path: root/iptables/tests/shell/testcases
Commit message (Collapse)AuthorAgeFilesLines
* tests: shell: Fix syntax in ipt-restore/0010-noflush-new-chain_0Phil Sutter2020-05-291-0/+1
| | | | | | | | The here-doc statement missed the final delimiter. Worked anyways because end-of-file would do the trick. Fixes: a103fbfadf4c1 ("xtables-restore: Fix parser feed from line buffer") Signed-off-by: Phil Sutter <>
* nft: cache: Optimize caching for flush commandPhil Sutter2020-05-111-0/+29
| | | | | | | | | | | | | | | | | | When flushing all chains and verbose mode is not enabled, nft_rule_flush() uses a shortcut: It doesn't specify a chain name for NFT_MSG_DELRULE, so the kernel will flush all existing chains without user space needing to know which they are. The above allows to avoid a chain cache, but there's a caveat: nft_xt_builtin_init() will create base chains as it assumes they are missing and thereby possibly overrides any non-default chain policies. Solve this by making nft_xt_builtin_init() cache-aware: If a command doesn't need a chain cache, there's no need to bother with creating any non-existing builtin chains, either. For the sake of completeness, also do nothing if cache is not initialized (although that shouldn't happen). Signed-off-by: Phil Sutter <>
* nft: split parsing from netlink commandsPablo Neira Ayuso2020-05-112-0/+7
| | | | | | | | | | | | | | This patch updates the parser to generate a list of command objects. This list of commands is then transformed to a list of netlink jobs. This new command object stores the rule using the nftnl representation via nft_rule_new(). To reduce the number of updates in this patch, the nft_*_rule_find() functions have been updated to restore the native representation to skip the update of the rule comparison code. Signed-off-by: Pablo Neira Ayuso <> Signed-off-by: Phil Sutter <>
* tests: shell: Add test for nfbz#1391Phil Sutter2020-04-281-0/+7
| | | | | | | | Problem is fixed since commit c550c81fd373e ("nft: cache: Fix nft_release_cache() under stress"), looks like another case of use-after-free. Signed-off-by: Phil Sutter <>
* tests: shell: Test -F in dump filesPhil Sutter2020-04-231-0/+12
| | | | | | | While not really useful, iptables-nft-restore shouldn't segfault either. This tests the problem described in nfbz#1407. Signed-off-by: Phil Sutter <>
* tests: shell: Extend ipt-restore/0004-restore-race_0Phil Sutter2020-04-231-3/+2
| | | | | | | | | Add a second table to dump/restore. This triggers failures after reverting c550c81fd373e ("nft: cache: Fix nft_release_cache() under stress"), hence acts as a reproducer for the bug fixed by that commit as well. Signed-off-by: Phil Sutter <>
* tests: shell: Improve ipt-restore/0001load-specific-table_0 a bitPhil Sutter2020-04-231-1/+1
| | | | | | | | Instead of reading from stdin, pass dump file as regular parameter. This way dump file name occurs in 'bash -x' output which helps finding out where things fail. Signed-off-by: Phil Sutter <>
* xtables: Align effect of -4/-6 options with legacyPhil Sutter2020-02-241-0/+88
| | | | | | | | | | Legacy iptables doesn't accept -4 or -6 if they don't match the symlink's native family. The only exception to that is iptables-restore which simply ignores the lines introduced by non-matching options, which is useful to create combined dump files for feeding into both iptables-restore and ip6tables-restore. Signed-off-by: Phil Sutter <>
* tests: shell: Fix skip checks with --host modePhil Sutter2020-02-1413-84/+88
| | | | | | | | | | When testing host binaries, XT_MULTI variable contains just the program name without path component which most skip checks didn't expect. Fix them, and while being at it also reduce indenting level in two scripts by moving the skip check up front with an early exit call. Fixes: 416898e335322 ("tests/shell: Support testing host binaries") Signed-off-by: Phil Sutter <>
* xtables-restore: fix for --noflush and empty linesPhil Sutter2020-02-121-0/+16
| | | | | | | | | | | | | | | | | | | | | | Lookahead buffer used for cache requirements estimate in restore --noflush separates individual lines with nul-chars. Two consecutive nul-chars are interpreted as end of buffer and remaining buffer content is skipped. Sadly, reading an empty line (i.e., one containing a newline character only) caused double nul-chars to appear in buffer as well, leading to premature stop when reading cached lines from buffer. To fix that, make use of xtables_restore_parse_line() skipping empty lines without calling strtok() and just leave the newline character in place. A more intuitive approach, namely skipping empty lines while buffering, is deliberately not chosen as that would cause wrong values in 'line' variable. Closes: Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <> Acked-by: Arturo Borrero Gonzalez <>
