selftests: netfilter: Extend nft_audit.sh
Add tests for sets and elements and for deletion of all kinds. Also reorder the rule reset tests: by moving the bulk rule add command up, the two 'reset rules' tests become identical. While at it, fix a failing bulk rule add test's error status getting lost due to its use in a pipe; avoid this by using a temporary file. Headings in the diff output of failing tests contain no useful data, so strip them. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
parent
cf791b22be
commit
203bb9d398
@ -12,10 +12,11 @@ nft --version >/dev/null 2>&1 || {
|
|||||||
}
|
}
|
||||||
|
|
||||||
logfile=$(mktemp)
|
logfile=$(mktemp)
|
||||||
|
rulefile=$(mktemp)
|
||||||
echo "logging into $logfile"
|
echo "logging into $logfile"
|
||||||
./audit_logread >"$logfile" &
|
./audit_logread >"$logfile" &
|
||||||
logread_pid=$!
|
logread_pid=$!
|
||||||
trap 'kill $logread_pid; rm -f $logfile' EXIT
|
trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT
|
||||||
exec 3<"$logfile"
|
exec 3<"$logfile"
|
||||||
|
|
||||||
do_test() { # (cmd, log)
|
do_test() { # (cmd, log)
|
||||||
@ -26,12 +27,14 @@ do_test() { # (cmd, log)
|
|||||||
res=$(diff -a -u <(echo "$2") - <&3)
|
res=$(diff -a -u <(echo "$2") - <&3)
|
||||||
[ $? -eq 0 ] && { echo "OK"; return; }
|
[ $? -eq 0 ] && { echo "OK"; return; }
|
||||||
echo "FAIL"
|
echo "FAIL"
|
||||||
echo "$res"
|
grep -v '^\(---\|+++\|@@\)' <<< "$res"
|
||||||
((RC++))
|
((RC--))
|
||||||
}
|
}
|
||||||
|
|
||||||
nft flush ruleset
|
nft flush ruleset
|
||||||
|
|
||||||
|
# adding tables, chains and rules
|
||||||
|
|
||||||
for table in t1 t2; do
|
for table in t1 t2; do
|
||||||
do_test "nft add table $table" \
|
do_test "nft add table $table" \
|
||||||
"table=$table family=2 entries=1 op=nft_register_table"
|
"table=$table family=2 entries=1 op=nft_register_table"
|
||||||
@ -62,6 +65,28 @@ for table in t1 t2; do
|
|||||||
"table=$table family=2 entries=6 op=nft_register_rule"
|
"table=$table family=2 entries=6 op=nft_register_rule"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
for ((i = 0; i < 500; i++)); do
|
||||||
|
echo "add rule t2 c3 counter accept comment \"rule $i\""
|
||||||
|
done >$rulefile
|
||||||
|
do_test "nft -f $rulefile" \
|
||||||
|
'table=t2 family=2 entries=500 op=nft_register_rule'
|
||||||
|
|
||||||
|
# adding sets and elements
|
||||||
|
|
||||||
|
settype='type inet_service; counter'
|
||||||
|
setelem='{ 22, 80, 443 }'
|
||||||
|
setblock="{ $settype; elements = $setelem; }"
|
||||||
|
do_test "nft add set t1 s $setblock" \
|
||||||
|
"table=t1 family=2 entries=4 op=nft_register_set"
|
||||||
|
|
||||||
|
do_test "nft add set t1 s2 $setblock; add set t1 s3 { $settype; }" \
|
||||||
|
"table=t1 family=2 entries=5 op=nft_register_set"
|
||||||
|
|
||||||
|
do_test "nft add element t1 s3 $setelem" \
|
||||||
|
"table=t1 family=2 entries=3 op=nft_register_setelem"
|
||||||
|
|
||||||
|
# resetting rules
|
||||||
|
|
||||||
do_test 'nft reset rules t1 c2' \
|
do_test 'nft reset rules t1 c2' \
|
||||||
'table=t1 family=2 entries=3 op=nft_reset_rule'
|
'table=t1 family=2 entries=3 op=nft_reset_rule'
|
||||||
|
|
||||||
@ -70,19 +95,6 @@ do_test 'nft reset rules table t1' \
|
|||||||
table=t1 family=2 entries=3 op=nft_reset_rule
|
table=t1 family=2 entries=3 op=nft_reset_rule
|
||||||
table=t1 family=2 entries=3 op=nft_reset_rule'
|
table=t1 family=2 entries=3 op=nft_reset_rule'
|
||||||
|
|
||||||
do_test 'nft reset rules' \
|
|
||||||
'table=t1 family=2 entries=3 op=nft_reset_rule
|
|
||||||
table=t1 family=2 entries=3 op=nft_reset_rule
|
|
||||||
table=t1 family=2 entries=3 op=nft_reset_rule
|
|
||||||
table=t2 family=2 entries=3 op=nft_reset_rule
|
|
||||||
table=t2 family=2 entries=3 op=nft_reset_rule
|
|
||||||
table=t2 family=2 entries=3 op=nft_reset_rule'
|
|
||||||
|
|
||||||
for ((i = 0; i < 500; i++)); do
|
|
||||||
echo "add rule t2 c3 counter accept comment \"rule $i\""
|
|
||||||
done | do_test 'nft -f -' \
|
|
||||||
'table=t2 family=2 entries=500 op=nft_register_rule'
|
|
||||||
|
|
||||||
do_test 'nft reset rules t2 c3' \
|
do_test 'nft reset rules t2 c3' \
|
||||||
'table=t2 family=2 entries=189 op=nft_reset_rule
|
'table=t2 family=2 entries=189 op=nft_reset_rule
|
||||||
table=t2 family=2 entries=188 op=nft_reset_rule
|
table=t2 family=2 entries=188 op=nft_reset_rule
|
||||||
@ -105,4 +117,57 @@ table=t2 family=2 entries=180 op=nft_reset_rule
|
|||||||
table=t2 family=2 entries=188 op=nft_reset_rule
|
table=t2 family=2 entries=188 op=nft_reset_rule
|
||||||
table=t2 family=2 entries=135 op=nft_reset_rule'
|
table=t2 family=2 entries=135 op=nft_reset_rule'
|
||||||
|
|
||||||
|
# resetting sets and elements
|
||||||
|
|
||||||
|
elem=(22 ,80 ,443)
|
||||||
|
relem=""
|
||||||
|
for i in {1..3}; do
|
||||||
|
relem+="${elem[((i - 1))]}"
|
||||||
|
do_test "nft reset element t1 s { $relem }" \
|
||||||
|
"table=t1 family=2 entries=$i op=nft_reset_setelem"
|
||||||
|
done
|
||||||
|
|
||||||
|
do_test 'nft reset set t1 s' \
|
||||||
|
'table=t1 family=2 entries=3 op=nft_reset_setelem'
|
||||||
|
|
||||||
|
# deleting rules
|
||||||
|
|
||||||
|
readarray -t handles < <(nft -a list chain t1 c1 | \
|
||||||
|
sed -n 's/.*counter.* handle \(.*\)$/\1/p')
|
||||||
|
|
||||||
|
do_test "nft delete rule t1 c1 handle ${handles[0]}" \
|
||||||
|
'table=t1 family=2 entries=1 op=nft_unregister_rule'
|
||||||
|
|
||||||
|
cmd='delete rule t1 c1 handle'
|
||||||
|
do_test "nft $cmd ${handles[1]}; $cmd ${handles[2]}" \
|
||||||
|
'table=t1 family=2 entries=2 op=nft_unregister_rule'
|
||||||
|
|
||||||
|
do_test 'nft flush chain t1 c2' \
|
||||||
|
'table=t1 family=2 entries=3 op=nft_unregister_rule'
|
||||||
|
|
||||||
|
do_test 'nft flush table t2' \
|
||||||
|
'table=t2 family=2 entries=509 op=nft_unregister_rule'
|
||||||
|
|
||||||
|
# deleting chains
|
||||||
|
|
||||||
|
do_test 'nft delete chain t2 c2' \
|
||||||
|
'table=t2 family=2 entries=1 op=nft_unregister_chain'
|
||||||
|
|
||||||
|
# deleting sets and elements
|
||||||
|
|
||||||
|
do_test 'nft delete element t1 s { 22 }' \
|
||||||
|
'table=t1 family=2 entries=1 op=nft_unregister_setelem'
|
||||||
|
|
||||||
|
do_test 'nft delete element t1 s { 80, 443 }' \
|
||||||
|
'table=t1 family=2 entries=2 op=nft_unregister_setelem'
|
||||||
|
|
||||||
|
do_test 'nft flush set t1 s2' \
|
||||||
|
'table=t1 family=2 entries=3 op=nft_unregister_setelem'
|
||||||
|
|
||||||
|
do_test 'nft delete set t1 s2' \
|
||||||
|
'table=t1 family=2 entries=1 op=nft_unregister_set'
|
||||||
|
|
||||||
|
do_test 'nft delete set t1 s3' \
|
||||||
|
'table=t1 family=2 entries=1 op=nft_unregister_set'
|
||||||
|
|
||||||
exit $RC
|
exit $RC
|
||||||
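Review bot: The `((RC++))` to `((RC--))` change in do_test is not covered by the description, and if RC starts at 0 (its initialisation is outside the hunk) every failure now drives `exit $RC` negative, which bash reports as 255, 254, …, so a harness that expects 1 for failure or reads the failure count from the status sees a different code than before. If the intent was to avoid the non-zero status that `((RC++))` yields when RC is 0, `((RC--))` has the same property, so `RC=$((RC + 1))` would be the explicit fix; either way the change deserves a sentence in the commit message or a comment such as `# count failures; reported via exit $RC below`. Separately, the new `readarray -t handles` block assumes the sed expression extracts at least three rule handles; with fewer, `${handles[1]}` and `${handles[2]}` expand to nothing and the `delete rule … handle` commands fail for a reason unrelated to audit logging, so a guard like `[ "${#handles[@]}" -ge 3 ] || { echo "FAIL: expected 3 rule handles in t1 c1" >&2; exit 1; }` right after the readarray would make that failure self-explanatory.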
|