From 2ce9f65a374bad212899bc584d3e5f4698df6fc6 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sat, 4 Aug 2018 13:10:19 +0200
Subject: xtables: Match verbose ip{,6}tables output with legacy

Legacy ip{,6}tables prints feedback for various commands if in verbose mode, make sure nft variants do the same. There is one difference, namely when checking a rule (-C command): Legacy ip{,6}tables print the rule in any case, nft variants don't in case the rule wasn't found. Changing this though would require to populate the nftnl_rule object just for printing, which is probably not feasible.
Signed-off-by: Phil Sutter
Signed-off-by: Florian Westphal
---
.../testcases/ip6tables/0002-verbose-output_0 | 51 ++++++++++++++++++++++
.../shell/testcases/iptables/0002-verbose-output_0 | 51 ++++++++++++++++++++++
2 files changed, 102 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
create mode 100755 iptables/tests/shell/testcases/iptables/0002-verbose-output_0
(limited to 'iptables/tests/shell/testcases')
diff --git a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
new file mode 100755
index 00000000..7b0e6468
--- /dev/null
+++ b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+#set -x
+
+# ensure verbose output is identical between legacy and nft tools
+
+RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT'
+VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2'
+RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT'
+VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5'
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2)
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2)
+
+EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2
+ 0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5
+
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -n -L)
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -D FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -D FORWARD $RULE2)
+
+EXPECT="Flushing chain \`INPUT'
+Flushing chain \`FORWARD'
+Flushing chain \`OUTPUT'"
+
+diff -u <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -F)
+
+EXPECT="Zeroing chain \`INPUT'
+Zeroing chain \`FORWARD'
+Zeroing chain \`OUTPUT'"
+
+diff -u <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -Z)
+
+diff -u <(echo "Flushing chain \`OUTPUT'") <($XT_MULTI ip6tables -v -F OUTPUT)
+diff -u <(echo "Zeroing chain \`OUTPUT'") <($XT_MULTI ip6tables -v -Z OUTPUT)
+
+$XT_MULTI ip6tables -N foo
+diff -u <(echo "Deleting chain \`foo'") <($XT_MULTI ip6tables -v -X foo)
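Review bot: Nothing after `set -e` checks that `XT_MULTI` is set, so with an empty value every `$XT_MULTI ip6tables …` line runs whichever `ip6tables` is first in PATH against the live ruleset, including the table-wide `-F` and `-Z`. Whether the test runner always exports the variable and isolates the run in its own network namespace is not visible in this patch. A guard such as `: "${XT_MULTI:?must point at the xtables multi binary under test}"` directly below `set -e` would make the script fail closed instead of testing, and flushing, the wrong thing. The identical iptables/0002-verbose-output_0 script in this commit needs the same line.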
diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
new file mode 100755
index 00000000..2e805953
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+#set -x
+
+# ensure verbose output is identical between legacy and nft tools
+
+RULE1='-i eth2 -o eth3 -s 10.0.0.1 -d 10.0.0.2 -j ACCEPT'
+VOUT1='ACCEPT all opt -- in eth2 out eth3 10.0.0.1 -> 10.0.0.2'
+RULE2='-i eth2 -o eth3 -s 10.0.0.4 -d 10.0.0.5 -j ACCEPT'
+VOUT2='ACCEPT all opt -- in eth2 out eth3 10.0.0.4 -> 10.0.0.5'
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI iptables -v -A FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI iptables -v -I FORWARD 2 $RULE2)
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI iptables -v -C FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI iptables -v -C FORWARD $RULE2)
+
+EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 0 0 ACCEPT all -- eth2 eth3 10.0.0.1 10.0.0.2
+ 0 0 ACCEPT all -- eth2 eth3 10.0.0.4 10.0.0.5
+
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -n -L)
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI iptables -v -D FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI iptables -v -D FORWARD $RULE2)
+
+EXPECT="Flushing chain \`INPUT'
+Flushing chain \`FORWARD'
+Flushing chain \`OUTPUT'"
+
+diff -u <(echo -e "$EXPECT") <($XT_MULTI iptables -v -F)
+
+EXPECT="Zeroing chain \`INPUT'
+Zeroing chain \`FORWARD'
+Zeroing chain \`OUTPUT'"
+
+diff -u <(echo -e "$EXPECT") <($XT_MULTI iptables -v -Z)
+
+diff -u <(echo "Flushing chain \`OUTPUT'") <($XT_MULTI iptables -v -F OUTPUT)
+diff -u <(echo "Zeroing chain \`OUTPUT'") <($XT_MULTI iptables -v -Z OUTPUT)
+
+$XT_MULTI iptables -N foo
+diff -u <(echo "Deleting chain \`foo'") <($XT_MULTI iptables -v -X foo)
--
cgit v1.2.3
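Review bot: The two `-C` checks cannot fail for a missing rule on the legacy binary, because `set -e` does not see the exit status of a command inside `<(…)` and, per the commit message, legacy prints the rule whether or not it was found. Capturing the output first keeps the status in play: `out=$($XT_MULTI iptables -v -C FORWARD $RULE1)` followed by `diff -u -Z <(echo "$VOUT1") <(echo "$out")`. The same gap affects the other process-substitution lines here and in the ip6tables copy of the script, where a command that prints the expected text but exits non-zero still passes.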