# without typeof, this is 'type string' and 'type integer',
# but neither could be used because it lacks size information.
-OSFMAP=""
-OSFRULE=""
-if [ "$NFT_TEST_HAVE_osf" != n ] ; then
- OSFMAP="map m1 {
- typeof osf name : ct mark
- elements = { "Linux" : 0x00000001 }
- }"
- OSFRULE="ct mark set osf name map @m1"
+set -e
+
+die() {
+ printf '%s\n' "$*"
+ exit 1
+}
+
+INPUT_OSF_CT="
+ ct mark set osf name map @m1"
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+ INPUT_OSF_CT=
fi
-EXPECTED="table inet t {
- $OSFMAP
+INPUT="table inet t {
+ map m1 {
+ typeof osf name : ct mark
+ elements = { Linux : 0x00000001 }
+ }
map m2 {
typeof vlan id : mark
elements = { 23 . eth0 : accept }
}
- chain c {
- $OSFRULE
+ chain c {$INPUT_OSF_CT
ether type vlan meta mark set vlan id map @m2
meta mark set ip saddr . ip daddr map @m3
iifname . ip protocol . th dport vmap @m4
}
}"
-set -e
-$NFT -f - <<< $EXPECTED
+EXPECTED="table inet t {
+ map m1 {
+ typeof osf name : ct mark
+ elements = { \"Linux\" : 0x00000001 }
+ }
+
+ map m2 {
+ typeof vlan id : meta mark
+ elements = { 1 : 0x00000001, 4095 : 0x00004095 }
+ }
+
+ map m3 {
+ typeof ip saddr . ip daddr : meta mark
+ elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001,
+ 2.3.4.5 . 6.7.8.9 : 0x00000002 }
+ }
+
+ map m4 {
+ typeof iifname . ip protocol . th dport : verdict
+ elements = { \"eth0\" . tcp . 22 : accept }
+ }
+
+ map m5 {
+ typeof ipsec in reqid . iifname : verdict
+ elements = { 23 . \"eth0\" : accept }
+ }
+
+ chain c {$INPUT_OSF_CT
+ meta mark set vlan id map @m2
+ meta mark set ip saddr . ip daddr map @m3
+ iifname . ip protocol . th dport vmap @m4
+ iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop }
+ ipsec in reqid . iifname vmap @m5
+ }
+}"
+
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
+
if [ "$NFT_TEST_HAVE_osf" = n ] ; then
- echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
- exit 77
+ echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+ exit 77
fi
# s1 and s2 are identical, they just use different
# ways for declaration.
-OSFSET=""
-OSFCHAIN=""
-if [ "$NFT_TEST_HAVE_osf" != n ] ; then
- OSFSET="set s1 {
+set -e
+
+die() {
+ printf '%s\n' "$*"
+ exit 1
+}
+
+INPUT_OSF_SET="
+ set s1 {
typeof osf name
elements = { \"Linux\" }
- }"
- OSFCHAIN="chain c1 {
+ }
+"
+INPUT_OSF_CHAIN="
+ chain c1 {
osf name @s1 accept
- }"
-fi
+ }
+"
-EXPECTED="table inet t {
- $OSFSET
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+ if [ "$((RANDOM % 2))" -eq 1 ] ; then
+ # Regardless of $NFT_TEST_HAVE_osf, we can define the set.
+ # Randomly do so.
+ INPUT_OSF_SET=
+ fi
+ INPUT_OSF_CHAIN=
+fi
+INPUT="table inet t {$INPUT_OSF_SET
set s2 {
typeof vlan id
elements = { 2, 3, 103 }
typeof vlan id . ip saddr
elements = { 3567 . 1.2.3.4 }
}
-
- $OSFCHAIN
-
+$INPUT_OSF_CHAIN
chain c2 {
ether type vlan vlan id @s2 accept
}
}
}"
-set -e
-$NFT -f - <<< $EXPECTED
+EXPECTED="table inet t {$INPUT_OSF_SET
+ set s2 {
+ typeof vlan id
+ elements = { 2, 3, 103 }
+ }
+
+ set s3 {
+ typeof meta ibrpvid
+ elements = { 2, 3, 103 }
+ }
+
+ set s4 {
+ typeof frag frag-off
+ elements = { 1, 1024 }
+ }
+
+ set s5 {
+ typeof ip option ra value
+ elements = { 1, 1024 }
+ }
+
+ set s6 {
+ typeof tcp option maxseg size
+ elements = { 1, 1024 }
+ }
+
+ set s7 {
+ typeof sctp chunk init num-inbound-streams
+ elements = { 1, 4 }
+ }
+
+ set s8 {
+ typeof ip version
+ elements = { 4, 6 }
+ }
+
+ set s9 {
+ typeof ip hdrlength
+ elements = { 0, 1, 2, 3, 4,
+ 15 }
+ }
+
+ set s10 {
+ typeof iifname . ip saddr . ipsec in reqid
+ elements = { \"eth0\" . 10.1.1.2 . 42 }
+ }
+
+ set s11 {
+ typeof vlan id . ip saddr
+ elements = { 3567 . 1.2.3.4 }
+ }
+$INPUT_OSF_CHAIN
+ chain c2 {
+ vlan id @s2 accept
+ }
+
+ chain c4 {
+ frag frag-off @s4 accept
+ }
+
+ chain c5 {
+ ip option ra value @s5 accept
+ }
+
+ chain c6 {
+ tcp option maxseg size @s6 accept
+ }
+
+ chain c7 {
+ sctp chunk init num-inbound-streams @s7 accept
+ }
+
+ chain c8 {
+ ip version @s8 accept
+ }
+
+ chain c9 {
+ ip hdrlength @s9 accept
+ }
+
+ chain c10 {
+ iifname . ip saddr . ipsec in reqid @s10 accept
+ }
+
+ chain c11 {
+ vlan id . ip saddr @s11 accept
+ }
+}"
+
+
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
if [ "$NFT_TEST_HAVE_osf" = n ] ; then
echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
projects / thirdparty / nftables.git / commitdiff
