summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2024-10-22 17:30:42 +0200
committerPhil Sutter <phil@nwl.cc>2024-11-05 18:10:24 +0100
commit29d78e196c771a8cc0788397a504b1b8c9e40e6e (patch)
tree4271cde5e523bddbb8e6dab28a0c77fa1599b86a
parentd6068deba5a51f906abea6c99dc7d2d07d0d4901 (diff)
tests: iptables-test: extend coverage for ip6tables
Update iptables-test.py to run libxt_*.t both for iptables and ip6tables. For libxt_*.t tests, append the command name to status output line. This update requires changes in the existing tests. * Rename libxt_*.t into libipt_*.t and add libip6_*.t variant. - TEE - TPROXY - connlimit - conntrack - iprange - ipvs - policy - recent * Rename the following libxt_*.t to libipt_*.t since they are IPv4 specific: - standard - osf * Remove IPv4 specific test in libxt_mark.t Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat
-rw-r--r--extensions/libip6t_TEE.t3
-rw-r--r--extensions/libip6t_TPROXY.t5
-rw-r--r--extensions/libip6t_connlimit.t16
-rw-r--r--extensions/libip6t_conntrack.t5
-rw-r--r--extensions/libip6t_iprange.t10
-rw-r--r--extensions/libip6t_ipvs.t4
-rw-r--r--extensions/libip6t_policy.t4
-rw-r--r--extensions/libip6t_recent.t10
-rw-r--r--extensions/libipt_TEE.t3
-rw-r--r--extensions/libipt_TPROXY.t (renamed from extensions/libxt_TPROXY.t)0
-rw-r--r--extensions/libipt_connlimit.t11
-rw-r--r--extensions/libipt_conntrack.t5
-rw-r--r--extensions/libipt_iprange.t10
-rw-r--r--extensions/libipt_ipvs.t4
-rw-r--r--extensions/libipt_osf.t (renamed from extensions/libxt_osf.t)0
-rw-r--r--extensions/libipt_policy.t4
-rw-r--r--extensions/libipt_recent.t10
-rw-r--r--extensions/libipt_standard.t21
-rw-r--r--extensions/libxt_TEE.t2
-rw-r--r--extensions/libxt_connlimit.t10
-rw-r--r--extensions/libxt_conntrack.t4
-rw-r--r--extensions/libxt_iprange.t9
-rw-r--r--extensions/libxt_ipvs.t3
-rw-r--r--extensions/libxt_mark.t2
-rw-r--r--extensions/libxt_policy.t3
-rw-r--r--extensions/libxt_recent.t9
-rw-r--r--extensions/libxt_standard.t19
-rwxr-xr-xiptables-test.py80
28 files changed, 177 insertions, 89 deletions
diff --git a/extensions/libip6t_TEE.t b/extensions/libip6t_TEE.t
new file mode 100644
index 00000000..8e668290
--- /dev/null
+++ b/extensions/libip6t_TEE.t
@@ -0,0 +1,3 @@
+:INPUT,FORWARD,OUTPUT
+-j TEE --gateway 2001:db8::1;=;OK
+-j TEE ! --gateway 2001:db8::1;;FAIL
diff --git a/extensions/libip6t_TPROXY.t b/extensions/libip6t_TPROXY.t
new file mode 100644
index 00000000..5af67542
--- /dev/null
+++ b/extensions/libip6t_TPROXY.t
@@ -0,0 +1,5 @@
+:PREROUTING
+*mangle
+-j TPROXY --on-port 12345 --on-ip 2001:db8::1 --tproxy-mark 0x23/0xff;;FAIL
