From patchwork Sat Mar 9 11:35:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1909955 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=Y24wGmqB; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-1255-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TsLZX48QBz1yX8 for ; Sat, 9 Mar 2024 22:35:48 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id AC66F1C20B43 for ; Sat, 9 Mar 2024 11:35:46 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BD4F738DF2; Sat, 9 Mar 2024 11:35:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="Y24wGmqB" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5DF84364A8 for ; Sat, 9 Mar 2024 11:35:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984137; cv=none; b=bJUcUAh5BLtR3AJDcz7ButQTQ3QN5iHrZ9SXtr9pG4AUacpUUHOg7IqS0w1+IuRtnDsIHqzIffFDqUzFtDIDF25dAg4u5dqnAK26H+1IAnV08H09IvUVsbv8hhWTzRtyepftxgv0rVRUxnGnPZOTWShobTk8x+O6cnhEc7k7OH0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984137; c=relaxed/simple; bh=QZaCRS9bVnWk/smub4KfW7SxoSeoMf5BXT4BVCP3Zgk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NCpIhKudCzSnS2yQb4UPqYgikJ+0zYJFMzDBIZAKHa9Mmv2z0bnDe4+HALncjAl5Edou3we+n2j/2gGHjYHnfPYXtEG/NOZnKcpo4oDafnefUssJ8tc8V5Gv6U4bGJog7brlc+89md1imvfbZ6gOG7b+spxL05GDWEs/OFYbfNY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=Y24wGmqB; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fFcoqbUv2nOCsDixgeUFozx43v71PoUyHfayCgXuh6g=; b=Y24wGmqBIYPZWjvziG7By+4mqd gbm1qRsZajd596OaR1re0PsHK0vk9bWtmmt+VWSNK+2z6PyfnQ38S49JWTruqYNVzMy6Uf6WiXXLN EiG4QOFqhbf9SzPN3CpsAVlstV14VHSnv1b2HyydULp5NW1KRw94/UrGEZP1BlX7EJ18hGLDsB/cR bEVUa+weEbQhXeJf7EZiDN9m4uVjMECmsQNdUWVwPloCGRWnrF/aG++byukYEKpkyJp+hUueNKQlW POe3A+daxsGgdzCz+17x+0nnls34m+CwpjhHcjfK/4Z45vbE9Bm+W55BtO6ePKzrh9DOwhcMtRmqv RppcTUIQ==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1riuzF-000000003hJ-10bw; Sat, 09 Mar 2024 12:35:33 +0100 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal Subject: [nft PATCH 1/7] tests: shell: maps/named_ct_objects: Fix for recent kernel Date: Sat, 9 Mar 2024 12:35:21 +0100 Message-ID: <20240309113527.8723-2-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240309113527.8723-1-phil@nwl.cc> References: <20240309113527.8723-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Since kernel commit 8059918a1377 ("netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations"), ct expectations specifying an l3proto which does not match the table family are rejected. Signed-off-by: Phil Sutter --- tests/shell/testcases/maps/dumps/named_ct_objects.nft | 4 ++-- tests/shell/testcases/maps/named_ct_objects | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/shell/testcases/maps/dumps/named_ct_objects.nft b/tests/shell/testcases/maps/dumps/named_ct_objects.nft index 59f18932b28ad..457a08ebc32ca 100644 --- a/tests/shell/testcases/maps/dumps/named_ct_objects.nft +++ b/tests/shell/testcases/maps/dumps/named_ct_objects.nft @@ -4,7 +4,7 @@ table inet t { dport 9876 timeout 1m size 12 - l3proto ip + l3proto inet } ct expectation exp2 { @@ -12,7 +12,7 @@ table inet t { dport 9876 timeout 3s size 13 - l3proto ip6 + l3proto inet } ct helper myftp { diff --git a/tests/shell/testcases/maps/named_ct_objects b/tests/shell/testcases/maps/named_ct_objects index 61b87c1ab14a9..d0bf95012491c 100755 --- a/tests/shell/testcases/maps/named_ct_objects +++ b/tests/shell/testcases/maps/named_ct_objects @@ -9,7 +9,6 @@ table inet t { dport 9876 timeout 1m size 12 - l3proto ip } ct expectation exp2 { @@ -17,7 +16,6 @@ table inet t { dport 9876 timeout 3s size 13 - l3proto ip6 } ct helper myftp { From patchwork Sat Mar 9 11:35:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1909957 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=TpJdA4uF; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:4601:e00::3; helo=am.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-1256-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [IPv6:2604:1380:4601:e00::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TsLZb6Q5Fz1yXB for ; Sat, 9 Mar 2024 22:35:51 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 9C9001F216D9 for ; Sat, 9 Mar 2024 11:35:48 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 1CC24364A8; Sat, 9 Mar 2024 11:35:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="TpJdA4uF" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 31F2E364DC for ; Sat, 9 Mar 2024 11:35:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984137; cv=none; b=elabU0FqXDRkN/F0VdusESBMNxG2nKBGDXhL0B1HxzIN3MsXrhqln1SGQZXUq5SIgCsDaTyY+fyeSJmq7SgJSaXuBqQZ5F0dLF8+4628b0HpofJyg823GaQOt4x5G+7xdRVOoVugbgJy8QHjnUiupwz2C0ArAXLuUHi5k54LGrU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984137; c=relaxed/simple; bh=rn//vveocJAFIVYfpU9Y/cxLN3dhEQtWUrVrsygR/Aw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=vCb2ndlMccc8Jx/lDnmTUvQjpuveuNmECNCklHxrN3xFRMXUhuQ/RxmOYzC1lm7CCWQyFacIPa08daOk8P5A96oSbJwpopXKt2NL0EUQXn7X2orgBTH3oHOACuyfBUUjwSXpt75e9VXDz7DjAIf1khGRDcSTloH53yt07D2GSQI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=TpJdA4uF; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=V1jxi2tAQqoTxrscT8asWGGdemBElOP9/imKrm5y60Y=; b=TpJdA4uFbpDnxF1tuEQgFqEdui 1gGUXR+7HVT5AJD+cFEwJ01GkrBxby8PLPsLIh8jCp8o8/MUHuToBsKbLObUHnVkohq+7EaZd2FXQ otPqRpMJcjJrDSBVfdWNiQXI+INokuW9Yk6YZBRoYb7PPkAgD/99PegTf4LIT2JaC8U15tkApobD/ 3ITpEJJeu1ibG2WuirEURQ5rz5s8tYfB48tCCLHGYkfSQIPmSs4nWoq1//rCwQKFM3Kca8pinakaz hEIPirejzAS/zD+9UxwjQ/nBbc41iumdGlY1d+wBjNzRWn6xO/e6s6NDbGcQX+dEMQSWkIBrAObc7 yoDadHug==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1riuzG-000000003hV-1fsw; Sat, 09 Mar 2024 12:35:34 +0100 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal Subject: [nft PATCH 2/7] tests: shell: packetpath/flowtables: Avoid spurious EPERM Date: Sat, 9 Mar 2024 12:35:22 +0100 Message-ID: <20240309113527.8723-3-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240309113527.8723-1-phil@nwl.cc> References: <20240309113527.8723-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 On my system for testing, called socat is not allowed to create the pipe file in local directory (probably due to sshfs). Specify a likely unique path in /tmp to avoid such problems. Fixes: 419c0199774c6 ("tests: shell: add test to cover ct offload by using nft flowtables") Signed-off-by: Phil Sutter --- tests/shell/testcases/packetpath/flowtables | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables index 852a05c6d0ab1..18a57a9b2b726 100755 --- a/tests/shell/testcases/packetpath/flowtables +++ b/tests/shell/testcases/packetpath/flowtables @@ -79,17 +79,17 @@ ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86 # A trick to control the timing to send a packet ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof & sleep 1 -ip netns exec $C socat -b 2048 PIPE:pipefile TCP:[2001:db8:ffff:22::1]:10001 & +ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' & sleep 1 ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; } ip netns exec $R cat /proc/net/nf_conntrack sleep 6 ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; } ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; } -ip netns exec $C echo "send sth" >> pipefile +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; } ip netns exec $C sleep 3 -ip netns exec $C echo "send sth" >> pipefile +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ip netns exec $C sleep 3 ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; } From patchwork Sat Mar 9 11:35:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1909952 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=Pp+72H8d; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-1252-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TsLZQ575lz1yX8 for ; Sat, 9 Mar 2024 22:35:42 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id E4E84B21062 for ; Sat, 9 Mar 2024 11:35:41 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 30BB3381AF; Sat, 9 Mar 2024 11:35:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="Pp+72H8d" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75A2C2E3F2 for ; Sat, 9 Mar 2024 11:35:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984136; cv=none; b=uqU+vXqg08eoOX6gjxVkJx/hW8OlOY9slTlXnmNVmldahmj2g4wmclIwYzL9hxNv7SzK8QnIlhyFShYdeh0YcnRBxsM9CjpnrjWCvcUOBbWOnG/KivxUY86+ppnf4ldMrulhE7nRkqfVKBrdamfQS1KPfX/iUw9lHjpKjE3zQJA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984136; c=relaxed/simple; bh=5cD9fON8ZM2XksZ2DtF2ERaRqjz+2uF7xsDjCcuEJg0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=CPord1a37t7Pjc5IGA+56yTE/4cajDvxc/lxwns3T2f0RzHtS0QEAQTp5dW7wocNEJpjdGDlgZ5fhOJPmL/53E0gKjgS95YCC+Up9xuY2/wbGiRuF56tGJpxjUYF5CE/lrmo7ixPKzTMn1cGz9Udn9bJ0mTARbeEB4wQZFCmYIQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=Pp+72H8d; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=hCh+gjVz77p7Ah9VCxqiS5Isu5WslhOiaQp+AA35phc=; b=Pp+72H8dbZ1BIJJ+vjPhJWJL0R mHP0peKHJNDvC1P2Aiw/qOytV231QuZ7PnDAXT6zQ6S6NZqcrtuTM5I+oXDsa80xRoqkoIsyfkTtp ebkM+Ns4LnY0QB2oI0DpmtkJgOpTmvXSnwOk3vUwCc/spL+Lkzy875yN9LEcemUvOnmYHrfEpXrNt TgnSmtsCKjvf/qdBHx7iHVh28E7XoqTnOfG2VdoiaY2wPxtmv+h4LYo/TQxqI1LY9/bv2fvslPaHx +bQ84gMhnI3R1+/jylnssIihkq6wHGuZgX+7u2l2WOu0smE9TbGUTw773Ofsl+YTYUvb1pUxEiP1B ityl97ZA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1riuzE-000000003hD-2wOj; Sat, 09 Mar 2024 12:35:32 +0100 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal Subject: [nft PATCH 3/7] json: Order output like nft_cmd_expand() Date: Sat, 9 Mar 2024 12:35:23 +0100 Message-ID: <20240309113527.8723-4-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240309113527.8723-1-phil@nwl.cc> References: <20240309113527.8723-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Print empty chain add commands early in list so following verdict maps and rules referring to them won't cause spurious errors when loading the resulting ruleset dump. Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support") Signed-off-by: Phil Sutter --- src/json.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/json.c b/src/json.c index b3e1e4e14a5f9..bb515164d2587 100644 --- a/src/json.c +++ b/src/json.c @@ -1704,6 +1704,11 @@ static json_t *table_print_json_full(struct netlink_ctx *ctx, tmp = table_print_json(table); json_array_append_new(root, tmp); + /* both maps and rules may refer to chains, list them first */ + list_for_each_entry(chain, &table->chain_cache.list, cache.list) { + tmp = chain_print_json(chain); + json_array_append_new(root, tmp); + } list_for_each_entry(obj, &table->obj_cache.list, cache.list) { tmp = obj_print_json(obj); json_array_append_new(root, tmp); @@ -1719,9 +1724,6 @@ static json_t *table_print_json_full(struct netlink_ctx *ctx, json_array_append_new(root, tmp); } list_for_each_entry(chain, &table->chain_cache.list, cache.list) { - tmp = chain_print_json(chain); - json_array_append_new(root, tmp); - list_for_each_entry(rule, &chain->rules, list) { tmp = rule_print_json(&ctx->nft->output, rule); json_array_append_new(rules, tmp); From patchwork Sat Mar 9 11:35:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1909959 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=puVS7ruW; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-1259-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TsLZf5cTZz1yX8 for ; Sat, 9 Mar 2024 22:35:54 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id CB7C61C20B11 for ; Sat, 9 Mar 2024 11:35:52 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 1B34639855; Sat, 9 Mar 2024 11:35:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="puVS7ruW" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 24CA1381A4 for ; Sat, 9 Mar 2024 11:35:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984140; cv=none; b=aRMa6C512rdHBjPm6zYYJtcA6WoxSnP/pJ02xLbZ8muXgUZY5M4ZAEMxOoS5d7Zp4RFobVjKFmRfbc2YlDsVcfoyX0tYHhrZn+Qgfflykywn/UMHDckLNatU8J+7wBfmBg9sC3+3WrtmBqgHYfurxBwnkUBk2DljHi9LZCJLPlE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984140; c=relaxed/simple; bh=A6Rr4mlgKu9vr/eMWIv4YanJYJMF3GNC1P8Vx4ajt/w=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=vDQ+XduSGea6JoLEi9C9SAQZFkOHTlnaBAoCNG4T9AAWin3Ae1md7IZia8cWWuICDZPuQMO6WMj6BQRAWXFAAV6dpnWWS5gLXJ+IjHtvV62KWCl+L5yEbHqbXjkBPKnqRjKmG9t6qhy1/zL3GdtpzCabHetZ1FbhAIp2EBDNUN0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=puVS7ruW; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=enhodQDtnvRNu2znwbDK1h0+xXifCve1rOq6ErVv260=; b=puVS7ruWcRv4+wdG56Z3DLBe2r ntCs5/A7mAyGkrKoyYG4goGOCGjrNh5L7UO6w2kzQEDypT6pV2ldfL4H8FwWASsePrri9lJd553jT 0hKf0unpK3C94qY9VYcW2P3ckB7CBg0oZ9jm7U6YnuhHybmRZas8LcyRIh+BEtixpKWj9frmO/sMw fjXrFhVxfOPsIIuj57EaseXjdk9KuZKecA08+PzCRA18p+TzqvCvRrHx0gOrdG7Zj4te2Xx6uEGpV v82pmcnkhoz8iTR7ZXy+BoftKSvoJOXDeKHi7QrkLlH+QpgI356cEt6CJ2L3K7qFrNh0CY/VeazZm 4vC6E+Vg==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1riuzH-000000003hh-2OSt; Sat, 09 Mar 2024 12:35:35 +0100 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal Subject: [nft PATCH 4/7] tests: shell: Regenerate all json-nft dumps Date: Sat, 9 Mar 2024 12:35:24 +0100 Message-ID: <20240309113527.8723-5-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240309113527.8723-1-phil@nwl.cc> References: <20240309113527.8723-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Ordering of 'nft -j list ruleset' output has changed, Regenerate existing json-nft dumps. No functional change intended, merely the position of chain objects should have moved up in the "nftables" array. Signed-off-by: Phil Sutter --- .../dumps/0001_cache_handling_0.json-nft | 16 ++++---- .../dumps/0005_cache_chain_flush.json-nft | 28 ++++++------- .../dumps/0006_cache_table_flush.json-nft | 28 ++++++------- .../comments/dumps/comments_0.json-nft | 16 ++++---- .../flowtable/dumps/0001flowtable_0.json-nft | 16 ++++---- .../dumps/0005delete_in_use_1.json-nft | 16 ++++---- .../dumps/0014addafterdelete_0.json-nft | 22 +++++----- .../json/dumps/0001set_statements_0.json-nft | 24 +++++------ .../json/dumps/0005secmark_objref_0.json-nft | 18 ++++----- .../listing/dumps/0013objects_0.json-nft | 16 ++++---- .../dumps/0021ruleset_json_terse_0.json-nft | 16 ++++---- .../listing/dumps/0022terse_0.json-nft | 24 +++++------ .../dumps/0007named_ifname_dtype_0.json-nft | 16 ++++---- .../dumps/0008interval_map_delete_0.json-nft | 24 +++++------ .../testcases/maps/dumps/0012map_0.json-nft | 16 ++++---- .../maps/dumps/0012map_concat_0.json-nft | 24 +++++------ .../testcases/maps/dumps/0013map_0.json-nft | 24 +++++------ .../maps/dumps/anon_objmap_concat.json-nft | 24 +++++------ .../maps/dumps/named_limits.json-nft | 24 +++++------ .../maps/dumps/named_snat_map_0.json-nft | 16 ++++---- .../maps/dumps/pipapo_double_flush.json-nft | 16 ++++---- .../dumps/typeof_maps_add_delete.json-nft | 40 +++++++++---------- .../maps/dumps/typeof_maps_update_0.json-nft | 32 +++++++-------- .../nft-f/dumps/0002rollback_rule_0.json-nft | 22 +++++----- .../nft-f/dumps/0003rollback_jump_0.json-nft | 22 +++++----- .../nft-f/dumps/0004rollback_set_0.json-nft | 22 +++++----- .../nft-f/dumps/0005rollback_map_0.json-nft | 22 +++++----- .../nft-f/dumps/0017ct_timeout_obj_0.json-nft | 16 ++++---- .../dumps/0018ct_expectation_obj_0.json-nft | 16 ++++---- .../nft-f/dumps/0022variables_0.json-nft | 24 +++++------ .../nft-f/dumps/0029split_file_0.json-nft | 18 ++++----- .../nft-f/dumps/0032pknock_0.json-nft | 24 +++++------ .../optimizations/dumps/merge_vmaps.json-nft | 26 ++++++------ .../optimizations/dumps/skip_merge.json-nft | 32 +++++++-------- .../dumps/skip_unsupported.json-nft | 16 ++++---- .../packetpath/dumps/set_lookups.json-nft | 24 +++++------ .../dumps/0011reset_0.json-nft | 32 +++++++-------- .../sets/dumps/0001named_interval_0.json-nft | 16 ++++---- .../dumps/0022type_selective_flush_0.json-nft | 16 ++++---- .../sets/dumps/0026named_limit_0.json-nft | 22 +++++----- .../sets/dumps/0028autoselect_0.json-nft | 24 +++++------ .../0037_set_with_inet_service_0.json-nft | 24 +++++------ .../sets/dumps/0038meter_list_0.json-nft | 16 ++++---- .../sets/dumps/0042update_set_0.json-nft | 16 ++++---- .../dumps/0043concatenated_ranges_0.json-nft | 24 +++++------ .../dumps/0045concat_ipv4_service.json-nft | 16 ++++---- .../sets/dumps/0048set_counters_0.json-nft | 24 +++++------ .../sets/dumps/0049set_define_0.json-nft | 24 +++++------ .../dumps/0051set_interval_counter_0.json-nft | 24 +++++------ .../dumps/0058_setupdate_timeout_0.json-nft | 16 ++++---- .../dumps/0059set_update_multistmt_0.json-nft | 24 +++++------ .../sets/dumps/0060set_multistmt_0.json-nft | 24 +++++------ .../sets/dumps/0060set_multistmt_1.json-nft | 24 +++++------ .../sets/dumps/0064map_catchall_0.json-nft | 16 ++++---- .../0071unclosed_prefix_interval_0.json-nft | 16 ++++---- .../sets/dumps/dynset_missing.json-nft | 24 +++++------ .../testcases/sets/dumps/inner_0.json-nft | 16 ++++---- .../testcases/sets/dumps/set_eval_0.json-nft | 24 +++++------ .../sets/dumps/type_set_symbol.json-nft | 32 +++++++-------- .../transactions/dumps/0040set_0.json-nft | 20 +++++----- 60 files changed, 647 insertions(+), 647 deletions(-) diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft index 752196624c33f..7a2eacdd7b614 100644 --- a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft +++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "test", + "name": "test", + "handle": 0 + } + }, { "set": { "family": "inet", @@ -27,14 +35,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "test", - "name": "test", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft index dbf561175a1b7..1c47d3ef0a266 100644 --- a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft +++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.json-nft @@ -15,34 +15,34 @@ } }, { - "map": { + "chain": { "family": "ip", - "name": "mapping", "table": "x", - "type": "ipv4_addr", - "handle": 