diff options
Diffstat (limited to 'iptables/tests/shell/testcases')
62 files changed, 1871 insertions, 237 deletions
diff --git a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 index bf04dc0a..e64e9142 100755 --- a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 +++ b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 @@ -4,7 +4,7 @@ set -e #set -x # there is no legacy backend to test -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } # fill arptables manually diff --git a/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0 b/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0 index 38d387f3..afd0fcb4 100755 --- a/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0 +++ b/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0 @@ -3,7 +3,7 @@ set -e # there is no legacy backend to test -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } # arptables-restore reuses preloaded targets and matches, make sure defaults # apply to consecutive rules using the same target/match as a previous one diff --git a/iptables/tests/shell/testcases/arptables/0003-arptables-verbose-output_0 b/iptables/tests/shell/testcases/arptables/0003-arptables-verbose-output_0 index 10c5ec33..952cfa78 100755 --- a/iptables/tests/shell/testcases/arptables/0003-arptables-verbose-output_0 +++ b/iptables/tests/shell/testcases/arptables/0003-arptables-verbose-output_0 @@ -4,7 +4,7 @@ set -e set -x # there is no legacy backend to test -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } $XT_MULTI arptables -N foo diff --git a/iptables/tests/shell/testcases/chain/0003rename_0 b/iptables/tests/shell/testcases/chain/0003rename_0 new file mode 100755 index 00000000..4cb2745b --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0003rename_0 @@ -0,0 +1,40 @@ +#!/bin/bash -x + +die() { + echo "E: $@" + exit 1 +} + +cmds="iptables ip6tables" +[[ $XT_MULTI == *xtables-nft-multi ]] && cmds+=" arptables ebtables" + +declare -A invnames +invnames["existing"]="c2" +invnames["spaced"]="foo bar" +invnames["dashed"]="-foo" +invnames["negated"]="!foo" +# XXX: ebtables-nft accepts 255 chars +#invnames["overlong"]="thisisquitealongnameforachain" +invnames["standard target"]="ACCEPT" +invnames["extension target"]="DNAT" + +for cmd in $cmds; do + $XT_MULTI $cmd -N c1 || die "$cmd: can't add chain c1" + $XT_MULTI $cmd -N c2 || die "$cmd: can't add chain c2" + for key in "${!invnames[@]}"; do + val="${invnames[$key]}" + if [[ $key == "extension target" ]]; then + if [[ $cmd == "arptables" ]]; then + val="mangle" + elif [[ $cmd == "ebtables" ]]; then + val="dnat" + fi + fi + $XT_MULTI $cmd -N "$val" && \ + die "$cmd: added chain with $key name" + $XT_MULTI $cmd -E c1 "$val" && \ + die "$cmd: renamed to $key name" + done +done + +exit 0 diff --git a/iptables/tests/shell/testcases/chain/0003rename_1 b/iptables/tests/shell/testcases/chain/0003rename_1 deleted file mode 100755 index 975c8e19..00000000 --- a/iptables/tests/shell/testcases/chain/0003rename_1 +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -$XT_MULTI iptables -N c1 || exit 0 -$XT_MULTI iptables -N c2 || exit 0 -$XT_MULTI iptables -E c1 c2 || exit 1 - -$XT_MULTI ip6tables -N c1 || exit 0 -$XT_MULTI ip6tables -N c2 || exit 0 -$XT_MULTI ip6tables -E c1 c2 || exit 1 - -echo "E: Renamed with existing chain" >&2 -exit 0 diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0 new file mode 100755 index 00000000..cc07e4be --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0004extra-base_0 @@ -0,0 +1,37 @@ +#!/bin/bash + +case $XT_MULTI in +*xtables-nft-multi) + ;; +*) + echo skip $XT_MULTI + exit 0 + ;; +esac + +set -e + +nft -f - <<EOF +table ip filter { + chain a { + type filter hook input priority filter + } + + chain INPUT { + type filter hook input priority filter + counter packets 218 bytes 91375 accept + } + + chain x { + type filter hook input priority filter + } +} +EOF + +EXPECT="# Table \`filter' contains incompatible base-chains, use 'nft' tool to list them. +-P INPUT ACCEPT +-P FORWARD ACCEPT +-P OUTPUT ACCEPT +-A INPUT -j ACCEPT" + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S) diff --git a/iptables/tests/shell/testcases/chain/0005base-delete_0 b/iptables/tests/shell/testcases/chain/0005base-delete_0 new file mode 100755 index 00000000..033a2819 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0005base-delete_0 @@ -0,0 +1,34 @@ +#!/bin/bash -x + +$XT_MULTI iptables -N foo || exit 1 +$XT_MULTI iptables -P FORWARD DROP || exit 1 +$XT_MULTI iptables -X || exit 1 +$XT_MULTI iptables -X foo && exit 1 + +# indefinite -X fails if a non-empty user-defined chain exists +$XT_MULTI iptables -N foo +$XT_MULTI iptables -N bar +$XT_MULTI iptables -A bar -j ACCEPT +$XT_MULTI iptables -X && exit 1 +$XT_MULTI iptables -D bar -j ACCEPT +$XT_MULTI iptables -X || exit 1 + +# make sure OUTPUT chain is created by iptables-nft +$XT_MULTI iptables -A OUTPUT -j ACCEPT || exit 1 +$XT_MULTI iptables -D OUTPUT -j ACCEPT || exit 1 + +case $XT_MULTI in +*xtables-nft-multi) + # must not delete chain FORWARD, its policy is not ACCEPT + $XT_MULTI iptables -X FORWARD && exit 1 + nft list chain ip filter FORWARD || exit 1 + # this should evict chain OUTPUT + $XT_MULTI iptables -X OUTPUT || exit 1 + nft list chain ip filter OUTPUT && exit 1 + ;; +*) + $XT_MULTI iptables -X FORWARD && exit 1 + $XT_MULTI iptables -X OUTPUT && exit 1 + ;; +esac +exit 0 diff --git a/iptables/tests/shell/testcases/chain/0006rename-segfault_0 b/iptables/tests/shell/testcases/chain/0006rename-segfault_0 new file mode 100755 index 00000000..c10a8006 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0006rename-segfault_0 @@ -0,0 +1,19 @@ +#!/bin/bash +# +# Cover for a bug in libiptc: +# - the chain 'node-98-tmp' is the last in the list sorted by name +# - there are 81 chains in total, so three chain index buckets +# - the last index bucket contains only the 'node-98-tmp' chain +# => rename temporarily removes it from the bucket, leaving a NULL bucket +# behind which is dereferenced later when inserting the chain again with new +# name again + +( + echo "*filter" + for chain in node-1 node-10 node-101 node-102 node-104 node-107 node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18 node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27 node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36 node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45 node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54 node-55 node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62 node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71 node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 node-92 node-93 node-95 node-98-tmp; do + echo ":$chain - [0:0]" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore +$XT_MULTI iptables -E node-98-tmp node-98 +exit $? diff --git a/iptables/tests/shell/testcases/chain/0007counters_0 b/iptables/tests/shell/testcases/chain/0007counters_0 new file mode 100755 index 00000000..0b21a926 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0007counters_0 @@ -0,0 +1,78 @@ +#!/bin/bash -e + +SETUP="*filter +:FORWARD ACCEPT [13:37] +-A FORWARD -c 1 2 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT +COMMIT" + + +### -Z with index shall zero a single chain only + +EXPECT="-P FORWARD ACCEPT -c 13 37 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT" + +$XT_MULTI iptables-restore --counters <<< "$SETUP" +$XT_MULTI iptables -Z FORWARD 1 +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### -Z without index shall zero the chain and all rules + +EXPECT="-P FORWARD ACCEPT -c 0 0 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 0 0 -j ACCEPT" + +$XT_MULTI iptables -Z FORWARD +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### prepare for live test + +# iptables-nft will create output chain on demand, so make sure it exists +$XT_MULTI iptables -A OUTPUT -d 127.2.3.4 -j ACCEPT + +# test runs in its own netns, lo is there but down by default +ip link set lo up + + +### pings (and pongs) hit OUTPUT policy, its counters must increase + +get_pkt_counter() { # (CHAIN) + $XT_MULTI iptables -vS $1 | awk '/^-P '$1'/{print $5; exit}' +} + +counter_inc_test() { + pkt_pre=$(get_pkt_counter OUTPUT) + ping -q -i 0.2 -c 3 127.0.0.1 + pkt_post=$(get_pkt_counter OUTPUT) + [[ $pkt_post -gt $pkt_pre ]] +} + +counter_inc_test + +# iptables-nft-restore needed --counters to create chains with them +if [[ $XT_MULTI == *xtables-nft-multi ]]; then + $XT_MULTI iptables -F OUTPUT + $XT_MULTI iptables -X OUTPUT + $XT_MULTI iptables-restore <<EOF +*filter +:OUTPUT ACCEPT [0:0] +COMMIT +EOF + counter_inc_test +fi + +### unrelated restore must not touch changing counters in kernel + +# With legacy iptables, this works without --noflush even. With iptables-nft, +# ruleset is flushed though. Not sure which behaviour is actually correct. :) +pkt_pre=$pkt_post +$XT_MULTI iptables-restore --noflush <<EOF +*filter$(ping -i 0.2 -c 3 127.0.0.1 >/dev/null 2>&1) +COMMIT +EOF +nft list ruleset +pkt_post=$(get_pkt_counter OUTPUT) +[[ $pkt_post -eq $((pkt_pre + 6 )) ]] diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 new file mode 100755 index 00000000..bc473d25 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 @@ -0,0 +1,32 @@ +#!