From: Florian Westphal
Date: Wed, 6 May 2026 13:22:24 +0000 (+0200)
Subject: tests: shell: add socket expression test
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82a289074c02ae7fe1eee06ff90b3b062ad8a74e;p=thirdparty%2Fnftables.git
tests: shell: add socket expression test
Signed-off-by: Florian Westphal
---
diff --git a/tests/shell/testcases/packetpath/dumps/socket.json-nft b/tests/shell/testcases/packetpath/dumps/socket.json-nft
new file mode 100644
index 00000000..e94c7ed4
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/socket.json-nft
@@ -0,0 +1,201 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "&": [ + { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + { + "|": [ + "syn", + "ack" + ] + } + ] + }, + "right": "syn" + } + }, + { + "match": { + "op": "==", + "left": { + "socket": { + "key": "transparent" + } + }, + "right": 0 + } + }, + { + "counter": { + "packets": 1, + "bytes": 60 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "&": [ + { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + { + "|": [ + "syn", + "ack" + ] + } + ] + }, + "right": "syn" + } + }, + { + "match": { + "op": "==", + "left": { + "socket": { + "key": "transparent" + } + }, + "right": 0 + } + }, + { + "counter": { + "packets": 1, + "bytes": 60 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "output", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "&": [ + { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + { + "|": [ + "syn", + "ack" + ] + } + ] + }, + 
"right": "syn" + } + }, + { + "match": { + "op": "==", + "left": { + "socket": { + "key": "transparent" + } + }, + "right": 0 + } + }, + { + "counter": { + "packets": 1, + "bytes": 60 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/socket.nft b/tests/shell/testcases/packetpath/dumps/socket.nft new file mode 100644 index 00000000..ea4dc3cf --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/socket.nft @@ -0,0 +1,16 @@ +table inet filter { + chain prerouting { + type filter hook prerouting priority filter; policy accept; + tcp flags & (syn | ack) == syn socket transparent 0 counter packets 1 bytes 60 + } + + chain input { + type filter hook input priority filter; policy accept; + tcp flags & (syn | ack) == syn socket transparent 0 counter packets 1 bytes 60 + } + + chain output { + type filter hook output priority filter; policy accept; + tcp flags & (syn | ack) == syn socket transparent 0 counter packets 1 bytes 60 + } +} diff --git a/tests/shell/testcases/packetpath/socket b/tests/shell/testcases/packetpath/socket new file mode 100755 index 00000000..f14510e5 --- /dev/null +++ b/tests/shell/testcases/packetpath/socket @@ -0,0 +1,42 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat) + +ip link set up lo + +set -e + +$NFT -f - </dev/null + +# No need to check anything. Validation via dump file.