File: single_flag

#!/bin/bash
#
# Test various "flags" properties in JSON syntax:
# - single item arrays are abbreviated as non-array in output
# - both non-array and single item array accepted in input
# - single and multiple item values are correctly printed in output and
#   recognized in input (checked against standard syntax input/output)

# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist)

# Stop at the first failing command, so a failing nft call or a diff mismatch
# in the helpers below ends the test with a non-zero status.
set -o errexit

# Filter for JSON ruleset listings (stdin -> stdout) that makes them comparable
# with a fixed expected string:
#   - removes the first '{"metainfo": {...}}, ' element on each line
#   - rewrites the number after every "handle": to 0
json_sanitize() {
	local drop_metainfo='s/{"metainfo": {[^}]*}}, //'
	local zero_handles='s/\("handle":\) [0-9]*/\1 0/g'

	sed -e "$drop_metainfo" -e "$zero_handles"
}
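# Round-trip one ruleset between standard and JSON syntax.
#
# Arguments: $1 - ruleset in standard syntax
#            $2 - expected JSON listing of the same ruleset, in the form
#                 produced by `$NFT -j list ruleset | json_sanitize`
# Globals:   NFT (read) - expanded unquoted, so it is word-split before use
# Outputs:   unified diffs on stdout when a listing differs from the
#            expectation; labels carry the caller's line number
# Returns:   status of the final diff. With `set -e` active, as in this
#            script, the first failing nft call or diff ends the run.
#
# Both halves start with `flush ruleset`, which clears the whole ruleset that
# $NFT operates on, not only table "t".
# NOTE(review): assumes the test harness points $NFT at a disposable network
# namespace - confirm before running this script by hand on a host with a
# live firewall.
back_n_forth() { # (std, json)
	local std=$1 json=$2
	local caller_line=${BASH_LINENO[0]}

	# standard syntax in, JSON listing out
	$NFT flush ruleset
	$NFT -f - <<< "$std"
	# printf instead of echo: expected text is compared verbatim even if it
	# begins with something echo would parse as an option (-n, -e).
	diff --label "line $caller_line: JSON output" \
	     --label "line $caller_line: JSON expect" \
	     -u <($NFT -j list ruleset | json_sanitize) <(printf '%s\n' "$json")

	# JSON in, standard syntax listing out
	$NFT flush ruleset
	$NFT -j -f - <<< "$json"
	diff --label "line $caller_line: std output" \
	     --label "line $caller_line: std expect" \
	     -u <($NFT list ruleset) <(printf '%s\n' "$std")
}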
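# Load a JSON ruleset and check that listing it back yields the expected JSON.
#
# Arguments: $1 - JSON ruleset to load with `$NFT -j -f -`
#            $2 - expected result of `$NFT -j list ruleset | json_sanitize`
# Globals:   NFT (read) - expanded unquoted, so it is word-split before use
# Outputs:   a unified diff on stdout when the listing differs; labels carry
#            the caller's line number
# Returns:   status of the diff. With `set -e` active, as in this script, a
#            failing nft call or a mismatch ends the run.
#
# `flush ruleset` clears the whole ruleset that $NFT operates on.
# NOTE(review): assumes the test harness points $NFT at a disposable network
# namespace - confirm before running this script by hand.
json_equiv() { # (json_in, json_out)
	local json_in=$1 json_out=$2
	local caller_line=${BASH_LINENO[0]}

	$NFT flush ruleset
	$NFT -j -f - <<< "$json_in"
	# printf instead of echo: expected text is compared verbatim even if it
	# begins with something echo would parse as an option (-n, -e).
	diff --label "line $caller_line: JSON equiv output" \
	     --label "line $caller_line: JSON equiv expect" \
	     -u <($NFT -j list ruleset | json_sanitize) <(printf '%s\n' "$json_out")
}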

#
# test table flags
#

# One-flag fixtures: standard syntax, and JSON with "flags" as a bare string.
STD_TABLE_1="table ip t {
	flags dormant
}"
JSON_TABLE_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0, "flags": "dormant"}}]}'

# Same JSON with the "flags" value wrapped in a one-element array.
JSON_TABLE_1_EQUIV=$(printf '%s\n' "$JSON_TABLE_1" |
	sed 's/\("flags": \)\([^}]*\)/\1[\2]/')

# Two-flag fixtures, derived by appending "persist" to the one-flag ones.
STD_TABLE_2=$(printf '%s\n' "$STD_TABLE_1" | sed 's/flags dormant/&,persist/')
JSON_TABLE_2=$(printf '%s\n' "$JSON_TABLE_1_EQUIV" |
	sed 's/"dormant"/&, "persist"/')

# The array form is the expected JSON listing for both one-flag inputs.
back_n_forth "$STD_TABLE_1" "$JSON_TABLE_1_EQUIV"
json_equiv "$JSON_TABLE_1" "$JSON_TABLE_1_EQUIV"
back_n_forth "$STD_TABLE_2" "$JSON_TABLE_2"

#
# test set flags
#

# One-flag fixtures: standard syntax, and JSON with "flags" as a bare string.
STD_SET_1="table ip t {
	set s {
		type inet_proto
		flags interval
	}
}"
JSON_SET_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"set": {"family": "ip", "name": "s", "table": "t", "type": "inet_proto", "handle": 0, "flags": "interval"}}]}'

# Same JSON with the "flags" value wrapped in a one-element array.
JSON_SET_1_EQUIV=$(printf '%s\n' "$JSON_SET_1" |
	sed 's/\("flags": \)\([^}]*\)/\1[\2]/')

# Two-flag fixtures, derived by appending "timeout" to the one-flag ones.
STD_SET_2=$(printf '%s\n' "$STD_SET_1" | sed 's/flags interval/&,timeout/')
JSON_SET_2=$(printf '%s\n' "$JSON_SET_1_EQUIV" |
	sed 's/"interval"/&, "timeout"/')

# The array form is the expected JSON listing for both one-flag inputs.
back_n_forth "$STD_SET_1" "$JSON_SET_1_EQUIV"
json_equiv "$JSON_SET_1" "$JSON_SET_1_EQUIV"
back_n_forth "$STD_SET_2" "$JSON_SET_2"

#
# test fib expression flags
#

# One-flag fixtures: standard syntax, and JSON with "flags" as a bare string.
STD_FIB_1="table ip t {
	chain c {
		fib saddr check exists
	}
}"
JSON_FIB_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"fib": {"result": "oif", "flags": "saddr"}}, "right": true}}]}}]}'

# Same JSON with the "flags" value wrapped in a one-element array.
JSON_FIB_1_EQUIV=$(printf '%s\n' "$JSON_FIB_1" |
	sed 's/\("flags": \)\([^}]*\)/\1[\2]/')

# Two-flag fixtures, derived by appending "iif" to the one-flag ones.
STD_FIB_2=$(printf '%s\n' "$STD_FIB_1" | sed 's/fib saddr/& . iif/')
JSON_FIB_2=$(printf '%s\n' "$JSON_FIB_1_EQUIV" | sed 's/"saddr"/&, "iif"/')

# The array form is the expected JSON listing for both one-flag inputs.
back_n_forth "$STD_FIB_1" "$JSON_FIB_1_EQUIV"
json_equiv "$JSON_FIB_1" "$JSON_FIB_1_EQUIV"
back_n_forth "$STD_FIB_2" "$JSON_FIB_2"

#
# test nat statement flags
#

# One-flag fixtures: standard syntax, and JSON with "flags" as a bare string.
STD_NAT_1="table ip t {
	chain c {
		dnat to 192.168.0.0/24 persistent
	}
}"
JSON_NAT_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"dnat": {"addr": {"prefix": {"addr": "192.168.0.0", "len": 24}}, "flags": "persistent"}}]}}]}'

# Same JSON with the "flags" value wrapped in a one-element array.
JSON_NAT_1_EQUIV=$(printf '%s\n' "$JSON_NAT_1" |
	sed 's/\("flags": \)\([^}]*\)/\1[\2]/')

# Two-flag fixtures, derived by putting "random" in front of "persistent".
STD_NAT_2=$(printf '%s\n' "$STD_NAT_1" | sed 's/persistent/random,&/')
JSON_NAT_2=$(printf '%s\n' "$JSON_NAT_1_EQUIV" |
	sed 's/"persistent"/"random", &/')

# The array form is the expected JSON listing for both one-flag inputs.
back_n_forth "$STD_NAT_1" "$JSON_NAT_1_EQUIV"
json_equiv "$JSON_NAT_1" "$JSON_NAT_1_EQUIV"
back_n_forth "$STD_NAT_2" "$JSON_NAT_2"

#
# test log statement flags
#

# One-flag fixtures: standard syntax, and JSON with "flags" as a bare string.
STD_LOG_1="table ip t {
	chain c {
		log flags tcp sequence
	}
}"
JSON_LOG_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"log": {"flags": "tcp sequence"}}]}}]}'

# Same JSON with the "flags" value wrapped in a one-element array.
JSON_LOG_1_EQUIV=$(printf '%s\n' "$JSON_LOG_1" |
	sed 's/\("flags": \)\([^}]*\)/\1[\2]/')

# Two-flag fixtures: "options" in standard syntax, "tcp options" in JSON.
STD_LOG_2=$(printf '%s\n' "$STD_LOG_1" | sed 's/tcp sequence/&,options/')
JSON_LOG_2=$(printf '%s\n' "$JSON_LOG_1_EQUIV" |
	sed 's/"tcp sequence"/&, "tcp options"/')

# The array form is the expected JSON listing for both one-flag inputs.
back_n_forth "$STD_LOG_1" "$JSON_LOG_1_EQUIV"
json_equiv "$JSON_LOG_1" "$JSON_LOG_1_EQUIV"
back_n_forth "$STD_LOG_2" "$JSON_LOG_2"

#
# test synproxy statement flags
#

# One-flag fixtures: standard syntax, and JSON with "flags" as a bare string.
STD_SYNPROXY_1="table ip t {
	chain c {
		synproxy sack-perm
	}
}"
JSON_SYNPROXY_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"synproxy": {"flags": "sack-perm"}}]}}]}'

# Same JSON with the "flags" value wrapped in a one-element array.
JSON_SYNPROXY_1_EQUIV=$(printf '%s\n' "$JSON_SYNPROXY_1" |
	sed 's/\("flags": \)\([^}]*\)/\1[\2]/')

# Two-flag fixtures, derived by putting "timestamp" in front of "sack-perm".
STD_SYNPROXY_2=$(printf '%s\n' "$STD_SYNPROXY_1" |
	sed 's/sack-perm/timestamp &/')
JSON_SYNPROXY_2=$(printf '%s\n' "$JSON_SYNPROXY_1_EQUIV" |
	sed 's/"sack-perm"/"timestamp", &/')

# The array form is the expected JSON listing for both one-flag inputs.
back_n_forth "$STD_SYNPROXY_1" "$JSON_SYNPROXY_1_EQUIV"
json_equiv "$JSON_SYNPROXY_1" "$JSON_SYNPROXY_1_EQUIV"
back_n_forth "$STD_SYNPROXY_2" "$JSON_SYNPROXY_2"

#
# test synproxy object flags
#

# One-flag fixtures: standard syntax, and JSON with "flags" as a bare string.
# The flag line in the standard form carries an extra leading space.
STD_SYNPROXY_OBJ_1="table ip t {
	synproxy s {
		mss 1280
		wscale 64
		 sack-perm
	}
}"
JSON_SYNPROXY_OBJ_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"synproxy": {"family": "ip", "name": "s", "table": "t", "handle": 0, "mss": 1280, "wscale": 64, "flags": "sack-perm"}}]}'

# Same JSON with the "flags" value wrapped in a one-element array.
JSON_SYNPROXY_OBJ_1_EQUIV=$(printf '%s\n' "$JSON_SYNPROXY_OBJ_1" |
	sed 's/\("flags": \)\([^}]*\)/\1[\2]/')

# Two-flag fixtures; in the standard form "timestamp" replaces the extra
# leading space in front of "sack-perm".
STD_SYNPROXY_OBJ_2=$(printf '%s\n' "$STD_SYNPROXY_OBJ_1" |
	sed 's/ sack-perm/timestamp sack-perm/')
JSON_SYNPROXY_OBJ_2=$(printf '%s\n' "$JSON_SYNPROXY_OBJ_1_EQUIV" |
	sed 's/"sack-perm"/"timestamp", &/')

# The array form is the expected JSON listing for both one-flag inputs.
back_n_forth "$STD_SYNPROXY_OBJ_1" "$JSON_SYNPROXY_OBJ_1_EQUIV"
json_equiv "$JSON_SYNPROXY_OBJ_1" "$JSON_SYNPROXY_OBJ_1_EQUIV"
back_n_forth "$STD_SYNPROXY_OBJ_2" "$JSON_SYNPROXY_OBJ_2"

#
# test queue statement flags
#

# One-flag fixtures: standard syntax, and JSON with "flags" as a bare string.
STD_QUEUE_1="table ip t {
	chain c {
		queue flags bypass to 1-10
	}
}"
JSON_QUEUE_1='{"nftables": [{"table": {"family": "ip", "name": "t", "handle": 0}}, {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}, {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"queue": {"num": {"range": [1, 10]}, "flags": "bypass"}}]}}]}'

# Same JSON with the "flags" value wrapped in a one-element array.
JSON_QUEUE_1_EQUIV=$(printf '%s\n' "$JSON_QUEUE_1" |
	sed 's/\("flags": \)\([^}]*\)/\1[\2]/')

# Two-flag fixtures, derived by appending "fanout" to the one-flag ones.
STD_QUEUE_2=$(printf '%s\n' "$STD_QUEUE_1" | sed 's/bypass/&,fanout/')
JSON_QUEUE_2=$(printf '%s\n' "$JSON_QUEUE_1_EQUIV" |
	sed 's/"bypass"/&, "fanout"/')

# The array form is the expected JSON listing for both one-flag inputs.
back_n_forth "$STD_QUEUE_1" "$JSON_QUEUE_1_EQUIV"
json_equiv "$JSON_QUEUE_1" "$JSON_QUEUE_1_EQUIV"
back_n_forth "$STD_QUEUE_2" "$JSON_QUEUE_2"