| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The shell-based tests currently encode a return value in the
file name, i.e. foo_1 expects that the script should return '1'
for the test case to pass.
This is very error prone, and one test case is even broken (i.e.,
it returns 1, but because of a different, earlier error).
do_something || exit 1
or
'set -e'
are both pretty common patterns, in both cases tests should fail.
In those test-cases that deliberately test for an error,
nft something_should_fail || exit 0
nft something_should_fail && exit 1
or a similar constructs should be used.
This initial commit modififies all '_1' scripts to return 0 on
success, usually via 'nft wrong || exit 0'.
All tests pass, except the one broken test case that hasn't worked
before either, but where 'set -e' use made it pass (the failing command
is supposed to work, and the command that is supposed to fail is never
run).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
bash 4.3.30 removes newlines in RULESET when "" are omitted, which
then causes nft -f to complain about invalid syntax.
As a result, all test cases that use this here-doc style fail.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In libnftables, detect if given filename is '-' and treat it as the
common way of requesting to read from stdin, then open /dev/stdin
instead. (Calling 'nft -f /dev/stdin' worked before as well, but this
makes it official.)
With this in place and bash's support for here strings, review all tests
in tests/shell for needless use of temp files. Note that two categories
of test cases were intentionally left unchanged:
- Tests creating potentially large rulesets to avoid running into shell
parameter length limits.
- Tests for 'include' directive for obvious reasons.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Complete the automated shell tests with the verification of
the test file dump, only for positive tests and if the test
execution was successful.
It's able to generate the dump file with the -g option.
Example:
# ./run-tests.sh -g testcases/chains/0001jumps_0
The dump files are generated in the same path in the folder named
dumps/ with .nft extension.
It has been avoided the dump verification code in every test
file.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new datatype is a string subtype.
It will allow us to build named maps/sets using meta keys like 'iifname',
'oifname', 'ibriport' or 'obriport'.
Example:
table inet t {
set s {
type ifname
elements = { "eth0",
"eth1" }
}
chain c {
iifname @s accept
oifname @s accept
}
}
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add tests for different map expression.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Print elements per line instead of all in a single line.
The elements which can be 'short' are printed 5 per line,
and others, like IPv4 addresses are printed 2 per line.
Example:
% nft list ruleset -nnn
table ip t {
set s {
type inet_service
elements = { 1, 2, 3, 4, 10,
432, 433, 434, 435, 436,
437, 438, 439, 440, 441,
442, 443, 444, 445, 446,
447, 448, 449, 450, 12345 }
}
map m {
type inet_service . iface_index : verdict
elements = { 123 . "lo" : accept,
1234 . "lo" : accept,
12345 . "lo" : accept,
12346 . "lo" : accept,
12347 . "lo" : accept }
}
set s3 {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2,
3.3.3.3 }
}
}
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Not having a space between the last element in a set and the closing
curly brace looks ugly, so add it here.
This also adjusts all shell testcases as they match whitespace in nft
output and therefore fail otherwise.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Test adding elements to simple and interval maps.
Based on original work from Richard Mörbitz and Pablo Neira.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you add a map with timeouts, eg.
# nft add table x
# nft add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; }
The listing shows a set instead of a map:
# nft list ruleset
table ip x {
set y {
type ipv4_addr
flags timeout
}
}
This patch fixes the parser to keep the map flag around when timeout
flag (or any other flags) are specified.
This patch also comes with a regression test.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
Let's add some tests cases for maps.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
