Commit message | Author | Age | Files | Lines
* src: fix discards 'const' qualifier | Rudi Heitbaum | 2 days | 3 | -4/+6

  argv is passed by parse_change_counters_rule and do_parse to parse_rule_range as a const char. parse_rule_range modifies the passed in argv, so pass as non const so that it can be modified without warning.

  Fixes:
  iptables/xshared.c: In function 'parse_rule_range':
  iptables/xshared.c:912:23: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
    912 |         char *colon = strchr(argv, ':'), *buffer;
        |                       ^~~~~~

  p is used as the return from strchr(sctp_chunk_names[i].valid_flags) which is a const char. Declare p as a const char * pointer for use addressing the warning.

  Fixes:
  extensions/libxt_sctp.c: In function 'parse_sctp_chunk':
  extensions/libxt_sctp.c:211:40: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
    211 |                         if ((p = strchr(sctp_chunk_names[i].valid_flags,
        |                                        ^

  next is used as the return from strchr(loop) which is a const char. Declare next as a const char * pointer for use addressing the warning.

  Fixes:
  libxtables/xtables.c: In function 'xtables_ipparse_multiple':
  libxtables/xtables.c:1767:22: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
   1767 |                 next = strchr(loop, ',');
        |                      ^
  libxtables/xtables.c: In function 'xtables_ip6parse_multiple':
  libxtables/xtables.c:2066:22: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
   2066 |                 next = strchr(loop, ',');
        |                      ^

  Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: Bump version for 1.8.12 release [v1.8.12] | Pablo Neira Ayuso | 6 days | 1 | -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: fix null dereference parsing bitwise operations | Remy D. Farley | 12 days | 2 | -1/+14

  Iptables binary only understands NFT_BITWISE_MASK_XOR bitwise operation and assumes its attributes are always present without actually checking, which leads to a segfault in some cases. This commit introduces this missing check.

  | /**
  |  * enum nft_bitwise_ops - nf_tables bitwise operations
  |  *
  |  * @NFT_BITWISE_MASK_XOR: mask-and-xor operation used to implement NOT, AND, OR
  |  *                        and XOR boolean operations
  |  * @NFT_BITWISE_LSHIFT: left-shift operation   \
  |  * @NFT_BITWISE_RSHIFT: right-shift operation  |
  |  * @NFT_BITWISE_AND: and operation             | These all are affected
  |  * @NFT_BITWISE_OR: or operation               |
  |  * @NFT_BITWISE_XOR: xor operation             /
  |  */

  From iptables/nft-ruleparse.c:

  | static void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
  | {
  |         [...]
  |
  |         data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_XOR, &len); // <-- this attribute may not be present
  |
  |         if (len > sizeof(dreg->bitwise.xor)) {
  |                 ctx->errmsg = "bitwise xor too large";
  |                 return;
  |         }
  |
  |         memcpy(dreg->bitwise.xor, data, len); // <-- zero dereference happens here
  |
  |         data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_MASK, &len);
  |
  |         if (len > sizeof(dreg->bitwise.mask)) {
  |                 ctx->errmsg = "bitwise mask too large";
  |                 return;
  |         }
  |
  |         memcpy(dreg->bitwise.mask, data, len);
  |
  |         dreg->bitwise.set = true;
  |
  | }

  The bug can be reproduced by creating a rule like this:

  | # newrule.json
  | {"chain": "example-chain",
  |  "expressions": {"elem": [{"data": {"base": 1,
  |                                     "dreg": 1,
  |                                     "len": 4,
  |                                     "offset": 12},
  |                            "name": "payload"},
  |                           {"data": {"data": {"value": [255, 255, 255, 0]},
  |                                     "dreg": 1,
  |                                     "len": 4,
  |                                     "op": 3,
  |                                     "sreg": 1},
  |                            "name": "bitwise"},
  |                           {"data": {"data": {"value": [1, 2, 3, 0]},
  |                                     "op": 0,
  |                                     "sreg": 1},
  |                            "name": "cmp"},
  |                           {"data": {"data": {"verdict": {"code": 1}},
  |                                     "dreg": 0},
  |                            "name": "immediate"}]},
  |  "nfgen-family": 2,
  |  "table": "filter"}

