From 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 10 Jul 2024 02:33:37 +0200
Subject: tests: shell: connect chains to hook point
These tests should fail because they contain a loop or exceed the jump stack.
But this depends on the kernel validating chains that are not bound to any
basechain/hook point.
Wire up the initial chain to filter type.
Without this tests will start to fail when kernel stops validating
chains that are not reachable by any base chain.
Signed-off-by: Florian Westphal <fw@strlen.de>
Conflict:delete the file that we don't have
Reference:https://git.netfilter.org/nftables/commit/?id=1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
---
tests/shell/testcases/chains/0003jump_loop_1 | 3 ++-
tests/shell/testcases/chains/0010endless_jump_loop_1 | 2 +-
tests/shell/testcases/chains/0011endless_jump_loop_1 | 2 +-
tests/shell/testcases/chains/0018check_jump_loop_1 | 2 +-
tests/shell/testcases/transactions/0023rule_1 | 2 +-
5 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
index 80e243f0..1a8eaf68 100755
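--- a/tests/shell/testcases/chains/0003jump_loop_1
+++ b/tests/shell/testcases/chains/0003jump_loop_1
@@ -5,8 +5,9 @@ set -e
 MAX_JUMPS=16
 
 $NFT add table t
+$NFT "add chain t c1 { type filter hook prerouting priority 0; }"
 
-for i in $(seq 1 $MAX_JUMPS)
+for i in $(seq 2 $MAX_JUMPS)
 do
 $NFT add chain t c${i}
 done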
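Review bot: The added `c1` declaration has no comment saying why it must be a base chain, and the loop start moving from 1 to 2 silently depends on that line. Per the commit message, the kernel may stop validating chains that are not reachable from a hook, so a later cleanup that turns `c1` back into a regular chain would leave the loop and jump-stack check unexercised. A one-line comment above the added line would cover it, e.g. `# c1 is a base chain: the kernel may skip loop/jump-stack checks for chains not reachable from a hook`. The same applies to the base chains added in 0010endless_jump_loop_1, 0011endless_jump_loop_1, 0018check_jump_loop_1 and 0023rule_1. The rest of the script lies outside the hunk.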
diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
index 5d3ef239..6000e5d7 100755
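--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table t
-$NFT add chain t c
+$NFT add chain "t c { type filter hook input priority 0; }"
 
 # kernel should return ELOOP
 $NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0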
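Review bot: The quoting of the new base-chain command is inconsistent across this commit. Here and in 0011endless_jump_loop_1 the table and chain names sit inside the quotes (`"t c { ... }"`), 0003jump_loop_1 quotes the whole command, and 0018check_jump_loop_1 quotes only the braces. Settling on one form, for example `$NFT add chain t c "{ type filter hook input priority 0; }"`, keeps the shell-sensitive `;` and braces protected while leaving the object names outside the quoted string, as in the neighbouring `add table` and `add rule` lines.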
diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
index d75932d7..66abf8d0 100755
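--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table t
-$NFT add chain t c1
+$NFT add chain "t c1 { type filter hook forward priority 0; }"
 $NFT add chain t c2
 $NFT add map t m {type inet_service : verdict \;}
 $NFT add element t m {2 : jump c2}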
diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
index b87520f2..1e674d3d 100755
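--- a/tests/shell/testcases/chains/0018check_jump_loop_1
+++ b/tests/shell/testcases/chains/0018check_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table ip filter
-$NFT add chain ip filter ap1
+$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"
 $NFT add chain ip filter ap2
 $NFT add rule ip filter ap1 jump ap2
 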
diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
index e58c088c..863bcde4 100755
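--- a/tests/shell/testcases/transactions/0023rule_1
+++ b/tests/shell/testcases/transactions/0023rule_1
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 RULESET="add table x
-add chain x y
+add chain x y { type filter hook input priority 0; }
 add rule x y jump y"
 
 # kernel must return ELOOP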
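Review bot: The base-chain declaration on the added line sits inside the same RULESET batch that is expected to fail, so a rejection of that line for any other reason could be mistaken for the expected ELOOP. How RULESET is loaded and how the result is checked lies outside the hunk, so this is inferred from the `# kernel must return ELOOP` comment. If the check is on exit status only, consider creating the table and base chain in a separate step that must succeed, leaving only `add rule x y jump y` in the batch that must fail.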
--
cgit v1.2.3