From b5306bc11d2b5acfbd2a7166d3b7a94987c6aa8a Mon Sep 17 00:00:00 2001
From: Alexis PIRES
Date: Mon, 13 Jan 2020 14:36:38 +0100
Subject: [PATCH] merge master
---
 rule_test.go | 148 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 148 insertions(+)
diff --git a/rule_test.go b/rule_test.go
index 104a237..057b875 100644
--- a/rule_test.go
+++ b/rule_test.go
@@ -142,3 +142,151 @@ func TestAddRuleWithPosition(t *testing.T) {
 t.Fatal(err)
 }
 }
+
+func TestRuleOperations(t *testing.T) {
+
+ // Create a new network namespace to test these operations,
+ // and tear down the namespace at test completion.
+ c, newNS := openSystemNFTConn(t)
+ defer cleanupSystemNFTConn(t, newNS)
+ // Clear all rules at the beginning + end of the test.
+ c.FlushRuleset()
+ defer c.FlushRuleset()
+
+ filter := c.AddTable(&nftables.Table{
+ Family: nftables.TableFamilyIPv4,
+ Name: "filter",
+ })
+
+ prerouting := c.AddChain(&nftables.Chain{
+ Name: "base-chain",
+ Table: filter,
+ Type: nftables.ChainTypeFilter,
+ Hooknum: nftables.ChainHookPrerouting,
+ Priority: nftables.ChainPriorityFilter,
+ })
+
+ c.AddRule(&nftables.Rule{
+ Table: filter,
+ Chain: prerouting,
+ Exprs: []expr.Any{
+ &expr.Verdict{
+ // [ immediate reg 0 drop ]
+ Kind: expr.VerdictDrop,
+ },
+ },
+ })
+
+ c.AddRule(&nftables.Rule{
+ Table: filter,
+ Chain: prerouting,
+ Exprs: []expr.Any{
+ &expr.Verdict{
+ // [ immediate reg 0 drop ]
+ Kind: expr.VerdictDrop,
+ },
+ },
+ })
+
+ c.InsertRule(&nftables.Rule{
+ Table: filter,
+ Chain: prerouting,
+ Exprs: []expr.Any{
+ &expr.Verdict{
+ // [ immediate reg 0 accept ]
+ Kind: expr.VerdictAccept,
+ },
+ },
+ })
+
+ c.InsertRule(&nftables.Rule{
+ Table: filter,
+ Chain: prerouting,
+ Exprs: []expr.Any{
+ &expr.Verdict{
+ // [ immediate reg 0 queue ]
+ Kind: expr.VerdictQueue,
+ },
+ },
+ })
+
+ if err := c.Flush(); err != nil {
+ t.Fatal(err)
+ }
+
+ rules, _ := c.GetRule(filter, prerouting)
+
+ want := []expr.VerdictKind{
+ expr.VerdictQueue,
+ expr.VerdictAccept,
+ expr.VerdictDrop,
+ expr.VerdictDrop,
+ }
+
+ for i, r := range rules {
+ rr, _ := r.Exprs[0].(*expr.Verdict)
+
+ if rr.Kind != want[i] {
+ t.Fatalf("bad verdict kind at %d", i)
+ }
+ }
+
+ c.ReplaceRule(&nftables.Rule{
+ Table: filter,
+ Chain: prerouting,
+ Handle: rules[2].Handle,
+ Exprs: []expr.Any{
+ &expr.Verdict{
+ // [ immediate reg 0 accept ]
+ Kind: expr.VerdictAccept,
+ },
+ },
+ })
+
+ c.AddRule(&nftables.Rule{
+ Table: filter,
+ Chain: prerouting,
+ Position: rules[2].Handle,
+ Exprs: []expr.Any{
+ &expr.Verdict{
+ // [ immediate reg 0 drop ]
+ Kind: expr.VerdictDrop,
+ },
+ },
+ })
+
+ c.InsertRule(&nftables.Rule{
+ Table: filter,
+ Chain: prerouting,
+ Position: rules[2].Handle,
+ Exprs: []expr.Any{
+ &expr.Verdict{
+ // [ immediate reg 0 queue ]
+ Kind: expr.VerdictQueue,
+ },
+ },
+ })
+
+ if err := c.Flush(); err != nil {
+ t.Fatal(err)
+ }
+
+ rules, _ = c.GetRule(filter, prerouting)
+
+ want = []expr.VerdictKind{
+ expr.VerdictQueue,
+ expr.VerdictAccept,
+ expr.VerdictQueue,
+ expr.VerdictAccept,
+ expr.VerdictDrop,
+ expr.VerdictDrop,
+ }
+
+ for i, r := range rules {
+ rr, _ := r.Exprs[0].(*expr.Verdict)
+
+ if rr.Kind != want[i] {
+ t.Fatalf("bad verdict kind at %d", i)
+ }
+ }
+}
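Review bot: Both verification loops in TestRuleOperations can pass without asserting anything, because the error from `c.GetRule` is discarded and the loop ranges over `rules` without comparing `len(rules)` to `len(want)`. An empty or short result is accepted silently, while a longer one panics on `want[i]`. The unchecked `r.Exprs[0].(*expr.Verdict)` assertion and the `rules[2].Handle` lookups likewise panic instead of failing with a message. Since rule order in a chain decides which verdict a packet receives, a test that pins Add/Insert/Replace ordering should fail loudly when the kernel state differs from `want`. The same checks apply to the second `GetRule` call and loop (using `rules, err = …`); a sketch for the first one follows.

```go
rules, err := c.GetRule(filter, prerouting)
if err != nil {
	t.Fatal(err)
}
// … unchanged: want := []expr.VerdictKind{ … } …
if len(rules) != len(want) {
	t.Fatalf("got %d rules, want %d", len(rules), len(want))
}
for i, r := range rules {
	if len(r.Exprs) == 0 {
		t.Fatalf("rule %d has no expressions", i)
	}
	rr, ok := r.Exprs[0].(*expr.Verdict)
	if !ok {
		t.Fatalf("rule %d: first expression is %T, want *expr.Verdict", i, r.Exprs[0])
	}
	if rr.Kind != want[i] {
		t.Fatalf("bad verdict kind at %d", i)
	}
}
```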