+-p udp -j TPROXY --on-port 12345 --on-ip 2001:db8::1 --tproxy-mark 0x23/0xff;=;OK
+-p tcp -m tcp --dport 2342 -j TPROXY --on-port 12345 --on-ip 2001:db8::1 --tproxy-mark 0x23/0xff;=;OK
diff --git a/extensions/libip6t_connlimit.t b/extensions/libip6t_connlimit.t
new file mode 100644
index 00000000..8b7b3677
--- /dev/null
+++ b/extensions/libip6t_connlimit.t
@@ -0,0 +1,16 @@
+:INPUT,FORWARD,OUTPUT
+-m connlimit --connlimit-upto 0;-m connlimit --connlimit-upto 0 --connlimit-mask 128 --connlimit-saddr;OK
+-m connlimit --connlimit-upto 4294967295 --connlimit-mask 128 --connlimit-saddr;=;OK
+-m connlimit --connlimit-upto 4294967296 --connlimit-mask 128 --connlimit-saddr;;FAIL
+-m connlimit --connlimit-upto -1;;FAIL
+-m connlimit --connlimit-above 0;-m connlimit --connlimit-above 0 --connlimit-mask 128 --connlimit-saddr;OK
+-m connlimit --connlimit-above 4294967295 --connlimit-mask 128 --connlimit-saddr;=;OK
+-m connlimit --connlimit-above 4294967296 --connlimit-mask 128 --connlimit-saddr;;FAIL
+-m connlimit --connlimit-above -1;;FAIL
+-m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL
+-m connlimit --connlimit-above 10 --connlimit-saddr;-m connlimit --connlimit-above 10 --connlimit-mask 128 --connlimit-saddr;OK
+-m connlimit --connlimit-above 10 --connlimit-daddr;-m connlimit --connlimit-above 10 --connlimit-mask 128 --connlimit-daddr;OK
+-m connlimit --connlimit-above 10 --connlimit-saddr --connlimit-daddr;;FAIL
+-m connlimit --connlimit-above 10 --connlimit-mask 128 --connlimit-saddr;=;OK
+-m connlimit --connlimit-above 10 --connlimit-mask 128 --connlimit-daddr;=;OK
+-m connlimit;;FAIL
diff --git a/extensions/libip6t_conntrack.t b/extensions/libip6t_conntrack.t
new file mode 100644
index 00000000..462d4e61
--- /dev/null
+++ b/extensions/libip6t_conntrack.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD,OUTPUT
+-m conntrack --ctorigsrc 2001:db8::1;=;OK
+-m conntrack --ctorigdst 2001:db8::1;=;OK
+-m conntrack --ctreplsrc 2001:db8::1;=;OK
+-m conntrack --ctrepldst 2001:db8::1;=;OK
diff --git a/extensions/libip6t_iprange.t b/extensions/libip6t_iprange.t
new file mode 100644
index 00000000..b98f2c29
--- /dev/null
+++ b/extensions/libip6t_iprange.t
@@ -0,0 +1,10 @@
+:INPUT,FORWARD,OUTPUT
+-m iprange --src-range 2001:db8::1-2001:db8::10;=;OK
+-m iprange ! --src-range 2001:db8::1-2001:db8::10;=;OK
+-m iprange --dst-range 2001:db8::1-2001:db8::10;=;OK
+-m iprange ! --dst-range 2001:db8::1-2001:db8::10;=;OK
+# it shows -A INPUT -m iprange --src-range 2001:db8::1-2001:db8::1, should we support this?
