summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* iptables-nft: fix -Z optionHEADmasterFlorian Westphal8 days2-1/+65
| | | | | | | | | it zeroes the rule counters, so it needs fully populated cache. Add a test case to cover this. Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* include: Drop libipulog.hPhil Sutter2021-02-171-39/+0
| | | | | | | | The file is not included anywhere, also it seems outdated compared to the one in libnetfilter_log (which also holds the implementation). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Exit gracefully on invalid table namesPhil Sutter2021-01-281-4/+4
| | | | | | | | | | | | | | | | | | | | | | Users are able to cause program abort by passing a table name that doesn't exist: | # ebtables-nft -t dummy -P INPUT ACCEPT | ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed. | Aborted Avoid this by checking table existence just like iptables-nft does upon parsing '-t' optarg. Since the list of tables is known and fixed, checking the given name's length is pointless. So just drop that check in return. With this patch in place, output looks much better: | # ebtables-nft -t dummy -P INPUT ACCEPT | ebtables v1.8.7 (nf_tables): table 'dummy' does not exist | Perhaps iptables or your kernel needs to be upgraded. Signed-off-by: Phil Sutter <phil@nwl.cc>
* configure: bump version for 1.8.7 releasev1.8.7Pablo Neira Ayuso2021-01-151-3/+3
| | | | | | | | | | Update libtool version for libxtables since two new interfaces have been added: - xtables_parse_mac_and_mask() - xtables_print_well_known_mac_and_mask() Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Fix nft-only/0009-needless-bitwise_0Phil Sutter2021-01-151-1/+8
| | | | | | | | | For whatever reason, stored expected output contains false handles. To overcome this, filter the rule data lines from both expected and stored output before comparing. Fixes: 81a2e12851283 ("tests/shell: Add test for bitwise avoidance fixes") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Avoid pointless table/chain creationPhil Sutter2020-12-213-18/+82
| | | | | | | | | | | | | | | | | Accept a chain name in nft_xt_builtin_init() to limit the base chain creation to that specific chain only. Introduce nft_xt_builtin_table_init() to create just the table for situations where no builtin chains are needed but the command may still succeed in an empty ruleset, particularly when creating a custom chain, restoring base chains or adding a set for ebtables among match. Introduce nft_xt_fake_builtin_chains(), a function to call after cache has been populated to fill empty base chain slots. This keeps ruleset listing output intact if some base chains do not exist (or even the whole ruleset is completely empty). Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Drop any dump sorting in placePhil Sutter2020-12-213-18/+5
| | | | | | | With iptables-nft-save output now sorted just like legacy one, no sorting to unify them is needed anymore. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Sort custom chains by namePhil Sutter2020-12-212-3/+14
| | | | | | | | | | | | | | With base chains no longer residing in the tables' chain lists, they can easily be sorted upon insertion. This on one hand aligns custom chain ordering with legacy iptables and on the other makes it predictable, which is very helpful when manually comparing ruleset dumps for instance. Adjust the one ebtables-nft test case this change breaks (as wrong ordering is expected in there). The manual output sorting done for tests which apply to legacy as well as nft is removed in a separate patch. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Introduce a dedicated base chain arrayPhil Sutter2020-12-213-2/+45
| | | | | | | | | Preparing for sorted chain output, introduce a per-table array holding base chains indexed by nf_inet_hooks value. Since the latter is ordered correctly, iterating over the array will return base chains in expected order. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Introduce struct nft_chainPhil Sutter2020-12-217-66/+212
| | | | | | | | | Preparing for ordered output of user-defined chains, introduce a local datatype wrapping nftnl_chain. In order to maintain the chain name hash table, introduce nft_chain_list as well and use it instead of nftnl_chain_list. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Move nft_chain_find() overPhil Sutter2020-12-213-17/+17
| | | | | | It is basically just a cache lookup, hence fits better in here. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Implement nft_chain_foreach()Phil Sutter2020-12-215-96/+46
| | | | | | | | | | | | | | This is just a fancy wrapper around nftnl_chain_list_foreach() with the added benefit of detecting invalid table names or uninitialized chain lists. This in turn allows to drop the checks in flush_rule_cache() and ignore the return code of nft_chain_foreach() as it fails only if the dropped checks had failed, too. Since this wrapper does the chain list lookup by itself, use of nft_chain_list_get() shrinks down to a single place, namely inside nft_chain_find(). Therefore fold it into the latter. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Introduce nft_cache_add_chain()Phil Sutter2020-12-213-12/+19
