From 624b034b83a66ec2263314db9dc62ac06b1ae7e7 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 8 Feb 2024 14:30:17 +0100 Subject: tests: shell: Pretty-print all *.json-nft dumps The problem with single line output as produced by 'nft -j list ruleset' is its incompatibility to unified diff format as any change in this single line will produce a diff which contains the old and new lines in total. This is not just unreadable but will blow up patches which may exceed mailinglists' mail size limits. Convert them all at once by feeding their contents to tests/shell/helpers/json-pretty.sh. Signed-off-by: Phil Sutter --- .../optimizations/dumps/dependency_kill.json-nft | 777 ++++++++++++++++++++- .../optimizations/dumps/merge_nat.json-nft | 380 +++++++++- .../optimizations/dumps/merge_nat_concat.json-nft | 201 +++++- .../optimizations/dumps/merge_reject.json-nft | 321 ++++++++- .../optimizations/dumps/merge_stmts.json-nft | 64 +- .../dumps/merge_stmts_concat.json-nft | 375 +++++++++- .../dumps/merge_stmts_concat_vmap.json-nft | 168 ++++- .../optimizations/dumps/merge_stmts_vmap.json-nft | 183 ++++- .../optimizations/dumps/merge_vmap_raw.json-nft | 439 +++++++++++- .../optimizations/dumps/merge_vmaps.json-nft | 206 +++++- .../optimizations/dumps/not_mergeable.json-nft | 141 +++- .../testcases/optimizations/dumps/ruleset.json-nft | 12 +- .../dumps/single_anon_set_expr.json-nft | 60 +- .../optimizations/dumps/skip_merge.json-nft | 236 ++++++- .../optimizations/dumps/skip_non_eq.json-nft | 109 ++- .../optimizations/dumps/skip_unsupported.json-nft | 257 ++++++- .../optimizations/dumps/variables.json-nft | 12 +- 17 files changed, 3924 insertions(+), 17 deletions(-) (limited to 'tests/shell/testcases/optimizations/dumps') diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft index 7085061b..712182e9 100644 --- a/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft +++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.json-nft @@ -1 +1,776 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "bridge", "name": "foo", "handle": 0}}, {"chain": {"family": "bridge", "table": "foo", "name": "bar", "handle": 0}}, {"rule": {"family": "bridge", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "protocol"}}, "right": "ip"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "bridge", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "protocol"}}, "right": "ip6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "bridge", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "type"}}, "right": "ip"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "bridge", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "type"}}, "right": "ip6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"table": {"family": "ip", "name": "foo", "handle": 0}}, {"chain": {"family": "ip", "table": "foo", "name": "bar", "handle": 0}}, {"rule": {"family": "ip", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "ip", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "protocol"}}, "right": "ip6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "ip", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "ip", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "type"}}, "right": "ip6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"table": {"family": "ip6", "name": "foo", "handle": 0}}, {"chain": {"family": "ip6", "table": "foo", "name": "bar", "handle": 0}}, {"rule": {"family": "ip6", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "protocol"}}, "right": "ip"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "ip6", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "ip6", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "type"}}, "right": "ip"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "ip6", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"table": {"family": "netdev", "name": "foo", "handle": 0}}, {"chain": {"family": "netdev", "table": "foo", "name": "bar", "handle": 0}}, {"rule": {"family": "netdev", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "protocol"}}, "right": "ip"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "netdev", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "protocol"}}, "right": "ip6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "netdev", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "type"}}, "right": "ip"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "netdev", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "type"}}, "right": "ip6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"table": {"family": "inet", "name": "foo", "handle": 0}}, {"chain": {"family": "inet", "table": "foo", "name": "bar", "handle": 