authorPhil Sutter <phil@nwl.cc>2024-01-26 16:59:56 +0100
committerPhil Sutter <phil@nwl.cc>2024-02-01 14:51:30 +0100
commitc10d356c1a87b2181e148d6054c856c50d5b2159 (patch)
tree6fb0cd0ac0ef289a648fc2ec82e3357762cb39e0
parentee87ad419e9a0c66a0b80fd73a530af741d2629e (diff)
tests: iptables-test: Increase non-fast mode strictness
The simple search for the rule in save output accepted arbitrary leading and trailing rule parts. This was partly desired as it allowed omitting the leading '-A' flag or ignoring the mandatory '-j CONTINUE' in ebtables rules, though it could hide bugs. Introduction of fast mode mitigated this due to the way it searches for multiple rules at the same time, but there are cases which fast mode does not support yet (e.g. test cases containing variant-specific rule output). Since the save output format never contains the rule on its first or last line, enclosing the searched rule in newline characters is sufficient to make the search apply to full lines only. The only drawback is having to add '-A' and '-j CONTINUE' parts if needed. The hidden bugs this revealed were: - Long --nflog-prefix strings are not cut to 64 chars with iptables-nft - The TCPMSS rule supposed to fail with legacy only must specify an expected save output Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r--extensions/libxt_NFLOG.t2
-rw-r--r--extensions/libxt_TCPMSS.t2
-rwxr-xr-xiptables-test.py6
3 files changed, 7 insertions, 3 deletions
diff --git a/extensions/libxt_NFLOG.t b/extensions/libxt_NFLOG.t
index 25f332ae..0cd81c64 100644
--- a/extensions/libxt_NFLOG.t
+++ b/extensions/libxt_NFLOG.t
@@ -15,7 +15,7 @@
-j NFLOG --nflog-size 4294967296;;FAIL
-j NFLOG --nflog-size -1;;FAIL
-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
--j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;OK
+-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;OK;LEGACY;=
-j NFLOG --nflog-threshold 1;=;OK
# ERROR: line 13 (should fail: iptables -A INPUT -j NFLOG --nflog-threshold 0
# -j NFLOG --nflog-threshold 0;;FAIL
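Review bot: The changed `--nflog-prefix` line now records two different expected save outputs for the same rule without saying why, and the commit message itself calls the untruncated iptables-nft output a hidden bug, so the test file ends up enshrining as expected a behaviour the author considers wrong. If the trailing `=` field is the nft-specific expected save output (the `LEGACY` marker suggests so; confirm against the parser), a `#` comment above the line should make clear that the divergence is being documented rather than endorsed, e.g. `# legacy truncates the prefix to the 64-byte buffer; iptables-nft currently saves it unchanged (known divergence)`. The file already uses `#` comment lines, as the two lines below show, so this fits the existing style and tells the next maintainer to tighten the expectation if iptables-nft starts truncating.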
diff --git a/extensions/libxt_TCPMSS.t b/extensions/libxt_TCPMSS.t
index fbfbfcf8..b3639cc1 100644
--- a/extensions/libxt_TCPMSS.t
+++ b/extensions/libxt_TCPMSS.t
@@ -1,6 +1,6 @@
:FORWARD,OUTPUT,POSTROUTING
*mangle
-j TCPMSS;;FAIL
--p tcp -j TCPMSS --set-mss 42;;FAIL;LEGACY
+-p tcp -j TCPMSS --set-mss 42;=;FAIL;LEGACY
-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 42;=;OK
-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu;=;OK
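Review bot: The changed `--set-mss 42` line now asserts that the nft backend accepts and saves unchanged a rule the legacy backend must reject, but nothing in the file records why the two backends differ, so a reader cannot tell whether the asymmetry is intended. A one-line `#` comment above it would settle that, e.g. `# legacy rejects --set-mss without a SYN flag match; nft accepts it and saves it unchanged`, with the reason hedged until confirmed against the kernel target's check. Without the note, a future change that makes both backends agree would look like a regression in one of them rather than the fix it probably is.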
diff --git a/iptables-test.py b/iptables-test.py
index 179e366e..cefe4233 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -143,7 +143,8 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
return -1
# find the rule
- matching = out.find(rule_save.encode('utf-8'))
+ matching = out.find("\n-A {}\n".format(rule_save).encode('utf-8'))
+
if matching < 0:
if res == "OK":
reason = "cannot find: " + iptables + " -I " + rule
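Review bot: The new `matching =` line still performs a byte-substring scan over the whole save output, so the full-line guarantee rests on the rule never being the last line of `out`; if some variant ever emits the rule as the final line without a trailing newline, a correct rule becomes unfindable and the test fails with a misleading "cannot find". A line-wise membership test states the intent directly and drops that assumption while keeping the `matching < 0` check below unchanged: `matching = 0 if ("-A " + rule_save).encode('utf-8') in out.splitlines() else -1`. This holds provided `matching` is not used beyond the `< 0` test further down in run_test, whose body begins and ends outside the hunk.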
@@ -470,6 +471,9 @@ def run_test_file(filename, netns):
else:
rule_save = chain + " " + item[1]
+ if iptables == EBTABLES and rule_save.find('-j') < 0:
+ rule_save += " -j CONTINUE"
+
res = item[2].rstrip()
if len(item) > 3:
variant = item[3].rstrip()
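Review bot: `rule_save.find('-j') < 0` on the added ebtables line is a substring test, so a `-j` occurring inside an option value (a log or nflog prefix string, for instance) or inside the chain name that `rule_save` was just built from would suppress the appended `-j CONTINUE` and make the rule unfindable in the save output. A token-wise test avoids that and keeps the `--jump` spelling the substring form only covered by accident: `if iptables == EBTABLES and not {'-j', '--jump'} & set(rule_save.split()):`. This assumes rule lines in the .t files carry no shell quoting that `str.split` would break; the enclosing run_test_file body starts and ends outside the hunk.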