| | | | | | | This is a convenience function for adding a chain to cache, for now just a simple wrapper around nftnl_chain_list_add_tail(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix selective chain compatibility checksPhil Sutter2020-12-211-0/+6
| | | | | | | | | | | | | | Since commit 80251bc2a56ed ("nft: remove cache build calls"), 'chain' parameter passed to nft_chain_list_get() is no longer effective. Before, it was used to fetch only that single chain from kernel when populating the cache. So the returned list of chains for which compatibility checks are done would contain only that single chain. Re-establish the single chain compat checking by introducing a dedicated code path to nft_is_chain_compatible() doing so. Fixes: 80251bc2a56ed ("nft: remove cache build calls") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-monitor:Florian Westphal2020-12-141-0/+3
| | | | | | 'LL=0x304' is not very convenient, print LOOPBACK instead. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-monitor: print packet firstFlorian Westphal2020-12-141-11/+23
| | | | | | | | | | | The trace mode should first print the packet that was received and then the rule/verdict. Furthermore, the monitor did sometimes print an extra newline. After this patch, output is more consistent with nft monitor. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-monitor: fix packet family protocolFlorian Westphal2020-12-141-2/+2
| | | | | | | This prints the family passed on the command line (which might be 0). Print the table family instead. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-monitor: fix rule printingFlorian Westphal2020-12-141-17/+15
| | | | | | | | | | | trace_print_rule does a rule dump. This prints unrelated rules in the same chain. Instead the function should only request the specific handle. Furthermore, flush output buffer afterwards so this plays nice when output isn't a terminal. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: dccp: Fix for DCCP type 'INVALID'Phil Sutter2020-12-092-25/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | Support for matching on invalid DCCP type field values was pretty broken: While RFC4340 declares any type value from 10 to 15 invalid, the extension's type name 'INVALID' mapped to type value 10 only. Fix this by introduction of INVALID_OTHER_TYPE_MASK which has the remaining invalid type's bits set and apply it if bit 10 is set after parsing the type list. When printing, stop searching type names after printing 'INVALID' - unless numeric output was requested. The latter prints all actual type values. Since parsing types in numeric form is not supported, changing the output should not break existing scripts. When translating into nftables syntax, the code returned prematurely if 'INVALID' was among the list of types - thereby emitting invalid syntax. Instead print a real match for invalid types by use of a range expression. While being at it, fix syntax of translator output: If only '--dccp-types' was translated, the output contained an extra 'dccp'. On the other hand, if '--sport' and '--dport' was present, a required 'dccp' between the translations of both was missing. Fixes: e40b11d7ef827 ("add support for new 'dccp' protocol match") Fixes: c94a998724143 ("extensions: libxt_dccp: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/shell: Test for fixed extension registrationPhil Sutter2020-12-071-0/+25
| | | | | | | | | | Use strace to look at iptables-restore behaviour with typically problematic input (conntrack revision 0 is no longer supported by current kernels) to make sure the fix in commit a1eaaceb0460b ("libxtables: Simplify pending extension registration") is still effective. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Merge some command option-related codePhil Sutter2020-12-036-258/+89
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add OPT_FRAGMENT define into the enum of other OPT_* defines at the right position and adjust the arptables-specific ones that follow accordingly. Appropriately adjust inverse_for_options array in xtables-arp.c. Extend optflags from iptables.c by the arptables values for the sake of completeness, then move it to xshared.h along with NUMBER_OF_OPT definition. As a side-effect, this fixes for wrong ordering of entries in arptables' 'optflags' copy. Add arptables-specific bits to commands_v_options table (the speicific options are matches on ARP header fields, just treat them like '-s' option. This is also just a cosmetic change, arptables doesn't have a generic_opt_check() implementation and hence doesn't use such a table. With things potentially ready for common use, move commands_v_options table along with generic_opt_check() and opt2char() into xshared.c and drop the local (identical) implementations from iptables.c, ip6tables.c xtables.c and xtables-arp.c. While doing so, fix ordering of entries in that table: the row for CMD_ZERO_NUM was in the wrong position. Since all moved rows though are identical, this had no effect in practice. Fixes: d960a991350ca ("xtables-arp: Integrate OPT_* defines into xshared.h") Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-arp: Don't use ARPT_INV_*Phil Sutter2020-12-033-68/+53
