path: root/iptables/tests
Commit message (Collapse)AuthorAgeFilesLines
* xtables: Fix for crash when comparing rules with standard targetPhil Sutter2019-02-011-0/+7
| | | | | | | | | | When parsing an nftnl_rule with a standard verdict, nft_rule_to_iptables_command_state() initialized cs->target but didn't care about cs->target->t. When later comparing that rule to another, compare_targets() crashed due to unconditional access to t's fields. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* tests: shell: Add arptables-nft verbose output testPhil Sutter2019-01-311-0/+64
| | | | | | | | With arptables-nft output being in a very good state now, add a test to ensure it stays that way. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* arptables-nft: Don't print default h-len/h-type valuesPhil Sutter2019-01-312-19/+19
| | | | | | | | | | | | | | Default values for --h-len and --h-type being printed for rules where user didn't provide them is unexpected and confusing. The drawback is the opposite: If user provided either of them with their default value, they are later omitted when listing rules. Though since unlike legacy arptables we can't distinguish between not specified and specified with default value, we can't fix both - so choose to optimize for the more likely case. Fixes: 5aecb2d8bfdda ("arptables: pre-init hlen and ethertype") Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* arptables-nft-save: Fix position of -j optionPhil Sutter2019-01-312-19/+19
| | | | | | | | | | | | | | | | | | Legacy arptables-save (just like arptables itself) prints verdict as first option, then matches and finally any target options. To achieve this without introducing double/trailing spaces everywhere, integrate target ('-j') option printing into nft_arp_print_rule_details() and make it print separating whitespace before each option. In nft_arp_save_rule(), replace the call to save_matches_and_target() by by a direct call to cs->target->save() since the former prints '-j' option itself. Since there are no match extensions in arptables, any other code from that function is not needed. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* arptables-nft: Fix MARK target parsing and printingPhil Sutter2019-01-311-1/+1
| | | | | | | | | | | | | Legacy arptables parses mark values in hex no matter if prefixed with '0x' or not. Sadly, this is not easily achievable with guided option parser. Hence fall back to the old 'parse' callback. The introduced target definition is valid only for revision 2, but that's consistent with legacy arptables. When printing, use --set-mark option instead of --set-xmark. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Fix for inserting rule at wrong positionPhil Sutter2019-01-282-0/+155
| | | | | | | | | | | | | | | | | | | iptables-restore allows to insert rules at a certain position which is problematic for iptables-nft to realize since rule position is not determined by number but handle of previous or following rule and in case the rules surrounding the new one are new as well, they don't have a handle to refer to yet. Fix this by making use of NFTNL_RULE_POSITION_ID attribute: When inserting before a rule which does not have a handle, refer to it using its NFTNL_RULE_ID value. If the latter doesn't exist either, assign a new one to it. The last used rule ID value is tracked in a new field of struct nft_handle which is incremented before each use. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* tests: Extend verbose output and return code testsPhil Sutter2018-12-272-4/+15
| | | | | | | | | | | | | Recent changes to chain flush and zero routines incorporate proper error propagation so trying to flush or zero a non-existent chain results in an error. This is consistent with iptables-legacy, extend tests to make sure it stays this way. Also extend verbose output test to make these recent changes didn't mess it up. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* tests: shell: fix expected arptables-save outputFlorian Westphal2018-11-121-3/+3
| | | | | | | forgot to squash this before pushing arptables fixes. Fixes: 5aecb2d8bfd ("arptables: pre-init hlen and ethertype") Signed-off-by: Florian Westphal <>
* arptables: pre-init hlen and ethertypeFlorian Westphal2018-11-121-14/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | to check -s, we need to add the size of the hardware address to the arp header to obtain the offset where the ipv4 address begins: base_arphdr HW_ADDR IP_ADDR (src) IP_ADDR (target) In arptables-classic, the kernel will add dev->addr_len to the arp header base address to obtain the correct location, but we cannot do this in nf_tables, at least not at this time (we need a fixed offset value). code does: op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP); add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ... but if user did not provide "--h-length 6" argument, then this won't work even for ethernet, as the payload expression will be told to load the first 4 bytes of arp header source mac address (sender hw address). Fix this by pre-initialising arhlen to 6. We also need to set up arhrd. Otherwise, src/dst mac can't be used: arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66 arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT This means that matching won't work for AX25, NETROM etc, however, arptables "classic" can't parse non-ethernet addresses, and makes ETH_ALEN assumptions in several spots, so this should be fine from compatibility point of view. Signed-off-by: Florian Westphal <>
