--- /dev/null
+:tunnelchain;type filter hook ingress device lo priority 0
+
+*netdev;test-netdev;tunnelchain
+
+tunnel path exists;ok
+tunnel path missing;ok
+tunnel id 10;ok
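Review bot: All three cases added here are `;ok` equality matches, so nothing in this file pins how the new `tunnel` expression rejects bad input or handles other operators. I would add at least one `;fail` line, for instance an id that does not fit the field (constructed example, assuming the id is 32 bits wide: `tunnel id 4294967296;fail`) and an unknown key such as `tunnel foo 1;fail`. Fail cases need no entries in the JSON and payload files, so they are cheap to add. A negated or set form (`tunnel id != 10;ok`, `tunnel id { 10, 20 };ok`) would also exercise more than the single `cmp eq` path, but each of those needs matching JSON and payload expectations.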
--- /dev/null
+# tunnel path exists
+[
+ {
+ "match": {
+ "left": {
+ "tunnel": {
+ "key": "path"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# tunnel path missing
+[
+ {
+ "match": {
+ "left": {
+ "tunnel": {
+ "key": "path"
+ }
+ },
+ "op": "==",
+ "right": false
+ }
+ }
+]
+
+# tunnel id 10
+[
+ {
+ "match": {
+ "left": {
+ "tunnel": {
+ "key": "id"
+ }
+ },
+ "op": "==",
+ "right": 10
+ }
+ }
+]
+
--- /dev/null
+# tunnel path exists
+netdev test-netdev tunnelchain
+ [ tunnel load path => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# tunnel path missing
+netdev test-netdev tunnelchain
+ [ tunnel load path => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# tunnel id 10
+netdev test-netdev tunnelchain
+ [ tunnel load id => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+
--- /dev/null
+# v5.7-rc1~146^2~137^2~26
+# 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
+table netdev x {
+ tunnel y {
+ id 10
+ ip saddr 192.168.2.10
+ ip daddr 192.168.2.11
+ sport 10
+ dport 20
+ ttl 10
+ geneve {
+ class 0x1010 opt-type 0x1 data "0x12345678"
+ class 0x2010 opt-type 0x2 data "0x87654321"
+ class 0x2020 opt-type 0x3 data "0x87654321abcdeffe"
+ }
+ }
+}
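Review bot: This probe is presumably what sets `NFT_TEST_HAVE_tunnel`, but its header cites only the geneve-options commit and the ruleset declares a geneve tunnel. If tunnel objects with vxlan or erspan options predate geneve support in the kernel, such kernels would skip every test gated on this feature, including ones that never use geneve. Either say so in the header, e.g. `# probes geneve opts, the most recent tunnel option type; older tunnel-capable kernels are skipped on purpose`, or split the probe so that plain tunnel support and geneve options are detected separately.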
--- /dev/null
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_tunnel)
+
+# * creating valid named objects
+# * referencing them from a valid rule
+
+RULESET="
+table netdev x {
+ tunnel geneve-t {
+ id 10
+ ip saddr 192.168.2.10
+ ip daddr 192.168.2.11
+ sport 10
+ dport 10
+ ttl 10
+ tos 10
+ geneve {
+ class 0x1 opt-type 0x1 data \"0x12345678\"
+ class 0x1010 opt-type 0x2 data \"0x87654321\"
+ class 0x2020 opt-type 0x3 data \"0x87654321abcdeffe\"
+ }
+ }
+
+ tunnel vxlan-t {
+ id 20
+ ip saddr 192.168.2.20
+ ip daddr 192.168.2.21
+ sport 20
+ dport 20
+ ttl 10
+ tos 10
+ vxlan {
+ gbp 200
+ }
+ }
+
+ tunnel erspan-tv1 {
+ id 30
+ ip saddr 192.168.2.30
+ ip daddr 192.168.2.31
+ sport 30
+ dport 30
+ ttl 10
+ tos 10
+ erspan {
+ version 1
+ index 5
+ }
+ }
+
+ tunnel erspan-tv2 {
+ id 40
+ ip saddr 192.168.2.40
+ ip daddr 192.168.2.41
+ sport 40
+ dport 40
+ ttl 10
+ tos 10
+ erspan {
+ version 2
+ direction ingress
+ id 10
+ }
+ }
+
+ chain x {
+ type filter hook ingress priority 0; policy accept;
+ tunnel name ip saddr map { 10.141.10.123 : "geneve-t", 10.141.10.124 : "vxlan-t", 10.141.10.125 : "erspan-tv1", 10.141.10.126 : "erspan-tv2" } counter
+ }
+}
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
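Review bot: This script only loads well-formed tunnel objects, so the parsing of the geneve `data` strings (a variable-length hex blob passed to the kernel) and of the erspan and vxlan fields is never tested against input that must be rejected. A companion script should feed malformed definitions (non-hex, odd-length or over-long `data`, an erspan `version` other than 1 or 2, a map entry naming a tunnel that does not exist) and assert that `$NFT` exits non-zero and leaves no table behind. The header comment at the top (`creating valid named objects` / `referencing them from a valid rule`) is generic; I would replace it with one naming what is covered, e.g. `# load geneve, vxlan and erspan v1/v2 tunnel objects and select them by ip saddr via a "tunnel name" map`. Moving `set -e` above the `RULESET=` assignment would also match the usual layout, though it changes nothing here.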
--- /dev/null
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "netdev",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "netdev",
+ "table": "x",
+ "name": "x",
+ "handle": 0,
+ "type": "filter",
+ "hook": "ingress",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "tunnel": {
+ "family": "netdev",
+ "name": "geneve-t",
+ "table": "x",
+ "handle": 0,
+ "id": 10,
+ "src": "192.168.2.10",
+ "dst": "192.168.2.11",
+ "sport": 10,
+ "dport": 10,
+ "tos": 10,
+ "ttl": 10,
+ "type": "geneve",
+ "tunnel": [
+ {
+ "class": 1,
+ "opt-type": 1,
+ "data": "0x12345678"
+ },
+ {
+ "class": 4112,
+ "opt-type": 2,
+ "data": "0x87654321"
+ },
+ {
+ "class": 8224,
+ "opt-type": 3,
+ "data": "0x87654321abcdeffe"
+ }
+ ]
+ }
+ },
+ {
+ "tunnel": {
+ "family": "netdev",
+ "name": "vxlan-t",
+ "table": "x",
+ "handle": 0,
+ "id": 20,
+ "src": "192.168.2.20",
+ "dst": "192.168.2.21",
+ "sport": 20,
+ "dport": 20,
+ "tos": 10,
+ "ttl": 10,
+ "type": "vxlan",
+ "tunnel": {
+ "gbp": 200
+ }
+ }
+ },
+ {
+ "tunnel": {
+ "family": "netdev",
+ "name": "erspan-tv1",
+ "table": "x",
+ "handle": 0,
+ "id": 30,
+ "src": "192.168.2.30",
+ "dst": "192.168.2.31",
+ "sport": 30,
+ "dport": 30,
+ "tos": 10,
+ "ttl": 10,
+ "type": "erspan",
+ "tunnel": {
+ "version": 1,
+ "index": 5
+ }
+ }
+ },
+ {
+ "tunnel": {
+ "family": "netdev",
+ "name": "erspan-tv2",
+ "table": "x",
+ "handle": 0,
+ "id": 40,
+ "src": "192.168.2.40",
+ "dst": "192.168.2.41",
+ "sport": 40,
+ "dport": 40,
+ "tos": 10,
+ "ttl": 10,
+ "type": "erspan",
+ "tunnel": {
+ "version": 2,
+ "dir": "ingress",
+ "hwid": 10
+ }
+ }
+ },
+ {
+ "rule": {
+ "family": "netdev",
+ "table": "x",
+ "chain": "x",
+ "handle": 0,
+ "expr": [
+ {
+ "tunnel": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "10.141.10.123",
+ "geneve-t"
+ ],
+ [
+ "10.141.10.124",
+ "vxlan-t"
+ ],
+ [
+ "10.141.10.125",
+ "erspan-tv1"
+ ],
+ [
+ "10.141.10.126",
+ "erspan-tv2"
+ ]
+ ]
+ }
+ }
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
--- /dev/null
+table netdev x {
+ tunnel geneve-t {
+ id 10
+ ip saddr 192.168.2.10
+ ip daddr 192.168.2.11
+ sport 10
+ dport 10
+ tos 10
+ ttl 10
+ geneve {
+ class 0x1 opt-type 0x1 data "0x12345678"
+ class 0x1010 opt-type 0x2 data "0x87654321"
+ class 0x2020 opt-type 0x3 data "0x87654321abcdeffe"
+ }
+ }
+
+ tunnel vxlan-t {
+ id 20
+ ip saddr 192.168.2.20
+ ip daddr 192.168.2.21
+ sport 20
+ dport 20
+ tos 10
+ ttl 10
+ vxlan {
+ gbp 200
+ }
+ }
+
+ tunnel erspan-tv1 {
+ id 30
+ ip saddr 192.168.2.30
+ ip daddr 192.168.2.31
+ sport 30
+ dport 30
+ tos 10
+ ttl 10
+ erspan {
+ version 1
+ index 5
+ }
+ }
+
+ tunnel erspan-tv2 {
+ id 40
+ ip saddr 192.168.2.40
+ ip daddr 192.168.2.41
+ sport 40
+ dport 40
+ tos 10
+ ttl 10
+ erspan {
+ version 2
+ direction ingress
+ id 10
+ }
+ }
+
+ chain x {
+ type filter hook ingress priority filter; policy accept;
+ tunnel name ip saddr map { 10.141.10.123 : "geneve-t", 10.141.10.124 : "vxlan-t", 10.141.10.125 : "erspan-tv1", 10.141.10.126 : "erspan-tv2" } counter packets 0 bytes 0
+ }
+}