diff options
Diffstat (limited to 'iptables/tests')
19 files changed, 329 insertions, 37 deletions
diff --git a/iptables/tests/shell/testcases/chain/0003rename_0 b/iptables/tests/shell/testcases/chain/0003rename_0 new file mode 100755 index 00000000..4cb2745b --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0003rename_0 @@ -0,0 +1,40 @@ +#!/bin/bash -x + +die() { + echo "E: $@" + exit 1 +} + +cmds="iptables ip6tables" +[[ $XT_MULTI == *xtables-nft-multi ]] && cmds+=" arptables ebtables" + +declare -A invnames +invnames["existing"]="c2" +invnames["spaced"]="foo bar" +invnames["dashed"]="-foo" +invnames["negated"]="!foo" +# XXX: ebtables-nft accepts 255 chars +#invnames["overlong"]="thisisquitealongnameforachain" +invnames["standard target"]="ACCEPT" +invnames["extension target"]="DNAT" + +for cmd in $cmds; do + $XT_MULTI $cmd -N c1 || die "$cmd: can't add chain c1" + $XT_MULTI $cmd -N c2 || die "$cmd: can't add chain c2" + for key in "${!invnames[@]}"; do + val="${invnames[$key]}" + if [[ $key == "extension target" ]]; then + if [[ $cmd == "arptables" ]]; then + val="mangle" + elif [[ $cmd == "ebtables" ]]; then + val="dnat" + fi + fi + $XT_MULTI $cmd -N "$val" && \ + die "$cmd: added chain with $key name" + $XT_MULTI $cmd -E c1 "$val" && \ + die "$cmd: renamed to $key name" + done +done + +exit 0 diff --git a/iptables/tests/shell/testcases/chain/0003rename_1 b/iptables/tests/shell/testcases/chain/0003rename_1 deleted file mode 100755 index 975c8e19..00000000 --- a/iptables/tests/shell/testcases/chain/0003rename_1 +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -$XT_MULTI iptables -N c1 || exit 0 -$XT_MULTI iptables -N c2 || exit 0 -$XT_MULTI iptables -E c1 c2 || exit 1 - -$XT_MULTI ip6tables -N c1 || exit 0 -$XT_MULTI ip6tables -N c2 || exit 0 -$XT_MULTI ip6tables -E c1 c2 || exit 1 - -echo "E: Renamed with existing chain" >&2 -exit 0 diff --git a/iptables/tests/shell/testcases/chain/0007counters_0 b/iptables/tests/shell/testcases/chain/0007counters_0 new file mode 100755 index 00000000..0b21a926 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0007counters_0 @@ -0,0 +1,78 @@ +#!/bin/bash -e + +SETUP="*filter +:FORWARD ACCEPT [13:37] +-A FORWARD -c 1 2 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT +COMMIT" + + +### -Z with index shall zero a single chain only + +EXPECT="-P FORWARD ACCEPT -c 13 37 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT" + +$XT_MULTI iptables-restore --counters <<< "$SETUP" +$XT_MULTI iptables -Z FORWARD 1 +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### -Z without index shall zero the chain and all rules + +EXPECT="-P FORWARD ACCEPT -c 0 0 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 0 0 -j ACCEPT" + +$XT_MULTI iptables -Z FORWARD +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### prepare for live test + +# iptables-nft will create output chain on demand, so make sure it exists +$XT_MULTI iptables -A OUTPUT -d 127.2.3.4 -j ACCEPT + +# test runs in its own netns, lo is there but down by default +ip link set lo up + + +### pings (and pongs) hit OUTPUT policy, its counters must increase + +get_pkt_counter() { # (CHAIN) + $XT_MULTI iptables -vS $1 | awk '/^-P '$1'/{print $5; exit}' +} + +counter_inc_test() { + pkt_pre=$(get_pkt_counter OUTPUT) + ping -q -i 0.2 -c 3 127.0.0.1 + pkt_post=$(get_pkt_counter OUTPUT) + [[ $pkt_post -gt $pkt_pre ]] +} + +counter_inc_test + +# iptables-nft-restore needed --counters to create chains with them +if [[ $XT_MULTI == *xtables-nft-multi ]]; then + $XT_MULTI iptables -F OUTPUT + $XT_MULTI iptables -X OUTPUT + $XT_MULTI iptables-restore <<EOF +*filter +:OUTPUT ACCEPT [0:0] +COMMIT +EOF + counter_inc_test +fi + +### unrelated restore must not touch changing counters in kernel + +# With legacy iptables, this works without --noflush even. With iptables-nft, +# ruleset is flushed though. Not sure which behaviour is actually correct. :) +pkt_pre=$pkt_post +$XT_MULTI iptables-restore --noflush <<EOF +*filter$(ping -i 0.2 -c 3 127.0.0.1 >/dev/null 2>&1) +COMMIT +EOF +nft list ruleset +pkt_post=$(get_pkt_counter OUTPUT) +[[ $pkt_post -eq $((pkt_pre + 6 )) ]] diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 new file mode 100755 index 00000000..bc473d25 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 @@ -0,0 +1,32 @@ +#!