From ed9cfe1b4852647be7faa9d5262d315707a0a0c6 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Tue, 26 Jun 2018 23:16:22 +0200 Subject: tests: add initial save/restore test cases Add script to restore ipt-save files and compare it with save output. This should be extended to cover as many rulesets as possible, so this is only a start. The test script is changed to pass XT_MULTI instead of iptables/ip6tables. This allows ip(6)tables/ebt/arp only test scripts and avoids running all scripts multiple times for ip/ip6tables. Current expected output: I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1 I: [OK] ./iptables/tests/shell/testcases/chain/000newchain_0 I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1 I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 I: legacy results: [OK] 10 [FAILED] 0 [TOTAL] 10 I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1 I: [OK] ./iptables/tests/shell/testcases/chain/0004newchain_0 I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1 I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 I: nft results: [OK] 10 [FAILED] 0 [TOTAL] 10 I: combined results: [OK] 20 [FAILED] 0 [TOTAL] 20 
Signed-off-by: Florian Westphal
---
 .../tests/shell/testcases/chain/0001duplicate_1 | 7 ++-
 .../tests/shell/testcases/chain/0004newchain_0 | 9 +++
 iptables/tests/shell/testcases/chain/0004rename_0 | 6 --
 iptables/tests/shell/testcases/chain/0005rename_1 | 10 +++-
 .../shell/testcases/ipt-save/0001load-dumps_0 | 52 ++++++++++++++++
 .../testcases/ipt-save/dumps/ipt-save-filter.txt | 69 ++++++++++++++++++++++
 .../shell/testcases/ipt-save/dumps/policy-drop.txt | 8 +++
 7 files changed, 150 insertions(+), 11 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/chain/0004newchain_0
 delete mode 100755 iptables/tests/shell/testcases/chain/0004rename_0
 create mode 100755 iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
 create mode 100644 iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt
 create mode 100644 iptables/tests/shell/testcases/ipt-save/dumps/policy-drop.txt
(limited to 'iptables/tests/shell/testcases')

diff --git a/iptables/tests/shell/testcases/chain/0001duplicate_1 b/iptables/tests/shell/testcases/chain/0001duplicate_1
index e88f82ad..80ebb119 100755
--- a/iptables/tests/shell/testcases/chain/0001duplicate_1
+++ b/iptables/tests/shell/testcases/chain/0001duplicate_1
@@ -2,8 +2,11 @@
 set -x
-$IPTABLES -t filter -N c1
-$IPTABLES -t filter -N c1 || exit 1
+$XT_MULTI iptables -t filter -N c1 || exit 0
+$XT_MULTI iptables -t filter -N c1 || exit 1
+
+$XT_MULTI ip6tables -t filter -N c1 || exit 0
+$XT_MULTI ip6tables -t filter -N c1 || exit 1
 echo "E: Duplicate chains" >&2
 exit 0
diff --git a/iptables/tests/shell/testcases/chain/0004newchain_0 b/iptables/tests/shell/testcases/chain/0004newchain_0
new file mode 100755
index 00000000..b1a76637
--- /dev/null
+++ b/iptables/tests/shell/testcases/chain/0004newchain_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+$XTABLES_MULTI iptables -N c1
+$XTABLES_MULTI ip6tables -N c1
+
+$XTABLES_MULTI iptables -N c2
+$XTABLES_MULTI ip6tables -N c2
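Review bot: The ip6tables half of the new body is unreachable when the test passes: `$XT_MULTI iptables -t filter -N c1 || exit 1` exits on exactly the rejection the test expects, so the ip6tables duplicate check only ever runs when iptables already misbehaved. 0005rename_1 in this same patch has the same shape, where `-E c1 c2 || exit 1` ends the script before the ip6tables rename is attempted. Treat an accepted duplicate as the failing case instead, fall through to the ip6tables check, and end the script with `exit 1` so that both families must reject the duplicate for the expected return code to be produced.
```shell
set -x

$XT_MULTI iptables -t filter -N c1 || exit 0
$XT_MULTI ip6tables -t filter -N c1 || exit 0

# either family accepting the duplicate is a test failure (expected rc is 1)
if $XT_MULTI iptables -t filter -N c1 || $XT_MULTI ip6tables -t filter -N c1; then
	echo "E: Duplicate chains" >&2
	exit 0
fi
exit 1
```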
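Review bot: `$XTABLES_MULTI` in this new script does not match the `$XT_MULTI` that the commit message describes and that 0001duplicate_1 and 0001load-dumps_0 use; 0005rename_1 uses `$XTABLES_MULTI` as well. The runner that exports the variable is not part of this patch, but whichever spelling it does not set expands to an empty word, and `iptables -N c1` then resolves to whatever iptables is on PATH, so the script would exercise the host's installed binary and live ruleset rather than the build under test, with `set -e` none the wiser because that command succeeds. Aligning the name and failing fast with `: "${XT_MULTI:?not set}"` at the top of each script would make the mistake visible instead of silent.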
diff --git a/iptables/tests/shell/testcases/chain/0004rename_0 b/iptables/tests/shell/testcases/chain/0004rename_0
deleted file mode 100755
index a85369a5..00000000
--- a/iptables/tests/shell/testcases/chain/0004rename_0
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-set -e
-
-$IPTABLES -N c1
-$IPTABLES -E c1 c2
diff --git a/iptables/tests/shell/testcases/chain/0005rename_1 b/iptables/tests/shell/testcases/chain/0005rename_1
index f2f6e55a..3ccdc033 100755
--- a/iptables/tests/shell/testcases/chain/0005rename_1
+++ b/iptables/tests/shell/testcases/chain/0005rename_1
@@ -1,8 +1,12 @@
 #!/bin/bash
-$IPTABLES -N c1 || exit 0
-$IPTABLES -N c2 || exit 0
-$IPTABLES -E c1 c2 || exit 1
+$XTABLES_MULTI iptables -N c1 || exit 0
+$XTABLES_MULTI iptables -N c2 || exit 0
+$XTABLES_MULTI iptables -E c1 c2 || exit 1
+
+$XTABLES_MULTI ip6tables -N c1 || exit 0
+$XTABLES_MULTI ip6tables -N c2 || exit 0
+$XTABLES_MULTI ip6tables -E c1 c2 || exit 1
 echo "E: Renamed with existing chain" >&2
 exit 0
diff --git a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
new file mode 100755
index 00000000..acbc7b73
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+RET=0
+tmpfile=""
+set -x
+
+
+clean_tmpfile()
+{
+ if [ ! -z "$tmpfile" ];then
+ rm -f "$tmpfile"
+ fi
+}
+
+trap clean_tmpfile EXIT
+
+do_diff()
+{
+ A="$1"
+ B="$2"
+
+ AT=$(mktemp)
+ grep -v "^#" "$A" > "$AT"
+
+ diff -u "$AT" "$B"
+
+ x=$?
+ rm -f "$AT"
+ echo "Return $x for $XT_MULTI $A"
+
+ return $x
+}
+
+tmpfile=$(mktemp) || exit 1
+do_simple()
+{
+ iptables="$1"
+ dumpfile="$2"
+
+ $XT_MULTI ${iptables}-restore < "$dumpfile"
+ $XT_MULTI ${iptables}-save | grep -v "^#" > "$tmpfile"
+ do_diff $dumpfile "$tmpfile"
+ if [ $? -ne 0 ]; then
+ # cp "$tmpfile" "$dumpfile.got"
+ RET=1
+ fi
+}
+
+do_simple "iptables" $(dirname "$0")/dumps/ipt-save-filter.txt
+do_simple "iptables" $(dirname "$0")/dumps/policy-drop.txt
+
+exit $RET
diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt b/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt
new file mode 100644
index 00000000..bfb6bdda
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt
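Review bot: In `do_simple` the exit status of `$XT_MULTI ${iptables}-restore < "$dumpfile"` is discarded, so a dump that fails to load is reported only indirectly, as a diff between the dump and whatever ruleset was already in the kernel (the first dump, once the second call runs); `$XT_MULTI ${iptables}-restore < "$dumpfile" || { echo "E: restore of $dumpfile failed" >&2; RET=1; return; }` names the real failure and skips the misleading diff. `do_diff $dumpfile "$tmpfile"` and the two `$(dirname "$0")/dumps/...` arguments are unquoted, and `A`, `B`, `AT`, `x`, `iptables` and `dumpfile` are globals where `local` was presumably intended. Both dumps also install a DROP policy on INPUT, FORWARD and OUTPUT of the filter table; the runner is not in this patch, so unless it already enters a fresh network namespace, a header comment stating that the script replaces the live filter table (or an `unshare -n` guard) would spare whoever runs the suite on a workstation.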
@@ -0,0 +1,69 @@ +# Generated by iptables-save v1.2.4 on Mon Mar 17 19:59:10 2003 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:WLAN - [0:0] +:accept_log - [0:0] +:block - [0:0] +:in_icmp - [0:0] +:in_trusted - [0:0] +:reject_log - [0:0] +:wlanout - [0:0] +-A INPUT -i wlan0 -j WLAN +-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT +-A INPUT -i ppp0 -p icmp -m limit --limit 1/sec -j in_icmp +-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j in_trusted +-A INPUT -j block +-A FORWARD -d 192.168.100.77/32 -i ppp0 -p udp -m udp --dport 4166 -j ACCEPT +-A FORWARD -d 192.168.100.77/32 -i ppp0 -p tcp -m tcp --dport 4180 -j ACCEPT +-A FORWARD -d 192.168.100.77/32 -i ppp0 -p tcp -m tcp --dport 4162 -j ACCEPT +-A FORWARD -d 192.168.100.77/32 -i ppp0 -p tcp -m tcp --dport 20376 -j ACCEPT +-A FORWARD -d 192.168.100.2/32 -i ppp0 -p tcp -m tcp --dport 10209 -j ACCEPT +-A FORWARD -d 192.168.100.2/32 -i ppp0 -p tcp -m tcp --dport 881 -j ACCEPT +-A FORWARD ! -s 192.168.0.0/24 -i eth2 -p icmp -j DROP +-A FORWARD ! -s 192.168.0.0/24 -i eth2 -p udp -j DROP +-A FORWARD ! -s 192.168.0.0/24 -i eth2 -p tcp -j DROP +-A FORWARD ! -s 192.168.100.0/24 -i eth1 -p icmp -j DROP +-A FORWARD ! -s 192.168.100.0/24 -i eth1 -p udp -j DROP +-A FORWARD ! 
-s 192.168.100.0/24 -i eth1 -p tcp -j DROP +-A FORWARD -o ppp0 -p udp -m udp --sport 137:139 -j DROP +-A FORWARD -o ppp0 -p udp -m udp --sport 445 -j DROP +-A FORWARD -o ppp0 -p tcp -m tcp --sport 137:139 -j DROP +-A FORWARD -o ppp0 -p tcp -m tcp --sport 445 -j DROP +-A FORWARD -i ppp0 -p udp -m udp --dport 137:139 -j DROP +-A FORWARD -i ppp0 -p udp -m udp --dport 445 -j DROP +-A FORWARD -i ppp0 -p tcp -m tcp --dport 137:139 -j DROP +-A FORWARD -i ppp0 -p tcp -m tcp --dport 445 -j DROP +-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +-A FORWARD -j block +-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT +-A OUTPUT -o wlan0 -j wlanout +-A OUTPUT -j block +-A WLAN -s 192.168.200.4/32 -m mac --mac-source 00:00:F1:05:A0:E0 -j RETURN +-A WLAN -s 192.168.200.9/32 -m mac --mac-source 00:00:F1:05:99:85 -j RETURN +-A WLAN -m limit --limit 12/min -j LOG --log-prefix "UNKNOWN WLAN dropped:" +-A WLAN -j DROP +-A accept_log -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "TCPConnect on ppp0:" +-A accept_log -i ppp0 ! -p tcp -m limit --limit 1/sec -j LOG --log-prefix "Accepted Datagram on ppp0:" +-A accept_log -j ACCEPT +-A block -m state --state RELATED,ESTABLISHED -j ACCEPT +-A block ! 
-i ppp0 -m state --state NEW -j ACCEPT +-A block -p tcp -j reject_log +-A block -p udp -j reject_log +-A in_icmp -p icmp -m icmp --icmp-type 8 -j ACCEPT +-A in_icmp -p icmp -m icmp --icmp-type 4 -j ACCEPT +-A in_icmp -p icmp -m icmp --icmp-type 1 -j ACCEPT +-A in_icmp -p icmp -m icmp --icmp-type 3 -j ACCEPT +-A in_icmp -p icmp -m icmp --icmp-type 11 -j ACCEPT +-A in_icmp -p icmp -m icmp --icmp-type 12 -j ACCEPT +-A in_trusted -s 10.230.173.148/32 -j ACCEPT +-A in_trusted -s 10.230.173.151/32 -j ACCEPT +-A reject_log -i ppp0 -p tcp -m tcp --dport 22:80 --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "RejectTCPConnectReq on ppp0:" +-A reject_log -p tcp -j REJECT --reject-with tcp-reset +-A reject_log -p udp -j REJECT --reject-with icmp-port-unreachable +-A wlanout -d 192.168.200.4/32 -j RETURN +-A wlanout -d 192.168.200.9/32 -j RETURN +-A wlanout -j DROP +COMMIT +# Completed on Mon Mar 17 19:59:10 2003 diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/policy-drop.txt b/iptables/tests/shell/testcases/ipt-save/dumps/policy-drop.txt new file mode 100644 index 00000000..7522231c --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-save/dumps/policy-drop.txt @@ -0,0 +1,8 @@ +# Generated by xtables-save v1.6.2 on Tue Jun 26 22:28:41 2018 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +-A OUTPUT -j ACCEPT +COMMIT +# Completed on Tue Jun 26 22:28:41 2018 -- cgit v1.2.3