| | | | | | | | | | | | | | Arptables invflags are partly identical to IPT_INV_* ones but the bits are differently assigned. Eliminate this incompatibility by definition of the unique invflags in nft-arp.h on bits that don't collide with IPT_INV_* ones, then use those in combination with IPT_INV_* ones in arptables-specific code. Note that ARPT_INV_ARPPRO is replaced by IPT_INV_PROTO although these are in fact different options - yet since '-p' option is not supported by arptables, this does not lead to a collision. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Extend MAC address printing/parsing supportPhil Sutter2020-12-0311-266/+106
| | | | | | | | | | | | | | | Adding a parser which supports common names for special MAC/mask combinations and a print routine detecting those special addresses and printing the respective name allows to consolidate all the various duplicated implementations. The side-effects of this change are manageable: * arptables now accepts "BGA" as alias for the bridge group address * "mac" match now prints MAC addresses in lower-case which is consistent with the remaining code at least Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-test.py: Try to unshare netns by defaultPhil Sutter2020-11-171-0/+7
| | | | | | | | If user did not explicitly requst to "test netnamespace path", try an import of 'unshare' module and call unshare() to avoid killing the local host's network by accident. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-test.py: Accept multiple test files on commandlinePhil Sutter2020-11-171-2/+2
| | | | | | | | This allows to call the script like so: | # ./iptables-test.py -n extensions/libebt_*.t Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Fix for broken chain renamingPhil Sutter2020-11-173-3/+5
| | | | | | | | | | Loading extensions pollutes 'errno' value, hence before using it to indicate failure it should be sanitized. This was done by the called function before the parsing/netlink split and not migrated by accident. Move it into calling code to clarify the connection. Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: update format of registers in bitwise payloads.Pablo Neira Ayuso2020-11-161-5/+5
| | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Add test for bitwise avoidance fixesPhil Sutter2020-11-101-0/+339
| | | | | | | | | Masked address matching was recently improved to avoid bitwise expression if the given mask covers full bytes. Make use of nft netlink debug output to assert iptables-nft generates the right bytecode for each situation. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Optimize masked MAC address matchesPhil Sutter2020-11-046-24/+30
| | | | | | | | | | Just like with class-based prefix matches in iptables-nft, optimize masked MAC address matches if the mask is on a byte-boundary. To reuse the logic in add_addr(), extend it to accept the payload base value via parameter. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Optimize class-based IP prefix matchesPhil Sutter2020-11-045-11/+30
| | | | | | | Payload expression works on byte-boundaries, leverage this with suitable prefix lengths. Signed-off-by: Phil Sutter <phil@nwl.cc>
* configure: bump version for 1.8.6 releasev1.8.6Pablo Neira Ayuso2020-10-311-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Improve concurrent noflush restore test a bitPhil Sutter2020-10-271-0/+14
| | | | | | | | | | | | The described issue happens only if chain FOO does not exist at program start so flush the ruleset after each iteration to make sure this is the case. Sadly the bug is still not 100% reproducible on my testing VM. While being at it, add a paragraph describing what exact situation the test is trying to provoke. Fixes: dac904bdcd9a1 ("nft: Fix for concurrent noflush restore calls") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for concurrent noflush restore callsPhil Sutter2020-10-132-28/+83
