selftests: netfilter: Extend nft_audit.sh
Add tests for sets and elements and deletion of all kinds. Also reorder rule reset tests: By moving the bulk rule add command up, the two 'reset rules' tests become identical. While at it, fix for a failing bulk rule add test's error status getting lost due to its use in a pipe. Avoid this by using a temporary file. Headings in diff output for failing tests contain no useful data, strip them. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
This commit is contained in:
parent
cf791b22be
commit
203bb9d398
|
@ -12,10 +12,11 @@ nft --version >/dev/null 2>&1 || {
|
|||
}
|
||||
|
||||
logfile=$(mktemp)
|
||||
rulefile=$(mktemp)
|
||||
echo "logging into $logfile"
|
||||
./audit_logread >"$logfile" &
|
||||
logread_pid=$!
|
||||
trap 'kill $logread_pid; rm -f $logfile' EXIT
|
||||
trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT
|
||||
exec 3<"$logfile"
|
||||
|
||||
do_test() { # (cmd, log)
|
||||
|
@ -26,12 +27,14 @@ do_test() { # (cmd, log)
|
|||
res=$(diff -a -u <(echo "$2") - <&3)
|
||||
[ $? -eq 0 ] && { echo "OK"; return; }
|
||||
echo "FAIL"
|
||||
echo "$res"
|
||||
((RC++))
|
||||
grep -v '^\(---\|+++\|@@\)' <<< "$res"
|
||||
((RC--))
|
||||
}
|
||||
|
||||
nft flush ruleset
|
||||
|
||||
# adding tables, chains and rules
|
||||
|
||||
for table in t1 t2; do
|
||||
do_test "nft add table $table" \
|
||||
"table=$table family=2 entries=1 op=nft_register_table"
|
||||
|
@ -62,6 +65,28 @@ for table in t1 t2; do
|
|||
"table=$table family=2 entries=6 op=nft_register_rule"
|
||||
done
|
||||
|
||||
for ((i = 0; i < 500; i++)); do
|
||||
echo "add rule t2 c3 counter accept comment \"rule $i\""
|
||||
done >$rulefile
|
||||
do_test "nft -f $rulefile" \
|
||||
'table=t2 family=2 entries=500 op=nft_register_rule'
|
||||
|
||||
# adding sets and elements
|
||||
|
||||
settype='type inet_service; counter'
|
||||
setelem='{ 22, 80, 443 }'
|
||||
setblock="{ $settype; elements = $setelem; }"
|
||||
do_test "nft add set t1 s $setblock" \
|
||||
"table=t1 family=2 entries=4 op=nft_register_set"
|
||||
|
||||
do_test "nft add set t1 s2 $setblock; add set t1 s3 { $settype; }" \
|
||||
"table=t1 family=2 entries=5 op=nft_register_set"
|
||||
|
||||
do_test "nft add element t1 s3 $setelem" \
|
||||
"table=t1 family=2 entries=3 op=nft_register_setelem"
|
||||
|
||||
# resetting rules
|
||||
|
||||
do_test 'nft reset rules t1 c2' \
|
||||
'table=t1 family=2 entries=3 op=nft_reset_rule'
|
||||
|
||||
|
@ -70,19 +95,6 @@ do_test 'nft reset rules table t1' \
|
|||
table=t1 family=2 entries=3 op=nft_reset_rule
|
||||
table=t1 family=2 entries=3 op=nft_reset_rule'
|
||||
|
||||
do_test 'nft reset rules' \
|
||||
'table=t1 family=2 entries=3 op=nft_reset_rule
|
||||
table=t1 family=2 entries=3 op=nft_reset_rule
|
||||
table=t1 family=2 entries=3 op=nft_reset_rule
|
||||
table=t2 family=2 entries=3 op=nft_reset_rule
|
||||
table=t2 family=2 entries=3 op=nft_reset_rule
|
||||
table=t2 family=2 entries=3 op=nft_reset_rule'
|
||||
|
||||
for ((i = 0; i < 500; i++)); do
|
||||
echo "add rule t2 c3 counter accept comment \"rule $i\""
|
||||
done | do_test 'nft -f -' \
|
||||
'table=t2 family=2 entries=500 op=nft_register_rule'
|
||||
|
||||
do_test 'nft reset rules t2 c3' \
|
||||
'table=t2 family=2 entries=189 op=nft_reset_rule
|
||||
table=t2 family=2 entries=188 op=nft_reset_rule
|
||||
|
@ -105,4 +117,57 @@ table=t2 family=2 entries=180 op=nft_reset_rule
|
|||
table=t2 family=2 entries=188 op=nft_reset_rule
|
||||
table=t2 family=2 entries=135 op=nft_reset_rule'
|
||||
|
||||
# resetting sets and elements
|
||||
|
||||
elem=(22 ,80 ,443)
|
||||
relem=""
|
||||
for i in {1..3}; do
|
||||
relem+="${elem[((i - 1))]}"
|
||||
do_test "nft reset element t1 s { $relem }" \
|
||||
"table=t1 family=2 entries=$i op=nft_reset_setelem"
|
||||
done
|
||||
|
||||
do_test 'nft reset set t1 s' \
|
||||
'table=t1 family=2 entries=3 op=nft_reset_setelem'
|
||||
|
||||
# deleting rules
|
||||
|
||||
readarray -t handles < <(nft -a list chain t1 c1 | \
|
||||
sed -n 's/.*counter.* handle \(.*\)$/\1/p')
|
||||
|
||||
do_test "nft delete rule t1 c1 handle ${handles[0]}" \
|
||||
'table=t1 family=2 entries=1 op=nft_unregister_rule'
|
||||
|
||||
cmd='delete rule t1 c1 handle'
|
||||
do_test "nft $cmd ${handles[1]}; $cmd ${handles[2]}" \
|
||||
'table=t1 family=2 entries=2 op=nft_unregister_rule'
|
||||
|
||||
do_test 'nft flush chain t1 c2' \
|
||||
'table=t1 family=2 entries=3 op=nft_unregister_rule'
|
||||
|
||||
do_test 'nft flush table t2' \
|
||||
'table=t2 family=2 entries=509 op=nft_unregister_rule'
|
||||
|
||||
# deleting chains
|
||||
|
||||
do_test 'nft delete chain t2 c2' \
|
||||
'table=t2 family=2 entries=1 op=nft_unregister_chain'
|
||||
|
||||
# deleting sets and elements
|
||||
|
||||
do_test 'nft delete element t1 s { 22 }' \
|
||||
'table=t1 family=2 entries=1 op=nft_unregister_setelem'
|
||||
|
||||
do_test 'nft delete element t1 s { 80, 443 }' \
|
||||
'table=t1 family=2 entries=2 op=nft_unregister_setelem'
|
||||
|
||||
do_test 'nft flush set t1 s2' \
|
||||
'table=t1 family=2 entries=3 op=nft_unregister_setelem'
|
||||
|
||||
do_test 'nft delete set t1 s2' \
|
||||
'table=t1 family=2 entries=1 op=nft_unregister_set'
|
||||
|
||||
do_test 'nft delete set t1 s3' \
|
||||
'table=t1 family=2 entries=1 op=nft_unregister_set'
|
||||
|
||||
exit $RC
|
||||
|
|
Loading…
Reference in New Issue