summaryrefslogtreecommitdiffstats
path: root/iptables/tests/shell
Commit message (Collapse)AuthorAgeFilesLines
* nft: Fix bitwise expression avoidance detectionPhil Sutter2021-03-091-0/+24
| | | | | | | | | Byte-boundary prefix detection was too sloppy: Any data following the first zero-byte was ignored. Add a follow-up loop making sure there are no stray bits in the designated host part. Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches") Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-nft: fix -Z optionFlorian Westphal2021-02-241-0/+64
| | | | | | | | | it zeroes the rule counters, so it needs fully populated cache. Add a test case to cover this. Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* tests/shell: Fix nft-only/0009-needless-bitwise_0Phil Sutter2021-01-151-1/+8
| | | | | | | | | For whatever reason, stored expected output contains false handles. To overcome this, filter the rule data lines from both expected and stored output before comparing. Fixes: 81a2e12851283 ("tests/shell: Add test for bitwise avoidance fixes") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Drop any dump sorting in placePhil Sutter2020-12-213-18/+5
| | | | | | | With iptables-nft-save output now sorted just like legacy one, no sorting to unify them is needed anymore. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Sort custom chains by namePhil Sutter2020-12-211-1/+1
| | | | | | | | | | | | | | With base chains no longer residing in the tables' chain lists, they can easily be sorted upon insertion. This on one hand aligns custom chain ordering with legacy iptables and on the other makes it predictable, which is very helpful when manually comparing ruleset dumps for instance. Adjust the one ebtables-nft test case this change breaks (as wrong ordering is expected in there). The manual output sorting done for tests which apply to legacy as well as nft is removed in a separate patch. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/shell: Test for fixed extension registrationPhil Sutter2020-12-071-0/+25
| | | | | | | | | | Use strace to look at iptables-restore behaviour with typically problematic input (conntrack revision 0 is no longer supported by current kernels) to make sure the fix in commit a1eaaceb0460b ("libxtables: Simplify pending extension registration") is still effective. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Extend MAC address printing/parsing supportPhil Sutter2020-12-031-2/+2
| | | | | | | | | | | | | | | Adding a parser which supports common names for special MAC/mask combinations and a print routine detecting those special addresses and printing the respective name allows to consolidate all the various duplicated implementations. The side-effects of this change are manageable: * arptables now accepts "BGA" as alias for the bridge group address * "mac" match now prints MAC addresses in lower-case which is consistent with the remaining code at least Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Fix for broken chain renamingPhil Sutter2020-11-171-0/+4
| | | | | | | | | | Loading extensions pollutes 'errno' value, hence before using it to indicate failure it should be sanitized. This was done by the called function before the parsing/netlink split and not migrated by accident. Move it into calling code to clarify the connection. Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: update format of registers in bitwise payloads.Pablo Neira Ayuso2020-11-161-5/+5
| | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Add test for bitwise avoidance fixesPhil Sutter2020-11-101-0/+339
| | | | | | | | | Masked address matching was recently improved to avoid bitwise expression if the given mask covers full bytes. Make use of nft netlink debug output to assert iptables-nft generates the right bytecode for each situation. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Improve concurrent noflush restore test a bitPhil Sutter2020-10-271-0/+14
| | | | | | | | | | | | The described issue happens only if chain FOO does not exist at program start so flush the ruleset after each iteration to make sure this is the case. Sadly the bug is still not 100% reproducible on my testing VM. While being at it, add a paragraph describing what exact situation the test is trying to provoke. Fixes: dac904bdcd9a1 ("nft: Fix for concurrent noflush restore calls") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for concurrent noflush restore callsPhil Sutter2020-10-131-0/+53
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Transaction refresh was broken with regards to nft_chain_restore(): It created a rule flush batch object only if the chain was found in cache and a chain add object only if the chain was not found. Yet with concurrent ruleset updates, one has to expect both situations: * If a chain vanishes, the rule flush job must be skipped and instead the chain add job become active. * If a chain appears, the chain add job must be skipped and instead rules flushed. Change the code accordingly: Create both batch objects and set their 'skip' field depending on the situation in cache and adjust both in nft_refresh_transaction(). As a side-effect, the implicit rule flush becomes explicit and all handling of implicit batch jobs is dropped along with the related field indicating such. Reuse the 'implicit' parameter of __nft_rule_flush() to control the initial 'skip' field value instead. A subtle caveat is vanishing of existing chains: Creating the chain add job based on the chain in cache causes a netlink message containing that chain's handle which the kernel dislikes. Therefore unset the chain's handle in that case. Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications") Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-nft: fix basechain policy configurationPablo Neira Ayuso2020-10-081-0/+29