* xtables: Fix error return code in nft_chain_user_rename()Phil Sutter2018-11-121-0/+4
| | | | | | | If the chain to rename wasn't found, the function would return -1 which got interpreted as success. Signed-off-by: Phil Sutter <>
* libxtables: add and use mac print helpersFlorian Westphal2018-11-071-2/+2
| | | | | | | | | | | | This changes ebtables-nft to consistently print mac address with two characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a. Will require another bump of vcurrent/vage. Suggested-by: Pablo Neira Ayuso <> Signed-off-by: Florian Westphal <>
* xtables: Accept --wait in iptables-nft-restorePhil Sutter2018-09-101-0/+21
| | | | | | | | | | | Passing --wait option to iptables-nft-restore led to program abort because the flag parameter was not skipped. Mimick iptables-restore behaviour when encountering --wait or --wait-interval options (but still ignore the parameter). Fixes: b9d7b49d84bc2 ("xtables-compat: restore: sync options with iptables-restore") Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Align return codes with legacy iptablesPhil Sutter2018-09-012-0/+76
| | | | | | | | Make sure return codes match legacy ones at least for a few selected commands typically used to check ruleset state. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Fix for deleting rules with commentPhil Sutter2018-08-291-0/+15
| | | | | | | | | | | | | | | | | | | | | | Comment match allocation in command_match() and nft_rule_to_iptables_command_state() were misaligned in that the latter set match_size to just what is required instead of what the match needs at maximum like the further. This led to failure when comparing them later and therefore a rule with a comment could not be deleted. For comments of a specific length, the udata buffer is padded by libnftnl so nftnl_rule_get_data() returns a length value which is larger than the string (including NULL-byte). The trailing data is supposed to be ignored, but compare_matches() can't not know about that detail and therefore returns a false-negative if trailing data contains junk. To overcome this, use strncpy() when populating match data in nft_rule_to_iptables_command_state(). While being at it, make sure comment match allocation in that function is identical to what command_match() does with regards to data allocation size. Also use xtables_calloc() which does the required error checking. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* ebtables: Fix entries count in chain listingPhil Sutter2018-08-161-0/+30
| | | | | | | | | | | | | | | The previous fix for reference counts in iptables-nft output wasn't complete: While iptables lists the number of references for each custom chain (i.e., the number of jumps to it), ebtables lists number of entries (i.e., the number of rules contained) for each chain. Both used the same value for it, although they are different metrics. Fix this by passing both numbers separately to the 'print_header' callback so that each tool may print the desired value. Fixes: a0698de9866d2 ("xtables: Do not count rules as chain references") Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* xtables: Make 'iptables -S nonexisting' return non-zeroPhil Sutter2018-08-162-0/+80
| | | | | | | | | | | | To be consistent with legacy iptables, calling -S with a non-existing chain should lead to an error message. This is how some scripts find out whether a user-defined chain exists or not. Make sure doing the same for an existing chain does succeed, even if an invalid rule number was given. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* ebtables: Merge libebt_limit.c into libxt_limit.cPhil Sutter2018-08-162-5/+5
| | | | | | | | | | | | | | | | | Both extensions were very similar already, but now that they both are translated into native nftables code, their actual difference (i.e. match size) doesn't matter anymore. This change comes with one caveat: Since ebtables limit match is not in its own file anymore, match preloading automatically also loads the NFPROTO_UNSPEC limit match. This is not a problem per se since match lookup will prefer the family-specific one, but when parsing unknown options, a match without 'parse' callback is encountered. Therefore do_commandeb() has to check existence of that callback prior to dereferencing it. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
* xtables: Fix for wrong counter format in -S outputPhil Sutter2018-08-091-0/+48
