tests: shell: add check for map+ratelimit+mark
authorFlorian Westphal <fw@strlen.de>
Thu, 21 May 2026 02:52:51 +0000 (04:52 +0200)
committerFlorian Westphal <fw@strlen.de>
Thu, 21 May 2026 14:23:31 +0000 (16:23 +0200)
Causes a crash due to type confusion in json input parser.
Heavily based on the original reproducer provided by Alessandro.

Reported-by: Alessandro Gario <alessandro.gario@trailofbits.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.json-nft [new file with mode: 0644]
tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.nft [new file with mode: 0644]
tests/shell/testcases/nft-f/map_ratelimit_mark [new file with mode: 0755]

diff --git a/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.json-nft b/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.json-nft
new file mode 100644 (file)
index 0000000..9101138
--- /dev/null
@@ -0,0 +1,78 @@
+{
+  "nftables": [
+    {
+      "metainfo": {
+        "version": "VERSION",
+        "release_name": "RELEASE_NAME",
+        "json_schema_version": 1
+      }
+    },
+    {
+      "table": {
+        "family": "ip",
+        "name": "t",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "t",
+        "name": "c",
+        "handle": 0
+      }
+    },
+    {
+      "map": {
+        "family": "ip",
+        "name": "m",
+        "table": "t",
+        "type": "ipv4_addr",
+        "handle": 0,
+        "map": "mark",
+        "size": 65535,
+        "flags": [
+          "timeout",
+          "dynamic"
+        ],
+        "timeout": 60
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "t",
+        "chain": "c",
+        "handle": 0,
+        "expr": [
+          {
+            "map": {
+              "op": "add",
+              "elem": {
+                "payload": {
+                  "protocol": "ip",
+                  "field": "saddr"
+                }
+              },
+              "data": {
+                "meta": {
+                  "key": "mark"
+                }
+              },
+              "map": "@m",
+              "stmt": [
+                {
+                  "limit": {
+                    "rate": 1,
+                    "burst": 1,
+                    "per": "second"
+                  }
+                }
+              ]
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.nft b/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.nft
new file mode 100644 (file)
index 0000000..9fa7962
--- /dev/null
@@ -0,0 +1,12 @@
+table ip t {
+       map m {
+               type ipv4_addr : mark
+               size 65535
+               flags dynamic,timeout
+               timeout 1m
+       }
+
+       chain c {
+               add @m { ip saddr limit rate 1/second burst 1 packets : meta mark }
+       }
+}
diff --git a/tests/shell/testcases/nft-f/map_ratelimit_mark b/tests/shell/testcases/nft-f/map_ratelimit_mark
new file mode 100755 (executable)
index 0000000..ef7a9cc
--- /dev/null
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
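Review bot: Nothing in this script feeds JSON to nft, although the commit message locates the crash in the json input parser: the only command is `$NFT -f "$dumpfile"`, which loads the native-syntax `.nft` dump. The JSON path is presumably reached only when the test harness validates the companion `map_ratelimit_mark.json-nft` dump, so the regression coverage would silently disappear if that step is skipped or the build lacks JSON support. I would add a comment above `set -e` along the lines of `# regression test for a json input parser crash; the .json-nft dump is what exercises that path`, or load the JSON dump explicitly with `$NFT -j -f` behind a JSON feature check. As a smaller style point, `$(dirname $0)` and `$(basename $0)` are unquoted and would word-split on a checkout path containing spaces; `"$(dirname "$0")/dumps/$(basename "$0").nft"` avoids that.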