path: root/xlate-test.py
Commit message | Author | Age | Files | Lines
* tests: xlate: Print failing command line | Phil Sutter | 2023-11-23 | 1 | -2/+3

  If the command segfaults, 'error' variable is empty and the resulting error message is even misleading as the called program may not have been iptables-translate.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* arptables-txlate: add test cases | Florian Westphal | 2023-11-07 | 1 | -1/+3

  Add test cases for libarpt_mangle and extend the generic tests to cover basic arptables matches.

  Note that there are several historic artefacts that could be revised. For example, arptables-legacy and arptables-nft both ignore "-p" instead of returning an error about an unsupported option. The ptype could be hard-wired to 0x800 and set unconditionally. OTOH, this should always match for ethernet arp packets anyway.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate: Print file names even if specified | Phil Sutter | 2023-02-17 | 1 | -1/+1

  Since the script now supports running for multiple files given on command line, do not skip printing a status line for each.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate: Properly split input in replay mode | Phil Sutter | 2023-02-17 | 1 | -1/+1

  Source command may contain quotes, using shlex.split() does the right thing there.

  Fixes: 7705b2daa3bdc ("tests: xlate: Use --check to verify replay")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate: Support testing multiple individual files | Phil Sutter | 2023-01-31 | 1 | -8/+13

  Simple use-case: run xlate-test for ebtables-nft:

  | % ./xlate-test.py extensions/libebt_*.txlate

  The script interpreted all parameters as a single file.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: Adjust testsuite return codes to automake guidelines | Phil Sutter | 2022-12-14 | 1 | -1/+1

  As per the manual[1]:

  "When no test protocol is in use, an exit status of 0 from a test script will denote a success, an exit status of 77 a skipped test, an exit status of 99 a hard error, and any other exit status will denote a failure."

  [1] https://www.gnu.org/software/automake/manual/html_node/Scripts_002dbased-Testsuites.html

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate: Use --check to verify replay | Phil Sutter | 2022-12-02 | 1 | -28/+18

  After applying the translated rule using nft, pass the untranslated rule to --check instead of dumping the ruleset and performing a string search. This fixes for mandatory match reordering (e.g. addresses before interfaces) and minor differences like /32 netmasks or even just whitespace changes.

  Fixes: 223e34b057b95 ("tests: xlate-test: Replay results for reverse direction testing")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xlate-test: avoid shell entanglements | Florian Westphal | 2022-11-30 | 1 | -9/+9

  Feed the nft expected output found in the .txlate test files to nft -f via pipe/stdin directly without the shell mangling it.

  The shell step isn't needed anymore because xtables-translate no longer escapes quotes.

  We only need to remove the "nft '" and trailing "'" because nft doesn't expect those.

  v3: handle multi-line expectations such as libxt_connlimmit.txlate (Phil Sutter)

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Replay results for reverse direction testing | Phil Sutter | 2022-11-11 | 1 | -1/+144

  Call nft with translation output as input, then check xtables-save output to make sure iptables-nft can handle anything it suggests nft to turn its ruleset into.

  This extends the test case syntax to cover for expected asymmetries. When the existing syntax was something like this:

  | <xlate command>
  | <nft output1>
  | [<nft output2>

  The new syntax then is:

  | <xlate command>[;<replay rule part>]
  | <nft output1>
  | [<nft output2>]

  To keep things terse, <replay rule part> may omit the obligatory '-A <chain>' argument. If missing, <xlate command> is sanitized for how it would appear in xtables-save output: '-I' is converted into '-A' and an optional table spec is removed.

  Since replay mode has to manipulate the ruleset in-kernel, abort if called by unprivileged user. Also try to run in own net namespace to reduce collateral damage.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test.py: Introduce run_proc() | Phil Sutter | 2022-11-11 | 1 | -5/+11

  It's just a convenience wrapper around Popen(), simplifying the call.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Cleanup file reading loop | Phil Sutter | 2022-11-11 | 1 | -30/+37

  Put the actual translation test into a function to call from the loop and clean it up a bit. Preparation work for running a second test on the same data.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xlate-test: Fix for empty source line on failure | Phil Sutter | 2022-03-31 | 1 | -1/+2

  The code overwrites 'line' before checking expected output. Save it in a temporary variable.

