Diffstat (limited to 'iptables/tests/shell/testcases/ip6tables')
5 files changed, 63 insertions, 45 deletions
diff --git a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
index 7b0e6468..45fab830 100755
--- a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
+++ b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
@@ -6,23 +6,38 @@ set -e # ensure verbose output is identical between legacy and nft tools RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT' -VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2' +VOUT1='ACCEPT all opt -- in eth2 out eth3 feed:babe::1 -> feed:babe::2' RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT' -VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5' +VOUT2='ACCEPT all opt -- in eth2 out eth3 feed:babe::4 -> feed:babe::5' +RULE3='-p icmpv6 -m icmp6 --icmpv6-type no-route' +VOUT3=' ipv6-icmp opt -- in * out * ::/0 -> ::/0 ipv6-icmptype 1 code 0' +RULE4='-m dst --dst-len 42 -m rt --rt-type 23' +VOUT4=' all opt -- in * out * ::/0 -> ::/0 dst length:42 rt type:23' +RULE5='-m frag --fragid 1337 -j LOG' +VOUT5='LOG all opt -- in * out * ::/0 -> ::/0 frag id:1337 LOG flags 0 level 4' diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -A FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -A FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -A FORWARD $RULE5) diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -C FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -C FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -C FORWARD $RULE5) EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2 - 0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ACCEPT all -- eth2 eth3 feed:babe::1 
feed:babe::2 + 0 0 ACCEPT all -- eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ipv6-icmp -- * * ::/0 ::/0 ipv6-icmptype 1 code 0 + 0 0 all -- * * ::/0 ::/0 dst length:42 rt type:23 + 0 0 LOG all -- * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination' diff --git a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 index c98bdd6e..09e39927 100755 --- a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 +++ b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 @@ -3,7 +3,7 @@ set -e $XT_MULTI ip6tables -N foo -$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT +$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 $XT_MULTI ip6tables -A FORWARD -i eth42 -o eth23 -g foo $XT_MULTI ip6tables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT @@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 -P FORWARD ACCEPT -c 0 0 -P OUTPUT ACCEPT -c 0 0 -N foo --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S) @@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD) EXPECT='-P FORWARD ACCEPT -c 0 0 --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S FORWARD) diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 new file mode 100755 index 00000000..7eb42f08 --- /dev/null +++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 
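Review bot: The added `-C` lines for RULE3 to RULE5 in 0002-verbose-output_0 compare only the printed text, because a command run inside `<(...)` has its exit status discarded and `set -e` never sees it. A check that prints the expected line but returns non-zero would therefore still pass. If the return code is meant to be covered here, a plain `$XT_MULTI ip6tables -C FORWARD $RULE3` ahead of each diff would assert it under `set -e`; the existing RULE1 and RULE2 lines have the same gap. A one-line comment above RULE3 saying what the three new rules exercise (presumably the verbose print paths of the icmp6, dst/rt and frag matches) would also help the next reader.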
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+$XT_MULTI ip6tables-restore <<EOF
+*filter
+-A FORWARD -s feed:babe::/ffff::0
+-A FORWARD -s feed:babe::/ffff:ff00::0
+-A FORWARD -s feed:babe::/ffff:fff0::0
+-A FORWARD -s feed:babe::/ffff:ffff::0
+-A FORWARD -s feed:babe::/0:ffff::0
+-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0
+COMMIT
+EOF
+
+EXPECT='-P FORWARD ACCEPT
+-A FORWARD -s feed::/16
+-A FORWARD -s feed:ba00::/24
+-A FORWARD -s feed:bab0::/28
+-A FORWARD -s feed:babe::/32
+-A FORWARD -s 0:babe::/0:ffff::
+-A FORWARD -s feed::babe:0/ffff::ffff:0'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
diff --git a/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 b/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0
deleted file mode 100755
index f023b791..00000000
--- a/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-
-# make sure error return codes are as expected useful cases
-# (e.g. commands to check ruleset state)
-
-global_rc=0
-
-cmd() { # (rc, cmd, [args ...])
- rc_exp=$1; shift
-
- $XT_MULTI "$@"
- rc=$?
-
- [ $rc -eq $rc_exp ] || {
- echo "---> expected $rc_exp, got $rc for command '$@'"
- global_rc=1
- }
-}
-
-# test chain creation
-cmd 0 ip6tables -N foo
-cmd 1 ip6tables -N foo
-# iptables-nft allows this - bug or feature?
-#cmd 2 ip6tables -N "invalid name"
-
-# test rule adding
-cmd 0 ip6tables -A INPUT -j ACCEPT
-cmd 1 ip6tables -A noexist -j ACCEPT
-
-# test rule checking
-cmd 0 ip6tables -C INPUT -j ACCEPT
-cmd 1 ip6tables -C FORWARD -j ACCEPT
-cmd 1 ip6tables -C nonexist -j ACCEPT
-cmd 2 ip6tables -C INPUT -j foobar
-cmd 2 ip6tables -C INPUT -m foobar -j ACCEPT
-cmd 3 ip6tables -t foobar -C INPUT -j ACCEPT
-
-exit $global_rc
diff --git a/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0 b/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0
new file mode 100755
index 00000000..cc8215bf
--- /dev/null
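Review bot: The new file 0004-address-masks_0 carries no comment saying which behaviour it pins, and its expected output encodes three separate rules that are easy to miss. Contiguous masks are printed as prefix lengths, non-contiguous masks are kept as masks, and address bits outside the mask are cleared (`feed:babe::/ffff::0` is expected back as `feed::/16`). I would add a short header comment after the shebang stating exactly that, since how a source mask is normalised decides which packets a rule matches. The here-document delimiter could also be quoted, `<<'EOF'`, so the shell never expands anything inside the ruleset.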
+++ b/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# Test the fix in commit 78850e7dba64a ("ip6tables: Fix checking existence of
+# rule"). Happens with legacy ip6tables only, but testing ip6tables-nft doesn't
+# hurt.
+#
+# Code taken from https://bugzilla.netfilter.org/show_bug.cgi?id=1667
+# Thanks to Jonathan Caicedo <jonathan@jcaicedo.com> for providing it.
+
+RULE='-p tcp --dport 81 -j DNAT --to-destination [::1]:81'
+
+$XT_MULTI ip6tables -t nat -N testchain || exit 1
+$XT_MULTI ip6tables -t nat -A testchain $RULE || exit 1
+$XT_MULTI ip6tables -t nat -C testchain $RULE || exit 1
+
+$XT_MULTI ip6tables -t nat -C testchain ${RULE//81/82} 2>/dev/null && exit 1
+exit 0 |
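Review bot: The negative check on the last command line of 0005-rule-check_0 treats any non-zero exit as "rule not found", so a parse error or an unavailable nat table would also let the test pass, and `2>/dev/null` hides the message that would reveal it. The return-codes test deleted in this same commit expected exit code 1 for a rule that does not exist and 2 or 3 for other failures, so the check can be pinned to that value. Run `$XT_MULTI ip6tables -t nat -C testchain ${RULE//81/82} 2>/dev/null` on its own line and follow it with `[ $? -eq 1 ] || exit 1`. This assumes the legacy and nft variants both return 1 for a missing rule, which should be confirmed before relying on it.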