From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 2/2] network/iptables: add new test for iptables-translate and nft
Date: Thu, 28 Nov 2019 11:46:03 +0100 [thread overview]
Message-ID: <20191128104603.GA3216@dell5510> (raw)
In-Reply-To: <20191126115344.15926-2-alexey.kodanev@oracle.com>
Hi Alexey,
> * Reuse the test-cases from iptables_tests by moving them
> into iptables_lib.sh.
> * create nft rules with iptables-translate.
> Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Thanks for your patch.
Rewrite is ok, I'd just also drop dots from messages.
Also, the redirection to tst_iptables.out in cleanup() is pointless;
maybe we could just change it to:
cleanup()
{
	# Only flush and unload when the ip_tables module is actually loaded.
	if lsmod | grep -q "ip_tables"; then
		NFRUN -F -t filter > /dev/null 2>&1
		NFRUN -F -t nat > /dev/null 2>&1
		NFRUN -F -t mangle > /dev/null 2>&1
		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
			iptable_mangle iptable_nat ip_conntrack \
			iptable_filter ip_tables nf_nat_ipv4 nf_nat \
			nf_log_ipv4 nf_log_common nf_reject_ipv4 \
			nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
			> /dev/null 2>&1
	fi
}
For further work on iptables tests: I wonder if nc is more commonly installed in
distros than telnet (if so, I'd be for using it).
But for nft01.sh I got an error:
nft01 1 TINFO: INIT: Flushing all rules.
nft01 1 TCONF: nft not applicable for test 1
nft01 2 TINFO: Use nft to DROP packets from particular IP
nft01 2 TINFO: Rule to block icmp from 127.0.0.1
nft01 2 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip protocol icmp ip saddr 127.0.0.1 counter drop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft01 3 TINFO: Use nft to REJECT ping request.
nft01 3 TINFO: Rule to reject ping request.
nft01 3 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip daddr 127.0.0.1 icmp type echo-request counter reject
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft01 4 TINFO: Use nft to log packets to particular port.
nft01 4 TINFO: Rule to log tcp packets to particular port.
nft01 4 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip daddr 127.0.0.1 tcp dport 45886 counter log prefix "1128114107:"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft01 5 TINFO: Use nft to log packets to multiple ports.
nft01 5 TINFO: Rule to log tcp packets to port 45801 - 45803.
nft01 5 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip daddr 127.0.0.1 tcp dport 45801-45803 counter log prefix "1128114107:"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft01 6 TINFO: Use nft to log ping request with limited rate.
nft01 6 TINFO: Rule to log ping request.
nft01 6 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip daddr 127.0.0.1 icmp type echo-request limit rate 3/hour burst 5 packets counter log prefix "1128114107:"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Tested on openSUSE Tumbleweed (5.3.8-1-default, nftables v0.9.2 (Scram),
iptables v1.8.3 (legacy)) and Debian unstable (5.2.0-rc3+, nftables v0.9.0
(Fearless Fosdick), iptables v1.8.2 (nf_tables)). Am I missing something, or do
I have the wrong version?
Kind regards,
Petr
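An added example, not part of Petr's mail or of the LTP test: nft answers "No such file or directory" when the table or chain named in "add rule" does not exist yet, which matches the failures above, since iptables-translate only emits the rules and not the table and base chain they belong to. The script below wraps such translated rule lines into an idempotent nft -f ruleset that declares both before the rules. The helper names, and the choice of table "filter", chain "INPUT" and hook "input", are this example's own assumptions; the sample input is constructed from the rules in the log above.

```shell
#!/bin/sh
# Added example, not LTP or Petr's code: build an nft -f ruleset from
# iptables-translate output so the table and base chain the rules refer to
# exist before "add rule" runs. Helper names, and the choice of table
# "filter", chain "INPUT" and hook "input", are this example's assumptions.

# strip_add_rule TABLE CHAIN
#   Reads "nft add rule ip TABLE CHAIN <body>" lines on stdin (the form
#   iptables-translate prints; a leading "nft " is optional) and prints
#   only <body>, one rule per line.
strip_add_rule()
{
	sed -n "s/^\(nft \)\{0,1\}add rule ip $1 $2 //p"
}

# nft_ruleset TABLE CHAIN HOOK
#   Reads rule bodies on stdin and prints an idempotent nft -f script:
#   "table ip T {}" creates the table when absent and is a no-op otherwise,
#   so the flush that follows cannot fail with ENOENT; the chain is then
#   declared as a base chain so the rules actually see traffic on HOOK.
nft_ruleset()
{
	table=$1 chain=$2 hook=$3
	printf 'table ip %s {}\n' "$table"
	printf 'flush table ip %s\n' "$table"
	printf 'table ip %s {\n\tchain %s {\n' "$table" "$chain"
	printf '\t\ttype filter hook %s priority 0; policy accept;\n' "$hook"
	while IFS= read -r rule; do
		if [ -n "$rule" ]; then
			printf '\t\t%s\n' "$rule"
		fi
	done
	printf '\t}\n}\n'
}

# rule_count
#   Counts the rule lines in a generated ruleset read on stdin (the lines
#   indented two tabs that are not the chain type declaration).
rule_count()
{
	awk '/^\t\t/ && $0 !~ /^\t\ttype filter hook/ { n++ } END { print n + 0 }'
}

# sample_translated
#   Constructed sample: three of the rules nft01 tried to add in the log
#   above, in the form iptables-translate prints them.
sample_translated()
{
	cat <<'EOF'
nft add rule ip filter INPUT ip protocol icmp ip saddr 127.0.0.1 counter drop
nft add rule ip filter INPUT ip daddr 127.0.0.1 icmp type echo-request counter reject
nft add rule ip filter INPUT ip daddr 127.0.0.1 tcp dport 45886 counter log prefix "1128114107:"
EOF
}

# demo
#   Prints the complete ruleset. Pipe it into "nft -c -f -" to syntax-check
#   it without touching the kernel, or into "nft -f -" as root to load it.
demo()
{
	sample_translated | strip_add_rule filter INPUT | nft_ruleset filter INPUT input
}

demo
```

Loading the generated script with nft -f replaces the whole table atomically, so re-running the test does not accumulate duplicate rules, and cleanup can be a single "nft delete table ip filter" guarded by "nft list table ip filter >/dev/null 2>&1" to avoid the same ENOENT on a host where the table never came into existence.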
Thread overview (6+ messages):
2019-11-26 11:53 [LTP] [PATCH 1/2] network/iptables: reduce ping timeouts (Alexey Kodanev)
2019-11-26 11:53 ` [LTP] [PATCH 2/2] network/iptables: add new test for iptables-translate and nft (Alexey Kodanev)
2019-11-28 10:46   ` Petr Vorel [this message]
2019-11-28 13:23     ` Alexey Kodanev
2019-11-28 15:34       ` Petr Vorel
2019-11-27 17:57 ` [LTP] [PATCH 1/2] network/iptables: reduce ping timeouts (Petr Vorel)