diff options
| author | Florian Westphal <fw@strlen.de> | 2015-02-13 14:00:27 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2015-02-13 14:00:27 +0100 |
| commit | 36305b80176e2e7abe56bcdd084c0ba3d0fd7c0f (patch) | |
| tree | dea4868d0a4485b2aa0416ff5cfe226c4d575001 | |
| parent | 87f82cbd4f94cca74eb58506e117f226a2270759 (diff) | |
tests: split into family and table specific files
also add simple script to restore/save them.
run_qa.sh passes on standard-distro kernels.
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | tests/options-ipv4.filter | 15 | ||||
| -rw-r--r-- | tests/options-ipv4.mangle | 21 | ||||
| -rw-r--r-- | tests/options-ipv4.nat | 12 | ||||
| -rw-r--r-- | tests/options-ipv4.rules | 52 | ||||
| -rw-r--r-- | tests/options-ipv6.filter (renamed from tests/options-most.rules) | 19 | ||||
| -rw-r--r-- | tests/options-ipv6.mangle | 12 | ||||
| -rw-r--r-- | tests/options-ipv6.raw | 6 | ||||
| -rw-r--r-- | tests/run_qa.sh | 39 |
8 files changed, 107 insertions, 69 deletions
diff --git a/tests/options-ipv4.filter b/tests/options-ipv4.filter new file mode 100644 index 00000000..3b4a7967 --- /dev/null +++ b/tests/options-ipv4.filter @@ -0,0 +1,15 @@ +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:QATEST - [0:0] +-A QATEST -m addrtype --src-type UNICAST --dst-type UNICAST --limit-iface-in +-A QATEST -p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 0 +-A QATEST -p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 1 +-A QATEST -p icmp -m icmp --icmp-type 5/0 +-A QATEST -p icmp -m icmp --icmp-type 5/1 +-A QATEST -p icmp -m icmp --icmp-type 5 +-A QATEST -m realm --realm 0x1 -m ttl --ttl-eq 64 -m ttl --ttl-lt 64 -m ttl --ttl-gt 64 +-A QATEST -p tcp -j REJECT --reject-with tcp-reset +-A QATEST -p udp -j REJECT --reject-with icmp-host-unreachable +COMMIT diff --git a/tests/options-ipv4.mangle b/tests/options-ipv4.mangle new file mode 100644 index 00000000..987c7d74 --- /dev/null +++ b/tests/options-ipv4.mangle @@ -0,0 +1,21 @@ +# Generated by iptables-save v1.4.10 on Mon Jan 31 03:03:38 2011 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:QATEST - [0:0] +-A QATEST -p ah -m ah --ahspi 1 +-A QATEST -p ah -m ah --ahspi :2 +-A QATEST -p ah -m ah --ahspi 0:3 +-A QATEST -p ah -m ah --ahspi 4: +-A QATEST -p ah -m ah --ahspi 5:4294967295 +-A QATEST -p tcp -j ECN --ecn-tcp-remove +-A QATEST -j LOG --log-prefix "hi" --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode +-A QATEST -j TTL --ttl-inc 1 +-A QATEST -j TTL --ttl-dec 1 +-A QATEST -j TTL --ttl-set 1 +-A QATEST -j NFLOG --nflog-prefix "abc" --nflog-range 2 --nflog-threshold 2 +-A QATEST -p tcp -j TPROXY --on-port 12345 --on-ip 10.0.0.1 --tproxy-mark 23/0xff +COMMIT diff --git a/tests/options-ipv4.nat b/tests/options-ipv4.nat new file mode 100644 index 00000000..89b2b596 --- /dev/null +++ b/tests/options-ipv4.nat @@ -0,0 +1,12 @@ +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +-A PREROUTING -d 1.2.3.4/32 -i lo -j CLUSTERIP --new --hashmode sourceip --clustermac 01:02:03:04:05:06 --total-nodes 9 --local-node 2 --hash-init 123456789 +-A PREROUTING -i dummy0 -j DNAT --to-destination 1.2.3.4 --random --persistent +-A PREROUTING -i dummy0 -p tcp -j REDIRECT --to-ports 1-2 --random +-A POSTROUTING -o dummy0 -p tcp -j MASQUERADE --to-ports 1-2 --random +-A POSTROUTING -o dummy0 -p tcp -j NETMAP --to 1.0.0.0/8 +-A POSTROUTING -o dummy0 -p tcp -j SNAT --to-source 1.2.3.4-1.2.3.5 --random --persistent +COMMIT diff --git