0, - "map": "inet_service", - "size": 65535, - "flags": [ - "timeout", - "dynamic" - ] + "name": "y", + "handle": 0 } }, { "chain": { "family": "ip", "table": "x", - "name": "y", + "name": "z", "handle": 0 } }, { - "chain": { + "map": { "family": "ip", + "name": "mapping", "table": "x", - "name": "z", - "handle": 0 + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service", + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] } }, { diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft index dbf561175a1b7..1c47d3ef0a266 100644 --- a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft +++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.json-nft @@ -15,34 +15,34 @@ } }, { - "map": { + "chain": { "family": "ip", - "name": "mapping", "table": "x", - "type": "ipv4_addr", - "handle": 0, - "map": "inet_service", - "size": 65535, - "flags": [ - "timeout", - "dynamic" - ] + "name": "y", + "handle": 0 } }, { "chain": { "family": "ip", "table": "x", - "name": "y", + "name": "z", "handle": 0 } }, { - "chain": { + "map": { "family": "ip", + "name": "mapping", "table": "x", - "name": "z", - "handle": 0 + "type": "ipv4_addr", + "handle": 0, + "map": "inet_service", + "size": 65535, + "flags": [ + "timeout", + "dynamic" + ] } }, { diff --git a/tests/shell/testcases/comments/dumps/comments_0.json-nft b/tests/shell/testcases/comments/dumps/comments_0.json-nft index 28898a52608d3..201abd6fb5ce1 100644 --- a/tests/shell/testcases/comments/dumps/comments_0.json-nft +++ b/tests/shell/testcases/comments/dumps/comments_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, { "set": { "family": "inet", @@ -27,14 +35,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "x", - "name": "y", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft index 090c974456ca6..4d15fe3a39d17 100644 --- a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft +++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "flowtable": { "family": "inet", @@ -25,14 +33,6 @@ "dev": "lo" } }, - { - "chain": { - "family": "inet", - "table": "t", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft index db73a53036632..302502dcab098 100644 --- a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft +++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "x", + "handle": 0 + } + }, { "flowtable": { "family": "ip", @@ -25,14 +33,6 @@ "dev": "lo" } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "x", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft index 79707ca30d958..471ba5be0faeb 100644 --- a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft +++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.json-nft @@ -14,17 +14,6 @@ "handle": 0 } }, - { - "flowtable": { - "family": "inet", - "name": "f", - "table": "filter", - "handle": 0, - "hook": "ingress", - "prio": -1, - "dev": "lo" - } - }, { "chain": { "family": "inet", @@ -37,6 +26,17 @@ "policy": "accept" } }, + { + "flowtable": { + "family": "inet", + "name": "f", + "table": "filter", + "handle": 0, + "hook": "ingress", + "prio": -1, + "dev": "lo" + } + }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft index 3830b8450a93b..91db43e29ea9f 100644 --- a/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft +++ b/tests/shell/testcases/json/dumps/0001set_statements_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "testt", + "name": "testc", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -27,18 +39,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "testt", - "name": "testc", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft index f5519a6ed49ac..3783c6b78f5b2 100644 --- a/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft +++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.json-nft @@ -14,15 +14,6 @@ "handle": 0 } }, - { - "secmark": { - "family": "inet", - "name": "ssh_server", - "table": "x", - "handle": 0, - "context": "system_u:object_r:ssh_server_packet_t:s0" - } - }, { "chain": { "family": "inet", @@ -47,6 +38,15 @@ "policy": "accept" } }, + { + "secmark": { + "family": "inet", + "name": "ssh_server", + "table": "x", + "handle": 0, + "context": "system_u:object_r:ssh_server_packet_t:s0" + } + }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.json-nft b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft index feb32b1b34329..830aad85cad87 100644 --- a/tests/shell/testcases/listing/dumps/0013objects_0.json-nft +++ b/tests/shell/testcases/listing/dumps/0013objects_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "input", + "handle": 0 + } + }, { "quota": { "family": "ip", @@ -62,14 +70,6 @@ "size": 12, "l3proto": "ip" } - }, - { - "chain": { - "family": "ip", - "table": "test", - "name": "input", - "handle": 0 - } } ] } diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft index e9bc05ac7be1a..d1131bb4045fd 100644 --- a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft +++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "c", + "handle": 0 + } + }, { "set": { "family": "ip", @@ -26,14 +34,6 @@ "192.168.3.5" ] } - }, - { - "chain": { - "family": "ip", - "table": "test", - "name": "c", - "handle": 0 - } } ] } diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.json-nft b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft index db19d0c3c2b5b..bd6383dac5e37 100644 --- a/tests/shell/testcases/listing/dumps/0022terse_0.json-nft +++ b/tests/shell/testcases/listing/dumps/0022terse_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "inet", @@ -30,18 +42,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "input", - "handle": 0, - "type": "filter", - "hook": "prerouting", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft index ec409c6cb361a..ef57a749fbeed 100644 --- a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft +++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "map": { "family": "inet", @@ -30,14 +38,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "t", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft index 0f8f25dcf77c5..bd3c6cc7ebf55 100644 --- a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft +++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, { "map": { "family": "ip", @@ -37,18 +49,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "filter", - "name": "input", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/maps/dumps/0012map_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_0.json-nft index e546a67979369..2892e11d71f54 100644 --- a/tests/shell/testcases/maps/dumps/0012map_0.json-nft +++ b/tests/shell/testcases/maps/dumps/0012map_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, { "map": { "family": "ip", @@ -44,14 +52,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "y", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft index 08fce28624c01..000522365df9f 100644 --- a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft +++ b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "k", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 1, + "policy": "accept" + } + }, { "map": { "family": "ip", @@ -66,18 +78,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "k", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 1, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/maps/dumps/0013map_0.json-nft b/tests/shell/testcases/maps/dumps/0013map_0.json-nft index 0379746a1e062..e91a269d8e6e6 100644 --- a/tests/shell/testcases/maps/dumps/0013map_0.json-nft +++ b/tests/shell/testcases/maps/dumps/0013map_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, { "map": { "family": "ip", @@ -58,18 +70,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "filter", - "name": "FORWARD", - "handle": 0, - "type": "filter", - "hook": "forward", - "prio": 0, - "policy": "drop" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft b/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft index f8352344eec73..642098427e6f9 100644 --- a/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft +++ b/tests/shell/testcases/maps/dumps/anon_objmap_concat.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, { "ct helper": { "family": "inet", @@ -36,18 +48,6 @@ "l3proto": "ip" } }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "input", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/maps/dumps/named_limits.json-nft b/tests/shell/testcases/maps/dumps/named_limits.json-nft index 28a92529c8d29..7fa1298103832 100644 --- a/tests/shell/testcases/maps/dumps/named_limits.json-nft +++ b/tests/shell/testcases/maps/dumps/named_limits.