[PATCH] tests: add regression tests for xtables-translate

[PATCH] tests: add regression tests for xtables-translate

[Harsha Sharma]

This test suite is intended to detect regressions in the translation
infrastructure. The script checks if ip[6]tables-translate produces the
expected output, otherwise it prints the wrong translation and the
expected one.

** Arguments

  --all     # Show also passed tests
  [test]    # Run only the specified test file

** Test files structure

Test files are located under extensions directory. Every file contains
tests about specific extension translations. A test file name must end
with ".txlate".

Inside the files, every single test is defined by two consecutive lines:
ip[6]tables-translate command and expected result. One blank line is left
between tests by convention.

e.g.

  $ cat extensions/libxt_cpu.txlate
  iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
  nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept

  iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
  nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
---
 extensions/libxt_TOS.txlate | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 extensions/libxt_TOS.txlate

diff --git a/extensions/libxt_TOS.txlate b/extensions/libxt_TOS.txlate
new file mode 100644
index 00000000..6d55eb24
--- /dev/null
+++ b/extensions/libxt_TOS.txlate
@@ -0,0 +1,25 @@
+ip6tables-translate -A INPUT -j TOS --set-tos 0x1f
+nft add rule ip6 filter INPUT counter ip6 dscp set 0x07
+
+ip6tables-translate -A INPUT -j TOS --set-tos 0xff
+nft add rule ip6 filter INPUT counter ip6 dscp set 0x3f
+
+ip6tables-translate -A INPUT -j TOS --set-tos Minimize-Delay
+nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
+
+ip6tables-translate -A INPUT -j TOS --set-tos Minimize-Cost
+nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
+
+ip6tables-translate -A INPUT -j TOS --set-tos Normal-Service
+nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
+
+ip6tables-translate -A INPUT -j TOS --and-tos 0x12
+nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
+
+ip6tables-translate -A INPUT -j TOS --or-tos 0x12
+nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
+
+ip6tables-translate -A INPUT -j TOS --xor-tos 0x12
+nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
+
+
-- 
2.11.0

Re: [PATCH] tests: add regression tests for xtables-translate

[Pablo Neira Ayuso]

On Tue, Oct 17, 2017 at 01:02:18AM +0530, Harsha Sharma wrote:
> This test suite is intended to detect regressions in the translation
> infrastructure. The script checks if ip[6]tables-translate produces the
> expected output, otherwise it prints the wrong translation and the
> expected one.
> 
> ** Arguments
> 
>   --all     # Show also passed tests
>   [test]    # Run only the specified test file
> 
> ** Test files structure
> 
> Test files are located under extensions directory. Every file contains
> tests about specific extension translations. A test file name must end
> with ".txlate".
> 
> Inside the files, every single test is defined by two consecutive lines:
> ip[6]tables-translate command and expected result. One blank line is left
> between tests by convention.
> 
> e.g.
> 
>   $ cat extensions/libxt_cpu.txlate
>   iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
>   nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept
> 
>   iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
>   nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept

I think you should replace this commit description to what this really
does, eg.

        libxt_TOS: add tests for translation infrastructure

        This patch checks that the iptables TOS to nftables translation
        works fine.

Please, revisit patch title and description and resubmit.

Thanks!

> Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
> ---
>  extensions/libxt_TOS.txlate | 25 +++++++++++++++++++++++++
>  1 file changed, 25 insertions(+)
>  create mode 100644 extensions/libxt_TOS.txlate
> 
> diff --git a/extensions/libxt_TOS.txlate b/extensions/libxt_TOS.txlate
> new file mode 100644
> index 00000000..6d55eb24
> --- /dev/null
> +++ b/extensions/libxt_TOS.txlate
> @@ -0,0 +1,25 @@
> +ip6tables-translate -A INPUT -j TOS --set-tos 0x1f
> +nft add rule ip6 filter INPUT counter ip6 dscp set 0x07
> +
> +ip6tables-translate -A INPUT -j TOS --set-tos 0xff
> +nft add rule ip6 filter INPUT counter ip6 dscp set 0x3f
> +
> +ip6tables-translate -A INPUT -j TOS --set-tos Minimize-Delay
> +nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
> +
> +ip6tables-translate -A INPUT -j TOS --set-tos Minimize-Cost
> +nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
> +
> +ip6tables-translate -A INPUT -j TOS --set-tos Normal-Service
> +nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
> +
> +ip6tables-translate -A INPUT -j TOS --and-tos 0x12
> +nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
> +
> +ip6tables-translate -A INPUT -j TOS --or-tos 0x12
> +nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
> +
> +ip6tables-translate -A INPUT -j TOS --xor-tos 0x12
> +nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
> +
> +
> -- 
> 2.11.0
>