set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
TMP=$(mktemp)
echo "$RULESET" >> "$TMP"
$NFT "flush ruleset;include \"$TMP\""
rule_handle=$($NFT list ruleset -a | awk '/saddr/{print $NF}')
$NFT delete rule inet test test handle $rule_handle
$NFT delete set inet test test
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
192.168.0.1/24,
}"
-$NFT -f - <<< $RULESET
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET"
}
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
RULESET_JSON=$($NFT export vm json)
$NFT flush ruleset
-$NFT import vm json <<< $RULESET_JSON
+$NFT import vm json <<< "$RULESET_JSON"
add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }"
set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
n=2
$NFT "add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }"
exit 1
fi
-$IP netns exec $NETNS_NAME $NFT -f - <<< $RULESET
+$IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset in netns" >&2
$IP netns del $NETNS_NAME
exit 1
fi
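Review bot: `$NETNS_NAME` on the changed `ip netns exec` line stays unquoted while `$RULESET` is now quoted, so the word-splitting and globbing exposure the commit removes for the ruleset remains for the namespace name on that line; the same applies to the indented variant in the next hunk and to the `$IP netns del $NETNS_NAME` cleanup lines that follow each load. Suggest `$IP netns exec "$NETNS_NAME" $NFT -f - <<< "$RULESET"` and `$IP netns del "$NETNS_NAME"`. Whether `$IP` and `$NFT` deliberately carry extra arguments (and so must stay unquoted) is not visible in this hunk. The enclosing block continues outside the hunk.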
- $IP netns exec $NETNS_NAME $NFT -f - <<< $RULESET
+ $IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset in netns" >&2
$IP netns del $NETNS_NAME
set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
generate2 $family
done)
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset 2" >&2
exit 1
add rule t c ip saddr @s
"
-$NFT -f - <<< $RULESET 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null
}
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
}
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
add element inet filter whitelist_v4 \$whitelist_v4
"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
}"
set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
}
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
}
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
}
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
}
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
GET="$($NFT list ruleset)"
}"
set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
"
set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
add rule t c ip saddr @s
"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
ret=$?
trap - EXIT
192.168.0.1/24,
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
# make sure flush ruleset works right
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
}
}'
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load ruleset" >&2
exit 1
add rule t c tcp dport 80 meter f size 1024 {ip saddr limit rate 10/second}
"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
# Commands that should be invalid
}"
set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
}"
set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
}
"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
add rule x test set update ip daddr timeout 100ms @y"
set -e
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s5ms }'
$NFT list chain x test | grep -q 'update @y { ip daddr timeout 100ms }'
add table x
add table y"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add table x
add table x { flags dormant; }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add table y
flush ruleset"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add table w
add chain w y"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add chain x y { type filter hook input priority 0; }
add chain x y { policy drop; }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add table w
add chain w y { type filter hook output priority 0; }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add table w
add chain w y { type filter hook output priority 0; }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
delete chain x y
delete chain x y"
-$NFT -f - <<< $RULESET 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null
echo "E: allowing double-removal of chain" >&2
add chain x z
add rule x z jump y"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
delete chain x y
delete table x"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add rule x y ip saddr 1.1.1.1 counter
flush ruleset"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add chain x y
add rule x y ip saddr 2.2.2.2 counter"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add rule x y jump y"
# kernel must return ENOENT
-$NFT -f - <<< $RULESET 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null
echo "E: allowing jump loop to unexisting chain"
add rule x y jump y"
# kernel must return ELOOP
-$NFT -f - <<< $RULESET 2>/dev/null
+$NFT -f - <<< "$RULESET" 2>/dev/null
echo "E: allowing jump to chain loop"
flush ruleset
add table x"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
delete set x y
add set x y { type ipv4_addr; }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add table w
add set w y { type ipv4_addr; }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add set x y { type ipv4_addr; }
delete set x y"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add element x y { 1.1.1.1 }
delete element x y { 1.1.1.1 }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
delete element x y { 2.2.2.2 }
add element x y { 3.3.3.3 }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
delete element x y { 1.1.1.1 }
delete element x y { 1.1.1.1 }"
-$NFT -f - <<< $RULESET 2> /dev/null
+$NFT -f - <<< "$RULESET" 2> /dev/null
# Kernel must return ENOENT
echo "E: allowing double-removal of element"
add element x y { 1.1.1.0/24 }
delete element x y { 1.1.1.0/24 }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
delete element x y { 192.168.2.0/24 }
add element x y { 192.168.4.0/24 }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
delete element x y { 192.168.2.0/24 }
add element x y { 192.168.4.0/24 }"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
chain CIn_1 {
}
}"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
RULESET="delete element ip filter client_to_any { 1.2.3.4 : goto CIn_1 }
delete chain ip filter CIn_1"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
if [ $? -ne 0 ] ; then
echo "E: unable to load good ruleset" >&2
exit 1
add chain ip t c { type nat hook postrouting priority 0; }
"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"
RULESET="
flush ruleset
$RULESET
"
-$NFT -f - <<< $RULESET
+$NFT -f - <<< "$RULESET"