From 1dd08fcfa07a4e5bacc14b4e4a27ed64581f2e41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Veyret?= Date: Tue, 9 Jul 2019 15:02:09 +0200 Subject: src: add ct expectations support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This modification allow to directly add/list/delete expectations. Signed-off-by: Stéphane Veyret Signed-off-by: Pablo Neira Ayuso --- tests/py/ip/objects.t | 9 +++++++++ tests/py/ip/objects.t.json | 7 +++++++ tests/py/ip/objects.t.payload | 4 ++++ tests/py/nft-test.py | 4 ++++ tests/shell/testcases/listing/0013objects_0 | 10 +++++++++- tests/shell/testcases/nft-f/0018ct_expectation_obj_0 | 18 ++++++++++++++++++ 6 files changed, 51 insertions(+), 1 deletion(-) create mode 100755 tests/shell/testcases/nft-f/0018ct_expectation_obj_0 (limited to 'tests') diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t index fc2ee266..35d01101 100644 --- a/tests/py/ip/objects.t +++ b/tests/py/ip/objects.t @@ -41,3 +41,12 @@ limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"};ok %cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail ct timeout set "cttime1";ok + +# ct expectation +%ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok +%ctexpect2 type ct expectation { protocol udp; };fail +%ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail +%ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail +%ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok + +ct expectation set "ctexpect1";ok diff --git a/tests/py/ip/objects.t.json b/tests/py/ip/objects.t.json index a98d73c5..596ad188 100644 --- a/tests/py/ip/objects.t.json +++ b/tests/py/ip/objects.t.json @@ -193,3 +193,10 @@ } ] +# ct expectation set "ctexpect1" +[ + { + "ct expect": "ctexpect1" + } +] + diff --git a/tests/py/ip/objects.t.payload b/tests/py/ip/objects.t.payload index 719b6c37..ef3e86aa 100644 
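Review bot: The three `fail` cases in tests/py/ip/objects.t (`%ctexpect2` to `%ctexpect4`) carry no comment saying which attribute each one is missing, and `%ctexpect3` omits both `timeout` and `size`, so it isolates neither. If `protocol`, `dport`, `timeout` and `size` are all meant to be mandatory, a line such as `# protocol, dport, timeout and size are mandatory; each failing object below omits at least one` above them would record the intent. Judging by the visible cases, no object has `size` without `timeout`, or `dport` without `protocol`, so a parser that stopped requiring one of those would presumably go unnoticed by this file.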
--- a/tests/py/ip/objects.t.payload +++ b/tests/py/ip/objects.t.payload @@ -63,3 +63,7 @@ ip test-ip4 output # ct timeout set "cttime1" ip test-ip4 output [ objref type 7 name cttime1 ] + +# ct expectation set "ctexpect1" +ip test-ip4 output + [ objref type 9 name ctexpect1 ] diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index fcbd28ca..7f424cf1 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -1123,6 +1123,10 @@ def obj_process(obj_line, filename, lineno): obj_type = "ct timeout" tokens[3] = "" + if obj_type == "ct" and tokens[3] == "expectation": + obj_type = "ct expectation" + tokens[3] = "" + if len(tokens) > 3: obj_spcf = " ".join(tokens[3:]) diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0 index da782a68..f6915796 100755 --- a/tests/shell/testcases/listing/0013objects_0 +++ b/tests/shell/testcases/listing/0013objects_0 @@ -18,6 +18,14 @@ EXPECTED="table ip test { policy = { unreplied : 15, replied : 12 } } + ct expectation ctexpect { + protocol tcp + dport 5432 + timeout 1h + size 12 + l3proto ip + } + chain input { } }" @@ -29,6 +37,7 @@ $NFT add chain test input $NFT add quota test https-quota 25 mbytes $NFT add ct helper test cthelp { type \"sip\" protocol tcp \; } $NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; } +$NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; } $NFT add table test-ip GET="$($NFT list table test)" @@ -37,4 +46,3 @@ if [ "$EXPECTED" != "$GET" ] ; then [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") exit 1 fi - diff --git a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 new file mode 100755 index 00000000..eb9df3ce --- /dev/null +++ b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 
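Review bot: The added test in tests/py/nft-test.py reads `tokens[3]` before the `if len(tokens) > 3:` guard that follows it in the hunk, so an object line that ends right after `ct` would raise IndexError instead of being reported as a malformed test line. Guarding it costs little: `if obj_type == "ct" and len(tokens) > 3 and tokens[3] == "expectation":`. The `ct timeout` branch visible just above has the same shape and presumably the same gap. How `tokens` is built cannot be seen here, because obj_process starts before the hunk and continues after it.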
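Review bot: In tests/shell/testcases/listing/0013objects_0, `EXPECTED` lists `l3proto ip` for `ctexpect`, but the `$NFT add ct expectation` line added further down never sets it, so the comparison passes only if the value is filled in from the `ip` table family. That looks deliberate, but nothing says so. A comment above the add command, for example `# l3proto is left out on purpose: the listing must show the family default`, would keep a later edit from "fixing" the mismatch. This covers the first two hunks of the file; the third only drops a trailing blank line.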
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+ ct expectation ctexpect{
+ protocol tcp
+ dport 9876
+ timeout 1m
+ size 12
+ l3proto ip
+ }
+
+ chain c {
+ ct expectation set "ctexpect"
+ }
+}'
+
+set -e
+$NFT -f - <<< $EXPECTED
--
cgit v1.2.3
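Review bot: The here-string on the last line expands `$EXPECTED` unquoted. Bash releases before 4.4 word-split that expansion and rejoin it with single spaces, so the ruleset would reach nft as one line with no statement separators. Quote it: `$NFT -f - <<< "$EXPECTED"`. The script also stops after the load, so it shows that the ruleset parses but not that the expectation object and the `ct expectation set` rule are listed back as written. Comparing `$NFT list ruleset` with the expected text, the way 0013objects_0 in this commit compares `$NFT list table test` with `$EXPECTED`, would cover that.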