| | | | | | | | | | | | | | | | | | | | | | Legacy iptables uses '-c PCNT BCNT' format in listed rules, nft-variant used '[PCNT BCNT]' prefix like with iptables-save. In order to pass the counter format preference along, FMT_C_COUNTS is introduced and related 'format' checks adjusted. Since legacy iptables prints the counters between matches and target, this change affects save_matches_and_target() function. In order to get access to the rule counters, it's declaration is adjusted to receive iptables_command_state pointer instead of match, target and jumpto pointers from the same object. While being at it, integrate jump to user-defined chain into it as well since the related code in both callers was almost identical. Though since different rule flags are used between iptables and ip6tables, pass a 'goto_flag' boolean instead of the actual 'flags' bitfield. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Don't pass full invflags to add_compat()Phil Sutter2018-08-091-0/+10
| | | | | | | | | | | The function expects a boolean, not a bitfield. This bug caused inversion in another match to carry over to protocol match by accident. The supplied testcase contains rules which then fail because they contain matches requiring that protocol. Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol and invflags") Fixes: 4143a08819a07 ("ebtables-compat: add nft rule compat information to bridge rules") Signed-off-by: Phil Sutter <>
* tests: Fix skipping for recent nft-only testsPhil Sutter2018-08-094-4/+4
| | | | | | | | | | | | | | | In an attempt to sanitize shell scripting, exit test in recent testcases was altered, which led to them being skipped even in nft test runs. Drop the quotes so that globbing happens again. While here, improve the check a bit to glob only on leading path part, not also the file name. Also print "skip ..." just like nft-only/0001compat_0 testcase does. Fixes: f1d8508fd6fdc ("tests: Add arptables-{save,restore} testcases") Fixes: fbf0bf7c079d8 ("tests: Add ebtables-{save,restore} testcases") Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* tests: Add ebtables-{save,restore} testcasesPhil Sutter2018-08-062-0/+145
| | | | | | | | | | | This actually does a bit more since it creates the ruleset using separate ebtables calls. Note that there are a few commented out lines containing commands which don't apply for unknown reasons - something to investigate later. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* tests: Add arptables-{save,restore} testcasesPhil Sutter2018-08-062-0/+86
| | | | | | | | | | | This actually does a bit more since it creates the ruleset using separate arptables calls. Note that there are a few commented out lines containing commands which don't apply for unknown reasons - something to investigate later. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Match verbose ip{,6}tables output with legacyPhil Sutter2018-08-042-0/+102
| | | | | | | | | | | | | | Legacy ip{,6}tables prints feedback for various commands if in verbose mode, make sure nft variants do the same. There is one difference, namely when checking a rule (-C command): Legacy ip{,6}tables print the rule in any case, nft variants don't in case the rule wasn't found. Changing this though would require to populate the nftnl_rule object just for printing, which is probably not feasible. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: Do not count rules as chain referencesPhil Sutter2018-08-041-0/+14
| | | | | | | | | | Unlike iptables, nftables counts rules in a chain as references to that chain. Align output of 'iptables-nft -L' with that of legacy iptables by counting the number of rules in a chain and subtracting that value from reference count before printing the chain header. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* nft: don't print rule counters unless verboseEric Garver2018-08-011-0/+30
| | | | | | | | | | | Currently rule counters are always printed, but that's not the desired behavior. We should only print them with the verbose flag. This broke when the arguments of nft_rule_print_save() were changed to accept the format instead of a counters flag. Fixes: cdc78b1d6bd7 ("nft: convert rule into a command state structure") Signed-off-by: Eric Garver <> Signed-off-by: Florian Westphal <>
* iptables-restore: free the table lock when skipping a tableJoel Goguen2018-07-263-0/+101
| | | | | | | | | | | | | | | | | | | Currently, when running `iptables-restore --table=X`, where `X` is not the first table in the rules dump, the restore will fail when parsing the second table: - a lock is acquird when parsing the first table name - the table name does not match the parameter to `--table` so processing continues until the next table - when processing the next table a lock is acquired, which fails because a lock is already held Another app is currently holding the xtables lock. Perhaps you want to use the -w option? This will release the lock as soon as it's decided the current table won't be used. Signed-off-by: Joel Goguen <> Signed-off-by: Florian Westphal <>
* xtables: avoid bogus 'is incompatible' warningFlorian Westphal2018-07-241-0/+21
| | | | | | | | | | | | | | | | | | | | | | when using custom nft tables + iptables-nft, iptables-nft -L may fail with iptables v1.8.0 (nf_tables): table `filter' is incompatible, use 'nft' tool. even if filter table is compatible. Problem is that the chain cache tracks ALL chains. The "old" compat-check only walked chains in the table to checked (filter in this case), now we will see all other chains including base chains of another table. It seems better to extend the chain cache long-term to track chains per table instead, but for now skip the foreign ones. Reported-by: Eric Garver <> Fixes: 01e25e264a4c4 ("xtables: add chain cache") Signed-off-by: Florian Westphal <>