| | | | | | | | | | Previous to this patch, the basechain policy could not be properly configured if it wasn't explictly set when loading the ruleset, leading to iptables-nft-restore (and ip6tables-nft-restore) trying to send an invalid ruleset to the kernel. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix for ruleset flush while restoringPhil Sutter2020-08-141-0/+23
| | | | | | | | | | | | | | | | | | If ruleset is flushed while an instance of iptables-nft-restore is running and has seen a COMMIT line once, it doesn't notice the disappeared table while handling the next COMMIT. This is due to table existence being tracked via 'initialized' boolean which is only reset by nft_table_flush(). To fix this, drop the dedicated 'initialized' boolean and switch users to the recently introduced 'exists' one. As a side-effect, this causes base chain existence being checked for each command calling nft_xt_builtin_init() as the old 'initialized' bit was used to track if that function has been called before or not. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Merge and extend return codes testPhil Sutter2020-08-142-91/+61
| | | | | | | | | | Merge scripts for iptables and ip6tables, they were widely identical. Also extend the test by one check (removing a non-existent rule with valid chain and target) and quote the error messages where differences are deliberately ignored. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add help output to run-tests.shPhil Sutter2020-07-061-0/+19
| | | | | | | The script has quite a few options nowadays, so add a bit of help text also. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-restore: Fix verbose mode table flushingPhil Sutter2020-06-091-0/+76
| | | | | | | | | | When called with --verbose mode, iptables-nft-restore did not print anything when flushing the table. Fix this by adding a "manual" mode to nft_cmd_table_flush(), turning it into a wrapper around '-F' and '-X' commands, which is exactly what iptables-legacy-restore does to flush a table. This though requires a real cache, so don't set NFT_CL_FAKE then. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Fix syntax in ipt-restore/0010-noflush-new-chain_0Phil Sutter2020-05-291-0/+1
| | | | | | | | The here-doc statement missed the final delimiter. Worked anyways because end-of-file would do the trick. Fixes: a103fbfadf4c1 ("xtables-restore: Fix parser feed from line buffer") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Implement --valgrind modePhil Sutter2020-05-111-0/+47
| | | | | | | | | | | | | | | | | | Wrap every call to $XT_MULTI with valgrind, or actually a wrapper script which does the valgrind wrap and stores the log if it contains something relevant. Carefully name the wrapper script(s) so that test cases' checks on $XT_MULTI name stay intact. This mode slows down testsuite execution horribly. Luckily, it's not meant for constant use, though. For now, ignore commands with non-zero exit status - error paths typically hit direct exit() calls and therefore leave reachable memory in place. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Optimize caching for flush commandPhil Sutter2020-05-111-0/+29
| | | | | | | | | | | | | | | | | | When flushing all chains and verbose mode is not enabled, nft_rule_flush() uses a shortcut: It doesn't specify a chain name for NFT_MSG_DELRULE, so the kernel will flush all existing chains without user space needing to know which they are. The above allows to avoid a chain cache, but there's a caveat: nft_xt_builtin_init() will create base chains as it assumes they are missing and thereby possibly overrides any non-default chain policies. Solve this by making nft_xt_builtin_init() cache-aware: If a command doesn't need a chain cache, there's no need to bother with creating any non-existing builtin chains, either. For the sake of completeness, also do nothing if cache is not initialized (although that shouldn't happen). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: split parsing from netlink commandsPablo Neira Ayuso2020-05-112-0/+7
| | | | | | | | | | | | | | This patch updates the parser to generate a list of command objects. This list of commands is then transformed to a list of netlink jobs. This new command object stores the rule using the nftnl representation via nft_rule_new(). To reduce the number of updates in this patch, the nft_*_rule_find() functions have been updated to restore the native representation to skip the update of the rule comparison code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Add test for nfbz#1391Phil Sutter2020-04-281-0/+7
