summaryrefslogtreecommitdiffstats
path: root/tests/py/any/ct.t
blob: 9c88140e4772f278ca12bf36d73bf7ff2ed52aa1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
:output;type filter hook output priority 0

*ip;test-ip4;output
*ip6;test-ip6;output
*inet;test-inet;output

ct state new,established, related, untracked;ok;ct state established,related,new,untracked
ct state != related;ok
ct state {new,established, related, untracked};ok
ct state != {new,established, related, untracked};ok
ct state invalid drop;ok
ct state established accept;ok
ct state 8;ok;ct state new
ct state xxx;fail

ct direction original;ok
ct direction != original;ok
ct direction reply;ok
ct direction != reply;ok
ct direction {reply, original};ok
ct direction != {reply, original};ok
ct direction xxx;fail

ct status expected;ok
ct status != expected;ok
ct status seen-reply;ok
ct status != seen-reply;ok
ct status {expected, seen-reply, assured, confirmed, dying};ok
ct status expected,seen-reply,assured,confirmed,snat,dnat,dying;ok
ct status snat;ok
ct status dnat;ok
ct status xxx;fail

ct mark 0;ok;ct mark 0x00000000
ct mark or 0x23 == 0x11;ok;ct mark | 0x00000023 == 0x00000011
ct mark or 0x3 != 0x1;ok;ct mark | 0x00000003 != 0x00000001
ct mark and 0x23 == 0x11;ok;ct mark & 0x00000023 == 0x00000011
ct mark and 0x3 != 0x1;ok;ct mark & 0x00000003 != 0x00000001
ct mark xor 0x23 == 0x11;ok;ct mark 0x00000032
ct mark xor 0x3 != 0x1;ok;ct mark != 0x00000002

ct mark 0x00000032;ok
ct mark != 0x00000032;ok
ct mark 0x00000032-0x00000045;ok
ct mark != 0x00000032-0x00000045;ok
ct mark {0x32, 0x2222, 0x42de3};ok;ct mark { 0x00042de3, 0x00002222, 0x00000032}
ct mark {0x32-0x2222, 0x4444-0x42de3};ok;ct mark { 0x00000032-0x00002222, 0x00004444-0x00042de3}
ct mark != {0x32, 0x2222, 0x42de3};ok;ct mark != { 0x00042de3, 0x00002222, 0x00000032}

# ct mark != {0x32, 0x2222, 0x42de3};ok
# BUG: invalid expression type set
# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.

ct mark set 0x11 xor 0x1331;ok;ct mark set 0x00001320
ct mark set 0x11333 and 0x11;ok;ct mark set 0x00000011
ct mark set 0x12 or 0x11;ok;ct mark set 0x00000013
ct mark set 0x11;ok;ct mark set 0x00000011
ct mark set mark;ok;ct mark set mark
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 };ok;ct mark set mark map { 0x00000003 : 0x0000001e, 0x00000002 : 0x00000014, 0x00000001 : 0x0000000a}

ct mark set {0x11333, 0x11};fail
ct zone set {123, 127};fail
ct label set {123, 127};fail
ct event set {new, related, destroy, label};fail

ct expiration 30;ok;ct expiration 30s
ct expiration 22;ok;ct expiration 22s
ct expiration != 233;ok;ct expiration != 3m53s
ct expiration 33-45;ok;ct expiration 33s-45s
ct expiration != 33-45;ok;ct expiration != 33s-45s
ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
ct expiration != {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
ct expiration {33-55};ok;ct expiration { 33s-55s}
ct expiration != {33-55};ok; ct expiration != { 33s-55s}

ct helper "ftp";ok
ct helper "12345678901234567";fail
ct helper '""';fail

ct state . ct mark { new . 0x12345678};ok
ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634};ok
ct direction . ct mark { original . 0x12345678};ok
ct state . ct mark vmap { new . 0x12345678 : drop};ok

ct original bytes \> 100000;ok;ct original bytes > 100000
ct reply packets \< 100;ok;ct reply packets < 100
ct bytes \> 100000;ok;ct bytes > 100000

ct avgpkt \> 200;ok;ct avgpkt > 200
ct original avgpkt \< 500;ok;ct original avgpkt < 500

# bogus direction
ct both bytes gt 1;fail
# nonsensical
ct bytes original reply;fail

# missing direction
ct saddr 1.2.3.4;fail

# wrong base (ip6 but ipv4 address given)
meta nfproto ipv6 ct original saddr 1.2.3.4;fail

# direction, but must be used without
ct original mark 42;fail
# swapped key and direction
ct mark original;fail

ct event set new;ok
ct event set new or related or destroy or foobar;fail
ct event set 'new | related | destroy | label';ok;ct event set new,related,destroy,label
ct event set new,related,destroy,label;ok
ct event set new,destroy;ok
ct event set 1;ok;ct event set new
ct event set 0x0;ok

ct label 127;ok
ct label set 127;ok
ct label 128;fail

ct zone 0;ok
ct zone 23;ok
ct zone 65536;fail
ct both zone 1;fail
ct original zone 1;ok
ct reply zone 1;ok

ct zone set 1;ok
ct original zone set 1;ok
ct reply zone set 1;ok
ct zone set mark map { 1 : 1,  2 : 2 };ok;ct zone set mark map { 0x00000001 : 1, 0x00000002 : 2}
ct both zone set 1;fail

ct invalid;fail
ct invalid original;fail
ct set invalid original 42;fail
ct set invalid 42;fail

notrack;ok