0}}, {"rule": {"family": "inet", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "protocol"}}, "right": "ip"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "inet", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "protocol"}}, "right": "ip6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "inet", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "type"}}, "right": "ip"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "inet", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "type"}}, "right": "ip6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "inet", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "nfproto"}}, "right": "ipv4"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}, {"rule": {"family": "inet", "table": "foo", "chain": "bar", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "nfproto"}}, "right": "ipv6"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 67}}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "bridge", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "bridge", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "bridge", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "netdev", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "netdev", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "netdev", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "foo", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "foo", + "name": "bar", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "protocol" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "ip6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "foo", + "chain": "bar", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 67 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft index c4e448e7..a6cf1bfc 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_nat.json-nft @@ -1 +1,379 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "test1", "handle": 0}}, {"chain": {"family": "ip", "table": "test1", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "test1", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oif"}}, "right": "lo"}}, {"accept": null}]}}, {"rule": {"family": "ip", "table": "test1", "chain": "y", "handle": 0, "expr": [{"dnat": {"addr": {"map": {"key": {"payload": {"protocol": "ip", "field": "saddr"}}, "data": {"set": [["4.4.4.4", "1.1.1.1"], ["5.5.5.5", "2.2.2.2"]]}}}}}]}}, {"table": {"family": "ip", "name": "test2", "handle": 0}}, {"chain": {"family": "ip", "table": "test2", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "test2", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oif"}}, "right": "lo"}}, {"accept": null}]}}, {"rule": {"family": "ip", "table": "test2", "chain": "y", "handle": 0, "expr": [{"dnat": {"family": "ip", "addr": {"map": {"key": {"payload": {"protocol": "tcp", "field": "dport"}}, "data": {"set": [[80, {"concat": ["1.1.1.1", 8001]}], [81, {"concat": ["2.2.2.2", 9001]}]]}}}}}]}}, {"rule": {"family": "ip", "table": "test2", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": {"set": [{"prefix": {"addr": "10.141.11.0", "len": 24}}, {"prefix": {"addr": "10.141.13.0", "len": 24}}]}}}, {"masquerade": null}]}}, {"table": {"family": "ip", "name": "test4", "handle": 0}}, {"chain": {"family": "ip", "table": "test4", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "test4", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oif"}}, "right": "lo"}}, {"accept": null}]}}, {"rule": {"family": "ip", "table": "test4", "chain": "y", "handle": 0, "expr": [{"dnat": {"family": "ip", "addr": {"map": {"key": {"concat": [{"payload": {"protocol": "ip", "field": "daddr"}}, {"payload": {"protocol": "tcp", "field": "dport"}}]}, "data": {"set": [[{"concat": ["1.1.1.1", 80]}, {"concat": ["4.4.4.4", 8000]}], [{"concat": ["2.2.2.2", 81]}, {"concat": ["3.3.3.3", 9000]}]]}}}}}]}}, {"rule": {"family": "ip", "table": "test4", "chain": "y", "handle": 0, "expr": [{"redirect": {"port": {"map": {"key": {"payload": {"protocol": "tcp", "field": "dport"}}, "data": {"set": [[83, 8083], [84, 8084]]}}}}}]}}, {"rule": {"family": "ip", "table": "test4", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 85}}, {"redirect": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test1", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test1", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test1", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "4.4.4.4", + "1.1.1.1" + ], + [ + "5.5.5.5", + "2.2.2.2" + ] + ] + } + } + } + } + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test2", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + { + "concat": [ + "1.1.1.1", + 8001 + ] + } + ], + [ + 81, + { + "concat": [ + "2.2.2.2", + 9001 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test2", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "10.141.13.0", + "len": 24 + } + } + ] + } + } + }, + { + "masquerade": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "test4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test4", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + 80 + ] + }, + { + "concat": [ + "4.4.4.4", + 8000 + ] + } + ], + [ + { + "concat": [ + "2.2.2.2", + 81 + ] + }, + { + "concat": [ + "3.3.3.3", + 9000 + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "redirect": { + "port": { + "map": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 83, + 8083 + ], + [ + 84, + 8084 + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test4", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 