author | Phil Sutter <phil@nwl.cc> | 2023-05-05 20:18:38 +0200 |
committer | Phil Sutter <phil@nwl.cc> | 2023-08-11 15:56:38 +0200 |
commit | b14c971db6db069fbfd2a892c617de8d8bf26733 (patch) | |
tree | 7943aa0771f1900cbaff4a3725a8f2f6c2e45e8c | |
parent | 11c464ed015b52a28d90c63c69e10e5f7d4053d4 (diff) |
tests: Test compat mode
Extend iptables-test.py by a third mode, which uses
xtables-nft-multi and passes --compat to all calls creating rules.
Also add a shell testcase asserting the effectiveness of --compat by
comparing debug (-vv) output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
-rwxr-xr-x | iptables-test.py | 19 | ||||
-rwxr-xr-x | iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 | 63 |
2 files changed, 78 insertions, 4 deletions
diff --git a/iptables-test.py b/iptables-test.py index 6f63cdbe..22b445df 100755 --- a/iptables-test.py +++ b/iptables-test.py @@ -28,6 +28,8 @@ EBTABLES_SAVE = "ebtables-save" #IPTABLES_SAVE = ['xtables-save','-4'] #IP6TABLES_SAVE = ['xtables-save','-6'] +COMPAT_ARG = "" + EXTENSIONS_PATH = "extensions" LOGFILE="/tmp/iptables-test.log" log_file = None @@ -83,7 +85,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns): ''' ret = 0 - cmd = iptables + " -A " + rule + cmd = iptables + COMPAT_ARG + " -A " + rule ret = execute_cmd(cmd, filename, lineno, netns) # @@ -318,7 +320,7 @@ def run_test_file_fast(iptables, filename, netns): # load all rules via iptables_restore - command = EXECUTABLE + " " + iptables + "-restore" + command = EXECUTABLE + " " + iptables + "-restore" + COMPAT_ARG if netns: command = "ip netns exec " + netns + " " + command @@ -558,6 +560,8 @@ def main(): help='Check for missing tests') parser.add_argument('-n', '--nftables', action='store_true', help='Test iptables-over-nftables') + parser.add_argument('-c', '--nft-compat', action='store_true', + help='Test iptables-over-nftables in compat mode') parser.add_argument('-N', '--netns', action='store_const', const='____iptables-container-test', help='Test netnamespace path') @@ -577,8 +581,10 @@ def main(): variants.append("legacy") if args.nftables: variants.append("nft") + if args.nft_compat: + variants.append("nft_compat") if len(variants) == 0: - variants = [ "legacy", "nft" ] + variants = [ "legacy", "nft", "nft_compat" ] if os.getuid() != 0: print("You need to be root to run this, sorry", file=sys.stderr) @@ -598,7 +604,12 @@ def main(): total_tests = 0 for variant in variants: global EXECUTABLE - EXECUTABLE = "xtables-" + variant + "-multi" + global COMPAT_ARG + if variant == "nft_compat": + EXECUTABLE = "xtables-nft-multi" + COMPAT_ARG = " --compat" + else: + EXECUTABLE = "xtables-" + variant + "-multi" test_files = 0 tests = 0 
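Review bot: In the last hunk of main(), the `else` branch sets EXECUTABLE but never clears COMPAT_ARG, so whichever value an earlier iteration left in it is reused; this only works because the hunk at line 581 appends "nft_compat" to variants after "legacy" and "nft", an ordering the loop should not depend on. Adding `COMPAT_ARG = ""` to the `else` branch makes each iteration self-contained. The new module-level `COMPAT_ARG = ""` in the first hunk also deserves a comment, e.g. `# extra argument appended to rule-creating iptables calls; the leading space is part of the value`, since run_test and run_test_file_fast concatenate it directly onto the command string. Both the variants loop and main() continue past the hunk.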
diff --git a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
new file mode 100755
index 00000000..c8cee8ae
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+set -e
+
+# reduce noise in debug output
+$XT_MULTI iptables -t raw -A OUTPUT
+$XT_MULTI iptables -t raw -F
+
+# add all the things which were "optimized" here
+RULE='-t raw -A OUTPUT'
+
+# prefix matches on class (actually: byte) boundaries no longer need a bitwise
+RULE+=' -s 10.0.0.0/8 -d 192.168.0.0/16'
+
+# these were turned into native matches meanwhile
+# (plus -m tcp, but it conflicts with -m udp)
+RULE+=' -m limit --limit 1/min'
+RULE+=' -p udp -m udp --sport 1024:65535'
+RULE+=' -m mark --mark 0xfeedcafe/0xfeedcafe'
+RULE+=' -j TRACE'
+
+EXPECT_COMMON='TRACE udp opt -- in * out * 10.0.0.0/8 -> 192.168.0.0/16 limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
+ip raw OUTPUT'
+
+EXPECT="$EXPECT_COMMON
+ [ payload load 1b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0000a8c0 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ limit rate 1/minute burst 5 type packets flags 0x0 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range eq reg 1 0x00000004 0x0000ffff ]
+ [ meta load mark => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0xfeedcafe ]
+ [ counter pkts 0 bytes 0 ]
+ [ immediate reg 9 0x00000001 ]
+ [ meta set nftrace with reg 9 ]
+"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -vv $RULE)
+
+EXPECT="$EXPECT_COMMON
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000a8c0 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ match name limit rev 0 ]
+ [ match name udp rev 0 ]
+ [ match 
name mark rev 1 ]
+ [ counter pkts 0 bytes 0 ]
+ [ target name TRACE rev 0 ]
+"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables --compat -vv $RULE) |
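Review bot: Both comparisons feed the expected text through `echo -e`, which re-interprets backslash escapes in `$EXPECT`; the current expectations contain none, but `printf '%s\n' "$EXPECT"` passes the string through unchanged and keeps later additions to the expected output from being silently rewritten. The rule appended to the raw OUTPUT chain is never removed at the end of the script, which is harmless if the runner executes each testcase in a throwaway network namespace; that is not visible here, so worth confirming. Note that `set -e` is what turns a non-empty diff into a failure, since the exit status of the iptables call inside the process substitution is otherwise not observed.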