  | # newrule.sh
  | set -euo pipefail
  |
  | iptables -N example-chain || true
  |
  | genid="$(
  |   ./tools/net/ynl/pyynl/cli.py --spec Documentation/netlink/specs/nftables.yaml \
  |     --do getgen --json "{}" --output-json |
  |   jq -r ".id"
  | )"
  |
  | ./tools/net/ynl/pyynl/cli.py --spec Documentation/netlink/specs/nftables.yaml \
  |   --multi batch-begin "{\"genid\": $genid, \"res-id\": 10}" \
  |   --creat --append --multi newrule "$(cat ./newrule.json)" \
  |   --creat --multi batch-end '{}' \
  |   --output-json

  Signed-off-by: Remy D. Farley <one-d-wide@protonmail.com>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: refuse to run under file capabilities | Alan Ross | 12 days | 1 | -2/+3

  Extend the existing setuid guard in xtables_init() to also detect file capabilities via getauxval(AT_SECURE).

  Some container runtimes and minimal distributions grant cap_net_admin via file capabilities (setcap cap_net_admin+ep /usr/sbin/iptables) rather than running through sudo. In that configuration the kernel sets AT_SECURE and the dynamic linker strips LD_PRELOAD, but getuid() == geteuid() so the existing setuid check passes. Attacker-controlled env vars (XTABLES_LIBDIR, IPTABLES_LIB_DIR, IP6TABLES_LIB_DIR) still reach dlopen(), allowing arbitrary code execution as the capability-elevated user.

  getauxval(AT_SECURE) is nonzero whenever the kernel has set AT_SECURE in the auxiliary vector -- this covers both classic setuid/setgid and file capabilities.

  Exit with status 111, matching the existing setuid behavior.

  Signed-off-by: Alan Ross <alan@sleuthco.ai>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: revert compat expressions in userdata | Florian Westphal | 12 days | 19 | -471/+26

  This reverts the following commits:

  758cfe51968a ("configure: Auto-detect libz unless explicitly requested")
  fdb541cddad0 ("tests: iptables-test: Add nft-compat variant")
  7746fa0b1619 ("nft: Embed compat extensions in rule userdata")
  ff5f6a208efc ("nft-ruleparse: Fallback to compat expressions in userdata")
  f6f0f4f55794 ("nft: Introduce UDATA_TYPE_COMPAT_EXT")

  The main intended user for '--compat' will likely go away. It is also unlikely the 'iptables-only-emits-native-nft' will ever come to pass.

  If there is ever a demand of iptables-to-native-nft that can list rules even if decompilation step fails then we can always resurrect this again if need be.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: Auto-detect libz unless explicitly requested | Phil Sutter | 2026-01-30 | 2 | -7/+8

  If user did not pass --with-zlib and it is not available, simply turn off rule compat expression compression. It is not strictly necessary and users may not care.

  While at it, drop the conditional AC_DEFINE() call: In fact, AC_CHECK_LIB() does that already.

  Fixes: ff5f6a208efcc ("nft-ruleparse: Fallback to compat expressions in userdata")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Review nft-only/0009-needless-bitwise_0 | Phil Sutter | 2026-01-30 | 1 | -94/+101

  - Avoid calling host's nft binary, use double-verbose mode with *tables tools instead
  - Update expected payloads to match new byteorder-aware libnftnl output
  - Drop '-x' flag from shell

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ruleparse: arp: Fix for all-zero mask on Big Endian | Phil Sutter | 2026-01-30 | 1 | -4/+8

  With 16bit mask values, the first two bytes of bitwise.mask in struct nft_xt_ctx_reg are significant. Reading the first 32bit-sized field works only on Little Endian, on Big Endian the mask appears in the upper two bytes which are discarded when assigning to a 16bit variable.