85 + } + }, + { + "redirect": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft index 33f7771f..dc67feec 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_nat_concat.json-nft @@ -1 +1,200 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "test3", "handle": 0}}, {"chain": {"family": "ip", "table": "test3", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "test3", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oif"}}, "right": "lo"}}, {"accept": null}]}}, {"rule": {"family": "ip", "table": "test3", "chain": "y", "handle": 0, "expr": [{"snat": {"addr": {"map": {"key": {"concat": [{"payload": {"protocol": "ip", "field": "saddr"}}, {"payload": {"protocol": "tcp", "field": "sport"}}]}, "data": {"set": [[{"concat": ["1.1.1.1", {"range": [1024, 65535]}]}, "3.3.3.3"], [{"concat": ["2.2.2.2", {"range": [1024, 65535]}]}, "4.4.4.4"]]}}}}}]}}, {"rule": {"family": "ip", "table": "test3", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "enp2s0"}}, {"snat": {"family": "ip", "addr": {"map": {"key": {"payload": {"protocol": "ip", "field": "saddr"}}, "data": {"set": [[{"prefix": {"addr": "10.1.1.0", "len": 24}}, {"range": ["72.2.3.66", "72.2.3.78"]}]]}}}}}]}}, {"rule": {"family": "ip", "table": "test3", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [8888, 9999]}}}, {"redirect": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test3", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "snat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "sport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "3.3.3.3" + ], + [ + { + "concat": [ + "2.2.2.2", + { + "range": [ + 1024, + 65535 + ] + } + ] + }, + "4.4.4.4" + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp2s0" + } + }, + { + "snat": { + "family": "ip", + "addr": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.1.1.0", + "len": 24 + } + }, + { + "range": [ + "72.2.3.66", + "72.2.3.78" + ] + } + ] + ] + } + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "test3", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 8888, + 9999 + ] + } + } + }, + { + "redirect": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft b/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft index 07169297..46ed0677 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_reject.json-nft @@ -1 +1,320 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "x", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}}, "right": "172.30.33.70"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 3306}}, {"counter": {"packets": 0, "bytes": 0}}, {"drop": null}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"meta": {"key": "l4proto"}}, {"payload": {"protocol": "ip", "field": "daddr"}}, {"payload": {"protocol": "tcp", "field": "dport"}}]}, "right": {"set": [{"concat": ["tcp", "172.30.238.117", 8080]}, {"concat": ["tcp", "172.30.33.71", 3306]}, {"concat": ["tcp", "172.30.254.251", 3306]}]}}}, {"counter": {"packets": 0, "bytes": 0}}, {"reject": {"type": "icmp", "expr": "port-unreachable"}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}}, "right": "172.30.254.252"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 3306}}, {"counter": {"packets": 0, "bytes": 0}}, {"reject": {"type": "tcp reset"}}]}}, {"table": {"family": "ip6", "name": "x", "handle": 0}}, {"chain": {"family": "ip6", "table": "x", "name": "y", "handle": 0}}, {"rule": {"family": "ip6", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"meta": {"key": "l4proto"}}, {"payload": {"protocol": "ip6", "field": "daddr"}}, {"payload": {"protocol": "tcp", "field": "dport"}}]}, "right": {"set": [{"concat": ["tcp", "aaaa::3", 8080]}, {"concat": ["tcp", "aaaa::2", 3306]}, {"concat": ["tcp", "aaaa::4", 3306]}]}}}, {"counter": {"packets": 0, "bytes": 0}}, {"reject": {"type": "icmpv6", "expr": "port-unreachable"}}]}}, {"rule": {"family": "ip6", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "right": "aaaa::5"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 3306}}, {"counter": {"packets": 0, "bytes": 0}}, {"reject": {"type": "tcp reset"}}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "172.30.33.70" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + "172.30.238.117", + 8080 + ] + }, + { + "concat": [ + "tcp", + "172.30.33.71", + 3306 + ] + }, + { + "concat": [ + "tcp", + "172.30.254.251", + 3306 + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "icmp", + "expr": "port-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "172.30.254.252" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + "aaaa::3", + 8080 + ] + }, + { + "concat": [ + "tcp", + "aaaa::2", + 3306 + ] + }, + { + "concat": [ + "tcp", + "aaaa::4", + 3306 + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "icmpv6", + "expr": "port-unreachable" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "aaaa::5" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 3306 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft index b8229b40..c392b76a 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts.json-nft @@ -1 +1,63 