+# ERROR: should fail: ip6tables -A INPUT -m iprange --src-range 2001:db8::1
+# -m iprange --src-range 2001:db8::1;;FAIL
+# ERROR: should fail: ip6tables -A INPUT -m iprange --dst-range 2001:db8::1
+#-m iprange --dst-range 2001:db8::1;;FAIL
diff --git a/extensions/libip6t_ipvs.t b/extensions/libip6t_ipvs.t
new file mode 100644
index 00000000..ff7d9d81
--- /dev/null
+++ b/extensions/libip6t_ipvs.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-m ipvs --vaddr 2001:db8::1;=;OK
+-m ipvs ! --vaddr 2001:db8::/64;=;OK
+-m ipvs --vproto 6 --vaddr 2001:db8::/64 --vport 22 --vdir ORIGINAL --vmethod GATE;=;OK
diff --git a/extensions/libip6t_policy.t b/extensions/libip6t_policy.t
new file mode 100644
index 00000000..06ed71b5
--- /dev/null
+++ b/extensions/libip6t_policy.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD
+-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 2001:db8::/32 --tunnel-src 2001:db8::/32 --next --reqid 2;=;OK
+-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 2001:db8::/32;;FAIL
+-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp --mode tunnel --tunnel-dst 2001:db8::/32 --tunnel-src 2001:db8::/32 --next --reqid 2;=;OK
diff --git a/extensions/libip6t_recent.t b/extensions/libip6t_recent.t
new file mode 100644
index 00000000..55ae8dd5
--- /dev/null
+++ b/extensions/libip6t_recent.t
@@ -0,0 +1,10 @@
+:INPUT,FORWARD,OUTPUT
+-m recent --set;-m recent --set --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource;OK
+-m recent --rcheck --hitcount 8 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource;=;OK
+-m recent --rcheck --hitcount 12 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource;=;OK
+-m recent --update --rttl;-m recent --update --rttl --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource;OK
+-m recent --rcheck --hitcount 65536 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource;;FAIL
+# nonsensical, but all should load successfully:
+-m recent --rcheck --hitcount 3 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -m recent --rcheck --hitcount 4 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource;=;OK
+-m recent --rcheck --hitcount 4 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -m recent --rcheck --hitcount 4 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource;=;OK
+-m recent --rcheck --hitcount 8 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -m recent --rcheck --hitcount 12 --name foo --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource;=;OK
diff --git a/extensions/libipt_TEE.t b/extensions/libipt_TEE.t
new file mode 100644
index 00000000..23dceada
--- /dev/null
+++ b/extensions/libipt_TEE.t
@@ -0,0 +1,3 @@
+:INPUT,FORWARD,OUTPUT
+-j TEE --gateway 1.1.1.1;=;OK
+-j TEE ! --gateway 1.1.1.1;;FAIL
diff --git a/extensions/libxt_TPROXY.t b/extensions/libipt_TPROXY.t
index 12f82b1f..12f82b1f 100644
--- a/extensions/libxt_TPROXY.t
+++ b/extensions/libipt_TPROXY.t
diff --git a/extensions/libipt_connlimit.t b/extensions/libipt_connlimit.t
new file mode 100644
index 00000000..245a4784
--- /dev/null
+++ b/extensions/libipt_connlimit.t
@@ -0,0 +1,11 @@
+:INPUT,FORWARD,OUTPUT
+-m connlimit --connlimit-upto 0;-m connlimit --connlimit-upto 0 --connlimit-mask 32 --connlimit-saddr;OK
+-m connlimit --connlimit-upto 4294967295 --connlimit-mask 32 --connlimit-saddr;=;OK
+-m connlimit --connlimit-upto 4294967296 --connlimit-mask 32 --connlimit-saddr;;FAIL
+-m connlimit --connlimit-above 0;-m connlimit --connlimit-above 0 --connlimit-mask 32 --connlimit-saddr;OK
+-m connlimit --connlimit-above 4294967295 --connlimit-mask 32 --connlimit-saddr;=;OK
+-m connlimit --connlimit-above 4294967296 --connlimit-mask 32 --connlimit-saddr;;FAIL
+-m connlimit --connlimit-above 10 --connlimit-saddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;OK
+-m connlimit --connlimit-above 10 --connlimit-daddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;OK
+-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;=;OK
+-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;=;OK
diff --git a/extensions/libipt_conntrack.t b/extensions/libipt_conntrack.t
new file mode 100644
index 00000000..d70ab71f
--- /dev/null
+++ b/extensions/libipt_conntrack.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD,OUTPUT
+-m conntrack --ctorigsrc 1.1.1.1;=;OK
+-m conntrack --ctorigdst 1.1.1.1;=;OK
+-m conntrack --ctreplsrc 1.1.1.1;=;OK
+-m conntrack --ctrepldst 1.1.1.1;=;OK
diff --git a/extensions/libipt_iprange.t b/extensions/libipt_iprange.t
new file mode 100644
index 00000000..8b443417
--- /dev/null
+++ b/extensions/libipt_iprange.t
@@ -0,0 +1,10 @@
+:INPUT,FORWARD,OUTPUT
+-m iprange --src-range 1.1.1.1-1.1.1.10;=;OK
+-m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK
+-m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK
+-m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK
+# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this?
+# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1
+# -m iprange --src-range 1.1.1.1;;FAIL
+# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1
+#-m iprange --dst-range 1.1.1.1;;FAIL
diff --git a/extensions/libipt_ipvs.t b/extensions/libipt_ipvs.t
new file mode 100644
index 00000000..bb23ccf2
--- /dev/null
+++ b/extensions/libipt_ipvs.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-m ipvs --vaddr 1.2.3.4;=;OK
+-m ipvs ! --vaddr 1.2.3.4/255.255.255.0;-m ipvs ! --vaddr 1.2.3.4/24;OK
+-m ipvs --vproto 6 --vaddr 1.2.3.4/16 --vport 22 --vdir ORIGINAL --vmethod GATE;=;OK
diff --git a/extensions/libxt_osf.t b/extensions/libipt_osf.t
index ede6d32c..ede6d32c 100644
--- a/extensions/libxt_osf.t
+++ b/extensions/libipt_osf.t
diff --git a/extensions/libipt_policy.t b/extensions/libipt_policy.t
new file mode 100644
index 00000000..1fa3dcfd
--- /dev/null
+++ b/extensions/libipt_policy.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD
+-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
+-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 10.0.0.0/8;;FAIL
+-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
diff --git a/extensions/libipt_recent.t b/extensions/libipt_recent.t
new file mode 100644
index 00000000..764a415d
--- /dev/null
+++ b/extensions/libipt_recent.t
@@ -0,0 +1,10 @@
+:INPUT,FORWARD,OUTPUT
+-m recent --set;-m recent --set --name DEFAULT --mask 255.255.255.255 --rsource;OK
+-m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource;=;OK
+-m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
+-m recent --update --rttl;-m recent --update --rttl --name DEFAULT --mask 255.255.255.255 --rsource;OK
+-m recent --rcheck --hitcount 65536 --name foo --mask 255.255.255.255 --rsource;;FAIL
+# nonsensical, but all should load successfully:
+-m recent --rcheck --hitcount 3 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
+-m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
+-m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
diff --git a/extensions/libipt_standard.t b/extensions/libipt_standard.t
new file mode 100644
index 00000000..4eb144d1
--- /dev/null
+++ b/extensions/libipt_standard.t
@@ -0,0 +1,21 @@
+:INPUT,FORWARD,OUTPUT
+-s 127.0.0.1/32 -d 0.0.0.0/8 -j DROP;=;OK
+! -s 0.0.0.0 -j ACCEPT;! -s 0.0.0.0/32 -j ACCEPT;OK
+! -d 0.0.0.0/32 -j ACCEPT;=;OK
+-s 0.0.0.0/24 -j RETURN;=;OK
+-s 10.11.12.13/8;-s 10.0.0.0/8;OK
+-s 10.11.12.13/9;-s 10.0.0.0/9;OK
+-s 10.11.12.13/10;-s 10.0.0.0/10;OK
+-s 10.11.12.13/11;-s 10.0.0.0/11;OK
+-s 10.11.12.13/12;-s 10.0.0.0/12;OK
+-s 10.11.12.13/30;-s 10.11.12.12/30;OK
+-s 10.11.12.13/31;-s 10.11.12.12/31;OK
+-s 10.11.12.13/32;-s 10.11.12.13/32;OK
+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
+:FORWARD
+--protocol=tcp --source=1.2.3.4 --destination=5.6.7.8/32 --in-interface=eth0 --out-interface=eth1 --jump=ACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
