summaryrefslogtreecommitdiffstats
path: root/tests/regression/any/ct.t
blob: ab4b167df8ecec584aada5e0032f6237698d79a1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
*ip;test-ip4
*ip6;test-ip6
*inet;test-inet
# ct expresion is not supported in arp and bridge family yet.
- *arp;test-arp
- *bridge;test-bridge

:output;type filter hook output priority 0

ct state new,established, related, untracked;ok;ct state established,related,new,untracked
ct state != related;ok
ct state {new,established, related, untracked};ok
- ct state != {new,established, related, untracked};ok
ct state invalid drop;ok
ct state established accept;ok
ct state 8;ok;ct state new
ct state xxx;fail

ct direction original;ok
ct direction != original;ok
ct direction reply;ok
ct direction != reply;ok
ct direction {reply, original};ok
- ct direction != {reply, original};ok
ct direction xxx;fail

ct status expected;ok
ct status != expected;ok
ct status seen-reply;ok
ct status != seen-reply;ok
ct status {expected, seen-reply, assured, confirmed, dying};ok
ct status xxx;fail

# SYMBOL("snat", IPS_SRC_NAT)
# SYMBOL("dnat", IPS_DST_NAT)
- ct status snat;ok
- ct status dnat;ok

ct mark 0;ok;ct mark 0x00000000
ct mark or 0x23 == 0x11;ok;ct mark | 0x00000023 == 0x00000011
ct mark or 0x3 != 0x1;ok;ct mark | 0x00000003 != 0x00000001
ct mark and 0x23 == 0x11;ok;ct mark & 0x00000023 == 0x00000011
ct mark and 0x3 != 0x1;ok;ct mark & 0x00000003 != 0x00000001
ct mark xor 0x23 == 0x11;ok;ct mark 0x00000032
ct mark xor 0x3 != 0x1;ok;ct mark != 0x00000002

ct mark 0x00000032;ok
ct mark != 0x00000032;ok
ct mark 0x00000032-0x00000045;ok
ct mark != 0x00000032-0x00000045;ok
ct mark {0x32, 0x2222, 0x42de3};ok;ct mark { 0x00042de3, 0x00002222, 0x00000032}
- ct mark != {0x32, 0x2222, 0x42de3};ok

# ct mark != {0x32, 0x2222, 0x42de3};ok
# BUG: invalid expression type set
# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.

ct mark set 0x11 xor 0x1331;ok;ct mark set 0x00001320
ct mark set 0x11333 and 0x11;ok;ct mark set 0x00000011
ct mark set 0x12 or 0x11;ok;ct mark set 0x00000013
ct mark set 0x11;ok;ct mark set 0x00000011

ct expiration 30;ok;ct expiration 30s
ct expiration 22;ok;ct expiration 22s
ct expiration != 233;ok;ct expiration != 3m53s
ct expiration 33-45;ok;ct expiration 33s-45s
ct expiration != 33-45;ok;ct expiration != 33s-45s
ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
- ct expiration != {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
ct expiration {33-55};ok;ct expiration { 33s-55s}
# BUG: ct expiration {33-55}
# Broken output: ct expiration { "4271d23h25m52s"-"8738d3h11m59s" }
- ct expiration != {33-55};ok

ct helper "ftp";ok
ct helper "12345678901234567";fail

# BUG: ct l3proto "Layer  3 protocol of the connection"
# nft add rule ip test input ct l3proto arp
# <cmdline>:1:35-37: Error: Can t parse symbolic invalid expressions


# If table is ip6 or inet or bridge family,, It is failed. I can not test it
# ct saddr 1.2.3.4;ok

# BUG: ct saddr 192.168.3.4
# <cmdline>:1:1-43: Error: Could not process rule: Invalid argument
# add rule ip test input ct saddr 192.168.3.4
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- ct saddr 192.168.3.4;ok
- ct daddr 192.168.3.4;ok

# BUG: ct protocol tcp
# <cmdline>:1:1-37: Error: Could not process rule: Invalid argument
# input ct protocol bgp <cmdline>:1:36-38: Error: Could not resolve protocol name
# ct protocol tcp;ok
- ct protocol tcp;ok

- ct proto-src udp;ok
- ct proto-dst udp;ok
# BUG: ct proto-src udp and ct proto-dst udp
# <cmdline>:1:37-39: Error: datatype mismatch, expected invalid, expression has type Internet protocol
# add rule ip test input ct proto-src udp
#                       ~~~~~~~~~~~~ ^^^
# <cmdline>:1:37-39: Error: datatype mismatch, expected invalid, expression has type Internet protocol
# add rule ip test input ct proto-dst udp
#                        ~~~~~~~~~~~~ ^^^

ct state . ct mark { new . 0x12345678};ok
ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634};ok
ct direction . ct mark { original . 0x12345678};ok
ct state . ct mark vmap { new . 0x12345678 : drop};ok