| | | | | | | | Problem is fixed since commit c550c81fd373e ("nft: cache: Fix nft_release_cache() under stress"), looks like another case of use-after-free. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Test -F in dump filesPhil Sutter2020-04-231-0/+12
| | | | | | | While not really useful, iptables-nft-restore shouldn't segfault either. This tests the problem described in nfbz#1407. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Extend ipt-restore/0004-restore-race_0Phil Sutter2020-04-231-3/+2
| | | | | | | | | Add a second table to dump/restore. This triggers failures after reverting c550c81fd373e ("nft: cache: Fix nft_release_cache() under stress"), hence acts as a reproducer for the bug fixed by that commit as well. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Improve ipt-restore/0001load-specific-table_0 a bitPhil Sutter2020-04-231-1/+1
| | | | | | | | Instead of reading from stdin, pass dump file as regular parameter. This way dump file name occurs in 'bash -x' output which helps finding out where things fail. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Align effect of -4/-6 options with legacyPhil Sutter2020-02-241-0/+88
| | | | | | | | | | Legacy iptables doesn't accept -4 or -6 if they don't match the symlink's native family. The only exception to that is iptables-restore which simply ignores the lines introduced by non-matching options, which is useful to create combined dump files for feeding into both iptables-restore and ip6tables-restore. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Fix skip checks with --host modePhil Sutter2020-02-1413-84/+88
| | | | | | | | | | When testing host binaries, XT_MULTI variable contains just the program name without path component which most skip checks didn't expect. Fix them, and while being at it also reduce indenting level in two scripts by moving the skip check up front with an early exit call. Fixes: 416898e335322 ("tests/shell: Support testing host binaries") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-restore: fix for --noflush and empty linesPhil Sutter2020-02-121-0/+16
| | | | | | | | | | | | | | | | | | | | | | Lookahead buffer used for cache requirements estimate in restore --noflush separates individual lines with nul-chars. Two consecutive nul-chars are interpreted as end of buffer and remaining buffer content is skipped. Sadly, reading an empty line (i.e., one containing a newline character only) caused double nul-chars to appear in buffer as well, leading to premature stop when reading cached lines from buffer. To fix that, make use of xtables_restore_parse_line() skipping empty lines without calling strtok() and just leave the newline character in place. A more intuitive approach, namely skipping empty lines while buffering, is deliberately not chosen as that would cause wrong values in 'line' variable. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400 Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* xtables-restore: Fix parser feed from line bufferPhil Sutter2019-12-041-0/+10
| | | | | | | | | | | | When called with --noflush, xtables-restore would trip over chain lines: Parser uses strtok() to separate chain name, policy and counters which inserts nul-chars into the source string. Therefore strlen() can't be used anymore to find end of line. Fix this by caching line length before calling xtables_restore_parse_line(). Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add ipt-restore/0007-flush-noflush_0Phil Sutter2019-11-061-0/+42
| | | | | | | | Simple test to make sure iptables-restore does not touch tables it is not supposed to. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-xml: Use add_param_to_argv()Phil Sutter2019-10-242-0/+938
| | | | | | | | | Extend the shared argv parser by storing whether a given argument was quoted or not, then use it in iptables-xml. One remaining extra bit is extraction of chain name in -A commands, do that afterwards in a loop. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* xtables-restore: Unbreak *tables-restorePhil Sutter2019-10-231-2/+19
| | | | | | | | | | | | | | | | | Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") installed an error check which evaluated true in all cases as all callers of do_command callbacks pass a pointer to a table name already. Attached test case passed as it tested error condition only. Fix the whole mess by introducing a boolean to indicate whether a table parameter was seen already. Extend the test case to cover positive as well as negative behaviour and to test ebtables-restore and ip6tables-restore as well. Also add the required checking code to the latter since the original commit missed it. Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: Fix --table parameter checkPhil Sutter2019-10-211-0/+13
| | | | | | | | | | | | | | | | | | | | | Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments: | *filter | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT | COMMIT Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one. Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* xtables-restore: Introduce rule counter tokenizer functionPhil Sutter2019-10-181-0/+22
| | | | | | | | | | | | | | The same piece of code appears three times, introduce a function to take care of tokenizing and error reporting. Pass buffer pointer via reference so it can be updated to point to after the counters (if found). While being at it, drop pointless casting when passing pcnt/bcnt to add_argv(). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix for add and delete of same rule in single batchPhil Sutter2019-09-301-5/+13