/bin/bash +# +# Another funny rename bug in libiptc: +# If there is a chain index bucket with only a single chain in it and it is not +# the last one and that chain is renamed, a chain index rebuild is triggered. +# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an +# extra index is allocated and remains NULL. The following insert of renamed +# chain then segfaults. + +( + echo "*filter" + # first bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-a-$i - [0:0]" + done + # second bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-b-$i - [0:0]" + done + # third bucket, just make sure it exists + echo ":chain-c-0 - [0:0]" + echo "COMMIT" +) | $XT_MULTI iptables-restore + +# rename all chains of the middle bucket +( + echo "*filter" + for ((i = 0; i < 40; i++)); do + echo "-E chain-b-$i chain-d-$i" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore --noflush diff --git a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 index c7f24a38..bae0de7d 100755 --- a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 +++ b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 @@ -1,86 +1,93 @@ #!/bin/sh +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + get_entries_count() { # (chain) $XT_MULTI ebtables -L $1 | sed -n 's/.*entries: \([0-9]*\).*/\1/p' } set -x -case "$XT_MULTI" in -*/xtables-nft-multi) - for t in filter nat;do - $XT_MULTI ebtables -t $t -L || exit 1 - $XT_MULTI ebtables -t $t -X || exit 1 - $XT_MULTI ebtables -t $t -F || exit 1 - done - - for t in broute foobar ;do - $XT_MULTI ebtables -t $t -L && - $XT_MULTI ebtables -t $t -X && - $XT_MULTI ebtables -t $t -F - if [ $? -eq 0 ]; then - echo "Expect nonzero return for unsupported table" - exit 1 - fi - done - - - $XT_MULTI ebtables -t filter -N FOO || exit 1 - $XT_MULTI ebtables -t filter -N FOO + +for t in filter nat broute; do + $XT_MULTI ebtables -t $t -L || exit 1 + $XT_MULTI ebtables -t $t -X || exit 1 + $XT_MULTI ebtables -t $t -F || exit 1 +done + +for t in foobar; do + $XT_MULTI ebtables -t $t -L && + $XT_MULTI ebtables -t $t -X && + $XT_MULTI ebtables -t $t -F if [ $? -eq 0 ]; then - echo "Duplicate chain FOO" - $XT_MULTI ebtables -t filter -L + echo "Expect nonzero return for unsupported table" exit 1 fi +done - entries=$(get_entries_count FOO) - if [ $entries -ne 0 ]; then - echo "Unexpected entries count in empty unreferenced chain (expected 0, have $entries)" - $XT_MULTI ebtables -L - exit 1 - fi - $XT_MULTI ebtables -A FORWARD -j FOO - entries=$(get_entries_count FORWARD) - if [ $entries -ne 1 ]; then - echo "Unexpected entries count in FORWARD chain (expected 1, have $entries)" - $XT_MULTI ebtables -L - exit 1 - fi +$XT_MULTI ebtables -t filter -N FOO || exit 1 +$XT_MULTI ebtables -t filter -N FOO +if [ $? -eq 0 ]; then + echo "Duplicate chain FOO" + $XT_MULTI ebtables -t filter -L + exit 1 +fi - entries=$(get_entries_count FOO) - if [ $entries -ne 0 ]; then - echo "Unexpected entries count in empty referenced chain (expected 0, have $entries)" - $XT_MULTI ebtables -L - exit 1 - fi +entries=$(get_entries_count FOO) +if [ $entries -ne 0 ]; then + echo "Unexpected entries count in empty unreferenced chain (expected 0, have $entries)" + $XT_MULTI ebtables -L + exit 1 +fi - $XT_MULTI ebtables -A FOO -j ACCEPT - entries=$(get_entries_count FOO) - if [ $entries -ne 1 ]; then - echo "Unexpected entries count in non-empty referenced chain (expected 1, have $entries)" - $XT_MULTI ebtables -L - exit 1 - fi +$XT_MULTI ebtables -A FORWARD -j FOO +entries=$(get_entries_count FORWARD) +if [ $entries -ne 1 ]; then + echo "Unexpected entries count in FORWARD chain (expected 1, have $entries)" + $XT_MULTI ebtables -L + exit 1 +fi - $XT_MULTI ebtables -t filter -N BAR || exit 1 - $XT_MULTI ebtables -t filter -N BAZ || exit 1 +entries=$(get_entries_count FOO) +if [ $entries -ne 0 ]; then + echo "Unexpected entries count in empty referenced chain (expected 0, have $entries)" + $XT_MULTI ebtables -L + exit 1 +fi - $XT_MULTI ebtables -t filter -L | grep -q FOO || exit 1 - $XT_MULTI ebtables -t filter -L | grep -q BAR || exit 1 - $XT_MULTI ebtables -t filter -L | grep -q BAZ || exit 1 +$XT_MULTI ebtables -A FOO -j ACCEPT +entries=$(get_entries_count FOO) +if [ $entries -ne 1 ]; then + echo "Unexpected entries count in non-empty referenced chain (expected 1, have $entries)" + $XT_MULTI ebtables -L + exit 1 +fi - $XT_MULTI ebtables -t filter -L BAZ || exit 1 - $XT_MULTI ebtables -t filter -X BAZ || exit 1 - $XT_MULTI ebtables -t filter -L BAZ | grep -q BAZ - if [ $? -eq 0 ]; then - echo "Deleted chain -L BAZ ok, expected failure" - $XT_MULTI ebtables -t filter -L - exit 1 - fi +$XT_MULTI ebtables -t filter -N BAR || exit 1 +$XT_MULTI ebtables -t filter -N BAZ || exit 1 - $XT_MULTI ebtables -t $t -F || exit 0 - ;; -*) - echo "skip $XT_MULTI" - ;; -esac +$XT_MULTI ebtables -t filter -L | grep -q FOO || exit 1 +$XT_MULTI ebtables -t filter -L | grep -q BAR || exit 1 +$XT_MULTI ebtables -t filter -L | grep -q BAZ || exit 1 + +$XT_MULTI ebtables -t filter -L BAZ || exit 1 +$XT_MULTI ebtables -t filter -X BAZ || exit 1 +$XT_MULTI ebtables -t filter -L BAZ | grep -q BAZ +if [ $? -eq 0 ]; then + echo "Deleted chain -L BAZ ok, expected failure" + $XT_MULTI ebtables -t filter -L + exit 1 +fi + +$XT_MULTI ebtables -t filter -E FOO BAZ || exit 1 +$XT_MULTI ebtables -t filter -L | grep -q FOO && exit 1 +$XT_MULTI ebtables -t filter -L | grep -q BAZ || exit 1 + +$XT_MULTI ebtables -t $t -F || exit 0 diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 index e18d4655..b4f9728b 100755 --- a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 +++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 @@ -4,7 +4,7 @@ set -e #set -x # there is no legacy backend to test -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } # fill ebtables manually @@ -13,8 +13,8 @@ $XT_MULTI ebtables -A INPUT -p IPv4 -i lo -j ACCEPT $XT_MULTI ebtables -P FORWARD DROP $XT_MULTI ebtables -A OUTPUT -s ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -j DROP $XT_MULTI ebtables -N foo -$XT_MULTI ebtables -A foo --802_3-sap 0x23 -j ACCEPT -$XT_MULTI ebtables -A foo --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0x23 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT #$XT_MULTI ebtables -A foo --among-dst fe:ed:ba:be:00:01,fe:ed:ba:be:00:02,fe:ed:ba:be:00:03 -j ACCEPT $XT_MULTI ebtables -A foo -p ARP --arp-gratuitous -j ACCEPT $XT_MULTI ebtables -A foo -p ARP --arp-opcode Request -j ACCEPT @@ -38,13 +38,13 @@ $XT_MULTI ebtables -A foo -p IPv6 --ip6-proto tcp -j ACCEPT $XT_MULTI ebtables -A foo --limit 100 --limit-burst 42 -j ACCEPT $XT_MULTI ebtables -A foo --log -$XT_MULTI ebtables -A foo --mark-set 0x23 --mark-target ACCEPT +$XT_MULTI ebtables -A foo -j mark --mark-set 0x23 --mark-target ACCEPT $XT_MULTI ebtables -A foo --nflog $XT_MULTI ebtables -A foo --pkttype-type multicast -j ACCEPT $XT_MULTI ebtables -A foo --stp-type config -j ACCEPT #$XT_MULTI ebtables -A foo --vlan-id 42 -j ACCEPT -$XT_MULTI ebtables -A foo --802_3-sap 0x23 --limit 100 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0x23 --limit 100 -j ACCEPT $XT_MULTI ebtables -A foo --pkttype-type multicast --log $XT_MULTI ebtables -A foo --pkttype-type multicast --limit 100 -j ACCEPT @@ -53,7 +53,7 @@ $XT_MULTI ebtables -A FORWARD -j foo $XT_MULTI ebtables -N bar $XT_MULTI ebtables -P bar RETURN -$XT_MULTI ebtables -t nat -A PREROUTING --redirect-target ACCEPT +$XT_MULTI ebtables -t nat -A PREROUTING -j redirect --redirect-target ACCEPT #$XT_MULTI ebtables -t nat -A PREROUTING --to-src fe:ed:ba:be:00:01 $XT_MULTI ebtables -t nat -A OUTPUT -j ACCEPT @@ -70,13 +70,13 @@ DUMP='*filter :INPUT ACCEPT :FORWARD DROP :OUTPUT ACCEPT -:foo ACCEPT :bar RETURN +:foo ACCEPT -A INPUT -p IPv4 -i lo -j ACCEPT -A FORWARD -j foo -A OUTPUT -s Broadcast -j DROP --A foo --802_3-sap 0x23 -j ACCEPT --A foo --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT +-A foo -p Length --802_3-sap 0x23 -j ACCEPT +-A foo -p Length --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT -A foo -p ARP --arp-gratuitous -j ACCEPT -A foo -p ARP --arp-op Request -j ACCEPT -A foo -p ARP --arp-ip-src 10.0.0.1 -j ACCEPT @@ -91,13 +91,13 @@ DUMP='*filter -A foo -p IPv6 --ip6-dst feed:babe::/64 -j ACCEPT -A foo -p IPv6 --ip6-proto tcp -j ACCEPT -A foo --limit 100/sec --limit-burst 42 -j ACCEPT --A foo --log-level notice --log-prefix "" -j CONTINUE +-A foo --log-level notice -j CONTINUE -A foo -j mark --mark-set 0x23 --mark-target ACCEPT -A foo --nflog-group 1 -j CONTINUE -A foo --pkttype-type multicast -j ACCEPT -A foo --stp-type config -j ACCEPT --A foo --802_3-sap 0x23 --limit 100/sec --limit-burst 5 -j ACCEPT --A foo --pkttype-type multicast --log-level notice --log-prefix "" -j CONTINUE +-A foo -p Length --802_3-sap 0x23 --limit 100/sec --limit-burst 5 -j ACCEPT +-A foo --pkttype-type multicast --log-level notice -j CONTINUE -A foo --pkttype-type multicast --limit 100/sec --limit-burst 5 -j ACCEPT *nat :PREROUTING ACCEPT diff --git a/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 b/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 index 62d22413..7554ef85 100755 --- a/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 +++ b/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 @@ -3,7 +3,7 @@ set -e # there is no legacy backend to test -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } # ebtables-restore reuses preloaded targets and matches, make sure defaults # apply to consecutive rules using the same target/match as a previous one @@ -24,7 +24,7 @@ EXPECT='*filter -A FORWARD --limit 100/sec --limit-burst 42 -j ACCEPT -A FORWARD --limit 1000/sec --limit-burst 5 -j ACCEPT -A FORWARD --log-level notice --log-prefix "foobar" -j CONTINUE --A FORWARD --log-level notice --log-prefix "" -j CONTINUE' +-A FORWARD --log-level notice -j CONTINUE' $XT_MULTI ebtables --init-table $XT_MULTI ebtables-restore <<<$DUMP diff --git a/iptables/tests/shell/testcases/ebtables/0004-save-counters_0 b/iptables/tests/shell/testcases/ebtables/0004-save-counters_0 index 46966f43..d52db900 100755 --- a/iptables/tests/shell/testcases/ebtables/0004-save-counters_0 +++ b/iptables/tests/shell/testcases/ebtables/0004-save-counters_0 @@ -3,7 +3,7 @@ set -e # there is no legacy backend to test -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } $XT_MULTI ebtables --init-table $XT_MULTI ebtables -A FORWARD -i nodev123 -o nodev432 -j ACCEPT diff --git a/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 index 2163d364..0b3acfd7 100755 --- a/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 +++ b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 @@ -3,7 +3,7 @@ set -e # there is no legacy backend to test -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } EXPECT='*filter :INPUT ACCEPT diff --git a/iptables/tests/shell/testcases/ebtables/0006-flush_0 b/iptables/tests/shell/testcases/ebtables/0006-flush_0 new file mode 100755 index 00000000..5d714529 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0006-flush_0 @@ -0,0 +1,47 @@ +#!