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "x", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}}, "right": {"set": ["192.168.0.1", "192.168.0.2", "192.168.0.3"]}}}, {"counter": {"packets": 0, "bytes": 0}}, {"accept": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "set": [ + "192.168.0.1", + "192.168.0.2", + "192.168.0.3" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft index cc076f0e..267d84ef 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.json-nft @@ -1 +1,374 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "x", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "y", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "c1", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "c2", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "c3", "handle": 0}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"meta": {"key": "iifname"}}, {"payload": {"protocol": "ip", "field": "saddr"}}, {"payload": {"protocol": "ip", "field": "daddr"}}]}, "right": {"set": [{"concat": ["eth1", "1.1.1.1", "2.2.2.3"]}, {"concat": ["eth1", "1.1.1.2", "2.2.2.4"]}, {"concat": ["eth1", "1.1.1.2", {"prefix": {"addr": "2.2.3.0", "len": 24}}]}, {"concat": ["eth1", "1.1.1.2", {"range": ["2.2.4.0", "2.2.4.10"]}]}, {"concat": ["eth2", "1.1.1.3", "2.2.2.5"]}]}}}, {"accept": null}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "ip", "field": "protocol"}}, {"payload": {"protocol": "th", "field": "dport"}}]}, "right": {"set": [{"concat": ["tcp", 22]}, {"concat": ["udp", 67]}]}}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "c1", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "udp", "field": "dport"}}, {"meta": {"key": "iifname"}}]}, "right": {"set": [{"concat": [51820, "foo"]}, {"concat": [514, "bar"]}, {"concat": [67, "bar"]}]}}}, {"accept": null}]}}, {"rule": {"family": "ip", "table": "x", "chain": "c2", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "udp", "field": "dport"}}, {"meta": {"key": "iifname"}}]}, "right": {"set": [{"concat": [100, "foo"]}, {"concat": [51820, "foo"]}, {"concat": [514, "bar"]}, {"concat": [67, "bar"]}]}}}, {"accept": null}]}}, {"rule": {"family": "ip", "table": "x", "chain": "c3", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "udp", "field": "dport"}}, {"meta": {"key": "iifname"}}]}, "right": {"set": [{"concat": [100, "foo"]}, {"concat": [51820, "foo"]}, {"concat": [514, "bar"]}, {"concat": [67, "bar"]}, {"concat": [100, "test"]}, {"concat": [51820, "test"]}]}}}, {"accept": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "c3", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "eth1", + "1.1.1.1", + "2.2.2.3" + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + "2.2.2.4" + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + { + "prefix": { + "addr": "2.2.3.0", + "len": 24 + } + } + ] + }, + { + "concat": [ + "eth1", + "1.1.1.2", + { + "range": [ + "2.2.4.0", + "2.2.4.10" + ] + } + ] + }, + { + "concat": [ + "eth2", + "1.1.1.3", + "2.2.2.5" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "tcp", + 22 + ] + }, + { + "concat": [ + "udp", + 67 + ] + } + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c1", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c2", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 100, + "foo" + ] + }, + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "c3", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + 100, + "foo" + ] + }, + { + "concat": [ + 51820, + "foo" + ] + }, + { + "concat": [ + 514, + "bar" + ] + }, + { + "concat": [ + 67, + "bar" + ] + }, + { + "concat": [ + 100, + "test" + ] + }, + { + "concat": [ + 51820, + "test" + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft index 2e499064..5dfa40a8 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.json-nft @@ -1 +1,167 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "x", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "x", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "x", "chain": "x", "handle": 0, "expr": [{"vmap": {"key": {"concat": [{"meta": {"key": "pkttype"}}, {"payload": {"protocol": "udp", "field": "dport"}}]}, "data": {"set": [[{"concat": ["broadcast", 547]}, {"accept": null}], [{"concat": ["broadcast", 67]}, {"accept": null}], [{"concat": ["multicast", 1900]}, {"drop": null}]]}}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"vmap": {"key": {"concat": [{"payload": {"protocol": "ip", "field": "saddr"}}, {"payload": {"protocol": "ip", "field": "daddr"}}]}, "data": {"set": [[{"concat": ["1.1.1.1", "2.2.2.2"]}, {"accept": null}], [{"concat": ["2.2.2.2", "3.3.3.3"]}, {"drop": null}], [{"concat": ["4.4.4.4", "5.5.5.5"]}, {"accept": null}]]}}}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "x", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "meta": { + "key": "pkttype" + } + }, + { + "payload": { + "protocol": "udp", + "field": "dport" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "broadcast", + 547 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "broadcast", + 67 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "multicast", + 1900 + ] + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "2.2.2.2", + "3.3.3.3" + ] + }, + { + "drop": null + } + ], + [ + { + "concat": [ + "4.4.4.4", + "5.5.5.5" + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft index 56589276..17d57b8f 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.json-nft @@ -1 +1,182 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "x", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "y", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "z", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "w", "handle": 0}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"vmap": {"key": {"ct": {"key": "state"}}, "data": {"set": [["invalid", {"drop": null}], ["established", {"accept": null}], ["related", {"accept": null}]]}}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "z", "handle": 0, "expr": [{"vmap": {"key": {"payload": {"protocol": "tcp", "field": "dport"}}, "data": {"set": [[1, {"accept": null}], [{"range": [2, 3]}, {"drop": null}], [4, {"accept": null}]]}}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "w", "handle": 0, "expr": [{"vmap": {"key": {"payload": {"protocol": "ip", "field": "saddr"}}, "data": {"set": [[{"elem": {"val": "1.1.1.1", "counter": {"packets": 0, "bytes": 0}}}, {"accept": null}], [{"elem": {"val": "1.1.1.2", "counter": {"packets": 0, "bytes": 0}}}, {"drop": null}]]}}}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "w", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "ct": { + "key": "state" + } + }, + "data": { + "set": [ + [ + "invalid", + { + "drop": null + } + ], + [ + "established", + { + "accept": null + } + ], + [ + "related", + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "z", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 1, + { + "accept": null + } + ], + [ + { + "range": [ + 2, + 3 + ] + }, + { + "drop": null + } + ], + [ + 4, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "w", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "elem": { + "val": "1.1.1.1", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "accept": null + } + ], + [ + { + "elem": { + "val": "1.1.1.2", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft index c6d7db53..b8ad126c 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.json-nft @@ -1 +1,438 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 0}}, {"chain": {"family": "inet", "table": "x", "name": "nat_dns_dnstc", "handle": 0}}, {"chain": {"family": "inet", "table": "x", "name": "nat_dns_this_5301", "handle": 0}}, {"chain": {"family": "inet", "table": "x", "name": "nat_dns_saturn_5301", "handle": 0}}, {"chain": {"family": "inet", "table": "x", "name": "nat_dns_saturn_5302", "handle": 0}}, {"chain": {"family": "inet", "table": "x", "name": "nat_dns_saturn_5303", "handle": 0}}, {"chain": {"family": "inet", "table": "x", "name": "nat_dns_acme", "handle": 0}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_dnstc", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "l4proto"}}, "right": "udp"}}, {"redirect": {"port": 5300}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_dnstc", "handle": 0, "expr": [{"drop": null}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_this_5301", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "l4proto"}}, "right": "udp"}}, {"redirect": {"port": 5301}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_this_5301", "handle": 0, "expr": [{"drop": null}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_saturn_5301", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "nfproto"}}, "right": "ipv4"}}, {"match": {"op": "==", "left": {"meta": {"key": "l4proto"}}, "right": "udp"}}, {"dnat": {"family": "ip", "addr": "240.0.1.2", "port": 5301}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_saturn_5301", "handle": 0, "expr": [{"drop": null}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_saturn_5302", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "nfproto"}}, "right": "ipv4"}}, {"match": {"op": "==", "left": {"meta": {"key": "l4proto"}}, "right": "udp"}}, {"dnat": {"family": "ip", "addr": "240.0.1.2", "port": 5302}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_saturn_5302", "handle": 0, "expr": [{"drop": null}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_saturn_5303", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "nfproto"}}, "right": "ipv4"}}, {"match": {"op": "==", "left": {"meta": {"key": "l4proto"}}, "right": "udp"}}, {"dnat": {"family": "ip", "addr": "240.0.1.2", "port": 5303}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_saturn_5303", "handle": 0, "expr": [{"drop": null}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_acme", "handle": 0, "expr": [{"vmap": {"key": {"concat": [{"payload": {"protocol": "udp", "field": "length"}}, {"payload": {"base": "th", "offset": 160, "len": 128}}]}, "data": {"set": [[{"concat": [{"range": [47, 63]}, "0xe373135363130333131303735353203"]}, {"goto": {"target": "nat_dns_dnstc"}}], [{"concat": [{"range": [62, 78]}, "0xe31393032383939353831343037320e"]}, {"goto": {"target": "nat_dns_this_5301"}}], [{"concat": [{"range": [62, 