diff options
Diffstat (limited to 'iptables/tests/shell/testcases/ipt-save')
4 files changed, 41 insertions, 11 deletions
diff --git a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 index 4e0be51c..48f5f7b4 100755 --- a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 +++ b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 @@ -39,6 +39,7 @@ do_simple() $XT_MULTI ${iptables}-restore < "$dumpfile" $XT_MULTI ${iptables}-save | grep -v "^#" > "$tmpfile" + sed -i -e 's/-p 47 /-p gre /' "$tmpfile" do_diff $dumpfile "$tmpfile" if [ $? -ne 0 ]; then # cp "$tmpfile" "$dumpfile.got" diff --git a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 index 50c0cae8..bcfaad36 100755 --- a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 +++ b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 @@ -1,13 +1,5 @@ #!/bin/bash -case "$(basename $XT_MULTI)" in - xtables-legacy-multi) - ;; - *) - echo "skip $XT_MULTI" - exit 0 - ;; -esac - dump=$(dirname $0)/dumps/fedora27-iptables diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump) +diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml -c <$dump) diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 new file mode 100755 index 00000000..b86d71f2 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 @@ -0,0 +1,37 @@ +#!/bin/bash + +# Test recent performance improvements in iptables-save due to reduced +# overhead. + +strace --version >/dev/null || { echo "skip for missing strace"; exit 0; } + +RULESET=$( + echo "*filter" + for ((i = 0; i < 100; i++)); do + echo ":mychain$i -" + echo "-A FORWARD -p tcp --dport 22 -j mychain$i" + done + echo "COMMIT" +) + +RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null) +SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null) + +do_grep() { # (name, threshold, pattern) + local cnt=$(grep -c "$3") + [[ $cnt -le $2 ]] && return 0 + echo "ERROR: Too many $3 lookups for $1: $cnt > $2" + exit 1 +} + +# iptables prefers hard-coded protocol names instead of looking them up first + +do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE" +do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE" + +# iptables-nft-save pointlessly checked whether chain jumps are targets + +do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE" +do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE" + +exit 0 diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt b/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt index bfb6bdda..6e42de78 100644 --- a/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt +++ b/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt @@ -40,8 +40,8 @@ -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT -A OUTPUT -o wlan0 -j wlanout -A OUTPUT -j block --A WLAN -s 192.168.200.4/32 -m mac --mac-source 00:00:F1:05:A0:E0 -j RETURN --A WLAN -s 192.168.200.9/32 -m mac --mac-source 00:00:F1:05:99:85 -j RETURN +-A WLAN -s 192.168.200.4/32 -m mac --mac-source 00:00:f1:05:a0:e0 -j RETURN +-A WLAN -s 192.168.200.9/32 -m mac --mac-source 00:00:f1:05:99:85 -j RETURN -A WLAN -m limit --limit 12/min -j LOG --log-prefix "UNKNOWN WLAN dropped:" -A WLAN -j DROP -A accept_log -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "TCPConnect on ppp0:" |