
[nft,5/6] tests: add test case for -O no-remove-dependencies

Message ID 20210527154323.4003-6-fw@strlen.de
State Changes Requested
Delegated to: Pablo Neira
Series nftables: add --optimize support | expand

Commit Message

Florian Westphal May 27, 2021, 3:43 p.m. UTC
Contains two different text files that contain the same rules, one
is with the implicit deps, the other one is without them.

Check they are the same and check that '-O no-remove-dependencies'
keeps the redundant meta/payload expressions.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 .../optimizations/dumps/payload_meta_deps.nft | 10 ++++++
 .../dumps/payload_meta_deps.no-remove-deps    | 10 ++++++
 .../testcases/optimizations/payload_meta_deps | 33 +++++++++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 tests/shell/testcases/optimizations/dumps/payload_meta_deps.nft
 create mode 100644 tests/shell/testcases/optimizations/dumps/payload_meta_deps.no-remove-deps
 create mode 100755 tests/shell/testcases/optimizations/payload_meta_deps

Patch

diff --git a/tests/shell/testcases/optimizations/dumps/payload_meta_deps.nft b/tests/shell/testcases/optimizations/dumps/payload_meta_deps.nft
new file mode 100644
index 000000000000..5f26f0d317d9
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/payload_meta_deps.nft
@@ -0,0 +1,10 @@ 
+table inet test {
+	chain test {
+		ip saddr 1.2.3.4
+		ip6 saddr dead::1
+		tcp dport 22
+		ip saddr 1.2.3.5 tcp dport 22 accept
+		ip6 nexthdr udp
+		ip ttl < 5 drop
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/payload_meta_deps.no-remove-deps b/tests/shell/testcases/optimizations/dumps/payload_meta_deps.no-remove-deps
new file mode 100644
index 000000000000..5e458e88eb29
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/payload_meta_deps.no-remove-deps
@@ -0,0 +1,10 @@ 
+table inet test {
+	chain test {
+		meta nfproto ipv4 ip saddr 1.2.3.4
+		meta nfproto ipv6 ip6 saddr dead::1
+		meta l4proto tcp tcp dport 22
+		meta nfproto ipv4 ip saddr 1.2.3.5 meta l4proto tcp tcp dport 22 accept
+		meta nfproto ipv6 ip6 nexthdr udp
+		meta nfproto ipv4 ip ttl < 5 drop
+	}
+}
diff --git a/tests/shell/testcases/optimizations/payload_meta_deps b/tests/shell/testcases/optimizations/payload_meta_deps
new file mode 100755
index 000000000000..1ec3bf0776e8
--- /dev/null
+++ b/tests/shell/testcases/optimizations/payload_meta_deps
@@ -0,0 +1,33 @@ 
+#!/bin/bash
+
+set -e
+
+# Input files are identical.  Second version includes the
+# (redundant) payload/meta dependencies, i.e. the files
+# are textually different but logically the rule sets are
+# the same.
+dumpfile_depon=$(dirname $0)/dumps/$(basename $0).nft
+dumpfile_depoff=$(dirname $0)/dumps/$(basename $0).no-remove-deps
+
+$NFT -f "$dumpfile_depon"
+A=$(mktemp)
+$NFT -O no-remove-dependencies list ruleset > "$A"
+
+# This checks that -O no-remove... kept all auto-generated
+# dependencies, even though the imported file doesn't
+# mention them.
+
+diff -u $dumpfile_depoff "$A"
+ret=$?
+
+rm -f "$A"
+
+$NFT delete table inet test
+
+# This makes calling test script check that the
+# no-remove-deps dump file logically matches the .nft version.
+# This detects future mismatches between the two representations.
+
+$NFT -f "$dumpfile_depoff"
+
+exit $ret
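Review bot: With `set -e` in effect, a non-zero exit from `diff -u $dumpfile_depoff "$A"` ends the script on that line, so `ret=$?` only ever records 0. On a mismatch, `rm -f "$A"` and `$NFT delete table inet test` are therefore skipped, leaving the temp file and the loaded table behind. Capture the status without tripping errexit, `ret=0; diff -u "$dumpfile_depoff" "$A" || ret=$?`, and register `trap 'rm -f "$A"' EXIT` right after the `mktemp` line so the file is removed on every exit path. Separately, the `$(dirname $0)` and `$(basename $0)` expansions and `$dumpfile_depoff` in the diff call are unquoted and would word-split if the test tree sits under a path containing spaces. The opening comment also says "Input files are identical" while the same sentence describes them as textually different; `# Input files describe the same rule set.` would match what the test checks.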