TESTDIR="./$(dirname $0)/"
RETURNCODE_SEPARATOR="_"
SRC_NFT="$(dirname $0)/../../src/nft"
-POSITIVE_RET=0
DIFF=$(which diff)
msg_error() {
do
kernel_cleanup
- rc_spec=$(awk -F${RETURNCODE_SEPARATOR} '{print $NF}' <<< $testfile)
-
msg_info "[EXECUTING] $testfile"
test_output=$(NFT=$NFT ${testfile} 2>&1)
rc_got=$?
echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line
- if [ "$rc_got" == "$rc_spec" ] ; then
+ if [ "$rc_got" -eq 0 ] ; then
# check nft dump only for positive tests
- rc_spec="${POSITIVE_RET}"
dumppath="$(dirname ${testfile})/dumps"
dumpfile="${dumppath}/$(basename ${testfile}).nft"
- if [ "$rc_got" == "${POSITIVE_RET}" ] && [ -f ${dumpfile} ]; then
+ rc_spec=0
+ if [ "$rc_got" -eq 0 ] && [ -f ${dumpfile} ]; then
test_output=$(${DIFF} ${dumpfile} <($NFT list ruleset) 2>&1)
rc_spec=$?
fi
- if [ "$rc_spec" == "${POSITIVE_RET}" ]; then
+ if [ "$rc_spec" -eq 0 ]; then
msg_info "[OK] $testfile"
[ "$VERBOSE" == "y" ] && [ ! -z "$test_output" ] && echo "$test_output"
((ok++))
- if [ "$DUMPGEN" == "y" ] && [ "$rc_got" == "${POSITIVE_RET}" ] && [ ! -f "${dumpfile}" ]; then
+ if [ "$DUMPGEN" == "y" ] && [ "$rc_got" == 0 ] && [ ! -f "${dumpfile}" ]; then
mkdir -p "${dumppath}"
nft list ruleset > "${dumpfile}"
fi
else
((failed++))
if [ "$VERBOSE" == "y" ] ; then
- msg_warn "[FAILED] $testfile: expected $rc_spec but got $rc_got"
+ msg_warn "[FAILED] $testfile: got $rc_got"
[ ! -z "$test_output" ] && echo "$test_output"
else
msg_warn "[FAILED] $testfile"
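Review bot: Line 33 compares the return code as a string, `[ "$rc_got" == 0 ]`, while the new checks on lines 16, 23 and 28 all use the numeric test `-eq`; writing it as `[ "$rc_got" -eq 0 ]` keeps the four checks uniform and makes clear that an integer exit status is being tested. The loop that encloses this hunk starts before line 7 and ends after line 44, so the initialisation of the `ok`/`failed` counters is not visible here.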
# this last jump should fail: too many links
$NFT add chain t c$((MAX_JUMPS + 1))
-$NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null
+
+$NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null || exit 0
echo "E: max jumps ignored?" >&2
+exit 1
done
# this last jump should fail: loop
-$NFT add rule t c${MAX_JUMPS} jump c1 2>/dev/null
+$NFT add rule t c${MAX_JUMPS} jump c1 2>/dev/null || exit 0
echo "E: loop of jumps ignored?" >&2
+exit 1
$NFT add chain t c1
$NFT add chain t c2
$NFT add rule t c1 jump c2
+
# kernel should return EBUSY
-$NFT delete chain t c2 2>/dev/null
+$NFT delete chain t c2 2>/dev/null || exit 0
echo "E: deleted a busy chain?" >&2
+exit 1
$NFT add chain t c1
$NFT add chain t c2
$NFT add rule t c1 tcp dport vmap { 1 : jump c2 }
+
# kernel should return EBUSY
-$NFT delete chain t c2 2>/dev/null
+$NFT delete chain t c2 2>/dev/null || exit 0
echo "E: deleted a busy chain?" >&2
+exit 1
$NFT add table t
$NFT add chain t c1 {type filter hook output priority 0 \; }
+
# wrong hook output, only postrouting is valid
-$NFT add rule t c1 masquerade 2>/dev/null
+$NFT add rule t c1 masquerade 2>/dev/null || exit 0
echo "E: accepted masquerade in output hook" >&2
+exit 1
$NFT add chain t output {type nat hook output priority 0 \; }
$NFT add chain t c1
$NFT add rule t c1 masquerade
+
# kernel should return EOPNOTSUPP
-$NFT add rule t output jump c1 2>/dev/null
+$NFT add rule t output jump c1 2>/dev/null || exit 0
echo "E: accepted masquerade in output hook" >&2
+exit 1
$NFT add chain t output {type nat hook output priority 0 \; }
$NFT add chain t c1
$NFT add rule t c1 masquerade
+
# kernel should return EOPNOTSUPP
-$NFT add rule t output tcp dport vmap {1 :jump c1 } 2>/dev/null
+$NFT add rule t output tcp dport vmap {1 :jump c1 } 2>/dev/null || exit 0
echo "E: accepted masquerade in output hook in a vmap" >&2
+exit 1
$NFT add table t
$NFT add chain t c
+
# kernel should return ELOOP
-$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null
+$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
$NFT add rule t c1 tcp dport vmap @m
# kernel should return ELOOP
-$NFT add element t m {1 : jump c1} 2>/dev/null
+$NFT add element t m {1 : jump c1} 2>/dev/null || exit 0
echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
$NFT add table t
$NFT add chain t prerouting {type filter hook prerouting priority 0 \; }
+
# wrong hook prerouting, only input/forward/output is valid
-$NFT add rule t prerouting reject 2>/dev/null
+$NFT add rule t prerouting reject 2>/dev/null || exit 0
echo "E: accepted reject in prerouting hook" >&2
+exit 1
$NFT add chain t c2
$NFT add t c1 jump c2
# kernel should return ENOENT
-$NFT add t c2 ip daddr vmap { 1 : jump c3 }
+
+$NFT add t c2 ip daddr vmap { 1 : jump c3 } || exit 0
echo "E: Jumped to non existing chain" >&2
+exit 1
$NFT add chain t input {type filter hook input priority 4 \; }
$NFT add chain t c1
$NFT add rule t input jump c1
+
# kernel should return EOPNOTSUPP
-$NFT add rule t c1 masquerade 2>/dev/null >&2
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+
+echo "E: Accepted masquerade rule in non-nat type base chain" 1>&2
+exit 1
$NFT add chain ip filter ap1
$NFT add chain ip filter ap2
$NFT add rule ip filter ap1 jump ap2
+
# kernel should return EOPNOTSUPP
-$NFT add rule ip filter ap1 jump ap1 2>/dev/null >&2
+$NFT add rule ip filter ap1 jump ap1 2>/dev/null >&2 || exit 0
+echo "E: Accepted jump-to-self"
+exit 1
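Review bot: The diagnostic added on line 149, `echo "E: Accepted jump-to-self"`, is written to stdout, whereas the equivalent messages added in the neighbouring hunks (lines 140 and 158) are sent to stderr with `1>&2`; change it to `echo "E: Accepted jump-to-self" 1>&2` so the failure is reported the same way as the other negative tests. The comment on line 146 names EOPNOTSUPP as the expected kernel error; I cannot confirm the errno from here, but the check does not depend on it since any non-zero exit takes the `|| exit 0` path.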
$NFT add chain t input {type filter hook input priority 4 \; }
$NFT add chain t c1
$NFT add rule t input ip saddr vmap { 1.1.1.1 : jump c1 }
+
# kernel should return EOPNOTSUPP
-$NFT add rule t c1 masquerade 2>/dev/null >&2
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+echo "E: accepted masquerade in chain from non-nat type basechain" 1>&2
+exit 1
#!/bin/bash
set -e
-
$NFT add table ip filter
$NFT add chain ip filter input { type filter hook input priority 0\; }
$NFT add rule ip filter a$i jump a$((i+1))
done
-$NFT add rule ip filter a10 jump a11
+$NFT add rule ip filter a10 jump a11 || exit 0
+echo "E: Expected 20th jump to fail due to jump stack exhaustion" 1>&2
+exit 1
set -e
$NFT add table ip x
-$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> /dev/null
+
+$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> /dev/null || exit 0
echo "E: dummy should not be a valid priority." >&2
+exit 1
if (($? == 0))
then
echo "E: srcnat should not be a valid priority name in $family $hook chains." >&2
- exit 0
+ exit 1
fi
done
done
-exit 1
+exit 0
if (($? == 0))
then
echo "E: dstnat should not be a valid priority name in $family $hook chains." >&2
- exit 0
+ exit 1
fi
done
done
-exit 1
+exit 0
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for arp family chains." >&2
- exit 0
+ exit 1
fi
done
done
-exit 1
+exit 0
hook=ingress
for prioname in raw mangle dstnat security srcnat
do
- $NFT add table $family x
+ $NFT add table $family x || exit 1
$NFT add chain $family x y "{ type filter hook $hook device lo priority $prioname; }" &> /dev/null
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for netdev family chains." >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
$NFT add chain x x
$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
$NFT add rule x x flow offload @y
-$NFT delete flowtable x y
+
+$NFT delete flowtable x y || exit 0
echo "E: delete flowtable in use"
+exit 1
if (($? == 0))
then
echo "E: $prioname should not be a valid priority name for flowtables" >&2
- exit 0
+ exit 1
fi
done
-exit 1
+exit 0
echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f $tmpfile 2>/dev/null || exit 0
echo "E: endless include loop" >&2
+exit 1
echo "$RULESET1" > $tmpfile1
-$NFT -f $tmpfile1
-if [ $? -eq 0 ] ; then
- echo "E: Failed to catch a missing include directory/file" >&2
- exit 1
-fi
+$NFT -f $tmpfile1 || exit 0
+echo "E: Failed to catch a missing include directory/file" >&2
+exit 1
echo "$RULESET2" > $tmpfile2
echo "$RULESET3" > $tmpfile3
-$NFT -f $tmpfile3
-
-if [ $? -eq 0 ] ; then
- echo "E: didn't catch a broken file in directory" >&2
- exit 1
-fi
+$NFT -f $tmpfile3 || exit 0
+echo "E: didn't catch a broken file in directory" >&2
+exit 1
echo "$RULESET2" > $tmpfile1
echo "$RULESET3" > $tmpfile3
-$NFT -f $tmpfile3
-
-if [ $? -eq 0 ] ; then
- echo "E: did not catch wrong file order in include directory" >&2
- exit 1
-fi
+$NFT -f $tmpfile3 || exit 0
+echo "E: did not catch wrong file order in include directory" >&2
+exit 1
$NFT add table ip filter
$NFT add chain ip filter output { type filter hook output priority 0 \; }
-$NFT add rule ip filter output meta mark set tcp dport map { 22 : 1, 23 : 192.168.0.1 }
+
+$NFT add rule ip filter output meta mark set tcp dport map { 22 : 1, 23 : 192.168.0.1 } || exit 0
+
echo "E: Added two different types of expression to map"
+exit 1
add rule t c ip saddr @s
"
-$NFT -f - <<< "$RULESET" 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null && exit 1
+exit 0
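Review bot: The negative check rewritten on lines 314-315 exits 1 without printing any diagnostic, unlike the other converted tests (for example line 403), which echo an `E:` line to stderr before `exit 1`; a failure here would show up in run-tests.sh as a bare `[FAILED]` with nothing explaining what was wrongly accepted. Consider `$NFT -f - <<< "$RULESET" 2>/dev/null && { echo "E: <placeholder: describe the ruleset that should have been rejected>" >&2; exit 1; }`, replacing the placeholder with the actual expectation. The same applies to the hunks ending at lines 320, 325 and 330; the RULESET definitions begin before each of these hunks.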
}
}"
-$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
}
}"
-$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
}
}"
-$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
[ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
exit 1
fi
+
+exit 0
$NFT add table test
$NFT add chain test test
$NFT add rule test test tcp dport 22 counter accept
-$NFT list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null
+( $NFT list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null ) && exit 1
+
+exit 0
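Review bot: The grep pattern on line 340 is only partly quoted: `'accept # handle '[[:digit:]]$` leaves `[[:digit:]]$` outside the quotes, so the shell attempts pathname expansion on that word before grep receives it, and the subshell around the pipeline is unnecessary because a pipeline's exit status is already that of its last command. `$NFT list table test | grep -q 'accept # handle [[:digit:]]$' && exit 1` performs the same check with the whole pattern quoted and without the redirect to /dev/null.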
$NFT $cmd rule t c $keyword 5 drop 2>/dev/null || continue
echo "E: invalid $keyword value allowed in $cmd command" >&2
- exit 0
+ exit 1
done
done
-exit 1
+exit 0
$NFT add table t
$NFT add chain t c
# kernel should return ENOENT
-$NFT replace rule t c handle 2 drop 2>/dev/null
+
+$NFT replace rule t c handle 2 drop 2>/dev/null || exit 0
echo "E: missing kernel ENOENT" >&2
+exit 1
set -e
$NFT add table t
$NFT add chain t c
+
# position keyword with replace action is not allowed, this should fail
-$NFT replace rule t c position 2 drop 2>/dev/null
+$NFT replace rule t c position 2 drop 2>/dev/null || exit 0
echo "E: allowed replace with position specification" >&2
+exit 1
set -e
$NFT add table t
$NFT add chain t c
+
# this should fail, we don't allow delete with position
-$NFT delete rule t c position 2 drop 2>/dev/null
+$NFT delete rule t c position 2 drop 2>/dev/null || exit 0
echo "E: allowed position spec with delete action" >&2
+exit 1
set -e
$NFT add table t
$NFT add chain t c
+
# kernel ENOENT
-$NFT delete rule t c handle 3333 2>/dev/null
+$NFT delete rule t c handle 3333 2>/dev/null || exit 0
echo "E: missing kernel ENOENT" >&2
+exit 1
$NFT add set x s {type ipv4_addr\; size 2\;}
$NFT add element x s {1.1.1.1}
$NFT add element x s {1.1.1.2}
-$NFT add element x s {1.1.1.3}
+
+$NFT add element x s {1.1.1.3} || exit 0
+echo "E: Accepted 3rd element in a table with max size of 2" 1>&2
+exit 1
#!/bin/bash
-set -e
-
RULESET="add table x
add chain x y
delete chain x y
delete chain x y"
-$NFT -f - <<< "$RULESET" 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
echo "E: allowing double-removal of chain" >&2
+exit 1
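Review bot: Dropping `set -e` on line 395 does not appear to be required by the change: the expected-failure command on line 402 is already guarded with `|| exit 0`, which errexit leaves alone, and without `set -e` any setup command later added to this script would no longer abort the test when it fails. Unless the removal is needed for a reason not visible in the hunk, keeping `set -e` is the safer default. The same removal appears in the hunks ending at lines 416, 427 and 440.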
#!/bin/bash
-set -e
-
RULESET="add table x
add chain x y
delete chain x y
add rule x y jump y"
# kernel must return ENOENT
-$NFT -f - <<< "$RULESET" 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
echo "E: allowing jump loop to unexisting chain"
+exit 1
#!/bin/bash
-set -e
-
RULESET="add table x
add chain x y
add rule x y jump y"
# kernel must return ELOOP
-$NFT -f - <<< "$RULESET" 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
echo "E: allowing jump to chain loop"
+exit 1
#!/bin/bash
-set -e
-
RULESET="add table x
add set x y { type ipv4_addr; }
add element x y { 1.1.1.1, 2.2.2.2 }
delete element x y { 1.1.1.1 }
delete element x y { 1.1.1.1 }"
-$NFT -f - <<< "$RULESET" 2> /dev/null
+$NFT -f - <<< "$RULESET" 2> /dev/null || exit 0
# Kernel must return ENOENT
echo "E: allowing double-removal of element"
+exit 1