diff options
Diffstat (limited to 'iptables/tests')
-rwxr-xr-x | iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 | 117 | ||||
-rwxr-xr-x | iptables/tests/shell/testcases/iptables/0005-rule-replace_0 | 38 |
2 files changed, 155 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 new file mode 100755 index 00000000..51f2422e --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 @@ -0,0 +1,117 @@ +#!/bin/bash + +# Make sure iptables-restore does the right thing +# when encountering INSERT rules with index. + +set -e + +# show rules, drop uninteresting policy settings +ipt_show() { + $XT_MULTI iptables -S | grep -v '^-P' +} + +# basic issue reproducer + +$XT_MULTI iptables-restore <<EOF +*filter +-A FORWARD -m comment --comment "appended rule" -j ACCEPT +-I FORWARD 1 -m comment --comment "rule 1" -j ACCEPT +-I FORWARD 2 -m comment --comment "rule 2" -j ACCEPT +-I FORWARD 3 -m comment --comment "rule 3" -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT +-A FORWARD -m comment --comment "rule 2" -j ACCEPT +-A FORWARD -m comment --comment "rule 3" -j ACCEPT +-A FORWARD -m comment --comment "appended rule" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) + +# insert rules into existing ruleset + +$XT_MULTI iptables-restore --noflush <<EOF +*filter +-I FORWARD 1 -m comment --comment "rule 0.5" -j ACCEPT +-I FORWARD 3 -m comment --comment "rule 1.5" -j ACCEPT +-I FORWARD 5 -m comment --comment "rule 2.5" -j ACCEPT +-I FORWARD 7 -m comment --comment "rule 3.5" -j ACCEPT +-I FORWARD 9 -m comment --comment "appended rule 2" -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment "rule 0.5" -j ACCEPT +-A FORWARD -m comment --comment "rule 1" -j ACCEPT +-A FORWARD -m comment --comment "rule 1.5" -j ACCEPT +-A FORWARD -m comment --comment "rule 2" -j ACCEPT +-A FORWARD -m comment --comment "rule 2.5" -j ACCEPT +-A FORWARD -m comment --comment "rule 3" -j ACCEPT +-A FORWARD -m comment --comment "rule 3.5" -j ACCEPT +-A FORWARD -m comment --comment "appended rule" -j ACCEPT +-A FORWARD -m comment --comment "appended rule 2" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) + +# insert rules in between added ones + +$XT_MULTI iptables-restore <<EOF +*filter +-A FORWARD -m comment --comment "appended rule 1" -j ACCEPT +-A FORWARD -m comment --comment "appended rule 2" -j ACCEPT +-A FORWARD -m comment --comment "appended rule 3" -j ACCEPT +-I FORWARD 1 -m comment --comment "rule 1" -j ACCEPT +-I FORWARD 3 -m comment --comment "rule 2" -j ACCEPT +-I FORWARD 5 -m comment --comment "rule 3" -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT +-A FORWARD -m comment --comment "appended rule 1" -j ACCEPT +-A FORWARD -m comment --comment "rule 2" -j ACCEPT +-A FORWARD -m comment --comment "appended rule 2" -j ACCEPT +-A FORWARD -m comment --comment "rule 3" -j ACCEPT +-A FORWARD -m comment --comment "appended rule 3" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) + +# test rule deletion in dump files + +$XT_MULTI iptables-restore --noflush <<EOF +*filter +-D FORWARD -m comment --comment "appended rule 1" -j ACCEPT +-D FORWARD 3 +-I FORWARD 3 -m comment --comment "manually replaced rule 2" -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT +-A FORWARD -m comment --comment "rule 2" -j ACCEPT +-A FORWARD -m comment --comment "manually replaced rule 2" -j ACCEPT +-A FORWARD -m comment --comment "rule 3" -j ACCEPT +-A FORWARD -m comment --comment "appended rule 3" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) + +# test rule replacement in dump files + +$XT_MULTI iptables-restore <<EOF +*filter +-A FORWARD -m comment --comment "rule 1" -j ACCEPT +-A FORWARD -m comment --comment "rule to be replaced" -j ACCEPT +-A FORWARD -m comment --comment "rule 3" -j ACCEPT +COMMIT +EOF + +$XT_MULTI iptables-restore --noflush <<EOF +*filter +-R FORWARD 2 -m comment --comment "replacement" -j ACCEPT +-I FORWARD 2 -m comment --comment "insert referencing replaced rule" -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT +-A FORWARD -m comment --comment "insert referencing replaced rule" -j ACCEPT +-A FORWARD -m comment --comment replacement -j ACCEPT +-A FORWARD -m comment --comment "rule 3" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) diff --git a/iptables/tests/shell/testcases/iptables/0005-rule-replace_0 b/iptables/tests/shell/testcases/iptables/0005-rule-replace_0 new file mode 100755 index 00000000..5a3e922e --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0005-rule-replace_0 @@ -0,0 +1,38 @@ +#!/bin/bash + +# test rule replacement + +set -e + +# show rules, drop uninteresting policy settings +ipt_show() { + $XT_MULTI iptables -S | grep -v '^-P' +} + +$XT_MULTI iptables -A FORWARD -m comment --comment "rule 1" -j ACCEPT +$XT_MULTI iptables -A FORWARD -m comment --comment "rule 2" -j ACCEPT +$XT_MULTI iptables -A FORWARD -m comment --comment "rule 3" -j ACCEPT + +$XT_MULTI iptables -R FORWARD 2 -m comment --comment "replaced 2" -j ACCEPT + +EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT +-A FORWARD -m comment --comment "replaced 2" -j ACCEPT +-A FORWARD -m comment --comment "rule 3" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) + +$XT_MULTI iptables -R FORWARD 1 -m comment --comment "replaced 1" -j ACCEPT + +EXPECT='-A FORWARD -m comment --comment "replaced 1" -j ACCEPT +-A FORWARD -m comment --comment "replaced 2" -j ACCEPT +-A FORWARD -m comment --comment "rule 3" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) + +$XT_MULTI iptables -R FORWARD 3 -m comment --comment "replaced 3" -j ACCEPT + +EXPECT='-A FORWARD -m comment --comment "replaced 1" -j ACCEPT +-A FORWARD -m comment --comment "replaced 2" -j ACCEPT +-A FORWARD -m comment --comment "replaced 3" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) |