Diffstat (limited to 'iptables/tests')
40 files changed, 1052 insertions, 58 deletions
diff --git a/iptables/tests/shell/run-tests.sh b/iptables/tests/shell/run-tests.sh index 7878760f..11256905 100755 --- a/iptables/tests/shell/run-tests.sh +++ b/iptables/tests/shell/run-tests.sh @@ -21,7 +21,6 @@ EOF msg_error() { echo "E: $1 ..." >&2 - exit 1 } msg_warn() { @@ -34,10 +33,12 @@ msg_info() { if [ "$(id -u)" != "0" ] ; then msg_error "this requires root!" + exit 77 fi if [ ! -d "$TESTDIR" ] ; then msg_error "missing testdir $TESTDIR" + exit 99 fi # support matching repeated pattern in SINGLE check below @@ -76,6 +77,7 @@ while [ -n "$1" ]; do ;; *) msg_error "unknown parameter '$1'" + exit 99 ;; esac done @@ -122,7 +124,8 @@ EOF if [ "$VALGRIND" == "y" ]; then tmpd=$(mktemp -d) msg_info "writing valgrind logs to $tmpd" - chmod a+rx $tmpd + # let nobody write logs, too (././testcases/iptables/0008-unprivileged_0) + chmod 777 $tmpd printscript "$XTABLES_NFT_MULTI" "$tmpd" >${tmpd}/xtables-nft-multi printscript "$XTABLES_LEGACY_MULTI" "$tmpd" >${tmpd}/xtables-legacy-multi trap "rm ${tmpd}/xtables-*-multi" EXIT diff --git a/iptables/tests/shell/testcases/chain/0003rename_0 b/iptables/tests/shell/testcases/chain/0003rename_0 new file mode 100755 index 00000000..4cb2745b --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0003rename_0 
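Review bot: Dropping `exit 1` from `msg_error` turns every existing caller that relied on it into a non-fatal warning, and the hunks below add an explicit `exit` only for the three call sites visible here. Any other `msg_error` caller in run-tests.sh outside these hunks now keeps running as root after reporting an error, so the rest of the file is worth grepping for `msg_error` and giving each site its own `exit`, or keeping a fatal variant (`die`) for the old behaviour. Only fragments of the function bodies are visible in this hunk.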
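Review bot: `chmod 777 $tmpd` makes the valgrind log directory world-writable without the sticky bit, yet the same directory holds the `xtables-nft-multi` / `xtables-legacy-multi` wrapper scripts written by `printscript` that the root-only test run (see the `id -u` check above) goes on to execute, so any local user could remove and replace those wrappers before they are used. If unprivileged test cases only need to create log files there, `chmod 1777 "$tmpd"` keeps that access while preventing other users from unlinking or renaming root-owned entries, and quoting `$tmpd` removes the word-splitting ShellCheck flags on this line. Keeping the wrappers in a root-only directory and pointing the logs at a separate world-writable subdirectory would be cleaner still. The enclosing `if [ "$VALGRIND" == "y" ]` block continues outside the hunk.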
@@ -0,0 +1,40 @@ +#!/bin/bash -x + +die() { + echo "E: $@" + exit 1 +} + +cmds="iptables ip6tables" +[[ $XT_MULTI == *xtables-nft-multi ]] && cmds+=" arptables ebtables" + +declare -A invnames +invnames["existing"]="c2" +invnames["spaced"]="foo bar" +invnames["dashed"]="-foo" +invnames["negated"]="!foo" +# XXX: ebtables-nft accepts 255 chars +#invnames["overlong"]="thisisquitealongnameforachain" +invnames["standard target"]="ACCEPT" +invnames["extension target"]="DNAT" + +for cmd in $cmds; do + $XT_MULTI $cmd -N c1 || die "$cmd: can't add chain c1" + $XT_MULTI $cmd -N c2 || die "$cmd: can't add chain c2" + for key in "${!invnames[@]}"; do + val="${invnames[$key]}" + if [[ $key == "extension target" ]]; then + if [[ $cmd == "arptables" ]]; then + val="mangle" + elif [[ $cmd == "ebtables" ]]; then + val="dnat" + fi + fi + $XT_MULTI $cmd -N "$val" && \ + die "$cmd: added chain with $key name" + $XT_MULTI $cmd -E c1 "$val" && \ + die "$cmd: renamed to $key name" + done +done + +exit 0 diff --git a/iptables/tests/shell/testcases/chain/0003rename_1 b/iptables/tests/shell/testcases/chain/0003rename_1 deleted file mode 100755 index 975c8e19..00000000 --- a/iptables/tests/shell/testcases/chain/0003rename_1 +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -$XT_MULTI iptables -N c1 || exit 0 -$XT_MULTI iptables -N c2 || exit 0 -$XT_MULTI iptables -E c1 c2 || exit 1 - -$XT_MULTI ip6tables -N c1 || exit 0 -$XT_MULTI ip6tables -N c2 || exit 0 -$XT_MULTI ip6tables -E c1 c2 || exit 1 - -echo "E: Renamed with existing chain" >&2 -exit 0 diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0 new file mode 100755 index 00000000..cc07e4be --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0004extra-base_0 
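Review bot: `die()` in the new 0003rename_0 prints its diagnostic with `echo "E: $@"` to stdout; error text belongs on stderr and `$@` inside a quoted string should be `$*`, i.e. `echo "E: $*" >&2`. The shebang `#!/bin/bash -x` also puts the trace option where it is lost if the runner invokes the script as `bash <file>`; `set -x` as the first statement is the reliable form. The negative checks themselves (`-N "$val" && die`, `-E c1 "$val" && die`) read fine.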
@@ -0,0 +1,37 @@ +#!/bin/bash + +case $XT_MULTI in +*xtables-nft-multi) + ;; +*) + echo skip $XT_MULTI + exit 0 + ;; +esac + +set -e + +nft -f - <<EOF +table ip filter { + chain a { + type filter hook input priority filter + } + + chain INPUT { + type filter hook input priority filter + counter packets 218 bytes 91375 accept + } + + chain x { + type filter hook input priority filter + } +} +EOF + +EXPECT="# Table \`filter' contains incompatible base-chains, use 'nft' tool to list them. +-P INPUT ACCEPT +-P FORWARD ACCEPT +-P OUTPUT ACCEPT +-A INPUT -j ACCEPT" + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S) diff --git a/iptables/tests/shell/testcases/chain/0005base-delete_0 b/iptables/tests/shell/testcases/chain/0005base-delete_0 new file mode 100755 index 00000000..033a2819 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0005base-delete_0 @@ -0,0 +1,34 @@ +#!/bin/bash -x + +$XT_MULTI iptables -N foo || exit 1 +$XT_MULTI iptables -P FORWARD DROP || exit 1 +$XT_MULTI iptables -X || exit 1 +$XT_MULTI iptables -X foo && exit 1 + +# indefinite -X fails if a non-empty user-defined chain exists +$XT_MULTI iptables -N foo +$XT_MULTI iptables -N bar +$XT_MULTI iptables -A bar -j ACCEPT +$XT_MULTI iptables -X && exit 1 +$XT_MULTI iptables -D bar -j ACCEPT +$XT_MULTI iptables -X || exit 1 + +# make sure OUTPUT chain is created by iptables-nft +$XT_MULTI iptables -A OUTPUT -j ACCEPT || exit 1 +$XT_MULTI iptables -D OUTPUT -j ACCEPT || exit 1 + +case $XT_MULTI in +*xtables-nft-multi) + # must not delete chain FORWARD, its policy is not ACCEPT + $XT_MULTI iptables -X FORWARD && exit 1 + nft list chain ip filter FORWARD || exit 1 + # this should evict chain OUTPUT + $XT_MULTI iptables -X OUTPUT || exit 1 + nft list chain ip filter OUTPUT && exit 1 + ;; +*) + $XT_MULTI iptables -X FORWARD && exit 1 + $XT_MULTI iptables -X OUTPUT && exit 1 + ;; +esac +exit 0 
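Review bot: In 0005base-delete_0 the setup lines of the "indefinite -X" block (`$XT_MULTI iptables -N foo`, `$XT_MULTI iptables -N bar`, `$XT_MULTI iptables -A bar -j ACCEPT`) are not status-checked, so if any of them fails the following `-X && exit 1` passes for the wrong reason (no non-empty user chain exists) and the regression the block is meant to catch goes unnoticed. Appending `|| exit 1` to those three lines, as the first block of the script already does for its own setup, keeps the negative check meaningful.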
diff --git a/iptables/tests/shell/testcases/chain/0006rename-segfault_0 b/iptables/tests/shell/testcases/chain/0006rename-segfault_0 new file mode 100755 index 00000000..c10a8006 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0006rename-segfault_0 @@ -0,0 +1,19 @@ +#!/bin/bash +# +# Cover for a bug in libiptc: +# - the chain 'node-98-tmp' is the last in the list sorted by name +# - there are 81 chains in total, so three chain index buckets +# - the last index bucket contains only the 'node-98-tmp' chain +# => rename temporarily removes it from the bucket, leaving a NULL bucket +# behind which is dereferenced later when inserting the chain again with new +# name again + +( + echo "*filter" + for chain in node-1 node-10 node-101 node-102 node-104 node-107 node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18 node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27 node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36 node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45 node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54 node-55 node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62 node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71 node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 node-92 node-93 node-95 node-98-tmp; do + echo ":$chain - [0:0]" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore +$XT_MULTI iptables -E node-98-tmp node-98 +exit $? diff --git a/iptables/tests/shell/testcases/chain/0007counters_0 b/iptables/tests/shell/testcases/chain/0007counters_0 new file mode 100755 index 00000000..0b21a926 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0007counters_0 
@@ -0,0 +1,78 @@ +#!/bin/bash -e + +SETUP="*filter +:FORWARD ACCEPT [13:37] +-A FORWARD -c 1 2 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT +COMMIT" + + +### -Z with index shall zero a single chain only + +EXPECT="-P FORWARD ACCEPT -c 13 37 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 3 4 -j ACCEPT" + +$XT_MULTI iptables-restore --counters <<< "$SETUP" +$XT_MULTI iptables -Z FORWARD 1 +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### -Z without index shall zero the chain and all rules + +EXPECT="-P FORWARD ACCEPT -c 0 0 +-A FORWARD -c 0 0 -j ACCEPT +-A FORWARD -c 0 0 -j ACCEPT" + +$XT_MULTI iptables -Z FORWARD +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -vS FORWARD) + + +### prepare for live test + +# iptables-nft will create output chain on demand, so make sure it exists +$XT_MULTI iptables -A OUTPUT -d 127.2.3.4 -j ACCEPT + +# test runs in its own netns, lo is there but down by default +ip link set lo up + + +### pings (and pongs) hit OUTPUT policy, its counters must increase + +get_pkt_counter() { # (CHAIN) + $XT_MULTI iptables -vS $1 | awk '/^-P '$1'/{print $5; exit}' +} + +counter_inc_test() { + pkt_pre=$(get_pkt_counter OUTPUT) + ping -q -i 0.2 -c 3 127.0.0.1 + pkt_post=$(get_pkt_counter OUTPUT) + [[ $pkt_post -gt $pkt_pre ]] +} + +counter_inc_test + +# iptables-nft-restore needed --counters to create chains with them +if [[ $XT_MULTI == *xtables-nft-multi ]]; then + $XT_MULTI iptables -F OUTPUT + $XT_MULTI iptables -X OUTPUT + $XT_MULTI iptables-restore <<EOF +*filter +:OUTPUT ACCEPT [0:0] +COMMIT +EOF + counter_inc_test +fi + +### unrelated restore must not touch changing counters in kernel + +# With legacy iptables, this works without --noflush even. With iptables-nft, +# ruleset is flushed though. Not sure which behaviour is actually correct. 
:) +pkt_pre=$pkt_post +$XT_MULTI iptables-restore --noflush <<EOF +*filter$(ping -i 0.2 -c 3 127.0.0.1 >/dev/null 2>&1) +COMMIT +EOF +nft list ruleset +pkt_post=$(get_pkt_counter OUTPUT) +[[ $pkt_post -eq $((pkt_pre + 6 )) ]] diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 new file mode 100755 index 00000000..bc473d25 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 @@ -0,0 +1,32 @@ +#!/bin/bash +# +# Another funny rename bug in libiptc: +# If there is a chain index bucket with only a single chain in it and it is not +# the last one and that chain is renamed, a chain index rebuild is triggered. +# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an +# extra index is allocated and remains NULL. The following insert of renamed +# chain then segfaults. + +( + echo "*filter" + # first bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-a-$i - [0:0]" + done + # second bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-b-$i - [0:0]" + done + # third bucket, just make sure it exists + echo ":chain-c-0 - [0:0]" + echo "COMMIT" +) | $XT_MULTI iptables-restore + +# rename all chains of the middle bucket +( + echo "*filter" + for ((i = 0; i < 40; i++)); do + echo "-E chain-b-$i chain-d-$i" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore --noflush diff --git a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 index 6f11bd12..bae0de7d 100755 --- a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 +++ b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 
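Review bot: `get_pkt_counter` splices its argument into the awk program text (`'/^-P '$1'/'`), so the chain name is read as regex source and any name containing `/` or a regex metacharacter would break or mis-match; the conventional form passes it as a variable, `awk -v c="$1" '$0 ~ "^-P " c {print $5; exit}'`. The only caller passes the constant `OUTPUT`, so this is a style point rather than a live bug. The `$(ping …)` embedded in the `*filter` line of the `--noflush` heredoc is deliberately subtle; the comment above it explains the goal, but a one-line remark next to it such as `# ping runs while iptables-restore is still reading its input` would spare the next reader a double-take.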
@@ -15,13 +15,13 @@ get_entries_count() { # (chain) set -x -for t in filter nat;do +for t in filter nat broute; do $XT_MULTI ebtables -t $t -L || exit 1 $XT_MULTI ebtables -t $t -X || exit 1 $XT_MULTI ebtables -t $t -F || exit 1 done -for t in broute foobar ;do +for t in foobar; do $XT_MULTI ebtables -t $t -L && $XT_MULTI ebtables -t $t -X && $XT_MULTI ebtables -t $t -F diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 index ccdef19c..b4f9728b 100755 --- a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 +++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 @@ -13,8 +13,8 @@ $XT_MULTI ebtables -A INPUT -p IPv4 -i lo -j ACCEPT $XT_MULTI ebtables -P FORWARD DROP $XT_MULTI ebtables -A OUTPUT -s ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -j DROP $XT_MULTI ebtables -N foo -$XT_MULTI ebtables -A foo --802_3-sap 0x23 -j ACCEPT -$XT_MULTI ebtables -A foo --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0x23 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT #$XT_MULTI ebtables -A foo --among-dst fe:ed:ba:be:00:01,fe:ed:ba:be:00:02,fe:ed:ba:be:00:03 -j ACCEPT $XT_MULTI ebtables -A foo -p ARP --arp-gratuitous -j ACCEPT $XT_MULTI ebtables -A foo -p ARP --arp-opcode Request -j ACCEPT 
@@ -38,13 +38,13 @@ $XT_MULTI ebtables -A foo -p IPv6 --ip6-proto tcp -j ACCEPT $XT_MULTI ebtables -A foo --limit 100 --limit-burst 42 -j ACCEPT $XT_MULTI ebtables -A foo --log -$XT_MULTI ebtables -A foo --mark-set 0x23 --mark-target ACCEPT +$XT_MULTI ebtables -A foo -j mark --mark-set 0x23 --mark-target ACCEPT $XT_MULTI ebtables -A foo --nflog $XT_MULTI ebtables -A foo --pkttype-type multicast -j ACCEPT $XT_MULTI ebtables -A foo --stp-type config -j ACCEPT #$XT_MULTI ebtables -A foo --vlan-id 42 -j ACCEPT -$XT_MULTI ebtables -A foo --802_3-sap 0x23 --limit 100 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0x23 --limit 100 -j ACCEPT $XT_MULTI ebtables -A foo --pkttype-type multicast --log $XT_MULTI ebtables -A foo --pkttype-type multicast --limit 100 -j ACCEPT @@ -53,7 +53,7 @@ $XT_MULTI ebtables -A FORWARD -j foo $XT_MULTI ebtables -N bar $XT_MULTI ebtables -P bar RETURN -$XT_MULTI ebtables -t nat -A PREROUTING --redirect-target ACCEPT +$XT_MULTI ebtables -t nat -A PREROUTING -j redirect --redirect-target ACCEPT #$XT_MULTI ebtables -t nat -A PREROUTING --to-src fe:ed:ba:be:00:01 $XT_MULTI ebtables -t nat -A OUTPUT -j ACCEPT @@ -75,8 +75,8 @@ DUMP='*filter -A INPUT -p IPv4 -i lo -j ACCEPT -A FORWARD -j foo -A OUTPUT -s Broadcast -j DROP --A foo --802_3-sap 0x23 -j ACCEPT --A foo --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT +-A foo -p Length --802_3-sap 0x23 -j ACCEPT +-A foo -p Length --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT -A foo -p ARP --arp-gratuitous -j ACCEPT -A foo -p ARP --arp-op Request -j ACCEPT -A foo -p ARP --arp-ip-src 10.0.0.1 -j ACCEPT 
@@ -91,13 +91,13 @@ DUMP='*filter -A foo -p IPv6 --ip6-dst feed:babe::/64 -j ACCEPT -A foo -p IPv6 --ip6-proto tcp -j ACCEPT -A foo --limit 100/sec --limit-burst 42 -j ACCEPT --A foo --log-level notice --log-prefix "" -j CONTINUE +-A foo --log-level notice -j CONTINUE -A foo -j mark --mark-set 0x23 --mark-target ACCEPT -A foo --nflog-group 1 -j CONTINUE -A foo --pkttype-type multicast -j ACCEPT -A foo --stp-type config -j ACCEPT --A foo --802_3-sap 0x23 --limit 100/sec --limit-burst 5 -j ACCEPT --A foo --pkttype-type multicast --log-level notice --log-prefix "" -j CONTINUE +-A foo -p Length --802_3-sap 0x23 --limit 100/sec --limit-burst 5 -j ACCEPT +-A foo --pkttype-type multicast --log-level notice -j CONTINUE -A foo --pkttype-type multicast --limit 100/sec --limit-burst 5 -j ACCEPT *nat :PREROUTING ACCEPT diff --git a/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 b/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 index 63891c1b..7554ef85 100755 --- a/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 +++ b/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 @@ -24,7 +24,7 @@ EXPECT='*filter -A FORWARD --limit 100/sec --limit-burst 42 -j ACCEPT -A FORWARD --limit 1000/sec --limit-burst 5 -j ACCEPT -A FORWARD --log-level notice --log-prefix "foobar" -j CONTINUE --A FORWARD --log-level notice --log-prefix "" -j CONTINUE' +-A FORWARD --log-level notice -j CONTINUE' $XT_MULTI ebtables --init-table $XT_MULTI ebtables-restore <<<$DUMP diff --git a/iptables/tests/shell/testcases/ebtables/0006-flush_0 b/iptables/tests/shell/testcases/ebtables/0006-flush_0 new file mode 100755 index 00000000..5d714529 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0006-flush_0 
@@ -0,0 +1,47 @@ +#!/bin/bash + +set -e + +# there is no legacy backend to test +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +RULESET='*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT +-A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP +*nat +:PREROUTING ACCEPT +:OUTPUT ACCEPT +:POSTROUTING ACCEPT +-A OUTPUT --among-src c0:ff:ee:90:90:90=192.168.0.1 -j DROP' + +$XT_MULTI ebtables-restore <<<$RULESET +diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#') + +RULESET='*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT +-A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP +*nat +:PREROUTING ACCEPT +:OUTPUT ACCEPT +:POSTROUTING ACCEPT' + +$XT_MULTI ebtables -t nat -F +diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#') + +RULESET='*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +*nat +:PREROUTING ACCEPT +:OUTPUT ACCEPT +:POSTROUTING ACCEPT' + +$XT_MULTI ebtables -t filter -F +diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#') diff --git a/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 new file mode 100755 index 00000000..d79f91b1 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 
@@ -0,0 +1,41 @@ +#!/bin/bash + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +set -e + +# ebtables supports policies in user-defined chains %) +# and the default policy is ACCEPT ... +$XT_MULTI ebtables -N FOO -P DROP +$XT_MULTI ebtables -N BAR +$XT_MULTI ebtables -P BAR RETURN +$XT_MULTI ebtables -N BAZ + +EXPECT_BASE="*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT" + +EXPECT="$EXPECT_BASE +:BAR RETURN +:BAZ ACCEPT +:FOO DROP" + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#') + +# rule commands must not break the policies +$XT_MULTI ebtables -A FOO -j ACCEPT +$XT_MULTI ebtables -D FOO -j ACCEPT +$XT_MULTI ebtables -F +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#') + +# dropping the chains must implicitly remove the policy rule as well +$XT_MULTI ebtables -X +diff -u -Z <(echo -e "$EXPECT_BASE") <($XT_MULTI ebtables-save | grep -v '^#') diff --git a/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 new file mode 100755 index 00000000..962b1e03 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 
@@ -0,0 +1,106 @@ +#!/bin/sh + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +sfx=$(mktemp -u "XXXXXXXX") +nsa="nsa-$sfx" +nsb="nsb-$sfx" +nsc="nsc-$sfx" + +cleanup() +{ + ip netns del "$nsa" + ip netns del "$nsb" + ip netns del "$nsc" +} + +trap cleanup EXIT + +assert_fail() +{ + if [ $1 -eq 0 ]; then + echo "FAILED: $2" + exit 1 + fi +} + +assert_pass() +{ + if [ $1 -ne 0 ]; then + echo "FAILED: $2" + exit 2 + fi +} + +ip netns add "$nsa" +ip netns add "$nsb" +ip netns add "$nsc" + +ip link add name c_b netns "$nsc" type veth peer name b_c netns "$nsb" +ip link add name s_b netns "$nsa" type veth peer name b_s netns "$nsb" +ip netns exec "$nsb" ip link add name br0 type bridge + +ip -net "$nsb" link set b_c up +ip netns exec "$nsb" ip link set b_s up +ip netns exec "$nsb" ip addr add 10.167.11.254/24 dev br0 +ip netns exec "$nsb" ip link set br0 up +ip netns exec "$nsb" ip link set b_c master br0 +ip netns exec "$nsb" ip link set b_s master br0 +ip netns exec "$nsc" ip addr add 10.167.11.2/24 dev c_b +ip netns exec "$nsc" ip link set c_b up +ip -net "$nsa" addr add 10.167.11.1/24 dev s_b +ip -net "$nsa" link set s_b up + +ip netns exec "$nsc" ping -q 10.167.11.1 -c1 >/dev/null || exit 1 + +bf_bridge_mac1=`ip netns exec "$nsb" cat /sys/class/net/b_s/address` +bf_bridge_mac0=`ip netns exec "$nsb" cat /sys/class/net/b_c/address` +bf_client_mac1=`ip netns exec "$nsc" cat /sys/class/net/c_b/address` +bf_server_mac1=`ip netns exec "$nsa" cat /sys/class/net/s_b/address` + +bf_server_ip1="10.167.11.1" +bf_bridge_ip0="10.167.11.254" +bf_client_ip1="10.167.11.2" +pktsize=64 + +# --among-src [mac,IP] +among="$bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1" +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-dst $bf_server_ip1 --among-src "$among" -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null 
+assert_fail $? "--among-src [match]" + +# ip netns exec "$nsb" $XT_MULTI ebtables -L --Ln --Lc + +among="$bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1" +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-dst $bf_server_ip1 ! --among-src "$among" -j DROP > /dev/null +ip netns exec "$nsc" ping $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null +assert_pass $? "--among-src [not match]" + +# --among-dst [mac,IP] +among="$bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1" +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-src $bf_client_ip1 --among-dst "$among" -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null +assert_fail $? "--among-dst [match]" + +# ! --among-dst [mac,IP] +among="$bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1" +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD \ + -p ip --ip-src $bf_client_ip1 ! --among-dst "$among" -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null +assert_pass $? "--among-dst [not match]" + +exit 0 diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 new file mode 100755 index 00000000..0def0ac5 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring: +# - with --noflush +# - a second table after the broute one +# - A policy command but no chain line for BROUTING chain + +set -e + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +$XT_MULTI ebtables-restore --noflush <<EOF +*broute +-P BROUTING ACCEPT +*nat +-P PREROUTING ACCEPT +COMMIT +EOF 
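Review bot: The `assert_fail $?` checks after the `--among-src` / `--among-dst` DROP rules treat any ping failure as proof that the rule matched, so a timeout caused by the veth/bridge setup (none of the `ip link` / `ip addr` commands are status-checked and the script has no `set -e`) or by the one-second `-W 1` deadline passes the test exactly like a real DROP would. Confirming the match from the rule side, for example reading the FORWARD rule's packet counter via `ebtables -L FORWARD --Lc` before and after the ping and requiring it to increase, would make the positive cases robust against environment noise. Minor style: the four backtick substitutions that read the MAC addresses should be `$(…)`.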
diff --git a/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 b/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 new file mode 100755 index 00000000..4f783819 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0010-change-counters_0 @@ -0,0 +1,45 @@ +#!/bin/sh + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +set -e +set -x + +check_rule() { # (pcnt, bcnt) + $XT_MULTI ebtables -L FORWARD --Lc --Ln | \ + grep -q "^1. -o eth0 -j CONTINUE , pcnt = $1 -- bcnt = $2$" +} + +$XT_MULTI ebtables -A FORWARD -o eth0 -c 10 20 +check_rule 10 20 + +$XT_MULTI ebtables -C FORWARD 1 100 200 +check_rule 100 200 + +$XT_MULTI ebtables -C FORWARD 101 201 -o eth0 +check_rule 101 201 + +$XT_MULTI ebtables -C FORWARD 1 +10 -20 +check_rule 111 181 + +$XT_MULTI ebtables -C FORWARD -10 +20 -o eth0 +check_rule 101 201 + +$XT_MULTI ebtables -A FORWARD -o eth1 -c 111 211 +$XT_MULTI ebtables -A FORWARD -o eth2 -c 121 221 + +$XT_MULTI ebtables -C FORWARD 2:3 +100 -200 + +EXPECT='1. -o eth0 -j CONTINUE , pcnt = 101 -- bcnt = 201 +2. -o eth1 -j CONTINUE , pcnt = 211 -- bcnt = 11 +3. -o eth2 -j CONTINUE , pcnt = 221 -- bcnt = 21' +diff -u <(echo "$EXPECT") \ + <($XT_MULTI ebtables -L FORWARD --Lc --Ln | grep -- '-o eth') + diff --git a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 index 7b0e6468..45fab830 100755 --- a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 +++ b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 
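Review bot: 0010-change-counters_0 is marked `#!/bin/sh` but ends with process substitution (`diff -u <(echo "$EXPECT") <(…)`), which is not POSIX and is a syntax error under dash; the sibling tests that use `<(…)`, e.g. 0007-chain-policies_0 above, carry `#!/bin/bash`, so the shebang here should be `#!/bin/bash` as well. `check_rule` interpolates `$1`/`$2` into its grep regex, which is harmless for the numeric arguments used but is worth a comment like `# (pcnt, bcnt) are plain integers, safe inside the pattern`.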
@@ -6,23 +6,38 @@ set -e # ensure verbose output is identical between legacy and nft tools RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT' -VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2' +VOUT1='ACCEPT all opt -- in eth2 out eth3 feed:babe::1 -> feed:babe::2' RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT' -VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5' +VOUT2='ACCEPT all opt -- in eth2 out eth3 feed:babe::4 -> feed:babe::5' +RULE3='-p icmpv6 -m icmp6 --icmpv6-type no-route' +VOUT3=' ipv6-icmp opt -- in * out * ::/0 -> ::/0 ipv6-icmptype 1 code 0' +RULE4='-m dst --dst-len 42 -m rt --rt-type 23' +VOUT4=' all opt -- in * out * ::/0 -> ::/0 dst length:42 rt type:23' +RULE5='-m frag --fragid 1337 -j LOG' +VOUT5='LOG all opt -- in * out * ::/0 -> ::/0 frag id:1337 LOG flags 0 level 4' diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -A FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -A FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -A FORWARD $RULE5) diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -C FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -C FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -C FORWARD $RULE5) EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2 - 0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ACCEPT all -- eth2 eth3 feed:babe::1 
feed:babe::2 + 0 0 ACCEPT all -- eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ipv6-icmp -- * * ::/0 ::/0 ipv6-icmptype 1 code 0 + 0 0 all -- * * ::/0 ::/0 dst length:42 rt type:23 + 0 0 LOG all -- * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination' diff --git a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 index c98bdd6e..09e39927 100755 --- a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 +++ b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 @@ -3,7 +3,7 @@ set -e $XT_MULTI ip6tables -N foo -$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT +$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 $XT_MULTI ip6tables -A FORWARD -i eth42 -o eth23 -g foo $XT_MULTI ip6tables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT @@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 -P FORWARD ACCEPT -c 0 0 -P OUTPUT ACCEPT -c 0 0 -N foo --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S) @@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD) EXPECT='-P FORWARD ACCEPT -c 0 0 --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S FORWARD) diff --git a/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0 b/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0 new file mode 100755 index 00000000..cc8215bf --- /dev/null +++ b/iptables/tests/shell/testcases/ip6tables/0005-rule-check_0 
@@ -0,0 +1,17 @@ +#!/bin/bash +# +# Test the fix in commit 78850e7dba64a ("ip6tables: Fix checking existence of +# rule"). Happens with legacy ip6tables only, but testing ip6tables-nft doesn't +# hurt. +# +# Code taken from https://bugzilla.netfilter.org/show_bug.cgi?id=1667 +# Thanks to Jonathan Caicedo <jonathan@jcaicedo.com> for providing it. + +RULE='-p tcp --dport 81 -j DNAT --to-destination [::1]:81' + +$XT_MULTI ip6tables -t nat -N testchain || exit 1 +$XT_MULTI ip6tables -t nat -A testchain $RULE || exit 1 +$XT_MULTI ip6tables -t nat -C testchain $RULE || exit 1 + +$XT_MULTI ip6tables -t nat -C testchain ${RULE//81/82} 2>/dev/null && exit 1 +exit 0 diff --git a/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 b/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 index 5c8748ec..d632cbc0 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 @@ -2,7 +2,7 @@ set -e -# make sure wait and wait-interval options are accepted +# make sure wait options are accepted clean_tempfile() { @@ -18,4 +18,3 @@ tmpfile=$(mktemp) || exit 1 $XT_MULTI iptables-save -f $tmpfile $XT_MULTI iptables-restore $tmpfile $XT_MULTI iptables-restore -w 5 $tmpfile -$XT_MULTI iptables-restore -w 5 -W 1 $tmpfile diff --git a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 index 3f1d229e..5482b7ea 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 
@@ -123,3 +123,19 @@ EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT -A FORWARD -m comment --comment "rule 3" -j ACCEPT' diff -u -Z <(echo -e "$EXPECT") <(ipt_show) + +# test adding, referencing and deleting the same rule in a batch + +$XT_MULTI iptables-restore <<EOF +*filter +-A FORWARD -m comment --comment "first rule" -j ACCEPT +-A FORWARD -m comment --comment "referenced rule" -j ACCEPT +-I FORWARD 2 -m comment --comment "referencing rule" -j ACCEPT +-D FORWARD -m comment --comment "referenced rule" -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment "first rule" -j ACCEPT +-A FORWARD -m comment --comment "referencing rule" -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) diff --git a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 index 5ac70682..854768c9 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 @@ -20,3 +20,10 @@ EXPECT=":foo - [0:0] $XT_MULTI iptables-restore --counters <<< "$DUMP" diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save --counters | grep foo) + +# if present, counters must be in proper format +! $XT_MULTI iptables-restore <<EOF +*filter +:FORWARD ACCEPT bar +COMMIT +EOF diff --git a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 index fc8559c5..087156b1 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 @@ -33,6 +33,7 @@ Flushing chain \`bar' Flushing chain \`foo' Deleting chain \`bar' Deleting chain \`foo' +ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 Flushing chain \`PREROUTING' Flushing chain \`INPUT' Flushing chain \`OUTPUT' 
@@ -41,6 +42,7 @@ Flushing chain \`natbar' Flushing chain \`natfoo' Deleting chain \`natbar' Deleting chain \`natfoo' +ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 Flushing chain \`PREROUTING' Flushing chain \`OUTPUT' Flushing chain \`rawfoo' @@ -58,9 +60,10 @@ Flushing chain \`OUTPUT' Flushing chain \`secfoo' Deleting chain \`secfoo'" -for ipt in iptables-restore ip6tables-restore; do - diff -u -Z <(echo "$EXPECT") <($XT_MULTI $ipt -v <<< "$DUMP") -done +EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' <<< "$EXPECT") + +diff -u -Z <(echo "$EXPECT") <($XT_MULTI iptables-restore -v <<< "$DUMP") +diff -u -Z <(echo "$EXPECT6") <($XT_MULTI ip6tables-restore -v <<< "$DUMP") DUMP="*filter :baz - [0:0] diff --git a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 index 4e0be51c..48f5f7b4 100755 --- a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 +++ b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 @@ -39,6 +39,7 @@ do_simple() $XT_MULTI ${iptables}-restore < "$dumpfile" $XT_MULTI ${iptables}-save | grep -v "^#" > "$tmpfile" + sed -i -e 's/-p 47 /-p gre /' "$tmpfile" do_diff $dumpfile "$tmpfile" if [ $? -ne 0 ]; then # cp "$tmpfile" "$dumpfile.got" diff --git a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 index 50c0cae8..bcfaad36 100755 --- a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 +++ b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 @@ -1,13 +1,5 @@ #!/bin/bash -case "$(basename $XT_MULTI)" in - xtables-legacy-multi) - ;; - *) - echo "skip $XT_MULTI" - exit 0 - ;; -esac - dump=$(dirname $0)/dumps/fedora27-iptables diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump) +diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml -c <$dump) 
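Review bot: In the 0001load-dumps hunk, the new `sed -i -e 's/-p 47 /-p gre /' "$tmpfile"` rewrites the saved ruleset before `do_diff` without saying why, so a future reader cannot tell whether it papers over a backend difference or a known formatting bug; the enclosing `do_simple` starts outside the hunk. A one-line comment above it would do, e.g. `# normalise the numeric GRE protocol to its name so dumps from either backend compare equal (TODO: confirm which backend prints "-p 47")`. Because the substitution mutates the output under test, it also hides any regression in how that protocol is printed; if that is acceptable, the comment should say so.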
diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 new file mode 100755 index 00000000..b86d71f2 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 @@ -0,0 +1,37 @@ +#!/bin/bash + +# Test recent performance improvements in iptables-save due to reduced +# overhead. + +strace --version >/dev/null || { echo "skip for missing strace"; exit 0; } + +RULESET=$( + echo "*filter" + for ((i = 0; i < 100; i++)); do + echo ":mychain$i -" + echo "-A FORWARD -p tcp --dport 22 -j mychain$i" + done + echo "COMMIT" +) + +RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null) +SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null) + +do_grep() { # (name, threshold, pattern) + local cnt=$(grep -c "$3") + [[ $cnt -le $2 ]] && return 0 + echo "ERROR: Too many $3 lookups for $1: $cnt > $2" + exit 1 +} + +# iptables prefers hard-coded protocol names instead of looking them up first + +do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE" +do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE" + +# iptables-nft-save pointlessly checked whether chain jumps are targets + +do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE" +do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE" + +exit 0 diff --git a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 b/iptables/tests/shell/testcases/iptables/0003-list-rules_0 index d335d442..d07bd151 100755 --- a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 +++ b/iptables/tests/shell/testcases/iptables/0003-list-rules_0 @@ -3,7 +3,7 @@ set -e $XT_MULTI iptables -N foo -$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT +$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 $XT_MULTI iptables -A FORWARD -i eth42 -o eth23 -g foo $XT_MULTI iptables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT 
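Review bot: In the 0007-overhead hunk, the test passes vacuously when strace cannot trace: if ptrace is unavailable (a common container restriction) both `$(strace ... 2>&1 >/dev/null)` captures hold only strace's error, every `grep -c` yields 0, and all thresholds are trivially met. Add an attach probe next to the version check, `strace -o /dev/null true 2>/dev/null || { echo "skip: strace cannot attach"; exit 0; }`, and append `|| exit 1` to both `RESTORE_STRACE=` and `SAVE_STRACE=` assignments so a failing iptables-restore/iptables-save is reported rather than counted as "no lookups". The version probe should also be `strace --version >/dev/null 2>&1` so a missing binary does not print "command not found" into the test log.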
@@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 -P FORWARD ACCEPT -c 0 0 -P OUTPUT ACCEPT -c 0 0 -N foo --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S) @@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S FORWARD) EXPECT='-P FORWARD ACCEPT -c 0 0 --A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT +-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S FORWARD) diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 index dcd9dfd3..234f3040 100755 --- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 +++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 @@ -39,7 +39,7 @@ E2BIG_D=": Index of deletion too big." E2BIG_R=": Index of replacement too big." EBADRULE=": Bad rule (does a matching rule exist in that chain?)." #ENOTGT=" v[0-9\.]* [^ ]*: Couldn't load target \`foobar':No such file or directory" -ENOMTH=" v[0-9\.]* [^ ]*: Couldn't load match \`foobar':No such file or directory" +ENOMTH=" v[0-9\.]* [^ ]*: Couldn't \(load\|find\) match \`foobar'\(:No such file or directory\|\)" ENOTBL=": can't initialize iptables table \`foobar': Table does not exist" # test chain creation @@ -58,6 +58,7 @@ cmd 1 "$ENOENT" -Z bar cmd 0 -E foo bar cmd 1 "$EEXIST_F" -E foo bar cmd 1 "$ENOENT" -E foo bar2 +cmd 1 "$ENOENT" -L foo cmd 0 -N foo2 cmd 1 "$EEXIST_F" -E foo2 bar diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 index 36da1907..21793472 100755 --- a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 +++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 
@@ -10,6 +10,7 @@ $XT_MULTI iptables-restore -c <<EOF [12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR" [22:123] -A FOO -m comment --comment one [44:123] -A FOO -m comment --comment two +[66:123] -A FOO -m comment --comment three COMMIT EOF EXPECT="*filter @@ -20,6 +21,7 @@ EXPECT="*filter [0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR" [0:0] -A FOO -m comment --comment one [0:0] -A FOO -m comment --comment two +[0:0] -A FOO -m comment --comment three COMMIT" COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") @@ -28,6 +30,18 @@ if [ $COUNTER != "[12:345]" ]; then RC=1 fi +$XT_MULTI iptables -Z FOO 2 +COUNTER=$($XT_MULTI iptables-save -c | grep "comment two"| cut -f 1 -d " ") +if [ $COUNTER != "[0:0]" ]; then + echo "Counter $COUNTER is wrong, should have been zeroed" + RC=1 +fi +COUNTER=$($XT_MULTI iptables-save -c | grep "comment three"| cut -f 1 -d " ") +if [ $COUNTER != "[66:123]" ]; then + echo "Counter $COUNTER is wrong, should not have been zeroed" + RC=1 +fi + $XT_MULTI iptables -Z FOO COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") if [ $COUNTER = "[0:0]" ]; then @@ -60,5 +74,6 @@ fi $XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR" $XT_MULTI iptables -D FOO -m comment --comment one $XT_MULTI iptables -D FOO -m comment --comment two +$XT_MULTI iptables -D FOO -m comment --comment three $XT_MULTI iptables -X FOO exit $RC diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 new file mode 100755 index 00000000..983531fe --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 
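Review bot: The two new `if [ $COUNTER != ... ]` tests in the third hunk leave `$COUNTER` unquoted: when the `grep "comment two"` / `grep "comment three"` pipeline finds nothing, the variable is empty, `[` reports "unary operator expected", the branch is skipped and RC is never set, so a missing rule is reported as success. Use `if [ "$COUNTER" != "[0:0]" ]; then` and `if [ "$COUNTER" != "[66:123]" ]; then`. The pre-existing checks in the context lines have the same shape, so fixing the new ones consistently would be the place to start.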
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# iptables may print match/target specific help texts
+# help output should work for unprivileged users
+
+run() {
+ echo "running: $*" >&2
+ runuser -u nobody -- "$@"
+}
+
+grep_or_rc() {
+ declare -g rc
+ grep -q "$*" && return 0
+ echo "missing in output: $*" >&2
+ return 1
+}
+
+out=$(run $XT_MULTI iptables --help)
+let "rc+=$?"
+grep_or_rc "iptables -h (print this help information)" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -m limit --help)
+let "rc+=$?"
+grep_or_rc "limit match options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -p tcp --help)
+let "rc+=$?"
+grep_or_rc "tcp match options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "DNAT target options:" <<< "$out"
+let "rc+=$?"
+
+# TEE has no revision 0
+out=$(run $XT_MULTI iptables -j TEE --help)
+let "rc+=$?"
+grep_or_rc "TEE target options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "tcp match options:" <<< "$out"
+let "rc+=$?"
+out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "DNAT target options:" <<< "$out"
+let "rc+=$?"
+
+
+run $XT_MULTI iptables -L 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+run $XT_MULTI iptables -A FORWARD -p tcp --dport 123 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+run $XT_MULTI iptables -A FORWARD -j DNAT --to-destination 1.2.3.4 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+exit $rc
diff --git a/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
new file mode 100755
index 00000000..ac6e7439
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
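Review bot: `rc` is never initialised in 0008-unprivileged_0; `declare -g rc` inside grep_or_rc only declares it, and the script works because `let "rc+=$?"` treats an unset name as 0, which `set -u` or a future reshuffle would break — add `rc=0` before the first `run`. The test also has no skip path: if `runuser` is absent or the `nobody` account does not exist, every `run` call fails and the result is a string of false failures instead of a skip, so a guard such as `command -v runuser >/dev/null && id nobody >/dev/null 2>&1 || { echo "skip: runuser/nobody unavailable"; exit 0; }` belongs at the top. As a style point, the `-p tcp -j DNAT --help` invocation is run twice only to grep two strings; capturing `out` once and calling grep_or_rc on it twice halves the privileged-user round trips.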
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+rc=0
+
+check() {
+ local cmd="$1"
+ local msg="$2"
+
+ $XT_MULTI $cmd 2>&1 | grep -q "$msg" || {
+ echo "cmd: $XT_MULTI $1"
+ echo "exp: $msg"
+ echo "res: $($XT_MULTI $cmd 2>&1)"
+ rc=1
+ }
+}
+
+cmds="iptables ip6tables"
+[[ $XT_MULTI == *xtables-nft-multi ]] && {
+ cmds+=" ebtables"
+ cmds+=" iptables-translate"
+ cmds+=" ip6tables-translate"
+ cmds+=" ebtables-translate"
+}
+
+for cmd in $cmds; do
+ check "${cmd} --foo" 'unknown option "--foo"'
+ check "${cmd} -A" 'option "-A" requires an argument'
+ check "${cmd} -aL" 'unknown option "-a"'
+done
+
+exit $rc
diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0
new file mode 100755
index 00000000..4481f966
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0010-wait_0
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+case "$XT_MULTI" in
+*xtables-legacy-multi)
+ ;;
+*)
+ echo skip $XT_MULTI
+ exit 0
+ ;;
+esac
+
+coproc RESTORE { $XT_MULTI iptables-restore; }
+echo "*filter" >&${RESTORE[1]}
+
+
+$XT_MULTI iptables -A FORWARD -j ACCEPT &
+ipt_pid=$!
+
+waitpid -t 1 $ipt_pid
+[[ $? -eq 3 ]] && {
+ echo "process waits when it should not"
+ exit 1
+}
+wait $ipt_pid
+[[ $? -eq 0 ]] && {
+ echo "process exited 0 despite busy lock"
+ exit 1
+}
+
+t0=$(date +%s)
+$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT
+t1=$(date +%s)
+[[ $((t1 - t0)) -ge 3 ]] || {
+ echo "wait time not expired"
+ exit 1
+}
+
+$XT_MULTI iptables -w -A FORWARD -j ACCEPT &
+ipt_pid=$!
+
+waitpid -t 3 $ipt_pid
+[[ $? -eq 3 ]] || {
+ echo "no indefinite wait"
+ exit 1
+}
+kill $ipt_pid
+waitpid -t 3 $ipt_pid
+[[ $? -eq 3 ]] && {
+ echo "killed waiting iptables call did not exit in time"
+ exit 1
+}
+
+kill $RESTORE_PID
+wait
+exit 0
diff --git a/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 b/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0
index 43880ffb..981f007f 100755
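Review bot: 0010-wait_0 depends on the `waitpid` utility, a recent util-linux addition that many test hosts do not ship, and the script has no guard for it: a missing binary makes `waitpid -t 1 $ipt_pid` return 127, the `-eq 3` checks then mis-classify the run, and the test fails rather than skips. Add `command -v waitpid >/dev/null || { echo "skip $XT_MULTI: waitpid missing"; exit 0; }` right after the `esac`. The magic status 3 is compared four times; a comment on its first use, `# waitpid exits 3 when the timeout expires`, would spare the reader a trip to the man page. The lock is held only because the `RESTORE` coproc has consumed `*filter` and is waiting for more input; a comment saying so makes the set-up understandable.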
--- a/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 +++ b/iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0 @@ -13,11 +13,11 @@ COMMIT :foo [0:0] EOF -$XT_MULTI iptables-save | grep -q ':foo' +sleep 1 +$XT_MULTI iptables-save | grep -q ':foo' || exit 1 nft flush ruleset echo "COMMIT" >&"${COPROC[1]}" -sleep 1 - -[[ -n $COPROC_PID ]] && kill $COPROC_PID -wait +# close the pipe to make iptables-restore exit if it didn't error out yet +eval "exec ${COPROC[1]}>&-" +wait $COPROC_PID diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 index 41588a10..34802cc2 100755 --- a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 +++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 @@ -340,7 +340,7 @@ bridge filter OUTPUT 10 9 # - lines with bytecode (starting with ' [') # - empty lines (so printed diff is not a complete mess) filter() { - awk '/^( \[|$)/{print}' + awk '/^table /{exit} /^( \[|$)/{print}' } diff -u -Z <(filter <<< "$EXPECT") <(nft --debug=netlink list ruleset | filter) diff --git a/iptables/tests/shell/testcases/nft-only/0010-iptables-nft-save.txt b/iptables/tests/shell/testcases/nft-only/0010-iptables-nft-save.txt new file mode 100644 index 00000000..5ee4c231 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0010-iptables-nft-save.txt 
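Review bot: The new `sleep 1` before `$XT_MULTI iptables-save | grep -q ':foo' || exit 1` synchronises with the coproc by a fixed delay, so on a loaded host the chain may not yet exist and the test fails spuriously; a bounded poll is as short and deterministic: `for i in {1..20}; do $XT_MULTI iptables-save | grep -q ':foo' && break; sleep 0.1; done`. The final `wait $COPROC_PID` now makes the script's exit status that of iptables-restore, and the comment above it admits the restore may "error out"; if an error after `nft flush ruleset` is the expected outcome the status should be asserted explicitly rather than inherited, otherwise say so in the comment. The enclosing script begins outside the hunk.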
@@ -0,0 +1,26 @@ +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 23 -j ACCEPT +-A INPUT -s 1.2.3.0/24 -d 0.0.0.0/32 -p udp -m udp --dport 67:69 -j DROP +-A INPUT -s 1.0.0.0/8 -d 0.0.0.0/32 -p tcp -m tcp --sport 1024:65535 --dport 443 --tcp-flags SYN,ACK SYN -j ACCEPT +-A INPUT -p tcp -m tcp --dport 443 ! --tcp-flags SYN NONE -m comment --comment "checks if SYN bit is set" +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "same as iptables --syn" +-A INPUT -p tcp -m tcp --tcp-flags SYN SYN +-A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK SYN,ACK +-A INPUT -d 0.0.0.0/1 -m ttl --ttl-eq 1 -j DROP +-A INPUT -d 0.0.0.0/2 -m ttl --ttl-gt 2 -j ACCEPT +-A INPUT -d 0.0.0.0/3 -m ttl --ttl-lt 254 -j ACCEPT +-A INPUT -d 0.0.0.0/4 -m ttl ! --ttl-eq 255 -j DROP +-A INPUT -d 8.0.0.0/5 -p icmp -m icmp --icmp-type 1 -j ACCEPT +-A INPUT -d 8.0.0.0/6 -p icmp -m icmp --icmp-type 2/3 -j ACCEPT +-A INPUT -d 10.0.0.0/7 -p icmp -m icmp --icmp-type 8 -j ACCEPT +-A INPUT -m pkttype --pkt-type broadcast -j ACCEPT +-A INPUT -m pkttype ! --pkt-type unicast -j DROP +-A INPUT -p tcp +-A INPUT -d 0.0.0.0/1 -p udp +-A FORWARD -m limit --limit 10/day +-A FORWARD -p udp -m udp --dport 42 +-A FORWARD -i lo -o lo+ -j NFLOG --nflog-prefix "should use NFLOG" --nflog-group 1 --nflog-size 123 --nflog-threshold 42 +COMMIT diff --git a/iptables/tests/shell/testcases/nft-only/0010-native-delinearize_0 b/iptables/tests/shell/testcases/nft-only/0010-native-delinearize_0 new file mode 100755 index 00000000..7859e76c --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0010-native-delinearize_0 @@ -0,0 +1,9 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +nft -v >/dev/null || exit 0 + +set -e + +unshare -n bash -c "nft -f $(dirname $0)/0010-nft-native.txt; + diff -u -Z $(dirname $0)/0010-iptables-nft-save.txt <($XT_MULTI iptables-save | grep -v '^#')" 
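Review bot: In the 0010-native-delinearize hunk, the command handed to `unshare -n bash -c "..."` is built by interpolating `$(dirname $0)` and `$XT_MULTI` into a double-quoted string, so the inner shell re-parses whatever those expand to; a test directory or binary path containing a space or shell metacharacter breaks the command, and `$0` is additionally unquoted inside the substitution. Passing them as positional parameters keeps the child script static: `unshare -n bash -c 'nft -f "$1/0010-nft-native.txt"; diff -u -Z "$1/0010-iptables-nft-save.txt" <("$2" iptables-save | grep -v "^#")' -- "$(dirname "$0")" "$XT_MULTI"`. The `nft -v >/dev/null || exit 0` probe is also silent, unlike the `echo "skip $XT_MULTI"` line above it, so a missing nft looks like a pass in the log.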
diff --git a/iptables/tests/shell/testcases/nft-only/0010-nft-native.txt b/iptables/tests/shell/testcases/nft-only/0010-nft-native.txt new file mode 100644 index 00000000..d37ce873 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0010-nft-native.txt @@ -0,0 +1,41 @@ +table ip filter { + chain INPUT { + type filter hook input priority filter; policy accept; + + ip saddr 1.2.3.4 tcp dport 23 accept + ip saddr 1.2.3.0/24 ip daddr 0.0.0.0 udp dport 67-69 drop + + ip saddr 1.0.0.0/8 ip daddr 0.0.0.0 tcp sport 1024-65535 tcp dport 443 tcp flags syn / syn,ack accept + tcp dport 443 tcp flags syn comment "checks if SYN bit is set" + tcp flags syn / syn,rst,ack,fin comment "same as iptables --syn" + tcp flags & syn == syn + tcp flags & (syn | ack) != (syn | ack ) + + ip daddr 0.0.0.0/1 ip ttl 1 drop + ip daddr 0.0.0.0/2 ip ttl > 2 accept + ip daddr 0.0.0.0/3 ip ttl < 254 accept + ip daddr 0.0.0.0/4 ip ttl != 255 drop + + ip daddr 8.0.0.0/5 icmp type 1 accept + ip daddr 8.0.0.0/6 icmp type 2 icmp code port-unreachable accept + ip daddr 10.0.0.0/7 icmp type echo-request accept + + meta pkttype broadcast accept + meta pkttype != host drop + + ip saddr 0.0.0.0/0 ip protocol tcp + ip daddr 0.0.0.0/1 ip protocol udp + } + + chain FORWARD { + type filter hook forward priority filter; + limit rate 10/day counter + udp dport 42 counter + + # FIXME: can't dissect plain syslog + # meta iif "lo" log prefix "just doing a log" level alert flags tcp sequence,options + + # iif, not iifname, and wildcard + meta iif "lo" oifname "lo*" log group 1 prefix "should use NFLOG" queue-threshold 42 snaplen 123 + } +} diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 new file mode 100755 index 00000000..e276a953 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+set -e
+
+rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
+for cmd in iptables ip6tables; do
+ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
+ $XT_MULTI $cmd -t mangle -Z
+ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
+done
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
new file mode 100755
index 00000000..c49b7ccd
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
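Review bot: `grep -q -- "${rule/23 42/0 0}"` treats the expanded rule as a regular expression; the current string happens to contain no metacharacters, but the whole point of the test is the literal `-c 0 0` text, so `grep -qF -- "${rule/23 42/0 0}"` states that and survives future edits to `rule`. The rules added to mangle PREROUTING are not removed afterwards; whether the harness resets the ruleset between tests is not visible here, so a trailing `-D` or `-F` (or a comment saying the harness cleans up) would avoid leaking state into the next test.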
@@ -0,0 +1,139 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +log=$(mktemp) +trap "rm -f $log" EXIT +echo "logging into file $log" +rc=0 + +# Filter monitor output: +# - NEWGEN event is moot: +# - GENID/PID are arbitrary, +# - NAME always "xtables-nft-mul" +# - handle is arbitrary as well +logfilter() { # (logfile) + grep -v '^NEWGEN:' "$1" | sed -e 's/handle [0-9]\+/handle 0/' +} + +# Compare monitor output for given command against content of the global $EXP +monitorcheck() { # (cmd ...) + $XT_MULTI xtables-monitor -e >"$log"& + monpid=$! + sleep 0.5 + + $XT_MULTI "$@" || { + echo "Error: command failed: $@" + let "rc++" + kill $monpid + wait + return + } + sleep 0.5 + kill $monpid + wait + diffout=$(diff -u <(echo "$EXP") <(logfilter "$log")) || { + echo "Fail: unexpected result for command: '$@':" + grep -v '^\(---\|+++\|@@\)' <<< "$diffout" + let "rc++" + } +} + +EXP="\ + EVENT: nft: NEW table: table filter ip flags 0 use 1 handle 0 + EVENT: nft: NEW chain: ip filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1 + EVENT: iptables -t filter -A FORWARD -j ACCEPT" +monitorcheck iptables -A FORWARD -j ACCEPT + +EXP="\ + EVENT: nft: NEW table: table filter ip6 flags 0 use 1 handle 0 + EVENT: nft: NEW chain: ip6 filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1 + EVENT: ip6tables -t filter -A FORWARD -j ACCEPT" +monitorcheck ip6tables -A FORWARD -j ACCEPT + +EXP="\ + EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0 + EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1 + EVENT: ebtables -t filter -A FORWARD -j ACCEPT" +monitorcheck ebtables -A FORWARD -j ACCEPT + +EXP="\ + EVENT: nft: NEW table: table filter arp flags 0 use 1 handle 0 + EVENT: nft: NEW chain: arp filter INPUT use 1 type filter hook input prio 0 policy accept packets 0 bytes 0 
flags 1 + EVENT: arptables -t filter -A INPUT -j ACCEPT" +monitorcheck arptables -A INPUT -j ACCEPT + +EXP=" EVENT: iptables -t filter -N foo" +monitorcheck iptables -N foo + +EXP=" EVENT: ip6tables -t filter -N foo" +monitorcheck ip6tables -N foo + +EXP=" EVENT: ebtables -t filter -N foo" +monitorcheck ebtables -N foo + +EXP=" EVENT: arptables -t filter -N foo" +monitorcheck arptables -N foo + +# meta l4proto matches require proper nft_handle:family value +EXP=" EVENT: iptables -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT" +monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT + +EXP=" EVENT: ip6tables -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" +monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT + +EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT" +monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT + +EXP=" EVENT: arptables -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" +monitorcheck arptables -A INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT + +EXP=" EVENT: iptables -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT" +monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT + +EXP=" EVENT: ip6tables -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" +monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT + +EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT" +monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT + +EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" +monitorcheck arptables -D INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT + 
+EXP=" EVENT: iptables -t filter -X foo" +monitorcheck iptables -X foo + +EXP=" EVENT: ip6tables -t filter -X foo" +monitorcheck ip6tables -X foo + +EXP=" EVENT: ebtables -t filter -X foo" +monitorcheck ebtables -X foo + +EXP=" EVENT: arptables -t filter -X foo" +monitorcheck arptables -X foo + +EXP=" EVENT: iptables -t filter -D FORWARD -j ACCEPT" +monitorcheck iptables -F FORWARD + +EXP=" EVENT: ip6tables -t filter -D FORWARD -j ACCEPT" +monitorcheck ip6tables -F FORWARD + +EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT" +monitorcheck ebtables -F FORWARD + +EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT" +monitorcheck arptables -F INPUT + +EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1" +monitorcheck iptables -X FORWARD + +EXP=" EVENT: nft: DEL chain: ip6 filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1" +monitorcheck ip6tables -X FORWARD + +EXP=" EVENT: nft: DEL chain: bridge filter FORWARD use 0 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1" +monitorcheck ebtables -X FORWARD + +EXP=" EVENT: nft: DEL chain: arp filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1" +monitorcheck arptables -X INPUT + +exit $rc diff --git a/iptables/tests/shell/testcases/nft-only/0013-zero-non-existent_0 b/iptables/tests/shell/testcases/nft-only/0013-zero-non-existent_0 new file mode 100755 index 00000000..bbf1af76 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0013-zero-non-existent_0 
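Review bot: monitorcheck synchronises with the background `xtables-monitor` by two fixed `sleep 0.5` delays: if the monitor has not subscribed before `$XT_MULTI "$@"` runs, or has not flushed its output before `kill $monpid`, events are missing from `$log` and every subsequent `diff` reports a false failure, which will show up as flakiness on slow or instrumented hosts. Lifting the delay into a variable with an environment override, `delay=${XT_MONITOR_DELAY:-0.5}` (constructed name), at least lets such hosts tune it, and a comment on the first `sleep` should state the assumption. Also, on the command-failure path monitorcheck increments `rc` and returns without a `diff`, so the `EXP` for that step is never checked; that is fine but deserves a one-line comment.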
@@ -0,0 +1,17 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +nft --version >/dev/null 2>&1 || { echo "skip nft"; exit 0; } + +set -e + +nft flush ruleset +$XT_MULTI iptables -Z INPUT + +EXP="Zeroing chain \`INPUT'" +diff -u <(echo "$EXP") <($XT_MULTI iptables -v -Z INPUT) + +EXP="Zeroing chain \`INPUT' +Zeroing chain \`FORWARD' +Zeroing chain \`OUTPUT'" +diff -u <(echo "$EXP") <($XT_MULTI iptables -v -Z) |