iptables - iptables tree

	Commit message (Collapse)	Author	Age	Files	Lines
*	extensions: fix iptables-{nft,translate} with conntrack EXPECTED	Quentin Armitage	2019-09-20	1	-0/+3
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED outputs: nft add rule ip filter INPUT ct status expected,assured counter and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED produces nft list output: chain INPUT { ct status expected,assured counter packets 0 bytes 0 accept } which are correct. However, iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED outputs: nft # -A INPUT -m conntrack --ctstatus EXPECTED and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED produces nft list output: chain INPUT { counter packets 0 bytes 0 accept } neither of which is what is desired. Commit 6223ead0d - "extensions: libxt_conntrack: Add translation to nft" included the following code in _conntrack3_mt_xlate(): if (sinfo->match_flags & XT_CONNTRACK_STATUS) { if (sinfo->status_mask == 1) return 0; ... If the intention had been not to produce output when status_mask == 1, it would have been written as: if (sinfo->status_mask == IPS_EXPECTED) return 0; so it looks as though this is debugging code accidently left in the original patch. Removing the lines: if (sinfo->status_mask == 1) return 0; resolves the problems, and iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED outputs: nft add rule ip filter INPUT ct status expected counter and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED produces nft list output: chain INPUT { ct status expected counter packets 0 bytes 0 accept } This commit also includes an additional txlate test to check when only the status EXPECTED is specified. Fixes: 6223ead0d06b ("extensions: libxt_conntrack: Add translation to nft") Signed-off-by: Quentin Armitage <quentin@armitage.org.uk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	tests: add regression tests for xtables-translate	Pablo M. Bermudo Garay	2017-04-07	1	-0/+41
	This test suite is intended to detect regressions in the translation infrastructure. The script checks if ip[6]tables-translate produces the expected output, otherwise it prints the wrong translation and the expected one. Arguments --all # Show also passed tests [test] # Run only the specified test file Test files structure Test files are located under extensions directory. Every file contains tests about specific extension translations. A test file name must end with ".txlate". Inside the files, every single test is defined by two consecutive lines: ip[6]tables-translate command and expected result. One blank line is left between tests by convention. e.g. $ cat extensions/libxt_cpu.txlate iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>