/bin/bash + +set -e + +# there is no legacy backend to test +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +RULESET='*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT +-A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP +*nat +:PREROUTING ACCEPT +:OUTPUT ACCEPT +:POSTROUTING ACCEPT +-A OUTPUT --among-src c0:ff:ee:90:90:90=192.168.0.1 -j DROP' + +$XT_MULTI ebtables-restore <<<$RULESET +diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#') + +RULESET='*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT +-A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP +*nat +:PREROUTING ACCEPT +:OUTPUT ACCEPT +:POSTROUTING ACCEPT' + +$XT_MULTI ebtables -t nat -F +diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#') + +RULESET='*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +*nat +:PREROUTING ACCEPT +:OUTPUT ACCEPT +:POSTROUTING ACCEPT' + +$XT_MULTI ebtables -t filter -F +diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#') diff --git a/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 new file mode 100755 index 00000000..d79f91b1 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 @@ -0,0 +1,41 @@ +#!/bin/bash + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +set -e + +# ebtables supports policies in user-defined chains %) +# and the default policy is ACCEPT ... +$XT_MULTI ebtables -N FOO -P DROP +$XT_MULTI ebtables -N BAR +$XT_MULTI ebtables -P BAR RETURN +$XT_MULTI ebtables -N BAZ + +EXPECT_BASE="*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT" + +EXPECT="$EXPECT_BASE +:BAR RETURN +:BAZ ACCEPT +:FOO DROP" + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#') + +# rule commands must not break the policies +$XT_MULTI ebtables -A FOO -j ACCEPT +$XT_MULTI ebtables -D FOO -j ACCEPT +$XT_MULTI ebtables -F +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#') + +# dropping the chains must implicitly remove the policy rule as well +$XT_MULTI ebtables -X +diff -u -Z <(echo -e "$EXPECT_BASE") <($XT_MULTI ebtables-save | grep -v '^#') diff --git a/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 new file mode 100755 index 00000000..962b1e03 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 @@ -0,0 +1,106 @@ +#!/bin/sh + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +sfx=$(mktemp -u "XXXXXXXX") +nsa="nsa-$sfx" +nsb="nsb-$sfx" +nsc="nsc-$sfx" + +cleanup() +{ + ip netns del "$nsa" + ip netns del "$nsb" + ip netns del "$nsc" +} + +trap cleanup EXIT + +assert_fail() +{ + if [ $1 -eq 0 ]; then + echo "FAILED: $2" + exit 1 + fi +} + +assert_pass() +{ + if [ $1 -ne 0 ]; then + echo "FAILED: $2" + exit 2 + fi +} + +ip netns add "$nsa" +ip netns add "$nsb" +ip netns add "$nsc" + +ip link add name c_b netns "$nsc" type veth peer name b_c netns "$nsb" +ip link add name s_b netns "$nsa" type veth peer name b_s netns "$nsb" +ip netns exec "$nsb" ip link add name br0 type bridge + +ip -net "$nsb" link set b_c up +ip netns exec "$nsb" ip link set b_s up +ip netns exec "$nsb" ip addr add 10.167.11.254/24 dev br0 +ip netns exec "$nsb" ip link set br0 up +ip netns exec "$nsb" ip link set b_c master br0 +ip netns exec "$nsb" ip link set b_s master br0 +ip netns exec "$nsc" ip addr add 10.167.11.2/24 dev c_b +ip netns exec "$nsc" ip link set c_b up +ip -net "$nsa" addr add 10.167.11.1/24 dev s_b +ip -net "$nsa" link set s_b up + +ip netns exec "$nsc" ping -q 10.167.11.1 -c1 >/dev/null || exit 1 + +bf_bridge_mac1=`ip netns exec "$nsb" cat /sys/class/net/b_s/address` +bf_bridge_mac0=`ip netns exec "$nsb" cat /sys/class/net/b_c/address` +bf_client_mac1=`ip netns exec "$nsc" cat /sys/class/net/c_b/address` +bf_server_mac1=`ip netns exec "$nsa" cat /sys/class/net/s_b/address` + +bf_server_ip1="10.167.11.1" +bf_bridge_ip0="10.167.11.254" +bf_client_ip1="10.167.11.2" +pktsize=64 + +# --among-src [mac,IP] +among="$bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1" +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-dst $bf_server_ip1 --among-src "$among" -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null +assert_fail $? "--among-src [match]" + +# ip netns exec "$nsb" $XT_MULTI ebtables -L --Ln --Lc + +among="$bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1" +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-dst $bf_server_ip1 ! --among-src "$among" -j DROP > /dev/null +ip netns exec "$nsc" ping $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null +assert_pass $? "--among-src [not match]" + +# --among-dst [mac,IP] +among="$bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1" +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-src $bf_client_ip1 --among-dst "$among" -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null +assert_fail $? "--among-dst [match]" + +# ! --among-dst [mac,IP] +among="$bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1" +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-src $bf_client_ip1 ! --among-dst "$among" -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null +assert_pass $? "--among-dst [not match]" + +exit 0 diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 new file mode 100755 index 00000000..0def0ac5 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring: +# - with --noflush +# - a second table after the broute one +# - A policy command but no chain line for BROUTING chain + +set -e + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +$XT_MULTI ebtables-restore --noflush <<EOF +*broute +-P BROUTING ACCEPT +*nat +-P PREROUTING ACCEPT +COMMIT +EOF diff --git a/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 b/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 new file mode 100755 index 00000000..4f783819 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 @@ -0,0 +1,45 @@ +#!/bin/sh + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +set -e +set -x + +check_rule() { # (pcnt, bcnt) + $XT_MULTI ebtables -L FORWARD --Lc --Ln | \ + grep -q "^1. -o eth0 -j CONTINUE , pcnt = $1 -- bcnt = $2$" +} + +$XT_MULTI ebtables -A FORWARD -o eth0 -c 10 20 +check_rule 10 20 + +$XT_MULTI ebtables -C FORWARD 1 100 200 +check_rule 100 200 + +$XT_MULTI ebtables -C FORWARD 101 201 -o eth0 +check_rule 101 201 + +$XT_MULTI ebtables -C FORWARD 1 +10 -20 +check_rule 111 181 + +$XT_MULTI ebtables -C FORWARD -10 +20 -o eth0 +check_rule 101 201 + +$XT_MULTI ebtables -A FORWARD -o eth1 -c 111 211 +$XT_MULTI ebtables -A FORWARD -o eth2 -c 121 221 + +$XT_MULTI ebtables -C FORWARD 2:3 +100 -200 + +EXPECT='1. -o eth0 -j CONTINUE , pcnt = 101 -- bcnt = 201 +2. -o eth1 -j CONTINUE , pcnt = 211 -- bcnt = 11 +3. -o eth2 -j CONTINUE , pcnt = 221 -- bcnt = 21' +diff -u <(echo "$EXPECT") \ + <($XT_MULTI ebtables -L FORWARD --Lc --Ln | grep -- '-o eth') + diff --git a/iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0 b/iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0 index 8bf0c2c6..4900554e 100755 --- a/iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0 +++ b/iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0 @@ -230,21 +230,8 @@ for table in nat mangle raw filter;do $XT_MULTI iptables-save -t $table | grep -v '^#' >> "$tmpfile" done -case "$XT_MULTI" in -*/xtables-nft-multi) - # nft-multi displays chain names in different order, work around this for now - tmpfile2=$(mktemp) - sort "$tmpfile" > "$tmpfile2" - sort $(dirname "$0")/dumps/ipt-save-completed.txt > "$tmpfile" - diff -u $tmpfile $tmpfile2 - RET=$? - rm -f "$tmpfile2" - ;; -*) - diff -u $tmpfile $(dirname "$0")/dumps/ipt-save-completed.txt - RET=$? - ;; -esac +diff -u $tmpfile $(dirname "$0")/dumps/ipt-save-completed.txt +RET=$? rm -f "$tmpfile" diff --git a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 index 7b0e6468..45fab830 100755 --- a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 +++ b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 @@ -6,23 +6,38 @@ set -e # ensure verbose output is identical between legacy and nft tools RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT' -VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2' +VOUT1='ACCEPT all opt -- in eth2 out eth3 feed:babe::1 -> feed:babe::2' RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT' -VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5' +VOUT2='ACCEPT all opt -- in eth2 out eth3 feed:babe::4 -> feed:babe::5' +RULE3='-p icmpv6 -m icmp6 --icmpv6-type no-route' +VOUT3=' ipv6-icmp opt -- in * out * ::/0 -> ::/0 ipv6-icmptype 1 code 0' +RULE4='-m dst --dst-len 42 -m rt --rt-type 23' +VOUT4=' all opt -- in * out * ::/0 -> ::/0 dst length:42 rt type:23' +RULE5='-m frag --fragid 1337 -j LOG' +VOUT5='LOG all opt -- in * out * ::/0 -> ::/0 frag id:1337 LOG flags 0 level 4' diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -A FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -A FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -A FORWARD $RULE5) diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -C FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -C FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -C FORWARD $RULE5) EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2 - 0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ACCEPT all -- eth2 eth3 feed:babe::1 feed:babe::2 + 0 0 ACCEPT all -- eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ipv6-icmp -- * * ::/0 ::/0 ipv6-icmptype 1 code 0 + 0 0 all -- * * ::/0 ::/0 dst length:42 rt type:23 + 0 0 LOG all -- * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination' diff --git a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 index c98bdd6e..09e39927 100755 --- a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 +++ b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 @@ -3,7 +3,7 @@ set -e $XT_MULTI ip6tables -N foo -$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT +$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 $XT_MULTI ip6tables -A FORWARD -i eth42 -o eth23 -g foo $XT_MULTI ip6tables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT @@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 -P FORWARD ACCEPT -c 0 0 -P OUTPUT ACCEPT -c 0 0 -N foo --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S) @@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD) EXPECT='-P FORWARD ACCEPT -c 0 0 --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S FORWARD) diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 new file mode 100755 index 00000000..7eb42f08 --- /dev/null +++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 @@ -0,0 +1,24 @@ +#!/bin/bash + +set -e + +$XT_MULTI ip6tables-restore <<EOF +*filter +-A FORWARD -s feed:babe::/ffff::0 +-A FORWARD -s feed:babe::/ffff:ff00::0 +-A FORWARD -s feed:babe::/ffff:fff0::0 +-A FORWARD -s feed:babe::/ffff:ffff::0 +-A FORWARD -s feed:babe::/0:ffff::0 +-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0 +COMMIT +EOF + +EXPECT='-P FORWARD ACCEPT +-A FORWARD -s feed::/16 +-A FORWARD -s feed:ba00::/24 +-A FORWARD -s feed:bab0::/28 +-A FORWARD -s feed:babe::/32 +-A FORWARD -s 0:babe::/0:ffff:: +-A FORWARD -s feed::babe:0/ffff::ffff:0' + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD) diff --git a/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 b/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 deleted file mode 100755 index f023b791..00000000 --- a/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh - -# make sure error return codes are as expected useful cases -# (e.g. commands to check ruleset state) - -global_rc=0 - -cmd() { # (rc, cmd, [args ...]) - rc_exp=$1; shift - - $XT_MULTI "$@" - rc=$? - - [ $rc -eq $rc_exp ] || { - echo "---> expected $rc_exp, got $rc for command '$@'" - global_rc=1 - } -} - -# test chain creation -cmd 0 ip6tables -N foo -cmd 1 ip6tables -N foo -# iptables-nft allows this - bug or feature? -#cmd 2 ip6tables -N "invalid name" - -# test rule adding -cmd 0 ip6tables -A INPUT -j ACCEPT -cmd 1 ip6tables -A noexist -j ACCEPT - -# test rule checking -cmd 0 ip6tables -C INPUT -j ACCEPT -cmd 1 ip6tables -C FORWARD -j ACCEPT -cmd 1 ip6tables -C nonexist -j ACCEPT -cmd 2 ip6tables -C INPUT -j foobar -cmd 2 ip6tables -C INPUT -m foobar -j ACCEPT -cmd 3 ip6tables -t foobar -C INPUT -j ACCEPT - -exit $global_rc diff --git a/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0 b/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0 new file mode 100755 index 00000000..cc8215bf --- /dev/null +++ b/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0 @@ -0,0 +1,17 @@ +#!/bin/bash +# +# Test the fix in commit 78850e7dba64a ("ip6tables: Fix checking existence of +# rule"). Happens with legacy ip6tables only, but testing ip6tables-nft doesn't +# hurt. +# +# Code taken from https://bugzilla.netfilter.org/show_bug.cgi?id=1667 +# Thanks to Jonathan Caicedo <jonathan@jcaicedo.com> for providing it. + +RULE='-p tcp --dport 81 -j DNAT --to-destination [::1]:81' + +$XT_MULTI ip6tables -t nat -N testchain || exit 1 +$XT_MULTI ip6tables -t nat -A testchain $RULE || exit 1 +$XT_MULTI ip6tables -t nat -C testchain $RULE || exit 1 + +$XT_MULTI ip6tables -t nat -C testchain ${RULE//81/82} 2>/dev/null && exit 1 +exit 0 diff --git a/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 index ce3bef3a..3f443a98 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 @@ -22,7 +22,7 @@ do_simple() table="${2}" dumpfile="$(dirname "${0}")/dumps/${iptables}.dump" - "$XT_MULTI" "${iptables}-restore" --table="${table}" <"${dumpfile}"; rv=$? + "$XT_MULTI" "${iptables}-restore" --table="${table}" "${dumpfile}"; rv=$? if [ "${rv}" -ne 0 ]; then RET=1 diff --git a/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 b/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 index 5c8748ec..d632cbc0 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 @@ -2,7 +2,7 @@ set -e -# make sure wait and wait-interval options are accepted +# make sure wait options are accepted clean_tempfile() { @@ -18,4 +18,3 @@ tmpfile=$(mktemp) || exit 1 $XT_MULTI iptables-save -f $tmpfile $XT_MULTI iptables-restore $tmpfile $XT_MULTI iptables-restore -w 5 $tmpfile -$XT_MULTI iptables-restore -w 5 -W 1 $tmpfile diff --git a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 index 3f1d229e..5482b7ea 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 @@ -123,3 +123,19 @@ EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT -A FORWARD -m comment --comment "rule 3" -j ACCEPT' diff -u -Z <(echo -e "$EXPECT") <(ipt_show) + +# test adding, referencing and deleting the same rule in a batch + +$XT_MULTI iptables-restore <<EOF +*filter +-A FORWARD -m comment --comment "first rule" -j ACCEPT +-A FORWARD -m comment --comment "referenced rule" -j ACCEPT +-I FORWARD 2 -m comment --comment "referencing rule" -j ACCEPT +-D FORWARD -m comment --comment "referenced rule" -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment "first rule" -j ACCEPT +-A FORWARD -m comment --comment "referencing rule" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) diff --git a/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 b/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 index 96a5e66d..a7fae41d 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 @@ -45,8 +45,7 @@ get_target() make_dummy_rules() { - - echo "*filter" + echo "*${1:-filter}" echo ":INPUT ACCEPT [0:0]" echo ":FORWARD ACCEPT [0:0]" echo ":OUTPUT ACCEPT [0:0]" @@ -74,7 +73,7 @@ make_dummy_rules() tmpfile=$(mktemp) || exit 1 dumpfile=$(mktemp) || exit 1 -make_dummy_rules > $dumpfile +(make_dummy_rules; make_dummy_rules security) > $dumpfile $XT_MULTI iptables-restore -w < $dumpfile LINES1=$(wc -l < $dumpfile) $XT_MULTI iptables-save | grep -v '^#' > $dumpfile @@ -86,7 +85,7 @@ if [ $LINES1 -ne $LINES2 ]; then fi case "$XT_MULTI" in -*/xtables-nft-multi) +*xtables-nft-multi) attempts=$((RANDOM%10)) attempts=$((attempts+1)) ;; diff --git a/iptables/tests/shell/testcases/ipt-restore/0007-flush-noflush_0 b/iptables/tests/shell/testcases/ipt-restore/0007-flush-noflush_0 index 029db223..e705b28c 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0007-flush-noflush_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0007-flush-noflush_0 @@ -18,7 +18,7 @@ EXPECT="*nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -j ACCEPT COMMIT" -diff -u -Z <(echo -e "$EXPECT" | sort) <($XT_MULTI iptables-save | grep -v '^#' | sort) +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save | grep -v '^#') $XT_MULTI iptables-restore <<EOF *filter @@ -39,4 +39,4 @@ COMMIT :POSTROUTING ACCEPT [0:0] -A POSTROUTING -j ACCEPT COMMIT" -diff -u -Z <(echo -e "$EXPECT" | sort) <($XT_MULTI iptables-save | grep -v '^#' | sort) +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save | grep -v '^#') diff --git a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 index 5ac70682..854768c9 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 @@ -20,3 +20,10 @@ EXPECT=":foo - [0:0] $XT_MULTI iptables-restore --counters <<< "$DUMP" diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save --counters | grep foo) + +# if present, counters must be in proper format +! $XT_MULTI iptables-restore <<EOF +*filter +:FORWARD ACCEPT bar +COMMIT +EOF diff --git a/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 new file mode 100755 index 00000000..2817376e --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 @@ -0,0 +1,11 @@ +#!/bin/sh -e + +# assert input feed from buffer doesn't trip over +# added nul-chars from parsing chain line. + +$XT_MULTI iptables-restore --noflush <<EOF +*filter +:foobar - [0:0] +-A foobar -j ACCEPT +COMMIT +EOF diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 new file mode 100755 index 00000000..bea1a690 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 @@ -0,0 +1,16 @@ +#!/bin/bash -e + +# make sure empty lines won't break --noflush + +cat <<EOF | $XT_MULTI iptables-restore --noflush +# just a comment followed by innocent empty line + +*filter +-A FORWARD -j ACCEPT +COMMIT +EOF + +EXPECT='Chain FORWARD (policy ACCEPT) +target prot opt source destination +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ' +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD) diff --git a/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0 b/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0 new file mode 100755 index 00000000..fd82afa1 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0 @@ -0,0 +1,12 @@ +#!