On 3 September 2017 at 01:32, Shyam Saini <mayhs11saini@xxxxxxxxx> wrote: > These test cases can be used to test upcoming "import json" command. > > Here is the short description of the files: > all_ruleset_list -> contains list of all the individual rules > json_import_0 -> script that runs json run-tests.sh > > For Example: > $ ./run-tests.sh testcases/import/json_import_0 > > Below mentioned files contains individual rules in json format and > are added for the reference: > rules_ipv4* -> ip table rules files > rules_ipv6* -> ip6 table rules files > rules_arp* -> arp table rules files > rules_bridge* -> bridge table rules files 
> > Signed-off-by: Shyam Saini <mayhs11saini@xxxxxxxxx> > --- This is v2: generally in this patch section we include patch changelog information. Please, take a look at this when sending v3 :-) > tests/shell/testcases/import/all_ruleset_list | 46 ++++++++++++++ > tests/shell/testcases/import/json_import_0 | 72 ++++++++++++++++++++++ > .../testcases/import/rules_arp_hlen_range.json | 1 + > tests/shell/testcases/import/rules_arp_htype.json | 1 + > .../testcases/import/rules_arp_operation.json | 1 + > .../import/rules_arp_operation_check.json | 1 + > .../shell/testcases/import/rules_arp_ptype_ip.json | 1 + > .../shell/testcases/import/rules_bridge_vlan.json | 1 + > .../testcases/import/rules_bridge_vlan_id.json | 1 + > ...bridge_vlan_id_saddr_udp_dport_drop_domain.json | 1 + > .../import/rules_ipv4_ct_state_accept.json | 1 + > .../rules_ipv4_icmp_type_echo-request_accept.json | 1 + > .../rules_ipv4_icmp_type_echo-request_counter.json | 1 + > .../import/rules_ipv4_iifname_accept.json | 1 + > .../import/rules_ipv4_saddr_daddr_counter.json | 1 + > .../testcases/import/rules_ipv4_set_elements.json | 1 + > .../import/rules_ipv4_tcp_dport_http_ssh.json | 1 + > .../testcases/import/rules_ipv4_tcp_flags.json | 1 + > .../import/rules_ipv6_daddr_udp_dport_counter.json | 1 + > ...es_ipv6_daddr_udp_dport_counter_masquerade.json | 1 + > .../testcases/import/rules_ipv6_icmpv6_id.json | 1 + > ...iifname_ct_state_tcp_dport_vmap_masquerade.json | 1 + > .../import/rules_ipv6_l4proto_tcp_masquerade.json | 1 + > ...dport_ssh_daddr_mapping_ether_saddr_accept.json | 1 + > 24 files changed, 140 insertions(+) > create mode 100644 tests/shell/testcases/import/all_ruleset_list > create mode 100755 tests/shell/testcases/import/json_import_0 > create mode 100644 tests/shell/testcases/import/rules_arp_hlen_range.json > create mode 100644 tests/shell/testcases/import/rules_arp_htype.json > create mode 100644 tests/shell/testcases/import/rules_arp_operation.json > create mode 100644 
tests/shell/testcases/import/rules_arp_operation_check.json > create mode 100644 tests/shell/testcases/import/rules_arp_ptype_ip.json > create mode 100644 tests/shell/testcases/import/rules_bridge_vlan.json > create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id.json > create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_ct_state_accept.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_iifname_accept.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_set_elements.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_flags.json > create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json > create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json > create mode 100644 tests/shell/testcases/import/rules_ipv6_icmpv6_id.json > create mode 100644 tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json > create mode 100644 tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json > create mode 100644 tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json > > diff --git a/tests/shell/testcases/import/all_ruleset_list b/tests/shell/testcases/import/all_ruleset_list > new file mode 100644 > index 000000000000..4e25a76d8016 > --- /dev/null > +++ b/tests/shell/testcases/import/all_ruleset_list 
> @@ -0,0 +1,46 @@
> +table ip mangle {
> + set blackhole {
> + type ipv4_addr
> + elements = { 192.168.1.4, 192.168.1.5 }
> + }
> +
> + chain prerouting {
> + type filter hook prerouting priority 0; policy accept;
> + tcp dport { ssh, http } accept
> + ip saddr @blackhole drop
> + icmp type echo-request accept
> + iifname "lo" accept
> + icmp type echo-request counter packets 0 bytes 0
> + ct state established,related accept
> + tcp flags != syn counter packets 7 bytes 841
> + ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
> + }
> +}
> +table arp x {
> + chain y {
> + arp htype 22
> + arp ptype ip
> + arp operation != rrequest
> + arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
> + arp hlen 33-45
> + }
> +}
> +table bridge x {
> + chain y {
> + type filter hook input priority 0; policy accept;
> + vlan id 4094
> + vlan id 4094 vlan cfi 0
> + vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
> + }
> +}
> +table ip6 x {
> + chain y {
> + type nat hook postrouting priority 0; policy accept;
> + icmpv6 id 33-45
> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
> + meta l4proto tcp masquerade to :1024
> + iifname "wlan0" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
> + tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
> + }
> +}
Now that we included the ruleset in the testcase itself this file is no longer useful? Please, drop it.
> diff --git a/tests/shell/testcases/import/json_import_0 b/tests/shell/testcases/import/json_import_0
> new file mode 100755
> index 000000000000..a469a4dda754
> --- /dev/null
> +++ b/tests/shell/testcases/import/json_import_0
> @@ -0,0 +1,72 @@
> +#!/bin/bash
> +
> +tmpfile=$(mktemp)
> +
> +if [ ! -w $tmpfile ] ; then
> + echo "Failed to create tmp file" >&2
> + exit 0
> +fi
> +
> +trap "rm -rf $tmpfile" EXIT # cleanup if aborted
> +
> +RULESET="table ip mangle {
> + set blackhole {
> + type ipv4_addr
> + elements = { 192.168.1.4, 192.168.1.5 }
> + }
> +
> + chain prerouting {
> + type filter hook prerouting priority 0; policy accept;
> + tcp dport { ssh, http } accept
> + ip saddr @blackhole drop
> + icmp type echo-request accept
> + iifname \"lo\" accept
> + icmp type echo-request counter packets 0 bytes 0
> + ct state established,related accept
> + tcp flags != syn counter packets 7 bytes 841
> + ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
> + }
> +}
> +table arp x {
> + chain y {
> + arp htype 22
> + arp ptype ip
> + arp operation != rrequest
> + arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
> + arp hlen 33-45
> + }
> +}
> +table bridge x {
> + chain y {
> + type filter hook input priority 0; policy accept;
> + vlan id 4094
> + vlan id 4094 vlan cfi 0
> + vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
> + }
> +}
> +table ip6 x {
> + chain y {
> + type nat hook postrouting priority 0; policy accept;
> + icmpv6 id 33-45
> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
> + meta l4proto tcp masquerade to :1024
> + iifname \"wlan0\" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
> + tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
> + }
> +}"
> +
> +echo "$RULESET" > $tmpfile
> +$NFT -f $tmpfile
> +$NFT export json > $tmpfile
> +$NFT flush ruleset
> +cat $tmpfile | $NFT import json
> +
> +RESULT="$($NFT list ruleset)"
> +
> +
> +if [ "$RULESET" != "$RESULT" ] ; then
> + DIFF="$(which diff)"
> + [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$RESULT")
exit 1 in this case?
> +fi
> +
What is the pourpose of these json files? I guess they are no longer useful.
> diff --git a/tests/shell/testcases/import/rules_arp_hlen_range.json b/tests/shell/testcases/import/rules_arp_hlen_range.json
-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
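Review bot: In json_import_0 the temp-file guard `[ ! -w $tmpfile ]` is unquoted, so if mktemp fails and `$tmpfile` is empty the test collapses to `[ ! -w ]`, which evaluates false, and the script carries on to redirect into an empty name instead of stopping. Quote the variable and check for emptiness, `if [ -z "$tmpfile" ] || [ ! -w "$tmpfile" ] ; then`, and apply the same quoting to the later `> $tmpfile`, `-f $tmpfile` and `cat $tmpfile` uses. That branch also ends in `exit 0`, which reports a pass for a test that never ran; if it is meant as a skip a comment should say so, otherwise it should be `exit 1`. The trap string is expanded when the trap is set and uses `-r` on a single file, so `trap 'rm -f "$tmpfile"' EXIT` is the tighter form.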