|
 |
e0f94f |
From 55554de816520471e11f39b99468d5777ae57937 Mon Sep 17 00:00:00 2001
|
|
|
e0f94f |
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
e0f94f |
Date: Fri, 25 Jun 2021 22:30:43 +0200
|
|
|
e0f94f |
Subject: [PATCH] tests: add tests ipset to nftables
|
|
|
e0f94f |
|
|
|
e0f94f |
This test checks that the translation from ipset to nftables is correct.
|
|
|
e0f94f |
|
|
|
e0f94f |
term$ cd tests/xlate
|
|
|
e0f94f |
term$ ./runtest.sh
|
|
|
e0f94f |
|
|
|
e0f94f |
in case that the translation is not correct, it shows the diff with expected
|
|
|
e0f94f |
translation output.
|
|
|
e0f94f |
|
|
|
e0f94f |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
e0f94f |
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
|
|
e0f94f |
(cherry picked from commit 7587d1c4b5465f3b5315536b439b63a5ffe0311d)
|
|
|
e0f94f |
---
|
|
|
e0f94f |
tests/xlate/runtest.sh | 29 +++++++++++++++++++++
|
|
|
e0f94f |
tests/xlate/xlate.t | 55 ++++++++++++++++++++++++++++++++++++++++
|
|
|
e0f94f |
tests/xlate/xlate.t.nft | 56 +++++++++++++++++++++++++++++++++++++++++
|
|
|
e0f94f |
3 files changed, 140 insertions(+)
|
|
|
e0f94f |
create mode 100755 tests/xlate/runtest.sh
|
|
|
e0f94f |
create mode 100644 tests/xlate/xlate.t
|
|
|
e0f94f |
create mode 100644 tests/xlate/xlate.t.nft
|
|
|
e0f94f |
|
|
|
e0f94f |
diff --git a/tests/xlate/runtest.sh b/tests/xlate/runtest.sh
|
|
|
e0f94f |
new file mode 100755
|
|
|
e0f94f |
index 0000000000000..a2a02c05d7573
|
|
|
e0f94f |
--- /dev/null
|
|
|
e0f94f |
+++ b/tests/xlate/runtest.sh
|
|
|
e0f94f |
@@ -0,0 +1,29 @@
|
|
|
e0f94f |
+#!/bin/bash
|
|
|
e0f94f |
+
|
|
|
e0f94f |
+DIFF=$(which diff)
|
|
|
e0f94f |
+if [ ! -x "$DIFF" ] ; then
|
|
|
e0f94f |
+ echo "ERROR: missing diff"
|
|
|
e0f94f |
+ exit 1
|
|
|
e0f94f |
+fi
|
|
|
e0f94f |
+
|
|
|
e0f94f |
+IPSET_XLATE=$(which ipset-translate)
|
|
|
e0f94f |
+if [ ! -x "$IPSET_XLATE" ] ; then
|
|
|
e0f94f |
+ echo "ERROR: ipset-translate is not installed yet"
|
|
|
e0f94f |
+ exit 1
|
|
|
e0f94f |
+fi
|
|
|
e0f94f |
+
|
|
|
e0f94f |
+TMP=$(mktemp)
|
|
|
e0f94f |
+ipset-translate restore < xlate.t &> $TMP
|
|
|
e0f94f |
+if [ $? -ne 0 ]
|
|
|
e0f94f |
+then
|
|
|
e0f94f |
+ cat $TMP
|
|
|
e0f94f |
+ echo -e "[\033[0;31mERROR\033[0m] failed to run ipset-translate"
|
|
|
e0f94f |
+ exit 1
|
|
|
e0f94f |
+fi
|
|
|
e0f94f |
+${DIFF} -u xlate.t.nft $TMP
|
|
|
e0f94f |
+if [ $? -eq 0 ]
|
|
|
e0f94f |
+then
|
|
|
e0f94f |
+ echo -e "[\033[0;32mOK\033[0m] tests are fine!"