/bin/bash -e + +# make sure -F lines don't cause segfaults + +RULESET='*nat +-F PREROUTING +-A PREROUTING -j ACCEPT +-F PREROUTING +COMMIT' + +echo -e "$RULESET" | $XT_MULTI iptables-restore +echo -e "$RULESET" | $XT_MULTI iptables-restore -n diff --git a/iptables/tests/shell/testcases/ipt-restore/0013-test-mode_0 b/iptables/tests/shell/testcases/ipt-restore/0013-test-mode_0 new file mode 100755 index 00000000..65c3b9a1 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0013-test-mode_0 @@ -0,0 +1,7 @@ +#!/bin/bash + +set -e + +# segfault with --test reported in nfbz#1391 + +printf '%s\nCOMMIT\n' '*nat' '*raw' '*filter' | $XT_MULTI iptables-restore --test diff --git a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 new file mode 100755 index 00000000..087156b1 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 @@ -0,0 +1,79 @@ +#!/bin/bash + +set -e + +DUMP="*filter +:foo - [0:0] +:bar - [0:0] +-A foo -j ACCEPT +COMMIT +*nat +:natfoo - [0:0] +:natbar - [0:0] +-A natfoo -j ACCEPT +COMMIT +*raw +:rawfoo - [0:0] +COMMIT +*mangle +:manglefoo - [0:0] +COMMIT +*security +:secfoo - [0:0] +COMMIT +" + +$XT_MULTI iptables-restore <<< "$DUMP" +$XT_MULTI ip6tables-restore <<< "$DUMP" + +EXPECT="Flushing chain \`INPUT' +Flushing chain \`FORWARD' +Flushing chain \`OUTPUT' +Flushing chain \`bar' +Flushing chain \`foo' +Deleting chain \`bar' +Deleting chain \`foo' +ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 +Flushing chain \`PREROUTING' +Flushing chain \`INPUT' +Flushing chain \`OUTPUT' +Flushing chain \`POSTROUTING' +Flushing chain \`natbar' +Flushing chain \`natfoo' +Deleting chain \`natbar' +Deleting chain \`natfoo' +ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 +Flushing chain \`PREROUTING' +Flushing chain \`OUTPUT' +Flushing chain \`rawfoo' +Deleting chain \`rawfoo' +Flushing chain \`PREROUTING' +Flushing chain \`INPUT' +Flushing chain \`FORWARD' +Flushing chain \`OUTPUT' +Flushing chain \`POSTROUTING' +Flushing chain \`manglefoo' +Deleting chain \`manglefoo' +Flushing chain \`INPUT' +Flushing chain \`FORWARD' +Flushing chain \`OUTPUT' +Flushing chain \`secfoo' +Deleting chain \`secfoo'" + +EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' <<< "$EXPECT") + +diff -u -Z <(echo "$EXPECT") <($XT_MULTI iptables-restore -v <<< "$DUMP") +diff -u -Z <(echo "$EXPECT6") <($XT_MULTI ip6tables-restore -v <<< "$DUMP") + +DUMP="*filter +:baz - [0:0] +-F foo +-X bar +-A foo -j ACCEPT +COMMIT +" + +EXPECT="" +for ipt in iptables-restore ip6tables-restore; do + diff -u -Z <(echo -ne "$EXPECT") <($XT_MULTI $ipt -v --noflush <<< "$DUMP") +done diff --git a/iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0 b/iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0 new file mode 100755 index 00000000..aa746ab4 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0 @@ -0,0 +1,67 @@ +#!/bin/bash + +# test for iptables-restore --noflush skipping an explicitly requested chain +# flush because the chain did not exist when cache was fetched. In order to +# expect for that chain to appear when refreshing the transaction (due to a +# concurrent ruleset change), the chain flush job has to be present in batch +# job list (although disabled at first). +# The input line requesting chain flush is ':FOO - [0:0]'. RS1 and RS2 contents +# are crafted to cause EBUSY when deleting the BAR* chains if FOO is not +# flushed in the same transaction. + +set -e + +RS="*filter +:INPUT ACCEPT [12024:3123388] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [12840:2144421] +:FOO - [0:0] +:BAR0 - [0:0] +:BAR1 - [0:0] +:BAR2 - [0:0] +:BAR3 - [0:0] +:BAR4 - [0:0] +:BAR5 - [0:0] +:BAR6 - [0:0] +:BAR7 - [0:0] +:BAR8 - [0:0] +:BAR9 - [0:0] +" + +RS1="$RS +-X BAR3 +-X BAR6 +-X BAR9 +-A FOO -s 9.9.0.1/32 -j BAR1 +-A FOO -s 9.9.0.2/32 -j BAR2 +-A FOO -s 9.9.0.4/32 -j BAR4 +-A FOO -s 9.9.0.5/32 -j BAR5 +-A FOO -s 9.9.0.7/32 -j BAR7 +-A FOO -s 9.9.0.8/32 -j BAR8 +COMMIT +" + +RS2="$RS +-X BAR2 +-X BAR5 +-X BAR7 +-A FOO -s 9.9.0.1/32 -j BAR1 +-A FOO -s 9.9.0.3/32 -j BAR3 +-A FOO -s 9.9.0.4/32 -j BAR4 +-A FOO -s 9.9.0.6/32 -j BAR6 +-A FOO -s 9.9.0.8/32 -j BAR8 +-A FOO -s 9.9.0.9/32 -j BAR9 +COMMIT +" + +NORS="*filter +COMMIT +" + +for n in $(seq 1 10); do + $XT_MULTI iptables-restore <<< "$NORS" + $XT_MULTI iptables-restore --noflush -w <<< "$RS1" & + $XT_MULTI iptables-restore --noflush -w <<< "$RS2" & + wait -n + wait -n +done diff --git a/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 b/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 new file mode 100755 index 00000000..cf73de32 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0 @@ -0,0 +1,25 @@ +#!/bin/bash + +# A bug in extension registration would leave unsupported older extension +# revisions in pending list and get compatibility checked again for each rule +# using them. With SELinux enabled, the resulting socket() call per rule leads +# to significant slowdown (~50% performance in worst cases). + +set -e + +strace --version >/dev/null || { echo "skip for missing strace"; exit 0; } + +RULESET="$( + echo "*filter" + for ((i = 0; i < 100; i++)); do + echo "-A FORWARD -m conntrack --ctstate NEW" + done + echo "COMMIT" +)" + +cmd="$XT_MULTI iptables-restore" +socketcount=$(strace -esocket $cmd <<< "$RULESET" 2>&1 | wc -l) + +# unpatched iptables-restore would open 111 sockets, +# patched only 12 but keep a certain margin for future changes +[[ $socketcount -lt 20 ]] diff --git a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 index 4e0be51c..48f5f7b4 100755 --- a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 +++ b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 @@ -39,6 +39,7 @@ do_simple() $XT_MULTI ${iptables}-restore < "$dumpfile" $XT_MULTI ${iptables}-save | grep -v "^#" > "$tmpfile" + sed -i -e 's/-p 47 /-p gre /' "$tmpfile" do_diff $dumpfile "$tmpfile" if [ $? -ne 0 ]; then # cp "$tmpfile" "$dumpfile.got" diff --git a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 index 50c0cae8..bcfaad36 100755 --- a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 +++ b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 @@ -1,13 +1,5 @@ #!/bin/bash -case "$(basename $XT_MULTI)" in - xtables-legacy-multi) - ;; - *) - echo "skip $XT_MULTI" - exit 0 - ;; -esac - dump=$(dirname $0)/dumps/fedora27-iptables diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump) +diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml -c <$dump) diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 new file mode 100755 index 00000000..b86d71f2 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 @@ -0,0 +1,37 @@ +#!/bin/bash + +# Test recent performance improvements in iptables-save due to reduced +# overhead. + +strace --version >/dev/null || { echo "skip for missing strace"; exit 0; } + +RULESET=$( + echo "*filter" + for ((i = 0; i < 100; i++)); do + echo ":mychain$i -" + echo "-A FORWARD -p tcp --dport 22 -j mychain$i" + done + echo "COMMIT" +) + +RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null) +SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null) + +do_grep() { # (name, threshold, pattern) + local cnt=$(grep -c "$3") + [[ $cnt -le $2 ]] && return 0 + echo "ERROR: Too many $3 lookups for $1: $cnt > $2" + exit 1 +} + +# iptables prefers hard-coded protocol names instead of looking them up first + +do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE" +do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE" + +# iptables-nft-save pointlessly checked whether chain jumps are targets + +do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE" +do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE" + +exit 0 diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt b/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt index bfb6bdda..6e42de78 100644 --- a/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt +++ b/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt @@ -40,8 +40,8 @@ -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT -A OUTPUT -o wlan0 -j wlanout -A OUTPUT -j block --A WLAN -s 192.168.200.4/32 -m mac --mac-source 00:00:F1:05:A0:E0 -j RETURN --A WLAN -s 192.168.200.9/32 -m mac --mac-source 00:00:F1:05:99:85 -j RETURN +-A WLAN -s 192.168.200.4/32 -m mac --mac-source 00:00:f1:05:a0:e0 -j RETURN +-A WLAN -s 192.168.200.9/32 -m mac --mac-source 00:00:f1:05:99:85 -j RETURN -A WLAN -m limit --limit 12/min -j LOG --log-prefix "UNKNOWN WLAN dropped:" -A WLAN -j DROP -A accept_log -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "TCPConnect on ppp0:" diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 index b1ef91f6..5d2af4c8 100755 --- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 +++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 @@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar) diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar) diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar) + +# make sure non-verbose mode is silent +diff -u <(echo -n "") <( + $XT_MULTI iptables -N foobar + $XT_MULTI iptables -A foobar $RULE1 + $XT_MULTI iptables -A foobar $RULE2 + $XT_MULTI iptables -C foobar $RULE1 + $XT_MULTI iptables -D foobar $RULE2 + $XT_MULTI iptables -F foobar + $XT_MULTI iptables -X foobar +) diff --git a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 b/iptables/tests/shell/testcases/iptables/0003-list-rules_0 index d335d442..d07bd151 100755 --- a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 +++ b/iptables/tests/shell/testcases/iptables/0003-list-rules_0 @@ -3,7 +3,7 @@ set -e $XT_MULTI iptables -N foo -$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT +$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 $XT_MULTI iptables -A FORWARD -i eth42 -o eth23 -g foo $XT_MULTI iptables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT @@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 -P FORWARD ACCEPT -c 0 0 -P OUTPUT ACCEPT -c 0 0 -N foo --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S) @@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S FORWARD) EXPECT='-P FORWARD ACCEPT -c 0 0 --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S FORWARD) diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 index ce02e0bc..234f3040 100755 --- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 +++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 @@ -13,69 +13,85 @@ cmd() { # (rc, msg, cmd, [args ...]) msg_exp="$1"; shift } - msg="$($XT_MULTI "$@" 2>&1 >/dev/null)" - rc=$? + for ipt in iptables ip6tables; do + msg="$($XT_MULTI $ipt "$@" 2>&1 >/dev/null)" + rc=$? - [ $rc -eq $rc_exp ] || { - echo "---> expected return code $rc_exp, got $rc for command '$@'" - global_rc=1 - } + [ $rc -eq $rc_exp ] || { + echo "---> expected return code $rc_exp, got $rc for command '$ipt $@'" + global_rc=1 + } - [ -n "$msg_exp" ] || return - grep -q "$msg_exp" <<< $msg || { - echo "---> expected error message '$msg_exp', got '$msg' for command '$@'" - global_rc=1 - } + [ -n "$msg_exp" ] || continue + msg_exp_full="${ipt}$msg_exp" + grep -q "$msg_exp_full" <<< $msg || { + echo "---> expected error message '$msg_exp_full', got '$msg' for command '$ipt $@'" + global_rc=1 + } + done } -EEXIST_F="File exists." -EEXIST="Chain already exists." -ENOENT="No chain/target/match by that name." -E2BIG_I="Index of insertion too big." -E2BIG_D="Index of deletion too big." -E2BIG_R="Index of replacement too big." -EBADRULE="Bad rule (does a matching rule exist in that chain?)." -ENOTGT="Couldn't load target \`foobar':No such file or directory" -ENOMTH="Couldn't load match \`foobar':No such file or directory" -ENOTBL="can't initialize iptables table \`foobar': Table does not exist" +EEXIST_F=": File exists." +EEXIST=": Chain already exists." +ENOENT=": No chain/target/match by that name." +E2BIG_I=": Index of insertion too big." +E2BIG_D=": Index of deletion too big." +E2BIG_R=": Index of replacement too big." +EBADRULE=": Bad rule (does a matching rule exist in that chain?)." +#ENOTGT=" v[0-9\.]* [^ ]*: Couldn't load target \`foobar':No such file or directory" +ENOMTH=" v[0-9\.]* [^ ]*: Couldn't \(load\|find\) match \`foobar'\(:No such file or directory\|\)" +ENOTBL=": can't initialize iptables table \`foobar': Table does not exist" # test chain creation -cmd 0 iptables -N foo -cmd 1 "$EEXIST" iptables -N foo +cmd 0 -N foo +cmd 1 "$EEXIST" -N foo # iptables-nft allows this - bug or feature? -#cmd 2 iptables -N "invalid name" +#cmd 2 -N "invalid name" # test chain flushing/zeroing -cmd 0 iptables -F foo -cmd 0 iptables -Z foo -cmd 1 "$ENOENT" iptables -F bar -cmd 1 "$ENOENT" iptables -Z bar +cmd 0 -F foo +cmd 0 -Z foo +cmd 1 "$ENOENT" -F bar +cmd 1 "$ENOENT" -Z bar # test chain rename -cmd 0 iptables -E foo bar -cmd 1 "$EEXIST_F" iptables -E foo bar +cmd 0 -E foo bar +cmd 1 "$EEXIST_F" -E foo bar +cmd 1 "$ENOENT" -E foo bar2 +cmd 1 "$ENOENT" -L foo +cmd 0 -N foo2 +cmd 1 "$EEXIST_F" -E foo2 bar # test rule adding -cmd 0 iptables -A INPUT -j ACCEPT -cmd 1 "$ENOENT" iptables -A noexist -j ACCEPT +cmd 0 -A INPUT -j ACCEPT +cmd 1 "$ENOENT" -A noexist -j ACCEPT +# next three differ: +# legacy: Couldn't load target `foobar':No such file or directory +# nft: Chain 'foobar' does not exist +cmd 2 "" -I INPUT -j foobar +cmd 2 "" -R INPUT 1 -j foobar +cmd 2 "" -D INPUT -j foobar +cmd 1 "$EBADRULE" -D INPUT -p tcp --dport 22 -j ACCEPT # test rulenum commands -cmd 1 "$E2BIG_I" iptables -I INPUT 23 -j ACCEPT -cmd 1 "$E2BIG_D" iptables -D INPUT 23 -cmd 1 "$E2BIG_R" iptables -R INPUT 23 -j ACCEPT -cmd 1 "$ENOENT" iptables -I nonexist 23 -j ACCEPT -cmd 1 "$ENOENT" iptables -D nonexist 23 -cmd 1 "$ENOENT" iptables -R nonexist 23 -j ACCEPT +cmd 1 "$E2BIG_I" -I INPUT 23 -j ACCEPT +cmd 1 "$E2BIG_D" -D INPUT 23 +cmd 1 "$E2BIG_R" -R INPUT 23 -j ACCEPT +cmd 1 "$ENOENT" -I nonexist 23 -j ACCEPT +cmd 1 "$ENOENT" -D nonexist 23 +cmd 1 "$ENOENT" -R nonexist 23 -j ACCEPT # test rule checking -cmd 0 iptables -C INPUT -j ACCEPT -cmd 1 "$EBADRULE" iptables -C FORWARD -j ACCEPT -cmd 1 "$BADRULE" iptables -C nonexist -j ACCEPT -cmd 2 "$ENOMTH" iptables -C INPUT -m foobar -j ACCEPT +cmd 0 -C INPUT -j ACCEPT +cmd 1 "$EBADRULE" -C FORWARD -j ACCEPT +cmd 1 "$BADRULE" -C nonexist -j ACCEPT +cmd 2 "$ENOMTH" -C INPUT -m foobar -j ACCEPT # messages of those don't match, but iptables-nft ones are actually nicer. -#cmd 2 "$ENOTGT" iptables -C INPUT -j foobar -#cmd 3 "$ENOTBL" iptables -t foobar -C INPUT -j ACCEPT -cmd 2 "" iptables -C INPUT -j foobar -cmd 3 "" iptables -t foobar -C INPUT -j ACCEPT +# legacy: Couldn't load target `foobar':No such file or directory +# nft: Chain 'foobar' does not exist +cmd 2 "" -C INPUT -j foobar +# legacy: can't initialize ip6tables table `foobar': Table does not exist (do you need to insmod?) +# nft: table 'foobar' does not exist +cmd 3 "" -t foobar -C INPUT -j ACCEPT exit $global_rc diff --git a/iptables/tests/shell/testcases/iptables/0006-46-args_0 b/iptables/tests/shell/testcases/iptables/0006-46-args_0 new file mode 100755 index 00000000..17a0a018 --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0006-46-args_0 @@ -0,0 +1,88 @@ +#!/bin/bash + +RC=0 + +$XT_MULTI iptables -6 -A FORWARD -j ACCEPT +rc=$? +if [[ $rc -ne 2 ]]; then + echo "'iptables -6' returned $rc instead of 2" + RC=1 +fi + +$XT_MULTI ip6tables -4 -A FORWARD -j ACCEPT +rc=$? +if [[ $rc -ne 2 ]]; then + echo "'ip6tables -4' returned $rc instead of 2" + RC=1 +fi + +RULESET='*filter +-4 -A FORWARD -d 10.0.0.1 -j ACCEPT +-6 -A FORWARD -d fec0:10::1 -j ACCEPT +COMMIT +' +EXPECT4='-P FORWARD ACCEPT +-A FORWARD -d 10.0.0.1/32 -j ACCEPT' +EXPECT6='-P FORWARD ACCEPT +-A FORWARD -d fec0:10::1/128 -j ACCEPT' +EXPECT_EMPTY='-P FORWARD ACCEPT' + +echo "$RULESET" | $XT_MULTI iptables-restore || { + echo "iptables-restore failed!" + RC=1 +} +diff -u -Z <(echo -e "$EXPECT4") <($XT_MULTI iptables -S FORWARD) || { + echo "unexpected iptables ruleset" + RC=1 +} +diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI ip6tables -S FORWARD) || { + echo "unexpected non-empty ip6tables ruleset" + RC=1 +} + +$XT_MULTI iptables -F FORWARD + +echo "$RULESET" | $XT_MULTI ip6tables-restore || { + echo "ip6tables-restore failed!" + RC=1 +} +diff -u -Z <(echo -e "$EXPECT6") <($XT_MULTI ip6tables -S FORWARD) || { + echo "unexpected ip6tables ruleset" + RC=1 +} +diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI iptables -S FORWARD) || { + echo "unexpected non-empty iptables ruleset" + RC=1 +} + +$XT_MULTI ip6tables -F FORWARD + +$XT_MULTI iptables -4 -A FORWARD -d 10.0.0.1 -j ACCEPT || { + echo "iptables failed!" + RC=1 +} +diff -u -Z <(echo -e "$EXPECT4") <($XT_MULTI iptables -S FORWARD) || { + echo "unexpected iptables ruleset" + RC=1 +} +diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI ip6tables -S FORWARD) || { + echo "unexpected non-empty ip6tables ruleset" + RC=1 +} + +$XT_MULTI iptables -F FORWARD + +$XT_MULTI ip6tables -6 -A FORWARD -d fec0:10::1 -j ACCEPT || { + echo "ip6tables failed!" + RC=1 +} +diff -u -Z <(echo -e "$EXPECT6") <($XT_MULTI ip6tables -S FORWARD) || { + echo "unexpected ip6tables ruleset" + RC=1 +} +diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI iptables -S FORWARD) || { + echo "unexpected non-empty iptables ruleset" + RC=1 +} + +exit $RC diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 new file mode 100755 index 00000000..21793472 --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 @@ -0,0 +1,79 @@ +#!/bin/bash + +RC=0 +COUNTR=$RANDOM$RANDOM + +$XT_MULTI iptables-restore -c <<EOF +*filter +:INPUT ACCEPT [1:23] +:FOO - [0:0] +[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR" +[22:123] -A FOO -m comment --comment one +[44:123] -A FOO -m comment --comment two +[66:123] -A FOO -m comment --comment three +COMMIT +EOF +EXPECT="*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:FOO - [0:0] +[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR" +[0:0] -A FOO -m comment --comment one +[0:0] -A FOO -m comment --comment two +[0:0] -A FOO -m comment --comment three +COMMIT" + +COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") +if [ $COUNTER != "[12:345]" ]; then + echo "Counter $COUNTER is wrong, expected 12:345" + RC=1 +fi + +$XT_MULTI iptables -Z FOO 2 +COUNTER=$($XT_MULTI iptables-save -c | grep "comment two"| cut -f 1 -d " ") +if [ $COUNTER != "[0:0]" ]; then + echo "Counter $COUNTER is wrong, should have been zeroed" + RC=1 +fi +COUNTER=$($XT_MULTI iptables-save -c | grep "comment three"| cut -f 1 -d " ") +if [ $COUNTER != "[66:123]" ]; then + echo "Counter $COUNTER is wrong, should not have been zeroed" + RC=1 +fi + +$XT_MULTI iptables -Z FOO +COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") +if [ $COUNTER = "[0:0]" ]; then + echo "Counter $COUNTER is wrong, should not have been zeroed" + RC=1 +fi + +for c in one two; do + COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ") + if [ $COUNTER != "[0:0]" ]; then + echo "Counter $COUNTER is wrong, should have been zeroed at rule $c" + RC=1 + fi +done + +$XT_MULTI iptables -Z +COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") + +if [ $COUNTER != "[0:0]" ]; then + echo "Counter $COUNTER is wrong, expected 0:0 after -Z" + RC=1 +fi + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#') +if [ $? -ne 0 ]; then + echo "Diff error: counters were not zeroed" + RC=1 +fi + +$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR" +$XT_MULTI iptables -D FOO -m comment --comment one +$XT_MULTI iptables -D FOO -m comment --comment two +$XT_MULTI iptables -D FOO -m comment --comment three +$XT_MULTI iptables -X FOO +exit $RC diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 new file mode 100755 index 00000000..983531fe --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 @@ -0,0 +1,66 @@ +#!