tests: shell: connect chains to hook point

These tests should fail because they contain a loop or exceed the jump stack.

But this depends on the kernel validating chains that are not bound to any
basechain/hook point.

Wire up the initial chain to filter type.

Without this tests will start to fail when kernel stops validating
chains that are not reachable by any base chain.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
index 80e243f07bdb786b32ac49f16b241c63bef2e8c5..1a8eaf68674734979988dd86fbc87cd66e39a427 100755 (executable)
--- a/tests/shell/testcases/chains/0003jump_loop_1
+++ b/tests/shell/testcases/chains/0003jump_loop_1
@@ -5,8 +5,9 @@ set -e
 MAX_JUMPS=16
 
 $NFT add table t
+$NFT "add chain t c1 { type filter hook prerouting priority 0; }"
 
-for i in $(seq 1 $MAX_JUMPS)
+for i in $(seq 2 $MAX_JUMPS)
 do
        $NFT add chain t c${i}
 done

diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
index 5d3ef2393331674d81b605540a2bbca51e9f9a06..6000e5d7dbf3877cbe2a35cbe62bb21a780a3aa3 100755 (executable)
--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table t
-$NFT add chain t c
+$NFT add chain "t c { type filter hook input priority 0; }"
 
 # kernel should return ELOOP
 $NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0

diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
index d75932d7a7caca319147caec0fb4e813f40e4eb7..66abf8d04543e305d8c7fded0f6ca2e26ca0d88c 100755 (executable)
--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table t
-$NFT add chain t c1
+$NFT add chain "t c1 { type filter hook forward priority 0; }"
 $NFT add chain t c2
 $NFT add map t m {type inet_service : verdict \;}
 $NFT add element t m {2 : jump c2}

diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
index b87520f287d781742f49fa9ad0051358ccd7b7ca..1e674d3dc12b49ee2892c41483eb4ac582648d9b 100755 (executable)
--- a/tests/shell/testcases/chains/0018check_jump_loop_1
+++ b/tests/shell/testcases/chains/0018check_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table ip filter
-$NFT add chain ip filter ap1
+$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"
 $NFT add chain ip filter ap2
 $NFT add rule ip filter ap1 jump ap2
 

diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft
index ceef32242503b0e076afa48dc61e518b8d37c136..d197e123bd67931c48bf17ce11e839624d921bd4 100644 (file)
--- a/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft
+++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.json-nft
@@ -19,7 +19,11 @@
         "family": "ip",
         "table": "t",
         "name": "c1",
-        "handle": 0
+        "handle": 0,
+        "type": "filter",
+        "hook": "prerouting",
+        "prio": 0,
+        "policy": "accept"
       }
     },
     {

diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
index 7054cde459630a1baa9b41fe02c6d24f1b652f71..8d89bc40a6c4f30c6eab985da0ef85d232a70e21 100644 (file)
--- a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
+++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
@@ -1,5 +1,6 @@
 table ip t {
        chain c1 {
+               type filter hook prerouting priority filter; policy accept;
                jump c2
        }
 

diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft
index db64cdbcc44786a8014af6911c766429da20f544..af99873dbeda2e70d13331895baf5a6bb8fb2359 100644 (file)
--- a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft
+++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.json-nft
@@ -19,7 +19,11 @@
         "family": "ip",
         "table": "t",
         "name": "c",
-        "handle": 0
+        "handle": 0,
+        "type": "filter",
+        "hook": "input",
+        "prio": 0,
+        "policy": "accept"
       }
     }
   ]

diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
index 1e0d1d603739b95075d75dcf8b881f76ad3ac1ac..62fefaff185bb9a20e9b4465020a77d4293e66a9 100644 (file)
--- a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
+++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
@@ -1,4 +1,5 @@
 table ip t {
        chain c {
+               type filter hook input priority filter; policy accept;
        }
 }

diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft
index e1a2262fdf04fdb4adf65c02a041e4f3467f997d..75a4d895fc3e2f67d5af9336f4d3300b0fffb962 100644 (file)
--- a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft
+++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.json-nft
@@ -19,7 +19,11 @@
         "family": "ip",
         "table": "t",
         "name": "c1",
-        "handle": 0
+        "handle": 0,
+        "type": "filter",
+        "hook": "forward",
+        "prio": 0,
+        "policy": "accept"
       }
     },
     {

diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
index ca0a7378a584ff02d2ccbf0f28f5cea73a375b1d..d35736e8ded655e0f393d08791c7c019a8c3a08a 100644 (file)
--- a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
+++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
@@ -5,6 +5,7 @@ table ip t {
        }
 
        chain c1 {
+               type filter hook forward priority filter; policy accept;
                tcp dport vmap @m
        }
 

diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft
index 7294c8411b20037361c40188c091f84ff85f03e0..ac7e119958484839fba3adb052e705956c5d3f08 100644 (file)
--- a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft
+++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.json-nft
@@ -19,7 +19,11 @@
         "family": "ip",
         "table": "filter",
         "name": "ap1",
-        "handle": 0
+        "handle": 0,
+        "type": "filter",
+        "hook": "input",
+        "prio": 0,
+        "policy": "accept"
       }
     },
     {

diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
index 437900bc67934f1979924246c143487e92aa7a1b..bdd0ead778cb3c1822c7356a8f96ac68715fc671 100644 (file)
--- a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
+++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
@@ -1,5 +1,6 @@
 table ip filter {
        chain ap1 {
+               type filter hook input priority filter; policy accept;
                jump ap2
        }
 

diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
index e58c088c2e846e2e5d93a4b413e960c2fbab3b55..863bcde43aac7a40f240d93f122e6e9d87c63056 100755 (executable)
--- a/tests/shell/testcases/transactions/0023rule_1
+++ b/tests/shell/testcases/transactions/0023rule_1
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 RULESET="add table x
-add chain x y
+add chain x y { type filter hook input priority 0; }
 add rule x y jump y"
 
 # kernel must return ELOOP

diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop
index 2fd61810753dd2e9c78669f488cbbbb3fa40ffa0..3053d166c2863564a29d9caec27a212cef642dad 100755 (executable)
--- a/tests/shell/testcases/transactions/anon_chain_loop
+++ b/tests/shell/testcases/transactions/anon_chain_loop
@@ -3,7 +3,7 @@
 # anon chains with c1 -> c2 recursive jump, expect failure
 $NFT -f - <<EOF
 table ip t {
- chain c2 { }
+ chain c2 { type filter hook input priority 0; }
  chain c1 { }
 }