From 38a110874c006cc42b1a1e97f3cb082a33169c35 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 18 Dec 2020 11:13:57 +0100 Subject: tests: shell: set element multi-statement support This patch adds two tests to add multistatement support: - Dynamic set updates from packet path. - Set that is updated from the control plane. Signed-off-by: Pablo Neira Ayuso --- .../testcases/sets/0059set_update_multistmt_0 | 17 ++++++++ tests/shell/testcases/sets/0060set_multistmt_0 | 50 ++++++++++++++++++++++ .../sets/dumps/0059set_update_multistmt_0.nft | 13 ++++++ .../testcases/sets/dumps/0060set_multistmt_0.nft | 13 ++++++ 4 files changed, 93 insertions(+) create mode 100755 tests/shell/testcases/sets/0059set_update_multistmt_0 create mode 100755 tests/shell/testcases/sets/0060set_multistmt_0 create mode 100644 tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0
new file mode 100755
index 00000000..107bfb87
--- /dev/null
+++ b/tests/shell/testcases/sets/0059set_update_multistmt_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+RULESET="table x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ timeout 1h
+ }
+ chain z {
+ type filter hook output priority 0;
+ update @y { ip daddr limit rate 1/second counter }
+ }
+}"
+
+set -e
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0
new file mode 100755
index 00000000..6bd147c3
--- /dev/null
+++ b/tests/shell/testcases/sets/0060set_multistmt_0
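Review bot: The here-string on the last line of 0059set_update_multistmt_0 expands `$RULESET` unquoted; on older bash releases that expansion is word-split, which would flatten the ruleset's newlines into spaces before nft parses it, so the test could fail for a reason unrelated to multi-statement support. Quoting keeps the input identical on every shell: `$NFT -f - <<< "$RULESET"`. The same unquoted here-string appears in 0060set_multistmt_0, where the ruleset is loaded before the first status check.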
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+RULESET="table x {
+ set y {
+ type ipv4_addr
+ limit rate 1/second counter
+ elements = { 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 }
+ }
+ chain y {
+ type filter hook output priority filter; policy accept;
+ ip daddr @y
+ }
+}"
+
+$NFT -f - <<< $RULESET
+# should work
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+# should work
+$NFT add element x y { 1.1.1.1 limit rate 1/second counter }
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+# should fail
+$NFT add element x y { 2.2.2.2 limit rate 1/second }
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+# should fail
+$NFT add element x y { 3.3.3.3 counter limit rate 1/second }
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+# should work
+$NFT add element x y { 4.4.4.4 }
+if [ $? -ne 0 ]
+then
+ exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
new file mode 100644
index 00000000..1b0ffae4
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ timeout 1h
+ }
+
+ chain z {
+ type filter hook output priority filter; policy accept;
+ update @y { ip daddr limit rate 1/second counter }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
new file mode 100644
index 00000000..f23db534
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ limit rate 1/second counter
+ elements = { 1.1.1.1 limit rate 1/second counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second counter packets 0 bytes 0,
+ 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 }
+ }
+
+ chain y {
+ type filter hook output priority filter; policy accept;
+ ip daddr @y
+ }
+}
-- cgit v1.2.3
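Review bot: The two `# should fail` blocks in 0060set_multistmt_0 (elements 2.2.2.2 and 3.3.3.3) accept any non-zero status, so an nft crash while handling the mismatched statement list (status 128+signal) would count as a pass. The dump comparison would not catch it either, because the element is absent from the set in both the rejected and the crashed case. Assuming nft exits with status 1 on a cleanly rejected command, the check can pin that: `[ $? -eq 1 ] || exit 1`. The first `# should work` comment also sits below the `$NFT -f -` call it describes; moving it above the command would match the other blocks.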