| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Attempting to delete all chains if --delete-chain is called without
argument has unwanted side-effects especially legacy iptables users are
not aware of and won't expect:
* Non-default policies are ignored, a previously dropping firewall may
start accepting traffic.
* The kernel refuses to remove non-empty chains, causing program abort
even if no user-defined chain exists.
Fix this by requiring a rule cache in that situation and make builtin
chain deletion depend on its policy and number of rules. Since this may
change concurrently, check again when having to refresh the transaction.
Also, hide builtin chains from verbose output - their creation is
implicit, so treat their removal as implicit, too.
When deleting a specific chain, do not allow to skip the job though.
Otherwise deleting a builtin chain which is still in use will succeed
although not executed.
Fixes: 61e85e3192dea ("iptables-nft: allow removal of empty builtin chains")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With introduction of dedicated base-chain slots, a selection process was
established as no longer all base-chains ended in the same chain list
for later searching/checking but only the first one found for each hook
matching criteria is kept and the rest discarded.
A side-effect of the above is that table compatibility checking started
to omit consecutive base-chains, making iptables-nft less restrictive as
long as the expected base-chains were returned first from kernel when
populating the cache.
Make behaviour consistent and warn users about the possibly disturbing
chains found by:
* Run all base-chain checks from nft_is_chain_compatible() before
allowing a base-chain to occupy its slot.
* If an unfit base-chain was found (and discarded), flag the table's
cache as tainted and warn about it if the remaining ruleset is
otherwise compatible.
Since base-chains that remain in cache would pass
nft_is_chain_compatible() checking, remove that and reduce it to rule
inspection.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
On error, nft_cache_add_chain() frees the allocated nft_chain object
along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to
not free the nftnl_chain again in that case.
Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
1) README is added to run test suite.
2) Rename two test-case scripts to follow proper numerical order.
3) "echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line" command
should only used when verbose("-v") option is not there else instead of
clearing "[EXECUTING]" prompt it is clearing last prompt of the test file.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Need to prepend XT_MULTI, not XTABLES_MULTI.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add script to restore ipt-save files and compare it with save output.
This should be extended to cover as many rulesets as possible, so this
is only a start.
The test script is changed to pass XT_MULTI instead of
iptables/ip6tables.
This allows ip(6)tables/ebt/arp only test scripts and avoids running all scripts
multiple times for ip/ip6tables.
Current expected output:
I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK] ./iptables/tests/shell/testcases/chain/000newchain_0
I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: legacy results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK] ./iptables/tests/shell/testcases/chain/0004newchain_0
I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: nft results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: combined results: [OK] 20 [FAILED] 0 [TOTAL] 20
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While at it, make following changes/fixes:
1. run each test in a fresh net namespace
2. remove rmmod use, its very distuptive and not needed after 1.
3. avoid -e use if possible
4. make sure we exit 0 when test is expected to fail
5. set XT_LIBDIR so we point at the correct extensions to be used
Also delete 0003duplicate_1, its same test as 0001duplicate_1.
NB: I don't think its good to have this 'encode retval in name' scheme.
These are scripts, so they should always return 0, i.e. do
iptables --this-command-should-fail || exit 0
echo "succeess, should fail"
exit 1
Much simpler, imo. This was inherited from nft shell tests
though and changing it there is rather intrusive so use same scheme for
now.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
set -e causes 2nd command (which is expected to fail)
to terminate the script as well.
So, don't set -e and let the error check invert the return
value to 0.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
To run the test suite (as root):
% cd iptables/tests/shell
% ./run-tests.sh
Test files are executables files with the pattern <<name_N>> , where
N is the expected return code of the executable. Since they are
located with `find', test-files can be spreaded in any sub-directories.
You can turn on a verbose execution by calling:
% ./run-tests.sh -v
Before each call to the test-files, `kernel_cleanup' will be called.
Also, test-files will receive the environment variable $IPTABLES which
contains the path to the iptables binary being tested.
You can pass an arbitrary $IPTABLES value as well:
% IPTABLES=/../../xtables-multi iptables ./run-tests.sh
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