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, { "limit": { "family": "inet", @@ -251,18 +263,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "input", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft index ed141597f7f85..ad9eb36eac94e 100644 --- a/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft +++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "nat", + "name": "postrouting", + "handle": 0 + } + }, { "map": { "family": "ip", @@ -30,14 +38,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "nat", - "name": "postrouting", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft b/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft index 5cb600dbd0eed..ef8c3930f8153 100644 --- a/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft +++ b/tests/shell/testcases/maps/dumps/pipapo_double_flush.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "map": { "family": "inet", @@ -29,14 +37,6 @@ "interval" ] } - }, - { - "chain": { - "family": "inet", - "table": "t", - "name": "c", - "handle": 0 - } } ] } diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft index 4a58602a99cd4..8130c46c154cd 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft @@ -14,26 +14,6 @@ "handle": 0 } }, - { - "map": { - "family": "ip", - "name": "dynmark", - "table": "dynset", - "type": "ipv4_addr", - "handle": 0, - "map": "mark", - "size": 64, - "flags": [ - "timeout" - ], - "timeout": 300, - "stmt": [ - { - "counter": null - } - ] - } - }, { "chain": { "family": "ip", @@ -54,6 +34,26 @@ "policy": "accept" } }, + { + "map": { + "family": "ip", + "name": "dynmark", + "table": "dynset", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "size": 64, + "flags": [ + "timeout" + ], + "timeout": 300, + "stmt": [ + { + "counter": null + } + ] + } + }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft index 826785d1fc04d..1d50477d783df 100644 --- a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft +++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft @@ -14,6 +14,22 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "kube-nfproxy-v4", + "name": "k8s-nfproxy-sep-TMVEFT7EX55F4T62", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "kube-nfproxy-v4", + "name": "k8s-nfproxy-sep-GMVEFT7EX55F4T62", + "handle": 0 + } + }, { "map": { "family": "ip", @@ -44,22 +60,6 @@ "timeout": 60 } }, - { - "chain": { - "family": "ip", - "table": "kube-nfproxy-v4", - "name": "k8s-nfproxy-sep-TMVEFT7EX55F4T62", - "handle": 0 - } - }, - { - "chain": { - "family": "ip", - "table": "kube-nfproxy-v4", - "name": "k8s-nfproxy-sep-GMVEFT7EX55F4T62", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft index 8d500578d998c..99b0b28defb4d 100644 --- a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.json-nft @@ -15,31 +15,31 @@ } }, { - "set": { + "chain": { "family": "ip", - "name": "t", "table": "t", - "type": "ipv4_addr", - "handle": 0, - "elem": [ - "1.1.1.1" - ] + "name": "c", + "handle": 0 } }, { "chain": { "family": "ip", "table": "t", - "name": "c", + "name": "other", "handle": 0 } }, { - "chain": { + "set": { "family": "ip", + "name": "t", "table": "t", - "name": "other", - "handle": 0 + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] } }, { diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft index 8d500578d998c..99b0b28defb4d 100644 --- a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.json-nft @@ -15,31 +15,31 @@ } }, { - "set": { + "chain": { "family": "ip", - "name": "t", "table": "t", - "type": "ipv4_addr", - "handle": 0, - "elem": [ - "1.1.1.1" - ] + "name": "c", + "handle": 0 } }, { "chain": { "family": "ip", "table": "t", - "name": "c", + "name": "other", "handle": 0 } }, { - "chain": { + "set": { "family": "ip", + "name": "t", "table": "t", - "name": "other", - "handle": 0 + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] } }, { diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft index 8d500578d998c..99b0b28defb4d 100644 --- a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.json-nft @@ -15,31 +15,31 @@ } }, { - "set": { + "chain": { "family": "ip", - "name": "t", "table": "t", - "type": "ipv4_addr", - "handle": 0, - "elem": [ - "1.1.1.1" - ] + "name": "c", + "handle": 0 } }, { "chain": { "family": "ip", "table": "t", - "name": "c", + "name": "other", "handle": 0 } }, { - "chain": { + "set": { "family": "ip", + "name": "t", "table": "t", - "name": "other", - "handle": 0 + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] } }, { diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft index 8d500578d998c..99b0b28defb4d 100644 --- a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.json-nft @@ -15,31 +15,31 @@ } }, { - "set": { + "chain": { "family": "ip", - "name": "t", "table": "t", - "type": "ipv4_addr", - "handle": 0, - "elem": [ - "1.1.1.1" - ] + "name": "c", + "handle": 0 } }, { "chain": { "family": "ip", "table": "t", - "name": "c", + "name": "other", "handle": 0 } }, { - "chain": { + "set": { "family": "ip", + "name": "t", "table": "t", - "name": "other", - "handle": 0 + "type": "ipv4_addr", + "handle": 0, + "elem": [ + "1.1.1.1" + ] } }, { diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft index 581d4d415ae58..b56240eab0cf3 100644 --- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "c", + "handle": 0 + } + }, { "ct timeout": { "family": "ip", @@ -28,14 +36,6 @@ } } }, - { - "chain": { - "family": "ip", - "table": "filter", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft index 5e2b07f0d7ace..21c979703e096 100644 --- a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "c", + "handle": 0 + } + }, { "ct expectation": { "family": "ip", @@ -27,14 +35,6 @@ "l3proto": "ip" } }, - { - "chain": { - "family": "ip", - "table": "filter", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft index b971454fc3ae0..09a4c1e3deb8f 100644 --- a/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -28,18 +40,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "z", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft index c2aa400aa150f..ab680af8712d6 100644 --- a/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.json-nft @@ -14,15 +14,6 @@ "handle": 0 } }, - { - "set": { - "family": "inet", - "name": "whitelist_v4", - "table": "filter", - "type": "ipv4_addr", - "handle": 0 - } - }, { "chain": { "family": "inet", @@ -35,6 +26,15 @@ "policy": "accept" } }, + { + "set": { + "family": "inet", + "name": "whitelist_v4", + "table": "filter", + "type": "ipv4_addr", + "handle": 0 + } + }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft index 57d57bb9ea8c3..4c7d2bbe3f843 100644 --- a/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft +++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "portknock", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": -10, + "policy": "accept" + } + }, { "set": { "family": "inet", @@ -45,18 +57,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "portknock", - "name": "input", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": -10, - "policy": "accept" - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft index f2ac7917cd590..e87f1c4c082eb 100644 --- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft +++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.json-nft @@ -14,19 +14,6 @@ "handle": 0 } }, - { - "set": { - "family": "ip", - "name": "s", - "table": "x", - "type": "ipv4_addr", - "handle": 0, - "size": 65535, - "flags": [ - "dynamic" - ] - } - }, { "chain": { "family": "ip", @@ -51,6 +38,19 @@ "handle": 0 } }, + { + "set": { + "family": "ip", + "name": "s", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "size": 65535, + "flags": [ + "dynamic" + ] + } + }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft index 3404a2e7521a6..7bb6c656435f5 100644 --- a/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft +++ b/tests/shell/testcases/optimizations/dumps/skip_merge.json-nft @@ -14,6 +14,22 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "udp_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "tcp_input", + "handle": 0 + } + }, { "set": { "family": "inet", @@ -40,22 +56,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "udp_input", - "handle": 0 - } - }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "tcp_input", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft index a082020695b63..d6347b1eeed6e 100644 --- a/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft +++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0 + } + }, { "set": { "family": "inet", @@ -100,14 +108,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "x", - "name": "y", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft index 49b51ababd773..24363f9071b22 100644 --- a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft +++ b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -136,18 +148,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft index 94203517cedb3..bc242467e22a7 100644 --- a/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft +++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.json-nft @@ -14,6 +14,22 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, { "set": { "family": "ip", @@ -43,22 +59,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c", - "handle": 0 - } - }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c2", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft index c48f3a9c918f4..b9c66a21aa084 100644 --- a/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "set": { "family": "inet", @@ -124,14 +132,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "t", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft index c82c12a171a54..ce391a6c37f9c 100644 --- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "set": { "family": "ip", @@ -33,14 +41,6 @@ "map": "inet_service" } }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft index 5307e26567f16..5d21f26cd5a37 100644 --- a/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.json-nft @@ -14,17 +14,6 @@ "handle": 0 } }, - { - "limit": { - "family": "ip", - "name": "http-traffic", - "table": "filter", - "handle": 0, - "rate": 1, - "per": "second", - "burst": 5 - } - }, { "chain": { "family": "ip", @@ -37,6 +26,17 @@ "policy": "accept" } }, + { + "limit": { + "family": "ip", + "name": "http-traffic", + "table": "filter", + "handle": 0, + "rate": 1, + "per": "second", + "burst": 5 + } + }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft index 682496a71c5c5..5968b2e0c11f0 100644 --- a/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -53,18 +65,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft index 3305f040e69cd..1c3b559d48d43 100644 --- a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "forward", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, { "set": { "family": "inet", @@ -64,18 +76,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "forward", - "handle": 0, - "type": "filter", - "hook": "forward", - "prio": 0, - "policy": "drop" - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft index be24687c96d79..40b86f82eba33 100644 --- a/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "set": { "family": "ip", @@ -28,14 +36,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft index 8521adb8283d1..bc1d4cc2284d8 100644 --- a/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0042update_set_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "set": { "family": "ip", @@ -36,14 +44,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft index d51db88452872..ffb76e2f3641d 100644 --- a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, { "map": { "family": "inet", @@ -32,18 +44,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "output", - "handle": 0, - "type": "filter", - "hook": "output", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft index 211942c9ae63a..8473c3333889e 100644 --- a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft +++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "set": { "family": "inet", @@ -39,14 +47,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "t", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft index 2fa0e78848308..62a6a177b7776 100644 --- a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -57,18 +69,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "z", - "handle": 0, - "type": "filter", - "hook": "output", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft index 79e376b6e2931..f8495bab8b0f3 100644 --- a/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, { "set": { "family": "inet", @@ -30,18 +42,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "input", - "handle": 0, - "type": "filter", - "hook": "input", - "prio": 0, - "policy": "drop" - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft index 0e67375999382..b468b5f9044ca 100644 --- a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -47,18 +59,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "y", - "handle": 0, - "type": "filter", - "hook": "output", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft index a727b25bdcb1b..ac8d8bef71e7e 100644 --- a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "test", + "handle": 0 + } + }, { "set": { "family": "inet", @@ -29,14 +37,6 @@ "timeout": 2592000 } }, - { - "chain": { - "family": "inet", - "table": "filter", - "name": "test", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft index 9e5fae761fd70..16ecdb2ab8993 100644 --- a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "z", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -29,18 +41,6 @@ "timeout": 3600 } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "z", - "handle": 0, - "type": "filter", - "hook": "output", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft index 0026ba915af10..1aede147cacf3 100644 --- a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -67,18 +79,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "y", - "handle": 0, - "type": "filter", - "hook": "output", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft index 86b70b20c42c6..6098dc563141f 100644 --- a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft +++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -67,18 +79,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "y", - "handle": 0, - "type": "filter", - "hook": "output", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft index eba5d40ef5645..64dd26670528b 100644 --- a/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "y", + "handle": 0 + } + }, { "map": { "family": "ip", @@ -62,14 +70,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "x", - "name": "y", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft index 426bf2d1e1577..6b579a2e09fff 100644 --- a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft +++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "inet", + "table": "t", + "name": "c", + "handle": 0 + } + }, { "set": { "family": "inet", @@ -66,14 +74,6 @@ ] } }, - { - "chain": { - "family": "inet", - "table": "t", - "name": "c", - "handle": 0 - } - }, { "rule": { "family": "inet", diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft index 3462d67f05562..ad8a7cc0564a8 100644 --- a/tests/shell/testcases/sets/dumps/dynset_missing.json-nft +++ b/tests/shell/testcases/sets/dumps/dynset_missing.json-nft @@ -14,6 +14,18 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, { "set": { "family": "ip", @@ -27,18 +39,6 @@ ] } }, - { - "chain": { - "family": "ip", - "table": "test", - "name": "output", - "handle": 0, - "type": "filter", - "hook": "output", - "prio": 0, - "policy": "accept" - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft index cc48de6b4f47f..8d84e1ccecb9f 100644 --- a/tests/shell/testcases/sets/dumps/inner_0.json-nft +++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft @@ -14,6 +14,14 @@ "handle": 0 } }, + { + "chain": { + "family": "netdev", + "table": "x", + "name": "y", + "handle": 0 + } + }, { "set": { "family": "netdev", @@ -47,14 +55,6 @@ ] } }, - { - "chain": { - "family": "netdev", - "table": "x", - "name": "y", - "handle": 0 - } - }, { "rule": { "family": "netdev", diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft index 4590b88403985..6f692381b6f7c 100644 --- a/tests/shell/testcases/sets/dumps/set_eval_0.json-nft +++ b/tests/shell/testcases/sets/dumps/set_eval_0.json-nft @@ -14,18 +14,6 @@ "handle": 0 } }, - { - "set": { - "family": "ip", - "name": "set_with_interval", - "table": "nat", - "type": "ipv4_addr", - "handle": 0, - "flags": [ - "interval" - ] - } - }, { "chain": { "family": "ip", @@ -38,6 +26,18 @@ "policy": "accept" } }, + { + "set": { + "family": "ip", + "name": "set_with_interval", + "table": "nat", + "type": "ipv4_addr", + "handle": 0, + "flags": [ + "interval" + ] + } + }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft index e4ae0a2e3df24..e22213ea3437a 100644 --- a/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft +++ b/tests/shell/testcases/sets/dumps/type_set_symbol.json-nft @@ -14,6 +14,22 @@ "handle": 0 } }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, { "set": { "family": "ip", @@ -33,22 +49,6 @@ "timeout": 10800 } }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c1", - "handle": 0 - } - }, - { - "chain": { - "family": "ip", - "table": "t", - "name": "c2", - "handle": 0 - } - }, { "rule": { "family": "ip", diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.json-nft b/tests/shell/testcases/transactions/dumps/0040set_0.json-nft index f8130d95a0fc5..1718a5b9d8b3b 100644 --- a/tests/shell/testcases/transactions/dumps/0040set_0.json-nft +++ b/tests/shell/testcases/transactions/dumps/0040set_0.json-nft @@ -14,16 +14,6 @@ "handle": 0 } }, - { - "map": { - "family": "ip", - "name": "client_to_any", - "table": "filter", - "type": "ipv4_addr", - "handle": 0, - "map": "verdict" - } - }, { "chain": { "family": "ip", @@ -44,6 +34,16 @@ "handle": 0 } }, + { + "map": { + "family": "ip", + "name": "client_to_any", + "table": "filter", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict" + } + }, { "rule": { "family": "ip", From patchwork Sat Mar 9 11:35:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1909954 