From c8b7aaabbe1fc6da1c97d1e3de8cfae67ad483a1 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 21 Aug 2012 19:43:09 +0200 Subject: add iptables unit test infrastructure This patch adds a python script to verify unit test cases. Signed-off-by: Pablo Neira Ayuso --- iptables-test.py | 311 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 311 insertions(+) create mode 100755 iptables-test.py diff --git a/iptables-test.py b/iptables-test.py new file mode 100755 index 00000000..9e137f8c --- /dev/null +++ b/iptables-test.py 
@@ -0,0 +1,311 @@ +#!/usr/bin/python +# +# (C) 2012-2013 by Pablo Neira Ayuso +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This software has been sponsored by Sophos Astaro +# + +import sys +import os +import subprocess +import argparse + +IPTABLES = "iptables" +IP6TABLES = "ip6tables" +#IPTABLES = "xtables -4" +#IP6TABLES = "xtables -6" + +IPTABLES_SAVE = "iptables-save" +IP6TABLES_SAVE = "ip6tables-save" +#IPTABLES_SAVE = ['xtables-save','-4'] +#IP6TABLES_SAVE = ['xtables-save','-6'] + +EXTENSIONS_PATH = "extensions" +LOGFILE="/tmp/iptables-test.log" +log_file = None + + +class Colors: + HEADER = '\033[95m' + BLUE = '\033[94m' + GREEN = '\033[92m' + YELLOW = '\033[93m' + RED = '\033[91m' + ENDC = '\033[0m' + + +def print_error(reason, filename=None, lineno=None): + ''' + Prints an error with nice colors, indicating file and line number. + ''' + print (filename + ": " + Colors.RED + "ERROR" + + Colors.ENDC + ": line %d (%s)" % (lineno, reason)) + + +def delete_rule(iptables, rule, filename, lineno): + ''' + Removes an iptables rule + ''' + cmd = iptables + " -D " + rule + ret = execute_cmd(cmd, filename, lineno) + if ret == 1: + reason = "cannot delete: " + iptables + " -I " + rule + print_error(reason, filename, lineno) + return -1 + + return 0 + + +def run_test(iptables, rule, rule_save, res, filename, lineno): + ''' + Executes an unit test. Returns the output of delete_rule(). + + Parameters: + :param iptables: string with the iptables command to execute + :param rule: string with iptables arguments for the rule to test + :param rule_save: string to find the rule in the output of iptables -save + :param res: expected result of the rule. 
Valid values: "OK", "FAIL" + :param filename: name of the file tested (used for print_error purposes) + :param lineno: line number being tested (used for print_error purposes) + ''' + ret = 0 + + cmd = iptables + " -A " + rule + ret = execute_cmd(cmd, filename, lineno) + + # + # report failed test + # + if ret: + if res == "OK": + reason = "cannot load: " + cmd + print_error(reason, filename, lineno) + return -1 + else: + # do not report this error + return 0 + else: + if res == "FAIL": + reason = "should fail: " + cmd + print_error(reason, filename, lineno) + delete_rule(iptables, rule, filename, lineno) + return -1 + + matching = 0 + splitted = iptables.split(" ") + if len(splitted) == 2: + if splitted[1] == '-4': + command = IPTABLES_SAVE + elif splitted[1] == '-6': + command = IP6TABLES_SAVE + elif len(splitted) == 1: + if splitted[0] == IPTABLES: + command = IPTABLES_SAVE + elif splitted[0] == IP6TABLES: + command = IP6TABLES_SAVE + args = splitted[1:] + proc = subprocess.Popen(command, stdin=subprocess.PIPE, + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = proc.communicate() + + # + # check for segfaults + # + if proc.returncode == -11: + reason = "iptables-save segfaults: " + cmd + print_error(reason, filename, lineno) + delete_rule(iptables, rule, filename, lineno) + return -1 + + # find the rule + matching = out.find(rule_save) + if matching < 0: + reason = "cannot find: " + iptables + " -I " + rule + print_error(reason, filename, lineno) + delete_rule(iptables, rule, filename, lineno) + return -1 + + return delete_rule(iptables, rule, filename, lineno) + + +def execute_cmd(cmd, filename, lineno): + ''' + Executes a command, checking for segfaults and returning the command exit + code. 
+ + :param cmd: string with the command to be executed + :param filename: name of the file tested (used for print_error purposes) + :param lineno: line number being tested (used for print_error purposes) + ''' + global log_file + print >> log_file, "command: %s" % cmd + ret = subprocess.call(cmd, shell=True, universal_newlines=True, + stderr=subprocess.STDOUT, stdout=log_file) + log_file.flush() + + # generic check for segfaults + if ret == -11: + reason = "command segfaults: " + cmd + print_error(reason, filename, lineno) + return ret + + +def run_test_file(filename): + ''' + Runs a test file + + :param filename: name of the file with the test rules + ''' + # + # if this is not a test file, skip. + # + if not filename.endswith(".t"): + return 0, 0 + + if "libipt_" in filename: + iptables = IPTABLES + elif "libip6t_" in filename: + iptables = IP6TABLES + elif "libxt_" in filename: + iptables = IPTABLES + else: + # default to iptables if not known prefix + iptables = IPTABLES + + f = open(filename) + + tests = 0 + passed = 0 + table = "" + total_test_passed = True + + for lineno, line in enumerate(f): + if line[0] == "#": + continue + + if line[0] == ":": + chain_array = line.rstrip()[1:].split(",") + continue + + # external non-iptables invocation, executed as is. 
+ if line[0] == "@": + external_cmd = line.rstrip()[1:] + execute_cmd(external_cmd, filename, lineno) + continue + + if line[0] == "*": + table = line.rstrip()[1:] + continue + + if len(chain_array) == 0: + print "broken test, missing chain, leaving" + sys.exit() + + test_passed = True + tests += 1 + + for chain in chain_array: + item = line.split(";") + if table == "": + rule = chain + " " + item[0] + else: + rule = chain + " -t " + table + " " + item[0] + + if item[1] == "=": + rule_save = chain + " " + item[0] + else: + rule_save = chain + " " + item[1] + + res = item[2].rstrip() + + ret = run_test(iptables, rule, rule_save, + res, filename, lineno + 1) + if ret < 0: + test_passed = False + total_test_passed = False + break + + if test_passed: + passed += 1 + + if total_test_passed: + print filename + ": " + Colors.GREEN + "OK" + Colors.ENDC + + f.close() + return tests, passed + + +def show_missing(): + ''' + Show the list of missing test files + ''' + file_list = os.listdir(EXTENSIONS_PATH) + testfiles = [i for i in file_list if i.endswith('.t')] + libfiles = [i for i in file_list + if i.startswith('lib') and i.endswith('.c')] + + def test_name(x): + return x[0:-2] + '.t' + missing = [test_name(i) for i in libfiles + if not test_name(i) in testfiles] + + print '\n'.join(missing) + + +# +# main +# +def main(): + parser = argparse.ArgumentParser(description='Run iptables tests') + parser.add_argument('filename', nargs='?', + metavar='path/to/file.t', + help='Run only this test') + parser.add_argument('-m', '--missing', action='store_true', + help='Check for missing tests') + args = parser.parse_args() + + # + # show list of missing test files + # + if args.missing: + show_missing() + return + + if os.getuid() != 0: + print "You need to be root to run this, sorry" + return + + test_files = 0 + tests = 0 + passed = 0 + + # setup global var log file + global log_file + try: + log_file = open(LOGFILE, 'w') + except IOError: + print "Couldn't open log file %s" % 
LOGFILE + return + + file_list = [os.path.join(EXTENSIONS_PATH, i) + for i in os.listdir(EXTENSIONS_PATH)] + if args.filename: + file_list = [args.filename] + for filename in file_list: + file_tests, file_passed = run_test_file(filename) + if file_tests: + tests += file_tests + passed += file_passed + test_files += 1 + + print ("%d test files, %d unit tests, %d passed" % + (test_files, tests, passed)) + + +if __name__ == '__main__': + main() -- cgit v1.2.3 From 4165db16b7645e7e8858a4ec40e198bcc5623018 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 4 Sep 2012 16:04:28 +0200 Subject: extensions: libipt_ah: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_ah.t | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 extensions/libipt_ah.t diff --git a/extensions/libipt_ah.t b/extensions/libipt_ah.t new file mode 100644 index 00000000..a0ce3b06 --- /dev/null +++ b/extensions/libipt_ah.t @@ -0,0 +1,12 @@ +:INPUT,FORWARD,OUTPUT +-p ah -m ah --ahspi 0;=;OK +-p ah -m ah --ahspi 4294967295;=;OK +-p ah -m ah --ahspi 0:4294967295;-p ah -m ah;OK +-p ah -m ah ! --ahspi 0;=;OK +-p ah -m ah --ahspi -1;;FAIL +-p ah -m ah --ahspi 4294967296;;FAIL +-p ah -m ah --ahspi invalid;;FAIL +-p ah -m ah --ahspi 0:invalid;;FAIL +-m ah --ahspi 0;;FAIL +-m ah --ahspi;;FAIL +-m ah;;FAIL -- cgit v1.2.3 From f692400fe73c456280958f8b770fc17461f320a3 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 4 Sep 2012 17:02:21 +0200 Subject: extensions: libip6t_ah: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libip6t_ah.t | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 extensions/libip6t_ah.t diff --git a/extensions/libip6t_ah.t b/extensions/libip6t_ah.t new file mode 100644 index 00000000..459e9ecd --- /dev/null +++ b/extensions/libip6t_ah.t 
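Review bot: In iptables-test.py, `main()` opens `LOGFILE="/tmp/iptables-test.log"` with `open(LOGFILE, 'w')` right after insisting on uid 0, so root writes to a fixed name in a world-writable directory and will follow and truncate whatever a pre-existing symlink at that path points to. Create the log safely instead, e.g. `fd, path = tempfile.mkstemp(prefix="iptables-test-", suffix=".log")` followed by `log_file = os.fdopen(fd, 'w')` (with `import tempfile`), or keep it in a root-owned directory. `execute_cmd()` also passes every rule and every `@` line to `subprocess.call(cmd, shell=True, ...)` as root, so `.t` files are effectively root shell scripts; a comment on `run_test_file()` stating that only trusted test files may be given on the command line would make that explicit. Separately, `run_test_file()` reads `len(chain_array)` without ever initialising it, so a rule line that precedes any `:CHAIN` line raises NameError instead of printing "broken test"; adding `chain_array = []` before the loop fixes that.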
@@ -0,0 +1,14 @@
+:INPUT,FORWARD,OUTPUT
+-m ah --ahspi 0;=;OK
+-m ah --ahspi 4294967295;=;OK
+-m ah --ahspi 0:4294967295;-m ah;OK
+-m ah ! --ahspi 0;=;OK
+# ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1
+# -m ah --ahres;=;OK
+# ERROR: line 7 (cannot find: ip6tables -I INPUT -m ah --ahlen 32
+# -m ah --ahlen 32;=;OK
+-m ah --ahspi -1;;FAIL
+-m ah --ahspi 4294967296;;FAIL
+-m ah --ahspi invalid;;FAIL
+-m ah --ahspi 0:invalid;;FAIL
+-m ah --ahspi;;FAIL
-- 
cgit v1.2.3
From cc558052772ba455020f2f94b37117b2ae748db4 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 4 Sep 2012 18:18:22 +0200
Subject: extensions: libipt_LOG: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libipt_LOG.t | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 extensions/libipt_LOG.t
diff --git a/extensions/libipt_LOG.t b/extensions/libipt_LOG.t
new file mode 100644
index 00000000..fbf5118b
--- /dev/null
+++ b/extensions/libipt_LOG.t
@@ -0,0 +1,12 @@
+:INPUT,FORWARD,OUTPUT
+-j LOG;-j LOG;OK
+-j LOG --log-prefix "test: ";=;OK
+-j LOG --log-prefix "test: " --log-level 1;=;OK
+# iptables displays the log-level output using the number; not the string
+-j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK
+-j LOG --log-prefix "test: " --log-tcp-sequence;=;OK
+-j LOG --log-prefix "test: " --log-tcp-options;=;OK
+-j LOG --log-prefix "test: " --log-ip-options;=;OK
+-j LOG --log-prefix "test: " --log-uid;=;OK
+-j LOG --log-prefix "test: " --log-level bad;;FAIL
+-j LOG --log-prefix;;FAIL
-- 
cgit v1.2.3
From 1436d09122e95079d74f891eefd7231925b754d2 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 5 Sep 2012 10:54:53 +0200
Subject: extensions: libxt_addrtype: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_addrtype.t | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 extensions/libxt_addrtype.t
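Review bot: In extensions/libip6t_ah.t the comment above the disabled `# -m ah --ahres;=;OK` case is `# ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1`, which is the CLASSIFY message and says nothing about the ah rule it annotates. It looks like a paste from another test file; replace it with the message the runner actually printed for `--ahres`, so the reason this case is commented out is on record.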
diff --git a/extensions/libxt_addrtype.t b/extensions/libxt_addrtype.t
new file mode 100644
index 00000000..390a63f0
--- /dev/null
+++ b/extensions/libxt_addrtype.t
@@ -0,0 +1,17 @@
+:INPUT,FORWARD,OUTPUT
+-m addrtype;;FAIL
+-m addrtype --src-type wrong;;FAIL
+-m addrtype --src-type UNSPEC;=;OK
+-m addrtype --dst-type UNSPEC;=;OK
+-m addrtype --src-type LOCAL --dst-type LOCAL;=;OK
+-m addrtype --dst-type UNSPEC;=;OK
+-m addrtype --limit-iface-in;;FAIL
+-m addrtype --limit-iface-out;;FAIL
+-m addrtype --limit-iface-in --limit-iface-out;;FAIL
+-m addrtype --src-type LOCAL --limit-iface-in --limit-iface-out;;FAIL
+:INPUT
+-m addrtype --src-type LOCAL --limit-iface-in;=;OK
+-m addrtype --dst-type LOCAL --limit-iface-in;=;OK
+:OUTPUT
+-m addrtype --src-type LOCAL --limit-iface-out;=;OK
+-m addrtype --dst-type LOCAL --limit-iface-out;=;OK
-- 
cgit v1.2.3
From 4e7751a3fc358d379e5da71b40a5802ba629cef8 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 5 Sep 2012 11:48:56 +0200
Subject: extensions: libip6t_LOG: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libip6t_LOG.t | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 extensions/libip6t_LOG.t
diff --git a/extensions/libip6t_LOG.t b/extensions/libip6t_LOG.t
new file mode 100644
index 00000000..fbf5118b
--- /dev/null
+++ b/extensions/libip6t_LOG.t
@@ -0,0 +1,12 @@
+:INPUT,FORWARD,OUTPUT
+-j LOG;-j LOG;OK
+-j LOG --log-prefix "test: ";=;OK
+-j LOG --log-prefix "test: " --log-level 1;=;OK
+# iptables displays the log-level output using the number; not the string
+-j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK
+-j LOG --log-prefix "test: " --log-tcp-sequence;=;OK
+-j LOG --log-prefix "test: " --log-tcp-options;=;OK
+-j LOG --log-prefix "test: " --log-ip-options;=;OK
+-j LOG --log-prefix "test: " --log-uid;=;OK
+-j LOG --log-prefix "test: " --log-level bad;;FAIL
+-j LOG --log-prefix;;FAIL
-- 
cgit v1.2.3
From 501800ebd3668b4a1f1f6762fdcacbbaa929422f Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 5 Sep 2012 11:52:24 +0200
Subject: extensions: libxt_cluster: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_cluster.t | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 extensions/libxt_cluster.t
diff --git a/extensions/libxt_cluster.t b/extensions/libxt_cluster.t
new file mode 100644
index 00000000..ac608244
--- /dev/null
+++ b/extensions/libxt_cluster.t
@@ -0,0 +1,10 @@
+:PREROUTING,FORWARD,POSTROUTING
+*mangle
+-m cluster;;FAIL
+-m cluster --cluster-total-nodes 3;;FAIL
+-m cluster --cluster-total-nodes 2 --cluster-local-node 2;;FAIL
+-m cluster --cluster-total-nodes 2 --cluster-local-node 3 --cluster-hash-seed;;FAIL
+#
+# outputs --cluster-local-nodemask instead of --cluster-local-node
+#
+-m cluster --cluster-total-nodes 2 --cluster-local-node 2 --cluster-hash-seed 0xfeedcafe;-m cluster --cluster-local-nodemask 0x00000002 --cluster-total-nodes 2 --cluster-hash-seed 0xfeedcafe;OK
-- 
cgit v1.2.3
From 521b8f043c662a11b2f479f7df7969c654837165 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 5 Sep 2012 11:56:34 +0200
Subject: extensions: libxt_comment: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_comment.t | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 extensions/libxt_comment.t
diff --git a/extensions/libxt_comment.t b/extensions/libxt_comment.t
new file mode 100644
index 00000000..f12cd668
--- /dev/null
+++ b/extensions/libxt_comment.t
@@ -0,0 +1,12 @@ +:INPUT,FORWARD,OUTPUT +-m comment;;FAIL +-m comment --comment;;FAIL +# +# it fails with 256 characters +# +# should fail: iptables -A INPUT -m comment --comment xxxxxxxxxxxxxxxxx [....] +# -m comment --comment xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL +# +# success with 255 characters +# +-m comment --comment xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK -- cgit v1.2.3 From 48db23425761b52f09791b72774c8193e6739948 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 7 Sep 2012 16:44:28 +0200 Subject: extensions: libxt_AUDIT: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_AUDIT.t | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 extensions/libxt_AUDIT.t diff --git a/extensions/libxt_AUDIT.t b/extensions/libxt_AUDIT.t new file mode 100644 index 00000000..97575b0e --- /dev/null +++ b/extensions/libxt_AUDIT.t @@ -0,0 +1,6 @@ +:INPUT,FORWARD,OUTPUT +-j AUDIT --type accept;=;OK +-j AUDIT --type drop;=;OK +-j AUDIT --type reject;=;OK +-j AUDIT;;FAIL +-j AUDIT --type wrong;;FAIL -- cgit v1.2.3 From cfb111332097ab5284e42294cfee1bc6c25388ae Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 7 Sep 2012 17:27:09 +0200 Subject: extensions: libxt_CHECKSUM: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_CHECKSUM.t | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 extensions/libxt_CHECKSUM.t diff --git a/extensions/libxt_CHECKSUM.t b/extensions/libxt_CHECKSUM.t new file mode 100644 index 00000000..9451ad86 --- /dev/null +++ b/extensions/libxt_CHECKSUM.t 
@@ -0,0 +1,4 @@
+:PREROUTING,FORWARD,POSTROUTING
+*mangle
+-j CHECKSUM --checksum-fill;=;OK
+-j CHECKSUM;;FAIL
-- 
cgit v1.2.3
From f331d969fe38bcbb5cd98a801527008ed951856a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 7 Sep 2012 17:42:59 +0200
Subject: extensions: libxt_CLASSIFY: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_CLASSIFY.t | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 extensions/libxt_CLASSIFY.t
diff --git a/extensions/libxt_CLASSIFY.t b/extensions/libxt_CLASSIFY.t
new file mode 100644
index 00000000..7b3ddbf7
--- /dev/null
+++ b/extensions/libxt_CLASSIFY.t
@@ -0,0 +1,9 @@
+:FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j CLASSIFY --set-class 0000:ffff;=;OK
+# maximum handle accepted by tc is 0xffff
+# ERROR : should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 0000:ffffffff
+# -j CLASSIFY --set-class 0000:ffffffff;;FAIL
+# ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1
+# -j CLASSIFY --set-class 1:-1;;FAIL
+-j CLASSIFY;;FAIL
-- 
cgit v1.2.3
From 4f590b47983424b5a530cb8a161af31f5776fb15 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 7 Sep 2012 17:56:38 +0200
Subject: extensions: libxt_connbytes: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_connbytes.t | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 extensions/libxt_connbytes.t
diff --git a/extensions/libxt_connbytes.t b/extensions/libxt_connbytes.t
new file mode 100644
index 00000000..6b24e266
--- /dev/null
+++ b/extensions/libxt_connbytes.t
@@ -0,0 +1,21 @@
+:INPUT,FORWARD,OUTPUT
+-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir original;=;OK
+-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir reply;=;OK
+-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir both;=;OK
+-m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir original;=;OK
+-m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir reply;=;OK
+-m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir both;=;OK
+-m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir original;=;OK
+-m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir reply;=;OK
+-m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir both;=;OK
+-m connbytes --connbytes -1:0 --connbytes-mode packets --connbytes-dir original;;FAIL
+-m connbytes --connbytes 0:-1 --connbytes-mode packets --connbytes-dir original;;FAIL
+# ERROR: cannot find: iptables -I INPUT -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both
+# -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both;=;OK
+-m connbytes --connbytes 0:18446744073709551616 --connbytes-mode avgpkt --connbytes-dir both;;FAIL
+-m connbytes --connbytes 0:1000 --connbytes-mode wrong --connbytes-dir both;;FAIL
+-m connbytes --connbytes 0:1000 --connbytes-dir original;;FAIL
+-m connbytes --connbytes 0:1000 --connbytes-mode packets;;FAIL
+-m connbytes --connbytes-dir original;;FAIL
+-m connbytes --connbytes 0:1000;;FAIL
+-m connbytes;;FAIL
-- 
cgit v1.2.3
From 5161a50b2d9ff0edcc11ca50da40cecbf7187cef Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sun, 9 Sep 2012 22:42:36 +0200
Subject: extensions: libxt_connlimit: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_connlimit.t | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 extensions/libxt_connlimit.t
diff --git a/extensions/libxt_connlimit.t b/extensions/libxt_connlimit.t
new file mode 100644
index 00000000..c7ea61e9
--- /dev/null
+++ b/extensions/libxt_connlimit.t
@@ -0,0 +1,16 @@
+:INPUT,FORWARD,OUTPUT
+-m connlimit --connlimit-upto 0;=;OK
+-m connlimit --connlimit-upto 4294967295;=;OK
+-m connlimit --connlimit-upto 4294967296;;FAIL
+-m connlimit --connlimit-upto -1;;FAIL
+-m connlimit --connlimit-above 0;=;OK
+-m connlimit --connlimit-above 4294967295;=;OK
+-m connlimit --connlimit-above 4294967296;;FAIL
+-m connlimit --connlimit-above -1;;FAIL
+-m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL
+-m connlimit --connlimit-above 10 --connlimit-saddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;OK
+-m connlimit --connlimit-above 10 --connlimit-daddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;OK
+-m connlimit --connlimit-above 10 --connlimit-saddr --connlimit-daddr;;FAIL
+-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;=;OK
+-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;=;OK
+-m connlimit;;FAIL
-- 
cgit v1.2.3
From 1756c5a912b15cd7be9381b134683112b3ceedba Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 10 Sep 2012 11:31:32 +0200
Subject: extensions: libxt_connmark: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_connmark.t | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 extensions/libxt_connmark.t
diff --git a/extensions/libxt_connmark.t b/extensions/libxt_connmark.t
new file mode 100644
index 00000000..4dd7d9af
--- /dev/null
+++ b/extensions/libxt_connmark.t
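Review bot: In extensions/libxt_connlimit.t the case `-m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL` misspells the second option (`--conlimit-above`), so it presumably fails as an unknown option rather than because `--connlimit-upto` and `--connlimit-above` were combined. As written, the expected FAIL would still be reported if the mutual-exclusion check regressed. The line should read `-m connlimit --connlimit-upto 1 --connlimit-above 1;;FAIL`.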
@@ -0,0 +1,9 @@
+:PREROUTING,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-m connmark --mark 0xffffffff;=;OK
+-m connmark --mark 0xffffffff/0xffffffff;-m connmark --mark 0xffffffff;OK
+-m connmark --mark 0xffffffff/0;=;OK
+-m connmark --mark 0/0xffffffff;-m connmark --mark 0;OK
+-m connmark --mark -1;;FAIL
+-m connmark --mark 0xfffffffff;;FAIL
+-m connmark;;FAIL
-- 
cgit v1.2.3
From 42807456f7621cd883dc18647deafcadda934334 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 10 Sep 2012 11:37:22 +0200
Subject: extensions: libxt_CONNMARK: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_CONNMARK.t | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 extensions/libxt_CONNMARK.t
diff --git a/extensions/libxt_CONNMARK.t b/extensions/libxt_CONNMARK.t
new file mode 100644
index 00000000..79a838fe
--- /dev/null
+++ b/extensions/libxt_CONNMARK.t
@@ -0,0 +1,7 @@
+:PREROUTING,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j CONNMARK --restore-mark;=;OK
+-j CONNMARK --save-mark;=;OK
+-j CONNMARK --save-mark --nfmask 0xfffffff --ctmask 0xffffffff;-j CONNMARK --save-mark;OK
+-j CONNMARK --restore-mark --nfmask 0xfffffff --ctmask 0xffffffff;-j CONNMARK --restore-mark;OK
+-j CONNMARK;;FAIL
-- 
cgit v1.2.3
From fcf9f6f25db11fa1abccb759c202159a56f301e7 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 10 Sep 2012 12:36:55 +0200
Subject: extensions: libxt_hashlimit: add unit test based on tests/options-most.rules
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_hashlimit.t | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 extensions/libxt_hashlimit.t
diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
new file mode 100644
index 00000000..59d66135
--- /dev/null
+++ b/extensions/libxt_hashlimit.t
@@ -0,0 +1,26 @@
+:INPUT,FORWARD,OUTPUT
+-m hashlimit --hashlimit-above 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
+-m hashlimit --hashlimit-above 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
+-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
+-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
+-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-max 2000 --hashlimit-htable-expire 2000;=;OK
+-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-max 2000 --hashlimit-htable-gcinterval 60000 --hashlimit-htable-expire 2000;=;OK
+-m hashlimit --hashlimit-upto 1/sec --hashlimit-name mini1;-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;OK
+-m hashlimit --hashlimit-upto 4kb/s --hashlimit-burst 400kb --hashlimit-name mini5;=;OK
+-m hashlimit --hashlimit-upto 10mb/s --hashlimit-name mini6;=;OK
+-m hashlimit --hashlimit-upto 123456b/s --hashlimit-burst 1mb --hashlimit-name mini7;=;OK
+# should work, it says "iptables v1.4.15: burst cannot be smaller than 96b"
+# ERROR: cannot load: iptables -A INPUT -m hashlimit --hashlimit-upto 96b/s --hashlimit-burst 5 --hashlimit-name mini1
+# -m hashlimit --hashlimit-upto 96b/s --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-name mini1;;FAIL
+-m hashlimit --hashlimit-upto 1/sec;;FAIL
+-m hashlimit;;FAIL
-- 
cgit v1.2.3
From 5e63e896e2f60edeafffcc54d0c5bde3f76641f0 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 10 Sep 2012 12:51:38 +0200
Subject: extensions: libxt_time: add unit test based on tests/options-most.rules
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_time.t | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 extensions/libxt_time.t
diff --git a/extensions/libxt_time.t b/extensions/libxt_time.t
new file mode 100644
index 00000000..673af09b
--- /dev/null
+++ b/extensions/libxt_time.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz;=;OK
+-m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05;=;OK
+-m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00;=;OK
-- 
cgit v1.2.3
From cfe5464f46ebdd0e86181760cc05e4e63faf921c Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 10 Sep 2012 12:54:16 +0200
Subject: extensions: libxt_length: add unit test based on tests/options-most.rules
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_length.t | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 extensions/libxt_length.t
diff --git a/extensions/libxt_length.t b/extensions/libxt_length.t
new file mode 100644
index 00000000..0b6624ee
--- /dev/null
+++ b/extensions/libxt_length.t
@@ -0,0 +1,10 @@
+:INPUT,FORWARD,OUTPUT
+-m length --length 1;=;OK
+-m length --length :2;-m length --length 0:2;OK
+-m length --length 0:3;=;OK
+-m length --length 4:;=;OK
+-m length --length 0:65535;=;OK
+-m length ! --length 0:65535;=;OK
+-m length --length 0:65536;;FAIL
+-m length --length -1:65535;;FAIL
+-m length;;FAIL
-- 
cgit v1.2.3
From 7945c0ddfc47b0f3d4933612d42d871be69232dd Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 12 Sep 2012 12:39:28 +0200
Subject: extensions: libxt_udp: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_udp.t | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 extensions/libxt_udp.t
diff --git a/extensions/libxt_udp.t b/extensions/libxt_udp.t
new file mode 100644
index 00000000..1b4d3dd6
--- /dev/null
+++ b/extensions/libxt_udp.t
@@ -0,0 +1,22 @@
+:INPUT,OUTPUT,FORWARD
+-p udp -m udp --sport 1;=;OK
+-p udp -m udp --sport 65535;=;OK
+-p udp -m udp --dport 1;=;OK
+-p udp -m udp --dport 65535;=;OK
+-p udp -m udp --sport 1:1023;=;OK
+-p udp -m udp --sport 1024:65535;=;OK
+-p udp -m udp --sport 1024:;-p udp -m udp --sport 1024:65535;OK
+-p udp -m udp ! --sport 1;=;OK
+-p udp -m udp ! --sport 65535;=;OK
+-p udp -m udp ! --dport 1;=;OK
+-p udp -m udp ! --dport 65535;=;OK
+-p udp -m udp --sport 1 --dport 65535;=;OK
+-p udp -m udp --sport 65535 --dport 1;=;OK
+-p udp -m udp ! --sport 1 --dport 65535;=;OK
+-p udp -m udp ! --sport 65535 --dport 1;=;OK
+# ERRROR: should fail: iptables -A INPUT -p udp -m udp --sport 65536
+# -p udp -m udp --sport 65536;;FAIL
+-p udp -m udp --sport -1;;FAIL
+-p udp -m udp --dport -1;;FAIL
+# should we accept this below?
+-p udp -m udp;=;OK
-- 
cgit v1.2.3
From 963f438f0ded07a81529a7c261e19404f2b96fa9 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 12 Sep 2012 12:41:47 +0200
Subject: extensions: libxt_tcp: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_tcp.t | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 extensions/libxt_tcp.t
diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t
new file mode 100644
index 00000000..b0e8006e
--- /dev/null
+++ b/extensions/libxt_tcp.t
@@ -0,0 +1,26 @@
+:INPUT,FORWARD,OUTPUT
+-p tcp -m tcp --sport 1;=;OK
+-p tcp -m tcp --sport 65535;=;OK
+-p tcp -m tcp --dport 1;=;OK
+-p tcp -m tcp --dport 65535;=;OK
+-p tcp -m tcp --sport 1:1023;=;OK
+-p tcp -m tcp --sport 1024:65535;=;OK
+-p tcp -m tcp --sport 1024:;-p tcp -m tcp --sport 1024:65535;OK
+-p tcp -m tcp ! --sport 1;=;OK
+-p tcp -m tcp ! --sport 65535;=;OK
+-p tcp -m tcp ! --dport 1;=;OK
+-p tcp -m tcp ! --dport 65535;=;OK
+-p tcp -m tcp --sport 1 --dport 65535;=;OK
+-p tcp -m tcp --sport 65535 --dport 1;=;OK
+-p tcp -m tcp ! --sport 1 --dport 65535;=;OK
+-p tcp -m tcp ! --sport 65535 --dport 1;=;OK
+-p tcp -m tcp --sport 65536;;FAIL
+-p tcp -m tcp --sport -1;;FAIL
+-p tcp -m tcp --dport -1;;FAIL
+-p tcp -m tcp --syn;-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN;OK
+-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN;=;OK
+-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK
+-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK
+-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST;=;OK
+# should we accept this below?
+-p tcp -m tcp;=;OK
-- 
cgit v1.2.3
From d0c2ebe7f8463248edcf5107fd095273a31f29ac Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 12 Sep 2012 12:42:19 +0200
Subject: extensions: libxt_tos: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_tos.t | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 extensions/libxt_tos.t
diff --git a/extensions/libxt_tos.t b/extensions/libxt_tos.t
new file mode 100644
index 00000000..ccbe8009
--- /dev/null
+++ b/extensions/libxt_tos.t
@@ -0,0 +1,13 @@ +:INPUT,FORWARD,OUTPUT +-m tos --tos Minimize-Delay;-m tos --tos 0x10/0x3f;OK +-m tos --tos Maximize-Throughput;-m tos --tos 0x08/0x3f;OK +-m tos --tos Maximize-Reliability;-m tos --tos 0x04/0x3f;OK +-m tos --tos Minimize-Cost;-m tos --tos 0x02/0x3f;OK +-m tos --tos Normal-Service;-m tos --tos 0x00/0x3f;OK +-m tos --tos 0xff;=;OK +-m tos ! --tos 0xff;=;OK +-m tos --tos 0x00;=;OK +-m tos --tos 0x0f;=;OK +-m tos --tos 0x0f/0x0f;=;OK +-m tos --tos wrong;;FAIL +-m tos;;FAIL -- cgit v1.2.3 From 621ded212fad6cb7c38903b6d1c44dc8e8b3830a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 12 Sep 2012 12:59:41 +0200 Subject: extensions: libxt_NFLOG: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_NFLOG.t | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 extensions/libxt_NFLOG.t diff --git a/extensions/libxt_NFLOG.t b/extensions/libxt_NFLOG.t new file mode 100644 index 00000000..f9768aae --- /dev/null +++ b/extensions/libxt_NFLOG.t @@ -0,0 +1,19 @@ +:INPUT,FORWARD,OUTPUT +-j NFLOG --nflog-group 1;=;OK +-j NFLOG --nflog-group 65535;=;OK +-j NFLOG --nflog-group 65536;;FAIL +-j NFLOG --nflog-group 0;-j NFLOG;OK +-j NFLOG --nflog-range 1;=;OK +-j NFLOG --nflog-range 4294967295;=;OK +-j NFLOG --nflog-range 4294967296;;FAIL +-j NFLOG --nflog-range -1;;FAIL +# ERROR: cannot find: iptables -I INPUT -j NFLOG --nflog-prefix xxxxxx [...] +# -j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK +# ERROR: should fail: iptables -A INPUT -j NFLOG --nflog-prefix xxxxxxx [...] +# -j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL +-j NFLOG --nflog-threshold 1;=;OK +# ERROR: line 13 (should fail: iptables -A INPUT -j NFLOG --nflog-threshold 0 +# -j NFLOG --nflog-threshold 0;;FAIL +-j NFLOG --nflog-threshold 65535;=;OK +-j NFLOG --nflog-threshold 65536;;FAIL +-j NFLOG;=;OK -- cgit v1.2.3 
From cb4b82738ec0f45b2df15de0dcb079990ac4cda5 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 12 Sep 2012 18:21:53 +0200 Subject: extensions: libxt_dccp: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_dccp.t | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 extensions/libxt_dccp.t
diff --git a/extensions/libxt_dccp.t b/extensions/libxt_dccp.t
new file mode 100644
index 00000000..f60b480f
--- /dev/null
+++ b/extensions/libxt_dccp.t
@@ -0,0 +1,30 @@
+:INPUT,FORWARD,OUTPUT
+-p dccp -m dccp --sport 1;=;OK
+-p dccp -m dccp --sport 65535;=;OK
+-p dccp -m dccp --dport 1;=;OK
+-p dccp -m dccp --dport 65535;=;OK
+-p dccp -m dccp --sport 1:1023;=;OK
+-p dccp -m dccp --sport 1024:65535;=;OK
+-p dccp -m dccp --sport 1024:;-p dccp -m dccp --sport 1024:65535;OK
+-p dccp -m dccp ! --sport 1;=;OK
+-p dccp -m dccp ! --sport 65535;=;OK
+-p dccp -m dccp ! --dport 1;=;OK
+-p dccp -m dccp ! --dport 65535;=;OK
+-p dccp -m dccp --sport 1 --dport 65535;=;OK
+-p dccp -m dccp --sport 65535 --dport 1;=;OK
+-p dccp -m dccp ! --sport 1 --dport 65535;=;OK
+-p dccp -m dccp ! --sport 65535 --dport 1;=;OK
+# ERROR: should fail: iptables -A INPUT -p dccp -m dccp --sport 65536
+# -p dccp -m dccp --sport 65536;;FAIL
+-p dccp -m dccp --sport -1;;FAIL
+-p dccp -m dccp --dport -1;;FAIL
+-p dccp -m dccp --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,RESET,SYNC,SYNCACK,INVALID;=;OK
+-p dccp -m dccp ! --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,RESET,SYNC,SYNCACK,INVALID;=;OK
+# DCCP option 0 is valid, see http://tools.ietf.org/html/rfc4340#page-29
+# ERROR: cannot load: iptables -A INPUT -p dccp -m dccp --dccp-option 0
+#-p dccp -m dccp --dccp-option 0;=;OK
+-p dccp -m dccp --dccp-option 255;=;OK
+-p dccp -m dccp --dccp-option 256;;FAIL
+-p dccp -m dccp --dccp-option -1;;FAIL
+# should we accept this below?
+-p dccp -m dccp;=;OK
-- cgit v1.2.3
From bfb10d8385240ea46eeb2573e80b96f7964a3f73 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 12 Sep 2012 18:28:33 +0200 Subject: extensions: libxt_esp: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_esp.t | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 extensions/libxt_esp.t
diff --git a/extensions/libxt_esp.t b/extensions/libxt_esp.t
new file mode 100644
index 00000000..008013b9
--- /dev/null
+++ b/extensions/libxt_esp.t
@@ -0,0 +1,9 @@
+:INPUT,FORWARD,OUTPUT
+-p esp -m esp --espspi 0;=;OK
+-p esp -m esp --espspi :32;-p esp -m esp --espspi 0:32;OK
+-p esp -m esp --espspi 0:4294967295;-p esp -m esp;OK
+-p esp -m esp ! --espspi 0:4294967294;=;OK
+-p esp -m esp --espspi -1;;FAIL
+# should fail?
+-p esp -m esp;=;OK
+-m esp;;FAIL
-- cgit v1.2.3 From 07c143bed394f76d4f61c65b1f9ec3cd421c6713 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Sep 2012 15:00:07 +0200 Subject: extensions: libxt_helper: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_helper.t | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 extensions/libxt_helper.t
diff --git a/extensions/libxt_helper.t b/extensions/libxt_helper.t
new file mode 100644
index 00000000..8c8420ac
--- /dev/null
+++ b/extensions/libxt_helper.t
@@ -0,0 +1,6 @@
+:INPUT,FORWARD,OUTPUT
+-m helper --helper ftp;=;OK
+# should be OK?
+# ERROR: should fail: iptables -A INPUT -m helper --helper wrong
+# -m helper --helper wrong;;FAIL
+-m helper;;FAIL
-- cgit v1.2.3 From 49d5b7277c7f212762d4ddfa321c733107c97043 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Sep 2012 15:09:16 +0200 Subject: extensions: libipt_icmp: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_icmp.t | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 extensions/libipt_icmp.t
diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t
new file mode 100644
index 00000000..f4ba65c2
--- /dev/null
+++ b/extensions/libipt_icmp.t
@@ -0,0 +1,15 @@
+:INPUT,FORWARD,OUTPUT
+-p icmp -m icmp --icmp-type any;=;OK
+# output uses the number, better use the name?
+# ERROR: cannot find: iptables -I INPUT -p icmp -m icmp --icmp-type echo-reply
+# -p icmp -m icmp --icmp-type echo-reply;=;OK
+# output uses the number, better use the name?
+# ERROR: annot find: iptables -I INPUT -p icmp -m icmp --icmp-type destination-unreachable
+# -p icmp -m icmp --icmp-type destination-unreachable;=;OK
+# it does not acccept name/name, should we accept this?
+# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable
+# -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable;=;OK
+-m icmp;;FAIL
+# we accept "iptables -I INPUT -p tcp -m tcp", why not this below?
+# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp
+# -p icmp -m icmp;=;OK
-- cgit v1.2.3 From 308645c0b55f1de0423bef5fd61f0fc729aa61d6 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Sep 2012 15:31:52 +0200 Subject: extensions: libxt_NFQUEUE: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_NFQUEUE.t | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 extensions/libxt_NFQUEUE.t
diff --git a/extensions/libxt_NFQUEUE.t b/extensions/libxt_NFQUEUE.t
new file mode 100644
index 00000000..d4e4274b
--- /dev/null
+++ b/extensions/libxt_NFQUEUE.t
@@ -0,0 +1,12 @@
+:INPUT,FORWARD,OUTPUT
+-j NFQUEUE;=;OK
+-j NFQUEUE --queue-num 0;=;OK
+-j NFQUEUE --queue-num 65535;=;OK
+-j NFQUEUE --queue-num 65536;;FAIL
+-j NFQUEUE --queue-num -1;;FAIL
+# it says "NFQUEUE: number of total queues is 0", overflow in NFQUEUE_parse_v1?
+# ERROR: cannot load: iptables -A INPUT -j NFQUEUE --queue-balance 0:65535
+# -j NFQUEUE --queue-balance 0:65535;=;OK
+-j NFQUEUE --queue-balance 0:65536;;FAIL
+-j NFQUEUE --queue-balance -1:65535;;FAIL
+-j NFQUEUE --queue-num 10 --queue-bypass;=;OK
-- cgit v1.2.3
From 4f9d3c5507e2d76b92571f865e8fbc4be809a397 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Sep 2012 15:37:36 +0200 Subject: extensions: libipt_ttl.t: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_ttl.t | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 extensions/libipt_ttl.t
diff --git a/extensions/libipt_ttl.t b/extensions/libipt_ttl.t
new file mode 100644
index 00000000..ebe5b3a2
--- /dev/null
+++ b/extensions/libipt_ttl.t
@@ -0,0 +1,15 @@
+:INPUT,FORWARD,OUTPUT
+-m ttl --ttl-eq 0;=;OK
+-m ttl --ttl-eq 255;=;OK
+-m ttl ! --ttl-eq 0;=;OK
+-m ttl ! --ttl-eq 255;=;OK
+-m ttl --ttl-gt 0;=;OK
+# not possible have anything greater than 255, TTL is 8-bit long
+# ERROR: should fail: iptables -A INPUT -m ttl --ttl-gt 255
+## -m ttl --ttl-gt 255;;FAIL
+# not possible have anything below 0
+# ERROR: should fail: iptables -A INPUT -m ttl --ttl-lt 0
+## -m ttl --ttl-lt 0;;FAIL
+-m ttl --ttl-eq 256;;FAIL
+-m ttl --ttl-eq -1;;FAIL
+-m ttl;;FAIL
-- cgit v1.2.3 From f29f11825da374e2faea68859cc3ec8ec70d49f3 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Sep 2012 15:40:55 +0200 Subject: extensions: libxt_pkttype: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_pkttype.t | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 extensions/libxt_pkttype.t
diff --git a/extensions/libxt_pkttype.t b/extensions/libxt_pkttype.t
new file mode 100644
index 00000000..d93baeaf
--- /dev/null
+++ b/extensions/libxt_pkttype.t
@@ -0,0 +1,6 @@
+:INPUT,FORWARD,OUTPUT
+-m pkttype --pkt-type unicast;=;OK
+-m pkttype --pkt-type broadcast;=;OK
+-m pkttype --pkt-type multicast;=;OK
+-m pkttype --pkt-type wrong;;FAIL
+-m pkttype;;FAIL
-- cgit v1.2.3 From 63cf8a565e5c9746ee5342594773277bc3c23e06 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 17 Sep 2012 18:57:55 +0200 Subject: extensions: libxt_CT: add unit test
Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_CT.t | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 extensions/libxt_CT.t
diff --git a/extensions/libxt_CT.t b/extensions/libxt_CT.t
new file mode 100644
index 00000000..3c28534e
--- /dev/null
+++ b/extensions/libxt_CT.t
@@ -0,0 +1,20 @@
+:PREROUTING,OUTPUT
+*raw
+-j CT --notrack;=;OK
+-j CT --ctevents new,related,destroy,reply,assured,protoinfo,helper,mark;=;OK
+-j CT --expevents new;=;OK
+# ERROR: cannot find: iptables -I PREROUTING -t raw -j CT --zone 0
+# -j CT --zone 0;=;OK
+-j CT --zone 65535;=;OK
+-j CT --zone 65536;;FAIL
+-j CT --zone -1;;FAIL
+# ERROR: should fail: iptables -A PREROUTING -t raw -j CT
+# -j CT;;FAIL
+@nfct timeout add test inet tcp ESTABLISHED 100
+# cannot load: iptables -A PREROUTING -t raw -j CT --timeout test
+# -j CT --timeout test;=;OK
+@nfct timeout del test
+@nfct helper add rpc inet tcp
+# cannot load: iptables -A PREROUTING -t raw -j CT --helper rpc
+# -j CT --helper rpc;=;OK
+@nfct helper del rpc
-- cgit v1.2.3 From f60f7fd755ea55c8955019b283e48ec87291732e Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 17 Sep 2012 19:03:29 +0200 Subject: extensions: libxt_state: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_state.t | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 extensions/libxt_state.t
diff --git a/extensions/libxt_state.t b/extensions/libxt_state.t
new file mode 100644
index 00000000..8e4bce3f
--- /dev/null
+++ b/extensions/libxt_state.t
@@ -0,0 +1,6 @@
+:INPUT,FORWARD,OUTPUT
+-m state --state INVALID;=;OK
+-m state --state NEW,RELATED;=;OK
+-m state --state UNTRACKED;=;OK
+-m state wrong;;FAIL
+-m state;;FAIL
-- cgit v1.2.3 From 5a2a47ce96593c25e8fa15d10e1867baeb317373 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 18 Sep 2012 02:30:26 +0200 Subject: extensions: libxt_string: add unit test
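Review bot: In libxt_state.t the negative case `-m state wrong;;FAIL` omits the `--state` option, so it is most likely rejected as a stray argument and never reaches the state-name parser. To cover an invalid state name the line should read `-m state --state wrong;;FAIL`, matching `-m conntrack --ctstate wrong;;FAIL` in libxt_conntrack.t from the same series.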
Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_string.t | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 extensions/libxt_string.t diff --git a/extensions/libxt_string.t b/extensions/libxt_string.t new file mode 100644 index 00000000..d68f099d --- /dev/null +++ b/extensions/libxt_string.t @@ -0,0 +1,18 @@ +:INPUT,FORWARD,OUTPUT +# ERROR: cannot find: iptables -I INPUT -m string --algo bm --string "test" +# -m string --algo bm --string "test";=;OK +# ERROR: cannot find: iptables -I INPUT -m string --algo kmp --string "test") +# -m string --algo kmp --string "test";=;OK +# ERROR: cannot find: iptables -I INPUT -m string --algo kmp ! --string "test" +# -m string --algo kmp ! --string "test";=;OK +# cannot find: iptables -I INPUT -m string --algo bm --string "xxxxxxxxxxx" ....] +# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK +# ERROR: cannot load: iptables -A INPUT -m string --algo bm --string "xxxx" +# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK +# ERROR: cannot load: iptables -A INPUT -m string --algo bm --hexstring "|0a0a0a0a|" +# -m string --algo bm --hexstring "|0a0a0a0a|";=;OK +# ERROR: cannot find: iptables -I INPUT -m string --algo bm --from 0 --to 65535 --string "test" +# -m string --algo bm --from 0 --to 65535 --string "test";=;OK +-m string --algo wrong;;FAIL +-m string --algo bm;;FAIL +-m string;;FAIL -- cgit v1.2.3 From 1667e7a4efc3d3c6f9d5142414738555e04d0a93 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 10 Sep 2012 12:38:35 +0200 Subject: extensions: libxt_rateest: add unit test based on tests/options-most.rules 
Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_rateest.t | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 extensions/libxt_rateest.t
diff --git a/extensions/libxt_rateest.t b/extensions/libxt_rateest.t
new file mode 100644
index 00000000..c53b4b62
--- /dev/null
+++ b/extensions/libxt_rateest.t
@@ -0,0 +1,16 @@
+:INPUT,FORWARD,OUTPUT
+@iptables -I INPUT -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
+-m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit;=;OK
+-m rateest --rateest RE1 --rateest-eq --rateest-pps 5;=;OK
+-m rateest --rateest RE1 --rateest-gt --rateest-bps 5kbit;-m rateest --rateest RE1 --rateest-gt --rateest-bps 5000bit;OK
+-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit;=;OK
+@iptables -I INPUT -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
+-m rateest --rateest1 RE1 --rateest-lt --rateest-bps --rateest2 RE2;=;OK
+-m rateest --rateest-delta --rateest1 RE1 --rateest-pps1 0 --rateest-lt --rateest-pps2 42 --rateest2 RE2;=;OK
+-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit;=;OK
+-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit;=;OK
+-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9;=;OK
+-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9;=;OK
+-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9;=;OK
+@iptables -D INPUT -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
+@iptables -D INPUT -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-- cgit v1.2.3 From 0cdb4411273d2b35678a464199c019d522148075 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 20 Sep 2012 01:33:43 +0200 Subject: extensions: libxt_nfacct: add unit test
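Review bot: The four `@iptables ...` setup and teardown lines in libxt_rateest.t name the `iptables` binary directly and add RATEEST rules to the INPUT chain, while the runner takes its command from the `IPTABLES` variable in iptables-test.py. If that variable is switched to the commented-out `xtables -4` alternative, the estimators would be created by a different binary than the one under test, and the two `-D` lines only take effect if the file is processed to the end (how `@` lines are executed is not visible here). A header comment would make the side effect explicit: `# needs root: temporarily inserts two RATEEST rules (RE1, RE2) into the live INPUT chain`.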
Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_nfacct.t | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 extensions/libxt_nfacct.t
diff --git a/extensions/libxt_nfacct.t b/extensions/libxt_nfacct.t
new file mode 100644
index 00000000..3419b4ce
--- /dev/null
+++ b/extensions/libxt_nfacct.t
@@ -0,0 +1,10 @@
+:INPUT,FORWARD,OUTPUT
+@nfacct add test
+#
+# extra space in iptables-save output, fix it
+#
+# ERROR: cannot load: iptables -A INPUT -m nfacct --nfacct-name test
+#-m nfacct --nfacct-name test;=;OK
+-m nfacct --nfacct-name wrong;;FAIL
+-m nfacct;;FAIL
+@nfacct del test
-- cgit v1.2.3 From e41aa9e926462727612a0cd380a27d00171d6f35 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 20 Sep 2012 01:40:29 +0200 Subject: extensions: libxt_mark: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_mark.t | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 extensions/libxt_mark.t
diff --git a/extensions/libxt_mark.t b/extensions/libxt_mark.t
new file mode 100644
index 00000000..7c005379
--- /dev/null
+++ b/extensions/libxt_mark.t
@@ -0,0 +1,7 @@
+:INPUT,FORWARD,OUTPUT
+-m mark --mark 0xfeedcafe/0xfeedcafe;=;OK
+-m mark --mark 0;=;OK
+-m mark --mark 4294967295;-m mark --mark 0xffffffff;OK
+-m mark --mark 4294967296;;FAIL
+-m mark --mark -1;;FAIL
+-m mark;;FAIL
-- cgit v1.2.3 From 81932e13aad014b5f6cd2ae100c75e0c65afa19a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 20 Sep 2012 01:43:19 +0200 Subject: extensions: libipt_REJECT: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_REJECT.t | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 extensions/libipt_REJECT.t
diff --git a/extensions/libipt_REJECT.t b/extensions/libipt_REJECT.t
new file mode 100644
index 00000000..5b26b107
--- /dev/null
+++ b/extensions/libipt_REJECT.t
@@ -0,0 +1,9 @@
+:INPUT,FORWARD,OUTPUT
+-j REJECT;=;OK
+-j REJECT --reject-with icmp-net-unreachable;=;OK
+-j REJECT --reject-with icmp-host-unreachable;=;OK
+-j REJECT --reject-with icmp-port-unreachable;=;OK
+-j REJECT --reject-with icmp-proto-unreachable;=;OK
+-j REJECT --reject-with icmp-net-prohibited;=;OK
+-j REJECT --reject-with icmp-host-prohibited;=;OK
+-j REJECT --reject-with icmp-admin-prohibited;=;OK
-- cgit v1.2.3 From 962637186ece954653dd40c66053d67c57c4df4a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Sep 2012 15:31:31 +0200 Subject: extensions: libxt_sctp: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_sctp.t | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 extensions/libxt_sctp.t
diff --git a/extensions/libxt_sctp.t b/extensions/libxt_sctp.t
new file mode 100644
index 00000000..2f75e2a6
--- /dev/null
+++ b/extensions/libxt_sctp.t
@@ -0,0 +1,32 @@
+:INPUT,FORWARD,OUTPUT
+-p sctp -m sctp --sport 1;=;OK
+-p sctp -m sctp --sport 65535;=;OK
+-p sctp -m sctp --sport 1:65535;=;OK
+-p sctp -m sctp --sport -1;;FAIL
+-p sctp -m sctp --sport 65536;;FAIL
+-p sctp -m sctp --dport 1;=;OK
+-p sctp -m sctp --dport 1:65535;=;OK
+-p sctp -m sctp --dport 65535;=;OK
+-p sctp -m sctp --dport -1;;FAIL
+-p sctp -m sctp --dport 65536;;FAIL
+-p sctp -m sctp --chunk-types all DATA;=;OK
+-p sctp -m sctp --chunk-types all INIT;=;OK
+-p sctp -m sctp --chunk-types all INIT_ACK;=;OK
+-p sctp -m sctp --chunk-types all SACK;=;OK
+-p sctp -m sctp --chunk-types all HEARTBEAT;=;OK
+-p sctp -m sctp --chunk-types all HEARTBEAT_ACK;=;OK
+-p sctp -m sctp --chunk-types all ABORT;=;OK
+-p sctp -m sctp --chunk-types all SHUTDOWN;=;OK
+-p sctp -m sctp --chunk-types all SHUTDOWN_ACK;=;OK
+-p sctp -m sctp --chunk-types all ERROR;=;OK
+-p sctp -m sctp --chunk-types all COOKIE_ECHO;=;OK
+-p sctp -m sctp --chunk-types all COOKIE_ACK;=;OK
+-p sctp -m sctp --chunk-types all ECN_ECNE;=;OK
+-p sctp -m sctp --chunk-types all ECN_CWR;=;OK
+# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all ASCONF
+# -p sctp -m sctp --chunk-types all ASCONF;=;OK
+# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all ASCONF_ACK
+# -p sctp -m sctp --chunk-types all ASCONF_ACK;=;OK
+# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all FORWARD_TSN
+# -p sctp -m sctp --chunk-types all FORWARD_TSN;=;OK
+-p sctp -m sctp --chunk-types all SHUTDOWN_COMPLETE;=;OK
-- cgit v1.2.3 From 866b8da190a740564e602c8554d14da208b5d2d9 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Sep 2012 15:56:34 +0200 Subject: extensions: libxt_NOTRACK: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_NOTRACK.t | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 extensions/libxt_NOTRACK.t
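Review bot: The three disabled cases in libxt_sctp.t say that iptables-save segfaults on rules matching chunk types ASCONF, ASCONF_ACK and FORWARD_TSN, and commenting them out leaves a crash in a tool normally run as root recorded only in this file. According to those comments the rule itself is accepted by `iptables -A`, so a ruleset containing one of them apparently cannot be dumped afterwards. I would keep the lines disabled but mark them distinctly from the "cannot find" output mismatches elsewhere in the series, e.g. `# BUG (crash): iptables-save segfaults printing --chunk-types all ASCONF`, and re-enable them once the print path is fixed.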
diff --git a/extensions/libxt_NOTRACK.t b/extensions/libxt_NOTRACK.t
new file mode 100644
index 00000000..585be82d
--- /dev/null
+++ b/extensions/libxt_NOTRACK.t
@@ -0,0 +1,4 @@
+:PREROUTING,OUTPUT
+*raw
+# ERROR: cannot find: iptables -I PREROUTING -t raw -j NOTRACK
+#-j NOTRACK;=;OK
-- cgit v1.2.3 From 9772ecd13b105b0a1806fc64246883a6e390767a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Sep 2012 15:59:36 +0200 Subject: extensions: libipt_MASQUERADE: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_MASQUERADE.t | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 extensions/libipt_MASQUERADE.t
diff --git a/extensions/libipt_MASQUERADE.t b/extensions/libipt_MASQUERADE.t
new file mode 100644
index 00000000..46502040
--- /dev/null
+++ b/extensions/libipt_MASQUERADE.t
@@ -0,0 +1,8 @@
+:POSTROUTING
+*nat
+-j MASQUERADE;=;OK
+-j MASQUERADE --random;=;OK
+-p tcp -j MASQUERADE --to-ports 1024;=;OK
+-p udp -j MASQUERADE --to-ports 1024-65535;=;OK
+-p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
+-p udp -j MASQUERADE --to-ports -1;;FAIL
-- cgit v1.2.3 From 5847cc0c6f073cd3104371e3a962d1d170f58e77 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Sep 2012 18:24:23 +0200 Subject: extensions: libxt_standard: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_standard.t | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 extensions/libxt_standard.t
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
new file mode 100644
index 00000000..923569c3
--- /dev/null
+++ b/extensions/libxt_standard.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-j DROP;=;OK
+-j ACCEPT;=;OK
+-j RETURN;=;OK
-- cgit v1.2.3 From 305639fc5c06acc19ffea4703c7cde428558cef8 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Sep 2012 18:27:32 +0200 Subject: extensions: libipt_ECN: add unit test
Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_ECN.t | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 extensions/libipt_ECN.t
diff --git a/extensions/libipt_ECN.t b/extensions/libipt_ECN.t
new file mode 100644
index 00000000..2e092052
--- /dev/null
+++ b/extensions/libipt_ECN.t
@@ -0,0 +1,5 @@
+:PREROUTING,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j ECN;;FAIL
+-p tcp -j ECN;;FAIL
+-p tcp -j ECN --ecn-tcp-remove;=;OK
-- cgit v1.2.3 From 3ba132d130a541e9465945c5f2e8fb5e9d60d58b Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Sep 2012 18:34:02 +0200 Subject: extensions: libxt_TRACE: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_TRACE.t | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 extensions/libxt_TRACE.t
diff --git a/extensions/libxt_TRACE.t b/extensions/libxt_TRACE.t
new file mode 100644
index 00000000..cadb7330
--- /dev/null
+++ b/extensions/libxt_TRACE.t
@@ -0,0 +1,3 @@
+:PREROUTING,OUTPUT
+*raw
+-j TRACE;=;OK
-- cgit v1.2.3 From 7738b27717716452130eaf7da94f6c193a7a75c8 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 24 Sep 2012 00:50:38 +0200 Subject: extensions: libxt_TOS: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_TOS.t | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 extensions/libxt_TOS.t
diff --git a/extensions/libxt_TOS.t b/extensions/libxt_TOS.t
new file mode 100644
index 00000000..ae8531cc
--- /dev/null
+++ b/extensions/libxt_TOS.t
@@ -0,0 +1,16 @@
+:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j TOS --set-tos 0x1f;=;OK
+-j TOS --set-tos 0x1f/0x1f;=;OK
+# maximum TOS is 0x1f (5 bits)
+# ERROR: should fail: iptables -A PREROUTING -t mangle -j TOS --set-tos 0xff
+# -j TOS --set-tos 0xff;;FAIL
+-j TOS --set-tos Minimize-Delay;-j TOS --set-tos 0x10;OK
+-j TOS --set-tos Maximize-Throughput;-j TOS --set-tos 0x08;OK
+-j TOS --set-tos Maximize-Reliability;-j TOS --set-tos 0x04;OK
+-j TOS --set-tos Minimize-Cost;-j TOS --set-tos 0x02;OK
+-j TOS --set-tos Normal-Service;-j TOS --set-tos 0x00;OK
+-j TOS --and-tos 0x12;-j TOS --set-tos 0x00/0xed;OK
+-j TOS --or-tos 0x12;-j TOS --set-tos 0x12/0x12;OK
+-j TOS --xor-tos 0x12;-j TOS --set-tos 0x12/0x00;OK
+-j TOS;;FAIL
-- cgit v1.2.3 From 96e8db3d4bcfa7a3f53b2cc85776e006b911c7f3 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 24 Sep 2012 15:44:35 +0200 Subject: extensions: libxt_DSCP: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_DSCP.t | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 extensions/libxt_DSCP.t
diff --git a/extensions/libxt_DSCP.t b/extensions/libxt_DSCP.t
new file mode 100644
index 00000000..fcc55986
--- /dev/null
+++ b/extensions/libxt_DSCP.t
@@ -0,0 +1,11 @@
+:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j DSCP --set-dscp 0;=;OK
+-j DSCP --set-dscp 0x3f;=;OK
+-j DSCP --set-dscp -1;;FAIL
+-j DSCP --set-dscp 0x40;;FAIL
+-j DSCP --set-dscp 0x3f --set-dscp-class CS0;;FAIL
+-j DSCP --set-dscp-class CS0;-j DSCP --set-dscp 0x00;OK
+-j DSCP --set-dscp-class BE;-j DSCP --set-dscp 0x00;OK
+-j DSCP --set-dscp-class EF;-j DSCP --set-dscp 0x2e;OK
+-j DSCP;;FAIL
-- cgit v1.2.3 From da486c202bbd6380c13ae6d1de945f6af65c9769 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 24 Sep 2012 15:48:21 +0200 Subject: extensions: libip6t_eui64: add unit test
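Review bot: The comment `# maximum TOS is 0x1f (5 bits)` in libxt_TOS.t conflicts with libxt_tos.t from the same series, which expects `-m tos --tos 0xff;=;OK` and prints the symbolic names with a `0x3f` mask. The IPv4 TOS field is 8 bits wide, so the disabled `-j TOS --set-tos 0xff;;FAIL` case looks like a wrong expectation in the test rather than a missing check in the parser. I would replace the three comment lines with `-j TOS --set-tos 0xff;=;OK` (the saved form may carry a mask and needs checking) and add `-j TOS --set-tos 0x100;;FAIL` for the actual upper bound.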
Signed-off-by: Pablo Neira Ayuso --- extensions/libip6t_eui64.t | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 extensions/libip6t_eui64.t
diff --git a/extensions/libip6t_eui64.t b/extensions/libip6t_eui64.t
new file mode 100644
index 00000000..e5aaaace
--- /dev/null
+++ b/extensions/libip6t_eui64.t
@@ -0,0 +1,8 @@
+:PREROUTING
+*raw
+-m eui64;=;OK
+:INPUT,FORWARD
+*filter
+-m eui64;=;OK
+:OUTPUT
+-m eui64;;FAIL
-- cgit v1.2.3 From d65a6917974ef4e5107ae696c9872096c309864d Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 24 Sep 2012 16:01:38 +0200 Subject: extensions: libxt_limit: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_limit.t | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 extensions/libxt_limit.t
diff --git a/extensions/libxt_limit.t b/extensions/libxt_limit.t
new file mode 100644
index 00000000..b0af6538
--- /dev/null
+++ b/extensions/libxt_limit.t
@@ -0,0 +1,6 @@
+:INPUT,FORWARD,OUTPUT
+-m limit --limit 1/sec;=;OK
+-m limit --limit 1/min;=;OK
+-m limit --limit 1000/hour;=;OK
+-m limit --limit 1000/day;=;OK
+-m limit --limit 1/sec --limit-burst 1;=;OK
-- cgit v1.2.3 From e80fe60adcb65b756f760922441cac3b7d232593 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 26 Sep 2012 17:36:55 +0200 Subject: extensions: libxt_conntrack: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_conntrack.t | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 extensions/libxt_conntrack.t
diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
new file mode 100644
index 00000000..db531475
--- /dev/null
+++ b/extensions/libxt_conntrack.t
@@ -0,0 +1,27 @@
+:INPUT,FORWARD,OUTPUT
+-m conntrack --ctstate NEW;=;OK
+-m conntrack --ctstate NEW,ESTABLISHED;=;OK
+-m conntrack --ctstate NEW,RELATED,ESTABLISHED;=;OK
+-m conntrack --ctstate INVALID;=;OK
+-m conntrack --ctstate UNTRACKED;=;OK
+-m conntrack --ctstate SNAT,DNAT;=;OK
+-m conntrack --ctstate wrong;;FAIL
+# should we convert this to output "tcp" instead of 6?
+-m conntrack --ctproto tcp;-m conntrack --ctproto 6;OK
+-m conntrack --ctorigsrc 1.1.1.1;=;OK
+-m conntrack --ctorigdst 1.1.1.1;=;OK
+-m conntrack --ctreplsrc 1.1.1.1;=;OK
+-m conntrack --ctrepldst 1.1.1.1;=;OK
+-m conntrack --ctexpire 0;=;OK
+-m conntrack --ctexpire 4294967295;=;OK
+-m conntrack --ctexpire 0:4294967295;=;OK
+-m conntrack --ctexpire 42949672956;;FAIL
+-m conntrack --ctexpire -1;;FAIL
+-m conntrack --ctdir ORIGINAL;=;OK
+-m conntrack --ctdir REPLY;=;OK
+-m conntrack --ctstatus NONE;=;OK
+-m conntrack --ctstatus CONFIRMED;=;OK
+-m conntrack --ctstatus ASSURED;=;OK
+-m conntrack --ctstatus EXPECTED;=;OK
+-m conntrack --ctstatus SEEN_REPLY;=;OK
+-m conntrack;;FAIL
-- cgit v1.2.3 From b00ab93206f3c2573d3aa8efa83ee55a14eb7d3d Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 26 Sep 2012 17:46:44 +0200 Subject: extensions: libipt_ULOG: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_ULOG.t | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 extensions/libipt_ULOG.t
diff --git a/extensions/libipt_ULOG.t b/extensions/libipt_ULOG.t
new file mode 100644
index 00000000..97500b00
--- /dev/null
+++ b/extensions/libipt_ULOG.t
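Review bot: In libxt_conntrack.t the upper-bound case uses `--ctexpire 42949672956`, which looks like 4294967295 with a stray digit appended rather than 2^32, so the first value past the accepted maximum `4294967295` is never tested. The other files in this series test the value immediately above the limit (for example `-m mark --mark 4294967296;;FAIL`), and this one should do the same with `-m conntrack --ctexpire 4294967296;;FAIL`.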
@@ -0,0 +1,19 @@ +:INPUT,FORWARD,OUTPUT +-j ULOG --ulog-nlgroup 1;-j ULOG;OK +-j ULOG --ulog-nlgroup 32;=;OK +-j ULOG --ulog-nlgroup 33;;FAIL +-j ULOG --ulog-nlgroup 0;;FAIL +-j ULOG --ulog-cprange 1;=;OK +-j ULOG --ulog-cprange 4294967295;=;OK +# This below outputs 0 in iptables-save +# ERROR: should fail: iptables -A INPUT -j ULOG --ulog-cprange 4294967296 +#-j ULOG --ulog-cprange 4294967296;;FAIL +# supports up to 31 characters +-j ULOG --ulog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK +# ERROR: should fail: iptables -A INPUT -j ULOG --ulog-prefix xxxxxx [...] +#-j ULOG --ulog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL +-j ULOG --ulog-qthreshold 1;-j ULOG;OK +-j ULOG --ulog-qthreshold 0;;FAIL +-j ULOG --ulog-qthreshold 50;=;OK +-j ULOG --ulog-qthreshold 51;;FAIL +-j ULOG;=;OK -- cgit v1.2.3 From 03aaf36d917029a50b93357b0f415ade38cc8148 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 26 Sep 2012 18:24:34 +0200 Subject: extensions: libxt_multiport: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_multiport.t | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 extensions/libxt_multiport.t diff --git a/extensions/libxt_multiport.t b/extensions/libxt_multiport.t new file mode 100644 index 00000000..e9b80a4e --- /dev/null +++ b/extensions/libxt_multiport.t 
@@ -0,0 +1,23 @@
+:INPUT,FORWARD,OUTPUT
+-p tcp -m multiport --sports 53,1024:65535;=;OK
+-p tcp -m multiport --dports 53,1024:65535;=;OK
+-p udp -m multiport --sports 53,1024:65535;=;OK
+-p udp -m multiport --dports 53,1024:65535;=;OK
+-p udp -m multiport --ports 53,1024:65535;=;OK
+-p udp -m multiport --ports 53,1024:65535;=;OK
+-p sctp -m multiport --sports 53,1024:65535;=;OK
+-p sctp -m multiport --dports 53,1024:65535;=;OK
+-p dccp -m multiport --sports 53,1024:65535;=;OK
+-p dccp -m multiport --dports 53,1024:65535;=;OK
+-p udplite -m multiport --sports 53,1024:65535;=;OK
+-p udplite -m multiport --dports 53,1024:65535;=;OK
+-p tcp -m multiport --sports 1024:65536;;FAIL
+-p udp -m multiport --sports 1024:65536;;FAIL
+-p tcp -m multiport --ports 1024:65536;;FAIL
+-p udp -m multiport --ports 1024:65536;;FAIL
+-p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15;=;OK
+# fix manpage, it says "up to 15 ports supported"
+# ERROR: should fail: iptables -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15,16
+# -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15,16;;FAIL
+-p tcp --multiport;;FAIL
+-m multiport;;FAIL
-- cgit v1.2.3 From 6326a9eb445aacf8c5186acc3de0aea7c903a0b7 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 26 Sep 2012 18:29:11 +0200 Subject: extensions: libip6t_REJECT: add unit test Signed-off-by: Pablo Neira Ayuso --- extensions/libip6t_REJECT.t | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 extensions/libip6t_REJECT.t
diff --git a/extensions/libip6t_REJECT.t b/extensions/libip6t_REJECT.t
new file mode 100644
index 00000000..5a389420
--- /dev/null
+++ b/extensions/libip6t_REJECT.t
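Review bot: The port list in libxt_multiport.t skips 5: `1,2,3,4,6,7,8,9,10,11,12,13,14,15` has 14 entries, and the disabled list ending in `16` has 15, which is exactly the documented limit. That would explain why the second list is accepted, so the `# fix manpage` and `# ERROR: should fail` comments probably describe a counting slip in the test rather than a missing bounds check. Using `1,2,3,4,5,6,7,8,9,10,11,12,13,14,15` for the OK case and the same list plus `,16` for an active `;;FAIL` case would test the limit itself. The line `-p udp -m multiport --ports 53,1024:65535;=;OK` also appears twice; one copy was presumably meant to be `-p tcp`.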
@@ -0,0 +1,9 @@
+:INPUT,FORWARD,OUTPUT
+-j REJECT;=;OK
+# manpage for IPv6 variant of REJECT does not show up for some reason?
+-j REJECT --reject-with icmp6-no-route;=;OK
+-j REJECT --reject-with icmp6-adm-prohibited;=;OK
+-j REJECT --reject-with icmp6-addr-unreachable;=;OK
+-j REJECT --reject-with icmp6-port-unreachable;=;OK
+-p tcp -j REJECT --reject-with tcp-reset;=;OK
+-j REJECT --reject-with tcp-reset;;FAIL
-- cgit v1.2.3
From 0daedce412a33543805fce4bc36e0f1a85c1ca89 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 18:31:03 +0200
Subject: extensions: libxt_dscp: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_dscp.t | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 extensions/libxt_dscp.t
diff --git a/extensions/libxt_dscp.t b/extensions/libxt_dscp.t
new file mode 100644
index 00000000..38d7f04e
--- /dev/null
+++ b/extensions/libxt_dscp.t
@@ -0,0 +1,10 @@
+:INPUT,FORWARD,OUTPUT
+-m dscp --dscp 0;=;OK
+-m dscp --dscp 0x3f;=;OK
+-m dscp --dscp -1;;FAIL
+-m dscp --dscp 0x40;;FAIL
+-m dscp --dscp 0x3f --dscp-class CS0;;FAIL
+-m dscp --dscp-class CS0;-m dscp --dscp 0x00;OK
+-m dscp --dscp-class BE;-m dscp --dscp 0x00;OK
+-m dscp --dscp-class EF;-m dscp --dscp 0x2e;OK
+-m dscp;;FAIL
-- cgit v1.2.3
From eb2ca0d302157515ed8d50799be877d740790c6a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 18:34:08 +0200
Subject: extensions: libxt_cpu: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_cpu.t | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 extensions/libxt_cpu.t
diff --git a/extensions/libxt_cpu.t b/extensions/libxt_cpu.t
new file mode 100644
index 00000000..f5adb45d
--- /dev/null
+++ b/extensions/libxt_cpu.t
@@ -0,0 +1,6 @@
+:INPUT,FORWARD,OUTPUT
+-m cpu --cpu 0;=;OK
+-m cpu ! --cpu 0;=;OK
+-m cpu --cpu 4294967295;=;OK
+-m cpu --cpu 4294967296;;FAIL
+-m cpu;;FAIL
-- cgit v1.2.3
From babf6d968fca2b283fd40dd8a0a358883aa9d9ea Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 18:37:45 +0200
Subject: extensions: libxt_quota: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_quota.t | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 extensions/libxt_quota.t
diff --git a/extensions/libxt_quota.t b/extensions/libxt_quota.t
new file mode 100644
index 00000000..76f0ee95
--- /dev/null
+++ b/extensions/libxt_quota.t
@@ -0,0 +1,10 @@
+:INPUT,FORWARD,OUTPUT
+-m quota --quota 0;=;OK
+# iptables-save shows wrong output
+# ERROR: cannot find: iptables -I INPUT -m quota ! --quota 0)
+#-m quota ! --quota 0;=;OK
+-m quota --quota 18446744073709551615;=;OK
+# ERROR: cannot find: iptables -I INPUT -m quota ! --quota 18446744073709551615
+#-m quota ! --quota 18446744073709551615;=;OK
+-m quota --quota 18446744073709551616;;FAIL
+-m quota;;FAIL
-- cgit v1.2.3
From 3b2ae1cf7db6480b8f93ff7edb0799ba8859fd2b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 18:41:39 +0200
Subject: extensions: libxt_iprange: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_iprange.t | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 extensions/libxt_iprange.t
diff --git a/extensions/libxt_iprange.t b/extensions/libxt_iprange.t
new file mode 100644
index 00000000..6fd98be6
--- /dev/null
+++ b/extensions/libxt_iprange.t
@@ -0,0 +1,11 @@
+:INPUT,FORWARD,OUTPUT
+-m iprange --src-range 1.1.1.1-1.1.1.10;=;OK
+-m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK
+-m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK
+-m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK
+# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this?
+# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1
+# -m iprange --src-range 1.1.1.1;;FAIL
+# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1
+#-m iprange --dst-range 1.1.1.1;;FAIL
+-m iprange;;FAIL
-- cgit v1.2.3
From 3aae811bac0a2a2d417c0e56b5fc906103ddb567 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 19:08:28 +0200
Subject: extensions: libxt_physdev: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_physdev.t | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 extensions/libxt_physdev.t
diff --git a/extensions/libxt_physdev.t b/extensions/libxt_physdev.t
new file mode 100644
index 00000000..1fab7e19
--- /dev/null
+++ b/extensions/libxt_physdev.t
@@ -0,0 +1,14 @@
+:INPUT,FORWARD
+-m physdev --physdev-in lo;=;OK
+-m physdev --physdev-is-in --physdev-in lo;=;OK
+:OUTPUT,FORWARD
+# xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
+# ERROR: should fail: iptables -A FORWARD -m physdev --physdev-out lo
+#-m physdev --physdev-out lo;;FAIL
+# ERROR: cannot load: iptables -A OUTPUT -m physdev --physdev-is-out --physdev-out lo
+#-m physdev --physdev-is-out --physdev-out lo;=;OK
+:FORWARD
+-m physdev --physdev-in lo --physdev-is-bridged;=;OK
+:POSTROUTING
+*mangle
+-m physdev --physdev-out lo --physdev-is-bridged;=;OK
-- cgit v1.2.3
From c10fa682b41d0a78e0ec0bc1bd48116650037343 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 18:44:27 +0200
Subject: extensions: libxt_TEE: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_TEE.t | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 extensions/libxt_TEE.t
diff --git a/extensions/libxt_TEE.t b/extensions/libxt_TEE.t
new file mode 100644
index 00000000..ce8b103e
--- /dev/null
+++ b/extensions/libxt_TEE.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-j TEE --gateway 1.1.1.1;=;OK
+-j TEE ! --gateway 1.1.1.1;;FAIL
+-j TEE;;FAIL
-- cgit v1.2.3
From c2881394a5e50f1963f6dff61d492d679201b6c8 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 18:47:58 +0200
Subject: extensions: libipt_SNAT: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libipt_SNAT.t | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 extensions/libipt_SNAT.t
diff --git a/extensions/libipt_SNAT.t b/extensions/libipt_SNAT.t
new file mode 100644
index 00000000..73071bb0
--- /dev/null
+++ b/extensions/libipt_SNAT.t
@@ -0,0 +1,8 @@
+:POSTROUTING
+*nat
+-j SNAT --to-source 1.1.1.1;=;OK
+-j SNAT --to-source 1.1.1.1-1.1.1.10;=;OK
+-p tcp -j SNAT --to-source 1.1.1.1:1025-65535;=;OK
+-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK
+-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL
+-j SNAT;;FAIL
-- cgit v1.2.3
From f62d5770765cff20288cc20c2c087544d37e1cbd Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 18:51:55 +0200
Subject: extensions: libip6t_DNAT: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libipt_DNAT.t | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 extensions/libipt_DNAT.t
diff --git a/extensions/libipt_DNAT.t b/extensions/libipt_DNAT.t
new file mode 100644
index 00000000..e3fd5632
--- /dev/null
+++ b/extensions/libipt_DNAT.t
@@ -0,0 +1,8 @@
+:PREROUTING
+*nat
+-j DNAT --to-destination 1.1.1.1;=;OK
+-j DNAT --to-destination 1.1.1.1-1.1.1.10;=;OK
+-p tcp -j DNAT --to-destination 1.1.1.1:1025-65535;=;OK
+-p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.10:1025-65535;=;OK
+-p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.10:1025-65536;;FAIL
+-j DNAT;;FAIL
-- cgit v1.2.3
From 7b0888152f855676be0203ca303a5284c21ebeac Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 18:56:48 +0200
Subject: extensions: libxt_owner: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_owner.t | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 extensions/libxt_owner.t
diff --git a/extensions/libxt_owner.t b/extensions/libxt_owner.t
new file mode 100644
index 00000000..aec30b65
--- /dev/null
+++ b/extensions/libxt_owner.t
@@ -0,0 +1,12 @@
+:OUTPUT,POSTROUTING
+*mangle
+-m owner --uid-owner root;-m owner --uid-owner 0;OK
+-m owner --uid-owner 0-10;=;OK
+-m owner --gid-owner root;-m owner --gid-owner 0;OK
+-m owner --gid-owner 0-10;=;OK
+-m owner --uid-owner root --gid-owner root;-m owner --uid-owner 0 --gid-owner 0;OK
+-m owner --uid-owner 0-10 --gid-owner 0-10;=;OK
+-m owner ! --uid-owner root;-m owner ! --uid-owner 0;OK
+-m owner --socket-exists;=;OK
+:INPUT
+-m owner --uid-owner root;;FAIL
-- cgit v1.2.3
From 8711de56dfa0edb6e1d6eeff8edd7e21fd941f5e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 26 Sep 2012 19:02:41 +0200
Subject: extensions: libxt_MARK: add unit test
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_MARK.t | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 extensions/libxt_MARK.t
diff --git a/extensions/libxt_MARK.t b/extensions/libxt_MARK.t
new file mode 100644
index 00000000..9d1aa7d7
--- /dev/null
+++ b/extensions/libxt_MARK.t
@@ -0,0 +1,7 @@
+:INPUT,FORWARD,OUTPUT
+-j MARK --set-xmark 0xfeedcafe/0xfeedcafe;=;OK
+-j MARK --set-xmark 0;=;OK
+-j MARK --set-xmark 4294967295;-j MARK --set-xmark 0xffffffff;OK
+-j MARK --set-xmark 4294967296;;FAIL
+-j MARK --set-xmark -1;;FAIL
+-j MARK;;FAIL
-- cgit v1.2.3
From 4b187eeed49dc507d38438affabe90d36847412d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 4 Dec 2013 13:28:00 +0100
Subject: build: don't include tests in released tarball
Do not include all our .t test files in releases. Skip iptables-tests.py script as well.
Signed-off-by: Pablo Neira Ayuso
---
 Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index c38d3600..275ebc35 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,7 +21,7 @@ tarball:
 rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
 pushd ${top_srcdir} && git archive --prefix=${PACKAGE_TARNAME}-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
 pushd /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
- tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/;
+ tar --exclude=*.t --exclude=iptables-test.py -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/;
 rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
 config.status: extensions/GNUmakefile.in \
-- cgit v1.2.3
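Review bot: The new `--exclude=*.t` pattern on the `tar` line is unquoted and unanchored, so the shell may try to expand it before tar sees it, and tar will drop every path ending in `.t` anywhere in the tree, not only the extension test files. Quoting keeps the pattern literal: `tar --exclude='*.t' --exclude=iptables-test.py -C /tmp -cjf ...`. Since this recipe produces the released artifact, it is also worth noting that the unchanged context lines stage it in a fixed, predictable directory under `/tmp`, which another local user on a shared build host could pre-create or populate between the `rm -Rf` and the final `tar`; a `mktemp -d` staging directory would avoid that. The `tarball` rule starts above the hunk.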