/bin/bash + +# iptables may print match/target specific help texts +# help output should work for unprivileged users + +run() { + echo "running: $*" >&2 + runuser -u nobody -- "$@" +} + +grep_or_rc() { + declare -g rc + grep -q "$*" && return 0 + echo "missing in output: $*" >&2 + return 1 +} + +out=$(run $XT_MULTI iptables --help) +let "rc+=$?" +grep_or_rc "iptables -h (print this help information)" <<< "$out" +let "rc+=$?" + +out=$(run $XT_MULTI iptables -m limit --help) +let "rc+=$?" +grep_or_rc "limit match options:" <<< "$out" +let "rc+=$?" + +out=$(run $XT_MULTI iptables -p tcp --help) +let "rc+=$?" +grep_or_rc "tcp match options:" <<< "$out" +let "rc+=$?" + +out=$(run $XT_MULTI iptables -j DNAT --help) +let "rc+=$?" +grep_or_rc "DNAT target options:" <<< "$out" +let "rc+=$?" + +# TEE has no revision 0 +out=$(run $XT_MULTI iptables -j TEE --help) +let "rc+=$?" +grep_or_rc "TEE target options:" <<< "$out" +let "rc+=$?" + +out=$(run $XT_MULTI iptables -p tcp -j DNAT --help) +let "rc+=$?" +grep_or_rc "tcp match options:" <<< "$out" +let "rc+=$?" +out=$(run $XT_MULTI iptables -p tcp -j DNAT --help) +let "rc+=$?" +grep_or_rc "DNAT target options:" <<< "$out" +let "rc+=$?" + + +run $XT_MULTI iptables -L 2>&1 | \ + grep_or_rc "Permission denied" +let "rc+=$?" + +run $XT_MULTI iptables -A FORWARD -p tcp --dport 123 2>&1 | \ + grep_or_rc "Permission denied" +let "rc+=$?" + +run $XT_MULTI iptables -A FORWARD -j DNAT --to-destination 1.2.3.4 2>&1 | \ + grep_or_rc "Permission denied" +let "rc+=$?" + +exit $rc diff --git a/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 new file mode 100755 index 00000000..ac6e7439 --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 @@ -0,0 +1,31 @@ +#!/bin/bash + +rc=0 + +check() { + local cmd="$1" + local msg="$2" + + $XT_MULTI $cmd 2>&1 | grep -q "$msg" || { + echo "cmd: $XT_MULTI $1" + echo "exp: $msg" + echo "res: $($XT_MULTI $cmd 2>&1)" + rc=1 + } +} + +cmds="iptables ip6tables" +[[ $XT_MULTI == *xtables-nft-multi ]] && { + cmds+=" ebtables" + cmds+=" iptables-translate" + cmds+=" ip6tables-translate" + cmds+=" ebtables-translate" +} + +for cmd in $cmds; do + check "${cmd} --foo" 'unknown option "--foo"' + check "${cmd} -A" 'option "-A" requires an argument' + check "${cmd} -aL" 'unknown option "-a"' +done + +exit $rc diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0 new file mode 100755 index 00000000..4481f966 --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0010-wait_0 @@ -0,0 +1,55 @@ +#!/bin/bash + +case "$XT_MULTI" in +*xtables-legacy-multi) + ;; +*) + echo skip $XT_MULTI + exit 0 + ;; +esac + +coproc RESTORE { $XT_MULTI iptables-restore; } +echo "*filter" >&${RESTORE[1]} + + +$XT_MULTI iptables -A FORWARD -j ACCEPT & +ipt_pid=$! + +waitpid -t 1 $ipt_pid +[[ $? -eq 3 ]] && { + echo "process waits when it should not" + exit 1 +} +wait $ipt_pid +[[ $? -eq 0 ]] && { + echo "process exited 0 despite busy lock" + exit 1 +} + +t0=$(date +%s) +$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT +t1=$(date +%s) +[[ $((t1 - t0)) -ge 3 ]] || { + echo "wait time not expired" + exit 1 +} + +$XT_MULTI iptables -w -A FORWARD -j ACCEPT & +ipt_pid=$! + +waitpid -t 3 $ipt_pid +[[ $? -eq 3 ]] || { + echo "no indefinite wait" + exit 1 +} +kill $ipt_pid +waitpid -t 3 $ipt_pid +[[ $? -eq 3 ]] && { + echo "killed waiting iptables call did not exit in time" + exit 1 +} + +kill $RESTORE_PID +wait +exit 0 diff --git a/iptables/tests/shell/testcases/nft-only/0001compat_0 b/iptables/tests/shell/testcases/nft-only/0001compat_0 index 4319ea5a..a617c52f 100755 --- a/iptables/tests/shell/testcases/nft-only/0001compat_0 +++ b/iptables/tests/shell/testcases/nft-only/0001compat_0 @@ -5,17 +5,18 @@ # xtables: avoid bogus 'is incompatible' warning case "$XT_MULTI" in -*/xtables-nft-multi) - nft -v >/dev/null || exit 0 - nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1 - nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1 - - $XT_MULTI iptables -L -t filter || exit 1 - $XT_MULTI ip6tables -L -t filter || exit 1 +*xtables-nft-multi) ;; *) echo skip $XT_MULTI + exit 0 ;; esac +nft -v >/dev/null || exit 0 +nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1 +nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1 + +$XT_MULTI iptables -L -t filter || exit 1 +$XT_MULTI ip6tables -L -t filter || exit 1 exit 0 diff --git a/iptables/tests/shell/testcases/nft-only/0002invflags_0 b/iptables/tests/shell/testcases/nft-only/0002invflags_0 index 406b6081..fe33874d 100755 --- a/iptables/tests/shell/testcases/nft-only/0002invflags_0 +++ b/iptables/tests/shell/testcases/nft-only/0002invflags_0 @@ -2,7 +2,7 @@ set -e -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } $XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT $XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT diff --git a/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 index 67af9fd8..ccb009e4 100755 --- a/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 +++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 @@ -2,7 +2,7 @@ set -e -[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } comment1="foo bar" comment2="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" diff --git a/iptables/tests/shell/testcases/nft-only/0006-policy-override_0 b/iptables/tests/shell/testcases/nft-only/0006-policy-override_0 new file mode 100755 index 00000000..68e2019b --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0006-policy-override_0 @@ -0,0 +1,29 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +# make sure none of the commands invoking nft_xt_builtin_init() override +# non-default chain policies via needless chain add. + +RC=0 + +do_test() { + $XT_MULTI $@ + $XT_MULTI iptables -S | grep -q -- '-P FORWARD DROP' && return + + echo "command '$@' kills chain policies" + $XT_MULTI iptables -P FORWARD DROP + RC=1 +} + +$XT_MULTI iptables -P FORWARD DROP + +do_test iptables -A OUTPUT -j ACCEPT +do_test iptables -F +do_test iptables -N foo +do_test iptables -E foo foo2 +do_test iptables -I OUTPUT -j ACCEPT +do_test iptables -nL +do_test iptables -S + +exit $RC diff --git a/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 b/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 new file mode 100755 index 00000000..981f007f --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 @@ -0,0 +1,23 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +nft -v >/dev/null || { echo "skip $XT_MULTI (no nft)"; exit 0; } + +coproc $XT_MULTI iptables-restore --noflush + +cat >&"${COPROC[1]}" <<EOF +*filter +:foo [0:0] +COMMIT +*filter +:foo [0:0] +EOF + +sleep 1 +$XT_MULTI iptables-save | grep -q ':foo' || exit 1 +nft flush ruleset + +echo "COMMIT" >&"${COPROC[1]}" +# close the pipe to make iptables-restore exit if it didn't error out yet +eval "exec ${COPROC[1]}>&-" +wait $COPROC_PID diff --git a/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0 b/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0 new file mode 100755 index 00000000..a81e9bad --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0 @@ -0,0 +1,29 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +set -e + +$XT_MULTI iptables -t raw -P OUTPUT DROP + +# make sure iptables-nft-restore can correctly handle basechain policies when +# they aren't set with --noflush +# +$XT_MULTI iptables-restore --noflush <<EOF +*raw +:OUTPUT - [0:0] +:PREROUTING - [0:0] +:neutron-linuxbri-OUTPUT - [0:0] +:neutron-linuxbri-PREROUTING - [0:0] +-I OUTPUT 1 -j neutron-linuxbri-OUTPUT +-I PREROUTING 1 -j neutron-linuxbri-PREROUTING +-I neutron-linuxbri-PREROUTING 1 -m physdev --physdev-in brq7425e328-56 -j CT --zone 4097 +-I neutron-linuxbri-PREROUTING 2 -i brq7425e328-56 -j CT --zone 4097 +-I neutron-linuxbri-PREROUTING 3 -m physdev --physdev-in tap7f101a28-1d -j CT --zone 4097 + +COMMIT +EOF + +$XT_MULTI iptables-save | grep -C2 raw | grep OUTPUT | grep DROP +if [ $? -ne 0 ]; then + exit 1 +fi diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 new file mode 100755 index 00000000..34802cc2 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 @@ -0,0 +1,346 @@ +#!