* [nft PATCH V2] tests: shell: Add tests for json import
@ 2017-09-02 23:32 Shyam Saini
2017-09-04 7:27 ` Arturo Borrero Gonzalez
0 siblings, 1 reply; 5+ messages in thread
From: Shyam Saini @ 2017-09-02 23:32 UTC
To: netfilter-devel; +Cc: Shyam Saini
These test cases can be used to test upcoming "import json" command.
Here is the short description of the files:
all_ruleset_list -> contains list of all the individual rules
json_import_0 -> script that runs json run-tests.sh
For Example:
$ ./run-tests.sh testcases/import/json_import_0
Below mentioned files contain individual rules in json format and
are added for the reference:
rules_ipv4* -> ip table rules files
rules_ipv6* -> ip6 table rules files
rules_arp* -> arp table rules files
rules_bridge* -> bridge table rules files
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
---
tests/shell/testcases/import/all_ruleset_list | 46 ++++++++++++++
tests/shell/testcases/import/json_import_0 | 72 ++++++++++++++++++++++
.../testcases/import/rules_arp_hlen_range.json | 1 +
tests/shell/testcases/import/rules_arp_htype.json | 1 +
.../testcases/import/rules_arp_operation.json | 1 +
.../import/rules_arp_operation_check.json | 1 +
.../shell/testcases/import/rules_arp_ptype_ip.json | 1 +
.../shell/testcases/import/rules_bridge_vlan.json | 1 +
.../testcases/import/rules_bridge_vlan_id.json | 1 +
...bridge_vlan_id_saddr_udp_dport_drop_domain.json | 1 +
.../import/rules_ipv4_ct_state_accept.json | 1 +
.../rules_ipv4_icmp_type_echo-request_accept.json | 1 +
.../rules_ipv4_icmp_type_echo-request_counter.json | 1 +
.../import/rules_ipv4_iifname_accept.json | 1 +
.../import/rules_ipv4_saddr_daddr_counter.json | 1 +
.../testcases/import/rules_ipv4_set_elements.json | 1 +
.../import/rules_ipv4_tcp_dport_http_ssh.json | 1 +
.../testcases/import/rules_ipv4_tcp_flags.json | 1 +
.../import/rules_ipv6_daddr_udp_dport_counter.json | 1 +
...es_ipv6_daddr_udp_dport_counter_masquerade.json | 1 +
.../testcases/import/rules_ipv6_icmpv6_id.json | 1 +
...iifname_ct_state_tcp_dport_vmap_masquerade.json | 1 +
.../import/rules_ipv6_l4proto_tcp_masquerade.json | 1 +
...dport_ssh_daddr_mapping_ether_saddr_accept.json | 1 +
24 files changed, 140 insertions(+)
create mode 100644 tests/shell/testcases/import/all_ruleset_list
create mode 100755 tests/shell/testcases/import/json_import_0
create mode 100644 tests/shell/testcases/import/rules_arp_hlen_range.json
create mode 100644 tests/shell/testcases/import/rules_arp_htype.json
create mode 100644 tests/shell/testcases/import/rules_arp_operation.json
create mode 100644 tests/shell/testcases/import/rules_arp_operation_check.json
create mode 100644 tests/shell/testcases/import/rules_arp_ptype_ip.json
create mode 100644 tests/shell/testcases/import/rules_bridge_vlan.json
create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id.json
create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json
create mode 100644 tests/shell/testcases/import/rules_ipv4_ct_state_accept.json
create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json
create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json
create mode 100644 tests/shell/testcases/import/rules_ipv4_iifname_accept.json
create mode 100644 tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json
create mode 100644 tests/shell/testcases/import/rules_ipv4_set_elements.json
create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json
create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_flags.json
create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json
create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json
create mode 100644 tests/shell/testcases/import/rules_ipv6_icmpv6_id.json
create mode 100644 tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json
create mode 100644 tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json
create mode 100644 tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json
diff --git a/tests/shell/testcases/import/all_ruleset_list b/tests/shell/testcases/import/all_ruleset_list
new file mode 100644
index 000000000000..4e25a76d8016
--- /dev/null
+++ b/tests/shell/testcases/import/all_ruleset_list
@@ -0,0 +1,46 @@
+table ip mangle {
+ set blackhole {
+ type ipv4_addr
+ elements = { 192.168.1.4, 192.168.1.5 }
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority 0; policy accept;
+ tcp dport { ssh, http } accept
+ ip saddr @blackhole drop
+ icmp type echo-request accept
+ iifname "lo" accept
+ icmp type echo-request counter packets 0 bytes 0
+ ct state established,related accept
+ tcp flags != syn counter packets 7 bytes 841
+ ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
+ }
+}
+table arp x {
+ chain y {
+ arp htype 22
+ arp ptype ip
+ arp operation != rrequest
+ arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
+ arp hlen 33-45
+ }
+}
+table bridge x {
+ chain y {
+ type filter hook input priority 0; policy accept;
+ vlan id 4094
+ vlan id 4094 vlan cfi 0
+ vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
+ }
+}
+table ip6 x {
+ chain y {
+ type nat hook postrouting priority 0; policy accept;
+ icmpv6 id 33-45
+ ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
+ meta l4proto tcp masquerade to :1024
+ iifname "wlan0" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
+ tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
+ ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
+ }
+}
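Review bot: all_ruleset_list repeats, rule for rule, the ruleset that json_import_0 embeds in its RULESET variable, and nothing in this patch reads the file, so the two copies can drift apart without any test noticing. Either have the script load its expected ruleset from this file or drop the file and keep the single copy in the script.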
diff --git a/tests/shell/testcases/import/json_import_0 b/tests/shell/testcases/import/json_import_0
new file mode 100755
index 000000000000..a469a4dda754
--- /dev/null
+++ b/tests/shell/testcases/import/json_import_0
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+tmpfile=$(mktemp)
+
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="table ip mangle {
+ set blackhole {
+ type ipv4_addr
+ elements = { 192.168.1.4, 192.168.1.5 }
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority 0; policy accept;
+ tcp dport { ssh, http } accept
+ ip saddr @blackhole drop
+ icmp type echo-request accept
+ iifname \"lo\" accept
+ icmp type echo-request counter packets 0 bytes 0
+ ct state established,related accept
+ tcp flags != syn counter packets 7 bytes 841
+ ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
+ }
+}
+table arp x {
+ chain y {
+ arp htype 22
+ arp ptype ip
+ arp operation != rrequest
+ arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
+ arp hlen 33-45
+ }
+}
+table bridge x {
+ chain y {
+ type filter hook input priority 0; policy accept;
+ vlan id 4094
+ vlan id 4094 vlan cfi 0
+ vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
+ }
+}
+table ip6 x {
+ chain y {
+ type nat hook postrouting priority 0; policy accept;
+ icmpv6 id 33-45
+ ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
+ meta l4proto tcp masquerade to :1024
+ iifname \"wlan0\" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
+ tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
+ ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
+ }
+}"
+
+echo "$RULESET" > $tmpfile
+$NFT -f $tmpfile
+$NFT export json > $tmpfile
+$NFT flush ruleset
+cat $tmpfile | $NFT import json
+
+RESULT="$($NFT list ruleset)"
+
+
+if [ "$RULESET" != "$RESULT" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$RESULT")
+fi
+
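Review bot: the comparison at the end of json_import_0 prints a diff on mismatch but never calls exit 1, and the script has no set -e, so the exit status of `$NFT -f $tmpfile`, `$NFT export json` and `$NFT import json` is never checked and the test result rests on whatever the last command happens to return. Add `set -e` near the top and an explicit `exit 1` after the diff. The `exit 0` after "Failed to create tmp file" also reports success when the test could not run at all. Smaller points: quote `$tmpfile` and `$DIFF` (if `which diff` prints nothing, `[ -x $DIFF ]` collapses to `[ -x ]`, which is true), and `$NFT import json < "$tmpfile"` avoids the extra cat.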
diff --git a/tests/shell/testcases/import/rules_arp_hlen_range.json b/tests/shell/testcases/import/rules_arp_hlen_range.json
new file mode 100644
index 000000000000..d4ad00cd7a54
--- /dev/null
+++ b/tests/shell/testcases/import/rules_arp_hlen_range.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"arp","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"table":"x","family":"arp","use":1}},{"rule":{"family":"arp","table":"x","chain":"y","handle":3,"expr":[{"type":"payload","dreg":1,"offset":4,"len":1,"base":"network"},{"type":"cmp","sreg":1,"op":"gte","data":{"reg":{"type":"value","len":1,"data0":"0x00000021"}}},{"type":"cmp","sreg":1,"op":"lte","data":{"reg":{"type":"value","len":1,"data0":"0x0000002d"}}}]}}]}]}
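Review bot: rules_arp_hlen_range.json, like the other rules_*.json files in this patch, is not read by json_import_0, which produces its JSON with `$NFT export json` at run time. If the files are meant as fixtures, add a test that feeds each one to `import json` and compares the resulting listing with the matching line of the ruleset; if they are reference material only, as the commit message says, say so in a README next to them or keep them out of testcases/.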
diff --git a/tests/shell/testcases/import/rules_arp_htype.json b/tests/shell/testcases/import/rules_arp_htype.json
new file mode 100644
index 000000000000..95bd5580676d
--- /dev/null
+++ b/tests/shell/testcases/import/rules_arp_htype.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"arp","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"table":"x","family":"arp","use":1}},{"rule":{"family":"arp","table":"x","chain":"y","handle":5,"expr":[{"type":"payload","dreg":1,"offset":0,"len":2,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00001600"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_arp_operation.json b/tests/shell/testcases/import/rules_arp_operation.json
new file mode 100644
index 000000000000..94389a33725e
--- /dev/null
+++ b/tests/shell/testcases/import/rules_arp_operation.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"arp","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"table":"x","family":"arp","use":1}},{"set":{"name":"__set0","table":"x","flags":3,"family":"arp","key_type":11,"key_len":2,"desc_size":7,"set_elem":[{"key":{"reg":{"type":"value","len":2,"data0":"0x00000900"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x00000400"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x00000300"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x00000800"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x00000200"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x00000a00"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x00000100"}}}]}},{"rule":{"family":"arp","table":"x","chain":"y","handle":3,"expr":[{"type":"payload","dreg":1,"offset":
6,"len":2,"base":"network"},{"type":"lookup","set":"__set0","sreg":1,"flags":0}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_arp_operation_check.json b/tests/shell/testcases/import/rules_arp_operation_check.json
new file mode 100644
index 000000000000..fac7b9447e3c
--- /dev/null
+++ b/tests/shell/testcases/import/rules_arp_operation_check.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"arp","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"table":"x","family":"arp","use":1}},{"rule":{"family":"arp","table":"x","chain":"y","handle":2,"expr":[{"type":"payload","dreg":1,"offset":6,"len":2,"base":"network"},{"type":"cmp","sreg":1,"op":"neq","data":{"reg":{"type":"value","len":2,"data0":"0x00000300"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_arp_ptype_ip.json b/tests/shell/testcases/import/rules_arp_ptype_ip.json
new file mode 100644
index 000000000000..81d2b6d366cd
--- /dev/null
+++ b/tests/shell/testcases/import/rules_arp_ptype_ip.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"arp","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"table":"x","family":"arp","use":1}},{"rule":{"family":"arp","table":"x","chain":"y","handle":4,"expr":[{"type":"payload","dreg":1,"offset":2,"len":2,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00000008"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_bridge_vlan.json b/tests/shell/testcases/import/rules_bridge_vlan.json
new file mode 100644
index 000000000000..375ea9b2e29a
--- /dev/null
+++ b/tests/shell/testcases/import/rules_bridge_vlan.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"bridge","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":0,"packets":0,"table":"x","family":"bridge","use":1,"type":"filter","hooknum":"input","prio":0,"policy":"accept"}},{"rule":{"family":"bridge","table":"x","chain":"y","handle":6,"expr":[{"type":"payload","dreg":1,"offset":12,"len":2,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00000081"}}},{"type":"payload","dreg":1,"offset":14,"len":2,"base":"link"},{"type":"bitwise","sreg":1,"dreg":1,"len":2,"mask":{"reg":{"type":"value","len":2,"data0":"0x0000ff0f"}},"xor":{"reg":{"type":"value","len":2,"data0":"0x00000000"}}},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x0000fe0f"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_bridge_vlan_id.json b/tests/shell/testcases/import/rules_bridge_vlan_id.json
new file mode 100644
index 000000000000..8f01fcedf9d2
--- /dev/null
+++ b/tests/shell/testcases/import/rules_bridge_vlan_id.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"bridge","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":0,"packets":0,"table":"x","family":"bridge","use":1,"type":"filter","hooknum":"input","prio":0,"policy":"accept"}},{"rule":{"family":"bridge","table":"x","chain":"y","handle":4,"expr":[{"type":"payload","dreg":1,"offset":12,"len":2,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00000081"}}},{"type":"payload","dreg":1,"offset":14,"len":2,"base":"link"},{"type":"bitwise","sreg":1,"dreg":1,"len":2,"mask":{"reg":{"type":"value","len":2,"data0":"0x0000ff0f"}},"xor":{"reg":{"type":"value","len":2,"data0":"0x00000000"}}},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x0000fe0f"}}},{"type":"paylo
ad","dreg":1,"offset":14,"len":1,"base":"link"},{"type":"bitwise","sreg":1,"dreg":1,"len":1,"mask":{"reg":{"type":"value","len":1,"data0":"0x00000010"}},"xor":{"reg":{"type":"value","len":1,"data0":"0x00000000"}}},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000000"}}}]}}]}]}
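Review bot: rules_bridge_vlan_id.json repeats the expressions of rules_bridge_vlan.json (the 0x0000ff0f mask compared against 0x0000fe0f) and then adds a one-byte bitwise and cmp at link offset 14 with mask 0x00000010, which corresponds to `vlan id 4094 vlan cfi 0` in all_ruleset_list, while rules_bridge_vlan.json is the plain `vlan id 4094` rule. The names suggest the opposite; something like rules_bridge_vlan_id.json and rules_bridge_vlan_id_cfi.json would match the content.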
diff --git a/tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json b/tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json
new file mode 100644
index 000000000000..69f8446e7622
--- /dev/null
+++ b/tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"bridge","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":0,"packets":0,"table":"x","family":"bridge","use":1,"type":"filter","hooknum":"input","prio":0,"policy":"accept"}},{"rule":{"family":"bridge","table":"x","chain":"y","handle":9,"expr":[{"type":"payload","dreg":1,"offset":12,"len":2,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00000081"}}},{"type":"payload","dreg":1,"offset":14,"len":2,"base":"link"},{"type":"bitwise","sreg":1,"dreg":1,"len":2,"mask":{"reg":{"type":"value","len":2,"data0":"0x0000ff0f"}},"xor":{"reg":{"type":"value","len":2,"data0":"0x00000000"}}},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00000100"}}},{"type":"paylo
ad","dreg":1,"offset":16,"len":2,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00000008"}}},{"type":"payload","dreg":1,"offset":12,"len":4,"base":"network"},{"type":"bitwise","sreg":1,"dreg":1,"len":4,"mask":{"reg":{"type":"value","len":4,"data0":"0x00feffff"}},"xor":{"reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":4,"data0":"0x0000000a"}}},{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000011"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"transport"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00003500"}}}]}}]}]}
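Review bot: the file name rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json promises a drop, but the expr list ends at the cmp on the transport port ("data0":"0x00003500") with no immediate verdict, and the matching line in all_ruleset_list, `vlan id 1 ip saddr 10.0.0.0/23 udp dport domain`, has no verdict either. Rename the file or add the drop to both so that name and content agree.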
diff --git a/tests/shell/testcases/import/rules_ipv4_ct_state_accept.json b/tests/shell/testcases/import/rules_ipv4_ct_state_accept.json
new file mode 100644
index 000000000000..942f19850026
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv4_ct_state_accept.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"mangle","family":"ip","flags":0,"use":1}},{"chain":{"name":"prerouting","handle":1,"bytes":696,"packets":8,"table":"mangle","family":"ip","use":1,"type":"filter","hooknum":"prerouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip","table":"mangle","chain":"prerouting","handle":2,"expr":[{"type":"ct","dreg":1,"key":"state"},{"type":"bitwise","sreg":1,"dreg":1,"len":4,"mask":{"reg":{"type":"value","len":4,"data0":"0x00000006"}},"xor":{"reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"cmp","sreg":1,"op":"neq","data":{"reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"immediate","dreg":0,"data":{"reg":{"type":"verdict","verdict":"accept"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json b/tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json
new file mode 100644
index 000000000000..5a1032d0b771
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"mangle","family":"ip","flags":0,"use":1}},{"chain":{"name":"prerouting","handle":1,"bytes":46200,"packets":417,"table":"mangle","family":"ip","use":1,"type":"filter","hooknum":"prerouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip","table":"mangle","chain":"prerouting","handle":2,"expr":[{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000001"}}},{"type":"payload","dreg":1,"offset":0,"len":1,"base":"transport"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000008"}}},{"type":"immediate","dreg":0,"data":{"reg":{"type":"verdict","verdict":"accept"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json b/tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json
new file mode 100644
index 000000000000..a95de6759a17
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"mangle","family":"ip","flags":0,"use":1}},{"chain":{"name":"prerouting","handle":1,"bytes":104,"packets":2,"table":"mangle","family":"ip","use":1,"type":"filter","hooknum":"prerouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip","table":"mangle","chain":"prerouting","handle":2,"expr":[{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000001"}}},{"type":"payload","dreg":1,"offset":0,"len":1,"base":"transport"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000008"}}},{"type":"counter","pkts":0,"bytes":0}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv4_iifname_accept.json b/tests/shell/testcases/import/rules_ipv4_iifname_accept.json
new file mode 100644
index 000000000000..5a37a017901d
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv4_iifname_accept.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"mangle","family":"ip","flags":0,"use":1}},{"chain":{"name":"prerouting","handle":1,"bytes":4435,"packets":51,"table":"mangle","family":"ip","use":1,"type":"filter","hooknum":"prerouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip","table":"mangle","chain":"prerouting","handle":5,"expr":[{"type":"meta","dreg":1,"key":"iifname"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":16,"data0":"0x00006f6c","data1":"0x00000000","data2":"0x00000000","data3":"0x00000000"}}},{"type":"immediate","dreg":0,"data":{"reg":{"type":"verdict","verdict":"accept"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json b/tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json
new file mode 100644
index 000000000000..396cf2368b94
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"mangle","family":"ip","flags":0,"use":1}},{"chain":{"name":"prerouting","handle":1,"bytes":2009,"packets":15,"table":"mangle","family":"ip","use":1,"type":"filter","hooknum":"prerouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip","table":"mangle","chain":"prerouting","handle":2,"expr":[{"type":"payload","dreg":1,"offset":12,"len":8,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":8,"data0":"0x6401a8c0","data1":"0x0101a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv4_set_elements.json b/tests/shell/testcases/import/rules_ipv4_set_elements.json
new file mode 100644
index 000000000000..ea641e384047
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv4_set_elements.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"mangle","family":"ip","flags":0,"use":2}},{"chain":{"name":"prerouting","handle":1,"bytes":15927,"packets":169,"table":"mangle","family":"ip","use":1,"type":"filter","hooknum":"prerouting","prio":0,"policy":"accept"}},{"set":{"name":"blackhole","table":"mangle","family":"ip","key_type":7,"key_len":4,"set_elem":[{"key":{"reg":{"type":"value","len":4,"data0":"0x0401a8c0"}}},{"key":{"reg":{"type":"value","len":4,"data0":"0x0501a8c0"}}}]}},{"rule":{"family":"ip","table":"mangle","chain":"prerouting","handle":2,"expr":[{"type":"payload","dreg":1,"offset":12,"len":4,"base":"network"},{"type":"lookup","set":"blackhole","sreg":1,"flags":0},{"type":"immediate","dreg":0,"data":{"reg":{"type":"verdict","verdict":"drop"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json b/tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json
new file mode 100644
index 000000000000..b0f1709b8f49
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"mangle","family":"ip","flags":0,"use":1}},{"chain":{"name":"prerouting","handle":1,"bytes":1308,"packets":12,"table":"mangle","family":"ip","use":1,"type":"filter","hooknum":"prerouting","prio":0,"policy":"accept"}},{"set":{"name":"__set0","table":"mangle","flags":3,"family":"ip","key_type":13,"key_len":2,"desc_size":2,"set_elem":[{"key":{"reg":{"type":"value","len":2,"data0":"0x00001600"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x00005000"}}}]}},{"rule":{"family":"ip","table":"mangle","chain":"prerouting","handle":2,"expr":[{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"transport"},{"type":"lookup","
set":"__set0","sreg":1,"flags":0},{"type":"immediate","dreg":0,"data":{"reg":{"type":"verdict","verdict":"accept"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv4_tcp_flags.json b/tests/shell/testcases/import/rules_ipv4_tcp_flags.json
new file mode 100644
index 000000000000..e0eadddd9528
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv4_tcp_flags.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"mangle","family":"ip","flags":0,"use":1}},{"chain":{"name":"prerouting","handle":1,"bytes":3886,"packets":36,"table":"mangle","family":"ip","use":1,"type":"filter","hooknum":"prerouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip","table":"mangle","chain":"prerouting","handle":2,"expr":[{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":13,"len":1,"base":"transport"},{"type":"cmp","sreg":1,"op":"neq","data":{"reg":{"type":"value","len":1,"data0":"0x00000002"}}},{"type":"counter","pkts":6,"bytes":770}]}}]}]}
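Review bot: the rule counter in rules_ipv4_tcp_flags.json is "pkts":6,"bytes":770, while the same rule in all_ruleset_list and in json_import_0 reads `tcp flags != syn counter packets 7 bytes 841`, and the chain object carries "bytes":3886,"packets":36. These look like values captured from a live system at different moments. Zero the rule counter here and the chain counters in the other rules_ipv4_* files so the fixtures are reproducible and agree with the ruleset text.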
diff --git a/tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json b/tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json
new file mode 100644
index 000000000000..78bf12071042
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"ip6","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":93,"packets":1,"table":"x","family":"ip6","use":1,"type":"nat","hooknum":"postrouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip6","table":"x","chain":"y","handle":8,"expr":[{"type":"payload","dreg":1,"offset":24,"len":16,"base":"network"},{"type":"cmp","sreg":1,"op":"gte","data":{"reg":{"type":"value","len":16,"data0":"0x000000fe","data1":"0x00000000","data2":"0x00000000","data3":"0x01000000"}}},{"type":"cmp","sreg":1,"op":"lte","data":{"reg":{"type":"value","len":16,"data0":"0x000000fe","data1":"0x00000000","data2":"0x00000000","data3":"0x00020000"}}},{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"
data0":"0x00000011"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"transport"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00003500"}}},{"type":"counter","pkts":0,"bytes":0}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json b/tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json
new file mode 100644
index 000000000000..8eda8f4ce1c9
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"ip6","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":0,"packets":0,"table":"x","family":"ip6","use":1,"type":"nat","hooknum":"postrouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip6","table":"x","chain":"y","handle":2,"expr":[{"type":"payload","dreg":1,"offset":24,"len":16,"base":"network"},{"type":"cmp","sreg":1,"op":"gte","data":{"reg":{"type":"value","len":16,"data0":"0x000000fe","data1":"0x00000000","data2":"0x00000000","data3":"0x01000000"}}},{"type":"cmp","sreg":1,"op":"lte","data":{"reg":{"type":"value","len":16,"data0":"0x000000fe","data1":"0x00000000","data2":"0x00000000","data3":"0x00020000"}}},{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"d
ata0":"0x00000011"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"transport"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00003500"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"masq"}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv6_icmpv6_id.json b/tests/shell/testcases/import/rules_ipv6_icmpv6_id.json
new file mode 100644
index 000000000000..19804c21ee3d
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv6_icmpv6_id.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"ip6","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":0,"packets":0,"table":"x","family":"ip6","use":1,"type":"nat","hooknum":"postrouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip6","table":"x","chain":"y","handle":2,"expr":[{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x0000003a"}}},{"type":"payload","dreg":1,"offset":4,"len":2,"base":"transport"},{"type":"cmp","sreg":1,"op":"gte","data":{"reg":{"type":"value","len":2,"data0":"0x00002100"}}},{"type":"cmp","sreg":1,"op":"lte","data":{"reg":{"type":"value","len":2,"data0":"0x00002d00"}}}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json b/tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json
new file mode 100644
index 000000000000..5245041ed619
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"ip6","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":0,"packets":0,"table":"x","family":"ip6","use":1,"type":"nat","hooknum":"postrouting","prio":0,"policy":"accept"}},{"set":{"name":"__map0","table":"x","flags":11,"family":"ip6","key_type":13,"key_len":2,"data_type":4294967040,"data_len":16,"desc_size":2,"set_elem":[{"key":{"reg":{"type":"value","len":2,"data0":"0x00001600"}},"data":{"reg":{"type":"verdict","verdict":"drop"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x0000de00"}},"data":{"reg":{"type":"verdict","verdict":"drop"}}}]}},{"rule":{"family":"ip6","table":"x","chain":"y","handle":2,"expr":[{"type":"meta","dreg":1,"key":"iifname"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":16,"data0"
:"0x6e616c77","data1":"0x00000030","data2":"0x00000000","data3":"0x00000000"}}},{"type":"ct","dreg":1,"key":"state"},{"type":"bitwise","sreg":1,"dreg":1,"len":4,"mask":{"reg":{"type":"value","len":4,"data0":"0x0000000a"}},"xor":{"reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"cmp","sreg":1,"op":"neq","data":{"reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"transport"},{"type":"lookup","set":"__map0","sreg":1,"dreg":0,"flags":0},{"type":"masq"}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json b/tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json
new file mode 100644
index 000000000000..c190d7eaa0b6
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"ip6","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":0,"packets":0,"table":"x","family":"ip6","use":1,"type":"nat","hooknum":"postrouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip6","table":"x","chain":"y","handle":2,"expr":[{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"immediate","dreg":1,"data":{"reg":{"type":"value","len":2,"data0":"0x00000004"}}},{"type":"masq","sreg_proto_min":1,"sreg_proto_max":1}]}}]}]}
diff --git a/tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json b/tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json
new file mode 100644
index 000000000000..9768b770f441
--- /dev/null
+++ b/tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json
@@ -0,0 +1 @@
+{"nftables":[{"add":[{"table":{"name":"x","family":"ip6","flags":0,"use":1}},{"chain":{"name":"y","handle":1,"bytes":0,"packets":0,"table":"x","family":"ip6","use":1,"type":"nat","hooknum":"postrouting","prio":0,"policy":"accept"}},{"rule":{"family":"ip6","table":"x","chain":"y","handle":2,"expr":[{"type":"meta","dreg":1,"key":"l4proto"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"transport"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00001600"}}},{"type":"payload","dreg":1,"offset":24,"len":16,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":16,"data0":"0x00000100","data1":"0x00000000","data2":"0x00000000","d
ata3":"0x02000000"}}},{"type":"meta","dreg":1,"key":"iiftype"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":2,"data0":"0x00000001"}}},{"type":"payload","dreg":1,"offset":6,"len":6,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","data":{"reg":{"type":"value","len":6,"data0":"0x0c540f00","data1":"0x00000411"}}},{"type":"immediate","dreg":0,"data":{"reg":{"type":"verdict","verdict":"accept"}}}]}}]}]}
--
1.9.1
* Re: [nft PATCH V2] tests: shell: Add tests for json import
2017-09-02 23:32 [nft PATCH V2] tests: shell: Add tests for json import Shyam Saini
@ 2017-09-04 7:27 ` Arturo Borrero Gonzalez
2017-09-04 12:39 ` Shyam Saini
0 siblings, 1 reply; 5+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-09-04 7:27 UTC (permalink / raw)
To: Shyam Saini; +Cc: Netfilter Development Mailing list
On 3 September 2017 at 01:32, Shyam Saini <mayhs11saini@gmail.com> wrote:
> These test cases can be used to test upcoming "import json" command.
>
> Here is the short description of the files:
> all_ruleset_list -> contains list of all the individual rules
> json_import_0 -> script that runs json run-tests.sh
>
> For Example:
> $ ./run-tests.sh testcases/import/json_import_0
>
> Below mentioned files contains individual rules in json format and
> are added for the reference:
> rules_ipv4* -> ip table rules files
> rules_ipv6* -> ip6 table rules files
> rules_arp* -> arp table rules files
> rules_bridge* -> bridge table rules files
>
> Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
> ---
This is v2: generally in this patch section we include patch changelog
information.
Please, take a look at this when sending v3 :-)
> tests/shell/testcases/import/all_ruleset_list | 46 ++++++++++++++
> tests/shell/testcases/import/json_import_0 | 72 ++++++++++++++++++++++
> .../testcases/import/rules_arp_hlen_range.json | 1 +
> tests/shell/testcases/import/rules_arp_htype.json | 1 +
> .../testcases/import/rules_arp_operation.json | 1 +
> .../import/rules_arp_operation_check.json | 1 +
> .../shell/testcases/import/rules_arp_ptype_ip.json | 1 +
> .../shell/testcases/import/rules_bridge_vlan.json | 1 +
> .../testcases/import/rules_bridge_vlan_id.json | 1 +
> ...bridge_vlan_id_saddr_udp_dport_drop_domain.json | 1 +
> .../import/rules_ipv4_ct_state_accept.json | 1 +
> .../rules_ipv4_icmp_type_echo-request_accept.json | 1 +
> .../rules_ipv4_icmp_type_echo-request_counter.json | 1 +
> .../import/rules_ipv4_iifname_accept.json | 1 +
> .../import/rules_ipv4_saddr_daddr_counter.json | 1 +
> .../testcases/import/rules_ipv4_set_elements.json | 1 +
> .../import/rules_ipv4_tcp_dport_http_ssh.json | 1 +
> .../testcases/import/rules_ipv4_tcp_flags.json | 1 +
> .../import/rules_ipv6_daddr_udp_dport_counter.json | 1 +
> ...es_ipv6_daddr_udp_dport_counter_masquerade.json | 1 +
> .../testcases/import/rules_ipv6_icmpv6_id.json | 1 +
> ...iifname_ct_state_tcp_dport_vmap_masquerade.json | 1 +
> .../import/rules_ipv6_l4proto_tcp_masquerade.json | 1 +
> ...dport_ssh_daddr_mapping_ether_saddr_accept.json | 1 +
> 24 files changed, 140 insertions(+)
> create mode 100644 tests/shell/testcases/import/all_ruleset_list
> create mode 100755 tests/shell/testcases/import/json_import_0
> create mode 100644 tests/shell/testcases/import/rules_arp_hlen_range.json
> create mode 100644 tests/shell/testcases/import/rules_arp_htype.json
> create mode 100644 tests/shell/testcases/import/rules_arp_operation.json
> create mode 100644 tests/shell/testcases/import/rules_arp_operation_check.json
> create mode 100644 tests/shell/testcases/import/rules_arp_ptype_ip.json
> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan.json
> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id.json
> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json
> create mode 100644 tests/shell/testcases/import/rules_ipv4_ct_state_accept.json
> create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json
> create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json
> create mode 100644 tests/shell/testcases/import/rules_ipv4_iifname_accept.json
> create mode 100644 tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json
> create mode 100644 tests/shell/testcases/import/rules_ipv4_set_elements.json
> create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json
> create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_flags.json
> create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json
> create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json
> create mode 100644 tests/shell/testcases/import/rules_ipv6_icmpv6_id.json
> create mode 100644 tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json
> create mode 100644 tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json
> create mode 100644 tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json
>
> diff --git a/tests/shell/testcases/import/all_ruleset_list b/tests/shell/testcases/import/all_ruleset_list
> new file mode 100644
> index 000000000000..4e25a76d8016
> --- /dev/null
> +++ b/tests/shell/testcases/import/all_ruleset_list
> @@ -0,0 +1,46 @@
> +table ip mangle {
> + set blackhole {
> + type ipv4_addr
> + elements = { 192.168.1.4, 192.168.1.5 }
> + }
> +
> + chain prerouting {
> + type filter hook prerouting priority 0; policy accept;
> + tcp dport { ssh, http } accept
> + ip saddr @blackhole drop
> + icmp type echo-request accept
> + iifname "lo" accept
> + icmp type echo-request counter packets 0 bytes 0
> + ct state established,related accept
> + tcp flags != syn counter packets 7 bytes 841
> + ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
> + }
> +}
> +table arp x {
> + chain y {
> + arp htype 22
> + arp ptype ip
> + arp operation != rrequest
> + arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
> + arp hlen 33-45
> + }
> +}
> +table bridge x {
> + chain y {
> + type filter hook input priority 0; policy accept;
> + vlan id 4094
> + vlan id 4094 vlan cfi 0
> + vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
> + }
> +}
> +table ip6 x {
> + chain y {
> + type nat hook postrouting priority 0; policy accept;
> + icmpv6 id 33-45
> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
> + meta l4proto tcp masquerade to :1024
> + iifname "wlan0" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
> + tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
> + }
> +}
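Review bot: the expected rule `tcp flags != syn counter packets 7 bytes 841` in chain prerouting carries non-zero counter values, while every other counter in the file is `packets 0 bytes 0`; this looks like a leftover from listing a live ruleset. Since the chain is hooked into prerouting and json_import_0 compares the listing as a string, use zeroed counters here, or state in the commit message that restoring counter state through export/import is something the test is meant to cover.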
Now that we included the ruleset in the testcase itself this file is
no longer useful?
Please, drop it.
> diff --git a/tests/shell/testcases/import/json_import_0 b/tests/shell/testcases/import/json_import_0
> new file mode 100755
> index 000000000000..a469a4dda754
> --- /dev/null
> +++ b/tests/shell/testcases/import/json_import_0
> @@ -0,0 +1,72 @@
> +#!/bin/bash
> +
> +tmpfile=$(mktemp)
> +
> +if [ ! -w $tmpfile ] ; then
> + echo "Failed to create tmp file" >&2
> + exit 0
> +fi
> +
> +trap "rm -rf $tmpfile" EXIT # cleanup if aborted
> +
> +RULESET="table ip mangle {
> + set blackhole {
> + type ipv4_addr
> + elements = { 192.168.1.4, 192.168.1.5 }
> + }
> +
> + chain prerouting {
> + type filter hook prerouting priority 0; policy accept;
> + tcp dport { ssh, http } accept
> + ip saddr @blackhole drop
> + icmp type echo-request accept
> + iifname \"lo\" accept
> + icmp type echo-request counter packets 0 bytes 0
> + ct state established,related accept
> + tcp flags != syn counter packets 7 bytes 841
> + ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
> + }
> +}
> +table arp x {
> + chain y {
> + arp htype 22
> + arp ptype ip
> + arp operation != rrequest
> + arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
> + arp hlen 33-45
> + }
> +}
> +table bridge x {
> + chain y {
> + type filter hook input priority 0; policy accept;
> + vlan id 4094
> + vlan id 4094 vlan cfi 0
> + vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
> + }
> +}
> +table ip6 x {
> + chain y {
> + type nat hook postrouting priority 0; policy accept;
> + icmpv6 id 33-45
> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
> + meta l4proto tcp masquerade to :1024
> + iifname \"wlan0\" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
> + tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
> + }
> +}"
> +
> +echo "$RULESET" > $tmpfile
> +$NFT -f $tmpfile
> +$NFT export json > $tmpfile
> +$NFT flush ruleset
> +cat $tmpfile | $NFT import json
> +
> +RESULT="$($NFT list ruleset)"
> +
> +
> +if [ "$RULESET" != "$RESULT" ] ; then
> + DIFF="$(which diff)"
> + [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$RESULT")
exit 1 in this case?
> +fi
> +
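Review bot: `exit 0` in the `[ ! -w $tmpfile ]` branch makes the test report success when the temporary file could not be created, so a broken environment passes silently; exit non-zero there. In the comparison branch, `[ -x $DIFF ]` with `$DIFF` unquoted evaluates true when `which diff` returns nothing, and the following command then tries to run `-u` as a program; quote it as `[ -x "$DIFF" ]`. The exit status of `$NFT -f $tmpfile`, `$NFT export json` and `$NFT import json` is never checked either, so a failure in any of them is only noticed indirectly through the final string comparison; check each one or use `set -e`.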
What is the purpose of these json files? I guess they are no longer useful.
> diff --git a/tests/shell/testcases/import/rules_arp_hlen_range.json b/tests/shell/testcases/import/rules_arp_hlen_range.json
* Re: [nft PATCH V2] tests: shell: Add tests for json import
2017-09-04 7:27 ` Arturo Borrero Gonzalez
@ 2017-09-04 12:39 ` Shyam Saini
2017-09-05 10:26 ` Arturo Borrero Gonzalez
0 siblings, 1 reply; 5+ messages in thread
From: Shyam Saini @ 2017-09-04 12:39 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: Netfilter Development Mailing list
>> These test cases can be used to test upcoming "import json" command.
>>
>> Here is the short description of the files:
>> all_ruleset_list -> contains list of all the individual rules
>> json_import_0 -> script that runs json run-tests.sh
>>
>> For Example:
>> $ ./run-tests.sh testcases/import/json_import_0
>>
>> Below mentioned files contains individual rules in json format and
>> are added for the reference:
>> rules_ipv4* -> ip table rules files
>> rules_ipv6* -> ip6 table rules files
>> rules_arp* -> arp table rules files
>> rules_bridge* -> bridge table rules files
>>
>> Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
>> ---
>
> This is v2: generally in this patch section we include patch changelog
> information.
> Please, take a look at this when sending v3 :-)
>
>> tests/shell/testcases/import/all_ruleset_list | 46 ++++++++++++++
>> tests/shell/testcases/import/json_import_0 | 72 ++++++++++++++++++++++
>> .../testcases/import/rules_arp_hlen_range.json | 1 +
>> tests/shell/testcases/import/rules_arp_htype.json | 1 +
>> .../testcases/import/rules_arp_operation.json | 1 +
>> .../import/rules_arp_operation_check.json | 1 +
>> .../shell/testcases/import/rules_arp_ptype_ip.json | 1 +
>> .../shell/testcases/import/rules_bridge_vlan.json | 1 +
>> .../testcases/import/rules_bridge_vlan_id.json | 1 +
>> ...bridge_vlan_id_saddr_udp_dport_drop_domain.json | 1 +
>> .../import/rules_ipv4_ct_state_accept.json | 1 +
>> .../rules_ipv4_icmp_type_echo-request_accept.json | 1 +
>> .../rules_ipv4_icmp_type_echo-request_counter.json | 1 +
>> .../import/rules_ipv4_iifname_accept.json | 1 +
>> .../import/rules_ipv4_saddr_daddr_counter.json | 1 +
>> .../testcases/import/rules_ipv4_set_elements.json | 1 +
>> .../import/rules_ipv4_tcp_dport_http_ssh.json | 1 +
>> .../testcases/import/rules_ipv4_tcp_flags.json | 1 +
>> .../import/rules_ipv6_daddr_udp_dport_counter.json | 1 +
>> ...es_ipv6_daddr_udp_dport_counter_masquerade.json | 1 +
>> .../testcases/import/rules_ipv6_icmpv6_id.json | 1 +
>> ...iifname_ct_state_tcp_dport_vmap_masquerade.json | 1 +
>> .../import/rules_ipv6_l4proto_tcp_masquerade.json | 1 +
>> ...dport_ssh_daddr_mapping_ether_saddr_accept.json | 1 +
>> 24 files changed, 140 insertions(+)
>> create mode 100644 tests/shell/testcases/import/all_ruleset_list
>> create mode 100755 tests/shell/testcases/import/json_import_0
>> create mode 100644 tests/shell/testcases/import/rules_arp_hlen_range.json
>> create mode 100644 tests/shell/testcases/import/rules_arp_htype.json
>> create mode 100644 tests/shell/testcases/import/rules_arp_operation.json
>> create mode 100644 tests/shell/testcases/import/rules_arp_operation_check.json
>> create mode 100644 tests/shell/testcases/import/rules_arp_ptype_ip.json
>> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan.json
>> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id.json
>> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_ct_state_accept.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_iifname_accept.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_set_elements.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_flags.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_icmpv6_id.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json
>>
>> diff --git a/tests/shell/testcases/import/all_ruleset_list b/tests/shell/testcases/import/all_ruleset_list
>> new file mode 100644
>> index 000000000000..4e25a76d8016
>> --- /dev/null
>> +++ b/tests/shell/testcases/import/all_ruleset_list
>> @@ -0,0 +1,46 @@
>> +table ip mangle {
>> + set blackhole {
>> + type ipv4_addr
>> + elements = { 192.168.1.4, 192.168.1.5 }
>> + }
>> +
>> + chain prerouting {
>> + type filter hook prerouting priority 0; policy accept;
>> + tcp dport { ssh, http } accept
>> + ip saddr @blackhole drop
>> + icmp type echo-request accept
>> + iifname "lo" accept
>> + icmp type echo-request counter packets 0 bytes 0
>> + ct state established,related accept
>> + tcp flags != syn counter packets 7 bytes 841
>> + ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
>> + }
>> +}
>> +table arp x {
>> + chain y {
>> + arp htype 22
>> + arp ptype ip
>> + arp operation != rrequest
>> + arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
>> + arp hlen 33-45
>> + }
>> +}
>> +table bridge x {
>> + chain y {
>> + type filter hook input priority 0; policy accept;
>> + vlan id 4094
>> + vlan id 4094 vlan cfi 0
>> + vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
>> + }
>> +}
>> +table ip6 x {
>> + chain y {
>> + type nat hook postrouting priority 0; policy accept;
>> + icmpv6 id 33-45
>> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
>> + meta l4proto tcp masquerade to :1024
>> + iifname "wlan0" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
>> + tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
>> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
>> + }
>> +}
>
> Now that we included the ruleset in the testcase itself this file is
> no longer useful?
> Please, drop it.
>
>> diff --git a/tests/shell/testcases/import/json_import_0 b/tests/shell/testcases/import/json_import_0
>> new file mode 100755
>> index 000000000000..a469a4dda754
>> --- /dev/null
>> +++ b/tests/shell/testcases/import/json_import_0
>> @@ -0,0 +1,72 @@
>> +#!/bin/bash
>> +
>> +tmpfile=$(mktemp)
>> +
>> +if [ ! -w $tmpfile ] ; then
>> + echo "Failed to create tmp file" >&2
>> + exit 0
>> +fi
>> +
>> +trap "rm -rf $tmpfile" EXIT # cleanup if aborted
>> +
>> +RULESET="table ip mangle {
>> + set blackhole {
>> + type ipv4_addr
>> + elements = { 192.168.1.4, 192.168.1.5 }
>> + }
>> +
>> + chain prerouting {
>> + type filter hook prerouting priority 0; policy accept;
>> + tcp dport { ssh, http } accept
>> + ip saddr @blackhole drop
>> + icmp type echo-request accept
>> + iifname \"lo\" accept
>> + icmp type echo-request counter packets 0 bytes 0
>> + ct state established,related accept
>> + tcp flags != syn counter packets 7 bytes 841
>> + ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
>> + }
>> +}
>> +table arp x {
>> + chain y {
>> + arp htype 22
>> + arp ptype ip
>> + arp operation != rrequest
>> + arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
>> + arp hlen 33-45
>> + }
>> +}
>> +table bridge x {
>> + chain y {
>> + type filter hook input priority 0; policy accept;
>> + vlan id 4094
>> + vlan id 4094 vlan cfi 0
>> + vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
>> + }
>> +}
>> +table ip6 x {
>> + chain y {
>> + type nat hook postrouting priority 0; policy accept;
>> + icmpv6 id 33-45
>> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
>> + meta l4proto tcp masquerade to :1024
>> + iifname \"wlan0\" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
>> + tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
>> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
>> + }
>> +}"
>> +
>> +echo "$RULESET" > $tmpfile
>> +$NFT -f $tmpfile
>> +$NFT export json > $tmpfile
>> +$NFT flush ruleset
>> +cat $tmpfile | $NFT import json
>> +
>> +RESULT="$($NFT list ruleset)"
>> +
>> +
>> +if [ "$RULESET" != "$RESULT" ] ; then
>> + DIFF="$(which diff)"
>> + [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$RESULT")
>
> exit 1 in this case?
>
>> +fi
>> +
>
>
> What is the purpose of these json files? I guess they are no longer useful.
>
>> diff --git a/tests/shell/testcases/import/rules_arp_hlen_range.json b/tests/shell/testcases/import/rules_arp_hlen_range.json
Thanks a lot Arturo for all these suggestions :)
* Re: [nft PATCH V2] tests: shell: Add tests for json import
2017-09-04 12:39 ` Shyam Saini
@ 2017-09-05 10:26 ` Arturo Borrero Gonzalez
2017-09-06 4:06 ` Shyam Saini
0 siblings, 1 reply; 5+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-09-05 10:26 UTC (permalink / raw)
To: Shyam Saini; +Cc: Netfilter Development Mailing list
On 4 September 2017 at 14:39, Shyam Saini <mayhs11saini@gmail.com> wrote:
>>> These test cases can be used to test upcoming "import json" command.
>>>
Hi Shyam,
your v3 looks fine.
I was going to test it out, but it seems the first patch [0] in the
series requires a refresh.
Please, refresh this first patch.
thanks for your work!
[0] http://patchwork.ozlabs.org/patch/803561/
* Re: [nft PATCH V2] tests: shell: Add tests for json import
2017-09-05 10:26 ` Arturo Borrero Gonzalez
@ 2017-09-06 4:06 ` Shyam Saini
0 siblings, 0 replies; 5+ messages in thread
From: Shyam Saini @ 2017-09-06 4:06 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: Netfilter Development Mailing list
> Hi Shyam,
Hi Arturo,
> your v3 looks fine.
Thank you :)
> I was going to test it out, but it seems the first patch [0] in the
> series requires a refresh.
> Please, refresh this first patch.
>
> thanks for your work!
>
> [0] http://patchwork.ozlabs.org/patch/803561/
Sorry for the inconvenience caused.
Will send the new patch asap.
Thanks,
Shyam