From: Florian Westphal <fw@strlen.de>
Date: Thu, 21 May 2026 02:52:51 +0000 (+0200)
Subject: tests: shell: add check for map+ratelimit+mark
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=912abc021f35bdd20edfae4cb92d17129e8c2972;p=thirdparty%2Fnftables.git

tests: shell: add check for map+ratelimit+mark

Causes a crash due to type confusion in json input parser.
Heavily based on the original reproducer provided by Alessandro.

Reported-by: Alessandro Gario <alessandro.gario@trailofbits.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.json-nft b/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.json-nft
new file mode 100644
index 00000000..91011383
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.json-nft
@@ -0,0 +1,78 @@
+{
+  "nftables": [
+    {
+      "metainfo": {
+        "version": "VERSION",
+        "release_name": "RELEASE_NAME",
+        "json_schema_version": 1
+      }
+    },
+    {
+      "table": {
+        "family": "ip",
+        "name": "t",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "t",
+        "name": "c",
+        "handle": 0
+      }
+    },
+    {
+      "map": {
+        "family": "ip",
+        "name": "m",
+        "table": "t",
+        "type": "ipv4_addr",
+        "handle": 0,
+        "map": "mark",
+        "size": 65535,
+        "flags": [
+          "timeout",
+          "dynamic"
+        ],
+        "timeout": 60
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "t",
+        "chain": "c",
+        "handle": 0,
+        "expr": [
+          {
+            "map": {
+              "op": "add",
+              "elem": {
+                "payload": {
+                  "protocol": "ip",
+                  "field": "saddr"
+                }
+              },
+              "data": {
+                "meta": {
+                  "key": "mark"
+                }
+              },
+              "map": "@m",
+              "stmt": [
+                {
+                  "limit": {
+                    "rate": 1,
+                    "burst": 1,
+                    "per": "second"
+                  }
+                }
+              ]
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.nft b/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.nft
new file mode 100644
index 00000000..9fa79628
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/map_ratelimit_mark.nft
@@ -0,0 +1,12 @@
+table ip t {
+	map m {
+		type ipv4_addr : mark
+		size 65535
+		flags dynamic,timeout
+		timeout 1m
+	}
+
+	chain c {
+		add @m { ip saddr limit rate 1/second burst 1 packets : meta mark }
+	}
+}
diff --git a/tests/shell/testcases/nft-f/map_ratelimit_mark b/tests/shell/testcases/nft-f/map_ratelimit_mark
new file mode 100755
index 00000000..ef7a9ccc
--- /dev/null
+++ b/tests/shell/testcases/nft-f/map_ratelimit_mark
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"