From patchwork Wed Mar 7 21:51:10 2018
X-Patchwork-Submitter: nevola
X-Patchwork-Id: 882807
X-Patchwork-Delegate: pablo@netfilter.org
Date: Wed, 7 Mar 2018 22:51:10 +0100
From: Laura Garcia Liebana
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nft] tests: shell: autogenerate dump verification
Message-ID: <20180307215110.y7i2rqwpzxvzgtos@nevthink>
X-Mailing-List: netfilter-devel@vger.kernel.org

Complete the automated shell tests with the verification of the test file dump, only for positive tests and if the test execution was successful.

It's able to generate the dump file with the -g option. Example:

 # ./run-tests.sh -g testcases/chains/0001jumps_0

The dump files are generated in the same path in the folder named dumps/ with .nft extension.

It has been avoided the dump verification code in every test file.

Signed-off-by: Laura Garcia Liebana --- tests/shell/README | 5 +- tests/shell/run-tests.sh | 46 +++++++++++++--- .../cache/dumps/0001_cache_handling_0.nft | 12 ++++ .../testcases/cache/dumps/0002_interval_0.nft | 7 +++ tests/shell/testcases/chains/0016delete_handle_0 | 23 -------- tests/shell/testcases/chains/dumps/0001jumps_0.nft | 64 ++++++++++++++++++++++ .../testcases/chains/dumps/0006masquerade_0.nft | 6 ++ .../shell/testcases/chains/dumps/0013rename_0.nft | 4 ++ .../testcases/chains/dumps/0016delete_handle_0.nft | 20 +++++++ tests/shell/testcases/flowtable/0001flowtable_0 | 8 --- .../testcases/flowtable/dumps/0001flowtable_0.nft | 10 ++++ tests/shell/testcases/import/vm_json_import_0 | 8 --- .../testcases/include/dumps/0001absolute_0.nft | 2 + .../testcases/include/dumps/0002relative_0.nft | 2 + .../testcases/include/dumps/0003includepath_0.nft | 2 + .../testcases/include/dumps/0006glob_single_0.nft | 2 + .../testcases/include/dumps/0007glob_double_0.nft | 4 ++ .../include/dumps/0011glob_dependency_0.nft | 4 ++ .../testcases/include/dumps/0013glob_dotfile_0.nft | 2 + .../include/dumps/0015doubleincludepath_0.nft | 4 ++ tests/shell/testcases/listing/0001ruleset_0 | 11 ---- tests/shell/testcases/listing/0002ruleset_0 | 9 --- .../testcases/listing/dumps/0001ruleset_0.nft | 2 + .../maps/0005interval_map_add_many_elements_0 | 15 ----- .../testcases/maps/0006interval_map_overlap_0 | 14 ----- .../shell/testcases/maps/0007named_ifname_dtype_0 | 7 --- .../dumps/0005interval_map_add_many_elements_0.nft | 8 +++ .../maps/dumps/0006interval_map_overlap_0.nft | 7 +++ .../maps/dumps/0007named_ifname_dtype_0.nft | 11 ++++ .../testcases/maps/dumps/anonymous_snat_map_0.nft | 5 ++ .../testcases/maps/dumps/map_with_flags_0.nft | 6 ++ .../testcases/maps/dumps/named_snat_map_0.nft | 10 ++++ tests/shell/testcases/maps/map_with_flags_0 | 15 ----- tests/shell/testcases/nft-f/0002rollback_rule_0 | 10 ---- tests/shell/testcases/nft-f/0003rollback_jump_0 | 10 ---- 
tests/shell/testcases/nft-f/0004rollback_set_0 | 10 ---- tests/shell/testcases/nft-f/0005rollback_map_0 | 10 ---- tests/shell/testcases/nft-f/0008split_tables_0 | 19 ------- .../testcases/nft-f/dumps/0002rollback_rule_0.nft | 16 ++++++ .../testcases/nft-f/dumps/0003rollback_jump_0.nft | 16 ++++++ .../testcases/nft-f/dumps/0004rollback_set_0.nft | 16 ++++++ .../testcases/nft-f/dumps/0005rollback_map_0.nft | 16 ++++++ .../testcases/nft-f/dumps/0008split_tables_0.nft | 10 ++++ .../shell/testcases/nft-f/dumps/0009variable_0.nft | 7 +++ .../shell/testcases/nft-f/dumps/0010variable_0.nft | 6 ++ .../nft-f/dumps/0012different_defines_0.nft | 16 ++++++ .../shell/testcases/optionals/dumps/comments_0.nft | 5 ++ .../optionals/dumps/comments_handles_0.nft | 5 ++ .../shell/testcases/optionals/dumps/handles_0.nft | 5 ++ .../testcases/rule_management/0001addposition_0 | 16 ------ .../testcases/rule_management/0002insertposition_0 | 16 ------ tests/shell/testcases/rule_management/0003insert_0 | 16 ------ .../shell/testcases/rule_management/0004replace_0 | 14 ----- tests/shell/testcases/rule_management/0007delete_0 | 14 ----- .../rule_management/dumps/0001addposition_0.nft | 7 +++ .../rule_management/dumps/0002insertposition_0.nft | 7 +++ .../rule_management/dumps/0003insert_0.nft | 7 +++ .../rule_management/dumps/0004replace_0.nft | 5 ++ .../rule_management/dumps/0007delete_0.nft | 5 ++ .../testcases/sets/0012add_delete_many_elements_0 | 13 ----- .../testcases/sets/0013add_delete_many_elements_0 | 14 ----- tests/shell/testcases/sets/0021nesting_0 | 14 ----- .../shell/testcases/sets/0029named_ifname_dtype_0 | 8 --- .../testcases/sets/dumps/0001named_interval_0.nft | 34 ++++++++++++ .../dumps/0002named_interval_automerging_0.nft | 7 +++ .../dumps/0003named_interval_missing_flag_0.nft | 5 ++ .../sets/dumps/0004named_interval_shadow_0.nft | 7 +++ .../sets/dumps/0005named_interval_shadow_0.nft | 7 +++ .../testcases/sets/dumps/0006create_set_0.nft | 5 ++ 
.../testcases/sets/dumps/0007create_element_0.nft | 6 ++ .../sets/dumps/0008comments_interval_0.nft | 7 +++ .../sets/dumps/0008create_verdict_map_0.nft | 13 +++++ .../sets/dumps/0009comments_timeout_0.nft | 7 +++ .../shell/testcases/sets/dumps/0010comments_0.nft | 6 ++ .../sets/dumps/0012add_delete_many_elements_0.nft | 5 ++ .../sets/dumps/0013add_delete_many_elements_0.nft | 5 ++ .../testcases/sets/dumps/0015rulesetflush_0.nft | 11 ++++ .../testcases/sets/dumps/0016element_leak_0.nft | 7 +++ .../testcases/sets/dumps/0017add_after_flush_0.nft | 7 +++ .../testcases/sets/dumps/0019set_check_size_0.nft | 7 +++ .../shell/testcases/sets/dumps/0020comments_0.nft | 6 ++ tests/shell/testcases/sets/dumps/0021nesting_0.nft | 5 ++ .../sets/dumps/0022type_selective_flush_0.nft | 13 +++++ .../dumps/0023incomplete_add_set_command_0.nft | 2 + .../testcases/sets/dumps/0024named_objects_0.nft | 28 ++++++++++ .../testcases/sets/dumps/0025anonymous_set_0.nft | 7 +++ .../testcases/sets/dumps/0026named_limit_0.nft | 10 ++++ .../testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft | 7 +++ .../sets/dumps/0029named_ifname_dtype_0.nft | 11 ++++ tests/shell/testcases/transactions/0001table_0 | 13 ----- tests/shell/testcases/transactions/0002table_0 | 12 ---- tests/shell/testcases/transactions/0003table_0 | 10 ---- tests/shell/testcases/transactions/0010chain_0 | 13 ----- tests/shell/testcases/transactions/0011chain_0 | 14 ----- tests/shell/testcases/transactions/0012chain_0 | 14 ----- tests/shell/testcases/transactions/0013chain_0 | 14 ----- tests/shell/testcases/transactions/0020rule_0 | 10 ---- tests/shell/testcases/transactions/0021rule_0 | 14 ----- tests/shell/testcases/transactions/0030set_0 | 11 ---- tests/shell/testcases/transactions/0031set_0 | 14 ----- tests/shell/testcases/transactions/0032set_0 | 14 ----- tests/shell/testcases/transactions/0033set_0 | 11 ---- tests/shell/testcases/transactions/0034set_0 | 14 ----- tests/shell/testcases/transactions/0035set_0 | 15 ----- 
tests/shell/testcases/transactions/0037set_0 | 15 ----- tests/shell/testcases/transactions/0038set_0 | 16 ------ tests/shell/testcases/transactions/0039set_0 | 16 ------ tests/shell/testcases/transactions/0040set_0 | 23 -------- .../testcases/transactions/dumps/0001table_0.nft | 4 ++ .../testcases/transactions/dumps/0002table_0.nft | 3 + .../testcases/transactions/dumps/0010chain_0.nft | 4 ++ .../testcases/transactions/dumps/0011chain_0.nft | 5 ++ .../testcases/transactions/dumps/0012chain_0.nft | 5 ++ .../testcases/transactions/dumps/0013chain_0.nft | 5 ++ .../testcases/transactions/dumps/0021rule_0.nft | 5 ++ .../testcases/transactions/dumps/0030set_0.nft | 2 + .../testcases/transactions/dumps/0031set_0.nft | 5 ++ .../testcases/transactions/dumps/0032set_0.nft | 5 ++ .../testcases/transactions/dumps/0033set_0.nft | 2 + .../testcases/transactions/dumps/0034set_0.nft | 5 ++ .../testcases/transactions/dumps/0035set_0.nft | 6 ++ .../testcases/transactions/dumps/0037set_0.nft | 6 ++ .../testcases/transactions/dumps/0038set_0.nft | 7 +++ .../testcases/transactions/dumps/0039set_0.nft | 7 +++ .../testcases/transactions/dumps/0040set_0.nft | 14 +++++ 125 files changed, 711 insertions(+), 565 deletions(-) create mode 100644 tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft create mode 100644 tests/shell/testcases/cache/dumps/0002_interval_0.nft create mode 100644 tests/shell/testcases/chains/dumps/0001jumps_0.nft create mode 100644 tests/shell/testcases/chains/dumps/0006masquerade_0.nft create mode 100644 tests/shell/testcases/chains/dumps/0013rename_0.nft create mode 100644 tests/shell/testcases/chains/dumps/0016delete_handle_0.nft create mode 100755 tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft create mode 100644 tests/shell/testcases/include/dumps/0001absolute_0.nft create mode 100644 tests/shell/testcases/include/dumps/0002relative_0.nft create mode 100644 tests/shell/testcases/include/dumps/0003includepath_0.nft create mode 100644 
tests/shell/testcases/include/dumps/0006glob_single_0.nft create mode 100644 tests/shell/testcases/include/dumps/0007glob_double_0.nft create mode 100644 tests/shell/testcases/include/dumps/0011glob_dependency_0.nft create mode 100644 tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft create mode 100644 tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft create mode 100644 tests/shell/testcases/listing/dumps/0001ruleset_0.nft create mode 100644 tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft create mode 100644 tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft create mode 100644 tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft create mode 100644 tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft create mode 100644 tests/shell/testcases/maps/dumps/map_with_flags_0.nft create mode 100644 tests/shell/testcases/maps/dumps/named_snat_map_0.nft create mode 100644 tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft create mode 100644 tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft create mode 100644 tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft create mode 100644 tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft create mode 100644 tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft create mode 100644 tests/shell/testcases/nft-f/dumps/0009variable_0.nft create mode 100644 tests/shell/testcases/nft-f/dumps/0010variable_0.nft create mode 100644 tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft create mode 100644 tests/shell/testcases/optionals/dumps/comments_0.nft create mode 100644 tests/shell/testcases/optionals/dumps/comments_handles_0.nft create mode 100644 tests/shell/testcases/optionals/dumps/handles_0.nft create mode 100644 tests/shell/testcases/rule_management/dumps/0001addposition_0.nft create mode 100644 tests/shell/testcases/rule_management/dumps/0002insertposition_0.nft create mode 100644 
tests/shell/testcases/rule_management/dumps/0003insert_0.nft create mode 100644 tests/shell/testcases/rule_management/dumps/0004replace_0.nft create mode 100644 tests/shell/testcases/rule_management/dumps/0007delete_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0001named_interval_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0006create_set_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0007create_element_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0008comments_interval_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0010comments_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0016element_leak_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0019set_check_size_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0020comments_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0021nesting_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0024named_objects_0.nft create mode 100644 
tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0026named_limit_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft create mode 100644 tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0001table_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0002table_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0010chain_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0011chain_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0012chain_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0013chain_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0021rule_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0030set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0031set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0032set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0033set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0034set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0035set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0037set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0038set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0039set_0.nft create mode 100644 tests/shell/testcases/transactions/dumps/0040set_0.nft diff --git a/tests/shell/README b/tests/shell/README index 3ffe642..e6d83bc 100644 --- a/tests/shell/README +++ b/tests/shell/README @@ -1,5 +1,5 @@ This test-suite is intended to perform tests of higher level than -the other reggresion test-suite. +the other regression test-suite. It can run arbitrary executables which can perform any test apart of testing the nft syntax or netlink code (which is what the regression tests does). 
@@ -15,6 +15,9 @@ test-files can be spread in any sub-directories. You can turn on a verbose execution by calling: % ./run-tests.sh -v +And generate missing dump files with: + % ./run-tests.sh -g + Before each call to the test-files, `nft flush ruleset' will be called. Also, test-files will receive the environment variable $NFT which contains the path to the nftables binary being tested. diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 3eee99d..d2f3e96 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -4,6 +4,8 @@ TESTDIR="./$(dirname $0)/" RETURNCODE_SEPARATOR="_" SRC_NFT="$(dirname $0)/../../src/nft" +POSITIVE_RET=0 +DIFF=$(which diff) msg_error() { echo "E: $1 ..." >&2 @@ -43,6 +45,16 @@ if [ ! -x "$MODPROBE" ] ; then msg_error "no modprobe binary found" fi +if [ "$1" == "-v" ] ; then + VERBOSE=y + shift +fi + +if [ "$1" == "-g" ] ; then + DUMPGEN=y + shift +fi + if [ -x "$1" ] ; then if grep ^.*${RETURNCODE_SEPARATOR}[0-9]\\+$ <<< $1 >/dev/null ; then SINGLE=$1 @@ -50,10 +62,6 @@ if [ -x "$1" ] ; then fi fi -if [ "$1" == "-v" ] ; then - VERBOSE=y -fi - kernel_cleanup() { $NFT flush ruleset $MODPROBE -raq \ 
@@ -97,9 +105,33 @@ do echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line if [ "$rc_got" == "$rc_spec" ] ; then - msg_info "[OK] $testfile" - [ "$VERBOSE" == "y" ] && [ ! -z "$test_output" ] && echo "$test_output" - ((ok++)) + # check nft dump only for positive tests + rc_spec="${POSITIVE_RET}" + dumppath="$(dirname ${testfile})/dumps" + dumpfile="${dumppath}/$(basename ${testfile}).nft" + if [ "$rc_got" == "${POSITIVE_RET}" ] && [ -f ${dumpfile} ]; then + test_output=$(${DIFF} ${dumpfile} <(nft list ruleset) 2>&1) + rc_spec=$? + fi + + if [ "$rc_spec" == "${POSITIVE_RET}" ]; then + msg_info "[OK] $testfile" + [ "$VERBOSE" == "y" ] && [ ! -z "$test_output" ] && echo "$test_output" + ((ok++)) + + if [ "$DUMPGEN" == "y" ] && [ "$rc_got" == "${POSITIVE_RET}" ] && [ ! -f "${dumpfile}" ]; then + mkdir -p "${dumppath}" + nft list ruleset > "${dumpfile}" + fi + else + ((failed++)) + if [ "$VERBOSE" == "y" ] ; then + msg_warn "[DUMP FAIL] $testfile: dump diff detected" + [ ! -z "$test_output" ] && echo "$test_output" + else + msg_warn "[DUMP FAIL] $testfile" + fi + fi else ((failed++)) if [ "$VERBOSE" == "y" ] ; then diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft new file mode 100644 index 0000000..f6dd654 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft @@ -0,0 +1,12 @@ +table inet test { + set test { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain test { + ip daddr { 2.2.2.2 } counter packets 0 bytes 0 accept + ip saddr @test counter packets 0 bytes 0 accept + ip daddr { 2.2.2.2 } counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/cache/dumps/0002_interval_0.nft b/tests/shell/testcases/cache/dumps/0002_interval_0.nft new file mode 100644 index 0000000..6a08132 --- /dev/null +++ b/tests/shell/testcases/cache/dumps/0002_interval_0.nft 
@@ -0,0 +1,7 @@ +table inet t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.0.0/24 } + } +} diff --git a/tests/shell/testcases/chains/0016delete_handle_0 b/tests/shell/testcases/chains/0016delete_handle_0 index cf11da8..677fba3 100755 --- a/tests/shell/testcases/chains/0016delete_handle_0 +++ b/tests/shell/testcases/chains/0016delete_handle_0 @@ -11,26 +11,3 @@ $NFT add chain ip6 test-ip6 y # should have handle 2 $NFT add chain ip6 test-ip6 z # should have handle 3 $NFT delete chain test-ip handle 2 $NFT delete chain ip6 test-ip6 handle 3 - -EXPECTED="table ip test-ip { - chain x { - } - - chain z { - } -} -table ip6 test-ip6 { - chain x { - } - - chain y { - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/chains/dumps/0001jumps_0.nft b/tests/shell/testcases/chains/dumps/0001jumps_0.nft new file mode 100644 index 0000000..7054cde --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0001jumps_0.nft @@ -0,0 +1,64 @@ +table ip t { + chain c1 { + jump c2 + } + + chain c2 { + jump c3 + } + + chain c3 { + jump c4 + } + + chain c4 { + jump c5 + } + + chain c5 { + jump c6 + } + + chain c6 { + jump c7 + } + + chain c7 { + jump c8 + } + + chain c8 { + jump c9 + } + + chain c9 { + jump c10 + } + + chain c10 { + jump c11 + } + + chain c11 { + jump c12 + } + + chain c12 { + jump c13 + } + + chain c13 { + jump c14 + } + + chain c14 { + jump c15 + } + + chain c15 { + jump c16 + } + + chain c16 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0006masquerade_0.nft b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft new file mode 100644 index 0000000..e4b9872 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft @@ -0,0 +1,6 @@ +table ip t { + chain c1 { + type nat hook postrouting priority 0; policy accept; + masquerade + } +} 
diff --git a/tests/shell/testcases/chains/dumps/0013rename_0.nft b/tests/shell/testcases/chains/dumps/0013rename_0.nft new file mode 100644 index 0000000..e4e0171 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0013rename_0.nft @@ -0,0 +1,4 @@ +table ip t { + chain c2 { + } +} diff --git a/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft b/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft new file mode 100644 index 0000000..de6ee9c --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft @@ -0,0 +1,20 @@ +table ip test-ip { + chain x { + } + + chain y { + } + + chain z { + } +} +table ip6 test-ip6 { + chain x { + } + + chain y { + } + + chain z { + } +} diff --git a/tests/shell/testcases/flowtable/0001flowtable_0 b/tests/shell/testcases/flowtable/0001flowtable_0 index 307f06f..6d08e25 100755 --- a/tests/shell/testcases/flowtable/0001flowtable_0 +++ b/tests/shell/testcases/flowtable/0001flowtable_0 @@ -23,11 +23,3 @@ EXPECTED='table inet t { echo "$EXPECTED" > $tmpfile set -e $NFT -f $tmpfile - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft new file mode 100755 index 0000000..5188b20 --- /dev/null +++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft @@ -0,0 +1,10 @@ +table inet t { + flowtable f { + hook ingress priority 10 + devices = { eth0, wlan0 } + } + + chain c { + flow offload @f + } +} diff --git a/tests/shell/testcases/import/vm_json_import_0 b/tests/shell/testcases/import/vm_json_import_0 index dc367f6..e5ecbcc 100755 --- a/tests/shell/testcases/import/vm_json_import_0 +++ b/tests/shell/testcases/import/vm_json_import_0 
@@ -61,11 +61,3 @@ $NFT -f $tmpfile $NFT export vm json > $tmpfile $NFT flush ruleset cat $tmpfile | $NFT import vm json - -RESULT="$($NFT list ruleset)" - - -if [ "$RULESET" != "$RESULT" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$RESULT") -fi diff --git a/tests/shell/testcases/include/dumps/0001absolute_0.nft b/tests/shell/testcases/include/dumps/0001absolute_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/include/dumps/0001absolute_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0002relative_0.nft b/tests/shell/testcases/include/dumps/0002relative_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/include/dumps/0002relative_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0003includepath_0.nft b/tests/shell/testcases/include/dumps/0003includepath_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/include/dumps/0003includepath_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0006glob_single_0.nft b/tests/shell/testcases/include/dumps/0006glob_single_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/include/dumps/0006glob_single_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0007glob_double_0.nft b/tests/shell/testcases/include/dumps/0007glob_double_0.nft new file mode 100644 index 0000000..f9cb080 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0007glob_double_0.nft @@ -0,0 +1,4 @@ +table ip y { +} +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft b/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft new file mode 100644 index 0000000..8e818d2 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft 
@@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft new file mode 100644 index 0000000..8e818d2 --- /dev/null +++ b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft @@ -0,0 +1,4 @@ +table ip x { + chain y { + } +} diff --git a/tests/shell/testcases/listing/0001ruleset_0 b/tests/shell/testcases/listing/0001ruleset_0 index 1a3a73b..19cb3b0 100755 --- a/tests/shell/testcases/listing/0001ruleset_0 +++ b/tests/shell/testcases/listing/0001ruleset_0 @@ -2,17 +2,6 @@ # list ruleset shows a table -EXPECTED="table ip test { -}" - set -e $NFT add table test -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/listing/0002ruleset_0 b/tests/shell/testcases/listing/0002ruleset_0 index 45121fb..b4a535c 100755 --- a/tests/shell/testcases/listing/0002ruleset_0 +++ b/tests/shell/testcases/listing/0002ruleset_0 @@ -5,12 +5,3 @@ EXPECTED="" set -e - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/listing/dumps/0001ruleset_0.nft b/tests/shell/testcases/listing/dumps/0001ruleset_0.nft new file mode 100644 index 0000000..1c9f40c --- /dev/null +++ b/tests/shell/testcases/listing/dumps/0001ruleset_0.nft @@ -0,0 +1,2 @@ +table ip test { +} 
diff --git a/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 index 55f9055..0714963 100755 --- a/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 +++ b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 @@ -56,18 +56,3 @@ n=$HOWMANY echo "add element x y { 10.${n}.${n}.0/24 : 10.0.${n}.${n} }" > $tmpfile $NFT -f $tmpfile - -EXPECTED="table ip x { - map y { - type ipv4_addr : ipv4_addr - flags interval - elements = { "$(generate_test)" } - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/maps/0006interval_map_overlap_0 b/tests/shell/testcases/maps/0006interval_map_overlap_0 index 8597639..682ac65 100755 --- a/tests/shell/testcases/maps/0006interval_map_overlap_0 +++ b/tests/shell/testcases/maps/0006interval_map_overlap_0 @@ -25,17 +25,3 @@ echo "add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }" > $tmpfile $NFT -f $tmpfile -EXPECTED="table ip x { - map y { - type ipv4_addr : ipv4_addr - flags interval - elements = { 10.0.1.0/24 : 10.0.0.1, 10.0.2.0/24 : 10.0.0.2 } - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/maps/0007named_ifname_dtype_0 b/tests/shell/testcases/maps/0007named_ifname_dtype_0 index dcbcf2f..5e51a60 100755 --- a/tests/shell/testcases/maps/0007named_ifname_dtype_0 +++ b/tests/shell/testcases/maps/0007named_ifname_dtype_0 @@ -26,10 +26,3 @@ set -e echo "$EXPECTED" > $tmpfile $NFT -f $tmpfile -GET="$($NFT list ruleset)" -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - 
diff --git a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft new file mode 100644 index 0000000..ab992c4 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft @@ -0,0 +1,8 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.1.1.0/24 : 10.0.1.1, 10.1.2.0/24 : 10.0.1.2, + 10.2.1.0/24 : 10.0.2.1, 10.2.2.0/24 : 10.0.2.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft new file mode 100644 index 0000000..1f5343f --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft @@ -0,0 +1,7 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.0.1.0/24 : 10.0.0.1, 10.0.2.0/24 : 10.0.0.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft new file mode 100644 index 0000000..878e7c0 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft @@ -0,0 +1,11 @@ +table inet t { + map m1 { + type ifname : ipv4_addr + elements = { "eth0" : 1.1.1.1 } + } + + chain c { + ip daddr set iifname map @m1 + ip daddr set oifname map @m1 + } +} diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft new file mode 100644 index 0000000..5009560 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft @@ -0,0 +1,5 @@ +table ip nat { + chain postrouting { + snat to ip saddr map { 1.1.1.1 : 2.2.2.2 } + } +} diff --git a/tests/shell/testcases/maps/dumps/map_with_flags_0.nft b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft new file mode 100644 index 0000000..c96b1ed --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft 
@@ -0,0 +1,6 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + flags timeout + } +} diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft new file mode 100644 index 0000000..a7c5751 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft @@ -0,0 +1,10 @@ +table ip nat { + map m { + type ipv4_addr : ipv4_addr + elements = { 1.1.1.1 : 2.2.2.2 } + } + + chain postrouting { + snat to ip saddr map @m + } +} diff --git a/tests/shell/testcases/maps/map_with_flags_0 b/tests/shell/testcases/maps/map_with_flags_0 index 8774eb5..68bd80d 100755 --- a/tests/shell/testcases/maps/map_with_flags_0 +++ b/tests/shell/testcases/maps/map_with_flags_0 @@ -4,18 +4,3 @@ set -e $NFT add table x $NFT add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; } - -EXPECTED="table ip x { - map y { - type ipv4_addr : ipv4_addr - flags timeout - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/nft-f/0002rollback_rule_0 b/tests/shell/testcases/nft-f/0002rollback_rule_0 index ddeb542..1969054 100755 --- a/tests/shell/testcases/nft-f/0002rollback_rule_0 +++ b/tests/shell/testcases/nft-f/0002rollback_rule_0 @@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0003rollback_jump_0 b/tests/shell/testcases/nft-f/0003rollback_jump_0 index 6c43df9..f53fd23 100755 --- a/tests/shell/testcases/nft-f/0003rollback_jump_0 +++ b/tests/shell/testcases/nft-f/0003rollback_jump_0 
@@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0004rollback_set_0 b/tests/shell/testcases/nft-f/0004rollback_set_0 index 1dea85e..7674106 100755 --- a/tests/shell/testcases/nft-f/0004rollback_set_0 +++ b/tests/shell/testcases/nft-f/0004rollback_set_0 @@ -48,13 +48,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0005rollback_map_0 b/tests/shell/testcases/nft-f/0005rollback_map_0 index 777cc71..ba1fcc5 100755 --- a/tests/shell/testcases/nft-f/0005rollback_map_0 +++ b/tests/shell/testcases/nft-f/0005rollback_map_0 @@ -51,13 +51,3 @@ if [ $? -eq 0 ] ; then echo "E: bogus ruleset loaded?" >&2 exit 1 fi - -KERNEL_RULESET="$($NFT list ruleset -nn)" - -if [ "$GOOD_RULESET" != "$KERNEL_RULESET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$GOOD_RULESET") <(echo "$KERNEL_RULESET") - exit 1 -fi - -exit 0 diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0 index dd03545..b244d14 100755 --- a/tests/shell/testcases/nft-f/0008split_tables_0 +++ b/tests/shell/testcases/nft-f/0008split_tables_0 
@@ -29,22 +29,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table inet filter { - chain ssh { - type filter hook input priority 0; policy accept; - tcp dport ssh accept - } - - chain input { - type filter hook input priority 1; policy accept; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft new file mode 100644 index 0000000..f6f2615 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft new file mode 100644 index 0000000..f6f2615 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft new file mode 100644 index 0000000..f6f2615 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft new file mode 100644 index 0000000..f6f2615 
--- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft @@ -0,0 +1,16 @@ +table ip t { + set t { + type ipv4_addr + elements = { 1.1.1.1 } + } + + chain c { + ct state new + tcp dport { 22222 } + ip saddr @t drop + jump other + } + + chain other { + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft new file mode 100644 index 0000000..1211411 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft @@ -0,0 +1,10 @@ +table inet filter { + chain ssh { + type filter hook input priority 0; policy accept; + tcp dport ssh accept + } + + chain input { + type filter hook input priority 1; policy accept; + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft new file mode 100644 index 0000000..a793751 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft @@ -0,0 +1,7 @@ +table inet forward { + set concat-set-variable { + type ipv4_addr . inet_service + elements = { 10.10.10.10 . smtp, + 10.10.10.10 . imap2 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0010variable_0.nft b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft new file mode 100644 index 0000000..1f3d05e --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft @@ -0,0 +1,6 @@ +table inet filter { + set whitelist_v4 { + type ipv4_addr + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft new file mode 100644 index 0000000..e9eef4b --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft 
@@ -0,0 +1,16 @@ +table inet t { + chain c { + iifname "whatever" oifname "whatever" iif "lo" oif "lo" + iifname { "whatever" } iif { "lo" } mark 0x0000007b + ct state established,related,new + ct state != established | related | new + ip saddr 10.0.0.0 ip saddr 10.0.0.0 ip daddr 10.0.0.2 + ip6 daddr fe0::1 ip6 saddr fe0::2 + ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept } + ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept } + ip6 saddr . ip6 nexthdr { fe0::1 . udp, fe0::2 . tcp } + ip daddr . iif vmap { 10.0.0.0 . "lo" : accept } + tcp dport 100-222 + udp dport vmap { 100-222 : accept } + } +} diff --git a/tests/shell/testcases/optionals/dumps/comments_0.nft b/tests/shell/testcases/optionals/dumps/comments_0.nft new file mode 100644 index 0000000..416a07e --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_0.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment" + } +} diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft new file mode 100644 index 0000000..416a07e --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment" + } +} diff --git a/tests/shell/testcases/optionals/dumps/handles_0.nft b/tests/shell/testcases/optionals/dumps/handles_0.nft new file mode 100644 index 0000000..eb0af81 --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/handles_0.nft @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport ssh counter packets 0 bytes 0 accept + } +} diff --git a/tests/shell/testcases/rule_management/0001addposition_0 b/tests/shell/testcases/rule_management/0001addposition_0 index e66bfff..ee90d92 100755 --- a/tests/shell/testcases/rule_management/0001addposition_0 +++ b/tests/shell/testcases/rule_management/0001addposition_0 
@@ -9,19 +9,3 @@ $NFT add chain t c $NFT add rule t c accept # should have handle 2 $NFT add rule t c accept # should have handle 3 $NFT add rule t c position 2 drop - -EXPECTED="table ip t { - chain c { - accept - drop - accept - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/0002insertposition_0 b/tests/shell/testcases/rule_management/0002insertposition_0 index cf8a568..e9f886f 100755 --- a/tests/shell/testcases/rule_management/0002insertposition_0 +++ b/tests/shell/testcases/rule_management/0002insertposition_0 @@ -9,19 +9,3 @@ $NFT add chain t c $NFT add rule t c accept # should have handle 2 $NFT add rule t c accept # should have handle 3 $NFT insert rule t c position 2 drop - -EXPECTED="table ip t { - chain c { - drop - accept - accept - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0 index 6691c16..329ccc2 100755 --- a/tests/shell/testcases/rule_management/0003insert_0 +++ b/tests/shell/testcases/rule_management/0003insert_0 @@ -9,19 +9,3 @@ $NFT add chain t c $NFT insert rule t c accept $NFT insert rule t c drop $NFT insert rule t c masquerade - -EXPECTED="table ip t { - chain c { - masquerade - drop - accept - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0 index 6a4b949..c3329af 100755 --- a/tests/shell/testcases/rule_management/0004replace_0 +++ b/tests/shell/testcases/rule_management/0004replace_0 
@@ -8,17 +8,3 @@ $NFT add table t $NFT add chain t c $NFT add rule t c accept # should have handle 2 $NFT replace rule t c handle 2 drop - -EXPECTED="table ip t { - chain c { - drop - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/0007delete_0 b/tests/shell/testcases/rule_management/0007delete_0 index 126fe5d..11376cc 100755 --- a/tests/shell/testcases/rule_management/0007delete_0 +++ b/tests/shell/testcases/rule_management/0007delete_0 @@ -9,17 +9,3 @@ $NFT add chain t c $NFT add rule t c accept # should have handle 2 $NFT add rule t c drop # should have handle 3 $NFT delete rule t c handle 2 - -EXPECTED="table ip t { - chain c { - drop - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/rule_management/dumps/0001addposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addposition_0.nft new file mode 100644 index 0000000..e282e13 --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0001addposition_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + accept + drop + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0002insertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0002insertposition_0.nft new file mode 100644 index 0000000..527d79d --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0002insertposition_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + drop + accept + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft new file mode 100644 index 0000000..9421f4a --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft 
@@ -0,0 +1,7 @@ +table ip t { + chain c { + masquerade + drop + accept + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft new file mode 100644 index 0000000..e20952e --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + drop + } +} diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft new file mode 100644 index 0000000..e20952e --- /dev/null +++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft @@ -0,0 +1,5 @@ +table ip t { + chain c { + drop + } +} diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0 index 7a5f8c6..7e7beeb 100755 --- a/tests/shell/testcases/sets/0012add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0 @@ -31,16 +31,3 @@ delete element x y $(generate)" > $tmpfile set -e $NFT -f $tmpfile - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0 index 265a554..5774317 100755 --- a/tests/shell/testcases/sets/0013add_delete_many_elements_0 +++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0 @@ -32,17 +32,3 @@ add element x y $(generate)" > $tmpfile $NFT -f $tmpfile echo "delete element x y $(generate)" > $tmpfile $NFT -f $tmpfile - - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" -GET=$($NFT list ruleset) -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - 
diff --git a/tests/shell/testcases/sets/0021nesting_0 b/tests/shell/testcases/sets/0021nesting_0 index 763d9ae..4779f26 100755 --- a/tests/shell/testcases/sets/0021nesting_0 +++ b/tests/shell/testcases/sets/0021nesting_0 @@ -30,17 +30,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - chain y { - ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/sets/0029named_ifname_dtype_0 b/tests/shell/testcases/sets/0029named_ifname_dtype_0 index 8b7ab98..92f4a4a 100755 --- a/tests/shell/testcases/sets/0029named_ifname_dtype_0 +++ b/tests/shell/testcases/sets/0029named_ifname_dtype_0 @@ -25,11 +25,3 @@ EXPECTED="table inet t { set -e echo "$EXPECTED" > $tmpfile $NFT -f $tmpfile - -GET="$($NFT list ruleset)" -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi - diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft new file mode 100644 index 0000000..3049aa8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft @@ -0,0 +1,34 @@ +table inet t { + set s1 { + type ipv4_addr + flags interval + elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 } + } + + set s2 { + type ipv6_addr + flags interval + elements = { fe00::/64, + fe11::-fe22:: } + } + + set s3 { + type inet_proto + flags interval + elements = { 10-20, 50-60 } + } + + set s4 { + type inet_service + flags interval + elements = { 0-1024, 8080-8082, 10000-40000 } + } + + chain c { + ip saddr @s1 accept + ip6 daddr @s2 accept + ip protocol @s3 accept + ip6 nexthdr @s3 accept + tcp dport @s4 accept + } +} 
diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft new file mode 100644 index 0000000..452ee23 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 192.168.0.0/24, 192.168.1.0/24 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft new file mode 100644 index 0000000..70c32a8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft @@ -0,0 +1,5 @@ +table ip t { + set s { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft new file mode 100644 index 0000000..940030a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft @@ -0,0 +1,7 @@ +table inet t { + set s { + type ipv6_addr + flags interval + elements = { fe00::/64 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft new file mode 100644 index 0000000..4224d9d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft @@ -0,0 +1,7 @@ +table inet t { + set s { + type ipv6_addr + flags interval + elements = { fe00::/48 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.nft b/tests/shell/testcases/sets/dumps/0006create_set_0.nft new file mode 100644 index 0000000..70c32a8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0006create_set_0.nft @@ -0,0 +1,5 @@ +table ip t { + set s { + type ipv4_addr + } +} 
diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.nft b/tests/shell/testcases/sets/dumps/0007create_element_0.nft new file mode 100644 index 0000000..169be11 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0007create_element_0.nft @@ -0,0 +1,6 @@ +table ip t { + set s { + type ipv4_addr + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft new file mode 100644 index 0000000..5e7a768 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags interval + elements = { 1.1.1.1 comment "test" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft new file mode 100644 index 0000000..ab0fe80 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft @@ -0,0 +1,13 @@ +table ip t { + map sourcemap { + type ipv4_addr : verdict + elements = { 100.123.10.2 : jump c } + } + + chain postrouting { + ip saddr vmap @sourcemap accept + } + + chain c { + } +} diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft new file mode 100644 index 0000000..455ebe3 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft @@ -0,0 +1,7 @@ +table ip t { + set s { + type ipv4_addr + flags timeout + elements = { 1.1.1.1 comment "test" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.nft b/tests/shell/testcases/sets/dumps/0010comments_0.nft new file mode 100644 index 0000000..6e42ec4 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0010comments_0.nft @@ -0,0 +1,6 @@ +table inet t { + set s { + type ipv6_addr + elements = { ::1 comment "test" } + } +} 
diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft new file mode 100644 index 0000000..e3d4aee --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft @@ -0,0 +1,5 @@ +table ip x { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft new file mode 100644 index 0000000..e3d4aee --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft @@ -0,0 +1,5 @@ +table ip x { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft new file mode 100644 index 0000000..f6eddbf --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft @@ -0,0 +1,11 @@ +table ip t { + chain c { + } +} +table inet filter { + set blacklist_v4 { + type ipv4_addr + flags interval + elements = { 192.168.0.0/24 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft new file mode 100644 index 0000000..9d2b0af --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft new file mode 100644 index 0000000..9d2b0af --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft new file mode 100644 index 0000000..8cd3707 --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft @@ -0,0 +1,7 @@ +table ip x { + set s { + type ipv4_addr + size 2 + elements = { 1.1.1.1, 1.1.1.2 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.nft b/tests/shell/testcases/sets/dumps/0020comments_0.nft new file mode 100644 index 0000000..d533084 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0020comments_0.nft @@ -0,0 +1,6 @@ +table inet t { + set s { + type inet_service + elements = { ssh comment "test" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.nft b/tests/shell/testcases/sets/dumps/0021nesting_0.nft new file mode 100644 index 0000000..6fd2a44 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0021nesting_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } + } +} diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft new file mode 100644 index 0000000..3dd9760 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft @@ -0,0 +1,13 @@ +table ip t { + set s { + type ipv4_addr + } + + map m { + type ipv4_addr : inet_service + } + + chain c { + tcp dport http meter f { ip saddr limit rate 10/second} + } +} diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft new file mode 100644 index 0000000..985768b --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft @@ -0,0 +1,2 @@ +table ip t { +} diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft new file mode 100644 index 0000000..929c5d9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft 
@@ -0,0 +1,28 @@ +table inet x { + counter user123 { + packets 12 bytes 1433 + } + + quota user123 { + over 2000 bytes + } + + quota user124 { + over 2000 bytes + } + + set y { + type ipv4_addr + } + + map test { + type ipv4_addr : quota + elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } + } + + chain y { + type filter hook input priority 0; policy accept; + counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" } + quota name ip saddr map @test drop + } +} diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft new file mode 100644 index 0000000..c823ae9 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft @@ -0,0 +1,7 @@ +table ip t { + chain c { + type filter hook output priority 0; policy accept; + ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } + tcp dport { ssh, telnet } counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft new file mode 100644 index 0000000..0d1f125 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft @@ -0,0 +1,10 @@ +table ip filter { + limit http-traffic { + rate 1/second + } + + chain input { + type filter hook input priority 0; policy accept; + limit name tcp dport map { http : "http-traffic", https : "http-traffic" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft new file mode 100644 index 0000000..c49eefa --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft @@ -0,0 +1,7 @@ +table inet t { + set s { + type ipv6_addr + flags interval + elements = { ::ffff:0.0.0.0/96 } + } +} 
diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft new file mode 100644 index 0000000..2c82e57 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft @@ -0,0 +1,11 @@ +table inet t { + set s { + type ifname + elements = { "eth0" } + } + + chain c { + iifname @s accept + oifname @s accept + } +} diff --git a/tests/shell/testcases/transactions/0001table_0 b/tests/shell/testcases/transactions/0001table_0 index 0bde101..83f9fd0 100755 --- a/tests/shell/testcases/transactions/0001table_0 +++ b/tests/shell/testcases/transactions/0001table_0 @@ -21,16 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { -} -table ip y { -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0002table_0 b/tests/shell/testcases/transactions/0002table_0 index c5f319e..dbd2f4a 100755 --- a/tests/shell/testcases/transactions/0002table_0 +++ b/tests/shell/testcases/transactions/0002table_0 @@ -21,15 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - flags dormant -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0003table_0 b/tests/shell/testcases/transactions/0003table_0 index f17285e..004ce51 100755 --- a/tests/shell/testcases/transactions/0003table_0 +++ b/tests/shell/testcases/transactions/0003table_0 
@@ -20,13 +20,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0010chain_0 b/tests/shell/testcases/transactions/0010chain_0 index f4c1fbd..d191868 100755 --- a/tests/shell/testcases/transactions/0010chain_0 +++ b/tests/shell/testcases/transactions/0010chain_0 @@ -22,16 +22,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip w { - chain y { - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0011chain_0 b/tests/shell/testcases/transactions/0011chain_0 index 71afa6e..aac33d5 100755 --- a/tests/shell/testcases/transactions/0011chain_0 +++ b/tests/shell/testcases/transactions/0011chain_0 @@ -22,17 +22,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - chain y { - type filter hook input priority 0; policy drop; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0012chain_0 b/tests/shell/testcases/transactions/0012chain_0 index 757bc75..c3bfe13 100755 --- a/tests/shell/testcases/transactions/0012chain_0 +++ b/tests/shell/testcases/transactions/0012chain_0 
@@ -26,17 +26,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip w { - chain y { - type filter hook output priority 0; policy accept; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0013chain_0 b/tests/shell/testcases/transactions/0013chain_0 index 2c75bd4..67c31c8 100755 --- a/tests/shell/testcases/transactions/0013chain_0 +++ b/tests/shell/testcases/transactions/0013chain_0 @@ -27,17 +27,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip w { - chain y { - type filter hook output priority 0; policy accept; - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0020rule_0 b/tests/shell/testcases/transactions/0020rule_0 index 1ad4362..e38634d 100755 --- a/tests/shell/testcases/transactions/0020rule_0 +++ b/tests/shell/testcases/transactions/0020rule_0 @@ -21,13 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0021rule_0 b/tests/shell/testcases/transactions/0021rule_0 index 2467124..284a9e7 100755 --- a/tests/shell/testcases/transactions/0021rule_0 +++ b/tests/shell/testcases/transactions/0021rule_0 
@@ -24,17 +24,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - chain y { - ip saddr 2.2.2.2 counter packets 0 bytes 0 - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0030set_0 b/tests/shell/testcases/transactions/0030set_0 index 1fefb94..ad08b7e 100755 --- a/tests/shell/testcases/transactions/0030set_0 +++ b/tests/shell/testcases/transactions/0030set_0 @@ -21,14 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0031set_0 b/tests/shell/testcases/transactions/0031set_0 index 87848b4..6c5757c 100755 --- a/tests/shell/testcases/transactions/0031set_0 +++ b/tests/shell/testcases/transactions/0031set_0 @@ -21,17 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0032set_0 b/tests/shell/testcases/transactions/0032set_0 index d4d7e7e..1b41cf0 100755 --- a/tests/shell/testcases/transactions/0032set_0 +++ b/tests/shell/testcases/transactions/0032set_0 @@ -22,17 +22,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip w { - set y { - type ipv4_addr - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi 
diff --git a/tests/shell/testcases/transactions/0033set_0 b/tests/shell/testcases/transactions/0033set_0 index b73b6fc..19543b3 100755 --- a/tests/shell/testcases/transactions/0033set_0 +++ b/tests/shell/testcases/transactions/0033set_0 @@ -20,14 +20,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0034set_0 b/tests/shell/testcases/transactions/0034set_0 index 25e6500..4cddb94 100755 --- a/tests/shell/testcases/transactions/0034set_0 +++ b/tests/shell/testcases/transactions/0034set_0 @@ -21,17 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0035set_0 b/tests/shell/testcases/transactions/0035set_0 index 0788e2f..9b20746 100755 --- a/tests/shell/testcases/transactions/0035set_0 +++ b/tests/shell/testcases/transactions/0035set_0 @@ -23,18 +23,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - elements = { 3.3.3.3 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0037set_0 b/tests/shell/testcases/transactions/0037set_0 index 3e48c80..75b1d45 100755 --- a/tests/shell/testcases/transactions/0037set_0 +++ b/tests/shell/testcases/transactions/0037set_0 
@@ -21,18 +21,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - flags interval - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0038set_0 b/tests/shell/testcases/transactions/0038set_0 index 7655075..3120e91 100755 --- a/tests/shell/testcases/transactions/0038set_0 +++ b/tests/shell/testcases/transactions/0038set_0 @@ -23,19 +23,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - flags interval - elements = { 192.168.4.0/24 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0039set_0 b/tests/shell/testcases/transactions/0039set_0 index 7655075..3120e91 100755 --- a/tests/shell/testcases/transactions/0039set_0 +++ b/tests/shell/testcases/transactions/0039set_0 @@ -23,19 +23,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -EXPECTED="table ip x { - set y { - type ipv4_addr - flags interval - elements = { 192.168.4.0/24 } - } -}" - -GET="$($NFT list ruleset)" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/0040set_0 b/tests/shell/testcases/transactions/0040set_0 index 241703d..0ffc441 100755 --- a/tests/shell/testcases/transactions/0040set_0 +++ b/tests/shell/testcases/transactions/0040set_0 
@@ -51,26 +51,3 @@ if [ $? -ne 0 ] ; then echo "E: unable to load good ruleset" >&2 exit 1 fi - -GET="$($NFT list ruleset)" - -EXPECTED="table ip filter { - map client_to_any { - type ipv4_addr : verdict - } - - chain FORWARD { - type filter hook forward priority 0; policy accept; - goto client_to_any - } - - chain client_to_any { - ip saddr vmap @client_to_any - } -}" - -if [ "$EXPECTED" != "$GET" ] ; then - DIFF="$(which diff)" - [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET") - exit 1 -fi diff --git a/tests/shell/testcases/transactions/dumps/0001table_0.nft b/tests/shell/testcases/transactions/dumps/0001table_0.nft new file mode 100644 index 0000000..e4e5f9b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0001table_0.nft @@ -0,0 +1,4 @@ +table ip x { +} +table ip y { +} diff --git a/tests/shell/testcases/transactions/dumps/0002table_0.nft b/tests/shell/testcases/transactions/dumps/0002table_0.nft new file mode 100644 index 0000000..6eb7072 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0002table_0.nft @@ -0,0 +1,3 @@ +table ip x { + flags dormant +} diff --git a/tests/shell/testcases/transactions/dumps/0010chain_0.nft b/tests/shell/testcases/transactions/dumps/0010chain_0.nft new file mode 100644 index 0000000..aa4a521 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0010chain_0.nft @@ -0,0 +1,4 @@ +table ip w { + chain y { + } +} diff --git a/tests/shell/testcases/transactions/dumps/0011chain_0.nft b/tests/shell/testcases/transactions/dumps/0011chain_0.nft new file mode 100644 index 0000000..02cdb23 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0011chain_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + type filter hook input priority 0; policy drop; + } +} diff --git a/tests/shell/testcases/transactions/dumps/0012chain_0.nft b/tests/shell/testcases/transactions/dumps/0012chain_0.nft new file mode 100644 index 0000000..1fddecb --- /dev/null 
+++ b/tests/shell/testcases/transactions/dumps/0012chain_0.nft @@ -0,0 +1,5 @@ +table ip w { + chain y { + type filter hook output priority 0; policy accept; + } +} diff --git a/tests/shell/testcases/transactions/dumps/0013chain_0.nft b/tests/shell/testcases/transactions/dumps/0013chain_0.nft new file mode 100644 index 0000000..1fddecb --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0013chain_0.nft @@ -0,0 +1,5 @@ +table ip w { + chain y { + type filter hook output priority 0; policy accept; + } +} diff --git a/tests/shell/testcases/transactions/dumps/0021rule_0.nft b/tests/shell/testcases/transactions/dumps/0021rule_0.nft new file mode 100644 index 0000000..a6c4130 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0021rule_0.nft @@ -0,0 +1,5 @@ +table ip x { + chain y { + ip saddr 2.2.2.2 counter packets 0 bytes 0 + } +} diff --git a/tests/shell/testcases/transactions/dumps/0030set_0.nft b/tests/shell/testcases/transactions/dumps/0030set_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0030set_0.nft @@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/transactions/dumps/0031set_0.nft b/tests/shell/testcases/transactions/dumps/0031set_0.nft new file mode 100644 index 0000000..e3d4aee --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0031set_0.nft @@ -0,0 +1,5 @@ +table ip x { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/transactions/dumps/0032set_0.nft b/tests/shell/testcases/transactions/dumps/0032set_0.nft new file mode 100644 index 0000000..7d11892 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0032set_0.nft @@ -0,0 +1,5 @@ +table ip w { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/transactions/dumps/0033set_0.nft b/tests/shell/testcases/transactions/dumps/0033set_0.nft new file mode 100644 index 0000000..5d4d2ca --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0033set_0.nft 
@@ -0,0 +1,2 @@ +table ip x { +} diff --git a/tests/shell/testcases/transactions/dumps/0034set_0.nft b/tests/shell/testcases/transactions/dumps/0034set_0.nft new file mode 100644 index 0000000..e3d4aee --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0034set_0.nft @@ -0,0 +1,5 @@ +table ip x { + set y { + type ipv4_addr + } +} diff --git a/tests/shell/testcases/transactions/dumps/0035set_0.nft b/tests/shell/testcases/transactions/dumps/0035set_0.nft new file mode 100644 index 0000000..e111494 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0035set_0.nft @@ -0,0 +1,6 @@ +table ip x { + set y { + type ipv4_addr + elements = { 3.3.3.3 } + } +} diff --git a/tests/shell/testcases/transactions/dumps/0037set_0.nft b/tests/shell/testcases/transactions/dumps/0037set_0.nft new file mode 100644 index 0000000..ca69cee --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0037set_0.nft @@ -0,0 +1,6 @@ +table ip x { + set y { + type ipv4_addr + flags interval + } +} diff --git a/tests/shell/testcases/transactions/dumps/0038set_0.nft b/tests/shell/testcases/transactions/dumps/0038set_0.nft new file mode 100644 index 0000000..651a11b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0038set_0.nft @@ -0,0 +1,7 @@ +table ip x { + set y { + type ipv4_addr + flags interval + elements = { 192.168.4.0/24 } + } +} diff --git a/tests/shell/testcases/transactions/dumps/0039set_0.nft b/tests/shell/testcases/transactions/dumps/0039set_0.nft new file mode 100644 index 0000000..651a11b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0039set_0.nft @@ -0,0 +1,7 @@ +table ip x { + set y { + type ipv4_addr + flags interval + elements = { 192.168.4.0/24 } + } +} diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.nft b/tests/shell/testcases/transactions/dumps/0040set_0.nft new file mode 100644 index 0000000..fe86405 --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/0040set_0.nft 
@@ -0,0 +1,14 @@ +table ip filter { + map client_to_any { + type ipv4_addr : verdict + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + goto client_to_any + } + + chain client_to_any { + ip saddr vmap @client_to_any + } +}
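Review bot: the 0020rule_0 hunk drops the only assertion that the ruleset is empty after the transaction (`EXPECTED=""`), and no dumps/0020rule_0.nft appears among the new dump files listed here (they go from 0013chain_0.nft straight to 0021rule_0.nft). If the runner skips verification when a dump file is missing, this test now passes with any leftover ruleset. Either add an empty dump for it and make sure the runner compares against empty files, or keep the emptiness check inline in this one test.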
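Review bot: the 0038set_0 and 0039set_0 hunks carry the same index line (7655075..3120e91), and their new dumps share blob 651a11b, so the two test scripts are byte-identical both before and after this change. Since the generated dumps cannot tell the two cases apart, it is worth checking whether 0039set_0 was meant to exercise something different, and dropping or fixing it in a follow-up rather than adding a second copy of the same dump.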
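Review bot: in the 0040set_0 hunk, as in the other testcase hunks, the script now ends right after the "E: unable to load good ruleset" check, so running the test file on its own reports success without ever looking at the resulting ruleset. That is the intent of moving verification into the runner, but it should be documented: a short comment at the end of each test, or a line in the test suite's documentation, saying that the result is compared against dumps/<testname>.nft only when the test is started through run-tests.sh.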