* xtables-restore: Fix parser feed from line bufferPhil Sutter2019-12-041-0/+10
| | | | | | | | | | | | When called with --noflush, xtables-restore would trip over chain lines: Parser uses strtok() to separate chain name, policy and counters which inserts nul-chars into the source string. Therefore strlen() can't be used anymore to find end of line. Fix this by caching line length before calling xtables_restore_parse_line(). Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* tests: shell: Add ipt-restore/0007-flush-noflush_0Phil Sutter2019-11-061-0/+42
| | | | | | | | Simple test to make sure iptables-restore does not touch tables it is not supposed to. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* iptables-xml: Use add_param_to_argv()Phil Sutter2019-10-242-0/+938
| | | | | | | | | Extend the shared argv parser by storing whether a given argument was quoted or not, then use it in iptables-xml. One remaining extra bit is extraction of chain name in -A commands, do that afterwards in a loop. Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
* xtables-restore: Unbreak *tables-restorePhil Sutter2019-10-231-2/+19
| | | | | | | | | | | | | | | | | Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") installed an error check which evaluated true in all cases as all callers of do_command callbacks pass a pointer to a table name already. Attached test case passed as it tested error condition only. Fix the whole mess by introducing a boolean to indicate whether a table parameter was seen already. Extend the test case to cover positive as well as negative behaviour and to test ebtables-restore and ip6tables-restore as well. Also add the required checking code to the latter since the original commit missed it. Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* xtables-restore: Fix --table parameter checkPhil Sutter2019-10-211-0/+13
| | | | | | | | | | | | | | | | | | | | | Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments: | *filter | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT | COMMIT Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one. Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore") Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
* xtables-restore: Introduce rule counter tokenizer functionPhil Sutter2019-10-181-0/+22
| | | | | | | | | | | | | | The same piece of code appears three times, introduce a function to take care of tokenizing and error reporting. Pass buffer pointer via reference so it can be updated to point to after the counters (if found). While being at it, drop pointless casting when passing pcnt/bcnt to add_argv(). Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* nft: Fix for add and delete of same rule in single batchPhil Sutter2019-09-301-5/+13
| | | | | | | | | | | | | | | Another corner-case found when extending restore ordering test: If a delete command in a dump referenced a rule added earlier within the same dump, kernel would reject the resulting NFT_MSG_DELRULE command. Catch this by assigning the rule to delete a RULE_ID value if it doesn't have a handle yet. Since __nft_rule_del() does not duplicate the nftnl_rule object when creating the NFT_COMPAT_RULE_DELETE command, this RULE_ID value is added to both NEWRULE and DELRULE commands - exactly what is needed to establish the reference. Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
* tests/shell: Speed up ipt-restore/0004-restore-race_0Phil Sutter2019-09-261-2/+2
| | | | | | | | | | | This test tended to cause quite excessive load on my system, sometimes taking longer than all other tests combined. Even with the reduced numbers, it still fails reliably after reverting commit 58d7de0181f61 ("xtables: handle concurrent ruleset modifications"). Fixes: 4000b4cf2ea38 ("tests: add test script for race-free restore") Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
* tests/shell: Make ebtables-basic test more verbosePhil Sutter2019-09-231-12/+16
| | | | | | | Print expected entries count if it doesn't match. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* ebtables: fix over-eager -o checks on custom chainsFlorian Westphal2019-09-121-0/+21
| | | | | | | | | | | | | | | | Arturo reports ebtables-nft reports an error when -o is used in custom chains: -A MYCHAIN -o someif makes ebtables-nft exit with an error: "Use -o only in OUTPUT, FORWARD and POSTROUTING chains." Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING to mean "builtin", so -1 mistakenly leads to the checks being active. Reported-by: Arturo Borrero Gonzalez <> Closes: Signed-off-by: Florian Westphal <>
