From ad92ed77e77fe421a86f0fde907c51286ed47928 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Thu, 4 Jan 2018 13:21:26 +0100 Subject: Fix "don't update counters" mode when counters used at the matching The matching of the counters was not taken into account, fixed. --- tests/hash:net.t | 2 ++ tests/iptables.sh | 9 +++++++++ tests/match_target.t | 6 ++++++ 3 files changed, 17 insertions(+) (limited to 'tests')
diff --git a/tests/hash:net.t b/tests/hash:net.t
index 4db9e9a..501f63e 100644
--- a/tests/hash:net.t
+++ b/tests/hash:net.t
@@ -86,6 +86,8 @@
 0 ipset -A test 1.1.1.0/26
 # Check non-matching IP
 1 ipset -T test 1.1.1.1
+# Check non-matching IP with nomatch flag
+0 ipset -T test 1.1.1.1 nomatch
 # Check matching IP from non-matchin small net
 0 ipset -T test 1.1.1.3
 # Check non-matching IP from larger net
diff --git a/tests/iptables.sh b/tests/iptables.sh
index 8bc77ef..bca3253 100755
--- a/tests/iptables.sh
+++ b/tests/iptables.sh
@@ -116,6 +116,15 @@ netiface)
 $cmd -A OUTPUT -m set --match-set test dst,dst -j LOG --log-prefix "in set netiface: "
 $cmd -A OUTPUT -d 10.255.255.254 -j DROP
 ;;
+counter)
+ $ipset n test hash:ip counters
+ $ipset a test 10.255.255.64
+ $cmd -A OUTPUT -m set --match-set test src --packets-gt 1 ! --update-counters -j DROP
+ $cmd -A OUTPUT -m set --match-set test src -j DROP
+ ./sendip.sh -p ipv4 -id 10.255.255.254 -is 10.255.255.64 -p udp -ud 80 -us 1025 10.255.255.254 >/dev/null 2>&1
+ ./sendip.sh -p ipv4 -id 10.255.255.254 -is 10.255.255.64 -p udp -ud 80 -us 1025 10.255.255.254 >/dev/null 2>&1
+ ./sendip.sh -p ipv4 -id 10.255.255.254 -is 10.255.255.64 -p udp -ud 80 -us 1025 10.255.255.254 >/dev/null 2>&1
+ ;;
 stop)
 $cmd -F
 $cmd -X
diff --git a/tests/match_target.t b/tests/match_target.t
index 3d7ed1b..4141ce6 100644
--- a/tests/match_target.t
+++ b/tests/match_target.t
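Review bot: The three `./sendip.sh` calls in the new `counter)` arm discard all output and ignore the exit status, so if the third send fails the counter still ends at 2 and the `packets 2` check in tests/match_target.t passes without the `! --update-counters` rule ever matching. Unless the script aborts on errors somewhere outside this hunk, each send should fail the arm explicitly by ending in `>/dev/null 2>&1 || exit 1`. A short comment above the sends would also record the expectation, which as far as the two rules show is: `# packets 1 and 2 fall through to the second rule and are counted; packet 3 matches --packets-gt 1 and must leave the counter at 2`. The enclosing `case` statement starts and ends outside the hunk.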
@@ -112,4 +112,10 @@
 0 ./check_klog.sh 10.255.255.64 udp 1025 netiface
 # Destroy sets and rules
 0 ./iptables.sh inet stop
+# Create set and rules for the counter test
+0 ./iptables.sh inet counter
+# Check packet counter
+0 ipset l test |grep -q '^10.255.255.64 packets 2'
+# Destroy sets and rules
+0 ./iptables.sh inet stop
 # eof
-- cgit v1.2.3
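Review bot: The pattern in `grep -q '^10.255.255.64 packets 2'` is looser than the test intends: the dots match any character and nothing terminates the number, so a listing that shows `packets 20` or more would also pass. Since the check is meant to prove the counter stopped at exactly 2, escape the dots and end the count, e.g. `0 ipset l test |grep -q '^10\.255\.255\.64 packets 2 '`. The trailing space assumes the listing continues with ` bytes …` after the packet count, as ipset normally prints it for sets created with `counters`.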