* tests: check iptables retval, not echoFlorian Westphal2018-07-101-2/+2
| | | | | | | | | Pablo reports that tests that should return nozero now fail. Reason is that $? is checking return value of "echo" and not the script. Fixes: 17c66a50608 ("iptables: tests: shell: Add README") Reported-by: Pablo Neira Ayuso <> Signed-off-by: Florian Westphal <>
* iptables: tests: add test for iptables-save and iptables-restoreArushi Singhal2018-07-101-0/+47
| | | | | | | Add test for testing if iptables configuration is restored and saved. Signed-off-by: Arushi Singhal <> Signed-off-by: Pablo Neira Ayuso <>
* iptables: tests: shell: Add READMEArushi Singhal2018-07-074-1/+18
| | | | | | | | | | | 1) README is added to run test suite. 2) Rename two test-case scripts to follow proper numerical order. 3) "echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line" command should only used when verbose("-v") option is not there else instead of clearing "[EXECUTING]" prompt it is clearing last prompt of the test file. Signed-off-by: Arushi Singhal <> Signed-off-by: Florian Westphal <>
* tests: add script that mimics firewalld startupFlorian Westphal2018-07-023-0/+419
| | | | | | | | | Mimic firewalld startup, i.e. "iptables-restore -n" use. First script is normal startup, second script restores ruleset, then re-runs first one (i.e., with existing rules rather than non-existent tables). Signed-off-by: Florian Westphal <>
* tests: fix variable name to multi-binaryFlorian Westphal2018-06-292-10/+10
| | | | | | Need to prepend XT_MULTI, not XTABLES_MULTI. Signed-off-by: Florian Westphal <>
* tests: add a few simple tests for list/new/deleteFlorian Westphal2018-06-291-0/+52
| | | | Signed-off-by: Florian Westphal <>
* tests: add firewalld default ruleset from fedora 27Florian Westphal2018-06-273-0/+320
| | | | | | | The ipv4 version has bogus counters so this can also check save/restore -c option. Signed-off-by: Florian Westphal <>
* tests: add another ipv4 only rulesetFlorian Westphal2018-06-272-0/+82
| | | | Signed-off-by: Florian Westphal <>
* tests: add initial save/restore test casesFlorian Westphal2018-06-278-34/+170
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add script to restore ipt-save files and compare it with save output. This should be extended to cover as many rulesets as possible, so this is only a start. The test script is changed to pass XT_MULTI instead of iptables/ip6tables. This allows ip(6)tables/ebt/arp only test scripts and avoids running all scripts multiple times for ip/ip6tables. Current expected output: I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1 I: [OK] ./iptables/tests/shell/testcases/chain/000newchain_0 I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1 I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 I: legacy results: [OK] 10 [FAILED] 0 [TOTAL] 10 I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1 I: [OK] ./iptables/tests/shell/testcases/chain/0004newchain_0 I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1 I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 I: nft results: [OK] 10 [FAILED] 0 [TOTAL] 10 I: combined results: [OK] 20 [FAILED] 0 [TOTAL] 20 Signed-off-by: Florian Westphal <>
* tests: adapt test suite to run with legacy+nftables based binariesFlorian Westphal2018-06-275-93/+45
| | | | | | | | | | | | | | | | | | | | | | | | | While at it, make following changes/fixes: 1. run each test in a fresh net namespace 2. remove rmmod use, its very distuptive and not needed after 1. 3. avoid -e use if possible 4. make sure we exit 0 when test is expected to fail 5. set XT_LIBDIR so we point at the correct extensions to be used Also delete 0003duplicate_1, its same test as 0001duplicate_1. NB: I don't think its good to have this 'encode retval in name' scheme. These are scripts, so they should always return 0, i.e. do iptables --this-command-should-fail || exit 0 echo "succeess, should fail" exit 1 Much simpler, imo. This was inherited from nft shell tests though and changing it there is rather intrusive so use same scheme for now. Signed-off-by: Florian Westphal <>
* tests: make duplicate test workFlorian Westphal2018-06-251-3/+1
| | | | | | | | | | set -e causes 2nd command (which is expected to fail) to terminate the script as well. So, don't set -e and let the error check invert the return value to 0. Signed-off-by: Florian Westphal <>
* iptables: tests: shell: add shell test-suiteArushi Singhal2018-06-126-0/+180
To run the test suite (as root): % cd iptables/tests/shell % ./ Test files are executables files with the pattern <<name_N>> , where N is the expected return code of the executable. Since they are located with `find', test-files can be spreaded in any sub-directories. You can turn on a verbose execution by calling: % ./ -v Before each call to the test-files, `kernel_cleanup' will be called. Also, test-files will receive the environment variable $IPTABLES which contains the path to the iptables binary being tested. You can pass an arbitrary $IPTABLES value as well: % IPTABLES=/../../xtables-multi iptables ./ Signed-off-by: Arushi Singhal <> Signed-off-by: Pablo Neira Ayuso <>