From: Florian Westphal Date: Sun, 29 Jun 2025 08:30:41 +0000 (+0200) Subject: tests: shell: add optimize dump files X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5611a4c8665e5edf78fa80cf0212d034c550000e;p=thirdparty%2Fnftables.git tests: shell: add optimize dump files nomerge_vmap gains a nodump file, the test uses --check. Signed-off-by: Florian Westphal
---
diff --git a/tests/shell/testcases/optimizations/dumps/bitmask.json-nft b/tests/shell/testcases/optimizations/dumps/bitmask.json-nft
new file mode 100644
index 00000000..45ca199d
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/bitmask.json-nft
@@ -0,0 +1,242 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "ack_chain",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "urg_chain",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "t",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "protocol": "tcp",
+ "field": "flags"
+ }
+ },
+ {
+ "|": [
+ "syn",
+ "rst",
+ "ack",
+ "urg"
+ ]
+ }
+ ]
+ },
+ "right": {
+ "|": [
+ "ack",
+ "urg"
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "protocol": "tcp",
+ "field": "flags"
+ }
+ },
+ {
+ "|": [
+ "fin",
+ "syn",
+ "rst",
+ "ack",
+ "urg"
+ ]
+ }
+ ]
+ },
+ "right": {
+ "set": [
+ {
+ "|": [
+ "fin",
+ "ack",
+ "urg"
+ ]
+ },
+ {
+ "|": [
+ "fin",
+ "ack"
+ ]
+ },
+ "fin",
+ {
+ "|": [
+ "syn",
+ "ack"
+ ]
+ },
+ "syn",
+ {
+ "|": [
+ "rst",
+ "ack"
+ ]
+ },
+ "rst",
+ {
+ "|": [
+ "ack",
+ "urg"
+ ]
+ },
+ "ack"
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "protocol": "tcp",
+ "field": "flags"
+ }
+ },
+ {
+ "|": [
+ "rst",
+ "ack",
+ "urg"
+ ]
+ }
+ ]
+ },
+ "right": {
+ "|": [
+ "rst",
+ "ack"
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "t",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "&": [
+ {
+ "payload": {
+ "protocol": "tcp",
+ "field": "flags"
+ }
+ },
+ {
+ "|": [
+ "ack",
+ "urg"
+ ]
+ }
+ ]
+ },
+ "data": {
+ "set": [
+ [
+ "ack",
+ {
+ "jump": {
+ "target": "ack_chain"
+ }
+ }
+ ],
+ [
+ "urg",
+ {
+ "jump": {
+ "target": "urg_chain"
+ }
+ }
+ ]
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_counter.json-nft b/tests/shell/testcases/optimizations/dumps/merge_counter.json-nft
new file mode 100644
index 00000000..3fdb0581
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_counter.json-nft
@@ -0,0 +1,203 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ {
+ "elem": {
+ "val": "invalid",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ],
+ [
+ {
+ "elem": {
+ "val": "established",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ],
+ [
+ {
+ "elem": {
+ "val": "related",
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": {
+ "set": [
+ 80,
+ 123
+ ]
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "vmap": {
+ "key": {
+ "concat": [
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ }
+ ]
+ },
+ "data": {
+ "set": [
+ [
+ {
+ "elem": {
+ "val": {
+ "concat": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ],
+ [
+ {
+ "elem": {
+ "val": {
+ "concat": [
+ "1.1.1.2",
+ "3.3.3.3"
+ ]
+ },
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.json-nft b/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.json-nft
new file mode 100644
index 00000000..aacdd00d
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.json-nft
@@ -0,0 +1,84 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "prerouting",
+ "prio": -300,
+ "policy": "accept"
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "comment": "sl",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "base": "th",
+ "offset": 160,
+ "len": 32
+ }
+ },
+ "right": 41118720
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "comment": "pizzaseo.com",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "base": "th",
+ "offset": 160,
+ "len": 112
+ }
+ },
+ "right": "0x870697a7a6173656f03636f6d00"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.nft b/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.nft
new file mode 100644
index 00000000..e68a4889
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/nomerge_raw_payload.nft
@@ -0,0 +1,7 @@
+table ip x {
+ chain y {
+ type filter hook prerouting priority raw; policy accept;
+ @th,160,32 0x2736c00 drop comment "sl"
+ @th,160,112 0x870697a7a6173656f03636f6d00 drop comment "pizzaseo.com"
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/nomerge_vmap.nodump b/tests/shell/testcases/optimizations/dumps/nomerge_vmap.nodump
new file mode 100644
index 00000000..e69de29b
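Review bot: In nomerge_raw_payload.json-nft the `right` operand changes JSON type between the two rules: the 32-bit match is dumped as the number `41118720`, the 112-bit match as the string `"0x870697a7a6173656f03636f6d00"`. That string carries 27 hex digits for a `"len": 112` payload (28 nibbles), so the leading zero is dropped and any tool that audits rulesets from the JSON output has to accept both types and left-pad to `len` before comparing bytes. Since this dump now pins that representation as expected output, I would record it in the commit message, e.g. `nomerge_raw_payload.json-nft: "right" is a number for the 32-bit match and a hex string for the 112-bit one`. The values themselves agree with the .nft dump added alongside (`0x2736c00` is 41118720).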