/bin/bash +# +# Another funny rename bug in libiptc: +# If there is a chain index bucket with only a single chain in it and it is not +# the last one and that chain is renamed, a chain index rebuild is triggered. +# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an +# extra index is allocated and remains NULL. The following insert of renamed +# chain then segfaults. + +( + echo "*filter" + # first bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-a-$i - [0:0]" + done + # second bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-b-$i - [0:0]" + done + # third bucket, just make sure it exists + echo ":chain-c-0 - [0:0]" + echo "COMMIT" +) | $XT_MULTI iptables-restore + +# rename all chains of the middle bucket +( + echo "*filter" + for ((i = 0; i < 40; i++)); do + echo "-E chain-b-$i chain-d-$i" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore --noflush diff --git a/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 index b5df9725..962b1e03 100755 --- a/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 +++ b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 @@ -71,27 +71,35 @@ bf_client_ip1="10.167.11.2" pktsize=64 # --among-src [mac,IP] +among="$bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1" ip netns exec "$nsb" $XT_MULTI ebtables -F -ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-dst $bf_server_ip1 --among-src "$among" -j DROP > /dev/null ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null assert_fail $? "--among-src [match]" # ip netns exec "$nsb" $XT_MULTI ebtables -L --Ln --Lc +among="$bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1" ip netns exec "$nsb" $XT_MULTI ebtables -F -ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src ! $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-dst $bf_server_ip1 ! --among-src "$among" -j DROP > /dev/null ip netns exec "$nsc" ping $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null assert_pass $? "--among-src [not match]" # --among-dst [mac,IP] +among="$bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1" ip netns exec "$nsb" $XT_MULTI ebtables -F -ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-src $bf_client_ip1 --among-dst "$among" -j DROP > /dev/null ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null assert_fail $? "--among-dst [match]" -# --among-dst ! [mac,IP] +# ! --among-dst [mac,IP] +among="$bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1" ip netns exec "$nsb" $XT_MULTI ebtables -F -ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst ! $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-src $bf_client_ip1 ! --among-dst "$among" -j DROP > /dev/null ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null assert_pass $? "--among-dst [not match]" diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 new file mode 100755 index 00000000..0def0ac5 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring: +# - with --noflush +# - a second table after the broute one +# - A policy command but no chain line for BROUTING chain + +set -e + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +$XT_MULTI ebtables-restore --noflush <<EOF +*broute +-P BROUTING ACCEPT +*nat +-P PREROUTING ACCEPT +COMMIT +EOF diff --git a/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 b/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 new file mode 100755 index 00000000..4f783819 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 @@ -0,0 +1,45 @@ +#!