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Transaction refresh was broken with regards to nft_chain_restore(): It created a rule flush batch object only if the chain was found in cache and a chain add object only if the chain was not found. Yet with concurrent ruleset updates, one has to expect both situations: * If a chain vanishes, the rule flush job must be skipped and instead the chain add job become active. * If a chain appears, the chain add job must be skipped and instead rules flushed. Change the code accordingly: Create both batch objects and set their 'skip' field depending on the situation in cache and adjust both in nft_refresh_transaction(). As a side-effect, the implicit rule flush becomes explicit and all handling of implicit batch jobs is dropped along with the related field indicating such. Reuse the 'implicit' parameter of __nft_rule_flush() to control the initial 'skip' field value instead. A subtle caveat is vanishing of existing chains: Creating the chain add job based on the chain in cache causes a netlink message containing that chain's handle which the kernel dislikes. Therefore unset the chain's handle in that case. Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: Avoid gcc-10 zero-length array warningPhil Sutter2020-10-121-1/+1
| | | | | | | | | | | | | | | | Gcc-10 doesn't like the use of zero-length arrays as last struct member to denote variable sized objects. The suggested alternative, namely to use a flexible array member as defined by C99, is problematic as that doesn't allow for said struct to be embedded into others. With the relevant structs being part of kernel UAPI, this can't be precluded though. The call to memcpy() which triggers the warning copies data from one struct xt_counters to another. Since this struct is flat and merely contains two u64 fields, One can use direct assignment instead which avoids the warning. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-nft: fix basechain policy configurationPablo Neira Ayuso2020-10-082-1/+34
| | | | | | | | | | Previous to this patch, the basechain policy could not be properly configured if it wasn't explictly set when loading the ruleset, leading to iptables-nft-restore (and ip6tables-nft-restore) trying to send an invalid ruleset to the kernel. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix error reporting for refreshed transactionsPhil Sutter2020-10-071-2/+3
| | | | | | | | | | | | | | When preparing a batch from the list of batch objects in nft_action(), the sequence number used for each object is stored within that object for later matching against returned error messages. Though if the transaction has to be refreshed, some of those objects may be skipped, other objects take over their sequence number and errors are matched to skipped objects. Avoid this by resetting the skipped object's sequence number to zero. Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* nft: Make batch_add_chain() return the added batch objectPhil Sutter2020-10-071-18/+17
| | | | | | | | | | Do this so in a later patch the 'skip' field can be adjusted. While being at it, simplify a few callers and eliminate the need for a 'ret' variable. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* libxtables: Register multiple extensions in ascending orderPhil Sutter2020-10-071-6/+8
| | | | | | | | | The newly introduced ordered insert algorithm in xtables_register_{match,target}() works best if extensions of same name are passed in ascending revisions. Since this is the case in about all extensions' arrays, iterate over them from beginning to end. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Simplify pending extension registrationPhil Sutter2020-10-071-95/+33
| | | | | | | | | | | | | | | | | | | | Assuming that pending extensions are sorted by first name and family, then descending revision, the decision where to insert a newly registered extension may be simplified by memorizing the previous registration (which obviously is of same name and family and higher revision). As a side-effect, fix for unsupported old extension revisions lingering in pending extension list forever and being retried with every use of the given extension. Any revision being rejected by the kernel may safely be dropped iff a previous (read: higher) revision was accepted already. Yet another side-effect of this change is the removal of an unwanted recursion by xtables_fully_register_pending_*() into itself via xtables_find_*(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Make sure extensions register in revision orderPhil Sutter2020-10-071-7/+64
| | | | | | | | | | | | Insert extensions into pending lists in ordered fashion: Group by extension name (and, for matches, family) and order groups by descending revision number. This allows to simplify the later full registration considerably. Since that involves kernel compatibility checks, the extra cycles here pay off eventually. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libipt_icmp: Fix translation of type 'any'Phil Sutter2020-10-062-0/+8