78]}, "0xe31363436323733373931323934300e"]}, {"goto": {"target": "nat_dns_saturn_5301"}}], [{"concat": [{"range": [62, 78]}, "0xe32393535373539353636383732310e"]}, {"goto": {"target": "nat_dns_saturn_5302"}}], [{"concat": [{"range": [62, 78]}, "0xe38353439353637323038363633390e"]}, {"goto": {"target": "nat_dns_saturn_5303"}}]]}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "nat_dns_acme", "handle": 0, "expr": [{"drop": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_dnstc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_this_5301", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5301", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5302", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_saturn_5303", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "nat_dns_acme", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_dnstc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "redirect": { + "port": 5300 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_dnstc", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_this_5301", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "redirect": { + "port": 5301 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_this_5301", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5301", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5301 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5301", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5302", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5302 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5302", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5303", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv4" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "dnat": { + "family": "ip", + "addr": "240.0.1.2", + "port": 5303 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_saturn_5303", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_acme", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "udp", + "field": "length" + } + }, + { + "payload": { + "base": "th", + "offset": 160, + "len": 128 + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "goto": { + "target": "nat_dns_dnstc" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe31393032383939353831343037320e" + ] + }, + { + "goto": { + "target": "nat_dns_this_5301" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe31363436323733373931323934300e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5301" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe32393535373539353636383732310e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5302" + } + } + ], + [ + { + "concat": [ + { + "range": [ + 62, + 78 + ] + }, + "0xe38353439353637323038363633390e" + ] + }, + { + "goto": { + "target": "nat_dns_saturn_5303" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "nat_dns_acme", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft index 3711e31e..f2ac7917 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft @@ -1 +1,205 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "x", "handle": 0}}, {"set": {"family": "ip", "name": "s", "table": "x", "type": "ipv4_addr", "handle": 0, "size": 65535, "flags": ["dynamic"]}}, {"chain": {"family": "ip", "table": "x", "name": "filter_in_tcp", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "filter_in_udp", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"set": {"op": "update", "elem": {"payload": {"protocol": "ip", "field": "saddr"}}, "set": "@s", "stmt": [{"limit": {"rate": 12, "burst": 30, "per": "minute"}}]}}, {"accept": null}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"vmap": {"key": {"payload": {"protocol": "tcp", "field": "dport"}}, "data": {"set": [[80, {"accept": null}], [81, {"accept": null}], [443, {"accept": null}], [{"range": [8000, 8100]}, {"accept": null}], [{"range": [24000, 25000]}, {"accept": null}]]}}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"vmap": {"key": {"meta": {"key": "l4proto"}}, "data": {"set": [["tcp", {"goto": {"target": "filter_in_tcp"}}], ["udp", {"goto": {"target": "filter_in_udp"}}]]}}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"log": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "filter_in_tcp", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "filter_in_udp", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@s", + "stmt": [ + { + "limit": { + "rate": 12, + "burst": 30, + "per": "minute" + } + } + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": { + "set": [ + [ + 80, + { + "accept": null + } + ], + [ + 81, + { + "accept": null + } + ], + [ + 443, + { + "accept": null + } + ], + [ + { + "range": [ + 8000, + 8100 + ] + }, + { + "accept": null + } + ], + [ + { + "range": [ + 24000, + 25000 + ] + }, + { + "accept": null + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "l4proto" + } + }, + "data": { + "set": [ + [ + "tcp", + { + "goto": { + "target": "filter_in_tcp" + } + } + ], + [ + "udp", + { + "goto": { + "target": "filter_in_udp" + } + } + ] + ] + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "log": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft index bf0745b2..8e64ba1e 100644 --- a/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft +++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.json-nft @@ -1 +1,140 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "x", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "t1", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "t2", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "t3", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "t4", "handle": 0}}, {"chain": {"family": "ip", "table": "x", "name": "y", "handle": 0}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"counter": {"packets": 0, "bytes": 0}}, {"jump": {"target": "t1"}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"counter": {"packets": 0, "bytes": 0}}, {"jump": {"target": "t2"}}]}}, {"rule": {"family": "ip", "table": "x", "chain": "y", "handle": 0, "expr": [{"vmap": {"key": {"payload": {"protocol": "ip", "field": "version"}}, "data": {"set": [[4, {"jump": {"target": "t3"}}], [6, {"jump": {"target": "t4"}}]]}}}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t2", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t3", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "t4", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "t1" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "jump": { + "target": "t2" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "version" + } + }, + "data": { + "set": [ + [ + 4, + { + "jump": { + "target": "t3" + } + } + ], + [ + 6, + { + "jump": { + "target": "t4" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.json-nft b/tests/shell/testcases/optimizations/dumps/ruleset.json-nft index 0048e6b1..546cc597 100644 --- a/tests/shell/testcases/optimizations/dumps/ruleset.json-nft +++ b/tests/shell/testcases/optimizations/dumps/ruleset.json-nft @@ -1 +1,11 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft index f8057cf6..c8adddb1 100644 --- a/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft +++ b/tests/shell/testcases/optimizations/dumps/single_anon_set_expr.json-nft @@ -1 +1,59 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "test", "handle": 0}}, {"chain": {"family": "ip", "table": "test", "name": "test", "handle": 0}}, {"rule": {"family": "ip", "table": "test", "chain": "test", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "mark"}}, "right": {"set": [{"elem": {"val": 10, "counter": {"packets": 0, "bytes": 0}}}]}}}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "test", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "test", + "chain": "test", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "mark" + } + }, + "right": { + "set": [ + { + "elem": { + "val": 10, + "counter": { + "packets": 0, + "bytes": 0 + } + } + } + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft index 8ac27d8d..3404a2e7 100644 --- a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft +++ b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft @@ -1 +1,235 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "filter", "handle": 0}}, {"set": {"family": "inet", "name": "udp_accepted", "table": "filter", "type": "inet_service", "handle": 0, "elem": [500, 4500]}}, {"set": {"family": "inet", "name": "tcp_accepted", "table": "filter", "type": "inet_service", "handle": 0, "elem": [80, 443]}}, {"chain": {"family": "inet", "table": "filter", "name": "udp_input", "handle": 0}}, {"chain": {"family": "inet", "table": "filter", "name": "tcp_input", "handle": 0}}, {"rule": {"family": "inet", "table": "filter", "chain": "udp_input", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": {"range": [1, 128]}}}, {"accept": null}]}}, {"rule": {"family": "inet", "table": "filter", "chain": "udp_input", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": "@udp_accepted"}}, {"accept": null}]}}, {"rule": {"family": "inet", "table": "filter", "chain": "udp_input", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 53}}, {"accept": null}]}}, {"rule": {"family": "inet", "table": "filter", "chain": "tcp_input", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [{"range": [1, 128]}, {"range": [8888, 9999]}]}}}, {"accept": null}]}}, {"rule": {"family": "inet", "table": "filter", "chain": "tcp_input", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@tcp_accepted"}}, {"accept": null}]}}, {"rule": {"family": "inet", "table": "filter", "chain": "tcp_input", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"range": [1024, 65535]}}}, {"accept": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "udp_accepted", + "table": "filter", + "type": "inet_service", + "handle": 0, + "elem": [ + 500, + 4500 + ] + } + }, + { + "set": { + "family": "inet", + "name": "tcp_accepted", + "table": "filter", + "type": "inet_service", + "handle": 0, + "elem": [ + 80, + 443 + ] + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "udp_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "tcp_input", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": { + "range": [ + 1, + 128 