diff options
Diffstat (limited to 'iptables/tests/shell/testcases/chain')
5 files changed, 169 insertions, 12 deletions
diff --git a/iptables/tests/shell/testcases/chain/0003rename_0 b/iptables/tests/shell/testcases/chain/0003rename_0 new file mode 100755 index 00000000..4cb2745b --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0003rename_0 @@ -0,0 +1,40 @@ +#!/bin/bash -x + +die() { + echo "E: $@" + exit 1 +} + +cmds="iptables ip6tables" +[[ $XT_MULTI == *xtables-nft-multi ]] && cmds+=" arptables ebtables" + +declare -A invnames +invnames["existing"]="c2" +invnames["spaced"]="foo bar" +invnames["dashed"]="-foo" +invnames["negated"]="!foo" +# XXX: ebtables-nft accepts 255 chars +#invnames["overlong"]="thisisquitealongnameforachain" +invnames["standard target"]="ACCEPT" +invnames["extension target"]="DNAT" + +for cmd in $cmds; do + $XT_MULTI $cmd -N c1 || die "$cmd: can't add chain c1" + $XT_MULTI $cmd -N c2 || die "$cmd: can't add chain c2" + for key in "${!invnames[@]}"; do + val="${invnames[$key]}" + if [[ $key == "extension target" ]]; then + if [[ $cmd == "arptables" ]]; then + val="mangle" + elif [[ $cmd == "ebtables" ]]; then + val="dnat" + fi + fi + $XT_MULTI $cmd -N "$val" && \ + die "$cmd: added chain with $key name" + $XT_MULTI $cmd -E c1 "$val" && \ + die "$cmd: renamed to $key name" + done +done + +exit 0 diff --git a/iptables/tests/shell/testcases/chain/0003rename_1 b/iptables/tests/shell/testcases/chain/0003rename_1 deleted file mode 100755 index 975c8e19..00000000 --- a/iptables/tests/shell/testcases/chain/0003rename_1 +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -$XT_MULTI iptables -N c1 || exit 0 -$XT_MULTI iptables -N c2 || exit 0 -$XT_MULTI iptables -E c1 c2 || exit 1 - -$XT_MULTI ip6tables -N c1 || exit 0 -$XT_MULTI ip6tables -N c2 || exit 0 -$XT_MULTI ip6tables -E c1 c2 || exit 1 - -echo "E: Renamed with existing chain" >&2 -exit 0 diff --git a/iptables/tests/shell/testcases/chain/0006rename-segfault_0 b/iptables/tests/shell/testcases/chain/0006rename-segfault_0 new file mode 100755 index 00000000..c10a8006 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0006rename-segfault_0 @@ -0,0 +1,19 @@ +#!/bin/bash +# +# Cover for a bug in libiptc: +# - the chain 'node-98-tmp' is the last in the list sorted by name +# - there are 81 chains in total, so three chain index buckets +# - the last index bucket contains only the 'node-98-tmp' chain +# => rename temporarily removes it from the bucket, leaving a NULL bucket +# behind which is dereferenced later when inserting the chain again with new +# name again + +( + echo "*filter" + for chain in node-1 node-10 node-101 node-102 node-104 node-107 node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18 node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27 node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36 node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45 node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54 node-55 node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62 node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71 node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 node-92 node-93 node-95 node-98-tmp; do + echo ":$chain - [0:0]" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore +$XT_MULTI iptables -E node-98-tmp node-98 +exit $? diff --git a/iptables/tests/shell/testcases/chain/0007counters_0 b/iptables/tests/shell/testcases/chain/0007counters_0 new file mode 100755 index 00000000..0b21a926 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0007counters_0 @@ -0,0 +1,78 @@ +#!/bin/bash -e + +SETUP="*filter +:FORWARD ACCEPT [13:37] +-A FORWARD -c 1 2 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT +COMMIT" + + +### -Z with index shall zero a single chain only + +EXPECT="-P FORWARD ACCEPT -c 13 37 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT" + +$XT_MULTI iptables-restore --counters <<< "$SETUP" +$XT_MULTI iptables -Z FORWARD 1 +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### -Z without index shall zero the chain and all rules + +EXPECT="-P FORWARD ACCEPT -c 0 0 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 0 0 -j ACCEPT" + +$XT_MULTI iptables -Z FORWARD +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### prepare for live test + +# iptables-nft will create output chain on demand, so make sure it exists +$XT_MULTI iptables -A OUTPUT -d 127.2.3.4 -j ACCEPT + +# test runs in its own netns, lo is there but down by default +ip link set lo up + + +### pings (and pongs) hit OUTPUT policy, its counters must increase + +get_pkt_counter() { # (CHAIN) + $XT_MULTI iptables -vS $1 | awk '/^-P '$1'/{print $5; exit}' +} + +counter_inc_test() { + pkt_pre=$(get_pkt_counter OUTPUT) + ping -q -i 0.2 -c 3 127.0.0.1 + pkt_post=$(get_pkt_counter OUTPUT) + [[ $pkt_post -gt $pkt_pre ]] +} + +counter_inc_test + +# iptables-nft-restore needed --counters to create chains with them +if [[ $XT_MULTI == *xtables-nft-multi ]]; then + $XT_MULTI iptables -F OUTPUT + $XT_MULTI iptables -X OUTPUT + $XT_MULTI iptables-restore <<EOF +*filter +:OUTPUT ACCEPT [0:0] +COMMIT +EOF + counter_inc_test +fi + +### unrelated restore must not touch changing counters in kernel + +# With legacy iptables, this works without --noflush even. With iptables-nft, +# ruleset is flushed though. Not sure which behaviour is actually correct. :) +pkt_pre=$pkt_post +$XT_MULTI iptables-restore --noflush <<EOF +*filter$(ping -i 0.2 -c 3 127.0.0.1 >/dev/null 2>&1) +COMMIT +EOF +nft list ruleset +pkt_post=$(get_pkt_counter OUTPUT) +[[ $pkt_post -eq $((pkt_pre + 6 )) ]] diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 new file mode 100755 index 00000000..bc473d25 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 @@ -0,0 +1,32 @@ +#!/bin/bash +# +# Another funny rename bug in libiptc: +# If there is a chain index bucket with only a single chain in it and it is not +# the last one and that chain is renamed, a chain index rebuild is triggered. +# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an +# extra index is allocated and remains NULL. The following insert of renamed +# chain then segfaults. + +( + echo "*filter" + # first bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-a-$i - [0:0]" + done + # second bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-b-$i - [0:0]" + done + # third bucket, just make sure it exists + echo ":chain-c-0 - [0:0]" + echo "COMMIT" +) | $XT_MULTI iptables-restore + +# rename all chains of the middle bucket +( + echo "*filter" + for ((i = 0; i < 40; i++)); do + echo "-E chain-b-$i chain-d-$i" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore --noflush |