author | Phil Sutter <phil@nwl.cc> | 2022-10-21 12:15:21 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2022-11-11 19:14:28 +0100 |
commit | 223e34b057b95604f07c53e984b199c56140e309 (patch) | |
tree | 0ec4a2f11d2a89ec86ab5c34053a35f44d9fafc6 /iptables | |
parent | 595cad95fd2f61c6bc71e521ab58556f13648c30 (diff) |
tests: xlate-test: Replay results for reverse direction testing
Call nft with translation output as input, then check xtables-save
output to make sure iptables-nft can handle anything it suggests nft to
turn its ruleset into.
This extends the test case syntax to cover expected asymmetries.
Whereas the existing syntax was something like this:
| <xlate command>
| <nft output1>
| [<nft output2>]
The new syntax then is:
| <xlate command>[;<replay rule part>]
| <nft output1>
| [<nft output2>]
To keep things terse, <replay rule part> may omit the obligatory '-A
<chain>' argument. If missing, <xlate command> is sanitized for how it
would appear in xtables-save output: '-I' is converted into '-A' and an
optional table spec is removed.
Since replay mode has to manipulate the ruleset in-kernel, abort if
called by an unprivileged user. Also try to run in its own net namespace to
reduce collateral damage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
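The sanitizing rule the commit message describes (strip the tool name, drop an optional '-t <table>', turn '-I' into '-A') and the '<xlate command>[;<replay rule part>]' split are small enough to show end to end. The following is an added example written for this page, not iptables' own xlate-test.sh, and it makes two assumptions the message does not spell out: a test-case line holds exactly one '-A'/'-I' chain argument, and a replay part that omits '-A <chain>' borrows the chain from the sanitized command. It only derives the rule xtables-save should print; it never calls nft or xtables-save, so it needs neither root nor a network namespace.

```shell
#!/bin/sh
# Added example (not code from iptables' xlate-test.sh).
# Derives the rule xtables-save should show for a *-translate test line.

# sanitize_xlate CMD
#   Rewrites an xlate command into the form xtables-save prints:
#   drop "<tool>-translate", drop an optional "-t <table>", and
#   turn "-I <chain>" into "-A <chain>". Assumes one chain argument.
sanitize_xlate() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^[a-z0-9]+-translate +//' \
        -e 's/(^| )-t +[a-z]+ +/\1/' \
        -e 's/(^| )-I +([^ ]+)/\1-A \2/'
}

# replay_rule LINE
#   LINE is "<xlate command>[;<replay rule part>]".
#   Without a replay part, the sanitized command is the expected rule.
#   With one, a missing "-A <chain>" prefix is taken from the sanitized
#   command (assumption made for this example).
replay_rule() {
    line=$1
    case "$line" in
    *\;*)
        cmd=${line%%;*}
        part=$(printf '%s' "${line#*;}" | sed -E 's/^ +//')
        case "$part" in
        -A\ *)
            printf '%s\n' "$part"
            ;;
        *)
            chain=$(sanitize_xlate "$cmd" | sed -E 's/^-A +([^ ]+).*/\1/')
            printf '%s %s %s\n' -A "$chain" "$part"
            ;;
        esac
        ;;
    *)
        sanitize_xlate "$line"
        ;;
    esac
}

# Constructed sample lines (not taken from any iptables .txlate file).
# The second one carries an explicit replay part because xtables-save
# prints "-p tcp -m tcp --dport 22", not the terser "-p tcp --dport 22".
for sample in \
    'iptables-translate -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT' \
    'iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT;-p tcp -m tcp --dport 22 -j ACCEPT' \
    'ip6tables-translate -A FORWARD -i eth0 -j DROP;-A FORWARD -i eth0 -j DROP'
do
    printf 'test line : %s\n' "$sample"
    printf 'replay as : %s\n\n' "$(replay_rule "$sample")"
done
```

Feeding the derived rule to iptables-nft and then grepping it out of xtables-save output is the part that needs CAP_NET_ADMIN; keep that behind the same privilege check and `unshare -n` guard the commit message calls for.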
Diffstat (limited to 'iptables')
0 files changed, 0 insertions, 0 deletions