+-ptcp -s1.2.3.4 -d5.6.7.8/32 -ieth0 -oeth1 -jACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
+-i + -d 1.2.3.4;-d 1.2.3.4/32;OK
diff --git a/extensions/libxt_TEE.t b/extensions/libxt_TEE.t
index ce8b103e..3c7b929c 100644
--- a/extensions/libxt_TEE.t
+++ b/extensions/libxt_TEE.t
@@ -1,4 +1,2 @@
:INPUT,FORWARD,OUTPUT
--j TEE --gateway 1.1.1.1;=;OK
--j TEE ! --gateway 1.1.1.1;;FAIL
-j TEE;;FAIL
diff --git a/extensions/libxt_connlimit.t b/extensions/libxt_connlimit.t
index 366cea74..79d08748 100644
--- a/extensions/libxt_connlimit.t
+++ b/extensions/libxt_connlimit.t
@@ -1,16 +1,6 @@
:INPUT,FORWARD,OUTPUT
--m connlimit --connlimit-upto 0;-m connlimit --connlimit-upto 0 --connlimit-mask 32 --connlimit-saddr;OK
--m connlimit --connlimit-upto 4294967295 --connlimit-mask 32 --connlimit-saddr;=;OK
--m connlimit --connlimit-upto 4294967296 --connlimit-mask 32 --connlimit-saddr;;FAIL
-m connlimit --connlimit-upto -1;;FAIL
--m connlimit --connlimit-above 0;-m connlimit --connlimit-above 0 --connlimit-mask 32 --connlimit-saddr;OK
--m connlimit --connlimit-above 4294967295 --connlimit-mask 32 --connlimit-saddr;=;OK
--m connlimit --connlimit-above 4294967296 --connlimit-mask 32 --connlimit-saddr;;FAIL
-m connlimit --connlimit-above -1;;FAIL
-m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL
--m connlimit --connlimit-above 10 --connlimit-saddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;OK
--m connlimit --connlimit-above 10 --connlimit-daddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;OK
-m connlimit --connlimit-above 10 --connlimit-saddr --connlimit-daddr;;FAIL
--m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;=;OK
--m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;=;OK
-m connlimit;;FAIL
diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
index 5e27ddce..2377a016 100644
--- a/extensions/libxt_conntrack.t
+++ b/extensions/libxt_conntrack.t
@@ -8,10 +8,6 @@
-m conntrack --ctstate wrong;;FAIL
# should we convert this to output "tcp" instead of 6?
-m conntrack --ctproto tcp;-m conntrack --ctproto 6;OK
--m conntrack --ctorigsrc 1.1.1.1;=;OK
--m conntrack --ctorigdst 1.1.1.1;=;OK
--m conntrack --ctreplsrc 1.1.1.1;=;OK
--m conntrack --ctrepldst 1.1.1.1;=;OK
-m conntrack --ctexpire 0;=;OK
-m conntrack --ctexpire 4294967295;=;OK
-m conntrack --ctexpire 0:4294967295;=;OK
diff --git a/extensions/libxt_iprange.t b/extensions/libxt_iprange.t
index 6fd98be6..83a67d11 100644
--- a/extensions/libxt_iprange.t
+++ b/extensions/libxt_iprange.t
@@ -1,11 +1,2 @@
:INPUT,FORWARD,OUTPUT
--m iprange --src-range 1.1.1.1-1.1.1.10;=;OK
--m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK
--m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK
--m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK
-# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this?
-# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1
-# -m iprange --src-range 1.1.1.1;;FAIL
-# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1
-#-m iprange --dst-range 1.1.1.1;;FAIL
-m iprange;;FAIL
diff --git a/extensions/libxt_ipvs.t b/extensions/libxt_ipvs.t
index c2acc666..a76a6967 100644
--- a/extensions/libxt_ipvs.t
+++ b/extensions/libxt_ipvs.t
@@ -4,8 +4,6 @@
-m ipvs --vproto tcp;-m ipvs --vproto 6;OK
-m ipvs ! --vproto TCP;-m ipvs ! --vproto 6;OK
-m ipvs --vproto 23;=;OK
--m ipvs --vaddr 1.2.3.4;=;OK
--m ipvs ! --vaddr 1.2.3.4/255.255.255.0;-m ipvs ! --vaddr 1.2.3.4/24;OK
-m ipvs --vport http;-m ipvs --vport 80;OK
-m ipvs ! --vport ssh;-m ipvs ! --vport 22;OK
-m ipvs --vport 22;=;OK
@@ -17,4 +15,3 @@
-m ipvs --vmethod MASQ;=;OK
-m ipvs --vportctl 21;=;OK
-m ipvs ! --vportctl 21;=;OK
--m ipvs --vproto 6 --vaddr 1.2.3.4/16 --vport 22 --vdir ORIGINAL --vmethod GATE;=;OK
diff --git a/extensions/libxt_mark.t b/extensions/libxt_mark.t
index 12c05865..b8dc3cb3 100644
--- a/extensions/libxt_mark.t
+++ b/extensions/libxt_mark.t
@@ -5,4 +5,4 @@
-m mark --mark 4294967296;;FAIL
-m mark --mark -1;;FAIL
-m mark;;FAIL
--s 1.2.0.0/15 -m mark --mark 0x0/0xff0;=;OK
+-m mark --mark 0x0/0xff0;=;OK
diff --git a/extensions/libxt_policy.t b/extensions/libxt_policy.t
index 6524122b..fea708bb 100644
--- a/extensions/libxt_policy.t
+++ b/extensions/libxt_policy.t
@@ -3,6 +3,3 @@
-m policy --dir in --pol ipsec --proto ipcomp;=;OK
-m policy --dir in --pol ipsec --strict;;FAIL
-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp;=;OK
--m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
--m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 10.0.0.0/8;;FAIL
--m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
diff --git a/extensions/libxt_recent.t b/extensions/libxt_recent.t
index 3b0dd9fa..6c2cbd23 100644
--- a/extensions/libxt_recent.t
+++ b/extensions/libxt_recent.t
@@ -1,11 +1,2 @@
:INPUT,FORWARD,OUTPUT
--m recent --set;-m recent --set --name DEFAULT --mask 255.255.255.255 --rsource;OK
--m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --update --rttl;-m recent --update --rttl --name DEFAULT --mask 255.255.255.255 --rsource;OK
-m recent --set --rttl;;FAIL
--m recent --rcheck --hitcount 65536 --name foo --mask 255.255.255.255 --rsource;;FAIL
-# nonsensical, but all should load successfully:
--m recent --rcheck --hitcount 3 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 7c83cfa3..947e92af 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -1,28 +1,9 @@
:INPUT,FORWARD,OUTPUT
--s 127.0.0.1/32 -d 0.0.0.0/8 -j DROP;=;OK
-! -s 0.0.0.0 -j ACCEPT;! -s 0.0.0.0/32 -j ACCEPT;OK
-! -d 0.0.0.0/32 -j ACCEPT;=;OK
--s 0.0.0.0/24 -j RETURN;=;OK
-p tcp -j ACCEPT;=;OK
! -p udp -j ACCEPT;=;OK
-j DROP;=;OK
-j ACCEPT;=;OK
-j RETURN;=;OK
! -p 0 -j ACCEPT;=;FAIL
--s 10.11.12.13/8;-s 10.0.0.0/8;OK
--s 10.11.12.13/9;-s 10.0.0.0/9;OK
--s 10.11.12.13/10;-s 10.0.0.0/10;OK
--s 10.11.12.13/11;-s 10.0.0.0/11;OK
--s 10.11.12.13/12;-s 10.0.0.0/12;OK
--s 10.11.12.13/30;-s 10.11.12.12/30;OK
--s 10.11.12.13/31;-s 10.11.12.12/31;OK
--s 10.11.12.13/32;-s 10.11.12.13/32;OK
--s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
--s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
--s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
--s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
:FORWARD
---protocol=tcp --source=1.2.3.4 --destination=5.6.7.8/32 --in-interface=eth0 --out-interface=eth1 --jump=ACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
--ptcp -s1.2.3.4 -d5.6.7.8/32 -ieth0 -oeth1 -jACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
--i + -d 1.2.3.4;-d 1.2.3.4/32;OK
-i + -p tcp;-p tcp;OK
diff --git a/iptables-test.py b/iptables-test.py
index 28029ad3..0d2f30df 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -385,44 +385,20 @@ def run_test_file_fast(iptables, filename, netns):
return tests
-def run_test_file(filename, netns):
+def _run_test_file(iptables, filename, netns, suffix):
'''
Runs a test file
+ :param iptables: string with the iptables command to execute
:param filename: name of the file with the test rules
:param netns: network namespace to perform test run in
'''
- #
- # if this is not a test file, skip.
