compat_policy_test.go
package nftables
import (
"testing"
"github.com/google/nftables/expr"
"github.com/google/nftables/xt"
"golang.org/x/sys/unix"
)
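// TestGetCompatPolicy exercises getCompatPolicy on three rule shapes built
// from xtables compat expressions:
//
//  1. a TCP match, a TCPMSS target and a conntrack match, which must yield a
//     policy whose Proto is IPPROTO_TCP;
//  2. a UDP match combined with a TCP match, which must be rejected with an
//     error because the two disagree on the protocol;
//  3. a lone conntrack match, which must yield a nil policy and no error.
func TestGetCompatPolicy(t *testing.T) {
	// -tcp --dport 0:65534 --sport 0:65534
	tcpMatch := &expr.Match{
		Name: "tcp",
		Info: &xt.Tcp{
			SrcPorts: [2]uint16{0, 65534},
			DstPorts: [2]uint16{0, 65534},
		},
	}

	// -udp --dport 0:65534 --sport 0:65534
	udpMatch := &expr.Match{
		Name: "udp",
		Info: &xt.Udp{
			SrcPorts: [2]uint16{0, 65534},
			DstPorts: [2]uint16{0, 65534},
		},
	}

	// -j TCPMSS --set-mss 1460
	// The payload is the value 1460 as two bytes, low byte first, carried as
	// an opaque xt.Unknown blob.
	mss := xt.Unknown([]byte{1460 & 0xff, (1460 >> 8) & 0xff})
	tcpMSSTarget := &expr.Target{
		// The target is spelled "TCPMSS", as in the rule above. The earlier
		// spelling "TCPMESS" names no xtables target, so the target was
		// presumably never recognised by getCompatPolicy and the target path
		// went untested — TODO confirm against the lookup in getCompatPolicy.
		Name: "TCPMSS",
		Info: &mss,
	}

	// -m state --state ESTABLISHED
	ctMatch := &expr.Match{
		Name: "conntrack",
		Rev:  1,
		Info: &xt.ConntrackMtinfo1{
			ConntrackMtinfoBase: xt.ConntrackMtinfoBase{
				MatchFlags: 0x2001,
			},
			StateMask: 0x02,
		},
	}

	// compatPolicy.Proto should be tcp
	policy, err := getCompatPolicy([]expr.Any{tcpMatch, tcpMSSTarget, ctMatch})
	if err != nil {
		t.Fatalf("getCompatPolicy fail %#v", err)
	}
	// Guard against a nil policy so a regression fails the test with a
	// message instead of a nil-pointer panic.
	if policy == nil || policy.Proto != unix.IPPROTO_TCP {
		t.Fatalf("getCompatPolicy wrong %#v", policy)
	}

	// should conflict: a rule cannot be both UDP-only and TCP-only, and
	// accepting it silently would hide a rule that never matches as intended.
	if _, err := getCompatPolicy([]expr.Any{udpMatch, tcpMatch}); err == nil {
		t.Fatalf("getCompatPolicy fail err should not be nil")
	}

	// compatPolicy should be nil
	policy, err = getCompatPolicy([]expr.Any{ctMatch})
	if err != nil {
		t.Fatalf("getCompatPolicy fail %#v", err)
	}
	if policy != nil {
		t.Fatalf("getCompatPolicy fail compat policy of conntrack match should be nil")
	}
}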