| | | | | | | | | | | | | | | Another corner-case found when extending restore ordering test: If a delete command in a dump referenced a rule added earlier within the same dump, kernel would reject the resulting NFT_MSG_DELRULE command. Catch this by assigning the rule to delete a RULE_ID value if it doesn't have a handle yet. Since __nft_rule_del() does not duplicate the nftnl_rule object when creating the NFT_COMPAT_RULE_DELETE command, this RULE_ID value is added to both NEWRULE and DELRULE commands - exactly what is needed to establish the reference. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* tests: shell: Support running for legacy/nft onlyPhil Sutter2019-09-301-8/+20
| | | | | | | | | After some changes, one might want to test a single variant only. Allow this by supporting -n/--nft and -l/--legacy parameters, each disabling the other variant. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* tests/shell: Speed up ipt-restore/0004-restore-race_0Phil Sutter2019-09-261-2/+2
| | | | | | | | | | | This test tended to cause quite excessive load on my system, sometimes taking longer than all other tests combined. Even with the reduced numbers, it still fails reliably after reverting commit 58d7de0181f61 ("xtables: handle concurrent ruleset modifications"). Fixes: 4000b4cf2ea38 ("tests: add test script for race-free restore") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* tests/shell: Make ebtables-basic test more verbosePhil Sutter2019-09-231-12/+16
| | | | | | | Print expected entries count if it doesn't match. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: fix over-eager -o checks on custom chainsFlorian Westphal2019-09-121-0/+21
| | | | | | | | | | | | | | | | Arturo reports ebtables-nft reports an error when -o is used in custom chains: -A MYCHAIN -o someif makes ebtables-nft exit with an error: "Use -o only in OUTPUT, FORWARD and POSTROUTING chains." Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING to mean "builtin", so -1 mistakenly leads to the checks being active. Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347 Signed-off-by: Florian Westphal <fw@strlen.de>
* restore legacy behaviour of iptables-restore when rules start with -4/-6Adel Belhouane2019-07-292-0/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | v2: moved examples to testcase files Legacy implementation of iptables-restore / ip6tables-restore allowed to insert a -4 or -6 option at start of a rule line to ignore it if not matching the command's protocol. This allowed to mix specific ipv4 and ipv6 rules in a single file, as still described in iptables 1.8.3's man page in options -4 and -6. The implementation over nftables doesn't behave correctly in this case: iptables-nft-restore accepts both -4 or -6 lines and ip6tables-nft-restore throws an error on -4. There's a distribution bug report mentioning this problem: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925343 Restore the legacy behaviour: - let do_parse() return and thus not add a command in those restore special cases - let do_commandx() ignore CMD_NONE instead of bailing out I didn't attempt to fix all minor anomalies, but just to fix the regression. For example in the line below, iptables should throw an error instead of accepting -6 and then adding it as ipv4: % iptables-nft -6 -A INPUT -p tcp -j ACCEPT Signed-off-by: Adel Belhouane <bugs.a.b@free.fr> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-save: Unify *-save header/footer commentsPhil Sutter2019-07-236-24/+13
| | | | | | | | | Make eb- and arptables-save print both header and footer comments, too. Also print them for each table separately - the timing information is worth the extra lines in output. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-save: Fix counter formattingPhil Sutter2019-07-231-0/+67
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The initial problem was 'ebtables-save -c' printing iptables-style counters but at the same time not disabling ebtables-style counter output (which was even printed in wrong format for ebtables-save). The code around counter output was complicated enough to motivate a larger rework: * Make FMT_C_COUNTS indicate the appended counter style for ebtables. * Use FMT_EBT_SAVE to distinguish between '-c' style counters and the legacy pcnt/bcnt ones. Consequently, ebtables-save sets format to: FMT_NOCOUNTS - for no counters FMT_EBT_SAVE - for iptables-style counters FMT_EBT_SAVE | FMT_C_COUNTS - for '-c' style counters For regular ebtables, list_rules() always sets FMT_C_COUNTS (iptables-style counters are never used there) and FMT_NOCOUNTS if no counters are requested. The big plus is if neither FMT_NOCOUNTS nor FMT_C_COUNTS is set, iptables-style counters are to be printed - both in iptables and ebtables. This allows to drop the ebtables-specific 'save_counters' callback. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Fix ipt-restore/0004-restore-race_0 testcasePhil Sutter2019-05-151-4/+3
