Commit log (each entry: subject; author, date, files changed, lines removed/added; full commit message)
* ip[6]tables-translate: fix test failures when WESP is defined
  Jeremy Sowden, 2024-11-12, 1 file changed, -8/+8

  Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating Security Payload. This is listed in Debian's /etc/protocols, which leads to test failures:

    ./extensions/generic.txlate: Fail
    src: iptables-translate -A FORWARD -p 141
    exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
    res: nft 'add rule ip filter FORWARD ip protocol wesp counter'

    ./extensions/generic.txlate: Fail
    src: ip6tables-translate -A FORWARD -p 141
    exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
    res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'

    ./extensions/generic.txlate: Fail
    src: iptables-translate -A FORWARD ! -p 141
    exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
    res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'

    ./extensions/generic.txlate: Fail
    src: ip6tables-translate -A FORWARD ! -p 141
    exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
    res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'

  Replace it with 253, which IANA reserves for testing and experimentation.

  Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* configure: Bump version for 1.8.11 release (tag: v1.8.11)
  Phil Sutter, 2024-11-08, 1 file changed, -1/+1

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Hide xtables_strtoul_base() symbol
  Phil Sutter, 2024-11-07, 5 files changed, -3/+10

  There are no external users, so there is no need to promote it in xtables.h.

  Fixes: 1af6984c57cce ("libxtables: Introduce xtables_strtoul_base()")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Makefile.am: Revert to old serial test harness
  Phil Sutter, 2024-11-06, 1 file changed, -1/+1

  Running the different testsuites in parallel is dangerous since despite running in different netns, legacy iptables still synchronizes via the common XTABLES_LOCKFILE.

  Fixes: e1eaa04e31e44 ("Makefile.am: Integrate testsuites")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Fix for 'make distcheck'
  Phil Sutter, 2024-11-06, 1 file changed, -2/+4

  Similar problem as with the other suites: The build directory does not contain test cases, only build results.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Fix for 'make distcheck'
  Phil Sutter, 2024-11-06, 1 file changed, -3/+4

  This was a tricky one: Since called from VPATH topdir, extensions/ do not contain test files at all. The script consequently passed since 0 tests failed (of 0 in total).

  Fix this by introducing TESTS_PATH which is extensions/ below the directory of the running iptables-test.py. Keep EXTENSIONS_PATH as-is: The built extensions are indeed there and XTABLES_LIBDIR must point to them.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Print escape sequences with terminals only
  Phil Sutter, 2024-11-06, 1 file changed, -2/+2

  If stdout is not a terminal, don't print the '[EXECUTING]' status line which has to be cleared again.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: iptables/0010-wait_0 is unreliable
  Phil Sutter, 2024-11-06, 1 file changed, -1/+1

  Sometimes the test would fail, especially after removing /run/xtables.lock file. Looks like the supposedly blocking iptables-restore coproc sometimes takes a moment to set things up.

  Fixes: 63ab5b8906f69 ("iptables-legacy: Fix for mandatory lock waiting")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Extend fast mode docs a bit
  Phil Sutter, 2024-11-05, 1 file changed, -1/+8

  To make things less confusing for new readers, describe at least what the two significant functions do.

  Fixes: 0e80cfea3762b ("tests: iptables-test: Implement fast test mode")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Properly assert rule deletion errors
  Phil Sutter, 2024-11-05, 1 file changed, -1/+14

  Capture any non-zero return code; iptables does not necessarily return 1 on error.

  A known issue with trying to delete a rule by spec is the unsupported --set-counters option. Strip it before deleting the rule.

  Fixes: c8b7aaabbe1fc ("add iptables unit test infrastructure")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Test ebtables-restore deleting among matches
  Phil Sutter, 2024-11-05, 1 file changed, -0/+18

  Rules containing among match would spuriously fail to compare if there was a previous rule with larger among match payload.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Simplify ebt_add_{match,watcher}
  Phil Sutter, 2024-11-05, 1 file changed, -15/+5

  Now that extension options are parsed after these functions return, no modifications need to be carried over to the clone and undone in the original.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Clone extensions before modifying them
  Phil Sutter, 2024-11-05, 2 files changed, -10/+14

  Upon identifying an extension option, ebt_command_default() would have the extension parse the option prior to creating a copy for attaching to the iptables_command_state object. After copying, the (modified) initial extension's data was cleared.

  This somewhat awkward process breaks with among match which increases match_size if needed (but never reduces it). This change is not undone, hence leaks into following instances. This in turn is problematic with ebtables-restore only (as multiple rules are parsed) and specifically when deleting rules as the potentially over-sized match_size won't match the one parsed from the kernel.