/bin/sh + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +set -e +set -x + +check_rule() { # (pcnt, bcnt) + $XT_MULTI ebtables -L FORWARD --Lc --Ln | \ + grep -q "^1. -o eth0 -j CONTINUE , pcnt = $1 -- bcnt = $2$" +} + +$XT_MULTI ebtables -A FORWARD -o eth0 -c 10 20 +check_rule 10 20 + +$XT_MULTI ebtables -C FORWARD 1 100 200 +check_rule 100 200 + +$XT_MULTI ebtables -C FORWARD 101 201 -o eth0 +check_rule 101 201 + +$XT_MULTI ebtables -C FORWARD 1 +10 -20 +check_rule 111 181 + +$XT_MULTI ebtables -C FORWARD -10 +20 -o eth0 +check_rule 101 201 + +$XT_MULTI ebtables -A FORWARD -o eth1 -c 111 211 +$XT_MULTI ebtables -A FORWARD -o eth2 -c 121 221 + +$XT_MULTI ebtables -C FORWARD 2:3 +100 -200 + +EXPECT='1. -o eth0 -j CONTINUE , pcnt = 101 -- bcnt = 201 +2. -o eth1 -j CONTINUE , pcnt = 211 -- bcnt = 11 +3. -o eth2 -j CONTINUE , pcnt = 221 -- bcnt = 21' +diff -u <(echo "$EXPECT") \ + <($XT_MULTI ebtables -L FORWARD --Lc --Ln | grep -- '-o eth') + diff --git a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 index cc18a94b..45fab830 100755 --- a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 +++ b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 @@ -33,11 +33,11 @@ EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes) Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT 0 -- eth2 eth3 feed:babe::1 feed:babe::2 - 0 0 ACCEPT 0 -- eth2 eth3 feed:babe::4 feed:babe::5 - 0 0 58 -- * * ::/0 ::/0 ipv6-icmptype 1 code 0 - 0 0 0 -- * * ::/0 ::/0 dst length:42 rt type:23 - 0 0 LOG 0 -- * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4 + 0 0 ACCEPT all -- eth2 eth3 feed:babe::1 feed:babe::2 + 0 0 ACCEPT all -- eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ipv6-icmp -- * * ::/0 ::/0 ipv6-icmptype 1 code 0 + 0 0 all -- * * ::/0 ::/0 dst length:42 rt type:23 + 0 0 LOG all -- * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination' diff --git a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 index c98bdd6e..09e39927 100755 --- a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 +++ b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 @@ -3,7 +3,7 @@ set -e $XT_MULTI ip6tables -N foo -$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT +$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 $XT_MULTI ip6tables -A FORWARD -i eth42 -o eth23 -g foo $XT_MULTI ip6tables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT @@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 -P FORWARD ACCEPT -c 0 0 -P OUTPUT ACCEPT -c 0 0 -N foo --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S) @@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD) EXPECT='-P FORWARD ACCEPT -c 0 0 --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S FORWARD) diff --git a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 index 5ac70682..854768c9 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 @@ -20,3 +20,10 @@ EXPECT=":foo - [0:0] $XT_MULTI iptables-restore --counters <<< "$DUMP" diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save --counters | grep foo) + +# if present, counters must be in proper format +! $XT_MULTI iptables-restore <<EOF +*filter +:FORWARD ACCEPT bar +COMMIT +EOF diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 index 1a3af46f..bea1a690 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 @@ -12,5 +12,5 @@ EOF EXPECT='Chain FORWARD (policy ACCEPT) target prot opt source destination -ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 ' +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ' diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD) diff --git a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 index 4e0be51c..48f5f7b4 100755 --- a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 +++ b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 @@ -39,6 +39,7 @@ do_simple() $XT_MULTI ${iptables}-restore < "$dumpfile" $XT_MULTI ${iptables}-save | grep -v "^#" > "$tmpfile" + sed -i -e 's/-p 47 /-p gre /' "$tmpfile" do_diff $dumpfile "$tmpfile" if [ $? -ne 0 ]; then # cp "$tmpfile" "$dumpfile.got" diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 index 15c72af3..5d2af4c8 100755 --- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 +++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 @@ -21,8 +21,8 @@ EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes) Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT 0 -- eth2 eth3 10.0.0.1 10.0.0.2 - 0 0 ACCEPT 0 -- eth2 eth3 10.0.0.4 10.0.0.5 + 0 0 ACCEPT all -- eth2 eth3 10.0.0.1 10.0.0.2 + 0 0 ACCEPT all -- eth2 eth3 10.0.0.4 