authorPhil Sutter <phil@nwl.cc>2023-08-15 13:47:28 +0200
committerPhil Sutter <phil@nwl.cc>2023-09-01 13:15:03 +0200
commit35ff97e9aca8cd301ff9b9a95b0a72de1aeb700b (patch)
tree5f4b36dfccf29e4290e48b3a7dfe6bc7dab5dbf2 /iptables/tests
parent63e4a64e943be64a7e0486838071b981074e696d (diff)
Revert --compat option related commits
This reverts the following commits:

b14c971db6db0 ("tests: Test compat mode")
11c464ed015b5 ("Add --compat option to *tables-nft and *-nft-restore commands")
ca709b5784c98 ("nft: Introduce and use bool nft_handle::compat")
402b9b3c07c81 ("nft: Pass nft_handle to add_{target,action}()")

This implementation of a compatibility mode implements rules using xtables extensions if possible and thus relies upon the existence of those in kernel space. Assuming no viable replacement for the internal mechanics of this mode will be found in the foreseeable future, it will effectively block attempts at deprecating and removing these xtables extensions in favor of nftables expressions and thus hinder upstream's future plans for iptables.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/tests')
-rwxr-xr-xiptables/tests/shell/testcases/nft-only/0011-compat-mode_063
1 files changed, 0 insertions, 63 deletions
diff --git a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
deleted file mode 100755
index c8cee8ae..00000000
--- a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/bash
-
-[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
-
-set -e
-
-# reduce noise in debug output
-$XT_MULTI iptables -t raw -A OUTPUT
-$XT_MULTI iptables -t raw -F
-
-# add all the things which were "optimized" here
-RULE='-t raw -A OUTPUT'
-
-# prefix matches on class (actually: byte) boundaries no longer need a bitwise
-RULE+=' -s 10.0.0.0/8 -d 192.168.0.0/16'
-
-# these were turned into native matches meanwhile
-# (plus -m tcp, but it conflicts with -m udp)
-RULE+=' -m limit --limit 1/min'
-RULE+=' -p udp -m udp --sport 1024:65535'
-RULE+=' -m mark --mark 0xfeedcafe/0xfeedcafe'
-RULE+=' -j TRACE'
-
-EXPECT_COMMON='TRACE udp opt -- in * out * 10.0.0.0/8 -> 192.168.0.0/16 limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
-ip raw OUTPUT'
-
-EXPECT="$EXPECT_COMMON
- [ payload load 1b @ network header + 12 => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 2b @ network header + 16 => reg 1 ]
- [ cmp eq reg 1 0x0000a8c0 ]
- [ payload load 1b @ network header + 9 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ limit rate 1/minute burst 5 type packets flags 0x0 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ range eq reg 1 0x00000004 0x0000ffff ]
- [ meta load mark => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
- [ cmp eq reg 1 0xfeedcafe ]
- [ counter pkts 0 bytes 0 ]
- [ immediate reg 9 0x00000001 ]
- [ meta set nftrace with reg 9 ]
-"
-
-diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -vv $RULE)
-
-EXPECT="$EXPECT_COMMON
- [ payload load 4b @ network header + 12 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
- [ cmp eq reg 1 0x0000a8c0 ]
- [ payload load 1b @ network header + 9 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ match name limit rev 0 ]
- [ match name udp rev 0 ]
- [ match name mark rev 1 ]
- [ counter pkts 0 bytes 0 ]
- [ target name TRACE rev 0 ]
-"
-
-diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables --compat -vv $RULE)