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=qNm5y8Do; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-1254-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TsLZW2hM1z1yXB for ; Sat, 9 Mar 2024 22:35:47 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 5712E1C20B5A for ; Sat, 9 Mar 2024 11:35:45 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A291C383B5; Sat, 9 Mar 2024 11:35:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="qNm5y8Do" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E792FEDD for ; Sat, 9 Mar 2024 11:35:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984137; cv=none; b=KMVdX3/SI+4SkI9xRd2ASHXTvpxq7hTCpYOqYL2IgZhPgmNysX0agB8XlQTqANH0scRDJ7p5Opk7WUX+EI47W7YPCYEk9EzhG9a9z4qwXooHXciRqm6FfOUARq13sNtUpQyh1X2R2sPSDilVYrXcULDtAS/Nbt2DAQTOdpuPDuk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984137; c=relaxed/simple; bh=Ev1mzNidUkI+oEiYi0GtWLXUFWnmVxAUz3qn3MlLajk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=MsNmisU/dU45c9tq2to2v8WbbCAc26K2ox/BdPUCQsXyDWgCvLpdYQtxJfndWUXpIFMv1LZeRgOaYsF2vgqPE3nm1jp0/qVzhBkShND3cgR2QQQiZUIsxBTo+XIgxXp6Snafwb3+gkHk7KVp92O5PiQxw4pfImU3kP99/aiiS1Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=qNm5y8Do; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=4PRCPI8pluOOcXw+JlsLS4iq1gM48Jjr/j9hMqLTlbI=; b=qNm5y8DorUTzmIXkWdOPzUdS0H PEfIk+Vk+DztfN6R7uU4oox5Y06u0YiDrWLGgHkJikce34553FbqrJwrTsrZOVEDM7Ifrg+329c3m 5g7p+A44We4B8kt6z89itHe+bBmjgryltppuqf9aMpNRaeYv8zEGRtzVbV9RKgXhSC7aqgHkFtwZu b8efQrp88a0CoRszxnfYd4aZXvBSpq3REM3n3IZxagwtjFXPib9UgjD8QiX+j6ZKLHx4iC4QTfxIM n6oVTRLslipa7lt2d448F2BihiSx30aNCsOiB5uU1hnVgNZfG0xIHariV+wwaSfsok2YKNXhLTXYt 8Urr4F8A==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1riuzD-000000003h0-23xt; Sat, 09 Mar 2024 12:35:31 +0100 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal Subject: [nft PATCH 5/7] json: Support maps with concatenated data Date: Sat, 9 Mar 2024 12:35:25 +0100 Message-ID: <20240309113527.8723-6-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240309113527.8723-1-phil@nwl.cc> References: <20240309113527.8723-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Dump such maps with an array of types in "map" property, make the parser aware of this. Signed-off-by: Phil Sutter --- src/json.c | 10 +++++----- src/parser_json.c | 18 +++++++++--------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/json.c b/src/json.c index bb515164d2587..29fbd0cfdba28 100644 --- a/src/json.c +++ b/src/json.c @@ -130,15 +130,15 @@ static json_t *set_stmt_list_json(const struct list_head *stmt_list, static json_t *set_print_json(struct output_ctx *octx, const struct set *set) { - json_t *root, *tmp; - const char *type, *datatype_ext = NULL; + json_t *root, *tmp, *datatype_ext = NULL; + const char *type; if (set_is_datamap(set->flags)) { type = "map"; - datatype_ext = set->data->dtype->name; + datatype_ext = set_dtype_json(set->data); } else if (set_is_objmap(set->flags)) { type = "map"; - datatype_ext = obj_type_name(set->objtype); + datatype_ext = json_string(obj_type_name(set->objtype)); } else if (set_is_meter(set->flags)) { type = "meter"; } else { @@ -155,7 +155,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) if (set->comment) json_object_set_new(root, "comment", json_string(set->comment)); if (datatype_ext) - json_object_set_new(root, "map", json_string(datatype_ext)); + json_object_set_new(root, "map", datatype_ext); if (!(set->flags & (NFT_SET_CONSTANT))) { if (set->policy != NFT_SET_POL_PERFORMANCE) { diff --git a/src/parser_json.c b/src/parser_json.c index ff52423af4d7f..bb027448319c5 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -3255,7 +3255,7 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, enum cmd_ops op, enum cmd_obj obj) { struct handle h = { 0 }; - const char *family = "", *policy, *dtype_ext = NULL; + const char *family = "", *policy; json_t *tmp, *stmt_json; struct set *set; @@ -3308,19 +3308,19 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, return NULL; } - if (!json_unpack(root, "{s:s}", "map", &dtype_ext)) { - const struct datatype *dtype; + if (!json_unpack(root, "{s:o}", "map", &tmp)) { + if (json_is_string(tmp)) { + const char *s = json_string_value(tmp); - set->objtype = string_to_nft_object(dtype_ext); + set->objtype = string_to_nft_object(s); + } if (set->objtype) { set->flags |= NFT_SET_OBJECT; - } else if ((dtype = datatype_lookup_byname(dtype_ext))) { - set->data = constant_expr_alloc(&netlink_location, - dtype, dtype->byteorder, - dtype->size, NULL); + } else if ((set->data = json_parse_dtype_expr(ctx, tmp))) { set->flags |= NFT_SET_MAP; } else { - json_error(ctx, "Invalid map type '%s'.", dtype_ext); + json_error(ctx, "Invalid map type '%s'.", + json_dumps(tmp, 0)); set_free(set); handle_free(&h); return NULL; From patchwork Sat Mar 9 11:35:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1909958 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=LI0B3nkZ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-1258-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TsLZd1hrBz1yX8 for ; Sat, 9 Mar 2024 22:35:53 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 415B51C20B55 for ; Sat, 9 Mar 2024 11:35:51 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E159D38FA6; Sat, 9 Mar 2024 11:35:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="LI0B3nkZ" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC577374D4 for ; Sat, 9 Mar 2024 11:35:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984138; cv=none; b=mlQC9/xP20GPx/8pBaeilT6Xe9feLL7fgt5/d4edfQFO3815WBSgCfXINER/Kh3Nve/fuZIZWnC/0goWV6S8b3og5lxZJmW8afAHNrPdBUfQCcJ0+eAZpoZNPfkscsCFIJQfX0hHn3VBjFk5E7OzRQmYwM3Q5lYnum8KH0yCOxQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984138; c=relaxed/simple; bh=OTRI94HLC5NUDwpj5wkAsbG+7UPVtPM3F1kGQUOneq8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WY0Rm1H0iAo684IXLoHTFl8DcXrQPaMLHba4lVww3KLtmtdGTkDAqAhzwtzg0gYVNxQDmcdn7boOWuZJCSPkygWpcSuKEilhbzP/349+X4s6AEfDhj2rZZm6aMVKmebvi/Doj9XgMokNXAW2RDB0d6wjQH5c4O0Z9cAdnNETbHc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=LI0B3nkZ; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=+9hQfpVzdZ5WdJG5aL4t/QWSL6efH9Ufzveau65wngI=; b=LI0B3nkZ//MN2+hZ2CgziKoE3J ir+JyT0NJ6F//3uVeAyPGA18jtf9wwNwx/RFPGTaLqadMPuxibm6NCmgxaCVssY2LR8mF5zMujAx0 GfxpLXlfuL7+lucBDltyoqMHuogDTghx7cOCNFhP/MQLvOjP/d+5A2obqoqd5nOp0CRDcGuFsGmBf Li1S88lp2LL6LxZPY2/t3+N7ybCwO2F0FHZ+KFtzZrD7NsvnFYoZ+wl3UVe51NvevxdnHyBt96zal tmkl8FEbA/P6s4rY54qDE9Lv7y0wHbsWyjNlvxL4uvsT4mhkWMEG3UggiX6eOVoYnFglYVJY5yj38 718jGfZg==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1riuzH-000000003hb-0D3L; Sat, 09 Mar 2024 12:35:35 +0100 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal Subject: [nft PATCH 6/7] parser: json: Support for synproxy objects Date: Sat, 9 Mar 2024 12:35:26 +0100 Message-ID: <20240309113527.8723-7-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240309113527.8723-1-phil@nwl.cc> References: <20240309113527.8723-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Parsing code was there already, merely the entry in json_parse_cmd_add() missing. To support maps with synproxy target, an entry in string_to_nft_object() is required. While being at it, add other missing entries as well. Signed-off-by: Phil Sutter --- src/parser_json.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/parser_json.c b/src/parser_json.c index bb027448319c5..4fc0479cf4972 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -3217,14 +3217,18 @@ static struct cmd *json_parse_cmd_add_rule(struct json_ctx *ctx, json_t *root, static int string_to_nft_object(const char *str) { const char *obj_tbl[__NFT_OBJECT_MAX] = { - [NFT_OBJECT_COUNTER] = "counter", - [NFT_OBJECT_QUOTA] = "quota", - [NFT_OBJECT_LIMIT] = "limit", - [NFT_OBJECT_SECMARK] = "secmark", + [NFT_OBJECT_COUNTER] = "counter", + [NFT_OBJECT_QUOTA] = "quota", + [NFT_OBJECT_CT_HELPER] = "ct helper", + [NFT_OBJECT_LIMIT] = "limit", + [NFT_OBJECT_CT_TIMEOUT] = "ct timeout", + [NFT_OBJECT_SECMARK] = "secmark", + [NFT_OBJECT_CT_EXPECT] = "ct expectation", + [NFT_OBJECT_SYNPROXY] = "synproxy", }; unsigned int i; - for (i = 0; i < NFT_OBJECT_MAX; i++) { + for (i = 0; i <= NFT_OBJECT_MAX; i++) { if (obj_tbl[i] && !strcmp(str, obj_tbl[i])) return i; } @@ -3759,7 +3763,8 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx, { "ct timeout", NFT_OBJECT_CT_TIMEOUT, json_parse_cmd_add_object }, { "ct expectation", NFT_OBJECT_CT_EXPECT, json_parse_cmd_add_object }, { "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object }, - { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object } + { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object }, + { "synproxy", CMD_OBJ_SYNPROXY, json_parse_cmd_add_object } }; unsigned int i; json_t *tmp; From patchwork Sat Mar 9 11:35:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1909953 