* restore legacy behaviour of iptables-restore when rules start with -4/-6Adel Belhouane2019-07-292-0/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | v2: moved examples to testcase files Legacy implementation of iptables-restore / ip6tables-restore allowed to insert a -4 or -6 option at start of a rule line to ignore it if not matching the command's protocol. This allowed to mix specific ipv4 and ipv6 rules in a single file, as still described in iptables 1.8.3's man page in options -4 and -6. The implementation over nftables doesn't behave correctly in this case: iptables-nft-restore accepts both -4 or -6 lines and ip6tables-nft-restore throws an error on -4. There's a distribution bug report mentioning this problem: Restore the legacy behaviour: - let do_parse() return and thus not add a command in those restore special cases - let do_commandx() ignore CMD_NONE instead of bailing out I didn't attempt to fix all minor anomalies, but just to fix the regression. For example in the line below, iptables should throw an error instead of accepting -6 and then adding it as ipv4: % iptables-nft -6 -A INPUT -p tcp -j ACCEPT Signed-off-by: Adel Belhouane <> Signed-off-by: Florian Westphal <>
* xtables-save: Unify *-save header/footer commentsPhil Sutter2019-07-236-24/+13
| | | | | | | | | Make eb- and arptables-save print both header and footer comments, too. Also print them for each table separately - the timing information is worth the extra lines in output. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* ebtables-save: Fix counter formattingPhil Sutter2019-07-231-0/+67
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The initial problem was 'ebtables-save -c' printing iptables-style counters but at the same time not disabling ebtables-style counter output (which was even printed in wrong format for ebtables-save). The code around counter output was complicated enough to motivate a larger rework: * Make FMT_C_COUNTS indicate the appended counter style for ebtables. * Use FMT_EBT_SAVE to distinguish between '-c' style counters and the legacy pcnt/bcnt ones. Consequently, ebtables-save sets format to: FMT_NOCOUNTS - for no counters FMT_EBT_SAVE - for iptables-style counters FMT_EBT_SAVE | FMT_C_COUNTS - for '-c' style counters For regular ebtables, list_rules() always sets FMT_C_COUNTS (iptables-style counters are never used there) and FMT_NOCOUNTS if no counters are requested. The big plus is if neither FMT_NOCOUNTS nor FMT_C_COUNTS is set, iptables-style counters are to be printed - both in iptables and ebtables. This allows to drop the ebtables-specific 'save_counters' callback. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* tests: Fix ipt-restore/0004-restore-race_0 testcasePhil Sutter2019-05-151-4/+3
| | | | | | | | | | | | | | | Two issues fixed: * XTABLES_LIBDIR was set wrong (CWD is not topdir but tests/). Drop the export altogether, the testscript does this already. * $LINES is a variable set by bash, so initial dump sanity check failed all the time complaining about a spurious initial dump line count. Use $LINES1 instead. Fixes: 4000b4cf2ea38 ("tests: add test script for race-free restore") Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* tests: add test script for race-free restoreFlorian Westphal2019-04-271-0/+119
| | | | | | | | | | | | | | | | | | | | | | | | | | xtables-nft-restore ignores -w, check that we don't add duplicate rules when parallel restores happen. With a slightly older iptables-nft version this ususally fails with: I: [EXECUTING] iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 iptables-restore v1.8.2 (nf_tables): line 5: CHAIN_USER_ADD failed (File exists): chain UC-0 line 6: CHAIN_USER_ADD failed (File exists): chain UC-1 W: [FAILED] ipt-restore/0004-restore-race_0: expected 0 but got 4 or I: [EXECUTING] iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 iptables-restore v1.8.2 (nf_tables): line 1: TABLE_FLUSH failed (No such file or directory): table filter or /tmp/tmp.SItN4URxxF /tmp/tmp.P1y4LIxhTl differ: byte 7159, line 137 As the legacy version should not have such race (due to nature of full-table-replace), only do one iteration for legacy case. Signed-off-by: Florian Westphal <> Acked-by: Pablo Neira Ayuso <>
* tests: return-codes script is bash specificFlorian Westphal2019-04-191-1/+1
| | | | | | The script fails on systems where sh is not bash. Signed-off-by: Florian Westphal <>
* arptables: Print space before comma and countersPhil Sutter2019-02-211-6/+6
| | | | | | | | | Legacy arptables separates counters from rest of rule by ' , '. Assuming that scripts scraping 'arptables -vL' output match on this, make arptables-nft output conformant. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* tests: Extend return codes check by error messagesPhil Sutter2019-02-131-13/+46
