ -0,0 +1,4 @@ +table ip t { + chain c { + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft new file mode 100644 index 00000000..e57dee79 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft 
@@ -0,0 +1,255 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic", + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 1, + "bytes": 11 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@s" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + 
"chain": "c", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t2", + "name": "c2", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "t2", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t2", + "chain": "c2", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft new file mode 100644 index 00000000..db64cdbc --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.json-nft @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/0011add_many_elements_0 b/tests/shell/testcases/sets/0011add_many_elements_0 index ba23f90f..c37b2f0d 100755 --- a/tests/shell/testcases/sets/0011add_many_elements_0 +++ b/tests/shell/testcases/sets/0011add_many_elements_0 @@ -3,6 +3,14 @@ # test adding many sets elements HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi + tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then 
@@ -30,3 +38,10 @@ add element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0 index 7e7beebd..64451604 100755 --- a/tests/shell/testcases/sets/0012add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0 @@ -3,6 +3,13 @@ # test adding and deleting many sets elements HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -31,3 +38,10 @@ delete element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0 index 5774317b..c0925dd5 100755 --- a/tests/shell/testcases/sets/0013add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0 
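Review bot: The skip decision at the end re-derives the condition from the magic number `255` (`if [ "$HOWMANY" != 255 ] ; then`) that is also hard-coded at the top of the file, so the two places can drift silently when one is edited; testing the same signal that reduced the count, `if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then`, or comparing against a named default such as `HOWMANY_FULL=255`, ties them together. The identical block is duplicated in 0012add_delete_many_elements_0, 0013add_delete_many_elements_0 and 0030add_many_elements_interval_0 in this diff, where the same change applies.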
@@ -3,6 +3,13 @@ # test adding and deleting many sets elements in two nft -f runs. HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then @@ -32,3 +39,10 @@ add element x y $(generate)" > $tmpfile $NFT -f $tmpfile echo "delete element x y $(generate)" > $tmpfile $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0020comments_0 b/tests/shell/testcases/sets/0020comments_0 index 44d451a8..1df38326 100755 --- a/tests/shell/testcases/sets/0020comments_0 +++ b/tests/shell/testcases/sets/0020comments_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_comment) + # Test that comments are added to set elements in standard sets. # Explicitly test bitmap backend set implementation. diff --git a/tests/shell/testcases/sets/0022type_selective_flush_0 b/tests/shell/testcases/sets/0022type_selective_flush_0 index 6062913b..48f6875b 100755 --- a/tests/shell/testcases/sets/0022type_selective_flush_0 +++ b/tests/shell/testcases/sets/0022type_selective_flush_0 @@ -16,7 +16,7 @@ $NFT -f - <<< "$RULESET" # Commands that should be invalid declare -a cmds=( - "flush set t m" "flush set t f" + "flush set t m" "flush map t s" "flush map t f" "flush meter t s" "flush meter t m" ) diff --git a/tests/shell/testcases/sets/0024synproxy_0 b/tests/shell/testcases/sets/0024synproxy_0 new file mode 100755 index 00000000..0c7da572 --- /dev/null +++ b/tests/shell/testcases/sets/0024synproxy_0 
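Review bot: Dropping `"flush set t f"` from the `cmds` array of commands that must be rejected is not explained anywhere in the hunk, so a reader can no longer tell whether flushing `f` through `flush set` is now expected to succeed or is simply covered elsewhere; a one-line comment above the array, e.g. `# "flush set t f" is no longer expected to fail — see <reason>`, keeps the intent of the test readable. The array's other entries are unchanged.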
@@ -0,0 +1,31 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_synproxy) + +# * creating valid named objects +# * referencing them from a valid rule + +RULESET=" +table inet x { + synproxy https-synproxy { + mss 1460 + wscale 7 + timestamp sack-perm + } + synproxy other-synproxy { + mss 1460 + wscale 5 + } + map test2 { + type ipv4_addr : synproxy + flags interval + elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } + chain y { + type filter hook input priority 0; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } +}" + +set -e +$NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/sets/0029named_ifname_dtype_0 b/tests/shell/testcases/sets/0029named_ifname_dtype_0 index 2dbcd22b..ea581406 100755 --- a/tests/shell/testcases/sets/0029named_ifname_dtype_0 +++ b/tests/shell/testcases/sets/0029named_ifname_dtype_0 @@ -40,6 +40,7 @@ EXPECTED="table inet t { chain c { iifname @s accept oifname @s accept + fib saddr oifname @s accept tcp dport . meta iifname @sc accept meta iifname . meta mark @nv accept } diff --git a/tests/shell/testcases/sets/0030add_many_elements_interval_0 b/tests/shell/testcases/sets/0030add_many_elements_interval_0 index 059ade9a..32a705bf 100755 --- a/tests/shell/testcases/sets/0030add_many_elements_interval_0 +++ b/tests/shell/testcases/sets/0030add_many_elements_interval_0 @@ -1,6 +1,13 @@ #!/bin/bash HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi tmpfile=$(mktemp) if [ ! -w $tmpfile ] ; then 
@@ -28,3 +35,10 @@ add element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0 index 3343529b..32375b9f 100755 --- a/tests/shell/testcases/sets/0034get_element_0 +++ b/tests/shell/testcases/sets/0034get_element_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + RC=0 check() { # (set, elems, expected) diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0 index 3097d077..d961ffd4 100755 --- a/tests/shell/testcases/sets/0036add_set_element_expiration_0 +++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0 @@ -1,15 +1,25 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_setelem_expiration) + set -e +drop_seconds() { + sed -E 's/m[0-9]*s([0-9]*ms)?/m/g' +} + RULESET="add table ip x +add set ip x y { type ipv4_addr; flags dynamic,timeout; } +add element ip x y { 1.1.1.1 timeout 30m expires 15m59s }" + +EXPECTED="add table ip x add set ip x y { type ipv4_addr; flags dynamic,timeout; } -add element ip x y { 1.1.1.1 timeout 30s expires 15s }" +add element ip x y { 1.1.1.1 timeout 30m expires 15m }" -test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation') +test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation' | drop_seconds) -if [ "$test_output" != "$RULESET" ] ; then - $DIFF -u <(echo "$test_output") <(echo "$RULESET") +if [ "$test_output" != "$EXPECTED" ] ; then + $DIFF -u <(echo "$test_output") <(echo "$EXPECTED") exit 1 fi 
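Review bot: `drop_seconds` carries no comment saying why the seconds are stripped before the comparison; a line such as `# expires counts down while the test runs, so only the minute part is stable enough to compare` (my reading of the change; adjust if the reason differs) would save the next reader a guess. The unanchored `s/m[0-9]*s([0-9]*ms)?/m/g` also rewrites any token containing `m<digits>s`, not just the expires value; anchoring on the field, e.g. `sed -E 's/(expires [0-9]+m)[0-9]+s([0-9]+ms)?/\1/g'`, limits it to the value in question. As before the change, the status of the `test_output=$(… | drop_seconds)` pipeline is sed's, so an nft failure surfaces only as a diff mismatch, not through `set -e`.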
diff --git a/tests/shell/testcases/sets/0038meter_list_0 b/tests/shell/testcases/sets/0038meter_list_0 index e9e0f6fb..7c37c1d8 100755 --- a/tests/shell/testcases/sets/0038meter_list_0 +++ b/tests/shell/testcases/sets/0038meter_list_0 @@ -14,7 +14,12 @@ RULESET=" " expected_output="table ip t { - meter m { + set s { + type ipv4_addr + size 256 + flags dynamic,timeout + } + set m { type ipv4_addr size 128 flags dynamic diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_0 b/tests/shell/testcases/sets/0043concatenated_ranges_0 index 11767373..a3dbf5bf 100755 --- a/tests/shell/testcases/sets/0043concatenated_ranges_0 +++ b/tests/shell/testcases/sets/0043concatenated_ranges_0 @@ -1,4 +1,7 @@ -#!/bin/sh -e +#!/bin/bash -e +# +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) # # 0043concatenated_ranges_0 - Add, get, list, timeout for concatenated ranges # @@ -14,12 +17,7 @@ # - delete them # - make sure they can't be deleted again -if [ "$(ps -o comm= $PPID)" = "run-tests.sh" ]; then - # Skip some permutations on a full test suite run to keep it quick - TYPES="ipv4_addr ipv6_addr ether_addr inet_service" -else - TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark" -fi +TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark" RULESPEC_ipv4_addr="ip saddr" ELEMS_ipv4_addr="192.0.2.1 198.51.100.0/25 203.0.113.0-203.0.113.129" @@ -147,7 +145,7 @@ for ta in ${TYPES}; do eval add_b=\$ADD_${tb} eval add_c=\$ADD_${tc} ${NFT} add element inet filter test \ - "{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}" + "{ ${add_a} . ${add_b} . ${add_c} timeout 2m${mapv}}" [ $(${NFT} list ${setmap} inet filter test | \ grep -c "${add_a} . ${add_b} . ${add_c}") -eq 1 ] 
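Review bot: `#!/bin/bash -e` places errexit in the shebang, where it is silently dropped if the file is ever run as `bash <file>` instead of being executed directly; the same shebang is introduced in 0043concatenated_ranges_1, 0044interval_overlap_0, 0044interval_overlap_1 and 0072destroy_0. The other new tests in this series (0024synproxy_0, 0073flat_interval_set) use `#!/bin/bash` followed by `set -e`, which behaves the same however the script is invoked.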
@@ -180,6 +178,10 @@ for ta in ${TYPES}; do continue fi + ${NFT} delete element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} ${mapv}}" + ${NFT} add element inet filter test \ + "{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}" sleep 1 [ $(${NFT} list ${setmap} inet filter test | \ grep -c "${add_a} . ${add_b} . ${add_c} ${mapv}") -eq 0 ] diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_1 b/tests/shell/testcases/sets/0043concatenated_ranges_1 index bab189c5..bb3bf6b2 100755 --- a/tests/shell/testcases/sets/0043concatenated_ranges_1 +++ b/tests/shell/testcases/sets/0043concatenated_ranges_1 @@ -1,7 +1,9 @@ -#!/bin/sh -e +#!/bin/bash -e # # 0043concatenated_ranges_1 - Insert and list subnets of different sizes +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + check() { $NFT add element "${1}" t s "{ ${2} . ${3} }" [ "$( $NFT list set "${1}" t s | grep -c "${2} . ${3}" )" = 1 ] diff --git a/tests/shell/testcases/sets/0044interval_overlap_0 b/tests/shell/testcases/sets/0044interval_overlap_0 index face90f2..b0f51cc8 100755 --- a/tests/shell/testcases/sets/0044interval_overlap_0 +++ b/tests/shell/testcases/sets/0044interval_overlap_0 @@ -1,4 +1,6 @@ -#!/bin/sh -e +#!/bin/bash -e +# +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) # # 0044interval_overlap_0 - Add overlapping and non-overlapping intervals # @@ -115,7 +117,11 @@ add_elements() { IFS=' ' for t in ${intervals_simple} switch ${intervals_concat}; do +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then [ "${t}" = "switch" ] && set="c" && continue +else + break +fi [ -z "${pass}" ] && pass="${t}" && continue [ -z "${interval}" ] && interval="${t}" && continue unset IFS @@ -146,7 +152,9 @@ add_elements() { $NFT add table t $NFT add set t s '{ type inet_service ; flags interval ; }' -$NFT add set t c '{ type inet_service . inet_service ; flags interval ; }' +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then + $NFT add set t c '{ type inet_service . inet_service ; flags interval ; }' +fi add_elements $NFT flush ruleset 
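Review bot: The element is now re-added with `timeout 1s` immediately before the existing `sleep 1`, so there is no margin between the element's expiry and the list that expects it gone; previously the 1s element had sat in the set through the get/list checks before the sleep. If expiry is checked at tick granularity this becomes a flaky spot, and `sleep 2` (or a 1s timeout with a longer sleep) would give headroom. The surrounding loop over type permutations starts outside the hunk.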
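Review bot: The new `if`/`else` runs on every iteration of `for t in ${intervals_simple} switch ${intervals_concat}`, so when `NFT_TEST_HAVE_pipapo` is not `y` the `break` fires on the first element and none of the simple intervals are added either; the unconditional `$NFT add set t s` in the following hunk suggests the intent was to stop only at `switch`. `[ "${t}" = "switch" ] && { [ "$NFT_TEST_HAVE_pipapo" = y ] || break; set="c"; continue; }` keeps the simple run and skips only the concatenated part. The added lines also sit at column 0 inside an indented loop body, which hides the control flow; add_elements begins before this hunk.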
@@ -155,7 +163,9 @@ estimate_timeout $NFT flush ruleset $NFT add table t $NFT add set t s "{ type inet_service ; flags interval,timeout; timeout ${timeout}s; gc-interval ${timeout}s; }" -$NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }" +if [ "$NFT_TEST_HAVE_pipapo" = y ] ; then + $NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }" +fi add_elements sleep $((timeout * 3 / 2)) diff --git a/tests/shell/testcases/sets/0044interval_overlap_1 b/tests/shell/testcases/sets/0044interval_overlap_1 index eeea1943..cdd0c844 100755 --- a/tests/shell/testcases/sets/0044interval_overlap_1 +++ b/tests/shell/testcases/sets/0044interval_overlap_1 @@ -1,4 +1,6 @@ -#!/bin/sh -e +#!/bin/bash -e +# +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) # # 0044interval_overlap_1 - Single-sized intervals can never overlap partially # diff --git a/tests/shell/testcases/sets/0046netmap_0 b/tests/shell/testcases/sets/0046netmap_0 index 60bda401..7533623e 100755 --- a/tests/shell/testcases/sets/0046netmap_0 +++ b/tests/shell/testcases/sets/0046netmap_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netmap) + EXPECTED="table ip x { chain y { type nat hook postrouting priority srcnat; policy accept; diff --git a/tests/shell/testcases/sets/0047nat_0 b/tests/shell/testcases/sets/0047nat_0 index 4e53b7b8..757605ee 100755 --- a/tests/shell/testcases/sets/0047nat_0 +++ b/tests/shell/testcases/sets/0047nat_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + EXPECTED="table ip x { map y { type ipv4_addr : interval ipv4_addr diff --git a/tests/shell/testcases/sets/0048set_counters_0 b/tests/shell/testcases/sets/0048set_counters_0 index e62d25df..95babdc9 100755 --- a/tests/shell/testcases/sets/0048set_counters_0 +++ b/tests/shell/testcases/sets/0048set_counters_0 
@@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + set -e EXPECTED="table ip x { diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0 index 1d512f7b..756afdc1 100755 --- a/tests/shell/testcases/sets/0049set_define_0 +++ b/tests/shell/testcases/sets/0049set_define_0 @@ -14,3 +14,15 @@ table inet filter { " $NFT -f - <<< "$EXPECTED" + +EXPECTED="define ip-block-4 = { 1.1.1.1 } + + create set inet filter ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = \$ip-block-4 + } +" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0051set_interval_counter_0 b/tests/shell/testcases/sets/0051set_interval_counter_0 index ea90e264..6e67a43c 100755 --- a/tests/shell/testcases/sets/0051set_interval_counter_0 +++ b/tests/shell/testcases/sets/0051set_interval_counter_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + set -e EXPECTED="table ip x { diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0 index 107bfb87..2aeba2c5 100755 --- a/tests/shell/testcases/sets/0059set_update_multistmt_0 +++ b/tests/shell/testcases/sets/0059set_update_multistmt_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + RULESET="table x { set y { type ipv4_addr diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0 index 6bd147c3..8e17444e 100755 --- a/tests/shell/testcases/sets/0060set_multistmt_0 +++ b/tests/shell/testcases/sets/0060set_multistmt_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + RULESET="table x { set y { type ipv4_addr diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1 index 1652668a..04ef047c 100755 --- a/tests/shell/testcases/sets/0060set_multistmt_1 
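Review bot: The second ruleset in 0049set_define_0 is stored in `EXPECTED` although nothing compares against it; it is only fed to `$NFT -f -`. Naming it `RULESET`, as 0024synproxy_0 and collapse_elem_0 do, says what it is, and a one-line comment such as `# a define may be referenced directly as the elements of a set` would record what this case covers.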
+++ b/tests/shell/testcases/sets/0060set_multistmt_1 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions) + RULESET="table x { set y { type ipv4_addr diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0 index 48d589fe..48aa6fce 100755 --- a/tests/shell/testcases/sets/0062set_connlimit_0 +++ b/tests/shell/testcases/sets/0062set_connlimit_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr) + set -e RULESET="table ip x { @@ -24,3 +26,6 @@ RULESET="table ip x { }" $NFT -f - <<< $RULESET + +$NFT flush set ip x est-connlimit +$NFT flush set ip x new-connlimit diff --git a/tests/shell/testcases/sets/0063set_catchall_0 b/tests/shell/testcases/sets/0063set_catchall_0 index faca56a1..edd015d0 100755 --- a/tests/shell/testcases/sets/0063set_catchall_0 +++ b/tests/shell/testcases/sets/0063set_catchall_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + set -e RULESET="table ip x { diff --git a/tests/shell/testcases/sets/0064map_catchall_0 b/tests/shell/testcases/sets/0064map_catchall_0 index 43685160..fd289372 100755 --- a/tests/shell/testcases/sets/0064map_catchall_0 +++ b/tests/shell/testcases/sets/0064map_catchall_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element) + set -e RULESET="table ip x { diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0 index 55cc0d4b..81621957 100755 --- a/tests/shell/testcases/sets/0067nat_concat_interval_0 +++ b/tests/shell/testcases/sets/0067nat_concat_interval_0 
@@ -1,21 +1,8 @@ #!/bin/bash -set -e - -EXPECTED="table ip nat { - map ipportmap { - type ipv4_addr : interval ipv4_addr . inet_service - flags interval - elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 } - } - chain prerouting { - type nat hook prerouting priority dstnat; policy accept; - ip protocol tcp dnat ip to ip saddr map @ipportmap - } -}" +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) -$NFT -f - <<< $EXPECTED -$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } +set -e EXPECTED="table ip nat { map ipportmap2 { diff --git a/tests/shell/testcases/sets/0067nat_interval_0 b/tests/shell/testcases/sets/0067nat_interval_0 new file mode 100755 index 00000000..c90203d0 --- /dev/null +++ b/tests/shell/testcases/sets/0067nat_interval_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +set -e + +EXPECTED="table ip nat { + map ipportmap { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 } + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr map @ipportmap + } +}" + +$NFT -f - <<< $EXPECTED +$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0 index 2cbc9868..e61010c7 100755 --- a/tests/shell/testcases/sets/0068interval_stack_overflow_0 +++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0 
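Review bot: In the new 0067nat_interval_0 the here-string `$NFT -f - <<< $EXPECTED` is unquoted, while the other new tests in this series (0024synproxy_0, 0073flat_interval_set) write `<<< "$RULESET"`; `$NFT -f - <<< "$EXPECTED"` keeps the files consistent and does not lean on bash's here-string expansion rules. The variable is also named EXPECTED although it is the input ruleset, not an expected output, so `RULESET` would be the clearer name.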
@@ -6,9 +6,18 @@ ruleset_file=$(mktemp) trap 'rm -f "$ruleset_file"' EXIT +HOWMANY=255 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=30 +fi + { echo 'define big_set = {' - for ((i = 1; i < 255; i++)); do + for ((i = 1; i < $HOWMANY; i++)); do for ((j = 1; j < 255; j++)); do echo "10.0.$i.$j," done @@ -27,3 +36,10 @@ table inet test68_table { EOF ( ulimit -s 400 && $NFT -f "$ruleset_file" ) + +if [ "$HOWMANY" != 255 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/sets/0072destroy_0 b/tests/shell/testcases/sets/0072destroy_0 new file mode 100755 index 00000000..9886a9b0 --- /dev/null +++ b/tests/shell/testcases/sets/0072destroy_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) + +$NFT add table x + +# pass for non-existent set +$NFT destroy set x s + +# successfully delete existing set +$NFT add set x s '{type ipv4_addr; size 2;}' +$NFT destroy set x s diff --git a/tests/shell/testcases/sets/0073flat_interval_set b/tests/shell/testcases/sets/0073flat_interval_set new file mode 100755 index 00000000..0630595f --- /dev/null +++ b/tests/shell/testcases/sets/0073flat_interval_set @@ -0,0 +1,11 @@ +#!/bin/bash + +set -e + +EXPECTED="flush ruleset +add table inet filter +add map inet filter testmap { type ipv4_addr : counter; flags interval;} +add counter inet filter TEST +add element inet filter testmap { 192.168.0.0/24 : \"TEST\" }" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0074nested_interval_set b/tests/shell/testcases/sets/0074nested_interval_set new file mode 100755 index 00000000..e7f65fc5 --- /dev/null 
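Review bot: `for ((i = 1; i < $HOWMANY; i++))` expands `$HOWMANY` inside an arithmetic context where the bare name already works; `i < HOWMANY` is the idiom, and the same applies to the two loops and the `$RANDOM` expression in automerge_0. A short comment on why 30 was chosen for the reduced run (presumably to stay under the default wmem_max named in the override block) would help whoever tunes it next.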
+++ b/tests/shell/testcases/sets/0074nested_interval_set @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0 index 7530b3db..1dbac0b7 100755 --- a/tests/shell/testcases/sets/automerge_0 +++ b/tests/shell/testcases/sets/automerge_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + set -e RULESET="table inet x { @@ -10,14 +12,23 @@ RULESET="table inet x { } }" +HOWMANY=65535 +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + HOWMANY=5000 +fi + $NFT -f - <<< $RULESET tmpfile=$(mktemp) echo -n "add element inet x y { " > $tmpfile -for ((i=0;i<65535;i+=2)) +for ((i=0;i<$HOWMANY;i+=2)) do echo -n "$i, " >> $tmpfile - if [ $i -eq 65534 ] + if [ $i -eq $((HOWMANY-1)) ] then echo -n "$i" >> $tmpfile fi @@ -27,13 +38,13 @@ echo "}" >> $tmpfile $NFT -f $tmpfile tmpfile2=$(mktemp) -for ((i=1;i<65535;i+=2)) +for ((i=1;i<$HOWMANY;i+=2)) do echo "$i" >> $tmpfile2 done tmpfile3=$(mktemp) -shuf $tmpfile2 > $tmpfile3 +shuf "$tmpfile2" --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "automerge-shuf-tmpfile2" "$NFT_TEST_RANDOM_SEED") > "$tmpfile3" i=0 cat $tmpfile3 | while read line && [ $i -lt 10 ] do @@ -48,7 +59,7 @@ done for ((i=0;i<10;i++)) do - from=$(($RANDOM%65535)) + from=$(($RANDOM%$HOWMANY)) to=$(($from+100)) $NFT add element inet x y { $from-$to } if [ $? -ne 0 ] @@ -111,3 +122,10 @@ done rm -f $tmpfile rm -f $tmpfile2 rm -f $tmpfile3 + +if [ "$HOWMANY" != 65535 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi 
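Review bot: `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` leaves `$0` unquoted in both substitutions; `$(dirname "$0")` and `$(basename "$0")` are the safe form, and `${0%/*}`/`${0##*/}` would avoid the two forks altogether. The test depends on a `dumps/0074nested_interval_set.nft` file that is not visible in this hunk.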
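Review bot: In automerge_0 the last-element special case `if [ $i -eq $((HOWMANY-1)) ]` only fires when HOWMANY is odd, because `i` steps through even values; with the new `HOWMANY=5000` it never matches, so the generated file ends in `4998, }` rather than the un-commaed final element the branch was written to produce. Whether nft tolerates the trailing comma I cannot tell from here, but the check should follow the loop's stride: `if [ $((i+2)) -ge $HOWMANY ]` selects the last even value for both 65535 and 5000. The odd-value loop in the next hunk is unaffected, since there `i` ends at HOWMANY-1 for either value.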
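Review bot: `from=$(($RANDOM%$HOWMANY))` still draws from bash's `$RANDOM`, so the ten interval inserts remain non-reproducible even though the `shuf` call two hunks earlier was just seeded from `NFT_TEST_RANDOM_SEED`; if that seed is numeric, `RANDOM=$NFT_TEST_RANDOM_SEED` once before this loop would make the whole test replayable. The `$` on the names inside `$(( ))` is unnecessary as well: `from=$((RANDOM % HOWMANY))`.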
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0 index 7699e9da..52a42c2f 100755 --- a/tests/shell/testcases/sets/collapse_elem_0 +++ b/tests/shell/testcases/sets/collapse_elem_0 @@ -17,3 +17,9 @@ add element ip a x { 2 } add element ip6 a x { 2 }" $NFT -f - <<< $RULESET + +RULESET="define m = { 3, 4 } +add element ip a x \$m +add element ip a x { 5 }" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/sets/concat_interval_0 b/tests/shell/testcases/sets/concat_interval_0 index 4d90af9a..36138ae0 100755 --- a/tests/shell/testcases/sets/concat_interval_0 +++ b/tests/shell/testcases/sets/concat_interval_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e RULESET="table ip t { diff --git a/tests/shell/testcases/sets/concat_nlmsg_overrun b/tests/shell/testcases/sets/concat_nlmsg_overrun new file mode 100755 index 00000000..69cefe90 --- /dev/null +++ b/tests/shell/testcases/sets/concat_nlmsg_overrun 
@@ -0,0 +1,734 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + +set -e + +RULESET='flush ruleset + +table ip filter { + set test_set { + type iface_index . ether_addr . ipv4_addr + flags interval + elements = { + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 
00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890", + "lo" . 00:11:22:33:44:55 . 10.1.2.3, + "lo" . 00:11:22:33:44:55 . 10.1.2.3, + "lo" . 00:11:22:33:44:55 . 10.1.2.3, + } + } +}' + +$NFT -f - <<< $RULESET + +exit 0 diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft new file mode 100644 index 00000000..9200154a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft 
@@ -0,0 +1,253 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "range": [ + "10.0.0.0", + "11.0.0.0" + ] + }, + { + "prefix": { + "addr": "172.16.0.0", + "len": 16 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s2", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 64 + } + }, + { + "range": [ + "fe11::", + "fe22::" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s3", + "table": "t", + "type": "inet_proto", + "handle": 0, + "flags": "interval", + "elem": [ + { + "range": [ + 10, + 20 + ] + }, + { + "range": [ + 50, + 60 + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s4", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": "interval", + "elem": [ + { + "range": [ + 0, + 1024 + ] + }, + { + "range": [ + 8080, + 8082 + ] + }, + { + "range": [ + 10000, + 40000 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@s2" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": 
"==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "@s3" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + }, + "right": "@s3" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": "@s4" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft new file mode 100644 index 00000000..b083ecb5 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.json-nft @@ -0,0 +1,42 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft new file mode 100644 index 00000000..b6173e9f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.json-nft 
@@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft new file mode 100644 index 00000000..c79d9ba8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.json-nft @@ -0,0 +1,36 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 64 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft new file mode 100644 index 00000000..464661e6 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.json-nft @@ -0,0 +1,36 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "fe00::", + "len": 48 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft new file mode 100644 index 00000000..b6173e9f --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0006create_set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft new file mode 100644 index 00000000..f5a9ac19 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0007create_element_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft new file mode 100644 index 00000000..e7152413 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.json-nft @@ -0,0 +1,36 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft new file mode 100644 index 00000000..fa5dcb25 --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft @@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "postrouting", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sourcemap", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "100.123.10.2", + { + "jump": { + "target": "c" + } + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@sourcemap" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft new file mode 100644 index 00000000..a67a0670 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.json-nft @@ -0,0 +1,36 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "timeout", + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.json-nft b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft new file mode 100644 index 00000000..7ea3c602 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0010comments_0.json-nft 
@@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "::1", + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft new file mode 100644 index 00000000..86d7eb6a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "blacklist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft new file mode 100644 index 00000000..96b9714a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.json-nft 
@@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft new file mode 100644 index 00000000..96b9714a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft new file mode 100644 index 00000000..d226811c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1", + "1.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft new file mode 100644 index 00000000..8cd37076 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft 
@@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1, 1.1.1.2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft new file mode 100644 index 00000000..d226811c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.json-nft @@ -0,0 +1,32 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 2, + "elem": [ + "1.1.1.1", + "1.1.1.2" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.json-nft b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft new file mode 100644 index 00000000..401a8f23 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0020comments_0.json-nft @@ -0,0 +1,35 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "elem": [ + { + "elem": { + "val": 22, + "comment": "test" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft new file mode 100644 index 00000000..5ed089dc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0021nesting_0.json-nft 
@@ -0,0 +1,69 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "2.2.2.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "3.3.3.0", + "len": 24 + } + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft new file mode 100644 index 00000000..dcb62eb7 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft 
@@ -0,0 +1,99 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service" + } + }, + { + "set": { + "family": "ip", + "name": "f", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 1024, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@f", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft index 5a6e3261..38987ded 100644 --- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft @@ -7,7 +7,13 @@ table ip t { type ipv4_addr : inet_service } + set f { + type ipv4_addr + size 1024 + flags dynamic + } + chain c { - tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second } + tcp dport 80 add @f { ip saddr limit rate 10/second burst 5 packets } } } diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft new file mode 100644 index 00000000..e0e56fec --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft new file mode 100644 index 00000000..b4521333 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.json-nft 
@@ -0,0 +1,165 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "quota", + "elem": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@test" + } + } + }, + { + "drop": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft new file mode 100644 index 00000000..dd71bb39 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft @@ -0,0 +1,129 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "synproxy": { + "family": "inet", + "name": "https-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 7, + "flags": [ + "timestamp", + "sack-perm" + ] + } + }, + { + "synproxy": { + "family": "inet", + "name": "other-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 5 + } + }, + { + "map": { + "family": "inet", + "name": "test2", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "synproxy", + "flags": "interval", + "elem": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "synproxy": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft new file mode 100644 index 00000000..dd9a112a --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft @@ -0,0 +1,24 @@ +table inet x { + synproxy https-synproxy { + mss 1460 + wscale 7 + timestamp sack-perm + } + + synproxy other-synproxy { + mss 1460 + wscale 5 + } + + map test2 { + type ipv4_addr : synproxy + flags interval + elements = { 192.168.1.0/24 : "https-synproxy", + 192.168.2.0/24 : "other-synproxy" } + } + + chain y { + type filter hook input priority filter; policy accept; + synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft new file mode 100644 index 00000000..9d56d025 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.0.1", + "192.168.0.2", + "192.168.0.3" + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "doesntexist" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 23 + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft new file mode 100644 index 00000000..5d21f26c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "limit": { + "family": "ip", + "name": "http-traffic", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "burst": 5 + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + "http-traffic" + ], + [ + 443, + "http-traffic" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft new file mode 100644 index 00000000..75d8b46d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.json-nft @@ -0,0 +1,36 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "::ffff:0.0.0.0", + "len": 96 + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft new file mode 100644 index 00000000..05fc072c --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft 
@@ -0,0 +1,162 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": "inet_proto", + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "set": { + "family": "ip", + "name": "s3", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 1024, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "set": "@s1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@s2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "foobar" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@s3" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft new file mode 100644 index 00000000..0c604927 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft @@ -0,0 +1,26 @@ +table ip t { + set s1 { + type inet_proto + size 65535 + flags dynamic + } + + set s2 { + type ipv4_addr + size 65535 + flags dynamic + } + + set s3 { + type ipv4_addr + size 1024 + flags dynamic + } + + chain c { + type filter hook input priority filter; policy accept; + iifname "foobar" add @s1 { ip protocol } + iifname "foobar" add @s2 { ip daddr } + iifname "foobar" add @s3 { ip daddr } + } +} diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft new file mode 100644 index 00000000..9e5f708d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.json-nft @@ -0,0 +1,51 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test-ip", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "x", + "table": "test-ip", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "test-ip", + "type": "inet_service", + "handle": 0, + "flags": "timeout", + "timeout": 10845 + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "test-ip", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "constant", + "interval" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft new file mode 100644 index 00000000..0f25c763 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft 
@@ -0,0 +1,15 @@ +table ip test-ip { + set x { + type ipv4_addr + } + + set y { + type inet_service + timeout 3h45s + } + + set z { + type ipv4_addr + flags constant,interval + } +} diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft index 55cd4f26..6f9832a9 100644 --- a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft +++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft @@ -51,6 +51,7 @@ table inet t { chain c { iifname @s accept oifname @s accept + fib saddr oifname @s accept tcp dport . iifname @sc accept iifname . meta mark @nv accept } diff --git a/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft new file mode 100644 index 00000000..7a723150 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.json-nft 
@@ -0,0 +1,45 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "setA", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "flags": "timeout" + } + }, + { + "set": { + "family": "ip", + "name": "setB", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": "timeout" + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft new file mode 100644 index 00000000..56976528 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.json-nft @@ -0,0 +1,45 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "setA", + "table": "x", + "type": [ + "ipv4_addr", + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "flags": "timeout" + } + }, + { + "set": { + "family": "ip", + "name": "setB", + "table": "x", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": "timeout" + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft new file mode 100644 index 00000000..d6174c51 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft @@ -0,0 +1,11 @@ +table ip x { + set setA { + type ipv4_addr . inet_service . ipv4_addr + flags timeout + } + + set setB { + type ipv4_addr . inet_service + flags timeout + } +} 
diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft new file mode 100644 index 00000000..4f5ba0aa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0034get_element_0.json-nft @@ -0,0 +1,134 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": "interval", + "elem": [ + 10, + { + "range": [ + 20, + 30 + ] + }, + 40, + { + "range": [ + 50, + 60 + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "ips", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + "10.0.0.1", + { + "range": [ + "10.0.0.5", + "10.0.0.8" + ] + }, + { + "prefix": { + "addr": "10.0.0.128", + "len": 25 + } + }, + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + { + "range": [ + "10.0.2.3", + "10.0.2.12" + ] + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "cs", + "table": "t", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "flags": "interval", + "elem": [ + { + "concat": [ + "10.0.0.1", + 22 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.1.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 1024 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "10.2.0.1", + "10.2.0.8" + ] + }, + { + "range": [ + 1024, + 65535 + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.nft b/tests/shell/testcases/sets/dumps/0034get_element_0.nft new file mode 100644 index 00000000..1c1dd977 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0034get_element_0.nft 
@@ -0,0 +1,23 @@ +table ip t { + set s { + type inet_service + flags interval + elements = { 10, 20-30, 40, 50-60 } + } + + set ips { + type ipv4_addr + flags interval + elements = { 10.0.0.1, 10.0.0.5-10.0.0.8, + 10.0.0.128/25, 10.0.1.0/24, + 10.0.2.3-10.0.2.12 } + } + + set cs { + type ipv4_addr . inet_service + flags interval + elements = { 10.0.0.1 . 22, + 10.1.0.0/16 . 1-1024, + 10.2.0.1-10.2.0.8 . 1024-65535 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft new file mode 100644 index 00000000..f9fe4e6f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval" + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft new file mode 100644 index 00000000..ca69cee2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft @@ -0,0 +1,6 @@ +table ip x { + set y { + type ipv4_addr + flags interval + } +} diff --git a/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft new file mode 100644 index 00000000..1c3b559d --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft @@ -0,0 +1,159 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, + { + "set": { + "family": "inet", + "name": "myset", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "192.168.0.113", + "tcp", + 22 + ] + }, + { + "concat": [ + "192.168.0.12", + "tcp", + 53 + ] + }, + { + "concat": [ + "192.168.0.12", + "udp", + 53 + ] + }, + { + "concat": [ + "192.168.0.12", + "tcp", + 80 + ] + }, + { + "concat": [ + "192.168.0.13", + "tcp", + 80 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "forward", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "forward", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": "@myset" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft new file mode 100644 index 00000000..6f6555d2 --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft @@ -0,0 +1,94 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 256, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "size": 128, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@m", + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft new file mode 100644 index 00000000..8037dfa5 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft @@ -0,0 +1,17 @@ +table ip t { + set s { + type ipv4_addr + size 256 + flags dynamic,timeout + } + + set m { + type ipv4_addr + size 128 + flags dynamic + } + + chain c { + tcp dport 80 add @m { ip saddr limit rate 10/second burst 5 packets } + } +} diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft new file mode 100644 index 00000000..afa81958 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.json-nft 
@@ -0,0 +1,37 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "range": [ + "192.168.1.0", + "192.168.1.254" + ] + }, + "192.168.1.255" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft new file mode 100644 index 00000000..1fc76572 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft new file mode 100644 index 00000000..486ca453 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.json-nft @@ -0,0 +1,37 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "mark", + "handle": 0, + "flags": "interval", + "elem": [ + { + "range": [ + 35, + 66 + ] + }, + 4919 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft new file mode 100644 index 00000000..f580c381 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type mark + flags interval + elements = { 0x00000023-0x00000042, 0x00001337 } + } +} 
diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.json-nft b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft new file mode 100644 index 00000000..c59a65ae --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0041interval_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + "192.168.2.196" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.nft b/tests/shell/testcases/sets/dumps/0041interval_0.nft new file mode 100644 index 00000000..222d4d74 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0041interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.2.196 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft new file mode 100644 index 00000000..3f98e120 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft 
@@ -0,0 +1,85 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "set1", + "table": "t", + "type": "ether_addr", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "set2", + "table": "t", + "type": "ether_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + "right": "@set1" + } + }, + { + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ether", + "field": "daddr" + } + }, + "set": "@set2", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.nft b/tests/shell/testcases/sets/dumps/0042update_set_0.nft new file mode 100644 index 00000000..56cc875e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.nft @@ -0,0 +1,15 @@ +table ip t { + set set1 { + type ether_addr + } + + set set2 { + type ether_addr + size 65535 + flags dynamic + } + + chain c { + ether daddr @set1 add @set2 { ether daddr counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft new file mode 100644 index 00000000..ffb76e2f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft 
@@ -0,0 +1,98 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "filter", + "type": [ + "mark", + "inet_service", + "inet_proto" + ], + "handle": 0, + "map": "mark", + "flags": [ + "interval", + "timeout" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "output", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "mark" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "data": "@test" + } + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft new file mode 100644 index 00000000..f2077b91 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft @@ -0,0 +1,11 @@ +table inet filter { + map test { + type mark . inet_service . inet_proto : mark + flags interval,timeout + } + + chain output { + type filter hook output priority filter; policy accept; + meta mark set meta mark . tcp dport . meta l4proto map @test counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft new file mode 100644 index 00000000..5ce063d7 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.json-nft 
@@ -0,0 +1,1719 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "s", + "table": "t", + "type": [ + "ipv6_addr", + "ipv6_addr" + ], + "handle": 0, + "flags": "interval", + "elem": [ + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 32 + } + }, + { + "range": [ + "2001:db8:20::", + "2001:db8:20::20:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 33 + } + }, + { + "range": [ + "2001:db8:21::", + "2001:db8:21::21:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 34 + } + }, + { + "range": [ + "2001:db8:22::", + "2001:db8:22::22:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 35 + } + }, + { + "range": [ + "2001:db8:23::", + "2001:db8:23::23:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 36 + } + }, + { + "range": [ + "2001:db8:24::", + "2001:db8:24::24:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 37 + } + }, + { + "range": [ + "2001:db8:25::", + "2001:db8:25::25:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 38 + } + }, + { + "range": [ + "2001:db8:26::", + "2001:db8:26::26:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 39 + } + }, + { + "range": [ + "2001:db8:27::", + "2001:db8:27::27:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 40 + } + }, + { + "range": [ + "2001:db8:28::", + "2001:db8:28::28:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 41 + } + }, + { + "range": [ + "2001:db8:29::", + "2001:db8:29::29:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": 
"2001:db8::", + "len": 42 + } + }, + { + "range": [ + "2001:db8:2a::", + "2001:db8:2a::2a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 43 + } + }, + { + "range": [ + "2001:db8:2b::", + "2001:db8:2b::2b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 44 + } + }, + { + "range": [ + "2001:db8:2c::", + "2001:db8:2c::2c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 45 + } + }, + { + "range": [ + "2001:db8:2d::", + "2001:db8:2d::2d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 46 + } + }, + { + "range": [ + "2001:db8:2e::", + "2001:db8:2e::2e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 47 + } + }, + { + "range": [ + "2001:db8:2f::", + "2001:db8:2f::2f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 48 + } + }, + { + "range": [ + "2001:db8:30::", + "2001:db8:30::30:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 49 + } + }, + { + "range": [ + "2001:db8:31::", + "2001:db8:31::31:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 50 + } + }, + { + "range": [ + "2001:db8:32::", + "2001:db8:32::32:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 51 + } + }, + { + "range": [ + "2001:db8:33::", + "2001:db8:33::33:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 52 + } + }, + { + "range": [ + "2001:db8:34::", + "2001:db8:34::34:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 53 + } + }, + { + "range": [ + "2001:db8:35::", + "2001:db8:35::35:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 54 + } + }, + { + "range": [ + "2001:db8:36::", + "2001:db8:36::36:1" + ] + } + ] + }, + { + "concat": [ 
+ { + "prefix": { + "addr": "2001:db8::", + "len": 55 + } + }, + { + "range": [ + "2001:db8:37::", + "2001:db8:37::37:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 56 + } + }, + { + "range": [ + "2001:db8:38::", + "2001:db8:38::38:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 57 + } + }, + { + "range": [ + "2001:db8:39::", + "2001:db8:39::39:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 58 + } + }, + { + "range": [ + "2001:db8:3a::", + "2001:db8:3a::3a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 59 + } + }, + { + "range": [ + "2001:db8:3b::", + "2001:db8:3b::3b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 60 + } + }, + { + "range": [ + "2001:db8:3c::", + "2001:db8:3c::3c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 61 + } + }, + { + "range": [ + "2001:db8:3d::", + "2001:db8:3d::3d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 62 + } + }, + { + "range": [ + "2001:db8:3e::", + "2001:db8:3e::3e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 63 + } + }, + { + "range": [ + "2001:db8:3f::", + "2001:db8:3f::3f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 64 + } + }, + { + "range": [ + "2001:db8:40::", + "2001:db8:40::40:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 65 + } + }, + { + "range": [ + "2001:db8:41::", + "2001:db8:41::41:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 66 + } + }, + { + "range": [ + "2001:db8:42::", + "2001:db8:42::42:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 67 + } + }, + { + "range": [ + "2001:db8:43::", + "2001:db8:43::43:1" + ] + 
} + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 68 + } + }, + { + "range": [ + "2001:db8:44::", + "2001:db8:44::44:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 69 + } + }, + { + "range": [ + "2001:db8:45::", + "2001:db8:45::45:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 70 + } + }, + { + "range": [ + "2001:db8:46::", + "2001:db8:46::46:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 71 + } + }, + { + "range": [ + "2001:db8:47::", + "2001:db8:47::47:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 72 + } + }, + { + "range": [ + "2001:db8:48::", + "2001:db8:48::48:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 73 + } + }, + { + "range": [ + "2001:db8:49::", + "2001:db8:49::49:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 74 + } + }, + { + "range": [ + "2001:db8:4a::", + "2001:db8:4a::4a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 75 + } + }, + { + "range": [ + "2001:db8:4b::", + "2001:db8:4b::4b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 76 + } + }, + { + "range": [ + "2001:db8:4c::", + "2001:db8:4c::4c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 77 + } + }, + { + "range": [ + "2001:db8:4d::", + "2001:db8:4d::4d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 78 + } + }, + { + "range": [ + "2001:db8:4e::", + "2001:db8:4e::4e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 79 + } + }, + { + "range": [ + "2001:db8:4f::", + "2001:db8:4f::4f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 80 + } + }, + { + "range": [ + "2001:db8:50::", 
+ "2001:db8:50::50:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 81 + } + }, + { + "range": [ + "2001:db8:51::", + "2001:db8:51::51:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 82 + } + }, + { + "range": [ + "2001:db8:52::", + "2001:db8:52::52:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 83 + } + }, + { + "range": [ + "2001:db8:53::", + "2001:db8:53::53:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 84 + } + }, + { + "range": [ + "2001:db8:54::", + "2001:db8:54::54:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 85 + } + }, + { + "range": [ + "2001:db8:55::", + "2001:db8:55::55:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 86 + } + }, + { + "range": [ + "2001:db8:56::", + "2001:db8:56::56:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 87 + } + }, + { + "range": [ + "2001:db8:57::", + "2001:db8:57::57:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 88 + } + }, + { + "range": [ + "2001:db8:58::", + "2001:db8:58::58:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 89 + } + }, + { + "range": [ + "2001:db8:59::", + "2001:db8:59::59:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 90 + } + }, + { + "range": [ + "2001:db8:5a::", + "2001:db8:5a::5a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 91 + } + }, + { + "range": [ + "2001:db8:5b::", + "2001:db8:5b::5b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 92 + } + }, + { + "range": [ + "2001:db8:5c::", + "2001:db8:5c::5c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 93 + } + }, + { + 
"range": [ + "2001:db8:5d::", + "2001:db8:5d::5d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 94 + } + }, + { + "range": [ + "2001:db8:5e::", + "2001:db8:5e::5e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 95 + } + }, + { + "range": [ + "2001:db8:5f::", + "2001:db8:5f::5f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 96 + } + }, + { + "range": [ + "2001:db8:60::", + "2001:db8:60::60:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 97 + } + }, + { + "range": [ + "2001:db8:61::", + "2001:db8:61::61:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 98 + } + }, + { + "range": [ + "2001:db8:62::", + "2001:db8:62::62:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 99 + } + }, + { + "range": [ + "2001:db8:63::", + "2001:db8:63::63:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 100 + } + }, + { + "range": [ + "2001:db8:64::", + "2001:db8:64::64:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 101 + } + }, + { + "range": [ + "2001:db8:65::", + "2001:db8:65::65:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 102 + } + }, + { + "range": [ + "2001:db8:66::", + "2001:db8:66::66:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 103 + } + }, + { + "range": [ + "2001:db8:67::", + "2001:db8:67::67:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 104 + } + }, + { + "range": [ + "2001:db8:68::", + "2001:db8:68::68:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 105 + } + }, + { + "range": [ + "2001:db8:69::", + "2001:db8:69::69:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": 
"2001:db8::", + "len": 106 + } + }, + { + "range": [ + "2001:db8:6a::", + "2001:db8:6a::6a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 107 + } + }, + { + "range": [ + "2001:db8:6b::", + "2001:db8:6b::6b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 108 + } + }, + { + "range": [ + "2001:db8:6c::", + "2001:db8:6c::6c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 109 + } + }, + { + "range": [ + "2001:db8:6d::", + "2001:db8:6d::6d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 110 + } + }, + { + "range": [ + "2001:db8:6e::", + "2001:db8:6e::6e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 111 + } + }, + { + "range": [ + "2001:db8:6f::", + "2001:db8:6f::6f:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 112 + } + }, + { + "range": [ + "2001:db8:70::", + "2001:db8:70::70:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 113 + } + }, + { + "range": [ + "2001:db8:71::", + "2001:db8:71::71:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 114 + } + }, + { + "range": [ + "2001:db8:72::", + "2001:db8:72::72:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 115 + } + }, + { + "range": [ + "2001:db8:73::", + "2001:db8:73::73:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 116 + } + }, + { + "range": [ + "2001:db8:74::", + "2001:db8:74::74:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 117 + } + }, + { + "range": [ + "2001:db8:75::", + "2001:db8:75::75:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 118 + } + }, + { + "range": [ + "2001:db8:76::", + "2001:db8:76::76:1" + ] + } + ] + }, + { 
+ "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 119 + } + }, + { + "range": [ + "2001:db8:77::", + "2001:db8:77::77:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 120 + } + }, + { + "range": [ + "2001:db8:78::", + "2001:db8:78::78:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 121 + } + }, + { + "range": [ + "2001:db8:79::", + "2001:db8:79::79:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 122 + } + }, + { + "range": [ + "2001:db8:7a::", + "2001:db8:7a::7a:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 123 + } + }, + { + "range": [ + "2001:db8:7b::", + "2001:db8:7b::7b:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 124 + } + }, + { + "range": [ + "2001:db8:7c::", + "2001:db8:7c::7c:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 125 + } + }, + { + "range": [ + "2001:db8:7d::", + "2001:db8:7d::7d:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 126 + } + }, + { + "range": [ + "2001:db8:7e::", + "2001:db8:7e::7e:1" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "2001:db8::", + "len": 127 + } + }, + { + "range": [ + "2001:db8:7f::", + "2001:db8:7f::7f:1" + ] + } + ] + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr" + ], + "handle": 0, + "flags": "interval", + "elem": [ + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 24 + } + }, + { + "range": [ + "192.0.2.72", + "192.0.2.74" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 25 + } + }, + { + "range": [ + "192.0.2.75", + "192.0.2.77" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": 
"192.0.2.0", + "len": 26 + } + }, + { + "range": [ + "192.0.2.78", + "192.0.2.80" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 27 + } + }, + { + "range": [ + "192.0.2.81", + "192.0.2.83" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 28 + } + }, + { + "range": [ + "192.0.2.84", + "192.0.2.86" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 29 + } + }, + { + "range": [ + "192.0.2.87", + "192.0.2.89" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 30 + } + }, + { + "range": [ + "192.0.2.90", + "192.0.2.92" + ] + } + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "192.0.2.0", + "len": 31 + } + }, + { + "range": [ + "192.0.2.93", + "192.0.2.95" + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft new file mode 100644 index 00000000..19d08d3d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft 
@@ -0,0 +1,116 @@
+table ip6 t {
+ set s {
+ type ipv6_addr . ipv6_addr
+ flags interval
+ elements = { 2001:db8::/32 . 2001:db8:20::-2001:db8:20::20:1,
+ 2001:db8::/33 . 2001:db8:21::-2001:db8:21::21:1,
+ 2001:db8::/34 . 2001:db8:22::-2001:db8:22::22:1,
+ 2001:db8::/35 . 2001:db8:23::-2001:db8:23::23:1,
+ 2001:db8::/36 . 2001:db8:24::-2001:db8:24::24:1,
+ 2001:db8::/37 . 2001:db8:25::-2001:db8:25::25:1,
+ 2001:db8::/38 . 2001:db8:26::-2001:db8:26::26:1,
+ 2001:db8::/39 . 2001:db8:27::-2001:db8:27::27:1,
+ 2001:db8::/40 . 2001:db8:28::-2001:db8:28::28:1,
+ 2001:db8::/41 . 2001:db8:29::-2001:db8:29::29:1,
+ 2001:db8::/42 . 2001:db8:2a::-2001:db8:2a::2a:1,
+ 2001:db8::/43 . 2001:db8:2b::-2001:db8:2b::2b:1,
+ 2001:db8::/44 . 2001:db8:2c::-2001:db8:2c::2c:1,
+ 2001:db8::/45 . 2001:db8:2d::-2001:db8:2d::2d:1,
+ 2001:db8::/46 . 2001:db8:2e::-2001:db8:2e::2e:1,
+ 2001:db8::/47 . 2001:db8:2f::-2001:db8:2f::2f:1,
+ 2001:db8::/48 . 2001:db8:30::-2001:db8:30::30:1,
+ 2001:db8::/49 . 2001:db8:31::-2001:db8:31::31:1,
+ 2001:db8::/50 . 2001:db8:32::-2001:db8:32::32:1,
+ 2001:db8::/51 . 2001:db8:33::-2001:db8:33::33:1,
+ 2001:db8::/52 . 2001:db8:34::-2001:db8:34::34:1,
+ 2001:db8::/53 . 2001:db8:35::-2001:db8:35::35:1,
+ 2001:db8::/54 . 2001:db8:36::-2001:db8:36::36:1,
+ 2001:db8::/55 . 2001:db8:37::-2001:db8:37::37:1,
+ 2001:db8::/56 . 2001:db8:38::-2001:db8:38::38:1,
+ 2001:db8::/57 . 2001:db8:39::-2001:db8:39::39:1,
+ 2001:db8::/58 . 2001:db8:3a::-2001:db8:3a::3a:1,
+ 2001:db8::/59 . 2001:db8:3b::-2001:db8:3b::3b:1,
+ 2001:db8::/60 . 2001:db8:3c::-2001:db8:3c::3c:1,
+ 2001:db8::/61 . 2001:db8:3d::-2001:db8:3d::3d:1,
+ 2001:db8::/62 . 2001:db8:3e::-2001:db8:3e::3e:1,
+ 2001:db8::/63 . 2001:db8:3f::-2001:db8:3f::3f:1,
+ 2001:db8::/64 . 2001:db8:40::-2001:db8:40::40:1,
+ 2001:db8::/65 . 2001:db8:41::-2001:db8:41::41:1,
+ 2001:db8::/66 . 2001:db8:42::-2001:db8:42::42:1,
+ 2001:db8::/67 . 2001:db8:43::-2001:db8:43::43:1,
+ 2001:db8::/68 . 2001:db8:44::-2001:db8:44::44:1,
+ 2001:db8::/69 . 2001:db8:45::-2001:db8:45::45:1,
+ 2001:db8::/70 . 2001:db8:46::-2001:db8:46::46:1,
+ 2001:db8::/71 . 2001:db8:47::-2001:db8:47::47:1,
+ 2001:db8::/72 . 2001:db8:48::-2001:db8:48::48:1,
+ 2001:db8::/73 . 2001:db8:49::-2001:db8:49::49:1,
+ 2001:db8::/74 . 2001:db8:4a::-2001:db8:4a::4a:1,
+ 2001:db8::/75 . 2001:db8:4b::-2001:db8:4b::4b:1,
+ 2001:db8::/76 . 2001:db8:4c::-2001:db8:4c::4c:1,
+ 2001:db8::/77 . 2001:db8:4d::-2001:db8:4d::4d:1,
+ 2001:db8::/78 . 2001:db8:4e::-2001:db8:4e::4e:1,
+ 2001:db8::/79 . 2001:db8:4f::-2001:db8:4f::4f:1,
+ 2001:db8::/80 . 2001:db8:50::-2001:db8:50::50:1,
+ 2001:db8::/81 . 2001:db8:51::-2001:db8:51::51:1,
+ 2001:db8::/82 . 2001:db8:52::-2001:db8:52::52:1,
+ 2001:db8::/83 . 2001:db8:53::-2001:db8:53::53:1,
+ 2001:db8::/84 . 2001:db8:54::-2001:db8:54::54:1,
+ 2001:db8::/85 . 2001:db8:55::-2001:db8:55::55:1,
+ 2001:db8::/86 . 2001:db8:56::-2001:db8:56::56:1,
+ 2001:db8::/87 . 2001:db8:57::-2001:db8:57::57:1,
+ 2001:db8::/88 . 2001:db8:58::-2001:db8:58::58:1,
+ 2001:db8::/89 . 2001:db8:59::-2001:db8:59::59:1,
+ 2001:db8::/90 . 2001:db8:5a::-2001:db8:5a::5a:1,
+ 2001:db8::/91 . 2001:db8:5b::-2001:db8:5b::5b:1,
+ 2001:db8::/92 . 2001:db8:5c::-2001:db8:5c::5c:1,
+ 2001:db8::/93 . 2001:db8:5d::-2001:db8:5d::5d:1,
+ 2001:db8::/94 . 2001:db8:5e::-2001:db8:5e::5e:1,
+ 2001:db8::/95 . 2001:db8:5f::-2001:db8:5f::5f:1,
+ 2001:db8::/96 . 2001:db8:60::-2001:db8:60::60:1,
+ 2001:db8::/97 . 2001:db8:61::-2001:db8:61::61:1,
+ 2001:db8::/98 . 2001:db8:62::-2001:db8:62::62:1,
+ 2001:db8::/99 . 2001:db8:63::-2001:db8:63::63:1,
+ 2001:db8::/100 . 2001:db8:64::-2001:db8:64::64:1,
+ 2001:db8::/101 . 2001:db8:65::-2001:db8:65::65:1,
+ 2001:db8::/102 . 2001:db8:66::-2001:db8:66::66:1,
+ 2001:db8::/103 . 2001:db8:67::-2001:db8:67::67:1,
+ 2001:db8::/104 . 2001:db8:68::-2001:db8:68::68:1,
+ 2001:db8::/105 . 2001:db8:69::-2001:db8:69::69:1,
+ 2001:db8::/106 . 2001:db8:6a::-2001:db8:6a::6a:1,
+ 2001:db8::/107 . 2001:db8:6b::-2001:db8:6b::6b:1,
+ 2001:db8::/108 . 2001:db8:6c::-2001:db8:6c::6c:1,
+ 2001:db8::/109 . 2001:db8:6d::-2001:db8:6d::6d:1,
+ 2001:db8::/110 . 2001:db8:6e::-2001:db8:6e::6e:1,
+ 2001:db8::/111 . 2001:db8:6f::-2001:db8:6f::6f:1,
+ 2001:db8::/112 . 2001:db8:70::-2001:db8:70::70:1,
+ 2001:db8::/113 . 2001:db8:71::-2001:db8:71::71:1,
+ 2001:db8::/114 . 2001:db8:72::-2001:db8:72::72:1,
+ 2001:db8::/115 . 2001:db8:73::-2001:db8:73::73:1,
+ 2001:db8::/116 . 2001:db8:74::-2001:db8:74::74:1,
+ 2001:db8::/117 . 2001:db8:75::-2001:db8:75::75:1,
+ 2001:db8::/118 . 2001:db8:76::-2001:db8:76::76:1,
+ 2001:db8::/119 . 2001:db8:77::-2001:db8:77::77:1,
+ 2001:db8::/120 . 2001:db8:78::-2001:db8:78::78:1,
+ 2001:db8::/121 . 2001:db8:79::-2001:db8:79::79:1,
+ 2001:db8::/122 . 2001:db8:7a::-2001:db8:7a::7a:1,
+ 2001:db8::/123 . 2001:db8:7b::-2001:db8:7b::7b:1,
+ 2001:db8::/124 . 2001:db8:7c::-2001:db8:7c::7c:1,
+ 2001:db8::/125 . 2001:db8:7d::-2001:db8:7d::7d:1,
+ 2001:db8::/126 . 2001:db8:7e::-2001:db8:7e::7e:1,
+ 2001:db8::/127 . 2001:db8:7f::-2001:db8:7f::7f:1 }
+ }
+}
+table ip t {
+ set s {
+ type ipv4_addr . ipv4_addr
+ flags interval
+ elements = { 192.0.2.0/24 . 192.0.2.72-192.0.2.74,
+ 192.0.2.0/25 . 192.0.2.75-192.0.2.77,
+ 192.0.2.0/26 . 192.0.2.78-192.0.2.80,
+ 192.0.2.0/27 . 192.0.2.81-192.0.2.83,
+ 192.0.2.0/28 . 192.0.2.84-192.0.2.86,
+ 192.0.2.0/29 . 192.0.2.87-192.0.2.89,
+ 192.0.2.0/30 . 192.0.2.90-192.0.2.92,
+ 192.0.2.0/31 . 192.0.2.93-192.0.2.95 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft
new file mode 100644
index 00000000..8f82990a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.json-nft 
@@ -0,0 +1,527 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": "interval", + "elem": [ + 25, + 30, + 82, + 119, + 349, + 745, + 748, + 1165, + 1233, + 1476, + 1550, + 1562, + 1743, + 1745, + 1882, + 2070, + 2194, + 2238, + 2450, + 2455, + 2642, + 2671, + 2906, + 3093, + 3203, + 3287, + 3348, + 3411, + 3540, + 3892, + 3943, + 4133, + 4205, + 4317, + 4733, + 5095, + 5156, + 5223, + 5230, + 5432, + 5826, + 5828, + 6044, + 6377, + 6388, + 6491, + 6952, + 6986, + 7012, + 7187, + 7300, + 7305, + 7549, + 7664, + 8111, + 8206, + 8396, + 8782, + 8920, + 8981, + 9067, + 9216, + 9245, + 9315, + 9432, + 9587, + 9689, + 9844, + 9991, + 10045, + 10252, + 10328, + 10670, + 10907, + 11021, + 11337, + 11427, + 11497, + 11502, + 11523, + 11552, + 11577, + 11721, + 11943, + 12474, + 12718, + 12764, + 12794, + 12922, + 13186, + 13232, + 13383, + 13431, + 13551, + 13676, + 13685, + 13747, + 13925, + 13935, + 14015, + 14090, + 14320, + 14392, + 14515, + 14647, + 14911, + 15096, + 15105, + 15154, + 15440, + 15583, + 15623, + 15677, + 15710, + 15926, + 15934, + 15960, + 16068, + 16166, + 16486, + 16489, + 16528, + 16646, + 16650, + 16770, + 16882, + 17052, + 17237, + 17387, + 17431, + 17886, + 17939, + 17999, + 18092, + 18123, + 18238, + 18562, + 18698, + 19004, + 19229, + 19237, + 19585, + 19879, + 19938, + 19950, + 19958, + 20031, + 20138, + 20157, + 20205, + 20368, + 20682, + 20687, + 20873, + 20910, + 20919, + 21019, + 21068, + 21115, + 21188, + 21236, + 21319, + 21563, + 21734, + 21806, + 21810, + 21959, + 21982, + 22078, + 22181, + 22308, + 22480, + 22643, + 22854, + 22879, + 22961, + 23397, + 23534, + 23845, + 23893, + 24130, + 24406, + 24794, + 24997, + 25019, + 25143, + 25179, + 25439, + 25603, + 25718, + 
25859, + 25949, + 26006, + 26022, + 26047, + 26170, + 26193, + 26725, + 26747, + 26924, + 27023, + 27040, + 27233, + 27344, + 27478, + 27593, + 27600, + 27664, + 27678, + 27818, + 27822, + 28003, + 28038, + 28709, + 28808, + 29010, + 29057, + 29228, + 29485, + 30132, + 30160, + 30415, + 30469, + 30673, + 30736, + 30776, + 30780, + 31450, + 31537, + 31669, + 31839, + 31873, + 32019, + 32229, + 32685, + 32879, + 33318, + 33337, + 33404, + 33517, + 33906, + 34214, + 34346, + 34416, + 34727, + 34848, + 35325, + 35400, + 35451, + 35501, + 35637, + 35653, + 35710, + 35761, + 35767, + 36238, + 36258, + 36279, + 36464, + 36586, + 36603, + 36770, + 36774, + 36805, + 36851, + 37079, + 37189, + 37209, + 37565, + 37570, + 37585, + 37832, + 37931, + 37954, + 38006, + 38015, + 38045, + 38109, + 38114, + 38200, + 38209, + 38214, + 38277, + 38306, + 38402, + 38606, + 38697, + 38960, + 39004, + 39006, + 39197, + 39217, + 39265, + 39319, + 39460, + 39550, + 39615, + 39871, + 39886, + 40088, + 40135, + 40244, + 40323, + 40339, + 40355, + 40385, + 40428, + 40538, + 40791, + 40848, + 40959, + 41003, + 41131, + 41349, + 41643, + 41710, + 41826, + 41904, + 42027, + 42148, + 42235, + 42255, + 42498, + 42680, + 42973, + 43118, + 43135, + 43233, + 43349, + 43411, + 43487, + 43840, + 43843, + 43870, + 44040, + 44204, + 44817, + 44883, + 44894, + 44958, + 45201, + 45259, + 45283, + 45357, + 45423, + 45473, + 45498, + 45519, + 45561, + 45611, + 45627, + 45831, + 46043, + 46105, + 46116, + 46147, + 46169, + 46349, + 47147, + 47252, + 47314, + 47335, + 47360, + 47546, + 47617, + 47648, + 47772, + 47793, + 47846, + 47913, + 47952, + 48095, + 48325, + 48334, + 48412, + 48419, + 48540, + 48569, + 48628, + 48751, + 48944, + 48971, + 49008, + 49025, + 49503, + 49505, + 49613, + 49767, + 49839, + 49925, + 50022, + 50028, + 50238, + 51057, + 51477, + 51617, + 51910, + 52044, + 52482, + 52550, + 52643, + 52832, + 53382, + 53690, + 53809, + 53858, + 54001, + 54198, + 54280, + 54327, + 54376, + 54609, + 
54776, + 54983, + 54984, + 55019, + 55038, + 55094, + 55368, + 55737, + 55793, + 55904, + 55941, + 55960, + 55978, + 56063, + 56121, + 56314, + 56505, + 56548, + 56568, + 56696, + 56798, + 56855, + 57102, + 57236, + 57333, + 57334, + 57441, + 57574, + 57659, + 57987, + 58325, + 58404, + 58509, + 58782, + 58876, + 59116, + 59544, + 59685, + 59700, + 59750, + 59799, + 59866, + 59870, + 59894, + 59984, + 60343, + 60481, + 60564, + 60731, + 61075, + 61087, + 61148, + 61174, + 61655, + 61679, + 61691, + 61723, + 61730, + 61758, + 61824, + 62035, + 62056, + 62661, + 62768, + 62946, + 63059, + 63116, + 63338, + 63387, + 63672, + 63719, + 63881, + 63995, + 64197, + 64374, + 64377, + 64472, + 64606, + 64662, + 64777, + 64795, + 64906, + 65049, + 65122, + 65318 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft new file mode 100644 index 00000000..5b249a3e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft 
@@ -0,0 +1,106 @@
+table ip t {
+ set s {
+ type inet_service
+ flags interval
+ elements = { 25, 30, 82, 119, 349,
+ 745, 748, 1165, 1233, 1476,
+ 1550, 1562, 1743, 1745, 1882,
+ 2070, 2194, 2238, 2450, 2455,
+ 2642, 2671, 2906, 3093, 3203,
+ 3287, 3348, 3411, 3540, 3892,
+ 3943, 4133, 4205, 4317, 4733,
+ 5095, 5156, 5223, 5230, 5432,
+ 5826, 5828, 6044, 6377, 6388,
+ 6491, 6952, 6986, 7012, 7187,
+ 7300, 7305, 7549, 7664, 8111,
+ 8206, 8396, 8782, 8920, 8981,
+ 9067, 9216, 9245, 9315, 9432,
+ 9587, 9689, 9844, 9991, 10045,
+ 10252, 10328, 10670, 10907, 11021,
+ 11337, 11427, 11497, 11502, 11523,
+ 11552, 11577, 11721, 11943, 12474,
+ 12718, 12764, 12794, 12922, 13186,
+ 13232, 13383, 13431, 13551, 13676,
+ 13685, 13747, 13925, 13935, 14015,
+ 14090, 14320, 14392, 14515, 14647,
+ 14911, 15096, 15105, 15154, 15440,
+ 15583, 15623, 15677, 15710, 15926,
+ 15934, 15960, 16068, 16166, 16486,
+ 16489, 16528, 16646, 16650, 16770,
+ 16882, 17052, 17237, 17387, 17431,
+ 17886, 17939, 17999, 18092, 18123,
+ 18238, 18562, 18698, 19004, 19229,
+ 19237, 19585, 19879, 19938, 19950,
+ 19958, 20031, 20138, 20157, 20205,
+ 20368, 20682, 20687, 20873, 20910,
+ 20919, 21019, 21068, 21115, 21188,
+ 21236, 21319, 21563, 21734, 21806,
+ 21810, 21959, 21982, 22078, 22181,
+ 22308, 22480, 22643, 22854, 22879,
+ 22961, 23397, 23534, 23845, 23893,
+ 24130, 24406, 24794, 24997, 25019,
+ 25143, 25179, 25439, 25603, 25718,
+ 25859, 25949, 26006, 26022, 26047,
+ 26170, 26193, 26725, 26747, 26924,
+ 27023, 27040, 27233, 27344, 27478,
+ 27593, 27600, 27664, 27678, 27818,
+ 27822, 28003, 28038, 28709, 28808,
+ 29010, 29057, 29228, 29485, 30132,
+ 30160, 30415, 30469, 30673, 30736,
+ 30776, 30780, 31450, 31537, 31669,
+ 31839, 31873, 32019, 32229, 32685,
+ 32879, 33318, 33337, 33404, 33517,
+ 33906, 34214, 34346, 34416, 34727,
+ 34848, 35325, 35400, 35451, 35501,
+ 35637, 35653, 35710, 35761, 35767,
+ 36238, 36258, 36279, 36464, 36586,
+ 36603, 36770, 36774, 36805, 36851,
+ 37079, 37189, 37209, 37565, 37570,
+ 37585, 37832, 37931, 37954, 38006,
+ 38015, 38045, 38109, 38114, 38200,
+ 38209, 38214, 38277, 38306, 38402,
+ 38606, 38697, 38960, 39004, 39006,
+ 39197, 39217, 39265, 39319, 39460,
+ 39550, 39615, 39871, 39886, 40088,
+ 40135, 40244, 40323, 40339, 40355,
+ 40385, 40428, 40538, 40791, 40848,
+ 40959, 41003, 41131, 41349, 41643,
+ 41710, 41826, 41904, 42027, 42148,
+ 42235, 42255, 42498, 42680, 42973,
+ 43118, 43135, 43233, 43349, 43411,
+ 43487, 43840, 43843, 43870, 44040,
+ 44204, 44817, 44883, 44894, 44958,
+ 45201, 45259, 45283, 45357, 45423,
+ 45473, 45498, 45519, 45561, 45611,
+ 45627, 45831, 46043, 46105, 46116,
+ 46147, 46169, 46349, 47147, 47252,
+ 47314, 47335, 47360, 47546, 47617,
+ 47648, 47772, 47793, 47846, 47913,
+ 47952, 48095, 48325, 48334, 48412,
+ 48419, 48540, 48569, 48628, 48751,
+ 48944, 48971, 49008, 49025, 49503,
+ 49505, 49613, 49767, 49839, 49925,
+ 50022, 50028, 50238, 51057, 51477,
+ 51617, 51910, 52044, 52482, 52550,
+ 52643, 52832, 53382, 53690, 53809,
+ 53858, 54001, 54198, 54280, 54327,
+ 54376, 54609, 54776, 54983, 54984,
+ 55019, 55038, 55094, 55368, 55737,
+ 55793, 55904, 55941, 55960, 55978,
+ 56063, 56121, 56314, 56505, 56548,
+ 56568, 56696, 56798, 56855, 57102,
+ 57236, 57333, 57334, 57441, 57574,
+ 57659, 57987, 58325, 58404, 58509,
+ 58782, 58876, 59116, 59544, 59685,
+ 59700, 59750, 59799, 59866, 59870,
+ 59894, 59984, 60343, 60481, 60564,
+ 60731, 61075, 61087, 61148, 61174,
+ 61655, 61679, 61691, 61723, 61730,
+ 61758, 61824, 62035, 62056, 62661,
+ 62768, 62946, 63059, 63116, 63338,
+ 63387, 63672, 63719, 63881, 63995,
+ 64197, 64374, 64377, 64472, 64606,
+ 64662, 64777, 64795, 64906, 65049,
+ 65122, 65318 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft
new file mode 100644
index 00000000..8473c333
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft
@@ -0,0 +1,95 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65536, + "flags": [ + "timeout", + "dynamic" + ], + "elem": [ + { + "concat": [ + "192.168.7.1", + 22 + ] + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 21 + } + }, + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 22 + ] + }, + "timeout": 60 + } + }, + "set": "@s" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft new file mode 100644 index 00000000..55f1a2ad --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0046netmap_0.json-nft 
@@ -0,0 +1,167 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ], + [ + { + "prefix": { + "addr": "10.141.12.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.3.0", + "len": 24 + } + } + ], + [ + { + "prefix": { + "addr": "10.141.13.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.4.0", + "len": 24 + } + } + ] + ] + } + } + }, + "flags": "netmap", + "type_flags": "prefix" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "family": "ip6", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "2001:db8:1111::", + "len": 64 + } + }, + { + "prefix": { + "addr": "2001:db8:2222::", + "len": 64 + } + } + ] + ] + } + } + }, + "flags": "netmap", + "type_flags": "prefix" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft index 9fa9fc74..86dbb708 100644 
--- a/tests/shell/testcases/sets/dumps/0047nat_0.nft +++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft @@ -2,7 +2,8 @@ table ip x { map y { type ipv4_addr : interval ipv4_addr flags interval - elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31, + elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, + 10.141.11.0/24 : 192.168.4.2/31, 10.141.12.0/24 : 192.168.5.10-192.168.5.20 } } diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft new file mode 100644 index 00000000..4be4112b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "elem": [ + { + "elem": { + "val": "192.168.10.35", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "192.168.10.101", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "192.168.10.135", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft index 2145f6b1..d6247868 100644 --- a/tests/shell/testcases/sets/dumps/0048set_counters_0.nft +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft @@ -2,7 +2,8 @@ table ip x { set y { typeof ip saddr counter - elements = { 192.168.10.35 counter packets 0 bytes 0, 192.168.10.101 counter packets 0 bytes 0, + elements = { 192.168.10.35 counter packets 0 bytes 0, + 192.168.10.101 counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 } } diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft new file mode 100644 index 00000000..98ccafd4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft @@ -0,0 +1,92 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "set": { + "family": "inet", + "name": "ip-block-4-test", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "auto-merge": true, + "elem": [ + "1.1.1.1" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 80, + 443 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft index 998b387a..d654420c 100644 --- a/tests/shell/testcases/sets/dumps/0049set_define_0.nft +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft @@ -1,4 +1,11 @@ table inet filter { + set ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = { 1.1.1.1 } + } + chain input { type filter hook input priority filter; policy drop; tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0050set_define_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.nft b/tests/shell/testcases/sets/dumps/0050set_define_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0050set_define_1.nft diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft new file mode 100644 index 00000000..96cb397f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft 
@@ -0,0 +1,83 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "elem": { + "val": { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@s" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft new file mode 100644 index 00000000..1ea8ede6 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0052overlap_0.json-nft @@ -0,0 +1,33 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "w_all", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "auto-merge": true, + "elem": [ + "10.10.10.10", + "10.10.10.253" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.json-nft b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft new file mode 100644 index 00000000..12a5c4b4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0053echo_0.json-nft 
@@ -0,0 +1,101 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "192.168.100.62" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 2001 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft new file mode 100644 index 00000000..a7293922 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0054comments_set_0.json-nft 
@@ -0,0 +1,41 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "comment": "test", + "flags": "interval" + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "comment": "another test", + "map": "ipv4_addr", + "flags": "interval" + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft new file mode 100644 index 00000000..0232ad6f --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.json-nft @@ -0,0 +1,136 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "tcp_good_flags", + "table": "test", + "type": "tcp_flag", + "handle": 0, + "flags": "constant", + "elem": [ + { + "|": [ + "fin", + "ack" + ] + }, + { + "|": [ + "fin", + "ack", + "urg" + ] + }, + { + "|": [ + "fin", + "psh", + "ack" + ] + }, + { + "|": [ + "fin", + "psh", + "ack", + "urg" + ] + }, + "syn", + { + "|": [ + "syn", + "ack" + ] + }, + { + "|": [ + "syn", + "ack", + "urg" + ] + }, + { + "|": [ + "syn", + "psh", + "ack" + ] + }, + { + "|": [ + "syn", + "psh", + "ack", + "urg" + ] + }, + "rst", + { + "|": [ + "rst", + "ack" + ] + }, + { + "|": [ + "rst", + "ack", + "urg" + ] + }, + { + "|": [ + "rst", + "psh", + "ack" + ] + }, + { + "|": [ + "rst", + "psh", + "ack", + "urg" + ] + }, + { + "|": [ + "psh", + "ack" + ] + }, + { + "|": [ + "psh", + "ack", + "urg" + ] + }, + "ack", + { + "|": [ + "ack", + "urg" + ] + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft index ffed5426..22bf5c46 100644 --- a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft +++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft @@ -2,9 +2,9 @@ table ip test { set tcp_good_flags { type tcp_flag flags constant - elements = { fin | psh | ack | urg, fin | psh | ack, fin | ack | urg, fin | ack, syn | psh | ack | urg, - syn | psh | ack, syn | ack | urg, syn | ack, syn, rst | psh | ack | urg, - rst | psh | ack, rst | ack | urg, rst | ack, rst, psh | ack | urg, - psh | ack, ack | urg, ack } + elements = { fin | ack, fin | ack | urg, fin | psh | ack, fin | psh | ack | urg, syn, + syn | ack, syn | ack | urg, syn | psh | ack, syn | psh | ack | urg, rst, + rst | ack, rst | ack | urg, rst | psh | ack, rst | psh | ack | urg, psh | ack, + psh | ack | urg, ack, ack | urg } } } diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft new file mode 100644 index 00000000..79d7257e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.json-nft 
@@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "test", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "elem": [ + "1.1.1.1" + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft new file mode 100644 index 00000000..de43d565 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft @@ -0,0 +1,7 @@ +table inet filter { + set test { + type ipv4_addr + size 65535 + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft new file mode 100644 index 00000000..ac8d8bef --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft @@ -0,0 +1,68 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "ssh_meter", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 2592000 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "add", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 2592000 + } + }, + "set": "@ssh_meter" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft new file mode 100644 index 00000000..16ecdb2a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft @@ -0,0 +1,79 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 3600 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@y", + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + }, + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft index 1b0ffae4..c1cc3b51 100644 --- a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft @@ -8,6 +8,6 @@ table ip x { chain z { type filter hook output priority filter; policy accept; - update @y { ip daddr limit rate 1/second counter } + update @y { ip daddr limit rate 1/second burst 5 packets counter } } } diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft new file mode 100644 index 00000000..1aede147 --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft @@ -0,0 +1,105 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "4.4.4.4", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + }, + { + "elem": { + "val": "5.5.5.5", + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + } + } + ], + "stmt": [ + { + "limit": { + "rate": 1, + "burst": 5, + "per": "second" + } + }, + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft index f23db534..8521e3f7 100644 --- a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft 
@@ -1,9 +1,10 @@ table ip x { set y { type ipv4_addr - limit rate 1/second counter - elements = { 1.1.1.1 limit rate 1/second counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second counter packets 0 bytes 0, - 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 } + limit rate 1/second burst 5 packets counter + elements = { 1.1.1.1 limit rate 1/second burst 5 packets counter packets 0 bytes 0, + 4.4.4.4 limit rate 1/second burst 5 packets counter packets 0 bytes 0, + 5.5.5.5 limit rate 1/second burst 5 packets counter packets 0 bytes 0 } } chain y { diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft new file mode 100644 index 00000000..99805e55 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft 
@@ -0,0 +1,103 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic", + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "1.2.3.4", + "counter": { + "packets": 9, + "bytes": 756 + } + } + }, + { + "elem": { + "val": "2.2.2.2", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + }, + { + "quota": { + "val": 500, + "val_unit": "bytes" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft index ac1bd26b..befc2f75 100644 --- a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft @@ -4,7 +4,8 @@ table ip x { size 65535 flags dynamic counter quota 500 bytes - elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes, + elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, + 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes, 2.2.2.2 counter packets 0 bytes 0 quota 1000 bytes } } 
diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft new file mode 100644 index 00000000..c5591505 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.json-nft @@ -0,0 +1,57 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "range": [ + "1.1.1.1", + "1.1.1.2" + ] + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft new file mode 100644 index 00000000..7a948b1d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.json-nft @@ -0,0 +1,48 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "est-connlimit", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "set": { + "family": "ip", + "name": "new-connlimit", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic", + "stmt": [ + { + "ct count": { + "val": 20, + "inv": true + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft new file mode 100644 index 00000000..13bbb953 --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft @@ -0,0 +1,14 @@ +table ip x { + set est-connlimit { + type ipv4_addr + size 65535 + flags dynamic + } + + set new-connlimit { + type ipv4_addr + size 65535 + flags dynamic + ct count over 20 + } +} diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft new file mode 100644 index 00000000..fcfe9830 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.json-nft @@ -0,0 +1,92 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "elem": { + "val": { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ], + "stmt": [ + { + "counter": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft index f0d42cc2..faa984bd 100644 --- a/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft +++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft 
@@ -2,13 +2,15 @@ table ip x { set y { type ipv4_addr counter - elements = { 1.1.1.1 counter packets 0 bytes 0, * counter packets 0 bytes 0 } + elements = { 1.1.1.1 counter packets 0 bytes 0, + * counter packets 0 bytes 0 } } set z { type ipv4_addr flags interval counter - elements = { 1.1.1.0/24 counter packets 0 bytes 0, * counter packets 0 bytes 0 } + elements = { 1.1.1.0/24 counter packets 0 bytes 0, + * counter packets 0 bytes 0 } } } diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft new file mode 100644 index 00000000..b7496ac8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft 
@@ -0,0 +1,218 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "elem": [ + [ + "10.141.0.1", + "192.168.0.2" + ], + [ + "*", + "192.168.0.4" + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "z", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "ipv4_addr", + "flags": "interval", + "elem": [ + [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + "192.168.0.2" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@z" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + "192.168.0.2" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "prefix": { + "addr": "10.141.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + } + ] + }, + "192.168.0.2" + ], + [ + { + "concat": [ + { + "prefix": { + 
"addr": "192.168.9.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.10.0", + "len": 24 + } + } + ] + }, + "192.168.0.4" + ], + [ + "*", + "192.168.0.3" + ] + ] + } + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft index 890ed2aa..a1bba842 100644 --- a/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft @@ -1,13 +1,15 @@ table ip x { map y { type ipv4_addr : ipv4_addr - elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.4 } + elements = { 10.141.0.1 : 192.168.0.2, + * : 192.168.0.4 } } map z { type ipv4_addr : ipv4_addr flags interval - elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 } + elements = { 10.141.0.0/24 : 192.168.0.2, + * : 192.168.0.3 } } chain y { diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft new file mode 100644 index 00000000..f470adf3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.json-nft 
@@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "foo", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "id" + } + }, + "right": 42 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft new file mode 100644 index 00000000..461c7a73 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft @@ -0,0 +1,6 @@ +table ip x { + chain foo { + accept + icmp type { echo-reply, echo-request } icmp id 42 + } +} diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft index 6af47c66..9ac3774a 100644 --- a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft +++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft @@ -1,10 +1,4 @@ table ip nat { - map ipportmap { - type ipv4_addr : interval ipv4_addr . inet_service - flags interval - elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } - } - map ipportmap2 { type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service flags interval 
@@ -18,14 +12,14 @@ table ip nat { } map ipportmap4 { - type ifname . ipv4_addr : interval ipv4_addr + typeof iifname . ip saddr : interval ip daddr flags interval elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } } map ipportmap5 { - type ifname . ipv4_addr : interval ipv4_addr . inet_service + typeof iifname . ip saddr : interval ip daddr . tcp dport flags interval elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } @@ -33,7 +27,6 @@ table ip nat { chain prerouting { type nat hook prerouting priority dstnat; policy accept; - ip protocol tcp dnat ip to ip saddr map @ipportmap ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2 meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th dnat ip to iifname . ip saddr map @ipportmap4 diff --git a/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft new file mode 100644 index 00000000..3e1584a8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0067nat_interval_0.nft @@ -0,0 +1,13 @@ +table ip nat { + map ipportmap { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, + 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + ip protocol tcp dnat ip to ip saddr map @ipportmap + } +} diff --git a/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump 
diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft new file mode 100644 index 00000000..7868cb33 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.json-nft @@ -0,0 +1,49 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "auto-merge": true, + "elem": [ + { + "range": [ + "1.2.3.0", + "1.2.4.255" + ] + }, + { + "range": [ + "3.3.3.3", + "3.3.3.6" + ] + }, + { + "range": [ + "4.4.4.0", + "4.4.5.0" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft new file mode 100644 index 00000000..588c2b1b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft 
@@ -0,0 +1,124 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "s1", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + }, + { + "prefix": { + "addr": "192.0.0.0", + "len": 2 + } + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "s2", + "table": "t", + "type": "ipv6_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "fe80::", + "len": 10 + } + }, + { + "prefix": { + "addr": "ff00::", + "len": 8 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@s1" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@s2" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0072destroy_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.nft b/tests/shell/testcases/sets/dumps/0072destroy_0.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0072destroy_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft new file mode 100644 index 00000000..e4649a7d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.json-nft @@ -0,0 +1,50 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "TEST", + "table": "filter", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "inet", + "name": "testmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter", + "flags": "interval", + "elem": [ + [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + "TEST" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft new file mode 100644 index 00000000..e4649a7d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.json-nft 
@@ -0,0 +1,50 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "counter": { + "family": "inet", + "name": "TEST", + "table": "filter", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "inet", + "name": "testmap", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter", + "flags": "interval", + "elem": [ + [ + { + "prefix": { + "addr": "192.168.0.0", + "len": 24 + } + }, + "TEST" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/automerge_0.nodump b/tests/shell/testcases/sets/dumps/automerge_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/automerge_0.nodump diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft new file mode 100644 index 00000000..c8ff4347 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.json-nft 
@@ -0,0 +1,53 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "a", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "x", + "table": "a", + "type": "inet_service", + "handle": 0, + "elem": [ + 1, + 2, + 3, + 4, + 5 + ] + } + }, + { + "table": { + "family": "ip6", + "name": "a", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "x", + "table": "a", + "type": "inet_service", + "handle": 0, + "elem": [ + 2 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft index a3244fc6..775f0ab1 100644 --- a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft +++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft @@ -1,7 +1,7 @@ table ip a { set x { type inet_service - elements = { 1, 2 } + elements = { 1, 2, 3, 4, 5 } } } table ip6 a { diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft new file mode 100644 index 00000000..3283f269 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_interval_0.json-nft @@ -0,0 +1,64 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "flags": "interval", + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "set": { + "family": "ip", + "name": "s2", + "table": "t", + "type": [ + "ipv4_addr", + "mark" + ], + "handle": 0, + "flags": "interval", + "elem": [ + { + "concat": [ + "10.10.10.10", + 256 + ] + }, + { + "concat": [ + "20.20.20.20", + 512 + ] + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.nft b/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.nft new file mode 100644 index 00000000..01d76b90 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.nft @@ -0,0 +1,7 @@ +table ip filter { + set test_set { + type iface_index . ether_addr . ipv4_addr + flags interval + elements = { "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890" } + } +} diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft new file mode 100644 index 00000000..9de5b821 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft @@ -0,0 +1,81 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "dlist", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "output", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 1234 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "set": "@dlist" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/elem_limit_0.nft b/tests/shell/testcases/sets/dumps/elem_limit_0.nft new file mode 100644 index 00000000..ca5b2b54 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/elem_limit_0.nft 
@@ -0,0 +1,7 @@ +table netdev filter { + set test123 { + typeof ip saddr + limit rate over 1 mbytes/second + elements = { 1.2.3.4 limit rate over 1 mbytes/second } + } +} diff --git a/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/elem_opts_compat_0.nodump diff --git a/tests/shell/testcases/sets/dumps/errors_0.json-nft b/tests/shell/testcases/sets/dumps/errors_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/errors_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/errors_0.nft b/tests/shell/testcases/sets/dumps/errors_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/errors_0.nft diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft new file mode 100644 index 00000000..7bba69d5 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.json-nft 
@@ -0,0 +1,108 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "1.0.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.0.2.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.0.8.0", + "len": 21 + } + }, + { + "prefix": { + "addr": "1.0.32.0", + "len": 19 + } + }, + { + "prefix": { + "addr": "1.1.0.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.2.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.1.4.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "1.1.8.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.9.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.1.10.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.1.12.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "1.1.16.0", + "len": 20 + } + }, + { + "prefix": { + "addr": "1.1.32.0", + "len": 19 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft new file mode 100644 index 00000000..c903e3fc --- /dev/null +++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft @@ -0,0 +1,13 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 1.0.1.0/24, 1.0.2.0/23, + 1.0.8.0/21, 1.0.32.0/19, + 1.1.0.0/24, 1.1.2.0/23, + 1.1.4.0/22, 1.1.8.0/24, + 1.1.9.0/24, 1.1.10.0/23, + 1.1.12.0/22, 1.1.16.0/20, + 1.1.32.0/19 } + } +} diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft new file mode 100644 index 00000000..581d5340 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft 
@@ -0,0 +1,229 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "netdev", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "set": { + "family": "netdev", + "name": "x", + "table": "x", + "type": { + "typeof": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + } + }, + "handle": 0, + "elem": [ + { + "concat": [ + "3.3.3.3", + "4.4.4.4" + ] + } + ] + } + }, + { + "set": { + "family": "netdev", + "name": "y", + "table": "x", + "type": { + "typeof": { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "tunnel": "vxlan", + 
"protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": "@x" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 4789 + } + }, + { + "set": { + "op": "update", + "elem": { + "payload": { + "tunnel": "vxlan", + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@y" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/meter_0.json-nft b/tests/shell/testcases/sets/dumps/meter_0.json-nft new file mode 100644 index 00000000..c318e4f2 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_0.json-nft 
@@ -0,0 +1,203 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip6", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip6", + "name": "acct_out", + "table": "test", + "type": [ + "iface_index", + "ipv6_addr" + ], + "handle": 0, + "size": 4096, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "set": { + "family": "ip6", + "name": "acct_out2", + "table": "test", + "type": [ + "ipv6_addr", + "iface_index" + ], + "handle": 0, + "size": 12345, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "meta": { + "key": "iif" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + } + ] + }, + "timeout": 600 + } + }, + "set": "@acct_out", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "concat": [ + { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + { + "meta": { + "key": "iif" + } + } + ] + }, + "timeout": 600 + } + }, + "set": "@acct_out2", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "xyz", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "size": 8192, + "flags": [ + "timeout", + "dynamic" + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ 
+ { + "set": { + "op": "update", + "elem": { + "elem": { + "val": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "timeout": 30 + } + }, + "set": "@xyz", + "stmt": [ + { + "counter": null + } + ] + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/meter_0.nft b/tests/shell/testcases/sets/dumps/meter_0.nft new file mode 100644 index 00000000..3843f9a9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_0.nft @@ -0,0 +1,29 @@ +table ip6 test { + set acct_out { + type iface_index . ipv6_addr + size 4096 + flags dynamic,timeout + } + + set acct_out2 { + type ipv6_addr . iface_index + size 12345 + flags dynamic,timeout + } + + chain test { + update @acct_out { iif . ip6 saddr timeout 10m counter } + update @acct_out2 { ip6 saddr . iif timeout 10m counter } + } +} +table ip test { + set xyz { + type ipv4_addr + size 8192 + flags dynamic,timeout + } + + chain test { + update @xyz { ip saddr timeout 30s counter } + } +} diff --git a/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft b/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft new file mode 100644 index 00000000..9210c90b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft 
@@ -0,0 +1,103 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "http1", + "table": "filter", + "type": [ + "inet_service", + "ipv4_addr" + ], + "handle": 0, + "size": 65535, + "flags": "dynamic" + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "set": { + "op": "add", + "elem": { + "concat": [ + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + ] + }, + "set": "@http1", + "stmt": [ + { + "limit": { + "rate": 200, + "burst": 5, + "per": "second", + "inv": true + } + } + ] + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/meter_set_reuse.nft b/tests/shell/testcases/sets/dumps/meter_set_reuse.nft new file mode 100644 index 00000000..f911acaf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/meter_set_reuse.nft @@ -0,0 +1,11 @@ +table ip filter { + set http1 { + type inet_service . ipv4_addr + size 65535 + flags dynamic + } + + chain input { + tcp dport 80 add @http1 { tcp dport . ip saddr limit rate over 200/second burst 5 packets } counter packets 0 bytes 0 drop + } +} diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft new file mode 100644 index 00000000..e1daa8f8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft 
@@ -0,0 +1,33 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "X", + "table": "t", + "type": "inet_service", + "handle": 0, + "flags": "interval", + "elem": [ + 10, + 30, + 35 + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft new file mode 100644 index 00000000..78979e9e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft @@ -0,0 +1,7 @@ +table ip t { + set X { + type inet_service + flags interval + elements = { 10, 30, 35 } + } +} diff --git a/tests/shell/testcases/sets/dumps/reset_command_0.nodump b/tests/shell/testcases/sets/dumps/reset_command_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/reset_command_0.nodump diff --git a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft new file mode 100644 index 00000000..acb2f1f4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft @@ -0,0 +1,48 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "base", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": { + "typeof": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + } + }, + "handle": 0, + "flags": "timeout", + "timeout": 60 + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft new file mode 100644 index 00000000..1edd2ec7 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.nft @@ -0,0 +1,10 @@ +table ip t { + set s { + typeof ip saddr + timeout 1m + } + + chain base { + type filter hook input priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft new file mode 100644 index 00000000..6f4f4c61 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft @@ -0,0 +1,83 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "nat", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "prerouting", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "set": { + "family": "ip", + "name": "set_with_interval", + "table": "nat", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval" + } + }, + { + "rule": { + "family": "ip", + "table": "nat", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "tcp", + "udp" + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 443 + } + }, + { + "dnat": { + "addr": "10.0.0.1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/set_stmt.nft b/tests/shell/testcases/sets/dumps/set_stmt.nft new file mode 100644 index 00000000..71ba7996 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_stmt.nft 
@@ -0,0 +1,66 @@ +table ip x { + set y0 { + type ipv4_addr + counter + elements = { 2.2.2.0 counter packets 3 bytes 4, + 3.3.3.0 counter packets 1 bytes 2, + 5.5.5.0 counter packets 1 bytes 2, + 6.6.6.0 counter packets 3 bytes 4 } + } + + set y1 { + type ipv4_addr + limit rate 1/second burst 5 packets + elements = { 2.2.2.1 limit rate 5/second burst 5 packets, + 3.3.3.1 limit rate 1/second burst 5 packets, + 5.5.5.1 limit rate 1/second burst 5 packets, + 6.6.6.1 limit rate 5/second burst 5 packets } + } + + set y2 { + type ipv4_addr + ct count over 2 + elements = { 2.2.2.2 ct count over 5, + 3.3.3.2 ct count over 2, + 5.5.5.2 ct count over 2, + 6.6.6.2 ct count over 5 } + } + + set y3 { + type ipv4_addr + last + elements = { 2.2.2.3 last used never, + 3.3.3.3 last used never, + 5.5.5.3 last used never, + 6.6.6.3 last used never } + } + + set y4 { + type ipv4_addr + quota over 1000 bytes + elements = { 2.2.2.4 quota over 30000 bytes used 1000 bytes, + 3.3.3.4 quota over 1000 bytes, + 5.5.5.4 quota over 1000 bytes, + 6.6.6.4 quota over 30000 bytes used 1000 bytes } + } + + chain y0 { + ip daddr @y0 + } + + chain y1 { + ip daddr @y1 + } + + chain y2 { + ip daddr @y2 + } + + chain y3 { + ip daddr @y3 + } + + chain y4 { + ip daddr @y4 + } +} diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft new file mode 100644 index 00000000..77ca5086 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft 
@@ -0,0 +1,545 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "testifsets", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmp", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmpc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "do_nothing", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "simple", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "elem": [ + "abcdef0", + "abcdef1", + "othername" + ] + } + }, + { + "set": { + "family": "inet", + "name": "simple_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "flags": "interval", + "elem": [ + "abcdef*", + "othername", + "ppp0" + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + }, + { + "concat": [ + "10.1.2.2", + "abcdef1" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat_wild", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "flags": "interval", + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + }, + { + "concat": [ + "10.1.2.1", + "bar" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "1.1.2.0", + "len": 24 + } + }, + "abcdef0" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "12.2.2.0", + "len": 24 + } + }, + "abcdef*" + ] + } + ] + } + }, + { + "map": { + "family": "inet", + "name": "map_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + 
"map": "verdict", + "flags": "interval", + "elem": [ + [ + "abcdef*", + { + "jump": { + "target": "do_nothing" + } + } + ], + [ + "eth0", + { + "jump": { + "target": "do_nothing" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "eth0", + "abcdef0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "abcdef*", + "eth0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": "@map_wild" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat" + } + }, + { + "counter": { + 
"packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "jump": { + "target": "v4icmp" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "goto": { + "target": "v4icmpc" + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft new file mode 100644 index 00000000..e22213ea --- /dev/null +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft @@ -0,0 +1,114 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s1", + "table": "t", + "type": [ + "ipv4_addr", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 10800 + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "10.180.0.4", + 80 + ] + }, + "set": "@s1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "1.2.3.4", + 80 + ] + }, + "right": "@s1" + } + }, + { + "goto": { + "target": "c1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.nft b/tests/shell/testcases/sets/dumps/type_set_symbol.nft new file mode 100644 index 00000000..21209f6d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.nft 
@@ -0,0 +1,16 @@
+table ip t {
+	set s1 {
+		type ipv4_addr . ipv4_addr . inet_service
+		size 65535
+		flags dynamic,timeout
+		timeout 3h
+	}
+
+	chain c1 {
+		update @s1 { ip saddr . 10.180.0.4 . 80 }
+	}
+
+	chain c2 {
+		ip saddr . 1.2.3.4 . 80 @s1 goto c1
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
index 499ff167..4d6abaaa 100644
--- a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
+++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
@@ -6,7 +6,7 @@ table inet t {
 	}
 
 	chain y {
-		ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
-		ip daddr . @ih,32,32 @y
+		ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+		ip daddr . @nh,32,32 @y
 	}
 }
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
index 6f5b83af..34aaab60 100644
--- a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
@@ -55,6 +55,22 @@ table inet t {
 		elements = { 3567 . 1.2.3.4 }
 	}
 
+	set s12 {
+		typeof iifname . ip saddr . meta ipsec
+		elements = { "eth0" . 10.1.1.2 . exists }
+	}
+
+	set s13 {
+		typeof tcp option mptcp subtype
+		elements = { mp-join, dss }
+	}
+
+	set s14 {
+		typeof tcp option mptcp subtype . ip daddr
+		elements = { remove-addr . 10.1.1.1,
+			     mp-join . 10.1.1.2 }
+	}
+
 	chain c1 {
 		osf name @s1 accept
 	}
@@ -94,4 +110,16 @@ table inet t {
 	chain c11 {
 		vlan id . ip saddr @s11 accept
 	}
+
+	chain c12 {
+		iifname . ip saddr . meta ipsec @s12 accept
+	}
+
+	chain c13 {
+		tcp option mptcp subtype @s13 accept
+	}
+
+	chain c14 {
+		tcp option mptcp subtype . ip saddr @s14 accept
+	}
 }
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
index dbaf7cdc..348b5848 100644
--- a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
@@ -10,3 +10,14 @@ table netdev t {
 		ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return
 	}
 }
+table ip t {
+	set s {
+		typeof ipsec in reqid . iif
+		size 16
+		flags interval
+	}
+
+	chain c2 {
+		ipsec in reqid . "lo" @s
+	}
+}
diff --git a/tests/shell/testcases/sets/elem_limit_0 b/tests/shell/testcases/sets/elem_limit_0
new file mode 100755
index 00000000..b57f9274
--- /dev/null
+++ b/tests/shell/testcases/sets/elem_limit_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+## requires EXPR
+
+set -e
+
+RULESET="table netdev filter {
+	set test123 {
+		typeof ip saddr
+		limit rate over 1024 kbytes/second
+		elements = { 1.2.3.4 limit rate over 1024 kbytes/second }
+	}
+}"
+
+$NFT -f - <<< $RULESET
+
+(echo "flush ruleset netdev"; $NFT --stateless list ruleset netdev) | $NFT -f -
diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0
new file mode 100755
index 00000000..7563773e
--- /dev/null
+++ b/tests/shell/testcases/sets/elem_opts_compat_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
+# ordering of element options and expressions has changed, make sure parser
+# accepts both ways
+
+set -e
+
+$NFT -f - <<EOF
+table t {
+	set s {
+		type inet_service
+		counter;
+		timeout 30s;
+	}
+}
+EOF
+
+check() {
+	out=$($NFT list ruleset)
+	secs=$(sed -n 's/.*expires \([0-9]\+\)s.*/\1/p' <<< "$out")
+	[[ $secs -lt 11 ]]
+	grep -q 'counter packets 10 bytes 20' <<< "$out"
+}
+
+$NFT add element t s '{ 23 counter packets 10 bytes 20 expires 10s }'
+check
+$NFT flush set t s
+$NFT add element t s '{ 42 expires 10s counter packets 10 bytes 20 }'
+check
diff --git a/tests/shell/testcases/sets/inner_0 b/tests/shell/testcases/sets/inner_0
index 0eb172a8..39d91bd9 100755
--- a/tests/shell/testcases/sets/inner_0
+++ b/tests/shell/testcases/sets/inner_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inner_matching)
+
 set -e
 
 RULESET="table netdev x {
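Review bot: The `## requires EXPR` marker on line 3 of elem_limit_0 does not follow the `# NFT_TEST_REQUIRES(NFT_TEST_HAVE_…)` form used by the other new tests in this series (elem_opts_compat_0, inner_0), so if the harness keys its skip logic off that pattern, this test will run and fail on kernels without set-element expression support instead of being skipped. It reads like a placeholder left behind; `# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)` is presumably the intended gate for a `limit` stored in set elements. Also `$NFT -f - <<< $RULESET` should quote the variable, `$NFT -f - <<< "$RULESET"`, as reset_command_0 in the same diff does; bash here-strings do not word-split, but the unquoted form relies on that detail.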
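Review bot: `[[ $secs -lt 11 ]]` in check() is vacuously true when `secs` is empty, because bash evaluates an empty `-lt` operand as 0, so if the listing ever lacks an `expires …s` field the timeout half of this test passes silently; `set -e` does not help because the comparison succeeds rather than fails. Guard the extraction before comparing, `[[ -n $secs && $secs -lt 11 ]]`, and since the sed is applied to the whole `list ruleset` output, restrict it to the element line or assert a single match so a second `expires` cannot produce a multi-line value that breaks the arithmetic. A one-line comment above check() stating that it expects exactly one element with a sub-11s expiry and the given counter values would make the two `check` calls self-explanatory.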
diff --git a/tests/shell/testcases/sets/interval_size b/tests/shell/testcases/sets/interval_size
new file mode 100755
index 00000000..55a6cd49
--- /dev/null
+++ b/tests/shell/testcases/sets/interval_size
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_rbtree_size_limit)
+
+RULESET="table inet x {
+	set x {
+		typeof ip saddr
+		flags interval
+		auto-merge
+		size 1
+	}
+
+	set y {
+		typeof ip saddr
+		flags interval
+		size 1
+	}
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT add element inet x x '{ 0.0.0.0, 255.255.255.255 }' && exit 1
+$NFT add element inet x x '{ 0.0.0.0 }' || exit 1
+$NFT add element inet x x '{ 255.255.255.0/24 }' && exit 1
+$NFT delete element inet x x '{ 0.0.0.0 }' || exit 1
+$NFT add element inet x x '{ 255.255.255.0/24 }' || exit 1
+$NFT add element inet x x '{ 0.0.0.0 }' && exit 1
+$NFT add element inet x x '{ 0.0.0.0-255.255.255.0 }' || exit 1
+$NFT delete element inet x x '{ 1.1.1.1 }' && exit 1
+$NFT delete element inet x x '{ 0.0.0.0/0 }' || exit 1
+$NFT add element inet x x '{ 255.255.255.0/24 }' || exit 1
+$NFT add element inet x x '{ 0.0.0.0 }' && exit 1
+
+$NFT add element inet x y '{ 0.0.0.0, 255.255.255.255 }' && exit 1
+$NFT add element inet x y '{ 0.0.0.0 }' || exit 1
+$NFT add element inet x y '{ 255.255.255.0/24 }' && exit 1
+$NFT delete element inet x y '{ 0.0.0.0 }' || exit 1
+$NFT add element inet x y '{ 255.255.255.0/24 }' || exit 1
+$NFT add element inet x y '{ 0.0.0.0 }' && exit 1
+$NFT add element inet x y '{ 0.0.0.0-255.255.255.0 }' && exit 1
+$NFT delete element inet x y '{ 255.255.255.0/24 }' || exit 1
+$NFT add element inet x y '{ 0.0.0.0 }' || exit 1
+$NFT add element inet x y '{ 255.255.255.255 }' && exit 1
+exit 0
diff --git a/tests/shell/testcases/sets/interval_size_random b/tests/shell/testcases/sets/interval_size_random
new file mode 100755
index 00000000..3320b512
--- /dev/null
+++ b/tests/shell/testcases/sets/interval_size_random
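Review bot: The initial `$NFT -f - <<< $RULESET` has no exit check and the script does not use `set -e`, so if the two sets fail to load the failure is only reported by the first `|| exit 1` on an `add element` line, which points at the wrong command; write it as `$NFT -f - <<< "$RULESET" || exit 1`. The twenty-one expected pass/fail lines are hard to read without a note on what they pin: the visible assertions show set x (with `auto-merge`) accepting `0.0.0.0-255.255.255.0` once `255.255.255.0/24` is present, while set y rejects the same add, so a two-line comment above each block such as `# size 1: a second disjoint interval must be rejected; auto-merge lets an overlapping range collapse into the existing one` would document the intent without changing behaviour. The interpretation of auto-merge there is inferred from the expected results, not from this file, so word it accordingly.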
@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_rbtree_size_limit)
+
+generate_ip() {
+	local first=($1)
+	echo -n "$first.$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256))"
+}
+
+ip_to_int() {
+	local IFS='.'
+	local ip=($1)
+	printf '%d' "$((${ip[0]}<<24 | ${ip[1]}<<16 | ${ip[2]}<<8 | ${ip[3]}))"
+}
+
+compare_ips() {
+	local ip1=$(ip_to_int $1)
+	local ip2=$(ip_to_int $2)
+	if [ "$ip1" -lt "$ip2" ]; then
+		echo "$1"
+	elif [ "$ip1" -gt "$ip2" ]; then
+		echo "$2"
+	else
+		echo "$1"
+	fi
+}
+
+generate_range() {
+	start=$(generate_ip $1)
+	end=$(generate_ip $1)
+	result=$(compare_ips $start $end)
+	if [[ "$result" != "$start" ]]
+	then
+		temp=$start
+		start=$end
+		end=$temp
+	fi
+	echo -n "$start-$end"
+}
+
+generate_prefix() {
+	prefix=$(generate_ip $1 | cut -d. -f1-3)
+	echo -n "$prefix.0/24"
+}
+
+generate_intervals() {
+	echo "define x = {"
+	# not so random, first octet in IP address is $i, this cannot go over 255
+	iter=$((RANDOM % 255 + 1))
+
+	[ $(($RANDOM % 2)) -eq 0 ] && echo "0.0.0.0,"
+
+	for ((i=0; i<iter; i++)); do
+		case $((RANDOM % 3)) in
+		0) generate_ip $i;;
+		1) generate_range $i;;
+		2) generate_prefix $i;;
+		esac
+		echo ","
+	done
+
+	[ $(($RANDOM % 2)) -eq 0 ] && echo "255.255.255.255,"
+
+	echo "}"
+}
+
+run_test() {
+	local count=($1)
+	local elems=($2)
+	local ruleset=($3)
+	echo "table inet x {
+		set y {
+			include \"$elems\"
+			typeof ip saddr
+			flags interval
+			size $count
+			elements = { \$x }
+		}
+	}" > $ruleset
+}
+
+count_elems() {
+	local elems=($2)
+	count=$(wc -l $elems_file | cut -f1 -d' ')
+	# subtract enclosing define lines
+	count=$(($count-2))
+	echo $count
+}
+
+elems_file=$(mktemp /tmp/elems-XXXXX.nft)
+ruleset_file=$(mktemp /tmp/ruleset-XXXXX.nft)
+
+if [ ! -w "$elems_file" ] ; then
+	# cwd might be readonly, mark as skip.
+	echo "Failed to create tmp file" >&2
+	exit 77
+fi
+
+trap "rm -rf $elems_file $ruleset_file" EXIT
+
+generate_intervals > $elems_file
+count=$(count_elems $elems_file)
+
+run_test $count $elems_file $ruleset_file
+$NFT -f $ruleset_file || exit 1
+
+$NFT flush ruleset
+
+# subtract 1 to size, too small, it should fail
+count=$(($count-1))
+
+run_test $count $elems_file $ruleset_file
+$NFT -f $ruleset_file && exit 1
+
+exit 0
diff --git a/tests/shell/testcases/sets/meter_0 b/tests/shell/testcases/sets/meter_0
new file mode 100755
index 00000000..82e6f20a
--- /dev/null
+++ b/tests/shell/testcases/sets/meter_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip6 test {
+	chain test {
+		meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter }
+		meter acct_out2 size 12345 { ip6 saddr . meta iif timeout 600s counter }
+	}
+}
+
+table ip test {
+	chain test {
+		meter xyz size 8192 { ip saddr timeout 30s counter}
+	}
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/meter_set_reuse b/tests/shell/testcases/sets/meter_set_reuse
new file mode 100755
index 00000000..94eccc1a
--- /dev/null
+++ b/tests/shell/testcases/sets/meter_set_reuse
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+addrule()
+{
+	$NFT add rule ip filter input tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
+}
+
+$NFT add table filter
+$NFT add chain filter input
+addrule
+
+$NFT list meters
+
+# This used to remove the anon set, but not anymore
+$NFT flush chain filter input
+
+# This re-add should work.
+addrule
diff --git a/tests/shell/testcases/sets/range_with_same_start_end b/tests/shell/testcases/sets/range_with_same_start_end
new file mode 100755
index 00000000..127f0921
--- /dev/null
+++ b/tests/shell/testcases/sets/range_with_same_start_end
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f - <<EOF
+table ip t {
+	set X {
+		type inet_service
+		flags interval
+		elements = { 10, 30-30, 30, 35 }
+	}
+}
+EOF
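Review bot: `count_elems()` declares `local elems=($2)` but is called with a single argument (`count_elems $elems_file`) and then reads the global `$elems_file` in `wc -l`, so the parameter is dead and the function silently depends on the global; use `local elems=$1` and `count=$(wc -l < "$elems")`. The `-w` check after the two `mktemp` calls only covers `$elems_file`: if the second `mktemp` fails, `$ruleset_file` is empty and the `> $ruleset` redirect in run_test() errors out as a test failure rather than the intended skip (77), so check both files. `trap "rm -rf $elems_file $ruleset_file" EXIT` expands the names unquoted at definition time; `trap 'rm -f -- "$elems_file" "$ruleset_file"' EXIT` is the safer form, and `local count=($1)` / `local elems=($2)` / `local ruleset=($3)` store scalars in one-element arrays for no reason.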
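Review bot: The comment `# This used to remove the anon set, but not anymore` names the behaviour under test, but nothing asserts it: `$NFT list meters` runs before the flush with its output discarded, and after `flush chain filter input` the only check is that `addrule` succeeds, which would also hold if the set had been removed and simply re-created. If the point is that the meter's backing set survives the chain flush, pin it after the flush, e.g. `$NFT list meters | grep -q http1` (assuming `list meters` shows the named set `http1`, which I infer from the `meter http1` syntax rather than from this file). The `{ … }` in addrule() is passed to nft as bare words; quoting the meter body would make that deliberate rather than incidental.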
diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0
new file mode 100755
index 00000000..c59cc56d
--- /dev/null
+++ b/tests/shell/testcases/sets/reset_command_0
@@ -0,0 +1,137 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_set)
+
+set -e
+
+trap '[[ $? -eq 0 ]] || echo FAIL' EXIT
+
+RULESET="table t {
+	set s {
+		type ipv4_addr . inet_proto . inet_service
+		flags interval, timeout
+		counter
+		timeout 30m
+		elements = {
+			1.0.0.1 . udp . 53 counter packets 5 bytes 30 expires 20m,
+			2.0.0.2 . tcp . 22 counter packets 10 bytes 100 timeout 15m expires 10m
+		}
+	}
+
+	set s2 {
+		type ipv4_addr
+		flags interval, timeout
+		counter
+		timeout 30m
+		elements = {
+			1.0.0.1 counter packets 5 bytes 30 expires 20m,
+			1.0.1.1-1.0.1.10 counter packets 5 bytes 30 expires 20m,
+			2.0.0.2 counter packets 10 bytes 100 timeout 15m expires 10m
+		}
+	}
+
+	map m {
+		type ipv4_addr : ipv4_addr
+		quota 50 bytes
+		elements = {
+			1.2.3.4 quota 50 bytes used 10 bytes : 10.2.3.4,
+			5.6.7.8 quota 100 bytes used 50 bytes : 50.6.7.8
+		}
+	}
+
+	map m1 {
+		type ipv4_addr : ipv4_addr
+		counter
+		timeout 30m
+		elements = {
+			1.2.3.4 counter packets 5 bytes 30 expires 20m : 10.2.3.4,
+			5.6.7.8 counter packets 10 bytes 100 timeout 15m expires 10m : 50.6.7.8
+		}
+	}
+
+	map m2 {
+		type ipv4_addr : ipv4_addr
+		flags interval, timeout
+		counter
+		timeout 30m
+		elements = {
+			1.2.3.4-1.2.3.10 counter packets 5 bytes 30 expires 20m : 10.2.3.4,
+			5.6.7.8-5.6.7.10 counter packets 10 bytes 100 timeout 15m expires 10m : 50.6.7.8
+		}
+	}
+}"
+
+echo -n "applying test ruleset: "
+$NFT -f - <<< "$RULESET"
+echo OK
+
+drop_seconds() {
+	sed 's/[0-9]\+m\?s//g'
+}
+expires_minutes() {
+	sed -n 's/.*expires \([0-9]*\)m.*/\1/p'
+}
+
+get_and_reset()
+{
+	local setname="$1"
+	local key="$2"
+
+	echo -n "get set elem matches reset set elem in set $setname: "
+
+	elem="element t $setname { $key }"
+	echo $NFT get $elem
+	$NFT get $elem
+	[[ $($NFT "get $elem ; reset $elem" | \
+		grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]]
+	echo OK
+
+	echo -n "counters are reset, expiry left alone in set $setname: "
+	NEW=$($NFT "get $elem")
+	echo NEW $NEW
+	grep -q 'counter packets 0 bytes 0' <<< "$NEW"
+	[[ $(expires_minutes <<< "$NEW") -lt 20 ]]
+	echo OK
+}
+
+get_and_reset "s" "1.0.0.1 . udp . 53"
+get_and_reset "s2" "1.0.0.1"
+get_and_reset "s2" "1.0.1.1-1.0.1.10"
+get_and_reset "m1" "1.2.3.4"
+get_and_reset "m2" "1.2.3.4-1.2.3.10"
+
+echo -n "get map elem matches reset map elem: "
+elem='element t m { 1.2.3.4 }'
+[[ $($NFT "get $elem ; reset $elem" | \
+	grep 'elements = ' | uniq | wc -l) == 1 ]]
+echo OK
+
+echo -n "quota value is reset: "
+$NFT get element t m '{ 1.2.3.4 }' | grep -q 'quota 50 bytes : 10.2.3.4'
+echo OK
+
+echo -n "other elements remain the same: "
+OUT=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }')
+grep -q 'counter packets 10 bytes 100 timeout 15m' <<< "$OUT"
+VAL=$(expires_minutes <<< "$OUT")
+[[ $val -lt 10 ]]
+$NFT get element t m '{ 5.6.7.8 }' | grep -q 'quota 100 bytes used 50 bytes'
+echo OK
+
+echo -n "list set matches reset set: "
+EXP=$($NFT list set t s | drop_seconds)
+OUT=$($NFT reset set t s | drop_seconds)
+$DIFF -u <(echo "$EXP") <(echo "$OUT")
+echo OK
+
+echo -n "list map matches reset map: "
+EXP=$($NFT list map t m)
+OUT=$($NFT reset map t m)
+$DIFF -u <(echo "$EXP") <(echo "$OUT")
+echo OK
+
+echo -n "remaining elements are reset: "
+OUT=$($NFT list ruleset)
+grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT"
+grep -q '5.6.7.8 quota 100 bytes : 50.6.7.8' <<< "$OUT"
+echo OK
diff --git a/tests/shell/testcases/sets/set_element_timeout_updates b/tests/shell/testcases/sets/set_element_timeout_updates
new file mode 100755
index 00000000..4bf6c7c3
--- /dev/null
+++ b/tests/shell/testcases/sets/set_element_timeout_updates
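Review bot: In the "other elements remain the same" block, `VAL=$(expires_minutes <<< "$OUT")` is followed by `[[ $val -lt 10 ]]` with a different case, so the test compares an unset variable, which bash evaluates as 0, and the expiry check always passes; change it to `[[ -n $VAL && $VAL -lt 10 ]]`. The same empty-operand behaviour makes `[[ $(expires_minutes <<< "$NEW") -lt 20 ]]` in get_and_reset() succeed when no `expires` is printed at all, so capture it into a variable and check `-n` there too. `set -e` catches neither case because the comparisons succeed rather than fail, and the `echo $NFT get $elem` / `echo NEW $NEW` debug lines should quote their expansions or be dropped now that the test works.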
@@ -0,0 +1,120 @@
+#!/bin/bash
+#
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_elem_timeout_update)
+#
+
+assert_fail()
+{
+	ret=$1
+
+	if [ $ret -eq 0 ];then
+		echo "subtest should have failed: $2"
+		exit 111
+	fi
+}
+
+assert_ok()
+{
+	ret=$1
+
+	if [ $ret -ne 0 ];then
+		echo "subtest should have passed: $2"
+		exit 111
+	fi
+}
+
+
+$NFT -f - <<EOF
+table t {
+	set s {
+		typeof ip saddr
+		timeout 1m
+		elements = { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
+	}
+
+	chain base {
+		type filter hook input priority 0
+	}
+}
+EOF
+
+for i in 1 2 3;do
+	$NFT get element t s "{ 10.0.0.$i }"
+	assert_ok $? "get element $i"
+done
+
+# first, bogus updates to trigger abort path with updates.
+$NFT -f - <<EOF
+add element t s { 10.0.0.2 timeout 2m }
+create element t s { 10.0.0.1 }
+add element t s { 10.0.0.3 timeout 3m }
+EOF
+assert_fail $? "abort due to existing element"
+
+$NFT -f - <<EOF
+add chain t a
+add element t s { 10.0.0.1 timeout 1m }
+add element t s { 10.0.0.2 timeout 2m }
+add element t s { 10.0.0.3 timeout 3m }
+add chain t b
+add rule t a jump b
+add rule t b jump a
+add rule t base jump a
+EOF
+assert_fail $? "abort due to chainloop"
+
+$NFT -f - <<EOF
+add element t s { 10.0.0.1 expires 2m }
+EOF
+assert_fail $? "expire larger than timeout"
+
+$NFT -f - <<EOF
+add element t s { 10.0.0.1 timeout 1s }
+add element t s { 10.0.0.2 timeout 1s }
+add element t s { 10.0.0.3 timeout 1s }
+add element t s { 10.0.0.4 expires 2m }
+EOF
+assert_fail $? "abort because expire too large"
+
+# check timeout update had no effect
+sleep 1
+for i in 1 2 3;do
+	$NFT get element t s "{ 10.0.0.$i }"
+	assert_ok $? "get element $i after aborted update"
+done
+
+# adjust timeouts upwards.
+$NFT -f - <<EOF
+add element t s { 10.0.0.1 timeout 1m }
+add element t s { 10.0.0.2 timeout 2m }
+add element t s { 10.0.0.3 timeout 3m }
+EOF
+assert_ok $? "upwards adjust"
+
+for i in 1 2 3;do
+	$NFT get element t s "{ 10.0.0.$i }"
+	assert_ok $? "get element $i"
+done
+
+# insert 4th element with timeout larger than set default
+$NFT -f - <<EOF
+add element t s { 10.0.0.4 timeout 2m expires 2m }
+EOF
+$NFT get element t s "{ 10.0.0.4 }"
+assert_ok $? "get element 4"
+
+# adjust timeouts downwards
+$NFT -f - <<EOF
+add element t s { 10.0.0.1 timeout 1s }
+add element t s { 10.0.0.2 timeout 2s expires 1s }
+add element t s { 10.0.0.3 expires 1s }
+add element t s { 10.0.0.4 timeout 4m expires 1s }
+EOF
+assert_ok $?
+
+sleep 1
+
+for i in 1 2 3;do
+	$NFT get element t s "{ 10.0.0.$i }"
+	assert_fail $?
+done
diff --git a/tests/shell/testcases/sets/set_stmt b/tests/shell/testcases/sets/set_stmt
new file mode 100755
index 00000000..0433b676
--- /dev/null
+++ b/tests/shell/testcases/sets/set_stmt
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+test_set_stmt() {
+	local i=$1
+	local stmt1=$2
+	local stmt2=$3
+
+	RULESET="table x {
+	set y$i {
+		type ipv4_addr
+		$stmt1
+		elements = { 5.5.5.$i $stmt1,
+			     6.6.6.$i $stmt2 }
+	}
+	chain y$i {
+		ip daddr @y$i
+	}
+}"
+
+	$NFT -f - <<< $RULESET
+	# should work
+	if [ $? -ne 0 ]
+	then
+		exit 1
+	fi
+
+	# should work
+	$NFT add element x y$i { 2.2.2.$i $stmt2 }
+	if [ $? -ne 0 ]
+	then
+		exit 1
+	fi
+
+	# should work
+	$NFT add element x y$i { 3.3.3.$i }
+	if [ $? -ne 0 ]
+	then
+		exit 1
+	fi
+}
+
+test_set_stmt "0" "counter packets 1 bytes 2" "counter packets 3 bytes 4"
+test_set_stmt "1" "limit rate 1/second" "limit rate 5/second"
+test_set_stmt "2" "ct count over 2" "ct count over 5"
+test_set_stmt "3" "last" "last"
+test_set_stmt "4" "quota over 1000 bytes" "quota over 30000 bytes used 1000 bytes"
+
+exit 0
diff --git a/tests/shell/testcases/sets/sets_with_ifnames b/tests/shell/testcases/sets/sets_with_ifnames
index 9531c856..c65499b7 100755
--- a/tests/shell/testcases/sets/sets_with_ifnames
+++ b/tests/shell/testcases/sets/sets_with_ifnames
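Review bot: The last two assertions in set_element_timeout_updates, `assert_ok $?` after the downward adjust and `assert_fail $?` in the final loop, pass no description, so a failure prints `subtest should have passed: ` with nothing after the colon; give them messages such as `assert_ok $? "downwards adjust"` and `assert_fail $? "element $i should have expired"`. The initial ruleset load (`$NFT -f - <<EOF` / `table t {`) is also unchecked, so if it fails every later `get element` fails for the wrong reason; follow it with `assert_ok $? "load ruleset"`. `sleep 1` against elements given `timeout 1s` or `expires 1s` sits exactly on the boundary, so if the expiry checks prove flaky a 2s sleep is the cheap fix; and since the script deliberately avoids `set -e` in favour of `$?`-based asserts, a one-line comment saying so would stop someone from adding it.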
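Review bot: Each of the three checks in test_set_stmt() spells `cmd` / `if [ $? -ne 0 ]` / `then` / `exit 1` / `fi` over five lines, with the same `# should work` comment three times; the idiomatic form is `$NFT -f - <<< "$RULESET" || exit 1`, `$NFT add element x y$i "{ 2.2.2.$i $stmt2 }" || exit 1`, `$NFT add element x y$i "{ 3.3.3.$i }" || exit 1`. That also quotes the here-string and the element spec, whose braces are currently passed as bare words and only work because bash treats `{`/`}` as reserved in command position alone. A header comment stating what is verified — that a set-level stateful statement can be declared, overridden per element, and left implicit for elements added without one — would help, since the output itself is presumably compared by the harness against the companion dumps/set_stmt.nft rather than by this script.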
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
 dumpfile=$(dirname $0)/dumps/$(basename $0).nft
 
 [ -z "$NFT" ] && exit 111
@@ -103,10 +105,67 @@ check_matching_icmp_ppp()
 	fi
 }
 
+check_add_del_ifnames()
+{
+	local what="$1"
+	local setname="$2"
+	local prefix="$3"
+	local data="$4"
+	local i=0
+
+	for i in $(seq 1 5);do
+		local cmd="element inet testifsets $setname { "
+		local to_batch=16
+
+		for j in $(seq 1 $to_batch);do
+			local name=$(printf '"%x-%d"' $i $j)
+
+			[ -n "$prefix" ] && cmd="$cmd $prefix . "
+
+			cmd="$cmd $name"
+
+			[ -n "$data" ] && cmd="$cmd : $data"
+
+			if [ $j -lt $to_batch ] ; then
+				cmd="$cmd, "
+			fi
+		done
+
+		cmd="$cmd }"
+
+		if ! $NFT "$what" "$cmd"; then
+			echo "$what $cmd failed."
+			$NFT list set inet testifsets $setname
+			exit 1
+		fi
+
+		if ! ip netns exec "$ns1" $NFT "$what" "$cmd"; then
+			echo "$ns1 $what $cmd failed."
+			ip netns exec "$ns1" $NFT list set inet testifsets $setname
+			exit 1
+		fi
+	done
+}
+
+check_add_ifnames()
+{
+	check_add_del_ifnames "add" "$1" "$2" "$3"
+}
+
+check_del_ifnames()
+{
+	check_add_del_ifnames "delete" "$1" "$2" "$3"
+}
+
 ip netns add "$ns1" || exit 111
 ip netns add "$ns2" || exit 111
 
 ip netns exec "$ns1" $NFT -f "$dumpfile" || exit 3
+check_add_ifnames "simple" "" ""
+check_add_ifnames "simple_wild" "" ""
+check_add_ifnames "concat" "10.1.2.2" ""
+check_add_ifnames "map_wild" "" "drop"
+
 for n in abcdef0 abcdef1 othername;do
 	check_elem simple $n
 done
@@ -148,3 +207,8 @@ ip -net "$ns2" addr add 10.1.2.2/24 dev veth0
 ip -net "$ns2" addr add 10.2.2.2/24 dev veth1
 
 check_matching_icmp_ppp
+
+check_del_ifnames "simple" "" ""
+check_del_ifnames "simple_wild" "" ""
+check_del_ifnames "concat" "10.1.2.2" ""
+check_del_ifnames "map_wild" "" "drop"
diff --git a/tests/shell/testcases/sets/type_set_symbol b/tests/shell/testcases/sets/type_set_symbol
new file mode 100755
index 00000000..07820b7c
--- /dev/null
+++ b/tests/shell/testcases/sets/type_set_symbol
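Review bot: In check_add_del_ifnames() the inner loop variable `j` is never declared `local` (only `i` is), so it leaks into the caller's scope, and `local cmd=…`, `local to_batch=16` and `local name=$(printf …)` re-run `local` on every iteration. Declare `local i j cmd to_batch name` once at the top, and replace `$(seq 1 5)` / `$(seq 1 $to_batch)` with `for ((i = 1; i <= 5; i++))` and `for ((j = 1; j <= to_batch; j++))` to drop the forks. The failure messages `echo "$what $cmd failed."` go to stdout; appending `>&2` keeps the diagnostic out of any captured output. The `$ns1` variable and the `check_elem` helper used here are defined outside this hunk.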
@@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/typeof_raw_0 b/tests/shell/testcases/sets/typeof_raw_0 index 36396b5c..66042eb4 100755 --- a/tests/shell/testcases/sets/typeof_raw_0 +++ b/tests/shell/testcases/sets/typeof_raw_0 @@ -7,8 +7,8 @@ EXPECTED="table inet t { } chain y { - ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } - ip daddr . @ih,32,32 @y + ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } + ip daddr . @nh,32,32 @y } }" diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0 index 9f777a8c..ef2726db 100755 --- a/tests/shell/testcases/sets/typeof_sets_0 +++ b/tests/shell/testcases/sets/typeof_sets_0 @@ -4,12 +4,78 @@ # s1 and s2 are identical, they just use different # ways for declaration. -EXPECTED="table inet t { +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_ip_options) + +set -e + +die() { + printf '%s\n' "$*" + exit 1 +} + +INPUT_OSF_SET=" set s1 { typeof osf name elements = { \"Linux\" } } +" + +INPUT_FRAG_SET=" + set s4 { + typeof frag frag-off + elements = { 1, 1024 } + } +" +INPUT_VERSION_SET=" + set s8 { + typeof ip version + elements = { 4, 6 } + } +" + +INPUT_OSF_CHAIN=" + chain c1 { + osf name @s1 accept + } +" + +INPUT_FRAG_CHAIN=" + chain c4 { + frag frag-off @s4 accept + } +" + +INPUT_SCTP_CHAIN=" + chain c7 { + sctp chunk init num-inbound-streams @s7 accept + } +" +INPUT_VERSION_CHAIN=" + chain c8 { + ip version @s8 accept + } +" + +if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then + INPUT_SCTP_CHAIN= +fi + +if [ "$NFT_TEST_HAVE_bitshift" = n ] ; then + INPUT_FRAG_CHAIN= + INPUT_VERSION_CHAIN= +fi + +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + if [ "$((RANDOM % 2))" -eq 1 ] ; then + # Regardless of $NFT_TEST_HAVE_osf, we can define the set. + # Randomly do so. + INPUT_OSF_SET= + fi + INPUT_OSF_CHAIN= +fi + +INPUT="table inet t {$INPUT_OSF_SET set s2 { typeof vlan id elements = { 2, 3, 103 } 
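Review bot: The new `if [ "$((RANDOM % 2))" -eq 1 ]` branch in typeof_sets_0 makes the generated INPUT differ from run to run when `NFT_TEST_HAVE_osf=n`, so a failure in that configuration cannot be reproduced from the log alone; at minimum echo the choice, e.g. `echo "NFT_TEST_HAVE_osf=n: dropping s1 from INPUT"` next to `INPUT_OSF_SET=`, or derive it from a fixed seed the harness controls. `die()` prints its message to stdout; as an error path it should be `printf '%s\n' "$*" >&2`. This hunk only builds the `INPUT_*` fragments and the start of `INPUT`; the EXPECTED string and the `$DIFF` comparison that consume them are in the later hunks of this file.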
@@ -18,12 +84,7 @@ EXPECTED="table inet t { set s3 { typeof meta ibrpvid elements = { 2, 3, 103 } - } - - set s4 { - typeof frag frag-off - elements = { 1, 1024 } - } + }$INPUT_FRAG_SET set s5 { typeof ip option ra value @@ -38,12 +99,7 @@ EXPECTED="table inet t { set s7 { typeof sctp chunk init num-inbound-streams elements = { 1, 4 } - } - - set s8 { - typeof ip version - elements = { 4, 6 } - } + }$INPUT_VERSION_SET set s9 { typeof ip hdrlength @@ -59,19 +115,25 @@ EXPECTED="table inet t { typeof vlan id . ip saddr elements = { 3567 . 1.2.3.4 } } + set s12 { + typeof meta iifname . ip saddr . meta ipsec + elements = { \"eth0\" . 10.1.1.2 . 1 } + } - chain c1 { - osf name @s1 accept + set s13 { + typeof tcp option mptcp subtype + elements = { mp-join, dss } } + set s14 { + typeof tcp option mptcp subtype . ip daddr + elements = { remove-addr . 10.1.1.1, mp-join . 10.1.1.2 } + } +$INPUT_OSF_CHAIN chain c2 { ether type vlan vlan id @s2 accept } - - chain c4 { - frag frag-off @s4 accept - } - +$INPUT_FRAG_CHAIN chain c5 { ip option ra value @s5 accept } 
@@ -79,28 +141,142 @@ EXPECTED="table inet t { chain c6 { tcp option maxseg size @s6 accept } +$INPUT_SCTP_CHAIN +$INPUT_VERSION_CHAIN + chain c9 { + ip hdrlength @s9 accept + } - chain c7 { - sctp chunk init num-inbound-streams @s7 accept + chain c10 { + meta iifname . ip saddr . ipsec in reqid @s10 accept } - chain c8 { - ip version @s8 accept + chain c11 { + ether type vlan vlan id . ip saddr @s11 accept + } + + chain c12 { + meta iifname . ip saddr . meta ipsec @s12 accept } + chain c13 { + tcp option mptcp subtype @s13 accept + } + + chain c14 { + tcp option mptcp subtype . ip saddr @s14 accept + } +}" + +EXPECTED="table inet t {$INPUT_OSF_SET + set s2 { + typeof vlan id + elements = { 2, 3, 103 } + } + + set s3 { + typeof meta ibrpvid + elements = { 2, 3, 103 } + } +$INPUT_FRAG_SET + set s5 { + typeof ip option ra value + elements = { 1, 1024 } + } + + set s6 { + typeof tcp option maxseg size + elements = { 1, 1024 } + } + + set s7 { + typeof sctp chunk init num-inbound-streams + elements = { 1, 4 } + } +$INPUT_VERSION_SET + set s9 { + typeof ip hdrlength + elements = { 0, 1, 2, 3, 4, + 15 } + } + + set s10 { + typeof iifname . ip saddr . ipsec in reqid + elements = { \"eth0\" . 10.1.1.2 . 42 } + } + + set s11 { + typeof vlan id . ip saddr + elements = { 3567 . 1.2.3.4 } + } + + set s12 { + typeof iifname . ip saddr . meta ipsec + elements = { \"eth0\" . 10.1.1.2 . exists } + } + + set s13 { + typeof tcp option mptcp subtype + elements = { mp-join, dss } + } + + set s14 { + typeof tcp option mptcp subtype . ip daddr + elements = { remove-addr . 10.1.1.1, + mp-join . 10.1.1.2 } + } +$INPUT_OSF_CHAIN + chain c2 { + vlan id @s2 accept + } +$INPUT_FRAG_CHAIN + chain c5 { + ip option ra value @s5 accept + } + + chain c6 { + tcp option maxseg size @s6 accept + } +$INPUT_SCTP_CHAIN$INPUT_VERSION_CHAIN chain c9 { ip hdrlength @s9 accept } chain c10 { - meta iifname . ip saddr . ipsec in reqid @s10 accept + iifname . ip saddr . 
ipsec in reqid @s10 accept } chain c11 { - ether type vlan vlan id . ip saddr @s11 accept + vlan id . ip saddr @s11 accept + } + + chain c12 { + iifname . ip saddr . meta ipsec @s12 accept + } + + chain c13 { + tcp option mptcp subtype @s13 accept + } + + chain c14 { + tcp option mptcp subtype . ip saddr @s14 accept } }" -set -e -$NFT -f - <<< $EXPECTED +$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<" + +$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<" + +if [ "$NFT_TEST_HAVE_bitshift" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_bitshift=n. Skip" + exit 77 +fi +if [ "$NFT_TEST_HAVE_osf" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip" + exit 77 +fi +if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then + echo "Partial test due to NFT_TEST_HAVE_sctp_chunks=n. Skip" + exit 77 +fi diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat index 07820b7c..34465f1d 100755 --- a/tests/shell/testcases/sets/typeof_sets_concat +++ b/tests/shell/testcases/sets/typeof_sets_concat @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) + set -e dumpfile=$(dirname $0)/dumps/$(basename $0).nft diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1 index e58c088c..863bcde4 100755 --- a/tests/shell/testcases/transactions/0023rule_1 +++ b/tests/shell/testcases/transactions/0023rule_1 @@ -1,7 +1,7 @@ #!/bin/bash RULESET="add table x -add chain x y +add chain x y { type filter hook input priority 0; } add rule x y jump y" # kernel must return ELOOP diff --git a/tests/shell/testcases/transactions/0024rule_0 b/tests/shell/testcases/transactions/0024rule_0 index 4c1ac41d..645319e2 100755 --- a/tests/shell/testcases/transactions/0024rule_0 +++ b/tests/shell/testcases/transactions/0024rule_0 
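Review bot: The three skip checks at the end of the hunk are the same four lines repeated for `bitshift`, `osf` and `sctp_chunks`, differing only in the variable name; a loop over the feature names keeps them in sync with the `INPUT_*` gating at the top of the file when a fourth feature is added. The `EXPECTED` assignment and the `$NFT -f`/`$DIFF -u` calls above are unchanged by this suggestion.
```shell
# … unchanged: $NFT -f - <<< "$INPUT" and $DIFF -u checks …
for feature in bitshift osf sctp_chunks ; do
	var="NFT_TEST_HAVE_$feature"
	if [ "${!var}" = n ] ; then
		echo "Partial test due to $var=n. Skip"
		exit 77
	fi
done
```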
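Review bot: Chain `y` is turned into a base chain (`{ type filter hook input priority 0; }`), but the only explanation left in the file is the pre-existing `# kernel must return ELOOP` line, which does not say why a base chain is now required for the self-`jump` to be rejected. A one-line comment above `RULESET` giving the reason (presumably that a self-jump into a non-base chain is caught differently, or not at all, by the kernel's loop check) would keep the test self-explaining. How the exit status is asserted lies outside the hunk.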
@@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_position_id) + RULESET="flush ruleset add table x add chain x y diff --git a/tests/shell/testcases/transactions/0049huge_0 b/tests/shell/testcases/transactions/0049huge_0 index 684d27a1..698716b2 100755 --- a/tests/shell/testcases/transactions/0049huge_0 +++ b/tests/shell/testcases/transactions/0049huge_0 @@ -7,6 +7,15 @@ $NFT add table inet test $NFT add chain inet test c RULE_COUNT=3000 + +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/rmem_max may be unsuitable for + # the test. + # + # Run only a subset of the test and mark as skipped at the end. + RULE_COUNT=500 +fi + RULESET=$( for ((i = 0; i < ${RULE_COUNT}; i++)); do echo "add rule inet test c accept comment rule$i" @@ -28,7 +37,15 @@ done echo '{"add": {"rule": {"family": "inet", "table": "test", "chain": "c", "expr": [{"accept": null}], "comment": "rule'$((${RULE_COUNT} - 1))'"}}}' echo ']}' ) -test $($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\)/\n\1/g' |grep '"handle"' |wc -l) -eq ${RULE_COUNT} || exit 1 + +if [ "$NFT_TEST_HAVE_json" != n ]; then + test $($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\)/\n\1/g' |grep '"handle"' |wc -l) -eq ${RULE_COUNT} || exit 1 +fi + +if [ "$NFT_TEST_HAVE_inet_nat" = n ]; then + echo "Test partially skipped due to missing inet nat support." + exit 77 +fi # Now an example from firewalld's testsuite # 
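Review bot: The comment in the new `NFT_TEST_HAS_SOCKET_LIMITS=y` branch says the run is "marked as skipped at the end", but nothing in this hunk records that the reduced `RULE_COUNT=500` was used, and the only `exit 77` visible in this file's next hunk is tied to `NFT_TEST_HAVE_inet_nat`. If the final hunk of this file (which starts at the following line and runs past this chunk) does not re-test `NFT_TEST_HAS_SOCKET_LIMITS`, a 500-rule run reports a full pass. A robust way to honour the comment is to set a marker beside the reduction, `PARTIAL_RUN=y`, and check that single variable wherever the skip exit is issued, instead of repeating the socket-limit condition.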
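Review bot: When `NFT_TEST_HAVE_json` is `n` the handle-count check is skipped with no trace and the script simply continues, unlike the `inet_nat` case right below it which prints a message and exits 77; since the firewalld ruleset that follows (`RULESET='{"nftables": …`) is also JSON, a JSON-less build presumably cannot run the rest either, so the same skip pattern, `echo "Test partially skipped due to missing JSON support."` followed by `exit 77`, seems more accurate than silently dropping the assertion. On the kept line, `grep '"handle"' |wc -l` can be `grep -c '"handle"'`, which also removes the reliance on the unquoted `$( … )` to trim wc's padding before `-eq`.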
@@ -38,4 +55,18 @@ RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING", "type": "filter", "hook": "prerouting", "prio": -290}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"jump": {"target": "raw_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PREROUTING", "type": "filter", "hook": "prerouting", "prio": -140}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING", "expr": [{"jump": {"target": "mangle_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING", "expr": [{"jump": {"target": "nat_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POSTROUTING", "type": "nat", "hook": "postrouting", "prio": 110}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POSTROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING", "expr": [{"jump": {"target": "nat_POSTROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING", "expr": [{"jump": {"target": "nat_PREROUTING_ZONES"}}]}}}, {"add": 
{"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POSTROUTING", "type": "nat", "hook": "postrouting", "prio": 110}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POSTROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING", "expr": [{"jump": {"target": "nat_POSTROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT", "type": "filter", "hook": "input", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD", "type": "filter", "hook": "forward", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_OUTPUT", "type": "filter", "hook": "output", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "status"}}, "op": "in", "right": "dnat"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"jump": {"target": "filter_INPUT_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["invalid"]}}}, {"drop": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"chain": {"family": 
"inet", "table": "firewalld", "name": "filter_FORWARD_IN_ZONES"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD_OUT_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "status"}}, "op": "in", "right": "dnat"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"jump": {"target": "filter_FORWARD_IN_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"jump": {"target": "filter_FORWARD_OUT_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["invalid"]}}}, {"drop": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_OUTPUT", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"match": {"left": {"meta": {"key": "nfproto"}}, "op": "==", "right": "ipv6"}}, {"match": {"left": {"fib": {"flags": ["saddr", "iif"], "result": "oif"}}, "op": "==", "right": false}}, {"drop": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": 
"raw_PREROUTING", "expr": [{"match": {"left": {"payload": {"protocol": "icmpv6", "field": "type"}}, "op": "==", "right": {"set": ["nd-router-advert", "nd-neighbor-solicit"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_OUTPUT", "index": 0, "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"set": [{"prefix": {"addr": "::0.0.0.0", "len": 96}}, {"prefix": {"addr": "::ffff:0.0.0.0", "len": 96}}, {"prefix": {"addr": "2002:0000::", "len": 24}}, {"prefix": {"addr": "2002:0a00::", "len": 24}}, {"prefix": {"addr": "2002:7f00::", "len": 24}}, {"prefix": {"addr": "2002:ac10::", "len": 28}}, {"prefix": {"addr": "2002:c0a8::", "len": 32}}, {"prefix": {"addr": "2002:a9fe::", "len": 32}}, {"prefix": {"addr": "2002:e000::", "len": 19}}]}}}, {"reject": {"type": "icmpv6", "expr": "addr-unreachable"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "index": 2, "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"set": [{"prefix": {"addr": "::0.0.0.0", "len": 96}}, {"prefix": {"addr": "::ffff:0.0.0.0", "len": 96}}, {"prefix": {"addr": "2002:0000::", "len": 24}}, {"prefix": {"addr": "2002:0a00::", "len": 24}}, {"prefix": {"addr": "2002:7f00::", "len": 24}}, {"prefix": {"addr": "2002:ac10::", "len": 28}}, {"prefix": {"addr": "2002:c0a8::", "len": 32}}, {"prefix": {"addr": "2002:a9fe::", "len": 32}}, {"prefix": {"addr": "2002:e000::", "len": 19}}]}}}, {"reject": {"type": "icmpv6", "expr": "addr-unreachable"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_deny"}}}, {"add": {"chain": 
{"family": "inet", "table": "firewalld", "name": "raw_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": 
{"target": "filter_IN_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_deny"}}]}}}, 
{"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"goto": {"target": "raw_PRE_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": 
"mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"goto": {"target": "mangle_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": 
{"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": 
"nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"goto": {"target": "nat_POST_public"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"goto": {"target": 
"nat_POST_public"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"goto": {"target": "filter_IN_public"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"goto": {"target": "filter_FWDI_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"goto": {"target": "filter_FWDO_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_pre"}}}, {"add": 
{"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "raw_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": 
[{"jump": {"target": "mangle_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "mangle_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": 
"nat_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_PRE_trusted"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted"}}}, 
{"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": 
{"target": "nat_POST_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_POST_trusted"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_POST_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_deny"}}]}}}, {"add": {"rule": {"family": 
"inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_IN_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_post"}}]}}}, {"add": {"rule": {"family": 
"inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_FWDI_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, 
{"goto": {"target": "filter_FWDO_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_pre"}}]}}}, {"add": {"rule": 
{"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "raw_PRE_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": 
"mangle_PRE_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "mangle_PRE_work"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": 
"nat_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_PRE_work"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_PRE_work"}}]}}}, {"add": 
{"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": 
{"target": "nat_POST_work_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_POST_work"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_POST_work"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_IN_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": 
"filter_FWDI_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_FWDI_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": 
"filter_FWDO_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_FWDO_work"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}]}' -test -z "$($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\|{"insert":\)/\n\1/g' |grep '\({"add":\|{"insert":\)' | grep -v '"handle"')" +if [ "$NFT_TEST_HAVE_json" != n ]; then + test -z "$($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\|{"insert":\)/\n\1/g' |grep '\({"add":\|{"insert":\)' | grep -v '"handle"')" +fi + +if [ "$NFT_TEST_HAVE_json" = n ]; then + echo "Test partially skipped due to missing JSON support." + exit 77 +fi + +if [ "$RULE_COUNT" != 3000 ] ; then + echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for" + echo "/proc/sys/net/core/rmem_max is too small for this test. Mark as SKIPPED" + echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`." + exit 77 +fi diff --git a/tests/shell/testcases/transactions/0051map_0 b/tests/shell/testcases/transactions/0051map_0 new file mode 100755 index 00000000..9ea5cd4c --- /dev/null +++ b/tests/shell/testcases/transactions/0051map_0 
@@ -0,0 +1,122 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1trans-$rnd"
+
+#
+# dependency tracking for implicit set
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ chain y {
+ ip saddr vmap { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="flush chain ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# dependency tracking for map in implicit chain
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ chain y {
+ meta iifname \"eno1\" jump {
+ ip saddr vmap { 1.1.1.1 : jump w, 3.3.3.3 : goto m }
+ }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="flush chain ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# dependency tracking for explicit map
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ map y {
+ type ipv4_addr : verdict
+ elements = { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="delete set ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# error path for implicit set
+#
+RULESET="table inet filter {
+ chain w {
+ jump z
+ }
+ chain z {
+ jump w
+ }
+
+ chain test {
+ ip protocol { tcp, udp } ip saddr vmap { 1.1.1.1 : jump z } counter flow add @nonexisting
ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# error path for implicit set
+#
+RULESET="table inet filter {
+ chain w {
+ jump z
+ }
+ chain z {
+ jump w
+ }
+
+ chain test {
+ ip protocol { tcp, udp } jump {
+ ip saddr vmap { 1.1.1.1 : jump z }
+ }
+ ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT flush table inet filter || exit 0
diff --git a/tests/shell/testcases/transactions/0051map_0 b/tests/shell/testcases/transactions/30s-stress
new file mode 100755
index 00000000..e1e8b742
--- /dev/null
+++ b/tests/shell/testcases/transactions/30s-stress
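Review bot: Every check in this new script ends in `|| exit 0`, so a failing `$NFT -f` in any of the three dependency-tracking sections (the `ip saddr vmap { ... : jump w ... }` rulesets and the `flush chain ip x y` / `delete chain ip x w` follow-ups) terminates the test with a success status and the regression it is meant to catch is never reported; those should be `|| exit 1`, with `exit 77` kept for a kernel that lacks the feature, as the other tests in this diff do. The early exit after `ip netns exec $ns1 $NFT -f - ...` also leaves the `nft1trans-*` namespace behind, because `ip netns del $ns1` is only reached on success and `ip netns add $ns1` is itself unchecked; a `trap 'ip netns del "$ns1" 2>/dev/null' EXIT` right after `ns1=` is assigned would cover both. The two "error path" sections presumably only want nft to reject the ruleset without crashing, in which case a failing `$NFT -c -f` is the expected outcome and should not end the script silently either; a one-line comment stating what each section asserts (`# must fail: @nonexisting flowtable`) would make the intended exit status clear to the next reader.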
@@ -0,0 +1,709 @@ +#!/bin/bash + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +runtime=30 + +# allow stand-alone execution as well, e.g. '$0 3600' +if [ x"$1" != "x" ] ;then + if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ]; then + NFT_TEST_HAVE_chain_binding=y + fi + if [ -z "${NFT_TEST_HAVE_pipapo+x}" ]; then + NFT_TEST_HAVE_pipapo=y + fi + echo "running standalone with:" + echo "NFT_TEST_HAVE_chain_binding="$NFT_TEST_HAVE_chain_binding + echo "NFT_TEST_HAVE_pipapo="$NFT_TEST_HAVE_pipapo + if [ $1 -ge 0 ]; then + runtime="$1" + else + echo "Invalid runtime $1" + exit 1 + fi +fi + +if [ x = x"$NFT" ] ; then + NFT=nft +fi + +if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then + # The socket limit /proc/sys/net/core/wmem_max may be unsuitable for + # the test. + # + # Skip it. You may ensure that the limits are suitable and rerun + # with NFT_TEST_HAS_SOCKET_LIMITS=n. + exit 77 +fi + +if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ] ; then + NFT_TEST_HAVE_chain_binding=n + mydir="$(dirname "$0")" + $NFT --check -f "$mydir/../../features/chain_binding.nft" + if [ $? -eq 0 ];then + NFT_TEST_HAVE_chain_binding=y + else + echo "Assuming anonymous chains are not supported" + fi +fi + +if [ "$NFT_TEST_HAVE_pipapo" != y ] ;then + echo "Skipping pipapo set backend, kernel does not support it" +fi + +testns=testns-$(mktemp -u "XXXXXXXX") +tmp="" + +faultname="/proc/self/make-it-fail" +tables="foo bar" + +failslab_defaults() { + test -w $faultname || return + + # Disable fault injection unless process has 'make-it-fail' set + echo Y > /sys/kernel/debug/failslab/task-filter + + # allow all slabs to fail (if process is tagged). + find /sys/kernel/slab/ -wholename '*/kmalloc-[0-9]*/failslab' -type f -exec sh -c 'echo 1 > {}' \; + + # no limit on the number of failures, or clause works around old kernels that reject negative integer. 
+ echo -1 > /sys/kernel/debug/failslab/times 2>/dev/null || printf '%#x -1' > /sys/kernel/debug/failslab/times + + # Set to 2 for full dmesg traces for each injected error + echo 0 > /sys/kernel/debug/failslab/verbose +} + +failslab_random() +{ + r=$((RANDOM%2)) + + if [ $r -eq 0 ]; then + echo Y > /sys/kernel/debug/failslab/ignore-gfp-wait + else + echo N > /sys/kernel/debug/failslab/ignore-gfp-wait + fi + + r=$((RANDOM%5)) + echo $r > /sys/kernel/debug/failslab/probability + r=$((RANDOM%100)) + echo $r > /sys/kernel/debug/failslab/interval + + # allow a small initial 'success budget'. + # failures only appear after this many allocated bytes. + r=$((RANDOM%16384)) + echo $r > /sys/kernel/debug/$FAILTYPE/space +} + +netns_del() { + ip netns pids "$testns" | xargs kill 2>/dev/null + ip netns del "$testns" +} + +netns_add() +{ + ip netns add "$testns" + ip -netns "$testns" link set lo up +} + +cleanup() { + [ "$tmp" = "" ] || rm -f "$tmp" + netns_del +} + +nft_with_fault_inject() +{ + file="$1" + + if [ -w "$faultname" ]; then + failslab_random + + ip netns exec "$testns" bash -c "echo 1 > $faultname ; exec $NFT -f $file" + fi + + ip netns exec "$testns" $NFT -f "$file" +} + +trap cleanup EXIT +tmp=$(mktemp) + +jump_or_goto() +{ + if [ $((RANDOM & 1)) -eq 0 ] ;then + echo -n "jump" + else + echo -n "goto" + fi +} + +random_verdict() +{ + max="$1" + + if [ $max -eq 0 ]; then + max=1 + fi + + rnd=$((RANDOM%max)) + + if [ $rnd -gt 0 ];then + jump_or_goto + printf " chain%03u" "$((rnd+1))" + return + fi + + if [ $((RANDOM & 1)) -eq 0 ] ;then + echo "accept" + else + echo "drop" + fi +} + +randsleep() +{ + local s=$((RANDOM%1)) + local ms=$((RANDOM%1000)) + sleep $s.$ms +} + +randlist() +{ + while [ -r $tmp ]; do + randsleep + ip netns exec $testns $NFT list ruleset > /dev/null + done +} + +randflush() +{ + while [ -r $tmp ]; do + randsleep + ip netns exec $testns $NFT flush ruleset > /dev/null + done +} + +randdeltable() +{ + while [ -r $tmp ]; do + randsleep + for t in 
$tables; do + r=$((RANDOM%10)) + + if [ $r -eq 1 ] ;then + ip netns exec $testns $NFT delete table inet $t + randsleep + fi + done + done +} + +randdelset() +{ + while [ -r $tmp ]; do + randsleep + for t in $tables; do + r=$((RANDOM%10)) + s=$((RANDOM%10)) + + case $r in + 0) + setname=set_$s + ;; + 1) + setname=sett${s} + ;; + 2) + setname=dmap_${s} + ;; + 3) + setname=dmapt${s} + ;; + 4) + setname=vmap_${s} + ;; + 5) + setname=vmapt${s} + ;; + *) + continue + ;; + esac + + if [ $r -eq 1 ] ;then + ip netns exec $testns $NFT delete set inet $t $setname + fi + done + done +} + +randdelchain() +{ + while [ -r $tmp ]; do + for t in $tables; do + local c=$((RANDOM%100)) + randsleep + chain=$(printf "chain%03u" "$c") + + local r=$((RANDOM%10)) + if [ $r -eq 1 ];then + # chain can be invalid/unknown. + ip netns exec $testns $NFT delete chain inet $t $chain + fi + done + done +} + +randdisable() +{ + while [ -r $tmp ]; do + for t in $tables; do + randsleep + local r=$((RANDOM%10)) + if [ $r -eq 1 ];then + ip netns exec $testns $NFT add table inet $t '{flags dormant; }' + randsleep + ip netns exec $testns $NFT add table inet $t '{ }' + fi + done + done +} + +randdelns() +{ + while [ -r $tmp ]; do + randsleep + netns_del + netns_add + randsleep + done +} + +available_flags() +{ + local -n available_flags=$1 + selected_key=$2 + if [ "$selected_key" == "single" ] ;then + available_flags+=("interval") + elif [ "$selected_key" == "concat" ] ;then + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + available_flags+=("interval") + fi + fi +} + +random_timeout() +{ + local timeout="" + local expires + local r=$((RANDOM%3)) + + case "$r" in + 0) + timeout=$((RANDOM%60000)) + timeout="timeout ${timeout}ms" + ;; + 1) + timeout=$((RANDOM%60000)) + expires=$((timeout)) + if [ $timeout -gt 0 ];then + expires=$((RANDOM%expires)) + else + expires=0 + fi + + timeout="timeout ${timeout}ms expires ${expires}ms" + ;; + esac + + echo -n "$timeout" +} + +random_element_string="" +# create a random 
element. Could cause any of the following: +# 1. Invalid set/map +# 2. Element already exists in set/map w. create +# 3. Element is new but wants to jump to unknown chain +# 4. Element already exsists in set/map w. add, but verdict (map data) differs +# 5. Element is created/added/deleted from 'flags constant' set. +random_elem() +{ + tr=$((RANDOM%2)) + t=0 + + for table in $tables; do + if [ $t -ne $tr ]; then + t=$((t+1)) + continue + fi + + kr=$((RANDOM%2)) + k=0 + cnt=0 + for key in "single" "concat"; do + if [ $k -ne $kr ] ;then + cnt=$((cnt+2)) + k=$((k+1)) + continue + fi + + fr=$((RANDOM%2)) + f=0 + + FLAGS=("") + available_flags FLAGS $key + for flags in "${FLAGS[@]}" ; do + cnt=$((cnt+1)) + if [ $f -ne fkr ] ;then + f=$((f+1)) + continue + fi + + want="${key}${flags}" + + e=$((RANDOM%256)) + case "$want" in + "single") element="10.1.1.$e" + ;; + "concat") element="10.1.2.$e . $((RANDOM%65536))" + ;; + "singleinterval") element="10.1.$e.0-10.1.$e.$e" + ;; + "concatinterval") element="10.1.$e.0-10.1.$e.$e . $((RANDOM%65536))" + ;; + *) echo "bogus key $want" + exit 111 + ;; + esac + + # This may result in invalid jump, but thats what we want. 
+ count=$(($RANDOM%100)) + + r=$((RANDOM%7)) + case "$r" in + 0) + random_element_string="inet $table set_${cnt} { $element }" + ;; + 1) random_element_string="inet $table sett${cnt} { $element $(random_timeout) }" + ;; + 2) random_element_string="inet $table dmap_${cnt} { $element : $RANDOM }" + ;; + 3) random_element_string="inet $table dmapt${cnt} { $element $(random_timeout) : $RANDOM }" + ;; + 4) random_element_string="inet $table vmap_${cnt} { $element : `random_verdict $count` }" + ;; + 5) random_element_string="inet $table vmapt${cnt} { $element $(random_timeout) : `random_verdict $count` }" + ;; + 6) random_element_string="inet $table setc${cnt} { $element }" + ;; + esac + + return + done + done + done +} + +randload() +{ + while [ -r $tmp ]; do + random_element_string="" + r=$((RANDOM%10)) + + what="" + case $r in + 1) + (echo "flush ruleset"; cat "$tmp" + echo "insert rule inet foo INPUT meta nftrace set 1" + echo "insert rule inet foo OUTPUT meta nftrace set 1" + ) | nft_with_fault_inject "/dev/stdin" + ;; + 2) what="add" + ;; + 3) what="create" + ;; + 4) what="delete" + ;; + 5) what="destroy" + ;; + 6) what="get" + ;; + *) + randsleep + ;; + esac + + if [ x"$what" = "x" ]; then + nft_with_fault_inject "$tmp" + else + # This can trigger abort path, for various reasons: + # invalid set name + # key mismatches set specification (concat vs. 
single value) + # attempt to delete non-existent key + # attempt to create dupliacte key + # attempt to add duplicate key with non-matching value (data) + # attempt to add new uniqeue key with a jump to an unknown chain + random_elem + ( cat "$tmp"; echo "$what element $random_element_string") | nft_with_fault_inject "/dev/stdin" + fi + done +} + +randmonitor() +{ + while [ -r $tmp ]; do + randsleep + timeout=$((RANDOM%16)) + timeout $((timeout+1)) $NFT monitor > /dev/null + done +} + +floodping() { + cpunum=$(grep -c processor /proc/cpuinfo) + cpunum=$((cpunum+1)) + + while [ -r $tmp ]; do + spawn=$((RANDOM%$cpunum)) + + # spawn at most $cpunum processes. Or maybe none at all. + i=0 + while [ $i -lt $spawn ]; do + mask=$(printf 0x%x $((1<<$i))) + timeout 3 ip netns exec "$testns" taskset $mask ping -4 -fq 127.0.0.1 > /dev/null & + timeout 3 ip netns exec "$testns" taskset $mask ping -6 -fq ::1 > /dev/null & + i=$((i+1)) + done + + wait + randsleep + done +} + +stress_all() +{ + # if fault injection is enabled, first a quick test to trigger + # abort paths without any parallel deletes/flushes. 
+ if [ -w $faultname ] ;then + for i in $(seq 1 10);do + nft_with_fault_inject "$tmp" + done + fi + + randlist & + randflush & + randdeltable & + randdisable & + randdelchain & + randdelset & + randdelns & + randload & + randmonitor & +} + +gen_anon_chain_jump() +{ + echo -n "insert rule inet $@ " + jump_or_goto + + if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then + echo " defaultchain" + return + fi + + echo -n " { " + jump_or_goto + echo " defaultchain; counter; }" +} + +gen_ruleset() { +echo > "$tmp" +for table in $tables; do + count=$((RANDOM % 100)) + if [ $count -lt 1 ];then + count=1 + fi + + echo add table inet "$table" >> "$tmp" + echo flush table inet "$table" >> "$tmp" + + echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp" + echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp" + for c in $(seq 1 $count); do + chain=$(printf "chain%03u" "$c") + echo "add chain inet $table $chain" >> "$tmp" + done + + echo "add chain inet $table defaultchain" >> "$tmp" + + for c in $(seq 1 $count); do + chain=$(printf "chain%03u" "$c") + for BASE in INPUT OUTPUT; do + echo "add rule inet $table $BASE counter jump $chain" >> "$tmp" + done + if [ $((RANDOM%10)) -eq 1 ];then + echo "add rule inet $table $chain counter jump defaultchain" >> "$tmp" + else + echo "add rule inet $table $chain counter return" >> "$tmp" + fi + done + + cnt=0 + + # add a few anonymous sets. rhashtable is convered by named sets below. 
+ c=$((RANDOM%$count)) + chain=$(printf "chain%03u" "$((c+1))") + echo "insert rule inet $table $chain tcp dport 22-26 ip saddr { 1.2.3.4, 5.6.7.8 } counter comment hash_fast" >> "$tmp" + echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp" + echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp" + # bitmap 1byte, with anon chain jump + gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp" + + # bitmap 2byte + echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp" + echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp" + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + # pipapo (concat + set), with goto anonymous chain. + gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp" + fi + + # add a few anonymous sets. rhashtable is convered by named sets below. + c=$((RANDOM%$count)) + chain=$(printf "chain%03u" "$((c+1))") + echo "insert rule inet $table $chain tcp dport 22-26 ip saddr { 1.2.3.4, 5.6.7.8 } counter comment hash_fast" >> "$tmp" + echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp" + echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp" + # bitmap 1byte, with anon chain jump + gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp" + # bitmap 2byte + echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp" + echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp" + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + # pipapo (concat + set), with goto anonymous chain. + gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 
1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp" + fi + + # add constant/immutable sets + size=$((RANDOM%5120000)) + size=$((size+2)) + echo "add set inet $table setc1 { typeof tcp dport; size $size; flags constant; elements = { 22, 44 } }" >> "$tmp" + echo "add set inet $table setc2 { typeof ip saddr; size $size; flags constant; elements = { 1.2.3.4, 5.6.7.8 } }" >> "$tmp" + echo "add set inet $table setc3 { typeof ip6 daddr; size $size; flags constant; elements = { ::1, dead::1 } }" >> "$tmp" + echo "add set inet $table setc4 { typeof tcp dport; size $size; flags interval,constant; elements = { 22-44, 55-66 } }" >> "$tmp" + echo "add set inet $table setc5 { typeof ip saddr; size $size; flags interval,constant; elements = { 1.2.3.4-5.6.7.8, 10.1.1.1 } }" >> "$tmp" + echo "add set inet $table setc6 { typeof ip6 daddr; size $size; flags interval,constant; elements = { ::1, dead::1-dead::3 } }" >> "$tmp" + + # add named sets with various combinations (plain value, range, concatenated values, concatenated ranges, with timeouts, with data ...) + for key in "ip saddr" "ip saddr . tcp dport"; do + FLAGS=("") + if [ "$key" == "ip saddr" ] ;then + FLAGS+=("flags interval;") + elif [ "$key" == "ip saddr . 
tcp dport" ] ;then + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + FLAGS+=("flags interval;") + fi + fi + for ((i = 0; i < ${#FLAGS[@]}; i++)) ; do + timeout=$((RANDOM%10)) + timeout=$((timeout+1)) + timeout="timeout ${timeout}s" + + cnt=$((cnt+1)) + flags=${FLAGS[$i]} + echo "add set inet $table set_${cnt} { typeof ${key} ; ${flags} }" >> "$tmp" + echo "add set inet $table sett${cnt} { typeof ${key} ; $timeout; ${flags} }" >> "$tmp" + echo "add map inet $table dmap_${cnt} { typeof ${key} : meta mark ; ${flags} }" >> "$tmp" + echo "add map inet $table dmapt${cnt} { typeof ${key} : meta mark ; $timeout ; ${flags} }" >> "$tmp" + echo "add map inet $table vmap_${cnt} { typeof ${key} : verdict ; ${flags} }" >> "$tmp" + echo "add map inet $table vmapt${cnt} { typeof ${key} : verdict; $timeout ; ${flags} }" >> "$tmp" + done + done + + cnt=0 + for key in "single" "concat"; do + FLAGS=("") + available_flags FLAGS $key + + for ((i = 0; i < ${#FLAGS[@]}; i++)) ; do + flags=${FLAGS[$i]} + want="${key}${flags}" + cnt=$((cnt+1)) + maxip=$((RANDOM%256)) + + if [ $maxip -eq 0 ];then + maxip=1 + fi + + for e in $(seq 1 $maxip);do + case "$want" in + "single") element="10.1.1.$e" + ;; + "concat") + element="10.1.2.$e . $((RANDOM%65536))" + ;; + "singleinterval") + element="10.1.$e.0-10.1.$e.$e" + ;; + "concatinterval") + element="10.1.$e.0-10.1.$e.$e . 
$((RANDOM%65536))" + ;; + *) + echo "bogus key $want" + exit 111 + ;; + esac + + echo "add element inet $table set_${cnt} { $element }" >> "$tmp" + echo "add element inet $table sett${cnt} { $element $(random_timeout) }" >> "$tmp" + echo "add element inet $table dmap_${cnt} { $element : $RANDOM }" >> "$tmp" + echo "add element inet $table dmapt${cnt} { $element $(random_timeout) : $RANDOM }" >> "$tmp" + echo "add element inet $table vmap_${cnt} { $element : `random_verdict $count` }" >> "$tmp" + echo "add element inet $table vmapt${cnt} { $element $(random_timeout) : `random_verdict $count` }" >> "$tmp" + done + done + done +done +} + +run_test() +{ + local time_now=$(date +%s) + local time_stop=$((time_now + $runtime)) + local regen=30 + + while [ $time_now -lt $time_stop ]; do + if [ $regen -gt 0 ];then + sleep 1 + time_now=$(date +%s) + regen=$((regen-1)) + continue + fi + + # This clobbers the previously generated ruleset, this is intentional. + gen_ruleset + regen=$((RANDOM%60)) + regen=$((regen+2)) + time_now=$(date +%s) + done +} + +netns_add + +gen_ruleset +ip netns exec "$testns" $NFT -f "$tmp" || exit 1 + +failslab_defaults + +stress_all 2>/dev/null & + +randsleep + +floodping 2> /dev/null & + +run_test + +# this stops stress_all +rm -f "$tmp" +tmp="" +sleep 4 + +if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then + echo "Ran a modified version of the test due to NFT_TEST_HAVE_chain_binding=n" +fi diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop new file mode 100755 index 00000000..3053d166 --- /dev/null +++ b/tests/shell/testcases/transactions/anon_chain_loop 
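Review bot: `failslab_random` writes the initial success budget to `/sys/kernel/debug/$FAILTYPE/space`, but `FAILTYPE` is assigned nowhere in this file while every other knob uses the literal `failslab` directory, so the write goes to `/sys/kernel/debug//space` and fails silently behind the `2>/dev/null` on `stress_all`; `echo $r > /sys/kernel/debug/failslab/space` looks intended. In `random_elem`, `if [ $f -ne fkr ] ;then` compares against the bare word `fkr` instead of `$fr`, which makes `[` report an integer-expression error (status 2) on every iteration, so the `continue` never fires and the random flag selection the loop is built around has no effect. Both defects are masked because the stress workers run as root with their stderr discarded, and the script still reports success; fixing them makes the fault-injection and interval-flag coverage this test is meant to provide actually happen.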
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# anon chains with c1 -> c2 recursive jump, expect failure
+$NFT -f - <<EOF
+table ip t {
+ chain c2 { type filter hook input priority 0; }
+ chain c1 { }
+}
+
+add t c1 ip saddr 127.0.0.1 jump { jump c2; }
+add t c2 ip saddr 127.0.0.1 jump { jump c1; }
+EOF
+
+if [ $? -eq 0 ] ; then
+ echo "E: able to load bad ruleset" >&2
+ exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/transactions/atomic_replace.sh b/tests/shell/testcases/transactions/atomic_replace.sh
new file mode 100755
index 00000000..dce17860
--- /dev/null
+++ b/tests/shell/testcases/transactions/atomic_replace.sh
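Review bot: The `if [ $? -eq 0 ]` check after the heredoc accepts any non-zero status from `$NFT -f -`, so a syntax error in the ruleset, or an nft build without anonymous-chain support, would also make this negative test pass. Loading the `table ip t { ... }` definition in its own `$NFT -f -` call with a status check, and only then feeding the two `add ... jump { jump cN; }` lines that are expected to be rejected, separates "rejected for the loop" from "never parsed".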
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -e
+
+rnd=$(mktemp -u XXXXXXXX)
+ns="nft-atomic-$rnd"
+pid1=""
+pid2=""
+duration=8
+
+cleanup()
+{
+ kill "$pid1" "$pid2"
+ ip netns del "$ns"
+}
+
+trap cleanup EXIT
+
+ip netns add "$ns" || exit 111
+ip -net "$ns" link set lo up
+
+ip netns exec "$ns" ping 127.0.0.1 -q -c 1
+
+ip netns exec "$ns" $NFT -f - <<EOF
+table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 127.0.0.1 }
+ }
+
+ chain input {
+ type filter hook input priority 0; policy accept;
+ ip protocol icmp counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ ip protocol icmp ip daddr @s drop
+ }
+}
+EOF
+
+ip netns exec "$ns" ping -f 127.0.0.1 &
+pid1=$!
+ip netns exec "$ns" ping -f 127.0.0.1 &
+pid2=$!
+
+time_now=$(date +%s)
+time_stop=$((time_now + duration))
+repl=0
+
+while [ $time_now -lt $time_stop ]; do
+ip netns exec "$ns" $NFT -f - <<EOF
+flush chain ip t output
+table ip t {
+ chain output {
+ type filter hook output priority 0; policy accept;
+ ip protocol icmp ip daddr @s drop
+ }
+}
+EOF
+ repl=$((repl+1))
+
+ # do at least 100 replaces and stop after $duration seconds.
+ if [ $((repl % 101)) -eq 100 ];then
+ time_now=$(date +%s)
+ fi
+done
+
+# must match, all icmp packets dropped in output.
+ip netns exec "$ns" $NFT list chain ip t input | grep "counter packets 0"
+
+echo "Completed $repl chain replacements"
diff --git a/tests/shell/testcases/transactions/bad_expression b/tests/shell/testcases/transactions/bad_expression
new file mode 100755
index 00000000..794b6258
--- /dev/null
+++ b/tests/shell/testcases/transactions/bad_expression
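Review bot: `cleanup` calls `kill "$pid1" "$pid2"` unconditionally, and with `set -e` still in effect inside the EXIT handler a failing `kill` (either pid is still the empty string whenever the script aborts before the two `ping -f` jobs start, e.g. at `ip -net "$ns" link set lo up`) ends the handler before `ip netns del "$ns"` runs, leaking the `nft-atomic-<rnd>` namespace. Guarding it, `[ -n "$pid1" ] && kill "$pid1" "$pid2" 2>/dev/null || true`, keeps the namespace removal reachable on every path. The `grep "counter packets 0"` at the end is the only assertion and relies on `set -e` turning grep's status into the exit code; an explicit `|| { echo "icmp leaked through during replace" >&2; exit 1; }` would make the failure readable in the test log.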
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# table with invalid expression (masquerade called from filter table).
+# nft must return an error. Also catch nfnetlink retry loops that
+# cause nft or kernel to spin.
+timeout 3 $NFT -f - <<EOF
+table ip t0 {
+ chain c { }
+ chain input {
+ type filter hook input priority 0;
+ jump c
+ }
+}
+
+table ip t1 {
+ chain a {
+ masquerade
+ }
+ chain input {
+ type filter hook input priority 1;
+ jump a
+ }
+}
+EOF
+
+rc=$?
+if [ $rc -eq 0 ]; then
+ echo "Ruleset should have failed" 1>&2
+ exit 111
+fi
+
+# 124 means 'command timed out', fail if this
+# happens. Else, pass, failure is wanted here.
+if [ $rc -ne 124 ]; then
+ exit 0
+fi
+
+exit $rc
diff --git a/tests/shell/testcases/transactions/bad_rule_graphs b/tests/shell/testcases/transactions/bad_rule_graphs
new file mode 100755
index 00000000..53047c3c
--- /dev/null
+++ b/tests/shell/testcases/transactions/bad_rule_graphs
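Review bot: When `timeout 3` expires the script reaches `exit $rc` with status 124 but prints nothing, so a spinning nft or kernel shows up in the runner only as an unexplained failure; `echo "nft did not return within 3s (timeout)" 1>&2` before the final `exit $rc` names the cause. The comment above the second `if` could also say where 124 comes from, e.g. `# coreutils timeout(1) exits 124 when the command is killed on expiry.`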
@@ -0,0 +1,262 @@
+#!/bin/bash
+
+# test case to attempt to fool ruleset validation.
+# Initial ruleset added here is fine, then we try to make the
+# ruleset exceed the jump chain depth via jumps, gotos, verdict
+# map entries etc, either by having the map loop back to itself,
+# jumping back to an earlier chain and so on.
+#
+# Also check that can't hook up a user-defined chain with a
+# restricted expression (here: tproxy, only valid from prerouting
+# hook) to the input hook, even if reachable indirectly via vmap.
+
+bad_ruleset()
+{
+ ret=$1
+ shift
+
+ if [ $ret -eq 0 ];then
+ echo "Accepted bad ruleset with $@"
+ $NFT list ruleset
+ exit 1
+ fi
+}
+
+good_ruleset()
+{
+ ret=$1
+ shift
+
+ if [ $ret -ne 0 ];then
+ echo "Rejected good ruleset with $@"
+ exit 1
+ fi
+}
+
+# add a loop with a vmap statement, either goto or jump,
+# both with single rule and delta-transaction that also
+# contains valid information.
+check_loop()
+{
+ what=$1
+
+ $NFT "add element t m { 1.2.3.9 : $what c1 }"
+ bad_ruleset $? "bound map with $what to backjump should exceed jump stack"
+
+ $NFT "add element t m { 1.2.3.9 : $what c7 }"
+ bad_ruleset $? "bound map with $what to backjump should exceed jump stack"
+
+ $NFT "add element t m { 1.2.3.9 : $what c8 }"
+ bad_ruleset $? "bound map with $what to self should exceed jump stack"
+
+ # rule bound to c8, this should not work -- jump stack should be exceeded.
+ $NFT "add element t m { 1.2.3.9 : jump c9 }"
+ bad_ruleset $? "bound map with $what should exceed jump stack"
+
+ # rule bound to c8, this should be within jump stack limit
+ $NFT "add element t m { 1.2.3.9 : jump c10 }"
+ good_ruleset $? "bound map with $what should not have exceeded jump stack"
+
+$NFT -f - <<EOF
+flush chain t c16
+flush chain t c15
+table t {
+ chain c9 {
+ ip protocol 6 goto c14
+ }
+
+ # calls @m again, but @m now runs c10, which is linked to c14 already.
+ chain c14 {
+ ip protocol 6 return
+ ip daddr vmap @m
+ }
+}
+EOF
+ bad_ruleset $? "delta with bound map with $what loop and rule deletions"
+
+ # delete mapping again
+ $NFT "delete element t m { 1.2.3.9 }"
+ good_ruleset $? "cannot delete mapping"
+}
+
+check_bad_expr()
+{
+$NFT -f -<<EOF
+table t {
+ chain c1 {
+ jump c9
+ }
+}
+EOF
+bad_ruleset $? "tproxy expr exposed to input hook"
+
+$NFT -f -<<EOF
+flush map t m
+
+table t {
+ chain c1 {
+ ip saddr vmap @m
+ }
+}
+EOF
+good_ruleset $? "bound vmap to c1"
+
+$NFT -f -<<EOF
+table t {
+ map m {
+ type ipv4_addr : verdict
+ elements = { 1.2.3.4 : jump c9 }
+ }
+}
+EOF
+bad_ruleset $? "tproxy expr exposed to input hook by vmap"
+
+$NFT -f -<<EOF
+flush chain t c10
+flush chain t c11
+add rule t c8 jump c9
+
+table t {
+ map m {
+ type ipv4_addr : verdict
+ elements = { 1.2.3.4 : goto c2 }
+ }
+}
+EOF
+bad_ruleset $? "tproxy expr exposed to input hook by vmap"
+
+$NFT -f -<<EOF
+flush chain t c2
+flush chain t c3
+flush chain t c4
+flush chain t c5
+flush chain t c6
+flush chain t c7
+flush chain t c10
+flush chain t c11
+flush chain t c12
+flush chain t c13
+flush chain t c14
+flush chain t c15
+flush chain t c16
+delete chain t c16
+delete chain t c15
+delete chain t c14
+delete chain t c13
+delete chain t c12
+delete chain t c11
+delete chain t c7
+delete chain t c6
+delete chain t c5
+delete chain t c4
+delete chain t c3
+add rule t c8 jump c9
+EOF
+good_ruleset $? "connect chain c8 to chain c9"
+
+$NFT -f -<<EOF
+table t {
+ map m {
+ type ipv4_addr : verdict
+ elements = { 1.2.3.4 : goto c8 }
+ }
+}
+EOF
+bad_ruleset $? "tproxy expr exposed to input hook by vmap c1 -> vmap -> c8 -> c9"
+}
+
+# 16 jump levels are permitted.
+# First ruleset is fine, there is no jump
+# from c8 to c9.
+$NFT -f - <<EOF
+table t {
+ map m {
+ type ipv4_addr : verdict
+ }
+
+ chain c16 { }
+ chain c15 { jump c16; }
+ chain c14 { jump c15; }
+ chain c13 { jump c14; }
+ chain c12 { jump c13; }
+ chain c11 { jump c12; }
+ chain c10 { jump c11; }
+ chain c9 { jump c10; }
+ chain c8 { }
+ chain c7 { jump c8; }
+ chain c6 { jump c7; }
+ chain c5 { jump c6; }
+ chain c4 { jump c5; }
+ chain c3 { jump c4; }
+ chain c2 { jump c3; }
+ chain c1 { jump c2; }
+ chain c0 { type filter hook input priority 0;
+ jump c1
+ }
+}
+EOF
+
+ret=$?
+if [ $ret -ne 0 ];then
+ exit 1
+fi
+
+# ensure kernel catches the exceeded jumpstack use, despite no new chains
+# are added here and cycle is acyclic.
+$NFT -f - <<EOF
+# unrelated rule.
+add rule t c14 accept
+add rule t c15 accept
+
+# close jump gap; after this jumpstack limit is exceeded.
+add rule t c8 goto c9
+
+# unrelated rules.
+add rule t c14 accept
+add rule t c15 accept
+EOF
+
+bad_ruleset $? "chain jump stack exhausted without cycle"
+
+$NFT -f - <<EOF
+# unrelated rule.
+add rule t c12 accept
+add rule t c13 accept
+
+add element t m { 1.2.3.1 : accept }
+add element t m { 1.2.3.16 : goto c16 }
+add element t m { 1.2.3.15 : goto c15 }
+
+# after this jumpstack limit is exceeded,
+# IFF @m was bound to c8, but it is not.
+add element t m { 1.2.3.9 : jump c9 }
+
+# unrelated rules.
+add rule t c12 accept
+add rule t c13 accept
+
+add element t m { 1.2.3.16 : goto c16 }
+EOF
+good_ruleset $? "unbounded map"
+
+# bind vmap to c8. This MUST fail, map jumps to c9.
+$NFT "add rule t c8 ip saddr vmap @m"
+bad_ruleset $? "jump c8->c9 via vmap expression"
+
+# delete the mapping again.
+$NFT "delete element t m { 1.2.3.9 }"
+$NFT "add rule t c8 ip saddr vmap @m"
+good_ruleset $? "bind empty map to c8"
+
+check_loop "jump"
+check_loop "goto"
+
+$NFT "flush chain t c8"
+good_ruleset $? "flush chain t c8"
+
+# should work, c9 not connected to c0 aka filter input.
+$NFT "add rule t c9 tcp dport 80 tproxy to :20000 meta mark set 1 accept"
+good_ruleset $? "add tproxy expression to c9"
+check_bad_expr
+
+exit $?
diff --git a/tests/shell/testcases/transactions/concat_range_abort b/tests/shell/testcases/transactions/concat_range_abort
new file mode 100755
index 00000000..b2bbe37b
--- /dev/null
+++ b/tests/shell/testcases/transactions/concat_range_abort
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
+set -e
+
+$NFT -f /dev/stdin <<EOF
+table ip x {
+ map m {
+ typeof ip saddr . meta mark : verdict
+ flags interval
+ counter
+ elements = {
+ 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : jump foo,
+ }
+ }
+
+ chain foo {
+ accept
+ }
+}
+EOF
+
+$NFT -f /dev/stdin <<EOF
+add chain ip x bar
+add element ip x m { 1.2.3.4 . 42 : jump bar }
+delete set ip x m
+EOF
diff --git a/tests/shell/testcases/transactions/doubled-set b/tests/shell/testcases/transactions/doubled-set
new file mode 100755
index 00000000..50b568eb
--- /dev/null
+++ b/tests/shell/testcases/transactions/doubled-set
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
+$NFT -f /dev/stdin <<EOF
+table t {
+ set s {
+ type ipv4_addr . ifname
+ flags interval
+ elements = { 1.2.3.4 . "foo" }
+ }
+
+ set s {
+ type ipv4_addr . ifname
+ flags interval
+ elements = { 1.2.3.4 . "foo" }
+
+ }
+}
+EOF
+
+# run-tests.sh will validate dumpfile.
diff --git a/tests/shell/testcases/transactions/dumps/0001table_0.json-nft b/tests/shell/testcases/transactions/dumps/0001table_0.json-nft
new file mode 100644
index 00000000..ea75b43f
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0001table_0.json-nft
@@ -0,0 +1,25 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "y",
+ "handle": 0
+ }
+ }
+ ]
+}
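Review bot: `ret` in `bad_ruleset`/`good_ruleset` and `what` in `check_loop` are assigned without `local`, so every helper call silently overwrites the script-level `ret` captured after the first `$NFT -f -` load; harmless today, fragile as checks are added — `local ret=$1` and `local what=$1` fix it. The failure messages interpolate `"... $@"` inside a double-quoted string where the single-word join `"$*"` is what is meant. The comment `# are added here and cycle is acyclic.` before the jump-gap transaction reads as a contradiction; `# are added here and the chain graph stays acyclic.` says what is intended. The final `exit $?` takes the status of `check_bad_expr`, i.e. of its last `bad_ruleset` call, which returns 0 whenever it does not `exit 1`, so it is effectively `exit 0`; writing `exit 0` makes that explicit.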
diff --git a/tests/shell/testcases/transactions/dumps/0002table_0.json-nft b/tests/shell/testcases/transactions/dumps/0002table_0.json-nft new file mode 100644 index 00000000..b1fefc31 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0002table_0.json-nft @@ -0,0 +1,31 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0, + "flags": "dormant" + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0003table_0.json-nft b/tests/shell/testcases/transactions/dumps/0003table_0.json-nft new file mode 100644 index 00000000..ea75b43f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0003table_0.json-nft @@ -0,0 +1,25 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "table": { + "family": "ip", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0003table_0.nft b/tests/shell/testcases/transactions/dumps/0003table_0.nft new file mode 100644 index 00000000..e4e5f9b1 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0003table_0.nft @@ -0,0 +1,4 @@ +table ip x { +} +table ip y { +} diff --git a/tests/shell/testcases/transactions/dumps/0010chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0010chain_0.json-nft new file mode 100644 index 00000000..85947674 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0010chain_0.json-nft 
@@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "w", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "w", + "name": "y", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0011chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0011chain_0.json-nft new file mode 100644 index 00000000..12cf0bbf --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0011chain_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0012chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0012chain_0.json-nft new file mode 100644 index 00000000..dc5eaa61 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0012chain_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "w", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "w", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0013chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0013chain_0.json-nft new file mode 100644 index 00000000..dc5eaa61 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0013chain_0.json-nft 
@@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "w", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "w", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0014chain_1.json-nft b/tests/shell/testcases/transactions/dumps/0014chain_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0014chain_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0014chain_1.nft b/tests/shell/testcases/transactions/dumps/0014chain_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0014chain_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0015chain_0.json-nft b/tests/shell/testcases/transactions/dumps/0015chain_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0015chain_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0015chain_0.nft b/tests/shell/testcases/transactions/dumps/0015chain_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0015chain_0.nft diff --git a/tests/shell/testcases/transactions/dumps/0020rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0020rule_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null 
+++ b/tests/shell/testcases/transactions/dumps/0020rule_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0020rule_0.nft b/tests/shell/testcases/transactions/dumps/0020rule_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0020rule_0.nft diff --git a/tests/shell/testcases/transactions/dumps/0021rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0021rule_0.json-nft new file mode 100644 index 00000000..4c5500cc --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0021rule_0.json-nft @@ -0,0 +1,54 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "2.2.2.2" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0022rule_1.json-nft b/tests/shell/testcases/transactions/dumps/0022rule_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0022rule_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0022rule_1.nft b/tests/shell/testcases/transactions/dumps/0022rule_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null 
+++ b/tests/shell/testcases/transactions/dumps/0022rule_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0023rule_1.json-nft b/tests/shell/testcases/transactions/dumps/0023rule_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0023rule_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0023rule_1.nft b/tests/shell/testcases/transactions/dumps/0023rule_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0023rule_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0024rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0024rule_0.json-nft new file mode 100644 index 00000000..1e37f7d9 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0024rule_0.json-nft @@ -0,0 +1,82 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "rule1", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "rule2", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "rule3", + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "comment": "rule4", + "expr": [ + { + "accept": null + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/transactions/dumps/0025rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0025rule_0.json-nft new file mode 100644 index 00000000..623d9765 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0025rule_0.json-nft @@ -0,0 +1,52 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "log": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0030set_0.json-nft b/tests/shell/testcases/transactions/dumps/0030set_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0030set_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0031set_0.json-nft b/tests/shell/testcases/transactions/dumps/0031set_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0031set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/transactions/dumps/0032set_0.json-nft b/tests/shell/testcases/transactions/dumps/0032set_0.json-nft new file mode 100644 index 00000000..66bbf0eb --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0032set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "w", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "w", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0033set_0.json-nft b/tests/shell/testcases/transactions/dumps/0033set_0.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0033set_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0034set_0.json-nft b/tests/shell/testcases/transactions/dumps/0034set_0.json-nft new file mode 100644 index 00000000..c1b7639d --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0034set_0.json-nft @@ -0,0 +1,27 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0035set_0.json-nft b/tests/shell/testcases/transactions/dumps/0035set_0.json-nft new file mode 100644 index 00000000..6b8f671c --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0035set_0.json-nft 
@@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "3.3.3.3" + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0036set_1.json-nft b/tests/shell/testcases/transactions/dumps/0036set_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0036set_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0036set_1.nft b/tests/shell/testcases/transactions/dumps/0036set_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0036set_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0037set_0.json-nft b/tests/shell/testcases/transactions/dumps/0037set_0.json-nft new file mode 100644 index 00000000..f9fe4e6f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0037set_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0038set_0.json-nft b/tests/shell/testcases/transactions/dumps/0038set_0.json-nft new file mode 100644 index 00000000..5f97d09e --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0038set_0.json-nft 
@@ -0,0 +1,36 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "192.168.4.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0039set_0.json-nft b/tests/shell/testcases/transactions/dumps/0039set_0.json-nft new file mode 100644 index 00000000..5f97d09e --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0039set_0.json-nft @@ -0,0 +1,36 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": "interval", + "elem": [ + { + "prefix": { + "addr": "192.168.4.0", + "len": 24 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.json-nft b/tests/shell/testcases/transactions/dumps/0040set_0.json-nft new file mode 100644 index 00000000..1718a5b9 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0040set_0.json-nft 
@@ -0,0 +1,84 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "client_to_any", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "client_to_any", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict" + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "FORWARD", + "handle": 0, + "expr": [ + { + "goto": { + "target": "client_to_any" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "client_to_any", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@client_to_any" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0041nat_restore_0.json-nft b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.json-nft new file mode 100644 index 00000000..32fce943 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.json-nft @@ -0,0 +1,30 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 0, + "policy": "accept" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft new file mode 100644 index 00000000..b7180012 --- /dev/null 
+++ b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + type nat hook postrouting priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.json-nft b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.json-nft new file mode 100644 index 00000000..ea3b5d3c --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.json-nft @@ -0,0 +1,28 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m1", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "counter" + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft new file mode 100644 index 00000000..e5cc63f2 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft @@ -0,0 +1,5 @@ +table ip filter { + map m1 { + type ipv4_addr : counter + } +} diff --git a/tests/shell/testcases/transactions/dumps/0043set_1.json-nft b/tests/shell/testcases/transactions/dumps/0043set_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0043set_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0043set_1.nft b/tests/shell/testcases/transactions/dumps/0043set_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0043set_1.nft 
diff --git a/tests/shell/testcases/transactions/dumps/0044rule_0.json-nft b/tests/shell/testcases/transactions/dumps/0044rule_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0044rule_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0044rule_0.nft b/tests/shell/testcases/transactions/dumps/0044rule_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0044rule_0.nft diff --git a/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.json-nft b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft diff --git a/tests/shell/testcases/transactions/dumps/0046set_0.json-nft b/tests/shell/testcases/transactions/dumps/0046set_0.json-nft new file mode 100644 index 00000000..f9b488e7 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0046set_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + } + ] +} 
diff --git a/tests/shell/testcases/transactions/dumps/0046set_0.nft b/tests/shell/testcases/transactions/dumps/0046set_0.nft new file mode 100644 index 00000000..eb39c44f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0046set_0.nft @@ -0,0 +1,2 @@ +table ip filter { +} diff --git a/tests/shell/testcases/transactions/dumps/0047set_0.json-nft b/tests/shell/testcases/transactions/dumps/0047set_0.json-nft new file mode 100644 index 00000000..fb6348f2 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0047set_0.json-nft @@ -0,0 +1,71 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "group_10060", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "classid", + "flags": "interval", + "elem": [ + [ + "10.1.26.2", + "1:bbf8" + ], + [ + "10.1.26.3", + "1:c1ad" + ], + [ + "10.1.26.4", + "1:b2d7" + ], + [ + "10.1.26.5", + "1:f705" + ], + [ + "10.1.26.6", + "1:b895" + ], + [ + "10.1.26.7", + "1:ec4c" + ], + [ + "10.1.26.8", + "1:de78" + ], + [ + "10.1.26.9", + "1:b4f3" + ], + [ + "10.1.26.10", + "1:dec6" + ], + [ + "10.1.26.11", + "1:b4c0" + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0047set_0.nft b/tests/shell/testcases/transactions/dumps/0047set_0.nft new file mode 100644 index 00000000..d8e8e38a --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0047set_0.nft @@ -0,0 +1,16 @@ +table ip filter { + map group_10060 { + type ipv4_addr : classid + flags interval + elements = { 10.1.26.2 : 1:bbf8, + 10.1.26.3 : 1:c1ad, + 10.1.26.4 : 1:b2d7, + 10.1.26.5 : 1:f705, + 10.1.26.6 : 1:b895, + 10.1.26.7 : 1:ec4c, + 10.1.26.8 : 1:de78, + 10.1.26.9 : 1:b4f3, + 10.1.26.10 : 1:dec6, + 10.1.26.11 : 1:b4c0 } + } +} 
diff --git a/tests/shell/testcases/transactions/dumps/0048helpers_0.json-nft b/tests/shell/testcases/transactions/dumps/0048helpers_0.json-nft new file mode 100644 index 00000000..f9b488e7 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0048helpers_0.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0048helpers_0.nft b/tests/shell/testcases/transactions/dumps/0048helpers_0.nft new file mode 100644 index 00000000..eb39c44f --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0048helpers_0.nft @@ -0,0 +1,2 @@ +table ip filter { +} diff --git a/tests/shell/testcases/transactions/dumps/0049huge_0.json-nft b/tests/shell/testcases/transactions/dumps/0049huge_0.json-nft new file mode 100644 index 00000000..456ada94 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0049huge_0.json-nft 
@@ -0,0 +1,5121 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_OUTPUT", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_IN_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_OUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_pre", + 
"handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": 
"mangle_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": 
"firewalld", + "name": "raw_PRE_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_deny", + "handle": 0 + } + }, + { + "chain": 
{ + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_log", + "handle": 0 + } + }, + { + "chain": 
{ + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_pre", + "handle": 0 + } + }, + { + "chain": { + 
"family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_post", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": { + "set": [ + "nd-router-advert", + "nd-neighbor-solicit" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv6" + } + }, + { + "match": { + "op": "==", + "left": { + "fib": { + "result": "oif", + "flags": [ + "saddr", + "iif" + ] + } + }, + "right": false + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "raw_PRE_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "raw_PRE_trusted" + } + } + ] 
+ } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "raw_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "mangle_PRE_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "mangle_PRE_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "mangle_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "established", + "related" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "status" + } + }, + "right": "dnat" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + 
"accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_INPUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "established", + "related" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "status" + } + }, + "right": "dnat" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "::", + "len": 96 + } + }, + { + "prefix": { + "addr": "::ffff:0.0.0.0", + "len": 96 + } + }, + { + "prefix": { + "addr": "2002::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:a00::", + "len": 24 + } + }, + { + 
"prefix": { + "addr": "2002:7f00::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:a9fe::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2002:ac10::", + "len": 28 + } + }, + { + "prefix": { + "addr": "2002:c0a8::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2002:e000::", + "len": 19 + } + } + ] + } + } + }, + { + "reject": { + "type": "icmpv6", + "expr": "addr-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_IN_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_OUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_OUTPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_OUTPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "::", + "len": 96 + } + }, + { + "prefix": { + "addr": "::ffff:0.0.0.0", + "len": 96 + } + }, + { + "prefix": { + "addr": "2002::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:a00::", + 
"len": 24 + } + }, + { + "prefix": { + "addr": "2002:7f00::", + "len": 24 + } + }, + { + "prefix": { + "addr": "2002:a9fe::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2002:ac10::", + "len": 28 + } + }, + { + "prefix": { + "addr": "2002:c0a8::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2002:e000::", + "len": 19 + } + } + ] + } + } + }, + { + "reject": { + "type": "icmpv6", + "expr": "addr-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "filter_IN_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "filter_IN_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_IN_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "filter_FWDI_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "filter_FWDI_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "goto": 
{ + "target": "filter_FWDI_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "filter_FWDO_work" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "filter_FWDO_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDO_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_pre" + } + } + ] + } + }, 
+ { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "new", + "untracked" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + 
"key": "state" + } + }, + "right": { + "set": [ + "new", + "untracked" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { 
+ "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", 
+ "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": 
"filter_IN_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_trusted", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_trusted", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + 
"chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_trusted", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_log" + } + } + ] + } + }, + { + "rule": { + 
"family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "new", + "untracked" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": { + "set": [ + "new", + "untracked" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 
0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + 
"right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_post" + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": 
"ip", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": 
"nat_POST_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_post", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + 
"target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "nat_PRE_work" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "nat_PRE_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "nat_POST_work" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "nat_POST_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_pre" + } + } 
+ ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + 
"jump": { + "target": "nat_PRE_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": 
"nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_post" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": 
"ip6", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + 
"name": "nat_PRE_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_trusted_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_post", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_pre", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + 
} + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_post", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "nat_PRE_work" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "nat_PRE_trusted" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy" + } + }, + { + "goto": { + "target": "nat_POST_work" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "perm_dummy2" + } + }, + { + "goto": { + "target": "nat_POST_trusted" + } 
+ } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": 
[ + { + "jump": { + "target": "nat_POST_public_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_trusted", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_trusted_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + 
"table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_post" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_pre" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_post" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/0049huge_0.nft b/tests/shell/testcases/transactions/dumps/0049huge_0.nft new file mode 100644 index 00000000..96f5a387 --- /dev/null 
+++ b/tests/shell/testcases/transactions/dumps/0049huge_0.nft 
@@ -0,0 +1,749 @@ +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority raw + 10; policy accept; + icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES { + iifname "perm_dummy" goto raw_PRE_work + iifname "perm_dummy2" goto raw_PRE_trusted + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority mangle + 10; policy accept; + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES { + iifname "perm_dummy" goto mangle_PRE_work + iifname "perm_dummy2" goto mangle_PRE_trusted + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority filter + 10; policy accept; + ct state { established, related } accept + ct status dnat accept + iifname "lo" accept + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority filter + 10; policy accept; + ct state { established, related } accept + ct status dnat accept + iifname "lo" accept + ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_OUTPUT { + type filter hook output priority filter + 10; policy accept; + oifname "lo" accept + ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable + } + + chain filter_INPUT_ZONES { + iifname "perm_dummy" goto filter_IN_work + iifname "perm_dummy2" goto filter_IN_trusted + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES { + iifname "perm_dummy" goto filter_FWDI_work 
+ iifname "perm_dummy2" goto filter_FWDI_trusted + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES { + oifname "perm_dummy" goto filter_FWDO_work + oifname "perm_dummy2" goto filter_FWDO_trusted + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_pre + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + jump raw_PRE_public_post + } + + chain raw_PRE_public_pre { + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain raw_PRE_public_post { + } + + chain filter_IN_public { + jump filter_IN_public_pre + jump filter_IN_public_log + jump filter_IN_public_deny + jump filter_IN_public_allow + jump filter_IN_public_post + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_pre { + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport 22 ct state { new, untracked } accept + ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept + } + + chain filter_IN_public_post { + } + + chain filter_FWDI_public { + jump filter_FWDI_public_pre + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + jump filter_FWDI_public_post + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_pre { + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain filter_FWDI_public_post { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_pre + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + jump mangle_PRE_public_post + } + + chain mangle_PRE_public_pre { + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain mangle_PRE_public_post { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_pre + jump 
filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + jump filter_FWDO_public_post + } + + chain filter_FWDO_public_pre { + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain filter_FWDO_public_post { + } + + chain raw_PRE_trusted { + jump raw_PRE_trusted_pre + jump raw_PRE_trusted_log + jump raw_PRE_trusted_deny + jump raw_PRE_trusted_allow + jump raw_PRE_trusted_post + } + + chain raw_PRE_trusted_pre { + } + + chain raw_PRE_trusted_log { + } + + chain raw_PRE_trusted_deny { + } + + chain raw_PRE_trusted_allow { + } + + chain raw_PRE_trusted_post { + } + + chain mangle_PRE_trusted { + jump mangle_PRE_trusted_pre + jump mangle_PRE_trusted_log + jump mangle_PRE_trusted_deny + jump mangle_PRE_trusted_allow + jump mangle_PRE_trusted_post + } + + chain mangle_PRE_trusted_pre { + } + + chain mangle_PRE_trusted_log { + } + + chain mangle_PRE_trusted_deny { + } + + chain mangle_PRE_trusted_allow { + } + + chain mangle_PRE_trusted_post { + } + + chain filter_IN_trusted { + jump filter_IN_trusted_pre + jump filter_IN_trusted_log + jump filter_IN_trusted_deny + jump filter_IN_trusted_allow + jump filter_IN_trusted_post + accept + } + + chain filter_IN_trusted_pre { + } + + chain filter_IN_trusted_log { + } + + chain filter_IN_trusted_deny { + } + + chain filter_IN_trusted_allow { + } + + chain filter_IN_trusted_post { + } + + chain filter_FWDI_trusted { + jump filter_FWDI_trusted_pre + jump filter_FWDI_trusted_log + jump filter_FWDI_trusted_deny + jump filter_FWDI_trusted_allow + jump filter_FWDI_trusted_post + accept + } + + chain filter_FWDI_trusted_pre { + } + + chain filter_FWDI_trusted_log { + } + + chain filter_FWDI_trusted_deny { + } + + chain filter_FWDI_trusted_allow { + } + + chain filter_FWDI_trusted_post { + } + + chain filter_FWDO_trusted { + jump filter_FWDO_trusted_pre + jump filter_FWDO_trusted_log + jump filter_FWDO_trusted_deny + jump 
filter_FWDO_trusted_allow + jump filter_FWDO_trusted_post + accept + } + + chain filter_FWDO_trusted_pre { + } + + chain filter_FWDO_trusted_log { + } + + chain filter_FWDO_trusted_deny { + } + + chain filter_FWDO_trusted_allow { + } + + chain filter_FWDO_trusted_post { + } + + chain raw_PRE_work { + jump raw_PRE_work_pre + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + jump raw_PRE_work_post + } + + chain raw_PRE_work_pre { + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain raw_PRE_work_post { + } + + chain filter_IN_work { + jump filter_IN_work_pre + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + jump filter_IN_work_post + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_pre { + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport 22 ct state { new, untracked } accept + ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept + } + + chain filter_IN_work_post { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_pre + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + jump mangle_PRE_work_post + } + + chain mangle_PRE_work_pre { + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } + + chain mangle_PRE_work_allow { + } + + chain mangle_PRE_work_post { + } + + chain filter_FWDI_work { + jump filter_FWDI_work_pre + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + jump filter_FWDI_work_post + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_pre { + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain filter_FWDI_work_post { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_pre + jump filter_FWDO_work_log + jump filter_FWDO_work_deny + jump 
filter_FWDO_work_allow + jump filter_FWDO_work_post + } + + chain filter_FWDO_work_pre { + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } + + chain filter_FWDO_work_post { + } +} +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES { + iifname "perm_dummy" goto nat_PRE_work + iifname "perm_dummy2" goto nat_PRE_trusted + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES { + oifname "perm_dummy" goto nat_POST_work + oifname "perm_dummy2" goto nat_POST_trusted + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_pre + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + jump nat_PRE_public_post + } + + chain nat_PRE_public_pre { + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_PRE_public_post { + } + + chain nat_POST_public { + jump nat_POST_public_pre + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + jump nat_POST_public_post + } + + chain nat_POST_public_pre { + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_POST_public_post { + } + + chain nat_PRE_trusted { + jump nat_PRE_trusted_pre + jump nat_PRE_trusted_log + jump nat_PRE_trusted_deny + jump nat_PRE_trusted_allow + jump nat_PRE_trusted_post + } + + chain nat_PRE_trusted_pre { + } + + chain nat_PRE_trusted_log { + } + + chain nat_PRE_trusted_deny { + } + + chain nat_PRE_trusted_allow { + } + + chain nat_PRE_trusted_post { + } + + chain nat_POST_trusted { + jump nat_POST_trusted_pre + jump nat_POST_trusted_log + jump nat_POST_trusted_deny + jump 
nat_POST_trusted_allow + jump nat_POST_trusted_post + } + + chain nat_POST_trusted_pre { + } + + chain nat_POST_trusted_log { + } + + chain nat_POST_trusted_deny { + } + + chain nat_POST_trusted_allow { + } + + chain nat_POST_trusted_post { + } + + chain nat_PRE_work { + jump nat_PRE_work_pre + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + jump nat_PRE_work_post + } + + chain nat_PRE_work_pre { + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_PRE_work_post { + } + + chain nat_POST_work { + jump nat_POST_work_pre + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + jump nat_POST_work_post + } + + chain nat_POST_work_pre { + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } + + chain nat_POST_work_post { + } +} +table ip6 firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES { + iifname "perm_dummy" goto nat_PRE_work + iifname "perm_dummy2" goto nat_PRE_trusted + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES { + oifname "perm_dummy" goto nat_POST_work + oifname "perm_dummy2" goto nat_POST_trusted + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_pre + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + jump nat_PRE_public_post + } + + chain nat_PRE_public_pre { + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_PRE_public_post { + } + + chain nat_POST_public { + jump nat_POST_public_pre + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + jump nat_POST_public_post + } + + chain 
nat_POST_public_pre { + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_POST_public_post { + } + + chain nat_PRE_trusted { + jump nat_PRE_trusted_pre + jump nat_PRE_trusted_log + jump nat_PRE_trusted_deny + jump nat_PRE_trusted_allow + jump nat_PRE_trusted_post + } + + chain nat_PRE_trusted_pre { + } + + chain nat_PRE_trusted_log { + } + + chain nat_PRE_trusted_deny { + } + + chain nat_PRE_trusted_allow { + } + + chain nat_PRE_trusted_post { + } + + chain nat_POST_trusted { + jump nat_POST_trusted_pre + jump nat_POST_trusted_log + jump nat_POST_trusted_deny + jump nat_POST_trusted_allow + jump nat_POST_trusted_post + } + + chain nat_POST_trusted_pre { + } + + chain nat_POST_trusted_log { + } + + chain nat_POST_trusted_deny { + } + + chain nat_POST_trusted_allow { + } + + chain nat_POST_trusted_post { + } + + chain nat_PRE_work { + jump nat_PRE_work_pre + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + jump nat_PRE_work_post + } + + chain nat_PRE_work_pre { + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_PRE_work_post { + } + + chain nat_POST_work { + jump nat_POST_work_pre + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + jump nat_POST_work_post + } + + chain nat_POST_work_pre { + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } + + chain nat_POST_work_post { + } +} diff --git a/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft b/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0050rule_1.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} 
diff --git a/tests/shell/testcases/transactions/dumps/0050rule_1.nft b/tests/shell/testcases/transactions/dumps/0050rule_1.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0050rule_1.nft diff --git a/tests/shell/testcases/transactions/dumps/0051map_0.nodump b/tests/shell/testcases/transactions/dumps/0051map_0.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0051map_0.nodump diff --git a/tests/shell/testcases/transactions/dumps/30s-stress.json-nft b/tests/shell/testcases/transactions/dumps/30s-stress.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/30s-stress.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/30s-stress.nft b/tests/shell/testcases/transactions/dumps/30s-stress.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/30s-stress.nft diff --git a/tests/shell/testcases/transactions/dumps/anon_chain_loop.json-nft b/tests/shell/testcases/transactions/dumps/anon_chain_loop.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/anon_chain_loop.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft b/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft 
diff --git a/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump b/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump diff --git a/tests/shell/testcases/transactions/dumps/bad_expression.json-nft b/tests/shell/testcases/transactions/dumps/bad_expression.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/bad_expression.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/bad_expression.nft b/tests/shell/testcases/transactions/dumps/bad_expression.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/bad_expression.nft diff --git a/tests/shell/testcases/transactions/dumps/bad_rule_graphs.json-nft b/tests/shell/testcases/transactions/dumps/bad_rule_graphs.json-nft new file mode 100644 index 00000000..30789211 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/bad_rule_graphs.json-nft 
@@ -0,0 +1,201 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c10", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c9", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c8", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c0", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c9", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c10" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c9", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "tproxy": { + "port": 20000 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 1 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c8", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c9" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + 
"data": "@m" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c0", + "handle": 0, + "expr": [ + { + "jump": { + "target": "c1" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/bad_rule_graphs.nft b/tests/shell/testcases/transactions/dumps/bad_rule_graphs.nft new file mode 100644 index 00000000..3a593650 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/bad_rule_graphs.nft @@ -0,0 +1,30 @@ +table ip t { + map m { + type ipv4_addr : verdict + } + + chain c10 { + } + + chain c9 { + jump c10 + tcp dport 80 tproxy to :20000 meta mark set 0x00000001 accept + } + + chain c8 { + jump c9 + } + + chain c2 { + } + + chain c1 { + jump c2 + ip saddr vmap @m + } + + chain c0 { + type filter hook input priority filter; policy accept; + jump c1 + } +} diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft new file mode 100644 index 00000000..8db71894 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft @@ -0,0 +1,47 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "foo", + "handle": 0, + "expr": [ + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft new file mode 100644 index 00000000..06adca7a --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft 
@@ -0,0 +1,8 @@ +table ip x { + chain foo { + accept + } + + chain bar { + } +} diff --git a/tests/shell/testcases/transactions/dumps/doubled-set.json-nft b/tests/shell/testcases/transactions/dumps/doubled-set.json-nft new file mode 100644 index 00000000..1b9af211 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/doubled-set.json-nft @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "flags": "interval", + "elem": [ + { + "concat": [ + "1.2.3.4", + "foo" + ] + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/doubled-set.nft b/tests/shell/testcases/transactions/dumps/doubled-set.nft new file mode 100644 index 00000000..48a322eb --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/doubled-set.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr . ifname + flags interval + elements = { 1.2.3.4 . "foo" } + } +} diff --git a/tests/shell/testcases/transactions/dumps/handle_bad_family.json-nft b/tests/shell/testcases/transactions/dumps/handle_bad_family.json-nft new file mode 100644 index 00000000..15ec0aac --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/handle_bad_family.json-nft @@ -0,0 +1,18 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/handle_bad_family.nft b/tests/shell/testcases/transactions/dumps/handle_bad_family.nft new file mode 100644 index 00000000..5d4d2caf --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/handle_bad_family.nft @@ -0,0 +1,2 @@ +table ip x { +} 
diff --git a/tests/shell/testcases/transactions/dumps/table_onoff.json-nft b/tests/shell/testcases/transactions/dumps/table_onoff.json-nft new file mode 100644 index 00000000..a7583e8c --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/table_onoff.json-nft @@ -0,0 +1,59 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0, + "flags": "dormant" + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.42" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/transactions/dumps/table_onoff.nft b/tests/shell/testcases/transactions/dumps/table_onoff.nft new file mode 100644 index 00000000..038be1c0 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/table_onoff.nft @@ -0,0 +1,8 @@ +table ip t { + flags dormant + + chain c { + type filter hook input priority filter; policy accept; + ip daddr 127.0.0.42 counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump b/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump diff --git a/tests/shell/testcases/transactions/handle_bad_family b/tests/shell/testcases/transactions/handle_bad_family new file mode 100755 index 00000000..59224189 --- /dev/null +++ b/tests/shell/testcases/transactions/handle_bad_family 
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+NFT=nft
+
+HANDLE=$($NFT -a -e add table ip x | cut -d '#' -f 2 | awk '{ print $2 }' | head -1)
+
+# should fail
+$NFT delete table inet handle $HANDLE
+[ $? -ne 0 ] && exit 0
diff --git a/tests/shell/testcases/transactions/table_onoff b/tests/shell/testcases/transactions/table_onoff
new file mode 100755
index 00000000..831d4614
--- /dev/null
+++ b/tests/shell/testcases/transactions/table_onoff
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# attempt to re-awaken a table that is flagged dormant within
+# same transaction
+$NFT -f - <<EOF
+add table ip t
+add table ip t { flags dormant; }
+add chain ip t c { type filter hook input priority 0; }
+add table ip t
+delete table ip t
+EOF
+
+if [ $? -eq 0 ]; then
+ exit 1
+fi
+
+set -e
+
+ip link set lo up
+
+# add a dormant table, then wake it up in same
+# transaction.
+$NFT -f - <<EOF
+add table ip t { flags dormant; }
+add chain ip t c { type filter hook input priority 0; }
+add rule ip t c ip daddr 127.0.0.42 counter
+add table ip t
+EOF
+
+# check table is indeed active.
+ping -c 1 127.0.0.42
+$NFT list chain ip t c | grep "counter packets 1"
+$NFT delete table ip t
+
+# allow to flag table dormant.
+$NFT -f - <<EOF
+add table ip t
+add chain ip t c { type filter hook input priority 0; }
+add rule ip t c ip daddr 127.0.0.42 counter
+add table ip t { flags dormant; }
+EOF
+
+ping -c 1 127.0.0.42
+# expect run-tests.sh to complain if counter isn't 0.
diff --git a/tests/shell/testcases/transactions/validation_recursion.sh b/tests/shell/testcases/transactions/validation_recursion.sh
new file mode 100755
index 00000000..bc3ebcc1
--- /dev/null
+++ b/tests/shell/testcases/transactions/validation_recursion.sh
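Review bot: `NFT=nft` on the third line of handle_bad_family overrides the binary the harness hands in through `$NFT` (the neighbouring table_onoff and validation_recursion.sh scripts use `$NFT` without assigning it), so this test runs whichever `nft` is first on PATH rather than the build under test; drop the assignment or make it a fallback, `NFT=${NFT:-nft}`. The delete is only meaningful when `HANDLE` was actually parsed: if the `cut | awk | head` pipeline yields nothing, `delete table inet handle` is a parse error and the test passes vacuously, so add `[ -n "$HANDLE" ] || exit 1` after the assignment and quote `"$HANDLE"` in the delete. If the delete unexpectedly succeeds the script falls through and exits with the status of `[ $? -ne 0 ]`, which is 1 and fails the test only by accident; an explicit trailing `exit 1` makes that intent visible.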
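Review bot: The dormant case at the end of table_onoff asserts nothing on its own and relies on the dump comparison (`# expect run-tests.sh to complain if counter isn't 0.`), so the script gives no signal when run standalone or if the dump check is skipped. Mirroring the active case, `$NFT list chain ip t c | grep -q "counter packets 0"` after the final ping lets the script verify the counter itself under the already-enabled `set -e`. The active-case check on `grep "counter packets 1"` works only because the pipeline's status is grep's; a `set -o pipefail` next to `set -e` would also catch a failing `$NFT list` instead of masking it.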
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# regression check for kernel commit
+# cff3bd012a95 ("netfilter: nf_tables: prefer nft_chain_validate")
+
+chains=100
+
+# first create skeleton, linear list
+# of 1k jumps, c1 -> c2 .. -> c100.
+#
+# not caught, commit phase validation doesn't care about
+# non-base chains.
+(
+ echo add table ip t
+
+ for i in $(seq 1 $chains);do
+ echo add chain t c$i
+ done
+
+ for i in $(seq 1 $((chains-1)) );do
+ echo add rule t c$i jump c$((i+1))
+ done
+) | $NFT -f -
+
+# now link up c0 to c1. This triggers register-store validation for
+# c1. Old algorithm is recursive and will blindly chase the entire
+# list of chains created above. On older kernels, this will cause kernel
+# stack overflow/guard page crash.
+$NFT -f - <<EOF
+add chain t c0 { type filter hook input priority 0; }
+add rule t c0 jump c1
+EOF
+
+if [ $? -eq 0 ] ; then
+ echo "E: loaded bogus ruleset" >&2
+ exit 1
+fi
+
+$NFT delete table ip t |
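Review bot: The skeleton load on `) | $NFT -f -` is unchecked, so if it fails (for example because `$NFT` is unset or the table already exists) the later `add rule t c0 jump c1` is rejected merely because `c1` does not exist, and the `if [ $? -eq 0 ]` branch reads that as the expected rejection, passing the regression test vacuously; `) | $NFT -f - || exit 1` pins the precondition. The header comment says `# of 1k jumps` while `chains=100` creates a hundred chains and 99 jumps, so `# of 100 jumps, c1 -> c2 .. -> c100.` would match the code. Replacing `$(seq 1 $chains)` with `for ((i = 1; i <= chains; i++))` avoids the external `seq` and is a style-only change.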