Instrument proto_to_name() to abort if given protocol number is not
among the well-known ones in xtables_chain_protos. Along with
xtables_parse_protocol() preferring said array for lookups as well, this
ensures reliable dump'n'restore regardless of /etc/protocols contents.
Another benefit is rule dump performance. A simple test-case dumping
100k rules matching on dccp protocol shows an 8s delta (2s vs. 10s for
legacy, 0.5s vs. 8s for nft) with this patch applied. For reference:
    for variant in nft legacy; do
        (
            echo "*filter"
            for ((i = 0; i < 100000; i++)); do
                echo "-A FORWARD -p dccp -j ACCEPT"
            done
            echo "COMMIT"
        ) | iptables-${variant}-restore
        time iptables-${variant}-save | wc -l
        iptables-${variant} -F
    done
Signed-off-by: Phil Sutter <phil@nwl.cc>
Call with --combine as well, even though output doesn't differ. Also
there's no need to skip for xtables-nft-multi, it provides the same
functionality.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Some repeated calls have been reduced recently; assert this in a test
evaluating strace output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Adding a parser which supports common names for special MAC/mask
combinations and a print routine detecting those special addresses and
printing the respective name allows consolidating all the various
duplicated implementations.
The side-effects of this change are manageable:
* arptables now accepts "BGA" as alias for the bridge group address
* "mac" match now prints MAC addresses in lower-case which is consistent
with the remaining code at least
Signed-off-by: Phil Sutter <phil@nwl.cc>
Extend the shared argv parser by storing whether a given argument was
quoted or not, then use it in iptables-xml. One remaining extra bit is
extraction of the chain name in -A commands; do that afterwards in a loop.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
Currently rule counters are always printed, but that's not the desired
behavior. We should only print them with the verbose flag. This broke
when the arguments of nft_rule_print_save() were changed to accept the
format instead of a counters flag.
Fixes: cdc78b1d6bd7 ("nft: convert rule into a command state structure")
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
Add test for testing if iptables configuration is restored and saved.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The ipv4 version has bogus counters so this can also check
save/restore -c option.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Add script to restore ipt-save files and compare it with save output.
This should be extended to cover as many rulesets as possible, so this
is only a start.
The test script is changed to pass XT_MULTI instead of
iptables/ip6tables.
This allows ip(6)tables/ebt/arp only test scripts and avoids running all scripts
multiple times for ip/ip6tables.
Current expected output:
I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK] ./iptables/tests/shell/testcases/chain/000newchain_0
I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: legacy results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK] ./iptables/tests/shell/testcases/chain/0004newchain_0
I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: nft results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: combined results: [OK] 20 [FAILED] 0 [TOTAL] 20
Signed-off-by: Florian Westphal <fw@strlen.de>