From b14c971db6db069fbfd2a892c617de8d8bf26733 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 5 May 2023 20:18:38 +0200
Subject: tests: Test compat mode
Extend iptables-test.py by a third mode, which is using xtables-nft-multi and passing --compat to all calls creating rules. Also add a shell testcase asserting the effectiveness of --compat by comparing debug (-vv) output.
Signed-off-by: Phil Sutter
---
 .../shell/testcases/nft-only/0011-compat-mode_0 | 63 ++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100755 iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
(limited to 'iptables/tests/shell/testcases')
diff --git a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
new file mode 100755
index 00000000..c8cee8ae
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+set -e
+
+# reduce noise in debug output
+$XT_MULTI iptables -t raw -A OUTPUT
+$XT_MULTI iptables -t raw -F
+
+# add all the things which were "optimized" here
+RULE='-t raw -A OUTPUT'
+
+# prefix matches on class (actually: byte) boundaries no longer need a bitwise
+RULE+=' -s 10.0.0.0/8 -d 192.168.0.0/16'
+
+# these were turned into native matches meanwhile
+# (plus -m tcp, but it conflicts with -m udp)
+RULE+=' -m limit --limit 1/min'
+RULE+=' -p udp -m udp --sport 1024:65535'
+RULE+=' -m mark --mark 0xfeedcafe/0xfeedcafe'
+RULE+=' -j TRACE'
+
+EXPECT_COMMON='TRACE udp opt -- in * out * 10.0.0.0/8 -> 192.168.0.0/16 limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
+ip raw OUTPUT'
+
+EXPECT="$EXPECT_COMMON
+ [ payload load 1b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0000a8c0 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ limit rate 1/minute burst 5 type packets flags 0x0 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range eq reg 1 0x00000004 0x0000ffff ]
+ [ meta load mark => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0xfeedcafe ]
+ [ counter pkts 0 bytes 0 ]
+ [ immediate reg 9 0x00000001 ]
+ [ meta set nftrace with reg 9 ]
+"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -vv $RULE)
+
+EXPECT="$EXPECT_COMMON
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000a8c0 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ match name limit rev 0 ]
+ [ match name udp rev 0 ]
+ [ match name mark rev 1 ]
+ [ counter pkts 0 bytes 0 ]
+ [ target name TRACE rev 0 ]
+"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables --compat -vv $RULE)
-- cgit v1.2.3
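Review bot: `$RULE` is expanded unquoted on both `diff` lines so that the shell word-splits it back into separate arguments; that works for the fixed values used here but it is the fragile form (ShellCheck SC2086), and a bash array carries the same arguments without depending on word splitting or on `IFS`. On the same two lines `echo -e "$EXPECT"` enables backslash-escape processing that the expected text never uses, so `printf '%s\n' "$EXPECT"` is the equivalent that will not silently alter a future expectation containing a backslash. The script also leaves both TRACE rules in the raw OUTPUT chain when it exits; presumably the test runner gives each case a throwaway network namespace, but a one-line comment stating that assumption would spare the next reader the question, e.g. `# no cleanup: the runner is expected to provide a fresh netns`. The rewritten lines are below; the comments, EXPECT_COMMON and both EXPECT blocks stay as they are.
```shell
# add all the things which were "optimized" here
RULE=(-t raw -A OUTPUT)
# … unchanged: comment on prefix matches …
RULE+=(-s 10.0.0.0/8 -d 192.168.0.0/16)
# … unchanged: comments on native matches …
RULE+=(-m limit --limit 1/min)
RULE+=(-p udp -m udp --sport 1024:65535)
RULE+=(-m mark --mark 0xfeedcafe/0xfeedcafe)
RULE+=(-j TRACE)
# … unchanged: EXPECT_COMMON and the first EXPECT …
diff -u -Z <(printf '%s\n' "$EXPECT") <($XT_MULTI iptables -vv "${RULE[@]}")
# … unchanged: the second EXPECT …
diff -u -Z <(printf '%s\n' "$EXPECT") <($XT_MULTI iptables --compat -vv "${RULE[@]}")
```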