selftests: netfilter: Extend nft_audit.sh

}

logfile=$(mktemp)

rulefile=$(mktemp)

echo "logging into $logfile"

./audit_logread >"$logfile" &

logread_pid=$!

trap 'kill $logread_pid; rm -f $logfile' EXIT

trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT

exec 3<"$logfile"

do_test() { # (cmd, log)

	res=$(diff -a -u <(echo "$2") - <&3)

	[ $? -eq 0 ] && { echo "OK"; return; }

	echo "FAIL"

	echo "$res"

	((RC++))

	grep -v '^\(---\|+++\|@@\)' <<< "$res"

	((RC--))

}

nft flush ruleset

# adding tables, chains and rules

for table in t1 t2; do

	do_test "nft add table $table" \

	"table=$table family=2 entries=1 op=nft_register_table"

	"table=$table family=2 entries=6 op=nft_register_rule"

done

for ((i = 0; i < 500; i++)); do

	echo "add rule t2 c3 counter accept comment \"rule $i\""

done >$rulefile

do_test "nft -f $rulefile" \

'table=t2 family=2 entries=500 op=nft_register_rule'

# adding sets and elements

settype='type inet_service; counter'

setelem='{ 22, 80, 443 }'

setblock="{ $settype; elements = $setelem; }"

do_test "nft add set t1 s $setblock" \

"table=t1 family=2 entries=4 op=nft_register_set"

do_test "nft add set t1 s2 $setblock; add set t1 s3 { $settype; }" \

"table=t1 family=2 entries=5 op=nft_register_set"

do_test "nft add element t1 s3 $setelem" \

"table=t1 family=2 entries=3 op=nft_register_setelem"

# resetting rules

do_test 'nft reset rules t1 c2' \

'table=t1 family=2 entries=3 op=nft_reset_rule'

table=t1 family=2 entries=3 op=nft_reset_rule

table=t1 family=2 entries=3 op=nft_reset_rule'

do_test 'nft reset rules' \

'table=t1 family=2 entries=3 op=nft_reset_rule

table=t1 family=2 entries=3 op=nft_reset_rule

table=t1 family=2 entries=3 op=nft_reset_rule

table=t2 family=2 entries=3 op=nft_reset_rule

table=t2 family=2 entries=3 op=nft_reset_rule

table=t2 family=2 entries=3 op=nft_reset_rule'

for ((i = 0; i < 500; i++)); do

	echo "add rule t2 c3 counter accept comment \"rule $i\""

done | do_test 'nft -f -' \

'table=t2 family=2 entries=500 op=nft_register_rule'

do_test 'nft reset rules t2 c3' \

'table=t2 family=2 entries=189 op=nft_reset_rule

table=t2 family=2 entries=188 op=nft_reset_rule

table=t2 family=2 entries=188 op=nft_reset_rule

table=t2 family=2 entries=135 op=nft_reset_rule'

# resetting sets and elements

elem=(22 ,80 ,443)

relem=""

for i in {1..3}; do

	relem+="${elem[((i - 1))]}"

	do_test "nft reset element t1 s { $relem }" \

	"table=t1 family=2 entries=$i op=nft_reset_setelem"

done

do_test 'nft reset set t1 s' \

'table=t1 family=2 entries=3 op=nft_reset_setelem'

# deleting rules

readarray -t handles < <(nft -a list chain t1 c1 | \

			 sed -n 's/.*counter.* handle \(.*\)$/\1/p')

do_test "nft delete rule t1 c1 handle ${handles[0]}" \

'table=t1 family=2 entries=1 op=nft_unregister_rule'

cmd='delete rule t1 c1 handle'

do_test "nft $cmd ${handles[1]}; $cmd ${handles[2]}" \

'table=t1 family=2 entries=2 op=nft_unregister_rule'

do_test 'nft flush chain t1 c2' \

'table=t1 family=2 entries=3 op=nft_unregister_rule'

do_test 'nft flush table t2' \

'table=t2 family=2 entries=509 op=nft_unregister_rule'

# deleting chains

do_test 'nft delete chain t2 c2' \

'table=t2 family=2 entries=1 op=nft_unregister_chain'

# deleting sets and elements

do_test 'nft delete element t1 s { 22 }' \

'table=t1 family=2 entries=1 op=nft_unregister_setelem'

do_test 'nft delete element t1 s { 80, 443 }' \

'table=t1 family=2 entries=2 op=nft_unregister_setelem'

do_test 'nft flush set t1 s2' \

'table=t1 family=2 entries=3 op=nft_unregister_setelem'

do_test 'nft delete set t1 s2' \

'table=t1 family=2 entries=1 op=nft_unregister_set'

do_test 'nft delete set t1 s3' \

'table=t1 family=2 entries=1 op=nft_unregister_set'

exit $RC