|
|
|
e0f94f |
+else
|
|
|
e0f94f |
+ echo -e "[\033[0;31mERROR\033[0m] unexpected ipset to nftables translation"
|
|
|
e0f94f |
+fi
|
|
|
e0f94f |
diff --git a/tests/xlate/xlate.t b/tests/xlate/xlate.t
|
|
|
e0f94f |
new file mode 100644
|
|
|
e0f94f |
index 0000000000000..b1e7d288e2a98
|
|
|
e0f94f |
--- /dev/null
|
|
|
e0f94f |
+++ b/tests/xlate/xlate.t
|
|
|
e0f94f |
@@ -0,0 +1,55 @@
|
|
|
e0f94f |
+create hip1 hash:ip
|
|
|
e0f94f |
+add hip1 192.168.10.2
|
|
|
e0f94f |
+add hip1 192.168.10.3
|
|
|
e0f94f |
+create hip2 hash:ip hashsize 128 bucketsize 255 timeout 4
|
|
|
e0f94f |
+add hip2 192.168.10.3
|
|
|
e0f94f |
+add hip2 192.168.10.4 timeout 10
|
|
|
e0f94f |
+create hip3 hash:ip counters
|
|
|
e0f94f |
+add hip3 192.168.10.3 packets 5 bytes 3456
|
|
|
e0f94f |
+create hip4 hash:ip netmask 24
|
|
|
e0f94f |
+add hip4 192.168.10.0
|
|
|
e0f94f |
+create hip5 hash:ip maxelem 24
|
|
|
e0f94f |
+add hip5 192.168.10.0
|
|
|
e0f94f |
+create hip6 hash:ip comment
|
|
|
e0f94f |
+add hip5 192.168.10.1
|
|
|
e0f94f |
+add hip5 192.168.10.2 comment "this is a comment"
|
|
|
e0f94f |
+create ipp1 hash:ip,port
|
|
|
e0f94f |
+add ipp1 192.168.10.1,0
|
|
|
e0f94f |
+add ipp1 192.168.10.2,5
|
|
|
e0f94f |
+create ipp2 hash:ip,port timeout 4
|
|
|
e0f94f |
+add ipp2 192.168.10.1,0 timeout 12
|
|
|
e0f94f |
+add ipp2 192.168.10.2,5
|
|
|
e0f94f |
+create ipp3 hash:ip,port counters
|
|
|
e0f94f |
+add ipp3 192.168.10.3,20 packets 5 bytes 3456
|
|
|
e0f94f |
+create ipp4 hash:ip,port timeout 4 counters
|
|
|
e0f94f |
+add ipp4 192.168.10.3,20 packets 5 bytes 3456
|
|
|
e0f94f |
+create bip1 bitmap:ip range 2.0.0.1-2.1.0.1 timeout 5
|
|
|
e0f94f |
+create bip2 bitmap:ip range 10.0.0.0/8 netmask 24 timeout 5
|
|
|
e0f94f |
+add bip2 10.10.10.0
|
|
|
e0f94f |
+add bip2 10.10.20.0 timeout 12
|
|
|
e0f94f |
+create net1 hash:net
|
|
|
e0f94f |
+add net1 192.168.10.0/24
|
|
|
e0f94f |
+create net2 hash:net,net
|
|
|
e0f94f |
+add net2 192.168.10.0/24,192.168.20.0/24
|
|
|
e0f94f |
+create hm1 hash:mac
|
|
|
e0f94f |
+add hm1 aa:bb:cc:dd:ee:ff
|
|
|
e0f94f |
+create him1 hash:ip,mac
|
|
|
e0f94f |
+add him1 1.1.1.1,aa:bb:cc:dd:ee:ff
|
|
|
e0f94f |
+create ni1 hash:net,iface
|
|
|
e0f94f |
+add ni1 1.1.1.0/24,eth0
|
|
|
e0f94f |
+create nip1 hash:net,port
|
|
|
e0f94f |
+add nip1 1.1.1.0/24,22
|
|
|
e0f94f |
+create npn1 hash:net,port,net
|
|
|
e0f94f |
+add npn1 1.1.1.0/24,22,2.2.2.0/24
|
|
|
e0f94f |
+create nn1 hash:net,net
|
|
|
e0f94f |
+add nn1 1.1.1.0/24,2.2.2.0/24
|
|
|
e0f94f |
+create ipn1 hash:ip,port,net