| | | | | | | Check that error messages match between legacy and nft code. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* ebtables-nft: Support user-defined chain policiesPhil Sutter2019-02-081-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Legacy ebtables supports policies for user-defined chains - and what's worse, they default to ACCEPT unlike anywhere else. So lack of support for this braindead feature in ebtables-nft is actually a change of behaviour which very likely affects all ebtables users out there. The solution implemented here uses an implicit (and transparent) last rule in all user-defined ebtables-nft chains with policy other than RETURN. This rule is identified by an nft comment "XTABLES_EB_INTERNAL_POLICY_RULE" (since commit ccf154d7420c0 ("xtables: Don't use native nftables comments") nft comments are not used otherwise). To minimize interference with existing code, this policy rule is removed from chains during cache population and the policy is saved in NFTNL_CHAIN_POLICY attribute. When committing changes to the kernel, nft_commit() traverses through the list of chains and (re-)creates policy rules if required. In ebtables-nft-restore, table flushes are problematic. To avoid weird kernel error responses, introduce a custom 'table_flush' callback which removes any pending policy rule add/remove jobs prior to creating the NFT_COMPAT_TABLE_FLUSH one. I've hidden all this mess behind checks for h->family, so hopefully impact on {ip,ip6,arp}tables-nft should be negligible. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <> Signed-off-by: Florian Westphal <>
* xtables: Fix for false-positive rule matchingPhil Sutter2019-02-051-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | When comparing two rules with non-standard targets, differences in targets' payloads wasn't respected. The cause is a rather hideous one: Unlike xtables_find_match(), xtables_find_target() did not care whether the found target was already in use or not, so the same target instance was assigned to both rules and therefore payload comparison happened over the same memory location. With legacy iptables it is not possible to reuse a target: The only case where two rules (i.e., iptables_command_state instances) could exist at the same time is when comparing rules, but that's handled using libiptc. The above change clashes with ebtables-nft's reuse of target objects: While input parsing still just assigns the object from xtables_targets list, rule conversion from nftnl to iptables_command_state allocates new data. To fix this, make ebtables-nft input parsing use the common command_jump() routine instead of its own simplified copy. In turn, this also eliminates the ebtables-nft-specific variants of parse_target(), though with a slight change of behaviour: Names of user-defined chains are no longer allowed to contain up to 31 but merely 28 characters. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Fix for crash when comparing rules with standard targetPhil Sutter2019-02-011-0/+7
| | | | | | | | | | When parsing an nftnl_rule with a standard verdict, nft_rule_to_iptables_command_state() initialized cs->target but didn't care about cs->target->t. When later comparing that rule to another, compare_targets() crashed due to unconditional access to t's fields. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* tests: shell: Add arptables-nft verbose output testPhil Sutter2019-01-311-0/+64
| | | | | | | | With arptables-nft output being in a very good state now, add a test to ensure it stays that way. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* arptables-nft: Don't print default h-len/h-type valuesPhil Sutter2019-01-312-19/+19
| | | | | | | | | | | | | | Default values for --h-len and --h-type being printed for rules where user didn't provide them is unexpected and confusing. The drawback is the opposite: If user provided either of them with their default value, they are later omitted when listing rules. Though since unlike legacy arptables we can't distinguish between not specified and specified with default value, we can't fix both - so choose to optimize for the more likely case. Fixes: 5aecb2d8bfdda ("arptables: pre-init hlen and ethertype") Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* arptables-nft-save: Fix position of -j optionPhil Sutter2019-01-312-19/+19
| | | | | | | | | | | | | | | | | | Legacy arptables-save (just like arptables itself) prints verdict as first option, then matches and finally any target options. To achieve this without introducing double/trailing spaces everywhere, integrate target ('-j') option printing into nft_arp_print_rule_details() and make it print separating whitespace before each option. In nft_arp_save_rule(), replace the call to save_matches_and_target() by by a direct call to cs->target->save() since the former prints '-j' option itself. Since there are no match extensions in arptables, any other code from that function is not needed. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* arptables-nft: Fix MARK target parsing and printingPhil Sutter2019-01-311-1/+1
