* iptables: add more test cases and minor bug fixes
@ 2015-02-19 13:11 Florian Westphal
2015-02-19 13:11 ` [PATCH 1/7] extensions: remove MIRROR Florian Westphal
` (8 more replies)
0 siblings, 9 replies; 16+ messages in thread
From: Florian Westphal @ 2015-02-19 13:11 UTC (permalink / raw)
To: netfilter-devel
Will push to master soon if there are no objections.
iptables-test.py should now be complete enough to replace the old
iptables-save format "test" files, so I'm going to remove the tests/
directory as well.
All tests pass on current nf.git tree (minus ULOG since that's no longer
supported).
Cheers,
Florian
* [PATCH 1/7] extensions: remove MIRROR
From: Florian Westphal @ 2015-02-19 13:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
removed from the kernel back in 2003.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libipt_MIRROR.c | 15 ---------------
extensions/libipt_MIRROR.man | 12 ------------
2 files changed, 27 deletions(-)
delete mode 100644 extensions/libipt_MIRROR.c
delete mode 100644 extensions/libipt_MIRROR.man
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
deleted file mode 100644
index fb78751..0000000
--- a/extensions/libipt_MIRROR.c
+++ /dev/null
@@ -1,15 +0,0 @@
-/* Shared library add-on to iptables to add MIRROR target support. */
-#include <xtables.h>
-
-static struct xtables_target mirror_tg_reg = {
- .name = "MIRROR",
- .version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
-};
-
-void _init(void)
-{
- xtables_register_target(&mirror_tg_reg);
-}
diff --git a/extensions/libipt_MIRROR.man b/extensions/libipt_MIRROR.man
deleted file mode 100644
index 7b720bc..0000000
--- a/extensions/libipt_MIRROR.man
+++ /dev/null
@@ -1,12 +0,0 @@
-This is an experimental demonstration target which inverts the source
-and destination fields in the IP header and retransmits the packet.
-It is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains, and user-defined chains which are only called from those
-chains. Note that the outgoing packets are
-.B NOT
-seen by any packet filtering chains, connection tracking or NAT, to
-avoid loops and other problems.
--
2.0.5
* [PATCH 2/7] extensions: remove SAME target
From: Florian Westphal @ 2015-02-19 13:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
removed from the kernel December 2007.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libipt_SAME.c | 186 --------------------------------
extensions/libipt_SAME.man | 17 ---
include/linux/netfilter_ipv4/ipt_SAME.h | 20 ----
3 files changed, 223 deletions(-)
delete mode 100644 extensions/libipt_SAME.c
delete mode 100644 extensions/libipt_SAME.man
delete mode 100644 include/linux/netfilter_ipv4/ipt_SAME.h
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
deleted file mode 100644
index 5d5bf63..0000000
--- a/extensions/libipt_SAME.c
+++ /dev/null
@@ -1,186 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <xtables.h>
-#include <linux/netfilter/nf_nat.h>
-#include <linux/netfilter_ipv4/ipt_SAME.h>
-
-enum {
- O_TO_ADDR = 0,
- O_NODST,
- O_RANDOM,
- F_TO_ADDR = 1 << O_TO_ADDR,
- F_RANDOM = 1 << O_RANDOM,
-};
-
-static void SAME_help(void)
-{
- printf(
-"SAME target options:\n"
-" --to <ipaddr>-<ipaddr>\n"
-" Addresses to map source to.\n"
-" May be specified more than\n"
-" once for multiple ranges.\n"
-" --nodst\n"
-" Don't use destination-ip in\n"
-" source selection\n"
-" --random\n"
-" Randomize source port\n");
-}
-
-static const struct xt_option_entry SAME_opts[] = {
- {.name = "to", .id = O_TO_ADDR, .type = XTTYPE_STRING,
- .flags = XTOPT_MAND},
- {.name = "nodst", .id = O_NODST, .type = XTTYPE_NONE},
- {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
- XTOPT_TABLEEND,
-};
-
-/* Parses range of IPs */
-static void parse_to(const char *orig_arg, struct nf_nat_ipv4_range *range)
-{
- char *dash, *arg;
- const struct in_addr *ip;
-
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
- range->flags |= NF_NAT_RANGE_MAP_IPS;
- dash = strchr(arg, '-');
-
- if (dash)
- *dash = '\0';
-
- ip = xtables_numeric_to_ipaddr(arg);
- if (!ip)
- xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
- arg);
- range->min_ip = ip->s_addr;
-
- if (dash) {
- ip = xtables_numeric_to_ipaddr(dash+1);
- if (!ip)
- xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
- dash+1);
- }
- range->max_ip = ip->s_addr;
- if (dash)
- if (range->min_ip > range->max_ip)
- xtables_error(PARAMETER_PROBLEM, "Bad IP range \"%s-%s\"\n",
- arg, dash+1);
- free(arg);
-}
-
-static void SAME_parse(struct xt_option_call *cb)
-{
- struct ipt_same_info *mr = cb->data;
- unsigned int count;
-
- xtables_option_parse(cb);
- switch (cb->entry->id) {
- case O_TO_ADDR:
- if (mr->rangesize == IPT_SAME_MAX_RANGE)
- xtables_error(PARAMETER_PROBLEM,
- "Too many ranges specified, maximum "
- "is %i ranges.\n",
- IPT_SAME_MAX_RANGE);
- parse_to(cb->arg, &mr->range[mr->rangesize]);
- mr->rangesize++;
- break;
- case O_NODST:
- mr->info |= IPT_SAME_NODST;
- break;
- case O_RANDOM:
- for (count=0; count < mr->rangesize; count++)
- mr->range[count].flags |= NF_NAT_RANGE_PROTO_RANDOM;
- break;
- }
-}
-
-static void SAME_fcheck(struct xt_fcheck_call *cb)
-{
- static const unsigned int f = F_TO_ADDR | F_RANDOM;
- struct ipt_same_info *mr = cb->data;
- unsigned int count;
-
- if ((cb->xflags & f) == f)
- for (count = 0; count < mr->rangesize; ++count)
- mr->range[count].flags |= NF_NAT_RANGE_PROTO_RANDOM;
-}
-
-static void SAME_print(const void *ip, const struct xt_entry_target *target,
- int numeric)
-{
- unsigned int count;
- const struct ipt_same_info *mr = (const void *)target->data;
- int random_selection = 0;
-
- printf(" same:");
-
- for (count = 0; count < mr->rangesize; count++) {
- const struct nf_nat_ipv4_range *r = &mr->range[count];
- struct in_addr a;
-
- a.s_addr = r->min_ip;
-
- printf("%s", xtables_ipaddr_to_numeric(&a));
- a.s_addr = r->max_ip;
-
- if (r->min_ip != r->max_ip)
- printf("-%s", xtables_ipaddr_to_numeric(&a));
- if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
- random_selection = 1;
- }
-
- if (mr->info & IPT_SAME_NODST)
- printf(" nodst");
-
- if (random_selection)
- printf(" random");
-}
-
-static void SAME_save(const void *ip, const struct xt_entry_target *target)
-{
- unsigned int count;
- const struct ipt_same_info *mr = (const void *)target->data;
- int random_selection = 0;
-
- for (count = 0; count < mr->rangesize; count++) {
- const struct nf_nat_ipv4_range *r = &mr->range[count];
- struct in_addr a;
-
- a.s_addr = r->min_ip;
- printf(" --to %s", xtables_ipaddr_to_numeric(&a));
- a.s_addr = r->max_ip;
-
- if (r->min_ip != r->max_ip)
- printf("-%s", xtables_ipaddr_to_numeric(&a));
- if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
- random_selection = 1;
- }
-
- if (mr->info & IPT_SAME_NODST)
- printf(" --nodst");
-
- if (random_selection)
- printf(" --random");
-}
-
-static struct xtables_target same_tg_reg = {
- .name = "SAME",
- .version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_same_info)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_same_info)),
- .help = SAME_help,
- .x6_parse = SAME_parse,
- .x6_fcheck = SAME_fcheck,
- .print = SAME_print,
- .save = SAME_save,
- .x6_options = SAME_opts,
-};
-
-void _init(void)
-{
- xtables_register_target(&same_tg_reg);
-}
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
deleted file mode 100644
index a99dc73..0000000
--- a/extensions/libipt_SAME.man
+++ /dev/null
@@ -1,17 +0,0 @@
-Similar to SNAT/DNAT depending on chain: it takes a range of addresses
-(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same
-source-/destination-address for each connection.
-.PP
-N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target.
-.TP
-\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP]
-Addresses to map source to. May be specified more than once for
-multiple ranges.
-.TP
-\fB\-\-nodst\fP
-Don't use the destination-ip in the calculations when selecting the
-new source-ip
-.TP
-\fB\-\-random\fP
-Port mapping will be forcibly randomized to avoid attacks based on
-port prediction (kernel >= 2.6.21).
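Review bot: The man page deleted here is the only place that says what replaces SAME ("The DNAT target's --persistent option replaced the SAME target"), while the commit message gives only the kernel removal date. Consider carrying that pointer into the commit message, so that anyone who lands on this commit after a ruleset using -j SAME stops loading can see the --persistent replacement.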
diff --git a/include/linux/netfilter_ipv4/ipt_SAME.h b/include/linux/netfilter_ipv4/ipt_SAME.h
deleted file mode 100644
index a855167..0000000
--- a/include/linux/netfilter_ipv4/ipt_SAME.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef _IPT_SAME_H
-#define _IPT_SAME_H
-
-#include <linux/types.h>
-
-#define IPT_SAME_MAX_RANGE 10
-
-#define IPT_SAME_NODST 0x01
-
-struct ipt_same_info {
- unsigned char info;
- __u32 rangesize;
- __u32 ipnum;
- __u32 *iparray;
-
- /* hangs off end. */
- struct nf_nat_ipv4_range range[IPT_SAME_MAX_RANGE];
-};
-
-#endif /*_IPT_SAME_H*/
--
2.0.5
* [PATCH 3/7] extensions: remove 'unclean' match
From: Florian Westphal @ 2015-02-19 13:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
removed from kernel in 2003.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libipt_unclean.c | 15 ---------------
extensions/libipt_unclean.man | 2 --
2 files changed, 17 deletions(-)
delete mode 100644 extensions/libipt_unclean.c
delete mode 100644 extensions/libipt_unclean.man
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
deleted file mode 100644
index bc4a4a0..0000000
--- a/extensions/libipt_unclean.c
+++ /dev/null
@@ -1,15 +0,0 @@
-/* Shared library add-on to iptables for unclean. */
-#include <xtables.h>
-
-static struct xtables_match unclean_mt_reg = {
- .name = "unclean",
- .version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
-};
-
-void _init(void)
-{
- xtables_register_match(&unclean_mt_reg);
-}
diff --git a/extensions/libipt_unclean.man b/extensions/libipt_unclean.man
deleted file mode 100644
index 3fecd55..0000000
--- a/extensions/libipt_unclean.man
+++ /dev/null
@@ -1,2 +0,0 @@
-This module takes no options, but attempts to match packets which seem
-malformed or unusual. This is regarded as experimental.
--
2.0.5
* [PATCH 4/7] extensions: add more test cases for iptables-test.py
From: Florian Westphal @ 2015-02-19 13:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Instead of using iptables-save-formatted files in the tests/ dir,
let's use the iptables-test.py framework for all matches/targets.
This obsoletes tests/ completely, will be removed in followup patch.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libip6t_DNAT.t | 8 ++++++++
extensions/libip6t_DNPT.t | 6 ++++++
extensions/libip6t_HL.t | 10 ++++++++++
extensions/libip6t_MASQUERADE.t | 8 ++++++++
extensions/libip6t_NETMAP.t | 4 ++++
extensions/libip6t_REDIRECT.t | 6 ++++++
extensions/libip6t_SNAT.t | 8 ++++++++
extensions/libip6t_SNPT.t | 6 ++++++
extensions/libip6t_dst.t | 4 ++++
extensions/libip6t_frag.t | 11 +++++++++++
extensions/libip6t_hbh.t | 5 +++++
extensions/libip6t_hl.t | 8 ++++++++
extensions/libip6t_icmp6.t | 6 ++++++
extensions/libip6t_ipv6header.t | 4 ++++
extensions/libip6t_mh.t | 6 ++++++
extensions/libip6t_rt.t | 4 ++++
extensions/libipt_NETMAP.t | 4 ++++
extensions/libipt_REDIRECT.t | 6 ++++++
extensions/libipt_TTL.t | 10 ++++++++++
extensions/libipt_realm.t | 4 ++++
extensions/libxt_CONNSECMARK.t | 5 +++++
extensions/libxt_HMARK.t | 8 ++++++++
extensions/libxt_IDLETIMER.t | 4 ++++
extensions/libxt_LED.t | 4 ++++
extensions/libxt_RATEEST.t | 2 ++
extensions/libxt_SET.t | 3 +++
extensions/libxt_SYNPROXY.t | 3 +++
extensions/libxt_TCPMSS.t | 6 ++++++
extensions/libxt_TCPOPTSTRIP.t | 8 ++++++++
extensions/libxt_TPROXY.t | 5 +++++
extensions/libxt_bpf.t | 2 ++
extensions/libxt_ecn.t | 5 +++++
extensions/libxt_mac.t | 5 +++++
extensions/libxt_osf.t | 4 ++++
extensions/libxt_policy.t | 5 +++++
extensions/libxt_recent.t | 7 +++++++
extensions/libxt_rpfilter.t | 4 ++++
extensions/libxt_set.t | 4 ++++
extensions/libxt_socket.t | 4 ++++
extensions/libxt_statistic.t | 8 ++++++++
extensions/libxt_tcpmss.t | 5 +++++
extensions/libxt_u32.t | 2 ++
42 files changed, 231 insertions(+)
create mode 100644 extensions/libip6t_DNAT.t
create mode 100644 extensions/libip6t_DNPT.t
create mode 100644 extensions/libip6t_HL.t
create mode 100644 extensions/libip6t_MASQUERADE.t
create mode 100644 extensions/libip6t_NETMAP.t
create mode 100644 extensions/libip6t_REDIRECT.t
create mode 100644 extensions/libip6t_SNAT.t
create mode 100644 extensions/libip6t_SNPT.t
create mode 100644 extensions/libip6t_dst.t
create mode 100644 extensions/libip6t_frag.t
create mode 100644 extensions/libip6t_hbh.t
create mode 100644 extensions/libip6t_hl.t
create mode 100644 extensions/libip6t_icmp6.t
create mode 100644 extensions/libip6t_ipv6header.t
create mode 100644 extensions/libip6t_mh.t
create mode 100644 extensions/libip6t_rt.t
create mode 100644 extensions/libipt_NETMAP.t
create mode 100644 extensions/libipt_REDIRECT.t
create mode 100644 extensions/libipt_TTL.t
create mode 100644 extensions/libipt_realm.t
create mode 100644 extensions/libxt_CONNSECMARK.t
create mode 100644 extensions/libxt_HMARK.t
create mode 100644 extensions/libxt_IDLETIMER.t
create mode 100644 extensions/libxt_LED.t
create mode 100644 extensions/libxt_RATEEST.t
create mode 100644 extensions/libxt_SET.t
create mode 100644 extensions/libxt_SYNPROXY.t
create mode 100644 extensions/libxt_TCPMSS.t
create mode 100644 extensions/libxt_TCPOPTSTRIP.t
create mode 100644 extensions/libxt_TPROXY.t
create mode 100644 extensions/libxt_bpf.t
create mode 100644 extensions/libxt_ecn.t
create mode 100644 extensions/libxt_mac.t
create mode 100644 extensions/libxt_osf.t
create mode 100644 extensions/libxt_policy.t
create mode 100644 extensions/libxt_recent.t
create mode 100644 extensions/libxt_rpfilter.t
create mode 100644 extensions/libxt_set.t
create mode 100644 extensions/libxt_socket.t
create mode 100644 extensions/libxt_statistic.t
create mode 100644 extensions/libxt_tcpmss.t
create mode 100644 extensions/libxt_u32.t
diff --git a/extensions/libip6t_DNAT.t b/extensions/libip6t_DNAT.t
new file mode 100644
index 0000000..3141c29
--- /dev/null
+++ b/extensions/libip6t_DNAT.t
@@ -0,0 +1,8 @@
+:PREROUTING
+*nat
+-j DNAT --to-destination dead::beef;=;OK
+-j DNAT --to-destination dead::beef-dead::fee7;=;OK
+-p tcp -j DNAT --to-destination [dead::beef]:1025-65535;=;OK
+-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65535;=;OK
+-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65536;;FAIL
+-j DNAT;;FAIL
diff --git a/extensions/libip6t_DNPT.t b/extensions/libip6t_DNPT.t
new file mode 100644
index 0000000..25ec935
--- /dev/null
+++ b/extensions/libip6t_DNPT.t
@@ -0,0 +1,6 @@
+:PREROUTING
+*mangle
+-j DNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL
+-j DNPT --src-pfx dead::/64;;FAIL
+-j DNPT --dst-pfx dead::/64;;FAIL
+-j DNPT;;FAIL
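Review bot: All four cases in libip6t_DNPT.t expect FAIL, so nothing here checks that a valid rule is accepted or that its save output round-trips. Add an `;=;OK` case with both --src-pfx and --dst-pfx given as prefixes, or, if such a case cannot pass until the save/print fix in 5/7 (whose diffstat adds one line to this file), say so in a `#` comment. The same applies to libip6t_SNPT.t.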
diff --git a/extensions/libip6t_HL.t b/extensions/libip6t_HL.t
new file mode 100644
index 0000000..4e529f8
--- /dev/null
+++ b/extensions/libip6t_HL.t
@@ -0,0 +1,10 @@
+:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j HL --hl-set 42;=;OK
+-j HL --hl-inc 1;=;OK
+-j HL --hl-dec 1;=;OK
+-j HL --hl-set 256;;FAIL
+-j HL --hl-inc 0;;FAIL
+-j HL --hl-dec 0;;FAIL
+-j HL --hl-dec 1 --hl-inc 1;;FAIL
+-j HL --hl-set --hl-inc 1;;FAIL
diff --git a/extensions/libip6t_MASQUERADE.t b/extensions/libip6t_MASQUERADE.t
new file mode 100644
index 0000000..4650204
--- /dev/null
+++ b/extensions/libip6t_MASQUERADE.t
@@ -0,0 +1,8 @@
+:POSTROUTING
+*nat
+-j MASQUERADE;=;OK
+-j MASQUERADE --random;=;OK
+-p tcp -j MASQUERADE --to-ports 1024;=;OK
+-p udp -j MASQUERADE --to-ports 1024-65535;=;OK
+-p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
+-p udp -j MASQUERADE --to-ports -1;;FAIL
diff --git a/extensions/libip6t_NETMAP.t b/extensions/libip6t_NETMAP.t
new file mode 100644
index 0000000..043562d
--- /dev/null
+++ b/extensions/libip6t_NETMAP.t
@@ -0,0 +1,4 @@
+:PREROUTING,INPUT,OUTPUT,POSTROUTING
+*nat
+-j NETMAP --to dead::/64;=;OK
+-j NETMAP --to dead::beef;=;OK
diff --git a/extensions/libip6t_REDIRECT.t b/extensions/libip6t_REDIRECT.t
new file mode 100644
index 0000000..a0fb0ed
--- /dev/null
+++ b/extensions/libip6t_REDIRECT.t
@@ -0,0 +1,6 @@
+:PREROUTING,OUTPUT
+*nat
+-p tcp -j REDIRECT --to-ports 42;=;OK
+-p udp -j REDIRECT --to-ports 42-1234;=;OK
+-p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
+-j REDIRECT --to-ports 42;;FAIL
diff --git a/extensions/libip6t_SNAT.t b/extensions/libip6t_SNAT.t
new file mode 100644
index 0000000..bb08049
--- /dev/null
+++ b/extensions/libip6t_SNAT.t
@@ -0,0 +1,8 @@
+:POSTROUTING
+*nat
+-j SNAT --to-source dead::beef;=;OK
+-j SNAT --to-source dead::beef-dead::fee7;=;OK
+-p tcp -j SNAT --to-source [dead::beef]:1025-65535;=;OK
+-p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535;=;OK
+-p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65536;;FAIL
+-j SNAT;;FAIL
diff --git a/extensions/libip6t_SNPT.t b/extensions/libip6t_SNPT.t
new file mode 100644
index 0000000..5a2fe7f
--- /dev/null
+++ b/extensions/libip6t_SNPT.t
@@ -0,0 +1,6 @@
+:INPUT,POSTROUTING
+*mangle
+-j SNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL
+-j SNPT --src-pfx dead::/64;;FAIL
+-j SNPT --dst-pfx dead::/64;;FAIL
+-j SNPT;;FAIL
diff --git a/extensions/libip6t_dst.t b/extensions/libip6t_dst.t
new file mode 100644
index 0000000..b2788aa
--- /dev/null
+++ b/extensions/libip6t_dst.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-m dst --dst-len 0;=;OK
+-m dst --dst-opts 149:92,12:12,123:12;=;OK
+-m dst --dst-len 42 --dst-opts 149:92,12:12,123:12;=;OK
diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t
new file mode 100644
index 0000000..dab4989
--- /dev/null
+++ b/extensions/libip6t_frag.t
@@ -0,0 +1,11 @@
+:INPUT,FORWARD,OUTPUT
+-m frag --fragid 1:42;=;OK
+-m frag --fraglen 42;=;OK
+-m frag --fragres;=;OK
+-m frag --fragfirst;=;OK
+-m frag --fragmore;=;OK
+-m frag --fraglast;=;OK
+-m frag ! --fragid 1 ! --fraglen 42 --fragres --fragfirst;=;OK
+-m frag --fragfirst --fragmore;=;OK
+-m frag --fragfirst --fraglast;=;OK
+-m frag --fraglast --fragmore;;FAIL
diff --git a/extensions/libip6t_hbh.t b/extensions/libip6t_hbh.t
new file mode 100644
index 0000000..4b58f25
--- /dev/null
+++ b/extensions/libip6t_hbh.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD,OUTPUT
+-m hbh;=;OK
+-m hbh --hbh-len 42;=;OK
+-m hbh ! --hbh-len 42;=;OK
+-m hbh --hbh-len 42 --hbh-opts 1:2,23:42,4:6,8:10,42,23,4:5;=;OK
diff --git a/extensions/libip6t_hl.t b/extensions/libip6t_hl.t
new file mode 100644
index 0000000..b02816a
--- /dev/null
+++ b/extensions/libip6t_hl.t
@@ -0,0 +1,8 @@
+:INPUT,FORWARD,OUTPUT
+-m hl;;FAIL
+-m hl --hl-eq 42;=;OK
+-m hl ! --hl-eq 42;=;OK
+-m hl --hl-lt 42;=;OK
+-m hl --hl-gt 42;=;OK
+-m hl --hl-gt 42 --hl-eq 42;;FAIL
+-m hl --hl-gt;;FAIL
diff --git a/extensions/libip6t_icmp6.t b/extensions/libip6t_icmp6.t
new file mode 100644
index 0000000..028cfc1
--- /dev/null
+++ b/extensions/libip6t_icmp6.t
@@ -0,0 +1,6 @@
+:INPUT,FORWARD,OUTPUT
+-m icmpv6;;FAIL
+-p ipv6-icmp -m icmp6 --icmpv6-type 1/0;=;OK
+-p ipv6-icmp -m icmp6 --icmpv6-type 2;=;OK
+# cannot use option twice:
+-p ipv6-icmp -m icmp6 --icmpv6-type no-route --icmpv6-type packet-too-big;;FAIL
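Review bot: The first case, `-m icmpv6;;FAIL`, names the match icmpv6 while every other line in this file uses `-m icmp6`, so it is not clear whether the expected failure comes from the missing `-p ipv6-icmp` or from the match name. Use `-m icmp6;;FAIL` if the missing protocol is the point, or add a `#` comment like the one above the last case.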
diff --git a/extensions/libip6t_ipv6header.t b/extensions/libip6t_ipv6header.t
new file mode 100644
index 0000000..67fa479
--- /dev/null
+++ b/extensions/libip6t_ipv6header.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-m ipv6header --header hop-by-hop;=;OK
+-m ipv6header --header hop-by-hop --soft;=;OK
+-m ipv6header --header ipv6-nonxt;=;OK
diff --git a/extensions/libip6t_mh.t b/extensions/libip6t_mh.t
new file mode 100644
index 0000000..6b76d13
--- /dev/null
+++ b/extensions/libip6t_mh.t
@@ -0,0 +1,6 @@
+:INPUT,FORWARD,OUTPUT
+-m mh;;FAIL
+-p mobility-header -m mh;=;OK
+-p mobility-header -m mh --mh-type 1;=;OK
+-p mobility-header -m mh ! --mh-type 4;=;OK
+-p mobility-header -m mh --mh-type 4:123;=;OK
diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t
new file mode 100644
index 0000000..7170138
--- /dev/null
+++ b/extensions/libip6t_rt.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-m rt --rt-type 0 --rt-segsleft 1:23 --rt-len 42 --rt-0-res;=;OK
+-m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK
+-m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK
diff --git a/extensions/libipt_NETMAP.t b/extensions/libipt_NETMAP.t
new file mode 100644
index 0000000..31924b9
--- /dev/null
+++ b/extensions/libipt_NETMAP.t
@@ -0,0 +1,4 @@
+:PREROUTING,INPUT,OUTPUT,POSTROUTING
+*nat
+-j NETMAP --to 1.2.3.0/24;=;OK
+-j NETMAP --to 1.2.3.4;=;OK
diff --git a/extensions/libipt_REDIRECT.t b/extensions/libipt_REDIRECT.t
new file mode 100644
index 0000000..a0fb0ed
--- /dev/null
+++ b/extensions/libipt_REDIRECT.t
@@ -0,0 +1,6 @@
+:PREROUTING,OUTPUT
+*nat
+-p tcp -j REDIRECT --to-ports 42;=;OK
+-p udp -j REDIRECT --to-ports 42-1234;=;OK
+-p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
+-j REDIRECT --to-ports 42;;FAIL
diff --git a/extensions/libipt_TTL.t b/extensions/libipt_TTL.t
new file mode 100644
index 0000000..3680979
--- /dev/null
+++ b/extensions/libipt_TTL.t
@@ -0,0 +1,10 @@
+:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j TTL --ttl-set 42;=;OK
+-j TTL --ttl-inc 1;=;OK
+-j TTL --ttl-dec 1;=;OK
+-j TTL --ttl-set 256;;FAIL
+-j TTL --ttl-inc 0;;FAIL
+-j TTL --ttl-dec 0;;FAIL
+-j TTL --ttl-dec 1 --ttl-inc 1;;FAIL
+-j TTL --ttl-set --ttl-inc 1;;FAIL
diff --git a/extensions/libipt_realm.t b/extensions/libipt_realm.t
new file mode 100644
index 0000000..ca66640
--- /dev/null
+++ b/extensions/libipt_realm.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-m realm --realm 0x1/0x2a;=;OK
+-m realm --realm 0x2a;=;OK
+-m realm;;FAIL
diff --git a/extensions/libxt_CONNSECMARK.t b/extensions/libxt_CONNSECMARK.t
new file mode 100644
index 0000000..2751b25
--- /dev/null
+++ b/extensions/libxt_CONNSECMARK.t
@@ -0,0 +1,5 @@
+:PREROUTING,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j CONNSECMARK --restore;=;OK
+-j CONNSECMARK --save;=;OK
+-j CONNSECMARK;;FAIL
diff --git a/extensions/libxt_HMARK.t b/extensions/libxt_HMARK.t
new file mode 100644
index 0000000..3bcf1da
--- /dev/null
+++ b/extensions/libxt_HMARK.t
@@ -0,0 +1,8 @@
+:INPUT,FORWARD,OUTPUT
+-j HMARK;;FAIL
+-j HMARK --hmark-src-prefix 32 --hmark-rnd 0x00000004 --hmark-mod 42;=;OK
+-j HMARK --hmark-src-prefix 32 --hmark-dst-prefix 32 --hmark-sport-mask 0xffff --hmark-dport-mask 0xffff --hmark-proto-mask 0xffff --hmark-rnd 0x00000004 --hmark-mod 42 --hmark-offset 1 --hmark-tuple ct;=;OK
+-j HMARK --hmark-src-prefix 32 --hmark-dst-prefix 32 --hmark-spi-mask 0x00000004 --hmark-proto-mask 0xffff --hmark-rnd 0x00000004 --hmark-mod 42 --hmark-offset 1 --hmark-tuple ct;=;OK
+-j HMARK --hmark-src-prefix 1 --hmark-dst-prefix 2 --hmark-sport-mask 0x0003 --hmark-dport-mask 0x0004 --hmark-proto-mask 0x05 --hmark-rnd 0x00000004 --hmark-mod 42 --hmark-offset 1 --hmark-tuple ct;=;OK
+# cannot mix in spi mask:
+-j HMARK --hmark-src-prefix 32 --hmark-dst-prefix 32 --hmark-sport-mask 0xffff --hmark-dport-mask 0xffff --hmark-proto-mask 0xffff --hmark-rnd 0x00000004 --hmark-mod 42 --hmark-offset 1 --hmark-tuple ct --hmark-spi-mask 4;;FAIL
diff --git a/extensions/libxt_IDLETIMER.t b/extensions/libxt_IDLETIMER.t
new file mode 100644
index 0000000..6afd92c
--- /dev/null
+++ b/extensions/libxt_IDLETIMER.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-j IDLETIMER --timeout;;FAIL
+-j IDLETIMER --timeout 42;;FAIL
+-j IDLETIMER --timeout 42 --label foo;=;OK
diff --git a/extensions/libxt_LED.t b/extensions/libxt_LED.t
new file mode 100644
index 0000000..1f6705f
--- /dev/null
+++ b/extensions/libxt_LED.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-j LED;;FAIL
+-j LED --led-trigger-id "foo";=;OK
+-j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink;=;OK
diff --git a/extensions/libxt_RATEEST.t b/extensions/libxt_RATEEST.t
new file mode 100644
index 0000000..c2b6bb3
--- /dev/null
+++ b/extensions/libxt_RATEEST.t
@@ -0,0 +1,2 @@
+:INPUT,FORWARD,OUTPUT
+-j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms;=;OK
diff --git a/extensions/libxt_SET.t b/extensions/libxt_SET.t
new file mode 100644
index 0000000..30c27ca
--- /dev/null
+++ b/extensions/libxt_SET.t
@@ -0,0 +1,3 @@
+:INPUT,FORWARD,OUTPUT
+# fails: foo does not exist
+-j SET --add-set foo src,dst;;FAIL
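Review bot: `-j SET --add-set foo src,dst;;FAIL` fails only because, as the comment says, no set named foo exists, so the result depends on the state of the machine running the tests. A name that is unlikely to be in use on a developer or CI box would make the expectation stable. libxt_set.t has the same dependency in its last case.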
diff --git a/extensions/libxt_SYNPROXY.t b/extensions/libxt_SYNPROXY.t
new file mode 100644
index 0000000..dd8b0e7
--- /dev/null
+++ b/extensions/libxt_SYNPROXY.t
@@ -0,0 +1,3 @@
+:INPUT,FORWARD
+-j SYNPROXY --sack-perm --timestamp --mss 1460 --wscale 9;;FAIL
+-p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460;=;OK
diff --git a/extensions/libxt_TCPMSS.t b/extensions/libxt_TCPMSS.t
new file mode 100644
index 0000000..553a345
--- /dev/null
+++ b/extensions/libxt_TCPMSS.t
@@ -0,0 +1,6 @@
+:FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j TCPMSS;;FAIL
+-p tcp -j TCPMSS --set-mss 42;;FAIL
+-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 42;=;OK
+-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu;=;OK
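Review bot: `-p tcp -j TCPMSS --set-mss 42;;FAIL` differs from the passing case only by the missing `-m tcp --tcp-flags FIN,SYN,RST,ACK SYN` match, and a reader has to compare the two lines to see that. A one-line `#` comment stating the requirement, in the style of "# cannot use option twice:" in libip6t_icmp6.t, would make the intent of the failing case clear.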
diff --git a/extensions/libxt_TCPOPTSTRIP.t b/extensions/libxt_TCPOPTSTRIP.t
new file mode 100644
index 0000000..b5c7a10
--- /dev/null
+++ b/extensions/libxt_TCPOPTSTRIP.t
@@ -0,0 +1,8 @@
+:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
+*mangle
+-j TCPOPTSTRIP;;FAIL
+-p tcp -j TCPOPTSTRIP;=;OK
+-p tcp -j TCPOPTSTRIP --strip-options 2,3,4,5,6,7;=;OK
+-p tcp -j TCPOPTSTRIP --strip-options 0;;FAIL
+-p tcp -j TCPOPTSTRIP --strip-options 1;;FAIL
+-p tcp -j TCPOPTSTRIP --strip-options 1,2;;FAIL
diff --git a/extensions/libxt_TPROXY.t b/extensions/libxt_TPROXY.t
new file mode 100644
index 0000000..12f82b1
--- /dev/null
+++ b/extensions/libxt_TPROXY.t
@@ -0,0 +1,5 @@
+:PREROUTING
+*mangle
+-j TPROXY --on-port 12345 --on-ip 10.0.0.1 --tproxy-mark 0x23/0xff;;FAIL
+-p udp -j TPROXY --on-port 12345 --on-ip 10.0.0.1 --tproxy-mark 0x23/0xff;=;OK
+-p tcp -m tcp --dport 2342 -j TPROXY --on-port 12345 --on-ip 10.0.0.1 --tproxy-mark 0x23/0xff;=;OK
diff --git a/extensions/libxt_bpf.t b/extensions/libxt_bpf.t
new file mode 100644
index 0000000..80361ad
--- /dev/null
+++ b/extensions/libxt_bpf.t
@@ -0,0 +1,2 @@
+:INPUT,FORWARD,OUTPUT
+-m bpf --bytecode "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0";=;OK
diff --git a/extensions/libxt_ecn.t b/extensions/libxt_ecn.t
new file mode 100644
index 0000000..b32aea3
--- /dev/null
+++ b/extensions/libxt_ecn.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD,OUTPUT
+-m ecn --ecn-tcp-cwr;;FAIL
+-p tcp -m ecn --ecn-tcp-cwr;=;OK
+-p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 2;=;OK
+-p tcp -m ecn ! --ecn-tcp-ece ! --ecn-tcp-cwr ! --ecn-ip-ect 2;=;OK
diff --git a/extensions/libxt_mac.t b/extensions/libxt_mac.t
new file mode 100644
index 0000000..a5ec81d
--- /dev/null
+++ b/extensions/libxt_mac.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD
+-m mac --mac-source 42:01:02:03:04:05;=;OK
+-m mac --mac-source 42:01:02:03:04;=;FAIL
+-m mac --mac-source 42:01:02:03:04:05:06;=;FAIL
+-m mac;;FAIL
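Review bot: The two bad-address cases are written `;=;FAIL`, while the other failing cases in this patch leave the middle field empty (`;;FAIL`), including `-m mac;;FAIL` in this same file. Drop the `=` for consistency. libxt_recent.t has the same thing in `-m recent --set --rttl;=;FAIL` and in the --hitcount 999 case.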
diff --git a/extensions/libxt_osf.t b/extensions/libxt_osf.t
new file mode 100644
index 0000000..ede6d32
--- /dev/null
+++ b/extensions/libxt_osf.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD
+-m osf --genre linux --ttl 0 --log 0;;FAIL
+-p tcp -m osf --genre linux --ttl 0 --log 0;=;OK
+-p tcp -m osf --genre linux --ttl 3 --log 0;;FAIL
diff --git a/extensions/libxt_policy.t b/extensions/libxt_policy.t
new file mode 100644
index 0000000..24a3e2f
--- /dev/null
+++ b/extensions/libxt_policy.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD
+-m policy --dir in --pol ipsec;=;OK
+-m policy --dir in --pol ipsec --strict;;FAIL
+-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
+-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 10.0.0.0/8;;FAIL
diff --git a/extensions/libxt_recent.t b/extensions/libxt_recent.t
new file mode 100644
index 0000000..cb4049f
--- /dev/null
+++ b/extensions/libxt_recent.t
@@ -0,0 +1,7 @@
+:INPUT,FORWARD,OUTPUT
+-m recent --set;=;OK
+-m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource;=;OK
+-m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
+-m recent --update --rttl;=;OK
+-m recent --set --rttl;=;FAIL
+-m recent --rcheck --hitcount 999 --name foo --mask 255.255.255.255 --rsource;=;FAIL
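Review bot: --hitcount 8 and 12 are expected to pass and 999 to fail, but nothing in the file says where the limit lies or why 12 is tested separately from 8. A `#` comment naming the limit being exercised would make a future failure of these lines readable without digging through the list archive.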
diff --git a/extensions/libxt_rpfilter.t b/extensions/libxt_rpfilter.t
new file mode 100644
index 0000000..390268f
--- /dev/null
+++ b/extensions/libxt_rpfilter.t
@@ -0,0 +1,4 @@
+:PREROUTING
+*mangle
+-m rpfilter;=;OK
+-m rpfilter --loose --validmark --accept-local --invert;=;OK
diff --git a/extensions/libxt_set.t b/extensions/libxt_set.t
new file mode 100644
index 0000000..dd9e9f1
--- /dev/null
+++ b/extensions/libxt_set.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+-m set --match-set foo;;FAIL
+# fails: foo does not exist
+-m set --match-set foo src,dst;;FAIL
diff --git a/extensions/libxt_socket.t b/extensions/libxt_socket.t
new file mode 100644
index 0000000..8c0036e
--- /dev/null
+++ b/extensions/libxt_socket.t
@@ -0,0 +1,4 @@
+:PREROUTING,INPUT
+*mangle
+-m socket;=;OK
+-m socket --transparent --nowildcard;=;OK
diff --git a/extensions/libxt_statistic.t b/extensions/libxt_statistic.t
new file mode 100644
index 0000000..bb6673d
--- /dev/null
+++ b/extensions/libxt_statistic.t
@@ -0,0 +1,8 @@
+:INPUT,FORWARD,OUTPUT
+-m statistic;;FAIL
+-m statistic --mode random ! --probability 0.50000000000;=;OK
+-m statistic --mode random ! --probability 1.1;;FAIL
+-m statistic --probability 1;;FAIL
+-m statistic --mode nth ! --every 5 --packet 2;=;OK
+-m statistic --mode nth ! --every 5;;FAIL
+-m statistic --mode nth ! --every 5 --packet 5;;FAIL
diff --git a/extensions/libxt_tcpmss.t b/extensions/libxt_tcpmss.t
new file mode 100644
index 0000000..3181e49
--- /dev/null
+++ b/extensions/libxt_tcpmss.t
@@ -0,0 +1,5 @@
+:INPUT,FORWARD,OUTPUT
+-m tcpmss --mss 42;;FAIL
+-p tcp -m tcpmss --mss 42;=;OK
+-p tcp -m tcpmss --mss 42:12345;=;OK
+-p tcp -m tcpmss --mss 42:65536;;FAIL
diff --git a/extensions/libxt_u32.t b/extensions/libxt_u32.t
new file mode 100644
index 0000000..0d9be47
--- /dev/null
+++ b/extensions/libxt_u32.t
@@ -0,0 +1,2 @@
+:INPUT,FORWARD,OUTPUT
+-m u32 --u32 "0x0=0x0&&0x0=0x1";=;OK
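Review bot: libxt_u32.t lists a single accepted expression and no rejected one, unlike the other files added here. Add at least one malformed `--u32` argument (for example an empty or unterminated expression) with `;;FAIL` so the parser's error path is exercised too.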
--
2.0.5
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH 5/7] extensions: SNPT,DNPT: fix save/print output
2015-02-19 13:11 iptables: add more test cases and minor bug fixes Florian Westphal
` (3 preceding siblings ...)
2015-02-19 13:11 ` [PATCH 4/7] extensions: add more test cases for iptables-test.py Florian Westphal
@ 2015-02-19 13:11 ` Florian Westphal
2015-02-19 13:11 ` [PATCH 6/7] extensions/libxt_recent.t: add test case for 3.19 regression Florian Westphal
` (3 subsequent siblings)
8 siblings, 0 replies; 16+ messages in thread
From: Florian Westphal @ 2015-02-19 13:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
wrong placement of ' ', i.e. we get
-j SNPT--src-pfx dead::/64 --dst-pfx 1c3::/64
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libip6t_DNPT.c | 8 ++++----
extensions/libip6t_DNPT.t | 1 +
extensions/libip6t_SNPT.c | 8 ++++----
extensions/libip6t_SNPT.t | 1 +
4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/extensions/libip6t_DNPT.c b/extensions/libip6t_DNPT.c
index a442de6..d045e44 100644
--- a/extensions/libip6t_DNPT.c
+++ b/extensions/libip6t_DNPT.c
@@ -52,9 +52,9 @@ static void DNPT_print(const void *ip, const struct xt_entry_target *target,
{
const struct ip6t_npt_tginfo *npt = (const void *)target->data;
- printf("src-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->src_pfx.in6),
+ printf(" DNPT src-pfx %s/%u", xtables_ip6addr_to_numeric(&npt->src_pfx.in6),
npt->src_pfx_len);
- printf("dst-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->dst_pfx.in6),
+ printf(" dst-pfx %s/%u", xtables_ip6addr_to_numeric(&npt->dst_pfx.in6),
npt->dst_pfx_len);
}
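Review bot: the first changed printf in DNPT_print now emits the literal ` DNPT` ahead of `src-pfx`, which is more than the whitespace fix the commit message describes ("wrong placement of ' '"). That changes the listing output for existing users of the target, so either mention it in the commit message or keep this hunk to moving the space, i.e. ` src-pfx %s/%u`.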
@@ -65,12 +65,12 @@ static void DNPT_save(const void *ip, const struct xt_entry_target *target)
if (memcmp(&info->src_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 ||
info->src_pfx_len != 0)
- printf("--src-pfx %s/%u ",
+ printf(" --src-pfx %s/%u",
xtables_ip6addr_to_numeric(&info->src_pfx.in6),
info->src_pfx_len);
if (memcmp(&info->dst_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 ||
info->dst_pfx_len != 0)
- printf("--dst-pfx %s/%u ",
+ printf(" --dst-pfx %s/%u",
xtables_ip6addr_to_numeric(&info->dst_pfx.in6),
info->dst_pfx_len);
}
diff --git a/extensions/libip6t_DNPT.t b/extensions/libip6t_DNPT.t
index 25ec935..0406dc9 100644
--- a/extensions/libip6t_DNPT.t
+++ b/extensions/libip6t_DNPT.t
@@ -1,5 +1,6 @@
:PREROUTING
*mangle
+-j DNPT --src-pfx dead::/64 --dst-pfx 1c3::/64;=;OK
-j DNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL
-j DNPT --src-pfx dead::/64;;FAIL
-j DNPT --dst-pfx dead::/64;;FAIL
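Review bot: the added `;=;OK` line in libip6t_DNPT.t checks the round trip through DNPT_save only, so the DNPT_print change in this patch, including the new ` DNPT` prefix, has no test. If iptables-test.py cannot compare listing output, say so in the commit message so the print change gets a manual check.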
diff --git a/extensions/libip6t_SNPT.c b/extensions/libip6t_SNPT.c
index 4f10de0..65f787d 100644
--- a/extensions/libip6t_SNPT.c
+++ b/extensions/libip6t_SNPT.c
@@ -52,9 +52,9 @@ static void SNPT_print(const void *ip, const struct xt_entry_target *target,
{
const struct ip6t_npt_tginfo *npt = (const void *)target->data;
- printf("src-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->src_pfx.in6),
+ printf(" SNPT src-pfx %s/%u", xtables_ip6addr_to_numeric(&npt->src_pfx.in6),
npt->src_pfx_len);
- printf("dst-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->dst_pfx.in6),
+ printf(" dst-pfx %s/%u", xtables_ip6addr_to_numeric(&npt->dst_pfx.in6),
npt->dst_pfx_len);
}
@@ -65,12 +65,12 @@ static void SNPT_save(const void *ip, const struct xt_entry_target *target)
if (memcmp(&info->src_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 ||
info->src_pfx_len != 0)
- printf("--src-pfx %s/%u ",
+ printf(" --src-pfx %s/%u",
xtables_ip6addr_to_numeric(&info->src_pfx.in6),
info->src_pfx_len);
if (memcmp(&info->dst_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 ||
info->dst_pfx_len != 0)
- printf("--dst-pfx %s/%u ",
+ printf(" --dst-pfx %s/%u",
xtables_ip6addr_to_numeric(&info->dst_pfx.in6),
info->dst_pfx_len);
}
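Review bot: SNPT_save is changed here line for line the same way as DNPT_save above, and the two print functions differ only in the target name while both read a `struct ip6t_npt_tginfo`. A shared helper would have avoided fixing the same spacing bug twice, which is worth a follow-up patch.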
diff --git a/extensions/libip6t_SNPT.t b/extensions/libip6t_SNPT.t
index 5a2fe7f..7ed6d0c 100644
--- a/extensions/libip6t_SNPT.t
+++ b/extensions/libip6t_SNPT.t
@@ -1,5 +1,6 @@
:INPUT,POSTROUTING
*mangle
+-j SNPT --src-pfx dead::/64 --dst-pfx 1c3::/64;=;OK
-j SNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL
-j SNPT --src-pfx dead::/64;;FAIL
-j SNPT --dst-pfx dead::/64;;FAIL
--
2.0.5
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH 6/7] extensions/libxt_recent.t: add test case for 3.19 regression
2015-02-19 13:11 iptables: add more test cases and minor bug fixes Florian Westphal
` (4 preceding siblings ...)
2015-02-19 13:11 ` [PATCH 5/7] extensions: SNPT,DNPT: fix save/print output Florian Westphal
@ 2015-02-19 13:11 ` Florian Westphal
2015-02-19 13:11 ` [PATCH 7/7] extensions: libip6t_dst: make inversion work Florian Westphal
` (2 subsequent siblings)
8 siblings, 0 replies; 16+ messages in thread
From: Florian Westphal @ 2015-02-19 13:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
fail with vanilla 3.19.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libxt_recent.t | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/extensions/libxt_recent.t b/extensions/libxt_recent.t
index cb4049f..8165c02 100644
--- a/extensions/libxt_recent.t
+++ b/extensions/libxt_recent.t
@@ -5,3 +5,7 @@
-m recent --update --rttl;=;OK
-m recent --set --rttl;=;FAIL
-m recent --rcheck --hitcount 999 --name foo --mask 255.255.255.255 --rsource;=;FAIL
+# nonsensical, but all should load successfully:
+-m recent --rcheck --hitcount 3 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
+-m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
+-m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
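Review bot: the comment above the three added rules says only "nonsensical, but all should load successfully", and the commit message says only that they fail with vanilla 3.19. Record in the comment what the three rules have in common (two `-m recent` matches on the same `--name foo` within one rule, with equal or differing `--hitcount`) and which kernel change they guard against, so a failure on an unfixed kernel is read as the known regression and not as a test bug.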
--
2.0.5
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH 7/7] extensions: libip6t_dst: make inversion work
2015-02-19 13:11 iptables: add more test cases and minor bug fixes Florian Westphal
` (5 preceding siblings ...)
2015-02-19 13:11 ` [PATCH 6/7] extensions/libxt_recent.t: add test case for 3.19 regression Florian Westphal
@ 2015-02-19 13:11 ` Florian Westphal
2015-02-19 13:33 ` Jan Engelhardt
2015-02-19 15:24 ` iptables: add more test cases and minor bug fixes Pablo Neira Ayuso
2015-02-19 16:49 ` Florian Westphal
8 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2015-02-19 13:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
The inversion flag wasn't set in the match struct.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libip6t_dst.c | 8 ++++----
extensions/libip6t_dst.t | 1 +
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 3fd4c01..1f15162 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -70,22 +70,21 @@ parse_options(const char *optsstr, uint16_t *opts)
*next++='\0';
range = strchr(cp, ':');
-
if (range) {
if (i == IP6T_OPTS_OPTSNR-1)
xtables_error(PARAMETER_PROBLEM,
"too many ports specified");
*range++ = '\0';
}
-
opts[i] = (parse_opts_num(cp, "opt") & 0xFF) << 8;
if (range) {
if (opts[i] == 0)
xtables_error(PARAMETER_PROBLEM,
"PAD0 hasn't got length");
opts[i] |= parse_opts_num(range, "length") & 0xFF;
- } else
+ } else {
opts[i] |= (0x00FF);
+ }
#ifdef DEBUG
printf("opts str: %s %s\n", cp, range);
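Review bot: none of the changes in this parse_options hunk (two removed blank lines, braces added around the `else` branch) relate to the inversion fix named in the subject. Move them to a separate style patch so the functional change is easy to review and backport. While in this function: the `#ifdef DEBUG` printf passes `range` to `%s` although `range` is NULL whenever the option has no `:`, and the error text "too many ports specified" is misleading in an options parser.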
@@ -112,6 +111,8 @@ static void dst_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_DSTLEN:
+ if (cb->invert)
+ optinfo->invflags |= IP6T_OPTS_INV_LEN;
optinfo->flags |= IP6T_OPTS_LEN;
break;
case O_DSTOPTS:
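Review bot: with `IP6T_OPTS_INV_LEN` now set for `! --dst-len`, the man page snippet should be updated in the same patch, but the diffstat touches only libip6t_dst.c and libip6t_dst.t. It is also worth checking whether `O_DSTOPTS` can be given with `!`, since no inversion handling for that case is visible in this hunk.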
@@ -152,7 +153,6 @@ static void dst_print(const void *ip, const struct xt_entry_match *match,
printf(" opts");
print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
-
if (optinfo->invflags & ~IP6T_OPTS_INV_MASK)
printf(" Unknown invflags: 0x%X",
optinfo->invflags & ~IP6T_OPTS_INV_MASK);
diff --git a/extensions/libip6t_dst.t b/extensions/libip6t_dst.t
index b2788aa..0b0013b 100644
--- a/extensions/libip6t_dst.t
+++ b/extensions/libip6t_dst.t
@@ -1,4 +1,5 @@
:INPUT,FORWARD,OUTPUT
-m dst --dst-len 0;=;OK
-m dst --dst-opts 149:92,12:12,123:12;=;OK
+-m dst ! --dst-len 42;=;OK
-m dst --dst-len 42 --dst-opts 149:92,12:12,123:12;=;OK
--
2.0.5
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 1/7] extensions: remove MIRROR
2015-02-19 13:11 ` [PATCH 1/7] extensions: remove MIRROR Florian Westphal
@ 2015-02-19 13:28 ` Jan Engelhardt
2015-02-19 13:34 ` Florian Westphal
2015-02-19 15:27 ` Pablo Neira Ayuso
0 siblings, 2 replies; 16+ messages in thread
From: Jan Engelhardt @ 2015-02-19 13:28 UTC (permalink / raw)
To: Florian Westphal; +Cc: Netfilter Developer Mailing List
On Thursday 2015-02-19 14:11, Florian Westphal wrote:
>removed from the kernel back in 2003.
Last time I remember, Pablo wanted to keep this. Because modern iptables
may still be used with overly old preexisting kernels.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 7/7] extensions: libip6t_dst: make inversion work
2015-02-19 13:11 ` [PATCH 7/7] extensions: libip6t_dst: make inversion work Florian Westphal
@ 2015-02-19 13:33 ` Jan Engelhardt
2015-02-19 13:37 ` Florian Westphal
0 siblings, 1 reply; 16+ messages in thread
From: Jan Engelhardt @ 2015-02-19 13:33 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Thursday 2015-02-19 14:11, Florian Westphal wrote:
>The inversion flag wasn't set in the match struct.
The documentation needs to be updated too.
It reflected what source code did: not supporting the "!" option at
all/silently ignoring it.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/7] extensions: remove MIRROR
2015-02-19 13:28 ` Jan Engelhardt
@ 2015-02-19 13:34 ` Florian Westphal
2015-02-19 15:27 ` Pablo Neira Ayuso
1 sibling, 0 replies; 16+ messages in thread
From: Florian Westphal @ 2015-02-19 13:34 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Florian Westphal, Netfilter Developer Mailing List
Jan Engelhardt <jengelh@inai.de> wrote:
> On Thursday 2015-02-19 14:11, Florian Westphal wrote:
>
> >removed from the kernel back in 2003.
>
> Last time I remember, Pablo wanted to keep this. Because modern iptables
> may still be used with overly old preexisting kernels.
Fair enough, I can just omit the target/match removal patches when
pushing the changes.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 7/7] extensions: libip6t_dst: make inversion work
2015-02-19 13:33 ` Jan Engelhardt
@ 2015-02-19 13:37 ` Florian Westphal
2015-02-19 13:43 ` Jan Engelhardt
0 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2015-02-19 13:37 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Florian Westphal, netfilter-devel
Jan Engelhardt <jengelh@inai.de> wrote:
> On Thursday 2015-02-19 14:11, Florian Westphal wrote:
>
> >The inversion flag wasn't set in the match struct.
>
> The documentation needs to be updated too.
>
> It reflected what source code did: not supporting the "!" option at
> all/silently ignoring it.
Interesting, --help does mention it:
dst match options:
[!] --dst-len length total length of this header
So, what's the desired action?
Given that the kernel already supports it (on kernel side it's
a module alias for hop-by-hop match) I'd vote for just also updating
the man page snippet to mention ! as well, since it seems like an artificial
restriction.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 7/7] extensions: libip6t_dst: make inversion work
2015-02-19 13:37 ` Florian Westphal
@ 2015-02-19 13:43 ` Jan Engelhardt
0 siblings, 0 replies; 16+ messages in thread
From: Jan Engelhardt @ 2015-02-19 13:43 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Thursday 2015-02-19 14:37, Florian Westphal wrote:
>Interesting, --help does mention it:
>dst match options:
>[!] --dst-len length total length of this header
Um, I got confused by your change to dst-opts related code:
>>>
opts[i] = (parse_opts_num(cp, "opt") & 0xFF) << 8;
if (range) {
if (opts[i] == 0)
xtables_error(PARAMETER_PROBLEM,
"PAD0 hasn't got length");
opts[i] |= parse_opts_num(range, "length") & 0xFF;
- } else
+ } else {
opts[i] |= (0x00FF);
+ }
<<<
All in order. But perhaps separate style changes from real changes
commit-wise.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: iptables: add more test cases and minor bug fixes
2015-02-19 13:11 iptables: add more test cases and minor bug fixes Florian Westphal
` (6 preceding siblings ...)
2015-02-19 13:11 ` [PATCH 7/7] extensions: libip6t_dst: make inversion work Florian Westphal
@ 2015-02-19 15:24 ` Pablo Neira Ayuso
2015-02-19 16:49 ` Florian Westphal
8 siblings, 0 replies; 16+ messages in thread
From: Pablo Neira Ayuso @ 2015-02-19 15:24 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Thu, Feb 19, 2015 at 02:11:16PM +0100, Florian Westphal wrote:
> Will push to master soon if there are no objections.
> iptables-test.py should now be complete enough to replace the old
> iptables-save format "test" files, so I'm going to remove the tests/
> directory as well.
Nice you added more regression tests, this will also help us with the
iptables-compat stuff, thanks Florian!
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/7] extensions: remove MIRROR
2015-02-19 13:28 ` Jan Engelhardt
2015-02-19 13:34 ` Florian Westphal
@ 2015-02-19 15:27 ` Pablo Neira Ayuso
1 sibling, 0 replies; 16+ messages in thread
From: Pablo Neira Ayuso @ 2015-02-19 15:27 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Florian Westphal, Netfilter Developer Mailing List
On Thu, Feb 19, 2015 at 02:28:53PM +0100, Jan Engelhardt wrote:
> On Thursday 2015-02-19 14:11, Florian Westphal wrote:
>
> >removed from the kernel back in 2003.
>
> Last time I remember, Pablo wanted to keep this. Because modern iptables
> may still be used with overly old preexisting kernels.
No objections from my side to get rid of these old extensions.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: iptables: add more test cases and minor bug fixes
2015-02-19 13:11 iptables: add more test cases and minor bug fixes Florian Westphal
` (7 preceding siblings ...)
2015-02-19 15:24 ` iptables: add more test cases and minor bug fixes Pablo Neira Ayuso
@ 2015-02-19 16:49 ` Florian Westphal
8 siblings, 0 replies; 16+ messages in thread
From: Florian Westphal @ 2015-02-19 16:49 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Florian Westphal <fw@strlen.de> wrote:
> Will push to master soon if there are no objections.
> iptables-test.py should now be complete enough to replace the old
> iptables-save format "test" files, so I'm going to remove the tests/
> directory as well.
pushed everything plus tests/ dir removal, I amended the ip6t_dst change
to not include the unrelated whitespace changes.
Thanks,
Florian
^ permalink raw reply [flat|nested] 16+ messages in thread