  Fixes: ab2d5f8c7bbee ("nft-arp: add missing mask support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Store all requested target types | Phil Sutter | 2026-01-27 | 1 | -4/+0

  Repeat the change in commit 1a696c99d278c ("libxtables: store all requested match types") for target registration. An obvious use-case affected as described in that commit is an 'nft list ruleset' process translating different families' extensions in one go. If the same extension is used in multiple families, only the first one is being found.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Support replacing a rule added in the same batch | Phil Sutter | 2025-11-27 | 2 | -4/+79

  As reported in nfbz#1820, trying to add a rule and replacing it in the same batch would crash iptables due to a stale rule pointer left in an obj_update. Doing this is perfectly fine in legacy iptables, so implement the missing feature instead of merely preventing the crash.

  Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1820
  Fixes: b199aca80da57 ("nft: Fix leak when replacing a rule")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* man: iptables-restore.8: document flush behaviour for user-defined chains | Florian Westphal | 2025-08-25 | 1 | -0/+14

  There is no way we can change this after two decades. Add an example and document that declaring a user defined chain will flush its contents in --noflush mode.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1242
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: man: Add a note about route_localnet sysctl | Łukasz Stelmach | 2025-08-21 | 1 | -0/+4

  See ip_route_input_slow() in net/ipv4/route.c in the Linux kernel sources.

  Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-monitor: Print -X command for base chains, too | Phil Sutter | 2025-07-22 | 2 | -5/+7

  Since commit 61e85e3192dea ("iptables-nft: allow removal of empty builtin chains"), the command may be applied to "builtin" chains as well, so the output is basically valid.

  Apart from that, since kernel commit a1050dd07168 ("netfilter: nf_tables: Reintroduce shortened deletion notifications") the base chain deletion notification does not contain NFTNL_CHAIN_PRIO (actually: NFTA_HOOK_PRIORITY) attribute anymore so this implicitly fixes for changed kernel behaviour.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Revert "libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter" | Phil Sutter | 2025-07-22 | 1 | -11/+7

  This reverts commit 786b75f7c9b9feaa294da097c2e9727747162c79.

  The internal routine xtopt_esize_by_type() is *not* just a fancy wrapper around direct xtop_psize array access, as clearly indicated by the comment right above it: It will return the single field size for range-value types (XTTYPE_UINT*RC). Using it in xtables_option_metavalidate() leads to spurious "memory block of wrong size" complaints.

  Fixes: 786b75f7c9b9f ("libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter | Phil Sutter | 2025-07-22 | 1 | -7/+11

  Apart from supporting range-types, this getter is convenient to sanitize array out of bounds access. Use it in xtables_option_metavalidate() to simplify the code a bit.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Reviewed-by: Florian Westphal <fw@strlen.de>
* extensions: libebt_redirect: prevent translation | Miao Wang | 2025-07-17 | 2 | -26/+1

  The redirect target in ebtables does two things:

  1. set skb->pkt_type to PACKET_HOST, and
  2. set the destination mac address to the address of the receiving bridge device (when not used in BROUTING chain), or the receiving physical device (otherwise).

  However, the latter cannot be implemented in nftables not given the translated mac address. So it is not appropriate to give a specious translation. This patch disables the translation to prevent possible misunderstanding.

  Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
  Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Translate bare '-m sctp' match | Phil Sutter | 2025-07-04 | 2 | -2/+10

  Just like with TCP and UDP protocol matches, emit a simple 'meta l4proto' match if no specific header detail is to be matched.

  Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m sctp' is not and the translation is deferred to the extension in that case. Keep things stu^Wsimple and translate unconditionally.