10.0.0.5 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination' diff --git a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 b/iptables/tests/shell/testcases/iptables/0003-list-rules_0 index d335d442..d07bd151 100755 --- a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 +++ b/iptables/tests/shell/testcases/iptables/0003-list-rules_0 @@ -3,7 +3,7 @@ set -e $XT_MULTI iptables -N foo -$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT +$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 $XT_MULTI iptables -A FORWARD -i eth42 -o eth23 -g foo $XT_MULTI iptables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT @@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 -P FORWARD ACCEPT -c 0 0 -P OUTPUT ACCEPT -c 0 0 -N foo --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S) @@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S FORWARD) EXPECT='-P FORWARD ACCEPT -c 0 0 --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S FORWARD) diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 index 33c5f1f3..234f3040 100755 --- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 +++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 @@ -58,6 +58,7 @@ cmd 1 "$ENOENT" -Z bar cmd 0 -E foo bar cmd 1 "$EEXIST_F" -E foo bar cmd 1 "$ENOENT" -E foo bar2 +cmd 1 "$ENOENT" -L foo cmd 0 -N foo2 cmd 1 "$EEXIST_F" -E foo2 bar diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0 new file mode 100755 index 00000000..4481f966 --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0010-wait_0 @@ -0,0 +1,55 @@ +#!/bin/bash + +case "$XT_MULTI" in +*xtables-legacy-multi) + ;; +*) + echo skip $XT_MULTI + exit 0 + ;; +esac + +coproc RESTORE { $XT_MULTI iptables-restore; } +echo "*filter" >&${RESTORE[1]} + + +$XT_MULTI iptables -A FORWARD -j ACCEPT & +ipt_pid=$! + +waitpid -t 1 $ipt_pid +[[ $? -eq 3 ]] && { + echo "process waits when it should not" + exit 1 +} +wait $ipt_pid +[[ $? -eq 0 ]] && { + echo "process exited 0 despite busy lock" + exit 1 +} + +t0=$(date +%s) +$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT +t1=$(date +%s) +[[ $((t1 - t0)) -ge 3 ]] || { + echo "wait time not expired" + exit 1 +} + +$XT_MULTI iptables -w -A FORWARD -j ACCEPT & +ipt_pid=$! + +waitpid -t 3 $ipt_pid +[[ $? -eq 3 ]] || { + echo "no indefinite wait" + exit 1 +} +kill $ipt_pid +waitpid -t 3 $ipt_pid +[[ $? -eq 3 ]] && { + echo "killed waiting iptables call did not exit in time" + exit 1 +} + +kill $RESTORE_PID +wait +exit 0 diff --git a/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 b/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 index 43880ffb..981f007f 100755 --- a/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 +++ b/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 @@ -13,11 +13,11 @@ COMMIT :foo [0:0] EOF -$XT_MULTI iptables-save | grep -q ':foo' +sleep 1 +$XT_MULTI iptables-save | grep -q ':foo' || exit 1 nft flush ruleset echo "COMMIT" >&"${COPROC[1]}" -sleep 1 - -[[ -n $COPROC_PID ]] && kill $COPROC_PID -wait +# close the pipe to make iptables-restore exit if it didn't error out yet +eval "exec ${COPROC[1]}>&-" +wait $COPROC_PID diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 index 41588a10..34802cc2 100755 --- a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 +++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 @@ -340,7 +340,7 @@ bridge filter OUTPUT 10 9 # - lines with bytecode (starting with ' [') # - empty lines (so printed diff is not a complete mess) filter() { - awk '/^( \[|$)/{print}' + awk '/^table /{exit} /^( \[|$)/{print}' } diff -u -Z <(filter <<< "$EXPECT") <(nft --debug=netlink list ruleset | filter) diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 new file mode 100755 index 00000000..e276a953 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 @@ -0,0 +1,12 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +set -e + +rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080" +for cmd in iptables ip6tables; do + $XT_MULTI $cmd -t mangle -A PREROUTING $rule + $XT_MULTI $cmd -t mangle -Z + $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}" +done |