Let's add some testcases for named sets with intervals and ranges.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>
---
tests/shell/testcases/sets/0001named_interval_0 | 47 ++++++++++++++++++++
.../sets/0002named_interval_automerging_0 | 12 +++++
.../sets/0003named_interval_missing_flag_0 | 12 +++++
.../testcases/sets/0004named_interval_shadow_0 | 13 ++++++
.../testcases/sets/0005named_interval_shadow_0 | 13 ++++++
5 files changed, 97 insertions(+)
create mode 100755 tests/shell/testcases/sets/0001named_interval_0
create mode 100755 tests/shell/testcases/sets/0002named_interval_automerging_0
create mode 100755 tests/shell/testcases/sets/0003named_interval_missing_flag_0
create mode 100755 tests/shell/testcases/sets/0004named_interval_shadow_0
create mode 100755 tests/shell/testcases/sets/0005named_interval_shadow_0
diff --git a/tests/shell/testcases/sets/0001named_interval_0 b/tests/shell/testcases/sets/0001named_interval_0
new file mode 100755
index 0000000..8d08b75
--- /dev/null
+++ b/tests/shell/testcases/sets/0001named_interval_0
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# This is the most basic testscase:
+# * creating a valid interval set
+# * referencing it from a valid rule
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+echo "
+table inet t {
+ set s1 {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 }
+ }
+ set s2 {
+ type ipv6_addr
+ flags interval
+ elements = { fe00::/64, fe11::-fe22::}
+ }
+ set s3 {
+ type inet_proto
+ flags interval
+ elements = { 10-20, 50-60}
+ }
+ set s4 {
+ type inet_service
+ flags interval
+ elements = {8080-8082, 0-1024, 10000-40000}
+ }
+ chain c {
+ ip saddr @s1 accept
+ ip6 daddr @s2 accept
+ ip protocol @s3 accept
+ ip6 nexthdr @s3 accept
+ tcp dport @s4 accept
+ }
+}" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
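Review bot: In tests/shell/testcases/sets/0001named_interval_0 the temp-file guard leaves `$tmpfile` unquoted and exits 0, so a failed `mktemp` is not reliably caught, and when it is caught the harness would presumably record a pass for a test that never ran. With an empty value `[ ! -w ]` collapses to a one-argument test and evaluates false, so the script carries on to `> $tmpfile`. I would write `if [ ! -w "$tmpfile" ] ; then` with a non-zero exit, and `trap 'rm -f -- "$tmpfile"' EXIT` so the cleanup, which presumably runs as root like the rest of the suite, cannot word-split a path derived from TMPDIR. `set -e` is also enabled only after the ruleset has been written, so a failed write is noticed only indirectly through `$NFT -f`.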
diff --git a/tests/shell/testcases/sets/0002named_interval_automerging_0 b/tests/shell/testcases/sets/0002named_interval_automerging_0
new file mode 100755
index 0000000..b07e0b0
--- /dev/null
+++ b/tests/shell/testcases/sets/0002named_interval_automerging_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This testscase checks the automerging of adjacent intervals
+
+set -e
+
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; flags interval \; }
+$NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 }
+$NFT list ruleset | grep "192.168.0.0/23" >/dev/null && exit 0
+echo "E: automerging of adjavect intervals failed in named set" >&2
+exit 1
diff --git a/tests/shell/testcases/sets/0003named_interval_missing_flag_0 b/tests/shell/testcases/sets/0003named_interval_missing_flag_0
new file mode 100755
index 0000000..e0b7f74
--- /dev/null
+++ b/tests/shell/testcases/sets/0003named_interval_missing_flag_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of flags in named intervals
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+if $NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 } 2>/dev/null ; then
+ echo "E: accepted interval in named set without proper flags" >&2
+ exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0004named_interval_shadow_0 b/tests/shell/testcases/sets/0004named_interval_shadow_0
new file mode 100755
index 0000000..827423d
--- /dev/null
+++ b/tests/shell/testcases/sets/0004named_interval_shadow_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of shadowed elements
+
+set -e
+$NFT add table inet t
+$NFT add set inet t s { type ipv6_addr \; flags interval \; }
+$NFT add element inet t s { fe00::/64 }
+if $NFT add element inet t s { fe00::/48 } 2>/dev/null ; then
+ echo "E: accepted shadowed element in named set" >&2
+ exit 1
+fi
+exit 0
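Review bot: In 0002named_interval_automerging_0 the pass condition greps the entire ruleset with a regular expression, so the unescaped dots in `"192.168.0.0/23"` match any character and a hit anywhere in the output counts as success. A fixed-string match against just the set would be tighter: `$NFT list set t s | grep -qF -- "192.168.0.0/23" && exit 0`. The failure message also reads "adjavect", which should be "adjacent" so the error can be found by searching test logs.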
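Review bot: In 0003named_interval_missing_flag_0 the negative check treats every non-zero status from `$NFT add element` as the expected rejection and discards stderr, so a crash or an unrelated failure in nft would pass the test. The `if ... 2>/dev/null ; then` lines in 0004named_interval_shadow_0 and 0005named_interval_shadow_0 have the same shape. Capturing the status would separate a clean rejection from a signal exit, e.g. `rc=0; $NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 } || rc=$?` followed by `if [ "$rc" -eq 0 ] || [ "$rc" -ge 128 ] ; then`. Leaving stderr in the test output instead of sending it to `/dev/null` would also show why nft refused the element.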
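Review bot: The header comment in 0004named_interval_shadow_0 is word-for-word the same as the one in 0005named_interval_shadow_0, and the two file names differ only by number, although the scripts exercise opposite orderings. I would state the direction in each, e.g. `# A wider prefix (fe00::/48) covering an existing fe00::/64 must be rejected` here and `# A narrower prefix (fe00::/64) inside an existing fe00::/48 must be rejected` in 0005. Both comments also read "testscase" where "testcase" is meant.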
diff --git a/tests/shell/testcases/sets/0005named_interval_shadow_0 b/tests/shell/testcases/sets/0005named_interval_shadow_0
new file mode 100755
index 0000000..14fcbdc
--- /dev/null
+++ b/tests/shell/testcases/sets/0005named_interval_shadow_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of shadowed elements
+
+set -e
+$NFT add table inet t
+$NFT add set inet t s { type ipv6_addr \; flags interval \; }
+$NFT add element inet t s { fe00::/48 }
+if $NFT add element inet t s { fe00::/64 } 2>/dev/null ; then
+ echo "E: accepted shadowed element in named set" >&2
+ exit 1
+fi
+exit 0
-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html