  Reviewed-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Accept an option if any given command allows it | Phil Sutter | 2025-04-23 | 1 | -1/+1

  Fixed commit made option checking overly strict: Some commands may be combined (foremost --list and --zero), reject a given option only if it is not allowed by any of the given commands.

  Reported-by: Adam Nielsen <a.nielsen@shikadi.net>
  Fixes: 9c09d28102bb4 ("xshared: Simplify generic_opt_check()")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: icmp: Support info-request/-reply type names | Phil Sutter | 2025-04-23 | 2 | -0/+9

  The intended side-effect here is that iptables-translate will accept them too. In nftables, the names are supported since basically day 1.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Add nft-compat variant | Phil Sutter | 2025-04-10 | 1 | -2/+12

  Test iptables-nft with forced compat extension restore as third modus operandi.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Embed compat extensions in rule userdata | Phil Sutter | 2025-04-10 | 16 | -17/+240

  If enabled (via --compat flag or XTABLES_COMPAT env variable), attach any extensions for which native nftables expressions are generated to userdata. An earlier version of the tool trying to parse the kernel-dumped ruleset may then fall back to these extensions if native expression parsing fails.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Pass nft_handle into add_{action,match}() | Phil Sutter | 2025-04-10 | 6 | -13/+17

  Creation of compat extensions in rule userdata will depend on a flag in nft_handle.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-ruleparse: Fallback to compat expressions in userdata | Phil Sutter | 2025-04-10 | 5 | -0/+204

  If parsing of a rule fails (e.g. due to an unknown native expression), check if userdata contains a UDATA_TYPE_COMPAT_EXT attribute and retry parsing the rule preferring the contained extensions instead of native expressions.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Introduce UDATA_TYPE_COMPAT_EXT | Phil Sutter | 2025-04-10 | 2 | -8/+15

  This new rule udata attribute will contain extensions which have been converted to native nftables expressions for rule parsers to fall back to.

  While at it, export parse_udata_cb() as rule parsing code will call it in future.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: __add_{match,target}() can't fail | Phil Sutter | 2025-04-10 | 2 | -18/+12

  These functions either call xtables_error() which terminates the process or succeed - make them return void.

  While at it, export them as rule parsing code will call them in future. Also make input parameter const, they're not supposed to alter extension data.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: ruleparse: Introduce nft_parse_rule_expr() | Phil Sutter | 2025-04-10 | 2 | -33/+44

  Extract the parsing of one expression into a separate function and export it, preparing for following code changes.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Make add_log() static | Phil Sutter | 2025-04-10 | 2 | -2/+3

  It is not used outside of nft.c, though in the wrong position so keep the declaration but right above its caller.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* configure: Avoid addition assignment operators | Achill Gilgenast | 2025-01-28 | 1 | -3/+3

  For compatibility with other /bin/sh like busybox ash, since they don't support the addition assignment operators (+=) and otherwise fail with:

  ./configure: line 14174: regular_CFLAGS+= -D__UAPI_DEF_ETHHDR=0: not found

  Signed-off-by: Achill Gilgenast <fossdd@pwned.life>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: Drop interface mask leftovers from post_parse callbacks | Phil Sutter | 2024-11-19 | 3 | -9/+0

  Fixed commit only adjusted the IPv4-specific callback for unclear reasons.

  Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Reviewed-by: Jeremy Sowden <jeremy@azazel.net>
* nft: fix interface comparisons in `-C` commands | Jeremy Sowden | 2024-11-19 | 6 | -49/+22

  Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel") removed code which explicitly set interface masks to all ones. The result of this is that they are zero. However, they are used to mask interfaces in `is_same_interfaces`. Consequently, the masked values are always zero, the comparisons are always true, and check commands which ought to fail succeed:

    # iptables -N test
    # iptables -A test -i lo \! -o lo -j REJECT
    # iptables -v -L test
    Chain test (0 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  lo     !lo     anywhere             anywhere             reject-with icmp-port-unreachable
    # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
    REJECT  all opt -- in lo out !lo  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable

  Remove the mask parameters from `is_same_interfaces`.