|
|
|
e0f94f |
+add ipn1 1.1.1.1,22,2.2.2.0/24
|
|
|
e0f94f |
+create ipi1 hash:ip,port,ip
|
|
|
e0f94f |
+add ipi1 1.1.1.1,22,2.2.2.2
|
|
|
e0f94f |
+create im1 hash:ip,mark
|
|
|
e0f94f |
+add im1 1.1.1.1,0x123456
|
|
|
e0f94f |
+create bp1 bitmap:port range 1-1024
|
|
|
e0f94f |
+add bp1 22
|
|
|
e0f94f |
+create bim1 bitmap:ip,mac range 1.1.1.0/24
|
|
|
e0f94f |
+add bim1 1.1.1.1,aa:bb:cc:dd:ee:ff
|
|
|
e0f94f |
diff --git a/tests/xlate/xlate.t.nft b/tests/xlate/xlate.t.nft
|
|
|
e0f94f |
new file mode 100644
|
|
|
e0f94f |
index 0000000000000..96eba3b0175ea
|
|
|
e0f94f |
--- /dev/null
|
|
|
e0f94f |
+++ b/tests/xlate/xlate.t.nft
|
|
|
e0f94f |
@@ -0,0 +1,56 @@
|
|
|
e0f94f |
+add table inet global
|
|
|
e0f94f |
+add set inet global hip1 { type ipv4_addr; }
|
|
|
e0f94f |
+add element inet global hip1 { 192.168.10.2 }
|
|
|
e0f94f |
+add element inet global hip1 { 192.168.10.3 }
|
|
|
e0f94f |
+add set inet global hip2 { type ipv4_addr; timeout 4s; }
|
|
|
e0f94f |
+add element inet global hip2 { 192.168.10.3 }
|
|
|
e0f94f |
+add element inet global hip2 { 192.168.10.4 timeout 10s }
|
|
|
e0f94f |
+add set inet global hip3 { type ipv4_addr; counter; }
|
|
|
e0f94f |
+add element inet global hip3 { 192.168.10.3 counter packets 5 bytes 3456 }
|
|
|
e0f94f |
+add set inet global hip4 { type ipv4_addr; flags interval; }
|
|
|
e0f94f |
+add element inet global hip4 { 192.168.10.0/24 }
|
|
|
e0f94f |
+add set inet global hip5 { type ipv4_addr; size 24; }
|
|
|
e0f94f |
+add element inet global hip5 { 192.168.10.0 }
|
|
|
e0f94f |
+add set inet global hip6 { type ipv4_addr; }
|
|
|
e0f94f |
+add element inet global hip5 { 192.168.10.1 }
|
|
|
e0f94f |
+add element inet global hip5 { 192.168.10.2 comment "this is a comment" }
|
|
|
e0f94f |
+add set inet global ipp1 { type ipv4_addr . inet_proto . inet_service; }
|
|
|
e0f94f |
+add element inet global ipp1 { 192.168.10.1 . tcp . 0 }
|
|
|
e0f94f |
+add element inet global ipp1 { 192.168.10.2 . tcp . 5 }
|
|
|
e0f94f |
+add set inet global ipp2 { type ipv4_addr . inet_proto . inet_service; timeout 4s; }
|
|
|
e0f94f |
+add element inet global ipp2 { 192.168.10.1 . tcp . 0 timeout 12s }
|
|
|
e0f94f |
+add element inet global ipp2 { 192.168.10.2 . tcp . 5 }
|
|
|
e0f94f |
+add set inet global ipp3 { type ipv4_addr . inet_proto . inet_service; counter; }
|
|
|
e0f94f |
+add element inet global ipp3 { 192.168.10.3 . tcp . 20 counter packets 5 bytes 3456 }
|
|
|
e0f94f |
+add set inet global ipp4 { type ipv4_addr . inet_proto . inet_service; counter; timeout 4s; }
