| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
When testing host binaries, XT_MULTI variable contains just the program
name without path component which most skip checks didn't expect. Fix
them, and while being at it also reduce indenting level in two scripts
by moving the skip check up front with an early exit call.
Fixes: 416898e335322 ("tests/shell: Support testing host binaries")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
Make eb- and arptables-save print both header and footer comments, too.
Also print them for each table separately - the timing information is
worth the extra lines in output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Legacy arptables separates counters from rest of rule by ' , '. Assuming
that scripts scraping 'arptables -vL' output match on this, make
arptables-nft output conformant.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
With arptables-nft output being in a very good state now, add a test to
ensure it stays that way.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Default values for --h-len and --h-type being printed for rules where
user didn't provide them is unexpected and confusing. The drawback is
the opposite: If user provided either of them with their default value,
they are later omitted when listing rules. Though since unlike legacy
arptables we can't distinguish between not specified and specified with
default value, we can't fix both - so choose to optimize for the more
likely case.
Fixes: 5aecb2d8bfdda ("arptables: pre-init hlen and ethertype")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy arptables-save (just like arptables itself) prints verdict as
first option, then matches and finally any target options.
To achieve this without introducing double/trailing spaces everywhere,
integrate target ('-j') option printing into
nft_arp_print_rule_details() and make it print separating whitespace
before each option.
In nft_arp_save_rule(), replace the call to save_matches_and_target() by
by a direct call to cs->target->save() since the former prints '-j'
option itself. Since there are no match extensions in arptables, any
other code from that function is not needed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy arptables parses mark values in hex no matter if prefixed with
'0x' or not. Sadly, this is not easily achievable with guided option
parser. Hence fall back to the old 'parse' callback. The introduced
target definition is valid only for revision 2, but that's consistent
with legacy arptables.
When printing, use --set-mark option instead of --set-xmark.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
forgot to squash this before pushing arptables fixes.
Fixes: 5aecb2d8bfd ("arptables: pre-init hlen and ethertype")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
to check -s 1.2.3.4, we need to add the size of the hardware address
to the arp header to obtain the offset where the ipv4 address begins:
base_arphdr
HW_ADDR
IP_ADDR (src)
IP_ADDR (target)
In arptables-classic, the kernel will add dev->addr_len to the
arp header base address to obtain the correct location, but we cannot
do this in nf_tables, at least not at this time (we need a fixed offset
value).
code does:
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ...
but if user did not provide "--h-length 6" argument, then this won't
work even for ethernet, as the payload expression will be told to load
the first 4 bytes of arp header source mac address (sender hw address).
Fix this by pre-initialising arhlen to 6.
We also need to set up arhrd. Otherwise, src/dst mac can't be used:
arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66
arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT
This means that matching won't work for AX25, NETROM etc, however,
arptables "classic" can't parse non-ethernet addresses, and makes
ETH_ALEN assumptions in several spots, so this should be fine from
compatibility point of view.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In an attempt to sanitize shell scripting, exit test in recent testcases
was altered, which led to them being skipped even in nft test runs. Drop
the quotes so that globbing happens again.
While here, improve the check a bit to glob only on leading path part,
not also the file name. Also print "skip ..." just like
nft-only/0001compat_0 testcase does.
Fixes: f1d8508fd6fdc ("tests: Add arptables-{save,restore} testcases")
Fixes: fbf0bf7c079d8 ("tests: Add ebtables-{save,restore} testcases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
This actually does a bit more since it creates the ruleset using
separate arptables calls.
Note that there are a few commented out lines containing commands which
don't apply for unknown reasons - something to investigate later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|