- #
- if not filename.endswith(".t"):
- return 0, 0
-
- if "libipt_" in filename:
- iptables = IPTABLES
- elif "libip6t_" in filename:
- iptables = IP6TABLES
- elif "libxt_" in filename:
- iptables = IPTABLES
- elif "libarpt_" in filename:
- # only supported with nf_tables backend
- if EXECUTABLE != "xtables-nft-multi":
- return 0, 0
- iptables = ARPTABLES
- elif "libebt_" in filename:
- # only supported with nf_tables backend
- if EXECUTABLE != "xtables-nft-multi":
- return 0, 0
- iptables = EBTABLES
- else:
- # default to iptables if not known prefix
- iptables = IPTABLES
fast_failed = False
if fast_run_possible(filename):
tests = run_test_file_fast(iptables, filename, netns)
if tests > 0:
- print(filename + ": " + maybe_colored('green', "OK", STDOUT_IS_TTY))
+ print(filename + ": " + maybe_colored('green', "OK", STDOUT_IS_TTY) + suffix)
return tests, tests
fast_failed = True
@@ -503,14 +479,60 @@ def run_test_file(filename, netns):
if netns:
execute_cmd("ip netns del " + netns, filename)
if total_test_passed:
- suffix = ""
if fast_failed:
- suffix = maybe_colored('red', " but fast mode failed!", STDOUT_IS_TTY)
+ suffix += maybe_colored('red', " but fast mode failed!", STDOUT_IS_TTY)
print(filename + ": " + maybe_colored('green', "OK", STDOUT_IS_TTY) + suffix)
f.close()
return tests, passed
+def run_test_file(filename, netns):
+ '''
+ Runs a test file
+
+ :param filename: name of the file with the test rules
+ :param netns: network namespace to perform test run in
+ '''
+ #
+ # if this is not a test file, skip.
+ #
+ if not filename.endswith(".t"):
+ return 0, 0
+
+ if "libipt_" in filename:
+ xtables = [ IPTABLES ]
+ elif "libip6t_" in filename:
+ xtables = [ IP6TABLES ]
+ elif "libxt_" in filename:
+ xtables = [ IPTABLES, IP6TABLES ]
+ elif "libarpt_" in filename:
+ # only supported with nf_tables backend
+ if EXECUTABLE != "xtables-nft-multi":
+ return 0, 0
+ xtables = [ ARPTABLES ]
+ elif "libebt_" in filename:
+ # only supported with nf_tables backend
+ if EXECUTABLE != "xtables-nft-multi":
+ return 0, 0
+ xtables = [ EBTABLES ]
+ else:
+ # default to iptables if not known prefix
+ xtables = [ IPTABLES ]
+
+ tests = 0
+ passed = 0
+ print_result = False
+ suffix = ""
+ for iptables in xtables:
+ if len(xtables) > 1:
+ suffix = "({})".format(iptables)
+
+ file_tests, file_passed = _run_test_file(iptables, filename, netns, suffix)
+ if file_tests:
+ tests += file_tests
+ passed += file_passed
+
+ return tests, passed
def show_missing():
'''
generated by cgit v1.2.3 (git 2.25.0) at 2025-08-01 06:28:12 +0000