  Add a test-case.

  Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ip[6]tables-translate: fix test failures when WESP is defined | Jeremy Sowden | 2024-11-12 | 1 | -8/+8

  Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating Security Payload. This is listed in Debian's /etc/protocols, which leads to test failures:

    ./extensions/generic.txlate: Fail
    src: iptables-translate -A FORWARD -p 141
    exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
    res: nft 'add rule ip filter FORWARD ip protocol wesp counter'

    ./extensions/generic.txlate: Fail
    src: ip6tables-translate -A FORWARD -p 141
    exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
    res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'

    ./extensions/generic.txlate: Fail
    src: iptables-translate -A FORWARD ! -p 141
    exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
    res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'

    ./extensions/generic.txlate: Fail
    src: ip6tables-translate -A FORWARD ! -p 141
    exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
    res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'

  Replace it with 253, which IANA reserves for testing and experimentation.

  Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* configure: Bump version for 1.8.11 release [v1.8.11] | Phil Sutter | 2024-11-08 | 1 | -1/+1

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Hide xtables_strtoul_base() symbol | Phil Sutter | 2024-11-07 | 5 | -3/+10

  There are no external users, no need to promote it in xtables.h.

  Fixes: 1af6984c57cce ("libxtables: Introduce xtables_strtoul_base()")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Makefile.am: Revert to old serial test harness | Phil Sutter | 2024-11-06 | 1 | -1/+1

  Running the different testsuites in parallel is dangerous since despite running in different netns, legacy iptables still synchronizes via the common XTABLES_LOCKFILE.

  Fixes: e1eaa04e31e44 ("Makefile.am: Integrate testsuites")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Fix for 'make distcheck' | Phil Sutter | 2024-11-06 | 1 | -2/+4

  Similar problem as with the other suites: The build directory does not contain test cases, only build results.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Fix for 'make distcheck' | Phil Sutter | 2024-11-06 | 1 | -3/+4

  This was a tricky one: Since called from VPATH topdir, extensions/ do not contain test files at all. The script consequently passed since 0 tests failed (of 0 in total).

  Fix this by introducing TESTS_PATH which is extensions/ below the directory of the running iptables-test.py. Keep EXTENSIONS_PATH as-is: The built extensions are indeed there and XTABLES_LIBDIR must point to them.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Print escape sequences with terminals only | Phil Sutter | 2024-11-06 | 1 | -2/+2

  If stdout is not a terminal, don't print the '[EXECUTING]' status line which has to be cleared again.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: iptables/0010-wait_0 is unreliable | Phil Sutter | 2024-11-06 | 1 | -1/+1

  Sometimes the test would fail, especially after removing /run/xtables.lock file. Looks like the supposedly blocking iptables-restore coproc sometimes takes a moment to set things up.

  Fixes: 63ab5b8906f69 ("iptables-legacy: Fix for mandatory lock waiting")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Extend fast mode docs a bit | Phil Sutter | 2024-11-05 | 1 | -1/+8

  To make things less confusing for new readers, describe at least what the two significant functions do.

  Fixes: 0e80cfea3762b ("tests: iptables-test: Implement fast test mode")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Properly assert rule deletion errors | Phil Sutter | 2024-11-05 | 1 | -1/+14

  Capture any non-zero return code, iptables does not necessarily return 1 on error.

  A known issue with trying to delete a rule by spec is the unsupported --set-counters option. Strip it before deleting the rule.