| | | | | | | | | | | | | By itself, '-m icmp --icmp-type any' is a noop, it matches any icmp types. Yet nft_ipv4_xlate() does not emit an 'ip protocol' match if there's an extension with same name present in the rule. Luckily, legacy iptables demands icmp match to be prepended by '-p icmp', so we can assume this is present and just emit the 'ip protocol' match from icmp xlate callback. Fixes: aa158ca0fda65 ("extensions: libipt_icmp: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* nft: Fix for broken address mask match detectionPhil Sutter2020-09-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Trying to decide whether a bitwise expression is needed to match parts of a source or destination address only, add_addr() checks if all bytes in 'mask' are 0xff or not. The check is apparently broken though as each byte in 'mask' is cast to a signed char before comparing against 0xff, therefore the bitwise is always added: | # ./bad/iptables-nft -A foo -s 10.0.0.1 -j ACCEPT | # ./good/iptables-nft -A foo -s 10.0.0.2 -j ACCEPT | # nft --debug=netlink list chain ip filter foo | ip filter foo 5 | [ payload load 4b @ network header + 12 => reg 1 ] | [ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ] | [ cmp eq reg 1 0x0100000a ] | [ counter pkts 0 bytes 0 ] | [ immediate reg 0 accept ] | | ip filter foo 6 5 | [ payload load 4b @ network header + 12 => reg 1 ] | [ cmp eq reg 1 0x0200000a ] | [ counter pkts 0 bytes 0 ] | [ immediate reg 0 accept ] | | table ip filter { | chain foo { | ip saddr 10.0.0.1 counter packets 0 bytes 0 accept | ip saddr 10.0.0.2 counter packets 0 bytes 0 accept | } | } Fix the cast, safe an extra op and gain 100% performance in ideal cases. Fixes: 56859380eb328 ("xtables-compat: avoid unneeded bitwise ops") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Use nft_chain_find() in nft_chain_builtin_init()Phil Sutter2020-08-211-12/+4
| | | | | | The replaced code is basically identical to nft_chain_find()'s body. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fold nftnl_rule_list_chain_save() into callerPhil Sutter2020-08-211-24/+7
| | | | | | | | | | | Existence of this function was mostly code-duplication: Caller already branches depending on whether 'chain' is NULL or not and even does the chain list lookup. While being at it, simplify __nftnl_rule_list_chain_save function name a bit now that the non-prefixed name is gone. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Extend use of nftnl_chain_list_foreach()Phil Sutter2020-08-211-77/+86
| | | | | | | | | | | | | Make use of the callback-based iterator in nft_rule_list(), nft_rule_list_save(), nft_rule_flush() and nft_rule_save(). Callback code for nft_rule_list() and nft_rule_list_save is pretty similar, so introduce and use a common callback function. For nft_rule_save(), turn nft_chain_save_rules() into a callback - it is not used anywhere else, anyway. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Check consistency with NFT_CL_FAKE, tooPhil Sutter2020-08-211-2/+2
| | | | | | | | Athough this cache level fetches table names only, it shouldn't skip the consistency check. Fixes: f42bfb344af82 ("nft: cache: Re-establish cache consistency check") Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Add missing man pages to CLEANFILESPhil Sutter2020-08-171-0/+4
| | | | | | | The list of man pages to remove along with 'make clean' was missing a few built ones, add them. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for ruleset flush while restoringPhil Sutter2020-08-143-14/+25
| | | | | | | | | | | | | | | | | | If ruleset is flushed while an instance of iptables-nft-restore is running and has seen a COMMIT line once, it doesn't notice the disappeared table while handling the next COMMIT. This is due to table existence being tracked via 'initialized' boolean which is only reset by nft_table_flush(). To fix this, drop the dedicated 'initialized' boolean and switch users to the recently introduced 'exists' one. As a side-effect, this causes base chain existence being checked for each command calling nft_xt_builtin_init() as the old 'initialized' bit was used to track if that function has been called before or not. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-monitor: Fix ip6tables rule printingPhil Sutter2020-08-141-0/+2
| | | | | | | | | | | | | | When printing an ip6tables rule event, false family ops are used as they are initially looked up for AF_INET and reused no matter the current rule's family. In practice, this means that nft_rule_print_save() calls the wrong rule_to_cs, save_rule and clear_cs callbacks. Therefore, if a rule specifies a source or destination address, the address is not printed. Fix this by performing a family lookup each time rule_cb is called. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Merge and extend return codes testPhil Sutter2020-08-142-91/+61
| | | | | | | | | | Merge scripts for iptables and ip6tables, they were widely identical. Also extend the test by one check (removing a non-existent rule with valid chain and target) and quote the error messages where differences are deliberately ignored. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>