  A workaround would be to make bramong_parse() realloc the match also if new size is smaller than the old one. This patch attempts a proper fix though, by making ebt_command_default() copy the extension first and parsing the option into the copy afterwards.

  No Fixes tag: Prior to commit 24bb57d3f52ac ("ebtables: Support for guided option parser"), ebtables relied upon the extension's parser return code instead of checking option_offset, so copying the extension opportunistically wasn't feasible.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Fix for 'make distcheck'
  Phil Sutter, 2024-11-05, 1 file changed, -0/+11

  The target performs a "VPATH build", so built binaries are not put into the same directory tree as the test script itself. For lack of a better way to detect this, assume $PWD in this situation remains being the build tree's TLD and check if binaries are present in there.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: extend coverage for ip6tables
  Pablo Neira Ayuso, 2024-11-05, 28 files changed, -89/+177

  Update iptables-test.py to run libxt_*.t both for iptables and ip6tables. For libxt_*.t tests, append the command name to status output line.

  This update requires changes in the existing tests.

  * Rename libxt_*.t into libipt_*.t and add libip6_*.t variant.
    - TEE
    - TPROXY
    - connlimit
    - conntrack
    - iprange
    - ipvs
    - policy
    - recent

  * Rename the following libxt_*.t to libipt_*.t since they are IPv4 specific:
    - standard
    - osf

  * Remove IPv4 specific test in libxt_mark.t

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Fix for duplicate supposed-to-fail errors
  Phil Sutter, 2024-11-05, 1 file changed, -10/+10

  Unexpected results for lines which are supposed to fail are reported twice: Once when fast mode runs them individually to clear the path before batch-handling all others, a second time when non-fast mode takes over after fast mode had failed and runs all tests individually again.

  Sort this nuisance by running these tests silently in fast mode, knowing that they will run again if failing anyway.

  Fixes: 0e80cfea3762b ("tests: iptables-test: Implement fast test mode")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: tests: shell: use bash, not sh
  Florian Westphal, 2024-10-30, 1 file changed, -1/+1

  dash can't run this script, so it will fail:

    ebtables/0010-change-counters_0: 43: Syntax error: "(" unexpected

  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: tests: add missing make +x
  Florian Westphal, 2024-10-29, 1 file changed, -0/+0

  Else, run-tests.sh doesn't execute it.

    --- /tmp/old
    +++ /tmp/new
    @I: [OK] ././testcases/ipt-save/0001load-dumps_0
     I: [OK] ././testcases/ipt-save/0002load-fedora27-firewalld_0
    +I: [OK] ././testcases/ipt-save/0003save-restore_0
     I: [OK] ././testcases/ipt-save/0005iptables_0

  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Test some commands involving rule numbers
  Phil Sutter, 2024-10-16, 2 files changed, -0/+197

  Skip on ip6tables and arptables as they share the relevant code with iptables.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for -Z with bogus rule number
  Phil Sutter, 2024-10-16, 1 file changed, -7/+2

  The command is supposed to fail if no rule at given index is found.

  While at it, drop the goto and label which are unused since commit 9b896224e0bfc ("xtables: rework rule cache logic").

  Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Fix for -S with rule number
  Phil Sutter, 2024-10-16, 1 file changed, -1/+1

  For NFT_COMPAT_RULE_SAVE, one has to store the rule number, not its index in nft_cmd object.

  Fixes: 58d364c7120b5 ("ebtables: Use do_parse() from xshared")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: iptables does not support '-b'
  Phil Sutter, 2024-10-16, 1 file changed, -1/+1

  This flag is merely known to iptables-restore but actively rejected there and it does not use IPT_OPTSTRING at all.

  Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* gitignore: Ignore generated arptables-translate.8
  Phil Sutter, 2024-10-16, 1 file changed, -0/+1

  It is a semantic link created by the build system.

  Fixes: 68ff869e94a1b ("Makefile: Install arptables-translate link and man page")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* man: ebtables-nft.8: Note that --concurrent is a NOP
  Phil Sutter, 2024-10-16, 1 file changed, -1/+2

  For obvious reasons, ebtables-nft does not need file-based locking to prevent concurrency.

  Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* man: xtables-legacy.8: Join two paragraphs
  Phil Sutter, 2024-10-16, 1 file changed, -1/+0

  The second one referring to xtables-monitor seems out of context without the first one, so join them.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Append stderr output to log file
  Phil Sutter, 2024-10-16, 1 file changed, -0/+6

  Right now this merely contains a number of intrapositioned negation warnings, but might be useful in future when debugging unexpected failures.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Adjust for recent changes in libnftnl
  Phil Sutter, 2024-10-01, 1 file changed, -1/+1

  libnftnl commit a96d5a338f24e ("rule: Don't append a newline when printing a rule") affected nft (and iptables-nft) debug output in that no extra newline is appended to rule bytecode output anymore. Tolerate this in the sole test case it breaks by ignoring changes to blank lines.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: TPROXY: Fix for translation being non-terminal
  Phil Sutter, 2024-09-15, 2 files changed, -7/+9

  nftables users have to explicitly add a verdict: xt_TPROXY's tproxy_tg4() returns NF_ACCEPT if a socket was found and assigned, NF_DROP otherwise.

  Fixes: a62fe15abcc99 ("extensions: xt_TPROXY: add txlate support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: Determine if musl is used for build
  Joshua Lant, 2024-08-29, 1 file changed, -1/+21

  Error compiling with musl-libc: The commit hash 810f8568f44f5863c2350a39f4f5c8d60f762958 introduces the netinet/ether.h header into xtables.h, which causes an error due to the redefinition of the ethhdr struct, defined in linux/if_ether.h and netinet/ether.h. This is fixed by the inclusion of -D__UAPI_DEF_ETHHDR=0 in CFLAGS for musl. Automatically check for this macro, since it is defined in musl but not in glibc.

  Signed-off-by: Joshua Lant joshualant@gmail.com
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: align xt_CONNMARK with current kernel headers
  Joshua Lant, 2024-08-23, 3 files changed, -14/+11

  libxt_CONNMARK.c declares an enum which is declared in the kernel header. Modify the version of the header in the repo's include dir to match the current kernel, and remove the enum declaration from xt_CONNMARK.c.

  Signed-off-by: Joshua Lant joshualant@gmail.com
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: ruleparse: Drop 'iter' variable in nft_rule_to_iptables_command_state
  Phil Sutter, 2024-08-14, 1 file changed, -7/+5

  Use the same named field in 'ctx' instead; it has to carry the value anyway.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Reduce overhead in nft_rule_find()
  Phil Sutter, 2024-08-14, 1 file changed, -12/+22

  When iterating through the list of rules in a chain comparing against a sample, there is no point in carrying that sample as nftnl_rule object and converting into iptables_command_state object prior to each comparison. Just do it up front and adjust the callback accordingly.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Introduce nft_bridge_init_cs()
  Phil Sutter, 2024-08-14, 2 files changed, -7/+8

  The custom init done by nft_rule_to_ebtables_command_state() (which is also the reason for its existence in the first place) should better go into an ebtables-specific init_cs callback. Properly calling it from do_commandeb() then removes the need for that custom rule_to_cs callback.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Zero freed pointers in ebt_cs_clean()
  Phil Sutter, 2024-08-14, 1 file changed, -0/+1

  Trying to recycle an iptables_command_state object by calling first clear_cs then init_cs callbacks causes invalid data accesses with ebtables otherwise.

  Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Omit all-wildcard interface specs from output
  Phil Sutter, 2024-07-31, 1 file changed, -1/+1

  Regular code path doesn't hit this because the conversion to libnftnl_rule takes care of it already. Future changes though will cause iptables_command_state objects to be printed directly, making this relevant.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* arptables: Introduce print_iface()
  Phil Sutter, 2024-07-31, 1 file changed, -36/+16

  Merge conditional interface printing code for input and output interface into a function.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Debug: Slightly improve extension ordering debugging
  Phil Sutter, 2024-07-31, 1 file changed, -5/+15

  Print the extension's real name (if present) and prefix the extension list by a position number for clarity.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Move NULL pointer check into save_iface()
  Phil Sutter, 2024-07-31, 1 file changed, -10/+4

  Simplify callers a bit; the function tests other conditions disqualifying any output already.

  While being at it, invert the conditional - it is more readable this way.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Make save_iface() static
  Phil Sutter, 2024-07-31, 2 files changed, -2/+1

  Since commit 22f2e1fca127b ("xshared: Share save_rule_details() with legacy"), there are no callers outside of xshared.c anymore.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: conntrack: Reuse print_state() for old state match
  Phil Sutter, 2024-07-31, 1 file changed, -30/+4

  The extra bits supported by print_state() won't be set by the parser, no functional change expected.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Do not omit all-wildcard interface spec when inverted
  Phil Sutter, 2024-07-31, 4 files changed, -1/+7

  The rule parses correctly, but the (never matching) part is lost on output.

  Looks like a day-1 bug, make it fix the change after which it applies cleanly.

