path: root/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0
blob: a7fae41df0e7434a4a3cb3461e9248845ced3b88 (plain)
#!/bin/bash

# Probe for the nft binary; clean() only calls nft when this is "true".
# The probe runs before errexit is enabled, so a missing nft is not fatal.
if nft -v > /dev/null; then
	have_nft=true
else
	have_nft=false
fi

# Temp-file paths stay empty until mktemp has run, so the EXIT handler
# (clean_tempfile) can tell whether there is anything to delete.
tmpfile=""
dumpfile=""

# From here on, any unchecked failing command aborts the test.
set -o errexit

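# Reset firewall state between test phases.
# Globals:  XT_MULTI (read)  - multi-call binary under test; expanded
#                              unquoted on purpose so it may carry arguments
#           have_nft (read)  - "true" when the nft binary was found
# Returns:  0 on success; status of the failing command otherwise.
#
# NOTE(review): "nft flush ruleset" drops the complete nftables ruleset
# visible to this process, not only what this test created. Presumably the
# test harness runs this script in a throwaway network namespace; confirm
# before running it on a host whose firewall matters.
clean()
{
	$XT_MULTI iptables -t filter -F
	$XT_MULTI iptables -t filter -X
	# An "&&" list here would make clean() return 1 whenever nft is missing,
	# and under "set -e" that aborts the caller. Use "if" so the function
	# reports success when there is simply nothing more to flush.
	if $have_nft; then
		nft flush ruleset
	fi
}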

# EXIT handler: delete whichever temp files were created, then reset the
# firewall state via clean().
# Globals: tmpfile, dumpfile (read) - empty until mktemp has assigned them
clean_tempfile()
{
	local path

	for path in "${tmpfile}" "${dumpfile}"; do
		# Skip paths that were never assigned; "rm -f ''" is pointless.
		if [ -n "${path}" ]; then
			rm -f "${path}"
		fi
	done
	clean
}

# Run the cleanup handler however the script terminates, including an
# abort triggered by "set -e".
trap 'clean_tempfile' EXIT

# Randomise the ruleset shape on every run, both values in 0..9:
#   ENTRY_NUM  - highest rule index generated per protocol
#   UCHAIN_NUM - highest user-chain index (0 means no user chains at all)
ENTRY_NUM=$(( RANDOM % 10 ))
UCHAIN_NUM=$(( RANDOM % 10 ))

# Print a rule target on stdout, without a trailing newline.
# Globals: UCHAIN_NUM (read), x (written)
# Output:  "ACCEPT", or "UC-<hex>" naming a user chain with an index below
#          UCHAIN_NUM.
get_target()
{
	# No user chains exist, so ACCEPT is the only target that can be used.
	[ $UCHAIN_NUM -eq 0 ] && { echo -n "ACCEPT"; return; }

	# Coin flip between the built-in target and a jump to a user chain.
	x=$((RANDOM%2))
	case $x in
	0)
		echo -n "ACCEPT"
		;;
	*)
		printf -- "UC-%x" $((RANDOM%UCHAIN_NUM))
		;;
	esac
}

# Emit one table in iptables-restore format on stdout.
# Arguments: $1 - table name, defaults to "filter"
# Globals:   UCHAIN_NUM, ENTRY_NUM (read); i, t, proto (written)
# Output:    table header, built-in chain policies, user chains UC-0 up to
#            UC-<UCHAIN_NUM> when UCHAIN_NUM > 0, then for each of tcp/udp/sctp
#            and each index 0..ENTRY_NUM one INPUT, FORWARD and OUTPUT rule on
#            port 61000-index, plus one ACCEPT rule in a random user chain,
#            and a closing COMMIT.
make_dummy_rules()
{
	# Helper variables only; i, t and proto are left global as before.
	local port match

	printf '%s\n' \
		"*${1:-filter}" \
		":INPUT ACCEPT [0:0]" \
		":FORWARD ACCEPT [0:0]" \
		":OUTPUT ACCEPT [0:0]"

	# The guard matters: "seq 0 0" would still declare a UC-0 chain.
	if [ $UCHAIN_NUM -gt 0 ]; then
		for i in $(seq 0 $UCHAIN_NUM); do
			printf -- ":UC-%x - [0:0]\n" $i
		done
	fi

	for proto in tcp udp sctp; do
		for i in $(seq 0 $ENTRY_NUM); do
			port=$((61000-i))
			# One rule per built-in chain, each with its own random target.
			for match in "INPUT -i lo" "FORWARD -i lo -o lo" "OUTPUT -o lo"; do
				t=$(get_target)
				printf -- "-A %s -p %s --dport %d -j %s\n" "$match" "$proto" $port $t
			done
			if [ $UCHAIN_NUM -gt 0 ]; then
				printf -- "-A UC-%x -j ACCEPT\n" $((RANDOM%UCHAIN_NUM))
			fi
		done
	done
	echo COMMIT
}

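# Scratch files: dumpfile holds the reference ruleset, tmpfile the ruleset
# saved after each round of concurrent restores. Paths are quoted below so
# a TMPDIR containing whitespace does not break the redirections.
tmpfile=$(mktemp) || exit 1
dumpfile=$(mktemp) || exit 1

# Generate a random filter + security ruleset and load it once, without
# contention. $XT_MULTI is expanded unquoted on purpose so it may carry
# arguments.
(make_dummy_rules; make_dummy_rules security) > "$dumpfile"
$XT_MULTI iptables-restore -w < "$dumpfile"
LINES1=$(wc -l < "$dumpfile")
# Replace the generated input with what the kernel reports back, minus the
# "#" comment lines of iptables-save. This becomes the reference for cmp.
$XT_MULTI iptables-save | grep -v '^#' > "$dumpfile"
LINES2=$(wc -l < "$dumpfile")

# Sanity check: every generated line must have survived the round trip.
if [ "$LINES1" -ne "$LINES2" ]; then
	echo "Original dump has $LINES1, not $LINES2" 1>&2
	exit 111
fi

# The nft variant repeats the race a random 1..10 times, all others once.
case "$XT_MULTI" in
*xtables-nft-multi)
	attempts=$((RANDOM%10 + 1))
	;;
*)
	attempts=1
	;;
esac

while [ "$attempts" -gt 0 ]; do
	attempts=$((attempts-1))

	clean

	# Start ten restores of the same dump at once; -w 15 lets each one wait
	# up to 15 seconds for the lock instead of failing immediately.
	pids=()
	for i in $(seq 1 10); do
		$XT_MULTI iptables-restore -w 15 < "$dumpfile" &
		pids+=($!)
	done

	# Wait on the recorded PIDs rather than on job numbers %1..%10, which
	# silently assume an empty job table. A failed restore makes wait return
	# non-zero, and "set -e" then aborts the test.
	for pid in "${pids[@]}"; do
		wait "$pid"
	done

	$XT_MULTI iptables-save | grep -v '^#' > "$tmpfile"

	clean
	# The ruleset left behind by the racing restores must be byte-identical
	# to the reference: no lost, duplicated or interleaved rules.
	cmp "$tmpfile" "$dumpfile"
done

exit 0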