tests: Add test cases for nested anonymous sets

This makes sure nesting of anonymous sets works regardless of whether
defines are used or not. As a side-effect, it also checks that overlap
checking when IP address prefixes are used, works.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
index 4cca02b61ff041a62fd3065f165740e17ea9429d..4d14e8253e528b498fe73c7756514bc912887bb9 100644 (file)
--- a/tests/py/ip/sets.t
+++ b/tests/py/ip/sets.t
@@ -46,3 +46,7 @@ ip saddr != @set33 drop;fail
 ?set4 192.168.2.0/24;ok
 ?set4 192.168.1.1;fail
 ?set4 192.168.3.0/24;ok
+
+# test nested anonymous sets
+ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 };ok;ip saddr { 1.1.1.0, 2.2.2.0, 3.3.3.0 }
+ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 };ok;ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 }

diff --git a/tests/py/ip/sets.t.payload.inet b/tests/py/ip/sets.t.payload.inet
index 6d8d6bc3bbce6d0eee75954148f8d205b519dd38..35f699c7a13b41f7c75f45c048d0fe18f6e60328 100644 (file)
--- a/tests/py/ip/sets.t.payload.inet
+++ b/tests/py/ip/sets.t.payload.inet
@@ -30,3 +30,22 @@ inet test-inet input
   [ lookup reg 1 set set2 0x1 ]
   [ immediate reg 0 drop ]
 
+# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }
+__set%d t 3
+__set%d t 0
+       element 00010101  : 0 [end]     element 00030303  : 0 [end]     element 00020202  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }
+__set%d t 7
+__set%d t 0
+       element 00000000  : 1 [end]     element 00010101  : 0 [end]     element 00020101  : 1 [end]     element 00020202  : 0 [end]     element 00030202  : 1 [end]     element 00030303  : 0 [end]     element 00040303  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]

diff --git a/tests/py/ip/sets.t.payload.ip b/tests/py/ip/sets.t.payload.ip
index 858a5e1c6bb3ee907bbd9ce292198e4dce7fd919..891a1ee404c7f55a1be9e1be456c0fea94eb88ad 100644 (file)
--- a/tests/py/ip/sets.t.payload.ip
+++ b/tests/py/ip/sets.t.payload.ip
@@ -22,3 +22,18 @@ ip test-ip4 input
   [ lookup reg 1 set set2 0x1 ]
   [ immediate reg 0 drop ]
 
+# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+       element 00010101  : 0 [end]     element 00030303  : 0 [end]     element 00020202  : 0 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }
+__set%d test-ip4 7
+__set%d test-ip4 0
+       element 00000000  : 1 [end]     element 00010101  : 0 [end]     element 00020101  : 1 [end]     element 00020202  : 0 [end]     element 00030202  : 1 [end]     element 00030303  : 0 [end]     element 00040303  : 1 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]

diff --git a/tests/py/ip/sets.t.payload.netdev b/tests/py/ip/sets.t.payload.netdev
index 87d54a0f4813e43ecf46d2f654b401e6a2aea905..ae8b6e7c8c46f7541272190641829fbf78b36cf5 100644 (file)
--- a/tests/py/ip/sets.t.payload.netdev
+++ b/tests/py/ip/sets.t.payload.netdev
@@ -30,3 +30,22 @@ netdev test-netdev ingress
   [ lookup reg 1 set set2 0x1 ]
   [ immediate reg 0 drop ]
 
+# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }
+__set%d test-netdev 3
+__set%d test-netdev 0
+       element 00010101  : 0 [end]     element 00030303  : 0 [end]     element 00020202  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }
+__set%d test-netdev 7
+__set%d test-netdev 0
+       element 00000000  : 1 [end]     element 00010101  : 0 [end]     element 00020101  : 1 [end]     element 00020202  : 0 [end]     element 00030202  : 1 [end]     element 00030303  : 0 [end]     element 00040303  : 1 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]

diff --git a/tests/shell/testcases/sets/0021nesting_0 b/tests/shell/testcases/sets/0021nesting_0
new file mode 100755 (executable)
index 0000000..3bcb614
--- /dev/null
+++ b/tests/shell/testcases/sets/0021nesting_0
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+#trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET='
+define set1 = {
+       2.2.2.0/24,
+}
+define set2 = {
+       $set1,
+       1.1.1.0/24
+}
+table ip x {
+       chain y {
+               ip saddr { 3.3.3.0/24, $set2 }
+       }
+}'
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load ruleset" >&2
+        exit 1
+fi
+
+EXPECTED="table ip x {
+       chain y {
+               ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24}
+       }
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+       DIFF="$(which diff)"
+       [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+       exit 1
+fi