| | | | | | | | | | | | | Legacy arptables parses mark values in hex no matter if prefixed with '0x' or not. Sadly, this is not easily achievable with guided option parser. Hence fall back to the old 'parse' callback. The introduced target definition is valid only for revision 2, but that's consistent with legacy arptables. When printing, use --set-mark option instead of --set-xmark. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Fix for inserting rule at wrong positionPhil Sutter2019-01-282-0/+155
| | | | | | | | | | | | | | | | | | | iptables-restore allows to insert rules at a certain position which is problematic for iptables-nft to realize since rule position is not determined by number but handle of previous or following rule and in case the rules surrounding the new one are new as well, they don't have a handle to refer to yet. Fix this by making use of NFTNL_RULE_POSITION_ID attribute: When inserting before a rule which does not have a handle, refer to it using its NFTNL_RULE_ID value. If the latter doesn't exist either, assign a new one to it. The last used rule ID value is tracked in a new field of struct nft_handle which is incremented before each use. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* tests: Extend verbose output and return code testsPhil Sutter2018-12-272-4/+15
| | | | | | | | | | | | | Recent changes to chain flush and zero routines incorporate proper error propagation so trying to flush or zero a non-existent chain results in an error. This is consistent with iptables-legacy, extend tests to make sure it stays this way. Also extend verbose output test to make these recent changes didn't mess it up. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* tests: shell: fix expected arptables-save outputFlorian Westphal2018-11-121-3/+3
| | | | | | | forgot to squash this before pushing arptables fixes. Fixes: 5aecb2d8bfd ("arptables: pre-init hlen and ethertype") Signed-off-by: Florian Westphal <>
* arptables: pre-init hlen and ethertypeFlorian Westphal2018-11-121-14/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | to check -s, we need to add the size of the hardware address to the arp header to obtain the offset where the ipv4 address begins: base_arphdr HW_ADDR IP_ADDR (src) IP_ADDR (target) In arptables-classic, the kernel will add dev->addr_len to the arp header base address to obtain the correct location, but we cannot do this in nf_tables, at least not at this time (we need a fixed offset value). code does: op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP); add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ... but if user did not provide "--h-length 6" argument, then this won't work even for ethernet, as the payload expression will be told to load the first 4 bytes of arp header source mac address (sender hw address). Fix this by pre-initialising arhlen to 6. We also need to set up arhrd. Otherwise, src/dst mac can't be used: arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66 arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT This means that matching won't work for AX25, NETROM etc, however, arptables "classic" can't parse non-ethernet addresses, and makes ETH_ALEN assumptions in several spots, so this should be fine from compatibility point of view. Signed-off-by: Florian Westphal <>
* xtables: Fix error return code in nft_chain_user_rename()Phil Sutter2018-11-121-0/+4
| | | | | | | If the chain to rename wasn't found, the function would return -1 which got interpreted as success. Signed-off-by: Phil Sutter <>
* libxtables: add and use mac print helpersFlorian Westphal2018-11-071-2/+2
| | | | | | | | | | | | This changes ebtables-nft to consistently print mac address with two characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a. Will require another bump of vcurrent/vage. Suggested-by: Pablo Neira Ayuso <> Signed-off-by: Florian Westphal <>
* xtables: Accept --wait in iptables-nft-restorePhil Sutter2018-09-101-0/+21
| | | | | | | | | | | Passing --wait option to iptables-nft-restore led to program abort because the flag parameter was not skipped. Mimick iptables-restore behaviour when encountering --wait or --wait-interval options (but still ignore the parameter). Fixes: b9d7b49d84bc2 ("xtables-compat: restore: sync options with iptables-restore") Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Align return codes with legacy iptablesPhil Sutter2018-09-012-0/+76
| | | | | | | | Make sure return codes match legacy ones at least for a few selected commands typically used to check ruleset state. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Fix for deleting rules with commentPhil Sutter2018-08-291-0/+15
