summaryrefslogtreecommitdiffstats
path: root/tests/iptables.sh
Commit message (Collapse)AuthorAgeFilesLines
* Test added to check 0.0.0.0/0,iface to be matched in hash:net,iface typeJozsef Kadlecsik2016-01-131-0/+6
|
* Out of bound access in hash:net* types fixedJozsef Kadlecsik2015-08-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Dave Jones reported that KASan detected out of bounds access in hash:net* types: [ 23.139532] ================================================================== [ 23.146130] BUG: KASan: out of bounds access in hash_net4_add_cidr+0x1db/0x220 at addr ffff8800d4844b58 [ 23.152937] Write of size 4 by task ipset/457 [ 23.159742] ============================================================================= [ 23.166672] BUG kmalloc-512 (Not tainted): kasan: bad access detected [ 23.173641] ----------------------------------------------------------------------------- [ 23.194668] INFO: Allocated in hash_net_create+0x16a/0x470 age=7 cpu=1 pid=456 [ 23.201836] __slab_alloc.constprop.66+0x554/0x620 [ 23.208994] __kmalloc+0x2f2/0x360 [ 23.216105] hash_net_create+0x16a/0x470 [ 23.223238] ip_set_create+0x3e6/0x740 [ 23.230343] nfnetlink_rcv_msg+0x599/0x640 [ 23.237454] netlink_rcv_skb+0x14f/0x190 [ 23.244533] nfnetlink_rcv+0x3f6/0x790 [ 23.251579] netlink_unicast+0x272/0x390 [ 23.258573] netlink_sendmsg+0x5a1/0xa50 [ 23.265485] SYSC_sendto+0x1da/0x2c0 [ 23.272364] SyS_sendto+0xe/0x10 [ 23.279168] entry_SYSCALL_64_fastpath+0x12/0x6f The bug is fixed in the patch and the testsuite is extended in ipset to check cidr handling more thoroughly.
* Add element count to hash headersEric B Munson2015-06-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | It would be useful for userspace to query the size of an ipset hash, however, this data is not exposed to userspace outside of counting the number of member entries. This patch uses the attribute IPSET_ATTR_ELEMENTS to indicate the size in the the header that is exported to userspace. This field is then printed by the userspace tool for hashes. Because it is only meaningful for hashes to report their size, the output is conditional on the set type. To do this checking the MATCH_TYPENAME macro was moved to utils.h. The bulk of this patch changes the expected test suite to account for the change in output. Signed-off-by: Eric B Munson <emunson@akamai.com> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Josh Hunt <johunt@akamai.com> Cc: netfilter-devel@vger.kernel.org Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix cidr handling for hash:*net* typesJozsef Kadlecsik2015-03-131-0/+5
| | | | | | | | Commit 092d67cda9ad4 broke the cidr handling for the hash:*net* types when the sets were used by the SET target: entries with invalid cidr values were added to the sets. Reported by Jonathan Johnson. Testsuite entry is added to verify the fix.
* Add test to check mark mappingJozsef Kadlecsik2014-09-141-0/+9
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Pass IPSET_BIN to test scripts to change binary locationNeutron Soutmun2014-04-071-19/+21
| | | | | | | | | | | | | In the "as-installed" package testing situation, the test scripts should invokes the system installed "ipset" binary. Therefore, the IPSET_BIN could be passed to change the binary location. IPSET_BIN=/sbin/ipset ./runtest.sh The test scripts run fine in build source tree without IPSET_BIN. Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support to match elements marked with "nomatch" in hash:*net* setsJozsef Kadlecsik2012-09-211-0/+29
| | | | | | | | | | | | | | | Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
* Options and flags support added to the kernel APIJozsef Kadlecsik2011-04-181-0/+4
| | | | | | The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries.
* Testsuite checks addedJozsef Kadlecsik2011-04-101-0/+4
| | | | | | - check iptables match/target extensions with invalid number of dir parameters - check SET target with --del-set option
* Fixes, cleanups, commentsv5.0-pre8Jozsef Kadlecsik2010-10-241-1/+1
| | | | | | | | | | | | | | | | | | | - More comments added to the code - ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip and hash:ip,port,net types - hash:net and hash:ip,port,net types are reworked - hash:net,port type added - Wrong direction parameters fixed in hash:ip,port - Helps and manpage are updated - More tests added - Ugly macros are rewritten to functions in parse.c (Holger Eitzenberger) - resize related bug in hash types fixed (Holger Eitzenberger) - autoreconf patches by Jan Engelhardt applied - netlink patch minimalized: dumping can be initialized by a second parsing of the message (thanks to David and Patrick for the suggestion) - IPv4/IPv6 address attributes are introduced in order to fix the context (suggested by David)
* ipset 5: Sparc related and compatibility fixesv5.0-pre5Jozsef Kadlecsik2010-06-291-0/+1
| | | | | | | | ipset 5 is tested on Sparc, which revealed some compatibility issues and those are fixed. Kernels from 2.6.31 onward are supported. The testsuite checkings are completed to run match/target checks. The README file is updated to reflect the requirements to install and run ipset 5.
* ipset 5: IPv6 port related and manpage fixes, more testsv5.0-pre4Jozsef Kadlecsik2010-06-251-0/+72
- getting ports for family INET6 fixed - more manpage polishing - tests to check the iptables/ip6tables match and target added