@@ -4,7 +4,6 @@
TESTDIR="./$(dirname $0)/"
RETURNCODE_SEPARATOR="_"
SRC_NFT="$(dirname $0)/../../src/nft"
-POSITIVE_RET=0
DIFF=$(which diff)
msg_error() {
@@ -102,29 +101,27 @@ for testfile in $(find_tests)
do
kernel_cleanup
- rc_spec=$(awk -F${RETURNCODE_SEPARATOR} '{print $NF}' <<< $testfile)
-
msg_info "[EXECUTING] $testfile"
test_output=$(NFT=$NFT ${testfile} 2>&1)
rc_got=$?
echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line
- if [ "$rc_got" == "$rc_spec" ] ; then
+ if [ "$rc_got" -eq 0 ] ; then
# check nft dump only for positive tests
- rc_spec="${POSITIVE_RET}"
dumppath="$(dirname ${testfile})/dumps"
dumpfile="${dumppath}/$(basename ${testfile}).nft"
- if [ "$rc_got" == "${POSITIVE_RET}" ] && [ -f ${dumpfile} ]; then
+ rc_spec=0
+ if [ "$rc_got" -eq 0 ] && [ -f ${dumpfile} ]; then
test_output=$(${DIFF} ${dumpfile} <($NFT list ruleset) 2>&1)
rc_spec=$?
fi
- if [ "$rc_spec" == "${POSITIVE_RET}" ]; then
+ if [ "$rc_spec" -eq 0 ]; then
msg_info "[OK] $testfile"
[ "$VERBOSE" == "y" ] && [ ! -z "$test_output" ] && echo "$test_output"
((ok++))
- if [ "$DUMPGEN" == "y" ] && [ "$rc_got" == "${POSITIVE_RET}" ] && [ ! -f "${dumpfile}" ]; then
+ if [ "$DUMPGEN" == "y" ] && [ "$rc_got" == 0 ] && [ ! -f "${dumpfile}" ]; then
mkdir -p "${dumppath}"
nft list ruleset > "${dumpfile}"
fi
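Review bot: The new comparison on L35, `[ "$rc_got" == 0 ]`, is a string test while the other checks this hunk introduces on L18, L25 and L30 use the arithmetic `-eq 0`; the result is the same for a `$?` value, but the mixed forms read as if they meant different things. Use `[ "$rc_got" -eq 0 ]` on L35 as well. Likewise the new L25 tests `[ -f ${dumpfile} ]` unquoted while L35 writes `[ ! -f "${dumpfile}" ]`; quoting both keeps a dump path containing whitespace from word-splitting. The enclosing `for testfile in $(find_tests)` loop begins before this hunk and continues after it.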
@@ -140,7 +137,7 @@ do
else
((failed++))
if [ "$VERBOSE" == "y" ] ; then
- msg_warn "[FAILED] $testfile: expected $rc_spec but got $rc_got"
+ msg_warn "[FAILED] $testfile: got $rc_got"
[ ! -z "$test_output" ] && echo "$test_output"
else
msg_warn "[FAILED] $testfile"
@@ -20,5 +20,7 @@ done
# this last jump should fail: too many links
$NFT add chain t c$((MAX_JUMPS + 1))
-$NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null
+
+$NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null || exit 0
echo "E: max jumps ignored?" >&2
+exit 1
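Review bot: `|| exit 0` on L53 accepts any non-zero status as the expected rejection, and the `2>/dev/null` before it throws away the only evidence of why nft refused the rule, so a typo in the command, a missing table or a crash all make this test pass. run-tests.sh in this commit captures each script's combined output and prints it when VERBOSE=y, so dropping the `2>/dev/null` here (or saving stderr to a variable and echoing it only on the failure path) would let a reviewer see the actual error without changing the pass/fail decision. The comment above names the kernel error the test expects; keeping nft's message visible is what makes that claim checkable. The same applies to every other `… 2>/dev/null || exit 0` line added by this commit.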
@@ -17,5 +17,6 @@ do
done
# this last jump should fail: loop
-$NFT add rule t c${MAX_JUMPS} jump c1 2>/dev/null
+$NFT add rule t c${MAX_JUMPS} jump c1 2>/dev/null || exit 0
echo "E: loop of jumps ignored?" >&2
+exit 1
@@ -6,6 +6,8 @@ $NFT add table t
$NFT add chain t c1
$NFT add chain t c2
$NFT add rule t c1 jump c2
+
# kernel should return EBUSY
-$NFT delete chain t c2 2>/dev/null
+$NFT delete chain t c2 2>/dev/null || exit 0
echo "E: deleted a busy chain?" >&2
+exit 1
@@ -6,6 +6,8 @@ $NFT add table t
$NFT add chain t c1
$NFT add chain t c2
$NFT add rule t c1 tcp dport vmap { 1 : jump c2 }
+
# kernel should return EBUSY
-$NFT delete chain t c2 2>/dev/null
+$NFT delete chain t c2 2>/dev/null || exit 0
echo "E: deleted a busy chain?" >&2
+exit 1
@@ -4,6 +4,8 @@ set -e
$NFT add table t
$NFT add chain t c1 {type filter hook output priority 0 \; }
+
# wrong hook output, only postrouting is valid
-$NFT add rule t c1 masquerade 2>/dev/null
+$NFT add rule t c1 masquerade 2>/dev/null || exit 0
echo "E: accepted masquerade in output hook" >&2
+exit 1
@@ -6,6 +6,8 @@ $NFT add table t
$NFT add chain t output {type nat hook output priority 0 \; }
$NFT add chain t c1
$NFT add rule t c1 masquerade
+
# kernel should return EOPNOTSUPP
-$NFT add rule t output jump c1 2>/dev/null
+$NFT add rule t output jump c1 2>/dev/null || exit 0
echo "E: accepted masquerade in output hook" >&2
+exit 1
@@ -6,6 +6,8 @@ $NFT add table t
$NFT add chain t output {type nat hook output priority 0 \; }
$NFT add chain t c1
$NFT add rule t c1 masquerade
+
# kernel should return EOPNOTSUPP
-$NFT add rule t output tcp dport vmap {1 :jump c1 } 2>/dev/null
+$NFT add rule t output tcp dport vmap {1 :jump c1 } 2>/dev/null || exit 0
echo "E: accepted masquerade in output hook in a vmap" >&2
+exit 1
@@ -4,6 +4,8 @@ set -e
$NFT add table t
$NFT add chain t c
+
# kernel should return ELOOP
-$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null
+$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
@@ -10,5 +10,6 @@ $NFT add element t m {2 : jump c2}
$NFT add rule t c1 tcp dport vmap @m
# kernel should return ELOOP
-$NFT add element t m {1 : jump c1} 2>/dev/null
+$NFT add element t m {1 : jump c1} 2>/dev/null || exit 0
echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
@@ -4,6 +4,8 @@ set -e
$NFT add table t
$NFT add chain t prerouting {type filter hook prerouting priority 0 \; }
+
# wrong hook prerouting, only input/forward/output is valid
-$NFT add rule t prerouting reject 2>/dev/null
+$NFT add rule t prerouting reject 2>/dev/null || exit 0
echo "E: accepted reject in prerouting hook" >&2
+exit 1
@@ -7,5 +7,7 @@ $NFT add chain t c1
$NFT add chain t c2
$NFT add t c1 jump c2
# kernel should return ENOENT
-$NFT add t c2 ip daddr vmap { 1 : jump c3 }
+
+$NFT add t c2 ip daddr vmap { 1 : jump c3 } || exit 0
echo "E: Jumped to non existing chain" >&2
+exit 1
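Review bot: Both the context line L139, `$NFT add t c1 jump c2`, and the new line L143, `$NFT add t c2 ip daddr vmap { 1 : jump c3 } || exit 0`, lack the `rule` keyword that every sibling testcase uses (`$NFT add rule t …`), so if this script sets `-e` like its siblings it most likely aborts on L139 and the ENOENT check is never reached — this looks like the one broken test the commit message says is still failing. Changing L139 to `$NFT add rule t c1 jump c2` and L143 to `$NFT add rule t c2 ip daddr vmap { 1 : jump c3 } 2>/dev/null || exit 0` would make the script exercise what its comment describes. Whether `set -e` is in effect is outside this hunk and should be confirmed.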
@@ -6,5 +6,9 @@ $NFT add table t
$NFT add chain t input {type filter hook input priority 4 \; }
$NFT add chain t c1
$NFT add rule t input jump c1
+
# kernel should return EOPNOTSUPP
-$NFT add rule t c1 masquerade 2>/dev/null >&2
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+
+echo "E: Accepted masquerade rule in non-nat type base chain" 1>&2
+exit 1
@@ -6,5 +6,8 @@ $NFT add table ip filter
$NFT add chain ip filter ap1
$NFT add chain ip filter ap2
$NFT add rule ip filter ap1 jump ap2
+
# kernel should return EOPNOTSUPP
-$NFT add rule ip filter ap1 jump ap1 2>/dev/null >&2
+$NFT add rule ip filter ap1 jump ap1 2>/dev/null >&2 || exit 0
+echo "E: Accepted jump-to-self"
+exit 1
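Review bot: The new diagnostic on L165, `echo "E: Accepted jump-to-self"`, goes to stdout, whereas the equivalent lines added to the neighbouring testcases (L155, L175) send it to stderr with `1>&2`. run-tests.sh merges both streams, so the message is not lost, but keeping `E:` output on stderr is the convention the rest of this commit follows; use `echo "E: Accepted jump-to-self" >&2`.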
@@ -6,5 +6,8 @@ $NFT add table t
$NFT add chain t input {type filter hook input priority 4 \; }
$NFT add chain t c1
$NFT add rule t input ip saddr vmap { 1.1.1.1 : jump c1 }
+
# kernel should return EOPNOTSUPP
-$NFT add rule t c1 masquerade 2>/dev/null >&2
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+echo "E: accepted masquerade in chain from non-nat type basechain" 1>&2
+exit 1
@@ -1,7 +1,6 @@
#!/bin/bash
set -e
-
$NFT add table ip filter
$NFT add chain ip filter input { type filter hook input priority 0\; }
@@ -19,4 +18,6 @@ for ((i=11;i<19;i++)); do
$NFT add rule ip filter a$i jump a$((i+1))
done
-$NFT add rule ip filter a10 jump a11
+$NFT add rule ip filter a10 jump a11 || exit 0
+echo "E: Expected 20th jump to fail due to jump stack exhaustion" 1>&2
+exit 1
@@ -3,5 +3,7 @@
set -e
$NFT add table ip x
-$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> /dev/null
+
+$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> /dev/null || exit 0
echo "E: dummy should not be a valid priority." >&2
+exit 1
@@ -9,8 +9,8 @@ do
if (($? == 0))
then
echo "E: srcnat should not be a valid priority name in $family $hook chains." >&2
- exit 0
+ exit 1
fi
done
done
-exit 1
+exit 0
@@ -9,8 +9,8 @@ do
if (($? == 0))
then
echo "E: dstnat should not be a valid priority name in $family $hook chains." >&2
- exit 0
+ exit 1
fi
done
done
-exit 1
+exit 0
@@ -10,8 +10,8 @@ family=arp
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for arp family chains." >&2
- exit 0
+ exit 1
fi
done
done
-exit 1
+exit 0
@@ -4,12 +4,12 @@ family=netdev
hook=ingress
for prioname in raw mangle dstnat security srcnat
do
- $NFT add table $family x
+ $NFT add table $family x || exit 1
$NFT add chain $family x y "{ type filter hook $hook device lo priority $prioname; }" &> /dev/null
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for netdev family chains." >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
@@ -9,7 +9,7 @@ family=bridge
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
@@ -9,7 +9,7 @@ family=bridge
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
@@ -9,7 +9,7 @@ family=bridge
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
@@ -5,5 +5,7 @@ $NFT add table x
$NFT add chain x x
$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
$NFT add rule x x flow offload @y
-$NFT delete flowtable x y
+
+$NFT delete flowtable x y || exit 0
echo "E: delete flowtable in use"
+exit 1
@@ -7,8 +7,8 @@ do
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for flowtables" >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
@@ -14,5 +14,6 @@ RULESET="include \"$tmpfile\""
echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f $tmpfile 2>/dev/null || exit 0
echo "E: endless include loop" >&2
+exit 1
@@ -26,8 +26,6 @@ RULESET1="include \"$tmpdir/non_existent_file.nft\""
echo "$RULESET1" > $tmpfile1
-$NFT -f $tmpfile1
-if [ $? -eq 0 ] ; then
- echo "E: Failed to catch a missing include directory/file" >&2
- exit 1
-fi
+$NFT -f $tmpfile1 || exit 0
+echo "E: Failed to catch a missing include directory/file" >&2
+exit 1
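Review bot: With `|| exit 0` on L309 the passing path now leaves the script immediately and the failing path ends in `exit 1`, so any statement after this hunk — for instance a cleanup `rm` of `$tmpfile1` or `$tmpdir` that the old fall-through reached — becomes unreachable; the end of the file is not visible here, so this needs confirming. If the script does clean up explicitly, registering it once with `trap 'rm -rf -- "$tmpdir"' EXIT` next to the `mktemp` call makes every exit path run it. The hunks at L312–L323 and L324–L335 restructure their files the same way and need the same check.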
@@ -41,9 +41,6 @@ echo "$RULESET1" > $tmpfile1
echo "$RULESET2" > $tmpfile2
echo "$RULESET3" > $tmpfile3
-$NFT -f $tmpfile3
-
-if [ $? -eq 0 ] ; then
- echo "E: didn't catch a broken file in directory" >&2
- exit 1
-fi
+$NFT -f $tmpfile3 || exit 0
+echo "E: didn't catch a broken file in directory" >&2
+exit 1
@@ -44,9 +44,6 @@ echo "$RULESET1" > $tmpfile2
echo "$RULESET2" > $tmpfile1
echo "$RULESET3" > $tmpfile3
-$NFT -f $tmpfile3
-
-if [ $? -eq 0 ] ; then
- echo "E: did not catch wrong file order in include directory" >&2
- exit 1
-fi
+$NFT -f $tmpfile3 || exit 0
+echo "E: did not catch wrong file order in include directory" >&2
+exit 1
@@ -6,5 +6,8 @@ set -e
$NFT add table ip filter
$NFT add chain ip filter output { type filter hook output priority 0 \; }
-$NFT add rule ip filter output meta mark set tcp dport map { 22 : 1, 23 : 192.168.0.1 }
+
+$NFT add rule ip filter output meta mark set tcp dport map { 22 : 1, 23 : 192.168.0.1 } || exit 0
+
echo "E: Added two different types of expression to map"
+exit 1
@@ -10,4 +10,5 @@ add set t s {type ipv4_addr\;}
add rule t c ip saddr @s
"
-$NFT -f - <<< "$RULESET" 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null && exit 1
+exit 0
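Review bot: `&& exit 1` on L349 only catches nft succeeding; if this is 0007action_object_set_segfault_1 as the diffstat suggests, the failure it exists to detect is nft dying with SIGSEGV, which yields status 139 and is now reported as a pass, whereas the old last-line form at least did not return the expected 1 in that case. Capture the status and treat both 0 and anything above 128 as failures; the `|| rc=$?` form is safe whether or not the script uses `set -e`, which is outside the hunk. The three `defines` hunks that follow (L355, L361, L367) use the same `&& exit 1` form and, like this one, print no `E:` message before failing, unlike the rest of the commit.
```shell
rc=0; $NFT -f - <<< "$RULESET" 2>/dev/null || rc=$?
[ "$rc" -eq 0 ] && exit 1    # ruleset must be rejected, not accepted
[ "$rc" -gt 128 ] && exit 1  # nft was killed by a signal (e.g. SIGSEGV)
exit 0
```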
@@ -14,4 +14,5 @@ table ip t {
}
}"
-$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
@@ -14,4 +14,5 @@ table ip t {
}
}"
-$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
@@ -13,4 +13,5 @@ table ip t {
}
}"
-$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
@@ -30,3 +30,5 @@ if [ "$EXPECTED" != "$GET" ] ; then
[ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
exit 1
fi
+
+exit 0
@@ -5,4 +5,6 @@
$NFT add table test
$NFT add chain test test
$NFT add rule test test tcp dport 22 counter accept
-$NFT list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null
+( $NFT list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null ) && exit 1
+
+exit 0
@@ -17,7 +17,7 @@ for cmd in add insert; do
$NFT $cmd rule t c $keyword 5 drop 2>/dev/null || continue
echo "E: invalid $keyword value allowed in $cmd command" >&2
- exit 0
+ exit 1
done
done
-exit 1
+exit 0
@@ -7,5 +7,7 @@ set -e
$NFT add table t
$NFT add chain t c
# kernel should return ENOENT
-$NFT replace rule t c handle 2 drop 2>/dev/null
+
+$NFT replace rule t c handle 2 drop 2>/dev/null || exit 0
echo "E: missing kernel ENOENT" >&2
+exit 1
@@ -6,6 +6,8 @@
set -e
$NFT add table t
$NFT add chain t c
+
# position keyword with replace action is not allowed, this should fail
-$NFT replace rule t c position 2 drop 2>/dev/null
+$NFT replace rule t c position 2 drop 2>/dev/null || exit 0
echo "E: allowed replace with position specification" >&2
+exit 1
@@ -6,6 +6,8 @@
set -e
$NFT add table t
$NFT add chain t c
+
# this should fail, we don't allow delete with position
-$NFT delete rule t c position 2 drop 2>/dev/null
+$NFT delete rule t c position 2 drop 2>/dev/null || exit 0
echo "E: allowed position spec with delete action" >&2
+exit 1
@@ -6,6 +6,8 @@
set -e
$NFT add table t
$NFT add chain t c
+
# kernel ENOENT
-$NFT delete rule t c handle 3333 2>/dev/null
+$NFT delete rule t c handle 3333 2>/dev/null || exit 0
echo "E: missing kernel ENOENT" >&2
+exit 1
@@ -5,4 +5,7 @@ $NFT add table x
$NFT add set x s {type ipv4_addr\; size 2\;}
$NFT add element x s {1.1.1.1}
$NFT add element x s {1.1.1.2}
-$NFT add element x s {1.1.1.3}
+
+$NFT add element x s {1.1.1.3} || exit 0
+echo "E: Accepted 3rd element in a table with max size of 2" 1>&2
+exit 1
@@ -1,11 +1,10 @@
#!/bin/bash
-set -e
-
RULESET="add table x
add chain x y
delete chain x y
delete chain x y"
-$NFT -f - <<< "$RULESET" 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
echo "E: allowing double-removal of chain" >&2
+exit 1
@@ -1,12 +1,11 @@
#!/bin/bash
-set -e
-
RULESET="add table x
add chain x y
delete chain x y
add rule x y jump y"
# kernel must return ENOENT
-$NFT -f - <<< "$RULESET" 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
echo "E: allowing jump loop to unexisting chain"
+exit 1
@@ -1,11 +1,10 @@
#!/bin/bash
-set -e
-
RULESET="add table x
add chain x y
add rule x y jump y"
# kernel must return ELOOP
-$NFT -f - <<< "$RULESET" 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
echo "E: allowing jump to chain loop"
+exit 1
@@ -1,13 +1,12 @@
#!/bin/bash
-set -e
-
RULESET="add table x
add set x y { type ipv4_addr; }
add element x y { 1.1.1.1, 2.2.2.2 }
delete element x y { 1.1.1.1 }
delete element x y { 1.1.1.1 }"
-$NFT -f - <<< "$RULESET" 2> /dev/null
+$NFT -f - <<< "$RULESET" 2> /dev/null || exit 0
# Kernel must return ENOENT
echo "E: allowing double-removal of element"
+exit 1
The shell-based tests currently encode a return value in the file name, i.e. foo_1 expects that the script should return '1' for the test case to pass. This is very error prone, and one test case is even broken (i.e., it returns 1, but because of a different, earlier error). do_something || exit 1 or 'set -e' are both pretty common patterns, in both cases tests should fail. In those test-cases that deliberately test for an error, nft something_should_fail || exit 0 nft something_should_fail && exit 1 or similar constructs should be used. This initial commit modifies all '_1' scripts to return 0 on success, usually via 'nft wrong || exit 0'. All tests pass, except the one broken test case that hasn't worked before either, but where 'set -e' use made it pass (the failing command is supposed to work, and the command that is supposed to fail is never run). Signed-off-by: Florian Westphal <fw@strlen.de> --- tests/shell/run-tests.sh | 15 ++++++--------- tests/shell/testcases/chains/0002jumps_1 | 4 +++- tests/shell/testcases/chains/0003jump_loop_1 | 3 ++- tests/shell/testcases/chains/0004busy_1 | 4 +++- tests/shell/testcases/chains/0005busy_map_1 | 4 +++- tests/shell/testcases/chains/0007masquerade_1 | 4 +++- .../shell/testcases/chains/0008masquerade_jump_1 | 4 +++- .../shell/testcases/chains/0009masquerade_jump_1 | 4 +++- .../testcases/chains/0010endless_jump_loop_1 | 4 +++- .../testcases/chains/0011endless_jump_loop_1 | 3 ++- .../testcases/chains/0012reject_in_prerouting_1 | 4 +++- .../shell/testcases/chains/0015check_jump_loop_1 | 4 +++- .../shell/testcases/chains/0017masquerade_jump_1 | 6 +++++- .../shell/testcases/chains/0018check_jump_loop_1 | 5 ++++- .../shell/testcases/chains/0019masquerade_jump_1 | 5 ++++- tests/shell/testcases/chains/0020depth_1 | 5 +++-- tests/shell/testcases/chains/0022prio_dummy_1 | 4 +++- .../shell/testcases/chains/0023prio_inet_srcnat_1 | 4 ++-- .../shell/testcases/chains/0024prio_inet_dstnat_1 | 4 ++-- 
tests/shell/testcases/chains/0025prio_arp_1 | 4 ++-- tests/shell/testcases/chains/0026prio_netdev_1 | 6 +++--- .../testcases/chains/0027prio_bridge_dstnat_1 | 4 ++-- .../shell/testcases/chains/0028prio_bridge_out_1 | 4 ++-- .../testcases/chains/0029prio_bridge_srcnat_1 | 4 ++-- .../shell/testcases/flowtable/0005delete_in_use_1 | 4 +++- tests/shell/testcases/flowtable/0008prio_1 | 4 ++-- tests/shell/testcases/include/0004endlessloop_1 | 3 ++- tests/shell/testcases/include/0009glob_nofile_1 | 8 +++----- .../testcases/include/0010glob_broken_file_1 | 9 +++------ .../shell/testcases/include/0012glob_dependency_1 | 9 +++------ tests/shell/testcases/maps/different_map_types_1 | 5 ++++- .../nft-f/0007action_object_set_segfault_1 | 3 ++- tests/shell/testcases/nft-f/0013defines_1 | 3 ++- tests/shell/testcases/nft-f/0014defines_1 | 3 ++- tests/shell/testcases/nft-f/0015defines_1 | 3 ++- tests/shell/testcases/nft-f/0016redefines_1 | 2 ++ tests/shell/testcases/optionals/handles_1 | 4 +++- .../rule_management/0002addinsertlocation_1 | 4 ++-- .../shell/testcases/rule_management/0005replace_1 | 4 +++- .../shell/testcases/rule_management/0006replace_1 | 4 +++- .../shell/testcases/rule_management/0008delete_1 | 4 +++- .../shell/testcases/rule_management/0009delete_1 | 4 +++- tests/shell/testcases/sets/0018set_check_size_1 | 5 ++++- tests/shell/testcases/transactions/0014chain_1 | 5 ++--- tests/shell/testcases/transactions/0022rule_1 | 5 ++--- tests/shell/testcases/transactions/0023rule_1 | 5 ++--- tests/shell/testcases/transactions/0036set_1 | 5 ++--- 47 files changed, 130 insertions(+), 87 deletions(-)