| | | | | | | | | | | | | | | | | | | | | | Comment match allocation in command_match() and nft_rule_to_iptables_command_state() were misaligned in that the latter set match_size to just what is required instead of what the match needs at maximum like the further. This led to failure when comparing them later and therefore a rule with a comment could not be deleted. For comments of a specific length, the udata buffer is padded by libnftnl so nftnl_rule_get_data() returns a length value which is larger than the string (including NULL-byte). The trailing data is supposed to be ignored, but compare_matches() can't not know about that detail and therefore returns a false-negative if trailing data contains junk. To overcome this, use strncpy() when populating match data in nft_rule_to_iptables_command_state(). While being at it, make sure comment match allocation in that function is identical to what command_match() does with regards to data allocation size. Also use xtables_calloc() which does the required error checking. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* ebtables: Fix entries count in chain listingPhil Sutter2018-08-161-0/+30
| | | | | | | | | | | | | | | The previous fix for reference counts in iptables-nft output wasn't complete: While iptables lists the number of references for each custom chain (i.e., the number of jumps to it), ebtables lists number of entries (i.e., the number of rules contained) for each chain. Both used the same value for it, although they are different metrics. Fix this by passing both numbers separately to the 'print_header' callback so that each tool may print the desired value. Fixes: a0698de9866d2 ("xtables: Do not count rules as chain references") Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* xtables: Make 'iptables -S nonexisting' return non-zeroPhil Sutter2018-08-162-0/+80
| | | | | | | | | | | | To be consistent with legacy iptables, calling -S with a non-existing chain should lead to an error message. This is how some scripts find out whether a user-defined chain exists or not. Make sure doing the same for an existing chain does succeed, even if an invalid rule number was given. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* ebtables: Merge libebt_limit.c into libxt_limit.cPhil Sutter2018-08-162-5/+5
| | | | | | | | | | | | | | | | | Both extensions were very similar already, but now that they both are translated into native nftables code, their actual difference (i.e. match size) doesn't matter anymore. This change comes with one caveat: Since ebtables limit match is not in its own file anymore, match preloading automatically also loads the NFPROTO_UNSPEC limit match. This is not a problem per se since match lookup will prefer the family-specific one, but when parsing unknown options, a match without 'parse' callback is encountered. Therefore do_commandeb() has to check existence of that callback prior to dereferencing it. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* xtables: Fix for wrong counter format in -S outputPhil Sutter2018-08-091-0/+48
| | | | | | | | | | | | | | | | | | | | | | Legacy iptables uses '-c PCNT BCNT' format in listed rules, nft-variant used '[PCNT BCNT]' prefix like with iptables-save. In order to pass the counter format preference along, FMT_C_COUNTS is introduced and related 'format' checks adjusted. Since legacy iptables prints the counters between matches and target, this change affects save_matches_and_target() function. In order to get access to the rule counters, it's declaration is adjusted to receive iptables_command_state pointer instead of match, target and jumpto pointers from the same object. While being at it, integrate jump to user-defined chain into it as well since the related code in both callers was almost identical. Though since different rule flags are used between iptables and ip6tables, pass a 'goto_flag' boolean instead of the actual 'flags' bitfield. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Don't pass full invflags to add_compat()Phil Sutter2018-08-091-0/+10
| | | | | | | | | | | The function expects a boolean, not a bitfield. This bug caused inversion in another match to carry over to protocol match by accident. The supplied testcase contains rules which then fail because they contain matches requiring that protocol. Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol and invflags") Fixes: 4143a08819a07 ("ebtables-compat: add nft rule compat information to bridge rules") Signed-off-by: Phil Sutter <>
* tests: Fix skipping for recent nft-only testsPhil Sutter2018-08-094-4/+4
| | | | | | | | | | | | | | | In an attempt to sanitize shell scripting, exit test in recent testcases was altered, which led to them being skipped even in nft test runs. Drop the quotes so that globbing happens again. While here, improve the check a bit to glob only on leading path part, not also the file name. Also print "skip ..." just like nft-only/0001compat_0 testcase does. Fixes: f1d8508fd6fdc ("tests: Add arptables-{save,restore} testcases") Fixes: fbf0bf7c079d8 ("tests: Add ebtables-{save,restore} testcases") Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>