>> These test cases can be used to test upcoming "import json" command.
>>
>> Here is the short description of the files:
>> all_ruleset_list -> contains list of all the individual rules
>> json_import_0 -> script that runs json run-tests.sh
>>
>> For Example:
>> $ ./run-tests.sh testcases/import/json_import_0
>>
>> Below mentioned files contains individual rules in json format and
>> are added for the reference:
>> rules_ipv4* -> ip table rules files
>> rules_ipv6* -> ip6 table rules files
>> rules_arp* -> arp table rules files
>> rules_bridge* -> bridge table rules files
>>
>> Signed-off-by: Shyam Saini <mayhs11saini@xxxxxxxxx>
>> ---
>
> This is v2: generally in this patch section we include patch changelog
> information.
> Please, take a look at this when sending v3 :-)
>
>> tests/shell/testcases/import/all_ruleset_list | 46 ++++++++++++++
>> tests/shell/testcases/import/json_import_0 | 72 ++++++++++++++++++++++
>> .../testcases/import/rules_arp_hlen_range.json | 1 +
>> tests/shell/testcases/import/rules_arp_htype.json | 1 +
>> .../testcases/import/rules_arp_operation.json | 1 +
>> .../import/rules_arp_operation_check.json | 1 +
>> .../shell/testcases/import/rules_arp_ptype_ip.json | 1 +
>> .../shell/testcases/import/rules_bridge_vlan.json | 1 +
>> .../testcases/import/rules_bridge_vlan_id.json | 1 +
>> ...bridge_vlan_id_saddr_udp_dport_drop_domain.json | 1 +
>> .../import/rules_ipv4_ct_state_accept.json | 1 +
>> .../rules_ipv4_icmp_type_echo-request_accept.json | 1 +
>> .../rules_ipv4_icmp_type_echo-request_counter.json | 1 +
>> .../import/rules_ipv4_iifname_accept.json | 1 +
>> .../import/rules_ipv4_saddr_daddr_counter.json | 1 +
>> .../testcases/import/rules_ipv4_set_elements.json | 1 +
>> .../import/rules_ipv4_tcp_dport_http_ssh.json | 1 +
>> .../testcases/import/rules_ipv4_tcp_flags.json | 1 +
>> .../import/rules_ipv6_daddr_udp_dport_counter.json | 1 +
>> ...es_ipv6_daddr_udp_dport_counter_masquerade.json | 1 +
>> .../testcases/import/rules_ipv6_icmpv6_id.json | 1 +
>> ...iifname_ct_state_tcp_dport_vmap_masquerade.json | 1 +
>> .../import/rules_ipv6_l4proto_tcp_masquerade.json | 1 +
>> ...dport_ssh_daddr_mapping_ether_saddr_accept.json | 1 +
>> 24 files changed, 140 insertions(+)
>> create mode 100644 tests/shell/testcases/import/all_ruleset_list
>> create mode 100755 tests/shell/testcases/import/json_import_0
>> create mode 100644 tests/shell/testcases/import/rules_arp_hlen_range.json
>> create mode 100644 tests/shell/testcases/import/rules_arp_htype.json
>> create mode 100644 tests/shell/testcases/import/rules_arp_operation.json
>> create mode 100644 tests/shell/testcases/import/rules_arp_operation_check.json
>> create mode 100644 tests/shell/testcases/import/rules_arp_ptype_ip.json
>> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan.json
>> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id.json
>> create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_ct_state_accept.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_iifname_accept.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_set_elements.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_flags.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_icmpv6_id.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json
>> create mode 100644 tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json
>>
>> diff --git a/tests/shell/testcases/import/all_ruleset_list b/tests/shell/testcases/import/all_ruleset_list
>> new file mode 100644
>> index 000000000000..4e25a76d8016
>> --- /dev/null
>> +++ b/tests/shell/testcases/import/all_ruleset_list
>> @@ -0,0 +1,46 @@
>> +table ip mangle {
>> + set blackhole {
>> + type ipv4_addr
>> + elements = { 192.168.1.4, 192.168.1.5 }
>> + }
>> +
>> + chain prerouting {
>> + type filter hook prerouting priority 0; policy accept;
>> + tcp dport { ssh, http } accept
>> + ip saddr @blackhole drop
>> + icmp type echo-request accept
>> + iifname "lo" accept
>> + icmp type echo-request counter packets 0 bytes 0
>> + ct state established,related accept
>> + tcp flags != syn counter packets 7 bytes 841
>> + ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
>> + }
>> +}
>> +table arp x {
>> + chain y {
>> + arp htype 22
>> + arp ptype ip
>> + arp operation != rrequest
>> + arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
>> + arp hlen 33-45
>> + }
>> +}
>> +table bridge x {
>> + chain y {
>> + type filter hook input priority 0; policy accept;
>> + vlan id 4094
>> + vlan id 4094 vlan cfi 0
>> + vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
>> + }
>> +}
>> +table ip6 x {
>> + chain y {
>> + type nat hook postrouting priority 0; policy accept;
>> + icmpv6 id 33-45
>> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
>> + meta l4proto tcp masquerade to :1024
>> + iifname "wlan0" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
>> + tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
>> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
>> + }
>> +}
>
> Now that we included the ruleset in the testcase itself this file is
> no longer useful?
> Please, drop it.
>
>> diff --git a/tests/shell/testcases/import/json_import_0 b/tests/shell/testcases/import/json_import_0
>> new file mode 100755
>> index 000000000000..a469a4dda754
>> --- /dev/null
>> +++ b/tests/shell/testcases/import/json_import_0
>> @@ -0,0 +1,72 @@
>> +#!/bin/bash
>> +
>> +tmpfile=$(mktemp)
>> +
>> +if [ ! -w $tmpfile ] ; then
>> + echo "Failed to create tmp file" >&2
>> + exit 0
>> +fi
>> +
>> +trap "rm -rf $tmpfile" EXIT # cleanup if aborted
>> +
>> +RULESET="table ip mangle {
>> + set blackhole {
>> + type ipv4_addr
>> + elements = { 192.168.1.4, 192.168.1.5 }
>> + }
>> +
>> + chain prerouting {
>> + type filter hook prerouting priority 0; policy accept;
>> + tcp dport { ssh, http } accept
>> + ip saddr @blackhole drop
>> + icmp type echo-request accept
>> + iifname \"lo\" accept
>> + icmp type echo-request counter packets 0 bytes 0
>> + ct state established,related accept
>> + tcp flags != syn counter packets 7 bytes 841
>> + ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
>> + }
>> +}
>> +table arp x {
>> + chain y {
>> + arp htype 22
>> + arp ptype ip
>> + arp operation != rrequest
>> + arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
>> + arp hlen 33-45
>> + }
>> +}
>> +table bridge x {
>> + chain y {
>> + type filter hook input priority 0; policy accept;
>> + vlan id 4094
>> + vlan id 4094 vlan cfi 0
>> + vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
>> + }
>> +}
>> +table ip6 x {
>> + chain y {
>> + type nat hook postrouting priority 0; policy accept;
>> + icmpv6 id 33-45
>> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
>> + meta l4proto tcp masquerade to :1024
>> + iifname \"wlan0\" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
>> + tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
>> + ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
>> + }
>> +}"
>> +
>> +echo "$RULESET" > $tmpfile
>> +$NFT -f $tmpfile
>> +$NFT export json > $tmpfile
>> +$NFT flush ruleset
>> +cat $tmpfile | $NFT import json
>> +
>> +RESULT="$($NFT list ruleset)"
>> +
>> +
>> +if [ "$RULESET" != "$RESULT" ] ; then
>> + DIFF="$(which diff)"
>> + [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$RESULT")
>
> exit 1 in this case?
>
>> +fi
>> +
>
>
> What is the pourpose of these json files? I guess they are no longer useful.
>
>> diff --git a/tests/shell/testcases/import/rules_arp_hlen_range.json b/tests/shell/testcases/import/rules_arp_hlen_range.json
Thanks a lot Arturo for all these suggestions :)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
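Review bot: The temp-file guard at the top of json_import_0 does not catch a failed `mktemp`: with `$tmpfile` empty and unquoted, `[ ! -w $tmpfile ]` collapses to `[ ! -w ]`, which tests the non-empty string `-w` and evaluates false, so the script carries on and the later redirections fail. Checking the command and quoting the variable closes that gap, e.g. `tmpfile=$(mktemp) || exit 1` and `if [ ! -w "$tmpfile" ] ; then`. The `exit 0` inside that branch reports a setup failure as success, so a broken environment would presumably be counted as a passing import test; a non-zero status is safer there. The trap string expands the path when the trap is defined and uses a recursive delete for a single file; `trap 'rm -f -- "$tmpfile"' EXIT` is narrower and survives paths with spaces.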