path: root/iptables/tests/shell/testcases/ipt-restore
Commit message (Collapse)AuthorAgeFilesLines
* tests: shell: Fix syntax in ipt-restore/0010-noflush-new-chain_0Phil Sutter2020-05-291-0/+1
| | | | | | | | The here-doc statement missed the final delimiter. Worked anyways because end-of-file would do the trick. Fixes: a103fbfadf4c1 ("xtables-restore: Fix parser feed from line buffer") Signed-off-by: Phil Sutter <>
* tests: shell: Add test for nfbz#1391Phil Sutter2020-04-281-0/+7
| | | | | | | | Problem is fixed since commit c550c81fd373e ("nft: cache: Fix nft_release_cache() under stress"), looks like another case of use-after-free. Signed-off-by: Phil Sutter <>
* tests: shell: Test -F in dump filesPhil Sutter2020-04-231-0/+12
| | | | | | | While not really useful, iptables-nft-restore shouldn't segfault either. This tests the problem described in nfbz#1407. Signed-off-by: Phil Sutter <>
* tests: shell: Extend ipt-restore/0004-restore-race_0Phil Sutter2020-04-231-3/+2
| | | | | | | | | Add a second table to dump/restore. This triggers failures after reverting c550c81fd373e ("nft: cache: Fix nft_release_cache() under stress"), hence acts as a reproducer for the bug fixed by that commit as well. Signed-off-by: Phil Sutter <>
* tests: shell: Improve ipt-restore/0001load-specific-table_0 a bitPhil Sutter2020-04-231-1/+1
| | | | | | | | Instead of reading from stdin, pass dump file as regular parameter. This way dump file name occurs in 'bash -x' output which helps finding out where things fail. Signed-off-by: Phil Sutter <>
* tests: shell: Fix skip checks with --host modePhil Sutter2020-02-141-1/+1
| | | | | | | | | | When testing host binaries, XT_MULTI variable contains just the program name without path component which most skip checks didn't expect. Fix them, and while being at it also reduce indenting level in two scripts by moving the skip check up front with an early exit call. Fixes: 416898e335322 ("tests/shell: Support testing host binaries") Signed-off-by: Phil Sutter <>
* xtables-restore: fix for --noflush and empty linesPhil Sutter2020-02-121-0/+16
| | | | | | | | | | | | | | | | | | | | | | Lookahead buffer used for cache requirements estimate in restore --noflush separates individual lines with nul-chars. Two consecutive nul-chars are interpreted as end of buffer and remaining buffer content is skipped. Sadly, reading an empty line (i.e., one containing a newline character only) caused double nul-chars to appear in buffer as well, leading to premature stop when reading cached lines from buffer. To fix that, make use of xtables_restore_parse_line() skipping empty lines without calling strtok() and just leave the newline character in place. A more intuitive approach, namely skipping empty lines while buffering, is deliberately not chosen as that would cause wrong values in 'line' variable. Closes: Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <> Acked-by: Arturo Borrero Gonzalez <>
* xtables-restore: Fix parser feed from line bufferPhil Sutter2019-12-041-0/+10
| | | | | | | | | | | | When called with --noflush, xtables-restore would trip over chain lines: Parser uses strtok() to separate chain name, policy and counters which inserts nul-chars into the source string. Therefore strlen() can't be used anymore to find end of line. Fix this by caching line length before calling xtables_restore_parse_line(). Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* tests: shell: Add ipt-restore/0007-flush-noflush_0Phil Sutter2019-11-061-0/+42
| | | | | | | | Simple test to make sure iptables-restore does not touch tables it is not supposed to. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* xtables-restore: Unbreak *tables-restorePhil Sutter2019-10-231-2/+19
| | | | | | | | | | | | | | | | | Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") installed an error check which evaluated true in all cases as all callers of do_command callbacks pass a pointer to a table name already. Attached test case passed as it tested error condition only. Fix the whole mess by introducing a boolean to indicate whether a table parameter was seen already. Extend the test case to cover positive as well as negative behaviour and to test ebtables-restore and ip6tables-restore as well. Also add the required checking code to the latter since the original commit missed it. Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* xtables-restore: Fix --table parameter checkPhil Sutter2019-10-211-0/+13
| | | | | | | | | | | | | | | | | | | | | Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments: | *filter | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT | COMMIT Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one. Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore") Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
* xtables-restore: Introduce rule counter tokenizer functionPhil Sutter2019-10-181-0/+22
| | | | | | | | | | | | | | The same piece of code appears three times, introduce a function to take care of tokenizing and error reporting. Pass buffer pointer via reference so it can be updated to point to after the counters (if found). While being at it, drop pointless casting when passing pcnt/bcnt to add_argv(). Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* nft: Fix for add and delete of same rule in single batchPhil Sutter2019-09-301-5/+13
