From 7d93e2c2fbc77f05fd7acb63a2acf9874c9ad58f Mon Sep 17 00:00:00 2001 From: Laura Garcia Liebana Date: Wed, 7 Mar 2018 22:51:10 +0100 Subject: tests: shell: autogenerate dump verification Complete the automated shell tests with the verification of the test file dump, only for positive tests and if the test execution was successful. The dump file can be generated with the -g option. Example: # ./run-tests.sh -g testcases/chains/0001jumps_0 The dump files are generated in the same path, in a folder named dumps/, with the .nft extension. This avoids repeating the dump verification code in every test file. Signed-off-by: Laura Garcia Liebana 
Signed-off-by: Pablo Neira Ayuso --- .../testcases/sets/0012add_delete_many_elements_0 | 13 --------- .../testcases/sets/0013add_delete_many_elements_0 | 14 --------- tests/shell/testcases/sets/0021nesting_0 | 14 --------- .../shell/testcases/sets/0029named_ifname_dtype_0 | 8 ----- .../testcases/sets/dumps/0001named_interval_0.nft | 34 ++++++++++++++++++++++ .../dumps/0002named_interval_automerging_0.nft | 7 +++++ .../dumps/0003named_interval_missing_flag_0.nft | 5 ++++ .../sets/dumps/0004named_interval_shadow_0.nft | 7 +++++ .../sets/dumps/0005named_interval_shadow_0.nft | 7 +++++ .../testcases/sets/dumps/0006create_set_0.nft | 5 ++++ .../testcases/sets/dumps/0007create_element_0.nft | 6 ++++ .../sets/dumps/0008comments_interval_0.nft | 7 +++++ .../sets/dumps/0008create_verdict_map_0.nft | 13 +++++++++ .../sets/dumps/0009comments_timeout_0.nft | 7 +++++ .../shell/testcases/sets/dumps/0010comments_0.nft | 6 ++++ .../sets/dumps/0012add_delete_many_elements_0.nft | 5 ++++ .../sets/dumps/0013add_delete_many_elements_0.nft | 5 ++++ .../testcases/sets/dumps/0015rulesetflush_0.nft | 11 +++++++ .../testcases/sets/dumps/0016element_leak_0.nft | 7 +++++ .../testcases/sets/dumps/0017add_after_flush_0.nft | 7 +++++ .../testcases/sets/dumps/0019set_check_size_0.nft | 7 +++++ .../shell/testcases/sets/dumps/0020comments_0.nft | 6 ++++ tests/shell/testcases/sets/dumps/0021nesting_0.nft | 5 ++++ .../sets/dumps/0022type_selective_flush_0.nft | 13 +++++++++ .../dumps/0023incomplete_add_set_command_0.nft | 2 ++ .../testcases/sets/dumps/0024named_objects_0.nft | 28 ++++++++++++++++++ .../testcases/sets/dumps/0025anonymous_set_0.nft | 7 +++++ .../testcases/sets/dumps/0026named_limit_0.nft | 10 +++++++ .../testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft | 7 +++++ .../sets/dumps/0029named_ifname_dtype_0.nft | 11 +++++++ 30 files changed, 235 insertions(+), 49 deletions(-) create mode 100644 tests/shell/testcases/sets/dumps/0001named_interval_0.nft create mode 100644 
tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0006create_set_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0007create_element_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0008comments_interval_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0010comments_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0016element_leak_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0019set_check_size_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0020comments_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0021nesting_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0024named_objects_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0026named_limit_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft (limited to 
'tests/shell/testcases/sets') diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0 index 7a5f8c69..7e7beebd 100755 --- a/tests/shell/testcases/sets/0012add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0 @@ -31,16 +31,3 @@ delete element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0 index 265a5540..5774317b 100755 --- a/tests/shell/testcases/sets/0013add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0 @@ -32,17 +32,3 @@ add element x y $(generate)" > $tmpfile $NFT -f $tmpfile echo "delete element x y $(generate)" > $tmpfile $NFT -f $tmpfile - - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/sets/0021nesting_0 b/tests/shell/testcases/sets/0021nesting_0 index 763d9ae1..4779f264 100755 --- a/tests/shell/testcases/sets/0021nesting_0 +++ b/tests/shell/testcases/sets/0021nesting_0 @@ -30,17 +30,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - chain y { - ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi 
diff --git a/tests/shell/testcases/sets/0029named_ifname_dtype_0 b/tests/shell/testcases/sets/0029named_ifname_dtype_0 index 8b7ab982..92f4a4ad 100755 --- a/tests/shell/testcases/sets/0029named_ifname_dtype_0 +++ b/tests/shell/testcases/sets/0029named_ifname_dtype_0 @@ -25,11 +25,3 @@ EXPECTED="table inet t { set -e echo "$EXPECTED" > $tmpfile $NFT -f $tmpfile - -GET="$($NFT list ruleset)" -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft new file mode 100644 index 00000000..3049aa84 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft @@ -0,0 +1,34 @@ +table inet t { + set s1 { + type ipv4_addr + flags interval + elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 } + } + + set s2 { + type ipv6_addr + flags interval + elements = { fe00::/64, + fe11::-fe22:: } + } + + set s3 { + type inet_proto + flags interval + elements = { 10-20, 50-60 } + } + + set s4 { + type inet_service + flags interval + elements = { 0-1024, 8080-8082, 10000-40000 } + } + + chain c { + ip saddr @s1 accept + ip6 daddr @s2 accept + ip protocol @s3 accept + ip6 nexthdr @s3 accept + tcp dport @s4 accept + } +} diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft new file mode 100644 index 00000000..452ee23e --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.0.0/24, 192.168.1.0/24 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft new file mode 100644 index 00000000..70c32a85 --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft
new file mode 100644
index 00000000..940030a1
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+ set s {
+ type ipv6_addr
+ flags interval
+ elements = { fe00::/64 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft
new file mode 100644
index 00000000..4224d9da
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+ set s {
+ type ipv6_addr
+ flags interval
+ elements = { fe00::/48 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.nft b/tests/shell/testcases/sets/dumps/0006create_set_0.nft
new file mode 100644
index 00000000..70c32a85
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0006create_set_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.nft b/tests/shell/testcases/sets/dumps/0007create_element_0.nft
new file mode 100644
index 00000000..169be117
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0007create_element_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft
new file mode 100644
index 00000000..5e7a7680
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags interval
+ elements = { 1.1.1.1 comment "test" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft
new file mode 100644
index 00000000..ab0fe80d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+ map sourcemap {
+ type ipv4_addr : verdict
+ elements = { 100.123.10.2 : jump c }
+ }
+
+ chain postrouting {
+ ip saddr vmap @sourcemap accept
+ }
+
+ chain c {
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft
new file mode 100644
index 00000000..455ebe3e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ flags timeout
+ elements = { 1.1.1.1 comment "test" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.nft b/tests/shell/testcases/sets/dumps/0010comments_0.nft
new file mode 100644
index 00000000..6e42ec4b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0010comments_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { ::1 comment "test" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft
new file mode 100644
index 00000000..e3d4aee6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft
new file mode 100644
index 00000000..e3d4aee6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft
new file mode 100644
index 00000000..f6eddbf8
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft
@@ -0,0 +1,11 @@
+table ip t {
+ chain c {
+ }
+}
+table inet filter {
+ set blacklist_v4 {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.0.0/24 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft
new file mode 100644
index 00000000..9d2b0afe
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 2
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft
new file mode 100644
index 00000000..9d2b0afe
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 2
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft
new file mode 100644
index 00000000..8cd37076
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+ set s {
+ type ipv4_addr
+ size 2
+ elements = { 1.1.1.1, 1.1.1.2 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.nft b/tests/shell/testcases/sets/dumps/0020comments_0.nft
new file mode 100644
index 00000000..d5330848
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0020comments_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+ set s {
+ type inet_service
+ elements = { ssh comment "test" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.nft b/tests/shell/testcases/sets/dumps/0021nesting_0.nft
new file mode 100644
index 00000000..6fd2a441
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0021nesting_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+ chain y {
+ ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
new file mode 100644
index 00000000..3dd97602
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+ set s {
+ type ipv4_addr
+ }
+
+ map m {
+ type ipv4_addr : inet_service
+ }
+
+ chain c {
+ tcp dport http meter f { ip saddr limit rate 10/second}
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft
new file mode 100644
index 00000000..985768ba
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
new file mode 100644
index 00000000..929c5d93
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
@@ -0,0 +1,28 @@
+table inet x {
+ counter user123 {
+ packets 12 bytes 1433
+ }
+
+ quota user123 {
+ over 2000 bytes
+ }
+
+ quota user124 {
+ over 2000 bytes
+ }
+
+ set y {
+ type ipv4_addr
+ }
+
+ map test {
+ type ipv4_addr : quota
+ elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
+ }
+
+ chain y {
+ type filter hook input priority 0; policy accept;
+ counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
+ quota name ip saddr map @test drop
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
new file mode 100644
index 00000000..c823ae9d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+ chain c {
+ type filter hook output priority 0; policy accept;
+ ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 }
+ tcp dport { ssh, telnet } counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
new file mode 100644
index 00000000..0d1f1254
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
@@ -0,0 +1,10 @@
+table ip filter {
+ limit http-traffic {
+ rate 1/second
+ }
+
+ chain input {
+ type filter hook input priority 0; policy accept;
+ limit name tcp dport map { http : "http-traffic", https : "http-traffic" }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft
new file mode 100644
index 00000000..c49eefae
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+ set s {
+ type ipv6_addr
+ flags interval
+ elements = { ::ffff:0.0.0.0/96 }
+ }
+}
diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft
new file mode 100644
index 00000000..2c82e57d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft
@@ -0,0 +1,11 @@
+table inet t {
+ set s {
+ type ifname
+ elements = { "eth0" }
+ }
+
+ chain c {
+ iifname @s accept
+ oifname @s accept
+ }
+}
--
cgit v1.2.3
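Review bot: The expected dump for 0025anonymous_set_0.nft pins live counter state: the rule `tcp dport { ssh, telnet } counter packets 0 bytes 0` sits in a chain hooked on output, so any outbound SSH or telnet packet leaving the network namespace the test runs in, between loading the ruleset and listing it, would change the output and make the comparison fail spuriously. The comparison code is not part of this diff (it is limited to tests/shell/testcases/sets), so whether the listing already omits stateful data cannot be confirmed from here; if it does not, either compare against `$NFT -s list ruleset` or drop `counter` from that rule in the test case. The 0024named_objects_0.nft dump has the same exposure through `counter user123 { packets 12 bytes 1433 }`, which is referenced from a rule on the input hook.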