|
|
|
e0f94f |
+add element inet global ipp4 { 192.168.10.3 . tcp . 20 counter packets 5 bytes 3456 }
|
|
|
e0f94f |
+add set inet global bip1 { type ipv4_addr; timeout 5s; }
|
|
|
e0f94f |
+add set inet global bip2 { type ipv4_addr; timeout 5s; flags interval; }
|
|
|
e0f94f |
+add element inet global bip2 { 10.10.10.0/24 }
|
|
|
e0f94f |
+add element inet global bip2 { 10.10.20.0/24 timeout 12s }
|
|
|
e0f94f |
+add set inet global net1 { type ipv4_addr; flags interval; }
|
|
|
e0f94f |
+add element inet global net1 { 192.168.10.0/24 }
|
|
|
e0f94f |
+add set inet global net2 { type ipv4_addr . ipv4_addr; flags interval; }
|
|
|
e0f94f |
+add element inet global net2 { 192.168.10.0/24 . 192.168.20.0/24 }
|
|
|
e0f94f |
+add set inet global hm1 { type ether_addr; }
|
|
|
e0f94f |
+add element inet global hm1 { aa:bb:cc:dd:ee:ff }
|
|
|
e0f94f |
+add set inet global him1 { type ipv4_addr . ether_addr; }
|
|
|
e0f94f |
+add element inet global him1 { 1.1.1.1 . aa:bb:cc:dd:ee:ff }
|
|
|
e0f94f |
+add set inet global ni1 { type ipv4_addr . ifname; flags interval; }
|
|
|
e0f94f |
+add element inet global ni1 { 1.1.1.0/24 . eth0 }
|
|
|
e0f94f |
+add set inet global nip1 { type ipv4_addr . inet_proto . inet_service; flags interval; }
|
|
|
e0f94f |
+add element inet global nip1 { 1.1.1.0/24 . tcp . 22 }
|
|
|
e0f94f |
+add set inet global npn1 { type ipv4_addr . inet_proto . inet_service . ipv4_addr; flags interval; }
|
|
|
e0f94f |
+add element inet global npn1 { 1.1.1.0/24 . tcp . 22 . 2.2.2.0/24 }
|
|
|
e0f94f |
+add set inet global nn1 { type ipv4_addr . ipv4_addr; flags interval; }
|
|
|
e0f94f |
+add element inet global nn1 { 1.1.1.0/24 . 2.2.2.0/24 }
|
|
|
e0f94f |
+add set inet global ipn1 { type ipv4_addr . inet_proto . inet_service . ipv4_addr; flags interval; }
|
|
|
e0f94f |
+add element inet global ipn1 { 1.1.1.1 . tcp . 22 . 2.2.2.0/24 }
|
|
|
e0f94f |
+add set inet global ipi1 { type ipv4_addr . inet_proto . inet_service . ipv4_addr; }
|
|
|
e0f94f |
+add element inet global ipi1 { 1.1.1.1 . tcp . 22 . 2.2.2.2 }
|
|
|
e0f94f |
+add set inet global im1 { type ipv4_addr . mark; }
|
|
|
e0f94f |
+add element inet global im1 { 1.1.1.1 . 0x00123456 }
|
|
|
e0f94f |
+add set inet global bp1 { type inet_service; }
|
|
|
e0f94f |
+add element inet global bp1 { 22 }
|
|
|
e0f94f |
+add set inet global bim1 { type ipv4_addr . ether_addr; }
|
|
|
e0f94f |
+add element inet global bim1 { 1.1.1.1 . aa:bb:cc:dd:ee:ff }
|
|
|
e0f94f |
--
|
|
|
e0f94f |
2.38.0
|
|
|
e0f94f |
|