  Fixes: b2197e7834f77 ("xshared: Entirely ignore interface masks when saving rules")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* arptables: Fix conditional opcode/proto-type printing
  Phil Sutter, 2024-07-31, 1 file changed, -2/+4

  The checks were wrong: nft_arp_init_cs() initializes masks to 65535, not 0. This went on unnoticed because nft_arp_add() does it right and init_cs callback was not used in e.g. nft_arp_print_rule(). The last patch adding init_cs() calls in potentially required spots exposed this though.

  Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Add potentially missing init_cs calls
  Phil Sutter, 2024-07-31, 2 files changed, -0/+14

  The callback is there for arptables only, so other family specific code does not need it. Not calling it from family-agnostic code is wrong though, as is ignoring it in arptables-specific code.

  Fixes: cfdda18044d81 ("nft-shared: Introduce init_cs family ops callback")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cmd: Init struct nft_cmd::head early
  Phil Sutter, 2024-07-27, 1 file changed, -0/+1

  Calling nft_cmd_free() in error case segfaults otherwise if the to be freed object is not part of a list yet.

  Exposed by commit eab75ed36a4f2 ("nft: Avoid memleak in error path of nft_cmd_new()"), but belongs to commit a7f1e208cdf9c (and may go well along with it).

  Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: conntrack: Use the right callbacks
  Phil Sutter, 2024-07-27, 1 file changed, -6/+6

  These version-agnostic conntrack match aliases emulating the 'state' extension introduced by commit 0d70163162589 ("libxt_state: replace as an alias to xt_conntrack") had incompatible print and save callbacks assigned. These callbacks expected struct xt_state_info in match->data which is incompatible to any of the actual xt_conntrack_mtinfo* structs used.

  Fixes: b28d4dcc9f555 ("iptables: state match incompatibilty across versions")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: recent: Fix format string for unsigned values
  Phil Sutter, 2024-07-27, 1 file changed, -4/+8

  Both fields 'seconds' and 'hit_count' are unsigned, use '%u' accordingly. While being at it, also fix coding-style in those lines.

  Basically a day-1 bug, have Fixes: point at a reasonably old commit.

  Fixes: af1660fe0e88c ("Move libipt_recent to libxt_recent")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for zeroing existent builtin chains
  Phil Sutter, 2024-07-27, 1 file changed, -1/+1

  Previous attempt at fixing for non-existent chains actually broke functionality by adding a check for NFTNL_CHAIN_HANDLE right after unsetting the attribute.

  The approach was flawed for another reason, too: Base chains added in the same batch (cf. iptables-restore) have no handle either but zeroing them may still be sensible.

  Instead, make use of the new fake chain annotation which identifies fakes more reliably.

  Fixes: f462975fb8049 ("nft: Fix for zeroing non-existent builtin chains")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Annotate faked base chains as such
  Phil Sutter, 2024-07-27, 5 files changed, -17/+28

  To avoid pointless kernel ruleset modifications without too many workarounds in user space, code sometimes adds "fake" base chains to cache. Yet these fake entries happen to prevent base chain creation for a following command which actually requires them.

  Fix this by annotating the fake entries as such so *_builtin_init() functions may convert them into real ones.

  Fixes: fd4b9bf08b9eb ("nft: Avoid pointless table/chain creation")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: recent: New kernels support 999 hits
  Phil Sutter, 2024-07-27, 1 file changed, -1/+1

  Since kernel commit f4ebd03496f6 ("netfilter: xt_recent: Lift restrictions on max hitcount value"), the max supported hitcount value has increased significantly. Adjust the test to use a value which fails on old as well as new kernels.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for zeroing non-existent builtin chains
  Phil Sutter, 2024-07-27, 2 files changed, -2/+37

  Trying to zero a specific rule in an entirely empty ruleset caused an error:

    | # nft flush ruleset
    | # iptables-nft -Z INPUT
    | iptables v1.8.10 (nf_tables): CHAIN_ZERO failed (No such file or directory): chain INPUT

  To fix this, start by faking any non-existing builtin chains so verbose mode prints all the would-be-flushed chains. Later set 'skip' flag if given chain is a fake one (indicated by missing HANDLE attribute). Finally cover for concurrent ruleset updates by checking whether the chain exists.

  This bug seems to exist for a long time already, Fixes tag identified via git-bisect. This patch won't apply to such old trees though, but calling nft_xt_builtin_init() from nft_chain_zero_counters() should work there.

  Fixes: a6ce0c65d3a39 ("xtables: Optimize nft_chain_zero_counters()")
  Signed-off-by: Phil Sutter <phil@nwl.cc>