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=nq2gCyJ2; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-1253-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TsLZW0dbcz1yX8 for ; Sat, 9 Mar 2024 22:35:47 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id D63681C20C30 for ; Sat, 9 Mar 2024 11:35:44 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A0001383B2; Sat, 9 Mar 2024 11:35:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="nq2gCyJ2" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0C6DC2DF7D for ; Sat, 9 Mar 2024 11:35:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984137; cv=none; b=HTR2fb/hAwmK2uVcRp/VCU+c/laoe1QAq+HnpS0z96i+jyU1KhMAhf0Y4P4Sf2qgjQtQU45cbvLTaxIxSZ0VlMMLYLu2gKwZv8b1etIrlGPjrCIXnEZoNaGQ/U8CFbixw6B4f7+WwTX/6Aighu6qXhB6B6UxCftnr6YIOWJyvQQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709984137; c=relaxed/simple; bh=xfw8vK0izvlJzUgBy3/FCib9T1Fw7nAGZ3q5iXwEyZI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NKOj/GDsTwpYdhI4UecYBo4pQEETQpxu7bo3JaL/9yFPUS5UAswKRb/ZGcGN5FsXTARvobf0/KsmAF1ecC2yO6En348OFcqJtM9k2Zpw3QFMS8drnNXFB13rmGFhf9/CQSFzkrQyN6AgEO58nKH46GFG7djWr/UI4gHihxAxLEw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=nq2gCyJ2; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=dWen0EdBzbLmkxk9jaNzIukcIIxCikAR/xOqXWblL4k=; b=nq2gCyJ2L6gPI0eS8ZnKn5m+aJ m7kXNHx3PIDIxvM+Za4JlILCy9Fn/bqemGZl+6aMvABosHk5PT8vMXQnGtwpo0QHqI4CAklgLEu+I TJPGvq561jPDE76C2vN2OhTsfX7A+KC4mUewwBs/2ttHt7QDmwRwcRFaJnIHXnhTu7R0bQ46u6rhV AO0AGpZs7e9UFpwdTvbJCPiqajAmAUJ8QO+VZus8bfQ55g0l7d7m86wBBvEQLvAtCmWhByPaUTr3N 9A/fXZIioEFce9j1dDdsdCUQjFFImluCCDvQfQkBUuFyTqH4gxRTDKpaoEZf47D/Ul4kS+AxfdRBn qrEgamjQ==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1riuzE-000000003h7-0MPL; Sat, 09 Mar 2024 12:35:32 +0100 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal Subject: [nft PATCH 7/7] tests: shell: Add missing json-nft dumps Date: Sat, 9 Mar 2024 12:35:27 +0100 Message-ID: <20240309113527.8723-8-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240309113527.8723-1-phil@nwl.cc> References: <20240309113527.8723-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Given that a bunch of issues got fixed, add some more dumps. Also add tests/shell/testcases/owner/dumps/0002-persist.nft while at it, even though it's really small. Signed-off-by: Phil Sutter --- .../dumps/0011endless_jump_loop_1.json-nft | 75 +++ .../maps/dumps/0010concat_map_0.json-nft | 106 ++++ .../testcases/maps/dumps/0011vmap_0.json-nft | 145 +++++ .../maps/dumps/0024named_objects_0.json-nft | 165 ++++++ .../dumps/map_catchall_double_free_2.json-nft | 46 ++ .../maps/dumps/vmap_mark_bitwise_0.json-nft | 158 +++++ .../maps/dumps/vmap_timeout.json-nft | 229 ++++++++ .../dumps/comments_objects_0.json-nft | 102 ++++ .../owner/dumps/0002-persist.json-nft | 19 + .../testcases/owner/dumps/0002-persist.nft | 3 + .../dumps/0008create_verdict_map_0.json-nft | 78 +++ .../sets/dumps/0024synproxy_0.json-nft | 131 +++++ .../sets/dumps/sets_with_ifnames.json-nft | 551 ++++++++++++++++++ 13 files changed, 1808 insertions(+) create mode 100644 tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft create mode 100644 tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft create mode 100644 tests/shell/testcases/maps/dumps/0011vmap_0.json-nft create mode 100644 tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft create mode 100644 tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft create mode 100644 tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft create mode 100644 tests/shell/testcases/maps/dumps/vmap_timeout.json-nft create mode 100644 tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft create mode 100644 tests/shell/testcases/owner/dumps/0002-persist.json-nft create mode 100644 tests/shell/testcases/owner/dumps/0002-persist.nft create mode 100644 tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft create mode 100644 tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft create mode 100644 tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft new file mode 100644 index 0000000000000..e1a2262fdf04f --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c2", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "elem": [ + [ + 2, + { + "jump": { + "target": "c2" + } + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "c1", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@m" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft new file mode 100644 index 0000000000000..fcc23bb8095fa --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.json-nft @@ -0,0 +1,106 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "z", + "table": "x", + "type": [ + "ipv4_addr", + "inet_proto", + "inet_service" + ], + "handle": 0, + "map": [ + "ipv4_addr", + "inet_service" + ], + "elem": [ + [ + { + "concat": [ + "1.1.1.1", + "tcp", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@z" + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft new file mode 100644 index 0000000000000..8f07378a84e4c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0011vmap_0.json-nft @@ -0,0 +1,145 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "portmap", + "table": "filter", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "elem": [ + [ + { + "elem": { + "val": 22, + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "jump": { + "target": "ssh_input" + } + } + ], + [ + { + "elem": { + "val": "*", + "counter": { + "packets": 0, + "bytes": 0 + } + } + }, + { + "drop": null + } + ] + ], + "stmt": [ + { + "counter": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@portmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + "lo", + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft new file mode 100644 index 0000000000000..aa2f6f8c22874 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0024named_objects_0.json-nft @@ -0,0 +1,165 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "counter": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "packets": 12, + "bytes": 1433 + } + }, + { + "counter": { + "family": "inet", + "name": "user321", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "quota": { + "family": "inet", + "name": "user123", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "quota": { + "family": "inet", + "name": "user124", + "table": "x", + "handle": 0, + "bytes": 2000, + "used": 0, + "inv": true + } + }, + { + "set": { + "family": "inet", + "name": "y", + "table": "x", + "type": "ipv4_addr", + "handle": 0 + } + }, + { + "map": { + "family": "inet", + "name": "test", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "quota", + "elem": [ + [ + "192.168.2.2", + "user124" + ], + [ + "192.168.2.3", + "user124" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + "1.1.1.1", + "user123" + ], + [ + "2.2.2.2", + "user123" + ], + [ + "192.168.2.2", + "user123" + ] + ] + } + } + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "quota": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@test" + } + } + }, + { + "drop": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft new file mode 100644 index 0000000000000..a9d4c8e9fde3c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/map_catchall_double_free_2.json-nft @@ -0,0 +1,46 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "test", + "name": "testchain", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "testmap", + "table": "test", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "*", + { + "jump": { + "target": "testchain" + } + } + ] + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft new file mode 100644 index 0000000000000..df156411c346c --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.json-nft @@ -0,0 +1,158 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "sctm_o0_0", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "sctm_o0_1", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "x", + "name": "SET_ctmark_RPLYroute", + "handle": 0 + } + }, + { + "counter": { + "family": "ip", + "name": "c_o0_0", + "table": "x", + "handle": 0, + "packets": 0, + "bytes": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sctm_o0", + "table": "x", + "type": "mark", + "handle": 0, + "map": "verdict", + "elem": [ + [ + 0, + { + "jump": { + "target": "sctm_o0_0" + } + } + ], + [ + 1, + { + "jump": { + "target": "sctm_o0_1" + } + } + ] + ] + } + }, + { + "map": { + "family": "ip", + "name": "sctm_o1", + "table": "x", + "type": "mark", + "handle": 0, + "map": "counter", + "elem": [ + [ + 0, + "c_o0_0" + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "SET_ctmark_RPLYroute", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "&": [ + { + ">>": [ + { + "meta": { + "key": "mark" + } + }, + 8 + ] + }, + 15 + ] + }, + "data": "@sctm_o0" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "x", + "chain": "SET_ctmark_RPLYroute", + "handle": 0, + "expr": [ + { + "counter": { + "map": { + "key": { + "&": [ + { + ">>": [ + { + "meta": { + "key": "mark" + } + }, + 8 + ] + }, + 15 + ] + }, + "data": "@sctm_o1" + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft new file mode 100644 index 0000000000000..1c3aa590f846e --- /dev/null +++ b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft @@ -0,0 +1,229 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "ssh_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "log_and_drop", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "other_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "wan_input", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -300, + "policy": "accept" + } + }, + { + "map": { + "family": "inet", + "name": "portmap", + "table": "filter", + "type": "inet_service", + "handle": 0, + "map": "verdict", + "flags": [ + "timeout" + ], + "gc-interval": 10, + "elem": [ + [ + 22, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + }, + { + "map": { + "family": "inet", + "name": "portaddrmap", + "table": "filter", + "type": [ + "ipv4_addr", + "inet_service" + ], + "handle": 0, + "map": "verdict", + "flags": [ + "timeout" + ], + "gc-interval": 10, + "elem": [ + [ + { + "concat": [ + "1.2.3.4", + 22 + ] + }, + { + "jump": { + "target": "ssh_input" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "log_and_drop", + "handle": 0, + "expr": [ + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "other_input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "log_and_drop" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "tcp", + "field": "dport" + } + } + ] + }, + "data": "@portaddrmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "wan_input", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "data": "@portmap" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iif" + } + }, + "data": { + "set": [ + [ + "lo", + { + "jump": { + "target": "wan_input" + } + } + ] + ] + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft new file mode 100644 index 0000000000000..b5359d8b10c0f --- /dev/null +++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.json-nft @@ -0,0 +1,102 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 0 + } + }, + { + "quota": { + "family": "ip", + "name": "foo1", + "table": "filter", + "handle": 0, + "comment": "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678", + "bytes": 0, + "used": 0, + "inv": false + } + }, + { + "quota": { + "family": "ip", + "name": "q", + "table": "filter", + "handle": 0, + "comment": "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678", + "bytes": 1200, + "used": 0, + "inv": true + } + }, + { + "counter": { + "family": "ip", + "name": "c", + "table": "filter", + "handle": 0, + "comment": "test2", + "packets": 0, + "bytes": 0 + } + }, + { + "ct helper": { + "family": "ip", + "name": "h", + "table": "filter", + "handle": 0, + "comment": "test3", + "type": "sip", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "ct expectation": { + "family": "ip", + "name": "e", + "table": "filter", + "handle": 0, + "comment": "test4", + "protocol": "tcp", + "dport": 666, + "timeout": 100, + "size": 96, + "l3proto": "ip" + } + }, + { + "limit": { + "family": "ip", + "name": "l", + "table": "filter", + "handle": 0, + "comment": "test5", + "rate": 400, + "per": "hour", + "burst": 5 + } + }, + { + "synproxy": { + "family": "ip", + "name": "s", + "table": "filter", + "handle": 0, + "comment": "test6", + "mss": 1460, + "wscale": 2 + } + } + ] +} diff --git a/tests/shell/testcases/owner/dumps/0002-persist.json-nft b/tests/shell/testcases/owner/dumps/0002-persist.json-nft new file mode 100644 index 0000000000000..f0c336a86e52f --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0002-persist.json-nft @@ -0,0 +1,19 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0, + "flags": "persist" + } + } + ] +} diff --git a/tests/shell/testcases/owner/dumps/0002-persist.nft b/tests/shell/testcases/owner/dumps/0002-persist.nft new file mode 100644 index 0000000000000..b47027d35a30c --- /dev/null +++ b/tests/shell/testcases/owner/dumps/0002-persist.nft @@ -0,0 +1,3 @@ +table ip t { + flags persist +} diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft new file mode 100644 index 0000000000000..fa5dcb2571b1a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.json-nft @@ -0,0 +1,78 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "postrouting", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "t", + "name": "c", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "sourcemap", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "verdict", + "elem": [ + [ + "100.123.10.2", + { + "jump": { + "target": "c" + } + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "t", + "chain": "postrouting", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": "@sourcemap" + } + }, + { + "accept": null + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft new file mode 100644 index 0000000000000..0af613333592d --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.json-nft @@ -0,0 +1,131 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "x", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "x", + "name": "y", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "synproxy": { + "family": "inet", + "name": "https-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 7, + "flags": [ + "timestamp", + "sack-perm" + ] + } + }, + { + "synproxy": { + "family": "inet", + "name": "other-synproxy", + "table": "x", + "handle": 0, + "mss": 1460, + "wscale": 5 + } + }, + { + "map": { + "family": "inet", + "name": "test2", + "table": "x", + "type": "ipv4_addr", + "handle": 0, + "map": "synproxy", + "flags": [ + "interval" + ], + "elem": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "x", + "chain": "y", + "handle": 0, + "expr": [ + { + "synproxy": { + "map": { + "key": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "data": { + "set": [ + [ + { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + }, + "https-synproxy" + ], + [ + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + }, + "other-synproxy" + ] + ] + } + } + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft new file mode 100644 index 0000000000000..ac4284293c32a --- /dev/null +++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.json-nft @@ -0,0 +1,551 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "testifsets", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmp", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "v4icmpc", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "testifsets", + "name": "do_nothing", + "handle": 0 + } + }, + { + "set": { + "family": "inet", + "name": "simple", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "elem": [ + "abcdef0", + "abcdef1", + "othername" + ] + } + }, + { + "set": { + "family": "inet", + "name": "simple_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + "abcdef*", + "othername", + "ppp0" + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + }, + { + "concat": [ + "10.1.2.2", + "abcdef1" + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "concat_wild", + "table": "testifsets", + "type": [ + "ipv4_addr", + "ifname" + ], + "handle": 0, + "flags": [ + "interval" + ], + "elem": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + }, + { + "concat": [ + "10.1.2.1", + "bar" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "1.1.2.0", + "len": 24 + } + }, + "abcdef0" + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "12.2.2.0", + "len": 24 + } + }, + "abcdef*" + ] + } + ] + } + }, + { + "map": { + "family": "inet", + "name": "map_wild", + "table": "testifsets", + "type": "ifname", + "handle": 0, + "map": "verdict", + "flags": [ + "interval" + ], + "elem": [ + [ + "abcdef*", + { + "jump": { + "target": "do_nothing" + } + } + ], + [ + "eth0", + { + "jump": { + "target": "do_nothing" + } + } + ] + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "@simple_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "eth0", + "abcdef0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "abcdef*", + "eth0" + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmp", + "handle": 0, + "expr": [ + { + "vmap": { + "key": { + "meta": { + "key": "iifname" + } + }, + "data": "@map_wild" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": "@concat_wild" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef0" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "v4icmpc", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "concat": [ + { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + { + "meta": { + "key": "iifname" + } + } + ] + }, + "right": { + "set": [ + { + "concat": [ + "10.1.2.2", + "abcdef*" + ] + } + ] + } + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "jump": { + "target": "v4icmp" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "testifsets", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "goto": { + "target": "v4icmpc" + } + } + ] + } + } + ] +}