[PATCH nft] tests: shell: set element multistatement support

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Fri, 18 Dec 2020 12:32:12 +0100

This patch adds two tests to add multistatement support:

- Dynamic set updates from packet path.
- Set that is updated from the control plane.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 .../testcases/sets/0059set_update_multistmt_0 | 17 +++++++
 .../shell/testcases/sets/0060set_multistmt_0  | 49 +++++++++++++++++++
 .../sets/dumps/0059set_update_multistmt_0.nft | 13 +++++
 .../sets/dumps/0060set_multistmt_0.nft        | 12 +++++
 4 files changed, 91 insertions(+)
 create mode 100755 tests/shell/testcases/sets/0059set_update_multistmt_0
 create mode 100755 tests/shell/testcases/sets/0060set_multistmt_0
 create mode 100644 tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
 create mode 100644 tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft

diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0
new file mode 100755
index 000000000000..107bfb870932
--- /dev/null
+++ b/tests/shell/testcases/sets/0059set_update_multistmt_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+RULESET="table x {
+	set y {
+		type ipv4_addr
+		size 65535
+		flags dynamic,timeout
+		timeout 1h
+	}
+	chain z {
+		type filter hook output priority 0;
+		update @y { ip daddr limit rate 1/second counter }
+	}
+}"
+
+set -e
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0
new file mode 100755
index 000000000000..2cb4d3c55535
--- /dev/null
+++ b/tests/shell/testcases/sets/0060set_multistmt_0
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+RULESET="table x {
+	set y {
+		type ipv4_addr
+		limit rate 1/second counter
+	}
+	chain y {
+		type filter hook output priority filter; policy accept;
+		ip daddr @y
+	}
+}"
+
+$NFT -f - <<< $RULESET
+# should work
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+# should work
+$NFT add element x y { 1.1.1.1 limit rate 1/second counter }
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+# should fail
+$NFT add element x y { 2.2.2.2 limit rate 1/second }
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+# should fail
+$NFT add element x y { 3.3.3.3 counter limit rate 1/second }
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+# should work
+$NFT add element x y { 4.4.4.4 }
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
new file mode 100644
index 000000000000..1b0ffae4d651
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		size 65535
+		flags dynamic,timeout
+		timeout 1h
+	}
+
+	chain z {
+		type filter hook output priority filter; policy accept;
+		update @y { ip daddr limit rate 1/second counter }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
new file mode 100644
index 000000000000..7ebb709fac2a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
@@ -0,0 +1,12 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		limit rate 1/second counter
+		elements = { 1.1.1.1 limit rate 1/second counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second counter packets 0 bytes 0 }
+	}
+
+	chain y {
+		type filter hook output priority filter; policy accept;
+		ip daddr @y
+	}
+}
-- 
2.20.1







