From 8d2f36763d23201100a11161b179e29dbec5be3a Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Thu, 29 Feb 2024 11:41:25 +0100 Subject: tests: maps: add a test case for "limit" objref map check add, delete and removal operations for objref maps. Also check type vs. typeof declarations and use both interval and interval+concatenation (rbtree, pipapo). Signed-off-by: Florian Westphal --- .../testcases/maps/dumps/named_limits.json-nft | 328 +++++++++++++++++++++ 1 file changed, 328 insertions(+) create mode 100644 tests/shell/testcases/maps/dumps/named_limits.json-nft (limited to 'tests/shell/testcases/maps/dumps/named_limits.json-nft') diff --git a/tests/shell/testcases/maps/dumps/named_limits.json-nft b/tests/shell/testcases/maps/dumps/named_limits.json-nft new file mode 100644 index 00000000..28a92529 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_limits.json-nft @@ -0,0 +1,328 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "limit": { + "family": "inet", + "name": "tarpit-pps", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "burst": 5 + } + }, + { + "limit": { + "family": "inet", + "name": "tarpit-bps", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "rate_unit": "kbytes" + } + }, + { + "limit": { + "family": "inet", + "name": "http-bulk-rl-1m", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "rate_unit": "mbytes" + } + }, + { + "limit": { + "family": "inet", + "name": "http-bulk-rl-10m", + "table": "filter", + "handle": 0, + "rate": 10, + "per": "second", + "rate_unit": "mbytes" + } + }, + { + "set": { + "family": "inet", + "name": "tarpit4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "size": 10000, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 60 + } + }, + { + "set": { + "family": "inet", + "name": "tarpit6", + "table": "filter", + "type": "ipv6_addr", + "handle": 0, + "size": 10000, + "flags": [ + "timeout", + "dynamic" + ], + "timeout": 60 + } + }, + { + "map": { + "family": "inet", + "name": "addr4limit", + "table": "filter", + "type": [ + "inet_proto", + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "map": "limit", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "concat": [ + "tcp", + { + "prefix": { + "addr": "192.168.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 65535 + ] + } + ] + }, + "tarpit-bps" + ], + [ + { + "concat": [ + "udp", + { + "prefix": { + "addr": "192.168.0.0", + "len": 16 + } + }, + { + "range": [ + 1, + 65535 + ] + } + ] + }, + "tarpit-pps" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "127.0.0.1", + "127.1.2.3" + ] + }, + { + "range": [ + 1, + 1024 + ] + } + ] + }, + "tarpit-pps" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "10.0.0.1", + "10.0.0.255" + ] + }, + 80 + ] + }, + "http-bulk-rl-1m" + ], + [ + { + "concat": [ + "tcp", + { + "range": [ + "10.0.0.1", + "10.0.0.255" + ] + }, + 443 + ] + }, + "http-bulk-rl-1m" + ], + [ + { + "concat": [ + "tcp", + { + "prefix": { + "addr": "10.0.1.0", + "len": 24 + } + }, + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "http-bulk-rl-10m" + ], + [ + { + "concat": [ + "tcp", + "10.0.2.1", + 22 + ] + }, + "http-bulk-rl-10m" + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "saddr6limit", + "table": "filter", + "type": "ipv6_addr", + "handle": 0, + "map": "limit", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "range": [ + "dead::beef", + "dead::1:aced" + ] + }, + "tarpit-pps" + ] + ] + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "th", + "field": "sport" + } + } + ] + }, + "data": "@addr4limit" + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "limit": { + "map": { + "key": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "data": "@saddr6limit" + } + } + } + ] + } + } + ] +} -- cgit v1.2.3