summaryrefslogtreecommitdiffstats
path: root/iptables/tests/shell/testcases/ip6tables
Commit message (Collapse)AuthorAgeFilesLines
* Revert "xshared: Print protocol numbers if --numeric was given"Phil Sutter2024-02-071-5/+5
| | | | | | | | | | | | | | This reverts commit da8ecc62dd765b15df84c3aa6b83dcb7a81d4ffa. The patch's original intention is not entirely clear anymore. If it was to reduce delays involved by calling getprotobynumber() though, commit b6196c7504d4d ("xshared: Prefer xtables_chain_protos lookup over getprotoent") avoids those if --numeric flag was given already. Also, this numeric protocol output did not cover iptables-save which is a more relevant candidate for such optimizations anyway. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1729 Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: Fix setting of ipv6 countersJacek Tomasiak2023-06-211-3/+3
| | | | | | | | | | | | | | When setting counters using ip6tables-nft -c X Y the X and Y values were not stored. This is a fix based on 9baf3bf0e77dab6ca4b167554ec0e57b65d0af01 but applied to the nft variant of ipv6 not the legacy. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1647 Fixes: 0391677c1a0b2 ("xtables: add IPv6 support") Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com> Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Test for false-positive rule checkPhil Sutter2023-04-051-0/+17
| | | | | | | | Rule comparison in legacy ip6tables was broken by commit eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables"): A part of the rules' data was masked out for comparison by accident. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Fix expected output for ip6tables dst matchPhil Sutter2022-10-061-2/+2
| | | | | | | | Forgot to update the shell testsuites when fixing for duplicate whitespace in output. Fixes: 11e06cbb3a877 ("extensions: libip6t_dst: Fix output for empty options") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Print protocol numbers if --numeric was givenPhil Sutter2022-07-291-5/+5
| | | | | | | | | | This is much trickier than expected: On one hand, proto_to_name() is used to lookup protocol extensions so must resolve despite FMT_NUMERIC being set. On the other, --verbose implies --numeric but changing the output there is probably a bad idea. Luckily the latter situation is identified by FMT_NOTABLE bit. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Fix for missing space after 'prot' columnPhil Sutter2022-07-291-1/+1
| | | | | | | Format string ensured a minimum field width of five characters, but allowed for longer strings to eat the column delimiting white space. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Fix testcases for changed ip6tables opts outputPhil Sutter2022-07-291-10/+10
| | | | | | | | Adjust captured output, ip6tables prints '--' instead of spaces since the commit in Fixes: tag. Fixes: 6e41c2d8747b2 ("iptables: xshared: Ouptut '--' in the opt field in ipv6's fake mode") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Add some more rules to 0002-verbose-output_0Phil Sutter2022-06-111-0/+15
| | | | | | This increases coverage of function print_match() from 0 to 86.6%. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix bitwise expression avoidance detectionPhil Sutter2021-03-091-0/+24
| | | | | | | | | Byte-boundary prefix detection was too sloppy: Any data following the first zero-byte was ignored. Add a follow-up loop making sure there are no stray bits in the designated host part. Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Merge and extend return codes testPhil Sutter2020-08-141-39/+0
| | | | | | | | | | Merge scripts for iptables and ip6tables, they were widely identical. Also extend the test by one check (removing a non-existent rule with valid chain and target) and quote the error messages where differences are deliberately ignored. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: split parsing from netlink commandsPablo Neira Ayuso2020-05-111-0/+1
| | | | | | | | | | | | | | This patch updates the parser to generate a list of command objects. This list of commands is then transformed to a list of netlink jobs. This new command object stores the rule using the nftnl representation via nft_rule_new(). To reduce the number of updates in this patch, the nft_*_rule_find() functions have been updated to restore the native representation to skip the update of the rule comparison code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Align return codes with legacy iptablesPhil Sutter2018-09-011-0/+38
| | | | | | | | Make sure return codes match legacy ones at least for a few selected commands typically used to check ruleset state. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Make 'iptables -S nonexisting' return non-zeroPhil Sutter2018-08-161-0/+64
| | | | | | | | | | | | To be consistent with legacy iptables, calling -S with a non-existing chain should lead to an error message. This is how some scripts find out whether a user-defined chain exists or not. Make sure doing the same for an existing chain does succeed, even if an invalid rule number was given. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Match verbose ip{,6}tables output with legacyPhil Sutter2018-08-041-0/+51
Legacy ip{,6}tables prints feedback for various commands if in verbose mode, make sure nft variants do the same. There is one difference, namely when checking a rule (-C command): Legacy ip{,6}tables print the rule in any case, nft variants don't in case the rule wasn't found. Changing this though would require to populate the nftnl_rule object just for printing, which is probably not feasible. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>