From 77b81cafb9a93a97a6b4a914fb6fbb45976f5c81 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 26 May 2021 18:58:06 +0200
Subject: tests: add test case for removal of anon sets with only a single element

Also add a few examples that should not be changed:
- anon set with 2 elements
- anon map with 1 element
- anon set with a concatenation

The latter could be done with cmp but this currently triggers 'Error: Use concatenations with sets and maps, not singleton values' after removing the anon set.

Signed-off-by: Florian Westphal
---
.../optimizations/dumps/single_anon_set.nft | 15 ++++++++++
.../optimizations/dumps/single_anon_set.nft.input | 35 ++++++++++++++++++++++
.../shell/testcases/optimizations/single_anon_set | 13 ++++++++
tests/shell/testcases/sets/dumps/0053echo_0.nft | 2 +-
4 files changed, 64 insertions(+), 1 deletion(-)
create mode 100644 tests/shell/testcases/optimizations/dumps/single_anon_set.nft
create mode 100644 tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
create mode 100755 tests/shell/testcases/optimizations/single_anon_set
(limited to 'tests')

diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
new file mode 100644
index 00000000..35e3f36e
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
@@ -0,0 +1,15 @@
+table ip test {
+ chain test {
+ ip saddr 127.0.0.1 accept
+ iif "lo" accept
+ tcp dport != 22 drop
+ ip saddr 127.0.0.0/8 accept
+ ip saddr 127.0.0.1-192.168.7.3 accept
+ tcp sport 1-1023 drop
+ ip daddr { 192.168.7.1, 192.168.7.5 } accept
+ tcp dport { 80, 443 } accept
+ ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+ meta mark set ip daddr map { 192.168.0.1 : 0x00000001 }
+ ct state { established, related } accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
new file mode 100644
index 00000000..35b93832
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
@@ -0,0 +1,35 @@
+table ip test {
+ chain test {
+ # Test cases where anon set can be removed:
+ ip saddr { 127.0.0.1 } accept
+ iif { "lo" } accept
+
+ # negation, can change to != 22.
+ tcp dport != { 22 } drop
+
+ # single prefix, can remove anon set.
+ ip saddr { 127.0.0.0/8 } accept
+
+ # range, can remove anon set.
+ ip saddr { 127.0.0.1-192.168.7.3 } accept
+ tcp sport { 1-1023 } drop
+
+ # Test cases where anon set must be kept.
+
+ # 2 elements, cannot remove the anon set.
+ ip daddr { 192.168.7.1, 192.168.7.5 } accept
+ tcp dport { 80, 443 } accept
+
+ # single element, but concatenation which is not
+ # supported outside of set/map context at this time.
+ ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+
+ # single element, but a map.
+ meta mark set ip daddr map { 192.168.0.1 : 1 }
+
+ # 2 elements. This could be converted because
+ # ct state cannot be both established and related
+ # at the same time, but this needs extra work.
+ ct state { established, related } accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/single_anon_set b/tests/shell/testcases/optimizations/single_anon_set
new file mode 100755
index 00000000..7275e360
--- /dev/null
+++ b/tests/shell/testcases/optimizations/single_anon_set
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+# Input file contains rules with anon sets that contain
+# one element, plus extra rule with two elements (that should be
+# left alone).
+
+# Dump file has the simplified rules where anon sets have been
+# replaced by equality tests where possible.
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile".input
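Review bot: In the single_anon_set script, `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` leaves `$0` unquoted inside both command substitutions and the assignment result unquoted, so a checkout path containing whitespace would be word-split; `dumpfile="$(dirname "$0")/dumps/$(basename "$0").nft"` keeps it consistent with the `"$dumpfile".input` quoting on the last line. The header comment says the input holds single-element sets "plus extra rule with two elements", but the .input file added in the preceding hunk also carries a concatenation, a map and a two-flag ct state set that must all be left alone, so the comment understates what the fixture exercises; suggest `# plus rules that must be left alone (two elements, concatenation, map).` The script itself only loads the .input file, and the comparison of the resulting ruleset against the .nft dump presumably happens in the shell test harness rather than here; a one-line comment such as `# The test harness diffs the loaded ruleset against the .nft dump file.` would make that dependency explicit for anyone editing the two fixtures, which must stay in sync by hand.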
diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft
index 6a816636..bb7c5513 100644
--- a/tests/shell/testcases/sets/dumps/0053echo_0.nft
+++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft
@@ -1,6 +1,6 @@
 table inet filter {
 chain input {
 type filter hook input priority filter; policy drop;
- iifname { "lo" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter packets 0 bytes 0 accept
+ iifname "lo" ip saddr 10.0.0.0/8 ip daddr 192.168.100.62 tcp dport 2001 counter packets 0 bytes 0 accept
 }
 }
-- cgit v1.2.3