  Fixes: c8b7aaabbe1fc ("add iptables unit test infrastructure")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Test ebtables-restore deleting among matches | Phil Sutter | 2024-11-05 | 1 | -0/+18

  Rules containing among match would spuriously fail to compare if there was a previous rule with larger among match payload.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Simplify ebt_add_{match,watcher} | Phil Sutter | 2024-11-05 | 1 | -15/+5

  Now that extension options are parsed after these functions return, no modifications need to be carried over to the clone and undone in the original.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Clone extensions before modifying them | Phil Sutter | 2024-11-05 | 2 | -10/+14

  Upon identifying an extension option, ebt_command_default() would have the extension parse the option prior to creating a copy for attaching to the iptables_command_state object. After copying, the (modified) initial extension's data was cleared.

  This somewhat awkward process breaks with among match which increases match_size if needed (but never reduces it). This change is not undone, hence leaks into following instances. This in turn is problematic with ebtables-restore only (as multiple rules are parsed) and specifically when deleting rules as the potentially over-sized match_size won't match the one parsed from the kernel.

  A workaround would be to make bramong_parse() realloc the match also if new size is smaller than the old one. This patch attempts a proper fix though, by making ebt_command_default() copy the extension first and parsing the option into the copy afterwards.

  No Fixes tag: Prior to commit 24bb57d3f52ac ("ebtables: Support for guided option parser"), ebtables relied upon the extension's parser return code instead of checking option_offset, so copying the extension opportunistically wasn't feasible.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Fix for 'make distcheck' | Phil Sutter | 2024-11-05 | 1 | -0/+11

  The target performs a "VPATH build", so built binaries are not put into the same directory tree as the test script itself. For lack of a better way to detect this, assume $PWD in this situation remains the build tree's TLD and check if binaries are present in there.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: extend coverage for ip6tables | Pablo Neira Ayuso | 2024-11-05 | 28 | -89/+177

  Update iptables-test.py to run libxt_*.t both for iptables and ip6tables.

  For libxt_*.t tests, append the command name to status output line.

  This update requires changes in the existing tests.

  * Rename libxt_*.t into libipt_*.t and add libip6_*.t variant.
    - TEE
    - TPROXY
    - connlimit
    - conntrack
    - iprange
    - ipvs
    - policy
    - recent

  * Rename the following libxt_*.t to libipt_*.t since they are IPv4 specific:
    - standard
    - osf

  * Remove IPv4 specific test in libxt_mark.t

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Fix for duplicate supposed-to-fail errors | Phil Sutter | 2024-11-05 | 1 | -10/+10

  Unexpected results for lines which are supposed to fail are reported twice: Once when fast mode runs them individually to clear the path before batch-handling all others, a second time when non-fast mode takes over after fast mode had failed and runs all tests individually again.

  Sort this nuisance by running these tests silently in fast mode, knowing that they will run again if failing anyway.

  Fixes: 0e80cfea3762b ("tests: iptables-test: Implement fast test mode")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: tests: shell: use bash, not sh | Florian Westphal | 2024-10-30 | 1 | -1/+1

  dash can't run this script, so it will fail:

    ebtables/0010-change-counters_0: 43: Syntax error: "(" unexpected

  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: tests: add missing make +x | Florian Westphal | 2024-10-29 | 1 | -0/+0

  Else, run-tests.sh doesn't execute it.

    --- /tmp/old
    +++ /tmp/new
    @I: [OK] ././testcases/ipt-save/0001load-dumps_0
     I: [OK] ././testcases/ipt-save/0002load-fedora27-firewalld_0
    +I: [OK] ././testcases/ipt-save/0003save-restore_0
     I: [OK] ././testcases/ipt-save/0005iptables_0

  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Test some commands involving rule numbers | Phil Sutter | 2024-10-16 | 2 | -0/+197

  Skip on ip6tables and arptables as they share the relevant code with iptables.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for -Z with bogus rule number | Phil Sutter | 2024-10-16 | 1 | -7/+2

  The command is supposed to fail if no rule at given index is found.

  While at it, drop the goto and label which are unused since commit 9b896224e0bfc ("xtables: rework rule cache logic").

  Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule")
  Signed-off-by: Phil Sutter <phil@nwl.cc>