  Fixes: 62828a6aff231 ("tests: xlate-test: support multiline expectation")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xlate-test: Print full path if testing all files | Phil Sutter | 2021-11-08 | 1 | -9/+9

  Lines won't become too long and it's more clear to users where test input comes from this way.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Tested-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate-test: Exit non-zero on error | Phil Sutter | 2021-09-13 | 1 | -10/+16

  If a test fails, return a non-zero exit code. To do so, propagate the pass/fail statistics up to main() for evaluation. While being at it, move the statistics printing into there as well and get rid of that redundant assignment to 'test_passed'.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Print errors to stderr | Phil Sutter | 2021-09-13 | 1 | -2/+2

  Return code is always zero, so grepping for output on stderr is a simple way to detect testsuite failures.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Don't skip any input after the first empty line | Phil Sutter | 2021-09-13 | 1 | -2/+2

  In conditionals, testing the empty string evaluates to false. This is dumb but seems intentional, as readline() method returns an empty string at EOF. This is distinct from reading an empty line as the latter contains the newline character - unless it is stripped in between readline() and conditional.

  The fixed commit introduced just that by accident, effectively reducing any test file to the first contained test:

  | $ ./xlate-test.py
  | [...]
  | 81 test files, 84 tests, 84 tests passed, 0 tests failed, 0 errors

  With this change in place, the summary looks much better:

  | 81 test files, 368 tests, 368 tests passed, 0 tests failed, 0 errors

  Fixes: 62828a6aff231 ("tests: xlate-test: support multiline expectation")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: support multiline expectation | Pablo Neira Ayuso | 2021-06-07 | 1 | -2/+12

  Extend translation test to deal with multiline translation, e.g.

      iptables-translate -A INPUT -m connlimit --connlimit-above 2
      nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
      nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count over 2 } counter

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xlate-test: Support testing host binaries | Phil Sutter | 2019-02-22 | 1 | -3/+11

  Introduce --host parameter to run the testsuite against host's binaries instead of built ones.

  Apparently, extending PATH variable in main() was redundant with explicit full path call in run_test() so drop the former.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xlate-test: Fix for calling wrong command name | Phil Sutter | 2018-08-24 | 1 | -1/+1

  Apparently, this is a leftover from the compat->nft naming change in created binary (symlinks).

  Fixes: be70918eab26e ("xtables: rename xt-multi binaries to -nft, -legacy")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xlate-test: use locally installed xlate tools | Florian Westphal | 2018-05-04 | 1 | -1/+3

  same as iptables-test: use the translate tools in the current working directory, not the system-wide ones.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: add initial test cases | Florian Westphal | 2018-04-13 | 1 | -1/+1

  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: xlate-test: no need to require superuser privileges | Florian Westphal | 2018-01-31 | 1 | -3/+1

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate: print output in same way as nft-test.py | Harsha Sharma | 2017-10-24 | 1 | -13/+26

  Print errors and total no. of tests, tests passed, failed and errors for testfile argument
  Remove option "--all"
  Print file names for which all tests are passed with OK

  For e.g -

      sudo ./xlate-test.py
      generic.txlate: OK
      libip6t_DNAT.txlate: OK
      ...
      libxt_TCPMSS.txlate: Fail
      src: iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      exp: nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
      res: nft # -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      ...
      libxt_connlabel.txlate: Error: iptables-translate failure
      iptables-translate v1.6.1: Couldn't load match `connlabel':No such file or directory
      ...
      64 test files, 246 tests, 242 tests passed, 2 tests failed, 2 errors

      sudo ./xlate-test.py extensions/libxt_iprange.txlate
      1 test file, 5 tests, 5 tests passed, 0 tests failed, 0 errors

      sudo ./xlate-test.py extensions/libxt_connlabel.txlate
      extensions/libxt_connlabel.txlate: Error: iptables-translate failure
      iptables-translate v1.6.1: Couldn't load match `connlabel':No such file or directory
      ...
      1 test file, 2 tests, 0 tests passed, 0 tests failed, 2 errors

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate: check if it is being run as root | Pablo M. Bermudo Garay | 2017-04-25 | 1 | -1/+3

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate: remove python 3.5 dependency | Pablo M. Bermudo Garay | 2017-04-25 | 1 | -13/+19

  This commit replaces subprocess.run (introduced in python 3.5) with subprocess.Popen (supported since the first version of python 3).

  Furthermore, the output has been improved when ip[6]tables-translate exits with non-zero return code.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add regression tests for xtables-translate | Pablo M. Bermudo Garay | 2017-04-07 | 1 | -0/+85

  This test suite is intended to detect regressions in the translation infrastructure. The script checks if ip[6]tables-translate produces the expected output, otherwise it prints the wrong translation and the expected one.

  ** Arguments

      --all     # Show also passed tests
      [test]    # Run only the specified test file

  ** Test files structure

  Test files are located under extensions directory. Every file contains tests about specific extension translations. A test file name must end with ".txlate".

  Inside the files, every single test is defined by two consecutive lines: ip[6]tables-translate command and expected result. One blank line is left between tests by convention.

  e.g.

      $ cat extensions/libxt_cpu.txlate
      iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
      nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept

      iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
      nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>