/bin/bash -x + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +set -e + +nft flush ruleset + +( + echo "*filter" + for plen in "" 32 30 24 16 8 0; do + addr="10.1.2.3${plen:+/}$plen" + echo "-A OUTPUT -d $addr" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore + +( + echo "*filter" + for plen in "" 128 124 120 112 88 80 64 48 16 8 0; do + addr="feed:c0ff:ee00:0102:0304:0506:0708:090A${plen:+/}$plen" + echo "-A OUTPUT -d $addr" + done + echo "COMMIT" +) | $XT_MULTI ip6tables-restore + +masks=" +ff:ff:ff:ff:ff:ff +ff:ff:ff:ff:ff:f0 +ff:ff:ff:ff:ff:00 +ff:ff:ff:ff:00:00 +ff:ff:ff:00:00:00 +ff:ff:00:00:00:00 +ff:00:00:00:00:00 +" +( + echo "*filter" + for plen in "" 32 30 24 16 8 0; do + addr="10.1.2.3${plen:+/}$plen" + echo "-A OUTPUT -d $addr" + done + for mask in $masks; do + echo "-A OUTPUT --destination-mac fe:ed:00:c0:ff:ee/$mask" + done + echo "COMMIT" +) | $XT_MULTI arptables-restore + +( + echo "*filter" + for mask in $masks; do + echo "-A OUTPUT -d fe:ed:00:c0:ff:ee/$mask" + done + echo "COMMIT" +) | $XT_MULTI ebtables-restore + +EXPECT="ip filter OUTPUT 4 + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0302010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 5 4 + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0302010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 6 5 + [ payload load 4b @ network header + 16 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xfcffffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0002010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 7 6 + [ payload load 3b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0002010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 8 7 + [ payload load 2b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0000010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 9 8 + [ payload load 1b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 10 9 + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 4 + [ payload load 16b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 5 4 + [ payload load 16b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 6 5 + [ payload load 16b @ network header + 24 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xffffffff 0xffffffff 0xf0ffffff ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 7 6 + [ payload load 15b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 8 7 + [ payload load 14b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00000807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 9 8 + [ payload load 11b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00050403 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 10 9 + [ payload load 10b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00000403 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 11 10 + [ payload load 8b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 12 11 + [ payload load 6b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x000000ee ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 13 12 + [ payload load 2b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 14 13 + [ payload load 1b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x000000fe ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 15 14 + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 3 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 4b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0302010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 4 3 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 4b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0302010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 5 4 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 4b @ network header + 24 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xfcffffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0002010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 6 5 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 3b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0002010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 7 6 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 2b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0000010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 8 7 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 1b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 9 8 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 10 9 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 6b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0xc000edfe 0x0000eeff ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 11 10 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 6b @ network header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ] + [ cmp eq reg 1 0xc000edfe 0x0000e0ff ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 12 11 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 5b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0xc000edfe 0x000000ff ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 13 12 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 4b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0xc000edfe ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 14 13 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 3b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 15 14 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 2b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 16 15 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 1b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0x000000fe ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 4 + [ payload load 6b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0xc000edfe 0x0000eeff ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 5 4 + [ payload load 6b @ link header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ] + [ cmp eq reg 1 0xc000edfe 0x0000e0ff ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 6 5 + [ payload load 5b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0xc000edfe 0x000000ff ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 7 6 + [ payload load 4b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0xc000edfe ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 8 7 + [ payload load 3b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 9 8 + [ payload load 2b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 10 9 + [ payload load 1b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0x000000fe ] + [ counter pkts 0 bytes 0 ] +" + +# print nothing but: +# - lines with bytecode (starting with ' [') +# - empty lines (so printed diff is not a complete mess) +filter() { + awk '/^table /{exit} /^( \[|$)/{print}' +} + +diff -u -Z <(filter <<< "$EXPECT") <(nft --debug=netlink list ruleset | filter) diff --git a/iptables/tests/shell/testcases/nft-only/0010-iptables-nft-save.txt b/iptables/tests/shell/testcases/nft-only/0010-iptables-nft-save.txt new file mode 100644 index 00000000..5ee4c231 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0010-iptables-nft-save.txt @@ -0,0 +1,26 @@ +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 23 -j ACCEPT +-A INPUT -s 1.2.3.0/24 -d 0.0.0.0/32 -p udp -m udp --dport 67:69 -j DROP +-A INPUT -s 1.0.0.0/8 -d 0.0.0.0/32 -p tcp -m tcp --sport 1024:65535 --dport 443 --tcp-flags SYN,ACK SYN -j ACCEPT +-A INPUT -p tcp -m tcp --dport 443 ! --tcp-flags SYN NONE -m comment --comment "checks if SYN bit is set" +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "same as iptables --syn" +-A INPUT -p tcp -m tcp --tcp-flags SYN SYN +-A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK SYN,ACK +-A INPUT -d 0.0.0.0/1 -m ttl --ttl-eq 1 -j DROP +-A INPUT -d 0.0.0.0/2 -m ttl --ttl-gt 2 -j ACCEPT +-A INPUT -d 0.0.0.0/3 -m ttl --ttl-lt 254 -j ACCEPT +-A INPUT -d 0.0.0.0/4 -m ttl ! --ttl-eq 255 -j DROP +-A INPUT -d 8.0.0.0/5 -p icmp -m icmp --icmp-type 1 -j ACCEPT +-A INPUT -d 8.0.0.0/6 -p icmp -m icmp --icmp-type 2/3 -j ACCEPT +-A INPUT -d 10.0.0.0/7 -p icmp -m icmp --icmp-type 8 -j ACCEPT +-A INPUT -m pkttype --pkt-type broadcast -j ACCEPT +-A INPUT -m pkttype ! --pkt-type unicast -j DROP +-A INPUT -p tcp +-A INPUT -d 0.0.0.0/1 -p udp +-A FORWARD -m limit --limit 10/day +-A FORWARD -p udp -m udp --dport 42 +-A FORWARD -i lo -o lo+ -j NFLOG --nflog-prefix "should use NFLOG" --nflog-group 1 --nflog-size 123 --nflog-threshold 42 +COMMIT diff --git a/iptables/tests/shell/testcases/nft-only/0010-native-delinearize_0 b/iptables/tests/shell/testcases/nft-only/0010-native-delinearize_0 new file mode 100755 index 00000000..7859e76c --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0010-native-delinearize_0 @@ -0,0 +1,9 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +nft -v >/dev/null || exit 0 + +set -e + +unshare -n bash -c "nft -f $(dirname $0)/0010-nft-native.txt; + diff -u -Z $(dirname $0)/0010-iptables-nft-save.txt <($XT_MULTI iptables-save | grep -v '^#')" diff --git a/iptables/tests/shell/testcases/nft-only/0010-nft-native.txt b/iptables/tests/shell/testcases/nft-only/0010-nft-native.txt new file mode 100644 index 00000000..d37ce873 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0010-nft-native.txt @@ -0,0 +1,41 @@ +table ip filter { + chain INPUT { + type filter hook input priority filter; policy accept; + + ip saddr 1.2.3.4 tcp dport 23 accept + ip saddr 1.2.3.0/24 ip daddr 0.0.0.0 udp dport 67-69 drop + + ip saddr 1.0.0.0/8 ip daddr 0.0.0.0 tcp sport 1024-65535 tcp dport 443 tcp flags syn / syn,ack accept + tcp dport 443 tcp flags syn comment "checks if SYN bit is set" + tcp flags syn / syn,rst,ack,fin comment "same as iptables --syn" + tcp flags & syn == syn + tcp flags & (syn | ack) != (syn | ack ) + + ip daddr 0.0.0.0/1 ip ttl 1 drop + ip daddr 0.0.0.0/2 ip ttl > 2 accept + ip daddr 0.0.0.0/3 ip ttl < 254 accept + ip daddr 0.0.0.0/4 ip ttl != 255 drop + + ip daddr 8.0.0.0/5 icmp type 1 accept + ip daddr 8.0.0.0/6 icmp type 2 icmp code port-unreachable accept + ip daddr 10.0.0.0/7 icmp type echo-request accept + + meta pkttype broadcast accept + meta pkttype != host drop + + ip saddr 0.0.0.0/0 ip protocol tcp + ip daddr 0.0.0.0/1 ip protocol udp + } + + chain FORWARD { + type filter hook forward priority filter; + limit rate 10/day counter + udp dport 42 counter + + # FIXME: can't dissect plain syslog + # meta iif "lo" log prefix "just doing a log" level alert flags tcp sequence,options + + # iif, not iifname, and wildcard + meta iif "lo" oifname "lo*" log group 1 prefix "should use NFLOG" queue-threshold 42 snaplen 123 + } +} diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 new file mode 100755 index 00000000..e276a953 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 @@ -0,0 +1,12 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +set -e + +rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080" +for cmd in iptables ip6tables; do + $XT_MULTI $cmd -t mangle -A PREROUTING $rule + $XT_MULTI $cmd -t mangle -Z + $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}" +done |