| | | | | | | | | | | | | | | Another corner-case found when extending restore ordering test: If a delete command in a dump referenced a rule added earlier within the same dump, kernel would reject the resulting NFT_MSG_DELRULE command. Catch this by assigning the rule to delete a RULE_ID value if it doesn't have a handle yet. Since __nft_rule_del() does not duplicate the nftnl_rule object when creating the NFT_COMPAT_RULE_DELETE command, this RULE_ID value is added to both NEWRULE and DELRULE commands - exactly what is needed to establish the reference. Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
* tests/shell: Speed up ipt-restore/0004-restore-race_0Phil Sutter2019-09-261-2/+2
| | | | | | | | | | | This test tended to cause quite excessive load on my system, sometimes taking longer than all other tests combined. Even with the reduced numbers, it still fails reliably after reverting commit 58d7de0181f61 ("xtables: handle concurrent ruleset modifications"). Fixes: 4000b4cf2ea38 ("tests: add test script for race-free restore") Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
* restore legacy behaviour of iptables-restore when rules start with -4/-6Adel Belhouane2019-07-292-0/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | v2: moved examples to testcase files Legacy implementation of iptables-restore / ip6tables-restore allowed to insert a -4 or -6 option at start of a rule line to ignore it if not matching the command's protocol. This allowed to mix specific ipv4 and ipv6 rules in a single file, as still described in iptables 1.8.3's man page in options -4 and -6. The implementation over nftables doesn't behave correctly in this case: iptables-nft-restore accepts both -4 or -6 lines and ip6tables-nft-restore throws an error on -4. There's a distribution bug report mentioning this problem: Restore the legacy behaviour: - let do_parse() return and thus not add a command in those restore special cases - let do_commandx() ignore CMD_NONE instead of bailing out I didn't attempt to fix all minor anomalies, but just to fix the regression. For example in the line below, iptables should throw an error instead of accepting -6 and then adding it as ipv4: % iptables-nft -6 -A INPUT -p tcp -j ACCEPT Signed-off-by: Adel Belhouane <> Signed-off-by: Florian Westphal <>
* tests: Fix ipt-restore/0004-restore-race_0 testcasePhil Sutter2019-05-151-4/+3
| | | | | | | | | | | | | | | Two issues fixed: * XTABLES_LIBDIR was set wrong (CWD is not topdir but tests/). Drop the export altogether, the testscript does this already. * $LINES is a variable set by bash, so initial dump sanity check failed all the time complaining about a spurious initial dump line count. Use $LINES1 instead. Fixes: 4000b4cf2ea38 ("tests: add test script for race-free restore") Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* tests: add test script for race-free restoreFlorian Westphal2019-04-271-0/+119
| | | | | | | | | | | | | | | | | | | | | | | | | | xtables-nft-restore ignores -w, check that we don't add duplicate rules when parallel restores happen. With a slightly older iptables-nft version this ususally fails with: I: [EXECUTING] iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 iptables-restore v1.8.2 (nf_tables): line 5: CHAIN_USER_ADD failed (File exists): chain UC-0 line 6: CHAIN_USER_ADD failed (File exists): chain UC-1 W: [FAILED] ipt-restore/0004-restore-race_0: expected 0 but got 4 or I: [EXECUTING] iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 iptables-restore v1.8.2 (nf_tables): line 1: TABLE_FLUSH failed (No such file or directory): table filter or /tmp/tmp.SItN4URxxF /tmp/tmp.P1y4LIxhTl differ: byte 7159, line 137 As the legacy version should not have such race (due to nature of full-table-replace), only do one iteration for legacy case. Signed-off-by: Florian Westphal <> Acked-by: Pablo Neira Ayuso <>
* xtables: Fix for inserting rule at wrong positionPhil Sutter2019-01-281-0/+117
| | | | | | | | | | | | | | | | | | | iptables-restore allows to insert rules at a certain position which is problematic for iptables-nft to realize since rule position is not determined by number but handle of previous or following rule and in case the rules surrounding the new one are new as well, they don't have a handle to refer to yet. Fix this by making use of NFTNL_RULE_POSITION_ID attribute: When inserting before a rule which does not have a handle, refer to it using its NFTNL_RULE_ID value. If the latter doesn't exist either, assign a new one to it. The last used rule ID value is tracked in a new field of struct nft_handle which is incremented before each use. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* xtables: Accept --wait in iptables-nft-restorePhil Sutter2018-09-101-0/+21
| | | | | | | | | | | Passing --wait option to iptables-nft-restore led to program abort because the flag parameter was not skipped. Mimick iptables-restore behaviour when encountering --wait or --wait-interval options (but still ignore the parameter). Fixes: b9d7b49d84bc2 ("xtables-compat: restore: sync options with iptables-restore") Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* iptables-restore: free the table lock when skipping a tableJoel Goguen2018-07-263-0/+101
Currently, when running `iptables-restore --table=X`, where `X` is not the first table in the rules dump, the restore will fail when parsing the second table: - a lock is acquird when parsing the first table name - the table name does not match the parameter to `--table` so processing continues until the next table - when processing the next table a lock is acquired, which fails because a lock is already held Another app is currently holding the xtables lock. Perhaps you want to use the -w option? This will release the lock as soon as it's decided the current table won't be used. Signed-off-by: Joel Goguen <> Signed-off-by: Florian Westphal <>