a/tests/options-ipv4.rules b/tests/options-ipv4.rules deleted file mode 100644 index b4adc926..00000000 --- a/tests/options-ipv4.rules +++ /dev/null @@ -1,52 +0,0 @@ -# Generated by iptables-save v1.4.10 on Mon Jan 31 03:03:38 2011 -*mangle -:PREROUTING ACCEPT [2461:977932] -:INPUT ACCEPT [2461:977932] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [1740:367048] -:POSTROUTING ACCEPT [1740:367048] - -# libipt_ --A INPUT -p ah -m ah --ahspi 1 --A INPUT -p ah -m ah --ahspi :2 --A INPUT -p ah -m ah --ahspi 0:3 --A INPUT -p ah -m ah --ahspi 4: --A INPUT -p ah -m ah --ahspi 5:4294967295 - --A FORWARD -p tcp -j ECN --ecn-tcp-remove --A FORWARD -j LOG --log-prefix "hi" --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode --A FORWARD -j TTL --ttl-inc 1 --A FORWARD -j TTL --ttl-dec 1 --A FORWARD -j TTL --ttl-set 1 --A FORWARD -j ULOG --ulog-prefix "abc" --ulog-cprange 2 --ulog-qthreshold 2 -COMMIT -# Completed on Mon Jan 31 03:03:38 2011 -# Generated by iptables-save v1.4.10 on Mon Jan 31 03:03:38 2011 -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] --A PREROUTING -d 1.2.3.4/32 -i lo -j CLUSTERIP --new --hashmode sourceip --clustermac 01:02:03:04:05:06 --total-nodes 9 --local-node 2 --hash-init 123456789 --A PREROUTING -i dummy0 -j DNAT --to-destination 1.2.3.4 --random --persistent --A PREROUTING -i dummy0 -p tcp -j REDIRECT --to-ports 1-2 --random --A POSTROUTING -o dummy0 -p tcp -j MASQUERADE --to-ports 1-2 --random --A POSTROUTING -o dummy0 -p tcp -j NETMAP --to 1.0.0.0/8 --A POSTROUTING -o dummy0 -p tcp -j SNAT --to-source 1.2.3.4-1.2.3.5 --random --persistent -COMMIT -# Completed on Mon Jan 31 03:03:38 2011 -# Generated by iptables-save v1.4.10 on Mon Jan 31 03:03:38 2011 -*filter -:INPUT ACCEPT [76:13548] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [59:11240] -#-A INPUT -m addrtype --src-type UNICAST --dst-type UNICAST --limit-iface-in --A INPUT -p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 0 --A INPUT -p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 1 --A INPUT -p icmp -m icmp --icmp-type 5/0 --A INPUT -p icmp -m icmp --icmp-type 5/1 --A INPUT -p icmp -m icmp --icmp-type 5 --A INPUT -m realm --realm 0x1 -m ttl --ttl-eq 64 -m ttl --ttl-lt 64 -m ttl --ttl-gt 64 --A FORWARD -p tcp -j REJECT --reject-with tcp-reset -COMMIT -# Completed on Mon Jan 31 03:03:39 2011 diff --git a/tests/options-most.rules b/tests/options-ipv6.filter index ef4e7f1c..0401d001 100644 --- a/tests/options-most.rules +++ b/tests/options-ipv6.filter @@ -5,11 +5,10 @@ :matches - - :ntarg - - :zmatches - - --A INPUT -j matches +-A INPUT -i dummy0 -j matches -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg -A INPUT -j zmatches --A INPUT -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY --A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m comment --comment foo -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr -m connmark --mark 0x99 -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY -m cpu --cpu 2 -m dscp --dscp 0x04 -m dscp --dscp 0x00 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24 -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1 -m helper --helper ftp -m iprange --src-range ::1-::2 --dst-range ::1-::2 -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21 -m length --length 1:2 -m limit --limit 1/sec -m mac --mac-source 01:02:03:04:05:06 -m mark --mark 0x1 -m physdev --physdev-in eth0 -m pkttype --pkt-type unicast -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2 -m quota --quota 0 -m recent --rcheck --name DEFAULT --rsource -m socket --transparent -m string --string "foobar" --algo kmp --from 1 --to 2 --icase -m time --timestart 01:02:03 --timestop 03:04:05 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --utc -m tos --tos 0xff/0x01 -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0" -m hbh -m hbh -m hl --hl-eq 1 +-A INPUT -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY -A INPUT -m ipv6header --header hop-by-hop --soft -A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 @@ -198,17 +197,3 @@ -A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9 -A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9 COMMIT -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -:matches - - -:ntarg - - -:zmatches - - --A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg --A ntarg -j HL --hl-inc 1 --A ntarg -j HL --hl-dec 1 --A ntarg -COMMIT diff --git a/tests/options-ipv6.mangle b/tests/options-ipv6.mangle new file mode 100644 index 00000000..ca144821 --- /dev/null +++ b/tests/options-ipv6.mangle @@ -0,0 +1,12 @@ +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:ntarg - - +-A INPUT -i dummy0 -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg +-A ntarg -j HL --hl-inc 1 +-A ntarg -j HL --hl-dec 1 +-A ntarg +COMMIT diff --git a/tests/options-ipv6.raw b/tests/options-ipv6.raw new file mode 100644 index 00000000..ebb39067 --- /dev/null +++ b/tests/options-ipv6.raw @@ -0,0 +1,6 @@ +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A PREROUTING -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY +-A PREROUTING -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m comment --comment foo -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr -m connmark --mark 0x99 -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY -m cpu --cpu 2 -m dscp --dscp 0x04 -m dscp --dscp 0x00 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24 -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1 -m helper --helper ftp -m iprange --src-range ::1-::2 --dst-range ::1-::2 -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21 -m length --length 1:2 -m limit --limit 1/sec -m mac --mac-source 01:02:03:04:05:06 -m mark --mark 0x1 -m physdev --physdev-in eth0 -m pkttype --pkt-type unicast -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2 -m quota --quota 0 -m recent --rcheck --name DEFAULT --rsource -m socket --transparent -m string --string "foobar" --algo kmp --from 1 --to 2 --icase -m time --timestart 01:02:03 --timestop 03:04:05 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --utc -m tos --tos 0xff/0x01 -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0" -m hbh -m hbh -m hl --hl-eq 1 +COMMIT diff --git a/tests/run_qa.sh b/tests/run_qa.sh new file mode 100644 index 00000000..1b045f5b --- /dev/null +++ b/tests/run_qa.sh @@ -0,0 +1,39 @@ +#!/bin/sh + +set -e + +test_family() { + f=$1 + xt=$2 + + for file in options-"$f".* ;do + echo "restoring $file" + "$xt"tables-restore < "$file" + done +} + +test_family ipv4 ip +test_family ipv6 ip6 + +TMPA=$(mktemp) || exit 111 +TMPB=$(mktemp) || exit 111 + +iptables-save > "$TMPA" +(iptables-save | iptables-restore) || exit 111 +iptables-save > "$TMPB" + +echo "iptables diff" +diff -u "$TMPA" "$TMPB" + +rm "$TMPA" "$TMPB" + +ip6tables-save > "$TMPA" +(ip6tables-save | ip6tables-restore) || exit 111 +ip6tables-save > "$TMPB" + +echo "ip6tables diff" +diff -u "$TMPA" "$TMPB" + +rm "$TMPA" "$TMPB" + + |