| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, when running `iptables-restore --table=X`, where `X` is not the first
table in the rules dump, the restore will fail when parsing the second table:
- a lock is acquird when parsing the first table name
- the table name does not match the parameter to `--table` so processing
continues until the next table
- when processing the next table a lock is acquired, which fails because a lock
is already held
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
This will release the lock as soon as it's decided the current table won't be
used.
Signed-off-by: Joel Goguen <contact+netfilter@jgoguen.ca>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when using custom nft tables + iptables-nft, iptables-nft -L
may fail with
iptables v1.8.0 (nf_tables): table `filter' is incompatible, use 'nft' tool.
even if filter table is compatible.
Problem is that the chain cache tracks ALL chains.
The "old" compat-check only walked chains in the table to checked
(filter in this case), now we will see all other
chains including base chains of another table.
It seems better to extend the chain cache long-term to track chains
per table instead, but for now skip the foreign ones.
Reported-by: Eric Garver <e@erig.me>
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Pablo reports that tests that should return nozero now fail.
Reason is that $? is checking return value of "echo" and not the script.
Fixes: 17c66a50608 ("iptables: tests: shell: Add README")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Add test for testing if iptables configuration is restored and saved.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
1) README is added to run test suite.
2) Rename two test-case scripts to follow proper numerical order.
3) "echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line" command
should only used when verbose("-v") option is not there else instead of
clearing "[EXECUTING]" prompt it is clearing last prompt of the test file.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Mimic firewalld startup, i.e. "iptables-restore -n" use.
First script is normal startup,
second script restores ruleset, then re-runs first one (i.e., with
existing rules rather than non-existent tables).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Need to prepend XT_MULTI, not XTABLES_MULTI.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
The ipv4 version has bogus counters so this can also check
save/restore -c option.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add script to restore ipt-save files and compare it with save output.
This should be extended to cover as many rulesets as possible, so this
is only a start.
The test script is changed to pass XT_MULTI instead of
iptables/ip6tables.
This allows ip(6)tables/ebt/arp only test scripts and avoids running all scripts
multiple times for ip/ip6tables.
Current expected output:
I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK] ./iptables/tests/shell/testcases/chain/000newchain_0
I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: legacy results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK] ./iptables/tests/shell/testcases/chain/0004newchain_0
I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: nft results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: combined results: [OK] 20 [FAILED] 0 [TOTAL] 20
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While at it, make following changes/fixes:
1. run each test in a fresh net namespace
2. remove rmmod use, its very distuptive and not needed after 1.
3. avoid -e use if possible
4. make sure we exit 0 when test is expected to fail
5. set XT_LIBDIR so we point at the correct extensions to be used
Also delete 0003duplicate_1, its same test as 0001duplicate_1.
NB: I don't think its good to have this 'encode retval in name' scheme.
These are scripts, so they should always return 0, i.e. do
iptables --this-command-should-fail || exit 0
echo "succeess, should fail"
exit 1
Much simpler, imo. This was inherited from nft shell tests
though and changing it there is rather intrusive so use same scheme for
now.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
set -e causes 2nd command (which is expected to fail)
to terminate the script as well.
So, don't set -e and let the error check invert the return
value to 0.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
To run the test suite (as root):
% cd iptables/tests/shell
% ./run-tests.sh
Test files are executables files with the pattern <<name_N>> , where
N is the expected return code of the executable. Since they are
located with `find', test-files can be spreaded in any sub-directories.
You can turn on a verbose execution by calling:
% ./run-tests.sh -v
Before each call to the test-files, `kernel_cleanup' will be called.
Also, test-files will receive the environment variable $IPTABLES which
contains the path to the iptables binary being tested.
You can pass an arbitrary $IPTABLES value as well:
% IPTABLES=/../../xtables-multi iptables ./run-tests.sh
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
