authorPhil Sutter <phil@nwl.cc>2023-05-05 20:18:38 +0200
committerPhil Sutter <phil@nwl.cc>2023-08-11 15:56:38 +0200
commitb14c971db6db069fbfd2a892c617de8d8bf26733 (patch)
tree7943aa0771f1900cbaff4a3725a8f2f6c2e45e8c /iptables
parent11c464ed015b52a28d90c63c69e10e5f7d4053d4 (diff)
tests: Test compat mode
Extend iptables-test.py by a third mode, which uses xtables-nft-multi and passes --compat to all calls that create rules. Also add a shell testcase asserting the effectiveness of --compat by comparing debug (-vv) output. Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
-rwxr-xr-xiptables/tests/shell/testcases/nft-only/0011-compat-mode_063
1 files changed, 63 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
new file mode 100755
index 00000000..c8cee8ae
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+set -e
+
+# reduce noise in debug output
+$XT_MULTI iptables -t raw -A OUTPUT
+$XT_MULTI iptables -t raw -F
+
+# add all the things which were "optimized" here
+RULE='-t raw -A OUTPUT'
+
+# prefix matches on class (actually: byte) boundaries no longer need a bitwise
+RULE+=' -s 10.0.0.0/8 -d 192.168.0.0/16'
+
+# these were turned into native matches meanwhile
+# (plus -m tcp, but it conflicts with -m udp)
+RULE+=' -m limit --limit 1/min'
+RULE+=' -p udp -m udp --sport 1024:65535'
+RULE+=' -m mark --mark 0xfeedcafe/0xfeedcafe'
+RULE+=' -j TRACE'
+
+EXPECT_COMMON='TRACE udp opt -- in * out * 10.0.0.0/8 -> 192.168.0.0/16 limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
+ip raw OUTPUT'
+
+EXPECT="$EXPECT_COMMON
+ [ payload load 1b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0000a8c0 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ limit rate 1/minute burst 5 type packets flags 0x0 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range eq reg 1 0x00000004 0x0000ffff ]
+ [ meta load mark => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0xfeedcafe ]
+ [ counter pkts 0 bytes 0 ]
+ [ immediate reg 9 0x00000001 ]
+ [ meta set nftrace with reg 9 ]
+"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -vv $RULE)
+
+EXPECT="$EXPECT_COMMON
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000a8c0 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ match name limit rev 0 ]
+ [ match name udp rev 0 ]
+ [ match name mark rev 1 ]
+ [ counter pkts 0 bytes 0 ]
+ [ target name TRACE rev 0 ]
+"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables --compat -vv $RULE)
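Review bot: The two `diff` invocations feed the expected output through `echo -e "$EXPECT"`, which interprets backslash escapes in the variable; it is harmless today because neither EXPECT string contains a backslash, but any future expectation line with one (the nft debug output does print `\` in some places) would be silently altered before comparison, so `printf '%s\n' "$EXPECT"` is the safer form at both sites: `diff -u -Z <(printf '%s\n' "$EXPECT") <($XT_MULTI iptables -vv $RULE)`. The unquoted `$RULE` is deliberate word-splitting, which works here because no token contains whitespace, but a bash array (`RULE=(-t raw -A OUTPUT)` appended with `RULE+=(...)` and expanded as `"${RULE[@]}"`) would state that intent and keep ShellCheck quiet. Both `iptables -vv` calls append a live `-j TRACE` rule to the raw OUTPUT chain and nothing removes them; if the test harness does not reset the ruleset between testcases, the extra traces will affect later tests, so either a trailing `$XT_MULTI iptables -t raw -F` or a comment stating that the harness flushes after each case would make that explicit.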