| | | | | | | | | | | | | | | Two issues fixed: * XTABLES_LIBDIR was set wrong (CWD is not topdir but tests/). Drop the export altogether, the testscript does this already. * $LINES is a variable set by bash, so initial dump sanity check failed all the time complaining about a spurious initial dump line count. Use $LINES1 instead. Fixes: 4000b4cf2ea38 ("tests: add test script for race-free restore") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add test script for race-free restoreFlorian Westphal2019-04-271-0/+119
| | | | | | | | | | | | | | | | | | | | | | | | | | xtables-nft-restore ignores -w, check that we don't add duplicate rules when parallel restores happen. With a slightly older iptables-nft version this ususally fails with: I: [EXECUTING] iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 iptables-restore v1.8.2 (nf_tables): line 5: CHAIN_USER_ADD failed (File exists): chain UC-0 line 6: CHAIN_USER_ADD failed (File exists): chain UC-1 W: [FAILED] ipt-restore/0004-restore-race_0: expected 0 but got 4 or I: [EXECUTING] iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 iptables-restore v1.8.2 (nf_tables): line 1: TABLE_FLUSH failed (No such file or directory): table filter or /tmp/tmp.SItN4URxxF /tmp/tmp.P1y4LIxhTl differ: byte 7159, line 137 As the legacy version should not have such race (due to nature of full-table-replace), only do one iteration for legacy case. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: return-codes script is bash specificFlorian Westphal2019-04-191-1/+1
| | | | | | The script fails on systems where sh is not bash. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/shell: Support testing host binariesPhil Sutter2019-02-221-16/+32
| | | | | | | | | | | | | | Add -H/--host parameter to run the testsuite against host system's binaries. While being at it, rewrite parameter parsing: * Parse all parameters in a loop, this frees any ordering constraints. * Set extglob option so strict pattern matching for single testcase mode can be done via bash globbing. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: Print space before comma and countersPhil Sutter2019-02-211-6/+6
| | | | | | | | | Legacy arptables separates counters from rest of rule by ' , '. Assuming that scripts scraping 'arptables -vL' output match on this, make arptables-nft output conformant. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Extend return codes check by error messagesPhil Sutter2019-02-131-13/+46
| | | | | | | Check that error messages match between legacy and nft code. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-nft: Support user-defined chain policiesPhil Sutter2019-02-081-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Legacy ebtables supports policies for user-defined chains - and what's worse, they default to ACCEPT unlike anywhere else. So lack of support for this braindead feature in ebtables-nft is actually a change of behaviour which very likely affects all ebtables users out there. The solution implemented here uses an implicit (and transparent) last rule in all user-defined ebtables-nft chains with policy other than RETURN. This rule is identified by an nft comment "XTABLES_EB_INTERNAL_POLICY_RULE" (since commit ccf154d7420c0 ("xtables: Don't use native nftables comments") nft comments are not used otherwise). To minimize interference with existing code, this policy rule is removed from chains during cache population and the policy is saved in NFTNL_CHAIN_POLICY attribute. When committing changes to the kernel, nft_commit() traverses through the list of chains and (re-)creates policy rules if required. In ebtables-nft-restore, table flushes are problematic. To avoid weird kernel error responses, introduce a custom 'table_flush' callback which removes any pending policy rule add/remove jobs prior to creating the NFT_COMPAT_TABLE_FLUSH one. I've hidden all this mess behind checks for h->family, so hopefully impact on {ip,ip6,arp}tables-nft should be negligible. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix for false-positive rule matchingPhil Sutter2019-02-051-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | When comparing two rules with non-standard targets, differences in targets' payloads wasn't respected. The cause is a rather hideous one: Unlike xtables_find_match(), xtables_find_target() did not care whether the found target was already in use or not, so the same target instance was assigned to both rules and therefore payload comparison happened over the same memory location. With legacy iptables it is not possible to reuse a target: The only case where two rules (i.e., iptables_command_state instances) could exist at the same time is when comparing rules, but that's handled using libiptc. The above change clashes with ebtables-nft's reuse of target objects: While input parsing still just assigns the object from xtables_targets list, rule conversion from nftnl to iptables_command_state allocates new data. To fix this, make ebtables-nft input parsing use the common command_jump() routine instead of its own simplified copy. In turn, this also eliminates the ebtables-nft-specific variants of parse_target(), though with a slight change of behaviour: Names of user-defined chains are no longer allowed to contain up to 31 but merely 28 characters. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>