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": "@udp_accepted" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "udp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 53 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + { + "range": [ + 1, + 128 + ] + }, + { + "range": [ + 8888, + 9999 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": "@tcp_accepted" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "tcp_input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 1024, + 65535 + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft b/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft index a9393c75..19296d02 100644 --- a/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft +++ b/tests/shell/testcases/optimizations/dumps/skip_non_eq.json-nft @@ -1 +1,108 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 0}}, {"chain": {"family": "inet", "table": "x", "name": "y", "handle": 0}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "eth0"}}, {"match": {"op": "!=", "left": {"meta": {"key": "oifname"}}, "right": "eth0"}}, {"counter": {"packets": 0, "bytes": 0}}, {"accept": null}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "eth0"}}, {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "eth0"}}, {"counter": {"packets": 0, "bytes": 0}}, {"accept": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "eth0" + } + }, + { + "match": { + "op": "!=", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "eth0" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "eth0" + } + }, + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "eth0" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft index 2600bb57..a0820206 100644 --- a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft +++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft @@ -1 +1,256 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 0}}, {"set": {"family": "inet", "name": "GEOIP_CC_wan-lan_120", "table": "x", "type": "ipv4_addr", "handle": 0, "flags": ["interval"], "elem": [{"prefix": {"addr": "1.32.128.0", "len": 18}}, {"range": ["1.32.200.0", "1.32.204.128"]}, {"prefix": {"addr": "1.32.207.0", "len": 24}}, {"range": ["1.32.216.118", "1.32.216.255"]}, {"range": ["1.32.219.0", "1.32.222.255"]}, {"prefix": {"addr": "1.32.226.0", "len": 23}}, {"prefix": {"addr": "1.32.231.0", "len": 24}}, {"prefix": {"addr": "1.32.233.0", "len": 24}}, {"prefix": {"addr": "1.32.238.0", "len": 23}}, {"prefix": {"addr": "1.32.240.0", "len": 24}}, {"prefix": {"addr": "223.223.220.0", "len": 22}}, {"prefix": {"addr": "223.255.254.0", "len": 24}}]}}, {"chain": {"family": "inet", "table": "x", "name": "y", "handle": 0}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": "1.2.3.4"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 80}}, {"mangle": {"key": {"meta": {"key": "mark"}}, "value": 10}}, {"accept": null}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": "1.2.3.4"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 81}}, {"mangle": {"key": {"meta": {"key": "mark"}}, "value": 11}}, {"accept": null}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "ip", "field": "saddr"}}, {"payload": {"protocol": "tcp", "field": "dport"}}]}, "right": {"set": [{"concat": ["1.2.3.5", 81]}, {"concat": ["1.2.3.5", 82]}]}}}, {"accept": null}]}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "GEOIP_CC_wan-lan_120", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "prefix": { + "addr": "1.32.128.0", + "len": 18 + } + }, + { + "range": [ + "1.32.200.0", + "1.32.204.128" + ] + }, + { + "prefix": { + "addr": "1.32.207.0", + "len": 24 + } + }, + { + "range": [ + "1.32.216.118", + "1.32.216.255" + ] + }, + { + "range": [ + "1.32.219.0", + "1.32.222.255" + ] + }, + { + "prefix": { + "addr": "1.32.226.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.32.231.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.32.233.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "1.32.238.0", + "len": 23 + } + }, + { + "prefix": { + "addr": "1.32.240.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "223.223.220.0", + "len": 22 + } + }, + { + "prefix": { + "addr": "223.255.254.0", + "len": 24 + } + } + ] + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 80 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 10 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "1.2.3.4" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 81 + } + }, + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": 11 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "1.2.3.5", + 81 + ] + }, + { + "concat": [ + "1.2.3.5", + 82 + ] + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optimizations/dumps/variables.json-nft b/tests/shell/testcases/optimizations/dumps/variables.json-nft index 0048e6b1..546cc597 100644 --- a/tests/shell/testcases/optimizations/dumps/variables.json-nft +++ b/tests/shell/testcases/optimizations/dumps/variables.json-nft @@ -1 +1,11 @@ -{"nftables": [{"metainfo": {"version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1}}]} +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} -- cgit v1.2.3