<term><option>-f, --file <replaceable>filename</replaceable></option></term>
<listitem>
<para>
- Read input from <replaceable>filename</replaceable>.
+ Read input from <replaceable>filename</replaceable>. If <replaceable>filename</replaceable> is <literal>-</literal>, read from <literal>stdin</literal>.
</para>
<para>
nft scripts must start <command>#!/usr/sbin/nft -f</command>
if (rc < 0)
return -1;
+ if (!strcmp(filename, "-"))
+ filename = "/dev/stdin";
+
parser_init(nft->nf_sock, &nft->cache, &state,
&msgs, nft->debug_mask, &nft->output);
scanner = scanner_init(&state);
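Review bot: Mapping `-` to the path `/dev/stdin` is not the same as reading fd 0: whatever opens `filename` later will open() that path afresh, which on Linux resolves through `/proc/self/fd/0` and fails with ENXIO when stdin is a socket, and fails outright on systems that have no `/dev/stdin` alias. If the scanner can be handed an already-open stream, binding it to `STDIN_FILENO` (for example via `fdopen()`) would be more robust; otherwise the limitation should be stated next to the assignment, e.g. `/* "-" is mapped to the /dev/stdin path alias; needs a Linux-style /dev and does not work when fd 0 is a socket */`. Any error reported for the open will also name `/dev/stdin` rather than the `-` the user typed. The enclosing function starts and ends outside this hunk, and whether `filename` can be NULL at this point is not visible.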
#!/bin/bash
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET='
table inet test {
set test {
type ipv4_addr
ip saddr @test counter accept
ip daddr { 2.2.2.2} counter accept
}
-}" > $tmpfile
+}'
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
rule_handle=$($NFT list ruleset -a | awk '/saddr/{print $NF}')
$NFT delete rule inet test test handle $rule_handle
$NFT delete set inet test test
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
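Review bot: The here-string operand in `$NFT -f - <<< $RULESET` is left unquoted; bash does not word-split or glob a here-string, so this works, but quoting it as `$NFT -f - <<< "$RULESET"` makes that intent explicit and keeps shellcheck quiet. Every converted test in this commit uses the same unquoted form, including the `$EXPECTED`, `$GOOD_RULESET`, `$BAD_RULESET` and `$RULESET_JSON` here-strings in the later hunks, so the quoting is best applied uniformly rather than per file.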
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="flush ruleset
table inet t {
set s { type ipv4_addr; flags interval; }
192.168.0.1/24,
}"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
+$NFT -f - <<< $RULESET
#!/bin/bash
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-
EXPECTED='table inet t {
flowtable f {
hook ingress priority 10
}
}'
-echo "$EXPECTED" > $tmpfile
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $EXPECTED
#!/bin/bash
-tmpfile=$(mktemp)
-
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="table ip mangle {
set blackhole {
type ipv4_addr
}
}"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
-$NFT export vm json > $tmpfile
+$NFT -f - <<< $RULESET
+RULESET_JSON=$($NFT export vm json)
$NFT flush ruleset
-cat $tmpfile | $NFT import vm json
+$NFT import vm json <<< $RULESET_JSON
# shows how disjoint intervals are seen as overlaps
# NOTE this is only an issue with two separate nft calls
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
n=1
-echo "add table x
+RULESET="add table x
add map x y { type ipv4_addr : ipv4_addr; flags interval; }
-add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }" > $tmpfile
+add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }"
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
n=2
-echo "add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }" > $tmpfile
-
-$NFT -f $tmpfile
-
+$NFT "add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }"
# support for ifname in named maps
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
EXPECTED="table inet t {
map m1 {
type ifname : ipv4_addr
}"
set -e
-echo "$EXPECTED" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $EXPECTED
exit 1
fi
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="table ip t {
set s {
type ipv4_addr
exit 1
fi
-echo "$RULESET" > $tmpfile
-$IP netns exec $NETNS_NAME $NFT -f $tmpfile
+$IP netns exec $NETNS_NAME $NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset in netns" >&2
$IP netns del $NETNS_NAME
exit 1
fi
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="table ip t {
set s {
type ipv4_addr
}
}"
-echo "$RULESET" > $tmpfile
-
function test_netns()
{
local NETNS_NAME=$1
exit 1
fi
- $IP netns exec $NETNS_NAME $NFT -f $tmpfile
+ $IP netns exec $NETNS_NAME $NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset in netns" >&2
$IP netns del $NETNS_NAME
# tests for commit 85d6803 (parser_bison: initializer_expr must use rhs_expr)
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
define net = 1.1.1.1/24
-" > $tmpfile
+"
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
# test a kernel rollback operation
# fail reason: rule
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
GOOD_RULESET="table ip t {
set t {
type ipv4_addr
}
}"
-echo "$GOOD_RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $GOOD_RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
fi
-echo "$BAD_RULESET" > $tmpfile
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f - <<< $BAD_RULESET 2>/dev/null
if [ $? -eq 0 ] ; then
echo "E: bogus ruleset loaded?" >&2
exit 1
# test a kernel rollback operation
# fail reason: invalid jump
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
GOOD_RULESET="table ip t {
set t {
type ipv4_addr
}
}"
-echo "$GOOD_RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $GOOD_RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
fi
-echo "$BAD_RULESET" > $tmpfile
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f - <<< $BAD_RULESET 2>/dev/null
if [ $? -eq 0 ] ; then
echo "E: bogus ruleset loaded?" >&2
exit 1
# test a kernel rollback operation
# fail reason: invalid set
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
GOOD_RULESET="table ip t {
set t {
type ipv4_addr
}
}"
-echo "$GOOD_RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $GOOD_RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
fi
-echo "$BAD_RULESET" > $tmpfile
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f - <<< $BAD_RULESET 2>/dev/null
if [ $? -eq 0 ] ; then
echo "E: bogus ruleset loaded?" >&2
exit 1
# test a kernel rollback operation
# fail reason: invalid map
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
GOOD_RULESET="table ip t {
set t {
type ipv4_addr
}
}"
-echo "$GOOD_RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $GOOD_RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
fi
-echo "$BAD_RULESET" > $tmpfile
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f - <<< $BAD_RULESET 2>/dev/null
if [ $? -eq 0 ] ; then
echo "E: bogus ruleset loaded?" >&2
exit 1
# test loading a ruleset with the 'action object' pattern
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -f $tmpfile" EXIT # cleanup if aborted
-
set -e
FAMILIES="ip ip6 inet arp bridge"
add element $family t m {10080:drop}
insert rule $family t c meta l4proto tcp tcp dport vmap @m
add rule $family t c meta l4proto udp udp sport vmap {1111:accept}
- " >> $tmpfile
+ "
}
generate2()
delete element $family t s {8080}
delete chain $family t c
delete table $family t
- " >> $tmpfile
+ "
}
-for family in $FAMILIES ; do
+RULESET=$(for family in $FAMILIES ; do
generate1 $family
-done
+done)
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset 1" >&2
exit 1
fi
-echo "" > $tmpfile
-for family in $FAMILIES ; do
+RULESET=$(for family in $FAMILIES ; do
generate2 $family
-done
+done)
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset 2" >&2
exit 1
# test for a segfault if bad syntax was used in set declaration
# and the set is referenced in the same batch
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -f $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
add table t
add chain t c
add set t s {type ipv4_addr\;}
add rule t c ip saddr @s
-" > $tmpfile
+"
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f - <<< $RULESET 2>/dev/null
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="table inet filter {
chain ssh {
type filter hook input priority 0; policy accept;
}
}"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="define concat-set-variable = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
table inet forward {
}
}"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="define whitelist_v4 = { 1.1.1.1 }
table inet filter {
add element inet filter whitelist_v4 \$whitelist_v4
"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
# tests different spots, datatypes and usages for nft defines
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
define d_iifname = whatever
define d_oifname = \$d_iifname
define d_iif = lo
tcp dport \$d_ports
udp dport vmap { \$d_ports : accept }
}
-}" >> $tmpfile
+}"
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
define var2 = \$var1
define var1 = lo
chain c {
iif \$var2
}
-}" >> $tmpfile
+}"
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
define var1 = lo
define var1 = lo
chain c {
iif \$var1
}
-}" >> $tmpfile
+}"
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
define var1 = \$var1
table ip t {
chain c {
iif \$var1
}
-}" >> $tmpfile
+}"
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
table ip x {
chain y {
define unused = 4.4.4.4
ip saddr $address
undefine unused
}
-}" >> $tmpfile
+}"
EXPECTED="table ip x {
chain y {
}
}"
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
GET="$($NFT list ruleset)"
# * creating a valid interval set
# * referencing it from a valid rule
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
table inet t {
set s1 {
type ipv4_addr
ip6 nexthdr @s3 accept
tcp dport @s4 accept
}
-}" > $tmpfile
+}"
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
#!/bin/bash
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
table ip t {
map sourcemap {
type ipv4_addr : verdict;
}
add chain t c
add element t sourcemap { 100.123.10.2 : jump c }
-" > $tmpfile
+"
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
# In this case, nft should error out because the set doesn't exist instead of
# segfaulting
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
add table t
add chain t c
add set t s {type ipv4_addr\;}
add rule t c ip saddr @s
-" >$tmpfile
+"
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
ret=$?
trap - EXIT
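Review bot: `trap - EXIT` on the last line of this hunk now resets a trap that is never installed, because the `trap "rm -rf $tmpfile" EXIT` line above it is removed by this commit; the line is dead and should be dropped along with the rest of the tmpfile bookkeeping, leaving `ret=$?` on its own. The remainder of this script is outside the hunk, so if a different EXIT trap is installed elsewhere the reset may still be intentional — worth a quick check before deleting.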
#!/bin/bash
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "flush ruleset
+RULESET="flush ruleset
add table t
add chain t c
add element inet filter blacklist_v4 {
192.168.0.1/24,
-}" >$tmpfile
+}"
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
# make sure flush ruleset works right
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-#trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET='
define set1 = {
2.2.2.0/24,
}
}'
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset" >&2
exit 1
# This tests the selectiveness of flush command on structures that use the
# generic set infrastructure (sets, maps and meters).
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
add table t
add chain t c
add set t s {type ipv4_addr;}
add map t m {type ipv4_addr : inet_service;}
add rule t c tcp dport 80 meter f {ip saddr limit rate 10/second}
-" >$tmpfile
+"
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
# Commands that should be invalid
for i in "${cmds[@]}"
do
- echo "$i" >$tmpfile
- $NFT -f $tmpfile &>/dev/null
+ $NFT "$i" &>/dev/null
ret=$?
if [ $ret -eq 0 ]; then
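Review bot: Replacing `$NFT -f $tmpfile` with `$NFT "$i"` changes which parser path the invalid commands exercise: each entry is now parsed from argv rather than as a script through `-f`, so this test no longer covers the file/stdin parser that the rest of the commit is about. `$NFT -f - <<< "$i" &>/dev/null` keeps the original coverage while still dropping the temp file. The `cmds` array is defined outside the hunk, so whether any entry relies on script-only syntax such as comments or several statements per line cannot be seen here. The interval-overlap test makes the same argv substitution at its `$NFT "add element x y ..."` line.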
# * creating valid named objects
# * referencing them from a valid rule
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
table inet x {
counter user123 {
packets 12 bytes 1433
counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"}
quota name ip saddr map @test drop
}
-}" > $tmpfile
+}"
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
# * creating valid named limits
# * referencing them from a valid rule
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
table ip filter {
limit http-traffic {
rate 1/second
type filter hook input priority 0; policy accept;
limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
}
-}" > $tmpfile
+}"
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "
+RULESET="
table inet t {
set s {
type ipv6_addr
elements = { ::ffff:0.0.0.0/96 }
}
}
-" > $tmpfile
+"
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
# support for ifname in named sets
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
EXPECTED="table inet t {
set s {
type ifname
}"
set -e
-echo "$EXPECTED" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $EXPECTED
#!/bin/bash
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
-echo "add table x
-add set x y { type ipv4_addr; size 128; timeout 30s; }" > $tmpfile
+RULESET="add table x
+add set x y { type ipv4_addr; size 128; timeout 30s; }"
set -e
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
delete table x
add table x
add table y"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
delete table x
add table x
add table x { flags dormant; }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add table y
flush ruleset"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
flush ruleset
add table w
add chain w y"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
delete chain x y
add chain x y { type filter hook input priority 0; }
add chain x y { policy drop; }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
flush ruleset
add table w
add chain w y { type filter hook output priority 0; }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
delete chain x y
add table w
add chain w y { type filter hook output priority 0; }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
delete chain x y
delete chain x y"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f - <<< $RULESET 2>/dev/null
echo "E: allowing double-removal of chain" >&2
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
add rule x y ip saddr 1.1.1.1 counter
flush ruleset"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
add rule x y ip saddr 1.1.1.1 counter
add chain x y
add rule x y ip saddr 2.2.2.2 counter"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
delete chain x y
add rule x y jump y"
-echo "$RULESET" > $tmpfile
# kernel must return ENOENT
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f - <<< $RULESET 2>/dev/null
echo "E: allowing jump loop to unexisting chain"
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add chain x y
add rule x y jump y"
-echo "$RULESET" > $tmpfile
# kernel must return ELOOP
-$NFT -f $tmpfile 2>/dev/null
+$NFT -f - <<< $RULESET 2>/dev/null
echo "E: allowing jump to chain loop"
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; }
flush ruleset
add table x"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; }
delete set x y
add set x y { type ipv4_addr; }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; }
flush ruleset
add table w
add set w y { type ipv4_addr; }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; }
delete set x y"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; }
add element x y { 1.1.1.1 }
delete element x y { 1.1.1.1 }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; }
add element x y { 1.1.1.1, 2.2.2.2 }
delete element x y { 2.2.2.2 }
add element x y { 3.3.3.3 }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; }
add element x y { 1.1.1.1, 2.2.2.2 }
delete element x y { 1.1.1.1 }
delete element x y { 1.1.1.1 }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile 2> /dev/null
+$NFT -f - <<< $RULESET 2> /dev/null
# Kernel must return ENOENT
echo "E: allowing double-removal of element"
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; flags interval;}
add element x y { 1.1.1.0/24 }
delete element x y { 1.1.1.0/24 }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; flags interval;}
add element x y { 192.168.0.0/24, 192.168.2.0/24 }
delete element x y { 192.168.2.0/24 }
add element x y { 192.168.4.0/24 }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="add table x
add set x y { type ipv4_addr; flags interval;}
add element x y { 192.168.0.0/24, 192.168.2.0/24 }
delete element x y { 192.168.2.0/24 }
add element x y { 192.168.4.0/24 }"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
set -e
-tmpfile=$(mktemp)
-if [ ! -w $tmpfile ] ; then
- echo "Failed to create tmp file" >&2
- exit 0
-fi
-
-trap "rm -rf $tmpfile" EXIT # cleanup if aborted
-
RULESET="table ip filter {
map client_to_any {
type ipv4_addr : verdict
chain CIn_1 {
}
}"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
RULESET="delete element ip filter client_to_any { 1.2.3.4 : goto CIn_1 }
delete chain ip filter CIn_1"
-echo "$RULESET" > $tmpfile
-$NFT -f $tmpfile
+$NFT -f - <<< $RULESET
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1